LOGICAL VOLUME MANAGER (LVM)

Wednesday, November 18, 2009
With a logical volume we can add disk space to it or remove disk space from it dynamically. Any disk partition to be used as a physical volume must have its partition type set to 8e (Linux LVM). After creating the physical volumes, we create a volume group with any name, and then we create a logical volume inside it. We can extend or reduce the size of the volume group as well, not only the logical volume.
Let's start.
Create a partition of LVM type using fdisk and reboot the system:

fdisk /dev/hda
n
(define/accept the first cylinder)
(define the last cylinder) +100M
n
(define/accept the first cylinder)
(define the last cylinder) +150M
p (check the newly created partitions at the bottom and note down the partition numbers;
we are assuming /dev/hda10 and /dev/hda11 are created)
t
10 (partition no.)
l (to list the codes; note that the code for Linux LVM is 8e)
8e
t
11 (partition no.)
8e
w (to write the partition table and exit from fdisk)

reboot (reboot your system)

Initialize the LVM Configuration Files
vgscan

Initialize the LVM partitions as physical volumes.
pvcreate /dev/hda10 /dev/hda11

Create the volume group.
vgcreate vg1 /dev/hda10
Here, vg1 is the volume group name.

Create the logical volume.

lvcreate -L 50M -n lvm1 vg1
Here, lvm1 is the logical volume name.

Make a filesystem.

mkfs /dev/vg1/lvm1
Mount the newly created logical volume on a directory, say /lvmone:
mount /dev/vg1/lvm1 /lvmone

Check the volume size.

lvdisplay /dev/vg1/lvm1


If you want to resize it, first unmount the partition and run:
e2fsadm -L+25M /dev/vg1/lvm1

Check the volume size once again. If you want to reduce the partition size, run:
e2fsadm -L-20M /dev/vg1/lvm1

Run the following command to see the volume group size and the space left on it:
vgdisplay

To extend the volume group size:

vgextend vg1 /dev/hda11

Run 'vgdisplay' once again to check the volume group size, allocated space and free space.

posted by Gautam at 2:09 AM

Some important commands regarding user and group

Tuesday, November 17, 2009
To change the owner of a file:
chown user_name file_name
Example: you want to make gautam the owner of beragautam.tx
chown gautam beragautam.tx

To change the owner and group of a file:
chown user_name.group_name file_name

You can also use this command as follows:
chown user_name:group_name file_name
(Please note, you can use either ":" or ".")

If you want a file to be used by a group, use the following command:
chgrp special beragautam.tx
Here the group name is special and the file name is beragautam.tx.

What is a group?
A group is used to represent users who have similar characteristics, perform similar tasks and enjoy similar permissions and environment in a network. Now think about the following situation. You have a group of users who need the same kind of access to a file, beragautam.tx. What will you do? Very simple:

Create a group.

Issue the command that assigns the file to the group.

Give the group file access permission (for example, all permissions to the owner and read and execute permissions to the group).

Make the users members of the group.

Do these tasks as shown below.
groupadd newgroup
chgrp newgroup beragautam.tx
chmod 750 beragautam.tx

And then add the users to this group.

vi /etc/group
At the bottom of the file find the entry for newgroup and add the user names. It will look like:
newgroup:x:600:beragautam,gautam

Here, beragautam and gautam are members of the newly created group, 'newgroup'. Note that the usernames are comma (,) separated. However, instead of editing the /etc/group file directly, we can use commands to add or remove users from a group.

If we want to add members (in our example, the name of the group is acct and the members are red and green), we can use the following command (note that -M sets the whole member list of the group):
gpasswd -M red,green acct

If we want to add user 'blue' to the 'acct' group we can use the following command:
gpasswd -a blue acct

To remove user red from the acct group, we can use the following command:
gpasswd -d red acct

posted by Gautam at 1:30 AM

DHCP SERVER

Thursday, September 17, 2009
In a TCP/IP network, each host needs a unique IP address within its network address. Clients may also require other information to access different services and resources, and in a large network supplying all of this by hand increases the administrator's overhead. A DHCP server automates this: it provides clients with an IP address along with some host-specific configuration parameters. A DHCP server can be used for dynamic allocation, or it can be used just as a bearer.
In Red Hat Linux, the main configuration file is /etc/dhcpd.conf.

Lease information is stored in the /var/lib/dhcp/dhcpd.leases file.
By default, the /etc/dhcpd.conf file does not exist on your system, but you can copy a
sample file, /usr/share/doc/dhcp-3.0.1/dhcpd.conf.sample, to /etc/dhcpd.conf.

Some options and their syntax in the /etc/dhcpd.conf file:

default-lease-time 720;
max-lease-time 86400;
(Values are in seconds.)
subnet 192.168.100.0 netmask 255.255.255.0 {
range 192.168.100.10 192.168.100.50;
range 192.168.100.101 192.168.100.150;
}
(Specifies the subnet address with its mask, followed by the address ranges to hand out. Here, addresses
from 192.168.100.51 to 192.168.100.100 will never be allocated dynamically to any system.)

host comp1 {
hardware ethernet 00:04:5A:4F:8E:4B;
fixed-address 192.168.100.60;
}
(You are supplying the IP address 192.168.100.60 to comp1, whose NIC MAC address is
00:04:5A:4F:8E:4B. Note that the keyword is fixed-address, with a hyphen.)

option routers 192.168.100.1;
(Gateway address)

option domain-name-servers 192.168.100.2,192.168.100.3;
(IP addresses of your primary and secondary DNS servers)

option time-servers 192.168.100.2;
(Clients synchronize their time from this time server)
option netbios-name-servers 192.168.100.4;
(Microsoft WINS server)

Check out the following example of a /etc/dhcpd.conf file for your perusal (shown in the original post as a screenshot):

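The fragments above assembled into one /etc/dhcpd.conf and checked by a small Python script. This is an added example, not from the original post; the configuration text is constructed from the options shown above (using the dhcpd keywords hardware ethernet and fixed-address), and the script flags a fixed-address host that falls inside a dynamic range and lists the addresses no pool or host covers, such as the 192.168.100.51 to 192.168.100.100 gap mentioned above.

```python
import ipaddress
import re

# Constructed from the fragments in the post above (not a file from the author's system).
SAMPLE_DHCPD_CONF = """
default-lease-time 720;
max-lease-time 86400;
option routers 192.168.100.1;
option domain-name-servers 192.168.100.2,192.168.100.3;
subnet 192.168.100.0 netmask 255.255.255.0 {
    range 192.168.100.10 192.168.100.50;
    range 192.168.100.101 192.168.100.150;
}
host comp1 {
    hardware ethernet 00:04:5A:4F:8E:4B;
    fixed-address 192.168.100.60;
}
"""

RANGE_RE = re.compile(r"range\s+(\S+)\s+(\S+)\s*;")
FIXED_RE = re.compile(r"host\s+(\S+)\s*\{[^}]*?fixed-address\s+(\S+)\s*;", re.S)
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)")

def parse_ranges(conf):
    """Return the dynamic pools as (first, last) IPv4Address pairs."""
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in RANGE_RE.findall(conf)]

def parse_fixed_hosts(conf):
    """Return {hostname: IPv4Address} for every host block carrying a fixed-address."""
    return {name: ipaddress.ip_address(addr) for name, addr in FIXED_RE.findall(conf)}

def fixed_hosts_inside_pools(conf):
    """Hosts whose fixed address could also be handed out dynamically (a misconfiguration)."""
    pools = parse_ranges(conf)
    return sorted(name for name, ip in parse_fixed_hosts(conf).items()
                  if any(lo <= ip <= hi for lo, hi in pools))

def never_allocated(conf):
    """Usable addresses of the subnet that neither a range nor a fixed-address covers."""
    net_addr, mask = SUBNET_RE.search(conf).groups()
    net = ipaddress.ip_network(f"{net_addr}/{mask}")
    pools = parse_ranges(conf)
    fixed = set(parse_fixed_hosts(conf).values())
    return [ip for ip in net.hosts()
            if ip not in fixed and not any(lo <= ip <= hi for lo, hi in pools)]
```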
To start the DHCP server:

/etc/init.d/dhcpd start or
service dhcpd start

To start the service automatically at boot time:
chkconfig dhcpd on

posted by Gautam at 12:02 AM

TCP WRAPPERS

Thursday, July 9, 2009
To provide a better degree of access control, some services like sshd, portmap and xinetd are compiled against the libwrap.a library. These are called "TCP-wrapped" services.
Now we are going to implement access control on TCP-wrapped services. We will modify the /etc/hosts.deny file here as follows; see the highlighted section in the screenshot below.


Here, in the highlighted section:
• The 1st line says "ssh connections from any system will be disallowed".
• The 2nd line says "only the computer with IP address 172.16.1.38 will be allowed to establish an ssh session; others will be disallowed".
• The 3rd line says "ssh connections from any system will be disallowed, but the system will allow 172.16.1.38 and 172.16.1.178 to establish an ssh session".
• The 4th line says "computers from the 172.16.0.0/255.255.248.0 network will be allowed to establish an ssh session; others will be disallowed".
• The 5th line says "computers from the 172.16.0.0/255.255.248.0 network, except 172.16.1.38, will be allowed, and other systems will be disallowed from establishing an ssh session".
• The 6th line defines the same rule as the 5th line, but for both the telnet and ssh services.
• The last line says "all TCP-wrapped services can only be accessed from the
abc.com domain".

In the screenshot, only the last line is active, as it is the only one not commented out with #.
Note that you do not need to start or restart any service to control TCP-wrapped services with TCP wrappers; all you have to do is modify the /etc/hosts.deny file.
There is another important file, /etc/hosts.allow, as far as TCP wrappers are concerned. The system checks /etc/hosts.allow first, and a client that matches there is granted access to the service. Only then does the system go through /etc/hosts.deny and act accordingly; a client that matches neither file is allowed.
Let us assume we have a requirement where only the ssh service should be accessible, and only from 172.16.1.38, while all other TCP-wrapped services are blocked for every user.
The easiest solution is to add the following line to /etc/hosts.deny:
ALL: ALL
and to add the following line to /etc/hosts.allow (the name to use is the daemon's process name, sshd, not ssh):
sshd: 172.16.1.38
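The hosts.allow/hosts.deny evaluation order described above, as an added Python model that is not part of the original post: it applies first-match in hosts.allow, then in hosts.deny, supports ALL, single addresses, net/mask pairs and .domain suffixes, and the right-nesting EXCEPT used by the 3rd, 5th and last lines of the screenshot. The daemon name is the process name (sshd), and the default rule sets are constructed from the requirement above.

```python
import ipaddress

# Constructed rule sets for the requirement in the post: sshd only from 172.16.1.38,
# every other tcp-wrapped service refused to everyone.
HOSTS_ALLOW = ["sshd: 172.16.1.38"]
HOSTS_DENY = ["ALL: ALL"]

def _client_matches(pattern, client):
    """One client pattern: ALL, an address, a net/mask pair, or a .domain suffix."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # .abc.com matches host names in that domain
        return client.endswith(pattern)
    if "/" in pattern:                   # 172.16.0.0/255.255.248.0 style network
        try:
            return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:               # client is a host name, not an address
            return False
    return client == pattern

def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon

def _list_matches(spec, value, match_one):
    """'a b EXCEPT c EXCEPT d' nests to the right, as in tcp_wrappers: (a or b) minus (c minus d)."""
    head, _, tail = spec.partition(" EXCEPT ")
    hit = any(match_one(p, value) for p in head.split())
    if hit and tail:
        return not _list_matches(tail, value, match_one)
    return hit

def _rule_matches(rule, daemon, client):
    daemons, _, clients = rule.partition(":")
    return (_list_matches(daemons.strip(), daemon, _daemon_matches)
            and _list_matches(clients.strip(), client, _client_matches))

def access_granted(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Order used by tcp_wrappers: a hosts.allow match grants, otherwise a hosts.deny
    match refuses, otherwise access is granted."""
    if any(_rule_matches(r, daemon, client) for r in allow):
        return True
    if any(_rule_matches(r, daemon, client) for r in deny):
        return False
    return True
```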

posted by Gautam at 3:16 AM

Protecting the boot loader(grub.conf) with password

Friday, June 26, 2009
Protecting /boot/grub/grub.conf with an md5 password:

For troubleshooting purposes, administrators sometimes boot a Linux computer in single-user mode. We will learn how to boot a Linux system in single-user mode shortly.
If you boot a Linux computer in single-user mode the system never asks you to authenticate and treats you as the root user. This is really helpful if you forgot the root user's password, the root password has expired, you want to recover the GRUB boot loader in a dual-boot system, and so on.
But there is a security risk as well. For example, anyone at the console can change the root user's password after booting the computer in single-user mode.
To prevent an unauthorized user from starting the Linux computer in single-user mode, it is recommended to set an md5 password on GRUB. The md5 password can be set during installation of the Linux computer, and it is also possible to set it on GRUB after installation.
Here, I will show you how to set an md5 password on GRUB after installation.
Run grub-md5-crypt.
The system will ask you to enter the password. Supply it.
The system will return a string on your monitor like this:
$1$Hk/zc0$k3vGSgE0kYxqMKzF6Qi3g/
Note down the string very carefully.
Now open the /boot/grub/grub.conf file in the vi editor.
Just below the splashimage=(hd0,1)/grub/splash.xpm.gz line in the file, place the following line:
password --md5 $1$Hk/zc0$k3vGSgE0kYxqMKzF6Qi3g/

After the modification, /boot/grub/grub.conf will look like this:
# grub.conf generated by anaconda
#
#boot=/dev/hda
default=0
timeout=20
splashimage=(hd0,1)/grub/splash.xpm.gz
password --md5 $1$Hk/zc0$k3vGSgE0kYxqMKzF6Qi3g/
title DOS
rootnoverify (hd0,0)
chainloader +1
title Red Hat Linux (2.4.18-14)
root (hd0,1)
kernel /vmlinuz-2.4.18-14 ro root=LABEL=/
initrd /initrd-2.4.18-14.img
# end of file
However, I never do the task the same way I described above. Rather, I append the output of grub-md5-crypt to /etc/grub.conf by executing the following command:
grub-md5-crypt >> /etc/grub.conf
Then I delete the unnecessary lines in the grub.conf file and cut the string and paste it in the right place.
At this point, if you reboot the computer and try to start it in single-user mode, you need to supply the GRUB password; by default the system will boot according to the configuration in the /etc/inittab file.

posted by Gautam at 1:04 AM

Remote Administration: Telnet, SSH and SCP

Wednesday, June 24, 2009
Remote Administration: Telnet, SSH and SCP
Telnet
Telnet is basically a virtual terminal program that helps you configure a system remotely. In a production environment telnet is rarely used, as it transfers keystrokes in clear text. To enable telnet, all you have to do is run the following two commands:
chkconfig telnet on
service xinetd restart
By default, telnet to a remote system as the root user is disabled. You have to log into the telnet server as a non-privileged user; then you can change your identity to root using the following command:
su - root

SSH

Unlike telnet, ssh is considered a secure shell service. Ssh runs on a public/private key infrastructure using RSA or DSA keys.
It is very easy to start ssh: execute the service sshd restart command.
By default any user can establish an ssh session. However, this can be controlled by modifying the /etc/ssh/sshd_config file. See the following screenshot. Here I have denied atanu and allowed all other users to establish an ssh session.
We can also allow or deny one or more groups using the AllowGroups or DenyGroups directive, like AllowGroups acct mrkt.
The modification only takes effect when you restart the ssh server.
Check the last two lines in the screenshot on the page:


In my network, I always use ssh to configure remote servers. Generally I configure my Linux laptop as an ssh client. I have a RHEL 4 system and I use this particular computer to administer my proxy server, which is running on 172.16.1.12. See what I usually do. On my laptop I execute the following command to create the key:
ssh-keygen -t dsa
You can also use rsa here. See the following screenshot:


Check the output in the screenshot carefully. In the 3rd line, it says the key will be saved in the /root/.ssh directory. If the .ssh directory does not exist in /root, the ssh-keygen command will create it; check the 4th line. After creating the /root/.ssh directory, the system will ask you to supply the passphrase. I enter an empty passphrase, meaning just press enter twice. My identification is now saved in the /root/.ssh/id_dsa file and the public key is id_dsa.pub.
It is time to copy id_dsa.pub to the /root/.ssh/ directory on my proxy server, where the name of the file will be authorized_keys. I will be using the following command, assuming that on my proxy server, running on 172.16.1.12, the /root/.ssh directory exists.
scp -rp /root/.ssh/id_dsa.pub root@172.16.1.12:/root/.ssh/authorized_keys
See the output in the following screenshot. After executing the above command the system will ask for your confirmation; type yes and press enter, supply root's password for 172.16.1.12 and the file will be copied securely.

scp will be discussed shortly.
Now, from your client computer, if you execute ssh 172.16.1.12 the system will never ask you to supply the password!!


SCP

Using scp, you can copy files from or to a remote Linux system. In the ssh section above, see how we used scp to copy id_dsa.pub. To refer to a remote system we use user@machine_name_or_ip_address:/any/directory, and the source can also be a remote system.
While working with Windows systems, I use WinSCP to communicate with Linux systems. The winscp382setup.exe is freely available for download from sourceforge.net.
Please note that when you establish an ssh or scp session with a computer for the first time, the remote system's host key information is added to the /root/.ssh/known_hosts text file. If the remote system is re-installed you will fail to establish an ssh or scp session until you remove that system's entry from the /root/.ssh/known_hosts file.

posted by Gautam at 3:58 AM

PLUGGABLE AUTHENTICATION MODULE (PAM)

Tuesday, June 23, 2009
If you want to disallow console logins to all but root:
Open the /etc/security/access.conf file in any editor.
Copy the following line and paste it on the next line:
# -:ALL EXCEPT wheel shutdown sync:LOCAL
Modify the line as follows:
-:ALL EXCEPT root sync:LOCAL
Edit the /etc/pam.d/system-auth file and add the following line:
account required /lib/security/pam_access.so
The above disallows local console logins only. Users will still be able to log in to your server from a remote system using telnet or ssh.
To disallow local as well as virtual terminal logins:
Edit the /etc/pam.d/system-auth file and add the following line (it is a single line):
account required /lib/security/pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/validusers
Now create the /etc/security/validusers file and add the users' names there, one per line, like:
root
user1

The above configuration will allow only root and user1 to log into your system's terminals. If you replace sense=allow with sense=deny in the directive in
/etc/pam.d/system-auth, it will disallow root and user1 instead.
If you want to disallow a user from logging in from any terminal except one particular tty (tty3 in this example):
Open the /etc/security/access.conf file in any editor.
Copy the following line and paste it on the next line:
# -:ALL EXCEPT wheel shutdown sync:LOCAL
Modify the line as follows:
-:red:ALL EXCEPT tty3
Edit the /etc/pam.d/system-auth file and add the following line:
account required /lib/security/pam_access.so
Login Time Restriction
Open /etc/security/time.conf in any editor.
Add the following lines there:
login;*;red;MoTuWeThFr0000-2400
login;*;green;Mo1000-2400|TuWeThFr0000-2400|Sa0000-1400
Edit the /etc/pam.d/system-auth file and add the following line:
account required /lib/security/pam_time.so
Here, user red will be allowed to log in at any time from Monday to Friday, and
user green will be allowed to log in from Monday 10:00 through the end of Friday, and on Saturday until 14:00.
We refer to a day by its first two characters. For example, to refer to Sunday we use Su only.
We can use ! to reverse a rule. Check the following line:
login;*;red;!MoTuWeThFr0000-2400
Here, user red will be disallowed from logging in from Monday to Friday.
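An added Python model of the time.conf rules above (not from the original post): it parses the service;tty;users;times lines, the two-letter day codes, HHMM-HHMM ranges, | alternatives and ! negation, and answers whether pam_time would admit a user at a given day and time. It assumes that every rule naming the user must permit the moment; the rule text is constructed from the lines above.

```python
import re

# Constructed /etc/security/time.conf content, copied from the rules in the post.
TIME_CONF = """
login;*;red;MoTuWeThFr0000-2400
login;*;green;Mo1000-2400|TuWeThFr0000-2400|Sa0000-1400
"""

# One time atom: optional '!', a run of day codes, then HHMM-HHMM.
ATOM_RE = re.compile(r"^(!?)((?:Mo|Tu|We|Th|Fr|Sa|Su|Al)+)(\d{4})-(\d{4})$")

def _to_minutes(hhmm):
    return int(hhmm[:2]) * 60 + int(hhmm[2:])   # "2400" becomes 1440, the end of the day

def _atom_matches(atom, day, minutes):
    """Evaluate one atom such as 'TuWeThFr0000-2400' or '!Mo1000-2400'."""
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"unsupported time atom: {atom}")
    negate, days, start, end = m.groups()
    day_codes = re.findall(r"[A-Z][a-z]", days)
    in_days = day in day_codes or "Al" in day_codes
    matched = in_days and _to_minutes(start) <= minutes < _to_minutes(end)
    return matched != bool(negate)           # a leading '!' inverts the atom

def login_allowed(user, day, hhmm, conf=TIME_CONF):
    """Check every time.conf rule for service 'login' whose users field names the
    user (service;ttys;users;times). Assumption: each matching rule must permit the
    moment. Users with no matching rule are not restricted by pam_time."""
    minutes = _to_minutes(hhmm)
    for line in conf.strip().splitlines():
        service, _ttys, users, times = line.split(";")
        if service != "login" or user not in users.split("|"):
            continue
        if not any(_atom_matches(a, day, minutes) for a in times.split("|")):
            return False
    return True
```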

posted by Gautam at 3:57 AM