How to setup Linux as an ISP - The Linux-Public-Access-HOWTO
Last modification date : Sun Jun 18 17:05:25 PDT 1995
*****************************************************************************
** WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING **
*****************************************************************************
This HOWTO is not even NEAR finished. As such don't take anything in here
as gospel! In fact, use any of this information at your own risk! I am not
responsible for any nausea, convulsions, brain damage, etc. resulting from
the use, misuse, abuse, or disuse of this document. Do not insert document in
ear canal or expose to mucus membranes. You have been warned.
*****************************************************************************
** WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING **
*****************************************************************************
=============================================================================
I am currently looking for contributors to this HOWTO. If you run Linux as
an ISP and feel you have something to contribute, I'd like to hear about it.
=============================================================================
The Linux-Public-Access-HOWTO
by Dan Hollis, [email protected]
v1.51, 18 June 1995
This document lists common problems encountered while setting up a Linux
system for public access.
1. Introduction
This is the Linux Public Access Box HOWTO. Common problems and issues
most system admins encounter while setting up Linux for public access
will be covered here. However, much of this document is not Linux-
specific and could be just as easily applied to many other Unices. For
the most part however, we will be focusing on problems most commonly
encountered with Linux.
1.1. Copyright
The Linux Public Access HOWTO is copyright (C) 1994 by Dan Hollis. Linux
HOWTO documents may be reproduced and distributed in whole or in part,
in any medium physical or electronic, as long as this copyright notice
is retained on all copies. Commercial redistribution is allowed and
encouraged; however, the author would like to be notified of any such
distributions.
All translations, derivative works, or aggregate works incorporating
any Linux HOWTO documents must be covered under this copyright notice.
That is, you may not produce a derivative work from a HOWTO and impose
additional restrictions on its distribution. Exceptions to these rules
may be granted under certain conditions; please contact the Linux
HOWTO coordinator at the address given below.
In short, we wish to promote dissemination of this information through
as many channels as possible. However, we do wish to retain copyright
on the HOWTO documents, and would like to be notified of any plans to
redistribute the HOWTOs.
If you have questions, please contact Matt Welsh, the Linux HOWTO
coordinator, at [email protected]. You may finger this address for phone
number and additional contact information.
1.2. Other sources of information
o man pages for: mgetty, setserial, zsh, identd, tcpd, smail
1.3. New versions of this document
New versions will be placed on
sunsite.unc.edu:/pub/Linux/docs/HOWTO/LPA-HOWTO,
and the mirror sites. The Linux-Public-Access-HOWTO
(http://sunsite.unc.edu/mdw/HOWTO/LPA-HOWTO.html) is also available
for WWW clients such as mosaic.
1.4. Feedback
Please send me any questions, comments, suggestions, or additional
material. I'm always eager to hear about what you think about the
HOWTO. I'm also always on the lookout for improvements! Tell me
exactly what you don't understand, or what could be clearer. You can
reach me at [email protected] via email. I can also be reached at:
Dan Hollis
P.O. Box 1588
Grants Pass, OR 97526
via snail mail, and at my home page (http://www.anime.net/LPA-HOWTO)
via the WWW.
Please include the version number of the LPA-HOWTO when writing,
this is version 1.4.
1.5. Disclaimer
Your mileage may vary. The answers given may not work for all systems
and all setup combinations.
Table of contents:
1. What distribution of Linux do I use?
2. What equipment do I use?
3. What can I do to maximize performance?
4. When users hangup, processes are left hanging on 'con'!
5. All the users on ttyS16-ttyS32 don't show up in 'who'!
6. Setting up a PPP server
7. How do I track incoming telnet, finger, etc.?
8. What's the easiest way to set up a menu system?
9. I'm having no luck with agetty and/or getty_ps!
10. I can receive news, but posting through tin doesn't work!
11. How do I prevent users from logging onto multiple serial ports at
the same time?
12. My inetd keeps dying! Help!
13. I'm using smail, and I can't mail any MX hosts!
14. What packages in the Slackware distribution are broken?
15. What about security?
16. What about monitoring?
17. Sources of information?
18. Handy tidbits
19. I can't get the last 4 ports of a second BOCA 2016 to work!
1. What distribution of Linux do I use?
By far the simplest installation is Slackware. A number of packages are
broken, but are widely known and easily replaced (see item #14).
Comments on other distributions (Debian? MCC? Yggdrasil?) are welcome.
2. What equipment do I use?
Serial boards vs. Terminal Servers
==================================
What are the specific advantages between a terminal server and a
multiport serial board?
Serial board
------------
Advantages : Super cheap (in comparison to a terminal server). Lets an ISP
"get their foot in the door" so to speak. A bit easier to configure and
control than a terminal server, since the ports hang directly off the
main CPU.
Disadvantages : Loads down the CPU with serial processing. Takes up a
motherboard slot.
Terminal server
---------------
Advantages : Offloads serial processing from the main CPU. Most Terminal
Servers can handle PPP/SLIP, so if your main CPU crashes the Terminal
Server can still give your users PPP/SLIP. Doesn't use a motherboard slot :)
Disadvantages : Expensive -- your average terminal server can run $2500.
Can be difficult to configure.
Serial Boards
=============
I have had great success with the BOCA 2016 board. It's super cheap,
and provides 16 ports (each having a 16550A UART) on a single shared
IRQ. It's very simple to configure for Linux (you use setserial), and
works very well. The 2016 supports full hardware flow control and can go
up to 115k on all ports. The 2016 is a single half-length ISA card with
a thick centronics-like connector in the back that goes into an external
box with 16 RJ45 sockets in it. You then use RJ45 25 pin RS232
connectors to connect to your modems.
For those planning on making their own cables, beware : the 2016
uses non-standard *10 WIRE* RJ45 25 pin RS232 connectors. RJ45 is
usually 8 wire, you will have a difficult time finding 10 wire
connectors. You are generally better off buying your cables pre-made from
BOCA.
WARNING! The BOCA 1008 and 1004 do _not_ support RI, DCD, DSR, or DTR,
making them quite worthless for modems. They work great for dumb
terminals however.
For an excellent article on intelligent serial boards (Comtrol,
Cyclades, Stallion, Digiboard) read the "Review: Intelligent Multiport
Serial Boards" article in the June 1995 Linux Journal. You can retrieve
benchmark results via the WWW at http://www.ssc.com/LJ/issue14/serial/
Terminal Servers
================
It's not often you find a piece of hardware as highly recommended as the
Livingston Portmaster line. We purchased several PM2eR's which are
combination Terminal Servers/Routers. Lots of bang for the buck. Livingston's
direct software support for Linux is to be commended as well. For an ISP, a
PM2eR is about as close to a "POP in a box" as you can get.
Note: PM2eR's make fantastic terminal servers, but rather poor
routers. As long as your routing requirements are very modest, you'll love
these things to death. You just better be prepared to settle for RIP (no
BGP) and rather restrictive subnet and interface allocation.
Modems
======
Personally I recommend the AT&T Dataport Express for 14.4 modems. Note
BTW that the AT&T 28.8 is exactly the opposite, totally unreliable.
Some ISPs swear by the USR Sportster. Other ISPs swear at it.
3. What can I do to maximize performance?
The biggest performance hit will most likely come from thrashing. This
is caused by a lack of RAM. Memory pressures on an overloaded machine
will cause it to constantly page virtual RAM to and from your swap
partition. Unfortunately, this takes large amounts of time, and bashes
your drive.
You can alleviate part of the problem by placing the swap partition
on a drive that is completely separate from your root partition.
You can avoid thrashing altogether by maintaining enough RAM for
programs (and preferably a little breathing room for some disk buffers).
A good rule of thumb seems to be 2mb RAM per user.
Generally you will find that adding more RAM will speed your machine
up more than upgrading your CPU.
4. When users hangup, processes are left hanging on 'con'!
You are probably using bash for the login shell. Bash handles killing
child processes in a way that does not seem suitable for dial-in shells.
The solution is to change to a shell that kills its child processes
properly (I use Zsh).
Don't think you'll avoid this problem by using a terminal server. It
affects both terminal servers and multiport serial cards.
5. All the users on ttyS16-ttyS32 don't show up in 'who'!
From a post on comp.os.linux.help (truncated for only the relevant bits):
Newsgroups: comp.os.linux.help
From: [email protected]
Date: Tue, 10 Jan 1995 20:14:26 UTC
Subject: Strange problem w/talk & finger
Here's the problem:
At different times, a given individual may want to execute the talk command
to another on-line user. No problem, right? That's what we thought, too.
However, the finger and talk commands often do not acknowledge that a user is
logged on to our machine. In fact, their output varies considerably from time
to time, causing great headaches for myself and my partners. I have included
two sample runs, which I'll show now. In each case, I am logged in as mschaff,
and you'll notice that several others are logged in as well. (I first include
the output from ps -aux, then from the finger command). Each time, the finger
output is way off. Here's the first sample (btw, our host is named host1):
host1:~$ ps -aux
USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
bwalton 14947 0.0 5.5 348 400 s17 S 19:44 0:00 -bash
bwalton 14957 0.0 5.8 365 420 s17 S 19:47 0:00 -bash
bwalton 14965 0.0 8.1 697 592 s17 S 19:48 0:01 lynx http://www.timeinc
jhodges 15551 0.0 6.6 376 484 s16 S 21:59 0:00 -bash
jhodges 15620 0.1 8.0 676 584 s16 S 22:09 0:01 lynx
mschaff 15680 0.7 6.6 376 484 s19 S 22:25 0:01 -bash
mschaff 15708 0.0 2.8 81 208 s19 R 22:28 0:00 ps -aux
host1:~$ finger
Login Name Tty Idle Login Time Office Office Phone
mschaff Mitchell Schaff S1 Jan 2 22:25
As you can see, the users bwalton and jhodges did not show up on the finger
command, though they were clearly logged on. Now, here's a second example,
taken about 20 minutes later:
host1:~$ ps -aux
USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
bwalton 14947 0.0 5.5 348 400 s17 S 19:44 0:00 -bash
bwalton 14957 0.0 5.8 365 420 s17 S 19:47 0:00 -bash
bwalton 14965 0.0 8.1 697 592 s17 S 19:48 0:01 lynx http://www.timeinc
jhodges 15551 0.0 6.6 376 484 s16 S 21:59 0:00 -bash
jhodges 15788 0.0 2.8 85 204 s16 S 22:39 0:00 sz tennis.zip
mschaff 15680 0.1 6.8 380 492 s19 S 22:25 0:01 -bash
mschaff 16279 0.0 2.8 81 208 s19 R 22:45 0:00 ps -aux
tjerde 15649 0.0 6.7 380 488 s18 S 22:20 0:00 -bash
tjerde 15786 0.0 3.4 112 248 s18 S 22:37 0:00 telnet 139.103.2.5 4321
host1:~$ finger
Login Name Tty Idle Login Time Office Office Phone
tjerde Todd Jerde S1 Jan 2 22:37
This time, you'll notice that the mschaff login (mine) does not show up, and
neither do those of bwalton or jhodges. Interestingly enough, tjerde does.
Oh, one other thing. If I issue the talk command to a user who is logged
on, but does not show up on the finger command, the talk output informs me that
the user is not logged on. However, if another user lucks out, and my userid
shows up on the finger command and they start a talk session with me, I *CAN*
then issue the talk command, and the talk session proceeds normally. Is this
weird, or what?
Regards,
Mitchell Schaff
System Administrator
Dakota Internet Access
[email protected]
(701) 572-2903
-------------------------------------------------------------------------
Ok, let's look at this problem a little closer:
ps shows tjerde logged into ttyS18:
tjerde 15649 0.0 6.7 380 488 s18 S 22:20 0:00 -bash
however finger shows tjerde logged into ttyS1:
Login Name Tty Idle Login Time Office Office Phone
tjerde Todd Jerde S1 Jan 2 22:37
The default Linux distributions use devices ttyS16 through ttyS32.
Unfortunately, it seems login is truncating the tty to 5 characters. 6
char device names like ttyS16 get cut off, therefore confusing programs
like 'who', 'finger', and 'talk' into thinking people are not really
logged on. The solution? Rename your devices to 5 character names. I use ttyB0
through ttyBF. (The 'B' meaning Boca Board :)
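Before renaming anything, it helps to see exactly which names will be cut off and what they would become. The following shell script is an added example (not part of the HOWTO): it checks whether a device name fits in a 5-character tty field, maps ttyS16..ttyS31 (the 16 ports of one BOCA 2016) onto the ttyB0..ttyBF scheme above using the hex value of the port number minus 16, and prints the mv commands that would perform the rename without executing them.

```sh
#!/bin/sh
# Added example, not part of the HOWTO: report serial device names that a
# 5-character tty field would truncate, and print the renames that map
# ttyS16..ttyS31 onto the HOWTO's ttyB0..ttyBF scheme.

# utmp_safe NAME: succeeds when NAME fits in 5 characters.
utmp_safe() {
    [ "${#1}" -le 5 ]
}

# short_tty_name NAME: ttySN with N >= 16 becomes ttyB<hex of N-16>
# (ttyS16 -> ttyB0, ttyS31 -> ttyBF); anything else is returned unchanged.
short_tty_name() {
    case "$1" in
        ttyS[0-9]*)
            n=${1#ttyS}
            if [ "$n" -ge 16 ]; then
                printf 'ttyB%X\n' $((n - 16))
                return
            fi
            ;;
    esac
    printf '%s\n' "$1"
}

# rename_commands NAME...: for every name that is not utmp-safe, print the
# mv command that would fix it.  Nothing is executed here; review the
# output, then run it (or create the new device nodes) yourself.
rename_commands() {
    for dev in "$@"; do
        if ! utmp_safe "$dev"; then
            printf 'mv /dev/%s /dev/%s\n' "$dev" "$(short_tty_name "$dev")"
        fi
    done
}

# Stand-alone run with no arguments: report on ttyS16..ttyS31.
if [ "$#" -eq 0 ]; then
    i=16
    while [ "$i" -le 31 ]; do
        rename_commands "ttyS$i"
        i=$((i + 1))
    done
fi
```

Run it with no arguments to get the sixteen mv lines for a board on ttyS16..ttyS31; names that already fit (ttyS0..ttyS15) produce no output, so the script can be run over the whole /dev listing to find only the problem ports.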
6. Setting up a PPP server
By far the easiest way to set up a PPP server is to call pppd with the
'proxyarp' option. The NET-2 HOWTO says this is a bad idea, but I don't
know why: it is currently the only way to make this work.
Here's example scripts for zero care and feeding for a dynamically
assigned PPP server:
/etc/passwd:
------------
user:password:uid:gid:Real Name:/home/user:/bin/zsh
Puser:password:uid:gid:Real Name (PPP):/tmp:/etc/ppp/dynamic_ppp
/etc/ppp/options:
-----------------
-detach modem crtscts proxyarp
/etc/ppp/dynamic_ppp:
---------------------
#!/bin/sh
#
# Dynamic PPP allocation script
# Assigns a PPP address based on the tty the user dialed in on.
# Used as the login "shell" of the Puser account above.
#
choice=`tty | cut -b6-10`   # strip the leading "/dev/"
case $choice in
ttyB0) exec /usr/lib/ppp/pppd :xxx.xxx.xxx.200;;
ttyB1) exec /usr/lib/ppp/pppd :xxx.xxx.xxx.201;;
ttyB2) exec /usr/lib/ppp/pppd :xxx.xxx.xxx.202;;
*)     echo "No PPP address assigned for $choice" >&2; exit 1;;
esac
7. How do I track incoming telnet, finger, etc.?
If you haven't installed the tcp wrappers suite, you should do so.
Note however, the Slackware and Yggdrasil distributions come with a tcpd
compiled without two useful options: scripting language and rfc931 support.
Get the tcpd sources off of sunsite and recompile it. The tcp wrapper daemon
'tcpd' allows you to run programs in place of the normal daemons, and the
hosts.allow and hosts.deny files allow you to allow or deny access to
services based e.g. on host names, identd authentication, etc. I run
shell scripts which decide whether or not to allow a telnet to even
start up based on a combination of IP address and rfc931 authentication.
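What such a decision script can look like, as an added example (not code from the HOWTO or from the tcp wrappers package): tcpd runs it in place of in.telnetd via a hosts.allow "twist" line, passing the client address and the rfc931 user name, and the script starts the real daemon only if a rule in a small access file matches. The rule file format, its path /etc/telnet.access, the log file and the hosts.allow line are all assumptions made for this example; %a and %u are the address and user substitutions documented in hosts_options(5).

```sh
#!/bin/sh
# Added example, not from the HOWTO or the tcp wrappers package: a policy
# script run by tcpd instead of in.telnetd.  Assumed hosts.allow line:
#   in.telnetd: ALL: twist /usr/local/sbin/telnet_policy %a %u
# where %a is the client address and %u the rfc931 user (or "unknown"
# when ident gives no answer).

ACCESS_FILE=${ACCESS_FILE:-/etc/telnet.access}   # hypothetical rule file
LOG_FILE=${LOG_FILE:-/var/adm/telnet_policy}     # hypothetical log file
TELNETD=${TELNETD:-/usr/sbin/in.telnetd}

# Rule file format (constructed for this example), one rule per line:
#   <address or dotted prefix>   <ident user or *>
# A prefix must end in a dot ("192.168.1.") so that 10.1 cannot match 10.10.
# A rule naming a specific user never matches "unknown", so hosts without
# ident only get in through "*" rules.

# matches_addr RULE ADDR: prefix match if RULE ends in ".", else exact.
matches_addr() {
    case "$1" in
        *.) case "$2" in "$1"*) return 0 ;; esac ;;
        *)  [ "$2" = "$1" ] && return 0 ;;
    esac
    return 1
}

# allowed ADDR USER: succeeds when some rule matches both fields.
allowed() {
    addr=$1 user=$2
    while read -r ruleaddr ruleuser; do
        case "$ruleaddr" in ''|'#'*) continue ;; esac   # blank or comment
        if matches_addr "$ruleaddr" "$addr"; then
            if [ "$ruleuser" = '*' ] || [ "$ruleuser" = "$user" ]; then
                return 0
            fi
        fi
    done < "$ACCESS_FILE"
    return 1
}

# decide ADDR USER: log the outcome; status 0 = allow, 1 = deny.
decide() {
    if allowed "$1" "$2"; then
        echo "`date`: allow $2@$1" >> "$LOG_FILE"
        return 0
    fi
    echo "`date`: deny $2@$1" >> "$LOG_FILE"
    return 1
}

# Entry point when tcpd invokes us with the two substituted arguments.
if [ "$#" -eq 2 ]; then
    if decide "$1" "$2"; then
        exec "$TELNETD"
    fi
    echo "Access denied."
    exit 1
fi
```

Both the allow and the deny path are written to the log, so the file doubles as the telnet connection record the section title asks for; a denied connection never reaches the real daemon because the script exits instead of exec'ing it.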
8. What's the easiest way to set up a menu system?
I have found that the easiest way to create a spiffy menu with the
least amount of effort is to use the 'dialog' package, and write a bunch
of shell scripts to drive it.
9. I'm having no luck with agetty and/or getty_ps!
Use Mgetty. Mgetty is a much better replacement getty. It requires
nearly nil configuration, and will even allow incoming and outgoing
FAXes! Not only that, but it also supports caller ID (for blacklisting,
tracking, etc.) and if you are lucky enough to have a modem that
supports it, Mgetty will do voice mail as well.
10. I can receive news, but posting through tin doesn't work!
You probably forgot to put something like
export NNTPSERVER="your.host.name"
in /etc/profile :)
11. How do I prevent users from logging onto multiple serial ports at
the same time?
I had problems with people logging in on multiple lines and hogging the
dial-ins. Here's what I stuck into my /etc/profile. It prevents multiple
logins on /dev/ttyB* lines but allows any other kind of logins through
(e.g. telnet, etc.)
#
# Don't allow multiple logins on dial-in user lines.
# Log multiple login attempts.
#
logtty="`tty | grep ttyB | cut -b6-10`"     # this session's dial-in line, empty if not ttyB*
logptty="`tty | grep ttyp | cut -b6-9`"     # "ttyp" when this is a pseudo-tty (telnet etc.)
logwho="`whoami | cut -b1-8`"               # login name as who(1) prints it
logmore="`who | grep ttyB | grep -w $logwho | cut -b10-14`"   # dial-in lines this user already holds
if [ "$logtty" != "$logmore" ]; then        # more than just this line is listed for the user
    if [ "$logptty" != "ttyp" ]; then       # ...and this is not a telnet session, so it's a second dial-in
        cat /etc/not_allowed
        date >> /var/adm/multiple_login
        echo "Multiple login attempt: [$logwho] on [$logtty]" >> /var/adm/multiple_login
        echo "Currently on these lines:" >> /var/adm/multiple_login
        echo "$logmore" >> /var/adm/multiple_login
        echo "-------------------------" >> /var/adm/multiple_login
        exit
    fi
fi
The file /etc/not_allowed should contain a warning message to be displayed
to users when they try logging in on multiple lines.
If you have a terminal server, you are obviously out of luck using this
method.
12. My inetd keeps dying! Help!
Unfortunately the NET-2 package is not quite "there" yet. Until it is,
here's a patch that will watch to see when inetd dies, and respawn it if
it does.
[... script missing ...]
13. I'm using smail, and I can't mail any MX hosts!
The smail distributed with most versions of Linux is broken in several
ways; the most notable flaw is that it does not have the 'bind' driver
compiled in, so smail cannot look up MX hosts. One symptom of this
problem is not being able to mail users at aol.com, etc.
Solution: download a fixed version of smail. Here's a source:
ftp://ftp.uu.net/networking/mail/smail
smail-linuxbin-3.1.29.1.tar.gz (binary)
smail-3.1.29.1.tar.gz (source)
Since many people will simply download the binary and won't RTFM, here's
a tip: the binary version stores all the config files in /etc/smail, not
/usr/lib/smail.
14. What packages in the Slackware distribution are broken?
Named is broken. Get a newer one.
Smail is broken (mainly with MX hosts). Get a newer one (see above).
Tcpd, while not broken, is compiled without many useful features.
Download the source and re-compile it.
15. What about security?
Security Measures:
==================
Install shadow passwords. Do it. Now.
Filter out IP source routing in your router. This is to prevent IP address
spoofing.
There are a number of rather good packages which, correctly applied, make
for a nicely secure system:
'cfingerd' is a wonderfully configurable fingerd replacement. It is as
secure as you want to make it, and it has a lot of very nice features.
Available from ftp://bitgate.com:/pub/cfingerd/
'smtp_wrap', currently in development, will prevent e-mail forgery.
Security Holes:
===============
Versions of Thomas Koenig's "at/atrun" package earlier than version 2.7
have a bug which can allow users root access. "at -V" will reveal which
version you have. If you do not have version 2.7 or 2.7a you should upgrade
immediately.
All known current distributions of Linux have an insecure portmapper
(rpc.portmap) that should be replaced. The secure version can be
downloaded from the following URL:
Secure portmapper:
ftp://linux.nrao.edu/pub/linux/security/nfsd/portmap-3.tar.gz
You will need the tcp wrapper library to compile and use the secure
portmapper.
All known current distributions of Linux have an insecure NFS server
(rpc.nfsd) that should be replaced. Download the latest secure version of
the NFS server from the following URL:
Universal NFS Server 2.2alpha3:
ftp://linux.nrao.edu/pub/linux/security/nfsd/nfs-server-2.2alpha3.tar.gz
16. What about monitoring?
For monitoring a Linux based network, I have found a program called
tkined immensely useful. It's a Tcl/Tk based X windows network
administration / monitoring program that has support for SNMP.
I use it to monitor all our routers. Using SNMP, tkined can display the
interface load of each router. tkined can also monitor the reachability
of hosts on your network so you can use it to instantly alert you if a
part of the network goes down. Very handy, it saves a lot of time when
looking for the cause of a network outage.
17. Sources of information?
Here are some sources of information that should be of value to ISPs:
Mailing Lists
-------------
ISPA list (Internet Service Providers Association)
[email protected]
body of text should contain one line - "subscribe"
IAP list (Small Internet Access Providers)
[email protected]
body of text should contain one line - "subscribe iap"
Linux-ISP (Linux based Internet Access Providers)
[email protected]
body of text should contain one line - "subscribe"
BIG-LINUX (Linux Servers mailing list)
[email protected]
body of text should contain one line - "subscribe big-linux"
Web Pages
---------
Linux Internet Service Providers
http://www.infocom.net/~linuxisp/
So you wanna be an Internet Service Provider (ISP)
http://www.vicnet.net.au/vicnet/help/isp.htm
Internet Hardware, Software, Services and Information Suppliers List
http://www.portia.com/sup/supply.html
DNS Secondary Service Exchange
http://www.ua.com/dnsmatch/sites.html
18. Handy tidbits
From Scott Jennings on the BIG-LINUX mailing list comes the following
cool tidbit to add to root's crontab:
# remove temp files older than 12 hours, every hour.
# (-mindepth 1 keeps find from handing /tmp itself to rm; the ";" that
#  ends -exec must be escaped, since cron runs the line through /bin/sh)
30 * * * * find /tmp/ -mindepth 1 -mmin +720 -exec rm -rf {} \;
Here are crontab entries to keep your clock in sync with the NIST atomic clock
(five fields: minute hour day month weekday; cron runs the command under
/bin/sh, so use "> /dev/null 2>&1" rather than csh's ">&"):
# Sync with NIST clock at 00:30 every night
30 0 * * * /usr/sbin/netdate 132.163.135.130 > /dev/null 2>&1
# Write the new time to CMOS five minutes later
35 0 * * * /sbin/clock -w
19. I can't get the last 4 ports of a second BOCA 2016 to work!
We recently put another BOCA 2016 in the system and were experiencing the
following problem:
When I tried to configure the serial ports on the second board, all but the
last 4 configured correctly. The last 4 responded as follows:
/dev/cua44: No such device
/dev/cua45: No such device
/dev/cua46: No such device
/dev/cua47: No such device
As usual, Theodore Ts'o has the answer:
"You need to extend the rs_table[] structure in serial.c. It currently
only reserves enough room for 12 ports after the standard BOCA ports,
since it was designed for two HUB6 ports. You just need to add four
more lines to the rs_table[] structure."