Set up an FTP server in Linux

Install vsftpd server:

  • yum install vsftpd
  • systemctl enable vsftpd
  • systemctl start vsftpd

Allow FTP upload for anonymous users:

  1. Verify that the ftp user already exists (the vsftpd package normally creates it, with /var/ftp as its home); if not, create one:
    1. getent passwd ftp
    2. useradd -d /var/ftp -M -s /sbin/nologin -c "ftp user" ftp
  2. Set the following parameters in /etc/vsftpd/vsftpd.conf (anonymous uploads need all three):
    • anonymous_enable=YES
    • anon_upload_enable=YES
    • write_enable=YES
  3. Create the uploads directory and grant it the appropriate permissions:
    • mkdir -m 755 /var/ftp/uploads    (use -m 730 so the ftp group can write and traverse but not list the directory, i.e. a write-only drop box instead of a public file share)
    • chgrp ftp /var/ftp/uploads
    • Keep /var/ftp itself owned by root and not writable by ftp; vsftpd refuses to run with a writable chroot root.
  4. Update the SELinux context and boolean:
    • chcon -t public_content_rw_t /var/ftp/uploads
      (chcon does not survive a relabel; to make it persistent: semanage fcontext -a -t public_content_rw_t "/var/ftp/uploads(/.*)?" && restorecon -Rv /var/ftp/uploads)
    • setsebool -P ftpd_anon_write on    (allow_ftpd_anon_write is the older alias of the same boolean)
    • systemctl restart vsftpd
  5. Test by uploading a sample file:
    • ftp hostname
    • Name: anonymous
    • Password: any string (by convention an e-mail address)
    • put ~/file uploads/file
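
Added example (not part of the original post): a small shell audit of the posture the steps above create. It assumes only a vsftpd.conf in the usual key=value form and the upload directory; the sample configs and directories are constructed in a temporary directory so it runs without vsftpd installed. It checks that the three keys are all YES (anonymous uploads need every one of them) and whether the upload directory is listable by the ftp group or others, which is the practical difference between the 755 and 730 modes above.

```shell
# Added example: audit the anonymous-upload posture created by the steps above.
# Assumptions: a vsftpd.conf in key=value form and an upload directory owned by
# root with group ftp. Sample inputs are constructed in make_ftp_lab.

vsftpd_key() {           # vsftpd_key CONF KEY -> last value set for KEY, or "unset"
  v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
  if [ -n "$v" ]; then printf '%s\n' "$v"; else echo unset; fi
}

dir_listable() {         # dir_listable DIR -> 0 if group or others have read (listing) access
  perm=$(ls -ld "$1" | cut -c1-10)
  case "$perm" in
    ????r*|???????r*) return 0 ;;
    *)                return 1 ;;
  esac
}

# vsftpd_anon_upload_audit CONF UPLOAD_DIR
#   exit 1: anonymous uploads are off (one of the three keys is not YES)
#   exit 2: uploads are on and the directory is listable (public drop box, e.g. mode 755)
#   exit 0: uploads are on and the directory is write-only for the ftp group (mode 730)
vsftpd_anon_upload_audit() {
  conf=$1; dir=$2
  for k in anonymous_enable anon_upload_enable write_enable; do
    if [ "$(vsftpd_key "$conf" "$k")" != YES ]; then
      echo "anon-upload-off: $k=$(vsftpd_key "$conf" "$k")"
      return 1
    fi
  done
  perm=$(ls -ld "$dir" | cut -c1-10)
  if dir_listable "$dir"; then
    echo "anon-upload-on: $dir is $perm, uploads can be listed by other clients"
    return 2
  fi
  echo "anon-upload-on: $dir is $perm, write-only drop directory"
  return 0
}

# make_ftp_lab -> prints a temp dir holding constructed sample configs and directories
make_ftp_lab() {
  t=$(mktemp -d)
  printf 'anonymous_enable=YES\nanon_upload_enable=YES\nwrite_enable=YES\n' > "$t/upload.conf"
  printf 'anonymous_enable=YES\nanon_upload_enable=YES\nwrite_enable=NO\n'  > "$t/readonly.conf"
  mkdir -m 755 "$t/uploads-755"
  mkdir -m 730 "$t/uploads-730"
  printf '%s\n' "$t"
}

# Stand-alone run: audit both directories against both configs.
lab=$(make_ftp_lab)
for c in upload readonly; do
  for d in uploads-755 uploads-730; do
    vsftpd_anon_upload_audit "$lab/$c.conf" "$lab/$d" || true
  done
done
```

On a real host run it as `vsftpd_anon_upload_audit /etc/vsftpd/vsftpd.conf /var/ftp/uploads`; exit status 2 is the case where anything uploaded anonymously can also be listed and fetched by the next anonymous client.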

Set up Postfix and Dovecot in CentOS 7

Install Postfix:

  1. yum install postfix
  2. postconf -e "inet_interfaces = all"               (listen on all configured interface IPs)
  3. postconf -e "mynetworks_style = subnet"           (trust the directly attached subnets; hosts in mynetworks may relay without authenticating, so keep this to networks you control)
  4. systemctl restart postfix; systemctl enable postfix
  5. Allow the smtp (25) service in the firewall:
    1. firewall-cmd --permanent --add-service=smtp
    2. firewall-cmd --reload
    3. firewall-cmd --list-all
  6. Configs:
    1. /etc/postfix/main.cf
    2. /etc/postfix/master.cf
    3. /var/log/maillog                                (log file)
    4. /var/mail/*; /home/user/mail                    (user inbox files)

Install Dovecot:

  1. yum install dovecot
  2. Add the following to /etc/dovecot/dovecot.conf
    protocols = imap pop3 lmtp
    listen = *
  3. Add the following to /etc/dovecot/conf.d/10-mail.conf
    mail_location = mbox:~/mail:INBOX=/var/mail/%u
  4. chmod 0600 /var/mail/*     (Ref: http://wiki2.dovecot.org/Errors/ChgrpNoPerm)
  5. systemctl restart dovecot; systemctl enable dovecot
  6. Allow the imap (143) and pop3 (110) services in the firewall (both are plaintext protocols; prefer imaps/pop3s or STARTTLS for anything beyond a lab):
    • firewall-cmd --permanent --add-service=imap
    • firewall-cmd --permanent --add-service=pop3
    • firewall-cmd --reload
    • firewall-cmd --list-all
  7. Test the Dovecot server using mutt:
    mutt -f imap://user@hostname/
    (If /var/log/maillog shows a chgrp "Operation not permitted" error, set mail_privileged_group = mail in /etc/dovecot/conf.d/10-mail.conf, as described in the reference above.)
  8. Configs:
    • /etc/dovecot/dovecot.conf
    • /etc/dovecot/conf.d/*.conf
    • /var/log/maillog

Enable SASL authentication in Postfix and Dovecot:

  • Dovecot:
    1. Un-comment and adjust the Postfix auth listener in /etc/dovecot/conf.d/10-master.conf (the stock sample uses mode = 0666; 0660 with postfix ownership limits the socket to Postfix, which is what the Dovecot/Postfix SASL howto recommends):
      unix_listener /var/spool/postfix/private/auth {
          mode = 0660
          user = postfix
          group = postfix
      }
    2. systemctl restart dovecot
  • Postfix:
    1. postconf -e smtpd_sasl_type=dovecot
    2. postconf -e smtpd_sasl_auth_enable=yes
    3. postconf -e smtpd_sasl_path=private/auth
    4. postconf -e "smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"
       (reject_unauth_destination is what stops the server from being an open relay; never drop it)
    5. systemctl restart postfix

Enable STARTTLS for Postfix:

  1. Create a new PEM file holding a self-signed certificate and its key (the Makefile in /etc/pki/tls/certs generates it; make sure the file stays mode 0600, since it contains the private key):
    cd /etc/pki/tls/certs/; make /etc/postfix/postfix.pem
  2. Change the Postfix configuration to enable opportunistic TLS and require it for authentication (smtpd_tls_security_level=may offers STARTTLS but does not force it; encrypt would, which is not appropriate for a public MX on port 25. smtpd_tls_auth_only=yes makes AUTH available only inside TLS, so passwords never cross the wire in the clear):
    • postconf -e smtpd_tls_auth_only=yes
    • postconf -e smtpd_tls_security_level=may
    • postconf -e smtpd_tls_cert_file=/etc/postfix/postfix.pem
    • postconf -e smtpd_tls_key_file=/etc/postfix/postfix.pem
    • systemctl restart postfix
  3. Test SMTP STARTTLS (--insecure skips certificate verification because the certificate is self-signed):
    • echo -en "\0student\0password" | base64
    • gnutls-cli --crlf --starttls --insecure --port 25 192.168.254.133
    • ehlo centos
    • starttls
    • ctrl+d                                (tells gnutls-cli to start the TLS handshake)
    • ehlo centos                           (re-issue EHLO inside TLS; AUTH is advertised only now)
    • auth plain AHN0dWRlbnQAcGFzc3dvcmQ=   (output of the echo | base64 command)
    • mail from:student
    • rcpt to:root@192.168.254.133
    • data
    • Subject: I sent this using SASL SMTP auth protected by TLS
    • Cool no?
    • And secure!
    • .
    • quit

Send test mail:

  1. mail command:
    1. for i in one two three; do
    2.   echo $i | mail -s "test $i" student@hostname;
    3. done
  2. telnet command (plaintext; with smtpd_tls_auth_only=yes the server will not offer AUTH on an unencrypted connection, so once TLS is enabled use the gnutls-cli session above instead):
    1. echo -en "\0student\0password" | base64
    2. telnet hostname 25
    3. ehlo localhost                       (EHLO, not HELO: AUTH is an ESMTP extension)
    4. auth plain AHN0dWRlbnQAcGFzc3dvcmQ=  (output of the echo command)
    5. mail from:student@hostname
    6. rcpt to:user@hostname2
    7. data
    8. Subject: testing telnet email
    9. This is root
    10. .
    11. quit
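
Added example (not from the original post) for both manual sessions above, the gnutls-cli one and the telnet one: the AUTH PLAIN argument is the base64 of "authzid NUL authcid NUL password" (RFC 4616), with an empty authorization identity here, and it is easy to get the NULs or the padding wrong when typing it. The helpers below build and decode that token and emit the client side of the dialogue; student/password are the page's lab credentials, the host and addresses in the usage note are assumptions.

```shell
# Added example: build and check the SASL PLAIN initial response used by
# "AUTH PLAIN" in the sessions above. Format (RFC 4616):
#   [authzid] NUL authcid NUL password, base64-encoded.
# The authorization identity is left empty, as both sessions on this page do.

sasl_plain_token() {     # sasl_plain_token USER PASSWORD -> base64 token on one line
  printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

sasl_plain_decode() {    # sasl_plain_decode TOKEN -> "authzid|authcid|password" (NULs shown as |)
  printf '%s' "$1" | base64 -d | tr '\000' '|'
}

# smtp_auth_plain_script HELO USER PASSWORD FROM TO -> the client side of the
# dialogue, one command per line. Meant to follow a STARTTLS handshake done by
#   openssl s_client -quiet -crlf -starttls smtp -connect HOST:25
# (s_client issues the first EHLO and STARTTLS itself, so this starts with a fresh EHLO).
smtp_auth_plain_script() {
  helo=$1; user=$2; pass=$3; from=$4; to=$5
  printf 'EHLO %s\n' "$helo"
  printf 'AUTH PLAIN %s\n' "$(sasl_plain_token "$user" "$pass")"
  printf 'MAIL FROM:<%s>\n' "$from"
  printf 'RCPT TO:<%s>\n' "$to"
  printf 'DATA\n'
  printf 'Subject: SASL SMTP auth over STARTTLS\n\nhello\n.\n'
  printf 'QUIT\n'
}

# Stand-alone run: show the token, prove it decodes to what we meant, print the script.
tok=$(sasl_plain_token student password)
echo "token:   $tok"
echo "decodes: $(sasl_plain_decode "$tok")"
smtp_auth_plain_script centos student password student@example.com root@example.com
```

Because s_client does not wait for server replies when its stdin is a pipe, feed the script one line per second, e.g. `smtp_auth_plain_script ... | while IFS= read -r l; do printf '%s\n' "$l"; sleep 1; done | openssl s_client -quiet -crlf -starttls smtp -connect 192.168.254.133:25`. The decode helper is also the quickest way to check a token you were handed: if it does not show exactly two separators with the expected user and password between them, the server's 535 is not a password problem.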

postconf:

  • postconf -n                                  (List the parameters explicitly set in main.cf)
  • postconf -d                                  (List the built-in default values)
  • postconf                                     (List every parameter with its effective value)
  • postconf -e mynetworks_style=host            (Edit a parameter value in main.cf; valid styles are host, subnet and class)
  • postconf -X mynetworks_style                 (Delete a parameter from main.cf)

Configure Apache in Linux

Install Apache server

  • yum install httpd mod_ssl
  • systemctl enable httpd
  • systemctl start httpd
  • Configs:
    • /etc/httpd/conf/httpd.conf
    • /etc/httpd/conf.d/ssl.conf
  • Logs:
    • /var/log/httpd/access_log
    • /var/log/httpd/error_log
    • /var/log/httpd/ssl_access_log
    • /var/log/httpd/ssl_request_log
    • /var/log/httpd/ssl_error_log

IP based virtual host:

  1. ip addr add 192.168.1.5/24 dev eth0                         (Add the IP address; this is not persistent across reboots)
  2. mkdir /ipvhost; echo "ipvhost" >> /ipvhost/index.html        (Make the directory and index file)
  3. chcon -R --reference=/var/www/html /ipvhost/                 (Set the SELinux context)
  4. Add the following to /etc/httpd/conf.d/ipvhost.conf (drop Indexes unless you really want directory listings for paths without an index file):
    <VirtualHost 192.168.1.5:80>
        ServerName      www.ipvhost.example.com
        ServerAlias     ipvhost.example.com
        ServerAdmin     admin@example.com
        DocumentRoot    /ipvhost/
        <Directory /ipvhost/>
            Options Indexes FollowSymLinks
            AllowOverride None
            Require all granted
        </Directory>
        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        CustomLog logs/ipvhostexample-access_log common
        ErrorLog  logs/ipvhostexample-error_log
    </VirtualHost>
  5. systemctl reload httpd
  6. w3m -dump http://192.168.1.5/

Name based virtual host:

  1. echo "192.168.1.5  namevhost.example.com" | tee -a /etc/hosts
  2. mkdir /namevhost; echo "namevhost" >> /namevhost/index.html
  3. chcon -R --reference=/var/www/html /namevhost/                (Set the SELinux context)
  4. Add the following to /etc/httpd/conf.d/namevhost.conf (the first *:80 vhost is the one served for Host headers that match nothing else, so list the default first):
    <VirtualHost *:80>
        ServerName      _default_
        DocumentRoot    /var/www/html/
    </VirtualHost>
    <VirtualHost *:80>
        ServerName      namevhost.example.com
        ServerAlias     www.namevhost.example.com
        ServerAdmin     admin@example.com
        DocumentRoot    /namevhost/
        <Directory /namevhost/>
            Options Indexes FollowSymLinks
            AllowOverride None
            Require all granted
        </Directory>
        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        CustomLog logs/namevhostexample-access_log common
        ErrorLog  logs/namevhostexample-error_log
    </VirtualHost>
  5. systemctl reload httpd
  6. w3m -dump http://namevhost.example.com/

Password protected directory:

  1. echo "Secure file" | tee /var/www/html/secure.html
  2. Add the following to /etc/httpd/conf.d/secure.conf
    <Location /secure/>      # a virtual path in the URL to match against; it need not exist on disk
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile secure.users          # relative paths resolve against ServerRoot, i.e. /etc/httpd/secure.users
        Require valid-user

        RewriteEngine on                   # serve the following file just for testing
        RewriteRule "/secure/" "http://192.168.1.3/secure.html"
    </Location>
  3. Create the password file with an entry for the user myuser (-c creates the file and overwrites an existing one; omit it when adding further users):
    htpasswd -c /etc/httpd/secure.users myuser
  4. systemctl reload httpd
  5. Basic authentication sends the username and password base64-encoded, not encrypted, with every request; only use it on an https vhost.

Configure Apache over SSL on a specific IP and non-standard ports:

  1. yum install httpd mod_ssl
  2. Create a private key and self-signed certificate (2048-bit RSA; 1024-bit RSA has been deprecated since 2013 and is rejected by many current TLS stacks):
    • mkdir /etc/httpd/certs
    • openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout /etc/httpd/certs/localhost.key -out /etc/httpd/certs/localhost.crt \
      -subj "/C=US/ST=Awesome/L=Town/O=Example Inc/OU=IT/CN=example.com/emailAddress=admin@example.com"
    • chmod 0600 /etc/httpd/certs/localhost.key
  3. Update the following in /etc/httpd/conf/httpd.conf
    Listen 192.168.1.3:88
  4. Update the following in /etc/httpd/conf.d/ssl.conf
    SSLCertificateKeyFile  /etc/httpd/certs/localhost.key
    SSLCertificateFile     /etc/httpd/certs/localhost.crt
    Listen 192.168.1.3:444 https
    <VirtualHost _default_:444>
  5. Label the new ports for httpd in SELinux (-m modifies an existing port label; if semanage reports that the port is not defined, use -a instead):
    semanage port -m -t http_port_t -p tcp 88
    semanage port -m -t http_port_t -p tcp 444
    semanage port -l | grep http_port_t
  6. systemctl restart httpd

A new CGI-enabled directory and URL rewriting:

  1. mkdir /cgi-new
  2. Create the following foo.cgi script in the /cgi-new/ directory (headers come first, then exactly one empty line, then the body; a blank line printed before the Content-type header makes httpd reject the output as a malformed header):
    #!/bin/bash
    printf 'Content-type: text/plain\r\n\r\n'
    printf 'File is %s\n' "$1"
  3. Grant execute permissions and update the SELinux context:
    chmod -R +x /cgi-new
    chcon -R --reference=/var/www/cgi-bin /cgi-new/
  4. Create a newcgi.conf config file in /etc/httpd/conf.d/ with the following:
    # Map /foo/<anything> to /scripts/foo.cgi and pass <anything> as the query string;
    # a query string without "=" is handed to the script as a command-line argument ($1).
    RewriteEngine on
    RewriteRule ^/foo/(.*) /scripts/foo.cgi?$1 [L,PT]
    # Serve the /scripts URL path from the /cgi-new directory (ScriptAlias also marks it as CGI)
    ScriptAlias /scripts /cgi-new/
    <Directory /cgi-new/>
        Require all granted
    </Directory>
  5. systemctl restart httpd
  6. curl http://localhost/foo/bar    -> foo.cgi answers: File is bar
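
Added example (not from the original post): a local harness that runs a CGI script the way httpd does, with an "indexed" query string passed as an argument, and checks the header/blank-line contract of its output. The corrected foo.cgi it writes matches step 2 above; the "broken" variant prints a blank line before the Content-type header, which is the failure httpd reports as a malformed header. Scripts are written to a temporary directory, so no web server is needed.

```shell
# Added example: exercise a CGI script the way httpd does and validate its output.
# httpd passes an "indexed" query string (one without "=") to the script as
# command-line arguments, which is why foo.cgi above can read "$1".
# The scripts are written to a temporary directory; no web server is required.

write_foo_cgi() {        # write_foo_cgi PATH -> the corrected foo.cgi from the page
  cat > "$1" <<'EOF'
#!/bin/sh
# Headers first, then one empty line, then the body.
printf 'Content-type: text/plain\r\n\r\n'
printf 'File is %s\n' "$1"
EOF
  chmod 755 "$1"
}

write_broken_cgi() {     # write_broken_cgi PATH -> same script with a blank line before the header
  cat > "$1" <<'EOF'
#!/bin/sh
printf '\n'
printf 'Content-type: text/plain\n\n'
printf 'File is %s\n' "$1"
EOF
  chmod 755 "$1"
}

run_cgi() {              # run_cgi SCRIPT QUERY -> raw script output, as httpd would read it
  QUERY_STRING=$2 REQUEST_METHOD=GET GATEWAY_INTERFACE=CGI/1.1 sh "$1" "$2"
}

cgi_headers_ok() {       # cgi_headers_ok SCRIPT QUERY -> 0 if output starts with a header block
  run_cgi "$1" "$2" | tr -d '\r' | awk '
    NR == 1 && $0 !~ /^[A-Za-z][A-Za-z0-9-]*:/ { bad = 1; exit }
    /^$/                                       { ok = 1; exit }
    END                                        { exit (ok && !bad) ? 0 : 1 }'
}

cgi_body() {             # cgi_body SCRIPT QUERY -> everything after the header block
  run_cgi "$1" "$2" | tr -d '\r' | sed '1,/^$/d'
}

# Stand-alone run: the corrected script passes, the broken one does not.
lab=$(mktemp -d)
write_foo_cgi "$lab/foo.cgi"
write_broken_cgi "$lab/broken.cgi"
for s in foo broken; do
  if cgi_headers_ok "$lab/$s.cgi" bar; then
    echo "$s.cgi: OK, body: $(cgi_body "$lab/$s.cgi" bar)"
  else
    echo "$s.cgi: malformed header block (httpd would answer 500)"
  fi
done
```

Run `cgi_headers_ok /cgi-new/foo.cgi bar` on the server before wiring up the rewrite rule; it catches the header-ordering mistake without reading error_log.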

P.S. Add "LogLevel alert rewrite:trace6" to /etc/httpd/conf/httpd.conf to log URL-rewriting debug messages (trace6 is very verbose; turn it off again after debugging). Reference: http://httpd.apache.org/docs/current/rewrite/

Enable mod_status:

  1. Add the following to /etc/httpd/conf.d/status.conf (server-status lists client IPs and the URLs being served, so keep it restricted to trusted addresses):
    <Location /server-status/>
        SetHandler server-status
        Require ip 192.168.1.0/24 ::1 127.
    </Location>
  2. systemctl restart httpd
  3. w3m -dump http://localhost/server-status/

Enable server-side includes under a URI:

  1. Create two directories under /var/www/html/:
    mkdir /var/www/html/magic /var/www/html/includes
  2. Add the following to /etc/httpd/conf.d/magic.conf (Includes also allows <!--#exec --> to run commands; use +IncludesNOEXEC instead when the people who can write content are not trusted with a shell on the server):
    <Location /magic/>
        Options +Includes
        XBitHack on
    </Location>
  3. Create index.html in /var/www/html/magic
    <html>
    <head>
    <title>This file is a magic include file</title>
    </head>
    <body>
    <h1>This file is a magic include file</h1>
    <h2>Foo include below</h2>
    <!--#include virtual="/includes/foo.html" -->
    <h2>Bar include below</h2>
    <!--#include virtual="/includes/bar.html" -->
    </body>
    </html>
  4. Create foo.html and bar.html in /var/www/html/includes
    echo "foo file include" | tee /var/www/html/includes/foo.html
    echo "bar file include" | tee /var/www/html/includes/bar.html
  5. With XBitHack on, httpd only parses files that carry the user execute bit, so mark the page:
    chmod u+x /var/www/html/magic/index.html
  6. systemctl restart httpd
  7. curl http://localhost/magic/index.html

Apache load testing utilities:

  1. ApacheBench (ab): shipped with the Apache httpd server (the httpd-tools package on CentOS).
  2. httperf: written at HP Labs; can use log files as the source of URIs to test.
  3. siege: designed to let web developers measure their code under duress.
  4. sproxy: works as an HTTP proxy server, collecting all requested URIs for use as the Siege testing corpus.

Apache alternative web servers:

  1. cherokee: has a web-based configuration panel; benchmarks have shown it to be much faster than Apache for dynamic and static content.
  2. nginx: has a small footprint, so it scales from small servers to high-performance web servers. It powers some of the largest sites on the Internet and, at the time of writing, accounted for about 14% of the web server market.
  3. lighttpd: is used to power some high-profile sites, such as YouTube and Wikipedia, and also has a light-weight, scalable architecture.

Configure a DNS server in Linux

Configure a caching DNS:

  • yum install bind
  • /etc/named.conf: either open it up or restrict it to the local networks
    listen-on port 53 { any; };        or    listen-on port 53 { 127.0.0.1; 192.168.0.18; };
    allow-query { any; };              or    allow-query { localhost; 192.168.0.0/24; };
    (A recursive server that answers anyone is an open resolver and gets abused for DNS amplification; on anything reachable from the Internet keep allow-query and allow-recursion limited to your own networks.)
  • systemctl restart named
  • dig @localhost google.com      (or dig @hostname google.com)

Configure an authoritative forward zone:

  1. Append the following to /etc/named.conf
    zone "example.com." IN {
        type master;
        file "example.com.zone";
    };
  2. Check for config errors:
    named-checkconf /etc/named.conf
  3. Create the file /var/named/example.com.zone with the following:
    $TTL 30
    @ IN SOA localhost. admin.example.com. (
        2012092901 ; serial, YYYYMMDDRR format
        3H         ; refresh
        1H         ; retry
        2H         ; expire
        1M )       ; negative-answer TTL
    @ IN NS localhost.
    www.example.com. IN A 192.168.111.45
    www.example.com. IN AAAA fe80::22c9:d0ff:1ecd:c0ef
    foo.example.com. IN A 192.168.121.11
    bar.example.com. IN CNAME www.example.com.
    ; generate one hundred entries, host1 through host100
    $GENERATE 1-100 host$.example.com. IN A 10.20.45.$
  4. Check the zone file:
    named-checkzone example.com /var/named/example.com.zone
  5. systemctl restart named
  6. Test the new DNS entries:
    • dig @localhost -t A www.example.com
    • dig @localhost -t AAAA www.example.com
    • dig @localhost -t A foo.example.com
    • dig @localhost -t CNAME bar.example.com
    • dig @localhost -t A host7.example.com
    • dig @localhost -t A host37.example.com

Configure a Reverse DNS zone:

  1. Append the following to /etc/named.conf:
    zone "45.20.10.in-addr.arpa." IN {
        type master;
        file "45.20.10.in-addr.arpa.zone";
    };
  2. Check for config errors:
    named-checkconf /etc/named.conf
  3. Create the zone file /var/named/45.20.10.in-addr.arpa.zone with the following:
    $TTL 30
    @ IN SOA localhost. admin.example.com. (
        2012092901 ; serial, YYYYMMDDRR format
        3H         ; refresh
        1H         ; retry
        2H         ; expire
        1M )       ; negative-answer TTL
    @ IN NS localhost.
    ; generate PTR records for 1-254 (owner names are relative to the zone origin)
    $GENERATE 1-254 $ IN PTR host$.example.com.
  4. Test the zone file:
    named-checkzone 45.20.10.in-addr.arpa /var/named/45.20.10.in-addr.arpa.zone
  5. Reload the named daemon:
    rndc reload
  6. Test the new DNS entries:
    • host 10.20.45.7 localhost
    • host 10.20.45.37 localhost
    • host 10.20.45.73 localhost
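
Added example (not from the original post) for the $GENERATE directives in both zone files above: a shell/awk expander that turns a $GENERATE line into the individual records BIND will serve, so you can see what host7 or 10.20.45.73 resolve to before loading the zone, or pipe the expanded zone through named-checkzone. It implements only the plain "$" substitution used on this page; the ${offset,width,base} modifiers are not supported. The two directives used as input are the page's own.

```shell
# Added example: expand BIND's $GENERATE directive so the records it creates can
# be inspected. Only the "$" substitution used in the two zone files above is
# implemented (no ${offset,width,base} modifiers). Other zone lines pass through.

generate_expand() {      # generate_expand < zonefile -> zone with $GENERATE lines expanded
  awk '
    $1 == "$GENERATE" {
      n = split($2, rng, "/"); step = (n == 2) ? rng[2] + 0 : 1   # range is start-stop[/step]
      split(rng[1], se, "-"); start = se[1] + 0; stop = se[2] + 0
      tmpl = $3                                                   # rest of the line is the template
      for (i = 4; i <= NF; i++) tmpl = tmpl " " $i
      for (v = start; v <= stop; v += step) { rec = tmpl; gsub(/\$/, v, rec); print rec }
      next
    }
    { print }'
}

zone_lookup() {          # zone_lookup NAME TYPE < expanded-zone -> RDATA of the first matching record
  awk -v name="$1" -v type="$2" '$1 == name && $(NF-1) == type { print $NF; exit }'
}

# Stand-alone run over the two directives from the zone files above.
fwd='$GENERATE 1-100 host$.example.com. IN A 10.20.45.$'
rev='$GENERATE 1-254 $ IN PTR host$.example.com.'
printf '%s\n' "$fwd" | generate_expand | sed -n '7p;37p'
printf '%s\n' "$rev" | generate_expand | sed -n '73p'
```

To check a whole zone the way named will see it: `generate_expand < /var/named/example.com.zone | named-checkzone example.com /dev/stdin`.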

Concepts:

  • A: Return 32bit IPv4 address (name to IP address)
  • AAAA: Return 128bit IPv6 address (name to IP address)
  • PTR: Pointer to the canonical name (IP address to name)
  • CNAME: Return an alias to another name
  • MX: Return the message transfer agents for a domain
  • NS: Delegates an authoritative DNS zone nameserver
  • SOA: Start of Authority for a domain (domain and zone settings)
  • TXT: Arbitrary human-readable text, or machine-readable data for specific purpose

 

 


Shell and SSH basics

sudo:

  • sudo bash -c "echo 'user ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/user"                   (passwordless root for user)
  • sudo bash -c "echo '%grp ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/grp"                     (passwordless root for every member of group grp)
  • sudo bash -c "echo 'user ALL=NOPASSWD: /usr/bin/ls, /usr/bin/cat' > /etc/sudoers.d/user"    (limit user to two commands)
  • chmod 0440 /etc/sudoers.d/user; visudo -cf /etc/sudoers.d/user    (sudo expects 0440; check the syntax before logging out, since a parse error in any sudoers file locks sudo for everyone. Drop-in names containing "." or ending in "~" are ignored by sudo.)
  • su - user; sudo ls -l /etc/        (Switch to user and verify sudo works for user)
  • sudo -i | su - root | su -         (Sudo to root, or switch to root)
  • sudo su user                       (Switch to a user that has no password set)
  • Configs:
    • /etc/sudoers.d/*
    • /etc/sudoers
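
Added example (not from the original post): a check for /etc/sudoers.d drop-ins like the ones created above, applying the rules sudo uses when it reads that directory: file names containing "." or ending in "~" (editor backups) are silently skipped, files are expected to be mode 0440, and a rule granting NOPASSWD: ALL is worth flagging because it is passwordless root. The sample files are constructed in a temporary directory; on the real host follow it with visudo -cf, which is the only syntax check that matters.

```shell
# Added example: check a /etc/sudoers.d drop-in the way sudo will treat it.
# Facts used: sudo skips files in sudoers.d whose name contains "." or ends
# with "~", expects sudoers files to be mode 0440, and refuses world-writable
# ones. Syntax is checked with visudo -cf on the real host (sudoers_dropin_syntax).
# Sample files are constructed in a temporary directory by make_sudoers_lab.

sudoers_dropin_check() { # sudoers_dropin_check FILE -> "ok" / "ok (grants NOPASSWD ALL)" / reason; non-zero on problem
  f=$1; name=${f##*/}
  case "$name" in
    *.*|*~) echo "ignored: sudo skips '$name' (name contains '.' or ends with '~')"; return 1 ;;
  esac
  perm=$(ls -l "$f" | cut -c1-10)
  if [ "$perm" != "-r--r-----" ]; then
    echo "bad mode $perm on $name (want 0440: chmod 0440 $f)"
    return 1
  fi
  if grep -q 'NOPASSWD:[[:space:]]*ALL' "$f"; then
    echo "ok (grants NOPASSWD ALL)"       # passwordless root for the listed principal
  else
    echo ok
  fi
}

sudoers_dropin_syntax() { # run on the target host; visudo exits non-zero on parse errors
  visudo -cf "$1"
}

make_sudoers_lab() {     # -> temp dir with constructed drop-ins mirroring the rules above
  t=$(mktemp -d)
  echo 'user ALL=(ALL) NOPASSWD: ALL' > "$t/user"
  echo 'user ALL=NOPASSWD: /usr/bin/ls, /usr/bin/cat' > "$t/user-ls"
  echo '%grp ALL=(ALL) NOPASSWD: ALL' > "$t/grp.bak"       # ignored by sudo because of the "."
  chmod 0440 "$t/user" "$t/user-ls" "$t/grp.bak"
  echo 'user ALL=(ALL) ALL' > "$t/user-loose"
  chmod 0644 "$t/user-loose"                                 # wrong mode
  printf '%s\n' "$t"
}

# Stand-alone run over the constructed files.
lab=$(make_sudoers_lab)
for f in "$lab"/*; do
  printf '%s: ' "${f##*/}"; sudoers_dropin_check "$f" || true
done
```

The name rule is the one that bites in practice: an editor backup such as /etc/sudoers.d/user~ or a copy named user.bak is not an error, it simply never takes effect, so a rule you think you removed may still be live in the original file.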

shell:

  • chsh -l; cat /etc/shells           (List installed shells)
  • echo $SHELL                        (Print the login shell)
  • echo $0; ps -p "$$"                (Print the current shell)
  • chsh -s /bin/tcsh user             (Change the user's login shell in /etc/passwd)
  • exec bash                          (Restart the shell without logging out)
  • chroot /mnt/sysroot                (Change the apparent root directory)

Environment variables:

  • Set a user-local environment variable:
    • export VAR='value'; echo $VAR                    (Set a variable temporarily)
    • echo "export VAR1='value'" >> ~/.bash_profile    (Set a variable permanently)
    • source ~/.bash_profile
  • Set a system-wide environment variable:
    • sudo bash -c "echo VAR2='value' >> /etc/environment"
    • P.S. You need to log out and log in again to reload the file
  • export; env                                         (Show all environment variables)

ssh (Secure Shell):

  • yum install openssh-server openssh-clients
  • ssh user@host
  • ssh -l user host
  • ssh -i ~/.ssh/id_rsa user@host
  • ssh -X user@host                   (Enable X11 forwarding)
  • ssh-keygen [-f ~/.ssh/id_rsa -N 'passphrase' -t rsa]    (Generate an SSH key pair in ~/.ssh/; an empty -N leaves the private key unencrypted on disk)
  • eval $(ssh-agent)               (Start the SSH agent)
  • ssh-add ~/.ssh/id_rsa         (Cache the private key in the agent)
  • ssh-copy-id user@host    (Append the user's public key to ~/.ssh/authorized_keys on host)
  • systemctl start|stop|restart|status sshd
  • Config files:
    • /etc/ssh/sshd_config  (server config file)
      • PermitRootLogin              yes|no|prohibit-password    (prohibit-password = key only; older releases spell it without-password)
      • X11Forwarding                yes|no
      • AllowAgentForwarding         yes|no
    • /etc/ssh/ssh_config | ~/.ssh/config           (Client config files, system-wide and per user)
      • ForwardX11Trusted yes             (Tunnel the X11 protocol over ssh)
    • $HOME/.ssh/*
      • id_rsa                        (private key, mode 0600)
      • id_rsa.pub                    (public key)
      • authorized_keys               (public keys allowed to log in to this account)
      • known_hosts                   (host keys of servers this client has connected to; a changed key triggers the man-in-the-middle warning)

 


Install Gate One Web Terminal in CentOS 7

  1. yum install epel-release
  2. yum update && yum install git python python-pip
  3. pip install --upgrade pip setuptools
  4. git clone https://github.com/liftoff/GateOne.git
  5. cd GateOne && python setup.py install
  6. firewall-cmd --permanent --add-service=https; firewall-cmd --reload
  7. Browse to https://<centos-ip>/

Linux boot loader

grub2 (Boot) commands:

  • grub2-*                                  (the grub2 tool family, e.g. grub2-install, grub2-set-default)
  • grub2-mkconfig -o /boot/grub2/grub.cfg   (Regenerate grub.cfg from /etc/default/grub and /etc/grub.d/*)
  • Configs:
    • /etc/default/grub
    • /boot/grub2/grub.cfg                   (generated; do not edit by hand)
    • /etc/grub.d/*

Get kernel config options:

  • cat /boot/config-$(uname -r) 

Backup Master Boot Record (MBR):

  • MBR = 512 bytes
    • Bootstrap code = 446 bytes
    • Partition table = 64 bytes (four 16-byte entries)
    • Signature = 2 bytes (0x55 0xAA)
  • Back up or restore only the boot code (446 bytes), leaving the partition table untouched:
    • dd if=/dev/sda of=/mbr.bak bs=446 count=1         (Backup)
    • dd if=/mbr.bak of=/dev/sda bs=446 count=1         (Restore)
  • Back up or restore the full MBR (512 bytes), including the partition table; only restore this if the partition layout has not changed since the backup was taken, or the table is overwritten with stale entries:
    • dd if=/dev/sda of=/mbr.bak bs=512 count=1         (Backup)
    • dd if=/mbr.bak of=/dev/sda bs=512 count=1         (Restore)
  • Note that this saves only sector 0; GRUB2's core.img lives in the sectors after the MBR and is not included.
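
Added example (not from the original post): a parser for the 512-byte layout described above, useful for checking a backup before writing it back. It reads the 0x55AA signature and the four partition-table entries with od, so it works on /mbr.bak or directly on /dev/sda. The image it runs on stand-alone is constructed inline (zeroed boot code, one bootable Linux partition, valid signature); nothing is written to a real disk.

```shell
# Added example: parse the 512-byte MBR layout described above from a backup
# image and verify it before a restore. A synthetic image with one bootable
# Linux partition is constructed by make_test_mbr; point the functions at
# /mbr.bak (or /dev/sda) for the real thing.

mbr_signature() {        # mbr_signature IMAGE -> the two signature bytes in hex, expected 55aa
  od -An -tx1 -j 510 -N 2 "$1" 2>/dev/null | tr -d ' \n'
}

mbr_verify() {           # mbr_verify IMAGE -> 0 if the boot signature is present
  [ "$(mbr_signature "$1")" = "55aa" ]
}

# mbr_partitions IMAGE -> one line per used entry of the 64-byte partition table:
#   pN type=XX lba=START sectors=COUNT boot=yes|no
mbr_partitions() {
  img=$1; i=0
  while [ "$i" -lt 4 ]; do
    off=$((446 + 16 * i))
    # 16 decimal byte values: status, CHS start (3), type, CHS end (3),
    # LBA start (4, little-endian), sector count (4, little-endian)
    set -- $(od -An -tu1 -j "$off" -N 16 "$img")
    status=$1; type=$5
    if [ "$type" -ne 0 ]; then
      lba=$(( $9 + ${10} * 256 + ${11} * 65536 + ${12} * 16777216 ))
      cnt=$(( ${13} + ${14} * 256 + ${15} * 65536 + ${16} * 16777216 ))
      boot=no
      if [ "$status" -eq 128 ]; then boot=yes; fi
      printf 'p%d type=%02x lba=%d sectors=%d boot=%s\n' $((i + 1)) "$type" "$lba" "$cnt" "$boot"
    fi
    i=$((i + 1))
  done
}

make_test_mbr() {        # -> path of a constructed 512-byte image: zeroed boot code, one partition, signature
  f=$(mktemp)
  dd if=/dev/zero of="$f" bs=512 count=1 2>/dev/null
  # entry 1: bootable (0x80), type 0x83 (Linux), LBA start 2048, 2097152 sectors (1 GiB)
  printf '\200\000\000\000\203\000\000\000\000\010\000\000\000\000\040\000' |
    dd of="$f" bs=1 seek=446 conv=notrunc 2>/dev/null
  printf '\125\252' | dd of="$f" bs=1 seek=510 conv=notrunc 2>/dev/null   # 0x55 0xAA
  printf '%s\n' "$f"
}

# Stand-alone run: verify, then list the partition table.
img=$(make_test_mbr)
if mbr_verify "$img"; then
  echo "$img: boot signature OK"
  mbr_partitions "$img"
else
  echo "$img: no 55aa signature, do not restore this"
fi
```

Before a 512-byte restore, compare `mbr_partitions /mbr.bak` with `mbr_partitions /dev/sda`: if the entries differ, the backup predates a repartition and only the 446-byte boot-code restore is safe. A 446-byte backup has no signature at all, so mbr_verify fails on it by design.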

Recovery modes:

  • Rescue mode / single-user mode:
    Rescue mode provides a convenient single-user environment and lets you repair the system when it cannot complete a normal boot. In Red Hat Enterprise Linux 7, rescue mode is equivalent to single-user mode and requires the root password.

    • Press 'e' at the GRUB boot loader menu
    • Append either systemd.unit=rescue.target or the legacy shorthand single to the kernel command line (the line starting with linux16 or linuxefi),
      • e.g.: ... ro crashkernel=auto rhgb quiet systemd.unit=rescue.target
    • Then press 'ctrl+x' to continue.
    • Alternatively, make it permanent by appending single to /etc/default/grub (every boot will then stop in rescue mode until it is removed again):
      • GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet single"
      • grub2-mkconfig -o /boot/grub2/grub.cfg
  • Emergency mode:
    Emergency mode provides the most minimal environment possible and lets you repair the system even when it cannot enter rescue mode. In Red Hat Enterprise Linux 7, emergency mode requires the root password.

    • Press 'e' at the GRUB boot loader menu
    • Append either systemd.unit=emergency.target or the shorthand emergency to the kernel command line,
      • e.g.: ... ro crashkernel=auto rhgb quiet systemd.unit=emergency.target
    • Then press 'ctrl+x' to continue.