Linux Installation: Welcome To Red Hat Enterprise Linux

The document provides instructions for installing Red Hat Enterprise Linux, including selecting a language, partitioning disks, configuring networking, and setting up firewall options. Users are guided through an installation process that includes choosing automatic or manual partitioning, selecting installed languages, and configuring security settings like enabling or disabling a firewall and selecting allowed services.

Uploaded by Shoaib Ahmed
Copyright
© Attribution Non-Commercial (BY-NC)

Linux Installation

Welcome to Red Hat Enterprise Linux

The Welcome screen does not prompt you for any input. Read over the help text in the left panel for
additional instructions and information on where to register your Red Hat Enterprise Linux product.

Notice the Hide Help button at the bottom left corner of the screen. The help screen is open by
default. To minimize the help text, click on Hide Help.

Click on the Next button to continue.

Language Selection

Using your mouse, select a language to use for the installation. Selecting the appropriate language
also helps target your time zone configuration later in the installation. The installation program tries to
define the appropriate time zone based on what you specify on this screen.

Once you select the appropriate language, click Next to continue.

Disk Partitioning Setup

Prepared By: Javed Ahmad Dogar (PUCIT course LBSM)


Partitioning allows you to divide your hard drive into isolated sections, where each section behaves as
its own hard drive. Partitioning is particularly useful if you run multiple operating systems.

On this screen, you can choose to perform automatic partitioning, or manual partitioning using Disk
Druid.

Automatic partitioning allows you to perform an installation without having to partition your drive(s)
yourself. If you do not feel comfortable with partitioning your system, it is recommended that you do
not choose to partition manually and instead let the installation program partition for you.

To partition manually, choose the Disk Druid partitioning tool.

Disk Partitioning Setup.

Partitioning Your System

If you chose to partition manually, you must tell the installation program where to install Red Hat
Enterprise Linux. This is done by defining mount points for one or more disk partitions in which Red
Hat Enterprise Linux is installed.

The partitioning tool used by the installation program is Disk Druid. With the exception of certain
esoteric situations, Disk Druid can handle the partitioning requirements for a typical installation.

Disk Druid's Buttons

These buttons control Disk Druid's actions. They are used to change the attributes of a partition (for
example the file system type and mount point) and also to create RAID devices. Buttons on this
screen are also used to accept the changes you have made, or to exit Disk Druid. For further
explanation, take a look at each button in order:

Edit: Used to modify attributes of the partition currently selected in the Partitions section.
Selecting Edit opens a dialog box. Some or all of the fields can be edited, depending on whether the
partition information has already been written to disk.

To make a RAID device, you must first create (or reuse existing) software RAID partitions. Once you
have created two or more software RAID partitions, select Make RAID to join the software RAID
partitions into a RAID device.

Partition Fields

Above the partition hierarchy are labels which present information about the partitions you are
creating. The labels are defined as follows:

o Device: This field displays the partition's device name.
o Mount Point/RAID/Volume: A mount point is the location within the directory hierarchy at
which a volume exists; the volume is "mounted" at this location. This field indicates where the
partition is mounted. If a partition exists, but is not set, then you need to define its mount
point. Double-click on the partition or click the Edit button.
o Type: This field shows the partition's file system type (for example, ext2 or ext3).
o Format: This field shows if the partition being created will be formatted.
o Size (MB): This field shows the partition's size (in MB).
o Start: This field shows the cylinder on your hard drive where the partition begins.
o End: This field shows the cylinder on your hard drive where the partition ends.

Recommended Partitioning Scheme

The following is a list of recommendations for partitioning your system:

o A swap partition (at least 256 MB) — swap partitions are used to support virtual memory. In
other words, data is written to a swap partition when there is not enough RAM to store the
data your system is processing.
o If you are unsure about what size swap partition to create, make it twice the amount of RAM
on your machine. It must be of type swap.
o Creation of the proper amount of swap space varies depending on a number of factors
including the following (in descending order of importance):
    - The applications running on the machine.
    - The amount of physical RAM installed on the machine.
    - The version of the OS.
o Swap should equal 2x physical RAM for up to 2 GB of physical RAM, and then 1x physical RAM
for any amount above 2 GB, but never less than 32 MB.
    Using this formula, a system with 2 GB of physical RAM would have 4 GB of swap, while one
    with 3 GB of physical RAM would have 5 GB of swap. Creating a large swap space partition can
    be especially helpful if you plan to upgrade your RAM at a later time.
o For systems with really large amounts of RAM (more than 32 GB) you can likely get away with
a smaller swap partition (around 1x, or less, of physical RAM).

o A root partition (500 MB - 5.0 GB) — this is where "/" (the root directory) is located. In this
setup, all files — except for files stored in /boot (on x86, AMD64, and Intel EM64T) are on the
root partition.

A 500 MB partition allows you to install a minimal installation; while a 5.0 GB root
partition lets you perform a full installation, choosing all package groups.

It is recommended that you create a /boot/ partition (100 MB). /boot/ contains the
kernels, along with files used during the bootstrap process.

Network Configuration

If you do not have a network device, this screen does not appear during your installation and you
should advance to

The installation program automatically detects any network devices you have and displays them in the
Network Devices list.

Once you have selected a network device, click Edit. From the Edit Interface pop-up screen, you can
choose to configure the IP address and Netmask of the device via DHCP (or manually if DHCP is not
selected) and you can choose to activate the device at boot time. If you select Activate on boot, your
network interface is started when you boot. If you do not have DHCP client access or you are unsure
what to provide here, please contact your network administrator.

Firewall Configuration

Red Hat Enterprise Linux offers firewall protection for enhanced system security. A firewall exists
between your computer and the network, and determines which resources on your computer remote
users on the network can access. A properly configured firewall can greatly increase the security of
your system.

Firewall Configuration

Next, you can decide whether to enable a firewall for your Red Hat Enterprise Linux system.

No firewall

No firewall provides complete access to your system and does no security checking. Security checking
is the disabling of access to certain services. This should only be selected if you are running on a
trusted network (not the Internet) or plan to do more firewall configuration later.

Enable firewall

If you choose Enable firewall, your system rejects inbound connections that you have not explicitly
allowed (beyond the default settings). By default, only traffic that answers an outbound request, such
as DNS replies or DHCP responses, is allowed in. If access to services running on this machine is
needed, you can choose to allow specific services through the firewall.

If you are connecting your system to the Internet, this is the safest option to choose.

Next, select which services, if any, should be allowed to pass through the firewall.

Enabling these options allows the specified services to pass through the firewall. Note that these
services may not be installed on the system by default; a firewall hole for a service that is not
running is harmless but unnecessary, so enable only the options you actually need.

Remote Login (SSH)

Secure Shell (SSH) is a suite of tools for logging in to and executing commands on a remote machine.
If you plan to use SSH tools to access your machine through a firewall, enable this option. You need to
have the openssh-server package installed in order to access your machine remotely, using SSH
tools.

Web Server (HTTP, HTTPS)

The HTTP and HTTPS protocols are used by Apache (and by other Web servers) to serve webpages. If
you plan on making your Web server publicly available, enable this option. This option is not required
for viewing pages locally or for developing webpages. You must install the httpd package if you
want to serve webpages.

File Transfer (FTP)

The FTP protocol is used to transfer files between machines on a network. If you plan on making your
FTP server publicly available, enable this option. You must install the vsftpd package in order to
publicly serve files.

Mail Server (SMTP)

If you want to allow incoming mail delivery through your firewall, so that remote hosts can connect
directly to your machine to deliver mail, enable this option. You do not need to enable this if you
collect your mail from your Internet Service Provider's server using POP3 or IMAP, or if you use a tool
such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to
use your server to send spam.
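Underneath the "Enable firewall" choice and the per-service checkboxes is an iptables rule set: a default-deny policy on inbound traffic, an allowance for replies to the machine's own outbound requests, and one ACCEPT rule per ticked service. The following is an added example, not code from this handout or from the Red Hat installer: a shell function that prints the equivalent rules for a given list of allowed services so they can be reviewed before being applied as root. The service names and port numbers are an assumption based on the standard assignments (ssh 22, http 80 and 443, ftp 21, smtp 25); the installer itself saves its rules in /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example (not from the original handout or Red Hat's installer code):
# print the iptables commands that correspond to the installer's "Enable
# firewall" choice plus the services ticked on the next screen. Printing
# rather than applying lets you review the rules first; apply them as root
# with:  gen_firewall_rules ssh http | sh
# The service-to-port mapping is an assumption based on the standard port
# assignments for the four services the installer offers.

service_ports() {
    # Map an installer service name to "proto:port" words.
    case "$1" in
        ssh)  echo "tcp:22" ;;
        http) echo "tcp:80 tcp:443" ;;   # Web Server (HTTP, HTTPS)
        ftp)  echo "tcp:21" ;;           # control channel; passive data connections also need ip_conntrack_ftp
        smtp) echo "tcp:25" ;;
        *)    return 1 ;;
    esac
}

gen_firewall_rules() {
    # Base policy: nothing inbound is accepted unless a rule below allows it.
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    # Loopback traffic and replies to our own outbound requests (DNS answers
    # and the like) are always allowed; this is the installer's default.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # One ACCEPT per selected service; an unknown name aborts rather than
    # silently producing a half-configured firewall.
    for svc in "$@"; do
        ports=$(service_ports "$svc") || { echo "unknown service: $svc" >&2; return 1; }
        for entry in $ports; do
            proto=${entry%%:*}
            port=${entry#*:}
            echo "iptables -A INPUT -p $proto --dport $port -m state --state NEW -j ACCEPT"
        done
    done
}
```

With no services given the function prints only the four base rules, which is the "Enable firewall" screen with nothing ticked. After applying, `iptables -L INPUT -n` shows the live rules; compare that listing with the services you intended to expose.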

Language Support Selection

You can install and support multiple languages for use on your system.

You must select a language to use as the default language. The default language is the language used
on the system once the installation is complete. Typically, the default language is the language you
selected to use during the installation. If you choose to install other languages during this installation,
you can change your default language after the installation. If you are only going to use one language
on your system, selecting only that language saves significant disk space.

Caution

If you select only one language, you can only use that specified language after the installation is
complete.

Language Support Selection

To use more than one language on your system, choose specific languages to be installed or select all
languages to have all available languages installed on your Red Hat Enterprise Linux system.

Use the Reset button to cancel your selections. Resetting reverts to the default; only the language
you selected for use during the installation is installed.

Tip

To change the language configuration after you have completed the installation, use the Language
Configuration Tool.

Type the system-config-language command in a shell prompt to launch the Language
Configuration Tool. If you are not root, it prompts you for the root password to continue.

Time Zone Configuration

Set your time zone by selecting the city closest to your computer's physical location.

There are two ways for you to select your time zone:

o Using your mouse, click on the interactive map to select a specific city (represented by a
yellow dot). A red X appears indicating your selection.
o You can also scroll through the list at the bottom of the screen to select your time zone. Using
your mouse, click on a location to highlight your selection.

Configuring the Time Zone

Select System Clock uses UTC if you know that your system is set to UTC.

To change your time zone configuration after you have completed the installation, use the Time and
Date Properties Tool.

Type the system-config-date command in a shell prompt to launch the Time and Date
Properties Tool. If you are not root, it prompts you for the root password to continue.

To run the Time and Date Properties Tool as a text-based application, use the command
timeconfig.

Set Root Password

Setting up a root account and password is one of the most important steps during your installation.
Your root account is similar to the administrator account used on Windows NT machines. The root
account is used to install packages, upgrade RPMs, and perform most system maintenance. Logging in
as root gives you complete control over your system.

Note

The root user (also known as the superuser) has complete access to the entire system; for this
reason, logging in as the root user is best done only to perform system maintenance or
administration.

Root Password

Use the root account only for system administration. Create a non-root account for your general use
and su - to root when you need to fix something quickly. These basic rules minimize the chances of a
typo or an incorrect command doing damage to your system.

To become root, type su - at the shell prompt in a terminal window and then press Enter. Then,
enter the root password and press Enter.

The installation program prompts you to set a root password for your system. You cannot proceed to
the next stage of the installation process without entering a root password.

The root password must be at least six characters long; the password you type is not echoed to the
screen. You must enter the password twice; if the two passwords do not match, the installation
program asks you to enter them again.

Tip

To change your root password after you have completed the installation, use the Root Password
Tool.

Type the system-config-rootpassword command in a shell prompt to launch the
Root Password Tool. If you are not root, it prompts you for the root password to continue.

A root password is the administrative password for your Red Hat Enterprise Linux system. You should
only log in as root when needed for system maintenance. The root account does not operate within
the restrictions placed on normal user accounts, so changes made as root can have implications for
your entire system.

Package Group Selection

Now that you have made most of the choices for your installation, you are ready to confirm the default
package selection or customize packages for your system.

The Package Installation Defaults screen appears and details the default
package set for your Red Hat Enterprise Linux installation. This screen varies depending on the version
of Red Hat Enterprise Linux you are installing.

To customize your package set further, select Customize the set of packages to
be installed option on the screen. Clicking Next takes you to the Package Group Selection
screen.

You can select package groups, which group components together according to function (for example,
X Window System and Editors), individual packages, or a combination of the two.

To select a component, click on the checkbox beside it.

Package Group Selection

Select each component you wish to install. Selecting Everything (at the end of the component list)
installs all packages included with Red Hat Enterprise Linux.

Once a package group has been selected, click on Details to view which packages are installed by
default, and to add or remove optional packages from that group. (Package Group Details)

Preparing to Install

A screen preparing you for the installation of Red Hat Enterprise Linux now appears.

For your reference, a complete log of your installation can be found in /root/install.log once you
reboot your system.

Warning

If, for some reason, you would rather not continue with the installation process, this is your last
opportunity to safely cancel the process and reboot your machine. Once you press the Next button,
partitions are written and packages are installed. If you wish to abort the installation, you should
reboot now before any existing information on any hard drive is rewritten.

Installing Packages

At this point there is nothing left for you to do until all the packages have been installed. How quickly
this happens depends on the number of packages you have selected and your computer's speed.

Installation Complete

Congratulations! Your Red Hat Enterprise Linux installation is now complete!

The installation program prompts you to prepare your system for reboot.

DOS versus Linux commands


In this appendix, we matched DOS commands with their Linux equivalent.

As an extra means of orientation for new users with a Windows background, the table below lists
MS-DOS commands with their Linux counterparts. Keep in mind that Linux commands usually have a
number of options. Read the Info or man pages on the command to find out more.

Table B-1. Overview of DOS/Linux commands

DOS command        Linux command
<command> /?       man <command> or <command> --help
cd                 cd
chdir              pwd
cls                clear
copy               cp
date               date
del                rm
dir                ls
echo               echo
edit               vim (or other editor)
exit               exit
fc                 diff
find               grep
format             mke2fs or mformat
mem                free
mkdir              mkdir
more               more or even less
move               mv
ren                mv
time               date

Absolute Pathnames

Absolute pathnames begin with a slash (/).

For example: /usr/share/doc/HTML/index.html

/usr/share

/home/javed

Relative Pathnames

Relative pathnames don’t begin with slash (/)

For example: HTML/index.html

Doc/HTML/index.html

../index.html

Redirect Standard output

Redirect standard output with >

For example: # ls -a > outputfile1

# find / -name passwd > outputfile2

Error messages (for example the "Permission denied" lines find prints for directories it cannot read)
are not caught by > and still appear on the terminal.

Redirect Standard output & Error

Redirect standard output and error with &> (a bash shortcut; the portable form is > outputfile2 2>&1)

For example: $ find / -name passwd &> outputfile2
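To see the difference between > and &> on a real command, here is an added example (not from the handout) that builds a small directory tree, runs find against one path that exists and one that does not, and compares what each form leaves in the output file. Portable shells spell &> as > file 2>&1, which is what the functions below use; the tree, the file names outputfile1 and outputfile2, and the missing path are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original handout): what lands in the output
# file when only standard output is redirected (>) versus when both standard
# output and standard error are redirected. The handout's "&>" is a bash
# extension; the portable form used here is "> file 2>&1".
# The directory tree is constructed so the run is deterministic: "$d/etc"
# exists and holds a file named passwd, "$d/missing" does not, so find emits
# one match on stdout and one "No such file or directory" line on stderr.

make_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    : > "$d/etc/passwd"
    echo "$d"
}

# Like "find / -name passwd > outputfile2": only matches go to the file; the
# error for the missing path still reaches the terminal. Prints the number
# of lines written to the file.
redirect_stdout_only() {
    status=0
    find "$1/missing" "$1/etc" -name passwd > "$1/outputfile1" || status=$?
    echo "find exit status: $status" >&2   # non-zero: some path could not be searched
    wc -l < "$1/outputfile1" | tr -d ' '
}

# Like "find / -name passwd &> outputfile2": both streams go to the file, so
# the error line is captured too (useful when sweeping a whole filesystem
# and you want a record of which directories were unreadable).
redirect_both() {
    status=0
    find "$1/missing" "$1/etc" -name passwd > "$1/outputfile2" 2>&1 || status=$?
    wc -l < "$1/outputfile2" | tr -d ' '
}

# Count the error lines captured in a file (prints 0 when there are none).
count_errors() {
    grep -c 'No such file' "$1" || true
}
```

The exit status is worth keeping an eye on as well: find returns non-zero whenever a starting point could not be searched, even though the matches it did find were written out normally.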

Translate a to A (lowercase to uppercase)

For example: # cat file.txt | tr 'a-z' 'A-Z'

Printout from CLI

lpr sends its input to the printer.

For example: # ls -l | lpr -------- sends the output to the default printer

# cat file.txt | lpr -P printername -- sends the print job to a non-default printer (capital -P selects the printer)

Using the Vi editor

All about Vi
This is probably the most popular text editor for Linux. Even if you don't like
it, you may end up using it quite often. If you need to make a quick change
to a file, you can't beat 'vi'. This is not meant to be an exhaustive guide to
vi. This is just meant to show you how to use the most common (and useful)
commands. Let's start by opening a file.

Sometimes you need Vi


I had an unpleasant surprise once. A friend of mine who had installed
Linux had somehow changed the default editor from vi to joe. He called
to tell me that his crontab entries didn't do anything. One more reason to
get to know vi. Crontab is designed for vi and may not work if you use
certain alternative editors.

Example 1. Open file with vi

vi /etc/hosts.allow
Miscellaneous:
Esc i       insert text
Esc a       append text
Esc u       undo
Esc :w      save file
Esc :wq     save file and quit
Esc ZZ      save file and quit
Esc :q!     quit without saving

Basic operations
These are some popular vi commands:

• ndd will delete n lines starting from the current cursor position (dd alone deletes the
current line).
• ndw will delete n words at the right side of the cursor.
• x will delete the character on which the cursor is positioned.
• :n moves to line n of the file.
• :w will save (write) the file.
• :q will exit the editor.
• :q! forces the exit when you want to quit a file containing unsaved
changes.
• :wq will save and exit.
• :w newfile will save the text to newfile.
• :wq! overrides read-only permission (if you have the permission to
override permissions, for instance when you are using the root
account).
• /astring will search the string in the file and position the cursor on
the first match below its position.
• n (or / followed by Enter) will perform the same search again, moving the cursor to the next
match.
• yy will copy (yank) the current line; nyy copies n lines.
• p will paste it; np pastes it n times.
• :recover will recover a file after an unexpected interruption.

Removing Red Hat Enterprise Linux

To uninstall Red Hat Enterprise Linux from your x86-based system, you must remove the Red Hat
Enterprise Linux boot loader information from your master boot record (MBR).

Note

It is always a good idea to back up any data that you have on your system(s). Mistakes do happen and
can result in the loss of all of your data.

In DOS and Windows, use the Windows fdisk utility to create a new MBR with flag /mbr. This ONLY
rewrites the MBR to boot the primary DOS partition. The command should look like the following:

fdisk /mbr

If you need to remove Linux from a hard drive and have attempted to do this with the default DOS
(Windows) fdisk, you will experience the "Partitions exist but they do not exist" problem. The best
way to remove non-DOS partitions is with a tool that understands partitions other than DOS.

2nd Method

To begin, insert the Red Hat Enterprise Linux CD #1 and boot your system. Once you have booted off
the CD, a boot prompt appears. At the boot prompt, type: linux rescue. This starts the
rescue mode program.

You are prompted for your keyboard and language requirements. Enter these values as you would
during the installation of Red Hat Enterprise Linux.

Next, a screen appears telling you that the program attempts to find a Red Hat Enterprise Linux install
to rescue. Select Skip on this screen.

After selecting Skip, you are given a command prompt where you can access the partitions you would
like to remove.

First, type the command list-harddrives. This command lists all hard drives on your system
that are recognizable by the installation program, as well as their sizes in megabytes.

Be careful to remove only the necessary Red Hat Enterprise Linux partitions. Removing other
partitions could result in data loss or a corrupted system environment.

To remove partitions, use the partitioning utility parted.

Start parted, where /dev/hda is the device on which to remove the partition:

1. parted /dev/hda

Using the print command, view the current partition table to determine the minor number of the
partition to remove:

2. print

The print command also displays the partition's type (such as linux-swap, ext2, ext3, and so on).
Knowing the type of the partition helps you in determining whether to remove the partition.

Remove the partition with the command rm. For example, to remove the partition with minor number
3:

3. rm 3

Important

The changes start taking place as soon as you press [Enter], so review the command before
committing to it.

After removing the partition, use the print command to confirm that it is removed from the partition
table.

Once you have removed the Linux partitions and made all of the changes you need to make,
type quit to quit parted.

After quitting parted, type exit at the rescue-mode shell prompt to leave rescue mode and reboot
your system, instead of continuing with the installation. The system should reboot automatically. If it
does not, you can reboot your computer using Control-Alt-Delete.

The Linux Boot Process

The BIOS tests the system, looks for and checks peripherals, and then looks for a drive to use
to boot the system. Usually it checks the floppy drive (or CD-ROM) first. The order of the drives used
for booting is usually controlled by a particular BIOS setting on the system. Once Linux is installed on
the hard drive of a system, the BIOS looks for a Master Boot Record (MBR) starting at the first sector
on the first hard drive, loads its contents into memory, then passes control to it.

This MBR contains the first stage of the GRUB (or LILO) boot loader. The MBR code loads the rest of
the boot loader, which takes over the process (if the boot loader is installed in the MBR). In the default
Red Hat Linux configuration, the first stage in the MBR only knows how to reach the second stage;
GRUB then reads its menu of boot options from its configuration file, /boot/grub/grub.conf.

First Stage Boot Loader

• Two boot loaders are available: Linux Loader (lilo) and Grand Unified Bootloader (grub)
• The first-stage boot loader
    - reads in the partition table and looks for the second-stage boot loader on the partition
      configured as bootable (/boot partition);
    - launches the second-stage boot loader.

Second Stage Boot Loader

• Presents the user with different OS kernels it has been configured to boot.
• Finds the kernel image in the /boot directory.
    - The kernel binary is named /boot/vmlinuz-<kernel-version>
• Places the appropriate initial RAM disk image, called an initrd, into memory. The initrd is used
by the kernel to load drivers necessary to boot the system.

The Linux Boot Sequence


Linux is supplied with the GRUB boot loader which is fairly sophisticated and therefore cannot
entirely fit in the 512 bytes of the MBR. The GRUB MBR boot loader merely searches for a special boot
partition and loads a second stage boot loader. This then reads the data in the
/boot/grub/grub.conf configuration file, which lists all the available operating systems and their
booting parameters. When this is complete, the second stage boot loader then displays the familiar
Linux screen that lists all the configured operating system kernels for your choice.

Sample grub.conf file

When Linux begins to boot with its kernel, it first runs the /sbin/init program, which does some system
checks, such as verifying the integrity of the file systems, and starts vital programs needed for the
operating system to function properly. It then inspects the /etc/inittab file to determine Linux's overall
mode of operation or runlevel. A listing of valid runlevels can be seen in Table 7-1.

Table 7-1 Linux Runlevels

Run Level   Directory          Description
0           /etc/rc.d/rc0.d    Halt
1           /etc/rc.d/rc1.d    Single-user mode
2           /etc/rc.d/rc2.d    Not used (user-definable)
3           /etc/rc.d/rc3.d    Full multi-user mode (no GUI interface)
4           /etc/rc.d/rc4.d    Not used (user-definable)
5           /etc/rc.d/rc5.d    Full multi-user mode (with GUI interface)
6           /etc/rc.d/rc6.d    Reboot

Based on the selected runlevel, the init process then executes startup scripts located in subdirectories
of the /etc/rc.d directory. Scripts used for runlevels 0 to 6 are located in subdirectories /etc/rc.d/rc0.d
through /etc/rc.d/rc6.d, respectively.

Here is a directory listing of the scripts in the /etc/rc.d/rc3.d directory:

# ls /etc/rc.d/rc3.d
... ... K75netfs K96pcmcia ... ...
... ... K86nfslock S05kudzu ... ...
... ... K87portmap S09wlan ... ...
... ... K91isdn S10network ... ...
... ... K92iptables S12syslog ... ...
... ... K95firstboot S17keytable ... ...
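The K and S prefixes in that listing are what /etc/rc.d/rc keys on: every K entry is run with the argument "stop", then every S entry with "start", each group in the order of its two-digit number. The following is an added example, not the handout's text or Red Hat's rc script: it builds a throwaway runlevel directory holding stub scripts named after entries in the listing above and walks it the way rc does, so the resulting log shows the order in which a real rc3.d would be processed. The directory, the stub scripts and the log file are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original handout): emulate what /etc/rc.d/rc
# does with a runlevel directory such as /etc/rc.d/rc3.d. Entries are named
# K<nn><service> or S<nn><service>; rc runs every K* entry with the argument
# "stop" and then every S* entry with "start", in the sort order of the
# two-digit number. The real rc script also skips K entries whose service
# never started (it checks /var/lock/subsys/<service>) and only runs entries
# that are executable; both refinements are left out here.

# Construct a throwaway rcN.d holding stub scripts that log how they were
# called. The names are taken from the rc3.d listing in the handout.
make_rc_dir() {
    rcdir=$(mktemp -d)
    for name in K92iptables K75netfs S10network S12syslog S05kudzu K87portmap; do
        cat > "$rcdir/$name" <<EOF
#!/bin/sh
echo "$name \$1" >> "$rcdir/rc.log"
EOF
    done
    echo "$rcdir"
}

# Walk the directory the way rc does; the shell's glob expansion already
# sorts the names, which is what puts K75 before K92 and S05 before S12.
run_runlevel() {
    rcdir=$1
    : > "$rcdir/rc.log"
    for s in "$rcdir"/K*; do
        [ -f "$s" ] && sh "$s" stop
    done
    for s in "$rcdir"/S*; do
        [ -f "$s" ] && sh "$s" start
    done
    cat "$rcdir/rc.log"
}
```

This ordering is why a service's S number matters for security: S10network runs before S12syslog, so anything a network-facing service logs during the few seconds between those two scripts is lost unless the service starts later in the sequence than the logger.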

Default Boot runlevel


The default boot runlevel is set in the file /etc/inittab with the initdefault variable. When set to 3,
the system boots up with the text interface on the VGA console; when set to 5, you get the GUI. Here
is a snippet of the file (delete the initdefault line you don't need):

# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
id:3:initdefault: # Console Text Mode
id:5:initdefault: # Console GUI Mode

Note the following:

• Most home users boot up with a Windows-like GUI (runlevel 5).
• Most servers boot up with a plain text-based command-line interface (runlevel 3).
• Changing initdefault from 3 to 5, or vice versa, takes effect at your next reboot. See the
following section on how to get a GUI login all the time until the next reboot.
• Of course, don't set the initdefault value to 6 or your system will constantly reboot. Setting it
to 0 will never allow it to start!

Linux Important File Summary

File (Directory): Description

at.allow, at.deny (/etc): If at.allow exists, then only the user accounts listed in the file may use the
at or batch commands. If at.deny exists, then any user account listed in the file may not use the at or
batch commands.

.bash_logout (/home/<user>): Shell script to clean up any personalized environment settings during
logout.

.bash_profile (/home/<user>): Shell script to set personalized environment settings for each login.

.bashrc (/home/<user>): Shell script to set personalized functions and aliases for each newly created
shell or subshell.

bashrc (/etc): Shell script to set system-wide functions and aliases. Usually called by
/home/<user>/.bashrc.

cron.allow, cron.deny (/etc): If cron.allow exists, then only the user accounts listed in the file may
use the crontab command. If cron.deny exists, then any user account listed in the file may not use the
crontab command.

crontab (/etc): Master cron scheduling file for system-wide jobs. On Red Hat systems, the crontab file
uses the run-parts script to schedule any script in the appropriately-named /etc/cron.* directory.

fstab (/etc): Filesystem declaration and default mount configuration settings.

group (/etc): List of all user groups on the system and the user membership list for each group.

grub.conf (/boot/grub): GRUB bootloader configuration settings. Usually linked to from
/etc/grub.conf.

inittab (/etc): init process configuration settings: virtual terminals, default runlevel,
runlevel-dependent rc scripts, Ctrl+Alt+Del interrupt handler, X Windows display manager.

lilo.conf (/etc): LILO bootloader configuration settings.

login.defs (/etc): Default configuration settings for newly created user accounts and user groups.

logrotate.conf (/etc): Configuration settings for the cron-scheduled logrotate job. On Red Hat
distributions, the logrotate.conf file usually includes other logrotate configuration files from the
/etc/logrotate.d directory.

lpd.conf (/etc): Configuration settings for the lpd print daemon, and defaults for the printcap file.

module-info (/boot): Kernel Loadable Module definitions and device driver parameters.

modules.conf (/etc): Configuration files for loading Kernel Loadable Modules during startup. Also
known as conf.modules on some Linux distributions.

passwd (/etc): List of all user accounts on the system. Also includes the user's UID, GID, full name,
home directory, and default shell. Passwords tend to be stored in /etc/shadow on most systems.

printcap (/etc): Configuration settings for print queues, used by both the lpr command and lpd
daemon. Some distributions automatically regenerate this file during startup and use the
/etc/printcap.local file to store user customizations.

profile (/etc): Shell script to set system-wide shell environment settings for all logins.

rc (/etc/rc.d): Shell script responsible for running the runlevel-dependent shell scripts under the
appropriate /etc/rc.d/rcN.d directory, where N is the runlevel.

rc.local (/etc/rc.d): Last rc shell script run, usually as part of all startup runlevels (1-5). A common
location for user-defined startup commands.

rc.sysinit (/etc/rc.d): Runlevel-independent shell script that mounts filesystems, enables virtual
memory swapping, and synchronizes the OS time with the CMOS clock.

services (/etc): Reference list of common TCP and UDP port numbers and their related services.

shadow (/etc): Encrypted passwords for all user accounts on the system. Also contains password aging
and expiry settings.

syslog.conf (/etc): Configuration settings for the syslogd and klogd logging daemons.

useradd (/etc/default): Default configuration settings for newly created user accounts using the
useradd command.

XF86Config (/etc/X11): Configuration settings for X Windows (XFree86). On some systems, this file
may be in the /usr/X11R6/lib/X11 directory.

vmlinuz (/boot): Compressed Linux kernel image. Usually a symbolic link to the current image file.

Adding Users

• useradd (in /usr/sbin):

useradd is a utility for adding new users to a UNIX system. It adds the new user's entry to the /etc/passwd file and creates a home directory for the user. When you add a new user, you should also set their password, either with the -p option of useradd or with the passwd utility. Note that -p expects an already-encrypted password and leaves it visible in the shell history and process list, so passwd is the better choice:

# useradd javed
# passwd javed

Controlling User Groups

• groupadd (in /usr/sbin):

groupadd creates a new user group and adds the new information to /etc/group:

# groupadd staff

• usermod (in /usr/sbin):

Every user belongs to a primary group and possibly also to a set of supplementary groups. To modify the group membership of an existing user, use

# usermod -g initialgroup -G othergroups username

where othergroups is a list of supplementary group names separated by commas (with no intervening whitespace). Note that -G replaces the user's existing supplementary groups; use -a -G to append to them instead.

• groups

You can find out which groups a user belongs to by typing:

# groups username

File and Directory Permissions

Permission   File                                          Directory
read         User can look at the contents of the file     User can list the files in the directory
write        User can modify the contents of the file      User can create new files and remove existing files in the directory
execute      User can use the filename as a UNIX command   User can change into the directory, but cannot list the files unless (s)he has read permission. User can read files if (s)he has read permission on them.

As we have seen in the previous chapter, every file or directory on a UNIX system has three types of permissions, describing what operations can be performed on it by various categories of users. The permissions are read (r), write (w) and execute (x), and the three categories of users are user/owner (u), group (g) and others (o). Because files and directories are different entities, the interpretation of the permissions assigned to each differs slightly, as shown in Fig 3.1.

Note:
File and directory permissions can only be modified by their owners, or by the superuser (root), using the chmod system utility.

• chmod (change [file or directory] mode)

$ chmod options files

chmod accepts permissions in two forms. Firstly, permissions may be specified as a sequence of 3 octal digits. Each octal digit represents the access permissions for the user/owner, group and others respectively. Each digit is the sum of r = 4, w = 2 and x = 1, which gives the following mapping:

--- 0
--x 1
-w- 2
-wx 3
r-- 4
r-x 5
rw- 6
rwx 7

For example, the command:

# chmod 600 private.txt

sets the permissions on private.txt to rw------- (i.e. only the owner can read and write the file).

Detail about Permission

Permissions may also be specified symbolically, using the symbols u (user), g (group), o (other), a (all), r (read), w (write), x (execute), + (add permission), - (take away permission) and = (assign permission). For example, the command:

# chmod ug=rw,o-rw,a-x *.txt

sets the permissions on all files ending in .txt to rw-rw---- (i.e. the owner and the users in the file's group can read and write the file, while everyone else has no access at all).

chmod also supports a -R option which recursively modifies file permissions, e.g.

# chmod -R go+r play

grants group and other read rights to the directory play and to all of the files and directories within play.
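To check that an octal mode and its rwx spelling really agree, here is an added shell example (not from the course notes) that converts between the two forms and then applies chmod to a throw-away file to confirm what the system reports; it assumes a POSIX shell with chmod, ls, cut, sed and mktemp available.

```shell
#!/bin/sh
# Added example: convert between symbolic (rwx) and octal file modes and
# verify them against what chmod actually sets. Not part of the course notes.
# Only the nine-character owner/group/other form is handled; the setuid,
# setgid and sticky bits are out of scope here.

# sym_to_octal "rw-r-----" -> prints 640. Fails unless given exactly nine
# characters with '-' marking unset bits.
sym_to_octal() {
    sym=$1
    if [ ${#sym} -ne 9 ]; then
        echo "sym_to_octal: need 9 characters, got '$sym'" >&2
        return 1
    fi
    out=""
    i=0
    while [ $i -lt 3 ]; do
        # triplet i: user (0), group (1), others (2)
        trip=$(printf '%s' "$sym" | cut -c"$((i*3+1))-$((i*3+3))")
        d=0
        case $trip in r??) d=$((d+4));; esac   # read    = 4
        case $trip in ?w?) d=$((d+2));; esac   # write   = 2
        case $trip in ??x) d=$((d+1));; esac   # execute = 1
        out="$out$d"
        i=$((i+1))
    done
    printf '%s\n' "$out"
}

# octal_to_sym 640 -> prints rw-r-----
octal_to_sym() {
    oct=$1
    case $oct in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_sym: need three octal digits, got '$oct'" >&2; return 1;;
    esac
    out=""
    for d in $(printf '%s' "$oct" | sed 's/./& /g'); do
        case $d in
            0) out="${out}---";; 1) out="${out}--x";; 2) out="${out}-w-";; 3) out="${out}-wx";;
            4) out="${out}r--";; 5) out="${out}r-x";; 6) out="${out}rw-";; 7) out="${out}rwx";;
        esac
    done
    printf '%s\n' "$out"
}

# mode_after_chmod MODE -> applies MODE (octal or symbolic, exactly as chmod
# accepts it) to a fresh temporary file and prints the nine-character mode
# that ls reports afterwards, so the two examples from the notes can be
# checked: 600 gives rw-------, ug=rw,o-rw,a-x gives rw-rw----.
mode_after_chmod() {
    tmp=$(mktemp) || return 1
    chmod "$1" "$tmp" || { rm -f "$tmp"; return 1; }
    ls -ld "$tmp" | cut -c2-10
    rm -f "$tmp"
}

# Demonstration of the two chmod commands discussed in the notes.
demo() {
    printf 'chmod 600            -> %s (octal %s)\n' \
        "$(mode_after_chmod 600)" "$(sym_to_octal "$(mode_after_chmod 600)")"
    printf 'chmod ug=rw,o-rw,a-x -> %s (octal %s)\n' \
        "$(mode_after_chmod 'ug=rw,o-rw,a-x')" \
        "$(sym_to_octal "$(mode_after_chmod 'ug=rw,o-rw,a-x')")"
}
```

Run `demo` after sourcing the file to see both mappings side by side.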

• chgrp (change group)

$ chgrp group files

chgrp changes the group that a file or directory belongs to. It also supports a -R option.

Backup, Compress and Uncompress Files

.tar      Backup file extension
.tar.gz   Compressed after backup
.tgz      Backup and compress at the same time

Commands Detail

# tar cvf /opt/backup/backup.tar /home /boot

-c   Stands for create
-v   Stands for verbose mode, i.e. show each file with its full path
-f   Stands for file, i.e. the target archive that follows

/opt/backup/backup.tar   Target path
/home /boot              Source directories

Comments: Take a backup of the two directories /home and /boot in the backup.tar file.

Compress/uncompress Tar file

# gzip backup.tar          (Compress the tar file; the output file will be backup.tar.gz)

# gunzip backup.tar.gz     (Uncompress this file; the output will be backup.tar)

Backup and compress at the same time

# tar czvf backup.tgz /home   (Backup of the home directory in compressed form)

# tar xzvf backup.tgz         (Uncompress backup.tgz and untar it)

New Compression Utilities

# du -h filename           (Check the file size)

# bzip2 -v filename        (Compress the file)

# du -h filename.bz2       (Check the file size again)

# bunzip2 compressedfilename   (Uncompress the file)

Restore Backup

Use the following commands to restore a backup:

# tar xvf backup.tar       (Extract the tar file)

# tar xzvf backup.tgz      (Extract the compressed backup)
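As an added example (not from the course notes), the following shell functions wrap the tar commands above into a backup, verify and restore cycle on a constructed sample tree; the restore goes into a staging directory with -C rather than over the live filesystem, and the code assumes GNU or BSD tar with gzip support plus diff.

```shell
#!/bin/sh
# Added example: back up directories to a compressed tar (.tgz), verify the
# archive, and restore it into a staging directory. Not from the course notes.

# make_backup ARCHIVE.tgz DIR...   (equivalent of: tar czvf backup.tgz /home)
# Callers pass paths relative to the current directory, so a later restore
# lands under whatever -C directory is chosen instead of on the originals.
make_backup() {
    archive=$1
    shift
    tar czf "$archive" "$@"
}

# verify_backup ARCHIVE.tgz -> fails if the gzip stream or tar headers are
# damaged (tar cannot list the members); otherwise prints the member count.
verify_backup() {
    tar tzf "$1" >/dev/null 2>&1 || return 1
    tar tzf "$1" | grep -c .
}

# restore_backup ARCHIVE.tgz DESTDIR   (equivalent of: tar xzvf backup.tgz)
# Refuses to unpack straight into / so a restore never silently overwrites
# the running system; inspect the staged copy first and move what you need.
restore_backup() {
    case $2 in
        /|"") echo "restore_backup: refusing to restore over the root filesystem" >&2; return 1;;
    esac
    mkdir -p "$2" && tar xzf "$1" -C "$2"
}

# backup_roundtrip -> builds a small constructed tree shaped like the notes'
# /home and /boot sources, backs it up, verifies the archive, restores it to
# a separate directory and compares the two trees. Prints "ok N" where N is
# the number of archive members, or fails.
backup_roundtrip() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/home/javed" "$work/src/boot"
    printf 'alias ll="ls -l"\n' > "$work/src/home/javed/.bashrc"     # constructed sample data
    printf 'kernel image placeholder\n' > "$work/src/boot/vmlinuz"  # constructed sample data
    ( cd "$work/src" && make_backup "$work/backup.tgz" home boot ) || return 1
    n=$(verify_backup "$work/backup.tgz") || return 1
    restore_backup "$work/backup.tgz" "$work/restore" || return 1
    diff -r "$work/src" "$work/restore" >/dev/null || return 1
    rm -rf "$work"
    echo "ok $n"
}
```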

Increase the size of SWAP partition

You installed a new Linux system, but forgot to set enough swap space for your needs. Do you need to repartition and reinstall? No, the swap utilities on Linux allow you to make a regular file and use it as swap space. The trick is to make a file and then tell the swapon program to use it. Here's how to create, for example, a 500 MB swap file on your root partition.

dd if=/dev/zero of=/swapfile bs=500M count=1

This makes a 500 MB file on your hard drive. Because a swap file ends up holding the contents of process memory, it should be readable and writable by root only (chmod 600 /swapfile). You now need to initialize it:

mkswap /swapfile

And you can then add it to your swap pool:

swapon /swapfile

With that you have 500 MB of swap added. Don't forget to add the swapon command to your startup files so the command will be repeated at each reboot.

Verify the swap size

Note: if no swap partition was created at installation, an error may appear while creating the swap file.

Permanently Activate Swapfile

Edit /etc/fstab to include:

/swapfile swap swap defaults 0 0

The next time the system boots, it will enable the new swap file.

Second Option to Activate It

Add the swapon command to a startup file, so the command is executed at each boot:

vi /etc/rc.local

swapon /swapfile

• After adding the new swap file and enabling it, make sure it is active by viewing the output of one of the following commands:

cat /proc/swaps or free

Create Swap Partition after Installation:

Create a partition with fdisk, such as /dev/hda5, then use the following commands to activate it as swap.

mkswap /dev/hda5

Then add a line like this to your /etc/fstab:

/dev/hda5 swap swap defaults 0 0

Note:

What do you use to format a swap partition, mkfs.swap? Swap is not a file system. You format swap with mkswap. See man mkswap.

/dev/zero

In Unix-like operating systems, /dev/zero is a special file that provides as many null characters (ASCII NUL, 0x00) as are read from it. One of its typical uses is to provide a character stream for overwriting information. Another is to generate a clean file of a certain size. It is also used to create files that back virtual shared memory.

Destroy data on a partition

# Do not execute this code on any computer unless you want to destroy
# all data on a partition!
dd if=/dev/zero of=/dev/hda8

Like /dev/null, /dev/zero acts as a source and sink for data. All writes to /dev/zero succeed with no other effects (the same as for /dev/null, although /dev/null is the more commonly used data sink); all reads on /dev/zero return as many NULs as characters requested.

Disk Management:

Linux Hard Drive Naming Convention:

The partitions on each drive are referred to numerically. The first partition on the first drive is referred to as hda1, the second as hda2, the third as hda3, and so on.

Linux IDE naming conventions:

Device     Description                      Configuration
/dev/hda   1st (Primary) IDE controller     Master
/dev/hdb   1st (Primary) IDE controller     Slave
/dev/hdc   2nd (Secondary) IDE controller   Master
/dev/hdd   2nd (Secondary) IDE controller   Slave

Note: SCSI disks are labeled /dev/sda, /dev/sdb, /dev/sdc, etc. to represent the first, second, third, ... SCSI hard drive. Partitions are represented by an additional number, i.e. the first drive's first partition is /dev/sda1, its second partition /dev/sda2, and so on. Other SCSI devices such as tape backup are labeled /dev/st0 for the first, /dev/st1 for the second and so forth. See the Linux SCSI tutorial for more info.


Command and Response Dialog of Adding a New IDE Drive:

Linux's fdisk is a text-based tool that requires you to type one-letter commands. You can obtain a list of commands by typing ? or m at the fdisk prompt. The most important fdisk commands are listed in the table below.

TABLE: fdisk Commands

Command   Description
d         Delete a partition
n         Create a new partition
p         Displays (prints) the partition layout
q         Quits without saving changes
t         Changes the partition's type
w         Writes (saves) changes and quits

As root, perform the following (the user's input follows each prompt):

[root]# fdisk /dev/hdb

Command (m for help): m        (Enter the letter "m" to get the list of commands)
Command action
a toggle a bootable flag
b edit bsd disklabel
c toggle the dos compatibility flag
d delete a partition
l list known partition types
m print this menu
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disklabel
t change a partition's system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)

Command (m for help): n
Command action
e extended
p primary partition (1-4)
e
Partition number (1-4): 1
First cylinder (1-2654, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-2654, default 2654):
Using default value 2654

Command (m for help): p

Disk /dev/hdb: 240 heads, 63 sectors, 2654 cylinders
Units = cylinders of 15120 * 512 bytes

Device     Boot  Start  End   Blocks     Id  System
/dev/hdb1        1      2654  20064208+  5   Extended

Command (m for help): w        (Write and save the partition table)

[root]# mkfs -t ext3 /dev/hdb1
mke2fs 1.27 (8-Mar-2008)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
2508352 inodes, 5016052 blocks
250802 blocks (5.00%) reserved for the super user
First data block=0
154 block groups
32768 blocks per group, 32768 fragments per group
16288 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000

Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 34 mounts or 180 days, whichever comes first. Use tune2fs -c or -i to override.
[root]# mkdir /opt2
[root]# mount -t ext3 /dev/hdb1 /opt2

Note: A computer system may have multiple drives with primary partitions, but only one primary partition may be active on any one drive. The active primary partition is used for booting the system and is referenced by the Master Boot Record (MBR). Each hard drive may only have a maximum of four primary partitions. One may only boot an OS from a primary partition. Extended partitions allow one to place up to 24 partitions on a single drive.

FTP Server

The File Transfer Protocol (FTP) is used to copy files between computers over a LAN/WAN.

Package: Very Secure FTP Server (vsftpd) vsftpd.beasts.org

Configuration File: /etc/vsftpd/vsftpd.conf

Red Hat FTP Server Directories

Red Hat currently installs the vsftpd server package along with anonymous FTP support during installation. At that time, an ftp directory is created along with several subdirectories where you can place files for FTP access. For example, on Red Hat this would be at /var/ftp/pub.

Upload with Anonymous user

The vsftpd FTP package does not create a directory where users can upload files to the FTP site. If you want to allow uploads, you will have to create a directory, make it part of the ftp group, and then set its permissions to give that group write access.

chgrp ftp /var/ftp/pub/upload
chmod g+w /var/ftp/pub/upload

Configuring vsftpd

You configure vsftpd using one configuration file, /etc/vsftpd/vsftpd.conf. Red Hat installs a default vsftpd.conf file in the /etc/vsftpd directory. The man page for vsftpd.conf lists all options, providing a detailed explanation for each.

Configuration file:

# Allow anonymous FTP?
anonymous_enable=YES
...
# The directory which vsftpd will try to change
# into after an anonymous login. (Default = /var/ftp)
anon_root=/data/directory
...
# Uncomment this to allow local users to log in.
local_enable=YES
...
# Uncomment this to enable any form of FTP write command.
# (Needed even if you want local users to be able to upload files)
write_enable=YES
...
# Uncomment to allow the anonymous FTP user to upload files. This only
# has an effect if global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
...
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
...
# Activate logging of uploads/downloads.
xferlog_enable=YES
...
# You may override where the log file goes if you like.
# The default is shown below.
xferlog_file=/var/log/vsftpd.log
...

More detail

Configuration Options for vsftpd.conf

Option                      Description
listen                      Set standalone mode
listen_port                 Specify port for standalone mode
anonymous_enable            Enable anonymous user access
local_enable                Enable access by local users
no_anon_password            Specify whether anonymous users must submit a password
anon_upload_enable          Enable uploading by anonymous users
anon_mkdir_write_enable     Allow anonymous users to create directories
anon_world_readable_only    Make uploaded files read only to all users
idle_session_timeout        Time limit in seconds for idle sessions
data_connection_timeout     Time limit in seconds for failed connections
dirmessage_enable           Display directory messages
ftpd_banner                 Display FTP login message
xferlog_enable              Enable logging of transmission transactions
xferlog_file                Specify log file
deny_email_enable           Enable denying anonymous users whose e-mail addresses are specified in vsftpd.banned
userlist_enable             Deny access to users specified in the vsftpd.user_list file
userlist_file               Deny or allow users access depending on the setting of userlist_deny
userlist_deny               When set to YES, users listed in userlist_file are denied access. When set to NO, users listed in userlist_file, and only those users, are allowed access
chroot_list_enable          Restrict users to their home directories
chroot_list_file            Allow users access to home directories. Unless chroot_local_user is set to YES, this file contains the list of users not allowed access to their home directories
chroot_local_user           Allow access by all users to their home directories
pam_service_name            Specify PAM script
ls_recurse_enable           Enable recursive listing

Command Access files

Command usage is highly restricted by vsftpd.

Files for vsftpd

File                        Description
vsftpd.ftpusers             Users always denied access
vsftpd.user_list            Specified users denied access (allowed access if userlist_deny is NO)
vsftpd.chroot_list          Local users allowed access (denied access if chroot_local_user is on)
/etc/vsftpd/vsftpd.conf     vsftpd configuration file
/etc/pam.d/vsftpd           PAM vsftpd script
/etc/rc.d/init.d/vsftpd     Service vsftpd server script, standalone (Red Hat default)
/etc/xinetd.d/vsftpd        xinetd vsftpd server script

Restrict Specific Users

The /etc/vsftpd.ftpusers File

For added security, you may block FTP access for certain users by adding them to the list of users in the /etc/vsftpd.ftpusers file.

Allow Access to Specific Users

To allow access only for certain users, edit the /etc/vsftpd/vsftpd.conf file:

vi /etc/vsftpd/vsftpd.conf

userlist_enable=YES
userlist_deny=NO

:wq

Then open the file /etc/vsftpd.user_list (vi /etc/vsftpd.user_list) and add the user accounts you want to allow.

See the details below:

userlist_enable   Deny access to users specified in the vsftpd.user_list file
userlist_file     Deny or allow users access depending on the setting of userlist_deny
userlist_deny     When set to YES, users listed in userlist_file are denied access. When set to NO, users listed in userlist_file, and only those users, are allowed access
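As an added example (not from the course notes or the vsftpd project), the shell functions below read a vsftpd.conf, fall back to the defaults documented in the vsftpd.conf man page for options that are not set, and report on the settings discussed above that matter most: anonymous upload, confinement of local users to their home directories, whether userlist_file works as an allow list or a deny list, and transfer logging. The two configuration files it writes are constructed samples.

```shell
#!/bin/sh
# Added example: audit the vsftpd.conf options discussed in the notes.
# Not from the course notes or from the vsftpd project.

# conf_opt OPTION DEFAULT FILE -> the option's value, or DEFAULT if unset.
# Commented-out lines such as "#anon_upload_enable=YES" are ignored, and no
# whitespace around '=' is tolerated, which matches vsftpd's own parser.
conf_opt() {
    val=$(sed -n "s/^$1=\(.*\)\$/\1/p" "$3" | tail -n 1)
    printf '%s\n' "${val:-$2}"
}

# audit_vsftpd_conf FILE -> one finding per line, prefixed WARN or INFO.
# Defaults in the conf_opt calls are those of the vsftpd.conf man page.
audit_vsftpd_conf() {
    f=$1
    anon=$(conf_opt anonymous_enable YES "$f")
    write=$(conf_opt write_enable NO "$f")
    anon_up=$(conf_opt anon_upload_enable NO "$f")
    local_on=$(conf_opt local_enable NO "$f")
    chroot=$(conf_opt chroot_local_user NO "$f")
    ulist=$(conf_opt userlist_enable NO "$f")
    udeny=$(conf_opt userlist_deny YES "$f")
    xfer=$(conf_opt xferlog_enable NO "$f")

    if [ "$anon" = YES ]; then
        # anon_upload_enable only has an effect when write_enable is YES too
        if [ "$write" = YES ] && [ "$anon_up" = YES ]; then
            echo "WARN anonymous users may upload (anonymous_enable, write_enable and anon_upload_enable are all YES)"
        else
            echo "INFO anonymous read-only access is enabled"
        fi
    fi
    if [ "$local_on" = YES ] && [ "$chroot" != YES ]; then
        echo "WARN local users are not confined to their home directories (chroot_local_user=$chroot)"
    fi
    if [ "$ulist" = YES ]; then
        if [ "$udeny" = NO ]; then
            echo "INFO userlist_file is an allow list: only the users listed in it may log in"
        else
            echo "INFO userlist_file is a deny list: the users listed in it are refused"
        fi
    fi
    if [ "$xfer" != YES ]; then
        echo "WARN transfers are not logged (xferlog_enable=$xfer)"
    fi
}

# count_warnings FILE -> number of WARN findings (0 is a valid answer)
count_warnings() {
    audit_vsftpd_conf "$1" | grep -c '^WARN' || true
}

# write_sample_confs DIR -> two constructed configuration files:
# DIR/notes.conf mirrors the values shown in the notes above, and
# DIR/hardened.conf is the allow-list setup with anonymous access off.
write_sample_confs() {
    cat > "$1/notes.conf" <<'EOF'
# Allow anonymous FTP?
anonymous_enable=YES
local_enable=YES
write_enable=YES
#anon_upload_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
EOF
    cat > "$1/hardened.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
xferlog_enable=YES
EOF
}
```

Running `audit_vsftpd_conf /etc/vsftpd/vsftpd.conf` on a real server gives the same report for the live configuration.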



Telnet

You use the telnet command to log in remotely to another system on your network. The system can be on your local area network or available through an Internet connection. Telnet sends the login name, password and whole session unencrypted, so it should only be enabled where SSH is not an option.

Enable Telnet Services: you have to enable telnet by editing the following file:

/etc/xinetd.d/krb5-telnet

Here change disable=yes (the default) to disable=no to use this service.

$ telnet 200.10.250.139
Connected to garnet
login:



Samba Server

With Samba, you can connect your Windows clients on a Microsoft Windows network to services such as shared files, systems, and printers controlled by the Linux Samba server, and, at the same time, allow Linux systems to access shared files and printers on Windows systems.

Package: Samba
Configuration file: /etc/samba/smb.conf
Service: smb

Review the details of the Samba applications:

Samba Applications

Application            Description
smbd                   Samba server daemon that provides file and printer services to SMB clients
nmbd                   Samba daemon that provides NetBIOS name resolution and service browser support
smbclient              Provides FTP-like access by Linux clients to Samba services
smbmount               Mounts Samba share directories on Linux clients
smbumount              Unmounts Samba share directories mounted on Linux clients
smbpasswd              Changes SMB-encrypted passwords on Samba servers
smbstatus              Displays the current status of the SMB network connections
smbrun                 Interface program between smbd and external programs
testparm               Tests the Samba configuration file, smb.conf
smbtar                 Backs up SMB/CIFS-shared resources directly to a Unix tape drive
nmblookup              Maps the NetBIOS name of a Windows PC to its IP address
redhat-config-samba    Samba GUI configuration tool (System Settings: Server Settings: Samba Server)
SWAT                   Samba Web administration tool for configuring smb.conf with a Web browser; enables you to use a Web page interface to create and maintain your Samba configuration file, smb.conf
winbind                Uses authentication services provided by a Windows domain

/etc/samba/smbpasswd

Samba maintains its own password file.

Starting Up Samba

For a simple Samba setup, you should be able to use the default smb.conf file installed with the Linux distribution package of Samba. If you need to make changes, however, you must restart the Samba server to have the changes take effect. Starting, stopping, and restarting the Samba server is managed by the /etc/rc.d/init.d/smb script using the options start, stop, and restart. On Red Hat, you can run the smb script directly as shown here:

service smb restart

Accessing Samba from Linux

To test your connection from a Linux system, you can use the smbclient command to query the
Samba server. To access the home directory of a user on the Samba server, use the IP or
hostname address of the Samba server, along with the homes section. With the -U option,
specify a user to connect to on the system, as shown here:

smbclient //200.100.200.29/homes -U javed

You are then prompted for a password. If the client password is different from the server
password, use the server password. Once connected, you are presented with the SMB client
prompt as shown here. You can then access the files on the user's home directory:

smb: \>

Accessing Samba from Windows

To set up a connection for a Windows client, you need to specify the Windows workgroup name
and configure the password. The workgroup name is the name that appears in the Entire Network
window in the Network Neighborhood on the Windows desktop (My Network Places on
Windows 2000, XP). In the smb.conf file, you specify the workgroup name in the workgroup=
entry in the global section. The workgroup name should be uppercase, no more than eight
characters, and contain no spaces.

You can then restart the Samba server. On a Windows client, you see the workgroup name in the
Entire Network folder in your Network Neighborhood. Within the workgroup is an icon for the
Samba server and within that is an icon for the user directory, as specified in the homes section
of the smb.conf file.

Samba Configuration File and Tools

Samba configuration options are kept in the /etc/samba/smb.conf file. You edit this file to make
changes to the configuration. Once you finish making any changes, you should test your
smb.conf file using the testparm program. The testparm program checks the validity of your
configuration entries. By default, testparm uses the /etc/samba/smb.conf file, although you can
supply a different configuration file as an argument:

testparm

smbstatus
To check your network connections, use the smbstatus command. This command
returns a listing of all active SMB connections.

Domain Name System (DNS)

Reference Book: The Complete Reference Enterprise Linux & Fedora Edition

The Domain Name System (DNS) is a service that locates and translates domain names into their corresponding Internet Protocol (IP) addresses.

Manual Translations: /etc/hosts

Any computer on the Internet can maintain a file that manually associates IP addresses with domain names. On Linux and Unix systems, this file is called the /etc/hosts file. Here, you can enter the IP addresses and domain names of computers you commonly access. Using this method, however, each computer needs a complete listing of all other computers on the Internet, and that listing must be updated constantly. Early on, this became clearly impractical for the Internet, though it is still feasible for small isolated networks.

Package: BIND (Berkeley Internet Name Domain)
Service: named
Configuration files: /etc/named.conf,
/var/named/file.forward (create this file)
/var/named/file.reverse

Server Hierarchy

Your network can have a master DNS server and several slave DNS servers to help carry the workload. A slave DNS server automatically copies its configuration files, including all zone files, from the master DNS server. Any changes to the master configuration files trigger an automatic download of these files to the slave servers.

• Master Name Server
  o It contains the master copy of data for the zone.

• Slave Name Server
  o It provides a backup to the master name server.
  o All slave servers maintain synchronization with their master name server.

• Forwarder server: A server that forwards unresolved DNS requests to outside DNS servers. Can be used to keep other servers on a local network hidden from the Internet.

• Caching only server: Caches DNS information it receives from DNS servers and uses it to resolve local requests.

• Forward zone: The forward zone lists name servers outside your network that should be searched if your network's name server fails to resolve an address.

• IN-ADDR.ARPA zone: DNS can also provide reverse resolutions, where an IP address is used to determine the associated domain name address. Such lookups are provided by IN-ADDR.ARPA zone files.

• Hint zone: A hint zone specifies the root name servers and is denoted by a period (.). A DNS server is normally connected to a larger network, such as the Internet, which has its own DNS servers. DNS servers are connected this way hierarchically, with each server having its root servers to which it can send resolution queries. The root servers are designated in the hint zone.

DNS BIND Zone Types

Type      Description
master    Primary DNS zone
slave     Slave DNS server; controlled by a master DNS server
hint      Set of root DNS Internet servers
forward   Forwards any queries in it to other servers
stub      Like a slave zone, but holds only names of DNS servers

Forward Zone File in named.conf

zone "my-web-site.org" {
    type master;
    file "my-site.forward";
};

zone "another-web-site.com" {
    type master;
    notify no;
    file "another-site.forward";
};



BIND Configuration Statements
Statements Description
/* comment */ BIND comment in C syntax.
// comment BIND comment in C++ syntax.
# comment BIND comment in Unix shell and Perl syntax.

Directory Option

A critically important option found in most configuration files is the directory option, which holds the location of the name server's zone and cache files on your system. The following example is taken from the Red Hat /etc/named.conf file. This example specifies that the zone files are located in the /var/named directory. In this directory, you can find your zone files, including those used for your local system.

options {
    directory "/var/named";
    forwarders { 192.168.0.34; 192.168.0.47; };
};

forwarders Option

Another commonly used global option is the forwarders option. With the forwarders option, you can list several DNS servers to which queries can be forwarded if they cannot be resolved by the local DNS server. This is helpful for local networks that may need to use a DNS server connected to the Internet. The forwarders option can also be placed in forward zone entries.

notify Option

With the notify option turned on, the master zone DNS servers send messages to any slave DNS servers whenever their configuration has changed. The slave servers can then perform zone transfers in which they download the changed configuration files. Slave servers always use the DNS configuration files copied from their master DNS servers. notify takes one argument, yes or no, where yes is the default. With the no argument, you can have the master server not send out any messages to the slave servers, in effect preventing any zone transfers. (See the forward zone example above.)

named.conf Example

/etc/named.conf


//
// A simple BIND 9 configuration
//

logging {
category cname { null; };
};

options {
directory "/var/named";
};

zone "." {
type hint;
file "named.ca";
};

zone "my-site.org" {
type master;
file "my-site.forward";
};

zone "1.168.192.IN-ADDR.ARPA" {
type master;
file "my-site.rev";
};

zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "named.local";
};

Resource Record Types

Most Commonly Used Resource Records

Record Name   Record Type          Brief Definition of Record
A             Address (IP)         Maps an IP address in standard dot notation to a host name.
NS            Name Server          Identifies an authoritative name server for a domain zone.
CNAME         Canonical NAME       Alias hostname for the official hostname.
SOA           Start Of Authority   Identifies the best name server for information on a unique domain. Only one SOA can be used per zone.
PTR           PoinTeR              Reverse-maps an IP address to a name, as opposed to mapping a name to an IP address like an "A record".
MX            Mail EXchange        Identifies a host that will deliver, receive and forward mail.

Domain Name Service Resource Record Types

Type     Description
A        An IPv4 host address, maps hostname to IPv4 address
A6       An IPv6 host address
NS       Authoritative name server for this zone
CNAME    Canonical name, used to define an alias for a hostname
SOA      Start of Authority, starts DNS entries in zone file, specifies name server for domain, and other features such as server contact and serial number
WKS      Well-known service description
PTR      Pointer record, for performing reverse domain name lookups, maps IP address to hostname
RP       Text string that contains contact information about a host
HINFO    Host information
MINFO    Mailbox or mail list information
MX       Mail exchanger, informs remote site of your zone's mail server
TXT      Text strings, usually information about a host
KEY      Domain private key
SIG      Resource record signature
NXT      Next resource record


Start of Authority: SOA

A zone or reverse mapping file always begins with a special resource record called the Start of Authority (SOA) record. This record specifies that all the following records are authoritative for this domain. It also holds information about the name server's domain, which is to be given to other name servers. An SOA record has the same format as other resource records, though its data segment is arranged differently. The format for an SOA record follows:

name {ttl} class SOA Origin Person-in-charge (
    Serial number
    Refresh
    Retry
    Expire
    Minimum )

Each zone has its own SOA record. The SOA begins with the zone name specified in the named.conf zone entry. This is usually a domain name. An @ symbol is usually used for the name and acts like a macro expanding to the domain name. The class is usually the Internet class, IN. SOA is the type. Origin is the machine that is the origin of the records, usually the machine running your name server daemon. The person-in-charge is the e-mail address for the person managing the name server (use dots, not @, for the e-mail address, as this symbol is used for the domain name).

The following example shows an SOA record. The machine running the name server is server.my-site.com, and the e-mail address of the person responsible for the server is javed.my-site.com.

@ IN SOA server.my-site.com. javed.my-site.com. (
    2008060301 ; Serial
    28800      ; Refresh
    14400      ; Retry
    3600000    ; Expire
    86400 )    ; Minimum

Name Server: NS

The name server record specifies the name of the name server for this zone. These have a resource record type of NS. If you have more than one name server, list them in NS records. These records usually follow the SOA record. As they usually apply to the same domain as the SOA record, their name field is often left blank to inherit the server's domain name specified by the @ symbol in the previous SOA record.

IN NS server.my-site.com.

You can, if you wish, enter the domain name explicitly as shown here:

my-site.com. IN NS server.my-site.com.

Address Record: A

Resource records of type A are address records that associate a fully
qualified domain name with an IP address. Often, only their hostname is
specified. Any domain names without a terminating period automatically
have the domain appended to them. Given the domain my-site.com, the
server name in the following example is expanded to server.my-site.com:

server2.my-site.com. IN A 192.168.0.2
server IN A 192.168.0.1

The SOA Record Format

Field          Description

Name           The root name of the zone. The "@" sign is a shorthand
               reference to the current origin (zone) in the /etc/named.conf
               file for that particular database file.

Class          There are a number of different DNS classes. Home/SOHO use
               will be limited to the IN or Internet class, used when
               defining IP address mapping information for BIND. Other
               classes exist for non-Internet protocols and functions but
               are very rarely used.

Type           The type of DNS resource record. In the example, this is an
               SOA resource record. Other types of records exist, which
               I'll cover later.

Name-server    Fully qualified name of your primary name server. Must be
               followed by a period.

Email-address  The e-mail address of the name server administrator. The
               regular @ in the e-mail address must be replaced with a
               period. The e-mail address must also be followed by a period.

Serial-no      A serial number for the current configuration. You can use
               the date format YYYYMMDD with an incremented single digit
               number tagged to the end. This allows you to do multiple
               edits each day with a serial number that both increments
               and reflects the date on which the change was made.

Refresh        Tells the slave DNS server how often it should check the
               master DNS server. Slaves aren't usually used in home/SOHO
               environments.

Retry          The slave's retry interval for connecting to the master in
               the event of a connection failure. Slaves aren't usually
               used in home/SOHO environments.

Expiry         Total amount of time a slave should retry to contact the
               master before expiring the data it contains. Future
               references will be directed towards the root servers.
               Slaves aren't usually used in home/SOHO environments.

Minimum-TTL    There are times when remote clients will make queries for
               subdomains that don't exist. Your DNS server will respond
               with a "no domain" or NXDOMAIN response that the remote
               client caches. This value defines the caching duration your
               DNS server includes in this response.

Mail Exchanger: MX

The Mail Exchanger record, MX, specifies the mail server that is used
for this zone or for a particular host. The mail exchanger is the server to
which mail for the host is sent. In the following example, the mail server is
specified as server.my-site.com. Any mail sent to the address for any
machine in that zone will be sent to the mail server, which in turn will send
it to the specific machines. For example, mail sent to a user on
server2.my-site.com will first be sent to server.my-site.com, which will then
send it on to server2.my-site.com. In the following example, the host
192.168.0.1 (server.my-site.com) is defined as the mail server for the
my-site.com domain:

my-site.com. IN MX 10 server.my-site.com.

You could also inherit the domain name from the SOA record, leaving the
domain name entry blank.

    IN MX 10 server.my-site.com.

You could use the IP address instead, but in larger networks, the domain
name may be needed to search for and resolve the IP address of a particular
machine, which could change.

My-site.com. IN MX 10 192.168.0.1

An MX record recognizes an additional field that specifies the ranking for a
mail exchanger. If your zone has several mail servers, you can assign them
different rankings in their MX records. The smaller number has the higher
ranking. This way, if mail cannot reach the first mail server, it can be routed
to an alternate server to reach the host. In the following example, mail for
hosts on the my-site.com domain is first routed to the mail server at
192.168.0.1 (server.my-site.com), and if that fails, it is routed to the mail
server at 192.168.0.2 (server2.my-site.com).

my-site.com. IN MX 10 server.my-site.com.
             IN MX 20 server2.my-site.com.

Aliases: CNAME

Resource records of type CNAME are used to specify alias names for a
host in the zone. Aliases are often used for machines running several
different types of servers, such as both Web and FTP servers. They are also
used to locate a host when it changes its name. The old name becomes an
alias for the new name. In the following example, ftp.my-site.com is an
alias for a machine actually called server.my-site.com:

ftp.my-site.com. IN CNAME server.my-site.com.

The term CNAME stands for canonical name. The canonical name is the
actual name of the host. In the preceding example, the canonical name is
server.my-site.com. The alias, also known as the CNAME, is
ftp.my-site.com. In a CNAME entry, the alias points to the canonical name.

Aliases cannot be used for NS (name server) or MX (mail server)
entries. For those records, you need to use the original domain name
or IP address.

A more stable way to implement aliases is simply to create another address
record for a host or domain. You can have as many hostnames for the same
IP address as you want, provided they are certified. For example, to make
www.my-site.com an alias for server.my-site.com, you only have to add
another address record for it, giving it the same IP address as
server.my-site.com.

server.my-site.com. IN A 192.168.0.1
www.my-site.com. IN A 192.168.0.1

Pointer Record: PTR

A PTR record is used to perform reverse mapping from an IP address to a
host. PTR records are used in the reverse mapping files. The name entry
holds a reversed IP address, and the data entry holds the name of the host.
The following example maps the IP address 192.168.0.1 to
server.my-site.com:

1.0.168.192.in-addr.arpa. IN PTR server.my-site.com.

In a PTR record, you can specify just the last number segment of the
address (the host address) and let DNS fill in the domain part of the
address. In the next example, 1 has the reverse zone's origin,
0.168.192.in-addr.arpa, automatically added to give 1.0.168.192.in-addr.arpa:

1 IN PTR server.my-site.com.

Forward Zone Files

A zone file holds resource records that follow a certain format. The file
begins with general directives to define default domains or to include other
resource record files. These are followed by a single SOA record, name
server and domain resource records, and then resource records for the
different hosts. Comments begin with a semicolon and can be placed
throughout the file. The @ symbol operates like a special macro,
representing the domain name of the zone to which the records apply. The
@ symbol is used in the first field of a resource or SOA record as the zone's
domain name.

Example of Forward zone file

A zone file begins with an SOA record specifying the machine the name
server is running on, among other specifications. The @ symbol is used for
the name of the SOA record, denoting the zone's domain name. After the
SOA, the name server resource records (NS) are listed. Just below the name
server records are resource records for the domain itself. Resource records
for host addresses (A), aliases (CNAME), and mail exchangers (MX) follow.
The next example shows a sample zone file, which begins with an SOA
record and is followed by an NS record, resource records for the domain,
and then resource records for individual hosts:

; Authoritative data for my-site.com
;
@ IN SOA server.my-site.com. javed.server.my-site.com. (
        93071200 ; Serial number
        10800    ; Refresh 3 hours
        3600     ; Retry 1 hour
        3600000  ; Expire 1000 hours
        86400 )  ; Minimum 24 hours

        IN NS server.my-site.com.
        IN A 192.168.0.1
        IN MX 10 server.my-site.com.
        IN MX 15 server2.my-site.com.

server  IN A 192.168.0.1
ftp     IN CNAME my-site.com.
www     IN A 192.168.0.1

server2 IN A 192.168.0.2

Nameserver Record

The next resource record specifies the name server for this zone. Here,
it is my-site.com. Notice the name for this resource record is blank. If the
name is blank, a resource record inherits the name from the previous
record. In this case, the NS record inherits the value of @ in the SOA record,
its previous record. This is the zone's domain, and the NS record specifies
server.my-site.com as the name server for this zone.

    IN NS server.my-site.com.

Here the domain name is inherited. The entry can be read as the following.
Notice the trailing period at the end of the domain name:

my-site.com. IN NS server.my-site.com.
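
As an added example (not part of the handout), the following Python script parses records in the zone file format described above: it expands the @ macro, appends the origin to names without a trailing period, inherits a blank owner from the previous record, folds the parenthesised SOA fields onto one line, ranks MX records by preference, flags NS or MX records that point at a CNAME alias, and builds the in-addr.arpa owner name a PTR record needs. The zone text is constructed from this section's my-site.com records.

```python
import re
from ipaddress import ip_address

# Constructed sample zone, mirroring the my-site.com records in the handout.
SAMPLE_ZONE = """\
; Authoritative data for my-site.com
@ IN SOA server.my-site.com. javed.my-site.com. (
        2008060301 ; Serial
        28800      ; Refresh
        14400      ; Retry
        3600000    ; Expire
        86400 )    ; Minimum
        IN NS server.my-site.com.
        IN A 192.168.0.1
        IN MX 10 server.my-site.com.
        IN MX 20 server2.my-site.com.
server  IN A 192.168.0.1
www     IN A 192.168.0.1
ftp     IN CNAME server.my-site.com.
server2 IN A 192.168.0.2
"""

NAME_TYPES = {"SOA", "NS", "CNAME", "MX", "PTR"}   # rdata carries domain names


def qualify(name, origin):
    """Expand '@' to the origin; append the origin to a name with no trailing period."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, class, type, rdata) tuples with every name fully qualified."""
    origin = origin if origin.endswith(".") else origin + "."
    # Strip ';' comments, then fold a parenthesised SOA onto one logical line.
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw)
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append(" ".join(buf))
            buf = []
    records, last_owner = [], origin
    for line in logical:
        if not line.strip():
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        # A line starting with whitespace has a blank owner field and inherits
        # the owner of the previous record (the '@' of the SOA, for example).
        owner = last_owner if line[0].isspace() else qualify(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():          # optional TTL
            tokens.pop(0)
        rclass = tokens.pop(0) if tokens and tokens[0] in ("IN", "CH", "HS") else "IN"
        rtype = tokens.pop(0)
        rdata = [qualify(t, origin) if rtype in NAME_TYPES and not t.isdigit() else t
                 for t in tokens]
        records.append((owner, rclass, rtype, rdata))
        last_owner = owner
    return records


def mail_exchangers(records, zone):
    """Mail servers for a zone ordered by preference (smaller number = higher ranking)."""
    zone = zone if zone.endswith(".") else zone + "."
    return sorted((int(r[3][0]), r[3][1]) for r in records
                  if r[0] == zone and r[2] == "MX")


def lint_zone(records):
    """Aliases (CNAME) may not be NS or MX targets; report any that are."""
    aliases = {owner for owner, _, rtype, _ in records if rtype == "CNAME"}
    return [f"{rtype} record for {owner} points at alias {rdata[-1]}"
            for owner, _, rtype, rdata in records
            if rtype in ("NS", "MX") and rdata[-1] in aliases]


def reverse_name(ip):
    """Owner name for a PTR record: the octets reversed under in-addr.arpa."""
    octets = ip_address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."
```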

Subdomain Zones

The name for the subdomain could be a different name altogether or a
name with the same suffix as the primary domain. In the following example,
the subdomain is called beach.my-site.com. It could just as easily be
called mybeach.com. The name server for that domain is on the host
crab.beach.my-site.com, in this example. Its IP address is 192.168.0.33
and its zone file is beach.my-site.com. The beach.my-site.com zone file
holds DNS entries for all the hosts being serviced by this name server. The
following example shows zone entries for its named.conf:

zone "beach.my-site.com" {
    type master;
    file "beach.my-site.com";
};

zone "0.168.192.IN-ADDR.ARPA" {
    type master;
    file "192.168.0";
};

Subdomain Records

On the primary DNS server, in the example server.my-site.com, you would
place entries in the master zone file to identify the subdomain server's host
and designate it as a name server. Such entries are also known as glue
records. In this example, you would place the following entries in the
my-site.com zone file on server.my-site.com:

beach.my-site.com.      IN NS crab.beach.my-site.com.
crab.beach.my-site.com. IN A  192.168.0.33

URL references to hosts serviced by server3.my-site.com can now be
reached from any host serviced by my-site.com, which does not need to
maintain any information about the server3.my-site.com hosts. It simply
refers such URL references to the server3.my-site.com name server.

Slave Servers

A slave DNS server is tied directly to a master DNS server and periodically
receives DNS information from it. You use a master DNS server to configure
its slave DNS servers automatically. Any changes you make to the master
server are automatically transferred to its slave servers. This transfer of
information is called a zone transfer. Zone transfers are automatically
initiated whenever the slave zone's refresh time is reached or the slave
server receives a notify message from the master. The refresh time is the
second argument in the zone's SOA entry. A notify message is automatically
sent by the master whenever changes are made to the master zone's
configuration files and the named daemon is restarted. In effect, slave
zones are automatically configured by the master zone, receiving the master
zone's zone files and making them their own.

Slave Zones

Using the previous examples, suppose you want to set up a slave server on
server2.my-site.com. Zone entries, as shown in the following example, are
set up in the named.conf configuration file for the slave DNS server on
server2.my-site.com. The slave server is operating in the same domain as
the master, and so it has the same zone name, my-site.com. Its SOA file is
named slave.my-site.com. The term "slave" in the filename is merely a
convention that helps identify it as a slave server configuration file. The
masters statement lists its master DNS server—in this case, 192.168.0.1.
Whenever the slave needs to make a zone transfer, it transfers data from
that master DNS server. The entry for the reverse mapping file for this slave
server lists its reverse mapping file as slave.192.168.0.

zone "my-site.com" {
    type slave;
    file "slave.my-site.com";
    masters { 192.168.0.1; };
};

zone "0.168.192.IN-ADDR.ARPA" {
    type slave;
    file "slave.192.168.0";
    masters { 192.168.0.1; };
};

NFS (Network File System)

The Network File System protocol (NFS) is used when disks need to be shared
between Linux machines.

Ref Site: http://www.linuxhomenetworking.com

Ref Book: The Complete Reference Enterprise Linux & Fedora Edition

Package: nfs
Service: nfs, portmap, nfslock, netfs
Configuration file: /etc/exports

General NFS Rules

You should follow some general rules when configuring NFS.

1. Only export directories beneath the / directory.

2. Do not export a subdirectory of a directory that has already been exported. The
exception is when the subdirectory is on a different physical device. Likewise, do
not export the parent of a subdirectory unless it is on a separate device.

3. Only export local filesystems. Keep in mind that when you mount any filesystem on a
directory, the original contents of the directory are ignored, or obscured, in favor of
the files in the mounted filesystem. When the filesystem is unmounted, the
original files in the directory reappear unchanged.

VFS

The virtual filesystem (VFS) interface is the mechanism used by NFS to
transparently and automatically redirect all access to NFS-mounted files to
the remote server. This is done in such a way that files on the remote NFS
server appear to the user to be no different than those on a local disk.

Important NFS Daemons

NFS isn't a single program, but a suite of interrelated programs that work
together to get the job done.

• rpcbind: (portmap in older versions of Linux) The primary daemon upon which all
the others rely, rpcbind manages connections for applications that use the RPC
specification. By default, rpcbind listens to TCP port 111 on which an initial
connection is made. This is then used to negotiate a range of TCP ports, usually
above port 1024, to be used for subsequent data transfers. You need to run rpcbind
on both the NFS server and client.

• nfs: Starts the RPC processes needed to serve shared NFS file systems. The nfs
daemon needs to be run on the NFS server only.

• nfslock: Used to allow NFS clients to lock files on the server via RPC processes. The
nfslock daemon needs to be run on both the NFS server and client.

• netfs: Allows RPC processes run on NFS clients to mount NFS filesystems on the
server.

Now take a look at how to configure these daemons to create a functional NFS
client/server setup.

Installing NFS
RedHat Linux installs nfs by default, and also by default nfs is
activated when the system boots. You can determine whether you have nfs
installed using the RPM command in conjunction with the grep command to
search for all installed nfs packages.

[root@bigboy tmp]# rpm -qa | grep nfs
system-config-nfs-1.1.3-1
nfs-utils-1.0.1-3.9
[root@bigboy tmp]#

Now verify whether the portmap package (or rpcbind on newer systems) is installed:

[root@bigboy tmp]# rpm -q portmap
portmap-4.0-57
[root@bigboy tmp]#

Configuring NFS on the Server

Both the NFS server and NFS client have to have parts of the NFS
package installed and running. The server needs rpcbind, nfs, and nfslock
operational, as well as a correctly configured /etc/exports file.

The /etc/exports File

The /etc/exports file is the main NFS configuration file, and it consists
of two columns. The first column lists the directories you want to make
available to the network. The second column has two parts. The first part
lists the networks or DNS domains that can get access to the directory, and
the second part lists NFS options in brackets.

For the scenario you need:

• Read-only access to the /data/files directory to all networks

• Read/write access to the /home directory from all servers on the
192.168.1.0/24 network, which is all addresses from 192.168.1.0 to
192.168.1.255

• Read/write access to the /data/test directory from servers in the
my-site.com DNS domain

• Read/write access to the /data/database directory from a single server,
192.168.1.203.

In all cases, use the sync option to ensure that file data cached in memory is
automatically written to the disk after the completion of any disk data
copying operation.

#/etc/exports
/data/files     *(ro,sync)
/home           192.168.1.0/24(rw,sync)
/data/test      *.my-site.com(rw,sync)
/data/database  192.168.1.203(rw,sync)
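
Added example, not from the handout or the site it references: a Python checker that parses an /etc/exports file in the two-column form just described, reports which access (ro, rw or none) a given client gets for a directory using the client forms used above (*, a CIDR network, *.domain, a single IP), and audits the file against the general NFS rules given earlier (no nested exports, explicit sync) plus two options worth flagging. The first sample file is the one shown above; the second, deliberately bad one is constructed.

```python
import fnmatch
import ipaddress
import os.path
import re

# The /etc/exports file from this section.
SAMPLE_EXPORTS = """\
#/etc/exports
/data/files     *(ro,sync)
/home           192.168.1.0/24(rw,sync)
/data/test      *.my-site.com(rw,sync)
/data/database  192.168.1.203(rw,sync)
"""


def parse_exports(text):
    """Return a list of (directory, [(client, {options})]) entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directory, *specs = line.split()
        clients = []
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            opts = {o for o in (m.group(2) or "").split(",") if o}
            clients.append((m.group(1) or "*", opts))
        entries.append((directory, clients))
    return entries


def client_matches(pattern, ip, fqdn):
    """Client forms used above: '*', a.b.c.d, a.b.c.d/nn (or /mask) and *.domain.
    exports(5) wildcards also match dots, so *.my-site.com covers subdomains too."""
    if pattern == "*":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    try:
        return ipaddress.ip_address(pattern) == ipaddress.ip_address(ip)
    except ValueError:
        return fnmatch.fnmatch(fqdn.lower(), pattern.lower())


def _specificity(client):
    """exports(5) precedence when several specs match: host, network, wildcard, then '*'."""
    if client == "*":
        return 3
    if "/" in client:
        return 1
    return 2 if any(c in client for c in "*?[") else 0


def access_for(entries, directory, ip, fqdn):
    """'rw', 'ro' (the default when rw is absent) or None if the client is not exported to."""
    for exported, clients in entries:
        if os.path.normpath(exported) != os.path.normpath(directory):
            continue
        matches = [(_specificity(c), i, opts) for i, (c, opts) in enumerate(clients)
                   if client_matches(c, ip, fqdn)]
        if matches:
            opts = min(matches)[2]
            return "rw" if "rw" in opts else "ro"
    return None


def _is_subdir(path, parent):
    path, parent = os.path.normpath(path), os.path.normpath(parent)
    return path != parent and os.path.commonpath([path, parent]) == parent


def audit_exports(entries):
    """Apply the general NFS rules above (no nested exports unless on a separate
    device, which cannot be judged offline; explicit sync) and flag two risky options."""
    findings = []
    dirs = [d for d, _ in entries]
    for d in dirs:
        for parent in dirs:
            if _is_subdir(d, parent):
                findings.append(f"{d} is a subdirectory of exported {parent} "
                                "(only acceptable if it is on a separate device)")
    for d, clients in entries:
        for client, opts in clients:
            if "sync" not in opts:
                findings.append(f"{d} {client}: sync not set explicitly")
            if "rw" in opts and client == "*":
                findings.append(f"{d}: read/write access exported to every host")
            if "no_root_squash" in opts:
                findings.append(f"{d} {client}: no_root_squash lets remote root act as local root")
    return findings
```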

Starting NFS on the Server

Configuring an NFS server is straightforward:

1) Use the chkconfig command to configure the required nfs and RPC
rpcbind or portmap daemons to start at boot. You also should activate NFS
file locking to reduce the risk of corrupted data.

[root@bigboy tmp]# chkconfig --level 35 nfs on
[root@bigboy tmp]# chkconfig --level 35 nfslock on
[root@bigboy tmp]# chkconfig --level 35 portmap on

2) Use the init scripts in the /etc/init.d directory to start the nfs and portmap
daemons. The examples use the start option, but when needed, you can also
stop and restart the processes with the stop and restart options.

[root@bigboy tmp]# service portmap start
[root@bigboy tmp]# service nfs start
[root@bigboy tmp]# service nfslock start

Configuring NFS on The Client

NFS configuration on the client requires you to start the NFS
application; create a directory on which to mount the NFS server's
directories that you exported via the /etc/exports file, and finally to mount
the NFS server's directory on your local directory, or mount point. Here's
how to do it all.

Starting NFS on the Client

Three more steps easily configure NFS on the client.

1) Use the chkconfig command to configure the required nfs and RPC
rpcbind or portmap daemons to start at boot. Activate nfslock to lock the
files and reduce the risk of corrupted data.

[root@smallfry tmp]# chkconfig --level 35 netfs on
[root@smallfry tmp]# chkconfig --level 35 nfslock on
[root@smallfry tmp]# chkconfig --level 35 portmap on

2) Use the init scripts in the /etc/init.d directory to start the nfs and RPC
rpcbind or portmap daemons. As on the server, the examples use the start
option, but you can also stop and restart the processes with the stop and
restart options.

[root@smallfry tmp]# service portmap start
[root@smallfry tmp]# service netfs start
[root@smallfry tmp]# service nfslock start

Accessing NFS Server Directories from the Client

In most cases, users want their NFS directories to be permanently
mounted using the /etc/fstab file.

The /etc/fstab file lists all the partitions that need to be auto-mounted when
the system boots. Therefore, you need to edit the /etc/fstab file if you need
the NFS directory to be made permanently available to users on the NFS.

For the example, mount the /data/files directory on the server (IP address
192.168.1.100) as an NFS-type filesystem using the local /mnt/nfs mount
point directory.

#/etc/fstab
#Directory Mount Point Type Options Dump FSCK
192.168.1.100:/data/files /mnt/nfs nfs soft 0 0

Permanently Mounting the NFS Directory

You'll now create a mount point directory, /mnt/nfs, on which to
mount the remote NFS directory and then use the mount -a command to
activate the mount.

[root@smallfry tmp]# mkdir /mnt/nfs
[root@smallfry tmp]# mount -a

Each time your system boots, it reads the /etc/fstab file and executes the
mount -a command, thereby making this a permanent NFS mount.

Manually Mounting NFS File Systems

If you don't want a permanent NFS mount, then you can use the
mount command without the /etc/fstab entry to gain access only when
necessary. This is a manual process.

In this case, you're mounting the /data/files directory as an NFS-type
filesystem on the /mnt/nfs mount point. The NFS server is bigboy, whose IP
address is 192.168.1.100.

Notice how before mounting there were no files visible in the /mnt/nfs
directory; this changes after the mounting is complete:

[root@smallfry tmp]# mkdir /mnt/nfs
[root@smallfry tmp]# ls /mnt/nfs
[root@smallfry tmp]# mount -t nfs 192.168.1.100:/data/files /mnt/nfs
[root@smallfry tmp]# ls /mnt/nfs
ISO ISO-RedHat kickstart RedHat

Congratulations! You've made your first steps towards being an NFS
administrator.

Activating Modifications To The /etc/exports File

You can force your system to re-read the /etc/exports file by restarting
NFS. In a nonproduction environment, this may cause disruptions when an
exported directory suddenly disappears without prior notification to users.
Here are some methods you can use to update and activate the file with the
least amount of inconvenience to others.

New Exports File

When no directories have yet been exported to NFS, use the exportfs -a
command.

[root@bigboy tmp]# exportfs -a

Adding A Shared Directory To An Existing Exports File

When adding a shared directory, you can use the exportfs -r command to
export only the new entries.

[root@bigboy tmp]# exportfs -r

Deleting, Moving Or Modifying A Share

Removing an exported directory from the /etc/exports file requires work on
both the NFS client and server. The steps are:

1) Unmount the mount point directory on the NFS client using the umount
command. In this case, you're unmounting the /mnt/nfs mount point.

[root@smallfry tmp]# umount /mnt/nfs

Note: You may also need to edit the /etc/fstab file of any entries related to
the mount point if you want to make the change permanent even after
rebooting.

2) Comment out the corresponding entry in the NFS server's /etc/exports file
and reload the modified file.

[root@bigboy tmp]# exportfs -ua
[root@bigboy tmp]# exportfs -a

Troubleshooting NFS
A basic NFS configuration usually works without problems when the
client and server are on the same network. The most common problems are
caused by forgetting to start NFS, to edit the /etc/fstab file, or to export
the /etc/exports file. Another common cause of failure is the iptables firewall
daemon running on either the server or client without the administrator
realizing it.

As always, no troubleshooting plan would be complete without frequent
reference to the /var/log/messages file when searching for additional clues.
Table 29.2 shows some common NFS errors you'll encounter.

Table 29.2 Some Common NFS Error Messages

Error                         Description

Too many levels of remote     Attempting to mount a filesystem that has
in path                       already been mounted.

Permission denied             User is denied access. This could be the
                              client's root user who has unprivileged status
                              on the server due to the root_squash option.
                              Could also be because the user on the client
                              doesn't exist on the server.

No such host                  Typographical or DNS configuration error in
                              the name of the server.

No such file or directory     Typographical error in the name of the file or
                              directory: they don't exist.

NFS server is not responding  The server could be overloaded or down.

Stale file handle             A file that was previously accessed by the
                              client was deleted on the server before the
                              client closed it.

Fake hostname                 Forward and reverse DNS entries don't exist
                              for the NFS client.

The showmount Command

When run on the server, the showmount -a command lists all the
currently exported directories. It also shows a list of NFS clients accessing
the server; in this case one client has an IP address of 192.168.1.102.

[root@bigboy tmp]# showmount -a
All mount points on bigboy:
*:/home
192.168.1.102:*

The "df" Command

The df command lists the disk usage of a mounted filesystem. Run it
on the NFS client to verify that NFS mounting has occurred. In many cases,
the root_squash mount option will prevent the root user from doing this, so
it's best to try it as an unprivileged user.

[nfsuser@smallfry nfsuser]$ df -t nfs
Filesystem                   1K-blocks    Used Available Use% Mounted on
192.168.1.100:/home/nfsuser    1032056  346552    633068  36% /home/nfsuser

Ports of NFS services

The portmapper uses port 111 and nfsd uses 2049.

NFS Security: /etc/hosts.allow and /etc/hosts.deny

The /etc/hosts.allow and /etc/hosts.deny files are used to restrict
access to services provided by your server to hosts on your network or on
the Internet (if accessible). For example, you can use the hosts.allow file to
permit access by certain hosts to your FTP server. Entries in the hosts.deny
file would explicitly deny access to certain hosts. For NFS, you can provide
the same kind of security by controlling access to specific NFS daemons.

Portmapper Service

The first line of defense is to control access to the portmapper service.
The portmapper tells hosts where the NFS services can be found on the
system. Restricting access does not allow a remote host to even locate NFS.
For a strong level of security, you should deny access to all hosts except
those that are explicitly allowed. In the hosts.deny file, you would place the
following entry, denying access to all hosts by default. ALL is a special
keyword denoting all hosts.

portmap:ALL

In the hosts.allow file, you would then enter the hosts on your network, or
any others that you would want to permit access to your NFS server. Again,
you would specify the portmapper service, then list the IP addresses of the
hosts you are permitting access. You can list specific IP addresses or a
network range using a netmask. The following example allows access only
by hosts in the local network, 192.168.0.0, and to the host 10.0.0.43. You
can separate addresses with commas.

portmap: 192.168.0.0/255.255.255.0, 10.0.0.43

In addition, it is also advisable to add the same level of control for specific
NFS services. In the hosts.deny file, you would add entries for each service,
as shown here:

mountd:ALL
rquotad:ALL
statd:ALL
lockd:ALL

Then, in the hosts.allow file, you can add entries for each service:

mountd: 192.168.0.0/255.255.255.0, 10.0.0.43
rquotad: 192.168.0.0/255.255.255.0, 10.0.0.43
statd: 192.168.0.0/255.255.255.0, 10.0.0.43
lockd: 192.168.0.0/255.255.255.0, 10.0.0.43
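
Added example (not the handout's own material): a Python evaluator for a hosts.allow/hosts.deny pair in the form shown above. It applies the tcp_wrappers order (a hosts.allow match grants, then a hosts.deny match refuses, otherwise the connection is permitted) and lists daemons that appear in hosts.allow without any hosts.deny line, where the allow entry restricts nothing. The file contents are constructed; rquotad is deliberately left out of hosts.deny to show that case.

```python
import ipaddress

# Constructed hosts.deny / hosts.allow pair in the form used above. rquotad is
# deliberately missing from hosts.deny to show what that omission does.
HOSTS_DENY = """\
portmap:ALL
mountd:ALL
statd:ALL
lockd:ALL
"""

HOSTS_ALLOW = """\
portmap: 192.168.0.0/255.255.255.0, 10.0.0.43
mountd: 192.168.0.0/255.255.255.0, 10.0.0.43
rquotad: 192.168.0.0/255.255.255.0, 10.0.0.43
"""


def parse_wrappers(text):
    """Each line is 'daemon_list : client_list'; both lists are comma separated."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def _client_matches(pattern, ip):
    """ALL, a single address, net/mask (dotted mask or CIDR) or an 'n.n.n.' prefix."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ipaddress.ip_address(pattern) == ipaddress.ip_address(ip)


def _any_rule_matches(rules, daemon, ip):
    return any((daemon in daemons or "ALL" in daemons)
               and any(_client_matches(c, ip) for c in clients)
               for daemons, clients in rules)


def wrapped_access(allow_text, deny_text, daemon, ip):
    """tcp_wrappers order: a hosts.allow match grants, then a hosts.deny match
    refuses, and a daemon mentioned in neither file is permitted."""
    if _any_rule_matches(parse_wrappers(allow_text), daemon, ip):
        return True
    if _any_rule_matches(parse_wrappers(deny_text), daemon, ip):
        return False
    return True


def unguarded(allow_text, deny_text):
    """Daemons listed in hosts.allow with no hosts.deny line: that allow entry restricts nothing."""
    denied = {d for daemons, _ in parse_wrappers(deny_text) for d in daemons}
    if "ALL" in denied:
        return []
    return [d for daemons, _ in parse_wrappers(allow_text) for d in daemons
            if d not in denied]
```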

Netfilter Rules

You can further control access using Netfilter to check transmissions
from certain hosts on the ports used by NFS services. The portmapper uses
port 111 and nfsd uses 2049. Netfilter is helpful if you have a private
network that has an Internet connection, and you want to protect it from the
Internet. Usually a specific network device, such as an Ethernet card, is
dedicated to the Internet connection. The following examples assume that
device eth1 is connected to the Internet. Any packets attempting access on
ports 111 and 2049 are refused.

iptables -A INPUT -i eth1 -p tcp --dport 111 -j DROP
iptables -A INPUT -i eth1 -p udp --dport 111 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 2049 -j DROP
iptables -A INPUT -i eth1 -p udp --dport 2049 -j DROP

To enable NFS for your local network, you will have to allow packet
fragments. Assuming that eth0 is the device used for the local network, you
could use the following example:

iptables -A INPUT -i eth0 -f -j ACCEPT

Proxy Servers—Squid

Ref: http://www.visolve.com/squid/squid26/logs.php
Ref: http://www.linuxhomenetworking.com/

A proxy server operates as an agent between the Web browsers (clients)
and the servers they access. Technically, you could use a proxy server to
simply manage traffic between a Web server and the clients that want to
communicate with it, without doing caching at all.
Squid combines both capabilities as a proxy-caching server.

Package: squid
Service: squid
Configuration file: /etc/squid/squid.conf

The /etc/squid/squid.conf File

The main Squid configuration file is squid.conf, and, like most Linux
applications, Squid needs to be restarted for changes to the configuration file
to take effect.

The Visible Host Name

Squid will fail to start if you don't give your server a hostname. You can set this with the
visible_hostname parameter. Here, the hostname is set to the real name of the server, tipu.

visible_hostname tipu

Proxy Server Port

As a proxy, Squid will use certain ports for specific services, such as
port 3128 for HTTP services like Web browsers. Default port numbers are
already set for Squid. Should you need to use other ports, you can set them
in the /etc/squid/squid.conf file. The following entry shows how you
would set the Web browser port; here the default is commented out and the port is changed to 8080:

# http_port 3128

http_port 8080

Access Control Lists

You can limit users' ability to browse the Internet with access control
lists (ACLs). Each ACL line defines a particular type of activity, such as an
access time or source network; these are then linked to an http_access
statement that tells Squid whether to deny or allow traffic that
matches the ACL.

Restricting Web Access by Time

To restrict access to the Squid proxy via the time, use the format:

acl aclname time [day-abbrevs] [h1:m1-h2:m2]

day-abbrevs:
S - Sunday
M - Monday
T - Tuesday
W - Wednesday
H - Thursday
F - Friday
A - Saturday

This can be used, for instance, to restrict access to work hours (9am - 5pm,
Monday to Friday).

acl workdays time M T W H F 9:00-17:00
http_access allow workdays

A second example:

acl clients src 192.168.0.3
acl lunchtime time MTWHF 12:00-13:00
http_access allow clients lunchtime # two ACLs in a single http_access line
http_access deny clients

Detail:

You can create access control lists with time parameters. For example,
you can allow only business hour access from the home network, while
always restricting access to host 192.168.1.23.

#
# Add this to the bottom of the ACL section of squid.conf
# Recommended minimum configuration
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23

#
# Add this at the top of the http_access section of squid.conf
# Recommended minimum configuration
http_access deny RestrictedHost
http_access allow home_network business_hours

A second example

By defining ACLs and using them in Squid options, you can tailor your
Web site with the kind of security you want. The following example allows
access to the Web through the proxy by only the mylan group of local
systems, denying access to all others. Two acl entries are set up: one for
the local systems and one for all others. The http_access options first allow
access to the local systems and then deny access to all others.

# Add this to the bottom of the ACL section of squid.conf
# Recommended minimum configuration
acl mylan src 192.168.0.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0

# Add this at the top of the http_access section of squid.conf
# Recommended minimum configuration
http_access allow mylan
http_access deny all

Restricting Access to specific Web sites

Squid is also capable of reading files containing lists of web sites
and/or domains for use in ACLs. In this example we create two lists in files
named /usr/local/etc/allowed-sites.squid and
/usr/local/etc/restricted-sites.squid.

# We want to limit downloads of these types of files
# Put this all on one line
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov

# Create a file /usr/local/etc/allowed-sites.squid
www.openfree.org
linuxhomenetworking.com

# File: /usr/local/etc/restricted-sites.squid
www.porn.com
illegal.com

These can then be used to always block the restricted sites and permit the
allowed sites during working hours. This can be illustrated by expanding our
previous example slightly.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
#another example: repeated acl lines with the same name add to one list,
#and a quoted path reads one entry per line from that file
acl blocked_sites url_regex www.xxx.com
acl blocked_sites url_regex www.yyy.com
acl blocked_sites url_regex www.zzz.com
acl blocked_sites url_regex "/var/smoothwall/proxy/badsites.txt"

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny blocked_sites
http_access deny BadSites
http_access allow home_network business_hours GoodSites

A request that matches none of these lines (from outside the home network,
outside business hours, or to a site on neither list) gets the opposite of
the last line, so it is denied; ending the section with an explicit
http_access deny all makes that intent visible. Keep the deny lines before
the allow line: the first matching line wins, so a domain that ends up on
both lists is blocked only if the deny line comes first. Also note that
dstdomain matches the host name exactly: "illegal.com" does not match
www.illegal.com; write ".illegal.com" (leading dot) to cover the domain and
all its subdomains.

Allowing clients based on MAC address:

#vi /etc/squid/squid.conf

acl allowed_mac_address arp 02:00:4C:4F:4F:50

http_access allow allowed_mac_address

:wq

The MAC address is written with colons. The arp ACL type needs a Squid
built with --enable-arp-acl (older releases; Squid 3.2 and later include
it) and it only works for clients on the same Ethernet segment as the
proxy, because the MAC address of a host behind a router is not visible to
Squid. A MAC address is also trivial for a user to change, so treat this as
a convenience filter, not as authentication.



Transparent Proxy:

With a transparent (intercepting) proxy nothing is configured in the
browser: the gateway intercepts the clients' outgoing HTTP connections and
hands them to Squid, so users get Internet access through the proxy
without knowing it is there.

In an 'ordinary' proxy, the client specifies the hostname and port number
of the proxy in the Web browser's settings. The browser then sends its
Internet requests to the proxy. This is all fine and good, but sometimes
one of several situations arises. Either

• You want to force clients on your network to use the proxy, whether
they want to or not.
• You want clients to use a proxy, but don't want them to know they're
using a proxy.
• You want clients to use a proxy, but don't want to go to all the work
of updating the settings in hundreds or thousands of Web browsers.

This is where a transparent proxy comes in. A Web request is intercepted
by the proxy transparently: as far as the client software knows, it is
talking to the origin server (the Internet) itself.

#vi /etc/squid/squid.conf

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

Detail:
The four lines tell Squid to run as a transparent proxy. Below is a list of
what each individual line achieves:

httpd_accel_host virtual - This tells the accelerator to work for any URL
that it is given (the usual usage for the accelerator is to inform it which
host it must accelerate).

httpd_accel_port 80 - Tells the accelerator which port the intercepted
requests were originally for. The accelerator is a very powerful tool and
much of its usage is beyond the scope of this section; the only knowledge
required here is that this setting ensures that the transparent proxy
fetches the Web sites we wish to browse from the correct HTTP port, where
the standard is port 80.

httpd_accel_with_proxy on - By default, when Squid has its accelerator
options enabled it stops acting as an ordinary (caching) proxy. To keep
that function (which is obviously important, as the whole purpose behind
this configuration is a cache server) we turn the httpd_accel_with_proxy
option on.

httpd_accel_uses_host_header on - In a nutshell, with this option turned on
Squid uses the Host: header of the intercepted request to find out which
Web site you are requesting, since the intercepted connection itself only
carries the server's IP address.

Note that the httpd_accel_* directives belong to Squid 2.5 and earlier.
Squid 2.6 and 3.0 replaced them with a single option on the listening port
(http_port 3128 transparent), and Squid 3.1 and later use
http_port 3128 intercept; the iptables redirection described later is the
same in all cases.

Warning

proxy_auth (authentication-based proxy access) can't be used with a
transparent proxy. Browsers only send proxy credentials when they have been
configured to use a proxy, and the proxy's authentication challenge
collides with any authentication done by origin servers. It may seem to
work at first, but it doesn't.

Linux as Gateway Server

We can configure a Linux machine as a gateway server:

1) Configure the transparent proxy server as above.
2) Enable IP forwarding in /etc/sysctl.conf (net.ipv4.ip_forward = 1) and
apply it with the command #sysctl -p
3) Assign the Linux server's LAN IP as the default gateway on the client
machines.

Clients with private addresses also need their outgoing traffic
source-NATed on the Internet-facing interface (an iptables MASQUERADE rule
in the nat POSTROUTING chain); without it only the intercepted HTTP
traffic, which Squid sends from its own address, will reach the Internet.

Password Authentication Using NCSA

You can configure Squid to prompt users for a username and password. Squid
comes with a program called ncsa_auth that reads any NCSA-compliant
(htpasswd-style) password file of hashed passwords. You can use the
htpasswd program that comes installed with Apache to create your passwords.
Here is how it's done:

1) Create the password file. The name of the password file should be
/etc/squid/squid_passwd. It must be readable by the user Squid runs as
(squid on Red Hat) but should not be readable by everyone, because it holds
password hashes that can be cracked offline:

#touch /etc/squid/squid_passwd
# chown root:squid /etc/squid/squid_passwd
# chmod 640 /etc/squid/squid_passwd



2) Use the htpasswd program to add users to the password file. You can add
users at any time without having to restart Squid. In this case, you add a
username called javed (if you skipped the touch step, use htpasswd -c the
first time to create the file; -c overwrites an existing file):

#htpasswd /etc/squid/squid_passwd javed
New password:
Re-type new password:
Adding password for user javed
#

3) Find your ncsa_auth file using the locate command.

#locate ncsa_auth
/usr/lib/squid/ncsa_auth
#

(On 64-bit Red Hat builds the helpers live under /usr/lib64/squid, and
from Squid 3.2 on the program is called basic_ncsa_auth.)

4) Edit squid.conf; specifically, you need to define the authentication
program in squid.conf, which in this case is ncsa_auth. Next, create an ACL
named ncsa_users with the REQUIRED keyword that forces Squid to use the
NCSA auth_param method you defined previously. Finally, create an
http_access entry that allows traffic that matches the ncsa_users ACL
entry. Here's a simple user authentication example; the order of the
statements is important:

auth_param basic children 15 starts 15 authentication helper processes; if
16 users log in at the same time, the last user has to wait until one of
the helpers becomes available.

#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
auth_param basic children 15

#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users

Remember that Basic authentication sends the username and password to the
proxy merely base64-encoded, in every request, so anyone who can sniff the
LAN can read them; it keeps unauthorised users off the proxy but does not
protect the credentials themselves.

5) This variant requires password authentication and allows access only
during business hours. Once again, the order of the statements is
important:

#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED
acl business_hours time M T W H F 9:00-17:00

#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users business_hours

Remember to restart Squid (or run squid -k reconfigure) for the changes to
take effect.
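What ncsa_auth does for Squid is small enough to show in full. The following Python script is an added example, not part of these notes and not Squid's own helper: it speaks the Squid basic authentication helper protocol (one "username password" line per login attempt on stdin, one OK or ERR reply per line on stdout) and checks the pair against an htpasswd-style file holding {SHA} entries, the format htpasswd -s writes and ncsa_auth accepts. The password file contents are constructed, the script path in the auth_param line is an assumption, and so is the decoding of the two fields as URL-encoded (Squid 3.2 and later encode them that way).

```python
"""Added example, not from the course notes or from Squid: a minimal Squid
basic-auth helper that checks '{SHA}' htpasswd entries.  To use it, Squid
would be pointed at it instead of ncsa_auth (path is an assumption):
    auth_param basic program /usr/local/bin/squid_sha_auth.py /etc/squid/squid_passwd
"""
import base64
import hashlib
import hmac
import sys
from urllib.parse import unquote


def load_htpasswd(text):
    """'user:hash' lines -> {user: hash}; blank lines and comments are ignored."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users


def sha_entry(password):
    """Hash a password the way 'htpasswd -s' does: '{SHA}' + base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check(users, user, password):
    """Verdict for one credential pair: 'OK' or 'ERR' (the replies Squid expects)."""
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return "ERR"          # unknown user, or a hash format this helper does not handle
    # constant-time comparison so timing does not reveal how much of the hash matched
    return "OK" if hmac.compare_digest(stored, sha_entry(password)) else "ERR"


def handle_line(users, line):
    """Decode one request line as Squid sends it and produce the reply."""
    fields = line.rstrip("\r\n").split(" ", 1)
    if len(fields) != 2:
        return "ERR"
    # Squid 3.2+ URL-encodes both fields (so a password may contain spaces); assumed here
    return check(users, unquote(fields[0]), unquote(fields[1]))


# Constructed password file: user 'javed' with password 'correct horse', plus
# a comment and an entry in a format this helper deliberately rejects.
SAMPLE_FILE = "\n".join([
    "# squid_passwd",
    "javed:" + sha_entry("correct horse"),
    "bob:$apr1$saltsalt$notahashthishelperaccepts",
    "",
])


def main():
    with open(sys.argv[1]) as f:
        users = load_htpasswd(f.read())
    for line in sys.stdin:            # Squid keeps the helper running and writes one line per attempt
        sys.stdout.write(handle_line(users, line) + "\n")
        sys.stdout.flush()            # Squid waits for each reply; never leave it buffered


if __name__ == "__main__":
    main()
```

Two things the script makes visible: Squid reuses one helper process for many users and blocks until each reply arrives, so the flush after every line is essential; and the {SHA} format is an unsalted SHA-1, chosen here because it is easy to reproduce, so a leaked file is cheap to crack. htpasswd's default MD5-based ($apr1$) or crypt formats are salted and the better choice for a real squid_passwd, which is one more reason to keep the file readable by the squid user only.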

Starting Squid

To start Squid, you'll need to run the following commands (paths as for a
Squid built from source under /usr/local/squid; the Red Hat package installs
an init script instead, so there you use service squid start):

/usr/local/squid/bin/squid -z
/usr/local/squid/bin/squid

The first command creates the cache directories and the second starts the
daemon. The first command only needs to be run the first time the proxy is
used (or again after a new cache_dir is added).

CACHE DIRECTORIES

TAG NAME cache_dir

Description This is used to define a cache directory: its path, type and size

Build Option Default

Usage cache_dir Type Directory-Name FS-specific-data [options]
Default cache_dir ufs /usr/local/squid/var/cache 100 16 256

Detail
Type specifies the kind of storage system to use. Only "ufs" is built by
default. To enable any of the other storage systems see the
--enable-storeio configure option.

Type is one of the following:

1. ufs is the old well-known Squid storage format that has always
been there.
2. aufs uses the same storage format as ufs, utilizing POSIX threads
to avoid blocking the main Squid process on disk I/O. This was
formerly known in Squid as async-io (asynchronous I/O, or non-blocking
I/O, is a form of input/output processing that permits other processing
to continue before the transfer has finished).
3. diskd uses the same storage format as ufs, utilizing a separate
process to avoid blocking the main Squid process on disk I/O.

Type   Usage
ufs    cache_dir ufs Directory-Name Mbytes L1 L2 [options]
aufs   cache_dir aufs Directory-Name Mbytes L1 L2 [options]
diskd  cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]

Directory-Name is the top-level directory where cache swap files will be
stored. If you want to use an entire disk for caching, this can be the
mount-point directory. The directory must exist and be writable by the
Squid process. Squid will NOT create this directory for you.

Mbytes is the amount of disk space (in MB) to use under this directory. The
default is 100 MB. Change this to suit your configuration.

Level1 (L1) is the number of first-level subdirectories which will be
created under the directory. The default is 16.

Level2 (L2) is the number of second-level subdirectories which will be
created under each first-level directory. The default is 256.

Q1 (diskd only) is the number of unacknowledged I/O requests at which Squid
stops opening new files. If this many messages are in the queues, Squid
won't open new files. Default is 64.

Q2 (diskd only) is the number of unacknowledged messages at which Squid
starts blocking. If this many messages are in the queues, Squid blocks
until it receives some replies. Default is 72.

Options:
read-only Make the cache directory read-only.
max-size=n The maximum object size this store directory supports. It is
used to initially choose the store directory in which to dump the object.

Example
cache_dir ufs /cache1 5000 16 256
cache_dir ufs /cache2 7000 16 256

Note
You can specify multiple cache_dir lines to spread the cache among
different disk partitions.

Tag Name cache_access_log

Usage cache_access_log Directory-path/filename
Description
This tag is used to specify the path of the access.log file, which logs the
client request activity. It contains an entry for every HTTP and ICP query
received. Log details can be customized using log_mime_hdrs, log_fqdn,
client_netmask and emulate_httpd_log. See the Squid documentation for
detailed information about this log file. See also log_icp_queries.
(Squid 2.6 and later call this directive access_log.)

Default cache_access_log /usr/local/squid/logs/access.log

Example

cache_access_log /var/log/squid_access.log

Configure Outlook behind the Squid server

Normally Squid has no involvement in the Outlook configuration, because
Squid only works as an HTTP proxy; it does not carry SMTP or POP3, so a
mail client behind the gateway needs those ports forwarded by the router's
firewall rules instead.

Open the ports (these FORWARD rules matter when the chain's policy is DROP;
add -i with the LAN interface if they should only apply to connections
coming from inside):

#iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -m state --state NEW -p tcp --dport 25 -j ACCEPT
#iptables -A FORWARD -m state --state NEW -p tcp --dport 110 -j ACCEPT

If SSL/TLS is enabled in Outlook (POP3 over SSL on port 995, message
submission on port 587):

#iptables -A FORWARD -m state --state NEW -p tcp --dport 995 -j ACCEPT
#iptables -A FORWARD -m state --state NEW -p tcp --dport 587 -j ACCEPT

Also enable IP forwarding through the file /etc/sysctl.conf and run the
sysctl -p command.

Transparent proxy (2nd Detail)

My Setup:

i) System: HP dual Xeon CPU system with 8 GB RAM (good for Squid).
ii) Eth0: IP 192.168.1.1
iii) Eth1: IP 192.168.2.1 (192.168.2.0/24 network, around 150 Windows XP
systems)
iv) OS: Red Hat Enterprise Linux 4.0 (the following instructions should
work with Debian and all other Linux distros)

Eth0 is connected to the Internet and eth1 to the local LAN, i.e. the
system acts as a router.

Server Configuration

• Step #1: Squid configuration so that it will act as a transparent proxy
• Step #2: iptables configuration
  o a) Configure the system as a router
  o b) Forward all HTTP requests to port 3128 (DNAT)
• Step #3: Run the scripts and start the Squid service

First, install Squid (use up2date squid) and configure it by adding the
following directives to the file:
# vi /etc/squid/squid.conf

Modify or add the following Squid directives:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan

Where,

• httpd_accel_host virtual: Squid acts as an httpd accelerator for any host
• httpd_accel_port 80: 80 is the port the intercepted requests were for
• httpd_accel_with_proxy on: Squid acts as both a local httpd accelerator
and as a proxy
• httpd_accel_uses_host_header on: take the hostname from the Host: header,
since an intercepted connection only carries the destination IP
• acl lan src 192.168.1.1 192.168.2.0/24: access control list matching the
LAN computers (and the gateway's own address)
• http_access allow localhost: allow requests from the proxy host itself
• http_access allow lan: allow requests matching the lan ACL; everything
else is denied, the opposite of the last line

Iptables configuration

Next, add the following rule so that HTTP requests from the LAN (arriving
on eth1 for port 80) are sent to the Squid server port 3128:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

The first line is the one that matters for the LAN clients. The second,
which the source these notes were adapted from also lists, redirects
port-80 connections arriving on the Internet-facing eth0 into Squid as
well; it is not needed for the LAN and makes the proxy reachable from
outside, so leave it out unless that is intended. Squid must be listening
on the address the packets are sent to (192.168.1.1:3128 here; the default
http_port 3128, bound to all addresses, covers it).

Start or restart Squid:

# /etc/init.d/squid restart
# chkconfig squid on

Desktop / Client computer configuration

Point all desktop clients to your eth1 IP address (192.168.2.1) as
router/gateway (use DHCP to distribute this information). You do not have
to set up individual browsers to work with proxies.

How do I test that my Squid proxy is working correctly?

See the access log file /var/log/squid/access.log:

# tail -f /var/log/squid/access.log

Delay Pools

Another useful Squid feature is delay pools. Conceptually, delay pools are
bandwidth limitations: "pools" of bandwidth that drain out as people browse
the Web, and fill up at a rate you specify. This can be thought of as a
leaky bucket that is continually being filled.

Terms used with delay pools

Pool:
A collection of bucket groups as appropriate to a given class.

Bucket group:
A group of buckets within a pool, such as the per-host bucket group, the
per-network bucket group or the aggregate bucket group (the aggregate
bucket group is actually a single bucket).

Bucket:
An individual delay bucket represents a traffic allocation, which is
replenished at a given rate (up to a given limit) and causes traffic to be
delayed when empty.

Classes:
There are 3 classes of delay pools. Class 1 is a single aggregate bucket;
class 2 is an aggregate bucket with an individual bucket for each host in a
class C (/24) network; class 3 is an aggregate bucket, with a network
bucket for each /24 inside a class B (/16) network and an individual bucket
for each host.

Class:
The class of a delay pool determines how the delay is applied, i.e. whether
the different client IPs are treated separately or as a group (or both).

class 1:
A class 1 delay pool contains a single unified bucket, which is used for
all requests from hosts subject to the pool.

class 2:
A class 2 delay pool contains one unified bucket and one bucket for each
host on an 8-bit (/24) network.

class 3:
A class 3 delay pool contains one unified bucket, one bucket for each /24
subnet in a 16-bit (/16, IPv4 class B) network, and individual buckets for
every host on those networks.
How can I limit Squid's total bandwidth to, say, 512 Kbps?

acl all src 0.0.0.0/0.0.0.0 # might already be defined
delay_pools 1
delay_class 1 1
delay_access 1 allow all
delay_parameters 1 64000/64000 # 512 kbits == 64 kbytes per second

For an explanation of these tags please see the configuration file.

The 1 second buffer (max = restore = 64 kbytes/sec) is because a limit is
requested, and no responsiveness to a burst is requested. If you want it to
be able to respond to a burst, increase the aggregate maximum to a larger
value, and traffic bursts will be handled. It is recommended that the
maximum is at least twice the restore value: if there is only a single
object being downloaded, sometimes the download rate will fall below the
requested throughput because the bucket is not empty when it comes to be
replenished (the refill is capped at the maximum, so the unused part is
lost).

How do I limit a single connection to 128 Kbps?

You cannot limit a single HTTP request's connection speed. You can limit
individual hosts to some bandwidth rate. To limit a specific host, define
an acl for that host and use the example above. To limit a group of hosts,
you must use a delay pool of class 2 or 3. For example:

acl only128kusers src 192.168.1.0/255.255.192.0
acl all src 0.0.0.0/0.0.0.0
delay_pools 1
delay_class 1 3
delay_access 1 allow only128kusers
delay_access 1 deny all
delay_parameters 1 64000/64000 -1/-1 16000/64000

Here the aggregate is capped at 64 kbytes/sec, the network buckets are
unlimited (-1) and each host gets 16 kbytes/sec (128 Kbps) with a 64 kbyte
burst allowance.

To enable this feature, configure Squid with the --enable-delay-pools
option (the three pool classes are described above).

To configure the number of delay pools, and specify which pool is which
class, use the following format:

delay_pools 2 # 2 delay pools
delay_class 1 2 # pool 1 is a class 2 pool
delay_class 2 3 # pool 2 is a class 3 pool

To specify which pool a client falls into, create ACLs which specify the IP
ranges for each pool, and use the following:
delay_access 1 allow pool_1_acl
delay_access 1 deny all
delay_access 2 allow pool_2_acl
delay_access 2 deny all
Setting the parameters for each pool is done by:
delay_parameters pool aggregate network individual

where "aggregate" is the parameter for the aggregate bucket, "network" for
the network bucket, and "individual" for the individual bucket. Aggregate is
used by classes 1, 2 and 3, network by class 3 only, and individual by
classes 2 and 3 (a class 2 line therefore carries two parameters, aggregate
and individual, and a class 3 line three).

Each of these parameters is specified as restore/maximum: restore being the
bytes per second restored to the bucket, and maximum being the amount of
bytes that can be in the bucket at any time. It is important to remember
that they are in bytes per second, not bits. To specify that a parameter is
unlimited, use -1.

If you wish to limit any parameter in bits per second, divide this amount by
8, and use the value for both the restore and the maximum. For example, to
restrict the entire proxy to 64 kbps, use:

delay_parameters 1 8000/8000

It is also possible to specify how full the buckets start:

delay_initial_bucket_level 50

where the value is a percentage of the maximum (the default is 50).
Another example

acl tech src 192.168.0.1-192.168.0.20/32
acl no_hotmail url_regex -i hotmail
acl all src 0.0.0.0/0

delay_pools 1 #Number of delay pools: 1
delay_class 1 1 #pool 1 is a class 1 pool
delay_parameters 1 100/100 #100 bytes per second, a crawl
delay_access 1 allow no_hotmail !tech # both acls must match: hotmail URLs from hosts outside tech

Squid writes an address range as address1-address2/mask, with one mask for
the whole range. The pool only applies to requests that match every acl on
the delay_access line, so the tech hosts keep full speed while everyone
else's Hotmail traffic shares 100 bytes per second.
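To see what the restore/maximum numbers in this section actually do, the following Python script is an added example (not from these notes, and not Squid's implementation): it simulates delay buckets second by second, creates the aggregate, network and individual buckets a class 1, 2 or 3 pool would use, and runs the two configurations from above, the 64000/64000 class 1 pool and the class 3 pool with 16000/64000 per host. A host can only receive bytes that are available in every bucket it falls under, -1 means unlimited, and buckets start at the delay_initial_bucket_level percentage (50 here). Hosts are served in a fixed order once per second, which simplifies Squid's per-read metering; the demands are constructed.

```python
"""Added example, not from the course notes or Squid: a second-by-second
simulation of delay-pool buckets (restore bytes/sec, maximum bytes, -1 for
unlimited) to make the arithmetic of delay_parameters concrete."""
UNLIMITED = -1


class Bucket:
    """One delay bucket: refilled by 'restore' bytes per second, capped at 'maximum'."""

    def __init__(self, restore, maximum, initial_percent=50):
        self.restore, self.maximum = restore, maximum
        # delay_initial_bucket_level: buckets start partly full (Squid default 50%)
        self.level = 0 if maximum == UNLIMITED else maximum * initial_percent // 100

    def refill(self):
        if self.restore != UNLIMITED:
            self.level = min(self.maximum, self.level + self.restore)  # surplus is lost

    def available(self):
        return float("inf") if self.restore == UNLIMITED else self.level

    def take(self, n):
        if self.restore != UNLIMITED:
            self.level -= n


class DelayPool:
    """aggregate / network / individual are (restore, maximum) pairs as on a
    delay_parameters line; class 1 has only aggregate, class 2 adds individual,
    class 3 adds network (one bucket per /24) and individual."""

    def __init__(self, aggregate, network=None, individual=None, initial_percent=50):
        self.aggregate = Bucket(*aggregate, initial_percent)
        self.specs = {"network": network, "individual": individual}
        self.initial = initial_percent
        self.buckets = {"network": {}, "individual": {}}

    def _get(self, group, key):
        spec = self.specs[group]
        if spec is None:
            return None
        if key not in self.buckets[group]:
            self.buckets[group][key] = Bucket(*spec, self.initial)
        return self.buckets[group][key]

    def buckets_for(self, host):
        network = host.rsplit(".", 1)[0]      # the host's /24
        return [b for b in (self.aggregate, self._get("network", network),
                            self._get("individual", host)) if b is not None]

    def tick(self, demands):
        """One second: refill every bucket, then serve each host's demand in order."""
        for host in demands:
            self.buckets_for(host)           # make sure first-time hosts have buckets
        for b in [self.aggregate, *self.buckets["network"].values(),
                  *self.buckets["individual"].values()]:
            b.refill()
        served = {}
        for host, wanted in demands.items():
            buckets = self.buckets_for(host)
            got = int(min(wanted, *(b.available() for b in buckets)))
            for b in buckets:
                b.take(got)
            served[host] = got
        return served


def run_examples():
    out = {}
    # "limit Squid's total bandwidth to 512 Kbps": class 1, 64000/64000, one greedy host
    pool = DelayPool((64000, 64000))
    out["class 1, bytes over 10 s"] = sum(pool.tick({"192.168.1.10": 100000})["192.168.1.10"]
                                          for _ in range(10))
    # same restore with the maximum doubled: a 120000-byte burst fits in the first second
    pool = DelayPool((64000, 128000))
    out["class 1 burst, per second"] = [pool.tick({"192.168.1.10": 120000})["192.168.1.10"]
                                        for _ in range(3)]
    # the class 3 example above: 64000/64000 -1/-1 16000/64000
    pool = DelayPool((64000, 64000), (UNLIMITED, UNLIMITED), (16000, 64000))
    out["class 3, one host per second"] = [pool.tick({"192.168.1.10": 100000})["192.168.1.10"]
                                           for _ in range(3)]
    pool = DelayPool((64000, 64000), (UNLIMITED, UNLIMITED), (16000, 64000))
    five = {f"192.168.1.{i}": 20000 for i in range(1, 6)}
    out["class 3, five hosts, first second"] = list(pool.tick(five).values())
    return out


if __name__ == "__main__":
    for case, result in run_examples().items():
        print(f"{case}: {result}")
```

The output shows the three effects the text describes: a 64000/64000 pool delivers exactly 640000 bytes in ten seconds no matter how hard a client pulls; doubling the maximum lets the first second carry 120000 bytes before the rate settles back to 64000; and in the class 3 pool a single host drops to 16000 bytes per second once its 64000-byte allowance is spent, while five hosts asking for 20000 each run into the 64000 aggregate, so the last ones get little or nothing in that second. Squid spreads the aggregate more evenly than this fixed serving order, but the totals are the same.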

Monitor site access through Squid

To see how the Squid daemon is working, why not view the access.log file in
real time? Try this:

[root@linuxbox root]# tail -f /var/log/squid/access.log

Check the Squid configuration file for errors

#squid -k parse

(squid -k check only tests whether a Squid process is running; -k parse
reads squid.conf and reports syntax errors without starting the daemon.)

Linux Mail Server



Package: sendmail, sendmail-cf, m4
Service: sendmail
Configuration file: /etc/mail/sendmail.mc

How to Restart Sendmail after Editing Your Configuration Files

In this chapter, you'll see that sendmail uses a variety of configuration
files that require different treatments for their commands to take effect.
This little script encapsulates all the required post-configuration steps.

#!/bin/bash
cd /etc/mail
make
newaliases
/etc/init.d/sendmail restart

Use this command to make the script executable:

chmod 700 filename

It first runs the make command, which creates a new sendmail.cf file from
the sendmail.mc file and compiles the supporting configuration files
(access, virtusertable and so on, into their .db forms) in the /etc/mail
directory according to the instructions in /etc/mail/Makefile. It then
generates new e-mail aliases with the newaliases command, and finally
restarts the sendmail service.

How to Put Comments in sendmail.mc

In most Linux configuration files a # symbol at the beginning of a line
turns it into a comment line or deactivates any commands that reside on
that line. In the sendmail.mc file we use "dnl" (the m4 "delete to new
line" macro) as the comment syntax. Examples below:

• These statements are disabled by dnl commenting.

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

• This statement is incorrectly disabled: m4 still expands the macro on
the line, so the option remains in force.

# DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

• This statement is active:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

How to Configure Linux Sendmail Clients

All Linux mail clients in your home or company need to know which server is
the mail server. This is configured in the sendmail.mc file by setting the
SMART_HOST statement to the mail server. In the example below, the mail
server has been set to mail.my-site.com, the mail server for the
my-site.com domain.

define(`SMART_HOST',`mail.my-site.com')

Once this is done, you need to process the sendmail.mc file and restart
sendmail. To do this, run the restart script from earlier. The client must
also be able to resolve the name mail.my-site.com, through DNS or, if the
mail server is a Linux box on the LAN, through a correctly configured
/etc/hosts file.

Converting From a Mail Client to a Mail Server

All Linux systems have a virtual loopback interface that lives only in
memory with an IP address of 127.0.0.1. As mail must be sent to a target IP
address even when there is no NIC in the box, sendmail uses the loopback
address to send mail between users on the same Linux server. To become a
mail server, and not a mail client, sendmail needs to be configured to
listen for messages on the NIC interfaces as well.

1) Determine which NICs sendmail is running on. You can see the interfaces
on which sendmail is listening with the netstat command. Because sendmail
listens on TCP port 25, you use netstat and grep for :25 to see a default
configuration listening only on IP address 127.0.0.1 (loopback):

[root@bigboy tmp]# netstat -an | grep :25
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
[root@bigboy tmp]#

2) Edit sendmail.mc to make sendmail listen on all interfaces. If sendmail
is listening on the loopback interface only, you should comment out the
DAEMON_OPTIONS line in the /etc/mail/sendmail.mc file with a dnl statement.
It is also good practice to take precautions against spam by not accepting
mail from domains that don't exist, by commenting out the
accept_unresolvable_domains feature too. See the fourth and the next to
last lines in the example.

dnl
dnl This changes sendmail to only listen on the loopback
dnl device 127.0.0.1 and not on any other network
dnl devices. Comment this out if you want
dnl to accept email over the network.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl
...
...
...
dnl
dnl We strongly recommend to comment this one out if you want
dnl to protect yourself from spam. However, the laptop and
dnl users on computers that do
dnl not have 24x7 DNS do need this.
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
dnl

3) Comment out the SMART_HOST entry in sendmail.mc. The mail server doesn't
need a SMART_HOST entry in its sendmail.mc file. Comment this out with a dnl
at the beginning.

dnl define(`SMART_HOST',`mail.my-site.com')

4) Regenerate the sendmail.cf file, and restart sendmail. Again, you can do
this with the restart script from the beginning of the chapter.

5) Make sure sendmail is listening on all interfaces (0.0.0.0).

[root@bigboy tmp]# netstat -an | grep :25 | grep tcp
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
[root@bigboy tmp]#

Once sendmail listens on every interface, anyone who can reach port 25 can
talk to it, so the relay restrictions in /etc/mail/access (next section)
are what keep it from becoming an open relay.



Relay the domains
The /etc/mail/access File
You can make sure that only trusted PCs on your network have the ability to
relay mail via your mail server by using the /etc/mail/access file. That is
to say, the mail server will relay mail only for those PCs on your network
that have their e-mail clients configured to use the mail server as their
outgoing SMTP mail server.

localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
192.168.1.16 RELAY
192.168.1.17 RELAY
192.168.2 RELAY
my-site.com RELAY
jd.com RELAY
mail.jd.com RELAY

An IP entry matches the connecting client's address (192.168.2 covers the
whole 192.168.2.0/24 network). A domain entry allows relaying of mail
addressed to that domain and also matches on the connecting host's resolved
name, which depends on DNS you do not control, so prefer IP entries for
your own clients. After editing the file, rebuild access.db with the restart
script (its make step does this); sendmail does not read the text file
directly.

Add Domains for Email services

The /etc/mail/local-host-names File
When sendmail receives mail, it needs a way of determining whether it is
responsible for the mail it receives. It uses the /etc/mail/local-host-names
file to do this. This file has a list of hostnames and domains for which
sendmail accepts responsibility. For example, if this mail server were to
accept mail for the domains my-site.com, asiancitizen.org and jd.com, the
file would look like this:

my-site.com
asiancitizen.org
jd.com

Which User Should Really Receive The Mail?

After checking the contents of the virtusertable, sendmail checks the
aliases file to determine the ultimate recipient of mail.

The /etc/mail/virtusertable file
The /etc/mail/virtusertable file contains a set of simple instructions on
what to do with received mail. The first column lists the target email
address and the second column lists the local user's mailbox, a remote
email address, or a mailing list entry in the /etc/aliases file to which
the email should be forwarded.

If there is no match in the virtusertable file, sendmail checks for the
full email address in the /etc/aliases file.

[email protected] webmasters
@asiancitizen.org javed
sales@my-site.com sales@jd.com
info@my-site.com dogar
finance@my-site.com dogar
@my-site.com error:nouser User unknown

In this example, mail sent to:

• [email protected] will go to local user (or mailing list) webmasters
• all other mail to asiancitizen.org will go to local user javed
• sales at my-site.com will go to the sales department at jd.com
• info and finance at my-site.com go to local user (or mailing list) dogar
• all other users at my-site.com receive a bounce message stating "User
unknown"

An exact user@domain entry is tried before the @domain catch-all, so the
order of the lines in the file does not matter; a catch-all line is what
you need if addresses that are not listed should be rejected rather than
delivered to system accounts of the same name (root@my-site.com, for
instance).

After editing the /etc/mail/virtusertable file, you have to convert it into
a sendmail-readable database file named /etc/mail/virtusertable.db. Either
run the restart script, or execute these two commands:

[root@bigboy tmp]# cd /etc/mail
[root@bigboy mail]# make
VNC Server

VNC, or Virtual Network Computing, is a way of controlling a remote computer
just as though you were sitting in front of it. It fills the same role as
Remote Desktop in the Windows world (which uses a different protocol, RDP),
but it's normally referred to as VNC in the Linux world. All that happens is
that you connect using a VNC client to a remote computer running the VNC
server; an image of the remote desktop is transmitted to your local
computer and you can see and control the desktop just as though you were
there, since all keyboard and mouse commands are sent from your client
machine to the server. Note that VNC carries the screen, the keystrokes and
the password exchange without encryption, so on anything but a trusted LAN
it should be tunnelled over SSH (see the -localhost and -via notes in the
vncservers file below).

vncserver and vncviewer

Check what's installed

First check if you already have them installed on your system; open a
terminal and type:

$ rpm -qa|grep vnc
vnc-server-4.1.1-36
vnc-4.1.1-36

If you get output something like this then you're all ready; if not, you
need to install them.

Add a user(s)
Next we need to add at least 1 VNC user. Open the file
/etc/sysconfig/vncservers as root and add the information shown:
$ vi /etc/sysconfig/vncservers

# The VNCSERVERS variable is a list of display:user pairs.
#
# Uncomment the lines below to start a VNC server on display :2
# as my 'myusername' (adjust this to your own). You will also
# need to set a VNC password; run 'man vncpasswd' to see how
# to do that.
#
# DO NOT RUN THIS SERVICE if your local area network is
# untrusted! For a secure way of using VNC, see
# <URL:http://www.uk.research.att.com/archive/vnc/sshvnc.html>.

# Use "-nolisten tcp" to prevent X connections to your VNC server via
# TCP.

# Use "-nohttpd" to prevent web-based VNC clients connecting.

# Use "-localhost" to prevent remote VNC clients connecting except when
# doing so through a secure tunnel. See the "-via" option in the
# `man vncviewer' manual page.

VNCSERVERS="1:bobpeers"
VNCSERVERARGS[1]="-geometry 1024x768 -depth 16"



Setting a password

To add some security we need to set a password that must be given before a
connection can be established. As the user who will own the session, open a
terminal and type:

$ vncpasswd
Password:
Verify:

This creates a hidden folder called .vnc in your home folder containing the
password file. The file stores the password only lightly obfuscated (VNC's
fixed-key DES scrambling, not real encryption), and the VNC challenge-
response uses just the first 8 characters of the password, so keep the file
private to the user and do not rely on the password alone over an untrusted
network.

Create the .vnc directory in the user's home directory

If the .vnc directory was not created in the user's home folder, run
vncserver once as that user (for example as user haseeb); it creates the
directory and a default xstartup:

$ vncserver

Starting the server and startup options

To start the server we type the command 'vncserver' and the display you
wish to start (if you have set up more than one entry in the
/etc/sysconfig/vncservers file):

$ vncserver :1
Starting VNC server: 1:bobpeers
New 'linux.bobpeers:1 (bobpeers)' desktop is linux.bobpeers:1

Starting applications specified in /home/bobuser/.vnc/xstartup
Log file is /home/bobuser/.vnc/linux.bobpeers:1.log

[ OK ]

Now the server is started and a user could connect; however, they will get
a plain grey desktop by default, as the connection will not cause a new
session of X to start by default. To fix this we need to edit the startup
script in the .vnc folder in your home directory.

$ vi ~/.vnc/xstartup

#!/bin/sh

# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &

As the file says, make sure the two lines at the top are uncommented by
removing the leading # sign. Next we need to restart vncserver to pick up
the changes we just made. To restart the vncserver we kill the process and
start a new one, as the user who owns the session:

$ vncserver -kill :1
Killing Xvnc process ID 13728
$ vncserver :1
Starting VNC server: 1:bobpeers
New 'linux.bobpeers:1 (bobpeers)' desktop is linux.bobpeers:1

Starting applications specified in /home/bobuser/.vnc/xstartup
Log file is /home/bobuser/.vnc/linux.bobpeers:1.log

[ OK ]

Using vncviewer

To start the viewer type:

$ vncviewer localhost:5901

This opens a dialog for us to enter the password we set earlier; enter the
password and you should now see a copy of your desktop. Note that unlike
the Gnome Remote Desktop this has started a new session of X, so any
applications open on the host machine are not visible to the new session;
it's basically a whole new logon running at the same time.

If you just type 'vncviewer' at the prompt then you will be asked for the
host to connect to, and you can type localhost:5901, for example. Remember
to use the correct port number when connecting: the TCP port is 5900 plus
the display number, so if you set your VNCSERVERS to be 2000:myname you
would need to connect on localhost:7900. (Viewers also accept the display
form, host:1, and add the 5900 themselves.)

Stopping the vncserver

There are two ways to stop the server, either as root:

# /sbin/service vncserver stop
Shutting down VNC server: 1:bobpeers [ OK ]

or you can explicitly kill a particular session without being root:

$ vncserver -kill :1
Killing Xvnc process ID 13728

Just replace the 1 with the VNC session you wish to stop.

Access from a Windows platform

Connect with a VNC viewer to the server address and display number, for
example 172.16.160.199:2 (2 is the display number of the second user
defined in the /etc/sysconfig/vncservers file). The viewer turns display :2
into TCP port 5902.
