20421470 linux server installation configuration manual
TRANSCRIPT
8/8/2019 20421470 Linux Server Installation Configuration Manual
Red Hat 9 SERVER INSTALLATION
Partition:
/boot      100 MB
/          10 GB
/home      10 GB
/var       10 GB
swap       double the RAM
/Profiles  30 GB
Packages:
Select all server packages.
Select all development packages.
Kernel source.
Do not select the samba and samba-swat packages (they are installed separately below, from the Enterprise CDs).
DNS Configuration:
Check that the BIND rpm is installed:
# rpm -qa | grep bind
Now open /etc/named.conf and copy the 5-line localhost zone block to the end of the file as the template for the two new zones:
# vi /etc/named.conf
This is the forward lookup zone entry:
zone "hitech.com" IN {
        type master;
        file "hitech.com.zone";
        allow-update { none; };
};
This is the reverse lookup zone entry:
zone "100.168.192.in-addr.arpa" IN {
        type master;
        file "named.local.hitech";
        allow-update { none; };
};
Copy 2 files in the directory /var/named to use as templates:
(1) hitech.com.zone  (2) named.local.hitech
# cp /var/named/localhost.zone /var/named/hitech.com.zone
# cp /var/named/named.local /var/named/named.local.hitech
4. vi /var/named/hitech.com.zone
Keep the $TTL and SOA lines copied from localhost.zone and replace the rest with:
$ORIGIN hitech.com.
@            1D  IN  NS    hitech.com.
hitech.com.  1D  IN  A     192.168.100.1
mail             IN  A     192.168.100.1
hitech.com.      IN  MX 5  mail.hitech.com.
(Names that are not relative to $ORIGIN must end in a dot; "NS hitech.com" without the dot would expand to hitech.com.hitech.com.)
5. vi /var/named/named.local.hitech
Replace all localhost words with hitech.com.
Contents of named.local.hitech:
$TTL 86400
@   IN  SOA hitech.com. root.hitech.com. (
            1997022700  ; Serial
            28800       ; Refresh
            14400       ; Retry
            3600000     ; Expire
            86400 )     ; Minimum
    IN  NS   hitech.com.
2   IN  PTR  hitech.com.
Note: In the above file "2" is the last octet of the IP address; the zone name 100.168.192.in-addr.arpa supplies the first three. Increase the Serial every time a zone file is edited, otherwise secondaries never pick up the change.
Now edit /etc/resolv.conf:
# vi /etc/resolv.conf
nameserver 192.168.100.2    (give the server's own IP)
nameserver <ISP's DNS>
# service named restart
# rndc reload
# host hitech.com
qmail queries the MX record, so check it too:
# host -t MX hitech.com
# host mail.hitech.com
# host 192.168.100.1
# host -a hitech.com
Note: If the client side gets DNS lookup errors, check iptables on the server: it must accept port 53 tcp and udp from the LAN. Switching iptables off entirely also "fixes" it, but leaves every other service exposed.
If we implement qmail and other packages then we have to change the IP in the DNS files and the other configuration files.
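The forward and reverse files above are edited by hand, and in this manual they already disagree (the A record points at .1, the PTR is for .2). The script below is an added example, not part of the manual: it derives both record sets from one host list and checks that every forward address has a reverse entry. The zone name, the network and the host list are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the manual: generate the A records for hitech.com.zone
# and the matching PTR records for named.local.hitech from one host list, then
# check that every forward address has a reverse entry.
# Zone name, network and the host list are assumptions for the demonstration.

ZONE="hitech.com"
NET="192.168.100"      # the /24 behind the reverse zone 100.168.192.in-addr.arpa

# Constructed host list: "name ip" per line; names are relative to $ZONE unless
# they end in a dot.
HOSTS="hitech.com. 192.168.100.1
mail 192.168.100.1
pdc 192.168.100.2
bdc 192.168.100.3"

# Forward zone body: one A record per line of $HOSTS.
forward_records() {
    printf '%s\n' "$HOSTS" | while read -r name ip; do
        [ -n "$name" ] || continue
        printf '%-12s IN A   %s\n' "$name" "$ip"
    done
}

# Reverse zone body: one PTR per distinct address inside $NET, pointing at the
# FQDN of the first host that uses that address.
reverse_records() {
    printf '%s\n' "$HOSTS" | while read -r name ip; do
        [ -n "$name" ] || continue
        case "$ip" in
            "$NET".*) ;;
            *) echo "skip $name: $ip is outside $NET.0/24" >&2; continue ;;
        esac
        case "$name" in
            *.) fqdn=$name ;;
            *)  fqdn="$name.$ZONE." ;;
        esac
        printf '%s %s\n' "${ip##*.}" "$fqdn"
    done | awk '!seen[$1]++' | sort -n -k1,1 | while read -r octet fqdn; do
        printf '%-4s IN PTR %s\n' "$octet" "$fqdn"
    done
}

# Consistency check: every A record address must have a PTR. Returns 0 if so.
check_consistency() {
    ptr_octets=$(reverse_records | awk '{print $1}')
    status=0
    for ip in $(forward_records | awk '{print $4}'); do
        o=${ip##*.}
        if ! printf '%s\n' "$ptr_octets" | grep -qx "$o"; then
            echo "no PTR record for $ip" >&2
            status=1
        fi
    done
    return $status
}

forward_records
echo
reverse_records
check_consistency && echo "forward and reverse zones agree"
```

Paste the two outputs below the SOA of the respective zone file, bump the Serial, and run rndc reload; the check fails loudly for any address outside the reverse zone's /24, which is exactly the case the hand-edited files hide.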
Samba Configuration:
(1) First remove all the old samba rpms, if installed:
# rpm -e --nodeps samba
# rpm -e --nodeps samba-common
# rpm -e --nodeps samba-client
# rpm -e --nodeps samba-swat    (if installed)
Install all the new samba rpms from the Red Hat Enterprise CDs:
samba-swat-3.0.0-15
samba-common-3.0.0-14.3E    (from cd-2)
samba-3.0.0-14.3E           (from cd-3)
samba-client-3.0.0-14.3E    (from cd-2)
If an rpm is not found, download it from the net and then follow this procedure (for a source rpm):
# rpmbuild --rebuild <samba src rpm name>
Now we have to edit the /etc/samba/smb.conf file.
Contents of the file which are edited in the Global section:
[global]
        workgroup = HITECHEXPORT
        server string = Hi-Tech Export PDC Server
        #interfaces = eth0, lo
        #bind interfaces only = Yes
        obey pam restrictions = Yes
        pam password change = Yes
        hosts allow = 192.168.100. 127.
        printing = cups
        log file = /var/log/samba/%m.log
        max log size = 0
        unix password sync = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n\n *ReType*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
        local master = Yes
        os level = 99
        domain master = Yes
        preferred master = Yes
        domain logons = Yes
        logon script = %U.bat
        logon path = \\%L\Profiles\%U
        dns proxy = No
        log level = 1
Note: hosts allow limits SMB to the LAN and loopback. If the server also has a public interface, uncomment the interfaces and bind interfaces only lines as well so that smbd never listens on it.
# mkdir -p /home/samba/netlogon    (same path as in smb.conf)
To check users:
# vi /etc/passwd
To check whether the smbpasswd file is blank or not (it is still blank at this point):
# vi /etc/samba/smbpasswd    (no use if the smbpasswd file was copied directly from the PDC server)
To convert normal users to samba users.
Note: fire this command only if the smbpasswd file is blank; it overwrites the whole file, so on a populated server every existing Samba password would be lost.
# cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
We must give root an smbpasswd; this is the domain admin password used when machines join:
# smbpasswd root
To add (append) a user's password to the existing smbpasswd file:
# smbpasswd -a user
Now restart the smb service:
# service smb restart
To check whether the configuration is ok or not, type:
# net getlocalsid    (fire on the PDC)
# net rpc getsid     (only works on the BDC)
Note: To copy the SID from the PDC to the BDC give the command net rpc getsid. We should also check this line in the PDC's smb.conf:
add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
If any machine does not join the domain then you have to create the machine trust account manually:
# useradd -g samba-clients -d /dev/null -s /bin/false machinename$
# passwd -l machinename$
# smbpasswd -a -m machinename
If there is a BDC as well as the PDC, then on the BDC (else it would create problems for user logins):
domain logons = No
Only for the BDC, in smb.conf:
os level < the PDC's os level
preferred master = No
domain master = No
In /etc/samba/smb.conf the following should be adjusted on the BDC:
preferred master = No
domain master = No
os level < the PDC's os level
server string = (write BDC instead of PDC)
Note: Also copy the following files from the PDC server:
/etc/passwd
/etc/samba/smbpasswd
/etc/shadow
/etc/gshadow
/etc/group
/Profiles/
/home/
(Copy them with ownership and permissions preserved, e.g. scp -p or rsync -a. /etc/shadow, /etc/gshadow and smbpasswd hold the password hashes and must stay root-owned and mode 600 on the BDC too.)
If there is any error while joining the domain, it is possible that the PDC may take 10 min. to broadcast the SID.
The /Profiles name should be the same in the smb.conf file and the fstab file.
If any user is not able to login then on the PDC: chmod -R 777 /Profiles. You can delete the /Profiles partition if any error is found in it.
Note: 777 makes every user's roaming profile readable and writable by every other domain user. Once logins work, tighten it back so that each user's profile directory is owned by that user and is not world-accessible.
(3) Give the .recycle folder permission 333:
# chmod -R 333 /NewEDrive/<path where .recycle is>
Note: Whenever you copy / paste into an original file on the server, kindly take a backup of that original file first and then copy / paste.
To create a new group and transfer users to it. Ex. If we want to transfer the users of the autocad group into a new surajn group:
First we have to create the new group called surajn:
# groupadd surajn
Now find the autocad group id in /etc/group and write it down. To find the autocad group id fire this command:
# grep autocad /etc/group
Now find the above id in /etc/passwd with the help of the following command:
# grep ':<id number>:' /etc/passwd
Now change the user's group:
# usermod -g <new groupname> username
Second Ex.
Add a group called abc:
# groupadd abc
Add user xyz in group abc:
# useradd -g abc xyz
If user xyz is in 2 groups then fire this command:
# useradd -g abc -G pqr xyz
Note: In this case user xyz's primary group is abc and secondary group is pqr.
To change a user's primary group:
# usermod -g <new primary group> <user>
HOME Directory:
If a user has no home directory, you can create it:
# mkdir -p /home/sanjeevm
# chown -R sanjeevm /home/sanjeevm
# usermod -d /home/sanjeevm sanjeevm
This is useful for Webmail etc.
Note: When you add a new share in samba, then you have to do:
# mkdir -p /NewFolder/.recycle
# chmod -R 2777 /NewFolder         (SGID set on this folder to maintain quota: files created inside inherit the folder's group, so they are charged to that group's quota)
# chmod -R 333 /NewFolder/.recycle
# chgrp -R groupname /NewFolder
Swat
This is a web-based tool to configure the samba server.
# vi /etc/xinetd.d/swat
        disable = no
        only_from = 192.168.100.0/24
Note: SWAT asks for the root password over plain HTTP (port 901), so keep only_from to the LAN and never expose it on a public interface.
Quota
To set a quota on a share folder follow the following steps.
1. Edit the /etc/fstab file (entry in fstab):
/dev/sdb1  /Ddrive  ext3  defaults,usrquota,grpquota  0 0
2. Now create 2 files in /Ddrive. These are the quota database files; never delete them.
# touch /Ddrive/aquota.user
# touch /Ddrive/aquota.group
3. Now check quota on the disk (this fills in the quota database files):
# quotacheck -vgum /Ddrive
4. Now turn quota on:
# quotaon /Ddrive
5. To set quota on a folder/group:
# setquota -g grpname 1000 2000 0 0 /dev/sdc1    (the filesystem)
Note: 1000 is the soft block limit and 2000 the hard block limit, counted in 1 KB blocks. The two 0s are the soft and hard inode limits; 0 means unlimited, i.e. the group can create any number of files within its block limit.
6. To check quota:
# repquota -avg
Sgid:
To set SGID on a folder:
# chmod -R 2777 /<path of share folder>
Note: In every share folder we have to set SGID to maintain quota (new files inherit the folder's group, so the group quota accounts for them).
Rsync
This service is used for taking backups.
# vi /etc/xinetd.d/rsync
        disable = no
Note: In the rsync script for a backup, when you back up a whole folder you have to exclude lost+found (not strictly necessary).
Whenever we change anything in the /etc/xinetd.d directory we have to restart the xinetd service.
Fdisk
Using fdisk:
# fdisk /dev/hdc
p    print the partition table
n    new partition; it asks for extended (e) or primary (p)
Select e or p, then give the partition number.
First cylinder: press enter
Last cylinder: +150000 (150 GB)
Type w to write to disk.
Now format the partition:
# mkfs -t ext3 /dev/hda1
If it will not format, fire this command (it makes the kernel re-read the partition table) and then fire the above command again:
# partprobe
NIS Configuration
If we want Linux desktop users to log in on the server we have to configure a NIS server. In our scenario we do not use the NIS server because there are lots of problems on the client side, like desktop hangs and PCs working slowly.
For the server side:
Rpms required for NIS:
yp-tools
ypbind
ypserv
# domainname
Give the NIS domain entry:
# vi /etc/sysconfig/network
NISDOMAIN=XYZ.com
# echo XYZ.com > /var/yp/ypdomain
Note: ypdomain does not exist; we have to create this file using the above command.
# domainname
Start the services ypserv, yppasswdd and ypxfrd:
# service ypserv start
# service yppasswdd start
# service ypxfrd start
To move the /etc/passwd file data into the NIS maps (or to update the NIS password map):
# /usr/lib/yp/ypinit -m
next host to add: xyz.com
Ctrl+D
# rpm -qa | grep nfs-utils
# vi /etc/exports    (to mount any share of the server using NFS)
/home *(rw,sync)
:wq
Note: "*" exports /home to every host that can reach the server; restrict it to the LAN, e.g. /home 192.168.100.0/24(rw,sync), and keep the default root_squash so that a remote root is not root inside /home.
Start the NFS service:
# service nfs start
# service nfs status
To check the remote services:
# rpcinfo -p localhost
To check which folders we export:
# exportfs
NFS on Client side
To mount the home folder of the server, edit the /etc/fstab file:
# vi /etc/fstab
192.168.100.10:/home  /home  nfs  defaults,soft  0 0
Start the ypbind service:
# service ypbind start
# authconfig    (then follow the instructions)
Syslog
To view a system log this service must be started.
# vi /etc/syslog.conf
*.debug    /var/log/messages
Add the above line to check the system log in depth.
Cron tab
# vi /var/spool/cron/root
MAILTO=mail id
Note: To forward the mail of logs to a specific email id go to usermin and set up mail forwarding.
You can forward mail coming to root to any other user by creating a file in root's home directory:
# vi .forward
and write the mail address, e.g. [email protected]
This will work only for sendmail and not for qmail or others.
For Qmail you will have to create the file as under (if it does not exist):
# vi /var/qmail/alias/.qmail-root
& then
# echo emailid > /var/qmail/alias/.qmail-root
SSH Server
To log in from one server to another server without a password we have to configure this. We are using it for taking a backup of data through rsync.
From the BDC, log in to the PDC server.
On the PDC server:
# ssh-keygen -t dsa
Now on the BDC server:
# ssh-keygen -t dsa
# scp -p /root/.ssh/id_dsa.pub 192.168.100.2:/root/.ssh/authorized_keys    (192.168.100.2 = IP of the PDC server)
If you don't want the existing keys to get overwritten, copy the PUBLIC key (id_dsa.pub, never the private id_dsa) to the other machine and append it:
# scp -p /root/.ssh/id_dsa.pub <IP of PC>:/root/
Then go to the above given IP PC and:
# cat /root/id_dsa.pub >> /root/.ssh/authorized_keys
# chmod 700 /root/.ssh; chmod 600 /root/.ssh/authorized_keys; rm /root/id_dsa.pub
Note: the private key (id_dsa) must never leave the BDC; anyone who can read it can log in as root on the PDC. The direct scp to authorized_keys above is only safe while that file is still empty. ssh-dss keys are refused by OpenSSH 7.0 and later, so on a current system use -t rsa or -t ed25519 instead.
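The procedure above is easy to get wrong in two ways: appending the private key instead of the public one, and overwriting authorized_keys. The script below is an added example, not part of the manual. It installs a public key into a user's authorized_keys, refuses private-key files, skips keys that are already present, and sets the modes sshd's StrictModes requires. The key material and paths in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the manual: install a PUBLIC key into a user's
# ~/.ssh/authorized_keys the safe way: refuse private key files, never
# overwrite keys that are already there, skip keys already present, and leave
# the directory and file with the modes sshd's StrictModes requires.
# The key material and paths used in the demo are constructed placeholders.

# add_authorized_key <pubkey-file> <home-dir>
#   exit 0: key added or already present; 2: the file is not an OpenSSH public key
add_authorized_key() {
    pub=$1
    sshdir=$2/.ssh
    auth=$sshdir/authorized_keys

    # A public key line starts with the key type; a private key starts with
    # "-----BEGIN". This catches the classic "cat id_dsa >> authorized_keys".
    key=$(head -n 1 "$pub")
    case "$key" in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-nistp*) ;;
        *) echo "refusing $pub: not an OpenSSH public key (id_dsa instead of id_dsa.pub?)" >&2
           return 2 ;;
    esac

    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"

    # Compare type and base64 blob only, so a different comment is not a new key.
    blob=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if awk -v b="$blob" '($1 " " $2) == b {f=1} END {exit !f}' "$auth"; then
        echo "key already present in $auth"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "added key to $auth"
}

# Demonstration in a throw-away directory.
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBconstructed root@bdc\n' > "$tmp/id_dsa.pub"
    printf -- '-----BEGIN DSA PRIVATE KEY-----\nconstructed\n' > "$tmp/id_dsa"
    add_authorized_key "$tmp/id_dsa.pub" "$tmp/root"     # added
    add_authorized_key "$tmp/id_dsa.pub" "$tmp/root"     # already present
    add_authorized_key "$tmp/id_dsa" "$tmp/root" || echo "private key rejected"
    ls -l "$tmp/root/.ssh/authorized_keys"
    rm -rf "$tmp"
}

demo
```

On the PDC this would be run as root with the copied id_dsa.pub and /root as the home directory; because it compares only the key type and blob, re-running it after a key is re-exported with a new comment does not create duplicate lines.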
Usermin
Password change procedure: with the help of usermin we can change the samba and system passwords and send mail.
Install webmin. Select the usermin option. Now click on the install tab.
After installation of the usermin rpm select module restriction, then add user restriction, then select all users. Click on the change password tab.
Apache
# vi /etc/httpd/conf/httpd.conf
Uncomment this line:
NameVirtualHost <server ip>
Copy the 7-line virtual host block and uncomment all its lines:
<VirtualHost 192.168.100.4>
    ServerAdmin ...
    DocumentRoot /var/www/webs      (set the path of index.html)
    ServerName hitech.com
    ...
</VirtualHost>
Note: If we create an index.html file and put it in /var/www/webs/, then we have to:
# chown -R apache:apache /var/www/webs/
(httpd only needs read access. Making the whole DocumentRoot owned and writable by the apache user lets any bug in a web application rewrite the site; root-owned files readable by apache are the safer default.)
Whenever we change the httpd.conf file we have to restart the httpd service:
# service httpd restart
Grub
File: /etc/grub.conf
How to generate the boot loader password after installation.
# grub-md5-crypt
Then copy the md5 hash into grub.conf under the splashimage line:
password --md5 <paste the md5-formatted hash>
Contents of grub.conf (with password):
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You do not have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /, eg.
#          root (hd0,0)
#          kernel /boot/vmlinuz-version ro root=/dev/hdc1
#          initrd /boot/initrd-version.img
#boot=/dev/hdc
default=0
timeout=10
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
password --md5 $1$wKPul0$7bMy79pnEE6UoEZYuS4dl0
title Red Hat Linux (2.4.20-8)
        root (hd0,0)
        kernel /boot/vmlinuz-2.4.20-8 ro root=LABEL=/
        initrd /boot/initrd-2.4.20-8.img
After changes in grub.conf no further command is needed: GRUB reads the file at boot time, as the generated comment above says. grub-install only rewrites the boot sector and is needed if that was damaged or the disk changed:
# grub-install /dev/hdc
Keep grub.conf readable by root only (chmod 600) since it carries the password hash.
Lilo
# cp /etc/lilo.conf.anaconda /etc/lilo.conf    (if not configured)
# vi /etc/lilo.conf
Contents of lilo.conf:
prompt
timeout=50
default=Jay
boot=/dev/hdc
map=/boot/map
install=/boot/boot.b
restricted
password=redhat4299
message=/boot/message
linear
image=/boot/vmlinuz-2.4.20-8
        label=Jay
        initrd=/boot/initrd-2.4.20-8.img
        read-only
        append="root=LABEL=/"
Note: if we change the label then we must change default too; both label and default must be the same. Unlike GRUB, LILO writes its map at install time, so after editing lilo.conf run /sbin/lilo to apply it. Because the password is stored in clear text, lilo.conf must be chmod 600.
Send Mail
Rpms required for sendmail:
sendmail-8.12.8-4
sendmail-cf-8.12.8-4
We can't change directly in the sendmail.cf file, so change in the sendmail macro file, which is sendmail.mc.
# vi /etc/mail/sendmail.mc    (lines which are edited)
define(`SMART_HOST',`mail.reliadat.com')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
Note: Addr=0.0.0.0 makes sendmail listen on all interfaces, which is needed to receive mail from outside (the stock line binds 127.0.0.1 only).
FEATURE(`accept_unresolvable_domains')dnl
(With this feature enabled sendmail no longer rejects senders whose domain does not resolve, which is what lets our internal hosts send. It does not control relaying: who may relay through us is decided by the access file below, so this alone does not make the server an open relay.)
LOCAL_DOMAIN(`mail.reliadat.com')dnl
Now open the access file.
We can not change access.db directly, so open:
# vi /etc/mail/access
192.168.100    RELAY      (a network prefix, without /24; in place of RELAY it can be REJECT or DISCARD)
Comment out all the other lines and add:
127.0.0.1      RELAY
Never give RELAY to a network you do not control; that is what turns the server into an open relay.
To rebuild access.db from access (it is a hash map, not an m4 file):
# makemap hash /etc/mail/access.db < /etc/mail/access
2. To convert sendmail.mc into sendmail.cf:
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
3. Add a host entry:
# vi /etc/hosts
127.0.0.1    servername mail.reliadat.com localhost
4. # service sendmail restart
5. To check that sendmail is running:
# ps aux | grep sendmail
Now edit the ipop3 file.
# vi /etc/xinetd.d/ipop3
Change: disable = no
# service xinetd restart
Note: IPTables should be off in all run-levels. (Better: leave it on and open only the mail ports, 25 for SMTP, 110 for POP3 and 143/993 for IMAP/IMAPS. Plain POP3 and IMAP send passwords in clear text, so allow them from the LAN only.)
qmail service stop:
# qmailctl stop
qmail has its own ipop3, and sendmail has its own ipop3. So if you remove qmail then its ipop3 is also removed; if you install sendmail after removing qmail then you have to install imap, which installs ipop3.
GNFC 3rd:
PDC = mail.reliadat.com (qmail configured)
BDC = mail.bdc.com
Squirrelmail
To check the rpm for squirrelmail:
# rpm -qa | grep squirrel
# cd /usr/share/squirrelmail/config/
# ./conf.pl    (change options as required)
# vi /etc/httpd/conf/httpd.conf
Note: give the path of the Squirrelmail index.php (/usr/share/squirrelmail/index.php)
Content of httpd.conf (inside the virtual host block):
    ServerAdmin [email protected]
    DocumentRoot /usr/share/squirrelmail/
    ServerName reliadat.com
    ErrorLog /var/log/mail.reliadat.com
    # CustomLog logs/dummy-host.example.com-access_log common
Note: You have to change disable = no in /etc/xinetd.d/imap & /etc/xinetd.d/imaps and restart the xinetd service. The IPTables service should be off in all runlevels (or, better, open 143 and 993 for it).
Squid
Introduction: Two important goals are:
Reduce Internet bandwidth charges.
Limit access to the Web to only authorized users.
The Squid web caching proxy server can achieve both these goals easily. Users configure their web browsers to use the Squid proxy server instead of going to the web directly. The Squid server then checks its web cache for the information requested by the user. It returns any matching information it finds in its cache; if not, it goes to the web to fetch it on behalf of the user. Once it has the information, it populates its cache with it and also forwards it to the user's web browser.
This reduces the amount of data fetched from the web. Another advantage is that you can configure your firewall to accept outbound HTTP traffic only from the Squid server and from nobody else. Squid can then be configured to request a username and password from each user of the proxy. This provides simple access control to the Internet.
Advantages of Squid are: images and files are cached on a server shared by all, so Internet bandwidth charges are reduced.
Squid's password authentication feature is well liked because it allows only authorized users to access the Internet.
It also adds a layer of HTTP access control. By itself Squid can block a site only by keyword (a regex ACL on the URL), not by per-user site lists; that is what SquidGuard adds below.
Configuration:
To check the squid rpm:
# rpm -qa | grep squid
Note: Get a printout of squid.conf from the proxy server.
Squid users and passwords on the terminal:
# htpasswd -c /etc/squid/squid_passwd username
-c is used only if the password file does not exist; otherwise omit -c (with -c on an existing file, htpasswd recreates it and every other user's entry is lost).
If we edit squid.conf we must restart the squid service:
# service squid restart
If ncsa_auth is not found:
# locate ncsa_auth
Cache rebuild:
# /usr/sbin/squid -f /etc/squid/squid.conf -z
# service squid restart
Ip Forwarding
# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p    (to apply ip forwarding)
Note: the password file holds the hashes of every proxy account and must not be world-readable (the manual had 744 here, which lets every local user copy the hashes):
# chown squid /etc/squid/squid_passwd
# chmod 600 /etc/squid/squid_passwd
# chown squid /etc/squid/squid.conf
# chmod 644 /etc/squid/squid.conf
To create the cache log:
# touch /var/log/squid/cache.log
Squid guard tool
Introduction: This tool is used to block websites by URL and to block websites user-wise. Ex. if we want only directors and PMs to be able to surf gmail.com and others not allowed to surf gmail.com.
How squid, squidGuard and the Blacklist work together: A user types www.google.com in the browser. First the browser asks for proxy authentication; if the user is authorized he can go ahead, otherwise the user is not able to access any site. If any regex in squid.conf matches the URL, squid blocks the request itself. If not, squid passes the request to squidGuard (the redirector configured in squid.conf, which reads squidGuard.conf).
In squidGuard.conf we define ACLs, i.e. the rules for who is allowed or disallowed to reach which website. The location of the blacklist database (blocked websites) is also defined here. When a request comes to squidGuard it checks the blacklist database; if the URL is found there, squidGuard redirects the user to the "access denied" page defined in squidGuard.conf. If the URL is not in the blacklist, squid goes to the web to fetch it on behalf of the user, populates its cache with it and forwards it to the user's web browser.
# vi /etc/squid/squidGuard.conf
Note: Get a printout of squidGuard.conf from the proxy server.
Download SquidGuard and the Blacklist:
Install the above packages. Copy the blacklist folders from /Blacklist into the squidGuard directory:
# cd /Blacklist
# cp -r porn /var/lib/squidguard/
# cp -r ads /var/lib/squidguard/
# cp -r aggressive /var/lib/squidguard/
# cp -r audio-video /var/lib/squidguard/
# cp -r drugs /var/lib/squidguard/
# cp -r gambling /var/lib/squidguard/
# cp -r hacking /var/lib/squidguard/
# cp -r proxy /var/lib/squidguard/
# cp -r violence /var/lib/squidguard/
# cp -r warez /var/lib/squidguard/
You can add your own list of websites to /var/lib/squidguard/porn/domains (whole hosts, matched together with all their subdomains) OR /var/lib/squidguard/porn/urls (host/path prefixes).
We are blocking the following domains/websites:
desibaba.com
espnstar.com
porngirl.com
pkronline.com
sexworld.com
musicindia.com
raaga.com
mail.com
onlinemusic.com
onlinevideo.com
videoonline.com
indiafm.com
musiconline.com
onlinemovie.com
movieonline.com
adult.com
games.com
gmail.com
yahoo.com
hotmail.com
sify.com
indiatimes.com
rediff.com
rediffmail.com
azesearch.com
Note: We removed keywords like "sex" and "Music" from the Gnfc 6th proxy server (squid.conf) at the request of Anilthoria and Vijaybhai.
Removed the below sites from squidguard at the request of Hitesh Patel:
www.altavista.com
www.metacrawler.com
www.excite.com
Removed the below site from squidguard at the request of Binoj:
www.hollywood.com
To allow a website user-wise:
Create a file called legal in /var/lib/squidguard/porn/ and add the website names in this file which we do not want to block.
Now create another file called users in /var/lib/squidguard/porn/ and add the users whom we want to be able to access the above websites.
Following websites are allowed for the Directors, PM and Technical group:
hotmail.com
yahoo.com
gmail.com
rediff.com
rediffmail.com
indiatimes.com
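Whether a given user reaches a given site depends on three lists (domains, urls, and the legal/users pair) and on squidGuard's matching rules. The script below is an added example, not part of the manual or of squidGuard: it applies those rules offline to a user/URL pair so an entry can be checked before the lists are rebuilt and squid reloaded. The lists and URLs in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the manual: an offline check that applies squidGuard's
# list semantics to a user/URL pair. "domains" entries match the host and all of
# its subdomains; "urls" entries match host/path prefixes; hosts listed in
# "legal" are allowed only for users listed in "users", as in the manual's
# porn/legal and porn/users scheme. The lists and URLs below are constructed.

DOMAINS="gmail.com
yahoo.com
games.com"
URLS="www.example.com/chat
www.example.com/downloads/warez"
LEGAL="gmail.com
yahoo.com"
USERS="director1
pm2"

# host_of <url>  -> lower-cased host part (scheme, userinfo, port, path removed)
host_of() {
    h=${1#*://}; h=${h%%/*}; h=${h##*@}; h=${h%%:*}
    printf '%s' "$h" | tr 'A-Z' 'a-z'
}

# in_domain_list <host> <list>  -> 0 if the host or one of its parent domains is listed
in_domain_list() {
    host=$1
    while [ -n "$host" ]; do
        printf '%s\n' "$2" | grep -qxF "$host" && return 0
        case "$host" in
            *.*) host=${host#*.} ;;
            *)   host= ;;
        esac
    done
    return 1
}

# in_url_list <url> <list>  -> 0 if host/path begins with a listed entry
in_url_list() {
    u=$(printf '%s' "${1#*://}" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | while read -r e; do
        [ -n "$e" ] || continue
        case "$u" in "$e"*) echo hit; break ;; esac
    done | grep -q hit
}

# in_list <word> <list>  -> 0 if the word is a line of the list
in_list() { printf '%s\n' "$2" | grep -qxF "$1"; }

# decide <user> <url>  -> prints allow | block-domain | block-url; exit 0 only for allow
decide() {
    host=$(host_of "$2")
    if in_domain_list "$host" "$DOMAINS"; then
        if in_domain_list "$host" "$LEGAL" && in_list "$1" "$USERS"; then
            echo allow; return 0
        fi
        echo block-domain; return 1
    fi
    if in_url_list "$2" "$URLS"; then
        echo block-url; return 1
    fi
    echo allow
}

for probe in "clerk http://mail.gmail.com/" "director1 http://mail.gmail.com/" \
             "director1 http://games.com/" "clerk http://www.example.com/chat/room1" \
             "clerk http://www.example.com/" "clerk http://notgmail.com/"; do
    set -- $probe
    echo "$1 $2 -> $(decide "$1" "$2")"
done
```

The subdomain walk in in_domain_list is why "gmail.com" in the domains file also blocks mail.gmail.com, and why notgmail.com is not affected; to test the live lists, point DOMAINS, URLS, LEGAL and USERS at the contents of the files under /var/lib/squidguard/porn/.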
The below modules are configured the same on the Proxy and the BDC Server:
1. Squid
2. Squidguard
3. Iptables rules and tcp wrappers
4. Squid report.
In Apache create a Virtual Host with DocumentRoot /var/www/html/. Create an index.html file for "Access Denied" and paste it in /var/www/html/.
# chown apache /var/www/html/index.html
Start the httpd service:
# service httpd start
Samba, DNS and IP details of all branches.
Gnfc 6
PDC      = 192.168.100.2 - eth0
BDC      = 192.168.100.3 - eth0
SMB WGRP = Hitechexport
DNS      = hitech.com
Proxy    = Icenet  203.88.147.195 - eth2
           Gilp    203.77.194.67  - eth1
           Local   192.168.100.7  - eth0
Reliadat
PDC      = 192.168.2.3 - eth0
BDC      = 192.168.2.2 - eth0
SMB WGRP = Reliadat
DNS      = reliadat.com
1. Server Configuration
Gnfc6 Server Configuration:

              PDC                   BDC                Proxy
Motherboard   Intel                 Asus p4800delux    Asus p4800delux
CPU           Xeon dual 3.0GHz      P4-2.8GHz          P4-2.8GHz
RAM           2 GB                  1 GB               1 GB
HDD           1. SCSI 76GB          1. Seagate 40GB    1. Seagate 40GB
              2. SCSI 146GB         2. Seagate 120GB
              3. SCSI 146GB         3. Seagate 120GB
              4. WD 120GB IDE       4. Seagate 120GB

Reliadat Server Configuration:

              PDC                   BDC
Motherboard   Intel 865 gvsr        Intel 845 gvsr
CPU           P4-3.0GHz             P4-2.6GHz
RAM           1 GB                  1 GB
HDD           1. Seagate 120GB      1. Seagate 120GB
              2. Seagate 120GB      2. Seagate 120GB
To install the LAN card of the ASUS motherboard we have to compile the driver against the kernel source.
Installation Instructions for the sk98lin Driver.
Unpack the driver installation package using the command:
# tar xvfj install-???.tar.bz2    (j for a .tar.bz2 archive; z is only for .tar.gz)
After the driver installation package is unpacked, type the following commands to start the sk98lin driver build process:
# cd DriverInstall
# ./install.sh
Select the driver installation mode (User).
To compile the Linux kernel, proceed as follows:
Go to the directory /usr/src, remove any symbolic links to old Linux sources, and from the kernel source tree run the configurator:
# cd /usr/src
# make xconfig
Select the options you want to compile into the new kernel.
- For the kernel 2.4.x family:
a. Select the menu "Network Device Support".
b. Select "Ethernet (1000 Mbit)".
To integrate the driver permanently into the kernel, mark "Marvell Yukon Chipset/SysKonnect SK-98xx Support" with (*).
Select "Exit".
After booting the Linux kernel and compiling the driver as a loadable kernel module (LKM), the driver needs to be loaded.
Enter "modprobe sk98lin".
NOTE: For further information (e.g. the driver parameters) refer to the sk98lin.txt file.
IPTables
Introduction: With the help of iptables we can block ports and anonymous requests, and do port forwarding, routing and filtering.
In our scenario we use iptables for NAT and virus-port blocking.
Configuration: There is a file /etc/rc.d/rc.local; the lines added to /etc/rc.d/rc.local are executed when the system starts. The line is: /root/icenet.sh
There are 2 files in /root:
gipl.sh
        ifdown eth0
        ifdown eth1
        ifdown eth2
        ifup eth1
        ifup eth0
        /etc/rc.d/rc.gipl
icenet.sh
        ifdown eth0
        ifdown eth1
        ifdown eth2
        ifup eth1
        ifup eth2
        /etc/rc.d/rc.icenet
Now the file /etc/rc.d/rc.gipl:
#!/bin/sh
#IPTABLES=/sbin/iptables
iptables -F -t nat
#####DMZ##################
#Addison Pc######
iptables -I PREROUTING -t nat -d 203.77.194.104 -j DNAT --to-destination 192.168.100.41
iptables -I POSTROUTING -t nat -s 192.168.100.41 -j SNAT --to-source 203.77.194.104
###Comp 5############
iptables -I PREROUTING -t nat -d 203.77.194.101 -j DNAT --to-destination 192.168.100.35
iptables -I POSTROUTING -t nat -s 192.168.100.35 -j SNAT --to-source 203.77.194.101
###Comp 7############
iptables -I PREROUTING -t nat -d 203.77.194.102 -j DNAT --to-destination 192.168.100.37
iptables -I POSTROUTING -t nat -s 192.168.100.37 -j SNAT --to-source 203.77.194.102
###Comp 8############
iptables -I PREROUTING -t nat -d 203.77.194.103 -j DNAT --to-destination 192.168.100.38
iptables -I POSTROUTING -t nat -s 192.168.100.38 -j SNAT --to-source 203.77.194.103
iptables -I PREROUTING -t nat -s 192.168.100.0/24 -j ACCEPT
###################################
iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#########Port Forwarding For VNC Connection#############################################
iptables -t nat -A PREROUTING -p tcp -d 203.77.194.67 -j DNAT --to 192.168.100.14:5900
iptables -t nat -A PREROUTING -p tcp -d 203.77.194.67 --dport 80 -j DNAT --to 192.168.100.14:5900
iptables -t nat -A PREROUTING -p tcp -d 203.77.194.69 -j DNAT --to 192.168.100.191:5900
iptables -t nat -A PREROUTING -p tcp -d 203.77.194.69 --dport 80 -j DNAT --to 192.168.100.191:5900
#########Ip Routing#########################
route add -net 192.168.0.0 netmask 255.255.255.0 dev eth0 gw 192.168.100.1
############################################
iptables -F -t filter
#port 135 DCE Endpoint Resolution
iptables -I INPUT -p tcp --sport 135 -j DROP
iptables -I INPUT -p udp --sport 135 -j DROP
iptables -I INPUT -p tcp --dport 135 -j DROP
iptables -I INPUT -p udp --dport 135 -j DROP
iptables -I FORWARD -p tcp --sport 135 -j DROP
iptables -I FORWARD -p udp --sport 135 -j DROP
iptables -I FORWARD -p tcp --dport 135 -j DROP
iptables -I FORWARD -p udp --dport 135 -j DROP
#port 445 Microsoft-DS
iptables -I INPUT -p tcp --sport 445 -j DROP
iptables -I FORWARD -p tcp --sport 445 -j DROP
iptables -I INPUT -p tcp --dport 445 -j DROP
iptables -I FORWARD -p tcp --dport 445 -j DROP
#port 4444 krb524
iptables -I INPUT -p tcp --sport 4444 -j DROP
iptables -I FORWARD -p tcp --sport 4444 -j DROP
iptables -I INPUT -p tcp --dport 4444 -j DROP
iptables -I FORWARD -p tcp --dport 4444 -j DROP
iptables -F -t mangle
iptables -t mangle -I PREROUTING -p tcp ! --syn -m state --state NEW -j DROP
iptables -t mangle -I PREROUTING -m state --state INVALID -j DROP
iptables -t mangle -I PREROUTING -m unclean -j DROP
#iptables -I INPUT -p tcp -s 203.77.194.66 -j ACCEPT
#iptables -I INPUT -p tcp -s 203.77.194.94 -j ACCEPT
#iptables -I INPUT -p tcp -s 203.88.141.34 -j ACCEPT
#iptables -I INPUT -p tcp -s 203.88.141.62 -j ACCEPT
#iptables -I INPUT -p tcp -s 203.88.141.27 -j ACCEPT
#iptables -I INPUT -p tcp -s 192.168.100.0/24 -j ACCEPT
#iptables -A INPUT -p tcp -j REJECT
echo 1 > /proc/sys/net/ipv4/ip_forward
echo nameserver 203.77.198.101 > /etc/resolv.conf
echo nameserver 203.77.200.20 >> /etc/resolv.conf
Note: The last two lines of the above file mean we do not have to change the DNS in resolv.conf manually; it is set automatically when this script runs. The Ip Routing line defines a static route on eth0.
Note on what this script does and does not protect: the filter table is flushed but its policy stays at ACCEPT, and the closing "iptables -A INPUT -p tcp -j REJECT" is commented out, so apart from ports 135/445/4444 every inbound connection to the router is accepted from anywhere. The VNC rules forward every TCP port of the two public IPs (and port 80 explicitly) to internal VNC servers with no source restriction. Because the LAN ACCEPT rule is inserted at the top of nat PREROUTING, LAN traffic also bypasses the later REDIRECT to squid.
FIREWALL
Rules to allow/block IPs on a particular Ethernet card:
iptables -I INPUT -p tcp -s <IP of the machine which wants to access our machine> -i <Ethernet interface of our machine> -j ACCEPT
For e.g.
# iptables -I INPUT -p tcp -s 203.77.194.67 -i eth0 -j ACCEPT
Rules to allow/block an IP without naming the Ethernet card:
# iptables -I INPUT -p tcp -s ipadd. -j ACCEPT
To reject all other IPs (append this last, after the ACCEPT rules; the first matching rule wins):
# iptables -A INPUT -p tcp -j REJECT
To flush rules:
# iptables -F -t filter
# iptables -F -t nat
# iptables -F -t mangle
To list rules:
# iptables -L -t nat
# iptables -L -t filter
# iptables -L -t mangle
To block ports:
# iptables -I INPUT -p tcp --dport 136 -j DROP
# iptables -I FORWARD -p tcp --dport 136 -j DROP
(The filter table has no PREROUTING chain: blocks for traffic to the router go in INPUT, for traffic through it in FORWARD.) The above can be repeated for other ports also.
In Reliadat: PDC / BDC both have IPTABLES FILTER RULES ON.
To allot real IPs to a local machine from the Linux router (source NAT):
# iptables -I PREROUTING -t nat -d 203.77.194.66 -j DNAT --to-destination 192.168.100.10
# iptables -I POSTROUTING -t nat -s 192.168.100.10 -j SNAT --to-source 203.77.194.66
# iptables -I PREROUTING -t nat -s 192.168.100.0/24 -j ACCEPT
Note: The above rules should be applied before our NAT / squid / port filtering rules. We have to create an alias of the real-IP card with the newly allotted real IP (i.e. eth0 = Icenet IP, then eth0:1 = new Icenet IP).
To access our local PC from an outside network with VNC viewer:
Add the following rules after our NAT rules.
# iptables -t nat -A PREROUTING -p tcp -d <real IP> -j DNAT --to <local IP>:5900
# iptables -t nat -A PREROUTING -p tcp -d <real IP> --dport 80 -j DNAT --to <local IP>:5800
(The first rule forwards every TCP port of the real IP to the PC. Restrict it with --dport 5900 and, where possible, -s <admin IP>: VNC's password challenge is weak and the session itself is unencrypted.)
To define an IP route:
# route add -net 192.168.0.0 netmask 255.255.255.0 dev eth0 gw 192.168.100.1
Note:
This is only for the Cisco 1751. If any request comes from the 192.168.0.0 network then the proxy uses the 192.168.100.1 gateway, not Xincom. This is special for the NLDC line.
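Both rc.gipl above and the rules in this FIREWALL section rely on the filter table's default ACCEPT policy with a REJECT line that is appended last or left commented out. The script below is an added example, not part of the manual: it builds the same functions (worm-port blocking, transparent proxy, masquerading, admin ssh) on a default-DROP stateful policy, and prints the rules instead of applying them unless IPT is set to the iptables binary. Interface names, networks and the admin address list are assumptions.

```shell
#!/bin/sh
# Added example, not from the manual: a stateful default-deny filter for the
# Linux router/proxy, in contrast to rc.gipl, which leaves the INPUT and
# FORWARD policies at ACCEPT and only DROPs a handful of worm ports.
# Interface names, networks and the admin address list are assumptions.
# With IPT=echo (the default here) the rules are printed instead of applied;
# run as root with IPT=/sbin/iptables to apply them.

IPT=${IPT:-echo}
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.100.0/24
ADMIN_IPS="203.77.194.67 203.77.194.93"   # may ssh to the router from outside
WORM_PORTS=135,139,445,4444               # blocked in both directions

firewall_rules() {
    # Start from empty tables.
    for t in filter nat mangle; do $IPT -t $t -F; done

    # Default deny for traffic to and through the box: anything not listed
    # below is dropped, so a forgotten REJECT line can no longer open the host.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Worm ports first, before any ACCEPT, so they are blocked even for the LAN.
    $IPT -A INPUT -p tcp -m multiport --ports $WORM_PORTS -j DROP
    $IPT -A FORWARD -p tcp -m multiport --ports $WORM_PORTS -j DROP
    $IPT -A INPUT -p udp -m multiport --ports 135,137,138 -j DROP
    $IPT -A FORWARD -p udp -m multiport --ports 135,137,138 -j DROP

    # Loopback, then replies to connections we already know about.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Services the router offers to the LAN: ssh, dns, squid.
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports 22,53,3128 -j ACCEPT
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT

    # ssh from the Internet only for the listed admin addresses.
    for ip in $ADMIN_IPS; do
        $IPT -A INPUT -i $WAN_IF -s $ip -p tcp --dport 22 -m state --state NEW -j ACCEPT
    done

    # Transparent proxy and masquerading for the LAN (as in rc.gipl), plus the
    # FORWARD accept that a default-deny policy now needs.
    $IPT -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port 3128
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE

    # Log (rate-limited) what is about to hit the DROP policy.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: "
}

# Number of generated rules with the given target, e.g. count_rules DROP.
count_rules() { firewall_rules | grep -c -- "-j $1"; }

firewall_rules
```

The DMZ DNAT/SNAT pairs from rc.gipl fit in unchanged, but under this policy each forwarded host also needs a FORWARD rule that accepts NEW connections to it on the intended ports only, which is where the source and port restrictions missing from the manual's VNC rules belong.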
New Firewall
TCPWrapper:
This is another tool to increase security, but it is not as powerful as iptables. TCP wrappers are used to restrict a particular daemon/service; only daemons linked with libwrap or started through xinetd honour them, so they do not replace port filtering. In our scenario we restrict the ssh service through TCP wrappers: only selected IPs are allowed to connect to our server using ssh. All this security (TCP wrappers and iptables) is set on the proxy server.
For Vastrapur
# vi /etc/hosts.allow :
sshd : 192.168.100.
sshd : 203.77.194.67
sshd : 203.77.194.93
sshd : 203.88.141.19
sshd : 203.88.141.18
# vi /etc/hosts.deny :
ALL:ALL EXCEPT 127.0.0.1 192.168.100.
Add the GIPL-given blocking list to /etc/rc.d/rc.icenet and /etc/rc.d/rc.gipl.
TCPWrapper : For GNFC 6th
# vi /etc/hosts.allow :
sshd : 192.168.100. 203.77.194.21 203.88.147.194
# vi /etc/hosts.deny :
ALL:ALL EXCEPT 127.0.0.1 192.168.100.
Add the GIPL-given blocking list to /etc/rc.d/rc.icenet and /etc/rc.d/rc.gipl.
TCPWrapper : For GNFC 3rd
# vi /etc/hosts.allow :
sshd : 192.168.2.
sshd : 203.77.194.67
sshd : 203.77.194.93
sshd : 203.77.194.66
sshd : 203.77.194.94
sshd : 203.88.140.234
# vi /etc/hosts.deny :
ALL:ALL EXCEPT 127.0.0.1 192.168.100.
Note: hosts.allow is consulted first and a match there wins, then hosts.deny, and anything matching neither is allowed. The EXCEPT list in hosts.deny therefore exempts the whole 192.168.100. network from the deny rule for every wrapped service, not only sshd. On GNFC 3rd the LAN is 192.168.2., so check that the 192.168.100. exemption in its hosts.deny is what is intended there.
Add the GIPL-given blocking list to /etc/rc.d/rc.gnfc on the PDC / BDC.
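The order in which hosts.allow and hosts.deny are evaluated, and what a trailing-dot prefix or an EXCEPT list actually matches, is easy to misjudge. The script below is an added example, not part of the manual or of tcp_wrappers: it re-implements that decision for the pattern forms used above so a branch's files can be checked before they are installed. The sample files in the demo are constructed from the Vastrapur entries.

```shell
#!/bin/sh
# Added example, not from the manual: a small re-implementation of the
# hosts.allow / hosts.deny decision made by libwrap (tcpd), so the entries above
# can be checked offline before they go on a server. Order follows hosts_access(5):
# a match in hosts.allow grants, otherwise a match in hosts.deny refuses,
# otherwise access is granted. Supported patterns: ALL, an exact address, a
# network prefix ending in a dot (192.168.100.), and "list EXCEPT list".
# The sample files in the demo are constructed from the entries in the manual.

# match_pattern <client-ip> <pattern>  -> 0 if the pattern matches
match_pattern() {
    case "$2" in
        ALL) return 0 ;;
        *.)  case "$1" in "$2"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# match_list <client-ip> <pattern list, may contain EXCEPT>  -> 0 if it matches
match_list() {
    ip=$1; shift
    list=$*
    case " $list " in
        *" EXCEPT "*)
            # $2 = part before EXCEPT, $3 = part after; a hit in $3 vetoes $2.
            set -- "$ip" "${list%% EXCEPT *}" "${list#* EXCEPT }"
            if match_list "$1" $3; then return 1; fi
            match_list "$1" $2 ;;
        *)
            for p in $list; do
                match_pattern "$ip" "$p" && return 0
            done
            return 1 ;;
    esac
}

# file_matches <file> <daemon> <client-ip>  -> 0 if some "daemons : clients" line matches
file_matches() {
    [ -f "$1" ] || return 1
    hit=$(sed 's/#.*//' "$1" | while IFS=: read -r dlist clist; do
        [ -n "$dlist" ] || continue
        if match_list "$2" $dlist && match_list "$3" $clist; then
            echo hit
            break
        fi
    done)
    [ "$hit" = hit ]
}

# hosts_access <daemon> <client-ip> [allow-file] [deny-file]  -> 0 grant, 1 refuse
hosts_access() {
    allow=${3:-/etc/hosts.allow}
    deny=${4:-/etc/hosts.deny}
    file_matches "$allow" "$1" "$2" && return 0
    file_matches "$deny" "$1" "$2" && return 1
    return 0
}

# Demo with the Vastrapur entries from the manual (constructed files).
demo() {
    tmp=$(mktemp -d)
    printf 'sshd : 192.168.100.\nsshd : 203.77.194.67\n' > "$tmp/allow"
    printf 'ALL:ALL EXCEPT 127.0.0.1 192.168.100.\n' > "$tmp/deny"
    for c in "sshd 192.168.100.5" "sshd 203.77.194.67" "sshd 203.77.194.93" \
             "in.telnetd 192.168.100.5" "in.telnetd 203.77.194.67"; do
        set -- $c
        if hosts_access "$1" "$2" "$tmp/allow" "$tmp/deny"; then
            echo "$1 from $2: granted"
        else
            echo "$1 from $2: refused"
        fi
    done
    rm -rf "$tmp"
}

demo
```

The demo shows the point made in the note above: in.telnetd from 192.168.100.5 is granted even though hosts.allow only mentions sshd, because the EXCEPT clause in hosts.deny exempts the whole LAN for every service. To check a branch, call hosts_access with its daemon, a client address, and paths to copies of that branch's hosts.allow and hosts.deny.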
Services List of all Locations:
# chkconfig --list servicename
# chkconfig --level 35 servicename on|off
# service servicename status
GNFC6:
PDC:           named ON(35), crond ON(35), squid OFF(35), iptables OFF(35), smb ON(35), sendmail ON(35), dhcp OFF(35)
BDC:           named ON(35), crond ON(35), squid OFF(35), iptables OFF(35), smb OFF(35), sendmail ON(35), dhcp OFF(35)
Proxy server:  named ON(35), crond OFF(35), squid ON(35), iptables ON(35), smb OFF(35), sendmail ON(35), dhcp ON(35)
GNFC 3rd
PDC:           named ON(35), crond ON(35), squid OFF(35), iptables ON(35), smb ON(35), dhcp OFF(35), QMAIL ON
BDC:           named ON(35), crond OFF(35), squid OFF(35), iptables ON(35), smb OFF(35), sendmail ON(35), dhcp OFF(35)
Note :
Fstab File: In /etc/fstab the last column should be 0 0 and not 1 2.
Tmp watch: Tmpwatch checks the access time of files and removes those older than the given number of hours, e.g.:
# /usr/sbin/tmpwatch --atime -v 48 /NewEDrive/Anil/.recycle
Put the above command in a shell script (recycle.sh) and make an entry for it in root's crontab. Make the script executable with chmod 755 recycle.sh, not 777: a world-writable script run from root's crontab lets any local user put commands in it and have them run as root.
Log rotate
#vi /etc/logrotate.conf(configuration file)For this to work , syslog service should be ON.
daily
weeklymonthlyyearly
Note :In our case logs rotate = WeeklyTo check the logs : /var/log/secure
USB Device
For the first time at connecting a USB device you have to do:
#fdisk /dev/sda AND fdisk -l
#vi /etc/modules.conf
There should be 1 line added if not present:
alias usb-controller1 usb-uhci
You have to format the USB device etc. same as IDE.
#vi /etc/fstab
Do not write in /etc/fstab but manually mount it as:
#mount /dev/sda1 /usb/NewEDrive
Entry in fstab file:
/dev/sda1 /usb/NewE_FDrive ext3 suid,rw 0 0
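Before an fstab line for removable media is committed it is worth checking the two things the manual cares about (the dump and pass fields must be 0 0) and the mount options. The script below is an added example (not from this manual) that parses an fstab line and prints one finding per problem; the manual's own entry and a hardened variant are the constructed inputs, and the nosuid/nodev advice is the general rule for user-writable removable disks rather than something the manual states.

```shell
#!/bin/sh
# Added example (not from the manual): review an /etc/fstab line for a
# removable disk. Field layout: device mountpoint type options dump pass.

# fstab_field LINE N -> field N of a whitespace-separated fstab line
fstab_field() {
  printf '%s\n' "$1" | awk -v n="$2" '{ print $n }'
}

# has_option OPTIONS NAME -> 0 if NAME appears in the comma-separated list
has_option() {
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# fstab_review LINE -> prints one finding per line; no output means clean
fstab_review() {
  dev=$(fstab_field "$1" 1);  mnt=$(fstab_field "$1" 2)
  opts=$(fstab_field "$1" 4)
  dump=$(fstab_field "$1" 5); pass=$(fstab_field "$1" 6)
  # The manual wants "0 0" in the last two columns: a pass value of 1 or 2
  # makes boot-time fsck wait on a disk that may not be plugged in.
  [ "$dump" = 0 ] || echo "$mnt: dump field is '$dump', manual wants 0"
  [ "$pass" = 0 ] || echo "$mnt: fsck pass is '$pass', manual wants 0"
  # suid is part of "defaults" and the manual sets it explicitly; on a disk
  # that can be written on another machine it lets a setuid binary or a
  # device node come along, so nosuid and nodev are the safer choice.
  if has_option "$opts" suid || has_option "$opts" defaults; then
    echo "$mnt: suid in effect on $dev; prefer nosuid"
  fi
  has_option "$opts" nosuid || echo "$mnt: no nosuid option"
  has_option "$opts" nodev  || echo "$mnt: no nodev option"
  return 0
}

# Usage: constructed inputs; the first is the manual's own entry
MANUAL_LINE='/dev/sda1 /usb/NewE_FDrive ext3 suid,rw 0 0'
HARDENED_LINE='/dev/sda1 /usb/NewE_FDrive ext3 rw,nosuid,nodev,noauto 0 0'
echo "manual entry:";   fstab_review "$MANUAL_LINE"
echo "hardened entry:"; fstab_review "$HARDENED_LINE"
```

The hardened line also adds noauto, which matches the manual's advice to mount the USB disk by hand rather than at boot.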
Change Password Tool
This is a third party rpm which you can download and install:
#tar -zxvf changepassword*.*
#cd changepassword*.*
#./configure --enable-cgidir=/var/www/cgi-bin --enable-language=Portuguese --enable-smbpasswd=/usr/local/samba/private/smbpasswd --enable-squidpasswd=/etc/squid/passwd --enable-logo=opentech.jpg
You can get the above from the /root/changepassword/ README file.
Entry in httpd.conf:
ServerAdmin [email protected] /var/www/webs/
Misc : TroubleShooting
#telnet hitechexport.com 25
EHLO localhost
MAIL FROM:<emailid>
RCPT TO:<emailid>
#lsmod
#dmesg
Dhcp: To view the dhcpd lease log
#vi /var/lib/dhcp/dhcpd.leases
Squid: When pings get a reply but we are not able to surf, kindly check the gateway using the command:
#netstat -ar
Add & remove Gateway:
#route add default gw 192.168.100.7
#route del default gw 192.168.100.7
To view cache.log:
#route -C
#tail -f /var/squid/cache.log
#tail -f /var/squid/access.log
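Opening dhcpd.leases in vi works, but the file is append-only: the same address appears once per renewal and only the last block for an IP is current, which is easy to misread by eye. The script below is an added example (not from this manual) that folds the file down to the active bindings and looks up the MAC for an address; the lease text is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the manual): summarise /var/lib/dhcp/dhcpd.leases.
# The file is append-only, so only the LAST block for an IP is current.
# LEASES_SAMPLE is constructed; on a live server feed the awk program with
# the real file instead of the printf.
LEASES_SAMPLE='lease 192.168.100.50 {
  starts 3 2019/08/07 10:00:00;
  ends 3 2019/08/07 22:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "ws-anil";
}
lease 192.168.100.51 {
  starts 3 2019/08/07 11:00:00;
  ends 3 2019/08/07 23:00:00;
  binding state free;
  next binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.100.52 {
  starts 4 2019/08/08 08:00:00;
  ends 4 2019/08/08 20:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:99;
}
lease 192.168.100.50 {
  starts 4 2019/08/08 09:00:00;
  ends 4 2019/08/08 21:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
  client-hostname "ws-anil";
}'

# active_leases -> "ip mac hostname" for every address whose latest block
# is in binding state active ("-" where no hostname was sent), sorted
active_leases() {
  printf '%s\n' "$LEASES_SAMPLE" | awk '
    /^lease / { ip = $2; mac = "-"; state = ""; host = "-" }
    $1 == "hardware" && $2 == "ethernet" { mac = $3; sub(/;$/, "", mac) }
    $1 == "binding" && $2 == "state"     { state = $3; sub(/;$/, "", state) }
    $1 == "client-hostname"              { host = $2; gsub(/[";]/, "", host) }
    /^}/ && ip != "" {
      MAC[ip] = mac; STATE[ip] = state; HOST[ip] = host; ip = ""
    }
    END { for (a in MAC) if (STATE[a] == "active") print a, MAC[a], HOST[a] }
  ' | sort
}

# lease_mac IP -> MAC currently bound to IP (empty if no active lease)
lease_mac() {
  active_leases | awk -v ip="$1" '$1 == ip { print $2 }'
}

# Usage: .50 moved from 00:11:22:33:44:55 to 00:11:22:33:44:77 between its
# two blocks; a lease history like that (same IP, new hardware address) is
# worth checking against the inventory before trusting the host.
active_leases
```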
Partition and Quota Details of PDC Server.
Squid Report Generator
SARG: Squid Analysis Report Generator is a tool that allows you to view "where" your users are going to on the Internet.
Installation Notes:
Download the sarg-2.0.9.tar.gz source code from http://sf.net.
Now untar the above file.
#tar zxvf sarg*.*
Go to the sarg-2.0.9 directory.
#cd sarg-2.0.9
Now compile the source code.
#./configure
#make
#make install
Now edit the sarg.conf file in the /usr/local/sarg/ directory. Get the print out of sarg.conf from the proxy server.
To generate a report from the command line:
#sarg -l /var/log/squid/access.log
Add the entry in cron: We generate the report every day at 12.10am
10 12 * * * sarg -l /var/log/squid/access.log
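SARG answers "where are the users going" from the same access.log that tail -f shows raw. When the proxy's SARG output is not at hand, a few lines of awk over the native Squid log format give the two views an administrator reaches for first: served requests per user and site, and the requests the proxy refused. The script below is an added example (not from this manual); the log lines are constructed for it, and the usernames are only sample values.

```shell
#!/bin/sh
# Added example (not from the manual): a plain awk summary of the Squid
# access.log that SARG reports on. Lines are Squid native format:
# time elapsed client action/status bytes method URL user hierarchy type.
# ACCESS_SAMPLE is constructed; on the proxy pipe the real file instead.
ACCESS_SAMPLE='1565251200.123    245 192.168.100.21 TCP_MISS/200 5123 GET http://www.example.com/index.html anil DIRECT/93.184.216.34 text/html
1565251201.456     12 192.168.100.21 TCP_HIT/200 2048 GET http://www.example.com/logo.png anil NONE/- image/png
1565251210.789    980 192.168.100.35 TCP_MISS/200 81234 GET http://downloads.example.net/tool.exe ketan DIRECT/203.0.113.7 application/octet-stream
1565251215.000     50 192.168.100.35 TCP_DENIED/403 1450 GET http://blocked.example.org/ ketan NONE/- text/html
1565251220.321    300 192.168.100.21 TCP_MISS/200 7777 GET http://www.example.com/news anil DIRECT/93.184.216.34 text/html'

# top_sites -> "count user host", highest count first, counting only the
# requests the proxy actually served (TCP_DENIED lines are skipped)
top_sites() {
  printf '%s\n' "$ACCESS_SAMPLE" | awk '
    $4 !~ /^TCP_DENIED/ {
      url = $7
      sub(/^[a-z]+:\/\//, "", url)     # drop the scheme
      sub(/[\/:].*$/, "", url)         # keep the host, drop port and path
      n[$8 " " url]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2,2
}

# denied_requests -> "user host" for every request the proxy refused; these
# are the lines to review for block-list misses or a machine probing the
# policy rather than a person browsing
denied_requests() {
  printf '%s\n' "$ACCESS_SAMPLE" | awk '
    $4 ~ /^TCP_DENIED/ {
      url = $7
      sub(/^[a-z]+:\/\//, "", url)
      sub(/[\/:].*$/, "", url)
      print $8, url
    }'
}

# Usage
echo "served requests per user and site:"; top_sites
echo "refused requests:"; denied_requests
```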
Hard-Disk Details in HP Server.
1. 76GB SCSI (Quota not set on this Drive.) Device = /dev/sda
   /boot     100MB
   /home     10GB
   /Var      10GB
   /         10GB
   Swap      4GB
   /Profiles 30GB
2. 146GB SCSI (Quota set on this Drive.) Device = /dev/sdb
   /DDrive 78GB
   /EDrive 57GB
3. 146GB SCSI (Quota set on this Drive.) Device = /dev/sdb
   /FDrive 78GB
   /Gdrive 57GB
4. 120GB IDE Drive. (Quota not set on this Drive.)
   /Hdrive 52GB
Share Details of each Drive on PDC Server.
1. Ddrive: Addison, Champak, DTP, Heart, Sanjeev
2. EDrive: BhaskarHome, HMHome, KetanHome, NDHome, Vijay, BinojHome, HR, KPHome, PBHome, VijayHome, HeratHome, ItMatch, ManishHome, TapanHome
3. Fdrive: Auction, Eoffice, Finance, GAD, Shared, Software, Technical
4. Gdrive: Accounts, CAD, Marketing
5. HDrive: NewSource

Quota on above Folder
1. Ddrive
   Addison     05GB
   Champak     25GB
   DTP         10GB
   Heart       25GB
   Sanjeev     10GB
2. EDrive
   BhaskarHome 01GB
   HMHome      02GB
   KetanHome   01GB
   NDHome      01GB
   Vijay       25GB
   BinojHome   01GB
   HR          05GB
   KPHome      01GB
   PBHome      02GB
   VijayHome   01GB
   HeratHome   01GB
   ItMatch     05GB
   ManishHome  01GB
   TapanHome   01GB
3. Fdrive
   Auction     02GB
   Eoffice     03GB
   Finance     05GB
   GAD         05GB
   Shared      20GB
   Software    10GB
   Technical   10GB
4. Gdrive
   Accounts    10GB
   CAD         25GB
   Marketing   10GB
5. HDrive
   NewSource   (-)
Partition Details of BDC Server:
No. of Hard-Disk:
1. 40GB IDE, Device = /dev/hda
   /boot = 100MB
   /     = 10GB
   /Var  = 05GB
   /home = 10GB
   Swap  = 04GB
2. 120GB IDE, Device = /dev/hdb
   /DDrive   = 78GB
   /Profiles = 30GB
3. 120GB IDE, Device = /dev/hdc
   /EDrive = 60GB
   /GDrive = 51GB
4. 120GB IDE, Device = /dev/hdd
   /Fdrive = 78GB
   /Hdrive = 33GB
Share Details of each Drive on BDC Server.
1. Ddrive: Addison, Champak, DTP, Heart, Sanjeev
2. EDrive: BhaskarHome, HMHome, KetanHome, NDHome, Vijay, BinojHome, HR, KPHome, PBHome, VijayHome, HeratHome, ItMatch, ManishHome, TapanHome
3. Fdrive: Auction, Eoffice, Finance, GAD, Shared, Software, Technical
4. Gdrive: Accounts, CAD, Marketing
5. HDrive: NewSource