
eBox 1.4 for Network Administrators

Revision 1.4

eBox Platform - Training

http://www.ebox-technologies.com/

Student Guide
eBox 1.4 for Network Administrators

This document is distributed under Creative Commons Attribution-Share Alike license version 2.5
( http://creativecommons.org/licenses/by-sa/2.5/ )

This document uses images from “Tango Desktop Project”, also distributed under Creative Commons
Attribution-Share Alike license version 2.5.
http://tango.freedesktop.org/
Contents

1 eBox Platform: unified server for SMEs 1


1.1 Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2.1 eBox Platform installer . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Administration web interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.3.1 Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.3.2 Applying configuration changes . . . . . . . . . . . . . . . . . . . . . . . 16
1.3.3 Modules status configuration . . . . . . . . . . . . . . . . . . . . . . . . 18
1.4 How does eBox Platform work? . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.5 Location within the network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.5.1 Local network configuration . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.5.2 Network configuration with eBox Platform . . . . . . . . . . . . . . . . . . 21
1.5.3 Network diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

2 eBox Infrastructure 31
2.1 Network configuration service (DHCP) . . . . . . . . . . . . . . . . . . . . . . . 31
2.1.1 DHCP server configuration with eBox . . . . . . . . . . . . . . . . . . . . 32
2.2 Name resolution service (DNS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
2.2.1 DNS cache server configuration with eBox . . . . . . . . . . . . . . . . . 38
2.2.2 DNS server configuration with eBox . . . . . . . . . . . . . . . . . . . . . 39
2.3 Web data publication service (HTTP) . . . . . . . . . . . . . . . . . . . . . . . . 43
2.3.1 Hyper Text Transfer Protocol . . . . . . . . . . . . . . . . . . . . . . . . 43
2.3.2 The Apache Web server . . . . . . . . . . . . . . . . . . . . . . . . . . 46
2.3.3 Virtual domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
2.3.4 HTTP server configuration with eBox . . . . . . . . . . . . . . . . . . . . 47
2.4 Time synchronization service (NTP) . . . . . . . . . . . . . . . . . . . . . . . . 49
2.4.1 NTP server configuration with eBox . . . . . . . . . . . . . . . . . . . . . 50

3 eBox Gateway 53

3.1 High-level eBox network abstractions . . . . . . . . . . . . . . . . . . . . . . . . 53
3.1.1 Network objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.1.2 Network services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.2 Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.2.1 The firewall in GNU/Linux: Netfilter . . . . . . . . . . . . . . . . . . . . . 58
3.2.2 eBox security model . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.3 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.3.1 Routing tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.3.2 Multigateway rules and load balancing . . . . . . . . . . . . . . . . . . . 69
3.3.3 WAN Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
3.4 Traffic shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
3.4.1 Quality of Service (QoS) . . . . . . . . . . . . . . . . . . . . . . . . . . 73
3.4.2 QoS configuration in eBox . . . . . . . . . . . . . . . . . . . . . . . . . 74
3.5 RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
3.5.1 RADIUS server configuration with eBox . . . . . . . . . . . . . . . . . . . 77
3.5.2 Access Point (AP) configuration . . . . . . . . . . . . . . . . . . . . . . . 78
3.6 HTTP Proxy Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
3.6.1 Access policy configuration . . . . . . . . . . . . . . . . . . . . . . . . . 80
3.6.2 Client connection to the proxy and transparent mode . . . . . . . . . . . . 81
3.6.3 Cache parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
3.6.4 Web content filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

4 eBox Office 89
4.1 Directory service (LDAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
4.1.1 Users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
4.2 File sharing service and remote authentication . . . . . . . . . . . . . . . . . . . 97
4.2.1 File sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
4.2.2 SMB/CIFS and its Linux Samba implementation . . . . . . . . . . . . . . . 98
4.2.3 Primary Domain Controller (PDC) . . . . . . . . . . . . . . . . . . . . . . 98
4.2.4 eBox as file server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
4.2.5 SMB/CIFS clients configuration . . . . . . . . . . . . . . . . . . . . . . . 101
4.2.6 eBox as an authentication server . . . . . . . . . . . . . . . . . . . . . . 104
4.2.7 PDC Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 106
4.3 Printers sharing service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
4.4 Groupware Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
4.4.1 Groupware service settings with eBox . . . . . . . . . . . . . . . . . . . . 111

5 eBox Unified Communications 117


5.1 Electronic Mail Service (SMTP/POP3-IMAP4) . . . . . . . . . . . . . . . . . . . . 117

5.1.1 How electronic mail works through the Internet . . . . . . . . . . . . . . . 118
5.1.2 SMTP/POP3-IMAP4 server configuration with eBox . . . . . . . . . . . . . 120
5.1.3 Receiving and relaying mail . . . . . . . . . . . . . . . . . . . . . . . . . 120
5.1.4 SMTP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
5.1.5 POP3 parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
5.1.6 IMAP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
5.1.7 ManageSieve client parameters . . . . . . . . . . . . . . . . . . . . . . . 128
5.2 WebMail service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
5.2.1 Configuring a webmail in eBox . . . . . . . . . . . . . . . . . . . . . . . 131
5.3 Instant Messaging (IM) Service (Jabber/XMPP) . . . . . . . . . . . . . . . . . . . 132
5.3.1 Configuring a Jabber/XMPP server with eBox . . . . . . . . . . . . . . . . 133
5.3.2 Setting up a Jabber client . . . . . . . . . . . . . . . . . . . . . . . . . . 134
5.3.3 Setting up Jabber MUC (Multi User Chat) rooms . . . . . . . . . . . . . . . 140
5.3.4 Practical example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
5.4 Voice over IP service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
5.4.1 Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
5.4.2 Codecs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
5.4.3 Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
5.4.4 Asterisk server configuration with eBox . . . . . . . . . . . . . . . . . . . 149
5.4.5 Configuring a softphone to work with eBox . . . . . . . . . . . . . . . . . 151
5.4.6 Using eBox VoIP features . . . . . . . . . . . . . . . . . . . . . . . . . . 156
5.4.7 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

6 eBox Unified Threat Manager 159


6.1 Mail Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
6.1.1 Mail filter schema in eBox . . . . . . . . . . . . . . . . . . . . . . . . . . 160
6.1.2 External connection control lists . . . . . . . . . . . . . . . . . . . . . . 168
6.1.3 Transparent proxy for POP3 mailboxes . . . . . . . . . . . . . . . . . . . 168
6.2 HTTP Proxy advanced configuration . . . . . . . . . . . . . . . . . . . . . . . . 170
6.2.1 Filter profiles configuration . . . . . . . . . . . . . . . . . . . . . . . . . 170
6.2.2 Filter profile per object . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
6.2.3 Group based filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
6.2.4 Group-based filtering for objects . . . . . . . . . . . . . . . . . . . . . . 172
6.3 Secure interconnection between local networks . . . . . . . . . . . . . . . . . . . 174
6.3.1 Virtual Private Network (VPN) . . . . . . . . . . . . . . . . . . . . . . . 174
6.3.2 Public Key Infrastructure (PKI) with a Certification Authority (CA) . . . . . . . 174
6.3.3 Certification Authority configuration with eBox . . . . . . . . . . . . . . . . 176
6.3.4 Configuring a VPN with eBox . . . . . . . . . . . . . . . . . . . . . . . . 180

6.4 Intrusion Detection System (IDS) . . . . . . . . . . . . . . . . . . . . . . . . . . 189
6.4.1 Setting up an IDS with eBox . . . . . . . . . . . . . . . . . . . . . . . . 190
6.4.2 IDS Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

7 eBox Core 193


7.1 Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
7.1.1 Logs configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
7.2 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
7.2.1 Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
7.2.2 Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
7.3 Events and alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
7.3.1 Practical Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
7.4 Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
7.4.1 The backup system design . . . . . . . . . . . . . . . . . . . . . . . . . 208
7.4.2 Backup configuration with eBox . . . . . . . . . . . . . . . . . . . . . . . 208
7.4.3 How to recover on a disaster . . . . . . . . . . . . . . . . . . . . . . . . 213
7.4.4 Configuration backups . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
7.5 Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
7.5.1 Management of eBox components . . . . . . . . . . . . . . . . . . . . . 218
7.5.2 System Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
7.5.3 Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
7.6 Control Center Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
7.6.1 Subscribing eBox to the Control Center . . . . . . . . . . . . . . . . . . . 222
7.6.2 Configuration backup to the Control Center . . . . . . . . . . . . . . . . . 223

Chapter 1

eBox Platform: unified server for SMEs

1.1 Presentation

eBox Platform (<http://ebox-platform.com/>) is a unified network server that offers easy and efficient
computer network management for small and medium enterprises (SMEs). eBox Platform can act as
a Network Gateway, a Unified Threat Manager (UTM) [1], an Office Server, an Infrastructure Manager,
a Unified Communications Server or a combination of them. This manual is written for the 1.4 version
of eBox Platform.

All these functionalities are fully integrated and therefore automate most tasks, prevent manual
errors and save time for system administrators. This wide range of network services is managed
through an easy and intuitive web interface. As eBox Platform has a modular design, you can install in
each server only the necessary modules and easily extend the functionality according to your needs.
Besides, eBox Platform is released under a free software license (GPL) [2]. The main features are:

• Unified and efficient management of the services:

– Task automation.

– Service integration.

• Easy and intuitive interface.


[1] UTM (Unified Threat Management): term that groups a series of functionalities related to computer network security:
firewall, intrusion detection, antivirus, etc.
[2] GPL (GNU General Public License): software license that allows free redistribution, adaptation, use and creation of
derivative works with the same license.

• Extensible and adaptable to specific needs.

• Hardware independent.

• Open source software.

The services currently offered are:

• Network management:

– Firewall and router

* Traffic filtering

* NAT and port redirection

* Virtual local networks (VLAN 802.1Q)

* Support for multiple gateways, load balancing and self-adaptation in case of loss of
connectivity

* Traffic shaping (with application-level filtering support)

* Traffic monitoring

* Dynamic DNS support


– High-level network objects and services

– Network infrastructure

* DHCP server

* DNS server

* NTP server
– Virtual private networks (VPN)

* Dynamic auto-configuration of network paths


– HTTP proxy

* Cache

* User authentication

* Content filtering (with categorized lists)

* Transparent antivirus


– Mail server

* Spam filtering and antivirus

* Transparent POP3 filter

* White-, black- and grey-listing


– Web server

* Virtual domains
– Intrusion Detection System (IDS)

– Certification Authority

• Groupware:

– Shared directory using LDAP (Windows/Linux/Mac)

* Shared authentication (including Windows PDC)


– Shared storage as NAS (Network-attached storage)

– Shared printers

– Groupware server: calendars, address books, ...

– VoIP server

* Voicemail

* Meetings

* Calls through outside vendor


– Instant messaging server (Jabber/XMPP)

* Meetings
– User corner to allow users to modify their data

• Reports and monitoring

– Dashboard to centralize the information

– Disk, memory, load, temperature and host CPU monitoring

– Software RAID status and information regarding the hard drive use


– Network service logs in databases, allowing you to have daily, weekly monthly and annual
reports

– Event-based system monitoring

* Notification via Jabber, mail and RSS


• Host management:

– Configuration and data backup

– Updates

– Control Center to easily administer and monitor multiple eBox hosts from one central point [3]

1.2 Installation

In principle, eBox Platform is designed to be installed exclusively on one (real or virtual) machine.
This does not prevent you from installing other unmanaged services, but these must be manually
configured.

eBox Platform runs on the GNU/Linux operating system with the Long Term Support (LTS) release of the
Ubuntu Server Edition distribution [4]. The installation can be done in two different ways:

• Using the eBox Platform Installer (recommended).

• Installing from an existing Ubuntu Server Edition installation.

In the second case, you need to add the official eBox Platform repositories and to install the
packages you are interested in.

Nevertheless, the former is easier, since all the dependencies are on a single CD. Moreover,
some pre-configuration is done during the installation process.


Figure 1.1: Installer language select

1.2.1 eBox Platform installer

The eBox Platform installer is based on the Ubuntu installer and therefore those who are already
familiar with it will find the installation process very similar.

You can install using the default mode, which deletes all disk content, creates the partitions
needed by eBox using LVM and asks fewer questions, or using the expert mode, which allows you to
do your own partitioning. Most people should choose the default option unless they are installing
on a server with special requirements, for instance software RAID.

After installing the base system and rebooting, you can start installing eBox Platform. The first
step will be to create a user on the system. This user will be able to log on to the system and will have
sudo privileges.

Then, you will be asked for a password for this user you just created. This password will be used
to log on the eBox interface too.

You have to enter this password twice.

Now it is time to select which features you want to include on your system. There are two methods
for this selection:
[3] For additional information regarding the Control Center, please visit http://www.ebox-technologies.com/products/controlcenter/,
the site of the company behind eBox Platform development.
[4] Ubuntu is a GNU/Linux distribution developed by Canonical and the community, oriented to laptops, desktops and
servers <http://www.ubuntu.com/>.

Figure 1.2: Installer menu

Figure 1.3: Administration user

Figure 1.4: Administration password


Figure 1.5: Confirm administration password

Figure 1.6: Package selection method


Simple: Depending on the task the server will be dedicated to, you can install a set of packages that
provides several features.

Advanced: You can select the packages individually. If a package has dependencies on other packages,
these will be automatically selected later.

If you select the simple installation method, you get a list of available profiles. As shown in the
figure eBox tasks to install, that list matches the chapters that follow in this manual.

Figure 1.7: eBox tasks to install

eBox Gateway: eBox is the local network gateway that provides secure and controlled Internet access.

eBox Unified Threat Manager: eBox protects the local network against external attacks, intrusions and
internal security threats, and enables secure interconnection between local networks via the Internet
or via other external networks.

eBox Infrastructure: eBox manages the local network infrastructure, including the following basic
services: DHCP, DNS, NTP, HTTP server, etc.

eBox Office: eBox is an office server that allows sharing the following resources through the local
network: files, printers, calendars, contacts, authentication, users and groups profiles, etc.

eBox Unified Communications: eBox becomes the unified communications server of your organization,
including mail, instant messaging and voice over IP.

You can select several profiles to make eBox play different roles in your network.

However, if you select the advanced installation method, you get the complete list of eBox Platform
modules and you can select individually the modules you are interested in.


Figure 1.8: eBox packages to install

Once you have completed the selection, the necessary additional packages will be installed. This
selection is not final and you can install and remove packages according to your needs later.

After you have selected the components to install, the installation process will begin and you will
be shown a progress bar with the installation status.

The installer will try to preconfigure some important configuration parameters. First, you will have to
select the type of server for the Users and Groups mode. If you have just one server, choose standalone.
If you are deploying a master-slave infrastructure or want to synchronize the users with a
Microsoft Windows Active Directory, choose advanced. This step will appear only if the usersandgroups
module is installed.

Also, it will ask whether some of the network interfaces attached to the host are external (not within the
local network, used to connect to the Internet or other external networks). Strict policies will be applied
to all incoming traffic through external network interfaces. This step will appear only if the network
module is installed and the server has more than one network interface.

After that, you will do the mail configuration, defining the default virtual domain. This step will
appear only if mail is installed.

Once you have answered these questions, every module you installed will be preconfigured and
ready to be used via the web interface.

Once the eBox Platform installation process is completed, you get a graphical interface with a
browser to authenticate in the eBox web interface using the password given in the first steps of the
installer.

Figure 1.9: Installing eBox packages

Figure 1.10: Type of the server

Figure 1.11: Select external interfaces

Figure 1.12: Mail configuration

Figure 1.13: Preconfiguring eBox packages

Figure 1.14: eBox administration web interface

1.3 Administration web interface

Once you have installed eBox Platform, you can access the administration web interface at the follow-
ing URL:

https://network_address/ebox/


Here network_address is the IP address or a host name that resolves to the address where eBox
is running.

Warning: To access the web interface you should use Mozilla Firefox, as there are some known
issues with other browsers such as Microsoft Internet Explorer.

The first screen will ask for the administrator password:

After authentication you get the administration interface that is divided into three main sections:

Left side menu: Contains links to all services, separated by categories, that can be configured using
eBox. When you select a service, you might get a submenu to configure specific details of the
selected service.

Top menu: Contains actions to save the changes made to the content, make the changes effective
and close the session.

Main content: The main content is composed of one or several forms or tables with information about
the service configuration and depends on the selection made in the left side menu and submenus.
Sometimes you will get a tab bar at the top of the page: each tab represents a different
subsection within the section you have accessed.

1.3.1 Dashboard

The dashboard is the initial screen of the web interface. It contains a number of configurable widgets.
You can reorganize them at any moment simply by clicking and dragging the titles.

By clicking on Configure Widgets the interface changes, allowing you to remove and add new
widgets. To add a new widget, you search for it in the top menu and drag it to the main part of the
page.


Figure 1.15: Main screen

Figure 1.16: Left side menu


Figure 1.17: Top menu

Figure 1.18: Web User Interface configuration forms

Figure 1.19: Dashboard


Figure 1.20: Dashboard configuration

Module status

There is a very important widget within the dashboard which shows the status of all the modules
installed in eBox.

The figure depicts the current status of a service and the action to apply to it. The available statuses
are the following:

Running: The service daemons are running to accept connections from the network clients. You can
restart the service using Restart.

Running unmanaged: If you haven’t configured the service yet, it is possible to find it running with
the default configuration from the distribution. Therefore it is not managed by eBox yet.

Stopped: Something has gone wrong: the service should be running, but it is stopped for some
reason. To find out why, check the log files of the service or the eBox log file itself, as described
in the section How does eBox Platform work?. You may try to start the service by
clicking on Start.

Disabled: The service has been disabled explicitly by the system administrator as it is explained in
Modules status configuration.

1.3.2 Applying configuration changes

An important detail to take into account is the method eBox uses to apply the configuration changes
made through the interface. First of all, you have to accept changes in the current form, but, once
this is done, to make these changes effective and apply them on a permanent basis, you must click
on Save Changes from the top menu. This button will change to red if there are unsaved changes.
Failure to follow this procedure will result in the loss of all changes you have made throughout the
session once you log out. There are some special cases when you don’t need to save the changes,
but in these cases you will receive a notification.

Figure 1.21: Module status widget

Figure 1.22: Save changes

In addition to this, you can revert your changes. Hence, if you have done something that you do
not remember or are unsure about, you can always discard the changes safely. Take into account that if
you have changed the network interfaces configuration or the eBox web administration port,
you may lose the current connection to eBox, so you must retype the URL in the browser to reach the
administration interface again.

1.3.3 Modules status configuration

As discussed above, eBox is built up with modules. The majority of the modules are intended to
manage network services, which you must enable through Module Status.

Each module may have dependencies on others to work. For instance, DHCP service needs
to have the network module enabled so that it can serve IP address leases through the configured
network interfaces. Thus the dependencies are shown in Depends column.

In eBox jargon, enabling a module for the first time is called configuring the module. Configuration
is done once per module. By clicking on the Status checkbox, you enable the module. If it is the first time,
a dialog is presented to accept carrying out the set of actions and file modifications that enabling the
service implies [5]. After that, you may save changes to apply these modifications. Likewise, you may
disable a module by unchecking the Status column for this module.

1.4 How does eBox Platform work?

eBox Platform is not just a simple web interface to manage the most common network services [6]. One
of the main goals of eBox Platform is to unify a set of network services that otherwise would work
independently.

[5] You get longer support than on the normal version. With the LTS version you get 5 years of support on the server.
[6] This process is mandatory to comply with the Debian Policy http://www.debian.org/doc/debian-policy/

Figure 1.23: Module status configuration

Figure 1.24: Confirm dialog to configure a module

19
eBox 1.4 for Network Administrators

All configuration of individual services is handled automatically by eBox. To do this, eBox uses a
template system. This automation prevents manual errors and saves administrators from having to
know the details of each configuration file format. As eBox manages these configuration files
automatically, you must not edit the original files, as they will be overwritten as soon as you save any
configuration changes.

Reports of events and possible errors of eBox are stored in the directory /var/log/ebox/ and are
divided into the following files:

/var/log/ebox/ebox.log: Errors related to eBox Platform.

/var/log/ebox/error.log: Errors related to the web server.

/var/log/ebox/access.log: Every access to the web server.

If you want more information about an error that has occurred, you can enable the debugging
mode by selecting the debug option in the /etc/ebox/99ebox.conf file. Once you have enabled this
option, you should restart the web server of the interface by running sudo /etc/init.d/ebox apache restart.

1.5 Location within the network

1.5.1 Local network configuration

eBox Platform can be used in two different ways:


• Router and filter of the Internet connection.

• Server of different network services.

Both functionalities can be combined in a single host or divided among several hosts.

The figure Different locations within the network displays the different locations eBox Platform
server can take in the network, either as a link between networks or a server within the network.

Figure 1.25: Different locations within the network

Throughout this documentation you will find out how to configure eBox Platform as a router and
gateway. You will also learn how to configure eBox Platform in the case it acts as just another server
within the network.

1.5.2 Network configuration with eBox Platform

If you place a server within a network, you will most likely be assigned an IP address via the DHCP
protocol. Through Network → Interfaces you can access each network card detected by the system and
you can select between a static configuration (address configured manually), dynamic configuration
(address configured via DHCP) or a Trunk 802.1Q to create VLANs.

If you configure a static interface, you can associate one or more Virtual Interfaces to this real
interface to serve additional IP addresses. These can be used to serve different networks or the same
network with different address.

If you don’t have a router with PPPoE support, eBox can also manage PPPoE connections: just
select PPPoE as Method and enter the User name and Password given by your DSL provider.

To enable eBox to resolve domain names, you must indicate the address of one or several domain
name servers in Network → DNS.


Figure 1.26: Network interface configuration

Figure 1.27: Static configuration of network interfaces

Figure 1.28: PPPoE configuration of network interfaces


Figure 1.29: Configuration of DNS servers

If your Internet connection has a dynamic IP address and you want to map a domain name to your
eBox, a third party dynamic DNS provider is required. eBox supports the connection to some of the
most popular dynamic DNS providers.

To configure dynamic DNS on eBox go to Network → DynDNS and select your service provider
and set up the user name, password and the domain name you want to update when your public
address changes. Check the box Enable Dynamic DNS and Save changes.

Figure 1.30: Dynamic DNS configuration

eBox makes a connection to the provider, which learns your public IP address even if there is NAT
between you and the Internet. If you are using this feature in a multigateway scenario [7], don’t forget to
create a rule that makes the connections to your provider always use the same gateway.

[7] In order to understand the magnitude of the project, you can visit the independent site ohloh.net, where you can find
an extensive analysis of the eBox Platform code base <http://www.ohloh.net/p/ebox/analyses/latest>.

1.5.3 Network diagnosis

To check if you have configured the network correctly, you can use the tools available in Network →
Diagnosis.

Figure 1.31: Network diagnosis tools

Ping is a tool that uses the ICMP network diagnosis protocol to observe whether a particular
remote host is reachable by means of a simple “echo request”.

Additionally, you can use the traceroute tool, which determines the route taken by packets
across different networks until they reach a given remote host. Tracing the route the packets follow
allows you to carry out more advanced diagnosis.

Besides, you can use the dig tool, which is used to verify the correct functioning of the name
resolution service.
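The same three checks can be scripted from the command line on the eBox host (or any GNU/Linux box), with the tool output parsed so a script can decide pass or fail instead of a person reading the screen. This is an added example and not eBox's own code; it assumes the ping, traceroute and dig binaries are installed, and the addresses in its comments are constructed documentation values.

```shell
#!/bin/sh
# Added example, not eBox's own code: a command-line version of the three
# Network -> Diagnosis tools (ping, traceroute, dig) plus small parsers that
# decide whether each check passed, so the diagnosis can be run from a script
# or a cron job on the eBox host itself. Assumes ping, traceroute and dig are
# installed; the addresses in the comments are constructed documentation values.

# ping_ok OUTPUT -> succeeds only if every echo request in the ping summary
# line was answered. Handles both the Linux summary
#   "3 packets transmitted, 3 received, 0% packet loss, ..."
# and the BSD one
#   "3 packets transmitted, 3 packets received, 0.0% packet loss".
ping_ok() {
    summary=$(printf '%s\n' "$1" | sed -n \
        's/^\([0-9][0-9]*\) packets transmitted, \([0-9][0-9]*\) \(packets \)\{0,1\}received.*/\1 \2/p')
    [ -n "$summary" ] || return 1          # no summary line: ping never ran
    set -- $summary                        # $1 = sent, $2 = received
    [ "$1" -gt 0 ] && [ "$1" -eq "$2" ]
}

# hop_count OUTPUT -> number of hops traceroute listed, i.e. lines that start
# with a hop number such as " 1  192.0.2.1 (192.0.2.1)  0.412 ms ...".
# The "traceroute to ..." header line is not counted.
hop_count() {
    printf '%s\n' "$1" | awk '/^ *[0-9]+ +[^ ]/ { n++ } END { print n + 0 }'
}

# dig_ok OUTPUT -> succeeds if "dig +short A host" printed at least one IPv4
# address. With a CNAME chain dig prints the alias targets first, so any line
# that is a dotted quad counts.
dig_ok() {
    printf '%s\n' "$1" | grep -q '^[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}$'
}

# diagnose HOST -> runs the three checks against HOST and prints one line per
# check; returns non-zero if ping or DNS failed. ping and traceroute depend on
# ICMP, which many firewalls drop, so a ping failure alone does not prove the
# host is down; a DNS failure next to a working ping means the name, not the
# network, is the problem (check the servers configured in Network -> DNS).
diagnose() {
    host=$1
    rc=0
    out=$(ping -c 3 -W 2 "$host" 2>&1)     # -W is the reply timeout in seconds on Linux ping
    if ping_ok "$out"; then echo "PASS ping  $host"; else echo "FAIL ping  $host"; rc=1; fi
    out=$(traceroute -w 2 -m 30 "$host" 2>&1)
    echo "INFO route $host: $(hop_count "$out") hops"
    out=$(dig +short A "$host" 2>&1)
    if dig_ok "$out"; then
        echo "PASS dns   $host -> $(printf '%s\n' "$out" | tail -n 1)"
    else
        echo "FAIL dns   $host"; rc=1
    fi
    return $rc
}

# Example run (needs network access), matching the hosts used in practical example A:
#   diagnose ebox-platform.com
```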

Practical example A

Let’s configure eBox so that it obtains the network configuration via DHCP.

Therefore:

1. Action: Access the eBox interface, go to Network → Interfaces and, as network interface,
select eth0. Then choose the DHCP method. Click on Change.

Effect: You have enabled the button Save Changes and the network interface maintains the
entered data.

Figure 1.32: Ping tool

Figure 1.33: Traceroute tool

Figure 1.34: Dig tool

2. Action: Go to Module status and enable the Network module, in order to do this, check the
box in the Status column.

Effect: eBox asks for permission to overwrite some files.

3. Action: Read the changes that are going to be made in each modified file and grant eBox the
permission to overwrite them.

Effect: You have enabled the button Save Changes and you can enable some of the modules
that depend on Network.

4. Action: Save the changes.

Effect: eBox displays the progress while the changes are implemented. Once it has finished,
you are notified.

Now eBox manages the network configuration.

5. Action: Access Network → Diagnosis tools. Ping ebox-platform.com.

Effect: As a result, you are shown three successful connection attempts to the Internet server.

6. Action: Access Network → Diagnosis tools. Ping the eBox of a fellow classmate.

Effect: As a result, you are shown three successful connection attempts to the host.

7. Action: Access Network → Diagnosis tools. Run a traceroute to ebox-technologies.com.

Effect: As a result, you are shown a route of all the intermediate routers a packet traverses
until it reaches the destination host.

Practical example B

For the rest of the exercises of the manual, it is a good practice to enable the logs.

Therefore:

1. Action: Access the eBox interface, go to Module status and enable the Logs module. In order
to do this, check the box in the Status column.

Effect: eBox asks for permission to carry out a series of actions.

2. Action: Read the actions that are going to be made and accept them.

Effect: You have enabled the button Save Changes.


3. Action: Save the changes.

Effect: eBox displays the progress while the changes are implemented. Once it has finished,
you are notified.

Now eBox has enabled the logs. You can check them at Logs → Query logs in the
section Logs.

Chapter 2

eBox Infrastructure

This section explains several of the services used to manage and optimize internal traffic and the
infrastructure of your local network, including domain management, automatic network configuration
of network clients, publication of internal Web sites and time synchronization using the Internet.
Configuring these services normally requires great effort, but they are much easier to configure with eBox.

The DHCP service is widely used to automatically configure different network parameters, such
as the IP address of a host or the gateway to be used for Internet access.

The DNS service provides access to services and hosts using names instead of IP addresses,
which are more difficult to memorize.

Many businesses use Web applications to which only internal access is available.

2.1 Network configuration service (DHCP)

As indicated, DHCP (Dynamic Host Configuration Protocol) is a protocol that enables a device to
request and obtain an IP address from a server with a list of available addresses to assign. 1

The DHCP service is also used to obtain many other parameters, such as the default gateway,
the network mask, the IP addresses for the name servers or the search domain, among others. Hence,
access to the network is made easier, without the need for manual configuration by clients.

When a DHCP client connects to the network, it sends a broadcast request and the DHCP server
responds to valid requests with an IP address, the lease time granted for that IP and the parameters
explained above. The request usually happens while the client is booting and must be completed
before the remaining network services can start.

1 eBox uses “ISC DHCP Software” (https://www.isc.org/software/dhcp) to configure the DHCP service.

There are two ways of assigning addresses:

Manual: Assignment is based on a table containing physical address (MAC)/IP address mappings,
entered manually by the administrator.

Dynamic: The network administrator assigns a range of IP addresses for a request-and-grant process
that uses the lease concept with a controlled period in which the granted IP remains valid. The
server keeps a table with the previous assignments to try to reassign the same IP to a client in
successive requests.

2.1.1 DHCP server configuration with eBox

To configure the DHCP service with eBox, at least one statically configured interface is required. Once
this is available, go to the DHCP menu, where the DHCP server can be configured.

As indicated above, some network parameters can be sent with the IP address. These parameters
can be configured in the Common options tab.

Default gateway: This is the gateway to be used by the client if it is unaware of another route to send
the packet to its destination. Its value can be eBox, a gateway already configured in the
Network → Gateways section or a custom IP address.

Search domain: In a network with hosts named in line with <host>.sub.domain.com, the search do-
main can be configured as “sub.domain.com”. Hence, when seeking to resolve an unsuccessful
domain name, another attempt can be made by adding the search domain to the end of it or
parts of it.

For example, if smtp cannot be resolved as a domain, smtp.domain.com will be tried on the
client host.

The search domain can be entered or one configured in the DNS service can be selected.

Primary name server: This is the DNS server 2 that the client will use when a name is to be resolved
or an IP address needs to be translated into a name. Its value can be local eBox DNS (if the
eBox DNS server is to be queried, take into account that the dns module must be enabled) or the IP
address of another DNS server.

2 Go to the Name resolution service (DNS) section for more details about this service.

Figure 2.1: Overview of DHCP service configuration


Secondary name server: DNS server that the client will use if the primary one is not available. Its
value must be the IP address of a DNS server.

NTP server: This is the NTP (Network Time Protocol) server 3 that the client will use when it
wants to synchronize its clock using the network. Its value can be none, local eBox NTP (take
into account that the ntp module must be enabled) or a custom NTP server.

WINS server: This is the WINS (Windows Internet Name Service) 4 server the client will use to resolve
NetBIOS names. Its value can be none, local eBox (take into account that samba must be enabled)
or a custom one.

The common options display the ranges of addresses distributed by DHCP and the addresses
assigned manually. For the DHCP service to be active, there must be at least one range of addresses
to be distributed or one static assignment. If not, the DHCP server will not serve IP addresses even if
the service is listening on all the network interfaces.

The ranges of addresses and the static addresses available for assignment from a certain inter-
face are determined by the static address assigned to that interface. Any free IP address from the
corresponding subnet can be used in ranges or static assignments.

Adding a range in the Ranges section is done by entering a name by which to identify the range
and the values to be assigned within the range appearing above.

Static assignments of IP addresses to given physical addresses are possible in the Fixed
Addresses section. An address assigned in this way cannot form part of any range. You may add an
optional description for that assignment as well.

Figure 2.2: Appearance of the advanced configuration for DHCP


3 Check out the Time synchronization service (NTP) section for details about the time synchronization service.
4 WINS is the implementation of NBNS (NetBIOS Name Service). For more information about it, check out the File sharing
service and remote authentication section.

The dynamic granting of addresses has a deadline before which renewal must be requested (con-
figurable in the Advanced options tab) that varies from 1,800 seconds to 7,200 seconds. Static assign-
ments do not expire and, therefore, are unlimited leases.

A Lightweight Client is a special machine with no hard drive that boots over the network by
requesting its boot image (operating system) from a lightweight client server.

eBox allows the PXE server 5 to which the client must connect to be configured. The PXE service,
which is responsible for transmitting everything required for the lightweight client to boot its
system, must be configured separately.

The PXE server may be an IP address or a host name, in which case the path to the boot image
must be indicated, or eBox itself, in which case the image file can be loaded.

Dynamic DNS updates

The DHCP server has the ability to dynamically update the DNS server 6. That is, the DHCP server
will update in real time the A and PTR records that map an IP address to a host name and vice versa
when an IP address is leased and released. How this is done depends on the DHCP server
configuration.

eBox provides the dynamic DNS feature by integrating the dhcp and dns modules of the same box, in
the Dynamic DNS Options tab. In order to enable this feature, the DNS module must be enabled as well.
You may provide a Dynamic domain and a Static domain, both of which will be added automatically
to the DNS configuration. The dynamic domain maps the host names whose IP address comes
from a range; the associated name follows this pattern: dhcp-<leased-IP-address>.<dynamic-
domain>. As for the static domain, the host name follows this pattern: <name>.<static-
domain>, where name is the one you set in the Fixed addresses table. Take into account that any
host name update sent by a DHCP client is ignored by eBox.

The update is done using a secure protocol 7 and, currently, only direct mapping is supported.
5 Preboot eXecution Environment is an environment to boot PCs using a network interface independent of the storage
devices (such as hard drives) or operating systems installed. (http://en.wikipedia.org/wiki/Preboot_Execution_Environment)
6 RFC 2136 explains how to do dynamic updates in the Domain Name System.
7 Communication is done using TSIG (Transaction SIGnature) to authenticate the dynamic update requests using a
shared secret key.

Figure 2.3: Dynamic DNS updates configuration

Practical example

Configure the DHCP service to assign a range of 20 network addresses. Check from another client
host using dhclient that it works properly.

To configure DHCP, the Network module must be enabled and configured. The network interface
on which the DHCP server is to be configured must be static (manually assigned IP address) and the
range to assign must be within the subnet determined by the network mask of that interface (e.g. range
10.1.2.1-10.1.2.21 of an interface 10.1.2.254/255.255.255.0).
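The subnet and range rules above can be checked before saving, as an added example that is not part of the manual or of eBox itself; the interface address, ranges and fixed assignments it uses are constructed to match this exercise:

```python
"""Sanity checks for an eBox-style DHCP configuration.

Added example, not eBox or ISC DHCP code. It encodes the rules given in the
manual: the serving interface must have a static address, every range and
fixed address must be a free host address of that interface's subnet (the
interface's own address is never handed out), a fixed address may not fall
inside any range, and without at least one range or fixed address the server
has nothing to lease. All addresses below are constructed for the example."""
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Tuple

Ranges = Dict[str, Tuple[str, str]]   # range name -> (first, last)
Fixed = Dict[str, Tuple[str, str]]    # host name -> (MAC, IP)


def range_size(first: str, last: str) -> int:
    """Number of addresses in an inclusive range such as 10.1.2.1-10.1.2.21."""
    return int(IPv4Address(last)) - int(IPv4Address(first)) + 1


def validate_dhcp_config(iface: str, ranges: Ranges, fixed: Fixed) -> List[str]:
    """Return the problems found; an empty list means the configuration is valid.

    iface is the static address of the serving interface with its mask, in
    either CIDR ("10.1.2.254/24") or dotted ("10.1.2.254/255.255.255.0") form.
    """
    problems: List[str] = []
    itf = IPv4Interface(iface)
    net = itf.network
    # Addresses the server may hand out: hosts of the subnet minus its own.
    assignable = set(net.hosts()) - {itf.ip}

    if not ranges and not fixed:
        problems.append("no range and no fixed address: the server will not lease any IP")

    owner: Dict[IPv4Address, str] = {}   # address -> range name, for overlap checks
    for name, (first, last) in ranges.items():
        lo, hi = IPv4Address(first), IPv4Address(last)
        if lo > hi:
            problems.append(f"range {name}: first address {first} is after last address {last}")
            continue
        if lo not in net or hi not in net:
            problems.append(f"range {name}: {first}-{last} is not inside subnet {net}")
            continue
        for ip in (IPv4Address(n) for n in range(int(lo), int(hi) + 1)):
            if ip not in assignable:
                problems.append(f"range {name}: {ip} is not a free host address of {net}")
            elif ip in owner:
                problems.append(f"range {name}: {ip} overlaps range {owner[ip]}")
            else:
                owner[ip] = name

    seen_macs: Dict[str, str] = {}
    for host, (mac, ip_text) in fixed.items():
        mac = mac.lower()
        ip = IPv4Address(ip_text)
        if mac in seen_macs:
            problems.append(f"fixed address {host}: MAC {mac} already used by {seen_macs[mac]}")
        seen_macs[mac] = host
        if ip not in assignable:
            problems.append(f"fixed address {host}: {ip} is not a free host address of {net}")
        elif ip in owner:
            problems.append(f"fixed address {host}: {ip} lies inside range {owner[ip]}")
    return problems
```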

1. Action: Enter eBox and access the control panel. Enter Module status and enable the DHCP
module by marking its checkbox in the Status column.

Effect: eBox requests permission to overwrite certain files.

2. Action: Read the changes of each of the files to be modified and grant eBox permission to
overwrite them.

Effect: The Save changes button has been enabled.

3. Action: Enter DHCP and select the interface on which the server is to be configured. The gate-
way may be eBox itself, one of the eBox gateways, a specific address or none (no routing
to other networks). Furthermore, the search domain (domain added to all DNS names
that cannot be resolved) can be defined along with at least one DNS server (primary DNS
server and optionally a secondary one).

eBox then indicates the range of available addresses. Select a subset of 20 addresses
and in Add new give a significant name to the range to be assigned by eBox.

4. Action: Save the changes.


Effect: eBox displays the progress while the changes are being applied. Once this is complete
it indicates as such.

eBox now manages the DHCP server configuration.

5. Action: From another PC connected to this network, request a dynamic IP from the range
using dhclient:

$ sudo dhclient eth0
There is already a pid file /var/run/dhclient.pid with pid 9922
killed old client process, removed PID file
Internet Systems Consortium DHCP Client V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

wmaster0: unknown hardware address type 801
wmaster0: unknown hardware address type 801
Listening on LPF/eth0/00:1f:3e:35:21:4f
Sending on LPF/eth0/00:1f:3e:35:21:4f
Sending on Socket/fallback
DHCPREQUEST on wlan0 to 255.255.255.255 port 67
DHCPACK from 10.1.2.254
bound to 10.1.2.1 -- renewal in 1468 seconds.

6. Action: Verify from Dashboard that the address appearing in the widget DHCP leases is dis-
played.

2.2 Name resolution service (DNS)

As explained, the function of the DNS (Domain Name System) is to convert hostnames that are read-
able and easy to remember by users into IP addresses and vice versa. The name domain system is a
tree architecture, the aims of which are to avoid the duplication of data and to facilitate the search for
domains. The service listens to requests in port 53 of the UDP and TCP transport protocols.


2.2.1 DNS cache server configuration with eBox

A name server can act as a cache 8 for queries that it cannot answer itself. In other words, it will initially
query the appropriate server, as it starts with an empty database, but the cache will subsequently
reply, with the consequent decrease in response time.

At present, most modern operating systems have a local library to translate the names that is
responsible for storing its own domain name cache with the requests made by system applications
(browser, e-mail clients, etc.).

Practical example A

Check the correct operation of the cache name server. What is the response time with regard to the
same request www.example.com?

1. Action: Access eBox, enter Module status and enable the DNS module by marking the check-
box in the Status column.

Effect: eBox requests permission to overwrite certain files.

2. Action: Read the changes of each of the files to be modified and grant eBox permission to
overwrite them.

Effect: The Save changes button has been enabled.

3. Action: Go to Network → DNS and add a new Domain name server with value 127.0.0.1.

Effect: eBox is established to translate names to IP and vice versa.

4. Action: Save the changes.

Effect: eBox displays the progress while the changes are being applied. Once this is complete
it is indicated as such.

eBox now manages the DNS server configuration.

5. Action: Use the Domain name resolution tool available in Network → Diagnosis to check
the operation of the cache, querying the domain www.example.com consecutively and
checking the response time.

8 A cache is a collection of duplicated data from an original source, where the original data is expensive to obtain or
compute compared to the cost of reading the cache (http://en.wikipedia.org/wiki/Cache).

2.2.2 DNS server configuration with eBox

DNS has a tree structure and the source is known as ‘.’ or root. Under ‘.’ are the TLDs (Top Level
Domains), such as org, com, edu, net, etc. When searching in a DNS server, if it does not know the an-
swer, the tree is recursively searched until it is found. Each ‘.’ in an address (e.g. home.example.com)
indicates a different branch of the DNS tree and a different query area. The name will be traversed
from right to left.

Figure 2.4: DNS tree

As you can see in figure DNS tree, each zone has an authoritative name server 9. When a
client performs a query to a name server, it delegates the resolution to the name server pointed to
by an NS record which claims to be authoritative for that zone. For instance, a client queries a name
server which is authoritative for example.com for the IP address of www.home.example.com. As
the name server has a record which indicates the authoritative name server for the home.example.com
zone (the NS record), it delegates the answer to that server, which should know the IP address for
that host.

Another important aspect is reverse resolution (in-addr.arpa), as it is possible to translate an IP
address to a domain name. Furthermore, as many aliases (or canonical names) as required can be
added to each associated name and the same IP address can have several associated names.

9 A DNS server is the authority for a domain when it has all the data to resolve the query for that domain.

Another important characteristic of the DNS is the MX record. This record indicates the host to
which e-mail addressed to a certain domain is to be delivered. For example, when an e-mail is to be
sent to someone@example.com, the sending e-mail server will ask for the MX record of example.com and the
service will reply that it is mail.example.com.

The configuration in eBox is done through the DNS menu. In eBox, as many DNS domains as
required can be configured.

To configure a new domain, drop down the form by clicking on Add new. From here, the domain
name and an optional IP address which the domain will refer to can be configured.

When a new domain is added, you may have noticed a field called dynamic is set to false. A
domain is set as dynamic when it is updated automatically by a process without restarting the server.
A typical example for this is a DHCP server which updates the DNS records when it leases/releases
an IP address for a host. Check out Dynamic DNS updates section for details about this configuration
with eBox. Currently, if a domain is set as dynamic, then no manual configuration can be done using
eBox interface.

Once a correct domain has been created, e.g. home.example.com, it is possible to complete the
hostnames list for the domain. As many IP addresses as required can be added using the names
decided. Reverse resolution is added automatically. Furthermore, as many aliases as required can
also be used for each mapping.


eBox automatically sets the authoritative name server for the configured domains to the ns host name.
If none is set, then 127.0.0.1 is set as authoritative name server for those domains. If you want to
configure the authoritative name server manually for your domains (NS records), go to name servers
and choose one of the configured host names for that domain or set a custom one. In a typical
scenario, you would configure an ns host name using as its IP address one of those configured in the
Network → Interfaces section.

As an additional feature, e-mail server names can be added through mail exchangers by selecting
a name for the domains in which eBox is the authority or an external one. Furthermore, a preference
can be given, the lowest value of which gives highest priority, i.e. an e-mail client will first try the server
with the lowest preference number.

For a more in-depth look into the operation of the DNS, let us see what happens depending on the
query made through the dig diagnosis tool located in Network → Diagnosis.

If a query is made for one of the domains added, eBox will reply with the appropriate answer
immediately. Otherwise, the DNS server will query the root DNS servers and will reply to the user as
soon as it gets an answer. It is important to be aware of the fact that the name servers configured in
Network → DNS are used by client applications to resolve names, but are not used in any way by the
DNS server. If you want eBox to resolve names using its own DNS server, you have to set up 127.0.0.1
as primary DNS server in the aforementioned section.
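To see the delegation walk, reverse resolution, MX preference and caching described in the last two sections in one place, here is an added example (not eBox or BIND code) over a constructed in-memory DNS tree; the zone names and addresses are invented for the illustration:

```python
"""Toy iterative resolver over an in-memory DNS tree, with a TTL cache.

Added example, not eBox or BIND code. It walks the tree from the root the
way the manual describes (right to left, following NS delegations until an
authoritative zone answers), shows reverse resolution under in-addr.arpa and
MX preference, and counts upstream queries so the effect of the cache is
visible. Zones, names and addresses are constructed for the example."""
from typing import Dict, List, Optional, Tuple

# Zone name -> its NS record(s) and the data it is authoritative for.
# Intermediate zones absent from this table (e.g. "arpa.") are treated as
# delegated straight from their parent, to keep the table short.
ZONES: Dict[str, dict] = {
    ".": {"NS": ["a.root-servers.example."]},
    "com.": {"NS": ["ns.tld.example."]},
    "example.com.": {
        "NS": ["ns.example.com."],
        "A": {"ns.example.com.": "203.0.113.1", "mail.example.com.": "203.0.113.25",
              "backup.example.com.": "203.0.113.26"},
        "MX": {"example.com.": [(20, "backup.example.com."), (10, "mail.example.com.")]},
    },
    "home.example.com.": {
        "NS": ["ns.home.example.com."],
        "A": {"ns.home.example.com.": "10.1.2.254", "www.home.example.com.": "10.1.2.20"},
    },
    "2.1.10.in-addr.arpa.": {
        "NS": ["ns.home.example.com."],
        "PTR": {"20.2.1.10.in-addr.arpa.": "www.home.example.com."},
    },
}


def fqdn(name: str) -> str:
    """Fully qualified form: always ends with the root label '.'."""
    return name if name.endswith(".") else name + "."


def reverse_name(ip: str) -> str:
    """Name queried for reverse resolution: 10.1.2.20 -> 20.2.1.10.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def delegation_path(name: str) -> List[str]:
    """Zones contacted from the root, reading the name right to left."""
    labels = fqdn(name).rstrip(".").split(".")
    path = ["."]
    for i in range(len(labels) - 1, -1, -1):
        zone = ".".join(labels[i:]) + "."
        if zone in ZONES:            # the parent's NS record delegates here
            path.append(zone)
    return path


class CachingResolver:
    """Resolves from the tree and caches each answer for ttl seconds."""

    def __init__(self, ttl: int = 600) -> None:
        self.ttl = ttl
        self.cache: Dict[Tuple[str, str], Tuple[object, float]] = {}
        self.upstream_queries = 0    # queries sent to other name servers

    def query(self, name: str, rtype: str = "A", now: float = 0.0):
        """Return the record data, or None when no zone holds it (NXDOMAIN)."""
        key = (fqdn(name), rtype)
        hit = self.cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]                        # answered from cache, no network
        path = delegation_path(key[0])
        self.upstream_queries += len(path)       # one query per zone visited
        answer = ZONES[path[-1]].get(rtype, {}).get(key[0])
        if answer is not None:
            self.cache[key] = (answer, now + self.ttl)
        return answer

    def mail_server(self, domain: str, now: float = 0.0) -> Optional[str]:
        """Host that receives mail for domain: the MX with the lowest preference."""
        records = self.query(domain, "MX", now)
        return min(records)[1] if records else None
```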

Practical example B

Add a new domain to the DNS service. Within this domain, assign a network address to a host name.
From another host, check that it resolves correctly using the dig tool.

1. Action: Check that the DNS service is active through Dashboard in the Module status widget.
If it is not active, enable it in Module status.

2. Action: Enter DNS and in Add new enter the domain to be managed. A table will drop down
where hostnames, mail servers for the domain and the domain address itself can be
added. In Hostnames do the same by adding the host name and its associated IP
address.

3. Action: Save the changes.

Effect: eBox will request permission to write the new files.

4. Action: Accept the overwriting of these files and save the changes.

Effect: The progress is displayed while the changes are being applied. Once this is complete
it indicates as such.

5. Action: From another PC connected to this network, request the name resolution using dig,
where 10.1.2.254 is, for example, the address of eBox and mirror.ebox-platform.com the
domain to be resolved:

$ dig mirror.ebox-platform.com @10.1.2.254

; <<>> DiG 9.5.1-P1 <<>> mirror.ebox-platform.com @10.1.2.254
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33835
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;mirror.ebox-platform.com. IN A

;; ANSWER SECTION:
mirror.ebox-platform.com. 600 IN A 87.98.190.119

;; AUTHORITY SECTION:
ebox-platform.com. 600 IN NS ns1.ebox-platform.com.
ebox-platform.com. 600 IN NS ns2.ebox-platform.com.

;; ADDITIONAL SECTION:
ns1.ebox-platform.com. 600 IN A 67.23.0.68
ns2.ebox-platform.com. 600 IN A 209.123.162.63

;; Query time: 169 msec
;; SERVER: 10.1.2.254#53(10.1.2.254)
;; WHEN: Fri Mar 20 14:37:52 2009
;; MSG SIZE rcvd: 126

2.3 Web data publication service (HTTP)

The Web is one of the most common services on the Internet, so much that it has become its visible
face for most users.

A website started to become the most convenient way of publishing data on a network. All that
was needed was a web browser, which is installed as standard in current desktop platforms. A website
is easy to create and can be viewed from any computer.

Over time, the possibilities of web interfaces have improved and true applications are now available
that have nothing to envy of desktop applications.

But... what is behind the web?

2.3.1 Hyper Text Transfer Protocol

One of the keys to the success of the web has been the application layer protocol used, HTTP (Hyper
Text Transfer Protocol), as it is extremely simple yet flexible.

HTTP is a request and response protocol. A client, also known as a User Agent, makes a request
to a server. The server processes it and gives a response.


Figure 2.5: Request schema with GET headers between a client and the 200 OK response from the
server. Routers and proxies in between.


By default, HTTP uses TCP port 80 for unencrypted connections and 443 for encrypted connec-
tions (HTTPS) using TLS technology 10.

A client request contains the following elements:

• An initial line containing <method> <resource requested> <HTTP version>. For example,
GET /index.html HTTP/1.1 requests the resource /index.html through GET and using protocol
HTTP/1.1.

• Headers, such as User-Agent: Mozilla/5.0 ... Firefox/3.0.6, which identify the type of client
requesting the data.

• A blank line.

• An optional message. This is used, for example, to send files to the server using the POST
method.
There are several methods with which clients can request data 11. The most common ones are
GET and POST:

GET: GET is used to request a resource. It is a harmless method for the server, as no file has to be
modified in the server if a request is made via GET.

POST: POST is used to send data to be processed by the server. For example, when Send message
is clicked in a webmail, the server is given the email data to be sent. The server must process
this information and send the email.

OPTIONS: This is used to request the methods that can be used on a resource.

HEAD: Requests the same data as GET, although the response will not include the text, only the
header. Hence, it is possible to obtain the metadata of the resource without downloading it.

PUT: Requests the text data to be stored and accessible from the path indicated.

DELETE: Requests the deletion of the resource indicated.

TRACE: This informs the server that it must return the header sent by the client. It is useful to see
how the request is modified by the intermediate proxies.

CONNECT: The specification reserves this method for tunnels.


10 TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are encryption protocols that provide
data security and integrity for Internet communications. The subject is discussed in further detail in section Virtual Private
Network (VPN).
11 A more detailed explanation can be found in section 9 of RFC 2616.

The server response has the same structure as the client request, changing the first row. In this
case, the first row is <status code> <text reason>, which corresponds to the response code and a text
with the explanation, respectively.

The most common response codes 12 are:

200 OK: The request has been processed correctly.

403 Forbidden: When the client has been authenticated, but does not have permission to operate on
the resource requested.

404 Not Found: When the resource requested has not been found.

500 Internal Server Error: When an error has occurred in the server that has prevented the request
from being correctly run.

HTTP has some limitations given its simplicity. It is a protocol with no state; therefore, the server is
unable to remember the clients between connections. This can be avoided by using cookies. Moreover,
the server cannot start a conversation with the client. Should the client want to be notified by the server
of something, this must be periodically requested.

The HTTP service can offer dynamic data produced by different software applications. The client
requests a certain URL with specific parameters and the software manages the request to return
a result. The first method used was known as CGI (Common Gateway Interface), which runs one
command per URL. This mechanism has mainly been deprecated due to its memory overload and low
performance when compared to other solutions:

FastCGI: A communication protocol between software applications and the HTTP server, with a single
process to resolve requests made by the HTTP server.

SCGI (Simple Common Gateway Interface): This is a simplified version of the FastCGI protocol.

Other expansion mechanisms: Dependent on the HTTP server allowing the software to be run
within the server, this solution depends on the HTTP server used.

2.3.2 The Apache Web server

The Apache HTTP server 13 has been the most popular program for serving websites since April
1996. eBox uses this server for both its web interface and the web server module. Its aim is to offer
a secure, efficient and extensible system in line with HTTP standards. Its extensibility is
based on adding features using modules that extend the core.

12 The full list of response codes for the HTTP server can be found in section 10 of RFC 2616.
13 Apache HTTP Server project http://httpd.apache.org.

Other programming interfaces include mod_perl, mod_python, TCL or PHP, which allow web-
sites to be created using programming languages such as Perl, Python, TCL or PHP. It has several
authentication systems such as mod_access and mod_auth, among others. Furthermore, it allows
the use of SSL and TLS with mod_ssl and provides a proxy module with mod_proxy and a powerful
URL rewriting system with mod_rewrite. It has a total of 57 officially documented modules that add
functionality, although this number increases to 168 if you include those registered for the 2.2 version
of Apache 14 .

2.3.3 Virtual domains

The purpose of a virtual domain is to host websites for several domain names in the same server.

If the server has a public IP address for each website, a configuration can be made for every
network interface. When seen from outside, they look like several hosts in the same network. The
server will redirect the traffic from each interface to its corresponding website.

However, it is more common to have one or two IPs per host. In this case, each website will
have to be associated with its domain. The web server will read the headers sent in the client request
and, depending on the domain of the request, will redirect it to one website or another. Each of these
configurations is known as Virtual Host, as there is only one host in the network, but the existence of
several is simulated.
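An added example, not code from eBox or Apache, showing the request and response structure from section 2.3.1 together with the Host-header selection of a virtual host described here; the host names, document roots and file contents are constructed:

```python
"""Minimal HTTP/1.1 request parsing and name-based virtual hosting.

Added example, not eBox or Apache code: it shows the request structure the
manual describes (request line, headers, blank line, optional body), the
response line with status code and reason, and how the Host header picks
the virtual host's document root under /var/www/<vHostName>. Host names,
document roots and file contents are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict
import posixpath

REASONS = {200: "OK", 400: "Bad Request", 403: "Forbidden", 404: "Not Found",
           405: "Method Not Allowed", 500: "Internal Server Error"}


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> Request:
    """Split a raw request into its request line, headers, blank line and body."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header: {line!r}")
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 requests must carry a Host header")
    length = int(headers.get("content-length", "0"))
    if length > len(rest):
        raise ValueError("body shorter than Content-Length")
    return Request(method, target, version, headers, rest[:length])


def select_vhost(req: Request, vhosts: Dict[str, str], default_root: str) -> str:
    """Name-based virtual hosting: the Host header decides which site answers."""
    host = req.headers.get("host", "").split(":")[0].rstrip(".").lower()
    return vhosts.get(host, default_root)


def resolve_path(docroot: str, target: str) -> str:
    """Map the request target onto the document root without letting '..' escape it."""
    path = target.split("?", 1)[0]
    clean = posixpath.normpath("/" + path.lstrip("/"))   # collapses '..', never climbs above '/'
    if clean == "/":
        clean = "/index.html"
    return docroot.rstrip("/") + clean


def build_response(status: int, body: bytes, head_only: bool = False) -> bytes:
    """Status line, headers, blank line and (unless HEAD) the body."""
    head = (f"HTTP/1.1 {status} {REASONS[status]}\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode("ascii") + (b"" if head_only else body)


def handle(raw: bytes, vhosts: Dict[str, str], default_root: str,
           files: Dict[str, bytes]) -> bytes:
    """Serve a static file from the selected virtual host; files stands in for the disk."""
    try:
        req = parse_request(raw)
    except ValueError as exc:
        return build_response(400, f"{exc}\n".encode())
    if req.method not in ("GET", "HEAD"):
        return build_response(405, b"only GET and HEAD are served here\n")
    path = resolve_path(select_vhost(req, vhosts, default_root), req.target)
    if path not in files:
        return build_response(404, b"not found\n")
    return build_response(200, files[path], head_only=(req.method == "HEAD"))


def status_of(response: bytes) -> int:
    """Status code from a response's first line, e.g. 200 from 'HTTP/1.1 200 OK'."""
    return int(response.split(b" ", 2)[1])
```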

2.3.4 HTTP server configuration with eBox

Through Web, it is possible to access the web service configuration.

In the first form, it is possible to modify the following parameters:

Listening port Where the daemon is to listen to HTTP requests.

Enable public_html per user Through this option, if the Samba module (eBox as file server ) is en-
abled, users can create a subdirectory known as public_html in their private directory within
samba that will be displayed by the web server via the URL http://<eboxIP>/~<username>/,
where username is the name of the user that published contents.
14 There is a full list at http://modules.apache.org.

Figure 2.6: Appearance of the Web module configuration

With regard to the Virtual domains, the only configuration needed is the name for the domain and
whether it is enabled or not. When a new virtual domain is created, an entry is also created in the DNS module
(if it is installed), so that if the domain www.company.com is added, the domain company.com will be
created with the host name www, the IP address of which will be the address of the first static network
interface.

To publish data, it must be under /var/www/<vHostname>, where vHostName is the name of the
virtual domain. If any customized configuration is to be added, for example capacity to load applications
in Python using mod_python, the necessary configuration files for this virtual domain must be created
in the directory /etc/apache2/sites-available/user-ebox-<vHostName>/.

Practical example

Enable the web server. Check that it is listening on port 80. Configure it to listen on a different port
and verify that the change becomes effective.

1. Action: Access eBox, enter Module status and enable the Web server module by marking the
checkbox in the Status column. This indicates the changes to be made in the system. Allow
the operation by clicking on the Accept button.

Effect: The Save changes button has been enabled.

2. Action: Save the changes.

Effect: eBox displays the progress while the changes are being applied. Once this is complete
it indicates as such.

The web server is enabled by default on port 80.


3. Action: Using a browser, access the following address: http://<eBox_ip>/.

Effect: An Apache default page will be displayed with the message ‘It works!’.

4. Action: Access the Web menu. Change the port value from 80 to 1234 and click on the Change
button.

Effect: The Save changes button has been enabled.

5. Action: Save the changes.

Effect: eBox displays the progress while the changes are being applied. Once this is complete
it indicates as such.

Now the web server is listening on port 1234.

6. Action: Use the browser again to try to access http://<eBox_ip>/.

Effect: A response is not obtained and, after a while, the browser will indicate that it was
impossible to connect to the server.

7. Action: Now try to access http://<eBox_ip>:1234/.

Effect: The server responds and the ‘It works!’ page is obtained.

2.4 Time synchronization service (NTP)

The NTP (Network Time Protocol) protocol was designed to synchronize the clocks of computers over
an unreliable network subject to variable latency (jitter), whose effects it is built to withstand. The
service listens on UDP port 123.

It is one of the oldest Internet protocols still in use (since before 1985). NTP version 4 can reach a
precision of 200 µs, or better if the reference clock is in the local network. There are up to 16 levels
(strata) defining the distance from the reference clock and the associated precision. Level 0 devices
are reference clocks such as atomic clocks, which are not connected to the network but attached to a
level 1 computer over an RS-232 serial connection. Level 2 computers are those synchronized via NTP
with level 1 servers; this is what the most common operating systems, such as GNU/Linux, Windows or
MacOS, offer by default.

2.4.1 NTP server configuration with eBox

To configure eBox to use the NTP architecture (see the NTP public service project,
http://support.ntp.org/bin/view/Main/WebHome), eBox must first be synchronized with an external
server of a higher level (normally 2), configured via System → Date/Time. A list of such servers can
be found in the NTP pool (pool.ntp.org), a dynamic collection of NTP servers that voluntarily give their
clients a reasonably precise time over the Internet.

Once eBox has been synchronized as an NTP client (eBox uses ntpdate to set the date the first time;
once the date is set it uses ntpd to remain synchronized, see http://www.ece.udel.edu/~mills/ntp/html/),
eBox can also act as an NTP server with a globally synchronized time.

Practical example

Enable the NTP service and synchronize the time of your host using the ntpdate command. Check
that both eBox and the client host are set to the same time.

1. Action: Access eBox, enter Module status and enable the ntp module by marking the check-
box in the Status column. This will show the changes to be made to the system. Allow the
operations by clicking on the Accept button.

Effect: The Save changes button has been enabled.

2. Action: Access the System → Date/Time menu. In the Synchronization with NTP servers
section, select Enabled and click on Change.

Effect: The option to manually change the date and time is replaced by fields to enter the NTP
servers with which to synchronize.

3. Action: Save the changes.

Effect: eBox displays the progress while the changes are being applied. Once this is com-
pleted, it notifies the user.

Your eBox host will act as an NTP server.

4. Action: Install the ntpdate package in your client host. Run the command ntpdate <eBox_ip>.

Effect: The time on the host will have been synchronized with that of the eBox host.

You can check this by running the date command on both hosts.

Chapter 3

eBox Gateway

This section considers the main function of eBox as a gateway. eBox Gateway can make your network
more reliable, optimized for your bandwidth and help you control whatever enters your network.

This section includes a chapter that focuses on the functionality of the eBox firewall module, which
enables you to manage rules for the incoming and outgoing traffic of your internal network.

The firewall is not configured directly, but is supported by another two modules that provide easier
network object and service management, as described in the first part of the section.

Load balancing can be applied to Internet access, along with different routing rules depending on the
outgoing traffic. Furthermore, this section explains traffic shaping, which is used to ensure that critical
applications are served correctly and to limit applications that generate a lot of network traffic.

Finally, there is an introduction to the HTTP proxy service offered by eBox. This service allows or
denies access from the internal network to the WWW using different filtering rules, including content-
based ones.

3.1 High-level eBox network abstractions

3.1.1 Network objects

Network objects are a way of giving a name to a network element or a group of elements. They are
used to simplify and subsequently facilitate network configuration management by being able to select
behavior for these objects.

To give an example, they can be used to assign a meaningful name to an IP address or a group of IP
addresses. In the latter case, instead of defining access rules for each of the addresses, the rules
merely have to be defined for the network object, so that all the addresses belonging to the object take
on this configuration.

Figure 3.1: Representation of network objects

Management of network objects with eBox

For object management in eBox, go to the submenu Objects and create new objects with an associated
name and a series of members.

Objects can be created, modified and deleted. These objects will be used later by other modules,
such as the firewall, the Web cache proxy or the mail service.

Each member has at least the following values: a name, an IP address and a network mask in CIDR
notation. A physical (MAC) address is optional and only makes sense for members that are a single machine.

Figure 3.2: General appearance of the network object module

The members of one object can overlap with the members of another; therefore, great care must be
taken when using them in the remaining modules to obtain the desired configuration and avoid security
problems, since a rule written for one object will also apply to hosts that belong to the other.
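One way to spot such overlaps before the objects are used in firewall rules, as an added example that is not part of the eBox guide or eBox's own code: the "accountancy hosts" members are those of the practical example later in this chapter, while the "guest network" and "servers" objects are constructed for the illustration.

```python
"""Report network object members that overlap with members of other objects.

Added example, not eBox code. Objects map a name to a list of members in CIDR
notation, as they are entered in the Objects submenu.
"""
import ipaddress
from itertools import combinations

# Constructed objects: the first mirrors the practical example in this chapter,
# the other two are invented so that overlaps exist.
OBJECTS = {
    "accountancy hosts": ["192.168.0.12/32", "192.168.0.13/32", "192.168.0.64/26"],
    "guest network": ["192.168.0.96/27"],   # lies inside 192.168.0.64/26
    "servers": ["192.168.0.12/32"],         # same host as the accountancy server
}


def overlapping_members(objects):
    """Return (object1, member1, object2, member2) tuples for every pair of
    members from different objects whose address ranges overlap.

    A filtering rule written for one object silently applies to the hosts in
    these ranges that also belong to the other object, so each pair deserves a
    look before the objects are used in the firewall or proxy modules.
    """
    found = []
    for (name_a, members_a), (name_b, members_b) in combinations(objects.items(), 2):
        for member_a in members_a:
            net_a = ipaddress.ip_network(member_a)
            for member_b in members_b:
                if net_a.overlaps(ipaddress.ip_network(member_b)):
                    found.append((name_a, member_a, name_b, member_b))
    return found


if __name__ == "__main__":
    for obj_a, m_a, obj_b, m_b in overlapping_members(OBJECTS):
        print(f"{obj_a} ({m_a}) overlaps {obj_b} ({m_b})")
```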

3.1.2 Network services

A network service is the abstraction of one or more applicable protocols that can be used in other
modules, such as the firewall or the traffic-shaping module.

Services are used in much the same way as objects. With objects, a group of IP addresses can be
referred to easily by a meaningful name. Likewise, a group of numeric ports that are hard to remember
and tedious to enter repeatedly in different configurations can be identified by a name that reflects
their function (typically the name of the level-7 protocol or application using these ports).

Figure 3.3: Client connection to a server

Management of network services with eBox

For management in eBox, go to the submenu Services, where it is possible to create new services,
which will have an associated name, description and a flag indicating whether the service is external
or internal. A service is internal if the ports configured for that service are being used in the machine
in which eBox is installed. Furthermore, each service has a series of members. Each one will have
the following values: protocol, source port and destination port.

The value any can be entered in all of these fields, e.g. to specify services in which the source
port is indifferent.

Bear in mind that in network services based on the most commonly-used client/server model,
clients often use any random port to connect to a known destination port. Well-known ports are con-
sidered those located between 0 and 1023, registered ports the ones located between 1024 and 49151
and private or dynamic ports are those located between 49152 and 65535.

A list of known network services approved by the IANA for the UDP and TCP protocols can be found
in the /etc/services file. (The IANA, Internet Assigned Numbers Authority, is responsible for establishing
the services associated with well-known ports; the full list can be found at
http://www.iana.org/assignments/port-numbers.)

The protocol can be TCP, UDP, ESP, GRE or ICMP. There is also a TCP/UDP value to avoid having
to add the same port twice when it is used by both protocols.

Services can be created, modified and deleted. These services will be used later on in the firewall
or traffic shaping by merely referring to their meaningful name.

Figure 3.4: General appearance of the network service module

Practical example

Create an object and add the following: a host with no MAC address, a host with a MAC address
and a network address.

To do so:

1. Action: Access Objects. Add accountancy hosts.

Effect: The accountancy hosts object has been created.

2. Action: Access Members of the accountancy hosts object. Create the accountancy server
member with a network IP address, e.g. 192.168.0.12/32. Create another member, backup
accountancy server, with another IP address, e.g. 192.168.0.13/32, and a valid MAC address,
e.g. 00:0c:29:7f:05:7d. Then create the accountancy PC network member with the IP ad-
dress of a subnet of your local network, e.g. 192.168.0.64/26. Finally, go to Save changes to
confirm the configuration created.

Effect: The accountancy hosts object will contain three permanent members, i.e. accoun-
tancy server, backup accountancy server and accountancy PC network.

3.2 Firewall

We will configure a firewall to see the application of the network objects and services. A firewall is
a system that enforces access control policies between networks. In our case, a host will be
devoted to protecting our internal network and eBox from attacks from the external network.

A firewall allows the user to define a series of access policies, such as which hosts can be con-
nected to or which can receive data and the type thereof. In order to do this, it uses rules that can
filter traffic depending on different parameters, such as the protocol, source or destination addresses
or ports used.

Technically speaking, the best solution is to have a computer with two or more network cards
that isolate the different connected networks (or segments thereof), so that the firewall software is
responsible for forwarding packets between them, deciding which may pass and to which network
they are sent. By configuring the host as both firewall and gateway, packets can be exchanged
between networks in a more secure manner.

3.2.1 The firewall in GNU/Linux: Netfilter

Starting with the Linux 2.4 kernel, a filtering subsystem known as Netfilter provides packet filtering
and Network Address Translation (NAT). NAT is the process of rewriting the source or destination of an
IP packet as it passes through a router or firewall; its main use is to provide several hosts in a private
network with Internet access through a single public IP. The iptables command interface allows the
different configuration tasks to be performed for the rules affecting the filtering system (filter table),
rules affecting packet translation with NAT (nat table) or rules to specify certain packet control and
handling options (mangle table). It is extremely flexible and orthogonal, although it adds a great deal
of complexity and has a steep learning curve.

3.2.2 eBox security model

The eBox security model aims to provide the strongest security by default while minimizing the
configuration work required of the administrator when new services are added.

When eBox acts as a firewall, it is normally installed between the local network and the gateway
that connects that network to another, normally the Internet. The network interfaces connecting the host
to the external network (the gateway) must be marked as such. This enables the Firewall module to
establish default filtering policies.

Figure 3.5: Internal network - Filtering rules - External network

The policy for external interfaces is to deny all new connection attempts to eBox. On internal
interfaces all connection attempts are denied too, except those made to the internal services defined in
the Services module, which are accepted by default.

Furthermore, eBox configures the firewall automatically to provide NAT for packets entering
through an internal interface and exiting through an external interface. Where this function is not
required, it may be disabled using the nat_enabled variable in the firewall module configuration file
/etc/ebox/80firewall.conf.

Firewall configuration with eBox

For easier handling of iptables in filtering tasks, the eBox interface in Firewall → Package filtering is
used.

Where eBox acts as a gateway, filtering rules can be established to determine whether the traffic
from a local or remote service must be accepted or not. There are five types of network traffic that can
be controlled with the filtering rules:

• Traffic from an internal network to eBox (e.g. allow SSH access from certain hosts).

• Traffic among internal networks and from internal networks to the Internet (e.g. forbid Internet
access from a certain internal network).

• Traffic from eBox to external networks (e.g. allow files to be downloaded by FTP from the host
using eBox).

• Traffic from external networks to eBox (e.g. enable the Jabber server to be used from the
Internet).

• Traffic from external networks to internal networks (e.g. allow access to an internal Web server
from the Internet).

Bear in mind that the last two types of rules may jeopardize eBox and network security and,
therefore, must be used with the utmost care. The filtering types can be seen in the following graphic:

Figure 3.6: Types of filtering rules

eBox provides a simple way to control access to its own services, and to external services, from an
internal interface (where the intranet is located) and from the Internet. Access is normally configured per
network object: hence it is possible to determine how each network object can access each of the eBox
services. For example, access to the DNS service could be denied to a certain subnet. Internet
access rules are managed by eBox too; e.g. to configure Internet access, outgoing packets to TCP
ports 80 and 443 to any address have to be allowed.

Each rule has a source and destination that depend on the type of filtering used. For example,
the filtering rules for eBox output only require the destination to be set, as the source is
always eBox. A rule can match a specific service or its inverse (any service but that one), for example to
deny all output traffic except SSH. In addition, a rule can be given a description for easier management.
Finally, each rule has a decision that can have the following values:

• Accept the connection.

• Deny the connection by silently dropping the incoming packets, so that the source assumes the
connection could not be established.

Figure 3.7: List of package filtering rules from internal networks to eBox

• Deny the connection and also log it. Thus, through Logs → Log query of the Firewall, it is
possible to see whether a rule is working properly.

Port forwarding

Port redirections (destination NAT) are configured through Firewall → Port Forwarding, where an
external port can be given and all traffic routed to a host listening on a certain port can be redirected
by translating the destination address.

To configure a redirection, the following fields need to be specified: the interface where the translation
is to be made, the original destination (this could be eBox, an IP address or an object), the original
destination port (any, a range of ports or a single port), the protocol, the source from
which the connection is started (in a normal configuration, its value will be any), the destination
IP and, finally, the port on which the target host is to receive the requests, which may or may not be the
same as the original. There is also an optional description field, useful for adding a comment
describing the purpose of the rule.

According to the example, all connections to eBox through the eth0 interface to port 8080/TCP will
be redirected to port 80/TCP of the host with IP address 10.10.10.10.

Practical example

Use the netcat program to create a simple server that listens on port 6970 in the eBox host. Add a
service and a firewall rule so that an internal host can access the service.

To do so:

1. Action: Access eBox, enter Module status and enable the Firewall module by marking the
checkbox in the Status column.

Effect: eBox requests permission to take certain actions.

2. Action: Read the actions to be taken and grant permission to eBox to do so.

Effect: The Save changes button has been enabled.

3. Action: Create an internal service, as in the practical example of section High-level eBox network
abstractions, through Services with the name netcat and the destination port 6970. Then
go to Firewall → Package filtering, in Filtering rules from internal networks to eBox, and add
a rule with at least the following fields:

• Decision: ACCEPT

• Source: Any

• Service: netcat (created in this action).

Once this is done, Save changes to confirm the configuration.

Effect: The new netcat service has been created with a rule for internal networks to connect
to it.

4. Action: From the eBox console, launch the following command:

nc -l -p 6970

5. Action: From the client host, check that there is access to this service using the command nc:

nc <ip_eBox> 6970

Effect: You can send data that will be displayed in the terminal where you launched netcat in
eBox.

3.3 Routing

3.3.1 Routing tables

The term routing refers to the action of deciding through which interface a certain packet must be sent
from a host. The operating system has a routing table with a set of rules to make this decision.

Each of these rules has different fields, although the three most important ones are: destination
address, interface and gateway. These must be read as follows: to reach a certain destination
address, the packet must be directed through a gateway, which is accessible through a certain inter-
face.

When a packet is sent, its destination address is compared to the entries in the table and the packet
goes out through the interface indicated by the rule that matches. When several rules match, the
most specific one (the longest prefix) wins. For example, suppose one rule states that to reach network A
(10.15.0.0/16) gateway A must be used, and another states that to reach network B (10.15.23.0/24),
which is a subnet of A, gateway B must be used. If a packet arrives with destination 10.15.23.23/32,
the operating system will send it to gateway B, as that rule is more specific.

All hosts have at least one routing rule for the loopback interface, or local interface, and additional
rules for other interfaces that connect it to other internal networks or to Internet.
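The longest-prefix lookup just described, as an added example in Python (not eBox code, which relies on the kernel routing table). The routing table is constructed to mirror the text: network A (10.15.0.0/16) via gateway A and its subnet B (10.15.23.0/24) via gateway B, plus the loopback route every host has.

```python
"""Longest-prefix route lookup, as the routing table section describes.

Added example, not eBox code. Entries are (destination network, gateway,
interface); a None gateway means the destination is directly attached.
"""
import ipaddress
from typing import Optional, Tuple

# Constructed routing table mirroring the text.
ROUTES = [
    ("10.15.0.0/16", "gateway A", "eth1"),
    ("10.15.23.0/24", "gateway B", "eth1"),
    ("127.0.0.0/8", None, "lo"),
]


def lookup(destination: str, routes=ROUTES,
           default_gateway: Optional[Tuple[str, str]] = None):
    """Return (gateway, interface) for the most specific route matching destination.

    If no route matches, the default gateway (gateway, interface) is used when
    one is configured; otherwise None is returned, the situation the kernel
    reports as 'network is unreachable' in the practical examples of this section.
    """
    addr = ipaddress.ip_address(destination)
    best = None
    best_len = -1
    for dest, gateway, iface in routes:
        net = ipaddress.ip_network(dest)
        # A longer prefix is a more specific rule and wins over a shorter match,
        # regardless of the order of the entries in the table.
        if addr in net and net.prefixlen > best_len:
            best, best_len = (gateway, iface), net.prefixlen
    if best is not None:
        return best
    return default_gateway


if __name__ == "__main__":
    for dst in ("10.15.23.23", "10.15.7.1", "127.0.0.1", "8.8.8.8"):
        print(dst, "->", lookup(dst))
```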

To manually configure a static route table, Network → Routes is used (basically it is an interface
for the route or ip route commands). These routes may be overwritten if the DHCP protocol is used.

Figure 3.8: Route configuration

Gateway

When sending a packet, if no route matches and there is a gateway configured, it will be sent through
the gateway.

The gateway is the route by default for packets sent to other networks.

To configure a gateway, use Network → Gateways.

Enabled: Indicates whether the gateway is currently in use.

Name: Name identifying the gateway.

IP address: IP address of the gateway. This address must be reachable from the host running
eBox.

Interface: Network interface connected to the gateway. Packets sent to the gateway will leave
through this interface.

Weight: The heavier the weight, the more traffic will be directed to this gateway when load balancing
is enabled.

Default: Indicates whether this gateway should be used as the default one.

If you have interfaces configured as DHCP or PPPoE you cannot add gateways for them, as they are
managed automatically. You can still enable and disable them, edit their Weight or set the Default
one, but not the remaining attributes.

Figure 3.9: Gateway list showing DHCP and PPPoE gateways

Subnets and subnet routing

As indicated above, initially there were classes of networks with associated fixed network masks, which
were 8-bit multiples. Due to the lack of scalability of this approach, CIDR (Classless Inter-Domain
Routing) was created to allow for network masks of a variable size to be used, allowing, for example,
for a class C network to be divided into several subnets of a smaller size or to aggregate several class
C subnets into one of a larger size. This allows:

• A more effective use of the scarce IPv4 address space.

• Better use of the hierarchy in address assignment (prefix aggregation), reducing routing over-
head throughout the Internet.

The number of bits interpreted as the subnet identifier is given by a netmask that is of the same
length as the IP address. To find the network of an IP address with its mask, proceed as follows:

                   Dotted decimal    Binary
  IP address       192.168.5.10      11000000.10101000.00000101.00001010
  Netmask          255.255.255.0     11111111.11111111.11111111.00000000
  Network portion  192.168.5.0       11000000.10101000.00000101.00000000

CIDR also introduced a new nomenclature that can be seen compared to the above in the following
table:

  CIDR   Class     N Hosts   Mask
  /32    1/256 C   1         255.255.255.255
  /31    1/128 C   2         255.255.255.254
  /25    1/2 C     128       255.255.255.128
  /24    1 C       256       255.255.255.0
  /21    8 C       2048      255.255.248.0
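The arithmetic behind both tables, as an added example (not part of the eBox guide) generalized to any prefix length: the network portion is the bitwise AND of address and mask, and a /N prefix is a mask of N leading one bits.

```python
"""Subnet arithmetic behind the netmask and CIDR tables (added example).

Not eBox code: a small set of functions that rebuild the tables above for
any IPv4 address and prefix length.
"""
import ipaddress


def dotted_to_int(addr: str) -> int:
    """Convert a dotted-decimal IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def int_to_dotted(value: int) -> str:
    """Convert a 32-bit integer back to dotted-decimal form."""
    return str(ipaddress.IPv4Address(value))


def to_binary(addr: str) -> str:
    """Render an address as four 8-bit groups, as in the first table."""
    value = dotted_to_int(addr)
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def network_portion(ip: str, netmask: str) -> str:
    """Network address = IP address AND netmask, bit by bit."""
    return int_to_dotted(dotted_to_int(ip) & dotted_to_int(netmask))


def prefix_to_netmask(prefix: int) -> str:
    """/prefix -> dotted netmask, e.g. 21 -> 255.255.248.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return int_to_dotted(mask)


def address_count(prefix: int) -> int:
    """Number of addresses in a /prefix block (the N Hosts column)."""
    return 1 << (32 - prefix)


def class_c_fraction(prefix: int) -> str:
    """The Class column: how many /24 (class C) networks the block spans."""
    count = address_count(prefix)
    if count >= 256:
        return f"{count // 256} C"
    return f"1/{256 // count} C"


def cidr_table(prefixes):
    """Rebuild the CIDR table rows for the given prefix lengths."""
    return [(f"/{p}", class_c_fraction(p), address_count(p), prefix_to_netmask(p))
            for p in prefixes]


if __name__ == "__main__":
    for label, addr in (("IP address", "192.168.5.10"), ("Netmask", "255.255.255.0")):
        print(f"{label:16}{addr:16}{to_binary(addr)}")
    net = network_portion("192.168.5.10", "255.255.255.0")
    print(f"{'Network portion':16}{net:16}{to_binary(net)}")
    for row in cidr_table((32, 31, 25, 24, 21)):
        print("{:6}{:9}{:<8}{}".format(*row))
```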

Practical example A

You will now configure the network interface statically. The class will be divided into two subnets.

To do so:

1. Action: Access the eBox interface, enter Network → Interfaces and, for the network inter-
face eth0, select the Static method. As the IP address, enter that indicated by the
instructor. As the Netmask, use 255.255.255.0. Click on the Change button.

The network address will be of the form 10.1.X.Y, where 10.1.X corresponds to the network and
Y to the host. These values will be used from now on.

Enter Network → DNS and click on Add. As the Name server enter 10.1.X.1. Click on Add.

Effect: The Save changes button has been enabled and the network interface keeps the data
entered. A list is displayed containing the name servers, including the recently created
server.

2. Action: Save the changes.

Effect: eBox displays the progress while the changes are being applied.

3. Action: Access Network → Diagnosis. Ping ebox-platform.com.

Effect: The following is given as the result:

connect: network is unreachable

4. Action: Access Network → Diagnosis. Ping to an eBox of a classmate part of the same
subnet.

Effect: Three satisfactory connection attempts to the host are displayed as the result.

5. Action: Access Network → Diagnosis. Ping to the eBox of a classmate in the other subnet.

Effect: The following is given as the result:

connect: network is unreachable

Practical example B

You will now configure a route to access hosts in other subnets.

To do so:

1. Action: Access the eBox interface, enter Network → Routes and select Add new. Complete
the form with the following values:

Network 10.1.X.0 / 24

Gateway 10.1.1.1

Description route to the other subnet

Click on the Add button.

Effect: The Save changes button has been enabled. A list is displayed containing the routes,
including the recently created one.

2. Action: Save the changes.

Effect: eBox displays the progress while the changes are being applied.

3. Action: Access Network → Diagnosis. Ping ebox-platform.com.

Effect: The following is given as the result:

connect: network is unreachable

4. Action: Access Network → Diagnosis. Ping to the eBox of a classmate in the other subnet.

Effect: Three satisfactory connection attempts to the host are displayed as the result.

Practical example C

You will now configure a gateway to connect to the remaining networks.

To do so:

1. Action: Access the eBox interface, enter Network → Routes and delete the route created
during the previous exercise.

Enter Network → Gateways and select Add new. Complete with the following data:

Name Default Gateway

IP address 10.1.X.1

Interface eth0

Weight 1

Default yes

Click on the Add button.

Effect: The Save changes button has been enabled. The list of routes has disappeared. A list
of gateways is displayed containing the recently created gateway.

2. Action: Save the changes.

Effect: eBox displays the progress while the changes are being applied.

3. Action: Access Network → Diagnosis. Ping ebox-platform.com.

Effect: Three satisfactory connection attempts to the host are displayed as the result.

4. Action: Access Network → Diagnosis. Ping to the eBox of a classmate in the other subnet.

Effect: Three satisfactory connection attempts to the host are displayed as the result.

3.3.2 Multigateway rules and load balancing

Multigateway rules are a tool that enables PCs in a network to use several Internet connections
transparently. This is useful if, for example, an office has several ADSL connections and the entire
bandwidth available is to be used without having to worry about distributing the work of the hosts
manually between both gateways, so that the load is shared automatically between them.

Basic load balancing evenly distributes the packets transferred from eBox to the Internet. The
simplest form of configuration involves establishing different weights for each gateway so that, if the
connections available have different capacities, they can be used optimally.

Multigateway rules allow for certain traffic types to be sent permanently by the same gateway,
where required. Common examples include sending emails through a certain gateway or ensuring
that a certain subnet is always routed from the Internet through the same gateway.

eBox uses the iproute2 and iptables tools for the configuration required for the multigateway
function. iproute2 informs the kernel of the availability of several gateways. For multigateway rules,
iptables is used to mark the packets of interest. These marks can be used from iproute2 to determine
the gateway through which a packet must be sent.

There are several possible problems that must be considered. Firstly, the connection concept
does not exist in iproute2. Therefore, with no other type of configuration, the packets belonging to the
same connection could end up being sent by different gateways, making communications impossible.
To solve this, iptables is used to identify the different connections and ensure that all the packets of a
connection are sent via the same gateway.

The same applies to any incoming connections established. All response packets for a connection
must be sent using the same gateway through which that connection was received.

To establish a multigateway configuration with load balancing in eBox, as many gateways as re-
quired must be defined in Network → Gateways. The weight parameter of each gateway
determines the proportion of packets it will send. Where two gateways are available with weights
of 5 and 10 respectively, 5 of every 15 packets will be sent through the first gateway, while the
remaining 10 will be sent via the second.

Multigateway rules and traffic balancing are configured in the Network → Balance Traffic section.
There, it is possible to add rules to send certain packets to a specific gateway, depending on
the input interface, the source (an IP address, an object, eBox or any), the destination
(an IP address or a network object), the service with which the rule is associated, and the
gateway through which the specified traffic type is to be directed. To enable load balancing, just enable
the Traffic balancing checkbox.

Practical example D

Configure a multigateway scenario with several gateways with different weights and check that it works
using the traceroute tool.

To do so:

1. Action: In pairs, leave one eBox with the current configuration and add a new gateway in the
other, accessing Network → Gateways via the interface and clicking on Add new, with the
following data:

Name Gateway 2

IP address <classmate’s eBox IP>

Interface eth0

Weight 1

Default yes

Click on the Add button.

Effect: The Save changes button has been enabled. A list of gateways is displayed containing
the recently created gateway and the previous gateway.

2. Action: Save the changes.

Effect: eBox displays the progress while the changes are being applied.

3. Action: Go to a console and run the following script:

for i in $(seq 1 254); do sudo traceroute -I -n 155.210.33.$i -m 6; done

Effect: The output of traceroute shows the successive gateways through which a packet
passes to reach its destination. When run on a host with a multigateway configuration, the
first hops should differ depending on the gateway chosen for each destination.

3.3.3 WAN Failover

If you are balancing traffic among two or more gateways, this feature is really useful. In a standard
scenario without failover, imagine you are balancing the traffic between two gateways and one of them
goes down. Assuming both gateways have the same weight, half of the traffic will keep going through
the downed gateway, causing connectivity problems for all the clients in the network.

In the failover configuration, you can define a set of tests for each gateway that needs to be
checked. These tests can be a ping to the gateway, a ping to another external host, a DNS resolution or an
HTTP request. You can also define how many probes are needed and the required success ratio. If
any of the tests fails to reach the required success ratio, the associated gateway is disabled. The
tests keep running, so if the gateway comes back, all the tests should succeed again and it
will be re-enabled.

Disabling the gateway that has lost connectivity sends all traffic through the other gateway
instead of balancing it, so that the users in the network should not notice any major problem
with the connection. Once eBox detects that the downed gateway is fully operative again, the normal
traffic balancing behavior is restored.

The failover is implemented as an eBox event. In order to use it, you first need to make sure that
the Events module is enabled and also enable the WAN Failover event (see the Events and alerts
chapter for details about how events work in eBox and how to configure them).

To configure the failover options and rules go to the Network → WAN Failover menu. You can
specify the event period by modifying the value of the Time between checks option. To add a new
rule, just click Add new and a form with the following fields will appear:

Enabled: Indicates whether the rule is going to be applied when checking the connectivity of
the gateways. You can add different rules and enable or disable them according to your needs
instead of deleting and adding them again.

Gateway: Already filled with the list of configured gateways, so you just need to select one of
them.

Test type: It may have any of the following values:

Ping to gateway: Sends an ICMP echo packet with the IP address of the gateway as destina-
tion.

Ping to host: Sends an ICMP echo packet with the IP address of the external host specified
below as destination.

DNS resolve: Tries to get the IP address for the host name specified below.

HTTP request: Downloads the content of the website specified below.

Host: The server to be used as target in the test; not applicable for the Ping to gateway
type.

Number of probes: Number of times the test is tried.

Required success ratio: Indicates how many of the attempts must succeed for the test to be considered
passed.

It is recommended to configure an event dispatcher in order to be aware of the connections and
disconnections of the gateways. Otherwise, they will be logged only to the /var/log/ebox/ebox.log file.
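The rule evaluation described above (number of probes compared against the required success ratio, a gateway taken out of balancing when a check fails and put back when it is operative again) as an added example; this is not eBox's own code. The probes are replaced by a constructed result table so it runs offline, the gateway addresses are documentation addresses, and the decision that a gateway is disabled when any of its enabled rules fails and re-enabled only when all of them pass again is an assumption made for the example:

```python
"""Failover rule evaluation modelled on the WAN Failover form described above.

Added example, not eBox's own code. The probe functions are replaced by a
constructed result table so it runs offline; the rule fields mirror the form
(gateway, test type, host, number of probes, required success ratio). The
assumption that a gateway is disabled when *any* of its enabled rules fails,
and re-enabled only when all of them pass again, is ours.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Probe callable: (test_type, target) -> True on success.  Real tests would
# send an ICMP echo, resolve a name or fetch a URL; here they are injected.
Probe = Callable[[str, str], bool]


@dataclass
class FailoverRule:
    gateway: str
    test_type: str                 # ping_gateway | ping_host | dns_resolve | http_request
    host: str = ""                 # target for the last three test types
    probes: int = 3                # "Number of probes"
    required_ratio: float = 0.5    # "Required success ratio" (0..1)
    enabled: bool = True


def rule_passes(rule: FailoverRule, probe: Probe) -> bool:
    """Run the probe 'probes' times and compare the success fraction with the ratio."""
    if rule.probes <= 0:
        return False
    target = rule.gateway if rule.test_type == "ping_gateway" else rule.host
    successes = sum(1 for _ in range(rule.probes) if probe(rule.test_type, target))
    return successes / rule.probes >= rule.required_ratio


class FailoverState:
    """Remembers which gateways currently take part in traffic balancing."""

    def __init__(self, gateways: List[str]):
        self.enabled: Dict[str, bool] = {g: True for g in gateways}

    def check(self, rules: List[FailoverRule], probe: Probe) -> List[Tuple[str, str]]:
        """Evaluate every enabled rule once; return ("down"|"up", gateway) transitions."""
        healthy: Dict[str, bool] = {}
        for rule in rules:
            if not rule.enabled or rule.gateway not in self.enabled:
                continue
            healthy[rule.gateway] = healthy.get(rule.gateway, True) and rule_passes(rule, probe)
        events = []
        for gw, ok in healthy.items():
            if ok != self.enabled[gw]:
                self.enabled[gw] = ok
                events.append(("up" if ok else "down", gw))
        return events


def make_probe(results: Dict[str, List[bool]]) -> Probe:
    """Constructed probe: replays a per-target list of results, cycling through it."""
    counters: Dict[str, int] = {}

    def probe(test_type: str, target: str) -> bool:
        seq = results.get(target, [False])
        i = counters.get(target, 0)
        counters[target] = i + 1
        return seq[i % len(seq)]
    return probe


# Constructed scenario: two gateways (RFC 5737 documentation addresses).
GATEWAYS = ["192.0.2.1", "198.51.100.1"]
RULES = [
    FailoverRule("192.0.2.1", "ping_gateway", probes=4, required_ratio=0.5),
    FailoverRule("192.0.2.1", "dns_resolve", host="example.com", probes=2, required_ratio=1.0),
    FailoverRule("198.51.100.1", "ping_gateway", probes=4, required_ratio=0.75),
]


def run_scenario():
    state = FailoverState(GATEWAYS)
    # First check: the second gateway answers only 2 of 4 pings (ratio 0.5 < 0.75).
    first = state.check(RULES, make_probe({
        "192.0.2.1": [True, True, False, False],
        "example.com": [True],
        "198.51.100.1": [True, False, False, True],
    }))
    # Second check: it is fully operative again, so balancing is restored.
    second = state.check(RULES, make_probe({
        "192.0.2.1": [True], "example.com": [True], "198.51.100.1": [True],
    }))
    return first, second, dict(state.enabled)


if __name__ == "__main__":
    print(run_scenario())
```

Note that a ratio of exactly the required value passes (2 successes out of 4 with a ratio of 0.5), so when a link is flapping a stricter ratio or more probes keeps it out of balancing until it is stable.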

3.4 Traffic shaping

3.4.1 Quality of Service (QoS)

Quality of Service (QoS) in computer networks refers to resource reservation control mechanisms
to provide different priorities to different applications, users, or data flows, or to guarantee a certain
level of performance according to the constraints imposed by the application. Constraints such as
delay in delivery, bit rate, probability of packet loss or delay variation per packet (jitter or Packet Delay
Variation (PDV), the difference in end-to-end delay between selected packets in a flow, with any lost
packets being ignored) may be specified for various multimedia data stream applications such as voice
or TV over IP. These mechanisms are only applied when resources are limited (wireless cellular
networks) or when there is congestion in the network; otherwise such QoS mechanisms are not required.

There are several techniques to provide quality of service:

Reserving network resources: Using the Resource reSerVation Protocol (RSVP) to request and
reserve resources in the routers. However, this option has been neglected because it does not
scale well with Internet growth.

Differentiated services (DiffServ): In this model, packets are marked according to the type of ser-
vice they need. In response to these marks, routers and switches use various queuing strate-
gies to tailor performance to requirements. This approach is currently widely accepted.

In addition to these systems, bandwidth management mechanisms may be used to further improve
performance, such as traffic shaping, scheduling algorithms or congestion avoidance.

Regarding traffic shaping, there are two predominant methods:

Token bucket: It dictates when traffic can be transmitted, based on the presence of tokens in the
bucket (an abstract container that holds aggregate network traffic to be transmitted). Each
token in the bucket can represent a unit of bytes of predetermined size, so each time that traffic
is transmitted, the tokens are removed (cashed in). When there are no tokens, a flow cannot
transmit its packets. Periodically, tokens are added to the bucket. With such a mechanism, it is
possible to send data at the peak burst rate.

Leaky bucket: Conceptually based on a bucket with a hole in the bottom. Arriving packets are
placed into the bucket until it becomes full, after which packets are discarded. Packets
are sent at a constant rate, which is equivalent to the size of the hole in the bucket.
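The two shaping methods just described, as an added discrete simulation (not eBox code; eBox drives the Linux kernel's shapers rather than implementing them). Times are integer milliseconds and rates are bytes per millisecond so that the arithmetic is exact; the packet arrival pattern is constructed, and the 20 B/ms rate is the 20 KB/s (160 Kbit/s) used in the practical example later in this chapter:

```python
"""Token bucket and leaky bucket shapers as described above.

Added example, not eBox code. Times are integer milliseconds and rates are
bytes per millisecond so that the arithmetic is exact.
"""
from typing import List, Optional, Tuple

Packet = Tuple[int, int]   # (arrival time in ms, size in bytes)


class TokenBucket:
    """Tokens (bytes) accrue at 'rate' per ms up to 'burst'; a packet is sent
    immediately if enough tokens are present, otherwise it is not conformant.
    Because the bucket fills while idle, a burst of up to 'burst' bytes is allowed."""

    def __init__(self, rate: int, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = burst      # start full
        self.last = 0

    def allow(self, t: int, size: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class LeakyBucket:
    """A bounded queue ('capacity' bytes) drained through a hole of fixed 'rate'.
    Packets that do not fit are discarded; accepted packets leave at a constant
    rate, so the output never bursts."""

    def __init__(self, rate: int, capacity: int):
        self.rate, self.capacity = rate, capacity
        self.busy_until = 0      # time at which the queue will be empty

    def offer(self, t: int, size: int) -> Optional[int]:
        """Return the departure time of the packet, or None if it was dropped."""
        backlog = max(0, (self.busy_until - t) * self.rate)   # bytes still queued
        if backlog + size > self.capacity:
            return None
        start = max(t, self.busy_until)
        self.busy_until = start + -(-size // self.rate)      # ceil(size / rate) ms
        return self.busy_until


def run_token_bucket(packets: List[Packet], rate: int, burst: int) -> List[bool]:
    """True for every packet the token bucket lets through at its arrival time."""
    tb = TokenBucket(rate, burst)
    return [tb.allow(t, s) for t, s in packets]


def run_leaky_bucket(packets: List[Packet], rate: int, capacity: int) -> List[Optional[int]]:
    """Departure time (ms) of each packet, or None for packets the full bucket discards."""
    lb = LeakyBucket(rate, capacity)
    return [lb.offer(t, s) for t, s in packets]


# Constructed arrival pattern: ten 1500-byte packets at once, three more 100 ms later.
PACKETS: List[Packet] = [(0, 1500)] * 10 + [(100, 1500)] * 3

if __name__ == "__main__":
    print("token bucket:", run_token_bucket(PACKETS, 20, 10000))
    print("leaky bucket:", run_leaky_bucket(PACKETS, 20, 4500))
```

With the same 20 B/ms rate the token bucket passes six packets instantly (a 9000-byte burst) and then only what 100 ms of refill pays for, while the leaky bucket spaces every accepted packet 75 ms apart and discards whatever does not fit in its 4500-byte queue.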

3.4.2 QoS configuration in eBox

eBox uses Linux kernel features (see Linux Advanced Routing & Traffic Control, http://lartc.org) to
shape traffic using token bucket mechanisms that allow assigning a limited rate, a guaranteed rate and
a priority to certain types of data flows through the Traffic Shaping → Rules menu.

In order to perform traffic shaping, it is required to have at least an internal network interface and
an external one. You need at least one configured gateway as well, and you also have to set your
bandwidth information in Traffic Shaping → Interface Rates: the upload and download rates provided
by the router connected to every external interface. The shaping rules are specific to each
interface, and they may be set for those external network interfaces with an assigned upload rate and
for all internal ones.

If the external network interface is shaped, then you are limiting eBox output traffic to the Internet.
If, however, you shape an internal network interface, then the eBox output to internal networks is
limited. The maximum output and input rates are given by the configuration in Traffic Shaping →
Interface Rates. As can be seen, shaping input traffic is not possible directly; that is because input
traffic is neither predictable nor controllable in almost any way. There are specific techniques from various
protocols to handle the incoming traffic, for instance, TCP by artificially adjusting the window size as
well as controlling the rate of acknowledgement (ACK) segments being returned to the sender.

Each network interface has a rule table to assign a priority (0: highest priority, 7: lowest priority),
a guaranteed rate and/or a limited rate. These rules apply to traffic matching a service, a source and/or
a destination.

Figure 3.10: Traffic shaping rules

Practical example

Set up a rule to shape incoming HTTP traffic by limiting it to 20KB/s. Check if it works properly.

1. Action: Add a gateway in Network → Gateways to your external network interface.

Effect: The Save changes button is enabled. The gateway list displays a single gateway.

2. Action: Save the changes.

Effect: eBox displays the progress while the changes are being applied. Once this is complete,
it informs the user.

3. Action: Enter Services and add a new external service called HTTP with TCP protocol and
destination port 80.

Effect: eBox shows a list with all the services where the new service is displayed too.

4. Action: Enter Traffic Shaping → Rules. Select the internal interface from the interface list and,
using Add new, set a new rule with the following details:

Enabled: Yes

Service: Port-based service / HTTP

Source: any

Destination: any

Priority: 7

Guaranteed rate: 0 Kb/s

Limited rate: 160 Kb/s

Press the Add button.

Effect: eBox displays a table with the new traffic shaping rule.

5. Action: Start downloading a huge file, which is reachable from the Internet (for example, a
Ubuntu ISO image) from a host within your LAN (not eBox itself) using the wget command.

Effect: The download rate is stable around 20 KB/s (160 Kbit/s).

3.5 RADIUS

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides central-
ized Authentication, Authorization and Accounting (AAA) management for computers to connect and
use a network service.

The authentication and authorization flow in RADIUS works as follows: the user or machine sends
a request to a Network Access Server (NAS), such as a wireless Access Point, using the proper
link-layer protocol in order to gain access to a particular network resource using access credentials.
In turn, the NAS sends an Access Request message to the RADIUS server, requesting authorization
to grant access and including all the needed access credentials, not only username and password
but possibly also realm, IP address, VLAN to be assigned or maximum connection time. This
information is checked using authentication schemes like Password Authentication Protocol (PAP),
Challenge-Handshake Authentication Protocol (CHAP) or Extensible Authentication Protocol (EAP)
(these authentication protocols are defined in RFC 1334) and then a response is sent to the NAS:

1. Access Reject: when the user is denied access.

2. Access Challenge: when additional information is requested, as in TTLS, where a tunneled
dialog is established between the RADIUS server and the client for a second authentication
phase.

3. Access Accept: when the user is granted access.

The official IANA-assigned RADIUS ports are 1812/UDP for authentication and 1813/UDP for
accounting. This protocol does not transmit passwords in plain text between the NAS and the server
(not even with the PAP protocol); a shared secret is used to encrypt the communication between both parties.
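The Access-Request / Access-Accept exchange above, with the shared secret doing the two jobs the text mentions, as an added example that is neither eBox nor FreeRADIUS code. It follows RFC 2865: the NAS hides the PAP User-Password by XORing it with MD5(secret + Request Authenticator) chained block by block, and the server's reply carries a Response Authenticator that the NAS verifies, so a reply forged by someone who does not know the secret is rejected. The user name, password and secret are constructed values:

```python
"""RADIUS Access-Request / Access-Accept exchange with PAP password hiding.

Added example, not eBox or FreeRADIUS code. Follows RFC 2865; names, passwords
and the shared secret below are constructed values.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (server side). Trailing NUL padding is stripped,
    so this toy does not support passwords that end in NUL bytes."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def _parse_attrs(blob: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i + 2 <= len(blob):
        kind, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs[kind] = blob[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, secret: bytes, user: bytes, password: bytes,
                         request_auth: Optional[bytes] = None) -> bytes:
    """NAS side: Code(1) Identifier Length Authenticator(16) Attributes..."""
    request_auth = request_auth or os.urandom(16)      # must be unpredictable
    attrs = _attr(ATTR_USER_NAME, user) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def _response_auth(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs))
                       + request_auth + attrs + secret).digest()


def handle_access_request(packet: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Server side: recover the password, check it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    given = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = users.get(user)
    ok = expected is not None and hmac.compare_digest(given, expected)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return (struct.pack("!BBH", reply, ident, 20)
            + _response_auth(reply, ident, b"", request_auth, secret))


def verify_response(reply: bytes, request_auth: bytes, secret: bytes) -> Tuple[bool, int]:
    """NAS side: trust the reply only if its authenticator proves knowledge of the secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = _response_auth(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20]), code
```

The Request Authenticator is the only per-packet randomness in the password hiding, which is why a NAS must draw it from a proper random source; and because MD5 of the shared secret is all that protects the exchange, the secret chosen in the RADIUS clients section should be long and unique per NAS.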

The FreeRADIUS server (http://freeradius.org/) is used for the eBox RADIUS service.

3.5.1 RADIUS server configuration with eBox

To provide the RADIUS service in eBox, first check in Module Status that the Users and
Groups module is enabled, as RADIUS depends on it. Then mark the RADIUS checkbox to enable
the eBox RADIUS module.

Figure 3.11: RADIUS General Configuration

In order to configure the service, go to RADIUS in the left menu. There you will be able to set up
whether All users or only the users who belong to one of your groups will be granted access.

All the NAS requesting authentication from eBox need to be defined in the RADIUS clients section.
For each NAS client we can specify:

Enabled: whether this NAS is enabled or not.

Client: The name for this client, such as its hostname.

IP Address: The IP address or IP range allowed to send authentication requests to the RADIUS
server.

Shared Secret: A shared password between the RADIUS server and the NAS to authenticate and
encrypt their communication.

3.5.2 Access Point (AP) configuration

On every NAS you will need to set up the address of eBox as the RADIUS server, the port (which
defaults to UDP/1812) and the shared secret. WPA and WPA2, using TKIP or AES (recommended),
can both be used with eBox RADIUS. The mode should be EAP.

Figure 3.12: Access Point Wireless Settings


3.6 HTTP Proxy Service

A Web Proxy Cache server is used to reduce the bandwidth used in HTTP (Web) connections (for
more information about the HTTP service, see the section Web data publication service (HTTP)), control
access and improve browsing security and browsing speed.

A proxy is a program that acts as an intermediary in a connection, in this case a connection using the
HTTP protocol. In this intermediation it can change the behaviour of the protocol, for example adding
a cache or mangling the received data.

The HTTP proxy service available in eBox has the following features:

• Web content cache. It speeds up browsing and reduces bandwidth consumption.

• Access restriction. Access can be restricted by source address, by user or by timetable criteria.

• Antivirus. It blocks infected files.

• Content access restriction for given domains or file types.

• Content filter.

eBox uses Squid (http://www.squid-cache.org, Squid Web Proxy Cache) as proxy, and draws on
Dansguardian (http://www.dansguardian.org, web content filtering) for content control.

3.6.1 Access policy configuration

The most important task when configuring the HTTP Proxy is to set the access policy for the web
content that goes through it. The policy determines whether access to the web is allowed and whether the
content filter is applied.

The first step is to define a default policy. We set it in the page HTTP Proxy → General,
choosing one of the six available policies:

Allow all: This policy allows browsing without restriction. It does not mean, however, that the cache
is not used.

Deny all: This policy denies web access. At first it could seem useless, because you could also
deny access with a firewall rule. However, as we will see later, we can define particular policies
for each network object, so we could use this policy as the default and then override it for
some objects.

Filter: This policy allows the access and also enables the content filtering, so the access could be
denied depending on the requested content.

Authorize and allow, Authorize and deny, Authorize and filter: These policies are derived from
the previous policies but with authorization added. The authorization will be explained in the
section HTTP Proxy advanced configuration.

After setting the default policy, we can refine it by setting particular policies for each network
object. To set them we must go to the section HTTP Proxy → Objects policy.

We can choose any of the six policies for each object; when the proxy is accessed from an object,
this policy overrides the default policy. A network address can be contained in various objects, so we
can establish the priority by rearranging the objects in the list; in that case, the policy with the greatest
priority will be applied. It is also possible to define a timetable for each object; access outside the
specified time will be denied.

Warning: The timetable option is not compatible with policies that use the content filter.
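How the effective policy for a client is resolved from the default policy, the ordered object list and the optional timetable, as an added example (not eBox code). Objects are evaluated in list order so the first match wins, which is how the priority described above works; access from an object outside its timetable is denied; and, following the warning above, an object that combines a timetable with a filtering policy is rejected at configuration time. The object names, address ranges and timetable are constructed:

```python
"""Resolving the effective proxy policy for a client, as described above.

Added example, not eBox code. Objects are listed in priority order (first match
wins); a timetable outside which access is denied is optional; a timetable on a
filtering policy raises, as the warning above requires.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

POLICIES = {"allow", "deny", "filter", "auth_allow", "auth_deny", "auth_filter"}
FILTERING = {"filter", "auth_filter"}

# (weekdays allowed, Monday=0 .. Sunday=6; start; end): access is allowed only inside.
Timetable = Tuple[Set[int], time, time]


@dataclass
class ObjectPolicy:
    name: str
    members: List[str]               # CIDR blocks that make up the network object
    policy: str
    timetable: Optional[Timetable] = None

    def __post_init__(self):
        if self.policy not in POLICIES:
            raise ValueError(f"unknown policy {self.policy!r}")
        if self.timetable and self.policy in FILTERING:
            raise ValueError("timetable is not compatible with content-filter policies")
        self._nets = [ipaddress.ip_network(m, strict=False) for m in self.members]

    def contains(self, ip) -> bool:
        return any(ip in n for n in self._nets)


def in_timetable(when: datetime, tt: Timetable) -> bool:
    days, start, end = tt
    return when.weekday() in days and start <= when.time() < end


def resolve_policy(client_ip: str, when: datetime, default: str,
                   objects: List[ObjectPolicy]) -> Tuple[str, str]:
    """Return (effective policy, reason). Earlier objects have greater priority."""
    ip = ipaddress.ip_address(client_ip)
    for obj in objects:
        if obj.contains(ip):
            if obj.timetable and not in_timetable(when, obj.timetable):
                return "deny", f"object {obj.name}: outside timetable"
            return obj.policy, f"object {obj.name}"
    return default, "default policy"


# Constructed configuration: deny by default, office hours for accountancy, filter the rest of the LAN.
OFFICE_HOURS: Timetable = ({0, 1, 2, 3, 4}, time(9, 0), time(18, 0))
OBJECTS = [
    ObjectPolicy("accountancy", ["192.168.45.0/24"], "allow", OFFICE_HOURS),
    ObjectPolicy("lan", ["192.168.0.0/16"], "filter"),
]

if __name__ == "__main__":
    for ip, when in [("192.168.45.10", datetime(2010, 3, 2, 10, 0)),
                     ("192.168.45.10", datetime(2010, 3, 6, 10, 0)),
                     ("192.168.50.3", datetime(2010, 3, 2, 10, 0)),
                     ("10.0.0.5", datetime(2010, 3, 2, 10, 0))]:
        print(ip, when, resolve_policy(ip, when, "deny", OBJECTS))
```

Because the accountancy object is listed before the wider LAN object, its hosts get the allow policy even though they also belong to 192.168.0.0/16; swapping the two entries would make the filter policy win for everyone.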

Figure 3.13: Network objects’ web access policies

3.6.2 Client connection to the proxy and transparent mode

In order to connect to the HTTP proxy the users must configure their browser. The exact configuration
method depends on the browser used, but the information required is the eBox server's address and
the port used by the proxy.

The eBox proxy only accepts connections received on its internal interfaces so an internal address
must be used in the browser’s configuration.

The default port is 3128 but it can be changed through the HTTP Proxy → General page. Other
popular ports for HTTP proxy services are 8000 and 8080.

To prevent users from bypassing the proxy and accessing the web directly, you should deny the
HTTP traffic in the firewall.

One way to avoid the need to configure each browser is to use the transparent mode. In this mode,
eBox should be the network gateway and the HTTP connections toward external servers (for example,
on the Internet) will be redirected to the proxy. To activate this mode, go to HTTP Proxy →
General and enable the Transparent Proxy checkbox. As we will see in HTTP Proxy advanced
configuration, the transparent mode is incompatible with policies with authorization.

Finally, keep in mind that secure web traffic (HTTPS) cannot be handled in transparent
mode. If you want to allow it, you must set a firewall rule that allows it. This traffic will not be managed
by the proxy.

3.6.3 Cache parameters

In the section HTTP Proxy → General, it is possible to define the disk cache size and which addresses
are exempted from it.

The cache size controls the maximum disk space used to store the cached web elements. This
maximum size is set in the field Cache file size that we find under the heading General Settings.

With a bigger size, the probability of retrieving a web element from the cache increases, and as a
result browsing speed could increase and bandwidth use could be reduced. On the other
hand, increasing the size not only comes with greater disk usage but also with an increase in RAM
usage, because the cache must maintain in memory an index of the stored elements.

It is the job of each system administrator to choose a size according to the server characteristics
and the traffic profile.

It is possible to establish domains that are exempted from the cache. For example, you may
have local web servers that a cache will not speed up, and caching them would waste cache space. When
a domain exempted from the cache is requested, it will be contacted directly without any cache lookup and
the response will be returned without being stored.

The exempted domains are managed under the heading Cache Exemptions that we find at the
page HTTP Proxy → General.

3.6.4 Web content filter

eBox allows filtering web pages according to their contents. To enable the filter, the default policy or the
object policy of a given object should be either Filter or Authorize and Filter.

With eBox, we can define multiple filter profiles, but in this section we will only talk about the default
profile, leaving the discussion of multiple profiles to the section HTTP Proxy advanced configuration.
In order to configure the filter settings you have to go to the page HTTP Proxy → Filter Profiles and
select the configuration of the default profile.

The content filtering is based on various tests, including virus filtering, a heuristic word filter and simpler
things like banned domains. The end result is the decision about whether to allow or deny the browsing
of the page under analysis.

The first filter is the virus filtering. To use it you must have the antivirus module installed and
enabled. Then you can configure in the filter profile whether you want to use it or not. When enabled,
it will block HTTP traffic with infected contents.

The text content filter analyzes the text contained in the web page; if it is considered inappropriate
according to the rules (for example, if it is considered the text of a pornographic page) the request will be
blocked.

To control this process we can establish a threshold that will be compared to the score assigned
to the page by the filter; if the score is above the threshold, the page will be blocked. The threshold
is set in the filter profile, in the section Content filtering threshold. This filter can also be disabled
by choosing the value Disabled. It should be noted that the text analysis could result either in false
positives or false negatives, blocking innocent pages or letting inappropriate ones pass; these problems
can be mitigated using domain policies, but they could happen again with unknown pages.

There are more explicit filters:

• By domain. For example, denying access to a sports newspaper domain.

• By file extension. For example, forbidding the download of .EXE files.

• By file MIME type. For example, forbidding the download of video files.

These filters are presented in the filter profile configuration by means of three tabs: Files extension
filter, MIME types filtering and Domains filtering.

In the Files extension filter table you can configure which file extensions should be blocked.

Likewise, in the MIME types filtering table you can establish which MIME types should be blocked.
The MIME types (Multipurpose Internet Mail Extensions) are a standard, originally conceived to extend
the contents of email, which define the type of the content. They are also used by other protocols, HTTP
among them, to determine the content type of transferred files. An example of a MIME type is text/html,
which is the type for web pages. The first part of the type indicates the kind of content stored (text, video,
images, executables, ...) and the second the format used (HTML, MPEG, gzip, ...).

In the Domains filtering section, you will find the parameters related to filtering websites according
to their domain. There are two global settings:

• Block not listed domains. This option will block domains that are not present in Domain
rules or in the categories in Domain lists files. In this last case, the domains in a
category with the policy Ignore are considered not listed.

• Block sites specified only as IP. This option blocks pages requested using their IP address
instead of their domain name. The purpose of this option is to avoid attempts to bypass domain
rules using IP addresses.

Next we have Domain rules, where you can introduce domains and assign them one of the
following policies:

Always allow: The access to the content of this domain is always allowed. All the content filters are
ignored.

Always deny: Access to the contents of this domain will always be blocked.

Filter: The filters will be applied to this domain as usual. However it will not be automatically blocked
if the Block not listed domains option is active.

In Domain list files, you can simplify the management of domains using classified lists of domains.
These lists are usually maintained by third parties and they have the advantage that the domains are
classified in categories, allowing policies to be defined for a full domain category. eBox supports the lists
distributed by URLBlacklist (http://www.urlblacklist.com), Shalla's blacklists (http://www.shallalist.de)
and any other that uses the same format.

These lists are distributed as compressed archives. Once downloaded, you can add the archive to
your configuration and set policies for each category.

The policies that can be set for each category are the same policies that can be applied to individual
domains, and they will be enforced for all domains in the category. There is an additional policy called
Ignore; its effect is to ignore completely the presence of a category. This is the default policy for all
categories.
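The filters of this section (domain rules, category lists with the Ignore policy, the two global domain settings, extension and MIME type lists, and the content score threshold) combined into one decision, as an added example that is neither eBox nor Dansguardian code. The evaluation order used here (domain rules, then categories, then the IP-only and not-listed checks, then extension, MIME type and score) is an assumption made for the example; the real filter's internal order may differ. Domains, categories and scores are constructed:

```python
"""Content-filter decision combining the tests described in this section.

Added example, not eBox or Dansguardian code. The evaluation order is an
assumption made for the example. Domains, categories and scores are constructed.
"""
import ipaddress
from dataclasses import dataclass, field, replace
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass
class FilterProfile:
    threshold: Optional[int] = None          # None = text filter disabled
    banned_extensions: Set[str] = field(default_factory=set)
    banned_mime_types: Set[str] = field(default_factory=set)
    domain_rules: Dict[str, str] = field(default_factory=dict)   # domain -> allow|deny|filter
    # category -> (policy, domains); policy allow|deny|filter|ignore
    categories: Dict[str, Tuple[str, Set[str]]] = field(default_factory=dict)
    block_unlisted: bool = False
    block_ip_only: bool = False


def _domain_matches(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _domain_policy(host: str, profile: FilterProfile) -> Tuple[Optional[str], str]:
    """Look the host up in Domain rules first, then in the category lists."""
    for domain, policy in profile.domain_rules.items():
        if _domain_matches(host, domain):
            return policy, f"domain rule {domain}"
    for name, (policy, domains) in profile.categories.items():
        if policy != "ignore" and any(_domain_matches(host, d) for d in domains):
            return policy, f"category {name}"
    return None, "not listed"       # an Ignore category counts as not listed


def filter_request(url: str, mime_type: str, score: int, profile: FilterProfile) -> Tuple[bool, str]:
    """Return (allowed, reason) for one HTTP response being served to the client."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    policy, where = _domain_policy(host, profile)
    if policy == "allow":
        return True, f"{where}: always allow"   # skips every other filter
    if policy == "deny":
        return False, f"{where}: always deny"
    if profile.block_ip_only and _is_ip(host):
        return False, "site requested by IP address"
    if policy is None and profile.block_unlisted:
        return False, "domain not listed"
    name = parts.path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in profile.banned_extensions:
        return False, f"banned extension .{ext}"
    if mime_type.lower() in profile.banned_mime_types:
        return False, f"banned MIME type {mime_type}"
    if profile.threshold is not None and score > profile.threshold:
        return False, f"content score {score} above threshold {profile.threshold}"
    return True, "passed all filters"


# Constructed profile: a few domain rules, two list categories, .exe and MPEG video banned.
PROFILE = FilterProfile(
    threshold=50,
    banned_extensions={"exe"},
    banned_mime_types={"video/mpeg"},
    domain_rules={"intranet.example": "allow", "sport.example": "deny", "news.example": "filter"},
    categories={"adult": ("deny", {"badsite.example"}), "social": ("ignore", {"chat.example"})},
    block_ip_only=True,
)
STRICT_PROFILE = replace(PROFILE, block_unlisted=True)

if __name__ == "__main__":
    for url in ["http://intranet.example/setup.exe", "http://files.example/tool.exe",
                "http://192.168.45.204/", "http://chat.example/"]:
        print(url, filter_request(url, "text/html", 0, STRICT_PROFILE))
```

The Always allow rule is the one to watch when reviewing a profile: it short-circuits the antivirus, extension, MIME and score tests for that domain and all its subdomains, so it belongs only on hosts whose content is under your control.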

Practical example

Enable the transparent mode in the proxy. Check with the iptables command the NAT rules that
should have been added to enable this feature.

1. Action: Log into eBox, enter Module status and enable the HTTP Proxy module by checking its
box in the Status column.

Effect: eBox will ask for permission to overwrite some files.

2. Action: Read the reason for the changes on each file and grant permission to eBox to overwrite
them.

Effect: The Save changes button is highlighted.

3. Action: Go to HTTP Proxy → General and check the Transparent proxy checkbox. Make sure
that eBox can act as a router; for this, at least one internal and one external interface are required.

Effect: The transparent mode is configured.

4. Action: Click on Save changes to enforce the new configuration.

Effect: The firewall and HTTP proxy services will be restarted.

5. Action: In the console of the eBox computer, execute the command iptables -t nat -vL.

Effect: The command output must be similar to this:

Chain PREROUTING (policy ACCEPT 7289 packets, 1222K bytes)
 pkts bytes target      prot opt in     out     source               destination
  799 88715 premodules  all  --  any    any     anywhere             anywhere

Chain POSTROUTING (policy ACCEPT 193 packets, 14492 bytes)
 pkts bytes target      prot opt in     out     source               destination
   29  2321 postmodules all  --  any    any     anywhere             anywhere
    0     0 SNAT        all  --  any    eth2   !10.1.1.1             anywhere             to:10.1.1.1

Chain OUTPUT (policy ACCEPT 5702 packets, 291K bytes)
 pkts bytes target      prot opt in     out     source               destination

Chain postmodules (1 references)
 pkts bytes target      prot opt in     out     source               destination

Chain premodules (1 references)
 pkts bytes target      prot opt in     out     source               destination
    0     0 REDIRECT    tcp  --  eth3   any     anywhere            !192.168.45.204      tcp dpt:www redir ports 3129

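A way to turn the manual check of step 5 into a script, as an added example (not eBox code): it parses the output of iptables -t nat -vL into chains and rules and picks out the REDIRECT rule that sends port-80 traffic to the proxy port. The sample output is the one shown above, embedded as a constructed string so the check runs offline; on a live eBox you would pass it the real command output instead:

```python
"""Checking the NAT rules that transparent mode adds, by parsing iptables -t nat -vL.

Added example, not eBox code. The sample output is the one shown above, embedded
as a constructed string so the check runs offline.
"""
import re
from typing import Dict, List

SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 7289 packets, 1222K bytes)
 pkts bytes target      prot opt in     out     source               destination
  799 88715 premodules  all  --  any    any     anywhere             anywhere

Chain POSTROUTING (policy ACCEPT 193 packets, 14492 bytes)
 pkts bytes target      prot opt in     out     source               destination
   29  2321 postmodules all  --  any    any     anywhere             anywhere
    0     0 SNAT        all  --  any    eth2   !10.1.1.1             anywhere             to:10.1.1.1

Chain OUTPUT (policy ACCEPT 5702 packets, 291K bytes)
 pkts bytes target      prot opt in     out     source               destination

Chain postmodules (1 references)
 pkts bytes target      prot opt in     out     source               destination

Chain premodules (1 references)
 pkts bytes target      prot opt in     out     source               destination
    0     0 REDIRECT    tcp  --  eth3   any     anywhere            !192.168.45.204      tcp dpt:www redir ports 3129
"""

FIELDS = ["pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination"]


def parse_nat_table(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Map each chain name to its rules; each rule is a dict of the column fields
    plus 'extra' (match and target options printed after the destination)."""
    chains: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        cols = line.split()
        if current is None or not cols or cols[0] == "pkts":
            continue                      # blank line or column header
        rule = dict(zip(FIELDS, cols[:9]))
        rule["extra"] = " ".join(cols[9:])
        chains[current].append(rule)
    return chains


def transparent_proxy_redirects(chains: Dict[str, List[Dict[str, str]]]) -> List[Dict[str, str]]:
    """Rules that REDIRECT TCP port 80 traffic to a local port, whichever chain they sit in."""
    hits = []
    for rules in chains.values():
        for r in rules:
            m = re.search(r"tcp dpt:(www|80) redir ports (\d+)", r.get("extra", ""))
            if r.get("target") == "REDIRECT" and m:
                hits.append({**r, "redir_port": m.group(2)})
    return hits


if __name__ == "__main__":
    for hit in transparent_proxy_redirects(parse_nat_table(SAMPLE_NAT)):
        print(f"{hit['in']}: port 80 -> local port {hit['redir_port']}, except {hit['destination']}")
```

Two details of the rule are worth confirming whenever the check is run: it is bound to the internal interface (eth3 in the sample), so traffic arriving on the external side is not redirected, and it excludes eBox's own address as destination, so browsers that already point at the proxy are not looped back into it.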
Chapter 4

eBox Office

One of the fundamentals for the creation of computer networks was the sharing of resources and data
(see net-intro-ref for further information). This issue is particularly emphasized here and is possibly
the most useful section for the daily operations of many local area networks in offices or at home.

Unified user and group management through a directory service for all network services, the use
of shared files and printers and all groupware services, such as calendars, contacts and tasks, are
discussed in this section.

4.1 Directory service (LDAP)

Directory services are used to store and organize the data relating to organizations (in this case, users
and groups). They enable network administrators to handle user access to resources by adding
an abstraction layer between the resources and their users. This service provides a data access interface.
It also acts as a central, common authority through which users can be securely authenticated.

A directory service can be considered similar to the yellow pages. Its characteristics include:

• The data is much more often read than written.

• Hierarchical structure that simulates the organizational architecture.


• Properties are defined for each type of object, standardized by the IANA (the Internet Assigned
Numbers Authority, responsible for assigning public IP addresses, top level domain (TLD) names,
etc.; http://www.iana.org/), on which access control lists (ACLs) can be defined.

There are many different implementations of the directory service, including NIS, OpenLDAP,
Active Directory, etc. eBox uses OpenLDAP as its directory service, with Samba technology for the
Windows domain controller and to share files and printers.

4.1.1 Users and groups

Normally, in the management of an organization of any size there is the concept of user or group. For
easier shared resource administration, a distinction is made between users and their groups. Each
one may have different privileges in relation to the resources of the organization.

Management of users and groups in eBox

Modes

As has been explained, eBox has a modular design, allowing an administrator to distribute
services among several machines in the network. In order for this to be feasible, the users and
groups module supports a master/slave architecture to share users between different eBoxes.

By default, and unless indicated otherwise in the Users and Groups → Mode menu entry, the
module will set up a master LDAP directory. By default, the Distinguished Name (DN) of the directory
(each LDAP directory entry has a unique identifier called distinguished name, which is similar to the
concept of a full file path in a file system) is set according to the current hostname; if a different one
is desired, it can be set in the LDAP DN text entry.


Other eBoxes can be configured to use a master as the source of their users, thus becoming
directory slaves. In order to do this, the slave mode has to be selected in Users and Groups →
Mode. The slave setup requires two extra parameters, the IP or hostname of the master directory and
its LDAP password. This password is not the eBox one, but the one generated automatically when
enabling the users and groups module. Its value can be obtained in the Password field in Users and
Groups → LDAP Info in the master eBox.

There is one extra requirement before registering a slave in a master. The master has to be able
to resolve the slave's hostname via DNS. There are different ways to achieve this. The easiest one is
adding an entry for the slave in the master's /etc/hosts. Another option is to set up the DNS service in
eBox, including the slave hostname and IP address.

If the firewall module is enabled in the master eBox, it has to be configured in a way that allows
incoming LDAP traffic from the slaves. By default, the firewall denies this traffic, so make sure to
perform the necessary adjustments on the firewall before proceeding.


Once these parameters are set and the slave hostname can be resolved from the master, the
slave can be registered in the master by enabling the users and groups module in Module Status.

Slaves create a replica of the master directory when they register for the first time, and that replica
is kept up to date automatically when new users and groups are added. A list of the slaves can be
seen in the master in Users and Groups → Slave Status.

Modules that work with users, such as mail or samba, can now be installed in the slaves, and they
will use the users available in the master eBox. Some modules require some actions to be executed
when new users are added, such as samba, which needs to create the home directory. In order to do
this, the master will notify the slaves about new users and groups when they are created, giving the
slaves a chance to perform the appropriate actions.

There might be problems executing these actions in some circumstances, for example if one of the
slaves is down. In this case the master will remember that there are pending actions to be performed
and will retry periodically. The user can also check the status of the slaves in Users and Groups →
Slave Status and force a retry manually. A slave can be deleted in this section as well.

There is an important limitation in the current master/slave architecture. The master eBox cannot
have any module depending on users and groups installed, for example, samba or mail among
others. If the master has any of these modules installed, they have to be uninstalled before trying to
register a slave on it.

If at some point the mode of operation of the users and groups module needs to be changed, it
can be done by running this command:

# sudo /usr/share/ebox-usersandgroups/ebox-usersandgroups-reinstall

When executed, it will completely remove the LDAP directory, deleting all the current users and
groups, and reinstall it from scratch so it can be set up in a different mode.


Users and groups creation

A group can be created from the Users and Groups → Groups menu in the master eBox. A group
is identified by its name and can contain a description.

Through Users and Groups → Groups, the existing groups are displayed for editing or deletion.

While a group is being edited, the users belonging to the group can be chosen. Some options
of the installed eBox modules that have specific configuration for user groups can be
changed too.

The following are possible with user groups, among others:

• Provide a directory to be shared between users of a group.

• Provide permission for a printer to all users of a group.

• Create an alias for an e-mail account that redirects to all users of a group.

• Assign access permission to the different eGroupware applications for all users of a group.


The users are created from the Users and Groups → Users menu, where the following data must
be completed:

User name: Name of the user in the system, which will be the name used for identification in the
authentication processes.

First Name: User’s first name.

Last Name: User’s last name.

Comment: Additional data on the user.

Password: Password to be used by the user in the authentication processes. This info must be
provided twice to avoid misspellings in this vital data.

Group: The user can be added to a group during its creation.

From Users and Groups → Users, a list of users can be obtained, edited or deleted.

While a user is being edited, all the previous data can be changed, except for the user name. The
data regarding the installed eBox modules that have some specific configuration for users can also be
changed, as well as the list of groups to which the user belongs.


It is possible to edit a user to:

• Create an account for the Jabber server.

• Create an account for file or PDC sharing with a customized quota.

• Provide permission for the user to use a printer.

• Create an e-mail account for the user and aliases for it.

• Assign access permission to the different eGroupware applications.

• Assign a phone extension to the user.

In a master/slave setup, the basic fields of users and groups can be edited in the master, while
any further attributes pertaining to a given module installed in a slave have to be edited in that slave.

User Corner

The user data can only be modified by the eBox administrator, which does not scale when the
number of managed users becomes large. Administration tasks, such as changing a user's password,
may cause the person responsible to waste a lot of time. Hence the need for the user corner. This
corner is an eBox service that allows users to change their own data. This function must be enabled
like the other modules. The user corner listens on another port through a separate process to increase
system security.


Users can enter the user corner through:

https://<eBox_ip>:<user_corner_port>/

Once users have entered their user name and password, changes can be made to their personal
configuration. The features provided so far are:

• Change current password

• User voicemail configuration

• Configure an external personal account to fetch mail to synchronize with the user’s mailbox in
the eBox mail server.

Practical example A

Create a group in eBox called accountancy.

To do so:

1. Action: Enable the users and groups module. Enter Module status and enable the module if
it is not enabled.

Effect: The module is enabled and ready for use.


2. Action: Access Users and Groups → Groups. Add accountancy as a group. The comments
parameter is optional.

Effect: The accountancy group has been created. The changes do not have to be saved, as
any action on LDAP is instant.

Practical example B

Create the user peter and add him to the accountancy group.

To do so:

1. Action: Access Users and Groups → Users. Complete the different fields for the new user.
The user peter can be added to the accountancy group from this screen.

Effect: The user has been added to the system and to the accountancy group.

Check from the console that the user has been correctly added:

1. Action: In the console, run the command:

# id peter

Effect: The result should be something like this (the numeric ids will differ):

uid=2003(peter) gid=1901(__USERS__)
groups=1901(__USERS__),2004(accountancy)

4.2 File sharing service and remote authentication

4.2.1 File sharing

File sharing takes place through a network file system. The most widely used are NFS (Network File System), originally from Sun Microsystems and the first of them, AFS (Andrew File System) and SMB (Server Message Block), also known as CIFS (Common Internet File System).

The clients operate on files (opening, reading or writing them) as if they were stored locally, although the data may actually reside elsewhere; the location is transparent to the end user. Ideally, the client would not be able to tell whether a file is stored in the host itself or spread across the network. In practice this transparency is not complete, because of network delays and because concurrent updates to the same file have to be coordinated so that they do not interfere with one another.

4.2.2 SMB/CIFS and its Linux Samba implementation

SMB (Server Message Block) or CIFS (Common Internet File System) is used to share access to files, printers, serial ports and other forms of communication between nodes in a local network. It also offers authentication mechanisms between processes. It is mainly used among computers running Windows, but there are implementations for other operating systems such as GNU/Linux, where Samba implements the Windows protocols, originally worked out by reverse engineering 4 .

Microsoft later renamed SMB as CIFS and extended it with new features, such as symbolic and hard links and bigger file sizes, as well as the ability to run without the NetBIOS 5 layer on which SMB was based.

4.2.3 Primary Domain Controller (PDC)

A Primary Domain Controller (PDC) is the domain server of Windows NT domains, prior to Windows 2000. In this environment, a domain is a system that restricts access to a set of resources to holders of a valid username and password, so it can be used to log in to the system through remote access control. Samba can also play the PDC role within its SMB authentication support. In modern Windows versions it is simply called a Domain Controller.

4.2.4 eBox as file server

eBox uses Samba, the SMB/CIFS implementation for Linux, as file server and for authenticating Windows clients.

The file sharing services are active when the File sharing module is active, regardless whether
you are using eBox as PDC or not.

The file sharing in eBox is integrated with users and groups. As a result, each user has a personal directory and each group can have a directory shared by all its members.

4 Reverse engineering tries to figure out the communication protocols just through observation of their messages.

5 NetBIOS (Network Basic Input/Output System): API that allows communication among different computers in a local area network. Each host is identified by a NetBIOS name that is resolved to its IP address.


The personal directory for the user is automatically shared and can only be accessed by the user.

Going to Users and Groups → Groups → Edit Group a shared directory for the group can also be created. Every member of the group has access to it, being able to read all the files and write his own.

Go to File Sharing → General Settings to configure the general settings of the file sharing service. Domain is the name of the Windows workgroup or domain, whereas NetBIOS Name identifies eBox inside the Windows network. You can also give a Description of the domain. Optionally, a Quota Limit can be established. With Samba group you may restrict file sharing accounts to the members of one group instead of creating them for all users; the membership is synchronised every hour.

To add a new shared directory, go to File Sharing → Shares and click Add new.


Enabled: This option has to be marked whenever the directory needs to be shared. Unmarking the
option will cause the directory to no longer be shared, while keeping the settings.

Share name: This refers to the name of the shared directory.

Share path: A path can be created either in the eBox directory /home/samba/shares or using an
already existing directory path if File system path is chosen.

Comment: A more detailed description of the share can be provided in this field.

Access control is configured from the shares list. Click Add New to grant read, write or administration permission to a given user or group. Administration permission grants full rights over every file in the share, including those created by other users, so it should be treated as ownership of the whole share and given sparingly.

If you want deleted files to be kept in a special directory called RecycleBin, go to File Sharing → Recycle Bin and check the Enable Recycle Bin option. If you do not want it applied to all your shares you can add exceptions in the Samba shares Recycle Bin exceptions section. Some defaults of this feature, such as the name of the directory, can be modified by editing the /etc/ebox/80samba.conf file. Bear in mind that files moved to the recycle bin are still stored on disk until the bin is emptied.

Under File Sharing → Antivirus there is also a checkbox to enable or disable the check for viruses
in your shares and the possibility to add exceptions if there are shares that you don’t want to check.
Note that if you want to access the antivirus configuration for the filesharing module the samba-vscan
package must be installed in the system. The Antivirus module must be installed and enabled as well.

4.2.5 SMB/CIFS clients configuration

Files can be shared between Windows and GNU/Linux once the file sharing service is running.

Windows client

The selected domain can be found under My Network Places → Entire Network. The server host with the selected NetBIOS name will show the resources it shares.


Linux client

1. Konqueror (KDE)

When using Konqueror smb:// should be introduced in the location bar in order to see the
Windows network, where you will be able to find the specified domain.

2. Nautilus (Gnome)


When using Nautilus (Gnome) go to Places → Network → Windows Network in order to find
the specified domain and the eBox server inside.

Taking into account that the personal directories are not shown when browsing the server re-
sources, those will need to be introduced in the location bar. For example, if you need to have
access to Peter’s personal directory, you will have to introduce the following address:

smb://<ebox_ip>/peter

3. Smbclient

Besides the graphical interfaces, there is a command line client which works in a similar way to FTP clients. Smbclient allows actions such as downloading and uploading files or listing files and directories, among others. With -U the client prompts for that user's password. This could be an example of a session, first connecting to joe's personal share and then listing what the server offers:

$ smbclient -U joe //192.168.45.90/joe
> get ejemplo
> put eaea
> ls
> exit
$ smbclient -U joe -L 192.168.45.90
Domain=[eBox] OS=[Unix] Server=[Samba 3.0.14a-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        _foo            Disk
        _mafia          Disk
        hp              Printer
        br              Printer
        IPC$            IPC       IPC Service (eBox Samba Server)
        ADMIN$          IPC       IPC Service (eBox Samba Server)
        joe             Disk      Home Directories
Domain=[eBox] OS=[Unix] Server=[Samba 3.0.14a-Debian]

        Server               Comment
        ---------            -------
        DME01                PC Verificaci
        eBox-SMB3            eBox Samba Server
        WARP-T42

        Workgroup            Master
        ---------            -------
        eBox                 eBox-SMB3
        GRUPO_TRABAJO        POINT
        INICIOMS             WARHOL
        MSHOME               SHINNER
        WARP                 WARP-JIMBO

The listing includes joe's own personal share because the listing was requested as that user; other users' personal directories are not shown.

4.2.6 eBox as an authentication server

You have to go to File Sharing → General Settings and check the Enable PDC option in order to have
eBox working as an authentication server (PDC).


If the option Roaming Profiles is enabled, the PDC server stores all the user profiles. A user profile contains general information such as Windows settings, Outlook e-mail accounts or the user's documents. Every time a user logs in, the PDC server sends them their updated profile, so users can reach their profile from any computer in the domain. Take into account the size of the users' information when setting up your server, to make sure there is enough disk space for the profiles.

In addition, the Disk Letter (drive letter) for the personal directory can be redefined. When a user logs into the domain, his personal directory is automatically mapped to a drive with this letter.

Finally, you can define the password policy through File Sharing → PDC. Such a policy is often a regulatory requirement.

• Minimum Password Length

• Maximum Password Age. The password has to be changed after this period.

• Enforce Password History. Keeps a number of previous passwords so that they cannot be reused.

This policy is only applied when a password is changed from Windows: it is enforced by Windows itself when a user logs in on a machine joined to the domain. A password changed through any other channel, such as the user corner, is not checked against it.
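Because this policy is applied only by the Windows client, any other channel that sets passwords has to apply the same rules itself. As an added example, not eBox code, the three settings above implemented in Python: the policy values, the PBKDF2 iteration count and the names PasswordRecord, violations, change_password and must_change are assumptions made for this example. Previous passwords are kept as salted hashes and a candidate is re-hashed with each stored salt, so the history check never needs the old passwords in clear.

```python
import hashlib
import hmac
import os
import time

# Policy values are assumptions for the example, not eBox defaults.
POLICY = {"min_length": 8, "max_age_days": 90, "history": 5}
ITERATIONS = 20_000  # kept low so the example runs quickly; use far more in production


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordRecord:
    """What has to be stored per user to enforce the three PDC rules yourself."""

    def __init__(self):
        self.history = []      # (salt, digest) of previous passwords, oldest first
        self.changed_at = 0.0  # epoch seconds of the last successful change


def violations(record, candidate, policy=POLICY):
    """List the policy rules the candidate password breaks (empty list = OK)."""
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    # Re-derive with each stored salt: stored digests are never compared to plain text.
    for salt, digest in record.history[-policy["history"]:]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append(f"reuses one of the last {policy['history']} passwords")
            break
    return problems


def change_password(record, candidate, policy=POLICY, now=None):
    """Apply the change if it passes; return the list of violations either way."""
    problems = violations(record, candidate, policy)
    if not problems:
        salt = os.urandom(16)
        record.history.append((salt, _digest(candidate, salt)))
        record.history = record.history[-policy["history"]:]  # keep only what the policy needs
        record.changed_at = time.time() if now is None else now
    return problems


def must_change(record, policy=POLICY, now=None):
    """True once Maximum Password Age has elapsed since the last change."""
    now = time.time() if now is None else now
    return now - record.changed_at > policy["max_age_days"] * 86400


if __name__ == "__main__":
    rec = PasswordRecord()
    print(change_password(rec, "short", now=0))         # violates minimum length
    print(change_password(rec, "Winter-2009!", now=0))  # accepted
    print(change_password(rec, "Winter-2009!", now=1))  # rejected: still in history
    print(must_change(rec, now=91 * 86400))             # True: older than 90 days
```

A password change made through a channel other than Windows would call change_password and refuse the change while the returned list is not empty; must_change tells the login path whether Maximum Password Age has elapsed.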


4.2.7 PDC Client Configuration

An account with administration rights is needed to join a client to the domain; it can be given going to Users and Groups → Users → File Sharing or PDC Account. A Disk Quota for the user can also be set there.

Now go to a different machine on the same LAN (keep in mind that SMB/CIFS name resolution relies on broadcasts) running a CIFS-capable Windows (e.g., Windows XP Professional).

Click My Computer → Properties and launch the Network ID wizard. Enter the administration user name and password, together with the domain name given in the File Sharing configuration. The machine name can be the one already set, as long as it does not collide with a name already in the domain. After finishing the process, you need to reboot the client machine.

Every user can see their disk usage and quota in My PC.


4.3 Printers sharing service

In order to share a printer in our network, allowing or denying users and groups access to it, the printer must be reachable from the host running eBox. This can be done through a direct connection, i.e., with a USB 6 or parallel port, or through the local network. Besides that, to obtain good results we need to know certain information regarding the manufacturer, the model and the driver of the printer. Printers are added going to Printers → Add printer, where a wizard asks for all the necessary details.

First of all, we need to name the printer and to establish a connection method for it. The following
methods are currently supported by eBox:

Parallel port: A physical printer connected to the eBox server using parallel port.

USB: A physical printer connected to the eBox server using USB

AppSocket: A remote printer that uses the AppSocket protocol, also known as JetDirect.
6 Universal Serial Bus (USB) is a serial bus standard to connect devices to a host computer.


IPP: A remote printer that uses the Internet Printing Protocol (IPP) 7 .

LPD: A remote printer that uses the Line Printer Daemon protocol (LPD) 8 .

Samba: A remote printer shared through Samba or Windows printer sharing.

We will need to configure the connection parameters according to the selected method. For ex-
ample, if we have a network printer, we will have to set up an IP address and a listening port as the
following figure shows:

In the next four steps we will configure the printer driver that eBox needs to use in order to send
the jobs to be printed out, defining: the manufacturer, the model, the printer driver as well as other
settings.

7 Internet Printing Protocol (IPP) is a standard network protocol for remote printing as well as for managing print jobs, media size, resolution, and so forth. More information available in RFC 2910.

8 Line Printer Daemon protocol (LPD) is a protocol for printer spooling and network print serving on Unix-like systems. More information available in RFC 1179.


After these steps, the printer will be configured. Now you will be able to see not only the queued
printing jobs but also the ones in progress. In addition to that, you can also modify any of the parame-
ters already introduced in the wizard going to Printers → Manage printers.

The printers managed by eBox are accessible using the Samba protocol. You can
also enable the printing daemon CUPS in order to share the printers using IPP too.

Once the service is enabled and you have saved changes, you can give access to the resources
editing either the group or the user (Groups → Edit Group → Printers or Users → Edit User →
Printers).


4.4 Groupware Service

Groupware, also known as collaborative software, is a set of applications integrating the work of
different users in common projects. Each user can connect to the system from various working stations
on the local network or from anywhere in the world via the Internet.

Some of the most important features of groupware tools are:

• Communication between users: mail, chat rooms, etc.

• Information sharing: shared calendars, task lists, common address books, knowledge base, file
sharing, news, etc.

• Project management, resources, time management, bugtracking, etc.


There is a large number of groupware solutions available on the market. Among the Open Source alternatives, one of the most popular options is eGroupWare 9 , which is the one selected for eBox Platform to implement such an important feature in business environments.

Setting up eGroupware with eBox Platform is very simple. The goal is for the user not to need to access the traditional configuration offered in eGroupware and to manage all the settings from the eBox interface, unless some advanced customization is required. In fact, the password for the configuration of eGroupware 10 is auto-generated by eBox and the administrator should use it under her own responsibility: a wrong action there may leave the module improperly configured and in an unstable state.

4.4.1 Groupware service settings with eBox

Most of eGroupware configuration is performed automatically by enabling the module and saving the
changes. Without requiring any additional user intervention, eGroupware will be operating fully inte-
grated with the eBox directory service (LDAP). All users being added to eBox from that moment on will
be able to log in eGroupware without requiring any other action.

In addition, we can integrate the webmail service provided by eGroupware with eBox mail module.
For this the only action required is to select a pre-existing virtual domain and to enable the IMAP
service, allowing for the reception of mail. This is done by the eBox installer automatically if you select
ebox-egroupware to install. Instructions for creating a mail domain and configuring the IMAP service
are fully explained in chapter Electronic Mail Service (SMTP/POP3-IMAP4).

For the domain selection used by eGroupware, you should access the Groupware → Virtual Mail
Domain tab. The interface is shown in the following image. It is only needed to select the desired
domain and click the button Change. Although, as usual, this action does not take effect until the
button Save Changes is pressed.
9 eGroupware: An enterprise ready groupware software for your network http://www.egroupware.org

10 Note for eGroupware advanced users: The password is stored in the file /var/lib/ebox/conf/ebox-egroupware.passwd and the usernames are admin and ebox for header and domain configuration respectively.


In order for users to be able to use the mail service they will need to have their own accounts
created on it. The image below (Users and Groups → Users) shows that during the configuration of
eGroupware a notice is displayed indicating the name of the mail account that should be used from
eGroupware.

eGroupware consists of several applications; in eBox you can edit access permissions to these
applications for each user assigning a permission template, as shown in the image above. There is a
default permission template but you can define other ad-hoc ones.

The default permission template is useful for configuring most of the users of the system with the
same permissions, so that when a new user is created permissions will be assigned automatically.

To edit the default template go to the Groupware → Default Applications tab, as shown in the
image.


For small groups of users such as administrators, you can define a custom permission template
and apply it manually for these users.

To define a new template go to Groupware → User Defined Permission Templates in the menu
and click on Add New. Once the name is entered it will appear on the table and you can edit the
applications by clicking on Allowed Applications, in a similar way as with the default template.

Be aware that if you modify the default permission template, changes will only be applied to users
that are created from that moment on. They will not be applied retroactively to users previously created.
The same applies to the user-defined templates: if there were any users with that template applied on
their configuration you should edit that user’s properties and apply the same template again once it
has been modified.


Finally, once you have configured everything, you can access eGroupWare through the address
http://<ebox_ip>/egroupware using the username and password defined in the eBox interface.

eGroupware management is beyond the scope of this manual. For any question, you should check
the official eGroupware user manual. It is available on-line in the official website and it is also linked
from within the application once you are inside.

Practical example

Enable the Groupware module and check its integration with the mail.

1. Action: Access eBox, go to Module Status and activate module Groupware, checking the box
in the column Status. You will be informed eGroupware configuration is about to change.
Allow the operation by pressing the button Accept. Make sure you have previously en-
abled the modules on which it depends (Mail, Webserver, Users, ...).

Effect: The button Save Changes is activated.

2. Action: Set up a virtual mail domain as shown in the example Practice example. In this ex-
ample a user is added with her corresponding email account. Steps related to objects or
forwarding policies in the example are not necessary. Follow the steps just until the point
in which the user is added.

Effect: The new user has a valid mail account.

3. Action: Access the Mail → General menu and in the Mail Server Options tab check the box IMAP Service Enabled and click Change.

Effect: The change is saved temporarily but it will not be effective until changes are
saved.

4. Action: Access the Groupware menu and in the Virtual Mail Domain tab select the previously created domain and click Change.


Effect: The change is saved temporarily but it will not be effective until changes are
saved.

5. Action: Save changes.

Effect: eBox shows the progress while applying the changes and informs when it is done.

From now on eGroupware is configured correctly to be integrated with your IMAP server.

6. Action: Access the eGroupware interface (http://<ebox_ip>/egroupware) with the user you cre-
ated earlier. Access the eGroupware mail application and send an email to your own
address.

Effect: You will receive in your inbox the email you just sent.

Chapter 5

eBox Unified Communications

In this section we will see the different communication methods for sharing information that are cen-
tralized in eBox and are all accessible using the same username and password.

First, the mail service is explained. It allows a quick and easy integration with the preferred mail
client of the users of the network, offering also the latest techniques available to prevent spam.

Second, the instant messaging service through the Jabber / XMPP protocol. It provides an internal
IM service without having to rely on external companies or an Internet connection. It also offers con-
ference rooms and can be used with any of the many clients available. It allows faster communication
in the cases where the mail is not enough.

Finally, we will see an introduction to voice over IP, which enables each person to have an extension
to make calls or participate in conferences easily. Additionally, with an external provider, eBox can be
configured to connect to the traditional telephone network.

5.1 Electronic Mail Service (SMTP/POP3-IMAP4)

The electronic mail service is a store and forward 1 method to compose, send, store and receive messages over electronic communication systems.


Figure 5.1: Diagram where Alice sends an email to Bob

5.1.1 How electronic mail works through the Internet

The diagram depicts a typical event sequence that takes place when Alice writes a message to Bob
using her Mail User Agent (MUA).

1. Her MUA formats the message in email format and uses the Simple Mail Transfer Protocol
(SMTP) to send the message to the local Mail Transfer Agent (MTA).

2. The MTA looks at the destination address provided in the SMTP (not from the message header),
in this case bob@b.org, and resolves a domain name to determine the fully qualified domain
name of the destination mail exchanger server (MX record that was explained in the DNS sec-
tion).

3. smtp.a.org sends the message to mx.b.org using SMTP, which delivers it to the mailbox of the
user bob.

4. Bob receives the message through his MUA, which picks up the message using the Post Office Protocol (POP3).

There are many alternative possibilities and complications to the previous email system sequence.
For instance, Bob may pick up his email in many ways, for example using the Internet Message Access
Protocol (IMAP), by logging into mx.b.org and reading it directly, or by using a Webmail service.
1 Store and forward: Telecommunication technique in which information is sent to an intermediate station where it is kept and sent at a later time to the final destination or to another intermediate station.


The sending and reception of emails between mail servers is done through SMTP but the users
pick up their email using POP3, IMAP or their secure versions (POP3S and IMAPS). Using these
protocols provides interoperability among different servers and email clients. There are also proprietary
protocols such as the ones used by Microsoft Exchange and IBM Lotus Notes.

POP3 vs. IMAP

The POP3 design to retrieve email messages is useful for slow connections, allowing users to pick up
all their email all at once to see and manage it without being connected. These messages are usually
removed from the user mailbox in the server, although most MUAs allow to keep them on the server.

The more modern IMAP allows you to work on-line or off-line as well as to explicitly manage the messages stored on the server. Additionally, it supports simultaneous access by multiple clients to the same mailbox and partial retrieval of MIME messages, among other advantages. However, it is a considerably more complex protocol and places more load on the server than POP3, which leaves most of the work to the client side. The main advantages over POP3 are:

• Connected and disconnected modes of operation.

• Multiple clients simultaneously connected to the same mailbox.

• Access to MIME message parts and partial fetching.

• Message state information using flags (read, removed, replied, ...).

• Multiple mailboxes on the server (usually presented to the user as folders) allowing to make
some of them public.

• Server-side searches

• Built-in extension mechanism

Both POP3 and IMAP have secure versions, called respectively POP3S and IMAPS. The difference from the plain versions is that they run over TLS, so neither the user's credentials nor the content of the messages can be eavesdropped in transit.


5.1.2 SMTP/POP3-IMAP4 server configuration with eBox

Setting up an email system service requires configuring an MTA to send and receive emails as well as IMAP and/or POP3 servers to allow users to retrieve their mail.

To send and receive emails Postfix 2 acts as SMTP server. The email retrieval service (POP3, IMAP4) is provided by Dovecot 3 . Both servers support secure communication using SSL/TLS.

5.1.3 Receiving and relaying mail

In order to understand the mail system configuration, a distinction must be made between receiving mail and relaying mail.

Reception is when the server accepts a mail message whose recipients contain an account that belongs to any of its virtual mail domains. Mail can be received from any client able to connect to the server.

On the other hand, relay is done when the mail server receives a message whose recipients do not belong to any of its managed virtual mail domains, thus requiring the message to be forwarded to another server. Mail relay must be restricted, otherwise spammers could use the server to send spam over the Internet (an open relay).

eBox allows mail relay in two cases:

1. the client has authenticated as a user

2. the client's source address belongs to a network object which has an allowed relay policy
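The following added example, which is not eBox or Postfix code, puts the reception/relay distinction and the envelope-versus-header point from the previous section into a runnable form: a tiny SMTP server implementing the two relay rules above, driven by Python's smtplib as the client. The domain a.org, the account alice@a.org, the network object 10.0.0.0/24 and the names rcpt_decision and run_scenario are assumptions constructed for the example; the server implements only the commands the demonstration needs.

```python
import base64
import hmac
import smtplib
import socketserver
import threading
from email import message_from_string
from email.message import EmailMessage
from ipaddress import ip_address, ip_network

# Constructed configuration for the example (assumptions, not real eBox data).
LOCAL_DOMAINS = {"a.org"}                     # virtual mail domains we receive for
RELAY_NETWORKS = [ip_network("10.0.0.0/24")]  # network object with an allowed relay policy
USERS = {"alice@a.org": "s3cret"}             # real accounts; an alias cannot authenticate


def rcpt_decision(rcpt, client_ip, authenticated):
    """Reply to one RCPT TO: receive for our own domains, relay only if allowed."""
    if rcpt.rpartition("@")[2].lower() in LOCAL_DOMAINS:
        return 250, "2.1.5 Ok, local delivery"
    if authenticated or any(ip_address(client_ip) in net for net in RELAY_NETWORKS):
        return 250, "2.1.5 Ok, relay permitted"
    return 554, "5.7.1 Relay access denied"


class PolicyHandler(socketserver.StreamRequestHandler):  # minimal SMTP + AUTH PLAIN server
    def reply(self, code, text):
        self.wfile.write(f"{code} {text}\r\n".encode())

    def handle(self):
        authenticated, sender, rcpts = False, None, []
        self.reply(220, "mx.a.org ESMTP example")
        while raw := self.rfile.readline():
            verb, _, arg = raw.decode("latin-1").rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self.wfile.write(b"250-mx.a.org\r\n250 AUTH PLAIN\r\n")
            elif verb == "AUTH":  # AUTH PLAIN base64("\0user\0password")
                parts = base64.b64decode(arg.partition(" ")[2]).split(b"\0")
                expected = USERS.get(parts[-2].decode("latin-1"), "").encode()
                authenticated = bool(expected) and hmac.compare_digest(parts[-1], expected)
                code, text = ((235, "2.7.0 Authentication successful") if authenticated
                              else (535, "5.7.8 Authentication credentials invalid"))
                self.reply(code, text)
            elif verb == "MAIL":
                sender, rcpts = arg.partition(":")[2].strip("<>"), []
                self.reply(250, "2.1.0 Ok")
            elif verb == "RCPT":
                rcpt = arg.partition(":")[2].strip("<>")
                code, text = rcpt_decision(rcpt, self.client_address[0], authenticated)
                if code == 250:
                    rcpts.append(rcpt)
                self.reply(code, text)
            elif verb == "DATA":
                self.reply(354, "End data with <CR><LF>.<CR><LF>")
                body = b""
                while (line := self.rfile.readline()) not in (b".\r\n", b""):
                    body += line
                # Delivery follows the envelope (RCPT TO), never the To: header.
                self.server.delivered.append((sender, tuple(rcpts), body.decode("latin-1")))
                self.reply(250, "2.0.0 Ok, queued")
            elif verb == "QUIT":
                self.reply(221, "2.0.0 Bye")
                return
            else:
                self.reply(502, "5.5.2 Command not implemented")


def run_scenario():
    """Drive the server with smtplib; return what client and server observed."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), PolicyHandler)  # any free port
    server.delivered = []  # (envelope sender, envelope recipients, raw message)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    msg = EmailMessage()
    msg["From"], msg["To"] = "alice@a.org", "carol@c.org"  # header To: is not the envelope
    seen = {}
    try:
        # 1) Unauthenticated from 127.0.0.1 (no relay policy): a.org received, b.org refused.
        with smtplib.SMTP(host, port, local_hostname="client.example") as c:
            refused = c.send_message(msg, "alice@a.org", ["alice@a.org", "bob@b.org"])
            seen["unauth_refused"] = {addr: code for addr, (code, _) in refused.items()}
        # 2) The same relay is accepted once the real account authenticates.
        with smtplib.SMTP(host, port, local_hostname="client.example") as c:
            c.login("alice@a.org", "s3cret")
            seen["auth_refused"] = c.send_message(msg, "alice@a.org", ["bob@b.org"])
        # 3) A wrong password does not open the relay.
        with smtplib.SMTP(host, port, local_hostname="client.example") as c:
            try:
                c.login("alice@a.org", "wrong")
            except smtplib.SMTPAuthenticationError:
                seen["bad_login"] = "rejected"
    finally:
        server.shutdown()
        server.server_close()
    seen["delivered_to"] = [rcpts for _, rcpts, _ in server.delivered]
    # The first message reached alice although its To: header names carol.
    seen["first_header_to"] = message_from_string(server.delivered[0][2])["To"]
    return seen
```

Calling run_scenario() returns a dictionary with the refused recipients of each attempt, the envelope recipients the server actually delivered to, and the To: header of the first message, which shows that delivery was decided by RCPT TO and not by the header. The same three checks (unauthenticated relay refused, authenticated relay accepted, wrong password refused) are what you would run with a real client against the eBox server after saving the relay configuration.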

General configuration

Through Mail → General → Mail server options → Authentication, you can manage the authentication
options. The following options are available:

TLS for SMTP server: Force the clients to connect to the mail server using TLS encryption, thus
avoiding eavesdropping.

Require authentication: This setting enables the authentication usage. A user must use his email
address and his password to identify himself, authenticated users can relay mail through the
server. An account alias cannot be used to authenticate.
2 Postfix: The Postfix Home Page http://www.postfix.org

3 Dovecot: Secure IMAP and POP3 Server http://www.dovecot.org


In the Mail → General → Mail server options → Options section you may configure the general
settings for the mail service:

Smarthost to send mail: Domain name or IP address of the smarthost. You could also specify a port appending the text :[port_number] after the address. The default port is the standard SMTP port, 25.

If this option is set eBox will not deliver outgoing messages directly: every message to be sent is handed over to the smarthost without keeping a copy. In this case, eBox is an intermediary between the user who sends the email and the server which actually delivers it.

Smarthost authentication: Whether the smarthost requires authentication using a user and password pair or not.


Server mailname: This sets the visible mail name of the system, it will be used by the mail server as
the local address of the system.

Postmaster address: The postmaster address by default is aliased to the root system user but it
could be set to any account, belonging to any of managed virtual mail domains or not.

This account is intended to be a standard way to reach the administrator of the mail server.
Automatically-generated notification mails will typically use postmaster as reply address.

Maximum mailbox size allowed: Using this option you could indicate a maximum size in MB for any
user mailboxes. All mail which surpasses the limit will be rejected and the sender will be emailed
a notification. This setting could be overridden for any user in the Users and Groups → Users
page.

Maximum message size accepted: Indicates, if necessary, the maximum size in MB of a message accepted by the mail server. This is enforced regardless of any mailbox size limit.

Expiration period for deleted mails: If you enable this option those mail messages which are in the
users’ trash folder will be deleted when their dates passes the day limit.

Expiration period for spam mails: This option applies the same way as above option but regarding
to the users’ spam folder.

In order to configure the mail retrieval services go to the Mail retrieval services section. There
eBox may be configured as POP3 and/or IMAP server, their secure versions POP3S and IMAPS
are available too. Also the retrieve email for external accounts and ManageSieve services could be
enabled in this section, we will discuss those services in Mail retrieval from external accounts section.

In addition to this, eBox may be configured to relay mail without authentication from some network
addresses. To do so, you can add relay policies for network objects through Mail → General → Relay
policy for network objects. The policies are based on the source mail client IP address. If the relay is
allowed from an object, then each object member may relay emails through eBox.


Warning: Be careful when using an Open Relay policy, i.e., forwarding email from everywhere,
since your mail server will probably become a spam source.

Finally, the mail server may be configured to pass its messages through a content filter 4 . To do so, the filter server must receive the messages on a fixed port and send the result back to another established port where the mail server listens for the response. Through Mail → General → Mail filter options, you may choose a custom server or eBox itself as mail filter.

4 In the Mail Filter section this topic is explained in depth.


Email account creation through virtual domains

In order to set up an email account with a mailbox, a virtual domain and a user are required. From
Mail → Virtual Mail Domains, you may create as many virtual domains as you want. They provide the
domain name for email accounts for eBox users. Moreover, it is possible to set aliases for a virtual
domain. It does not make any difference to send an email to one virtual domain or any of its aliases.

In order to set up email accounts, you have to follow the same rules applied configuring any other
user-based service . From Users and Groups → Users → Edit Users → Create mail account. You
select the main virtual domain for the user there. If you want to establish to the user more than a single
email address, you can create aliases. Behind the scenes, the email messages are kept just once in
a mailbox. However, it is not possible to use the alias to authenticate, you always have to use the real
account.

Note that you can decide whether an email account should be created by default when a new user
is added or not. You can change this behaviour in Users and Groups → Default User Template →
Mail Account.

Likewise, you may set up aliases for user groups. Messages received by these aliases are sent
to every user of the group which has an email account. Group aliases are created through Users and
Groups → Groups → Create alias mail account to group. The group aliases are only available when,
at least, one user of the group has an email account.


You may also define aliases for external accounts. Mail sent to such an alias is forwarded to the
external account. Aliases of this kind are set per virtual domain, do not require any email account and
are configured in Mail → Virtual Domains → External accounts aliases.

Queue Management

From Mail → Queue Management, you can see the email messages that have not yet been delivered,
together with all the information about them. The allowed actions are deletion, content viewing and
retrying delivery (re-queuing the message). There are also two buttons to delete or re-queue all the
messages in the queue.

Mail retrieval from external accounts

You can configure eBox to retrieve email messages from external accounts, stored on external
servers, and deliver them to the users' mailboxes. To configure this, enable the service in Mail →
General → Mail server options → Retrieval services. Once it is enabled, users will have their mail
fetched from their external accounts and delivered to the mailbox of their internal account. Each user
can configure his external accounts through the user corner 5 . The user must have an email account
to be able to do this. The external servers are polled periodically, so email retrieval is not
instantaneous.

To configure his external accounts, a user has to log in to the user corner and click Mail retrieval
from external mail accounts in the left menu. This page shows the list of the user's external accounts,
where the user can add, edit and delete accounts. Each account has the following fields:

External account: The user name or mail address required to log in to the external mail retrieval
service.

Password: Password to authenticate the external account.


5. The user corner configuration is explained in the User Corner section.


Mail server: Address of the mail server which hosts the external account.

Protocol: Mail retrieval protocol used by the external account, it may be one of the following: POP3,
POP3S, IMAP or IMAPS.

Port: Port used to connect to the external mail server.

For retrieving external emails, eBox uses the Fetchmail 6 software.

Sieve scripts and ManageSieve protocol

The Sieve language 7 allows users to control how their mail messages are delivered: among other
things, messages can be filed into IMAP folders, forwarded, or answered with a vacation message.

ManageSieve is a network protocol that allows users to easily manage their Sieve scripts. To be able
to use ManageSieve, an email client that understands this protocol 8 is required.

To enable ManageSieve in eBox, turn on the service in Mail → General → Mail server options →
Retrieval services; it can then be used by every user with an email account. In addition, if ManageSieve
is enabled and the webmail module 9 is in use, a management interface for Sieve scripts is available
in the webmail interface.

ManageSieve authentication uses the user's email account and its password.

The Sieve scripts of an account are executed regardless of whether the ManageSieve option is enabled.
6. Fetchmail: The Fetchmail Home Page, http://fetchmail.berlios.de/ .
7. For more information, see http://sieve.info/ .
8. A list of clients is available at http://sieve.info/clients .
9. The webmail module is explained in the WebMail service section.


Email client configuration

Unless users access their email only through the webmail or the eGroupware webmail application,
they will want to configure their email clients to use eBox's mail server. The values of the required
parameters depend on the exact configuration of the module.

Note that different email clients may use other names for these parameters; given the great number
of clients available, this section is only a guideline.

5.1.4 SMTP parameters

SMTP server: Enter the address of your eBox server. It can be either an IP address or a domain
name.

SMTP port: 25; if you are using TLS, you can use port 465 instead.

Secure connection: Select TLS if you have enabled TLS for SMTP server, otherwise select none.
If you are using TLS, please read the warning below about SSL/TLS.

SMTP username: Use this if you have enabled Require authentication. Use the user's full email
address as the username; do not use the user name or any of his mail aliases.

SMTP password: The user's password.

5.1.5 POP3 parameters

POP3 settings can only be used when the POP3 or POP3S service is enabled in eBox.

POP3 server: Enter your eBox address, as in the SMTP parameters section above.

POP3 port: 110, or 995 if you are using POP3S.

Secure connection: Select SSL if you are using POP3S, otherwise none. If you are using POP3S,
please read the warning below about SSL/TLS.

POP3 username: Full email address; as above, avoid the user name or any of his email aliases.

POP3 password: The user's password.


5.1.6 IMAP parameters

IMAP configuration can only be used if the IMAP or IMAPS service is enabled. As you will see, the
parameters are almost identical to the POP3 parameters.

IMAP server: Enter your eBox address, as in the SMTP parameters section above.

IMAP port: 443 or 993 if you are using IMAPS.

Secure connection: Select SSL if you are using IMAPS, otherwise none. If you are using IMAPS,
please read the warning below about SSL/TLS.

IMAP username: Full email address; as above, avoid the user name or any of his email aliases.

IMAP password: The user's password.

Warning: In client implementations there is some confusion about the use of the SSL and TLS
labels. Some clients use SSL to mean that they will connect with TLS; others use TLS to mean
that they will connect to the secure service through the port normally used by the plain version
of the protocol. In practice, in some clients you will need to try both the SSL and TLS modes to
find out which one works. There is more information about this issue on this page of Dovecot's
wiki: http://wiki.dovecot.org/SSL .

5.1.7 ManageSieve client parameters

To connect to ManageSieve, you will need the following parameters:

Sieve server: The same as your IMAP or POP server.

Port: 4190; be warned that some applications mistakenly use port 2000 as the default for
ManageSieve.

Secure connection: Set to true.

Username: Full mail address; as above, avoid the user name or any of his email aliases.

Password: The user's password. Some clients allow you to reuse the authentication of your IMAP
or POP3 account; if this is allowed, select it.


Catch-all account

A catch-all account is one that receives a copy of all the mail sent and received by a mail domain.
eBox allows you to define a catch-all account for every virtual domain; to define it, go to Mail →
Virtual Mail Domains and click the Settings cell.
All the messages sent and received by the domain are emailed as a Blind Carbon Copy (BCC) to
the defined address. If the mail to the catch-all address bounces, it is returned to the sender.

Practice example

Set up a virtual domain for the mail service. Create a user account and a mail account within the
domain for that user. Configure the relay policy to send email messages. Send a test email message
with the new account to an external mail account.

1. Action: Log into eBox, access Module status and enable Mail by checking its checkbox in the
Status column. Enable Network and Users and Groups first if they are not already enabled.

Effect: eBox requests permission to overwrite certain files.

2. Action: Read the changes of each of the files to be modified and grant eBox permission to
overwrite them.

Effect: The Save changes button has been enabled.

3. Action: Go to Mail → Virtual Mail Domains and click Add new to create a new domain. Enter
the name in the appropriate field.

Effect: eBox notifies you that you must save changes to use this virtual domain.

4. Action: Save the changes.

Effect: eBox displays the progress while the changes are being applied. Once this is com-
pleted, you will be notified.

Now you may use the newly created virtual mail domain.

5. Action: Enter Users and Groups → Users → Add User, fill in the user data and click the
Create and Edit button.

Effect: The user is added immediately, without saving changes. The edit screen is displayed
for the newly created user.


6. Action: (This action is only required if you have disabled the automatic creation of email accounts
in Users and Groups → Default User Template → Mail Account). Enter a name for the user's
mail account in Create mail account and create it.

Effect: The account is added immediately, and options to delete it or add aliases to it are
shown.

7. Action: Enter the Object → Add new menu. Fill in a name for the object and press Add. Click
on Members in the created object. Fill in a name for the member and the IP address of the host
the mail will be sent from.

Effect: The object has been added temporarily and you may use it in other eBox sections, but
it is not persistent until you save changes.

8. Action: Enter Mail → General → Relay policy for network objects. Select the previously
created object making sure Allow relay is checked and add it.

Effect: The Save changes button has been enabled.

9. Action: Save the changes

Effect: A relay policy for that object has been added, which makes it possible to send e-mails
to the outside from that object.

10. Action: Configure your MUA of choice to use eBox as SMTP server and send a test email
message from the new account to an external one.

Effect: After a short while you should receive the message in your external account's mailbox.

11. Action: Verify, using the mail server log file /var/log/mail.log, that the email message was
delivered correctly.
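Step 11 asks you to confirm delivery in /var/log/mail.log. The script below is an added example written for this guide, not eBox's own tooling. It assumes that the log is in Postfix syslog format (the guide only names the file, so this is an assumption) and groups the lines of each message by queue id, so that you can confirm the test message reached the external relay, list the connections the relay policy refused before queueing, and spot submissions whose authenticated login does not match the envelope sender. Every log line, host, address and queue id in it is constructed.

```python
"""Verify delivery of a test message from a Postfix-format /var/log/mail.log.

Added example for this guide, not eBox's own code.  It assumes the Postfix
syslog format; the sample lines, hosts, addresses and queue ids are constructed.
"""
import re

# Constructed sample of /var/log/mail.log (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:15:01 ebox postfix/smtpd[2123]: connect from pc1.example.lan[192.168.1.50]
Mar  3 10:15:01 ebox postfix/smtpd[2123]: 3F2A1B0C9D: client=pc1.example.lan[192.168.1.50], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:15:01 ebox postfix/cleanup[2127]: 3F2A1B0C9D: message-id=<20100303101501.1@example.com>
Mar  3 10:15:01 ebox postfix/qmgr[1980]: 3F2A1B0C9D: from=<alice@example.com>, size=512, nrcpt=1 (queue active)
Mar  3 10:15:02 ebox postfix/smtp[2130]: 3F2A1B0C9D: to=<bob@example.org>, relay=mx.example.org[203.0.113.25]:25, delay=1.1, delays=0.1/0.01/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 8A7B6)
Mar  3 10:15:02 ebox postfix/qmgr[1980]: 3F2A1B0C9D: removed
Mar  3 10:16:10 ebox postfix/smtpd[2123]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <unknown[198.51.100.7]>: Client host rejected: Access denied; from=<x@example.net> to=<alice@example.com> proto=ESMTP helo=<mail.example.net>
Mar  3 10:17:00 ebox postfix/qmgr[1980]: 7C1D2E3F4A: from=<alice@example.com>, size=498, nrcpt=1 (queue active)
Mar  3 10:17:30 ebox postfix/smtp[2131]: 7C1D2E3F4A: to=<carol@nowhere.invalid>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=nowhere.invalid type=MX: Host not found, try again)
Mar  3 10:18:00 ebox postfix/smtpd[2123]: 9B8C7D6E5F: client=pc2.example.lan[192.168.1.51], sasl_method=LOGIN, sasl_username=dave@example.com
Mar  3 10:18:00 ebox postfix/qmgr[1980]: 9B8C7D6E5F: from=<ceo@example.com>, size=700, nrcpt=1 (queue active)
"""

# "Mon DD hh:mm:ss host postfix/<program>[pid]: <body>"
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ "
    r"postfix/[\w-]+\[\d+\]: (?P<body>.*)$"
)
# Lines about a queued message start with its queue id.
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")


def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_mail_log(text):
    """Group the per-message log lines by queue id.

    Returns (messages, rejects): messages maps queue id -> envelope sender,
    SASL login used for submission, one entry per delivery attempt and whether
    the message left the queue; rejects lists connections refused before
    queueing (NOQUEUE), for example by the relay policy.
    """
    messages, rejects = {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a Postfix line
        body = m.group("body")
        if body.startswith("NOQUEUE: reject:"):
            rejects.append({"client": _field(r"RCPT from (\S+):", body),
                            "from": _field(r"from=<([^>]*)>", body),
                            "to": _field(r" to=<([^>]*)>", body)})
            continue
        q = QID_RE.match(body)
        if not q:
            continue  # connect/disconnect lines carry no queue id
        qid, rest = q.group("qid"), q.group("rest")
        rec = messages.setdefault(qid, {"from": None, "sasl_username": None,
                                        "recipients": [], "removed": False})
        if rest == "removed":
            rec["removed"] = True
            continue
        rec["sasl_username"] = _field(r"sasl_username=(\S+)", rest) or rec["sasl_username"]
        rec["from"] = _field(r"from=<([^>]*)>", rest) or rec["from"]
        status = _field(r"status=(\w+)", rest)
        if status:  # one delivery attempt: sent, deferred or bounced
            rec["recipients"].append({
                "to": _field(r"to=<([^>]*)>", rest),
                "status": status,
                "dsn": _field(r"dsn=([\d.]+)", rest),
                "relay": _field(r"relay=([^,]+)", rest),
                "detail": _field(r"status=\w+ \((.*)\)$", rest) or "",
            })
    return messages, rejects


def delivery_status(text, sender, recipient):
    """(status, dsn, relay) of the last delivery attempt from sender to
    recipient, or None if the log never records that message."""
    messages, _ = parse_mail_log(text)
    result = None
    for rec in messages.values():
        if rec["from"] != sender:
            continue
        for attempt in rec["recipients"]:
            if attempt["to"] == recipient:
                result = (attempt["status"], attempt["dsn"], attempt["relay"])
    return result


def sender_mismatches(text):
    """Queue ids submitted with an authenticated login that differs from the
    envelope sender.  Clients are told to authenticate with their full email
    address, so a mismatch deserves a look (internal sender spoofing)."""
    messages, _ = parse_mail_log(text)
    return sorted(qid for qid, rec in messages.items()
                  if rec["sasl_username"] and rec["from"]
                  and rec["sasl_username"].lower() != rec["from"].lower())
```

To run it against the real file, pass `open("/var/log/mail.log").read()` instead of `SAMPLE_LOG`; a `deferred` status with `relay=none` and a `4.4.3` DSN, as in the constructed second message, points at name resolution rather than at the relay policy.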

5.2 WebMail service

The webmail service allows users to read and send mail through a web interface provided by the mail
server itself.

Its main advantages are that the user needs no client configuration and that it is easily accessible
from any web browser that can reach the server. Its downsides are that the user experience is poorer
than with most dedicated email software and that web access to the server must be allowed. It also
increases the server workload, because rendering the mail messages is done by the server, a job that
traditional email software does on the client.


eBox uses Roundcube to implement this service 10 .

5.2.1 Configuring a webmail in eBox

The webmail service is enabled like any other eBox service. However, it requires the mail module to be
configured to use IMAP, IMAPS or both, and the webserver module 11 to be enabled. If this is not the
case, webmail will refuse to enable itself.

Webmail options

You can access the options by clicking the Webmail section in the left menu. You may set the title
the webmail will use to identify itself; this title is shown in the login screen and in the HTML page
titles.

Login into the webmail

To log into the webmail, HTTP traffic from the source address used must first be allowed by the firewall.
The webmail login screen is available in the browser at http://[eBox's address]/webmail. The user then
has to enter his email address and his password. He has to use his real email address; an alias will
not work.
10. Roundcube webmail http://roundcube.net/
11. The mail configuration in eBox is explained in depth in the Electronic Mail Service (SMTP/POP3-IMAP4) section, and the webserver module in the Web data publication service (HTTP) section.


SIEVE filters

The webmail software also includes an interface to manage SIEVE filters. It is only available if the
ManageSIEVE protocol is enabled in the mail service 12 .

5.3 Instant Messaging (IM) Service (Jabber/XMPP)

Instant messaging (IM) applications manage a list of people with whom one wishes to stay in touch
by exchanging messages. They turn the asynchronous communication provided by email into
synchronous communication in which the participants talk in real time.

Besides the basic conversation, IM has other benefits such as:

• Chat rooms.

• File transfer.

• Status updates (e.g.: you are busy, on the phone, away or idle).

• Shared whiteboard to view and show drawings with contacts.

• Simultaneous connection from devices with different priorities (e.g.: from the mobile and the
computer, giving preference to one of them for receiving messages).

Nowadays there are many instant messaging protocols, such as ICQ, AIM, MSN or Yahoo! Messenger,
whose operation is essentially proprietary and centralized.

However, Jabber/XMPP is a set of protocols and technologies that enable the development of
distributed messaging. These protocols are public, open, flexible, extensible, distributed and secure.
12. See the Sieve scripts and ManageSieve protocol section for more information.


Moreover, although Jabber/XMPP is still in the process of becoming an international standard, it has
been adopted by Cisco and Google (for its Google Talk messaging service), among others.

eBox uses Jabber/XMPP as its IM protocol, integrating its users with Jabber accounts. The jabberd2 13
XMPP server is used for the eBox Jabber/XMPP service.

5.3.1 Configuring a Jabber/XMPP server with eBox

To configure the Jabber/XMPP server in eBox, first check in Module Status if the Users and Groups
module is enabled, as Jabber depends on it. Then, mark the Jabber checkbox to enable the Jab-
ber/XMPP eBox module.

Figure 5.2: Jabber General Configuration

To configure the service, go to Jabber in the left menu and set the following parameters:

Domain Name: The domain name of the server. User accounts will be user@domain.

Tip: the domain should have an entry in the DNS server so that clients can resolve it.

Connect to other servers: Check this box to allow your users to contact users on external servers,
and vice versa. If you want a private server for your internal network, leave it unchecked.
13. jabberd2 - XMPP server <http://jabberd2.xiaoka.com/>.


Enable Multi User Chat (MUC): Enables conference rooms (chat for more than two users).

Tip: the conference rooms live under the domain conference.domain, which, like the Domain
Name, should have an entry in the DNS server so that clients can resolve it too.

SSL Support: Specifies whether the communication with the server (authentication and chat
messages) is encrypted or in plaintext. You can disable it, make it mandatory or leave it optional.
If you set it to optional, the choice is made by the Jabber client.

To create a Jabber/XMPP user account, go to Users → Add User if you want to create a new user
account, or to Users → Edit User if you just want to enable the Jabber account for an already existing
user account.

Figure 5.3: Setting up a Jabber account

As you can see, a section called Jabber Account appears, where you can select whether the
account is enabled or disabled. Moreover, you can specify whether the user has administrator
privileges. Administrator privileges allow seeing which users are connected to the server, sending
them messages, setting the message displayed on connection (MOTD, Message Of The Day) and
sending a notice to all connected users (broadcast).

5.3.2 Setting up a Jabber client

To illustrate the configuration of a Jabber client, we will use Pidgin and Psi, but if you use another
client, the next steps should be very similar.


Pidgin

Pidgin 14 is a multi-protocol client that can manage multiple accounts at the same time. In addition
to Jabber/XMPP, Pidgin supports many other protocols, such as IRC, ICQ, AIM, MSN and Yahoo!.

Pidgin was included by default in the Ubuntu desktop edition until Karmic, and it is still the most
popular IM client. You can find it in the menu Internet → Pidgin Internet Messenger. When starting
Pidgin, if you do not have any account configured yet, the window to manage accounts appears, as
shown in the picture.

From this window, you can add new accounts, modify and delete existing accounts.

Clicking on Add, two tabs with the basic and advanced configuration will appear.

For the Basic configuration of your Jabber account, start by selecting the XMPP protocol. The
Username and Password must be the same as those of the Jabber-enabled user account on eBox. The
Domain must be the same as the one set up in the Jabber/XMPP eBox module configuration. Optionally,
in the Local alias field, write the name you want to show to your contacts.
14. Pidgin, the universal chat client <http://www.pidgin.im/>.


On the Advanced tab we can configure the SSL/TLS settings. By default Require SSL/TLS is
checked, so if we disabled SSL Support on eBox we must uncheck it and check Allow plaintext
auth over unencrypted streams.


If we didn’t change the default SSL certificate a warning will be raised asking whether we want to
accept it.


Psi

Psi 15 is a Jabber/XMPP client that can manage multiple accounts at the same time. Fast and
lightweight, Psi is fully open source and compatible with Windows, Linux and Mac OS X.

When starting Psi, if you do not have any account configured yet, a window appears asking whether
to use an existing account or register a new one, as shown in the picture. We will select Use existing
account.

On the Account tab we set up the basic configuration, such as the Jabber ID or JID, which is
user@domain, and the Password. The user and password must be the same as those of the
Jabber-enabled user account on eBox. The domain must be the same as the one set up in the
Jabber/XMPP eBox module configuration.

15. Psi, The Cross-Platform Jabber/XMPP Client For Power Users <http://psi-im.org/>.


On the Connection tab we find the SSL/TLS settings among other advanced configuration. By
default Encrypt connection: When available is selected. If we disabled SSL Support on eBox, we
must change Allow plaintext authentication to Always.

If we didn’t change the default SSL certificate a warning will be raised asking whether we want to
accept it. To avoid this message check Ignore SSL warnings on the Connection tab from last step.

The first time we connect the client will raise a harmless error because we haven’t published our
personal information on the server yet.


Optionally we can publish some information about ourselves here.

Once published, this error won’t appear again.

5.3.3 Setting up Jabber MUC (Multi User Chat) rooms

Jabber MUC, or Multi User Chat, is a service that allows multiple users to exchange messages in the
context of a room. Features such as room topics, invitations, the ability to kick and ban users, requiring
a password to join a room and many more are available in Jabber MUC rooms. For the full specification
of MUC, check the XEP-0045: Multi-User Chat 16 draft.

Once we have enabled Enable Multi User Chat (MUC) on the Jabber eBox menu entry, all further
room configuration is done from the Jabber clients.

Everybody can create a room on the Jabber/XMPP eBox server and the user who creates a room
is the administrator for that room. This administrator can set up all the settings, add other users as
moderators or administrators and destroy the room.
16. The Jabber/XMPP chat rooms specification is available at <http://xmpp.org/extensions/xep-0045.html>.


One of the settings worth highlighting is Make Room Persistent. By default, all rooms are
destroyed shortly after the last participant leaves. These are called dynamic rooms and are the
preferred method for multi-user chats. Persistent rooms, on the other hand, must be destroyed by one
of their administrators and are usually set up for work groups or topics.

On Pidgin, to join a chat room go to Buddies → Join a Chat.... A Join a Chat window pops up
asking for some information: the Room name, the Server, which should be conference.domain, the
user Handle or nickname and the room Password, if needed.

The first user joining a non-existent room locks it and is asked whether to Configure Room or
Accept Defaults.

In Room Configuration you will be able to set up all the possible settings for the room. This
configuration window can be opened later by typing /config in the room chat window.


Once configured, other users will be able to join the room under the settings applied, leaving the
room unlocked ready to use.

On Psi, to join a chat room go to General → Join Groupchat. A Join Groupchat window pops up
asking for some information: the Host, which should be conference.domain, the Room name, the
user Nickname and the room Password, if needed.

The first user joining a non-existent room locks it and is asked to configure it. A button in the top
right corner shows a context menu with the Configure Room option.


In Room Configuration you will be able to set up all the possible settings for the room.

Once configured, other users will be able to join the room under the settings applied, leaving the
room unlocked ready to use.

5.3.4 Practical example

Enable the Jabber/XMPP service and assign it a domain name that both eBox and the clients are able
to resolve.

1. Action: Go to Module Status and enable the Jabber module. When the information about the
actions required on the system is displayed, allow them by clicking Accept.

Effect: The Save Changes button is enabled.

2. Action: Add a domain with the desired name, whose IP address is that of the eBox server, in
the same way as done in Practical example B.


Effect: You will be able to use the added domain as the domain for your Jabber/XMPP service.

3. Action: Access the menu Jabber. In the field Domain Name, write the domain name just
added. Click Apply Changes.

Effect: Save Changes has been enabled.

4. Action: Save the changes.

Effect: eBox shows the progress while applying the changes. When it finishes, a message is
displayed.

Now the Jabber/XMPP service is ready to be used.

5.4 Voice over IP service

Voice over IP, or VoIP, involves transmitting voice over data networks, using different protocols to
send the digital signal in packets instead of over analog circuits.

Any IP network can be used for this purpose, including private or public networks such as the Internet.
Using the same network for data and voice brings huge cost savings without losing quality or reliability.
The main issues of VoIP deployments over data networks are NAT 17 , with its management difficulties,
and QoS 18 , because of the need to offer a quality real-time service in which latency (the time it takes
data to arrive at its destination), jitter (the variation in latency) and bandwidth have to be taken into
account.

5.4.1 Protocols

There are several protocols involved in the voice transmission, from network protocols like IP and
transport protocols like TCP or UDP, to voice protocols both for signaling and transport.

VoIP signaling protocols accomplish the task of establishing and controlling the call. SIP, IAX2
and H.323 are signaling protocols.

The most widely used voice transport protocol is RTP (Realtime Transport Protocol), which
carries the encoded voice from origin to destination. This protocol starts once the call has been
established by the signaling protocol.
17. Concept explained in the Firewall section.
18. Concept explained in the Traffic shaping section.


SIP

SIP (Session Initiation Protocol) is a protocol created by the IETF 19 for the establishment, modification
and termination of interactive multimedia sessions. It incorporates many elements of HTTP and SMTP.
SIP only handles signaling and works on port UDP/5060. Multimedia transmission is handled by RTP
over the port range UDP/10000-20000.

IAX2

IAX2 20 is the second version of the Inter Asterisk eXchange protocol, created for connecting Asterisk
PBX systems. The main feature of this protocol is that voice and signaling travel in the same data
stream, which is called trunking. This way it traverses NAT easily, and there is less overhead when
keeping multiple communication channels open between servers. The communication can also be
encrypted with this protocol. IAX2 works on port UDP/4569.

5.4.2 Codecs

A codec is an algorithm that adapts digital information (encoding at the origin and decoding at the
destination) in order to compress it, reducing bandwidth usage, and to detect and recover from
transmission errors. G.711, G.729, GSM and speex are common codecs for VoIP.

G.711: One of the most widely used codecs. It comes in two flavors: an American one (ulaw) and
a European one (alaw). This codec offers good quality, but it has significant bandwidth requirements
(64kbps), which makes it a common choice for communication over local networks.

G.729: It offers better compression, using only 8kbps, which makes it ideal for Internet communications.
There are some usage restrictions on this codec.

GSM: The same codec used in mobile networks. Voice quality is not very good, and it uses around
13kbps.

speex: A patent-free codec specially designed for voice. It is very versatile, though it uses more
CPU than the others. It can work at different sampling rates, such as 8KHz, 16KHz and 32KHz, usually
referred to as narrowband, wideband and ultra-wideband, consuming 15.2kbps, 28kbps and 36kbps
respectively.
19. The Internet Engineering Task Force develops and promotes the communication standards used on the Internet.
20. Asterisk is the PBX software that eBox uses for its VoIP module <http://www.asterisk.org/>.


5.4.3 Deployment

Let’s cover the elements involved in a VoIP deployment:

IP Phones

They are phones with a traditional look but with an RJ45 connector to plug them into an Ethernet data
network instead of the RJ11 connector used for analog telephone networks. They also add new features,
such as an address book or call automation, not present in regular analog phones. These phones
usually talk SIP directly with the server and with any other clients.

Analog Adapters

Analog adapters, also known as ATA (Analog Telephony Adapter), connect a traditional analog
phone to a data network and make it work like an IP phone. They have an RJ45 data port and one or
more RJ11 analog ports.

Softphones

Softphones are computer programs used to make and receive calls without additional hardware (other
than the computer's microphone and speakers). There are multiple applications for all platforms and
operating systems. X-Lite and QuteCom (WengoPhone) are available for Windows, Mac OS X and
GNU/Linux. Ekiga and Twinkle are native GNU/Linux applications.


Figure 5.4: QuteCom


Figure 5.5: Twinkle

IP PBXs

In contrast to traditional telephony, which routed all calls through a central PBX, VoIP clients (IP phones
or softphones) register on the server, ask it for the call recipient's information and then establish the
call directly. When establishing the call, the caller and the recipient negotiate a common codec for the
voice transmission.

Asterisk is a software-only application that runs on commodity servers, providing the features of
a PBX (Private Branch eXchange): connecting multiple phones among themselves and with a VoIP
provider or the analog telephone network. It also offers services such as voice mail, conferences,
interactive voice response, etc.

To connect the Asterisk server to the public telephone network, it needs extra cards called FXO
(Foreign eXchange Office), which allow Asterisk to act like a regular phone and route calls through the
phone network. To connect an analog phone to the server, an FXS (Foreign eXchange Station) card is
needed. That way, existing phones can be adapted to the new IP telephony network.

Figure 5.6: Digium TDM422E FXO and FXS card


5.4.4 Asterisk server configuration with eBox

The eBox VoIP module allows you to manage an Asterisk server using the users that already exist on
the system LDAP server, with the most common features configured.

As usual, the module must be enabled first. Go to Module Status and select the VoIP checkbox.
If the Users and Groups module is not enabled, it must be enabled beforehand.

To change the general configuration, go to VoIP → General, where the following general
parameters should be configured:

Enable demo extensions: It enables extensions 400, 500 and 600. A call to extension 400 starts
music on hold, if configured. Extension 500 starts an IAX call to guest@pbx.digium.com.
Extension 600 provides an echo test to estimate your call latency. These extensions can help to
check whether a client is well configured.


Enable outgoing calls: It enables outgoing calls to regular phones through a SIP provider. To
call through the SIP provider, add an additional zero before the number to call. For instance, to
call the eBox Technologies offices (+34 976733507 or 0034976733506) dial 00034976733506.

Voicemail extension: It is the extension to call to check the voicemail. User and password are both
the extension assigned by eBox when the user was created, or assigned for the first time. It is
strongly recommended to change that password immediately from the User Corner 21 . The
application listening on this extension allows you to change the welcome message and to listen to
and delete recorded messages. For security reasons it is only accessible to the users of the eBox
server, so it does not accept incoming calls from other servers.

VoIP domain: It is the domain assigned to the user addresses. For example, a user user with
extension 1122 can be called at user@domain.tld or 1122@domain.tld.

In the SIP provider section, enter the credentials supplied by the SIP provider so that eBox can route
calls through it:

Provider: If you are using eBox VoIP Credit 22 , select this option, which configures your provider
name and server. Otherwise use Custom.

Name: It is the identifier of the provider in eBox.

User name: It is the user name used to log in to the provider.

Password: It is the password used to log in to the provider.

Server: It is the provider's server.

Recipient of incoming calls: It is the internal extension that receives the incoming calls to the
provider account.

The NAT configuration section defines the network location of your eBox host. If it has a public
IP address, the default option eBox is behind NAT is not appropriate. If it has a private IP address,
Asterisk needs to know your public Internet IP address. If you have a fixed public address, select
Fixed IP address and enter it; if the IP is dynamic, configure the dynamic DNS service (DynDNS)
available in Network → DynDNS (or configure it manually) and enter the domain name in Dynamic
hostname.

In the Local networks section, you can add the local networks to which eBox has direct access
without NAT, such as VPNs or network segments not configured in eBox, like a wireless network. This
is required to make SIP work in NAT environments.
21. Explained in the User Corner section.
22. You may buy eBox VoIP credit in our store.


The conference configuration is accessed through VoIP → Meetings. There you can configure
multiple conference rooms. These rooms extension should fit in the 8001-8999 range and optionally
have a password and a description. These extensions can be accessed from any server by dialing
extension@domain.tld.

When editing a user, you will be able to enable and disable this user's VoIP account and change their extension. Take into account that an extension can be assigned to only one user; if you need to call more than one user from an extension, you must use queues.

When editing a group, you will be able to enable and disable this group's queue. A queue is an extension that, when called, rings all the users who belong to the group.

If you want to configure music on hold, drop your MP3 files into /var/lib/asterisk/mohmp3/ and install the mpg123 package.

5.4.5 Configuring a softphone to work with eBox

Ekiga (Gnome)

Ekiga (http://ekiga.org/) is the softphone (or VoIP client) recommended by the Gnome desktop environment. When first launched, Ekiga presents a wizard to configure the user's personal data, audio and video devices, the Internet connection and the Ekiga.net services. We can skip the configuration of both Ekiga.net and Ekiga Call Out.

From Edit → Accounts, select Accounts → Add a SIP Account to configure your VoIP account in eBox Platform.

Name: Identifier of the account inside Ekiga.



Register server: Domain name of the VoIP server.

User and User for authentication: Both are the user name.

Password: User password.

After setting the account, it will attempt to register on the server.

Making a call is as simple as typing the number or SIP address in the top bar and calling with the green phone icon to the right of the bar. To hang up, use the red phone icon.

Qutecom (Multiplatform)

Qutecom (http://www.qutecom.org) is a softphone that uses the Qt4 libraries, which makes it available for the three most popular operating systems: GNU/Linux, OS X and Windows. When launched for the first time it shows a wizard to configure the VoIP account, as Ekiga does.

You have a keypad or a list of contacts to make calls. Use the green/red buttons at the bottom to
call and hang up.

5.4.6 Using eBox VoIP features

Call transferring

Call transferring is quite simple. While you are in a conversation, press # and then dial the extension to which you want to transfer the current call. You can hang up at that point, as the call will be ringing on the called extension.

Call parking

The extension 700 is the call parking. While you are in a conversation, press # to initiate a transfer, then dial 700. The extension where the call has been parked will be announced to you, and the other party will hear the music on hold, if configured. You can hang up now. From a different phone, or as a different user, dial the announced extension to pick up the parked call and speak with the waiting party.

On eBox, the call parking can hold up to 20 concurrent calls and the maximum time a call can wait parked is 300 seconds.


5.4.7 Example

Create a user with a VoIP account. Change the extension to 1500.

1. Action: Log into eBox, click on Module status and enable the VoIP module by clicking the checkbox in the Status column. If Users and Groups is not enabled, you should enable it first. Then you will be informed about the changes that are going to take place in the system. You should allow these actions by clicking the Accept button.

Effect: The Save Changes button has been activated.

2. Action: Go to VoIP. Write the machine’s domain name in VoIP Domain. The domain should
be resolvable from the machines of the service clients. Click on Change.

3. Action: Save the changes done.

Effect: eBox shows its progress while applying the changes. Once it is done, it notifies you.

VoIP service is ready to be used.

4. Action: Access the Users and Groups → Users → Add User menu. Fill in the form to create
a new user. Click on Create and Edit.

Effect: eBox creates a new user and shows you its profile.

5. Action: In the section VoIP Account, eBox shows whether the user's account is enabled or disabled, and also its extension. Make sure that the account is enabled; all users created while the VoIP module is enabled should have their account enabled too. Finally, change the extension given by default (the first free extension of the users' range) to the extension 1500. Click on Apply changes in the VoIP Account section.

Effect: eBox applies the changes immediately. The user is able to receive calls at that extension.

Chapter 6

eBox Unified Threat Manager

This section will explain different techniques to protect your network beyond a simple firewall, preventing external attacks and detecting possible intrusions into your network services.

An email service without a spam filter is a waste of time and resources. This section shows
different techniques to avoid junk mail (spam) and viruses in the email service provided by eBox.

Web traffic can also bring problems depending on the sites visited. Therefore, in this section we explain the integration of the HTTP proxy's content filtering with an antivirus, and several advanced configurations that make Internet browsing safer for the users in the network.

We will also explain how to allow employees outside the office to connect securely to your local network, or how to connect offices to each other using virtual private networks. For that we will cover the fundamentals of network security.

Finally, it is explained how the intrusion detection system uses rulesets to match the contents of the traffic packets in order to detect external attacks. You can get notifications of possible attacks and analyze the damage they may have caused.

6.1 Mail Filter

The main threats to an electronic mail system are spam and viruses.

Spam, or unwanted email, makes the user waste time looking for the legitimate emails in the inbox. Moreover, spam generates a lot of network traffic that could affect the network and email services.


Although viruses do not harm the system where eBox is installed, an infected email could affect other computers in the network.

6.1.1 Mail filter schema in eBox

To defend against these threats, eBox provides a powerful and flexible mail filter.

Figure 6.1: eBox’s mail filter schema

In the figure, we can observe the different steps that a message follows before being tagged. First, the email server sends it to the greylisting policy manager. If the email passes this filter, it is checked for spam (using a statistical filter) and for viruses. Finally, if everything is OK, the email is considered valid and is sent to its recipient or stored in the server's mailbox.

The following sections explain those filters and their configuration in detail.

Greylist

A greylist is a method of defense against spam which does not discard emails, but makes life harder for the spammers. eBox uses postgrey (http://postgrey.schweikert.ch/) as the policy manager in Postfix.

In the case of eBox, the strategy is to pretend to be out of service. When a server wants to send a new mail, eBox says "I'm out of service at this time, try in 300 seconds" (actually the mail server answers "Greylisted", that is, put on the greylist). If the server follows the specification, it will send the message again a bit later and eBox will consider it a valid server.

In eBox, the greylist exempts the mail sent from internal networks, from objects with an allowed
mail relay policy and from addresses that are in the antispam whitelist.

However, the servers that send spam do not usually follow the standard. They will not try to send the email again, so the spam messages are avoided.

Figure 6.2: Schematic operation of a greylist

Greylisting is configured from Mail → Greylist with the following options:

Enabled: Set to enable greylisting.

Greylist duration (seconds): Seconds the sending server must wait before sending the mail again.

Retry window (hours): Time window, in hours, during which the sending server is expected to retry. If the server sends the mail again within that window, it is recorded in the greylist. A server on the greylist can send as many emails as it wants without temporary restrictions.


Entry time-to-live (days): Days that the data about servers evaluated by the greylist is kept. After the configured days, the mail server will have to go through the greylisting process described above again.
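To make the three settings above concrete, here is a simplified greylist policy in Python, added here as an example; it is not eBox's or postgrey's code. It follows the (client IP, sender, recipient) triplet model postgrey uses, maps eBox's settings onto parameters, and answers with Postfix access-policy actions (DEFER_IF_PERMIT asks the sender to retry, DUNNO leaves the decision to the remaining checks). The exemptions for internal networks and for the antispam whitelist described earlier are included; all addresses and times in the simulation are constructed.

```python
"""Simplified greylisting policy built from the three eBox settings above.

Added example, not eBox or postgrey code. It remembers (client IP, sender,
recipient) triplets as postgrey does and answers with Postfix access policy
actions: DEFER_IF_PERMIT asks the sender to retry, DUNNO lets other checks run.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Greylist:
    delay: int = 300                     # Greylist duration (seconds)
    retry_window: int = 2 * 3600         # Retry window (hours), kept here in seconds
    entry_ttl: int = 35 * 86400          # Entry time-to-live (days), kept here in seconds
    exempt_networks: tuple = ()          # internal networks: never greylisted
    whitelist: frozenset = frozenset()   # antispam whitelist: never greylisted
    pending: dict = field(default_factory=dict)  # triplet -> time of first attempt
    passed: dict = field(default_factory=dict)   # triplet -> time last seen

    def _exempt(self, client_ip, sender):
        return sender.lower() in self.whitelist or any(
            ip_address(client_ip) in ip_network(net) for net in self.exempt_networks)

    def _expire(self, now):
        """Forget accepted entries older than the TTL and first attempts past the window."""
        self.passed = {t: s for t, s in self.passed.items() if now - s <= self.entry_ttl}
        self.pending = {t: s for t, s in self.pending.items() if now - s <= self.retry_window}

    def decide(self, client_ip, sender, recipient, now):
        """Policy answer for one delivery attempt made at Unix time `now`."""
        if self._exempt(client_ip, sender):
            return "DUNNO"
        self._expire(now)
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.passed:
            self.passed[triplet] = now          # refresh the entry's lifetime
            return "DUNNO"
        first_seen = self.pending.get(triplet)
        if first_seen is None:
            # first attempt (or a retry that came after the window): start over
            self.pending[triplet] = now
            return f"DEFER_IF_PERMIT Greylisted, try again in {self.delay} seconds"
        if now - first_seen < self.delay:
            # retried too early: a compliant MTA waits the full delay
            return f"DEFER_IF_PERMIT Greylisted, try again in {self.delay} seconds"
        # retried after the delay and within the window: a well-behaved server
        del self.pending[triplet]
        self.passed[triplet] = now
        return "DUNNO"


def simulate():
    """Constructed sequence of delivery attempts; returns the policy actions in order."""
    gl = Greylist(exempt_networks=("192.168.1.0/24",),
                  whitelist=frozenset({"partner@example.net"}))
    t0 = 1_700_000_000
    attempts = [
        ("203.0.113.7", "bob@example.org", "alice@domain.tld", t0),        # first contact
        ("203.0.113.7", "bob@example.org", "alice@domain.tld", t0 + 60),   # impatient retry
        ("203.0.113.7", "bob@example.org", "alice@domain.tld", t0 + 400),  # compliant retry
        ("203.0.113.7", "bob@example.org", "alice@domain.tld", t0 + 500),  # known good triplet
        ("192.168.1.20", "carol@domain.tld", "alice@domain.tld", t0),      # internal network
        ("198.51.100.9", "partner@example.net", "alice@domain.tld", t0),   # whitelisted sender
        ("198.51.100.5", "spam@junk.invalid", "alice@domain.tld", t0),     # spammer, never retries
        ("203.0.113.7", "bob@example.org", "alice@domain.tld", t0 + 500 + 36 * 86400),  # TTL expired
    ]
    return [gl.decide(*a).split()[0] for a in attempts]


if __name__ == "__main__":
    for action in simulate():
        print(action)
```

The last attempt shows the effect of the entry time-to-live: once the accepted triplet has not been seen for longer than the TTL, the same server is greylisted again, exactly as the option description says.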

Content filtering system

Mail content filtering is provided by the antivirus and spam detectors. To perform this task, eBox uses amavisd-new (http://www.ijs.si/software/amavisd/) as an interface between the MTA (Postfix) and those programs. amavisd-new talks with the MTA via (E)SMTP or LMTP (Local Mail Transfer Protocol, RFC 2033) to check that the emails are neither spam nor contain viruses. Additionally, this interface performs the following checks:

• White and black lists of files and extensions.

• Malformed headers.

Antivirus

The antivirus used by eBox is ClamAV (http://www.clamav.net/), an antivirus toolkit designed for UNIX to scan attachments in emails in an MTA. ClamAV updates its virus database through freshclam; the database is updated daily with newly found viruses. Furthermore, the antivirus is able to scan a variety of file formats such as Zip, BinHex, PDF, etc.

In Antivirus, you can check if the antivirus is installed and up to date.

You can update it from Software Management, as we will see in Software Updates.

If the antivirus is installed and up to date, eBox will use it in the following modules: SMTP proxy,
POP proxy, HTTP proxy and even file sharing.

Antispam

The spam filter works by giving each mail a spam score: if the score reaches the spam threshold, the mail is considered junk; otherwise it is considered legitimate. The latter kind of mail is often called ham.

The spam scanner uses the following techniques to assign scores:

• DNS published blacklists (DNSBL).

• URI blacklists that track spam websites.

• Filters based on the checksum of messages.

• Sender Policy Framework (SPF, RFC 4408).

• DomainKeys Identified Mail (DKIM).

• Bayesian filter.

• Static rules.

• Other tests (a long list of antispam techniques can be found at http://en.wikipedia.org/wiki/Anti-spam_techniques_(e-mail)).

Among these techniques, the Bayesian filter deserves further explanation. This kind of filter performs a statistical analysis of the text of the message, giving a score that reflects the probability of the message being spam. However, the analysis is not done against a set of static rules but against a dynamic one, built by supplying ham and spam messages to the filter so that it learns the statistical features of each type.

The advantage of this technique is that the filter can adapt to the ever-changing flow of spam messages; the downsides are that the filter needs to be trained and that its accuracy depends on the quality of the training it receives.

eBox uses SpamAssassin (http://spamassassin.apache.org) as spam detector.

The general configuration of the filter is done from Mail filter → Antispam:

Spam threshold: Mail will be considered spam if the score is above this number.

Spam subject tag: Tag to be added to the mail subject when it is classified as spam.

Use Bayesian classifier: If it is marked, the Bayesian filter will be used. Otherwise, it will be ignored.

Auto-whitelist: It takes into account the history of the sender when rating the message. That is, if the
sender has sent some ham emails, it is highly probable that the next email sent by that sender
is also ham.

Auto-learn: If it is enabled, the filter will learn from messages whose score hits the autolearn thresholds.

Autolearn spam threshold: The automatic learning system will learn from spam emails that have a score above this value. It is not appropriate to set a low value, since it can subsequently lead to false positives. Its value must be greater than the spam threshold.

Autolearn ham threshold: The automatic learning system will learn from ham emails that have a score below this value. It is not appropriate to set a high value, since it can cause false negatives. Its value should be less than 0.
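The following Python example, added here and not part of eBox or SpamAssassin, shows how the Bayesian filter described above learns from ham and spam, how its probability is combined with static rules into a score, and how the three thresholds interact: a message at or above the spam threshold is tagged, but only scores beyond the autolearn thresholds feed back into training, which is why the autolearn spam threshold must sit well above the spam threshold. The token model, the score buckets and the three static rules are simplified constructions, and the training and test messages are constructed too.

```python
"""Naive Bayes spam scoring with the threshold settings described above.

Added example, not eBox or SpamAssassin code. The token model, the score
buckets and the three static rules are simplified constructions.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass, field

TOKEN = re.compile(r"[a-z0-9$]+")

STATIC_RULES = (  # constructed rules in the spirit of SpamAssassin's static tests
    ("FREE_MONEY", re.compile(r"free money|you have won|claim your prize", re.I), 2.0),
    ("SHOUTING_SUBJECT", re.compile(r"^Subject: [A-Z !$]{12,}$", re.M), 1.0),
    ("MANY_EXCLAMATIONS", re.compile(r"!{3,}"), 1.5),
)


def tokens(text):
    """Distinct lower-cased word tokens of a message (presence, not frequency)."""
    return set(TOKEN.findall(text.lower()))


@dataclass
class BayesFilter:
    spam_threshold: float = 5.0     # Spam threshold
    autolearn_spam: float = 12.0    # Autolearn spam threshold, must exceed spam_threshold
    autolearn_ham: float = -1.0     # Autolearn ham threshold, must be below 0
    spam_tokens: Counter = field(default_factory=Counter)
    ham_tokens: Counter = field(default_factory=Counter)
    n_spam: int = 0
    n_ham: int = 0

    def __post_init__(self):
        if not self.autolearn_ham < 0 < self.spam_threshold < self.autolearn_spam:
            raise ValueError("need autolearn ham < 0 < spam threshold < autolearn spam")

    def learn(self, text, is_spam):
        """Train on one message: what Train Bayesian spam filter and ham@/spam@ do."""
        if is_spam:
            self.spam_tokens.update(tokens(text))
            self.n_spam += 1
        else:
            self.ham_tokens.update(tokens(text))
            self.n_ham += 1

    def spam_probability(self, text):
        """P(spam | tokens) for a Bernoulli naive Bayes model with Laplace smoothing."""
        if not (self.n_spam and self.n_ham):
            return 0.5                          # untrained filter has no opinion
        total = self.n_spam + self.n_ham
        log_spam = math.log(self.n_spam / total)
        log_ham = math.log(self.n_ham / total)
        for tok in tokens(text):
            log_spam += math.log((self.spam_tokens[tok] + 1) / (self.n_spam + 2))
            log_ham += math.log((self.ham_tokens[tok] + 1) / (self.n_ham + 2))
        return 1 / (1 + math.exp(min(700.0, log_ham - log_spam)))

    def bayes_score(self, text):
        """Turn the probability into score points, like SpamAssassin's BAYES_xx buckets."""
        p = self.spam_probability(text)
        if p >= 0.99:
            return 3.5
        if p >= 0.80:
            return 2.0
        if p <= 0.01:
            return -1.9
        if p <= 0.20:
            return -0.5
        return 0.0

    def classify(self, message):
        """Return (score, verdict, autolearned_as); autolearn when a threshold is hit."""
        score = self.bayes_score(message)
        score += sum(points for _, pattern, points in STATIC_RULES if pattern.search(message))
        verdict = "spam" if score >= self.spam_threshold else "ham"
        learned = None
        if score >= self.autolearn_spam:        # far above the spam threshold: safe to learn
            self.learn(message, True)
            learned = "spam"
        elif score <= self.autolearn_ham:       # clearly ham: safe to learn
            self.learn(message, False)
            learned = "ham"
        return round(score, 2), verdict, learned


def demo():
    """Train on constructed ham and spam, then classify two constructed messages."""
    f = BayesFilter()
    spam_corpus = [  # stands in for a spam mbox fed to Train Bayesian spam filter
        "Subject: FREE MONEY NOW!!!\nyou have won a prize, claim your prize today free money",
        "Subject: cheap pills\nbuy cheap pills online, free shipping, claim now",
        "Subject: You have won\nclaim your prize, free money guaranteed, act now",
    ]
    ham_corpus = [  # stands in for a ham mbox
        "Subject: meeting tomorrow\nhi team, the weekly meeting moves to 10am, agenda attached",
        "Subject: invoice 1043\nplease find attached the invoice for march, regards, accounting",
        "Subject: re: meeting\nthanks, 10am works for me, see you in the office",
    ]
    for m in spam_corpus:
        f.learn(m, True)
    for m in ham_corpus:
        f.learn(m, False)
    return {
        "spam": f.classify("Subject: CLAIM YOUR PRIZE NOW!!!\nyou have won free money, claim your prize"),
        "ham": f.classify("Subject: re: invoice 1043\nhi, the invoice is approved, see you at the meeting"),
        "trained": (f.n_spam, f.n_ham),   # the ham message was autolearned, so ham count grows
    }
```

In the demo the spam message scores 8.0: it is tagged as spam, but it stays below the autolearn spam threshold of 12.0 and is not fed back into the model, while the ham message scores -1.9, below the autolearn ham threshold, and is learned as ham.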


From Sender Policy we can configure some senders so their mail is always accepted (whitelist),
always marked as spam (blacklist) or always processed by the spam filter (process).

From Train Bayesian spam filter we can train the Bayesian filter by sending it a mailbox in mbox format containing only spam or only ham (mbox and maildir are email storage formats used by most email clients and servers: mbox stores all the emails of a directory in a single file, while maildir keeps each email in a separate file within a directory). There are many sample files on the Internet to train a Bayesian filter, but it is normally more accurate to use mail received by the sites that will be filtered. The more trained the filter is, the better the spam detection.

File-based ACLs

It is possible to filter files attached to mails using Mail filter → Files ACL (Access Control Lists).

There, we can allow or deny mail according to the extensions of the attached files or their Multipurpose Internet Mail Extensions (MIME) types.


Simple Mail Transfer Protocol (SMTP) mail filter

From Mail filter → SMTP mail filter it is possible to configure the behavior of the filters when eBox receives mail by SMTP. Within it, from General configuration we can set the general behavior for every incoming email:

Enabled: Check to enable the SMTP filter.

Antivirus enabled: Check to make the filter look for viruses.

Antispam enabled: Check to make the filter look for spam.

Service’s port: Port to be used by the SMTP filter.

Notify of non-spam problematic messages: We can send notifications to a mailbox when problematic (but not spam) emails are received, e.g., emails infected by a virus.

From Mail filter → Filter Policies, it is possible to configure what the filter must do with any kind of
email.

For each kind of email problem, you can perform the following actions:

Pass: Do nothing, let the mail reach its recipient.

Reject: Discard the message before it reaches the recipient, notifying the sender that the message
has been discarded.


Bounce: Like reject, but enclosing a copy of the message in the notification.

Discard: Discards the message before it reaches the destination, without notice to the sender.

From Mail Filter → Virtual Domains, the behavior of the filter for virtual email domains can be
configured. These settings override the general settings defined previously.

To customize the configuration of a virtual domain email, click on Add new.

The parameters that can be overridden are the following:

Domain: Virtual domain that we want to customize, from those configured at Mail → Virtual Domain.

Use virus filtering / spam: If this is enabled, mail received for this domain will be checked for viruses or spam.

Spam threshold: You can use the default threshold score for spam or a custom value.

Learn from accounts' Spam IMAP folders: If enabled, when an email is put in the Spam IMAP folder, the email is automatically learned as spam. Likewise, if an email is moved from the Spam folder to a normal folder, it is learned as ham.

Learning account for ham / spam: If enabled, ham@domain and spam@domain accounts will be
created. Users can send emails to these accounts to train the filter. All mail sent to
ham@domain will be learned as ham mail, while mail sent to spam@domain will be learned as
spam.

Once the domain is added, from Antispam policy for senders, it is possible to add addresses to its whitelist and its blacklist, or even force every mail for the domain to be processed.


6.1.2 External connection control lists

From Mail Filter → SMTP Mail Filter → External connections, you can allow connections from external MTAs, identified by IP address or domain name, to the mail filter configured in eBox. In the same way, these external MTAs can be allowed to have mail filtered for the external virtual domains allowed in the configuration. This way, you can distribute your load between two machines, one acting as a mail server and another as a server to filter mail.

6.1.3 Transparent proxy for POP3 mailboxes

If eBox is configured as a transparent proxy, you can filter POP email. The eBox machine will be placed between the real POP server and the user to filter the content downloaded from the mail servers. To do this, eBox uses p3scan.

From Mail Filter → POP Transparent Proxy you can configure the behavior of the filtering:

Enabled: If checked, POP email will be filtered.

Filter virus: If checked, POP email will be filtered to detect viruses.

Filter spam: If checked, POP email will be filtered to detect spam.

ISP spam subject: If the server marks spam mail with a tag, it can be specified here and the filter will
consider these emails as spam.

Practical example

Activate the mail filter and the antivirus. Send an email with a virus. Check that the filter is working
properly.

1. Action: Access eBox, go to Module Status and enable the module mail filter. To do this, check
the box in the column Status. You will have to enable network and firewall first in case they
were not already.

Effect: eBox asks for permission to override some files.

2. Action: Read the changes that are going to be made and grant eBox permission to perform
them.

Effect: Save Changes has been enabled.

3. Action: Go to Mail Filter → SMTP Mail Filter, check boxes for Enabled and Antivirus enabled
and click on Change.

Effect: eBox informs you about the success of the modifications with a Done message.

4. Action: Go to Mail → General → Mail filter options and select eBox internal mail filter.

Effect: eBox will use its own filter system.


5. Action: Save changes.

Effect: eBox shows the progress while applying the changes. Once it is done, it notifies you.

The mail filter with antivirus is enabled.

6. Action: Download the file http://www.eicar.org/download/eicar_com.zip, which contains a test virus, and send it from your mail client to an eBox mailbox.

Effect: The email will never reach its destination because the antivirus will discard it.

7. Action: Go to the console in the eBox machine and check the last lines of /var/log/mail.log
using the tail command.

Effect: There is a message in the log registering that the message with the virus was blocked,
specifying the name of the virus:

Blocked INFECTED (Eicar-Test-Signature)
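As an added example (not eBox code), the script below summarises amavisd-new verdicts from a /var/log/mail.log excerpt like the one the tail command shows in step 7: it counts Blocked and Passed verdicts, lists the infected messages with their virus name, sender and source address, and flags spam that was tagged but not blocked. The log lines are constructed in the style of amavisd-new's one-line summaries and do not come from a real system; the hostname ebox and all add­resses are invented.

```python
"""Summarise amavisd-new verdicts in /var/log/mail.log.

Added example, not eBox code. SAMPLE_LOG is constructed in the style of
amavisd-new's one-line summaries; the hosts and addresses are invented.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Mar  3 10:15:02 ebox amavis[2134]: (02134-01) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound,Quarantined}, [192.168.1.25]:51234 [192.168.1.25] <carol@domain.tld> -> <alice@domain.tld>, quarantine: virus-Q1, Message-ID: <a1@domain.tld>, mail_id: M1, Hits: -, size: 1126, 213 ms
Mar  3 10:16:40 ebox amavis[2134]: (02134-02) Passed CLEAN {RelayedInbound}, [203.0.113.7]:4021 [203.0.113.7] <bob@example.org> -> <alice@domain.tld>, Message-ID: <b2@example.org>, mail_id: M2, Hits: 0.512, size: 2310, 540 ms
Mar  3 10:17:05 ebox amavis[2134]: (02134-03) Blocked SPAM {DiscardedInbound}, [198.51.100.5]:2222 [198.51.100.5] <promo@junk.invalid> -> <alice@domain.tld>, Message-ID: <c3@junk.invalid>, mail_id: M3, Hits: 14.837, size: 5412, 610 ms
Mar  3 10:18:11 ebox postfix/smtpd[2200]: connect from unknown[198.51.100.5]
Mar  3 10:19:30 ebox amavis[2134]: (02134-04) Passed SPAMMY {RelayedTaggedInbound}, [198.51.100.5]:2300 [198.51.100.5] <news@junk.invalid> -> <alice@domain.tld>, Message-ID: <d4@junk.invalid>, mail_id: M4, Hits: 6.2, size: 3001, 580 ms
Mar  3 10:20:02 ebox amavis[2134]: (02134-05) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound,Quarantined}, [203.0.113.7]:4100 [203.0.113.7] <bob@example.org> -> <dave@domain.tld>, quarantine: virus-Q5, Message-ID: <e5@example.org>, mail_id: M5, Hits: -, size: 1130, 190 ms
"""

# One amavis summary line: timestamp, host, "(task-id) Action VERDICT (detail) {flags}, [ip]:port ... <from> -> <to> ... Hits: n,"
AMAVIS = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ amavis\[\d+\]: \(\S+\) "
    r"(?P<action>Blocked|Passed) (?P<verdict>[A-Z-]+)(?: \((?P<detail>[^)]*)\))? "
    r"\{[^}]*\}, \[(?P<ip>[^\]]+)\]:\d+ .*?<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
    r".*?Hits: (?P<hits>\S+?),"
)


def parse_amavis(log_text):
    """Yield one dict per amavis verdict line; unrelated lines (postfix etc.) are skipped."""
    for line in log_text.splitlines():
        m = AMAVIS.match(line)
        if m:
            rec = m.groupdict()
            rec["hits"] = None if rec["hits"] == "-" else float(rec["hits"])  # "-" for virus mail
            yield rec


def summarise(log_text):
    """Counts per verdict, the infected messages, tagged-but-delivered spam, blocked mail per IP."""
    records = list(parse_amavis(log_text))
    verdicts = Counter(f"{r['action']} {r['verdict']}" for r in records)
    infected = [(r["detail"], r["sender"], r["rcpt"], r["ip"])
                for r in records if r["verdict"] == "INFECTED"]
    tagged = [(r["sender"], r["hits"])
              for r in records if r["action"] == "Passed" and r["verdict"] == "SPAMMY"]
    blocked_by_ip = Counter(r["ip"] for r in records if r["action"] == "Blocked")
    return {"verdicts": dict(verdicts), "infected": infected,
            "tagged_spam": tagged, "blocked_by_ip": dict(blocked_by_ip)}


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(key, value)
```

On a real eBox host you would read the text from /var/log/mail.log instead of SAMPLE_LOG; the tagged_spam list is the one to watch when tuning the spam threshold, since those messages scored above the tagging level but were still delivered.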

6.2 HTTP Proxy advanced configuration

6.2.1 Filter profiles configuration

You can configure filter profiles in Proxy HTTP → Filter Profiles.

You can configure and create new profiles that could be used by user groups or network objects.

The configuration options are exactly the same as the ones we explained for the default profile.
There is just one thing that you have to take into account: it is possible to use the default profile values
in other profiles. To do so, you only need to click on Use default configuration.


6.2.2 Filter profile per object

You can select a filter profile for a source object. The requests coming from this source will use the
chosen profile instead of the default profile.

To do so you should go to HTTP Proxy → Objects policy and change the filter profile in the object’s
row. This option requires the object’s policy is set to Filter.

6.2.3 Group based filtering

You can use user groups as a way to control access and to apply different filtering profiles. The first
step is to either set a global or a network object policy to any of these policies: Authorize and allow
all, Authorize and deny all or Authorize and filter.

If any of these policies is set, users will have to provide credentials to be able to use the HTTP
proxy.

Warning: Please note that you cannot use HTTP authentication with the transparent proxy mode
enabled due to protocol limitations.

If you set a global policy that uses authentication you will also be able to use this global policy for
any group. This policy allows you to control the access of group members and apply a custom filtering
profile.

Group policies are managed in the menu entry named HTTP Proxy → Group Policy. You can
allow or deny the access for a given group. Note that this only affects the browsing. The use of the
content filter for the group depends on whether you have a global policy or group policy that is set to
filter. You can schedule when the group is allowed to browse. If a group member tries to use the proxy
out of the set schedule they will be denied access.


Each group policy has a priority given by its position in the list (top-bottom priority). Priority is
important because users can be members of several groups. The policy applied to the user will depend
on the priority.

You can also select which filtering profile will be applied to the group.

6.2.4 Group-based filtering for objects

Remember that you can configure custom policies for network objects that will override the global
policy.

Likewise, in case you pick a policy that enforces authorization, you can also set custom policies
for a group. In this case, group policies only affect to the permissions for browsing and not to the
content filtering. The content filtering policy is determined by the object policy. Authorization policies
are incompatible with the transparent mode.

Finally, you also have to take into account that you cannot set filtering profiles to groups in an
object policy. This means a group will use the filtering profile that is set in its group global policy.

Practical Example

The goal of this exercise is to set access policies for two groups: IT and Accounting. Members of
the Accounting group will only be able to access the Internet during work time, and its filtering profile
threshold will be set to very strict. On the other hand, members of the IT group will be able to use the
Internet at any time. They will also skip the censorship of the content filter. However, they will not be
able to access those domains that are explicitly denied to all the workers. For the sake of clarity, the
needed users and groups are already created.

These are steps you have to take:

1. Action: Go to eBox, click on Module Status and enable the HTTP Proxy.


Effect: Once changes have been saved, users will need to authenticate with their login and
password in order to surf the Internet.

2. Action:

Go to HTTP proxy → Filter profiles. Add a list of forbidden domains to the default profile. You can do this by clicking on the Configuration cell of the default profile and then clicking on the tab labeled Domains filtering. You can now add youtube.com and popidol.com to the Domains rules section.

Go back to HTTP proxy → Filter Profiles. Add two new profiles for your groups, IT and Accounting.

The Accounting profile must enforce a very strict threshold on the content filter. We will stick
to the defaults for the other options. To do so, you have to check the Use default profile
configuration field in Domains Filtering and File Extensions filtering.

The IT profile will allow unfiltered access to everything but the forbidden domains. To enforce
this policy, you need to check the Use default profile configuration field in Domains Filtering.
You can grant free access for everything else by setting the content filter threshold to Disabled.

Effect: We will enforce the required policy.

3. Action:

Now you have to set a schedule and a filtering profile for groups. You can go to HTTP Proxy →
Group Policy.

Click on Add new, select the Accounting group. Set the schedule from Monday to Friday, from
9:00 to 18:00. And select the Accounting profile.

Likewise, you have to set a policy for the IT group. In this case, you don’t have to add any
restriction to the schedule.

Effect:

Once the changes have been saved, you can test whether the configuration works as expected by using the proxy authentication with a user from each group. You will know that it is working properly if:

• You can actually access www.playboy.com using the credentials of an IT user. However, if you use the credentials of an Accounting user, you are denied access.

• You are not allowed to access any of the banned domains from any of the groups.

• If you set the date in eBox to a weekend, you cannot surf the Internet with an Accounting user, but you can with an IT user.


6.3 Secure interconnection between local networks

6.3.1 Virtual Private Network (VPN)

Virtual Private Networks were designed both to allow remote users secure access to the corporate network and to securely interconnect geographically distant networks.

A frequent situation is where remote users need to access resources located in the company local
network, but those users are outside the facilities and cannot connect directly. The obvious solution is
to allow the connection through the Internet. This would create security and configuration problems,
which can be resolved through the use of virtual private networks.

The solution a VPN (Virtual Private Network) offers to this problem is to use encryption so that only authorized users can gain access (hence the private adjective). And to ease use and configuration, connections appear as if there were a direct network between the users and the local network (hence the virtual).

The VPN's usefulness is not limited to the access of remote users; an organization may wish to interconnect networks located in different places, for example in different cities. Some time ago, dedicated data lines were hired to solve this problem, but this service was expensive and slow to deploy. Later, the advance of the Internet provided a ubiquitous and cheap, but insecure, medium. And again, the security and virtualization features of the VPN were an appropriate response to this problem.

In this regard, eBox Platform provides two modes of operation. It can work as a server for remote
users and as a server and client for the connection between two networks.

6.3.2 Public Key Infrastructure (PKI) with a Certification Authority (CA)

The VPN used by eBox to ensure data privacy and integrity uses SSL as its cipher technology. SSL has been widely used for a long time, so its security can reasonably be trusted. However, all cipher schemes have the problem of how to distribute the keys to their users without interception by third parties. In the VPN context, this step is required when a new participant joins the virtual network. The adopted solution is the use of a public key infrastructure (PKI). This technology allows keys to be used over an insecure medium, like the Internet, without anyone who snoops the communication being able to intercept them.

PKI is based on each participant generating two keys: a public key and a private key. The public one can be distributed publicly and the private one must remain secret. Any participant who wants to encrypt a message can do it with the public key of the recipient, but the message can only be deciphered with the private key of the recipient. As this key is kept secret, it is ensured that only the recipient can read the message. However, this solution creates a new problem. If anyone can present a public key, how can we guarantee that a participant is really who he claims to be and is not impersonating another identity? To solve this problem, certificates were created. (There is a lot of information about public key encryption; you can begin at http://en.wikipedia.org/wiki/Public-key_encryption.)

Figure 6.3: Public key encryption

Figure 6.4: Public key signature

The certificates use another PKI feature: the possibility of signing files. The private key is used to sign a file, and the signature can be checked by anyone using the public key. A certificate is a file that contains a public key, signed by someone who is trusted. This trusted participant is used to verify identities and is called the Certification Authority (CA).

Figure 6.5: Diagram to issue a certificate
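To show the mechanics of Figures 6.3 to 6.5 in running code, here is a textbook RSA walk-through in Python, added as an example and not eBox's or OpenSSL's code: encryption with the recipient's public key that only the matching private key undoes, a signature checked with the signer's public key, and a certificate (subject name plus public key) that is trusted only if the CA's signature on it verifies. Unpadded RSA with 512-bit keys is used so the arithmetic stays visible; real PKI uses larger keys, OAEP/PSS padding and X.509 encoding. The name mail.domain.tld and the impostor's key pair are constructed for the scenario.

```python
"""Textbook RSA walk-through of Figures 6.3 to 6.5: public-key encryption,
signatures and a CA-signed certificate.
Added example, not eBox or OpenSSL code. Unpadded RSA with 512-bit keys keeps
the arithmetic visible; real PKI uses larger keys, OAEP/PSS padding and X.509.
"""
import hashlib
import json
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test, sufficient for demonstration-sized primes."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full bit length
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Each participant makes two keys: public (n, e) to publish, private (n, d) to keep."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def encrypt(public, message):
    """Figure 6.3: anyone can encrypt with the recipient's public key ..."""
    n, e = public
    m = int.from_bytes(message, "big")
    assert m < n, "message too long for unpadded RSA"
    return pow(m, e, n)


def decrypt(private, ciphertext):
    """... but only the holder of the matching private key recovers the plaintext."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data):
    """Figure 6.4: the private key signs a hash of the file ..."""
    n, d = private
    return pow(digest(data), d, n)


def verify(public, data, signature):
    """... and anyone holding the public key can check that signature."""
    n, e = public
    return pow(signature, e, n) == digest(data)


def issue_certificate(ca_private, subject_public, common_name, days):
    """Figure 6.5: a certificate is identity plus public key, signed by the CA."""
    body = {"cn": common_name, "n": subject_public[0], "e": subject_public[1], "days": days}
    return {"body": body, "signature": sign(ca_private, json.dumps(body, sort_keys=True).encode())}


def verify_certificate(ca_public, cert):
    """Relying parties trust only the CA key; a subject key is trusted if the CA signed it."""
    return verify(ca_public, json.dumps(cert["body"], sort_keys=True).encode(), cert["signature"])


def demo():
    """Constructed scenario: a server, a CA that vouches for it, and an impostor."""
    ca_pub, ca_priv = generate_keypair()
    srv_pub, srv_priv = generate_keypair()
    imp_pub, imp_priv = generate_keypair()          # the impostor's own key pair
    ciphertext = encrypt(srv_pub, b"shared VPN secret")
    cert = issue_certificate(ca_priv, srv_pub, "mail.domain.tld", days=365)
    # impostor keeps the CA's signature but swaps in its own key: signature no longer matches
    forged = {"body": dict(cert["body"], n=imp_pub[0], e=imp_pub[1]), "signature": cert["signature"]}
    # impostor signs a certificate with its own key: not the CA that relying parties trust
    rogue = issue_certificate(imp_priv, imp_pub, "mail.domain.tld", days=365)
    return {
        "owner_decrypts": decrypt(srv_priv, ciphertext) == b"shared VPN secret",
        "impostor_decrypts": decrypt(imp_priv, ciphertext) == b"shared VPN secret",
        "genuine_cert_ok": verify_certificate(ca_pub, cert),
        "forged_cert_ok": verify_certificate(ca_pub, forged),
        "rogue_cert_ok": verify_certificate(ca_pub, rogue),
    }
```

The two rejected certificates are the point of the section: a public key on its own proves nothing, and a relying party that trusts only the organization's CA accepts a key for mail.domain.tld only when that CA has signed it.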

6.3.3 Certification Authority configuration with eBox

eBox Platform has integrated management of the Certification Authority and of the life cycle of the certificates issued for your organization. It uses the OpenSSL (http://www.openssl.org/) tools for this service.

First of all, you need to generate the keys and issue the certificate of the CA itself. This step is
needed to sign new certificates, so the remaining features of the module will not be available until the
CA keys are generated and its certificate, which is self signed, is issued. Note that this module runs
unmanaged and you don’t need to enable it in Module Status.

Go to Certification Authority → General and you will find the form to issue the CA certificate, after the key pair is generated automatically. It is required to fill in the Organization Name and Days to expire fields. When setting this duration you have to take into account that its expiration will revoke all certificates issued by this CA, stopping all services depending on those certificates. It is also possible to add these optional fields to the CA certificate:

Country Code: A two-letter code as defined in ISO 3166.

City

State

Once the CA has been created, you will be able to issue certificates signed by the CA. To do this, use the form now available at Certification Authority → General. The required data are the Common Name of the certificate and the Days to expire. This last field sets the number of days that the certificate will remain valid; the duration cannot surpass that of the CA. If the certificate is for a server offering a service, such as a web server or a mail server, the Common Name of the certificate should match the hostname or domain name of that server. In any case, you can set Subject Alternative Names for the certificate (see http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name) in order to, for example, set other common names for HTTP virtual hosts (see the Virtual domains section), an IP address, or even a mail address to sign e-mail messages.

When the certificate is issued, it will appear in the list of certificates and it will be available to eBox services that use certificates and to external applications. Furthermore, several actions can be applied to the certificates through the certificate list:

• Download a tarball archive containing the public key, private key and the certificate.

• Renew the certificate.

• Revoke the certificate.

If you renew a certificate, the current certificate will be revoked and a new one with the new
expiration date will be issued along with the key pair.

If you revoke a certificate you won't be able to use it anymore, as this action is permanent and cannot be undone. Optionally you can select the reason for the certificate revocation:

unspecified

keyCompromise: The private key for this certificate has been compromised and may now be in the
hands of an attacker.

CACompromise: The private key for the CA certificate has been compromised and may now be in the
hands of an attacker.

affiliationChanged: The issued certificate has changed its affiliation to another certification authority
from another organization.

superseded: The certificate has been renewed; the old one is no longer valid and is replaced.

cessationOfOperation: The issued certificate has ceased its operation.

certificateHold

removeFromCRL: Used with delta CRLs, which are currently not implemented.


If you renew the CA certificate, all the certificates will be renewed with the new CA. Each certificate
keeps its old expiration date; if this is not possible, because the old expiration date is later than the
new CA expiration date, the expiration date of the certificate will be set to the expiration date of
the CA.

When a certificate expires all the modules are notified. The expiration date of each certificate is
automatically checked once a day and every time you access the certificate list page.
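As an added illustration (example code written for this guide's reader, not part of eBox), the following Python model applies the rules stated above: a certificate may not outlive the CA, a renewal revokes the current certificate and reissues it with a new key pair, a revocation is permanent and carries one of the listed reasons, and renewing the CA clips any certificate that would outlive it. Class and function names are assumptions; no real key material is generated, the model only tracks names, dates and state.

```python
"""Model of the certificate life cycle described above. Added example, not eBox
code: it tracks names, dates and state only and generates no real key material."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Revocation reasons as listed on this page (RFC 5280 CRLReason names).
REVOCATION_REASONS = (
    "unspecified", "keyCompromise", "CACompromise", "affiliationChanged",
    "superseded", "cessationOfOperation", "certificateHold", "removeFromCRL",
)


def day(iso: str) -> date:
    """Parse an ISO date such as '2023-01-01' (convenience helper for the example)."""
    return date.fromisoformat(iso)


@dataclass
class Cert:
    common_name: str
    expires: date
    alt_names: List[str] = field(default_factory=list)   # subjectAltName entries
    key_version: int = 1          # bumped on renewal: a renewal issues a new key pair
    revoked_reason: Optional[str] = None

    @property
    def usable(self) -> bool:
        return self.revoked_reason is None


class CertificationAuthority:
    def __init__(self, org_name: str, days: int, today: date):
        self.org_name = org_name
        self.expires = today + timedelta(days=days)
        self.certs: Dict[str, Cert] = {}     # active certificates, keyed by Common Name
        self.revoked: List[Cert] = []        # permanent revocation record (CRL input)

    def issue(self, cn: str, days: int, today: date, alt_names=()) -> Cert:
        """Issue a certificate. Its expiration may not surpass the CA's."""
        expires = today + timedelta(days=days)
        if expires > self.expires:
            raise ValueError(f"{cn}: {days} days outlives the CA ({self.expires})")
        if cn in self.certs:
            raise ValueError(f"{cn}: an active certificate with this Common Name exists")
        cert = Cert(cn, expires, list(alt_names))
        self.certs[cn] = cert
        return cert

    def revoke(self, cn: str, reason: str = "unspecified") -> Cert:
        """Revocation is permanent: the certificate leaves the active list for good."""
        if reason not in REVOCATION_REASONS:
            raise ValueError(f"unknown revocation reason {reason!r}")
        cert = self.certs.pop(cn)
        cert.revoked_reason = reason
        self.revoked.append(cert)
        return cert

    def renew(self, cn: str, days: int, today: date) -> Cert:
        """Renewal revokes the current certificate and issues a new one with the
        new expiration date and a new key pair."""
        if today + timedelta(days=days) > self.expires:
            raise ValueError(f"{cn}: renewal would outlive the CA")
        old = self.revoke(cn, "superseded")
        new = self.issue(cn, days, today, old.alt_names)
        new.key_version = old.key_version + 1
        return new

    def renew_ca(self, days: int, today: date) -> None:
        """Renewing the CA re-signs every active certificate. Each keeps its old
        expiration date unless that is later than the new CA expiration date,
        in which case it is set to the CA's."""
        self.expires = today + timedelta(days=days)
        for cert in self.certs.values():
            cert.expires = min(cert.expires, self.expires)

    def expired(self, today: date) -> List[str]:
        """The once-a-day check: Common Names of active certificates past expiry."""
        return sorted(cn for cn, c in self.certs.items() if c.expires < today)
```

The `revoked` list is what a CRL would be built from: a superseded certificate stays there after a renewal, so a client presenting the old certificate is still rejected even though a certificate with the same Common Name is active again.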

Services Certificates

On Certification Authority → Services Certificates we can find the list of eBox modules that use
certificates for their secure services. By default, these certificates are generated by each module, but if
we are using the CA we can replace these self-signed certificates with ones issued by our organization's
CA. You can define the Common Name of the certificate for each service and, if a certificate with that
Common Name is available, the CA will issue one. In order to set this key pair and signed certificate for
the service you have to Enable the certificate.

Every time a certificate is renewed it is pushed again to the eBox module, but you need to restart the
service to force the use of the new certificate.


Practical example A

Create a Certification Authority which will be valid for a year, then create a certificate called server and
two client certificates called client1 and client2.

1. Action:

Go to Certification Authority → General. In the form called Create Certification
Authority Certificate, fill in the fields Organization Name and Days to expire with
reasonable values. Press Create to generate the Certification Authority.

Effect: The key pair of the Certification Authority is generated and its certificate will
be issued. Our new CA will be displayed in the list of certificates. The form
for creating the CA will be replaced by another one intended to issue normal
certificates.

2. Action:

Using the form Issue a New Certificate to issue certificates, enter server as
Common Name and then, in Days to expire, a number of days less than or
equal to the one you entered for the CA certificate. Repeat these steps with
the names client1 and client2.

Effect: The new certificates will appear in the list of certificates, ready to be used.

6.3.4 Configuring a VPN with eBox

The software selected by eBox to create VPNs is OpenVPN [12]. OpenVPN has the following advantages:

• Authentication using public key infrastructure.

• Encryption based on SSL technology.

• Clients available for Windows, MacOS X and Linux.

• Code that runs in user space, without the need to modify the network stack (as opposed to
IPSec).

• Possibility to use network applications in a transparent way.


[12] OpenVPN: An open source SSL VPN solution by James Yonan, http://openvpn.net.

Remote VPN Client

eBox can be configured to support remote clients (familiarly known as road warriors). That is, an
eBox machine can work as a gateway and OpenVPN server, allowing clients on the Internet (the road
warriors) to connect to the network via the VPN service and access the local area network.

The following figure can give a more accurate view of the scenario:

Figure 6.6: eBox and remote VPN clients

The goal is to connect the client number 3 with the other two remote clients (1 and 2) and also
connect these two among themselves.

To do this, we need to create a Certification Authority and certificates for the two remote clients.
Note that you also need a certificate for the OpenVPN server itself; however, this certificate is
automatically created when you add a new OpenVPN server. Here, the eBox machine also acts as a
CA.

Once we have the certificates, we should configure the OpenVPN server in eBox using Create
a new server. The only parameter that you need to create a working OpenVPN server is its name.
An OpenVPN server needs more parameters to work properly, but eBox makes this easy and will try to
set valid parameters for you automatically.

The following configuration parameters will be added by eBox; feel free to adapt them to your
needs: a port/protocol pair, a certificate (eBox will create a certificate using the OpenVPN server's
name) and a network address for the VPN. Addresses belonging to the VPN network are assigned to
the server and the clients. If you need to change the network address, make sure that the new range
is not used in any other part of your network, to avoid conflicts. Furthermore, the local networks, i.e.
the networks to which the network interfaces are attached, are advertised through the private network.

The OpenVPN server will be listening on all the external interfaces. Therefore, we have to mark
at least one of our interfaces as external via Network -> Interfaces. In this scenario only two interfaces
are needed, the internal one for the LAN and the external one for the Internet. You can configure the
server to listen also on internal interfaces, activating the option Network Address Translation (NAT),
but you can ignore it for the moment.

If you want the clients to connect to each other using their VPN addresses, you have to activate
the option Allow connections between clients.

You can leave the rest of the options with their defaults.

After creating the OpenVPN server you have to enable the service and save the changes.
Subsequently, you should check in Dashboard that the VPN service is running.

After that, you may want to advertise networks through Advertised networks configuration for the
VPN server. These networks will be accessible by OpenVPN authorized clients. Note that eBox will
advertise all your local networks by default. Obviously, you can remove or add routes at your leisure.
In our example scenario, the local network has been added automatically to make visible the client
number 3 to the two other clients.

Once done, it's time to configure the clients. The easiest way to configure an OpenVPN client is
using the bundles provided by eBox. These are available in the table in VPN -> Servers, by clicking the
icon in the Download client bundle column. There are bundles for two types of operating system. If
you are using MacOS X or GNU/Linux, you have to choose Linux as type. When a bundle is created,
the certificates that will be given to the client are included, and the external IP address to which VPN
clients have to connect is set. If the selected system is Windows, an OpenVPN for Win32 installer is
also included. The configuration bundles should be downloaded by the eBox administrator, who is
responsible for distributing them to the clients in a proper and secure way.

A bundle includes the configuration file and the other files necessary to start a VPN connection. For
example, in Linux, simply extract the archive and, within the newly created directory, start the client
with the following command:

openvpn --config filename
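The checks a practitioner runs around the server parameters and the client bundle described above, as an added example (this is not eBox code and not the real layout of an eBox bundle): it verifies that the chosen VPN address range does not overlap any local network, writes a minimal road-warrior client configuration equivalent in content to what a bundle provides, and, for the verification step, reports which advertised networks are missing from the client's routing table on the tapX interface. All addresses, the port, the `ip route` output and the file names are constructed placeholders.

```python
"""Added example, not eBox code: sanity checks around an OpenVPN server's
parameters and a minimal road-warrior client configuration."""
import ipaddress
from typing import Iterable, List


def vpn_network_conflicts(vpn_network: str, local_networks: Iterable[str]) -> List[str]:
    """Local networks that overlap the VPN address range. The page's rule is that the
    VPN network must not be in use anywhere else in your network."""
    vpn = ipaddress.ip_network(vpn_network, strict=False)
    return [n for n in local_networks
            if vpn.overlaps(ipaddress.ip_network(n, strict=False))]


def client_config(server_address: str, port: int, proto: str, client_name: str) -> str:
    """Minimal client configuration for the road-warrior scenario. File names are
    assumptions of this example, not the layout of an eBox bundle."""
    lines = [
        "client",
        "dev tap",                       # the page describes tapX client interfaces
        f"proto {proto}",
        f"remote {server_address} {port}",
        "ca cacert.pem",                 # the CA certificate shipped with the bundle
        f"cert {client_name}.pem",       # client certificate issued by that CA
        f"key {client_name}.key",        # its private key: distribute it securely
        # Accept only a peer certificate marked for server use; assumes the server
        # certificate carries the server extended key usage.
        "remote-cert-tls server",
        "persist-key",
        "persist-tun",
        "verb 3",
    ]
    return "\n".join(lines) + "\n"


# Constructed `ip route` output from a connected client (not a real capture).
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth0
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 via 10.8.0.1 dev tap0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.50
"""


def missing_routes(advertised: Iterable[str], route_table: str,
                   dev_prefix: str = "tap") -> List[str]:
    """The page's verification step: every advertised network should show up in the
    client's routing table on the tapX interface. Returns the ones that do not."""
    present = set()
    for line in route_table.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "default" or "dev" not in parts:
            continue
        if parts[parts.index("dev") + 1].startswith(dev_prefix):
            present.add(ipaddress.ip_network(parts[0], strict=False))
    return [n for n in advertised
            if ipaddress.ip_network(n, strict=False) not in present]
```

Run `missing_routes` against the output of `ip route` on the client after "Initialization Sequence Completed" appears; an advertised network that is reported missing means the client never received that route and traffic to it will leave through the default gateway instead of the tunnel.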

Now you have access to the client number 3 from the two remote clients. Bear in mind that the
eBox DNS service will not work through the private network unless you configure the remote clients to
use eBox as name resolver. That is why you cannot access the services of the hosts on the LAN by
name; you have to do it by IP address. That also applies to the NetBIOS service [13] when accessing
Windows shared resources: to browse the shared resources from the VPN, you must explicitly allow
the broadcast traffic provided by the SMB/CIFS server.

To enable the remote clients to connect between themselves, you need to activate the Allow
client-to-client connections option in the VPN server configuration. To verify that the configuration is
correct, look at the routing table of the client and check that the new networks were added to the tapX
virtual interface.

The users currently connected to the VPN service are displayed in the eBox Dashboard.

Practical example B

This example will configure a VPN server. A client on a computer located on an external network is
going to be configured. Once connected to the VPN, it will access another host in the local network,
which is only accessible from the server through an internal interface.

[13] For more information about file sharing, see the section File sharing service and remote authentication.

To do this:

1. Action: Access the eBox interface, go to Module Status and activate the VPN module by
checking the box on the Status column.

Effect: eBox requests permission to perform certain actions.

2. Action: Read about the actions that are going to be performed and grant permission to do
them.

Effect: Save Changes button is activated.

3. Action: Access the eBox web interface, enter the VPN -> Server section, click on Add new.
A form with the fields Enabled and Name will appear. Enter a name for the server and
leave it disabled until it is configured correctly.

Effect: The new server appears in the list of servers.

4. Action: Click on Save Changes and accept all the changes.

Effect: The server is active, you can verify its status in the Dashboard.

5. Action: To simplify the configuration of the client, download the configuration bundle. To do
this, click the icon on the Download client bundle column. Fill in the configuration form
with the following options:

• Client type: select Linux, as it is the client OS.

• Client certificate: select client1. If this certificate has not been created yet, create it
following the instructions from the previous example.

• Server address: enter here the address that the client has to use to reach the
VPN server. In this scenario, this address will be the one for the external interface
connected to the same network as the client computer.

Effect: Once the form is completed, a bundle file for the client will be downloaded. It will
be a compressed file in .tar.gz format.

6. Action: Configure the client computer. For this, decompress the bundle in a directory. Note
that the bundle contains files with the necessary certificates and a configuration file with
the .conf extension. If there have been no mistakes in the steps earlier, you have all the
necessary configuration and you only have to launch the program.

To launch the client run the following command within the directory:

openvpn --config [ filename.conf ]

Effect: When launching the command in a terminal window the actions will be printed
on it. If everything is correct, once the connection is ready Initialization Sequence
Completed will appear on the terminal; otherwise error messages will appear to help
you diagnose the problem.

7. Action: Before checking if there is a connection between the client and the computer on the
private network, you have to be sure that the latter has a return route to the VPN client. If
you are using eBox as the default gateway, there will be no problem. Otherwise you will
need to add a route to the client.

First you have to check if there is connection by using the ping command. Run the
following command:

ping -c 3 [ another_computer_ip_address ]

To verify that there is not only communication, but also access to the resources of another
computer, launch a remote console session. You can do it with the following command
from the client computer:

ssh [ another_computer_ip_address ]

After accepting the identity of the computer and entering the user and the password,
you will access the console of the remote computer as if it were physically on your local
network.

Remote VPN Client with NAT

If you want to have a VPN server that is not the gateway of your LAN, i.e. the machine has no
external interfaces, then you need to activate the Network Address Translation option. As this is a
firewall feature, you have to make sure that the firewall module is active, otherwise you will not be
able to activate this option. With this option, the VPN server will act as a representative of VPN clients
within the network. In fact, it will be a representative of all the advertised networks, and it will receive
the response packets and subsequently forward them through the private network to the clients. This
situation is better explained with the following figure:


Figure 6.7: VPN connection from a client to the LAN using NAT with VPN

Secure interconnection between local networks

In this scenario there are two offices in different networks that need to be connected via a private
network. To do this, eBox is used as gateway in both networks. One eBox will act as OpenVPN client
and another as server. The following figure attempts to clarify the situation:

Figure 6.8: eBox vs OpenVPN as a server. eBox OpenVPN as a client

The goal is to connect the client on the LAN 1 with client 2 on the LAN 2, as if they were in the same
local network. Therefore, you have to configure an OpenVPN server as done in Practical example B.

However, you need to make two small changes. First, enable the Allow eBox-to-eBox tunnels
option to exchange routes between eBox machines. Then set a password for the eBox-to-eBox
tunnel to have a more secure connection. Bear in mind that you also have to add
the address of the LAN 1 in Advertised networks.

To configure eBox as an OpenVPN client, go to VPN -> Clients. You must give the client a
name and activate the service. You can set the client configuration manually or
automatically using the bundle from the VPN server, as done in Practical example B. If not using
the bundle, you will have to enter the IP address and the Server port pair where the server is listening.
An eBox-to-eBox tunnel password and the certificates used by the client are also required. These
certificates should have been issued by the same CA that the server is using.

When changes are saved, you can see in Dashboard a new OpenVPN daemon on the network 2
running as a client, connected to the other eBox in the LAN 1.

When the connection is complete, the server machine will have access to all routes of the client
machines through the VPN. However, the client machines will have access only to the routes that the
server has advertised explicitly.


Practical example C

This example’s goal is to set up a tunnel between two networks that use eBox servers as gateways to
an external network, so that members of both networks can connect with each other.

1. Action: Access the web interface of the eBox which is going to act as server in the tunnel.
Make sure the VPN module is enabled and activate it if necessary. Once you are in the
VPN -> Servers section, create a new server with the following settings:

• Enable Allow eBox-to-eBox tunnels. This is the option indicating that it will be a
tunnel server.

• Enter an eBox-to-eBox tunnel password.

• Finally, in the Interface to listen on selector, choose the external interface that the
eBox client will connect to.

Effect: Once all the above steps are done you have the server running. You can verify
its status in the Dashboard.

2. Action: To ease the process of configuring the client, you can obtain a configuration bundle.
To download it from the server, log back into the eBox web interface and go to VPN ->
Servers, click on Download bundle client configuration in our server’s row. Before the
download starts you have to enter some parameters in the form:

• Client type: choose eBox to eBox tunnel.

• Client certificate: choose a certificate different from the server's and not in use by
any other client either. If you do not have enough certificates, follow the steps of the
examples above to create a certificate that you can use for the client.

• Server address: you have to enter the address which the client will use to connect
to the server. In this case, the address of the external interface connected to the
network visible by both server and client will be the appropriate one.

After entering all the data press the Download button.

Effect: You download a tar.gz archive containing the configuration data required for the
client.

3. Action: Access the eBox server web interface that will take the role of client. Check that the
VPN module is active and go to the VPN → Clients section. This section is an empty list of
clients. To create one, click Add client and enter a name for it. As it is unset, it cannot
be enabled, so you have to return to the list of clients and configure it. Since you have a
client configuration bundle you do not need to complete the data in the section by hand.
Using the Upload configuration's bundle option, you can select the file obtained in the
previous step and click on Change. Once the configuration is loaded, you can return to
the list of clients and enable it. For this, click the Edit icon in the Action column. A form
where you can tick the Enable option will appear. Now you have a fully configured client
and the only thing left is saving changes.

Effect: Once the changes are saved, the client will be active. You can check this in the
Dashboard. If both client and server configurations are correct, the client will start
the connection and the tunnel will be ready in a few seconds.

4. Action: Now you have to check if the hosts in the server’s internal networks and in the client
ones can see each other. Besides the existence of the tunnel, there are the following
requirements:

• The hosts must know the return route to the other private network. If, as in this case,
eBox is being used as gateway, there is no need to set up additional routes.

• The firewall must allow connections between the routes for the services you want to
use.

Once these requirements are met, you can test the connection. From one of the hosts on
the private network of the VPN server do the following:

• Ping a host on the network of the VPN client.

• Attempt to initiate an SSH session on a host of the VPN client network.

Once you have checked this, repeat it from a host on the network of the VPN client,
choosing as target a host located in the network of the VPN server.

6.4 Intrusion Detection System (IDS)

An intrusion detection system (IDS) is an application designed to detect, and help prevent, unwanted
access to our machines, mainly attacks coming from the Internet.

The two main functions of an IDS are to detect potential attacks or intrusions, which is done through
a set of rules that are matched against the packets of inbound traffic, and to record all suspicious
events together with useful information (such as the source IP address of the attacker) in a database or
file. Combined with the firewall, some IDS can also block intrusion attempts.


There are different types of IDS, the most common one is the Network Intrusion Detection System
(NIDS), which is responsible for checking all the traffic on a local network. One of the most popular
NIDS is Snort [14], which is the tool that eBox integrates to perform this task.

6.4.1 Setting up an IDS with eBox

The configuration of the IDS in eBox is very simple. You only need to activate or deactivate a number
of elements. First, you have to specify which network interfaces you want the IDS to listen on. After
that, you can select different sets of rules to match against the captured packets. An alert is raised
whenever a rule matches.

Both settings are accessed via the IDS menu. On the Interfaces tab a table with a list of all network
interfaces that are configured is shown. By default, all of them are disabled due to the increased
network latency and CPU consumption caused by the traffic inspection. However, you may enable any
of them by clicking on the checkbox.

On the Rules tab you can see a table that is preloaded with all the Snort rulesets installed on
your system (files under the directory /etc/snort/rules). A typical set of rules is enabled by default. If
you want to save CPU time, it is advisable to disable those that are not of interest, for example, the
ones related to services not available in your network. Also you can enable any other rules you find
interesting if your hardware is powerful enough. The procedure for activating or disabling a rule is the
same as for the interfaces.
[14] Snort: A free lightweight network intrusion detection system for UNIX and Windows, http://www.snort.org

6.4.2 IDS Alerts

Now you have the IDS module running. At this point, the only thing you can do is observe alerts
manually in the /var/log/snort/alert file. We are going to see how eBox can make this task easier and
more efficient thanks to its logs and events subsystem.

The IDS module is integrated with the eBox logs, so if it is enabled, you can query different IDS
alerts through the usual procedure. Likewise, we can configure an event for any of these alerts in order
to notify the system administrator by any of the different means available.

For more information, see the Logs chapter.
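Because the alert file is the raw material behind the log queries, it helps to know what one Snort alert looks like and how the entries produced by a probe such as the one in the practical example below stand out when reviewed. The following Python is an added example written for this guide, not eBox code: it parses Snort's multi-line alert format into records and reports the sources that touched several distinct destination ports. The alert text is constructed for the example (SIDs in the local 1000000+ range, documentation addresses), not a real capture, and the port threshold is a choice made here.

```python
"""Added example, not eBox code: parse Snort's /var/log/snort/alert format and
summarise it the way an administrator would when reviewing IDS entries."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed alert blocks in Snort's default "full" alert layout (not a real log).
SAMPLE_ALERTS = """\
[**] [1:1000001:1] LOCAL ICMP echo request from outside [**]
[Classification: Misc activity] [Priority: 3]
01/15-10:23:41.120000 198.51.100.7 -> 192.0.2.1
ICMP TTL:48 TOS:0x0 ID:4321 IpLen:20 DgmLen:28

[**] [1:1000002:1] LOCAL TCP SYN to unexpected port [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/15-10:23:42.000100 198.51.100.7:40001 -> 192.0.2.1:22
TCP TTL:48 TOS:0x0 ID:1 IpLen:20 DgmLen:44

[**] [1:1000002:1] LOCAL TCP SYN to unexpected port [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/15-10:23:42.000300 198.51.100.7:40002 -> 192.0.2.1:25
TCP TTL:48 TOS:0x0 ID:1 IpLen:20 DgmLen:44

[**] [1:1000002:1] LOCAL TCP SYN to unexpected port [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/15-10:23:42.000500 198.51.100.7:40003 -> 192.0.2.1:443
TCP TTL:48 TOS:0x0 ID:1 IpLen:20 DgmLen:44

[**] [1:1000003:1] LOCAL SSH login attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
01/15-11:02:09.500000 203.0.113.9:51000 -> 192.0.2.1:22
TCP TTL:60 TOS:0x0 ID:7 IpLen:20 DgmLen:60
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PRIORITY = re.compile(r"\[Priority: (\d+)\]")
ENDPOINTS = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")


class Alert(NamedTuple):
    timestamp: str          # Snort's default stamp carries no year
    sid: int
    message: str
    priority: int           # 1 is the most severe
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def _split_endpoint(ep: str):
    """'198.51.100.7:40001' -> ('198.51.100.7', 40001); ICMP has no port (IPv4 only)."""
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep else (ep, None)


def parse_alerts(text: str) -> List[Alert]:
    """Split the file into blank-line separated blocks and pick out the fields."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER.match(lines[0])
        if not head:
            continue            # tolerate unexpected text instead of aborting the review
        prio = PRIORITY.search(block)
        ends = next((m for m in map(ENDPOINTS.match, lines[1:]) if m), None)
        if not ends:
            continue
        src_ip, src_port = _split_endpoint(ends.group(2))
        dst_ip, dst_port = _split_endpoint(ends.group(3))
        alerts.append(Alert(ends.group(1), int(head.group(2)), head.group(4),
                            int(prio.group(1)) if prio else 0,
                            src_ip, src_port, dst_ip, dst_port))
    return alerts


def ports_touched_by_source(alerts: List[Alert]) -> Dict[str, Set[int]]:
    """Distinct destination ports seen per source address."""
    touched: Dict[str, Set[int]] = defaultdict(set)
    for a in alerts:
        if a.dst_port is not None:
            touched[a.src_ip].add(a.dst_port)
    return touched


def probable_scanners(alerts: List[Alert], min_ports: int = 3) -> List[str]:
    """Sources that hit at least `min_ports` distinct destination ports, the pattern
    a port probe leaves behind. The threshold is a constructed choice."""
    return sorted(src for src, ports in ports_touched_by_source(alerts).items()
                  if len(ports) >= min_ports)
```

Pointing `parse_alerts` at the contents of /var/log/snort/alert gives the same records the eBox log query shows, which makes it easy to check that the Logs module is recording everything the file contains.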

Practical example

Enable the IDS module and launch a port scanning “attack” against the eBox machine.

1. Action: Access the eBox web interface, go to Module Status and activate the IDS module by
checking the box in the Status column. You will be notified of eBox wanting to modify the
Snort configuration. Allow the operation by pressing the Accept button.

Effect: Save Changes is activated.


2. Action: Similarly, activate the Logs module if it is not already activated.

Effect: When the IDS is started, it will be ready to record its alerts.

3. Action: Access the IDS menu and select the Interfaces tab. Enable an interface that is
reachable from the machine that will launch the attack.

Effect: The change is saved temporarily but it will not be effective until changes are
saved.

4. Action: Save the changes.

Effect: eBox shows the progress while it is applying the changes. Once the process is
completed you are notified.

From now on, the IDS is analyzing the traffic on the selected interface.

5. Action: Install the nmap package on another machine using aptitude install nmap.

Effect: The nmap tool is installed on the system.

6. Action: From the same machine run the nmap command passing only the IP address of the
interface eBox previously selected as parameter.

Effect: It will make attempts to connect to several ports on the eBox machine. You can
interrupt the process at any moment by pressing Ctrl-C.

7. Action: Access Logs -> Query logs and select Full report for the domain IDS.

Effect: Entries related to the attack just performed are listed on the table.

Chapter 7

eBox Core

The purpose of eBox is not only the configuration of the integrated network services. It also offers a
number of features that make the administration of eBox itself easier and more efficient. This feature
set is what we call the eBox core.

Backups to restore a previous state, logs of services to find out what happened and when,
notifications for certain events or incidents, monitoring of the machine and security updates of the
software are the issues explained in this section.

7.1 Logs

eBox provides an infrastructure for its modules that allows them to log different kinds of events that
may be useful for the administrator. These logs are available through the eBox interface. They are
also stored in a database so that queries, reports and updates can be made in an easier and more
efficient way. The database management system used is PostgreSQL [1].

We can also configure different dispatchers for the events. That way the administrator can be
notified by different means (email, RSS [2] or Jabber).

You can have logs for the following services:

• OpenVPN (Virtual Private Network (VPN))


[1] PostgreSQL: The world's most advanced open source database, http://www.postgresql.org/.
[2] RSS (Really Simple Syndication) is an XML format used mainly to publish frequently updated works,
http://www.rssboard.org/rss-specification/.

• SMTP Filter (Simple Mail Transfer Protocol (SMTP) mail filter )

• POP3 proxy (Transparent proxy for POP3 mailboxes)

• Printers (Printers sharing service)

• Firewall (Firewall)

• DHCP (Network configuration service (DHCP))

• Mail (Electronic Mail Service (SMTP/POP3-IMAP4))

• Proxy (HTTP HTTP Proxy Service)

• File Sharing (File sharing service and remote authentication)

• IDS (Intrusion Detection System (IDS))

Likewise, you can receive notifications of the following events:

• Specific values inside the logs.

• eBox health status.

• Service status

• Events from the software RAID subsystem.

• Free disk space.

• Problems with Internet routers.

• Completion of a full data backup.

As with other eBox modules, before you can work with the logs you have to make sure the module is
enabled.

To enable it, go to Module Status and select Logs. In order to obtain reports from the existing
logs, you can access the Logs -> Query Logs menu.

You can get a Full report of all log domains. Moreover, some of them give us an interesting
Summarized Report that provides an overview of the service for a period of time.

In Full report, we have a list of all registered actions for the selected domain. Information provided
is dependent on each domain. For example, for the OpenVPN domain you can see the connections
to a VPN server of a client with a specific certificate, or for example, in the HTTP Proxy domain you
can know which pages have been denied to a particular client. You can also make custom queries
that allow filtering by time period or different values, depending on the domain. These queries can
be stored as an event that generates an alert when a match occurs. Furthermore, if you do a query
without an upper bound in time, the results will be automatically refreshed with new data.

Figure 7.1: Query logs

Figure 7.2: Full report example

The Summarized Report allows you to select the period of the report, which may be one hour, one
day, a week or a month. The information you get is one or more graphs, accompanied by a summary
table with total values for different data. In the picture you can see, for example, daily statistics about
the requests and traffic of the HTTP proxy.

7.1.1 Logs configuration

Once you know how to check the logs, it is also important to know how to configure them, through the
Logs -> Configure logs menu on the eBox interface.

The values you can configure for each installed domain are:

Enabled: If this option is not activated no logs are written for this domain.

Purge logs older than: Sets the maximum time that the logs will be kept. Every entry whose age
exceeds the specified period will be discarded.

You can also force the instant removal of all logs that are older than a certain period. You can do
this using the Purge button inside of the Force log purge section, which allows you to select different
intervals between one hour and 90 days.

Practical example

Enable the logs module. Using the relevant practical example as a reference, generate email traffic
containing viruses, spam, banned senders and forbidden files. Observe the results in Logs
-> Query Logs -> Full Report.

1. Action: Access eBox interface. Go to Module Status and activate the logs module. For this,
check the box in the State column. You will be informed that a database to save the logs
is going to be created. Allow the operation by pressing Accept.

Effect: Save Changes button is now activated.

2. Action: Access Logs -> Configure Logs and check that the Mail domain is already enabled.

Effect: You have enabled the Logs module and you have checked that the logs for mail
are enabled.

3. Action: Save the changes.

Effect: eBox shows the progress while applying the changes. Once the process is
finished you are notified of that.

From now on, all sent emails will be logged.

Figure 7.3: Summarized report example

Figure 7.4: Configure logs

4. Action: Send a few problematic emails (with spam or virus) as it was done in the relevant
chapter.

Effect: As now the logs module is enabled, emails have been logged, unlike what hap-
pened when we sent them for the first time.

5. Action: Access Logs -> Query Logs and select Full report for the Mail domain.

Effect: A table with entries for the emails that you have sent appears showing some
information for each sent email.

7.2 Monitoring

The monitor module allows the eBox administrator to know the state of the resources of the eBox
machine. This information is essential both to troubleshoot and to plan the necessary resources in
advance.

Monitoring implies knowing how to interpret some system values in order to decide whether they
fall into an expected range or, otherwise, are too high or too low. The main issue of monitoring
is the selection of these ranges, as every machine can have different values depending on the kind
of use. For example, in a file sharing server, the free storage space is a very important value that can
change very quickly. However, in a router with an enabled content filter, free memory and CPU load
are more interesting values. You should avoid fetching values that are useless for your scenario.

This is the reason why eBox monitors only a few system metrics in its current version. These are:
system load, CPU usage, memory usage, and file system usage.

The monitor module displays the fetched data using graphs. This allows the user to easily visualize
the evolution of the resources during time. To access these graphs you have to click on the menu entry
labeled as Monitor. You can place the mouse pointer over any graph point to know the exact value at
that point.

You can see different time scales of the registered data: hourly, daily, monthly or yearly. You just
need to click on the relevant tab.

7.2.1 Metrics


System load

The system load tries to measure the ratio of pending work to completed work. This value is
defined as the number of runnable tasks in the run-queue and is provided by many operating systems
as a one, five or fifteen minute average.

This metric expresses how much CPU capacity is being used over a given time. A load of 1
represents a CPU working at full capacity. A load of 0.5 means that the CPU could take twice as
much work. Conversely, a load of 2 means that another CPU would be needed to fulfil the requirements
of the current work load.

You have to take into account that processes waiting for disk read/write operations also
contribute to this value.

CPU usage

This graph shows detailed information of the CPU usage. In the case of having a multi-core or
multi-CPU machine you will see one graph for each one of the cores.

This graph represents the amount of time that the CPU spends in each of its states: running user
code, system code, inactive, input/output wait, and so on. This measure is not a percentage, but
scheduling units known as jiffies. In most Linux systems this value is 100 per second, but it can be
different.

CHAPTER 7. EBOX CORE

Memory usage

This graph shows the memory usage. The following variables are monitored:

Free memory: Amount of memory not used at all

Page cache: Amount of memory holding cached file contents read from, or waiting to be written to, disk. The kernel reclaims it when applications need memory, so a small free value together with a large page cache is normal, not a shortage.

Buffer cache: Amount of memory used by the kernel as buffers for block device input/output operations and file system metadata

Memory used: Amount of memory that is not included in any of the above, i.e. what applications and the kernel actually hold


File system usage

This graph displays the used and free space of every mount point.

Temperature

This graph allows you to know the system temperature in degrees Celsius by using the ACPI system [3]. You need to have data available in one of these directories: /sys/class/thermal or /proc/acpi/thermal_zone.

[3] Advanced Configuration and Power Interface (ACPI) is an open standard for device configuration and power management by the operating system. http://www.acpi.info/


7.2.2 Alerts

These graphs are of little help if the administrator is not notified when something unexpected happens. Alerts tell you when the machine has reached an unusual system load or is approaching its full capacity.

You can configure monitor alerts in Events → Configure Events. The relevant alert is called
monitor.

You can access the configuration page by clicking on the configuration cell. In this page you can pick any monitored metric and set the thresholds that will trigger an event.

There are two thresholds, warning and failure, so that the user can filter on event severity. By default a value above a threshold is considered wrong; the reverse option swaps what is considered right and wrong, which is what you want for metrics such as free space, where a low value is the problem. The persistent option controls how often you are notified: when it is off, an event is generated only when the metric crosses a threshold (and again when it returns to normal); when it is on, an event is generated at every sampling interval while the metric stays out of range. Depending on the metric you can also set other parameters.

The unit in which the thresholds of each metric are expressed is as follows:

System load: The values must be set in average number of runnable tasks in the run-queue.


CPU usage: The values to set must be jiffies (scheduling units), as shown in the CPU usage graph.

Physical memory usage: The values to set must be bytes.

File system: The values must be set in bytes.

Temperature: The values to set must be degrees Celsius.

Once you have configured and enabled the event you will need to configure, at least, one observer.
The observer configuration is the same as the configuration of any other event. Check the Events and
alerts chapter for further information.
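The metrics and threshold options described above, worked through in plain Python as an added example (this is not eBox code; eBox 1.4 collects these values with collectd). The /proc/loadavg and /proc/stat text is constructed for the example. The functions normalise the load average by the number of CPUs, turn jiffy counters into percentages, and evaluate warning/failure thresholds with the reverse and persistent options:

```python
"""Reading the monitor metrics and applying warning/failure thresholds.

Added example, not eBox code. The functions below parse constructed
/proc/loadavg and /proc/stat text, normalise the load average by the number
of CPUs, turn jiffy counters into percentages, and evaluate thresholds with
the reverse and persistent options.
"""

# Constructed /proc/loadavg: 1, 5 and 15 minute averages, running/total tasks, last PID.
LOADAVG = "2.10 1.50 0.90 3/245 6231\n"

# Constructed /proc/stat snapshots one second apart on a two-CPU machine.
# Columns after the name: user nice system idle iowait irq softirq, in jiffies
# (USER_HZ = 100, so each CPU accumulates 100 jiffies per second).
STAT_T0 = """cpu  1000 0 500 8000 300 0 0
cpu0 600 0 300 3900 200 0 0
cpu1 400 0 200 4100 100 0 0
"""
STAT_T1 = """cpu  1110 0 540 8040 310 0 0
cpu0 660 0 330 3900 210 0 0
cpu1 450 0 210 4140 100 0 0
"""

STATES = ("user", "nice", "system", "idle", "iowait", "irq", "softirq")


def parse_loadavg(text):
    """Return the 1, 5 and 15 minute load averages as floats."""
    one, five, fifteen = text.split()[:3]
    return float(one), float(five), float(fifteen)


def parse_stat(text):
    """Return {name: {state: jiffies}} for the 'cpu' total and every 'cpuN' line."""
    cpus = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("cpu"):
            cpus[fields[0]] = dict(zip(STATES, (int(v) for v in fields[1:8])))
    return cpus


def cpu_count(stat_text):
    """Number of CPUs is the number of per-CPU lines (the bare 'cpu' line is the sum)."""
    return sum(1 for name in parse_stat(stat_text) if name != "cpu")


def load_per_cpu(loadavg_text, stat_text):
    """1-minute load divided by CPUs: 1.0 means every CPU is fully busy."""
    return parse_loadavg(loadavg_text)[0] / cpu_count(stat_text)


def cpu_percent(stat_before, stat_after, cpu="cpu"):
    """Share of each state over the interval, from two jiffy counter snapshots."""
    before, after = parse_stat(stat_before)[cpu], parse_stat(stat_after)[cpu]
    delta = {s: after[s] - before[s] for s in STATES}
    total = sum(delta.values())
    return {s: 100.0 * delta[s] / total for s in STATES}


def evaluate(samples, warning, failure, reverse=False, persistent=False):
    """collectd-style thresholds over a series of samples.

    Normally a value above warning is WARNING and above failure is FAILURE.
    reverse=True makes values *below* the thresholds bad (free memory, free disk).
    persistent=False reports only when the severity changes (including the
    return to OKAY); persistent=True reports every out-of-range sample.
    Returns a list of (sample index, severity, value).
    """
    alerts, previous = [], "OKAY"
    for i, value in enumerate(samples):
        if reverse:
            severity = "FAILURE" if value < failure else "WARNING" if value < warning else "OKAY"
        else:
            severity = "FAILURE" if value > failure else "WARNING" if value > warning else "OKAY"
        if severity != "OKAY" and (persistent or severity != previous):
            alerts.append((i, severity, value))
        elif severity == "OKAY" and previous != "OKAY":
            alerts.append((i, "OKAY", value))
        previous = severity
    return alerts


if __name__ == "__main__":
    print("load per CPU:", load_per_cpu(LOADAVG, STAT_T0))
    print("cpu0 states %:", cpu_percent(STAT_T0, STAT_T1, "cpu0"))
    # Load thresholds are given in runnable tasks (see the units list above).
    print(evaluate([0.5, 1.2, 1.3, 2.5, 0.4], warning=1.0, failure=2.0))
    # Free memory is given in bytes; low is bad, hence reverse=True.
    print(evaluate([500e6, 150e6, 80e6], warning=200e6, failure=100e6, reverse=True))
```

With the constructed data the load of 2.10 on two CPUs is 1.05 per CPU, i.e. just saturated rather than double-loaded, and cpu0 spent 60% of the interval in user code and 10% waiting for I/O. The threshold series shows the difference the persistent option makes: without it a metric that stays above warning for several samples produces a single event.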

7.3 Events and alerts

The events module is a convenient service that allows you to receive notifications of certain events
and alerts that happen in your eBox machine.

eBox allows you to receive these alerts and events through the following dispatchers:

• Mail [4]

• Jabber

• Logs

• RSS

Before enabling any event watcher, make sure that the events module is enabled: go to Module status and check the events module.

Unlike the Logs module, where every service is enabled by default except the firewall, you have to enable each event you are interested in.

To enable any events, you have to click on the menu entry Events → Configure Events. You can
edit an event state by clicking on the pencil icon. Tick the Enabled box and click on the Change button.

There are some events that need further configuration to work properly. This is the case for the
log and free storage space observers.

The configuration of the free storage watcher is straightforward. The only required parameter is the free space percentage; the event is triggered when the actual free space goes under it.

[4] The mail module needs to be installed and configured (see Electronic Mail Service (SMTP/POP3-IMAP4)).


Figure 7.5: Configure events page

For the log watcher, the first step is to select the domains you want to generate events from. For every domain you can add filtering rules that depend on the domain; some examples are denied HTTP requests by the proxy, DHCP leases for a given IP, or canceled printer jobs. You can also create an event filter from an existing log query by clicking on the Save as an event button in Logs → Query Logs → Full Report.

So far you know how to enable the generation of events and alerts. However, you also need these events and alerts to be delivered to you. That is what event dispatchers are for. Go to the Configure dispatchers tab.

Enabling a dispatcher works like enabling a watcher. Every dispatcher except the log dispatcher requires further configuration; the log dispatcher simply writes its output to /var/log/ebox/ebox.log.

Mail: You have to set the email address of the recipient (usually the eBox administrator). You can also
set the subject of the messages.

Jabber: You have to set the Jabber server address and port that will be used to send the messages.
You also have to set the username and password of the user that will send the messages.
Finally, you have to set the Jabber address of the recipient.


Figure 7.6: Configure Log Observer page

Figure 7.7: Configure dispatchers page


RSS: You have to decide who will be able to read the RSS feed, and the feed link itself. You can make
the channel public, private, or authorized by a source IP address-based policy. Note that you
can also use objects instead of IP addresses.

7.3.1 Practical Example

Configure the events module to make it write the message “eBox is up and running” to /var/log/ebox/ebox.log. This message is generated periodically and every time the events module is restarted.

1. Action: Access the eBox web interface, go to Module Status and enable events.

Effect: The Save Changes button has turned red.

2. Action: Go to Events and click on the tab labeled Configure Events. Click on the pencil icon placed in the Status column. Check the Enabled field and click on Change.

Effect: The events table shows the event as enabled.

3. Action: Go to the tab labeled Configure dispatchers. Click on the pencil icon of the row that
contains the Log event. Enable it and click on Change.

Effect: The event dispatcher table shows the log dispatcher as enabled.

4. Action: Save changes.

Effect: eBox shows the progress of the saving changes process until it displays a message to
let you know it is done.

An event with the message ‘eBox is up and running’ will be written in /var/log/ebox/ebox.log.

5. Action: From the console on the eBox machine run: sudo /etc/init.d/ebox events restart.

Effect: An event with the message ‘eBox is up and running’ will be written again in
/var/log/ebox/ebox.log.


7.4 Backup

7.4.1 The backup system design

Data loss is an accident that you have to be prepared to deal with. Hardware failures, software bugs or human mistakes can cause an irreparable loss of important data.

It is essential to design a well-tested procedure to make, check and restore backups, taking into consideration both configuration-only and full backups.

One of the first decisions is whether to make full backups, which are an exact copy of the data, or incremental backups, which store only what changed since the previous backup (full or incremental). Incremental backups use less space, but restoring one requires the last full copy plus every incremental taken after it. The usual choice is frequent incremental backups plus periodic full copies, but this depends on your needs and available storage.

Another important choice is whether to store the backups on the same host or on a remote host. A remote host gives more security because the copy lives on a different server: a hardware failure, software bug, human mistake or security compromise of the backed-up machine should not affect the integrity of the remote backup. To minimise risks, the remote backup server should be dedicated to this purpose and should trust the backed-up machine as little as possible. Two non-dedicated servers backing up each other is a bad idea: a compromise of one of them leads to a compromise of the other, leaving you without a safe copy.

7.4.2 Backup configuration with eBox

First of all, you need to decide whether to store your backups locally or remotely. In the latter case you also need to specify the protocol used to connect to the remote server.

Method: The currently supported methods are eBox Backup Storage (EU), eBox Backup Storage (US Denver), eBox Backup Storage (US West Coast), FTP, SCP and File System. Depending on the method you select you will have to provide more or less information, such as the remote host address or a user and password. All methods except File System access a remote server, so you have to provide valid credentials to connect to it. You may create an account in our store [5] for the eBox Backup Storage methods and use this service as a quick and safe remote location for your data. With any of the eBox Backup Storage methods you do not need to enter the remote server address, as eBox configures it automatically. If you select FTP or SCP you need to provide the remote server address. Note that FTP sends both the credentials and the data in clear text, so use it only over a network you trust, or encrypt the backup (see Encryption below).

[5] eBox Technologies store at https://store.ebox-technologies.com


Figure 7.8: Select Configuration

Warning: If you use SCP, you need to run sudo ssh user@server once and accept the remote server's fingerprint so that it is added to the list of SSH known hosts; otherwise the backup software will fail to connect to the server. Do not accept the fingerprint blindly: compare it with the one shown on the backup server itself (ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub there), since a wrong key accepted here means every backup would be handed to whoever holds that key.
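The fingerprint check behind the warning above, as an added example (not eBox code): these helpers compute the fingerprint of a known_hosts entry so it can be compared against the value obtained out of band from the backup server's console, in both the legacy MD5 form used by the OpenSSH of eBox 1.4's era and the SHA256 form used by current OpenSSH. The known_hosts line is constructed and its key blob is not a real key:

```python
"""Checking an SSH host key fingerprint before trusting the backup server.

Added example, not eBox code. Computes the fingerprint of a known_hosts entry
so it can be compared against the one read on the server itself (for example
with ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub on its console).
"""
import base64
import hashlib

# Constructed stand-in for the base64 public key blob of an ssh-rsa host key.
FAKE_KEY_BYTES = b"constructed bytes standing in for a real host public key"
SAMPLE_KNOWN_HOSTS_LINE = (
    "192.168.122.1 ssh-rsa " + base64.b64encode(FAKE_KEY_BYTES).decode("ascii")
    + " backup server"
)


def parse_known_hosts_line(line):
    """Return (hosts, key type, raw key bytes) from one known_hosts line.

    Format: "host[,host...] key-type base64-blob [comment]". Hashed entries
    ("|1|salt|hash key-type blob") have the same shape; only the blob matters
    for the fingerprint.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("not a key line")
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    hosts, key_type, blob = fields[0], fields[1], fields[2]
    return hosts.split(","), key_type, base64.b64decode(blob)


def fingerprint_md5(key_bytes):
    """Legacy OpenSSH format (before 6.8, e.g. Ubuntu 8.04): 16 colon-separated hex bytes."""
    digest = hashlib.md5(key_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(key_bytes):
    """Current OpenSSH format: SHA256:<base64 digest without '=' padding>."""
    digest = hashlib.sha256(key_bytes).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprints_for_line(line):
    """Both fingerprint forms for a known_hosts entry, plus the hosts it covers."""
    hosts, key_type, key = parse_known_hosts_line(line)
    return {"hosts": hosts, "type": key_type,
            "md5": fingerprint_md5(key), "sha256": fingerprint_sha256(key)}


def matches_expected(line, expected):
    """True when the entry's key has the fingerprint you read on the server, in either form."""
    fp = fingerprints_for_line(line)
    return expected.strip() in (fp["md5"], fp["sha256"])


if __name__ == "__main__":
    info = fingerprints_for_line(SAMPLE_KNOWN_HOSTS_LINE)
    print(info["hosts"], info["type"])
    print("MD5   ", info["md5"])
    print("SHA256", info["sha256"])
```

Run it against the line that sudo ssh user@server appended to /root/.ssh/known_hosts (the backup runs as root, so that is the file duplicity reads) and pass matches_expected the fingerprint written down at the server's console. If it returns False, remove the entry with ssh-keygen -R <host> and investigate before running any backup.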

Host or Destination: For FTP and SCP you need to provide the host name or IP address of the remote host to connect to. In case of using File System, enter a local file system path. If you use an eBox Backup Storage method, only the relative path is required.

User: User name to authenticate in the remote host.

Password: Password to authenticate in the remote host.

Encryption: You may encrypt your backup data with a symmetric key by entering a passphrase here, or select an already created GPG key for asymmetric encryption. Encrypt whenever the backups leave the machine: an unencrypted copy on a remote server is readable by whoever controls that server. Keep the passphrase or the private key somewhere other than the backed-up machine; without it the backup cannot be restored.

Full Backup Frequency: This is used to tell the module how often a full backup is carried out. Values
are: Daily, Weekly, Monthly.

Number of full copies to keep: This value limits the number of full copies that are stored. It is an important value and you should understand what it actually means. It is related to the Full Backup Frequency: if you set the frequency to Weekly and the number of full copies to 2, your oldest backup copy will be at most two weeks old; likewise, with Monthly and 4, at most four months old. Once the limit is exceeded, the oldest full copy is deleted together with the incremental copies that depend on it. Set this value according to how long you wish to keep backups and how much disk space you have.


Incremental Backup Frequency: This value is also related to Number of full copies to keep. A normal setting takes incremental copies between full copies, so incremental copies should be made more often than full copies: if you make weekly full copies, set incremental copies to daily; setting both to the same frequency makes no sense. An example:

Full Backup Frequency is set to weekly, Number of full copies to keep to 4 and Incremental Backup Frequency to daily. You will end up with 4 weekly full backups and, between two consecutive full backups, daily incremental backups. That is roughly a month's worth of backed up data, and you can restore the state of any arbitrary day within it.

Backup process starts at: This field is used to set the time at when the backup process starts. It is
a good idea to set it to times when nobody is in the office as it can consume a lot of upload
bandwidth.
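How the three frequency settings above combine into the days you can actually restore, as an added example (not eBox code). eBox 1.4 drives duplicity, which keeps backups as chains: a full copy plus the incrementals taken after it, up to the next full copy; dropping the oldest full copy drops its incrementals too. The calendar is constructed, with the frequencies expressed in days:

```python
"""What 'Number of full copies to keep' does to your restore points.

Added example, not eBox code. Simulates duplicity-style backup chains over a
constructed calendar of days for a given combination of full frequency,
incremental frequency and number of full copies to keep.
"""
FREQUENCY_DAYS = {"daily": 1, "weekly": 7, "monthly": 30}


def simulate(days_elapsed, full_frequency, incremental_frequency, full_copies_to_keep):
    """Backups still stored after `days_elapsed` days, as a list of (day, kind).

    Day 0 is the first backup and is always a full copy. A full copy is taken
    every `full_frequency` days and incrementals every `incremental_frequency`
    days in between. After each new full copy, the oldest chains are removed
    until only `full_copies_to_keep` full copies remain.
    """
    full_every = FREQUENCY_DAYS[full_frequency]
    inc_every = FREQUENCY_DAYS[incremental_frequency]
    if inc_every >= full_every:
        raise ValueError("incremental copies must be more frequent than full copies")
    if full_copies_to_keep < 1:
        raise ValueError("at least one full copy must be kept")
    chains = []  # each chain: [(day, "full"), (day, "inc"), ...]
    for day in range(days_elapsed + 1):
        if day % full_every == 0:
            chains.append([(day, "full")])
            del chains[:-full_copies_to_keep]  # prune the oldest chains
        elif day % inc_every == 0:
            chains[-1].append((day, "inc"))
    return [backup for chain in chains for backup in chain]


def restore_points(backups):
    """Days whose state can still be restored."""
    return [day for day, _ in backups]


def oldest_restore_age(days_elapsed, backups):
    """Age in days of the oldest copy still available."""
    return days_elapsed - min(restore_points(backups))


def needed_to_restore(backups, day):
    """Copies duplicity has to read to restore `day`: the chain's full copy and
    every incremental up to and including that day."""
    fulls = [d for d, kind in backups if kind == "full" and d <= day]
    if not fulls or day not in restore_points(backups):
        raise ValueError("no stored copy covers day %d" % day)
    return [d for d, _ in backups if fulls[-1] <= d <= day]


if __name__ == "__main__":
    # The configuration used as an example in the text: weekly fulls, keep 4, daily incrementals.
    for elapsed in (27, 28):
        stored = simulate(elapsed, "weekly", "daily", 4)
        print("day %d: %d restore points, oldest is %d days old"
              % (elapsed, len(stored), oldest_restore_age(elapsed, stored)))
    print("to restore day 10:", needed_to_restore(simulate(28, "weekly", "daily", 4), 10))
```

The simulation makes the "at most" in the field descriptions concrete: with weekly full copies and 4 kept, the oldest restorable day is 27 days old just before the fifth full copy is taken and 21 days old just after it, because the whole oldest week disappears at once. Restoring any day costs the chain's full copy plus every incremental up to that day, so a chain of daily incrementals between monthly fulls is cheap to store but slow to restore late in the month.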

Configuring what directories and files are backed up

The default configuration backs up the whole file system, so in the event of a disaster you can restore the machine completely. Do not change this configuration unless the space on your remote server is very limited. A full backup of an eBox machine with all its modules takes around 300 MB.

Figure 7.9: Include and exclude list

The default list of excluded directories is: /mnt, /dev, /media, /sys, and /proc. It is usually a bad
idea to include those directories, and in some cases, the backup process will fail.


The default list of included directories is: /.

You can also exclude files by extension using shell wildcards. For example, to skip AVI files from the backup, select Exclude regexp and add *.avi.

Checking backup status

You can check the status of your backup under the section Remote Backup Status. In that table, you
will see the type of backup, full or incremental, and the date when it was taken.

Figure 7.10: Backup status

How to start a backup process manually

The backup process starts automatically at the configured time. However, if you need to start a backup process manually, you can run:

# /usr/share/ebox-ebackup/ebox-remote-ebackup --full

Or, to start an incremental backup:

# /usr/share/ebox-ebackup/ebox-remote-ebackup --incremental


Restoring files

There are two ways of restoring a file, depending on the size and type of the file or directory that you need to restore.

It is possible to restore files directly from the eBox interface. In the section Backup → Restore Files you have access to the list of all the remote files and directories, and to the dates that can be restored. Use this method for small data files: if they are too big the restore will take too long, and you will not be able to use the web interface during the operation. Be very careful with the type of file you are restoring. It is usually safe to restore data files that are not in use by an application at the moment of restoring, such as the shared files under /home/samba/. It is very dangerous, however, to restore system directories such as /lib, /var or /usr while the system is running. Do not do that unless you know what you are doing.

Figure 7.11: Restore file

Big files and system directories must be restored manually. Depending on the use of the file you can restore it safely while the system is running; for system directories, however, you have to use a rescue CD and proceed as explained later.

In any case, you must know how the underlying software works. eBox uses duplicity, and restoring a file or directory with it is very simple. Run the following command:

duplicity restore -t 3D --file-to-restore <file or dir to restore> <remote url and args> <local destination>

The flag -t selects the backup date to restore. In this case, 3D means restoring the copy as it was three days ago; with now you restore the latest available copy. Note that the path given to --file-to-restore is relative to the backup root, so it has no leading slash.

You can find the <remote url and args> in the note at the top of the Restore Files section of the eBox interface.

Figure 7.12: Remote url and arguments

For example, if you need to recover the file /home/samba/users/john/balance.odc you would run
the following command:

# duplicity restore --file-to-restore home/samba/users/john/balance.odc \
    scp://backupuser@192.168.122.1 --ssh-askpass --no-encryption /tmp/balance.odc

The above command restores the file to /tmp/balance.odc. If you need to overwrite an existing file or directory during a restore, you have to add the --force flag; otherwise duplicity refuses to overwrite.

7.4.3 How to recover on a disaster

Knowing the procedure and having the abilities and experience to successfully restore a backup in a
critical situation is as important as making backups. You should be able to restore services as soon as
possible when a disaster interrupts the systems.

To recover from a total disaster, you would have to boot the system using rescue CD-ROM that
includes the backup software duplicity. We will be using grml.


Download the grml image and boot the machine with it. You can use the parameter nofb if you
have issues with your screen size.

Figure 7.13: Boot grml

Once the boot process has finished you can start a shell by pressing return.

If your network is not properly configured, you can run the command netcardconfig to configure it.

Now you need to mount the hard disk where files will be restored. In this case, we suppose we
have our root partition in /dev/sda1. So we need to run:

# mount /dev/sda1 /mnt

The above command will mount the partition under the /mnt directory. During this example, we
make a full restore. And to do that we remove all existing directories in the partition. Of course, you
could just remove and restore one directory if you need to do so.

Figure 7.14: Start a shell

To remove the existing files and proceed with the full restore, run:

# rm -rf /mnt/*

We need to install duplicity if it’s not already installed with:

# apt-get update
# apt-get install duplicity

Before restoring a full backup we need to restore /etc/passwd and /etc/group. Otherwise we can end up with wrong file owners: duplicity stores the user and group names of each file rather than their numeric values, and on restore it maps the names back through the passwd and group databases of the running system. If the rescue system assigns a different UID or GID to a name, or a backed-up user does not exist on it at all, files end up owned by the wrong account. To avoid this we simply overwrite /etc/passwd and /etc/group on the rescue system first. Run:

# duplicity restore --file-to-restore etc/passwd \
    scp://backupuser@192.168.122.1 /etc/passwd --ssh-askpass --no-encryption --force

# duplicity restore --file-to-restore etc/group \
    scp://backupuser@192.168.122.1 /etc/group --ssh-askpass --no-encryption --force

Warning: If you use SCP, you need to run sudo ssh user@server first to add the remote server to the list of SSH known hosts, checking the fingerprint against the one shown on the backup server before accepting it. If you don't do this, duplicity will fail to connect.


Now we are ready to proceed with the full restore, running duplicity manually. /mnt/ already exists (it is the mount point), so --force is needed for duplicity to write into it:

# duplicity restore scp://backupuser@192.168.122.1 /mnt/ --ssh-askpass --no-encryption --force

Now create the directories that were excluded from the backup and clean up the temporary directories:

# mkdir -p /mnt/dev /mnt/sys /mnt/proc /mnt/mnt /mnt/media
# rm -fr /mnt/var/run/*
# rm -fr /mnt/var/lock/*

The restore process has finished and you can reboot now.
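The ownership problem behind the passwd/group step in the procedure above, as an added example (not eBox code). duplicity maps the stored owner and group names back through the passwd and group databases of the system doing the restore, here the rescue CD; a name bound to a different numeric id there, or missing altogether, gives the restored files the wrong owner. These helpers compare a backed-up passwd (or group) file with the rescue system's and list what would go wrong. Both files are constructed for the example:

```python
"""Checking that restored file owners will map to the right accounts.

Added example, not eBox code. Compares a backed-up passwd (or group) file with
the one on the rescue system and reports the names that resolve to different
numeric ids, the names the rescue system lacks, and the ids that would change
hands. Both files are constructed.
"""

# Constructed /etc/passwd of the rescue system (a live CD user, a daemon account).
RESCUE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
ntp:x:105:111::/home/ntp:/bin/false
grml:x:1000:1000:grml live user:/home/grml:/bin/zsh
"""

# Constructed /etc/passwd as it would be restored from the backup of the eBox machine.
BACKUP_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
openldap:x:105:109:OpenLDAP Server Account:/var/lib/ldap:/bin/false
ntp:x:106:112::/home/ntp:/bin/false
ebox:x:1000:1000:eBox Platform:/var/lib/ebox:/bin/false
john:x:2001:1901:John,,,:/home/samba/users/john:/bin/false
"""


def parse_db(text):
    """Parse passwd(5) or group(5) text into {name: numeric id}; field 3 is the id in both."""
    ids = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError("malformed line: %r" % line)
        ids[fields[0]] = int(fields[2])
    return ids


def compare(backup_text, rescue_text):
    """Return (mismatched, missing).

    mismatched: {name: (id in backup, id on rescue system)} for names that
    exist on both sides with different ids.
    missing: names from the backup the rescue system does not know at all.
    """
    backup, rescue = parse_db(backup_text), parse_db(rescue_text)
    mismatched = {name: (backup[name], rescue[name])
                  for name in backup if name in rescue and backup[name] != rescue[name]}
    missing = sorted(name for name in backup if name not in rescue)
    return mismatched, missing


def id_collisions(backup_text, rescue_text):
    """{id: (name in backup, name on rescue system)} where one numeric id
    belongs to different accounts on the two sides: a restore that falls back
    to the numeric id would hand those files to another local account."""
    backup, rescue = parse_db(backup_text), parse_db(rescue_text)
    by_id_backup = {uid: name for name, uid in backup.items()}
    by_id_rescue = {uid: name for name, uid in rescue.items()}
    return {uid: (by_id_backup[uid], by_id_rescue[uid])
            for uid in sorted(by_id_backup)
            if uid in by_id_rescue and by_id_backup[uid] != by_id_rescue[uid]}


def safe_to_restore(backup_text, rescue_text):
    """True only when every backed-up name resolves to the same id on the rescue system."""
    mismatched, missing = compare(backup_text, rescue_text)
    return not mismatched and not missing


if __name__ == "__main__":
    print("before restoring /etc/passwd:", compare(BACKUP_PASSWD, RESCUE_PASSWD))
    print("ids that would change hands:", id_collisions(BACKUP_PASSWD, RESCUE_PASSWD))
    print("safe?", safe_to_restore(BACKUP_PASSWD, RESCUE_PASSWD))
    # After restoring etc/passwd with duplicity the rescue system's file equals
    # the backup's, and the check passes.
    print("safe after restoring passwd?", safe_to_restore(BACKUP_PASSWD, BACKUP_PASSWD))
```

In the constructed case the rescue CD's live user holds uid 1000, the id of the ebox account in the backup, so files of the eBox service would come back owned by the live user if the passwd file were not restored first; the same happens between openldap and ntp at uid 105. Run the comparison against the real files (the restored etc/passwd and the rescue system's /etc/passwd) before the full restore, and repeat it with the group files.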

7.4.4 Configuration backups

In addition, eBox Platform has another way to make configuration backups and restore them from the interface itself. This method backs up the configuration of all modules that have been enabled at some point, as well as the LDAP users and any other additional files required by each of these modules.

The backup can also include the data stored by these modules (home directories, voicemail, etc.), but from 1.2 onwards this option is deprecated in favour of the method explained above, which handles large data sets much better.

To make these backups, you should go, as usual, to System → Backup. You will not be able to
make a new backup if you have modified the configuration and you have not saved changes as you
can see in the following image.


Once introduced the name for the backup, select the backup type (configuration or full) and click
Backup. A screen will appear showing the progress through the modules until it finishes with Backup
successfully finished.

After this, if you go back you will see a Backup list. Through this list you will be able to restore,
download to your local disk or delete any of the stored backup copies. Some information like backup
type, date and size will be shown as well.

On Restore backup from file you can upload a backup file that you have in your local disk, for
example, from a previous eBox Platform deployment on a different server, and restore it using Restore.

A confirmation will be requested on restore. You should be careful because all the current configu-
ration will be replaced. This action is similar to the backup, a screen will appear, showing the progress
and notifying whether the operation was successful or an error occurred.

Command line tools for configuration backups

Two command line tools are provided to export and import the configuration from the console. They are available in /usr/share/ebox: ebox-make-backup and ebox-restore-backup.

ebox-make-backup makes configuration backups. Among its options you can select the backup type. One of them is bug-report, which helps developers debug problems by including extra information in the backup; passwords are replaced in order to preserve the users' privacy. This backup type cannot be made through the web interface. You can see all the options with the --help parameter.


ebox-restore-backup restores configuration backups. It also provides an option to extract information from the backup file. Another interesting feature is the possibility of partial restores, restoring only some specific modules. This is very useful when restoring a module from an old version or after a module restore has failed. Be careful with the interdependencies between modules: for example, if you restore a firewall module backup that uses objects and services, you have to restore those first. You still have the option to force the script to ignore the dependencies, which you can use if really required.

To see all the options of this program use the --help parameter.

7.5 Software Updates

Like any other software system, eBox Platform requires periodic updates, either to add new features
or to fix defects or system failures.

eBox distributes its software as packages and uses Ubuntu's standard tool, APT [6]. In order to ease this task, eBox provides a web interface that simplifies the process.

The web interface allows checking for new available versions of eBox components and installing
them in a simple way. It also allows you to update the software supporting eBox, mainly to correct
potential security flaws.

7.5.1 Management of eBox components

The management of eBox components allows you to install, update and remove eBox modules.

The component manager is a module and, like any other eBox module, must be enabled before being used. To manage eBox components go to Software Management → eBox components.

[6] Advanced Packaging Tool (APT) is a system for the management of software packages created by the Debian Project that greatly simplifies the installation and removal of programs on the GNU/Linux operating system. http://wiki.debian.org/Apt


A list of all eBox components is shown there, together with the installed version and the latest
available version. Components that are not installed or up to date, can be installed or updated by
clicking on the respective icon in the Actions column. There is a button called Update all packages to
update all those packages with a new version available.

It is also possible to uninstall components by clicking on the respective icon for this action. Be-
fore proceeding to uninstall, a dialogue will be displayed with the list of the software packages to be
removed. This step is necessary because it might be about to eliminate a component that is used by
others, which would be also removed.

Some components are basic and cannot be uninstalled, as that would uninstall eBox Platform
completely.

7.5.2 System Updates

System updates performs the updates of the programs used by eBox. In order to carry out their function, the eBox component packages depend on a number of system programs; these are declared as dependencies, so that installing eBox also installs them. Similarly, those programs may have dependencies of their own.

Usually an update of a dependency is not important enough to release a new eBox package with new dependencies, but it may be worth installing to get its improvements or its patches for security flaws.

To see updates of the system you must go to Software Management → System Updates. You
should see if your system is already updated or, otherwise, a list of packages that can be upgraded.


If you install packages on the machine without using the web interface, this data may be outdated.
Therefore, every night a process is executed to search for available updates for the system. Such a
search can be forced by running:

$ sudo ebox-software

For each update, you can determine whether it is a security update using the information icon.
If it is a security update the details about the security flaw included in the package changelog will be
displayed by clicking on the icon.

If you want to perform an update you should select the packages on which to perform the action
and press the appropriate button. As a shortcut, you can use the button Update all packages. Status
messages will be displayed during the update operation.

7.5.3 Automatic Updates

Automatic updates allow eBox Platform to install any available updates by itself. This operation is performed daily at midnight.

This feature can be activated at Software Management → Automatic Updates.

Weigh this against control: updates installed unattended are not reviewed, so an update that breaks a service, or a failed update, can go unnoticed. Administrators who want tighter control over updates should apply them manually and check the result, while making sure that security updates are not postponed for long.

7.6 Control Center Client

eBox Control Center is a fault-tolerant solution that allows centralized real-time monitoring and administration of multiple eBox Platform installations. It includes features such as remote, centralized and secure administration of groups of eBox installations, automatic remote configuration backup, network monitoring and customized reports [7].

Here we describe the client side configuration with eBox.

[7] http://www.ebox-technologies.com/products/controlcenter/


7.6.1 Subscribing eBox to the Control Center

In order to subscribe eBox to the Control Center you must have the ebox-remoteservices package installed; it is installed by default if you used the eBox installer. An Internet connection is also required. Once everything is ready, go to Control Center and fill in the following fields:

User Name or Email Address: You must set the user name or the email address you use to sign in
the Control Center Web site.

Password: The same pass phrase you use to sign in the Control Center Web site.

eBox Name: The unique name for your eBox within the Control Center. This name is displayed in the control panel and it must be a valid domain name. Each eBox should have a different name: if two eBoxes use the same name for connecting to the Control Center, only one of them will be connected.

Figure 7.16: Subscribing eBox to the Control Center

After entering the data, the subscription takes about a minute. Be sure to save changes after subscribing. This process sets up a VPN connection to the Control Center, and therefore enables the vpn module [8].

Figure 7.17: After subscribing eBox to the Control Center

If the connection with eBox Control Center is working, a widget is shown in the dashboard indicating that the connection was established correctly.

[8] For more information about the VPN module, go to the Virtual Private Network (VPN) section.


Figure 7.18: Connection widget to the Control Center

7.6.2 Configuration backup to the Control Center

One of the features of the Control Center is the automatic configuration backup [9], which is stored in eBox Control Center. This backup is made daily whenever the eBox configuration has changed. Go to System → Backup → Remote Backup to check the configuration backups that have been made. You may also perform a manual configuration backup if you want to be sure that the current configuration is backed up in eBox Control Center.

Figure 7.19: Remote configuration backup

You may restore, delete or download that configuration backup from the Control Center. Addition-
ally, to improve the disaster recovery, you may restore or download the configuration backup from other
subscribed eBoxes using your name/email address and password pair. To do so, go to the System →
Backup → Remote Backup from Other Subscribed Hosts tab.

[9] The configuration backup in eBox is explained in the Configuration backups section.


Figure 7.20: Remote configuration backup from other subscribed hosts
