AfNOG 2005 Workshop

Track 1 - Scalable Internet Services

This is part of the AfNOG 2005 Workshop, held in conjunction 
with the AfNOG meeting in Maputo, Mozambique, in April 2005. 

Daily Time Schedule:

Morning
-------
Session-1    08:45 - 10:45
Tea Break    10:45 - 11:00
Session-2    11:00 - 13:00
Lunch Break  13:00 - 14:00

Afternoon
---------
Session-3    14:00 - 16:00
Coffee Break 16:00 - 16:15
Session-4    16:15 - 18:15

In addition to this detailed timetable you can see a summary timetable as well.

Monday morning 8:45am
  o Introduction and logistics -- Ayitey Bulley
  o Why did we choose FreeBSD? -- Ayitey Bulley
  o FreeBSD Tutorial -- Joel Jaeggli and Emmanuel Odoom
    * FreeBSD Tutorial Materials.
      + Accounts information
      + Creating a user account for exim and yourself
      + Some basic FreeBSD commands
      + Post-installation configuration
      + Short example using FreeBSD commands
      + Getting FreeBSD 5.2.1 files and others
      + pkg_add: Adding packages or ports by hand
      + Network Information
        - ifconfig
        - rc.conf
        - Stopping and starting the network
        - Stopping and starting services
      + Installation Notes
      + Slices and partitions
      + Distribution sets
      + Quick installation guide (using CD-ROM)
      + The FreeBSD Directory Structure
      + A few differences from Linux
Monday morning 11:00am
  o DNS Session-1 (Fundamentals) -- Ayitey Bulley and Alain Aina
    * DNS Materials.
    * Goal: to understand the overall purpose and structure of DNS
      + IP addresses vs. names
      + DNS as a distributed, hierarchical database
      + Domain names and resource records:
        - A, PTR, MX, CNAME, TXT, SOA/NS
      + Domain name lookup responses
      + Reverse DNS
      + DNS as a client-server model
        - Resolver
        - Cache
        - Authoritative server
      + Testing DNS (dig)
      + Understanding output from dig
      + Practical Exercises:
        - Configure the Unix resolver
        - Use dig { A, other (e.g. MX), non-existent answer, reverse lookup }
        - Use tcpdump to show queries being sent to the cache

Monday afternoon 2:00pm
  o DNS Session-2 (DNS Caching Operation & DNS Debugging) -- Ayitey Bulley and Alain Aina
    * Goal: to understand the operation of a recursive nameserver
      + Recap of previous session
      + DNS as a distributed database
      + Resource record NS: referral of answer
      + Caching nameserver and root servers
      + Caching used to reduce load (esp. on top-level servers)
      + Issue of stale data in caches (problems with distributed systems)
        - TTL on each record
        - Negative TTL in SOA
      + Recursion and caching (dig +norec)
      + Demo: www.tiscali.co.uk
      + Practical Exercise:
        - Debugging DNS Worksheet (with dig +norec):
          . Students work on their own examples
      + Configuring a caching nameserver
        - check /var/named/etc/namedb/named.conf
        - run tcpdump
        - rndc start
        - change /etc/resolv.conf to point to your nameserver
        - query two times
        - { Look at 'aa' flag, TTL, query time }
        - rndc flush
        - the cache is authoritative for 127.0.0.1

Monday afternoon 2:00pm
  o DNS Session-2 (Continued) -- Ayitey Bulley and Alain Aina
      + What sort of hardware should you choose when building a DNS cache?
      + Improving the configuration of a cache NS
      + Managing a caching nameserver
      + Practical Exercise:
        - Building your own cache nameserver
        - Improving the configuration of the cache NS
      + Question and Answer session
      + Summary

Tuesday morning 8:45am
  o DNS Session-3 (Configuring Authoritative Name Servers) -- Ayitey Bulley and Alain Aina
    * Goal: to properly configure an authoritative nameserver
      + Recap of caching NS
      + DNS Replication
      + The outside world cannot tell the difference between master and slave
      + When does replication take place?
      + Two (2) dangers with serial numbers
      + Configuration of Master & Slave NS
        - Format of Resource Records { SOA and NS }
      + Ten (10) common DNS operational and configuration errors (RFC 1912)
      + Reverse DNS (in-addr.arpa.)
      + Delegating sub-domains

Tuesday morning 11:00am
  o Practical Exercise (Configuring authoritative nameservers) -- Ayitey Bulley and Alain Aina
      + Configuring authoritative nameservers { spill over to Tuesday afternoon }
      + Sub-domain delegation { may go into an evening session }
      + Reverse DNS (/24) { may go into an evening session }
      + Reverse DNS (less than /24) { may go into an evening session }
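Added example for the caching-nameserver exercise in DNS Session-2 (this is not part of the workshop materials): a shell script that pulls the three things the exercise says to look at, the 'aa' flag, the answer TTL and the query time, out of dig output, and uses them to tell an answer from an authoritative server apart from one served out of a cache. The two dig captures embedded in it are constructed (example.com documentation zone, made-up addresses and timings); in the exercise you run dig twice against your own cache and compare the real output.

```shell
# Added example (not workshop material): summarise the parts of dig output
# the caching exercise asks you to look at. Both captures below are
# constructed, not real responses.

dig_summary() {             # reads dig output on stdin, prints one line
    awk '
        /^;; flags:/ {
            line = $0
            sub(/^;; flags: */, "", line)   # keep only the flag list
            sub(/;.*$/, "", line)           # drop "; QUERY: 1, ..." onwards
            aa = "no"
            n = split(line, fl, " ")
            for (i = 1; i <= n; i++) if (fl[i] == "aa") aa = "yes"
        }
        /^;; ANSWER SECTION:/ { inans = 1; next }
        inans && NF >= 5 && $3 == "IN" { ttl = $2; inans = 0 }   # first answer RR
        /^;; Query time:/ { qtime = $4 }
        END { printf "aa=%s ttl=%s qtime=%sms\n", aa, ttl, qtime }
    '
}

# served_from_cache FIRST SECOND: exit 0 when the second capture of the same
# query looks like it came out of a cache rather than from an authoritative
# server: the 'aa' flag is gone and the TTL has counted down since the first.
served_from_cache() {
    s1=$(printf '%s\n' "$1" | dig_summary)
    s2=$(printf '%s\n' "$2" | dig_summary)
    ttl1=${s1#*ttl=}; ttl1=${ttl1%% *}
    ttl2=${s2#*ttl=}; ttl2=${ttl2%% *}
    case "$s2" in
        "aa=no "*) [ "$ttl2" -lt "$ttl1" ] ;;
        *) return 1 ;;
    esac
}

# Constructed sample: first answer straight from an authoritative server
# (aa set, full 86400 s TTL, slow), second from a cache 20 seconds later.
DIG_AUTH='
; <<>> DiG 9.3.0 <<>> www.example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4321
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.com.        86400   IN      A       192.0.2.10

;; Query time: 212 msec
'
DIG_CACHE='
; <<>> DiG 9.3.0 <<>> www.example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8765
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.com.        86380   IN      A       192.0.2.10

;; Query time: 1 msec
'

printf '%s\n' "$DIG_AUTH"  | dig_summary     # aa=yes ttl=86400 qtime=212ms
printf '%s\n' "$DIG_CACHE" | dig_summary     # aa=no ttl=86380 qtime=1ms
if served_from_cache "$DIG_AUTH" "$DIG_CACHE"; then
    echo "second answer came from the cache"
fi
```

Pipe real dig output into dig_summary (dig @127.0.0.1 www.example.com | dig_summary) after pointing /etc/resolv.conf at your cache; the first query should be slow and the second fast with a smaller TTL. The one case where 'aa' stays set on your cache is the loopback reverse zone it is authoritative for, which is the last item of the exercise.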
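Added example for the replication and serial-number points in DNS Session-3 (not part of the workshop materials): RFC 1982 serial-number arithmetic in shell, showing why a slave transfers or ignores a zone and how to get out of the second serial-number danger, a serial that was accidentally set far too high. The serial values are made up.

```shell
# Added example (not workshop material): RFC 1982 serial-number arithmetic,
# which is what a slave uses to decide whether to transfer a zone. SOA
# serials are unsigned 32-bit; "A is newer than B" means the distance from
# B forward to A, modulo 2^32, is between 1 and 2^31-1. Plain integer
# comparison gets the wrap-around cases wrong. Serial values below are made up.

MOD=4294967296     # 2^32
HALF=2147483648    # 2^31

# serial_gt A B: exit 0 if serial A is newer than serial B
serial_gt() {
    d=$(( ($1 - $2 + MOD) % MOD ))
    [ "$d" -gt 0 ] && [ "$d" -lt "$HALF" ]
}

# will_transfer MASTER_SERIAL SLAVE_SERIAL: prints yes or no
will_transfer() {
    if serial_gt "$1" "$2"; then echo yes; else echo no; fi
}

# rollback_plan CURRENT WANTED: the serials to publish, one per line and in
# order, to get a zone from an over-large serial (a typo such as 2050041501
# instead of 2005041501) back to WANTED without slaves ignoring the change.
# Either WANTED is already "newer" modulo 2^32 and can be set directly, or
# we first publish CURRENT + 2^31 - 1, wait for every slave to transfer,
# and only then publish WANTED.
rollback_plan() {
    cur=$1; want=$2
    if [ "$cur" -eq "$want" ] || serial_gt "$want" "$cur"; then
        echo "$want"; return 0
    fi
    step=$(( (cur + HALF - 1) % MOD ))
    if serial_gt "$step" "$cur" && serial_gt "$want" "$step"; then
        echo "$step"; echo "$want"; return 0
    fi
    echo "rollback_plan: no two-step path from $cur to $want" >&2
    return 1
}

# Danger 1: editing the zone but forgetting to bump the serial, so slaves
# never refetch it.
will_transfer 2005041501 2005041501     # no
# Danger 2: a typo pushed the serial 45 years ahead. Simply correcting it
# does nothing, because to the slaves the corrected value looks older.
will_transfer 2005041501 2050041501     # no
# The way out: two steps, each of which the slaves accept as newer.
rollback_plan 2050041501 2005041502     # 4197525148, then 2005041502
```

Between the two steps, check with dig SOA against every slave that the intermediate serial has actually been picked up; publishing the final value before that leaves any slave still on the old serial stuck.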
Tuesday afternoon 2:00pm
  o Web/Proxy/SSL -- Joel Jaeggli and Emmanuel Odoom
    * Web/Proxy/SSL Materials
      + Installation of Squid from source
      + Step-by-step overview of the squid configuration file

Tuesday afternoon 4:15pm
  o Web/Proxy/SSL (Continued)
      + Scaling squid and transparent proxy issues (discussion)
        - Client configuration for proxy server use
        - Auto discovery of proxy in IE issue
        - WPAD (expired Internet-Draft)
      + Clustering of squid caching servers (discussion)

Wednesday morning 8:45am
  o Web/Proxy/SSL -- Joel Jaeggli and Patrick Okui
      + Installing Apache-1.3+mod_ssl from FreeBSD ports
      + Configure Apache with a basic configuration
      + Start the Apache httpsd daemon and connect to the local box
      + Verify the local SSL certificate works
      + Configuring Apache with SSL
      + Example SSL Apache configuration file
      + Sample config for virtual hosting
Wednesday morning 11:00am
  o Mail/Exim -- Philip Hazel and Emmanuel Odoom
    * Exim Materials
      + Introduction to Internet Mail
        - Mail agents
        - MUA and MTA
        - Message format
        - Authentication
        - SMTP
        - Message in transit
        - Use of DNS for email
        - Delivering a message
        - Relay control
        - Policy control on email
      + Practical Exercise:
        - Installation of Exim and basic tests

Wednesday afternoon 2:00pm
  o Mail/Exim -- Philip Hazel and Emmanuel Odoom
      + Exim Routers and Transports configuration
        - Configuration file
        - Changing runtime configuration
        - Configuration file sections
        - Default configuration file layout
        - Common global options
        - Exim 4 routing
        - Simple routing configuration
        - Default routers
        - Default transports
        - Routing to smarthosts
        - Virtual domains
        - Access control lists
        - Good and bad relaying
        - Message filtering
        - Large installations
        - Separating mail functions
      + Practical Exercise:
        - Modify routing, virtual domains practical exercises

Wednesday afternoon 4:15pm
  o Mail/Exim -- Philip Hazel and Emmanuel Odoom
      + Access Control Lists
      + Practical Exercise:
        - Setting up a relaying host

Thursday morning 8:45am
  o Mail/Exim -- Philip Hazel and Emmanuel Odoom
      + Practical Exercise:
        - Setting up a relaying host (continued)

Thursday morning 11:00am
  o Mail/Exim -- Philip Hazel and Emmanuel Odoom
      + Practical Exercise:
        - Exim system filtering
        - SpamAssassin installation
        - Modifying the Exim configuration file for spam filtering
        - ClamAV installation
        - Modifying the Exim configuration file for virus filtering

Thursday afternoon 2:00pm
  o Mail/Exim -- Philip Hazel and Emmanuel Odoom
      + Managing SPAM
        - Filtering unwanted e-mail
        - What are the main sources of junk e-mail?
        - What are the costs?
        - Where can you filter?
        - Legal problems with filtering
        - Ways to identify spam
        - Exim implementation of SRS
        - Minimising the joe-jobs we relay
        - What should you do?
Thursday afternoon 4:15pm
  o POP, IMAP and Web email servers -- Ayitey Bulley
    * POP3/Mail Materials:
      + Mailserver scalability
        - Linear password files
        - Linear mbox files
        - Too many files in one directory
        - CPU limits
        - Disk performance
        - Keep your SMTP (smarthost) and POP3 services separate
      + FreeBSD mailserver performance tuning
        - Increase kernel limits
        - Enable softupdates
        - Use SCSI disks
        - Spread mail directories across multiple disks
        - Put in as much RAM as possible
        - Use PCI cards, not ISA
        - Maildir and courier-imap POP3/IMAP
      + Practical Exercise:
        - Reconfigure exim for Maildir delivery
        - Courier practical exercises
          . Install courier-authlib from the FreeBSD ports collection
          . Install courier-imap from the FreeBSD ports collection
          . Configure the daemons
          . Start the daemons
          . POP3 and IMAP over SSL
          . Install Sqwebmail from the FreeBSD ports collection

Friday morning 8:45am
  o POP, IMAP and Web email servers -- Ayitey Bulley
      + Practical Exercise (continued)

Friday morning 11:00am
  o POP, IMAP and Web email servers -- Ayitey Bulley
      + Notes on Clustering and NFS
        - Using Network File System (NFS)
        - Using Proxies
        - Load balancing
        - Database backends
        - FreeBSD NFS
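Added example for the Maildir part of the POP/IMAP session (not Exim's, Courier's or the workshop's code): the tmp/new two-step delivery that makes Maildir safe without the locking that mbox needs, written as a small shell delivery function. The mailbox directory and message text in it are constructed.

```shell
# Added example (not workshop material): minimal Maildir delivery.
# Maildir stores one file per message, so no lock is needed on a shared
# mbox. A message is written under tmp/ first and only then linked into
# new/; readers (courier-imap, pop3d) only look at new/ and cur/, so they
# never see a half-written file. A crash before the link leaves a stray
# tmp/ file and no delivered message, which is the intended failure mode.

maildir_init() {            # create a Maildir at $1
    mkdir -p "$1/tmp" "$1/new" "$1/cur"
}

# maildir_deliver MAILDIR: message text on stdin; prints the delivered path
maildir_deliver() {
    dir=$1
    # unique name: time.pid+random.host (the usual Maildir recipe); random
    # bits come from /dev/urandom so two deliveries in one second differ
    rnd=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    name="$(date +%s).P$$R$rnd.${HOSTNAME:-localhost}"
    tmp="$dir/tmp/$name"; dst="$dir/new/$name"
    if [ -e "$tmp" ] || [ -e "$dst" ]; then
        echo "maildir_deliver: name collision, retry" >&2
        return 1
    fi
    cat > "$tmp" || { rm -f "$tmp"; return 1; }      # write the message
    ln "$tmp" "$dst" || { rm -f "$tmp"; return 1; }  # atomic: delivered now
    rm -f "$tmp"
    echo "$dst"
}

maildir_count_new() {       # how many undelivered-to-client messages in $1
    ls "$1/new" | wc -l | tr -d ' '
}

# Demo on a throwaway mailbox with a constructed message.
box=$(mktemp -d)
maildir_init "$box/Maildir"
printf 'From: a@example.com\nTo: b@example.com\nSubject: test\n\nhello\n' \
    | maildir_deliver "$box/Maildir"
echo "messages in new/: $(maildir_count_new "$box/Maildir")"
```

With Exim the same effect comes from maildir_format = true on the local delivery transport; the reason it scales is in the list above: one small file per message instead of a linear mbox that has to be locked and rewritten.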
Friday afternoon 2:00pm
  o Security -- Joel Jaeggli
    * Security Section Materials
      + Authentication
      + Authorisation
      + Integrity
      + Confidentiality
      + Availability (DoS)
      + Host access controls
      + Network access controls
      + Attacks on the host vs. attacks on the network
      + smurf attacks
      + Some Available Resources
      + Cryptographic Methods
        - Private key or symmetric ciphers
        - Hashing or one-way encryption
        - Integrity checks
        - Generating encryption keys
        - Public key ciphers
        - Digital signatures
        - Man in the middle attacks
        - PGP and SSH notes

Friday afternoon 2:00pm
  o Security (Continued) -- Joel Jaeggli
      + SSH Discussion
        - Security at the application layer
        - known_hosts files and authorization
        - Password challenge authentication
        - RSA/DSA private/public key generation
        - Public/private key use with SSH
        - ssh-agent and ssh-add
        - Using tunnels with SSH
  o Other stuff:
      + DNS+LDAP -- Alain Aina
      + Nagios config files
