Complete Linux Servers - Installation and Configuration

Configure all Linux Servers like NFS, FTP, DHCP, DNS, SQUID, SAMBA, PRINTER, VNC, SYSLOG, PROXY, WEB, APACHE, YUM etc.....

Document Transcript

Chetan Soni – Security Specialist

COMPLETE LINUX SERVERS
Installation and Configuration
By CHETAN SONI

1 | Page    www.facebook.com/er.chetansoni

About Me

I am a social-techno-learner who believes in his own efficiency first and then implements it with the suggestions of my strong and enthusiastic team, which helps me take everything to its perfection level.

At present, I am the Founder & Admin of the blog Just Do Hackers (JDH), a security-based blog, and the overall resource person of an online digital library named Seculabs, which is a product of Secugenius Security Solutions.

I have conducted more than 100 workshops on topics like "Botnets, Metasploit Framework, Vulnerability Assessment, Penetration Testing, Cyber Crime Investigation & Forensics, Ethical Hacking" at various institutions/colleges/companies all across the world.

Introduction to Linux Administration

With the role of an IT professional not restricted to one technology alone, the industry requires one to have all-round knowledge of computer hardware & networking concepts and technologies. The average salaries of such network professionals who have done a complete course range to more than $90,000 per annum. The course creates great job prospects for candidates who have a keen inclination towards making their career in managing IT infrastructure along with their graduation, so that when they complete the course with graduation they are industry-ready and the most sought-after professionals.

1. Basic Hardware and Server Technology
2. Advanced Networking and Security
3. System Engineering on Microsoft Technologies
4. Networking Technology & Devices
5. Linux Administration & Security (RHCE)
6. Notebook Technology
7. Wireless Network Administration

In late 1991, Torvalds published the first version of this kernel on the Internet, calling it "Linux" (a play on both Minix and his own name). When Torvalds published Linux, he used the copyleft software license published by the GNU Project, the GNU General Public License. Doing so made his software free to use, copy, and modify by anyone, provided any copies or variations were kept equally free. Torvalds also invited contributions by other programmers, and these contributions came: slowly at first but, as the Internet grew, thousands of hackers and programmers from around the globe contributed to his free software project.
General Overview of the Red Hat File System

The simplest description of the Unix system, which is generally applicable to Linux and Red Hat, is: "On a Unix system, everything is a file. If it is not a file, it is a process."

This is partially true, because there are special files that are more than just files (named pipes and sockets, for instance), but to keep things simple, saying that everything is a file is an acceptable generalization. A Linux system, just like UNIX, makes no difference between a file and a directory, since a directory is just a file containing the names of other files. Programs, services, texts, images, etc. are all files. Input and output devices, and generally every device, are considered to be files, according to the system.

In order to manage all those files in an orderly fashion, we like to think of them as an ordered tree-like structure on the hard disk, relating back to DOS. There are then big branches containing more branches, and the branches at the end contain the tree leaves or normal files. For now, we will stick to this image of the tree, but we will find out later why it is not actually an exact image.

Sorts of files

Most files are just files, called regular files: they contain normal data, e.g. text files, executable files or programs, input for or output from a program, etc. While it is reasonably safe to suppose that everything you encounter on a Linux system is a file, there are some exceptions:

• Directories: files that are lists of other files.
• Special files: the mechanism used for input and output. Most special files are in /dev.
• Links: a system to make a file or directory visible in multiple parts of the system's file tree.
• (Domain) sockets: a special file type, similar to TCP/IP sockets, providing inter-process networking protected by the file system's access control.

Partitioning

Most people have a vague feeling about what a partition is, since almost every operating system has the possibility to create them. The fact that Linux uses more than one partition on the same disk, even when using the standard installation procedure, may seem strange at first.

The goal of having different partitions is to achieve higher data security in case of a disaster. By dividing the hard disk into partitions, data can be grouped and separated. When an accident occurs, e.g. an electricity failure, the optical reader may crash into the hard disk. Only the data in the partition that got hit will be damaged, while the data on the other partitions will most likely survive. Imagine the tree again: when lightning breaks off one branch, the rest of the tree grows on.

This principle dates from the days when Linux didn't have "journaled" file systems yet. A (V) 15 uses Red Hat 6.2 and does not journal, but the use of partitions remains for security reasons, so a security breach on one part of the system doesn't automatically mean that the whole computer is in danger.

There are two kinds of major partitions on a Linux system:

• Data partition: normal Linux system data, including the root partition containing all the data to start up and run the system; and
• Swap partition: expansion of the computer's physical memory, extra memory on hard disk.

On a server system, system data tends to be separated from user data. Programs that offer services are kept in a different place than the data handled by these services. Different partitions will be created on such systems, e.g. a partition with all data necessary to boot the machine, a partition with configuration data and server programs, one or more partitions containing the server data (e.g. a database, user mails, an FTP archive, etc.), a partition with user programs and applications, and one or more partitions for the user-specific files. Servers usually have more memory and thus more swap. Certain server processes, such as databases, may require more swap space than usual; see the specific documentation for detailed information. For better performance, swap is often divided into different swap partitions.

File System Layout

For convenience, the Linux file system is usually thought of as a tree structure; you will find the layout generally follows this scheme. The tree of the file system starts at the trunk or slash, indicated by a forward slash (/). This directory, containing all underlying directories and files, is also called the root directory or "the root" of the file system. Directories that are only one level below the root directory are often preceded by a slash, to indicate their position and prevent confusion with other directories that could have the same name.
(I) NFS Server

NFS, or Network File System, is a server-client protocol for sharing files between computers on a common network. NFS enables you to mount a file system on a remote computer as if it were local to your own system. You can then directly access any of the files on that remote file system. The server and client do not have to use the same operating system; the client system just needs to be running an NFS client compatible with the NFS server. For example, the NFS server could be a Linux system and UNIX could be a client, but it can't be a Windows system, because Windows is not NFS compatible. The NFS server exports one or more directories to the client systems, and the client systems mount one or more of the shared directories to local directories called mount points. After the share is mounted, all I/O operations are written back to the server, and all clients notice the change as if it occurred on the local filesystem.

A manual refresh is not needed because the client accesses the remote filesystem as if it were local. Access is granted by IP address; a username and password are not required. However, there are security risks to consider, because the NFS server knows nothing about the users on the client system.

1. Configure NFS Server

In this example we will configure an NFS server and mount the shared directory from the client side. For this example we are using two systems: one Linux server and one Linux client. To complete the prerequisites of the NFS server, follow this link.

a) Prerequisites of the NFS server

• A Linux server with IP address 192.168.0.254 and hostname Server.
• A Linux client with IP address 192.168.0.1 and hostname Client1.
• Updated /etc/hosts file on both Linux systems.
• Running portmap and xinetd services.
• Firewall should be off on the server.

We have configured all these steps in our previous article.

b) Necessary configuration for the NFS server

We suggest you review that article before starting the configuration of the NFS server. Once you have completed the necessary steps, follow this guide.

Three RPMs are required to configure the NFS server: nfs, portmap, xinetd. Check them; if not found, install them.

Now check the nfs, portmap and xinetd services in System Services; they should be on:

    #setup

Select System service from the list:

    [*] portmap
    [*] xinetd
    [*] nfs

Now restart the xinetd and portmap services. To keep these services on after reboot, turn them on via the chkconfig command. After reboot, verify their status; they must be in running condition.

Now create a /data directory and grant full permission to it.

Now open the /etc/exports file. Share the data folder for the network 192.168.0.254/24 with read and write access. Save the file with :wq! and exit.

Now restart the nfs service and also turn it on with chkconfig. Also refresh the NFS daemons with exportfs. Verify with the showmount command that you have successfully shared the data folder.
2. Configure Client System

Ping the NFS server and check the shared folder. Now mount this shared folder on the /mnt mount point. To test the shared folder, change directory to /mnt and create a test file. After use you should always unmount from the /mnt mount point.

In this way you can use the shared folder, but it will only be available while the system is up; it will not be available after a reboot. To keep it available after reboot, make its entry in fstab. Create a mount point by making a directory. Now open the /etc/fstab file and make an entry for the NFS shared directory, defining /temp as the mount point. Save the file with :wq and exit. Reboot the system with the reboot -f command:

    #reboot -f

After reboot, check the /temp directory; it should show all the shared data.

In Short:

1. Packages Required: nfs-utils-0.1.6-2.i386.rpm
2. Services in NFS: portmap & nfs
3. Procedure:
   a) First insert the DVD into the DVD-ROM and mount this DVD into your system:
          mount /dev/dvd /mnt
   b) Create a directory named /dump.
   c) Copy the Red Hat DVD into your system under /dump:
          cp -rf /mnt/* /dump/
   d) Now install the createrepo package from your /dump directory with the rpm command:
          rpm -ivh /dump/Server/createrepo* --force --nodeps
   e) After finishing this command, type:
          createrepo -v /dump
   f) Now open two configuration files:
          1. vi /etc/yum.repos.d/rhel-debuginfo.repo
          2. vi /etc/exports
   g) In the first configuration file write these lines:
          [Redhat]
          name=Redhat 5.3
          baseurl=file:///dump
          enabled=1
          gpgcheck=0
   h) In the second configuration file write this line:
          /dump *(rw,sync)
   i) Now start the services:
          service portmap restart
          service nfs restart
   j) Turn the daemons on:
          chkconfig portmap on
          chkconfig nfs on
   k) Check the status of the NFS service, whether it is running or not:
          service nfs status
   l) For checking the shared directory on your own system:
          showmount -e 192.168.1.10 (client IP address)
   m) For checking the shared directory from another system:
          showmount -e 192.168.1.254 (server IP address)
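The export written above, /dump *(rw,sync), hands write access to every host, and NFS trusts nothing but the client's IP address. As an added example that is not part of the document, this POSIX shell function audits an exports file for wildcard hosts, write access, unsquashed root (no_root_squash is a real exportfs option the text does not mention) and the "host (options)" spacing pitfall; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original document: audit an /etc/exports file
# for entries that hand out more than intended. Prints one finding per line
# ("<path> <host>: <problem>") and returns 1 if anything was found.
# Without no_root_squash (the default) a client's root is mapped to an
# unprivileged uid on the server.
audit_exports() {
    exports_file="$1"
    findings=0
    set -f                      # a literal "*" host must not glob-expand
    while IFS= read -r raw || [ -n "$raw" ]; do
        line="${raw%%#*}"       # drop comments and blank lines
        set -- $line
        if [ $# -eq 0 ]; then continue; fi
        path="$1"
        shift
        for entry in "$@"; do
            host="${entry%%\(*}"
            opts=""
            case "$entry" in
                *\(*\)) opts="${entry#*\(}"; opts="${opts%\)}" ;;
            esac
            if [ -z "$host" ]; then
                # "host (opts)" with a space before the parenthesis: the host
                # got the defaults and the options were applied to "*".
                host="*"
                echo "$path *: options not attached to a host, so they apply to every client"
                findings=$((findings + 1))
            fi
            if [ "$host" = "*" ]; then
                echo "$path *: exported to all hosts"
                findings=$((findings + 1))
            fi
            oldifs=$IFS
            IFS=,
            for opt in $opts; do
                case "$opt" in
                    rw)
                        echo "$path $host: writable"
                        findings=$((findings + 1)) ;;
                    no_root_squash)
                        echo "$path $host: client root is not squashed"
                        findings=$((findings + 1)) ;;
                esac
            done
            IFS=$oldifs
        done
    done < "$exports_file"
    set +f
    [ "$findings" -eq 0 ]
}

# Constructed sample modelled on the entries used in the text.
NFS_SAMPLE=$(mktemp)
cat > "$NFS_SAMPLE" <<'EOF'
# data share for the lab network, as in the text
/data 192.168.0.0/24(rw,sync)
/dump *(rw,sync)
/pub *(ro)
# the space before "(rw)" is a common mistake
/backup 192.168.0.1 (rw)
EOF

audit_exports "$NFS_SAMPLE" || echo "tighten /etc/exports before running exportfs -ra"
```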
(II) FTP Server

1. Introduction

The File Transfer Protocol (FTP) is used as one of the most common means of copying files between servers over the Internet. Most web-based download sites use the built-in FTP capabilities of web browsers, and therefore most server-oriented operating systems usually include an FTP server application as part of the software suite. Linux is no exception.

2. FTP Overview

FTP relies on a pair of TCP ports to get the job done. It operates in two connection channels:

FTP Control Channel, TCP Port 21: All commands you send and the FTP server's responses to those commands go over the control connection, but any data sent back (such as "ls" directory lists or actual file data in either direction) goes over the data connection.

FTP Data Channel, TCP Port 20: This port is used for all subsequent data transfers between the client and server.

In addition to these channels, there are several varieties of FTP.

Types of FTP

From a networking perspective, the two main types of FTP are active and passive. In active FTP, the FTP server initiates a data transfer connection back to the client. For passive FTP, the connection is initiated from the FTP client.

From a user management perspective there are also two types of FTP: regular FTP, in which files are transferred using the username and password of a regular user of the FTP server, and anonymous FTP, in which general access is provided to the FTP server using a well-known universal login method.

Active FTP

The sequence of events for active FTP is:

1. Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as ls and get are sent over this connection.
2. Whenever the client requests data over the control connection, the server initiates data transfer connections back to the client. The source port of these data transfer connections is always port 20 on the server, and the destination port is a high port (greater than 1024) on the client.
3. Thus the ls listing that you asked for comes back over the port 20 to high port connection, not the port 21 control connection.

FTP active mode therefore transfers data in a counter-intuitive way relative to the TCP standard, as it selects port 20 as its source port (not a random high port that's greater than 1024) and connects back to the client on a random high port that has been pre-negotiated on the port 21 control connection.

Passive FTP

Passive FTP works differently:

1. Your client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as ls and get are sent over that connection.
2. Whenever the client requests data over the control connection, the client initiates the data transfer connections to the server. The source port of these data transfer connections is always a high port on the client, with a destination port of a high port on the server.

Passive FTP should be viewed as the server never making an active attempt to connect to the client for FTP data transfers. Because the client always initiates the required connections, passive FTP works better for clients protected by a firewall. As Windows defaults to active FTP, and Linux defaults to passive, you'll probably have to accommodate both forms when deciding upon a security policy for your FTP server.

Regular FTP

By default, the VSFTPD package allows regular Linux users to copy files to and from their home directories with an FTP client, using their Linux usernames and passwords as their login credentials. VSFTPD also has the option of allowing this type of access to only a group of Linux users, enabling you to restrict the addition of new files to your system to authorized personnel.

The disadvantage of regular FTP is that it isn't suitable for general download distribution of software, as everyone either has to get a unique Linux user account or has to use a shared username and password. Anonymous FTP allows you to avoid this difficulty.

Anonymous FTP

Anonymous FTP is the choice of web sites that need to exchange files with numerous unknown remote users. Common uses include downloading software updates and MP3s and uploading diagnostic information for a technical support engineer's attention. Unlike regular FTP, where you log in with a preconfigured Linux username and password, anonymous FTP requires only a username of anonymous and your email address for the password. Once logged in to a VSFTPD server, you automatically have access to only the default anonymous FTP directory (/var/ftp in the case of VSFTPD) and all its subdirectories.
In Practical:

An FTP server is used to transfer files between server and clients. All major operating systems support FTP. FTP is the most used protocol over the Internet to transfer files. Like most Internet operations, FTP works on a client/server model. FTP client programs enable users to transfer files to and from a remote system running an FTP server program.

Any Linux system can operate as an FTP server. It has to run only the server software, an FTP daemon with the appropriate configuration. Transfers are made between user accounts on client and server systems. A user on the remote system has to log in to an account on a server and can then transfer files to and from that account's directories only.

A special kind of user account, named ftp, allows any user to log in to it with the username "anonymous". This account has its own set of directories and files that are considered public, available to anyone on the network who wants to download them. The numerous FTP sites on the Internet are FTP servers supporting FTP user accounts with anonymous login. Any Linux system can be configured to support anonymous FTP access, turning it into a network FTP site. Such sites can work on an intranet or on the Internet.

a) Configuring the FTP Server

The vsftpd RPM package is required to configure a Red Hat Enterprise Linux system as an FTP server. If it is not already installed, install it with rpm commands as described in our previous article. After it is installed, start the service as root with the command service vsftpd start. The system is now an FTP server and can accept connections. To configure the server to automatically start the service at boot time, execute the command chkconfig vsftpd on as root. To stop the server, execute the command service vsftpd stop. To verify that the server is running, use the command service vsftpd status.

b) Configure vsftpd Server

In this example we will configure a vsftpd server and transfer files from the client side. For this example we are using three systems: one Linux server, one Linux client and one Windows XP client. To complete the prerequisites of the FTP server, follow this link.

(i) Prerequisites of the vsftpd server

• A Linux server with IP address 192.168.0.254 and hostname Server
• A Linux client with IP address 192.168.0.1 and hostname Client1
• A Windows client with IP address 192.168.0.2 and hostname Client2
• Updated /etc/hosts file on both Linux systems
• Running portmap and xinetd services
• Firewall should be off on the server

We have configured all these steps in our previous article.

(ii) Necessary configuration for the vsftpd server

We suggest you review that article before starting the configuration of the ssh server. Once you have completed the necessary steps, follow this guide.

Three RPMs are required to configure the ssh server: vsftpd, portmap, xinetd. Check them; if not found, install them.

Now check the vsftpd, portmap and xinetd services in System Services; they should be on:

    #setup

Select System service from the list:

    [*] portmap
    [*] xinetd
    [*] vsftpd

Now restart the xinetd, portmap and vsftpd services. To keep these services on after reboot, turn them on via the chkconfig command. After reboot, verify their status; they must be in running condition.

Create a normal user named vinita. Log in as this user on another terminal and create a test file.

On Linux Client

Ping the FTP server, run the ftp command and give the username and password. After login you can download files from the specified directories. The most commonly used commands at the ftp prompt are:

    put     To upload files to the server
    get     To download files from the server
    mput    To upload all files
    mget    To download all files
    ?       To see all available commands at the ftp prompt
    cd      To change the remote directory
    lcd     To change the local directory

On Windows Client

Now go on the Windows client and create a file. The copy con command is used to create files on Windows; to save, use CTRL+Z. Now ping the FTP server and invoke an ftp session to the server, log in from the user account and download as well as upload files.

Enable the root account for ftp sessions and set permissions on a user

By default on a vsftpd server the root account is disabled; you cannot log in from the root account. Now we will enable the root account for ftp sessions and at the same time disable our normal user vinita from using ftp sessions.

Open the file /etc/vsftpd/ftpusers. Users whose names are set in this file will not be allowed to log in via ftp. By default this file has an entry for root; that is why root is not allowed to use ftp. Remove root from the list and add user vinita.

Now remove the entry from the /etc/vsftpd/user_list file. Users whose names are set in this file are also not allowed to log in via ftp; they are not even prompted for a password. By default this file has an entry for root; that is why root is denied login without even being asked for a password. Remove root from the list and add user chetan.

After saving the changes in these files, restart the vsftpd service. Now go on the client system and log in as root; this time root will log in. Now try to log in as user vinita; she should not even be prompted for a password.

How to set a login banner for the FTP server

To set a login banner, open the /etc/vsftpd/vsftpd.conf file and search for this tag. Uncomment this tag, set your banner and save the file, then restart the vsftpd service. Go on the client system and check the banner; it will appear before user login.
In Short:

1. Packages Required: vsftpd-1.2.1-5.i386.rpm
2. Services in FTP: portmap & vsftpd
3. Procedure:
   a) First insert the DVD into the DVD-ROM.
   b) Mount this DVD into your system:
          mount /dev/dvd /mnt
   c) Create a directory named /dump.
   d) Copy the Red Hat DVD into your system:
          cp -rf /mnt/* /dump
   e) Now install the createrepo package from your /dump directory with the rpm command:
          rpm -ivh /dump/Server/createrepo* --force --nodeps
   f) After finishing this command, type:
          createrepo -v /dump
   g) Now open two configuration files:
          1. vi /etc/yum.repos.d/rhel-debuginfo.repo
          2. vi /etc/exports
   h) In the first configuration file write these lines:
          [Redhat]
          name=Redhat 5.3
          baseurl=file:///dump
          enabled=1
          gpgcheck=0
   i) In the second configuration file write these lines:
          /dump *(rw,sync)
          /pub *(rw,sync)
   j) Now start the services:
          service portmap restart
          service vsftpd restart
   k) Turn the daemons on:
          chkconfig portmap on
          chkconfig vsftpd on
   l) Check the status of the NFS service, whether it is running or not:
          service vsftpd status
   m) For checking the shared directory on your own system:
          showmount -e 192.168.1.10 (client IP address)
   n) For checking the shared directory from another system:
          showmount -e 192.168.1.254 (server IP address)
   o) Give full permissions to these two directories:
          chmod 777 /dump
          chmod 777 /var/ftp/pub
   p) Now open FTP to your own Linux system:
          [root@chetan ~]# ftp 192.168.1.10
          Connected to 192.168.1.10 (192.168.1.10)
          220 ready, dude (vsFTPd 1.1.0: beat me, break me)
          Name (192.168.1.10:root): ftp
          331 Please specify the password.
          Password:
          230 Login successful. Have fun.
          Remote system type is UNIX.
          Using binary mode to transfer files.
          ftp>
   q) To download a file from FTP:
          get filename
   r) To upload a file to FTP:
          put filename
   s) There are two default FTP users: ftp and anonymous.
   t) Open the configuration file for the FTP server:
          vi /etc/vsftpd/vsftpd.conf

          # Allow anonymous FTP?
          anonymous_enable=YES
          ...
          # The directory which vsftpd will try to change
          # into after an anonymous login. (Default = /var/ftp)
          anon_root=/data/directory
          ...
          # Uncomment this to allow local users to log in.
          local_enable=YES
          ...
          # Uncomment this to enable any form of FTP write command.
          # (Needed even if you want local users to be able to upload files)
          write_enable=YES
          ...
          # Uncomment to allow the anonymous FTP user to upload files.
          .........
          .........
   u) We can also log in as a local user in FTP by changing this configuration file:
          vi /etc/passwd
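The vsftpd directives quoted above (anonymous_enable, local_enable, write_enable together with chmod 777 on the anonymous directory) and the ftpusers/user_list behaviour described earlier are the two things worth checking on such a server. The shell below is an added example, not the document's: it assumes the Red Hat defaults userlist_enable=YES and userlist_deny=YES, anon_upload_enable and anon_mkdir_write_enable are real vsftpd directives the text elides, and all sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original document. Two checks for a vsftpd host:
#   audit_vsftpd <vsftpd.conf>                    flags risky directive combinations
#   ftp_login_check <user> <ftpusers> <user_list> says whether a login is refused
#                                                 before or after the password prompt
# Assumes the Red Hat defaults userlist_enable=YES and userlist_deny=YES, under
# which user_list is a deny list consulted before the password is asked for,
# while ftpusers is enforced by PAM after the password has been entered.

vsftpd_get() {   # vsftpd_get <key> <conf>: last value set for key, upper-cased
    grep "^$1=" "$2" | tail -n 1 | cut -d= -f2- | tr '[:lower:]' '[:upper:]'
}

audit_vsftpd() {
    conf="$1"
    anon=$(vsftpd_get anonymous_enable "$conf")
    write=$(vsftpd_get write_enable "$conf")
    localu=$(vsftpd_get local_enable "$conf")
    # anon_upload_enable / anon_mkdir_write_enable are real vsftpd directives
    # that the text elides ("Uncomment to allow the anonymous FTP user to upload")
    anonup=$(vsftpd_get anon_upload_enable "$conf")
    anonmk=$(vsftpd_get anon_mkdir_write_enable "$conf")
    count=0
    if [ "$anon" = YES ]; then
        echo "anonymous_enable=YES: anyone can log in as ftp/anonymous without a real password"
        count=$((count + 1))
        if [ "$write" = YES ] && { [ "$anonup" = YES ] || [ "$anonmk" = YES ]; }; then
            echo "write_enable=YES plus anonymous upload: anonymous users can write to anon_root"
            count=$((count + 1))
        fi
    fi
    if [ "$localu" = YES ] && [ "$write" = YES ]; then
        echo "local_enable=YES with write_enable=YES: every local account can upload over FTP"
        count=$((count + 1))
    fi
    [ "$count" -eq 0 ]
}

ftp_login_check() {   # ftp_login_check <user> <ftpusers> <user_list>
    if grep -qxF "$1" "$3"; then
        echo "denied before the password prompt (listed in user_list)"
    elif grep -qxF "$1" "$2"; then
        echo "denied after the password is entered (listed in ftpusers, enforced by PAM)"
    else
        echo "allowed"
    fi
}

# Constructed sample configuration following the directives quoted in the text.
VSFTPD_SAMPLE=$(mktemp)
cat > "$VSFTPD_SAMPLE" <<'EOF'
anonymous_enable=YES
anon_root=/data/directory
local_enable=YES
write_enable=YES
anon_upload_enable=YES
EOF

# Constructed deny lists mirroring the edits described in the text: root removed
# from both files, vinita added to ftpusers, chetan added to user_list.
FTPUSERS_SAMPLE=$(mktemp)
USER_LIST_SAMPLE=$(mktemp)
printf 'bin\ndaemon\nvinita\n' > "$FTPUSERS_SAMPLE"
printf 'bin\ndaemon\nchetan\n' > "$USER_LIST_SAMPLE"

audit_vsftpd "$VSFTPD_SAMPLE" || echo "review the findings above"
for u in root vinita chetan; do
    echo "$u: $(ftp_login_check "$u" "$FTPUSERS_SAMPLE" "$USER_LIST_SAMPLE")"
done
```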
(III) DHCP Server

Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses and other network configuration information (subnet mask, broadcast address, etc.) to computers on a network. A client configured for DHCP will send out a broadcast request to the DHCP server requesting an address. The DHCP server will then issue a "lease" and assign it to that client. The time period of a valid lease can be specified on the server.

DHCP reduces the amount of time required to configure clients and allows one to move a computer to various networks and be configured with the appropriate IP address, gateway and subnet mask. For ISPs it conserves the limited number of IP addresses they may use. DHCP servers may assign a "static" IP address to specified hardware. Microsoft NetBIOS information is often included in the network information sent by the DHCP server.

DHCP, or Dynamic Host Configuration Protocol, allows an administrator to configure network settings for all clients on a central server. The DHCP clients request an IP address and other network settings from the DHCP server on the network. The DHCP server in turn leases the client an IP address within a given range, or leases the client an IP address based on the MAC address of the client's network interface card (NIC). The information includes its IP address, along with the network's name server, gateway, and proxy addresses, including the netmask. Nothing has to be configured manually on the local system, except to specify the DHCP server it should get its network configuration from. If an IP address is assigned according to the MAC address of the client's NIC, the same IP address can be leased to the client every time the client requests one. DHCP makes network administration easier and less prone to error.

Exam Question: Configure the DHCP server by matching the following conditions:

• Subnet and netmask should be 192.168.0.0 255.255.255.0
• Gateway should be 192.168.0.254
• DNS server should be 192.168.0.254
• Domain name should be example.com
• Range from 192.168.0.10-50

Exam Question: You have a DHCP server, which assigns the IP, gateway and DNS server IP to clients. There is one DNS server having MAC address 00:50:FC:98:8D:00 in your LAN, but it always requires a fixed IP address (192.168.0.10). Configure the DHCP server to assign the fixed IP address to the DNS server.

1) Configure DHCP Server

In this example we will configure a DHCP server and lease IP addresses to clients. For this example we are using three systems: one Linux server, one Linux client and one Windows client. The DHCP RPM is required to configure the DHCP server. Check it; if not found, install it.

Now check the dhcpd service in System Services; it should be on:

    #setup

Select System service from the list:

    [*] dhcpd

2) Assign an IP Address to the DHCP Server

The DHCP server has a static IP address. First configure the IP address 192.168.0.254 with netmask 255.255.255.0 on the server. Run the setup command as the root user:

    #setup

This will launch a new window. Select Network Configuration. Now a new window will show you all available LAN cards; select your LAN card. (If you don't see any LAN card here, it means you don't have the driver installed.)

Assign the IP in this box and click OK. Click OK, Quit and again Quit to come back to the root prompt. Restart the network service so the new IP address takes effect on the LAN card:

    #service network restart

The main configuration file of the DHCP server is dhcpd.conf. This file is located in the /etc directory. If this file is not present there, or you have corrupted this file, then copy a new file first; if asked to overwrite, press y.
    • Chetan Soni – Security SpecialistNow Open /etc/dhcpd.confDefault Entry in this file look like thisMake these Change in this file to Configure DHCP Server.remove this line# - - - default gatewayset option routers to192.168.0.254set option subnet-mask to255.255.255.0option nis domain toexample.comoption domain-name toexample.comoption domain-name-servers to192.168.0.254range dynamic-bootp to192.168.0.10 192.168.0.50;29 | P a g ewww.facebook.com/er.chetansoni
    • Chetan Soni – Security SpecialistAfter change this file should look like this3) Assign fix IP Address to any HostLocate this Paragraph and Change Hardware Ethernet to Clients MacAddress and fixed -address to IP Address which you want to provide thathost.After making Necessary Change Save File and Exit.Now Create a Blank File use to store the allocated IP Address Information30 | P a g ewww.facebook.com/er.chetansoni
    • Chetan Soni – Security SpecialistNow Restart HDCP service and on it with chkconfig Commands. 4) Linux Client configurationClient Configuration is very easy and Straightforward. All you need to do isset IP Address to Dynamic in the Properties of lan card.#setupSelect Network Configuration from menu listSelect Lan card and enter on OKSelect Use DHCP and Enter on OKNow click on it and Quit to Come back on Root Prompt Now Restart the Network Service to Obtain IP from DHCP Server31 | P a g ewww.facebook.com/er.chetansoni
5) Windows client configuration

To configure a Windows system as a DHCP client, open the LAN card properties, select TCP/IP, click Properties and set "Obtain an IP address automatically". Open a command prompt and check the new IP address. Then check the lease on the DHCP server.
You can check the allocated addresses on the server.
In short:

1. Packages required: dhcpd-5.16-5.i386.rpm
2. Service in DHCP: dhcpd
3. Procedure:

a) First give an IP address to your system:
   IP Address = 192.168.1.10
   Subnet Mask = 255.255.255.0
   DNS = 192.168.1.1
b) Restart your network service:
   service network restart
c) Now install the DHCP package:
   yum install dhcp*
d) Open the configuration file of this server:
   vi /etc/dhcpd.conf
e) Read the sample file into this file, then save it:
   :r /usr/share/doc/dhcp-3.0.5/dhcp.conf.sample
f) Now open this file again and change these lines:

   ddns-update-style interim;
   ignore client-updates;

   subnet 192.168.1.0 netmask 255.255.255.0 {
       range 192.168.1.128 192.168.1.254;
       option subnet-mask 255.255.255.0;
       option broadcast-address 192.168.1.255;
       option routers 192.168.1.1;
       option domain-name "your-domain.org";
       option domain-name-servers 40.175.42.254, 40.175.42.253;   # Default DNS to be used by DHCP clients
       option netbios-name-servers 192.168.1.100;   # (Optional. Specify if used on your network)
       # DHCP requests are not forwarded. Applies when there is more than one ethernet device and forwarding is configured.
   }

g) Save this configuration file.
h) Now restart your network service:
   service network restart
i) Restart your DHCP service:
   service dhcpd restart
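The subnet block above and the host reservation from step 3 are easy to get subtly wrong: a range that spills outside the subnet, or a fixed-address that overlaps the dynamic range so a second client can be handed the same address. The following is an added example (not part of this guide and not ISC's own tooling) that renders the same subnet block from the values in the "In short" section and checks those relationships before the file is installed. The host name client2, the MAC 00:11:22:33:44:55 and the fixed address 192.168.1.20 are constructed placeholders.

```python
"""Render an ISC dhcpd.conf subnet block and sanity-check its parameters.

Added example, not from the original guide. Subnet, range, router, DNS and
domain values follow the guide's "In short" section; the reservation is
constructed (placeholder MAC address).
"""
import ipaddress

SUBNET = "192.168.1.0/24"
RANGE = ("192.168.1.128", "192.168.1.254")
ROUTER = "192.168.1.1"
DNS_SERVERS = ["40.175.42.254", "40.175.42.253"]
DOMAIN = "your-domain.org"
RESERVATIONS = {
    # hostname: (MAC address placeholder, fixed address) -- constructed
    "client2": ("00:11:22:33:44:55", "192.168.1.20"),
}


def render_dhcpd_conf(subnet, ip_range, router, dns_servers, domain, reservations):
    """Return dhcpd.conf text for one subnet plus host reservations."""
    net = ipaddress.ip_network(subnet)
    lines = [
        "ddns-update-style interim;",
        "ignore client-updates;",
        "",
        f"subnet {net.network_address} netmask {net.netmask} {{",
        f"    range {ip_range[0]} {ip_range[1]};",
        f"    option subnet-mask {net.netmask};",
        f"    option broadcast-address {net.broadcast_address};",
        f"    option routers {router};",
        f'    option domain-name "{domain}";',
        f"    option domain-name-servers {', '.join(dns_servers)};",
        "}",
    ]
    for name, (mac, addr) in reservations.items():
        lines += [
            "",
            f"host {name} {{",
            f"    hardware ethernet {mac};",
            f"    fixed-address {addr};",
            "}",
        ]
    return "\n".join(lines) + "\n"


def check_dhcpd_params(subnet, ip_range, router, reservations):
    """Return a list of problems; an empty list means the values are consistent."""
    net = ipaddress.ip_network(subnet)
    lo, hi = (ipaddress.ip_address(a) for a in ip_range)
    problems = []
    if lo > hi:
        problems.append("range start is after range end")
    if lo not in net or hi not in net:
        problems.append("range is not inside the subnet")
    if lo == net.network_address or hi == net.broadcast_address:
        problems.append("range includes the network or broadcast address")
    if ipaddress.ip_address(router) not in net:
        problems.append("router is not inside the subnet")
    for name, (_mac, addr) in reservations.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"reservation {name}: {addr} is outside the subnet")
        elif lo <= ip <= hi:
            # A fixed address inside the dynamic pool can collide with a lease
            problems.append(f"reservation {name}: {addr} overlaps the dynamic range")
    return problems


if __name__ == "__main__":
    print(render_dhcpd_conf(SUBNET, RANGE, ROUTER, DNS_SERVERS, DOMAIN, RESERVATIONS))
    print("problems:", check_dhcpd_params(SUBNET, RANGE, ROUTER, RESERVATIONS))
```

Run the check before "service dhcpd restart"; a reservation that lands inside the range is the mistake the guide's step 3 most easily invites, because dhcpd will not refuse it.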
(IV) SAMBA Server

Samba is a strong network service for file and print sharing that works on the majority of operating systems available today. When well implemented by the administrator, it is faster and more secure than the native file sharing services available on Microsoft Windows machines.

Samba is the protocol by which a lot of PC-related machines share files, printers and other information, such as lists of available files and printers. Operating systems that support this natively include Windows 95/98/NT, OS/2 and Linux, and add-on packages that achieve the same thing are available for DOS, Windows, VMS, Unix of all kinds, MVS and more. Apple Macs and some web browsers can speak this protocol as well.

Alternatives to SMB include Netware, NFS, AppleTalk, Banyan Vines, DECnet etc. Many of these have advantages, but none are public specifications that are widely implemented in desktop machines by default.

The Samba software includes an SMB server, to provide Windows NT and LAN Manager-style file and print services to SMB clients such as Windows 95, Warp Server, smbfs and others; a NetBIOS (RFC 1001/1002) name server, which amongst other things gives browsing support; an ftp-like SMB client so that you can access PC resources (disks and printers) from Unix, Netware and other operating systems; and finally a tar extension to the client for backing up PCs.
Most Linux systems are part of networks that also run Windows systems. Using Linux Samba servers, your Linux and Windows systems can share directories and printers. This is most useful where your clients are native Windows and you want to use the Linux security features.

1) Configure samba server

In this example we will configure a Samba server and transfer files from the client side. For this example we are using two systems: one Linux server and one Windows client.

a) Prerequisites of Samba server

- A Linux server with IP address 192.168.0.254 and hostname Server
- A Windows client with IP address 192.168.0.2 and hostname Client2
- Updated /etc/hosts file on the Linux system
- Running portmap and xinetd services
- Firewall should be off on the server

We have configured all these steps in our previous article.

b) Necessary configuration for Samba server

We suggest you review that article before starting the configuration of the Samba server. Once you have completed the necessary steps, follow this guide.

The samba rpm is required to configure a Samba server. Check for it; if not found, install it. Now check that the smb, portmap and xinetd services are enabled under System services:

#setup
Select "System services" from the list
[*] portmap
[*] xinetd
[*] smb

Now restart the xinetd, portmap and smb services.
To keep these services on after a reboot, enable them via the chkconfig command. After reboot verify their status; they must be running.

Create a normal user named vinita. Now create the /data directory and grant it full permission. Open the main Samba configuration file /etc/samba/smb.conf. By default the workgroup name in smb.conf is MYGROUP; you can change it to the desired name.
Our task is to share the data folder for the vinita user, so go to the end of the file and edit it as shown. Save the file with :wq and exit. Now add the vinita user as a Samba user. We have made the necessary changes; now enable the smb service and check its status. If you already had this service on, restart it with the "service smb restart" command.
2) Client configuration for samba server

Go to the Windows system and ping the Samba server. Change the computer name to client2 and the workgroup name to MYGROUP. Reboot the system after changing the workgroup name. After reboot, open My Network Places; here you can see the Samba server. (If you do not see it, click "View workgroup computers" in the right pane; if you still do not see it, use the Search button on the toolbar and search for the Samba server by IP.) First try to log in as user vinita. It will not succeed, as vinita does not have permission to log in.
Now log in as user vinita (give the password which you set with the smbpasswd command). As you can see in the image, user vinita gets the /data folder which we shared from the Samba server.
Copy some Windows files into the data folder.

3) Check status on samba server

On the Samba server you can check the runtime status of Samba by running the smbstatus command. In the output you see that one Samba shared directory is in use on the Windows system.
In short:

1. Packages required: samba-3.0.3-5.i386.rpm
2. Service in SAMBA: smb
3. Procedure:

a) First give an IP address to your system:
   IP Address = 192.168.1.10
   Subnet Mask = 255.255.255.0
   DNS = 192.168.1.1
b) Restart your network service:
   service network restart
c) Now install the SAMBA package:
   yum install samba*
d) Open the configuration file of this server:
   vi /etc/samba/smb.conf
e) Write these lines in this configuration file:

   [CHETAN]
   Comment=This is Samba Server
   Path=/home/chetan
   Public=yes
   Writable=yes
   Printable=yes
   Writelist=hello
   Readlist=hello
   Valid users=chetan,hello
   Browsable=yes

f) Save this configuration file.
g) Also change the workgroup name in this configuration file:
   workgroup=WORKGROUP
   interfaces=lo eth0 192.168.1.10/255.255.255.0
   hosts allow = 127. 192.168.1.
h) Now add a user to your system:
   adduser chetan
i) Give a Samba password to this user:
   smbpasswd -a chetan
j) Now restart the Samba service:
   service smb restart
k) Now open the Samba client:
   smbclient -L 192.168.1.10 -U chetan
   Passwd -> chetan
   Retype -> chetan
l) Now open this user's share:
   smbclient //192.168.1.10/chetan -U chetan
   smb: \> ls
m) Go to the Windows XP system.
n) Share the C: drive with the share name "Window".
o) Now in the Linux system type the following commands:
   smbclient -L 192.168.1.13 -U hcl
   smbclient //192.168.1.10/Window -U hcl
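The [CHETAN] share in the "In short" section combines Public=yes, Writable=yes and Printable=yes on a home directory, which is a lot of exposure for a lab share. The following is an added example (not part of this guide and not Samba's own code) that parses share definitions the way smb.conf(5) describes them (parameter names are case-insensitive and internal whitespace is ignored, so Writelist and "write list" are the same key) and flags the combinations a reviewer would question. The [global] section placed in front of the share, and the hardened [data] variant, are constructed for this example; the checklist is this example's own, not Samba's.

```python
"""Audit smb.conf share definitions for risky settings.

Added example, not from the original guide or from Samba. The [CHETAN]
share text is taken from the guide's "In short" section; the [global]
header and the hardened [data] share are constructed.
"""
import configparser
import re

SMB_CONF = """
[global]
workgroup = WORKGROUP
interfaces = lo eth0 192.168.1.10/255.255.255.0
hosts allow = 127. 192.168.1.

[CHETAN]
Comment=This is Samba Server
Path=/home/chetan
Public=yes
Writable=yes
Printable=yes
Writelist=hello
Readlist=hello
Valid users=chetan,hello
Browsable=yes
"""

# Constructed hardened variant: authenticated users only, no print spooling.
HARDENED_CONF = """
[global]
hosts allow = 127. 192.168.1.

[data]
path = /data
valid users = vinita
writable = yes
public = no
printable = no
browseable = yes
"""


def _norm(name):
    # smb.conf(5): parameter names are case-insensitive and whitespace is ignored
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = _norm
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_shares(conf):
    """Return {share: [findings]} for every section other than [global]."""
    findings = {}
    glob = conf.get("global", {})
    for share, params in conf.items():
        if share == "global":
            continue
        notes = []
        guest = _yes(params.get("public", params.get("guestok", "no")))
        writable = _yes(params.get("writable", params.get("writeable", "no"))) or \
            params.get("readonly", "yes").strip().lower() == "no"
        if guest:
            notes.append("guest access (public = yes): no password is needed to connect")
        if guest and writable:
            notes.append("guest-writable share: unauthenticated users can modify files")
        if _yes(params.get("printable", "no")) and "printer" not in share.lower():
            notes.append("printable = yes on a file share: clients may write spool files into it")
        if "validusers" not in params and not guest:
            notes.append("no 'valid users' list: any Samba user can connect")
        if "hostsallow" not in params and "hostsallow" not in glob:
            notes.append("no 'hosts allow' restriction in the share or [global]")
        findings[share] = notes
    return findings


if __name__ == "__main__":
    for share, notes in audit_shares(parse_smb_conf(SMB_CONF)).items():
        print(share, notes)
```

Running it against the guide's share reports three findings (guest access, guest-writable, printable on a file share); the hardened [data] share, which is what the vinita example earlier in this section actually needs, reports none.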
(V) SQUID Server

Proxy servers operate as an intermediary between a local network and the Internet. Requests from local clients for web services can be handled by the proxy server. Squid is a high-performance HTTP and FTP caching proxy server. It is also known as a web proxy cache. As it stores data from frequently used web pages and files, it can often give your users the data they need without their systems having to look to the Internet.

With the Squid web proxy server you can control what may be accessed on your network from the Internet. It can act as a filter for everything from porn sites to advertisements and videos. In our example we will configure the Squid web proxy server, filter sites, and deny a specific host permission to access the Internet.

1) Configure squid web proxy server

The squid rpm is required to configure the Squid web proxy server; check whether it is installed and, if not, install it. Check the hostname and IP address of the server; they will be used when editing squid.conf.
Open /etc/squid/squid.conf for editing. Show line numbers with the :set nu option in vi command mode.

You need to add three lines to the squid.conf file in the /etc/squid/ directory before activating Squid.

The first edit concerns the hostname: locate the visible_hostname tag near line no 2835. Go to the end of this tag and add the hostname which you checked with the previous command.

By default Squid works on port no 3128, but you can change this. The port tag is located near line no 73. For our example we use the default port.

The next edit is to create the access control lists. The access control tag is located near line no 2226.
We will create three access lists:

- First, to block the host with IP address 192.168.1.7 from accessing the Internet.
- Second, to block a particular site.
- Third, to allow our lab network to access the Internet.

Go to the end of the access control tag, near line 2410, and create the access lists as shown here.

The final edit is to apply whatever access lists you have configured: go to the http_access tag near line no 2482, and at the end of this tag, near line no 2529, apply the configured access lists.

Be very careful about the order of the access lists: always put the "http_access deny all" line at the end. Whatever access list is defined below the "http_access deny all" line will never be checked.

You have made the necessary changes in squid.conf; now save it and return to the command prompt. We have created an access list web_deny to filter web traffic and set "http_access deny web_deny" in squid.conf. Now you can add the URLs of the websites you want to block to this file.
Now create the /etc/squid/web_deny file. For testing purposes in our example we are blocking www.google.com; you can add the URL of any site you want to block to this file.

You have completed all the necessary steps; now start the squid service.

2) Squid client configuration

On the client set the IP configuration. Set the proxy server's IP 192.168.1.3 as the default gateway and DNS server IP on the client system.
Now open the web browser and set the IP address and port number of the proxy server in the connection tab.
If you can successfully retrieve a website, Squid is working correctly. Now try to open www.google.com. Then go to the system whose IP address is 192.168.1.7 and try to access the Internet after making the same settings.
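The warning above about putting "http_access deny all" last is a consequence of Squid evaluating http_access lines in order and stopping at the first line whose ACLs all match. The following is an added example (not part of this guide and not Squid's code) that evaluates a small squid.conf fragment with the same three ACLs the guide builds, plus the web_deny file, so the outcome for each test client can be predicted before touching the browser. The ACL names bad_host, web_deny and lab_net, the lab network 192.168.1.0/24 and the fragment itself are constructed, since the guide's screenshots are not reproduced here; the blocked host 192.168.1.7, the site www.google.com and the file path /etc/squid/web_deny come from the guide.

```python
"""Simulate Squid http_access evaluation for the ACLs in this guide.

Added example, not from the original guide or from Squid. Handles src and
dstdomain ACLs, file-backed ACL values, first-match http_access rules and
the "opposite of the last line" default; ACL negation (!name) is not handled.
"""
import ipaddress

# Constructed squid.conf fragment in the spirit of the guide's three ACLs.
SQUID_CONF = """
acl bad_host src 192.168.1.7
acl web_deny dstdomain "/etc/squid/web_deny"
acl lab_net src 192.168.1.0/24
http_access deny bad_host
http_access deny web_deny
http_access allow lab_net
http_access deny all
"""

# Constructed contents of /etc/squid/web_deny (one domain per line).
WEB_DENY_FILE = """
www.google.com
"""


def parse_squid_conf(conf_text, acl_files):
    """Return (acls, rules): acls maps name -> (type, [values]); rules keep file order."""
    acls = {"all": ("src", ["0.0.0.0/0"])}  # Squid predefines the 'all' ACL
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            expanded = []
            for v in values:
                if v.startswith('"') and v.endswith('"'):
                    # A quoted value names a file holding one entry per line
                    entries = acl_files[v.strip('"')].splitlines()
                    expanded += [e.strip() for e in entries if e.strip() and not e.startswith("#")]
                else:
                    expanded.append(v)
            acls.setdefault(name, (acl_type, []))[1].extend(expanded)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, client_ip, dest_host):
    acl_type, values = acl
    if acl_type == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "dstdomain":
        host = dest_host.lower()
        for v in values:
            v = v.lower()
            if v.startswith("."):
                # ".example.com" matches example.com and every subdomain
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:
                return True
        return False
    raise ValueError(f"unsupported acl type {acl_type}")


def decide(acls, rules, client_ip, dest_host):
    """Apply http_access lines in order; the first line whose ACLs all match wins."""
    for action, names in rules:
        if all(acl_matches(acls[n], client_ip, dest_host) for n in names):
            return action
    # Documented Squid behaviour: no match -> the opposite of the last line's action
    return "allow" if rules and rules[-1][0] == "deny" else "deny"


def rules_after_deny_all(rules):
    """Return http_access lines placed after 'deny all'; they can never be reached."""
    for i, (action, names) in enumerate(rules):
        if action == "deny" and names == ["all"]:
            return rules[i + 1:]
    return []


if __name__ == "__main__":
    acls, rules = parse_squid_conf(SQUID_CONF, {"/etc/squid/web_deny": WEB_DENY_FILE})
    for ip, host in [("192.168.1.7", "example.com"), ("192.168.1.20", "www.google.com"),
                     ("192.168.1.20", "example.com"), ("10.0.0.5", "example.com")]:
        print(ip, host, "->", decide(acls, rules, ip, host))
```

The three checks the guide performs by hand (a normal lab client reaching a site, the same client trying www.google.com, and the 192.168.1.7 host) map onto the first three calls; the fourth shows a client outside the lab network falling through to "deny all".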
(VI) DNS Server

A DNS server, or name server, is used to resolve an IP address to a hostname or vice versa. You can set up four different types of DNS servers:

- A master DNS server for your domain(s), which stores authoritative records for your domain.
- A slave DNS server, which relies on a master DNS server for data.
- A caching-only DNS server, which stores recent requests like a proxy server. It otherwise refers to other DNS servers.
- A forwarding-only DNS server, which refers all requests to other DNS servers.

Before configuring BIND to create a DNS server, you must understand some basic DNS concepts. The entire hostname with its domain, such as server.example.com, is called a fully qualified domain name (FQDN). The right-most part of the FQDN, such as .com or .net, is called the top-level domain, with the remaining parts of the FQDN, which are separated by periods, being sub-domains.

These sub-domains are used to divide FQDNs into zones, with the DNS information for each zone being maintained by at least one authoritative name server. The authoritative server that contains the master zone file, which can be modified to update DNS information about the zone, is called the primary master server, or just master server. The additional name servers for the zone are called secondary servers or slave servers. Secondary servers retrieve information about the zone through a zone transfer from the master server or from another secondary server. DNS information about a zone is never modified directly on the secondary server.

1) Chroot feature

The chroot feature runs named as the user named, and it also limits the files named can see. When installed, named is fooled into thinking that the directory /var/named/chroot is actually the root (/) directory. Therefore, named files normally found in the /etc directory are found in the /var/named/chroot/etc directory instead, and those you would expect to find in /var/named are actually located in /var/named/chroot/var/named.
The advantage of the chroot feature is that if a hacker enters your system via a BIND exploit, the hacker's access to the rest of your system is isolated to the files under the chroot directory and nothing else. This type of security is also known as a chroot jail.

2) Configure DNS server

In this example we will configure a DNS server and test it from the client side. For this example we are using three systems: one Linux server, one Linux client and one Windows client.

The bind and caching-nameserver rpms are required to configure DNS. Check whether they are installed; if not found, install them. Set the hostname to server.example.com and the IP address to 192.168.0.254.

The main configuration file for the DNS server is named.conf. By default this file is not created in the /var/named/chroot/etc/ directory.
Instead of named.conf, a sample file /var/named/chroot/etc/named.caching-nameserver.conf is created. This file is used to make a caching-only name server. You can either edit this file after renaming it to named.conf to configure a master DNS server, or you can manually create a new named.conf file. In our example we are creating a new named.conf file.

We are using BIND's chroot feature, so all our necessary files will be located in the chroot directory. Set the directory location to /var/named. Next we will set the locations of the forward zone and reverse lookup zone files. If you cannot create this file manually, download the file and copy it to /var/named/chroot/etc/. Save this file with :wq and exit.

3) Configure zone file

We have defined two zone files: example.com.zone for the forward zone and 0.168.192.in-addr.arpa for the reverse zone. These files will be stored in the /var/named/chroot/var/named/ location. We will use two sample files to create them. Change directory to /var/named/chroot/var/named and copy the sample files to the names which we set in named.conf.
Now open the forward zone file example.com.zone. By default this file looks like the first image; change it exactly as shown in the second image. If you find it difficult to modify this file, download the configured file and copy it to /var/named/chroot/var/named.

Now open the reverse lookup zone file 0.168.192.in-addr.arpa. By default this file looks like the image.
Change this file exactly as shown in the image. If you find it difficult to modify this file, download the configured file and copy it to /var/named/chroot/var/named.

Now change the group ownership of these zone files to the named group, and start the named service. If the service restarts without any error, you have successfully configured the master name server. In our next article we will learn how to configure a slave DNS server and test it.
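The two zone files above must agree with each other: every A record in example.com.zone should have a matching PTR record in 0.168.192.in-addr.arpa, and vice versa, or reverse lookups for the host will fail silently. The following is an added example (not the guide's zone files, whose screenshots are not reproduced here, and not BIND's own tooling) that generates both files from one host table and cross-checks them. The zone example.com, the network 192.168.0.0/24 and the address 192.168.0.254 for server.example.com come from the guide; the other hosts, the SOA serial and the timers are constructed.

```python
"""Generate matching forward and reverse zone files and cross-check them.

Added example, not from the original guide or from BIND. Names and the
network follow the guide; client hosts, serial and timers are constructed.
"""
import ipaddress

ZONE = "example.com"
NETWORK = "192.168.0.0/24"
NAME_SERVER = "server.example.com."
SERIAL = 2013010101  # constructed; increase on every edit so slaves re-transfer
HOSTS = {  # constructed host table: name -> address
    "server": "192.168.0.254",
    "client1": "192.168.0.1",
    "client2": "192.168.0.2",
}


def soa_header(origin):
    return [
        f"$ORIGIN {origin}.",
        "$TTL 86400",
        f"@ IN SOA {NAME_SERVER} root.{ZONE}. (",
        f"        {SERIAL} ; serial",
        "        28800      ; refresh",
        "        7200       ; retry",
        "        604800     ; expire",
        "        86400 )    ; minimum",
        f"@ IN NS {NAME_SERVER}",
    ]


def forward_zone(hosts):
    lines = soa_header(ZONE)
    for name, addr in sorted(hosts.items()):
        lines.append(f"{name} IN A {addr}")
    return "\n".join(lines) + "\n"


def reverse_origin(network):
    """0.168.192.in-addr.arpa for 192.168.0.0/24 (octet-aligned prefixes only)."""
    net = ipaddress.ip_network(network)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zone(hosts, network):
    net = ipaddress.ip_network(network)
    lines = soa_header(reverse_origin(network))
    for name, addr in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        host_part = addr.split(".")[net.prefixlen // 8:]
        lines.append(f"{'.'.join(reversed(host_part))} IN PTR {name}.{ZONE}.")
    return "\n".join(lines) + "\n"


def parse_records(zone_text, rtype):
    """Return {owner: rdata} for records of one type in generated zone text."""
    out = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] == "IN" and parts[2] == rtype:
            out[parts[0]] = parts[3]
    return out


def cross_check(fwd_text, rev_text, network):
    """Return mismatches between A and PTR records; an empty list means consistent."""
    net = ipaddress.ip_network(network)
    a = parse_records(fwd_text, "A")
    ptr = parse_records(rev_text, "PTR")
    problems = []
    for name, addr in a.items():
        owner = ".".join(reversed(addr.split(".")[net.prefixlen // 8:]))
        if ptr.get(owner) != f"{name}.{ZONE}.":
            problems.append(f"A {name} -> {addr} has no matching PTR")
    for owner, fqdn in ptr.items():
        name = fqdn[: -len(f".{ZONE}.")]
        if a.get(name) is None:
            problems.append(f"PTR {owner} -> {fqdn} has no matching A")
    return problems


if __name__ == "__main__":
    fwd, rev = forward_zone(HOSTS), reverse_zone(HOSTS, NETWORK)
    print(fwd)
    print(rev)
    print("problems:", cross_check(fwd, rev, NETWORK))
```

The files this produces are what "Change this file exactly as shown in the image" amounts to; after copying them into /var/named/chroot/var/named, the group-ownership and service-start steps above are unchanged.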
(VII) MAIL Server

In a company environment, email is an essential component of the workday. Email is used to communicate with both internal employees and external customers. In the exam you will be tested on configuring the sendmail server for your local LAN. By default the sendmail server only allows connections from the local host, so we should edit the /etc/mail/sendmail.mc file to allow connections from other hosts.

The sendmail daemon is configured from a directory of files in /etc/mail and a directory of configuration files in /usr/share/sendmail-cf. There are two basic configuration files:

- sendmail.cf: the main sendmail configuration file.
- sendmail.mc: a macro file that is easier to edit, which can be used to generate a new sendmail.cf file.

For this example we are using two systems: one Linux server and one Linux client. These are the prerequisites for a sendmail server:

- A Linux server with IP address 192.168.0.254 and hostname Server
- A Linux client with IP address 192.168.0.1 and hostname Client1
- A configured DNS server on the Linux server
- Updated /etc/hosts file on both Linux systems
- Running portmap and xinetd services
- Firewall should be off on the server

We have configured all these steps in our previous article.

1) Configure sendmail server

The sendmail and m4 rpms are required to configure the sendmail server; check whether they are installed and, if not, install them. The mail server program reads /etc/mail/sendmail.cf. To change the configuration of the mail server, we should edit the /etc/mail/sendmail.mc file. When sendmail is started or restarted with the "service sendmail restart" command, a new sendmail.cf file is automatically generated if sendmail.mc has been modified. In the exam you should generate it with the m4 command.

Open /etc/mail/sendmail.mc for editing. Show line numbers with the :set nu option in vi command mode. By default, the following line (line no 116) limits sendmail access to connections from the local host only. You can allow other computers to use your sendmail server by commenting out this line.

In the sendmail.mc file, lines that begin with dnl, which stands for "delete to new line", are considered comments. Some lines end with dnl, but lines ending in dnl are not comments. Comment this line with the dnl keyword followed by a # sign. Save this file with :wq and exit.

Now generate a new sendmail.cf file using the m4 command as shown here. Now restart the sendmail service and also enable it with chkconfig.
If the sendmail service restarts without any error, you have configured sendmail successfully.

2) Configure sendmail client side

We are using another Linux system to test the sendmail server. All the configuration is the same as you did on the server system. Check that the sendmail and m4 rpms are installed. Open the /etc/mail/sendmail.mc file, locate line no 116, put dnl with a # sign in front of it and save the file. All steps are the same as those you did on the server. Now generate a new sendmail.cf file using the m4 command as shown here. Now restart the sendmail service and also enable it with chkconfig.

3) Testing of sendmail server

We will test the sendmail server by sending and receiving mail in the lab environment. For this we use two users, one on each system.
Now create one user on each system: vinita on the server and nikita on the client system. Now send mail from user vinita to nikita and from nikita to vinita, and check each other's mail with the mail command. Use the full user name to send mail.
For example, to send mail to nikita use nikita@client1, and to send mail to vinita use vinita@server.example.com.
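The dnl rule explained in the server configuration above (a line that starts with dnl is discarded, a line that merely ends in dnl is kept) is what makes "comment out line 116" work. The following is an added example (not part of this guide and not sendmail's tooling, which uses m4 to build sendmail.cf) that applies the dnl rule to a short sendmail.mc excerpt and reports whether the DAEMON_OPTIONS line still restricts sendmail to 127.0.0.1 or has been commented out so the daemon listens on all interfaces. The excerpt is constructed; the DAEMON_OPTIONS line itself is the stock one the guide refers to.

```python
"""Apply m4 'dnl' semantics to a sendmail.mc excerpt and read DAEMON_OPTIONS.

Added example, not from the original guide or from sendmail. 'dnl' deletes
from itself to the end of the line, so a line beginning with dnl vanishes
while a trailing dnl only swallows the newline after a directive.
"""
import ipaddress
import re

# Constructed sendmail.mc excerpt; the DAEMON_OPTIONS line matches the stock
# Red Hat file the guide edits at line 116.
ORIGINAL_MC = """
dnl # The following causes sendmail to only listen on the loopback
dnl # interface 127.0.0.1.  Remove the loopback address restriction to
dnl # accept email from the internet or intranet.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
define(`confTO_IDENT', `0')dnl
"""

# The same excerpt after the edit the guide describes (prefix "dnl # ").
EDITED_MC = ORIGINAL_MC.replace(
    "DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl",
    "dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl",
)

DNL = re.compile(r"\bdnl\b")
DAEMON_OPTIONS = re.compile(r"DAEMON_OPTIONS\(`([^']*)'\)")


def strip_dnl(text):
    """Return the lines m4 would still see after every dnl has deleted to end of line."""
    kept = []
    for line in text.splitlines():
        m = DNL.search(line)
        effective = line if m is None else line[: m.start()]
        if effective.strip():
            kept.append(effective.rstrip())
    return kept


def listen_address(mc_text):
    """Addr= value of the first active DAEMON_OPTIONS line, or None if no restriction remains."""
    for line in strip_dnl(mc_text):
        m = DAEMON_OPTIONS.match(line)
        if m:
            opts = dict(kv.strip().split("=", 1) for kv in m.group(1).split(","))
            return opts.get("Addr")
    return None


def listens_beyond_loopback(mc_text):
    """True once the daemon is no longer bound to a loopback address only."""
    addr = listen_address(mc_text)
    return addr is None or not ipaddress.ip_address(addr).is_loopback


if __name__ == "__main__":
    print("before edit:", listen_address(ORIGINAL_MC), listens_beyond_loopback(ORIGINAL_MC))
    print("after edit: ", listen_address(EDITED_MC), listens_beyond_loopback(EDITED_MC))
```

Before the edit the checker reports Addr=127.0.0.1; after it, no DAEMON_OPTIONS line survives the dnl pass, which is exactly the state the guide wants for the LAN test (and the state in which the host firewall, switched off in the prerequisites, would otherwise have been the only thing limiting who can connect).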
(VIII) TELNET Server

A Telnet server is used to log in to another system. You can use the telnet command to log in remotely to another system on your network. The system can be on your local area network or available through an Internet connection. Telnet operates as if you were logging in to another system from a remote terminal. You will be asked for a login name and password. In effect, you are logging in to another account on another system. In fact, if you have an account on another system, you could use Telnet to log in to it.

You invoke the Telnet utility with the keyword telnet. If you know the name of the site you want to connect to, you can enter telnet and the name of the site on the Linux command line.

CAUTION: The original version of Telnet is noted for being very insecure. For secure connections over a network or the Internet, you should use the Secure Shell (SSH). We will cover the SSH server in the next article. SSH operates in the same way as the original but uses authentication and encryption to secure the connection. Even so, it is advisable never to use Telnet to log in to your root account. That is why, by default, root login over Telnet is disabled.

1) Configure telnet server

In this example we will configure a Telnet server and invoke a connection from the client side. For this example we are using three systems: one Linux server, one Linux client and one Windows client. To complete the prerequisites of the Telnet server, follow this link.

a) Prerequisites of Telnet server

- A Linux server with IP address 192.168.0.254 and hostname Server
- A Linux client with IP address 192.168.0.1 and hostname Client1
- A Windows XP system with IP address 192.168.0.2 and hostname Client2
- Updated /etc/hosts file on both Linux systems
- Running portmap and xinetd services
- Firewall should be off on the server
b) Necessary configuration for Telnet server

We suggest you review that article before starting the configuration of the Telnet server. Once you have completed the necessary steps, follow this guide.

Four rpms are required to configure a Telnet server: telnet, telnet-server, portmap and xinetd. Check for them; if not found, install them. Now check that the telnet, portmap and xinetd services are enabled under System services:

#setup
Select "System services" from the list
[*] portmap
[*] xinetd
[*] telnet

Now restart the xinetd and portmap services. To keep these services on after a reboot, enable them via the chkconfig command. After reboot verify their status; they must be running.
Create a normal user named vinita.

2) On Linux client

Ping the Telnet server, run the telnet command, and give the user name and password.

3) On Windows client

Ping the Telnet server, run the telnet command, and give the user name and password.
4) Enable root login on the Telnet server

On the Linux server open the file /etc/securetty. At the end of the file add pts/0 to enable one Telnet session for root. If you need to open more Telnet sessions for root, add more entries: pts/1, pts/2 and so on. Now restart the xinetd and portmap services. Verify from Windows by logging in as root.
(IX) SSH Server

Telnet and FTP are well-known protocols, but they send data in plain text format, which can be captured by someone using another system on the same network, including the Internet. On the other hand, all data transferred using OpenSSH tools is encrypted, making it inherently more secure. The OpenSSH suite of tools includes ssh for securely logging in to a remote system and executing remote commands, scp for encrypting files while transferring them to a remote system, and sftp for secure FTP transfers.

OpenSSH uses a server-client relationship. The system being connected to is referred to as the server. The system requesting the connection is referred to as the client. A system can be both an SSH server and a client. OpenSSH also has the added benefits of X11 forwarding and port forwarding. X11 forwarding, if enabled on both the server and client, allows users to display a graphical application from the system they are logged in to on the system they are logged in from. Port forwarding allows a connection request to be sent to one server but be forwarded to another server that actually accepts the request.

In this article we discuss how to use OpenSSH, both from the server side and the client side.

1) Configuring the ssh server

The openssh-server RPM package is required to configure a Red Hat Enterprise Linux system as an OpenSSH server. If it is not already installed, install it with rpm commands as described in our previous article. After it is installed, start the service as root with the command "service sshd start". The system is now an SSH server and can accept connections. To configure the server to automatically start the service at boot time, execute the command "chkconfig sshd on" as root. To stop the server, execute the command "service sshd stop". To verify that the server is running, use the command "service sshd status".

2) Configure ssh server

In this example we will configure an SSH server and invoke a connection from the client side.
For this example we are using two systems: one Linux server and one Linux client. To complete the prerequisites of the SSH server, follow this link.

a) Prerequisites of ssh server

- A Linux server with IP address 192.168.0.254 and hostname Server
- A Linux client with IP address 192.168.0.1 and hostname Client1
- Updated /etc/hosts file on both Linux systems
- Running portmap and xinetd services
- Firewall should be off on the server

We have configured all these steps in our previous article.

b) Necessary configuration for ssh server

We suggest you review that article before starting the configuration of the SSH server. Once you have completed the necessary steps, follow this guide.

Three rpms are required to configure an SSH server: openssh-server, portmap and xinetd. Check for them; if not found, install them. Now check that the sshd, portmap and xinetd services are enabled under System services:

#setup
Select "System services" from the list
[*] portmap
[*] xinetd
[*] sshd

Now restart the xinetd, portmap and sshd services.
To keep these services on after a reboot, enable them via the chkconfig command. After reboot verify their status; they must be running. Create a normal user named vinita.

3) On Linux client

Ping the SSH server, run the ssh command and give the root password.
By default the ssh command will open a root session. If you want to log in as a normal user, specify the user name with the -l option. With ssh you can run any command on the server without logging in interactively (the user's password is required).
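The observation above that ssh opens a root session by default is governed by the PermitRootLogin keyword in sshd_config, and a detail that trips administrators up when they tighten it is that sshd honours only the first occurrence of a keyword: a "PermitRootLogin no" appended at the bottom of a file that already contains "PermitRootLogin yes" changes nothing. The following is an added example (not part of this guide and not OpenSSH's code) that reproduces that first-match, case-insensitive reading and reports the root-login posture of a constructed sshd_config excerpt. The compiled-in defaults of "yes" for PermitRootLogin and PasswordAuthentication are those documented for the OpenSSH versions this guide's Red Hat systems ship.

```python
"""Report the root-login posture of an sshd_config the way sshd reads it.

Added example, not from the original guide or from OpenSSH. sshd keeps the
first occurrence of each keyword and ignores later duplicates; keywords are
case-insensitive; a Match block ends the global section.
"""

# Constructed sshd_config excerpt with a duplicated PermitRootLogin at the end.
SSHD_CONFIG = """
# $OpenBSD: sshd_config
Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin yes
X11Forwarding yes
permitrootlogin no
"""

# Compiled-in defaults used when the keyword is absent (sshd_config(5)).
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}


def effective_settings(config_text):
    """Return {keyword_lower: value}, keeping only the first occurrence of each keyword."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # sshd treats blank lines and lines starting with '#' as comments
        if line.lower().startswith("match "):
            break  # everything after a Match line is conditional, not global
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def root_login_findings(config_text):
    """List what a reviewer would flag about direct root logins over SSH."""
    s = effective_settings(config_text)
    root = s.get("permitrootlogin", DEFAULTS["permitrootlogin"]).lower()
    pw = s.get("passwordauthentication", DEFAULTS["passwordauthentication"]).lower()
    findings = []
    if root == "yes":
        findings.append("PermitRootLogin yes is in effect (first occurrence wins; later lines are ignored)")
    if root == "yes" and pw == "yes":
        findings.append("root may log in with a password; prefer 'PermitRootLogin no' or 'without-password'")
    return findings


if __name__ == "__main__":
    print(effective_settings(SSHD_CONFIG))
    for f in root_login_findings(SSHD_CONFIG):
        print("-", f)
```

On the constructed file the checker reports that root password logins are still allowed despite the trailing "permitrootlogin no", which is why the fix is to edit the first occurrence (and then "service sshd restart", as in step 1) rather than append a new line.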
(X) SYSLOG Server

An important part of maintaining a secure system is keeping track of the activities that take place on the system. If you know what usually happens, such as understanding when users log in to your system, you can use log files to spot unusual activity. You can configure what syslogd records through the /etc/syslog.conf configuration file.

The syslogd daemon manages all the logs on your system and coordinates with any of the logging operations of other systems on your network. Configuration information for syslogd is held in the /etc/syslog.conf file, which contains the names and locations of your system log files.

By default the system only accepts logs generated on the local host. In this example we will configure a log server that accepts logs from the client side. For this example we are using two systems: one Linux server and one Linux client. To complete the prerequisites of the log server, follow this link.

a) Prerequisites of log server

- A Linux server with IP address 192.168.0.254 and hostname Server
- A Linux client with IP address 192.168.0.1 and hostname Client1
- Updated /etc/hosts file on both Linux systems
- Running portmap and xinetd services
- Firewall should be off on the server

We have configured all these steps in our previous article.

b) Necessary configuration for log server

We suggest you review that article before starting the configuration of the log server. Once you have completed the necessary steps, follow this guide. Check that the syslog, portmap and xinetd services are enabled under System services:

#setup
Select "System services" from the list
[*] portmap
[*] xinetd
[*] syslog
Now restart the xinetd and portmap services. To keep these services on after a reboot, enable them via the chkconfig command. After reboot verify their status; they must be running.

Now open the /etc/sysconfig/syslog file and locate the SYSLOGD_OPTIONS tag. Add the -r option to this tag to accept logs from clients:

-m 0 disables MARK messages.
-r enables logging from remote machines.
-x disables DNS lookups on messages received with -r.
After saving the file, restart the service with the "service syslog restart" command.

1) On Linux client

Ping the log server and open the /etc/syslog.conf file. Now go to the end of the file and add an entry for the server as "user.* @[server IP]", as shown. After saving the file, restart the service with the "service syslog restart" command. Now restart the client so that it sends log entries to the server. (Note that these logs are generated when the client boots, so do a restart, not a shutdown.)
2) Check clients' logs on log server

To check the client's messages on the server, open the file shown; at the end of this file you can see the logs from the clients.
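Which messages the "user.* @[server IP]" line above actually ships to the log server depends on the selector rules of syslog.conf: a facility.priority selector matches that priority and everything more severe, "*" matches any facility or priority, and ".none" switches a facility off again for that line. The following is an added example (not part of this guide and not sysklogd's code) that evaluates a constructed client syslog.conf containing the guide's forwarding entry and also reads SYSLOGD_OPTIONS on the server side for the -r flag. The syslog.conf lines other than the last one are constructed; the server address 192.168.0.254 comes from the guide.

```python
"""Decide where syslogd would deliver a message under a given syslog.conf.

Added example, not from the original guide or from sysklogd. Implements the
classic selector rules: facility.priority means that priority and above,
'*' wildcards, ',' facility lists, ';' selector lists and '.none'.
"""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
LEVEL = {name: i for i, name in enumerate(PRIORITIES)}
LEVEL["warn"], LEVEL["error"], LEVEL["panic"] = LEVEL["warning"], LEVEL["err"], LEVEL["emerg"]

# Constructed client /etc/syslog.conf; the last line is the guide's forwarding entry.
SYSLOG_CONF = """
# Log all kernel messages to the console.
kern.*                                      /dev/console
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
*.emerg                                     *
user.*                                      @192.168.0.254
"""


def parse_syslog_conf(text):
    """Return a list of (selectors, action); selectors is a list of (facility, level)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        sel_field, action = line.split(None, 1)
        selectors = []
        for sel in sel_field.split(";"):
            facilities, level = sel.rsplit(".", 1)
            for fac in facilities.split(","):
                selectors.append((fac, level))
        rules.append((selectors, action))
    return rules


def selector_applies(selectors, facility, priority):
    """Evaluate one line's selectors left to right; a later '.none' overrides an earlier match."""
    matched = False
    for fac, level in selectors:
        if fac != "*" and fac != facility:
            continue
        if level == "none":
            matched = False
        elif level == "*" or LEVEL[priority] >= LEVEL[level]:
            matched = True
    return matched


def destinations(rules, facility, priority):
    """Return the actions (files, @hosts, '*') that receive a facility.priority message."""
    return [action for selectors, action in rules if selector_applies(selectors, facility, priority)]


def is_forwarded(rules, facility, priority, server):
    """True if the message would be sent over the network to the given log server."""
    return f"@{server}" in destinations(rules, facility, priority)


def remote_reception_enabled(sysconfig_text):
    """Read /etc/sysconfig/syslog text and report whether SYSLOGD_OPTIONS carries -r."""
    for line in sysconfig_text.splitlines():
        if line.startswith("SYSLOGD_OPTIONS="):
            value = line.split("=", 1)[1].strip().strip('"')
            return "-r" in value.split()
    return False


if __name__ == "__main__":
    rules = parse_syslog_conf(SYSLOG_CONF)
    for fac, pri in [("user", "notice"), ("kern", "info"), ("mail", "info"), ("kern", "emerg")]:
        print(f"{fac}.{pri} ->", destinations(rules, fac, pri))
    print("server accepts remote logs:", remote_reception_enabled('SYSLOGD_OPTIONS="-m 0 -r"'))
```

With only "user.*" forwarded, kernel and authpriv messages stay on the client; if the point of the log server is to catch logins and failures centrally, the forwarding line needs a broader selector than the one used for the boot test here.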
(XI) NIS Server

NIS, or Network Information Systems, is a network service that allows authentication and login information to be stored on a centrally located server. This includes the username and password database for login authentication, the database of user groups, and the locations of home directories.

1) Configure NIS server

In this example we will configure a NIS server, and a user nis1 will log in from the client side. For this example we are using two systems: one Linux server and one Linux client. To complete the prerequisites of the NIS server, follow this link.

a) Prerequisites of NIS server

- A Linux server with IP address 192.168.0.254 and hostname Server
- A Linux client with IP address 192.168.0.1 and hostname Client1
- Updated /etc/hosts file on both Linux systems
- Running portmap and xinetd services
- Firewall should be off on the server

b) Necessary configuration for NIS server

Seven rpms are required to configure a NIS server: ypserv, cach, nfs, make, ypbind, portmap and xinetd. Check for them; if not found, install them.
Now check that the nfs, ypserv, yppasswdd, ypbind, portmap and xinetd services are enabled under System services:

#setup
Select "System services" from the list
[*] portmap
[*] xinetd
[*] nfs
[*] ypserv
[*] yppasswdd
[*] ypbind

Now open the /etc/sysconfig/network file, set the hostname and NIS domain name as shown here, and save the file. Now create a user named nis1 and give him a home directory under /rhome with full permission. Now open the /etc/exports file and share the /rhome/nis1 directory for the network. Save this with :wq and exit.

Now open the /var/yp/Makefile file and locate line number 109 (press ESC, then type :set nu to show line numbers, or read our vi editor article to know more about vi command line options). Now remove the other entries from this line except passwd group hosts netid, and save with :wq and exit.

Now restart these services:

#service portmap restart
#service xinetd restart
#service nfs restart
#service ypserv restart
#service yppasswdd restart

Don't restart the ypbind service at this time, as we haven't updated our database yet. Now change directory to /var/yp and run the make command to create the database. Now update this database by running the commands shown. (First add the server and then add all client machines one by one. After adding, press CTRL+D to save and confirm by pressing y.)
    • Chetan Soni – Security SpecialistNow once again restart all these service this time there should be no error#service portmap restart#service xinetd restart#service nfs restart#service ypserv restart#service yppasswdd restart#service ypbind restartNow set all these service to on with chkconfig so these could be on afterrestart#chkconfig portmap on#chkconfig xinetd on#chkconfig nfs on#chkconfig ypserv on#chkconfig yppasswdd on#chkconfig ypbind on 2) Client configurationBefore you start client configuration we suggest you to check proper connectivity betweenserver and client.First try to login on NIS server from telnet. If you can successfully login via telnet then try tomount /rhome/nis1 directory via nfs server.If you get any error in telnet or nfs then remove those error first. You can read ourpervious article for configuration related help.Once you successfully completed necessary test then start configuration of client sides.75 | P a g ewww.facebook.com/er.chetansoni
    • Chetan Soni – Security SpecialistTwo rpm are required to configure clients yp-tools and ypbind check them forinstallNow open /etc/sysconfig/network FileAnd make change as shown hereNow run setup command and select authentication configuration from list#setupNow check mark on NIS and Enter on Next76 | P a g ewww.facebook.com/er.chetansoni
    • Chetan Soni – Security SpecialistSet domain name to RHCEand server to 192.168.0.254 and click on OKNo error should be occurred here if you see any error then Check allConfiguration.No open /etc/auto.master fileIn the end of file do editing of /rhome as Shown here77 | P a g ewww.facebook.com/er.chetansoni
    • Chetan Soni – Security SpecialistSave the file with :wq and ExitNow open /etc/auto.misc fileIn the end of file do editing of user nis1 as shown hereSave the file with :wq and exitNow restart autofs and ypbind serviceSet these Service on via chkconfig Commands#chkconfig autofs on#chkconfig ypbind onNow Restart the System#reboot –fLogin from nis1 user on client system78 | P a g ewww.facebook.com/er.chetansoni
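The file edits from the NIS server and client steps above (NISDOMAIN in /etc/sysconfig/network, the "all:" target in /var/yp/Makefile, the /etc/exports share, and the autofs maps), written as idempotent shell functions and run against constructed copies of the files in a temporary directory. This is an added example, not the author's code; the export options and the autofs map lines are assumptions, since the page shows them only as screenshots.

```shell
#!/bin/sh
# Added example, not the article's own code: the file edits from the NIS section done
# as idempotent functions and run against constructed copies in a temp directory.
# Point the paths at /etc/sysconfig/network, /var/yp/Makefile, /etc/exports,
# /etc/auto.master and /etc/auto.misc to apply them on a real server or client.

# set_kv FILE KEY VALUE: set KEY=VALUE, replacing an existing line or appending one.
set_kv() {
    file=$1 key=$2 value=$3
    if grep -q "^$key=" "$file" 2>/dev/null; then
        sed "s|^$key=.*|$key=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# add_line_once FILE LINE: append LINE unless that exact line is already present.
add_line_once() {
    if ! grep -qxF -- "$2" "$1" 2>/dev/null; then
        printf '%s\n' "$2" >> "$1"
    fi
}

# trim_yp_all MAKEFILE: the page's Makefile step, "remove other entry from this line
# except passwd group hosts netid". Replacing the whole "all:" line also drops its
# trailing backslash, so the commented map names on the next lines stay comments.
trim_yp_all() {
    sed 's/^all:.*/all:  passwd group hosts netid/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample files standing in for the real ones.
NIS_DEMO_DIR=$(mktemp -d)
printf 'NETWORKING=yes\nHOSTNAME=localhost.localdomain\n' > "$NIS_DEMO_DIR/network"
printf 'all:  passwd group hosts rpc services netid protocols mail \\\n' > "$NIS_DEMO_DIR/Makefile"
printf '\t# netgrp shadow publickey networks ethers bootparams printcap\n' >> "$NIS_DEMO_DIR/Makefile"
: > "$NIS_DEMO_DIR/exports"
printf '/misc\t/etc/auto.misc\n' > "$NIS_DEMO_DIR/auto.master"
printf 'cd\t-fstype=iso9660,ro,nosuid,nodev\t:/dev/cdrom\n' > "$NIS_DEMO_DIR/auto.misc"

# Server side: hostname and NIS domain (RHCE, as on the page), the Makefile target,
# and the export of the user's home. The export options are an assumption: only the
# client subnet from the page, read-write.
set_kv "$NIS_DEMO_DIR/network" HOSTNAME Server
set_kv "$NIS_DEMO_DIR/network" NISDOMAIN RHCE
trim_yp_all "$NIS_DEMO_DIR/Makefile"
add_line_once "$NIS_DEMO_DIR/exports" '/rhome/nis1 192.168.0.0/24(rw,sync)'

# Client side: autofs maps so /rhome/nis1 mounts from the server at login
# (the map lines are assumptions; the page shows them only as a screenshot).
add_line_once "$NIS_DEMO_DIR/auto.master" '/rhome /etc/auto.misc --timeout=60'
add_line_once "$NIS_DEMO_DIR/auto.misc" 'nis1 -fstype=nfs,rw 192.168.0.254:/rhome/nis1'

# Re-running the same edits must leave the files unchanged.
set_kv "$NIS_DEMO_DIR/network" NISDOMAIN RHCE
add_line_once "$NIS_DEMO_DIR/exports" '/rhome/nis1 192.168.0.0/24(rw,sync)'
cat "$NIS_DEMO_DIR/network" "$NIS_DEMO_DIR/Makefile" "$NIS_DEMO_DIR/exports"
```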
(XII) WEB Server

When you view a web page over the Internet, the code to create that page must be retrieved from a server somewhere on the Internet. The server that sends your web browser the code to display a web page is called a web server. There are countless web servers all over the Internet serving countless websites to people all over the world. If you need a web server to host a website on the Internet, a Red Hat Enterprise Linux server can function as a web server using the Apache HTTP server. The Apache HTTP server is a popular, open-source server application that runs on many UNIX-based systems as well as Microsoft Windows.

1) Configure web server

In this example we will configure a web server. The necessary rpms for the web server are httpd, httpd-devel and apr; check whether they are installed. Now configure the IP address as 192.168.0.254 and check it. Start the httpd daemon and verify its running status.

2) Configure virtual hosting

In this example we will host the website www.vinita.com on the Apache web server. Create a document root directory for this website and an index page. For testing purposes we write the site name in its index page. Save the file and exit.

Now open the /etc/hosts file and, at the end of the file, bind the system IP to www.vinita.com.

Now open /etc/httpd/conf/httpd.conf, the main configuration file of the Apache server. Locate the virtual host tag (the commented NameVirtualHost line), remove the # from its beginning and add the IP of the host. Now go to the end of the file, copy the last seven lines [the virtual host tag] and paste them at the end of the file. Change these seven lines as shown in the image. Now save this file and exit from it.

You have done the necessary configuration; now restart the httpd service and test this configuration by running the links command. If the links command retrieves your home page, you have successfully configured the virtual host. Now test it with the site name: in the output of the links command you should see the index page of the site.

3) Configure multiple sites with the same IP address

At this point you have configured one site, www.vinita.com, with the IP address 192.168.0.254. Now we will configure one more site, www.nikita.com, with the same IP address. Create a document root directory for the www.nikita.com website and an index page. For testing purposes we write the site name in its index page. Save the file and exit.

Now open the /etc/hosts file and bind the system IP to www.nikita.com.

Now open /etc/httpd/conf/httpd.conf, the main configuration file of the Apache server. Go to the end of the file, copy the last seven lines [the virtual host tag] and paste them at the end of the file. Change these seven lines as shown in the image. Now save this file and exit from it.

You have done the necessary configuration; now restart the httpd service and test this configuration by running the links command.

4) Configure multiple sites with multiple IP addresses

Now we will host multiple sites with multiple IP addresses. Create a virtual LAN card on the server and assign it the IP address 192.168.0.253. We will create a testing site www.nidhi.com and bind it to the IP address 192.168.0.253. Create a document root directory for the www.nidhi.com website and an index page. For testing purposes we write the site name in its index page. Save the file and exit.

Now open the /etc/hosts file and bind the system IP with www.nidhi.com.

Now open /etc/httpd/conf/httpd.conf, the main configuration file of the Apache server. Go to the end of the file, copy the last seven lines [the virtual host tag] and paste them at the end of the file. Change these seven lines as shown in the image. Now save this file and exit from it.

You have done the necessary configuration; now restart the httpd service and test this configuration by running the links command. In the output of the links command you should see the index page of the site.

5) How to create a site alias

Now I will show you how you can use a site alias to configure more names for the same site. We configured the site www.vinita.com at the start of the example; now we will create www.goswami.com as a site alias for this site, so that the site can be accessed with both names.

To create the alias, first make its entry in the /etc/hosts file as shown here. Now open the main Apache configuration file /etc/httpd/conf/httpd.conf, go to the end of the file, copy the last seven lines [the virtual host tag] and paste them at the end of the file. Change these seven lines as shown in the image. Now save this file and exit from it.

You have done the necessary configuration; now restart the httpd service and test this configuration by running the links command. In the output of the links command you should see the index page of the site.
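The virtual host configuration that steps 2 to 5 build up, generated by a shell script and checked for the mistake that silently breaks step 3: two virtual hosts on one address without a NameVirtualHost line for that address. This is an added example, not the author's code; it puts www.goswami.com in the www.vinita.com block as a ServerAlias rather than copying a second block as the page does, and the document root paths are assumptions (the page does not name them).

```shell
#!/bin/sh
# Added example, not the article's own code: generate the VirtualHost blocks for the
# sites in this section and check the one mistake that silently breaks name-based
# hosting, two vhosts on one address without a NameVirtualHost line for it.

# vhost_block ADDR NAME DOCROOT [ALIAS ...]: the seven-line block the page copies from
# the end of httpd.conf, filled in for one site. Extra arguments become a ServerAlias
# line, so www.goswami.com lives in the www.vinita.com block instead of a second copy.
vhost_block() {
    addr=$1 name=$2 docroot=$3
    shift 3
    printf '<VirtualHost %s:80>\n' "$addr"
    printf '    ServerAdmin webmaster@%s\n' "$name"
    printf '    DocumentRoot %s\n' "$docroot"
    printf '    ServerName %s\n' "$name"
    if [ $# -gt 0 ]; then printf '    ServerAlias %s\n' "$*"; fi
    printf '    ErrorLog logs/%s-error_log\n' "$name"
    printf '    CustomLog logs/%s-access_log common\n' "$name"
    printf '</VirtualHost>\n'
}

# check_name_vhosts CONF: list every address that carries more than one VirtualHost but
# has no matching NameVirtualHost directive, and return 1 if any is found. Without that
# directive Apache 2.2 answers every name on the address from the first block it read
# (the "VirtualHost overlap" warning), so the second site of step 3 never shows up.
check_name_vhosts() {
    awk '
        /^[ \t]*NameVirtualHost[ \t]/ { named[$2] = 1 }
        /^[ \t]*<VirtualHost[ \t]/    { a = $2; sub(/>.*/, "", a); count[a]++ }
        END {
            bad = 0
            for (a in count)
                if (count[a] > 1 && !(a in named)) {
                    printf "missing NameVirtualHost %s (%d vhosts)\n", a, count[a]
                    bad = 1
                }
            exit bad
        }' "$1"
}

# build_conf: the configuration the page ends up with, two sites on 192.168.0.254, one
# on the alias address 192.168.0.253, and www.goswami.com aliased to www.vinita.com.
# The document root paths are assumptions; the page does not name them.
build_conf() {
    printf 'NameVirtualHost 192.168.0.254:80\n'
    vhost_block 192.168.0.254 www.vinita.com /var/www/vinita www.goswami.com
    vhost_block 192.168.0.254 www.nikita.com /var/www/nikita
    vhost_block 192.168.0.253 www.nidhi.com /var/www/nidhi
}

WEB_DEMO_DIR=$(mktemp -d)
build_conf > "$WEB_DEMO_DIR/vhosts.conf"
# Same blocks with the NameVirtualHost line still commented out, as in stock httpd.conf.
sed 's/^NameVirtualHost/#NameVirtualHost/' "$WEB_DEMO_DIR/vhosts.conf" > "$WEB_DEMO_DIR/broken.conf"
check_name_vhosts "$WEB_DEMO_DIR/vhosts.conf" && echo "vhosts.conf: name-based hosting OK"
check_name_vhosts "$WEB_DEMO_DIR/broken.conf" || echo "broken.conf: uncomment NameVirtualHost"
```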
(XIII) VNC Server

A VNC server is used to share a desktop with a remote computer. VNC works on a client-server architecture. To share a desktop you need the vnc-server package, and to access it from other computers you need vnc-viewer. In this tutorial I will show you how to configure a VNC server.

1) Configure the VNC server

Boot the system in init 5, the graphical mode. The vnc-server rpm is required to configure the server; check it and, if not found, install it. Now click on Preferences in the System menu and select Remote Desktop. This will launch a new window where you can set sharing and security for the remote desktop:

 "Allow other users to view your desktop": check this option if you want to present your desktop on another computer.
 "Allow other users to control your desktop": check this option if you want to grant other users permission to control your desktop.

In the Security tab you can set a password for the users who want to connect to the server [Recommended].

2) Configure Linux client

Go to the client system and ping the server. The vnc-viewer rpm is required to configure clients; check it and, if not found, install it. Now select Accessories from the Applications menu and click on VNC Viewer. This will launch a window; give the VNC server IP in it and click on OK. Once connected it will ask for the password; give the password which you set on the server. On the server side a pop-up will appear asking for permission; click on Allow. After getting permission from the server side you can use the server's desktop on the client side.
(XIV) PRINTER Server

Linux uses the Common UNIX Printing System, also known as CUPS. CUPS uses the Internet Printing Protocol (IPP) to allow local printing and print sharing. The /etc/cups/ directory stores all the configuration files for printing. However, these files can be easily managed with the Printer Configuration Tool in Linux.

Before you can use any printer, you first have to install it on a Linux system on your network. To start the Printer Configuration Tool, go to the System menu on the top panel and select Administration, Printing, or execute the command system-config-printer. If no printers are available for the system, only the Server Settings view is available for selection. If local printers are configured, a Local Printers menu will be available.

1) Install new printer

Click New Printer on the toolbar. In the dialog window that appears, accept the default queue name or change it to a short, descriptive name that begins with a letter and does not contain spaces. Then select the printer from the list, click on Forward and click on Finish.

Spool directories: When your system prints a file, it makes use of special directories called spool directories. The location of the spool directory is obtained from the printer's entry in its configuration file. On Linux, the spool directory is located at /var/spool/cups under a directory with the name of the printer.

Print job: A print job is a file to be printed. When you send a file to a printer, a copy of it is made and placed in a spool directory set up for that printer.

Classes: CUPS features a way to let you select a group of printers to print a job instead of selecting just one. That way, if one printer is busy or down, another printer can be automatically selected to perform the job. Such groupings of printers are called classes. Once you have installed your printers, you can group them into different classes.

Once you have successfully installed a local printer it will show in the right pane, and in the left pane you can see all administrative options.

 To view shared printers on other systems, tick the first option
 To share locally attached printers, tick the second option
 To allow remote administration of this printer, tick the third option

Tick the appropriate option and click on Apply.

2) Configure Windows clients

Go to the Windows system, ping the printer server, open Internet Explorer and give the IP address of the server with the printer port, 631. This will launch the CUPS web application; click on Manage Printers. Now you will see the shared printer on the server; click on Print Test Page. A test page will be sent to the printer server. Copy the URL of this printer.

Click on the Start button, select Printers and Faxes and click on Add New Printer. This will launch the Add New Printer wizard; click Next on the welcome screen and select Network Printer. On this screen select Internet Printer and paste the URL which you copied from Internet Explorer. Install the appropriate driver from the list, or use the Have Disk option if you have the driver CD, and click Next. On the next screen set this printer as the default, click on Next and then Finish.

3) Remote administration of print server

Go to the Linux system, ping the server and click on Printing from the Administration menu. Now click on Go to Server and give the print server IP address. It will take a few minutes to connect to the server depending on network speed. Now give the root password to connect to the printer server. Once you have connected with the server you can see all the print administration menus in the right pane.

4) Configure Linux clients

Go to the Linux system, ping the server and click on Printing from the Administration menu. Now click on New Printer and click on Forward. In the next New Printer screen, select the connection type Internet Printing Protocol, give the server IP in Hostname and the printer name in Printer Name. Select the appropriate model. If multiple drivers are available, select the one most appropriate for your configuration, or keep the default, then click Forward and Finish. The main Printer Configuration window should now include the name of your printer. To print a test page click on Print Test Page and a test page will be sent to the print server.

5) Managing printers from the command line

The lpadmin command enables you to perform most printer administration tasks from the command line.

lpc   To view all known queues
lpr   To send print requests to any local print queue
lpq   To see the print queue
lprm  To delete the jobs of your choice; use it with the job number
lp    To print any file
(XV) YUM Server

YUM stands for Yellow dog Updater, Modified, because it is based on YUP, the Yellow dog Updater. Yellow Dog is a version of Linux for the Power Architecture hardware. YUP, and later YUM, were written by the Linux community as a way to maintain an RPM-based system.

Advantages of YUM

Automatic resolution of software dependencies. If a package installation or upgrade request is made and requires the installation or upgrade of additional packages, YUM can list these dependencies and prompt the user to install or upgrade them.

Command-line and graphical versions. The command-line version can be run on a system with a minimal number of software packages. The graphical versions offer ease of use and a user-friendly graphical interface to software management.

Multiple software locations at one time. YUM can be configured to look for software packages in more than one location at a time.

Ability to specify particular software versions or architectures. Software locations accessible by YUM can contain multiple versions of the same RPM package and different builds for different architectures, such as one for i686 and one for x86_64. yum can easily check the appropriate version and download it.

While it's unlikely that you'll have an Internet connection during the exam, you could have a network connection to a local repository. So you should be ready to use the yum command during the Red Hat exam.

1) Create dump of RHEL CD

Whether you perform a network installation or create a yum repository file, you need a dump of the RHEL CD. It is generally created on the server in the RHCE exam; the candidate is given the location of this dump to perform the network installation. We will create the dump of the RHEL CD on /var/ftp/pub and use it for network installation or to create yum repository files.

Check how much space is available on the /var partition; a minimum of 4 GB is required. Now mount the RHEL DVD on /mnt and copy the entire disk to /var/ftp/pub. Once the dump is created on /var/ftp/pub you can umount the RHEL DVD.

2) Configure yum server

a) Prerequisites of the yum server

We assume that you have completed these prerequisites of the yum server:
 A Linux system with hostname Server.example.com and IP address 192.168.0.254
 Dump of the RHEL disk at the /var/ftp/pub location

Once you have completed these prerequisites, follow this guide. Change directory to /var/ftp/pub/Server. The yum and createrepo rpms are required for the yum server; install them. Now install the createrepo rpm. After installing the necessary packages, change directory to /var/ftp/pub and create the repository of the Server directory. The repository of all rpms will be created in a few minutes.

Now create the repository for VT. In a few seconds all the necessary repository data will be created for VT. Now create an errata directory and a repository for it. During the process of creating the repositories, two hidden directories named .olddata are created automatically; remove them.

Now check the hostname and change directory to /etc/yum.repos.d. Copy the sample repository file to a file named after the hostname and open it. The default repository file looks as shown. Remove the default lines and set the new locations of Server and VT as shown here. Save the file with :wq and exit.

Now remove all temporary data files with the yum clean all command.

To test the yum server, remove the telnet package; after checking all dependencies it will ask for confirmation, press y. Now install the telnet package from the yum server; after checking all dependencies it will ask for confirmation, press y.
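The repository file from step 2 written by a script instead of by hand, followed by a check that every file:// baseurl really points at a directory where createrepo has left its repodata, which is what "yum install" needs before the telnet test above can succeed. This is an added example, not the author's code; the repo file name, and keeping gpgcheck=1 with the release key path from the stock RHEL repo file, are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own code: write the local repo file this section
# edits by hand, then verify that every file:// baseurl really carries the repodata
# that createrepo produces. A directory without repodata/repomd.xml makes yum fail
# with a metadata error, the usual result when the createrepo run for one of the
# directories (Server, VT, errata) was skipped.

# write_local_repo FILE BASE: one [section] per directory the page indexes under BASE
# (/var/ftp/pub on the page). gpgcheck=1 and the release-key path are the values the
# stock RHEL repo file ships with; keeping them is an assumption, the page shows the
# edited file only as a screenshot.
write_local_repo() {
    file=$1 base=$2
    : > "$file"
    for section in Server VT errata; do
        {
            printf '[%s]\n' "$section"
            printf 'name=RHEL local dump (%s)\n' "$section"
            printf 'baseurl=file://%s/%s\n' "$base" "$section"
            printf 'enabled=1\ngpgcheck=1\n'
            printf 'gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release\n\n'
        } >> "$file"
    done
}

# check_local_repo FILE: for each file:// baseurl (paths without spaces), require
# <dir>/repodata/repomd.xml and flag a leftover .olddata directory. Returns 1 if any
# repository is unusable.
check_local_repo() {
    status=0
    for dir in $(sed -n 's#^baseurl=file://##p' "$1"); do
        if [ ! -f "$dir/repodata/repomd.xml" ]; then
            echo "$dir: no repodata/repomd.xml, run createrepo here"
            status=1
        fi
        if [ -d "$dir/.olddata" ]; then
            echo "$dir: stale .olddata directory left by createrepo, remove it"
        fi
    done
    return $status
}

# Constructed stand-in for the dump: Server and VT were indexed, errata was not, and
# Server still carries the .olddata leftover the page tells you to remove.
YUM_DEMO_DIR=$(mktemp -d)
mkdir -p "$YUM_DEMO_DIR/pub/Server/repodata" "$YUM_DEMO_DIR/pub/Server/.olddata" \
         "$YUM_DEMO_DIR/pub/VT/repodata" "$YUM_DEMO_DIR/pub/errata"
: > "$YUM_DEMO_DIR/pub/Server/repodata/repomd.xml"
: > "$YUM_DEMO_DIR/pub/VT/repodata/repomd.xml"
REPO_FILE="$YUM_DEMO_DIR/Server.example.com.repo"
write_local_repo "$REPO_FILE" "$YUM_DEMO_DIR/pub"
cat "$REPO_FILE"
check_local_repo "$REPO_FILE" || echo "fix the directories above, then run: yum clean all"
```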