Some important commands regarding user and group

Tuesday, November 17, 2009
To change the owner of a file:
chown user_name file_name
Example: you want to make gautam the owner of beragautam.tx:
chown gautam beragautam.tx

To change the owner and group of a file at the same time:
chown user_name.group_name file_name

You can also write this command as follows:
chown user_name:group_name file_name
(Please note, you can use either ":" or ".")

If you want to assign a file to a group so that the group's members can use it, use the following command:
chgrp special beragautam.tx
Here the group name is special and the file name is beragautam.tx.

What is a group?
A group represents users who share similar characteristics, perform similar tasks and enjoy similar permissions and environment in a network. Now think about the following situation.
You have a group of users who need the same kind of access to a file, beragautam.tx. What will you do? Very simple:

Create a group.

Issue the command that assigns the file to the group.

Give the group the file access permission it needs. (Example: all permissions to the owner, and read and
execute permissions to the group.)

Make the users members of the group.

Do these tasks as shown below.
groupadd newgroup
chgrp newgroup beragautam.tx
chmod 750 beragautam.tx

And then add the users to this group.

vi /etc/group
At the bottom of the file find the entry for newgroup and append the user names. It
will look like this:
newgroup:x:600:beragautam,gautam

Here, beragautam and gautam are members of the newly created group, 'newgroup'. Note
that the user names are given as a comma-separated list. However,
instead of editing the /etc/group file directly, we can use commands to add or remove
users from a group.

If we want to set the members of a group (in our example, the name of the group is acct and the
members are red and green), we can use the following command:
gpasswd -M red,green acct

If we want to add user 'blue' to the 'acct' group, we can use the following command:
gpasswd -a blue acct

To remove user red from the acct group, we can use the following command:
gpasswd -d red acct
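As an added example (not part of the original post), a small POSIX shell helper that reads a constructed /etc/group snapshot and works out which permission class (owner, group or other) a user falls into for a file owned by gautam:newgroup with mode 750; the snapshot, file and user names are constructed here. It only looks at supplementary membership from the group file, not at a user's primary group in /etc/passwd.

```shell
#!/bin/sh
# Constructed /etc/group snapshot for the demonstration; not a real system file.
GROUP_SNAPSHOT=$(mktemp)
cat > "$GROUP_SNAPSHOT" <<'EOF'
root:x:0:
special:x:501:
newgroup:x:600:beragautam,gautam
acct:x:601:red,green,blue
EOF

# Print the comma-separated member list (4th field) of a group; fail if the group is absent.
group_members() { # file group
  awk -F: -v g="$2" '$1 == g { print $4; found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Succeed when the user appears in the group's member list. Only supplementary
# membership from the group file is checked, not the primary group in /etc/passwd.
user_in_group() { # file user group
  group_members "$1" "$3" | tr ',' '\n' | grep -qx "$2"
}

# Succeed when the group digit of a three-digit octal mode (e.g. 750) grants read+execute.
group_has_rx() { # mode
  g=$(printf '%s' "$1" | cut -c2)
  [ $(( g & 5 )) -eq 5 ]
}

# Print which permission class applies to a user for a file owned by owner:group.
# The kernel chooses the same way: owner first, then group membership, else "other".
access_class() { # groupfile owner group user
  if [ "$4" = "$2" ]; then echo owner
  elif user_in_group "$1" "$4" "$3"; then echo group
  else echo other
  fi
}
```

Note that gpasswd -M replaces the whole member list of the group, while -a and -d change one member at a time.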

posted by Gautam at 1:30 AM

DHCP SERVER

Thursday, September 17, 2009
In a TCP/IP network, each host must have a unique IP address that belongs to the network address. Clients may also need other information to access various services and resources. In a large network this adds overhead for the administrator. A DHCP server automates this: it provides clients with an IP address along with some host-specific configuration parameters. A DHCP server can be used for dynamic allocation, or it can be used just as a bearer.
In RedHat Linux, the main configuration file is /etc/dhcpd.conf.

DHCP lease information is stored in the /var/lib/dhcp/dhcpd.leases file.
By default, the /etc/dhcpd.conf file does not exist on your system, but you can copy a
sample file, /usr/share/doc/dhcp-3.0.1/dhcpd.conf.sample, to /etc/dhcpd.conf.

Some options and their syntax in the /etc/dhcpd.conf file:

default-lease-time 720;
max-lease-time 86400;
(Values are in seconds)
subnet 192.168.100.0 netmask 255.255.255.0 {
range 192.168.100.10 192.168.100.50;
range 192.168.100.101 192.168.100.150;
}
(Specifies the subnet address with its mask, followed by the address ranges to hand out. Here, addresses
from 192.168.100.51 to 192.168.100.100 will never be allocated to any system.)

host comp1 {
hardware ethernet 00:04:5A:4F:8E:4B;
fixed-address 192.168.100.60;
}
(You are supplying the IP address 192.168.100.60 to comp1, whose NIC MAC address is
00:04:5A:4F:8E:4B.)

option routers 192.168.100.1;
(Gateway address)

option domain-name-servers 192.168.100.2,192.168.100.3;
(IP addresses of your primary and secondary DNS servers)

option time-servers 192.168.100.2;
(Clients synchronize their time from this time server)
option netbios-name-servers 192.168.100.4;
(Microsoft WINS server)

Check out the following example of a /etc/dhcpd.conf file for your perusal:




To start the DHCP server:

/etc/init.d/dhcpd start or
service dhcpd start

To start the service automatically at boot time:
chkconfig dhcpd on
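Added example, not from the post: a POSIX shell check, using the subnet, pools and fixed address from the fragments above as constructed input, that reports whether a host's fixed-address lies inside the subnet and outside every dynamic pool. A fixed address that overlaps a pool can also be leased to some other client, which is why comp1 gets 192.168.100.60 in the gap the two ranges leave.

```shell
#!/bin/sh
# Constructed values copied from the dhcpd.conf fragments above.
SUBNET=192.168.100.0
NETMASK=255.255.255.0
POOLS="192.168.100.10-192.168.100.50 192.168.100.101-192.168.100.150"

# Convert a dotted quad to an integer so addresses can be compared arithmetically.
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed when ip lies in the subnet given by network and mask.
in_subnet() { # ip network mask
  m=$(ip2int "$3")
  [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# Succeed when ip lies inside the inclusive range lo..hi.
in_range() { # ip lo hi
  i=$(ip2int "$1")
  [ "$i" -ge "$(ip2int "$2")" ] && [ "$i" -le "$(ip2int "$3")" ]
}

# Classify a fixed-address for a host entry. It must belong to the subnet and must
# stay out of every dynamic pool, otherwise dhcpd can lease the same address to a
# different client. Prints ok, outside-subnet or overlaps-pool.
check_fixed_address() { # ip
  if ! in_subnet "$1" "$SUBNET" "$NETMASK"; then echo outside-subnet; return 0; fi
  for pool in $POOLS; do
    lo=${pool%-*}; hi=${pool#*-}
    if in_range "$1" "$lo" "$hi"; then echo overlaps-pool; return 0; fi
  done
  echo ok
}
```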

posted by Gautam at 12:02 AM

TCP WRAPPERS

Thursday, July 9, 2009
To provide a better degree of access control, some services like sshd, portmap and xinetd are compiled against the libwrap.a library. These are called "TCP-wrapped" services.
Now we are going to implement access control on a TCP-wrapped service. We will modify the /etc/hosts.deny file here as follows; see the highlighted section in the screenshot below.


Here, in the highlighted section:
• The 1st line defines "ssh connections from any system will be disallowed".
• The 2nd line defines "only the computer with IP address 172.16.1.38 will be allowed to establish an ssh session; others will be disallowed".
• The 3rd line defines "ssh connections from any system will be disallowed, but the system will allow 172.16.1.38 and 172.16.1.178 to establish an ssh session".
• The 4th line defines "computers from the 172.16.0.0/255.255.248.0 network will be allowed to establish an ssh session; others will be disallowed".
• The 5th line defines "computers from the 172.16.0.0/255.255.248.0 network, except 172.16.1.38, will be allowed, and other systems will be disallowed to establish an ssh session".
• The 6th line defines "the same rule as in the 5th line, but here for both the telnet and ssh services".
• The last line defines "all TCP-wrapped services can only be accessed from the abc.com domain".

In the screenshot above only the last line is active, as it is the only one not commented out with #.
Note that you do not need to start or restart any service to control a TCP-wrapped service using tcp-wrappers. All you have to do is modify the /etc/hosts.deny file.
There is another important file, /etc/hosts.allow, as far as tcp-wrappers is concerned. The system checks the /etc/hosts.allow file first, and a client matched there gets access to the service. Then the system goes through the /etc/hosts.deny file and acts accordingly.
Let us assume we have a requirement where only the ssh service should be accessible, and only from 172.16.1.38, while the other "TCP-wrapped" services should be blocked for every user.
The easiest solution is to add the following line to the /etc/hosts.deny file:
ALL: ALL
and the following line to the /etc/hosts.allow file:
sshd: 172.16.1.38
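Added example, not code from the post: a POSIX shell model of the tcp_wrappers lookup order for the final scenario, with the hosts.allow and hosts.deny contents constructed in temporary files. It handles ALL, exact names or addresses, .domain suffixes and EXCEPT lists; the net/mask form used in the screenshot rules is not modelled. A pair matched by neither file is granted, which is why the ALL: ALL line in hosts.deny is what actually closes the other services.

```shell
#!/bin/sh
# Constructed hosts.allow / hosts.deny contents for the scenario above, kept in
# temporary files rather than touching the real /etc files.
HOSTS_ALLOW=$(mktemp); HOSTS_DENY=$(mktemp)
printf 'sshd: 172.16.1.38\n' > "$HOSTS_ALLOW"
printf 'ALL: ALL\n' > "$HOSTS_DENY"

# One client/daemon pattern: ALL, an exact name or address, or a ".domain" suffix.
pattern_matches() { # pattern item
  case $1 in
    ALL) return 0 ;;
    .*)  case $2 in *"$1") return 0 ;; esac ;;
    *)   [ "$1" = "$2" ] && return 0 ;;
  esac
  return 1
}

# A comma-separated list, optionally "list EXCEPT list" (EXCEPT may be nested).
list_matches() { # list item
  list=${1%% EXCEPT *}; except=""
  case $1 in *" EXCEPT "*) except=${1#* EXCEPT } ;; esac
  for p in $(printf '%s' "$list" | tr ',' ' '); do
    if pattern_matches "$p" "$2"; then
      [ -n "$except" ] && list_matches "$except" "$2" && return 1
      return 0
    fi
  done
  return 1
}

# Does any "daemons: clients" line in the file cover this daemon/client pair?
file_matches() { # file daemon client
  while IFS= read -r line; do
    case $line in ''|\#*) continue ;; esac
    daemons=${line%%:*}; clients=${line#*:}; clients=${clients# }
    list_matches "$daemons" "$2" && list_matches "$clients" "$3" && return 0
  done < "$1"
  return 1
}

# tcp_wrappers order: a hosts.allow match grants, then a hosts.deny match refuses,
# and a pair listed in neither file is granted.
decide() { # daemon client
  if file_matches "$HOSTS_ALLOW" "$1" "$2"; then echo allow
  elif file_matches "$HOSTS_DENY" "$1" "$2"; then echo deny
  else echo allow
  fi
}
```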

posted by Gautam at 3:16 AM

Configure secure imap – imaps

Thursday, June 18, 2009

First of all, check whether your mail server is running. If everything is fine, follow these steps:

1. Keep a backup copy of the dovecot.pem file:
cd /usr/share/ssl/certs
mv dovecot.pem org.dovecot.pem
cd ../private
mv dovecot.pem org.dovecot.pem
cd -

2. Create a new dovecot.pem file with your customized settings by executing make
dovecot.pem. See the screenshot below.


At this point your system will ask you to supply some information, such as the country name.
See what I have done in my case below:



Carefully note the Common Name section. Here you must supply the FQDN of your mail server.
At this point /usr/share/ssl/certs/dovecot.pem is created. If there is any problem, remove the dovecot.pem file and recreate it.

3. Copy the file to the /usr/share/ssl/private directory:
cp dovecot.pem ../private
4. Modify the /etc/dovecot.conf file as follows:
protocols = ipop3 pop3 imap imaps
5. Restart the servers:
service dovecot restart
service sendmail restart
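Added example, not from the post: a POSIX shell check that the Common Name in a dovecot.pem equals the mail server's FQDN and that the certificate is not about to expire, which is what step 2 depends on. The demo certificate is generated here with a constructed hostname (mail.example.com), not the server's real one, and the openssl command must be available.

```shell
#!/bin/sh
# Extract the CN from the first certificate in a PEM file (a combined key+certificate
# dovecot.pem is fine: openssl skips the key block). RFC2253 naming keeps the
# output parseable across OpenSSL versions.
cert_cn() { # pem
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed when the CN equals the expected FQDN and the certificate is still valid
# 86400 seconds (one day) from now; explain the failure on stderr otherwise.
check_dovecot_cert() { # pem fqdn
  cn=$(cert_cn "$1")
  [ "$cn" = "$2" ] || { echo "CN mismatch: got '$cn', want '$2'" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend 86400 >/dev/null ||
    { echo "certificate expires within a day" >&2; return 1; }
}

# Build a constructed self-signed key+certificate bundle for a hypothetical FQDN,
# stored as one file the way a combined dovecot.pem is.
make_demo_cert() { # out.pem fqdn
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/C=IN/CN=$2" \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null &&
    cat "$tmp/key.pem" "$tmp/cert.pem" > "$1" || { rm -rf "$tmp"; return 1; }
  rm -rf "$tmp"
}
```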

posted by Gautam at 11:13 PM

xinetd Access Control

Wednesday, June 17, 2009
When you have a system reachable from the Internet or from a remote location, you must consider applying some security to it. In RedHat, some services are run by the xinetd server; xinetd is considered a "super server" in the RedHat Linux environment.
Here I am going to show you how you can implement security on a service under xinetd on your system.
Below I have printed a sample /etc/xinetd.d/telnet file for our purpose:
# a sample /etc/xinetd.d/telnet file
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
only_from = 172.16.0.0/16
no_access = 172.16.1.2
per_source = 1
instances = 4
access_times = 13:00-17:00
}
# end of file
In the above sample file:
disable = no (enables the telnet service)
only_from = 172.16.0.0/16 and no_access = 172.16.1.2 (the telnet server will respond to clients from the 172.16.0.0/16 network only, except 172.16.1.2)
per_source = 1 (only one connection per source address will be allowed)
instances = 4 (the total number of connections allowed is 4)
access_times = 13:00-15:00 (connections will be allowed between 13 and 15 hrs)
However, whenever you modify the /etc/xinetd.d/telnet file, never forget to restart the xinetd service. Run: service xinetd restart
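Added example, not from the post: a POSIX shell model of how the attributes above combine for one client, reading a constructed copy of the stanza. It tests the exact no_access address before the /16 only_from network, which is what xinetd's closest-match rule yields for this stanza, and checks only the hour against the access_times window.

```shell
#!/bin/sh
# Constructed copy of the access attributes from the /etc/xinetd.d/telnet sample above.
STANZA=$(mktemp)
cat > "$STANZA" <<'EOF'
service telnet
{
    disable      = no
    only_from    = 172.16.0.0/16
    no_access    = 172.16.1.2
    per_source   = 1
    instances    = 4
    access_times = 13:00-17:00
}
EOF

# Read one "key = value" attribute from the stanza (first occurrence).
xattr() { # file key
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Dotted quad to integer, for masking.
ip2int() { old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

# Succeed when ip matches any entry in a space-separated list of addresses or a.b.c.d/N networks.
in_list() { # ip list
  for e in $2; do
    case $e in
      */*) bits=${e#*/}; mask=$(( 4294967295 << (32 - bits) & 4294967295 ))
           [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${e%/*}") & mask )) ] && return 0 ;;
      *)   [ "$e" = "$1" ] && return 0 ;;
    esac
  done
  return 1
}

# Decide for one client address at a given hour (0-23). Simplification: the exact
# no_access address is tested before the only_from network, which is what xinetd's
# closest-match rule gives for this stanza.
telnet_decision() { # ip hour
  [ "$(xattr "$STANZA" disable)" = no ] || { echo "deny (disabled)"; return 0; }
  in_list "$1" "$(xattr "$STANZA" no_access)" && { echo "deny (no_access)"; return 0; }
  in_list "$1" "$(xattr "$STANZA" only_from)" || { echo "deny (not in only_from)"; return 0; }
  win=$(xattr "$STANZA" access_times); start=${win%%:*}; end=${win#*-}; end=${end%%:*}
  [ "$2" -ge "$start" ] && [ "$2" -lt "$end" ] || { echo "deny (outside access_times)"; return 0; }
  echo allow
}
```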

posted by Gautam at 8:38 PM

Squid Proxy Server

Sunday, June 14, 2009
Basic Configuration
The main configuration file for the squid proxy server is /etc/squid/squid.conf.

The Squid proxy server depends on a DNS server. Please note that while configuring
the proxy client, all you need to do is specify the proxy server's address and the
port number the proxy server listens on in the browser settings. There is no need
to define the DNS or router's address in the TCP/IP properties of the client machine.

So, check the /etc/resolv.conf file to see whether you have already put a
'nameserver' entry there or not. The Squid proxy server listens on port 3128 by default,
and by default it rejects all requests. If you want to allow users from your
network only to get service from the squid proxy server, modify the
/etc/squid/squid.conf file as follows. Here we are assuming our network address
is 192.168.0.0/24.

First of all, find the visible_hostname directive in the squid.conf file. By
default it is set to none. Just below the line # none, place an entry like this:

visible_hostname hostname or FQDN

Now find the 'acl all' directive in the file. You will find a line like the following:
acl all src 0.0.0.0/0.0.0.0

The above directive defines every host in every network under the access control
list name "all"; the src keyword means the "source" address. If you move downwards,
you will find a line like this:
http_access deny all

Using the two lines, acl all src 0.0.0.0/0.0.0.0 and http_access deny all, the
squid proxy server disallows all clients from accessing the proxy service. If you
replace deny with allow in the http_access deny all line, it will allow all clients
to access the service. However, our task here is to allow our network only. So
put a line that defines your network under an acl name and allow it using the
http_access directive, while keeping the default setting. You can write a directive
like this just after the acl all src 0.0.0.0/0.0.0.0 line:
acl ourlan src 192.168.0.0/255.255.255.0

Also put a line just before the http_access deny all directive, like the following:
http_access allow ourlan

While deciding on a client, the Squid proxy server goes through the http_access rules one after
another, top to bottom. The first rule that matches the current request decides
whether the client will be allowed or denied.

To start/stop/restart the squid service you can execute the following commands
respectively:

service squid start
service squid stop
service squid restart

The chkconfig squid on command will make squid start automatically at boot time.


User authenticated access to Squid Proxy

Users can be authenticated from the local system (the squid proxy server) through
ncsa authentication, or from an LDAP server such as Novell's NDS or eDirectory, or Microsoft's
Active Directory.

Here is the ncsa authentication implementation.

1. First of all, create a password file for the users and make it readable by all.

touch /etc/squid/squid_passwd
chmod o+r /etc/squid/squid_passwd

2. Create users and passwords for the users:

htpasswd /etc/squid/squid_passwd user_1
htpasswd /etc/squid/squid_passwd user_2
htpasswd /etc/squid/squid_passwd user_n

3. Modify /etc/squid/squid.conf to use the ncsa_auth program.
Open /etc/squid/squid.conf in the vi editor, find the auth_param directives, and add the
following line just below the last auth_param directive:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

Move to the acl section of the /etc/squid/squid.conf file (you can find the acl all directive
by typing /acl all and pressing Enter). Add the following line:

acl ncsa_users proxy_auth REQUIRED

Scroll down to the http_access deny all directive and insert a line above it as follows:

http_access allow ncsa_users

4. Restart your Squid proxy server:

service squid restart

Web site restriction through Squid Proxy

Open /etc/squid/squid.conf in the vi editor, move to the acl ncsa_users proxy_auth REQUIRED
line and add a line after it as follows:

acl blockdomain dstdomain "/etc/squid/blocked-domain-list"

Scroll down to http_access allow ncsa_users
and put a line above it like this:

http_access deny blockdomain

After modification, it will look like this:
...
http_access deny blockdomain
http_access allow ncsa_users
http_access deny all

Now create a file in /etc/squid named blocked-domain-list.

Define the names of the web sites you want to block as follows:
.xxx.com
.yyy.com

Please note, you can only define one domain name per line.

Restart your Squid proxy server:

service squid restart
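Added example, not from the post: a POSIX shell model of the http_access order shown above, with the blocked-domain-list constructed in a temporary file. It implements dstdomain's leading-dot rule (.xxx.com matches xxx.com and every host under it) and first-match evaluation, and also evaluates a wrongly ordered copy of the rules to show that an authenticated user would then reach a blocked domain.

```shell
#!/bin/sh
# Constructed blocked-domain-list in the one-entry-per-line format described above.
BLOCKLIST=$(mktemp)
printf '.xxx.com\n.yyy.com\n' > "$BLOCKLIST"

# Rule lists in http_access form ("action acl"), one rule per line.
RULES_PAGE="deny blockdomain
allow ncsa_users
deny all"
# The same rules with the first two swapped: a common ordering mistake.
RULES_SWAPPED="allow ncsa_users
deny blockdomain
deny all"

# Squid dstdomain semantics: ".xxx.com" matches xxx.com and every host under it;
# a bare "xxx.com" matches only that exact name. Matching is case-insensitive.
domain_blocked() { # listfile host
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    case $entry in
      .*) [ "$host" = "${entry#.}" ] && return 0
          case $host in *"$entry") return 0 ;; esac ;;
      *)  [ "$host" = "$entry" ] && return 0 ;;
    esac
  done < "$1"
  return 1
}

# Evaluate one acl for a request: the destination host and whether the client sent
# valid proxy credentials (yes/no). ncsa_users is a proxy_auth acl, so it matches
# only authenticated requests.
acl_matches() { # acl host authenticated
  case $1 in
    all)         return 0 ;;
    blockdomain) domain_blocked "$BLOCKLIST" "$2" ;;
    ncsa_users)  [ "$3" = yes ] ;;
    *)           return 1 ;;
  esac
}

# First-match evaluation, top to bottom, the way squid walks its http_access lines.
http_access_decision() { # rules host authenticated
  while read -r action acl; do
    if acl_matches "$acl" "$2" "$3"; then echo "$action ($acl)"; return 0; fi
  done <<EOF
$1
EOF
  echo "no-match"
}
```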

There are several ways of using a block list with squid. One of them is the Malware
Block List. Let us check how to use this list.

Now it is time to check the activities of the squid proxy server. By default squid
writes its logs in the /var/log/squid directory. The access.log file reports
information about website access through your proxy server, while cache.log and
store.log keep information about the cache. Commands are available
to pipe out this information. However, there are many utilities available on the
Internet that show you the information in an easily readable format.

In production environments I use SARG, the Squid Analysis Report Generator.
SARG helps you to analyse squid log information in a browser, where you can
categorize the information. On top of that, it is free.

First of all, download the software. I have downloaded it, sarg-2.2.2.tar.gz, from
http://sarg.sourceforge.net/sarg.php.

Go to the directory where you have downloaded the software and extract it using
the following command:
tar xzvf sarg-2.2.2.tar.gz

The command will extract the files into the sarg-2.2.2 directory. Change your working
directory there by executing cd sarg-2.2.2, then run:
./configure --enable-htmldir=/var/www/html/report
It is time to compile and install the software. Execute the following command:
make && make install

By default the sarg binary is installed in /usr/bin, while the sarg configuration file
is saved in the /usr/local/sarg directory. The name of the configuration file is
sarg.conf.

Now you have to modify /usr/local/sarg/sarg.conf so that it finds the
access.log file generated by squid and generates a report by creating the necessary
files in a directory.

In my case, I define the minimum parameters as follows:
access_log /var/log/squid/access.log
output_dir /var/www/html/squid/squid-reports

You will find the access_log and output_dir parameters in the sarg.conf file. Remove
the # and make the necessary changes. In my case the squid directory is created in the
/var/www/html directory. You do not need to create the squid-reports directory; the
sarg software will create it. You have to make sure that squid has
enough permission to create files in the /var/www/html/squid directory.

Now generate the report using the following command:

sarg -f /usr/local/sarg/sarg.conf

Now configure Apache so that you can access this report from your browser. What I usually do
is put the following Alias and Directory directives in my /etc/httpd/conf/httpd.conf file:

Alias /report "/var/www/html/squid/squid-reports/"
<Directory "/var/www/html/squid/squid-reports/">
Options Indexes Includes
</Directory>


Restart your Apache web server. From your web browser, see the fascinating
report using http://squid_server's_ip_address/report

Here I am putting some screenshots:







The thing is that whenever you run sarg -f /usr/local/sarg/sarg.conf, a sarg report
is created. We can submit a cron job so that the system executes it
automatically. In my network, I put the following line in the crontab after executing crontab -e:

0 * * * * /usr/bin/sarg -f /usr/local/sarg/sarg.conf


Setting customized message

Create an HTML file with your customized message and save it in the /etc/squid/error
directory.

Now put the following directives in /etc/squid/squid.conf:

acl blacklist dstdomain "/var/lib/squidguard/BL/blacklist"
http_access deny blacklist
deny_info blocked.htm blacklist

Restart the squid proxy server and try to access any restricted site, as listed in
/var/lib/squidguard/BL/blacklist, from your workstation.

See the result in my case:

posted by Gautam at 9:08 PM

NFS FILE SERVER

Saturday, May 23, 2009
By default, RedHat Linux has built-in kernel support for NFS.
The filesystems to share are defined in the /etc/exports file.
In our lab session, we will configure our web server so that users can access their respective home directories and have read-only access to the /all directory. Remember that whatever share permission we specify in the /etc/exports file, the most restrictive setting will take effect. The IP address of our NFS server is 192.168.100.2.
First of all, edit the /etc/exports file by inserting the following lines:
/all *(ro)
/home *(rw)
Export the shares using the following command:
exportfs -a -v
Restart the services:
service nfs restart
service nfslock restart

Check which directories are shared over NFS:
exportfs
Go to any client computer and make a directory using the mkdir command, say /all:
mkdir /all
Assign the necessary permissions; here we will set: chmod 705 -R /all
Mount the NFS shared directory on your client computer:
mount 192.168.100.2:/all /all
At this point, users of your client computer can access the /all directory on your NFS server.
Yes, it is read-only access.
Now you have to configure your network in such a way that whenever a user logs in to any computer, he or she gets the same file system and hierarchy in his/her home directory.
In fact, whenever a user saves files to his/her home directory, they will be saved on the NFS server.
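Added example, not from the post: a POSIX shell audit of an /etc/exports file (a constructed copy of the two lines above plus two extra entries) that flags exports open to every host, writable by every host, or letting a remote root keep root privileges.

```shell
#!/bin/sh
# Constructed /etc/exports: the two lines from the post plus two extra entries.
EXPORTS=$(mktemp)
cat > "$EXPORTS" <<'EOF'
/all *(ro)
/home *(rw)
/data 192.168.100.0/24(rw,no_root_squash)
/tmp 192.168.100.5(rw,sync)
EOF

# Print one finding per risky export. A client field of "*" (or none) admits any host
# that can reach the server; rw on such an export lets every host write; and
# no_root_squash maps a remote root user onto local root. Quiet exports print nothing.
audit_exports() { # exports-file
  while read -r path spec; do
    case $path in ''|\#*) continue ;; esac
    client=${spec%%"("*}; opts=${spec#*"("}; opts=${opts%")"}
    [ "$spec" = "$client" ] && opts=""      # no "(options)" part at all
    case $client in
      '*'|'') echo "$path: exported to every host"
              case ",$opts," in *,rw,*) echo "$path: writable by every host" ;; esac ;;
    esac
    case ",$opts," in *,no_root_squash,*) echo "$path: remote root keeps root privileges" ;; esac
  done < "$1"
}

# Number of findings, for a quick pass/fail in scripts.
count_findings() { audit_exports "$1" | wc -l | tr -d ' '; }
```

The /home *(rw) line above is exactly what the second finding reports: any host that can reach 192.168.100.2 may write to home directories, so in practice restrict the client field to your own network.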

posted by Gautam at 2:26 AM