Red Hat 5.1
NOTES ON RHL-253
****************************************************************************
File Transfer Protocol (FTP)
****************************************************************************
Service Profile: FTP
=================
Type: System V-managed service
Package: vsftpd
Daemon: /usr/sbin/vsftpd
Script: /etc/init.d/vsftpd
Ports: 21 (ftp), 20 (ftp-data)
Configuration: /etc/vsftpd/vsftpd.conf, /etc/vsftpd/ftpusers, /etc/vsftpd/user_list, /etc/pam.d/vsftpd
Log: /var/log/xferlog
Related: tcp_wrappers, ip_conntrack_ftp, ip_nat_ftp
Installing and configuring FTP
==============================
1. Install the vsftpd package
# yum install vsftpd
2. Enable the service at boot and start it
# chkconfig vsftpd on
# service vsftpd start
To disable anonymous access, edit vsftpd.conf
# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
Restart the service
# service vsftpd restart
To deny FTP login to a particular local user, put the user name on a line of
its own in /etc/vsftpd/ftpusers: /etc/pam.d/vsftpd rejects every user listed
there (pam_listfile, sense=deny) when the password is checked. A second list,
/etc/vsftpd/user_list, is consulted when userlist_enable=YES: with
userlist_deny=YES (the default) the listed users are refused at the USER
command, before any password is sent; with userlist_deny=NO only the listed
users may log in.
Note: FTP carries user names and passwords in cleartext. Keep local logins
off untrusted networks, set chroot_local_user=YES so users cannot browse
above their home directory, and prefer sftp (OpenSSH) where clients allow it.
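The interaction between ftpusers and user_list described above, as an added shell example that is not part of the RHL-253 notes or of vsftpd itself: it reproduces the two checks on constructed copies of the three files in a temporary directory (the /etc/vsftpd paths and the PAM deny list are assumed from the notes; the user names are made up) and reports which list rejected a login, first in deny-list mode and then in allow-list mode.

```shell
#!/bin/sh
# Added example (not from the RHL-253 notes, not vsftpd code): decide whether
# a local user gets past vsftpd's two deny lists on a RHEL 5 box, assuming
#   - /etc/pam.d/vsftpd uses pam_listfile (sense=deny) on /etc/vsftpd/ftpusers
#   - userlist_enable / userlist_deny are read from vsftpd.conf (key=value)
# The files below are constructed samples written to a temp dir (runs offline).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/ftpusers" <<'EOF'
# rejected by PAM when the password is checked (PASS command)
root
bin
daemon
EOF
cat > "$demo_dir/user_list" <<'EOF'
root
alice
EOF
cat > "$demo_dir/vsftpd.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
userlist_enable=YES
userlist_deny=YES
EOF

# conf_get FILE KEY DEFAULT: last value of KEY in a vsftpd-style key=value file
conf_get() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# in_list FILE USER: true if USER is a whole line of FILE (comment lines skipped)
in_list() {
    grep -v '^[[:space:]]*#' "$1" | grep -qxF -- "$2"
}

# ftp_login_allowed USER CONFDIR: prints "allow" or "deny:<which list>" and
# returns 1 on deny. The order mirrors vsftpd: user_list is consulted at the
# USER command, before any password is sent; ftpusers is consulted by PAM
# only when the client sends PASS.
ftp_login_allowed() {
    user=$1; dir=$2
    if [ "$(conf_get "$dir/vsftpd.conf" userlist_enable NO)" = YES ]; then
        mode=$(conf_get "$dir/vsftpd.conf" userlist_deny YES)
        if [ "$mode" = YES ] && in_list "$dir/user_list" "$user"; then
            printf 'deny:user_list\n'; return 1
        fi
        if [ "$mode" = NO ] && ! in_list "$dir/user_list" "$user"; then
            printf 'deny:not-in-user_list\n'; return 1
        fi
    fi
    if in_list "$dir/ftpusers" "$user"; then
        printf 'deny:ftpusers\n'; return 1
    fi
    printf 'allow\n'
}

# Deny-list mode (the default), then flip the same files to allow-list mode.
for u in root bin alice bob; do
    printf '%-6s userlist_deny=YES -> %s\n' "$u" "$(ftp_login_allowed "$u" "$demo_dir")"
done
printf 'userlist_enable=YES\nuserlist_deny=NO\n' > "$demo_dir/vsftpd.conf"
for u in root bin alice bob; do
    printf '%-6s userlist_deny=NO  -> %s\n' "$u" "$(ftp_login_allowed "$u" "$demo_dir")"
done
```

Note that root is refused in both modes, but by different files: in allow-list mode it passes user_list and is then stopped by the PAM list, which is why root and the system accounts belong in ftpusers regardless of how user_list is used.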
***************************************************************************
Network File System (NFS)
***************************************************************************
Service Profile: NFS
===============
Type: System V-managed service
Package: nfs-utils
Daemons: rpc.nfsd, rpc.lockd, rpciod, rpc.mountd, rpc.rquotad, rpc.statd
Scripts: /etc/init.d/nfs, /etc/init.d/nfslock
Ports: 2049(nfsd), Others assigned by portmap(111)
Configuration: /etc/exports
Related: portmap (mandatory), tcp_wrappers
Installing and configuring NFS
==============================
To check whether nfs-utils is installed
# rpm -qa | grep nfs-utils
To view the boot status of the NFS services
# chkconfig --list portmap
# chkconfig --list nfslock
# chkconfig --list nfs
To enable the service at boot and start it
# chkconfig nfs on
# service nfs start
To share the /data directory, edit /etc/exports
# vim /etc/exports
/data *(ro,sync)
or, restricted to one subnet (preferred; "*" exports to every host that can reach port 2049)
/data 192.168.7.0/24(ro,sync)
Restart the services (portmap first; nfs depends on it)
# service portmap restart
# service nfslock restart
# service nfs restart
To re-read /etc/exports without restarting, and to list what is exported with its effective options
# exportfs -ra
# exportfs -v
To show the shares a server offers
# showmount -e localhost
To mount a share on a client
# mount -t nfs 192.168.7.254:/data /mnt
Note: NFSv3 trusts the UID/GID the client presents (AUTH_SYS). root_squash,
the default, maps remote root to nobody; never add no_root_squash to an
export reachable from hosts you do not administer, and keep the allowed
client list as narrow as possible.
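An added example, not from the RHL-253 notes and not part of nfs-utils: a small audit of an exports file that flags the entries a reviewer would question (exports to every host, rw combined with no_root_squash, the insecure option, hostname wildcards). The exports file it reads is a constructed sample; on a real server, compare its output against exportfs -v.

```shell
#!/bin/sh
# Added example (not from the RHL-253 notes, not part of nfs-utils): scan an
# /etc/exports file for the settings that most often turn an NFS share into a
# remote root on the server. The exports file below is a constructed sample.
demo_exports=$(mktemp)
trap 'rm -f "$demo_exports"' EXIT
cat > "$demo_exports" <<'EOF'
# path        client(options) ...          (sample, not a real server's file)
/data         192.168.7.0/24(ro,sync)
/home         *(rw,sync,no_root_squash)
/srv/build    *.example.com(rw,sync) 192.168.7.10(rw,sync,insecure)
/backup       (rw)
EOF

# exports_audit FILE: print one line per risky export entry (nothing if clean)
exports_audit() {
    sed 's/#.*//' "$1" | awk '
    NF >= 2 {
        path = $1
        for (i = 2; i <= NF; i++) {
            spec = $i; client = spec; opts = ""
            if (match(spec, /\(.*\)$/)) {          # split "client(opt,opt)"
                client = substr(spec, 1, RSTART - 1)
                opts   = substr(spec, RSTART + 1, RLENGTH - 2)
            }
            # "*" or an empty client field ("/backup (rw)") exports to every host
            if (client == "" || client == "*")
                print path ": exported to every host (" spec ")"
            # remote root keeps uid 0 on the server: full read/write of the tree
            if (opts ~ /(^|,)rw(,|$)/ && opts ~ /(^|,)no_root_squash(,|$)/)
                print path ": rw with no_root_squash for " client
            # mounts from unprivileged ports: any local user on the client can mount
            if (opts ~ /(^|,)insecure(,|$)/)
                print path ": insecure option for " client
            # hostname wildcards are matched by reverse DNS of the client address
            if (client ~ /^\*\./)
                print path ": hostname wildcard " client " trusts reverse DNS"
        }
    }'
}

# exports_findings FILE: number of findings, as a plain integer
exports_findings() {
    exports_audit "$1" | grep -c .
}

exports_audit "$demo_exports"
```

The /data line, exported read-only to one subnet with root_squash left at its default, produces no finding; the other three lines produce five.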
****************************************************************************
Samba Service (SMB)
****************************************************************************
Service Profile: SMB
===============
Type: System V-managed service
Packages: samba, samba-common, samba-client
Daemons: /usr/sbin/nmbd, /usr/sbin/smbd
Script: /etc/init.d/smb
Ports: TCP 139 (netbios-ssn), 445 (microsoft-ds); UDP 137 (netbios-ns), 138 (netbios-dgm)
Configuration: /etc/samba/*
Related: system-config-samba, testparm
Installing samba server
=======================
1. Install the samba package
# yum install samba -y
2. Configure global settings
# vim /etc/samba/smb.conf
3. Enable the smb service at boot
# chkconfig smb on
4. Start the smb service
# service smb start
5. Add a user to the samba password database (the user must already exist in
/etc/passwd; samba keeps its own password hashes, separate from the system
password)
# smbpasswd -a user_name
Access samba server
===================
1. View samba shares
# smbclient -L //192.168.8.254 -U john
2. Access a samba share (with the default [homes] section enabled, a user's
home directory is offered as a share named after the user)
# smbclient //192.168.8.254/john -U john
Create a share folder using samba service
=========================================
# vim /etc/samba/smb.conf
Add a share section below the global settings, then check the syntax with
testparm and restart the service:
# testparm
# service smb restart
Restricting samba service from undesired networks
=================================================
The hosts allow and hosts deny parameters (for example hosts allow = 192.168.8.
and hosts deny = ALL) may be set in either place:
1. In [global] the allow/deny lists apply to every share
2. In a share section they apply to that share only (and override the global
lists for that share)
[data]
comment = Collaboration directory for all
path = /data
public = yes
browseable = yes
writable = no
; printable = no
; write list = +staff
[technical]
comment = Collaboration directory for all
path = /technical
public = no
browseable = yes
writable = yes
; printable = no
; write list = +staff
Note: public = yes (an alias of guest ok) lets anyone read /data without a
password, so keep such shares read-only. With SELinux enforcing on RHEL 5 the
directory also needs the samba_share_t context (chcon -R -t samba_share_t
/data) or smbd cannot serve it.
****************************************************************************
HTTPD
****************************************************************************
Service Profile: HTTPD
=================
Type: System V-managed service
Packages: httpd, httpd-devel, httpd-manual
Daemon: /usr/sbin/httpd
Script: /etc/init.d/httpd
Ports: 80(http), 443(https)
Configuration: /etc/httpd/*, /var/www/*
Related: system-config-httpd, mod_ssl
Installing httpd service
========================
1. Install the packages
# yum install httpd* -y
2. Enable the service at boot
# chkconfig httpd on
3. Start the service
# service httpd start
4. Check that httpd is listening and serving the default page
# netstat -ntulp | grep ":80"
# links http://localhost
Configure default web site at your server
=============================
1. Edit /etc/httpd/conf/httpd.conf file and declare default site
#vim /etc/httpd/conf/httpd.conf
Example:
NameVirtualHost 192.168.8.215:80
<VirtualHost 192.168.8.215:80>
ServerAdmin root@station15.example.com
DocumentRoot /var/www/html/
ServerName station15.example.com
</VirtualHost>
2. Create default page for your site
#vim /var/www/html/index.html
3. Restart the service
#service httpd restart
Configuring virtual hosting
===========================
Three kinds are covered below:
1. Port based virtual hosting
2. IP based virtual hosting
3. Name based virtual hosting
Port based virtual hosting
==========================
1. Add a Listen directive for the extra port (in httpd.conf, next to the existing Listen 80)
Listen 8080
2. Create the virtual host entry at the bottom of httpd.conf
# vim /etc/httpd/conf/httpd.conf
NameVirtualHost *:8080
<VirtualHost *:8080>
ServerAdmin webmaster@station13.example.com
DocumentRoot /var/www/employee
ServerName station13.example.com
</VirtualHost>
3. Restart the httpd service
# service httpd restart
Name based virtual hosting
==========================
1. Create the virtual host entry at the bottom of httpd.conf. Apache 2.2 needs
a NameVirtualHost directive for the address/port; without it every name-based
host after the first is ignored and the first one answers for all names
# vim /etc/httpd/conf/httpd.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin webmaster@www13.example.com
DocumentRoot /var/www/www13
ServerName www13.example.com
</VirtualHost>
2. Restart the httpd service
# service httpd restart
Note: the first <VirtualHost> for *:80 is the default; a request whose Host
header matches no ServerName or ServerAlias is served by it.
IP based virtual hosting
========================
1. Create the virtual host entry at the bottom of httpd.conf. The address must
be configured on an interface of the server (for example an eth0:1 alias);
NameVirtualHost is not needed, because the host is selected by the address the
client connected to, not by the Host header
# vim /etc/httpd/conf/httpd.conf
<VirtualHost 192.168.8.254:80>
ServerAdmin webmaster@www13.example.com
DocumentRoot /var/www/info
ServerName info.example.com
</VirtualHost>
2. Restart the httpd service
# service httpd restart
Restricting user access
=======================
1. Enable per-directory overrides in httpd.conf so that a .htaccess file may
carry the authentication directives (the <Directory> path must be the
DocumentRoot of the site, otherwise the .htaccess is ignored)
# vim /etc/httpd/conf/httpd.conf
Example
<VirtualHost *:80>
ServerAdmin root@www2.example.com
DocumentRoot /var/www/site3
ServerName www2.example.com
DirectoryIndex index.html
<Directory /var/www/site3>
Options FollowSymLinks
AllowOverride AuthConfig
</Directory>
</VirtualHost>
2. Create a .htaccess file in the document root
# vim /var/www/site3/.htaccess
AuthName "restricted user"
AuthType Basic
AuthUserFile /etc/httpd/conf/vir.passwd
require valid-user
3. Add users to vir.passwd. Use -c only for the first user (it creates the
file, and truncates it if it already exists); -m stores MD5 hashes instead of
the 8-character crypt() default
# htpasswd -mc /etc/httpd/conf/vir.passwd admin
# htpasswd -m /etc/httpd/conf/vir.passwd anis
4. Let apache (and only apache) read vir.passwd, and keep it outside every DocumentRoot
# chown root:apache /etc/httpd/conf/vir.passwd
# chmod 640 /etc/httpd/conf/vir.passwd
5. Restart the service
# service httpd restart
Note: Basic authentication sends the password base64-encoded, not encrypted;
use it only under the https virtual host.
Restricting Network access
==========================
Apache 2.2 evaluates all Allow lines and all Deny lines; Order says which wins
when a client matches both and what the default is when it matches neither
(allow,deny defaults to deny; deny,allow defaults to allow). To admit only
192.168.8.0/24 (the trailing dot matters: "192.168.8." is a partial address,
"192.168.8" alone would also match 192.168.80.x):
<Directory "/var/www/cgi-bin">
Order deny,allow
Deny from all
Allow from 192.168.8.
</Directory>
With "Order allow,deny" and "Deny from all", as this is often written, every
client matches the Deny line and the Deny wins, so nobody is admitted.
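An added example, not from the RHL-253 notes and not Apache code: a shell model of the Order/Allow/Deny decision above, run over a LAN client, an outside client and a client whose address merely begins with "192.168.8", so the difference between the two orderings and the effect of the trailing dot can be seen without restarting httpd. The model covers the spec forms the notes use (all, a full IPv4 address, a partial address ending in a dot).

```shell
#!/bin/sh
# Added example (not from the RHL-253 notes, not Apache code): a model of how
# Apache 2.2's Order / Allow from / Deny from decide a request, used to show
# why "Order allow,deny" plus "Deny from all" admits nobody. Supports the spec
# forms "all", a full IPv4 address and a partial address ending in a dot.

# host_matches SPEC IP: true if "Allow/Deny from SPEC" matches IP
host_matches() {
    case $1 in
        all) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;   # partial address: prefix up to a dot
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# any_match "SPEC SPEC ..." IP: true if any spec in the space-separated list matches
any_match() {
    for s in $1; do host_matches "$s" "$2" && return 0; done
    return 1
}

# apache_access ORDER "ALLOW SPECS" "DENY SPECS" IP: prints allow or deny.
# Apache evaluates every Allow line and every Deny line; ORDER says which
# wins when both match and what the default is when neither matches.
apache_access() {
    order=$1; ip=$4
    if any_match "$2" "$ip"; then a=1; else a=0; fi
    if any_match "$3" "$ip"; then d=1; else d=0; fi
    case $order in
        allow,deny)   # default deny; a matching Deny overrides a matching Allow
            if [ $a -eq 1 ] && [ $d -eq 0 ]; then echo allow; return 0; fi ;;
        deny,allow)   # default allow; a matching Allow overrides a matching Deny
            if [ $d -eq 0 ] || [ $a -eq 1 ]; then echo allow; return 0; fi ;;
        *) echo "unknown Order: $order" >&2; return 2 ;;
    esac
    echo deny
    return 1
}

# The snippet as often written, then the corrected one, for a LAN client, an
# outside client, and a client whose address merely starts with "192.168.8".
for ip in 192.168.8.5 10.0.0.1 192.168.80.1; do
    printf '%-14s allow,deny / Allow LAN / Deny all -> %s\n' "$ip" \
        "$(apache_access allow,deny '192.168.8.' all "$ip")"
    printf '%-14s deny,allow / Deny all / Allow LAN -> %s\n' "$ip" \
        "$(apache_access deny,allow '192.168.8.' all "$ip")"
done
```

The first form denies even 192.168.8.5; the corrected form admits it, refuses 10.0.0.1, and refuses 192.168.80.1 only because the spec ends in a dot.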
Configuring https server
========================
1. Install mod_ssl (the package also generates a self-signed certificate,
/etc/pki/tls/certs/localhost.crt, and its key, /etc/pki/tls/private/localhost.key)
# yum install mod_ssl -y
2. Edit /etc/httpd/conf.d/ssl.conf. It already contains a
<VirtualHost _default_:443> block with SSLEngine on and the certificate
directives; set ServerName and DocumentRoot inside that block rather than
adding a second block without them
# vim /etc/httpd/conf.d/ssl.conf
Example
<VirtualHost _default_:443>
ServerAdmin root@station2.example.com
DocumentRoot /var/www/html
ServerName station2.example.com
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
3. Restart httpd service
# service httpd restart
Note: the self-signed certificate produces a browser warning; replace it with
one issued by a CA the clients trust. The RHEL 5 httpd has no SNI support, so
every name-based virtual host on port 443 presents the same certificate.
****************************************************************************
Proxy server (Squid)
****************************************************************************
Service Profile: Squid
================
Type: System V-managed service
Package: squid
Daemon: /usr/sbin/squid
Script: /etc/init.d/squid
Ports: 3128(squid), (configurable)
Configuration: /etc/squid/*
1. Installing squid
# yum install squid
2. Enable the service at boot
# chkconfig squid on
3. Configuring squid
# vim /etc/squid/squid.conf
@ Define the port for the proxy service: find http_port
http_port 8080
@ Tell squid its host name: find visible_hostname (must match /etc/hosts or DNS)
visible_hostname server5
@ Configure the memory cache size: find cache_mem
cache_mem 64 MB
@ Configure the object size limits
maximum_object_size 10000 KB
maximum_object_size_in_memory 16 KB
@ Configure the on-disk cache directory (ufs format, 5000 MB, 16 first-level and 256 second-level subdirectories)
cache_dir ufs /cache 5000 16 256
Note: the directory must belong to the squid user before squid -z creates the cache structure
# chown -R squid:squid /cache
# chmod -R 750 /cache
@ Define the log paths. Squid 2.6 (RHEL 5) names the directives access_log and
cache_log; the package default is /var/log/squid, which the squid user can
write to and logrotate already handles
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
ACL
@ Define rules for source subnets (give the mask; without it squid treats the
address as a single host)
acl mynet src 192.168.9.0/24
acl badnet src 192.168.11.0/24
@ Define a rule for a source domain (srcdomain reverse-resolves the client
address, so it is only as trustworthy as the PTR records)
acl mynet2 srcdomain .example.com
@ Define a rule for an individual host
acl rubel src 192.168.9.15
@ Define a rule for a destination domain (a leading dot matches the domain
itself and all of its subdomains)
acl baddomain dstdomain .pornsite.com
Note: Squid can also read lists of web sites and/or domains for ACLs from
files. In this example two lists are kept in /usr/local/etc/allowed-sites.squid
and /usr/local/etc/restricted-sites.squid, one domain per line.
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
# vim /usr/local/etc/allowed-sites.squid
# File: /usr/local/etc/allowed-sites.squid
www.openfree.org
linuxhomenetworking.com
# vim /usr/local/etc/restricted-sites.squid
# File: /usr/local/etc/restricted-sites.squid
www.porn.com
illegal.com
@ Define time based rules: S=Sunday, M=Monday, T=Tuesday, W=Wednesday, H=Thursday, F=Friday, A=Saturday
acl working_time time MTWHF 09:00-17:00
@ Define port rules
acl safe_ports port 80 21 443 563 70 210 1025-65535
acl dangerous_ports port 7 9 19 22 23 25 53 109 110 119
Allow/Deny
http_access lines are tested in order and the first line whose ACLs all match
decides; ACLs on one line are ANDed and "!" negates one. If no line matches,
squid applies the opposite of the last line, so always finish the list with an
explicit deny (acl all src 0.0.0.0/0.0.0.0 is predefined in the stock
squid.conf).
http_access deny !safe_ports
http_access deny dangerous_ports
http_access deny badnet
http_access deny rubel
http_access deny baddomain
http_access deny mynet2 working_time
http_access allow mynet working_time
http_access deny all
4. Enable the service at boot, create the cache directories and start the service
# chkconfig squid on
# squid -z
# service squid start
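An added example, not from the RHL-253 notes and not Squid code: a shell model of the http_access evaluation described in the ACL section (first match wins, ACLs on one line are ANDed, "!" negates, and an unmatched request gets the opposite of the last line). It reads a constructed squid.conf fragment with the corrected ACLs from above and a second fragment that stops after two deny lines, to show how a missing "deny all" turns the proxy into an open one. Only the acl types src, dstdomain and port are modelled.

```shell
#!/bin/sh
# Added example (not from the RHL-253 notes, not Squid code): a small model of
# squid's http_access evaluation, written to show first-match semantics, ACL
# ANDing on one line, "!" negation and the default applied when nothing
# matches. Understands acl types src (address or CIDR), dstdomain and port.
# Both squid.conf fragments below are constructed for this demo.
conf=$(mktemp); conf_open=$(mktemp)
trap 'rm -f "$conf" "$conf_open"' EXIT
cat > "$conf" <<'EOF'
acl all src 0.0.0.0/0
acl mynet src 192.168.9.0/24
acl badnet src 192.168.11.0/24
acl rubel src 192.168.9.15
acl baddomain dstdomain .pornsite.com
acl safe_ports port 80 21 443 563 70 210 1025-65535
http_access deny !safe_ports
http_access deny badnet
http_access deny rubel
http_access deny baddomain
http_access allow mynet
http_access deny all
EOF
# An "only deny the bad guys" list with no closing rule: the footgun.
cat > "$conf_open" <<'EOF'
acl badnet src 192.168.11.0/24
acl rubel src 192.168.9.15
http_access deny badnet
http_access deny rubel
EOF

# squid_decide CONF SRC_IP DST_HOST DST_PORT: prints allow or deny
squid_decide() {
    awk -v src="$2" -v host="$3" -v port="$4" '
    function ip2n(s,  p) { split(s, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    # acl_hit NAME: 1 if any value of the named acl matches the request
    function acl_hit(name,  i, v, n, bits, r, slash) {
        for (i = 1; i <= nval[name]; i++) {
            v = val[name, i]
            if (atype[name] == "src") {
                bits = 32; n = v; slash = index(v, "/")
                if (slash) { bits = substr(v, slash + 1); n = substr(v, 1, slash - 1) }
                if (int(ip2n(src) / 2^(32 - bits)) == int(ip2n(n) / 2^(32 - bits))) return 1
            } else if (atype[name] == "dstdomain") {
                if (substr(v, 1, 1) == ".") {   # ".example.com": the domain and its subdomains
                    if (host == substr(v, 2) || substr(host, length(host) - length(v) + 1) == v) return 1
                } else if (host == v) return 1
            } else if (atype[name] == "port") {
                if (index(v, "-")) { split(v, r, "-"); if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) return 1 }
                else if (port + 0 == v + 0) return 1
            }
        }
        return 0
    }
    $1 == "acl" { atype[$2] = $3; for (i = 4; i <= NF; i++) val[$2, ++nval[$2]] = $i }
    $1 == "http_access" {
        last = $2; ok = 1
        for (i = 3; i <= NF; i++) {            # every acl on the line must match (AND)
            name = $i; neg = 0
            if (substr(name, 1, 1) == "!") { neg = 1; name = substr(name, 2) }
            if (acl_hit(name) == neg) { ok = 0; break }
        }
        if (ok && !decided) { decided = 1; result = $2 }   # first match wins
    }
    END {
        # no line matched: squid applies the opposite of the last http_access line
        if (!decided) result = (last == "allow") ? "deny" : "allow"
        print result
    }' "$1"
}

for req in "192.168.9.20 www.example.com 80" "192.168.9.15 www.example.com 80" \
           "192.168.9.20 pornsite.com 80"    "192.168.9.20 www.example.com 25" \
           "10.0.0.5 www.example.com 80"; do
    set -- $req
    printf '%-13s %-16s %-4s closed list: %-5s open-ended list: %s\n' "$1" "$2" "$3" \
        "$(squid_decide "$conf" "$1" "$2" "$3")" "$(squid_decide "$conf_open" "$1" "$2" "$3")"
done
```

The outside host 10.0.0.5 is refused by the closed list but admitted by the open-ended one, because its last line is a deny and nothing matched; that is the open-proxy result a missing "http_access deny all" produces.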
To Test Proxy Server
====================
Point a client at the proxy (server5, port 8080) and watch /var/log/squid/access.log:
For Linux: Firefox > Edit > Preferences > Network > Settings > Manual proxy configuration
For Windows: Internet Explorer > Tools > Internet Options > Connections > LAN settings > Proxy server
Password Authentication NCSA
============================
@ Create the password file, /etc/squid/squid_passwd. The helper runs as the
squid user, so that user must be able to read it; it does not need to be
world-readable
# touch /etc/squid/squid_passwd
# chown root:squid /etc/squid/squid_passwd
# chmod 640 /etc/squid/squid_passwd
@ Add user entries to the password file (the same file name as above)
# htpasswd /etc/squid/squid_passwd shahee
# htpasswd /etc/squid/squid_passwd oni
@ Find the ncsa_auth helper with the locate command
# locate ncsa_auth
/usr/lib/squid/ncsa_auth
@ Edit squid.conf. Define the authentication program (here ncsa_auth) in the
auth_param section, create an ACL named ncsa_users of type proxy_auth with the
REQUIRED keyword, which makes squid demand credentials through the auth_param
method defined above, and add an http_access line that allows traffic matching
the ncsa_users ACL. The order of the statements matters: the allow line must
come before any line that would match the same clients, and a closing deny all
must follow it.
# vim /etc/squid/squid.conf
# Add this to the auth_param section of squid.conf
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
# Add this to the bottom of the ACL section of squid.conf
acl ncsa_users proxy_auth REQUIRED
# Add this at the top of the http_access section of squid.conf
http_access allow ncsa_users
http_access deny all
@ To require a password and allow access only during business hours, add a
time ACL and name both ACLs on the same http_access line (ACLs on one line are
ANDed). Once again the order of the statements is important:
# vim /etc/squid/squid.conf
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
acl ncsa_users proxy_auth REQUIRED
acl business_hours time MTWHF 09:00-17:00
http_access allow ncsa_users business_hours
http_access deny all
Note: basic authentication sends the password base64-encoded with every
request, readable by anyone on the path between client and proxy.
*************************Transparent Proxy **********************************
@ Configure squid to work as a transparent proxy (squid before 2.6)
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
@ Configure squid to work as a transparent proxy (squid 2.6 and later, as shipped with RHEL 5)
http_port 3128 transparent
@ Configure iptables for the transparent proxy
If the squid server and the firewall are the same machine, all HTTP traffic
from the LAN is redirected to the firewall itself on the squid port 3128, and
only the firewall is then allowed to reach the Internet on port 80. Here eth0
is connected to the Internet and eth1 to the LAN.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i eth1 -p tcp --dport 3128
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp --dport 80
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp --sport 80
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -o eth1 -p tcp --sport 80
Note: only port 80 is intercepted; HTTPS (443) bypasses the proxy unless it is
blocked or routed separately, and intercepted clients cannot be asked for
proxy credentials, so the NCSA authentication above does not apply to them.
****************************************************************************
Sendmail
****************************************************************************
Service Profile: Sendmail
==================
Type: System V-managed service
Packages: sendmail, sendmail-cf, sendmail-doc
Daemon: /usr/sbin/sendmail
Script: /etc/init.d/sendmail
Port: 25 (smtp)
Configuration: /etc/mail/sendmail.mc, /etc/aliases, and others
Related: procmail(MDA), spamassassin, tcp_wrappers, sendmail-doc
Install and configure sendmail
==============================
1. Install the sendmail packages (sendmail-cf provides the m4 macros)
# yum install sendmail sendmail-cf
2. Check the hostname and the /etc/hosts entry, and dig the hostname
3. Add the domains sendmail should accept mail for to /etc/mail/local-host-names
example.com
station2.example.com
4. Edit sendmail.mc so that sendmail listens on the physical interface and not
only on the loopback (disable the line with a leading dnl)
# vim /etc/mail/sendmail.mc
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
LOCAL_DOMAIN(`station2.example.com')dnl
5. Build sendmail.cf from sendmail.mc with m4 (make -C /etc/mail does this and also rebuilds the .db maps)
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# make -C /etc/mail
6. Enable and start the sendmail service
# chkconfig sendmail on
# service sendmail start
7. Check whether sendmail is listening, and which version and options it was built with
# netstat -ntulp | grep :25
# sendmail -d0 < /dev/null
Configure relay restriction
===========================
The access map decides which hosts may connect, send or relay. Once the daemon
listens on a public interface, a missing or permissive map turns the host into
an open relay. Tags are written without a space before the value.
# vim /etc/mail/access
From:90trialspammer@aol.com      REJECT
Connect:spamRus.net              REJECT
Connect:10.3                     OK
From:virtualdomain1.com          RELAY
To:user@dom9.com                 ERROR:"550 mail discarded"
To:nobody@                       ERROR:"550 BAD NAME"
Rebuild the map after every edit (sendmail reads access.db, not the text file):
# makemap hash /etc/mail/access.db < /etc/mail/access
OK on a Connect: entry only accepts the connection, overriding other
rejections; it does not permit relaying, which needs RELAY. Granting RELAY by
From: is weak because the envelope sender is trivially forged; relaying by
Connect: address is the safer choice.
***************************************************************************
Dovecot
****************************************************************************
Service Profile: Dovecot
==================
Type: System V-managed service
Package: dovecot
Daemon: /usr/sbin/dovecot
Script: /etc/init.d/dovecot
Port: 110 (pop3), 995 (pop3s), 143 (imap), 993 (imaps)
Configuration: /etc/dovecot.conf
Related: procmail, fetchmail, openssl
Installing and configuring dovecot
==================================
# yum install dovecot
# vim /etc/dovecot.conf
protocols = imap imaps pop3 pop3s
# chkconfig dovecot on
# service dovecot start
# netstat -ntulp | grep dovecot
Note: the RHEL 5 dovecot package installs a self-signed certificate for the
imaps/pop3s listeners. The sessions below log in over the cleartext ports 110
and 143, which is fine for a test on a lab network but exposes the password to
anyone on the path; test the TLS ports instead with
openssl s_client -connect 192.168.7.203:995 (or :993), and set
disable_plaintext_auth = yes so that cleartext logins are refused except from
localhost.
Testing POP3
============
[root@server1 ~]# telnet 192.168.7.203 110
Trying 192.168.7.203...
Connected to station3.example.com (192.168.7.203).
Escape character is '^]'.
+OK Dovecot ready.
user susan
+OK
pass redhat
+OK Logged in.
list
+OK 1 messages:
1 421
.
retr 1
+OK 421 octets
Return-Path: <azad@example.com>
Received: from example.com (server1.example.com [192.168.7.254])
by station39.example.com (8.13.8/8.13.8) with SMTP id oASA2SuH003486
for susan@example.com; Sun, 28 Nov 2010 16:03:55 +0600
Date: Sun, 28 Nov 2010 16:02:28 +0600
From: azad@example.com
Message-Id: <201011281003.oASA2SuH003486@station39.example.com>
hi susan.
I am in bangladesh
you r most welcome at our land.
.
dele 1
+OK Marked to be deleted.
quit
+OK Logging out, messages deleted.
Connection closed by foreign host.
Testing IMAP
=============
[root@server1 ~]# telnet 192.168.7.203 143
Trying 192.168.7.203...
Connected to station3.example.com (192.168.7.203).
Escape character is '^]'.
* OK Dovecot ready.
a1 LOGIN azad redhat
a1 OK Logged in.
a2 LIST "" "*"
* LIST (\NoInferiors \Marked) "/" "INBOX"
a2 OK List completed.
a3 examine inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS ()] Read-only mailbox.
* 1 EXISTS
* 1 RECENT
* OK [UNSEEN 1] First unseen.
* OK [UIDVALIDITY 1290940448] UIDs valid
* OK [UIDNEXT 2] Predicted next UID
a3 OK [READ-ONLY] Select completed.
a4 fetch 1 body[]
* 1 FETCH (BODY[] {392}
Return-Path: <susan@example.com>
Received: from example.com (server1.example.com [192.168.7.254])
by station39.example.com (8.13.8/8.13.8) with SMTP id oASAIKEg003691
for azad@example.com; Sun, 28 Nov 2010 16:19:03 +0600
Date: Sun, 28 Nov 2010 16:18:20 +0600
From: susan@example.com
Message-Id: <201011281019.oASAIKEg003691@station39.example.com>
I am comming soon
so dont wory!
)
a4 OK Fetch completed.
a5 logout
* BYE Logging out
a5 OK Logout completed.
Connection closed by foreign host.
***************************************************************************
DNS
****************************************************************************
Service Profile: DNS
================
Type: System V-managed service
Packages: bind, bind-utils, bind-chroot
Daemons: /usr/sbin/named, /usr/sbin/rndc
Script: /etc/init.d/named
Ports: 53 (domain), 953 (rndc)
Configuration: (Under /var/named/chroot/) /etc/named.conf, /var/named/*, /etc/rndc.key
Related: caching-nameserver, openssl
Resolver
The resolver is configured by three files:
1. /etc/hosts
2. /etc/nsswitch.conf (the hosts: line sets the lookup order, e.g. files dns)
3. /etc/resolv.conf (nameserver and search entries)
Using dig to query a DNS server
Query a particular server instead of those listed in /etc/resolv.conf
# dig @server_name fqdn
# dig @192.168.8.254 server1.example.com
# dig +trace yahoo.com
Forward lookup query
# dig fqdn
# dig station3.example.com
Reverse lookup query
# dig -x ip_address
# dig -x 192.168.8.203
Resolving by record type
# dig -t mx example.com
To view the whole zone by requesting a zone transfer (works only if the
server's allow-transfer permits your address; a server that answers this to
anyone hands out its complete host list)
# dig -t axfr example.com @192.168.8.254
Using host to resolve names
Forward lookup query
# host server1.example.com
Reverse lookup query
# host 192.168.8.254
Resolving by record type
# host -t soa example.com
Configuring Bind
1.Install package
a.bind
b.bind-chroot
c.caching-nameserver
#yum install bind bind-chroot caching-nameserver -y
Caching only name server
========================
*Note: If only the bind and caching-nameserver packages are installed:
DNS configuration file /etc/named.conf
Zone files /var/named/example.com.fz
If bind, bind-chroot and caching-nameserver are installed:
DNS configuration file /var/named/chroot/etc/named.conf
Zone files /var/named/chroot/var/named/example.com.fz
(with bind-chroot, named runs chrooted to /var/named/chroot, so a compromised
named can only reach files under that tree)
1. Check whether the packages are installed
# rpm -qa | grep bind
# rpm -qa | grep caching-nameserver
2. Copy named.caching-nameserver.conf to named.conf (in /var/named/chroot/etc)
# cd /var/named/chroot/etc
# cp named.caching-nameserver.conf named.conf
3. Edit named.conf
# vim named.conf
a. listen-on port 53 (add the address of your interface)
listen-on port 53 { 127.0.0.1; 192.168.8.203; };
b. allow-query (add your network's subnet, and give allow-recursion the same
list: recursion should be offered only to your own clients, because an open
recursive server is abused for amplification attacks)
allow-query { localhost; 192.168.8.0/24; };
c. Add forwarders pointing to the ISP's DNS server
forwarders { 192.168.8.254; };
d. Comment out the logging block, and either comment out the localhost_resolver
view wrapper (keeping the include of named.rfc1912.zones) or add your subnet to
its match-clients and match-destinations lists; as shipped, that view answers
only queries from localhost
4. Make the named group owner of named.conf
# chgrp named named.conf
5. Start the service
# service named start
6. Check that the service is working
# netstat -ntulp | grep named
# netstat -ntulp | grep :53
# dig @127.0.0.1 www.yahoo.com
#Configuring Master Name server (forward lookup zone)#
=====================================================
1. Edit named.conf and make an entry for your zone
# vim /var/named/chroot/etc/named.conf
Example:
zone "zone_name" IN {
type master;
file "zone_file_name";
};
2. Create the zone file under /var/named/chroot/var/named, starting from the localdomain.zone template
# cd /var/named/chroot/var/named
# cp localdomain.zone zone_file_name
3. Edit the zone file you created (SOA, NS, A and MX records); raise the SOA
serial every time the file changes, or slaves will not pick up the change
# vim zone_file_name
4. Make the named group owner of the zone file
# chgrp named zone_file_name
5. Restart the named service
# service named restart
#Configuring Primary DNS (Reverse lookup zone)#
==============================================
1. Edit named.conf and make an entry for your reverse zone (the network octets
written in reverse order under in-addr.arpa)
# vim /var/named/chroot/etc/named.conf
Example:
zone "0.0.127.in-addr.arpa" IN {
type master;
file "rana.personal.rz";
};
2. Create the zone file under /var/named/chroot/var/named, starting from the
named.local template (the reverse zone for 127.0.0, which carries PTR records
rather than A records)
# cd /var/named/chroot/var/named
# cp named.local zone_file_name
3. Edit the zone file you created
# vim zone_file_name
4. Make the named group owner of the zone file
# chgrp named zone_file_name
5. Restart the named service
# service named restart
#Configuring Slave name server (forward lookup zone)#
====================================================
1. On the master, permit zone transfers to the slave only. Without
allow-transfer, BIND 9.3 transfers the zone to anyone who asks, which gives
away your complete host inventory
zone "zone_name" IN {
type master;
file "zone_file_name";
allow-transfer { 192.168.8.254; };
};
2. In the master's zone file (not named.conf) add NS and A records for the
slave, and increase the SOA serial so the change propagates
# vim zone_file_name
@	IN	NS	server1
server1	IN	A	192.168.8.254
3. Install the name service on the slave server.
4. Create the zone entry in the slave's named.conf (the slave writes the
transferred zone into the slaves/ directory, which is owned by named)
# vim /var/named/chroot/etc/named.conf
Example:
zone "anis.personal" IN {
type slave;
file "slaves/anis.personal.fz";
masters { 192.168.8.202; };
};
5. Restart the service
# service named restart
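The serial increase that steps 3 (master zone file) and 2 (NS record for the slave) above depend on, as an added shell example that is not part of the RHL-253 notes or of BIND: it reads the SOA serial out of a zone file, computes the next value and rewrites the file in place. The zone file is a constructed sample in the layout of the localdomain.zone template; the YYYYMMDDnn serial convention is an assumption about local practice, not something the notes prescribe.

```shell
#!/bin/sh
# Added example (not from the RHL-253 notes, not part of BIND): bump the SOA
# serial of a zone file so that a slave notices the change. The zone below is
# a constructed sample in the layout of the RHEL 5 localdomain.zone template;
# the serial convention YYYYMMDDnn is an assumption about local practice.
zone=$(mktemp)
trap 'rm -f "$zone"' EXIT
cat > "$zone" <<'EOF'
$TTL	86400
@	IN	SOA	server1.example.com. root.example.com. (
			42		; serial
			3H		; refresh
			15M		; retry
			1W		; expiry
			1D )		; minimum
@	IN	NS	server1
server1	IN	A	192.168.8.254
EOF

# zone_serial FILE: the first all-digit token after the SOA keyword
zone_serial() {
    awk '/[ \t]SOA[ \t]/ { insoa = 1 }
         insoa { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}

# next_serial CURRENT TODAY: smallest YYYYMMDDnn-style value greater than CURRENT.
# Slaves compare serials numerically, so the new value must be larger: today's
# date with nn=00 if that is larger, otherwise CURRENT+1 (a second edit the
# same day, or a serial already in the future because of a wrong clock).
next_serial() {
    cand="${2}00"
    if [ "$cand" -gt "$1" ]; then printf '%s\n' "$cand"; else printf '%s\n' $(($1 + 1)); fi
}

# bump_zone_serial FILE TODAY: rewrite the serial in place and print the new
# value (awk re-joins the edited line with single spaces; the rest is untouched)
bump_zone_serial() {
    new=$(next_serial "$(zone_serial "$1")" "$2")
    awk -v new="$new" '
        /[ \t]SOA[ \t]/ { insoa = 1 }
        insoa && !done { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { $i = new; done = 1; break } }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    printf '%s\n' "$new"
}

bump_zone_serial "$zone" 20101128   # template serial 42 -> 2010112800
bump_zone_serial "$zone" 20101128   # second edit the same day -> 2010112801
```

Run it after every zone edit and before the restart; a slave that was told about server1 in step 2 only fetches the new records once the serial it sees on the master is higher than the one it holds.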
****************************************************************************
DHCP
****************************************************************************
Service Profile: DHCP
================
Type: System V-managed service
Package: dhcp
Daemon: /usr/sbin/dhcpd
Script: /etc/init.d/dhcpd
Ports: 67 (bootps), 68 (bootpc)
Configuration: /etc/dhcpd.conf, /var/lib/dhcpd/dhcpd.leases
Related: dhclient, dhcpv6_client, dhcpv6
****************************************************************************
Postfix
****************************************************************************
Service Profile: Postfix
=================
Type: System V-managed service
Package: postfix
Daemons: /usr/libexec/postfix/master and others
Script: /etc/init.d/postfix
Port: 25(smtp)
Configuration: /etc/postfix/main.cf and others
Related: procmail
****************************************************************************
SSH
****************************************************************************