This is part of the AfNOG 2005 Workshop, held in conjunction
with the AfNOG meeting in Maputo, Mozambique, in April 2005.
Daily Time Schedule:
Morning
-------
Session-1 08:45 - 10:45
Tea Break 10:45 - 11:00
Session-2 11:00 - 13:00
Lunch Break 13:00 - 14:00
Afternoon
---------
Session-3 14:00 - 16:00
Coffee Break 16:00 - 16:15
Session-4 16:15 - 18:15
In addition to this detailed timetable you can see a summary timetable as well.
Monday morning 8:45am
o Introduction and logistics -- Ayitey Bulley
o Why did we choose FreeBSD? -- Ayitey Bulley
o FreeBSD Tutorial -- Joel Jaeggli and Emmanuel Odoom
* FreeBSD Tutorial Materials.
+ Accounts information
+ Creating a user account for exim and yourself
+ Some basic FreeBSD commands
+ Post-installation configuration
+ Short example using FreeBSD commands
+ Getting FreeBSD 5.2.1 files and others
+ pkg_add: Adding packages or ports by hand
+ Network Information
- ifconfig
- rc.conf
- Stopping and starting the network
- Stopping and starting services
+ Installation Notes
+ Slices and partitions
+ Distribution sets
+ Quick installation guide (using CD-ROM)
+ The FreeBSD Directory Structure
+ A few differences from Linux
Monday morning 11:00am
o DNS Session-1 (Fundamentals): -- Ayitey Bulley and Alain Aina
* DNS Materials.
* Goal: to understand the overall purpose and structure of DNS
+ IP addresses vs. names
+ DNS as a distributed, hierarchical database
+ Domain names and resource records:
- A, PTR, MX, CNAME, TXT, SOA/NS
+ Domain name lookup responses
+ Reverse DNS
+ DNS as client-server model
- Resolver
- Cache
- Authoritative server
+ Testing DNS (dig)
+ Understanding output from dig
+ Practical Exercises:
- Configure Unix resolver
- Use dig { A, other (e.g. MX), non-existent answer, reverse lookup }
- Use tcpdump to show queries being sent to cache
Monday afternoon 2:00pm
o DNS Session-2 (DNS Caching Operation & DNS Debugging): -- Ayitey Bulley and Alain Aina
* Goal: to understand operation of a recursive nameserver
+ Recap of previous session
+ DNS as a distributed database.
+ Resource record NS: referral of answer
+ Caching nameserver and root servers
+ Caching used to reduce load (esp. top level servers)
+ Issue of stale data in caches (problems with distributed systems).
- TTL records on each record
- Negative TTL in SOA
+ Recursion and caching (dig +norec)
+ Demo: www.ticscali.co.uk
+ Practical Exercise:
- Debugging DNS Worksheet (with dig +norec):
. Students work on their own examples
+ Configuring a caching nameserver
- check /var/named/etc/namedb/named.conf
- run tcpdump
- rndc start
- change /etc/resolv.conf to point to your nameserver
- query two times - { Look at 'aa' flag, TTL, query time }
- rndc flush
- cache is authoritative for 127.0.0.1
Monday afternoon 2:00pm
o DNS Session-2 (Continued): -- Ayitey Bulley and Alain Aina
+ What sort of hardware would you choose when building a DNS cache?
+ Improving the configuration of a cache NS
+ Managing a caching nameserver
+ Practical Exercise:
- Building your own cache nameserver
- Improving the configuration of the cache NS
+ Question and Answer session
+ Summary
Tuesday morning 8:45am
o DNS Session-3 (Configuring Authoritative Name Servers): -- Ayitey Bulley and Alain Aina
* Goal: to properly configure an authoritative nameserver
+ Recap of caching NS
+ DNS Replication
+ Outside world cannot tell the difference between master and slave
+ When does replication take place?
+ Two (2) Dangers with serial numbers
+ Configuration of Master & Slave NS
- Format of Resource Records { SOA and NS }
+ Ten (10) Common DNS Operational and Configuration Errors (RFC1912)
+ Reverse DNS (in-addr.arpa.)
+ Delegating Sub-domains
Tuesday morning 11:00am
o Practical Exercise (Configuring authoritative nameservers): -- Ayitey Bulley and Alain Aina
+ Configuring authoritative nameservers { spill over to Tuesday afternoon }
+ Sub-domain delegation - { may go into an evening session }
+ Reverse DNS (/24) - { may go into an evening session }
+ Reverse DNS (less than /24) - { may go into an evening session }
Tuesday afternoon 2:00pm
o Web/Proxy/SSL -- Joel Jaeggli and Emmanuel Odoom
* Web/Proxy/SSL Materials
+ Installation of Squid from source
+ Step-by-step overview of the squid configuration file
Tuesday afternoon 4:15pm
o Web/Proxy/SSL (Continued)
+ Scaling squid and transparent proxy issues (discussion)
- Client Configuration for Proxy Server Use
- Auto Discovery of Proxy in IE Issue
- WPAD Expired RFC
+ Clustering of squid caching servers (discussion)
Wednesday morning 8:45am
o Web/Proxy/SSL -- Joel Jaeggli and Patrick Okui
+ Installing Apache-1.3+mod_ssl from FreeBSD ports
+ Configure Apache with basic configuration
+ Start Apache httpsd daemon and connect to local box
+ Verify local ssl certificate works
+ Configuring Apache with SSL
+ Example SSL Apache configuration file
+ Sample config for Virtual Hosting
Wednesday morning 11:00am
o Mail/Exim -- Philip Hazel and Emmanuel Odoom
* Exim Materials
+ Introduction to Internet Mail
- Mail agents - MUA and MTA
- Message format
- Authentication
- SMTP - Message in transit
- Use of DNS for email
- Delivering a message
- Relay control
- Policy control on email
+ Practical Exercise:
- Installation of Exim and basic tests
Wednesday afternoon 2:00pm:
o Mail/Exim -- Philip Hazel and Emmanuel Odoom
+ Exim Routers and Transports configuration
- Configuration file
- Changing runtime configuration
- Configuration file sections
- Default configuration file layout
- Common global options
- Exim 4 routing
- Simple routing configuration
- Default routers
- Default transports
- Routing to smarthosts
- Virtual domains
- Access control lists
- Good and bad relaying
- Message filtering
- Large installations
- Separating mail functions
+ Practical Exercise:
- Modify routing, virtual domains practical exercises
Wednesday afternoon 4:15pm
o Mail/Exim -- Philip Hazel and Emmanuel Odoom
+ Access Control Lists
+ Practical Exercise:
- Setting up a relaying host
Thursday morning 8:45am
o Mail/Exim -- Philip Hazel and Emmanuel Odoom
+ Practical Exercise:
- Setting up a relaying host
Thursday morning 11:00am
o Mail/Exim -- Philip Hazel and Emmanuel Odoom
+ Practical Exercise:
- Exim system filtering
- Spamassassin Installation
- Modifying Exim configuration file for spam filtering
- ClamAV Installation
- Modifying Exim configuration file for virus filtering
Thursday afternoon 2:00pm
o Mail/Exim -- Philip Hazel and Emmanuel Odoom
+ Managing SPAM
- Filtering unwanted E-mails
- What are the main sources of junk E-mail?
- What are the costs?
- Where can you filter?
- Legal problems with filtering
- Ways to identify spam
- Exim implementation of SRS
- Minimising the joe-jobs we relay
- What should you do?
Thursday afternoon 4:15pm
o POP, IMAP and Web email servers -- Ayitey Bulley
* POP3/Mail Materials:
+ Mailserver scalability
- Linear password files
- Linear mbox files
- Too many files in one directory
- CPU limits
- Disk performance
- Keep your SMTP (smarthost) and POP3 services separate
+ FreeBSD mailserver performance tuning
- Increase kernel limits
- Enable softupdates
- Use SCSI disks
- Spread mail directories across multiple disks
- Put in as much RAM as possible
- Use PCI cards, not ISA
- Maildir and courier-imap POP3/IMAP
+ Practical Exercise:
- Reconfigure exim for Maildir delivery
- Courier practical exercises
. Install courier-authlib from FreeBSD ports collection
. Install courier-imap from FreeBSD ports collection
. Configure the daemons
. Start the daemons
. POP3 and IMAP over SSL
. Install Sqwebmail from FreeBSD ports collection
Friday morning 8:45am
o POP, IMAP and Web email servers -- Ayitey Bulley
+ Practical Exercise ( continued ):
Friday morning 11:00am
o POP, IMAP and Web email servers -- Ayitey Bulley
+ Notes and Clustering and NFS
- Using Network File System (NFS)
- Using Proxies
- Load balancing
- Database backends
- FreeBSD NFS
Friday afternoon 2:00pm
o Security - Joel Jaeggli
* Security Section Materials
+ Authentication
+ Authorisation
+ Integrity
+ Confidentiality
+ Availability (DoS)
+ Host access controls
+ Network access controls
+ Attacks on the host vs. attacks on the network
+ smurf attacks
+ Some Available Resources
+ Cryptographic Methods
- Private key or symmetric ciphers
- Hashing or one-way encryption
- Integrity checks
- Generating encryption keys
- Public key ciphers
- Digital signatures
- Man in the middle attacks
- PGP and SSH notes
Friday afternoon 2:00pm
o Security - Joel Jaeggli
+ SSH Discussion - Security at the Application Layer
- known_hosts files and authorization
- Password challenge authentication
- RSA/DSA Private/Public Key generation
- Public/Private Key use with SSH
- ssh-agent and ssh-add
- Using tunnels with SSH
o Other stuff:
+ DNS+LDAP -- Alain Aina
+ Nagios config files