
configuration file

20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors

On Linux and UNIX, system services are configured through text files under the /etc/ or /usr/local/etc/ directory tree. A typical server can have dozens of configuration files, so it is important to check that each one is valid before restarting the service that reads it. In some cases the checker can also verify the sanity of special data (such as keys) or directories (such as /var/lib/cache/). Text files are easy to manage remotely over ssh with a text editor, but a single syntax error can keep a server from starting, which on a production system can be a disaster. This article explains how to find syntax errors in the configuration files of popular servers and how to test those files before reloading.

Lighttpd mod_rewrite Hotlink Protection To Display Image Message

Many of our regular readers want to know more about lighttpd hotlink protection using mod_rewrite. Lighttpd can use the HTTP Referer header to detect hotlinking and can be configured to partially protect hosted media from inline linking, usually by not serving the media or by serving a different file. The protection is only partial because the Referer header is sent by the client and may be missing or forged.

Lighttpd anti hotlinking configuration - redirect to another media

Open lighttpd.conf configuration file:
# vi /etc/lighttpd/lighttpd.conf
Append the following directive to serve a default picture called /hotlink.png instead of the requested image:

$HTTP["referer"] =~ ".*BADDOMAIN\.com.*|.*IMAGESUCKERDOMAIN\.com.*|.*blogspot\.com.*" {
  url.rewrite = ("(?i)(/.*\.(jpe?g|png))$" => "/hotlink.png" )
}

So if a page on *.blogspot.com embeds www.cyberciti.biz/image.png, the visitor is served www.cyberciti.biz/hotlink.png instead; (?i) makes the extension match case-insensitive. Keep in mind that the patterns above are unanchored substring matches against the whole Referer URL (so they also match a path that merely contains the domain name) and that the header is supplied by the client, so this stops casual inline linking rather than a determined leecher. I've written a small script to detect excessive hotlinking from the log file and ban all those domains. Most types of electronic media can be redirected this way, including video files, music files, and animations.
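The log-analysis step mentioned above, as an added example that is not the author's script: a POSIX shell script (awk does the parsing) that counts, per referer host, image requests in a combined-format access log and prints a lighttpd $HTTP["referer"] block for the hosts over a threshold. The site name www.cyberciti.biz, the sample log lines and the file name hotlink.sh are constructed for this example; unlike the substring patterns above, the emitted patterns are anchored to the host part of the Referer URL.

```shell
#!/bin/sh
# Added example (not the script the article mentions): find the referer
# hosts that embed our images from a combined-format access log, then emit a
# lighttpd block for the worst offenders. The site name and the sample log
# lines are constructed for this example.

OWN_HOST="www.cyberciti.biz"

# write_sample_log FILE -> six constructed combined-format lines
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Oct/2009:13:55:36 +0000] "GET /image.png HTTP/1.1" 200 5120 "http://evil.blogspot.com/post1" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2009:13:55:37 +0000] "GET /photo.jpg HTTP/1.1" 200 6000 "http://evil.blogspot.com/post2" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2009:13:56:00 +0000] "GET /image.png HTTP/1.1" 200 5120 "http://www.cyberciti.biz/faq/" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2009:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 900 "http://imagesucker.example/" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2009:13:57:00 +0000] "GET /image.png?x=1 HTTP/1.1" 200 5120 "-" "curl/7.19"
192.0.2.78 - - [10/Oct/2009:13:58:00 +0000] "GET /photo.jpg HTTP/1.1" 200 6000 "http://imagesucker.example/page" "Mozilla/5.0"
EOF
}

# hotlink_referers LOGFILE MIN_HITS
# Prints "hits host" for each external referer host that fetched an image at
# least MIN_HITS times, most hits first. Direct hits (referer "-") and our
# own pages are skipped. The referer is the fourth double-quoted field.
hotlink_referers() {
    awk -F'"' -v own="$OWN_HOST" -v min="$2" '
        {
            split($2, req, " ")                      # "GET /path HTTP/1.1"
            path = req[2]
            sub(/\?.*/, "", path)                    # drop the query string
            if (path !~ /\.(jpe?g|png|gif)$/) next   # images only
            ref = $4
            if (ref == "-" || ref == "") next        # no referer at all
            sub("^[a-z]+://", "", ref)               # strip the scheme
            sub("[/:].*", "", ref)                   # keep the host only
            ref = tolower(ref)
            if (ref == own) next
            hits[ref]++
        }
        END { for (h in hits) if (hits[h] >= min) print hits[h], h }
    ' "$1" | sort -rn
}

# hotlink_rule HOST... -> lighttpd conditional matching those referer hosts.
# Unlike ".*host.*", each pattern is anchored to the URL's host part (with
# optional subdomain and port) and its dots are escaped.
hotlink_rule() {
    re=""
    for h in "$@"; do
        esc=$(printf '%s' "$h" | sed 's/\./\\./g')
        re="${re:+$re|}^https?://([^/]+\\.)?${esc}(:[0-9]+)?(/|\$)"
    done
    printf '$HTTP["referer"] =~ "%s" {\n' "$re"
    printf '  url.rewrite = ( "(?i)^(/.*\\.(jpe?g|png|gif))$" => "/hotlink.png" )\n'
    printf '}\n'
}

# ban_hotlinkers LOGFILE MIN_HITS -> the block for every host over the limit
ban_hotlinkers() {
    hosts=$(hotlink_referers "$1" "$2" | awk '{ print $2 }')
    [ -n "$hosts" ] || return 1
    # shellcheck disable=SC2086
    hotlink_rule $hosts
}

# With no arguments run on the constructed sample; otherwise:
#   sh hotlink.sh /var/log/lighttpd/access.log 3
if [ $# -eq 0 ]; then
    tmp=$(mktemp) && write_sample_log "$tmp" && ban_hotlinkers "$tmp" 2
    rm -f "$tmp"
else
    ban_hotlinkers "$1" "${2:-2}"
fi
```

Paste the printed block into lighttpd.conf and reload; the threshold keeps a single embedded image on someone's blog from landing the whole domain on the list.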

Related: Apache web server users can stop leechers with mod_rewrite / .htaccess rules.

How to Install and Configure ProFTPD in RHEL / CentOS / Fedora Linux

This is a user contributed tutorial.

ProFTPD is an enhanced, secure and highly configurable FTP server. Its configuration syntax is very similar to that of the Apache web server. It offers features such as:
+ multiple virtual server
+ anonymous
+ authenticated access
+ chroot jail support
+ SSL/TLS encryption
+ RADIUS, LDAP and SQL support etc

Install ProFTPD server

Type the following command as root user:
# yum install proftpd
Start ProFTPD automatically at boot (runlevel 3):
# chkconfig --level 3 proftpd on
To start proftpd ftp service, enter:
# service proftpd start
To Stop proftpd ftp server, enter:
# service proftpd stop
To restart proftpd ftp service, enter:
# service proftpd restart
To reload the configuration file, enter:
# service proftpd reload

/etc/proftpd.conf - Proftpd configuration file

The default configuration file is located at /etc/proftpd.conf. To edit the configuration file, enter:
# vim /etc/proftpd.conf
Checking the syntax of the configuration file
# proftpd -t

Virtual users authentication configuration

When you install ProFTPD it is almost ready for anonymous users: you only have to uncomment the anonymous section in /etc/proftpd.conf. If you want authenticated access you must configure extra directives. Keep these two in mind for virtual-user authentication:

  • AuthUserFile : Specify the users file, has the same format as /etc/passwd
  • AuthGroupFile : Specify the groups file, has the same format as /etc/group

Create the two files with the ftpasswd tool. The generic form is:
# ftpasswd --passwd --name {username} --file /etc/ftpd.passwd --uid {uid} --gid {gid} --home /var/ftp/{username}/ --shell /bin/false
# ftpasswd --group --name {groupname} --file /etc/ftpd.group --gid {gid} --member {username}

For example, add an FTP user called tom for the cyberciti.biz domain (ftpcbz group, GID 5001):
# ftpasswd --passwd --name tom --file /etc/ftpd.passwd --uid 5001 --gid 5001 --home /var/ftp/tom/ --shell /bin/false
# ftpasswd --group --name ftpcbz --file /etc/ftpd.group --gid 5001 --member tom

Then open /etc/proftpd.conf:
# vi /etc/proftpd.conf
and point the two directives at the files you just created:

AuthUserFile	/etc/ftpd.passwd
AuthGroupFile	/etc/ftpd.group

Warning! The home directory you pass to ftpasswd must exist and be owned by (or at least writable for) the UID/GID you assigned, because ProFTPD serves that user's session under those UNIX credentials, not as root.

Set --shell to /bin/false: a virtual FTP user needs no interactive shell, and granting one only widens the damage if the password leaks. Because /bin/false may not be listed in /etc/shells, pair it with RequireValidShell off (see below).

If ProFTPD throws errors when you try to authenticate as a virtual user, check these directives and their recommended values:

# Don't check the user's shell against /etc/shells
RequireValidShell off
# Don't check against /etc/passwd; use only AuthUserFile
AuthOrder mod_auth_file.c
# Don't keep the system passwd/group files open (they are not used)
PersistentPasswd off
# Disable PAM authentication
AuthPAM off

To jail users in their respective home directories (a chroot to ~ after login), add the following to the config file:
DefaultRoot ~

Playing with file access permissions

The general syntax is as follows:

Umask FILEMODE [DIRMODE]

Sets the umask applied to newly created files and directories. FILEMODE and DIRMODE must be octal modes in the format 0xxx; new files start from 0666 and new directories from 0777 before the mask is applied. If DIRMODE is omitted then DIRMODE = FILEMODE.

Some examples:

Umask 022

  • The owner has rw permissions over the files and full access over directories.
  • The group has r permission over the files and rx over directories.
  • The world has r permission over the files and rx over directories.

More restrictive:
Umask 026 027

  • The owner has rw permissions over the files and full access over directories.
  • The group has r permission over the files and rx over directories.
  • The world doesn't have any permission over the files neither over directories.
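As an added example that is not part of the tutorial, the shell functions below compute the file and directory modes a given Umask line produces (new files start from 0666, new directories from 0777) and can confirm them against the kernel by creating a file and a directory under that umask. The verify step assumes GNU coreutils stat (-c); everything else is POSIX sh.

```shell
#!/bin/sh
# Added example (not from the ProFTPD tutorial): work out the modes that a
# "Umask FILEMODE [DIRMODE]" line produces, then confirm them by creating a
# file and a directory under the same umask. The verify step assumes GNU
# coreutils stat (-c).

# effective_mode BASE UMASK -> three-digit octal mode, e.g. 0666 022 -> 644
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# proftpd_umask FILEMODE [DIRMODE]
# Same rule as the directive: when DIRMODE is omitted it equals FILEMODE.
# New files start from 0666 and new directories from 0777.
proftpd_umask() {
    fmask=$1
    dmask=${2:-$1}
    printf 'files=%s dirs=%s\n' \
        "$(effective_mode 0666 "$fmask")" "$(effective_mode 0777 "$dmask")"
}

# verify_umask UMASK -> "files=<mode> dirs=<mode>" as the kernel applied it
verify_umask() {
    d=$(mktemp -d) || return 1
    ( umask "$1" && touch "$d/f" && mkdir "$d/d" ) || { rm -rf "$d"; return 1; }
    printf 'files=%s dirs=%s\n' "$(stat -c %a "$d/f")" "$(stat -c %a "$d/d")"
    rm -rf "$d"
}

# Show the three settings discussed above. Note that "Umask 026" on its own
# leaves the world execute (traverse) bit on directories (751), which is why
# the restrictive form names 027 for directories explicitly.
for setting in "022" "026 027" "026"; do
    # shellcheck disable=SC2086
    printf 'Umask %-8s -> %s\n' "$setting" "$(proftpd_umask $setting)"
done
```

Run verify_umask 027 next to proftpd_umask 027 027 to see the arithmetic and the kernel agree; the one thing the directive does that the shell umask cannot is apply a different mask to directories than to files.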

To deny everyone except admin the ability to change file permissions via FTP (the SITE CHMOD command), put the rule in a <Limit SITE_CHMOD> context:

<Limit SITE_CHMOD>
  AllowUser admin
  DenyAll
</Limit>

Firewall Configuration - Open FTP port

See FAQ section for further details on iptables configuration.

Further readings:

  1. Proftpd project
  2. ProFTPD unofficial documentation

This article / faq is contributed by Yoander Valdés Rodríguez (yoander). nixCraft welcomes readers' tips / howtos.

Lighttpd Control a Directory Listing With mod_dirlisting

The lighttpd web server generates a directory listing if a directory is requested and no index file is found in it. mod_dirlisting is one of the modules loaded by default and does not have to be listed in server.modules to work.

Task: Enable Directory Listings Globally

Open lighttpd configuration file:
# vi /etc/lighttpd/lighttpd.conf
Append or modify (dir-listing.activate is the current option name; server.dir-listing is the older name for the same setting, so one of the two lines is enough):
server.dir-listing = "enable"
dir-listing.activate = "enable"
Save and close the file. Restart lighttpd:
# /etc/init.d/lighttpd restart
To disable directory listing, use:
dir-listing.activate = "disable"

Enable directory listing only for a directory

You can also enable or disable listings for a selected URL / directory. Enabling listings globally exposes the contents of every directory that lacks an index file, so prefer keeping them off and enabling them only where you mean to publish a file index. For example, display a listing only for /files/:
$HTTP["url"] =~ "^/files($|/)" { server.dir-listing = "enable" }
$HTTP["url"] =~ "^/files($|/)" { dir-listing.activate = "enable" }


Check BIND – DNS Server configuration file for errors with named-checkconf tools

You can use a tool called named-checkconf to check the syntax of the BIND DNS server (named daemon) configuration file under Linux / UNIX. It checks the syntax, but not the semantics, of a named configuration file: it catches syntax errors and typos, but it cannot tell that you assigned a wrong MX or A record. Nevertheless, it is an excellent tool for troubleshooting DNS server problems.

How do I check my bind configuration for errors?

Simply run command as follows:
# named-checkconf /etc/named.conf
You may want to chroot to directory so that include directives in the configuration file are processed as if run by a similarly chrooted named:
# named-checkconf -t /var/named/chroot /etc/named.conf
If there is no output and the command exits with status 0, the configuration is syntactically correct and you can safely restart or reload BIND. Add -z to also test-load every master zone referenced from named.conf. If there is an error it is displayed on screen and the exit status is non-zero:
# named-checkconf /etc/named.conf

/etc/named.conf:58: open: /etc/named.root.hints: file not found

Related tool: BIND-DNS server zone file validity checking tool
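The same check-before-reload rule applies to every daemon in the "20 Examples" article above, not just BIND. The shell functions below are an added example, not from either article: they run a checker and only reload when it exits 0, so a typo never takes a daemon down. The checker commands for named, lighttpd, proftpd and sshd are real ones; the configuration paths and the service NAME reload call are assumed Red Hat style defaults.

```shell
#!/bin/sh
# Added example (not from the nixCraft articles): reload a daemon only after
# its configuration passes a syntax check, judging by the checker's exit
# status rather than by "no output". The config paths are the usual
# Red Hat style defaults and are assumptions.

# config_checker SERVICE -> prints the command that validates SERVICE's config
config_checker() {
    case "$1" in
        named)    echo "named-checkconf -z /etc/named.conf" ;;
        lighttpd) echo "lighttpd -t -f /etc/lighttpd/lighttpd.conf" ;;
        proftpd)  echo "proftpd -t" ;;
        sshd)     echo "sshd -t" ;;
        *)        echo "no checker known for $1" >&2; return 1 ;;
    esac
}

# check_then_reload CHECK_CMD RELOAD_CMD
# Runs CHECK_CMD. Only when it exits 0 is RELOAD_CMD run; otherwise the
# checker's output is shown and the daemon keeps running on its last
# known-good configuration.
check_then_reload() {
    if out=$(sh -c "$1" 2>&1); then
        sh -c "$2"
    else
        printf 'config check failed (%s):\n%s\n' "$1" "$out" >&2
        return 1
    fi
}

# safe_reload SERVICE -> check, then "service SERVICE reload"
safe_reload() {
    chk=$(config_checker "$1") || return 1
    check_then_reload "$chk" "service $1 reload"
}

# Usage:  safe_reload named
```

Wiring the check into the reload path (or a configuration-management handler) is what makes the difference: a checker you have to remember to run is a checker that is skipped on the night it matters.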

Linux: Display a login banner for Gnome (GDM) Desktop

You can easily use /etc/issue file to display a pre-login message / login warning banner for text based session. You can also force OpenSSH (SSHD) to display a login message or banner. But how do you force GDM to display a login banner for all local and remote users?

GDM customization

GDM is a replacement for XDM, the X Display Manager. GDM runs and manages the X servers for both local and remote logins (using XDMCP). You can easily configure GDM to display message. You need to open gdm custom configuration file:

[a] RHEL / CentOS / Fedora Linux : Open /etc/gdm/custom.conf file.
[b] Debian / Ubuntu Linux : Open /etc/gdm/gdm.conf-custom file.

This file is the appropriate place for specifying your customizations to the GDM configuration. If you run gdmsetup, it will automatically edit this file for you and will cause the daemon and any running GDM GUI programs to automatically update with the new configuration. Not all configuration options are supported by gdmsetup, so to modify some values it may be necessary to modify this file directly by hand.

Display a login banner for Gnome / GDM under Linux

Open /etc/gdm/custom.conf file:
# vi /etc/gdm/custom.conf
Find out [greeter] section and append following text:
Welcome=Message for local users
RemoteWelcome=Message for remote login users

Save and close the file.

A note about RHEL / CentOS / Fedora user

Apart from the above configuration you also need to add the following line under the [daemon] section:

Using GUI tool gdmsetup

gdmsetup is a graphical tool for easily changing the most commonly used options, including greeting messages. As mentioned earlier, gdmsetup does not support changing every configuration variable, so it may be necessary to edit the files by hand for some configuration and security settings. Open an X terminal and enter the command:
$ sudo gdmsetup
[Screenshot: displaying a login warning banner for GDM with gdmsetup]

Select Local tab > Welcome Messages > Custom > Enter your custom message > Click on Close button to save the changes.

Gnome per user language encoding configuration using .dmrc file

Sometimes you may see a different language encoding in X than at your console (tty) prompt, and sometimes two different users need two different language encodings.

~/.dmrc file - Per-user language support

In theory this file should be shared between GDM (Gnome) and KDM (KDE), so users only have to configure things once. This is a standard .ini kind / style configuration file. It has only one section called [Desktop] which has two keys: Session and Language. There are some per user configuration settings that control how GDM behaves. GDM is picky about the file ownership and permissions of the user files it will access, and will ignore files if they are not owned by the user or files that have group/world write permission. Normally GDM will write this file when the user logs in for the first time, and rewrite it if the user chooses to change their default values on a subsequent login.

Setup language encoding in X

Defining the LANG variable is not sufficient; you also need to set the language encoding in the ~/.dmrc file:
cat ~/.dmrc
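An added example, not from the article: a shell script that writes the [Desktop] section described above and applies the ownership and write-permission test that GDM performs before it will read the file. The language en_US.UTF-8, the session name gnome and the use of a temporary file instead of the real ~/.dmrc are assumptions for the demo; the permission check parses ls -ld so it runs on any POSIX system.

```shell
#!/bin/sh
# Added example (not from the nixCraft article): write a per-user ~/.dmrc and
# check it the way GDM does before trusting it: the file must be owned by the
# user and must not be group- or world-writable, otherwise GDM ignores it.
# The target path is taken as an argument rather than assumed to be $HOME/.dmrc.

# write_dmrc FILE LANGUAGE SESSION -> the one-section, two-key file GDM reads
write_dmrc() {
    printf '[Desktop]\nSession=%s\nLanguage=%s\n' "$3" "$2" > "$1" &&
        chmod 644 "$1"
}

# dmrc_accepted FILE USER -> 0 if GDM would read FILE for USER, 1 otherwise
dmrc_accepted() {
    f=$1; u=$2
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")            # "-rw-r--r-- 1 owner group size date name"
    perm=$1; owner=$3
    [ "$owner" = "$u" ] || return 1   # not owned by the user
    case "$perm" in
        ?????w*|????????w*) return 1 ;;   # group (pos 6) or world (pos 9) write
    esac
    return 0
}

# dmrc_language FILE -> the Language= value, empty if none
dmrc_language() {
    sed -n 's/^Language=//p' "$1"
}

# Demo on a temporary file rather than touching the real ~/.dmrc.
demo() {
    f=$(mktemp) || return 1
    write_dmrc "$f" en_US.UTF-8 gnome
    me=$(id -un)
    dmrc_accepted "$f" "$me" && echo "ok: $f would be read (Language=$(dmrc_language "$f"))"
    chmod 664 "$f"
    dmrc_accepted "$f" "$me" || echo "rejected: $f is group-writable"
    rm -f "$f"
}
demo
```

The same rule explains the classic support ticket "my GDM language setting is ignored": a ~/.dmrc restored from a backup with the wrong owner, or made group-writable by a lax umask, is silently skipped.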


Refer to Gnome Display Manager Reference Manual for more information.