NIS Network Information System is one of the centralized way to use the user through-out the network.
At Server
Install the nis server package
----->yum install -y ypserv
Add the needed users ,make sure that u give an uid that is normally not used ..go for 5000 + uids here i will be using ids at range of 6000 . This is may to avoid confilt with the local user uids
----->useradd -u 60000 nisuser1
----->passwd nisuser1
----->useradd -u 60001 nisuser2
----->passwd nisuser2
Give the nisdoamin name in /etc/sysconfig/network and we can make nis services use the port we say by giving following arguments
---->echo "
NISDOMAIN=virtual19
YPSERV_ARGS="-p 900"
YPPASSWRD_ARGS="-p 901"
YPXFRD_ARGS="-p 902"
" >> /etc/sysconfig/network
the -p argument will make the service use that port
Now to make the master nis server
----->service ypserv restart
----->/usr/lib64/yp/ypinit -m
will make the nis server and and make the needed changes
to make those changes permanent
------>make -C /var/yp
------>service ypserv restart
we can check the users by
getent passwd
-----------------------------
AT Client
-----------------------------
we neet to configure the authconfig-tui to nis
------->authconfig-tui
Now a window will be opened and we need to select the nis option,system will automatically start the needed service..you will be asked the nisdomain name and server ip we should provide that and when the window close the clinet configuration is complete
Now at client side if we do
------->getent passwd
we would be able to see the users...
to just see the nis users we need to use ypcat
------->ypcat passwd
this will only show the nis uses from passwd file
switch to the user just like we switch to normal users
at client ------->su nisuser1
Basically nis is not that much secure we can make its client restriction in file /var/yp/securenets .the ips or network given in that file only will have entry to nis server
To change passwd of the user from client we need to use yppasswdd sevice at server and same command at client side.
Tuesday, October 23, 2012
Monday, October 22, 2012
More about DNS and Security in Zone sharing
More about DNS
Bogus servers which give wrong information can be blocked or to make our server not to accept any information from them
server IP {bogus yes ;};
we can also create blackhole in dns where the server will not even acknowledge the other ip
blackhole {ips;};
version bind
this can be used to make the details of dns version IE bind version safe from the outsider
version "INFORMATION ....";
chrooting the bind
By installing the bind-chroot the dns configuration file will be moved to space where only root and named group has permission to edit those files
Making DNS Zone sharing safe
we could share a key between slave and master to make sure that update are send to only correct slaves.
This method in called TSIG transaction signature configuration
1.first start from client making the key
----->dnssec-keygen -a hmac-md5 -b 128 -n HOST virtual_key
----->cat Kvirtual_key.+157+56451.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: yzkKqIIa4sUPXm+Oz7VNgg==
Bits: AAA=
Created: 20121022004959
Publish: 20121022004959
Activate: 20121022004959
**copy the key part and create a key file as follows
------->vim /etc/rndc.key
key "virtual_key"
{
algorithm HMAC-MD5;
secret "yzkKqIIa4sUPXm+Oz7VNgg==";
};
------->chgrp named /etc/rndc.key
**inside /etc/named.conf add
include "/etc/rndc.key" ;
server 192.168.100.1 {
keys { virtual_key ; };
};
**and
allow-transfer { key virtul_key ;};
this forces the client to use the key we generate..
Now copy the rndc.key file to server
change the group to named at server
and include the file to /etc/named.conf and give allow-transfer at needed zones to make it more secure
at server /etc/named.conf
include "/etc/rndc.key" ;
allow-transfer { key virtual_key ;};
----------------------------------------------------------------------
master configuration
----------------------------------------------------------------------
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "example" { 192.168.122.0/24 ; 127/8 ; };
acl "virtual" { 192.168.100.0/24 ; 127/8 ; };
include "/etc/rndc.key" ;
options {
listen-on port 53 { 127.0.0.1; example ; virtual ;};
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; example; virtual; };
allow-transfer { key virtual_key ;};
recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;
# dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view mixed {
match-clients { 192.168.122.2; 192.168.100.1; };
zone "example.com" IN {
type master;
file "forward.zone";
allow-update { none; };
};
zone "122.168.192.in-addr.arpa" IN {
type master;
file "reverse.zone";
allow-update { none; };
};
zone "virtual.com" IN {
type master;
file "forwardvir.zone";
allow-update { none; };
};
zone "100.168.192.in-addr.arpa" IN {
type master;
file "reversevir.zone";
allow-update { none; };
};
};
view internal {
match-clients { example; };
zone "example.com" IN {
type master;
file "forward.zone";
allow-update { none; };
};
zone "122.168.192.in-addr.arpa" IN {
type master;
file "reverse.zone";
allow-update { none; };
};
};
view external {
match-clients { virtual; };
zone "virtual.com" IN {
type master;
file "forwardvir.zone";
allow-update {none; };
};
zone "100.168.192.in-addr.arpa" IN {
type master;
file "reversevir.zone";
allow-update {none ;};
};
};
#include "/etc/named.rfc1912.zones";
----------------------------------------------------------------------------
slave configuration
----------------------------------------------------------------------------
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/rndc.key" ;
server 192.168.100.1 {
keys { virtual_key ; };
};
options {
listen-on port 53 { 127.0.0.1; 192.168.100.0/24 ;};
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost;192.168.100.0/24; };
allow-transfer { key virtul_key ;};
recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;
# dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view external {
match-clients { 192.168.100.0/24; };
allow-transfer { key virtual_key ;};
zone "virtual.com" IN {
type slave;
file "slaves/forwardvir.zone";
masters {192.168.100.1 ; };
#allow-update {none;};
};
zone "100.168.192.in-addr.arpa" IN {
type slave;
file "slaves/reversevir.zone";
masters {192.168.100.1 ; };
#allow-update {none;};
};
};
Bogus servers which give wrong information can be blocked or to make our server not to accept any information from them
server IP {bogus yes ;};
we can also create blackhole in dns where the server will not even acknowledge the other ip
blackhole {ips;};
version bind
this can be used to make the details of dns version IE bind version safe from the outsider
version "INFORMATION ....";
chrooting the bind
By installing the bind-chroot the dns configuration file will be moved to space where only root and named group has permission to edit those files
Making DNS Zone sharing safe
we could share a key between slave and master to make sure that update are send to only correct slaves.
This method in called TSIG transaction signature configuration
1.first start from client making the key
----->dnssec-keygen -a hmac-md5 -b 128 -n HOST virtual_key
----->cat Kvirtual_key.+157+56451.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: yzkKqIIa4sUPXm+Oz7VNgg==
Bits: AAA=
Created: 20121022004959
Publish: 20121022004959
Activate: 20121022004959
**copy the key part and create a key file as follows
------->vim /etc/rndc.key
key "virtual_key"
{
algorithm HMAC-MD5;
secret "yzkKqIIa4sUPXm+Oz7VNgg==";
};
------->chgrp named /etc/rndc.key
**inside /etc/named.conf add
include "/etc/rndc.key" ;
server 192.168.100.1 {
keys { virtual_key ; };
};
**and
allow-transfer { key virtul_key ;};
this forces the client to use the key we generate..
Now copy the rndc.key file to server
change the group to named at server
and include the file to /etc/named.conf and give allow-transfer at needed zones to make it more secure
at server /etc/named.conf
include "/etc/rndc.key" ;
allow-transfer { key virtual_key ;};
----------------------------------------------------------------------
master configuration
----------------------------------------------------------------------
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "example" { 192.168.122.0/24 ; 127/8 ; };
acl "virtual" { 192.168.100.0/24 ; 127/8 ; };
include "/etc/rndc.key" ;
options {
listen-on port 53 { 127.0.0.1; example ; virtual ;};
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; example; virtual; };
allow-transfer { key virtual_key ;};
recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;
# dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view mixed {
match-clients { 192.168.122.2; 192.168.100.1; };
zone "example.com" IN {
type master;
file "forward.zone";
allow-update { none; };
};
zone "122.168.192.in-addr.arpa" IN {
type master;
file "reverse.zone";
allow-update { none; };
};
zone "virtual.com" IN {
type master;
file "forwardvir.zone";
allow-update { none; };
};
zone "100.168.192.in-addr.arpa" IN {
type master;
file "reversevir.zone";
allow-update { none; };
};
};
view internal {
match-clients { example; };
zone "example.com" IN {
type master;
file "forward.zone";
allow-update { none; };
};
zone "122.168.192.in-addr.arpa" IN {
type master;
file "reverse.zone";
allow-update { none; };
};
};
view external {
match-clients { virtual; };
zone "virtual.com" IN {
type master;
file "forwardvir.zone";
allow-update {none; };
};
zone "100.168.192.in-addr.arpa" IN {
type master;
file "reversevir.zone";
allow-update {none ;};
};
};
#include "/etc/named.rfc1912.zones";
----------------------------------------------------------------------------
slave configuration
----------------------------------------------------------------------------
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/rndc.key" ;
server 192.168.100.1 {
keys { virtual_key ; };
};
options {
listen-on port 53 { 127.0.0.1; 192.168.100.0/24 ;};
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost;192.168.100.0/24; };
allow-transfer { key virtul_key ;};
recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;
# dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view external {
match-clients { 192.168.100.0/24; };
allow-transfer { key virtual_key ;};
zone "virtual.com" IN {
type slave;
file "slaves/forwardvir.zone";
masters {192.168.100.1 ; };
#allow-update {none;};
};
zone "100.168.192.in-addr.arpa" IN {
type slave;
file "slaves/reversevir.zone";
masters {192.168.100.1 ; };
#allow-update {none;};
};
};
DNS Master Slave Configuration
1.Master and slave configuration
2.acl setting
3.view setting
For making the Dns a Master dns server we give the type master and for making that slave we give type slaves. And by defaults in slaves the files will be copied from master to slaves defautl /var/named/slaves/ directory.
Acl setting acl setting is used to group a set of networks or individual ip's under a single name.
View setting is used to isolate the dns zones for a specific network as per acl or given ip's.we could give the ip's or network or acl which has access to the view in match-client {;}; option inside the view option .
-----------------------------------------------------------------------------
MASTERS-configuration file
-----------------------------------------------------------------------------
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "example" { 192.168.122.0/24 ; 127/8 ; };
acl "virtual" { 192.168.100.0/24 ; 127/8 ; };
options {
listen-on port 53 { 127.0.0.1; example ; virtual ;};
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; example; virtual; };
recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;
# dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view mixed {
match-clients { 192.168.122.2; 192.168.100.1; };
zone "example.com" IN {
type master;
file "forward.zone";
allow-update { none; };
};
zone "122.168.192.in-addr.arpa" IN {
type master;
file "reverse.zone";
allow-update { none; };
};
zone "virtual.com" IN {
type master;
file "forwardvir.zone";
allow-update { none; };
};
zone "100.168.192.in-addr.arpa" IN {
type master;
file "reversevir.zone";
allow-update { none; };
};
};
view internal {
match-clients { example; };
zone "example.com" IN {
type master;
file "forward.zone";
allow-update { none; };
};
zone "122.168.192.in-addr.arpa" IN {
type master;
file "reverse.zone";
allow-update { none; };
};
};
view external {
match-clients { virtual; };
zone "virtual.com" IN {
type master;
file "forwardvir.zone";
allow-update { none; };
};
zone "100.168.192.in-addr.arpa" IN {
type master;
file "reversevir.zone";
allow-update { none; };
};
};
#i:nclude "/etc/named.rfc1912.zones";
-----------------------------------------------------------------------------
SLAVES-configuration file
In salves the zones will have the entry
-----------------------------------------------------------------------------
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; 192.168.100.0/24 ;};
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.100.0/24 ; };
recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;
# dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view external {
match-clients { 192.168.100.0/24; };
zone "virtual.com" IN {
type slave;
masters { 192.168.100.1 ; };
file "slaves/forwardvir.zone";
allow-update { none; };
};
zone "100.168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.100.1 ; };
file "slaves/reversevir.zone";
allow-update { none; };
};
};
2.acl setting
3.view setting
For making the Dns a Master dns server we give the type master and for making that slave we give type slaves. And by defaults in slaves the files will be copied from master to slaves defautl /var/named/slaves/ directory.
Acl setting acl setting is used to group a set of networks or individual ip's under a single name.
View setting is used to isolate the dns zones for a specific network as per acl or given ip's.we could give the ip's or network or acl which has access to the view in match-client {;}; option inside the view option .
-----------------------------------------------------------------------------
MASTERS-configuration file
-----------------------------------------------------------------------------
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "example" { 192.168.122.0/24 ; 127/8 ; };
acl "virtual" { 192.168.100.0/24 ; 127/8 ; };
options {
listen-on port 53 { 127.0.0.1; example ; virtual ;};
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; example; virtual; };
recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;
# dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view mixed {
match-clients { 192.168.122.2; 192.168.100.1; };
zone "example.com" IN {
type master;
file "forward.zone";
allow-update { none; };
};
zone "122.168.192.in-addr.arpa" IN {
type master;
file "reverse.zone";
allow-update { none; };
};
zone "virtual.com" IN {
type master;
file "forwardvir.zone";
allow-update { none; };
};
zone "100.168.192.in-addr.arpa" IN {
type master;
file "reversevir.zone";
allow-update { none; };
};
};
view internal {
match-clients { example; };
zone "example.com" IN {
type master;
file "forward.zone";
allow-update { none; };
};
zone "122.168.192.in-addr.arpa" IN {
type master;
file "reverse.zone";
allow-update { none; };
};
};
view external {
match-clients { virtual; };
zone "virtual.com" IN {
type master;
file "forwardvir.zone";
allow-update { none; };
};
zone "100.168.192.in-addr.arpa" IN {
type master;
file "reversevir.zone";
allow-update { none; };
};
};
#i:nclude "/etc/named.rfc1912.zones";
-----------------------------------------------------------------------------
SLAVES-configuration file
In salves the zones will have the entry
-----------------------------------------------------------------------------
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; 192.168.100.0/24 ;};
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.100.0/24 ; };
recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;
# dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view external {
match-clients { 192.168.100.0/24; };
zone "virtual.com" IN {
type slave;
masters { 192.168.100.1 ; };
file "slaves/forwardvir.zone";
allow-update { none; };
};
zone "100.168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.100.1 ; };
file "slaves/reversevir.zone";
allow-update { none; };
};
};
Friday, October 19, 2012
Setting sendmail as default
alternatives --display mta
yum install sendmail
service postfix stop
chkconfig postfix off
vim /etc/mail/sendmail.mc
disable the line starting with DEAMON like below
dnl # DEAMON
make -C /etc/mail
alternatives --set Mta /usr/sbin/sendmail
service sendmail start
service sendmail restart
chkconfig sendmail on
yum install sendmail
service postfix stop
chkconfig postfix off
vim /etc/mail/sendmail.mc
disable the line starting with DEAMON like below
dnl # DEAMON
make -C /etc/mail
alternatives --set Mta /usr/sbin/sendmail
service sendmail start
service sendmail restart
chkconfig sendmail on
Wednesday, October 10, 2012
Apache + SSL = https
Here all my package are place in /apache directory
cd /apache
echo "Switching OFF httpd"
sleep 2
service httpd stop
chkconfig httpd off
echo "Installing needed packages..."
sleep 2
yum install -y pcre*
yum install -y gcc*
yum install -y libtool
yum install -y mod_ssl
yum install -y openssl*
yum install -y libxml*
updatedb
echo "Untaring apache..."
sleep 2
tar zxvf httpd-2.4.3.tar.gz
tar zxvf apr-1.4.6.tar.gz
tar zxvf apr-util-1.4.1.tar.gz
cd /apache
echo "Moving APR to directories..."
sleep 2
mv apr-1.4.6 /apache/httpd-2.4.3/srclib/apr
mv apr-util-1.4.1 /apache/httpd-2.4.3/srclib/apr-util
mkdir -p /http
cd httpd-2.4.3
echo "Compiling Apache..."
sleep 2
./configure --prefix=/http/ --enable-module=so --enable-rewrite=shared --with-included-apr --enable-cgi --enable-ssl
echo "Installing Apache..."
make
make install
echo "INSTALLATION COMPLETED...."
sleep 2
echo "Time for manual configuration..."
sleep 2
echo "Creating the SSL certificate and key"
sleep 2
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
echo "Copying the files to /http/conf"
sleep 2
cp server * /http/conf
echo "configure the ssl in apache"
gedit /http/conf/extra/httpd-ssl.conf
we should edit the ssl conf file to correct certificate and key file
echo "
#SSLEngine on
#SSLCertificateFile
#SSLCertificateKeyFile
" >> /http/conf/httpd.conf
tail -n 7 /etc/httpd/conf/httpd.conf >> /http/conf/httpd.conf
gedit /http/conf/httpd.conf
in httpd conf file we need to give the above 3 lines and path to certificate and key .we need to check whether the module is loaded or hashed ,if hashed we need to un hash it
the a proper service restart will ask for password
/http/bin/apachectl restart
cd /apache
echo "Switching OFF httpd"
sleep 2
service httpd stop
chkconfig httpd off
echo "Installing needed packages..."
sleep 2
yum install -y pcre*
yum install -y gcc*
yum install -y libtool
yum install -y mod_ssl
yum install -y openssl*
yum install -y libxml*
updatedb
echo "Untaring apache..."
sleep 2
tar zxvf httpd-2.4.3.tar.gz
tar zxvf apr-1.4.6.tar.gz
tar zxvf apr-util-1.4.1.tar.gz
cd /apache
echo "Moving APR to directories..."
sleep 2
mv apr-1.4.6 /apache/httpd-2.4.3/srclib/apr
mv apr-util-1.4.1 /apache/httpd-2.4.3/srclib/apr-util
mkdir -p /http
cd httpd-2.4.3
echo "Compiling Apache..."
sleep 2
./configure --prefix=/http/ --enable-module=so --enable-rewrite=shared --with-included-apr --enable-cgi --enable-ssl
echo "Installing Apache..."
make
make install
echo "INSTALLATION COMPLETED...."
sleep 2
echo "Time for manual configuration..."
sleep 2
echo "Creating the SSL certificate and key"
sleep 2
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
echo "Copying the files to /http/conf"
sleep 2
cp server * /http/conf
echo "configure the ssl in apache"
gedit /http/conf/extra/httpd-ssl.conf
we should edit the ssl conf file to correct certificate and key file
echo "
#SSLEngine on
#SSLCertificateFile
#SSLCertificateKeyFile
" >> /http/conf/httpd.conf
tail -n 7 /etc/httpd/conf/httpd.conf >> /http/conf/httpd.conf
gedit /http/conf/httpd.conf
in httpd conf file we need to give the above 3 lines and path to certificate and key .we need to check whether the module is loaded or hashed ,if hashed we need to un hash it
the a proper service restart will ask for password
/http/bin/apachectl restart
Saturday, October 6, 2012
NFS Sharing
Network File System Sharing is used for sharing the files/directory all through the network
port 2049
files used are
rpc.nfsd
rpc.mountd
rpc.lockd
rpc.statd
rpc.rquotandd
@ /usr/sbin
/etc/init.d/nfs
/etc/init.d/nfslock
/etc/exports
1.Server --- place from which we need to share the directory
---->yum install -y nfs-utils*
---->service nfs restart
---->chkconfig nfs on
---->vim /etc/exports
In this file we say about files we need to share ,the mode in which the files are to shared and network to which the files are to be shared
eg:
/nfs 192.168.0.0/24(ro)
/nfs 192.168.122.0/255.255.255.0(rw,sync)
/nfs 192.168.122.0/24(ro)
some of the modes in which directories can be shared are
crossmnt
no_subtree_check
root_squarch
---->exportfs -r
----****we should set the proper context ,sebool and setfacl for needed user
---->getsebool -a | grep nfs
this will list the needed Boolean we must set it according to the needs
---->setfacl -m u:nfsnobody:rwx /nfs
this will allow the nfsnobody user to use the /nfs directory this is needed if we are giving the write option to the directory
if more problems occur while sharing the directory we should also check the context for selinux or disable the selinux
showmount -e 192.168.0.1
will list the all the nfs shared directory by the server 192.168.0.1
2.Client --- where we will mount the shared directories
there are multiple ways to mount the directory
---->yum install -y nfs*
---->service nfs restart
---->chkconfig nfs on
a.every shared folders will be available at /net every time as readonly type we use that as following ,for first example of sharing
---->cd /net
---->cd 192.168.0.1 cd nfs
b.We can also mount the directory by simple mount command
mount nfs://192.168.0.1/nfs /data
one of the main default of this system is that if we give the entry for mount in fstab and server goes down and if we restart the client ,the client will have boot break to over come this problem we use autofs mounting systems
c.using autofs mounting system
here first we will edit /etc/auto.master file
---->vim /etc/auto.master
/data /etc/auto.nfs
---->vim /etc/auto.nfs
nfs -rw 192.168.122.1:/nfs
----->service autofs reload
----->chkconfig autofs on
here after reloading the autofs service we could browse to that folder
---->cd /data
---->cd nfs
---->ls
port 2049
files used are
rpc.nfsd
rpc.mountd
rpc.lockd
rpc.statd
rpc.rquotandd
@ /usr/sbin
/etc/init.d/nfs
/etc/init.d/nfslock
/etc/exports
1.Server --- place from which we need to share the directory
---->yum install -y nfs-utils*
---->service nfs restart
---->chkconfig nfs on
---->vim /etc/exports
In this file we say about files we need to share ,the mode in which the files are to shared and network to which the files are to be shared
eg:
/nfs 192.168.0.0/24(ro)
/nfs 192.168.122.0/255.255.255.0(rw,sync)
/nfs 192.168.122.0/24(ro)
some of the modes in which directories can be shared are
crossmnt
no_subtree_check
root_squarch
---->exportfs -r
----****we should set the proper context ,sebool and setfacl for needed user
---->getsebool -a | grep nfs
this will list the needed Boolean we must set it according to the needs
---->setfacl -m u:nfsnobody:rwx /nfs
this will allow the nfsnobody user to use the /nfs directory this is needed if we are giving the write option to the directory
if more problems occur while sharing the directory we should also check the context for selinux or disable the selinux
showmount -e 192.168.0.1
will list the all the nfs shared directory by the server 192.168.0.1
2.Client --- where we will mount the shared directories
there are multiple ways to mount the directory
---->yum install -y nfs*
---->service nfs restart
---->chkconfig nfs on
a.every shared folders will be available at /net every time as readonly type we use that as following ,for first example of sharing
---->cd /net
---->cd 192.168.0.1 cd nfs
b.We can also mount the directory by simple mount command
mount nfs://192.168.0.1/nfs /data
one of the main default of this system is that if we give the entry for mount in fstab and server goes down and if we restart the client ,the client will have boot break to over come this problem we use autofs mounting systems
c.using autofs mounting system
here first we will edit /etc/auto.master file
---->vim /etc/auto.master
/data /etc/auto.nfs
---->vim /etc/auto.nfs
nfs -rw 192.168.122.1:/nfs
----->service autofs reload
----->chkconfig autofs on
here after reloading the autofs service we could browse to that folder
---->cd /data
---->cd nfs
---->ls
Samba Sharing
Samba sharing use for sharing between linux and windows machines
port 137,139,138,445
configuration file /etc/samba/smb.conf
samba sharing can be of two types public and non public with username and passwd
1.public sharing
vim /etc/samba/smb.conf
74 workgroup = MYGROUP
75 server string = Samba Server Version %v
79 interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
80 hosts allow = 127. 192.168.12. 192.168.13.
last 8 lines
[public]
comment = Public Stuff
path = /smb
public = yes
writable = yes
printable = no
write list = +staff
browseable = no
here work group must be capital
server string is the name by which we select the sambaserver
interfaces as per needed
hosts allowed as per needed
later the share name in square bracket its the name by which we select the samba share from the server
path path to the directory
public yes for the public connection
browseable yes to enable browsing
here we are sharing the /smb directory,we should set the context,sebool and setfacl as need
---->chcon -t samba_share_t /smb
---->setfacl -m u:nobody:rwx /smb
and give needed sebool
getsebool -a | grep smb
getsebool -a | grep samba
2.Non public sharing
for a non public sharing the public tag should be no and we should add following tags from lines 252 to last part
valid users = ram
and we need to setfacl for ram to the directory /smb
---->setfacl -m u:ram:rwx /smb
and we need to give smbpasswd
smbpasswd -a ram
smbpasswd -e ram
-a for adding the user to samba users and -e to enable the samba passwd
we could see the hosted samba server by
smbclient -L 192.168.122.1 <---------IP of server
client part
1.public
smbclient -L 192.168.122.1
smbclient //server_string/sharename
2.Non public users
smbclient //server_string/sharename -U username
port 137,139,138,445
configuration file /etc/samba/smb.conf
samba sharing can be of two types public and non public with username and passwd
1.public sharing
vim /etc/samba/smb.conf
74 workgroup = MYGROUP
75 server string = Samba Server Version %v
79 interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
80 hosts allow = 127. 192.168.12. 192.168.13.
last 8 lines
[public]
comment = Public Stuff
path = /smb
public = yes
writable = yes
printable = no
write list = +staff
browseable = no
here work group must be capital
server string is the name by which we select the sambaserver
interfaces as per needed
hosts allowed as per needed
later the share name in square bracket its the name by which we select the samba share from the server
path path to the directory
public yes for the public connection
browseable yes to enable browsing
here we are sharing the /smb directory,we should set the context,sebool and setfacl as need
---->chcon -t samba_share_t /smb
---->setfacl -m u:nobody:rwx /smb
and give needed sebool
getsebool -a | grep smb
getsebool -a | grep samba
2.Non public sharing
for a non public sharing the public tag should be no and we should add following tags from lines 252 to last part
valid users = ram
and we need to setfacl for ram to the directory /smb
---->setfacl -m u:ram:rwx /smb
and we need to give smbpasswd
smbpasswd -a ram
smbpasswd -e ram
-a for adding the user to samba users and -e to enable the samba passwd
we could see the hosted samba server by
smbclient -L 192.168.122.1 <---------IP of server
client part
1.public
smbclient -L 192.168.122.1
smbclient //server_string/sharename
2.Non public users
smbclient //server_string/sharename -U username
Subscribe to:
Posts (Atom)