Before go to this post you need to view How to configure
LDAP server and client configuration click here
Showing posts with label Redhat. Show all posts
Showing posts with label Redhat. Show all posts
Wednesday, March 13, 2013
Thursday, October 18, 2012
Linux Hotplug a CPU
How do
I hotplug a CPU on a running Linux system? I would like to dynamically enable
or disable a CPU on a running system?
Linux kernel does supports cpu-hotplug mechanism. You can enable or disable CPU without a system reboot.
Linux kernel does supports cpu-hotplug mechanism. You can enable or disable CPU without a system reboot.
Content Filter by Using Squid, Squid guard / Dansguardian at Free-of-Cost
INTRODUCTION
The post fully
deals with several parts of internet based utilities and restrictions that are
mainly used in IT industry like to limit the web access for some users to a list
of accepted/well known web servers and/or URLs only, Block access to some
listed or blacklisted web servers and/or URLs for some users, Redirect blocked
URLs to an "intelligent" CGI based info page, Etc., These all are
implemented by
Wednesday, October 3, 2012
Controlling Web Access With SQUID
This summary is not available. Please
click here to view the post.
The Linux Boot Process in Detail
1.
When a PC is booted it starts running a BIOS program which is a memory resident
program on an EEPROM integrated circuit.
BIOS –
Basic Input Output
of the System
EEPROM -
Electrically
Erasable Programmable Read-Only
Memory
Thursday, September 27, 2012
Sudo Full Practical Session
Introduction
Before we proceed, it would be best
to cover some basic user administration topics that will be very useful in
later chapters. Adding Users
One of the most important
activities in administering a Linux box is the addition of users. Here you'll
find some simple examples to provide a foundation for future chapters. It is
not intended to be comprehensive, but is a good memory refresher. You can use
the command man useradd to get the help pages on adding users with the useradd
command or the man usermod to become more familiar with modifying users with
the usermod command.
Wednesday, September 26, 2012
Using chkconfig to Start Daemons at Each runlevel
As stated earlier, the chkconfig command can be used to adjust which applications start at each runlevel. You can use this command with the --list switch to get a full listing of packages listed in /etc/init.d and the runlevels at which they will be on or off:
Friday, September 21, 2012
Linux / Unix Commands For Connecting To The Serial Console
Most embedded Linux /
BSD systems such as routers, servers and nas devices comes with console
interface (serial port with RS-232). BIOS can use this, and after boot BIOS
screen I/O is redirected so that you can use the device. RS-232 is also used
for communicating to headless server, where no monitor or keyboard is
installed, during boot when operating system is not running yet and therefore
no network connection is possible. You need to use a serial cable between your
computer and embedded system or server. In this post I will cover five common
utilities used for serial communication under Linux / Unix / *BSD and Mac OS X.
How To Check and Use Serial Ports Under Linux
How do I check and configure serial ports under
Linux for various purposes such as modem, connecting null modems or connect a
dumb terminal?
Linux offers various tools. Linux uses ttySx for a serial port device name. For example, COM1 (DOS/Windows name) is ttyS0, COM2 is ttyS1 and so on.
Linux offers various tools. Linux uses ttySx for a serial port device name. For example, COM1 (DOS/Windows name) is ttyS0, COM2 is ttyS1 and so on.
Task:
Display Detected System's Serial Support
Simple
run dmesg command
Wednesday, September 12, 2012
Allow A Normal User To Run Commands As root Under Linux / UNIX Operating Systems
From my mail bag:
I would like to run
few commands such as stop or start web server as a root user. How do I allow a
normal user to run these commands as root?
You need to use the sudo command which is use to execute a command as another
user. It allows a permitted user to execute a command as the superuser or
another user, as specified in the /etc/sudoers (config file that defines or
list of who can run what) file. The sudo command allows users to do tasks on a
Linux system as another user.
Wednesday, September 5, 2012
Linux log files location and how do I view logs files?
Q. I am new to Linux and I would like to know
where are the log files located under Debian or Cento OS Linux server? How do I
open or view log files?
Ans. Almost all logfiles are located under /var/log directory (and subdirectory). You can change to this directory using cd command but you need to be the root user. You can use less, more, cat or tail command to see the logs.
Ans. Almost all logfiles are located under /var/log directory (and subdirectory). You can change to this directory using cd command but you need to be the root user. You can use less, more, cat or tail command to see the logs.
Go to /var/logs
directory:
How do I rotate log files?
Q. How do I rotate log files under Linux operating system?
A. You need use tool called logrotate, which is
designed to ease administration of systems that generate large numbers of log
files. It allows automatic rotation, compression, removal, and mailing of log
files.
Each
log file may be handled daily, weekly, monthly, or when it grows too large.
With this tool you keep logs longer with less disk space.
Default configuration file
The default configuration file is
/etc/logrotate.conf:
Redhat Enterprise Linux 5 / CentOS 5 monitor and track TCP connections on the network
Q. How do I track and monitor connection for eth1 public
network interface under Redhat Enterprise Linux (RHEL) 5 server?
Ans.You can use netstat
command or tcptrack command. Both command can show established TCP connection
and provides the ability to monitor the same.
BASIC LDAP CONFIGURATION For RHEL / Centos / Fedora
INTRO: LDAP stands for Lightweight Directory Access Protocol. It is used as
centralized data (or
Directory)
server (not database server)
for various purposes.
There
is a difference between Directory server
and a Database server.
In
Directory server
the data is read more frequently than it is
written.
In
Database server
the data is written more frequently than it is
read.
Here
we shall see how LDAP is
used for creating centralized users (Network
users).
The
Network Users can also be configured using NIS
SUPPORTIVE SERVICES:
Configuration
of NFS is
required at server and
client end.
NFS plays
the backbone for LDAP as it provides the Directory
throughout the network.
Without
NFS configuration
of LDAP does
not work.
Monday, September 3, 2012
Linux: Iptables Examples For New SysAdmins Part -->3
Before see this post please read my
previous post (Linux: Iptables Examples For New SysAdmins Part -->2)
#12: Log and Drop
Packets
Type the following to
log and block IP spoofing on public interface called eth1
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
Linux: Iptables Examples For New SysAdmins Part -->2
Before see this post please read my previous post (Linux: Iptables Examples For New SysAdmins Part -->1)
#3: Delete Firewall Rules
To display line number
along with other information for existing rules, enter:
# iptables -L INPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers | less
# iptables -L OUTPUT -n --line-numbers | grep 192.0.43.10
Linux: Iptables Examples For New SysAdmins Part -->1
Linux comes with a host based firewall called
Netfilter. According to the official project site:
netfilter is a set of hooks inside the Linux
kernel that allows kernel modules to register callback functions with the
network stack. A registered callback function is then called back for every
packet that traverses the respective hook within the network stack.
This
Linux based firewall is controlled by the program called iptables to handles
filtering for IPv4, and ip6tables handles filtering for IPv6. I strongly
recommend that you first read our quick tutorial thatexplains how to configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora /
Redhat Enterprise Linux. This post list most common iptables solutions required
by a new Linux user to secure his or her Linux operating system from intruders.
Redhat / CentOS Iptables Firewall Configuration
H
|
ow do I configure a
host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora /
Redhat Enterprise Linux?
Netfilter is a host-based firewall for Linux
operating systems. It is included as part of the Linux distribution and it is
activated by default. This firewall is controlled by the program called
iptables. Netfilter filtering take place at the kernel level, before a program
can even process the data from the network packet.
|
| Icon reference for Firewall |
What is sysctl.conf in Linux
sysctl is an interface that allows you to make
changes to a running Linux kernel. With /etc/sysctl.conf you can configure
various Linux networking and system settings such as:
1.
Limit network-transmitted configuration for IPv4
2.
Limit network-transmitted configuration for IPv6
3.
Turn on execshield protection
4.
Prevent against the common 'syn flood attack'
5.
Turn on source IP address verification
6.
Prevents a cracker from using a spoofing attack against the IP
address of the server.
7.
Logs several types of suspicious packets, such as spoofed
packets, source-routed packets, and redirects.
sysctl
command
The sysctl command is used to modify kernel
parameters at runtime. /etc/sysctl.conf is a text file containing sysctl values
to be read in and set by sysct at boot time. To view current values, enter:
# sysctl -a
# sysctl -A
# sysctl mib
# sysctl net.ipv4.conf.all.rp_filter
To load settings, enter:
# sysctl -p
Sample
/etc/sysctl.conf
Edit
/etc/sysctl.conf and update it as follows. The file is documented with
comments. However, I recommend reading the official Linux kernel sysctl tuning
help file (see below):
# The following is suitable for dedicated web server, mail, ftp server etc.
# ---------------------------------------
# BOOLEAN Values:
# a) 0 (zero) - disabled / no / false
# b) Non zero - enabled / yes / true
# --------------------------------------
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
#net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
########## IPv4 networking start ##############
# Send redirects, if router, but this is just server
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Accept packets with SRR option? No
net.ipv4.conf.all.accept_source_route = 0
# Accept Redirects? No, this is not router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Prevent against the common 'syn flood attack'
net.ipv4.tcp_syncookies = 1
# Enable source validation by reversed path, as specified in RFC1812
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
########## IPv6 networking start ##############
# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
net.ipv6.conf.default.router_solicitations = 0
# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0
# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0
# Setting controls whether the system will accept Hop Limit settings from a router advertisement
net.ipv6.conf.default.accept_ra_defrtr = 0
#router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0
#how many neighbor solicitations to send out per address?
net.ipv6.conf.default.dad_transmits = 0
# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1
########## IPv6 networking ends ##############
#Enable ExecShield protection
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# TCP and memory optimization
# increase TCP max buffer size setable using setsockopt()
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608
# increase Linux auto tuning TCP buffer limits
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1
# increase system file descriptor limit
fs.file-max = 65535
#Allow for more PIDs
kernel.pid_max = 65536
#Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
Friday, August 31, 2012
Red Hat / CentOS VSFTPD FTP Server Configuration
Vsftpd (Very Secure FTP Daemon) is an FTP
server for UNIX-like systems, including CentOS / RHEL / Fedora and other Linux
distributions. It supports IPv6, SSL, locking users to their home directories
and many other advanced features.
In this
guide you will learn:
1.
Setup vsftpd to Provide FTP Service.
2.
Configure vsftpd.
3.
Configure Firewalls to Protect the FTP Server.
4.
Configure vsftpd with SSL/TLS.
5.
Setup vsftpd as Download Only Anonymous Internet Server.
6.
Setup vsftpd With Virtual Users and Much More.
VSFTPD offer security, performance and stability over other servers. A quick list of vsftpd features:
1.
Virtual IP configurations
2.
Virtual users
3.
Run as standalone or inetd / xinetd operation
4.
Per-user configuration
5.
Bandwidth throttling
6.
Per-source-IP configurability
7.
Per-source-IP limits
8.
IPv6 ready
9.
Encryption support through SSL integration
10.
And much more.
Install
Vsftpd FTP Server
Install the vsftpd package via yum command:
# yum install vsftpd
Vsftpd Defaults
1.
Default port: TCP / UDP - 21 and 20
2.
The main configuration file: /etc/vsftpd/vsftpd.conf
3.
Users that are not allowed to login via ftp: /etc/vsftpd/ftpusers
Configure Vsftpd Server
Open the configuration file, type:
# vim /etc/vsftpd/vsftpd.conf
Turn off standard ftpd
xferlog log format:
xferlog_std_format=NO
Turn on verbose vsftpd
log format. The default vsftpd log file is /var/log/vsftpd.log:
log_ftp_protocol=YES
Above to directive es
will enable logging of all FTP transactions. Lock down users to their home
directories:
chroot_local_user=YES
Create warning banners
for all FTP users:
banner_file=/etc/vsftpd/issue
Create
/etc/vsftpd/issue file with a message compliant with the local site policy or a
legal disclaimer:
NOTICE TO USERS
Use of this system constitutes consent to security monitoring and testing.
All activity is logged with your host name and IP address.
Turn On Vsftpd Service
Turn
on vsftpd on boot:
# chkconfig vsftpd on
Start the service:
# service vsftpd start
# netstat -tulpn | grep :21
Configure Iptables To Protect The FTP Server
Open file /etc/sysconfig/iptables, enter:
# vim /etc/sysconfig/iptables
Add the following
lines, ensuring that they appear before the final LOG and DROP lines for the
RH-Firewall-1-INPUT:
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
Open file
/etc/sysconfig/iptables-config, enter:
# vim /etc/sysconfig/iptables-config
Ensure that the
space-separated list of modules contains the FTP connection tracking module:
IPTABLES_MODULES="ip_conntrack_ftp"
Save and close the
file. Restart firewall:
# service iptables restart
Tip: View FTP Log File
Type the following
command:
# tail -f /var/log/vsftpd.log
Sample output:
Thu May 21 11:40:31 2009 [pid 42298] FTP response: Client "10.1.3.108", "530
Please login with USER and PASS."
Thu May 21 11:40:36 2009 [pid 42298] FTP command: Client "10.1.3.108", "USER
vivekda"
Thu May 21 11:40:36 2009 [pid 42298] [vivek] FTP response: Client "10.1.3.108
", "331 Please specify the password."
Thu May 21 11:40:38 2009 [pid 42298] [vivek] FTP command: Client "10.1.3.108"
, "PASS "
Thu May 21 11:40:38 2009 [pid 42297] [vivek] OK LOGIN: Client "10.1.3.108"
Thu May 21 11:40:38 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108
", "230 Login successful."
Tip: Restrict Access to Anonymous User Only
Edit the
vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:
local_enable=NO
Tip:
Disable FTP Uploads
Edit the
vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:
write_enable=NO
Security
Tip: Place the FTP Directory on its Own Partition
Separation of the operating system files from FTP users
files may result into a better and secure system. Restrict the growth of
certain file systems is possible using various techniques. For e.g., use /ftp
partition to store all ftp home directories and mount ftp with nosuid, nodev
and noexec options. A sample /etc/fstab enter:
/dev/sda5 /ftp ext3 defaults,nosuid,nodev,noexec,usrquota 1 2
Disk quota must be enabled to prevent users
from filling a disk used by FTP upload services. Edit the vsftpd configuration
file. Add or correct the following configuration options to represents a
directory which vsftpd will try to change into after an anonymous login:
anon_root=/ftp/ftp/pub
Create An FTP User
Account
Now your FTP server is up and running. It is time to add
additional users to FTP server so that they can login into account to upload /
download files. To add a user called tom and set the password, enter:
# adduser -c 'FTP USER mike' -m mike
# passwd mike
Now tom can login using our ftp server. Make sure the following is set in vsftpd.conf
local_enable=YES
Restart the vftpd:
# service vsftpd restart
Allow anonymous
access ftp access
Edit the vsftpd
configuration file, enter:
# vi /etc/vsftpd/vsftpd.conf
Add or correct the
following configuration option:
Only allow anonymous access ftp access:
Only allow anonymous access ftp access:
anonymous_enable=YES
Disable local users
login to ftp server:
local_enable=NO
Disable upload files
and writing permission on the FTP server:
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
Only allow file
reading permission to the rest of the world:
anon_world_readable_only=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=40000
pasv_max_port=60000
Turn on log features
xferlog_enable=YES
# Do not allow the use of "ls -R" to avoid consume a lot of resources
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
Set performance
option:
# Uses one process per connection to gain performance.
# This is used to supports huge numbers of simultaneously connected users.
one_process_model=YES
# The timeout, in seconds, which is the maximum time a remote client may spend
# between FTP commands. If the timeout triggers, the remote client is kicked off.
idle_session_timeout=120
# The timeout, in seconds, which is roughly the maximum time we permit data
# transfers to stall for with no progress. If the timeout triggers,the remote client
# is kicked off.
data_connection_timeout=300
# The timeout, in seconds, for a remote client to establish connection with
# a PASV style data connection.
accept_timeout=60
# The timeout, in seconds, for a remote client to respond to our PORT
# style data connection.
connect_timeout=60
# The maximum data transfer rate permitted, in bytes per second,
# for anonymous clients.
anon_max_rate=50000
Restart the ftp
server:
# service vsftpd restart
Pluggable Authetication Module
# vim /etc/pam.d/vsftpd
sense = allow or deny (default in deny state)
If its in deny then users in vim /etc/vsftpd/ftpusers are unable to access
If its in allow the users in vim /etc/vsftpd/ftpusers are able to access
Subscribe to:
Posts (Atom)
