DHCP SERVER

Thursday, September 17, 2009
In a TCP/IP network, each host must have a unique IP address that belongs to its network address. Clients may also require other information to access different services and resources. In a large network this increases the overhead for an administrator. A DHCP server automates this: it provides clients with an IP address along with some host-specific configuration parameters. A DHCP server can be used for dynamic allocation, or it can be used just as a bearer.
In Red Hat Linux, the main configuration file is /etc/dhcpd.conf.

DHCP lease information is stored in the /var/lib/dhcp/dhcpd.leases file.
By default, the /etc/dhcpd.conf file does not exist on your system, but you can copy the
sample file, /usr/share/doc/dhcp-3.0.1/dhcpd.conf.sample, to /etc/dhcpd.conf.

Some options and syntax in the /etc/dhcpd.conf file:

default-lease-time 720;
max-lease-time 86400;
(Values are in seconds.)
subnet 192.168.100.0 netmask 255.255.255.0 {
    range 192.168.100.10 192.168.100.50;
    range 192.168.100.101 192.168.100.150;
}
(Specifies the subnet address with its mask, followed by the address ranges to hand out. Here, addresses
from 192.168.100.51 to 192.168.100.100 will never be allocated to any system.)

host comp1 {
    hardware ethernet 00:04:5A:4F:8E:4B;
    fixed-address 192.168.100.60;
}
(You are supplying the IP address 192.168.100.60 to comp1, whose NIC MAC address is
00:04:5A:4F:8E:4B. Note the keywords are hardware ethernet, in lower case, and fixed-address, with a hyphen; dhcpd rejects other spellings. A fixed address should lie outside every range declaration, otherwise the same address can also be leased dynamically to another client.)

option routers 192.168.100.1;
(Gateway address)

option domain-name-servers 192.168.100.2, 192.168.100.3;
(IP addresses of your primary and secondary DNS servers)

option time-servers 192.168.100.2;
(Clients synchronize their clocks with this time server)
option netbios-name-servers 192.168.100.4;
(Microsoft WINS Server)
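The directives above are easy to get subtly wrong: a fixed-address that falls inside a range, a range that leaves the subnet, or two host entries with the same MAC. The following Python script is an added example, not code from the original post; it assembles a sample dhcpd.conf from the directives shown above (the second host, comp2, and its MAC address are constructed and deliberately misconfigured), reports such problems, and lists the addresses between ranges that dhcpd will never hand out. The parser only understands the directives used on this page, not the full ISC grammar.

```python
import ipaddress
import re

# Constructed sample /etc/dhcpd.conf built from the directives shown above.
# comp2 is deliberately wrong: its fixed-address sits inside a dynamic range.
SAMPLE_DHCPD_CONF = """\
default-lease-time 720;
max-lease-time 86400;
option routers 192.168.100.1;
option domain-name-servers 192.168.100.2, 192.168.100.3;
subnet 192.168.100.0 netmask 255.255.255.0 {
    range 192.168.100.10 192.168.100.50;
    range 192.168.100.101 192.168.100.150;
}
host comp1 {
    hardware ethernet 00:04:5A:4F:8E:4B;
    fixed-address 192.168.100.60;
}
host comp2 {
    hardware ethernet 00:04:5A:4F:8E:4C;
    fixed-address 192.168.100.120;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{([^}]*)\}")
RANGE_RE = re.compile(r"\brange\s+(\S+)\s+(\S+)\s*;")
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{([^}]*)\}")
HW_RE = re.compile(r"hardware\s+ethernet\s+([0-9A-Fa-f:]+)\s*;")
FIXED_RE = re.compile(r"fixed-address\s+(\S+)\s*;")


def parse_dhcpd_conf(text):
    """Return ([(network, [(low, high), ...])], [(name, mac, fixed_ip)]).
    Small parser for the directives used on this page only, not the full ISC grammar."""
    subnets = []
    for net, mask, body in SUBNET_RE.findall(text):
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                  for lo, hi in RANGE_RE.findall(body)]
        subnets.append((network, ranges))
    hosts = []
    for name, body in HOST_RE.findall(text):
        hw = HW_RE.search(body)
        fixed = FIXED_RE.search(body)
        hosts.append((name,
                      hw.group(1).lower() if hw else None,
                      ipaddress.ip_address(fixed.group(1)) if fixed else None))
    return subnets, hosts


def range_gaps(text):
    """Addresses between consecutive ranges that dhcpd never hands out dynamically,
    as (first, last) string pairs; for the sample that is .51 to .100."""
    gaps = []
    subnets, _ = parse_dhcpd_conf(text)
    for _, ranges in subnets:
        ordered = sorted(ranges)
        for (_, prev_hi), (next_lo, _) in zip(ordered, ordered[1:]):
            if next_lo > prev_hi + 1:
                gaps.append((str(prev_hi + 1), str(next_lo - 1)))
    return gaps


def check_config(text):
    """Return a list of human-readable problems; an empty list means the file is consistent."""
    subnets, hosts = parse_dhcpd_conf(text)
    problems = []
    for network, ranges in subnets:
        for lo, hi in ranges:
            if lo > hi:
                problems.append(f"range {lo} {hi} is reversed")
            elif lo not in network or hi not in network:
                problems.append(f"range {lo} {hi} lies outside subnet {network}")
    owners = {}  # MAC -> host name, to catch duplicate hardware ethernet lines
    for name, mac, addr in hosts:
        if mac in owners:
            problems.append(f"host {name} reuses MAC {mac} already declared for {owners[mac]}")
        elif mac:
            owners[mac] = name
        if addr is None:
            continue
        for network, ranges in subnets:
            if addr not in network:
                continue
            for lo, hi in ranges:
                if lo <= addr <= hi:
                    problems.append(
                        f"host {name} fixed-address {addr} is inside dynamic range {lo} {hi}")
    return problems


if __name__ == "__main__":
    for problem in check_config(SAMPLE_DHCPD_CONF) or ["no problems found"]:
        print(problem)
    print("never allocated dynamically:", range_gaps(SAMPLE_DHCPD_CONF))
```

Run it against a real file with `check_config(open("/etc/dhcpd.conf").read())`; the one problem it reports for the sample is comp2, whose 192.168.100.120 is inside the second range. Checking the file this way before `service dhcpd start` is cheaper than discovering an address conflict on the network.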

Check out the following example of a /etc/dhcpd.conf file for your perusal (screenshot):

To start the DHCP Server –

/etc/init.d/dhcpd start or
service dhcpd start

To start the service automatically at boot time –
chkconfig dhcpd on

posted by Gautam at 12:02 AM

TCP WRAPPERS

Thursday, July 9, 2009
TCP WRAPPERS
To provide a better degree of access control, some services such as sshd, portmap and xinetd are compiled with the libwrap.a library. These are called “TCP-wrapped” services.
Now we are going to implement control on a TCP-wrapped service. We will modify the /etc/hosts.deny file as follows; see the highlighted section in the screenshot below.


Here, in the highlighted section –
• The 1st line defines “ssh connections from any system will be disallowed”
• The 2nd line defines “only the computer with IP address 172.16.1.38 will be allowed to establish an ssh session – others will be disallowed”
• The 3rd line defines “ssh connections from any system will be disallowed, but the system will allow 172.16.1.38 and 172.16.1.178 to establish an ssh session”
• The 4th line allows “computers from the 172.16.0.0/255.255.248.0 network to establish an ssh session – others will be disallowed”
• The 5th line defines “computers from the 172.16.0.0/255.255.248.0 network, except 172.16.1.38, will be allowed, and other systems will be disallowed to establish an ssh session”
• The 6th line defines “the same rule as the 5th line, but here the rule covers both the telnet and ssh services”
• The last line defines “all TCP-wrapped services can only be accessed from
the abc.com domain”

In the screenshot above only the last line is active, as it is the only one not commented out with #.
Note that you do not need to start or restart any service to control a TCP-wrapped service using TCP wrappers. All you have to do is modify the /etc/hosts.deny file.
There is another important file, /etc/hosts.allow, as far as TCP wrappers are concerned. The system checks the /etc/hosts.allow file first; if a client matches a rule there, the service is accessible and /etc/hosts.deny is not consulted. Otherwise the system goes through the /etc/hosts.deny file and acts accordingly, and a client that matches neither file is allowed.
Let us assume we have a requirement where only the ssh service should be accessible, and only from 172.16.1.38, while all other “TCP-wrapped” services should be blocked for every user.
The easiest solution is to add the following line to the /etc/hosts.deny file –
ALL: ALL
and add the following line to the /etc/hosts.allow file –
sshd: 172.16.1.38
(The daemon is named by its process name, sshd, not by the client command ssh.)
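Because hosts.allow is consulted before hosts.deny and the default is to allow, it pays to check what a pair of rule files actually decides for a given daemon and client before relying on it. The Python script below is an added example, not code from the original post: it implements the hosts_access(5) matching order (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise access is granted), including nested EXCEPT lists, net/mask pairs and domain suffixes, and evaluates the “ssh only from 172.16.1.38” requirement above. The seven commented-out hosts.deny lines in DENY_EXAMPLE are my reconstruction of the rules the post describes (the screenshot itself is not reproduced), and the host names are constructed. The parser handles IPv4 only.

```python
import ipaddress

# Constructed rule files. DENY_EXAMPLE reconstructs, as an assumption, the seven hosts.deny
# lines the post describes; only the last one is active, as in the screenshot.
DENY_EXAMPLE = """\
#sshd: ALL
#sshd: ALL EXCEPT 172.16.1.38
#sshd: ALL EXCEPT 172.16.1.38, 172.16.1.178
#sshd: ALL EXCEPT 172.16.0.0/255.255.248.0
#sshd: ALL EXCEPT 172.16.0.0/255.255.248.0 EXCEPT 172.16.1.38
#sshd, in.telnetd: ALL EXCEPT 172.16.0.0/255.255.248.0 EXCEPT 172.16.1.38
ALL: ALL EXCEPT .abc.com
"""

# The "ssh only from 172.16.1.38, everything else blocked" requirement.
ALLOW_SSH_ONLY = "sshd: 172.16.1.38\n"
DENY_EVERYTHING = "ALL: ALL\n"


def _parse_list(tokens):
    """Match tree for a daemon or client list. hosts_access(5) nests EXCEPT to the right:
    'a EXCEPT b EXCEPT c' means (a EXCEPT (b EXCEPT c))."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return ("except", tokens[:i], _parse_list(tokens[i + 1:]))
    return ("list", tokens, None)


def parse_rules(text):
    """Return [(daemon_tree, client_tree)] for every active line; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")  # IPv4 only: IPv6 literals would need bracket handling
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((_parse_list(daemons), _parse_list(clients)))
    return rules


def _client_matches(pattern, hostname, ip):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # domain suffix, e.g. .abc.com
        return hostname.endswith(pattern)
    if pattern.endswith("."):              # address prefix, e.g. 172.16.
        return ip.startswith(pattern)
    if "/" in pattern:                     # net/mask pair, e.g. 172.16.0.0/255.255.248.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern == ip or pattern == hostname


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _tree_matches(tree, matcher):
    kind, items, rest = tree
    hit = any(matcher(p) for p in items)
    if kind == "except":
        return hit and not _tree_matches(rest, matcher)
    return hit


def _rule_hits(rule, daemon, hostname, ip):
    dtree, ctree = rule
    return (_tree_matches(dtree, lambda p: _daemon_matches(p, daemon))
            and _tree_matches(ctree, lambda p: _client_matches(p, hostname, ip)))


def access_granted(daemon, hostname, ip, allow_text, deny_text):
    """hosts_access order: a match in hosts.allow grants, then a match in hosts.deny refuses,
    and a client that matches neither file is granted access (the default is allow)."""
    if any(_rule_hits(r, daemon, hostname, ip) for r in parse_rules(allow_text)):
        return True
    if any(_rule_hits(r, daemon, hostname, ip) for r in parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for daemon, host, ip in [("sshd", "ws38", "172.16.1.38"), ("sshd", "ws39", "172.16.1.39"),
                             ("in.telnetd", "ws38", "172.16.1.38")]:
        print(daemon, ip, access_granted(daemon, host, ip, ALLOW_SSH_ONLY, DENY_EVERYTHING))
```

The default-allow rule at the end of access_granted is the point to remember: an empty hosts.deny protects nothing, which is why the post's solution puts ALL: ALL there and opens only sshd for one address in hosts.allow.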

posted by Gautam at 3:16 AM

Protecting the boot loader(grub.conf) with password

Friday, June 26, 2009
Protecting /boot/grub/grub.conf with an md5 password:

For troubleshooting purposes, administrators sometimes boot a Linux computer in single user mode. We will learn how to boot a Linux system in single user mode shortly.
If you boot a Linux computer in single user mode, the system will never ask you to authenticate and will treat you as the root user. This is really helpful in case you forgot the root user’s password, the root password has expired, you want to recover the grub boot loader in a dual-boot system, etc.
But there is a security risk as well. For example, anyone can change the root user’s password after booting the computer in single user mode.
To prevent an unauthorized user from starting the Linux computer in single user mode, it is recommended to set an md5 password on grub. The md5 password can be set during installation of the Linux computer. It is also possible to set the md5 password on grub after installation.
Here, I will show you how to set an md5 password on grub after installation.
Run grub-md5-crypt
The system will ask you to enter the password. Supply it.
The system will return a string on your monitor like this –
$1$Hk/zc0$k3vGSgE0kYxqMKzF6Qi3g/
Note down the string very carefully.
Now open the /boot/grub/grub.conf file in the vi editor.
Just below the splashimage=(hd0,1)/grub/splash.xpm.gz line in the file, place the following line –
password --md5 $1$Hk/zc0$k3vGSgE0kYxqMKzF6Qi3g/

After modification, the /boot/grub/grub.conf will look like –
# grub.conf generated by anaconda
#
#boot=/dev/hda
default=0
timeout=20
splashimage=(hd0,1)/grub/splash.xpm.gz
password --md5 $1$Hk/zc0$k3vGSgE0kYxqMKzF6Qi3g/
title DOS
rootnoverify (hd0,0)
chainloader +1
title Red Hat Linux (2.4.18-14)
root (hd0,1)
kernel /vmlinuz-2.4.18-14 ro root=LABEL=/
initrd /initrd-2.4.18-14.img
# end of file
However, I never do the task the same way I described above. Rather, I append the output of grub-md5-crypt to /etc/grub.conf by executing the following command –
grub-md5-crypt >> /etc/grub.conf
Then I delete the unnecessary lines in the grub.conf file and cut the string and paste it in the right place.
At this point, if you reboot the computer and try to start it in single user mode, you need to supply the grub password; by default the system will boot according to the configuration in the /etc/inittab file.
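Where the password line lands matters: GRUB only locks menu editing (and therefore the single user trick) when the password directive is in the global section, before the first title; a password inside a title stanza merely locks that one entry. The Python script below is an added example, not code from the original post. It checks that a grub.conf carries a well-formed `password --md5` line in the global section and inserts or replaces one in the place the post recommends, right after splashimage. The hash is the sample string printed above; the grub.conf text is a constructed copy of the post's file without the password line.

```python
import re

# md5-crypt strings look like $1$<salt, up to 8 chars>$<22 hash chars>; this is the page's sample.
PAGE_HASH = "$1$Hk/zc0$k3vGSgE0kYxqMKzF6Qi3g/"
MD5_CRYPT_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

# Constructed copy of the post's grub.conf before the password line is added.
SAMPLE_GRUB_CONF = """\
# grub.conf generated by anaconda
#
#boot=/dev/hda
default=0
timeout=20
splashimage=(hd0,1)/grub/splash.xpm.gz
title DOS
    rootnoverify (hd0,0)
    chainloader +1
title Red Hat Linux (2.4.18-14)
    root (hd0,1)
    kernel /vmlinuz-2.4.18-14 ro root=LABEL=/
    initrd /initrd-2.4.18-14.img
"""


def is_md5_crypt(value):
    return bool(MD5_CRYPT_RE.match(value))


def _first_title_index(lines):
    """Everything before the first 'title' line is GRUB's global section."""
    for i, line in enumerate(lines):
        if line.strip().startswith("title"):
            return i
    return len(lines)


def password_protected(conf_text):
    """True only when a 'password --md5 <hash>' line with a well-formed hash is in the global
    section. A password inside a title stanza locks that entry but not menu editing."""
    lines = conf_text.splitlines()
    for line in lines[:_first_title_index(lines)]:
        parts = line.split()
        if len(parts) == 3 and parts[:2] == ["password", "--md5"] and is_md5_crypt(parts[2]):
            return True
    return False


def ensure_grub_password(conf_text, md5_hash):
    """Return (new_text, changed). Replaces an existing global password line, or inserts one
    right after splashimage when present and otherwise just before the first title."""
    if not is_md5_crypt(md5_hash):
        raise ValueError("expected a $1$ md5-crypt string as printed by grub-md5-crypt")
    lines = conf_text.splitlines()
    wanted = f"password --md5 {md5_hash}"
    global_end = _first_title_index(lines)
    for i in range(global_end):
        if lines[i].strip().startswith("password"):
            if lines[i].strip() == wanted:
                return conf_text, False
            lines[i] = wanted
            return "\n".join(lines) + "\n", True
    insert_at = global_end
    for i in range(global_end):
        if lines[i].strip().startswith("splashimage"):
            insert_at = i + 1
    lines.insert(insert_at, wanted)
    return "\n".join(lines) + "\n", True


if __name__ == "__main__":
    updated, changed = ensure_grub_password(SAMPLE_GRUB_CONF, PAGE_HASH)
    print("changed:", changed, "protected:", password_protected(updated))
    print(updated)
```

To apply it to a live system, read /boot/grub/grub.conf, pass the string produced by grub-md5-crypt, and write the result back; running password_protected over the file afterwards is a quick audit that the protection is in the global section rather than inside a stanza.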

posted by Gautam at 1:04 AM

Remote Administration: Telnet, SSH and SCP

Wednesday, June 24, 2009
Remote Administration: Telnet, SSH and SCP
Telnet
Telnet is basically a virtual terminal program that helps you configure a system remotely. In a production environment telnet is rarely used, as it transfers keystrokes in clear text. To enable telnet, all you have to do is run the following two commands –
chkconfig telnet on
service xinetd restart
By default, telnet to a remote system as the root user is disabled. You have to log into the telnet server as a non-privileged user; then you can change your identity to root using the following command –
su - root

SSH

Unlike telnet, ssh is a Secure Shell service. Ssh uses public/private key cryptography with RSA or DSA keys.
It is very easy to start ssh: execute the service sshd restart command.
By default any user can establish an ssh session. However, this can be controlled by modifying the /etc/ssh/sshd_config file. See the following screenshot: here I have denied atanu and allowed all other users to establish an ssh session.
We can also allow or deny one or more groups using the AllowGroups or DenyGroups directive, for example AllowGroups acct mrkt.
The modification only takes effect when you restart the ssh server.
Check the last two lines in the screenshot on the page –


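sshd applies its four access-control directives in a fixed order, DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, and a restrictive AllowGroups line also shuts out every account whose groups are not listed, root included. The Python script below is an added example, not code from the original post: it reads those directives from a constructed sshd_config fragment (DenyUsers atanu and AllowGroups acct mrkt, as in the post) and predicts whether a given user, with a given list of group names, would be admitted, so you can test a change before restarting sshd and locking yourself out. The user names, hosts and groups in the tests are constructed.

```python
import fnmatch

# Constructed sshd_config fragment: the post denies user atanu and allows the acct and mrkt groups.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
# access control directives
DenyUsers atanu
AllowGroups acct mrkt
"""

ACCESS_KEYS = ("denyusers", "allowusers", "denygroups", "allowgroups")


def parse_access_directives(text):
    """Collect the four access-control lists; repeated directives append, as in sshd."""
    lists = {key: [] for key in ACCESS_KEYS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ").split()   # sshd accepts "Key value" and "Key=value"
        key = parts[0].lower()
        if key in lists:
            lists[key].extend(parts[1:])
    return lists


def _name_matches(patterns, name, host):
    """sshd patterns allow * and ? wildcards and, for users, an optional user@host form."""
    for pat in patterns:
        if "@" in pat:
            user_pat, host_pat = pat.split("@", 1)
            if fnmatch.fnmatchcase(name, user_pat) and fnmatch.fnmatchcase(host, host_pat):
                return True
        elif fnmatch.fnmatchcase(name, pat):
            return True
    return False


def login_allowed(config_text, user, groups, host="127.0.0.1"):
    """Apply sshd's documented order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
    'groups' holds the user's primary and supplementary group names; 'host' is the client address."""
    lists = parse_access_directives(config_text)
    if _name_matches(lists["denyusers"], user, host):
        return False
    if lists["allowusers"] and not _name_matches(lists["allowusers"], user, host):
        return False
    if any(_name_matches(lists["denygroups"], g, host) for g in groups):
        return False
    if lists["allowgroups"] and not any(_name_matches(lists["allowgroups"], g, host) for g in groups):
        return False
    return True


if __name__ == "__main__":
    for user, groups in [("atanu", ["acct"]), ("bob", ["users", "mrkt"]), ("root", ["root"])]:
        print(user, groups, login_allowed(SAMPLE_SSHD_CONFIG, user, groups))
```

Run it with the group list from `id -Gn <user>` on the server. Note that with the sample configuration root is refused as well, because the root group is not in AllowGroups; that is the kind of surprise worth catching before `service sshd restart`.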
In my network, I always use ssh to configure remote servers. Generally I configure my Linux laptop as an ssh client. I have a RHEL 4 system and I use this particular computer to administer my proxy server, which is running on 172.16.1.12. See what I usually do – on my laptop I execute the following command to create the key –
ssh-keygen -t dsa
You can also use rsa here. See the following screenshot –


Check the output in the screenshot carefully. The 3rd line says the key will be saved in the /root/.ssh directory. If the .ssh directory does not exist in /root, the ssh-keygen command will create it; check the 4th line. After creating the /root/.ssh directory, the system will ask you to supply the passphrase. I enter an empty passphrase, meaning I just press Enter twice. My identification is now saved in the /root/.ssh/id_dsa file and the public key is id_dsa.pub.
It is time to copy id_dsa.pub into the /root/.ssh/ directory on my proxy server, where the file will be named authorized_keys. I will use the following command, assuming that on my proxy server, running on 172.16.1.12, the /root/.ssh directory exists.
scp -rp /root/.ssh/id_dsa.pub root@172.16.1.12:/root/.ssh/authorized_keys
See the output in the following screenshot. After executing the above command the system will ask for your confirmation; type yes and press Enter, supply root’s password for 172.16.1.12 and the file will be copied securely.

scp will be discussed shortly.
Now, from your client computer, if you execute ssh 172.16.1.12 the system will never ask you to supply the password!!


SCP

Using scp, you can copy files from or to a remote Linux system. In the SSH section above, see how we used scp to copy id_dsa.pub. To refer to a remote system we use user@machine_name_or_ip_address:/any/directory, and the source can also be a remote system.
While working with Windows systems, I use WinSCP to communicate with Linux systems. The winscp382setup.exe is freely available for download on sourceforge.net.
Please note, when you establish an ssh or scp session with a computer for the first time, the remote system’s host key is added to the /root/.ssh/known_hosts text file. If the remote system is re-installed, you will fail to establish an ssh or scp session until you remove that system’s entry from the /root/.ssh/known_hosts file.
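The failure described above is the client refusing a host whose key changed since it was first recorded, which is exactly the warning you want to see unless you re-installed the machine yourself. The usual fix is `ssh-keygen -R <host>`; the Python script below is an added example, not code from the original post, that shows what that removal has to handle: a plain entry may list several names separated by commas (only the matching name is dropped), and with HashKnownHosts the name is stored as |1|base64(salt)|base64(HMAC-SHA1(salt, host)) and must be recomputed to compare. The known_hosts content, salt and key strings are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac

SAMPLE_SALT = b"0123456789abcdefghij"  # constructed 20-byte salt, the length OpenSSH uses


def hash_host(host, salt):
    """Build a HashKnownHosts name: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


# Constructed known_hosts content; the key fields are placeholder text, not real key material.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "172.16.1.12 ssh-rsa AAAAB3PLACEHOLDERKEY1",
    "172.16.1.12,proxy.example ssh-dss AAAAB3PLACEHOLDERKEY2",
    hash_host("proxy.example", SAMPLE_SALT) + " ssh-rsa AAAAB3PLACEHOLDERKEY3",
    "fileserver.example ssh-rsa AAAAB3PLACEHOLDERKEY4",
]) + "\n"


def _hashed_entry_matches(field, host):
    parts = field.split("|")  # ['', '1', salt_b64, hash_b64]
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt = base64.b64decode(parts[2])
    expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(expected).decode(), parts[3])


def remove_host(known_hosts_text, host):
    """Drop every key recorded for 'host' (plain or hashed) and return (new_text, removed_count).
    Plain entries that list several names keep the names that do not match."""
    kept, removed = [], 0
    for line in known_hosts_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("@"):
            kept.append(line)  # comments and @cert-authority/@revoked markers are left alone
            continue
        fields = stripped.split(None, 1)
        if len(fields) < 2:
            kept.append(line)
            continue
        names, rest = fields
        if names.startswith("|1|"):
            if _hashed_entry_matches(names, host):
                removed += 1
                continue
            kept.append(line)
            continue
        all_names = names.split(",")
        remaining = [n for n in all_names if n != host]
        if len(remaining) == len(all_names):
            kept.append(line)
        elif remaining:
            removed += 1
            kept.append(",".join(remaining) + " " + rest)
        else:
            removed += 1
    return "\n".join(kept) + ("\n" if kept else ""), removed


if __name__ == "__main__":
    text, count = remove_host(SAMPLE_KNOWN_HOSTS, "172.16.1.12")
    print("removed", count, "entries")
    print(text)
```

To use it on a real file, read /root/.ssh/known_hosts, call remove_host with the re-installed machine's name or address (repeat for each form you connect by, since the address and the host name are separate names), and write the result back; then the next ssh or scp session records the new key after the usual yes/no confirmation.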

posted by Gautam at 3:58 AM