Last modification date : Sun Jun 18 17:05:25 PDT 1995

*****************************************************************************
** WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING **
*****************************************************************************
This HOWTO is not even NEAR finished. As such don't take anything in here
as gospel! In fact, use any of this information at your own risk! I am not
responsible for any nausea, convulsions, brain damage, etc. resulting from
the use, misuse, abuse, or disuse of this document. Do not insert document in
ear canal or expose to mucus membranes. You have been warned.
*****************************************************************************
** WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING **
*****************************************************************************

=============================================================================
I am currently looking for contributors to this HOWTO. If you run Linux as
an ISP and feel you have something to contribute, I'd like to hear about it.
=============================================================================

The Linux-Public-Access-HOWTO
by Dan Hollis, root@anime.net
    v1.51, 18 June 1995

This document lists common problems encountered while setting up a Linux
system for public access.

1. Introduction

This is the Linux Public Access Box HOWTO. Common problems and issues 
most system admins encounter while setting up Linux for public access
will be covered here. However, much of this document is not Linux-
specific and could be just as easily applied to many other Unices. For
the most part however, we will be focusing on problems most commonly 
encountered with Linux.

  1.1.  Copyright

  The Linux Public Access HOWTO is copyright (C) 1994 by Dan Hollis. Linux
  HOWTO documents may be reproduced and distributed in whole or in part,
  in any medium physical or electronic, as long as this copyright notice
  is retained on all copies. Commercial redistribution is allowed and
  encouraged; however, the author would like to be notified of any such
  distributions.

  All translations, derivative works, or aggregate works incorporating
  any Linux HOWTO documents must be covered under this copyright notice.
  That is, you may not produce a derivative work from a HOWTO and impose
  additional restrictions on its distribution. Exceptions to these rules
  may be granted under certain conditions; please contact the Linux
  HOWTO coordinator at the address given below.

  In short, we wish to promote dissemination of this information through
  as many channels as possible. However, we do wish to retain copyright
  on the HOWTO documents, and would like to be notified of any plans to
  redistribute the HOWTOs.

  If you have questions, please contact Matt Welsh, the Linux HOWTO
  coordinator, at mdw@sunsite.unc.edu.  You may finger this address for phone
  number and additional contact information.

  1.2.  Other sources of information

  o man pages for: mgetty, setserial, zsh, identd, tcpd, smail

  1.3.  New versions of this document

  New versions will be placed on
  sunsite.unc.edu:/pub/Linux/docs/HOWTO/LPA-HOWTO,

  and the mirror sites.  The Linux-Public-Access-HOWTO
  (http://sunsite.unc.edu/mdw/HOWTO/LPA-HOWTO.html) is also available
  for WWW clients such as mosaic.

  1.4.  Feedback

  Please send me any questions, comments, suggestions, or additional
  material.  I'm always eager to hear about what you think about the
  HOWTO.  I'm also always on the lookout for improvements!  Tell me
  exactly what you don't understand, or what could be clearer.  You can
  reach me at root@anime.net via email.  I can also be reached at:

  Dan Hollis
  P.O. Box 1588
  Grants Pass, OR 97526

  via snail mail, and at my home page (http://www.anime.net/LPA-HOWTO) 
  via the WWW.

  Please include the version number of the LPA-HOWTO when writing;
  this is version 1.51.

  1.5.  Disclaimer

  Your mileage may vary.  The answers given may not work for all systems
  and all setup combinations.


Table of contents:

 1. What distribution of Linux do I use?
 2. What equipment do I use?
 3. What can I do to maximize performance?
 4. When users hangup, processes are left hanging on 'con'!
 5. All the users on ttyS16-ttyS32 don't show up in 'who'!
 6. Setting up a PPP server
 7. How do I track incoming telnet, finger, etc.?
 8. What's the easiest way to set up a menu system?
 9. I'm having no luck with agetty and/or getty_ps!
10. I can receive news, but posting through tin doesn't work!
11. How do I prevent users from logging onto multiple serial ports at
    the same time?
12. My inetd keeps dying! Help!
13. I'm using smail, and I can't mail any MX hosts!
14. What packages in the Slackware distribution are broken?
15. What about security?
16. What about monitoring?
17. Sources of information?
18. Handy tidbits
19. I can't get the last 4 ports of a second BOCA 2016 to work!

1. What distribution of Linux do I use?

    By far the simplest installation is Slackware. A number of packages are
broken, but are widely known and easily replaced (see item #14).

    Comments on other distributions (Debian? MCC? Yggdrasil?) are welcome.

2. What equipment do I use?

Serial boards vs. Terminal Servers
==================================

    What are the specific advantages between a terminal server and a 
multiport serial board?

Serial board
------------
Advantages : Super cheap (in comparison to a terminal server). Lets an ISP 
"get their foot in the door" so to speak. A bit easier to configure and 
control than a terminal server, since the ports hang directly off the 
main CPU.

Disadvantages : Loads down the CPU with serial processing. Takes up a 
motherboard slot.

Terminal server
---------------
Advantages : Offloads serial processing from the main CPU. Most Terminal 
Servers can handle PPP/SLIP, so if your main CPU crashes the Terminal 
Server can still give your users PPP/SLIP. Doesn't use a motherboard slot :)

Disadvantages : Expensive -- your average terminal server can run $2500.
Can be difficult to configure.

Serial Boards
=============

    I have had great success with the BOCA 2016 board. It's super cheap,
and provides 16 ports (each having a 16550A UART) on a single shared
IRQ. It's very simple to configure for Linux (you use setserial), and
works very well. The 2016 supports full hardware flow control and can go
up to 115k on all ports. The 2016 is a single half-length ISA card with
a thick centronics-like connector in the back that goes into an external
box with 16 RJ45 sockets in it. You then use RJ45-to-25-pin RS232
adapter cables to connect to your modems.

    For those planning on making their own cables, beware : the 2016
uses non-standard *10 WIRE* RJ45-to-25-pin RS232 connectors. RJ45 is
usually 8 wire, so you will have a difficult time finding 10 wire
connectors. You are generally better off buying your cables pre-made from
BOCA.

    WARNING! The BOCA 1008 and 1004 do _not_ support RI, DCD, DSR, or DTR, 
making them quite worthless for modems. They work great for dumb 
terminals however.

    For an excellent article on intelligent serial boards (Comtrol, 
Cyclades, Stallion, Digiboard) read the "Review: Intelligent Multiport 
Serial Boards" article in the June 1995 Linux Journal. You can retrieve 
benchmark results via the WWW at http://www.ssc.com/LJ/issue14/serial/

Terminal Servers
================

    It's not often you find a piece of hardware as highly recommended as the
Livingston Portmaster line. We purchased several PM2eR's which are
combination Terminal Servers/Routers. Lots of bang for the buck. Livingston's
direct software support for Linux is to be commended as well. For an ISP, a 
PM2eR is about as close to a "POP in a box" as you can get.

    Note: PM2eR's make fantastic terminal servers, but rather poor
routers. As long as your routing requirements are very modest, you'll love 
these things to death. You just better be prepared to settle for RIP (no 
BGP) and rather restrictive subnet and interface allocation.

Modems
======

    Personally I recommend the AT&T Dataport Express for 14.4 modems. Note 
BTW that the AT&T 28.8 is exactly the opposite, totally unreliable.

    Some ISPs swear by the USR Sportster. Other ISPs swear at it.

3. What can I do to maximize performance?

    The biggest performance hit will most likely come from thrashing. This 
is caused by a lack of RAM. Memory pressures on an overloaded machine 
will cause it to constantly page virtual RAM to and from your swap 
partition. Unfortunately, this takes large amounts of time, and bashes 
your drive.

    You can alleviate part of the problem by placing the swap partition 
on a drive that is completely separate from your root partition.

    You can avoid thrashing altogether by maintaining enough RAM for 
programs (and preferably a little breathing room for some disk buffers). 
A good rule of thumb seems to be 2mb RAM per user.

    Generally you will find that adding more RAM will speed your machine 
up more than upgrading your CPU.

4. When users hangup, processes are left hanging on 'con'!

    You are probably using bash for the login shell. When the line drops,
bash does not take its child processes down with it, which is not what
you want for dial-in shells. The solution is to change to a shell that
kills its child processes properly on hangup (I use Zsh).

    Don't think you'll avoid this problem by using a terminal server. It
affects both terminal servers and multiport serial cards.

5. All the users on ttyS16-ttyS32 don't show up in 'who'!

From a post on comp.os.linux.help (truncated for only the relevant bits):

Newsgroups: comp.os.linux.help
From: an176087@anon.penet.fi
Date: Tue, 10 Jan 1995 20:14:26 UTC
Subject: Strange problem w/talk & finger

Here's the problem:
   At different times, a given individual may want to execute the talk command
to another on-line user.  No problem, right?  That's what we thought, too.
However, the finger and talk commands often do not acknowledge that a user is
logged on to our machine.  In fact, their output varies considerably from time
to time, causing great headaches for myself and my partners.  I have included
two sample runs, which I'll show now.  In each case, I am logged in as mschaff,
and you'll notice that several others are logged in as well.  (I first include
the output from ps -aux, then from the finger command).  Each time, the finger
output is way off.  Here's the first sample (btw, our host is named host1):

host1:~$ ps -aux
USER       PID %CPU %MEM SIZE  RSS TTY STAT START   TIME COMMAND
bwalton  14947  0.0  5.5  348  400 s17 S    19:44   0:00 -bash
bwalton  14957  0.0  5.8  365  420 s17 S    19:47   0:00 -bash
bwalton  14965  0.0  8.1  697  592 s17 S    19:48   0:01 lynx http://www.timeinc
jhodges  15551  0.0  6.6  376  484 s16 S    21:59   0:00 -bash
jhodges  15620  0.1  8.0  676  584 s16 S    22:09   0:01 lynx
mschaff  15680  0.7  6.6  376  484 s19 S    22:25   0:01 -bash
mschaff  15708  0.0  2.8   81  208 s19 R    22:28   0:00 ps -aux

host1:~$ finger
Login    Name                 Tty  Idle  Login Time   Office     Office Phone
mschaff  Mitchell Schaff       S1        Jan  2 22:25

As you can see, the users bwalton and jhodges did not show up on the finger
command, though they were clearly logged on.  Now, here's a second example,
taken about 20 minutes later:

host1:~$ ps -aux
USER       PID %CPU %MEM SIZE  RSS TTY STAT START   TIME COMMAND
bwalton  14947  0.0  5.5  348  400 s17 S    19:44   0:00 -bash
bwalton  14957  0.0  5.8  365  420 s17 S    19:47   0:00 -bash
bwalton  14965  0.0  8.1  697  592 s17 S    19:48   0:01 lynx http://www.timeinc
jhodges  15551  0.0  6.6  376  484 s16 S    21:59   0:00 -bash
jhodges  15788  0.0  2.8   85  204 s16 S    22:39   0:00 sz tennis.zip
mschaff  15680  0.1  6.8  380  492 s19 S    22:25   0:01 -bash
mschaff  16279  0.0  2.8   81  208 s19 R    22:45   0:00 ps -aux
tjerde   15649  0.0  6.7  380  488 s18 S    22:20   0:00 -bash
tjerde   15786  0.0  3.4  112  248 s18 S    22:37   0:00 telnet 139.103.2.5 4321

host1:~$ finger
Login    Name                 Tty  Idle  Login Time   Office     Office Phone
tjerde   Todd Jerde            S1        Jan  2 22:37

This time, you'll notice that the mschaff login (mine) does not show up, and
neither do those of bwalton or jhodges.  Interestingly enough, tjerde does.

Oh, one other thing.  If I issue the talk command to a user who is logged
on, but does not show up on the finger command, the talk output informs me that
the user is not logged on.  However, if another user lucks out, and my userid
shows up on the finger command and they start a talk session with me, I *CAN*
then issue the talk command, and the talk session proceeds normally.  Is this
weird, or what?

Regards,
Mitchell Schaff
System Administrator
Dakota Internet Access
mschaff@host1.dia.williston.nd.us
(701) 572-2903

-------------------------------------------------------------------------

Ok, let's look at this problem a little closer:

ps shows tjerde logged into ttyS18:

tjerde   15649  0.0  6.7  380  488 s18 S    22:20   0:00 -bash

however finger shows tjerde logged into ttyS1:

Login    Name                 Tty  Idle  Login Time   Office     Office Phone
tjerde   Todd Jerde            S1        Jan  2 22:37

    The default Linux distributions use devices ttyS16 through ttyS32.
Unfortunately, it seems login is truncating the tty to 5 characters. 6 
char device names like ttyS16 get cut off, therefore confusing programs 
like 'who', 'finger', and 'talk' into thinking people are not really 
logged on. The solution? Rename your devices to 5 character names. I use ttyB0 
through ttyBF. (The 'B' meaning Boca Board :)
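The comparison the post above makes by hand (ps says a user is on a line,
who/finger say otherwise) is worth scripting: the same check later catches
anything that hides or loses its utmp entry. The following is an added
example, not the HOWTO's or the poster's code. It takes the two listings as
text so captured output can be fed in; the samples are constructed from the
post, plus an assumed, correctly recorded root login on tty1.

```shell
#!/bin/sh
# Added example: list sessions the process table knows about but utmp does
# not. Both tty forms are normalised (leading "tty" dropped, lower-cased),
# because old ps printed "s17" for ttyS17 while who/finger printed the
# truncated "ttyS1"/"S1".
missing_from_utmp() {   # $1 = text of "ps -aux" output, $2 = text of "who" output
    printf '%s\n' "$2" | awk -v ps="$1" '
        function norm(t) { sub(/^tty/, "", t); return tolower(t) }
        # first pass (stdin): every user/tty pair utmp knows about
        NF >= 2 { seen[$1 " " norm($2)] = 1 }
        # then walk the ps lines, skipping the header and daemons on "?"
        END {
            n = split(ps, line, "\n")
            for (i = 2; i <= n; i++) {
                if (split(line[i], f, " ") < 7 || f[7] == "?") continue
                k = f[1] " " norm(f[7])
                if (!(k in seen) && !(done[k]++)) print k
            }
        }'
}

# Constructed samples (from the post above plus an assumed root login).
PS_SAMPLE='USER       PID %CPU %MEM SIZE  RSS TTY STAT START   TIME COMMAND
root       100  0.0  1.0  300  200 tty1 S   20:00   0:00 -bash
bwalton  14947  0.0  5.5  348  400 s17 S    19:44   0:00 -bash
bwalton  14965  0.0  8.1  697  592 s17 S    19:48   0:01 lynx http://www.timeinc
jhodges  15551  0.0  6.6  376  484 s16 S    21:59   0:00 -bash
mschaff  15680  0.7  6.6  376  484 s19 S    22:25   0:01 -bash
mschaff  15708  0.0  2.8   81  208 s19 R    22:28   0:00 ps -aux'
WHO_SAMPLE='root     tty1     Jan  2 20:00
mschaff  ttyS1    Jan  2 22:25'

# On a live box: missing_from_utmp "$(ps -aux)" "$(who)"
missing_from_utmp "$PS_SAMPLE" "$WHO_SAMPLE"
```

Run against the samples it reports bwalton on s17, jhodges on s16 and
mschaff on s19 (utmp recorded "ttyS1", which is not the same line), and
nothing for root. Anything this prints on a live system is either the
truncation bug or a session somebody does not want you to see.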

6. Setting up a PPP server

    By far the easiest way to set up a PPP server is to call pppd with the
'proxyarp' option, so the server answers ARP for the dial-in address on
its Ethernet. The NET-2 HOWTO docs say this is a bad idea; why? It is
currently the only way to make this work.

Here are example scripts for zero care and feeding of a dynamically
assigned PPP server. Note that the PPP account's login "shell" is the
allocation script itself, so such a user never gets an interactive shell:

/etc/passwd:
------------
user:password:uid:gid:Real Name:/home/user:/bin/zsh
Puser:password:uid:gid:Real Name (PPP):/tmp:/etc/ppp/dynamic_ppp

/etc/ppp/options:
-----------------
-detach modem crtscts proxyarp

/etc/ppp/dynamic_ppp:
-----------------
#!/bin/sh
#
# Dynamic PPP allocation script
# Assigns a PPP peer address based on the tty the user dialed in on;
# a login from any other port gets no pppd at all and is dropped.
#
choice=`tty | cut -b6-10`             # /dev/ttyB0 -> ttyB0
case "$choice" in
    ttyB0) exec /usr/lib/ppp/pppd :xxx.xxx.xxx.200;;
    ttyB1) exec /usr/lib/ppp/pppd :xxx.xxx.xxx.201;;
    ttyB2) exec /usr/lib/ppp/pppd :xxx.xxx.xxx.202;;
    *)     exit 1;;
esac
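The case statement above is one instance of a general rule: port number in,
address out. As an added example (not the HOWTO's script) the following
derives the address from the port name, so sixteen ports need no sixteen
lines, and refuses anything that is not a ttyB port. It assumes the ports
are /dev/ttyB0 through /dev/ttyBF as the HOWTO names them and that
PPP_NETBASE.(PPP_OFFSET + port number) is reserved for them; 192.0.2 and
200 are placeholder values, not the HOWTO's.

```shell
#!/bin/sh
# Added example: map a dial-in port to its PPP peer address.
# Assumptions: ports /dev/ttyB0../dev/ttyBF (one hex digit), addresses
# PPP_NETBASE.(PPP_OFFSET+port). Defaults below are placeholders.
PPP_NETBASE=${PPP_NETBASE:-192.0.2}
PPP_OFFSET=${PPP_OFFSET:-200}

# Port number (0-15) for a ttyB device; fails for anything else, so a telnet
# pseudo-tty or a mistyped name never receives an address.
port_index() {   # $1 = /dev/ttyB3 or ttyB3
    case $1 in
        /dev/ttyB[0-9A-F]|ttyB[0-9A-F])
            echo "$((0x${1#*ttyB}))" ;;
        *)  return 1 ;;
    esac
}

# The "local:remote" argument for pppd. Local is left empty so pppd takes
# the interface address, as in the HOWTO's ':xxx.xxx.xxx.200'.
ppp_addr_for_tty() {   # $1 = device name
    idx=$(port_index "$1") || return 1
    host=$((PPP_OFFSET + idx))
    [ "$host" -le 254 ] || return 1        # stay inside the /24
    echo ":$PPP_NETBASE.$host"
}

# What the login "shell" entry in /etc/passwd would run.
dynamic_ppp() {
    addr=$(ppp_addr_for_tty "$(tty)") || { echo "not a dial-in PPP port" >&2; exit 1; }
    exec /usr/lib/ppp/pppd "$addr"
}

ppp_addr_for_tty /dev/ttyB3   # prints :192.0.2.203
```

Install it as the PPP accounts' login shell and call dynamic_ppp at the
bottom; the range check matters if you ever move PPP_OFFSET, since a port
that computes to .255 or beyond would silently hand out the broadcast
address.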

7. How do I track incoming telnet, finger, etc.?

    If you haven't installed the tcp wrappers suite, you should do so.
Note however that the Slackware and Yggdrasil distributions ship a tcpd
compiled without two useful options: the options (scripting) language
of hosts_options(5) and RFC 931 (identd) lookups. Get the tcpd sources off
of sunsite and recompile it. The tcp wrapper daemon 'tcpd' runs in place
of the normal daemons, and the hosts.allow and hosts.deny files let you
allow or deny access to services based e.g. on host names, identd
authentication, etc. I run shell scripts which decide whether or not to
allow a telnet to even start up based on a combination of IP address and
RFC 931 authentication. Keep in mind that an RFC 931 answer comes from the
connecting host's own identd, so it identifies a user only as far as you
trust that host: fine for logging and for your own machines, not proof of
identity from a stranger.
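As an added illustration of that approach (not the author's own
configuration; the network 192.0.2. and the script path are placeholders),
here is a default-deny hosts.deny/hosts.allow pair that uses the options
language and RFC 931 lookups, which is exactly why the recompiled tcpd
matters:

```text
# /etc/hosts.deny -- anything not matched in hosts.allow is refused
ALL: ALL

# /etc/hosts.allow
# telnet from the local network: ask the client's identd who it is (wait
# at most 10 seconds), log at auth.info, then let the real daemon run
in.telnetd: 192.0.2. : rfc931 10 : severity auth.info : ALLOW
# telnet from anywhere else: hand the connection to a script instead of
# in.telnetd; it sees the client host and (claimed) user and decides
in.telnetd: ALL : rfc931 10 : twist /usr/local/sbin/telnet-gate %h %u
# finger stays open to everyone
in.fingerd: ALL
```

The ALLOW/DENY keywords and twist belong to the options language, so this
file is refused outright by a tcpd built without it; tcpd logs a rule it
cannot parse and denies the connection, so check a new file with tcpdchk
and tcpdmatch if your build includes them before you rely on it.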

8. What's the easiest way to set up a menu system?

    I have found that the easiest way to create a spiffy menu with the
least amount of effort is to use the 'dialog' package, and write a bunch
of shell scripts to drive it.

9. I'm having no luck with agetty and/or getty_ps!

    Use Mgetty. Mgetty is a much better replacement getty. It requires
nearly nil configuration, and will even allow incoming and outgoing
FAXes! Not only that, but it also supports caller ID (for blacklisting,
tracking, etc.) and if you are lucky enough to have a modem that
supports it, Mgetty will do voice mail as well.

10. I can receive news, but posting through tin doesn't work!

    You probably forgot to put something like

export NNTPSERVER="your.host.name"

    in /etc/profile :)

11. How do I prevent users from logging onto multiple serial ports at
    the same time?

I had problems with people logging in on multiple lines and hogging the
dial-ins. Here's what I stuck into my /etc/profile. It prevents multiple
logins on /dev/ttyB* lines but allows any other kind of logins through
(e.g. telnet, etc.)

#
# Don't allow multiple logins on dial-in user lines.
# Log multiple login attempts.
#
logtty="`tty | grep ttyB | cut -b6-10`"    # ttyB0..ttyBF, empty if not a dial-in line
logptty="`tty | grep ttyp | cut -b6-9`"    # "ttyp" if this is a network (pty) login
logwho="`whoami | cut -b1-8`"              # who(1) shows at most 8 chars of a name
# dial-in lines this user already holds (includes the current one)
logmore="`who | grep ttyB | grep -w "$logwho" | cut -b10-14`"
if [ "$logtty" != "$logmore" ]; then       # held lines are not just this one
    if [ "$logptty" != "ttyp" ]; then      # and this is not a network login
        cat /etc/not_allowed
        date >> /var/adm/multiple_login
        echo "Multiple login attempt: [$logwho] on [$logtty]" >> /var/adm/multiple_login
        echo "Currently on these lines:" >> /var/adm/multiple_login
        echo "$logmore" >> /var/adm/multiple_login
        echo "-------------------------" >> /var/adm/multiple_login
        exit                               # ends the login shell
    fi
fi

The file /etc/not_allowed should contain a warning message to be displayed
to users when they try logging in on multiple lines.

Note that /etc/profile is only read by sh-style login shells. A user whose
login shell is something else (the PPP script from section 6, for one)
never runs it, so treat this as a line-hogging deterrent rather than a
security control.

If you have a terminal server, you are obviously out of luck using this
method, since its logins arrive on network pseudo-ttys rather than on
ttyB* lines.
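The policy above (one dial-in line per user, network logins exempt) is
easier to trust once the decision is a function that can be run against
captured who(1) output. The following is an added example, not the HOWTO's
snippet; it keeps the ttyB*/ttyp* naming of the HOWTO, parses who by
field rather than by column so user names longer than eight characters do
not shift the tty, and the who listing it ships with is constructed.

```shell
#!/bin/sh
# Added example: single-dial-in-line policy as testable functions.
# Assumes dial-in ports are ttyB* and network sessions ttyp*/pts/*.

# Print the dial-in lines USER already holds other than CURTTY, reading a
# who(1) listing on stdin.
other_dialin_lines() {   # $1 = user, $2 = current tty name (e.g. ttyB0)
    awk -v u="$1" -v cur="$2" '$1 == u && $2 ~ /^ttyB/ && $2 != cur { print $2 }'
}

# Exit 0 (deny) when the login is on a dial-in line and the user already
# holds another one; exit 1 (allow) for network logins or a first dial-in.
should_deny_login() {   # $1 = user, $2 = current tty name; who listing on stdin
    case $2 in
        ttyB*) ;;            # only dial-in lines are rationed
        *)     return 1 ;;   # telnet, rlogin, console: always allowed
    esac
    [ -n "$(other_dialin_lines "$1" "$2")" ]
}

# The /etc/profile hook: same actions as the HOWTO's snippet.
enforce_single_dialin() {   # $1 = log file
    user=$(id -un)
    cur=$(tty) || return 0            # no controlling tty: nothing to ration
    cur=${cur#/dev/}
    who | should_deny_login "$user" "$cur" || return 0
    cat /etc/not_allowed 2>/dev/null
    {
        date
        echo "Multiple login attempt: [$user] on [$cur]"
        echo "Currently on these lines:"
        who | other_dialin_lines "$user" "$cur"
        echo "-------------------------"
    } >> "$1"
    exit                              # ends the login shell
}

# Constructed who(1) listing: bwalton is on a dial-in line and a telnet
# session, mschaff holds two dial-in lines, jhodges one.
WHO_SAMPLE='bwalton  ttyB2   Jun 18 19:44
bwalton  ttyp0   Jun 18 20:01
jhodges  ttyB5   Jun 18 21:59
mschaff  ttyB1   Jun 18 22:25
mschaff  ttyB7   Jun 18 22:30'

# mschaff logging in on ttyB7 while holding ttyB1: denied, ttyB1 listed.
printf '%s\n' "$WHO_SAMPLE" | other_dialin_lines mschaff ttyB7
```

In /etc/profile the call is simply `enforce_single_dialin /var/adm/multiple_login`.
Against the sample, mschaff on ttyB7 and bwalton on a second ttyB line are
refused, jhodges on his only line is allowed, and bwalton's telnet session
is allowed even though he also holds ttyB2.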

12. My inetd keeps dying! Help!

Unfortunately the NET-2 package is not quite "there" yet. Until it is,
here's a patch that will watch to see when inetd dies, and respawn it if
it does.

[... script missing ...]

13. I'm using smail, and I can't mail any MX hosts!

The smail distributed with most versions of Linux is broken in several 
ways, the most notable flaw is that it does not have the 'bind' driver 
compiled in. This prevents smail from being able to look up MX hosts.
Symptoms of this problem include not being able to mail users at aol.com, 
etc.

Solution: download a fixed version of smail. Here's a source:

ftp://ftp.uu.net/networking/mail/smail
         smail-linuxbin-3.1.29.1.tar.gz (binary)
         smail-3.1.29.1.tar.gz (source)

Since many people will simply download the binary and won't RTFM, here's 
a tip: the binary version stores all the config files in /etc/smail, not 
/usr/lib/smail.

14. What packages in the Slackware distribution are broken?

Named is broken. Get a newer one.
Smail is broken (mainly with MX hosts). Get a newer one (see above).
Tcpd, while not broken, is compiled without many useful features. 
Download the source and re-compile it.

15. What about security?

Security Measures:
==================
Install shadow passwords. Do it. Now.

Filter out IP source-routed packets at your router. Source routing lets a 
packet with a forged source address carry its own return path, which is 
what makes IP address spoofing usable against you.

There are a number of rather good packages which, correctly applied, make 
for a nicely secure system:

'cfingerd' is a wonderfully configurable fingerd replacement. It is 
secure as you want to make it. It has a lot of very nice features. Available 
from ftp://bitgate.com:/pub/cfingerd/

'smtp_wrap', currently in development, will prevent e-mail forgery.

Security Holes:
===============
Versions of Thomas Koenig's "at/atrun" package earlier than version 2.7 
have a bug which can allow users root access. "at -V" will reveal which 
version you have. If you do not have version 2.7 or 2.7a you should upgrade 
immediately.

All known current distributions of Linux have an insecure portmapper 
(rpc.portmap) that should be replaced. The secure version can be 
downloaded from the following URL:

Secure portmapper:
ftp://linux.nrao.edu/pub/linux/security/nfsd/portmap-3.tar.gz

You will need the tcp wrapper library to compile and use the secure 
portmapper.

All known current distributions of Linux have an insecure NFS server 
(rpc.nfsd) that should be replaced. Download the latest secure version of 
the NFS server from the following URL:

Universal NFS Server 2.2alpha3:
ftp://linux.nrao.edu/pub/linux/security/nfsd/nfs-server-2.2alpha3.tar.gz

16. What about monitoring?

For monitoring a Linux based network, I have found a program called 
tkined immensely useful. It's a Tcl/Tk based X windows network 
administration / monitoring program that has support for SNMP.

I use it to monitor all our routers. Using SNMP, tkined can display the 
interface load of each router. tkined can also monitor the reachability 
of hosts on your network so you can use it to instantly alert you if a 
part of the network goes down. Very handy, it saves a lot of time when 
looking for the cause of a network outage.

17. Sources of information?

Here are some sources of information that should be of value to ISPs:

Mailing Lists
-------------
ISPA list (Internet Service Providers Association)
isp-assn-request@vector.net
body of text should contain one line - "subscribe"

IAP list (Small Internet Access Providers)
LISTSERV@VMA.CC.ND.EDU
body of text should contain one line - "subscribe iap"

Linux-ISP (Linux based Internet Access Providers)
linuxisp-request@lightning.com
body of text should contain one line - "subscribe"

BIG-LINUX (Linux Servers mailing list)
LISTSERV@NETSPACE.ORG
body of text should contain one line - "subscribe big-linux"

Web Pages
---------
Linux Internet Service Providers
http://www.infocom.net/~linuxisp/

So you wanna be an Internet Service Provider (ISP)
http://www.vicnet.net.au/vicnet/help/isp.htm

Internet Hardware, Software, Services and Information Suppliers List
http://www.portia.com/sup/supply.html

DNS Secondary Service Exchange
http://www.ua.com/dnsmatch/sites.html

18. Handy tidbits

From Scott Jennings on the BIG-LINUX mailing list comes the following 
cool tidbit to add to root's crontab:

# remove temp files older than 12 hours, every hour.
# -mindepth 1 keeps find from ever handing /tmp itself to rm -rf (it would,
# once nothing had touched /tmp for 12 hours); -depth handles contents
# before their directory; the ';' must be escaped or the shell eats it.
30 * * * * find /tmp/ -mindepth 1 -depth -mmin +720 -exec rm -rf {} \;
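A sweep that runs rm -rf as root on a world-writable directory deserves
more care than a one-liner. The following is an added example, not the
mailing-list tidbit: it never touches the directory itself, does not cross
onto a filesystem mounted underneath it, leaves sockets and fifos that a
long-running service may still be using, and only removes directories once
they have been empty for the age. Directory and age are parameters so it
can be tried on a scratch directory first. It relies on GNU find
(-mindepth, -xdev, -mmin, -delete).

```shell
#!/bin/sh
# Added example: a safer /tmp sweep. GNU find required.
cleanup_tmp() {   # $1 = directory, $2 = age in minutes (default 720)
    dir=$1; age=${2:-720}
    [ -d "$dir" ] || return 1
    # Files and symlinks older than the age. Sockets and fifos are left
    # alone: a service may have created them hours ago and still use them.
    # -mindepth 1 never matches $dir itself; -xdev stays on one filesystem.
    find "$dir" -mindepth 1 -xdev \( -type f -o -type l \) -mmin "+$age" -delete
    # Directories go only once empty and untouched for the age; one that
    # just lost its last file is picked up on a later sweep. -delete implies
    # -depth, so contents are handled before their parent.
    find "$dir" -mindepth 1 -xdev -type d -empty -mmin "+$age" -delete
}

# root's crontab entry, assuming the function lives in a script at this
# (hypothetical) path:
# 30 * * * * /usr/local/sbin/cleanup_tmp /tmp 720
```

Try it on a scratch directory with a few back-dated files (touch -t) before
pointing it at /tmp; the first thing to confirm is that the directory you
passed in is still there afterwards.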

Here's a crontab entry to keep your clock in sync with the NIST atomic clock.
Crontab lines take five time fields, and cron runs the command under
/bin/sh, so the redirection is Bourne syntax rather than the csh '>&'.
Note that netdate takes the remote host's word for the time; the RFC 868
time protocol it speaks has no authentication.

# Sync with NIST clock, every hour on the hour
0 * * * *    /usr/sbin/netdate 132.163.135.130 > /dev/null 2>&1
# Write the new time to CMOS five minutes later
5 * * * *    /sbin/clock -w

19. I can't get the last 4 ports of a second BOCA 2016 to work!

We recently put another BOCA 2016 in the system and were experiencing the
following problem:

When I tried to config the serial ports on the second board, all but the 
last 4 configured correctly. The last 4 responded as follows:

   /dev/cua44: No such device
   /dev/cua45: No such device
   /dev/cua46: No such device
   /dev/cua47: No such device
 
As usual, Theodore Ts'o has the answer:

"You need to extend the rs_table[] structure in serial.c.  It currently
only reserves enough room for 12 ports after the standard BOCA ports,
since it was designed for two HUB6 ports.  You just need to add four
more lines to the rs_table[] structure."