eBox unites platform networking services

eBox is a server framework and platform that allows administrators to set up network services such as Lightweight Directory Access Protocol (LDAP) or a firewall from scratch relatively easily. eBox does not offer management of every option found in all service configuration files. Instead, it focuses on managing network-centric services and messaging applications easy by offering a single Web GUI portal. In addition, eBox can be extended by programmers who wish to add other services and management modules of their own.

eBox is an open source project released under GPL and supported by Warp Networks, a relatively young company based in Spain that specializes in open source development, training, and consulting. The project has a burgeoning community growing around it, and development is fairly active.

The platform’s extensive list of features mostly falls in line with the modules that make up its modular design:

• Network objects: Lets you combine a range of IP addresses into a single object, allowing other tools to act on the single object instead of configuring the whole range every time. For example, an admin can attach firewall rules by simply specifying a particular network object instead of dealing with a range of IP addresses.
• Firewall: Help you set up a reasonable default firewall with network address translation (NAT) and packet filtering.
• HTTP proxy: Filters traffic using Squid and DansGuardian with blacklists, file extension filters, and MIME filters, among other tools.
• File and print server: You can configure Samba 3, Common Unix Printing System (CUPS), and OpenLDAP to act as a Windows NT Primary Domain Controller (PDC) or as a workgroup server. Other modules use the Users and Groups LDAP service.
• DHCP and DNS: Uses the Internet Systems Consortium (ISC) Dynamic Host Configuration Protocol (DHCP) service and bind for services including a Domain Name System (DNS) server for your network.
• Mail server: Provides the Postfix mail service, with SpamAssassin and Clam AntiVirus (ClamAV) for protection.
• Network Time Protocol (NTP): eBox can act as the network NTP server and synchronize with an out-of-network NTP server.
• Messaging: The Jabber service provides instant messaging within the network. You may also opt to connect with the worldwide Jabber IM network.
• Backups: Lets you easily create server configuration or data backups.
• OpenVPN: You can configure OpenVPN to offer VPN access to the network.
• Traffic shaping: You can configure eBox as a network edge router or gateway. Traffic shaping then allows you to set a maximum download or upload rate for certain services, such as SSH and HTTP.
• eBox control center: The eBox control center allows you to jointly manage several eBox servers from a single master console.

Installation

My test environment included a server with two 2.66GHz dual-core Intel processors, 4GB of memory, a SAS RAID array, and two Gigabit Ethernet network cards. I kept this test server on an isolated network with a direct connection between the server and the Fedora 8 laptop I used as the client.

eBox is based on Ubuntu and offers three different installation methods: through a CD, through apt-get, and from source. I used the CD installation, which uses a straightforward Ubuntu Server Edition curses-based install with no X Window System GUI. The eBox modules install automatically after you reboot the server for the first time. The only quirk in the process was that the CD ejected automatically, even though eBox requires it to be inserted when the server reboots for the first time.

After the initial install completes and the server reboots, eBox installs its packages from the CD, asks you to set the administrator password, and gives you the option to change the SSL port. The eBox modules then begin their initial startup (although they remain disabled), and generates 1,024-bit Diffie-Hellman keys for uses such as OpenVPN.

Administration

Once all the packages are installed, it’s time to configure eBox. From the laptop, I browsed to the IP address for the server, which I set manually during the installation: https://192.168.1.1. (It is possible to use DHCP to set the eBox server’s IP address, but production servers should have static IP addresses.) Of course, you can use its fully qualified domain name if you already have that set in a DNS server elsewhere. After logging in, you’re initially shown the status page for eBox. The left part of the page has links to each module’s configuration page, and some have sublinks that show up once you’ve clicked the module. In the top right of the page, the Save Changes box appears in green if no changes are pending. It turns red if any changes have been made and need to be saved. Once you click Save Changes, eBox writes the configuration changes and restarts the appropriate daemons automatically — an efficient and easy process.

Alternatively, you may SSH into the server directly to administer the box using a system login. This prevents you from using the Web GUI. Users set up in LDAP are not allowed to SSH by default, although hacking eBox’s pluggable authentication module (PAM) configuration files may open this up if you need to do so.

After configuring each of the major modules, I clicked on Module Status on the left pane and enabled each. The documentation states you can enable dependent modules as needed; I did not try this, but rather enabled dependencies beforehand. However, it would be useful to have the option to enable a module on the configuration page.

Next, I added a single test user and group. When adding the user, eBox told me that no email virtual domain was set up, and it gave me a link to set one up. Saving the user before clicking the link did not give me that direct link back, so I needed to navigate using the left pane instead. I spoke to eBox’s Javier Val, who told me that it’s possible to manually configure LDAP to authenticate against an external LDAP server or Active Directory. However, there are currently no plans to integrate this ability into the Web GUI in the near future due to the complexity involved.

The mail configuration module is chock-full of options, such as setting the smart host, maximum message size, relay policy, mail filters (such as general, MIME, badly formed header, and extension filters), antispam and antivirus settings, and adding virtual email domains. You can set most policies to pass, reject, bounce, or discard messages that fit the chosen criteria. ClamAV is set to update its antivirus database automatically, which is a big plus for security reasons.

Certificate management in eBox was simple. For the initial setup, you’re instructed to create a self-signed Certificate Authority (CA) by entering the organization name and the number of days until it expires. There is no way to import a CA certificate through the Web GUI, so outside users may get a warning for any certificates generated from the self-signed CA. An eBox representative said that you may import an external CA certificate manually, and a wiki entry is forthcoming to show how. Once the CA has been generated, you can generate, download, renew, or revoke regular certificates through the Web GUI. Clicking the ↓ download icon downloads a TGZ file with cert.pem, private-key.pem, and public-key.pem files.

File sharing has two different modes: a Primary Domain Controller (PDC) and a simple file server. When you set up a user in Users and Groups, you also create a directory labeled with their username and shared via Samba. I tried connecting from the Fedora 8 laptop to my share in PDC mode, but it would not connect even after I gave the appropriate password. eBox’s Samba log stated that the user test had an invalid SID (security identifier). I switched to File Server mode, and was able to connect to the share with no errors.

When you need to update your server software, the eBox Web GUI allows software management of its own components and system updates only, you can also add Ubuntu packages using apt-get from the command line. You may also opt to allow automatic security updates. Unless you have a compelling reason to add more software, using the Web GUI for software management appears to be sufficient for eBox’s purpose.

One of the most important eBox modules is backup. Although it should have more visibility and prevalence in the GUI and an eye-catching warning if no backups have ever been run, it is easy and intuitive to use. Click on System -> Backup, add a description, select a backup type (either configuration only or full), and click Back Up. Once finished, the backup appears in the Backups’ List section at the bottom, with three icons that allow you to restore from backup, download the backup file, or delete the backup. To store the backup offsite, you can use the download icon and save the tar file to some external medium.

Testing with httperf

As of the 0.11.100 version, eBox has no modules to set up Web sites on the server. You could add virtual host configuration text files to /etc/apache2/sites-enabled/, but this could be a turnoff for the targeted users, since they tend to expect a GUI interface instead of having to deal with text files. Fortunately, a module is already in the works for version 0.12 that will allow this kind of configuration.

I found a small HTML page on the server’s root URL, so I decided to test the service using httperf and the command httperf –server 192.168.1.1 –port 80 –hog –rate 150 –num-conn 27000 –num-call 1 –timeout 5. The results show it handles 150 connections a second easily:

Maximum connect burst length: 4

Total: connections 27000 requests 27000 replies 27000 test-duration 179.994 s

Connection rate: 150.0 conn/s (6.7 ms/conn, <=4 concurrent connections)
Connection time [ms]: min 0.1 avg 0.3 max 2.5 median 0.5 stddev 0.0
Connection time [ms]: connect 0.1
Connection length [replies/conn]: 1.000

Request rate: 150.0 req/s (6.7 ms/req)
Request size [B]: 64.0

Reply rate [replies/s]: min 149.8 avg 150.0 max 150.0 stddev 0.0 (36 samples)
Reply time [ms]: response 0.2 transfer 0.0
Reply size [B]: header 292.0 content 45.0 footer 0.0 (total 337.0)
Reply status: 1xx=0 2xx=27000 3xx=0 4xx=0 5xx=0

CPU time [s]: user 28.53 system 151.25 (user 15.8% system 84.0% total 99.9%)
Net I/O: 58.7 KB/s (0.5*10^6 bps)

Errors: total 0 client-timo 0 socket-timo 0 connrefused 0 connreset 0
Errors: fd-unavail 0 addrunavail 0 ftab-full 0 other 0

Conclusion

eBox meets its goal of offering an easy-to-use, intuitive Web interface that helps pull together some powerful networking services on a stable platform. Its modular design allows you to delete modules you don’t need and pull in new ones as they become available. Programmers can make new modules using the Mason engine, allowing eBox to support new services as needed. A few pieces are missing, but new features are on the horizon, and some of the rough edges are being ironed out.