Sie sind auf Seite 1von 207

eBox 1.

2 for Network Administrators


R EVISION 1.2

E B OX

P LATFORM - T RAINING

http://www.ebox-technologies.com/
S TUDENT G UIDE

eBox 1.2 for Network Administrators

This document is distributed under Creative Commons Attribution-Share Alike license version 2.5 ( http://creativecommons.org/licenses/by-sa/2.5/ )

This document uses images from Tango Desktop Project also distributed under Creative Commons Attribution-Share Alike license version 2.5.

http://tango.freedesktop.org/

Contents

1 eBox Platform: unied server for SMEs 1.1 1.2 1.3 1.4 1.5 Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.1 eBox Platform installer . . . . . . . . . . . . . . . . . . . . . . . . . . . Administration web interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . How does eBox Platform work? . . . . . . . . . . . . . . . . . . . . . . . . . . . Location within the network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.5.1 1.5.2 1.5.3 Local network conguration . . . . . . . . . . . . . . . . . . . . . . . . . Network conguration with eBox Platform . . . . . . . . . . . . . . . . . . Network diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1 1 4 6 11 15 16 16 17 17 25 25 26 30 31 32 35 35 38 39 39 41 42 42 45 45 45

2 eBox Infrastructure 2.1 2.2 Network conguration service (DHCP) . . . . . . . . . . . . . . . . . . . . . . . 2.1.1 2.2.1 2.2.2 2.3 2.3.1 2.3.2 2.3.3 2.3.4 2.3.5 2.4 2.4.1 DHCP server conguration with eBox . . . . . . . . . . . . . . . . . . . . DNS cache server conguration with eBox . . . . . . . . . . . . . . . . . Name resolution service (DNS) . . . . . . . . . . . . . . . . . . . . . . . . . . . DNS server conguration with eBox . . . . . . . . . . . . . . . . . . . . . Hyper Text Transfer Protocol . . . . . . . . . . . . . . . . . . . . . . . . The Apache Web server . . . . . . . . . . . . . . . . . . . . . . . . . . Virtual domains Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HTTP server conguration with eBox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Web data publication service (HTTP) . . . . . . . . . . . . . . . . . . . . . . . .

Time synchronization service (NTP)

NTP server conguration with eBox . . . . . . . . . . . . . . . . . . . . .

3 eBox Gateway 3.1 High-level eBox network abstractions . . . . . . . . . . . . . . . . . . . . . . . . 3.1.1 Network objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

3.1.2 3.2 3.2.1 3.2.2 3.2.3 3.2.4 3.2.5 3.3 3.3.1 3.3.2 3.4 3.4.1 3.4.2 3.5 3.5.1 3.5.2 3.5.3 3.5.4 4 eBox Ofce 4.1 4.2

Network services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The rewall in GNU/Linux: Netlter . . . . . . . . . . . . . . . . . . . . . eBox security model . . . . . . . . . . . . . . . . . . . . . . . . . . . . Firewall conguration with eBox . . . . . . . . . . . . . . . . . . . . . . . Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Suggested exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . Routing tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Multirouter rules and load balancing . . . . . . . . . . . . . . . . . . . . . Quality of Service (QoS) . . . . . . . . . . . . . . . . . . . . . . . . . . Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

47 50 51 51 52 56 56 57 57 62 65 65 67 68 69 71 72 72 79 79 80 85 85 86 86 86 89 92 94 95 98 98 99 103 105 105 106

Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Trafc shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

HTTP Proxy Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Access policy conguration . . . . . . . . . . . . . . . . . . . . . . . . . Client connection to the proxy and transparent mode Web content lter . . . . . . . . . . . . Cache parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Directory service (LDAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.1.1 4.2.1 4.2.2 4.2.3 4.2.4 4.2.5 4.2.6 4.2.7 Users and groups File sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . File sharing service and remote authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SMB/CIFS and its Linux Samba implementation . . . . . . . . . . . . . . . Primary Domain Controller (PDC) . . . . . . . . . . . . . . . . . . . . . . eBox as le server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SMB/CIFS clients conguration . . . . . . . . . . . . . . . . . . . . . . . eBox as authentication server . . . . . . . . . . . . . . . . . . . . . . . . PDC Client Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

4.3 4.4

Printers sharing service 4.3.1 4.4.1 4.4.2 Groupware Service Exercises

Groupware service settings with eBox . . . . . . . . . . . . . . . . . . . .

5 eBox Unied Communications 5.1 Electronic Mail Service (SMTP/POP3-IMAP4) . . . . . . . . . . . . . . . . . . . . 5.1.1 How electronic mail works through the Internet . . . . . . . . . . . . . . .

ii

5.1.2 5.2 5.2.1 5.2.2 5.2.3 5.3 5.3.1 5.3.2 5.3.3 5.3.4 5.3.5 5.3.6 5.3.7

SMTP/POP3-IMAP4 server conguration with eBox . . . . . . . . . . . . . Conguring a Jabber/XMPP server with Ebox . . . . . . . . . . . . . . . . Setting up a Jabber client . . . . . . . . . . . . . . . . . . . . . . . . . . Exercises Protocols Codecs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

107 114 114 116 119 119 120 121 121 124 127 127 130 133 133 134 141 142 144 144 145 145 146 146 148 149 149 149 151 153 163 164 165 166 167 167 170

Instant Messaging (IM) Service (Jabber/XMPP) . . . . . . . . . . . . . . . . . . .

Voice over IP service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Asterisk server conguration with eBox . . . . . . . . . . . . . . . . . . . Conguring a softphone to work with eBox Exercises . . . . . . . . . . . . . . . . . Ekiga (Gnome) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

6 eBox Unied Threat Manager 6.1 Mail Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1.1 6.1.2 6.1.3 6.1.4 6.1.5 6.2 6.2.1 6.2.2 6.2.3 6.2.4 6.3 6.3.1 6.3.2 6.3.3 6.3.4 6.4 6.4.1 6.4.2 6.4.3 7 eBox Core 7.1 Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.1 Logs conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Mail lter schema in eBox . . . . . . . . . . . . . . . . . . . . . . . . . . External connection control lists Exercises . . . . . . . . . . . . . . . . . . . . . . Transparent proxy for POP3 mailboxes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Proposed exercises

HTTP Proxy advanced conguration . . . . . . . . . . . . . . . . . . . . . . . . Group based ltering . . . . . . . . . . . . . . . . . . . . . . . . . . . . Group-based ltering for objects Exercises . . . . . . . . . . . . . . . . . . . . . . Filter proles conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Secure interconnection between local networks . . . . . . . . . . . . . . . . . . . Virtual Private Network (VPN) Public Key Infrastructure (PKI) with a Certication Authority (CA) . . . . . . . CA conguration with eBox Platform Conguring a VPN with eBox . . . . . . . . . . . . . . . . . . . . . . . . Setting up an IDS with eBox Exercises . . . . . . . . . . . . . . . . . . . . . . . .

Intrusion Detection System (IDS) . . . . . . . . . . . . . . . . . . . . . . . . . . IDS Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

iii

7.2

Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.2.1 7.2.2 7.2.3 Metrics Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

173 174 178 179 179 182 183 183 183 184 189 194 195 196 196 197 199 199 201

7.3

Events and alerts 7.3.1 7.3.2 Exercises

Practical Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The backup system design . . . . . . . . . . . . . . . . . . . . . . . . . Backup conguration with eBox . . . . . . . . . . . . . . . . . . . . . . . How to recover on a disaster . . . . . . . . . . . . . . . . . . . . . . . . Conguration backups . . . . . . . . . . . . . . . . . . . . . . . . . . . Command line tools for conguration backups . . . . . . . . . . . . . . . . Management of eBox components . . . . . . . . . . . . . . . . . . . . . System Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

7.4

Backup 7.4.1 7.4.2 7.4.3 7.4.4 7.4.5

7.5

Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.5.1 7.5.2 7.5.3 7.5.4

Index

iv

Chapter 1 eBox Platform: unied server for SMEs

1.1

Presentation
eBox Platform (<http://ebox-platform.com/>) is a unied network server that offers easy and efcient computer network management for small and medium enterprises (SMEs). eBox Platform can act as a Network Gateway, a Unied Threat Manager (UTM) 1 , an Ofce Server, an Infrastructure Manager, a Unied Communications Server or a combination of them. This manual is written for the 1.2 version of eBox Platform. All these functionalities are fully integrated and therefore automate most tasks, prevent manual errors and save time for system administrators. This wide range of network services is managed through an easy and intuitive web interface. As eBox Platform has a modular design, you can install in each server only the necessary modules and easily extend the functionality according to your needs. Besides, eBox Platform is released under a free software license (GPL) 2 . The main features are: Unied and efcient management of the services: Task automation. Service integration. Easy and intuitive interface.
UTM (Unied Threat Management ): Term that groups a series of functionalities related to computer network security: rewall, intrusion detection, antivirus, etc. 2 GPL (GNU General Public License): Software license that allows free redistribution, adaptation, use and creation of derivative works with the same license.
1

eBox 1.2 for Network Administrators

Extendable and adaptable to specic needs. Hardware independent. Open source software. The services currently offered are: Network management: Firewall and router * Trafc ltering * NAT and port redirection * Virtual local networks (VLAN 802.1Q) * Support for multiple gateways, load balancing and self-adaptation in case of loss of connectivity * Trafc shaping (with application-level ltering support) * Trafc monitoring * Dynamic DNS support High-level network objects and services Network infrastructure * DHCP server * DNS server * NTP server Virtual private networks (VPN) * Dynamic auto-conguration of network paths HTTP proxy * Cache * User authentication * Content ltering (with categorized lists) * Transparent antivirus

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

Mail server * Spam ltering and antivirus * Transparent POP3 lter * White-, black- and grey-listing Web server * Virtual domains Intrusion Detection System (IDS) Certication Authority Groupware: Shared directory using LDAP (Windows/Linux/Mac) * Shared authentication (including Windows PDC) Shared storage as NAS (Network-attached storage) Shared printers Groupware server: calendars, address books, ... VoIP server * Voicemail * Meetings * Calls through outside vendor Instant messaging server (Jabber/XMPP) * Meetings User corner to allow users to modify their data Reports and monitoring Dashboard to centralize the information Disk, memory, load, temperature and host CPU monitoring Software RAID status and information regarding the hard drive use

eBox 1.2 for Network Administrators

Network service logs in databases, allowing you to have daily, weekly monthly and annual reports Event-based system monitoring * Notication via Jabber, mail and RSS Host management: Conguration and data backup Updates Control Center to easily administer and monitor multiple eBox hosts from one central point
3

1.2

Installation
In principle, eBox Platform is designed to be installed exclusively on one (real or virtual) machine. This does prevent you from installing other unmanaged services, but these must be manually congured. eBox Platform runs on GNU/Linux operating system with the Long Term Support (LTS) release of Ubuntu Server Edition distribution 4 . The installation can be done in two different ways: Using the eBox Platform Installer (recommended). Installing from an existing Ubuntu Server Edition installation. In the second case, you need to add the ofcial eBox Platform repositories and to install the packages you are interested in. Nevertheless, in the rst case eBox Platform installation and deployment is easy as all the dependencies are in a single CD and in addition, some pre-conguration is made during the installation process.

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

Figure 1.1: Installer home screen

Figure 1.2: Selection of the installation method

eBox 1.2 for Network Administrators

1.2.1 eBox Platform installer


The eBox Platform installer is based on the Ubuntu installer and therefore those who are already familiar with it will nd the installation process very similar. After installing the base system and rebooting, you can start installing eBox Platform. There are two methods for selecting the functionalities you want to include in your system. Simple: Depending on the task the server will be dedicated to, you can install a set of packages that provides several functionalities. Advanced: You can select the packages individually. If a package has dependencies on other packages, these will be automatically selected later. If you select the simple installation method, you get a list of available proles. As shown in the gure Selection of the proles, the mentioned list matches the following paragraphs of this manual.

Figure 1.3: Selection of the proles

eBox Gateway : eBox is the local network gateway that provides secure and controlled Internet access. eBox Unied Threat Manager : eBox protects the local network against external attacks, intrusions, internal security threats and enables secure interconnection between local networks via Internet or via other external networks. eBox Infrastructure : eBox manages the local network infrastructure including the following basic services: DHCP, DNS, NTP, HTTP server, etc.
For additional information regarding the Control Center, please visit: http://www.eboxtechnologies.com/products/controlcenter/ the company behind eBox Platform development. 4 Ubuntu is a GNU/Linux distribution developed by Canonical and the community oriented to laptops, desktops and servers <http://www.ubuntu.com/>.
3

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

eBox Ofce : eBox is an ofce server that allows sharing the following resources through the local network: les, printers, calendars, contacts, authentication, users and groups proles, etc. eBox Unied Communications: eBox becomes the unied communications server of your organization, including mail, instant messaging and voice over IP. You can select several proles to combine different functionalities. In addition, the selection is not nal and later you can install and remove packages according to your needs. However, if you select the advanced installation method, you get the complete list of eBox Platform modules and you can select individually the modules you are interested in. Once you have completed the selection, also the necessary additional packages will be installed.

Figure 1.4: Selection of the modules

After you have selected the components to install, the installation process will begin and you will be shown a progress bar with the installation status. Once the installation is completed, you are requested to enter a password to access the eBox Platform web administration interface:

eBox 1.2 for Network Administrators

Figure 1.5: Installing eBox Platform

You need to conrm the inserted password:

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

The installer will try to pre-congure some important conguration parameters. First, it will ask if some of the network interfaces are external (not within the local network), i.e., used to connect to the Internet. Strict policies for all incoming trafc through external network interfaces will be applied. Depending on the role the server plays, there might be no external interfaces at all.

Figure 1.6: Selection of the external interface

Second, if you installed the mail module, you will be requested to enter the default virtual domain that will be the main virtual domain of the system. Once you have answered these questions, each module you installed will be pre-congured and ready to be used via the web interface. After this process is completed, a message informs you about how to connect to the web interface of eBox Platform.

eBox 1.2 for Network Administrators

Figure 1.7: Primary virtual mail domain

Figure 1.8: Conguration progress

Figure 1.9: Installation completed

10

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

Once the eBox Platform installation process is completed you get a system console to authenticate with the user created during the Ubuntu installation. eBox Platform password is exclusive to the web interface and it has nothing to do with the administrator user password of the host. When you log in to the console, you will get the following eBox Platform specic message:

1.3

Administration web interface


Once you have installed eBox Platform, you can access the administration web interface at the following URL: https://network_address/ebox/ Here network_address is the IP address or a host name that resolves to the address where eBox is running. The rst screen will ask for the administrator password:

After authentication you get the administration interface that is divided into three main sections: Left side menu: Contains links to all services, separated by categories, that can be congured using eBox. When you select a service, you might get a submenu to congure specic details of the selected service.

11

eBox 1.2 for Network Administrators

Figure 1.10: Main screen

Figure 1.11: Left side menu

12

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

Top menu: Contains actions to save the changes made to the content, make the changes effective and close the session.

Figure 1.12: Top menu

Main content: The main content is composed of one or several forms or tables with information about the service conguration and depends on the selection made in the left side menu and submenus. Sometimes you will get a tab bar at the top of the page: each tab represents a different subsection within the section you have accessed.

Figure 1.13: Conguration form

Dashboard : The dashboard is the initial screen of the web interface. It contains a number of congurable widgets. You can reorganize them at any moment simply by clicking and dragging the titles. By clicking on Congure Widgets the interface changes, allowing you to remove and add new widgets. To add a new widget, you search for it in the top menu and drag it to the main part of the page. An important detail to take into account is the method eBox uses to apply the conguration changes made through the interface. First of all, you have to accept changes in the current form, but, once this is done, to make these changes effective and apply them on a permanent basis, you

13

eBox 1.2 for Network Administrators

Figure 1.14: Dashboard

Figure 1.15: Dashboard conguration

14

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

must click on Save Changes from the top menu. This button will change to red if there are unsaved changes. Failure to follow this procedure will result in the loss of all changes you have made throughout the session once you log out. There are some special cases when you dont need to save the changes, but in these cases you will receive a notication.

Figure 1.16: Save changes

1.4

How does eBox Platform work?


eBox Platform is not just a simple web interface to manage the most common network services 5 . One of the main goals of eBox Platform is to unify a set of network services that otherwise would work independently.

All conguration of individual services is handled automatically by eBox. To do this eBox uses a template system. This automation prevents manual errors and saves administrators from having to know the details of each conguration le format. As eBox manages automatically these conguration
5

You get longer support than on the normal version. With the LTS version you get 5 years of support on the server.

15

eBox 1.2 for Network Administrators

les, you must not edit the original les as these will be overwritten as soon you save any conguration changes. Reports of events and possible errors of eBox are stored in the directory /var/log/ebox/ and are divided in the following les: /var/log/ebox/ebox.log : Errors related to eBox Platform. /var/log/ebox/error.log : Errors related to the web server. /var/log/ebox/access.log : Every access to the web server. If you want more information about an error that has occurred, you can enable the debugging mode by selecting the debug option in the /etc/ebox/99ebox.conf le. Once you have enabled this option, you should restart the web server of the interface by using sudo /etc/init.d/ebox apache restart.

1.5

Location within the network


1.5.1 Local network conguration
eBox Platform can be used in two different ways: Router and lter of the Internet connection. Server of different network services. Both functionalities can be combined in a single host or divided among several hosts. The gure Different locations within the network displays the different locations eBox Platform server can take in the network, either as a link between networks or a server within the network.

Figure 1.17: Different locations within the network

16

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

Throughout this documentation you will nd out how to congure eBox Platform as a router and gateway. You will also learn how to congure eBox Platform in the case it acts as just another server within the network.

1.5.2 Network conguration with eBox Platform


If you place a server within a network, you will most likely be assigned an IP address via DHCP protocol. Through Network Interfaces you can access each network card detected by the system and you can select between a static conguration (address congured manually), dynamic conguration (address congured via DHCP) or a Trunk 802.1Q to create VLANs.

Figure 1.18: Network interface conguration

If you congure a static interface, you can associate one or more Virtual Interfaces to this real interface to serve additional IP addresses. These can be used to serve different networks or the same network with different address. To enable eBox to resolve domain names, you must indicate the address of one or several domain name servers in Network DNS.

1.5.3 Network diagnosis


To check if you have congured the network correctly, you can use the tools available in Network Diagnosis. Ping is a tool that uses the ICMP network diagnosis protocol to observe whether a particular remote host is reachable by means of a simple echo request.

17

eBox 1.2 for Network Administrators

Figure 1.19: Static conguration of network interfaces

Figure 1.20: Conguration of DNS servers

Figure 1.21: Network diagnosis tools

18

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

Figure 1.22: Ping tool

19

eBox 1.2 for Network Administrators

Additionally you can use the traceroute tool that is used to determine the route taken by packages across different networks until reaching a given remote host. This tool allows to trace the route the packages follow in order to carry out more advanced diagnosis.

Figure 1.23: Traceroute tool

Besides, you can use the dig tool, which is used to verify the correct functioning of the name service resolution.

Practical example A Lets congure eBox so that it obtains the network conguration via DHCP. Therefore: 1. Action: Access the eBox interface, go to Network

Interfaces and, as network interface,

select eth0. Then choose the DHCP method. Click on Change.

20

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

Figure 1.24: Dig tool

21

eBox 1.2 for Network Administrators

Effect: You have enabled the button Save Changes and the network interface maintains the entered data. 2. Action: Go to Module status and enable the Network module, in order to do this, check the box in the Status column. Effect: eBox asks for permission to overwrite some les. 3. Action: Read the changes that are going to be made in each modied le and grant eBox the permission to overwrite them. Effect: You have enabled the button Save Changes and you can enable some of the modules that depend on Network. 4. Action: Save the changes. Effect: eBox displays the progress while the changes are implemented. Once it has nished, you are notied. Now eBox manages the network conguration. 5. Action: Access Network Diagnosis tools. Ping ebox-platform.com. Effect: As a result, you are shown three successful connection attempts to the Internet server. 6. Action: Access Network Diagnosis tools. Ping the eBox of a fellow classmate. Effect: As a result, you are shown three successful connection attempts to the host. 7. Action: Access Network Diagnosis tools. Run a traceroute to ebox-technologies.com. Effect: As a result, you are shown a route of all the intermediate routers a packet traverses until it reaches the destination host.

Practical example B For the rest of the exercises of the manual, it is a good practice to enable the logs. Therefore: 1. Action: Access the eBox interface, go to Module status and enable the Logs module. In order to do this, check the box in the Status column. Effect: eBox asks for permission to carry out a series of actions. 2. Action: Read the actions that are going to be made and accept them.

22

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

Effect: You have enabled the button Save Changes. 3. Action: Save the changes. Effect: eBox displays the progress while the changes are implemented. Once it has nished, you are notied. Now eBox has enabled the logs. You can check them at Logs Query logs in the section Logs.

23

eBox 1.2 for Network Administrators

24

Chapter 2 eBox Infrastructure

This section explains several of the services to manage and optimize internal trafc and the infrastructure of your local network, including domain management, automatic network conguration in network clients, publication of internal Web sites and time synchronization using the Internet. The conguration of these services requires great efforts, although they are easier to congure with eBox. The DHCP service is widely used to automatically congure different network parameters, such as the IP address of a host or the gateway to be used for Internet access. The DNS service provides access to services and hosts using names instead of IP addresses, which are more difcult to memorize. Many businesses use Web applications to which only internal access is available.

2.1

Network conguration service (DHCP)


As indicated, DHCP (Dynamic Host Conguration Protocol ) is a protocol that enables a device to request and obtain an IP address from a server with a list of available addresses to assign. The DHCP service
1

is also used to obtain many other parameters, such as the default gateway,

the network mask, the IP addresses for the name servers or the search domain, among others. Hence, access to the network is made easier, without the need for manual conguration by clients. When a DHCP client connects to the network, it sends a broadcast request and the DHCP server responds to valid requests with an IP address, the lease time granted for that IP and the parameters
1

eBox uses ISC DHCP Software (https://www.isc.org/software/dhcp) to congure the DHCP service.

25

eBox 1.2 for Network Administrators

explained above. The request normally occurs during the client booting period and must be completed before going on with the remaining network services. There are two ways of assigning addresses: Manual: Assignment is based on a table containing physical address (MAC )/IP address mappings, entered manually by the administrator. Dynamic: The network administrator assigns a range of IP addresses for a request- and-grant process that uses the lease concept with a controlled period in which the granted IP remains valid. The server keeps a table with the previous assignments to try to reassign the same IP to a client in successive requests.

2.1.1 DHCP server conguration with eBox


To congure the DHCP service with eBox, at least one statically congured interface is required. Once this is available, go to the DHCP menu, where the DHCP server can be congured. As indicated above, some network parameters can be sent with the IP address. These parameters can be congured in the Common options tab. Default gateway: This is the gateway to be used by the client if it is unaware of another route to send the package to its destination. Its value can be eBox, a gateway already congured in the Network Routers section or a custom IP address. Search domain: In a network with hosts named in line with <host>.domain.com, the search domain can be congured as domain.com. Hence, when seeking to resolve an unsuccessful domain name, another attempt can be made by adding the search domain to the end of it. For example, if smtp cannot be resolved as a domain, smtp.domain.com will be tried on the client host. The search domain can be entered or one congured in the DNS service can be selected. Primary name server: This is the DNS server that the client will use when a name is to be resolved or an IP address needs to be translated into a name. Its value can be eBox (if the eBox DNS server is to be queried) or an IP address of another DNS server. Secondary name server: DNS server that the client will use if the primary one is not available. Its value must be the IP address of a DNS server.

26

CHAPTER 2. EBOX INFRASTRUCTURE

Figure 2.1: Overview of DHCP service conguration

27

eBox 1.2 for Network Administrators

The common options display the ranges of addresses distributed by DHCP and the addresses assigned manually. For the DHCP service to be active, there must be at least one range of addresses to be distributed or one static assignment. If not, the DHCP server will not serve IP addresses even if the service is listening on all the network interfaces. The ranges of addresses and the static addresses available for assignment from a certain interface are determined by the static address assigned to that interface. Any free IP address from the corresponding subnet can be used in ranges or static assignments. To add a new range, click on Add new in the Ranges section. Then enter a name by which to identify the range and the values to be assigned within the range appearing above. Static assignments of IP addresses are possible to determined physical addresses in the Static assignments section. An address assigned in this way cannot form part of any range.

Figure 2.2: Appearance of the advanced conguration for DHCP

The dynamic granting of addresses has a deadline before which renewal must be requested (congurable in the Advanced options tab) that varies from 1,800 seconds to 7,200 seconds. Static assignments do not expire and, therefore, are unlimited leases. A Lightweight Client is a special machine with no hard drive that is booted via the network by requesting the booting image (operating system) from a lightweight client server.

28

CHAPTER 2. EBOX INFRASTRUCTURE

eBox allows the PXE server 2 to which the client must connect to be congured. The PXE service, which is responsible for transmitting everything required for the lightweight client to be able to boot its system, must be congured separately. The PXE server may be an IP address or a name, in which case the path to the boot image or eBox must be indicated, in which case the image le can be loaded.

Practical example Congure the DHCP service to assign a range of 20 network addresses. Check from another client host using dhclient that it works properly. To congure DHCP, the Network module must be enabled and congured. The network interface on which the DHCP server is to be congured must be static (manually assigned IP address) and the range to assign must be within the subnet determined by the network mask of that interface (e.g. range 10.1.2.1-10.1.2.21 of an interface 10.1.2.254/255.255.255.0). 1. Action: Enter eBox and access the control panel. Enter Module status and enable the DHCP module by marking its checkbox in the Status column. Effect: eBox requests permission to overwrite certain les. 2. Action: Read the changes of each of the les to be modied and grant eBox permission to overwrite them. Effect: The Save changes button has been enabled. 3. Action: Enter DHCP and select the interface on which the server is to be congured. The gateway may be eBox itself, one of the eBox gateways, a specic address or none (no routing to other networks). Furthermore, the search domain (domain added to all DNS names that cannot be resolved) can be dened along with at least one DNS server (primary DNS server and optionally a secondary one). eBox then indicates the range of available addresses. Select a subset of 20 addresses and in Add new give a signicant name to the range to be assigned by eBox. 4. Action: Save the changes.
Preboot eXecution Environment is an environment to boot PCs using a network interface independent of the storage devices (such as hard drives) or operating systems installed. (http://en.wikipedia.org/wiki/Preboot_Execution_Environment)
2

29

eBox 1.2 for Network Administrators

Effect: eBox displays the progress while the changes are being applied. Once this is complete it indicates as such. eBox now manages the DHCP server conguration. 5. Action: From another PC connected to this network, request a dynamic IP from the range using dhclient:

$ sudo dhclient eth0 There is already a pid file /var/run/dhclient.pid with pid 9922 killed old client process, removed PID file Internet Systems Consortium DHCP Client V3.1.1 Copyright 2004-2008 Internet Systems Consortium. All rights reserved. For info, please visit http://www.isc.org/sw/dhcp/ wmaster0: unknown hardware address type 801 wmaster0: unknown hardware address type 801 Listening on LPF/eth0/00:1f:3e:35:21:4f Sending on LPF/eth0/00:1f:3e:35:21:4f Sending on Socket/fallback DHCPREQUEST on wlan0 to 255.255.255.255 port 67 DHCPACK from 10.1.2.254 bound to 10.1.2.1 -- renewal in 1468 seconds.
6. Action: Verify from Dashboard that the address appearing in the widget DHCP leases is displayed.

2.2

Name resolution service (DNS)


As explained, the function of the DNS (Domain Name System) is to convert hostnames that are readable and easy to remember by users into IP addresses and vice versa. The name domain system is a tree architecture, the aims of which are to avoid the duplication of data and to facilitate the search for domains. The service listens to requests in port 53 of the UDP and TCP transport protocols.

30

CHAPTER 2. EBOX INFRASTRUCTURE

2.2.1 DNS cache server conguration with eBox


A name server can act as a cache 3 for queries that it cannot respond to. In other words, it will initially query the appropriate server, as it is based on a database without data, but the cache will subsequently reply, with the consequent decrease in response time. At present, most modern operating systems have a local library to translate the names that is responsible for storing its own domain name cache with the requests made by system applications (browser, e-mail clients, etc.).

Practical example A Check the correct operation of the cache name server. What is the response time with regard to the same request www.example.com? 1. Action: Access eBox, enter Module status and enable the DNS module by marking the checkbox in the Status column. Effect: eBox requests permission to overwrite certain les. 2. Action: Read the changes of each of the les to be modied and grant eBox permission to overwrite them. Effect: The Save changes button has been enabled. 3. Action: Go to Network DNS and add a new Domain name server with value 127.0.0.1. Effect: eBox is established to translate names to IP and vice versa. 4. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is complete it is indicated as such. eBox now manages the DNS server conguration. 5. Action: Use the Domain name resolution tool available in Network checking the response time.
3

Diagnosis to check

the operation of the cache, querying the domain www.example.com consecutively and

A cache is a collection of duplicated data from an original source, where the original data is expensive to obtain or

compute compared to the cost of reading the cache (http://en.wikipedia.org/wiki/Cache).

31

eBox 1.2 for Network Administrators

2.2.2 DNS server conguration with eBox


DNS has a tree structure and the source is known as . or root. Under . are the TLDs (Top Level Domains), such as org, com, edu, net, etc. When searching in a DNS server, if it does not know the answer, the tree is recursively searched until it is found. Each . in an address (e.g. home.example.com) indicates a different branch of the DNS tree and a different query area. The name will be traversed from right to left.

Figure 2.3: DNS tree Another important aspect is reverse resolution (in-addr.arpa), as it is possible to translate an IP address to a domain name. Furthermore, as many aliases (or canonical names) as required can be added to each associated name and the same IP address can have several associated names. Another important characteristic of the DNS is the MX record. This record indicates the place where the e-mails to be sent to a certain domain are to be sent. For example, where an e-mail is to be sent to someone@home.example.com, the e-mail server will ask for the MX record of home.example.com and the service will reply that it is mail.home.example.com. The conguration in eBox is done through the DNS menu. In eBox, as many DNS domains as required can be congured. To congure a new domain, drop down the form by clicking on Add new. From here, the domain name and an optional IP address to which the domain will refer can be congured.

32

CHAPTER 2. EBOX INFRASTRUCTURE

Once a correct domain has been created, e.g. home.example.com, it is possible to complete the hostnames list for the domain. As many IP addresses as required can be added using the names decided. Reverse resolution is added automatically. Furthermore, as many aliases as required can also be used for each mapping.

As an additional feature, e-mail server names can be added through mail exchangers by selecting a name for the domains in which eBox is the authority 4 or an external one. Furthermore, a preference can be given, the lowest value of which gives highest priority, i.e. an e-mail client will rst try the server with the lowest preference number.

For a more in-depth look into the operation of the DNS, let us see what happens depending on the query made through the dig diagnosis tool located in Network Diagnosis. If a query is made for one of the domains added, eBox will reply with the appropriate answer immediately. Otherwise, the DNS server will query the root DNS servers and will reply to the user as
4

A DNS server is the authority for a domain when it has all the data to resolve the query for that domain.

33

eBox 1.2 for Network Administrators

soon as it gets an answer. It is important to be aware of the fact that the nameservers congured in Network DNS are used by client applications to resolve names, but are not used in any way by the DNS server. If you want eBox to resolve names using its own DNS server, you have to set up 127.0.0.1 as primary DNS server in the aforementioned section.

Practical example B Add a new domain to the DNS service. Within this domain, assign a network address to a hostname. From another host, check that it resolves correctly using the dig tool. 1. Action: Check that the DNS service is active through Dashboard in the Module status widget. If it is not active, enable it in Module status. 2. Action: Enter DNS and in Add new enter the domain to be managed. A table will drop down where hostnames, mail servers for the domain and the domain address itself can be added. In Hostnames do the same by adding the hostname and its associated IP address. 3. Action: Save the changes. Effect: eBox will request permission to write the new les. 4. Action: Accept the overwriting of these les and save the changes. Effect: The progress is displayed while the changes are being applied. Once this is complete it indicates as such. 5. Action: From another PC connected to this network, request the name resolution using dig, where 10.1.2.254 is, for example, the address of eBox and mirror.ebox-platform.com the domain to be resolved:

$ dig mirror.ebox-platform.com @10.1.2.254 ; <<>> DiG 9.5.1-P1 <<>> mirror.ebox-platform.com @10.1.2.254 ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33835 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;mirror.ebox-platform.com.

IN

34

CHAPTER 2. EBOX INFRASTRUCTURE

;; ANSWER SECTION: mirror.ebox-platform.com. 600 ;; AUTHORITY SECTION: ebox-platform.com. ebox-platform.com. ;; ADDITIONAL SECTION: ns1.ebox-platform.com. ns2.ebox-platform.com. ;; ;; ;; ;;

IN

87.98.190.119

600 600

IN IN

NS NS

ns1.ebox-platform.com. ns2.ebox-platform.com.

600 600

IN IN

A A

67.23.0.68 209.123.162.63

Query time: 169 msec SERVER: 10.1.2.254#53(10.1.2.254) WHEN: Fri Mar 20 14:37:52 2009 MSG SIZE rcvd: 126

2.3

Web data publication service (HTTP)


The Web is one of the most common services on the Internet, so much that it has become its visible face for most users. A website started to become the most convenient way of publishing data on a network. All that was needed was a web browser, which is installed as standard in current desktop platforms. A website is easy to create and can be viewed from any computer. Over time, the possibilities of web interfaces have improved and true applications are now available that have nothing to envy of desktop applications. But... what is behind the web?

2.3.1 Hyper Text Transfer Protocol


One of the keys to the success of the web has been the application layer protocol used, HTTP (Hyper Text Transfer Protocol ), as it is extremely simple yet exible. HTTP is a request and response protocol. A client, also known as a User Agent, makes a request to a server. The server processes it and gives a response.

35

eBox 1.2 for Network Administrators

Figure 2.4: Request schema with GET headers between a client and the 200 OK response from the server. Routers and proxies in between.

36

CHAPTER 2. EBOX INFRASTRUCTURE

By default, HTTP uses TCP port 80 for unencrypted connections and 443 for encrypted connections (HTTPS) using TLS technology 5 . A client request contains the following elements: An initial line containing <method> <resource requested> <HTTP version>. For example, GET /index.html HTTP/1.1 requests the resource /index.html through GET and using protocol HTTP/1.1. Headers, such as User-Agent: Mozilla/5.0 ... Firefox/3.0.6, which identify the type of client requesting the data. A blank line. An optional message. This is used, for example, to send les to the server using the POST method. There are several methods GET and POST: GET: GET is used to request a resource. It is a harmless method for the server, as no le has to be modied in the server if a request is made via GET. POST: POST is used to send data to be processed by the server. For example, when Send message is clicked in a webmail, the server is given the email data to be sent. The server must process this information and send the email. OPTIONS: This is used to request the methods that can be used on a resource. HEAD: Requests the same data as GET, although the response will not include the text, only the header. Hence, it is possible to obtain the metadata of the resource without downloading it. PUT: Requests the text data to be stored and accessible from the path indicated. DELETE: Requests the deletion of the resource indicated. TRACE: This informs the server that it must return the header sent by the client. It is useful to see how the request is modied by the intermediate proxies. CONNECT: The specication reserves this method for tunnels.
5

with which clients can request data. The most common ones are

TLS (Transport Layer Security ) and its predecessor SSL (Secure Sockets Layer ) are encryption protocols that provide

data security and integrity for Internet communications. The subject is discussed in further detail in section Virtual Private Network (VPN). 6 A more detailed explanation can be found in section 9. RFC 2616

37

eBox 1.2 for Network Administrators

The server response has the same structure as the client request, changing the rst row. In this case, the rst row is <status code> <text reason>, which corresponds to the response code and a text with the explanation, respectively. The most common response codes 7 are: 200 OK: The request has been processed correctly. 403 Forbidden: When the client has been authenticated, but does not have permission to operate on the resource requested. 404 Not Found: When the resource requested has not been found. 500 Internal Server Error: When an error has occurred in the server that has prevented the request from being correctly run. HTTP has some limitations given its simplicity. It is a protocol with no state; therefore, the server is unable to remember the clients between connections. This can be avoided by using cookies. Moreover, the server cannot start a conversation with the client. Should the client want to be notied by the server of something, this must be periodically requested. The HTTP service can offer dynamic data produced by different software applications. The client requests a certain URL with specic parameters and the software manages the request to return a result. The rst method used was known as CGI (Common Gateway Interface), which runs one command per URL. This mechanism has mainly been deprecated due to its memory overload and low performance when compared to other solutions: FastCGI : A communication protocol between software applications and the HTTP server, with a single process to resolve requests made by the HTTP server. SCGI (Simple Common Gateway Interface ): This is a simplied version of the FastCGI protocol. Other expansion mechanisms: Dependent on the HTTP server allowing the software to be run within the server, this solution depends on the HTTP server used.

2.3.2 The Apache Web server


The Apache HTTP server 8 has been the most popular program for serving websites since April 1996. eBox uses this server for both its web interface and the web server module. Its aim is to offer a secure,
7 8

The full list of response codes for the HTTP server can be found in section 10 of RFC 2616. Apache HTTP Server project http://httpd.apache.org.

38

CHAPTER 2. EBOX INFRASTRUCTURE

efcient and extendible system in line with HTTP standards. Its capacity to be extensible is based on adding features using modules that extend the core. Other programming interfaces include mod_perl, mod_python, TCL or PHP, which allows for websites to be created using programming languages such as Perl, Python, TCL or PHP. It has several authentication systems such as mod_access and mod_auth, among others. Furthermore, it allows the use of SSL and TLS with mod_ssl and provides a proxy module with mod_proxy and a powerful URL rewriting system with mod_rewrite. It has a total of 57 ofcially documented modules that add functionality, although this number increases to 168 if you include those registered for the 2.2 version of Apache 9 .

2.3.3 Virtual domains


The purpose of a virtual domain is to host websites for several domain names in the same server. If the server has a public IP address for each website, a conguration can be made for every network interface. When seen from outside, they look like several hosts in the same network. The server will redirect the trafc from each interface to its corresponding website. However, it is more common to have one or two IPs per host. In this case, each website will have to be associated with its domain. The web server will read the headers sent in the client request and, depending on the domain of the request, will redirect it to one website or another. Each of these congurations is known as Virtual Host, as there is only one host in the network, but the existence of several is simulated.

2.3.4 HTTP server conguration with eBox


Through Web, it is possible to access the web service conguration. In the rst form, it is possible to modify the following parameters: Listening port Where the daemon is to listen to HTTP requests. Enable public_html per user Through this option, if the Samba module (eBox as le server ) is enabled, users can create a subdirectory known as public_html in their private directory within samba that will be displayed by the web server via the URL http://<eboxIP>/~<username>/, where username is the name of the user that published contents.
9

There is a full list at http://modules.apache.org.

39

eBox 1.2 for Network Administrators

Figure 2.5: Appearance of the Web module conguration

With regard to the Virtual domains, the only conguration needed is the name for the domain and whether it is enabled or not. When a new domain is created, simply create an entry in the DNS module (if it is installed) so that, if the domain www.company.com is added, the domain company.com will be created with the host name www, the IP address of which will be the address of the rst static network interface. To publish data, it must be under /var/www/<vHostname>, where vHostName is the name of the virtual domain. If any customized conguration is to be added, for example capacity to load applications in Python using mod_python, the necessary conguration les for this virtual domain must be created in the directory /etc/apache2/sites-available/user-ebox-<vHostName>/.

Practical example Enable the web server. Check that it is listening on port 80. Congure it to listen on a different port and verify that the change becomes effective. 1. Action: Access eBox, enter Module status and enable the Web server module by marking the checkbox in the Status column. This indicates the changes to be made in the system. Allow the operation by clicking on the Accept button. Effect: The guilabel:Save changes button has been enabled. 2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is complete it indicates as such.

40

CHAPTER 2. EBOX INFRASTRUCTURE

The web server is enabled by default on port 80. 3. Action: Using a browser, access the following address: http://eBox_ip/. Effect: An Apache default page will be displayed with the message It works!. 4. Action: Access the Web menu. Change the port value from 80 to 1234 and click on the Change button. Effect: The guilabel:Save changes button has been enabled. 5. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is complete it indicates as such. Now the web server is listening on port 1234. 6. Action: Use the browser again to try to access http://<eBox_ip>/. Effect: A response is not obtained and, after a while, the browser will indicate that it was impossible to connect to the server. 7. Action: Now try to access http://<eBox_ip>:1234/. Effect: The server responds and the It works! page is obtained.

2.3.5 Exercises
Exercise A Create a Virtual domain called www.ebox-course.com with a test page. Use a browser to check that you can access it correctly, making sure that eBox is your DNS server and can resolve this domain.

41

eBox 1.2 for Network Administrators

2.4

Time synchronization service (NTP)


The NTP (Network Time Protocol ) protocol was designed to synchronize the clocks in PCs in an unreliable network with jitter. This service listens on port 123 of the UDP protocol. It is designed to withstand the effects of jitter. It is one of the oldest protocols of the Internet still in use (since before 1985). NTP version 4 can reach a precision of up to 200 s or greater if the clock is in the local network. There are up to 16 levels dening the distance of the reference clock and its associated precision. Level 0 is for atomic clocks that are not connected to the network but to another level 1 computer with RS-232 serial connection. Level 2 are the computers connected via NTP to those of a higher level and are normally offered by default in the most common operating systems, such as GNU/Linux, Windows or MacOS.

2.4.1 NTP server conguration with eBox


To congure eBox to use the NTP architecture
10

, eBox must rst be synchronized with an external

server of a higher level (normally 2) offered via System clients a relatively precise time over the Internet.

Date/Time. A list of these can be found

in the NTP pool (pool.ntp.org ), which is a dynamic collection of NTP servers that voluntarily give their

Once eBox has been synchronized as an NTP client 11 , eBox can also act as an NTP server with a globally synchronized time.
10 11

NTP public service project http://support.ntp.org/bin/view/Main/WebHome. eBox uses ntpdate as its NTP client. http://www.ece.udel.edu/~mills/ntp/html/ntpdate.html.

42

CHAPTER 2. EBOX INFRASTRUCTURE

Practical example Enable the NTP service and synchronize the time of your host using the command ntpdate. Check that both eBox and the client host are set to the same time. 1. Action: Access eBox, enter Module status and enable the ntp module by marking the checkbox in the Status column. This will show the changes to be made to the system. Allow the operations by clicking on the Accept button. Effect: The Save changes button has been enabled. 2. Action: Access the System

Date/Time menu. In the Synchronization with NTP servers

section, select Enabled and click on Change. Effect: The option to manually change the date and time is replaced by elds to enter the NTP servers with which to synchronize. 3. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is completed, it noties the user. Your eBox host will act as an NTP server. 4. Action: Install the ntpdate package in your client host. Run the command ntpdate <eBox_ip>. Effect: The time on the host will have been synchronized with that of the eBox host. You can check this by running the date command on both hosts.

43

eBox 1.2 for Network Administrators

44

Chapter 3 eBox Gateway

This section considers the main function of eBox as a gateway. eBox Gateway can make your network more reliable, optimized for your bandwidth and help you control whatever enters your network. This section includes a chapter that focuses on the functionality of the eBox rewall module, which enables you to manage rules for the incoming and outgoing trafc of your internal network. The rewall is not congured directly, but is supported by another two modules that provide easier network object and service management, as described in the rst part of the section. Load balancing can be applied for Internet access, along with different rules depending on the outgoing trafc. Furthermore, this section explains trafc shaping, which is used to ensure critical applications are served correctly and to even limit any applications generating a lot of network trafc. Finally, there is an introduction to the HTTP proxy service offered by eBox. This service allows or denies access from the internal network to the WWW using different ltering rules, including contentbased ones.

3.1

High-level eBox network abstractions


3.1.1 Network objects
Network objects are a way of giving a name to a network element or a group of elements. They are used to simplify and subsequently facilitate network conguration management by being able to select behavior for these objects.

45

eBox 1.2 for Network Administrators

To give an example, they can be used to give a signicant name to an IP address or a group of IP addresses. In the case of the latter, instead of dening access rules for each of the addresses, they merely have to be dened for the network object so that all the addresses belonging to the object take on this conguration.

Figure 3.1: GRAPHIC: representation of network objects

Management of network objects with eBox For object management in eBox, go to the submenu Objects and create new objects with an associated name and a series of members. Objects can be created, modied and deleted. These objects will be used later by other modules, such as the rewall, the Web cache proxy or the mail service. Each one will have at least the following values: name, IP address and network mask using CIDR notation. The physical address will only make sense for members with a single physical machine.

46

CHAPTER 3. EBOX GATEWAY

Figure 3.2: General appearance of the network object module

The members of an object can overlap the members of another; therefore, great care must be taken when using them in the remaining modules to obtain the desired conguration and avoid security problems.

3.1.2 Network services


A network service is the abstraction of one or more applicable protocols that can be used in other modules, such as the rewall or the trafc-shaping module. The use of the services is similar to that of the objects. It was seen that with the objects it was possible to make an easy reference to a group of IP addresses using a signicant name. It is also possible to identify a group of numerical ports that are difcult to remember and time-consuming to enter several times in different congurations, with a name in line with its function (more typically, the name of the level-7 protocol or application using these ports).

47

eBox 1.2 for Network Administrators

Figure 3.3: GRAPHIC: client connection to a server

Management of network services with eBox For management in eBox, go to the submenu Services, where it is possible to create new services, which will have an associated name, description and a ag indicating whether the service is external or internal. A service is internal if the ports congured for that service are being used in the machine in which eBox is installed. Furthermore, each service has a series of members. Each one will have the following values: protocol, source port and destination port. The value any can be entered in all of these elds, e.g. to specify services in which the source port is indifferent. Bear in mind that in network services based on the most commonly-used client/server model, clients often use any random port to connect to a known destination port. Well-known ports are considered those located between 0 and 1023, registered ports the ones located between 1024 and 49151 and private or dynamic ports are those located between 49152 and 65535. A list of known network services approved by the IANA 1 for UDP and TCP protocols can be found in the /etc/services le. The protocol can be TCP, UDP, ESP, GRE or ICMP. There is also a TCP/UDP value to avoid having to add the same port used for both protocols twice.
The IANA (Internet Assigned Numbers Authority ) is responsible for establishing the services associated with wellknown ports. The full list can be found at http://www.iana.org/assignments/port-numbers.
1

48

CHAPTER 3. EBOX GATEWAY

Figure 3.4: General appearance of the network service module Services can be created, modied and deleted. These services will be used later on in the rewall or trafc shaping by merely referring to the signicant name.

Practical example
Create an object and add the following: a host with no MAC address, a host with a MAC address and a network address. To do so: 1. Action: Access Objects. Add accountancy hosts. Effect: The accountancy hosts object has been created. 2. Action: Access Members of the accountancy hosts object. Create accountancy server member with a network IP address, e.g. 192.168.0.12/32. Create another member backup accountancy server with another IP address, e.g. 192.168.0.13/32, and a valid MAC address, e.g. 00:0c:29:7f:05:7d. Finally, create the accountancy PC network member with the IP address of a subnet of your local network, e.g. 192.168.0.64/26. Finally, go to Save changes to conrm the conguration created. Effect: The accountancy hosts object will contain three permanent members, i.e. accountancy server, backup accountancy server and accountancy PC network.

49

eBox 1.2 for Network Administrators

Exercises

Exercise A
Create a service called IRC with the following characteristics: Protocol: TCP External Single destination port: 6667

Exercise B
Change the conguration of the previous service to become internal and then try to change the port where eBox is listening in System General to 6667. Did you have any problems? Why?

3.2

Firewall
We will congure a rewall to see the application of the network objects and services. A rewall is a system that strengthens the access control policies between networks. In our case, a host will be devoted to protecting our internal network and eBox from attacks from the external network. A rewall allows the user to dene a series of access policies, such as which hosts can be connected to or which can receive data and the type thereof. In order to do this, it uses rules that can lter trafc depending on different parameters, such as the protocol, source or destination addresses or ports used. Technically speaking, the best solution is to have a computer with two or more network cards that isolate the different connected networks (or segments thereof) so that the rewall software is responsible for connecting the network packages and determining which can be passed or not and to which network they will be sent. By conguring the host as a rewall and router, trafc packages can be exchanged between networks in a more secure manner.

50

CHAPTER 3. EBOX GATEWAY

3.2.1 The rewall in GNU/Linux: Netlter


Starting with the Linux 2.4 kernel, a ltering subsystem known as Netlter is provided to offer packet ltering and Network Address Translation (NAT) 2 . The iptables command interface allows for the different conguration tasks to be performed for the rules affecting the ltering system (lter table), rules affecting packet translation with NAT (nat table) or rules to specify certain packet control and handling options (mangle table). It is extremely exible and orthogonal to handle, although it adds a great deal of complexity and has a steep learning curve.

3.2.2 eBox security model


The eBox security model is based on seeking to provide the utmost default security, in turn trying to minimize the work of the administrator regarding conguration when new services are added. When eBox acts as a rewall, it is normally installed between the local network and the router that connects that network to another, normally Internet. The network interfaces connecting the host to the external network (the router ) must be marked as such. This enables the Firewall module to establish default ltering policies.

Figure 3.5: Internal network - Filtering rules - External network

The policy for external interfaces is to deny all attempts of new connections to eBox. Internal interfaces are denied all connection attempts, except those made to internal services dened in the Services module, which are accepted by default. Furthermore, eBox congures the rewall automatically to provide NAT for packages entering through an internal interface and exiting through an external interface. Where this function is not
NAT (Network Address Translation): this is the process of rewriting the source or destination of an IP packet as it passes through a router or rewall. Its main use is to provide several hosts in a private network with Internet access through a single public IP.
2

51

eBox 1.2 for Network Administrators

required, it may be disabled using the nat_enabled variable in the rewall module conguration le in /etc/ebox/80rewall.conf.

3.2.3 Firewall conguration with eBox


For easier handling of iptables in ltering tasks, the eBox interface in Firewall used. Where eBox acts as a gateway, ltering rules can be established to determine whether the trafc from a local or remote service must be accepted or not. There are ve types of network trafc that can be controlled with the ltering rules: Trafc from an internal network to eBox (e.g. allow SSH access from certain hosts). Trafc among internal networks and from internal networks to the Internet (e.g. forbid Internet access from a certain internal network). Trafc from eBox to external networks (e.g. allow les to be downloaded by FTP from the host using eBox). Trafc from external networks to eBox (e.g. enable the Jabber server to be used from the Internet). Trafc from external networks to internal networks (e.g. allow access to an internal Web server from the Internet). Bear in mind that the last two types of rules may jeopardize eBox and network security and, therefore, must be used with the utmost care. The ltering types can be seen in the following graphic: eBox provides a simple way to control access to its services and to external services from an internal interface (where the intranet is located) and the Internet. It is normally object-congured. Hence, it is possible to determine how a network object can access each of the eBox services. For example, access could be denied to the DNS service by a certain subnet. Furthermore, the Internet access rules are managed by eBox too, e.g. to congure Internet access, outgoing packages to TCP ports 80 and 443 to any address have to be allowed. Each rule has a source and destination that depend on the type of ltering used. For example, the ltering rules for eBox output only require the establishing of the destination, as the source is always eBox. A specic service or its reverse can be used to deny all output trafc, for example, except SSH trafc. In addition, it can be given a description for easier rule management. Finally, each rule has a decision that can have the following values: Accept the connection.

Package ltering is

52

CHAPTER 3. EBOX GATEWAY

Figure 3.6: GRAPHIC: types of ltering rules

Figure 3.7: List of package ltering rules from internal networks to eBox

53

eBox 1.2 for Network Administrators

Deny connection by ignoring the incoming packages and making the source suppose that connection could not be established. Deny connection and also record it. Thus, through Logs -> Log query of the Firewall, it is possible to see whether a rule is working properly.

Port redirection Port redirections (destination NAT) are congured through Firewall Redirection, where an external port can be given and all trafc routed to a host listening on a certain port can be redirected by translating the destination address. To congure a redirection, the following elds need to be specied: interface where the translation is to be made, the original target (this could be eBox, an IP address or an object), the original destination port (this could be any, a range of ports or a single port), the protocol, the source from where the connection is to be started (in a normal conguration, its value will be any ), the target IP address and, nally, the destination port, where the target host is to receive the requests, which may or may not be the same as the original.

According to the example, all connections to eBox through the eth0 interface to port 8080/TCP will be redirected to port 80/TCP of the host with IP address 10.10.10.10.

54

CHAPTER 3. EBOX GATEWAY

Practical example Use the netcat program to create a simple server that listens on port 6970 in the eBox host. Add a service and a rewall rule so that an internal host can access the service. To do so: 1. Action: Access eBox, enter Module status and enable the Firewall module by marking the checkbox in the Status column. Effect: eBox requests permission to take certain actions. 2. Action: Read the actions to be taken and grant permission to eBox to do so. Effect: The Save changes button has been enabled. 3. Action: Create an internal service as in Exercise A of section High-level eBox network abstractions through Services with the name netcat and with the destination port 6970. Then go to Firewall

Package ltering in Filtering rules from internal networks to eBox and add the

rule with at least the following elds: Decision : ACCEPT Source : Any Service : netcat. Created in this action. Once this is done, Save changes to conrm the conguration. Effect: The new netcat service has been created with a rule for internal networks to connect to it. 4. Action: From the eBox console, launch the following command:

nc -l -p 6970
5. Action: From the client host, check that there is access to this service using the command nc:

nc <ip_eBox> 6970
Effect: You can send data that will be displayed in the terminal where you launched netcat in eBox.

55

eBox 1.2 for Network Administrators

3.2.4 Exercises
Exercise A Add a rule to enable a host in the internal network to browse. Check whether this is possible.

Exercise B Use the netcat program to create a simple server that listens on port 6970 in the eBox host. Add a service and a rewall rule so that an external host can access the service.

Exercise C Add a redirection so that an external host can connect via ssh to an internal host accessible through eBox.

Exercise D Using the iptables command, nd the ltering and NAT rule that eBox has added in the previous exercises.

3.2.5 Suggested exercises


Exercise E The rewall is the most common source of problems when testing network services. Therefore, it is useful to know how to allow all trafc in any direction. How would you do it?

56

CHAPTER 3. EBOX GATEWAY

3.3

Routing
3.3.1 Routing tables
The term routing refers to the action of deciding through which interface a certain packet must be sent from a host. The operating system has a routing table with a set of rules to make this decision. Each of these rules has different elds, although the three most important ones are: destinatino address, interface and router. These must be read as follows: to reach a certain destination address, the packet must be directed through a router, which is accessible through a certain interface. When the message arrives, its destination address is compared to the entries in the table and is sent through the interface indicated in the rule that matches. The best match is considered the most specic rule. For example, if a rule is specied indicating that to reach network A (10.15.0.0/16), router A must be used and another rule indicates that to reach network B (10.15.23.0/24), which is a subnet of A, router B must be used. If a packet arrives with destination 10.15.23.23/32, then the operating system will decide to send it to router B, as there is a more specic rule. All hosts have at least one routing rule for the loopback interface, or local interface, and additional rules for other interfaces that connect it to other internal networks or to Internet. To manually congure a static route table, Network

Routes is used (basically it is an interface

for the route or ip route commands). These routes may be overwritten if the DHCP protocol is used.

Figure 3.8: Route conguration

57

eBox 1.2 for Network Administrators

Gateway When sending a packet, if no route matches and there is a gateway congured, it will be sent through the gateway. The gateway is the route by default for packets sent to other networks. To congure a gateway, use Network Routers.

Name: Name identifying the gateway. IP address: IP address of the gateway. This address must be accessible from the host containing eBox. Interface: Network interface connected to the gateway. Packages sent to the gateway will be sent through this interface. Upload/Download: Upload and download rates supported by the gateway. These values are used by the trafc shaping module. Weight: The heavier the weight, the more trafc will be directed to this gateway when load balancing is enabled. Default: Indicates if this gateway should be used as the default one.

58

CHAPTER 3. EBOX GATEWAY

Subnets and subnet routing As indicated above, initially there were classes of networks with associated xed network masks, which were 8-bit multiples. Due to the lack of scalability of this approach, CIDR (Classless Inter-Domain Routing) was created to allow for network masks of a variable size to be used, allowing, for example, for a class C network to be divided into several subnets of a smaller size or to aggregate several class C subnets into one of a larger size. This allows: A more effective use of the scarce IPv4 address space. Better use of the hierarchy in address assignment (adding of prexes), decreasing routing overload throughout the Internet. The number of bits interpreted as the subnet identier is given by a netmask that is of the same length as the IP address. To nd the network of an IP address with its mask, proceed as follows: Address with full stops IP address Netmask Network portion 192.168.5.10 255.255.255.0 192.168.5.0 Binary 11000000.10101000.00000101.00001010 11111111.11111111.11111111.00000000 11000000.10101000.00000101.00000000

CIDR also introduced a new nomenclature that can be seen compared to the above in the following table: CIDR /32 /31 /25 /24 /21 Class 1/256 C 1/128 C 1/2 C 1C 8C N Hosts 1 2 128 256 2048 Mask 255.255.255.255 255.255.255.254 255.255.255.128 255.255.255.0 255.255.248.0

Practical example A
You will now congure the network interface statically. The class will be divided into two subnets. To do so: 1. Action: Access the eBox interface, enter Network

Interfaces and, for the network inter-

face eth0, select the :guilabel:Static method. As the IP address, enter that indicated by the instructor. As the Netmask, use 255.255.255.255.0. Click on the Change button.

59

eBox 1.2 for Network Administrators

The network address will be of the form 10.1.X.Y, where 10.1.X corresponds to the network and Y to the host. These values will be used from now on. Enter Network DNS and click on Add. As the Name server enter 10.1.X.1. Click on Add. Effect: The Save changes button has been enabled and the network interface keeps the data entered. A list is displayed containing the name servers, including the recently created server. 2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. 3. Action: Access Network Diagnosis. Ping ebox-platform.com. Effect: The following is given as the result:

connect: network is unreachable


4. Action: Access Network subnet. Effect: Three satisfactory connection attempts to the host are displayed as the result. 5. Action: Access Network Diagnosis. Ping to the eBox of a classmate in the other subnet. Effect: The following is given as the result:

Diagnosis. Ping to an eBox of a classmate part of the same

connect: network is unreachable

Practical example B
You will now congure a route to access hosts in other subnets. To do so: 1. Action: Access the eBox interface, enter Network the form with the following values: Network 10.1.X.0 / 24 Gateway 10.1.1.1 Description route to the other subnet

Routes and select Add new. Complete

60

CHAPTER 3. EBOX GATEWAY

Click on the Add button. Effect: The Save changes button has been enabled. A list is displayed containing the routes, including the recently created one. 2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. 3. Action: Access Network Diagnosis. Ping ebox-platform.com. Effect: The following is given as the result:

connect: network is unreachable


4. Action: Access Network Diagnosis. Ping to the eBox of a classmate in the other subnet. Effect: Three satisfactory connection attempts to the host are displayed as the result.

Practical example C
You will now congure a gateway to connect to the remaining networks. To do so: 1. Action: Access the eBox interface, enter Network during the previous exercise. Enter Network Routers and select Add new. Complete with the following data: Name Default Gateway IP address 10.1.X.1 Interface eth0 Upload 0 Download 0 Weight 1 Default yes Click on the Add button.

Routes and delete the route created

61

eBox 1.2 for Network Administrators

Effect: The Save changes button has been enabled. The list of routes has disappeared. A list of gateways is displayed containing the recently created gateway. 2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. 3. Action: Access Network Diagnosis. Ping ebox-platform.com. Effect: Three satisfactory connection attempts to the host are displayed as the result. 4. Action: Access Network Diagnosis. Ping to the eBox of a classmate in the other subnet. Effect: Three satisfactory connection attempts to the host are displayed as the result.

3.3.2 Multirouter rules and load balancing


Multirouter rules are a tool that enables PCs in a network to use several Internet connections transparently. This is useful if, for example, an ofce has several ADSL connections and the entire bandwidth available is to be used without having to worry about distributing the work of the hosts manually between both routers, so that the load is shared automatically between them. Basic load balancing evenly distributes the packets transferred from eBox to the Internet. The simplest form of conguration involves establishing different weights for each router so that, if the connections available have different capacities, they can be used optimally. Multirouter rules allow for certain trafc types to be sent permanently by the same router, where required. Common examples include sending emails through a certain router or ensuring that a certain subnet is always routed from the Internet through the same router. eBox uses the iproute2 and iptables tools for the conguration required for the multirouter function. iproute2 informs the kernel of the availability of several routers. For multirouter rules, iptables is used to mark the packets of interest. These marks can be used from iproute2 to determine the router through which a packet must be sent. There are several possible problems that must be considered. Firstly, the connection concept does not exist in iproute2. Therefore, with no other type of conguration, the packets belonging to the same connection could end up being sent by different routers, making communications impossible. To solve this, iptables is used to identify the different connections and ensure that all the packets of a connection are sent via the same router. The same applies to any incoming connections established. All response packets for a connection must be sent using the same router through which that connection was received.

62

CHAPTER 3. EBOX GATEWAY

To establish a multirouter conguration with load balancing in eBox, as many routers as required must be dened in Network

Routers. Using the weight parameter when conguring a router, it

is possible to determine the proportion of packets that each one will send. Where two routers are available and weights of 5 and 10, respectively, are established, 5 of every 15 packets will be sent through the rst router, while the the remaining 10 will be sent via the second.

Multirouter rules and trafc balancing are established in the Network Trafc balancing section. In this section, it is possible to add rules to send certain packets to a specic router, depending on the input interface, the source (this could be an IP address, an object, eBox or any), the destination (an IP address or a network object), the service with which this rule is to be associated and via which routers the trafc type specied is to be directed.

Practical example D Congure a multirouter scenario with several routers with different weights and check that it works using the traceroute tool. To do so:

63

eBox 1.2 for Network Administrators

1. Action: In pairs, leave one eBox with the current conguration and add a new gateway in the other, accessing Network following data: Name Gateway 2 IP address <classmates eBox IP> Interface eth0 Upload 0 Download 0 Weight 1 Default yes Click on the Add button. Effect: The Save changes button has been enabled. A list of gateways is displayed containing the recently created gateway and the previous gateway. 2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. 3. Action: Go to a console and run the following script :

Routers via the interface and clicking on Add new, with the

for i in $(seq 1 254); do sudo traceroute -I -n 155.210.33.$i -m 6; done


Effect: The result of running traceroute shows the different routers through which a packet passes to reach its destination. On running it in a host with multirouter conguration, the result of the rst leaps between routers should be different depending on the router chosen.

Exercises

Exercise A
Add a multirouter rule for a certain destination and check that the scenario works correctly using the traceroute tool.

64

CHAPTER 3. EBOX GATEWAY

3.4

Trafc shaping
3.4.1 Quality of Service (QoS)
Quality of Service (QoS) in computer networks refers to resource reservation control mechanisms to provide different priorities to different applications, users, or data ows, or to guarantee a certain level of performance according to the constraints imposed by the application. Constraints such as delay in delivery, the bit rate, the probability of packet loss or the variation delay per packet
3

may

be determined for various multimedia data stream applications such as voice or TV over IP. These mechanisms are only applied when resources are limited (wireless cellular networks) or when there is congestion in network, otherwise such QoS mechanisms are not required. There are several techniques to give quality of service: Reserving network resources: using Resource reSerVation Protocol (RSVP) to request and reserve resources in the routers. However, this option has been neglected because it does not scale well with Internet growth Differentiated services (DiffServ ): in this model, packets are marked according to the type of service they need. In response to these marks, routers and switches use various queuing strategies to tailor performance to requirements. This approach is currently widely accepted. In addition to these systems, bandwidth management mechanisms may be used to further improve performance such as trafc shaping, Scheduling algorithms o congestion avoidance. Regarding trafc shaping, there are two predominant methods: Token bucket : It dictates when trafc can be transmitted, based on the presence of tokens in the bucket (an abstract container that holds aggregate network trafc to be transmitted). Each token in the bucket can represent a unit of bytes of predetermined size, so each time that trafc is transmitted, the tokens are removed (cashed in). When there are no tokens, a ow cannot transmit its packets. Periodically, tokens are added to the bucket. Using such mechanism, it is allowed to send data in peak burst rate. Leaky bucket : Conceptually based on considering a bucket with a hole in the bottom. If packets arrive, they are placed into the bucket until it becomes full, then packets are discarded. Packets are sent at a constant rate, which is equivalent to the size of the hole in the bucket.
jitter or Packet Delay Variation (PDV) is the difference in end-to-end delay between selected packets in a ow with any lost packets being ignored.
3

65

eBox 1.2 for Network Administrators

eBox uses Linux kernel features Shaping Rules menu.

to shape trafc using token bucket mechanisms that allow to

assign a limited rate, a guaranteed rate and a priority to certain types of data ows through the Trafc

In order to perform trafc shaping, it is required to have, at least, an internal network interface and an external one. A congured gateway with a download and upload rates different from zero is required. The shaping rules are specic for each interface and they may be selected for those external network interfaces with assigned upload rate and all internal ones. If the external network interface is shaped, then you are limiting eBox output trafc to the Internet. The maximum output rate is the sum of all the upload rates provided by the gateways. If, however, you shape an internal network interface, then the eBox output to internal networks is limited. The maximum rate will be the sum of all download gateway rates. As it can be seen, shaping input trafc is not possible directly, that is because input trafc is not predictable nor controllable in almost any way. There are specic techniques from various protocols to handle the incoming trafc, for instance TCP by articially adjusting the TCP window size as well as controlling the rate of acknowledgements (ACK) being returned to the sender. Each network interface has a rule table to give priority (0: highest priority, 7: lowest priority), guaranteed rate and/or limited rate. These rules apply to trafc bound to a service, a source and/or a destination.

Figure 3.9: Trafc shaping rules

Practice example Set up a rule to shape incoming HTTP trafc by limiting it to 20KB/s. Check if it works properly. 1. Action: Add a gateway in Network Gateways to your external network interface.
4

Linux Advanced Routing & Trafc Control http://lartc.org

66

CHAPTER 3. EBOX GATEWAY

Effect: The Save changes button is enabled. The gateway list displays a single gateway. 2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is complete, it informs the user. 3. Action: Enter Services and add a new external service called HTTP with TCP protocol and destination port 80. Effect: eBox shows a list with all the services where the new service is displayed too. 4. Action: Enter Trafc Shaping Rules. Select the internal interface from the interface list and, using Add new, set a new rule with the following details: Enabled Yes Service Port-based service / HTTP Source any Destination any Priority 7 Guaranteed rate 0 Kb/s Limited rate 160 Kb/s Press the Add button. Effect: eBox displays a table with the new trafc shaping rule. 5. Action: Start downloading a huge le (for example a Ubuntu ISO image) from the Internet using the wget command. Effect: The download rate is stable around 20 KB/s.

3.4.2 Exercises
Exercise A Give an output guaranteed rate of 60 Kb/s to SSH data ow. Check using tc command:

67

eBox 1.2 for Network Administrators

# Iptables rule list $ sudo iptables -t mangle -vL ... Chain EBOX-SHAPER (1 references) pkts bytes target prot opt in 0 0 EBOX-SHAPER-eth2 all -583 369K EBOX-SHAPER-eth0 all -Chain EBOX-SHAPER-eth0 (1 references) pkts bytes target prot opt in 569 367K MARK all -- any 0 0 MARK all -- any 10 600 MARK tcp -- any

out any any

source eth2 anywhere eth0 anywhere

destination anywhere anywhere

out any any any

source 192.168.45.185 anywhere anywhere

destination anywhere 192.168.45.185 anywhere

Chain EBOX-SHAPER-eth2 (1 references) pkts bytes target prot opt in out source destination 0 0 MARK tcp -- any any anywhere anywhere 0 0 MARK tcp -- any any anywhere anywhere ... # List "qdisc" from "interface" interface $ sudo tc qdisc ls dev <interface> # Display stats about classes within "interface" interface $ sudo tc -s class ls dev <interface> ... class htb 1:400 parent 1:2 leaf 400: prio 1 rate 61440bit ceil 204800bit burst 1599 Sent 740 bytes 10 pkt (dropped 0, overlimits 0 requeues 0) rate 0bit 0pps backlog 0b 0p requeues 0 lended: 10 borrowed: 0 giants: 0 tokens: 194295 ctokens: 58289 ...

3.5

HTTP Proxy Service


A Web Proxy Cache server is used to reduce the bandwidth used in HTTP (Web) 5 connections, control access and improve the browsing security and browsing speed.
5

For more information about HTTP service, see the section Web data publication service (HTTP).

68

CHAPTER 3. EBOX GATEWAY

A proxy is a program that acts as intermediary in a connection, in this case a connection using the HTTP protocol. In this intermediation it can change the behaviour of the protocol, for example adding a cache or mangling the received data.

The HTTP proxy service available in eBox has the following features: Web content cache. It speeds up the browsing and reduces the bandwidth consumption. Access restriction. It can be restricted by source address, user or using a time table criteria. Antivirus. It blocks infected les. Content access restriction for given domains or le types. Content lter. eBox uses Squid 6 as proxy, and draws on Dansguardian 7 for content control.

3.5.1 Access policy conguration


The most important task when conguring the HTTP Proxy, is to set the access policy to the web content trough it. The policy determines whether the access to the web is allowed and whether the content lter is applied.
6 7

Squid: http://www.squid-cache.org Squid Web Proxy Cache Dansguardian: http://www.dansguardian.org Web content ltering

69

eBox 1.2 for Network Administrators

The rst step to do is to dene a default police. We set it in the page HTTP Proxy choosing one of the six available policies:

General,

Allow all: This policy allows to browse without restriction. However it does not mean that the cache is not used. Deny all: This policy denies the web access. At rst, it could seem not useful because you could too deny access with a rewall rule. However, as we will see later, we can dene particular policies for each network object, so we could use this policy to deny as default and then override it in some objects. Filter: This policy allows the access and also enables the content ltering, so the access could be denied depending on the requested content. Authorize and allow, Authorize and deny, Authorize and lter: These policies are derived from the previous policies but with authorization added. The authorization will be explained in the section HTTP Proxy advanced conguration.

After setting the default policy, we can rene our policy setting particular policies for each network object. To set them we must enter in the section HTTP Proxy Objects policy. We can choose any of the six policies for each object; when accessing the proxy from an object this policy will override the default policy. A network address can be contained in various objects so we can establish the priority rearranging the objects in the list. In this case, the policy with greater priority will be applied. It is also possible to dene a timetable for each object, access outside the specied time will be denied.

70

CHAPTER 3. EBOX GATEWAY

Warning: The timetable option is not compatible with policies that use the content lter.

Figure 3.10: Network objects web access policies

3.5.2 Client connection to the proxy and transparent mode


In order to connect to the HTTP proxy the users must congure their browser. The exact conguration method depends on the used browser but the information required is the eBox servers address and the port used by the proxy. The eBox proxy only accepts connections received on its internal interfaces so an internal address must be used in the browsers conguration. The default port is 3128 but it can be changed through the HTTP Proxy popular ports for HTTP proxy services are 8000 and 8080. To avoid that users could bypass the proxy and access directly to the web, you should deny the HTTP trafc in the rewall. One way to avoid the need to congure each browser is to use the transparent mode. In this mode, eBox should be the network gateway and the HTTP connections toward external servers (for example, Internet) will be redirected to the proxy. To activate this mode we should go to the HTTP Proxy conguration, the transparent mode is incompatible with policies with authorization. Finally, it must be kept in mind that the secure web trafc (HTTPS) cannot be used in transparent mode. If you want to allow it, you must set a rewall rule that allows it. This trafc will not be managed by the proxy.

General page. Other

General and enable the Transparent Proxy checkbox. As we will see in HTTP Proxy advanced

71

eBox 1.2 for Network Administrators

3.5.3 Cache parameters


In the section HTTP Proxy General, is possible to dene the disk cache size and which addresses are exempted from it. The cache size controls the maximum disk space used to store the cached web elements. This maximum size is set in the eld Cache le size that we nd under the heading General Settings. With a bigger size, the probability of recovering a web element from the cache increases, and as result the browsing speed could be increased and the bandwidth use could be reduced. In the other hand, the increase of size not only comes with a greater disk usage but also with a increase in the use of RAM memory because the cache must maintain in memory an index of the stored elements. It is the job of each system administrator to choose a size according to the server characteristics and the trafc prole. It is possible to establish domains that are exempted from cache usage. For example, you may have local web servers that a cache will not speed up and you will waste cache space with them. When a domain exempted from cache is requested, it will be contacted directly without any cache lookup and the response will be returned without being stored. The exempted domains are managed under the heading Cache Exemptions that we nd at the page HTTP Proxy General.

3.5.4 Web content lter


eBox allows to lter web pages according to their contents. To enable the lter, the default policy or the object policy of a given object should be either Filter or Authorize and Filter. With eBox, we can dene multiple lter proles but in this section we will only talk about the default prole, leaving the discussion of multiple proles to the section HTTP Proxy advanced conguration. In order to congure the lter settings you have to go to the page HTTP Proxy select the conguration of the default prole.

Filter Proles and

72

CHAPTER 3. EBOX GATEWAY

The content ltering is based in various test including virus ltering, heuristic word lter and simpler things like banned domains. The end result is the decision about whether to allow or deny the browsing of the page under analysis. The rst lter is the virus ltering. To use it you should have the antivirus module installed and enabled. Then you can congure in the lter prole whether you want to use it or not. When enabled it will block HTTP trafc with infected contents. The text content lter analyzes the text contained in the web page, if it is considered not appropriate according to the rules (for example is considered a text of a pornographic page) the request will be blocked. To control this process we can establish a threshold that will be compared to the score assigned to the page by the lter, if the score is above the threshold, the page will be blocked. The threshold is set in the lter prole, at the section Content ltering threshold. This lter can also be disabled by choosing the value Disabled. Itx should be noted that the text analysis could result either in false positives or false negatives, blocking innocent pages or letting pass inappropriate ones; this problems can be mitigated using domain policies but it could happen again with unknown pages. There are more explicit lters: * By domain. For example, denying the access to a sport newspaper domain * By le extension. For example, forbidding the download of .EXE les. * By le MIME type. For example, forbidding the download of video les. These lters are presented in the lter prole conguration by means of three tabs, Files extension lter, MIME types ltering and Domains ltering.

73

eBox 1.2 for Network Administrators

In the Files extension lter table you can congure which le extensions should be blocked. Likewise, in the MIME types ltering table you can establish which MIME types should be blocked. The MIME types (Multipurpose Internet Mail Extensions) are a standard, originally conceived to extend the contents of email, which dene the type of the content. They are used too by other protocols, HTTP among them, to determine the content of transfered les. An example of MIME type is text/html, which is the type for web pages. The rst part of the type informs about the type of content stored (text, video, images, executables, ...) and the second about the format used (HTML, MPEG, gzip, .. ). In the Domains ltering section, you will found the parameters related to ltering websites according to its domain. They are two global settings: Block not listed domains. This option will block domains that are not present in Domain rules or in the categories in Domain lists les. In this last case, the domains in a category with the policy of Ignore are considered not listed.

74

CHAPTER 3. EBOX GATEWAY

Block sites specied only as IP. This option blocks pages requested using their IP address instead of their domain name. The purpose of this option is to avoid attempts to bypass domain rules using IP addresses. Next we have Domain rules, where you can introduce domains and assign them one of the following policies: Always allow: The access to the content of this domain is always allowed. All the content lters are ignored. Always deny: The access to the contents of this domains will be always blocked. Filter: The lters will be applied to this domain as usual. However it will not be automatically blocked if the Block not listed domains option is active.

In Domain list les, you can simplify the management of domains using classied lists of domains. These lists are usually maintained by third parties and they have the advantage that the domains are classied in categories, allowing to dene policies for a full domain category. eBox supports the lists distributed by urlblacklist 8 , shallas blacklists
8 9

and any other that uses the same format.

URLBlacklist: http://www.urlblacklist.com Shallas blacklist: http://www.shallalist.de

75

eBox 1.2 for Network Administrators

This lists are distributed as compressed archives. Once downloaded, you can add the archive to your conguration and set policies for each category. The policies that can be set for each category are the same polices that can be applied to individual domains, and they will be enforced to all domains in the category. There is an additional policy called ignore, its effect is to ignore completely the presence of a category. This is the default policy for all categories.

Practical example Enable the transparent mode in the proxy. Check with the iptables command the added NAT rules which should have been added to enable this feature. 1. Action: Log into eBox, enter Module status and enable the HTTP Proxy module, to do this check its box in the column Status. Effect: eBox will ask for permission to overwrite some les. 2. Action: Read the reason for the changes on each le and grant permission to eBox to overwrite them. Effect: The Save changes button is highlighted. 3. Action: Go to HTTP Proxy

General, check the Transparent proxy checkbox. Make sure

that eBox can act as router, for this at least one internal and one external interfaces are required. Effect: The transparent mode is congured.

76

CHAPTER 3. EBOX GATEWAY

4. Action: Click into Save changes to enforce the new conguration. Effect: The rewall and HTTP proxy services will be restarted. 5. Action: In the console of the eBox computer, execute the command iptables -t nat -vL. Effect: The command output must be similar to this:

Chain PREROUTING (policy ACCEPT 7289 packets, 1222K bytes) pkts bytes target prot opt in out 799 88715 premodules all any any anywhere anywhere

Chain POSTROUTING (policy ACCEPT 193 packets, 14492 bytes) pkts bytes target prot opt in out 0 0 SNAT all any eth2 !10.1.1.1 anywhere to:10.1.1.1 Chain OUTPUT (policy ACCEPT 5702 packets, 291K bytes) pkts bytes target prot opt in out source destination Chain postmodules (1 references) pkts bytes target prot opt in out source destination Chain premodules (1 references) pkts bytes target prot opt in out source destination 0 0 REDIRECT tcp eth3 any anywhere !192.168.45.204 tcp dpt:www redir ports 3129

Exercises
Exercise A Disable the transparent mode. Establish a default policy that allows Internet browsing. Verify that you can browse the Internet through the proxy from a client.

Exercise B Disable the transparent mode. Set a default policy that forbids browsing. Check that Internet access through the proxy is denied.

Exercise C Enable the transparent mode. Set a default policy that allows browsing. From a client, access the Internet through the proxy without setting a explicit proxy connection.

77

eBox 1.2 for Network Administrators

Exercise D Set a default policy with content ltering. Enable the antivirus module. Enable virus ltering in the default prole. Check that the download of infected les is denied. You can use the EICAR test virus, that can be found in www.eicar.org.

Exercise E Set a default policy with content ltering. In the lter prole establish the content lter threshold to Very strict. Check that some pornographic pages are blocked.

Exercise F Set a default policy with content ltering. In the lter prole establish the content lter threshold to Very strict. Allow explicitly the access to one of the pages which were blocked in the previous exercise. Check that now you can access it.

Exercise G Set a default policy with content ltering. Deny the access to the domain marca.es. Check that this domain is blocked.

Exercise H Set a default policy with content ltering. Go to www.shallalist.de and download the domain list archive. Add it to the domain list les, block some categories and check that you cannot browse the domains contained on those categories. To know which domains are contained in each category, you can decompress the archive and look into the list that you can nd in each category directory.

Exercise I Set a default policy that forbids browsing. Create a network object with the address of a client. Set a policy that allows browsing for this object. Check that you can only browse from that client.

78

Chapter 4 eBox Ofce

One of the fundamentals for the creation of computer networks was the sharing of resources and data
1

. This issue is particularly emphasized here and is possibly the most useful section for the daily

operations of many local area networks in ofces or at home. Unied user and group management through a directory service for all network services, the use of shared les and printers and all groupware services, such as calendars, contacts and tasks, are discussed in this section.

4.1

Directory service (LDAP)


Directory services are used to store and sort the data relating to organizations (in this case, users and groups). They enable network administrators to handle access to resources by users by adding an abstraction layer between the resources and their users. This service gives a data access interface. It also acts as a central, common authority through which users can be securely authenticated. A directory service can be considered similar to the yellow pages. Its characteristics include: The data is much more often read than written. Hierarchical structure that simulates organisational architecture.
1

See Appendix A: Introduction to computer networks for further information.

79

eBox 1.2 for Network Administrators

Properties are dened for each type of object, standardized by the IANA 2 , on which access control lists (ACLs) can be dened. There are many different implementations of the directory service, including NIS, OpenLDAP, ActiveDirectory, etc. eBox uses OpenLDAP as its directory service with Samba technology for Windows domain controller and to share les and printers.

4.1.1 Users and groups


Normally, in the management of any size of organization there is the concept of user or group. For easier shared resource administration, the difference is made between users and their groups. Each one may have different privileges in relation to the resources of the organization.

Management of users and groups in eBox A group can be created from the Groups can contain a description.

Add group menu. A group is identied by its name and

Through Groups Edit group, the existing groups are displayed for edition or deletion. While a group is being edited, the users belonging to the group can be chosen. Some options belonging to the installed eBox modules with some specic conguration for the user groups can be changed too.
Internet Assigned Numbers Authority (IANA) is responsible for assigning public IP addresses, top level domain (TLD) names, etc. http://www.iana.org/
2

80

CHAPTER 4. EBOX OFFICE

The following are possible with user groups, among others: Provide a directory to be shared between users of a group. Provide permission for a printer to all users of a group. Create an alias for an e-mail account that redirects to all users of a group. Assign access permission to the different eGroupware applications for all users of a group. The users are created from the Users completed:

Add user menu, where the following data must be

81

eBox 1.2 for Network Administrators

User name: Name of the user in the system, which will be the name used for identication in the authentication processes. Name: Users name. Surnames: Users surnames. Comments: Additional data on the user. Password: Password to be used by the user in the authentication processes. Group: The user can be added to a group during its creation. From Users Edit user, a list of users can be obtained, edited or deleted.

While a user is being edited, all the previous data can be changed, except for the user name. The data regarding the installed eBox modules that have some specic conguration for users can also be changed, as well as the list of groups to which the user belongs.

82

CHAPTER 4. EBOX OFFICE

It is possible to edit a user to: Create an account for the Jabber server. Create an account for le or PDC sharing with a customized quota. Provide permission for the user to use a printer. Create an e-mail account for the user and aliases for it. Assign access permission to the different eGroupware applications. Enable and assign a telephone extension to the user.

User Corner The user data can only be modied by the eBox administrator, which becomes non-scalable when the number of users managed becomes large. Administration tasks, such as changing a users password, may cause the person responsible to waste a lot of time. Hence the need for the user corner. This corner is an eBox service that allows users to change their own data. This function must be enabled

83

eBox 1.2 for Network Administrators

like the other modules. The user corner is listening in another port through another process to increase system security.

Users can enter the user corner through: https://<eBox_ip>:<user_corner_port>/ Once users have entered their user name and password, changes can be made to their personal conguration. For now, the functions provided are: Change current password User voicemail conguration

Practical example A
Create a group in eBox called accountancy. To do so: 1. Action: Enable the users and groups module. Enter Module status and enable the module if it is not enabled. Effect: The module is enabled and ready for use. 2. Action: Access Groups. Add accountancy as a group. The comments parameter is optional. Effect: The accountancy group has been created. The changes do not have to be saved, as any action on LDAP is instant.

84

CHAPTER 4. EBOX OFFICE

Practical example B
Create the user peter and add him to the accountancy group. To do so: 1. Action: Access Users

Add user. Complete the different elds for the new user. The user

peter can be added to the accountancy group from this screen. Effect: The user has been added to the system and to the accountancy group. Check from the console that the user has been correctly added: 1. Action: In the console, run the command:

# id peter
Effect: The result should be something like this:

uid=2003(pedro) gid=1901(__USERS__) groups=1901(__USERS__) ,2004(accountancy)

Exercises

Exercise A
Enable the user corner and change the password of peter through this system.

4.2

File sharing service and remote authentication


4.2.1 File sharing
The le sharing takes place through a network le system. The systems more widely used are: NFS (Network File System) by Sun Microsystems, which was the rst one, AFS (Andrew File System) and CIFS (Common Internet File System), also known as SMB (Server Message Block ). The clients operate on les (opening, reading or writing les) as if they were locally stored in the machine, but the information can in fact be stored in different places, location being completely

85

eBox 1.2 for Network Administrators

transparent to the end user. Ideally, the client should not know whether the le is stored in the host itself or whether it is spread all over the network. However, this is not possible due to the network delays and the issues related to concurrent le updates which should not interfere among them.

4.2.2 SMB/CIFS and its Linux Samba implementation


SMB (Server Message Block ) or CIFS (Common Internet File System) is used to share the access to: les, printers, serial ports and any other series of communications between nodes in a local network. It also offers authentication mechanisms between processes. It is mainly used among computers with Windows. However, there are also some implementations in other operating systems such as GNU/Linux using Samba, which implements Windows system protocols using reverse engineering 3 . Given the success of some le sharing systems, Microsoft decided to rename SMB as CIFS, adding new features to it, such as: symbolic and hard links and bigger le sizes, as well as avoiding the use of NetBIOS 4 in which SMB is based.

4.2.3 Primary Domain Controller (PDC)


A Primary Domain Controller (PDC) is a domain server for Windows NT versions previous to the Windows 2000 version. In this environment, a domain is a system which allows restricted access to a series of resources with a username and password. Therefore, it can be used to log in in the system through remote access control. PDC has also been recreated by Samba inside the SMB authentication system. In modern Windows versions it is denominated Domain Controller.

4.2.4 eBox as le server


eBox uses Samba SMB/CIFS implementation for Linux as a le server and Windows operative system authentication. You will be able to congure eBox as a le server going to: File Sharing

General Settings

unchecking the Enable PDC option. The le sharing in eBox is integrated with the users and groups. As a result, each user can have a personal directory and each group can have a shared directory for all its users.
Reverse engineering tries to gure out the communication protocols just through observation of their messages. NetBIOS (Network Basic Input/Output System): API that allows communication among different computers in a local area network. It gives a NetBIOS name and IP address to each one of the hosts.
4 3

86

CHAPTER 4. EBOX OFFICE

Domain will refer to the Windows local network name whereas NetBIOS Name will identify eBox inside the Windows network. You can also give a Description with the domain characteristics. Apart from that, and as an optional feature, a Quota Limit can be established. To add a new shared directory, go to File Sharing Shared Directories and click Add new.

Enabled: This option has to be marked whenever the directory needs to be shared. Unmarking the option will cause the directory to no longer be shared, while keeping the settings. Shared directory name: This refers to the name of the shared directory. Shared directory path: A path can be created either in the eBox directory /home/samba/shares or using an already existing directory path. Comment: A more detailed description of the shared directory can be provided in this eld.

87

eBox 1.2 for Network Administrators

Access Control can be congured from the shared directory list. You can go to Add New in order to give reading, writing and administration permissions to a given user or group. If a user has administratiOn permission over a shared directory they will be granted all the permissions over the les created by other users in this directory.

Going to Groups Edit Group a shared directory for a group can also be created. Every member of this group will have access to this directory, being able to read and write all the les.

88

CHAPTER 4. EBOX OFFICE

4.2.5 SMB/CIFS clients conguration


Files can be shared between Windows and GNU/Linux once the le sharing service is running.

Windows client The selected domain will be found in Network Places

All the Network. The server

host with the selected name will show the shared resources it has.

89

eBox 1.2 for Network Administrators

Linux client 1. Konqueror (KDE) When using Konqueror

smb:// should be introduced in the location bar in order to see the

Windows network, where you will be able to nd the specied domain.

2. Nautilus (Gnome)

90

CHAPTER 4. EBOX OFFICE

When using Nautilus (Gnome) go to Network Server specied domain and the eBox server inside.

Windows Network in order to nd the

Taking into account that the personal directories are not shown when browsing the server resources, those will need to be introduced in the location bar. For example, if you need to have access to Peters personal directory, you will have to introduce the following address:

smb://<ip_de_ebox>/peter
3. Smbclient Besides the graphical interfaces, there is a command line client which works in a similar way to FTP clients. Smbclient allows actions such as: le downloading and uploading or le and directory information gathering among others. This could be an example of a session:

$ smbclient -U joe //192.168.45.90/joe > get ejemplo > put eaea > ls > exit $ smbclient -U joe -L //192.168.45.90/ Domain=[eBox] OS=[Unix] Server=[Samba 3.0.14a-Debian]

91

eBox 1.2 for Network Administrators

Sharename Type Comment -----------------_foo Disk _mafia Disk hp Printer br Printer IPC$ IPC IPC Service (eBox Samba Server) ADMIN$ IPC IPC Service (eBox Samba Server) joe Disk Home Directories Domain=[eBox] OS=[Unix] Server=[Samba 3.0.14a-Debian] Server Comment --------------DME01 PC Verificaci eBox-SMB3 eBox Samba Server WARP-T42 Workgroup Master --------------eBox eBox-SMB3 GRUPO_TRABAJO POINT INICIOMS WARHOL MSHOME SHINNER WARP WARP-JIMBO

4.2.6 eBox as authentication server


You have to go to File Sharing General Conguration and check the Enable PDC option in order to have eBox working as an authentication server (PDC).

92

CHAPTER 4. EBOX OFFICE

If the option Roaming Proles is enabled, the PDC server will store all the user proles. Any user prole will contain general information such as: Windows settings, Outlook e-mail accounts or its documents. Every time a user logs in an updated prole will be sent to them by the PDC server. The user can have access to his prole information from any computer. Please take into account the size of the users information when setting up your server in order to make sure there is enough space. In addition to that, the Disk Letter for the personal directory can be redened. Finally, you can dene user policy passwords through File Sharing PDC. Minimum Password Length Maximum Password Age. The password has to be changed after this period. Enforce Password History. Stores a number of passwords once modied. This policy only applies when a password is changed from Windows. Actually Windows will enforce the policy when a user logs in in a machine registered in the domain.

93

eBox 1.2 for Network Administrators

4.2.7 PDC Client Conguration


An account with administration rights will be needed in order to congure a PDC client, this can be done going to Users Quota.

Edit User File Sharing or PDC Account. You can also establish a Disk

Now, go to a different machine in the same LAN (keep in mind that the SMB/CIFS protocol works using broadcast) that has a CIFS-capable Windows (i.e., Windows XP Professional ). Click on My PC

Properties. This will launch the Network Id wizard. We will reboot the server

after entering the administratiion user name and password as well as the domain name given in the File Sharing conguration. The machine name can be the one already set, as long as it does not collide with an existing one already in the domain. After nishing the process, you need to reboot the machine. Every user can see their disk usage and quota in My PC.

94

CHAPTER 4. EBOX OFFICE

4.3

Printers sharing service


In order to share a printer in our network, allowing or denying users and groups the access to it, we need to have access to that printer from a host running eBox. This can be done through: direct connection, i.e., with a USB
5

or parallel port, or through the local network. Besides that, if we want to

obtain good results on its operation, we will need to know certain information regarding the manufacturer, the model and the driver of the printer. Printers can be added going to Printers Once there, you will be asked to enter all the necessary details in a wizard. First of all, we need to name the printer and to establish a connection method for it. The following methods are currently supported by eBox: Parallel port: A physical printer connected to the eBox server using parallel port. USB: A physical printer connected to the eBox server using USB AppSocket : A remote printer that uses the AppSocket protocol, also known as JetDirect. IPP: A remote printer that uses the Internet Printing Protocol (IPP) 6 .
Universal Serial Bus (USB) is a serial bus standard to connect devices to a host computer. Internet Printing Protocol (IPP) is a standard network protocol for remote printing as well as for managing print jobs, media size, resolution, and so forth. More information available on RFC 2910.
6 5

Add printer.

95

eBox 1.2 for Network Administrators

LPD: A remote printer that uses the Line Printer Daemon protocol (LPD) 7 . Samba: A remote printer shared through Samba or Windows printer sharing.

We will need to congure the connection parameters according to the selected method. For example, if we have a network printer, we will have to set up an IP address and a listening port as the following gure shows:

In the next four steps we will congure the printer driver that eBox needs to use in order to send the jobs to be printed out, dening: the manufacturer, the model, the printer driver as well as other settings.

Line Printer Daemon protocol (LPD) is a set of programs that provide printer spooling and network printer server functionality for Unix-like systems. More information available on RFC 1179.

96

CHAPTER 4. EBOX OFFICE

After these steps, the printer will be congured. Now you will be able to see not only the queued printing jobs but also the ones in progress. In addition to that, you can also modify any of the parameters already introduced in the wizard going to Printers Manage printers. The printers managed by eBox are accessible using the Samba protocol. You can

also enable the printing daemon CUPS in order to share the printers using IPP too.

Once the service is enabled and you have saved changes, you can give access to the resources editing either the group or the user (Groups Printers).

Edit Group Printers or Users Edit User

97

eBox 1.2 for Network Administrators

4.3.1 Exercises
Exercise A Add a network printer. Allow the accounting group to use it.

4.4

Groupware Service
Groupware, also known as collaborative software, is a set of applications integrating the work of different users in common projects. Each user can connect to the system from various working stations on the local network or from anywhere in the world via the Internet. Some of the most important functions of groupware tools are:

98

CHAPTER 4. EBOX OFFICE

Communication between users: mail, chat rooms, etc. Information sharing: shared calendars, task lists, common address books, knowledge base, le sharing, news, etc. Project management, resources, time management, bugtracking, etc. There is a large number of groupware solutions available on the market. Among the Open Source alternatives, one of the most popular options is eGroupWare
8

which is the one selected for eBox

Platform to implement such an important feature in business environments. Setting up eGroupware with eBox Platform is very simple. The goal is for the user not to need to access the traditional conguration offered in eGroupware and to allow him to manage all the settings from eBox interface, unless some advanced customization is needed. In fact, the password for the conguration of eGroupware is auto-generated and left in an unstable status.
9

by eBox and the administrator should use it under

her own responsibility: by taking any wrong action the module might become improperly congured

4.4.1 Groupware service settings with eBox


Most of eGroupware conguration is performed automatically by enabling the module and saving the changes. Without requiring any additional user intervention, eGroupware will be operating fully integrated with the eBox directory service (LDAP). All users being added to eBox from that moment on will be able to log in eGroupware without requiring any other action. In addition, we can integrate the webmail service provided by eGroupware with eBox mail module. For this the only action required is to select a pre-existing virtual domain and to enable the IMAP service, allowing for the reception of mail. Instructions for creating a mail domain and conguring the IMAP service are fully explained in chapter Electronic Mail Service (SMTP/POP3-IMAP4). For the selection of the domain used by eGroupware, you should access the menu Groupware and the tab Virtual Mail Domain. The interface is shown in the following image. It is only needed to select the desired domain and click the button Change. Although, as usual, this action does not take effect until the button Save Changes is pressed.
eGroupware: An enterprise ready groupware software for your network http://www.egroupware.org Note for eGroupware advanced users: The password is stored in the le /var/lib/ebox/conf/ebox-egroupware.passwd and usernames are admin and ebox for header and domain conguration respectively.
9 8

99

eBox 1.2 for Network Administrators

In order for users to be able to use the mail service they will need to have their own accounts created on it. The image below (Users Edit User ) shows that during the conguration of eGroupware a notice is displayed indicating the name of the mail account that should be used from eGroupware.

eGroupware consists of several applications; in eBox you can edit access permissions to these applications for each user assigning a permission template, as shown in the image above. There is a default permission template but you can dene other ad-hoc ones. The default permission template is useful for conguring most of the users of the system with the same permissions, so that when a new user is created permissions will be assigned automatically. To edit the default template go to the menu Groupware and tab Default Applications, as shown in the image.

100

CHAPTER 4. EBOX OFFICE

For small groups of users such as administrators, you can dene a custom permission template and apply it manually for these users. To dene a new template go to the tab User Dened Permission Templates in the menu Groupware and click on Add New. Once the name is entered it will appear on the table and you can edit the applications by clicking on Allowed Applications, in a similar way as with the default template.

Be aware that if you modify the default permission template, changes will only be applied to users that are created from that moment on. They will not be applied retroactively to users previously created. The same applies to the user-dened templates: if there were any users with that template applied on their conguration you should edit that users properties and apply the same template again once it has been modied.

101

eBox 1.2 for Network Administrators

Finally, once you have congured everything, you can access eGroupWare through the address http://<ebox_ip>/egroupware using the username and password dened in the eBox interface.

eGroupware management is beyond the scope of this manual. For any question, you should check the ofcial eGroupware user manual. It is available on-line in the ofcial website and it is also linked from within the application once you are inside.

Practical example Enable the Groupware module and check its integration with the mail. 1. Action: Access eBox, go to Module Status and activate module Groupware, checking the box in the column Status. You will be informed eGroupware conguration is about to change. Allow the operation by pressing the button Accept. Make sure you have previously enabled the modules on which it depends (Mail, Webserver, Users, ...). Effect: The button Save Changes is activated. 2. Action: Set up a virtual mail domain as shown in the example Practice example. In this example a user is added with her corresponding email account. Steps related to objects or forwarding policies in the example are not necessary. Follow the steps just until the point in which the user is added. Effect: The new user has a valid mail account. 3. Action: Access the :menuselection: Mail > General menu and in the Mail Server Options tab check the box IMAP Service Enabled and click Change. Effect: The change is saved temporarily but it will not be effective until changes are saved. 4. Action: Access the :menuselection: Groupware menu and in the Virtual Mail Domain tab select the previously created domain and click Change.

102

CHAPTER 4. EBOX OFFICE

Effect: The change is saved temporarily but it will not be effective until changes are saved. 5. Action: Save changes. Effect: eBox shows the progress while applying the changes and informs when it is done. From now on eGroupware is congured correctly to be integrated with your IMAP server. 6. Action: Access the eGroupware interface (http://<ebox_ip>/egroupware) with the user you created earlier. Access the eGroupware mail application and send an email to your own address. Effect: You will receive in your inbox the email you just sent.

4.4.2 Exercises
Exercise A Modify the default permission template by removing any of the applications enabled by default. Create a new user and check, by logging in eGroupWare, that the disabled applications do not appear.

Exercise B Add a new permission template with access to the admin application enabled. Apply it to a user and log into eGroupware to make sure you have access to the administration menu.

Exercise C Create a new mail domain and select it in order to use eGroupware. Change the existing user accounts to make them belong to the new domain and check from eGroupware interface that you can use it to send and receive emails.

103

eBox 1.2 for Network Administrators

104

Chapter 5 eBox Unied Communications

In this section we will see the different communication methods for sharing information that are centralized in eBox and are all accessible using the same username and password. First, the mail service is explained. It allows a quick and easy integration with the preferred mail client of the users of the network, offering also the latest techniques available to prevent spam. Second, the instant messaging service through the Jabber / XMPP protocol. It provides an internal IM service without having to rely on external companies or an Internet connection. It also offers conference rooms and can be used with any of the many clients available. It allows faster communication in the cases where the mail is not enough. Finally, we will see an introduction to voice over IP, which enables each person to have an extension to make calls or participate in conferences easily. Additionally, with an external provider, eBox can be congured to connect to the traditional telephone network.

5.1

Electronic Mail Service (SMTP/POP3-IMAP4)


The electronic mail service is a store and forward method messages over electronic communication systems.
1

to compose, send, store and receive

105

eBox 1.2 for Network Administrators

Figure 5.1: Diagram where Alice sends an email to Bob

5.1.1 How electronic mail works through the Internet


The diagram depicts a typical event sequence that takes place when Alice writes a message to Bob using her Mail User Agent (MUA). 1. Her MUA formats the message in email format and uses the Simple Mail Transfer Protocol (SMTP) to send the message to the local Mail Transfer Agent (MTA). 2. The MTA looks at the destination address provided in the SMTP (not from the message header), in this case bob@b.org, and resolves a domain name to determine the fully qualied domain name of the destination mail exchanger server (MX record that was explained in the DNS section). 3. smtp.a.org sends the message to mx.b.org using SMTP, which delivers it to the mailbox of the user bob. 4. Bob receives the message through his MUA, which picks up the message using Pop Ofce Protocol (POP3). There are many alternative possibilities and complications to the previous email system sequence. For instance, Bob may pick up his email in many ways, for example using the Internet Message Access Protocol (IMAP), by logging into mx.b.org and reading it directly, or by using a Webmail service.
Store and forward: Telecommunication technique in which information is sent to an intermediate station where it is kept and sent at a later time to the nal destination or to another intermediate station.
1

106

CHAPTER 5. EBOX UNIFIED COMMUNICATIONS

The sending and reception of emails between mail servers is done through SMTP but the users pick up their email using POP3 or IMAP. Using these protocols provides interoperability among different servers and email clients. There are also proprietary protocols such as the ones used by Microsoft Exchange and IBM Lotus Notes.

POP3 vs IMAP The POP3 design to retrieve email messages is useful for slow connections, allowing users to pick up all their email all at once to see and manage it without being connected. These messages are usually removed from the user mailbox in the server, although most MUAs allow to keep them on the server. The more modern IMAP, allows to work on-line or ofine as well as to explicitly manage server stored messages. Additionally, it allows simultaneous access by multiple clients to the same mailbox or partial fetches from MIME messages among other advantages. However, it is a quite complicated protocol with more server work load than POP3, which puts most of the load on the client side. The main advantages over POP3 are: Connected and disconnected modes of operation. Multiple clients simultaneously connected to the same mailbox. Access to MIME message parts and partial fetch. Message state information using ags (read, removed, replied, ...). Multiple mailboxes on the server (usually presented to the user as folders) allowing to make some of them public. Server-side searches Built-in extension mechanism

5.1.2 SMTP/POP3-IMAP4 server conguration with eBox


Setting up an email system service requires to congure an MTA to send and receive emails as well as IMAP and/or POP3 servers to allow users to retrieve their mails. To send and receive emails Postx
3 2

acts as SMTP server. The email retrieval service (POP3,

IMAP4) is provided by Dovecot . Both servers support secure communication using SSL.
2 3

Postx The Postx Home Page http://www.postx.org . Dovecot Secure IMAP and POP3 Server http://www.dovecot.org .

107

eBox 1.2 for Network Administrators

General conguration Through Mail General Mail server options you can access the general conguration to require authentication, to send email messages through the server or allow the SMTP communication encryption using the TLS for SMTP server setting.

In addition, the relay service is provided, that is, forwarding email messages whose source and destination are different from any of the domains managed by the server. Furthermore, in Mail

General Mail server options you can congure eBox to not send

messages directly but by using a smarthost, which is in charge of sending them. Each received email will be forwarded to the smarthost without keeping a copy. In this case, eBox would be an intermediary between the user who sends the email and the server which is the real message sender. The following settings can be congured: Smarthost to send mail: Domain name or IP address. Smarthost authentication: Whether the smarthost requires authentication using user and password or not.

108

CHAPTER 5. EBOX UNIFIED COMMUNICATIONS

Maximum message size accepted: Indicates, if necessary, the maximum message size accepted by the smarthost in MB. In order to congure the mail retrieval services go to the Mail retrieval services section. There eBox may be congured as POP3 and/or IMAP4 server, both allowing SSL support. In addition to this, eBox may be congured to act as a smarthost. To do so, you can add relay policies for network objects through Mail General Relay policy for network objects. The policies are based on the source mail server IP address. If the relay is allowed from a object, then each object member may send emails through eBox.

Warning: Be careful when using an Open Relay policy, i.e., forwarding email from everywhere, since your mail server will probably become a spam source. Finally, the mail server may be congured to use a content lter for their messages 4 . To do so, the lter server must receive the message from a xed port and send the result back to another xed port where the mail server is bound to listen the response. Through Mail General Mail lter options, you may choose a custom server or eBox as mail lter.
4

In Mail Filter section this topic is explained in depth.

109

eBox 1.2 for Network Administrators

Email account creation through virtual domains In order to set up an email account with a mailbox, a virtual domain and a user are required. From Mail Virtual Mail Domains, you may create as many virtual domains as you want. They provide the domain name for email accounts for eBox users. Moreover, it is possible to set aliases for a virtual domain. It does not make any difference to send an email to one virtual domain or any of their aliases.

In order to set up email accounts, you have to follow the same rules than when conguring le sharing. From Users Edit User Create mail account. There, you select the main virtual domain for the user. If you want to assign to the user more than a single email address, you can use aliases. Behind the scenes, the email messages are kept just once in a mailbox.

110

CHAPTER 5. EBOX UNIFIED COMMUNICATIONS

Likewise, you may set up aliases for user groups. Messages received by these aliases are sent to every user of the group. Group aliases are created through Groups Edit Group Create alias mail account to group.

Queue Management From Mail

Queue Management, you may see those email messages that havent already been

delivered. All the information about the messages is displayed. The allowed actions to perform are: deletion, content viewing or send retrying (re-queuing the message again).

Practice example
Set up a virtual domain for the mail service. Create a user account and a mail account within the domain for that user. Congure the relay policy to send email messages. Send a test email message with the new account to an external mail account.

111

eBox 1.2 for Network Administrators

1. Action: Log into eBox, access Module status and enable Mail by checking its checkbox in the Status column. Enable Network and Users and Groups rst if they are not already enabled. Effect: eBox requests permission to overwrite certain les. 2. Action: Read the changes of each of the les to be modied and grant eBox permission to overwrite them. Effect: The Save changes button has been enabled. 3. Action: Go to Mail Virtual Mail Domains and click Add new to create a new domain. Enter the name in the appropriate eld. Effect: eBox noties you that you must save changes to use this virtual domain. 4. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is completed, you will be notied. Now you may use the newly created virtual mail domain. 5. Action: Enter Users Add User, ll up the user data and click the Create button. Effect: The user is added immediately without saving changes. The edition screen is displayed for the newly created user. 6. Action: Introduce a name for the user mail account in Create mail account and create it. Effect: The account has been added immediately and options to delete it or add aliases for it are shown. 7. Action: Enter the Object Add new menu. Fill in a name for the object and press Add. Click on Members in the created object. Fill in again a name for the member and write the host IP address where the mail will be sent from. Effect: The object has been added temporarily and you may use it in other eBox sections, but it is not persistent until you save changes. 8. Action: Enter Mail

General Relay policy for network objects. Select the previously

created object making sure Allow relay is checked and add it. Effect: The Save changes button has been enabled. 9. Action: Save the changes Effect: A relay policy for that object has been added, which makes possible from that object to send e-mails to the outside.

112

CHAPTER 5. EBOX UNIFIED COMMUNICATIONS

10. Action: Congure a selected MUA in order to use eBox as SMTP server and send a test email message from this new account to an external one. Effect: After a brief period you should receive the message in your external account mailbox. 11. Action: Verify using the mail server log le /var/log/mail.log that the email message was delivered correctly.

Exercises

Exercise A
Send an email using the mail account created above, setting the same address as recipient. Check that the email message may be retrieved using POP3. Also congure it to use Secure POP to enhance retrieval security.

Exercise B
Congure the SMTP service to use authentication and TLS. Send an email message using the same user as above to an external mail account using the password and TLS.

Exercise C
Enable IMAP to access mailboxes and check if it works properly. Now congure it to use Secure IMAP to improve retrieval security.

Exercise D
Send a message whose recipient is root@hostname substituting hostname by the real congured host name. Verify that the message is shown in the pending messages queue.

113

eBox 1.2 for Network Administrators

Exercise E
Set up a virtual mail domain alias and an alias for the users mail account. Send an email message whose recipient is that alias with that domain and make sure the message was received correctly.

5.2

Instant Messaging (IM) Service (Jabber/XMPP)


Instant messaging (IM) applications manage a list of people with whom one wishes to stay in touch by exchanging messages. They convert the asynchronous communication provided by email in a synchronous communication in which participants can communicate in real time. Besides the basic conversation, IM has other benets such as: * Chat rooms. * File transfer. * Shared Whiteboard to view drawings done by a peer in real-time. * Simultaneous connection from devices with different priorities (e.g.: from the mobile and the computer, giving preference to one of them for receiving messages). Nowadays, there are many instant messaging protocols such as ICQ, AIM or Yahoo! Messenger, whose operation is essentially privative and centralized. However, Jabber/XMPP is a set of protocols and technologies that enable the development of distributed messaging. This protocol is public, open, exible, extensible, distributed and secure. Moreover, although Jabber/XMPP is still in the process of becoming an international standard, it has been adopted by Cisco or Google (for its messaging service Google Talk) among others. eBox employs Jabber/XMPP as its IM protocol. Jabber/XMPP is integrated with user management through Jabber Service. Additionally, eBox uses jabberd2 5 as XMPP server.

5.2.1 Conguring a Jabber/XMPP server with Ebox


First, check if the module users and groups is enabled, as Jabber depends on it. If so, go to Module State in the eBox Menu and mark the box jabber. To congure the server go to Jabber Service, setting the following parameters: Domain Name: Specifying the name of the server, the users accounts will be user@domain. Tip: domain should have an entry in the DNS, so it can be resolved.
5

jabberd 2.x - XMPP server written in C http://jabberd2.xiaoka.com/

114

CHAPTER 5. EBOX UNIFIED COMMUNICATIONS

Figure 5.2: Jabber Service general conguration

Connect to other servers: We must check this box if we want our users to contact users of external servers. On the contrary, if you want a private server, only for your internal network, it should be left unchecked. Enable Multi User Chat (MUC): It enables the chat rooms 6 for more than two users, giving the possibility to invite users, moderate and administer the room, etc. These rooms can be created as permanent or temporary. SSL Support: It species whether the communications with the server are encrypted. You can disable it, make it mandatory or leave it as optional. If you leave SSL encryption as optional, it has to be selected when conguring the Jabber client. To register a user in the Jabber/XMPP service, go to Users for an already existing user. As you can see in the picture, a section called Jabber account will appear, where you can select whether the account is enabled or disabled. Moreover, you can specify whether the user will have administrator privileges on the Jabber server. Administrator privileges allow to see which users are connected to the server, send them messages, set the message displayed when connecting (MOTD, Message Of The Day) and send a notice to all users connected (broadcast).
6

Add User if you want to create a

new user account on the Jabber server, or to Edit user if you just want to enable the Jabber account

There is a standard for Jabber/XMPP chat rooms in http://xmpp.org/extensions/xep-0045.html

115

eBox 1.2 for Network Administrators

Figure 5.3: Setting up a Jabber account for a user

5.2.2 Setting up a Jabber client


For the example of the conguration of a Jabber client, we will use Pidgin, but if you use another client, the next steps should be very similar. Pidgin [#] _ is a multi-protocol client that allows to manage multiple accounts at the same time. In addition to Jabber/XMPP, Pidgin supports many other protocols such as IRC, Yahoo! and MSN. Pidgin is included by default in the desktop version of Ubuntu, and you can nd it in the menu Internet

IM client Pidgin. When starting Pidgin, if you do not have an account created yet, the

window to manage accounts will appear as shown in the picture.

From this window, you can add new accounts and modify and delete existing accounts.

116

CHAPTER 5. EBOX UNIFIED COMMUNICATIONS

Clicking on Add, two tabs with the basic and advanced conguration will appear. For the basic conguration of your Jabber/XMPP account, start by selecting the protocol XMPP. The name and password should be the same that the Jabber-enabled users have on eBox. The domain must be the same than that selected in the conguration of Jabber Service. In the eld Local nick, write the name you want to show to your contacts.

In case the domain of the Jabber server is not a domain registered in the eBox DNS, you will have to provide eBox IP or domain name. You can do this in the eld Connect with the server in the tab Advanced.

117

eBox 1.2 for Network Administrators

If you have congured the Jabber service to require SSL, you must check the boxes: Requires SSL/TLS and Force old SSL, and set the Connection port to the value 5223.

Practical example Enable the Jabber service and assign to it a domain name that eBox is able to resolve. 1. Action: Go to Module Status and enable the module Jabber. When the info about the actions required in the system is displayed, allow them by clicking Accept. Effect: Enabled the button Save Changes. 2. Action: Add a domain with the desired name and whose IP address is equivalent to the eBox machines, in the same way done in Practical example B . Effect: You will be able to use the added domain as the domain for your Jabber service. 3. Action: Access the menu Jabber Service. In the eld Domain Name, write the domain name just added. Click Apply Changes. Effect: Save Changes has been enabled. 4. Action: Save the changes. Effect: eBox shows the progress while applying the changes. Once done, it is shown. The Jabber Service is ready to be used.

118

CHAPTER 5. EBOX UNIFIED COMMUNICATIONS

5.2.3 Exercises
Exercise A Enable the Jabber account for an eBox user and check that it is possible to launch your session in the server. Double check that you are using the eBox IP adddress as the primary DNS to be able to resolve the domain correctly.

Exercise B Add a colleague as a friend and check you are able to communicate with him. Check it with an external account too if your server is connected to the global Jabber network.

Exercise C Repeat what you have done in the former exercises, but with SSL. Set SSL Support to Mandatory and check what are the required changes in the conguration of the client to be able to connect.

Exercise D Enable the support for multi-user chat rooms and connect to the room with several accounts. For this, in Pidgin go to Friends Join a chat.... The rst person to join the room is in charge of creating and conguring it.

5.3

Voice over IP service


Voice over IP or VoIP involves transmitting voice over data networks using different protocols to send the digital signal through packets, instead of using analog circuits. Any IP network can be used for this purpose, including private or public networks such as Internet. There are huge cost savings on using the same network for data and voice, without losing quality or reliability. The main issues of VoIP deployments over data networks are NAT
8 7

and the difculties to

manage it, and QoS , because of the need to offer a quality real-time service, where latency (the
7 8

Concept explained in section Firewall . Concept explained in section Trafc shaping .

119

eBox 1.2 for Network Administrators

time it takes for data to arrive at destination), jitter (variations on latency) and bandwidth have to be considered.

5.3.1 Protocols
There are several protocols involved in voice transmission, from network protocols such as IP and transport protocols like TCP or UDP, to voice protocols, both for transport and signaling. VoIP signaling protocols accomplish the task of establishing and controlling the call. SIP, IAX2 and H.323 are signaling protocols. The most widely used voice transport protocol is RTP (Realtime Transport Protocol ), which carries the encoded voice from origin to destination. This protocol starts once the call is established by the signaling protocol.

IAX2 IAX2 is the second version of the Inter Asterisk eXchange protocol, created for connecting Asterisk
9

PBX systems. The main features of this protocol are that voice and signaling travel through the same data stream, which can be encrypted. This can traverse NAT easily and there is less overhead when trying to keep multiple communication channels open among servers. IAX2 works on UDP/4569 port.

SIP SIP or Session Initiation Protocol is a protocol created by the IETF 10 for the establishment, modication and termination of interactive multimedia sessions. It incorporates many elements of HTTP and SMTP. SIP only handles signaling and works over the UDP/5060 port. Multimedia transmission is handled by RTP over the port range UDP/10000-20000.
9 10

Asterisk is a PBX software that eBox uses for its VoIP module (http://www.asterisk.org/). Internet Engineering Task Force develops and promotes communication standards used on Internet.

120

CHAPTER 5. EBOX UNIFIED COMMUNICATIONS

5.3.2 Codecs
A codec is an algorithm that adapts digital information (encoding at origin, and decoding at destination) to compress it, reducing bandwidth usage, and to detect and recover from transmission errors. G.711, G.729, GSM and speex are common codecs for VoIP. G.711: It is one of the most used codecs. It comes in two avors: an American one (ulaw ) and an European one (alaw ). This codec offers good quality, but it has signicant bandwidth requirements (64kbps), which makes it the ideal choice for communication over local networks. G.729: It offers a better compression using only 8kbps, being ideal for Internet communications. There are some usage restrictions. GSM: It is the same codec that is used in mobile networks. Voice quality is not very good and it uses around 13kbps. speex: It is a patent-free codec specially designed for voice. It is very versatile, though it uses more CPU than the rest. It can work at different bitrates, such as 8KHz, 16KHz and 32KHz, usually referred as narrowband, wideband and ultra-wideband, each consuming 15.2kbps, 28kbps and 36kbps respectively.

5.3.3 Deployment
Lets cover the elements involved in a VoIP deployment:

IP Phones They are phones with a traditional look, but which are able to use a RJ45 connector to plug them to a Ethernet network instead of the RJ11 connector for phone networks. They also add new features, like address book access, call automation, ... not present in regular analog phones.

Analog Adapters Analog adapters, also known as ATA (Analog Telephony Adapter ), they can connect a traditional analog phone to an IP data network, and make it work like an IP phone. It has a RJ45 data port and one or more RJ11 phone ports.

121

eBox 1.2 for Network Administrators

122

CHAPTER 5. EBOX UNIFIED COMMUNICATIONS

Softphones Softphones are computer programs to make and receive calls without additional hardware (except the computers microphone and speakers). There are multiple applications for all platforms and operating systems. X-Lite and QuteCom (WengoPhone) are available for Windows, OSX and GNU/Linux. Ekiga (GnomeMeeting) or Twinkle are native applications for GNU/Linux.

IP PBXs In contrast to traditional telephony which routed all calls through a central PBX, VoIP clients (IP phones or softphones) register on the server, ask it for the call recipient info, and then establish the call directly.

123

eBox 1.2 for Network Administrators

When establishing the call, the caller and the recipient negotiate a common codec for voice transmission. Asterisk is a software-only application that works in commodity servers, providing the features of a PBX (Private Branch eXchange): connect multiple phones amongst them, with a VoIP provider or the public telephone network. It also offers services such as voicemail, conference, interactive voice responses, etc. To connect the Asterisk server to the public network, it needs extra cards called FXO (Foreign eXchange Ofce) which allow Asterisk to act like a regular phone and route calls through the phone network. To connect an analog phone to the server, it needs a FXS (Foreign eXchange Station) card. That way, existing phones can be adapted to the new IP telephony network.

5.3.4 Asterisk server conguration with eBox


eBox VoIP module allows you to manage an Asterisk server with the users that already exist on the system LDAP server, and the most common features congured.

As usual, the module must be enabled rst. Go to Module status and select the VoIP checkbox. If the Users and groups is not enabled, it should be enabled beforehand. To change the general conguration, go to VoIP parameters should be congured:

General. Once there, the following general

124

CHAPTER 5. EBOX UNIFIED COMMUNICATIONS

Enable demo extensions: Enables extensions 500 and 600. A call to extension 500 starts a call via IAX to guest@pbx.digium.com. Extension 600 provides an echo test, to estimate our call latency. This two extensions can help to check if a client is well congured. Enable outgoing calls: Enables outgoing calls to other servers (like user@domain.tld) or through a SIP provider to call regular phones. To call through the SIP provider, add an additional zero before the number to call. For instance, to call eBox Technologies ofces (+34 976733507, or 0034976733506), dial 00034976733506. Voicemail extension: It is the extension to call to check the voicemail. User and password are both the extension assigned by eBox when creating the user, or assigned the rst time. It is strongly recommended to change that password immediately from the User corner 11 . The application listening on this extension allows you to change the welcome message, listen to recorded messages and delete them. For security reasons, it is only accessible by the users of the eBox server, so it does not accept incoming calls from other servers. VoIP domain: It is the domain assigned to the user addresses. A user user, with a extension 1122, can be called at user@domain.tld or 1122@domain.tld. In the SIP provider section, enter the credentials supplied by the SIP provider, so eBox can route calls through it: Name: It is the identier of the provider in eBox.
11

User corner is explained in the section User Corner .

125

eBox 1.2 for Network Administrators

User name: It is the user name in the provider. Password: It is the password in the provider. Server: It is the domain name of the providers server. Recipient of incoming calls: It is the internal extension that will receive the incoming calls to the providers account. The NAT conguration section denes the network location of your eBox host. If it has a public IP address, the default option eBox is behind NAT is not appropriate. If it has a private IP address, Asterisk needs to know your Internet public IP address. If you have a xed public address, select Fixed IP address and enter it; if the IP is dynamic, congure the dynamic DNS service (DynDNS) available in Network hostname. In the Local networks section, you can add the local networks to which eBox has direct access without NAT, like VPN or not congured network segments, like a Wi-Fi network. This is necessary because of how SIP behaves in NAT environments. The conference conguration is accessed through VoIP

DynDNS (or congure it manually) and enter the domain name in Dynamic

Meetings. There you can congure

multiple conference rooms. These rooms extension should t in the 8001-8999 range and optionally have a password and a description. These extensions can be accessed from any server by dialing extension@domain.tld.

126

CHAPTER 5. EBOX UNIFIED COMMUNICATIONS

5.3.5 Conguring a softphone to work with eBox 5.3.6 Ekiga (Gnome)


Ekiga
12

is the softphone (or VoIP client) recommended by the Gnome desktop environment. When

rst launched, Ekiga presents a wizard to congure the users personal data, audio and video devices, the connection to the Internet and the Ekiga.net s services. We can skip the conguration of both Ekiga.net and Ekiga Call Out. From Edit > Accounts, selecting Accounts > Add a SIP Account you can congure your VoIP account in eBox Platform. Name: Identier of the account inside Ekiga. Register server: Domain name of the VoIP server. User and User for authentication: Both are the user name. Password: User password.

After setting the account, it will attempt to register on the server. To make a call is as simple as typing the number or SIP address on the top bar, and call using the green phone icon to the right of the bar. To hang up, use the red phone icon.
12

http://ekiga.org

127

eBox 1.2 for Network Administrators

128

CHAPTER 5. EBOX UNIFIED COMMUNICATIONS

Qutecom (Multiplatform) Qutecom 13 is a softphone that uses Qt4 libraries, what makes it available for the three more popular operating systems: GNU/Linux, OSX and Windows. When launched rst time it shows a wizard to congure the VoIP account, as Ekiga does.

You have a keypad or a list of contacts to make calls. Use the green/red buttons at the bottom to call and hang up.

13

http://www.qutecom.org

129

eBox 1.2 for Network Administrators

Example Create a user with a VoIP account. Change the extension to 1500. 1. Action: Log into eBox, click on Module status and enable the VoIP module by clicking the checkbox in the Status column. If Users and Groups is not enabled you should enable it previously. Then you will be informed about the changes that are going to take place in the system. You should allow these actions by clicking the Accept button. Effect: The Save Changes button has been activated. 2. Action: Go to VoIP. Write the machines domain name in VoIP Domain. The domain should be resolvable from the machines of the service clients. Click on Change. 3. Action: Save the changes done. Effect: eBox shows its progress while applying the changes. Once it is done, it shows it. VoIP service is ready to be used. 4. Action: Access the Users Create User. Effect: eBox creates a new user and shows you its prole. 5. Action: In the section VoIP Account, eBox shows if the user has its account enabled or disabled, and also its extension. Make sure that the account is enabled, all the users created while the VoIP module is enabled should have their account also enabled. Finally, change the extension given by defect (say, the rst free extension of the range of users), to the extension 1500. Click on Apply changes in the VoIP Account section. Effect: eBox apply the changes immediately. The user is able to receive calls in that extension.

Add User menu. Fill in the form to create a new user. Click on

5.3.7 Exercises
Exercise A Create a user with a VoIP account. Congure this user account for one of the softphones discussed previously. Enable the test extensions and verify that it works correctly.

130

CHAPTER 5. EBOX UNIFIED COMMUNICATIONS

Exercise B Create a VoIP account for another user. Close the softphone congured previously and, using other of the VoIP clients, set up this new user. Call the rst user that we have created and left him a message in the voice mailbox. Close again the current softphone and, using the former one, check the voice mail of the user we called.

Exercise C Create a conference room in one of the allowed extensions and invite someone to join and test it.

131

eBox 1.2 for Network Administrators

132

Chapter 6 eBox Unied Threat Manager

This section will explain different techniques to protect your network beyond a simple rewall, preventing external attacks, and detecting possible intrusions into your network services. An email service without a spam lter is a waste of time and resources. This section shows different techniques to avoid junk mail (spam) and viruses in the email service provided by eBox. Web trafc can also bring problems depending on the sites visited. Therefore, in this section we explain the integration of the content ltering of the HTTP proxy with an antivirus and several advanced congurations to provide greater security to the Internet browsing of the users in the network. We will also explain how to allow the employees outside the ofce to securely connect your local network, or how to make connections between ofces by using virtual private networks. For that we will dene the bases of the network security. Finally, it is explained how the intrusion detection system uses rulesets to match the contents of the trafc packages in order to detect external attacks. You can get notications of possible attacks and analyze the damage they may have caused.

6.1

Mail Filter
The main issues when talking about email are spam and viruses. Spam, or not desired email, makes the user waste time looking for the right emails in the inbox. Moreover, spam generates a lot of network trafc that could affect the network and email services.

133

eBox 1.2 for Network Administrators

Although the viruses do not harm the system where eBox is installed, an infected email could affect other computers in the network.

6.1.1 Mail lter schema in eBox


To defend ourselves from these threats, eBox has a mail lter quite powerful and exible.

Figure 6.1: GRAPHIC: eBoxs mail lter schema

In the gure, we can observe the different steps that a message follows before tagging it. First, the email server sends it to the greylisting policies manager. If the email passes through the lter, spam and viruses are checked next using a statistical lter. Finally, if everything is OK, the email is considered valid and is sent to its recipient or stored in the servers mailbox. In the following section, details on those lters and its conguration will be explained in detail.

Greylist A greylist [#] _ is a method of defense against spam which does not discard emails, but makes life harder for the spammers. In the case of eBox, the strategy is to pretend to be out of service. When a server wants to send a new mail, eBox says Im out of service at this time, try in 300 seconds 1 . If the server meets the specication, it will sent the message again a bit later and eBox will consider it as a valid server. However, the servers that send spam do not usually follow the standard. They will not try to send the email again and eBox will include them in a black list.
1

eBox uses postgrey http://postgrey.schweikert.ch/ as the policy manager in postx.

134

CHAPTER 6. EBOX UNIFIED THREAT MANAGER

Figure 6.2: GRAPHIC: Schematic operation of a greylist Greylisting is congured from Mail Greylist with the following options:

Enabled: Set to enable greylisting. Greylist duration: Seconds the sending server must wait before sending the mail again. Retry window: Time (in hours) when the sender server can send email. If the server has sent any mail during that time, that server will go down in the grey list. In a grey list, the mail server can send all the emails you want without temporary restrictions. Entry time-to-live: Days that data will be stored in the servers evaluated in the greylist. After the congured days, the mail server will have to pass again through the greylisting process described above.

135

eBox 1.2 for Network Administrators

Content ltering system Mail content ltering is provided by the antivirus and spam detectors. To perform this task, eBox uses an interface between the MTA (postx) and those programs. amavisd-new
2

talks with the MTA via

(E)SMTP or LMTP (Local Mail Transfer Protocol RFC 2033) to check that the emails are not spam neither contain viruses. Additionally, this interface performs the following checks: White and black lists of les and extensions. Malformed headers.

Antivirus The antivirus used by eBox is ClamAV 3 , which is an antivirus toolkit designed for UNIX to scan attachments in emails in an MTA. ClamAV updates its virus database through freshclam. This database is updated daily with new virus that have been found. Furthermore, the antivirus is able to scan a variety of le formats such as Zip, BinHex, PDF, etc.. In Antivirus, you can check if the antivirus is installed and up to date.

You can update it from Software Management, as we will see in Software Updates. If the antivirus is installed and up to date, eBox will use it in the following modules: SMTP proxy, POP proxy, HTTP proxy and even le sharing.

Antispam eBox employs a Bayesian lter to detect spam. It is necessary to train the lter, indicating what is junk mail and what is not. The latter kind of mail is often called ham. The lter will detect statistical patterns to classify the mail as spam or ham. eBox uses Spamassassin
4

as spam detector, based on rules of content similarity. It can use a

Bayesian lter or network rules such as:


2 3 4

Actually the mail server sends as response Greylisted, say, put on the greylist. Amavisd-new: http://www.ijs.si/software/amavisd/ Clam Antivirus: http://www.clamav.net/

136

CHAPTER 6. EBOX UNIFIED THREAT MANAGER

DNS published blacklists (DNSBL). URI blacklists that track spam websites. Filters based on the checksum of messages. Sender Policy Framework (SPF): RFC: 4408. Others. [#] _ The general conguration of the lter is done from Mail lter Antispam:

Spam threshold: Mail will be considered spam if the score is above this number. Spam subject tag: Tag to be added to the mail subject when it is classied as spam. Use the Bayesian classier: If it is marked, the Bayesian lter will be used. Otherwise, only lists of allowed (whitelist ) and blocked (blacklist ) addresses will be taken into account.

137

eBox 1.2 for Network Administrators

Automatic whitelist: It takes into account the history of the sender when rating the message. That is, if the sender has sent some ham emails, it is highly probable that the next email sent by that sender is also ham. Automatic learning: If it is enabled, the lter will learn from messages that are obviously spam or ham. Threshold of self-learning spam: The automatic learning system will learn from spam emails that have a score above this value. It is not appropriate to set a low value, since it can subsequently lead to false positives. Its value must be greater than the spam threshold. Threshold of self-learning ham: The automatic learning system will learn from ham emails that have a score below this value. It is not appropriate to put a high value, since it can cause false negatives. Its value should be less than 0. From Sender Policy we can congure some senders so their mail is always accepted (whitelist ), always marked as spam (blacklist ) or always processed by the spam lter (process). From Train Bayesian spam lter we can train the Bayesian lter sending it a mailbox in mbox format [#] _ containing only spam or ham. There are many sample les in the Internet to train a Bayesian lter. The more trained the lter is, the better the spam detection.

File-based ACLs It is possible to lter les attached to mails using Mail lter File based ACLs (Access Control Lists). There, we can allow or blocks mail according to the extensions of the les attached or their Multipurpose Internet Mail Extensions (MIME) types.

138

CHAPTER 6. EBOX UNIFIED THREAT MANAGER

Simple Mail Transfer Protocol (SMTP) mail lter From Mail lter

SMTP mail lter it is possible to congure the behavior of the lters when eBox

receives mail by SMTP. On the other hand, from General conguration we can set the general behavior for every incoming email:

Enabled: Check to enable the SMTP mail lter. Antivirus enabled: Check to make the lter look for viruses.

139

eBox 1.2 for Network Administrators

Antispam enabled: Check to make the lter look for spam. Service port: Port to be used by the SMTP lter. Notify about problematic email that is not spam: We can send notications to a mailbox when problematic (but not spam) emails are received, e.g., emails infected by virus. From SMTP lter policies, it is possible to congure what the lter must do with any kind of email.

For each kind of email problem, you can perform the following actions: Pass: Do nothing, let the mail reach its recipient. Reject: Discard the message before it reaches the recipient, notifying the sender that the message has been discarded. Bounce: Like reject, but enclosing a copy of the message in the notication. Discard: Discards the message before it reaches the destination, without notice to the sender. From Virtual domain conguration the behavior of the lter for virtual email domains can be congured. These settings override the general settings dened previously. To customize the conguration of a virtual domain email, click on: guilabel: add new.

140

CHAPTER 6. EBOX UNIFIED THREAT MANAGER

The parameters that can be overriden are the following: Domain: Virtual domain that we want to customize, from those congured in at Mail main. Use virus ltering / spam: If this is enabled, mail received for this domain will be ltered looking for viruses or spam. Spam threshold: You can use the default threshold score for spam or a custom value. Learning account for ham / spam: If enabled, ham@domain and spam@domain accounts will be created. spam. Once the domain is added, from Anti-spam policy for senders, it is possible to add addresses to its whilelist and its blacklist or even force every mail for the domain to be processed. Users can send emails to these accounts to train the lter. All mail sent to ham@domain will be learned as ham mail, while mail sent to spam@domain will be learned as

Virtual Do-

6.1.2 External connection control lists


From Mail Filter

SMTP Mail Filter External connections, you can congure connections from

external MTAs, through its IP address or domain name, to the mail lter congured in eBox. In the same way, these external MTAs can be allowed to lter mail for those external virtual domains allowed in the conguration. This way, you can distribute your load between two machines, one acting as a mail server and another as a server to lter mail.

141

eBox 1.2 for Network Administrators

6.1.3 Transparent proxy for POP3 mailboxes


If eBox is congured as a transparent proxy, you can lter POP email. The eBox machine will be placed between the real POP server and the user to lter the content downloaded from the MTAs. To do this, eBox uses p3scan 5 . From Mail Filter Transparent POP Proxy you can congure the behavior of the ltering:

Enabled: If checked, POP email will be ltered. Filter virus: If checked, POP email will be ltered to detect viruses. Filter spam: If checked, POP email will be ltered to detect spam.
5

The Powerful #1 Open-Source Spam Filter http://spamassassin.apache.org .

142

CHAPTER 6. EBOX UNIFIED THREAT MANAGER

Spam subject tag from the ISP: If the server marks spam mail with a tag, it can be specied here and the lter will consider these emails as spam.

Practical example Activate the mail lter and the antivirus. Send an email with a virus. Check that the lter is working properly. 1. Action: Access eBox, go to Module Status and enable the module mail lter. To do this, check the box in the column Status. You will have to enable network and rewall rst in case they were not already. Effect: eBox asks for permission to override some les. 2. Action: Read the changes that are going to be made and grant eBox permission to perform them. Effect: Save Changes has been enabled. 3. Action: Go to Mail Filter SMTP Mail Filter, check boxes for Enabled and Antivirus enabled and click on Change. Effect: eBox informs you about the success of the modications with a Done message. 4. Action: Go to Mail General Mail lter Options and select Internal eBox Mail Filter. Effect: eBox will use its own lter system. 5. Action: Save changes. Effect: eBox shows the progress while applying the changes. Once it is done, it noties about it. The mail lter with antivirus is enabled. 6. Action: Download the le http://www.eicar.org/download/eicar_com.zip, which contains a test virus and send it from your mail client to an eBox mailbox. Effect: The email will never reach its destination because the antivirus will discard it. 7. Action: Go to the console in the eBox machine and check the last lines of /var/log/mail.log using the tail command. Effect: There is a message in the log registering that the message with the virus was blocked, specifying the name of the virus: Blocked INFECTED (Eicar-Test-Signature)

143

eBox 1.2 for Network Administrators

6.1.4 Exercises
Exercise A Enable the spam lter. Send an email and, once received, check that the spamassassin headers are in it.

Exercise B Add an address to the blacklist of spammers. Send an email from that address and check the headers.

Exercise C For one of the virtual domains already created, enable the ham account (ham@domain.tld ) and send a correct email to that mailbox. Afterwards, resend the email to an address of the server and check whether it has been marked as ham.

Exercise D Enable the greylisting and try to send an email from a external address to a mailbox server. See how that mail has been delayed. Try sending the mail when the waiting time is over.

Exercise E Deny sending/receiving emails with attachments compressed with the algorithm Lempel-Ziv-Welch.

6.1.5 Proposed exercises


Exercise F Congure a POP client to connect to an external POP server in a machine that uses eBox as gateway. Enable the transparent POP Proxy in eBox. Check that the headers of the newly received email are marked by p3scan.

144

CHAPTER 6. EBOX UNIFIED THREAT MANAGER

6.2

HTTP Proxy advanced conguration


6.2.1 Group based ltering
You can use user groups as a way to control access and to apply different ltering proles. The rst step is to either set a global or a network object policy to any of these policies: Authorize and allow all, Authorize and deny all or Authorize and lter. If any of these policies is set, users will have to provide credentials to be able to use the HTTP proxy. Warning: Please note that you cannot use HTTP authentication with the transparent proxy mode enabled due to protocol limitations. If you set a global policy that uses authentication you will also be able to use this global policy for any group. This policy allows you to control the access of group members and apply a custom ltering prole. Group policies are managed in the menu entry named HTTP Proxy

Group Policy. You can

allow or deny the access for a given group. Note that this only affects the browsing. The use of the content lter for the group depends on whether you have a global policy or group policy that is set to lter. You can schedule when the group is allowed to browse. If a group member tries to use the proxy out of the set schedule they will be denied access.

Each group policy has a priority given by its position in the list (top-bottom priority). Priority is important because users can be members of several groups. The policy applied to the user will depend on the priority. You can also select which ltering prole will be applied to the group.

145

eBox 1.2 for Network Administrators

6.2.2 Group-based ltering for objects


Remember that you can congure custom policies for network objects that will override the global policy. Likewise, in case you pick a policy that enforces authorization, you can also set custom policies for a group. In this case, group policies only affect to the permissions for browsing and not to the content ltering. The content ltering policy is determined by the object policy. Authorization policies are incompatible with the transparent mode. Finally, you also have to take into account that you cannot set ltering proles to groups in an object policy. This means a group will use the ltering prole that is set in its group global policy.

6.2.3 Filter proles conguration


You can congure lter proles in Proxy HTTP Filter Proles.

You can congure and create new proles. The conguration options are exactly the same as the ones we explained for the default prole. There is just one thing that you have to take into account: it is possible to use the default prole values in other proles. To do so, you only need to click on Use default conguration.

146

CHAPTER 6. EBOX UNIFIED THREAT MANAGER

Practical Example The goal of this exercise is to set access policies for two groups: IT and Accounting. Members of the Accounting group will only be able to access the Internet during work time, and its ltering prole threshold will be set to very strict. On the other hand, members of the IT group will be able to use the Internet at any time. They will also skip the censorship of the content lter. However, they will not be able to access those domains that are explicitly denied to all the workers. For the sake of clarity, the needed users and groups are already created. These are steps you have to take: 1. Action: Go to eBox, click on Module Status and enable the HTTP Proxy. Effect: Once changes have been saved, users will need to authenticate with their login and password in order to surf the Internet. 2. Action: Go to HTTP proxy -> Filter proles. Add a list of forbidden domains to the default prole. You can do this by clicking on the Conguration cell of the default prole, and then, clicking on the tab labeled Domains ltering. You can now add youtube.com and popidol.com to the Domains rules section. Go back to HTTP proxy -> Filter Proles. Add two new proles for your groups, IT and Accounting. The Accounting prole must enforce a very strict threshold on the content lter. We will stick to the defaults for the other options. To do so, you have to check the Use default prole conguration eld in Domains Filtering and File Extensions ltering. The IT prole will allow unltered access to everything but the forbidden domains. To enforce this policy, you need to check the Use default prole conguration eld in Domains Filtering. You can grant free access for everything else by setting the content lter threshold to Disabled. Effect: We will enforce the required policy. 3. Action: Now you have to set a schedule and a ltering prole for groups. You can go to HTTP Proxy Group Policy. Click on Add new, select the Accounting group. Set the schedule from Monday to Friday, from 9:00 to 18:00. And select the Accounting prole. Likewise, you have to set a policy for the IT group. In this case, you dont have to add any restriction to the schedule.

147

eBox 1.2 for Network Administrators

Effect:

Once the changes have been saved, you can test if the conguration works as expected. You can use the proxy authentication with a user from each group. You will know that it is working properly if: You can actually access www.playboy.com using the credentials of an IT user . However, if you use the credentials of an Accounting user, you are denied access. You are not allowed to access any of the banned domains from any of the groups. If you set the date in eBox to weekend, and you cannnot surf the Internet with an Accounting* user, but you can with an IT user.

6.2.4 Exercises
Exercise A Set a global policy to Authorize and allow. Create a user. Check that the user can only use the proxy if a valid login and password are provided.

Exercise B Create a new group. Add a user to this group. Set a policy to deny access to this group. Check that although the authentication process succeeds, the access is denied.

Exercise C Set a group policy to allow access based on a restricted schedule. Check that the schedule policies are enforced. Use the command date to make these tests quicker.

Excercise D Create a new user and group. Create a new ltering prole. Congure the default ltering prole and the new prole in a way that they deny different domains. Create group policies for two groups, one group will use the default prole and the other one, the new prole. Check that depending on the group that is using the proxy, different domains are denied.

148

CHAPTER 6. EBOX UNIFIED THREAT MANAGER

6.3

Secure interconnection between local networks


6.3.1 Virtual Private Network (VPN)
The Virtual Private Networks were designed both to allow secure access to remote users to the corporate network and secure interconnection of geographically distant networks. A frequent situation is were remote users need to access resources located in the company local network, but those users are outside the facilities and cannot connect directly. The obvious solution is to allow the connection through the Internet. This would create security and conguration problems, which can be resolved through the use of virtual private networks. The solution offered by a VPN (Virtual Private Network ) to this problem is the use of encryption to only allow access to authorized users (hence the private adjective). And to facilitate the use and conguration, connections seem to be as if there were a network between the users and the local network (hence the virtual). The VPNs usefulness is not limited to the access of remote users; a organization may wish to interconnect networks that are located in different places. For example, networks located in differents cities. Some time ago, to solve this problem dedicated data lines were hired, but this service was expensive and slow to deploy. Later, the advance of the Internet provided a ubiquitous and cheap, but insecure, medium. And again, the security and virtualization features of the VPN were an appropriate response to this problem. In this regard, eBox Platform provides two modes of operation. It can work as a server for remote users and as a server and client for the connection between two networks.

6.3.2 Public Key Infrastructure (PKI) with a Certication Authority (CA)


The VPN used by eBox to ensure data privacy and integrity uses SSL as cypher technology. The SSL technology is used widely since a long time so we could reasonably trust its security. However, all cypher schemas have the problem of how to distribute the keys to their users without interception by third parties. In the VPN case this step is required when a new participant joins the virtual network. The adopted solution is the use of a public key infrastructure (PKI). This technology allows the use of the key in a insecure medium, like the Internet, without allowing the interception of keys by anyone who snoops the communication. PKI is based in that each participant generates two keys: a public key and a private key. The public one can be distributed publicly and the private one must remain secret. Any participant who

149

eBox 1.2 for Network Administrators

wants to cypher a message can do it with the public key of the recipient but the message can only be deciphered with the private key of the recipient. As this key is kept secret, it is ensured that only the recipient can read the message. However, this solution creates a new problem. If anyone could present a public key, how we can guarantee that a participant is really who he claims to be and is not impersonating another identity?. To solve this problem, certicates were created.
6

Figure 6.3: GRAPHIC: Public key encryption

Figure 6.4: GRAPHIC: Public key signature The certicates use another PKI feature: the possibility of signing les. To sign a le, the private key is used. The signature can be checked by anyone using the public key. A certicate is a le that
There is a lot of information about public key encryption. You can begin here: http://en.wikipedia.org/wiki/Publickey_encryption
6

150

CHAPTER 6. EBOX UNIFIED THREAT MANAGER

contains a public key, signed for someone that is trusted. This trusted participant is used to verify identities and is called Certication Authority (CA).

Figure 6.5: GRAPHIC: Diagram to issue a certicate

6.3.3 CA conguration with eBox Platform


eBox Platform has integrated management of the Certication Authority and the life cycle of the certicates. It uses the OpenSSL 7 tools for this. First, you need to issue the certicate of the CA itself, which is autosigned. The CA certicate is needed to issue new certicates, so the remaining features of the module will not be available until the CA certicate is issued. To issue it, go to Certication Authority -> General and you will nd a form to issue the CA certicate. It is required to ll the Organization Name and Days to expire elds. When setting the duration of the certicate you have to take in account that its expiration will revoke all certicates issued by it, stopping all services depending on those certicates. It is possible to add this optional elds to the CA certicate: - Country Code - City - State Once the CA certicate is issued, you will be able to issue certicates signed by it. To issue them, use the form available at Certication Authority -> General. The required data are the common name
7

OpenSSL: The open source toolkit for SSL/TLS http://www.openssl.org/.

151

eBox 1.2 for Network Administrators

of the certicate and the Days to expire. This last eld sets the number of days that the certicate will remain valid and the duration cannot surpass the duration of the CA certicate. When the certicate is issued, it will appear in the list of certicates and it will be available to eBox services that use certicates and to external applications. Furthermore, several actions can be applied to the certicates through the certicate list. The available actions are the following: Download an archive containing the public key, private key and the certicate. Revoke the certicate. Renew the certicate.

If you renew the CA certicate then all the certicates will be renewed with the new public key of the CA. The old expiration date will be kept, if this is not possible it means that the old expiration date is a later date than the new CA expiration date, in this case the expiration date of the certicate will be set to the expiration date of the CA. When a certicate expires all the modules are notied. The expiration date of each certicate is checked every night and also whenever the certicate list is shown.

152

CHAPTER 6. EBOX UNIFIED THREAT MANAGER

Practical example A Creation of a Certication Authority and certicates. This example has the following objective: to create a certication authority which will be valid for a year, to create a certicate called server and to create two certicates for clients called client1 and client2. To do so: 1. Action: Access eBox interface and go to Certication Authority

General. In the form

called Issue certicate of the Certication Authority, ll in the elds Organization name and Days to expire with reasonable values. Press Issue to issue the certicate of the Certication Authority. Effect: The certicate of the Certication Authority will be issued and displayed in the list of certicates. The form for issuing the CA certicate will be replaced by another one intended to issue normal certicates. 2. Action: Use the form Issue a new certicate to issue certicates. To do this you have to enter server as Common Name and then, in Days to expire, a number of days less than or equal to the one you entered for the CA certicate. Repeat these steps with the names client1 and client2. Effect: The new certicates will appear in the list of certicates, ready to be used.

6.3.4 Conguring a VPN with eBox


The software selected by eBox to create VPNs is OpenVPN 8 . OpenVPN has the following advantages: Authentication using public key infrastructure. Encryption based on SSL technology. Clients available for Windows, MacOS X and Linux. Code that runs in user space, without the need to modify the network stack (as opposed to IPSec). Possibility to use network applications in a transparent way.
8

OpenVPN: An open source SSL VPN Solution by James Yonan http://openvpn.net.

153

eBox 1.2 for Network Administrators

Remote VPN Client eBox can be congured to support remote clients (familiarly known as road warriors). That is, an eBox machine can work as a gateway and OpenVPN server, allowing clients on the Internet (the road warriors) to connect to the network via the VPN service and access the local area network. The following gure can give a more accurate view of the scenario:

Figure 6.6: eBox and remote VPN clients

The goal is to connect the client number 3 with the other two remote clients (1 and 2) and also connect these two among themselves. To do this, we need to create a Certication Authority and certicates for all the elements present in the system, the OpenVPN server and the two remote clients. Here, the eBox machine also acts as a CA. Once we have the certicates, we should congure the OpenVPN server in eBox using Create a new server. You should enter a name, a port/protocol pair, a certicate (the one you have just created in the previous example) and a network address for the VPN. Addresses belonging to the VPN network are assigned to the server and the clients. To avoid conicts, you have to make sure that the network address is not used in any other part of your network. The OpenVPN server will be listening on all the external interfaces. Therefore, we have to mark at least one of our interfaces as external via Network -> Interfaces. In this scenario only two interfaces are needed, the internal one for the LAN and the external one for the Internet. You can congure the server to listen also on internal interfaces, activating the option Network Address Translation (NAT), but for the moment you can ignore it. If you want the clients to connect to each other using their VPN addresses, you have to activate the option Allow connections between clients. You can leave the rest of the options with their defaults.

154

CHAPTER 6. EBOX UNIFIED THREAT MANAGER

After creating the OpenVPN server you have to enable the service and save the changes. Subsequently, you should check in Dashboard that the VPN service is running. After that, you have to advertise networks. These networks will be accessible by OpenVPN authorized clients. To achieve this, you need networks that are accessible from the eBox machine. In our example scenario, you have to add the local network to make visible the client number 3 to the two other clients. Once done, its time to congure the clients. The easiest way to congure an OpenVPN client is using the bundles provided by eBox. These are available in the table in VPN -> Servers, by clicking the icon on the Download client bundle column. There are bundles for two types of operating system. If you are using MacOS X or GNU/Linux, you have to choose Linux as type. When a bundle is created, the certicates that will be given to the client are included, and the external IP address to which VPN clients have to connect is set. If the selected system is Windows, an OpenVPN for Win32 installer is also included. The conguration bundles should be downloaded by the eBox administrator and he is responsible for distributing them to the clients in a proper and secure way.

155

eBox 1.2 for Network Administrators

A bundle includes the conguration le and other necessary les to start a VPN connection. For example, in Linux, simply extract the archive and execute it, within the newly created directory, using the following command:

openvpn --config filename


Now you have access to the client number 3 from the two remote clients. Bear in mind that the eBox DNS service will not work through the private network unless you congure the remote clients to use eBox as name resolver. That is why you cannot access the services of the hosts on the LAN by name, you have to do it by IP address. That also applies to the NetBIOS 9 service when accessing Windows shared resources. To enable the remote clients to connect between themselves, you need to activate the Enable client-to-client connections option in the VPN server conguration. To verify that the conguration is correct, look at the routing table of the client and check that the new networks were added to the tapX virtual interface.

Practical example B This example will congure a VPN server. A client on a computer located on a external network is going to be congured. Once connected it to the VPN, it will access another host in the local network, which is only accessible from the server through an internal interface. To do this:
9

For more information about le sharing, see section File sharing service and remote authentication

156

CHAPTER 6. EBOX UNIFIED THREAT MANAGER

1. Action: Access the eBox interface, go to Module Status and activate the VPN module by checking the box on the Status column. Effect: eBox requests permission to perform certain actions. 2. Action: Read about the actions that are going to be performed and grant permission to do them. Effect: Save Changes button is activated. 3. Action: Access the eBox web interface, enter the VPN -> Server section, click on Add new. A form with the elds Enabled and Name will appear. Enter a name for the server and leave it disabled until it is congured correctly. Effect: The new server appears in the list of servers. 4. Action: In the server list, click on the Conguration section corresponding to your server. Change the following parameters: Server port: select a port that is not in use, e.g. 7777. VPN Address: enter a private network address that is not in use. For example, 192.168.68.0. Server Certicate: select the certicate called server. If it does not exist, you can create it as indicated in the previous example. Interface to listen on: Select the external interface connected to the network where the computer that you are going to use as client is located. Once you have made the changes click on Change. Effect: Changes will be saved in the server conguration. 5. Action: Go back to the server list and enter the Advertised networks section for your server. In the list of networks, click Add new. Add the private network address to the list of advertised networks. Then come back to the server list and click on edit in the Action column, as the server is already congured, tick Enabled. Effect: You already have the server fully congured. changes. 6. Action: Click on Save Changes and accept all the changes. Effect: The server is active, you can verify its status in the Dashboard. It will be active when saving

157

eBox 1.2 for Network Administrators

7. Action: To simplify the conguration of the client, download the conguration bundle. To do this, click the icon on the Download client bundle column. Fill in the conguration form with the following options: Client type: select Linux, as it is the client OS. Client certicate: select client1. If This certicate is not created, create it following the instructions from the previous example. Server address: enter here the address that the client has to use to reach the VPN server. In this scenario, this address will be the one for the external interface connected to the same network as the computer client. Effect: Once the form is completed, a bundle le for the client will be downloaded. It will be a compressed le in .tar.gz format. 8. Action: Congure the client computer. For this, decompress the bundle in a directory. Note that the bundle contains les with the necessary certicates and a conguration le with the .conf extension. If there have been no mistakes in the steps earlier, you have all the necessary conguration and you only have to launch the program. To launch the client run the following command within the directory:

openvpn --config [ filename.conf ]


Effect: When launching the command in a terminal window the actions will be printed on it. If everything is correct, once the connection is ready Initialization Sequence Completed will appear on the terminal; otherwise error messages will appear to help you diagnose the problem. 9. Action: Before checking if there is a connection between the client and the computer on the private network, you have to be sure that the latter has a return route to the VPN client. If you are using eBox as the default gateway, there will be no problem. Otherwise you will need to add a route to the client. First you have to check if there is connection by using the ping command. Run the following command:

ping -c 3 [ another_computer_ip_address ]
To verify that there is not only communication, but also access to the resources of another computer, launch a remote console session. You can do it with the following command from the client computer:

158

CHAPTER 6. EBOX UNIFIED THREAT MANAGER

ssh [ another_computer_ip_address ]
After accepting the identity of the computer and entering the user and the password, you will access the console of the remote computer as if it were physically on your local network.

Remote VPN Client with NAT


If you want to have a VPN server that is not the gateway of your LAN, i.e. the machine has no external interfaces, then you need to activate the Network Address Translation option. As this is a rewall feature, you have to make sure that the rewall module is active, otherwise you will not be able to activate this option. With this option, the VPN server will act as a representative of VPN clients within the network. In fact, it will be a representative of all the advertised networks, and it will receive the response packets and subsequently forward them through the private network to the clients. This situation is best explained with the following gure:

Figure 6.7: GRAPHIC: VPN connection from a client to the LAN using NAT with VPN

Exercises

159

eBox 1.2 for Network Administrators

Exercise A Set up a VPN server using NAT, to do this you will have to follow the same steps that in the Practical example B , but you should activate the NAT option. Connect a client to the server through an internal interface and check that the address is translated.

Secure interconnection between local networks


In this scenario there are two ofces in different networks that need to be connected via a private network. To do this, eBox is used as gateway in both networks. One eBox will act as OpenVPN client and another as server. The following gure attempts to clarify the situation:

Figure 6.8: eBox vs OpenVPN as a server. eBox OpenVPN as a client

The goal is to connect the client on the LAN 1 with client 2 on the LAN 2, as if they were in the same local network. Therefore, you have to congure an OpenVPN server as done in Practical example B . However, you need to make two small changes. First, enable the Allow eBox-to-eBox tunnels option to exchange routes between eBox machines. Then enable password for the eBox-to-eBox tunnel to have a more secure connection environment. You have to bear in mind that you have to add the address of the LAN 1 in Advertised networks. To congure eBox as an OpenVPN client, you can do it through VPN -> Clients. You must give a name to activate the client and activate the service. You can set the client conguration manually or automatically using the bundle from the VPN server, as done in the Practical example B . If not using the bundle, you will have to enter the IP address and the protocol-port pair where the server is listening. A tunnel password and the certicates used by the client are also required. These certicates should have been issued by the same CA that is using the server.

160

CHAPTER 6. EBOX UNIFIED THREAT MANAGER

When changes are saved, you can see in Dashboard a new OpenVPN daemon on the network 2 running as a client, connected to the other eBox in the LAN 1.

When the connection is complete, the server machine will have access to all routes of the client machines through the VPN. However, the client machines will have access only to the routes that the server has advertised explicitly.

Practical example C The objective of this example is to set up a tunnel between two networks that use eBox servers as gateways to an external network, so that members of both networks can connect with each other.

161

eBox 1.2 for Network Administrators

1. Action: Access the web interface of the eBox which is going to act as server in the tunnel. Make sure the VPN module is enabled and activate it if necessary. Once you are in the VPN -> Servers section, create a new server with the following settings: Port: choose a port that is not in use, such as 7766. VPN address: enter a private network address not used in any part of your infrastructure, e.g. 192.168.77.0/24. Enable Allow eBox-to-eBox tunnels. This is the option indicating that it will be a tunnel server. Enter a Password for eBox-to-eBox tunnel. Finally, in the Interfaces where the server will listen section, choose the external interface that the eBox client will connect to. To complete the conguration of the server the networks have to be advertised following the same steps as in the previous examples. Advertise the private network you want to give access from the client. Remember that this step is not necessary on the client, it will supply all its routes to the server automatically. The only step left is enabling the server and save changes. Effect: Once all the above steps are done you have the server running. You can verify its status in the Dashboard. 2. Action: To ease the process of conguring the client, you can obtain a conguration bundle. To download it from the server, log back into the eBox web interface and go to VPN -> Servers, click on Download bundle client conguration in our servers row. Before the download starts you have to enter some parameters in the form: Client type: choose eBox-to-eBox tunnel. Client certicate: choose a certicate different to the server one that is not in use in any other client either. If you do not have enough certicates, follow the steps of above examples to create a certicate that you can use for the client. Server address: you have to enter the address which the client will use to connect to the server. In this case, the address of the external interface connected to the network visible by both server and client will be the appropriate one. After entering all the data press the Download button. Effect: You download a tar.gz le containing the conguration data required for the client.

162

CHAPTER 6. EBOX UNIFIED THREAT MANAGER

3. Action: Access the eBox server web interface that will take the role of client. Check that the VPN module is active, go to the VPN -> Clients section. This section is an empty list of clients. To create one, click Add client and enter a name for it. As it is unset, it cannot be enabled, so you have to return to the list of clients and congure it. Since you have a client conguration bundle you do not need to complete the data in the section by hand. Using the Upload bundle with client conguration option, you can select the le obtained in the previous step and click on Change. Once the conguration is loaded, you can return to the list of clients and enable it. For this, click the Edit icon in the Action column. A form where you can tick the Enable option will appear. Now you have a fully congured client and the only thing left is saving changes. Effect: Once the changes are saved, the client will be active. You can check this in the Dashboard. If both client and server congurations are correct, the client will start the connection and the tunnel will be ready in a few seconds. 4. Action: Now you have to check if the hosts in the servers internal networks and in the client ones can see each other. Besides the existence of the tunnel, there are the following requirements: The hosts must know the return route to the other private network If, as in this case, eBox is being used as gateway, there is no need to setup additional routes. The rewall must allow connections between the routes for the services you want to use. Once these requirements are met, you can test the connection. From one of the hosts on the private network of the VPN server do the following: Ping a host on the network of the VPN client. Attempt to initiate an SSH session on a host of the VPN client network. Once you have checked this, repeat it from a host on the network of the VPN client, choosing as target a host located in the network of the VPN server.

6.4

Intrusion Detection System (IDS)


An intrusion detection system (IDS) is an application designed to prevent unwanted access to our machines, mainly attacks coming from the Internet. The two main functions of an IDS are to detect potential attacks or intrusions, what is done through a set of rules that are matched against packets of inbound trafc. In addition to recording all suspicious

163

eBox 1.2 for Network Administrators

events, it records useful information (such as the source IP address of the attacker) in a database or le. Combined with the rewall, some IDS can also block intrusion attempts. There are different types of IDS, the most common one is the Network Intrusion Detection System (NIDS), which is responsible for checking all the trafc on a local network. One of the most popular NIDS is Snort 10 , which is the tool that eBox integrates to perform this task.

6.4.1 Setting up an IDS with eBox


The conguration of the IDS in eBox is very simple. You only need to activate or deactivate a number of elements. First, you have to specify which network interfaces you want the IDS to listen on. After that, you can select different sets of rules to match with the captured packets. Alerts will be red in case of positive results. Both settings are accessed via the IDS menu. On the Interfaces tab a table with a list of all network interfaces that are congured is shown. By default, all of them are disabled due to the increased network latency and CPU consumption caused by the trafc inspection. To enable any of them you can click the pencil icon, check Enabled and press the button Change.

On the Rules tab you can see a table that is preloaded with all the Snort rulesets installed on your system (les under the directory /etc/snort/rules). By default, for increased security, all of them are enabled. But if you want to save CPU time, it is advisable to disable those that are not of interest, for example, the ones related to services not available in your network. The procedure for activating or disabling a rule is the same as for the interfaces.
10

Snort: A free lightweight network intrusion detection system for UNIX and Windows * http://www.snort.org

164

CHAPTER 6. EBOX UNIFIED THREAT MANAGER

6.4.2 IDS Alerts


Now you have the IDS module running. At this point, the only thing you can do is observe alerts manually in the /var/log/snort/alert le. We are going to see how eBox can make this task easier and more efcient thanks to its logs and events subsystem. The IDS module is integrated with the eBox logs, so if it is enabled, you can query different IDS alerts through the usual procedure. Likewise, we can congure an event for any of these alerts in order to notify the system administrator by any of the different means available. For more information, see the Logs chapter.

Practical example Enable the IDS module and launch a port scanning attack against the eBox machine. 1. Action: Access the eBox web interface, go to Module Status and activate the IDS module by checking the box in the Status column. You will be notied of eBox wanting to modify the Snort conguration. Allow the operation by pressing the Accept button. Effect: Save Changes is activated.

165

eBox 1.2 for Network Administrators

2. Action: Similarly, activate the Logs module if it is not already activated. Effect: When the IDS is started, it will be ready to record its alerts. 3. Action: Access the IDS menu and select the Interfaces tab. Enable an interface that is reachable from the machine that will launch the attack. Effect: The change is saved temporarily but it will not be effective until changes are saved. 4. Action: Save the changes. Effect: eBox shows the progress while it is applying the changes. Once the process is completed you are notied. From now on, the IDS is analyzing the trafc on the selected interface. 5. Action: Install the nmap package on another machine using aptitude install nmap. Effect: The nmap tool is installed on the system. 6. Action: From the same machine run the nmap command passing only the IP address of the interface eBox previously selected as parameter. Effect: It will make attempts to connect to several ports on the eBox machine. You can interrupt the process at any moment by pressing: kbd: Ctrl-c. 7. Action: Access Logs -> Query logs and select Full report for the domain IDS. Effect: Entries related to the attack just performed are listed on the table.

6.4.3 Exercises
Exercise A Research other types of known attacks and test them against your eBox machine to verify that the IDS works properly.

Exercise B Congure an event dispatcher to notify you of any intrusion via Jabber or RSS.

166

Chapter 7 eBox Core

The target of eBox is not only the conguration of the integrated network services. It also offers a number of features that facilitate and make more efcient the administration of eBox itself. This feature set is what we call the eBox core. Backups to restore a previous state, logs of services to nd out what happened and when, notications for certain events or incidents, monitoring of the machine or security updates of the software are issues that will be explained in this section.

7.1

Logs
eBox provides an infrastructure for their modules that allows them to log different kind of events that may be useful for the administrator. These logs are available through the eBox interface. They are also stored in a database for making queries, reports and updates in an easier and more efcient way. The database management system used is PostgreSQL 1 . We can also congure different dispatchers for the events. That way the administrator can be notied by different means (email, RSS or Jabber 2 ). You can have logs for the following services: OpenVPN (Virtual Private Network (VPN))
PostgreSQL The worlds most advanced open source database http://www.postgresql.org/. RSS Really Simple Syndication is an XML format used mainly to publish frequently updated works http://www.rssboard.org/rss-specication/.
2 1

167

eBox 1.2 for Network Administrators

SMTP Filter (Simple Mail Transfer Protocol (SMTP) mail lter ) POP3 proxy (Transparent proxy for POP3 mailboxes) Printers (Printers sharing service) Firewall (Firewall ) DHCP (Network conguration service (DHCP)) Mail (Electronic Mail Service (SMTP/POP3-IMAP4)) Proxy (HTTP HTTP Proxy Service) File Sharing (File sharing service and remote authentication) IDS (Intrusion Detection System (IDS)) Likewise, you can receive notications of the following events: Specic values inside the logs. eBox health status. Service status Events from the software RAID subsystem. Free disk space. Problems with Internet routers. Completion of a full data backup. First, before you can work with the logs, like other eBox modules, you have to make sure it is enabled. To enable it, go to Module Status and select Logs. In order to obtain reports from the existing logs, you can access the Logs -> Query Logs menu. You can get a Full report of all log domains. Moreover, some of them give us an interesting Summarized Report that provides an overview of the service for a period of time. In Full report, we have a list of all registered actions for the selected domain. Information provided is dependent on each domain. For example, for the OpenVPN domain you can see the connections to a VPN server of a client with a specic certicate, or for example, in the HTTP Proxy domain you can know which pages have been denied to a particular client. You can also make custom queries that allow ltering by time period or different values, depending on the domain. These queries can

168

CHAPTER 7. EBOX CORE

Figure 7.1: Query logs

Figure 7.2: Full report example

169

eBox 1.2 for Network Administrators

be stored like an event that generates an alert when a match occurs. Furthermore, if you do a query without an upper bound in time, the results will be automatically refreshed with new data. The Summarized Report allows you to select the period of the report, which may be one hour, one day, a week or a month. The information you get is one or more graphs, accompanied by a summary table with total values for different data. In the picture you can see, for example, daily statistics about the requests and trafc of the HTTP proxy.

7.1.1 Logs conguration


Once you know how to check the logs, is also important to know how to congure them, through the Logs -> Congure logs menu on the eBox interface. The values you can congure for each installed domain are: Enabled: If this option is not activated no logs are written for this domain. Purge logs older than: Sets the maximum time that the logs will be saved. Every value whose age exceeds the specied period, will be discarded. You can also force the instant removal of all logs that are older than a certain period. You can do this using the Purge button inside of the Force log purge section, which allows you to select different intervals between one hour and 90 days.

Practical example Enable the logs module. Using the Practice example as a reference for generating email trafc containing viruses, spam, banned senders and forbidden les. Observe the results in :menuselection Logs -> Query Logs -> Full Report. 1. Action: Access eBox interface. Go to Module Status and activate the logs module. For this, check the box in the State column. You will be informed that a database to save the logs is going to be created. Allow the operation by pressing Accept. Effect: Save Changes button is now activated. 2. Action: Access Logs -> Congure Logs and check that the Mail domain is already enabled. Effect: You have enabled the Logs module and you have checked that the logs for mail are enabled. 3. Action: Save the changes.

170

CHAPTER 7. EBOX CORE

Figure 7.3: Summarized report example

171

eBox 1.2 for Network Administrators

Figure 7.4: Congure logs

Effect: eBox shows the progress while applying the changes. Once the process is nished you are notied of that. From now on, all sent emails will be logged. 4. Action: Send a few problematic emails (with spam or virus) as it was done in the relevant chapter. Effect: As now the logs module is enabled, emails have been logged, unlike what happened when we sent them for the rst time. 5. Action: Access Records -> Query Logs and Full report for the Mail domain. Effect: A table with entries for the emails that you have sent appears showing some information for each sent email.

Exercises

172

CHAPTER 7. EBOX CORE

Exercise A With the data generated in the previous example, get a report of the email that contains forbidden les during the last hour. Generate more mail trafc to check that the report keeps growing.

Exercise B Observe the results of the Summarized Report in Logs -> Query Logs -> Summarized Report.

Exercise C Purge the obtained data and check that it has been purged correctly.

7.2

Monitoring
The monitor module allows the eBox administrator to know the state of the resources of the eBox machine. This information is essential to both troubleshoot and plan in advance the necessary resources. Monitoring implies knowing how to interpret some system values in order to decide if these values fall into an expected range, or otherwise, they are too high or too low. The main issue of monitoring is the selection of these ranges. As every machine can have different values depending on the kind of use. For example, in a le sharing server, the free storage space is a very important value that can change very quickly. However, in a router with an enabled content lter, free memory and CPU load are more interesting values. You should avoid fetching values that are useless for your scenario. This is the reason why eBox monitors only a few system metrics in its current version. These are: system load, CPU usage, memory usage, and le system usage. The monitor module displays the fetched data using graphs. This allows the user to easily visualize the evolution of the resources during time. To access these graphs you have to click on the menu entry labeled as Monitor. You can place the mouse pointer over any graph point to know the exact value at that point. You can see different time scales of the registered data: hourly, daily, monthly or yearly. You just need to click on the relevant tab.

173

eBox 1.2 for Network Administrators

7.2.1 Metrics
System load The system load tries to measure the rate of pending work over the completed work. This value is computed using the number of active process in the CPU. This metric is the capacity of the used CPU over a given time. This means that a load of 1 represents a CPU working at full capacity. A load of 0.5 means that the CPU could take twice as much. Conversely, a load of 2 means that it would need another CPU to fullll the requirements of the current work load. You have to take into account that those processes that are waiting for read/write operations in disk also contribute to this value.

174

CHAPTER 7. EBOX CORE

CPU usage This graph shows detailed information of the CPU usage. In the case of having a multi-core or multicpu machine you will see one graph for each one of the cores. This graph represents the amount of time that the CPU spends in each of its states: running user code, system code, inactive, input/output wait, and so on. This measure is not a percentage, but scheduling units known as jifes. In most Linux systems this value is 100 per second, but it can be different.

175

eBox 1.2 for Network Administrators

Memory usage This graphs shows the memory usage. The following variables are monitored: Free memory: Amount of memory not used Page cache: Amount of memory that is cached in disk swap Buffer cache: Amount of memory that is cached for input/output operations Memory used: Amount of memory that is not included in any of the above

File system usage This graph displays the used and free space of every mounting point.

176

CHAPTER 7. EBOX CORE

Temperature This graph allows you to know the system temperature in degrees Celsius by using the ACPI system
3

. You need to have data available in these directories: /sys/class/thermal or /proc/acpi/thermal_zone.

Advanced Conguration and Power Interface (ACPI) is an open standard to congure devices focused on operating

systems and power management. http://www.acpi.info/

177

eBox 1.2 for Network Administrators

7.2.2 Alerts
These graphs are not very helpful if in case of unexpected behaviour the administrator is not properly notied. By using alerts, you can know when the machine has reached an unusual system load or is approaching its full capacity. You can congure monitor alerts in Events monitor.

Congure Events. The relevant alert is called

You can access the conguration page by clicking on the conguration cell. In this page you can pick any monitored metric and set the threshold that will trigger an event.

There are two different thresholds, warning and failure, this allows the user to lter based on the event severity. You can use the option reverse: to swap the values that are considered right and wrong. Other important option is persistent:. Depending on the metric we can also set other parameters. Once you have congured and enabled the event you will need to congure, at least, one observer. The observer conguration is the same as the conguration of any other event. Check the Events chapter for further information.

178

CHAPTER 7. EBOX CORE

7.2.3 Exercises
Excercise A Enable the monitor module and check on the graphs the usual values of the system when it is idle. Set an upper boundary to trigger an event. Try to increase the system load to trigger the alert.

Exercise B Set a lower boundary for the idle state of the CPU. Make it trigger an event.

7.3

Events and alerts


The events module is a convenient service that allows you to receive notications of certain events and alerts that happen in your eBox machine. eBox allows you to receive these alerts and events through the following dispatchers: Mail 4 Jabber Logs RSS Before enabling any event watcher you have to make sure that the events module is enabled. Go to :menuselection Module status and check the events module. Unlike in the Logs module, where all services are enabled by default except the rewall, you have to enable those events that might be of your interest. To enable any events, you have to click on the menu entry Events Change button. There are some events that need further conguration to work properly. This is the case for the log and free storage space observers.
4

Congure Events. You can

edit an event state by clicking on the pencil icon. Tick the :guilabel: Enabled box and click on the

The mail module needs to be installed and congured. (Electronic Mail Service (SMTP/POP3-IMAP4)).

179

eBox 1.2 for Network Administrators

Figure 7.5: Congure events page

The conguration of the free storage observer is pretty straightforward. The only required parameter is the free space percentage that will trigger the event when its actual value goes under it. For the log observer, the rst step is to select which domains you want to generate events from. For every domain, you can add ltering rules that depend on the domain. Some examples are: denied HTTP requests by the proxy, DHCP leases for a giving IP, canceled printer jobs, and so on. You can also create an event lter from an existing log query by clicking on the Save as an event button through Logs Query Logs Full Report. So far, you know how to enable the generation of events and alerts. However, you also need these events and alerts to be sent to you in order to be read. That is what event dispatchers are for. Go to the Congure dispatchers tab. The procedure to enable event dispatchers is similar to enabling event watchers. You have to congure all the watchers except the log watcher. The latter will write its output to /var/log/ebox/ebox.log. The other dispatchers require further conguration. Mail: You have to set the email address of the recipient (usually the eBox administrator). You can also set the subject of the messages. Jabber: You have to set the Jabber server address and port that will be used to send the messages. You also have to set the username and password of the user that will send the messages.

180

CHAPTER 7. EBOX CORE

Figure 7.6: Congure Log Observer page

Figure 7.7: Congure dispatchers page

181

eBox 1.2 for Network Administrators

Finally, you have to set the Jabber address of the recipient. RSS: You have to decide who will be able to read the RSS feed, and the feed link itself. You can make the channel public, private, or authorized by a source IP address-based policy. Note that you can also use objects instead of IP addresses.

7.3.1 Practical Example


Congure the events module to make it show the message eBox is up and running in

/var/log/ebox/ebox.log. This message will be generated periodically, and every time


the events module is restarted. 1. Action: Access the eBox web interface, go to Module Status and enable events. Effect: The Save Changes button has turned red. 2. Action: Go to Events and click on the tab labeled Congure Events. Click on the pencil icon that is placed in the Status column. Check the Enabled eld and click on:Change. Effect: The events table shows the event as enabled. 3. Action: Go to the tab labeled Congure dispatchers. Click on the pencil icon of the row that contains the Log event. Enable it and click on Change. Effect: The event disptacher table shows the log dispatcher as enabled. 4. Action: Save changes. Effect: eBox shows the progress of the saving changes process until it displays a message to let you know it is done. An event with the message eBox is up and running /var/log/ebox/ebox.log. 5. Action: From the console on the eBox machine run: sudo /etc/init.d/ebox events restart. Effect: An event with the message eBox is up and running will be written again in /var/log/ebox/ebox.log. will be written in

182

CHAPTER 7. EBOX CORE

7.3.2 Exercises
Exercise A Follow the steps described in Practical Example. However, this time you have to use the mail dispatcher. Remember that you need to have the mail module congured and running.

Exercise B Follow the steps described in Practical Example. However, this time you have to use the Jabber dispatcher. It is a good idea to create both the eBox Jabber account and the administrator account in an eBox server as described in Practical example.

Exercise C Create an event to report those email messages that pass cleanly through our mail lter. Use both the mail and Jabber dispatchers.

7.4

Backup
7.4.1 The backup system design
A data loss is an eventual accident that you have to be prepared to deal with. Hardware failures, software bugs or human mistakes can cause an irreparable loss of important data. Its an unavoidable task to design a well tested procedure to make, check and restore backups, taking into consideration both conguration-only and full backups. One of the rst decisions we have to make is whether we are going to make full backups, what is an exact copy of the data or incremental backups that are copies of the differences from the rst backup. Incremental backups use less space but need some computation to restore the copy. A combination of often incremental backups plus eventual full copies is the most usual choice but this will depend on your needs and available storage resources. Another important choice is whether to make the backups on the same host or to use a remote host. A remote host gives more security because of being on a different server. A hardware failure, software bug, human mistake or a security compromise shouldnt affect the integrity of a remote

183

eBox 1.2 for Network Administrators

backup. To minimize risks, the remote backup server should be used exclusively for this purpose. Two non-dedicated servers making backups of each other is denitely a bad idea, a compromise in one of them leads to a compromise in the other one leaving you without a safe backup copy. The given arguments justify a design where the backup server pulls data from the backed up server and not the other way around. Access is only possible in this way, keeping the backups secure. The purpose of this design is to avoid that an unauthorized access on the main server can reach the backup server.

7.4.2 Backup conguration with eBox


A very complex backup system can be deployed over any eBox Platform host, but we began introducing some preliminary backup support so you can congure through the interface a simple incremental backup to a local disk. rdiff-backup 5 is the chosen tool to make the copies. The copies are incremental but a bit different from how they are usually made. This tool, instead of having an initial copy plus differences on top, has a full copy of the last version and differences backwards. Thanks to this feature, we can access and restore the last copy in a straightforward manner. It uses the rsync uses SSH, which simplies the deployment over the network. Although we could make the backups on the same hard disk where is the system, this option is not recommended because in the case of a hard disk failure, the backup copy could be damaged. The rst step is to install an additional disk on the server. Hard disks are usually identied by the system as /dev/sdx giving a letter to x for each disk: a, b, c, etc. The following step is to create a partition and a le system on the hard disk. The le /proc/partitions shows details about the connected disks and the partitions they have. The following example is a host where the system is on the rst hard disk (/dev/sda) using LVM without partitions:
7 6

protocol to compare source

and destination, transfering only the differences and making an efcient usage of the bandwith. It also

and a second disk (/dev/sdb) still

# cat /proc/partitions major minor #blocks name 8


5 6 7

8388608 sda

<- first disk

rdiff-backup <http://rdiff-backup.nongnu.org/>. rsync <http://rsync.samba.org/>. LVM

184

CHAPTER 7. EBOX CORE

8 8 8 254 254 254

1 2 16 0 1 2

248976 8136922 1048576 4194394 524288 2097152

sda1 sda2 sdb dm-0 dm-1 dm-2

<<<<<<-

first partition on the first disk second partition on the first disk second disk still without partitions first LVM volume second LVM volume third LVM volume

To create a partition we are going to run the command cfdisk, followed by the disk name, on the example presented above, /dev/sdb. This is a critial step. We have to be especially careful to not modify the partitions on the system disk because we could break it:

# cfdisk /dev/sdb
Using the bottom menu, we create the partition:

Figure 7.8: Select [New]

Figure 7.9: Select partition type [Primary]

Now we can see the newly created partition in the example as /dev/sdb1:

185

eBox 1.2 for Network Administrators

Figure 7.10: Select the default size Size (in MB) (full disk)

Figure 7.11: Save changes on the partition table with [Write]

Figure 7.12: Conrm changes with yes

186

CHAPTER 7. EBOX CORE

Figure 7.13: Finish with [Quit]

# cat /proc/partitions major minor #blocks name 8 8 8 8 8 254 254 254 0 1 2 16 17 0 1 2 8388608 248976 8136922 1048576 1044193 4194394 524288 2097152 sda sda1 sda2 sdb sdb1 dm-0 dm-1 dm-2 <<<<<<<<-

first disk first partition on the first disk second partition on the first disk second disk first partition on the second disk (recently cre first LVM volume second LVM volume third LVM volume

It is time to create the le system on the new partition. Again we have to be very careful in order to create the le system on the right partition, otherwise we would destroy all the existing data in other partition. In this example we are going to use the ext3 lesystem with the dir_index parameter for better performance:

# mkfs.ext3 -O dir_index /dev/sdb1 Filesystem label= OS type: Linux Block size=4096 (log=2) Fragment size=4096 (log=2) 65280 inodes, 261048 blocks 13052 blocks (5.00%) reserved for the super user First data block=0 Maximum filesystem blocks=268435456 8 block groups

187

eBox 1.2 for Network Administrators

32768 blocks per group, 32768 fragments per group 8160 inodes per group Superblock backups stored on blocks: 32768, 98304, 163840, 229376 Writing inode tables: done Creating journal (4096 blocks): done Writing superblocks and filesystem accounting information: done This filesystem will be automatically checked every 31 mounts or 180 days, whichever comes first. Use tune2fs -c or -i to override.
We can create the mount point now:

# mkdir /mnt/backup
Add the following line to your /etc/fstab le so it mounts it at boot time:

/dev/sdb1

/mnt/backup

ext3

noatime

And nally mount it and you are ready:

# mount /mnt/backup
Once you have the hard disk where you will store the backup, you can enable the backup module from Module Status. Once enabled, click on Save Changes and go to Backup. There are three parameters we can congure here. Backup path: This is the path where you have mounted the disk where the backup is going to be stored. Defaults to /mnt/backup/. Days to keep: This is the number of days from when the backups are going to be rotated. Copies older than this number of days will be deleted after the next successful copy. After clicking Save Changes, you can check if the rst copy has nished and the current state of the backup with the following command:

# rdiff-backup -l /mnt/backup/ Found 0 increments: Current mirror: Wed May 20 21:56:32 2009

188

CHAPTER 7. EBOX CORE

Figure 7.14: ebox-ebackup conguration

Note that the current module version still lacks the posibility to congure which directories are being included in the backup and all of them are included except /dev, /proc and /sys which are generated by the system at boot time. There is a rdiff-backup log on /mnt/backup/ebox-backup.log.

7.4.3 How to recover on a disaster


Knowing the procedure and having the habilities and experience to successfully restore a backup in a critial situation is as important as making backups. You should be able to restore services as soon as posible when a disaster interrupts the systems. Restoring a le or a directory is as easy as running rdiff-backup with the -r parameter giving now for the last copy or the number of days we want to go back with the backup, followed by the origin and the destination where the les will be restored:

# rdiff-backup -r now /mnt/backup/etc/ebox /etc/ebox # rdiff-backup -r 10D /mnt/backup/home/samba/users/john /home/samba/users/john


On a total disaster, you would have to boot the system using a CD-ROM like the eBox Platform installer (or any other Ubuntu installer) in rescue mode and use the option Rescue a broken system. At the beginning, you will have to follow the same steps than on system install. Those questions only set up the temporary system without modifying the installed one. Continue until the rescue menu appears. In this menu, select the partition where /boot is if you have the partition scheme recommended by the developers (/boot + LVM). Otherwise, select the partition where / is mounted. In this case, you

189

eBox 1.2 for Network Administrators

Figure 7.15: Boot with Rescue a broken system

will already have the system mounted under /target and you will only have to mount the remaining partitions. First of all, we have to create a mount point for the backup hard disk and mount it. The partition in the example is /dev/sdb1 with an ext3 le system:

# mkdir /mnt/backup # mount -t ext3 /dev/sdb1 /mnt/backup


Now you have to create another mount point for the system root and mount it. Once mounted, delete everything to start from a clean environment:

# mkdir /mnt/ebox # mount -t ext3 /dev/ebox/root /mnt/ebox # rm -fr /mnt/ebox/*


If you had other partitions which needed to be restored as well, like usually happens with /var, just do the same. Also with the other partitions if they have been compromised (/home, /var/vmail, etc.):

190

CHAPTER 7. EBOX CORE

Figure 7.16: Select /dev/sda1

Figure 7.17: Select Execute a shell in the installer environment

191

eBox 1.2 for Network Administrators

Figure 7.18: An info message

Figure 7.19: A restricted shell

192

CHAPTER 7. EBOX CORE

# mkdir /mnt/ebox/var # mount -t xfs /dev/ebox/var /mnt/ebox/var # rm -fr /mnt/ebox/var/*


And now you can restore the backup:

# cd /mnt/backup/ # cp -ra * /mnt/ebox/


There are some issues that have to be dealt with to get the system booting. You have to create the directories excluded from the backup. You should also clean up the temporal directories and the rdiff-backup metadata le:

# # # # # #

mkdir -p /mnt/ebox/dev mkdir -p /mnt/ebox/sys mkdir -p /mnt/ebox/proc rm -fr /mnt/ebox/var/run/* rm -fr /mnt/ebox/var/lock/* rm -fr /mnt/ebox/rdiff-backup-data
Now you just need to restore the /boot partition mounted on /target :

# rm -fr /target/* # mv /mnt/ebox/boot/* /target/


If you had mounted more partitions under /mnt/ebox, unmount them:

# umount /mnt/ebox/var
Create /var/run and /var/lock which are needed to boot the system. Finally, unmount and exit:

# # # #

mkdir -p /mnt/ebox/var/run mkdir -p /mnt/ebox/var/lock umount /mnt/ebox exit


The restoring proccess has nished and you can reboot now.

193

eBox 1.2 for Network Administrators

Figure 7.20: Select Reboot the system

7.4.4 Conguration backups


In addition, eBox Platform has another way to make conguration backups and restore them from the interface itself. This method backs up the conguration of all modules that have been enabled at some point, as well as the LDAP users and any other additional les required by each of these modules. The backup can also include the data stored by these modules (home directories, voicemail, etc.) but from 1.2 onwards this way has been deprecated in favor of the rst explained method because it can deal better with huge datasets. To make these backups, you should go, as usual, to System can see in the following image.

Backup. You will not be able to

make a new backup if you have modied the conguration and you have not saved changes as you

194

CHAPTER 7. EBOX CORE

Once introduced the name for the backup, select the backup type (conguration or full) and click Backup. A screen will appear showing the progress through the modules until it nishes with Backup successfully nished. After this, if you go back you will see a Backup list. Through this list you will be able to restore, download to your local disk or delete any of the stored backup copies. Some information like backup type, date and size will be shown as well. On Restore backup from le you can upload a backup le that you have in your local disk, for example, from a previous eBox Platform deployment on a different server, and restore it using Restore. A conrmation will be requested on restore. You should be careful because all the current conguration will be replaced. This action is similar to the backup, a screen will appear, showing the progress and notifying whether the operation was successful or an error occurred.

7.4.5 Command line tools for conguration backups


Two command line tools are provided to export and import the conguration from the console. They are available in /usr/share/ebox and are ebox-make-backup and ebox-restore-backup. ebox-make-backup allows you to make conguration backups. Among its options you can select the backup type to do. One of them is bug-report, which helps developers to debug bugs by including extra information in the backup. Passwords are replaced in order to maintain users privacy. This backup type cant be done through the web interface. You can see all the options using the help parameter.

195

eBox 1.2 for Network Administrators

ebox-restore-backup allows you to restore conguration backups. It also provides an option to extract information from the backup le. Another interesting feature is the posibility of making partial restorations, restoring only some specic modules. This is very useful when restoring a module from an old version or when restoring a module failed. You should be careful with the interdependencies between the modules. For example, if you restore a rewall module backup that uses objects and services you have to restore those rst. But you still have the option to force the script to ignore the dependencies that you can use if really required. To see all options of this program use the help parameter.

7.5

Software Updates
Like any other software system, eBox Platform requires periodic updates, either to add new features or to x defects or system failures. eBox distributes its software as packages and it uses Ubuntus standard tool, APT 8 . However, in order to ease this task, eBox provides a web interface to simplify the process.[#]_ The web interface allows checking for new available versions of eBox components and installing them in a simple way. It also allows you to update the software supporting eBox, mainly to correct potential security aws.

7.5.1 Management of eBox components


The management of eBox components allows you to install, update and remove eBox modules. The component manager is a module, and like any other eBox module must be enabled before being used. To manage eBox components you must access :menuselection: Software Management -> eBox components.
Advanced Packaging Tool (APT) is a system for the management of software packages created by the Debian Project that greatly simplies the installation and removal of programs on the GNU / Linux operating system http://wiki.debian.org/Apt
8

196

CHAPTER 7. EBOX CORE

A list of all eBox components is shown there, together with the installed version and the latest available version. Components that are not installed or up to date, can be installed or updated by clicking on the respective icon in the Actions column. There is a button called Update all packages to update all those packages with a new version available. It is also possible to uninstall components by clicking on the respective icon for this action. Before proceeding to uninstall, a dialogue will be displayed with the list of the software packages to be removed. This step is necessary because it might be about to eliminate a component that is used by others, which would be also removed. Some components are basic and cannot be uninstalled, as that would uninstall eBox Platform completely.

7.5.2 System Updates


System updates performs the updates of programs used by eBox. In order to carry out its function, eBox Platform integrates different system programs within eBox components packages. These programs are referenced as dependencies ensuring that when installing eBox, they are also installed. Similarly, these programs may have dependencies as well. Usually the update of a dependency is not important enough to create a new eBox package with new dependencies, but it may be interesting to install it in order to use its improvements or its patches for security aws. To see updates of the system you must go to Software Management

System Updates. You

should see if your system is already updated or, otherwise, a list of packages that can be upgraded.

197

eBox 1.2 for Network Administrators

198

CHAPTER 7. EBOX CORE

If you install packages on the machine without using the web interface, this data may be outdated. Therefore, every night a process is executed to search for available updates for the system. Such a search can be forced by running:

$ sudo ebox-software
For each update, you can determine whether it is a security update using the information icon. If it is a security update the details about the security aw included in the package changelog will be displayed by clicking on the icon. If you want to perform an update you should select the packages on which to perform the action and press the appropriate button. As a shortcut, you can use the button Update all packages. Status messages will be displayed during the update operation.

7.5.3 Automatic Updates


Automatic updates allow eBox Platform to automatically install any updates available. This operation is performed daily at midnight. This feature can be activated by accessing the page Software Management -> Automatic Updates.

It is not advisable to use this option if the administrator wants to keep a higher level of security in the management of updates. When performing the updates manually, administrators can avoid possible errors going unnoticed.

7.5.4 Exercises
Exercise A Activate the software module. Go to the list of eBox components and uninstall the component eBox - NTP Server. Check that it has been uninstalled properly by conrming that we cannot access the components page. Go back to the list of eBox components and install it again. Check that it has been properly installed.

199

eBox 1.2 for Network Administrators

Exercise B Go to system updates. If updates are available, install them.

200

Index
R
RFC RFC 1179, 96 RFC 2033, 136 RFC 2616, 37, 38 RFC 2910, 95

201