Four Main Network Configuration Files in LINUX Environment.
1. /etc/sysconfig/network-scripts/ifcfg-eth0
Dynamic IPV4 Configuration
DEVICE=eth0
BOOTPROTO=dhcp
HWADDR=00:0D:60:FB:CA:61
ONBOOT=yes
Static IPv4 Configuration
DEVICE=eth1
BOOTPROTO=none
HWADDR=00:0D:60:FB:CA:61   (must be eth1's own MAC address; the example reuses eth0's, and ifup ignores a device whose MAC does not match HWADDR — check with `ifconfig -a`)
ONBOOT=yes
IPADDR=192.168.0.X
NETMASK=255.255.255.0
GATEWAY=192.168.0.254
PEERDNS=no
TYPE=Ethernet
USERCTL=no   (non-root users may not bring this interface up or down)
IPV6INIT=no
2. #cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=yes   (global switch; the per-interface IPV6INIT=no above still keeps IPv6 off on eth1)
HOSTNAME=localhost.localdomain
GATEWAY=10.53.0.254   (system-wide default; a GATEWAY in an ifcfg-* file overrides it. This address is not on the 192.168.0.0/24 network configured above, so one of the two values appears to be a copy error)
3. #cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
127.31.53.1 stationX.example.com stationX   (anything in 127.0.0.0/8 is loopback and never reaches the network; a private address such as 172.31.53.1 was probably intended)
4. #cat /etc/resolv.conf   (the file is resolv.conf, without the "e")
search example.com another.org
nameserver 127.31.35.2   (same loopback-range slip as in /etc/hosts above; probably 172.31.35.2)
nameserver 192.168.1.3
Tuesday, February 28, 2012
RAID & LVM
LVM
Create
#Linux partitions /dev/sda7, /dev/sda8, /dev/sda9 (type 8e, Linux LVM, set with fdisk 't')
#pvcreate /dev/sda{7,8}
#vgcreate vg0 /dev/sda{7,8}
#lvcreate -n data -L 200M vg0   (-n takes the LV name, not a device path; the LV then appears as /dev/vg0/data)
#vgdisplay vg0
#lvdisplay /dev/vg0/data
Extend
#pvcreate /dev/sda9
#vgextend vg0 /dev/sda9
#lvextend -L 260M /dev/vg0/data   (200+60; `-L +60M` is equivalent)
#resize2fs /dev/vg0/data          (grow the filesystem after the LV; without this the extra space stays unused)
Reduce (shrinking can destroy data: unmount the filesystem and take a backup first, and shrink the filesystem BEFORE the LV)
#umount /dev/vg0/data
#e2fsck -f /dev/vg0/data
#resize2fs /dev/vg0/data 60M
#lvreduce -L 60M /dev/vg0/data
RAID & LVM CONFIGURATION :
1. use fdisk /dev/sda to create four 100MB partitions
(/dev/sda7, sda8, sda9, sda10)
2. set each partition's type with 't' to 'fd' (Linux raid autodetect)
3. save with 'w', then make the kernel re-read the partition table:
#partprobe /dev/sda
#mdadm -C /dev/md0 -l 1 -n 2 /dev/sda{7,8}
#mdadm -C /dev/md1 -l 1 -n 2 /dev/sda{9,10} -a yes   (-a yes creates the /dev/md1 device node if it does not exist yet)
(mirroring two partitions of the same disk is a classroom exercise only: it gives no protection if that disk fails)
#mkfs.ext3 /dev/md0
(cat /proc/mdstat shows the array status and resync progress)
#mkfs.ext3 /dev/md1
#mkdir /data
#mount /dev/md0 /data
#df –h
#mdadm --detail /dev/md0
#umount /data
#mdadm -f /dev/md0 /dev/sda7   (simulate a failure: mark the member faulty)
#cat /proc/mdstat
#mdadm -r /dev/md0 /dev/sda7   (hot remove the faulty member)
#mdadm -a /dev/md0 /dev/sda7   (add it back; the mirror resyncs)
#cat /proc/mdstat              (wait until the resync is finished before going on)
#umount /dev/md0
#pvcreate /dev/md0
#vgcreate volgroup /dev/md0
#lvcreate -n data -L 100M volgroup   (-n takes the LV name; the LV appears as /dev/volgroup/data)
#mkfs.ext3 /dev/volgroup/data
#mkdir /data
#vim /etc/fstab
/dev/volgroup/data /data ext3 defaults 0 0   (the option is `defaults`; `default` is not a mount option and `mount -a` will reject the entry)
#mount –a
#rm /etc/lvm/.cache   (LVM's device-scan cache; it is rebuilt automatically on the next scan)
#reboot -f            (-f skips the shutdown scripts — acceptable in a lab, use a plain `reboot` on a real system)
#vgdisplay volgroup
#lvdisplay /dev/volgroup/data
#pvcreate /dev/md1
#vgextend volgroup /dev/md1
#lvextend /dev/volgroup/data –L 140M (100+40)
#resize2fs /dev/volgroup/data
#mount /dev/volgroup/data /data
#df –h
#umount /data                          (the filesystem must be unmounted before e2fsck/resize2fs)
#e2fsck -f /dev/volgroup/data
#resize2fs /dev/volgroup/data 40M      (shrink the filesystem first)
#lvreduce -L 40M /dev/volgroup/data    (then the LV — never reduce it below the size the filesystem was shrunk to, or data past that point is lost)
#lvdisplay /dev/volgroup/data
The LV size of 140MB is reduced by 100MB (140-100=40), so the LV is now 40MB.
Create
#Linux partition /dev/sda7, /dev/sda8, /dev/sda9
#pvcreate /dev/sda{7,8}
#vgcreate vg0 /dev/sda{7,8}
#lvcreate -n data -L 200M vg0   (-n takes the LV name, not a device path; the LV then appears as /dev/vg0/data)
#vgdisplay vg0
#lvdisplay /dev/vg0/data
Extend
#pvcreate /dev/sda9
#vgextend vg0 /dev/sda9
#lvextend /dev/vg0/data –L 260M (200+60)
#resize2fs /dev/vg0/data
Reduce (shrinking can destroy data: unmount the filesystem and take a backup first, and shrink the filesystem BEFORE the LV)
#umount /dev/vg0/data
#e2fsck -f /dev/vg0/data
#resize2fs /dev/vg0/data 60M
#lvreduce -L 60M /dev/vg0/data
RAID & LVM CONFIGURATION :
1. use fdisk /dev/sda to create 100MB each partition
(7,8,9,10)
2. partition type ‘t’ to ‘fd’
3. save ‘w’ & for kernel reconfiguration is
#partprobe /dev/sda
#mdadm –C /dev/md0 –l 1 –n 2 /dev/sda{7,8}
#mdadm –C /dev/md1 –l 1 –n 2 /dev/sda{9,10} –a yes
#mkfs.ext3 /dev/md0
(cat /proc/mdstat) show the status
#mkfs.ext3 /dev/md1
#mkdir /data
#mount /dev/md0 /data
#df –h
#mdadm --detail /dev/md0
#umount /data
#mdadm –f /dev/md0 /dev/sda7
#cat /proc/mdstat
#mdadm –r /dev/md0 /dev/sda7 (hot remove)
#mdadm –a /dev/md0 /dev/sda7
#cat /proc/mdstat
#umount /dev/md0
#pvcreate /dev/md0
#vgcreate volgroup /dev/md0
#lvcreate -n data -L 100M volgroup   (-n takes the LV name; the LV appears as /dev/volgroup/data)
#mkfs.ext3 /dev/volgroup/data
#mkdir /data
#vim /etc/fstab
/dev/volgroup/data /data ext3 defaults 0 0   (the option is `defaults`; `default` is not a mount option and `mount -a` will reject the entry)
#mount –a
#rm /etc/lvm/.cache
#reboot –f
#vgdisplay volgroup
#lvdisplay /dev/volgroup/data
#pvcreate /dev/md1
#vgextend volgroup /dev/md1
#lvextend /dev/volgroup/data –L 140M (100+40)
#resize2fs /dev/volgroup/data
#mount /dev/volgroup/data /data
#df –h
#umount /data                          (the filesystem must be unmounted before e2fsck/resize2fs)
#e2fsck -f /dev/volgroup/data
#resize2fs /dev/volgroup/data 40M      (shrink the filesystem first)
#lvreduce -L 40M /dev/volgroup/data    (then the LV — never reduce it below the size the filesystem was shrunk to, or data past that point is lost)
#lvdisplay /dev/volgroup/data
The LV size of 140MB is reduced by 100MB (140-100=40), so the LV is now 40MB.
OPEN OFFICE INSTALLATION IN LINUX
OPEN OFFICE INSTALLATION through "rpm"
#lftp 192.168.0.254
#cd pub
#get OO          (OO stands for the OpenOffice tarball; the name is abbreviated in these notes)
#bye
#tar xzvf OO
#cd OOF
#cd RPMS
#rpm -K *.rpm    (verify the package signatures after importing the vendor key with `rpm --import` — the tarball arrived over plain FTP with no integrity check)
#rpm -ivh *.rpm
#cd desktop
#rpm –ivh openoffice.org-redhat-menus
#init 6   (a full reboot is normally not needed for a desktop application; logging out and back in is enough for the menu entries to appear)
OPEN OFFICE INSTALLATION through "yum"
#lftp Server1
#cd pub
#get OO
#bye
#tar xzvf OO
#mv OOF /root/openoffice
#yum install createrepo
#cd /root/openoffice/RPMS          (must be the same directory the baseurl below points at)
#createrepo -v "$(pwd)"            (or: createrepo -v /root/openoffice/RPMS)
#vi /etc/yum.repos.d/oof.repo
[oof-Repo]
name=Open Office Repo at my PC
baseurl=file:///root/openoffice/RPMS
enabled=1
gpgcheck=0
(gpgcheck=0 turns off signature verification; that is tolerable only for a local repo of packages you verified yourself. For any repo served over the network set gpgcheck=1 and point gpgkey= at the vendor's public key.)
#yum install openoffice.org-*
#cd desktop-integration
#rpm -ivh openoffice.org-redhat-menus   (-ich in the original is a typo for -ivh)
#init 6
#lftp 192.168.0.254
#cd pub
#get OO
#bye
#tar xzvf OO
#cd OOF
#cd RPMS
#rpm –ivh *rpm
#cd desktop
#rpm –ivh openoffice.org-redhat-menus
#init 6
OPEN OFFICE INSTALLATION through "yum"
#lftp Server1
#cd pub
#get OO
#bye
#tar xzvf OO
#mv OOF /root/openoffice
#yum install createrepo
#cd /root/openoffice/RPMS          (must be the same directory the baseurl below points at)
#createrepo -v "$(pwd)"            (or: createrepo -v /root/openoffice/RPMS)
#vi /etc/yum.repos.d/oof.repo
[oof-Repo]
name=Open Office Repo at my PC
baseurl=file:///root/openoffice/RPMS
enabled=1
gpgcheck=0
(gpgcheck=0 turns off signature verification; that is tolerable only for a local repo of packages you verified yourself. For any repo served over the network set gpgcheck=1 and point gpgkey= at the vendor's public key.)
#yum install openoffice.org-*
#cd desktop-integration
#rpm -ivh openoffice.org-redhat-menus   (-ich in the original is a typo for -ivh)
#init 6
REPOSITORY
What's in a repository?
A repository is a central place where data is stored and maintained. A repository can be a place where multiple databases or files are located for distribution over a network, or a repository can be a location that is directly accessible to the user without having to travel across a network.
Create Repository "ftp"
#vim /etc/yum.repos.d/server1.repo
[Server1-Repo]
name=Server Repository
baseurl=ftp://server1/pub/Server
enabled=1
gpgcheck=0
(with gpgcheck=0 yum installs whatever the FTP server — or anyone able to tamper with the unencrypted FTP traffic — hands out. Use gpgcheck=1 with gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release, or the key that signed the packages, for any network repo.)
:wq (save and quit)
#yum list available
Create Repository "http"
#vim /etc/yum.repos.d/shishir.repo
[shishir-repo]
name=shishir's repository
baseurl=http://Server1.example.com/path
enabled=1
gpgcheck=0   (same caveat as above: plain HTTP plus no signature check means no integrity guarantee — set gpgcheck=1 and gpgkey=)
Create own pc Private Repository
#vim /etc/yum.repos.d/shishir.repo
[shishir-repo]
name=shishir's repository
baseurl=file:///root/Server
enabled=1
gpgcheck=0
#rpm -ivh Server/createrepo*.rpm   (install createrepo from the copied Server/ tree; the trailing "-o" in the original note is not an rpm option)
#createrepo Server/                (build the repodata/ metadata yum reads)
#yum list all
A repository is a central place where data is stored and maintained. A repository can be a place where multiple databases or files are located for distribution over a network, or a repository can be a location that is directly accessible to the user without having to travel across a network.
Create Repository "ftp"
#vim /etc/yum.repos.d/server1.repo
[Server1-Repo]
name=Server Repository
baseurl=ftp://server1/pub/Server
enabled=1
gpgcheck=0
(with gpgcheck=0 yum installs whatever the FTP server — or anyone able to tamper with the unencrypted FTP traffic — hands out. Use gpgcheck=1 with gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release, or the key that signed the packages, for any network repo.)
:wq (save and quit)
#yum list available
Create Repository "http"
#vim /etc/yum.repos.d/shishir.repo
[shishir-repo]
name=shishir's repository
baseurl=http://Server1.example.com/path
enabled=1
gpgcheck=0   (same caveat as above: plain HTTP plus no signature check means no integrity guarantee — set gpgcheck=1 and gpgkey=)
Create own pc Private Repository
#vim /etc/yum.repos.d/shishir.repo
[shishir-repo]
name=shishir's repository
baseurl=file:///root/Server
enabled=1
gpgcheck=0
#rpm -ivh Server/createrepo*.rpm   (install createrepo from the copied Server/ tree; the trailing "-o" in the original note is not an rpm option)
#createrepo Server/                (build the repodata/ metadata yum reads)
#yum list all
Linux Boot Sequence Overview
A. Boot Sequence Overview
#/boot/grub/grub.conf
Kernel initialization (kernel boot-time functions):
1. Device Detection
2. Device Driver Initialization
3. Mounts root filesystem readonly
4. Loads initial process (init)
The MD5 password hash for the GRUB menu can be created with grub-md5-crypt. A GRUB password only stops someone at the console from editing boot entries (e.g. appending `single` or `init=/bin/sh` to get a root shell); it does not stop booting from other media, so pair it with a firmware/BIOS password.
If for some reason your MBR becomes corrupted and we need to
reinstall GRUB, we can do so with the command /sbin/grub-install
boot-device. Occasionally it may prove necessary for the user to set
up grub manually. If grub-install fails for some reason try the
following:
1. Type the command grub and press Enter (the GRUB shell).
2. Type root (hd0,0)   (the partition holding /boot)
3. Type setup (hd0)    (writes the boot loader to the MBR of the first disk)
4. Type quit.
or
#chroot /mnt/sysimage   (from the installer's rescue mode, which mounts the installed system under /mnt/sysimage)
#grub-install /dev/sda
#exit
4 important files :
1. #/etc/inittab
2. #/etc/rc.local
3. ~/.bash_profile   (per-user login script; there is no /etc/.bash_profile — the system-wide equivalent is /etc/profile)
4. #/boot/grub/grub.conf
GRUB SCREEN PASSWD
Single user mode from the GRUB menu: press e, select the kernel line, press e again, append a space and `s` (or `single`), press Enter, then b to boot.
(This yields a root shell without any password — which is exactly why the menu needs a password.)
sh# grub-md5-crypt
Password: ……………………
Retype password: …………………….
Then copy the printed hash.
Go to another terminal…………..
#vim /boot/grub/grub.conf
below the hiddenmenu line (in the global section, before the first `title`) write
password --md5 <paste the hash here>
:wq (save and quit)
(keep /boot/grub/grub.conf readable only by root, mode 0600, since it now holds the hash; a plain `password secret` line without --md5 would store the password in cleartext)
B. Updating a Kernel RPM
#uname -r   (shows the currently running kernel version)
#lftp Server1
server1> cd pub
pub> get K        (K = the kernel RPM)
pub> bye
#ll
#rpm -K K         (check the package signature before installing a kernel)
#rpm -ivh K       (install with -i, never -U: this keeps the old kernel as a fallback boot entry)
#reboot           (a plain reboot is enough; -f skips the shutdown scripts)
#uname -r   or   vim /boot/grub/grub.conf   (confirm the new kernel is running and is the default entry)
#/boot/grub/grub.conf
Kernel initialization (kernel boot-time functions):
1. Device Detection
2. Device Driver Initialization
3. Mounts root filesystem readonly
4. Loads initial process (init)
The MD5 password hash for the GRUB menu can be created with grub-md5-crypt. A GRUB password only stops someone at the console from editing boot entries (e.g. appending `single` or `init=/bin/sh` to get a root shell); it does not stop booting from other media, so pair it with a firmware/BIOS password.
If for some reason your MBR becomes corrupted and we need to
reinstall GRUB, we can do so with the command /sbin/grub-install
boot-device. Occasionally it may prove necessary for the user to set
up grub manually. If grub-install fails for some reason try the
following:
1. Type the command grub and press Enter.
2. Type root(hd0,0)
3. Type setup(hd0)
4. Type quit.
or
#chroot /mnt/sysimage
#grub-install /dev/sda
#exit
4 important files :
1. #/etc/inittab
2. #/etc/rc.local
3. ~/.bash_profile   (per-user login script; there is no /etc/.bash_profile — the system-wide equivalent is /etc/profile)
4. #/boot/grub/grub.conf
GRUB SCREEN PASSWD
Single user mode from the GRUB menu: press e, select the kernel line, press e again, append a space and `s` (or `single`), press Enter, then b to boot.
(This yields a root shell without any password — which is exactly why the menu needs a password.)
sh# grub-md5-crypt
Password: ……………………
Retype password: …………………….
Then copy the printed hash.
Go to another terminal…………..
#vim /boot/grub/grub.conf
below the hiddenmenu line (in the global section, before the first `title`) write
password --md5 <paste the hash here>
:wq (save and quit)
(keep /boot/grub/grub.conf readable only by root, mode 0600, since it now holds the hash; a plain `password secret` line without --md5 would store the password in cleartext)
B. Updating a Kernel RPM
#uname -r   (shows the currently running kernel version)
#lftp Server1
server1> cd pub
pub> get K        (K = the kernel RPM)
pub> bye
#ll
#rpm -K K         (check the package signature before installing a kernel)
#rpm -ivh K       (install with -i, never -U: this keeps the old kernel as a fallback boot entry)
#reboot           (a plain reboot is enough; -f skips the shutdown scripts)
#uname -r   or   vim /boot/grub/grub.conf   (confirm the new kernel is running and is the default entry)
Wednesday, February 22, 2012
Unit 12 NFS, AUTOMOUNTER, SWAP FILES & PARTITIONS
Example of NFS, AUTOMOUNTER, SWAP FILES & PARTITIONS Configuration
NFS
#mkdir /mnt/shishir
#mount –t nfs server1:/var/ftp/pub /mnt/shishir
#vim /etc/fstab
server1:/var/ftp/pub /mnt/shishir nfs defaults 0 0   (mount point and type are separate fields, and the option is `defaults`; consider `ro` when the export is only read)
:wq (save and quit)
AUTOMOUNTER
#showmount -e server1   (lists the NFS exports of server1)
#service iptables stop
#chkconfig iptables off
#chkconfig --list | grep iptables
(classroom shortcut only: these two commands disable the host firewall permanently. On a real system keep iptables on and open just the NFS ports — 111 for portmap, 2049 for nfs, plus the mountd/statd/lockd ports, which must be pinned in /etc/sysconfig/nfs before they can be allowed through.)
#mkdir /mnt/lg
#vim /etc/auto.master ->
(input)
/mnt/lg /etc/auto.Samsung --timeout=60   (auto.Samsung is the map file: one line per key, e.g. `intel -ro,soft server1:/var/ftp/pub`; it is not shown in these notes)
#service autofs restart
#cd /mnt/lg/intel (try to access)
#intel#ls ->
SWAP FILES & PARTITIONS
#mkswap /dev/sda7      (fails if the kernel has not seen the new partition yet — hence the partprobe below)
#partprobe /dev/sda
#mkswap /dev/sda7
#swapon -s             (lists the active swap areas; at this point only sda6, activated from fstab, is shown)
#vim /etc/fstab
/dev/sda7 swap swap defaults 0 0   (the option is `defaults`, not `default`)
#swapon -a   (activates every swap entry listed in /etc/fstab)
#swapon -s   (verify)
#dd if=/dev/zero of=myswap bs=1M count=128
#chmod 600 myswap   (a swap file contains whatever was paged out of memory, passwords included; it must not be readable by other users)
#ls -lh
#mkswap myswap
#swapon myswap      (-a takes no file argument; it only activates fstab entries)
#swapon -s          (verify)
#vim /etc/rc.local
(add, e.g. as line 6)
swapon /root/myswap   (`swap -a` is not a command; alternatively add `/root/myswap swap swap defaults 0 0` to /etc/fstab instead of using rc.local)
:wq (save and quit)
AUTOMOUNTER
NAME
automount - configure mount points for autofs
SYNOPSIS
automount [options] mount-point map-type[,format] map [map-options]
DESCRIPTION
The automount program is used to configure a mount point for autofs, the inlined Linux automounter. automount works by taking a base mount-point and map file, and using these (combined with other options) to automatically mount filesystems within the base mount-point when they are accessed in any way. The filesystems are then autounmounted after a period of inactivity.
OPTIONS
-p, --pid-file
Write the pid of the daemon to the specified file.
-t, --timeout
Set the minimum timeout, in seconds, until directories are unmounted. The default is 5 minutes. Setting the timeout to zero disables unmounts completely.
-v, --version
Display the version number, then exit.
ARGUMENTS
automount takes at least three arguments. Mandatory arguments include mount-point, map-type and map. Both mandatory and optional arguments are described below.
mount-point
Base location for autofs-mounted filesystems to be attached. This is a directory name which must already exist.
map-type
Type of map used for this invocation of automount. The following are valid map types:
file
The map is a regular text file.
program
The map is an executable program, which is passed a key on the command line and returns an entry on stdout if successful.
yp
The map is a NIS (YP) database.
nisplus
The map is a NIS+ database.
hesiod
The map is a hesiod database whose filsys entries are used for maps.
ldap
map names are of the form [servername:]basedn, where the optional servername is the name of the LDAP server to query, and basedn is the DN to do a subtree search under. Entries are automount objects in the specified subtree, where the cn attribute is the key (the wildcard key is "/"), and the automounterInformation attribute contains the information used by the automounter. Documentation on the schema used by this module is available online at http://docs.iplanet.com/docs/manuals/directory/411ext/nis/mapping.htm.
format Format of the map data; currently the only formats
recognized are sun, which is a subset of the Sun automounter map format, and hesiod, for hesiod filesys entries. If the format is left unspecified, it defaults to sun for all map types except hesiod.
map
Location of mapfile to use. This is an absolute UNIX pathname in the case for maps of types file or program, and the name of a database in the case for maps of type yp, nisplus, or hesiod.
options
Any remaining command line arguments without leading dashes (-) are taken as options (-o) to mount. Arguments with leading dashes are considered options for the maps.
NFS
#mkdir /mnt/shishir
#mount –t nfs server1:/var/ftp/pub /mnt/shishir
#vim /etc/fstab
server1:/var/ftp/pub /mnt/shishir nfs defaults 0 0   (mount point and type are separate fields, and the option is `defaults`; consider `ro` when the export is only read)
:wq (save and quit)
AUTOMOUNTER
#showmount -e server1   (lists the NFS exports of server1)
#service iptables stop
#chkconfig iptables off
#chkconfig --list | grep iptables
(classroom shortcut only: these two commands disable the host firewall permanently. On a real system keep iptables on and open just the NFS ports — 111 for portmap, 2049 for nfs, plus the mountd/statd/lockd ports, which must be pinned in /etc/sysconfig/nfs before they can be allowed through.)
#mkdir /mnt/lg
#vim /etc/auto.master ->
(input)
/mnt/lg /etc/auto.Samsung --timeout=60   (auto.Samsung is the map file: one line per key, e.g. `intel -ro,soft server1:/var/ftp/pub`; it is not shown in these notes)
#service autofs restart
#cd /mnt/lg/intel (try to access)
#intel#ls ->
SWAP FILES & PARTITIONS
#mkswap /dev/sda7      (fails if the kernel has not seen the new partition yet — hence the partprobe below)
#partprobe /dev/sda
#mkswap /dev/sda7
#swapon -s             (lists the active swap areas; at this point only sda6, activated from fstab, is shown)
#vim /etc/fstab
/dev/sda7 swap swap defaults 0 0   (the option is `defaults`, not `default`)
#swapon -a   (activates every swap entry listed in /etc/fstab)
#swapon -s   (verify)
#dd if=/dev/zero of=myswap bs=1M count=128
#chmod 600 myswap   (a swap file contains whatever was paged out of memory, passwords included; it must not be readable by other users)
#ls -lh
#mkswap myswap
#swapon myswap      (-a takes no file argument; it only activates fstab entries)
#swapon -s          (verify)
#vim /etc/rc.local
(add, e.g. as line 6)
swapon /root/myswap   (`swap -a` is not a command; alternatively add `/root/myswap swap swap defaults 0 0` to /etc/fstab instead of using rc.local)
:wq (save and quit)
AUTOMOUNTER
NAME
automount - configure mount points for autofs
SYNOPSIS
automount [options] mount-point map-type[,format] map [map-options]
DESCRIPTION
The automount program is used to configure a mount point for autofs, the inlined Linux automounter. automount works by taking a base mount-point and map file, and using these (combined with other options) to automatically mount filesystems within the base mount-point when they are accessed in any way. The filesystems are then autounmounted after a period of inactivity.
OPTIONS
-p, --pid-file
Write the pid of the daemon to the specified file.
-t, --timeout
Set the minimum timeout, in seconds, until directories are unmounted. The default is 5 minutes. Setting the timeout to zero disables unmounts completely.
-v, --version
Display the version number, then exit.
ARGUMENTS
automount takes at least three arguments. Mandatory arguments include mount-point, map-type and map. Both mandatory and optional arguments are described below.
mount-point
Base location for autofs-mounted filesystems to be attached. This is a directory name which must already exist.
map-type
Type of map used for this invocation of automount. The following are valid map types:
file
The map is a regular text file.
program
The map is an executable program, which is passed a key on the command line and returns an entry on stdout if successful.
yp
The map is a NIS (YP) database.
nisplus
The map is a NIS+ database.
hesiod
The map is a hesiod database whose filsys entries are used for maps.
ldap
map names are of the form [servername:]basedn, where the optional servername is the name of the LDAP server to query, and basedn is the DN to do a subtree search under. Entries are automount objects in the specified subtree, where the cn attribute is the key (the wildcard key is "/"), and the automounterInformation attribute contains the information used by the automounter. Documentation on the schema used by this module is available online at http://docs.iplanet.com/docs/manuals/directory/411ext/nis/mapping.htm.
format Format of the map data; currently the only formats
recognized are sun, which is a subset of the Sun automounter map format, and hesiod, for hesiod filesys entries. If the format is left unspecified, it defaults to sun for all map types except hesiod.
map
Location of mapfile to use. This is an absolute UNIX pathname in the case for maps of types file or program, and the name of a database in the case for maps of type yp, nisplus, or hesiod.
options
Any remaining command line arguments without leading dashes (-) are taken as options (-o) to mount. Arguments with leading dashes are considered options for the maps.
Tuesday, February 21, 2012
Unit 11 NIS (Network Information System)
What is NIS?
NIS (Network Information System) is a network naming and administration system for smaller networks that was developed by Sun Microsystems. NIS+ is a later version that provides additional security and other facilities. Using NIS, each host client or server computer in the system has knowledge about the entire system. A user at any host can get access to files or applications on any host in the network with a single user identification and password. NIS is similar to the Internet's domain name system (DNS) but somewhat simpler and designed for a smaller network. It's intended for use on local area networks.
NIS uses the client/server model and the Remote Procedure Call (RPC) interface for communication between hosts. NIS consists of a server, a library of client programs, and some administrative tools. NIS is often used with the Network File System (NFS). NIS is a UNIX-based program. Note that classic NIS serves its maps — including the password hashes — unencrypted over RPC to any host that knows the domain name, so it belongs only on a trusted LAN; LDAP with TLS or Kerberos is the usual replacement.
Example of NIS Configuration.
#authconfig-tui
#system-config-authentication (Graphical Mode)
Authentication Configuration Screen
Enable NIS support Configure NIS
NIS Domain notexample
NIS Server Server1.example.com
#service network restart   (service and script names are case-sensitive)
#ifconfig
#ping server1
#showmount –e 192.168.0.254
(-e = show the NFS server’s export list)
#mkdir /home/guests
#mount 192.168.0.254:/home/guests /home/guests
#ls –l /home/guests
(It shows 20 guest users, numbered from 2001)
open another console………………….
Login : guest2007
Passwd : password   (classroom account; a shared, guessable password like this must not exist outside the lab)
#echo “Hello I am come back” > stationX ->
Then go to server PC
root#su – guest2007
#ls
#cat stationX   (the file written from the client above; "stationY" in the original note appears to be a slip)
#ls –l
NIS (Network Information System) is a network naming and administration system for smaller networks that was developed by Sun Microsystems. NIS+ is a later version that provides additional security and other facilities. Using NIS, each host client or server computer in the system has knowledge about the entire system. A user at any host can get access to files or applications on any host in the network with a single user identification and password. NIS is similar to the Internet's domain name system (DNS) but somewhat simpler and designed for a smaller network. It's intended for use on local area networks.
NIS uses the client/server model and the Remote Procedure Call (RPC) interface for communication between hosts. NIS consists of a server, a library of client programs, and some administrative tools. NIS is often used with the Network File System (NFS). NIS is a UNIX-based program. Note that classic NIS serves its maps — including the password hashes — unencrypted over RPC to any host that knows the domain name, so it belongs only on a trusted LAN; LDAP with TLS or Kerberos is the usual replacement.
Example of NIS Configuration.
#authconfig-tui
#system-config-authentication (Graphical Mode)
Authentication Configuration Screen
Enable NIS support Configure NIS
NIS Domain notexample
NIS Server Server1.example.com
#service network restart   (service and script names are case-sensitive)
#ifconfig
#ping server1
#showmount –e 192.168.0.254
(-e = show the NFS server’s export list)
#mkdir /home/guests
#mount 192.168.0.254:/home/guests /home/guests
#ls –l /home/guests
(It shows 20 guest users, numbered from 2001)
open another console………………….
Login : guest2007
Passwd : password   (classroom account; a shared, guessable password like this must not exist outside the lab)
#echo “Hello I am come back” > stationX ->
Then go to server PC
root#su – guest2007
#ls
#cat stationX   (the file written from the client above; "stationY" in the original note appears to be a slip)
#ls –l
Monday, February 20, 2012
Unit 10 SSH - Secure Shell
What is SSH?
SSH (Secure Shell) is a client/server package used in Unix and Linux systems to provide secure access to a remote system.
OpenSSH Overview
OpenSSH replaces common, insecure network communication applications (telnet, rsh/rlogin, rcp, ftp), which send credentials in cleartext
Provides user and token-based authentication
Capable of tunneling insecure protocols through port forwarding
System default configuration (client and server) resides in /etc/ssh/
OpenSSH Authentication
The sshd daemon can utilize several different authentication methods
password (sent securely)
RSA and DSA keys
Kerberos
s/key and SecureID
host authentication using system key pairs
Service Profile: SSH
Type: System V-managed service
Packages: openssh, openssh-clients, openssh-server
Daemon: /usr/sbin/sshd
Script: /etc/init.d/sshd
Port: 22
Configuration: /etc/ssh/sshd_config (server), /etc/ssh/ssh_config (client defaults)
OpenSSH Server Configuration
SSHD configuration file
/etc/ssh/sshd_config
The OpenSSH Client
Secure shell sessions
ssh hostname
ssh user@hostname
ssh hostname remote-command
Secure remote copy files and directories
scp file user@host:remote-dir
scp -r user@host:remote-dir localdir
Secure ftp provided by sshd
sftp host
sftp -C user@host
Protecting Your Keys
ssh-agent -- holds the decrypted private keys in memory for the session
ssh-add -- loads a key into the agent, asking for its passphrase once
Example of SSH Configuration
SSH /etc/ssh/sshd_config (key-based login between two stations)
NODE – 1 / StationX   (run these on stationX)
#useradd pop; passwd pop
#su - pop
pop$ ssh-keygen -t dsa   (DSA keys are limited to 1024 bits and disabled by default in current OpenSSH — prefer `ssh-keygen -t rsa -b 4096`, or ed25519 where available. Set a passphrase when asked: an unprotected key file is an unprotected login.)
# ls –a (show .ssh)
#cd .ssh
.ssh# ssh root@stationY   (direct root login over SSH; on a real host set `PermitRootLogin no` in sshd_config and use an ordinary account with su/sudo)
#useradd jak; passwd jak
#su - jak
#mkdir .ssh
#chmod 700 .ssh
#exit
.ssh#ls
id_dsa id_dsa.pub   (private and public key; only the .pub file ever leaves this host)
#scp id_dsa.pub jak@stationY:.ssh/authorized_keys   (this overwrites any existing authorized_keys on stationY; `ssh-copy-id jak@stationY` appends instead. authorized_keys must be mode 600 and ~/.ssh 700, or sshd's StrictModes rejects them.)
#ssh jak@stationY
(login now succeeds with the key — the key's passphrase, if one was set, is asked for instead of jak's password)
NODE – 2 / StationY   (run these on stationY)
#useradd jak; passwd jak
#mkdir .ssh
#chmod 700 .ssh
ssh stationY   or   ssh 192.168.0.Y   (password: redhat — the classroom root password)
scp /root/Desktop/ab* stationX:/root/Desktop
SSH (Secure Shell) is a client/server package used in Unix and Linux systems to provide secure access to a remote system.
OpenSSH Overview
OpenSSH replaces common, insecure network communication applications (telnet, rsh/rlogin, rcp, ftp), which send credentials in cleartext
Provides user and token-based authentication
Capable of tunneling insecure protocols through port forwarding
System default configuration (client and server) resides in /etc/ssh/
OpenSSH Authentication
The sshd daemon can utilize several different authentication methods
password (sent securely)
RSA and DSA keys
Kerberos
s/key and SecureID
host authentication using system key pairs
Service Profile: SSH
Type: System V-managed service
Packages: openssh, openssh-clients, openssh-server
Daemon: /usr/sbin/sshd
Script: /etc/init.d/sshd
Port: 22
Configuration: /etc/ssh/sshd_config (server), /etc/ssh/ssh_config (client defaults)
OpenSSH Server Configuration
SSHD configuration file
/etc/ssh/sshd_config
The OpenSSH Client
Secure shell sessions
ssh hostname
ssh user@hostname
ssh hostname remote-command
Secure remote copy files and directories
scp file user@host:remote-dir
scp -r user@host:remote-dir localdir
Secure ftp provided by sshd
sftp host
sftp -C user@host
Protecting Your Keys
ssh-agent -- holds the decrypted private keys in memory for the session
ssh-add -- loads a key into the agent, asking for its passphrase once
Example of SSH Configuration
SSH /etc/ssh/sshd_config (key-based login between two stations)
NODE – 1 / StationX   (run these on stationX)
#useradd pop; passwd pop
#su - pop
pop$ ssh-keygen -t dsa   (DSA keys are limited to 1024 bits and disabled by default in current OpenSSH — prefer `ssh-keygen -t rsa -b 4096`, or ed25519 where available. Set a passphrase when asked: an unprotected key file is an unprotected login.)
# ls –a (show .ssh)
#cd .ssh
.ssh# ssh root@stationY   (direct root login over SSH; on a real host set `PermitRootLogin no` in sshd_config and use an ordinary account with su/sudo)
#useradd jak; passwd jak
#su - jak
#mkdir .ssh
#chmod 700 .ssh
#exit
.ssh#ls
id_dsa id_dsa.pub   (private and public key; only the .pub file ever leaves this host)
#scp id_dsa.pub jak@stationY:.ssh/authorized_keys   (this overwrites any existing authorized_keys on stationY; `ssh-copy-id jak@stationY` appends instead. authorized_keys must be mode 600 and ~/.ssh 700, or sshd's StrictModes rejects them.)
#ssh jak@stationY
(login now succeeds with the key — the key's passphrase, if one was set, is asked for instead of jak's password)
NODE – 2 / StationY   (run these on stationY)
#useradd jak; passwd jak
#mkdir .ssh
#chmod 700 .ssh
ssh stationY   or   ssh 192.168.0.Y   (password: redhat — the classroom root password)
scp /root/Desktop/ab* stationX:/root/Desktop
Friday, February 17, 2012
Unit 9 DOVECOT (MRA) Mail Retrieval Protocols
What is DOVECOT?
Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written primarily with security in mind. Developed by Timo Sirainen, Dovecot was first released in July 2002.
Mail Retrieval Protocols
Post Office Protocol
All data, including passwords, is passed in cleartext over TCP port 110 — anyone on the network path can read the login
Use POP3s (SSL/TLS) on TCP port 995 instead, and do not expose plain POP3 beyond localhost
Internet Mail Access Protocol
All data, including passwords, is passed in cleartext over TCP port 143
Use IMAPs to provide SSL encryption of data over TCP port 993
Dovecot supports POP3, POP3s, IMAP, and IMAPs
Service Profile: Dovecot
Type: SystemV-managed service
Package: dovecot
Daemon: /usr/sbin/dovecot
Script: /etc/init.d/dovecot
Ports: 110 (pop), 995 (pop3s), 143 (imap), 993 (imaps)
Configuration: /etc/dovecot.conf
Dovecot Configuration
Listens on all IPv6 and IPv4 interfaces by default
Specify protocols in /etc/dovecot.conf
protocols = imap imaps pop3 pop3s   (leave out `imap` and `pop3` to refuse cleartext sessions entirely; Dovecot's `disable_plaintext_auth = yes`, the default, already rejects password logins on the non-TLS ports except from localhost)
Make a private key and self-signed certificate before using SSL (clients will warn about a self-signed certificate; for real users obtain one from a CA they trust)
Confirm system time to avoid date issues
Review /etc/dovecot.conf for key and cert locations
Run make -C /etc/pki/tls/certs dovecot.pem
Creates a single PEM file containing both the key and the cert.
Example of Dovecot Cofiguration
DOVECOT(MRA)
#yum install –y dovecot
#chkconfig dovecot on
#vim /etc/dovecot.conf   (specify the protocols)
Esc /protocols           (search for the line)
17 #protocols
18 (input) protocols = imap imaps pop3 pop3s   (the protocol name is `pop3`, not `pop`)
88
89
90 ssl_cert_file = /etc/pki/tls/certs/dovecot.pem   (the keyword is ssl_, not ssi_)
91 ssl_key_file = /etc/pki/tls/certs/dovecot.pem
:wq (save and quit)
#cd /etc/pki/tls/certs
#make dovecot.pem   (generates a self-signed certificate and its private key in one file; make sure the file is readable only by root, mode 0600, since it holds the private key)
IN ->                      (answers to the certificate prompts: country code)
ODISHA ->                  (state)
BHUBANESWAR ->             (city)
ISDAC ->                   (organisation)
RHCE ->                    (organisational unit)
stationX.example.com ->    (common name — must be the hostname clients connect to, or they get a name-mismatch warning)
root@stationX.example.com  (contact e-mail)
#service dovecot restart
#netstat -tnl   (ports 110, 995, 143 and 993 should now be listening)
#echo "I AM COME BACK" | mail -s litu student@stationX.example.com
GO TO STATION Y
# mutt -f {student@stationX.example.com}   (mutt's {user@host} form opens the mailbox over plain IMAP, port 143; use `mutt -f imaps://student@stationX.example.com` to force the TLS port 993)
o ->       (accept the certificate once; the original note shows "0")
passwd ->
mutt displays the server's self-signed certificate, asks whether to accept it, and then shows the message sent from stationX.
(Accepting an unknown certificate blindly trusts whoever answered on the network — compare its fingerprint with the one on the server before accepting.)
pki = Public key Infrastructure
tls = Transport Layer Security
certs = Certificates
SSL = Secure Socket Layer
Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written primarily with security in mind. Developed by Timo Sirainen, Dovecot was first released in July 2002.
Mail Retrieval Protocols
Post Office Protocol
All data, including passwords, is passed in cleartext over TCP port 110 — anyone on the network path can read the login
Use POP3s (SSL/TLS) on TCP port 995 instead, and do not expose plain POP3 beyond localhost
Internet Mail Access Protocol
All data, including passwords, is passed in cleartext over TCP port 143
Use IMAPs to provide SSL encryption of data over TCP port 993
Dovecot supports POP3, POP3s, IMAP, and IMAPs
Service Profile: Dovecot
Type: SystemV-managed service
Package: dovecot
Daemon: /usr/sbin/dovecot
Script: /etc/init.d/dovecot
Ports: 110 (pop), 995 (pop3s), 143 (imap), 993 (imaps)
Configuration: /etc/dovecot.conf
Dovecot Configuration
Listens on all IPv6 and IPv4 interfaces by default
Specify protocols in /etc/dovecot.conf
protocols = imap imaps pop3 pop3s   (leave out `imap` and `pop3` to refuse cleartext sessions entirely; Dovecot's `disable_plaintext_auth = yes`, the default, already rejects password logins on the non-TLS ports except from localhost)
Make a private key and self-signed certificate before using SSL (clients will warn about a self-signed certificate; for real users obtain one from a CA they trust)
Confirm system time to avoid date issues
Review /etc/dovecot.conf for key and cert locations
Run make -C /etc/pki/tls/certs dovecot.pem
Creates a single PEM file containing both the key and the cert.
Example of Dovecot Cofiguration
DOVECOT(MRA)
#yum install –y dovecot
#chkconfig dovecot on
#vim /etc/dovecot.conf   (specify the protocols)
Esc /protocols           (search for the line)
17 #protocols
18 (input) protocols = imap imaps pop3 pop3s   (the protocol name is `pop3`, not `pop`)
88
89
90 ssl_cert_file = /etc/pki/tls/certs/dovecot.pem   (the keyword is ssl_, not ssi_)
91 ssl_key_file = /etc/pki/tls/certs/dovecot.pem
:wq (save and quit)
#cd /etc/pki/tls/certs
#make dovecot.pem   (generates a self-signed certificate and its private key in one file; make sure the file is readable only by root, mode 0600, since it holds the private key)
IN ->                      (answers to the certificate prompts: country code)
ODISHA ->                  (state)
BHUBANESWAR ->             (city)
ISDAC ->                   (organisation)
RHCE ->                    (organisational unit)
stationX.example.com ->    (common name — must be the hostname clients connect to, or they get a name-mismatch warning)
root@stationX.example.com  (contact e-mail)
#service dovecot restart
#netstat -tnl   (ports 110, 995, 143 and 993 should now be listening)
#echo "I AM COME BACK" | mail -s litu student@stationX.example.com
GO TO STATION Y
# mutt -f {student@stationX.example.com}   (mutt's {user@host} form opens the mailbox over plain IMAP, port 143; use `mutt -f imaps://student@stationX.example.com` to force the TLS port 993)
o ->       (accept the certificate once; the original note shows "0")
passwd ->
mutt displays the server's self-signed certificate, asks whether to accept it, and then shows the message sent from stationX.
(Accepting an unknown certificate blindly trusts whoever answered on the network — compare its fingerprint with the one on the server before accepting.)
pki = Public key Infrastructure
tls = Transport Layer Security
certs = Certificates
SSL = Secure Socket Layer
Thursday, February 16, 2012
Unit 8 Sendmail (Simple Mail Transport Protocol)
What is Sendmail?
On the Internet, sendmail is the most popular UNIX-based implementation of the Simple Mail Transfer Protocol (SMTP) for transmitting e-mail. When a sendmail server receives e-mail, it attempts to deliver.
Service Profile: Sendmail
Type: System V-managed service
Packages: sendmail, sendmail-cf, sendmail-doc
Daemon: /usr/sbin/sendmail
Script: /etc/init.d/sendmail
Port: 25 (smtp)
Configuration: /etc/mail/sendmail.cf, /etc/mail/sendmail.mc, /etc/aliases, /etc/mail/virtusertable, /etc/mail/access
Intro to Sendmail Configuration
Red Hat uses and recommends the m4 macro language
Use `dnl` followed by a space to comment out a line in an m4 macro file
service sendmail restart uses /etc/mail/Makefile
Converts /etc/mail/sendmail.mc into /etc/mail/sendmail.cf
Rehashes various flat-file databases
make compares timestamps; touch a file to force a rebuild/rehash
sendmail-cf is not installed by default
The init script will not rebuild files unless sendmail-cf has been installed.
Incoming Sendmail Configuration
Modify /etc/mail/sendmail.mc to listen on all interfaces by commenting out the loopback-only DAEMON_OPTIONS line:
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
(once this line is disabled, sendmail accepts connections from the whole network — do it only together with the access controls and firewall rule below, never on a host that was relying on the loopback restriction for protection)
Add to /etc/mail/local-host-names each hostname by which the server may be referred
Modify access control
Update /etc/hosts.{allow,deny}
Add a Netfilter (iptables) rule to allow inbound SMTP traffic on TCP port 25
Restart sendmail
Outgoing Sendmail Configuration
Red Hat provides a default /etc/mail/submit.cf
rarely needs modification
enables sendmail to act as a client MSP
To masquerade as a domain instead of a single host
Uncomment the following lines in /etc/mail/sendmail.mc
EXPOSED_USER(`root')dnl
FEATURE(masquerade_envelope)dnl
MASQUERADE_AS(`example.com')dnl
FEATURE(masquerade_entire_domain)dnl
Inbound Sendmail Aliases
Local aliases: /etc/aliases
Programs must be linked under /etc/smrsh for the Sendmail Restricted Shell
fakename: realname
a-list: fakename, otheruser
helpdesk: | mail2ticket
Virtual aliases: /etc/mail/virtusertable
admin@123.com shopper
admin@xyz.org jdj
pageme@he.net lmiwtc@pg.com
@cba.com cba@aol.com
@dom1.org %1@dom2.org
Outbound Address Rewriting
Add the following lines to /etc/mail/sendmail.mc
FEATURE(genericstable)dnl
FEATURE(`always_add_domain')dnl
GENERICS_DOMAIN_FILE(`/etc/mail/local-host-names')dnl
Create and populate /etc/mail/genericstable
paul@example.com paul@otherexample.com
david@example.com david.lastname@example.com
Domains must be listed in /etc/mail/local-host-names
Address rewriting occurs for SMTP and not LMTP
Sendmail SMTP Restrictions
Enable in /etc/mail/sendmail.mc using
FEATURE(`blacklist_recipients')dnl
Add restrictions in /etc/mail/access
From:90trialspammer@aol.com REJECT
Connect:spamRus.net REJECT
Connect:204.168.23 REJECT
Connect:10.3 OK
From:virtualdomain1.com RELAY
To:user@dom9.com ERROR:550 mail discarded
To:nobody@ ERROR:550 bad name
Sendmail Operation
/etc/mail/local-host-names
must contain server's name and aliases
mail -v user
view SMTP exchange with local relay
mailq and mailq -Ac
view messages queued for future delivery
sendmail -q
reprocess the email queue
tail -f /var/log/maillog
View log in real-time
Configure sendmail server
RPM packages required: sendmail, sendmail-cf and m4
Ubuntu/Debian install: sudo apt-get install sendmail sendmail-base sendmail-bin sendmail-cf mailutils
Sendmail receives mail for local system user login accounts. Mail is held in a single file: /var/mail/userID
Steps to run mail server using sendmail:
1. Required for inbound mail: The mail server must be identified by the DNS as the mail server in order to receive mail. See the YoLinux web tutorial on configuring DNS.
2. /etc/mail/local-host-names (Required) (Red Hat 7.1 - Fedora Core 3)
/etc/sendmail.cw (Red Hat 6.x)
This file contains all of the alternate host names of the server. (i.e. domain-name.com) Sendmail will not accept mail for a domain unless it is permitted to do so by the contents of this file.
Sample:
megawebhost.com
yolinux.com
yo-linux.com
3. File /etc/aliases (Optional) lists alternative names for email recipients.
Sample:
webmaster: john, dave
postmaster: kim, garret
larry.anderson: larry
moe.anderson: moe
curly.anderson: curly
After creation or modification one must run the command newaliases which will generate a new version of the file /etc/aliases.db There is no need to restart the sendmail daemon. The changes are picked up automatically.
4. File /etc/mail/virtusertable (Optional) Allows the separation of emails by domain. i.e. greg@domain1.com and greg@domain2.com go to two different users greg1 and greg2.
webmaster@domain-1.com dave
webmaster@domain-2.com john
john@domain-2.com john
@domain-2.com error:nouser User unknown
@domain3.com mathew
The second column is the local user, a remote forwarding email address or a mailing list entry in /etc/aliases.
The domain "domain-2.com" will only receive email for john@domain-2.com and webmaster@domain-2.com while all other mail to this domain receives an error message.
Convert /etc/mail/virtusertable to /etc/mail/virtusertable.db with the commands:
cd /etc/mail
make
5. Relaying and receiving mail is controlled by the file: /etc/mail/access. By default relaying is only allowed by localhost and sendmail will accept mail from all. (Red Hat 7.1 default is more strict but the restriction is not from the access file. More below.)
Required for outbound email. Helpful for blocking some unwanted inbound email.
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
Generate database file:
[root prompt]# makemap hash /etc/mail/access.db < /etc/mail/access
The access file can be used to thwart spammers. List the IP addresses or email addresses to deny in the file /etc/mail/access.
After adding entries to the access file, generate the database file with the command above.
XXX.XXX.XXX.XXX REJECT
YYY.YYY.YYY.YYY ERROR:"550 We don't accept mail from spammers"
spammer@isp.com REJECT " Spam not accepted"
ZZZ.ZZZ.ZZZ.ZZZ OK - Override rules and allow
ZZZ.ZZZ OK - Allow from ZZZ.ZZZ.*.* network
See the /etc/mail/access file I am currently using. It changes daily. Feel free to cut and paste this Sendmail access file to your system.
Other access lists:
Iowa State University
West-Point.org
IP block list used by http: Wizcrafts.net: Exploited server list
Sendmail.org: More info on cf-readme (See Anti-Spam section)
6. Sendmail must be running. See the YoLinux init tutorial to learn how the sendmail daemon can be configured to be started by the system upon system boot. This may have been configured during installation.
On the Internet, sendmail is the most popular UNIX-based implementation of the Simple Mail Transfer Protocol (SMTP) for transmitting e-mail. When a sendmail server receives e-mail, it attempts to deliver it.
Service Profile: Sendmail
Type: System V-managed service
Packages: sendmail, sendmail-cf, sendmail-doc
Daemon: /usr/sbin/sendmail
Script: /etc/init.d/sendmail
Port: 25 (smtp)
Configuration: /etc/mail/sendmail.cf, /etc/mail/sendmail.mc, /etc/aliases, /etc/mail/virtusertable, /etc/mail/access
Intro to Sendmail Configuration
Red Hat uses and recommends the m4 macro language
Use dnl followed by a space to comment out a line within an m4 macro file
service sendmail restart uses /etc/mail/Makefile
Converts /etc/mail/sendmail.mc into /etc/mail/sendmail.cf
Rehashes various flat-file databases
make compares timestamps; touch a file to force a rebuild/rehash
sendmail-cf is not installed by default
The init script will not rebuild files unless sendmail-cf has been installed.
Incoming Sendmail Configuration
Modify /etc/mail/sendmail.mc to listen on all interfaces by commenting out (prefixing with dnl) the loopback-only DAEMON_OPTIONS line below; once the daemon is reachable from other hosts, the access-control steps that follow are what keep it from relaying for arbitrary senders
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
Add to /etc/mail/local-host-names each hostname by which the server may be referred
Modify access control
Update /etc/hosts.{allow,deny}
Add an Netfilter rule to allow SMTP traffic
Restart sendmail
Outgoing Sendmail Configuration
Red Hat provides a default /etc/mail/submit.cf
rarely needs modification
enables sendmail to act as a client MSP
To masquerade as a domain instead of a single host
Uncomment the following lines in /etc/mail/sendmail.mc
EXPOSED_USER(`root')dnl
FEATURE(masquerade_envelope)dnl
MASQUERADE_AS(`example.com')dnl
FEATURE(masquerade_entire_domain)dnl
Inbound Sendmail Aliases
Local aliases: /etc/aliases
Programs must be linked under /etc/smrsh for the Sendmail Restricted Shell
fakename: realname
a-list: fakename, otheruser
helpdesk: | mail2ticket
Virtual aliases: /etc/mail/virtusertable
admin@123.com shopper
admin@xyz.org jdj
pageme@he.net lmiwtc@pg.com
@cba.com cba@aol.com
@dom1.org %1@dom2.org
Outbound Address Rewriting
Add the following lines to /etc/mail/sendmail.mc
FEATURE(genericstable)dnl
FEATURE(`always_add_domain')dnl
GENERICS_DOMAIN_FILE(`/etc/mail/local-host-names')dnl
Create and populate /etc/mail/genericstable
paul@example.com paul@otherexample.com
david@example.com david.lastname@example.com
Domains must be listed in /etc/mail/local-host-names
Address rewriting occurs for SMTP and not LMTP
Sendmail SMTP Restrictions
Enable in /etc/mail/sendmail.mc using
FEATURE(`blacklist_recipients')dnl
Add restrictions in /etc/mail/access
From:90trialspammer@aol.com REJECT
Connect:spamRus.net REJECT
Connect:204.168.23 REJECT
Connect:10.3 OK
From:virtualdomain1.com RELAY
To:user@dom9.com ERROR:550 mail discarded
To:nobody@ ERROR:550 bad name
Sendmail Operation
/etc/mail/local-host-names
must contain the server's name and aliases
mail -v user
view SMTP exchange with local relay
mailq and mailq -Ac
view messages queued for future delivery
sendmail -q
reprocess the email queue
tail -f /var/log/maillog
View log in real-time
Configure sendmail server
RPM packages required: sendmail, sendmail-cf and m4
Ubuntu/Debian install: sudo apt-get install sendmail sendmail-base sendmail-bin sendmail-cf mailutils
Sendmail receives mail for local system user login accounts. Mail is held in a single file: /var/mail/userID
Steps to run mail server using sendmail:
1. Required for inbound mail: The mail server must be identified by the DNS as the mail server in order to receive mail. See the YoLinux web tutorial on configuring DNS.
2. /etc/mail/local-host-names (Required) (Red Hat 7.1 - Fedora Core 3)
/etc/sendmail.cw (Red Hat 6.x)
This file contains all of the alternate host names of the server. (i.e. domain-name.com) Sendmail will not accept mail for a domain unless it is permitted to do so by the contents of this file.
Sample:
megawebhost.com
yolinux.com
yo-linux.com
3. File /etc/aliases (Optional) lists alternative names for email recipients.
Sample:
webmaster: john, dave
postmaster: kim, garret
larry.anderson: larry
moe.anderson: moe
curly.anderson: curly
After creation or modification one must run the command newaliases which will generate a new version of the file /etc/aliases.db There is no need to restart the sendmail daemon. The changes are picked up automatically.
4. File /etc/mail/virtusertable (Optional) Allows the separation of emails by domain. i.e. greg@domain1.com and greg@domain2.com go to two different users greg1 and greg2.
webmaster@domain-1.com dave
webmaster@domain-2.com john
john@domain-2.com john
@domain-2.com error:nouser User unknown
@domain3.com mathew
The second column is the local user, a remote forwarding email address or a mailing list entry in /etc/aliases.
The domain "domain-2.com" will only receive email for john@domain-2.com and webmaster@domain-2.com while all other mail to this domain receives an error message.
Convert /etc/mail/virtusertable to /etc/mail/virtusertable.db with the commands:
cd /etc/mail
make
5. Relaying and receiving mail is controlled by the file: /etc/mail/access. By default relaying is only allowed by localhost and sendmail will accept mail from all. (Red Hat 7.1 default is more strict but the restriction is not from the access file. More below.)
Required for outbound email. Helpful for blocking some unwanted inbound email.
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
Generate database file:
[root prompt]# makemap hash /etc/mail/access.db < /etc/mail/access
The access file can be used to thwart spammers. List the IP addresses or email addresses to deny in the file /etc/mail/access.
After adding entries to the access file, generate the database file with the command above.
XXX.XXX.XXX.XXX REJECT
YYY.YYY.YYY.YYY ERROR:"550 We don't accept mail from spammers"
spammer@isp.com REJECT " Spam not accepted"
ZZZ.ZZZ.ZZZ.ZZZ OK - Override rules and allow
ZZZ.ZZZ OK - Allow from ZZZ.ZZZ.*.* network
See the /etc/mail/access file I am currently using. It changes daily. Feel free to cut and paste this Sendmail access file to your system.
Other access lists:
Iowa State University
West-Point.org
IP block list used by http: Wizcrafts.net: Exploited server list
Sendmail.org: More info on cf-readme (See Anti-Spam section)
6. Sendmail must be running. See the YoLinux init tutorial to learn how the sendmail daemon can be configured to be started by the system upon system boot. This may have been configured during installation.
Wednesday, February 15, 2012
Unit 7 Squid Web Proxy Cache
Squid Web Proxy Cache
What is SQUID Proxy Server?
Squid is a caching proxy server that shares an internet connection from one machine with several machines.
It supports HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows.
Service Profile: Squid
Type: SystemV-managed service
Package: squid
Daemon: /usr/sbin/squid
Script: /etc/init.d/squid
Port: 3128(squid), (configurable)
Configuration: /etc/squid/squid.conf
Useful parameters in /etc/squid/squid.conf
http_port 3128
cache_mem 8 MB
cache_dir ufs /var/spool/squid 100 16 256
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
http_access allow localhost
http_access deny all
Example of SQUID Configuration
SQUID is a web proxy service.
# ping yahoo.com
Edit -> Preferences -> Manual Proxy Configuration -> enter your own IP address,
then enter port 3128 -> OK -> Close.
www.yahoo.com (in Firefox) does not ping and does not open.
#netstat -tnl (the squid port 3128 is not open)
#yum -y install squid (3128)
#service squid start
#netstat -tnl (the squid port 3128 is now open)
Edit -> Preference -> Manual Proxy Configuration -> 127.0.0.1 ->
3128 -> OK
In firefox www.yahoo.com (open the browser)
How many PCs are allowed to use the proxy service.
#vim /etc/squid/squid.conf
Esc /acl all -> matches all ~4 billion IPv4 addresses (acl means we have to define an
access control list)
2394 acl all src 0.0.0.0/0.0.0.0 -> (src means source IP address)
2395 (type) acl isdac src 192.168.0.0/24 -> 256 PCs
Esc /http_access allow localhost
2527 http_access allow localhost ->
2528 http_access allow isdac (type)
wq ->
# service squid restart
Edit -> preference -> manual -> 192.168.0.X -> 3128 -> OK
Open Firefox
http://www.yahoo.com
Restricting destinations in the squid service (http_access rules are checked in order and the first match wins, so the deny rule for yahoo is placed before the allow rule for isdac)
# vim /etc/squid/squid.conf
Esc /acl
2395 acl isdac src 192.168.0.0/24
2396 acl yahoo dstdomain .yahoo.com (type)
Esc htaccess
Esc /http_access allow localhost
2528 http_access allow localhost
2529 http_access deny yahoo
2530 http_access allow isdac
2531 http_access deny all
#service squid restart
#vim /etc/squid/squid.conf
Esc /3128 Press N
73 http_port 8080
#service squid restart.
acl all
acl isdac src 192.168.0.0/24
acl mitu dstdomain .yahoo.com
http_access deny mitu
http_access allow isdac
Squid content filtering: block the download of music (MP3), video (mpg, mpeg) and executable files
Q. For security and to save bandwidth I would like to configure the Squid proxy server in such a way that my users cannot download any of the following file types:
MP3
MPEG
MPG
AVG
AVI
EXE
How do I configure squid content filtering?
A. You can use squid ACL (access control list) to block all these files easily.
How do I block music files using squid content filtering ACL?
First open squid.conf file /etc/squid/squid.conf:
# vi /etc/squid/squid.conf
Now add following lines to your squid ACL section:
acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"
If you want to display a custom error message when a file is blocked:
# Deny all blocked extension
deny_info ERR_BLOCKED_FILES blockfiles
http_access deny blockfiles
Save and close the file.
Create a custom error message HTML file called ERR_BLOCKED_FILES in the /etc/squid/error/ directory or the /usr/share/squid/errors/English directory.
# vi ERR_BLOCKED_FILES
Append following content:
Caution: Do not include HTML close tags
What is SQUID Proxy Server?
Squid is a caching proxy server that shares an internet connection from one machine with several machines.
It supports HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows.
Service Profile: Squid
Type: SystemV-managed service
Package: squid
Daemon: /usr/sbin/squid
Script: /etc/init.d/squid
Port: 3128(squid), (configurable)
Configuration: /etc/squid/squid.conf
Useful parameters in /etc/squid/squid.conf
http_port 3128
cache_mem 8 MB
cache_dir ufs /var/spool/squid 100 16 256
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
http_access allow localhost
http_access deny all
Example of SQUID Configuration
SQUID is a web proxy service.
# ping yahoo.com
Edit -> Preferences -> Manual Proxy Configuration -> enter your own IP address,
then enter port 3128 -> OK -> Close.
www.yahoo.com (in Firefox) does not ping and does not open.
#netstat -tnl (the squid port 3128 is not open)
#yum -y install squid (3128)
#service squid start
#netstat -tnl (the squid port 3128 is now open)
Edit -> Preference -> Manual Proxy Configuration -> 127.0.0.1 ->
3128 -> OK
In firefox www.yahoo.com (open the browser)
How many PCs are allowed to use the proxy service.
#vim /etc/squid/squid.conf
Esc /acl all -> matches all ~4 billion IPv4 addresses (acl means we have to define an
access control list)
2394 acl all src 0.0.0.0/0.0.0.0 -> (src means source IP address)
2395 (type) acl isdac src 192.168.0.0/24 -> 256 PCs
Esc /http_access allow localhost
2527 http_access allow localhost ->
2528 http_access allow isdac (type)
wq ->
# service squid restart
Edit -> preference -> manual -> 192.168.0.X -> 3128 -> OK
Open Firefox
http://www.yahoo.com
Restricting destinations in the squid service (http_access rules are checked in order and the first match wins, so the deny rule for yahoo is placed before the allow rule for isdac)
# vim /etc/squid/squid.conf
Esc /acl
2395 acl isdac src 192.168.0.0/24
2396 acl yahoo dstdomain .yahoo.com (type)
Esc htaccess
Esc /http_access allow localhost
2528 http_access allow localhost
2529 http_access deny yahoo
2530 http_access allow isdac
2531 http_access deny all
#service squid restart
#vim /etc/squid/squid.conf
Esc /3128 Press N
73 http_port 8080
#service squid restart.
acl all
acl isdac src 192.168.0.0/24
acl mitu dstdomain .yahoo.com
http_access deny mitu
http_access allow isdac
Squid content filtering: block the download of music (MP3), video (mpg, mpeg) and executable files
Q. For security and to save bandwidth I would like to configure the Squid proxy server in such a way that my users cannot download any of the following file types:
MP3
MPEG
MPG
AVG
AVI
EXE
How do I configure squid content filtering?
A. You can use squid ACL (access control list) to block all these files easily.
How do I block music files using squid content filtering ACL?
First open squid.conf file /etc/squid/squid.conf:
# vi /etc/squid/squid.conf
Now add following lines to your squid ACL section:
acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"
If you want to display a custom error message when a file is blocked:
# Deny all blocked extension
deny_info ERR_BLOCKED_FILES blockfiles
http_access deny blockfiles
Save and close the file.
Create a custom error message HTML file called ERR_BLOCKED_FILES in the /etc/squid/error/ directory or the /usr/share/squid/errors/English directory.
# vi ERR_BLOCKED_FILES
Append following content:
Caution: Do not include HTML close tags