
Acuity Educare (www.acuityeducare.com)

LINUX SYSTEM ADMINISTRATION
SEM V: UNIT 3

607A, 6th floor, Ecstasy business park, city of joy, JSD road, mulund (W) | 8591065589/022-25600622
Abhay More | YouTube - Abhay More | Telegram - abhay_more

TRAINING -> CERTIFICATION -> PLACEMENT BSC IT : SEM - V : LINUX – U3

Q. What is a firewall? How do you allow basic services through the firewall?

• Red Hat Enterprise Linux provides services on the Internet. That means that unauthorized users will try to attack our server and try to get access. To prevent this, we need to install a firewall.

• A firewall works through packet inspection.

• This means that the firewall screens incoming and outgoing packets to check whether the address, protocol, and port of the packet are allowed or denied.
• A firewall works on the 3rd, 4th and 5th layers of the OSI model.
• A firewall cannot check which user has sent the packet or the actual data portion of the packet.
• In large company networks, firewalls are placed on the router that connects the network to the Internet. Everything behind the router is considered to be secure and doesn't need a firewall of its own. But if a server is directly connected to the Internet, the server does require a firewall.

• Netfilter is the default firewall in Linux. To configure Netfilter on Red Hat Enterprise Linux, you can use the system-config-firewall graphical tool or iptables in the command-line interface.
• There are two main configuration files for the Netfilter firewall, stored in the directory /etc/sysconfig:
o In the file iptables, you'll find all the rules that you've added to the firewall.
o In the file iptables-config, the configuration of the firewall service is stored.

Steps to allow basic services through the firewall:

1. From the GNOME graphical interface, select System > Administration > Firewall, or run system-config-firewall from a shell.
2. From the list of trusted services, select DNS, FTP, SSH, and WWW, and click Apply to save the configuration.
3. Close system-config-firewall, and open a shell prompt.
4. Display the current status of the iptables service in the runlevels on your server:
# chkconfig | grep iptables

iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off

5. If the iptables service is not enabled, enable it:
# chkconfig iptables on

6. Display the current status of iptables:
# service iptables status

7. If the service is not running in the current session, start it:
# service iptables start

8. Display the firewall rules:
# iptables -L -v


Q. What is IP masquerading? Give the steps for port forwarding.

• With IP masquerading, you can configure a server to connect your local network to the Internet.
• The local network uses a private address range that cannot communicate on the Internet; with IP masquerading, these addresses are translated to the public IP address. This is also referred to as Network Address Translation (NAT).

• The major benefit of using masquerading is that with just one public IP address, you can connect many devices on the private network to the Internet.
• To enable masquerading, you need to select the public interface. Once this interface is masqueraded, all packets are rewritten with the IP address of the public interface as the source address.
• To trace a packet back to its original sender, the NAT router maintains a NAT table. A port address is used to trace every connection in this NAT table.

• We can also use port forwarding in combination with masquerading. This means you assign a port on the public interface of the NAT router and forward everything that comes in on that port to a specific host and port on the private network.
• We can use this approach if one of the computers on the private network is not directly reachable from the Internet.

Steps of port forwarding:

1. Use yum -y install httpd to install a web server on a computer.

2. On the host computer, open system-config-firewall, and click Port Forwarding. Click Add, and in the Source part of the configuration, select the interface that is used as the physical network card on your host computer.

3. Click Port, and in the Port and Protocol window that opens, select User Defined.
4. Enter port 3333, and click OK.

5. In the Destination part of the Port Forwarding window, select Forward To Another Port. Enter the IP address that is used by the HTTP server machine, and from the Port list, select port 80. Click OK to save the configuration. Next, click Apply to apply the configuration to the firewall.

6. On the host computer, type iptables -L -v and verify that you see a line with the IP address 192.168.1.1 as its destination in the FORWARD chain. This is the packet forwarding rule.

Q. Explain setting up a firewall with iptables.

Understanding Tables, Chains, and Rules:

• Tables are the basic building blocks of a Netfilter firewall.

• Specific tables can be used to specify the functionality of the firewall. By default, the filter table is used. The NAT table is also frequently used.

• A table contains chains.

• A chain consists of a set of rules that is processed sequentially for each packet that enters the firewall until a match is found. The default strategy is "exit on match," which means that the firewall looks no further once the first rule that matches a specific packet is found.
• The following chains are used in the filter table:
o INPUT: Incoming packets are processed in this chain.
o OUTPUT: This chain is used for outgoing packets.
o FORWARD: This chain is used on routers, for packets that don't have a process on the firewall as their destination.

Understanding How a Rule Is Composed:

• Different elements can be used to specify the properties of a packet in each rule.

• Some elements are mandatory.

• The most common elements in rules are:

• Modules: A module is an optional element that you can use in a rule. Modules offer enhancements to the Netfilter firewall. They do that by loading a specific kernel module that adds functionality. A very common module in iptables rules is the state module, which looks at the state of a packet.

• Interface: On a server with multiple network cards, it makes sense to apply rules to specific interfaces only. However, if you're configuring your firewall on a server with one network card only, you can omit the interface specification.

• IP Addresses: In a rule, you can allow or deny access to specific IP addresses or IP network addresses.

• Protocol: Most rules allow or deny access to specific ports. These ports are always connected to the UDP or TCP protocol. Therefore, if you want to state a specific port, you also need to indicate the protocol that is to be used.

• Target: The target is a mandatory component in a rule. A target specifies what needs to be done with a matching packet. Different targets can be used, of which ACCEPT, DROP, REJECT, and LOG are the most important.

• Apart from these common elements found in rules, you need to specify the purpose of the rule. Viewed generically, there are two options: either you set a policy or you add a rule to a chain.

• A policy defines the default behavior. If no specific rule is found in the chain that matches an incoming packet, the policy is applied. It is always good practice to define a policy that denies all access.

• If you use -A to append a rule, it is entered at the last position in the chain. However, if you use -I to insert a rule, you can specify where exactly in the chain you want to insert it.

Example: sending packets to a proxy server

• # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

o This command updates the NAT (network address translation) table (-t nat), appending a rule to the PREROUTING chain (-A PREROUTING).
o IP packets handled by the PREROUTING chain are modified as soon as they arrive and are not otherwise processed.
o The rule applies to TCP packets (-p tcp) arriving on the network interface eth0 (-i eth0) that are destined for port 80 (--dport 80).
o The modification that occurs is that packets going to port 80 are redirected (-j REDIRECT) to port 3128 (--to-port 3128), which is the port on which Squid listens.

Use the command iptables -t nat -L to verify that the rule is in effect:

# /sbin/iptables -L -t nat

Q. Explain advanced iptables configuration.

1. iptables logging
2. The limit module

1. iptables Logging

• If you need to know exactly what is happening in your firewall, the LOG target can be used, but make sure it doesn't log too much; otherwise, during a ping flood attack your log files will be flooded with useless information.

Steps to set up iptables logging:

1. Determine on which line in the INPUT chain SSH traffic is allowed, for example line 4:
# iptables -L -v --line-numbers

2. Make sure all SSH traffic is logged by inserting a LOG rule at that line number:
# iptables -I INPUT 4 -p tcp --dport 22 -j LOG

3. Open an SSH session and run some commands, such as ls and who.

4. Use less /var/log/messages, and press G to go to the end of the file. Check the log lines added to the log file.

2. The Limit Module

• When using logging, numerous lines are written to the log files. On an active system, the number of lines logged can be so high that your log files suffer a denial-of-service attack, and nothing further will be readable.
• To protect yourself against this, you can use the limit module. This module allows you to jump to a target only as long as the number of matched packets stays within a certain limit per period of time.
• For example, if you want to limit the number of packets logged to one per second for all SSH traffic, use the following line:
# iptables -I INPUT 3 -p tcp --dport 22 -m limit --limit 1/s -j LOG
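The rule elements, the deny-all policy, the LOG target and the limit module described above, brought together in one added example (mine, not from the notes): a shell script that writes a complete filter-table ruleset in iptables-restore format and reports the line number a rule occupies, which is the number needed for iptables -I INPUT N. It also covers the DNS, FTP, SSH and WWW services allowed in the first question. Assumptions: eth0 is the only interface, 192.168.1.0/24 is the admin network, and the names gen_filter_rules, chain_policy and rule_position are mine.

```shell
#!/bin/sh
# Added example: builds a filter-table ruleset in iptables-restore format
# following the structure the notes describe (deny-all policy, state module,
# interface/protocol/port matches, LOG rate-limited by the limit module).
# Nothing here touches the kernel; on a test machine the output can be
# loaded with:  gen_filter_rules eth0 192.168.1.0/24 | iptables-restore
# Assumptions: RHEL 6-era iptables, eth0 is the only network card.

# gen_filter_rules IFACE SSH_CIDR
#   IFACE    - interface the rules apply to
#   SSH_CIDR - network allowed to reach SSH; other SSH attempts are logged
#              (at most once per second) and then dropped
gen_filter_rules() {
    iface="$1"
    ssh_cidr="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-established traffic first (state module)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# basic services from the notes: DNS, FTP, WWW
-A INPUT -i $iface -p udp --dport 53 -j ACCEPT
-A INPUT -i $iface -p tcp --dport 53 -j ACCEPT
-A INPUT -i $iface -p tcp --dport 21 -j ACCEPT
-A INPUT -i $iface -p tcp --dport 80 -j ACCEPT
# SSH only from the admin network; everything else is logged with the
# limit module so a flood cannot fill /var/log/messages, then dropped
-A INPUT -i $iface -p tcp -s $ssh_cidr --dport 22 -j ACCEPT
-A INPUT -i $iface -p tcp --dport 22 -m limit --limit 1/s -j LOG --log-prefix "SSH-DENIED: "
-A INPUT -i $iface -p tcp --dport 22 -j DROP
COMMIT
EOF
}

# chain_policy RULESET CHAIN  - prints the default policy of CHAIN
chain_policy() {
    printf '%s\n' "$1" | grep "^:$2 " | awk '{print $2}'
}

# rule_position RULESET CHAIN PATTERN
#   Prints the 1-based position of the first rule in CHAIN that contains
#   PATTERN, the same number "iptables -L --line-numbers" shows, so it can be
#   used as the N in "iptables -I CHAIN N ..." as the notes describe.
rule_position() {
    ruleset="$1"; chain="$2"; pattern="$3"
    printf '%s\n' "$ruleset" | grep "^-A $chain " \
        | grep -n -- "$pattern" | head -n 1 | cut -d: -f1
}
```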

Q. Give steps to configure NAT.

• Network Address Translation (NAT) is a common technique that can be used on routers to allow computers on the private network to go out with one registered IP address on the public network.
• We can use NAT for three purposes:
I. To change the source IP address to the IP address of the firewall before the packet is sent to the Internet, you need the MASQUERADE target.
II. To change the source IP address of a specific host to the IP address of the firewall before the packet is sent to the Internet, you need the SNAT target.
III. To redirect traffic that is sent to a specific IP address and port on the public IP address to an IP address and port on the private network, you need the DNAT target.

(1) A packet targeted at IP address 1.2.3.4:80 comes in on the NAT router. This packet has to be sent to the web server that listens at IP address 10.0.0.10 on the internal network.
(2) The packet is processed by the firewall. To make sure DNAT is used to send the packet to the web server, use this command: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.10. You also need to enable routing (echo 1 > /proc/sys/net/ipv4/ip_forward) and set the policy for the FORWARD chain to ACCEPT: iptables -P FORWARD ACCEPT.
(3) Because of the rule in the PREROUTING chain of the NAT table, the packet can now be delivered to the web server.

(4) The web server sends back the answer. However, the source address of the web server is used in the answer, and this address is unknown on the Internet.
(5) Thus, a masquerading rule must be defined.

The following command defines the masquerading rule:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The masquerading rule makes sure that the source IP address is changed to the IP address of the NAT router, which allows nodes on the Internet to send the packet back to the appropriate destination.

In the NAT table, three different chains are available:

I. PREROUTING
II. POSTROUTING
III. OUTPUT
• In PREROUTING, packets are processed before the routing decision is made. This chain is typically used for incoming packets where the destination address has to be rewritten, which happens in DNAT.

• In SNAT and MASQUERADE, the source IP address must be rewritten, and that needs to be done after the routing process has been applied. Therefore, the SNAT and MASQUERADE rules are added to the POSTROUTING chain.

To enable any kind of Network Address Translation, the host must be configured for packet forwarding. By default, the Linux kernel doesn't allow packet forwarding. To make sure that your computer can do packet forwarding, check that the /etc/sysctl.conf file contains the following line:
net.ipv4.ip_forward = 1
Steps to configure NAT:

1. On the router machine, use iptables -F, iptables -P INPUT ACCEPT, iptables -P OUTPUT ACCEPT, and iptables -P FORWARD ACCEPT. Next, use service iptables save to save this configuration.
2. Repeat step 1 on the host computer, and use service httpd stop and then chkconfig httpd off to make sure the web server is stopped on the host computer.
3. On the host computer, enable routing by opening /etc/sysctl.conf with an editor. Make sure it includes the line net.ipv4.ip_forward = 1, and use sysctl -p to make the change effective.

4. On the host, use iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1.
5. On the host, use iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE to enable IP masquerading.
6. On another computer connected to the same network as your RHEL host, test that you can reach the HTTP port on the host.
After verifying that this works, restart both the host computer and the virtual machine to clear the NAT configuration.
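The DNAT plus MASQUERADE setup from the steps above, as an added example that is not part of the notes: a shell script that writes the nat-table rules in iptables-restore format (with a FORWARD chain that admits only the forwarded service and its replies, tighter than the ACCEPT policy used in step 1) and checks a sysctl.conf-style file for the net.ipv4.ip_forward = 1 line that forwarding depends on. The function names and the sample file are mine; the 10.0.0.10 web server is the notes' scenario.

```shell
#!/bin/sh
# Added example: nat-table rules for forwarding a public port to an internal
# server, plus a check of the ip_forward setting. Output is iptables-restore
# text; nothing is applied to the kernel. Assumption: eth0 is the public
# interface of the NAT router.

# gen_nat_rules PUB_IF PUB_PORT INT_IP INT_PORT
gen_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT before routing: rewrite the destination so the packet is routed to
# the internal server
-A PREROUTING -i $1 -p tcp --dport $2 -j DNAT --to-destination $3:$4
# MASQUERADE after routing: rewrite the source to the public interface's
# address so hosts on the Internet can answer
-A POSTROUTING -o $1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# only the forwarded service and its return traffic may cross the router
# (the destination was already rewritten by DNAT when FORWARD sees it)
-A FORWARD -i $1 -p tcp -d $3 --dport $4 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# ip_forward_enabled FILE
#   Returns 0 if FILE (sysctl.conf format) sets net.ipv4.ip_forward = 1.
#   Comments and whitespace are ignored and the last occurrence wins, which
#   is how sysctl -p itself applies the file.
ip_forward_enabled() {
    val=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" \
        | awk -F= '$1 == "net.ipv4.ip_forward" { v = $2 } END { print v }')
    [ "$val" = "1" ]
}

# sample_sysctl FILE  - writes a constructed sysctl.conf fragment for testing
sample_sysctl() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1   # enabled for NAT
EOF
}
```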

Q. What is SSL?

• For many services on servers, additional security is required. By applying this security, we can make sure that traffic to the server is encrypted and the identity of the server is guaranteed. To achieve this level of security, we can use SSL (Secure Sockets Layer).

• To work with SSL, we need a public key certificate.

• The certificate contains the public key of the server that users are going to use to encrypt the data and establish a secured connection (confidentiality), and it contains a "proof of identity" (authentication), which is normally provided by a CA.
• The role of the CA is to sign PKI certificates generated by servers. This is useful only if the client that receives the certificate knows the public key of the CA. If the client does not know the public key of the CA, an untrusted connection message is displayed to the client, and the application will probably close the connection.
• Hence, for common use on the Internet, make sure that the CA is known to everyone.
• For private internal use, an in-house CA can also be used.
• We need to pay money to the CA that is going to sign our certificates. If we don't want or don't need to do that, we can use a self-signed certificate.

Steps for using public/private keys to encrypt traffic that is sent to a server:

1. When the connection to the server is first initialized, the server sends its public key (PKI) certificate. This contains the public key of the server, and it is signed with the private key of the certificate authority (CA).
2. The client uses the public key of the CA to verify that the PKI certificate can be trusted.
3. Now that the connection is trusted, a symmetric session key is generated by the client and sent to the server. The data traffic is encrypted with this session key for performance reasons.
4. Because public/private key encryption is one-way encryption, only the server is capable of decrypting the traffic by using its private key.

Q. Write the steps for creating and managing a self-signed certificate.

• To create and manage certificates, you can use the openssl command-line utility.
• We need to store the certificates that we are going to create in the home directory of user root if we want them to be well protected; otherwise, we can put the certificates in the directory /etc/pki/tls, which exists for this purpose by default.
• Within this directory, you need four subdirectories to store the certificates: certs, newcerts, private, and crl. These subdirectories are already created on Red Hat Enterprise Linux.
o certs: This is the location used to store all signed PKI certificates. The directory can be open for public access because it contains only public keys and no private ones.
o newcerts: This is where we temporarily store all new certificates until they are signed. After we've signed them, we can remove them from this location.
o private: This directory is used to store private keys. We must make sure that this directory is well protected because the private keys that are stored here are the proof of identity for our server. If the private keys are compromised, anyone can pretend to be your server. To protect the private keys, make sure that the private directory has permission mode 700 and that user root is the owner of this directory.

o crl: A certificate revocation list (CRL) is a list of certificates that are invalid. If you need to revoke certificates, copy them to this directory.

Create your own Certificate Authority:

• Use the configuration file /etc/pki/openssl.cnf. This file contains default settings that are used to create new certificates, so these values do not have to be entered on the command line.
# openssl req -newkey rsa:1024 -x509 -days 3650
• The openssl command uses subcommands. req is the subcommand that is used to generate a certificate-signing request. With that request, a new RSA key of 1024 bits is created, the x509 certificate format is used, and the validity is 10 years.

• Another way of creating a self-signed certificate is by using the genkey command.

This command provides a text user interface that guides the user through the process of creating a certificate.
Steps:
1. Install the RPM packages that contain the genkey command:
# yum install -y crypto-utils mod_ssl

2. Execute the genkey command with the server name. This command automatically places the resulting PKI certificate and private key in the correct directories, which are /etc/pki/tls/private and /etc/pki/tls/certs.

# genkey --days 365 yourserver.example.com

3. Select the key size you want to use. The default key size is set to 1024. If you need a higher security level, you can select a bigger key size, but by doing that you will slow down your system.

4. Move the mouse and type some commands to help the system generate the random bits that are necessary to produce the key.

5. Once the key is generated, genkey asks whether you want to create a certificate signing request. For a self-signed certificate, click No.
• If you click Yes, then after creating the certificate signing request, send this request to the CA. Once you receive the signed certificate back, you can copy it to the /etc/pki/tls/certs directory and tell your application to use the signed certificate.

6. Set a passphrase for the private key. It is a good idea to protect your private keys with a passphrase, so select Yes and set a passphrase that is difficult to guess. The longer the passphrase, the harder it gets to guess its value after a private key has become compromised.

7. Now enter the appropriate information to identify your server.

After you enter the appropriate identification, the public and private keys are written to the appropriate directories and are ready for use.
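The openssl req step above, as an added example that is not from the notes: a script that creates the self-signed certificate non-interactively into the certs/ and private/ layout described earlier, applies the 700/600 permissions, and then checks that the private key belongs to the certificate and that the certificate is really self-signed (issuer equals subject). Assumptions: a base directory argument stands in for /etc/pki/tls, a 2048-bit key replaces the notes' rsa:1024, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the notes): self-signed certificate creation into
# the certs/ and private/ layout, plus the checks worth running before a
# service is pointed at the files. Assumptions: BASEDIR replaces
# /etc/pki/tls, and rsa:2048 replaces the notes' rsa:1024.

# make_self_signed BASEDIR CN DAYS
#   Writes BASEDIR/private/CN.key (dir 700, file 600) and BASEDIR/certs/CN.crt,
#   then prints the certificate path.
make_self_signed() {
    base="$1"; cn="$2"; days="$3"
    mkdir -p "$base/certs" "$base/private"
    chmod 700 "$base/private"
    # -x509 makes "openssl req" emit a self-signed certificate instead of a
    # CSR; -nodes leaves the key unencrypted so a daemon can start unattended
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/C=IN/O=Example Org/CN=$cn" \
        -keyout "$base/private/$cn.key" -out "$base/certs/$cn.crt" 2>/dev/null
    chmod 600 "$base/private/$cn.key"
    echo "$base/certs/$cn.crt"
}

# key_matches_cert KEYFILE CERTFILE
#   Returns 0 when the private key belongs to the certificate (same modulus);
#   a mismatch here is the usual cause of "key values mismatch" at startup.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_subject_cn CERTFILE  - prints the CN from the subject line
cert_subject_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_is_self_signed CERTFILE  - a self-signed certificate has issuer == subject
cert_is_self_signed() {
    s=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    i=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}
```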

Q. What is GNU Privacy Guard? Give the steps for creating and exchanging GPG keys.

• PKI certificates and SSL are primarily used with web servers; another way to protect files is by using GNU Privacy Guard (GPG).
• GPG is commonly used in email communication, and it is also used to encrypt and decrypt files so that they can be securely transported.

Some commands used to manage GPG keys:

• To see the keys that are currently available, use gpg --list-keys.

• If you want to check your private key, you can use gpg --list-secret-keys.
• To verify a person, check the fingerprint on their business card: use gpg --fingerprint and compare the result.
• While creating the key pair, a keyring is created. This keyring consists of two files that are written to the .gnupg directory in the home directory of the user.
• The public key is written to ~/.gnupg/pubring.gpg, and the private key is written to ~/.gnupg/secring.gpg.
• Make sure that the private key file is well secured because it contains your identity. Thus, if anyone steals this file, they can pretend to be you.

Creating and Exchanging GPG Keys:

Step 1: Create two users named linda and lisa, and give them the password.

# useradd -p password linda

# useradd -p password lisa

Step 2: Log in to the graphical interface as user linda, and create a GPG key pair. Accept all default values, and assign the password password12 to the private key. When the gen-key program tells you to generate entropy, use ls -R / a couple of times to get through the procedure faster.

gpg --gen-key

Step 3: Repeat step 2 for user lisa, and use the same parameters.

Step 4: As linda, export the public key (key transfer) to the /tmp directory.

gpg --export -a > /tmp/linda.key

Step 5: As lisa, import linda's key into lisa's keyring.

gpg --import < /tmp/linda.key

Step 6: As lisa, show that the key has been imported correctly.

gpg --list-keys
Q. How do you encrypt files with GPG?

• GPG is commonly used to encrypt files.

• The base command to do this is gpg -e yourfile.
• The gpg command will next ask for a user ID. This is the ID of the user to whom you want to send the encrypted file. This must be a user who is already in your GPG keyring. Enter the name of each user for whom you want to encrypt the file on a separate line. When you're done, just press Enter on an empty line.

Steps to encrypt a file with GPG:

Step 1: Open a shell, and become user linda.

# su - linda

Step 2: As linda, copy the file /etc/hosts to your home directory.

cp /etc/hosts ~

Step 3: List the keys currently imported in linda's environment, and note the exact name of the user lisa.

gpg --list-keys

Step 4: Encrypt the file hosts. When the user account is requested, enter the exact name of user lisa as you found it in the previous step of this exercise. Next, press Enter on an empty line to complete the encryption procedure.

gpg -e hosts

Step 5: Copy the gpg file to the /tmp directory where lisa can see and read it.

cp ~/hosts.gpg /tmp

Step 6: Use exit to log out as linda, and become user lisa.

exit

su - lisa

Step 7: As lisa, decrypt the hosts file.

gpg -d /tmp/hosts.gpg

Q. Why is it required to sign a GPG file or RPM? Which commands are used for signing?
• The purpose of signing is to provide proof that something has actually been transmitted by the intended sender.
• To sign data, the user's private key is used. The signing process adds a digital signature to a message or file. If the receiver of the message has the public key of the sender in their GPG keyring, this can automatically prove that the message actually comes from the intended sender.

• The procedure of signing is used in email communications and to sign RPM files.

• To sign a file, the basic command is gpg -s file.

• This command can also be combined with -e to encrypt the file; to encrypt and sign a file at the same time, use the command gpg -e -s file.

• If we've received a file that is signed with GPG, we can use gpg -d to open it.
If we have the public key of the sender on our system, the signature is verified automatically when the file is opened. If we don't have the public key, we cannot verify the signature of the file, but we are still able to open it.
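The key exchange, encryption and signing steps above (linda and lisa), as an added example that is not from the notes: the same round trip run non-interactively with one throwaway GNUPGHOME per user instead of system accounts, so that export, import, gpg -e -s and gpg -d, including the signature check on the receiving side, can be tried in a shell. Assumptions: GnuPG 2.1 or later (batch key generation, loopback pinentry), keys without a passphrase for the example only, and the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the notes): linda/lisa GPG round trip with
# throwaway keyrings. Assumes GnuPG >= 2.1; the keys are left unprotected
# so the functions run without prompts (never do this for real keys).

# gpg_user HOME_DIR ARGS...  - run gpg against one user's keyring, fully batch
gpg_user() {
    home="$1"; shift
    GNUPGHOME="$home" gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase '' "$@" 2>/dev/null
}

# make_key HOME_DIR "Name <mail>"  - create the user's key pair (gpg --gen-key
#   in the notes; --quick-gen-key is its non-interactive form)
make_key() {
    mkdir -p "$1" && chmod 700 "$1"
    gpg_user "$1" --quick-gen-key "$2" default default never
}

# exchange_key FROM_HOME TO_HOME NAME  - export FROM's public key in ASCII
#   armor (gpg --export -a) and import it into TO's keyring (gpg --import)
exchange_key() {
    gpg_user "$1" --armor --export "$3" > "$1/$3.key" &&
    gpg_user "$2" --import "$1/$3.key"
}

# encrypt_and_sign HOME_DIR SENDER RECIPIENT INFILE OUTFILE  (gpg -e -s)
#   --trust-model always: the imported key is taken as verified out of band
#   (fingerprint compared, as the notes describe), so no trust prompt
encrypt_and_sign() {
    gpg_user "$1" --trust-model always --local-user "$2" --recipient "$3" \
        --sign --encrypt --output "$5" "$4"
}

# decrypt_and_verify HOME_DIR INFILE OUTFILE  (gpg -d)
#   Succeeds only if the file decrypted AND carried a good signature from a
#   key in this keyring; the GOODSIG line comes from gpg's machine-readable
#   status output, which is the reliable way to check this in scripts.
decrypt_and_verify() {
    GNUPGHOME="$1" gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --status-fd 1 --output "$3" --decrypt "$2" 2>/dev/null \
        | grep -q '^\[GNUPG:\] GOODSIG '
}
```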

Q. What is NFS? Explain the advantages and disadvantages of NFS.

• Network File System (NFS) is the most common method for providing file sharing services on Linux networks.
• It is a distributed file system that enables local access to remote disks and file systems.
• NFS uses a standard client/server architecture.
• The server has physical disks with shared file systems and several daemons that make the shared file systems available on the network. This process is normally referred to as exporting a file system.
• NFS clients mount the exported file systems; these are called NFS mounts.

NFS advantages

1. Centralized administration, maintenance and control.

2. NFS saves disk space and prevents duplication of resources.
3. Just changing the exported file system to point at the upgraded or newly installed applications makes them available for users throughout a network.

4. Filtering NFSv4 in a firewall is much easier than in the past.

5. NFSv4 has better security options, including the option to use Kerberos.

6. NFSv4 offers the option to make a pseudo-root mount, which allows users to mount everything to which they have access by issuing one mount only.

NFS disadvantages

1. Performance
• As a distributed, network-based file system, NFS is sensitive to network congestion. Heavy network traffic slows down NFS performance. Similarly, heavy disk activity on the NFS server badly affects NFS's performance.

2. Single point of failure

• An exported file system also represents a single point of failure.
• If the disk or system exporting data becomes unavailable, no one can access that resource.

3. Security
• The NFS design assumes a trusted network.
• Data is sent over the network using RPC (remote procedure calls) in plain text.

Q. Explain the main configuration file of NFS.

The NFS server configuration file

• /etc/exports is the NFS server configuration file.

• Each line in /etc/exports has the following format:
dir host(options) [host(options)] ...

• The line consists of three parts:

o dir is a directory or file system to export
o host specifies one or more hosts permitted to mount dir
o options specifies one or more mount options

The export options determine the characteristics of the exported file system.

Option           Description
ro               Exports the file system read-only, disabling any operation that changes the file system
rw               Exports the file system read-write, permitting operations that change the file system
sync             Forces the server to perform a disk write before the request is considered complete
async            Allows the server to cache disk writes to improve performance
secure           Requires client requests to originate from a secure (privileged) port, that is, one numbered less than 1024
insecure         Permits client requests to originate from unprivileged ports (those numbered 1024 and higher)
root_squash      Maps all requests from a UID or GID of 0 to the UID or GID of the anonymous user (-2 in Red Hat Linux)
no_root_squash   Disables root_squash
all_squash       Maps all requests from all UIDs or GIDs to the UID or GID of the anonymous user
no_all_squash    Disables all_squash
anonuid=uid      Sets the UID of the anonymous account to uid; the default UID of the anonymous user is -2
anongid=gid      Sets the GID of the anonymous account to gid; the default GID of the anonymous user is -2

Examples:

1. /usr/local *.example.com(ro)
• This line permits all hosts with a name of the format somehost.example.com to mount /usr/local.

2. /home 192.168.0.0/255.255.255.0(rw)
• This line permits any host with an IP address in the range 192.168.0.0 to 192.168.0.255 to mount /home.

3. /var/tmp 192.168.0.1(rw)
• This line permits only the host whose IP address is 192.168.0.1 to mount /var/tmp.
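An added example (mine, not from the notes) that reads the dir host(options) format described above: export_options returns the option list a given host gets for a directory, and audit_exports flags the settings from the option table that weaken a share most (rw for every host, no_root_squash, insecure). Both work on any file path, so the constructed sample written by sample_exports can be checked without touching the real /etc/exports.

```shell
#!/bin/sh
# Added example (not from the notes): a small /etc/exports reader and
# auditor. Works on any file path; run it against a copy, never edit the
# live file from a script.

# export_options FILE DIR HOST  - prints the option list for that dir/host
#   (empty if the host is not listed for DIR)
export_options() {
    awk -v dir="$2" -v host="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }       # skip comments and blanks
        $1 != dir { next }
        {
            for (i = 2; i <= NF; i++) {
                h = $i; opts = ""
                if (match(h, /\(.*\)$/)) {        # split host(options)
                    opts = substr(h, RSTART + 1, RLENGTH - 2)
                    h = substr(h, 1, RSTART - 1)
                }
                if (h == host) { print opts; exit }
            }
        }' "$1"
}

# audit_exports FILE  - prints one "RISK dir host reason" line per finding
#   and returns 1 if anything was found, so it can gate a deployment script
audit_exports() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            for (i = 2; i <= NF; i++) {
                h = $i; opts = ""
                if (match(h, /\(.*\)$/)) {
                    opts = substr(h, RSTART + 1, RLENGTH - 2)
                    h = substr(h, 1, RSTART - 1)
                }
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "no_root_squash") {
                        print "RISK", $1, h, "remote root keeps uid 0"; found = 1
                    }
                    if (o[j] == "insecure") {
                        print "RISK", $1, h, "unprivileged source ports accepted"; found = 1
                    }
                    if (o[j] == "rw" && h == "*") {
                        print "RISK", $1, h, "writable by every host"; found = 1
                    }
                }
            }
        }
        END { if (found) exit 1; exit 0 }' "$1"
}

# sample_exports FILE  - constructed /etc/exports for testing (the notes'
#   three example lines plus the /data share from the NFS exercise)
sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample, not the real /etc/exports
/usr/local *.example.com(ro)
/home 192.168.0.0/255.255.255.0(rw)
/var/tmp 192.168.0.1(rw)
/data *(rw,no_root_squash)
EOF
}
```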

Q . Give steps to Setup or configure NFSv4 Server and Client

Steps to Create NFS Shares


Step 1: create a directory with the name /data.

# mkdir /data

Step 2: Make sure incoming users have permissions on the shared directory.
Page 15 of 22
YouTube - Abhay More | Telegram - abhay_more
607A, 6th floor, Ecstasy business park, city of joy, JSD road, mulund (W) | 8591065589/022-25600622
TRAINING -> CERTIFICATION -> PLACEMENT BSC IT : SEM - V : LINUX – U3

# chmod 777 /data

This opens the directory to anyone. That is acceptable for a lab; on a production server give the directory to a group and use mode 2770 (or an ACL) instead.

Step 3: Use the vi editor to open /etc/exports, and insert the following line to share the /data directory with every host:

# vi /etc/exports

/data *(rw,no_root_squash)

The * means that any host may mount the share, and no_root_squash lets a client's root user act as root on the export. On a real server restrict the host field to a subnet or host list (for example 192.168.0.0/24) and leave root_squash, the default, in place.

Step 4: Start or restart the NFS server.

# service nfs restart

Step 5: Make sure the NFS server starts at every reboot.

# chkconfig nfs on

Step 6: Verify that the share is available.

# showmount -e localhost

This command shows all exported shares on the local computer. (If you change /etc/exports later, # exportfs -r re-reads it without restarting the service.)

Step 7: After creating the NFS share, make sure it is reachable through the firewall. Allow NFS access by opening port 2049 (TCP) in the firewall. That is enough for NFSv4 clients; NFSv3 clients also need rpcbind (port 111) and the mountd and lockd ports.
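The options table and the export line from Step 3 come together in a small audit script. It is an added example for these notes, not part of the original material or of nfs-utils: it parses the /etc/exports syntax used above, fills in the exportfs defaults for options that are not written, and reports the combinations a security review would question (any-host exports, rw to any host, no_root_squash, insecure, async). The sample file is constructed from the example lines in the notes plus one hardened export.

```python
"""Audit /etc/exports lines for risky option combinations.

Added example for these notes, not part of the original material.
It parses the /etc/exports syntax shown above (a path followed by one
or more host(option,...) entries), fills in exportfs defaults for
options that are not given, and reports the combinations a security
review would question. The sample file below is constructed.
"""
import re

# Constructed sample: the three example lines from the notes, the
# /data export from the server setup steps, and one hardened export.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/usr/local *.example.com(ro)
/home 192.168.0.0/255.255.255.0(rw)
/var/tmp 192.168.0.1(rw)
/data *(rw,no_root_squash)
/srv/pub *(ro,all_squash,anonuid=65534,anongid=65534)
"""

# What exportfs assumes when an option is not written explicitly.
DEFAULTS = {"rw": False, "root_squash": True, "secure": True,
            "sync": True, "all_squash": False}

# host part, then an optional parenthesised option list
CLIENT_RE = re.compile(r"^([^(\s]+)(?:\((.*?)\))?$")

def parse_options(optstr):
    """Turn 'rw,no_root_squash,anonuid=65534' into a normalised dict."""
    opts = dict(DEFAULTS)
    for opt in filter(None, optstr.split(",")):
        key, _, val = opt.partition("=")
        if key in ("rw", "ro"):
            opts["rw"] = key == "rw"
        elif key in ("root_squash", "no_root_squash"):
            opts["root_squash"] = key == "root_squash"
        elif key in ("secure", "insecure"):
            opts["secure"] = key == "secure"
        elif key in ("sync", "async"):
            opts["sync"] = key == "sync"
        elif key in ("all_squash", "no_all_squash"):
            opts["all_squash"] = key == "all_squash"
        elif key in ("anonuid", "anongid"):
            opts[key] = int(val)
        else:                      # any other option is kept verbatim
            opts[key] = val if val else True
    return opts

def parse_exports(text):
    """Return a list of (path, [(host, options_dict), ...]) tuples."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], []
        for entry in fields[1:]:
            m = CLIENT_RE.match(entry)
            if not m:
                raise ValueError("bad client entry: %r" % entry)
            clients.append((m.group(1), parse_options(m.group(2) or "")))
        exports.append((path, clients))
    return exports

def audit_exports(text):
    """Return (path, host, message) findings for each risky export."""
    findings = []
    for path, clients in parse_exports(text):
        for host, o in clients:
            everyone = host == "*"
            if not o["root_squash"]:
                findings.append((path, host, "no_root_squash: a client's root "
                    "user is root on the export" +
                    (" and every host may mount it" if everyone else "")))
            if everyone and o["rw"]:
                findings.append((path, host, "writable by any host; restrict "
                    "the host field to a subnet or host list"))
            if not o["secure"]:
                findings.append((path, host, "insecure: requests accepted from "
                    "unprivileged ports, so any process on the client can send them"))
            if not o["sync"]:
                findings.append((path, host, "async: acknowledged writes are "
                    "lost if the server crashes"))
    return findings

if __name__ == "__main__":
    for path, host, msg in audit_exports(SAMPLE_EXPORTS):
        print("%-10s %-8s %s" % (path, host, msg))
```

Run against the sample, only the /data line from Step 3 is reported (twice: no_root_squash, and rw to every host); the /srv/pub line shows the shape of a safer anonymous export, read-only with all_squash. A hardened version of the Step 3 line would be /data 192.168.0.0/24(rw,sync,root_squash).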

Mounting an NFS Share on the client machine:

Step 1: Display the directories that are shared by the NFS server.

# showmount -e nfsServer

Step 2: Mount the share on the local /mnt directory (temporary mount).

# mount nfsServer:/data /mnt

Or

Step 2: Mount the NFS share via /etc/fstab (permanent/persistent mount). First create the mount point:

# mkdir /data


# vi /etc/fstab

nfsServer:/data /data nfs _netdev 0 0

• Where,
_netdev = this option makes the system wait until the network is up before attempting this mount.

Step 3: Verify that the NFS share is mounted.

# mount

Q . Give steps for Configuring Automount for NFS shares.

OR

How will you create an Automount Indirect Map?

• automount is a service that mounts NFS shares automatically on first access, and unmounts them again after a period of inactivity.

• The central configuration file of automount is /etc/auto.master.

Steps to configure an Automount Indirect Map:

Step 1: Define a directory that should be monitored by automount.

# mkdir /data

Step 2: Open /etc/auto.master with the vi editor, and include the following line:

# vi /etc/auto.master

/data /etc/auto.data

• This line defines the indirect map.

• It tells automount that it can find the configuration for the /data directory in the /etc/auto.data file.

Step 3: Open /etc/auto.data, and give it the following contents:

# vi /etc/auto.data

files -rw nfsserver:/data

• The format is key, mount options, location: the key files becomes the subdirectory /data/files, -rw is passed to mount, and nfsserver:/data is the NFS export.

Step 4: Start or restart autofs.

# service autofs restart

Step 5: Next use # cd /data and enter the # ls command. You will see no subdirectories.


Now use # cd files to activate the /data/files subdirectory. You are in the /data/files directory now, and you will see the contents of the /data share on the NFS server.

Q. Distinguish between NFS and Samba.

1. Protocol: NFS uses its own protocol, "NFS", which is native to Linux and UNIX and not commonly available on PCs. Samba adds the SMB/CIFS (Server Message Block / Common Internet File System) file-sharing protocol, which is native to Windows and considered the "standard" for PCs, to Linux and UNIX.

2. Authentication: NFS (with the default sec=sys) trusts the client machine completely: once the server is configured to accept connections from a client, the client needs no further server-side authentication. Samba's SMB protocol lets the server handle authentication: the client must provide a username and password to connect to the Samba server.

3. Clients: NFS shares file systems between Linux machines. Samba shares file systems between Linux and Windows (or other Linux) machines.

4. Versions: NFS has four versions; the newest, NFSv4, is a stateful protocol. Samba has multiple versions, the latest of which allows file and print sharing between multiple computers.

5. Speed: NFS is generally faster than Samba.

6. Configuration file: /etc/exports for NFS, /etc/samba/smb.conf for Samba.

Q . Give Steps to Configure Samba Server.

• NFS is fast and convenient, but it has a major disadvantage: in practice it works only between Linux and UNIX machines.
• To give other types of clients access, you need a file-sharing protocol that is available on those clients as well.
• The Common Internet File System (CIFS) is a protocol available on all Windows machines, and it is offered by the Linux Samba server.
• The Samba service can be used for file sharing, printer sharing and Windows domain services.


Setting Up a Samba Server:

Step 1: Create a directory on the Linux file system and grant the appropriate permissions to this directory.

# mkdir /sambafiles

# chmod 777 /sambafiles

(777 is fine for a lab; on a production server prefer a dedicated group with mode 2770.)

Step 2: Install the Samba packages.

# yum -y install samba*

Step 3: Create the share in Samba.

• Open the file /etc/samba/smb.conf with an editor.

# vi /etc/samba/smb.conf

• Locate the workgroup parameter, and change it to workgroup = MYSAMBA.

• Go to the bottom of the configuration file, and add the following share configuration:

[sambafiles]
comment = samba files
path = /sambafiles
writable = yes
valid users = lucky

• The parameter is valid users (plural). A misspelled parameter is reported by testparm and otherwise ignored, which would leave the share open to every Samba user.

Step 4: Check the syntax of the Samba configuration file.

# testparm

Step 5: Create a Samba account, which makes the Samba server accessible for the Samba user.

# useradd lucky

• Don't set a Linux password, because Samba users don't need to log in to the Linux system.

# smbpasswd -a lucky

• This command creates the Samba user lucky and prompts for the Samba password, which is kept in Samba's own password database, separate from /etc/shadow.

Step 6: (Re)start the Samba service and make sure that it starts on every server boot.

# service smb restart


# chkconfig smb on

Also open the SMB ports (TCP 445 and 139) in the firewall so that clients can reach the server.

Q . Explain Samba Advanced Authentication Options. Explain Samba Security Options.

• When working with Samba, you can use different security options.
• This option is set in the [global] section of the /etc/samba/smb.conf file.
• The following authentication options are available:

1. security = share

• Using share makes it easier to create anonymous shares that do not require authentication.
• When using this option, use the guest only parameter in the share.
• Never use it for shares that contain valuable data. (This mode was removed in Samba 4; for anonymous shares use security = user together with map to guest = Bad User and guest ok = yes on the share instead.)

2. security = user

• This is the default security option, where a user must log in with a Samba account before getting access to the share.

3. security = domain

• This option works if your Samba server has been added to a Windows domain; authentication requests are passed to the domain controller.

4. security = server

• This option uses an external server (such as another Samba server) to handle Samba authentication requests. It is best to avoid using this, because it isn't very secure. (It was also removed in Samba 4.)

5. security = ads

• This option makes Samba a member of a Windows Active Directory domain. It makes it easier to access resources in the AD domain or to set up access for AD users to resources in Samba.
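The share stanza from the server setup steps and the security modes above can be checked mechanically. The script below is an added example for these notes, not part of the original material or of Samba: smb.conf is INI-style, so Python's configparser can read it, and the audit looks at the [global] security mode and then at each share's guest, write and valid users settings. The configuration it reads is constructed: the MYSAMBA share from the setup steps, plus two shares that contain the mistakes the audit is meant to catch (a guest-writable share and the valid user misspelling).

```python
"""Audit an smb.conf for the security settings described above.

Added example for these notes, not part of the original material or
of Samba itself. smb.conf is INI-style, so configparser can read it;
the audit checks the [global] 'security' mode, then each share's
guest, write and 'valid users' settings, and returns findings. The
configuration below is constructed for the example.
"""
import configparser
import io

SAMPLE_SMB_CONF = """\
[global]
workgroup = MYSAMBA
security = share

[sambafiles]
comment = samba files
path = /sambafiles
writable = yes
valid users = lucky

[public]
path = /srv/public
guest ok = yes
writable = yes

[reports]
path = /srv/reports
writable = yes
valid user = lucky
"""

TRUE_WORDS = {"yes", "true", "1"}
SPECIAL_SECTIONS = {"global", "homes", "printers"}

def load_smb_conf(text):
    """Parse smb.conf text; strict=False tolerates repeated keys."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_file(io.StringIO(text))
    return cp

def flag(cp, section, key, default="no"):
    """Boolean parameter lookup with Samba's yes/true/1 spellings."""
    return cp.get(section, key, fallback=default).strip().lower() in TRUE_WORDS

def share_is_writable(cp, share):
    """'read only' (default yes) and 'writable'/'writeable' are synonyms."""
    if cp.has_option(share, "read only"):
        return not flag(cp, share, "read only", "yes")
    return flag(cp, share, "writable") or flag(cp, share, "writeable")

def audit_smb_conf(text):
    """Return a list of (section, message) findings."""
    cp = load_smb_conf(text)
    findings = []
    mode = cp.get("global", "security", fallback="user").strip().lower()
    if mode in ("share", "server"):
        findings.append(("global", "security = %s is insecure and was removed "
                         "in Samba 4; use security = user" % mode))
    for share in cp.sections():
        if share in SPECIAL_SECTIONS:
            continue
        guest = flag(cp, share, "guest ok") or flag(cp, share, "public")
        if cp.has_option(share, "valid user"):
            findings.append((share, "'valid user' is not a Samba parameter "
                             "(expected 'valid users'); testparm warns and the "
                             "restriction is ignored"))
        elif guest and share_is_writable(cp, share):
            findings.append((share, "guest ok with write access: anyone can "
                             "write without a password"))
        elif guest:
            findings.append((share, "guest ok = yes: readable without a password"))
        elif not cp.has_option(share, "valid users"):
            findings.append((share, "no 'valid users' list: every Samba "
                             "account can reach this share"))
    return findings

if __name__ == "__main__":
    for section, msg in audit_smb_conf(SAMPLE_SMB_CONF):
        print("[%s] %s" % (section, msg))
```

On the sample the [sambafiles] share from the setup steps passes; the findings are the security = share mode in [global], the guest-writable [public] share, and the misspelled valid user in [reports]. testparm is still the authoritative check, since it uses Samba's own parameter table; this script only adds the policy judgement on top.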

Q. How to Access Samba Shares from client machines.

Connecting from a Windows PC to the Samba Server

• On the Windows computer, double-click the My Network Places icon on the desktop. In the Network Places window you should see the listing for the Red Hat computer. Double-click the icon and you see the share that was made available.
• You are prompted for a username and password. Once provided, you can share files between the Linux and Windows computers.

Connecting from a Linux PC to the Samba Server

• There are various ways to mount a Samba share on a Linux machine:


1. Graphical tools such as Nautilus can browse and connect to Samba shares.

2. To list the Samba shares that are offered by a specific server, use # smbclient -L //yoursambaserver
• This shows the names of all shares that are offered, and it also provides an option to log in to the Samba server.

3. You can mount a Samba share into the local file system with the mount command (file system type cifs).

4. Mounting a Samba Share Using /etc/fstab
• When putting a Samba share in /etc/fstab, you also need to supply the username and password required to gain access to the share.
• Do not put them in /etc/fstab itself, which is world-readable; put them in a credentials file instead, one username/password pair per file, and keep that file readable by root only.

Step 1: On the client computer, use # smbclient -L //yoursambaserver to list the Samba shares on your Samba server.

Step 2: Create the credentials file /root/credentials with the following contents, and protect it with # chmod 600 /root/credentials:

username=lucky
password=secret

Step 3: Create the mount point (# mkdir -p /data/samba) and enter a line in /etc/fstab to mount the Samba share.

//mysambaserver/share /data/samba cifs credentials=/root/credentials 0 0

Step 4: Mount the newly created share from /etc/fstab.

# mount -a

Q. What is FTP? How to enable Anonymous FTP Server.

• Samba and NFS are used in local network environments. FTP is a good solution for offering file access over the Internet.
• On Red Hat Enterprise Linux, vsftpd is the preferred FTP server.
• Deploying vsftpd to offer access to shared files is easy.
• The configuration file /etc/vsftpd/vsftpd.conf contains many settings.
• Note that plain FTP sends usernames, passwords and data unencrypted, which is why it is mostly used for anonymous, read-only downloads.

