eBox 1.

4 for Network Administrators




eBox 1.4 for Network Administrators

This document is distributed under Creative Commons Attribution-Share Alike license version 2.5 ( http://creativecommons.org/licenses/by-sa/2.5/ )

This document uses images from “Tango Desktop Project” also distributed under Creative Commons Attribution-Share Alike license version 2.5.



1 eBox Platform: unified server for SMEs 1.1 1.2 1.3 Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.1 1.3.1 1.3.2 1.3.3 1.4 1.5 eBox Platform installer . . . . . . . . . . . . . . . . . . . . . . . . . . . Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Applying configuration changes . . . . . . . . . . . . . . . . . . . . . . . Modules status configuration . . . . . . . . . . . . . . . . . . . . . . . . Administration web interface . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1 1 4 5 12 13 16 18 18 20 20 21 24 31 31 32 37 38 39 43 43 46 47 47 49 50 53

How does eBox Platform work? . . . . . . . . . . . . . . . . . . . . . . . . . . . Location within the network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.5.1 1.5.2 1.5.3 Local network configuration . . . . . . . . . . . . . . . . . . . . . . . . . Network configuration with eBox Platform . . . . . . . . . . . . . . . . . . Network diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2 eBox Infrastructure 2.1 2.2 Network configuration service (DHCP) . . . . . . . . . . . . . . . . . . . . . . . 2.1.1 2.2.1 2.2.2 2.3 2.3.1 2.3.2 2.3.3 2.3.4 2.4 2.4.1 DHCP server configuration with eBox . . . . . . . . . . . . . . . . . . . . DNS cache server configuration with eBox . . . . . . . . . . . . . . . . . Name resolution service (DNS) . . . . . . . . . . . . . . . . . . . . . . . . . . . DNS server configuration with eBox . . . . . . . . . . . . . . . . . . . . . Hyper Text Transfer Protocol . . . . . . . . . . . . . . . . . . . . . . . . The Apache Web server . . . . . . . . . . . . . . . . . . . . . . . . . . Virtual domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HTTP server configuration with eBox . . . . . . . . . . . . . . . . . . . . NTP server configuration with eBox . . . . . . . . . . . . . . . . . . . . .

Web data publication service (HTTP) . . . . . . . . . . . . . . . . . . . . . . . .

Time synchronization service (NTP)

3 eBox Gateway



High-level eBox network abstractions . . . . . . . . . . . . . . . . . . . . . . . . 3.1.1 3.1.2 Network objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The firewall in GNU/Linux: Netfilter . . . . . . . . . . . . . . . . . . . . . eBox security model . . . . . . . . . . . . . . . . . . . . . . . . . . . . Routing tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Multigateway rules and load balancing WAN Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

53 53 55 58 58 58 63 63 69 71 73 73 74 76 77 78 79 80 81 82 82 89 89 90 97 97 98 98 98 101 104 106 107 110 111 117 117


Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2.1 3.2.2


Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3.1 3.3.2 3.3.3


Traffic shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.4.1 3.4.2 Quality of Service (QoS) . . . . . . . . . . . . . . . . . . . . . . . . . . QoS configuration in eBox . . . . . . . . . . . . . . . . . . . . . . . . .


RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.5.1 3.5.2 RADIUS server configuration with eBox . . . . . . . . . . . . . . . . . . . Access Point (AP) configuration . . . . . . . . . . . . . . . . . . . . . . . Access policy configuration . . . . . . . . . . . . . . . . . . . . . . . . . Client connection to the proxy and transparent mode Web content filter . . . . . . . . . . . . Cache parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .


HTTP Proxy Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.6.1 3.6.2 3.6.3 3.6.4

4 eBox Office 4.1 4.2 Directory service (LDAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.1.1 4.2.1 4.2.2 4.2.3 4.2.4 4.2.5 4.2.6 4.2.7 4.3 4.4 Users and groups File sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . File sharing service and remote authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SMB/CIFS and its Linux Samba implementation . . . . . . . . . . . . . . . Primary Domain Controller (PDC) . . . . . . . . . . . . . . . . . . . . . . eBox as file server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SMB/CIFS clients configuration . . . . . . . . . . . . . . . . . . . . . . . eBox as an authentication server . . . . . . . . . . . . . . . . . . . . . . PDC Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Printers sharing service Groupware Service 4.4.1

Groupware service settings with eBox . . . . . . . . . . . . . . . . . . . .

5 eBox Unified Communications 5.1 Electronic Mail Service (SMTP/POP3-IMAP4) . . . . . . . . . . . . . . . . . . . .


5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.2 5.3 5.2.1 5.3.1 5.3.2 5.3.3 5.3.4 5.4 5.4.1 5.4.2 5.4.3 5.4.4 5.4.5 5.4.6 5.4.7

How electronic mail works through the Internet

. . . . . . . . . . . . . . .

118 120 120 127 127 128 128 130 131 132 133 134 140 143 144 144 145 146 149 151 156 157 159 159 160 168 168 170 170 171 171 172 174 174 174 176 180

SMTP/POP3-IMAP4 server configuration with eBox . . . . . . . . . . . . . Receiving and relaying mail . . . . . . . . . . . . . . . . . . . . . . . . . SMTP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . POP3 parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IMAP parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ManageSieve client parameters . . . . . . . . . . . . . . . . . . . . . . . Configuring a webmail in eBox . . . . . . . . . . . . . . . . . . . . . . . Configuring a Jabber/XMPP server with eBox . . . . . . . . . . . . . . . . Setting up a Jabber client . . . . . . . . . . . . . . . . . . . . . . . . . . Setting up Jabber MUC (Multi User Chat) rooms . . . . . . . . . . . . . . . Practical example Protocols Codecs . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

WebMail service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Instant Messaging (IM) Service (Jabber/XMPP) . . . . . . . . . . . . . . . . . . .

Voice over IP service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Asterisk server configuration with eBox . . . . . . . . . . . . . . . . . . . Configuring a softphone to work with eBox . . . . . . . . . . . . . . . . . Using eBox VoIP features . . . . . . . . . . . . . . . . . . . . . . . . . . Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

6 eBox Unified Threat Manager 6.1 Mail Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1.1 6.1.2 6.1.3 6.2 6.2.1 6.2.2 6.2.3 6.2.4 6.3 6.3.1 6.3.2 6.3.3 6.3.4 Mail filter schema in eBox . . . . . . . . . . . . . . . . . . . . . . . . . . External connection control lists . . . . . . . . . . . . . . . . . . . . . . Transparent proxy for POP3 mailboxes . . . . . . . . . . . . . . . . . . . Filter profiles configuration . . . . . . . . . . . . . . . . . . . . . . . . . Filter profile per object . . . . . . . . . . . . . . . . . . . . . . . . . . . Group based filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . Group-based filtering for objects Virtual Private Network (VPN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

HTTP Proxy advanced configuration . . . . . . . . . . . . . . . . . . . . . . . .

Secure interconnection between local networks . . . . . . . . . . . . . . . . . . . Public Key Infrastructure (PKI) with a Certification Authority (CA) . . . . . . . Certification Authority configuration with eBox . . . . . . . . . . . . . . . . Configuring a VPN with eBox . . . . . . . . . . . . . . . . . . . . . . . .



Intrusion Detection System (IDS) . . . . . . . . . . . . . . . . . . . . . . . . . . 6.4.1 6.4.2 Setting up an IDS with eBox . . . . . . . . . . . . . . . . . . . . . . . . IDS Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

189 190 191 193 193 196 198 199 203 204 207 208 208 208 213 216 218 218 219 221 221 222 223

7 eBox Core 7.1 7.2 Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.1 7.2.1 7.2.2 7.3 7.4 7.3.1 Backup 7.4.1 7.4.2 7.4.3 7.4.4 7.5 7.5.1 7.5.2 7.5.3 7.6 7.6.1 7.6.2 Logs configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Practical Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The backup system design . . . . . . . . . . . . . . . . . . . . . . . . . Backup configuration with eBox . . . . . . . . . . . . . . . . . . . . . . . How to recover on a disaster . . . . . . . . . . . . . . . . . . . . . . . . Configuration backups . . . . . . . . . . . . . . . . . . . . . . . . . . . Management of eBox components . . . . . . . . . . . . . . . . . . . . . System Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Subscribing eBox to the Control Center . . . . . . . . . . . . . . . . . . . Configuration backup to the Control Center . . . . . . . . . . . . . . . . .

Events and alerts

Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Control Center Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .


Chapter 1 eBox Platform: unified server for SMEs


eBox Platform (<http://ebox-platform.com/>) is a unified network server that offers easy and efficient computer network management for small and medium enterprises (SMEs). eBox Platform can act as a Network Gateway, a Unified Threat Manager (UTM) 1 , an Office Server, an Infrastructure Manager, a Unified Communications Server or a combination of them. This manual is written for the 1.4 version of eBox Platform. All these functionalities are fully integrated and therefore automate most tasks, prevent manual errors and save time for system administrators. This wide range of network services is managed through an easy and intuitive web interface. As eBox Platform has a modular design, you can install in each server only the necessary modules and easily extend the functionality according to your needs. Besides, eBox Platform is released under a free software license (GPL) 2 . The main features are: • Unified and efficient management of the services: – Task automation. – Service integration. • Easy and intuitive interface.
UTM (Unified Threat Management): Term that groups a series of functionalities related to computer network security: firewall, intrusion detection, antivirus, etc. 2 GPL (GNU General Public License): Software license that allows free redistribution, adaptation, use and creation of derivative works with the same license.


eBox 1.4 for Network Administrators

• Extensible and adaptable to specific needs. • Hardware independent. • Open source software. The services currently offered are: • Network management: – Firewall and router * Traffic filtering * NAT and port redirection * Virtual local networks (VLAN 802.1Q) * Support for multiple gateways, load balancing and self-adaptation in case of loss of connectivity * Traffic shaping (with application-level filtering support) * Traffic monitoring * Dynamic DNS support – High-level network objects and services – Network infrastructure * DHCP server * DNS server * NTP server – Virtual private networks (VPN) * Dynamic auto-configuration of network paths – HTTP proxy * Cache * User authentication * Content filtering (with categorized lists) * Transparent antivirus



– Mail server * Spam filtering and antivirus * Transparent POP3 filter * White-, black- and grey-listing – Web server * Virtual domains – Intrusion Detection System (IDS) – Certification Authority • Groupware: – Shared directory using LDAP (Windows/Linux/Mac) * Shared authentication (including Windows PDC) – Shared storage as NAS (Network-attached storage) – Shared printers – Groupware server: calendars, address books, ... – VoIP server * Voicemail * Meetings * Calls through outside vendor – Instant messaging server (Jabber/XMPP) * Meetings – User corner to allow users to modify their data • Reports and monitoring – Dashboard to centralize the information – Disk, memory, load, temperature and host CPU monitoring – Software RAID status and information regarding the hard drive use


eBox 1.4 for Network Administrators

– Network service logs in databases, allowing you to have daily, weekly monthly and annual reports – Event-based system monitoring * Notification via Jabber, mail and RSS • Host management: – Configuration and data backup – Updates – Control Center to easily administer and monitor multiple eBox hosts from one central point


In principle, eBox Platform is designed to be installed exclusively on one (real or virtual) machine. This does not prevent you from installing other unmanaged services, but these must be manually configured. eBox Platform runs on GNU/Linux operating system with the Long Term Support (LTS) release of Ubuntu Server Edition distribution 4 . The installation can be done in two different ways: • Using the eBox Platform Installer (recommended). • Installing from an existing Ubuntu Server Edition installation. In the second case, you need to add the official eBox Platform repositories and to install the packages you are interested in. Nevertheless, the former one is easier since all the dependencies are in a single CD. Moreover, some pre-configuration is made during the installation process.



Figure 1.1: Installer language select

1.2.1 eBox Platform installer
The eBox Platform installer is based on the Ubuntu installer and therefore those who are already familiar with it will find the installation process very similar. You can install using the default mode which deletes all disk content and creates the partitions needed by eBox using LVM and asking less questions or using the expert mode which allows you to make your own partitioning. Most people should choose the default option unless they are installing on a server with special requirements, for instance software RAID. After installing the base system and rebooting, you can start installing eBox Platform. The first step will be create a user on the system. This user will be able to log on the system and will have sudo privileges. Then, you will be asked for a password for this user you just created. This password will be used to log on the eBox interface too. You have to enter this password twice. Now it is time to select which features you want to include on your system. There are two methods for this selection:
For additional information regarding the Control Center, please visit: http://www.eboxtechnologies.com/products/controlcenter/ the company behind eBox Platform development. 4 Ubuntu is a GNU/Linux distribution developed by Canonical and the community oriented to laptops, desktops and servers <http://www.ubuntu.com/>.


eBox 1.4 for Network Administrators

Figure 1.2: Installer menu

Figure 1.3: Administration user

Figure 1.4: Administration password



Figure 1.5: Confirm administration password

Figure 1.6: Package selection method


eBox 1.4 for Network Administrators

Simple: Depending on the task the server will be dedicated to, you can install a set of packages that provides several features. Advanced: You can select the packages individually. If a package has dependencies on other packages, these will be automatically selected later. If you select the simple installation method, you get a list of available profiles. As shown in the figure eBox tasks to install, the mentioned list matches the following paragraphs of this manual.

Figure 1.7: eBox tasks to install

eBox Gateway: eBox is the local network gateway that provides secure and controlled Internet access. eBox Unified Threat Manager: eBox protects the local network against external attacks, intrusions, internal security threats and enables secure interconnection between local networks via Internet or via other external networks. eBox Infrastructure: eBox manages the local network infrastructure including the following basic services: DHCP, DNS, NTP, HTTP server, etc. eBox Office: eBox is an office server that allows sharing the following resources through the local network: files, printers, calendars, contacts, authentication, users and groups profiles, etc. eBox Unified Communications: eBox becomes the unified communications server of your organization, including mail, instant messaging and voice over IP. You can select several profiles to make eBox play different roles in your network. However, if you select the advanced installation method, you get the complete list of eBox Platform modules and you can select individually the modules you are interested in.



Figure 1.8: eBox packages to install

Once you have completed the selection, the necessary additional packages will be installed. This selection is not final and you can install and remove packages according to your needs later. After you have selected the components to install, the installation process will begin and you will be shown a progress bar with the installation status. The installer will try to preconfigure some important configuration parameters. First will have to select the type of the server for the Users and Groups mode. If we just have one server choose standalone. If we are deploying a master-slave infrastructure or if we want to syncronize the users with a Microsoft Windows Active Directory, choose advanced. This step will appear only if usersandgroups module is installed. Also, it will ask if some of the network interfaces attached to the host are external (not within the local network, used to connect to the Internet or other external networks). Strict policies for all incoming traffic through external network interfaces will be applied. This step will appear only if network module was installed and the server has more than one network interface. After that, you will do the mail configuration, defining the default virtual domain. This step will appear only if mail is installed. Once you have answered these questions, every module you installed will be preconfigured and ready to be used via the web interface. Once the eBox Platform installation process is completed, you get graphical interface with a browser to authenticate in the eBox web interface using the password given in the first steps of the


eBox 1.4 for Network Administrators

Figure 1.9: Installing eBox packages

Figure 1.10: Type of the server



Figure 1.11: Select external interfaces

Figure 1.12: Mail configuration


eBox 1.4 for Network Administrators

Figure 1.13: Preconfiguring eBox packages


Figure 1.14: eBox administration web interface


Administration web interface
Once you have installed eBox Platform, you can access the administration web interface at the following URL: https://network_address/ebox/



Here network_address is the IP address or a host name that resolves to the address where eBox is running. Warning: To access the web interface you should use Mozilla Firefox as they are some known issues with another browsers such as Microsoft Internet Explorer. The first screen will ask for the administrator password:

After authentication you get the administration interface that is divided into three main sections: Left side menu: Contains links to all services, separated by categories, that can be configured using eBox. When you select a service, you might get a submenu to configure specific details of the selected service. Top menu: Contains actions to save the changes made to the content, make the changes effective and close the session. Main content: The main content is composed of one or several forms or tables with information about the service configuration and depends on the selection made in the left side menu and submenus. Sometimes you will get a tab bar at the top of the page: each tab represents a different subsection within the section you have accessed.

1.3.1 Dashboard
The dashboard is the initial screen of the web interface. It contains a number of configurable widgets. You can reorganize them at any moment simply by clicking and dragging the titles. By clicking on Configure Widgets the interface changes, allowing you to remove and add new widgets. To add a new widget, you search for it in the top menu and drag it to the main part of the page.


eBox 1.4 for Network Administrators

Figure 1.15: Main screen

Figure 1.16: Left side menu



Figure 1.17: Top menu

Figure 1.18: Web User Interface configuration forms

Figure 1.19: Dashboard


eBox 1.4 for Network Administrators

Figure 1.20: Dashboard configuration

Module status There is a very important widget within the dashboard which shows the status from all installed modules in eBox. The figure depicts the current status for a service and action to apply on it. The available status are the following: Running: The service daemons are running to accept connections from the network clients. You can restart the service using Restart. Running unmanaged: If you haven’t configured the service yet, it is possible to find it running with the default configuration from the distribution. Therefore it is not managed by eBox yet. Stopped: Some problem has happened since the service has to be running but it is stopped for some reason. In order to find it out, you should check the log files for the service or eBox log file itself as How does eBox Platform work? section describes. You may try to start the service by clicking on Start. Disabled: The service has been disabled explicitly by the system administrator as it is explained in Modules status configuration.

1.3.2 Applying configuration changes
An important detail to take into account is the method eBox uses to apply the configuration changes made through the interface. First of all, you have to accept changes in the current form, but, once this is done, to make these changes effective and apply them on a permanent basis, you must click on Save Changes from the top menu. This button will change to red if there are unsaved changes. Failure to follow this procedure will result in the loss of all changes you have made throughout the



Figure 1.21: Module status widget


eBox 1.4 for Network Administrators

session once you log out. There are some special cases when you don’t need to save the changes, but in these cases you will receive a notification.

Figure 1.22: Save changes

In addition to this, you can revert your changes. Hence if you have done something that you do not remember or you are unsure to do it, you can always discard them safely. Take into account, if you have made changes on the network interfaces configuration or the eBox Web administration port, then you may lose current connection to eBox, so you must rewrite the URL in the browser to reach administration interface again.

1.3.3 Modules status configuration
As it is discussed above, eBox is built up with modules. The majority of the modules are intended to manage network services that you must enable them through Module Status. Each module may have dependencies on others to work. For instance, DHCP service needs to have the network module enabled so that it can serve IP address leases through the configured network interfaces. Thus the dependencies are shown in Depends column. Enabling a module for the first time in eBox jargon is called configure the module. Configuration is done once per module. By clicking on Status checkbox, you enable the module. If it is the first time, a dialog is presented to accept to carry out a set of actions and file modifications that enabling the service implies 5 . After that, you may save changes to apply these modifications. Likewise, you may disable a module by unchecking the Status column for this module.


How does eBox Platform work?
eBox Platform is not just a simple web interface to manage the most common network services 6 . One of the main goals of eBox Platform is to unify a set of network services that otherwise would work independently.
5 6

You get longer support than on the normal version. With the LTS version you get 5 years of support on the server. This process is mandatory to comply the Debian Policy http://www.debian.org/doc/debian-policy/



Figure 1.23: Module status configuration

Figure 1.24: Confirm dialog to configure a module


eBox 1.4 for Network Administrators

All configuration of individual services is handled automatically by eBox. To do this eBox uses a template system. This automation prevents manual errors and saves administrators from having to know the details of each configuration file format. As eBox manages automatically these configuration files, you must not edit the original files as these will be overwritten as soon you save any configuration changes. Reports of events and possible errors of eBox are stored in the directory /var/log/ebox/ and are divided in the following files: /var/log/ebox/ebox.log: Errors related to eBox Platform. /var/log/ebox/error.log: Errors related to the web server. /var/log/ebox/access.log: Every access to the web server. If you want more information about an error that has occurred, you can enable the debugging mode by selecting the debug option in the /etc/ebox/99ebox.conf file. Once you have enabled this option, you should restart the web server of the interface by using sudo /etc/init.d/ebox apache restart.


Location within the network
1.5.1 Local network configuration
eBox Platform can be used in two different ways:



• Router and filter of the Internet connection. • Server of different network services. Both functionalities can be combined in a single host or divided among several hosts. The figure Different locations within the network displays the different locations eBox Platform server can take in the network, either as a link between networks or a server within the network.

Figure 1.25: Different locations within the network

Throughout this documentation you will find out how to configure eBox Platform as a router and gateway. You will also learn how to configure eBox Platform in the case it acts as just another server within the network.

1.5.2 Network configuration with eBox Platform
If you place a server within a network, you will most likely be assigned an IP address via DHCP protocol. Through Network → Interfaces you can access each network card detected by the system and you can select between a static configuration (address configured manually), dynamic configuration (address configured via DHCP) or a Trunk 802.1Q to create VLANs. If you configure a static interface, you can associate one or more Virtual Interfaces to this real interface to serve additional IP addresses. These can be used to serve different networks or the same network with different address. If you don’t have a router with PPPoE support, eBox can also manage PPPoE connections just selecting PPPoE as Method and entering the User name and Password given by your DSL provider.

To enable eBox to resolve domain names, you must indicate the address of one or several domain name servers in Network → DNS.


eBox 1.4 for Network Administrators

Figure 1.26: Network interface configuration

Figure 1.27: Static configuration of network interfaces

Figure 1.28: PPPoE configuration of network interfaces



Figure 1.29: Configuration of DNS servers

If your Internet connection has a dynamic IP address and you want to map a domain name to your eBox, a third party dynamic DNS provider is required. eBox supports the connection to some of the most popular dynamic DNS providers. To configure dynamic DNS on eBox go to Network

→ DynDNS and select your service provider

and set up the user name, password and the domain name you want to update when your public address changes. Check the box Enable Dynamic DNS and Save changes.

Figure 1.30: Dynamic DNS configuration

eBox makes a connection to the provider getting your public IP address bypassing any NAT between you and Internet. If you are using this feature on a multigateway scenario 7 , don’t forget to create
In order to understand the magnitude of the project, you can visit the independent site ohloh.net, where you can find an extensive analysis of the eBox Platform code base <http://www.ohloh.net/p/ebox/analyses/latest>.


eBox 1.4 for Network Administrators

a rule that makes the connections to your provider use always the same gateway.

1.5.3 Network diagnosis
To check if you have configured the network correctly, you can use the tools available in Network Diagnosis.

Figure 1.31: Network diagnosis tools

Ping is a tool that uses the ICMP network diagnosis protocol to observe whether a particular remote host is reachable by means of a simple “echo request”. Additionally you can use the traceroute tool that is used to determine the route taken by packages across different networks until reaching a given remote host. This tool allows to trace the route the packages follow in order to carry out more advanced diagnosis. Besides, you can use the dig tool, which is used to verify the correct functioning of the name service resolution.

Practical example A Let’s configure eBox so that it obtains the network configuration via DHCP. Therefore: 1. Action: Access the eBox interface, go to Network

→ Interfaces and, as network interface,

select eth0. Then choose the DHCP method. Click on Change. Effect: You have enabled the button Save Changes and the network interface maintains the entered data.



Figure 1.32: Ping tool


eBox 1.4 for Network Administrators

Figure 1.33: Traceroute tool



Figure 1.34: Dig tool


eBox 1.4 for Network Administrators

2. Action: Go to Module status and enable the Network module, in order to do this, check the box in the Status column. Effect: eBox asks for permission to overwrite some files. 3. Action: Read the changes that are going to be made in each modified file and grant eBox the permission to overwrite them. Effect: You have enabled the button Save Changes and you can enable some of the modules that depend on Network. 4. Action: Save the changes. Effect: eBox displays the progress while the changes are implemented. Once it has finished, you are notified. Now eBox manages the network configuration. 5. Action: Access Network → Diagnosis tools. Ping ebox-platform.com. Effect: As a result, you are shown three successful connection attempts to the Internet server. 6. Action: Access Network → Diagnosis tools. Ping the eBox of a fellow classmate. Effect: As a result, you are shown three successful connection attempts to the host. 7. Action: Access Network → Diagnosis tools. Run a traceroute to ebox-technologies.com. Effect: As a result, you are shown a route of all the intermediate routers a packet traverses until it reaches the destination host.

Practical example B For the rest of the exercises of the manual, it is a good practice to enable the logs. Therefore: 1. Action: Access the eBox interface, go to Module status and enable the Logs module. In order to do this, check the box in the Status column. Effect: eBox asks for permission to carry out a series of actions. 2. Action: Read the actions that are going to be made and accept them. Effect: You have enabled the button Save Changes.



3. Action: Save the changes. Effect: eBox displays the progress while the changes are implemented. Once it has finished, you are notified. Now eBox has enabled the logs. You can check them at Logs → Query logs in the section Logs.


eBox 1.4 for Network Administrators


Chapter 2 eBox Infrastructure

This section explains several of the services to manage and optimize internal traffic and the infrastructure of your local network, including domain management, automatic network configuration in network clients, publication of internal Web sites and time synchronization using the Internet. The configuration of these services requires great efforts, although they are easier to configure with eBox. The DHCP service is widely used to automatically configure different network parameters, such as the IP address of a host or the gateway to be used for Internet access. The DNS service provides access to services and hosts using names instead of IP addresses, which are more difficult to memorize. Many businesses use Web applications to which only internal access is available.


Network configuration service (DHCP)
As indicated, DHCP (Dynamic Host Configuration Protocol) is a protocol that enables a device to request and obtain an IP address from a server with a list of available addresses to assign. The DHCP service

is also used to obtain many other parameters, such as the default gateway,

the network mask, the IP addresses for the name servers or the search domain, among others. Hence, access to the network is made easier, without the need for manual configuration done by clients. When a DHCP client connects to the network, it sends a broadcast request and the DHCP server responds to valid requests with an IP address, the lease time granted for that IP and the parameters

eBox uses “ISC DHCP Software” (https://www.isc.org/software/dhcp) to configure the DHCP service.


eBox 1.4 for Network Administrators

explained above. The request usually happens during the client booting period and must be completed before going on with the remaining network services. There are two ways of assigning addresses: Manual: Assignment is based on a table containing physical address (MAC)/IP address mappings, entered manually by the administrator. Dynamic: The network administrator assigns a range of IP addresses for a request- and-grant process that uses the lease concept with a controlled period in which the granted IP remains valid. The server keeps a table with the previous assignments to try to reassign the same IP to a client in successive requests.

2.1.1 DHCP server configuration with eBox
To configure the DHCP service with eBox, at least one statically configured interface is required. Once this is available, go to the DHCP menu, where the DHCP server can be configured. As indicated above, some network parameters can be sent with the IP address. These parameters can be configured in the Common options tab. Default gateway: This is the gateway to be used by the client if it is unaware of another route to send the package to its destination. Its value can be eBox, a gateway already configured in the Network → Gateways section or a custom IP address. Search domain: In a network with hosts named in line with <host>.sub.domain.com, the search domain can be configured as “sub.domain.com”. Hence, when seeking to resolve an unsuccessful domain name, another attempt can be made by adding the search domain to the end of it or parts of it. For example, if smtp cannot be resolved as a domain, smtp.domain.com will be tried on the client host. The search domain can be entered or one configured in the DNS service can be selected. Primary name server: This is the DNS server 2 that the client will use when a name is to be resolved or an IP address needs to be translated into a name. Its value can be local eBox DNS (if the eBox DNS server is to be queried, take into account dns module must be enabled) or an IP address of another DNS server.

Go to Name resolution service (DNS) section for more details about this service.



Figure 2.1: Overview of DHCP service configuration


eBox 1.4 for Network Administrators

Secondary name server: DNS server that the client will use if the primary one is not available. Its value must be the IP address of a DNS server. NTP server: This is the NTP (Network Transport Protocol)

server that the client will use when it

wants to synchronize its clock using the network. Its value can be none, local eBox NTP (take into account ntp module must be enabled) or a custom NTP server. WINS server: This is the WINS (Windows Internet Name Service) 4 server the client will use to resolve NetBIOS names. Its value can be none, local eBox (take into account samba must be enabled) or a custom one. The common options display the ranges of addresses distributed by DHCP and the addresses assigned manually. For the DHCP service to be active, there must be at least one range of addresses to be distributed or one static assignment. If not, the DHCP server will not serve IP addresses even if the service is listening on all the network interfaces. The ranges of addresses and the static addresses available for assignment from a certain interface are determined by the static address assigned to that interface. Any free IP address from the corresponding subnet can be used in ranges or static assignments. Adding a range in the Ranges section is done by entering a name by which to identify the range and the values to be assigned within the range appearing above. Static assignments of IP addresses are possible to determined physical addresses in the Fixed Addresses section. An address assigned in this way cannot form part of any range. You may add an optional description for that assignment as well.

Figure 2.2: Appearance of the advanced configuration for DHCP
Check out Time synchronization service (NTP) section for details about the time synchronization service WINS is the implementation for NBNS (NetBIOS Name Service). For more information about it, check out File sharing service and remote authentication section.
4 3



The dynamic granting of addresses has a deadline before which renewal must be requested (configurable in the Advanced options tab) that varies from 1,800 seconds to 7,200 seconds. Static assignments do not expire and, therefore, are unlimited leases. A Lightweight Client is a special machine with no hard drive that is booted via the network by requesting the booting image (operating system) from a lightweight client server. eBox allows the PXE server 5 to which the client must connect to be configured. The PXE service, which is responsible for transmitting everything required for the lightweight client to be able to boot its system, must be configured separately. The PXE server may be an IP address or a name, in which case the path to the boot image or eBox must be indicated, in which case the image file can be loaded.

Dynamic DNS updates The DHCP server has the ability to dynamically update the DNS server 6 . That is, the DHCP server will update in real time the A and PTR records to map an IP address to a host name and vice versa when an IP address is leased and released. The way that is done, it depends on the DHCP server configuration. eBox provides dynamic DNS feature integrating dhcp and dns modules from the same box in Dynamic DNS Options tab. In order to enable this feature, the DNS module must be enabled as well. You may provide a Dynamic domain and a Static domain, which both will be added automatically to the DNS configuration. The dynamic domain maps the host names whose IP address corresponds from a range and the associated name follows this pattern: dhcp-<leased-IP-address>.<dynamicdomain>. Regarding to the static domain, the host name will follow this pattern: <name>.<staticdomain> being the name the one you set on Fixed addresses table. Take into account that any DHCP client name update is ignored from eBox. The update is done using a secure protocol 7 and, currently, only direct mapping is supported.
5 Preboot eXecution Environment is an environment to boot PCs using a network interface independent of the storage devices (such as hard drives) or operating systems installed. (http://en.wikipedia.org/wiki/Preboot_Execution_Environment) 6 The RFC 2136 explains how to do dynamic updates in the Domain Name System 7 Communication is done using TSIG (Transaction SIGnature) to authenticate the dynamic update requests using a shared secret key.


eBox 1.4 for Network Administrators

Figure 2.3: Dynamic DNS updates configuration

Practical example Configure the DHCP service to assign a range of 20 network addresses. Check from another client host using dhclient that it works properly. To configure DHCP, the Network module must be enabled and configured. The network interface on which the DHCP server is to be configured must be static (manually assigned IP address) and the range to assign must be within the subnet determined by the network mask of that interface (e.g. range of an interface 1. Action: Enter eBox and access the control panel. Enter Module status and enable the DHCP module by marking its checkbox in the Status column. Effect: eBox requests permission to overwrite certain files. 2. Action: Read the changes of each of the files to be modified and grant eBox permission to overwrite them. Effect: The Save changes button has been enabled. 3. Action: Enter DHCP and select the interface on which the server is to be configured. The gateway may be eBox itself, one of the eBox gateways, a specific address or none (no routing to other networks). Furthermore, the search domain (domain added to all DNS names that cannot be resolved) can be defined along with at least one DNS server (primary DNS server and optionally a secondary one). eBox then indicates the range of available addresses. Select a subset of 20 addresses and in Add new give a significant name to the range to be assigned by eBox. 4. Action: Save the changes.



Effect: eBox displays the progress while the changes are being applied. Once this is complete it indicates as such. eBox now manages the DHCP server configuration. 5. Action: From another PC connected to this network, request a dynamic IP from the range using dhclient:

$ sudo dhclient eth0 There is already a pid file /var/run/dhclient.pid with pid 9922 killed old client process, removed PID file Internet Systems Consortium DHCP Client V3.1.1 Copyright 2004-2008 Internet Systems Consortium. All rights reserved. For info, please visit http://www.isc.org/sw/dhcp/ wmaster0: unknown hardware address type 801 wmaster0: unknown hardware address type 801 Listening on LPF/eth0/00:1f:3e:35:21:4f Sending on LPF/eth0/00:1f:3e:35:21:4f Sending on Socket/fallback DHCPREQUEST on wlan0 to port 67 DHCPACK from bound to -- renewal in 1468 seconds.
6. Action: Verify from Dashboard that the address appearing in the widget DHCP leases is displayed.


Name resolution service (DNS)
As explained, the function of the DNS (Domain Name System) is to convert hostnames that are readable and easy to remember by users into IP addresses and vice versa. The name domain system is a tree architecture, the aims of which are to avoid the duplication of data and to facilitate the search for domains. The service listens to requests in port 53 of the UDP and TCP transport protocols.


eBox 1.4 for Network Administrators

2.2.1 DNS cache server configuration with eBox
A name server can act as a cache 8 for queries that it cannot respond to. In other words, it will initially query the appropriate server, as it is based on a database without data, but the cache will subsequently reply, with the consequent decrease in response time. At present, most modern operating systems have a local library to translate the names that is responsible for storing its own domain name cache with the requests made by system applications (browser, e-mail clients, etc.).

Practical example A Check the correct operation of the cache name server. What is the response time with regard to the same request www.example.com? 1. Action: Access eBox, enter Module status and enable the DNS module by marking the checkbox in the Status column. Effect: eBox requests permission to overwrite certain files. 2. Action: Read the changes of each of the files to be modified and grant eBox permission to overwrite them. Effect: The Save changes button has been enabled. 3. Action: Go to Network → DNS and add a new Domain name server with value Effect: eBox is established to translate names to IP and vice versa. 4. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is complete it is indicated as such. eBox now manages the DNS server configuration. 5. Action: Use the Domain name resolution tool available in Network checking the response time.

→ Diagnosis to check

the operation of the cache, querying the domain www.example.com consecutively and

A cache is a collection of duplicated data from an original source, where the original data is expensive to obtain or

compute compared to the cost of reading the cache (http://en.wikipedia.org/wiki/Cache).



2.2.2 DNS server configuration with eBox
DNS has a tree structure and the source is known as ‘.’ or root. Under ‘.’ are the TLDs (Top Level Domains), such as org, com, edu, net, etc. When searching in a DNS server, if it does not know the answer, the tree is recursively searched until it is found. Each ‘.’ in an address (e.g. home.example.com) indicates a different branch of the DNS tree and a different query area. The name will be traversed from right to left.

Figure 2.4: DNS tree

As you may see on figure DNS tree, each zone has an authority name server 9 . When a client performs a query to a name server, it delegates the resolution to the name server pointed by a NS record which claims to be authoritative for that zone. For instance, a client queries for www.home.example.com IP address to a name server which is authoritative for example.com. As the name server has a record which indicates the authoritative name server for home.example.com zone (the NS record), then it delegates the answer to that server who should know the IP address for that host. Another important aspect is reverse resolution (in-addr.arpa), as it is possible to translate an IP address to a domain name. Furthermore, as many aliases (or canonical names) as required can be added to each associated name and the same IP address can have several associated names.

A DNS server is the authority for a domain when it has all the data to resolve the query for that domain.


eBox 1.4 for Network Administrators

Another important characteristic of the DNS is the MX record. This record indicates the place where the e-mails to be sent to a certain domain are to be sent. For example, where an e-mail is to be sent to someone@example.com, the e-mail server will ask for the MX record of example.com and the service will reply that it is mail.example.com. The configuration in eBox is done through the DNS menu. In eBox, as many DNS domains as required can be configured. To configure a new domain, drop down the form by clicking on Add new. From here, the domain name and an optional IP address which the domain will refer to can be configured.

When a new domain is added, you may have noticed a field called dynamic is set to false. A domain is set as dynamic when it is updated automatically by a process without restarting the server. A typical example for this is a DHCP server which updates the DNS records when it leases/releases an IP address for a host. Check out Dynamic DNS updates section for details about this configuration with eBox. Currently, if a domain is set as dynamic, then no manual configuration can be done using eBox interface.

Once a correct domain has been created, e.g. home.example.com, it is possible to complete the hostnames list for the domain. As many IP addresses as required can be added using the names decided. Reverse resolution is added automatically. Furthermore, as many aliases as required can also be used for each mapping.



eBox set automatically the authoritative name server for the configured domains to ns host name. If none is set, then is set as authoritative name server for those domains. If you want to configure the authoritative name server manually for your domains (NS records), go to name servers and choose one of the configured host names for that domain or set a custom one. In a typical scenario, you may configure a ns host name using as IP address one of the configured in Network → Interfaces section.

As an additional feature, e-mail server names can be added through mail exchangers by selecting a name for the domains in which eBox is the authority or an external one. Furthermore, a preference can be given, the lowest value of which gives highest priority, i.e. an e-mail client will first try the server with the lowest preference number.

For a more in-depth look into the operation of the DNS, let us see what happens depending on the query made through the dig diagnosis tool located in Network → Diagnosis. If a query is made for one of the domains added, eBox will reply with the appropriate answer immediately. Otherwise, the DNS server will query the root DNS servers and will reply to the user as


eBox 1.4 for Network Administrators

soon as it gets an answer. It is important to be aware of the fact that the name servers configured in Network → DNS are used by client applications to resolve names, but are not used in any way by the DNS server. If you want eBox to resolve names using its own DNS server, you have to set up as primary DNS server in the aforementioned section.

Practical example B Add a new domain to the DNS service. Within this domain, assign a network address to a host name. From another host, check that it resolves correctly using the dig tool. 1. Action: Check that the DNS service is active through Dashboard in the Module status widget. If it is not active, enable it in Module status. 2. Action: Enter DNS and in Add new enter the domain to be managed. A table will drop down where hostnames, mail servers for the domain and the domain address itself can be added. In Hostnames do the same by adding the host name and its associated IP address. 3. Action: Save the changes. Effect: eBox will request permission to write the new files. 4. Action: Accept the overwriting of these files and save the changes. Effect: The progress is displayed while the changes are being applied. Once this is complete it indicates as such. 5. Action: From another PC connected to this network, request the name resolution using dig, where is, for example, the address of eBox and mirror.ebox-platform.com the domain to be resolved:

$ dig mirror.ebox-platform.com @ ; <<>> DiG 9.5.1-P1 <<>> mirror.ebox-platform.com @ ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33835 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; QUESTION SECTION: ;mirror.ebox-platform.com.





;; ANSWER SECTION: mirror.ebox-platform.com. 600 ;; AUTHORITY SECTION: ebox-platform.com. ebox-platform.com. ;; ADDITIONAL SECTION: ns1.ebox-platform.com. ns2.ebox-platform.com. ;; ;; ;; ;;



600 600



ns1.ebox-platform.com. ns2.ebox-platform.com.

600 600



Query time: 169 msec SERVER: WHEN: Fri Mar 20 14:37:52 2009 MSG SIZE rcvd: 126


Web data publication service (HTTP)
The Web is one of the most common services on the Internet, so much that it has become its visible face for most users. A website started to become the most convenient way of publishing data on a network. All that was needed was a web browser, which is installed as standard in current desktop platforms. A website is easy to create and can be viewed from any computer. Over time, the possibilities of web interfaces have improved and true applications are now available that have nothing to envy of desktop applications. But... what is behind the web?

2.3.1 Hyper Text Transfer Protocol
One of the keys to the success of the web has been the application layer protocol used, HTTP (Hyper Text Transfer Protocol), as it is extremely simple yet flexible. HTTP is a request and response protocol. A client, also known as a User Agent, makes a request to a server. The server processes it and gives a response.


eBox 1.4 for Network Administrators

Figure 2.5: Request schema with GET headers between a client and the 200 OK response from the server. Routers and proxies in between.



By default, HTTP uses TCP port 80 for unencrypted connections and 443 for encrypted connections (HTTPS) using TLS technology 10 . A client request contains the following elements: • An initial line containing <method> <resource requested> <HTTP version>. For example, GET /index.html HTTP/1.1 requests the resource /index.html through GET and using protocol HTTP/1.1. • Headers, such as User-Agent: Mozilla/5.0 ... Firefox/3.0.6, which identify the type of client requesting the data. • A blank line. • An optional message. This is used, for example, to send files to the server using the POST method. There are several methods GET and POST: GET: GET is used to request a resource. It is a harmless method for the server, as no file has to be modified in the server if a request is made via GET. POST: POST is used to send data to be processed by the server. For example, when Send message is clicked in a webmail, the server is given the email data to be sent. The server must process this information and send the email. OPTIONS: This is used to request the methods that can be used on a resource. HEAD: Requests the same data as GET, although the response will not include the text, only the header. Hence, it is possible to obtain the metadata of the resource without downloading it. PUT: Requests the text data to be stored and accessible from the path indicated. DELETE: Requests the deletion of the resource indicated. TRACE: This informs the server that it must return the header sent by the client. It is useful to see how the request is modified by the intermediate proxies. CONNECT: The specification reserves this method for tunnels.


with which clients can request data. The most common ones are

TLS (Transport Layer Security ) and its predecessor SSL (Secure Sockets Layer ) are encryption protocols that provide

data security and integrity for Internet communications. The subject is discussed in further detail in section Virtual Private Network (VPN). 11 A more detailed explanation can be found in section 9. RFC 2616


eBox 1.4 for Network Administrators

The server response has the same structure as the client request, changing the first row. In this case, the first row is <status code> <text reason>, which corresponds to the response code and a text with the explanation, respectively. The most common response codes 12 are: 200 OK: The request has been processed correctly. 403 Forbidden: When the client has been authenticated, but does not have permission to operate on the resource requested. 404 Not Found: When the resource requested has not been found. 500 Internal Server Error: When an error has occurred in the server that has prevented the request from being correctly run. HTTP has some limitations given its simplicity. It is a protocol with no state; therefore, the server is unable to remember the clients between connections. This can be avoided by using cookies. Moreover, the server cannot start a conversation with the client. Should the client want to be notified by the server of something, this must be periodically requested. The HTTP service can offer dynamic data produced by different software applications. The client requests a certain URL with specific parameters and the software manages the request to return a result. The first method used was known as CGI (Common Gateway Interface), which runs one command per URL. This mechanism has mainly been deprecated due to its memory overload and low performance when compared to other solutions: FastCGI: A communication protocol between software applications and the HTTP server, with a single process to resolve requests made by the HTTP server. SCGI (Simple Common Gateway Interface): This is a simplified version of the FastCGI protocol. Other expansion mechanisms: Dependent on the HTTP server allowing the software to be run within the server, this solution depends on the HTTP server used.

2.3.2 The Apache Web server
The Apache HTTP server

has been the most popular program for serving websites since April

1996. eBox uses this server for both its web interface and the web server module. Its aim is to offer
12 13

The full list of response codes for the HTTP server can be found in section 10 of RFC 2616. Apache HTTP Server project http://httpd.apache.org.



a secure, efficient and extendible system in line with HTTP standards. Its capacity to be extensible is based on adding features using modules that extend the core. Other programming interfaces include mod_perl, mod_python, TCL or PHP, which allows for websites to be created using programming languages such as Perl, Python, TCL or PHP. It has several authentication systems such as mod_access and mod_auth, among others. Furthermore, it allows the use of SSL and TLS with mod_ssl and provides a proxy module with mod_proxy and a powerful URL rewriting system with mod_rewrite. It has a total of 57 officially documented modules that add functionality, although this number increases to 168 if you include those registered for the 2.2 version of Apache 14 .

2.3.3 Virtual domains
The purpose of a virtual domain is to host websites for several domain names in the same server. If the server has a public IP address for each website, a configuration can be made for every network interface. When seen from outside, they look like several hosts in the same network. The server will redirect the traffic from each interface to its corresponding website. However, it is more common to have one or two IPs per host. In this case, each website will have to be associated with its domain. The web server will read the headers sent in the client request and, depending on the domain of the request, will redirect it to one website or another. Each of these configurations is known as Virtual Host, as there is only one host in the network, but the existence of several is simulated.

2.3.4 HTTP server configuration with eBox
Through Web, it is possible to access the web service configuration. In the first form, it is possible to modify the following parameters: Listening port Where the daemon is to listen to HTTP requests. Enable public_html per user Through this option, if the Samba module (eBox as file server ) is enabled, users can create a subdirectory known as public_html in their private directory within samba that will be displayed by the web server via the URL http://<eboxIP>/~<username>/, where username is the name of the user that published contents.

There is a full list at http://modules.apache.org.


eBox 1.4 for Network Administrators

Figure 2.6: Appearance of the Web module configuration With regard to the Virtual domains, the only configuration needed is the name for the domain and whether it is enabled or not. When a new domain is created, simply create an entry in the DNS module (if it is installed) so that, if the domain www.company.com is added, the domain company.com will be created with the host name www, the IP address of which will be the address of the first static network interface. To publish data, it must be under /var/www/<vHostname>, where vHostName is the name of the virtual domain. If any customized configuration is to be added, for example capacity to load applications in Python using mod_python, the necessary configuration files for this virtual domain must be created in the directory /etc/apache2/sites-available/user-ebox-<vHostName>/.

Practical example Enable the web server. Check that it is listening on port 80. Configure it to listen on a different port and verify that the change becomes effective. 1. Action: Access eBox, enter Module status and enable the Web server module by marking the checkbox in the Status column. This indicates the changes to be made in the system. Allow the operation by clicking on the Accept button. Effect: The guilabel:Save changes button has been enabled. 2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is complete it indicates as such. The web server is enabled by default on port 80.



3. Action: Using a browser, access the following address: http://eBox_ip/. Effect: An Apache default page will be displayed with the message ‘It works!’. 4. Action: Access the Web menu. Change the port value from 80 to 1234 and click on the Change button. Effect: The guilabel:Save changes button has been enabled. 5. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is complete it indicates as such. Now the web server is listening on port 1234. 6. Action: Use the browser again to try to access http://<eBox_ip>/. Effect: A response is not obtained and, after a while, the browser will indicate that it was impossible to connect to the server. 7. Action: Now try to access http://<eBox_ip>:1234/. Effect: The server responds and the ‘It works!’ page is obtained.


Time synchronization service (NTP)
The NTP (Network Time Protocol) protocol was designed to synchronize the clocks in PCs in an unreliable network with jitter. This service listens on port 123 of the UDP protocol. It is designed to withstand the effects of jitter. It is one of the oldest protocols of the Internet still in use (since before 1985). NTP version 4 can reach a precision of up to 200 µs or greater if the clock is in the local network. There are up to 16 levels defining the distance of the reference clock and its associated precision. Level 0 is for atomic clocks that are not connected to the network but to another level 1 computer with RS-232 serial connection. Level 2 are the computers connected via NTP to those of a higher level and are normally offered by default in the most common operating systems, such as GNU/Linux, Windows or MacOS.


eBox 1.4 for Network Administrators

2.4.1 NTP server configuration with eBox
To configure eBox to use the NTP architecture

, eBox must first be synchronized with an external

server of a higher level (normally 2) offered via System clients a relatively precise time over the Internet.

→ Date/Time. A list of these can be found

in the NTP pool (pool.ntp.org), which is a dynamic collection of NTP servers that voluntarily give their

Once eBox has been synchronized as an NTP client 16 , eBox can also act as an NTP server with a globally synchronized time.

Practical example Enable the NTP service and synchronize the time of your host using the command ‘ntpdate‘. Check that both eBox and the client host are set to the same time. 1. Action: Access eBox, enter Module status and enable the ntp module by marking the checkbox in the Status column. This will show the changes to be made to the system. Allow the operations by clicking on the Accept button. Effect: The Save changes button has been enabled. 2. Action: Access the System

→ Date/Time menu. In the Synchronization with NTP servers

section, select Enabled and click on Change.
15 16

NTP public service project http://support.ntp.org/bin/view/Main/WebHome.

eBox uses ntpdate to set the date the first time, once the date is set it uses ntpd to remain synchronized. http://www.ece.udel.edu/~mills/ntp/html/



Effect: The option to manually change the date and time is replaced by fields to enter the NTP servers with which to synchronize. 3. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is completed, it notifies the user. Your eBox host will act as an NTP server. 4. Action: Install the ntpdate package in your client host. Run the command ntpdate <eBox_ip>. Effect: The time on the host will have been synchronized with that of the eBox host. You can check this by running the date command on both hosts.


eBox 1.4 for Network Administrators


Chapter 3 eBox Gateway

This section considers the main function of eBox as a gateway. eBox Gateway can make your network more reliable, optimized for your bandwidth and help you control whatever enters your network. This section includes a chapter that focuses on the functionality of the eBox firewall module, which enables you to manage rules for the incoming and outgoing traffic of your internal network. The firewall is not configured directly, but is supported by another two modules that provide easier network object and service management, as described in the first part of the section. Load balancing can be applied for Internet access, along with different rules depending on the outgoing traffic. Furthermore, this section explains traffic shaping, which is used to ensure critical applications are served correctly and to even limit any applications generating a lot of network traffic. Finally, there is an introduction to the HTTP proxy service offered by eBox. This service allows or denies access from the internal network to the WWW using different filtering rules, including contentbased ones.


High-level eBox network abstractions
3.1.1 Network objects
Network objects are a way of giving a name to a network element or a group of elements. They are used to simplify and subsequently facilitate network configuration management by being able to select behavior for these objects.


eBox 1.4 for Network Administrators

To give an example, they can be used to give a significant name to an IP address or a group of IP addresses. In the case of the latter, instead of defining access rules for each of the addresses, they merely have to be defined for the network object so that all the addresses belonging to the object take on this configuration.

Figure 3.1: Representation of network objects

Management of network objects with eBox For object management in eBox, go to the submenu Objects and create new objects with an associated name and a series of members. Objects can be created, modified and deleted. These objects will be used later by other modules, such as the firewall, the Web cache proxy or the mail service. Each one will have at least the following values: name, IP address and network mask using CIDR notation. The physical address will only make sense for members with a single physical machine.



Figure 3.2: General appearance of the network object module

The members of an object can overlap the members of another; therefore, great care must be taken when using them in the remaining modules to obtain the desired configuration and avoid security problems.

3.1.2 Network services
A network service is the abstraction of one or more applicable protocols that can be used in other modules, such as the firewall or the traffic-shaping module. The use of the services is similar to that of the objects. It was seen that with the objects it was possible to make an easy reference to a group of IP addresses using a significant name. It is also possible to identify a group of numerical ports that are difficult to remember and time-consuming to enter several times in different configurations, with a name in line with its function (more typically, the name of the level-7 protocol or application using these ports).


eBox 1.4 for Network Administrators

Figure 3.3: Client connection to a server

Management of network services with eBox For management in eBox, go to the submenu Services, where it is possible to create new services, which will have an associated name, description and a flag indicating whether the service is external or internal. A service is internal if the ports configured for that service are being used in the machine in which eBox is installed. Furthermore, each service has a series of members. Each one will have the following values: protocol, source port and destination port. The value any can be entered in all of these fields, e.g. to specify services in which the source port is indifferent. Bear in mind that in network services based on the most commonly-used client/server model, clients often use any random port to connect to a known destination port. Well-known ports are considered those located between 0 and 1023, registered ports the ones located between 1024 and 49151 and private or dynamic ports are those located between 49152 and 65535. A list of known network services approved by the IANA 1 for UDP and TCP protocols can be found in the /etc/services file. The protocol can be TCP, UDP, ESP, GRE or ICMP. There is also a TCP/UDP value to avoid having to add the same port used for both protocols twice. Services can be created, modified and deleted. These services will be used later on in the firewall or traffic shaping by merely referring to the significant name.
The IANA (Internet Assigned Numbers Authority ) is responsible for establishing the services associated with wellknown ports. The full list can be found at http://www.iana.org/assignments/port-numbers.



Figure 3.4: General appearance of the network service module

Practical example
Create an object and add the following: a host with no MAC address, a host with a MAC address and a network address. To do so: 1. Action: Access Objects. Add accountancy hosts. Effect: The accountancy hosts object has been created. 2. Action: Access Members of the accountancy hosts object. Create accountancy server member with a network IP address, e.g. Create another member backup accountancy server with another IP address, e.g., and a valid MAC address, e.g. 00:0c:29:7f:05:7d. Finally, create the accountancy PC network member with the IP address of a subnet of your local network, e.g. Finally, go to Save changes to confirm the configuration created. Effect: The accountancy hosts object will contain three permanent members, i.e. accountancy server, backup accountancy server and accountancy PC network.


eBox 1.4 for Network Administrators


We will configure a firewall to see the application of the network objects and services. A firewall is a system that strengthens the access control policies between networks. In our case, a host will be devoted to protecting our internal network and eBox from attacks from the external network. A firewall allows the user to define a series of access policies, such as which hosts can be connected to or which can receive data and the type thereof. In order to do this, it uses rules that can filter traffic depending on different parameters, such as the protocol, source or destination addresses or ports used. Technically speaking, the best solution is to have a computer with two or more network cards that isolate the different connected networks (or segments thereof) so that the firewall software is responsible for connecting the network packages and determining which can be passed or not and to which network they will be sent. By configuring the host as a firewall and gateway, traffic packages can be exchanged between networks in a more secure manner.

3.2.1 The firewall in GNU/Linux: Netfilter
Starting with the Linux 2.4 kernel, a filtering subsystem known as Netfilter is provided to offer packet filtering and Network Address Translation (NAT) 2 . The iptables command interface allows for the different configuration tasks to be performed for the rules affecting the filtering system (filter table), rules affecting packet translation with NAT (nat table) or rules to specify certain packet control and handling options (mangle table). It is extremely flexible and orthogonal to handle, although it adds a great deal of complexity and has a steep learning curve.

3.2.2 eBox security model
The eBox security model is based on seeking to provide the utmost default security, in turn trying to minimize the work of the administrator regarding configuration when new services are added. When eBox acts as a firewall, it is normally installed between the local network and the gateway that connects that network to another, normally Internet. The network interfaces connecting the host to the external network (the gateway) must be marked as such. This enables the Firewall module to establish default filtering policies.
NAT (Network Address Translation): this is the process of rewriting the source or destination of an IP packet as it passes through a router or firewall. Its main use is to provide several hosts in a private network with Internet access through a single public IP.



Figure 3.5: Internal network - Filtering rules - External network The policy for external interfaces is to deny all attempts of new connections to eBox. Internal interfaces are denied all connection attempts, except those made to internal services defined in the Services module, which are accepted by default. Furthermore, eBox configures the firewall automatically to provide NAT for packages entering through an internal interface and exiting through an external interface. Where this function is not required, it may be disabled using the nat_enabled variable in the firewall module configuration file in /etc/ebox/80firewall.conf.

Firewall configuration with eBox For easier handling of iptables in filtering tasks, the eBox interface in Firewall used. Where eBox acts as a gateway, filtering rules can be established to determine whether the traffic from a local or remote service must be accepted or not. There are five types of network traffic that can be controlled with the filtering rules: • Traffic from an internal network to eBox (e.g. allow SSH access from certain hosts). • Traffic among internal networks and from internal networks to the Internet (e.g. forbid Internet access from a certain internal network). • Traffic from eBox to external networks (e.g. allow files to be downloaded by FTP from the host using eBox). • Traffic from external networks to eBox (e.g. enable the Jabber server to be used from the Internet). • Traffic from external networks to internal networks (e.g. allow access to an internal Web server from the Internet).

→ Package filtering is


eBox 1.4 for Network Administrators

Bear in mind that the last two types of rules may jeopardize eBox and network security and, therefore, must be used with the utmost care. The filtering types can be seen in the following graphic:

Figure 3.6: Types of filtering rules

eBox provides a simple way to control access to its services and to external services from an internal interface (where the intranet is located) and the Internet. It is normally object-configured. Hence, it is possible to determine how a network object can access each of the eBox services. For example, access could be denied to the DNS service by a certain subnet. Furthermore, the Internet access rules are managed by eBox too, e.g. to configure Internet access, outgoing packages to TCP ports 80 and 443 to any address have to be allowed. Each rule has a source and destination that depend on the type of filtering used. For example, the filtering rules for eBox output only require the establishing of the destination, as the source is always eBox. A specific service or its reverse can be used to deny all output traffic, for example, except SSH traffic. In addition, it can be given a description for easier rule management. Finally, each rule has a decision that can have the following values: • Accept the connection. • Deny connection by ignoring the incoming packages and making the source suppose that connection could not be established.



Figure 3.7: List of package filtering rules from internal networks to eBox

• Deny connection and also record it. Thus, through Logs -> Log query of the Firewall, it is possible to see whether a rule is working properly.

Port forwarding Port redirections (destination NAT) are configured through Firewall by translating the destination address. To configure a redirection, the following fields need to be specified: interface where the translation is to be made, the original destination (this could be eBox, an IP address or an object), the original destination port (this could be any, a range of ports or a single port), the protocol, the source from where the connection is to be started (in a normal configuration, its value will be any ), the destination IP and, finally, the port, where the target host is to receive the requests, which may or may not be the same as the original. There is also a optional field called description that is useful to add a comment describing the purpose of the rule.

→ Port Forwarding, where an

external port can be given and all traffic routed to a host listening on a certain port can be redirected


eBox 1.4 for Network Administrators

According to the example, all connections to eBox through the eth0 interface to port 8080/TCP will be redirected to port 80/TCP of the host with IP address

Practical example Use the netcat program to create a simple server that listens on port 6970 in the eBox host. Add a service and a firewall rule so that an internal host can access the service. To do so: 1. Action: Access eBox, enter Module status and enable the Firewall module by marking the checkbox in the Status column. Effect: eBox requests permission to take certain actions. 2. Action: Read the actions to be taken and grant permission to eBox to do so. Effect: The Save changes button has been enabled. 3. Action: Create an internal service as in serv-exer-ref of section High-level eBox network abstractions through Services with the name netcat and with the destination port 6970. Then go to Firewall → Package filtering in Filtering rules from internal networks to eBox and add the rule with at least the following fields: • Decision : ACCEPT



• Source : Any • Service : netcat. Created in this action. Once this is done, Save changes to confirm the configuration. Effect: The new netcat service has been created with a rule for internal networks to connect to it. 4. Action: From the eBox console, launch the following command:

nc -l -p 6970
5. Action: From the client host, check that there is access to this service using the command nc:

nc <ip_eBox> 6970
Effect: You can send data that will be displayed in the terminal where you launched netcat in eBox.


3.3.1 Routing tables
The term routing refers to the action of deciding through which interface a certain packet must be sent from a host. The operating system has a routing table with a set of rules to make this decision. Each of these rules has different fields, although the three most important ones are: destination address, interface and gateway. These must be read as follows: to reach a certain destination address, the packet must be directed through a gateway, which is accessible through a certain interface. When the message arrives, its destination address is compared to the entries in the table and is sent through the interface indicated in the rule that matches. The best match is considered the most specific rule. For example, if a rule is specified indicating that to reach network A (, gateway A must be used and another rule indicates that to reach network B (, which is a subnet of A, gateway B must be used. If a packet arrives with destination, then the operating system will decide to send it to gateway B, as there is a more specific rule. All hosts have at least one routing rule for the loopback interface, or local interface, and additional rules for other interfaces that connect it to other internal networks or to Internet.


eBox 1.4 for Network Administrators

To manually configure a static route table, Network

→ Routes is used (basically it is an interface

for the route or ip route commands). These routes may be overwritten if the DHCP protocol is used.

Figure 3.8: Route configuration

Gateway When sending a packet, if no route matches and there is a gateway configured, it will be sent through the gateway. The gateway is the route by default for packets sent to other networks. To configure a gateway, use Network → Gateways.



Enabled: Indicates if the gateway is really going to be used at the moment. Name: Name identifying the gateway. IP address: IP address of the gateway. This address must be accessible from the host containing eBox. Interface: Network interface connected to the gateway. Packages sent to the gateway will be sent through this interface. Weight: The heavier the weight, the more traffic will be directed to this gateway when load balancing is enabled. Default: Indicates if this gateway should be used as the default one. If you have interfaces configured as DHCP or PPPoE you can’t add gateways for them as they are managed automatically. You still can enable and disable them, edit their Weight or set the Default one, but not the rest of attributes.

Figure 3.9: Gateway list showing DHCP and PPPoE gateways

Subnets and subnet routing As indicated above, initially there were classes of networks with associated fixed network masks, which were 8-bit multiples. Due to the lack of scalability of this approach, CIDR (Classless Inter-Domain Routing) was created to allow for network masks of a variable size to be used, allowing, for example, for a class C network to be divided into several subnets of a smaller size or to aggregate several class C subnets into one of a larger size. This allows: • A more effective use of the scarce IPv4 address space.


eBox 1.4 for Network Administrators

• Better use of the hierarchy in address assignment (adding of prefixes), decreasing routing overload throughout the Internet. The number of bits interpreted as the subnet identifier is given by a netmask that is of the same length as the IP address. To find the network of an IP address with its mask, proceed as follows: Address with full stops IP address Netmask Network portion Binary 11000000.10101000.00000101.00001010 11111111.11111111.11111111.00000000 11000000.10101000.00000101.00000000

CIDR also introduced a new nomenclature that can be seen compared to the above in the following table: CIDR /32 /31 /25 /24 /21 Class 1/256 C 1/128 C 1/2 C 1C 8C N Hosts 1 2 128 256 2048 Mask

Practical example A
You will now configure the network interface statically. The class will be divided into two subnets. To do so: 1. Action: Access the eBox interface, enter Network

→ Interfaces and, for the network inter-

face eth0, select the :guilabel:Static method. As the IP address, enter that indicated by the instructor. As the Netmask, use Click on the Change button. The network address will be of the form 10.1.X.Y, where 10.1.X corresponds to the network and Y to the host. These values will be used from now on. Enter Network → DNS and click on Add. As the Name server enter 10.1.X.1. Click on Add. Effect: The Save changes button has been enabled and the network interface keeps the data entered. A list is displayed containing the name servers, including the recently created server. 2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied.



3. Action: Access Network → Diagnosis. Ping ebox-platform.com. Effect: The following is given as the result:

connect: network is unreachable
4. Action: Access Network subnet. Effect: Three satisfactory connection attempts to the host are displayed as the result. 5. Action: Access Network → Diagnosis. Ping to the eBox of a classmate in the other subnet. Effect: The following is given as the result:

→ Diagnosis. Ping to an eBox of a classmate part of the same

connect: network is unreachable

Practical example B
You will now configure a route to access hosts in other subnets. To do so: 1. Action: Access the eBox interface, enter Network the form with the following values: Network 10.1.X.0 / 24 Gateway Description route to the other subnet Click on the Add button. Effect: The Save changes button has been enabled. A list is displayed containing the routes, including the recently created one. 2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. 3. Action: Access Network → Diagnosis. Ping ebox-platform.com. Effect: The following is given as the result:

→ Routes and select Add new. Complete


eBox 1.4 for Network Administrators

connect: network is unreachable
4. Action: Access Network → Diagnosis. Ping to the eBox of a classmate in the other subnet. Effect: Three satisfactory connection attempts to the host are displayed as the result.

Practical example C
You will now configure a gateway to connect to the remaining networks. To do so: 1. Action: Access the eBox interface, enter Network during the previous exercise. Enter Network → Gateways and select Add new. Complete with the following data: Name Default Gateway IP address 10.1.X.1 Interface eth0 Weight 1 Default yes Click on the Add button. Effect: The Save changes button has been enabled. The list of routes has disappeared. A list of gateways is displayed containing the recently created gateway. 2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. 3. Action: Access Network → Diagnosis. Ping ebox-platform.com. Effect: Three satisfactory connection attempts to the host are displayed as the result. 4. Action: Access Network → Diagnosis. Ping to the eBox of a classmate in the other subnet. Effect: Three satisfactory connection attempts to the host are displayed as the result.

→ Routes and delete the route created



3.3.2 Multigateway rules and load balancing
Multigateway rules are a tool that enables PCs in a network to use several Internet connections transparently. This is useful if, for example, an office has several ADSL connections and the entire bandwidth available is to be used without having to worry about distributing the work of the hosts manually between both gateways, so that the load is shared automatically between them. Basic load balancing evenly distributes the packets transferred from eBox to the Internet. The simplest form of configuration involves establishing different weights for each gateway so that, if the connections available have different capacities, they can be used optimally. Multigateway rules allow for certain traffic types to be sent permanently by the same gateway, where required. Common examples include sending emails through a certain gateway or ensuring that a certain subnet is always routed from the Internet through the same gateway. eBox uses the iproute2 and iptables tools for the configuration required for the multigateway function. iproute2 informs the kernel of the availability of several gateways. For multigateway rules, iptables is used to mark the packets of interest. These marks can be used from iproute2 to determine the gateway through which a packet must be sent. There are several possible problems that must be considered. Firstly, the connection concept does not exist in iproute2. Therefore, with no other type of configuration, the packets belonging to the same connection could end up being sent by different gateways, making communications impossible. To solve this, iptables is used to identify the different connections and ensure that all the packets of a connection are sent via the same gateway. The same applies to any incoming connections established. All response packets for a connection must be sent using the same gateway through which that connection was received. To establish a multigateway configuration with load balancing in eBox, as many gateways as required must be defined in Network

→ Gateways. Using the weight parameter when configuring a

gateway, it is possible to determine the proportion of packets that each one will send. Where two gateways are available and weights of 5 and 10, respectively, are established, 5 of every 15 packets will be sent through the first gateway, while the the remaining 10 will be sent via the second.


eBox 1.4 for Network Administrators

Multigateway rules and traffic balancing are established in the Network → Balance Traffic section. In this section, it is possible to add rules to send certain packets to a specific gateway, depending on the input interface, the source (this could be an IP address, an object, eBox or any), the destination (an IP address or a network object), the service with which this rule is to be associated and via which gateway the traffic type specified is to be directed. In order to enable load balancing, just enable Traffic balancing checkbox.

Practical example D Configure a multigateway scenario with several gateways with different weights and check that it works using the traceroute tool. To do so: 1. Action: In pairs, leave one eBox with the current configuration and add a new gateway in the other, accessing Network following data:

→ Gateways via the interface and clicking on Add new, with the



Name Gateway 2 IP address <classmate’s eBox IP> Interface eth0 Weight 1 Default yes Click on the Add button. Effect: The Save changes button has been enabled. A list of gateways is displayed containing the recently created gateway and the previous gateway. 2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. 3. Action: Go to a console and run the following script:

for i in $(seq 1 254); do sudo traceroute -I -n 155.210.33.$i -m 6; done
Effect: The result of running traceroute shows the different gateways through which a packet passes to reach its destination. On running it in a host with multigateway configuration, the result of the first leaps between gateways should be different depending on the gateway chosen.

3.3.3 WAN Failover
If you are balancing traffic among two or more gateways, this feature is really useful. In a standard scenario without failover, imagine you are balancing the traffic between two gateways and one of them goes down. Assuming both gateways have the same weight, half of the traffic will keep going through the downed gateway, causing connectivity problems to all the clients in the network. In the failover configuration, you can define a set of rules for each gateway that needs to be checked. These rules can be a ping to the gateway, to another external host, a DNS resolution or a HTTP request. You can also define how many probes you need and the acceptation percentage. If any of the tests fails to reach the acceptation percentage, the associated gateway will be disabled. But the tests keep running, so if the gateway comes back to life all the tests should run successfully and it will be enabled again.


eBox 1.4 for Network Administrators

The gateway disabling without connection heads to all the traffic coming out through the other gateway instead of being balanced. That way the users in the network shouldn’t notice any big issue with the connection. Once eBox detects that the downed gateway is fully operative, the normal behavior of the traffic balance is restored. The failover is implemented as an eBox event. In order to use it, you first need to make sure that the Events module is enabled and also enable WAN Failover event.

To configure the failover options and rules go to the Network

→ WAN Failover menu. You can

specify the event period modifying the value of the Time between checks option. For adding a new rule, just click Add new and a form with the following fields will appear: Enabled: It indicates whether the rule is going to be applied or not when checking the connectivity of the gateways. You add different rules and enable or disable according to your needs instead of deleting and adding them again. Gateway: It is already filled with the list of configured gateways, so you just need to select one of them.

Check out Events and alerts chapter for details about how events work in eBox and how to configure them.



Test type: It may have any of the following values: Ping to gateway: It sends a ICMP echo packet with the IP address of the gateway as destination. Ping to host: It sends a ICMP echo packet with the IP address of a external host specified below as destination. DNS resolve: It tries to get the IP address for the host name specified below. HTTP request: It downloads the website content specified below. Host: The server to be used as target in the test, it is not applicable in case of the Ping to gateway type. Number of probes: Number of times that the test is tried. Required success ratio: Indicates how many successful attempts are needed to consider the test as passed. It is recommended to configure a event dispatcher in order to be aware of the connections and disconnections of the gateways. Otherwise, they will be logged only to the /var/log/ebox/ebox.log file.


Traffic shaping
3.4.1 Quality of Service (QoS)
Quality of Service (QoS) in computer networks refers to resource reservation control mechanisms to provide different priorities to different applications, users, or data flows, or to guarantee a certain level of performance according to the constraints imposed by the application. Constraints such as delay in delivery, the bit rate, the probability of packet loss or the variation delay per packet


be determined for various multimedia data stream applications such as voice or TV over IP. These mechanisms are only applied when resources are limited (wireless cellular networks) or when there is congestion in network, otherwise such QoS mechanisms are not required. There are several techniques to give quality of service: Reserving network resources: Using Resource reSerVation Protocol (RSVP) to request and reserve resources in the routers. However, this option has been neglected because it does not scale well with Internet growth.
jitter or Packet Delay Variation (PDV) is the difference in end-to-end delay between selected packets in a flow with any lost packets being ignored.


eBox 1.4 for Network Administrators

Differentiated services (DiffServ): In this model, packets are marked according to the type of service they need. In response to these marks, routers and switches use various queuing strategies to tailor performance to requirements. This approach is currently widely accepted. In addition to these systems, bandwidth management mechanisms may be used to further improve performance such as traffic shaping, Scheduling algorithms o congestion avoidance. Regarding traffic shaping, there are two predominant methods: Token bucket: It dictates when traffic can be transmitted, based on the presence of tokens in the bucket (an abstract container that holds aggregate network traffic to be transmitted). Each token in the bucket can represent a unit of bytes of predetermined size, so each time that traffic is transmitted, the tokens are removed (cashed in). When there are no tokens, a flow cannot transmit its packets. Periodically, tokens are added to the bucket. Using such mechanism, it is allowed to send data in peak burst rate. Leaky bucket: Conceptually based on considering a bucket with a hole in the bottom. If packets arrive, they are placed into the bucket until it becomes full, then packets are discarded. Packets are sent at a constant rate, which is equivalent to the size of the hole in the bucket.

3.4.2 QoS configuration in eBox
eBox uses Linux kernel features 5 to shape traffic using token bucket mechanisms that allow to assign a limited rate, a guaranteed rate and a priority to certain types of data flows through the Traffic Shaping

→ Rules menu.
In order to perform traffic shaping, it is required to have, at least, an internal network interface and an external one. You need, at least, one configured gateway as well. And you have also to set your bandwidth information in Traffic Shaping

→ Interface Rates. Set the upload and download rate that

provide the router that is connected to every external interface. The shaping rules are specific for each interface and they may be selected for those external network interfaces with assigned upload rate and all internal ones. If the external network interface is shaped, then you are limiting eBox output traffic to the Internet. If, however, you shape an internal network interface, then the eBox output to internal networks is limited. The maximum output and input rates are given by the configuration in Traffic Shaping

Interface Rates. As it can be seen, shaping input traffic is not possible directly, that is because input traffic is not predictable nor controllable in almost any way. There are specific techniques from various

Linux Advanced Routing & Traffic Control http://lartc.org



protocols to handle the incoming traffic, for instance, TCP by artificially adjusting the window size as well as controlling the rate of acknowledgements (ACK) segments being returned to the sender. Each network interface has a rule table to give priority (0: highest priority, 7: lowest priority), guaranteed rate and/or limited rate. These rules apply to traffic bound to a service, a source and/or a destination.

Figure 3.10: Traffic shaping rules

Practise example Set up a rule to shape incoming HTTP traffic by limiting it to 20KB/s. Check if it works properly. 1. Action: Add a gateway in Network → Gateways to your external network interface. Effect: The Save changes button is enabled. The gateway list displays a single gateway. 2. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is complete, it informs the user. 3. Action: Enter Services and add a new external service called HTTP with TCP protocol and destination port 80. Effect: eBox shows a list with all the services where the new service is displayed too. 4. Action: Enter Traffic Shaping → Rules. Select the internal interface from the interface list and, using Add new, set a new rule with the following details: Enabled Yes Service Port-based service / HTTP


eBox 1.4 for Network Administrators

Source any Destination any Priority 7 Guaranteed rate 0 Kb/s Limited rate 160 Kb/s Press the Add button. Effect: eBox displays a table with the new traffic shaping rule. 5. Action: Start downloading a huge file, which is reachable from the Internet (for example, a Ubuntu ISO image) from a host within your LAN (not eBox itself) using the wget command. Effect: The download rate is stable around 20 KB/s (160 Kbit/s).


Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization and Accounting (AAA) management for computers to connect and use a network service. The authentication and authorization flow in RADIUS works as follows: the user or machine sends a request to a Network Access Server (NAS), like it could be a wireless Access Point, using the proper link-layer protocol in order to gain access to a particular network resource using access credentials. In turn, the NAS sends an Access Request message to the RADIUS server, requesting authorization to grant access and including all the needed access credentials, not only username and password but probably also realm, IP address, VLAN to be assigned or maximum time to be connected. This information is checked using authentication schemes like Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP) or Extensible Authentication Protocol (EAP) and then a response is sent to the NAS: 1. Access Reject: when the user is denied access. 2. Access Challenge: when additional information is requested, like in TTLS where a tunneled dialog is established between the RADIUS server and the client for a second authentication phase.


These authentication protocols are defined in RFC 1334.



3. Access Accept: when the user is granted access. RADIUS official assigned IANA ports are 1812/UDP for Authentication and 1813/UDP for Accounting. This protocol does not transmit passwords in plain text between the NAS and the server (not even with PAP protocol), a shared secret is used to encrypt the communication between both parties. FreeRADIUS 7 server is being used for eBox RADIUS service.

3.5.1 RADIUS server configuration with eBox
If we want to give support to RADIUS server in eBox, first check in Module Status if the Users and Groups module is enabled, as RADIUS depends on it. Then, mark the RADIUS checkbox to enable the RADIUS eBox module.

Figure 3.11: RADIUS General Configuration

In order to configure the service, go to RADIUS in the left menu. There you will be able to setup the whether All users or only the users who belong to one of your groups will be granted access. All the NAS requesting authentication to eBox need to be defined on the RADIUS clients section. For each NAS client we can specify: Enabled: whether this NAS is enabled or not. Client: The name for this client, like it could be the hostname.

FreeRADIUS - The world’s most popular RADIUS Server <http://freeradius.org/>.


eBox 1.4 for Network Administrators

IP Address: The IP address or IP range allowed to send authentication requests to the RADIUS server. Shared Secret: A shared password between the RADIUS server and the NAS to authenticate and encrypt their communication.

3.5.2 Access Point (AP) configuration
On every NAS you will need to setup the address of eBox as the RADIUS server, the port, which defaults to UDP/1812 and the shared secret. WPA and WPA2, using TKIP or AES (recommended) can both be used with eBox RADIUS. The mode should be EAP.

Figure 3.12: Access Point Wireless Settings




HTTP Proxy Service
A Web Proxy Cache server is used to reduce the bandwidth used in HTTP (Web) 8 connections, control access and improve the browsing security and browsing speed. A proxy is a program that acts as intermediary in a connection, in this case a connection using the HTTP protocol. In this intermediation it can change the behaviour of the protocol, for example adding a cache or mangling the received data.

The HTTP proxy service available in eBox has the following features: • Web content cache. It speeds up the browsing and reduces the bandwidth consumption. • Access restriction. It can be restricted by source address, user or using a time table criteria. • Antivirus. It blocks infected files. • Content access restriction for given domains or file types. • Content filter. eBox uses Squid 9 as proxy, and draws on Dansguardian 10 for content control.
8 9 10

For more information about HTTP service, see the section Web data publication service (HTTP). Squid: http://www.squid-cache.org Squid Web Proxy Cache Dansguardian: http://www.dansguardian.org Web content filtering


eBox 1.4 for Network Administrators

3.6.1 Access policy configuration
The most important task when configuring the HTTP Proxy, is to set the access policy to the web content trough it. The policy determines whether the access to the web is allowed and whether the content filter is applied. The first step to do is to define a default police. We set it in the page HTTP Proxy choosing one of the six available policies: Allow all: This policy allows to browse without restriction. However it does not mean that the cache is not used. Deny all: This policy denies the web access. At first, it could seem not useful because you could too deny access with a firewall rule. However, as we will see later, we can define particular policies for each network object, so we could use this policy to deny as default and then override it in some objects. Filter: This policy allows the access and also enables the content filtering, so the access could be denied depending on the requested content. Authorize and allow, Authorize and deny, Authorize and filter: These policies are derived from the previous policies but with authorization added. The authorization will be explained in the section HTTP Proxy advanced configuration.

→ General,

After setting the default policy, we can refine our policy setting particular policies for each network object. To set them we must enter in the section HTTP Proxy → Objects policy.



We can choose any of the six policies for each object; when accessing the proxy from an object this policy will override the default policy. A network address can be contained in various objects so we can establish the priority rearranging the objects in the list. In this case, the policy with greater priority will be applied. It is also possible to define a timetable for each object, access outside the specified time will be denied. Warning: The timetable option is not compatible with policies that use the content filter.

Figure 3.13: Network objects’ web access policies

3.6.2 Client connection to the proxy and transparent mode
In order to connect to the HTTP proxy the users must configure their browser. The exact configuration method depends on the used browser but the information required is the eBox server’s address and the port used by the proxy. The eBox proxy only accepts connections received on its internal interfaces so an internal address must be used in the browser’s configuration. The default port is 3128 but it can be changed through the HTTP Proxy popular ports for HTTP proxy services are 8000 and 8080. To avoid that users could bypass the proxy and access directly to the web, you should deny the HTTP traffic in the firewall. One way to avoid the need to configure each browser is to use the transparent mode. In this mode, eBox should be the network gateway and the HTTP connections toward external servers (for example, Internet) will be redirected to the proxy. To activate this mode we should go to the HTTP Proxy

→ General page. Other


eBox 1.4 for Network Administrators

General and enable the Transparent Proxy checkbox. As we will see in HTTP Proxy advanced configuration, the transparent mode is incompatible with policies with authorization. Finally, it must be kept in mind that the secure web traffic (HTTPS) cannot be used in transparent mode. If you want to allow it, you must set a firewall rule that allows it. This traffic will not be managed by the proxy.

3.6.3 Cache parameters
In the section HTTP Proxy → General, is possible to define the disk cache size and which addresses are exempted from it. The cache size controls the maximum disk space used to store the cached web elements. This maximum size is set in the field Cache file size that we find under the heading General Settings. With a bigger size, the probability of recovering a web element from the cache increases, and as result the browsing speed could be increased and the bandwidth use could be reduced. In the other hand, the increase of size not only comes with a greater disk usage but also with a increase in the use of RAM memory because the cache must maintain in memory an index of the stored elements. It is the job of each system administrator to choose a size according to the server characteristics and the traffic profile. It is possible to establish domains that are exempted from cache usage. For example, you may have local web servers that a cache will not speed up and you will waste cache space with them. When a domain exempted from cache is requested, it will be contacted directly without any cache lookup and the response will be returned without being stored. The exempted domains are managed under the heading Cache Exemptions that we find at the page HTTP Proxy → General.

3.6.4 Web content filter
eBox allows to filter web pages according to their contents. To enable the filter, the default policy or the object policy of a given object should be either Filter or Authorize and Filter. With eBox, we can define multiple filter profiles but in this section we will only talk about the default profile, leaving the discussion of multiple profiles to the section HTTP Proxy advanced configuration. In order to configure the filter settings you have to go to the page HTTP Proxy select the configuration of the default profile.

→ Filter Profiles and



The content filtering is based in various test including virus filtering, heuristic word filter and simpler things like banned domains. The end result is the decision about whether to allow or deny the browsing of the page under analysis. The first filter is the virus filtering. To use it you should have the antivirus module installed and enabled. Then you can configure in the filter profile whether you want to use it or not. When enabled it will block HTTP traffic with infected contents. The text content filter analyzes the text contained in the web page, if it is considered not appropriate according to the rules (for example is considered a text of a pornographic page) the request will be blocked. To control this process we can establish a threshold that will be compared to the score assigned to the page by the filter, if the score is above the threshold, the page will be blocked. The threshold is set in the filter profile, at the section Content filtering threshold. This filter can also be disabled by choosing the value Disabled. Itx should be noted that the text analysis could result either in false positives or false negatives, blocking innocent pages or letting pass inappropriate ones; this problems can be mitigated using domain policies but it could happen again with unknown pages. There are more explicit filters: * By domain. For example, denying the access to a sport newspaper domain * By file extension. For example, forbidding the download of .EXE files. * By file MIME type. For example, forbidding the download of video files. These filters are presented in the filter profile configuration by means of three tabs, Files extension filter, MIME types filtering and Domains filtering.


eBox 1.4 for Network Administrators

In the Files extension filter table you can configure which file extensions should be blocked. Likewise, in the MIME types filtering table you can establish which MIME types should be blocked. The MIME types (Multipurpose Internet Mail Extensions) are a standard, originally conceived to extend the contents of email, which define the type of the content. They are used too by other protocols, HTTP among them, to determine the content of transfered files. An example of MIME type is text/html, which is the type for web pages. The first part of the type informs about the type of content stored (text, video, images, executables, ...) and the second about the format used (HTML, MPEG, gzip, .. ). In the Domains filtering section, you will found the parameters related to filtering websites according to its domain. They are two global settings: • Block not listed domains. This option will block domains that are not present in Domain rules or in the categories in Domain lists files. In this last case, the domains in a category with the policy of Ignore are considered not listed.



• Block sites specified only as IP. This option blocks pages requested using their IP address instead of their domain name. The purpose of this option is to avoid attempts to bypass domain rules using IP addresses. Next we have Domain rules, where you can introduce domains and assign them one of the following policies: Always allow: The access to the content of this domain is always allowed. All the content filters are ignored. Always deny: The access to the contents of this domains will be always blocked. Filter: The filters will be applied to this domain as usual. However it will not be automatically blocked if the Block not listed domains option is active.

In Domain list files, you can simplify the management of domains using classified lists of domains. These lists are usually maintained by third parties and they have the advantage that the domains are classified in categories, allowing to define policies for a full domain category. eBox supports the lists distributed by urlblacklist
11 12


, shalla’s blacklists


and any other that uses the same format.

URLBlacklist: http://www.urlblacklist.com Shalla’s blacklist: http://www.shallalist.de


eBox 1.4 for Network Administrators

This lists are distributed as compressed archives. Once downloaded, you can add the archive to your configuration and set policies for each category. The policies that can be set for each category are the same polices that can be applied to individual domains, and they will be enforced to all domains in the category. There is an additional policy called ignore, its effect is to ignore completely the presence of a category. This is the default policy for all categories.

Practical example Enable the transparent mode in the proxy. Check with the iptables command the added NAT rules which should have been added to enable this feature. 1. Action: Log into eBox, enter Module status and enable the HTTP Proxy module, to do this check its box in the column Status. Effect: eBox will ask for permission to overwrite some files. 2. Action: Read the reason for the changes on each file and grant permission to eBox to overwrite them. Effect: The Save changes button is highlighted. 3. Action: Go to HTTP Proxy

→ General, check the Transparent proxy checkbox. Make sure

that eBox can act as router, for this at least one internal and one external interfaces are required. Effect: The transparent mode is configured.



4. Action: Click into Save changes to enforce the new configuration. Effect: The firewall and HTTP proxy services will be restarted. 5. Action: In the console of the eBox computer, execute the command iptables -t nat -vL. Effect: The command output must be similar to this: Chain PREROUTING (policy ACCEPT 7289 packets, 1222K bytes) pkts bytes target prot opt in out source destination 799 88715 premodules all – any any anywhere anywhere Chain POSTROUTING (policy ACCEPT 193 packets, 14492 bytes) pkts bytes target prot opt in out source destination 29 2321 postmodules all – any any anywhere anywhere 0 0 SNAT all – any eth2 ! anywhere to: Chain OUTPUT (policy ACCEPT 5702 packets, 291K bytes) pkts bytes target prot opt in out source destination Chain postmodules (1 references) pkts bytes target prot opt in out source destination Chain premodules (1 references) pkts bytes target prot opt in out source destination 0 0 REDIRECT tcp – eth3 any anywhere ! tcp dpt:www redir ports 3129


eBox 1.4 for Network Administrators


Chapter 4 eBox Office

One of the fundamentals for the creation of computer networks was the sharing of resources and data

. This issue is particularly emphasized here and is possibly the most useful section for the daily

operations of many local area networks in offices or at home. Unified user and group management through a directory service for all network services, the use of shared files and printers and all groupware services, such as calendars, contacts and tasks, are discussed in this section.


Directory service (LDAP)
Directory services are used to store and sort the data relating to organizations (in this case, users and groups). They enable network administrators to handle access to resources by users by adding an abstraction layer between the resources and their users. This service gives a data access interface. It also acts as a central, common authority through which users can be securely authenticated. A directory service can be considered similar to the yellow pages. Its characteristics include: • The data is much more often read than written. • Hierarchical structure that simulates organizational architecture.

See net-intro-ref for further information.


eBox 1.4 for Network Administrators

• Properties are defined for each type of object, standardized by the IANA 2 , on which access control lists (ACLs) can be defined. There are many different implementations of the directory service, including NIS, OpenLDAP, ActiveDirectory, etc. eBox uses OpenLDAP as its directory service with Samba technology for Windows domain controller and to share files and printers.

4.1.1 Users and groups
Normally, in the management of any size of organization there is the concept of user or group. For easier shared resource administration, the difference is made between users and their groups. Each one may have different privileges in relation to the resources of the organization.

Management of users and groups in eBox

As it has been explained, eBox has a modular design, allowing an administrator to distribute services among several machines in the network. In order for this to be feasible, the users and groups module supports a master/slave architecture to share users between different eBoxes. By default, and unless indicated otherwise in the Users and Groups

→ Mode menu entry, the

module will set up a master LDAP directory. By default, the Distinguished Name (DN) 3 of the directory is set according to the current hostname, if a different one is desired, it can be set in the LDAP DN text entry.
Internet Assigned Numbers Authority (IANA) is responsible for assigning public IP addresses, top level domain (TLD) names, etc. http://www.iana.org/ 3 Each LDAP directory entry has a unique identifier called distinguished name which has similarities to the concept of full file path in a file system.



Other eBoxes can be configured to use a master as the source of their users, thus becoming directory slaves. In order to do this, the slave mode has to be selected in Users and Groups

Mode. The slave setup requires two extra parameters, the IP or hostname of the master directory and its LDAP password. This password is not the eBox one, but the one generated automatically when enabling the users and groups module. Its value can be obtained in the Password field in Users and Groups → LDAP Info in the master eBox.

There is one extra requirement before registering a slave in a master. The master has to be able to resolve the slave’s hostname via DNS. There are different ways to achieve this. The easiest one is adding an entry for the slave in the master’s /etc/hosts. Other option is to set up the DNS service in eBox, including the slave hostname and IP address. If the firewall module is enabled in the master eBox, it has to be configured in a way that allows incoming LDAP traffic from the slaves. By default, the firewall denies this traffic, so make sure to perform the necessary adjustments on the firewall before proceeding.


eBox 1.4 for Network Administrators

Once these parameters are set and the slave hostname can be resolved from the master, the slave can be registered in the master by enabling the users and groups module in Module Status. Slaves create a replica of the master directory when they register for the first time, and that replica is kept up to date automatically when new users and groups are added. A list of the slaves can be seen in the master in Users and Groups → Slave Status.

Modules that work with users such as mail or samba can be installed now in the slaves and they will use the users available in the master eBox. Some modules require some actions to be executed when new users are added, such as samba, which needs to create the home server. In order to do this, the master will notify the slaves about new users and groups when they are created, giving a chance to slaves to perform the appropriate actions. There might be problems executing these actions in some circumstances, for example if one of the slaves is down. In this case the master will remember that there are pending actions to be performed and will retry periodically. The user can also check the status of the slaves in Users and Groups Slave Status and force a retry manually. A slave can be deleted in this section as well. There is an important limitation in the current master/slave architecture. The master eBox cannot have any module depending on users and groups installed, for example, samba or mail among others. If the master has any of these modules installed, they have to be uninstalled before trying to register a slave on it. If at some point the mode of operation of the users and groups module needs to be changed, it can be done running this command:

# sudo /usr/share/ebox-usersandgroups/ebox-usersandgroups-reinstall
when it executed will completely remove the LDAP directory, deleting all the current users and groups and reinstall it from scratch so it can be set up in a different mode.



Users and groups creation
A group can be created from the Users and Groups → Groups menu in the master eBox. A group is identified by its name and can contain a description.

Through Users and Groups → Groups, the existing groups are displayed for edition or deletion. While a group is being edited, the users belonging to the group can be chosen. Some options belonging to the installed eBox modules with some specific configuration for the user groups can be changed too.

The following are possible with user groups, among others: • Provide a directory to be shared between users of a group. • Provide permission for a printer to all users of a group. • Create an alias for an e-mail account that redirects to all users of a group. • Assign access permission to the different eGroupware applications for all users of a group.


eBox 1.4 for Network Administrators

The users are created from the Users and Groups → Users menu, where the following data must be completed:

User name: Name of the user in the system, which will be the name used for identification in the authentication processes. First Name: User’s first name. Last Name: User’s last name. Comment: Additional data on the user. Password: Password to be used by the user in the authentication processes. This info must be provided twice to avoid misspellings in this vital data. Group: The user can be added to a group during its creation. From Users and Groups → Users, a list of users can be obtained, edited or deleted.

While a user is being edited, all the previous data can be changed, except for the user name. The data regarding the installed eBox modules that have some specific configuration for users can also be changed, as well as the list of groups to which the user belongs.



It is possible to edit a user to: • Create an account for the Jabber server. • Create an account for file or PDC sharing with a customized quota. • Provide permission for the user to use a printer. • Create an e-mail account for the user and aliases for it. • Assign access permission to the different eGroupware applications. • Assign a phone extension to the user. In a master/slave setup, the basic fields of users and groups can be edited in the master, while any further attributes pertaining to a given module installed in a slave have to be edited in that slave.

User Corner The user data can only be modified by the eBox administrator, which becomes non-scalable when the number of users managed becomes large. Administration tasks, such as changing a user’s password, may cause the person responsible to waste a lot of time. Hence the need for the user corner. This corner is an eBox service that allows users to change their own data. This function must be enabled like the other modules. The user corner is listening in another port through another process to increase system security.


eBox 1.4 for Network Administrators

Users can enter the user corner through: https://<eBox_ip>:<user_corner_port>/ Once users have entered their user name and password, changes can be made to their personal configuration. The features provided so far are: • Change current password • User voicemail configuration • Configure an external personal account to fetch mail to synchronize with the user’s mailbox in the eBox mail server.

Practical example A
Create a group in eBox called accountancy. To do so: 1. Action: Enable the users and groups module. Enter Module status and enable the module if it is not enabled. Effect: The module is enabled and ready for use.



2. Action: Access Users and Groups → Groups. Add accountancy as a group. The comments parameter is optional. Effect: The accountancy group has been created. The changes do not have to be saved, as any action on LDAP is instant.

Practical example B
Create the user peter and add him to the accountancy group. To do so: 1. Action: Access Users and Groups

→ Users. Complete the different fields for the new user.

The user peter can be added to the accountancy group from this screen. Effect: The user has been added to the system and to the accountancy group. Check from the console that the user has been correctly added: 1. Action: In the console, run the command:

# id peter
Effect: The result should be something like this:

uid=2003(pedro) gid=1901(__USERS__) groups=1901(__USERS__) ,2004(accountancy)


File sharing service and remote authentication
4.2.1 File sharing
The file sharing takes place through a network file system. The systems more widely used are: NFS (Network File System) by Sun Microsystems, which was the first one, AFS (Andrew File System) and CIFS (Common Internet File System), also known as SMB (Server Message Block ). The clients operate on files (opening, reading or writing files) as if they were locally stored in the machine, but the information can actually be stored in different places, location being completely transparent to the end user. Ideally, the client should not know whether the file is stored in the host


eBox 1.4 for Network Administrators

itself or it is spread all over the network. However, this is not possible due to the network delays and the issues related to concurrent file updates which should not interfere among them.

4.2.2 SMB/CIFS and its Linux Samba implementation
SMB (Server Message Block ) or CIFS (Common Internet File System) is used to share the access to: files, printers, serial ports and any other series of communications between nodes in a local network. It also offers authentication mechanisms between processes. It is mainly used among computers with Windows. However, there are also some implementations in other operating systems such as GNU/Linux using Samba, which implements Windows system protocols using reverse engineering 4 . Given the success of some file sharing systems, Microsoft decided to rename SMB as CIFS, adding new features to it, such as: symbolic and hard links and bigger file sizes, as well as avoiding the use of NetBIOS 5 in which SMB is based.

4.2.3 Primary Domain Controller (PDC)
A Primary Domain Controller (PDC) is a domain server for Windows NT versions previous to the Windows 2000 version. In this environment, a domain is a system which allows restricted access to a series of resources with a username and password. Therefore, it can be used to log in in the system through remote access control. PDC has also been recreated by Samba inside the SMB authentication system. In modern Windows versions it is denominated Domain Controller.

4.2.4 eBox as file server
eBox uses Samba SMB/CIFS implementation for Linux as a file server and Windows operative system authentication. The file sharing services are active when the File sharing module is active, regardless whether you are using eBox as PDC or not. The file sharing in eBox is integrated with the users and groups. As a result, each user will have a personal directory and each group can have a shared directory for all its users.
4 5

Reverse engineering tries to figure out the communication protocols just through observation of their messages. NetBIOS (Network Basic Input/Output System): API that allows communication among different computers in a local

area network. It gives a NetBIOS name and IP address to each one of the hosts.



The personal directory for the user is automatically shared and can only be accessed by the user.

Going to Groups → Edit Group a shared directory for a group can also be created. Every member of this group will have access to this directory, being able to write his own files and read all the files.

Go to File Sharing

→ General Settings to configure the general settings of file sharing service.

Domain will refer to the Windows local network name whereas NetBIOS Name will identify eBox inside the Windows network. You can also give a Description with the domain characteristics. Apart from that, and as an optional feature, a Quota Limit can be established. Using Samba group, you may optionally set a group to have a file sharing account instead of all users, the synchronization is done every hour. To add a new shared directory, go to File Sharing → Shares and click Add new.


eBox 1.4 for Network Administrators

Enabled: This option has to be marked whenever the directory needs to be shared. Unmarking the option will cause the directory to no longer be shared, while keeping the settings. Share name: This refers to the name of the shared directory. Share path: A path can be created either in the eBox directory /home/samba/shares or using an already existing directory path if File system path is chosen. Comment: A more detailed description of the share can be provided in this field.

Access Control can be configured from the shares list. You can go to Add New in order to give reading, writing and administration permissions to a given user or group. If a user has administration permission over a share they will be granted all the permissions over the files created by other users in this directory.

Going to Users and Groups → Groups → Edit Group a shared directory for a group can also be created. Every member of this group will have access to this directory, being able to read and write all the files. If you want to save the deleted files inside a special directory called RecycleBin, just go to File Sharing

→ Recycle Bin and check the Enable Recycle Bin option. If you don’t want to apply it to

all your shares you can add exceptions in the Samba shares Recycle Bin exceptions section. You



can also modify some default settings for this feature, like the name of the directory, by editing the /etc/ebox/80samba.conf file.

Under File Sharing → Antivirus there is also a checkbox to enable or disable the check for viruses in your shares and the possibility to add exceptions if there are shares that you don’t want to check. Note that if you want to access the antivirus configuration for the filesharing module the samba-vscan package must be installed in the system. The Antivirus module must be installed and enabled as well.

4.2.5 SMB/CIFS clients configuration
Files can be shared between Windows and GNU/Linux once the file sharing service is running.

Windows client The selected domain will be found in Network Places

→ All the Network. The server

host with the selected name will show the shared resources it has.


eBox 1.4 for Network Administrators

Linux client 1. Konqueror (KDE) When using Konqueror

smb:// should be introduced in the location bar in order to see the

Windows network, where you will be able to find the specified domain.

2. Nautilus (Gnome)



When using Nautilus (Gnome) go to Places

→ Network → Windows Network in order to find

the specified domain and the eBox server inside.

Taking into account that the personal directories are not shown when browsing the server resources, those will need to be introduced in the location bar. For example, if you need to have access to Peter’s personal directory, you will have to introduce the following address:

3. Smbclient Besides the graphical interfaces, there is a command line client which works in a similar way to FTP clients. Smbclient allows actions such as: file downloading and uploading or file and directory information gathering among others. This could be an example of a session:

$ smbclient -U joe // > get ejemplo > put eaea > ls > exit $ smbclient -U joe -L // Domain=[eBox] OS=[Unix] Server=[Samba 3.0.14a-Debian]


eBox 1.4 for Network Administrators

Sharename Type Comment -----------------_foo Disk _mafia Disk hp Printer br Printer IPC$ IPC IPC Service (eBox Samba Server) ADMIN$ IPC IPC Service (eBox Samba Server) joe Disk Home Directories Domain=[eBox] OS=[Unix] Server=[Samba 3.0.14a-Debian] Server Comment --------------DME01 PC Verificaci eBox-SMB3 eBox Samba Server WARP-T42 Workgroup Master --------------eBox eBox-SMB3 GRUPO_TRABAJO POINT INICIOMS WARHOL MSHOME SHINNER WARP WARP-JIMBO

4.2.6 eBox as an authentication server
You have to go to File Sharing → General Settings and check the Enable PDC option in order to have eBox working as an authentication server (PDC).



If the option Roaming Profiles is enabled, the PDC server will store all the user profiles. Any user profile will contain general information such as: Windows settings, Outlook e-mail accounts or its documents. Every time a user logs in an updated profile will be sent to them by the PDC server. The user can have access to his profile information from any computer. Please take into account the size of the users information when setting up your server in order to make sure there is enough space. In addition to that, the Disk Letter for the personal directory can be redefined. When a user logs into the domain his personal directory will be automatically mapped to a drive with this letter. Finally, you can define user policy passwords through File Sharing enforcement by the law. • Minimum Password Length • Maximum Password Age. The password has to be changed after this period. • Enforce Password History. Stores a number of passwords once modified. This policy only applies when a password is changed from Windows. Actually Windows will enforce the policy when a user logs in in a machine registered in the domain.

→ PDC. This is usually an


eBox 1.4 for Network Administrators

4.2.7 PDC Client Configuration
An account with administration rights will be needed in order to configure a PDC client, this can be done going to Users and Groups → Users → File Sharing or PDC Account. You can also establish a Disk Quota.

Now, go to a different machine in the same LAN (keep in mind that the SMB/CIFS protocol works using broadcast) that has a CIFS-capable Windows (i.e., Windows XP Professional). Click on My PC

→ Properties. This will launch the Network Id wizard. We will reboot the server

after entering the administratiion user name and password as well as the domain name given in the File Sharing configuration. The machine name can be the one already set, as long as it does not collide with an existing one already in the domain. After finishing the process, you need to reboot the machine. Every user can see their disk usage and quota in My PC.




Printers sharing service
In order to share a printer in our network, allowing or denying users and groups the access to it, we need to have access to that printer from a host running eBox. This can be done through: direct connection, i.e., with a USB

or parallel port, or through the local network. Besides that, if we want to

obtain good results on its operation, we will need to know certain information regarding the manufacturer, the model and the driver of the printer. Printers can be added going to Printers Once there, you will be asked to enter all the necessary details in a wizard. First of all, we need to name the printer and to establish a connection method for it. The following methods are currently supported by eBox: Parallel port: A physical printer connected to the eBox server using parallel port. USB: A physical printer connected to the eBox server using USB AppSocket: A remote printer that uses the AppSocket protocol, also known as JetDirect.

→ Add printer.

Universal Serial Bus (USB) is a serial bus standard to connect devices to a host computer.


eBox 1.4 for Network Administrators

IPP: A remote printer that uses the Internet Printing Protocol (IPP) 7 . LPD: A remote printer that uses the Line Printer Daemon protocol (LPD) 8 . Samba: A remote printer shared through Samba or Windows printer sharing.

We will need to configure the connection parameters according to the selected method. For example, if we have a network printer, we will have to set up an IP address and a listening port as the following figure shows:

In the next four steps we will configure the printer driver that eBox needs to use in order to send the jobs to be printed out, defining: the manufacturer, the model, the printer driver as well as other settings.

Internet Printing Protocol (IPP) is a standard network protocol for remote printing as well as for managing print jobs, media size, resolution, and so forth. More information available on RFC 2910. Line Printer Daemon protocol (LPD) is a set of programs that provide printer spooling and network printer server functionality for Unix-like systems. More information available on RFC 1179.




After these steps, the printer will be configured. Now you will be able to see not only the queued printing jobs but also the ones in progress. In addition to that, you can also modify any of the parameters already introduced in the wizard going to Printers → Manage printers. The printers managed by eBox are accessible using the Samba protocol. You can

also enable the printing daemon CUPS in order to share the printers using IPP too.

Once the service is enabled and you have saved changes, you can give access to the resources editing either the group or the user (Groups Printers).

→ Edit Group → Printers or Users → Edit User →


eBox 1.4 for Network Administrators


Groupware Service
Groupware, also known as collaborative software, is a set of applications integrating the work of different users in common projects. Each user can connect to the system from various working stations on the local network or from anywhere in the world via the Internet. Some of the most important features of groupware tools are: • Communication between users: mail, chat rooms, etc. • Information sharing: shared calendars, task lists, common address books, knowledge base, file sharing, news, etc. • Project management, resources, time management, bugtracking, etc.



There is a large number of groupware solutions available on the market. Among the Open Source alternatives, one of the most popular options is eGroupWare

which is the one selected for eBox

Platform to implement such an important feature in business environments. Setting up eGroupware with eBox Platform is very simple. The goal is for the user not to need to access the traditional configuration offered in eGroupware and to allow him to manage all the settings from eBox interface, unless some advanced customization is required. In fact, the password for the configuration of eGroupware is auto-generated and left in an unstable status.

by eBox and the administrator should use it under

her own responsibility: by taking any wrong action the module might become improperly configured

4.4.1 Groupware service settings with eBox
Most of eGroupware configuration is performed automatically by enabling the module and saving the changes. Without requiring any additional user intervention, eGroupware will be operating fully integrated with the eBox directory service (LDAP). All users being added to eBox from that moment on will be able to log in eGroupware without requiring any other action. In addition, we can integrate the webmail service provided by eGroupware with eBox mail module. For this the only action required is to select a pre-existing virtual domain and to enable the IMAP service, allowing for the reception of mail. This is done by the eBox installer automatically if you select ebox-egroupware to install. Instructions for creating a mail domain and configuring the IMAP service are fully explained in chapter Electronic Mail Service (SMTP/POP3-IMAP4). For the domain selection used by eGroupware, you should access the Groupware → Virtual Mail Domain tab. The interface is shown in the following image. It is only needed to select the desired domain and click the button Change. Although, as usual, this action does not take effect until the button Save Changes is pressed.
eGroupware: An enterprise ready groupware software for your network http://www.egroupware.org Note for eGroupware advanced users: The password is stored in the file /var/lib/ebox/conf/ebox-egroupware.passwd and usernames are admin and ebox for header and domain configuration respectively.
10 9


eBox 1.4 for Network Administrators

In order for users to be able to use the mail service they will need to have their own accounts created on it. The image below (Users and Groups eGroupware.

→ Users) shows that during the configuration of

eGroupware a notice is displayed indicating the name of the mail account that should be used from

eGroupware consists of several applications; in eBox you can edit access permissions to these applications for each user assigning a permission template, as shown in the image above. There is a default permission template but you can define other ad-hoc ones. The default permission template is useful for configuring most of the users of the system with the same permissions, so that when a new user is created permissions will be assigned automatically. To edit the default template go to the Groupware image.

→ Default Applications tab, as shown in the



For small groups of users such as administrators, you can define a custom permission template and apply it manually for these users. To define a new template go to Groupware

→ User Defined Permission Templates in the menu

and click on Add New. Once the name is entered it will appear on the table and you can edit the applications by clicking on Allowed Applications, in a similar way as with the default template.

Be aware that if you modify the default permission template, changes will only be applied to users that are created from that moment on. They will not be applied retroactively to users previously created. The same applies to the user-defined templates: if there were any users with that template applied on their configuration you should edit that user’s properties and apply the same template again once it has been modified.


eBox 1.4 for Network Administrators

Finally, once you have configured everything, you can access eGroupWare through the address http://<ebox_ip>/egroupware using the username and password defined in the eBox interface.

eGroupware management is beyond the scope of this manual. For any question, you should check the official eGroupware user manual. It is available on-line in the official website and it is also linked from within the application once you are inside.

Practical example Enable the Groupware module and check its integration with the mail. 1. Action: Access eBox, go to Module Status and activate module Groupware, checking the box in the column Status. You will be informed eGroupware configuration is about to change. Allow the operation by pressing the button Accept. Make sure you have previously enabled the modules on which it depends (Mail, Webserver, Users, ...). Effect: The button Save Changes is activated. 2. Action: Set up a virtual mail domain as shown in the example Practice example. In this example a user is added with her corresponding email account. Steps related to objects or forwarding policies in the example are not necessary. Follow the steps just until the point in which the user is added. Effect: The new user has a valid mail account. 3. Action: Access the :menuselection: Mail –> General menu and in the Mail Server Options tab check the box IMAP Service Enabled and click Change. Effect: The change is saved temporarily but it will not be effective until changes are saved. 4. Action: Access the :menuselection: Groupware menu and in the Virtual Mail Domain tab select the previously created domain and click Change.



Effect: The change is saved temporarily but it will not be effective until changes are saved. 5. Action: Save changes. Effect: eBox shows the progress while applying the changes and informs when it is done. From now on eGroupware is configured correctly to be integrated with your IMAP server. 6. Action: Access the eGroupware interface (http://<ebox_ip>/egroupware) with the user you created earlier. Access the eGroupware mail application and send an email to your own address. Effect: You will receive in your inbox the email you just sent.


eBox 1.4 for Network Administrators


Chapter 5 eBox Unified Communications

In this section we will see the different communication methods for sharing information that are centralized in eBox and are all accessible using the same username and password. First, the mail service is explained. It allows a quick and easy integration with the preferred mail client of the users of the network, offering also the latest techniques available to prevent spam. Second, the instant messaging service through the Jabber / XMPP protocol. It provides an internal IM service without having to rely on external companies or an Internet connection. It also offers conference rooms and can be used with any of the many clients available. It allows faster communication in the cases where the mail is not enough. Finally, we will see an introduction to voice over IP, which enables each person to have an extension to make calls or participate in conferences easily. Additionally, with an external provider, eBox can be configured to connect to the traditional telephone network.


Electronic Mail Service (SMTP/POP3-IMAP4)
The electronic mail service is a store and forward method messages over electronic communication systems.

to compose, send, store and receive


eBox 1.4 for Network Administrators

Figure 5.1: Diagram where Alice sends an email to Bob

5.1.1 How electronic mail works through the Internet
The diagram depicts a typical event sequence that takes place when Alice writes a message to Bob using her Mail User Agent (MUA). 1. Her MUA formats the message in email format and uses the Simple Mail Transfer Protocol (SMTP) to send the message to the local Mail Transfer Agent (MTA). 2. The MTA looks at the destination address provided in the SMTP (not from the message header), in this case bob@b.org, and resolves a domain name to determine the fully qualified domain name of the destination mail exchanger server (MX record that was explained in the DNS section). 3. smtp.a.org sends the message to mx.b.org using SMTP, which delivers it to the mailbox of the user bob. 4. Bob receives the message through his MUA, which picks up the message using Pop Office Protocol (POP3). There are many alternative possibilities and complications to the previous email system sequence. For instance, Bob may pick up his email in many ways, for example using the Internet Message Access Protocol (IMAP), by logging into mx.b.org and reading it directly, or by using a Webmail service.
Store and forward: Telecommunication technique in which information is sent to an intermediate station where it is kept and sent at a later time to the final destination or to another intermediate station.



The sending and reception of emails between mail servers is done through SMTP but the users pick up their email using POP3, IMAP or their secure versions (POP3S and IMAPS). Using these protocols provides interoperability among different servers and email clients. There are also proprietary protocols such as the ones used by Microsoft Exchange and IBM Lotus Notes.

POP3 vs. IMAP The POP3 design to retrieve email messages is useful for slow connections, allowing users to pick up all their email all at once to see and manage it without being connected. These messages are usually removed from the user mailbox in the server, although most MUAs allow to keep them on the server. The more modern IMAP, allows you to work on-line or offline as well as to explicitly manage server stored messages. Additionally, it supports simultaneous access by multiple clients to the same mailbox or partial retrievals from MIME messages among other advantages. However, it is a quite complicated protocol with more server work load than POP3, which puts most of the load on the client side. The main advantages over POP3 are: • Connected and disconnected modes of operation. • Multiple clients simultaneously connected to the same mailbox. • Access to MIME message parts and partial fetching. • Message state information using flags (read, removed, replied, ...). • Multiple mailboxes on the server (usually presented to the user as folders) allowing to make some of them public. • Server-side searches • Built-in extension mechanism Both POP3 and IMAP have secure versions, called respectively POP3S and IMAPS. The difference with its plain version is that they use TLS encryption so the content of the messages cannot be eavesdropped.


eBox 1.4 for Network Administrators

5.1.2 SMTP/POP3-IMAP4 server configuration with eBox
Setting up an email system service requires to configure an MTA to send and receive emails as well as IMAP and/or POP3 servers to allow users to retrieve their mails. To send and receive emails Postfix
3 2

acts as SMTP server. The email retrieval service (POP3,

IMAP4) is provided by Dovecot . Both servers support secure communication using SSL.

5.1.3 Receiving and relaying mail
In order to understand the mail system configuration, a distinction must be made between receiving mail and relaying mail. Reception is when the server accepts a mail message whose recipients contains an account that belongs to any of his virtual mail domains. Mail can be received from any client which is able to connect to the server. On the other hand, relay is done when the mail server receives a message whose recipients do not belong to any of his managed virtual mail domains, thus requiring forwarding the message to other server. Mail relay is restricted, otherwise spammers could use the server to send spam over the Internet. eBox allows mail relay in two cases: 1. an authenticated user 2. a source address that belongs to a network object which has a allowed relay policy

General configuration Through Mail → General → Mail server options → Authentication, you can manage the authentication options. The following options are available: TLS for SMTP server: Force the clients to connect to the mail server using TLS encryption, thus avoiding eavesdropping. Require authentication: This setting enables the authentication usage. A user must use his email address and his password to identify himself, authenticated users can relay mail through the server. An account alias cannot be used to authenticate.
2 3

Postfix The Postfix Home Page http://www.postfix.org . Dovecot Secure IMAP and POP3 Server http://www.dovecot.org .



In the Mail → General → Mail server options → Options section you may configure the general settings for the mail service: Smarthost to send mail: Domain name or IP address of the smarthost. You could also specify a port appending the text :[port_number ] after the address. The default port is the standard SMTP port, 25. If this option is set eBox will not send its messages directly, but each received email will be forwarded to the smarthost without keeping a copy. In this case, eBox would be an intermediary between the user who sends the email and the server which is the real message sender. Smarthost authentication: Whether the smarthost requires authentication using a user and password pair or not.


eBox 1.4 for Network Administrators

Server mailname: This sets the visible mail name of the system, it will be used by the mail server as the local address of the system. Postmaster address: The postmaster address by default is aliased to the root system user but it could be set to any account, belonging to any of managed virtual mail domains or not. This account is intended to be a standard way to reach the administrator of the mail server. Automatically-generated notification mails will typically use postmaster as reply address. Maximum mailbox size allowed: Using this option you could indicate a maximum size in MB for any user mailboxes. All mail which surpasses the limit will be rejected and the sender will be emailed a notification. This setting could be overridden for any user in the Users and Groups → Users page. Maximum message size accepted: Indicates, if necessary, the maximum message size accepted by the smarthost in MB. This is enforced regardless of any mailbox size limit. Expiration period for deleted mails: If you enable this option those mail messages which are in the users’ trash folder will be deleted when their dates passes the day limit. Expiration period for spam mails: This option applies the same way as above option but regarding to the users’ spam folder. In order to configure the mail retrieval services go to the Mail retrieval services section. There eBox may be configured as POP3 and/or IMAP server, their secure versions POP3S and IMAPS are available too. Also the retrieve email for external accounts and ManageSieve services could be enabled in this section, we will discuss those services in Mail retrieval from external accounts section. In addition to this, eBox may be configured to relay mail without authentication from some network addresses. To do so, you can add relay policies for network objects through Mail → General → Relay policy for network objects. The policies are based on the source mail client IP address. If the relay is allowed from an object, then each object member may relay emails through eBox.



Warning: Be careful when using an Open Relay policy, i.e., forwarding email from everywhere, since your mail server will probably become a spam source. Finally, the mail server may be configured to use a content filter for their messages 4 . To do so, the filter server must receive the message from a fixed port and send the result back to another established port where the mail server is bound to listen the response. Through Mail Mail filter options, you may choose a custom server or eBox as mail filter.

→ General →


In Mail Filter section this topic is deeply explained.


eBox 1.4 for Network Administrators

Email account creation through virtual domains In order to set up an email account with a mailbox, a virtual domain and a user are required. From Mail → Virtual Mail Domains, you may create as many virtual domains as you want. They provide the domain name for email accounts for eBox users. Moreover, it is possible to set aliases for a virtual domain. It does not make any difference to send an email to one virtual domain or any of its aliases.

In order to set up email accounts, you have to follow the same rules applied configuring any other user-based service . From Users and Groups

→ Users → Edit Users → Create mail account. You

select the main virtual domain for the user there. If you want to establish to the user more than a single email address, you can create aliases. Behind the scenes, the email messages are kept just once in a mailbox. However, it is not possible to use the alias to authenticate, you always have to use the real account.

Note that you can decide whether an email account should be created by default when a new user is added or not. You can change this behaviour in Users and Groups Mail Account. Likewise, you may set up aliases for user groups. Messages received by these aliases are sent to every user of the group which has an email account. Group aliases are created through Users and Groups → Groups → Create alias mail account to group. The group aliases are only available when, at least, one user of the group has an email account.

→ Default User Template →



You may define alias to external accounts as well. The mail sent to that alias will be forwarded to the external account. This kind of aliases are set on a virtual domain basis and does not require any email account and could be set in Mail → Virtual Domains → External accounts aliases.

Queue Management From Mail

→ Queue Management, you may see those email messages that haven’t already been

delivered. All the information about the messages is displayed. The allowed actions to perform are: deletion, content viewing or retrying sending (re-queuing the message again). There are also two buttons to delete or requeue all messages in queue.

Mail retrieval from external accounts You could configure eBox to retrieve email messages from external accounts, which are stored in external servers, and deliver them to the user’s mailboxes. In order to configure this you have to enable this service in Mail

→ General → Mail server options → Retrieval services section. Once it

is enabled, the users will have their mail fetched from their external accounts and delivered to their internal account’s mailbox. Each user can configure its external accounts through the user corner 5 . The user must have a email account to be able to do this. The external servers are pooled periodically so email retrieval is not instantaneous. To configure its external accounts, a user have to login in the user corner and click on Mail retrieval from external mail accounts in the left menu. In this page a list of user’s external accounts is shown, the user can add, edit and delete accounts. Each account has the following fields: External account: The username or the mail address required to login in the external mail retrieval service. Password: Password to authenticate the external account.

The user corner configuration is explained in User Corner section


eBox 1.4 for Network Administrators

Mail server: Address of the mail server which hosts the external account. Protocol: Mail retrieval protocol used by the external account, it may be one of the following: POP3, POP3S, IMAP or IMAPS. Port: Port used to connect to the external mail server.

For retrieving external emails, eBox uses the Fetchmail 6 software.

Sieve scripts and ManageSieve protocol The Sieve language 7 allows the user to control how his mail messages are delivered, so it is possible to classify it in IMAP folders, forward it or use a vacation message among other things. The ManageSieve is a network protocol that allows the users to easily manage their Sieve scripts. To be able to use ManageSieve, it is required an email client that understands this protocol.

To enable ManageSieve in eBox you have to turn on the service in Mail → General → Mail server options -> Retrieval services and it could be used by all the users with email account. In addition to this, if ManageSieve is enabled and the webmail scripts will be available in the webmail interface. The ManageSieve authentication is done with the email account of the user and its password. Sieve scripts of an account are executed regardless of the ManageSieve protocol option value.
6 7 8 9


module in use, a management interface for Sieve

Fetchmail The Fetchmail Home Page http://fetchmail.berlios.de/ . For more info check out this page http://sieve.info/ . See a list of clients in this page http://sieve.info/clients The webmail module is explained in WebMail service chapter.



Email client configuration Unless users may use email only through the webmail or the egroupware webmail application, users would like to configure their email clients to use eBox’s mail server. The values of the required parameters would depend on the exact configuration of the module. Please note that different email clients could use other names for these parameters, so due to the great number of clients available this section is merely guidance.

5.1.4 SMTP parameters
SMTP server: Enter the address of your eBox server. It could be either an IP address or a domain name. SMTP port: 25, if you are using TLS you could instead use the port 465. Secure connection: Select TLS if you have enabled TLS for SMTP server:, otherwise select none. If you are using TLS please read the warning below about SSL/TLS. SMTP username: Use this if you have enabled Require authentication. Use as username the full email address of the user, don’t use the username nor any of his mail aliases. SMTP password: It is the user password.

5.1.5 POP3 parameters
You can only use POP3 settings when POP3 or POP3S services are enabled in eBox. POP3 server: Enter your eBox address likewise in the SMTP parameters section above. POP3 port: 110 or 995 if you are using POP3S. Secure connection: Select SSL if you are using POP3S, otherwise none. If you are using POP3S please read the warning below about SSL/TLS. POP3 username: Full email address, as above avoid the user name or any of his email aliases. POP3 password: User’s password.


eBox 1.4 for Network Administrators

5.1.6 IMAP parameters
IMAP configuration could be only used if either IMAP or IMAPS services are enabled. As you will see the parameters are almost identical to POP3 parameters. IMAP server: Enter your eBox address likewise in the SMTP parameters section above. IMAP port: 443 or 993 if you are using IMAPS. Secure connection: Select SSL if you are using IMAPS, otherwise none. If you are using IMAPS please read the warning below about SSL/TLS. IMAP username: Full email address, as above avoid the user name or any of his email aliases. IMAP password: User’s password. Warning: In client implementations there are some confusion about the use of SSL and TLS

protocols. Some clients use SSL to mean that they will try to connect with TLS, others use TLS as a way to say that they will try to connect to the secure service through a port used normally by the plain version of the protocol.. In fact in some clients you will need to try both SSL and TLS modes to find which one works. You have more information about this issue in this page http://wiki.dovecot.org/SSL , from the dovecot’s wiki.

5.1.7 ManageSieve client parameters
To connect to ManageSieve, you will need the following parameters: Sieve server: The same that your IMAP or POP server. Port: 4190, be warned that some applications use, mistakenly, the port number 2000 as default for ManageSieve. Secure connection: Set to true Username: Full mail address, as above avoid the user name or any of his email aliases. Password: User’s password. Some clients allows you to select the same authentication than your IMAP or POP3 account if this is allowed, select it.



Catch-all account A catch-all account is those which receives a copy of all the mail sent and received by a mail domain. eBox allows you to define a catch-all account for every virtual domain; to define it you must go to Mail

→ Virtual Mail Domains and then click in the Settings cell.
All the messages sent and received by the domain will be emailed as Blind Carbon Copy (BCC) to the defined address. If the mail to the catch-all address bounces, it will be returned to the sender.

Practice example
Set up a virtual domain for the mail service. Create a user account and a mail account within the domain for that user. Configure the relay policy to send email messages. Send a test email message with the new account to an external mail account. 1. Action: Log into eBox, access Module status and enable Mail by checking its checkbox in the Status column. Enable Network and Users and Groups first if they are not already enabled. Effect: eBox requests permission to overwrite certain files. 2. Action: Read the changes of each of the files to be modified and grant eBox permission to overwrite them. Effect: The Save changes button has been enabled. 3. Action: Go to Mail → Virtual Mail Domains and click Add new to create a new domain. Enter the name in the appropriate field. Effect: eBox notifies you that you must save changes to use this virtual domain. 4. Action: Save the changes. Effect: eBox displays the progress while the changes are being applied. Once this is completed, you will be notified. Now you may use the newly created virtual mail domain. 5. Action: Enter Users and Groups Create and Edit button. Effect: The user is added immediately without saving changes. The edition screen is displayed for the newly created user.

→ Users → Add User, fill up the user data and click the


eBox 1.4 for Network Administrators

6. Action: (This action is only required if you have disable the automatic creation of email accounts in Users and Groups –> Default User Template –> Mail Account). Enter a name for the user mail account in Create mail account and create it. Effect: The account has been added immediately and options to delete it or add aliases for it are shown. 7. Action: Enter the Object → Add new menu. Fill in a name for the object and press Add. Click on Members in the created object. Fill in again a name for the member and write the host IP address where the mail will be sent from. Effect: The object has been added temporarily and you may use it in other eBox sections, but it is not persistent until you save changes. 8. Action: Enter Mail

→ General → Relay policy for network objects. Select the previously

created object making sure Allow relay is checked and add it. Effect: The Save changes button has been enabled. 9. Action: Save the changes Effect: A relay policy for that object has been added, which makes possible from that object to send e-mails to the outside. 10. Action: Configure a selected MUA in order to use eBox as SMTP server and send a test email message from this new account to an external one. Effect: After a brief period you should receive the message in your external account mailbox. 11. Action: Verify using the mail server log file /var/log/mail.log that the email message was delivered correctly.


WebMail service
The webmail service allows users to read and send mail using a web interface provided by the mail server itself. Its main advantages are the no client configuration required by the user and easily accessible from any web browser that could reach the server. Their downsides are that the user experience is poorer than with most dedicated email user software and that web access should be allowed by the server. It also increases the server work load to render the mail messages, this job is done by the client in traditional email software.



eBox uses Roundcube to implement this service 10 .

5.2.1 Configuring a webmail in eBox
The webmail service is enabled like another eBox service. However, it requires the mail module is configured to use either IMAP, IMAPS or both and the webserver module enabled. If it is not, webmail will refuse to enable itself.

Webmail options You can access to the options clicking in the Webmail section in the left menu. You may establish the title that will use the webmail to identify itself, this title will be shown in the login screen and in the page HTML titles.

Login into the webmail In order to log into the webmail, firstly HTTP traffic must be allowed by the firewall from the source address used. The webmail login screen is available at http://[eBox’s address]/webmail from the browser. Then it has to enter his email address and his password. He has to use his real email address, an alias will not work.
Roundcube webmail http://roundcube.net/ The mail configuration in eBox is deeply explained in Electronic Mail Service (SMTP/POP3-IMAP4) section and the webserver module is explained in Web data publication service (HTTP) section.
11 10


eBox 1.4 for Network Administrators

SIEVE filters The webmail software also includes an interface to manage SIEVE filters. It will only be available if the ManageSIEVE protocol is enabled in the mail service.


Instant Messaging (IM) Service (Jabber/XMPP)
Instant messaging (IM) applications manage a list of people with whom one wishes to stay in touch by exchanging messages. They convert the asynchronous communication provided by email in a synchronous communication in which participants can communicate in real time. Besides the basic conversation, IM has other benefits such as: • Chat rooms. • File transfer. • Status updates (e.g.: you are busy, on the phone, away or idle). • Shared whiteboard to view and show drawings with contacts. • Simultaneous connection from devices with different priorities (e.g.: from the mobile and the computer, giving preference to one of them for receiving messages). Nowadays, there are many instant messaging protocols such as ICQ, AIM, MSN or Yahoo! Messenger, whose operation is essentially privative and centralized. However, Jabber/XMPP is a set of protocols and technologies that enable the development of distributed messaging. These protocols are public, open, flexible, extensible, distributed and secure.

Check out Sieve scripts and ManageSieve protocol section for more information



Moreover, although Jabber/XMPP is still in the process of becoming an international standard, it has been adopted by Cisco or Google (for its messaging service Google Talk) among others. eBox employs Jabber/XMPP as its IM protocol integrating users with Jabber accounts. jabberd2

XMPP server is being used for eBox Jabber/XMPP service.

5.3.1 Configuring a Jabber/XMPP server with eBox
To configure the Jabber/XMPP server in eBox, first check in Module Status if the Users and Groups module is enabled, as Jabber depends on it. Then, mark the Jabber checkbox to enable the Jabber/XMPP eBox module.

Figure 5.2: Jabber General Configuration

To configure the service, go to Jabber in the left menu, setting the following parameters: Domain Name: Specifying the domain name of the server. User accounts will be user@domain. Tip: domain should have an entry in the DNS server, so it can be resolved from the clients. Connect to other servers: To allow our users contact users in external servers, and the other way around, check this box. Otherwise, if you want a private server for your internal network, it should be left unchecked.

jabberd2 - XMPP server <http://jabberd2.xiaoka.com/>.


eBox 1.4 for Network Administrators

Enable Multi User Chat (MUC): Enables conference rooms (chat for more than two users). Tip: the conference rooms are under the domain conference.domain which like the Domain Name should have an entry in the DNS server, so it can be resolved from the clients too. SSL Support: It specifies whether the communications (authentication and chat messages) with the server are encrypted or plaintext. You can disable it, make it mandatory or leave it as optional. If you set it as optional, this setting will be selected from the Jabber client. To create a Jabber/XMPP user account, go to Users → Add User if you want to create a new user account, or to Users → Edit User if you just want to enable the Jabber account for an already existing user account.

Figure 5.3: Setting up a Jabber account

As you can see, a section called Jabber Account will appear, where you can select whether the account is enabled or disabled. Moreover, you can specify whether the user will have administrator privileges. Administrator privileges allow to see which users are connected to the server, send them messages, set the message displayed when connecting (MOTD, Message Of The Day) and send a notice to all users connected (broadcast).

5.3.2 Setting up a Jabber client
To illustrate the configuration of a Jabber client, we will use Pidgin and Psi, but if you use another client, the next steps should be very similar.



Pidgin Pidgin 14 is a multi-protocol client that allows to manage multiple accounts at the same time. In addition to Jabber/XMPP, Pidgin supports many other protocols such as IRC, ICQ, AIM, MSN and Yahoo!. Pidgin was included by default in the Ubuntu desktop edition until Karmic, but still is the most popular IM client. You can find it in the menu Internet shown in the picture.

→ Pidgin Internet Messenger. When starting

Pidgin, if you do not have any account configured yet, the window to manage accounts will appear as

From this window, you can add new accounts, modify and delete existing accounts. Clicking on Add, two tabs with the basic and advanced configuration will appear. For the Basic configuration of your Jabber account, start by selecting the protocol XMPP. The Username and Password should be the same that the Jabber enabled user account has on eBox. The Domain must be the same that is set up in the Jabber/XMPP eBox module configuration. Optionally, in the field Local alias, write the name you want to show to your contacts.

Pidgin, the universal chat client <http://www.pidgin.im/>.


eBox 1.4 for Network Administrators

On the Advanced tab we can configure the SSL/TLS settings. By default Require SSL/TLS is checked, so if we disabled on eBox the SSL Support we must uncheck this and check Allow plaintext auth over unencrypted streams.



If we didn’t change the default SSL certificate a warning will be raised asking whether we want to accept it.


eBox 1.4 for Network Administrators

Psi Psi

is a Jabber/XMPP client that allows to manage multiple accounts at the same time. Fast and

lightweight, Psi is fully open-source and compatible with Windows, Linux, and Mac OS X. When starting Psi, if you do not have any account configured yet, a window will appear asking to use an existing account or registering a new one as shown in the picture. We will select Use existing account.

On the Account tab we will setup the basic configuration like the Jabber ID or JID which is user@domain and the Password. The user and password should be same that the Jabber enabled user account has on eBox. The domain must be the same that is set up in the Jabber/XMPP eBox module configuration.


Psi, The Cross-Platform Jabber/XMPP Client For Power Users <http://psi-im.org/>.



On the Connection tab we can find the SSL/TLS settings between other advanced configuration. By default Encrypt connection: When available is selected. If we disabled on eBox the SSL Support we must change Allow plaintext authentication to Always.

If we didn’t change the default SSL certificate a warning will be raised asking whether we want to accept it. To avoid this message check Ignore SSL warnings on the Connection tab from last step.

The first time we connect the client will raise a harmless error because we haven’t published our personal information on the server yet.


eBox 1.4 for Network Administrators

Optionally we can publish some information about ourselves here.

Once published, this error won’t appear again.

5.3.3 Setting up Jabber MUC (Multi User Chat) rooms
Jabber MUC or Multi User Chat is a service that allows multiple users exchange messages in the context of a room. Features like room topics, invitations, ability to kick and ban users, require password to join a room and many more are available in Jabber MUC rooms. For a full specification of MUC check, XEP-0045: Multi-User Chat 16 draft. Once we have enabled Enable Multi User Chat (MUC) on the Jabber eBox menu entry, all further room configuration is done from the Jabber clients. Everybody can create a room on the Jabber/XMPP eBox server and the user who creates a room is the administrator for that room. This administrator can set up all the settings, add other users as moderators or administrators and destroy the room.

The Jabber/XMPP chat rooms specification is available in <http://xmpp.org/extensions/xep-0045.html>.



One of the settings that we should highlight is Make Room Persistent. By default all the rooms are destroyed shortly after the last participant leaves. These are called dynamic rooms and are the preferred method for multi-user chats. On the other hand, persistent rooms must be destroyed by one of its administrators and are usually setup for work-groups or topics. On Pidgin to join a chat room go to Buddies –> Join a Chat.... A Join a Chat window will pop up asking for some information like the Room name, the Server which should be conference.domain, the user Handle or nickname and the room Password if needed.

First user in joining a non existent room will lock it and will be asked whether Configure Room or Accept Defaults.

On Room Configuration will be able to set up all the possible settings for the room. This configuration window can be opened later typing /config in the room chat window.


eBox 1.4 for Network Administrators

Once configured, other users will be able to join the room under the settings applied, leaving the room unlocked ready to use.

On Psi to join a chat room we should go to General –> Join Groupchat. A Join Groupchat window will pop up asking for some information like the Host which should be conference.domain, the Room name, the user Nickname and the room Password if needed.

First user joining a non existent room will lock it and will be asked to configure it. On the top right corner, a button will show a context menu with the Configure Room option.



On Room Configuration will be able to set up all the possible settings for the room.

Once configured, other users will be able to join the room under the settings applied, leaving the room unlocked ready to use.

5.3.4 Practical example
Enable the Jabber/XMPP service and assign to it a domain name that eBox and the clients are able to resolve. 1. Action: Go to Module Status and enable the module Jabber. When the info about the actions required in the system is displayed, allow them by clicking Accept. Effect: Enabled the button Save Changes. 2. Action: Add a domain with the desired name and whose IP address is the eBox server one, in the same way done in Practical example B.


eBox 1.4 for Network Administrators

Effect: You will be able to use the added domain as the domain for your Jabber/XMPP service. 3. Action: Access the menu Jabber. In the field Domain Name, write the domain name just added. Click Apply Changes. Effect: Save Changes has been enabled. 4. Action: Save the changes. Effect: eBox shows the progress while applying the changes. When it finish, a message will be displayed. Now the Jabber/XMPP service is ready to be used.


Voice over IP service
Voice over IP or VoIP involves transmitting voice over data networks using different protocols to send the digital signal through packets instead of using analog circuits. Any IP network can be used for this purpose, including private or public networks such as Internet. There are huge cost savings using the same network for data and voice without losing quality or reliability. The main issues of VoIP deployments over data networks are NAT difficulties and QoS considered.
18 17

with its management

, because of the need to offer a quality real-time service where latency (the

time it takes for data to arrive at destination), jitter (variations on latency) and bandwidth have to be

5.4.1 Protocols
There are several protocols involved in the voice transmission, from network protocols like IP and transport protocols like TCP or UDP, to voice protocols both for signaling and transport. VoIP signaling protocols accomplish the task of establishing and controlling the call. SIP, IAX2 and H.323 are signaling protocols. The most widely used voice transport protocol is RTP (Realtime Transport Protocol), which carries the encoded voice from origin to destination. This protocol starts once the call has been established by the signaling protocol.
17 18

Concept explained in Firewall section. Concept explained in Traffic shaping section.



SIP SIP (Session Initiation Protocol) is a protocol created by the IETF 19 for the establishment, modification and termination of interactive multimedia sessions. It incorporates many elements of HTTP and SMTP. SIP only handles signaling and works over the UDP/5060 port. Multimedia transmission is handled by RTP over the port range UDP/10000-20000.

IAX2 IAX2 is the second version of the Inter Asterisk eXchange protocol, created for connecting Asterisk

PBX systems. The main feature for this protocol is that voice and signaling travel through the same data stream, this is called trunking. This way it can traverse NAT easily and there is less overhead when trying to keep multiple communication channels open among servers. Also with this protocol the communication can be encrypted. IAX2 works on UDP/4569 port.

5.4.2 Codecs
A codec is an algorithm that adapts digital information (encoding at origin and decoding at destination) to compress it, reducing bandwidth usage, detecting and recovering from transmission errors. G.711, G.729, GSM and speex are common codecs for VoIP. G.711: It is one of the most used codecs. It comes in two flavors: an American one (ulaw) and an European one (alaw). This codec offers good quality, but it has significant bandwidth requirements (64kbps), which makes it a common choice for communication over local networks. G.729: It offers a better compression using only 8kbps, being ideal for Internet communications. There are some usage restrictions on this codec. GSM: It is the same codec that is used in mobile networks. Voice quality is not very good and it uses around 13kbps. speex: It is a patent-free codec specially designed for voice. It is very versatile, though it uses more CPU than others. It can work at different bit rates, such as 8KHz, 16KHz and 32KHz, usually referred as narrowband, wideband and ultra-wideband, each consuming 15.2kbps, 28kbps and 36kbps respectively.
19 20

Internet Engineering Task Force develops and promotes communication standards used on Internet. Asterisk is a PBX software that eBox uses for its VoIP module <http://www.asterisk.org/>.


eBox 1.4 for Network Administrators

5.4.3 Deployment
Let’s cover the elements involved in a VoIP deployment:

IP Phones They are phones with a traditional look but with a RJ45 connector to plug them to an Ethernet data network instead of the RJ11 connector for analog telephone networks. They add also new features like address book or call automation not present in regular analog phones. These phones talk usually SIP directly with the server and any other clients.

Analog Adapters Analog adapters, also known as ATA (Analog Telephony Adapter ) can connect a traditional analog phone to a data network and make it work like an IP phone. They have a RJ45 data port and one or more RJ11 analog ports.

Softphones Softphones are computer programs to make and receive calls without additional hardware (except the computer microphone and speakers). There are multiple applications for all platforms and operating systems. X-Lite and QuteCom (WengoPhone) are available for Windows, MacOS X and GNU/Linux. Ekiga or Twinkle are native GNU/Linux applications.



Figure 5.4: QuteCom


eBox 1.4 for Network Administrators

Figure 5.5: Twinkle

IP PBXs In contrast to traditional telephony which routed all calls through a central PBX, VoIP clients (IP phones or softphones) register on the server, ask him for the call recipient information and then establish the call directly. When establishing the call, the caller and the recipient negotiate a common codec for the voice transmission. Asterisk is a software only application that works in commodity servers, providing the features of a PBX (Private Branch eXchange): connect multiple phones amongst them and with a VoIP provider or the analog telephone network. It also offers services such as voice mail, conferences, interactive voice responses, etc. To connect the Asterisk server to the public network, it needs extra cards called FXO (Foreign eXchange Office) which allow Asterisk to act like a regular phone and route calls through the phone network. To connect an analog phone to the server, it needs a FXS (Foreign eXchange Station) card. That way, existing phones can be adapted to the new IP telephony network.

Figure 5.6: Digium TDM422E FXO and FXS card



5.4.4 Asterisk server configuration with eBox
eBox VoIP module allows you to manage an Asterisk server with the users that already exist on the system LDAP server, and the most common features configured.

As usual, the module must be enabled first. Go to Module Status and select the VoIP checkbox. If the Users and Groups is not enabled, it should be enabled beforehand. To change the general configuration, go to VoIP parameters should be configured:

→ General. Once there, the following general

Enable demo extensions: It enables extensions 400, 500 and 600. A call to extension 400 starts music on hold if configured. Extension 500 starts an IAX call to guest@pbx.digium.com. Extension 600 provides an echo test to estimate your call latency. These extensions can help to check if a client is well configured.


eBox 1.4 for Network Administrators

Enable outgoing calls: It enables outgoing calls through a SIP provider to call regular phones. To call through the SIP provider, add an additional zero before the number to call. For instance, to call eBox Technologies offices (+34 976733507 or 0034976733506) dial 00034976733506. Voicemail extension: It is the extension to call to check the voicemail. User and password are both the extension assigned by eBox when creating the user, or assigned for the first time. It is strongly recommended to change that password immediately from the User Corner

. The

application listening on this extension allows you to change the welcome message, listen to recorded messages and delete them. For security reasons, it is only accessible by the users of the eBox server, so it does not accept incoming calls from other servers. VoIP domain: It is the domain assigned to the user addresses. For example, a user user with an extension 1122 can be called at user@domain.tld or 1122@domain.tld. In the SIP provider section, enter the credentials supplied by the SIP provider, so eBox can route calls through it: Provider: If you are using eBox VoIP Credit

, select this option which will configure your provider

name and server. Otherwise use Custom. Name: It is the identifier of the provider in eBox. User name: It is the user name to log in the provider. Password: It is the password to log in the provider. Server: It is the provider server. Recipient of incoming calls: It is the internal extension that will receive the incoming calls to the provider account. The NAT configuration section defines the network location of your eBox host. If it has a public IP address, the default option eBox is behind NAT is not appropriate. If it has a private IP address, Asterisk needs to know your Internet public IP address. If you have a fixed public address, select Fixed IP address and enter it; if the IP is dynamic, configure the dynamic DNS service (DynDNS) available in Network hostname. In the Local networks section, you can add the local networks to which eBox has direct access without NAT, like VPN or not configured network segments, like a wireless network. This is required to make SIP work with NAT environments.
21 22

→ DynDNS (or configure it manually) and enter the domain name in Dynamic

Explained in the section User Corner . You may buy eBox VoIP credit in our store.



The conference configuration is accessed through VoIP

→ Meetings. There you can configure

multiple conference rooms. These rooms extension should fit in the 8001-8999 range and optionally have a password and a description. These extensions can be accessed from any server by dialing extension@domain.tld.

When editing a user, you will be able to enable and disable this user VoIP account and change his extension. Take in account that an extension can only be assigned to one user and no more, if you need to call more than one user from an extension, you must use queues. When editing a group, you will be able to enable and disable this group queue. A queue is an extension where all the users who belong to this queue ring when is called. If you want to configure music on hold, drop your MP3 songs to /var/lib/asterisk/mohmp3/ and install the mpg123 package.

5.4.5 Configuring a softphone to work with eBox
Ekiga (Gnome) Ekiga

is the softphone (or VoIP client) recommended by the Gnome desktop environment. When

first launched, Ekiga presents a wizard to configure the user’s personal data, audio and video devices, the connection to the Internet and the Ekiga.net‘s services. We can skip the configuration of both Ekiga.net and Ekiga Call Out. From Edit –> Accounts, selecting Accounts –> Add a SIP Account you can configure your VoIP account in eBox Platform. Name: Identifier of the account inside Ekiga.

Ekiga: Free your speech <http://ekiga.org/>


eBox 1.4 for Network Administrators




eBox 1.4 for Network Administrators

Register server: Domain name of the VoIP server. User and User for authentication: Both are the user name. Password: User password.

After setting the account, it will attempt to register on the server.

To make a call is as simple as typing the number or SIP address on the top bar, and call using the green phone icon to the right of the bar. To hang up, use the red phone icon.

Qutecom (Multiplatform) Qutecom 24 is a softphone that uses Qt4 libraries, what makes it available for the three more popular operating systems: GNU/Linux, OSX and Windows. When launched first time it shows a wizard to configure the VoIP account, as Ekiga does.

QuteCom: Free VOIP Softphone <http://www.qutecom.org>




eBox 1.4 for Network Administrators

You have a keypad or a list of contacts to make calls. Use the green/red buttons at the bottom to call and hang up.

5.4.6 Using eBox VoIP features
Call transferring The call transferring feature is quite simple. While you are on a conversation, press # and then dial the extension where you want to transfer the current call. You can hang up at that time as the call will be ringing on the called extension.

Call parking The extension 700 is the call parking. While you are on a conversation, press # to initiate a transfer, then dial 700. The extension where the call has been parked will the announced to the called, and the caller will listen the music on hold, if configured. You can hang up now. From a different phone or different user dial that announced extension and you will wake up the parked user and you will be able to speak with him. On eBox, the call parking can hold up to 20 current calls and the maximum time a call can wait parked is 300 seconds.



5.4.7 Example
Create a user with a VoIP account. Change the extension to 1500. 1. Action: Log into eBox, click on Module status and enable the VoIP module by clicking the checkbox in the Status column. If Users and Groups is not enabled you should enable it previously. Then you will be informed about the changes that are going to take place in the system. You should allow these actions by clicking the Accept button. Effect: The Save Changes button has been activated. 2. Action: Go to VoIP. Write the machine’s domain name in VoIP Domain. The domain should be resolvable from the machines of the service clients. Click on Change. 3. Action: Save the changes done. Effect: eBox shows its progress while applying the changes. Once it is done, it shows it. VoIP service is ready to be used. 4. Action: Access the Users and Groups → Users → Add User menu. Fill in the form to create a new user. Click on Create and Edit. Effect: eBox creates a new user and shows you its profile. 5. Action: In the section VoIP Account, eBox shows if the user has its account enabled or disabled, and also its extension. Make sure that the account is enabled, all the users created while the VoIP module is enabled should have their account also enabled. Finally, change the extension given by defect (say, the first free extension of the range of users), to the extension 1500. Click on Apply changes in the VoIP Account section. Effect: eBox apply the changes immediately. The user is able to receive calls in that extension.


eBox 1.4 for Network Administrators


Chapter 6 eBox Unified Threat Manager

This section will explain different techniques to protect your network beyond a simple firewall, preventing external attacks, and detecting possible intrusions into your network services. An email service without a spam filter is a waste of time and resources. This section shows different techniques to avoid junk mail (spam) and viruses in the email service provided by eBox. Web traffic can also bring problems depending on the sites visited. Therefore, in this section we explain the integration of the content filtering of the HTTP proxy with an antivirus and several advanced configurations to provide greater security to the Internet browsing of the users in the network. We will also explain how to allow the employees outside the office to securely connect your local network, or how to make connections between offices by using virtual private networks. For that we will define the bases of the network security. Finally, it is explained how the intrusion detection system uses rulesets to match the contents of the traffic packages in order to detect external attacks. You can get notifications of possible attacks and analyze the damage they may have caused.


Mail Filter
The main threats in electronic mail system are spam and virus. Spam, or not desired email, makes the user waste time looking for the legitimate emails in the inbox. Moreover, spam generates a lot of network traffic that could affect the network and email services.


eBox 1.4 for Network Administrators

Although the virus do not harm the system where eBox is installed, an infected email could affect other computers in the network.

6.1.1 Mail filter schema in eBox
To defend ourselves from these threats, eBox has a mail filter quite powerful and flexible.

Figure 6.1: eBox’s mail filter schema

In the figure, we can observe the different steps that a message follows before tagging it. First, the email server sends it to the greylisting policies manager. If the email passes through the filter, spam and viruses are checked next using a statistical filter. Finally, if everything is OK, the email is considered valid and is sent to its recipient or stored in the server’s mailbox. In the following section, details on those filters and its configuration will be explained in detail.

Greylist A greylist 1 is a method of defense against spam which does not discard emails, but makes life harder for the spammers. In the case of eBox, the strategy is to pretend to be out of service. When a server wants to send a new mail, eBox says “I’m out of service at this time, try in 300 seconds” 2 . If the server meets the specification, it will send the message again a bit later and eBox will consider it as a valid server.
1 2

eBox uses postgrey http://postgrey.schweikert.ch/ as the policy manager in postfix. Actually the mail server sends as response “Greylisted”, say, put on the greylist.



In eBox, the greylist exempts the mail sent from internal networks, from objects with an allowed mail relay policy and from addresses that are in the antispam whitelist. However, the servers that send spam do not usually follow the standard. They will not try to send the email again and we would have avoided the spam messages.

Figure 6.2: Schematic operation of a greylist

Greylisting is configured from Mail → Greylist with the following options:

Enabled: Set to enable greylisting. Greylist duration (seconds): Seconds the sending server must wait before sending the mail again. Retry window (hours): Time (in hours) when the sender server can send email. If the server has sent any mail during that time, that server will go down in the grey list. In a grey list, the mail server can send all the emails you want without temporary restrictions.


eBox 1.4 for Network Administrators

Entry time-to-live (days): Days that data will be stored in the servers evaluated in the greylist. After the configured days, the mail server will have to pass again through the greylisting process described above.

Content filtering system Mail content filtering is provided by the antivirus and spam detectors. To perform this task, eBox uses an interface between the MTA (postfix) and those programs. amavisd-new

talks with the MTA via

(E)SMTP or LMTP (Local Mail Transfer Protocol RFC 2033) to check that the emails are not spam neither contain viruses. Additionally, this interface performs the following checks: • White and black lists of files and extensions. • Malformed headers.

Antivirus The antivirus used by eBox is ClamAV 4 , which is an antivirus toolkit designed for UNIX to scan attachments in emails in an MTA. ClamAV updates its virus database through freshclam. This database is updated daily with new virus that have been found. Furthermore, the antivirus is able to scan a variety of file formats such as Zip, BinHex, PDF, etc.. In Antivirus, you can check if the antivirus is installed and up to date.

You can update it from Software Management, as we will see in Software Updates. If the antivirus is installed and up to date, eBox will use it in the following modules: SMTP proxy, POP proxy, HTTP proxy and even file sharing.
3 4

Amavisd-new: http://www.ijs.si/software/amavisd/ Clam Antivirus: http://www.clamav.net/



Antispam The spam filter works giving to each mail a spam score, if the mail reaches the spam threshold is considered as junk mail if not is considered as legitimate mail. The latter kind of mail is often called ham. The spam scanner uses the following techniques to assign scores: • DNS published blacklists (DNSBL). • URI blacklists that track spam websites. • Filters based on the checksum of messages. • Sender Policy Framework (SPF): RFC: 4408. • DomainKeys Identified Mail (DKIM) • Bayesian filter • Static rules • Other tests 5 Among this techniques the Bayesian filter should be further explained. This kind of filter does a statistical analysis content of the text of the message, giving a score which reflects the probability of being spam for the message. However, the analysis is not done against a set of static rules but against a dynamic one, which is created supplying ham and spam messages to the filter. So it could learn from them what are the statistical features from each type. The advantage of this technique is that the filter could adapt to the ever-changing flow of spam messages, the downsides are that the filter needs to be trained and its accuracy depends on the quality of the received training. eBox uses Spamassassin 6 as spam detector. The general configuration of the filter is done from Mail filter → Antispam:
5 6

A long list of antispam techniques can be found in http://en.wikipedia.org/wiki/Anti-spam_techniques_(e-mail) The Powerful #1 Open-Source Spam Filter http://spamassassin.apache.org .


eBox 1.4 for Network Administrators

Spam threshold: Mail will be considered spam if the score is above this number. Spam subject tag: Tag to be added to the mail subject when it is classified as spam. Use Bayesian classifier: If it is marked, the Bayesian filter will be used. Otherwise, it will be ignored. Auto-whitelist: It takes into account the history of the sender when rating the message. That is, if the sender has sent some ham emails, it is highly probable that the next email sent by that sender is also ham. Auto-learn: If it is enabled, the filter will learn from messages which hit the self learning thresholds. Autolearn spam threshold: The automatic learning system will learn from spam emails that have a score above this value. It is not appropriate to set a low value, since it can subsequently lead to false positives. Its value must be greater than the spam threshold. Autolearn ham threshold: The automatic learning system will learn from ham emails that have a score below this value. It is not appropriate to put a high value, since it can cause false negatives. Its value should be less than 0.



From Sender Policy we can configure some senders so their mail is always accepted (whitelist), always marked as spam (blacklist) or always processed by the spam filter (process). From Train Bayesian spam filter we can train the Bayesian filter sending it a mailbox in mbox format [#] _ containing only spam or ham. There are many sample files in the Internet to train a Bayesian filter but normally is more accurate to use mail received by the sites which will be filtered. The more trained the filter is, the better the spam detection.

File-based ACLs It is possible to filter files attached to mails using Mail filter → Files ACL (Access Control Lists). There, we can allow or deny mail according to the extensions of the files attached or their Multipurpose Internet Mail Extensions (MIME) types.


eBox 1.4 for Network Administrators

Simple Mail Transfer Protocol (SMTP) mail filter From Mail filter

→ SMTP mail filter it is possible to configure the behavior of the filters when eBox

receives mail by SMTP. On the other hand, from General configuration we can set the general behavior for every incoming email:

Enabled: Check to enable the SMTP filter. Antivirus enabled: Check to make the filter look for viruses. Antispam enabled: Check to make the filter look for spam. Service’s port: Port to be used by the SMTP filter. Notify of non-spam problematic messages: We can send notifications to a mailbox when problematic (but not spam) emails are received, e.g., emails infected by virus. From Mail filter → Filter Policies, it is possible to configure what the filter must do with any kind of email.

For each kind of email problem, you can perform the following actions: Pass: Do nothing, let the mail reach its recipient. Reject: Discard the message before it reaches the recipient, notifying the sender that the message has been discarded.



Bounce: Like reject, but enclosing a copy of the message in the notification. Discard: Discards the message before it reaches the destination, without notice to the sender. From Mail Filter

→ Virtual Domains, the behavior of the filter for virtual email domains can be

configured. These settings override the general settings defined previously. To customize the configuration of a virtual domain email, click on Add new.

The parameters that can be overridden are the following: Domain: Virtual domain that we want to customize, from those configured in at Mail main. Use virus filtering / spam: If this is enabled, mail received for this domain will be filtered looking for viruses or spam. Spam threshold: You can use the default threshold score for spam or a custom value. Learn from accounts’ Spam IMAP folders: If enabled, when a email is put in the Spam IMAP folder the email is automatically learned as spam. Likewise if a email is moved from the Spam folder to a normal folder is learned as ham. Learning account for ham / spam: If enabled, ham@domain and spam@domain accounts will be created. spam. Once the domain is added, from Antispam policy for senders, it is possible to add addresses to its whilelist and its blacklist or even force every mail for the domain to be processed. Users can send emails to these accounts to train the filter. All mail sent to ham@domain will be learned as ham mail, while mail sent to spam@domain will be learned as

→ Virtual Do-


eBox 1.4 for Network Administrators

6.1.2 External connection control lists
From Mail Filter

→ SMTP Mail Filter → External connections, you can configure connections from

external MTAs, through its IP address or domain name, to the mail filter configured in eBox. In the same way, these external MTAs can be allowed to filter mail for those external virtual domains allowed in the configuration. This way, you can distribute your load between two machines, one acting as a mail server and another as a server to filter mail.

6.1.3 Transparent proxy for POP3 mailboxes
If eBox is configured as a transparent proxy, you can filter POP email. The eBox machine will be placed between the real POP server and the user to filter the content downloaded from the MTAs. To do this, eBox uses p3scan 7 . From Mail Filter → POP Transparent Proxy you can configure the behavior of the filtering:
Mbox and maildir are email storage formats, most email clients and servers use one of these. In the first one, all the emails in a directory are stored in a single file, while the second organizes the emails in different files within a directory.



Enabled: If checked, POP email will be filtered. Filter virus: If checked, POP email will be filtered to detect viruses. Filter spam: If checked, POP email will be filtered to detect spam. ISP spam subject: If the server marks spam mail with a tag, it can be specified here and the filter will consider these emails as spam.

Practical example Activate the mail filter and the antivirus. Send an email with a virus. Check that the filter is working properly. 1. Action: Access eBox, go to Module Status and enable the module mail filter. To do this, check the box in the column Status. You will have to enable network and firewall first in case they were not already. Effect: eBox asks for permission to override some files. 2. Action: Read the changes that are going to be made and grant eBox permission to perform them. Effect: Save Changes has been enabled. 3. Action: Go to Mail Filter → SMTP Mail Filter, check boxes for Enabled and Antivirus enabled and click on Change. Effect: eBox informs you about the success of the modifications with a Done message. 4. Action: Go to Mail → General → Mail filter options and select eBox internal mail filter. Effect: eBox will use its own filter system.


eBox 1.4 for Network Administrators

5. Action: Save changes. Effect: eBox shows the progress while applying the changes. Once it is done, it notifies about it. The mail filter with antivirus is enabled. 6. Action: Download the file http://www.eicar.org/download/eicar_com.zip, which contains a test virus and send it from your mail client to an eBox mailbox. Effect: The email will never reach its destination because the antivirus will discard it. 7. Action: Go to the console in the eBox machine and check the last lines of /var/log/mail.log using the tail command. Effect: There is a message in the log registering that the message with the virus was blocked, specifying the name of the virus: Blocked INFECTED (Eicar-Test-Signature)


HTTP Proxy advanced configuration
6.2.1 Filter profiles configuration
You can configure filter profiles in Proxy HTTP → Filter Profiles.

You can configure and create new profiles that could be used by user groups or network objects. The configuration options are exactly the same as the ones we explained for the default profile. There is just one thing that you have to take into account: it is possible to use the default profile values in other profiles. To do so, you only need to click on Use default configuration.



6.2.2 Filter profile per object
You can select a filter profile for a source object. The requests coming from this source will use the chosen profile instead of the default profile. To do so you should go to HTTP Proxy → Objects policy and change the filter profile in the object’s row. This option requires the object’s policy is set to Filter.

6.2.3 Group based filtering
You can use user groups as a way to control access and to apply different filtering profiles. The first step is to either set a global or a network object policy to any of these policies: Authorize and allow all, Authorize and deny all or Authorize and filter. If any of these policies is set, users will have to provide credentials to be able to use the HTTP proxy. Warning: Please note that you cannot use HTTP authentication with the transparent proxy mode enabled due to protocol limitations. If you set a global policy that uses authentication you will also be able to use this global policy for any group. This policy allows you to control the access of group members and apply a custom filtering profile. Group policies are managed in the menu entry named HTTP Proxy

→ Group Policy. You can

allow or deny the access for a given group. Note that this only affects the browsing. The use of the content filter for the group depends on whether you have a global policy or group policy that is set to filter. You can schedule when the group is allowed to browse. If a group member tries to use the proxy out of the set schedule they will be denied access.


eBox 1.4 for Network Administrators

Each group policy has a priority given by its position in the list (top-bottom priority). Priority is important because users can be members of several groups. The policy applied to the user will depend on the priority. You can also select which filtering profile will be applied to the group.

6.2.4 Group-based filtering for objects
Remember that you can configure custom policies for network objects that will override the global policy. Likewise, in case you pick a policy that enforces authorization, you can also set custom policies for a group. In this case, group policies only affect to the permissions for browsing and not to the content filtering. The content filtering policy is determined by the object policy. Authorization policies are incompatible with the transparent mode. Finally, you also have to take into account that you cannot set filtering profiles to groups in an object policy. This means a group will use the filtering profile that is set in its group global policy.

Practical Example The goal of this exercise is to set access policies for two groups: IT and Accounting. Members of the Accounting group will only be able to access the Internet during work time, and its filtering profile threshold will be set to very strict. On the other hand, members of the IT group will be able to use the Internet at any time. They will also skip the censorship of the content filter. However, they will not be able to access those domains that are explicitly denied to all the workers. For the sake of clarity, the needed users and groups are already created. These are steps you have to take: 1. Action: Go to eBox, click on Module Status and enable the HTTP Proxy.



Effect: Once changes have been saved, users will need to authenticate with their login and password in order to surf the Internet. 2. Action: Go to HTTP proxy -> Filter profiles. Add a list of forbidden domains to the default profile. You can do this by clicking on the Configuration cell of the default profile, and then, clicking on the tab labeled Domains filtering. You can now add youtube.com and popidol.com to the Domains rules section. Go back to HTTP proxy -> Filter Profiles. Add two new profiles for your groups, IT and Accounting. The Accounting profile must enforce a very strict threshold on the content filter. We will stick to the defaults for the other options. To do so, you have to check the Use default profile configuration field in Domains Filtering and File Extensions filtering. The IT profile will allow unfiltered access to everything but the forbidden domains. To enforce this policy, you need to check the Use default profile configuration field in Domains Filtering. You can grant free access for everything else by setting the content filter threshold to Disabled. Effect: We will enforce the required policy. 3. Action: Now you have to set a schedule and a filtering profile for groups. You can go to HTTP Proxy → Group Policy. Click on Add new, select the Accounting group. Set the schedule from Monday to Friday, from 9:00 to 18:00. And select the Accounting profile. Likewise, you have to set a policy for the IT group. In this case, you don’t have to add any restriction to the schedule. Effect: Once the changes have been saved, you can test if the configuration works as expected. You can use the proxy authentication with a user from each group. You will know that it is working properly if: • You can actually access www.playboy.com using the credentials of an IT user . However, if you use the credentials of an Accounting user, you are denied access. • You are not allowed to access any of the banned domains from any of the groups. • If you set the date in eBox to weekend, and you cannnot surf the Internet with an Accounting* user, but you can with an IT user.


eBox 1.4 for Network Administrators


Secure interconnection between local networks
6.3.1 Virtual Private Network (VPN)
The Virtual Private Networks were designed both to allow secure access to remote users to the corporate network and secure interconnection of geographically distant networks. A frequent situation is where remote users need to access resources located in the company local network, but those users are outside the facilities and cannot connect directly. The obvious solution is to allow the connection through the Internet. This would create security and configuration problems, which can be resolved through the use of virtual private networks. The solution offered by a VPN (Virtual Private Network ) to this problem is the use of encryption to only allow access to authorized users (hence the private adjective). And to ease the use and configuration, connections seem to be as if there were a network between the users and the local network (hence the virtual). The VPN’s usefulness is not limited to the access of remote users; a organization may wish to interconnect networks that are located in different places. For example, networks located in different cities. Some time ago, to solve this problem dedicated data lines were hired, but this service was expensive and slow to deploy. Later, the advance of the Internet provided a ubiquitous and cheap, but insecure, medium. And again, the security and virtualization features of the VPN were an appropriate response to this problem. In this regard, eBox Platform provides two modes of operation. It can work as a server for remote users and as a server and client for the connection between two networks.

6.3.2 Public Key Infrastructure (PKI) with a Certification Authority (CA)
The VPN used by eBox to ensure data privacy and integrity uses SSL as cypher technology. The SSL technology is used widely since a long time so we could reasonably trust its security. However, all cypher schemes have the problem of how to distribute the keys to their users without interception by third parties. In the VPN context, this step is required when a new participant joins the virtual network. The adopted solution is the use of a public key infrastructure (PKI). This technology allows the use of the key in a insecure medium, like the Internet, without allowing the interception of keys by anyone who snoops the communication. PKI is based in that each participant generates two keys: a public key and a private key. The public one can be distributed publicly and the private one must remain secret. Any participant who



wants to cypher a message can do it with the public key of the recipient but the message can only be deciphered with the private key of the recipient. As this key is kept secret, it is ensured that only the recipient can read the message. However, this solution creates a new problem. If anyone could present a public key, how we can guarantee that a participant is really who he claims to be and is not impersonating another identity? To solve this problem, certificates were created.

Figure 6.3: Public key encryption

Figure 6.4: Public key signature

The certificates use another PKI feature: the possibility of signing files. The private key is used to sign a file. The signature can be checked by anyone using the public key. A certificate is a file that contains a public key, signed for someone that is trusted. This trusted participant is used to verify identities and is called Certification Authority (CA).
There is a lot of information about public key encryption. You can begin here: http://en.wikipedia.org/wiki/Publickey_encryption


eBox 1.4 for Network Administrators

Figure 6.5: Diagram to issue a certificate

6.3.3 Certification Authority configuration with eBox
eBox Platform has integrated management of the Certification Authority and the life cycle of the issued certificates for your organization. It uses the OpenSSL 9 tools for this service. First of all, you need to generate the keys and issue the certificate of the CA itself. This step is needed to sign new certificates, so the remaining features of the module will not be available until the CA keys are generated and its certificate, which is self signed, is issued. Note that this module runs unmanaged and you don’t need to enable it in Module Status.

Go to Certification Authority → General and you will find the form to issue the CA certificate after generating automatically the key pair. It is required to fill in the Organization Name and Days to expire fields. When setting this duration you have to take into account its expiration will revoke all

OpenSSL - The open source toolkit for SSL/TLS <http://www.openssl.org/>.



certificates issued by this CA, stopping all services depending on those certificates. It is possible to add also these optional fields to the CA certificate: Country Code An acronym consisted of two letters defined in ISO-3166. City State

Once the CA has been created, you will be able to issue certificates signed by the CA. To do this, use the form now available at Certification Authority → General. The required data are the Common Name of the certificate and the Days to expire. This last field sets the number of days that the certificate will remain valid and the duration cannot surpass the duration of the CA. In case we are using the certificate for a service server like it could be a web server or mail server, the Common Name of the certificate should match the hostname or domain name of that server. Anyway, you could set any Alternative Subject Names 10 for the certificate in order to, for example, set any other common name for HTTP virtual hosts 11 or an IP address or even a mail address to sign e-mail messages. When the certificate is issued, it will appear in the list of certificates and it will be available to eBox services that use certificates and to external applications. Furthermore, several actions can be applied to the certificates through the certificate list:
10 11

For more information about subject alternative names, visit http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name For more information about HTTP virtual hosts, check out Virtual domains section for details


eBox 1.4 for Network Administrators

• Download a tarball archive containing the public key, private key and the certificate. • Renew the certificate. • Revoke the certificate. If you renew a certificate, the current certificate will be revoked and a new one with the new expiration date will be issued along with the key pair.

If you revoke a certificate you won’t be able to use it anymore as this action is permanent and you can’t go backwards. Optionally you can select the reason of the certificate revocation: unspecified keyCompromise The private key for this certificate has been compromised and now it is available for suspicious people. CACompromise The private key for the CA certificate has been compromised and now it is available for suspicious people. affilliationChanged The issued certificate has changed its affiliation to another certification authority from other organization. superseded The certificate will be renewed and this is no longer valid and thus replaced. cessationOfOperation The issued certificate has ceased its operation. certificateHold removeFromCRL Currently unimplemented delta CRLs support.



If you renew the CA certificate then all the certificates will be renewed with the new the CA. The old expiration date will be kept, if this is not possible it means that the old expiration date is a later date than the new CA expiration date, in this case the expiration date of the certificate will be set to the expiration date of the CA. When a certificate expires all the modules are notified. The expiration date of each certificate is automatically checked once a day and every time you access the certificate list page.

Services Certificates

On Certification Authority

→ Services Certificates we can find the list of eBox modules using

certificates for its secure services. By default, these are generated by each module, but if we are using the CA we can replace these self signed certificates with ones issued by our organization CA. You can define for each service the Common Name of the certificate and if there is a certificate with that Common Name available, the CA will issue one. In order to set these key pair and signed certificate to the service you have to Enable the certificate. Every time a certificate is renewed is pushed again to the eBox module but you need to restart the service to force the new certificate usage.


eBox 1.4 for Network Administrators

Practical example A Create a Certification Authority which will be valid for a year, then create a certificate called server and two client certificates called client1 and client2. 1. Action: Go to Certification Authority

→ General. In the form called Create Certification

Authority Certificate, fill in the fields Organization Name and Days to expire with reasonable values. Press Create to generate the Certification Authority. Effect: The key pair of the Certification Authority is generated and its certificate will be issued. Our new CA will be displayed in the list of certificates. The form for creating the CA will be replaced by another one intended to issue normal certificates. 2. Action: Using the form Issue a New Certificate to issue certificates, enter server as Common Name and then, in Days to expire, a number of days less than or equal to the one you entered for the CA certificate. Repeat these steps with the names client1 and client2. Effect: The new certificates will appear in the list of certificates, ready to be used.

6.3.4 Configuring a VPN with eBox
The software selected by eBox to create VPNs is OpenVPN tages: • Authentication using public key infrastructure. • Encryption based on SSL technology. • Clients available for Windows, MacOS X and Linux. • Code that runs in user space, without the need to modify the network stack (as opposed to IPSec). • Possibility to use network applications in a transparent way.


. OpenVPN has the following advan-

OpenVPN: An open source SSL VPN Solution by James Yonan http://openvpn.net.



Remote VPN Client eBox can be configured to support remote clients (familiarly known as road warriors). That is, an eBox machine can work as a gateway and OpenVPN server, allowing clients on the Internet (the road warriors) to connect to the network via the VPN service and access the local area network. The following figure can give a more accurate view of the scenario:

Figure 6.6: eBox and remote VPN clients

The goal is to connect the client number 3 with the other two remote clients (1 and 2) and also connect these two among themselves. To do this, we need to create a Certification Authority and certificates for the two remote clients. Note that you also need a certificate for the OpenVPN server itself, however, this certificate is automatically created when you add a new OpenVPN server. Here, the eBox machine also acts as a CA. Once we have the certificates, we should configure the OpenVPN server in eBox using Create a new server. To only parameter that you need to create a working OpenVPN server is its name. An OpenVPN server needs more parameters to work properly. eBox makes this easy and will try to automatically set valid parameters for you. The following configuration parameters will be added by eBox, feel free to adapt them to your needs: a port/protocol pair, a certificate ( eBox will create a certificate using the OpenVPN server’s name) and a network address for the VPN. Addresses belonging to the VPN network are assigned to the server and the clients. In case you need to change the network address and to avoid conflicts, you have to make sure that the network address is not used in any other part of your network. Furthermore, the local networks, i.e. the networks where the network interfaces are attached to, are advertised through the private network. The OpenVPN server will be listening on all the external interfaces. Therefore, we have to mark at least one of our interfaces as external via Network -> Interfaces. In this scenario only two interfaces


eBox 1.4 for Network Administrators

are needed, the internal one for the LAN and the external one for the Internet. You can configure the server to listen also on internal interfaces, activating the option Network Address Translation (NAT), but you can ignore it for the moment. If you want the clients to connect to each other using their VPN addresses, you have to activate the option Allow connections between clients. You can leave the rest of the options with their defaults.

After creating the OpenVPN server you have to enable the service and save the changes. Subsequently, you should check in Dashboard that the VPN service is running. After that, you may want to advertise networks through Advertised networks configuration for the VPN server. These networks will be accessible by OpenVPN authorized clients. Note that eBox will advertise all your local networks by default. Obviously, you can remove or add routes at your leisure. In our example scenario, the local network has been added automatically to make visible the client number 3 to the two other clients. Once done, it’s time to configure the clients. The easiest way to configure an OpenVPN client is using the bundles provided by eBox. These are available in the table in VPN -> Servers, by clicking the icon on the Download client bundle column. There are bundles for two types of operating system. If you are using MacOS X or GNU/Linux, you have to choose Linux as type. When a bundle is created, the certificates that will be given to the client are included, and the external IP address to which VPN clients have to connect is set. If the selected system is Windows, an OpenVPN for Win32 installer is



also included. The configuration bundles should be downloaded by the eBox administrator and he is responsible for distributing them to the clients in a proper and secure way.

A bundle includes the configuration file and other necessary files to start a VPN connection. For example, in Linux, simply extract the archive and execute it, within the newly created directory, using the following command:

openvpn --config filename
Now you have access to the client number 3 from the two remote clients. Bear in mind that the eBox DNS service will not work through the private network unless you configure the remote clients to use eBox as name resolver. That is why you cannot access the services of the hosts on the LAN by name, you have to do it by IP address. That also applies to the NetBIOS the broadcast traffic provided by the SMB/CIFS server. To enable the remote clients to connect between themselves, you need to activate the Allow client-to-client connections option in the VPN server configuration. To verify that the configuration is correct, look at the routing table of the client and check that the new networks were added to the tapX virtual interface. The current users connected to the VPN service are displayed in eBox Dashobard.

service when accessing

Windows shared resources, to browse the shared resources from the VPN, you must explicitly allow

Practical example B This example will configure a VPN server. A client on a computer located on a external network is going to be configured. Once connected it to the VPN, it will access another host in the local network, which is only accessible from the server through an internal interface.

For more information about file sharing, see section File sharing service and remote authentication


eBox 1.4 for Network Administrators

To do this: 1. Action: Access the eBox interface, go to Module Status and activate the VPN module by checking the box on the Status column. Effect: eBox requests permission to perform certain actions. 2. Action: Read about the actions that are going to be performed and grant permission to do them. Effect: Save Changes button is activated. 3. Action: Access the eBox web interface, enter the VPN -> Server section, click on Add new. A form with the fields Enabled and Name will appear. Enter a name for the server and leave it disabled until it is configured correctly. Effect: The new server appears in the list of servers. 4. Action: Click on Save Changes and accept all the changes. Effect: The server is active, you can verify its status in the Dashboard. 5. Action: To simplify the configuration of the client, download the configuration bundle. To do this, click the icon on the Download client bundle column. Fill in the configuration form with the following options: • Client type: select Linux, as it is the client OS. • Client certificate: select client1. If This certificate is not created, create it following the instructions from the previous example. • Server address: enter here the address that the client has to use to reach the VPN server. In this scenario, this address will be the one for the external interface connected to the same network as the computer client. Effect: Once the form is completed, a bundle file for the client will be downloaded. It will be a compressed file in .tar.gz format. 6. Action: Configure the client computer. For this, decompress the bundle in a directory. Note that the bundle contains files with the necessary certificates and a configuration file with the .conf extension. If there have been no mistakes in the steps earlier, you have all the necessary configuration and you only have to launch the program. To launch the client run the following command within the directory:



openvpn --config [ filename.conf ]
Effect: When launching the command in a terminal window the actions will be printed on it. If everything is correct, once the connection is ready Initialization Sequence Completed will appear on the terminal; otherwise error messages will appear to help you diagnose the problem. 7. Action: Before checking if there is a connection between the client and the computer on the private network, you have to be sure that the latter has a return route to the VPN client. If you are using eBox as the default gateway, there will be no problem. Otherwise you will need to add a route to the client. First you have to check if there is connection by using the ping command. Run the following command:

ping -c 3 [ another_computer_ip_address ]
To verify that there is not only communication, but also access to the resources of another computer, launch a remote console session. You can do it with the following command from the client computer:

ssh [ another_computer_ip_address ]
After accepting the identity of the computer and entering the user and the password, you will access the console of the remote computer as if it were physically on your local network.

Remote VPN Client with NAT
If you want to have a VPN server that is not the gateway of your LAN, i.e. the machine has no external interfaces, then you need to activate the Network Address Translation option. As this is a firewall feature, you have to make sure that the firewall module is active, otherwise you will not be able to activate this option. With this option, the VPN server will act as a representative of VPN clients within the network. In fact, it will be a representative of all the advertised networks, and it will receive the response packets and subsequently forward them through the private network to the clients. This situation is better explained with the following figure:


eBox 1.4 for Network Administrators

Figure 6.7: VPN connection from a client to the LAN using NAT with VPN

Secure interconnection between local networks
In this scenario there are two offices in different networks that need to be connected via a private network. To do this, eBox is used as gateway in both networks. One eBox will act as OpenVPN client and another as server. The following figure attempts to clarify the situation:

Figure 6.8: eBox vs OpenVPN as a server. eBox OpenVPN as a client

The goal is to connect the client on the LAN 1 with client 2 on the LAN 2, as if they were in the same local network. Therefore, you have to configure an OpenVPN server as done in Practical example B. However, you need to make two small changes. First, enable the Allow eBox-to-eBox tunnels option to exchange routes between eBox machines. Then enable password for the eBox-to-eBox tunnel to have a more secure connection environment. You have to bear in mind that you have to add the address of the LAN 1 in Advertised networks. To configure eBox as an OpenVPN client, you can do it through VPN -> Clients. You must give a name to activate the client and activate the service. You can set the client configuration manually or



automatically using the bundle from the VPN server, as done in the Practical example B. If not using the bundle, you will have to enter the IP address and the Server port pair where the server is listening. A eBox-to-eBox tunnel password and the certificates used by the client are also required. These certificates should have been issued by the same CA that is using the server.

When changes are saved, you can see in Dashboard a new OpenVPN daemon on the network 2 running as a client, connected to the other eBox in the LAN 1.

When the connection is complete, the server machine will have access to all routes of the client machines through the VPN. However, the client machines will have access only to the routes that the server has advertised explicitly.


eBox 1.4 for Network Administrators

Practical example C This example’s goal is to set up a tunnel between two networks that use eBox servers as gateways to an external network, so that members of both networks can connect with each other. 1. Action: Access the web interface of the eBox which is going to act as server in the tunnel. Make sure the VPN module is enabled and activate it if necessary. Once you are in the VPN -> Servers section, create a new server with the following settings: • Enable Allow eBox-to-eBox tunnels. This is the option indicating that it will be a tunnel server. • Enter a eBox-to-eBox tunnel password. • Finally, from the Interface to listen on select choose the external interface that the eBox client will connect to. Effect: Once all the above steps are done you have the server running. You can verify its status in the Dashboard. 2. Action: To ease the process of configuring the client, you can obtain a configuration bundle. To download it from the server, log back into the eBox web interface and go to VPN -> Servers, click on Download bundle client configuration in our server’s row. Before the download starts you have to enter some parameters in the form: • Client type: choose eBox to eBox tunnel. • Client certificate: choose a certificate different to the server one that is not in use in any other client either. If you do not have enough certificates, follow the steps of above examples to create a certificate that you can use for the client. • Server address: you have to enter the address which the client will use to connect to the server. In this case, the address of the external interface connected to the network visible by both server and client will be the appropriate one. After entering all the data press the Download button. Effect: You download a tar.gz archive containing the configuration data required for the client. 3. Action: Access the eBox server web interface that will take the role of client. Check that the VPN module is active, go to the VPN

→ Clients section. This section is an empty list of

clients. To create one, click Add client and enter a name for it. As it is unset, it cannot be enabled, so you have to return to the list of clients and configure it. Since you have a



client configuration bundle you do not need to complete the data in the section by hand. Using the Upload configuration’s bundle option, you can select the file obtained in the previous step and click on Change. Once the configuration is loaded, you can return to the list of clients and enable it. For this, click the Edit icon in the Action column. A form where you can tick the Enable option will appear. Now you have a fully configured client and the only thing left is saving changes. Effect: Once the changes are saved, the client will be active. You can check this in the Dashboard. If both client and server configurations are correct, the client will start the connection and the tunnel will be ready in a few seconds. 4. Action: Now you have to check if the hosts in the server’s internal networks and in the client ones can see each other. Besides the existence of the tunnel, there are the following requirements: • The hosts must know the return route to the other private network If, as in this case, eBox is being used as gateway, there is no need to setup additional routes. • The firewall must allow connections between the routes for the services you want to use. Once these requirements are met, you can test the connection. From one of the hosts on the private network of the VPN server do the following: • Ping a host on the network of the VPN client. • Attempt to initiate an SSH session on a host of the VPN client network. Once you have checked this, repeat it from a host on the network of the VPN client, choosing as target a host located in the network of the VPN server.


Intrusion Detection System (IDS)
An intrusion detection system (IDS) is an application designed to prevent unwanted access to our machines, mainly attacks coming from the Internet. The two main functions of an IDS are to detect potential attacks or intrusions, what is done through a set of rules that are matched against packets of inbound traffic. In addition to recording all suspicious events, it records useful information (such as the source IP address of the attacker) in a database or file. Combined with the firewall, some IDS can also block intrusion attempts.


eBox 1.4 for Network Administrators

There are different types of IDS, the most common one is the Network Intrusion Detection System (NIDS), which is responsible for checking all the traffic on a local network. One of the most popular NIDS is Snort 14 , which is the tool that eBox integrates to perform this task.

6.4.1 Setting up an IDS with eBox
The configuration of the IDS in eBox is very simple. You only need to activate or deactivate a number of elements. First, you have to specify which network interfaces you want the IDS to listen on. After that, you can select different sets of rules to match with the captured packets. Alerts will be fired in case of positive results. Both settings are accessed via the IDS menu. On the Interfaces tab a table with a list of all network interfaces that are configured is shown. By default, all of them are disabled due to the increased network latency and CPU consumption caused by the traffic inspection. However, you may enable any of them by clicking on the checkbox.

On the Rules tab you can see a table that is preloaded with all the Snort rulesets installed on your system (files under the directory /etc/snort/rules). A typical set of rules is enabled by default. If you want to save CPU time, it is advisable to disable those that are not of interest, for example, the ones related to services not available in your network. Also you can enable any other rules you find interesting if your hardware is powerful enough. The procedure for activating or disabling a rule is the same as for the interfaces.

Snort: A free lightweight network intrusion detection system for UNIX and Windows * http://www.snort.org



6.4.2 IDS Alerts
Now you have the IDS module running. At this point, the only thing you can do is observe alerts manually in the /var/log/snort/alert file. We are going to see how eBox can make this task easier and more efficient thanks to its logs and events subsystem. The IDS module is integrated with the eBox logs, so if it is enabled, you can query different IDS alerts through the usual procedure. Likewise, we can configure an event for any of these alerts in order to notify the system administrator by any of the different means available. For more information, see the Logs chapter.

Practical example Enable the IDS module and launch a port scanning “attack” against the eBox machine. 1. Action: Access the eBox web interface, go to Module Status and activate the IDS module by checking the box in the Status column. You will be notified of eBox wanting to modify the Snort configuration. Allow the operation by pressing the Accept button. Effect: Save Changes is activated.


eBox 1.4 for Network Administrators

2. Action: Similarly, activate the Logs module if it is not already activated. Effect: When the IDS is started, it will be ready to record its alerts. 3. Action: Access the IDS menu and select the Interfaces tab. Enable an interface that is reachable from the machine that will launch the attack. Effect: The change is saved temporarily but it will not be effective until changes are saved. 4. Action: Save the changes. Effect: eBox shows the progress while it is applying the changes. Once the process is completed you are notified. From now on, the IDS is analyzing the traffic on the selected interface. 5. Action: Install the nmap package on another machine using aptitude install nmap. Effect: The nmap tool is installed on the system. 6. Action: From the same machine run the nmap command passing only the IP address of the interface eBox previously selected as parameter. Effect: It will make attempts to connect to several ports on the eBox machine. You can interrupt the process at any moment by pressing: kbd: Ctrl-c. 7. Action: Access Logs -> Query logs and select Full report for the domain IDS. Effect: Entries related to the attack just performed are listed on the table.


Chapter 7 eBox Core

The target of eBox is not only the configuration of the integrated network services. It also offers a number of features that facilitate and make more efficient the administration of eBox itself. This feature set is what we call the eBox core. Backups to restore a previous state, logs of services to find out what happened and when, notifications for certain events or incidents, monitoring of the machine or security updates of the software are issues that will be explained in this section.


eBox provides an infrastructure for their modules that allows them to log different kind of events that may be useful for the administrator. These logs are available through the eBox interface. They are also stored in a database for making queries, reports and updates in an easier and more efficient way. The database management system used is PostgreSQL 1 . We can also configure different dispatchers for the events. That way the administrator can be notified by different means (email, RSS or Jabber 2 ). You can have logs for the following services: • OpenVPN (Virtual Private Network (VPN))
PostgreSQL The world’s most advanced open source database http://www.postgresql.org/. RSS Really Simple Syndication is an XML format used mainly to publish frequently updated works http://www.rssboard.org/rss-specification/.
2 1


eBox 1.4 for Network Administrators

• SMTP Filter (Simple Mail Transfer Protocol (SMTP) mail filter ) • POP3 proxy (Transparent proxy for POP3 mailboxes) • Printers (Printers sharing service) • Firewall (Firewall) • DHCP (Network configuration service (DHCP)) • Mail (Electronic Mail Service (SMTP/POP3-IMAP4)) • Proxy (HTTP HTTP Proxy Service) • File Sharing (File sharing service and remote authentication) • IDS (Intrusion Detection System (IDS)) Likewise, you can receive notifications of the following events: • Specific values inside the logs. • eBox health status. • Service status • Events from the software RAID subsystem. • Free disk space. • Problems with Internet routers. • Completion of a full data backup. First, before you can work with the logs, like other eBox modules, you have to make sure it is enabled. To enable it, go to Module Status and select Logs. In order to obtain reports from the existing logs, you can access the Logs -> Query Logs menu. You can get a Full report of all log domains. Moreover, some of them give us an interesting Summarized Report that provides an overview of the service for a period of time. In Full report, we have a list of all registered actions for the selected domain. Information provided is dependent on each domain. For example, for the OpenVPN domain you can see the connections to a VPN server of a client with a specific certificate, or for example, in the HTTP Proxy domain you can know which pages have been denied to a particular client. You can also make custom queries that allow filtering by time period or different values, depending on the domain. These queries can



Figure 7.1: Query logs

Figure 7.2: Full report example


eBox 1.4 for Network Administrators

be stored like an event that generates an alert when a match occurs. Furthermore, if you do a query without an upper bound in time, the results will be automatically refreshed with new data. The Summarized Report allows you to select the period of the report, which may be one hour, one day, a week or a month. The information you get is one or more graphs, accompanied by a summary table with total values for different data. In the picture you can see, for example, daily statistics about the requests and traffic of the HTTP proxy.

7.1.1 Logs configuration
Once you know how to check the logs, is also important to know how to configure them, through the Logs -> Configure logs menu on the eBox interface. The values you can configure for each installed domain are: Enabled: If this option is not activated no logs are written for this domain. Purge logs older than: Sets the maximum time that the logs will be saved. Every value whose age exceeds the specified period, will be discarded. You can also force the instant removal of all logs that are older than a certain period. You can do this using the Purge button inside of the Force log purge section, which allows you to select different intervals between one hour and 90 days.

Practical example Enable the logs module. Using the Practice example as a reference for generating email traffic containing viruses, spam, banned senders and forbidden files. Observe the results in :menuselection Logs -> Query Logs -> Full Report. 1. Action: Access eBox interface. Go to Module Status and activate the logs module. For this, check the box in the State column. You will be informed that a database to save the logs is going to be created. Allow the operation by pressing Accept. Effect: Save Changes button is now activated. 2. Action: Access Logs -> Configure Logs and check that the Mail domain is already enabled. Effect: You have enabled the Logs module and you have checked that the logs for mail are enabled. 3. Action: Save the changes.



Figure 7.3: Summarized report example


eBox 1.4 for Network Administrators

Figure 7.4: Configure logs

Effect: eBox shows the progress while applying the changes. Once the process is finished you are notified of that. From now on, all sent emails will be logged. 4. Action: Send a few problematic emails (with spam or virus) as it was done in the relevant chapter. Effect: As now the logs module is enabled, emails have been logged, unlike what happened when we sent them for the first time. 5. Action: Access Records -> Query Logs and Full report for the Mail domain. Effect: A table with entries for the emails that you have sent appears showing some information for each sent email.


The monitor module allows the eBox administrator to know the state of the resources of the eBox machine. This information is essential to both troubleshoot and plan in advance the necessary resources.



Monitoring implies knowing how to interpret some system values in order to decide if these values fall into an expected range, or otherwise, they are too high or too low. The main issue of monitoring is the selection of these ranges. As every machine can have different values depending on the kind of use. For example, in a file sharing server, the free storage space is a very important value that can change very quickly. However, in a router with an enabled content filter, free memory and CPU load are more interesting values. You should avoid fetching values that are useless for your scenario. This is the reason why eBox monitors only a few system metrics in its current version. These are: system load, CPU usage, memory usage, and file system usage. The monitor module displays the fetched data using graphs. This allows the user to easily visualize the evolution of the resources during time. To access these graphs you have to click on the menu entry labeled as Monitor. You can place the mouse pointer over any graph point to know the exact value at that point. You can see different time scales of the registered data: hourly, daily, monthly or yearly. You just need to click on the relevant tab.

7.2.1 Metrics


eBox 1.4 for Network Administrators

System load The system load tries to measure the rate of pending work over the completed work. This value is defined as the number of runnable tasks in the run-queue and is provided by many operating systems as a one, five or fifteen minutes average. This metric is the capacity of the used CPU over a given time. This means that a load of 1 represents a CPU working at full capacity. A load of 0.5 means that the CPU could take twice as much. Conversely, a load of 2 means that it would need another CPU to fullfill the requirements of the current work load. You have to take into account that those processes that are waiting for read/write operations in disk also contribute to this value.

CPU usage This graph shows detailed information of the CPU usage. In the case of having a multi-core or multicpu machine you will see one graph for each one of the cores. This graph represents the amount of time that the CPU spends in each of its states: running user code, system code, inactive, input/output wait, and so on. This measure is not a percentage, but scheduling units known as jiffies. In most Linux systems this value is 100 per second, but it can be different.



Memory usage This graphs shows the memory usage. The following variables are monitored: Free memory: Amount of memory not used Page cache: Amount of memory that is cached in disk swap Buffer cache: Amount of memory that is cached for input/output operations Memory used: Amount of memory that is not included in any of the above


eBox 1.4 for Network Administrators

File system usage This graph displays the used and free space of every mounting point.

Temperature This graph allows you to know the system temperature in degrees Celsius by using the ACPI system

. You need to have data available in these directories: /sys/class/thermal or /proc/acpi/thermal_zone.

3 Advanced Configuration and Power Interface (ACPI) is an open standard to configure devices focused on operating systems and power management. http://www.acpi.info/



7.2.2 Alerts
These graphs are not very helpful if in case of unexpected behaviour the administrator is not properly notified. By using alerts, you can know when the machine has reached an unusual system load or is approaching its full capacity. You can configure monitor alerts in Events monitor.

→ Configure Events. The relevant alert is called

You can access the configuration page by clicking on the configuration cell. In this page you can pick any monitored metric and set the threshold that will trigger an event.

There are two different thresholds, warning and failure, this allows the user to filter based on the event severity. You can use the option reverse: to swap the values that are considered right and wrong. Other important option is persistent:. Depending on the metric we can also set other parameters. Each measure has a metric that it is described as follows: System load: The values must be set in average number of runnable tasks in the run-queue.


eBox 1.4 for Network Administrators

CPU usage: The values to set must be jiffies or units of scheduling. Physical memory usage: The values to set must be bytes. File system: The values must be set in bytes. Temperature: The values to set must be grades. Once you have configured and enabled the event you will need to configure, at least, one observer. The observer configuration is the same as the configuration of any other event. Check the Events and alerts chapter for further information.


Events and alerts
The events module is a convenient service that allows you to receive notifications of certain events and alerts that happen in your eBox machine. eBox allows you to receive these alerts and events through the following dispatchers: • Mail 4 • Jabber • Logs • RSS Before enabling any event watcher you have to make sure that the events module is enabled. Go to Module status and check the events module. Unlike in the Logs module, where all services are enabled by default except the firewall, you have to enable those events that might be of your interest. To enable any events, you have to click on the menu entry Events

→ Configure Events. You can

edit an event state by clicking on the pencil icon. Tick the Enabled box and click on the Change button.

There are some events that need further configuration to work properly. This is the case for the log and free storage space observers. The configuration of the free storage observer is pretty straightforward. The only required parameter is the free space percentage that will trigger the event when its actual value goes under it.

The mail module needs to be installed and configured. (Electronic Mail Service (SMTP/POP3-IMAP4)).



Figure 7.5: Configure events page

For the log observer, the first step is to select which domains you want to generate events from. For every domain, you can add filtering rules that depend on the domain. Some examples are: denied HTTP requests by the proxy, DHCP leases for a giving IP, canceled printer jobs, and so on. You can also create an event filter from an existing log query by clicking on the Save as an event button through Logs → Query Logs → Full Report. So far, you know how to enable the generation of events and alerts. However, you also need these events and alerts to be sent to you in order to be read. That is what event dispatchers are for. Go to the Configure dispatchers tab. The procedure to enable event dispatchers is similar to enabling event watchers. You have to configure all the watchers except the log watcher. The latter will write its output to /var/log/ebox/ebox.log. The other dispatchers require further configuration. Mail: You have to set the email address of the recipient (usually the eBox administrator). You can also set the subject of the messages. Jabber: You have to set the Jabber server address and port that will be used to send the messages. You also have to set the username and password of the user that will send the messages. Finally, you have to set the Jabber address of the recipient.


eBox 1.4 for Network Administrators

Figure 7.6: Configure Log Observer page

Figure 7.7: Configure dispatchers page



RSS: You have to decide who will be able to read the RSS feed, and the feed link itself. You can make the channel public, private, or authorized by a source IP address-based policy. Note that you can also use objects instead of IP addresses.

7.3.1 Practical Example
Configure the events module to make it show the message “eBox is up and running in

/var/log/ebox/ebox.log. This message will be generated periodically, and every time
the events module is restarted. 1. Action: Access the eBox web interface, go to Module Status and enable events. Effect: The Save Changes button has turned red. 2. Action: Go to Events and click on the tab labeled Configure Events. Click on the pencil icon that is placed in the Status column. Check the Enabled field and click on:Change. Effect: The events table shows the event as enabled. 3. Action: Go to the tab labeled Configure dispatchers. Click on the pencil icon of the row that contains the Log event. Enable it and click on Change. Effect: The event disptacher table shows the log dispatcher as enabled. 4. Action: Save changes. Effect: eBox shows the progress of the saving changes process until it displays a message to let you know it is done. An event with the message ‘eBox is up and running’ /var/log/ebox/ebox.log. 5. Action: From the console on the eBox machine run: sudo /etc/init.d/ebox events restart. Effect: An event with the message ‘eBox is up and running’ will be written again in /var/log/ebox/ebox.log. will be written in


eBox 1.4 for Network Administrators


7.4.1 The backup system design
A data loss is an eventual accident that you have to be prepared to deal with. Hardware failures, software bugs or human mistakes can cause an irreparable loss of important data. It is an unavoidable task to design a well tested procedure to make, check and restore backups, taking into consideration both configuration-only and full backups. One of the first decisions we have to make is whether we are going to make full backups, what is an exact copy of the data or incremental backups that are copies of the differences from the first backup. Incremental backups use less space but need some computation to restore the copy. A combination of often incremental backups plus eventual full copies is the most usual choice but this will depend on your needs and available storage resources. Another important choice is whether to make the backups on the same host or to use a remote host. A remote host gives more security because of being on a different server. A hardware failure, software bug, human mistake or a security compromise shouldn’t affect the integrity of a remote backup. To minimize risks, the remote backup server should be used exclusively for this purpose. Two non-dedicated servers making backups of each other is definitely a bad idea, a compromise in one of them leads to a compromise in the other one leaving you without a safe backup copy.

7.4.2 Backup configuration with eBox
First of all, we need to decide if we are going to store our backups locally or remotely. In case of using the latter we also need to specify what protocol will be used to connect to the remote server. Method: The current supported methods are eBox Backup Storage (EU), eBox Backup Storage (US Denver), eBox Backup Storage (US West Coast), FTP, SCP and File System. Note that depending on the method you select you will have to provide more or less information such as the remote host address or user and password. All methods except File System are used to access remote servers. This means you will have to provide proper credentials to connect to the server. You may create an account in our store

for eBox Backup Storage methods, use

this service to have a quick and safe remote location to store your data. If you use any of eBox Backup Storage methods you will not need to introduce the remote server address as eBox will have it configured automatically. On the other hand, if you select, FTP or SCP you will need to provide the remote server address.

eBox Technologies store at https://store.ebox-technologies.com



Figure 7.8: Select Configuration

Warning: If you use SCP, you will need to execute sudo ssh user@server and accept the remote server’s fingerprint to add it to the list of SSH known hosts. If you don’t do this, the backup software will fail to connect to the server. Host or Destination: For FTP and SCP you will need to provide the remote host name or IP address to connect. In case of using File System, introduce a local file system path. If you use a eBox Backup Storage method, then only the relative path is required. User: User name to authenticate in the remote host. Password: Password to authenticate in the remote host. Encryption: You may cipher your backup data using a symmetric key by introducing it in the host, or you may select an already created GPG key to provide asymmetric encryption to your data. Full Backup Frequency: This is used to tell the module how often a full backup is carried out. Values are: Daily, Weekly, Monthly. Number of full copies to keep: This value is used to limit the number of full copies that are stored. This is an important value and you should understand what actually means. It is related to the Full Backup Frequency. If you set the frequency to Weekly, and the number of full copies to 2, your oldest backup copy will be two weeks old. Similarly, if you set it to Monthly and 4, your oldest backup copy will be 4 months old. Set this value according to how long you wish to store backups and how much disk space you have.


eBox 1.4 for Network Administrators

Incremental Backup Frequency: This value is also related to Number of full copies to keep. A normal backup setting might consist of taking incremental copies between full copies. Incremental copies should be done more frequently than full copies. This means that if you make weekly full copies, incremental copies should be set to daily, but it does not make sense to set it to same frequency as the full copies. To understand better this field let’s see an example: Full Backup Frequency is set to weekly. Number of full copies to keep is set to 4. Incremental Backup Frequency to daily. This means that you will end up having 4 weekly full backups, and between every weekly backup you will have daily backups. That is a month worth of backed up data. And it also means that you could restore any arbitrary day of that month. Backup process starts at: This field is used to set the time at when the backup process starts. It is a good idea to set it to times when nobody is in the office as it can consume a lot of upload bandwidth.

Configuring what directories and files are backed up The default configuration will backup the whole file system. This means that in the event of a disaster you will be able to restore the machine completely. It is a good idea not change this configuration unless the space on your remote server is very limited. A full backup of an eBox machine with all its modules takes around 300 MB.

Figure 7.9: Include and exclude list

The default list of excluded directories is: /mnt, /dev, /media, /sys, and /proc. It is usually a bad idea to include those directories, and in some cases, the backup process will fail.



The default list of included directories is: /. You can also exclude file extension using shell characters. For example, if you want to skip AVI files from the backup, you can select Exclude regexp and add *.avi.

Checking backup status You can check the status of your backup under the section Remote Backup Status. In that table, you will see the type of backup, full or incremental, and the date when it was taken.

Figure 7.10: Backup status

How to start a backup process manually The backup process is started automatically at configured time. However, if you need to start a backup process manually, you can run:

# /usr/share/ebox-ebackup/ebox-remote-ebackup --full
Or, to start an incremental backup:

# /usr/share/ebox-ebackup/ebox-remote-ebackup --incremental


eBox 1.4 for Network Administrators

Restoring files There are two ways of restoring a file. It depends on the size and type of the file or directory that you need to restore. It is possible to restore files directly from the eBox interface. In the section Backup

→ Restore

Files you have access to the list of all the remote files and directories, and also the available dates to be restored. Use this method with small data files, if they are too big it will take too long and you won’t be able to use the web interface during the process of the operation. You must be very careful with the type of file you are restoring. It is usually safe to restore data files that are not used by applications at the moment of the restoring process. This data files will be placed under /home/samba/. However, it is very dangerous to restore system directories such as /lib, /var, /usr while the system is running. Do not do that unless you know what you are doing.

Figure 7.11: Restore file

Big files and system directories must be restored manually. Depending on the use of the file, you can restore it safely while your system is running. However, for system directories you will have to use a rescue CD and proceed as we explain later. In any case, you must know how the underneath used software works. duplicity is tool used by eBox. The process to restore a file or directory is actually very simple. You must run the following




duplicity restore --file-to-restore -t 3D <file or dir to restore> <remote url
The flag -t is used to select the backup date to restore. In this case, 3D means to restore a copy that is three days old. Using now you can restore the latest available copy. You can fetch the <remote url and args> on the top note in the section Restore Files in the eBox interface.

Figure 7.12: Remote url and arguments

For example, if you need to recover the file /home/samba/users/john/balance.odc you would run the following command:

# duplicity restore --file-to-restore home/samba/users/john/balance.odc \ scp://backupuser@ --ssh-askpass --no-encryption /tmp/balance.odc
The above command would restore the file in /tmp/balance.odc. If you need to overwrite a file or directory during a restoring operation you will need to add the flag –force, otherwise duplicity will refuse to overwrite.

7.4.3 How to recover on a disaster
Knowing the procedure and having the abilities and experience to successfully restore a backup in a critical situation is as important as making backups. You should be able to restore services as soon as possible when a disaster interrupts the systems. To recover from a total disaster, you would have to boot the system using rescue CD-ROM that includes the backup software duplicity. We will be using grml.


eBox 1.4 for Network Administrators

Download the grml image and boot the machine with it. You can use the parameter nofb if you have issues with your screen size.

Figure 7.13: Boot grml

Once the boot process has finished you can start a shell by pressing return. If your network is not properly configured, you can run the command netcardconfig to configure it. Now you need to mount the hard disk where files will be restored. In this case, we suppose we have our root partition in /dev/sda1. So we need to run:

# mount /dev/sda1 /mnt
The above command will mount the partition under the /mnt directory. During this example, we make a full restore. And to do that we remove all existing directories in the partition. Of course, you could just remove and restore one directory if you need to do so. To remove the existing files to proceed with the full restore, run:



Figure 7.14: Start a shell

# rm -rf /mnt/*
We need to install duplicity if it’s not already installed with:

# apt-get update # apt-get install duplicity
Before restoring a full backup we need to restore /etc/passwd and /etc/group. Otherwise, we can end up with a wrong file owner. The main issue is that duplicity saves the user and group names of a file and not its numerical values. We will run into problems if we restore the file with a system that has different UID or GID number. To avoid this we can just overwrite /etc/passwd and /etc/group on the rescue system first. Run:

# duplicity restore --file-to-restore etc/passwd \ # scp://backupuser@ /etc/passwd --ssh-askpass --no-encryption --fo

# duplicity restore --file-to-restore etc/group \ # scp://backupuser@ /etc/group --ssh-askpass --no-encryption --for
Warning: If you use SCP, you will need to execute sudo ssh user@server to add the remote

server to the list of SSH known hosts. If you don’t do this, duplicity will fail to connect.


eBox 1.4 for Network Administrators

Now, we are ready to proceed with the a full restore running duplicity manually:

# duplicity restore

scp://backupuser@ /mnt/ --ssh-askpass --no-encryp

You have to create the directories excluded from the backup. You should also clean up the temporal directories.:

# # # # #

mkdir -p /mnt/dev mkdir -p /mnt/sys mkdir -p /mnt/proc rm -fr /mnt/var/run/* rm -fr /mnt/var/lock/*
The restoring proccess has finished and you can reboot now.

7.4.4 Configuration backups
In addition, eBox Platform has another way to make configuration backups and restore them from the interface itself. This method backs up the configuration of all modules that have been enabled at some point, as well as the LDAP users and any other additional files required by each of these modules. The backup can also include the data stored by these modules (home directories, voicemail, etc.) but from 1.2 onwards this way has been deprecated in favour of the first explained method because it can deal better with huge data sets. To make these backups, you should go, as usual, to System can see in the following image.

→ Backup. You will not be able to

make a new backup if you have modified the configuration and you have not saved changes as you



Once introduced the name for the backup, select the backup type (configuration or full) and click Backup. A screen will appear showing the progress through the modules until it finishes with Backup successfully finished. After this, if you go back you will see a Backup list. Through this list you will be able to restore, download to your local disk or delete any of the stored backup copies. Some information like backup type, date and size will be shown as well. On Restore backup from file you can upload a backup file that you have in your local disk, for example, from a previous eBox Platform deployment on a different server, and restore it using Restore. A confirmation will be requested on restore. You should be careful because all the current configuration will be replaced. This action is similar to the backup, a screen will appear, showing the progress and notifying whether the operation was successful or an error occurred.

Command line tools for configuration backups Two command line tools are provided to export and import the configuration from the console. They are available in /usr/share/ebox and are ebox-make-backup and ebox-restore-backup. ebox-make-backup allows you to make configuration backups. Among its options you can select the backup type to do. One of them is bug-report, which helps developers to debug bugs by including extra information in the backup. Passwords are replaced in order to maintain user’s privacy. This backup type can’t be done through the web interface. You can see all the options using the –help parameter.


eBox 1.4 for Network Administrators

ebox-restore-backup allows you to restore configuration backups. It also provides an option to extract information from the backup file. Another interesting feature is the possibility of making partial restorations, restoring only some specific modules. This is very useful when restoring a module from an old version or when restoring a module failed. You should be careful with the interdependencies between the modules. For example, if you restore a firewall module backup that uses objects and services you have to restore those first. But you still have the option to force the script to ignore the dependencies that you can use if really required. To see all options of this program use the –help parameter.


Software Updates
Like any other software system, eBox Platform requires periodic updates, either to add new features or to fix defects or system failures. eBox distributes its software as packages and it uses Ubuntu’s standard tool, APT 6 . However, in order to ease this task, eBox provides a web interface to simplify the process.[#]_ The web interface allows checking for new available versions of eBox components and installing them in a simple way. It also allows you to update the software supporting eBox, mainly to correct potential security flaws.

7.5.1 Management of eBox components
The management of eBox components allows you to install, update and remove eBox modules. The component manager is a module, and like any other eBox module must be enabled before being used. To manage eBox components you must access Software Management -> eBox components.
Advanced Packaging Tool (APT) is a system for the management of software packages created by the Debian Project that greatly simplifies the installation and removal of programs on the GNU / Linux operating system http://wiki.debian.org/Apt



A list of all eBox components is shown there, together with the installed version and the latest available version. Components that are not installed or up to date, can be installed or updated by clicking on the respective icon in the Actions column. There is a button called Update all packages to update all those packages with a new version available. It is also possible to uninstall components by clicking on the respective icon for this action. Before proceeding to uninstall, a dialogue will be displayed with the list of the software packages to be removed. This step is necessary because it might be about to eliminate a component that is used by others, which would be also removed. Some components are basic and cannot be uninstalled, as that would uninstall eBox Platform completely.

7.5.2 System Updates
System updates performs the updates of programs used by eBox. In order to carry out its function, eBox Platform integrates different system programs within eBox components’ packages. These programs are referenced as dependencies ensuring that when installing eBox, they are also installed. Similarly, these programs may have dependencies as well. Usually the update of a dependency is not important enough to create a new eBox package with new dependencies, but it may be interesting to install it in order to use its improvements or its patches for security flaws. To see updates of the system you must go to Software Management

→ System Updates. You

should see if your system is already updated or, otherwise, a list of packages that can be upgraded.


eBox 1.4 for Network Administrators



If you install packages on the machine without using the web interface, this data may be outdated. Therefore, every night a process is executed to search for available updates for the system. Such a search can be forced by running:

$ sudo ebox-software
For each update, you can determine whether it is a security update using the information icon. If it is a security update the details about the security flaw included in the package changelog will be displayed by clicking on the icon. If you want to perform an update you should select the packages on which to perform the action and press the appropriate button. As a shortcut, you can use the button Update all packages. Status messages will be displayed during the update operation.

7.5.3 Automatic Updates
Automatic updates allow eBox Platform to automatically install any updates available. This operation is performed daily at midnight. This feature can be activated by accessing the page Software Management -> Automatic Updates.

It is not advisable to use this option if the administrator wants to keep a higher level of security in the management of updates. When performing the updates manually, administrators can avoid possible errors going unnoticed.


Control Center Client
eBox Control Center is a fault-tolerant solution that allows centralized real-time monitoring and administration of multiple eBox Platform installations. It includes features such as remote, centralized and secure administration of groups of eBox installations, automatic remote configuration backup, network monitoring and customized reports.

Here we describe the client side configuration with eBox.



eBox 1.4 for Network Administrators

7.6.1 Subscribing eBox to the Control Center
In order to configure eBox to subscribe to the Control Center, you must install ebox-remoteservices package which is installed by default if you have used eBox installer. In addition to this, the Internet connection should be available. Once everything is ready, go to Control Center and fill the following fields: User Name or Email Address: You must set the user name or the email address you use to sign in the Control Center Web site. Password: The same pass phrase you use to sign in the Control Center Web site. eBox Name: The unique name for your eBox within Control Center. This name is displayed from the control panel and it must be a valid domain name. Each eBox should have a different name, if two eBoxes use the same name for connecting to the Control Center, just one will be connected.

Figure 7.16: Subscribing eBox to the Control Center After entering the data, the subscription will take about a minute. Be sure after subscribing, save changes. This process sets a VPN connection to the Control Center, therefore it enables vpn module.

Figure 7.17: After subscribing eBox to the Control Center

If the connection is working nicely with eBox Control Center, then a widget will be shown in the dashboard indicating the connection was done established correctly.

For more information about VPN module, go to Virtual Private Network (VPN) section.



Figure 7.18: Connection widget to the Control Center

7.6.2 Configuration backup to the Control Center
One of the features using the Control Center is the automatic configuration backup 9 is stored in eBox Control Center. This backup is done daily if any change has been done in eBox configuration. Go to System → Backup → Remote Backup to check the configuration backups that have been done. You may perform a manual configuration backup, if you want to be sure a current configuration is backed up correctly in eBox Control Center.

Figure 7.19: Remote configuration backup

You may restore, delete or download that configuration backup from the Control Center. Additionally, to improve the disaster recovery, you may restore or download the configuration backup from other subscribed eBoxes using your name/email address and password pair. To do so, go to the System → Backup → Remote Backup from Other Subscribed Hosts tab.


The configuration backup in eBox is explained in Configuration backups section


eBox 1.4 for Network Administrators

Figure 7.20: Remote configuration backup from other subscribed hosts


Sign up to vote on this title
UsefulNot useful