7-Configure CentOS 8 Primary Server

The document provides instructions for configuring a Linux server, including setting the time zone, date and time, network interfaces, SSH password authentication, file transfers using SCP and SFTP, setting the hostname, and using the package manager. Key steps include editing configuration files, restarting services, and executing commands as demonstrated in the code blocks.

Note:

• During the whole configuration process you must be logged in as root.
• Linux configuration is unforgiving: follow the steps in order and do not skip any of them.
• Configuration syntax is sensitive to every character (spaces, punctuation, line breaks), so type each command and file exactly as shown.
• If you are unsure what a command does, read its manual page: man command_name; EX: man rm
• This academic tutorial is for demonstration only. Simple passwords are acceptable here; in real deployments use strong, unique passwords.
• You can skip the yellow highlighted parts.

Configure Time Zone


The first thing that we need to do after installing server OS is to configure time zone.

♦ List all available time zones in CentOS; press q to exit.


[root@primary ~] # timedatectl list-timezones

♦ Set time zone to Asia/Phnom_Penh


[root@primary ~] # timedatectl set-timezone Asia/Phnom_Penh

♦ View the current time zone and make sure that Asia/Phnom_Penh is there (/etc/localtime is a symbolic link into /usr/share/zoneinfo, so the link target shows the zone)
[root@primary ~] # ls -l /etc/localtime

♦ To shut down the OS


[root@primary ~] # init 0

♦ To restart the OS
[root@primary ~] # init 6

or
[root@primary ~] # reboot

Configure Date and Time


After configuring the time zone, set the correct date and time. Setting the clock by hand is acceptable for this lab; on a real server keep it synchronised with NTP (CentOS 8 ships chronyd for this), because log correlation, certificate validation and Kerberos all depend on accurate time.

♦ Set the correct date and time on the server


[root@primary ~] # date --set "2021-10-25 13:45:30.999"

♦ To view current date and time


[root@primary ~] # date

Configure Network Interface Cards


In this case there are 2 network interface cards:
• ens160 is used for providing services to internal clients.
• ens192 is used for accessing the Internet.
The numbers 160 and 192 may differ from one machine to another; use the names that nmcli reports below.

♦ Check the device number and state


[root@primary ~] # nmcli device

♦ Edit the Service network interface card configuration


[root@primary ~] # vi /etc/sysconfig/network-scripts/ifcfg-ens160
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=no
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_FAILURE_FATAL=no
NAME=Service
UUID=(do not change it)
DEVICE=ens160
ONBOOT=yes
IPADDR=192.168.11.10
PREFIX=24
DNS1=192.168.11.10
DOMAIN=vanndy.edu
IPV6_DISABLED=yes

♦ Edit the Internet network card configuration


[root@primary ~] # vi /etc/sysconfig/network-scripts/ifcfg-ens192
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_FAILURE_FATAL=no
NAME=Internet
UUID=(do not change it)
DEVICE=ens192
ONBOOT=yes
IPADDR=192.168.88.10
PREFIX=24
GATEWAY=192.168.88.2
DNS1=192.168.88.2
IPV6_DISABLED=yes

♦ Restart NetworkManager so that it re-reads the edited ifcfg files (CentOS 8 has no separate network service)


[root@primary ~] # systemctl restart NetworkManager

♦ Show the devices information


[root@primary ~] # nmcli device show ens160
[root@primary ~] # nmcli device show ens192

♦ Test reachability by pinging google.com and make sure the name resolves and replies arrive; -c10 stops after 10 packets, or press Ctrl + c to stop earlier.
[root@primary ~] # ping google.com -c10

Configure SSH Password Authentication


The SSH service allows clients to log in to the server remotely. It can authenticate clients using a variety of
methods. SSH password authentication allows remote login to the SSH server with a username and password.

♦ Edit SSH configuration file


[root@primary ~] # vi /etc/ssh/sshd_config

Note: to jump to a line in vi, type the line number followed by G (or gg in vim), or :43 and Enter. Line numbers differ between OpenSSH versions, so search for the keyword (/PermitRootLogin) rather than trusting the number. Only # starts a comment in sshd_config, and sshd uses the first active occurrence of a keyword, so make sure no earlier line sets it differently.


♣ Line 43: make sure it is uncommented (remove the leading #) and change it to yes
PermitRootLogin yes

Allowing root to log in with a password exposes the most valuable account to online guessing; it is done here only so the lab can proceed, and the password path is turned off again once key authentication is in place later in this document.

♣ Line 69: uncomment


PermitEmptyPasswords no

♦ Restart SSH service. Validate the file first (sshd -t prints nothing when the syntax is valid) and keep your current session open until a new login has succeeded, so that a typo cannot lock you out.


[root@primary ~] # systemctl restart sshd

♦ Check the IP addresses of the server


[root@primary ~] # ip addr show

or
[root@primary ~] # ip a

Remote Login with Password Authentication via PuTTY (Windows OS)


PuTTY is an SSH client also a telnet client. From Windows OS, we use it to remote login to the SSH server.

♦ Download and install PuTTY from the link below


https://drive.google.com/drive/folders/1Yx01RRFZKvQHEUy9WUQ1Dxj4DPEd_amp?usp=sharing
Installing a remote-access client from a shared drive is a supply-chain risk: prefer the official PuTTY site and check the published signature or hash before installing.
♦ Enter the server's IP address, either 192.168.11.10 or 192.168.88.10, and use port number 22

♦ PuTTY shows the server's host key fingerprint on the first connection. Compare it with the fingerprint printed on the server console (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub) before accepting, then enter user root's password

Remote Login with Password Authentication via Terminal (Mac OS and Linux OS)
From macOS or Linux, use Terminal to log in to the server remotely.

♦ On macOS, go to System Preferences => Sharing and enable Remote Login. This starts the Mac's own SSH server; the SSH client works without it, but the file-transfer steps later in this document copy files from the server into the Mac, which needs it.


♦ Open Terminal and enter the command (192.168.11.10 is the server's Service address from the network section)
ssh root@192.168.11.10

♦ Check the host key fingerprint on the first connection, accept, and enter user root's password


♦ It is possible to execute a single command on the remote host with ssh, as below
xman@Xs-MacBook-Pro ~ % ssh root@192.168.11.10 "cat /etc/profile"

Transfer File with Secure Copy


It is possible to use Secure Copy (scp) with the OpenSSH service. On first contact with a new host, scp and ssh ask to confirm the host key; check the fingerprint before answering yes, because the answer is cached in ~/.ssh/known_hosts and a wrong "yes" trusts an impostor from then on.

♦ Make sure both server and client are connected; use the ping command to test the connection first
Copy file from CentOS server to CentOS client
♦ Create a test file on CentOS server
[root@primary ~] # touch /root/ServerTestFile1.txt

♦ Copy the file from CentOS server to CentOS client: source path, then user@IP-address:directory on the client (CLIENT_IP stands for the CentOS client's address, which this page does not state)
[root@primary ~] # scp /root/ServerTestFile1.txt root@CLIENT_IP:/home

♣ Are you sure you want to continue connecting (yes/no)? yes


♣ Enter user root's password (user root on CentOS client)
Copy file from CentOS client to CentOS server
♦ Create test files on CentOS client (enter the command below on the client)
[root@centosclient ~] # touch /home/ClientTestFile1.txt /home/ClientTestFile2.txt

♦ Copy the file from CentOS client to CentOS server: user@IP-address:path on the client, then the destination directory on the server
[root@primary ~] # scp root@CLIENT_IP:/home/ClientTestFile1.txt /root

♣ Are you sure you want to continue connecting (yes/no)? yes


♣ Enter user root's password (user root on CentOS client)
Copy file from CentOS server to macOS host
♦ Create a test file on CentOS server
[root@primary ~] # touch /root/ServerTestFile2.txt

♦ Copy the file from CentOS server to macOS host: source path, then user@IP-address:directory on the Mac (xman at 192.168.11.1, as used in the key-authentication section)
[root@primary ~] # scp /root/ServerTestFile2.txt xman@192.168.11.1:/Users/xman/Desktop

♣ Are you sure you want to continue connecting (yes/no)? yes


♣ Enter user xman's password (user xman on macOS host)
Copy file from macOS host to CentOS server
♦ Create a test file on macOS host (enter the command below in the macOS Terminal)
xman@Xs-MacBook-Pro ~ % touch /Users/xman/Desktop/MacOSTestFile.txt

♦ Copy the file from macOS host to CentOS server: user@IP-address:path on the Mac (the file was created on the Desktop, so the path must include Desktop), then the destination directory on the server
[root@primary ~] # scp xman@192.168.11.1:/Users/xman/Desktop/MacOSTestFile.txt /root

♣ Are you sure you want to continue connecting (yes/no)? yes


♣ Enter user xman's password (user xman on macOS host)

Transfer File with SSH File Transfer Protocol


It is possible to use the SSH File Transfer Protocol (sftp) with the OpenSSH service; unlike scp it gives an interactive session, in which a leading ! runs a command on the local side.
♦ To transfer files with sftp, connect to the remote host first; EX: from the CentOS server to the CentOS client (CLIENT_IP stands for the client's address, which this page does not state)
[root@primary ~] # sftp root@CLIENT_IP

♣ Enter user root's password (user root on CentOS client)


♦ Show current working directory on CentOS client (remote host)
sftp> pwd

♦ Show current working directory on CentOS server


sftp> !pwd

♦ Change directory on CentOS client (remote host)


sftp> cd /home
sftp> pwd

♦ List directory contents on CentOS client (remote host)


sftp> ls -l

♦ List directory contents on CentOS server


sftp> !ls -l

♦ Create a test file on CentOS server


sftp> !touch ServerTestFile3.txt

♦ Copy file from CentOS server to CentOS client (remote host)


sftp> put ServerTestFile3.txt
sftp> ls -l

♦ Copy file from CentOS client (remote host) to CentOS server


sftp> get ClientTestFile2.txt

♦ Create directory on CentOS client (remote host)


sftp> mkdir ClientTestFolder
sftp> ls -l

♦ Remove directory on CentOS client (remote host)


sftp> rmdir ClientTestFolder
sftp> ls -l

♦ Remove file on CentOS client (remote host)


sftp> rm ClientTestFile2.txt
sftp> ls -l

♦ Exit from sftp mode


sftp> exit

Set Hostname
A hostname is a label assigned to a device connected to a computer network and used to identify that
device. In this case:
primary is the hostname
vanndy is the domain name
edu is the top-level domain (TLD)

♦ Edit hostname configuration file


[root@primary ~] # vi /etc/hostname

♣ Line 1: enter the host name and domain name


primary.vanndy.edu

♦ To view the hostname and some server’s information


[root@primary ~] # hostnamectl

♦ You can also set the hostname with the command below; unlike editing the file, it takes effect immediately and updates /etc/hostname as well


[root@primary ~] # hostnamectl set-hostname primary.vanndy.edu

Yellowdog Updater, Modified (YUM) and Dandified YUM (DNF)


The package management tool DNF is the default on RHEL 8 / CentOS 8. The yum command is kept as a symbolic link to dnf-3, so yum, dnf and dnf-3 can be used interchangeably with the same syntax.
♦ Show the full path of the yum command
[root@primary ~] # which yum

♣ /usr/bin/yum
♦ Show what /usr/bin/yum links to
[root@primary ~] # ll /usr/bin/yum

♣ lrwxrwxrwx. 1 root root 5 Mar 12 2021 /usr/bin/yum -> dnf-3


♦ Show the full path of the dnf command
[root@primary ~] # which dnf

♣ /usr/bin/dnf
♦ Show what /usr/bin/dnf links to
[root@primary ~] # ll /usr/bin/dnf

♣ lrwxrwxrwx. 1 root root 5 Mar 12 2021 /usr/bin/dnf -> dnf-3


♦ List all installed packages
[root@primary ~] # yum list --installed

♦ Check the version of yum package


[root@primary ~] # yum list --installed | grep yum

♦ Check the configuration files of yum package


[root@primary ~] # rpm -ql yum
/etc/dnf/protected.d/yum.conf
/etc/yum.conf
/etc/yum/pluginconf.d
/etc/yum/protected.d
/etc/yum/vars
/usr/bin/yum
/usr/share/man/man1/yum-aliases.1.gz
/usr/share/man/man5/yum.conf.5.gz
/usr/share/man/man8/yum-shell.8.gz
/usr/share/man/man8/yum.8.gz

♦ Check whether the configuration files of yum package link to dnf or not
[root@primary ~] # ll /etc/yum.conf

♣ lrwxrwxrwx. 1 root root 12 Mar 12 2021 /etc/yum.conf -> dnf/dnf.conf


[root@primary ~] # ll /etc/yum/vars

♣ lrwxrwxrwx. 1 root root 11 Mar 12 2021 /etc/yum/vars -> ../dnf/vars

Use Module Repository


RHEL 8 / CentOS 8 support modules (the AppStream modularity that originated in Fedora), which let several versions of an application be offered as separate streams.

♦ Display available modules


[root@primary ~] # dnf module list

♦ Show a module; EX: postgresql ([d] marks the default stream and the default profile)


[root@primary ~] # dnf module list postgresql
Name        Stream   Profiles             Summary
postgresql  9.6      client, server [d]   PostgreSQL server and client module
postgresql  10 [d]   client, server [d]   PostgreSQL server and client module
postgresql  12       client, server [d]   PostgreSQL server and client module
postgresql  13       client, server [d]   PostgreSQL server and client module

♦ Install the postgresql module from stream 13 (the default stream is 10, so the stream is named explicitly)


[root@primary ~] # dnf module install -y postgresql:13

♦ Check the installed module again; [e] = enabled stream, [i] = installed profile


[root@primary ~] # dnf module list postgresql
Name        Stream   Profiles                 Summary
postgresql  9.6      client, server [d]       PostgreSQL server and client module
postgresql  10 [d]   client, server [d]       PostgreSQL server and client module
postgresql  12       client, server [d]       PostgreSQL server and client module
postgresql  13 [e]   client, server [d] [i]   PostgreSQL server and client module

♦ To change an installed module to another version; EX: from postgresql 13 to 12
♦ Reset the current stream selection (this clears the enabled stream but does not remove the packages already installed; if packages from the old stream remain after installing the new one, run dnf distro-sync)
[root@primary ~] # dnf module reset -y postgresql

♦ Install the module of another version


[root@primary ~] # dnf module install -y postgresql:12

♦ Check the installed module again; [i] = installed


[root@primary ~] # dnf module list postgresql

♦ Verify the installed module


[root@primary ~] # dnf module provides postgresql

♦ Check version of the module


[root@primary ~] # postgres -V

Install and Configure Useful Online Repository


A repository is a collection of software packages for a Linux distribution, hosted on a server. Besides the CentOS default repositories there are some useful third-party ones; in this case we install the EPEL online repository from the Internet. Each third-party repository is then disabled (enabled=0) so that it is used only when requested explicitly with --enablerepo, and given priority=10 (a lower number ranks higher when it is enabled).

♦ Install epel-release package. More information about the EPEL repository: https://fedoraproject.org/wiki/EPEL


[root@primary ~] # dnf -y install epel-release

♦ Edit EPEL repository configuration file


[root@primary ~] # vi /etc/yum.repos.d/epel.repo

♣ Line 7: change from 1 to 0


enabled=0

♣ Add line 8:
priority=10

♦ Edit EPEL Modular repository configuration file


[root@primary ~] # vi /etc/yum.repos.d/epel-modular.repo

♣ Line 7: change from 1 to 0


enabled=0

♣ Add line 8:
priority=10

♦ To install particular packages directly from the EPEL repository, enable it for that command only (Internet connection required)
[root@primary ~] # dnf --enablerepo=epel -y install [package1 package2]

♦ Install elrepo-release package. ELRepo mainly provides hardware drivers and newer kernels for RHEL-derived systems.


[root@primary ~] # dnf -y install elrepo-release

♦ Edit EL repository configuration file


[root@primary ~] # vi /etc/yum.repos.d/elrepo.repo

♣ Line 11: change from 1 to 0


enabled=0

♣ Add line 12:


priority=10

♦ To install particular packages directly from ELRepo, enable it for that command only (Internet connection required)
[root@primary ~] # dnf --enablerepo=elrepo -y install [package1 package2]

♦ Install remi-release package. The Remi repository provides packages such as the latest PHP. More
information about the Remi repository: https://rpms.remirepo.net
Installing an RPM straight from a URL skips repository GPG checking unless localpkg_gpgcheck is set in dnf.conf; on a real deployment download it first and verify its signature (rpm -K) against Remi's published key.
[root@primary ~] # dnf -y install https://rpms.remirepo.net/enterprise/remi-release-8.rpm

♦ Check the configuration files of Remi repository


[root@primary ~] # rpm -ql remi-release

♦ Find out which Remi repository files are enabled
[root@primary ~] # grep 'enabled=1' /etc/yum.repos.d/remi-*
/etc/yum.repos.d/remi-modular.repo:enabled=1
/etc/yum.repos.d/remi-safe.repo:enabled=1

♣ Only remi-modular and remi-safe are enabled by default


♦ Edit remi-modular repository configuration file
[root@primary ~] # vi /etc/yum.repos.d/remi-modular.repo

♦ Line 10: change from 1 to 0


enabled=0

♦ Add line 11:


priority=10

♦ To install particular packages directly from the Remi Modular repository, enable it for that command only (Internet
connection required)
[root@primary ~] # dnf --enablerepo=remi-modular -y install [package1 package2]

♦ Edit remi-safe repository configuration file


[root@primary ~] # vi /etc/yum.repos.d/remi-safe.repo

♦ Line 10: change from 1 to 0


enabled=0

♦ Add line 11:


priority=10

♦ To install particular packages directly from the Remi Safe repository, enable it for that command only (Internet connection required)
[root@primary ~] # dnf --enablerepo=remi-safe -y install [package1 package2]

Configure Default Offline Repository


Normally the default repository that the system searches for packages is the "CentOS-Base Repo" on the
Internet. For the CentOS distribution, however, many of the important packages are already contained in the operating
system ISO file, so they need not be installed from the Internet; we only have to point the repository
at the folders "BaseOS" and "AppStream" in the ISO file.
Packages in BaseOS provide the core set of underlying OS functionality that forms the foundation for all types of installation.
Packages in AppStream (Application Stream) include user-space applications, runtime languages and databases in support
of varied workloads and use cases.
The local repository keeps gpgcheck=1 with the CentOS key that came with the installation, so packages from the ISO are still signature-checked.

♦ Create a new folder for backing up the current repository files (/tmp is cleaned automatically, so move the backup somewhere permanent such as /root if you may need it later)


[root@primary ~] # mkdir /tmp/Repo

♦ Move the current repository files to the backup folder


[root@primary ~] # mv /etc/yum.repos.d/CentOS-Linux-*.repo /tmp/Repo

♦ Connect the CentOS DVD ISO file to the VM CD ROM


♦ Make a new folder for mounting the CD
[root@primary ~] # mkdir /mnt/Linux

♦ Mount the OS ISO file to the folder /mnt/Linux


[root@primary ~] # mount /dev/cdrom /mnt/Linux
♦ Create a local CentOS repository configuration file
[root@primary ~] # touch /etc/yum.repos.d/CentOS-Local.repo

♦ Edit local CentOS repository configuration file


[root@primary ~] # vi /etc/yum.repos.d/CentOS-Local.repo
[InstallMedia]
name=CentOS Linux 8 - Local
metadata_expire=-1
gpgcheck=1
enabled=1
baseurl=file:///mnt/Linux/BaseOS
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[InstallMedia-AppStream]
name=CentOS Linux 8 - AppStream
metadata_expire=-1
gpgcheck=1
enabled=1
baseurl=file:///mnt/Linux/AppStream
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

♦ Change access permission of the CentOS repository configuration file


[root@primary ~] # chmod 644 /etc/yum.repos.d/CentOS-Local.repo

♦ Clean up YUM repository


[root@primary ~] # yum clean all

♦ Refresh YUM repository


[root@primary ~] # yum repolist

♦ Test by installing a simple package without the Internet connection; EX: Nginx and tar
[root@primary ~] # yum -y install nginx tar

Note: from now on, to install any package we no longer need an Internet connection; just attach the CentOS DVD ISO
to the VM's CD-ROM and mount it on /mnt/Linux. Packages that are not on the ISO still need one of the online repositories enabled with --enablerepo.
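The repository steps above add several package sources and rely on every enabled one having gpgcheck=1 and a gpgkey. The script below is an added example, not part of this tutorial: it reads every *.repo file in a directory and reports any enabled repository that would install packages without signature verification. It assumes the INI-style layout shown above, treats an unset gpgcheck as unverified (dnf may inherit a default from /etc/dnf/dnf.conf), and the REPO_DIR variable it honours is an assumption of this example, not a dnf setting.

```shell
#!/bin/sh
# Added example, not part of the tutorial. Audits every [section] in the
# *.repo files of a directory and reports enabled repositories that would
# install packages without signature verification.

# repo_audit DIR : one line per repository, "id state gpgcheck=N ok|UNVERIFIED";
# returns 1 when any enabled repository is UNVERIFIED.
repo_audit() {
  dir=$1; rc=0
  for f in "$dir"/*.repo; do
    [ -f "$f" ] || continue
    awk '
      function flush() {
        if (id == "") return
        state = (enabled == "0") ? "disabled" : "enabled"
        shown = (gpgcheck == "") ? "unset" : gpgcheck
        bad = (state == "enabled" && (gpgcheck != "1" || gpgkey == "")) ? "UNVERIFIED" : "ok"
        printf "%s %s gpgcheck=%s %s\n", id, state, shown, bad
        if (bad == "UNVERIFIED") exit_bad = 1
      }
      /^\[.*\]$/ {                               # new [repo-id] section
        flush()
        id = substr($0, 2, length($0) - 2)
        enabled = "1"; gpgcheck = ""; gpgkey = ""   # dnf: a section is enabled unless enabled=0
        next
      }
      /^[ \t]*(#|$)/ { next }                    # comment or blank line
      index($0, "=") {                           # key=value
        key = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
        val = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "enabled")  enabled = val
        if (key == "gpgcheck") gpgcheck = val
        if (key == "gpgkey")   gpgkey = val
      }
      END { flush(); exit exit_bad }
    ' "$f" || rc=1
  done
  return "$rc"
}

# Run against the live directory (or REPO_DIR) and flag the result.
if [ -d "${REPO_DIR:-/etc/yum.repos.d}" ]; then
  repo_audit "${REPO_DIR:-/etc/yum.repos.d}" || echo "WARNING: an enabled repository has no signature verification"
fi
```

Run it after each repository is added; a disabled repository with gpgcheck=0 is reported as ok because dnf will not use it unless --enablerepo names it, at which point the same check applies.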

Install VMWare Tools


VMware Tools improves how a VM runs inside VMware products (time synchronisation, graphics, shared folders). CentOS 8 ships open-vm-tools, the open-source version that VMware now recommends and that installs from the repository without any compilation; this tutorial installs the classic tarball version instead, which needs gcc and kernel-devel to build its kernel modules.

♦ Install gcc package


[root@primary ~] # yum install -y gcc

♦ Install kernel-devel package


[root@primary ~] # yum install -y kernel-devel

♦ Unmount the OS ISO file from the folder /mnt/Linux


[root@primary ~] # umount /mnt/Linux

♦ In VMware Workstation or VMware Fusion, VM => Install VMware Tools…


♦ Mount the VMware Tools CD into /mnt/Linux
[root@primary ~] # mount /dev/cdrom /mnt/Linux

♦ Extract the file VMwareTools-10.3.10-13959562.tar.gz to the folder /root


Note: the file VMwareTools-10.3.10-13959562.tar.gz may have different name according to the version of
VMware product, so change it accordingly.
[root@primary ~] # tar -zxvf /mnt/Linux/VMwareTools-10.3.10-13959562.tar.gz -C /root

♦ Change the directory to /root/vmware-tools-distrib


[root@primary ~] # cd /root/vmware-tools-distrib

♦ Start to install VMware tools


[root@primary vmware-tools-distrib] # ./vmware-install.pl

♦ Follow the instruction to install VMware Tools (just press enter). After finishing installation, restart the OS.
♦ Remove the directory /root/vmware-tools-distrib
[root@primary ~] # rm -rf /root/vmware-tools-distrib

Go to Windows client and configure section 1

Install and Configure Vi Improved (VIM)


VIM is an improved version of VI with more features such as GUI support, online help and syntax highlighting.

♦ Install vim-enhanced package


[root@primary ~] # yum -y install vim-enhanced

♦ Edit the system-wide profile so that vi runs vim in every login shell


[root@primary ~] # vi /etc/profile

♣ Add to the end of file (EoF)


alias vi='vim'

♦ Load function into the current shell


[root@primary ~] # source /etc/profile

♦ Also add the alias to root's own .bashrc so that it applies to interactive non-login shells


[root@primary ~] # vi ~/.bashrc

♣ Add to the end of file (EoF)


alias vi='vim'
♦ Load function into the current shell
[root@primary ~] # source ~/.bashrc

♦ Create VIM configuration file and set as below


[root@primary ~] # vi ~/.vimrc
set nocompatible
set encoding=utf-8
set fileencodings=utf-8
set fileformats=unix,dos
set history=50
set ignorecase
set smartcase
set hlsearch
set incsearch
set number
set showmatch
set binary noeol
set autoindent
set wrap
syntax on
highlight Comment ctermfg=LightCyan

♦ Test by editing any configuration file and make sure that VIM feature works
[root@primary ~] # vi /etc/yum.repos.d/CentOS-Local.repo

Add Local Users and Set Their Passwords


In this case, we create 4 sample users and set password for each one.

♦ Add users
[root@primary ~] # useradd redhat
[root@primary ~] # useradd ubuntu
[root@primary ~] # useradd debian
[root@primary ~] # useradd testing

♦ Set the password for each user


[root@primary ~] # passwd redhat
[root@primary ~] # passwd ubuntu
[root@primary ~] # passwd debian
[root@primary ~] # passwd testing
♦ View home directory of each user
[root@primary ~] # ll /home

♦ Switch from user "root" to a normal user; EX: switch to user "ubuntu" (use su - ubuntu to also load that user's environment)
[root@primary ~] # su ubuntu

♦ Return from user "ubuntu" to user "root" (exit ends the su session; it does not log in as root)


[ubuntu@primary root]$ exit

Remove Local Users


In this case, we remove a sample user named “testing”.

♦ Delete a user
[root@primary ~] # userdel -r testing

♦ View the home directory again and make sure that home directory of user “testing” is gone
[root@primary ~] # ll /home

Disable Normal User Using Sudo Command


Limiting users from running su means that only members of the wheel group may switch to root with su. We do
this so that a normal user cannot reach the root account by guessing its password through su, and so that sensitive commands stay with administrators.
Linux Pluggable Authentication Modules (PAM) provide dynamic authentication support for applications
and services on Linux; pam_wheel is the module that enforces the wheel-group check for su. Note that this setting does not affect sudo: sudo is governed by /etc/sudoers, and the sample users are refused there simply because they are not listed in it and not in wheel.

♦ Edit PAM configuration file


[root@primary ~] # vi /etc/pam.d/su

♣ Line 7: uncomment
auth required pam_wheel.so use_uid

♦ Restart the server (PAM files are read on each use, so this is not strictly required, but it guarantees that no stale sessions remain)


[root@primary ~] # init 6

♦ Login with a normal user; EX: user ubuntu. Try the sudo command and make sure it responds like this:
ubuntu is not in the sudoers file. This incident will be reported.
[ubuntu@primary ~]$ sudo passwd

♦ Also try su as that user; with pam_wheel active it must now answer "Permission denied" even with the correct root password.

Disable IPV6
IPv6 is disabled here because it is not used in this lab and every service would otherwise have to be configured, firewalled and monitored on a second address family; an unmanaged IPv6 path can expose services that the IPv4 configuration does not. On a network that does use IPv6, configure and secure it rather than disabling it.

♦ Edit CentOS boot grub configuration file


[root@primary ~] # vi /etc/default/grub
♣ Line 6: add ipv6.disable=1
GRUB_CMDLINE_LINUX="ipv6.disable=1 crashkernel=...

♦ Regenerate the GRUB configuration. Run only the command that matches your firmware; the directory /sys/firmware/efi exists on UEFI systems only.
♦ BIOS firmware


[root@primary ~] # grub2-mkconfig -o /boot/grub2/grub.cfg

♦ UEFI firmware


[root@primary ~] # grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg

♦ Restart the server, then test with the command below; make sure there is no inet6 line
[root@primary ~] # ip addr show

Disable Boot Menu


Hiding the boot menu makes it harder for a casual user at the console to interrupt boot and reset user root's password from the GRUB editor. It does not lock anything: the firmware boot order, rescue media and the GRUB editor remain available to whoever reaches the console, so treat GRUB_TIMEOUT=0 as a convenience and, where console access is a real threat, protect the boot loader with grub2-setpassword and the data with disk encryption.

♦ Edit CentOS boot grub configuration file


[root@primary ~] # vi /etc/default/grub

♣ Line 1: change from 5 to 0


GRUB_TIMEOUT=0

♦ Reload the boot grub on BIOS firmware


[root@primary ~] # grub2-mkconfig -o /boot/grub2/grub.cfg

♦ Reload the boot grub on UEFI firmware


[root@primary ~] # grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg

♦ Restart the server and make sure that boot menu does not appear anymore
[root@primary ~] # init 6

Disable Firewall
In this lab the firewall is expected to run on the gateway, so it is turned off on the server; that also avoids writing a firewalld
rule for every service that follows. Be aware that this removes a layer of defence in depth: on a production host keep firewalld running and open only the ports each service needs.

♦ Check if Firewall is installed on the server or not


[root@primary ~] # rpm -qa | grep firewalld

♦ Stop Firewall service


[root@primary ~] # systemctl stop firewalld

♦ Disable Firewall service on boot


[root@primary ~] # systemctl disable firewalld

♦ Restart the server and use the command below to list all active services; make sure the firewall service is not running
[root@primary ~] # systemctl -t service

♦ Use the command below to see all services installed on server


[root@primary ~] # systemctl list-unit-files -t service

♦ Use the command below to check the status of Firewall services; make sure it is inactive
[root@primary ~] # systemctl status firewalld

Disable Security-Enhanced Linux


This lab disables SELinux (Security-Enhanced Linux) because its mandatory access controls can stop services from starting until the right file contexts and booleans are set. Disabling it also removes a strong confinement layer, so on a real server prefer permissive mode while troubleshooting (denials are logged to /var/log/audit/audit.log but not enforced) and return to enforcing afterwards. The 3 SELinux modes are:
enforcing = enabled, denies and logs
disabled = disabled
permissive = enabled but only logs, does not deny access

♦ Show current SELinux status


[root@primary ~] # getenforce

♦ Edit SELinux configuration file


[root@primary ~] # vi /etc/selinux/config

♣ Line 7: change from enforcing to disabled


SELINUX=disabled

♦ Restart the server then check the status of SELinux again, and make sure it is disabled

Go to Linux client and configure from section 1 to section 15

Configure SSH Key Authentication


SSH keys provide an easy yet far stronger way of logging in to the server than passwords. An SSH key pair consists of
a public key and a private key; the private key stays with the client, and the public key is placed on the server in
~/.ssh/authorized_keys of the account you will log in to. At login the server sends a challenge that only the holder of
the private key can sign, so the private key is never transmitted and there is nothing to guess online.

This tutorial generates the pair on the server and then copies the private key out to each client. That is the reverse of
normal practice, where each client generates its own pair and only the public key travels to the server; a private key that
has been copied around is only as safe as every machine it has landed on. It works for the lab, but rotate the key afterwards.

♦ Create an RSA key pair (RSA is used here for signatures, not encryption)


[root@primary ~] # ssh-keygen -t rsa

♣ Enter file in which to save the key (/root/.ssh/id_rsa): [Enter]


♣ Set your own passphrase; it encrypts the private key on disk, so a copied file is useless without it
♦ Install the public key as the authorized key (this replaces any existing authorized_keys; append to the file instead if one already exists)
[root@primary ~] # mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

♦ Change access permission of the authorized key file (sshd refuses to use it if it is group- or world-writable)


[root@primary ~] # chmod 600 ~/.ssh/authorized_keys
Remote Login with Key Authentication via PuTTY (Windows OS)
The steps below use PuTTY and its key tool PuTTYgen, which converts /root/.ssh/id_rsa (the private key file copied to Windows) into PuTTY's .ppk format. Bitvise SSH Client is an alternative Windows SSH client available from the same link.

♦ Download and install Bitvise SSH Client from the link below (optional if you use PuTTY)


https://drive.google.com/drive/folders/1Yx01RRFZKvQHEUy9WUQ1Dxj4DPEd_amp?usp=sharing
♦ Copy (drag and drop) the file /root/.ssh/id_rsa from the primary server to Windows; this is the private key, so delete it from anywhere it is no longer needed

♦ Run PuTTY Key Generator (C:\Program Files\PuTTY\puttygen.exe)


♦ Click Load and select All Files (*.*)
♦ Chose the file id_rsa

♦ Enter your passphrase that you set when creating key pair
♦ Click Save private key; EX: Private Key.ppk
♦ Edit SSH configuration file
[root@primary ~] # vi /etc/ssh/sshd_config

♣ Line 70 (search for the keyword; the number varies by version): change from yes to no


PasswordAuthentication no

♦ Restart SSH service


[root@primary ~] # systemctl restart sshd

♦ From now on the server no longer accepts SSH password login; you must use the private key file and its
passphrase. Keep your current session open until a key-based login from a second window has succeeded, otherwise a mistake in the key setup locks you out of remote access.
♦ Steps to remote login to the server with SSH private key:
♣ Open PuTTY and enter the server’s IP address
♣ In the Category left panel go to Connection => SSH => Auth
♣ Click Browse… and locate for the private key you just saved
♣ Enter your passphrase (not user root’s password)
♦ You can also remote login to the server via PuTTY Authentication Agent
♣ Open the Private Key.ppk on Windows Desktop
♣ Enter your passphrase

♣ Open PuTTY and enter the server’s IP address, then login directly without entering passphrase again

Remote Login with Key Authentication via Terminal (Mac OS)


/root/.ssh/id_rsa is the private key file to be copied from the primary server to macOS
xman is the username on macOS
192.168.11.1 is the IP address of macOS
/Users/xman/Desktop is the destination path on macOS
♦ Copy the private key file to macOS
[root@primary ~] # scp /root/.ssh/id_rsa xman@192.168.11.1:/Users/xman/Desktop

♣ Are you sure you want to continue connecting (yes/no)? yes


♣ Enter the passphrase of the key pair (the server's ssh client offers its own id_rsa to the Mac first; the Mac does not know that key, so this attempt fails harmlessly)
♣ Enter the password of user xman on macOS
♦ Edit SSH configuration file
[root@primary ~] # vi /etc/ssh/sshd_config

♣ Line 70: change from yes to no


PasswordAuthentication no

♦ Restart SSH service


[root@primary ~] # systemctl restart sshd

♦ From now on the server no longer accepts SSH password login; you must use the private key file and its
passphrase.
♦ Steps to remote login to the server with the SSH private key:
♣ On the Mac, renaming id_rsa to id_rsa.pem is optional (the file format does not change), but the file must be readable only by its owner or ssh ignores it: chmod 600 /Users/xman/Desktop/id_rsa.pem
♣ Open Terminal and enter the command
xman@Xs-MacBook-Pro ~ % ssh -i /Users/xman/Desktop/id_rsa.pem root@192.168.11.10

♣ Accept and enter the passphrase of the key pair (not user root's password)
♣ To log out from the remote server
[root@primary ~]# exit

♦ You can also remote login to the server via SSH-Agent


♣ On Mac, open Terminal and run SSH-Agent
xman@Xs-MacBook-Pro ~ % eval $(ssh-agent)

♣ Add the private key to the agent (the passphrase is entered once here)
xman@Xs-MacBook-Pro ~ % ssh-add /Users/xman/Desktop/id_rsa.pem

♣ List the loaded keys to verify
xman@Xs-MacBook-Pro ~ % ssh-add -l

♣ Remote login directly without entering the passphrase again


xman@Xs-MacBook-Pro ~ % ssh root@192.168.11.10

♣ After you stop remote to the server, you can kill SSH-Agent process
xman@Xs-MacBook-Pro ~ % eval $(ssh-agent -k)

Remote Login with Key Authentication via Terminal (Linux OS)


/root/.ssh/id_rsa is the private key file to be copied to the Linux client
xman is the username on the Linux client
192.168.11.1 is the IP address of the Linux client
/home/xman/Desktop is the destination path on the Linux client

♦ Copy the private key file to Linux


[root@primary ~] # scp /root/.ssh/id_rsa xman@192.168.11.1:/home/xman/Desktop

♣ Are you sure you want to continue connecting (yes/no)? yes


♣ Enter the passphrase of the key pair (the server's ssh client offers its own id_rsa first; the client does not know that key, so this attempt fails harmlessly)
♣ Enter the password of user xman on the Linux client
♦ Edit SSH configuration file
[root@primary ~] # vi /etc/ssh/sshd_config

♣ Line 73: change from yes to no


PasswordAuthentication no

♦ Restart SSH service


[root@primary ~] # systemctl restart sshd

♦ From now on the server no longer accepts SSH password login; you must use the private key file and its
passphrase.
♦ Steps to remote login to the server with the SSH private key:
♣ On the Linux client, renaming id_rsa to id_rsa.pem is optional (the file format does not change), but the file must be readable only by its owner or ssh ignores it: chmod 600 /home/xman/Desktop/id_rsa.pem
♣ Open Terminal and enter the command
ssh -i /home/xman/Desktop/id_rsa.pem root@192.168.11.10

♣ Accept and enter the passphrase (not user root's password)


♦ You can also remote login to the server via SSH-Agent
♣ Open Terminal and run SSH-Agent
eval $(ssh-agent)

♣ Add the private key to the agent (the passphrase is entered once here)
ssh-add /home/xman/Desktop/id_rsa.pem

♣ List the loaded keys to verify
ssh-add -l

♣ Remote login directly without entering the passphrase again


ssh root@192.168.11.10

♣ After you stop remote to the server, you can kill SSH-Agent process
eval $(ssh-agent -k)
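The password section at the start of this document and the three key-authentication sections above all edit /etc/ssh/sshd_config by line number, and those numbers already differ between the sections (70 versus 73). The shell functions below are an added example, not part of the tutorial: they set a keyword by name instead and report which value sshd will actually use. They assume a plain keyword/value file with no Match blocks, and the demo at the end runs on a constructed copy of the default comments rather than on the live file.

```shell
#!/bin/sh
# Added example, not part of the tutorial. Edits sshd_config keywords the way
# the "Line NN: change ..." steps intend, without depending on line numbers.
# Assumes the plain keyword/value format of /etc/ssh/sshd_config with no
# Match blocks (a keyword inside a Match block is conditional and must be
# handled by hand).

# sshd_set KEYWORD VALUE FILE
# sshd honours only the FIRST active occurrence of a keyword, so appending a
# new line never overrides an earlier one. This rewrites the first occurrence
# (active or commented-out default), drops later active duplicates, and
# appends only when the keyword is absent. Running it twice is harmless.
sshd_set() {
  key=$1; value=$2; file=$3
  if grep -Eiq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
    awk -v k="$key" -v v="$value" '
      {
        line = $0
        sub(/^[ \t]*#?[ \t]*/, "", line)          # strip leading "#" and blanks
        split(line, f, /[ \t]+/)
        if (tolower(f[1]) == tolower(k)) {
          if (!done) { print k " " v; done = 1 }  # first occurrence becomes the setting
          else if ($0 ~ /^[ \t]*#/) print         # later commented copies stay as-is
          # later active duplicates are dropped
        } else print
      }' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# sshd_get KEYWORD FILE : print the value sshd will use (first active line)
sshd_get() {
  awk -v k="$1" '$0 !~ /^[ \t]*#/ && tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# Demo on a constructed copy of the shipped defaults. Against the real file
# you would run the same calls on /etc/ssh/sshd_config, then "sshd -t" and
# "systemctl restart sshd" while keeping an existing session open.
demo=$(mktemp)
printf '#PermitRootLogin prohibit-password\n#PasswordAuthentication yes\n#PermitEmptyPasswords no\n' > "$demo"
sshd_set PermitRootLogin yes "$demo"          # lab setting from the password section
sshd_set PasswordAuthentication no "$demo"    # key-only login from the key sections
sshd_set PermitEmptyPasswords no "$demo"
echo "PasswordAuthentication is now: $(sshd_get PasswordAuthentication "$demo")"
rm -f "$demo"
```

Writing the result back with cat rather than mv keeps the original file's owner and 0600 mode, which matters for sshd_config.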

Install and Configure Dnsmasq


Dnsmasq provides a DNS forwarder, a DHCP server, router advertisement and network boot features for small
networks; it is free software.

♦ In this case, my hostname is primary and my domain name is vanndy.edu. You may need to change them.
♦ Install dnsmasq package
[root@primary ~] # yum -y install dnsmasq
♦ Edit dnsmasq configuration file (the line numbers are those of the shipped file; search for the keyword if they differ)
[root@primary ~] # vi /etc/dnsmasq.conf

♣ Line 19: uncomment – never forward plain names (without a dot or domain part) to upstream servers
domain-needed

♣ Line 21: uncomment – never forward reverse lookups for private (non-routed) address ranges
bogus-priv

♣ Line 53: uncomment – query each upstream server strictly in the order listed in resolv.conf
strict-order

♣ Line 135: uncomment – add the domain name automatically to plain hostnames read from /etc/hosts


expand-hosts

♣ Line 144: uncomment and change from thekelleys.org.uk to vanndy.edu


domain=vanndy.edu

♦ Restart dnsmasq service and enable its service on boot


[root@primary ~]# systemctl enable --now dnsmasq

♦ Edit DNS records


[root@primary ~] # vi /etc/hosts

♣ Add to EoF:
192.168.11.10 primary.vanndy.edu Primary

♦ Restart dnsmasq service


[root@primary ~]# systemctl restart dnsmasq

♦ Install bind-utils packages


[root@primary ~]# dnf -y install bind-utils

♦ Shut down the Internet network interface card


[root@primary ~]# ifdown ens192

♦ Verify Name or Address Resolution


[root@primary ~]# dig primary.vanndy.edu
[root@primary ~]# dig -x 192.168.11.10

Install and Configure DHCP with Dnsmasq


Enable the integrated DHCP feature of Dnsmasq to configure it as a DHCP server.
♦ Edit dnsmasq configuration file
[root@primary ~] # vi /etc/dnsmasq.conf

♣ Line 157: uncomment and define the range of IP addresses to lease and the lease duration; EX: 360h = 15 days
dhcp-range=192.168.11.12,192.168.11.50,360h

♣ Line 334: uncomment and change to server IP address


dhcp-option=option:router,192.168.11.10

♣ Line 343: uncomment and change to server IP address


dhcp-option=option:ntp-server,192.168.11.10

♣ Add line 344: define DNS server IP address


dhcp-option=option:dns-server,192.168.11.10

♣ Add line 345: define subnet mask


dhcp-option=option:netmask,255.255.255.0

♣ Line 406: uncomment and define search domain


dhcp-option=option:domain-search,vanndy.edu

♦ Restart dnsmasq service


[root@primary ~]# systemctl restart dnsmasq

Install and Configure DNS Server


Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or any
resource connected to the Internet or a private network. It associates various information with domain names
assigned to each of the participating entities. It translates domain names to the numerical IP addresses needed
for locating and identifying computer services and devices with the underlying network protocols.

♦ In this case, my hostname is primary, and my domain name is vanndy.edu. You may need to change them.
♦ Install bind and bind-utils packages
[root@primary ~] # yum -y install bind bind-utils

♦ Edit named configuration file


[root@primary ~] # vi /etc/named.conf

♣ Line 11: change from 127.0.0.1 to any


listen-on port 53 { any; };

♣ Line 12: change from ::1 to none


listen-on-v6 port 53 { none; };

♣ Line 19: add 192.168.11.0/24;


allow-query { localhost; 192.168.11.0/24; };

♣ Add line 20:


allow-transfer { localhost; 192.168.11.0/24; };

♣ From line 53 to EoF, delete and replace as below:

view "internal" {
    match-clients {
        localhost;
        192.168.11.0/24;
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "vanndy.edu" IN {
        type master;
        file "vanndy.edu.lan";
        allow-update { none; };
    };
    zone "11.168.192.in-addr.arpa" IN {
        type master;
        file "11.168.192.db";
        allow-update { none; };
    };
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
};

♦ Edit named configuration file


[root@primary ~] # vi /etc/sysconfig/named

♣ Add to EoF: we do not use IPv6, so we set BIND to use only IPv4
OPTIONS="-4"

♦ Create the forward lookup zone


Note: 2021102501 means year 2021, month 10, day 25, version 01; change it according to the current date.
Whenever you edit this file again, increase the serial as well, otherwise secondary servers will not notice the change.
Records whose owner column is empty (leading whitespace) belong to the previous owner, here the zone origin @.
[root@primary ~] # vi /var/named/vanndy.edu.lan
$TTL 86400
@       IN  SOA primary.vanndy.edu. root.vanndy.edu. (
            2021102501  ;Serial
            3600        ;Refresh
            1800        ;Retry
            604800      ;Expire
            86400       ;Minimum TTL
        )
        IN  NS      primary.vanndy.edu.
        IN  A       192.168.11.10
        IN  MX  10  primary.vanndy.edu.
primary IN  A       192.168.11.10
mail    IN  A       192.168.11.10
ftp     IN  CNAME   primary.vanndy.edu.
www     IN  CNAME   primary.vanndy.edu.

♦ Create the reverse lookup zone


[root@primary ~] # vi /var/named/11.168.192.db
$TTL 86400
@       IN  SOA primary.vanndy.edu. root.vanndy.edu. (
            2021102501  ;Serial
            3600        ;Refresh
            1800        ;Retry
            604800      ;Expire
            86400       ;Minimum TTL
        )
        IN  NS  primary.vanndy.edu.
        IN  PTR vanndy.edu.
        IN  A   255.255.255.0
10      IN  PTR primary.vanndy.edu.
10      IN  NS  mail.vanndy.edu.
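The note above says the SOA serial must be increased on every edit. The following added helper (example code, not part of the tutorial; function names and the sample zone are assumptions) bumps a YYYYMMDDnn serial without ever letting it go backwards, and runs named-checkzone when BIND is installed:

```shell
#!/bin/bash
# Added example: maintain the YYYYMMDDnn SOA serial of a BIND zone file and
# syntax-check the zone before "systemctl restart named".

# bump_serial ZONEFILE [TODAY_YYYYMMDD]
# Rewrites the serial in place and prints the new value. If the current serial
# is already today's date (or later, e.g. after a clock change) it is simply
# incremented; otherwise it restarts at <today>01. The serial never decreases,
# because a lower serial makes secondaries ignore the updated zone.
bump_serial() {
    local zonefile="$1"
    local today="${2:-$(date +%Y%m%d)}"
    local old new
    # the serial is the first field on the line carrying the ";Serial" comment
    old=$(awk '/;Serial/ { print $1; exit }' "$zonefile")
    if [ -z "$old" ]; then
        echo "no ;Serial line found in $zonefile" >&2
        return 1
    fi
    if [ "$old" -ge "${today}00" ]; then
        new=$((old + 1))
    else
        new="${today}01"
    fi
    # replace the number only on the ;Serial line, leaving other values alone
    sed -i "/;Serial/ s/$old/$new/" "$zonefile"
    echo "$new"
}

# check_zone ORIGIN ZONEFILE: validate with named-checkzone if it is available
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed, skipping syntax check of $2" >&2
    fi
}

# Constructed sample zone with the same layout as /var/named/vanndy.edu.lan
make_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 86400
@       IN  SOA primary.vanndy.edu. root.vanndy.edu. (
            2021102501  ;Serial
            3600        ;Refresh
            1800        ;Retry
            604800      ;Expire
            86400       ;Minimum TTL
        )
        IN  NS      primary.vanndy.edu.
primary IN  A       192.168.11.10
EOF
}

# usage: bash bump_serial.sh ORIGIN ZONEFILE (e.g. vanndy.edu /var/named/vanndy.edu.lan)
if [ $# -ge 2 ]; then
    bump_serial "$2" && check_zone "$1" "$2"
fi
```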

♦ Stop dnsmasq service


[root@primary ~]# systemctl stop dnsmasq

♦ Disable dnsmasq service on boot


[root@primary ~]# systemctl disable dnsmasq

♦ Restart named service


[root@primary ~] # systemctl restart named

♦ Enable named service on boot


[root@primary ~] # systemctl enable named

♦ Disconnect from the Internet and test DNS with the commands below; make sure the ANSWER SECTION and
AUTHORITY SECTION are correct
[root@primary ~] # dig primary.vanndy.edu.
[root@primary ~] # dig www.vanndy.edu.
[root@primary ~] # dig ftp.vanndy.edu.
[root@primary ~] # nslookup primary.vanndy.edu

Note: for Mac OS users, you have to disable the Remote network card first, then log in directly to the server before
testing the commands above. This is a problem of VMware Fusion.
♦ Disable the Remote network card and test the commands above
[root@primary ~] # ifdown ens192

♦ To enable the Remote network card again


[root@primary ~] # ifup ens192

Install and Configure chroot Environment


chroot is an operation that changes the apparent root directory for the current running process and its children.
A program run in such a modified environment cannot name, and therefore cannot access, files outside the
designated directory tree, which limits the damage a compromised named process can do.

♦ Install bind-chroot package


[root@primary ~] # yum -y install bind-chroot

♦ Load chroot shell script


[root@primary ~] # /usr/libexec/setup-named-chroot.sh /var/named/chroot on

♦ Stop named service


[root@primary ~] # systemctl stop named

♦ Disable named service on boot (named-chroot replaces it)


[root@primary ~] # systemctl disable named

♦ Start named-chroot service


[root@primary ~] # systemctl start named-chroot

♦ Enable named-chroot service on boot


[root@primary ~] # systemctl enable named-chroot

Note: from now on, the configuration files of named are located in /var/named/chroot/

Install and Configure Dynamic Host Configuration Protocol (DHCP)


A DHCP Server is a network server that automatically provides and assigns IP addresses, default gateways and
other network parameters to client devices. It relies on the standard DHCP protocol to respond to broadcast
queries by clients.

♦ Install dhcp-server package


[root@primary ~] # yum -y install dhcp-server

♦ Edit dhcp-server configuration file


[root@primary ~]# vi /etc/dhcp/dhcpd.conf

♣ Add lines 6 to 15, input as below:

option domain-name "vanndy.edu";
option domain-name-servers primary.vanndy.edu;
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 192.168.11.0 netmask 255.255.255.0 {
    range dynamic-bootp 192.168.11.100 192.168.11.200;
    option broadcast-address 192.168.11.255;
    option routers 192.168.11.10;
}

♦ Check the IP addresses that the DHCP server has leased to DHCP clients in the files below
[root@primary ~]# ll /var/lib/dhcpd
[root@primary ~]# cat /var/lib/dhcpd/dhcpd.leases

Go to Windows client and configure VMnet1 network card to use DHCP service

Install and Configure Network Time Protocol (NTP)


NTP is a networking protocol for clock synchronization between computer systems over packet-switched,
variable-latency data networks. NTP is intended to synchronize all participating computers to within a few
milliseconds of Coordinated Universal Time (UTC). In this architecture, the server synchronizes time with the
Internet and all the clients synchronize time with the server.

♦ Install chrony package


[root@primary ~]# yum -y install chrony

♦ Edit chrony configuration file


[root@primary ~]# vi /etc/chrony.conf

♣ Line 3: comment
#pool 2.centos.pool.ntp.org iburst

♣ Add line 4
server 0.kh.pool.ntp.org

♣ Line 24: uncomment and change to 192.168.11.0/24. This defines the network range that is allowed to request
NTP time synchronization from your server
allow 192.168.11.0/24

♦ Restart chrony service


[root@primary ~]# systemctl restart chronyd

♦ Enable chrony service on boot


[root@primary ~]# systemctl enable --now chronyd

♣ The option --now also starts the service immediately, so a separate start command is not needed
♦ For testing, connect to the Internet and use the command below to check the time sources chrony synchronizes with
[root@primary ~]# chronyc sources
Go to Linux client and configure section 16

Go to Windows client and configure section 2

Install and Configure Network File System (NFS) Server


Network File System (NFS) is a distributed file system protocol that allows a user on a client computer to
access files over a computer network much like local storage is accessed.

♦ Install nfs-utils package


[root@primary ~] # yum -y install nfs-utils

♦ Edit idmapd configuration file


[root@primary ~] # vi /etc/idmapd.conf

♣ Line 5: uncomment and change as below


Domain = primary.vanndy.edu

♦ Make a shared folder on the server that clients can access as a file server
[root@primary ~] # mkdir /root/nfsServer

♦ Create some sample folders and files inside the nfsServer folder
♦ Create an export file to set permission for the shared folder
[root@primary ~] # vi /etc/exports

♣ Line 1: define the directory, network IP and permission as below


/root/nfsServer 192.168.11.0/24(rw,no_root_squash)

♦ Restart NFS services


[root@primary ~] # systemctl restart rpcbind nfs-server

♦ Enable NFS services on boot


[root@primary ~] # systemctl enable rpcbind nfs-server

♥ Self-testing NFS service on the server:


♦ Make a folder to mount the shared directory
[root@primary ~] # mkdir /root/123

♦ Mount the folder /root/nfsServer to the folder /root/123


[root@primary ~] # mount -t nfs primary.vanndy.edu:/root/nfsServer /root/123

♦ If that does not work, try the command below with the IP address instead of the hostname


[root@primary ~] # mount -t nfs 192.168.11.10:/root/nfsServer /root/123

♦ Check whether the mount succeeded: all the sample folders and files inside the nfsServer folder must now be
visible in the 123 folder
[root@primary ~] # ll /root/123

Note: for Mac OS users, you have to disable the Internet network card first, then log in directly to the server before
testing the commands above. This is a problem of VMware Fusion.
♦ Disable the Internet network card and test the commands above
[root@primary ~] # ifdown ens192

♦ To enable the Remote network card again


[root@primary ~] # ifup ens192

♦ To unmount the folder /root/123


[root@primary ~] # umount /root/123

Go to Linux client and configure section 17

Install and Configure LDAP Server


Lightweight Directory Access Protocol (LDAP) is an application protocol used over an IP network to manage
and access the distributed directory information service.

♦ Install OpenLDAP packages


[root@primary ~] # yum -y install openldap-servers openldap-clients

♦ Create a copy of LDAP configuration file


[root@primary ~] # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

♦ Change ownership of the LDAP configuration file


[root@primary ~] # chown ldap. /var/lib/ldap/DB_CONFIG

♦ Restart LDAP service


[root@primary ~] # systemctl restart slapd

♦ Enable LDAP service on boot


[root@primary ~] # systemctl enable slapd

♦ Set OpenLDAP admin password


[root@primary ~] # slappasswd

♣ Set your password and press Enter


♣ Copy the {SSHA}xxxxx to a text file
♦ Create LDIF configuration file
[root@primary ~] # vi chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxx
♦ Load LDIF configuration file into LDAP server
[root@primary ~] # ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

♦ Import basic Schemas into LDAP server


[root@primary ~] # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

[root@primary ~] # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif


[root@primary ~] # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

♦ Generate directory manager's password


[root@primary ~] # slappasswd

♣ Set your password and press Enter


♣ Copy the {SSHA}xxxxx to a text file
♦ Create LDAP domain; replace to your own domain name for "dc=vanndy,dc=edu" section, and specify the
password generated previously for "olcRootPW" section
[root@primary ~] # vi chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=vanndy,dc=edu" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=vanndy,dc=edu

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=vanndy,dc=edu

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxx

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=vanndy,dc=edu" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=vanndy,dc=edu" write by * read

♦ Import LDAP domain


[root@primary ~] # ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

♦ Create LDAP base domain


[root@primary ~] # vi basedomain.ldif
dn: dc=vanndy,dc=edu
objectClass: top
objectClass: dcObject
objectclass: organization
o: Vanndy Edu
dc: Vanndy

dn: cn=Manager,dc=vanndy,dc=edu
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=vanndy,dc=edu
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=vanndy,dc=edu
objectClass: organizationalUnit
ou: Group

♦ Load base domain into LDAP server


[root@primary ~] # ldapadd -x -D cn=Manager,dc=vanndy,dc=edu -W -f basedomain.ldif

♦ Enter the LDAP password

Add Local Users and Groups of the Server to Become LDAP Users
This section shows how to add local users into LDAP server automatically.

♦ Create LDIF configuration file to store user’s configuration


[root@primary ~] # touch ldapuser.ldif

♦ Create a bash file to retrieve user’s information


[root@primary ~] # vi ldapuser.sh
#!/bin/bash
# Export local user accounts (UID 1000-9999) and their primary groups from
# /etc/passwd, /etc/shadow and /etc/group into LDIF entries for ldapadd.

SUFFIX='dc=vanndy,dc=edu'
LDIF='ldapuser.ldif'

# start with an empty output file
echo -n > $LDIF

GROUP_IDS=()
# only accounts with a four-digit UID (1000-9999) are exported; the while loop
# runs in a subshell so the GROUP_IDS array stays visible to the group loop below
grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | (while read TARGET_USER
do
    USER_ID="$(echo "$TARGET_USER" | cut -d':' -f1)"
    # first two words of the GECOS field; fall back to the login name
    USER_NAME="$(echo "$TARGET_USER" | cut -d':' -f5 | cut -d' ' -f1,2)"
    [ ! "$USER_NAME" ] && USER_NAME="$USER_ID"
    LDAP_SN="$(echo "$USER_NAME" | cut -d' ' -f2)"
    # anchor the shadow lookups to the start of the line so "cent" does not also match "vcent"
    LASTCHANGE_FLAG="$(grep "^${USER_ID}:" /etc/shadow | cut -d':' -f3)"
    [ ! "$LASTCHANGE_FLAG" ] && LASTCHANGE_FLAG="0"
    SHADOW_FLAG="$(grep "^${USER_ID}:" /etc/shadow | cut -d':' -f9)"
    [ ! "$SHADOW_FLAG" ] && SHADOW_FLAG="0"
    GROUP_ID="$(echo "$TARGET_USER" | cut -d':' -f4)"
    # remember each primary group once, for the group entries below
    [ ! "$(echo "${GROUP_IDS[@]}" | grep -w "$GROUP_ID")" ] && GROUP_IDS=("${GROUP_IDS[@]}" "$GROUP_ID")

    echo "dn: uid=$USER_ID,ou=People,$SUFFIX" >> $LDIF
    echo "objectClass: inetOrgPerson" >> $LDIF
    echo "objectClass: posixAccount" >> $LDIF
    echo "objectClass: shadowAccount" >> $LDIF
    echo "sn: $LDAP_SN" >> $LDIF
    echo "givenName: $(echo "$USER_NAME" | awk '{print $1}')" >> $LDIF
    echo "cn: $USER_NAME" >> $LDIF
    echo "displayName: $USER_NAME" >> $LDIF
    echo "uidNumber: $(echo "$TARGET_USER" | cut -d':' -f3)" >> $LDIF
    echo "gidNumber: $(echo "$TARGET_USER" | cut -d':' -f4)" >> $LDIF
    # the existing crypt hash is reused, so users keep their current passwords
    echo "userPassword: {crypt}$(grep "^${USER_ID}:" /etc/shadow | cut -d':' -f2)" >> $LDIF
    echo "gecos: $USER_NAME" >> $LDIF
    echo "loginShell: $(echo "$TARGET_USER" | cut -d':' -f7)" >> $LDIF
    echo "homeDirectory: $(echo "$TARGET_USER" | cut -d':' -f6)" >> $LDIF
    # password ageing values are taken from fields 4-7 of "passwd -S"
    echo "shadowExpire: $(passwd -S "$USER_ID" | awk '{print $7}')" >> $LDIF
    echo "shadowFlag: $SHADOW_FLAG" >> $LDIF
    echo "shadowWarning: $(passwd -S "$USER_ID" | awk '{print $6}')" >> $LDIF
    echo "shadowMin: $(passwd -S "$USER_ID" | awk '{print $4}')" >> $LDIF
    echo "shadowMax: $(passwd -S "$USER_ID" | awk '{print $5}')" >> $LDIF
    echo "shadowLastChange: $LASTCHANGE_FLAG" >> $LDIF
    # a blank line ends the LDIF entry
    echo >> $LDIF
done

for TARGET_GROUP_ID in "${GROUP_IDS[@]}"
do
    LDAP_CN="$(grep ":${TARGET_GROUP_ID}:" /etc/group | cut -d':' -f1)"
    echo "dn: cn=$LDAP_CN,ou=Group,$SUFFIX" >> $LDIF
    echo "objectClass: posixGroup" >> $LDIF
    echo "cn: $LDAP_CN" >> $LDIF
    echo "gidNumber: $TARGET_GROUP_ID" >> $LDIF
    # list every exported user whose primary group this is
    for MEMBER_UID in $(grep ":${TARGET_GROUP_ID}:" /etc/passwd | cut -d':' -f1,3)
    do
        UID_NUM=$(echo "$MEMBER_UID" | cut -d':' -f2)
        [ $UID_NUM -ge 1000 -a $UID_NUM -le 9999 ] && echo "memberUid: $(echo "$MEMBER_UID" | cut -d':' -f1)" >> $LDIF
    done
    echo >> $LDIF
done
)

♦ Execute the bash file


[root@primary ~] # sh ldapuser.sh

♦ Add users and groups via ldapuser.ldif configuration file


[root@primary ~] # ldapadd -x -D cn=Manager,dc=vanndy,dc=edu -W -f ldapuser.ldif
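Both chdomain.ldif above and the ldapuser.ldif produced by the script depend on LDIF layout rules: a blank line ends an entry, a wrapped value must continue on a line starting with a space, and multiple changes in one modify entry are separated by a lone "-". The added checker below (example code, not part of the tutorial; the function name and sample files are assumptions) catches the usual mistakes before ldapadd or ldapmodify reports a cryptic error:

```shell
#!/bin/bash
# Added example: lint an LDIF file before loading it into OpenLDAP.

# ldif_lint FILE: prints one line per problem, returns 1 if any were found
ldif_lint() {
    awk '
        function err(msg) { printf("%s:%d: %s\n", FILENAME, NR, msg); bad = 1 }
        /^#/  { next }                          # comments are allowed anywhere
        /^$/  { in_entry = 0; next }            # a blank line closes the entry
        !in_entry {                             # first line after a blank line
            if ($0 !~ /^dn: /)
                err("expected \"dn:\" at start of entry (stray blank line above?)")
            in_entry = 1; next
        }
        /^ /  { next }                          # folded continuation of the previous value
        /^-$/ { next }                          # separator between changes in a modify entry
        /^[A-Za-z][A-Za-z0-9;.-]*::? / { next } # attr: value  or  attr:: base64value
        { err("not an attribute line: \"" $0 "\"") }
        END { exit bad }
    ' "$1"
}

# Constructed sample with the same shape as chdomain.ldif: one modify entry
# with two changes, a folded olcAccess value, and a second entry.
write_good_ldif() {
    cat > "$1" <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=vanndy,dc=edu
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=vanndy,dc=edu"
  write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read

dn: ou=People,dc=vanndy,dc=edu
objectClass: organizationalUnit
ou: People
EOF
}
# Note on the folded line above: LDIF strips exactly one leading space when
# joining, so two spaces are needed to keep the blank between "edu\"" and "write".

# Constructed broken sample: a blank line crept in between changetype and replace,
# which splits the entry and makes "replace: olcSuffix" start a new, dn-less entry.
write_bad_ldif() {
    cat > "$1" <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify

replace: olcSuffix
olcSuffix: dc=vanndy,dc=edu
EOF
}

# usage: bash ldif_lint.sh FILE...  (with no arguments only the functions are defined)
if [ $# -gt 0 ]; then
    for f in "$@"; do ldif_lint "$f"; done
fi
```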

Go to Linux client and configure section 18 and 19

Add LDAP User Accounts into OpenLDAP Server (Not the Local Users of Server)
This section shows how to add users to LDAP server manually. EX: we want to add a user named Linux Cent.

♦ Generate the password hash for the new user


[root@primary ~] # slappasswd

♦ Enter the new user's password and copy the {SSHA}xxxxx to a text file; it goes into the userPassword attribute below
Note: cn is common name and sn is surname.
♦ Edit LDIF file to store user’s configuration
[root@primary ~] # vi ldapuser.ldif
dn: uid=cent,ou=People,dc=vanndy,dc=edu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
userPassword: {SSHA}xxxxx
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent

dn: cn=cent,ou=Group,dc=vanndy,dc=edu
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent

♦ Add user and group via ldapuser.ldif file


[root@primary ~] # ldapadd -x -D cn=Manager,dc=vanndy,dc=edu -W -f ldapuser.ldif

Delete LDAP User Accounts from OpenLDAP Server


This section shows how to delete a user from the LDAP server manually. EX: we want to delete the user Linux Cent.

♦ Delete user’s ID from People OU


[root@primary ~] # ldapdelete -x -W -D 'cn=Manager,dc=vanndy,dc=edu' "uid=cent,ou=People,dc=vanndy,dc=edu"

♦ Delete user’s name from Group OU


[root@primary ~] # ldapdelete -x -W -D 'cn=Manager,dc=vanndy,dc=edu' "cn=cent,ou=Group,dc=vanndy,dc=edu"

Create Own SSL Certificate


SSL Certificates, sometimes called digital certificates, are small data files that digitally bind a cryptographic
key to an organization’s details.

♦ Install make packages


[root@primary ~] # yum -y install make

♦ Change directory to the certificate directory


[root@primary ~] # cd /etc/pki/tls/certs

♦ Make key file for server


[root@primary certs] # make server.key

♣ Enter the key’s password


♦ Remove the passphrase from the key file (the rewritten server.key is stored unencrypted, so httpd and slapd can load it without prompting; keep it readable by root only)
[root@primary certs] # openssl rsa -in server.key -out server.key

♣ Enter the password above


♦ Create the certificate signing request (CSR) and answer the prompts
[root@primary certs] # make server.csr
Country Name (2 letter code) [XX]:KH
State or Province Name (full name) []:Phnom Penh
Locality Name (eg, city) [Default City]:Phnom Penh
Organization Name (eg, company) [Default Company Ltd]:Vanndy
Organizational Unit Name (eg, section) []:Primary
Common Name (eg, your name or your server's hostname) []:www.vanndy.edu
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (press Enter)
An optional company name []: (press Enter)

♦ Generate certificate for server


[root@primary certs] # openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650

♦ Return back to default directory


[root@primary certs] # cd

Configure LDAP to Connect over TLS


LDAP can be configured to connect over TLS to enable encrypted connection.

♦ Copy the generated key to the certificate folder of LDAP service. Enter the commands below line by line.
[root@primary ~] # cp /etc/pki/tls/certs/server.key \
/etc/pki/tls/certs/server.crt \
/etc/pki/tls/certs/ca-bundle.crt \
/etc/openldap/certs/

♦ Change the ownership of the certificate for LDAP service. Enter the commands below line by line.
[root@primary ~] # chown ldap. /etc/openldap/certs/server.key \
/etc/openldap/certs/server.crt \
/etc/openldap/certs/ca-bundle.crt

♦ Create SSL configuration file for the LDAP service


[root@primary ~] # vi mod_ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/server.key

♦ Load the TLS configuration into the LDAP server


[root@primary ~] # ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif

♦ Edit LDAP configuration file


[root@primary ~] # vi /etc/sysconfig/slapd

♣ Line 9: add ldaps:///


SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"

♦ Restart LDAP service


[root@primary ~] # systemctl restart slapd

♦ Copy the file /etc/pki/tls/cert.pem from server to the Linux client /etc/openldap/cacerts/
[root@primary ~] # scp /etc/pki/tls/cert.pem [email protected]:/etc/openldap/cacerts/

Note: 192.168.11.12 is the IP address of the Linux client.

♦ Accept the connection


♦ Enter the passphrase of the server’s SSH key authentication file
♦ Enter the password of user root in Linux client

Go to Linux client and configure section 20


Install and Configure Apache
Apache is the most widely used web server software. A Web server is a program that uses HTTP to serve the
files that form web pages to users, in response to their requests.

♦ Install HTTP package


[root@primary ~] # yum -y install httpd

♦ Remove the default welcome page


[root@primary ~] # rm -f /etc/httpd/conf.d/welcome.conf

♦ Edit HTTP configuration file


[root@primary ~] # vi /etc/httpd/conf/httpd.conf

♣ Line 89: change from local to vanndy.edu


ServerAdmin [email protected]

♣ Line 98: uncomment and change from example.com to vanndy.edu


ServerName www.vanndy.edu:80

♣ Line 154: change from None to All


AllowOverride All

♣ Line 167: add index.cgi index.php


DirectoryIndex index.html index.cgi index.php

♣ Add to EoF
ServerTokens Prod
KeepAlive On

♦ Start HTTP service


[root@primary ~] # systemctl start httpd

♦ Enable HTTP service on boot


[root@primary ~] # systemctl enable httpd

♦ Create an HTML index file to test HTTP service


[root@primary ~] # vi /var/www/html/index.html
<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
Welcome to www.vanndy.edu
</div>
</body>
</html>

♦ From Linux or Windows client, access to www.vanndy.edu


Install and Configure PHP
PHP is a server-side scripting language designed primarily for web development but also used as a
general-purpose programming language.

♦ Install PHP packages


[root@primary ~] # yum -y install php php-mbstring php-pear

♦ Edit PHP configuration file


[root@primary ~] # vi /etc/php.ini

♣ Line 902: uncomment (delete sign ; from the beginning of the line) and add Asia/Phnom_Penh
date.timezone = "Asia/Phnom_Penh"

♦ Restart HTTP service


[root@primary ~] # systemctl restart httpd

♦ Create a PHP index file to test PHP service


[root@primary ~] # vi /var/www/html/index.php
<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
<?php
print Date("d/M/Y - h:i a");
?>
</div>
</body>
</html>

♦ From Linux or Windows client, access to www.vanndy.edu/index.php

Install and Configure PHP-FPM


PHP FastCGI Process Manager (PHP-FPM) is needed to run PHP through FastCGI on the server instead of inside the Apache process.

♦ Install PHP-FPM package


[root@primary ~] # yum -y install php-fpm

♦ Edit PHP configuration file


[root@primary ~] # vi /etc/httpd/conf.d/php.conf

♣ Line 44: change from application/x-httpd-php to "proxy:fcgi://127.0.0.1:9000"


SetHandler "proxy:fcgi://127.0.0.1:9000"

♦ Start PHP-FPM service


[root@primary ~] # systemctl start php-fpm

♦ Enable PHP-FPM on boot


[root@primary ~] # systemctl enable php-fpm

♦ Restart HTTP service


[root@primary ~] # systemctl restart httpd

♦ Create a PHP information file


[root@primary ~] # echo '<?php phpinfo(); ?>' > /var/www/html/info.php

♦ From Linux or Windows client, access to www.vanndy.edu/info.php


♦ If the Server API is FPM/FastCGI, then it is OK.

Install and Configure PHP LDAP Admin


phpLDAPadmin is a web application for administering LDAP servers. The phpLDAPadmin project provides
a web-based admin tool for easy, accessible administration of the LDAP directory from a web browser.

♦ Install phpLDAP package


[root@primary ~] # yum -y install php-ldap

♦ Install phpLDAPadmin package from EPEL repository


[root@primary ~] # yum --enablerepo=epel -y install phpldapadmin

♦ Edit phpLDAPadmin configuration file


[root@primary ~] # vi /etc/phpldapadmin/config.php

♣ Line 397: uncomment


$servers->setValue('login','attr','dn');

♣ Line 398: comment (add // to the beginning of the line)


// $servers->setValue('login','attr','uid');

♦ Configure phpLDAPadmin for HTTP service


[root@primary ~] # vi /etc/httpd/conf.d/phpldapadmin.conf

♣ Add line 12
Require ip 192.168.11.0/24

♦ Restart HTTP service


[root@primary ~] # systemctl restart httpd

♦ Restart the server


[root@primary ~] # init 6

♦ From Linux or Windows client, access to www.vanndy.edu/ldapadmin/


♦ Login DN: cn=Manager,dc=vanndy,dc=edu
♦ Password: LDAP admin’s password

Configure User’s Web Directory


On the systems with multiple users, each user can be permitted to have a web site in their home directory using
the UserDir directive. Visitors to a URL http://example.com/~username/ will get content out of the home
directory of the user "username", out of the subdirectory specified by the UserDir directive.

♦ Edit HTTP configuration file


[root@primary ~] # vi /etc/httpd/conf.d/userdir.conf

♣ Line 17: comment


# UserDir disabled

♣ Line 24: uncomment


UserDir public_html

♣ Line 32: change from FileInfo AuthConfig Limit Indexes to all


AllowOverride All

♣ Line 33: change from MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec to None


Options None

♦ Restart HTTP service


[root@primary ~] # systemctl restart httpd

Note: This example is done with user ubuntu.


♦ Restart the Primary server and log in to user ubuntu directly (not remote login via PuTTY or Terminal)
♦ Create a directory to store user’s web directory
[ubuntu@primary ~] # mkdir public_html

♦ Change the access permission of user’s home directory


[ubuntu@primary ~] # chmod 711 /home/ubuntu

♦ Change the access permission of user’s sub directory


[ubuntu@primary ~] # chmod 755 /home/ubuntu/public_html

♦ Create a user’s HTML index file to test user’s web directory


[ubuntu@primary ~] # touch /home/ubuntu/public_html/index.html

♦ Log out from user ubuntu, and remote login to user root
♦ Edit HTML index file of user ubuntu
[root@primary ~] # vi /home/ubuntu/public_html/index.html
<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
This is the personal web page of user “ubuntu”
</div>
</body>
</html>

♦ From Linux or Windows client, access to www.vanndy.edu/~ubuntu/


Install and Configure SSL for HTTPS
When installed on a web server, SSL activates the padlock and the https protocol and allows secure connections
from a web server to a browser. An organization needs to install the SSL certificate on its web server to
initiate a secure session with browsers. Once a secure connection is established, all web traffic between the
web server and the web browser is encrypted. When a certificate is successfully installed on your server,
the application protocol (HTTP) changes to HTTPS.

♦ Install mod_ssl package


[root@primary ~] # yum -y install mod_ssl

♦ Edit SSL configuration file


[root@primary ~] # vi /etc/httpd/conf.d/ssl.conf

♣ Line 43: uncomment


DocumentRoot "/var/www/html"

♣ Line 44: uncomment and change from example.com to vanndy.edu


ServerName www.vanndy.edu:443

♣ Line 85: change from localhost.crt to server.crt


SSLCertificateFile /etc/pki/tls/certs/server.crt

♣ Line 93: change from private/localhost.key to certs/server.key


SSLCertificateKeyFile /etc/pki/tls/certs/server.key

♦ Restart HTTP service


[root@primary ~] # systemctl restart httpd

♦ From Linux or Windows client, access to https://www.vanndy.edu


Note: the browser may display a certificate warning, because we are using a self-signed certificate that no browser trusts by default.

Go to Windows client and configure section 3

Basic Web Server Authentication


Basic web server authentication provides a very simple authentication method using a web user stored in a password file.

♦ Create HTTP basic authentication configuration file


[root@primary ~]# vi /etc/httpd/conf.d/auth_basic.conf
<Directory /var/www/html/auth-basic>
    AuthType Basic
    AuthName "Basic Authentication"
    AuthUserFile /etc/httpd/conf/.htpasswd
    require valid-user
</Directory>

Note: this example is done with a sample user named owner.


♦ Create a web user called owner and set the password
[root@primary ~]# htpasswd -c /etc/httpd/conf/.htpasswd owner

♣ Enter a password for web user owner


♦ Restart HTTP service
[root@primary ~]# systemctl restart httpd

♦ Create a directory to store web user’s file


[root@primary ~]# mkdir /var/www/html/auth-basic

♦ Create a web user’s index file


[root@primary ~]# vi /var/www/html/auth-basic/index.html
<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
This is a secure web page accessed only by web user with the basic authentication
</div>
</body>
</html>

♦ From Linux or Windows client, access to https://www.vanndy.edu/auth-basic


♦ Username is owner

Configure Auth + PAM + SSL


Auth + PAM + SSL provides an authentication method using the local user accounts of the server.

♦ Install mod_authnz_external, pwauth packages from EPEL repository


[root@primary ~]# yum --enablerepo=epel -y install mod_authnz_external pwauth

♦ Edit PAM configuration file for HTTP service


[root@primary ~]# vi /etc/httpd/conf.d/authnz_external.conf

♣ Add to EoF:
<Directory /var/www/html/auth-pam>
    SSLRequireSSL
    AuthType Basic
    AuthName "PAM Authentication"
    AuthBasicProvider external
    AuthExternal pwauth
    require valid-user
</Directory>

♦ Restart HTTP service


[root@primary ~]# systemctl restart httpd

♦ Create a directory to store local user’s file


[root@primary ~]# mkdir /var/www/html/auth-pam

♦ Create a local user’s index file


[root@primary ~]# vi /var/www/html/auth-pam/index.html
<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
This web page can be accessed only by OS local user authentication
</div>
</body>
</html>

♦ From Linux or Windows client, access to https://www.vanndy.edu/auth-pam


♦ Use server’s local user and password to login

Configure Auth + LDAP + SSL


Auth + LDAP + SSL provides an authentication method using LDAP user accounts.

♦ Install mod_ldap package


[root@primary ~]# yum -y install mod_ldap

♦ Create LDAP configuration file for HTTP service


[root@primary ~]# vi /etc/httpd/conf.d/auth_ldap.conf
<Directory /var/www/html/auth-ldap>
    SSLRequireSSL
    AuthName "LDAP Authentication"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://primary.vanndy.edu/dc=vanndy,dc=edu?uid?sub?(objectClass=*)
    Require ldap-filter objectClass=posixAccount
</Directory>

♦ Create a directory to store LDAP user’s file


[root@primary ~]# mkdir /var/www/html/auth-ldap

♦ Create a LDAP user’s index file


[root@primary ~]# vi /var/www/html/auth-ldap/index.html
<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
This web page can be accessed only by LDAP active directory users
</div>
</body>
</html>

♦ Restart HTTP service


[root@primary ~]# systemctl restart httpd

♦ From Linux or Windows client, access to https://www.vanndy.edu/auth-ldap


♦ Use LDAP user and password to login

Configure WebDAV
Web Distributed Authoring and Versioning (WebDAV) is an extension of the HTTP that allows clients to
perform remote Web content authoring operations. The WebDAV protocol provides a framework for users to
create, change and move documents on a server, typically a web server or web share. The most important
features of the WebDAV protocol include the maintenance of properties about an author or modification date,
namespace management, collections, and overwrite protection.

♦ Create a directory to store WebDAV files


[root@primary ~]# mkdir /home/webdav

♦ Create some testing folders and files inside /home/webdav


♦ Change the owner of the WebDAV directory to the httpd user (apache)
[root@primary ~]# chown apache. /home/webdav

♦ Change the access permission of the WebDAV directory


[root@primary ~]# chmod 770 /home/webdav

♦ Create WebDAV configuration file for HTTP service


[root@primary ~]# vi /etc/httpd/conf.d/webdav.conf
DavLockDB "/tmp/DavLock"
Alias /webdav /home/webdav
<Location /webdav>
DAV On
SSLRequireSSL
Options None
AuthType Basic
AuthName WebDAV
AuthUserFile /etc/httpd/conf/.htpasswd
<RequireAny>
Require method GET POST OPTIONS
Require valid-user
</RequireAny>
</Location>

Note: under RequireAny the GET, POST and OPTIONS methods pass without credentials, so the share is readable by anyone who can reach it and only the methods that change content (PUT, DELETE, MKCOL, MOVE, PROPPATCH, ...) require the webdav user. Keep DavLockDB in a directory only apache can write to, such as /var/lib/dav, rather than the world-writable /tmp.

♦ Create a web user called webdav and set the password


[root@primary ~]# htpasswd -c /etc/httpd/conf/.htpasswd webdav

♣ Enter a password for user webdav


♦ Restart HTTP service
[root@primary ~]# systemctl restart httpd

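The auth_ldap.conf and webdav.conf fragments above both hinge on two details that are easy to lose when a file is edited later: the container must keep SSLRequireSSL next to AuthType Basic, and any "Require method" line inside a RequireAny opens those methods to anonymous clients. The script below is an added example, not part of the tutorial; it scans one or more conf.d files and reports each Directory/Location container on one line. The awk dialect and the file layout it expects (one directive per line, containers not nested) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the tutorial: audit httpd conf.d fragments for the
# two properties the auth_ldap.conf and webdav.conf blocks above rely on.
#   1. A container that enables "AuthType Basic" must also carry SSLRequireSSL,
#      otherwise the base64 credential is accepted over plain http.
#   2. Any "Require method ..." inside the container is reported: under
#      <RequireAny> those methods are served without credentials, which is what
#      makes the WebDAV share world-readable but write-protected.
# Usage: sh audit_httpd_auth.sh /etc/httpd/conf.d/webdav.conf [more files]
# Output: one OK/INFO/WARN line per <Directory> or <Location> container.
audit_httpd_auth() {
  awk '
    # a container opens: remember its name and reset the per-block flags
    /^[ \t]*<(Directory|Location)[ \t]/ {
      name = $0
      sub(/^[ \t]*</, "", name); sub(/>.*$/, "", name)
      inblk = 1; auth = 0; ssl = 0; anon = ""
      next
    }
    inblk && /^[ \t]*AuthType[ \t]+Basic/ { auth = 1 }
    inblk && /^[ \t]*SSLRequireSSL/       { ssl = 1 }
    inblk && /^[ \t]*Require[ \t]+method[ \t]/ {
      anon = $0
      sub(/^[ \t]*Require[ \t]+method[ \t]+/, "", anon)
    }
    # the container closes: report what was collected
    inblk && /^[ \t]*<\/(Directory|Location)>/ {
      if (auth && !ssl)  printf "WARN %s: Basic auth without SSLRequireSSL\n", name
      if (anon != "")    printf "INFO %s: unauthenticated methods: %s\n", name, anon
      if (auth && ssl && anon == "") printf "OK %s\n", name
      inblk = 0
    }
  ' "$1"
}

if [ $# -gt 0 ]; then
  for f in "$@"; do audit_httpd_auth "$f"; done
fi
```

Run it against /etc/httpd/conf.d/*.conf after every change: the LDAP directory should come back OK, the WebDAV location should come back INFO with exactly GET POST OPTIONS, and any WARN means a password prompt is reachable over plain http.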
Go to Windows client and configure section 4

Install and Configure Web Log Analyzer


AWStats is an open source Web analytics reporting tool, suitable for analyzing data from Internet services
such as web, streaming media, mail, and FTP servers. AWStats parses and analyzes server log files, producing
HTML reports.

♦ Install the awstats package from the EPEL repository


[root@primary ~]# yum --enablerepo=epel -y install awstats

♦ Change directory to awstats folder


[root@primary ~]# cd /etc/awstats/

♦ Rename the awstats configuration file


[root@primary awstats]# mv awstats.primary.vanndy.edu.conf awstats.www.vanndy.edu.conf

♦ Edit awstats configuration file


[root@primary awstats]# vi awstats.www.vanndy.edu.conf

♣ Line 156: change from primary.vanndy.edu to www.vanndy.edu


SiteDomain="www.vanndy.edu"

♣ Line 171: change from REGEX[^.*primary\.vanndy\.edu$] as below (the second REGEX must match this lab's 192.168.11.x addresses, so the prefix is 192\.168\.11\.)


HostAliases="localhost 127.0.0.1 REGEX[vanndy\.edu$] REGEX[^192\.168\.11\.]"

♦ Edit awstats configuration file for HTTP service


[root@primary ~]# vi /etc/httpd/conf.d/awstats.conf

♣ Add line 30: Require ip 192.168.11.0/24


Require ip 192.168.11.0/24

♦ Restart HTTP service


[root@primary ~]# systemctl restart httpd

♦ Generate analytics report of the web server


[root@primary ~]# /usr/share/awstats/wwwroot/cgi-bin/awstats.pl -config=www.vanndy.edu -update

Note: the report only covers log lines processed so far; re-run the update command (or schedule it from cron) whenever you want current figures.
♦ From Linux or Windows client, access https://www.vanndy.edu/awstats/awstats.pl

Install and Configure MariaDB


MariaDB is a fast-growing open source database that is highly compatible with MySQL and is intended as a
drop-in replacement: its client libraries, APIs and commands match MySQL's.

♦ Install mariadb-server package


[root@primary ~]# yum -y install mariadb-server

♦ Edit mariadb configuration file


[root@primary ~]# vi /etc/my.cnf

♣ Line 6: character-set-server=utf8
character-set-server=utf8

♦ Restart mariadb service


[root@primary ~]# systemctl restart mariadb

♦ Enable mariadb on boot


[root@primary ~]# systemctl enable mariadb

♦ Initial setting for MariaDB


[root@primary ~]# mysql_secure_installation
Enter root's password: (Press Enter)
Set root password? [Y/n] Y
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] n
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y

Note: answering n to "Disallow root login remotely?" keeps the non-localhost root accounts and is for this lab only; outside it answer Y and give each application its own least-privileged database account instead of using root.

♦ Test the database by login to user root


[root@primary ~]# mysql -u root -p
MariaDB [(none)]> select user,host,password from mysql.user;
MariaDB [(none)]> show databases;
MariaDB [(none)]> exit

Install and Configure phpMyAdmin


phpMyAdmin is used for the administration of MySQL over the Web. phpMyAdmin supports a wide range
of operations on MySQL and MariaDB. Frequently used operations (managing databases, tables, columns,
relations, indexes, users, permissions, etc) can be performed via the user interface, while you still have the
ability to directly execute any SQL statement.

♦ Install phpMyAdmin, php-mysql, php-mcrypt packages from EPEL repository


[root@primary ~]# yum --enablerepo=epel -y install phpMyAdmin php-mysql php-mcrypt

♦ Edit phpMyAdmin configuration file


[root@primary ~]# vi /etc/httpd/conf.d/phpMyAdmin.conf

♣ Line 17: add 192.168.11.0/24


Require ip 127.0.0.1 192.168.11.0/24

♣ Line 34: add 192.168.11.0/24


Require ip 127.0.0.1 192.168.11.0/24

♦ Restart HTTP service


[root@primary ~]# systemctl restart httpd

♦ Restart the server


[root@primary ~]# init 6

♦ From Linux or Windows client, access https://www.vanndy.edu/phpmyadmin

Install and Configure VSFTP


vsftpd (Very Secure FTP Daemon) is an FTP server for Unix-like systems. FTP itself is a standard network
protocol used to transfer files from one host to another over a TCP-based network such as the Internet;
it carries credentials and file data in clear text unless TLS is enabled, which the next section does.

♦ Install vsftpd package


[root@primary ~]# yum -y install vsftpd

♦ Edit vsftpd configuration file


[root@primary ~]# vi /etc/vsftpd/vsftpd.conf

♣ Line 82: uncomment


ascii_upload_enable=YES

♣ Line 83: uncomment


ascii_download_enable=YES

♣ Line 100: uncomment


chroot_local_user=YES

♣ Line 101: uncomment


chroot_list_enable=YES

♣ Line 103: uncomment


chroot_list_file=/etc/vsftpd/chroot_list

♣ Line 109: uncomment


ls_recurse_enable=YES

♣ Line 114: change from NO to YES


listen=YES

♣ Line 123: change from YES to NO


listen_ipv6=NO

♣ Add to EoF
local_root=public_html
use_localtime=YES
seccomp_sandbox=NO

Note: seccomp_sandbox=NO switches off vsftpd's syscall filter. It is a workaround for kernels on which the filter breaks logins, not a hardening step, so leave the line out wherever the default works.

♦ List the users that are exempt from the chroot (with chroot_local_user=YES, chroot_list is an exception list: the users below may leave their home directory, everyone else is confined to it)


[root@primary ~]# vi /etc/vsftpd/chroot_list
cent
redhat
ubuntu
debian

♦ Restart vsftpd service


[root@primary ~]# systemctl restart vsftpd

♦ Enable vsftpd service on boot


[root@primary ~]# systemctl enable vsftpd

Configure VSFTP to Enable SSL/TLS Connection


VSFTP can be configured to enable encrypted connection over SSL/TLS.

♦ Change directory to the certificate folder


[root@primary ~]# cd /etc/pki/tls/certs

♦ Generate a self-signed certificate and private key (both are written to vsftpd.pem; -nodes leaves the key unencrypted so the daemon can read it without a passphrase)


[root@primary certs]# openssl req -x509 -nodes -newkey rsa:2048 -keyout vsftpd.pem -out vsftpd.pem -days 365

Country Name (2 letter code) [XX]:KH


State or Province Name (full name) []:Phnom Penh
Locality Name (eg, city) [Default City]:Phnom Penh
Organization Name (eg, company) [Default Company Ltd]:Vanndy
Organizational Unit Name (eg, section) []:Primary
Common Name (eg, your name or your server's hostname) []:www.vanndy.edu
Email Address []:[email protected]

♦ Restrict the key file so that only root can read it


[root@primary certs]# chmod 400 vsftpd.pem
♦ Edit vsftpd configuration file
[root@primary certs]# vi /etc/vsftpd/vsftpd.conf

♣ Add to EoF
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES

Note: the two force_* settings make TLS mandatory for local users; without them a client may still log in and transfer in clear text. The change takes effect after systemctl restart vsftpd.

♦ Return back to default directory


[root@primary certs]# cd
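The vsftpd edits in the two sections above are spread over a dozen lines, and vsftpd simply takes the last occurrence of a repeated key, so what is actually in force is not obvious from reading the file. The script below is an added example, not part of the tutorial: it computes the effective values of the settings that matter for this server (TLS enforcement, anonymous access, the chroot and its exemption list, the seccomp sandbox) and prints one finding per line. The defaults it assumes are vsftpd's compiled-in defaults, not the values in the CentOS-shipped file.

```shell
#!/bin/sh
# Added example, not part of the tutorial: read a vsftpd.conf and report the
# settings that decide whether FTP credentials and data are protected, together
# with the chroot behaviour behind the edits above. vsftpd reads the file as
# key=value lines; for a repeated key the last line wins, which is why the
# tutorial can append ssl_enable=YES at the end of the file.
# Usage: sh audit_vsftpd.sh /etc/vsftpd/vsftpd.conf

# vsftpd_get FILE KEY DEFAULT: print the effective value of KEY
vsftpd_get() {
  v=$(grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-)
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

audit_vsftpd() {
  f=$1
  # the defaults below are vsftpd's compiled-in defaults (see vsftpd.conf(5))
  ssl=$(vsftpd_get "$f" ssl_enable NO)
  flogin=$(vsftpd_get "$f" force_local_logins_ssl YES)
  fdata=$(vsftpd_get "$f" force_local_data_ssl YES)
  anon=$(vsftpd_get "$f" anonymous_enable YES)
  chroot=$(vsftpd_get "$f" chroot_local_user NO)
  clist=$(vsftpd_get "$f" chroot_list_enable NO)
  clfile=$(vsftpd_get "$f" chroot_list_file /etc/vsftpd.chroot_list)
  wchroot=$(vsftpd_get "$f" allow_writeable_chroot NO)
  seccomp=$(vsftpd_get "$f" seccomp_sandbox YES)

  if [ "$ssl" != YES ]; then
    echo "FAIL ssl_enable=NO: passwords and file data cross the network in clear text"
  elif [ "$flogin" != YES ] || [ "$fdata" != YES ]; then
    echo "WARN TLS is available but optional: force_local_logins_ssl=$flogin force_local_data_ssl=$fdata"
  else
    echo "OK TLS is enforced for local users (logins and data)"
  fi
  [ "$anon" = YES ] && echo "WARN anonymous_enable=YES: anonymous FTP logins are accepted"
  if [ "$chroot" = YES ]; then
    # with chroot_local_user=YES the list is an exemption list, not an allow list
    [ "$clist" = YES ] && echo "INFO users listed in $clfile are EXEMPT from the chroot"
    [ "$wchroot" != YES ] && echo "INFO users whose chroot root is writable are refused at login (allow_writeable_chroot=NO)"
  else
    echo "WARN chroot_local_user=NO: local users are not confined to their home directory"
  fi
  [ "$seccomp" = NO ] && echo "WARN seccomp_sandbox=NO: vsftpd's syscall filter is disabled"
  return 0
}

if [ $# -gt 0 ]; then
  for f in "$@"; do audit_vsftpd "$f"; done
fi
```

On the file as edited above the output should be one OK line for TLS, two INFO lines for the chroot (the listed users are exempt, and a user whose local_root is writable by them is refused with "500 OOPS" unless allow_writeable_chroot=YES), and a WARN for the seccomp line. Run it again after each change instead of re-reading the whole file.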

Go to Windows client and configure section 5

Install and Configure Postfix


Postfix is a mail transfer agent (MTA) that routes and delivers electronic mail, intended as an alternative to
the Sendmail MTA. Postfix provides the SMTP server, which listens on 25/TCP.

♦ Install postfix package


[root@primary ~]# yum -y install postfix

♦ Edit postfix configuration file


[root@primary ~]# vi /etc/postfix/main.cf

♣ Line 94: uncomment and change from host.domain.tld to mail.vanndy.edu


myhostname = mail.vanndy.edu

♣ Line 102: uncomment and change from domain.tld to vanndy.edu


mydomain = vanndy.edu

♣ Line 118: uncomment


myorigin = $mydomain

♣ Line 132: uncomment


inet_interfaces = all

♣ Line 183: comment


#mydestination = $myhostname, localhost.$mydomain, localhost

♣ Line 184: uncomment


mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

♣ Line 283: uncomment and change from 168.100.189.0/28 to 192.168.11.0/24


mynetworks = 192.168.11.0/24, 127.0.0.0/8

♣ Line 438: uncomment


home_mailbox = Maildir/
♣ Line 591: uncomment and remove $mail_name
smtpd_banner = $myhostname ESMTP

♣ Add to EoF
message_size_limit = 10485760
mailbox_size_limit = 1073741824
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject

Note: with these settings Postfix offers AUTH on port 25 without TLS, so SASL credentials and mail cross the network in clear text; noanonymous only blocks the ANONYMOUS mechanism. For anything beyond this lab set smtpd_tls_security_level = may with smtpd_tls_cert_file/smtpd_tls_key_file, and smtpd_tls_auth_only = yes so that AUTH is advertised only inside STARTTLS. The recipient restrictions above are not an open relay: relaying is limited to mynetworks and authenticated users.

♦ Restart postfix service


[root@primary ~]# systemctl restart postfix

♦ Enable postfix service on boot


[root@primary ~]# systemctl enable postfix

Install and Configure IMAP Server – Dovecot


Internet Message Access Protocol (IMAP) is an Internet standard protocol used by e-mail clients to retrieve
e-mail messages from a mail server over a TCP/IP connection. IMAP permits the complete management of a
mailbox by multiple email clients. Dovecot provides the POP3 and IMAP servers. POP3 uses 110/TCP, IMAP uses
143/TCP.

♦ Install dovecot package


[root@primary ~]# yum -y install dovecot

♦ Edit dovecot configuration file


[root@primary ~]# vi /etc/dovecot/dovecot.conf

♣ Line 24: uncomment


protocols = imap pop3 lmtp submission

♣ Line 30: uncomment and change from *, :: to *


listen = *
♦ Edit dovecot authentication configuration file
[root@primary ~]# vi /etc/dovecot/conf.d/10-auth.conf

♣ Line 10: uncomment and change from yes to no


disable_plaintext_auth = no

♣ Line 100: add login


auth_mechanisms = plain login
♦ Edit dovecot mail configuration file
[root@primary ~]# vi /etc/dovecot/conf.d/10-mail.conf

♣ Line 30: uncomment and add maildir:~/Maildir


mail_location = maildir:~/Maildir

♦ Edit dovecot master configuration file


[root@primary ~]# vi /etc/dovecot/conf.d/10-master.conf

♣ Line 100: change from auth-userdb to /var/spool/postfix/private/auth


unix_listener /var/spool/postfix/private/auth {

♣ Line 101: uncomment


mode = 0666

♣ Line 102: uncomment and add postfix


user = postfix

♣ Line 103: uncomment and add postfix


group = postfix

♦ Edit dovecot SSL configuration file


[root@primary ~]# vi /etc/dovecot/conf.d/10-ssl.conf

♣ Line 8: change from required to no


ssl = no

Note: ssl = no disables TLS for IMAP and POP3 entirely, and disable_plaintext_auth = no (set above) lets PLAIN and LOGIN be used on the unencrypted connection, so mailbox passwords are readable by anyone on the network path. This is acceptable only in this isolated lab; otherwise keep the default ssl = required with a certificate you trust and leave disable_plaintext_auth = yes, which accepts PLAIN/LOGIN only inside TLS.

♦ Restart dovecot service


[root@primary ~]# systemctl restart dovecot

♦ Enable dovecot service on boot


[root@primary ~]# systemctl enable dovecot
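To make concrete what the Postfix and Dovecot settings above give up, here is an added example that is not part of the tutorial: a small script that reads an SMTP session the way a sniffer on the LAN would reconstruct it and prints the credentials carried by AUTH LOGIN and AUTH PLAIN. Base64 is an encoding, not encryption, so with no TLS the recovery is a two-line decode. The session in sample_session is constructed for this example; the user names are the tutorial's, the passwords and the client host name are made up.

```shell
#!/bin/sh
# Added example, not part of the tutorial: with Dovecot at "ssl = no" and
# "disable_plaintext_auth = no", and Postfix offering AUTH on port 25 with no
# TLS, every mailbox login crosses the LAN as base64, not encryption. This
# script reads an SMTP session as a sniffer would reconstruct it (one line per
# message, either direction) and prints the credentials carried by AUTH LOGIN
# and AUTH PLAIN. sample_session is a constructed transcript: the user names
# are the tutorial's, the passwords and the client host name are made up.
# Usage: sh smtp_auth_sniff.sh --demo        (run against the built-in sample)
#        sh smtp_auth_sniff.sh session.txt   (run against a captured session)

b64dec() { printf '%s' "$1" | base64 -d; }

# AUTH PLAIN carries authzid NUL authcid NUL password. A shell variable cannot
# hold NUL, so map NUL to newline and read the three fields line by line.
decode_plain() {
  { b64dec "$1"; echo; } | tr '\000' '\n' | {
    IFS= read -r authz; IFS= read -r user; IFS= read -r pass
    printf 'PLAIN user=%s pass=%s\n' "$user" "$pass"
  }
}

extract_smtp_auth() {
  state=idle
  tr -d '\r' | while IFS= read -r line; do
    case "$state" in
      idle)
        case "$line" in
          "AUTH LOGIN "*) user=$(b64dec "${line#AUTH LOGIN }"); state=login_pass ;;
          "AUTH LOGIN")   state=login_user ;;
          "AUTH PLAIN "*) decode_plain "${line#AUTH PLAIN }" ;;
          "AUTH PLAIN")   state=plain_blob ;;
        esac ;;
      login_user)   # server sent 334 "Username:"; next client line is the name
        case "$line" in 334*) ;; *) user=$(b64dec "$line"); state=login_pass ;; esac ;;
      login_pass)   # server sent 334 "Password:"; next client line is the password
        case "$line" in 334*) ;; *) printf 'LOGIN user=%s pass=%s\n' "$user" "$(b64dec "$line")"; state=idle ;; esac ;;
      plain_blob)   # AUTH PLAIN without initial response: the blob follows the 334
        case "$line" in 334*) ;; *) decode_plain "$line"; state=idle ;; esac ;;
    esac
  done
}

sample_session() {
  u=$(printf '%s' ubuntu | base64); p=$(printf '%s' ubuntupass | base64)
  plain=$(printf '\000%s\000%s' redhat redhatpass | base64)
  cat <<EOF
220 mail.vanndy.edu ESMTP
EHLO client.vanndy.edu
250-mail.vanndy.edu
250-AUTH PLAIN LOGIN
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
$u
334 UGFzc3dvcmQ6
$p
235 2.7.0 Authentication successful
RSET
250 2.0.0 Ok
AUTH PLAIN $plain
235 2.7.0 Authentication successful
QUIT
221 2.0.0 Bye
EOF
}

case "$1" in
  --demo) sample_session | extract_smtp_auth ;;
  ?*)     extract_smtp_auth < "$1" ;;
esac
```

Note that the "334 VXNlcm5hbWU6" / "334 UGFzc3dvcmQ6" lines are just "Username:" and "Password:" in base64, exactly what the server sends in an AUTH LOGIN exchange. Once Postfix advertises AUTH only inside STARTTLS and Dovecot refuses plaintext mechanisms outside TLS, a capture contains only the TLS handshake and this script prints nothing.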

Install and Configure SquirrelMail


SquirrelMail is a standards-based webmail package which includes built-in pure PHP support for the IMAP
and SMTP protocols. All pages are rendered in pure HTML 4.0 for maximum compatibility across browsers.
SquirrelMail has all the functionality you want from an email client, including strong MIME support, address
books, and folder manipulation.

♦ Install squirrelmail from EPEL repository


[root@primary ~]# yum --enablerepo=epel -y install squirrelmail

♦ Download squirrelmail plugin packages from the Internet


[root@primary ~]# curl -O http://www.squirrelmail.org/plugins/compatibility-2.0.16-1.0.tar.gz

[root@primary ~]# curl -O http://www.squirrelmail.org/plugins/empty_trash-2.0-1.2.2.tar.gz

[root@primary ~]# curl -O http://www.squirrelmail.org/plugins/secure_login-1.4-1.2.8.tar.gz

♦ Extract squirrelmail plugin packages


[root@primary ~]# tar -zxvf compatibility-2.0.16-1.0.tar.gz -C /usr/share/squirrelmail/plugins
[root@primary ~]# tar -zxvf empty_trash-2.0-1.2.2.tar.gz -C /usr/share/squirrelmail/plugins

[root@primary ~]# tar -zxvf secure_login-1.4-1.2.8.tar.gz -C /usr/share/squirrelmail/plugins

♦ Delete squirrelmail plugin downloaded packages


[root@primary ~]# rm -f ./*.tar.gz

Note: on Windows and Linux hosts (VMware Workstation) disconnect the VM from the Internet before running
the commands below. On a Mac OS host (VMware Fusion) disable the Remote network card first, log in to the
server console directly, run the commands, and then re-enable the Remote network card. This is a quirk of
VMware Fusion.
♦ Disable the Remote network card and test the commands above
[root@primary ~]# ifdown ifcfg-ens192

♦ To enable the Remote network card again


[root@primary ~]# ifup ifcfg-ens192

♦ Run squirrelmail initial configuration


[root@primary ~]# /usr/share/squirrelmail/config/conf.pl
Command >> 1
Command >> 5
[]: /webmail
Command >> R
Command >> 2
Command >> 1
[localhost]: vanndy.edu
Command >> 3
Your choice [1/2] [1]: 2
Command >> A
Command >> 4
[localhost]: mail.vanndy.edu
Command >> 8
[uw]: dovecot
Command >> 9
[/]: detect
Command >> B
Command >> 4
[localhost]: mail.vanndy.edu
Command >> 7
Try to detect auth mechanisms? [y/N]: y
Trying to detect supported methods (SMTP)...
Testing none: SUPPORTED
Testing login: SUPPORTED
Testing plain: SUPPORTED

Note: if the server responds as above, everything is fine; otherwise check the DNS server, the SMTP server and
the POP/IMAP server again.
none, login, plain, cram-md5, or digest-md5 [none]: login
SMTP connections? [y/N]: N
Command >> R
Command >> 4
Command >> 7
Hide SM attributions (y/n) [n]: y
Command >> R
Command >> 8
Command >> 7
Command >> 8
Command >> 15
Command >> Q
Save? [Y/n]: y

♦ Copy squirrelmail secure login configuration


[root@primary ~]# cp /usr/share/squirrelmail/plugins/secure_login/config.sample.php
/usr/share/squirrelmail/plugins/secure_login/config.php

♦ Edit squirrelmail secure login configuration file


[root@primary ~]# vi /usr/share/squirrelmail/plugins/secure_login/config.php

♣ Line 24: change from 1 to 0


$change_back_to_http_after_login = 0;

♦ Restart HTTP service


[root@primary ~]# systemctl restart httpd

♦ From Linux client, go to https://www.vanndy.edu/webmail/


♦ Login with LDAP user (ubuntu or redhat), then send an email to user debian ([email protected])

Go to Windows client and configure section 6

Install and Configure Subversion (SVN) Server


Subversion (SVN) is a centralized revision control system for software development: a single repository
holds the complete history and clients check working copies out of it and commit changes back. It is a
different tool from Git, which is distributed; this section sets up svnserve, Subversion's native svn://
server, and a repository with one project.

♦ Install Subversion package


[root@primary ~]# yum -y install subversion

♦ Create a directory to store the projects


[root@primary ~]# mkdir -p /var/svn/repos/project

♦ Configure project directory for SVN


[root@primary ~]# svnadmin create /var/svn/repos/project

♦ Create a subproject; EX: trunk


[root@primary ~]# svn mkdir file:///var/svn/repos/project/trunk -m "create"

♦ Create a directory to synchronize the project


[root@primary ~]# mkdir /home/project

♦ Test by copy some files and folders to the folder above


♦ Import the file into project folder
[root@primary ~]# svn import /home/project file:///var/svn/repos/project/trunk -m "initial import"

♦ Check the subproject


[root@primary ~]# svn list file:///var/svn/repos/project/trunk

♦ Restart svnserve service


[root@primary ~]# systemctl restart svnserve

♦ Enable svnserve service on boot


[root@primary ~]# systemctl enable svnserve

Configure Access Control of SVN


♦ Edit SVN configuration file
[root@primary ~]# vi /var/svn/repos/project/conf/svnserve.conf

♣ Add line 9: anon-access = none (disable anonymous access)


anon-access = none

♣ Line 28: uncomment


password-db = passwd

♣ Line 37: uncomment


authz-db = authz

♦ Edit users and password of SVN server


[root@primary ~]# vi /var/svn/repos/project/conf/passwd

♦ Add to EoF
centos = centospass
redhat = redhatpass
ubuntu = ubuntupass
debian = debianpass

Note: svnserve keeps these passwords in clear text because the svn:// protocol authenticates with CRAM-MD5, which needs the plain password on the server side. Make the file readable only by the account svnserve runs as (chmod 600) and do not reuse the users' system passwords here.
♦ Edit authentication method of SVN server
[root@primary ~]# vi /var/svn/repos/project/conf/authz

♦ Add lines 22 to 30 as below


21 [groups]
22 developer = centos,redhat,ubuntu,debian
23 [/]
24 @developer = rw
25
26 [/trunk]
27 centos = rw
28 redhat = rw
29 ubuntu = rw
30 debian = rw

Go to Windows client and configure section 7

Install and Configure Samba


Samba is a free software re-implementation of the SMB/CIFS networking protocol. Samba provides file and
print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server
domain, either as a Domain Controller (DC) or as a domain member.

♦ Install samba, samba-client packages


[root@primary ~]# yum -y install samba samba-client

♦ Add a new group called security


[root@primary ~]# groupadd security

♦ Make a new directory for the new group


[root@primary ~]# mkdir /home/security

♦ Create some folders and files inside /home/security


♦ Change group of the folder /home/security for the group security
[root@primary ~]# chgrp security /home/security

♦ Change the access permission of folder /home/security


[root@primary ~]# chmod 770 /home/security

♦ Edit Samba configuration file


[root@primary ~]# vi /etc/samba/smb.conf

♣ Line 7: change from SAMBA to WORKGROUP


workgroup = WORKGROUP
♣ Line 8: comment (security = user is Samba's default, so commenting it out does not change the behaviour)
# security = user
♣ Add line 16
unix charset = UTF-8

♣ Add line 17 (CP932 is the Japanese Shift-JIS code page; it only matters for old DOS clients, so omit the line unless you need it)
dos charset = CP932

♣ Add line 18
hosts allow = 127. 192.168.11.

♣ Add to EoF:
[Security]
path = /home/security
writable = yes
create mode = 0770
directory mode = 0770
guest ok = no
valid users = @security

♦ Restart smb service


[root@primary ~]# systemctl restart smb

♦ Restart nmb service


[root@primary ~]# systemctl restart nmb

♦ Enable smb service on boot


[root@primary ~]# systemctl enable smb

♦ Enable nmb service on boot


[root@primary ~]# systemctl enable nmb

♦ Add any local user to become a user of Samba; EX: user debian
[root@primary ~]# smbpasswd -a debian

♦ Add user debian to the security group (-a keeps the user's existing supplementary groups; -G on its own would replace them)


[root@primary ~]# usermod -aG security debian

Go to Windows client and configure section 8

Install and Configure Monitorix


Monitorix is a free, open source, lightweight tool for monitoring system and network resources on Linux. It
collects system and network data at regular intervals and displays the information as graphs in its own web
interface. Monitorix shows overall system performance and helps in detecting bottlenecks, failures,
unusually long response times and other abnormal activity.

♦ Install Monitorix package from EPEL repository


[root@primary ~]# yum --enablerepo=epel -y install monitorix

♦ Configure Monitorix configuration file


[root@primary ~]# vi /etc/monitorix/monitorix.conf

♣ Line 6: change from Place a title here to Monitorix


title = Monitorix

♣ Line 7: add primary.vanndy.edu


hostname = primary.vanndy.edu

♣ Line 8: change from black to white


theme_color = white

♣ Line 12: change from n to y


netstats_in_bps = y

♣ Line 36: add all


hosts_deny = all

♣ Line 37: add 192.168.11.0/24


hosts_allow = 192.168.11.0/24

♦ Restart Monitorix service


[root@primary ~]# systemctl restart monitorix

♦ Enable Monitorix service on boot


[root@primary ~]# systemctl enable monitorix

♦ From Linux or Windows client, access http://www.vanndy.edu:8080/monitorix/

Go to Linux client and configure from section 21 to section 23
