Tuesday, February 28, 2012

NETWORK CONFIGURATION

Four Main Network Configuration Files in LINUX Environment.

1. /etc/sysconfig/network-scripts/ifcfg-eth0

Dynamic IPV4 Configuration


# Dynamic (DHCP) IPv4 configuration for the first NIC.
DEVICE=eth0
# Address, netmask, gateway and (unless PEERDNS=no) resolvers come from DHCP.
BOOTPROTO=dhcp
# MAC address this file is bound to; it must be the card's real address.
# NOTE(review): the static eth1 example below reuses this exact value —
# two NICs cannot share a HWADDR, copy each card's own MAC instead.
HWADDR=00:0D:60:FB:CA:61
# Bring the interface up at boot.
ONBOOT=yes


Statioc IPV4 Configuration

# Static IPv4 configuration for a second NIC.
DEVICE=eth1
# No DHCP: the address below is fixed.
BOOTPROTO=none
# NOTE(review): identical to the HWADDR in the eth0 example above. Two NICs
# cannot share a MAC, and ifup is expected to refuse the device when the
# value does not match the card — use eth1's real address here.
HWADDR=00:0D:60:FB:CA:61
ONBOOT=yes
# X is a per-station placeholder, not a literal value.
IPADDR=192.168.0.X
NETMASK=255.255.255.0
# A per-interface GATEWAY overrides the global one in /etc/sysconfig/network.
GATEWAY=192.168.0.254
# Keep /etc/resolv.conf under manual control (only matters when DHCP runs).
PEERDNS=no
TYPE=Ethernet
# Only root may ifup/ifdown this interface — keep "no" on servers.
USERCTL=no
# Do not configure IPv6 on this interface at all.
IPV6INIT=no


2. #cat /etc/sysconfig/network

# Global networking defaults; per-interface ifcfg files override these.
NETWORKING=yes
# IPv6 is enabled system-wide even though ifcfg-eth1 sets IPV6INIT=no —
# check this is intended, as it widens the reachable address surface.
NETWORKING_IPV6=yes
# Replace with the machine's real FQDN.
HOSTNAME=localhost.localdomain
# Default gateway for interfaces that set none (eth1 above sets its own).
GATEWAY=10.53.0.254

3. #cat /etc/hosts

127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
# NOTE(review): 127.0.0.0/8 is the loopback range, so 127.31.53.1 never leaves
# this host; 172.31.53.1 is probably what was meant — confirm.
127.31.53.1 stationX.example.com stationX


4. #cat /etc/resolv.conf


search example.com another.org
# NOTE(review): 127.31.35.2 is inside the loopback range 127.0.0.0/8 and can
# never reach a remote resolver; 172.31.35.2 is probably what was meant — confirm.
nameserver 127.31.35.2
nameserver 192.168.1.3

RAID & LVM

LVM


Create

#Linux partitions /dev/sda7, /dev/sda8, /dev/sda9 (partition type 8e, Linux LVM)
#pvcreate /dev/sda{7,8}
#vgcreate vg0 /dev/sda{7,8}
#lvcreate -n data -L 200M vg0        (-n takes the LV name, not a path; the LV then appears as /dev/vg0/data)
#vgdisplay vg0
#lvdisplay /dev/vg0/data

Extend

#pvcreate /dev/sda9
#vgextend vg0 /dev/sda9
#lvextend -L 260M /dev/vg0/data      (absolute size; -L +60M adds 60M instead — same result here: 200+60)
#resize2fs /dev/vg0/data             (grows the ext3 filesystem to fill the LV; growing can be done while mounted)


Reduce


(Shrinking destroys data if the filesystem is not reduced FIRST, to a size no larger than the new LV — unmount and back up before doing this.)
#umount /dev/vg0/data
#e2fsck -f /dev/vg0/data
#resize2fs /dev/vg0/data 60M
#lvreduce -L 60M /dev/vg0/data

RAID & LVM CONFIGURATION :

1. use fdisk /dev/sda to create 100MB each partition
(7,8,9,10)

2. set the partition type ('t') to 'fd' (Linux raid autodetect)

3. save ‘w’ & for kernel reconfiguration is

#partprobe /dev/sda

#mdadm -C /dev/md0 -l 1 -n 2 /dev/sda{7,8}
#mdadm -C /dev/md1 -l 1 -n 2 /dev/sda{9,10} -a yes
#mkfs.ext3 /dev/md0

(cat /proc/mdstat) show the status

#mkfs.ext3 /dev/md1
#mkdir /data
#mount /dev/md0 /data
#df -h
#mdadm --detail /dev/md0
#umount /data
#mdadm -f /dev/md0 /dev/sda7        (mark the member failed — simulates a disk failure)
#cat /proc/mdstat
#mdadm -r /dev/md0 /dev/sda7        (hot remove)
#mdadm -a /dev/md0 /dev/sda7        (re-add; the mirror rebuilds)
#cat /proc/mdstat
#umount /dev/md0
#pvcreate /dev/md0
#vgcreate volgroup /dev/md0
#lvcreate volgroup –n /dev/volgroup/data –L 100M
#mkfs.ext3 /dev/volgroup/data
#mkdir /data
#vim /etc/fstab

/dev/volgroup/data /data ext3 defaults 0 0     (the option keyword is "defaults"; "default" is rejected and the mount fails at boot)

#mount -a
#rm /etc/lvm/.cache
#reboot -f     (-f bypasses the init shutdown scripts, so filesystems are not unmounted cleanly; a plain "reboot" is safer for this test)

#vgdisplay volgroup
#lvdisplay /dev/volgroup/data
#pvcreate /dev/md1
#vgextend volgroup /dev/md1
#lvextend -L 140M /dev/volgroup/data   (100+40)
#resize2fs /dev/volgroup/data
#mount /dev/volgroup/data /data
#df -h
#umount /data
#e2fsck -f /dev/volgroup/data
#resize2fs /dev/volgroup/data 40M
#lvreduce -L 40M /dev/volgroup/data
#lvdisplay /dev/volgroup/data

Now lvsize 140MB reduced by 100MB 140-100=40MB,
Now lvsize 40MB.

OPEN OFFICE INSTALLATION IN LINUX

OPEN OFFICE INSTALLATION through "rpm"

#lftp 192.168.0.254
#cd pub
#get OO
#bye
#tar xzvf OO
#cd OOF
#cd RPMS
#rpm -K *.rpm          (verify the vendor GPG signatures first — these files arrived over anonymous FTP with no integrity protection; import the vendor key with rpm --import if needed)
#rpm -ivh *.rpm
#cd desktop-integration
#rpm -ivh openoffice.org-redhat-menus*.rpm
#init 6


OPEN OFFICE INSTALLATION through "yum"

#lftp Server1
#cd pub
#get OO
#bye
#tar xzvf OO
#mv OOF openoffice
#yum install createrepo
#cd /openoffice/RPMS
#createrepo -v $(pwd)        (or: createrepo -v /root/openoffice/RPMS)
#vi /etc/yum.repos.d/oof.repo
[oof-Repo]
name=Open Office Repo at my PC
# Local directory repository built with createrepo (file:// — no network).
baseurl=file:///root/openoffice/RPMS
enabled=1
# gpgcheck=0 turns off RPM signature verification for everything in this repo.
# Tolerable only because the packages were placed here by hand and checked
# with rpm -K; for anything fetched from a server set gpgcheck=1 and point
# gpgkey= at the vendor key.
gpgcheck=0
#yum install openoffice.org-*
#cd desktop-integration
#rpm -ivh openoffice.org-redhat-menus*.rpm     ("-ich" in the original notes appears to be a typo for -ivh)
#init 6

REPOSITORY

What's in a repository?

A repository is a central place where data is stored and maintained. A repository can be a place where multiple databases or files are located for distribution over a network, or a repository can be a location that is directly accessible to the user without having to travel across a network.


Create Repository "ftp"

#/etc/yum.repos.d/server1.repo
[Server1-Repo]
name=Server Reposetary
# Plain FTP: unauthenticated and unencrypted, so anyone on the path can
# replace or tamper with packages in transit.
baseurl=ftp://server1/pub/Server
enabled=1
# With gpgcheck=0 nothing catches such tampering — yum installs, as root,
# whatever it receives. Use gpgcheck=1 plus gpgkey=file:///etc/pki/rpm-gpg/<vendor key>
# unless this is a throwaway lab machine.
gpgcheck=0
: wq ->
#yum list available


Create Repository "http"


#/etc/yum.repos.d/shishir.repo
[shihsir-repo]
name=shishir’s repository
# Plain HTTP: no transport integrity, so packages can be swapped in transit.
baseurl=http://Server1.example.com/path
enabled=1
# gpgcheck=0 disables the only check that would catch a tampered package;
# set gpgcheck=1 and add gpgkey= for anything beyond a classroom lab.
gpgcheck=0

Create own pc Private Repository

#/etc/yum.repos.d/shishir.repo
[shihsir-repo]
name=shishir’s repository
# Local on-disk repository; yum reads it as root so /root being 0700 is fine.
baseurl=file:///root/Server
enabled=1
# Signature verification is off; acceptable only because the tree was copied
# by hand — verify the copy with rpm -K before relying on it.
gpgcheck=0
#rpm -ivh Server/createrepo-*.rpm     (install createrepo from the local package tree; the original "-o" appears to be a typo)
#createrepo Server/
#yum list all


Linux Boot Sequence Overview

A. Boot Sequence Overview

#/boot/grub/grub.conf

Kernel initialization (kernel boot-time functions):

1. Device Detection
2. Device Driver Initialization
3. Mounts root filesystem readonly
4. Loads initial process (init)

The MD5 password hash for GRUB can be created with grub-md5-crypt. It is a fast legacy hash: it stops a casual console user from editing boot entries or dropping to single-user mode, but offers little against offline cracking if the hash leaks, so keep /boot/grub/grub.conf readable by root only (mode 600) — and it does not stop someone who can boot the machine from other media.

If for some reason your MBR becomes corrupted and we need to
reinstall GRUB, we can do so with the command /sbin/grub-install
boot-device
. Occasionally it may prove necessary for the user to set
up grub manually. If grub-install fails for some reason try the
following:

1. Type the command grub and press Enter.
2. Type root (hd0,0)   (the partition holding /boot — adjust if /boot is elsewhere)
3. Type setup (hd0)
4. Type quit.

or

#chroot /mnt/sysimage
#grub-install /dev/sda
#exit


4 important files :
1. #/etc/inittab
2. #/etc/rc.local
3. #~/.bash_profile   (per-user login script; "/etc/.bash_profile" in the original notes does not exist — the system-wide equivalent is /etc/profile)
4. #/boot/grub/grub.conf


GRUB SCREEN PASSWD


Go to single-user mode: at the GRUB menu press `e`, select the kernel line and press `e` again, append `s` (or `single`), press Enter, then `b` to boot. Without a GRUB password anyone with console access gets a root shell this way — which is what the steps below prevent.

sh# grub-md5-crypt
passwd:……………………
retype passwd:…………………….

Then copy the resulting $1$… hash.
Go to another terminal…………..

#vim /boot/grub/grub.conf

below the hiddenmenu line (before the first "title" stanza) write

password --md5 <paste the hash here>

:wq ->
#chmod 600 /boot/grub/grub.conf    (normally already root-only; verify, since the hash must not be world-readable)

B. Updating a Kernel RPM

#uname -r (show the currently running kernel version)
#lftp Server1 ->
#server1>cd pub ->
#pub > get K ->
#bye ->
#root#ll
#rpm -K K        (verify the kernel package's GPG signature before installing anything fetched over plain FTP)
#rpm -ivh K      (-i installs alongside the running kernel — never -U for kernels, so the old one stays bootable)
#reboot          (avoid -f here: it bypasses the shutdown scripts)
#uname -r or vim /boot/grub/grub.conf

Wednesday, February 22, 2012

Unit 12 NFS, AUTOMOUNTER, SWAP FILES & PARTITIONS

Example of NFS, AUTOMOUNTER, SWAP FILES & PARTITIONS Configuration

NFS

#mkdir /mnt/shishir
#mount -t nfs server1:/var/ftp/pub /mnt/shishir
#vim /etc/fstab
server1:/var/ftp/pub /mnt/shishir nfs defaults 0 0     (mount point and type are separate fields; the option keyword is "defaults")
:wq ->

AUTOMOUNTER

#showmount -e server1 (list the NFS exports offered by server1)
#service iptables stop
#chkconfig iptables off
(Turning the firewall off is a lab shortcut only — on a real client keep iptables enabled and open just what NFS needs: portmap 111, nfs 2049 tcp/udp and the mountd port.)
#chkconfig --list | grep iptables
#mkdir /mnt/lg
#vim /etc/auto.master ->
(input)
/mnt/lg /etc/auto.Samsung --timeout=60
#service autofs restart
#cd /mnt/lg/intel (try to access)
#intel#ls ->

SWAP FILES & PARTITIONS

#mkswap /dev/sda7    (fails if the new partition is not yet visible to the kernel — hence partprobe next)
#partprobe /dev/sda
#mkswap /dev/sda7
#swapon -s
(only sda6 is initialized by fstab)
(swap partition status)
#vim /etc/fstab
/dev/sda7 swap swap defaults 0 0
#swapon -a (activate every swap entry listed in /etc/fstab)
(Activates the swap partitions that /etc/fstab lists)
#swapon -s
#dd if=/dev/zero of=myswap bs=1M count=128
#chmod 600 myswap    (a swap file holds whatever was in RAM — passwords, keys — so it must not be readable by other users)
#ls -lh
#mkswap myswap
#swapon myswap       (swapon -a takes no file argument; name the file directly)
#swapon -s
#vim /etc/fstab      (preferred: add "/root/myswap swap swap defaults 0 0" so swapon -a picks it up at boot)
 — or — #vim /etc/rc.local (input at line 6)
swapon /root/myswap
:wq ->


AUTOMOUNTER

NAME
automount - configure mount points for autofs
SYNOPSIS
automount [options] mount-point map-type[,format] map [map-options]
DESCRIPTION
The automount program is used to configure a mount point for autofs, the inlined Linux automounter. automount works by taking a base mount-point and map file, and using these (combined with other options) to automatically mount filesystems within the base mount-point when they are accessed in any way. The filesystems are then autounmounted after a period of inactivity.
OPTIONS

-p, --pid-file
Write the pid of the daemon to the specified file.
-t, --timeout
Set the minimum timeout, in seconds, until directories are unmounted. The default is 5 minutes. Setting the timeout to zero disables unmounts completely.
-v, --version
Display the version number, then exit.

ARGUMENTS
automount takes at least three arguments. Mandatory arguments include mount-point, map-type and map. Both mandatory and optional arguments are described below.

mount-point
Base location for autofs-mounted filesystems to be attached. This is a directory name which must already exist.
map-type
Type of map used for this invocation of automount. The following are valid map types:

file
The map is a regular text file.
program
The map is an executable program, which is passed a key on the command line and returns an entry on stdout if successful.
yp
The map is a NIS (YP) database.
nisplus
The map is a NIS+ database.
hesiod
The map is a hesiod database whose filsys entries are used for maps.
ldap
map names are of the form [servername:]basedn, where the optional servername is the name of the LDAP server to query, and basedn is the DN to do a subtree search under. Entries are automount objects in the specified subtree, where the cn attribute is the key (the wildcard key is "/"), and the automounterInformation attribute contains the information used by the automounter. Documentation on the schema used by this module is available online at http://docs.iplanet.com/docs/manuals/directory/411ext/nis/mapping.htm.

format Format of the map data; currently the only formats
recognized are sun, which is a subset of the Sun automounter map format, and hesiod, for hesiod filesys entries. If the format is left unspecified, it defaults to sun for all map types except hesiod.
map
Location of mapfile to use. This is an absolute UNIX pathname in the case for maps of types file or program, and the name of a database in the case for maps of type yp, nisplus, or hesiod.
options
Any remaining command line arguments without leading dashes (-) are taken as options (-o) to mount. Arguments with leading dashes are considered options for the maps.

Tuesday, February 21, 2012

Unit 11 NIS (Network Information System)

What is NIS?

NIS (Network Information System) is a network naming and administration system for smaller networks that was developed by Sun Microsystems. NIS+ is a later version that provides additional security and other facilities. Using NIS, each host client or server computer in the system has knowledge about the entire system. A user at any host can get access to files or applications on any host in the network with a single user identification and password. NIS is similar to the Internet's domain name system (DNS) but somewhat simpler and designed for a smaller network. It's intended for use on local area networks. Note that plain NIS has no authentication or encryption of its own: any host that can bind to the domain can dump the whole password map (`ypcat passwd`, hashes included), so it belongs only on trusted, isolated networks.

NIS uses the client/server model and the Remote Procedure Call (RPC) interface for communication between hosts. NIS consists of a server, a library of client programs, and some administrative tools. NIS is often used with the Network File System (NFS). NIS is a UNIX-based program.




Example of NIS Configuration.



#authconfig-tui
#system-config-authentication (Graphical Mode)
Authentication Configuration Screen
Enable NIS support Configure NIS
NIS Domain notexample
NIS Server Server1.example.com
#service network restart
#ifconfig
#ping server1
#showmount -e 192.168.0.254
(-e = show the NFS server's export list)
#mkdir /home/guests
#mount 192.168.0.254:/home/guests /home/guests
#ls -l /home/guests
(It shows 20 users for guest starting form 2001)
open another black console………………….
Login : guest2007
Passwd : password
#echo “Hello I am come back” > stationX ->
Then go to server PC
root#su – guest2007
#ls
#cat stationY
#ls –l

Monday, February 20, 2012

Unit 10 SSH - Secure Shell

What is SSH?

SSH (Secure Shell) is a client/server package used in Unix and Linux systems to provide secure access to a remote system.


OpenSSH Overview

OpenSSH replaces common, insecure
network communication applications

Provides user and token-based authentication

Capable of tunneling insecure protocols through port forwarding

System default configuration (client and server) resides in /etc/ssh/

OpenSSH Authentication


The sshd daemon can utilize several different authentication methods

password (sent inside the encrypted channel, never in the clear)

RSA and DSA keys (DSA is limited to 1024 bits and is disabled by default in OpenSSH 7.0 and later — prefer RSA)

Kerberos

s/key and SecurID

host authentication using system key pairs

Service Profile: SSH

Type: System V-managed service

Packages: openssh, openssh-clients, openssh-server

Daemon: /usr/sbin/sshd

Script: /etc/init.d/sshd

Port: 22

Configuration: /etc/ssh/sshd_config (server); /etc/ssh/ssh_config holds the client defaults


OpenSSH Server Configuration



SSHD configuration file

/etc/ssh/sshd_config

The OpenSSH Client


Secure shell sessions

ssh hostname

ssh user@hostname

ssh hostname remote-command

Secure remote copy files and directories

scp file user@host:remote-dir

scp -r user@host:remote-dir localdir

Secure file transfer (sftp) provided by an sshd subsystem — it runs over the SSH connection and is unrelated to the FTP protocol

sftp host

sftp -C user@host

Protecting Your Keys

ssh-agent -- holds decrypted private keys in memory for the session, so a passphrase is typed once

ssh-add -- loads a key into the running agent (prompts for its passphrase)


Example of SSH Configuration

SSH /etc/ssh/sshd_config (key-based login between two stations)
NODE – 1 / StationX
#useradd pop; passwd pop
#su - pop
pop#ssh-keygen -t dsa        (DSA keys are capped at 1024 bits and disabled by default in OpenSSH 7.0+; prefer "ssh-keygen -t rsa -b 4096" and give the key a passphrase)
# ls -a (show .ssh)
#cd .ssh
.ssh#ssh root@stationY      (root login over SSH is a lab shortcut; on real hosts set PermitRootLogin no in sshd_config and use su/sudo)
#useradd jak; passwd jak
#su - jak
#mkdir .ssh
#chmod 700 .ssh
#exit
.ssh#ls
id_dsa id_dsa.pub (show these 2 files — only the .pub file is ever copied; the private key stays here)
#scp id_dsa.pub jak@stationY:.ssh/authorized_keys   (overwrites any existing authorized_keys — use ssh-copy-id or append with "cat >>" instead; then chmod 600 authorized_keys on stationY)
#ssh jak@stationY ->
(without passwd we go to stationY user)
NODE – 2 / StationY
#useradd jak; passwd jak
#mkdir .ssh
#chmod 700 .ssh
ssh stationY or ssh 192.168.0.Y -> (lab password: redhat — a published default like this must never survive outside the classroom) ->
scp /root/Desktop/ab* stationX:/root/Desktop

Friday, February 17, 2012

Unit 9 DOVECOT (MRA) Mail Retrieval Protocols

What is DOVECOT?

Dovecot is an open source IMAP and POP3 server for Linux/UNIX-like systems, written primarily with security in mind. Developed by Timo Sirainen, Dovecot was first released in July 2002.

Mail Retrieval Protocols


Post Office Protocol

All data, including passwords, is passed in cleartext over TCP port 110

Use POP3s to provide SSL encryption of data over TCP port 995

Internet Mail Access Protocol

All data, including passwords, is passed in cleartext over TCP port 143

Use IMAPs to provide SSL encryption of data over TCP port 993

Dovecot supports POP3, POP3s, IMAP, and IMAPs

Service Profile: Dovecot


Type: SystemV-managed service

Package: dovecot

Daemon: /usr/sbin/dovecot

Script: /etc/init.d/dovecot

Ports: 110 (pop), 995 (pop3s), 143 (imap), 993 (imaps)

Configuration: /etc/dovecot.conf


Dovecot Configuration

Listens on all IPv6 and IPv4 interfaces by default

Specify protocols in /etc/dovecot.conf

protocols = imap imaps pop3 pop3s

Make a private key and self-signed certificate before using SSL

Confirm system time to avoid date issues

Review /etc/dovecot.conf for key and cert locations

Run make -C /etc/pki/tls/certs dovecot.pem

Creates a single PEM file containing both the private key and the certificate, so it must be readable by root only (chmod 600) even though it lives under certs/. The certificate is self-signed, so clients will warn until they trust it — verify its fingerprint out-of-band before accepting.


Example of Dovecot Cofiguration

DOVECOT(MRA)
#yum install -y dovecot
#chkconfig dovecot on
#vim /etc/dovecot.conf (specify the protocols)
Esc /protocols
17 #protocols
18 (input) protocols = imap imaps pop3 pop3s
   (imap and pop3 here are the cleartext ports 143/110 — drop them unless needed, and keep disable_plaintext_auth = yes so passwords are only accepted over TLS)
88
89
90 ssl_cert_file = /etc/pki/tls/certs/dovecot.pem
91 ssl_key_file = /etc/pki/tls/certs/dovecot.pem
:wq ->
#cd /etc/pki/tls/certs
#make dovecot.pem
IN ->
ODISHA ->
BHUBANESWAR ->
ISDAC ->
RHCE ->
stationX.example.com ->
root@stationX.example.com
#service dovecot restart
#netstat -tnl (ports 110, 995, 143, 993 listening)
#echo "I AM COME BACK" | mail -s litu student@stationX.example.com
GO TO STATION Y
# mutt -f {student@stationX.example.com} ->
0 ->
passwd ->
"mutt shows the server certificate — since it is self-signed, compare its fingerprint with the one on stationX before accepting — and then the message that came from stationX"


pki = Public key Infrastructure
tls = Transport Layer Security (the current protocol; "SSL" is its deprecated predecessor, and the two names are used interchangeably in these notes)
certs = Certificates
SSL = Secure Sockets Layer

Thursday, February 16, 2012

Unit 8 Sendmail (Simple Mail Transport Protocol)

What is Sendmail?

On the Internet, sendmail is the most popular UNIX-based implementation of the Simple Mail Transfer Protocol (SMTP) for transmitting e-mail. When a sendmail server receives e-mail, it attempts to deliver.

Service Profile: Sendmail



Type: System V-managed service

Packages: sendmail, sendmail-cf, sendmail-doc

Daemon: /usr/sbin/sendmail

Script: /etc/init.d/sendmail

Port: 25 (smtp)

Configuration: /etc/mail/sendmail.cf, /etc/mail/sendmail.mc, /etc/aliases, /etc/mail/virtusertable, /etc/mail/access

Intro to Sendmail Configuration


Red Hat uses and recommends the m4 macro language

Use `dnl` followed by a space to comment out a line within an m4 macro file (dnl = "delete to newline")

service sendmail restart uses /etc/mail/Makefile

Converts /etc/mail/sendmail.mc into /etc/mail/sendmail.cf

Rehashes various flat-file databases

make compares timestamps; touch a file to force a rebuild/rehash

sendmail-cf is not installed by default

The init script will not rebuild files unless sendmail-cf has been installed.

Incoming Sendmail Configuration


Modify /etc/mail/sendmail.mc to listen on all interfaces: prefix the DAEMON_OPTIONS line with `dnl` (as below) so the 127.0.0.1-only bind is dropped. Do this only with relay restrictions in /etc/mail/access in place — an MTA listening on all interfaces without them is an open relay.

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Add to /etc/mail/local-host-names each hostname by which the server may be referred

Modify access control

Update /etc/hosts.{allow,deny}

Add an Netfilter rule to allow SMTP traffic

Restart sendmail

Outgoing Sendmail Configuration

Red Hat provides a default /etc/mail/submit.cf

rarely needs modification

enables sendmail to act as a client MSP

To masquerade as a domain instead of a single host

Uncomment the following lines in /etc/mail/sendmail.mc

EXPOSED_USER(`root')dnl
FEATURE(masquerade_envelope)dnl
MASQUERADE_AS(`example.com')dnl
FEATURE(masquerade_entire_domain)dnl

Inbound Sendmail Aliases


Local aliases: /etc/aliases

Programs run from an alias must be (sym)linked into /etc/smrsh — the Sendmail Restricted Shell executes only what is in that directory, which is what keeps a mail alias from running arbitrary commands

fakename: realname
a-list: fakename, otheruser
helpdesk: | mail2ticket

Virtual aliases: /etc/mail/virtusertable

admin@123.com shopper
admin@xyz.org jdj
pageme@he.net lmiwtc@pg.com
@cba.com cba@aol.com
@dom1.org %1@dom2.org

Outbound Address Rewriting


Add the following lines to /etc/mail/sendmail.mc

FEATURE(genericstable)dnl
FEATURE(`always_add_domain')dnl
GENERICS_DOMAIN_FILE(`/etc/mail/local-host-names')dnl

Create and populate /etc/mail/genericstable

paul@example.com paul@otherexample.com
david@example.com david.lastname@example.com

Domains must be listed in /etc/mail/local-host-names

Address rewriting occurs for SMTP and not LMTP

Sendmail SMTP Restrictions


Enable in /etc/mail/sendmail.mc using

FEATURE(`blacklist_recipients')dnl

Add restrictions in /etc/mail/access

From:90trialspammer@aol.com REJECT
Connect:spamRus.net REJECT
Connect:204.168.23 REJECT
Connect:10.3 OK
From:virtualdomain1.com RELAY
To:user@dom9.com ERROR:550 mail discarded
To:nobody@ ERROR:550 bad name

Sendmail Operation


/etc/mail/local-host-names

must contain server's name and aliases

mail -v user

view SMTP exchange with local relay

mailq and mailq -Ac

view messages queued for future delivery

sendmail -q

reprocess the email queue

tail -f /var/log/maillog

View log in real-time



Configure sendmail server


RPM packages required: sendmail, sendmail-cf and m4

Ubuntu/Debian install: sudo apt-get install sendmail sendmail-base sendmail-bin sendmail-cf mailutils

Sendmail receives mail for local system user login accounts. Mail is held in a single file: /var/mail/userID

Steps to run mail server using sendmail:

1. Required for inbound mail: The mail server must be identified by the DNS as the mail server in order to receive mail. See the YoLinux web tutorial on configuring DNS.

2. /etc/mail/local-host-names (Required) (Red Hat 7.1 - Fedora Core 3)
/etc/sendmail.cw (Red Hat 6.x)

This file contains all of the alternate host names of the server. (i.e. domain-name.com) Sendmail will not accept mail for a domain unless it is permitted to do so by the contents of this file.
Sample:

megawebhost.com
yolinux.com
yo-linux.com


3. File /etc/aliases (Optional) lists alternative names for email recipients.
Sample:

webmaster: john, dave
postmaster: kim, garret
larry.anderson: larry
moe.anderson: moe
curly.anderson: curly


After creation or modification one must run the command newaliases which will generate a new version of the file /etc/aliases.db There is no need to restart the sendmail daemon. The changes are picked up automatically.

4. File /etc/mail/virtusertable (Optional) Allows the separation of emails by domain. i.e. greg@domain1.com and greg@domain2.com go to two different users greg1 and greg2.

webmaster@domain-1.com dave
webmaster@domain-2.com john
john@domain-2.com john
@domain-2.com error:nouser User unknown
@domain3.com mathew


The second column is the local user, a remote forwarding email address or a mailing list entry in /etc/aliases.
The domain "domain-2.com" will only receive email for john@domain-2.com and webmaster@domain-2.com while all other mail to this domain receives an error message.

Convert /etc/mail/virtusertable to /etc/mail/virtusertable.db with the commands:
cd /etc/mail
make

5. Relaying and receiving mail is controlled by the file: /etc/mail/access. By default relaying is only allowed by localhost and sendmail will accept mail from all. (Red Hat 7.1 default is more strict but the restriction is not from the access file. More below.)
Required for outbound email. Helpful for blocking some unwanted inbound email.

localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY


Generate database file:

[root prompt]# makemap hash /etc/mail/access.db < /etc/mail/access


The access file can be used to thwart spammers. List IP addresses or email addresses to deny in the file /etc/mail/access (not /etc/access).
After adding entries to the access file, generate the database file with the command above.

XXX.XXX.XXX.XXX REJECT
YYY.YYY.YYY.YYY ERROR:"550 We don't accept mail from spammers"
spammer@isp.com REJECT " Spam not accepted"
ZZZ.ZZZ.ZZZ.ZZZ OK - Override rules and allow
ZZZ.ZZZ OK - Allow from ZZZ.ZZZ.*.* network


See the /etc/mail/access file I am currently using. It changes daily. Feel free to cut and paste this Sendmail access file to your system.
Other access lists:
Iowa State University
West-Point.org
IP block list used by http: Wizcrafts.net: Exploited server list
Sendmail.org: More info on cf-readme (See Anti-Spam section)

6. Sendmail must be running. See the YoLinux init tutorial to learn how the sendmail daemon can be configured to be started by the system upon system boot. This may have been configured during installation.

Wednesday, February 15, 2012

Unit 7 Squid Web Proxy Cache

Squid Web Proxy Cache

What is SQUID Proxy Server?


Squid is a caching proxy server that lets several machines share one machine's internet connection.
It supports HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows.



Service Profile: Squid



Type: SystemV-managed service

Package: squid

Daemon: /usr/sbin/squid

Script: /etc/init.d/squid

Port: 3128(squid), (configurable)

Configuration: /etc/squid/squid.conf


Useful parameters in /etc/squid/squid.conf


http_port 3128

cache_mem 8 MB

cache_dir ufs /var/spool/squid 100 16 256

acl all src 0.0.0.0/0.0.0.0

acl localhost src 127.0.0.1/255.255.255.255

http_access allow localhost

http_access deny all


Example of SQUID Configuration


SQUID It is a web proxy services.

# ping yahoo.com
Edit -> preference -> Manual Prox Configuration -> Own IP address
type then port type 3128 -> ok -> close.
www.yahoo.com (in Firefox) does not open yet.
#netstat -tnl (port 3128 is not open: squid is not installed/running)
#yum -y install squid (3128)
#service squid start
#netstat -tnl (port 3128 is now listening)
Edit -> Preference -> Manual Proxy Configuration -> 127.0.0.1 ->
3128 -> OK
In firefox www.yahoo.com (open the browser)
Howmany PC allow to proxy services.
#vim /etc/squid/squid.conf
Esc /acl all -> 4billion of PC connected ( acl means we have to define
access control list)
2394 acl all src 0.0.0.0/0.0.0.0 -> (src means source IP address)
2395(type) acl isdac src 192.168.0.0/24 -> 256 nos PC
Esc /http_access allow localhost
2527 http_access allow localhost ->
2528 http_access allow isdac (type)
wq ->
# service squid restart
Edit -> preference -> manual -> 192.168.0.X -> 3128 -> OK
Open Firefox
http://www.yahoo.com
To restrict the squid service: http_access rules are evaluated top-down and the first match wins, so a deny for a domain must appear before the allow for the LAN, as below.
# vim /etc/squid/squid.conf
Esc /acl
2395 acl isdac src 192.168.0.0/24
2396 acl yahoo dstdomain .yahoo.com (type — the leading dot makes ".yahoo.com" match the domain and all its subdomains)
Esc /http_access allow localhost
2528 http_access allow localhost
2529 http_access deny yahoo
2530 http_access allow isdac
2531 http_access deny all
#service squid restart
#vim /etc/squid/squid.conf
Esc /3128 Press N
73 http_port 8080
#service squid restart.
acl all
acl isdac src 192.168.0.0/24
acl mitu dstdomain .yahoo.com
http_access deny mitu
http_access allow isdac


Squid content filtering: Block / download of music MP3, mpg, mpeg, exec files

Q. For security and to save bandwidth I would like to configure Squid proxy server such way that I do not want my users to download all of the following files:
MP3
MPEG
MPG
AVG
AVI
EXE

How do I configure squid content filtering?

A. You can use squid ACL (access control list) to block all these files easily.
How do I block music files using squid content filtering ACL?

First open squid.conf file /etc/squid/squid.conf:

# vi /etc/squid/squid.conf

Now add the following line to your squid ACL section. Note that urlpath_regex matches only the URL path, and because the patterns below are anchored with `$`, a trailing query string (file.exe?x=1) may slip past them; `urlpath_regex -i` would make the list case-insensitive without the [Ee][Xx][Ee] spelling. Content filtering by extension is a bandwidth control, not a security boundary.

acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"

You want display custom error message when a file is blocked:
# Deny all blocked extension
deny_info ERR_BLOCKED_FILES blockfiles
http_access deny blockfiles

Save and close the file.

Create the custom error message HTML file ERR_BLOCKED_FILES in /etc/squid/errors/ (or /usr/share/squid/errors/English — wherever your error_directory points).
# vi ERR_BLOCKED_FILES

Append following content:
Caution: Do not include HTML close tags as it will be closed by squid.
Now create /etc/squid/blocks.files.acl file:



# vi /etc/squid/blocks.files.acl

Append following text:
\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$

Save and close the file. Restart Squid:
# /etc/init.d/squid restart

Squid in action:


Squid Deny Users Accessing a Website

I created and listed the sites in /etc/squid/squidblock.acl file

acl blocksites url_regex "/etc/squid/squidblock.acl"
http_access deny blocksites

And put the domain patterns in /etc/squid/squidblock.acl (the same file named in the acl line above). Because this is url_regex, each line is a regular expression matched against the whole URL: an unescaped `.` matches any character and a bare word such as `sex` also matches essex or sussex, and matching is case-sensitive unless you add `-i`. Escape dots (`\.yahoo\.com`) or use `dstdomain` for plain domain blocks. For example, to block yahoo.com or add words such as sex or gambling:

.yahoo.com
.foo.com
.sex

Save and restart squid

SARG
Squid Analysis Report Generator (sarg)

Sarg (Squid Analysis Report Generator) is a tool that lets you see "where" your users are going on the Internet. Its reports expose per-user browsing history, so restrict who can read the generated HTML.

Sarg provides many informations about Squid users activities: times, bytes, sites, etc...


Installation

If you use native squid log format, the elapsed time will be in reports (emulate_httpd_log off).

1. run ./configure

configure options: --enable-bindir=where sarg binary will be saved
default: /usr/bin

--enable-sysconfdir - where the configuration directory is
default: /usr/local/sarg

--enable-htmldir - where the www html root dir is
default: /var/www/html

--enable-mandir - where the sarg man page will be saved
default: /usr/local/man/man1

3. make

4. make install

5. Go to /usr/local/sarg (or file entered with --sysconfdir on configure)
and change sarg.conf as you need.

6. Notes about sarg:

Date/Time report:
Every minute that a request is logged your time is incremented by the smaller
of 1 minute or the total time for the requests.

Usage: sarg -h


How To: Configure Squid Proxy Server


Mission

To configure squid for simple proxying without caching anything.

Use Cases

When you want to have control on what people browse on your lan.
When number of machine is more than the number of IP addresses you can afford to buy.
When you want to help this holy world in saving some IPV4 addresses.

Assumptions

You have a machine connected directly to internet that you are going to use as a proxy server for other machines on your network.
The machines on your network are using 192.168.0.0/16 as private address space. You can use anyone/multiple address spaces of the available but for this howto we assume 192.168.0.0/16 as the local network.
The local IP address of the machine which will run squid proxy server is 192.168.36.204. You can have any IP, but for this howto we assume this.

How to proceed

First of all ensure that you have squid installed. After installing squid, you need to set access control in squid configuration file which resides in /etc/squid by default. Open /etc/squid/squid.conf and add/edit following lines according to your preferences. Few lines already exist in the configuration file, you can add the rest.

# The port on which squid will listen for requests
http_port 8080
# If 'cgi-bin' or '?' is in query, squid should not check with neighbours'/parents' cache
# and should go to target web-server.
hierarchy_stoplist cgi-bin ?
# If url contains 'cgi-bin' or '?', then it must not be cached
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
# Absolute path to squid access log.
# NOTE(review): this log records every client IP and full URL; restrict read
# access and rotate it — it is personal data as well as forensic evidence.
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# Access control list to control every IP address
acl all src 0.0.0.0/0.0.0.0
# Access control list for source machine in LAN
acl lan_src src 192.168.0.0/16
# Access control list for destination machine in LAN
acl lan_dst dst 192.168.0.0/16
# Access control list to manage squid cache
acl manager proto cache_object
# Access control list to define IP address allowed for source localhost
acl localhost src 127.0.0.1/255.255.255.255
# Access control list to define IP addresses allowed for localhost as destination
acl to_localhost dst 127.0.0.0/8
# Access control list to define Safe ports that should be allowed by default
# NOTE(review): a CONNECT to any port listed in SSL_ports is an opaque TCP
# tunnel that squid cannot inspect or filter; 563, 1863, 5190, 5222, 5050 and
# 6667 (IRC) are here only for the IM rules further down — drop what you don't use.
acl SSL_ports port 443 563 1863 5190 5222 5050 6667
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
# (squid's stock default: plain HTTP to any high port is permitted)
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Allow cache management only from localhost
http_access allow manager localhost
# Deny cache management from remote hosts
http_access deny manager
# Deny http access via all the ports which are not listed as safe
http_access deny !Safe_ports
# Deny all connections via all ports which are not listed as safe
http_access deny CONNECT !SSL_ports
# Allow http access from localhost
http_access allow localhost
# Allow http access from machines on LAN
http_access allow lan_src
# http_access is first-match: this line ends evaluation for every request, so
# none of the AIM/Yahoo/GTalk/MSN rules below is ever consulted — LAN clients
# were already allowed (including CONNECT to every SSL_ports port) and every
# other client is already denied here. Move those rules above this line if
# they are meant to have any effect.
http_access deny all
http_reply_access allow all
# NOTE(review): ICP (udp/3130) queries are accepted from any host, and this
# listing defines no cache_peer to talk to — prefer "icp_access allow lan_src"
# followed by "icp_access deny all", or deny it outright.
icp_access allow all
# Deny caching for everyone so that there is not caching at all
cache deny all
coredump_dir /var/spool/squid
# Never allow direct connection to machines on the internet
# NOTE(review): never_direct forces every non-LAN request to a parent proxy,
# but no cache_peer appears in this listing — confirm one exists elsewhere,
# otherwise squid appears to have no route for internet requests.
prefer_direct off
never_direct allow all
# Allow direct connetion if the destination machine is on LAN
always_direct allow lan_dst
# Delete this line if you don't have /etc/hosts file
hosts_file /etc/hosts
# Allow AIM connections
# Delete the following 9 lines if you don't want people to connect to AIM
acl AIM_ports port 5190 9898 6667
acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com .freenode.net
acl AIM_domains dstdomain .messaging.aol.com .aim.com
acl AIM_hosts dstdomain login.oscar.aol.com login.glogin.messaging.aol.com toc.oscar.aol.com irc.freenode.net
acl AIM_nets dst 64.12.0.0/255.255.0.0
acl AIM_methods method CONNECT
http_access allow AIM_methods AIM_ports AIM_nets
http_access allow AIM_methods AIM_ports AIM_hosts
http_access allow AIM_methods AIM_ports AIM_domains
# Allow connections to Yahoo Messenger
# Delete the following 6 lines if you don't want people to connect to Yahoo Messenger
acl YIM_ports port 5050
acl YIM_domains dstdomain .yahoo.com .yahoo.co.jp
acl YIM_hosts dstdomain scs.msg.yahoo.com cs.yahoo.co.jp
acl YIM_methods method CONNECT
http_access allow YIM_methods YIM_ports YIM_hosts
http_access allow YIM_methods YIM_ports YIM_domains
# Allow connections to Google Talk
# Delete the following 6 lines if you don't want people to connect to Google Talk
acl GTALK_ports port 5222 5050
acl GTALK_domains dstdomain .google.com
acl GTALK_hosts dstdomain talk.google.com
acl GTALK_methods method CONNECT
http_access allow GTALK_methods GTALK_ports GTALK_hosts
http_access allow GTALK_methods GTALK_ports GTALK_domains
# Allow connections to MSN
# Delete the following 6 lines if you don't want people to connect to MSN
# (1503 is not in SSL_ports, so CONNECT to it is already refused by the
# "deny CONNECT !SSL_ports" rule above regardless of this block)
acl MSN_ports port 1863 443 1503
acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_hosts dstdomain messenger.hotmail.com
acl MSN_nets dst 207.46.111.0/255.255.255.0
acl MSN_methods method CONNECT
http_access allow MSN_methods MSN_ports MSN_hosts

Now, start the squid proxy server as

service squid start

Also, if you want squid to be started every time you boot the machine, execute the following command

chkconfig --level 345 squid on

You have a squid proxy server running now. You can ask clients to configure their browsers to use 192.168.36.204 as a proxy server with 8080 as the proxy port. Command-line utilities like elinks, lynx, yum, wget etc. can be told to use the proxy by exporting the http_proxy variable as below. Users can also add these lines to ~/.bashrc to avoid exporting them every time.

# Proxy settings for command-line tools (elinks, lynx, yum, wget, ...) that honour these
# variables; browsers are configured separately.  Both point at the Squid proxy on
# 192.168.36.204:8080.  ftp_proxy deliberately uses the http:// scheme: the client hands
# the FTP URL to the HTTP proxy, which fetches it on the client's behalf.
export http_proxy='http://192.168.36.204:8080'
export ftp_proxy='http://192.168.36.204:8080'

Tuesday, February 14, 2012

Unit 6 APACHE Web Services (httpd)

Objectives

What is Apache HTTP Server?

Apache, also known as Apache HTTP Server, is an established standard for serving websites and gave the initial boost to the expansion of the World Wide Web. It is an open-source web server platform that hosts the majority of the websites active today. It runs on a wide range of popular platforms and operating systems, such as Unix, Windows, Linux, Solaris, Novell NetWare, FreeBSD, Mac OS X, Microsoft Windows, OS/2, etc.

Apache httpd has been the most popular web server on the Internet since April 1996.


Upon completion of this unit, you should be able to:

Learn the major features of the Apache HTTP server

Be able to configure important Apache parameters

Learn per-directory configuration

Learn how to use CGI with Apache

Identify key modules

Understand proxy web servers

Service Profile: HTTPD


Type: SystemV-managed service

Packages: httpd, httpd-devel, httpd-manual

Daemon: /usr/sbin/httpd

Script: /etc/init.d/httpd

Ports: 80(http), 443(https)

Configuration: /etc/httpd/conf/httpd.conf, /var/www/*

Related: system-config-httpd


Apache Configuration

Main server configuration stored in /etc/httpd/conf/httpd.conf

controls general web server parameters, regular virtual hosts, and access

defines filenames and mime-types

Module configuration files stored in /etc/httpd/conf.d/*

DocumentRoot default /var/www/html/

Virtual Hosts

NameVirtualHost 192.168.0.100:80


ServerName virt1.com
DocumentRoot /virt1


ServerName virt2.com
DocumentRoot /virt2


Using .htaccess Files


Change a directory's configuration:

add mime-type definitions

allow or deny certain hosts

Setup user and password databases:

AuthUserFile directive

htpasswd command:

htpasswd -cm /etc/httpd/.htpasswd bob
htpasswd -m /etc/httpd/.htpasswd alice

.htaccess Advanced Example


AuthName "Bob's Secret Stuff"
AuthType basic
AuthUserFile /var/www/html/.htpasswd
AuthGroupFile /var/www/html/.htgroup


require group staff



require user bob


CGI

CGI programs are restricted to separate directories by ScriptAlias directive:

ScriptAlias /cgi-bin/ /path/cgi-bin/


Example of APACHE Configuration.

APACHE - Web Services

# yum -y install httpd
# chkconfig httpd on
# service httpd start
# vim /etc/httpd/conf/httpd.conf
971 NameVirtualHost 192.168.0.X:80
984
986 DocumentRoot /var/www/stationX/html
987 ServerName stationX.example.com
990

(in vim: press Esc, type 7yy to copy the seven lines above, move to the last line and press p to paste them)
994 DocumentRoot /var/www/wwwX/html
995 ServerName wwwX.example.com
wq ->
# mkdir -p /var/www/stationX/html
# cd /var/www/stationX/html ->
html # lftp server -> cd /pub/html -> get index.html -> bye
# cd ->
# mkdir -p /var/www/wwwX/html
# cd /var/www/wwwX/html ->
html # lftp server1 -> cd /pub/html -> get index.html -> bye
# cd ->
GO TO FIREFOX
http://wwwX.example.com
http://stationX.example.com
OR
# echo 'This is wwwX virtual Host' > /var/www/wwwX/html/index.html
# service httpd restart

.htaccess

# vim /var/www/stationX/html/.htaccess (Host access permission file)
AuthName "ISDAC"
AuthType Basic
AuthUserFile /etc/httpd/conf/passwd
require valid-user
wq ->
# cp /var/www/stationX/html/.htaccess /var/www/wwwX/html/.htaccess
# htpasswd -cm /etc/httpd/conf/passwd ravi
# htpasswd -m /etc/httpd/conf/passwd hari
# vim /etc/httpd/conf/httpd.conf (type the lines below just before the closing tag of the stationX virtual host block; the tags themselves did not survive in this listing)
990
991 AllowOverride AuthConfig
992


Do the same for the wwwX virtual host.
wq ->
#service httpd restart
# httpd -t (checks the configuration syntax)

CGI-Common Gateway Interface

To enable CGI, add the following line after the DocumentRoot line of the virtual host:
ScriptAlias /cgi-bin/ /var/www/stationX/html/cgi-bin/
wq ->
# mkdir /var/www/stationX/html/cgi-bin
# cd /var/www/stationX/html/cgi-bin
cgi-bin# lftp server1 -> cd /pub/html -> ls -> get cracker.sh
bye ->
cd ->
root # chmod a+x /var/www/stationX/html/cgi-bin/cracker.sh (lowercase x; a capital X does not add execute permission to a plain file that has none)
(default permission on Directory 755)
# service httpd restart