Ebox For Network Administrators

eBox 1.
4 for Network Administrators

R EVISION 1.4
E B OX
P LATFORM - T RAINING
http://www.ebox-technologies.com/
S TUDENT G UIDE
eBox 1.4 for Network Administrators
This document is distributed under Creative Commons Attribution-Share Alike license version 2.5 ( http://creativecommons.org/licenses/by-sa/2.5/ )
This document uses images from Tango Desktop Project also distributed under Creative Commons Attribution-Share Alike license version 2.5.
http://tango.freedesktop.org/
Contents
1 eBox Platform: unied server for SMEs 1.1 1.2 1.3 Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.1 1.3.1 1.3.2 1.3.3 1.4 1.5 eBox Platform installer . . . . . . . . . . . . . . . . . . . . . . . . . . . Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Applying conguration changes . . . . . . . . . . . . . . . . . . . . . . . Modules status conguration . . . . . . . . . . . . . . . . . . . . . . . . Administration web interface . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1 1 4 5 12 13 16 18 18 20 20 21 24 31 31 32 37 38 39 43 43 46 47 47 49 50 53
How does eBox Platform work? . . . . . . . . . . . . . . . . . . . . . . . . . . . Location within the network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.5.1 1.5.2 1.5.3 Local network conguration . . . . . . . . . . . . . . . . . . . . . . . . . Network conguration with eBox Platform . . . . . . . . . . . . . . . . . . Network diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2 eBox Infrastructure 2.1 2.2 Network conguration service (DHCP) . . . . . . . . . . . . . . . . . . . . . . . 2.1.1 2.2.1 2.2.2 2.3 2.3.1 2.3.2 2.3.3 2.3.4 2.4 2.4.1 DHCP server conguration with eBox . . . . . . . . . . . . . . . . . . . . DNS cache server conguration with eBox . . . . . . . . . . . . . . . . . Name resolution service (DNS) . . . . . . . . . . . . . . . . . . . . . . . . . . . DNS server conguration with eBox . . . . . . . . . . . . . . . . . . . . . Hyper Text Transfer Protocol . . . . . . . . . . . . . . . . . . . . . . . . The Apache Web server . . . . . . . . . . . . . . . . . . . . . . . . . . Virtual domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HTTP server conguration with eBox . . . . . . . . . . . . . . . . . . . . NTP server conguration with eBox . . . . . . . . . . . . . . . . . . . . .
Web data publication service (HTTP) . . . . . . . . . . . . . . . . . . . . . . . .
Time synchronization service (NTP)
3 eBox Gateway
3.1
High-level eBox network abstractions . . . . . . . . . . . . . . . . . . . . . . . . 3.1.1 3.1.2 Network objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The rewall in GNU/Linux: Netlter . . . . . . . . . . . . . . . . . . . . . eBox security model . . . . . . . . . . . . . . . . . . . . . . . . . . . . Routing tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Multirouter rules and load balancing . . . . . . . . . . . . . . . . . . . . . WAN Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
53 53 55 58 58 58 63 63 69 71 73 73 74 76 77 78 79 80 81 82 82 89 89 90 97 97 98 98 98 101 104 106 107 110 111 117 117
3.2
Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2.1 3.2.2
3.3
Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3.1 3.3.2 3.3.3
3.4
Trafc shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.4.1 3.4.2 Quality of Service (QoS) . . . . . . . . . . . . . . . . . . . . . . . . . . QoS conguration in eBox . . . . . . . . . . . . . . . . . . . . . . . . .
3.5
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.5.1 3.5.2 RADIUS server conguration with eBox . . . . . . . . . . . . . . . . . . . Access Point (AP) conguration . . . . . . . . . . . . . . . . . . . . . . . Access policy conguration . . . . . . . . . . . . . . . . . . . . . . . . . Client connection to the proxy and transparent mode Web content lter . . . . . . . . . . . . Cache parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.6
HTTP Proxy Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.6.1 3.6.2 3.6.3 3.6.4
4 eBox Ofce 4.1 4.2 Directory service (LDAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.1.1 4.2.1 4.2.2 4.2.3 4.2.4 4.2.5 4.2.6 4.2.7 4.3 4.4 Users and groups File sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . File sharing service and remote authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SMB/CIFS and its Linux Samba implementation . . . . . . . . . . . . . . . Primary Domain Controller (PDC) . . . . . . . . . . . . . . . . . . . . . . eBox as le server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SMB/CIFS clients conguration . . . . . . . . . . . . . . . . . . . . . . . eBox as an authentication server . . . . . . . . . . . . . . . . . . . . . . PDC Client Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Printers sharing service Groupware Service 4.4.1
Groupware service settings with eBox . . . . . . . . . . . . . . . . . . . .
5 eBox Unied Communications 5.1 Electronic Mail Service (SMTP/POP3-IMAP4) . . . . . . . . . . . . . . . . . . . .
ii
5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.2 5.3 5.2.1 5.3.1 5.3.2 5.3.3 5.3.4 5.4 5.4.1 5.4.2 5.4.3 5.4.4 5.4.5 5.4.6 5.4.7
How electronic mail works through the Internet
. . . . . . . . . . . . . . .
118 120 120 127 127 128 128 130 131 132 133 134 140 143 144 144 145 146 149 151 156 157 159 159 160 168 168 170 170 171 171 172 174 174 174 176 180
SMTP/POP3-IMAP4 server conguration with eBox . . . . . . . . . . . . . Receiving and relaying mail . . . . . . . . . . . . . . . . . . . . . . . . . SMTP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . POP3 parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IMAP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ManageSieve client parameters . . . . . . . . . . . . . . . . . . . . . . . Conguring a webmail in eBox . . . . . . . . . . . . . . . . . . . . . . . Conguring a Jabber/XMPP server with eBox . . . . . . . . . . . . . . . . Setting up a Jabber client . . . . . . . . . . . . . . . . . . . . . . . . . . Setting up Jabber MUC (Multi User Chat) rooms . . . . . . . . . . . . . . . Practical example Protocols Codecs . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
WebMail service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Instant Messaging (IM) Service (Jabber/XMPP) . . . . . . . . . . . . . . . . . . .
Voice over IP service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Asterisk server conguration with eBox . . . . . . . . . . . . . . . . . . . Conguring a softphone to work with eBox . . . . . . . . . . . . . . . . . Using eBox VoIP features . . . . . . . . . . . . . . . . . . . . . . . . . . Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6 eBox Unied Threat Manager 6.1 Mail Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1.1 6.1.2 6.1.3 6.2 6.2.1 6.2.2 6.2.3 6.2.4 6.3 6.3.1 6.3.2 6.3.3 6.3.4 Mail lter schema in eBox . . . . . . . . . . . . . . . . . . . . . . . . . . External connection control lists . . . . . . . . . . . . . . . . . . . . . . Transparent proxy for POP3 mailboxes . . . . . . . . . . . . . . . . . . . Filter proles conguration . . . . . . . . . . . . . . . . . . . . . . . . . Filter prole per object . . . . . . . . . . . . . . . . . . . . . . . . . . . Group based ltering . . . . . . . . . . . . . . . . . . . . . . . . . . . . Group-based ltering for objects Virtual Private Network (VPN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
HTTP Proxy advanced conguration . . . . . . . . . . . . . . . . . . . . . . . .
Secure interconnection between local networks . . . . . . . . . . . . . . . . . . . Public Key Infrastructure (PKI) with a Certication Authority (CA) . . . . . . . Certication Authority conguration with eBox . . . . . . . . . . . . . . . . Conguring a VPN with eBox . . . . . . . . . . . . . . . . . . . . . . . .
iii
6.4
Intrusion Detection System (IDS) . . . . . . . . . . . . . . . . . . . . . . . . . . 6.4.1 6.4.2 Setting up an IDS with eBox . . . . . . . . . . . . . . . . . . . . . . . . IDS Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
189 190 191 193 193 196 198 199 203 204 207 208 208 208 213 216 218 218 219 221 221 222 223
7 eBox Core 7.1 7.2 Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.1 7.2.1 7.2.2 7.3 7.4 7.3.1 Backup 7.4.1 7.4.2 7.4.3 7.4.4 7.5 7.5.1 7.5.2 7.5.3 7.6 7.6.1 7.6.2 Logs conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practical Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The backup system design . . . . . . . . . . . . . . . . . . . . . . . . . Backup conguration with eBox . . . . . . . . . . . . . . . . . . . . . . . How to recover on a disaster . . . . . . . . . . . . . . . . . . . . . . . . Conguration backups . . . . . . . . . . . . . . . . . . . . . . . . . . . Management of eBox components . . . . . . . . . . . . . . . . . . . . . System Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Subscribing eBox to the Control Center . . . . . . . . . . . . . . . . . . . Conguration backup to the Control Center . . . . . . . . . . . . . . . . .
Events and alerts
Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Control Center Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
iv
Chapter 1 eBox Platform: unied server for SMEs
1.1
Presentation
eBox Platform (<http://ebox-platform.com/>) is a unied network server that offers easy and efcient computer network management for small and medium enterprises (SMEs). eBox Platform can act as a Network Gateway, a Unied Threat Manager (UTM) 1 , an Ofce Server, an Infrastructure Manager, a Unied Communications Server or a combination of them. This manual is written for the 1.4 version of eBox Platform. All these functionalities are fully integrated and therefore automate most tasks, prevent manual errors and save time for system administrators. This wide range of network services is managed through an easy and intuitive web interface. As eBox Platform has a modular design, you can install in each server only the necessary modules and easily extend the functionality according to your needs. Besides, eBox Platform is released under a free software license (GPL) 2 . The main features are: Unied and efcient management of the services: Task automation. Service integration. Easy and intuitive interface.
UTM (Unied Threat Management): Term that groups a series of functionalities related to computer network security: rewall, intrusion detection, antivirus, etc. 2 GPL (GNU General Public License): Software license that allows free redistribution, adaptation, use and creation of derivative works with the same license.
1
Extensible and adaptable to specic needs. Hardware independent. Open source software. The services currently offered are: Network management: Firewall and router * Trafc ltering * NAT and port redirection * Virtual local networks (VLAN 802.1Q) * Support for multiple gateways, load balancing and self-adaptation in case of loss of connectivity * Trafc shaping (with application-level ltering support) * Trafc monitoring * Dynamic DNS support High-level network objects and services Network infrastructure * DHCP server * DNS server * NTP server Virtual private networks (VPN) * Dynamic auto-conguration of network paths HTTP proxy * Cache * User authentication * Content ltering (with categorized lists) * Transparent antivirus
CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES
Mail server * Spam ltering and antivirus * Transparent POP3 lter * White-, black- and grey-listing Web server * Virtual domains Intrusion Detection System (IDS) Certication Authority Groupware: Shared directory using LDAP (Windows/Linux/Mac) * Shared authentication (including Windows PDC) Shared storage as NAS (Network-attached storage) Shared printers Groupware server: calendars, address books, ... VoIP server * Voicemail * Meetings * Calls through outside vendor Instant messaging server (Jabber/XMPP) * Meetings User corner to allow users to modify their data Reports and monitoring Dashboard to centralize the information Disk, memory, load, temperature and host CPU monitoring Software RAID status and information regarding the hard drive use
Network service logs in databases, allowing you to have daily, weekly monthly and annual reports Event-based system monitoring * Notication via Jabber, mail and RSS Host management: Conguration and data backup Updates Control Center to easily administer and monitor multiple eBox hosts from one central point
3
1.2
Installation
In principle, eBox Platform is designed to be installed exclusively on one (real or virtual) machine. This does not prevent you from installing other unmanaged services, but these must be manually congured. eBox Platform runs on GNU/Linux operating system with the Long Term Support (LTS) release of Ubuntu Server Edition distribution 4 . The installation can be done in two different ways: Using the eBox Platform Installer (recommended). Installing from an existing Ubuntu Server Edition installation. In the second case, you need to add the ofcial eBox Platform repositories and to install the packages you are interested in. Nevertheless, the former one is easier since all the dependencies are in a single CD. Moreover, some pre-conguration is made during the installation process.
Figure 1.1: Installer language select
1.2.1 eBox Platform installer

The eBox Platform installer is based on the Ubuntu installer and therefore those who are already familiar with it will nd the installation process very similar. You can install using the default mode which deletes all disk content and creates the partitions needed by eBox using LVM and asking less questions or using the expert mode which allows you to make your own partitioning. Most people should choose the default option unless they are installing on a server with special requirements, for instance software RAID. After installing the base system and rebooting, you can start installing eBox Platform. The rst step will be create a user on the system. This user will be able to log on the system and will have sudo privileges. Then, you will be asked for a password for this user you just created. This password will be used to log on the eBox interface too. You have to enter this password twice. Now it is time to select which features you want to include on your system. There are two methods for this selection:
For additional information regarding the Control Center, please visit: http://www.eboxtechnologies.com/products/controlcenter/ the company behind eBox Platform development. 4 Ubuntu is a GNU/Linux distribution developed by Canonical and the community oriented to laptops, desktops and servers <http://www.ubuntu.com/>.
3
Figure 1.2: Installer menu
Figure 1.3: Administration user
Figure 1.4: Administration password
Figure 1.5: Conrm administration password
Figure 1.6: Package selection method
Simple: Depending on the task the server will be dedicated to, you can install a set of packages that provides several features. Advanced: You can select the packages individually. If a package has dependencies on other packages, these will be automatically selected later. If you select the simple installation method, you get a list of available proles. As shown in the gure eBox tasks to install, the mentioned list matches the following paragraphs of this manual.
Figure 1.7: eBox tasks to install
eBox Gateway: eBox is the local network gateway that provides secure and controlled Internet access. eBox Unied Threat Manager: eBox protects the local network against external attacks, intrusions, internal security threats and enables secure interconnection between local networks via Internet or via other external networks. eBox Infrastructure: eBox manages the local network infrastructure including the following basic services: DHCP, DNS, NTP, HTTP server, etc. eBox Ofce: eBox is an ofce server that allows sharing the following resources through the local network: les, printers, calendars, contacts, authentication, users and groups proles, etc. eBox Unied Communications: eBox becomes the unied communications server of your organization, including mail, instant messaging and voice over IP. You can select several proles to make eBox play different roles in your network. However, if you select the advanced installation method, you get the complete list of eBox Platform modules and you can select individually the modules you are interested in.
Figure 1.8: eBox packages to install
Once you have completed the selection, the necessary additional packages will be installed. This selection is not nal and you can install and remove packages according to your needs later. After you have selected the components to install, the installation process will begin and you will be shown a progress bar with the installation status. The installer will try to precongure some important conguration parameters. First will have to select the type of the server for the Users and Groups mode. If we just have one server choose standalone. If we are deploying a master-slave infrastructure or if we want to syncronize the users with a Microsoft Windows Active Directory, choose advanced. This step will appear only if usersandgroups module is installed. Also, it will ask if some of the network interfaces attached to the host are external (not within the local network, used to connect to the Internet or other external networks). Strict policies for all incoming trafc through external network interfaces will be applied. This step will appear only if network module was installed and the server has more than one network interface. After that, you will do the mail conguration, dening the default virtual domain. This step will appear only if mail is installed. Once you have answered these questions, every module you installed will be precongured and ready to be used via the web interface. Once the eBox Platform installation process is completed, you get graphical interface with a browser to authenticate in the eBox web interface using the password given in the rst steps of the
Figure 1.9: Installing eBox packages
Figure 1.10: Type of the server
10
Figure 1.11: Select external interfaces
Figure 1.12: Mail conguration
11
Figure 1.13: Preconguring eBox packages
installer.
Figure 1.14: eBox administration web interface
1.3
Administration web interface

Once you have installed eBox Platform, you can access the administration web interface at the following URL: https://network_address/ebox/
12
Here network_address is the IP address or a host name that resolves to the address where eBox is running. Warning: To access the web interface you should use Mozilla Firefox as they are some known issues with another browsers such as Microsoft Internet Explorer. The rst screen will ask for the administrator password:
After authentication you get the administration interface that is divided into three main sections: Left side menu: Contains links to all services, separated by categories, that can be congured using eBox. When you select a service, you might get a submenu to congure specic details of the selected service. Top menu: Contains actions to save the changes made to the content, make the changes effective and close the session. Main content: The main content is composed of one or several forms or tables with information about the service conguration and depends on the selection made in the left side menu and submenus. Sometimes you will get a tab bar at the top of the page: each tab represents a different subsection within the section you have accessed.
1.3.1 Dashboard
The dashboard is the initial screen of the web interface. It contains a number of congurable widgets. You can reorganize them at any moment simply by clicking and dragging the titles. By clicking on Congure Widgets the interface changes, allowing you to remove and add new widgets. To add a new widget, you search for it in the top menu and drag it to the main part of the page.
13
Figure 1.15: Main screen
Figure 1.16: Left side menu
14
Figure 1.17: Top menu
Figure 1.18: Web User Interface conguration forms
Figure 1.19: Dashboard
15
Figure 1.20: Dashboard conguration
Module status There is a very important widget within the dashboard which shows the status from all installed modules in eBox. The gure depicts the current status for a service and action to apply on it. The available status are the following: Running: The service daemons are running to accept connections from the network clients. You can restart the service using Restart. Running unmanaged: If you havent congured the service yet, it is possible to nd it running with the default conguration from the distribution. Therefore it is not managed by eBox yet. Stopped: Some problem has happened since the service has to be running but it is stopped for some reason. In order to nd it out, you should check the log les for the service or eBox log le itself as How does eBox Platform work? section describes. You may try to start the service by clicking on Start. Disabled: The service has been disabled explicitly by the system administrator as it is explained in Modules status conguration.
1.3.2 Applying conguration changes

An important detail to take into account is the method eBox uses to apply the conguration changes made through the interface. First of all, you have to accept changes in the current form, but, once this is done, to make these changes effective and apply them on a permanent basis, you must click on Save Changes from the top menu. This button will change to red if there are unsaved changes. Failure to follow this procedure will result in the loss of all changes you have made throughout the
16
Figure 1.21: Module status widget
17
session once you log out. There are some special cases when you dont need to save the changes, but in these cases you will receive a notication.
Figure 1.22: Save changes
In addition to this, you can revert your changes. Hence if you have done something that you do not remember or you are unsure to do it, you can always discard them safely. Take into account, if you have made changes on the network interfaces conguration or the eBox Web administration port, then you may lose current connection to eBox, so you must rewrite the URL in the browser to reach administration interface again.
1.3.3 Modules status conguration

As it is discussed above, eBox is built up with modules. The majority of the modules are intended to manage network services that you must enable them through Module Status. Each module may have dependencies on others to work. For instance, DHCP service needs to have the network module enabled so that it can serve IP address leases through the congured network interfaces. Thus the dependencies are shown in Depends column. Enabling a module for the rst time in eBox jargon is called congure the module. Conguration is done once per module. By clicking on Status checkbox, you enable the module. If it is the rst time, a dialog is presented to accept to carry out a set of actions and le modications that enabling the service implies 5 . After that, you may save changes to apply these modications. Likewise, you may disable a module by unchecking the Status column for this module.
1.4
How does eBox Platform work?

eBox Platform is not just a simple web interface to manage the most common network services 6 . One of the main goals of eBox Platform is to unify a set of network services that otherwise would work independently.
5 6
You get longer support than on the normal version. With the LTS version you get 5 years of support on the server. This process is mandatory to comply the Debian Policy http://www.debian.org/doc/debian-policy/
18
Figure 1.23: Module status conguration
Figure 1.24: Conrm dialog to congure a module
19
All conguration of individual services is handled automatically by eBox. To do this eBox uses a template system. This automation prevents manual errors and saves administrators from having to know the details of each conguration le format. As eBox manages automatically these conguration les, you must not edit the original les as these will be overwritten as soon you save any conguration changes. Reports of events and possible errors of eBox are stored in the directory /var/log/ebox/ and are divided in the following les: /var/log/ebox/ebox.log: Errors related to eBox Platform. /var/log/ebox/error.log: Errors related to the web server. /var/log/ebox/access.log: Every access to the web server. If you want more information about an error that has occurred, you can enable the debugging mode by selecting the debug option in the /etc/ebox/99ebox.conf le. Once you have enabled this option, you should restart the web server of the interface by using sudo /etc/init.d/ebox apache restart.
1.5
Location within the network

1.5.1 Local network conguration
eBox Platform can be used in two different ways:
20
Router and lter of the Internet connection. Server of different network services. Both functionalities can be combined in a single host or divided among several hosts. The gure Different locations within the network displays the different locations eBox Platform server can take in the network, either as a link between networks or a server within the network.
Figure 1.25: Different locations within the network
Throughout this documentation you will nd out how to congure eBox Platform as a router and gateway. You will also learn how to congure eBox Platform in the case it acts as just another server within the network.
1.5.2 Network conguration with eBox Platform

If you place a server within a network, you will most likely be assigned an IP address via DHCP protocol. Through Network Interfaces you can access each network card detected by the system and you can select between a static conguration (address congured manually), dynamic conguration (address congured via DHCP) or a Trunk 802.1Q to create VLANs. If you congure a static interface, you can associate one or more Virtual Interfaces to this real interface to serve additional IP addresses. These can be used to serve different networks or the same network with different address. If you dont have a router with PPPoE support, eBox can also manage PPPoE connections just selecting PPPoE as Method and entering the User name and Password given by your DSL provider.
To enable eBox to resolve domain names, you must indicate the address of one or several domain name servers in Network DNS.
21
Figure 1.26: Network interface conguration
Figure 1.27: Static conguration of network interfaces
Figure 1.28: PPPoE conguration of network interfaces
22
Figure 1.29: Conguration of DNS servers
If your Internet connection has a dynamic IP address and you want to map a domain name to your eBox, a third party dynamic DNS provider is required. eBox supports the connection to some of the most popular dynamic DNS providers. To congure dynamic DNS on eBox go to Network
DynDNS and select your service provider
and set up the user name, password and the domain name you want to update when your public address changes. Check the box Enable Dynamic DNS and Save changes.
Figure 1.30: Dynamic DNS conguration
eBox makes a connection to the provider getting your public IP address bypassing any NAT between you and Internet. If you are using this feature on a multigateway scenario 7 , dont forget to create
In order to understand the magnitude of the project, you can visit the independent site ohloh.net, where you can nd an extensive analysis of the eBox Platform code base <http://www.ohloh.net/p/ebox/analyses/latest>.
7
23
a rule that makes the connections to your provider use always the same gateway.
1.5.3 Network diagnosis

To check if you have congured the network correctly, you can use the tools available in Network Diagnosis.
Figure 1.31: Network diagnosis tools
Ping is a tool that uses the ICMP network diagnosis protocol to observe whether a particular remote host is reachable by means of a simple echo request. Additionally you can use the traceroute tool that is used to determine the route taken by packages across different networks until reaching a given remote host. This tool allows to trace the route the packages follow in order to carry out more advanced diagnosis. Besides, you can use the dig tool, which is used to verify the correct functioning of the name service resolution.
Practical example A Lets congure eBox so that it obtains the network conguration via DHCP. Therefore: 1. Action: Access the eBox interface, go to Network
Interfaces and, as network interface,
select eth0. Then choose the DHCP method. Click on Change. Effect: You have enabled the button Save Changes and the network interface maintains the entered data.
24
Figure 1.32: Ping tool
25
Figure 1.33: Traceroute tool
26
Figure 1.34: Dig tool
27
2. Action: Go to Module status and enable the Network module, in order to do this, check the box in the Status column. Effect: eBox asks for permission to overwrite some les. 3. Action: Read the changes that are going to be made in each modied le and grant eBox the permission to overwrite them. Effect: You have enabled the button Save Changes and you can enable some of the modules that depend on Network. 4. Action: Save the changes. Effect: eBox displays the progress while the changes are implemented. Once it has nished, you are notied. Now eBox manages the network conguration. 5. Action: Access Network Diagnosis tools. Ping ebox-platform.com. Effect: As a result, you are shown three successful connection attempts to the Internet server. 6. Action: Access Network Diagnosis tools. Ping the eBox of a fellow classmate. Effect: As a result, you are shown three successful connection attempts to the host. 7. Action: Access Network Diagnosis tools. Run a traceroute to ebox-technologies.com. Effect: As a result, you are shown a route of all the intermediate routers a packet traverses until it reaches the destination host.
Practical example B For the rest of the exercises of the manual, it is a good practice to enable the logs. Therefore: 1. Action: Access the eBox interface, go to Module status and enable the Logs module. In order to do this, check the box in the Status column. Effect: eBox asks for permission to carry out a series of actions. 2. Action: Read the actions that are going to be made and accept them. Effect: You have enabled the button Save Changes.
28
3. Action: Save the changes. Effect: eBox displays the progress while the changes are implemented. Once it has nished, you are notied. Now eBox has enabled the logs. You can check them at Logs Query logs in the section Logs.
29
30
Chapter 2 eBox Infrastructure
This section explains several of the services to manage and optimize internal trafc and the infrastructure of your local network, including domain management, automatic network conguration in network clients, publication of internal Web sites and time synchronization using the Internet. The conguration of these services requires great efforts, although they are easier to congure with eBox. The DHCP service is widely used to automatically congure different network parameters, such as the IP address of a host or the gateway to be used for Internet access. The DNS service provides access to services and hosts using names instead of IP addresses, which are more difcult to memorize. Many businesses use Web applications to which only internal access is available.
2.1
Network conguration service (DHCP)

As indicated, DHCP (Dynamic Host Conguration Protocol) is a protocol that enables a device to request and obtain an IP address from a server with a list of available addresses to assign. The DHCP service
1
is also used to obtain many other parameters, such as the default gateway,
the network mask, the IP addresses for the name servers or the search domain, among others. Hence, access to the network is made easier, without the need for manual conguration done by clients. When a DHCP client connects to the network, it sends a broadcast request and the DHCP server responds to valid requests with an IP address, the lease time granted for that IP and the parameters
1
eBox uses ISC DHCP Software (https://www.isc.org/software/dhcp) to congure the DHCP service.
31
explained above. The request usually happens during the client booting period and must be completed before going on with the remaining network services. There are two ways of assigning addresses: Manual: Assignment is based on a table containing physical address (MAC)/IP address mappings, entered manually by the administrator. Dynamic: The network administrator assigns a range of IP addresses for a request- and-grant process that uses the lease concept with a controlled period in which the granted IP remains valid. The server keeps a table with the previous assignments to try to reassign the same IP to a client in successive requests.
2.1.1 DHCP server conguration with eBox

To congure the DHCP service with eBox, at least one statically congured interface is required. Once this is available, go to the DHCP menu, where the DHCP server can be congured. As indicated above, some network parameters can be sent with the IP address. These parameters can be congured in the Common options tab. Default gateway: This is the gateway to be used by the client if it is unaware of another route to send the package to its destination. Its value can be eBox, a gateway already congured in the Network Gateways section or a custom IP address. Search domain: In a network with hosts named in line with <host>.sub.domain.com, the search domain can be congured as sub.domain.com. Hence, when seeking to resolve an unsuccessful domain name, another attempt can be made by adding the search domain to the end of it or parts of it. For example, if smtp cannot be resolved as a domain, smtp.domain.com will be tried on the client host. The search domain can be entered or one congured in the DNS service can be selected. Primary name server: This is the DNS server 2 that the client will use when a name is to be resolved or an IP address needs to be translated into a name. Its value can be local eBox DNS (if the eBox DNS server is to be queried, take into account dns module must be enabled) or an IP address of another DNS server.
2
Go to Name resolution service (DNS) section for more details about this service.
32
CHAPTER 2. EBOX INFRASTRUCTURE
Figure 2.1: Overview of DHCP service conguration
33
Secondary name server: DNS server that the client will use if the primary one is not available. Its value must be the IP address of a DNS server. NTP server: This is the NTP (Network Transport Protocol)
3
server that the client will use when it
wants to synchronize its clock using the network. Its value can be none, local eBox NTP (take into account ntp module must be enabled) or a custom NTP server. WINS server: This is the WINS (Windows Internet Name Service) 4 server the client will use to resolve NetBIOS names. Its value can be none, local eBox (take into account samba must be enabled) or a custom one. The common options display the ranges of addresses distributed by DHCP and the addresses assigned manually. For the DHCP service to be active, there must be at least one range of addresses to be distributed or one static assignment. If not, the DHCP server will not serve IP addresses even if the service is listening on all the network interfaces. The ranges of addresses and the static addresses available for assignment from a certain interface are determined by the static address assigned to that interface. Any free IP address from the corresponding subnet can be used in ranges or static assignments. Adding a range in the Ranges section is done by entering a name by which to identify the range and the values to be assigned within the range appearing above. Static assignments of IP addresses are possible to determined physical addresses in the Fixed Addresses section. An address assigned in this way cannot form part of any range. You may add an optional description for that assignment as well.
Figure 2.2: Appearance of the advanced conguration for DHCP

Check out Time synchronization service (NTP) section for details about the time synchronization service WINS is the implementation for NBNS (NetBIOS Name Service). For more information about it, check out File sharing service and remote authentication section.
4 3
34
The dynamic granting of addresses has a deadline before which renewal must be requested (congurable in the Advanced options tab) that varies from 1,800 seconds to 7,200 seconds. Static assignments do not expire and, therefore, are unlimited leases. A Lightweight Client is a special machine with no hard drive that is booted via the network by requesting the booting image (operating system) from a lightweight client server. eBox allows the PXE server 5 to which the client must connect to be congured. The PXE service, which is responsible for transmitting everything required for the lightweight client to be able to boot its system, must be congured separately. The PXE server may be an IP address or a name, in which case the path to the boot image or eBox must be indicated, in which case the image le can be loaded.
Dynamic DNS updates The DHCP server has the ability to dynamically update the DNS server 6 . That is, the DHCP server will update in real time the A and PTR records to map an IP address to a host name and vice versa when an IP address is leased and released. The way that is done, it depends on the DHCP server conguration. eBox provides dynamic DNS feature integrating dhcp and dns modules from the same box in Dynamic DNS Options tab. In order to enable this feature, the DNS module must be enabled as well. You may provide a Dynamic domain and a Static domain, which both will be added automatically to the DNS conguration. The dynamic domain maps the host names whose IP address corresponds from a range and the associated name follows this pattern: dhcp-<leased-IP-address>.<dynamicdomain>. Regarding to the static domain, the host name will follow this pattern: <name>.<staticdomain> being the name the one you set on Fixed addresses table. Take into account that any DHCP client name update is ignored from eBox. The update is done using a secure protocol 7 and, currently, only direct mapping is supported.
5 Preboot eXecution Environment is an environment to boot PCs using a network interface independent of the storage devices (such as hard drives) or operating systems installed. (http://en.wikipedia.org/wiki/Preboot_Execution_Environment) 6 The RFC 2136 explains how to do dynamic updates in the Domain Name System 7 Communication is done using TSIG (Transaction SIGnature) to authenticate the dynamic update requests using a shared secret key.
35
Figure 2.3: Dynamic DNS updates conguration
Practical example Congure the DHCP service to assign a range of 20 network addresses. Check from another client host using dhclient that it works properly. To congure DHCP, the Network module must be enabled and congured. The network interface on which the DHCP server is to be congured must be static (manually assigned IP address) and the range to assign must be within the subnet determined by the network mask of that interface (e.g. range 10.1.2.1-10.1.2.21 of an interface 10.1.2.254/255.255.255.0). 1. Action: Enter eBox and access the control panel. Enter Module status and enable the DHCP module by marking its checkbox in the Status column. Effect: eBox requests permission to overwrite certain les. 2. Action: Read the changes of each of the les to be modied and grant eBox permission to overwrite them. Effect: The Save changes button has been enabled. 3. Action: Enter DHCP and select the interface on which the server is to be congured. The gateway may be eBox itself, one of the eBox gateways, a specic address or none (no routing to other networks). Furthermore, the search domain (domain added to all DNS names that cannot be resolved) can be dened along with at least one DNS server (primary DNS server and optionally a secondary one). eBox then indicates the range of available addresses. Select a subset of 20 addresses and in Add new give a signicant name to the range to be assigned by eBox. 4. Action: Save the changes.
36
Effect: eBox displays the progress while the changes are being applied. Once this is complete it indicates as such. eBox now manages the DHCP server conguration. 5. Action: From another PC connected to this network, request a dynamic IP from the range using dhclient:
$ sudo dhclient eth0 There is already a pid file /var/run/dhclient.pid with pid 9922 killed old client process, removed PID file Internet Systems Consortium DHCP Client V3.1.1 Copyright 2004-2008 Internet Systems Consortium. All rights reserved. For info, please visit http://www.isc.org/sw/dhcp/ wmaster0: unknown hardware address type 801 wmaster0: unknown hardware address type 801 Listening on LPF/eth0/00:1f:3e:35:21:4f Sending on LPF/eth0/00:1f:3e:35:21:4f Sending on Socket/fallback DHCPREQUEST on wlan0 to 255.255.255.255 port 67 DHCPACK from 10.1.2.254 bound to 10.1.2.1 -- renewal in 1468 seconds.
6. Action: Verify from Dashboard that the address appearing in the widget DHCP leases is displayed.
2.2
Name resolution service (DNS)

As explained, the function of the DNS (Domain Name System) is to convert hostnames that are readable and easy to remember by users into IP addresses and vice versa. The name domain system is a tree architecture, the aims of which are to avoid the duplication of data and to facilitate the search for domains. The service listens to requests in port 53 of the UDP and TCP transport protocols.
37
2.2.1 DNS cache server conguration with eBox

A name server can act as a cache 8 for queries that it cannot respond to. In other words, it will initially query the appropriate server, as it is based on a database without data, but the cache will subsequently reply, with the consequent decrease in response time. At present, most modern operating systems have a local library to translate the names that is responsible for storing its own domain name cache with the requests made by system applications (browser, e-mail clients, etc.).
Practical example A Check the correct operation of the cache name server. What is the response time with regard to the same request www.example.com? 1. Action: Access eBox, enter Module status and enable the DNS module by marking the checkbox in the Status column. Effect: eBox requests permission to overwrite certain les. 2. Action: Read the changes of each of the les to be modied and grant eBox permission to overwrite them. Effect: The Save changes button has been enabled. 3. Action: Go to Network DNS and add a new Domain name server with value 127.0.0.1. Effect: eBox is established to translate names to IP and vice versa. 4. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is complete it is indicated as such. eBox now manages the DNS server conguration. 5. Action: Use the Domain name resolution tool available in Network checking the response time.
8
Diagnosis to check
the operation of the cache, querying the domain www.example.com consecutively and
A cache is a collection of duplicated data from an original source, where the original data is expensive to obtain or
compute compared to the cost of reading the cache (http://en.wikipedia.org/wiki/Cache).
38
2.2.2 DNS server conguration with eBox

DNS has a tree structure and the source is known as . or root. Under . are the TLDs (Top Level Domains), such as org, com, edu, net, etc. When searching in a DNS server, if it does not know the answer, the tree is recursively searched until it is found. Each . in an address (e.g. home.example.com) indicates a different branch of the DNS tree and a different query area. The name will be traversed from right to left.
Figure 2.4: DNS tree
As you may see on gure DNS tree, each zone has an authority name server 9 . When a client performs a query to a name server, it delegates the resolution to the name server pointed by a NS record which claims to be authoritative for that zone. For instance, a client queries for www.home.example.com IP address to a name server which is authoritative for example.com. As the name server has a record which indicates the authoritative name server for home.example.com zone (the NS record), then it delegates the answer to that server who should know the IP address for that host. Another important aspect is reverse resolution (in-addr.arpa), as it is possible to translate an IP address to a domain name. Furthermore, as many aliases (or canonical names) as required can be added to each associated name and the same IP address can have several associated names.
9
A DNS server is the authority for a domain when it has all the data to resolve the query for that domain.
39
Another important characteristic of the DNS is the MX record. This record indicates the place where the e-mails to be sent to a certain domain are to be sent. For example, where an e-mail is to be sent to someone@example.com, the e-mail server will ask for the MX record of example.com and the service will reply that it is mail.example.com. The conguration in eBox is done through the DNS menu. In eBox, as many DNS domains as required can be congured. To congure a new domain, drop down the form by clicking on Add new. From here, the domain name and an optional IP address which the domain will refer to can be congured.
When a new domain is added, you may have noticed a eld called dynamic is set to false. A domain is set as dynamic when it is updated automatically by a process without restarting the server. A typical example for this is a DHCP server which updates the DNS records when it leases/releases an IP address for a host. Check out Dynamic DNS updates section for details about this conguration with eBox. Currently, if a domain is set as dynamic, then no manual conguration can be done using eBox interface.
Once a correct domain has been created, e.g. home.example.com, it is possible to complete the hostnames list for the domain. As many IP addresses as required can be added using the names decided. Reverse resolution is added automatically. Furthermore, as many aliases as required can also be used for each mapping.
40
eBox set automatically the authoritative name server for the congured domains to ns host name. If none is set, then 127.0.0.1 is set as authoritative name server for those domains. If you want to congure the authoritative name server manually for your domains (NS records), go to name servers and choose one of the congured host names for that domain or set a custom one. In a typical scenario, you may congure a ns host name using as IP address one of the congured in Network Interfaces section.
As an additional feature, e-mail server names can be added through mail exchangers by selecting a name for the domains in which eBox is the authority or an external one. Furthermore, a preference can be given, the lowest value of which gives highest priority, i.e. an e-mail client will rst try the server with the lowest preference number.
For a more in-depth look into the operation of the DNS, let us see what happens depending on the query made through the dig diagnosis tool located in Network Diagnosis. If a query is made for one of the domains added, eBox will reply with the appropriate answer immediately. Otherwise, the DNS server will query the root DNS servers and will reply to the user as
41
soon as it gets an answer. It is important to be aware of the fact that the name servers congured in Network DNS are used by client applications to resolve names, but are not used in any way by the DNS server. If you want eBox to resolve names using its own DNS server, you have to set up 127.0.0.1 as primary DNS server in the aforementioned section.
Practical example B Add a new domain to the DNS service. Within this domain, assign a network address to a host name. From another host, check that it resolves correctly using the dig tool. 1. Action: Check that the DNS service is active through Dashboard in the Module status widget. If it is not active, enable it in Module status. 2. Action: Enter DNS and in Add new enter the domain to be managed. A table will drop down where hostnames, mail servers for the domain and the domain address itself can be added. In Hostnames do the same by adding the host name and its associated IP address. 3. Action: Save the changes. Effect: eBox will request permission to write the new les. 4. Action: Accept the overwriting of these les and save the changes. Effect: The progress is displayed while the changes are being applied. Once this is complete it indicates as such. 5. Action: From another PC connected to this network, request the name resolution using dig, where 10.1.2.254 is, for example, the address of eBox and mirror.ebox-platform.com the domain to be resolved:
$ dig mirror.ebox-platform.com @10.1.2.254 ; <<>> DiG 9.5.1-P1 <<>> mirror.ebox-platform.com @10.1.2.254 ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33835 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;mirror.ebox-platform.com.
IN
42
;; ANSWER SECTION: mirror.ebox-platform.com. 600 ;; AUTHORITY SECTION: ebox-platform.com. ebox-platform.com. ;; ADDITIONAL SECTION: ns1.ebox-platform.com. ns2.ebox-platform.com. ;; ;; ;; ;;
IN
87.98.190.119
600 600
IN IN
NS NS
ns1.ebox-platform.com. ns2.ebox-platform.com.
600 600
IN IN
A A
67.23.0.68 209.123.162.63
Query time: 169 msec SERVER: 10.1.2.254#53(10.1.2.254) WHEN: Fri Mar 20 14:37:52 2009 MSG SIZE rcvd: 126
2.3
Web data publication service (HTTP)

The Web is one of the most common services on the Internet, so much that it has become its visible face for most users. A website started to become the most convenient way of publishing data on a network. All that was needed was a web browser, which is installed as standard in current desktop platforms. A website is easy to create and can be viewed from any computer. Over time, the possibilities of web interfaces have improved and true applications are now available that have nothing to envy of desktop applications. But... what is behind the web?
2.3.1 Hyper Text Transfer Protocol

One of the keys to the success of the web has been the application layer protocol used, HTTP (Hyper Text Transfer Protocol), as it is extremely simple yet exible. HTTP is a request and response protocol. A client, also known as a User Agent, makes a request to a server. The server processes it and gives a response.
43
Figure 2.5: Request schema with GET headers between a client and the 200 OK response from the server. Routers and proxies in between.
44
By default, HTTP uses TCP port 80 for unencrypted connections and 443 for encrypted connections (HTTPS) using TLS technology 10 . A client request contains the following elements: An initial line containing <method> <resource requested> <HTTP version>. For example, GET /index.html HTTP/1.1 requests the resource /index.html through GET and using protocol HTTP/1.1. Headers, such as User-Agent: Mozilla/5.0 ... Firefox/3.0.6, which identify the type of client requesting the data. A blank line. An optional message. This is used, for example, to send les to the server using the POST method. There are several methods GET and POST: GET: GET is used to request a resource. It is a harmless method for the server, as no le has to be modied in the server if a request is made via GET. POST: POST is used to send data to be processed by the server. For example, when Send message is clicked in a webmail, the server is given the email data to be sent. The server must process this information and send the email. OPTIONS: This is used to request the methods that can be used on a resource. HEAD: Requests the same data as GET, although the response will not include the text, only the header. Hence, it is possible to obtain the metadata of the resource without downloading it. PUT: Requests the text data to be stored and accessible from the path indicated. DELETE: Requests the deletion of the resource indicated. TRACE: This informs the server that it must return the header sent by the client. It is useful to see how the request is modied by the intermediate proxies. CONNECT: The specication reserves this method for tunnels.
10
11
with which clients can request data. The most common ones are
TLS (Transport Layer Security ) and its predecessor SSL (Secure Sockets Layer ) are encryption protocols that provide
data security and integrity for Internet communications. The subject is discussed in further detail in section Virtual Private Network (VPN). 11 A more detailed explanation can be found in section 9. RFC 2616
45
The server response has the same structure as the client request, changing the rst row. In this case, the rst row is <status code> <text reason>, which corresponds to the response code and a text with the explanation, respectively. The most common response codes 12 are: 200 OK: The request has been processed correctly. 403 Forbidden: When the client has been authenticated, but does not have permission to operate on the resource requested. 404 Not Found: When the resource requested has not been found. 500 Internal Server Error: When an error has occurred in the server that has prevented the request from being correctly run. HTTP has some limitations given its simplicity. It is a protocol with no state; therefore, the server is unable to remember the clients between connections. This can be avoided by using cookies. Moreover, the server cannot start a conversation with the client. Should the client want to be notied by the server of something, this must be periodically requested. The HTTP service can offer dynamic data produced by different software applications. The client requests a certain URL with specic parameters and the software manages the request to return a result. The rst method used was known as CGI (Common Gateway Interface), which runs one command per URL. This mechanism has mainly been deprecated due to its memory overload and low performance when compared to other solutions: FastCGI: A communication protocol between software applications and the HTTP server, with a single process to resolve requests made by the HTTP server. SCGI (Simple Common Gateway Interface): This is a simplied version of the FastCGI protocol. Other expansion mechanisms: Dependent on the HTTP server allowing the software to be run within the server, this solution depends on the HTTP server used.
2.3.2 The Apache Web server

The Apache HTTP server
13
has been the most popular program for serving websites since April
1996. eBox uses this server for both its web interface and the web server module. Its aim is to offer
12 13
The full list of response codes for the HTTP server can be found in section 10 of RFC 2616. Apache HTTP Server project http://httpd.apache.org.
46
a secure, efcient and extendible system in line with HTTP standards. Its capacity to be extensible is based on adding features using modules that extend the core. Other programming interfaces include mod_perl, mod_python, TCL or PHP, which allows for websites to be created using programming languages such as Perl, Python, TCL or PHP. It has several authentication systems such as mod_access and mod_auth, among others. Furthermore, it allows the use of SSL and TLS with mod_ssl and provides a proxy module with mod_proxy and a powerful URL rewriting system with mod_rewrite. It has a total of 57 ofcially documented modules that add functionality, although this number increases to 168 if you include those registered for the 2.2 version of Apache 14 .
2.3.3 Virtual domains

The purpose of a virtual domain is to host websites for several domain names in the same server. If the server has a public IP address for each website, a conguration can be made for every network interface. When seen from outside, they look like several hosts in the same network. The server will redirect the trafc from each interface to its corresponding website. However, it is more common to have one or two IPs per host. In this case, each website will have to be associated with its domain. The web server will read the headers sent in the client request and, depending on the domain of the request, will redirect it to one website or another. Each of these congurations is known as Virtual Host, as there is only one host in the network, but the existence of several is simulated.
2.3.4 HTTP server conguration with eBox

Through Web, it is possible to access the web service conguration. In the rst form, it is possible to modify the following parameters: Listening port Where the daemon is to listen to HTTP requests. Enable public_html per user Through this option, if the Samba module (eBox as le server ) is enabled, users can create a subdirectory known as public_html in their private directory within samba that will be displayed by the web server via the URL http://<eboxIP>/~<username>/, where username is the name of the user that published contents.
14
There is a full list at http://modules.apache.org.
47
Figure 2.6: Appearance of the Web module conguration With regard to the Virtual domains, the only conguration needed is the name for the domain and whether it is enabled or not. When a new domain is created, simply create an entry in the DNS module (if it is installed) so that, if the domain www.company.com is added, the domain company.com will be created with the host name www, the IP address of which will be the address of the rst static network interface. To publish data, it must be under /var/www/<vHostname>, where vHostName is the name of the virtual domain. If any customized conguration is to be added, for example capacity to load applications in Python using mod_python, the necessary conguration les for this virtual domain must be created in the directory /etc/apache2/sites-available/user-ebox-<vHostName>/.
Practical example Enable the web server. Check that it is listening on port 80. Congure it to listen on a different port and verify that the change becomes effective. 1. Action: Access eBox, enter Module status and enable the Web server module by marking the checkbox in the Status column. This indicates the changes to be made in the system. Allow the operation by clicking on the Accept button. Effect: The guilabel:Save changes button has been enabled. 2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is complete it indicates as such. The web server is enabled by default on port 80.
48
3. Action: Using a browser, access the following address: http://eBox_ip/. Effect: An Apache default page will be displayed with the message It works!. 4. Action: Access the Web menu. Change the port value from 80 to 1234 and click on the Change button. Effect: The guilabel:Save changes button has been enabled. 5. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is complete it indicates as such. Now the web server is listening on port 1234. 6. Action: Use the browser again to try to access http://<eBox_ip>/. Effect: A response is not obtained and, after a while, the browser will indicate that it was impossible to connect to the server. 7. Action: Now try to access http://<eBox_ip>:1234/. Effect: The server responds and the It works! page is obtained.
2.4
Time synchronization service (NTP)

The NTP (Network Time Protocol) protocol was designed to synchronize the clocks in PCs in an unreliable network with jitter. This service listens on port 123 of the UDP protocol. It is designed to withstand the effects of jitter. It is one of the oldest protocols of the Internet still in use (since before 1985). NTP version 4 can reach a precision of up to 200 s or greater if the clock is in the local network. There are up to 16 levels dening the distance of the reference clock and its associated precision. Level 0 is for atomic clocks that are not connected to the network but to another level 1 computer with RS-232 serial connection. Level 2 are the computers connected via NTP to those of a higher level and are normally offered by default in the most common operating systems, such as GNU/Linux, Windows or MacOS.
49
2.4.1 NTP server conguration with eBox

To congure eBox to use the NTP architecture
15
, eBox must rst be synchronized with an external
server of a higher level (normally 2) offered via System clients a relatively precise time over the Internet.
Date/Time. A list of these can be found
in the NTP pool (pool.ntp.org), which is a dynamic collection of NTP servers that voluntarily give their
Once eBox has been synchronized as an NTP client 16 , eBox can also act as an NTP server with a globally synchronized time.
Practical example Enable the NTP service and synchronize the time of your host using the command ntpdate. Check that both eBox and the client host are set to the same time. 1. Action: Access eBox, enter Module status and enable the ntp module by marking the checkbox in the Status column. This will show the changes to be made to the system. Allow the operations by clicking on the Accept button. Effect: The Save changes button has been enabled. 2. Action: Access the System
Date/Time menu. In the Synchronization with NTP servers
section, select Enabled and click on Change.

15 16
NTP public service project http://support.ntp.org/bin/view/Main/WebHome.
eBox uses ntpdate to set the date the rst time, once the date is set it uses ntpd to remain synchronized. http://www.ece.udel.edu/~mills/ntp/html/
50
Effect: The option to manually change the date and time is replaced by elds to enter the NTP servers with which to synchronize. 3. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is completed, it noties the user. Your eBox host will act as an NTP server. 4. Action: Install the ntpdate package in your client host. Run the command ntpdate <eBox_ip>. Effect: The time on the host will have been synchronized with that of the eBox host. You can check this by running the date command on both hosts.
51
52
Chapter 3 eBox Gateway
This section considers the main function of eBox as a gateway. eBox Gateway can make your network more reliable, optimized for your bandwidth and help you control whatever enters your network. This section includes a chapter that focuses on the functionality of the eBox rewall module, which enables you to manage rules for the incoming and outgoing trafc of your internal network. The rewall is not congured directly, but is supported by another two modules that provide easier network object and service management, as described in the rst part of the section. Load balancing can be applied for Internet access, along with different rules depending on the outgoing trafc. Furthermore, this section explains trafc shaping, which is used to ensure critical applications are served correctly and to even limit any applications generating a lot of network trafc. Finally, there is an introduction to the HTTP proxy service offered by eBox. This service allows or denies access from the internal network to the WWW using different ltering rules, including contentbased ones.
3.1
High-level eBox network abstractions

3.1.1 Network objects
Network objects are a way of giving a name to a network element or a group of elements. They are used to simplify and subsequently facilitate network conguration management by being able to select behavior for these objects.
53
To give an example, they can be used to give a signicant name to an IP address or a group of IP addresses. In the case of the latter, instead of dening access rules for each of the addresses, they merely have to be dened for the network object so that all the addresses belonging to the object take on this conguration.
Figure 3.1: Representation of network objects
Management of network objects with eBox For object management in eBox, go to the submenu Objects and create new objects with an associated name and a series of members. Objects can be created, modied and deleted. These objects will be used later by other modules, such as the rewall, the Web cache proxy or the mail service. Each one will have at least the following values: name, IP address and network mask using CIDR notation. The physical address will only make sense for members with a single physical machine.
54
CHAPTER 3. EBOX GATEWAY
Figure 3.2: General appearance of the network object module
The members of an object can overlap the members of another; therefore, great care must be taken when using them in the remaining modules to obtain the desired conguration and avoid security problems.
3.1.2 Network services

A network service is the abstraction of one or more applicable protocols that can be used in other modules, such as the rewall or the trafc-shaping module. The use of the services is similar to that of the objects. It was seen that with the objects it was possible to make an easy reference to a group of IP addresses using a signicant name. It is also possible to identify a group of numerical ports that are difcult to remember and time-consuming to enter several times in different congurations, with a name in line with its function (more typically, the name of the level-7 protocol or application using these ports).
55
Figure 3.3: Client connection to a server
Management of network services with eBox For management in eBox, go to the submenu Services, where it is possible to create new services, which will have an associated name, description and a ag indicating whether the service is external or internal. A service is internal if the ports congured for that service are being used in the machine in which eBox is installed. Furthermore, each service has a series of members. Each one will have the following values: protocol, source port and destination port. The value any can be entered in all of these elds, e.g. to specify services in which the source port is indifferent. Bear in mind that in network services based on the most commonly-used client/server model, clients often use any random port to connect to a known destination port. Well-known ports are considered those located between 0 and 1023, registered ports the ones located between 1024 and 49151 and private or dynamic ports are those located between 49152 and 65535. A list of known network services approved by the IANA 1 for UDP and TCP protocols can be found in the /etc/services le. The protocol can be TCP, UDP, ESP, GRE or ICMP. There is also a TCP/UDP value to avoid having to add the same port used for both protocols twice. Services can be created, modied and deleted. These services will be used later on in the rewall or trafc shaping by merely referring to the signicant name.
The IANA (Internet Assigned Numbers Authority ) is responsible for establishing the services associated with wellknown ports. The full list can be found at http://www.iana.org/assignments/port-numbers.
1
56
Figure 3.4: General appearance of the network service module
Practical example
Create an object and add the following: a host with no MAC address, a host with a MAC address and a network address. To do so: 1. Action: Access Objects. Add accountancy hosts. Effect: The accountancy hosts object has been created. 2. Action: Access Members of the accountancy hosts object. Create accountancy server member with a network IP address, e.g. 192.168.0.12/32. Create another member backup accountancy server with another IP address, e.g. 192.168.0.13/32, and a valid MAC address, e.g. 00:0c:29:7f:05:7d. Finally, create the accountancy PC network member with the IP address of a subnet of your local network, e.g. 192.168.0.64/26. Finally, go to Save changes to conrm the conguration created. Effect: The accountancy hosts object will contain three permanent members, i.e. accountancy server, backup accountancy server and accountancy PC network.
57
3.2
Firewall
We will congure a rewall to see the application of the network objects and services. A rewall is a system that strengthens the access control policies between networks. In our case, a host will be devoted to protecting our internal network and eBox from attacks from the external network. A rewall allows the user to dene a series of access policies, such as which hosts can be connected to or which can receive data and the type thereof. In order to do this, it uses rules that can lter trafc depending on different parameters, such as the protocol, source or destination addresses or ports used. Technically speaking, the best solution is to have a computer with two or more network cards that isolate the different connected networks (or segments thereof) so that the rewall software is responsible for connecting the network packages and determining which can be passed or not and to which network they will be sent. By conguring the host as a rewall and gateway, trafc packages can be exchanged between networks in a more secure manner.
3.2.1 The rewall in GNU/Linux: Netlter

Starting with the Linux 2.4 kernel, a ltering subsystem known as Netlter is provided to offer packet ltering and Network Address Translation (NAT) 2 . The iptables command interface allows for the different conguration tasks to be performed for the rules affecting the ltering system (lter table), rules affecting packet translation with NAT (nat table) or rules to specify certain packet control and handling options (mangle table). It is extremely exible and orthogonal to handle, although it adds a great deal of complexity and has a steep learning curve.
3.2.2 eBox security model

The eBox security model is based on seeking to provide the utmost default security, in turn trying to minimize the work of the administrator regarding conguration when new services are added. When eBox acts as a rewall, it is normally installed between the local network and the gateway that connects that network to another, normally Internet. The network interfaces connecting the host to the external network (the gateway) must be marked as such. This enables the Firewall module to establish default ltering policies.
NAT (Network Address Translation): this is the process of rewriting the source or destination of an IP packet as it passes through a router or rewall. Its main use is to provide several hosts in a private network with Internet access through a single public IP.
2
58
Figure 3.5: Internal network - Filtering rules - External network The policy for external interfaces is to deny all attempts of new connections to eBox. Internal interfaces are denied all connection attempts, except those made to internal services dened in the Services module, which are accepted by default. Furthermore, eBox congures the rewall automatically to provide NAT for packages entering through an internal interface and exiting through an external interface. Where this function is not required, it may be disabled using the nat_enabled variable in the rewall module conguration le in /etc/ebox/80rewall.conf.
Firewall conguration with eBox For easier handling of iptables in ltering tasks, the eBox interface in Firewall used. Where eBox acts as a gateway, ltering rules can be established to determine whether the trafc from a local or remote service must be accepted or not. There are ve types of network trafc that can be controlled with the ltering rules: Trafc from an internal network to eBox (e.g. allow SSH access from certain hosts). Trafc among internal networks and from internal networks to the Internet (e.g. forbid Internet access from a certain internal network). Trafc from eBox to external networks (e.g. allow les to be downloaded by FTP from the host using eBox). Trafc from external networks to eBox (e.g. enable the Jabber server to be used from the Internet). Trafc from external networks to internal networks (e.g. allow access to an internal Web server from the Internet).
Package ltering is
59
Bear in mind that the last two types of rules may jeopardize eBox and network security and, therefore, must be used with the utmost care. The ltering types can be seen in the following graphic:
Figure 3.6: Types of ltering rules
eBox provides a simple way to control access to its services and to external services from an internal interface (where the intranet is located) and the Internet. It is normally object-congured. Hence, it is possible to determine how a network object can access each of the eBox services. For example, access could be denied to the DNS service by a certain subnet. Furthermore, the Internet access rules are managed by eBox too, e.g. to congure Internet access, outgoing packages to TCP ports 80 and 443 to any address have to be allowed. Each rule has a source and destination that depend on the type of ltering used. For example, the ltering rules for eBox output only require the establishing of the destination, as the source is always eBox. A specic service or its reverse can be used to deny all output trafc, for example, except SSH trafc. In addition, it can be given a description for easier rule management. Finally, each rule has a decision that can have the following values: Accept the connection. Deny connection by ignoring the incoming packages and making the source suppose that connection could not be established.
60
Figure 3.7: List of package ltering rules from internal networks to eBox
Deny connection and also record it. Thus, through Logs -> Log query of the Firewall, it is possible to see whether a rule is working properly.
Port forwarding Port redirections (destination NAT) are congured through Firewall by translating the destination address. To congure a redirection, the following elds need to be specied: interface where the translation is to be made, the original destination (this could be eBox, an IP address or an object), the original destination port (this could be any, a range of ports or a single port), the protocol, the source from where the connection is to be started (in a normal conguration, its value will be any ), the destination IP and, nally, the port, where the target host is to receive the requests, which may or may not be the same as the original. There is also a optional eld called description that is useful to add a comment describing the purpose of the rule.
Port Forwarding, where an
external port can be given and all trafc routed to a host listening on a certain port can be redirected
61
According to the example, all connections to eBox through the eth0 interface to port 8080/TCP will be redirected to port 80/TCP of the host with IP address 10.10.10.10.
Practical example Use the netcat program to create a simple server that listens on port 6970 in the eBox host. Add a service and a rewall rule so that an internal host can access the service. To do so: 1. Action: Access eBox, enter Module status and enable the Firewall module by marking the checkbox in the Status column. Effect: eBox requests permission to take certain actions. 2. Action: Read the actions to be taken and grant permission to eBox to do so. Effect: The Save changes button has been enabled. 3. Action: Create an internal service as in serv-exer-ref of section High-level eBox network abstractions through Services with the name netcat and with the destination port 6970. Then go to Firewall Package ltering in Filtering rules from internal networks to eBox and add the rule with at least the following elds: Decision : ACCEPT
62
Source : Any Service : netcat. Created in this action. Once this is done, Save changes to conrm the conguration. Effect: The new netcat service has been created with a rule for internal networks to connect to it. 4. Action: From the eBox console, launch the following command:
nc -l -p 6970
5. Action: From the client host, check that there is access to this service using the command nc:
nc <ip_eBox> 6970
Effect: You can send data that will be displayed in the terminal where you launched netcat in eBox.
3.3
Routing
3.3.1 Routing tables
The term routing refers to the action of deciding through which interface a certain packet must be sent from a host. The operating system has a routing table with a set of rules to make this decision. Each of these rules has different elds, although the three most important ones are: destination address, interface and router. These must be read as follows: to reach a certain destination address, the packet must be directed through a router, which is accessible through a certain interface. When the message arrives, its destination address is compared to the entries in the table and is sent through the interface indicated in the rule that matches. The best match is considered the most specic rule. For example, if a rule is specied indicating that to reach network A (10.15.0.0/16), router A must be used and another rule indicates that to reach network B (10.15.23.0/24), which is a subnet of A, router B must be used. If a packet arrives with destination 10.15.23.23/32, then the operating system will decide to send it to router B, as there is a more specic rule. All hosts have at least one routing rule for the loopback interface, or local interface, and additional rules for other interfaces that connect it to other internal networks or to Internet.
63
To manually congure a static route table, Network
Routes is used (basically it is an interface
for the route or ip route commands). These routes may be overwritten if the DHCP protocol is used.
Figure 3.8: Route conguration
Gateway When sending a packet, if no route matches and there is a gateway congured, it will be sent through the gateway. The gateway is the route by default for packets sent to other networks. To congure a gateway, use Network Gateways.
64
Enabled: Indicates if the gateway is really going to be used at the moment. Name: Name identifying the gateway. IP address: IP address of the gateway. This address must be accessible from the host containing eBox. Interface: Network interface connected to the gateway. Packages sent to the gateway will be sent through this interface. Weight: The heavier the weight, the more trafc will be directed to this gateway when load balancing is enabled. Default: Indicates if this gateway should be used as the default one. If you have interfaces congured as DHCP or PPPoE you cant add gateways for them as they are managed automatically. You still can enable and disable them, edit their Weight or set the Default one, but not the rest of attributes.
Figure 3.9: Gateway list showing DHCP and PPPoE gateways
Subnets and subnet routing As indicated above, initially there were classes of networks with associated xed network masks, which were 8-bit multiples. Due to the lack of scalability of this approach, CIDR (Classless Inter-Domain Routing) was created to allow for network masks of a variable size to be used, allowing, for example, for a class C network to be divided into several subnets of a smaller size or to aggregate several class C subnets into one of a larger size. This allows: A more effective use of the scarce IPv4 address space.
65
Better use of the hierarchy in address assignment (adding of prexes), decreasing routing overload throughout the Internet. The number of bits interpreted as the subnet identier is given by a netmask that is of the same length as the IP address. To nd the network of an IP address with its mask, proceed as follows: Address with full stops IP address Netmask Network portion 192.168.5.10 255.255.255.0 192.168.5.0 Binary 11000000.10101000.00000101.00001010 11111111.11111111.11111111.00000000 11000000.10101000.00000101.00000000
CIDR also introduced a new nomenclature that can be seen compared to the above in the following table: CIDR /32 /31 /25 /24 /21 Class 1/256 C 1/128 C 1/2 C 1C 8C N Hosts 1 2 128 256 2048 Mask 255.255.255.255 255.255.255.254 255.255.255.128 255.255.255.0 255.255.248.0
Practical example A
You will now congure the network interface statically. The class will be divided into two subnets. To do so: 1. Action: Access the eBox interface, enter Network
Interfaces and, for the network inter-
face eth0, select the :guilabel:Static method. As the IP address, enter that indicated by the instructor. As the Netmask, use 255.255.255.0. Click on the Change button. The network address will be of the form 10.1.X.Y, where 10.1.X corresponds to the network and Y to the host. These values will be used from now on. Enter Network DNS and click on Add. As the Name server enter 10.1.X.1. Click on Add. Effect: The Save changes button has been enabled and the network interface keeps the data entered. A list is displayed containing the name servers, including the recently created server. 2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied.
66
3. Action: Access Network Diagnosis. Ping ebox-platform.com. Effect: The following is given as the result:
connect: network is unreachable

4. Action: Access Network subnet. Effect: Three satisfactory connection attempts to the host are displayed as the result. 5. Action: Access Network Diagnosis. Ping to the eBox of a classmate in the other subnet. Effect: The following is given as the result:
Diagnosis. Ping to an eBox of a classmate part of the same
Practical example B
You will now congure a route to access hosts in other subnets. To do so: 1. Action: Access the eBox interface, enter Network the form with the following values: Network 10.1.X.0 / 24 Gateway 10.1.1.1 Description route to the other subnet Click on the Add button. Effect: The Save changes button has been enabled. A list is displayed containing the routes, including the recently created one. 2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. 3. Action: Access Network Diagnosis. Ping ebox-platform.com. Effect: The following is given as the result:
Routes and select Add new. Complete
67

4. Action: Access Network Diagnosis. Ping to the eBox of a classmate in the other subnet. Effect: Three satisfactory connection attempts to the host are displayed as the result.
Practical example C
You will now congure a gateway to connect to the remaining networks. To do so: 1. Action: Access the eBox interface, enter Network during the previous exercise. Enter Network Routers and select Add new. Complete with the following data: Name Default Gateway IP address 10.1.X.1 Interface eth0 Weight 1 Default yes Click on the Add button. Effect: The Save changes button has been enabled. The list of routes has disappeared. A list of gateways is displayed containing the recently created gateway. 2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. 3. Action: Access Network Diagnosis. Ping ebox-platform.com. Effect: Three satisfactory connection attempts to the host are displayed as the result. 4. Action: Access Network Diagnosis. Ping to the eBox of a classmate in the other subnet. Effect: Three satisfactory connection attempts to the host are displayed as the result.
Routes and delete the route created
68
3.3.2 Multirouter rules and load balancing

Multirouter rules are a tool that enables PCs in a network to use several Internet connections transparently. This is useful if, for example, an ofce has several ADSL connections and the entire bandwidth available is to be used without having to worry about distributing the work of the hosts manually between both routers, so that the load is shared automatically between them. Basic load balancing evenly distributes the packets transferred from eBox to the Internet. The simplest form of conguration involves establishing different weights for each router so that, if the connections available have different capacities, they can be used optimally. Multirouter rules allow for certain trafc types to be sent permanently by the same router, where required. Common examples include sending emails through a certain router or ensuring that a certain subnet is always routed from the Internet through the same router. eBox uses the iproute2 and iptables tools for the conguration required for the multirouter function. iproute2 informs the kernel of the availability of several routers. For multirouter rules, iptables is used to mark the packets of interest. These marks can be used from iproute2 to determine the router through which a packet must be sent. There are several possible problems that must be considered. Firstly, the connection concept does not exist in iproute2. Therefore, with no other type of conguration, the packets belonging to the same connection could end up being sent by different routers, making communications impossible. To solve this, iptables is used to identify the different connections and ensure that all the packets of a connection are sent via the same router. The same applies to any incoming connections established. All response packets for a connection must be sent using the same router through which that connection was received. To establish a multirouter conguration with load balancing in eBox, as many routers as required must be dened in Network
Routers. Using the weight parameter when conguring a router, it
is possible to determine the proportion of packets that each one will send. Where two routers are available and weights of 5 and 10, respectively, are established, 5 of every 15 packets will be sent through the rst router, while the the remaining 10 will be sent via the second.
69
Multirouter rules and trafc balancing are established in the Network Trafc balancing section. In this section, it is possible to add rules to send certain packets to a specic router, depending on the input interface, the source (this could be an IP address, an object, eBox or any), the destination (an IP address or a network object), the service with which this rule is to be associated and via which routers the trafc type specied is to be directed.
Practical example D Congure a multirouter scenario with several routers with different weights and check that it works using the traceroute tool. To do so: 1. Action: In pairs, leave one eBox with the current conguration and add a new gateway in the other, accessing Network following data: Name Gateway 2 IP address <classmates eBox IP> Interface eth0 Weight 1 Default yes Click on the Add button. Effect: The Save changes button has been enabled. A list of gateways is displayed containing the recently created gateway and the previous gateway.
Routers via the interface and clicking on Add new, with the
70
2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. 3. Action: Go to a console and run the following script:
for i in $(seq 1 254); do sudo traceroute -I -n 155.210.33.$i -m 6; done

Effect: The result of running traceroute shows the different routers through which a packet passes to reach its destination. On running it in a host with multirouter conguration, the result of the rst leaps between routers should be different depending on the router chosen.
3.3.3 WAN Failover

If you are balancing trafc among two or more gateways, this feature is really useful. In a standard scenario without failover, imagine you are balancing the trafc between two routers and one of them goes down. Assuming both gateways have the same weight, half of the trafc will keep going through the downed gateway, causing connectivity problems to all the clients in the network. In the failover conguration, you can dene a set of rules for each gateway that needs to be checked. These rules can be a ping to the gateway, to another external host, a DNS resolution or a HTTP request. You can also dene how many probes you need and the acceptation percentage. If any of the tests fails to reach the acceptation percentage, the associated gateway will be disabled. But the tests keep running, so if the gateway comes back to life all the tests should run successfully and it will be enabled again. The gateway disabling without connection heads to all the trafc coming out through the other gateway instead of being balanced. That way the users in the network shouldnt notice any big issue with the connection. Once eBox detects that the downed gateway is fully operative, the normal behavior of the trafc balance is restored. The failover is implemented as an eBox event. In order to use it, you rst need to make sure that the Events module is enabled and also enable WAN Failover event.
3
Check out Events and alerts chapter for details about how events work in eBox and how to congure them.
71
To congure the failover options and rules go to the Network
WAN Failover menu. You can
specify the event period modifying the value of the Time between checks option. For adding a new rule, just click Add new and a form with the following elds will appear: Enabled: It indicates whether the rule is going to be applied or not when checking the connectivity of the gateways. You add different rules and enable or disable according to your needs instead of deleting and adding them again. Gateway: It is already lled with the list of congured gateways, so you just need to select one of them. Test type: It may have any of the following values: Ping to gateway: It sends a ICMP echo packet with the IP address of the gateway as destination. Ping to host: It sends a ICMP echo packet with the IP address of a external host specied below as destination. DNS resolve: It tries to get the IP address for the host name specied below.
72
HTTP request: It downloads the website content specied below. Host: The server to be used as target in the test, it is not applicable in case of the Ping to gateway type. Number of probes: Number of times that the test is tried. Required success ratio: Indicates how many successful attempts are needed to consider the test as passed. It is recommended to congure a event dispatcher in order to be aware of the connections and disconnections of the gateways. Otherwise, they will be logged only to the /var/log/ebox/ebox.log le.
3.4
Trafc shaping
3.4.1 Quality of Service (QoS)
Quality of Service (QoS) in computer networks refers to resource reservation control mechanisms to provide different priorities to different applications, users, or data ows, or to guarantee a certain level of performance according to the constraints imposed by the application. Constraints such as delay in delivery, the bit rate, the probability of packet loss or the variation delay per packet
4
may
be determined for various multimedia data stream applications such as voice or TV over IP. These mechanisms are only applied when resources are limited (wireless cellular networks) or when there is congestion in network, otherwise such QoS mechanisms are not required. There are several techniques to give quality of service: Reserving network resources: Using Resource reSerVation Protocol (RSVP) to request and reserve resources in the routers. However, this option has been neglected because it does not scale well with Internet growth. Differentiated services (DiffServ): In this model, packets are marked according to the type of service they need. In response to these marks, routers and switches use various queuing strategies to tailor performance to requirements. This approach is currently widely accepted. In addition to these systems, bandwidth management mechanisms may be used to further improve performance such as trafc shaping, Scheduling algorithms o congestion avoidance. Regarding trafc shaping, there are two predominant methods:
4
jitter or Packet Delay Variation (PDV) is the difference in end-to-end delay between selected packets in a ow with any
lost packets being ignored.
73
Token bucket: It dictates when trafc can be transmitted, based on the presence of tokens in the bucket (an abstract container that holds aggregate network trafc to be transmitted). Each token in the bucket can represent a unit of bytes of predetermined size, so each time that trafc is transmitted, the tokens are removed (cashed in). When there are no tokens, a ow cannot transmit its packets. Periodically, tokens are added to the bucket. Using such mechanism, it is allowed to send data in peak burst rate. Leaky bucket: Conceptually based on considering a bucket with a hole in the bottom. If packets arrive, they are placed into the bucket until it becomes full, then packets are discarded. Packets are sent at a constant rate, which is equivalent to the size of the hole in the bucket.
3.4.2 QoS conguration in eBox

eBox uses Linux kernel features 5 to shape trafc using token bucket mechanisms that allow to assign a limited rate, a guaranteed rate and a priority to certain types of data ows through the Trafc Shaping
Rules menu.
In order to perform trafc shaping, it is required to have, at least, an internal network interface and an external one. You need, at least, one congured gateway as well. And you have also to set your bandwidth information in Trafc Shaping
Interface Rates. Set the upload and download rate that
provide the router that is connected to every external interface. The shaping rules are specic for each interface and they may be selected for those external network interfaces with assigned upload rate and all internal ones. If the external network interface is shaped, then you are limiting eBox output trafc to the Internet. If, however, you shape an internal network interface, then the eBox output to internal networks is limited. The maximum output and input rates are given by the conguration in Trafc Shaping
Interface Rates. As it can be seen, shaping input trafc is not possible directly, that is because input trafc is not predictable nor controllable in almost any way. There are specic techniques from various protocols to handle the incoming trafc, for instance, TCP by articially adjusting the window size as well as controlling the rate of acknowledgements (ACK) segments being returned to the sender. Each network interface has a rule table to give priority (0: highest priority, 7: lowest priority), guaranteed rate and/or limited rate. These rules apply to trafc bound to a service, a source and/or a destination.
5
Linux Advanced Routing & Trafc Control http://lartc.org
74
Figure 3.10: Trafc shaping rules
Practise example Set up a rule to shape incoming HTTP trafc by limiting it to 20KB/s. Check if it works properly. 1. Action: Add a gateway in Network Gateways to your external network interface. Effect: The Save changes button is enabled. The gateway list displays a single gateway. 2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is complete, it informs the user. 3. Action: Enter Services and add a new external service called HTTP with TCP protocol and destination port 80. Effect: eBox shows a list with all the services where the new service is displayed too. 4. Action: Enter Trafc Shaping Rules. Select the internal interface from the interface list and, using Add new, set a new rule with the following details: Enabled Yes Service Port-based service / HTTP Source any Destination any Priority 7 Guaranteed rate 0 Kb/s Limited rate 160 Kb/s
75
Press the Add button. Effect: eBox displays a table with the new trafc shaping rule. 5. Action: Start downloading a huge le, which is reachable from the Internet (for example, a Ubuntu ISO image) from a host within your LAN (not eBox itself) using the wget command. Effect: The download rate is stable around 20 KB/s (160 Kbit/s).
3.5
RADIUS
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization and Accounting (AAA) management for computers to connect and use a network service. The authentication and authorization ow in RADIUS works as follows: the user or machine sends a request to a Network Access Server (NAS), like it could be a wireless Access Point, using the proper link-layer protocol in order to gain access to a particular network resource using access credentials. In turn, the NAS sends an Access Request message to the RADIUS server, requesting authorization to grant access and including all the needed access credentials, not only username and password but probably also realm, IP address, VLAN to be assigned or maximum time to be connected. This information is checked using authentication schemes like Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP) or Extensible Authentication Protocol (EAP) and then a response is sent to the NAS: 1. Access Reject: when the user is denied access. 2. Access Challenge: when additional information is requested, like in TTLS where a tunneled dialog is established between the RADIUS server and the client for a second authentication phase. 3. Access Accept: when the user is granted access. RADIUS ofcial assigned IANA ports are 1812/UDP for Authentication and 1813/UDP for Accounting. This protocol does not transmit passwords in plain text between the NAS and the server (not even with PAP protocol), a shared secret is used to encrypt the communication between both parties. FreeRADIUS 7 server is being used for eBox RADIUS service.
6 7
These authentication protocols are dened in RFC 1334. FreeRADIUS - The worlds most popular RADIUS Server <http://freeradius.org/>.
76
3.5.1 RADIUS server conguration with eBox

If we want to give support to RADIUS server in eBox, rst check in Module Status if the Users and Groups module is enabled, as RADIUS depends on it. Then, mark the RADIUS checkbox to enable the RADIUS eBox module.
Figure 3.11: RADIUS General Conguration
In order to congure the service, go to RADIUS in the left menu. There you will be able to setup the whether All users or only the users who belong to one of your groups will be granted access. All the NAS requesting authentication to eBox need to be dened on the RADIUS clients section. For each NAS client we can specify: Enabled: whether this NAS is enabled or not. Client: The name for this client, like it could be the hostname. IP Address: The IP address or IP range allowed to send authentication requests to the RADIUS server. Shared Secret: A shared password between the RADIUS server and the NAS to authenticate and encrypt their communication.
77
3.5.2 Access Point (AP) conguration

On every NAS you will need to setup the address of eBox as the RADIUS server, the port, which defaults to UDP/1812 and the shared secret. WPA and WPA2, using TKIP or AES (recommended) can both be used with eBox RADIUS. The mode should be EAP.
Figure 3.12: Access Point Wireless Settings
78
3.6
HTTP Proxy Service

A Web Proxy Cache server is used to reduce the bandwidth used in HTTP (Web) 8 connections, control access and improve the browsing security and browsing speed. A proxy is a program that acts as intermediary in a connection, in this case a connection using the HTTP protocol. In this intermediation it can change the behaviour of the protocol, for example adding a cache or mangling the received data.
The HTTP proxy service available in eBox has the following features: Web content cache. It speeds up the browsing and reduces the bandwidth consumption. Access restriction. It can be restricted by source address, user or using a time table criteria. Antivirus. It blocks infected les. Content access restriction for given domains or le types. Content lter. eBox uses Squid 9 as proxy, and draws on Dansguardian 10 for content control.
8 9 10
For more information about HTTP service, see the section Web data publication service (HTTP). Squid: http://www.squid-cache.org Squid Web Proxy Cache Dansguardian: http://www.dansguardian.org Web content ltering
79
3.6.1 Access policy conguration

The most important task when conguring the HTTP Proxy, is to set the access policy to the web content trough it. The policy determines whether the access to the web is allowed and whether the content lter is applied. The rst step to do is to dene a default police. We set it in the page HTTP Proxy choosing one of the six available policies: Allow all: This policy allows to browse without restriction. However it does not mean that the cache is not used. Deny all: This policy denies the web access. At rst, it could seem not useful because you could too deny access with a rewall rule. However, as we will see later, we can dene particular policies for each network object, so we could use this policy to deny as default and then override it in some objects. Filter: This policy allows the access and also enables the content ltering, so the access could be denied depending on the requested content. Authorize and allow, Authorize and deny, Authorize and lter: These policies are derived from the previous policies but with authorization added. The authorization will be explained in the section HTTP Proxy advanced conguration.
General,
After setting the default policy, we can rene our policy setting particular policies for each network object. To set them we must enter in the section HTTP Proxy Objects policy.
80
We can choose any of the six policies for each object; when accessing the proxy from an object this policy will override the default policy. A network address can be contained in various objects so we can establish the priority rearranging the objects in the list. In this case, the policy with greater priority will be applied. It is also possible to dene a timetable for each object, access outside the specied time will be denied. Warning: The timetable option is not compatible with policies that use the content lter.
Figure 3.13: Network objects web access policies
3.6.2 Client connection to the proxy and transparent mode

In order to connect to the HTTP proxy the users must congure their browser. The exact conguration method depends on the used browser but the information required is the eBox servers address and the port used by the proxy. The eBox proxy only accepts connections received on its internal interfaces so an internal address must be used in the browsers conguration. The default port is 3128 but it can be changed through the HTTP Proxy popular ports for HTTP proxy services are 8000 and 8080. To avoid that users could bypass the proxy and access directly to the web, you should deny the HTTP trafc in the rewall. One way to avoid the need to congure each browser is to use the transparent mode. In this mode, eBox should be the network gateway and the HTTP connections toward external servers (for example, Internet) will be redirected to the proxy. To activate this mode we should go to the HTTP Proxy
General page. Other
81
General and enable the Transparent Proxy checkbox. As we will see in HTTP Proxy advanced conguration, the transparent mode is incompatible with policies with authorization. Finally, it must be kept in mind that the secure web trafc (HTTPS) cannot be used in transparent mode. If you want to allow it, you must set a rewall rule that allows it. This trafc will not be managed by the proxy.
3.6.3 Cache parameters

In the section HTTP Proxy General, is possible to dene the disk cache size and which addresses are exempted from it. The cache size controls the maximum disk space used to store the cached web elements. This maximum size is set in the eld Cache le size that we nd under the heading General Settings. With a bigger size, the probability of recovering a web element from the cache increases, and as result the browsing speed could be increased and the bandwidth use could be reduced. In the other hand, the increase of size not only comes with a greater disk usage but also with a increase in the use of RAM memory because the cache must maintain in memory an index of the stored elements. It is the job of each system administrator to choose a size according to the server characteristics and the trafc prole. It is possible to establish domains that are exempted from cache usage. For example, you may have local web servers that a cache will not speed up and you will waste cache space with them. When a domain exempted from cache is requested, it will be contacted directly without any cache lookup and the response will be returned without being stored. The exempted domains are managed under the heading Cache Exemptions that we nd at the page HTTP Proxy General.
3.6.4 Web content lter

eBox allows to lter web pages according to their contents. To enable the lter, the default policy or the object policy of a given object should be either Filter or Authorize and Filter. With eBox, we can dene multiple lter proles but in this section we will only talk about the default prole, leaving the discussion of multiple proles to the section HTTP Proxy advanced conguration. In order to congure the lter settings you have to go to the page HTTP Proxy select the conguration of the default prole.
Filter Proles and
82
The content ltering is based in various test including virus ltering, heuristic word lter and simpler things like banned domains. The end result is the decision about whether to allow or deny the browsing of the page under analysis. The rst lter is the virus ltering. To use it you should have the antivirus module installed and enabled. Then you can congure in the lter prole whether you want to use it or not. When enabled it will block HTTP trafc with infected contents. The text content lter analyzes the text contained in the web page, if it is considered not appropriate according to the rules (for example is considered a text of a pornographic page) the request will be blocked. To control this process we can establish a threshold that will be compared to the score assigned to the page by the lter, if the score is above the threshold, the page will be blocked. The threshold is set in the lter prole, at the section Content ltering threshold. This lter can also be disabled by choosing the value Disabled. Itx should be noted that the text analysis could result either in false positives or false negatives, blocking innocent pages or letting pass inappropriate ones; this problems can be mitigated using domain policies but it could happen again with unknown pages. There are more explicit lters: * By domain. For example, denying the access to a sport newspaper domain * By le extension. For example, forbidding the download of .EXE les. * By le MIME type. For example, forbidding the download of video les. These lters are presented in the lter prole conguration by means of three tabs, Files extension lter, MIME types ltering and Domains ltering.
83
In the Files extension lter table you can congure which le extensions should be blocked. Likewise, in the MIME types ltering table you can establish which MIME types should be blocked. The MIME types (Multipurpose Internet Mail Extensions) are a standard, originally conceived to extend the contents of email, which dene the type of the content. They are used too by other protocols, HTTP among them, to determine the content of transfered les. An example of MIME type is text/html, which is the type for web pages. The rst part of the type informs about the type of content stored (text, video, images, executables, ...) and the second about the format used (HTML, MPEG, gzip, .. ). In the Domains ltering section, you will found the parameters related to ltering websites according to its domain. They are two global settings: Block not listed domains. This option will block domains that are not present in Domain rules or in the categories in Domain lists les. In this last case, the domains in a category with the policy of Ignore are considered not listed.
84
Block sites specied only as IP. This option blocks pages requested using their IP address instead of their domain name. The purpose of this option is to avoid attempts to bypass domain rules using IP addresses. Next we have Domain rules, where you can introduce domains and assign them one of the following policies: Always allow: The access to the content of this domain is always allowed. All the content lters are ignored. Always deny: The access to the contents of this domains will be always blocked. Filter: The lters will be applied to this domain as usual. However it will not be automatically blocked if the Block not listed domains option is active.
In Domain list les, you can simplify the management of domains using classied lists of domains. These lists are usually maintained by third parties and they have the advantage that the domains are classied in categories, allowing to dene policies for a full domain category. eBox supports the lists distributed by urlblacklist
11 12
11
, shallas blacklists
12
and any other that uses the same format.
URLBlacklist: http://www.urlblacklist.com Shallas blacklist: http://www.shallalist.de
85
This lists are distributed as compressed archives. Once downloaded, you can add the archive to your conguration and set policies for each category. The policies that can be set for each category are the same polices that can be applied to individual domains, and they will be enforced to all domains in the category. There is an additional policy called ignore, its effect is to ignore completely the presence of a category. This is the default policy for all categories.
Practical example Enable the transparent mode in the proxy. Check with the iptables command the added NAT rules which should have been added to enable this feature. 1. Action: Log into eBox, enter Module status and enable the HTTP Proxy module, to do this check its box in the column Status. Effect: eBox will ask for permission to overwrite some les. 2. Action: Read the reason for the changes on each le and grant permission to eBox to overwrite them. Effect: The Save changes button is highlighted. 3. Action: Go to HTTP Proxy
General, check the Transparent proxy checkbox. Make sure
that eBox can act as router, for this at least one internal and one external interfaces are required. Effect: The transparent mode is congured.
86
4. Action: Click into Save changes to enforce the new conguration. Effect: The rewall and HTTP proxy services will be restarted. 5. Action: In the console of the eBox computer, execute the command iptables -t nat -vL. Effect: The command output must be similar to this: Chain PREROUTING (policy ACCEPT 7289 packets, 1222K bytes) pkts bytes target prot opt in out source destination 799 88715 premodules all any any anywhere anywhere Chain POSTROUTING (policy ACCEPT 193 packets, 14492 bytes) pkts bytes target prot opt in out source destination 29 2321 postmodules all any any anywhere anywhere 0 0 SNAT all any eth2 !10.1.1.1 anywhere to:10.1.1.1 Chain OUTPUT (policy ACCEPT 5702 packets, 291K bytes) pkts bytes target prot opt in out source destination Chain postmodules (1 references) pkts bytes target prot opt in out source destination Chain premodules (1 references) pkts bytes target prot opt in out source destination 0 0 REDIRECT tcp eth3 any anywhere !192.168.45.204 tcp dpt:www redir ports 3129
87
88
Chapter 4 eBox Ofce
One of the fundamentals for the creation of computer networks was the sharing of resources and data
1
. This issue is particularly emphasized here and is possibly the most useful section for the daily
operations of many local area networks in ofces or at home. Unied user and group management through a directory service for all network services, the use of shared les and printers and all groupware services, such as calendars, contacts and tasks, are discussed in this section.
4.1
Directory service (LDAP)

Directory services are used to store and sort the data relating to organizations (in this case, users and groups). They enable network administrators to handle access to resources by users by adding an abstraction layer between the resources and their users. This service gives a data access interface. It also acts as a central, common authority through which users can be securely authenticated. A directory service can be considered similar to the yellow pages. Its characteristics include: The data is much more often read than written. Hierarchical structure that simulates organizational architecture.
1
See net-intro-ref for further information.
89
Properties are dened for each type of object, standardized by the IANA 2 , on which access control lists (ACLs) can be dened. There are many different implementations of the directory service, including NIS, OpenLDAP, ActiveDirectory, etc. eBox uses OpenLDAP as its directory service with Samba technology for Windows domain controller and to share les and printers.
4.1.1 Users and groups

Normally, in the management of any size of organization there is the concept of user or group. For easier shared resource administration, the difference is made between users and their groups. Each one may have different privileges in relation to the resources of the organization.
Management of users and groups in eBox
Modes
As it has been explained, eBox has a modular design, allowing an administrator to distribute services among several machines in the network. In order for this to be feasible, the users and groups module supports a master/slave architecture to share users between different eBoxes. By default, and unless indicated otherwise in the Users and Groups
Mode menu entry, the
module will set up a master LDAP directory. By default, the Distinguished Name (DN) of the directory is set according to the current hostname, if a different one is desired, it can be set in the LDAP DN text entry.
Internet Assigned Numbers Authority (IANA) is responsible for assigning public IP addresses, top level domain (TLD) names, etc. http://www.iana.org/
2
90
CHAPTER 4. EBOX OFFICE
Other eBoxes can be congured to use a master as the source of their users, thus becoming directory slaves. In order to do this, the slave mode has to be selected in Users and Groups
Mode. The slave setup requires two extra parameters, the IP or hostname of the master directory and its LDAP password. This password is not the eBox one, but the one generated automatically when enabling the users and groups module. Its value can be obtained in the Password eld in Users and Groups LDAP Info in the master eBox.
There is one extra requirement before registering a slave in a master. The master has to be able to resolve the slaves hostname via DNS. There are different ways to achieve this. The easiest one is adding an entry for the slave in the masters /etc/hosts. Other option is to set up the DNS service in eBox, including the slave hostname and IP address. If the rewall module is enabled in the master eBox, it has to be congured in a way that allows incoming LDAP trafc from the slaves. By default, the rewall denies this trafc, so make sure to perform the necessary adjustments on the rewall before proceeding.
91
Once these parameters are set and the slave hostname can be resolved from the master, the slave can be registered in the master by enabling the users and groups module in Module Status. Slaves create a replica of the master directory when they register for the rst time, and that replica is kept up to date automatically when new users and groups are added. A list of the slaves can be seen in the master in Users and Groups Slave Status.
Modules that work with users such as mail or samba can be installed now in the slaves and they will use the users available in the master eBox. Some modules require some actions to be executed when new users are added, such as samba, which needs to create the home server. In order to do this, the master will notify the slaves about new users and groups when they are created, giving a chance to slaves to perform the appropriate actions. There might be problems executing these actions in some circumstances, for example if one of the slaves is down. In this case the master will remember that there are pending actions to be performed and will retry periodically. The user can also check the status of the slaves in Users and Groups Slave Status and force a retry manually. A slave can be deleted in this section as well. There is an important limitation in the current master/slave architecture. The master eBox cannot have any module depending on users and groups installed, for example, samba or mail among others. If the master has any of these modules installed, they have to be uninstalled before trying to register a slave on it. If at some point the mode of operation of the users and groups module needs to be changed, it can be done running this command:
# sudo /usr/share/ebox-usersandgroups/ebox-usersandgroups-reinstall
when it executed will completely remove the LDAP directory, deleting all the current users and groups and reinstall it from scratch so it can be set up in a different mode.
92
Users and groups creation

A group can be created from the Users and Groups Groups menu in the master eBox. A group is identied by its name and can contain a description.
Through Users and Groups Groups, the existing groups are displayed for edition or deletion. While a group is being edited, the users belonging to the group can be chosen. Some options belonging to the installed eBox modules with some specic conguration for the user groups can be changed too.
The following are possible with user groups, among others: Provide a directory to be shared between users of a group. Provide permission for a printer to all users of a group. Create an alias for an e-mail account that redirects to all users of a group. Assign access permission to the different eGroupware applications for all users of a group.
93
The users are created from the Users and Groups Users menu, where the following data must be completed:
User name: Name of the user in the system, which will be the name used for identication in the authentication processes. First Name: Users rst name. Last Name: Users last name. Comment: Additional data on the user. Password: Password to be used by the user in the authentication processes. This info must be provided twice to avoid misspellings in this vital data. Group: The user can be added to a group during its creation. From Users and Groups Users, a list of users can be obtained, edited or deleted.
While a user is being edited, all the previous data can be changed, except for the user name. The data regarding the installed eBox modules that have some specic conguration for users can also be changed, as well as the list of groups to which the user belongs.
94
It is possible to edit a user to: Create an account for the Jabber server. Create an account for le or PDC sharing with a customized quota. Provide permission for the user to use a printer. Create an e-mail account for the user and aliases for it. Assign access permission to the different eGroupware applications. Assign a phone extension to the user. In a master/slave setup, the basic elds of users and groups can be edited in the master, while any further attributes pertaining to a given module installed in a slave have to be edited in that slave.
User Corner The user data can only be modied by the eBox administrator, which becomes non-scalable when the number of users managed becomes large. Administration tasks, such as changing a users password, may cause the person responsible to waste a lot of time. Hence the need for the user corner. This corner is an eBox service that allows users to change their own data. This function must be enabled like the other modules. The user corner is listening in another port through another process to increase system security.
95
Users can enter the user corner through: https://<eBox_ip>:<user_corner_port>/ Once users have entered their user name and password, changes can be made to their personal conguration. The features provided so far are: Change current password User voicemail conguration Congure an external personal account to fetch mail to synchronize with the users mailbox in the eBox mail server.
Practical example A
Create a group in eBox called accountancy. To do so: 1. Action: Enable the users and groups module. Enter Module status and enable the module if it is not enabled. Effect: The module is enabled and ready for use.
96
2. Action: Access Users and Groups Groups. Add accountancy as a group. The comments parameter is optional. Effect: The accountancy group has been created. The changes do not have to be saved, as any action on LDAP is instant.
Practical example B
Create the user peter and add him to the accountancy group. To do so: 1. Action: Access Users and Groups
Users. Complete the different elds for the new user.
The user peter can be added to the accountancy group from this screen. Effect: The user has been added to the system and to the accountancy group. Check from the console that the user has been correctly added: 1. Action: In the console, run the command:
# id peter
Effect: The result should be something like this:
uid=2003(pedro) gid=1901(__USERS__) groups=1901(__USERS__) ,2004(accountancy)
4.2
File sharing service and remote authentication

4.2.1 File sharing
The le sharing takes place through a network le system. The systems more widely used are: NFS (Network File System) by Sun Microsystems, which was the rst one, AFS (Andrew File System) and CIFS (Common Internet File System), also known as SMB (Server Message Block ). The clients operate on les (opening, reading or writing les) as if they were locally stored in the machine, but the information can actually be stored in different places, location being completely transparent to the end user. Ideally, the client should not know whether the le is stored in the host
97
itself or it is spread all over the network. However, this is not possible due to the network delays and the issues related to concurrent le updates which should not interfere among them.
4.2.2 SMB/CIFS and its Linux Samba implementation

SMB (Server Message Block ) or CIFS (Common Internet File System) is used to share the access to: les, printers, serial ports and any other series of communications between nodes in a local network. It also offers authentication mechanisms between processes. It is mainly used among computers with Windows. However, there are also some implementations in other operating systems such as GNU/Linux using Samba, which implements Windows system protocols using reverse engineering 3 . Given the success of some le sharing systems, Microsoft decided to rename SMB as CIFS, adding new features to it, such as: symbolic and hard links and bigger le sizes, as well as avoiding the use of NetBIOS 4 in which SMB is based.
4.2.3 Primary Domain Controller (PDC)

A Primary Domain Controller (PDC) is a domain server for Windows NT versions previous to the Windows 2000 version. In this environment, a domain is a system which allows restricted access to a series of resources with a username and password. Therefore, it can be used to log in in the system through remote access control. PDC has also been recreated by Samba inside the SMB authentication system. In modern Windows versions it is denominated Domain Controller.
4.2.4 eBox as le server

eBox uses Samba SMB/CIFS implementation for Linux as a le server and Windows operative system authentication. The le sharing services are active when the File sharing module is active, regardless whether you are using eBox as PDC or not. The le sharing in eBox is integrated with the users and groups. As a result, each user will have a personal directory and each group can have a shared directory for all its users.
3 4
Reverse engineering tries to gure out the communication protocols just through observation of their messages. NetBIOS (Network Basic Input/Output System): API that allows communication among different computers in a local
area network. It gives a NetBIOS name and IP address to each one of the hosts.
98
The personal directory for the user is automatically shared and can only be accessed by the user.
Going to Groups Edit Group a shared directory for a group can also be created. Every member of this group will have access to this directory, being able to read and write all the les.
Go to File Sharing
General Settings to congure the general settings of le sharing service.
Domain will refer to the Windows local network name whereas NetBIOS Name will identify eBox inside the Windows network. You can also give a Description with the domain characteristics. Apart from that, and as an optional feature, a Quota Limit can be established. Using Samba group, you may optionally set a group to have a le sharing account instead of all users, the synchronization is done every hour. To add a new shared directory, go to File Sharing Shares and click Add new.
99
Enabled: This option has to be marked whenever the directory needs to be shared. Unmarking the option will cause the directory to no longer be shared, while keeping the settings. Share name: This refers to the name of the shared directory. Share path: A path can be created either in the eBox directory /home/samba/shares or using an already existing directory path if File system path is chosen. Comment: A more detailed description of the share can be provided in this eld.
Access Control can be congured from the shares list. You can go to Add New in order to give reading, writing and administration permissions to a given user or group. If a user has administration permission over a share they will be granted all the permissions over the les created by other users in this directory.
Going to Users and Groups Groups Edit Group a shared directory for a group can also be created. Every member of this group will have access to this directory, being able to read and write all the les. If you want to save the deleted les inside a special directory called RecycleBin, just go to File Sharing
Recycle Bin and check the Enable Recycle Bin option. If you dont want to apply it to
all your shares you can add exceptions in the Samba shares Recycle Bin exceptions section. You
100
can also modify some default settings for this feature, like the name of the directory, by editing the /etc/ebox/80samba.conf le.
Under File Sharing Antivirus there is also a checkbox to enable or disable the check for viruses in your shares and the possibility to add exceptions if there are shares that you dont want to check. Note that if you want to access the antivirus conguration for the lesharing module the samba-vscan package must be installed in the system. The Antivirus module must be installed and enabled as well.
4.2.5 SMB/CIFS clients conguration

Files can be shared between Windows and GNU/Linux once the le sharing service is running.
Windows client The selected domain will be found in Network Places
All the Network. The server
host with the selected name will show the shared resources it has.
101
Linux client 1. Konqueror (KDE) When using Konqueror
smb:// should be introduced in the location bar in order to see the
Windows network, where you will be able to nd the specied domain.
2. Nautilus (Gnome)
102
When using Nautilus (Gnome) go to Places
Network Windows Network in order to nd
the specied domain and the eBox server inside.
Taking into account that the personal directories are not shown when browsing the server resources, those will need to be introduced in the location bar. For example, if you need to have access to Peters personal directory, you will have to introduce the following address:
smb://<ip_de_ebox>/peter
3. Smbclient Besides the graphical interfaces, there is a command line client which works in a similar way to FTP clients. Smbclient allows actions such as: le downloading and uploading or le and directory information gathering among others. This could be an example of a session:
$ smbclient -U joe //192.168.45.90/joe > get ejemplo > put eaea > ls > exit $ smbclient -U joe -L //192.168.45.90/ Domain=[eBox] OS=[Unix] Server=[Samba 3.0.14a-Debian]
103
Sharename Type Comment -----------------_foo Disk _mafia Disk hp Printer br Printer IPC$ IPC IPC Service (eBox Samba Server) ADMIN$ IPC IPC Service (eBox Samba Server) joe Disk Home Directories Domain=[eBox] OS=[Unix] Server=[Samba 3.0.14a-Debian] Server Comment --------------DME01 PC Verificaci eBox-SMB3 eBox Samba Server WARP-T42 Workgroup Master --------------eBox eBox-SMB3 GRUPO_TRABAJO POINT INICIOMS WARHOL MSHOME SHINNER WARP WARP-JIMBO
4.2.6 eBox as an authentication server

You have to go to File Sharing General Settings and check the Enable PDC option in order to have eBox working as an authentication server (PDC).
104
If the option Roaming Proles is enabled, the PDC server will store all the user proles. Any user prole will contain general information such as: Windows settings, Outlook e-mail accounts or its documents. Every time a user logs in an updated prole will be sent to them by the PDC server. The user can have access to his prole information from any computer. Please take into account the size of the users information when setting up your server in order to make sure there is enough space. In addition to that, the Disk Letter for the personal directory can be redened. When a user logs into the domain his personal directory will be automatically mapped to a drive with this letter. Finally, you can dene user policy passwords through File Sharing enforcement by the law. Minimum Password Length Maximum Password Age. The password has to be changed after this period. Enforce Password History. Stores a number of passwords once modied. This policy only applies when a password is changed from Windows. Actually Windows will enforce the policy when a user logs in in a machine registered in the domain.
PDC. This is usually an
105
4.2.7 PDC Client Conguration

An account with administration rights will be needed in order to congure a PDC client, this can be done going to Users and Groups Users File Sharing or PDC Account. You can also establish a Disk Quota.
Now, go to a different machine in the same LAN (keep in mind that the SMB/CIFS protocol works using broadcast) that has a CIFS-capable Windows (i.e., Windows XP Professional). Click on My PC
Properties. This will launch the Network Id wizard. We will reboot the server
after entering the administratiion user name and password as well as the domain name given in the File Sharing conguration. The machine name can be the one already set, as long as it does not collide with an existing one already in the domain. After nishing the process, you need to reboot the machine. Every user can see their disk usage and quota in My PC.
106
4.3
Printers sharing service

In order to share a printer in our network, allowing or denying users and groups the access to it, we need to have access to that printer from a host running eBox. This can be done through: direct connection, i.e., with a USB
5
or parallel port, or through the local network. Besides that, if we want to
obtain good results on its operation, we will need to know certain information regarding the manufacturer, the model and the driver of the printer. Printers can be added going to Printers Once there, you will be asked to enter all the necessary details in a wizard. First of all, we need to name the printer and to establish a connection method for it. The following methods are currently supported by eBox: Parallel port: A physical printer connected to the eBox server using parallel port. USB: A physical printer connected to the eBox server using USB AppSocket: A remote printer that uses the AppSocket protocol, also known as JetDirect.
5
Add printer.
Universal Serial Bus (USB) is a serial bus standard to connect devices to a host computer.
107
IPP: A remote printer that uses the Internet Printing Protocol (IPP) 6 . LPD: A remote printer that uses the Line Printer Daemon protocol (LPD) 7 . Samba: A remote printer shared through Samba or Windows printer sharing.
We will need to congure the connection parameters according to the selected method. For example, if we have a network printer, we will have to set up an IP address and a listening port as the following gure shows:
In the next four steps we will congure the printer driver that eBox needs to use in order to send the jobs to be printed out, dening: the manufacturer, the model, the printer driver as well as other settings.
Internet Printing Protocol (IPP) is a standard network protocol for remote printing as well as for managing print jobs, media size, resolution, and so forth. More information available on RFC 2910. Line Printer Daemon protocol (LPD) is a set of programs that provide printer spooling and network printer server functionality for Unix-like systems. More information available on RFC 1179.
7
108
After these steps, the printer will be congured. Now you will be able to see not only the queued printing jobs but also the ones in progress. In addition to that, you can also modify any of the parameters already introduced in the wizard going to Printers Manage printers. The printers managed by eBox are accessible using the Samba protocol. You can
also enable the printing daemon CUPS in order to share the printers using IPP too.
Once the service is enabled and you have saved changes, you can give access to the resources editing either the group or the user (Groups Printers).
Edit Group Printers or Users Edit User
109
4.4
Groupware Service
Groupware, also known as collaborative software, is a set of applications integrating the work of different users in common projects. Each user can connect to the system from various working stations on the local network or from anywhere in the world via the Internet. Some of the most important features of groupware tools are: Communication between users: mail, chat rooms, etc. Information sharing: shared calendars, task lists, common address books, knowledge base, le sharing, news, etc. Project management, resources, time management, bugtracking, etc.
110
There is a large number of groupware solutions available on the market. Among the Open Source alternatives, one of the most popular options is eGroupWare
8
which is the one selected for eBox
Platform to implement such an important feature in business environments. Setting up eGroupware with eBox Platform is very simple. The goal is for the user not to need to access the traditional conguration offered in eGroupware and to allow him to manage all the settings from eBox interface, unless some advanced customization is required. In fact, the password for the conguration of eGroupware is auto-generated 9 by eBox and the administrator should use it under her own responsibility: by taking any wrong action the module might become improperly congured and left in an unstable status.
4.4.1 Groupware service settings with eBox

Most of eGroupware conguration is performed automatically by enabling the module and saving the changes. Without requiring any additional user intervention, eGroupware will be operating fully integrated with the eBox directory service (LDAP). All users being added to eBox from that moment on will be able to log in eGroupware without requiring any other action. In addition, we can integrate the webmail service provided by eGroupware with eBox mail module. For this the only action required is to select a pre-existing virtual domain and to enable the IMAP service, allowing for the reception of mail. This is done by the eBox installer automatically if you select ebox-egroupware to install. Instructions for creating a mail domain and conguring the IMAP service are fully explained in chapter Electronic Mail Service (SMTP/POP3-IMAP4). For the domain selection used by eGroupware, you should access the Groupware Virtual Mail Domain tab. The interface is shown in the following image. It is only needed to select the desired domain and click the button Change. Although, as usual, this action does not take effect until the button Save Changes is pressed.
eGroupware: An enterprise ready groupware software for your network http://www.egroupware.org Note for eGroupware advanced users: The password is stored in the le /var/lib/ebox/conf/ebox-egroupware.passwd and usernames are admin and ebox for header and domain conguration respectively.
9 8
111
In order for users to be able to use the mail service they will need to have their own accounts created on it. The image below (Users and Groups eGroupware.
Users) shows that during the conguration of
eGroupware a notice is displayed indicating the name of the mail account that should be used from
eGroupware consists of several applications; in eBox you can edit access permissions to these applications for each user assigning a permission template, as shown in the image above. There is a default permission template but you can dene other ad-hoc ones. The default permission template is useful for conguring most of the users of the system with the same permissions, so that when a new user is created permissions will be assigned automatically. To edit the default template go to the Groupware image.
Default Applications tab, as shown in the
112
For small groups of users such as administrators, you can dene a custom permission template and apply it manually for these users. To dene a new template go to Groupware
User Dened Permission Templates in the menu
and click on Add New. Once the name is entered it will appear on the table and you can edit the applications by clicking on Allowed Applications, in a similar way as with the default template.
Be aware that if you modify the default permission template, changes will only be applied to users that are created from that moment on. They will not be applied retroactively to users previously created. The same applies to the user-dened templates: if there were any users with that template applied on their conguration you should edit that users properties and apply the same template again once it has been modied.
113
Finally, once you have congured everything, you can access eGroupWare through the address http://<ebox_ip>/egroupware using the username and password dened in the eBox interface.
eGroupware management is beyond the scope of this manual. For any question, you should check the ofcial eGroupware user manual. It is available on-line in the ofcial website and it is also linked from within the application once you are inside.
Practical example Enable the Groupware module and check its integration with the mail. 1. Action: Access eBox, go to Module Status and activate module Groupware, checking the box in the column Status. You will be informed eGroupware conguration is about to change. Allow the operation by pressing the button Accept. Make sure you have previously enabled the modules on which it depends (Mail, Webserver, Users, ...). Effect: The button Save Changes is activated. 2. Action: Set up a virtual mail domain as shown in the example Practice example. In this example a user is added with her corresponding email account. Steps related to objects or forwarding policies in the example are not necessary. Follow the steps just until the point in which the user is added. Effect: The new user has a valid mail account. 3. Action: Access the :menuselection: Mail > General menu and in the Mail Server Options tab check the box IMAP Service Enabled and click Change. Effect: The change is saved temporarily but it will not be effective until changes are saved. 4. Action: Access the :menuselection: Groupware menu and in the Virtual Mail Domain tab select the previously created domain and click Change.
114
Effect: The change is saved temporarily but it will not be effective until changes are saved. 5. Action: Save changes. Effect: eBox shows the progress while applying the changes and informs when it is done. From now on eGroupware is congured correctly to be integrated with your IMAP server. 6. Action: Access the eGroupware interface (http://<ebox_ip>/egroupware) with the user you created earlier. Access the eGroupware mail application and send an email to your own address. Effect: You will receive in your inbox the email you just sent.
115
116
Chapter 5 eBox Unied Communications
In this section we will see the different communication methods for sharing information that are centralized in eBox and are all accessible using the same username and password. First, the mail service is explained. It allows a quick and easy integration with the preferred mail client of the users of the network, offering also the latest techniques available to prevent spam. Second, the instant messaging service through the Jabber / XMPP protocol. It provides an internal IM service without having to rely on external companies or an Internet connection. It also offers conference rooms and can be used with any of the many clients available. It allows faster communication in the cases where the mail is not enough. Finally, we will see an introduction to voice over IP, which enables each person to have an extension to make calls or participate in conferences easily. Additionally, with an external provider, eBox can be congured to connect to the traditional telephone network.
5.1
Electronic Mail Service (SMTP/POP3-IMAP4)

The electronic mail service is a store and forward method messages over electronic communication systems.
1
to compose, send, store and receive
117
Figure 5.1: Diagram where Alice sends an email to Bob
5.1.1 How electronic mail works through the Internet

The diagram depicts a typical event sequence that takes place when Alice writes a message to Bob using her Mail User Agent (MUA). 1. Her MUA formats the message in email format and uses the Simple Mail Transfer Protocol (SMTP) to send the message to the local Mail Transfer Agent (MTA). 2. The MTA looks at the destination address provided in the SMTP (not from the message header), in this case bob@b.org, and resolves a domain name to determine the fully qualied domain name of the destination mail exchanger server (MX record that was explained in the DNS section). 3. smtp.a.org sends the message to mx.b.org using SMTP, which delivers it to the mailbox of the user bob. 4. Bob receives the message through his MUA, which picks up the message using Pop Ofce Protocol (POP3). There are many alternative possibilities and complications to the previous email system sequence. For instance, Bob may pick up his email in many ways, for example using the Internet Message Access Protocol (IMAP), by logging into mx.b.org and reading it directly, or by using a Webmail service.
Store and forward: Telecommunication technique in which information is sent to an intermediate station where it is kept and sent at a later time to the nal destination or to another intermediate station.
1
118
CHAPTER 5. EBOX UNIFIED COMMUNICATIONS
The sending and reception of emails between mail servers is done through SMTP but the users pick up their email using POP3, IMAP or their secure versions (POP3S and IMAPS). Using these protocols provides interoperability among different servers and email clients. There are also proprietary protocols such as the ones used by Microsoft Exchange and IBM Lotus Notes.
POP3 vs. IMAP The POP3 design to retrieve email messages is useful for slow connections, allowing users to pick up all their email all at once to see and manage it without being connected. These messages are usually removed from the user mailbox in the server, although most MUAs allow to keep them on the server. The more modern IMAP, allows you to work on-line or ofine as well as to explicitly manage server stored messages. Additionally, it supports simultaneous access by multiple clients to the same mailbox or partial retrievals from MIME messages among other advantages. However, it is a quite complicated protocol with more server work load than POP3, which puts most of the load on the client side. The main advantages over POP3 are: Connected and disconnected modes of operation. Multiple clients simultaneously connected to the same mailbox. Access to MIME message parts and partial fetching. Message state information using ags (read, removed, replied, ...). Multiple mailboxes on the server (usually presented to the user as folders) allowing to make some of them public. Server-side searches Built-in extension mechanism Both POP3 and IMAP have secure versions, called respectively POP3S and IMAPS. The difference with its plain version is that they use TLS encryption so the content of the messages cannot be eavesdropped.
119
5.1.2 SMTP/POP3-IMAP4 server conguration with eBox

Setting up an email system service requires to congure an MTA to send and receive emails as well as IMAP and/or POP3 servers to allow users to retrieve their mails. To send and receive emails Postx
3 2
acts as SMTP server. The email retrieval service (POP3,
IMAP4) is provided by Dovecot . Both servers support secure communication using SSL.
5.1.3 Receiving and relaying mail

In order to understand the mail system conguration, a distinction must be made between receiving mail and relaying mail. Reception is when the server accepts a mail message whose recipients contains an account that belongs to any of his virtual mail domains. Mail can be received from any client which is able to connect to the server. On the other hand, relay is done when the mail server receives a message whose recipients do not belong to any of his managed virtual mail domains, thus requiring forwarding the message to other server. Mail relay is restricted, otherwise spammers could use the server to send spam over the Internet. eBox allows mail relay in two cases: 1. an authenticated user 2. a source address that belongs to a network object which has a allowed relay policy
General conguration Through Mail General Mail server options Authentication, you can manage the authentication options. The following options are available: TLS for SMTP server: Force the clients to connect to the mail server using TLS encryption, thus avoiding eavesdropping. Require authentication: This setting enables the authentication usage. A user must use his email address and his password to identify himself, authenticated users can relay mail through the server. An account alias cannot be used to authenticate.
2 3
Postx The Postx Home Page http://www.postx.org . Dovecot Secure IMAP and POP3 Server http://www.dovecot.org .
120
In the Mail General Mail server options Options section you may congure the general settings for the mail service: Smarthost to send mail: Domain name or IP address of the smarthost. You could also specify a port appending the text :[port_number ] after the address. The default port is the standard SMTP port, 25. If this option is set eBox will not send its messages directly, but each received email will be forwarded to the smarthost without keeping a copy. In this case, eBox would be an intermediary between the user who sends the email and the server which is the real message sender. Smarthost authentication: Whether the smarthost requires authentication using a user and password pair or not.
121
Server mailname: This sets the visible mail name of the system, it will be used by the mail server as the local address of the system. Postmaster address: The postmaster address by default is aliased to the root system user but it could be set to any account, belonging to any of managed virtual mail domains or not. This account is intended to be a standard way to reach the administrator of the mail server. Automatically-generated notication mails will typically use postmaster as reply address. Maximum mailbox size allowed: Using this option you could indicate a maximum size in MB for any user mailboxes. All mail which surpasses the limit will be rejected and the sender will be emailed a notication. This setting could be overridden for any user in the Users and Groups Users page. Maximum message size accepted: Indicates, if necessary, the maximum message size accepted by the smarthost in MB. This is enforced regardless of any mailbox size limit. Expiration period for deleted mails: If you enable this option those mail messages which are in the users trash folder will be deleted when their dates passes the day limit. Expiration period for spam mails: This option applies the same way as above option but regarding to the users spam folder. In order to congure the mail retrieval services go to the Mail retrieval services section. There eBox may be congured as POP3 and/or IMAP server, their secure versions POP3S and IMAPS are available too. Also the retrieve email for external accounts and ManageSieve services could be enabled in this section, we will discuss those services in Mail retrieval from external accounts section. In addition to this, eBox may be congured to relay mail without authentication from some network addresses. To do so, you can add relay policies for network objects through Mail General Relay policy for network objects. The policies are based on the source mail client IP address. If the relay is allowed from an object, then each object member may relay emails through eBox.
122
Warning: Be careful when using an Open Relay policy, i.e., forwarding email from everywhere, since your mail server will probably become a spam source. Finally, the mail server may be congured to use a content lter for their messages 4 . To do so, the lter server must receive the message from a xed port and send the result back to another established port where the mail server is bound to listen the response. Through Mail Mail lter options, you may choose a custom server or eBox as mail lter.
General
In Mail Filter section this topic is deeply explained.
123
Email account creation through virtual domains In order to set up an email account with a mailbox, a virtual domain and a user are required. From Mail Virtual Mail Domains, you may create as many virtual domains as you want. They provide the domain name for email accounts for eBox users. Moreover, it is possible to set aliases for a virtual domain. It does not make any difference to send an email to one virtual domain or any of its aliases.
In order to set up email accounts, you have to follow the same rules applied conguring any other user-based service . From Users and Groups
Users Edit Users Create mail account. You
select the main virtual domain for the user there. If you want to establish to the user more than a single email address, you can create aliases. Behind the scenes, the email messages are kept just once in a mailbox. However, it is not possible to use the alias to authenticate, you always have to use the real account.
Note that you can decide whether an email account should be created by default when a new user is added or not. You can change this behaviour in Users and Groups Mail Account. Likewise, you may set up aliases for user groups. Messages received by these aliases are sent to every user of the group which has an email account. Group aliases are created through Users and Groups Groups Create alias mail account to group. The group aliases are only available when, at least, one user of the group has an email account.
Default User Template
124
You may dene alias to external accounts as well. The mail sent to that alias will be forwarded to the external account. This kind of aliases are set on a virtual domain basis and does not require any email account and could be set in Mail Virtual Domains External accounts aliases.
Queue Management From Mail
Queue Management, you may see those email messages that havent already been
delivered. All the information about the messages is displayed. The allowed actions to perform are: deletion, content viewing or retrying sending (re-queuing the message again). There are also two buttons to delete or requeue all messages in queue.
Mail retrieval from external accounts You could congure eBox to retrieve email messages from external accounts, which are stored in external servers, and deliver them to the users mailboxes. In order to congure this you have to enable this service in Mail
General Mail server options Retrieval services section. Once it
is enabled, the users will have their mail fetched from their external accounts and delivered to their internal accounts mailbox. Each user can congure its external accounts through the user corner 5 . The user must have a email account to be able to do this. The external servers are pooled periodically so email retrieval is not instantaneous. To congure its external accounts, a user have to login in the user corner and click on Mail retrieval from external mail accounts in the left menu. In this page a list of users external accounts is shown, the user can add, edit and delete accounts. Each account has the following elds: External account: The username or the mail address required to login in the external mail retrieval service. Password: Password to authenticate the external account.
5
The user corner conguration is explained in User Corner section
125
Mail server: Address of the mail server which hosts the external account. Protocol: Mail retrieval protocol used by the external account, it may be one of the following: POP3, POP3S, IMAP or IMAPS. Port: Port used to connect to the external mail server.
For retrieving external emails, eBox uses the Fetchmail 6 software.
Sieve scripts and ManageSieve protocol The Sieve language 7 allows the user to control how his mail messages are delivered, so it is possible to classify it in IMAP folders, forward it or use a vacation message among other things. The ManageSieve is a network protocol that allows the users to easily manage their Sieve scripts. To be able to use ManageSieve, it is required an email client that understands this protocol.
8
To enable ManageSieve in eBox you have to turn on the service in Mail General Mail server options -> Retrieval services and it could be used by all the users with email account. In addition to this, if ManageSieve is enabled and the webmail scripts will be available in the webmail interface. The ManageSieve authentication is done with the email account of the user and its password. Sieve scripts of an account are executed regardless of the ManageSieve protocol option value.
6 7 8 9
module in use, a management interface for Sieve
Fetchmail The Fetchmail Home Page http://fetchmail.berlios.de/ . For more info check out this page http://sieve.info/ . See a list of clients in this page http://sieve.info/clients The webmail module is explained in WebMail service chapter.
126
Email client conguration Unless users may use email only through the webmail or the egroupware webmail application, users would like to congure their email clients to use eBoxs mail server. The values of the required parameters would depend on the exact conguration of the module. Please note that different email clients could use other names for these parameters, so due to the great number of clients available this section is merely guidance.
5.1.4 SMTP parameters

SMTP server: Enter the address of your eBox server. It could be either an IP address or a domain name. SMTP port: 25, if you are using TLS you could instead use the port 465. Secure connection: Select TLS if you have enabled TLS for SMTP server:, otherwise select none. If you are using TLS please read the warning below about SSL/TLS. SMTP username: Use this if you have enabled Require authentication. Use as username the full email address of the user, dont use the username nor any of his mail aliases. SMTP password: It is the user password.
5.1.5 POP3 parameters

You can only use POP3 settings when POP3 or POP3S services are enabled in eBox. POP3 server: Enter your eBox address likewise in the SMTP parameters section above. POP3 port: 110 or 995 if you are using POP3S. Secure connection: Select SSL if you are using POP3S, otherwise none. If you are using POP3S please read the warning below about SSL/TLS. POP3 username: Full email address, as above avoid the user name or any of his email aliases. POP3 password: Users password.
127
5.1.6 IMAP parameters

IMAP conguration could be only used if either IMAP or IMAPS services are enabled. As you will see the parameters are almost identical to POP3 parameters. IMAP server: Enter your eBox address likewise in the SMTP parameters section above. IMAP port: 443 or 993 if you are using IMAPS. Secure connection: Select SSL if you are using IMAPS, otherwise none. If you are using IMAPS please read the warning below about SSL/TLS. IMAP username: Full email address, as above avoid the user name or any of his email aliases. IMAP password: Users password. Warning: In client implementations there are some confusion about the use of SSL and TLS
protocols. Some clients use SSL to mean that they will try to connect with TLS, others use TLS as a way to say that they will try to connect to the secure service through a port used normally by the plain version of the protocol.. In fact in some clients you will need to try both SSL and TLS modes to nd which one works. You have more information about this issue in this page http://wiki.dovecot.org/SSL , from the dovecots wiki.
5.1.7 ManageSieve client parameters

To connect to ManageSieve, you will need the following parameters: Sieve server: The same that your IMAP or POP server. Port: 4190, be warned that some applications use, mistakenly, the port number 2000 as default for ManageSieve. Secure connection: Set to true Username: Full mail address, as above avoid the user name or any of his email aliases. Password: Users password. Some clients allows you to select the same authentication than your IMAP or POP3 account if this is allowed, select it.
128
Catch-all account A catch-all account is those which receives a copy of all the mail sent and received by a mail domain. eBox allows you to dene a catch-all account for every virtual domain; to dene it you must go to Mail
Virtual Mail Domains and then click in the Settings cell.

All the messages sent and received by the domain will be emailed as Blind Carbon Copy (BCC) to the dened address. If the mail to the catch-all address bounces, it will be returned to the sender.
Practice example
Set up a virtual domain for the mail service. Create a user account and a mail account within the domain for that user. Congure the relay policy to send email messages. Send a test email message with the new account to an external mail account. 1. Action: Log into eBox, access Module status and enable Mail by checking its checkbox in the Status column. Enable Network and Users and Groups rst if they are not already enabled. Effect: eBox requests permission to overwrite certain les. 2. Action: Read the changes of each of the les to be modied and grant eBox permission to overwrite them. Effect: The Save changes button has been enabled. 3. Action: Go to Mail Virtual Mail Domains and click Add new to create a new domain. Enter the name in the appropriate eld. Effect: eBox noties you that you must save changes to use this virtual domain. 4. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is completed, you will be notied. Now you may use the newly created virtual mail domain. 5. Action: Enter Users and Groups Create and Edit button. Effect: The user is added immediately without saving changes. The edition screen is displayed for the newly created user.
Users Add User, ll up the user data and click the
129
6. Action: (This action is only required if you have disable the automatic creation of email accounts in Users and Groups > Default User Template > Mail Account). Enter a name for the user mail account in Create mail account and create it. Effect: The account has been added immediately and options to delete it or add aliases for it are shown. 7. Action: Enter the Object Add new menu. Fill in a name for the object and press Add. Click on Members in the created object. Fill in again a name for the member and write the host IP address where the mail will be sent from. Effect: The object has been added temporarily and you may use it in other eBox sections, but it is not persistent until you save changes. 8. Action: Enter Mail
General Relay policy for network objects. Select the previously
created object making sure Allow relay is checked and add it. Effect: The Save changes button has been enabled. 9. Action: Save the changes Effect: A relay policy for that object has been added, which makes possible from that object to send e-mails to the outside. 10. Action: Congure a selected MUA in order to use eBox as SMTP server and send a test email message from this new account to an external one. Effect: After a brief period you should receive the message in your external account mailbox. 11. Action: Verify using the mail server log le /var/log/mail.log that the email message was delivered correctly.
5.2
WebMail service
The webmail service allows users to read and send mail using a web interface provided by the mail server itself. Its main advantages are the no client conguration required by the user and easily accessible from any web browser that could reach the server. Their downsides are that the user experience is poorer than with most dedicated email user software and that web access should be allowed by the server. It also increases the server work load to render the mail messages, this job is done by the client in traditional email software.
130
eBox uses Roundcube to implement this service 10 .
5.2.1 Conguring a webmail in eBox

The webmail service is enabled like another eBox service. However, it requires the mail module is congured to use either IMAP, IMAPS or both and the webserver module enabled. If it is not, webmail will refuse to enable itself.
11
Webmail options You can access to the options clicking in the Webmail section in the left menu. You may establish the title that will use the webmail to identify itself, this title will be shown in the login screen and in the page HTML titles.
Login into the webmail In order to log into the webmail, rstly HTTP trafc must be allowed by the rewall from the source address used. The webmail login screen is available at http://[eBoxs address]/webmail from the browser. Then it has to enter his email address and his password. He has to use his real email address, an alias will not work.
Roundcube webmail http://roundcube.net/ The mail conguration in eBox is deeply explained in Electronic Mail Service (SMTP/POP3-IMAP4) section and the webserver module is explained in Web data publication service (HTTP) section.
11 10
131
SIEVE lters The webmail software also includes an interface to manage SIEVE lters. It will only be available if the ManageSIEVE protocol is enabled in the mail service.
12
5.3
Instant Messaging (IM) Service (Jabber/XMPP)

Instant messaging (IM) applications manage a list of people with whom one wishes to stay in touch by exchanging messages. They convert the asynchronous communication provided by email in a synchronous communication in which participants can communicate in real time. Besides the basic conversation, IM has other benets such as: Chat rooms. File transfer. Status updates (e.g.: you are busy, on the phone, away or idle). Shared whiteboard to view and show drawings with contacts. Simultaneous connection from devices with different priorities (e.g.: from the mobile and the computer, giving preference to one of them for receiving messages). Nowadays, there are many instant messaging protocols such as ICQ, AIM, MSN or Yahoo! Messenger, whose operation is essentially privative and centralized. However, Jabber/XMPP is a set of protocols and technologies that enable the development of distributed messaging. These protocols are public, open, exible, extensible, distributed and secure.
12
Check out Sieve scripts and ManageSieve protocol section for more information
132
Moreover, although Jabber/XMPP is still in the process of becoming an international standard, it has been adopted by Cisco or Google (for its messaging service Google Talk) among others. eBox employs Jabber/XMPP as its IM protocol integrating users with Jabber accounts. jabberd2
13
XMPP server is being used for eBox Jabber/XMPP service.
5.3.1 Conguring a Jabber/XMPP server with eBox

To congure the Jabber/XMPP server in eBox, rst check in Module Status if the Users and Groups module is enabled, as Jabber depends on it. Then, mark the Jabber checkbox to enable the Jabber/XMPP eBox module.
Figure 5.2: Jabber General Conguration
To congure the service, go to Jabber in the left menu, setting the following parameters: Domain Name: Specifying the domain name of the server. User accounts will be user@domain. Tip: domain should have an entry in the DNS server, so it can be resolved from the clients. Connect to other servers: To allow our users contact users in external servers, and the other way around, check this box. Otherwise, if you want a private server for your internal network, it should be left unchecked.
13
jabberd2 - XMPP server <http://jabberd2.xiaoka.com/>.
133
Enable Multi User Chat (MUC): Enables conference rooms (chat for more than two users). Tip: the conference rooms are under the domain conference.domain which like the Domain Name should have an entry in the DNS server, so it can be resolved from the clients too. SSL Support: It species whether the communications (authentication and chat messages) with the server are encrypted or plaintext. You can disable it, make it mandatory or leave it as optional. If you set it as optional, this setting will be selected from the Jabber client. To create a Jabber/XMPP user account, go to Users Add User if you want to create a new user account, or to Users Edit User if you just want to enable the Jabber account for an already existing user account.
Figure 5.3: Setting up a Jabber account
As you can see, a section called Jabber Account will appear, where you can select whether the account is enabled or disabled. Moreover, you can specify whether the user will have administrator privileges. Administrator privileges allow to see which users are connected to the server, send them messages, set the message displayed when connecting (MOTD, Message Of The Day) and send a notice to all users connected (broadcast).
5.3.2 Setting up a Jabber client

To illustrate the conguration of a Jabber client, we will use Pidgin and Psi, but if you use another client, the next steps should be very similar.
134
Pidgin Pidgin 14 is a multi-protocol client that allows to manage multiple accounts at the same time. In addition to Jabber/XMPP, Pidgin supports many other protocols such as IRC, ICQ, AIM, MSN and Yahoo!. Pidgin was included by default in the Ubuntu desktop edition until Karmic, but still is the most popular IM client. You can nd it in the menu Internet shown in the picture.
Pidgin Internet Messenger. When starting
Pidgin, if you do not have any account congured yet, the window to manage accounts will appear as
From this window, you can add new accounts, modify and delete existing accounts. Clicking on Add, two tabs with the basic and advanced conguration will appear. For the Basic conguration of your Jabber account, start by selecting the protocol XMPP. The Username and Password should be the same that the Jabber enabled user account has on eBox. The Domain must be the same that is set up in the Jabber/XMPP eBox module conguration. Optionally, in the eld Local alias, write the name you want to show to your contacts.
14
Pidgin, the universal chat client <http://www.pidgin.im/>.
135
On the Advanced tab we can congure the SSL/TLS settings. By default Require SSL/TLS is checked, so if we disabled on eBox the SSL Support we must uncheck this and check Allow plaintext auth over unencrypted streams.
136
If we didnt change the default SSL certicate a warning will be raised asking whether we want to accept it.
137
Psi Psi
15
is a Jabber/XMPP client that allows to manage multiple accounts at the same time. Fast and
lightweight, Psi is fully open-source and compatible with Windows, Linux, and Mac OS X. When starting Psi, if you do not have any account congured yet, a window will appear asking to use an existing account or registering a new one as shown in the picture. We will select Use existing account.
On the Account tab we will setup the basic conguration like the Jabber ID or JID which is user@domain and the Password. The user and password should be same that the Jabber enabled user account has on eBox. The domain must be the same that is set up in the Jabber/XMPP eBox module conguration.
15
Psi, The Cross-Platform Jabber/XMPP Client For Power Users <http://psi-im.org/>.
138
On the Connection tab we can nd the SSL/TLS settings between other advanced conguration. By default Encrypt connection: When available is selected. If we disabled on eBox the SSL Support we must change Allow plaintext authentication to Always.
If we didnt change the default SSL certicate a warning will be raised asking whether we want to accept it. To avoid this message check Ignore SSL warnings on the Connection tab from last step.
The rst time we connect the client will raise a harmless error because we havent published our personal information on the server yet.
139
Optionally we can publish some information about ourselves here.
Once published, this error wont appear again.
5.3.3 Setting up Jabber MUC (Multi User Chat) rooms

Jabber MUC or Multi User Chat is a service that allows multiple users exchange messages in the context of a room. Features like room topics, invitations, ability to kick and ban users, require password to join a room and many more are available in Jabber MUC rooms. For a full specication of MUC check, XEP-0045: Multi-User Chat 16 draft. Once we have enabled Enable Multi User Chat (MUC) on the Jabber eBox menu entry, all further room conguration is done from the Jabber clients. Everybody can create a room on the Jabber/XMPP eBox server and the user who creates a room is the administrator for that room. This administrator can set up all the settings, add other users as moderators or administrators and destroy the room.
16
The Jabber/XMPP chat rooms specication is available in <http://xmpp.org/extensions/xep-0045.html>.
140
One of the settings that we should highlight is Make Room Persistent. By default all the rooms are destroyed shortly after the last participant leaves. These are called dynamic rooms and are the preferred method for multi-user chats. On the other hand, persistent rooms must be destroyed by one of its administrators and are usually setup for work-groups or topics. On Pidgin to join a chat room go to Buddies > Join a Chat.... A Join a Chat window will pop up asking for some information like the Room name, the Server which should be conference.domain, the user Handle or nickname and the room Password if needed.
First user in joining a non existent room will lock it and will be asked whether Congure Room or Accept Defaults.
On Room Conguration will be able to set up all the possible settings for the room. This conguration window can be opened later typing /cong in the room chat window.
141
Once congured, other users will be able to join the room under the settings applied, leaving the room unlocked ready to use.
On Psi to join a chat room we should go to General > Join Groupchat. A Join Groupchat window will pop up asking for some information like the Host which should be conference.domain, the Room name, the user Nickname and the room Password if needed.
First user joining a non existent room will lock it and will be asked to congure it. On the top right corner, a button will show a context menu with the Congure Room option.
142
On Room Conguration will be able to set up all the possible settings for the room.
Once congured, other users will be able to join the room under the settings applied, leaving the room unlocked ready to use.
5.3.4 Practical example

Enable the Jabber/XMPP service and assign to it a domain name that eBox and the clients are able to resolve. 1. Action: Go to Module Status and enable the module Jabber. When the info about the actions required in the system is displayed, allow them by clicking Accept. Effect: Enabled the button Save Changes. 2. Action: Add a domain with the desired name and whose IP address is the eBox server one, in the same way done in Practical example B.
143
Effect: You will be able to use the added domain as the domain for your Jabber/XMPP service. 3. Action: Access the menu Jabber. In the eld Domain Name, write the domain name just added. Click Apply Changes. Effect: Save Changes has been enabled. 4. Action: Save the changes. Effect: eBox shows the progress while applying the changes. When it nish, a message will be displayed. Now the Jabber/XMPP service is ready to be used.
5.4
Voice over IP service

Voice over IP or VoIP involves transmitting voice over data networks using different protocols to send the digital signal through packets instead of using analog circuits. Any IP network can be used for this purpose, including private or public networks such as Internet. There are huge cost savings using the same network for data and voice without losing quality or reliability. The main issues of VoIP deployments over data networks are NAT difculties and QoS considered.
18 17
with its management
, because of the need to offer a quality real-time service where latency (the
time it takes for data to arrive at destination), jitter (variations on latency) and bandwidth have to be
5.4.1 Protocols
There are several protocols involved in the voice transmission, from network protocols like IP and transport protocols like TCP or UDP, to voice protocols both for signaling and transport. VoIP signaling protocols accomplish the task of establishing and controlling the call. SIP, IAX2 and H.323 are signaling protocols. The most widely used voice transport protocol is RTP (Realtime Transport Protocol), which carries the encoded voice from origin to destination. This protocol starts once the call has been established by the signaling protocol.
17 18
Concept explained in Firewall section. Concept explained in Trafc shaping section.
144
SIP SIP (Session Initiation Protocol) is a protocol created by the IETF 19 for the establishment, modication and termination of interactive multimedia sessions. It incorporates many elements of HTTP and SMTP. SIP only handles signaling and works over the UDP/5060 port. Multimedia transmission is handled by RTP over the port range UDP/10000-20000.
IAX2 IAX2 is the second version of the Inter Asterisk eXchange protocol, created for connecting Asterisk
20
PBX systems. The main feature for this protocol is that voice and signaling travel through the same data stream, this is called trunking. This way it can traverse NAT easily and there is less overhead when trying to keep multiple communication channels open among servers. Also with this protocol the communication can be encrypted. IAX2 works on UDP/4569 port.
5.4.2 Codecs
A codec is an algorithm that adapts digital information (encoding at origin and decoding at destination) to compress it, reducing bandwidth usage, detecting and recovering from transmission errors. G.711, G.729, GSM and speex are common codecs for VoIP. G.711: It is one of the most used codecs. It comes in two avors: an American one (ulaw) and an European one (alaw). This codec offers good quality, but it has signicant bandwidth requirements (64kbps), which makes it a common choice for communication over local networks. G.729: It offers a better compression using only 8kbps, being ideal for Internet communications. There are some usage restrictions on this codec. GSM: It is the same codec that is used in mobile networks. Voice quality is not very good and it uses around 13kbps. speex: It is a patent-free codec specially designed for voice. It is very versatile, though it uses more CPU than others. It can work at different bit rates, such as 8KHz, 16KHz and 32KHz, usually referred as narrowband, wideband and ultra-wideband, each consuming 15.2kbps, 28kbps and 36kbps respectively.
19 20
Internet Engineering Task Force develops and promotes communication standards used on Internet. Asterisk is a PBX software that eBox uses for its VoIP module <http://www.asterisk.org/>.
145
5.4.3 Deployment
Lets cover the elements involved in a VoIP deployment:
IP Phones They are phones with a traditional look but with a RJ45 connector to plug them to an Ethernet data network instead of the RJ11 connector for analog telephone networks. They add also new features like address book or call automation not present in regular analog phones. These phones talk usually SIP directly with the server and any other clients.
Analog Adapters Analog adapters, also known as ATA (Analog Telephony Adapter ) can connect a traditional analog phone to a data network and make it work like an IP phone. They have a RJ45 data port and one or more RJ11 analog ports.
Softphones Softphones are computer programs to make and receive calls without additional hardware (except the computer microphone and speakers). There are multiple applications for all platforms and operating systems. X-Lite and QuteCom (WengoPhone) are available for Windows, MacOS X and GNU/Linux. Ekiga or Twinkle are native GNU/Linux applications.
146
Figure 5.4: QuteCom
147
Figure 5.5: Twinkle
IP PBXs In contrast to traditional telephony which routed all calls through a central PBX, VoIP clients (IP phones or softphones) register on the server, ask him for the call recipient information and then establish the call directly. When establishing the call, the caller and the recipient negotiate a common codec for the voice transmission. Asterisk is a software only application that works in commodity servers, providing the features of a PBX (Private Branch eXchange): connect multiple phones amongst them and with a VoIP provider or the analog telephone network. It also offers services such as voice mail, conferences, interactive voice responses, etc. To connect the Asterisk server to the public network, it needs extra cards called FXO (Foreign eXchange Ofce) which allow Asterisk to act like a regular phone and route calls through the phone network. To connect an analog phone to the server, it needs a FXS (Foreign eXchange Station) card. That way, existing phones can be adapted to the new IP telephony network.
Figure 5.6: Digium TDM422E FXO and FXS card
148
5.4.4 Asterisk server conguration with eBox

eBox VoIP module allows you to manage an Asterisk server with the users that already exist on the system LDAP server, and the most common features congured.
As usual, the module must be enabled rst. Go to Module Status and select the VoIP checkbox. If the Users and Groups is not enabled, it should be enabled beforehand. To change the general conguration, go to VoIP parameters should be congured:
General. Once there, the following general
Enable demo extensions: It enables extensions 400, 500 and 600. A call to extension 400 starts music on hold if congured. Extension 500 starts an IAX call to guest@pbx.digium.com. Extension 600 provides an echo test to estimate your call latency. These extensions can help to check if a client is well congured.
149
Enable outgoing calls: It enables outgoing calls through a SIP provider to call regular phones. To call through the SIP provider, add an additional zero before the number to call. For instance, to call eBox Technologies ofces (+34 976733507 or 0034976733506) dial 00034976733506. Voicemail extension: It is the extension to call to check the voicemail. User and password are both the extension assigned by eBox when creating the user, or assigned for the rst time. It is strongly recommended to change that password immediately from the User Corner
21
. The
application listening on this extension allows you to change the welcome message, listen to recorded messages and delete them. For security reasons, it is only accessible by the users of the eBox server, so it does not accept incoming calls from other servers. VoIP domain: It is the domain assigned to the user addresses. For example, a user user with an extension 1122 can be called at user@domain.tld or 1122@domain.tld. In the SIP provider section, enter the credentials supplied by the SIP provider, so eBox can route calls through it: Provider: If you are using eBox VoIP Credit
22
, select this option which will congure your provider
name and server. Otherwise use Custom. Name: It is the identier of the provider in eBox. User name: It is the user name to log in the provider. Password: It is the password to log in the provider. Server: It is the provider server. Recipient of incoming calls: It is the internal extension that will receive the incoming calls to the provider account. The NAT conguration section denes the network location of your eBox host. If it has a public IP address, the default option eBox is behind NAT is not appropriate. If it has a private IP address, Asterisk needs to know your Internet public IP address. If you have a xed public address, select Fixed IP address and enter it; if the IP is dynamic, congure the dynamic DNS service (DynDNS) available in Network hostname. In the Local networks section, you can add the local networks to which eBox has direct access without NAT, like VPN or not congured network segments, like a wireless network. This is required to make SIP work with NAT environments.
21 22
DynDNS (or congure it manually) and enter the domain name in Dynamic
Explained in the section User Corner . You may buy eBox VoIP credit in our store.
150
The conference conguration is accessed through VoIP
Meetings. There you can congure
multiple conference rooms. These rooms extension should t in the 8001-8999 range and optionally have a password and a description. These extensions can be accessed from any server by dialing extension@domain.tld.
When editing a user, you will be able to enable and disable this user VoIP account and change his extension. Take in account that an extension can only be assigned to one user and no more, if you need to call more than one user from an extension, you must use queues. When editing a group, you will be able to enable and disable this group queue. A queue is an extension where all the users who belong to this queue ring when is called. If you want to congure music on hold, drop your MP3 songs to /var/lib/asterisk/mohmp3/ and install the mpg123 package.
5.4.5 Conguring a softphone to work with eBox

Ekiga (Gnome) Ekiga
23
is the softphone (or VoIP client) recommended by the Gnome desktop environment. When
rst launched, Ekiga presents a wizard to congure the users personal data, audio and video devices, the connection to the Internet and the Ekiga.nets services. We can skip the conguration of both Ekiga.net and Ekiga Call Out. From Edit > Accounts, selecting Accounts > Add a SIP Account you can congure your VoIP account in eBox Platform. Name: Identier of the account inside Ekiga.
23
Ekiga: Free your speech <http://ekiga.org/>
151
152
153
Register server: Domain name of the VoIP server. User and User for authentication: Both are the user name. Password: User password.
After setting the account, it will attempt to register on the server.
To make a call is as simple as typing the number or SIP address on the top bar, and call using the green phone icon to the right of the bar. To hang up, use the red phone icon.
Qutecom (Multiplatform) Qutecom 24 is a softphone that uses Qt4 libraries, what makes it available for the three more popular operating systems: GNU/Linux, OSX and Windows. When launched rst time it shows a wizard to congure the VoIP account, as Ekiga does.
24
QuteCom: Free VOIP Softphone <http://www.qutecom.org>
154
155
You have a keypad or a list of contacts to make calls. Use the green/red buttons at the bottom to call and hang up.
5.4.6 Using eBox VoIP features

Call transferring The call transferring feature is quite simple. While you are on a conversation, press # and then dial the extension where you want to transfer the current call. You can hang up at that time as the call will be ringing on the called extension.
Call parking The extension 700 is the call parking. While you are on a conversation, press # to initiate a transfer, then dial 700. The extension where the call has been parked will the announced to the called, and the caller will listen the music on hold, if congured. You can hang up now. From a different phone or different user dial that announced extension and you will wake up the parked user and you will be able to speak with him. On eBox, the call parking can hold up to 20 current calls and the maximum time a call can wait parked is 300 seconds.
156
5.4.7 Example
Create a user with a VoIP account. Change the extension to 1500. 1. Action: Log into eBox, click on Module status and enable the VoIP module by clicking the checkbox in the Status column. If Users and Groups is not enabled you should enable it previously. Then you will be informed about the changes that are going to take place in the system. You should allow these actions by clicking the Accept button. Effect: The Save Changes button has been activated. 2. Action: Go to VoIP. Write the machines domain name in VoIP Domain. The domain should be resolvable from the machines of the service clients. Click on Change. 3. Action: Save the changes done. Effect: eBox shows its progress while applying the changes. Once it is done, it shows it. VoIP service is ready to be used. 4. Action: Access the Users and Groups Users Add User menu. Fill in the form to create a new user. Click on Create and Edit. Effect: eBox creates a new user and shows you its prole. 5. Action: In the section VoIP Account, eBox shows if the user has its account enabled or disabled, and also its extension. Make sure that the account is enabled, all the users created while the VoIP module is enabled should have their account also enabled. Finally, change the extension given by defect (say, the rst free extension of the range of users), to the extension 1500. Click on Apply changes in the VoIP Account section. Effect: eBox apply the changes immediately. The user is able to receive calls in that extension.
157
158
Chapter 6 eBox Unied Threat Manager
This section will explain different techniques to protect your network beyond a simple rewall, preventing external attacks, and detecting possible intrusions into your network services. An email service without a spam lter is a waste of time and resources. This section shows different techniques to avoid junk mail (spam) and viruses in the email service provided by eBox. Web trafc can also bring problems depending on the sites visited. Therefore, in this section we explain the integration of the content ltering of the HTTP proxy with an antivirus and several advanced congurations to provide greater security to the Internet browsing of the users in the network. We will also explain how to allow the employees outside the ofce to securely connect your local network, or how to make connections between ofces by using virtual private networks. For that we will dene the bases of the network security. Finally, it is explained how the intrusion detection system uses rulesets to match the contents of the trafc packages in order to detect external attacks. You can get notications of possible attacks and analyze the damage they may have caused.
6.1
Mail Filter
The main threats in electronic mail system are spam and virus. Spam, or not desired email, makes the user waste time looking for the legitimate emails in the inbox. Moreover, spam generates a lot of network trafc that could affect the network and email services.
159
Although the virus do not harm the system where eBox is installed, an infected email could affect other computers in the network.
6.1.1 Mail lter schema in eBox

To defend ourselves from these threats, eBox has a mail lter quite powerful and exible.
Figure 6.1: eBoxs mail lter schema
In the gure, we can observe the different steps that a message follows before tagging it. First, the email server sends it to the greylisting policies manager. If the email passes through the lter, spam and viruses are checked next using a statistical lter. Finally, if everything is OK, the email is considered valid and is sent to its recipient or stored in the servers mailbox. In the following section, details on those lters and its conguration will be explained in detail.
Greylist A greylist 1 is a method of defense against spam which does not discard emails, but makes life harder for the spammers. In the case of eBox, the strategy is to pretend to be out of service. When a server wants to send a new mail, eBox says Im out of service at this time, try in 300 seconds 2 . If the server meets the specication, it will send the message again a bit later and eBox will consider it as a valid server.
1 2
eBox uses postgrey http://postgrey.schweikert.ch/ as the policy manager in postx. Actually the mail server sends as response Greylisted, say, put on the greylist.
160
CHAPTER 6. EBOX UNIFIED THREAT MANAGER
In eBox, the greylist exempts the mail sent from internal networks, from objects with an allowed mail relay policy and from addresses that are in the antispam whitelist. However, the servers that send spam do not usually follow the standard. They will not try to send the email again and we would have avoided the spam messages.
Figure 6.2: Schematic operation of a greylist
Greylisting is congured from Mail Greylist with the following options:
Enabled: Set to enable greylisting. Greylist duration (seconds): Seconds the sending server must wait before sending the mail again. Retry window (hours): Time (in hours) when the sender server can send email. If the server has sent any mail during that time, that server will go down in the grey list. In a grey list, the mail server can send all the emails you want without temporary restrictions.
161
Entry time-to-live (days): Days that data will be stored in the servers evaluated in the greylist. After the congured days, the mail server will have to pass again through the greylisting process described above.
Content ltering system Mail content ltering is provided by the antivirus and spam detectors. To perform this task, eBox uses an interface between the MTA (postx) and those programs. amavisd-new
3
talks with the MTA via
(E)SMTP or LMTP (Local Mail Transfer Protocol RFC 2033) to check that the emails are not spam neither contain viruses. Additionally, this interface performs the following checks: White and black lists of les and extensions. Malformed headers.
Antivirus The antivirus used by eBox is ClamAV 4 , which is an antivirus toolkit designed for UNIX to scan attachments in emails in an MTA. ClamAV updates its virus database through freshclam. This database is updated daily with new virus that have been found. Furthermore, the antivirus is able to scan a variety of le formats such as Zip, BinHex, PDF, etc.. In Antivirus, you can check if the antivirus is installed and up to date.
You can update it from Software Management, as we will see in Software Updates. If the antivirus is installed and up to date, eBox will use it in the following modules: SMTP proxy, POP proxy, HTTP proxy and even le sharing.
3 4
Amavisd-new: http://www.ijs.si/software/amavisd/ Clam Antivirus: http://www.clamav.net/
162
Antispam The spam lter works giving to each mail a spam score, if the mail reaches the spam threshold is considered as junk mail if not is considered as legitimate mail. The latter kind of mail is often called ham. The spam scanner uses the following techniques to assign scores: DNS published blacklists (DNSBL). URI blacklists that track spam websites. Filters based on the checksum of messages. Sender Policy Framework (SPF): RFC: 4408. DomainKeys Identied Mail (DKIM) Bayesian lter Static rules Other tests 5 Among this techniques the Bayesian lter should be further explained. This kind of lter does a statistical analysis content of the text of the message, giving a score which reects the probability of being spam for the message. However, the analysis is not done against a set of static rules but against a dynamic one, which is created supplying ham and spam messages to the lter. So it could learn from them what are the statistical features from each type. The advantage of this technique is that the lter could adapt to the ever-changing ow of spam messages, the downsides are that the lter needs to be trained and its accuracy depends on the quality of the received training. eBox uses Spamassassin 6 as spam detector. The general conguration of the lter is done from Mail lter Antispam:
5 6
A long list of antispam techniques can be found in http://en.wikipedia.org/wiki/Anti-spam_techniques_(e-mail) The Powerful #1 Open-Source Spam Filter http://spamassassin.apache.org .
163
Spam threshold: Mail will be considered spam if the score is above this number. Spam subject tag: Tag to be added to the mail subject when it is classied as spam. Use Bayesian classier: If it is marked, the Bayesian lter will be used. Otherwise, it will be ignored. Auto-whitelist: It takes into account the history of the sender when rating the message. That is, if the sender has sent some ham emails, it is highly probable that the next email sent by that sender is also ham. Auto-learn: If it is enabled, the lter will learn from messages which hit the self learning thresholds. Autolearn spam threshold: The automatic learning system will learn from spam emails that have a score above this value. It is not appropriate to set a low value, since it can subsequently lead to false positives. Its value must be greater than the spam threshold. Autolearn ham threshold: The automatic learning system will learn from ham emails that have a score below this value. It is not appropriate to put a high value, since it can cause false negatives. Its value should be less than 0.
164
From Sender Policy we can congure some senders so their mail is always accepted (whitelist), always marked as spam (blacklist) or always processed by the spam lter (process). From Train Bayesian spam lter we can train the Bayesian lter sending it a mailbox in mbox format [#] _ containing only spam or ham. There are many sample les in the Internet to train a Bayesian lter but normally is more accurate to use mail received by the sites which will be ltered. The more trained the lter is, the better the spam detection.
File-based ACLs It is possible to lter les attached to mails using Mail lter Files ACL (Access Control Lists). There, we can allow or deny mail according to the extensions of the les attached or their Multipurpose Internet Mail Extensions (MIME) types.
165
Simple Mail Transfer Protocol (SMTP) mail lter From Mail lter
SMTP mail lter it is possible to congure the behavior of the lters when eBox
receives mail by SMTP. On the other hand, from General conguration we can set the general behavior for every incoming email:
Enabled: Check to enable the SMTP lter. Antivirus enabled: Check to make the lter look for viruses. Antispam enabled: Check to make the lter look for spam. Services port: Port to be used by the SMTP lter. Notify of non-spam problematic messages: We can send notications to a mailbox when problematic (but not spam) emails are received, e.g., emails infected by virus. From Mail lter Filter Policies, it is possible to congure what the lter must do with any kind of email.
For each kind of email problem, you can perform the following actions: Pass: Do nothing, let the mail reach its recipient. Reject: Discard the message before it reaches the recipient, notifying the sender that the message has been discarded.
166
Bounce: Like reject, but enclosing a copy of the message in the notication. Discard: Discards the message before it reaches the destination, without notice to the sender. From Mail Filter
Virtual Domains, the behavior of the lter for virtual email domains can be
congured. These settings override the general settings dened previously. To customize the conguration of a virtual domain email, click on Add new.
The parameters that can be overridden are the following: Domain: Virtual domain that we want to customize, from those congured in at Mail main. Use virus ltering / spam: If this is enabled, mail received for this domain will be ltered looking for viruses or spam. Spam threshold: You can use the default threshold score for spam or a custom value. Learn from accounts Spam IMAP folders: If enabled, when a email is put in the Spam IMAP folder the email is automatically learned as spam. Likewise if a email is moved from the Spam folder to a normal folder is learned as ham. Learning account for ham / spam: If enabled, ham@domain and spam@domain accounts will be created. spam. Once the domain is added, from Antispam policy for senders, it is possible to add addresses to its whilelist and its blacklist or even force every mail for the domain to be processed. Users can send emails to these accounts to train the lter. All mail sent to ham@domain will be learned as ham mail, while mail sent to spam@domain will be learned as
Virtual Do-
167
6.1.2 External connection control lists

From Mail Filter
SMTP Mail Filter External connections, you can congure connections from
external MTAs, through its IP address or domain name, to the mail lter congured in eBox. In the same way, these external MTAs can be allowed to lter mail for those external virtual domains allowed in the conguration. This way, you can distribute your load between two machines, one acting as a mail server and another as a server to lter mail.
6.1.3 Transparent proxy for POP3 mailboxes

If eBox is congured as a transparent proxy, you can lter POP email. The eBox machine will be placed between the real POP server and the user to lter the content downloaded from the MTAs. To do this, eBox uses p3scan 7 . From Mail Filter POP Transparent Proxy you can congure the behavior of the ltering:
Mbox and maildir are email storage formats, most email clients and servers use one of these. In the rst one, all the emails in a directory are stored in a single le, while the second organizes the emails in different les within a directory.
7
168
Enabled: If checked, POP email will be ltered. Filter virus: If checked, POP email will be ltered to detect viruses. Filter spam: If checked, POP email will be ltered to detect spam. ISP spam subject: If the server marks spam mail with a tag, it can be specied here and the lter will consider these emails as spam.
Practical example Activate the mail lter and the antivirus. Send an email with a virus. Check that the lter is working properly. 1. Action: Access eBox, go to Module Status and enable the module mail lter. To do this, check the box in the column Status. You will have to enable network and rewall rst in case they were not already. Effect: eBox asks for permission to override some les. 2. Action: Read the changes that are going to be made and grant eBox permission to perform them. Effect: Save Changes has been enabled. 3. Action: Go to Mail Filter SMTP Mail Filter, check boxes for Enabled and Antivirus enabled and click on Change. Effect: eBox informs you about the success of the modications with a Done message. 4. Action: Go to Mail General Mail lter options and select eBox internal mail lter. Effect: eBox will use its own lter system.
169
5. Action: Save changes. Effect: eBox shows the progress while applying the changes. Once it is done, it noties about it. The mail lter with antivirus is enabled. 6. Action: Download the le http://www.eicar.org/download/eicar_com.zip, which contains a test virus and send it from your mail client to an eBox mailbox. Effect: The email will never reach its destination because the antivirus will discard it. 7. Action: Go to the console in the eBox machine and check the last lines of /var/log/mail.log using the tail command. Effect: There is a message in the log registering that the message with the virus was blocked, specifying the name of the virus: Blocked INFECTED (Eicar-Test-Signature)
6.2
HTTP Proxy advanced conguration

6.2.1 Filter proles conguration
You can congure lter proles in Proxy HTTP Filter Proles.
You can congure and create new proles that could be used by user groups or network objects. The conguration options are exactly the same as the ones we explained for the default prole. There is just one thing that you have to take into account: it is possible to use the default prole values in other proles. To do so, you only need to click on Use default conguration.
170
6.2.2 Filter prole per object

You can select a lter prole for a source object. The requests coming from this source will use the chosen prole instead of the default prole. To do so you should go to HTTP Proxy Objects policy and change the lter prole in the objects row. This option requires the objects policy is set to Filter.
6.2.3 Group based ltering

You can use user groups as a way to control access and to apply different ltering proles. The rst step is to either set a global or a network object policy to any of these policies: Authorize and allow all, Authorize and deny all or Authorize and lter. If any of these policies is set, users will have to provide credentials to be able to use the HTTP proxy. Warning: Please note that you cannot use HTTP authentication with the transparent proxy mode enabled due to protocol limitations. If you set a global policy that uses authentication you will also be able to use this global policy for any group. This policy allows you to control the access of group members and apply a custom ltering prole. Group policies are managed in the menu entry named HTTP Proxy
Group Policy. You can
allow or deny the access for a given group. Note that this only affects the browsing. The use of the content lter for the group depends on whether you have a global policy or group policy that is set to lter. You can schedule when the group is allowed to browse. If a group member tries to use the proxy out of the set schedule they will be denied access.
171
Each group policy has a priority given by its position in the list (top-bottom priority). Priority is important because users can be members of several groups. The policy applied to the user will depend on the priority. You can also select which ltering prole will be applied to the group.
6.2.4 Group-based ltering for objects

Remember that you can congure custom policies for network objects that will override the global policy. Likewise, in case you pick a policy that enforces authorization, you can also set custom policies for a group. In this case, group policies only affect to the permissions for browsing and not to the content ltering. The content ltering policy is determined by the object policy. Authorization policies are incompatible with the transparent mode. Finally, you also have to take into account that you cannot set ltering proles to groups in an object policy. This means a group will use the ltering prole that is set in its group global policy.
Practical Example The goal of this exercise is to set access policies for two groups: IT and Accounting. Members of the Accounting group will only be able to access the Internet during work time, and its ltering prole threshold will be set to very strict. On the other hand, members of the IT group will be able to use the Internet at any time. They will also skip the censorship of the content lter. However, they will not be able to access those domains that are explicitly denied to all the workers. For the sake of clarity, the needed users and groups are already created. These are steps you have to take: 1. Action: Go to eBox, click on Module Status and enable the HTTP Proxy.
172
Effect: Once changes have been saved, users will need to authenticate with their login and password in order to surf the Internet. 2. Action: Go to HTTP proxy -> Filter proles. Add a list of forbidden domains to the default prole. You can do this by clicking on the Conguration cell of the default prole, and then, clicking on the tab labeled Domains ltering. You can now add youtube.com and popidol.com to the Domains rules section. Go back to HTTP proxy -> Filter Proles. Add two new proles for your groups, IT and Accounting. The Accounting prole must enforce a very strict threshold on the content lter. We will stick to the defaults for the other options. To do so, you have to check the Use default prole conguration eld in Domains Filtering and File Extensions ltering. The IT prole will allow unltered access to everything but the forbidden domains. To enforce this policy, you need to check the Use default prole conguration eld in Domains Filtering. You can grant free access for everything else by setting the content lter threshold to Disabled. Effect: We will enforce the required policy. 3. Action: Now you have to set a schedule and a ltering prole for groups. You can go to HTTP Proxy Group Policy. Click on Add new, select the Accounting group. Set the schedule from Monday to Friday, from 9:00 to 18:00. And select the Accounting prole. Likewise, you have to set a policy for the IT group. In this case, you dont have to add any restriction to the schedule. Effect: Once the changes have been saved, you can test if the conguration works as expected. You can use the proxy authentication with a user from each group. You will know that it is working properly if: You can actually access www.playboy.com using the credentials of an IT user . However, if you use the credentials of an Accounting user, you are denied access. You are not allowed to access any of the banned domains from any of the groups. If you set the date in eBox to weekend, and you cannnot surf the Internet with an Accounting* user, but you can with an IT user.
173
6.3
Secure interconnection between local networks

6.3.1 Virtual Private Network (VPN)
The Virtual Private Networks were designed both to allow secure access to remote users to the corporate network and secure interconnection of geographically distant networks. A frequent situation is where remote users need to access resources located in the company local network, but those users are outside the facilities and cannot connect directly. The obvious solution is to allow the connection through the Internet. This would create security and conguration problems, which can be resolved through the use of virtual private networks. The solution offered by a VPN (Virtual Private Network ) to this problem is the use of encryption to only allow access to authorized users (hence the private adjective). And to ease the use and conguration, connections seem to be as if there were a network between the users and the local network (hence the virtual). The VPNs usefulness is not limited to the access of remote users; a organization may wish to interconnect networks that are located in different places. For example, networks located in different cities. Some time ago, to solve this problem dedicated data lines were hired, but this service was expensive and slow to deploy. Later, the advance of the Internet provided a ubiquitous and cheap, but insecure, medium. And again, the security and virtualization features of the VPN were an appropriate response to this problem. In this regard, eBox Platform provides two modes of operation. It can work as a server for remote users and as a server and client for the connection between two networks.
6.3.2 Public Key Infrastructure (PKI) with a Certication Authority (CA)

The VPN used by eBox to ensure data privacy and integrity uses SSL as cypher technology. The SSL technology is used widely since a long time so we could reasonably trust its security. However, all cypher schemes have the problem of how to distribute the keys to their users without interception by third parties. In the VPN context, this step is required when a new participant joins the virtual network. The adopted solution is the use of a public key infrastructure (PKI). This technology allows the use of the key in a insecure medium, like the Internet, without allowing the interception of keys by anyone who snoops the communication. PKI is based in that each participant generates two keys: a public key and a private key. The public one can be distributed publicly and the private one must remain secret. Any participant who
174
wants to cypher a message can do it with the public key of the recipient but the message can only be deciphered with the private key of the recipient. As this key is kept secret, it is ensured that only the recipient can read the message. However, this solution creates a new problem. If anyone could present a public key, how we can guarantee that a participant is really who he claims to be and is not impersonating another identity? To solve this problem, certicates were created.
8
Figure 6.3: Public key encryption
Figure 6.4: Public key signature
The certicates use another PKI feature: the possibility of signing les. The private key is used to sign a le. The signature can be checked by anyone using the public key. A certicate is a le that contains a public key, signed for someone that is trusted. This trusted participant is used to verify identities and is called Certication Authority (CA).
There is a lot of information about public key encryption. You can begin here: http://en.wikipedia.org/wiki/Publickey_encryption
8
175
Figure 6.5: Diagram to issue a certicate
6.3.3 Certication Authority conguration with eBox

eBox Platform has integrated management of the Certication Authority and the life cycle of the issued certicates for your organization. It uses the OpenSSL 9 tools for this service. First of all, you need to generate the keys and issue the certicate of the CA itself. This step is needed to sign new certicates, so the remaining features of the module will not be available until the CA keys are generated and its certicate, which is self signed, is issued. Note that this module runs unmanaged and you dont need to enable it in Module Status.
Go to Certication Authority General and you will nd the form to issue the CA certicate after generating automatically the key pair. It is required to ll in the Organization Name and Days to expire elds. When setting this duration you have to take into account its expiration will revoke all
9
OpenSSL - The open source toolkit for SSL/TLS <http://www.openssl.org/>.
176
certicates issued by this CA, stopping all services depending on those certicates. It is possible to add also these optional elds to the CA certicate: Country Code An acronym consisted of two letters dened in ISO-3166. City State
Once the CA has been created, you will be able to issue certicates signed by the CA. To do this, use the form now available at Certication Authority General. The required data are the Common Name of the certicate and the Days to expire. This last eld sets the number of days that the certicate will remain valid and the duration cannot surpass the duration of the CA. In case we are using the certicate for a service server like it could be a web server or mail server, the Common Name of the certicate should match the hostname or domain name of that server. Anyway, you could set any Alternative Subject Names 10 for the certicate in order to, for example, set any other common name for HTTP virtual hosts 11 or an IP address or even a mail address to sign e-mail messages. When the certicate is issued, it will appear in the list of certicates and it will be available to eBox services that use certicates and to external applications. Furthermore, several actions can be applied to the certicates through the certicate list:
10 11
For more information about subject alternative names, visit http://www.openssl.org/docs/apps/x509v3_cong.html#Subject_Alternative_Name For more information about HTTP virtual hosts, check out Virtual domains section for details
177
Download a tarball archive containing the public key, private key and the certicate. Renew the certicate. Revoke the certicate. If you renew a certicate, the current certicate will be revoked and a new one with the new expiration date will be issued along with the key pair.
If you revoke a certicate you wont be able to use it anymore as this action is permanent and you cant go backwards. Optionally you can select the reason of the certicate revocation: unspecied keyCompromise The private key for this certicate has been compromised and now it is available for suspicious people. CACompromise The private key for the CA certicate has been compromised and now it is available for suspicious people. aflliationChanged The issued certicate has changed its afliation to another certication authority from other organization. superseded The certicate will be renewed and this is no longer valid and thus replaced. cessationOfOperation The issued certicate has ceased its operation. certicateHold removeFromCRL Currently unimplemented delta CRLs support.
178
If you renew the CA certicate then all the certicates will be renewed with the new the CA. The old expiration date will be kept, if this is not possible it means that the old expiration date is a later date than the new CA expiration date, in this case the expiration date of the certicate will be set to the expiration date of the CA. When a certicate expires all the modules are notied. The expiration date of each certicate is automatically checked once a day and every time you access the certicate list page.
Services Certicates
On Certication Authority
Services Certicates we can nd the list of eBox modules using
certicates for its secure services. By default, these are generated by each module, but if we are using the CA we can replace these self signed certicates with ones issued by our organization CA. You can dene for each service the Common Name of the certicate and if there is a certicate with that Common Name available, the CA will issue one. In order to set these key pair and signed certicate to the service you have to Enable the certicate. Every time a certicate is renewed is pushed again to the eBox module but you need to restart the service to force the new certicate usage.
179
Practical example A Create a Certication Authority which will be valid for a year, then create a certicate called server and two client certicates called client1 and client2. 1. Action: Go to Certication Authority
General. In the form called Create Certication
Authority Certicate, ll in the elds Organization Name and Days to expire with reasonable values. Press Create to generate the Certication Authority. Effect: The key pair of the Certication Authority is generated and its certicate will be issued. Our new CA will be displayed in the list of certicates. The form for creating the CA will be replaced by another one intended to issue normal certicates. 2. Action: Using the form Issue a New Certicate to issue certicates, enter server as Common Name and then, in Days to expire, a number of days less than or equal to the one you entered for the CA certicate. Repeat these steps with the names client1 and client2. Effect: The new certicates will appear in the list of certicates, ready to be used.
6.3.4 Conguring a VPN with eBox

The software selected by eBox to create VPNs is OpenVPN tages: Authentication using public key infrastructure. Encryption based on SSL technology. Clients available for Windows, MacOS X and Linux. Code that runs in user space, without the need to modify the network stack (as opposed to IPSec). Possibility to use network applications in a transparent way.
12
12
. OpenVPN has the following advan-
OpenVPN: An open source SSL VPN Solution by James Yonan http://openvpn.net.
180
Remote VPN Client eBox can be congured to support remote clients (familiarly known as road warriors). That is, an eBox machine can work as a gateway and OpenVPN server, allowing clients on the Internet (the road warriors) to connect to the network via the VPN service and access the local area network. The following gure can give a more accurate view of the scenario:
Figure 6.6: eBox and remote VPN clients
The goal is to connect the client number 3 with the other two remote clients (1 and 2) and also connect these two among themselves. To do this, we need to create a Certication Authority and certicates for the two remote clients. Note that you also need a certicate for the OpenVPN server itself, however, this certicate is automatically created when you add a new OpenVPN server. Here, the eBox machine also acts as a CA. Once we have the certicates, we should congure the OpenVPN server in eBox using Create a new server. To only parameter that you need to create a working OpenVPN server is its name. An OpenVPN server needs more parameters to work properly. eBox makes this easy and will try to automatically set valid parameters for you. The following conguration parameters will be added by eBox, feel free to adapt them to your needs: a port/protocol pair, a certicate ( eBox will create a certicate using the OpenVPN servers name) and a network address for the VPN. Addresses belonging to the VPN network are assigned to the server and the clients. In case you need to change the network address and to avoid conicts, you have to make sure that the network address is not used in any other part of your network. Furthermore, the local networks, i.e. the networks where the network interfaces are attached to, are advertised through the private network. The OpenVPN server will be listening on all the external interfaces. Therefore, we have to mark at least one of our interfaces as external via Network -> Interfaces. In this scenario only two interfaces
181
are needed, the internal one for the LAN and the external one for the Internet. You can congure the server to listen also on internal interfaces, activating the option Network Address Translation (NAT), but you can ignore it for the moment. If you want the clients to connect to each other using their VPN addresses, you have to activate the option Allow connections between clients. You can leave the rest of the options with their defaults.
After creating the OpenVPN server you have to enable the service and save the changes. Subsequently, you should check in Dashboard that the VPN service is running. After that, you may want to advertise networks through Advertised networks conguration for the VPN server. These networks will be accessible by OpenVPN authorized clients. Note that eBox will advertise all your local networks by default. Obviously, you can remove or add routes at your leisure. In our example scenario, the local network has been added automatically to make visible the client number 3 to the two other clients. Once done, its time to congure the clients. The easiest way to congure an OpenVPN client is using the bundles provided by eBox. These are available in the table in VPN -> Servers, by clicking the icon on the Download client bundle column. There are bundles for two types of operating system. If you are using MacOS X or GNU/Linux, you have to choose Linux as type. When a bundle is created, the certicates that will be given to the client are included, and the external IP address to which VPN clients have to connect is set. If the selected system is Windows, an OpenVPN for Win32 installer is
182
also included. The conguration bundles should be downloaded by the eBox administrator and he is responsible for distributing them to the clients in a proper and secure way.
A bundle includes the conguration le and other necessary les to start a VPN connection. For example, in Linux, simply extract the archive and execute it, within the newly created directory, using the following command:
openvpn --config filename

Now you have access to the client number 3 from the two remote clients. Bear in mind that the eBox DNS service will not work through the private network unless you congure the remote clients to use eBox as name resolver. That is why you cannot access the services of the hosts on the LAN by name, you have to do it by IP address. That also applies to the NetBIOS the broadcast trafc provided by the SMB/CIFS server. To enable the remote clients to connect between themselves, you need to activate the Allow client-to-client connections option in the VPN server conguration. To verify that the conguration is correct, look at the routing table of the client and check that the new networks were added to the tapX virtual interface. The current users connected to the VPN service are displayed in eBox Dashobard.
13
service when accessing
Windows shared resources, to browse the shared resources from the VPN, you must explicitly allow
Practical example B This example will congure a VPN server. A client on a computer located on a external network is going to be congured. Once connected it to the VPN, it will access another host in the local network, which is only accessible from the server through an internal interface.
13
For more information about le sharing, see section File sharing service and remote authentication
183
To do this: 1. Action: Access the eBox interface, go to Module Status and activate the VPN module by checking the box on the Status column. Effect: eBox requests permission to perform certain actions. 2. Action: Read about the actions that are going to be performed and grant permission to do them. Effect: Save Changes button is activated. 3. Action: Access the eBox web interface, enter the VPN -> Server section, click on Add new. A form with the elds Enabled and Name will appear. Enter a name for the server and leave it disabled until it is congured correctly. Effect: The new server appears in the list of servers. 4. Action: Click on Save Changes and accept all the changes. Effect: The server is active, you can verify its status in the Dashboard. 5. Action: To simplify the conguration of the client, download the conguration bundle. To do this, click the icon on the Download client bundle column. Fill in the conguration form with the following options: Client type: select Linux, as it is the client OS. Client certicate: select client1. If This certicate is not created, create it following the instructions from the previous example. Server address: enter here the address that the client has to use to reach the VPN server. In this scenario, this address will be the one for the external interface connected to the same network as the computer client. Effect: Once the form is completed, a bundle le for the client will be downloaded. It will be a compressed le in .tar.gz format. 6. Action: Congure the client computer. For this, decompress the bundle in a directory. Note that the bundle contains les with the necessary certicates and a conguration le with the .conf extension. If there have been no mistakes in the steps earlier, you have all the necessary conguration and you only have to launch the program. To launch the client run the following command within the directory:
184
openvpn --config [ filename.conf ]

Effect: When launching the command in a terminal window the actions will be printed on it. If everything is correct, once the connection is ready Initialization Sequence Completed will appear on the terminal; otherwise error messages will appear to help you diagnose the problem. 7. Action: Before checking if there is a connection between the client and the computer on the private network, you have to be sure that the latter has a return route to the VPN client. If you are using eBox as the default gateway, there will be no problem. Otherwise you will need to add a route to the client. First you have to check if there is connection by using the ping command. Run the following command:
ping -c 3 [ another_computer_ip_address ]
To verify that there is not only communication, but also access to the resources of another computer, launch a remote console session. You can do it with the following command from the client computer:
ssh [ another_computer_ip_address ]
After accepting the identity of the computer and entering the user and the password, you will access the console of the remote computer as if it were physically on your local network.
Remote VPN Client with NAT

If you want to have a VPN server that is not the gateway of your LAN, i.e. the machine has no external interfaces, then you need to activate the Network Address Translation option. As this is a rewall feature, you have to make sure that the rewall module is active, otherwise you will not be able to activate this option. With this option, the VPN server will act as a representative of VPN clients within the network. In fact, it will be a representative of all the advertised networks, and it will receive the response packets and subsequently forward them through the private network to the clients. This situation is better explained with the following gure:
185
Figure 6.7: VPN connection from a client to the LAN using NAT with VPN
Secure interconnection between local networks

In this scenario there are two ofces in different networks that need to be connected via a private network. To do this, eBox is used as gateway in both networks. One eBox will act as OpenVPN client and another as server. The following gure attempts to clarify the situation:
Figure 6.8: eBox vs OpenVPN as a server. eBox OpenVPN as a client
The goal is to connect the client on the LAN 1 with client 2 on the LAN 2, as if they were in the same local network. Therefore, you have to congure an OpenVPN server as done in Practical example B. However, you need to make two small changes. First, enable the Allow eBox-to-eBox tunnels option to exchange routes between eBox machines. Then enable password for the eBox-to-eBox tunnel to have a more secure connection environment. You have to bear in mind that you have to add the address of the LAN 1 in Advertised networks. To congure eBox as an OpenVPN client, you can do it through VPN -> Clients. You must give a name to activate the client and activate the service. You can set the client conguration manually or
186
automatically using the bundle from the VPN server, as done in the Practical example B. If not using the bundle, you will have to enter the IP address and the Server port pair where the server is listening. A eBox-to-eBox tunnel password and the certicates used by the client are also required. These certicates should have been issued by the same CA that is using the server.
When changes are saved, you can see in Dashboard a new OpenVPN daemon on the network 2 running as a client, connected to the other eBox in the LAN 1.
When the connection is complete, the server machine will have access to all routes of the client machines through the VPN. However, the client machines will have access only to the routes that the server has advertised explicitly.
187
Practical example C This examples goal is to set up a tunnel between two networks that use eBox servers as gateways to an external network, so that members of both networks can connect with each other. 1. Action: Access the web interface of the eBox which is going to act as server in the tunnel. Make sure the VPN module is enabled and activate it if necessary. Once you are in the VPN -> Servers section, create a new server with the following settings: Enable Allow eBox-to-eBox tunnels. This is the option indicating that it will be a tunnel server. Enter a eBox-to-eBox tunnel password. Finally, from the Interface to listen on select choose the external interface that the eBox client will connect to. Effect: Once all the above steps are done you have the server running. You can verify its status in the Dashboard. 2. Action: To ease the process of conguring the client, you can obtain a conguration bundle. To download it from the server, log back into the eBox web interface and go to VPN -> Servers, click on Download bundle client conguration in our servers row. Before the download starts you have to enter some parameters in the form: Client type: choose eBox to eBox tunnel. Client certicate: choose a certicate different to the server one that is not in use in any other client either. If you do not have enough certicates, follow the steps of above examples to create a certicate that you can use for the client. Server address: you have to enter the address which the client will use to connect to the server. In this case, the address of the external interface connected to the network visible by both server and client will be the appropriate one. After entering all the data press the Download button. Effect: You download a tar.gz archive containing the conguration data required for the client. 3. Action: Access the eBox server web interface that will take the role of client. Check that the VPN module is active, go to the VPN
Clients section. This section is an empty list of
clients. To create one, click Add client and enter a name for it. As it is unset, it cannot be enabled, so you have to return to the list of clients and congure it. Since you have a
188
client conguration bundle you do not need to complete the data in the section by hand. Using the Upload congurations bundle option, you can select the le obtained in the previous step and click on Change. Once the conguration is loaded, you can return to the list of clients and enable it. For this, click the Edit icon in the Action column. A form where you can tick the Enable option will appear. Now you have a fully congured client and the only thing left is saving changes. Effect: Once the changes are saved, the client will be active. You can check this in the Dashboard. If both client and server congurations are correct, the client will start the connection and the tunnel will be ready in a few seconds. 4. Action: Now you have to check if the hosts in the servers internal networks and in the client ones can see each other. Besides the existence of the tunnel, there are the following requirements: The hosts must know the return route to the other private network If, as in this case, eBox is being used as gateway, there is no need to setup additional routes. The rewall must allow connections between the routes for the services you want to use. Once these requirements are met, you can test the connection. From one of the hosts on the private network of the VPN server do the following: Ping a host on the network of the VPN client. Attempt to initiate an SSH session on a host of the VPN client network. Once you have checked this, repeat it from a host on the network of the VPN client, choosing as target a host located in the network of the VPN server.
6.4
Intrusion Detection System (IDS)

An intrusion detection system (IDS) is an application designed to prevent unwanted access to our machines, mainly attacks coming from the Internet. The two main functions of an IDS are to detect potential attacks or intrusions, what is done through a set of rules that are matched against packets of inbound trafc. In addition to recording all suspicious events, it records useful information (such as the source IP address of the attacker) in a database or le. Combined with the rewall, some IDS can also block intrusion attempts.
189
There are different types of IDS, the most common one is the Network Intrusion Detection System (NIDS), which is responsible for checking all the trafc on a local network. One of the most popular NIDS is Snort 14 , which is the tool that eBox integrates to perform this task.
6.4.1 Setting up an IDS with eBox

The conguration of the IDS in eBox is very simple. You only need to activate or deactivate a number of elements. First, you have to specify which network interfaces you want the IDS to listen on. After that, you can select different sets of rules to match with the captured packets. Alerts will be red in case of positive results. Both settings are accessed via the IDS menu. On the Interfaces tab a table with a list of all network interfaces that are congured is shown. By default, all of them are disabled due to the increased network latency and CPU consumption caused by the trafc inspection. However, you may enable any of them by clicking on the checkbox.
On the Rules tab you can see a table that is preloaded with all the Snort rulesets installed on your system (les under the directory /etc/snort/rules). A typical set of rules is enabled by default. If you want to save CPU time, it is advisable to disable those that are not of interest, for example, the ones related to services not available in your network. Also you can enable any other rules you nd interesting if your hardware is powerful enough. The procedure for activating or disabling a rule is the same as for the interfaces.
14
Snort: A free lightweight network intrusion detection system for UNIX and Windows * http://www.snort.org
190
6.4.2 IDS Alerts

Now you have the IDS module running. At this point, the only thing you can do is observe alerts manually in the /var/log/snort/alert le. We are going to see how eBox can make this task easier and more efcient thanks to its logs and events subsystem. The IDS module is integrated with the eBox logs, so if it is enabled, you can query different IDS alerts through the usual procedure. Likewise, we can congure an event for any of these alerts in order to notify the system administrator by any of the different means available. For more information, see the Logs chapter.
Practical example Enable the IDS module and launch a port scanning attack against the eBox machine. 1. Action: Access the eBox web interface, go to Module Status and activate the IDS module by checking the box in the Status column. You will be notied of eBox wanting to modify the Snort conguration. Allow the operation by pressing the Accept button. Effect: Save Changes is activated.
191
2. Action: Similarly, activate the Logs module if it is not already activated. Effect: When the IDS is started, it will be ready to record its alerts. 3. Action: Access the IDS menu and select the Interfaces tab. Enable an interface that is reachable from the machine that will launch the attack. Effect: The change is saved temporarily but it will not be effective until changes are saved. 4. Action: Save the changes. Effect: eBox shows the progress while it is applying the changes. Once the process is completed you are notied. From now on, the IDS is analyzing the trafc on the selected interface. 5. Action: Install the nmap package on another machine using aptitude install nmap. Effect: The nmap tool is installed on the system. 6. Action: From the same machine run the nmap command passing only the IP address of the interface eBox previously selected as parameter. Effect: It will make attempts to connect to several ports on the eBox machine. You can interrupt the process at any moment by pressing: kbd: Ctrl-c. 7. Action: Access Logs -> Query logs and select Full report for the domain IDS. Effect: Entries related to the attack just performed are listed on the table.
192
Chapter 7 eBox Core
The target of eBox is not only the conguration of the integrated network services. It also offers a number of features that facilitate and make more efcient the administration of eBox itself. This feature set is what we call the eBox core. Backups to restore a previous state, logs of services to nd out what happened and when, notications for certain events or incidents, monitoring of the machine or security updates of the software are issues that will be explained in this section.
7.1
Logs
eBox provides an infrastructure for their modules that allows them to log different kind of events that may be useful for the administrator. These logs are available through the eBox interface. They are also stored in a database for making queries, reports and updates in an easier and more efcient way. The database management system used is PostgreSQL 1 . We can also congure different dispatchers for the events. That way the administrator can be notied by different means (email, RSS or Jabber 2 ). You can have logs for the following services: OpenVPN (Virtual Private Network (VPN))
PostgreSQL The worlds most advanced open source database http://www.postgresql.org/. RSS Really Simple Syndication is an XML format used mainly to publish frequently updated works http://www.rssboard.org/rss-specication/.
2 1
193
SMTP Filter (Simple Mail Transfer Protocol (SMTP) mail lter ) POP3 proxy (Transparent proxy for POP3 mailboxes) Printers (Printers sharing service) Firewall (Firewall) DHCP (Network conguration service (DHCP)) Mail (Electronic Mail Service (SMTP/POP3-IMAP4)) Proxy (HTTP HTTP Proxy Service) File Sharing (File sharing service and remote authentication) IDS (Intrusion Detection System (IDS)) Likewise, you can receive notications of the following events: Specic values inside the logs. eBox health status. Service status Events from the software RAID subsystem. Free disk space. Problems with Internet routers. Completion of a full data backup. First, before you can work with the logs, like other eBox modules, you have to make sure it is enabled. To enable it, go to Module Status and select Logs. In order to obtain reports from the existing logs, you can access the Logs -> Query Logs menu. You can get a Full report of all log domains. Moreover, some of them give us an interesting Summarized Report that provides an overview of the service for a period of time. In Full report, we have a list of all registered actions for the selected domain. Information provided is dependent on each domain. For example, for the OpenVPN domain you can see the connections to a VPN server of a client with a specic certicate, or for example, in the HTTP Proxy domain you can know which pages have been denied to a particular client. You can also make custom queries that allow ltering by time period or different values, depending on the domain. These queries can
194
CHAPTER 7. EBOX CORE
Figure 7.1: Query logs
Figure 7.2: Full report example
195
be stored like an event that generates an alert when a match occurs. Furthermore, if you do a query without an upper bound in time, the results will be automatically refreshed with new data. The Summarized Report allows you to select the period of the report, which may be one hour, one day, a week or a month. The information you get is one or more graphs, accompanied by a summary table with total values for different data. In the picture you can see, for example, daily statistics about the requests and trafc of the HTTP proxy.
7.1.1 Logs conguration

Once you know how to check the logs, is also important to know how to congure them, through the Logs -> Congure logs menu on the eBox interface. The values you can congure for each installed domain are: Enabled: If this option is not activated no logs are written for this domain. Purge logs older than: Sets the maximum time that the logs will be saved. Every value whose age exceeds the specied period, will be discarded. You can also force the instant removal of all logs that are older than a certain period. You can do this using the Purge button inside of the Force log purge section, which allows you to select different intervals between one hour and 90 days.
Practical example Enable the logs module. Using the Practice example as a reference for generating email trafc containing viruses, spam, banned senders and forbidden les. Observe the results in :menuselection Logs -> Query Logs -> Full Report. 1. Action: Access eBox interface. Go to Module Status and activate the logs module. For this, check the box in the State column. You will be informed that a database to save the logs is going to be created. Allow the operation by pressing Accept. Effect: Save Changes button is now activated. 2. Action: Access Logs -> Congure Logs and check that the Mail domain is already enabled. Effect: You have enabled the Logs module and you have checked that the logs for mail are enabled. 3. Action: Save the changes.
196
Figure 7.3: Summarized report example
197
Figure 7.4: Congure logs
Effect: eBox shows the progress while applying the changes. Once the process is nished you are notied of that. From now on, all sent emails will be logged. 4. Action: Send a few problematic emails (with spam or virus) as it was done in the relevant chapter. Effect: As now the logs module is enabled, emails have been logged, unlike what happened when we sent them for the rst time. 5. Action: Access Records -> Query Logs and Full report for the Mail domain. Effect: A table with entries for the emails that you have sent appears showing some information for each sent email.
7.2
Monitoring
The monitor module allows the eBox administrator to know the state of the resources of the eBox machine. This information is essential to both troubleshoot and plan in advance the necessary resources.
198
Monitoring implies knowing how to interpret some system values in order to decide if these values fall into an expected range, or otherwise, they are too high or too low. The main issue of monitoring is the selection of these ranges. As every machine can have different values depending on the kind of use. For example, in a le sharing server, the free storage space is a very important value that can change very quickly. However, in a router with an enabled content lter, free memory and CPU load are more interesting values. You should avoid fetching values that are useless for your scenario. This is the reason why eBox monitors only a few system metrics in its current version. These are: system load, CPU usage, memory usage, and le system usage. The monitor module displays the fetched data using graphs. This allows the user to easily visualize the evolution of the resources during time. To access these graphs you have to click on the menu entry labeled as Monitor. You can place the mouse pointer over any graph point to know the exact value at that point. You can see different time scales of the registered data: hourly, daily, monthly or yearly. You just need to click on the relevant tab.
7.2.1 Metrics
199
System load The system load tries to measure the rate of pending work over the completed work. This value is dened as the number of runnable tasks in the run-queue and is provided by many operating systems as a one, ve or fteen minutes average. This metric is the capacity of the used CPU over a given time. This means that a load of 1 represents a CPU working at full capacity. A load of 0.5 means that the CPU could take twice as much. Conversely, a load of 2 means that it would need another CPU to fullll the requirements of the current work load. You have to take into account that those processes that are waiting for read/write operations in disk also contribute to this value.
CPU usage This graph shows detailed information of the CPU usage. In the case of having a multi-core or multicpu machine you will see one graph for each one of the cores. This graph represents the amount of time that the CPU spends in each of its states: running user code, system code, inactive, input/output wait, and so on. This measure is not a percentage, but scheduling units known as jifes. In most Linux systems this value is 100 per second, but it can be different.
200
Memory usage This graphs shows the memory usage. The following variables are monitored: Free memory: Amount of memory not used Page cache: Amount of memory that is cached in disk swap Buffer cache: Amount of memory that is cached for input/output operations Memory used: Amount of memory that is not included in any of the above
201
File system usage This graph displays the used and free space of every mounting point.
Temperature This graph allows you to know the system temperature in degrees Celsius by using the ACPI system
3
. You need to have data available in these directories: /sys/class/thermal or /proc/acpi/thermal_zone.
3 Advanced Conguration and Power Interface (ACPI) is an open standard to congure devices focused on operating systems and power management. http://www.acpi.info/
202
7.2.2 Alerts
These graphs are not very helpful if in case of unexpected behaviour the administrator is not properly notied. By using alerts, you can know when the machine has reached an unusual system load or is approaching its full capacity. You can congure monitor alerts in Events monitor.
Congure Events. The relevant alert is called
You can access the conguration page by clicking on the conguration cell. In this page you can pick any monitored metric and set the threshold that will trigger an event.
There are two different thresholds, warning and failure, this allows the user to lter based on the event severity. You can use the option reverse: to swap the values that are considered right and wrong. Other important option is persistent:. Depending on the metric we can also set other parameters. Each measure has a metric that it is described as follows: System load: The values must be set in average number of runnable tasks in the run-queue.
203
CPU usage: The values to set must be jifes or units of scheduling. Physical memory usage: The values to set must be bytes. File system: The values must be set in bytes. Temperature: The values to set must be grades. Once you have congured and enabled the event you will need to congure, at least, one observer. The observer conguration is the same as the conguration of any other event. Check the Events and alerts chapter for further information.
7.3
Events and alerts

The events module is a convenient service that allows you to receive notications of certain events and alerts that happen in your eBox machine. eBox allows you to receive these alerts and events through the following dispatchers: Mail 4 Jabber Logs RSS Before enabling any event watcher you have to make sure that the events module is enabled. Go to :menuselection Module status and check the events module. Unlike in the Logs module, where all services are enabled by default except the rewall, you have to enable those events that might be of your interest. To enable any events, you have to click on the menu entry Events Change button. There are some events that need further conguration to work properly. This is the case for the log and free storage space observers. The conguration of the free storage observer is pretty straightforward. The only required parameter is the free space percentage that will trigger the event when its actual value goes under it.
4
Congure Events. You can
edit an event state by clicking on the pencil icon. Tick the :guilabel: Enabled box and click on the
The mail module needs to be installed and congured. (Electronic Mail Service (SMTP/POP3-IMAP4)).
204
Figure 7.5: Congure events page
For the log observer, the rst step is to select which domains you want to generate events from. For every domain, you can add ltering rules that depend on the domain. Some examples are: denied HTTP requests by the proxy, DHCP leases for a giving IP, canceled printer jobs, and so on. You can also create an event lter from an existing log query by clicking on the Save as an event button through Logs Query Logs Full Report. So far, you know how to enable the generation of events and alerts. However, you also need these events and alerts to be sent to you in order to be read. That is what event dispatchers are for. Go to the Congure dispatchers tab. The procedure to enable event dispatchers is similar to enabling event watchers. You have to congure all the watchers except the log watcher. The latter will write its output to /var/log/ebox/ebox.log. The other dispatchers require further conguration. Mail: You have to set the email address of the recipient (usually the eBox administrator). You can also set the subject of the messages. Jabber: You have to set the Jabber server address and port that will be used to send the messages. You also have to set the username and password of the user that will send the messages. Finally, you have to set the Jabber address of the recipient.
205
Figure 7.6: Congure Log Observer page
Figure 7.7: Congure dispatchers page
206
RSS: You have to decide who will be able to read the RSS feed, and the feed link itself. You can make the channel public, private, or authorized by a source IP address-based policy. Note that you can also use objects instead of IP addresses.
7.3.1 Practical Example

Congure the events module to make it show the message eBox is up and running in
/var/log/ebox/ebox.log. This message will be generated periodically, and every time

the events module is restarted. 1. Action: Access the eBox web interface, go to Module Status and enable events. Effect: The Save Changes button has turned red. 2. Action: Go to Events and click on the tab labeled Congure Events. Click on the pencil icon that is placed in the Status column. Check the Enabled eld and click on:Change. Effect: The events table shows the event as enabled. 3. Action: Go to the tab labeled Congure dispatchers. Click on the pencil icon of the row that contains the Log event. Enable it and click on Change. Effect: The event disptacher table shows the log dispatcher as enabled. 4. Action: Save changes. Effect: eBox shows the progress of the saving changes process until it displays a message to let you know it is done. An event with the message eBox is up and running /var/log/ebox/ebox.log. 5. Action: From the console on the eBox machine run: sudo /etc/init.d/ebox events restart. Effect: An event with the message eBox is up and running will be written again in /var/log/ebox/ebox.log. will be written in
207
7.4
Backup
7.4.1 The backup system design
A data loss is an eventual accident that you have to be prepared to deal with. Hardware failures, software bugs or human mistakes can cause an irreparable loss of important data. It is an unavoidable task to design a well tested procedure to make, check and restore backups, taking into consideration both conguration-only and full backups. One of the rst decisions we have to make is whether we are going to make full backups, what is an exact copy of the data or incremental backups that are copies of the differences from the rst backup. Incremental backups use less space but need some computation to restore the copy. A combination of often incremental backups plus eventual full copies is the most usual choice but this will depend on your needs and available storage resources. Another important choice is whether to make the backups on the same host or to use a remote host. A remote host gives more security because of being on a different server. A hardware failure, software bug, human mistake or a security compromise shouldnt affect the integrity of a remote backup. To minimize risks, the remote backup server should be used exclusively for this purpose. Two non-dedicated servers making backups of each other is denitely a bad idea, a compromise in one of them leads to a compromise in the other one leaving you without a safe backup copy.
7.4.2 Backup conguration with eBox

First of all, we need to decide if we are going to store our backups locally or remotely. In case of using the latter we also need to specify what protocol will be used to connect to the remote server. Method: The current supported methods are eBox Backup Storage (EU), eBox Backup Storage (US Denver), eBox Backup Storage (US West Coast), FTP, SCP and File System. Note that depending on the method you select you will have to provide more or less information such as the remote host address or user and password. All methods except File System are used to access remote servers. This means you will have to provide proper credentials to connect to the server. You may create an account in our store
5
for eBox Backup Storage methods, use
this service to have a quick and safe remote location to store your data. If you use any of eBox Backup Storage methods you will not need to introduce the remote server address as eBox will have it congured automatically. On the other hand, if you select, FTP or SCP you will need to provide the remote server address.
5
eBox Technologies store at https://store.ebox-technologies.com
208
Figure 7.8: Select Conguration
Warning: If you use SCP, you will need to execute sudo ssh user@server and accept the remote servers ngerprint to add it to the list of SSH known hosts. If you dont do this, the backup software will fail to connect to the server. Host or Destination: For FTP and SCP you will need to provide the remote host name or IP address to connect. In case of using File System, introduce a local le system path. If you use a eBox Backup Storage method, then only the relative path is required. User: User name to authenticate in the remote host. Password: Password to authenticate in the remote host. Encryption: You may cipher your backup data using a symmetric key by introducing it in the host, or you may select an already created GPG key to provide asymmetric encryption to your data. Full Backup Frequency: This is used to tell the module how often a full backup is carried out. Values are: Daily, Weekly, Monthly. Number of full copies to keep: This value is used to limit the number of full copies that are stored. This is an important value and you should understand what actually means. It is related to the Full Backup Frequency. If you set the frequency to Weekly, and the number of full copies to 2, your oldest backup copy will be two weeks old. Similarly, if you set it to Monthly and 4, your oldest backup copy will be 4 months old. Set this value according to how long you wish to store backups and how much disk space you have.
209
Incremental Backup Frequency: This value is also related to Number of full copies to keep. A normal backup setting might consist of taking incremental copies between full copies. Incremental copies should be done more frequently than full copies. This means that if you make weekly full copies, incremental copies should be set to daily, but it does not make sense to set it to same frequency as the full copies. To understand better this eld lets see an example: Full Backup Frequency is set to weekly. Number of full copies to keep is set to 4. Incremental Backup Frequency to daily. This means that you will end up having 4 weekly full backups, and between every weekly backup you will have daily backups. That is a month worth of backed up data. And it also means that you could restore any arbitrary day of that month. Backup process starts at: This eld is used to set the time at when the backup process starts. It is a good idea to set it to times when nobody is in the ofce as it can consume a lot of upload bandwidth.
Conguring what directories and les are backed up The default conguration will backup the whole le system. This means that in the event of a disaster you will be able to restore the machine completely. It is a good idea not change this conguration unless the space on your remote server is very limited. A full backup of an eBox machine with all its modules takes around 300 MB.
Figure 7.9: Include and exclude list
The default list of excluded directories is: /mnt, /dev, /media, /sys, and /proc. It is usually a bad idea to include those directories, and in some cases, the backup process will fail.
210
The default list of included directories is: /. You can also exclude le extension using shell characters. For example, if you want to skip AVI les from the backup, you can select Exclude regexp and add *.avi.
Checking backup status You can check the status of your backup under the section Remote Backup Status. In that table, you will see the type of backup, full or incremental, and the date when it was taken.
Figure 7.10: Backup status
How to start a backup process manually The backup process is started automatically at congured time. However, if you need to start a backup process manually, you can run:
# /usr/share/ebox-ebackup/ebox-remote-ebackup --full
Or, to start an incremental backup:
# /usr/share/ebox-ebackup/ebox-remote-ebackup --incremental
211
Restoring les There are two ways of restoring a le. It depends on the size and type of the le or directory that you need to restore. It is possible to restore les directly from the eBox interface. In the section Backup
Restore
Files you have access to the list of all the remote les and directories, and also the available dates to be restored. Use this method with small data les, if they are too big it will take too long and you wont be able to use the web interface during the process of the operation. You must be very careful with the type of le you are restoring. It is usually safe to restore data les that are not used by applications at the moment of the restoring process. This data les will be placed under /home/samba/. However, it is very dangerous to restore system directories such as /lib, /var, /usr while the system is running. Do not do that unless you know what you are doing.
Figure 7.11: Restore le
Big les and system directories must be restored manually. Depending on the use of the le, you can restore it safely while your system is running. However, for system directories you will have to use a rescue CD and proceed as we explain later. In any case, you must know how the underneath used software works. duplicity is tool used by eBox. The process to restore a le or directory is actually very simple. You must run the following
212
command:
duplicity restore --file-to-restore -t 3D <file or dir to restore> <remote url

The ag -t is used to select the backup date to restore. In this case, 3D means to restore a copy that is three days old. Using now you can restore the latest available copy. You can fetch the <remote url and args> on the top note in the section Restore Files in the eBox interface.
Figure 7.12: Remote url and arguments
For example, if you need to recover the le /home/samba/users/john/balance.odc you would run the following command:
# duplicity restore --file-to-restore home/samba/users/john/balance.odc \ scp://backupuser@192.168.122.1 --ssh-askpass --no-encryption /tmp/balance.odc

The above command would restore the le in /tmp/balance.odc. If you need to overwrite a le or directory during a restoring operation you will need to add the ag force, otherwise duplicity will refuse to overwrite.
7.4.3 How to recover on a disaster

Knowing the procedure and having the abilities and experience to successfully restore a backup in a critical situation is as important as making backups. You should be able to restore services as soon as possible when a disaster interrupts the systems. To recover from a total disaster, you would have to boot the system using rescue CD-ROM that includes the backup software duplicity. We will be using grml.
213
Download the grml image and boot the machine with it. You can use the parameter nofb if you have issues with your screen size.
Figure 7.13: Boot grml
Once the boot process has nished you can start a shell by pressing return. If your network is not properly congured, you can run the command netcardcong to congure it. Now you need to mount the hard disk where les will be restored. In this case, we suppose we have our root partition in /dev/sda1. So we need to run:
# mount /dev/sda1 /mnt

The above command will mount the partition under the /mnt directory. During this example, we make a full restore. And to do that we remove all existing directories in the partition. Of course, you could just remove and restore one directory if you need to do so. To remove the existing les to proceed with the full restore, run:
214
Figure 7.14: Start a shell
# rm -rf /mnt/*
We need to install duplicity if its not already installed with:
# apt-get update # apt-get install duplicity

Before restoring a full backup we need to restore /etc/passwd and /etc/group. Otherwise, we can end up with a wrong le owner. The main issue is that duplicity saves the user and group names of a le and not its numerical values. We will run into problems if we restore the le with a system that has different UID or GID number. To avoid this we can just overwrite /etc/passwd and /etc/group on the rescue system rst. Run:
# duplicity restore --file-to-restore etc/passwd \ # scp://backupuser@192.168.122.1 /etc/passwd --ssh-askpass --no-encryption --fo
# duplicity restore --file-to-restore etc/group \ # scp://backupuser@192.168.122.1 /etc/group --ssh-askpass --no-encryption --for

Warning: If you use SCP, you will need to execute sudo ssh user@server to add the remote
server to the list of SSH known hosts. If you dont do this, duplicity will fail to connect.
215
Now, we are ready to proceed with the a full restore running duplicity manually:
# duplicity restore
scp://backupuser@192.168.122.1 /mnt/ --ssh-askpass --no-encryp
You have to create the directories excluded from the backup. You should also clean up the temporal directories.:
# # # # #
mkdir -p /mnt/dev mkdir -p /mnt/sys mkdir -p /mnt/proc rm -fr /mnt/var/run/* rm -fr /mnt/var/lock/*
The restoring proccess has nished and you can reboot now.
7.4.4 Conguration backups

In addition, eBox Platform has another way to make conguration backups and restore them from the interface itself. This method backs up the conguration of all modules that have been enabled at some point, as well as the LDAP users and any other additional les required by each of these modules. The backup can also include the data stored by these modules (home directories, voicemail, etc.) but from 1.2 onwards this way has been deprecated in favour of the rst explained method because it can deal better with huge data sets. To make these backups, you should go, as usual, to System can see in the following image.
Backup. You will not be able to
make a new backup if you have modied the conguration and you have not saved changes as you
216
Once introduced the name for the backup, select the backup type (conguration or full) and click Backup. A screen will appear showing the progress through the modules until it nishes with Backup successfully nished. After this, if you go back you will see a Backup list. Through this list you will be able to restore, download to your local disk or delete any of the stored backup copies. Some information like backup type, date and size will be shown as well. On Restore backup from le you can upload a backup le that you have in your local disk, for example, from a previous eBox Platform deployment on a different server, and restore it using Restore. A conrmation will be requested on restore. You should be careful because all the current conguration will be replaced. This action is similar to the backup, a screen will appear, showing the progress and notifying whether the operation was successful or an error occurred.
Command line tools for conguration backups Two command line tools are provided to export and import the conguration from the console. They are available in /usr/share/ebox and are ebox-make-backup and ebox-restore-backup. ebox-make-backup allows you to make conguration backups. Among its options you can select the backup type to do. One of them is bug-report, which helps developers to debug bugs by including extra information in the backup. Passwords are replaced in order to maintain users privacy. This backup type cant be done through the web interface. You can see all the options using the help parameter.
217
ebox-restore-backup allows you to restore conguration backups. It also provides an option to extract information from the backup le. Another interesting feature is the possibility of making partial restorations, restoring only some specic modules. This is very useful when restoring a module from an old version or when restoring a module failed. You should be careful with the interdependencies between the modules. For example, if you restore a rewall module backup that uses objects and services you have to restore those rst. But you still have the option to force the script to ignore the dependencies that you can use if really required. To see all options of this program use the help parameter.
7.5
Software Updates
Like any other software system, eBox Platform requires periodic updates, either to add new features or to x defects or system failures. eBox distributes its software as packages and it uses Ubuntus standard tool, APT 6 . However, in order to ease this task, eBox provides a web interface to simplify the process.[#]_ The web interface allows checking for new available versions of eBox components and installing them in a simple way. It also allows you to update the software supporting eBox, mainly to correct potential security aws.
7.5.1 Management of eBox components

The management of eBox components allows you to install, update and remove eBox modules. The component manager is a module, and like any other eBox module must be enabled before being used. To manage eBox components you must access :menuselection: Software Management -> eBox components.
Advanced Packaging Tool (APT) is a system for the management of software packages created by the Debian Project that greatly simplies the installation and removal of programs on the GNU / Linux operating system http://wiki.debian.org/Apt
6
218
A list of all eBox components is shown there, together with the installed version and the latest available version. Components that are not installed or up to date, can be installed or updated by clicking on the respective icon in the Actions column. There is a button called Update all packages to update all those packages with a new version available. It is also possible to uninstall components by clicking on the respective icon for this action. Before proceeding to uninstall, a dialogue will be displayed with the list of the software packages to be removed. This step is necessary because it might be about to eliminate a component that is used by others, which would be also removed. Some components are basic and cannot be uninstalled, as that would uninstall eBox Platform completely.
7.5.2 System Updates

System updates performs the updates of programs used by eBox. In order to carry out its function, eBox Platform integrates different system programs within eBox components packages. These programs are referenced as dependencies ensuring that when installing eBox, they are also installed. Similarly, these programs may have dependencies as well. Usually the update of a dependency is not important enough to create a new eBox package with new dependencies, but it may be interesting to install it in order to use its improvements or its patches for security aws. To see updates of the system you must go to Software Management
System Updates. You
should see if your system is already updated or, otherwise, a list of packages that can be upgraded.
219
220
If you install packages on the machine without using the web interface, this data may be outdated. Therefore, every night a process is executed to search for available updates for the system. Such a search can be forced by running:
$ sudo ebox-software
For each update, you can determine whether it is a security update using the information icon. If it is a security update the details about the security aw included in the package changelog will be displayed by clicking on the icon. If you want to perform an update you should select the packages on which to perform the action and press the appropriate button. As a shortcut, you can use the button Update all packages. Status messages will be displayed during the update operation.
7.5.3 Automatic Updates

Automatic updates allow eBox Platform to automatically install any updates available. This operation is performed daily at midnight. This feature can be activated by accessing the page Software Management -> Automatic Updates.
It is not advisable to use this option if the administrator wants to keep a higher level of security in the management of updates. When performing the updates manually, administrators can avoid possible errors going unnoticed.
7.6
Control Center Client

eBox Control Center is a fault-tolerant solution that allows centralized real-time monitoring and administration of multiple eBox Platform installations. It includes features such as remote, centralized and secure administration of groups of eBox installations, automatic remote conguration backup, network monitoring and customized reports.
7
Here we describe the client side conguration with eBox.

7
http://www.ebox-technologies.com/products/controlcenter/
221
7.6.1 Subscribing eBox to the Control Center

In order to congure eBox to subscribe to the Control Center, you must install ebox-remoteservices package which is installed by default if you have used eBox installer. In addition to this, the Internet connection should be available. Once everything is ready, go to Control Center and ll the following elds: User Name or Email Address: You must set the user name or the email address you use to sign in the Control Center Web site. Password: The same pass phrase you use to sign in the Control Center Web site. eBox Name: The unique name for your eBox within Control Center. This name is displayed from the control panel and it must be a valid domain name. Each eBox should have a different name, if two eBoxes use the same name for connecting to the Control Center, just one will be connected.
Figure 7.16: Subscribing eBox to the Control Center After entering the data, the subscription will take about a minute. Be sure after subscribing, save changes. This process sets a VPN connection to the Control Center, therefore it enables vpn module.
8
Figure 7.17: After subscribing eBox to the Control Center
If the connection is working nicely with eBox Control Center, then a widget will be shown in the dashboard indicating the connection was done established correctly.
8
For more information about VPN module, go to Virtual Private Network (VPN) section.
222
Figure 7.18: Connection widget to the Control Center
7.6.2 Conguration backup to the Control Center

One of the features using the Control Center is the automatic conguration backup 9 is stored in eBox Control Center. This backup is done daily if any change has been done in eBox conguration. Go to System Backup Remote Backup to check the conguration backups that have been done. You may perform a manual conguration backup, if you want to be sure a current conguration is backed up correctly in eBox Control Center.
Figure 7.19: Remote conguration backup
You may restore, delete or download that conguration backup from the Control Center. Additionally, to improve the disaster recovery, you may restore or download the conguration backup from other subscribed eBoxes using your name/email address and password pair. To do so, go to the System Backup Remote Backup from Other Subscribed Hosts tab.
The conguration backup in eBox is explained in Conguration backups section
223
Figure 7.20: Remote conguration backup from other subscribed hosts
224

Ebox For Network Administrators

Загружено:

Сведения о документе

Исходное описание:

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Ebox For Network Administrators

Загружено:

Авторское право:

Доступные форматы

eBox 1.

4 for Network Administrators

eBox 1.4 for Network Administrators

Web data publication service (HTTP) . . . . . . . . . . . . . . . . . . . . . . . .

Time synchronization service (NTP)

53 53 55 58 58 58 63 63 69 71 73 73 74 76 77 78 79 80 81 82 82 89 89 90 97 97 98 98 98 101 104 106 107 110 111 117 117

Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2.1 3.2.2

Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3.1 3.3.2 3.3.3

HTTP Proxy Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.6.1 3.6.2 3.6.3 3.6.4

Printers sharing service Groupware Service 4.4.1

Groupware service settings with eBox . . . . . . . . . . . . . . . . . . . .

5 eBox Unied Communications 5.1 Electronic Mail Service (SMTP/POP3-IMAP4) . . . . . . . . . . . . . . . . . . . .

How electronic mail works through the Internet

WebMail service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Instant Messaging (IM) Service (Jabber/XMPP) . . . . . . . . . . . . . . . . . . .

Voice over IP service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

HTTP Proxy advanced conguration . . . . . . . . . . . . . . . . . . . . . . . .

Events and alerts

Control Center Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 1 eBox Platform: unied server for SMEs

eBox 1.4 for Network Administrators

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

eBox 1.4 for Network Administrators

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

Figure 1.1: Installer language select

1.2.1 eBox Platform installer

eBox 1.4 for Network Administrators

Figure 1.2: Installer menu

Figure 1.3: Administration user

Figure 1.4: Administration password

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

Figure 1.5: Conrm administration password

Figure 1.6: Package selection method

eBox 1.4 for Network Administrators

Figure 1.7: eBox tasks to install

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

Figure 1.8: eBox packages to install

eBox 1.4 for Network Administrators

Figure 1.9: Installing eBox packages

Figure 1.10: Type of the server

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

Figure 1.11: Select external interfaces

Figure 1.12: Mail conguration

eBox 1.4 for Network Administrators

Figure 1.13: Preconguring eBox packages

Figure 1.14: eBox administration web interface

Administration web interface

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

eBox 1.4 for Network Administrators

Figure 1.15: Main screen

Figure 1.16: Left side menu

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

Figure 1.17: Top menu

Figure 1.18: Web User Interface conguration forms

Figure 1.19: Dashboard

eBox 1.4 for Network Administrators

Figure 1.20: Dashboard conguration

1.3.2 Applying conguration changes

CHAPTER 1. EBOX PLATFORM: UNIFIED SERVER FOR SMES

Figure 1.21: Module status widget

eBox 1.4 for Network Administrators

Figure 1.22: Save changes

1.3.3 Modules status conguration