AfNOG 2006 Workshop

Track 1 - Scalable Internet Services

This is part of the AfNOG 2006 Workshop, held in conjunction 
with the AfNOG meeting in Nairobi, Kenya, in May 2006. 

Daily Time Schedule:

Morning
-------
Session-1       08:45 - 10:45
Tea Break       10:45 - 11:00
Session-2       11:00 - 13:00
Lunch Break     13:00 - 14:00

Afternoon
---------
Session-3       14:00 - 16:00
Coffee Break    16:00 - 16:15
Session-4       16:15 - 18:15

In addition to this detailed timetable you can see a summary timetable as well.

Monday morning 8:45am
  o Introduction and logistics -- Ayitey Bulley
  o Why did we choose FreeBSD? -- Ayitey Bulley
  o FreeBSD Tutorial -- Joel Jaeggli and Emmanuel Odoom
    * FreeBSD Tutorial Materials.
      + Accounts information
      + Creating a user account for exim and yourself
      + Some basic FreeBSD commands
      + Post-installation configuration
      + Short example using FreeBSD commands
      + Getting FreeBSD 5.2.1 files and others
      + pkg_add: Adding packages or ports by hand
      + Network Information
        - ifconfig
        - rc.conf
        - Stopping and starting the network
        - Stopping and starting services
      + Installation Notes
      + Slices and partitions
      + Distribution sets
      + Quick installation guide (using CD-ROM)
      + The FreeBSD Directory Structure
      + A few differences from Linux

Monday morning 11:00am
  o DNS Session-1 (Fundamentals): -- Ayitey Bulley and Joe Abley
    * DNS Materials.
    * Goal: to understand overall purpose and structure of DNS
      + IP addresses vs. names
      + DNS as a distributed, hierarchical database
      + Domain names and resource records:
        - A, PTR, MX, CNAME, TXT, SOA/NS
      + Domain name lookup responses
      + Reverse DNS
      + DNS as client-server model
        - Resolver
        - Cache
        - Authoritative server
      + Testing DNS (dig)
      + Understanding output from dig
      + Practical Exercises:
        - Configure Unix resolver
        - Use dig { A, other (e.g. MX), non-existent answer, reverse lookup }
        - Use tcpdump to show queries being sent to cache

Monday afternoon 2:00pm
  o DNS Session-2 (DNS Caching Operation & DNS Debugging): -- Ayitey Bulley and Joe Abley
    * Goal: to understand operation of a recursive nameserver
      + Recap of previous session
      + DNS as a distributed database.
      + Resource record NS: referral of answer
      + Caching nameserver and root servers
      + Caching used to reduce load (esp. top level servers)
      + Issue of stale data in caches (problems with distributed systems).
        - TTL records on each record
        - Negative TTL in SOA
      + Recursion and caching (dig +norec)
      + Demo: www.ticscali.co.uk
      + Practical Exercise:
        - Debugging DNS Worksheet (with dig +norec):
          . Students work on their own examples
      + Configuring a caching nameserver
        - check /var/named/etc/namedb/named.conf
        - run tcpdump
        - rndc start
        - change /etc/resolv.conf to point to your nameserver
        - query two times
        - { Look at 'aa' flag, TTL, query time }
        - rndc flush
        - cache is authoritative for 127.0.0.1

Monday afternoon 2:00pm
  o DNS Session-2 (Continued): -- Ayitey Bulley and Joe Abley
      + What sort of hardware would you choose when building a DNS cache?
      + Improving the configuration of a cache NS
      + Managing a caching nameserver
      + Practical Exercise:
        - Building your own cache nameserver
        - Improving the configuration of the cache NS
      + Question and Answer session
      + Summary

Monday afternoon 4:15pm
  o DNS Session-3 (Configuring Authoritative Name Servers): -- Ayitey Bulley and Joe Abley
    * Goal: to properly configure an authoritative nameserver
      + Recap of caching NS
      + DNS Replication
      + Outside world cannot tell the difference between master and slave
      + When does replication take place?
      + Two (2) Dangers with serial numbers
      + Configuration of Master & Slave NS
        - Format of Resource Records { SOA and NS }
      + Ten (10) Common DNS Operational and Configuration Errors (RFC1912)

Tuesday morning 8:45am
  o DNS Session-3 (Continued) Exercises: -- Ayitey Bulley and Joe Abley
    * Setting up an authoritative name service for a domain
      + Master & Slave nameserver exercises

Tuesday morning 11:00am
  o DNS Session-4 (Delegation & Reverse DNS) -- Ayitey Bulley and Joe Abley
    * Presentation:
      + Domain delegation
      + About Glue records
      + Reverse DNS (/24)
      + Reverse DNS (less than /24)
    * Exercise:
      + Delegation
      + Reverse DNS (in-addr.arpa)
      + Setting up flexible logging

Tuesday afternoon 2:00pm
  o RADIUS -- Joel Jaeggli and Emmanuel Odoom
    * Materials
    * Presentation:
      + What is RADIUS?
      + What does RADIUS do?
      + Why do we need RADIUS?
      + Other AAA services
      + About FreeRADIUS
    * Exercise:
      + Build and install FreeRADIUS.
      + Configure and start the RADIUS server.
      + Test authentication
      + Convert a service to support RADIUS.

Tuesday afternoon 4:15pm
  o Web/SSL -- Joel Jaeggli and Emmanuel Odoom
    * Materials
      + Installing Apache-1.3+mod_ssl from FreeBSD ports
      + Configure Apache with basic configuration
      + Start Apache httpsd daemon and connect to local box
      + Verify local SSL certificate works
      + Configuring Apache with SSL
      + Example SSL Apache configuration file
      + Sample config for Virtual Hosting

Wednesday morning 8:45am
  o DNS Exercises continued -- Ayitey Bulley and Joe Abley
      + Reverse DNS (in-addr.arpa)
      + Setting up flexible logging
      + Securing DNS
      + More DNS stuff

Wednesday morning 11:00am
  o Mail/Exim -- Tony Finch and Emmanuel Odoom
    * Exim Materials
      + Introduction to Internet Mail
        - Mail agents
        - MUA and MTA
        - Message format
        - Authentication
        - SMTP
        - Message in transit
        - Use of DNS for email
        - Delivering a message
        - Relay control
        - Policy control on email
      + Practical Exercise:
        - Installation of Exim and basic tests

Wednesday afternoon 2:00pm
  o Mail/Exim -- Tony Finch and Emmanuel Odoom
      + Exim Routers and Transports configuration
        - Configuration file
        - Changing runtime configuration
        - Configuration file sections
        - Default configuration file layout
        - Common global options
        - Exim 4 routing
        - Simple routing configuration
        - Default routers
        - Default transports
        - Routing to smarthosts
        - Virtual domains
        - Access control lists
        - Good and bad relaying
        - Message filtering
        - Large installations
        - Separating mail functions
      + Practical Exercise:
        - Modify routing, virtual domains practical exercises

Wednesday afternoon 4:15pm
  o Mail/Exim -- Tony Finch and Emmanuel Odoom
      + Access Control Lists
      + Practical Exercise:
        - Setting up a relaying host

Thursday morning 8:45am
  o Mail/Exim -- Tony Finch and Emmanuel Odoom
      + Practical Exercise:
        - Setting up a relaying host

Thursday morning 11:00am
  o Mail/Exim -- Tony Finch and Emmanuel Odoom
      + Practical Exercise:
        - Exim system filtering
        - SpamAssassin Installation
        - Modifying Exim configuration file for spam filtering
        - ClamAV Installation
        - Modifying Exim configuration file for virus filtering

Thursday afternoon 2:00pm
  o Mail/Exim -- Tony Finch and Emmanuel Odoom
      + Managing SPAM
        - Filtering unwanted E-mails
        - What are the main sources of junk E-mail?
        - What are the costs?
        - Where can you filter?
        - Legal problems with filtering
        - Ways to identify spam
        - Exim implementation of SRS
        - Minimising the joe-jobs we relay
        - What should you do?

Thursday afternoon 4:15pm
  o POP, IMAP and Web email servers -- Emmanuel Odoom
    * POP3/Mail Materials:
      + Mailserver scalability
        - Linear password files
        - Linear mbox files
        - Too many files in one directory
        - CPU limits
        - Disk performance
        - Keep your SMTP (smarthost) and POP3 services separate
      + FreeBSD mailserver performance tuning
        - Increase kernel limits
        - Enable softupdates
        - Use SCSI disks
        - Spread mail directories across multiple disks
        - Put in as much RAM as possible
        - Use PCI cards, not ISA
        - Maildir and courier-imap POP3/IMAP
      + Practical Exercise:
        - Reconfigure exim for Maildir delivery
        - Courier practical exercises
          . Install courier-authlib from FreeBSD ports collection
          . Install courier-imap from FreeBSD ports collection
          . Configure the daemons
          . Start the daemons
          . POP3 and IMAP over SSL
          . Install Sqwebmail from FreeBSD ports collection

Friday morning 8:45am
  o POP, IMAP and Web email servers -- Emmanuel Odoom
      + Practical Exercise (continued):

Friday morning 11:00am
  o POP, IMAP and Web email servers -- Emmanuel Odoom
      + Notes and Clustering and NFS
        - Using Network File System (NFS)
        - Using Proxies
        - Load balancing
        - Database backends
        - FreeBSD NFS

Friday afternoon 2:00pm
  o Security -- Joel Jaeggli
    * Security Section Materials
      + Authentication
      + Authorisation
      + Integrity
      + Confidentiality
      + Availability (DoS)
      + Host access controls
      + Network access controls
      + Attacks on the host vs. attacks on the network
      + smurf attacks
      + Some Available Resources
      + Cryptographic Methods
        - Private key or symmetric ciphers
        - Hashing or one-way encryption
        - Integrity checks
        - Generating encryption keys
        - Public key ciphers
        - Digital signatures
        - Man in the middle attacks
        - PGP and SSH notes

Friday afternoon 2:00pm
  o Security -- Joel Jaeggli
      + SSH Discussion
        - Security at the Application Layer
        - known_hosts files and authorization
        - Password challenge authentication
        - RSA/DSA Private/Public Key generation
        - Public/Private Key use with SSH
        - ssh-agent and ssh-add
        - Using tunnels with SSH

  o Other stuff:
      + DNS+LDAP -- Alain Aina (AfNOG 2005)
      + Nagios config files
