Virtual hosting allows you to host multiple websites, accessed by unique domain names, from the same IP address (same server). I use this technique on my web server to host multiple websites for myself and a few others. Setting up virtual hosting is not difficult, and can be done with a stock Ubuntu 8.04 server installation and multiple domain names.

What you’ll need:

* Configured Server: Install and configure Ubuntu Server 8 at least to the specifications mentioned in my installation and domain name configuration tutorials. You must have command line access to the server (physical or via ssh).
* Domain Names: In order for virtual hosting to be effective, you obviously need more than one domain name. If you do not own multiple domains, you can create sub-domains (”sub.domain.com”). This can be done in your Namecheap domain manager on the Domain Registration page. You can modify the sub-domains once you create them on the All Host Records Page. When a new domain or sub-domain is added, it will take up to two days to process before it can be accessed. Note: All sub-domains will have the same Dynamic DNS password as their parent domain.

Server Configuration:

* Setup User Accounts: Each of the virtual sites that you setup will have an author with a user account on the server. These users must have access to a home directory to store their website. The user can then transfer files to and from the server via SSH/SFTP (look for a FTP server tutorial in the future). To setup these accounts, type the following into the server command line, replacing newuser with the desired username of the web author, and password with the desired initial password of the web author:

sudo useradd newuser -d /home/newuser

sudo mkdir /home/newuser

sudo passwd newuser password

sudo chown newuser /home/newuser

Repeat this for each website (with related author) you plan to add to your server. Provide the new user with the password you just created for them, and instruct them to change it when they login (SSH) by typing passwd into the server command line.
* Setup Site Directory: In my installation tutorial, we moved the web directory for the server’s default website to /home/yourusername/www. This is fine for a simple, single-website server, but since we will be setting up new virtual sites anyway, we might as well set up an organized website directory structure. Your web directory should consist of three parts, a documents folder where your pages are stored, a cgi-bin folder where your cgi scripts are stored, and a logs folder where your access and error logs are stored. Since you will have different sites with different owners, replicate this structure in the home folder of each site’s author. To do this, type the following into the server command line, replacing username with the username of the web author:

sudo mkdir /home/username/htdocs

sudo chown username /home/username/htdocs

sudo mkdir /home/username/cgi-bin

sudo chown username /home/username/cgi-bin

sudo mkdir /home/username/logs

sudo chown username /home/username/logs

Repeat this for each web author. Note: If you already have an established website for yourself in /home/yourusername/www folder such as mentioned in my installation tutorial, just rename the folder to “htdocs”. Type the following into the server command line, replacing yourusername with your username:

sudo mv /home/yourusername/www /home/yourusername/htdocs

* Enable Virtual Hosting:The first step to setting up virtual hosting is to enable virtual hosts in Apache. This is done by creating a virtual hosts configuration file. Type the following into the server command line:

sudo nano /etc/apache2/conf.d/virtual.conf

Add the following line to the new file:

NameVirtualHost *

Press ctrl+x to quit, y to save changes, then enter to confirm.
* Setup Virtual Sites: Apache makes managing multiple virtual sites easy with its modular structure. It stores each sites configuration file in the /etc/apache2/sites-available/ directory, and allows the administrator to enable or disable them individually with a single command. First, we need to disable and delete the configuration for the default site. Type the following into the server command line:

sudo a2dissite default

sudo /etc/init.d/apache2 reload

sudo rm /etc/apache2/sites-available/default

Now that the default site is gone, create a virtual site for each web author. Type the following into the server command line, replacing sub.domain.com with the [sub]domain name of your site:

sudo nano /etc/apache2/sites-available/sub.domain.com

Now paste the following into the new file, replacing the italicized portions with the appropriate values discussed previously:

#
# sub.domain.com (/etc/apache2/sites-available/sub.domain.com)
#

ServerAdmin youremailaddress
ServerName sub.domain.com
ServerAlias sub.domain.com

# Indexes + Directory Root.
DirectoryIndex index.html index.htm index.php
DocumentRoot /home/authorsusername/htdocs/
# CGI Directory
ScriptAlias /cgi-bin/ /home/authorsusername/cgi-bin/

Options +ExecCGI

# Logfiles
ErrorLog /home/authorsusername/logs/error.log
CustomLog /home/authorsusername/logs/access.log combined

Press ctrl+x to quit, y to save changes, then enter to confirm. Repeat this step for each virtual website.
* Enable site: Now that you have setup your virtual websites, all that is left to do is enable them. Enable each virtual website, one at a time by typing the following into the server command line, replacing sub.domain.com with the names of sites you added in the previous step:

sudo a2ensite sub.domain.com

Note: you can disable a site by typing the similar command into the server command line:

sudo a2dissite sub.domain.com

That’s it! Now, just restart the Apache server and your sites should be online. Type the following into the server command line:

sudo /etc/init.d/apache2 reload

Now you can access separate websites on the same server via unique [sub]domain names. Please comment with any suggestions or additions to these instructions.

from: http://www.corey-m.com/blog/?p=315

DESCRIPTION

The file freshclam.conf configures the Clam AntiVirus Database Updater,
freshclam(1).
The file consists of comments and options with arguments. Each line
that starts with a hash (#) symbol is a comment. Options and arguments
are case sensitive and of the form Option Argument. The (possibly
optional) arguments are of the following types:

STRING String without blank characters.

SIZE Size in bytes. You can use ’M’ or ’m’ modifiers for megabytes
and ’K’ or ’k’ for kilobytes.

NUMBER Unsigned integer.

DIRECTIVES

When an option is not used (hashed or doesn’t exist in the configura‐
tion file) freshclam takes a default action.

Example
If this option is set freshclam will not run.

DatabaseOwner STRING
When started by root, drop privileges to a specified user.
Default:

AllowSupplementaryGroups
Initialize supplementary group access (freshclam must be started
by root).
Default: disabled

DatabaseDirectory STRING
Path to a directory containing database files.
Default: /var/lib/clamav/

Checks NUM
Number of database checks per day.
Default: 12

UpdateLogFile STRING
Enable logging to a specified file. Highly recommended.
Default: disabled.

LogSyslog
Enable logging to Syslog. May be used in combination with
UpdateLogFile.
Default: disabled.

LogFacility
Specify the type of syslog messages - please refer to ’man sys‐
log’ for facility names.
Default: LOG_LOCAL6

PidFile
This option allows you to save the process identifier of the
daemon.
Default: disabled

LogVerbose
Enable verbose logging.
Default: disabled

DNSDatabaseInfo STRING
This directive enables database and software version verifica‐
tion through DNS TXT records.
Default: enabled, pointing to current.cvd.clamav.net

DatabaseMirror STRING
Server name where database updates are downloaded from. In order
to download the database from the closest mirror you should con‐
figure freshclam to use db.xy.clamav.net where xy represents
your country code. If this option is given multiple times,
freshclam(1) tries them in the order given. It’s strongly recom‐
mended that you use db.xy.clamav.net as the first mirror and
database.clamav.net as the second.
Default: database.clamav.net

MaxAttempts NUM
Freshclam(1) tries every mirror this number of times before
switching to the next mirror.
Default: 3 (per mirror)

HTTPProxyServer STR, HTTPProxyPort NUM
Use given proxy server and TCP port for database downloads.

HTTPProxyUsername STR,HTTPProxyPassword STR
Proxy usage is authenticated through given username and pass‐
word.
Default: no proxy authentication

LocalIPAddress IP
Use IP as client address for downloading databases. Useful for
multi homed systems.
Default: Use OS´es default outgoing IP address.

NotifyClamd [STRING]
Notify a running clamd(8) to reload its database after a down‐
load has occurred. Optionally a clamd.conf(5) file location may
be given to tell freshclam(1) how to communicate with clamd(8).
Default: The default is to not notify clamd. See clamd.conf(5)´s
option SelfCheck for how clamd(8) handles database updates in
this case.

OnUpdateExecute STRING
Execute this command after the database has been successfully
updated.
Default: disabled

OnErrorExecute STRING
Execute this command after a database update has failed.
Default: disabled

NOTE

While not reasonable, any configuration option from clamd.conf(5) may
be given.

FILES

/etc/clamav/freshclam.conf
AUTHOR
Lamy,T,. freshclam.conf - Configuration file for Clam AntiVirus Database Updater, Available from:
< http://manpages.ubuntu.com/manpages/dapper/man5/freshclam.conf.html> [02/11/2008/]
Clam AV nuts and bolts
To install Clam Antivirus:

sudo apt-get install clamav
(Providing that your /etc/apt/sources.list file is up to date, you will get a good recent version of Clam antivirus installed on your machine.)

To update your virus definitions:

freshclam

To check files in your home directory:

clamscan

To check files in the entire home directory:

clamscan -r /home

To check files on the entire drive (displaying everything):

clamscan -r /

To check files on the entire drive but only display infected files and ring a bell when found:

clamscan -r –bell –mbox -i /

Run Clam AV from a terminal window!

Why would you run an antivirus scan on an Ubuntu Linux Hoary computer. At this time, the only reason is if you transfer files back and forth to a Windows machine or transfer/serve email. There are yet no known virus/worm/trojan/root-violation problems with properly set-up Ubuntu computers. However, if you use a Hoary distribution as a computer to transfer files from one location to another, they originate/end up on Windows machines, or if you want to scan a network.. this can be useful.

Here is a sample readout from: clamscan -r –bell –mbox -i /home

Quote:
clamscan -r –bell –mbox -i /home
(infected file would be listed here)

———– SCAN SUMMARY ———–
Known viruses: 33840
Scanned directories: 145
Scanned files: 226
Infected files: 1
Data scanned: 54.22 MB
I/O buffer size: 131072 bytes
Time: 20.831 sec (0 m 20 s)
Here is a sample readout from freshclam :
Quote:
root@ubuntu4:/etc/clamav # freshclam
ClamAV update process started at Wed Apr 27 00:06:47 2005
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
daily.cvd is up to date (version: 855, sigs: 714, f-level: 4, builder: ccordes)
To find out what version you have:
Quote:
root@ubuntu4:/etc/clamav # clamscan -V
ClamAV 0.83/855/Tue Apr 26 06:40:32 2005
You can use the –remove flag (clamscan –remove) too automatically remove virus-infected files, but it is not recommended it. Sometimes, clam AV will figure a file is a virus when it is not. Thus, I look at the results and make a decision whether a file should be removed.

For learning about more flags for clamscan, try man clamscan or info clamscan

You can use the at command to schedule clamscan and/or freshclam.
For example:
at 3:30 tomorrow
at>freshclam
at>
job 3 at 2005-04-28 03:30
(You have scheduled and confirmed that the Clam AV update will occur at 3:30 AM tomorrow.

crazybill; April 27th, 2005
http://ubuntuforums.org/showthread.php?t=30060

In order to write DVD/DVD-RW from shell prompt you need to install a package called dvd+rw-tools.

DVD is another good option for backup, archiving, data exchange etc. You can install dvd+rw-tools with following commands. Also note that this package works under *BSD, HP-UX, Solaris and other UNIX like operating systems.

Debian installation:
# apt-get install ‘dvd+rw-tools’

Fedora Core Linux installation:
# yum install ‘dvd+rw-tools’

RedHat Enterprise Linux installation:
# up2date ‘dvd+rw-tools’

First create the ISO image
# mkisofs -r -o /tmp/data.iso /home/data

Now use the growisofs command to write the ISO onto the DVD:
# growisofs -Z /dev/dvd=/tmp/var-www-disk1.iso

To append more data for same DVD:
# growisofs -M /dev/dvd /tmp/file.1

To format (erase) a DVD:
# dvd+rw-format -force /dev/dvd
OR
# dvd+rw-format -force=full /dev/dvd

The dvd+rw-format command formats dvd disk in the specified dvd drive.

To display information about dvd drive and disk using dvd+rw-mediainfo command:
# dvd+rw-mediainfo /dev/dvd

Updating all the software on your system can be a pain, but with Linux it doesn’t have to be that way. We’ll show you how to combine the apt package management system with a task scheduler to automatically update your system.

If you’ve been using Linux for even a short time you’ll surely have experienced the wonders of having a package management system at your disposal. For Debian and Ubuntu users the package manager you get is the excellent apt-get system. apt-get makes installing a new program (e.g. xclock, a graphical clock) as simple as:

% apt-get install xclock

That’s nice, but the real reason apt is so useful is that updating your entire system all at once is just as easy:

% apt-get update
…
% apt-get upgrade
…

This will refresh the apt system with the newest information about packages and then download and install any packages that have newer versions. Do it regularly and you can be sure that you’ve got the latest and most secure software on your machine, without needing to hunt down the newest edition of each program individually.

You can make things even easier, however, by combining the apt system with the Linux scheduling daemon cron. cron let’s you schedule any command to run periodically at given intervals. Take the following command:

% (apt-get update && apt-get -y upgrade) > /dev/null

Which both updates the apt cache and upgrades the system. The -y flag tells apt-get to answer yes to every question, which prevents the process from hanging waiting for user input, say in the middle of the night so the bandwidth from the downloads won’t bother anyone. It’s also a good idea to redirect the output of the command to /dev/null, so that your terminal is not flooded with the results of automatic maintenance.

It’s a bad idea to just install everything regardless of errors, sometimes incompatible software can creep into the repository, and that can bring down your whole system. A better idea if you want to be more careful with what your machine is doing is to add the -d flag, which tells apt to merely download the packages, but not install them. You can then run apt-get dist-upgrade later to install the packages without waiting for them to download, and letting you keep a watchful eye over what’s being installed without having to wait for everything to download.

If you want to use this approach then you can add the following lines to your crontab using crontab -e, which will download new packages every Sunday morning at 12am:

# Automatic package upgrades
0 0 * * 0 root (apt-get update && apt-get -y -d upgrade) > /dev/null

There is still an easier way — using the cron-apt package, which as the name might suggest, combines the cron and apt utilities, but provides a bit more flexibility and a simpler interface — as well as supporting e-mail alerts on errors or new information. cron-apt automatically adds the -d flag, so you’ll have to run apt-get dist-upgrade to install the changes. You can install cron-apt like any other common utility by using apt:

% apt-get install cron-apt

The configuration for cron-apt reside in /etc/cron-apt/config — except how often the script runs, that’s depended on cron so you can find it in /etc/cron.d/cron-apt. One popular configuration change is to add the line:

MAILON=”always”

This will make sure an e-mail is always sent when the update runs, rather than only when an error occurs.

That’s it. Setting up your machine to automatically update itself is as simple as a couple of lines in the console. If you need to have closer control over what is happening during the automatic update process then you’ll want to write your own script, the Ubuntu help pages have a good run down of how to write a script around aptitude to achieve the same results.

Source from: http://www.linux.com/articles/113867
By David Coulson on November 25, 2004 (8:00:00 AM)

With ever-present threats from online attackers and script kiddies, administrators need a firewall on the border of any network. A Linux box can make a particularly effective and capable firewall at a fraction of the cost of a Cisco or Check Point system.

The most obvious use for a firewall is to block unwanted traffic from entering or leaving a network. Firewalls can also make specific connections from outside hosts to internal systems, such as a mail or Web server, either behind the firewall or on a trusted or “de-militarized zone” (DMZ) segment.

Almost every version of the 2.x series of the Linux kernel has a different firewall implementation, with 2.0 using ipfwadm, 2.2 using ipchains, and 2.4 implementing netfilter. 2.6 continues to use netfilter, as it is essentially a plug-in framework within the network subsystem for whichever firewall implementation we choose to use. 2.4 and 2.6 support both ipfwadm and ipchains through backports of the systems to netfilter. They also support iptables, which was specifically written for use with netfilter. iptables is now the standard firewall on Linux systems. With a wide range of plug-in modules and third-party additions, it fits almost every need.

Getting the kernel ready for iptables

Nearly all distributions come with support for iptables. For those who like their own fresh kernel, compiled from scratch, simply select all of the options under “IPv4: netfilter” to provide support for everything iptables has on offer. Once you have a kernel with netfilter and iptables support, verify that iptables is available with the following command:

# iptables -L| grep Chain
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)

If iptables is compiled as modules, as it is in many distributions, the kernel will automatically load the necessary modules for you when it first executes iptables and as you add rules that require a specific module.

iptables structures the filtering processes into a number of tables, which are built by the kernel at boot time. Each table has a distinct function within the network stack and allows an administrator to construct a variety of rules to perform operations against packets heading to, from, or through a firewall. A standard installation will have three distinct tables: filter, which is used to perform filtering on IP packets; nat, used to modify IP or port information to permit, for example, Internet access by a non-routable block; and mangle, which allows you to modify packets’ Type of Service (ToS) values, or to mark packets for lookup in another rule. 2.6 kernels also have a “raw” table, used to perform packet filtering outside of the connection tracking processes.

Filtering packets

The filter table is split up into three separate chains, a list of rules, filtering packets at specific parts of the routing system on the firewall. The INPUT chain is used to match packets hitting the firewall host, OUTPUT to match packets originating on the firewall, and FORWARD contains rules to match packets routed from one interface to another across the firewall.

iptables offers support for connection tracking, which was lacking in both ipchains and ipfwadm. With connection tracking, the kernel keeps a database of existing connections to allow return packets for connections to pass through the firewall. Previous Linux firewall implementations had to check for specific packet types that were common with new connections, or even open ports up for connections. iptables instead allows the state of a connection to be used in a rule, permitting new or existing connections to be handled differently by the kernel. The connection tracking processes within iptables also track multiple connections that are associated with each other, such as FTP data traffic, or ICMP packets returned from a failed connection.

Generally it’s a good idea to populate a firewall ruleset with rules to allow all loopback traffic on the firewall, and allow existing connections permitted by other rules to pass traffic across the firewall. Firewall rules are constructed using a variety of checks, to match our rule against a specific type of packet, a packet to a host or port, or even a packet to or from a specific interface. Rules are inserted into the specific chain as desired by the location in the routeing process when we want to check packets. Should a packet match a rule, the kernel will process the packet based upon the target of the chain, such as dropping the packet, or allowing it to pass through the firewall unfiltered.

The iptables command manages the kernel iptables system, through which you can add, insert, and delete rules on the firewall. As we’ve not selected a specific table, our rules will manipulate the filter table, and the appropriate chain as defined in the command. Firewall rules are very simple, and have a selection of attributes which must be matched for the packet to activate the specific target. The structure of a typical firewall rule entry would be as follows, although IP arguments can be ommitted if they are no necessary for the rule to be matched. You can find detailed information on the specific format of each argument, and the variety of targets available, within the netfilter documentation.

We build our initial configuration with the following commands:

Drop all packets on the firewall in each of the three chains:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Allow traffic in and out over the loopback address for local services on the firewall:
iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT

Drop packets with unknown connection states, such as TCP acknowledgement packets not related to an existing connection:
iptables -A FORWARD -m state –state INVALID -j DROP

Allow packets which are from an existing connection, or packets which are associated with another active connection:
iptables -A FORWARD -m state –state RELATED,ESTABLISHED -j ACCEPT

At this point the firewall is somewhat limited, as it does not allow connections in or out, nor does it allow any traffic to be forwarded between interfaces. If we have eth0 as our outside interface, facing the Internet, eth1 our DMZ with our untrusted hosts on, and eth2 as our trusted network, we can continue the configuration to permit traffic between and to the specific network interfaces:

iptables -A INPUT -i eth2 -p tcp –dport 22 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT

The first rule allows anyone coming from our internal network to connect to our firewall via SSH, which runs on TCP port 22. The iptables -p switch selects the IP protocol used, which could be tcp, udp, icmp, and so forth depending upon the specific requirements of the connection. We also allow the internal network attached to eth2 to connect to our DMZ network on eth1, as well as hosts on the Internet, without restriction.

Network address translation

It is rare nowadays for a network to use only routable IP blocks. The majority of production environments include address blocks commonly known as 1918 addresses, as they are defined in RFC1918. These specific addresses, 10.x.x.x, 172.16.x.x, and 192.168.x.x, are not routed on the Internet, so must be converted to a permitted address before you attempt to make a connection from the internal network to the Internet. This process of rewriting the addresses on a packet is known as network address translation. NAT can also be used to allow hosts on the Internet to access network services that run on devices with non-routable addresses. This means you can run multiple network services on the same public IP address, with each existing on distinct hosts on the DMZ or internal networks.

You add a NAT rule using iptables in almost exactly the same way you add a filter rule, although the target is somewhat different because you must inform the kernel you want to rewrite the packet.

iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j SNAT -to 207.166.198.1

This rule will rewrite any packet leaving eth0 that currently has a source address of 10.1.0.0/16, which would be a block within our internal network, so it leaves eth0 with a source address of 207.166.198.1. This type of rule is known as a Source NAT rule, as it modifies the source address of the packet, which is always placed into the POSTROUTING chain within the nat table. The kernel checks the POSTROUTING chain following the routing decision by the kernel to learn which interface the packet will head out of. You can also establish a Destination NAT rule, where you rewrite a packet coming in from the outside and translate it onto an internal address. These rules are placed in the PREROUTING chain, which is checked as soon as the packet enters the firewall, allowing the kernel to perform the routing based upon the translated destination, rather than the outside address.

For instance, if you wanted to permit Web traffic from the outside to reach the internal IP address 10.2.1.2 of your Web server on the DMZ, you would specify:

iptables -t nat -A PREROUTING -i eth0 -d 207.166.198.20 -p tcp –dport 80 -j SNAT –to 10.2.1.2

This rule rewrites packets heading to TCP port 80 on 207.166.198.20, an outside IP address, to the internal IP of 10.2.1.2. As we’ve not specified a TCP port for the inside address, the destination port will not be modified, so you can run the Web service on port 80 as you normally would.

Mangle

The mangle chain is rarely used, although it is particularly powerful as the basis for routing table manipulation or traffic prioritization on the network. The most common use for mangle is to mark a packet with an integer value, which can be looked up in another rule. Alternativly, using iproute2, we allow the packet to be handled by a distinct routing table. For example, if you use the POSTROUTING chain in the nat table, you can’t match rules against the interface the packet came in on. However, if you mark the packet using the mangle table when it first enters the firewall, you can create a POSTROUTING rule that checks for the mark and rewrites the packet on the way out as appropriate:

iptables -t mangle -A PREROUTING -i eth2 -j MARK –set-mark 0×2 iptables -t nat -I POSTROUTING -o eth2 -m mark -mark 0×2 -j SNAT –to 192.168.1.4

Going further

I’ve only touched the surface of what you can accomplish using iptables and netfilter. The projects have a substantial user base, with very active mailing lists and an IRC channel on irc.freenode.net, #netfilter, where users can discuss configuration issues.