Introduction To System Services: 1 Red Hat Enterprise Linux More Bhushan
SELINUX (SECURITY ENHANCED LINUX): Security Enhanced Linux (SELinux) has been around for some time, but has recently seen a rise in popularity. It was developed by the National Security Agency (NSA) as a research project.
Linux was selected because it is open source, which makes it easier to get people involved and easier to prove the technology.
The primary goal of SELinux is to protect user space from system space and to protect user data from system services.
With SELinux they introduced a concept called Mandatory Access Control (MAC). With MAC, the security administrator decides who can do what to which files.
SELinux installation options: During the installation, SELinux is automatically activated.
Disabled: This option turns off the SELinux features.
Permissive: This option sets up some default policies and logging.
Enforcing: SELinux is now enforced, but it will affect certain daemons.
Controlling SELinux: 1. system-config-securitylevel
2. vim /etc/sysconfig/selinux
DOMAIN-NAMESPACE
It is a hierarchical, tree-structured namespace, starting at an unnamed
root used for all DNS operations. In the DNS namespace, each node
and leaf object in the domain namespace tree represents a named
domain. Each domain can have additional child domains.
Forward lookup Zone: It is used for resolving the Domain name to an IP address.
Reverse Lookup Zone: It is used for resolving an IP address to the domain name.
Some full forms of resource records:
1. A: address
2. NS: name server
3. SOA: start of authority
4. PTR: pointer
5. MX: mail exchanger
6. CNAME: canonical name
type master;
file "localdomain.zone";
allow-update { none; };
};
zone "localhost." IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa." IN {
type master;
file "named.local";
allow-update { none; };
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." IN {
type master;
file "named.ip6.local";
allow-update { none; };
};
zone "255.in-addr.arpa." IN {
type master;
file "named.broadcast";
allow-update { none; };
};
zone "0.in-addr.arpa." IN {
type master;
file "named.zero";
allow-update { none; };
};
include "/etc/rndc.key";
After changes: // Red Hat BIND Configuration Tool
//
// Default initial "Caching Only" name server configuration
//
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
/*zone "." IN {
type hint;
file "named.root";
};*/
zone "localdomain." IN {
type master;
file "localdomain.zone";
allow-update { none; };
};
zone "localhost." IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa." IN {
type master;
file "named.local";
allow-update { none; };
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." IN {
type master;
file "named.ip6.local";
allow-update { none; };
};
zone "255.in-addr.arpa." IN {
type master;
file "named.broadcast";
allow-update { none; };
};
zone "0.in-addr.arpa." IN {
type master;
file "named.zero";
allow-update { none; };
};
zone "example.com" IN {
type master;
file "forward.zone";
allow-update { none; };
};
zone "0.168.192.in-addr.arpa." IN {
type master;
file "reverse.zone";
allow-update { none; };
};
include "/etc/rndc.key";
7. cd /var/named/chroot/var/named/
8. ls
9. cp localhost.zone forward.zone
10. cp named.local reverse.zone
11. vim forward.zone
Before changes (the copied localhost.zone):
$TTL 86400
@       IN SOA  @ root (
                42      ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        IN NS   @
        IN A    127.0.0.1
        IN AAAA ::1
After changes:
$TTL 86400
@         IN SOA    server.example.com. root (
                    42      ; serial (d. adams)
                    3H      ; refresh
                    15M     ; retry
                    1W      ; expiry
                    1D )    ; minimum
          IN NS     server.example.com.
          IN A      192.168.0.254
server    IN A      192.168.0.254
www       IN CNAME  server.example.com.
station1  IN A      192.168.0.1     ; matches the PTR for 1 in reverse.zone
12. vim reverse.zone
Before changes (the copied named.local):
$TTL 86400
@       IN SOA  localhost. root.localhost. (
                42       ; Serial
                28800    ; Refresh
                14400    ; Retry
                3600000  ; Expire
                86400 )  ; Minimum
        IN NS   localhost.
1       IN PTR  localhost.
After changes:
$TTL 86400
@       IN SOA  server.example.com. root.server.example.com. (
                42       ; Serial
                28800    ; Refresh
                14400    ; Retry
                3600000  ; Expire
                86400 )  ; Minimum
        IN NS   server.example.com.
254     IN PTR  server.example.com.
1       IN PTR  station1.example.com.
13. vim /etc/resolv.conf
Add an entry:
search example.com
nameserver 192.168.0.254
14. ifconfig
15. hostname
16. service named start
17. chkconfig named on
18. service network restart
19. nslookup
>192.168.0.254
>example.com
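The forward and reverse zones above must agree with each other, and nslookup only tests one name at a time. The following is an added example, not part of the course notes: a small parser for the forward.zone and reverse.zone syntax used above, plus a check that every A record has a PTR and every PTR points back at an A record. The zone texts are constructed sample input reproducing the "after changes" files; FORWARD_ORIGIN and REVERSE_ORIGIN are the zone names from named.conf.

```python
"""Cross-check forward.zone against reverse.zone (added example)."""
import ipaddress

FORWARD_ORIGIN = "example.com."
REVERSE_ORIGIN = "0.168.192.in-addr.arpa."

# Constructed sample input: the two zone files after the edits above.
FORWARD_ZONE = """\
$TTL 86400
@         IN SOA    server.example.com. root (
                    42      ; serial
                    3H      ; refresh
                    15M     ; retry
                    1W      ; expiry
                    1D )    ; minimum
          IN NS     server.example.com.
          IN A      192.168.0.254
server    IN A      192.168.0.254
www       IN CNAME  server.example.com.
station1  IN A      192.168.0.1
"""

REVERSE_ZONE = """\
$TTL 86400
@       IN SOA  server.example.com. root.server.example.com. (
                42       ; Serial
                28800    ; Refresh
                14400    ; Retry
                3600000  ; Expire
                86400 )  ; Minimum
        IN NS   server.example.com.
254     IN PTR  server.example.com.
1       IN PTR  station1.example.com.
"""


def qualify(name, origin):
    """Turn '@' or a relative owner name into a fully qualified name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, rtype, rdata_tokens)] with fully qualified owners.

    Handles $TTL, ';' comments, multi-line parenthesised SOA records and
    owner inheritance (a line starting with whitespace reuses the previous owner).
    """
    records, buf, depth, owner, inherit = [], [], 0, "@", False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf:                      # first line of a new record
            if line.startswith("$"):
                continue                 # $TTL / $ORIGIN directives
            inherit = line[0].isspace()
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                     # still inside ( ... )
        tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if not inherit:
            owner = tokens.pop(0)
        if tokens[0] == "IN":
            tokens.pop(0)
        records.append((qualify(owner, origin), tokens[0], tokens[1:]))
    return records


def ptr_owner_to_ip(owner):
    """'254.0.168.192.in-addr.arpa.' -> '192.168.0.254'."""
    labels = owner.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 reverse name: {owner}")
    return ".".join(reversed(labels[:-2]))


def check_consistency(forward_text, reverse_text):
    """Return a list of problems; an empty list means the zones agree."""
    fwd = parse_zone(forward_text, FORWARD_ORIGIN)
    rev = parse_zone(reverse_text, REVERSE_ORIGIN)
    owners = {o for o, _, _ in fwd}
    a_map, ptr_map, problems = {}, {}, []
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            try:
                ipaddress.IPv4Address(rdata[0])
            except ValueError:
                problems.append(f"{owner}: A record value {rdata[0]!r} is not an IPv4 address")
                continue
            a_map.setdefault(rdata[0], set()).add(owner)
        elif rtype == "CNAME" and qualify(rdata[0], FORWARD_ORIGIN) not in owners:
            problems.append(f"{owner}: CNAME target {rdata[0]} has no record in the zone")
    for owner, rtype, rdata in rev:
        if rtype == "PTR":
            ptr_map.setdefault(ptr_owner_to_ip(owner), set()).add(qualify(rdata[0], FORWARD_ORIGIN))
    for ip, names in sorted(a_map.items()):
        targets = ptr_map.get(ip, set())
        if not targets:
            problems.append(f"{ip}: A record(s) for {sorted(names)} but no PTR in the reverse zone")
        elif not targets & names:
            problems.append(f"{ip}: PTR {sorted(targets)} does not name any A owner {sorted(names)}")
    for ip, targets in sorted(ptr_map.items()):
        for name in sorted(targets - a_map.get(ip, set())):
            problems.append(f"{ip}: PTR {name} has no matching A record")
    return problems


if __name__ == "__main__":
    for p in check_consistency(FORWARD_ZONE, REVERSE_ZONE) or ["forward and reverse zones agree"]:
        print(p)
```

Run it after every edit of the two files; an A record whose value is a hostname, or a PTR whose name never appears in the forward zone, is reported before named is restarted.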
DHCP works on the basis of DHCP messages; all DHCP messages are carried in UDP datagrams using port number 67 at the server and 68 at the client.
DHCP message types
1. DHCPDISCOVER: to find out DHCP availability
2. DHCPOFFER: response to the client computer, along with the offered configuration parameters
3. DHCPREQUEST: acceptance of the offered address and parameters
4. DHCPDECLINE: declines the offered address and parameters
5. DHCPACK: to confirm an IP address
6. DHCPNAK: to deny an IP address
7. DHCPRELEASE: to cancel the remaining lease
8. DHCPINFORM: for additional local configuration parameters
DHCP Leases: A DHCP lease defines the duration for which a DHCP server loans an IP address to a DHCP client. The lease duration can be between 1 minute and 999 days, or it can be unlimited. The default lease duration is eight days (11520 minutes).
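The message types above travel as option 53 inside a fixed BOOTP header. The following is an added example, not part of the course notes: a minimal encoder and decoder for that packet layout (236-byte header, magic cookie, then type-length-value options) which names the message type and lease time, and a client-side check that an OFFER really answers the DISCOVER that was sent. All packets are constructed in memory; nothing is sent on the network, and the MAC address and lease values are made up.

```python
"""Build and decode DHCP messages (added example)."""
import ipaddress
import struct

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68       # UDP ports from the text
MAGIC_COOKIE = b"\x63\x82\x53\x63"                # marks the start of DHCP options
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"         # the 236-byte BOOTP fixed header
OPT_PAD, OPT_LEASE_TIME, OPT_MESSAGE_TYPE, OPT_END = 0, 51, 53, 255
MESSAGE_TYPES = {
    1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
    5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM",
}
CLIENT_SENT = {1, 3, 4, 7, 8}                      # BOOTREQUEST; the others are BOOTREPLY


def build_packet(msg_type, xid, mac, yiaddr="0.0.0.0", lease_time=None):
    """Encode one DHCP message (constructed sample, not a capture)."""
    op = 1 if msg_type in CLIENT_SENT else 2
    header = struct.pack(
        HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000,  # htype=Ethernet, hlen=6, broadcast flag
        bytes(4), ipaddress.IPv4Address(yiaddr).packed, bytes(4), bytes(4),
        mac.ljust(16, b"\0"), bytes(64), bytes(128))
    options = bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    if lease_time is not None:
        options += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease_time)
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_options(data):
    """Walk the TLV option area; PAD has no length byte, END stops the walk."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return options


def parse_packet(data):
    """Decode the header fields a client or a packet filter cares about."""
    fields = struct.unpack(HEADER_FMT, data[:struct.calcsize(HEADER_FMT)])
    op, _htype, hlen, _hops, xid, _secs, _flags = fields[:7]
    _ciaddr, yiaddr, _siaddr, _giaddr, chaddr = fields[7:12]
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie: plain BOOTP or truncated packet")
    options = parse_options(data[240:])
    mtype = options.get(OPT_MESSAGE_TYPE, b"")
    if len(mtype) != 1:
        raise ValueError("option 53 (DHCP message type) missing")
    lease = options.get(OPT_LEASE_TIME)
    return {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "xid": xid,
        "chaddr": chaddr[:hlen].hex(":"),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "message_type": MESSAGE_TYPES.get(mtype[0], f"unknown({mtype[0]})"),
        "lease_time": struct.unpack("!I", lease)[0] if lease else None,
    }


def offer_answers_discover(discover, offer):
    """A client should only act on an OFFER that echoes its own xid and MAC."""
    return (offer["message_type"] == "DHCPOFFER"
            and offer["xid"] == discover["xid"]
            and offer["chaddr"] == discover["chaddr"])


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")           # made-up client MAC
    disc = parse_packet(build_packet(1, 0x1234, mac))
    offer = parse_packet(build_packet(2, 0x1234, mac, "192.168.0.130", lease_time=21600))
    print(disc["message_type"], "->", offer["message_type"], offer["yiaddr"], offer["lease_time"])
```

The xid/chaddr comparison is the same check a client performs when several servers answer on the LAN; it is also what to look for when reading a capture of a lease that went to the wrong host.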
192.168.0.1;
255.255.255.0;
option nis-domain "domain.org";
option domain-name "domain.org";
option domain-name-servers 192.168.1.1;
option time-offset -18000; # Eastern Standard Time
# option ntp-servers 192.168.1.1;
# option netbios-name-servers 192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
# option netbios-node-type 2;
range dynamic-bootp 192.168.0.128 192.168.0.254;
default-lease-time 21600;
max-lease-time 43200;
# we want the nameserver to appear at a fixed address
host ns {
next-server marvin.redhat.com;
hardware ethernet 12:34:56:78:AB:CD;
fixed-address 207.175.42.254;
}
5. [root@station1] ifconfig
6. [root@station1] service dhcpd start
7. [root@station1] chkconfig dhcpd on
8. [root@station1] less /var/lib/dhcpd/dhcpd.leases
1. Network file sharing (NFS): The NFS server is used to share a database between two computers within a network.
NFS uses port number 2049.
Configuration: 1. rpm -qa | grep nfs*
2. mkdir /share
3. cd /share
4. Create the database which you want to share.
5. vim /etc/exports
Add an entry:
/share 192.168.0.1/255.255.255.0(rw,sync)    # for a particular host
/share 192.168.0.0/255.255.255.0(ro,sync)    # for a particular network
/share *(ro,sync)                            # for all networks
6. service nfs start
7. service portmap restart
8. service nfslock stop
9. chkconfig nfs on
10. chkconfig nfslock off
11. showmount -e
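The three /etc/exports forms above differ a lot in exposure, and a mask typed after a host address silently turns it into a network. The following is an added example, not part of the course notes: a parser for the exports syntax ("/path client(options) ...") and an audit that flags wildcard clients, read-write exports to whole networks, and no_root_squash. The exports text is constructed sample input; the first three lines reproduce the entries from the notes and the /backup line is invented for the no_root_squash case.

```python
"""Audit /etc/exports for risky client specifications (added example)."""
import ipaddress

# Constructed sample /etc/exports
EXPORTS = """\
/share  192.168.0.1/255.255.255.0(rw,sync)
/share  192.168.0.0/255.255.255.0(ro,sync)
/share  *(ro,sync)
/backup 192.168.0.10(rw,sync,no_root_squash)
"""


def parse_exports(text):
    """Return [(path, client, [options])], one tuple per client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            if spec.endswith(")") and "(" in spec:
                client, opts = spec[:-1].split("(", 1)
                options = [o for o in opts.split(",") if o]
            else:
                client, options = spec, []       # no options: exportfs defaults apply
            entries.append((path, client, options))
    return entries


def classify_client(client):
    """'host', 'network', 'wildcard' or 'hostname' for one client spec."""
    if "*" in client or "?" in client:
        return "wildcard"
    try:
        # ip_network also accepts the a.b.c.d/255.255.255.0 form used in the notes
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return "hostname"                        # FQDN or @netgroup
    return "host" if net.num_addresses == 1 else "network"


def audit_exports(text):
    """Return [(path, client, reason)] for every entry worth a second look."""
    findings = []
    for path, client, options in parse_exports(text):
        kind = classify_client(client)
        if kind == "wildcard":
            findings.append((path, client, "exported to every host that can reach port 2049"))
        if "rw" in options and kind == "network":
            findings.append((path, client, "read-write access granted to a whole network"))
        if "no_root_squash" in options:
            findings.append((path, client, "remote root keeps root privileges on the export"))
    return findings


if __name__ == "__main__":
    for path, client, reason in audit_exports(EXPORTS):
        print(f"{path:10} {client:28} {reason}")
```

Note that the first line is reported as a network: "192.168.0.1/255.255.255.0" covers all of 192.168.0.0/24, so the "particular host" entry should be written without the mask if one host is intended.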
FILE TRANSFER PROTOCOL (FTP): The ftp server is used to share database over network in secure
SAMBA: The Samba server is used for sharing between Linux and Windows OSes with the help of the Samba services. With the help of Samba we can share a database as well as a printer within the network.
Samba uses port number 445.
Samba works on two services: a. smbd: for authentication and authorization
b. nmbd: for resource browsing
Configuration: 1. yum install samba*
or rpm -ivh --aid --force samba-3.0.23c-2.i386.rpm
rpm -ivh --aid --force samba-swat-3.0.23c-2.i386.rpm
2. vim /etc/samba/smb.conf
Make the changes as follows:
On line 26, replace MYGROUP with WORKGROUP.
On line 41, remove the ; and mention the network id in the format 192.168.0.
On line 274, add the entries:
[share name]
comment=Station1 share
path=/share
browsable=yes
public=yes
writable=yes
valid users = user1,user2
create mask = 0765
write list = user1
3. service smb start
4. chkconfig smb on
5. useradd samba
6. smbpasswd -a samba
7. smbclient -L <host IP address> -U <username>
SENDMAIL
Sendmail is an electronic mail transport agent. Sendmail sends a message to one or more recipients, routing the message over networks as necessary. Sendmail does internetwork forwarding as necessary
DNS, SMTP, UDP, IMAP, POP
Static IP address
Yum server within a network
Configuration: 1. yum install http*
or rpm -ivh --force /opt/Server/http*
2. vim /etc/httpd/conf/httpd.conf
On line 264, add a line:
ServerName <hostname>:80
On line 280, check:
DocumentRoot /var/www/html
On line 383:
DirectoryIndex index.html index.html.var
Remove the index.html.var
3. cd /var/www/html
4. vim index.html
<write the HTML code for the home page of your server>
5. nslookup
>hostname
6. ifconfig
7. service httpd start
8. chkconfig httpd on
9. elinks
URL=http://<hostname>/ or http://<ip address>/
Virtual Hosting
Virtual hosting is mostly used on the internet. With the help of virtual hosting you can publish different web pages over a single static IP; for virtual hosting you require multiple entries for the single host in DNS (that is, in the forward and reverse zones).
Forward
station1.example.com  IN A    192.168.0.1
www1.example.com      IN A    192.168.0.1
Reverse
192.168.0.1  IN PTR  station1
192.168.0.1  IN PTR  www1
Configuring the virtual host
1. nslookup
>station1
>www1
2. vim /etc/httpd/conf/httpd.conf
3. On line 264,
Before editing: ServerName <hostname>:80
After editing: #ServerName <hostname>:80
On line 280,
Before editing: DocumentRoot /var/www/html
After editing: #DocumentRoot /var/www/html
On line 383,
Before editing: DirectoryIndex index.html index.html.var
After editing: #DirectoryIndex index.html index.html.var
On line 971, add a line:
NameVirtualHost <IP Address>:80
On line 990, add these lines:
<VirtualHost <IP Address>:80>
ServerName station1.example.com
DocumentRoot /var/www/html
DirectoryIndex station1.html
</VirtualHost>
<VirtualHost <IP Address>:80>
ServerName www1.example.com
DocumentRoot /var/www/html
DirectoryIndex www1.html
</VirtualHost>
4. cd /var/www/html
5. vim station1.html
<WRITE DOWN THE CODE FOR THE SITE STATION1.EXAMPLE.COM>
6. vim www1.html
<WRITE DOWN THE CODE FOR THE SITE WWW.EXAMPLE.COM>
7. service httpd restart
8. chkconfig httpd on
9. elinks
URL=station1.example.com
URL=www1.example.com
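Because both virtual hosts share one IP, Apache can only tell them apart by the Host header the browser sends, and a request that names neither ServerName (for instance one made to the bare IP) is served by the first VirtualHost in the file. The following is an added example, not part of the course notes: a parser for the VirtualHost blocks above and a model of that name-based selection, so you can see which file answers for a given Host value. The configuration text is constructed sample input with 192.168.0.1 filled in for <IP Address>.

```python
"""Model Apache name-based virtual host selection (added example)."""
import re

# Constructed sample: the two VirtualHost blocks from the procedure above.
HTTPD_VHOSTS = """\
NameVirtualHost 192.168.0.1:80
<VirtualHost 192.168.0.1:80>
    ServerName station1.example.com
    DocumentRoot /var/www/html
    DirectoryIndex station1.html
</VirtualHost>
<VirtualHost 192.168.0.1:80>
    ServerName www1.example.com
    DocumentRoot /var/www/html
    DirectoryIndex www1.html
</VirtualHost>
"""


def parse_vhosts(text):
    """Return one dict per <VirtualHost> block, in file order (order matters)."""
    vhosts = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", text, re.S):
        block = {"addr": m.group(1).strip()}
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(" ")
            block[key] = value.strip()
        vhosts.append(block)
    return vhosts


def select_vhost(vhosts, host_header):
    """Match ServerName case-insensitively, ignoring any :port; no match -> first block."""
    host = host_header.split(":")[0].lower()
    for vh in vhosts:
        if vh.get("ServerName", "").lower() == host:
            return vh
    return vhosts[0]               # Apache's default for unknown or missing Host


def index_path(vhosts, host_header):
    """File served for '/' given the Host header: DocumentRoot + first DirectoryIndex."""
    vh = select_vhost(vhosts, host_header)
    index = vh.get("DirectoryIndex", "index.html").split()[0]
    return f"{vh['DocumentRoot']}/{index}"


if __name__ == "__main__":
    hosts = parse_vhosts(HTTPD_VHOSTS)
    for h in ("station1.example.com", "www1.example.com", "192.168.0.1"):
        print(f"{h:22} -> {index_path(hosts, h)}")
```

The last line of the demo is the caveat worth remembering: whatever is listed first becomes the catch-all, so put the site you are happy to expose to scanners and IP-only requests in that position.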
driven process. Squid keeps metadata and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests.
Squid supports SSL, extensive access controls and full request logging. By using the lightweight Internet Cache Protocol, Squid caches can be arranged in a hierarchy or mesh for additional bandwidth savings.
Squid consists of a main server program squid, a Domain Name System lookup program dnsserver, some optional programs for rewriting requests and performing authentication, and some management and client tools.
Configuration: The configuration file is /etc/squid/squid.conf.
acl is used to define labels for a network (on line 2394):
acl <variable name> <element> <ip address or network address>
http_access uses the labels for executing commands (on line 2507):
http_access allow or deny <variable name>
Elements: src, dst, srcdomain, dstdomain, time
Example A: Allow a computer network
acl allow_net src 192.168.0.0/255.255.255.0
http_access allow allow_net
For domain
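What decides whether a request is proxied is not any single acl line but the order of the http_access lines. The following is an added example, not part of the course notes: a parser for the acl and http_access syntax above and an evaluator that applies Squid's semantics: http_access lines are tried in order, a line matches when all its ACL names match (a "!" prefix negates one), the first matching line wins, and if no line matches the result is the opposite of the last line's action. The elements listed above (src, dst, srcdomain, dstdomain, time) are implemented; the configuration text and the requests are constructed samples, and the "acl all" line is the explicit definition older Squid releases require.

```python
"""Evaluate Squid acl / http_access rules against a request (added example)."""
import ipaddress
from datetime import datetime

# Constructed sample squid.conf fragment
SQUID_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl allow_net src 192.168.0.0/255.255.255.0
acl blocked dstdomain .example.org
acl work_hours time MTWHF 09:00-18:00
http_access deny blocked
http_access allow allow_net work_hours
http_access deny all
"""
DAY_CODES = "MTWHFAS"          # Squid's letters for Monday..Sunday; D = all weekdays


def parse_config(text):
    """Return ({acl_name: [(element, args)]}, [(action, [acl terms])]) in file order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _element_matches(element, args, request):
    if element in ("src", "dst"):
        ip = ipaddress.ip_address(request[element])
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if element in ("srcdomain", "dstdomain"):
        host = request[element].lower()
        # a leading dot matches the domain itself and every subdomain
        return any(host == p.lower().lstrip(".") or (p.startswith(".") and host.endswith(p.lower()))
                   for p in args)
    if element == "time":
        when = datetime.fromisoformat(request["time"])
        days, span = DAY_CODES, None
        for a in args:
            if "-" in a:
                span = a
            else:
                days = a.replace("D", "MTWHF")
        if DAY_CODES[when.weekday()] not in days:
            return False
        if span is None:
            return True
        start, end = (tuple(int(x) for x in t.split(":")) for t in span.split("-"))
        return start <= (when.hour, when.minute) <= end
    raise ValueError(f"unsupported acl element {element}")


def _acl_matches(acls, term, request):
    negate = term.startswith("!")
    hit = any(_element_matches(el, args, request) for el, args in acls[term.lstrip("!")])
    return hit != negate


def http_access(config_text, request):
    """Return 'allow' or 'deny' for one request, the way Squid would."""
    acls, rules = parse_config(config_text)
    for action, terms in rules:
        if all(_acl_matches(acls, t, request) for t in terms):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"   # implicit default: opposite of last line


def lan_request(dst_domain, time):
    """Constructed request from a LAN client; the dst address is an arbitrary sample."""
    return {"src": "192.168.0.10", "srcdomain": "station1.example.com",
            "dst": "198.51.100.7", "dstdomain": dst_domain, "time": time}


if __name__ == "__main__":
    for domain, when in (("www.example.com", "2024-01-08T10:00"),
                         ("www.example.org", "2024-01-08T10:00"),
                         ("www.example.com", "2024-01-13T10:00")):
        print(domain, when, "->", http_access(SQUID_CONF, lan_request(domain, when)))
```

The implicit default is the part that bites in practice: a configuration whose last line is a deny quietly allows everything it did not mention, which is why the sample ends with "http_access deny all".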
IPTABLES (FIREWALL)
If your organization's network is connected to the internet or any other network, you should consider putting a firewall in place between your network (LAN) and the external network.
A firewall is used to secure the internal network by controlling who can connect to systems in the internal network and by controlling what kind of
SYNTAX
-D, -R, -N, -X
<match specifications>
-s source
-d destination
--sport source port
--dport destination port
-p protocol
<target>
ACCEPT
DROP
REJECT
Example
1. iptables -t filter -A INPUT -s 192.168.0.254 -d 192.168.0.0 -p tcp --dport 22 -j REJECT
NOTE
After adding the rules you have to start the service:
service iptables start
If you want to save the current table:
service iptables save
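A rule like the one above only has the effect you expect if nothing earlier in the chain matches the same packet first. The following is an added example, not part of the course notes: a parser for the command syntax listed above (-t, -A/-I, -s, -d, -p, --sport, --dport, -j) and a model of how the kernel walks the INPUT chain: rules are checked in order, the first rule whose match specifications all fit the packet decides, and a packet matching nothing gets the chain policy. The rules and packets are constructed samples; the /24 masks are my choice (the notes' "-d 192.168.0.0" without a mask would match the single address 192.168.0.0), and 192.168.0.1 is assumed as the host's own address.

```python
"""Simulate first-match evaluation of an iptables filter chain (added example)."""
import ipaddress
import shlex

# Constructed sample rules in the syntax from the notes
SAMPLE_RULES = [
    "iptables -t filter -A INPUT -s 192.168.0.254 -d 192.168.0.0/24 -p tcp --dport 22 -j REJECT",
    "iptables -t filter -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT",
    "iptables -t filter -A INPUT -p tcp --dport 22 -j DROP",
]


def parse_rule(cmdline):
    """Turn one 'iptables ...' command line into a rule dict."""
    argv = shlex.split(cmdline)
    rule = {"op": None, "chain": None, "pos": None, "target": None, "match": {}}
    i = 1
    while i < len(argv):
        flag = argv[i]
        if flag == "-t":                         # table; only 'filter' is modelled
            i += 2
        elif flag in ("-A", "-I"):
            rule["op"], rule["chain"] = flag, argv[i + 1]
            i += 2
            if flag == "-I" and i < len(argv) and argv[i].isdigit():
                rule["pos"] = int(argv[i])       # -I CHAIN N inserts at position N
                i += 1
        elif flag == "-j":
            rule["target"] = argv[i + 1]
            i += 2
        elif flag in ("-s", "-d"):               # a bare address means one host (/32)
            rule["match"][flag] = ipaddress.ip_network(argv[i + 1], strict=False)
            i += 2
        elif flag == "-p":
            rule["match"][flag] = argv[i + 1].lower()
            i += 2
        elif flag in ("--sport", "--dport"):
            rule["match"][flag] = int(argv[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported option {flag}")
    if rule["op"] is None or rule["target"] is None:
        raise ValueError("rule needs a chain command (-A/-I) and a -j target")
    return rule


def rule_matches(rule, packet):
    """Every match specification present on the rule must fit the packet."""
    m = rule["match"]
    return all([
        "-s" not in m or ipaddress.ip_address(packet["src"]) in m["-s"],
        "-d" not in m or ipaddress.ip_address(packet["dst"]) in m["-d"],
        "-p" not in m or packet["proto"] == m["-p"],
        "--sport" not in m or packet.get("sport") == m["--sport"],
        "--dport" not in m or packet.get("dport") == m["--dport"],
    ])


class Chain:
    def __init__(self, policy="ACCEPT"):
        self.policy, self.rules = policy, []

    def apply(self, cmdline):
        rule = parse_rule(cmdline)
        if rule["op"] == "-A":
            self.rules.append(rule)                          # -A appends at the end
        else:
            self.rules.insert((rule["pos"] or 1) - 1, rule)  # -I inserts (default: top)

    def verdict(self, packet):
        """Return (target, 1-based rule number) or (policy, None) if nothing matched."""
        for n, rule in enumerate(self.rules, 1):
            if rule_matches(rule, packet):
                return rule["target"], n
        return self.policy, None


def build_chain(cmdlines, policy="ACCEPT"):
    chain = Chain(policy)
    for c in cmdlines:
        chain.apply(c)
    return chain


def tcp_packet(src, dport, dst="192.168.0.1"):
    """Constructed packet summary as seen by the INPUT chain of host 192.168.0.1."""
    return {"src": src, "dst": dst, "proto": "tcp", "sport": 40000, "dport": dport}


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RULES)
    for src, port in (("192.168.0.254", 22), ("192.168.0.10", 22), ("10.0.0.5", 22), ("10.0.0.5", 80)):
        print(f"{src:15} dport {port:3} -> {chain.verdict(tcp_packet(src, port))}")
    chain.apply("iptables -I INPUT -s 192.168.0.254 -p tcp --dport 22 -j ACCEPT")
    print("after -I:", chain.verdict(tcp_packet("192.168.0.254", 22)))
```

The "after -I" line shows why the service-start and save steps matter: an inserted ACCEPT placed above the REJECT overrides it, and the order that was saved is the order that comes back on the next boot.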