Professional Documents
Culture Documents
Acknowledgement
Some portions of this reference documentation has been derived from various
sources including the HOWTO's, Guides from the Linux Documentation Project , Man
& Info pages, FAQ's and technical articles from several other sources on the World
Wide Web. We are thankful to and do hereby sincerely acknowledge the creators of
these documents.
This courseware is given free of cost as a reference material covering the topics
dealt with during the training programme(s) and on a few topics even going beyond
so as to provide an insight to the participants. It is precisely for internal circulation
only and is not intended for sale anywhere.
P Narasimhan
No Warranty Clause
The authors disclaim all warranties with regard to this document and the
configurations covered thereto, including all implied warranties of merchantability
and fitness for a certain purpose. In no even shall the authors be liable for any
special, indirect or consequential damages or any damage whatsoever resulting
from loss of data, or profits whether in action of contract, negligence or other
tortuous action, arising out of or in connection with the http://www.vvi.edu.in/use
of this document or any of the software mentioned therein.
TABLE
OF
CONTENTS
P Narasimhan
P Narasimhan
Chapter- 1
CHAPTER - 3
: A P P L I C ATI O N M A N A G E M E N T
THROUGH YUM
The packages in the above output are listed as having updates available. The first
package in the list is PackageKit, the graphical package manager. The line in the
output tells us:
P Narasimhan
- set global Yum options by editing the [main] section of the /etc/yum.conf
configuration file;
this
URL
is
an
HTTP
link,
such
as:
baseurl=http://path/to/repo/releases/$releasever/server/$basearch/os/
Yum always expands the $releasever, $arch and $basearch variables in URLs. See the
following section for explanations of all Yum variables: Section 5.3.3, Using Yum
Variables.
example,
if
repository
on
PackageKit
Red Hat provides PackageKit for viewing, managing, updating, installing and uninstalling
packages compatible with your system. PackageKit consists of several graphical
interfaces that can be opened from the GNOME panel menu, or from the Notification
Area when PackageKit alerts you that updates are available.
Updating Packages with Software Update
PackageKit displays a starburst icon in the Notification Area whenever updates are
available to be installed on your system. Clicking on the notification icon opens the
Software Update window. Alternatively, you can open Software Updates by clicking
System Administration Software Update from the GNOME panel, or running the gpkupdate-viewer command at the shell prompt. In the Software Updates window, all
available updates are listed along with the names of the packages being updated (minus
the .rpm suffix, but including the CPU architecture), a short summary of the package,
and, usually, short descriptions of the changes the update provides. Any updates you do
not wish to install can be de-selected here by unchecking the checkbox corresponding to
the update.
P Narasimhan
Sometimes it is necessary or useful to monitor network traffic on your computer. You can
monitor all the connections going in and out of your computer.
Netstat is a common command line TCP/IP networking utility available in most versions
of Windows, Linux, UNIX and other operating systems. Netstat provides information and
statistics about protocols in use and current TCP/IP network connections. (The name
derives from the words network and statistics.)
Using netstat you can monitor every connection going in and out of your computer. This
monitors all major protocols including tcp and udp, and every port. netstat is a standard
Unix program, so it is likely installed.
netstat also displays unix connections are fairly useless. To display only tcp and udp
connection.
- Execute: netstat -t -u
- For displaying continuously
- Execute: netstat -t -u -c
P Narasimhan
To display routing table a system use the parameter "-r" as shown below :
#netstat -r
To view the network statistics of the system use the following command
#netstat -s
Many people type netstat -a | grep -i LISTEN, but netstat -l will do the same: filter
the output to show sockets in the LISTEN state only. Very useful to quickly see what is
being served in your box. You can combine this with -u to only show UDP connections
or -t to restrict the output to TCP connections only.
P Narasimhan
# netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address
tcp
0
0 0.0.0.0:111
tcp
0
0 0.0.0.0:22
tcp
0
0 0.0.0.0:631
tcp
0
0 0.0.0.0:17500
...
Active UNIX domain sockets (only servers)
Proto RefCnt Flags
Type
State
unix 2
[ ACC ]
STREAM
LISTENING
/home/saml/.dropbox/command_socket
unix 2
[ ACC ]
STREAM
LISTENING
...
Foreign Address
0.0.0.0:*
0.0.0.0:*
0.0.0.0:*
0.0.0.0:*
I-Node Path
101544
101549 /home/saml/.dro
P Narasimhan
With -p, netstat shows what program/pid is using a given socket. Very handy to find
out whos listening on a port or holding a connection open. A personal favorite of mine is
netstat -lput, which displays all TCP and UDP sockets in the LISTEN state, plus the
name and pid of the program listening on that socket.
P Narasimhan
# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address
tcp
0
0 0.0.0.0:111
tcp
0
0 0.0.0.0:22
tcp
0
0 0.0.0.0:631
tcp
0
0 0.0.0.0:17500
tcp
0
0 127.0.0.1:2143
...
Active UNIX domain sockets (only servers)
Proto RefCnt Flags
Type
State
unix 2
[ ACC ]
STREAM
LISTENING
/home/saml/.dropbox/command_socket
unix 2
[ ACC ]
STREAM
LISTENING
unix 2
[ ACC ]
STREAM
LISTENING
Foreign Address
0.0.0.0:*
0.0.0.0:*
0.0.0.0:*
0.0.0.0:*
0.0.0.0:*
State
LISTEN
LISTEN
LISTEN
LISTEN
LISTEN
Path
101549 4185/dropbox
11051 -
/home/sam
P Narasimhan
P Narasimhan
# netstat -tulnp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address
Foreign Address
tcp
0
0 0.0.0.0:17500
0.0.0.0:*
tcp
0
0 127.0.0.1:2143
0.0.0.0:*
tcp
0
0 127.0.0.1:1986
0.0.0.0:*
tcp
0
0 127.0.0.1:2025
0.0.0.0:*
tcp
0
0 ::1:2143
:::*
tcp
0
0 ::1:2025
:::*
...
udp
0
0 0.0.0.0:111
0.0.0.0:*
udp
0
0 0.0.0.0:631
0.0.0.0:*
udp
0
0 0.0.0.0:727
0.0.0.0:*
udp
0
0 0.0.0.0:836
0.0.0.0:*
udp
0
0 0.0.0.0:17500
0.0.0.0:*
...
State
LISTEN
LISTEN
LISTEN
LISTEN
LISTEN
LISTEN
P Narasimhan
P Narasimhan
One of the very first steps in any network reconnaissance mission is to reduce a
(sometimes huge) set of IP ranges into a list of active or interesting hosts. Scanning
every port of every single IP address is slow and usually unnecessary. Of course what
makes a host interesting depends greatly on the scan purposes. Network administrators
may only be interested in hosts running a certain service, while security auditors may
care about every single device with an IP address. An administrator may be comfortable
using just an ICMP ping to locate hosts on his internal network, while an external
penetration tester may use a diverse set of dozens of probes in an attempt to evade
firewall restrictions.
P Narasimhan
P Narasimhan
P Narasimhan
P Narasimhan
port
is
80
(configurable
at
compile
time
by
changing
Tcpdump
The tcpdump tool is a command line utility for monitoring network traffic.
cpdump prints out a description of the contents of packets on a network interface that
match the boolean expression. It can also be run with the -w flag, which causes it to
save the packet data to a file for later analysis, and/or with the -r flag, which causes it
to read from a saved packet file rather than to read packets from a network interface.
In all cases, only packets that match expression will be processed by tcpdump.
Tcpdump will, if not run with the -c flag, continue capturing packets until it is
interrupted by a SIGINT signal (generated, for example, by typing your interrupt
character, typically control-C) or a SIGTERM signal (typically generated with the kill(1)
command); if run with the -c flag, it will capture packets until it is interrupted by a
SIGINT or SIGTERM signal or the specified number of packets have been processed.
When tcpdump finishes capturing packets, it will report counts of:
P Narasimhan
P Narasimhan
P Narasimhan
[bash]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.214.64.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1 <-- ZEROCONF default IP route
0.0.0.0 10.214.64.254 0.0.0.0 UG 0 0 0 eth0
Netcraftz
P Narasimhan
The value for the "NOZEROCONF" parameter can actually be set to any value, the initscripts
only check to determine whether the parameter has zero length. So setting
"NOZEROCONF=no" will have the same effect as setting it to "yes". You will need to
comment or remove the variable to reactive ZEROCONF.
The networking service will need to be restarted before the changes will take effect.
[bash]# /etc/init.d/network restart
Checking the network routing table again will identify the ZEROCONF route has been
disabled and removed from the routing table.
[bash]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.214.64.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 10.214.64.254 0.0.0.0 UG 0 0 0 eth0
Netcraftz
P Narasimhan
C H A P T E R - 5 : AD VAN C E D N E T W O R K C O N F I G U R ATI O N
Netcraftz
P Narasimhan
P Narasimhan
32000
32
128
This is the same information seen if each of the files were viewed individually. The only
difference is the file location. For example, the /proc/sys/net/ipv4/route/min_delay
file is listed as net.ipv4.route.min_delay, with the directory slashes replaced by dots and
the proc.sys portion assumed.
The sysctl command can be used in place of echo to assign values to writable files in the
/proc/sys/ directory. For example, instead of using the command
echo 1 > /proc/sys/kernel/sysrq
use the equivalent sysctl command as follows:
sysctl -w kernel.sysrq="1"
kernel.sysrq = 1
Netcraftz
P Narasimhan
- usr/share/doc/kernel-doc-kernel_version/Documentation/filesystems/proc.txt
Contains assorted, but limited, information about all aspects of the /proc/
directory.
- /usr/share/doc/kernel-doc-kernel_version/Documentation/sysrq.txt An overview
of System Request Key options.
- /usr/share/doc/kernel-doc-kernel_version/Documentation/sysctl/ A directory
containing a variety of sysctl tips, including modifying values that concern the
kernel ( kernel.txt), accessing file systems ( fs.txt), and virtual memory use
( vm.txt).
CHAPTER- 6
Netcraftz
L I N U X F I R E WAL L C O N F I G U R ATI O N
P Narasimhan
CHAPTER- 7 :
CHAPTER- 8
Introduction to DNS
DNS (Domain Name System), also known as a nameserver, is a network system that
associates hostnames with their respective IP addresses. For users, this has the
advantage that they can refer to machines on the network by names that are usually
easier to remember than the numerical network addresses. For system administrators,
using the nameserver allows them to change the IP address for a host without ever
affecting the name-based queries, or to decide which machines handle these queries.
DNS is usually implemented using one or more centralized servers that are authoritative
for certain domains. When a client host requests information from a nameserver, it
usually connects to port 53. The nameserver then attempts to resolve the name
requested. If it does not have an authoritative answer, or does not already have the
answer cached from an earlier query, it queries other nameservers, called root
nameservers, to determine which nameservers are authoritative for the name in
question, and then queries them to get the requested name.
Nameserver Zones
Netcraftz
P Narasimhan
Nameserver Types
Netcraftz
P Narasimhan
BIND as a Nameserver
BIND consists of a set of DNS-related programs. It contains a nameserver called named,
an administration utility called rndc, and a debugging tool called dig.
Netcraftz
P Narasimhan
Netcraftz
/etc/named.conf
/etc/named/
P Narasimhan
If you have installed the bind-chroot package, the BIND service will run in the
/var/named/chroot environment. In that case, the initialization script will mount the
above configuration files using the mount --bind command, so that you can manage the
configuration outside this environment.
Common Statement Types
The following types of statements are commonly used in /etc/named.conf:
acl
The acl (Access Control List) statement allows you to define groups of hosts, so that they
can be permitted or denied access to the nameserver. It takes the following form:
acl acl-name {
match-element;
...
};
The acl-name statement name is the name of the access control list, and the matchelement option is usually an individual IP address (such as 10.0.1.1) or a CIDR (Classless
Inter-Domain Routing) network notation (for , 10.0.1.0/24).
Keyword
Description
any
localhost
localnets
none
Netcraftz
P Narasimhan
The acl statement can be especially useful in conjunction with other statements such as
options. In the described below Using acl in conjunction with options defines two
access control lists, black-hats and red-hats, and adds black-hats on the blacklist while
granting red-hats a normal access.
acl black-hats {
10.0.2.0/24;
192.168.0.0/24;
1234:5678::9abc/24;
};
acl red-hats {
10.0.1.0/24;
};
options {
blackhole { black-hats; };
allow-query { red-hats; };
allow-query-cache { red-hats; };
};
include
The include statement allows you to include files in the /etc/named.conf, so that
potentially sensitive data can be placed in a separate file with restricted permissions. It
takes the following form:
include "file-name"
The file-name statement name is an absolute path to a file.
for including a file to /etc/named.conf
include "/etc/named.rfc1912.zones";
options
The options statement allows you to define global server configuration options as well as
to set defaults for other statements. It can be used to specify the location of the named
working directory, the types of queries allowed, and much more. It takes the following
form:
options {
option;
...
};
Netcraftz
P Narasimhan
zone
The zone statement allows you to define the characteristics of a zone,
such as the location of its configuration file and zone-specific options,
and can be used to override the global options statements. It takes the
following form:
zone zone-name [zone-class] {
option;
...
};
Netcraftz
P Narasimhan
within
the
.com
zone
file.
Most
changes
to
the
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
$ORIGIN
The $ORIGIN directive allows you to append the domain name to
unqualified records, such as those with the hostname only. Note that the
use of this directive is not necessary if the zone is specified in
/etc/named.conf, since the zone name is used by default.
In the given below, Using the $ORIGIN directive, any names used in
resource records that do not end in a trailing period are appended
with .com.
$ORIGIN .com.
Netcraftz
P Narasimhan
P Narasimhan
MX
The Mail Exchange record specifies where the mail sent to a particular
namespace controlled by this zone should go. It takes the following
form:
IN MX preference-value emailserver-name
The email-server-name is a fully qualified domain name (FQDN). The
preference-value allows numerical ranking of the email servers for a
namespace, giving preference to some email systems over others. The
MX resource record with the lowest preference-value is preferred over
the others. However, multiple email servers can possess the same value
to distribute email traffic evenly among them.
In the given below, Using the MX resource record, the first mail..com
email server is preferred to the mail2..com email server when receiving
email destined for the .com domain.
.com. IN MX 10 mail..com.
IN MX 20 mail2..com.
NS
Netcraftz
P Narasimhan
PTR
The Pointer record points to another part of the namespace. It takes the
following form:
last-IP-digit IN PTR FQDN-of-system
The last-IP-digit directive is the last number in an IP address, and the
FQDN-of-system is a fully qualified domain name (FQDN). PTR records
are primarily used for reverse name resolution, as they point IP
addresses back to a particular name.
SOA
The Start of Authority record announces important authoritative
information about a namespace to the nameserver. Located after the
directives, it is the first resource record in a zone file. It takes the
following form:
@ IN SOA primary-name-server hostmaster-email (
serial-number
time-to-refresh
time-to-retry
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
Netcraftz
Seconds
Other
Time
Units
60
1M
1800
30M
3600
1H
10800
3H
21600
6H
43200
12H
86400
1D
259200
3D
604800
1W
3153600
0
365D
P Narasimhan
Comment Tags
Additionally to resource records and directives, a zone file can also contain comments.
Comments are ignored by the named service, but can prove useful when providing
additional information to the user. Any text after the semicolon character to the end of
the line is considered a comment. For :
604800 ; expire after 1 week
Usage
The following s show the basic usage of zone files.
A Simple Zone File
In the given below, A simple zone file demonstrates the use of standard directives and
SOA values.
$ORIGIN .com.
$TTL 86400
@
IN SOA dns1..com. hostmaster..com. (
2001062501 ; serial
21600
; refresh after 6 hours
3600
; retry after 1 hour
604800
; expire after 1 week
86400 )
; minimum TTL of 1 day
;
;
IN NS
dns1..com.
IN NS
dns2..com.
dns1
IN A
10.0.1.1
IN AAAA aaaa:bbbb::1
dns2
IN A
10.0.1.2
IN AAAA aaaa:bbbb::2
;
;
@
IN MX
10 mail..com.
IN MX
20 mail2..com.
mail
IN A
10.0.1.5
IN AAAA aaaa:bbbb::5
mail2
IN A
10.0.1.6
IN AAAA aaaa:bbbb::6
;
;
Netcraftz
P Narasimhan
IN CNAME services..com.
IN CNAME services..com.
Netcraftz
P Narasimhan
IN NS dns1..com.
IN PTR dns1..com.
IN PTR dns2..com.
IN PTR server1..com.
IN PTR server2..com.
IN PTR ftp..com.
IN PTR ftp..com.
statement, except for the zone name. Note that a reverse name
resolution zone requires the first three blocks of the IP address reversed
followed by .in-addr.arpa. This allows the single block of IP numbers
used in the reverse name resolution zone file to be associated with the
zone.
Netcraftz
P Narasimhan
Path
Description
The default
/
configuration
etc/named.con file for the
f
named
service.
/etc/rndc.conf
The default
configuration
file for the
rndc utility.
/etc/rndc.key
The default
key location.
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
P Narasimhan
Looking Up a Nameserver
To look up a nameserver for a particular domain, use the command in
the following form:
digname NS
In the given below, A sample nameserver lookup, the dig utility is used
to display nameservers for .com.
~]$ dig .com NS
; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> .com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57883
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;.com.
IN
NS
;; ANSWER SECTION:
.com.
99374 IN
.com.
99374 IN
NS
NS
a.iana-servers.net.
b.iana-servers.net.
Netcraftz
P Narasimhan
Looking Up an IP Address
To look up an IP address assigned to a particular domain, use the
command in the following form:
digname A
In the given below, A sample IP address lookup, the dig utility is used
to display the IP address of .com.
~]$ dig .com A
;; QUESTION SECTION:
;.com.
IN
;; ANSWER SECTION:
.com.
155606 IN
192.0.32.10
;; AUTHORITY SECTION:
.com.
99175 IN
NS
a.iana-servers.net.
.com.
99175 IN
NS
b.iana-servers.net.
Netcraftz
P Narasimhan
Looking Up a Hostname
To look up a hostname for a particular IP address, use the command in
the following form:
dig
-x
address
In the given below, A sample hostname lookup, the dig utility is used
to display the hostname assigned to 192.0.32.10.
~]$ dig -x 192.0.32.10
IN
PTR
;; ANSWER SECTION:
10.32.0.192.in-addr.arpa. 21600 IN
PTR
www..com.
;; AUTHORITY SECTION:
Netcraftz
P Narasimhan
NS
b.iana-servers.org.
32.0.192.in-addr.arpa. 21600 IN
NS
c.iana-servers.net.
32.0.192.in-addr.arpa. 21600 IN
NS
d.iana-servers.net.
32.0.192.in-addr.arpa. 21600 IN
NS
ns.icann.org.
32.0.192.in-addr.arpa. 21600 IN
NS
a.iana-servers.net.
;; ADDITIONAL SECTION:
a.iana-servers.net.
13688 IN
192.0.34.43
b.iana-servers.org.
5844
IN
193.0.0.236
b.iana-servers.org.
5844
IN
AAAA
c.iana-servers.net.
12173 IN
c.iana-servers.net.
12173 IN
AAAA
ns.icann.org.
12884 IN
2001:610:240:2::c100:ec
139.91.1.10
2001:648:2c30::1:10
192.0.34.126
CHAPTER- 9
Netcraftz
: OPENSSH
SERVER
P Narasimhan
package
cryptographic
libraries,
openssl)
enabling
which
installs
OpenSSH
to
several
important
provide
encrypted
communications.
Netcraftz
P Narasimhan
Main Features
The SSH protocol provides the following safeguards:
Netcraftz
P Narasimhan
Protocol Versions
Netcraftz
P Narasimhan
P Narasimhan
Netcraftz
P Narasimhan
[3]
. Each of
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
Configuring OpenSSH
There are two different sets of configuration files: those for client
programs (that is, ssh, scp, and sftp), and those for the server (the sshd
daemon).
System-wide SSH configuration information is stored in the /etc/ssh/
directory as described in the Table below, System-wide configuration
files. User-specific SSH configuration information is stored in ~/.ssh/
within the user's home directory as described in the following
tableUser-specific configuration files.
Netcraftz
P Narasimhan
Description
Contains
Diffie-Hellman
groups used
for the DiffieHellman key
exchange
which is
critical for
constructing a
secure
transport layer.
When keys are
/
exchanged at
etc/ssh/m the beginning
oduli
of an SSH
session, a
shared, secret
value is
created which
cannot be
determined by
either party
alone. This
value is then
used to
provide host
authentication.
The default
SSH client
configuration
/
file. Note that
etc/ssh/ss
it is overridden
h_config
by
~/.ssh/config if
it exists.
/
etc/ssh/ss
hd_confi
g
Netcraftz
The
configuration
file for the
sshd daemon.
P Narasimhan
Description
/
etc/ssh/ss
h_host_d
sa_key
The DSA
private key
used by the
sshd daemon.
/
etc/ssh/ss
h_host_d
sa_key.p
ub
The DSA
public key
used by the
sshd daemon.
The RSA
private key
/
used by the
etc/ssh/ss
sshd daemon
h_host_k
for version 1
ey
of the SSH
protocol.
The RSA
public key
/
used by the
etc/ssh/ss
sshd daemon
h_host_k
for version 1
ey.pub
of the SSH
protocol.
The RSA
private key
/
used by the
etc/ssh/ss
sshd daemon
h_host_rs
for version 2
a_key
of the SSH
protocol.
/
etc/ssh/ss
h_host_rs
a_key.pu
b
Netcraftz
The RSA
public key
used by the
sshd daemon
for version 2
of the SSH
protocol.
P Narasimhan
File
Description
Holds a list
of
authorized
public keys
for servers.
When the
client
connects to a
~/.ssh/authorized server, the
_keys
server
authenticates
the client by
checking its
signed
public key
stored
within this
file.
~/.ssh/id_dsa
Contains the
DSA private
key of the
user.
~/.ssh/id_dsa.pu
b
The DSA
public key
of the user.
~/.ssh/id_rsa
The RSA
private key
used by ssh
for version 2
of the SSH
protocol.
The RSA
public key
used by ssh
~/.ssh/id_rsa.pub
for version 2
of the SSH
protocol.
Netcraftz
P Narasimhan
~/.ssh/identity
Description
The RSA
private key
used by ssh
for version 1
of the SSH
protocol.
The RSA
public key
~/.ssh/identity.pu used by ssh
b
for version 1
of the SSH
protocol.
Contains
DSA host
keys of SSH
servers
accessed by
the user.
This file is
~/.ssh/known_ho
very
sts
important
for ensuring
that the SSH
client is
connecting
the correct
SSH server.
Netcraftz
P Narasimhan
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle
attack)!
It is also possible that the RSA host key has just been changed.
Requiring SSH for Remote Connections
For SSH to be truly effective, using insecure connection protocols should
be prohibited. Otherwise, a user's password may be protected using SSH
for one session, only to be captured later while logging in using Telnet.
Some services to disable include telnet, rsh, rlogin, and vsftpd.
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
E. |
.. |
o.|
. .|
S.
.|
+ o o ..|
* * +oo|
O +..=|
o* o.|
+-----------------+
4. Change the permissions of the ~/.ssh/ directory:
~]$ chmod 755 ~/.ssh
5. Copy
the
content
of
~/.ssh/id_rsa.pub
into
the
P Narasimhan
| ...o Bo
| .. . + o.
|. . E o
| o..o S
Netcraftz
P Narasimhan
the
content
of
~/.ssh/id_dsa.pub
into
the
Enter
to
confirm
the
default
location
(that
is,
|
P Narasimhan
..
oo
+oE
.oS
=+ . |
the
content
of
~/.ssh/identity.pub
into
the
Netcraftz
P Narasimhan
5. Log out and then log back in. A dialog box will appear prompting
you for your passphrase. From this point on, you should not be
prompted for a password by ssh, scp, or sftp.
Entering a passphrase
To save your passphrase for a certain shell prompt, use the following
command:
~]$ ssh-add
Enter passphrase for /home/john/.ssh/id_rsa:
Note that when you log out, your passphrase will be forgotten. You must
execute the command each time you log in to a virtual console or a
terminal window.
OpenSSH Clients
To connect to an OpenSSH server from a client machine, you must have
the openssh-clients and openssh packages installed .
Netcraftz
P Narasimhan
P Narasimhan
Netcraftz
P Narasimhan
to
the
same
directory
on
the
remote
machine
To transfer a remote file to the local system, use the following syntax:
scp username@hostname:remotefile localfile
For instance, to download the .vimrc configuration file from the remote
machine, type:
~]$ scp john@penguin..com:.vimrc .vimrc
john@penguin..com's password:
.vimrc
100% 2233
2.2KB/s 00:00
P Narasimhan
Netcraftz
P Narasimhan
Description
ls [directory]
List the
content of a
remote
directory. If
none is
supplied, a
current
working
directory is
used by
default.
cd directory
Change the
remote
working
directory to
directory.
mkdir
directory
Create a
remote
directory.
rmdir path
Remove a
remote
directory.
put localfile
[remotefile]
Transfer
localfile to a
remote
machine.
Transfer
get remotefile remotefile
[localfile]
from a remote
machine.
Netcraftz
P Narasimhan
CHAPTER- 10
: W E B S E R V E R A PA C H E C O N F I G U R A T I O N
This section focuses on the Apache HTTP Server 2.2, a robust, fullfeatured open source web server developed by the Apache Software
Foundation, that is included in Red Hat Enterprise Linux 6. It describes
the basic configuration of the httpd service, and covers advanced topics
such as adding server modules, setting up virtual hosts, or configuring
the secure HTTP server.
Netcraftz
P Narasimhan
New Features
The Apache
HTTP Server
version
2.2
introduces
the
following
enhancements:
Improved
caching
modules,
that
is,
mod_cache
and
mod_disk_cache.
Support for proxy load balancing, that is, the mod_proxy_balancer
module.
Support for large files on 32-bit architectures, allowing the web
server to handle files greater than 2GB.
A new structure for authentication and authorization support,
replacing the authentication modules provided in previous
versions.
Notable Changes
Since version 2.0, few changes have been made to the default httpd
service configuration:
The following modules are no longer loaded by default:
mod_cern_meta and mod_asis.
The following module is newly loaded by default: mod_ext_filter.
Netcraftz
P Narasimhan
you
use
the
Apache
HTTP
Secure
Server,
edit
the
[ OK ]
If you want the service to start automatically at the boot time, use the
following command:
~]# chkconfig httpd on
Netcraftz
P Narasimhan
[ OK ]
[ OK ]
[ OK ]
This will stop the running httpd service, and then start it again.
Use this command after installing or removing a dynamically
loaded module such as PHP.
2. To only reload the configuration, type:
~]# service httpd reload
Netcraftz
P Narasimhan
Path
Description
/
The main
etc/httpd/conf/ configuration
httpd.conf
file.
An auxiliary
directory for
configuration
/
files that are
etc/httpd/conf.
included in
d/
the main
configuration
file.
Netcraftz
P Narasimhan
following
directives
are
commonly
used
in
the
</Directory>
The directory can be either a full path to an existing directory in the
local file system, or a wildcard expression.
Netcraftz
P Narasimhan
<IfDefine>
The IfDefine directive allows you to use certain directives only when a
particular parameter is supplied on the command line. It takes the
following form:
<IfDefine [!]parameter>
directive
</IfDefine>
The parameter can be supplied at a shell prompt using the -D parameter
command line option (for , httpd -DEnableHome). If the optional
exclamation mark (that is, !) is present, the enclosed directives are used
only when the parameter is not specified.
Using the <IfDefine> directive
<IfDefine EnableHome>
Netcraftz
P Narasimhan
</IfModule>
The module can be identified either by its name, or by the file name. If
the optional exclamation mark (that is, !) is present, the enclosed
directives are used only when the module is not loaded.
Using the <IfModule> directive
<IfModule mod_disk_cache.c>
CacheEnable disk /
CacheRoot /var/cache/mod_proxy
</IfModule>
<Location>
The <Location> directive allows you to apply certain directives to a
particular URL only. It takes the following form:
<Location url>
directive
</Location>
Netcraftz
P Narasimhan
<Proxy>
The <Proxy> directive allows you to apply certain directives to the proxy
server only. It takes the following form:
<Proxy pattern>
directive
</Proxy>
The pattern can be an external URL, or a wildcard expression (for ,
http://.com/*).
Using the <Proxy> directive
<Proxy *>
Order deny,allow
Deny from all
Allow from ..com
Netcraftz
P Narasimhan
<VirtualHost>
The <VirtualHost> directive allows you apply certain directives to
particular virtual hosts only. It takes the following form:
<VirtualHost address[:port]>
directive
</VirtualHost>
The address can be an IP address, a fully qualified domain name, or a
special form .
Available <VirtualHost> options
Option
Description
Represents
all IP
addresses.
_default_
Represents
unmatched
IP
addresses.
Netcraftz
P Narasimhan
<VirtualHost *:80>
ServerAdmin webmaster@penguin..com
DocumentRoot /www/docs/penguin..com
ServerName penguin..com
ErrorLog logs/penguin..com-error_log
CustomLog logs/penguin..com-access_log common
</VirtualHost>
AccessFileName
The AccessFileName directive allows you to specify the file to be used to
customize access control information for each directory. It takes the
following form:
AccessFileName filename
The filename is a name of the file to look for in the requested directory.
By default, the server looks for .htaccess.
For security reasons, the directive is typically followed by the Files tag
to prevent the files beginning with .ht from being accessed by web
clients. This includes the .htaccess and .htpasswd files.
Using the AccessFileName directive
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Netcraftz
P Narasimhan
Action
The Action directive allows you to specify a CGI script to be executed
when a certain media type is requested. It takes the following form:
Action content-type path
The content-type has to be a valid MIME type such as text/html,
image/png, or application/pdf. The path refers to an existing CGI script,
and must be relative to the directory specified by the DocumentRoot
directive (for , /cgi-bin/process-image.cgi).
Using the Action directive
Action image/png /cgi-bin/process-image.cgi
Alias
The Alias directive allows you to refer to files and directories outside the
default directory specified by the DocumentRoot directive. It takes the
following form:
Alias url-path real-path
The url-path must be relative to the directory specified by the
DocumentRoot directive (for , /images/). The real-path is a full path to a
file or directory in the local file system.
This directive is typically followed by the Directory tag with additional
permissions to access the target directory. By default, the /icons/ alias
is created so that the icons from /var/www/icons/ are displayed in
server-generated directory listings.
Using the Alias directive
Alias /icons/ /var/www/icons/
Netcraftz
P Narasimhan
Allow
The Allow directive allows you to specify which clients have permission
to access a given directory. It takes the following form:
Allow from client
The client can be a domain name, an IP address (both full and partial), a
network/ netmask pair, or all for all clients.
14.18.Using the Allow directive
Allow from 192.168.1.0/255.255.255.0
AllowOverride
The AllowOverride directive allows you to specify which directives in a .htaccess
file can override the default configuration. It takes the following form:
AllowOverride type
The type has to be one of the available grouping options as described below :
Available AllowOverride options
Netcraftz
P Narasimhan
Description
All
All directives in
.htaccess are allowed
to override earlier
configuration
settings.
None
No directive in
.htaccess is allowed
to override earlier
configuration
settings.
AuthConfig
FileInfo
Indexes
Limit
Netcraftz
P Narasimhan
Description
Options
[=option,]
Netcraftz
P Narasimhan
Deny
The Deny directive allows you to specify which clients are denied access
to a given directory. It takes the following form:
Deny from client
The client can be a domain name, an IP address (both full and partial), a
network/ netmask pair, or all for all clients.
Using the Deny directive
Deny from 192.168.1.1
DirectoryIndex
The DirectoryIndex directive allows you to specify a document to be
served to a client when a directory is requested (that is, when the URL
ends with the / character). It takes the following form:
DirectoryIndex filename
The filename is a name of the file to look for in the requested directory.
By default, the server looks for index.html, and index.html.var.
Using the DirectoryIndex directive
DirectoryIndex index.html index.html.var
DocumentRoot
The DocumentRoot directive allows you to specify the main directory
from which the content is served. It takes the following form:
DocumentRoot directory
The directory must be a full path to an existing directory in the local file system.
The default option is /var/www/html/.
Using the DocumentRoot directive
Netcraftz
P Narasimhan
ErrorLog logs/error_log
HostnameLookups
The HostnameLookups directive allows you to enable automatic resolving
of IP addresses. It takes the following form:
HostnameLookups option
Netcraftz
P Narasimhan
Option
Description
On
Enables
resolving the
IP address for
each
connection so
that the
hostname can
be logged.
However, this
also adds a
significant
processing
overhead.
Double
Enables
performing
the doublereverse DNS
lookup. In
comparison to
the above
option, this
adds even
more
processing
overhead.
Off
Disables
resolving the
IP address for
each
connection.
Netcraftz
P Narasimhan
Note that when the presence of hostnames is required in server log files,
it is often possible to use one of the many log analyzer tools that
perform the DNS lookups more efficiently.
Using the HostnameLookups directive
HostnameLookups Off
Include
The Include directive allows you to include other configuration files. It
takes the following form:
Include filename
The filename can be an absolute path, a path relative to the directory
specified by the ServerRoot directive, or a wildcard expression. All
configuration files from the /etc/httpd/conf.d/ directory are loaded by
default.
Using the Include directive
Include conf.d/*.conf
KeepAlive
The KeepAlive directive allows you to enable persistent connections. It
takes the following form:
KeepAlive option
The option has to be a valid keyword as described below.
Available KeepAlive options
Netcraftz
P Narasimhan
On
Enables the
persistent
connections.
In this case,
the server
will accept
more than
one request
per
connection.
Off
Disables the
keep-alive
connections.
Netcraftz
P Narasimhan
Note that when the persistent connections are enabled, on a busy server,
the number of child processes can increase rapidly and eventually reach
the maximum limit, slowing down the server significantly. To reduce the
risk, it is recommended that you set KeepAliveTimeout to a low number,
and monitor the /var/log/httpd/logs/error_log log file carefully.
Using the KeepAlive directive
KeepAlive Off
KeepAliveTimeout
The KeepAliveTimeout directive allows you to specify the amount of time
to wait for another request before closing the connection. It takes the
following form:
KeepAliveTimeout time
The ip-address is optional and unless supplied, the server will accept incoming
requests on a given port from all IP addresses. Since the protocol is determined
automatically from the port number, it can be usually omitted. The default option
is to listen to port 80.
Note that if the server is configured to listen to a port under 1024, only superuser
will be able to start the httpd service.
Listen 80
LoadModule
Netcraftz
P Narasimhan
The LogLevel directive allows you to customize the verbosity level of the
error log. It takes the following form:
LogLevel option
Available LogLevel options
Netcraftz
P Narasimhan
Description
emerg
Only the
emergency
situations
when the
server cannot
perform its
work are
logged.
alert
All situations
when an
immediate
action is
required are
logged.
crit
All critical
conditions
are logged.
error
All error
messages are
logged.
warn
All warning
messages are
logged.
notice
Even normal,
but still
significant
situations are
logged.
info
Various
informational
messages are
logged.
debug
Various
debugging
messages are
logged.
Netcraftz
P Narasimhan
LogLevel warn
MaxKeepAliveRequests
The MaxKeepAliveRequests directive allows you to specify the maximum
number of requests for a persistent connection. It takes the following
form:
MaxKeepAliveRequests number
A high number can improve the performance of the server. Note that
using 0 allows unlimited number of requests. The default option is 100.
Using the MaxKeepAliveRequests option
MaxKeepAliveRequests 100
NameVirtualHost
The NameVirtualHost directive allows you to specify the IP address and
port number for a name-based virtual host. It takes the following form:
NameVirtualHost ip-address[:port]
The ip-address can be either a full IP address, or an asterisk (that is, *)
representing all interfaces. Note that IPv6 addresses have to be enclosed
in square brackets (that is, [ and ]). The port is optional.
Name-based virtual hosting allows one Apache HTTP Server to serve
different domains without using multiple IP addresses.
Netcraftz
P Narasimhan
NameVirtualHost *:80
Options
The Options directive allows you to specify which server features are
available in a particular directory. It takes the following form:
Options option
Available server features
Netcraftz
P Narasimhan
Description
ExecCGI
Enables the
execution of CGI
scripts.
FollowSymLinks
Enables following
symbolic links in
the directory.
Includes
IncludesNOEXEC
Indexes
Enables servergenerated
directory listings.
MultiViews
Enables contentnegotiated
MultiViews.
SymLinksIfOwnerMatch
Enables following
symbolic links in
the directory
when both the
link and the target
file have the same
owner.
All
None
Netcraftz
P Narasimhan
Option
Description
Allow
allow,deny directives are
evaluated first.
Deny directives
deny,allow are evaluated
first.
Netcraftz
P Narasimhan
Order allow,deny
PidFile
The PidFile directive allows you to specify a file to which the process ID (
PID) of the server is stored. It takes the following form:
PidFile path
The path refers to a pid file, and can be either absolute, or relative to
the directory that is specified by the ServerRoot directive (that is,
/etc/httpd/ by default). The default option is run/httpd.pid.
PidFile run/httpd.pid
ProxyRequests
The ProxyRequests directive allows you to enable forward proxy requests. It takes
the following form:
ProxyRequests option
Optio
Description
n
On
Enables
forward
proxy
requests.
Off
Disables
forward
proxy
requests.
Netcraftz
P Narasimhan
ProxyRequests On
ServerAdmin
The ServerAdmin directive allows you to specify the email address of the
server administrator to be displayed in server-generated web pages. It
takes the following form:
ServerAdmin email
The default option is root@localhost.
This directive is commonly set to webmaster@hostname, where
hostname is the address of the server. Once set, alias webmaster to the
person responsible for the web server in /etc/aliases, and as superuser,
run the newaliases command.
ServerAdmin webmaster@penguin..com
ServerName
The ServerName directive allows you to specify the hostname and the
port number of a web server. It takes the following form:
ServerName hostname[:port]
The hostname has to be a fully qualified domain name ( FQDN) of the
server. The port is optional, but when supplied, it has to match the
number specified by the Listen directive.
When using this directive, make sure that the IP address and server name
pair are included in the /etc/hosts file.
Netcraftz
P Narasimhan
UseCanonicalName
The UseCanonicalName allows you to specify the way the server refers to itself. It
takes the following form:
UseCanonicalName option
Available UseCanonicalName options
Netcraftz
P Narasimhan
Description
On
Enables the
use of the
name that is
specified by
the
ServerName
directive.
Off
Disables the
use of the
name that is
specified by
the
ServerName
directive. The
hostname and
port number
provided by
the requesting
client are used
instead.
DNS
Disables the
use of the
name that is
specified by
the
ServerName
directive. The
hostname
determined by
a reverse DNS
lookup is used
instead.
Netcraftz
P Narasimhan
User
The User directive allows you to specify the user under which the httpd
service will run. It takes the following form:
User user
The user has to be an existing UNIX user. The default option is apache.
For security reasons, the httpd service should not be run with root
privileges. Note that User is no longer supported inside <VirtualHost>,
and has been replaced by the SuexecUserGroup directive.
Using the User directive
User apache
UserDir
The UserDir directive allows you to enable serving content from users'
home directories. It takes the following form:
UserDir option
The option can be either a name of the directory to look for in user's
home directory (typically public_html), or a valid keyword as described
in Table14.20, Available UserDir options. The default option is
disabled.
Available UserDir options
Netcraftz
P Narasimhan
enableduser
Description
Enables
serving
content
from home
directories
of given
users.
Disables
serving
content
from home
directories,
either for all
disabled[user] users, or, if
a space
separated
list of users
is supplied,
for given
users only.
Netcraftz
P Narasimhan
The option can be either a HTTP header field, a previously defined environment
variable name, or a valid keyword as described . The pattern is a regular
expression. The variable is an environment variable that is set when the option
matches the pattern. If the optional exclamation mark (that is, !) is present, the
variable is removed instead of being set.
Available SetEnvIf options
Netcraftz
P Narasimhan
Description
Remote_H
ost
Refers to
the client's
hostname.
Remote_A
ddr
Refers to
the client's
IP address.
Server_Ad
dr
Refers to
the server's
IP address.
Refers to
Request_M the request
ethod
method (for
, GET).
Refers to
the protocol
Request_Pr name and
otocol
version
(for ,
HTTP/1.1).
Refers to
Request_U the
RI
requested
resource.
Netcraftz
P Narasimhan
The SetEnvIf directive is used to disable HTTP keepalives, and to allow SSL to close
the connection without a closing notification from the client browser. This is
necessary for certain web browsers that do not reliably shut down the SSL
connection.
Using the SetEnvIf directive
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
Note that for the /etc/httpd/conf.d/ssl.conf file to be present, the mod_ssl needs to be
installed.
Common Multi-Processing Module Directives
The Multi-Processing Module ( MPM) directives allow you to customize the behavior of a
particular MPM specific server-pool. Since its characteristics differ depending on which
MPM is used, the directives are embedded in IfModule. By default, the server-pool is
defined for both the prefork and worker MPMs.
The following MPM directives are commonly used in /etc/httpd/conf/httpd.conf:
MaxClients
The MaxClients directive allows you to specify the maximum number of
simultaneously connected clients to process at one time. It takes the following
form:
MaxClients number
A high number can improve the performance of the server, although it is not
recommended to exceed 256 when using the prefork MPM.
Using the MaxClients directive
MaxClients 256
MaxRequestsPerChild
The MaxRequestsPerChild directive allows you to specify the maximum number of
request a child process can serve before it dies. It takes the following form:
MaxRequestsPerChild number
P Narasimhan
MaxSpareServers
The MaxSpareServers directive allows you to specify the maximum number of spare
child processes. It takes the following form:
MaxSpareServers number
MaxSpareThreads
The MaxSpareThreads directive allows you to specify the maximum number of
spare server threads. It takes the following form:
MaxSpareThreads number
The number must be greater than or equal to the sum of MinSpareThreads and
ThreadsPerChild. This directive is used by the worker MPM only.
MaxSpareThreads 75
MinSpareServers
The MinSpareServers directive allows you to specify the minimum number of spare
child processes. It takes the following form:
MinSpareServers number
Note that a high number can create a heavy processing load on the server. This
directive is used by the prefork MPM only.
MinSpareServers 5
MinSpareThreads
The MinSpareThreads directive allows you to specify the minimum number of spare
server threads. It takes the following form:
MinSpareThreads number
Netcraftz
P Narasimhan
StartServers
The StartServers directive allows you to specify the number of child processes to
create when the service is started. It takes the following form:
StartServers number
Since the child processes are dynamically created and terminated according to the
current traffic load, it is usually not necessary to change this value.
StartServers 8
ThreadsPerChild
The ThreadsPerChild directive allows you to specify the number of threads a child
process can create. It takes the following form:
ThreadsPerChild number
located
in
/usr/lib/httpd/modules/
on
32-bit
and
in
Netcraftz
P Narasimhan
configuration.
Sample virtual host configuration
NameVirtualHost penguin..com:80
<VirtualHost penguin..com:80>
ServerAdmin webmaster@penguin..com
DocumentRoot /www/docs/penguin..com
ServerName penguin..com:80
ErrorLog logs/penguin..com-error_log
CustomLog logs/penguin..com-access_log common
</VirtualHost>
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
This
will
create
the
mod_ssl
configuration
file
at
Netcraftz
P Narasimhan
the
/etc/pki/tls/private/
and
/etc/pki/tls/certs/
directories
Netcraftz
P Narasimhan
To run the utility, use the genkey command followed by the appropriate hostname (for ,
penguin..com):
~]# genkey hostname
To complete the key and certificate creation, take the following steps:
1. Review the target locations in which the key and certificate will be stored.
Running the genkey utility
Use the Tab key to select the Next button, and press Enter to proceed to the next
screen.
2. Using the Up and down arrow keys, select the suitable key size. Note that while
the large key increases the security, it also increases the response time of your
server. Because of this, the recommended option is 1024 bits.
Selecting the key size
Once finished, use the Tab key to select the Next button, and press Enter to
initiate the random bits generation process. Depending on the selected key size,
this may take some time.
3. Decide whether you wish to send a certificate request to a certificate authority.
Generating a certificate request
Netcraftz
P Narasimhan
Use the Tab key to select the Next button, and press Enter to proceed to the next
screen.
5. If you have enabled the private key encryption, enter an adequate passphrase.
Note that for security reasons, it is not displayed as you type, and it must be at
least five characters long.
Use the Tab key to select the Next button, and press Enter to proceed to the next
screen.
Do not forget the passphrase
Entering the correct passphrase is required in order for the server to start. If you
lose it, you will need to generate a new key and certificate.
6. Customize the certificate details.
Specifying certificate information
Use the Tab key to select the Next button, and press Enter to finish the key
generation.
7. If you have previously enabled the certificate request generation, you will be
prompted to send it to a certificate authority.
Instructions on how to send a certificate request
Netcraftz
P Narasimhan
CHAPTER- 11
Netcraftz
P Narasimhan
/pub
nfs
rsize=8192,wsize=8192,timeo=14,intr
The mount point /pub must exist on the client machine before this
command can be executed. After adding this line to /etc/fstab on the
client system, type the command mount /pub at a shell prompt, and the
mount point /pub is mounted from the server.
Netcraftz
P Narasimhan
Note
The directory /misc must exist on the local file system. There should be
no subdirectories in /misc on the local file system.
To start the autofs service, at a shell prompt, type the following
command:
/sbin/service autofs restart
Netcraftz
P Narasimhan
To add an NFS share, click the Add button. The dialog box shown in Figure
Add Share appears.
The Basic tab requires the following information:
Directory Specify the directory to share, such as /tmp.
Host(s) Specify the host(s) with which to share the directory.
Basic permissions Specify whether the directory should have read-only or
read/write permissions.
The General Options tab allows the following options to be configured:
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
Specify local group ID for anonymous users If Treat all client users as
anonymous users is selected, this option lets you specify a group ID for the
anonymous user. This option corresponds to anongid.
To edit an existing NFS share, select the share from the list, and click
the Properties button. To delete an existing NFS share, select the share
from the list, and click the Delete button.
After clicking OK to add, edit, or delete an NFS share from the list, the
changes take place immediately the server daemon is restarted and
the old configuration file is saved as /etc/exports.bak. The new
configuration is written to /etc/exports.
The NFS Server Configuration Tool reads and writes directly to the
/etc/exports configuration file. Thus, the file can be modified manually
after using the tool, and the tool can be used after modifying the file
manually (provided the file was modified with correct syntax).
Netcraftz
P Narasimhan
Warning
Be careful with spaces in the /etc/exports file. If there are no spaces
between the hostname and the options in parentheses, the options apply
only to the hostname. If there is a space between the hostname and the
options, the options apply to the rest of the world. For , examine the
following lines:
/misc/export speedy..com(rw,sync)
/misc/export speedy..com (rw,sync)
The first line grants users from speedy..com read-write access and
denies all other users. The second line grants users from speedy..com
read-only access (the default) and allows the rest of the world readwrite access.
Each time you change /etc/exports, you must inform the NFS daemon of
the change, or reload the configuration file with the following command:
/sbin/service nfs reload
Netcraftz
P Narasimhan
CHAPTER- 12
Netcraftz
: C R O S S - P L ATF O R M F I L E S E RV E R - S A M B A
P Narasimhan
Netcraftz
P Narasimhan
Introduction to Samba
The third major release of Samba, version 3.0.0, introduced numerous
improvements from prior versions, including:
The ability to join an Active Directory domain by means of the
Lightweight Directory Access Protocol ( LDAP) and Kerberos
Built in Unicode support for internationalization
Support for all recent Microsoft Windows server and client versions
to connect to Samba servers without needing local registry
hacking
Two new documents developed by the Samba.org team, which
include a 400+ page reference manual, and a 300+ page
implementation and integration manual.
Samba Features
Samba is a powerful and versatile server application. Even seasoned
system administrators must know its abilities and limitations before
attempting installation and configuration.
What Samba can do:
Serve directory trees and printers to Linux, UNIX, and Windows
clients
Assist in network browsing (with or without NetBIOS)
Authenticate Windows domain logins
Provide Windows Internet Name Service ( WINS) name server
resolution
Netcraftz
P Narasimhan
smbd
The smbd server daemon provides file sharing and printing services to
Windows clients. In addition, it is responsible for user authentication,
resource locking, and data sharing through the SMB protocol. The default
ports on which the server listens for SMB traffic are TCP ports 139 and
445.
The smbd daemon is controlled by the smb service.
nmbd
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
Double-click one of the workgroup/domain icons to view a list of computers within the
workgroup/domain.
As you can see from Figure an icon exists for each machine within the
workgroup. Double-click on an icon to view the Samba shares on the
machine. If a username and password combination is required, you are
prompted for them.
Alternately, you can also specify the Samba server and sharename in the
Location: bar for Nautilus using the following syntax (replace
<servername> and <sharename> with the appropriate values):
smb://<servername>/<sharename>
Command Line
To query the network for Samba servers, use the findsmb command. For
each server found, it displays its IP address, NetBIOS name, workgroup
name, operating system, and SMB server version.
To connect to a Samba share from a shell prompt, type the following
command:
~]$smbclient //<hostname>/<sharename> -U <username>
Replace <hostname> with the hostname or IP address of the Samba
server you want to connect to, <sharename> with the name of the
shared directory you want to browse, and <username> with the Samba
username for the system. Enter the correct password or press Enter if no
password is required for the user.
If you see the smb:\> prompt, you have successfully logged in. Once you
are logged in, type help for a list of commands. If you wish to browse the
contents of your home directory, replace sharename with your
username. If the -U switch is not used, the username of the current user
is passed to the Samba server.
Netcraftz
P Narasimhan
-t
cifs
//<servername>/<sharename>
/mnt/point/
-o
username=<username>,password=<password>
This command mounts <sharename> from <servername> in the local
directory /mnt/point/.
P Narasimhan
P Narasimhan
Netcraftz
P Narasimhan
P Narasimhan
Netcraftz
P Narasimhan
workgroup = DOCS
netbios name = DOCS_SRV
security = share
[data]
comment = Data
path = /export
force user = docsbot
force group = users
read only = No
guest ok = Yes
Anonymous Print Server
The following /etc/samba/smb.conf file shows a sample configuration
needed to implement an anonymous print server. Setting browseable to
no as
shown
does
not
list
the
printer
in
Windows
Network
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
Using WINS
All servers (including Samba) should connect to a WINS server to resolve
NetBIOS names. Without WINS, browsing only occurs on the local subnet.
Furthermore, even if a domain-wide list is somehow obtained, hosts
cannot be resolved for the client without WINS.
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
smbcontrol -i <options>
smbcontrol <options> <destination> <messagetype> <parameters>
Netcraftz
P Narasimhan
smbstatus <options>
The smbstatus program displays the status of current connections to a Samba server.
smbtar
smbtar <options>
The smbtar program performs backup and restores of Windows-based share files and
directories to a local tape archive. Though similar to the tar command, the two are not
compatible.
testparm
P Narasimhan
P Narasimhan
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
CHAPTER- 13
CHAPTER- 14
S E RVE R C O N F I G U R ATI O N - P O S T F I X
Email was born in the 1960s. The mailbox was a file in a user's home
directory that was readable only by that user. Primitive mail applications
appended new text messages to the bottom of the file, making the user
wade through the constantly growing file to find any particular message.
This system was only capable of sending messages to users on the same
system.
The first network transfer of an electronic mail message file took place
in 1971 when a computer engineer named Ray Tomlinson sent a test
message between two machines via ARPANETthe precursor to the
Internet. Communication via email soon became very popular, comprising
75 percent of ARPANET's traffic in less than two years.
Today, email systems based on standardized network protocols have
evolved into some of the most widely used services on the Internet. Red
Hat Enterprise Linux offers many advanced applications to serve and
access email.
This chapter reviews modern email protocols in use today, and some of
the programs designed to send and receive email.
Email Protocols
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
RPOP POP3 with RPOP authentication. This uses a per-user ID, similar to a
password, to authenticate POP requests. However, this ID is not encrypted, so
RPOP is no more secure than standard POP.
For added security, it is possible to use Secure Socket Layer ( SSL)
encryption for client authentication and data transfer sessions. This can
be enabled by using the pop3s service, or by using the /usr/sbin/stunnel
application.
IMAP
The default IMAP server under Red Hat Enterprise Linux is Dovecot and is
provided by the dovecot package.
When using an IMAP mail server, email messages remain on the server
where users can read or delete them. IMAP also allows client
applications to create, rename, or delete mail directories on the server
to organize and store email.
IMAP is particularly useful for users who access their email using multiple
machines. The protocol is also convenient for users connecting to the
mail server via a slow connection, because only the email header
information is downloaded for messages until opened, saving bandwidth.
The user also has the ability to delete messages without viewing or
downloading them.
For convenience, IMAP client applications are capable of caching copies
of messages locally, so the user can browse previously read messages
when not directly connected to the IMAP server.
IMAP, like POP, is fully compatible with important Internet messaging
standards, such as MIME, which allow for email attachments.
For added security, it is possible to use SSL encryption for client
authentication and data transfer sessions. This can be enabled by using
the imaps service, or by using the /usr/sbin/stunnel program.
Other free, as well as commercial, IMAP clients and servers are
available, many of which extend the IMAP protocol and provide
additional functionality.
Netcraftz
P Narasimhan
P Narasimhan
move
or
delete
the
/etc/pki/dovecot/certs/dovecot.pem
files
and
/etc/pki/dovecot/private/dovecot.pem.
Execute the /usr/libexec/dovecot/mkcert.sh script which creates
the dovecot self signed certificates. These certificates are copied
in the /etc/pki/dovecot/certs and /etc/pki/dovecot/private
directories. To implement the changes, restart dovecot:
~]# systemctl restart dovecot
More details on dovecot can be found online at http://www.dovecot.org.
Netcraftz
P Narasimhan
Fetchmail
Fetchmail is an MTA which retrieves email from remote servers and
delivers it to the local MTA. Many users appreciate the ability to separate
the process of downloading their messages located on a remote server
from the process of reading and organizing their email in an MUA.
Designed with the needs of dial-up users in mind, Fetchmail connects
and quickly downloads all of the email messages to the mail spool file
using any number of protocols, including POP3 and IMAP. It can even
forward email messages to an SMTP server, if necessary.
Installing the fetchmail package
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
poll mail.domain2.com
user 'user5' there with password 'secret2' is user1 here
user 'user7' there with password 'secret3' is user1 here
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
kerberos_v5,
kerberos_v4,
and
ssh.
If
the
any
Netcraftz
P Narasimhan
"<command>"
Replace
<command>
with
P Narasimhan
Displays
every
possible
option
based
on
message is handed off to the MTA, which sends the message through a
series of MTAs until it reaches its destination.
-a Fetchmail downloads all messages from the remote email
server, whether new or previously viewed. By default, Fetchmail
only downloads new messages.
-k Fetchmail leaves the messages on the remote email server
after downloading them. This option overrides the default
behavior of deleting messages after downloading them.
-l <max-number-bytes> Fetchmail does not download any
messages over a particular size and leaves them on the remote
email server.
--quit Quits the Fetchmail daemon process.
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
Procmail Configuration
The Procmail configuration file contains important environmental
variables. These variables specify things such as which messages to sort
and what to do with the messages that do not match any recipes.
These environmental variables usually appear at the beginning of the
~/.procmailrc file in the following format:
<env-variable>="<value>"
In this , <env-variable> is the name of the variable and <value> defines
the variable.
There are many environment variables not used by most Procmail users
and many of the more important environment variables are already
defined by a default value. Most of the time, the following variables are
used:
DEFAULT Sets the default mailbox where messages that do not
match any recipes are placed.
The default DEFAULT value is the same as $ORGMAIL.
Netcraftz
P Narasimhan
INCLUDERC=$MAILDIR/lists.rc
INCLUDERC=$MAILDIR/spam.rc
To turn off Procmail filtering of email lists but leaving spam
control in place, comment out the first INCLUDERC line with a
hash sign ( #).
LOCKSLEEP Sets the amount of time, in seconds, between
attempts by Procmail to use a particular lockfile. The default is 8
seconds.
LOCKTIMEOUT Sets the amount of time, in seconds, that must
pass after a lockfile was last modified before Procmail assumes
that the lockfile is old and can be deleted. The default is 1024
seconds.
LOGFILE The file to which any Procmail information or error
messages are written.
MAILDIR Sets the current working directory for Procmail. If set,
all other Procmail paths are relative to this directory.
ORGMAIL Specifies the original mailbox, or another place to put
the messages if they cannot be placed in the default or reciperequired location.
By default, a value of /var/spool/mail/$LOGNAME is used.
SUSPEND Sets the amount of time, in seconds, that Procmail
pauses if a necessary resource, such as swap space, is not
available.
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
Introduction
Security-Enhanced Linux (SELinux) is an implementation of a mandatory
access control mechanism in the Linux kernel, checking for allowed
operations after standard discretionary access controls are checked. It
was created by the National Security Agency and can enforce rules on
files and processes in a Linux system, and on their actions, based on
defined policy.
When using SELinux, files, including directories and devices, are referred
to as objects. Processes, such as a user running a command or the
Mozilla Firefox application, are referred to as subjects.
Most operating systems use a Discretionary Access Control (DAC) system
that controls how subjects interact with objects, and how subjects
interact with each other. On operating systems using DAC, users control
the permissions of files (objects) that they own. For , on Linux
operating systems, users could
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
information that are used on processes, Linux users, and files, on Linux
operating systems that run SELinux. This information is called the
SELinux context, and is viewed using the ls -Z command:
$ ls -Z file1
-rwxrw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
In this , SELinux provides a user (unconfined_u), a role (object_r), a type
(user_home_t), and a level (s0). This information is used to make access
control decisions. With DAC, access is controlled based only on Linux
user and group IDs. It is important to remember that SELinux policy rules
are checked after DAC rules. SELinux policy rules are not used if DAC
rules deny access first.
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
SELinux Contexts
Processes and files are labeled with an SELinux context that contains
additional information, such as an SELinux user, role, type, and,
optionally, a level. When running SELinux, all of this information is used
to make access control decisions. In Red Hat Enterprise Linux, SELinux
provides a combination of Role-Based Access Control (RBAC), Type
Enforcement (TE), and, optionally, Multi-Level Security (MLS).
The following is an showing SELinux context. SELinux contexts are used
on processes, Linux users, and files, on Linux operating systems that run
SELinux. Use the ls -Z command to view the SELinux context of files and
directories:
$ ls -Z file1
-rwxrw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
SELinux contexts follow the SELinux user:role:type:level syntax. The
fields are as follows:
SELinux user
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
P Narasimhan
selinux-policy,
libselinux,
libselinux-python,
command.
The
following
packages
are
optional:
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
Description
-> off Allow ftp to read and
files
xguest_connect_network
Network Manager
The SELinux boolean column lists Boolean names. The Description
column lists whether the Booleans are on or off, and what they do. In
the following , the ftp_home_dir Boolean is off, preventing the FTP
daemon (vsftpd) from reading and writing to files in user home
directories:
ftp_home_dir
Netcraftz
P Narasimhan
/usr/sbin/getsebool
allow_console_login
allow_cvs_read_shadow
allow_daemons_dump_core
$
/usr/sbin/getsebool
allow_console_login
allow_cvs_read_shadow
allow_daemons_dump_core
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
Configuring Booleans
The setsebool boolean-name x command turns Booleans on or off, where
boolean-name is a Boolean name, and x is either on to turn the Boolean
on, or off to turn it off.
The
following
demonstrates
configuring
the
httpd_can_network_connect_db Boolean:
1.By default, the httpd_can_network_connect_db Boolean is off,
preventing Apache HTTP Server scripts and modules from connecting to
database servers:
$ /usr/sbin/getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off
Netcraftz
P Narasimhan
to
database
servers,
run
the
setsebool
that
persist
across
reboots,
run
the
setsebool
-P
Netcraftz
P Narasimhan
P Narasimhan
adds
the
following
entry
to
/etc/selinux/targeted/contexts/files/ file_contexts.local:
/etc/file1
unconfined_u:object_r:samba_share_t:s0
3. As the Linux root user, run the /sbin/restorecon -v /etc/file1
command to change the type. Since the semanage command added an
entry
to
file.contexts.local
for
/etc/file1,
the
/sbin/restorecon
P Narasimhan
CHAPTER- 16
Netcraftz
: TROUBLESHOOTING
THE
LINUX BOOT
PROCESS
P Narasimhan
Note
The following GRUB interfaces can only be accessed by pressing any key
within the three seconds of the GRUB menu bypass screen.
Menu Interface
This is the default interface shown when GRUB is configured by the
installation program. A menu of operating systems or pre-configured
kernels are displayed as a list, ordered by name. Use the arrow keys to
select an operating system or kernel version and press the Enter key to
boot it. If you do nothing on this screen, then after the time out period
expires GRUB will load the default option.
Press the e key to enter the entry editor interface or the c key to load a
command line interface.
Netcraftz
P Narasimhan
GRUB Commands
GRUB allows a number of useful commands in its command line
interface. Some of the commands accept options after their name; these
options should be separated from the command and other options on
that line by space characters.
The following is a list of useful commands:
boot Boots the operating system or chain loader that was last
loaded.
chainloader </path/to/file> Loads the specified file as a chain
loader. If the file is located on the first sector of the specified
partition, use the blocklist notation, +1, instead of the file name.
The following is a chainloader command:
chainloader +1
Netcraftz
P Narasimhan
<stage-1> Signifies a device, partition, and file where the first boot loader
image can be found, such as (hd0,0)/grub/stage1.
<install-disk> Specifies the disk where the stage 1 boot loader should be
installed, such as (hd0).
<stage-2> Passes the stage 2 boot loader location to the
stage 1 boot loader, such as (hd0,0)/grub/stage2.
p <config-file> This option tells the install command to look for the menu
configuration file specified by <config-file>, such as (hd0,0)/grub/grub.conf.
Warning
The install command overwrites any information already located
on the MBR.
P Narasimhan
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan
Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On
some systems, Home and End might also work.
Note that equivalent parameters, 1, s, and single, can be passed to the kernel as
well.
13.
Press Ctrl+x to boot the system with the parameter.
14.
15.
Emergency mode provides the most minimal environment possible and
allows you to repair your system even in situations when the system is unable to
enter rescue mode. In emergency mode, the system mounts the root file system
only for reading, does not attempt to mount any other local file systems, does not
activate network interfaces, and only starts few essential services. In RedHat
EnterpriseLinux7, emergency mode requires the root password.
16.
To enter emergency mode, on the GRUB 2 boot screen, press the e key for
edit.
17.
Add the following parameter at the end of the linux line on 64-Bit IBM
Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line
on UEFI systems:
systemd.unit=emergency.target
Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On
some systems, Home and End might also work.
Note that equivalent parameters, emergency and -b, can be passed to the kernel
as well.
18.
Press Ctrl+x to boot the system with the parameter.
19.
20.
Setting up the root password is a mandatory part of the RedHat
EnterpriseLinux7 installation. If you forget or lose the root password it is possible
to reset it, however users who are members of the wheel group can change the
root password as follows:
Netcraftz
P Narasimhan
22.
Note that in GRUB 2, resetting the password is no longer performed in
single-user mode as it was in GRUB included in RedHat EnterpriseLinux6. The root
password is now required to operate in single-user mode as well as in emergency
mode.
23.
Two procedures for resetting the root password are shown here:
This takes you to a shell prompt, without having to edit the grub menu. It is the
shorter of the two procedures and it is also the recommended method. You can
use a boot disk or a normal RedHat EnterpriseLinux7 installation disk.
This makes use of rd.break to interrupt the boot process before control is passed
from initramfs to systemd. The disadvantage of this method is that it requires
more steps, includes having to edit the GRUB menu, and involves choosing
between a possibly time consuming SELinux file relabel or changing the SELinux
enforcing mode and then restoring the SELinux security context for /etc/shadow/
when the boot completes.
24.
25.
Start the system and when BIOS information is displayed, select the option
for a boot menu and select to boot from the installation disk.
26.
Choose Troubleshooting.
27.
Choose Rescue a Red Hat Enterprise Linux System.
28.
Choose Continue which is the default option. At this point you will be
promoted for a passphrase if an encrypted file system is found.
29.
Press OK to acknowledge the information displayed until the shell prompt
appears.
30.
Change the file system root as follows:
sh-4.2#chroot /mnt/sysimage
31.
Enter the passwd command and follow the instructions displayed on the
command line to change the root password.
32.
Remove the autorelable file to prevent a time consuming SELinux relabel of
the disk:
sh-4.2#rm -f /.autorelabel
33.
Enter the exit command to exit the chroot environment.
34.
Enter the exit command again to resume the initialization and finish the
system boot.
35.
36.
Start the system and, on the GRUB 2 boot screen, press the e key for edit.
37.
Remove the rhgb and quiet parameters from the end, or near the end, of
the linux16 line, or linuxefi on UEFI systems.
Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On
some systems, Home and End might also work.
Important
Netcraftz
P Narasimhan
Adding the enforcing=0 option enables omitting the time consuming SELinux
relabeling process.
The initramfs will stop before passing control to the Linux kernel, enabling you to
work with the root file system.
Note that the initramfs prompt will appear on the last console specified on the
Linux line.
39.
Press Ctrl+x to boot the system with the changed parameters.
With an encrypted file system, a password is required at this point. However the
password prompt might not appear as it is obscured by logging messages. You can
press the Backspace key to see the prompt. Release the key and enter the
password for the encrypted file system, while ignoring the logging messages.
The initramfs switch_root prompt appears.
40.
The file system is mounted read-only on /sysroot/. You will not be allowed
to change the password if the file system is not writable.
Remount the file system as writable:
switch_root:/#mount -o remount,rw /sysroot
41.
The file system is remounted with write enabled.
Change the file system's root as follows:
switch_root:/#chroot /sysroot
43.
Updating the password file results in a file with the incorrect SELinux
security context. To relabel all files on next system boot, enter the following
command:
sh-4.2#touch /.autorelabel
Alternatively, to save the time it takes to relabel a large disk, you can omit this
step provided you included the enforcing=0 option in step 3.
44.
Remount the file system as read only:
sh-4.2#mount -o remount,ro /
45.
Netcraftz
Netcraftz
P Narasimhan
Share T/
Installing Docker
Step 2: It will list operating systems (in my case only CentOS
installed) that you have installed on the machine, In below that you might find some
information about booting the OS and editing the parameters of menu. If you want to
enter into single user mode; select the operating system and press e edit arguments
of kernel.
Step 3: Once you have pressed, you should see the information about the selected
operating system. It gives you the information about the hard disk and partition where
the OS installed, location of the kernel, language, video output, keyboard type,
keyboard table, crash kernel and initrd (Initial ram disk).
To enter into single user mode; Go to second last line (Starts with linux 16 or linuxefi)
using up and down arrow then modify the ro argument.
Step 5: Modify it to rw init=/sysroot/bin/sh. Once done, press Ctrl+x
Now you should be in command line mode with root privileges (without entering
password). Now you can start to troubleshoot your system or can do maintenance of your
system.
Thats all, You must chroot to reset root password in CentOS 7 / RHEL 7
Netcraftz
P Narasimhan
Netcraftz
P Narasimhan