Thursday 23 March 2017
Advanced System Administration Part - 1
## Advanced System Administration ##
Networking Redhat Linux
A computer network or data network is a
telecommunications network that allows computers to exchange data. In computer
networks, networked computing devices pass data to each other along data
connections. Data is transferred in the form of packets.
Configuration Files
File | Description
/etc/resolv.conf | Lists the DNS servers used for Internet domain name resolution.
/etc/hosts | Lists hosts to be resolved locally (not by DNS).
/etc/nsswitch.conf | Lists the order of host name lookup; typically local files first, then the NIS server, then the DNS server.
/etc/sysconfig/network-scripts/ifcfg-<device> | Specifies the TCP/IP settings of one network interface.
~]# mii-tool - Media Independent Interface tool; checks the link status and speed of the device
~]# system-config-network - to configure the IP address (works in CLI and GUI)
~]# setup - to configure the IP address and DNS (works in CLI and GUI)
~]# ifconfig - to see the IP details
~]# ifdown <Ethernet> - brings the interface down
~]# ifup <Ethernet> - brings the interface up
To Assign a Temporary IP Address
~]# ifconfig <device name> <IP Address> netmask <Netmask> - assigns an IP address temporarily; it is lost after a reboot
~]# route add default gw <Gateway> - sets the temporary default gateway (ifconfig itself does not take a gateway argument)
~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0 - to assign a permanent IP address
~]# vi /etc/hosts - to add a local host entry in this file
~]# hostname <name> - to set a temporary hostname; without an argument it shows the current hostname
Using the NEAT Command
~]# neat - used to assign the IP address in GUI mode (it will not work in CLI)
Double-click on the device name
Nickname: provide the device name
Address: <Enter IP Address>
Subnet mask: <Enter Netmask>
Gateway: <Enter Gateway>
Click on OK
Using the DNS tab you can provide
Hostname: <Enter FQDN>
Primary DNS: <Enter Primary DNS Address>
Secondary DNS: <Enter Secondary DNS Address>
Using neat we can also create virtual network devices.
~]# service network restart - to restart the network service
~]# service network reload - to reload the network configuration settings
~]# service network start/stop - to start and stop the service
Using the Setup Tool
Using the setup command you can configure
1. Authentication configuration
2. Firewall configuration
3. Keyboard configuration
4. Network configuration
5. System services
6. Time zone configuration
7. X configuration
In this topic we are going to talk about Network configuration.
~]# setup - to enter the setup tool
Select Network Configuration and hit Enter (click on Run Tool).
After entering Network configuration you can see all the network devices (Ethernet cards). Select the card whose settings you want to modify and hit Enter.
Provide all the required information such as IP address, netmask and gateway address, then click on OK.
Then restart/reload your network service so that the new configuration changes take effect.
EPEL repository for RHEL 7.x/6.x/5.x and CentOS 7.x/6.x/5.x
EPEL (Extra Packages for Enterprise Linux) is an open source package building project owned and maintained by the Fedora project. All packages created by the EPEL project are of high quality and tested. Installing packages manually in Linux is a time-consuming process, because we have to download every package and its dependencies one by one; with the EPEL repository we can simply install a package using the yum command.
Why we have to use the EPEL repository
1. To resolve dependencies and install them automatically
2. Extra packages are available through EPEL which may not be available with the built-in subscriptions
3. Just install the EPEL RPM and it automatically configures YUM for you
4. Internet access is required to install packages
5. It does not provide duplicate core packages
Requirements to install and configure the EPEL repository
§ Internet access to download the EPEL RPM
§ Internet access to install packages through YUM
§ The wget and rpm commands should be available
§ root user credentials to install and enable the EPEL repo
Installation and Configuration process
The RHEL 7 64-bit EPEL repository installation is below.
Note: an EPEL repository for RHEL 7 32-bit is not available.
[root@TechTutorial ~]# cd /tmp/
[root@TechTutorial tmp]# wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-7.noarch.rpm
--2016-05-19 11:19:14-- http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-7.noarch.rpm
Resolving dl.fedoraproject.org (dl.fedoraproject.org)... 209.132.181.26, 209.132.181.27, 209.132.181.25, ...
Connecting to dl.fedoraproject.org (dl.fedoraproject.org)|209.132.181.26|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14432 (14K) [application/x-rpm]
Saving to: ‘epel-release-7-6.noarch.rpm’
100%[===================================================================================================================================>] 14,432 56.0KB/s in 0.3s
2016-05-19 11:19:15 (56.0 KB/s) - ‘epel-release-7-7.noarch.rpm’ saved [14432/14432]
[root@TechTutorial tmp]# rpm -ivh epel-release-7-7.noarch.rpm
RHEL 6 / Centos 6 64 Bit
[root@TechTutorial]# cd /tmp
[root@TechTutorial tmp]# wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
[root@TechTutorial tmp]# rpm -ivh epel-release-6-8.noarch.rpm
RHEL 6 /Centos 6 32 Bit
[root@TechTutorial]# cd /tmp
[root@TechTutorial]# wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
[root@TechTutorial]# rpm -ivh epel-release-6-8.noarch.rpm
RHEL 5/ Centos 5 32 bit
[root@TechTutorial ]# cd /tmp
[root@TechTutorial tmp]# wget http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
[root@TechTutorial tmp]# rpm -ivh epel-release-5-4.noarch.rpm
RHEL 5/ Centos 5 64 bit
[root@TechTutorial ]# cd /tmp
[root@TechTutorial tmp]# wget http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
[root@TechTutorial tmp]# rpm -ivh epel-release-5-4.noarch.rpm
As soon as you have installed the EPEL RPM it creates a YUM configuration file; its contents are shown below. If you see enabled=1 it means the repository is enabled.
[root@TechTutorial /etc/yum.repos.d]# cat epel.repo
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch/debug
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1
[epel-source]
name=Extra Packages for Enterprise Linux 7 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/7/SRPMS
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1
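An added example (not from the original post) that audits .repo files such as the one above for the settings that decide whether yum verifies what it installs; the sample repository file, including its hypothetical vendor-tools section, is constructed.

```shell
# Added example, not from the original post: audit yum .repo files the way a
# supply-chain review would, flagging any enabled repository that lets yum
# install unverified packages. REPO_SAMPLE is constructed: the epel sections
# from the post plus a hypothetical "vendor-tools" repo carrying the mistakes
# the check is meant to catch.
REPO_SAMPLE='[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[vendor-tools]
name=Hypothetical vendor repository (constructed)
baseurl=http://repo.example.invalid/el7/$basearch
enabled=1
gpgcheck=0
'

# audit_repos FILE: one line per repository. Enabled repos are flagged when
# gpgcheck is missing or not 1, when gpgcheck=1 but no gpgkey is configured,
# or when packages come over plain http (metadata and RPMs could be replaced
# in transit, and only the signature check would catch it). Exit status 1 if
# anything was flagged, so it can gate a kickstart or config-management run.
audit_repos() {
    awk '
        function flush(   before) {
            if (id == "") return
            if (enabled == "0") { print id ": skipped (enabled=0)"; return }
            before = bad
            if (gpgcheck != "1") {
                print id ": WARN gpgcheck=" (gpgcheck == "" ? "missing" : gpgcheck); bad++
            } else if (gpgkey == "") {
                print id ": WARN gpgcheck=1 but no gpgkey to verify against"; bad++
            }
            if (url ~ /^http:\/\//) { print id ": WARN plain-http source " url; bad++ }
            if (bad == before) print id ": ok"
        }
        BEGIN { bad = 0 }
        /^\[.*\]$/ {
            flush()
            id = substr($0, 2, length($0) - 2)
            enabled = "1"; gpgcheck = ""; gpgkey = ""; url = ""   # yum default: enabled unless told otherwise
            next
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                     # comments and blank lines
        {
            i = index($0, "="); if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled") enabled = val
            else if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey") gpgkey = val
            else if (key == "baseurl" || key == "mirrorlist") url = val
        }
        END { flush(); exit (bad > 0 ? 1 : 0) }
    ' "$1"
}

# audit_repo_dir DIR: run the check over every .repo file, as you would over
# /etc/yum.repos.d on a freshly kickstarted host.
audit_repo_dir() {
    rc=0
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        echo "== $f"
        audit_repos "$f" || rc=1
    done
    return $rc
}

# Constructed demo: the sample written to a temp directory and audited.
demo=$(mktemp -d)
printf '%s' "$REPO_SAMPLE" > "$demo/epel.repo"
audit_repo_dir "$demo" || :
```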
Verify that the repository is working:
[root@TechTutorial yum.repos.d]# yum repolist
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
epel/x86_64/metalink | 3.3 kB 00:00:00
epel | 4.3 kB 00:00:00
(1/3): epel/x86_64/group_gz | 170 kB 00:00:01
(2/3): epel/x86_64/updateinfo | 555 kB 00:00:05
(3/3): epel/x86_64/primary_db | 4.1 MB 00:00:10
repo id repo name status
epel/x86_64 Extra Packages for Enterprise Linux 7 - x86_64 10,087
repolist: 10,087
As shown above the EPEL repo is enabled and working fine. If you want to list all the packages of the EPEL repository, use the command below (yum list all on its own lists packages from every enabled repository, so restrict it to EPEL):
# yum --disablerepo="*" --enablerepo="epel" list available
How do I install packages using the EPEL repository?
[root@TechTutorial ~]# yum --enablerepo=epel install nagios
The above command lists all the packages required to install Nagios, then asks for confirmation; if you type Y it downloads the packages and installs them.
That's it, your EPEL repository is ready to use.
NFS Server configuration in RHEL7
§ Network File System (NFS) is a client/server protocol used for sharing files and directories between Linux/Unix systems in either direction. It is a popular distributed filesystem protocol that enables users to mount remote directories on their server, so a remote share can be mounted locally. NFS was developed by Sun Microsystems in 1984.
§ RHEL7 supports NFS versions 3, 4.0 and 4.1 (the latest version).
§ The NFS default port number is 2049.
§ An NFS share can be mounted manually, automatically using AutoFS, or half manually and half automatically.
Features:
1. Centralized management of files
2. Everyone can access the same data
3. Secured with firewalls and Kerberos
4. Reduced storage cost and easy to use
Server Profile:
§ Packages: nfs-utils*
§ Daemon name: nfs-server
§ Port number: 2049
§ Config file path: /etc/exports
NFS server side configuration
§ Install the NFS packages through the yum command.
# yum install nfs-utils
# systemctl enable nfs-server
# systemctl start nfs-server
Enable the firewall ports to communicate with the client
# firewall-cmd --permanent --add-service=nfs
# firewall-cmd --permanent --add-service=mountd
# firewall-cmd --permanent --add-service=rpc-bind
# firewall-cmd --reload
The above commands open the firewall ports from the server to the client; the --reload applies the permanent rules to the running firewall.
Create and configure the NFS share
# mkdir /ravi
# chown nfsnobody:root /ravi
# chmod 770 /ravi
# vim /etc/exports
/ravi 192.168.4.0/24(rw)
Save & Exit (:wq)
# exportfs -avr
That's it from the server side configuration.
Now one question may come to mind: do we need to set an NFS SELinux context on the NFS shares and services? Not required, since the NFS service runs in the kernel_t domain by default.
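Added example, not part of the original post: a linter for /etc/exports that runs over the post's /ravi line plus constructed entries showing the common ways an export ends up wider than intended.

```shell
# Added example, not from the original post: lint /etc/exports before running
# exportfs, flagging the settings that widen an NFS share beyond what the
# post's "/ravi 192.168.4.0/24(rw)" line grants. EXPORTS_SAMPLE is constructed:
# the post's line plus hypothetical entries with the classic mistakes.
EXPORTS_SAMPLE='# constructed sample /etc/exports
/ravi 192.168.4.0/24(rw)
/srv/backup *(rw,no_root_squash)
/srv/pub 192.168.4.0/24(ro,sync) 192.168.5.7(rw,async)
/srv/iso 192.168.4.0/24 (rw)'

# audit_exports FILE: one line per (path, client) pair. Flags:
#   - a client of "*" (or an option group separated from its client by a
#     space, which exports to everyone with those options and leaves the
#     named client with the defaults)
#   - no_root_squash: a remote root keeps uid 0 on the export
#   - insecure: requests accepted from unprivileged source ports
#   - async: the server acknowledges writes before they reach disk
# Exit status 1 when anything was flagged.
audit_exports() {
    awk '
        function warn(msg) { print path " " client ": WARN " msg; bad++ }
        BEGIN { bad = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                spec = $i; before = bad
                if (spec ~ /^\(/) {
                    client = "*"; opts = spec
                    warn("space before " spec ": these options apply to every host, the client before it gets the defaults")
                } else if (index(spec, "(") > 0) {
                    client = substr(spec, 1, index(spec, "(") - 1); opts = substr(spec, index(spec, "("))
                } else {
                    client = spec; opts = ""
                }
                gsub(/[()]/, "", opts); o = "," opts ","
                if (client == "*" || client == "0.0.0.0/0") warn("exported to any host")
                if (o ~ /,no_root_squash,/) warn("no_root_squash: remote root is root on this export")
                if (o ~ /,insecure,/) warn("insecure: accepts requests from unprivileged source ports")
                if (o ~ /,async,/) warn("async: acknowledged writes can be lost on a server crash")
                if (bad == before) print path " " client ": ok (" (opts == "" ? "defaults, ro" : opts) ")"
            }
        }
        END { exit (bad > 0 ? 1 : 0) }
    ' "$1"
}

# Constructed demo: writes the sample to a temp file and lints it. On a real
# host run it against /etc/exports before exportfs -avr.
demo=$(mktemp)
printf '%s\n' "$EXPORTS_SAMPLE" > "$demo"
audit_exports "$demo" || :
```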
Client Side Configuration
Log in to the client machine and try to ping the NFS server machine to confirm that the client can communicate with the NFS server.
# showmount -e NFS-SERVER-IP
# showmount -e 192.168.4.20
This shows the NFS shares exported by the NFS server.
Manually mounting the NFS share using the mount command
# mkdir -p /mnt/nfs
# mount -t nfs -o sync 192.168.4.20:/ravi /mnt/nfs
# df -h
Now you should see a mount point /mnt/nfs.
That's it, a very easy and simple way to configure an NFS server.
Simple way to create and manage samba shares in RHEL 7
We can also call these CIFS (Common Internet File System) shares: sharing directories/folders across the corporate network. To share directories/folders from Linux to Windows and from Windows to Linux we have to use the SMB (Samba) protocol. Samba is not only used for sharing directories; we can also use it for sharing printing services (print server). I will explain in a detailed, simple way how to create and manage Samba shares in RHEL 7.
Server Profile
§ Packages required: samba*
§ Port number: 445
§ Daemon name: smb
§ Config file location: /etc/samba/smb.conf
Advantages
§ Accessing CIFS shares across multiple environments
§ Sharing printers using SMB
§ Mounting Windows CIFS shares on Linux
§ Fully secured shares using user authentication
Steps to configure the Samba server
Install the required packages, start and enable the service, create users and convert them to Samba users, create a new directory and share it using the SMB service, apply the SELinux context and open the firewall ports.
Installation of Samba Server in RHEL 7
[root@ArkIT ~]# yum install samba*
Dependencies Resolved
===============================================================================================================================
Package Arch Version Repository Size
===============================================================================================================================
Installing:
samba x86_64 4.1.12-21.el7_1 arkit 555 k
samba-client x86_64 4.1.12-21.el7_1 arkit 515 k
samba-python x86_64 4.1.12-21.el7_1 arkit 1.9 M
samba-winbind x86_64 4.1.12-21.el7_1 arkit 438 k
samba-winbind-clients x86_64 4.1.12-21.el7_1 arkit 120 k
samba-winbind-modules x86_64 4.1.12-21.el7_1 arkit 100 k
Installing for dependencies:
iniparser x86_64 3.1-5.el7 arkit 14 k
pyldb x86_64 1.1.17-2.el7 arkit 36 k
python-tdb x86_64 1.3.0-1.el7 arkit 15 k
python-tevent x86_64 0.9.21-3.el7 arkit 16 k
Transaction Summary
===============================================================================================================================
Install 6 Packages (+4 Dependent packages)
Enabling and Starting SMB services
To enable SMB and its dependent service NMB, use the commands below
[root@desktop ~]# systemctl enable smb
ln -s '/usr/lib/systemd/system/smb.service' '/etc/systemd/system/multi-user.target.wants/smb.service'
[root@desktop ~]# systemctl enable nmb
ln -s '/usr/lib/systemd/system/nmb.service' '/etc/systemd/system/multi-user.target.wants/nmb.service'
To start the SMB and NMB services, use the commands below
[root@desktop ~]# systemctl start nmb
[root@desktop ~]# systemctl start smb
[root@desktop ~]# systemctl status smb
smb.service - Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled)
Active: active (running) since Thu 2016-05-19 23:13:06 IST; 6s ago
Main PID: 3721 (smbd)
Create Directory and apply SELinux Policy
If SELinux is in enforcing mode, RHEL 7 will not allow the content to be accessed from other servers/clients until the correct SELinux context is applied (the alternative is to keep SELinux in disabled/permissive mode).
Create the directory and check its context before applying the SELinux context
[root@desktop ~]# mkdir /arkit_share
[root@desktop ~]# ls -ldZ /arkit_share
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /arkit_share
After applying the SELinux context
[root@desktop ~]# semanage fcontext -a -t samba_share_t "/arkit_share(/.*)?"
[root@desktop ~]# restorecon -vRF /arkit_share
restorecon reset /arkit_share context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
[root@desktop ~]# ls -ldZ /arkit_share
drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 /arkit_share
As shown above, once the SELinux context is applied to a directory you can see it with the ls -ldZ command. Next, change the directory ownership for the user
[root@desktop ~]# ls -ld /arkit_share/
drwxr-xr-x. 2 root root 6 May 19 23:18 /arkit_share/
[root@desktop ~]# chown arkit:root /arkit_share/
[root@desktop ~]# ls -ld /arkit_share/
drwxr-xr-x. 2 arkit root 6 May 19 23:18 /arkit_share/
Create users and convert them as Samba Users
[root@desktop ~]# useradd arkit -s /sbin/nologin
[root@desktop ~]# smbpasswd -a arkit
New SMB password:
Retype new SMB password:
Added user arkit.
Create a normal user with a non-login shell (restricted shell access), then convert the same user to a Samba user. Below is the command to verify whether the Samba user was created correctly.
[root@desktop ~]# pdbedit -L -v
---------------
Unix username: arkit
NT username:
Account Flags: [U ]
User SID: S-1-5-21-515224089-2640601760-3815168181-1000
Primary Group SID: S-1-5-21-515224089-2640601760-3815168181-513
Full Name:
Home Directory: \\desktop\arkit
HomeDir Drive:
Logon Script:
Profile Path: \\desktop\arkit\profile
Domain: DESKTOP
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 20:36:39 IST
Kickoff time: Wed, 06 Feb 2036 20:36:39 IST
Password last set: Thu, 19 May 2016 23:25:04 IST
Password can change: Thu, 19 May 2016 23:25:04 IST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Configuring samba / CIFS shares
Edit the configuration file /etc/samba/smb.conf to share the directory using the SMB/Samba server.
[root@desktop ~]# vim /etc/samba/smb.conf
[CIFS_Share]
comment = CIFS share for windows clients
path = /arkit_share
browseable = yes
valid users = arkit
writable = yes
Save the file and exit.
[CIFS_Share] - share name
path - the directory you would like to share
valid users - the user(s) to whom we are granting access
writable - grants write permission on the share (the actual directory permissions still take precedence over this setting)
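Added example, not from the original post: a check that every share in smb.conf actually requires authentication, run over a constructed file containing the post's [CIFS_Share] and hypothetical [global], [public_drop] and [printers] sections.

```shell
# Added example, not from the original post: check every share in an smb.conf
# for the "secured using user authentication" property the post relies on.
# SMB_SAMPLE is constructed: the post's [CIFS_Share] plus hypothetical
# [global], [public_drop] and [printers] sections.
SMB_SAMPLE='[global]
workgroup = SAMBA
security = user
map to guest = Bad User

[CIFS_Share]
comment = CIFS share for windows clients
path = /arkit_share
browseable = yes
valid users = arkit
writable = yes

[public_drop]
path = /srv/drop
guest ok = yes
writable = yes

[printers]
path = /var/spool/samba
printable = yes'

# audit_smb_conf FILE: one line per share. Samba keys are case- and
# whitespace-insensitive and have synonyms (writable/writeable/write ok,
# guest ok/public, read only as the inverse), so keys are normalised first.
# Flags: guest access, a share with no "valid users" (any Samba account on
# the host can connect), and a global "map to guest" other than "never"
# (failed logins silently become guest sessions). Exit 1 if anything flagged.
audit_smb_conf() {
    awk '
        function warn(m) { print sec ": WARN " m; bad++ }
        function flush(   before) {
            if (sec == "" || sec == "global") return
            if (printable == "yes") { print sec ": skipped (printer share)"; return }
            before = bad
            if (guest == "yes") warn("guest ok = yes: no authentication required" (rw == "yes" ? " and the share is writable" : ""))
            else if (users == "") warn("no valid users: every Samba account on this host can connect")
            if (bad == before) print sec ": ok (" (rw == "yes" ? "rw" : "ro") " for " users ")"
        }
        BEGIN { bad = 0 }
        /^[ \t]*[;#]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            flush()
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            guest = "no"; users = ""; rw = "no"; printable = "no"   # Samba defaults
            next
        }
        {
            i = index($0, "="); if (i == 0) next
            key = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, i + 1)); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "guestok" || key == "public") guest = val
            else if (key == "validusers") users = val
            else if (key == "writable" || key == "writeable" || key == "writeok") rw = val
            else if (key == "readonly") rw = (val == "no") ? "yes" : "no"
            else if (key == "printable") printable = val
            else if (sec == "global" && key == "maptoguest" && val != "never") {
                print "global: WARN map to guest = " val ": failed logins fall back to a guest session"; bad++
            }
        }
        END { flush(); exit (bad > 0 ? 1 : 0) }
    ' "$1"
}

# Constructed demo: lint the sample from a temp file. On a real host run it
# against /etc/samba/smb.conf after testparm has accepted the syntax.
demo=$(mktemp)
printf '%s\n' "$SMB_SAMPLE" > "$demo"
audit_smb_conf "$demo" || :
```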
Enabling Firewall to access from Client
[root@desktop ~]# firewall-cmd --permanent --add-service=samba
success
[root@desktop ~]# firewall-cmd --reload
success
Restart the Samba service to reflect changes
[root@desktop ~]# systemctl restart smb.service
[root@desktop ~]# systemctl restart nmb.service
[root@desktop ~]# systemctl status smb.service
smb.service - Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled)
Active: active (running) since Thu 2016-05-19 23:42:28 IST; 17s ago
Main PID: 4612 (smbd)
Accessing the SMB/CIFS share from the client side
Install required packages to access SMB share from Linux client
[root@ArkIT ~]# yum install cifs-utils
Loaded plugins: langpacks
ARKIT.CO.IN | 4.1 kB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package cifs-utils.x86_64 0:6.2-7.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===================================================================================================================
Package Arch Version Repository Size
===================================================================================================================
Installing:
cifs-utils x86_64 6.2-7.el7 ARKIT.CO.IN 84 k
Transaction Summary
===================================================================================================================
Install 1 Package
Total download size: 84 k
Installed size: 174 k
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : cifs-utils-6.2-7.el7.x86_64 1/1
Verifying : cifs-utils-6.2-7.el7.x86_64 1/1
Installed:
cifs-utils.x86_64 0:6.2-7.el7
Complete!
Create a directory for the mount point
# mkdir /cifs
[root@ArkIT ~]# mount -t cifs -o username=arkit //192.168.4.21/CIFS_Share /cifs/
Password for arkit@//192.168.4.21/CIFS_Share: ******
That's it about the simple way to create and manage Samba shares in RHEL 7. In the next article we will see how to auto-mount a CIFS/SMB share by adding an entry to the /etc/fstab file.
Installation and configuration of an FTP server in RHEL 7
File Transfer Protocol (FTP) is the most popular way to transfer files from one machine to another across a network in a heterogeneous environment. NFS (Network File System), for example, has the restriction that it cannot be accessed from other platforms such as Windows. An FTP server has no such restriction: it can be accessed from Linux, Windows or OS X. Let's see the installation and configuration of an FTP server in RHEL 7.
§ Whenever the vsftpd package is installed, an ftp user is created.
§ The ftp user's home directory is set to /var/ftp, which is ftp's document root path.
§ vsftpd has been very popular because it is very fast.
§ It is a lightweight FTP server and very easy to configure.
Server profile:
Packages : vsftpd
Daemon : vsftpd
Port Numbers : 20, 21
Config file path : /etc/vsftpd/vsftpd.conf
Features:
1. It is very secure and fast
2. Bandwidth throttling
3. IPv6 ready
4. Encryption support through SSL integration
5. Virtual IP configurations
6. Virtual users
7. Per-user configuration
8. Per-source-IP configuration and limits
Installation and Configuration of the FTP server in RHEL 7
Before installing the vsftpd packages, ensure that the server has access to the Internet. If it doesn't, configure a local YUM repository for the vsftpd package installation.
Install vsftpd with the yum command
[root@Tech Tutorials ~]# yum install -y vsftpd*
Edit the configuration file. /etc/vsftpd/vsftpd.conf is the main configuration file of the FTP server.
[root@Tech Tutorials ~]# vi /etc/vsftpd/vsftpd.conf
#Disable anonymous user Access to secure FTP server
anonymous_enable=NO
Allow local users to login in vsftpd.
local_enable=YES
Enable write access to local users.
write_enable=YES
Uncomment the line chroot_local_user
chroot_local_user=YES
Enable writable chroot.
allow_writeable_chroot=YES
:wq
Restart and enable the vsftpd service
[root@Tech Tutorials~]# systemctl restart vsftpd.service
[root@Tech Tutorials~]# systemctl enable vsftpd.service
Create a firewall rule to allow the FTP ports
Now we need to allow the default FTP ports 20 and 21 through the firewall.
[root@Tech Tutorials~]# firewall-cmd --permanent --zone=public --add-port=21/tcp
[root@Tech Tutorials~]# firewall-cmd --permanent --zone=public --add-port=20/tcp
[root@Tech Tutorials~]# firewall-cmd --reload
Apply the SELinux context to the ftp directory and enable write permission on it.
[root@Tech Tutorials~]# semanage fcontext -a -t public_content_rw_t "/var/ftp/pub(/.*)?"
[root@Tech Tutorials~]# restorecon -R /var/ftp/pub
[root@Tech Tutorials~]# setsebool -P ftpd_anon_write on
(the boolean accepts either 1 or on as its value)
Edit the configuration file to enable file uploads.
[root@Tech Tutorials~]# vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES   <-- uncomment this line
:wq!
[root@Tech Tutorials~]# systemctl restart vsftpd
[root@Tech Tutorials~]# chown ftp /var/ftp/pub
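Added example, not part of the original post: a consistency check for the vsftpd.conf settings the steps above produce (the sample file is constructed from them), which shows that the anonymous upload setting does nothing while anonymous_enable=NO and that allow_writeable_chroot removes a vsftpd safeguard.

```shell
# Added example, not from the original post: a consistency check for
# vsftpd.conf that reads the settings the way vsftpd does (case-insensitive
# YES/NO/TRUE/FALSE/1/0, compiled-in defaults for anything not set) and
# reports combinations that cancel each other out or remove a safeguard.
# VSFTPD_SAMPLE is constructed from the settings the post ends up with.
VSFTPD_SAMPLE='# Disable anonymous user access
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
anon_upload_enable=YES'

# audit_vsftpd FILE: prints NOTE/WARN lines, or "ok"; exit 1 if any WARN.
audit_vsftpd() {
    awk '
        function norm(v) {
            v = toupper(v)
            if (v == "TRUE" || v == "1") return "YES"
            if (v == "FALSE" || v == "0") return "NO"
            return v
        }
        function warn(m) { print "WARN " m; bad++ }
        BEGIN { bad = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            i = index($0, "="); if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            cfg[key] = norm(val)
        }
        END {
            # vsftpd defaults (vsftpd.conf(5)) for the keys this check reads
            split("anonymous_enable=YES local_enable=NO chroot_local_user=NO allow_writeable_chroot=NO anon_upload_enable=NO ssl_enable=NO", defs, " ")
            for (d in defs) { split(defs[d], kv, "="); if (!(kv[1] in cfg)) cfg[kv[1]] = kv[2] }
            anon = cfg["anonymous_enable"]; up = cfg["anon_upload_enable"]
            if (anon == "YES" && up == "YES")
                warn("anonymous users may upload files")
            if (anon == "NO" && up == "YES")
                print "NOTE anon_upload_enable=YES has no effect while anonymous_enable=NO"
            if (cfg["local_enable"] == "YES" && cfg["chroot_local_user"] != "YES")
                warn("local users are not chrooted and can browse the whole filesystem")
            if (cfg["chroot_local_user"] == "YES" && cfg["allow_writeable_chroot"] == "YES")
                warn("allow_writeable_chroot=YES overrides the refusal of vsftpd to run with a writable chroot root; keep the root read-only and write into a subdirectory instead")
            if (cfg["ssl_enable"] != "YES")
                warn("ssl_enable is off: passwords and file contents cross the network in clear text")
            if (bad == 0) print "ok"
            exit (bad > 0 ? 1 : 0)
        }
    ' "$1"
}

# Constructed demo: the sample written to a temp file and checked.
demo=$(mktemp)
printf '%s\n' "$VSFTPD_SAMPLE" > "$demo"
audit_vsftpd "$demo" || :
```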
Client Side configuration
Install the ftp package through the yum command
[root@Client ~]# yum install ftp
Test the FTP server by downloading files.
[root@Client ~]# ftp ftp.server.com
ftp> ls
ftp> cd pub
ftp> get file1
ftp> !ls
ftp> bye
To test uploading files to the FTP server
[root@Client ~]# ftp ftp.server.com
ftp> cd pub
ftp> ls
ftp> !ls
ftp> put file1
ftp> bye
Web server installation and configuration step by step guide
Apache web server installation and configuration step by step guide in RHEL 7 and CentOS 7.
A web server is used to host websites using the httpd service.
Why was the name Apache chosen for this software?
This software was given the name APACHE because it started as a group of patches bundled together and used as software to run a web server, and from the Native American nations group: Native American people are called Apache men. As shown in the figure below, he is an Apache man from the Native American group of people.
Now if you observe the picture above carefully, he is wearing a cap with the picture shown below; that is where the Apache name for this software is confirmed.
Prerequisites
2. Web browser to access the web server
Server profile
Package Name: httpd*
Daemon Name: httpd
Config File: /etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/ANYNAME.conf
Port Numbers: 80 (HTTP) and 443 (HTTPS)
Web server installation process
[root@ArkIT ~]# yum install httpd*
Transaction Summary
===============================================================================================================================================================================================================
Install 4 Packages (+9 Dependent packages)
Total download size: 4.4 M
Installed size: 16 M
Is this ok [y/d/N]: y
Downloading packages:
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 30 MB/s | 4.4 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : apr-1.4.8-3.el7.x86_64 1/13
Installing : apr-util-1.5.2-6.el7.x86_64 2/13
Installing : apr-devel-1.4.8-3.el7.x86_64 3/13
Installing : httpd-tools-2.4.6-31.el7.x86_64 4/13
Installing : cyrus-sasl-devel-2.1.26-17.el7.x86_64 5/13
Installing : openldap-devel-2.4.39-6.el7.x86_64 6/13
Installing : libdb-devel-5.3.21-17.el7_0.1.x86_64 7/13
Installing : expat-devel-2.1.0-8.el7.x86_64 8/13
Installing : apr-util-devel-1.5.2-6.el7.x86_64 9/13
Installing : mailcap-2.1.41-2.el7.noarch 10/13
Installing : httpd-2.4.6-31.el7.x86_64 11/13
Installing : httpd-devel-2.4.6-31.el7.x86_64 12/13
Installing : httpd-manual-2.4.6-31.el7.noarch 13/13
Verifying : openldap-devel-2.4.39-6.el7.x86_64 1/13
Verifying : apr-1.4.8-3.el7.x86_64 2/13
Verifying : mailcap-2.1.41-2.el7.noarch 3/13
Verifying : httpd-2.4.6-31.el7.x86_64 4/13
Verifying : apr-devel-1.4.8-3.el7.x86_64 5/13
Verifying : apr-util-1.5.2-6.el7.x86_64 6/13
Verifying : expat-devel-2.1.0-8.el7.x86_64 7/13
Verifying : httpd-tools-2.4.6-31.el7.x86_64 8/13
Verifying : libdb-devel-5.3.21-17.el7_0.1.x86_64 9/13
Verifying : cyrus-sasl-devel-2.1.26-17.el7.x86_64 10/13
Verifying : httpd-devel-2.4.6-31.el7.x86_64 11/13
Verifying : apr-util-devel-1.5.2-6.el7.x86_64 12/13
Verifying : httpd-manual-2.4.6-31.el7.noarch 13/13
Installed:
httpd.x86_64 0:2.4.6-31.el7 httpd-devel.x86_64 0:2.4.6-31.el7 httpd-manual.noarch 0:2.4.6-31.el7 httpd-tools.x86_64 0:2.4.6-31.el7
Dependency Installed:
apr.x86_64 0:1.4.8-3.el7 apr-devel.x86_64 0:1.4.8-3.el7 apr-util.x86_64 0:1.5.2-6.el7 apr-util-devel.x86_64 0:1.5.2-6.el7 cyrus-sasl-devel.x86_64 0:2.1.26-17.el7
expat-devel.x86_64 0:2.1.0-8.el7 libdb-devel.x86_64 0:5.3.21-17.el7_0.1 mailcap.noarch 0:2.1.41-2.el7 openldap-devel.x86_64 0:2.4.39-6.el7
Complete!
The output above lists the packages required to install httpd and its dependencies.
Enable and Start the Service
[root@ArkIT ~]# systemctl enable httpd.service
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
[root@ArkIT ~]# systemctl start httpd.service
[root@ArkIT ~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
Active: active (running) since Sun 2016-05-15 21:13:29 IST; 11s ago
service enable - whenever you restart the server, the service starts automatically
service start - starts the service now
As per the above commands the web server is installed and started
Allow firewall ports to communicate with
clients
[root@ArkIT ~]# firewall-cmd --permanent --add-service=http
success
[root@ArkIT ~]# firewall-cmd --permanent --add-service=https
success
[root@ArkIT ~]# firewall-cmd --reload
success
The default web server ports are 80 for HTTP and 443 for HTTPS.
In RHEL 7 and CentOS 7, instead of port numbers we can directly mention the service, which automatically opens its related default port.
If you would like to mention the port, use the commands below
[root@ArkIT ~]# firewall-cmd --permanent --add-port=80/tcp
success
[root@ArkIT ~]# firewall-cmd --permanent --add-port=80/udp
success
[root@ArkIT ~]# firewall-cmd --permanent --add-port=443/tcp
success
[root@ArkIT ~]# firewall-cmd --permanent --add-port=443/udp
success
[root@ArkIT ~]# firewall-cmd --reload
success
Configuring the web server
Create a file with any name, but with the .conf extension, under /etc/httpd/conf.d/ (the server reads /etc/httpd/conf.d/*.conf).
In this case I am going to use main.conf as the configuration file
[root@ArkIT ~]# cat /etc/httpd/conf.d/main.conf
<VirtualHost *:80>
ServerAdmin root@arkit.co.in
ServerName server1.arkit.co.in
DocumentRoot /var/www/html/
</VirtualHost>
<Directory "/var/www/html/">
AllowOverride none
Require all granted
</Directory>
[root@ArkIT ~]# vim /etc/httpd/conf.d/main.conf
[root@ArkIT ~]# systemctl restart httpd.service
[root@ArkIT ~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
Active: active (running) since Sun 2016-05-15 21:43:00 IST; 8s ago
Check the configuration if you run into any problems
[root@ArkIT ~]# apachectl configtest
Syntax OK
Create an HTML file for testing
Go to /var/www/html/, create an index.html file and write some HTML code or some text to test your website
[root@ArkIT ~]# vim /var/www/html/index.html
[root@ArkIT ~]# cat /var/www/html/index.html
Web Server Test File
Client side
You created the test file above with some text in it. Now go to the client machine and type the server IP/name in the browser to test whether your web server is working.
That's it about Apache / HTTP service installation and configuration.
Mail Server using Postfix, Dovecot and SquirrelMail in
CentOS/RHEL/Scientific Linux 6.3 step by step guide
Before installing Postfix, remove sendmail from the server, because sendmail is the default MTA in Red Hat/CentOS.
[root@server ~]# yum remove sendmail
Prerequisites:
The mail server should have a valid MX record in the DNS server (how to set up a DNS server is covered in a separate guide).
Firewall and SELinux should be disabled.
[root@server ~]# service iptables stop
[root@server ~]# service ip6tables stop
[root@server ~]# chkconfig iptables off
[root@server ~]# chkconfig ip6tables off
[root@server ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Reboot the server.
Scenario
In this tutorial my test box
Hostname = server.arkit.co.in
IP Address = 192.168.1.200/24
And my server is configured with proper MX record in DNS server.
Installation
Postfix is installed by default. If it is not installed, use the below command to install postfix.
[root@server ~]# yum install postfix
Configuration
Open the postfix config file /etc/postfix/main.cf. Find the below lines and edit them as shown below.
[root@server ~]# vi /etc/postfix/main.cf
myhostname = server.arkit.co.in ##line no 75 - uncomment and enter your host name
mydomain = arkit.co.in ##line no 83 - uncomment and enter your domain name
myorigin = $mydomain ##line no 99 - uncomment
inet_interfaces = all ##line no 116 - change to all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain ##line no 164 - add $domain at the end
mynetworks = 192.168.1.0/24, 127.0.0.0/8 ##line no 264 - uncomment and add your network range
home_mailbox = Maildir/ ##line no 419 - uncomment
Start the postfix service.
[root@server ~]# service postfix start
Starting postfix: [ OK ]
[root@server ~]# chkconfig postfix on
Test Postfix
The lines without a numeric response code are the ones the user types; every line starting with a three-digit code is the server's reply.
Note: the lone dot after the test line is important, since it terminates the message body.
[root@server ~]# telnet localhost smtp
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 server.arkit.co.in ESMTP Postfix
ehlo localhost
250-server.arkit.co.in
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<user1>
250 2.1.0 Ok
rcpt to:<user1>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
test
.
250 2.0.0 Ok: queued as 117113FF18
quit
221 2.0.0 Bye
Connection closed by foreign host.
Check Mail
Navigate to the user mail directory and check for the new mail.
[root@server ~]# cd /home/user1/Maildir/new/
[root@server new]# ls
1360236956.Vfd00I35afM181256.server.arkit.co.in
[root@server new]# cat 1360236956.Vfd00I35afM181256.server.arkit.co.in
Return-Path: <user1@arkit.co.in>
X-Original-To: user1
Delivered-To: user1@arkit.co.in
Received: from localhost (localhost [IPv6:::1])
by server.arkit.co.in (Postfix) with ESMTP id 117113FF18
for <user1>; Thu, 7 Feb 2013 17:05:32 +0530 (IST)
Message-Id: <20130207113547.117113FF18@server.arkit.co.in>
Date: Thu, 7 Feb 2013 17:05:32 +0530 (IST)
From: user1@arkit.co.in
To: undisclosed-recipients:;
test
That's it. Postfix is working now.
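Added example, not part of the original post: decoding the Maildir file name in the listing above. The name layout (delivery epoch, V<device hex>I<inode hex>M<microseconds>, delivering host, optional :2,<flags> suffix in cur/) is assumed from that listing; the cur/ path used in the demo is constructed.

```shell
# Added example, not part of the original post: pull the facts out of a Maildir
# file name such as the one listed above. The name layout is assumed from that
# listing: <delivery epoch>.V<device hex>I<inode hex>M<microseconds>.<host>,
# with ":2,<flags>" appended once the reader moves the file to cur/.
# Useful when reconstructing a delivery timeline from disk alone.

# maildir_fields NAME -> "epoch dev_hex inode_hex usec host flags" (flags is
# "-" when absent). Returns 1 when NAME does not fit the layout.
maildir_fields() {
    name=${1##*/}                         # drop any leading directory
    flags=${name##*:2,}
    [ "$flags" = "$name" ] && flags=-     # no ":2," suffix -> no flags
    name=${name%%:*}
    epoch=${name%%.*}; rest=${name#*.}
    unique=${rest%%.*}; host=${rest#*.}
    case "$epoch" in ''|*[!0-9]*) return 1 ;; esac
    case "$unique" in V*I*M*) ;; *) return 1 ;; esac
    [ "$host" != "$rest" ] || return 1    # no host part after the unique part
    u=${unique#V}; dev=${u%%I*}; u=${u#*I}; ino=${u%%M*}; usec=${u#*M}
    echo "$epoch $dev $ino $usec $host $flags"
}

# maildir_device HEX -> "major:minor" using the Linux dev_t layout
# (major in bits 8-19, minor in bits 0-7 and 20-31). fd00 -> 253:0, i.e. dm-0.
maildir_device() {
    d=$(printf '%d' "0x$1") || return 1
    echo "$(( (d >> 8) & 4095 )):$(( (d & 255) | ((d >> 12) & 1044480) ))"
}

# epoch_to_utc SECONDS -> "YYYY-MM-DD HH:MM:SS UTC", computed in awk so the
# result does not depend on the local timezone or on GNU date.
epoch_to_utc() {
    awk -v t="$1" 'BEGIN {
        days = int(t / 86400); s = t - days * 86400
        z = days + 719468                      # days since 0000-03-01
        era = int(z / 146097); doe = z - era * 146097
        yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
        doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
        mp = int((5 * doy + 2) / 153)
        d = doy - int((153 * mp + 2) / 5) + 1
        m = mp < 10 ? mp + 3 : mp - 9
        y = yoe + era * 400 + (m <= 2)
        printf "%04d-%02d-%02d %02d:%02d:%02d UTC\n", y, m, d, int(s / 3600), int(s % 3600 / 60), s % 60 }'
}

# decode_maildir_name NAME: human-readable summary of all of the above.
decode_maildir_name() {
    fields=$(maildir_fields "$1") || return 1
    set -- $fields
    echo "delivered: $(epoch_to_utc "$1") (epoch $1.$4)"
    echo "device:    0x$2 ($(maildir_device "$2"))"
    echo "inode:     $(printf '%d' "0x$3") (0x$3)"
    echo "host:      $5"
    echo "flags:     $6"
}

# The file from the listing above, and the same file after an IMAP client
# has read it and Dovecot moved it to cur/ (constructed path).
decode_maildir_name 1360236956.Vfd00I35afM181256.server.arkit.co.in
decode_maildir_name /home/user1/Maildir/cur/1360236956.Vfd00I35afM181256.server.arkit.co.in:2,S
```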
Install Dovecot
[root@server ~]# yum install dovecot
Configure Dovecot
Open the dovecot config file /etc/dovecot/dovecot.conf. Find and uncomment the line as shown below.
[root@server ~]# vi /etc/dovecot/dovecot.conf
protocols = imap pop3 lmtp
Open the file /etc/dovecot/conf.d/10-mail.conf and uncomment the line as shown below.
[root@server ~]# vi /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir ##line no 24 - uncomment
Open the /etc/dovecot/conf.d/10-auth.conf and edit as shown below.
[root@server ~]# vi /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = no ##line no 9 - uncomment and change from yes to no.
auth_mechanisms = plain login ##line no 97 - add the text "login"
Setting disable_plaintext_auth = no lets clients send their password in the clear over an unencrypted IMAP or POP3 connection from anywhere. It is only needed for remote clients that talk plaintext: Dovecot treats connections from the host's own address as secure, so the localhost telnet test below and SquirrelMail on the same box already work with the default of yes. On a server that other hosts can reach, keep the default and serve IMAP and POP3 over TLS, so that PLAIN and LOGIN are only accepted inside an encrypted session.
Open the /etc/dovecot/conf.d/10-master.conf and edit as shown below.
unix_listener auth-userdb {
#mode = 0600
user = postfix ##line no 83 - uncomment and enter postfix
group = postfix ##line no 84 - uncomment and enter postfix
Start the dovecot service.
[root@server ~]# service dovecot start
Starting Dovecot Imap: [ OK ]
[root@server ~]# chkconfig dovecot on
Test Dovecot
In the transcript below, the lines that do not begin with +OK (user, pass, list, retr and quit) are typed by the user. The password crosses the connection in clear text, which is why plaintext authentication is only acceptable on localhost or inside TLS.
[root@server ~]# telnet localhost pop3
Trying ::1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
user user1
+OK
pass user1
+OK Logged in.
list
+OK 1 messages:
1 428
.
retr 1
+OK 428 octets
Return-Path: <user1@arkit.co.in>
X-Original-To: user1
Delivered-To: user1@arkit.co.in
Received: from localhost (localhost [IPv6:::1])
by server.arkit.co.in (Postfix) with ESMTP id 117113FF18
for <user1>; Thu, 7 Feb 2013 17:05:32 +0530 (IST)
Message-Id: <20130207113547.117113FF18@server.arkit.co.in>
Date: Thu, 7 Feb 2013 17:05:32 +0530 (IST)
From: user1@arkit.co.in
To: undisclosed-recipients:;
test
.
quit
+OK Logging out.
Connection closed by foreign host.
[root@server ~]#
Dovecot is working now.
Install Squirrelmail
Install the EPEL repository first, then install the SquirrelMail package from it. The epel-release package carries the EPEL signing key and a repo file with gpgcheck=1, so packages installed from EPEL afterwards are signature-checked by yum.
[root@server ~]# wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
[root@server ~]# rpm -ivh epel-release-6-8.noarch.rpm
[root@server ~]# yum install squirrelmail
[root@server ~]# service httpd start
Starting httpd: [ OK ]
[root@server ~]# chkconfig httpd on
[root@server ~]#
Configure Squirrelmail
Go to the SquirrelMail config directory and run ./conf.pl to start the configuration, as shown below.
[root@server ~]# cd /usr/share/squirrelmail/config/
[root@server config]# ./conf.pl
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color off
S Save data
Q Quit
Command >>1
Select option 1 and set organization details.
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Organization Preferences
1. Organization Name : arkit
2. Organization Logo : ../images/sm_logo.png
3. Org. Logo Width/Height : (308/111)
4. Organization Title : Welcome to arkit webmail
5. Signout Page :
6. Top Frame : _top
7. Provider link : http://arkit.co.in
8. Provider name : arkit
R Return to Main Menu
C Turn color off
S Save data
Q Quit
Command >>R
Press R to return to the main menu and select option 2. Enter your domain name and leave Sendmail or SMTP set to SMTP. The IMAP server type is chosen with option A here or with D on the main menu (pre-defined settings for specific IMAP servers); pick dovecot there, since the transcript below still shows the default (uw).
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Server Settings General
-------
1. Domain : arkit.co.in
2. Invert Time : false
3. Sendmail or SMTP : SMTP
A. Update IMAP Settings : localhost:143 (uw)
B. Update SMTP Settings : localhost:25
R Return to Main Menu
C Turn color off
S Save data
Q Quit
Command >> S
Once done, press S to save and Q to exit.
Add the following lines at the end of httpd.conf. Two of them deserve a second look before the server faces a real network: Options Indexes turns on directory listings under /usr/share/squirrelmail (drop Indexes; the application does not need it), and Allow from all exposes the login form to every client over plain http, so webmail passwords travel in clear text unless you serve the site over https or restrict the Directory block to your LAN.
[root@server ~]# vi /etc/httpd/conf/httpd.conf
Alias /squirrelmail /usr/share/squirrelmail
<Directory /usr/share/squirrelmail>
Options Indexes FollowSymLinks
RewriteEngine On
AllowOverride All
DirectoryIndex index.php
Order allow,deny
Allow from all
</Directory>
Restart the httpd service.
[root@server ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@server ~]#
Create Users
[root@server ~]# useradd user1
[root@server ~]# useradd user2
[root@server ~]# passwd user1
[root@server ~]# passwd user2
Open a browser on any client and enter one of the following in the address bar. The EPEL package also installs /etc/httpd/conf.d/squirrelmail.conf, which maps /webmail to the same directory, so /webmail and the /squirrelmail alias added above both work.
http://serveripaddress/webmail
or
http://yourdomainname/webmail
DHCP
LDAP client configuration with autofs home directories
LDAP client configuration
First install the required packages. This article shows how to configure the LDAP client from both the CLI and the GUI.
[root@ldapclient1 ~]# yum install -y openldap-clients nss-pam-ldapd sssd authconfig-gtk
[root@ldapclient1 ~]# yum install nfs-utils rpcbind autofs
Using GUI mode
After installing the packages above, run the command “system-config-authentication”.
Using CLI mode
Run the command “authconfig-tui”.
Select [*] Use LDAP
Select [*] Use LDAP Authentication
Click Next
Enter your LDAP server URI and base DN (for the server built later on this page: the ark-ldapserver host and dc=arkit,dc=co.in) and tick Use TLS, so that user passwords are not sent to the directory in clear text; with the self-signed certificate from that section, the server certificate itself serves as the CA certificate the client needs. Click OK. The screenshot of this dialog is not reproduced here.
verify the ldap user information using below command
[root@ldapclient1 ~]# getent passwd ldapuser1
ldapuser1:*:1001:1001:ldapuser1:/home/ldapuser1:/bin/bash
As shown below, ldapuser1 resolves but has no home directory on the client yet:
[root@ldapclient1 ~]# su - ldapuser1
su: warning: cannot change directory to /home/ldapuser1: No such file or directory
-bash-4.2$
Now mount the user home directories over NFS using autofs.
Edit the autofs master configuration file and add an entry for /home:
[root@ldapclient1 ~]# vim /etc/auto.master
#
# Sample auto.master file
# This is a 'master' automounter map and it has the following format:
# mount-point [map-type[,format]:]map [options]
# For details of the format look at auto.master(5).
#
/misc /etc/auto.misc
/home /etc/auto.ldapuser
Now create /etc/auto.ldapuser, the map file named above, with one wildcard entry. The key * matches whatever directory name is requested under /home and & is replaced by that same name, so a login as ldapuser1 mounts 192.168.4.15:/home/ldapuser1 on /home/ldapuser1 on demand. Because autofs takes over /home, the client's own local home directories under /home are hidden while the service runs; on a client that also has local users, mount the LDAP homes on a separate directory and set the users' homeDirectory attributes to match.
[root@ldapclient1 ~]# cat /etc/auto.ldapuser
* -rw 192.168.4.15:/home/&
Now restart autofs service
[root@ldapclient1 ~]# systemctl restart autofs
[root@ldapclient1 ~]# systemctl enable autofs
ln -s '/usr/lib/systemd/system/autofs.service' '/etc/systemd/system/multi-user.target.wants/autofs.service'
Log in as an LDAP user and verify that the home directory is mounted automatically:
[root@ldapclient1 ~]# su - ldapuser1
Last login: Sun Mar 20 00:02:00 IST 2016 on pts/0
[ldapuser1@ldapclient1 ~]$
That's it, your LDAP client is configured with autofs-mounted home directories.
openLDAP server installation and configuration step by step – RHEL7
LDAP (Lightweight Directory Access Protocol) is a directory service protocol that runs over TCP/IP. It provides a mechanism to connect to, search and modify directories, and openLDAP is its most widely deployed open-source server. The directory service is based on a client-server model.
openLDAP is used for centralised user management. Instead of creating users and their profiles on each and every server, we create them once on the LDAP server and every LDAP client machine looks them up there.
Few advantages of openLDAP
§ Global naming model ensures unique entries
§ Allows for multiple independent directories
§ Extensible to meet future/local requirements
§ Runs directly over TCP/IP and SSL
§ Has broad industry support
§ Based on existing deployed technologies
§ Schema definitions
§ Schema publication
§ Security features
§ Extended operation framework
§ Dynamic and paged search extensions
This tutorial explains how to install and configure an openLDAP server, and how to auto-mount user home directories with NFS and autofs.
Follow the steps in order and adapt the values to your environment.
Let's start the configuration.
Requirements: RHEL7/CentOS 7; a minimal installation or a GUI installation is enough.
Tested on CentOS 7, RHEL7, RHEL7.1 and RHEL7.2.
Server Profile :-
§ Packages: openldap, migrationtools
§ Port Numbers: 389 (ldap), 636 (ldaps)
Step 1: Installing LDAP packages using yum
[root@ark-ldapserver ~]# yum -y install *openldap* migrationtools
generating LDAP admin password
[root@ark-ldapserver ~]# slappasswd
New password:
Re-enter new password:
{SSHA}KczPx+72Gz5W4Tv58EgT8beoPsuxkekO
As shown above, slappasswd prints a salted SHA-1 hash of the password you typed (the {SSHA} prefix names the scheme). It is a one-way hash, not an encrypted copy: the directory can verify the password against it but never recover it. Copy the {SSHA} string and keep it safe; it is used in the next step as the rootdn password.
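What slappasswd produced, as an added Python example for this page (not part of the tutorial or of OpenLDAP): the {SSHA} string is the base64 of sha1(password + salt) followed by the 4-byte salt, so anyone holding the config file can test guesses against it but cannot read the password back. The script splits the hash printed above to show that layout, and demonstrates hashing and constant-time verification with a password constructed in the script itself (the plaintext behind the page's hash is unknown here).

```python
"""What slappasswd writes: a salted SHA-1 ({SSHA}) password hash.

Added example for this page, not part of the tutorial or of OpenLDAP.
PAGE_HASH is the value printed by slappasswd above; its plaintext is not
known here, so hashing and verification are demonstrated with a password
constructed in this script.
"""
import base64
import hashlib
import hmac
import os

PAGE_HASH = "{SSHA}KczPx+72Gz5W4Tv58EgT8beoPsuxkekO"  # copied from the page
_PREFIX = "{SSHA}"
_DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def ssha_split(stored):
    """Return (digest, salt) from a {SSHA} string.

    The base64 payload is sha1(password + salt) followed by the salt;
    slappasswd uses a 4-byte salt, so the payload is 24 bytes.
    """
    if not stored.startswith(_PREFIX):
        raise ValueError("not an {SSHA} hash: %r" % stored)
    payload = base64.b64decode(stored[len(_PREFIX):])
    if len(payload) <= _DIGEST_LEN:
        raise ValueError("payload too short to hold a digest and a salt")
    return payload[:_DIGEST_LEN], payload[_DIGEST_LEN:]


def ssha_hash(password, salt=None):
    """Build a hash in the form slappasswd produces; the salt is random unless given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return _PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value (constant-time compare)."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    digest, salt = ssha_split(PAGE_HASH)
    print("page hash: %d-byte digest, %d-byte salt (%s)"
          % (len(digest), len(salt), salt.hex()))
    stored = ssha_hash("changeme")  # constructed password, fresh random salt
    print(stored)
    print("verify correct password:", ssha_verify("changeme", stored))
    print("verify wrong password:  ", ssha_verify("changemf", stored))
    print("same password, other salt differs:",
          ssha_hash("changeme") != stored)
```

Because {SSHA} is a single round of SHA-1 it is fast to attack offline, so treat /etc/openldap/slapd.d as sensitive (by default it is readable only by root and the ldap user). For user passwords, OpenLDAP can be told to store the slower crypt(3) SHA-512 scheme instead by setting olcPasswordHash: {CRYPT} together with olcPasswordCryptSaltFormat: "$6$%.16s" in cn=config.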
Add the generated hash to the file below and change olcSuffix, olcRootDN and olcRootPW, and add the certificate and key file locations, as shown (the olcSuffix, olcRootDN, olcRootPW, olcTLSCertificateFile and olcTLSCertificateKeyFile lines are the ones to modify). The file's own header says it is auto-generated and should be changed with ldapmodify; editing it by hand as this tutorial does only works while slapd is stopped, and it is what produces the checksum warnings seen in the slaptest step below. The supported alternative is to put the same attributes in an LDIF and apply it with ldapmodify -Y EXTERNAL -H ldapi:/// against the running server.
[root@ark-ldapserver ~]# cd /etc/openldap/slapd.d/cn\=config/
[root@ark-ldapserver cn=config]# vi olcDatabase\=\{2\}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 5514a54b
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=arkit,dc=co.in
olcRootDN: cn=Manager,dc=arkit,dc=co.in
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 7ffd78be-8216-1035-9daa-e3230d8ea492
creatorsName: cn=config
createTimestamp: 20160319120438Z
entryCSN: 20160319120438.887404Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20160319120438Z
olcRootPW: {SSHA}KczPx+72Gz5W4Tv58EgT8beoPsuxkekO
olcTLSCertificateFile: /etc/pki/tls/certs/arkitldap.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/arkitkey.pem
Now edit the file olcDatabase={1}monitor.ldif and change dc=my-domain,dc=com in the olcAccess line to your domain, as shown below:
[root@ark-ldapserver cn=config]# vi olcDatabase\=\{1\}monitor.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 3eb2863a
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth" read by dn.base="cn=Manager,dc=arkit,dc=co.in" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 7ffd68a6-8216-1035-9da9-e3230d8ea492
creatorsName: cn=config
createTimestamp: 20160319120438Z
entryCSN: 20160319120438.886990Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20160319120438Z
Test your LDAP configuration with the command below. The checksum errors are expected after editing the files by hand (the CRC32 in each file's header no longer matches); slapd still loads the files, and the final line is what matters.
[root@ark-ldapserver cn=config]# slaptest -u
56ed4143 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
56ed4143 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded
Step 2: Start LDAP server slapd.service
Use the commands below to enable the service to start at boot and to start it now:
[root@ark-ldapserver cn=config]# systemctl enable slapd.service
ln -s '/usr/lib/systemd/system/slapd.service' '/etc/systemd/system/multi-user.target.wants/slapd.service'
[root@ark-ldapserver cn=config]# systemctl start slapd.service
[root@ark-ldapserver cn=config]# netstat -lt |grep ldap
tcp 0 0 0.0.0.0:ldap 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ldap [::]:* LISTEN
Step 3: Generate certificate
Generate a self-signed x509 certificate and private key, valid for 365 days:
[root@ark-ldapserver cn=config]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/arkitldap.pem -keyout /etc/pki/tls/certs/arkitkey.pem -days 365
Generating a 2048 bit RSA private key
..................+++
.................................................................................................................................+++
writing new private key to '/etc/pki/tls/certs/arkitkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Telangana
Locality Name (eg, city) [Default City]:Hyderabad
Organization Name (eg, company) [Default Company Ltd]:arkit
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ark-ldapserver
Email Address []:
[root@ark-ldapserver cn=config]#
You can fill in the fields as above or just hit Enter for all of them; the Common Name should be the host name clients use to reach the server, because that is what they verify. Verify the files by listing the directory; the file names must match exactly what was configured in Step 1. Note the permissions in the listing: the private key arkitkey.pem is world-readable (-rw-r--r--), which lets any local user impersonate the directory server. Make it readable only by root and the ldap user that slapd runs as (for example owner root, group ldap, mode 640); the certificate can stay world-readable.
[root@ark-ldapserver cn=config]# ll /etc/pki/tls/certs/
total 20
-rw-r--r--. 1 root root 1704 Mar 19 17:42 arkitkey.pem
-rw-r--r--. 1 root root 1330 Mar 19 17:42 arkitldap.pem
Step 4: Change migration config
Go to the directory below and edit migrate_common.ph, setting the entries shown (the screenshot is not reproduced here):
[root@ark-ldapserver cn=config]# cd /usr/share/migrationtools/
[root@ark-ldapserver migrationtools]# vi migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "arkit.co.in";
$DEFAULT_BASE = "dc=arkit,dc=co.in";
$EXTENDED_SCHEMA = 1;
Step 5: Creating the openLDAP base entries
Now create an LDIF file with the top of the directory tree: the base entry for the domain, the Manager role and the People and Group organisational units. Entries in LDIF are separated by a blank line.
[root@ark-ldapserver migrationtools]# touch /root/base.ldif
[root@ark-ldapserver migrationtools]# cat /root/base.ldif
dn: dc=arkit,dc=co.in
objectClass: top
objectClass: dcObject
objectclass: organization
o: arkit co.in
dc: arkit

dn: cn=Manager,dc=arkit,dc=co.in
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=arkit,dc=co.in
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=arkit,dc=co.in
objectClass: organizationalUnit
ou: Group
Step 6: Creating users and groups
Create normal Linux users along with their primary groups. root can set passwords that fail the BAD PASSWORD check, as the transcript shows, but for real accounts choose passwords that pass it.
[root@ark-ldapserver migrationtools]# useradd ldapuser1
[root@ark-ldapserver migrationtools]# useradd ldapuser2
[root@ark-ldapserver migrationtools]# useradd ldapuser3
[root@ark-ldapserver migrationtools]# passwd ldapuser1
Changing password for user ldapuser1.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@ark-ldapserver migrationtools]# passwd ldapuser2
Changing password for user ldapuser2.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@ark-ldapserver migrationtools]# passwd ldapuser3
Changing password for user ldapuser3.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
Now gather the users' and groups' information into separate files:
[root@ark-ldapserver migrationtools]# cat /etc/passwd |grep ldapuser > /root/password
[root@ark-ldapserver migrationtools]# cat /root/password
ldapuser1:x:1001:1001::/home/ldapuser1:/bin/bash
ldapuser2:x:1002:1002::/home/ldapuser2:/bin/bash
ldapuser3:x:1003:1003::/home/ldapuser3:/bin/bash
[root@ark-ldapserver migrationtools]# cat /etc/group |grep ldapuser > /root/groups
After that, convert the local users and groups into LDIF. migrate_passwd.pl also reads /etc/shadow and copies each user's password hash into users.ldif, so treat that file like /etc/shadow (readable by root only) and delete it once it has been imported.
[root@ark-ldapserver migrationtools]# ./migrate_passwd.pl /root/password /root/users.ldif
[root@ark-ldapserver migrationtools]# ./migrate_group.pl /root/groups /root/groups.ldif
[root@ark-ldapserver migrationtools]# ldapadd -x -W -D "cn=Manager,dc=arkit,dc=co.in" -f /root/base.ldif
Enter LDAP Password:
adding new entry "dc=arkit,dc=co.in"
adding new entry "cn=Manager,dc=arkit,dc=co.in"
adding new entry "ou=People,dc=arkit,dc=co.in"
adding new entry "ou=Group,dc=arkit,dc=co.in"
[root@ark-ldapserver migrationtools]# ldapadd -x -W -D "cn=Manager,dc=arkit,dc=co.in" -f /root/users.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=arkit,dc=co.in"
adding new entry "uid=ldapuser2,ou=People,dc=arkit,dc=co.in"
adding new entry "uid=ldapuser3,ou=People,dc=arkit,dc=co.in"
[root@ark-ldapserver migrationtools]# ldapadd -x -W -D "cn=Manager,dc=arkit,dc=co.in" -f /root/groups.ldif
Enter LDAP Password:
adding new entry "cn=ldapuser1,ou=Group,dc=arkit,dc=co.in"
adding new entry "cn=ldapuser2,ou=Group,dc=arkit,dc=co.in"
adding new entry "cn=ldapuser3,ou=Group,dc=arkit,dc=co.in"
Verify that the users are in the directory with the command below:
[root@ark-ldapserver migrationtools]# ldapsearch -x cn=ldapuser3 -b dc=arkit,dc=co.in
Step 7: Allow firewall ports
we have to allow ldap and ldaps
port numbers
[root@ark-ldapserver migrationtools]# firewall-cmd --permanent --add-service=ldap
success
[root@ark-ldapserver migrationtools]# firewall-cmd --permanent --add-service=ldaps
success
[root@ark-ldapserver migrationtools]# firewall-cmd --reload
success
That completes the openLDAP server configuration. Next we export the LDAP users' home directories over NFS.
Step 8: Install NFS util packages
[root@ark-ldapserver migrationtools]# yum -y install rpcbind nfs-utils
Enable and start the NFS
service
[root@ark-ldapserver migrationtools]# systemctl enable nfs-server.service
ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/multi-user.target.wants/nfs-server.service'
[root@ark-ldapserver migrationtools]# systemctl start nfs-server.service
[root@ark-ldapserver migrationtools]# systemctl enable rpcbind
[root@ark-ldapserver migrationtools]# systemctl start rpcbind
Configure the NFS export. The * client entry below lets every host that can reach the server mount /home read-write; restrict it to your client subnet or host names, and keep the default root_squash so that root on a client does not become root on the exported directories.
[root@ark-ldapserver migrationtools]# vi /etc/exports
/home *(rw,sync)
[root@ark-ldapserver migrationtools]# systemctl restart nfs-server.service
Enable NFS and its supporting services in the firewall:
[root@ark-ldapserver migrationtools]# firewall-cmd --permanent --add-service=nfs
success
[root@ark-ldapserver migrationtools]# firewall-cmd --permanent --add-service=rpc-bind
success
[root@ark-ldapserver migrationtools]# firewall-cmd --permanent --add-service=mountd
success
[root@ark-ldapserver migrationtools]# firewall-cmd --reload
success
[root@ark-ldapserver migrationtools]# showmount -e localhost
Export list for localhost:
/home *.arkit.co.in
The original tutorial makes /home world-writable at this point. That is not needed and is unsafe: with mode 777 and no sticky bit any user can rename or delete another user's home directory. The home directories for ldapuser1-3 were already created by useradd and autofs only mounts them, so /home can stay at its default mode 755. Finally restart slapd so that it picks up the TLS certificate and key generated in Step 3.
[root@ark-ldapserver ~]# chmod 777 /home
[root@ark-ldapserver ~]# systemctl restart slapd.service
[root@ark-ldapserver ~]# systemctl status slapd.service
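Two things in the NFS step above are worth catching before the export goes live: the client list * lets any host mount /home read-write, and exports are easy to mis-type in ways that hand out root. The following Python script is an added example for this page, not part of the tutorial or of nfs-utils: it parses an exports file the way exportfs reads it (host(options) pairs per path, a bare (options) after a space meaning every host) and reports the risky entries. The exports text in the script is constructed: the first line is the tutorial's, the others are hardened variants assuming the clients live in 192.168.4.0/24, the network of the LDAP client earlier on this page.

```python
"""Audit an NFS /etc/exports file for entries that hand the share to everyone
or give client root the server's root.

Added example for this page, not part of the tutorial or of nfs-utils.
SAMPLE_EXPORTS is constructed: the first line is the tutorial's export, the
rest are hardened variants that assume the clients live in 192.168.4.0/24
(the network of the LDAP client shown earlier on this page).
"""
import re

SAMPLE_EXPORTS = """\
# line 1: as written in the tutorial; lines 2-3: restricted alternatives
/home *(rw,sync)
/home 192.168.4.0/24(rw,sync,root_squash)
/srv/pub *.arkit.co.in(ro,sync) ldapclient1.arkit.co.in(rw,sync,no_root_squash)
"""

# host(options) with the parenthesised part optional; exports(5) syntax.
_CLIENT = re.compile(r"^(?P<host>[^(\s]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Return [(path, [(host, set_of_options)])] for every export line.

    A client spec with an empty host, as in '/home (rw)', is the wildcard '*':
    the stray space before the parenthesis is a classic exports mistake.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], []
        for spec in fields[1:]:
            m = _CLIENT.match(spec)
            if not m:
                raise ValueError("bad client spec %r in %r" % (spec, raw))
            host = m.group("host") or "*"
            opts = {o.strip() for o in (m.group("opts") or "").split(",") if o.strip()}
            clients.append((host, opts))
        entries.append((path, clients))
    return entries


def audit_exports(text):
    """One finding per (path, client) pair a reviewer would push back on."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            writable = "rw" in opts
            if host == "*" and writable:
                findings.append("%s: exported read-write to every host" % path)
            elif host.startswith("*") and writable:
                findings.append("%s: exported read-write to hostname wildcard %s"
                                % (path, host))
            if "no_root_squash" in opts:
                findings.append("%s: no_root_squash for %s lets root on the "
                                "client act as root on the server" % (path, host))
            if "insecure" in opts:
                findings.append("%s: insecure for %s accepts mounts from "
                                "unprivileged client ports" % (path, host))
    return findings


if __name__ == "__main__":
    for path, clients in parse_exports(SAMPLE_EXPORTS):
        for host, opts in clients:
            print("%-10s %-28s %s" % (path, host, ",".join(sorted(opts))))
    print()
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(" -", finding)
```

On the sample the script flags the tutorial's /home *(rw,sync) line and the no_root_squash client on /srv/pub, and accepts the subnet-restricted /home line. The same check can be run against the real file with parse_exports(open("/etc/exports").read()); showmount -e then confirms what the running server actually exports.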
SELinux (Security-Enhanced Linux): three layers of protection
SELinux is a security feature of the Linux kernel. It manages the behaviour of a system so as to keep it secure even when a network service is compromised.
SELinux is an additional layer of system security. It protects user data from system services that have been compromised. Linux administrators already know the standard user/group/other (u/g/o) permission model; SELinux adds mandatory rules on top of it that even root cannot bypass without changing the policy.
As an example (the original illustration, Picture 1, is not reproduced here): whenever an outside client requests data from a Linux server, SELinux checks that the port the request arrived on is labelled for that service, that the process serving it runs in a SELinux domain allowed to do so, and that the requested file carries a type that domain may read. This three-layer check is only enforced when SELinux is in enforcing mode.
SELinux is a set of security rules that determine which process can access which directories, files and ports. Every file, process, port and directory has a special label called a SELinux context.
A SELinux context has four fields: user, role, type and sensitivity level. Type names end with “_t”, and the type is the field that the targeted policy mostly decides on.
To display SELinux contexts, use the -Z option of ls:
[root@server ~]# ls -lZ
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Desktop
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Documents
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 Downloads
[root@server ~]# ls -ldZ /etc/
drwxr-xr-x. root root system_u:object_r:etc_t:s0 /etc/
[root@server ~]# ls -ldZ /var/
drwxr-xr-x. root root system_u:object_r:var_t:s0 /var/
[root@server ~]# ls -ldZ /
dr-xr-xr-x. root root system_u:object_r:root_t:s0 /
[root@server ~]# ls -ldZ /var/log/
drwxr-xr-x. root root system_u:object_r:var_log_t:s0 /var/log/
SELinux Modes:
SELinux has three modes:
1. Enforcing Mode
2. Permissive Mode
3. Disabled Mode
Enforcing Mode: the default mode; the SELinux policy is enforced. In this mode SELinux both logs denials and blocks them.
Permissive Mode: SELinux loads the policy and logs what it would deny, but denies nothing. No reboot is needed to move between enforcing and permissive. This mode is useful for troubleshooting, but read the denials first (ausearch -m avc -ts recent, or /var/log/audit/audit.log) before relaxing anything, since permissive mode switches protection off for every service, not just the one being debugged.
Disabled Mode: SELinux is completely off and no policy is loaded. A reboot is required to disable SELinux entirely, and to come back from disabled to enforcing; until you reboot, the change does not take effect.
When you move from disabled back to enforcing, the system relabels the whole file system on the next boot (create /.autorelabel before rebooting to force this), because files created while SELinux was disabled carry no context.
Change SELinux modes
To check SELinux security
status
[root@server ~]# sestatus
SELinux status: disabled
[root@server ~]# getenforce
Disabled
Enable or disable SELinux permanently: edit the configuration file and set SELINUX=enforcing or SELINUX=disabled.
[root@server ~]# vim /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
Enforced mode
[root@server ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
[root@server ~]# getenforce
Enforcing
To switch to permissive mode until the next reboot (setenforce 1 switches back to enforcing):
[root@server ~]# setenforce 0
[root@server ~]# getenforce
Permissive
What is the default SELinux context for newly created files and directories?
A file or directory created directly under / (slash) gets the default_t context.
A file or directory created under /etc/, /var/ or /var/www/html/ inherits the type of its parent directory, so it gets a different SELinux context; see the examples below:
[root@server ~]# mkdir /var/test
[root@server ~]# ls -ldZ /var/test/
drwxr-xr-x. root root unconfined_u:object_r:var_t:s0 /var/test/
[root@server ~]# mkdir /etc/test
[root@server ~]# ls -ldZ /etc/test
drwxr-xr-x. root root unconfined_u:object_r:etc_t:s0 /etc/test
[root@server ~]# mkdir /test
[root@server ~]# ls -ldZ /test
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /test
How to assign a SELinux security context
To assign a persistent context rule to a path, add it with semanage fcontext. This only records the rule; the label on disk is unchanged until restorecon applies it, as the second ls -ldZ below shows. chcon would relabel the directory immediately, but a later relabel would revert it, which is why the rule goes into the policy first:
[root@server ~]# semanage fcontext -a -t samba_share_t "/test(/.*)?"
[root@server ~]# ls -ldZ /test/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /test/
[root@server ~]# restorecon -vRF /test/
restorecon reset /test context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
[root@server ~]# ls -ldZ /test/
drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 /test/
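To make the relabel step above concrete, here is an added Python example for this page (not code from the tutorial or from the SELinux tools) that does offline what restorecon -nv does on a live system: match each path against the fcontext regular expressions and report the files whose type differs. The spec list and the listing are constructed from the contexts shown on this page; the matching rule it follows is the file_contexts convention that the last matching specification wins, which is why the local rule added with semanage fcontext is appended after the policy's own rules and overrides them.

```python
"""Offline version of what `restorecon -nv` reports: match paths against
fcontext specifications and list files whose current type differs.

Added example for this page, not code from the tutorial or from the SELinux
tools. FCONTEXT_SPECS and LISTING are constructed from the contexts shown on
this page; the matching rule used (the last matching specification wins, and
local rules added with semanage come after the policy's own) follows the
file_contexts convention.
"""
import re

# (regex, type) in file_contexts order. The last entry is the local rule the
# page adds with: semanage fcontext -a -t samba_share_t "/test(/.*)?"
FCONTEXT_SPECS = [
    ("/.*", "default_t"),
    ("/etc(/.*)?", "etc_t"),
    ("/var(/.*)?", "var_t"),
    ("/var/log(/.*)?", "var_log_t"),
    ("/test(/.*)?", "samba_share_t"),
]

# Constructed ls -Z style listing of (path, current context).
LISTING = [
    ("/etc/test", "unconfined_u:object_r:etc_t:s0"),
    ("/var/test", "unconfined_u:object_r:var_t:s0"),
    ("/var/log/messages", "system_u:object_r:var_log_t:s0"),
    ("/test", "unconfined_u:object_r:default_t:s0"),
    ("/test/share.txt", "unconfined_u:object_r:default_t:s0"),
]


def parse_context(ctx):
    """Split 'user:role:type:level' into its fields (the MLS level may contain ':')."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def expected_type(path, specs=FCONTEXT_SPECS):
    """Type the specs assign to path, or None when nothing matches."""
    wanted = None
    for pattern, type_ in specs:
        if re.fullmatch(pattern, path):
            wanted = type_  # later (more specific or local) rules override earlier ones
    return wanted


def find_mislabeled(listing, specs=FCONTEXT_SPECS):
    """Return [(path, current_type, expected_type)] for entries restorecon would relabel."""
    result = []
    for path, ctx in listing:
        current = parse_context(ctx)["type"]
        wanted = expected_type(path, specs)
        if wanted is not None and wanted != current:
            result.append((path, current, wanted))
    return result


if __name__ == "__main__":
    for path, current, wanted in find_mislabeled(LISTING):
        # same shape as a restorecon -nv line
        print("restorecon would reset %s context type %s -> %s" % (path, current, wanted))
```

On the constructed listing only /test and its contents are reported, matching the restorecon output above. On a live system restorecon -nv /test prints the same kind of report without changing anything, and semanage fcontext -l -C lists only the local rules that have been added.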
To let a confined service use an extra port, add the port to the service's port type:
[root@server ~]# semanage port -l |grep http_port
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
[root@server ~]# semanage port -a -t http_port_t -p tcp 15000
[root@server ~]# semanage port -l |grep http_port
http_port_t tcp 15000, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
To see SELinux boolean values and enable or disable them. Each boolean that is switched on widens what the policy allows (ftpd_anon_write, for example, lets anonymous FTP users upload into directories labelled public_content_rw_t), so enable only the ones a service really needs; -P makes the change persistent across reboots.
[root@server ~]# getsebool -a |grep ftp
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off
[root@server ~]# setsebool -P ftpd_anon_write on
[root@server ~]# getsebool -a |grep ftpd_anon_write
ftpd_anon_write --> on
sftpd_anon_write --> off
squid proxy server installation and configuration RHEL7 / Centos7
Squid is a caching proxy server used to filter web traffic and to reduce and fine-tune internet bandwidth use.
Squid was originally developed as the Harvest object cache, part of the Harvest project at the University of Colorado Boulder. Further work on the program was completed at the University of California, San Diego and funded via two grants from the National Science Foundation. Duane Wessels forked the “last pre-commercial version of Harvest” and renamed it to Squid to avoid confusion with the commercial fork called Cached 2.0, which became NetCache. Squid version 1.0.0 was released in July 1996.
Squid is now developed almost exclusively through volunteer efforts.
Squid Proxy Server Profile
- Packages: squid*
- Service name: squid
- Default port: 3128
- Config file: /etc/squid/squid.conf
- Log file path: /var/log/squid
- Environment: RHEL 7, CentOS 7 and RHEL 6
Installation process
[root@server ~]# yum install squid*
Installed:
squid.x86_64 7:3.3.8-12.el7_0
Dependency Installed:
libecap.x86_64 0:0.2.0-8.el7 perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7 perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7 perl-DBI.x86_64 0:1.627-4.el7 perl-Data-Dumper.x86_64 0:2.145-3.el7
perl-Digest.noarch 0:1.17-245.el7 perl-Digest-MD5.x86_64 0:2.52-3.el7 perl-IO-Compress.noarch 0:2.061-2.el7 perl-Net-Daemon.noarch 0:0.48-5.el7 perl-PlRPC.noarch 0:0.2020-14.el7
Complete!
Enable and start the Service
[root@server ~]# systemctl enable squid
ln -s '/usr/lib/systemd/system/squid.service' '/etc/systemd/system/multi-user.target.wants/squid.service'
[root@server ~]# systemctl start squid
[root@server ~]# systemctl status squid
squid.service - Squid caching proxy
Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled)
Active: active (running) since Sun 2016-04-17 13:47:33 IST; 34s ago
Process: 7989 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
Process: 7983 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
Main PID: 7999 (squid)
CGroup: /system.slice/squid.service
├─7999 /usr/sbin/squid -f /etc/squid/squid.conf
└─8001 (squid-1) -f /etc/squid/squid.conf
Apr 17 13:46:53 server.arkit.co.in squid[7989]: 2016/04/17 13:46:53| WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.
Apr 17 13:47:13 server.arkit.co.in squid[7989]: 2016/04/17 13:47:13| WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.
Apr 17 13:47:33 server.arkit.co.in squid[7989]: 2016/04/17 13:47:33| WARNING: Could not determine this machines public hostname. Please configure one or set 'visible_hostname'.
Apr 17 13:47:33 server.arkit.co.in squid[7999]: Squid Parent: will start 1 kids
Apr 17 13:47:33 server.arkit.co.in squid[7999]: Squid Parent: (squid-1) process 8001 started
Apr 17 13:47:33 server.arkit.co.in systemd[1]: Started Squid caching proxy.
Allow firewall port for squid
[root@server ~]# firewall-cmd --permanent --add-port=3128/tcp
success
[root@server ~]# firewall-cmd --reload
success
The default Squid proxy port is 3128, which is why port 3128 has to be allowed.
Access Control List
Open the configuration file and write ACLs as required. With ACLs we can do many things:
1. Restrict unwanted (bad) URLs
2. Restrict access to the Internet based on time period
3. Control downloads
4. Restrict file type downloads
5. Allow networks Internet access
6. Download speed control
[root@server ~]# vim /etc/squid/squid.conf
To allow a network, write the ACL lines below:
acl localnet src 192.168.4.0/24
http_access allow localnet
To allow ports using an ACL:
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access deny !Safe_ports
Block bad sites:
acl badsites url_regex "/etc/squid/badsites"
http_access deny badsites
Write the bad sites in the file:
[root@server ~]# cat /etc/squid/badsites
.facebook.com
.twitter.com
.youtube.com
.msn.com
.myspace.com
.flickr.com
Block file downloads:
acl blockfiles urlpath_regex "/etc/squid/blockfiles.acl"
http_access deny blockfiles
To block file type downloads, below is an example file that denies mp3, mp4, flv, avi, 3gp, mpg and mpeg files:
[root@server ~]# cat /etc/squid/blockfiles.acl
\.torrent$
\.mp3.*$
\.mp4.*$
\.3gp.*$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$
\.[Ff][Ll][Vv].*$
Time-based access, which denies Internet access from 10:00 to 19:00:
acl work_hours time 10:00-19:00
http_access deny work_hours
Restricting download speed with a delay-pool ACL:
acl speedcontrol src 192.168.4.0/24
delay_pools 1
delay_class 1 2
delay_parameters 1 524288/524288 52428/52428
delay_access 1 allow speedcontrol
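Squid evaluates http_access lines top to bottom and stops at the first match, so the snippets above only work as intended if the deny lines come before `http_access allow localnet`. The evaluator below is an added example, not from the original notes or the Squid project; it re-implements the first-match logic for the page's ACL types (src, port, url_regex, urlpath_regex, time) and compares the page's order with a deny-first order that ends in `deny all`. The time ACL's end boundary and urlpath_regex's treatment of the query string are approximations.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# ACL definitions taken from the page's squid.conf snippets (the badsites and blockfiles
# lists are abbreviated); "all" is Squid's built-in match-everything ACL.
ACLS = {
    "all": ("src", [ip_network("0.0.0.0/0")]),
    "localnet": ("src", [ip_network("192.168.4.0/24")]),
    "Safe_ports": ("port", {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))),
    "badsites": ("url_regex", [".facebook.com", ".twitter.com", ".youtube.com"]),
    "blockfiles": ("urlpath_regex", [r"\.torrent$", r"\.mp3.*$", r"\.[Aa][Vv][Ii]$", r"\.[Ff][Ll][Vv].*$"]),
    "work_hours": ("time", (10 * 60, 19 * 60)),  # 10:00-19:00 as minutes since midnight
}
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# http_access lines in the order the page presents them ...
PAGE_ORDER = [("allow", "localnet"), ("deny", "!Safe_ports"), ("deny", "badsites"),
              ("deny", "blockfiles"), ("deny", "work_hours")]
# ... and with the deny lines moved ahead of the allow, closed by the usual "deny all".
DENY_FIRST = [("deny", "!Safe_ports"), ("deny", "badsites"), ("deny", "blockfiles"),
              ("deny", "work_hours"), ("allow", "localnet"), ("deny", "all")]


def acl_matches(name, src_ip, url, when):
    """Evaluate one named ACL against a request (client IP, URL, local time as "HH:MM")."""
    kind, data = ACLS[name]
    parts = urlsplit(url)
    if kind == "src":
        return any(ip_address(src_ip) in net for net in data)
    if kind == "port":
        return (parts.port or DEFAULT_PORTS.get(parts.scheme)) in data
    if kind == "url_regex":  # searched in the whole URL, case-sensitive (no -i flag)
        return any(re.search(p, url) for p in data)
    if kind == "urlpath_regex":  # assumption: path plus query string, as Squid's URL-path
        path = parts.path + ("?" + parts.query if parts.query else "")
        return any(re.search(p, path) for p in data)
    if kind == "time":  # end of the range treated as exclusive (approximation)
        hour, minute = map(int, when.split(":"))
        return data[0] <= hour * 60 + minute < data[1]
    raise ValueError(f"unsupported ACL type {kind}")


def http_access(rules, src_ip, url, when):
    """First matching http_access line wins; with no match Squid uses the opposite of the last line."""
    for action, acl in rules:
        negated = acl.startswith("!")
        if acl_matches(acl.lstrip("!"), src_ip, url, when) != negated:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    print("page order:", http_access(PAGE_ORDER, "192.168.4.10", "http://www.facebook.com/", "12:00"))
    print("deny first:", http_access(DENY_FIRST, "192.168.4.10", "http://www.facebook.com/", "12:00"))
```

With the page's order a localnet client reaches facebook.com because `allow localnet` matches first, and a client outside localnet is allowed by default because the last line is a deny; the deny-first order closes both gaps.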
Go to the client side
Change the proxy address in your browser, then try to access a website:
IE Settings > Internet options > Connections > LAN Settings > provide the IP address and port number
Now watch the Squid logs
/var/log/squid/ is the log file directory.
The logs are a valuable source of information about Squid workloads and performance. The logs record not only access information, but also system configuration errors and resource consumption (e.g. memory, disk space). There are several log files maintained by Squid. Some have to be explicitly activated at compile time, others can safely be deactivated at run time.
- /var/log/squid/access.log: Most log file analysis programs are based on the entries in access.log. You can use this file to find out who is using the Squid server and what they are doing.
- /var/log/squid/cache.log: The cache.log file contains the debug and error messages that Squid generates. If you start Squid using the default RunCache script, or start it with the -s command line option, a copy of certain messages will go to your syslog facilities. It is a matter of personal preference whether to use a separate file for the Squid log data.
- /var/log/squid/store.log: The store.log file covers the objects currently kept on disk or removed ones. As a kind of transaction log it is usually used for debugging purposes. A definitive statement on whether an object resides on your disks is only possible after analysing the complete log file. The release (deletion) of an object may be logged at a later time than the swap out (save to disk).
HOW DO I VIEW SQUID LOG FILES / LOGS?
You can use standard UNIX / Linux commands such as grep and tail to view the log files. You must log in as root or use the sudo command to view them.
Display log files in real time
Use the tail command as follows:
~]# tail -f /var/log/squid/access.log
OR
~]$ sudo tail -f /var/log/squid/access.log
Search log files
Use the grep command as follows:
~]# grep 'string-to-search' /var/log/squid/access.log
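To answer the question the text poses of access.log (who is using the proxy and what they are doing), the parser below is an added example, not from the original notes; it reads Squid's native access.log format and totals requests, bytes and TCP_DENIED hits per client, so a client that trips the deny rules repeatedly, or one from outside the allowed network, stands out. The log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed access.log lines in Squid's native format:
# time elapsed client action/status bytes method URL user hierarchy/peer content-type
SAMPLE_ACCESS_LOG = """\
1460880412.101    145 192.168.4.10 TCP_MISS/200 5432 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1460880415.220      0 192.168.4.10 TCP_DENIED/403 3895 GET http://www.facebook.com/ - HIER_NONE/- text/html
1460880420.003     98 192.168.4.11 TCP_HIT/200 120345 GET http://example.com/logo.png - HIER_NONE/- image/png
1460880433.517      0 192.168.4.11 TCP_DENIED/403 3890 GET http://example.com/music/song.mp3 - HIER_NONE/- text/html
1460880440.900      0 192.168.4.11 TCP_DENIED/403 3890 CONNECT www.twitter.com:443 - HIER_NONE/- -
1460880450.010    310 10.0.0.5 TCP_DENIED/403 3900 GET http://example.com/ - HIER_NONE/- text/html
"""

# timestamp, elapsed ms, client, action, status, bytes, method, URL (remaining fields ignored)
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)")


def parse_access_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped instead of aborting the report."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, elapsed, client, action, status, size, method, url = m.groups()
        yield {"time": float(ts), "elapsed_ms": int(elapsed), "client": client, "action": action,
               "status": int(status), "bytes": int(size), "method": method, "url": url}


def host_of(url):
    """Hostname for GET-style URLs, or the host part of a CONNECT host:port target."""
    return urlsplit(url).hostname or url.split(":")[0]


def summarize(records):
    """Per-client request and byte totals, plus denied-request counters broken down by host."""
    requests, transferred, denied = Counter(), Counter(), Counter()
    denied_hosts = defaultdict(Counter)
    for r in records:
        requests[r["client"]] += 1
        transferred[r["client"]] += r["bytes"]
        if r["action"].startswith("TCP_DENIED"):
            denied[r["client"]] += 1
            denied_hosts[r["client"]][host_of(r["url"])] += 1
    return {"requests": requests, "bytes": transferred, "denied": denied, "denied_hosts": denied_hosts}


if __name__ == "__main__":
    report = summarize(parse_access_log(SAMPLE_ACCESS_LOG))
    for client, count in report["requests"].most_common():
        print(f"{client:15} requests={count:3} bytes={report['bytes'][client]:7} "
              f"denied={report['denied'][client]} {dict(report['denied_hosts'][client])}")
```

On a live server the same functions can be fed `open("/var/log/squid/access.log")` instead of the constructed sample.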
Install MariaDB 10.2 on RHEL 7 / CentOS 7: Complete Beginners Guide
We are going to see how to install MariaDB 10.2 on RHEL 7 / CentOS 7. I call it a beginners guide because it covers the first-step installation. Why should we use MariaDB?
A few features of MariaDB:
- MariaDB is open-source relational database software.
- It is a great alternative or drop-in replacement for MySQL.
- It is free and easy to use.
- MariaDB is fast, scalable and robust, with a rich ecosystem of storage engines.
- New MariaDB features include GIS and JSON support.
- A non-blocking client API library.
- The Aria and XtraDB storage engines with enhanced performance.
- Better server status variables and enhanced replication.
- API and ABI compatibility with MySQL.
Server profile:
1. Packages: mariadb, mariadb-server, mariadb-libs
2. Daemon name: mariadb
3. Port number: 3306
4. Configuration file path: /etc/my.cnf
Install MariaDB 10.2 on RHEL 7 / CentOS 7
Let's install the MariaDB packages from the local repository; the MariaDB packages are included on the installation media, so no external repo needs to be added. If you want the latest version, use the yum repo from MariaDB.
MariaDB repo for RHEL 7 64-bit
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.2/rhel7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
MariaDB repo for CentOS 7 64-bit
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.2/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
Note: the MariaDB packages are installed with the yum groupinstall option.
[root@TechTutorials ~]# yum groupinstall mariadb*
Downloading packages:
--------------------------------------------------------------------------------------------------------------------------------------------
Total 68 MB/s | 22 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
Installing : perl-Data-Dumper-2.145-3.el7.x86_64 1/13
Installing : unixODBC-2.3.1-10.el7.x86_64 2/13
Installing : perl-Net-Daemon-0.48-5.el7.noarch 3/13
Installing : 1:perl-Compress-Raw-Zlib-2.061-4.el7.x86_64 4/13
Installing : perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64 5/13
Installing : perl-IO-Compress-2.061-2.el7.noarch 6/13
Installing : perl-PlRPC-0.2020-14.el7.noarch 7/13
Installing : perl-DBI-1.627-4.el7.x86_64 8/13
Installing : perl-DBD-MySQL-4.023-5.el7.x86_64 9/13
Installing : 1:mariadb-5.5.41-2.el7_0.x86_64 10/13
Installing : 1:mariadb-server-5.5.41-2.el7_0.x86_64 11/13
Installing : mysql-connector-odbc-5.2.5-6.el7.x86_64 12/13
Installing : MySQL-python-1.2.3-11.el7.x86_64 13/13
Verifying : 1:mariadb-5.5.41-2.el7_0.x86_64 1/13
Verifying : perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64 2/13
Verifying : mysql-connector-odbc-5.2.5-6.el7.x86_64 3/13
Verifying : perl-Data-Dumper-2.145-3.el7.x86_64 4/13
Verifying : MySQL-python-1.2.3-11.el7.x86_64 5/13
Verifying : 1:mariadb-server-5.5.41-2.el7_0.x86_64 6/13
Verifying : 1:perl-Compress-Raw-Zlib-2.061-4.el7.x86_64 7/13
Verifying : perl-PlRPC-0.2020-14.el7.noarch 8/13
Verifying : perl-Net-Daemon-0.48-5.el7.noarch 9/13
Verifying : perl-DBI-1.627-4.el7.x86_64 10/13
Verifying : unixODBC-2.3.1-10.el7.x86_64 11/13
Verifying : perl-DBD-MySQL-4.023-5.el7.x86_64 12/13
Verifying : perl-IO-Compress-2.061-2.el7.noarch 13/13
Installed:
MySQL-python.x86_64 0:1.2.3-11.el7 mariadb.x86_64 1:5.5.41-2.el7_0 mariadb-server.x86_64 1:5.5.41-2.el7_0
mysql-connector-odbc.x86_64 0:5.2.5-6.el7
Dependency Installed:
perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7 perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7 perl-DBD-MySQL.x86_64 0:4.023-5.el7
perl-DBI.x86_64 0:1.627-4.el7 perl-Data-Dumper.x86_64 0:2.145-3.el7 perl-IO-Compress.noarch 0:2.061-2.el7
perl-Net-Daemon.noarch 0:0.48-5.el7 perl-PlRPC.noarch 0:0.2020-14.el7 unixODBC.x86_64 0:2.3.1-10.el7
Complete!
After the MariaDB package installation completes, enable and start the service, then verify that it is listening on its port and check its status.
[root@server ~]# systemctl enable mariadb.service
ln -s '/usr/lib/systemd/system/mariadb.service' '/etc/systemd/system/multi-user.target.wants/mariadb.service'
[root@server ~]# systemctl start mariadb.service
[root@server ~]# ss -tunlp |grep mysqld
tcp LISTEN 0 50 *:3306 *:* users:(("mysqld",4188,13))
[root@server ~]# systemctl status mariadb.service
mariadb.service - MariaDB database server
Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled)
Active: active (running) since Mon 2016-06-13 22:07:52 IST; 14s ago
Process: 4031 ExecStartPost=/usr/libexec/mariadb-wait-ready $MAINPID (code=exited, status=0/SUCCESS)
Process: 3939 ExecStartPre=/usr/libexec/mariadb-prepare-db-dir %n (code=exited, status=0/SUCCESS)
Main PID: 4030 (mysqld_safe)
Allow the MariaDB port through the firewall so that clients can connect
[root@server ~]# firewall-cmd --permanent --add-service=mysql
success
[root@server ~]# firewall-cmd --reload
success
[root@server ~]# firewall-cmd --permanent --add-port=3306/tcp
success
[root@server ~]# firewall-cmd --reload
success
Decide how to configure the MariaDB instance: with networking or without networking.
Networking = enable instance networking so that we can connect to the instance from a remote machine.
Without networking = we can't connect to the instance from a remote machine; it can only be used within the server itself.
[root@server ~]# vim /etc/my.cnf
skip-networking=1
:wq
Now restart the MariaDB service for the change to take effect.
Now, to secure MariaDB, we have to set the MariaDB root user password, remove the anonymous users, disallow remote root login, remove the test database, and so on.
Harden MariaDB using the command below:
[root@server ~]# mysql_secure_installation
/usr/bin/mysql_secure_installation: line 379: find_mysql_client: command not found
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
After installation of the MariaDB server, the database root user password is blank, so for security reset the root password.
Note: without a database root password anyone can log in.
Now connect to the MariaDB server with the root password for the first time:
[root@server ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 5.5.41-MariaDB MariaDB Server
Copyright (c) 2000, 2014, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
That's it for installing MariaDB 10.2 on RHEL 7 / CentOS 7, the complete beginners guide.