Serverlinux.in

Serverlinux.in: Linux System Administrator Tutorials

Linux is a Unix-like and POSIX-compliant computer operating system assembled under the model of free and open source software development and distribution. The main form of distribution is the Linux distribution. The defining component of Linux is the Linux kernel, an operating system kernel first released on 5 October 1991 by Linus Torvalds. Because it considers Linux to be a variant of the GNU operating system, initiated in 1983 by Richard Stallman, the Free Software Foundation prefers the name GNU/Linux when referring to the operating system as a whole (see GNU/Linux naming controversy).

21/05/2015

Configure SSL on Centos & Redhat Step by step
Required Packages:

yum install mod_ssl openssl

Self-signed Certificate Generate:

# Generate private key
openssl genrsa -out ca.key 2048

# Generate CSR
openssl req -new -key ca.key -out ca.csr

# Generate the self-signed certificate (valid for 365 days)
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

# Copy the files to the correct locations
cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr

Restore the SELinux file contexts under /etc/pki:

restorecon -RvF /etc/pki

Configure SSL in the Apache SSL configuration file (the +/ argument makes vi jump to the first SSLCertificateFile line):

vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf

Find and change these certificate directives so they point at the files copied above:
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

service httpd restart

Configure the virtual host for the normal (HTTP) web page:

NameVirtualHost *:80

<VirtualHost *:80>
DocumentRoot /var/www/html/vivek.serverlinux.in
ServerName vivek.serverlinux.in
ErrorLog /var/log/httpd/vivek/error_log
CustomLog /var/log/httpd/vivek/access_log common
ServerAlias www.vivek.serverlinux.in
Alias /vivek "/var/www/html/vivek.serverlinux.in"
DirectoryIndex index.php
</VirtualHost>

Configure the virtual host for the SSL web page:

NameVirtualHost *:443

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
<Directory /var/www/html/vivek.serverlinux.in>
AllowOverride All
</Directory>
DocumentRoot /var/www/html/vivek.serverlinux.in
ServerName vivek.serverlinux.in
</VirtualHost>

service httpd restart
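As an added check that is not part of the original post: a small Python audit of the :443 virtual host configured above. It confirms the three SSL directives are present, that both files exist, and that the private key is not readable by group or other (the plain cp in the steps above keeps whatever mode the key file already had). The vhost text and placeholder files it creates are constructed for the demo.

```python
"""Check an Apache mod_ssl virtual host and the private key it names.

Added example, not from the original post: parses the SSLEngine,
SSLCertificateFile and SSLCertificateKeyFile directives inside the
<VirtualHost *:443> block and checks the files and key permissions.
"""
import os
import re
import stat
import tempfile

DIRECTIVES = ('SSLEngine', 'SSLCertificateFile', 'SSLCertificateKeyFile')

def parse_ssl_vhost(text):
    """Return {directive: value} for the SSL directives of the :443 vhost."""
    m = re.search(r'<VirtualHost\s+[^>]*:443>(.*?)</VirtualHost>', text, re.S | re.I)
    found = {}
    for line in (m.group(1) if m else '').splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in DIRECTIVES:
            found[parts[0]] = parts[1].strip().strip('"')
    return found

def audit_ssl_vhost(text):
    """Return a list of findings; an empty list means the vhost looks sane."""
    cfg = parse_ssl_vhost(text)
    findings = []
    if cfg.get('SSLEngine', '').lower() != 'on':
        findings.append('SSLEngine is not on')
    for d in ('SSLCertificateFile', 'SSLCertificateKeyFile'):
        if d not in cfg:
            findings.append(d + ' missing')
        elif not os.path.isfile(cfg[d]):
            findings.append('%s points at a missing file: %s' % (d, cfg[d]))
    key = cfg.get('SSLCertificateKeyFile')
    if key and os.path.isfile(key):
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & 0o077:   # anything beyond owner rw is too open for a private key
            findings.append('private key %s is readable by group/other (mode %04o)' % (key, mode))
    return findings

def make_demo_config(key_mode):
    """Constructed fixture: placeholder cert/key files in a temp directory
    plus a vhost config naming them, with the key file set to key_mode."""
    d = tempfile.mkdtemp()
    crt, key = os.path.join(d, 'ca.crt'), os.path.join(d, 'ca.key')
    for path in (crt, key):
        with open(path, 'w') as fh:
            fh.write('-----BEGIN PLACEHOLDER-----\n')   # not a real PEM file
    os.chmod(key, key_mode)
    return ('<VirtualHost *:443>\nSSLEngine on\nSSLCertificateFile %s\n'
            'SSLCertificateKeyFile %s\nDocumentRoot /var/www/html\n'
            '</VirtualHost>\n' % (crt, key))

if __name__ == '__main__':
    print(audit_ssl_vhost(make_demo_config(0o644)))   # one finding: key too open
    print(audit_ssl_vhost(make_demo_config(0o600)))   # []
```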

01/05/2015

Zimbra Mail Server Install & configuration on CentOS & RHEL Step By Step.


31/12/2014

Wishing you and your family a very happy new year 2015. May it bring lots of felicity, prosperity, happiness, wealth, health, luck and peace.
Vivekanand Mall(serverlinux)

11/12/2014

NFS Server & Client Setup on CentOS 7 & RHEL 7

Network File System, known as NFS, is a server-client protocol used for sharing files between Linux systems. Using NFS you can mount a remote share locally and then access any of the files on that remote share directly.

NFS Benefits:

It allows local access to remote files.
It uses the standard client/server architecture for file sharing between Linux/Unix based machines.
With NFS we can configure centralized storage solutions.
Users get their data irrespective of physical location.
No manual refresh is needed for new files.
Files can be secured using firewalls and Kerberos.

NFS Services

1. nfs
2. portmap
3. rpc

Important Files for NFS Configuration

1. /etc/fstab : to mount the directory persistently across reboots.
2. /etc/exports : to share the directory and define which network may access it.
3. /etc/sysconfig/nfs : for the port numbers.

NFS Server Configuration Steps :

Required Packages:

yum install nfs-utils nfs-utils-lib

Required Service:

systemctl enable rpcbind
systemctl enable nfs-server
systemctl enable nfs-lock
systemctl enable nfs-idmap

systemctl start rpcbind
systemctl start nfs-server
systemctl start nfs-lock
systemctl start nfs-idmap

Configure the export directory:

mkdir /nfs_share

Share the directory /nfs_share by adding an entry to /etc/exports; the entry also defines the network that is allowed to access it. The /24 netmask matters: exports(5) treats a bare address such as 192.168.0.0 as a single host, not a network.

vi /etc/exports

/nfs_share 192.168.0.0/24(rw,sync)

File sharing options for /etc/exports:

1. rw: gives read and write permission on the shared directory.
2. ro: clients can only read the share.
3. sync: writes are committed to disk before the server replies to the client.
4. no_root_squash: lets the client's root user act as root on the shared directory (by default root is mapped to an unprivileged user).
5. no_subtree_check: disables subtree checking, so the server does not scan the subtree of the NFS directory on every request.

NFS Client Configuration Steps:

Packages:

yum install nfs-utils nfs-utils-lib

Service:

systemctl enable rpcbind
systemctl enable nfs-server
systemctl enable nfs-lock
systemctl enable nfs-idmap

systemctl start rpcbind
systemctl start nfs-server
systemctl start nfs-lock
systemctl start nfs-idmap

Mount the directory on the client:

mkdir /nfs_share

mount -t nfs 192.168.0.1:/nfs_share /nfs_share

or, to mount it persistently across reboots, add a line to /etc/fstab:

vi /etc/fstab

192.168.0.1:/nfs_share /nfs_share nfs defaults 0 0

Important commands for NFS:

showmount -e : show the directories exported by this machine
showmount -e <server> : show the shares available on a remote server
showmount -d : show the directories currently mounted by clients
exportfs -r : re-export all directories after /etc/exports is modified
exportfs -v : show the list of exported directories on the server
exportfs -a : export all directories listed in /etc/exports
exportfs -ua : unexport all directories listed in /etc/exports
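Added example, not the post's own: a Python audit of /etc/exports entries that catches the three mistakes the option list above invites, namely exporting to every host, no_root_squash, and a network written without its netmask, which exports(5) reads as a single host. The sample exports text is constructed for the demo.

```python
"""Audit /etc/exports entries for risky settings.

Added example, not from the original post. Flags exports open to every
host, no_root_squash, and a host field that looks like a network but
carries no netmask: exports(5) treats a bare 192.168.0.0 as one host.
"""
import ipaddress
import re

# Constructed sample; the first line is the entry shown in the post.
SAMPLE_EXPORTS = """\
# shares
/nfs_share 192.168.0.0(rw,sync)
/nfs_share 192.168.0.0/24(rw,sync,no_subtree_check)
/backup *(rw,no_root_squash)
/pub 192.168.0.0/24(ro,sync) 10.0.0.0/8(ro)
"""

# host spec with an optional parenthesised option list glued to it
HOST_RE = re.compile(r'([^\s(]+)(?:\(([^)]*)\))?')

def parse_exports(text):
    """Return (path, host, [options]) tuples, one per host on each line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], parts[1] if len(parts) > 1 else ''
        if not rest:                 # no host given: exportfs exports to everyone
            entries.append((path, '*', []))
        for host, opts in HOST_RE.findall(rest):
            entries.append((path, host, [o for o in opts.split(',') if o]))
    return entries

def is_bare_network(host):
    """True for an IPv4 address ending in .0 given without a /prefix."""
    try:
        addr = ipaddress.ip_address(host)   # '192.168.0.0/24' or '*' raises
    except ValueError:
        return False
    return addr.version == 4 and host.endswith('.0')

def audit_exports(text):
    """Return (path, host, problem) for every risky entry."""
    findings = []
    for path, host, opts in parse_exports(text):
        if host == '*':
            findings.append((path, host, 'exported to every host'))
        if 'no_root_squash' in opts:
            findings.append((path, host, 'no_root_squash lets remote root act as root'))
        if is_bare_network(host):
            findings.append((path, host, 'address without netmask is a single host, not a network'))
    return findings

if __name__ == '__main__':
    for finding in audit_exports(SAMPLE_EXPORTS):
        print('%s %s: %s' % finding)
```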

23/06/2014

How To Block Interactive Logon:

Use of interactive login:
If someone hands you a physical machine and asks you to stop a service without sharing the login password, you can still stop the service by using interactive startup.
Steps:
1. Reboot the local machine (host).
2. Press the up and left arrow keys until a boot prompt message such as "Welcome to CentOS..." appears.
3. Press the I key on the keyboard.
4. Then select the service you want to stop.

How to Disable interactive logon:

# vi /etc/sysconfig/init

SETCOLOR_NORMAL="echo -en \\033[0;39m"
# Set to anything other than 'no' to allow hotkey interactive startup...
PROMPT=no
# Set to 'yes' to allow probing for devices with swap signatures
AUTOSWAP=no
# What ttys should gettys be started on?
ACTIVE_CONSOLES=/dev/tty[1-6]

14/06/2014

How to Set the GRUB Password:

We can generate the GRUB password hash using either of these two methods:
1. # grub-md5-crypt
Password:
Retype password:
$1$rzZil1$ymgnaUq1w/ES31CRTV5gH1

2. # grub-crypt
Password:
Retype password:
$6$mic1.rIkrbcNNjdE$lYLkdenTAh/abx9Y01G7N0tzsLD/nXk1IWFmWDLQxs1bZHnY5T0ZeW9prutPAF32giao5jAznSRCQvvl.xv161

Update the GRUB password in the grub.conf file:

/etc/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/sda2
# initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$rzZil1$ymgnaUq1w/ES31CRTV5gH1
title CentOS (2.6.32-279.el6.x86_64)
lock
root (hd0,0)
kernel /vmlinuz-2.6.32-279.el6.x86_64 ro root=UUID=6ec78794-e981-473d-9a2e-c416884e24cd rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=auto KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-279.el6.x86_64.img

The password line above uses the hash from the first method (grub-md5-crypt) with --md5. If you generated the hash with the second method (grub-crypt), use --encrypted instead:

password --encrypted $6$mic1.rIkrbcNNjdE$lYLkdenTAh/abx9Y01G7N0tzsLD/nXk1IWFmWDLQxs1bZHnY5T0ZeW9prutPAF32giao5jAznSRCQvvl.xv161

The lock line under the title means that entry cannot be booted until the password has been entered.

Then reboot the host.
When you select the locked entry, GRUB reports that authentication is required; press the P key and enter the password when asked.

Then select the OS entry or press the B key to boot it.

14/06/2014

Protect SSH Logins with MOTD Banner & SSH Messages

For SSH logins, configure a security banner that contains general information or a security warning.

The message can be displayed in two ways: using the motd file, or using the issue.net file.

motd – Displays the banner message after the user has logged in.
issue.net – Displays the banner message before the password login prompt.

Display SSH general information or a security warning message to users before login:
Edit /etc/issue.net and add the message or information you want to display, like this:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# WelCome to Serverlinux.in #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

# vi /etc/ssh/sshd_config
Search for the Banner line (#Banner none), uncomment it and add the path so that it looks like this:
Banner /etc/issue.net

Then restart the service:
/etc/init.d/sshd restart

After that, when we log in, the message is shown:
ssh 192.168.33.128
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# WelCome to Serverlinux.in #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
Last login: Sat Jun 14 09:31:42 2014 from 192.168.33.1
[root@server ~] #

Display SSH general information or a security warning message to users after login:

Edit /etc/motd, add your message and save it:
**************************************
* Thanks for login *
**************************************

Then when we log in to the server both messages are displayed:

ssh 192.168.33.128
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# WelCome to Serverlinux.in #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
Last login: Sat Jun 14 10:04:01 2014 from 192.168.33.1
**************************************
* Thanks for login *
**************************************

14/06/2014

Log File Locations For a Linux Server:

/var/log/yum.log : Yum log file.
/var/log/messages : Where current activity logs or whole system logs are available.
/var/log/utmp or /var/log/wtmp : Login records file.
/var/log/mysqld.log : MySQL database server log file.
/var/log/maillog : Mail server logs.
/var/log/kern.log : Kernel logs.
/var/log/secure : Authentication log.
/var/log/cron.log : Crond logs (cron jobs).
/var/log/auth.log : Authentication logs.
/var/log/boot.log : System boot log.

14/06/2014

How to Check User Account and Password Validity

chage -l username

OutPut:

chage -l root
Last password change : May 12, 2014
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

To change password aging for any user:

chage -M 60 username
chage -M 60 -m 7 -W 7 username

Parameters:

-M Set maximum number of days
-m Set minimum number of days
-W Set the number of days of warning

14/06/2014

How To Block SSH Login For root & Users

To block users from logging in on the terminal, create /etc/nologin:
# cd /etc
# mkdir nologin
Then users can't log in on the terminal.

To block root login over SSH, edit the following in /etc/ssh/sshd_config:

/etc/ssh/sshd_config

# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

Uncomment the PermitRootLogin line and set it to no to disable root login; then restart sshd for the change to take effect.
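Added example, not from the original posts, covering both the Banner edit above and the PermitRootLogin edit here: sshd(8) uses the first value it finds for a keyword and ignores later repeats, keywords are case-insensitive, and lines after a Match header apply only to matching connections. The helper below resolves the values sshd will actually use, so an appended "PermitRootLogin no" that is shadowed by an earlier "PermitRootLogin yes" is caught. The sshd_config text is constructed.

```python
"""Resolve which sshd_config values sshd actually uses.

Added example, not from the original posts. sshd(8) takes the FIRST
value it sees for a keyword and silently ignores later repeats; keyword
names are case-insensitive; everything after a Match line applies only
to matching connections.
"""

# Constructed sshd_config: the Banner and PermitRootLogin edits from the
# posts, plus a stale earlier value and a Match block.
SAMPLE_SSHD_CONFIG = """\
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#Banner none
Banner /etc/issue.net
permitrootlogin no
Match User backup
    PermitRootLogin forced-commands-only
"""

def parse_sshd_config(text):
    """Return (effective, shadowed): effective maps lower-cased keyword to
    the first value in the global section; shadowed lists (keyword, value)
    pairs that sshd ignores because an earlier line already set them."""
    effective, shadowed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        head = line.split(None, 1)
        if '=' in head[0]:                       # "Keyword=value" form
            key, value = line.split('=', 1)
        else:
            key, value = head[0], head[1] if len(head) > 1 else ''
        key, value = key.strip().lower(), value.strip()
        if key == 'match':                       # global section ends here
            break
        if key in effective:
            if effective[key] != value:
                shadowed.append((key, value))
        else:
            effective[key] = value
    return effective, shadowed

def root_login_blocked(text, default='yes'):
    """True when the global PermitRootLogin that sshd will use is 'no'.
    'yes' is the default of the OpenSSH shipped in the CentOS 6 era the
    posts describe; newer releases default to prohibit-password."""
    return parse_sshd_config(text)[0].get('permitrootlogin', default) == 'no'

def banner_path(text):
    """The banner file sshd shows before login, or None if unset/none."""
    value = parse_sshd_config(text)[0].get('banner', 'none')
    return None if value.lower() == 'none' else value

if __name__ == '__main__':
    print(parse_sshd_config(SAMPLE_SSHD_CONFIG))   # the 'no' is shadowed
    print(root_login_blocked(SAMPLE_SSHD_CONFIG))  # False
```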

14/06/2014

SSH Login Without Password Using ssh-keygen

Create the private & public keys using ssh-keygen:

[root@support ~] # ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
d0:99:f8:94:73:26:7d:78:80:3b:f2:8e:f6:9a:62:65 root@support
The key's randomart image is:
+--[ RSA 2048]----+
| .. |
| o.= o |
| o O.= o |
| .+o= o |
| oS. |
| E . |
| o o |
| o o.. |
| . ooo. |
+-----------------+

Copy the public key to the remote host using ssh-copy-id:

ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.33.128
root@192.168.33.128's password:
Now try logging into the machine, with "ssh '192.168.33.128'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

You have new mail in /var/spool/mail/root

Log in to the remote host without any password:

ssh 192.168.33.128
Last login: Tue May 13 03:40:38 2014 from 192.168.33.1

13/06/2014

How to create master and slave DNS:

On Master DNS:

Check the IP address:

ifconfig
eth1 Link encap:Ethernet HWaddr 00:0C:29:5A:B0:13
inet addr:192.168.33.141 Bcast:192.168.33.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe5a:b013/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:260 errors:0 dropped:0 overruns:0 frame:0
TX packets:482 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28183 (27.5 KiB) TX bytes:42938 (41.9 KiB)

Add the hostname:
/etc/hosts

127.0.0.1 localhost.localdomain localhost.localdomain localhost4 localhost4.localdomain4 localhost server over2cloud
::1 localhost.localdomain localhost.localdomain localhost6 localhost6.localdomain6 localhost server over2cloud
192.168.33.141 over2cloud.co.in over2cloud

Configure the Domain name:

/etc/sysconfig/network

NETWORKING=yes
HOSTNAME=over2cloud.over2cloud.co.in
DOMAIN=over2cloud.co.in

Check the firewall and stop it:

service iptables stop

Install the DNS server packages:

yum install bind* -y

DNS Configuration:

# vi /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
listen-on port 53 { 127.0.0.1; 192.168.33.141; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-transfer { 192.168.33.145; };
recursion yes;

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

zone "over2cloud.co.in" IN {
type master;
file "f.zone";
allow-update { none; };
};

zone "33.168.192.in-addr.arpa" IN {
type master;
file "r.zone";
allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Configure the zone files from the sample zones shipped with BIND:

cd /var/named/
cp -p named.localhost f.zone
cp -p named.loopback r.zone

Declare the f.zone:
# vi f.zone
$TTL 1D
@ IN SOA over2cloud.co.in. root.over2cloud.co.in. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS over2cloud.co.in.
over2cloud.co.in. IN A 192.168.33.141
over2cloud IN A 192.168.33.141

Declare the r.zone:
# vi r.zone

$TTL 1D
@ IN SOA over2cloud.co.in. root.over2cloud.co.in. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS over2cloud.co.in.
141 IN PTR over2cloud.co.in.

Restart the service :

service named restart

On the slave DNS, configure /etc/named.conf:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/rndc.key";
server 192.168.33.141 {
keys {rndc-key; };
};

options {
listen-on port 53 { 127.0.0.1; 192.168.33.145; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

zone "over2cloud.co.in" IN {
type slave;
masters { 192.168.33.141; };
file "slaves/f.zone";
allow-update { none; };
};

zone "33.168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.33.141; };
file "slaves/r.zone";
allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Restart the service :

service named restart

----------------------------

How to Use ACL, Blackhole, Hiding of Version & TSIG:

Check the IP address:

ifconfig
eth1 Link encap:Ethernet HWaddr 00:0C:29:80:BA:A1
inet addr:192.168.33.144 Bcast:192.168.33.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe80:baa1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:129 errors:0 dropped:0 overruns:0 frame:0
TX packets:94 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:13715 (13.3 KiB) TX bytes:14089 (13.7 KiB)

Add the hostname:
/etc/hosts

127.0.0.1 localhost.localdomain localhost.localdomain localhost4 localhost4.localdomain4 localhost server facebook
::1 localhost.localdomain localhost.localdomain localhost6 localhost6.localdomain6 localhost server facebook
192.168.33.144 facebook facebook.com

Configure the Domain name:

/etc/sysconfig/network

NETWORKING=yes
HOSTNAME=facebook.facebook.com
DOMAIN=facebook.com

Check the firewall and stop it:

service iptables stop

Install the DNS server packages:

yum install bind* -y

Generate the TSIG key (HMAC-MD5 is the legacy default; dnssec-keygen also accepts -a HMAC-SHA256):

dnssec-keygen -a HMAC-MD5 -b 128 -n HOST rndc.key

DNS Configuration:

# vi /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "domainip" { 192.168.33.0/24; };   // ACL for the local network (network address, not a host, before the prefix length)
acl "spam" { 192.168.34.145; };        // blackhole list: a spamming DNS source to drop
include "/etc/rndc.key";               // TSIG key
options {
listen-on port 53 { 127.0.0.1; 192.168.33.144; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-transfer { 192.168.33.145; };
recursion yes;
blackhole { spam; };                   // drop all traffic from the blackhole list
version "vivek";                       // hide the real version string
max-cache-size 10m;                    // maximum cache size 10 MB
cleaning-interval 15;                  // cache cleaned every 15 minutes
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
zone-statistics yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

zone "facebook.com" IN {
type master;
file "f.zone";
allow-update { key rndc-key; };
};

zone "33.168.192.in-addr.arpa" IN {
type master;
file "r.zone";
allow-update { key rndc-key; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Restart the service :

service named restart
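Added example, not the post's own tooling: a Python audit of the options block in a named.conf like the three above. It strips the //, # and /* */ comments, walks the braces to isolate the top-level options block, and flags an open recursive resolver (recursion yes with allow-query any and no allow-recursion, the combination all three configs above use), a missing allow-transfer, a missing version string, and acl definitions that nothing references (the "domainip" acl above is defined but never used). The named.conf fragment is constructed.

```python
"""Audit the options block of a BIND named.conf. Added example, not the
post's own tooling: flags open recursion, missing allow-transfer,
missing version and unused acl definitions."""
import re

# Constructed fragment mirroring the post's final named.conf.
SAMPLE_NAMED_CONF = """\
acl "domainip" { 192.168.33.0/24; };   // defined for ACL use
acl "spam" { 192.168.34.145; };        // blackholed source
options {
    allow-query { any; };
    allow-transfer { 192.168.33.145; };
    recursion yes;
    blackhole { spam; };               # drop the spam acl
    version "vivek";                   /* hide the version */
};
"""

COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def block_body(text, name):
    """Body of the top-level `name { ... }` block, '' if absent."""
    m = re.search(r'\b%s\s*\{' % name, text)
    if not m:
        return ''
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += (text[i] == '{') - (text[i] == '}')
        if depth == 0:
            return text[start:i]
    return ''

def statements(body):
    """Split a block body on ';' at brace depth 0 into {keyword: rest}."""
    out, depth, cur = {}, 0, ''
    for ch in body:
        depth += (ch == '{') - (ch == '}')
        if ch == ';' and depth == 0:
            parts = cur.split(None, 1)
            if parts:
                out[parts[0]] = parts[1].strip() if len(parts) > 1 else ''
            cur = ''
        else:
            cur += ch
    return out

def audit_named_conf(text):
    """Return findings for the risky settings; an empty list means clean."""
    clean = COMMENT_RE.sub('', text)
    opts = statements(block_body(clean, 'options'))
    findings = []
    # Without allow-recursion/allow-query-cache BIND derives the recursion ACL from allow-query.
    if opts.get('recursion', 'yes') == 'yes' and not ({'allow-recursion', 'allow-query-cache'} & set(opts)) \
            and 'any' in re.findall(r'\w+', opts.get('allow-query', '')):
        findings.append('open resolver: recursion yes and allow-query any')
    if 'allow-transfer' not in opts:          # BIND default: transfers to any host
        findings.append('allow-transfer unset: zone transfers allowed to any host')
    if 'version' not in opts:
        findings.append('version unset: real BIND version answers version.bind')
    for name in re.findall(r'\bacl\s+"?([\w.-]+)"?\s*\{', clean):
        if len(re.findall(r'\b%s\b' % re.escape(name), clean)) < 2:
            findings.append('acl "%s" is defined but never referenced' % name)
    return findings
```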
