Faruque Ahmed : MCP, MCSA, MCSE, MCTS, MCIT, CCNA, OCA, OCP, GCP

REDhat 5.1

NOTES ON RHL-253

****************************************************************************

File Transfer Protocol (FTP)

****************************************************************************

Service Profile: FTP

=================

Type: System V-managed service

Package: vsftpd

Daemon: /usr/sbin/vsftpd

Script: /etc/init.d/vsftpd

Ports: 21 (ftp), 20 (ftp-data)

Configuration: /etc/vsftpd/vsftpd.conf /etc/vsftpd/ftpusers /etc/pam.d/vsftpd

Log: /var/log/xferlog

Related: tcp_wrappers, ip_conntrack_ftp, ip_nat_ftp

Installing and configuring FTP

=====================

1. Install vsftpd package

$ yum install vsftpd

2. Start and hangup the service

$ chkconfig vsftpd on

$ service vsftpd start

To disable anonymous access configure vsftpd.conf

$vim /etc/vsftpd/vsftpd.conf

anonymous_enable=NO

Restart the service

$service vsftpd restart

To disable authenticated user access from ftp services

give entry of that user in /etc/vsftpd/ftpusers

***************************************************************************

Network File Service (NFS)

***************************************************************************

Service Profile: NFS

===============

Type: System V-managed service

Package: nfs-utils

Daemons: rpc.nfsd, rpc.lockd, rpciod, rpc.mountd, rpc.rquotad, rpc.statd

Scripts: /etc/init.d/nfs, /etc/init.d/nfslock

Ports: 2049(nfsd), Others assigned by portmap(111)

Configuration: /etc/exports

Related: portmap (mandatory), tcp_wrappers

Installing and configuring NFS

======================

To view nfs installations

$rpm –qa | grep nfs-utils

To view list of nfs status

$chkconfig --list portmap

$chkconfig --list nfslock

$chkconfig --list nfs

To start and hungup the service

$chkconfig nfs on

$service nfs start

To configure sharing data folder

$vim /etc/exports

/data *(ro,sync)

/data 192.168.7.0/24(ro,sync)

Restart the service

$service portmap restart

$service nfslock restart

$service nfs restart

To show share data

$showmount –e localhost

To mount share data

$mount –t nfs 192.168.7.254 :/data/mnt

$exportfs -v

****************************************************************************

Samba Service (SMB)

****************************************************************************

Service Profile: SMB

===============

Type: System V-managed service

Packages: samba, samba-common, samba-client

Daemons: /usr/sbin/nmbd, /usr/sbin/smbd

Script: /etc/init.d/smb

Ports: TCP: 445(-ds)

Configuration: /etc/samba/*

Related: system-config-samba, testparm

Installing samba server

=================

1. Install the samba package

#yum install samba -y

2. Configure global settings

#vim /etc/samba/smb.conf

3. Hangup the smb service in service tray

#chkconfig smb on

4. Start smb service

#service smb start

5. Adding user in samba database

#smbpasswd -a user_name

Access samba server

===============

1. View samba shares

#smbclient -L //192.168.8.254 -U jhon

2. Access samba shares

#smbclient //192.168.8.254/home/john -U john

Create a share folder using samba service

==============================

#vim /etc/samba/smb.conf

Configure Global Settings

Restricting samba service from undesired network

====================================

1. Globally allow/deny will effect on all share

2. sharewise allow/deny will effect only for that shar

[data]

comment = Colaboration directory for all

path = /data

public = yes

browseable = yes

writable = no

; printable = no

; write list = +staff

[technical]

comment = Colaboration directory for all

path = /technical

public = no

browseable = yes

writable = yes

; printable = no

; write list = +staff

****************************************************************************

HTTPD

****************************************************************************

Service Profile: HTTPD

=================

Type: System V-managed service

Packages: httpd, httpd-devel, httpd-manual

Daemon: /usr/sbin/httpd

Script: /etc/init.d/httpd

Ports: 80(http), 443(https)

Configuration: /etc/httpd/*, /var/www/*

Related: system-config-httpd, mod_ss1

Installing httpd service

=================

1. Install the package

#yum install httpd* -y

2. Hangup the service in service tray

#chkconfig httpd on

3. Start the service

#service httpd start

4. Test your system that whether httpd service have installed or not

#netstat -ntulp | grep ":80"

#links http://localhost

Configure default web site at your server

=============================

1. Edit /etc/httpd/conf/httpd.conf file and declare default site

#vim /etc/httpd/conf/httpd.conf

Example:

NameVirtualHost 192.168.8.215:80

ServerAdmin root@station15.example.com

DocumentRoot /var/www/html/

ServerName station15.example.com

</VirtualHost>

2. Create default page for your site

#vim /var/www/html/index.html

3. Restart the service

#service httpd restart

Configuring virtual hosting

====================

1. Port based virtual hosting

2. Ip based virtual hosting

3. Name based virtual hosting

aTest second name

Port based virtual hosting

===================

1. Enable port to which server will listen

Listen 8080

2. Create virtual hosting entry in bellow of httpd.conf

#vim /etc/httpd/conf/httpd.conf

NameVirtualHost *:8080

ServerAdmin webmaster@station13.example.com

DocumentRoot /var/www/employee

ServerName station13.example.com

</VirtualHost>

3. Restart the httpd service

$service httpd restart

Name based virtual hosting

====================

1. Create virtual hosting entry in bellow of httpd.conf

#vim /etc/httpd/conf/httpd.conf

ServerAdmin webmaster@www13.example.com

DocumentRoot /var/www/www13

ServerName www13.example.com

</VirtualHost>

2. Restart the httpd service

$service httpd restart

IP based virtual hosting

=================

1. Create virtual hosting entry in bellow of httpd.conf

#vim /etc/httpd/conf/httpd.conf

NameVirtualHost 192.168.8.254:8080

ServerAdmin webmaster@www13.example.com

DocumentRoot /var/www/info

ServerName info.example.com

</VirtualHost>

2. Restart the httpd service

$service httpd restart

Restricting user access

=================

1. Enable authenticaion in httpd.conf file

#vim /etc/httpd/conf/httpd.conf

Example

ServerAdmin root@www2.example.com

DocumentRoot /var/www/site3

ServerName www2.example.com

DirectoryIndex index.html

Options FollowSymLinks

AllowOverride Authconfig

</Directory>

</VirtualHost>

2. Create .htaccess file in the root directory

#vim /var/www/site3/.htaccess

AuthName "restricted user"

AuthType Basic

AuthUserFile /etc/httpd/conf/vir.passwd

require valid-user

3. Add user in vir.passwd file

#htpasswd -mc /etc/httpd/conf/vir.passwd admin

#htpasswd -c /etc/httpd/conf/vir.passwd anis

4. Change vir.passwd file permission for apache

#chgrp apache /etc/httpd/conf/vir.passwd

#chmod g+r /etc/httpd/conf/vir.passwd

5. Restart the service

#service httpd restart

Restricting Network access

====================

Order allow,deny

Allow from 192.168.8.

Deny from all

</Directory>

Configuring https server

==================

1. Install mod_ssl

#yum install mod_ssl -y

2. Edit /etc/httpd/conf.d/ssl.conf

#vim /etc/httpd/conf.d/ssl.conf

Example

NameVirtualHost *:443

ServerAdmin root@station2.example.com

DocumentRoot /var/www/html

ServerName station2.example.com

</VirtualHost>

3. Restart httpd service

#service httpd restart

****************************************************************************

Proxy server (Squid)

****************************************************************************

Service Profile: Squid

================

Type: System V-managed service

Package: squid

Daemon: /usr/sbin/squid

Script: /etc/init.d/squid

Ports: 3128(squid), (configurable)

Configuration: /etc/squid/*

1. Installing squid

#yum install squid

2. Hang-up the service

#chkconfig squid on

3. Configuring squid

#vim /etc/squid/squid.conf

@Defining port for proxy service find http_port

http_port 8080

@Aware squide that whats your server name find visible_hostname

visible_hostname server5 (must be same as /etc/hosts or defined by dns)

@configure cache size find cach_mem

cach_mem 64 mb

@configure object size

maximum_object_size 10000 KB

maximum_object_size_in_memory 16 KB

@configure cache directory

cach_dir ufs /cache_dir 5000 16 256

Note: before using cache directory set permission

#chmod -R 755 /cache

#chown -R squid.squid /cache

@define log path

cache_access_log /etc/squid/logs/access.log

cache_log /etc/squid/logs/cache.log

ACL

@define rule for source subent

acl mynet src 192.168.9.0

acl badnet src 192.168.11.0

@define rule for source domain

acl mynet2 src .example.com

@define rules for individual users

acl rubel src 192.168.9.15

@define rules for destination domain

acl baddomain dstdomain .pornsite.com

Note: Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs. In this example we create to lists in files named /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid.

acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"

acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"

#vim /usr/local/etc/allowed-sites.squid

# File: /usr/local/etc/allowed-sites.squid

www.openfree.org

linuxhomenetworking.com

#vim /usr/local/etc/restricted-sites.squid

# File: /usr/local/etc/restricted-sites.squid

www.porn.com

illegal.com

@define time based rules S=Sunday, M=Monday, T=Tuesday, W=Wednesday, H=Thursday, F=Friday, A=Saturday

acl working_time MTWHF 09:00-17:00

@define port

acl safe_ports port 80 21 443 563 70 210 1025-65535

acl dangarous_ports port 7 9 19 22 23 25 53 109 110 119

Allow/Deny

http_access deny badnet

http_access deny rubel

http_access deny mynet2 working_time

http_access allow mynet working_time

4. hangup and start the service

#chkconfig squid on

#squid -z

#service squid start

To Test Proxy Server

================

For Linux: web browser>edit>preference>network>setting>proxy

For windows: internet explore>tools>internet options>connection>proxy server

Password Authentication NCSA

========================

@Create the password file. The name of the password file should be /etc/squid/squid_passwd, and you need to make sure that it's universally readable.

#touch /etc/squid/squid_passwd

#chmod o+r /etc/squid/squid_passwd

@give user entry on passwd

#htpasswd /etc/squid/sq_passwd shahee

#htpasswd /etc/squid/sq_passwd oni

@ Find your ncsa_auth file using the locate command.

# locate ncsa_auth

/usr/lib/squid/ncsa_auth

@Edit squid.conf; specifically, you need to define the authentication program in squid.conf, which is in this case ncsa_auth. Next, create an ACL named ncsa_users with the REQUIRED keyword that forces Squid to use the NCSA auth_param method you defined previously. Finally, create an http_access entry that allows traffic that matches the ncsa_users ACL entry. Here's a simple user authentication example; the order of the statements is important:

#vim /etc/squid/squid.conf

# Add this to the auth_param section of squid.conf

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

# Add this to the bottom of the ACL section of squid.conf

acl ncsa_users proxy_auth REQUIRED

# Add this at the top of the http_access section of squid.conf

http_access allow ncsa_users

@This requires password authentication and allows access only during business hours. Once again, the order of the statements is important:

#vim /etc/squid/squid.conf

# Add this to the auth_param section of squid.conf

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

# Add this to the bottom of the ACL section of squid.conf

acl ncsa_users proxy_auth REQUIRED

acl business_hours time M T W H F 9:00-17:00

# Add this at the top of the http_access section of squid.conf

http_access allow ncsa_users business_hours

*************************Transparent Proxy **********************************

@configure squid work as a transparent proxy for pre squid.2.6

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy_on

httpd_accel_uses_host_header on

@configure squid work as a transparent proxy for post squid.2.6

http_port 3128 transparent

@configure iptables to transparent proxy

If the Squid server and firewall are the same server, all HTTP traffic from the home network is redirected to the firewall itself on the Squid port of 3128 and then only the firewall itself is allowed to access the Internet on port 80. And eth0 connected to internet and eth1 is connected to lan.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i eth1 -p tcp --dport 3128

iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp --dport 80

iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp --sport 80

iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -o eth1 -p tcp --sport 80

****************************************************************************

Sendmail

****************************************************************************

Service Profile: Sendmail

==================

Type: System V-managed service

Packages: sendmail, sendmail-cf, sendmail-doc

Daemon: /usr/sbin/sendmail

Script: /etc/init.d/sendmail

Port: 25 (smtp)

Configuration: /etc/mail/sendmail.mc, /etc/aliases, and others

Related: procmail(MDA), spamassassin, tcp_wrappers, sendmail-doc

Install and configure sendmail

======================

1. Install sendmail package

$yum install sendmail-cf

2. Check hostname, /etc/hosts entry, dig the hostname

3. Give hostname entry on the /etc/mail/local-host-names

example.com

station2.example.com

3. Edit sendmail.mc file to listen smtp on your phisical interface

$vim /etc/mail/sendmail.mc

dnl #DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

LOCAL_DOMAIN(`station2.example.com')dnl

4. Configure sendmail.cf file by m4 macro

$m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

$make -C /etc/mail

5. Start the sendmail service

$chkconfig sendmail on

$service sendmail start

6. Chek whether snedmail is working or not

$netstat -ntulp | grep :25

$sendmail -d0 < /dev/null

Configure Relay restriction

====================

$vim /etc/mail/access

From: 90trialspammer@aol.com REJECT

Connect: spamRus.net REJECT

Connect: 10.3 OK

From: virtualdomain1.com RELAY

To: user@dom9.com ERROR: 550 mail discarded

To: nobody@ ERROR: 550 BAD NAME

***************************************************************************

Dovcot

****************************************************************************

Service Profile: Dovecot

==================

Type: System V-managed service

Package: dovecot

Daemon: /usr/sbin/dovecot

Script: /etc/init.d/dovecot

Port: 110(pop), 995(pop3s), 143(imap), 993(imaps)

Configuration: /etc/dovecot.conf

Related: procmail, fetchmail, openssl

Installing and configuring dovecot

=============================

$yum install dovecot

$vim /etc/dovecot.conf

protocols pop imap

$chkconfig dovecot on

$service dovecot start

$netstat -ntulp | grep dovecot

Testing POP3

============

[root@server1 ~]# telnet 192.168.7.203 110

Trying 192.168.7.203...

Connected to station3.example.com (192.168.7.203).

Escape character is '^]'.

+OK Dovecot ready.

user susan

+OK

pass redhat

+OK Logged in.

list

+OK 1 messages:

1 421

retr 1

+OK 421 octets

Return-Path: <azad@example.com>

Received: from example.com (server1.example.com [192.168.7.254])

by station39.example.com (8.13.8/8.13.8) with SMTP id oASA2SuH003486

for susan@example.com; Sun, 28 Nov 2010 16:03:55 +0600

Date: Sun, 28 Nov 2010 16:02:28 +0600

From: azad@example.com

Message-Id: <201011281003.oASA2SuH003486@station39.example.com>

hi susan.

I am in bangladesh

you r most welcome at our land.

dele 1

+OK Marked to be deleted.

quit

+OK Logging out, messages deleted.

Connection closed by foreign host.

Testing IMAP

=============

[root@server1 ~]# telnet 192.168.7.203 143

Trying 192.168.7.203...

Connected to station3.example.com (192.168.7.203).

Escape character is '^]'.

* OK Dovecot ready.

a1 LOGIN azad redhat

a1 OK Logged in.

a2 LIST "" "*"

* LIST (\NoInferiors \Marked) "/" "INBOX"

a2 OK List completed.

a3 examine inbox

* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)

* OK [PERMANENTFLAGS ()] Read-only mailbox.

* 1 EXISTS

* 1 RECENT

* OK [UNSEEN 1] First unseen.

* OK [UIDVALIDITY 1290940448] UIDs valid

* OK [UIDNEXT 2] Predicted next UID

a3 OK [READ-ONLY] Select completed.

a4 fetch 1 body[]

* 1 FETCH (BODY[] {392}

Return-Path: <susan@example.com>

Received: from example.com (server1.example.com [192.168.7.254])

by station39.example.com (8.13.8/8.13.8) with SMTP id oASAIKEg003691

for azad@example.com; Sun, 28 Nov 2010 16:19:03 +0600

Date: Sun, 28 Nov 2010 16:18:20 +0600

From: susan@example.com

Message-Id: <201011281019.oASAIKEg003691@station39.example.com>

I am comming soon

so dont wory!

)

a4 OK Fetch completed.

a5 logout

* BYE Logging out

a5 OK Logout completed.

Connection closed by foreign host.

You have new mail in /var/spool/mail/root

***************************************************************************

DNS

****************************************************************************

Service Profile: DNS

================

Type: System V-managed service

Packages: bind, bind-utils, bind-chroot

Daemons: /usr/sbin/named, /usr/sbin/rndc

Script: /etc/init.d/named

Ports: 53 (domain), 953 (rndc)

Configuration: (Under /var/named/chroot/) /etc/named.conf, /var/named/*, /etc/rndc.key

Related: caching-nameserver, openss1

Resolver

1. /etc/hosts

2. /etc/nsswitch.conf

3. /etc/resolve.conf

Using dig command for resolving DNS server

Resolving particuler server excepting /etc/resolve.conf

# dig @server_name fqdn

#dig @192.168.8.254 server1.example.com

#dig +trace yahoo.com

forword lookup query

#dig fqdn

#dig station3.example.com

Reverselookup query

#dig -x ip_address

#dig -x 192.168.8.203

Resolving based on record

#dig -t mx example.com

To view total zone information by transfering zone

#dig -t axfr example.com @192.168.8.254

using host to resoleve name server

forward lookup query

#host server1.example.com

Reverse lookup query

#host 192.168.8.254

Resolving based on record

#host -t soa example.com

Configuring Bind

1.Install package

a.bind

b.bind-chroot

c.caching-nameserver

#yum install bind bind-chroot caching-nameserver -y

Caching only name server

===================

*Note: If you install only bind and caching-nameserver package.

DNS configuration file /etc/named.conf

Zone file /var/named/example.com.fz

If you install bind,bind-chroot and caching-nameserver package.

DNS configuration file /var/named/chroot/etc/named.conf

Zone file /var/named/chroot/var/named/example.com/fz

1.check whether package are installed or not

#rpm -qa | grep bind

#rpm -qa | grep caching-nameserver

2.copy named.caching-nameserver.conf to named.conf (/var/named/chroot/etc)

#cd /var/named/chroot/etc

#cp named.caching-nameserver.conf named.conf

3.Edit the file named.conf

#vim named.conf

a.listen-on port (add your interface ip_address)

listen-on port 53 { 127.0.0.1; 192.168.8.203; };

b.allow-query (add your network subnet address)

allow-query { localhost; 192.168.8.0/24; };

c.Add forward entry for ISP DNS server

forwarders { 192.168.8.254; };

c.make commented logging and view_local_host resolver

4.make named group as owner of the file named.conf

#chgrp named named.conf

5.start the service

#service named start

6.check the service is working

#netstat -ntulp | grep named

#netstat -ntulp | grep :53

#dig @127.0.0.1 www.yahoo.com

#Configuring Master Name server (forward lookup zone)#

=========================================

1.Edit named.conf file make enry for your zone

# vim /var/named/chroot/etc/named.conf

Example:

zone "zone_name" Class_type{

Type;

File_name;

};

2. Create zone file under directory /var/named/chroot/var/named

#cd /var/named/chroot/var/named

#cp localdomain.zone zone_file_name

3. Edit the zone file which you have created

#vim zone_file_name

4. Make named group as owner of zone_file

#chgrp named zone_file_name

5. Restart the named service

#service named restart

#Configuring Primary DNS (Reverse lookup zone)#

=====================================

1.Edit named.conf file make enry for your zone

# vim /var/named/chroot/etc/named.conf

Example:

zone "0.0.127.in-addr.arpa" IN {

type master;

file "rana.personal.rz";

2. Create zone file under directory /var/named/chroot/var/named

#cd /var/named/chroot/var/named

#cp localdomain.zone zone_file_name

3. Edit the zone file which you have created

#vim zone_file_name

4. Make named group as owner of zone_file

#chgrp named zone_file_name

5. Restart the named service

#service named restart

#Configuring Slave name server (forward lookup zone)#

=========================================

1. permit zone transfer from master to slave nameserver

zone "zone_name" Class_type{

Type;

File_name;

allow-transfer { 192.168.8.254; };

};

2. Create a NS record on Master name server in zone file

#vim named.conf

IN NS server1

server1 IN A 192.168.8.254

3. Install name service in slave server.

4. Create zone entry in named.conf

# vim /var/named/chroot/etc/named.conf

Example:

zone "anis.personal" IN {

type slave;

file "slaves/anis.personal.fz";

masters { 192.168.8.202; };

};

5. Restart the service

****************************************************************************

DHCP

****************************************************************************

Service Profile: DHCP

================

Type: System V-managed service

Package: dhcp

Daemon: /usr/sbin/dhcpd

Script: /etc/init.d/dhcpd

Ports: 67 (bootps), 68 (bootpc)

Configuration: /etc/dhcpd.conf, /var/lib/dhcpd/dhcpd.leases

Related: dhclient, dhcpv6_client, dhcpv6

****************************************************************************

Postfix

****************************************************************************

Service Profile: Postfix

=================

Type: System V-managed service

Package: postfix

Daemons: /usr/libexec/postfix/master and others

Script: /etc/init.d/postfix

Port: 25(smtp)

Configuration: /etc/postfix/main.cf and others

Related: procmail

****************************************************************************

SSH

****************************************************************************

Page updated

Google Sites

Report abuse