Private (RFC 1918) address ranges:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
cups
http://www.owlfish.com/thoughts/winipp-cups-2003-07-20.html#permission
http://wiki.archlinux.org/index.php/CUPS_Setup#Linux_to_Linux
linux printer drivers
http://www.turboprint.de/english.html
Speed Test
For two hosts communicating across a path of multiple networks, a transmitted packet becomes fragmented if its size is greater than the smallest MTU of any network in the path. Because packet fragmentation can reduce network performance, it is desirable to avoid it by transmitting packets with a size no greater than the smallest MTU in the network path. This size is called the path MTU.
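The following is an added worked example (not part of the original notes) that puts the path MTU rule into code: the path MTU is the minimum link MTU, a datagram larger than it is split into fragments whose payloads are multiples of 8 bytes (the IPv4 offset field counts 8-byte units), and with the DF bit set the datagram is dropped instead. The link MTUs used are constructed sample values.

```python
"""Path MTU and IPv4 fragmentation, worked through in code (illustrative example
added here; not part of the original notes). Link MTUs are constructed sample values."""
from dataclasses import dataclass
from typing import List

IPV4_HEADER = 20  # minimal IPv4 header, bytes (no options)


@dataclass
class Fragment:
    offset_units: int     # fragment offset as carried in the header: in 8-byte units
    payload_len: int      # payload bytes in this fragment (header not included)
    more_fragments: bool  # MF flag: True on every fragment but the last


def path_mtu(link_mtus: List[int]) -> int:
    """The path MTU is simply the smallest MTU of any link on the path."""
    if not link_mtus:
        raise ValueError("a path needs at least one link")
    return min(link_mtus)


def fragment(datagram_len: int, mtu: int) -> List[Fragment]:
    """Split a datagram of datagram_len bytes (header included) so every piece fits in mtu.
    All fragments except the last carry a payload that is a multiple of 8 bytes, because
    the offset field counts 8-byte units."""
    payload = datagram_len - IPV4_HEADER
    if payload < 0:
        raise ValueError("datagram shorter than an IPv4 header")
    if datagram_len <= mtu:
        return [Fragment(0, payload, False)]
    max_payload = ((mtu - IPV4_HEADER) // 8) * 8
    if max_payload <= 0:
        raise ValueError("MTU %d cannot carry an IPv4 header plus payload" % mtu)
    frags: List[Fragment] = []
    sent = 0
    while sent < payload:
        chunk = min(max_payload, payload - sent)
        frags.append(Fragment(sent // 8, chunk, sent + chunk < payload))
        sent += chunk
    return frags


def deliver(datagram_len: int, link_mtus: List[int], dont_fragment: bool = False) -> str:
    """What happens to a datagram sent along the path: delivered intact, fragmented,
    or (with DF set) dropped by the router in front of the narrow link, which answers
    with an ICMP 'fragmentation needed' message carrying that link's MTU."""
    pmtu = path_mtu(link_mtus)
    if datagram_len <= pmtu:
        return "delivered intact"
    if dont_fragment:
        return "dropped: DF set, ICMP fragmentation-needed (MTU %d) returned" % pmtu
    return "fragmented into %d pieces" % len(fragment(datagram_len, pmtu))


if __name__ == "__main__":
    # constructed example path: Ethernet, a PPPoE hop, Ethernet
    path = [1500, 1492, 1500]
    print("path MTU:", path_mtu(path))
    for f in fragment(4000, path_mtu(path)):
        print(f)
    print(deliver(1500, path), "|", deliver(1500, path, dont_fragment=True))
```

A 4000-byte datagram over a 1500-byte MTU comes out as payloads of 1480, 1480 and 1020 bytes at offsets 0, 185 and 370 units; the same datagram with DF set never gets through, which is exactly the situation path MTU discovery relies on.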
putty
http://www.unixwiz.net/techtips/putty-openssh.html
Broadband
Broadband type and speed info
DS0 - 64 kilobits per second
ISDN - Two DS0 lines plus signaling (16 kilobytes per second), or 128 kilobits per second
T1 - 1.544 megabits per second (24 DS0 lines)
T3 - 43.232 megabits per second (28 T1s)
OC3 - 155 megabits per second (84 T1s)
OC12 - 622 megabits per second (4 OC3s)
OC48 - 2.5 gigabits per second (4 OC12s)
OC192 - 9.6 gigabits per second (4 OC48s)
Dynamic Host Configuration Protocol (DHCP)
Setting up DHCP server on Redhat Linux system
01. Install the dhcp server software if not already installed
# yum install dhcp.x86_64
02. The dhcp server configuration file is
/etc/dhcpd.conf. A sample file can be found at
/usr/share/doc/dhcp-<version>/dhcpd.conf.sample. Copy this sample
file as /etc/dhcpd.conf and modify the file as required.
# cat /etc/dhcpd.conf
# DHCP server sample config file
ddns-update-style interim;
ignore client-updates;
# If more than one network interface card is present in the system, the interface the
# DHCP server should listen on is set with DHCPDARGS=eth0 in /etc/sysconfig/dhcpd
# (it is an argument to the daemon, not a dhcpd.conf statement).
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;                                   # default gateway
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option domain-name "yourdomain.com";
    option domain-name-servers 192.131.255.10, 206.206.206.206;   # DNS servers
    range dynamic-bootp 192.168.1.100 192.168.1.254;              # IP range handed out
    default-lease-time 86400;
    max-lease-time 86400;
    option ip-forwarding off;
}
# To assign an IP address to a client based on the MAC address of its network interface card,
# use the hardware ethernet parameter within a host declaration.
host test {
    option host-name "test.example.com";
    hardware ethernet 00:A0:78:8E:9E:AA;
    fixed-address 192.168.1.104;
}
03. Start the DHCPD server
# service dhcpd start
04. Make the DHCPD Server to start automatically during next reboot
# chkconfig dhcpd on
Lease Database
On the DHCP server, the file /var/lib/dhcp/dhcpd.leases stores the DHCP client lease database. This file should not be modified by hand. DHCP lease information for each recently assigned IP address is automatically stored in the lease database. The information includes the length of the lease, to whom the IP address has been assigned, the start and end dates for the lease, and the MAC address of the network interface card that was used to retrieve the lease. All times in the lease database are in Greenwich Mean Time (GMT), not local time.
The lease database is recreated from time to time so
that it is not too large. First, all known leases are saved in a
temporary lease database. The dhcpd.leases file is renamed
dhcpd.leases~, and the temporary lease database is written to
dhcpd.leases.
The DHCP daemon could be killed or the system could
crash after the lease database has been renamed to the backup file but
before the new file has been written. If this happens, the dhcpd.leases
file does not exist, but it is required to start the service. Do not
create a new lease file. If you do, all the old leases will be lost and
cause many problems. The correct solution is to rename the dhcpd.leases~
backup file to dhcpd.leases and then start the daemon.
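An added example (not part of the original notes) of reading the lease database described above: it parses dhcpd's "lease <ip> { ... }" blocks, treats the last block for an address as the current one (dhcpd appends a new block on every change, which is why the file grows and gets rewritten), interprets the timestamps as GMT, and answers the two questions an administrator usually has, which leases are active right now and whether one MAC address holds several addresses. The lease text and the "current time" are constructed sample data.

```python
"""Reading the dhcpd.leases database (illustrative example added here, not part of the
original notes). The lease text below is constructed to mirror dhcpd's format."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# dhcpd appends a new "lease <ip> { ... }" block on every change; bodies never contain '}'
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
# times are written as "<weekday> YYYY/MM/DD HH:MM:SS" in GMT/UTC, never local time
TIME_FMT = "%Y/%m/%d %H:%M:%S"

SAMPLE_LEASES = """\
# constructed sample of /var/lib/dhcp/dhcpd.leases
lease 192.168.1.120 {
  starts 2 2024/01/09 08:00:00;
  ends 3 2024/01/10 08:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.104 {
  starts 3 2024/01/10 08:00:00;
  ends 4 2024/01/11 08:00:00;
  binding state active;
  hardware ethernet 00:A0:78:8E:9E:AA;
  client-hostname "test";
}
lease 192.168.1.120 {
  starts 2 2024/01/09 08:00:00;
  ends 3 2024/01/10 08:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.121 {
  starts 3 2024/01/10 09:00:00;
  ends 4 2024/01/11 09:00:00;
  binding state active;
  hardware ethernet 00:a0:78:8e:9e:aa;
  client-hostname "test";
}
"""
NOW = datetime(2024, 1, 10, 12, 0, 0, tzinfo=timezone.utc)  # constructed "current time"


def _parse_time(value: str) -> Optional[datetime]:
    value = value.strip()
    if value == "never":
        return None
    _weekday, date, clock = value.split()
    return datetime.strptime(date + " " + clock, TIME_FMT).replace(tzinfo=timezone.utc)


def parse_leases(text: str) -> Dict[str, dict]:
    """Return the current record for each IP; a later block for the same address
    supersedes the earlier ones, exactly as dhcpd reads its own file back."""
    leases: Dict[str, dict] = {}
    for ip, body in LEASE_RE.findall(text):
        rec = {"ip": ip, "starts": None, "ends": None, "state": None, "mac": None, "hostname": None}
        for line in body.splitlines():
            stmt = line.strip().rstrip(";")
            if stmt.startswith("starts "):
                rec["starts"] = _parse_time(stmt[len("starts "):])
            elif stmt.startswith("ends "):
                rec["ends"] = _parse_time(stmt[len("ends "):])
            elif stmt.startswith("binding state "):
                rec["state"] = stmt.split()[-1]
            elif stmt.startswith("hardware ethernet "):
                rec["mac"] = stmt.split()[-1].lower()   # normalise case for comparisons
            elif stmt.startswith("client-hostname "):
                rec["hostname"] = stmt.split(None, 1)[1].strip('"')
        leases[ip] = rec
    return leases


def active_leases(leases: Dict[str, dict], now: datetime) -> List[str]:
    """Addresses whose current record is active and has not yet reached its end time."""
    return sorted(ip for ip, r in leases.items()
                  if r["state"] == "active" and r["ends"] is not None and r["ends"] > now)


def macs_with_multiple_ips(leases: Dict[str, dict]) -> Dict[str, List[str]]:
    """MAC addresses that currently hold more than one address (worth a look)."""
    by_mac: Dict[str, List[str]] = {}
    for ip, r in leases.items():
        if r["mac"]:
            by_mac.setdefault(r["mac"], []).append(ip)
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    current = parse_leases(SAMPLE_LEASES)
    print("active:", active_leases(current, NOW))
    print("multi-IP MACs:", macs_with_multiple_ips(current))
```

To run it against a real server, read /var/lib/dhcp/dhcpd.leases (read-only; as noted above, never edit the file) and pass datetime.now(timezone.utc) as the reference time.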
Help for DHCP
Help is available from the following man pages
man dhcp-eval
man dhcpd.conf
man dhcpd.leases
man dhcpd
man dhcrelay
More information for configuring DHCP server can be found at the following link
http://centos.org/docs/5/html/Deployment_Guide-en-US/ch-dhcp.html
Configuring dynamic DNS update along with DHCP
http://en.opensuse.org/Howto_setup_SUSE_as_SAMBA_PDC_with_OpenLDAP,_DYNDNS_and_CLAM
DNS
Setting up BIND
The first resource record in any Domain Name System (DNS) Zone file should be a Start of Authority (SOA) resource record. The SOA resource record indicates that this DNS name server is the best source of information for the data within this DNS domain.
The SOA resource record contains the following information:
Source host - The host where the file was created.
Contact e-mail - The e-mail address of the person responsible for administering the domain's zone file. Note that a "." is used instead of an "@" in the e-mail name.
Serial number - The revision number of this zone file. Increment this number each time the zone file is changed; secondary DNS servers only pick up changes when they see a higher serial.
Refresh time - The time, in seconds, a secondary DNS server waits before querying the primary DNS server's SOA record to check for changes. When the refresh time expires, the secondary requests a copy of the current SOA record from the primary and compares the serial number in it with the serial number in its own SOA record. If they differ, the secondary requests a zone transfer from the primary. The default value is 3,600.
Retry time - The time, in seconds, a secondary server waits before retrying a failed zone transfer. Normally, the retry time is less than the refresh time. The default value is 600.
Expire time - The time, in seconds, that a secondary server will keep trying to complete a zone transfer. If this time expires prior to a successful zone transfer, the secondary server will expire its zone file. This means the secondary will stop answering queries, as it considers its data too old to be reliable. The default value is 86,400.
Minimum TTL - The minimum time-to-live value applies to all resource records in the zone file. This value is supplied in query responses to inform other servers how long they should keep the data in cache. The default value is 3,600.
The following is an example of a DNS server SOA resource record:
@ IN SOA nameserver.place.dom. postmaster.place.dom. (
        1       ; serial number
        3600    ; refresh [1h]
        600     ; retry [10m]
        86400   ; expire [1d]
        3600 )  ; min TTL [1h]
Configuring Bind in Ubuntu/Debian
Install Bind
# apt-get install bind9
Ubuntu provides a pre-configured Bind, so we can edit /etc/bind/named.conf.local file instead of /etc/bind/named.conf
# cat /etc/bind/named.conf.local
zone "sys-admin.net" {
    type master;
    file "/etc/bind/zones/sys-admin.net.db";
};
zone "0.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.192.168.0";
};
Create the zone file for sys-admin.net
$TTL 38400
@       IN SOA  ubuntu.sys-admin.net. root.ubuntu.sys-admin.net. (
                2007030701      ; serial
                28800           ; refresh
                3600            ; retry
                604800          ; expire
                38400 )         ; minimum TTL
        IN NS   ubuntu.sys-admin.net.
        IN MX   10 ubuntu.sys-admin.net.
ubuntu  IN A    192.168.0.2
dt      IN A    192.168.0.3
lt      IN A    192.168.0.1
Now, create the reverse lookup file
$TTL 38400
@       IN SOA  ubuntu.sys-admin.net. root.ubuntu.sys-admin.net. (
                2007030701      ; serial
                28800           ; refresh
                3600            ; retry
                604800          ; expire
                38400 )         ; minimum TTL
        IN NS   ubuntu.sys-admin.net.
        IN NS   ns1.sys-admin.net.
; owner = last octet of the address; PTR targets must be fully qualified (trailing dot),
; otherwise BIND appends the zone origin to them
2       IN PTR  ubuntu.sys-admin.net.
3       IN PTR  dt.sys-admin.net.
1       IN PTR  lt.sys-admin.net.
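An added example (not part of the original notes, and not a BIND tool) that checks a forward zone against its reverse zone before reloading: it parses the master-file syntax used above (SOA in parentheses, "@" and relative owners, optional TTL/class), reads the SOA serial, and reports the two classic reverse-zone mistakes, a PTR whose last octet does not match the A record and a PTR target without the trailing dot (which BIND silently turns into ubuntu.sys-admin.net.0.168.192.in-addr.arpa). The zone texts are constructed from the records above; BAD_REVERSE deliberately contains both mistakes.

```python
"""Forward/reverse zone consistency check (illustrative example added here; not part of
the original notes and not a BIND utility). Zone texts below are constructed samples."""
import re
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner as FQDN, record type, rdata)

FORWARD_ZONE = """\
$TTL 38400
@       IN SOA  ubuntu.sys-admin.net. root.ubuntu.sys-admin.net. (
                2007030701      ; serial
                28800           ; refresh
                3600            ; retry
                604800          ; expire
                38400 )         ; minimum TTL
        IN NS   ubuntu.sys-admin.net.
        IN MX   10 ubuntu.sys-admin.net.
ubuntu  IN A    192.168.0.2
dt      IN A    192.168.0.3
lt      IN A    192.168.0.1
"""

# constructed: wrong last octets for two hosts and a PTR target missing its trailing dot
BAD_REVERSE = """\
$TTL 38400
@       IN SOA  ubuntu.sys-admin.net. root.ubuntu.sys-admin.net. (
                2007030701 28800 3600 604800 38400 )
        IN NS   ubuntu.sys-admin.net.
2       IN PTR  ubuntu.sys-admin.net
77      IN PTR  dt.sys-admin.net.
66      IN PTR  lt.sys-admin.net.
"""

GOOD_REVERSE = BAD_REVERSE.replace("2       IN PTR  ubuntu.sys-admin.net\n", "2       IN PTR  ubuntu.sys-admin.net.\n") \
                          .replace("77      IN PTR", "3       IN PTR").replace("66      IN PTR", "1       IN PTR")


def _absolute(name: str, origin: str) -> str:
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text: str, origin: str) -> List[Record]:
    """Minimal parser for the master-file syntax used above: one record per line, an
    owner of '@' or a relative/absolute name (a leading blank repeats the previous
    owner), optional TTL and class, and parenthesised multi-line rdata as in SOA.
    Not a complete RFC 1035 parser ($INCLUDE, $GENERATE etc. are not handled)."""
    body = "\n".join(line.split(";", 1)[0] for line in text.splitlines())   # drop comments
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)  # join ( ... )
    records: List[Record] = []
    last_owner = None
    for raw in body.splitlines():
        if not raw.strip() or raw.startswith("$"):
            continue
        tokens = raw.split()
        owner = last_owner if raw[0].isspace() else tokens.pop(0)
        if owner is None:
            raise ValueError("record with no owner: %r" % raw)
        if tokens and tokens[0].isdigit():        # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        if not tokens:
            raise ValueError("record with no type: %r" % raw)
        records.append((_absolute(owner, origin), tokens[0].upper(), " ".join(tokens[1:])))
        last_owner = owner
    return records


def soa_serial(records: List[Record]) -> int:
    for _owner, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata.split()[2])   # mname rname serial refresh retry expire minimum
    raise ValueError("zone has no SOA record")


def check_reverse(forward: List[Record], reverse: List[Record],
                  reverse_origin: str = "0.168.192.in-addr.arpa.") -> List[str]:
    """For every A record in the forward zone expect a PTR in the reverse zone whose
    owner is the last octet and whose target is the same FQDN. Returns problems found."""
    ptr: Dict[str, str] = {owner: rdata for owner, rtype, rdata in reverse if rtype == "PTR"}
    problems: List[str] = []
    for owner, rtype, rdata in forward:
        if rtype != "A":
            continue
        ptr_owner = rdata.split(".")[-1] + "." + reverse_origin
        target = ptr.get(ptr_owner)
        if target is None:
            problems.append("no PTR for %s (%s)" % (owner, rdata))
        elif not target.endswith("."):
            problems.append("PTR %s is relative (%r), missing trailing dot" % (ptr_owner, target))
        elif target != owner:
            problems.append("PTR %s points to %s, expected %s" % (ptr_owner, target, owner))
    return problems


if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE, "sys-admin.net.")
    print("serial:", soa_serial(fwd))
    for p in check_reverse(fwd, parse_zone(BAD_REVERSE, "0.168.192.in-addr.arpa.")):
        print("problem:", p)
```

Run it on the real files (with the origins from named.conf.local) before "rndc reload"; named-checkzone catches syntax errors but not a PTR that simply points at the wrong host.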
rndc - name server control utility
reload                                  Reload configuration file and zones.
reload zone [class [view]]              Reload a single zone.
retransfer zone [class [view]]          Retransfer a single zone without checking serial number.
reconfig                                Reload configuration file and new zones only.
sign zone [class [view]]                Update zone keys, and sign as needed.
loadkeys zone [class [view]]            Update keys without signing immediately.
stats                                   Write server statistics to the statistics file.
querylog                                Toggle query logging.
dumpdb [-all|-cache|-zones] [view ...]  Dump cache(s) to the dump file (named_dump.db).
secroots [view ...]                     Write security roots to the secroots file.
stop                                    Save pending updates to master files and stop the server.
halt                                    Stop the server without saving pending updates.
flush                                   Flushes all of the server's caches.
flush [view]                            Flushes the server's cache for a view.
flushname name [view]                   Flush the given name from the server's cache(s).
status                                  Display status of the server.
To list all the address entries in the local DNS server
ls -t A abc.com > /tmp/nslookup.out
http://www.debian-administration.org/articles/343
http://www.debianhelp.co.uk/bindweb.htm
http://ubuntuforums.org/showthread.php?t=236093
IPTables Firewall
Iptables places rules into predefined chains (INPUT, OUTPUT and FORWARD) that are checked against any network traffic (IP packets) relevant to those chains, and a decision is made about what to do with each packet based upon the outcome of those rules, i.e. accepting or dropping the packet. These actions are referred to as targets, of which the two most common predefined targets are DROP to drop a packet or ACCEPT to accept a packet.
There are 3 predefined chains in the filter table to which we can add rules for processing IP packets passing through those chains. These chains are:
INPUT - All packets destined for the host computer.
OUTPUT - All packets originating from the host computer.
FORWARD - All packets neither destined for nor originating from the host computer, but passing through (routed by) the host computer. This chain is used if you are using your computer as a router.
Rules are added in a list to each chain. A
packet is checked against each rule in turn, starting at the top, and if
it matches that rule, then an action is taken such as accepting
(ACCEPT) or dropping (DROP) the packet. Once a rule has been matched and
an action taken, then the packet is processed according to the outcome
of that rule and isn't processed by further rules in the chain. If a
packet passes down through all the rules in the chain and reaches the
bottom without being matched against any rule, then the default action
for that chain is taken. This is referred to as the default policy and
may be set to either ACCEPT or DROP the packet.
The concept of default policies within chains
raises two fundamental possibilities that we must first consider before
we decide how we are going to organize our firewall.
1. We can set a default policy to DROP all packets and
then add rules to specifically allow (ACCEPT) packets that may be from
trusted IP addresses, or for certain ports on which we have services
running such as bittorrent, FTP server, Web Server, Samba file server
etc.
or alternatively,
2. We can set a default policy to ACCEPT all packets
and then add rules to specifically block (DROP) packets that may be from
specific nuisance IP addresses or ranges, or for certain ports on which
we have private services or no services running.
Generally, option 1 above is used for the INPUT chain
where we want to control what is allowed to access our machine and
option 2 would be used for the OUTPUT chain where we generally trust the
traffic that is leaving (originating from) our machine.
An iptables syntax quick reference
Taking a look at what you have
iptables -L [chain] - Lists your current iptables configuration
iptables -L -t nat - for listing all the nat rules. they are not displayed by default.
Making modifications
iptables -A [chain] - Append a rule to a desired chain in the current configuration
iptables -D [chain] - Delete a rule from a desired chain in the current configuration
iptables -R [chain] - Replace an existing rule from a desired chain in the current configuration
iptables -I [chain] - (that's a capital I as in Insert) Insert a new rule into a desired chain of the current configuration
iptables -N [chain] - Create a new chain
iptables -X [chain] - Delete a chain
Getting rid of all rules and starting over
iptables -X - Delete all user-defined chains
iptables -F - Flush the table of all contents
Importing & Exporting
iptables-save > filename - exports the current iptables configuration to a flat file.
iptables-restore < filename - imports an iptables configuration from a flat file and overwrites the current configuration.
Writing a Simple Rule Set
IMPORTANT:
At this point we are going to clear the default rule set. If you are
connecting remotely to a server via SSH for this tutorial then there is a
very real possibility that you could lock yourself out of your machine.
You must set the default input policy to accept before flushing the
current rules, and then add a rule at the start to explicitly allow
yourself access to prevent against locking yourself out.
We will use an example based approach to examine the
various iptables commands. In this first example, we will create a very
simple set of rules to set up a Stateful Packet Inspection (SPI)
firewall that will allow all outgoing connections but block all unwanted
incoming connections:
# iptables -P INPUT ACCEPT
# iptables -F
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -L -v
which should give the following output:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Now let's look at each of the 8 commands above in turn and understand exactly what we've just done:
iptables -P INPUT ACCEPT If
connecting remotely we must first temporarily set the default policy on
the INPUT chain to ACCEPT otherwise once we flush the current rules we
will be locked out of our server.
iptables -F We used the -F switch to flush all existing rules so we start with a clean state from which to add new rules.
iptables -A INPUT -i lo -j ACCEPT Now
it's time to start adding some rules. We use the -A switch to append
(or add) a rule to a specific chain, the INPUT chain in this instance.
Then we use the -i switch (for interface) to specify packets matching or
destined for the lo (localhost, 127.0.0.1) interface and finally -j
(jump) to the target action for packets matching the rule - in this case
ACCEPT. So this rule will allow all incoming packets destined for the
localhost interface to be accepted. This is generally required as many
software applications expect to be able to communicate with the
localhost adaptor.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This is the rule that does most of the work, and again we are adding (-A) it to the INPUT chain. Here we're using the -m switch to load a module (state). The state module is able to examine the state of a packet and determine if it is NEW, ESTABLISHED or RELATED. NEW refers to incoming packets that are new incoming connections that weren't initiated by the host system. ESTABLISHED and RELATED refer to incoming packets that are part of an already established connection or related to an already established connection.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Here we add a rule allowing SSH connections over tcp port 22. This is
to prevent accidental lockouts when working on remote systems over an
SSH connection. We will explain this rule in more detail later.
iptables -P INPUT DROP
The -P switch sets the default policy on the specified chain. So now we can set the default policy on the INPUT chain to DROP. This means that if an incoming packet does not match one of the preceding rules it will be dropped. If we were connecting remotely via SSH and had not added the rule above, we would have just locked ourselves out of the system at this point.
iptables -P FORWARD DROP Similarly,
here we've set the default policy on the FORWARD chain to DROP as we're
not using our computer as a router so there should not be any packets
passing through our computer.
iptables -P OUTPUT ACCEPT and
finally, we've set the default policy on the OUTPUT chain to ACCEPT as
we want to allow all outgoing traffic (as we trust our users).
iptables -L -v Finally, we can list (-L) the rules we've just added to check they've been loaded correctly.
Finally, the last thing we need to do is save our
rules so that next time we reboot our computer our rules are
automatically reloaded:
# /sbin/service iptables save
This executes the iptables init script, which
runs /sbin/iptables-save and writes the current iptables configuration
to /etc/sysconfig/iptables. Upon reboot, the iptables init script
reapplies the rules saved in /etc/sysconfig/iptables by using the
/sbin/iptables-restore command.
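The following is an added model (not part of the original tutorial, and not the kernel's code) of the two points the sections above make: a chain is evaluated top to bottom and the first matching rule decides, with the chain's policy as the fall-through verdict; and the order of "-P", "-F" and the SSH rule decides whether a remote administrator keeps their session. Packets and rules are simplified constructed objects that only model -i, -p, --dport and the state match.

```python
"""First-match evaluation of an iptables chain, with the default policy as the
fall-through verdict (illustrative model added here, not part of the original notes
and not the kernel's code). Packets and rules are simplified, constructed objects."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass
class Packet:
    in_iface: str
    proto: str
    dport: Optional[int] = None
    state: str = "NEW"  # NEW, ESTABLISHED or RELATED, as the state module would classify it


@dataclass
class Rule:
    target: str                               # ACCEPT or DROP
    in_iface: Optional[str] = None            # -i
    proto: Optional[str] = None               # -p
    dport: Optional[int] = None               # --dport
    states: Optional[FrozenSet[str]] = None   # -m state --state a,b

    def matches(self, p: Packet) -> bool:
        return ((self.in_iface is None or self.in_iface == p.in_iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.states is None or p.state in self.states))


@dataclass
class Chain:
    policy: str = "ACCEPT"                 # set with -P
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:  # -A
        self.rules.append(rule)

    def flush(self) -> None:               # -F: the rules go, the policy stays
        self.rules.clear()

    def verdict(self, p: Packet) -> str:
        """Rules are checked top to bottom; the first match decides and later
        rules are never consulted. No match at all means the default policy."""
        for rule in self.rules:
            if rule.matches(p):
                return rule.target
        return self.policy


# constructed sample packets
ADMIN_SSH = Packet("eth0", "tcp", 22, "ESTABLISHED")   # the admin's existing session
NEW_SSH = Packet("eth0", "tcp", 22, "NEW")
NEW_HTTP = Packet("eth0", "tcp", 80, "NEW")
LOOPBACK = Packet("lo", "tcp", 5432, "NEW")


def build_input_chain() -> Chain:
    """The command sequence from the tutorial, in the safe order."""
    chain = Chain(policy="ACCEPT")                   # iptables -P INPUT ACCEPT
    chain.flush()                                    # iptables -F
    chain.append(Rule("ACCEPT", in_iface="lo"))      # -A INPUT -i lo -j ACCEPT
    chain.append(Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})))
    chain.append(Rule("ACCEPT", proto="tcp", dport=22))
    chain.policy = "DROP"                            # iptables -P INPUT DROP
    return chain


def verdicts(chain: Chain, packets: List[Packet]) -> List[str]:
    return [chain.verdict(p) for p in packets]


def lockout_order() -> str:
    """The order the IMPORTANT note warns against: policy DROP already in place,
    then a flush, with no rule yet for the admin's own SSH session."""
    chain = Chain(policy="DROP")
    chain.flush()
    return chain.verdict(ADMIN_SSH)


def first_match_wins() -> str:
    """A DROP appended after a matching ACCEPT is dead: the ACCEPT is hit first."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", proto="tcp", dport=22))
    chain.append(Rule("DROP", proto="tcp", dport=22))
    return chain.verdict(NEW_SSH)


if __name__ == "__main__":
    print(verdicts(build_input_chain(), [LOOPBACK, ADMIN_SSH, NEW_SSH, NEW_HTTP]))
    print("policy DROP before flush, admin session:", lockout_order())
    print("ACCEPT then DROP for the same port:", first_match_wins())
```

Because the first match wins, the position of a rule matters as much as its content: "iptables -I" puts a rule at the top, "iptables -A" at the bottom, and "iptables -L -v" with its counters shows which rules actually see traffic.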
Common IPtables examples:
1. Delete all existing rules
iptables -F
2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
3. Block a specific ip-address
BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
4. Allow ALL incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
5. Allow incoming SSH only from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
6. Allow incoming HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Allow incoming HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
7. MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
8. Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
9. Allow outgoing SSH only to a specific network
iptables -A OUTPUT -o eth0 -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
10. Allow outgoing HTTPS
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
11. Load balance incoming HTTPS traffic (DNAT lives in the nat table, so -t nat is required; -m nth is an add-on match that not every kernel ships)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
12. Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
13. Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
14. Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
15. Allow packets from internal network to reach external network.
# if eth1 is connected to external network (internet)
# if eth0 is connected to internal network (192.168.1.x)
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
16. Allow outbound DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
17. Allow NIS Connections
rpcinfo -p | grep ypbind    # shows the ports ypbind is using; here they are 853 and 850
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --dport 853 -j ACCEPT
iptables -A INPUT -p udp --dport 853 -j ACCEPT
iptables -A INPUT -p tcp --dport 850 -j ACCEPT
iptables -A INPUT -p udp --dport 850 -j ACCEPT
18. Allow rsync from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
19. Allow MySQL connection only from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
20. Allow Sendmail or Postfix
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
21. Allow IMAP and IMAPS
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
22. Allow POP3 and POP3S
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
23. Rate-limit new connections (a basic DoS mitigation)
# Packets over the limit fall through to the chain's default policy, so this only
# limits anything when the INPUT policy is DROP.
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
24. Port forwarding 422 to 22
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT
25. Log dropped packets
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP
Sample /etc/sysconfig/iptables file for NATing (port forwarding) port 80 to 7101 and 443 to 7102
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 10.192.14.181 -p tcp --dport 80 -j REDIRECT --to-ports 7101
-A OUTPUT -d 10.192.14.181 -p tcp --dport 443 -j REDIRECT --to-ports 7102
-A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 7101
-A OUTPUT -d localhost -p tcp --dport 443 -j REDIRECT --to-ports 7102
-A PREROUTING -d 10.192.14.181 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 7101
-A PREROUTING -d 10.192.14.181 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 7102
COMMIT
IPtables on RHEL
http://wiki.centos.org/HowTos/Network/IPTables
NFS
Automount:
Master map file
# cat /etc/auto_master
# local mount point   map name      mount options
# All machines listed in /etc/hosts are automatically mounted (as a subdirectory) under /net
/net        -hosts      -nosuid
# directories listed in /etc/auto_home are mounted under /home (indirect map)
/home       auto_home
# direct map file
/-          auto_direct
# comment out if you use NIS+ and centrally maintained files
#+auto_master
Indirect Map file
An Indirect map configuration file lists the pathnames and relative mount points, /home in this case
# cat /etc/auto_home
#key    Mount_Options   Location
user_1                  mach_1:/export/home/user_1
user_2                  mach_2:/export/home/user_2
user_3                  mach_3:/export/home/user_3
The above can be replaced by a single line like the one below, where "*" matches any key and "&" is substituted with the key that was looked up
* mach_3:/export/home/&
In the above example, to mount the user home directories on /home/users/user_1 instead of /home/user_1, add the following line to the auto_home file
#key    Mount_Options   Location
user_1  /users          mach1:/export/home/user_1
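An added example (not part of the original notes and not the automounter's own code) that resolves a key against an indirect map the way the entries above are read: entries are tried in file order, the first matching key wins, "*" matches any key, and "&" in the location is replaced by the key that was looked up. The map text is constructed from the auto_home entries above.

```python
"""Resolving a key against an indirect automount map, including the '*' wildcard key
and '&' substitution (illustrative example added here; not the automounter's own code).
The map text is constructed from the auto_home entries above."""
from typing import Optional, Tuple

AUTO_HOME = """\
#key     Mount_Options   Location
user_1   -nosuid         mach_1:/export/home/user_1
user_2                   mach_2:/export/home/user_2
*                        mach_3:/export/home/&
"""


def resolve_indirect(key: str, map_text: str, mount_root: str = "/home") -> Optional[Tuple[str, str, str]]:
    """Return (mount point, mount options, server:path) for key, or None if no entry
    applies. Entries are tried in file order and the first match wins, so a wildcard
    line placed above an explicit one would shadow it. '&' in the location expands
    to the key that matched (for the '*' line that is whatever was looked up)."""
    for raw in map_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        map_key, rest = tokens[0], tokens[1:]
        if map_key not in ("*", key):
            continue
        options = ""
        location = None
        for tok in rest:
            if tok.startswith("-"):           # mount options such as -nosuid
                options = tok
            else:
                location = tok
        if location is None or ":" not in location:
            raise ValueError("map entry for %r has no server:path location" % map_key)
        return (mount_root + "/" + key, options, location.replace("&", key))
    return None


if __name__ == "__main__":
    for k in ("user_1", "user_2", "alice"):
        print(k, "->", resolve_indirect(k, AUTO_HOME))
```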
Direct Map files
# cat auto_direct
/home/research  -rw     filbert:/home/research
NFS mount options
rw | ro          --> read write / read only
bg | fg          --> try in the background / foreground if the mount attempt fails
retry=n          --> number of times to retry the mount operation
port=<number>    --> set server UDP/TCP port number to <number>; default is 2049
proto=<udp|tcp>  --> transport protocol to use
soft | hard      --> return an error if the server does not respond / keep retrying until the server responds
intr | nointr    --> allow keyboard interrupts to kill a process on a hung hard-mounted file system
exportfs options
ro                --> read only access
rw=host1:host2    --> read write access to host1 and host2
anon=uid          --> use "uid" as the effective user if the request comes from an unknown UID
root=host1:host2  --> give root access to the root users from host1 and host2
TIP:
Problem: Can not change the ownership of files in NFS mounted directory
Solution: This problem usually occurs with NFS version 4. NFSv4 needs the user name to be present on both the server and the client; otherwise it will not let you change the ownership of files. We can overcome this problem by mounting the file systems as NFS v3.
In Solaris:
# mount -F nfs -o rw,vers=3 server:<directory> /<mount_point>
In Linux
# mount -o rw,nfsvers=3 server:<directory> /<mount_point>
Nagios
notification_options specifies which notification types for host states should be sent, separated by commas; there should be one or more of the following:
d - host DOWN state
u - host UNREACHABLE state
r - host recovery (UP state)
f - host starts and stops flapping
s - notify when scheduled downtime starts or ends
service_notification_options specifies the service states that the user should be notified about, separated by commas; this can be one or more of the following:
w - service WARNING state
u - service UNKNOWN state
c - service CRITICAL state
r - service recovery (OK state)
f - service starts and stops flapping
n - person will not receive any service notification
Nagios Web Interface
The default username for accessing the web interface is: nagiosadmin
The password of nagiosadmin can be changed using the "htpasswd /etc/nagios/passwd nagiosadmin" command
New user can be added using the same htpasswd command
After a new user is added, the user has to be added to the /etc/nagios/cgi.cfg file for the various levels of access.
Nagios Plugins
Nagios performs checks by running an external command, and uses the return code, along with output from the command, as information on whether the check worked or not. It is the command's responsibility to verify if a host or service is working at the time the command is invoked.
Nagios requires that all plugins follow a specific,
easy-to-follow behavior in order for them to work smoothly. These rules
are common for both host checks and service checks. It requires that
each command returns specific result codes, which are:
Exit code   Status     Description
0           OK         Working correctly
1           WARNING    Working, but needs attention (for example, low resources)
2           CRITICAL   Not working correctly or requires attention
3           UNKNOWN    Plugin was unable to determine the status for the host or service
Standard Nagios plugins usually accept the following parameters:
Option            Description
-h, --help        Provide help
-V, --version     Print the exact version of the plugin
-v, --verbose     Make the plugin report more detailed information on what it is doing
-t, --timeout     Timeout (seconds); after this time the plugin will report CRITICAL status
-w, --warning     Plugin-specific limits for the WARNING status
-c, --critical    Plugin-specific limits for the CRITICAL status
-H, --hostname    Host name, IP address or unix socket to communicate with
-4, --use-ipv4    Use IPv4 for network connectivity
-6, --use-ipv6    Use IPv6 for network connectivity
Commands that verify various daemons also have a
common set of options. Many of the networking-related plugins use the
following options in addition to the preceding standard ones
Option            Description
-p, --port        TCP or UDP port to connect to
-w, --warning     Response time that will issue a WARNING status (seconds)
-c, --critical    Response time that will issue a CRITICAL status (seconds)
-s, --send        String that will be sent to the server
-e, --expect      String that should be sent back from the server (option might be passed several times; see --all for details)
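The following is an added example (not one of the official nagios-plugins) of a check written to the contract above: it exits 0/1/2/3 for OK/WARNING/CRITICAL/UNKNOWN, takes -w and -c in the Nagios threshold range syntax ("10", "10:", "~:10", "10:20", "@10:20"), tests the CRITICAL range before the WARNING range so the more severe state wins, returns UNKNOWN for a malformed threshold, and prints performance data after the "|" as plugins conventionally do. The value checked would normally come from a real probe; here it is passed on the command line.

```python
"""A check in the style of a Nagios plugin: exit codes 0-3 from the table above,
-w/-c thresholds in Nagios range syntax, and perfdata after '|'. Illustrative example
added here, not one of the official nagios-plugins."""
import sys
from typing import Tuple

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATUS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def parse_range(spec: str) -> Tuple[float, float, bool]:
    """Nagios threshold range syntax:
      '10'     alert if value is outside 0..10
      '10:'    alert if value is below 10
      '~:10'   alert if value is above 10
      '10:20'  alert if value is outside 10..20
      '@10:20' alert if value is inside 10..20
    Returns (low, high, alert_inside)."""
    inside = spec.startswith("@")
    if inside:
        spec = spec[1:]
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = float("-inf") if lo_s == "~" else (0.0 if lo_s == "" else float(lo_s))
        hi = float("inf") if hi_s == "" else float(hi_s)
    else:
        lo, hi = 0.0, float(spec)
    if lo > hi:
        raise ValueError("invalid range %r: low end above high end" % spec)
    return lo, hi, inside


def in_alert_range(value: float, spec: str) -> bool:
    lo, hi, inside = parse_range(spec)
    within = lo <= value <= hi
    return within if inside else not within


def check(value: float, warning: str, critical: str, label: str = "value") -> Tuple[int, str]:
    """Return (exit code, output line). CRITICAL is tested first so that a value in
    both ranges reports the more severe state; a malformed threshold is UNKNOWN."""
    try:
        if in_alert_range(value, critical):
            code = CRITICAL
        elif in_alert_range(value, warning):
            code = WARNING
        else:
            code = OK
    except ValueError as exc:
        return UNKNOWN, "UNKNOWN - %s" % exc
    perf = "%s=%s;%s;%s" % (label, value, warning, critical)
    return code, "%s - %s=%s|%s" % (STATUS[code], label, value, perf)


if __name__ == "__main__":
    # usage: check_example.py -w <range> -c <range> <value>  (the value would come from a real probe)
    import argparse
    ap = argparse.ArgumentParser()
    ap.add_argument("-w", "--warning", required=True)
    ap.add_argument("-c", "--critical", required=True)
    ap.add_argument("value", type=float)
    args = ap.parse_args()
    exit_code, line = check(args.value, args.warning, args.critical)
    print(line)
    sys.exit(exit_code)
```

Nagios only reads the first line of output and the exit code, so a plugin that crashes with a traceback (exit code 1 from the interpreter) would be reported as WARNING rather than UNKNOWN; catching errors and exiting 3 explicitly, as above, keeps the dashboard honest.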
Monitor Remote Host using NRPE:
ON THE CLIENT
01. Install Nagios Plugins and NRPE on the client
yum install nrpe nagios-plugins-all
Nagios How to on Centos
Nagios Made Easy
Monitor Remote Linux Host using Nagios 3.0
Nagios on Ubuntu
NRPE- Nagios Remote Plug-in Executor
LDAP
dn - distinguished name
rdn - relative distinguished name
dc - domain component
Configuring OPEN LDAP on RHEL
Modify the /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
database bdb
suffix "dc=sys-admin,dc=net"
rootdn "cn=Manager,dc=sys-admin,dc=net"
# "secret" is a placeholder; put the hash produced by slappasswd here rather than a cleartext password
rootpw secret
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
Modify the /etc/openldap/ldap.conf as follows
HOST 127.0.0.1
BASE dc=sys-admin,dc=net
Start the LDAP server
# service ldap start
Add initial entries to your directory by creating an LDIF file and running ldapadd
# cat base1.ldif
dn: dc=sys-admin,dc=net
objectClass: dcObject
objectClass: organization
o: UNIX Admin
dc: sys-admin

dn: cn=Manager,dc=sys-admin,dc=net
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=Users,dc=sys-admin,dc=net
objectClass: top
objectClass: organizationalUnit
ou: Users
description: System Users
# ldapadd -x -D "cn=Manager, dc=sys-admin, dc=net" -W -f /tmp/base1.ldif
Tips:-
- Sometimes, the ldapadd command may fail with the following error
The options used above are:
-x Use simple authentication instead of SASL
-D binddn Use the Distinguished Name binddn to bind to the LDAP directory
-W Prompt for simple authentication.
- If there is an extra space character at the end of any line, the ldapadd command may fail with the following error.
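A check for the two ldapadd pitfalls in the tips above, as an added example (not from the original notes): lint_ldif reports trailing whitespace and entries that are not separated by a blank line, and make_bad_sample writes a constructed LDIF file that shows both defects.

```shell
#!/bin/sh
# Added example, not from the original notes: lint an LDIF file for the two
# defects the tips above mention before running ldapadd on it:
#   1. trailing whitespace at the end of a line (the space becomes part of the
#      value, so DNs and attribute values no longer match what you expect)
#   2. two entries run together without a blank line between them
# Exit status 0 = clean, 1 = findings were printed.

lint_ldif() {
    file="$1"
    tab=$(printf '\t')
    problems=0
    lineno=0
    prev=""
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            *" "|*"$tab")
                echo "$file:$lineno: trailing whitespace"
                problems=$((problems + 1)) ;;
        esac
        case "$line" in
            dn:*)
                # A dn: line opens an entry, so the line before it must be
                # blank or a comment (or there is no line before it).
                case "$prev" in
                    ""|"#"*) ;;
                    *)
                        echo "$file:$lineno: missing blank line before new entry"
                        problems=$((problems + 1)) ;;
                esac ;;
        esac
        prev="$line"
    done < "$file"
    [ "$problems" -eq 0 ]
}

# Constructed sample with both defects, written to a temporary file;
# prints the file name.
make_bad_sample() {
    out=$(mktemp)
    printf 'dn: ou=Users,dc=sys-admin,dc=net \n' > "$out"      # trailing space
    printf 'objectClass: organizationalUnit\nou: Users\n' >> "$out"
    printf 'dn: ou=Hosts,dc=sys-admin,dc=net\n' >> "$out"        # no blank line before it
    printf 'objectClass: organizationalUnit\nou: Hosts\n' >> "$out"
    echo "$out"
}

# Demonstration on the constructed file: prints two findings.
sample=$(make_bad_sample)
lint_ldif "$sample" || echo "fix the file before running ldapadd"
rm -f "$sample"
```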
For adding hosts entries
dn: cn=ubuntu.sys-admin.net,ou=Hosts,dc=sys-admin,dc=net
objectClass: top
objectClass: ipHost
objectClass: device
ipHostNumber: 192.168.123.1
cn: ubuntu.sys-admin.net
cn: ubuntu
For deleting an entry
# ldapdelete -W -x -D 'cn=Manager,dc=sys-admin,dc=net' 'ou=hosts,dc=sys-admin,dc=net'
phpLDAPadmin
Download and extract phpLDAPadmin to any web accessible directory. Under the config directory, modify config.php:
$ldapservers->SetValue($i,'server','base',array('dc=sys-admin,dc=net'));
$ldapservers->SetValue($i,'login','dn','cn=Manager,dc=sys-admin,dc=net');
Tips: phpLDAPadmin Installation problem on RHL. Got the following error
Could not determine the root of your LDAP tree.
It appears that the LDAP server has been configured to not reveal its root.
Please specify it in config.php
Solution: Add/Modify the config.php of phpLDAPadmin with the following line
$ldapservers->SetValue($i,'server','base',array('dc=sys-admin,dc=net'));
Query LDAP Servers
To query all entries in ldap
ldapsearch -x -b 'ou=People,dc=sys-admin,dc=net'
To query about a single dn
ldapsearch -LLL -x -h <server_name> uid=jeeva
To list all dn in ldap server
ldapsearch -LLL -x -h <ldap_server> dn
Note: -b 'dc=sys-admin,dc=net' is not required if the /etc/openldap/ldap.conf file is configured properly
Configuring LDAP Server in Ubuntu
Setting up LDAP clients for UNIX authentication
Implementing Autofs using LDAP maps
Configuring LDAP to authenticate Samba users
LDAP on Ubuntu/Debian
Setting up the LDAP server
01. Install the slapd, ldap-utils and migrationtools packages
# apt-get install slapd ldap-utils migrationtools phpldapadmin
02. Create a link for ldapadmin for Web access
# ln -s /usr/share/phpldapadmin /var/www/phpldapadmin
03. Modify the dc values in /usr/share/phpldapadmin/config/config.php file as follows:
$ldapservers->SetValue($i,'server','base',array('dc=sys-admin,dc=net'));
04. Re-configure the slapd package. Answer the questions as below
# dpkg-reconfigure slapd
OpenLDAP server configuration?: no
DNS domain name: sys-admin.net
Name of your organization: Organization Name
Admin passwd: secret
Confirm admin password: secret
Database backend: BDB
Database to be removed when slapd is purged: no
Allow LDAPv2 protocol: no
Omit openLDAP server configuration: no
05. Start the LDAP server if not started already
# /etc/init.d/slapd start
06. Test the ldap server
# ldapsearch -x -b dc=sys-admin,dc=net
# ldapsearch -x -b 'dc=sys-admin,dc=net' '(objectclass=*)'
07. Add initial entries to ldap database. Use the migrationtools to convert the /etc files to LDAP files
7a. Modify the $DEFAULT_MAIL_DOMAIN and $DEFAULT_BASE
in /usr/share/migrationtools/migrate_common.ph file from padl to your
domain name.
$DEFAULT_MAIL_DOMAIN = "sys-admin.net";
$DEFAULT_BASE = "dc=sys-admin,dc=net";
$IGNORE_UID_BELOW = 1000;
$IGNORE_GID_BELOW = 1000;
$IGNORE_UID_ABOVE = 9999;
$IGNORE_GID_ABOVE = 9999;
7b. Convert the /etc/hosts, /etc/passwd, /etc/group, etc.. to ldif format using migrationtools
/migrate_base.pl > /tmp/base.ldif
/migrate_group.pl /etc/group /tmp/group.ldif
/migrate_hosts.pl /etc/hosts /tmp/hosts.ldif
/migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
/migrate_automount.pl /etc/auto.master /tmp/automount.ldif
/migrate_automount.pl /etc/auto.home >> /tmp/automount.ldif
7c. Add the ldif files to the LDAP database
ldapadd -x -D "cn=admin,dc=sys-admin,dc=net" -W -f /tmp/base.ldif
ldapadd -x -D "cn=admin,dc=sys-admin,dc=net" -W -f /tmp/passwd.ldif
ldapadd -x -D "cn=admin,dc=sys-admin,dc=net" -W -f /tmp/group.ldif
ldapadd -x -D "cn=admin,dc=sys-admin,dc=net" -W -f /tmp/hosts.ldif
ldapadd -x -D "cn=admin,dc=sys-admin,dc=net" -W -f /tmp/automount.ldif
LDAP server is ready now
LDAP Authentication in ubuntu
01. On the client system, install the following packages
# apt-get install ldap-utils libpam-ldap libnss-ldap nscd
The libnss-ldap and libpam-ldap packages ask a few questions. Answer them
LDAP Server host: <IP address of Server>
The distinguished name of the search base: dc=sys-admin,dc=net
LDAP version to use: 3
LDAP account for root: cn=admin,dc=sys-admin,dc=net
Root account passwd: <your password Here>
Make local root Database admin: Yes
Database requires logging in: No
Root login account: cn=admin,dc=gene,dc=com
02. Edit the /etc/nsswitch.conf file
cat /etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
shadow: compat ldap
03. Add / Edit /etc/ldap/ldap.conf file
cat /etc/ldap/ldap.conf
BASE dc=sys-admin, dc=net
URI ldap://IP-address_of_your_ldap_server
04. Modify the common-account, common-auth, common-password, common-session, su and ssh pam modules as follows
# cat /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so use_first_pass
# cat /etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
# cat /etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
password required pam_unix.so nullok obscure min=4 max=8 md5 use_first_pass
# cat /etc/pam.d/common-session
session sufficient pam_ldap.so
session required pam_unix.so
session optional pam_foreground.so
# cat /etc/pam.d/ssh
auth required pam_env.so # [1]
auth required pam_env.so envfile=/etc/default/locale
@include common-auth
account required pam_nologin.so
@include common-account
@include common-session
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
@include common-password
# cat /etc/pam.d/su
auth sufficient pam_rootok.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
session optional pam_mail.so nopen
@include common-auth
@include common-account
@include common-session
# cat /etc/pam.d/passwd
@include common-password
05. Modify /etc/libnss-ldap.conf and /etc/pam_ldap.conf as follows
# cat /etc/libnss-ldap.conf
host <IP-Address_of_LDAP_server>
base ou=People,dc=sys-admin,dc=net
uri ldap://IPaddress_of_Ldap_server/
ldap_version 3
nss_base_passwd ou=People,dc=sys-admin,dc=net
nss_base_group ou=Group,dc=sys-admin,dc=net
06. Verify the system can get the user information from LDAP server using getent command
# getent passwd
07. Try logging in to the system using LDAP user
Problem:
01. While the LDAP server comes up, it gives the following error message repeated several times and takes a very long time to boot
udevd[374]: nss_ldap: could not connect to any LDAP server as (null) -
Can't contact LDAP server
Can't contact LDAP server
Sol: This is a known problem with the libnss-ldap package. The boot time can be considerably reduced by adding
the following lines to /etc/ldap/ldap.conf or /etc/libnss-ldap.conf
bind_policy hard
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxconntries 2
Also, change nsswitch.conf as follows
passwd: files ldap
group: files ldap
shadow: files ldap
Alternatively, download and install the following package
http://www.porcheron.info/libnss-ldap_251-7_i386.deb
02. Could not change the password of Ldap users. Gives "User not known to the underlying authentication module"
Sol: Make sure the /etc/pam.d/passwd file has entries in the following order
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5
Autofs using LDAP on ubuntu
For installing the nfs-server and client packages and configuring automount, refer to the File Sharing section
On the LDAP server:
01. Install autofs-ldap on the server. This package contains the /etc/ldap/schema/autofs.schema file. Without autofs.schema, it is not possible to add the automountMap object class in LDAP.
# apt-get install autofs autofs-ldap
2a. Add the following line in /etc/ldap/slapd.conf in the ldap server
include /etc/ldap/schema/autofs.schema
2b. Restart the ldap daemon
# /etc/init.d/slapd restart
03. Create the auto.master map entry for LDAP
3a. If you want to keep auto.master map file also in
the LDAP server, add the following ldif to ldap server. Else, skip this
step and continue to step 04
# cat /root/auto.master.ldif
dn: ou=auto.master, dc=sys-admin,dc=net
ou: auto.master
objectClass: top
objectClass: automountMap

dn: cn=/home,ou=auto.master, dc=sys-admin,dc=net
objectClass: automount
automountInformation: ldap:192.168.123.51:ou=auto.home,dc=sys-admin,dc=net --timeout 30
cn: /home
3b. Add the contents of /root/auto.master.ldif to the ldap server
# ldapadd -x -D "cn=admin,dc=sys-admin,dc=net" -W -f /root/auto.master.ldif
04. Create the auto.home map entries for LDAP
4a. If /etc/auto.home already exists, convert it to
ldif format using the migration tools. If not, create a file called
autofs.ldif as shown below.
# /usr/share/migrationtools/migrate_automount.pl /etc/auto.home /root/autofs.ldif
# cat autofs.ldif
dn: ou=auto.home,dc=sys-admin,dc=net
objectClass: top
objectClass: automountMap
ou: auto.home

dn: cn=test1,ou=auto.home,dc=sys-admin,dc=net
objectClass: automount
cn: test1
automountInformation: 192.168.123.51:/home/test1

dn: cn=test2,ou=auto.home,dc=sys-admin,dc=net
objectClass: automount
cn: test2
automountInformation: 192.168.123.51:/home/test2
4b. Add the contents of /root/autofs.ldif to the LDAP database
# ldapadd -x -D "cn=admin,dc=sys-admin,dc=net" -W -f autofs.ldif
On all the client systems where you want the directories automount, do the following
01. Install autofs and autofs-ldap packages. Without
autofs-ldap package, client may not pick up the master map file
auto.master from the LDAP server
# apt-get install autofs autofs-ldap
02. If you have already added auto.master map
entries to LDAP server and want to serve /etc/auto.master file also by
ldap server, add the following line to /etc/nsswitch.conf. If you want
to keep local auto.master file in each server, skip to step 04.
automount: ldap files
03. Add the following lines to /etc/nsswitch.conf file
automount: files ldap
04. If you want to keep the local
/etc/auto.master file in each server, modify it as shown below to refer
to the LDAP server for map files. Otherwise, skip to the next step
# cat /etc/auto.master
/home ldap:LDAP_server_name:ou=auto.home,dc=sys-admin,dc=net
05. Restart the autofs daemon
# /etc/init.d/autofs restart
06. Test whether automount is working fine
SAMBA and LDAP in ubuntu
01. Install the samba and samba-doc packages. samba.schema is included in the samba-doc package
# apt-get install samba samba-doc
02. Copy /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz to /etc/ldap/schema/ directory and unzip it
# cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
# cd /etc/ldap/schema/
# gunzip samba.schema.gz
03. Add the following line in /etc/ldap/slapd.conf
include /etc/ldap/schema/samba.schema
04. Setup the samba server. Edit the /etc/samba/smb.conf file as follows and restart the samba server
# cat smb.conf
[global]
workgroup = WORKGROUP
server string = %h server (Samba, Ubuntu)
obey pam restrictions = Yes
#--- Logging options
log level = 2
debug pid = yes
debug timestamp = yes
debug uid = yes
#---LDAP authentication settings
passdb backend = ldapsam guest
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=sys-admin,dc=net
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap admin dn = cn=admin,dc=sys-admin,dc=net
[secretdata]
comment = Samba home from LDAPSVR
directory = /smbhome
valid users = jeeva, kpalanis
read only = No
browseable = no
[homes]
comment = User Home directories
browseable = no
writable = yes
[sharedata]
comment = Shared data for all users
directory = /home/shared
readonly = no
hide unreadable = yes
#--- settings for the recycle bin
vfs objects = recycle
recycle:repository = /home/shared-recycle
recycle:noversions = 2
05. Let the Samba server know the password for
the LDAP admin account listed in the smb.conf file using the smbpasswd command.
This password is stored in the secrets.tdb file. Please note that if
the value of ldap admin dn changes, the password will need to be
manually updated as well. If the password is not stored using the smbpasswd
-w option, the samba server may fail to start up.
smbpasswd -w <passwd_of_ldapadmin>
06. Restart the samba server
# /etc/init.d/samba restart
07. To allow each user to change their samba password, add the following lines to /etc/ldap/slapd.conf
access to attr=sambaLMPassword,sambaNTPassword
by dn="cn=admin,dc=sys-admin,dc=net" write
by self write
by anonymous auth
by * none
access to *
by dn="cn=admin,dc=sys-admin,dc=net" write
by * read
08. Add the LDAP authentication information for the samba server in /etc/samba/smb.conf
security = user
ldap server = yourldapserver
ldap suffix = "dc=sys-admin,dc=net"
ldap admin dn = "cn=admin,dc=sys-admin,dc=net"
encrypt passwords = true
passdb backend = ldapsam guest
To add a samba user to LDAP:
01. Get the local SID of Samba server
net getlocalsid
02. Create a ldif file for samba user
Use the "/usr/sbin/slappasswd -h {CRYPT}" command to create password hashes for the users
http://wiki.debian.org/OpenLDAPSetup
http://people.debian.org/~torsten/ldapnss.html
http://docs.solstice.nl/index.php/Directory-server
http://www.howtoforge.com/linux_ldap_authentication
http://moduli.net//pages/sarge-ldap-auth-howto
To configure outlook for ldap
Tools -> Email Accounts
Directory: Select "Add a new directory or address book"
Click Next
Select "Internet Directory Server (LDAP)"
Click Next
"Server Information": Server Name: ldap.example.com
"Logon Information": Check "This server requires me to log on"
"User Name": billg
"Password": B1lLGpW
Click More Settings ...
(It will probably warn you about the directory not being available until after you
restart Outlook. That is fine, click OK) "Search" tab -> "Search Options": cn=users,dc=example,dc=com
Click OK
Click Next
Click Finish
Samba
Edit the /etc/samba/smb.conf as follows
cat smb.conf
[global]
workgroup = WORKGROUP
netbios name = Ubuntu
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
security = user
username map = /etc/samba/smbusers
obey pam restrictions = yes
invalid users = root
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
socket options = TCP_NODELAY
[sharedata]
comment = Test share
directory = /stage
read only = no
hide unreadable = yes
# settings for recycle bin
vfs objects = recycle
recycle:repository = /stage/shared-recycle/
recycle:noversions = 2
[secretdata]
directory = /stage/data
browseable = no
valid users = user1, user4
read list = user4
readonly = no
Create the samba user and password
# smbpasswd -a user1
Create the /etc/samba/smbusers file and map samba
users to UNIX users. The format is <Linux_User_Name> = "<samba
username>". You can use a different samba user name to map to a
Linux account.
# vi /etc/samba/smbusers
user1 = user1 user2 user3
user4 = user4
Restart the samba daemon
If tdbsam backend is used for password, to list and view the encrypted password of SAMBA users
# pdbedit -w -L
Swat
SWAT, Samba's web based configuration tool, enables you to configure your smb.conf file without needing to remember all the formatting. Each SWAT screen is actually a form that covers a separate section of the smb.conf file into which you fill in the desired parameters. For ease of use, each parameter box has its own online help. SWAT immediately changes the functioning of Samba whenever you commit your changes through the web GUI.
The enabling and disabling, starting and stopping of
SWAT is controlled by xinetd, via a configuration file named
/etc/xinetd.d/swat. Here is a sample:
service swat
{
    port = 901
    socket_type = stream
    protocol = tcp
    wait = no
    user = root
    server = /usr/sbin/swat
    log_on_failure += USERID
    disable = no
    only_from = localhost
}
The default configuration only allows SWAT web
access from the console of Samba server as user root on port 901. This
means you'll have to enter "http://127.0.0.1:901" in your browser to get the login screen.
You can make SWAT accessible from other servers by
adding IP address entries to the only_from parameter of the SWAT
configuration file. Here's an example of an entry to allow connections
only from 192.168.1.3 and localhost. Notice that there are no commas
between the entries.
only_from = localhost 192.168.1.3
Samba Client tasks
To list all the shared directories in a system called test1
# smbclient -L [system name|IPaddress] --user <user_name>
To mount a shared windows directory share1 to local unix system
# mount -t smbfs -o username=<user_name>,password=<Passwd>,uid=<local_user_name>,gid=<local_gid> //windows-system_name/share1 <mount_point>
or
# mount -t cifs -o username=<username>,password=<passwd>,domain=<domainname>,uid=<local_user_name>,gid=<local_gid> //windows-system_name/share_name <mount_point>
To automatically mount a windows share on a linux system, add the following line to the /etc/fstab file
//<IPaddress>/share_name <mount_point> cifs \ username=<uname>,password=<passwd>,uid=500,gid=500,file_mode=0644,dir_mode=0755 1 2
To keep the user name and password in a separate file instead of giving it on /etc/fstab file
//<IPaddress>/share_name <mount_point> cifs credentials=<file_name>,uid=<uid_number>,gid=<gid_number>,file_mode=0644,dir_mode=0755 1 2
e.g.
//192.168.123.25/data /pcdata cifs credentials=/etc/cifs.secret,uid=500,gid=500,file_mode=0640,dir_mode=0750 1 2
# cat <file_name>
username=test1
password=testpasswd
uid=500
gid=500
Keep the credentials file readable by root only (mode 0600), since it holds the password in clear text.
Sendmail
# sendmail -bp
NAA20852     2235 Fri Dec 14 13:14 MAILER-DAEMON
                  (Deferred: Connection refused by prophet.qa.haht.com.)
                                   <netsaint at prophet.qa.haht.com>
NAA21610    16176 Fri Dec 14 13:26 MAILER-DAEMON
                  (Deferred: Connection refused by maillist.newsfactor.com.)
                                   <nlsystem at maillist.newsfactor.com>
To delete the deferred messages
For Sendmail, the queue directory on many UNIX systems is
/var/spool/mqueue/...
Looking at the directory, you will see a bunch of files whose names start with
df..., qf..., or xf...
After that the file name contains a combination of 3 letters and 5 numbers.
This second part matches the output you got from the "sendmail -bp" command.
Here is an example:
dfNAA20852 dfNAA21610 qfNAA20852 qfNAA21610
If you wanted to delete the message NAA20852 (to
netsaint at prophet.qa.haht.com) you would move to the queue directory and:
rm ??NAA20852
Boom! The message is now gone from your queue.
Please note that if you are going to be playing with your queued up
messages, you should STOP SENDMAIL first:
/etc/rc.d/init.d/sendmail stop
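The deletion procedure above, wrapped into two small shell functions (an added example, not from the original notes): queue_files lists the df/qf/xf files for one queue ID and remove_queued deletes them only after confirming sendmail is stopped. The queue directory and PID file path are parameters, and make_sample_queue builds a constructed temporary queue rather than touching /var/spool/mqueue.

```shell
#!/bin/sh
# Added example, not from the original notes: work with the df/qf/xf files of
# one queued message by its queue ID (the "NAA20852" part printed by
# sendmail -bp) instead of typing rm ??ID by hand. The queue directory is a
# parameter so it can be exercised on a constructed temporary directory.

# Print the queue files that belong to one message ID.
queue_files() {
    qdir="$1"; qid="$2"
    for prefix in df qf xf; do
        [ -e "$qdir/$prefix$qid" ] && echo "$qdir/$prefix$qid"
    done
    return 0
}

# Remove one queued message. Refuses to act while the sendmail daemon whose
# PID file is given is still running, because the notes say to stop it first.
remove_queued() {
    qdir="$1"; qid="$2"; pidfile="$3"
    case "$qid" in
        [A-Za-z][A-Za-z][A-Za-z][0-9][0-9][0-9][0-9][0-9]) ;;   # 3 letters + 5 digits, as described above
        *) echo "refusing: '$qid' is not a queue ID" >&2; return 2 ;;
    esac
    if [ -s "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
        echo "refusing: sendmail (pid $(cat "$pidfile")) is still running" >&2
        return 1
    fi
    queue_files "$qdir" "$qid" | while IFS= read -r f; do
        rm -f "$f"
    done
}

# Build a throwaway queue directory holding the two messages shown in the
# sendmail -bp output above (constructed, empty files); prints its path.
make_sample_queue() {
    qd=$(mktemp -d)
    for f in dfNAA20852 qfNAA20852 dfNAA21610 qfNAA21610; do
        : > "$qd/$f"
    done
    echo "$qd"
}

# Demonstration: delete NAA20852 from the sample queue and list what is left.
demo_qd=$(make_sample_queue)
remove_queued "$demo_qd" NAA20852 "$demo_qd/sendmail.pid"
ls "$demo_qd"
rm -rf "$demo_qd"
```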
To manually process the defered/queued up messages
# sendmail -q -v
sendmail.cf
DS<smtp relay>     # SMTP mail relay
Dj<domain name>    # Official or fully qualified domain name
DM<Domain Name>    # masquerade as
sendmail.cw defines alternate local mail addresses for the host. sendmail.cR defines hosts that are allowed to relay through the current host (ie non-local addresses that the host will accept mail from).
Sending email using sendmail prompt
telnet mail 25
Trying...
Connected to mail.
Escape character is '^]'.
220 xxxx.xxx.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Tue, 24 Jun 2008 18:47:25 -0700
helo
250 xxxx.xxx.com Hello [192.168.128.25]
Mail From: test@test.com
250 2.1.0 test@test.com....Sender OK
RCPT To: test@xyz.com
250 2.1.5 test@xyz.com
data
354 Start mail input; end with <CRLF>.<CRLF>
test mail
.
250 2.6.0 <AEMEXPA6FapNuT1FM1J00000437@xxxx.xxx.com> Queued mail for delivery
Security
To scan the open ports in the system
nmap -sS -O -F -vvv <ip-address>
To find out all the active systems in a subnet
nmap -v -sP 192.168.100.0/24
List the Listening portn in system
netstat -an|grep LISTEN
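The listening-port check above, extended into a small audit (an added example, not from the original notes): wildcard_listeners parses netstat -an output and keeps only TCP listeners bound to every interface, and unexpected_listeners compares them with the ports you expect to be exposed. SAMPLE_NETSTAT is constructed sample output, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original notes: turn "netstat -an | grep LISTEN"
# into an audit. Services bound to 0.0.0.0 or :: are reachable from the
# network; those bound to 127.0.0.1 (here the MTA and SWAT on 901) are not.
# SAMPLE_NETSTAT is constructed Linux-style netstat output.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:901           0.0.0.0:*               LISTEN
tcp6       0      0 :::445                  :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# stdin: netstat -an output. stdout: "proto port" for each listener bound to
# all interfaces, one per line, sorted.
wildcard_listeners() {
    awk '$NF == "LISTEN" {
            addr = $4
            n = split(addr, part, ":")
            port = part[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::" || host == "*")
                print $1, port
        }' | sort -u
}

# stdin: output of wildcard_listeners. $1: space-separated allowlist of ports.
# Prints each listener whose port is not on the list; exit 1 if any were found.
unexpected_listeners() {
    allow=" $1 "
    found=0
    while read -r proto port; do
        case "$allow" in
            *" $port "*) ;;
            *) echo "unexpected $proto listener on port $port (bound to all interfaces)"
               found=1 ;;
        esac
    done
    return "$found"
}

# Demonstration on the sample: only 22 and 445 are expected, so 389 is flagged.
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners | unexpected_listeners "22 445" || true
```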
List the ip, port number and process
lsof -i -nP    # -n to list ip instead of host name. -P to list port number instead of service name
lsof -i :587
lsof -i :smtp
lsof -i @labrat.remote.net
lsof -i TCP:4350
lsof -i UDP:4350
Listing open files
lsof /dirname
Listing open NFS files
lsof -N
Listing open file from process id
lsof -p <pid>
To list all the files which have a link count less
than 1 (deleted files but still used by some process, hence not
releasing the free space)
lsof +aL1
More info
http://www.opensource.apple.com/darwinsource/10.3/lsof-12/lsof/00QUICKSTART
Tools
Various Tools info used in Network connections and monitoring
Putty
Backup and restore putty profiles
Backup
Start-> Run -> regedit
Ctrl+F
Simon
File -> Export - Save the file as puttyprofile.reg
or
Start -> Run
regedit /e "\desktop\puttyprofile.reg" HKEY_CURRENT_USER\Software\Simontatham
Restore
Copy the puttyprofile.reg to the restoring system. Double click the file, click on Merge and select Yes.
Putty Session Manager
TCPIP
To list all the programs registered with rpc daemon
# rpcinfo -p
FTP
In Linux, to disable shell access to a vsftp user:
Add /bin/false to /etc/shells and make /bin/false the default shell for the user.
Facter is a system inventory tool that we use throughout the book. It
returns "facts" about each agent, such as its hostname, IP address,
operating system and version, and other configuration items. These facts
are gathered when the agent runs. The facts are then sent to the Puppet
master, and automatically created as variables available to Puppet. You
can see the facts available on your clients by running the facter
binary from the command line. Each fact is returned as a key => value
pair. For an example, see the facter output in the Puppet section.
proftp
Setting up FTP accounts for users using ProFTPd
Sample configuration file
ServerName "DC7700 FTP server"
ServerIdent on "DC7700 FTP Server ready."
ServerAdmin root@localhost
ServerType standalone
DefaultServer on
AccessGrantMsg "User %u logged in."
DeferWelcome off
# Do not perform ident nor DNS lookups (hangs when the port is filtered)
IdentLookups off
UseReverseDNS off
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files from being group and world writable.
Umask 022
# Default to show dot files in directory listings
ListOptions "-a"
# To prevent DoS attacks, set the maximum number of child processes to 30.
MaxInstances 30
# Allow to resume not only the downloads but the uploads too
AllowRetrieveRestart on
AllowStoreRestart on
# Set the user and group that the server normally runs at.
User nobody
Group nogroup
# chroot all users of group users to their home directory
# and not a member of adm
DefaultRoot ~ users,!adm
# disable root login and require a valid shell (from /etc/shells)
RootLogin off
RequireValidShell on
# Normally, we want users to do a few things
<Global>
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
</Global>
# grant login only for members of the group ftpuser
<Limit LOGIN>
  DenyGroup !ftpuser
</Limit>
# to set a different umask for directory /ftp/special from default 022
<Directory /ftp/special>
  AllowOverwrite on
  Umask 002 002
</Directory>
# This is where we want to put the pid file
ScoreboardFile /var/run/proftpd.score
# Define the log formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
# activate logging
# every login
ExtendedLog /var/log/proftpd/auth.log AUTH auth
# file/dir access
ExtendedLog /var/log/proftpd/access.log WRITE,READ write
# for paranoid (big logfiles!)
#ExtendedLog /var/log/proftpd/paranoid.log ALL default
# Configuration for mod_ban
<IfModule mod_ban.c>
  BanEngine on
  BanLog /var/log/proftpd/ban.log
  BanTable /var/run/proftpd/ban.tab
  # If the same client reaches the MaxLoginAttempts limit 2 times within 10 minutes,
  # automatically add a ban for that client that will expire after one hour.
  BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00
  # Allow the FTP admin to manually add/remove bans
  BanControlsACLs all allow user ftpadm
</IfModule>
Additional Useful configurations which can be added
# An upload directory that allows storing files but not retrieving or creating directories.
<Directory uploads/*>
  AllowOverwrite no
  <Limit READ>
    DenyAll
  </Limit>
  <Limit STOR>
    AllowAll
  </Limit>
</Directory>
# A basic anonymous configuration, with an upload directory.
<Anonymous ~ftp>
  User ftp
  Group ftp
  AccessGrantMsg "Anonymous login ok, restrictions apply."
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias anonymous ftp
  # Limit the maximum number of anonymous logins
  MaxClients 10 "Sorry, max %m users -- try again later"
  # Put the user into /pub right after login
  DefaultChdir /pub
  # We want 'welcome.msg' displayed at login, '.message' displayed in
  # each newly chdired directory and tell users to read README* files.
  DisplayLogin /welcome.msg
  DisplayFirstChdir .message
  DisplayReadme README*
  # Some more cosmetic and not vital stuff
  DirFakeUser on ftp
  DirFakeGroup on ftp
  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE SITE_CHMOD>
    DenyAll
  </Limit>
</Anonymous>
Puppet
# facter
operatingsystem => Ubuntu
ipaddress => 10.0.0.10
Puppet can be installed and used on a variety of different platforms, including the following:
• Red Hat Enterprise Linux, CentOS, Fedora & Oracle Enterprise Linux
• Debian and Ubuntu
• Mandrake and Mandriva
• Gentoo
• Solaris and OpenSolaris
• MacOS X and MacOS X Server
• *BSD
• AIX
• HP UX
• Microsoft Windows hosts (in versions after 2.6.0 and with only limited support for
file resources)
On these platforms, Puppet manages a variety of configuration items (resources), including (but not limited to):
• Files
• Services
• Packages
• Users
• Groups
• Cron jobs
• SSH keys
• Nagios configuration
A resource is constructed like:
type { title:
  attribute => value,
}
Puppet describes the files containing
configuration data as manifests. Puppet manifests are made up of a
number of major components:
• Resources – Individual configuration items
• Files – Physical files you can serve out to your agents
• Templates – Template files that you can use to populate files
• Nodes – Specifies the configuration of each agent
• Classes – Collections of resources
• Modules - An advanced, portable collection of resources that can include classes, definitions, and other supporting configuration
• Definitions – Composite collections of resources
Installing Puppet
On the Master:
# yum install ruby ruby-libs ruby-shadow
# Add the epel repository if not already done
# yum install puppet puppet-server facter
On the client:
# yum install ruby ruby-libs ruby-shadow
# Add the epel repository if not already done
# yum install puppet facter
On most platforms, Puppet's configuration will be located under the /etc/puppet directory.
Puppet's principal configuration file is called puppet.conf and is stored at /etc/puppet/puppet.conf. It is likely that this file has already been created when you installed Puppet, but if it hasn't, then you can create a simple file using the following command:
# puppetmasterd --genconfig > puppet.conf
Authorizing a client
Puppet uses SSL (Secure Sockets Layer), an encrypted protocol, to communicate between master and clients. This means that only a client with a correctly signed SSL certificate can access the Puppetmaster and receive its configuration. To exchange certificates between the master and client, follow this procedure.
Configure the client to contact the master:
The Client configuration file for puppet agent is /etc/puppet/puppet.conf.
Edit your /etc/puppet/puppet.conf file to tell the client where to find the Puppetmaster:
server = centos01.home.local
Generate a certificate request
# puppet agent --test
or
# puppet agent --server <server name> -t --detailed-exitcodes
On the master, sign the certificate:
a. List the certificates waiting for signing
# puppet cert list centos02.home.local
b. Sign the certificate
# puppet cert sign centos02.home.local
On the client, run puppet for the first time
# puppet agent --test
After signing a new node’s certificate, it may
take up to 30 minutes before that node appears in the console and begins
retrieving configurations.
Puppet dry run
Puppet’s dry-run feature is a powerful tool that’s often overlooked by busy sysadmins. Even if you test your Puppet manifests on a virtualised replica of your production site, which many people don’t have the time or the budget to do, pushing changes out live can have unforeseen side effects which are best avoided.
Puppet's 'noop' (no-operation) mode shows you what would happen, but doesn't actually do it. To dry-run Puppet, use the --noop flag:
# puppetd --test --noop
The site.pp file
The site.pp file tells Puppet where and what configuration to load for our clients. We're going to store this file in a directory called manifests under the /etc/puppet directory. Puppet will not start without the site.pp file being present.
Revoking client Certificates
If the node does not appear even after 30 minutes, check the certificates on the client.
Run the following command:
# puppet agent --test
If you get any certificate-related errors, delete the certificate files on the client and revoke the client's certificate on the master server, then request and sign a new certificate.
On the client system, delete the certificate files:
# rm -rf /etc/puppetlabs/puppet/ssl
On the master server, revoke the certificate for the client:
# puppet cert --clean centos02.home.local
On the client, generate a certificate request:
# puppet agent --test
On the master, sign the certificate:
# puppet cert sign centos02.home.local
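The trust relationship behind the signing and revoke/re-sign steps above, reduced to plain openssl as an added example (not from the original notes): a throwaway CA standing in for the Puppetmaster's CA signs a request for the node name centos02.home.local, and agent_cert_ok then checks the two things the master relies on, that the agent certificate chains to that CA and that its CN is the node name. The second CA, the work directory and the node names are constructed for the demo; openssl is assumed to be installed.

```shell
# Added example, not from the original notes: the sign-and-trust step behind
# `puppet cert sign`, reproduced with plain openssl so it can be checked by hand.
# Names, the demo CAs and the work directory are constructed for this demo.
mk_ca() {   # $1 = directory, $2 = CA name; writes ca.key and ca.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}
mk_agent_cert() {   # $1 = CA directory, $2 = node name, $3 = output cert path
    # agent side: private key + request (what `puppet agent --test` sends the master)
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null
    # master side: the CA signs the request (`puppet cert sign <node name>`)
    openssl x509 -req -in "$3.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$3" 2>/dev/null
}
agent_cert_ok() {   # $1 = CA cert, $2 = agent cert, $3 = expected node name
    # returns 1 if the cert does not chain to this CA, 2 if the CN is not the node name
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -subject | grep -q "CN *= *$3\$" || return 2
}
puppet_ca_demo() {
    command -v openssl >/dev/null || return 3
    work=$(mktemp -d); mkdir "$work/master" "$work/other"
    mk_ca "$work/master" "Puppet CA: centos01.home.local"   # the master's CA
    mk_ca "$work/other"  "Puppet CA: somewhere.else"         # an unrelated CA
    mk_agent_cert "$work/master" centos02.home.local "$work/good.pem"
    mk_agent_cert "$work/other"  centos02.home.local "$work/bad.pem"
    r1=0; agent_cert_ok "$work/master/ca.pem" "$work/good.pem" centos02.home.local || r1=$?
    r2=0; agent_cert_ok "$work/master/ca.pem" "$work/bad.pem"  centos02.home.local || r2=$?
    r3=0; agent_cert_ok "$work/master/ca.pem" "$work/good.pem" centos03.home.local || r3=$?
    rm -rf "$work"
    # expected "0 1 2": trusted, signed by the wrong CA, CN does not match the node name
    echo "$r1 $r2 $r3"
}
puppet_ca_demo
```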
Puppet Style
1. Always quote your resource names; for example, use
package { "exim4":
and not
package { exim4:
Some characters like hyphens and spaces can confuse Puppet's parser, and to be on the safe side it's wise to put all names consistently in double quotes.
2. Always quote parameter values that are not reserved words in Puppet; for example:
name => "First Lastname",
mode => "0700",
owner => "deploy",
but
ensure => installed,
enable => true,
ensure => running,
Always include curly braces ({}) around variable names when referring to them in strings. For example:
source => "puppet:///modules/webserver/${brand}.conf",
Otherwise Puppet's parser has to guess which characters should be part of the variable name and which belong to the surrounding string. Curly braces make it explicit.
3. Always end lines that declare parameters with a comma, even if it is the last parameter:
service { "memcached":
  ensure => running,
  enable => true,
}
Very often, when you edit the file, you'll want to append an extra parameter to it and forget to add the necessary comma!
4. When declaring a resource with a single parameter, make the declaration on one line and with no trailing comma as follows:
package { "puppet": ensure => installed }
5. Where there is more than one parameter, give each parameter its own line:
package { "rake":
  ensure   => installed,
  provider => gem,
  require  => Package["rubygems"],
}
When declaring symlinks, use ensure => link as follows:
file { "/etc/php5/cli/php.ini":
  ensure => link,
  target => "/etc/php.ini",
}
Rake API
Puppet Dashboard provides rake tasks that can create nodes, group nodes, create classes, and assign classes to nodes and groups. You can use these as an API to automate workflows or bypass Dashboard’s GUI when performing large tasks.
All of these tasks should be run as follows, replacing <TASK> with the task name and any arguments it requires:
# sudo rake -f <FULL PATH TO DASHBOARD'S DIRECTORY>/Rakefile <TASK>
Node Tasks
node:list [match=<REGULAR EXPRESSION>] - List nodes. Can optionally match nodes by regex.
node:add name=<NAME> [groups=<GROUPS>] [classes=<CLASSES>] - Add a new node. Classes and groups can be specified as comma-separated lists.
node:del name=<NAME> - Delete a node.
node:classes name=<NAME> classes=<CLASSES> - Replace the list of classes assigned to a node. Classes must be specified as a comma-separated list.
node:groups name=<NAME> groups=<GROUPS> - Replace the list of groups a node belongs to. Groups must be specified as a comma-separated list.
To remove a node from Dashboard
$ sudo /opt/puppet/bin/rake -f /opt/puppet/share/puppet-dashboard/Rakefile node:del name=centos03.home.local
Class Tasks
nodeclass:list [match=<REGULAR EXPRESSION>] - List node classes. Can optionally match classes by regex.
nodeclass:add name=<NAME> - Add a new class. This must be a class available to the Puppet autoloader via a module.
nodeclass:del name=<NAME> - Delete a node class.
Group Tasks
nodegroup:list [match=<REGULAR EXPRESSION>] - List node groups. Can optionally match groups by regex.
nodegroup:add name=<NAME> [classes=<CLASSES>] - Create a new node group. Classes can be specified as a comma-separated list.
nodegroup:del name=<NAME> - Delete a node group.
nodegroup:add_all_nodes name=<NAME> - Add every known node to a group.
nodegroup:addclass name=<NAME> class=<CLASS> - Assign a class to a group without overwriting its existing classes.
nodegroup:edit name=<NAME> classes=<CLASSES> - Replace the classes assigned to a node group. Classes must be specified as a comma-separated list.
Certificate Management:
List certificates pending signing:
puppet cert --list
List all certificates (a + sign indicates it is already signed):
puppet cert --list --all
Sign a certificate:
puppet cert --sign ${FQDN}
Generate:
puppet cert --generate ${FQDN}
Revoke:
puppet cert --revoke ${FQDN}
NTP
ntpq - NTP Query program
# ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.196.14.64    132.163.4.103    2 u  879 1024  377    0.284   -1.659   4.158
+10.196.14.65    132.163.4.101    2 u  358 1024  377    0.262   -1.357   0.097
 10.196.14.66    10.196.14.64     3 u  534 1024  377    0.352   -0.400   0.059
+10.196.14.67    132.163.4.102    2 u   76 1024  377    0.309   -0.839   0.387

# ntpq -pcrv
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*wks20.dc2.prod. 132.163.4.103    2 u  921 1024  377    0.284   -1.659   4.158
+wks21.dc2.prod. 132.163.4.101    2 u  400 1024  377    0.262   -1.357   0.097
 wks22.dc2.prod. 10.196.14.64     3 u  576 1024  377    0.352   -0.400   0.059
+wks23.dc2.prod. 132.163.4.102    2 u  118 1024  377    0.309   -0.839   0.387
assID=0 status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg,
version="ntpd 4.2.2p1@1.1570-o Sun Aug 28 19:21:07 UTC 2011 (1)",
processor="x86_64", system="Linux/2.6.18-274.el5", leap=00, stratum=3,
precision=-20, rootdelay=53.491, rootdispersion=42.923, peer=11040,
refid=10.196.14.64,
reftime=d547aea6.e8719e12  Wed, May 22 2013 20:52:54.907, poll=10,
clock=d547b23f.14651c99  Wed, May 22 2013 21:08:15.079, state=4,
offset=-1.075, frequency=186.205, jitter=4.188, noise=1.752,
stability=0.004, tai=0
Columns Defined:
remote: peers specified in the ntp.conf file
  * = current time source
  # = source selected, distance exceeds maximum value
  o = source selected, Pulse Per Second (PPS) used
  + = source selected, included in final set
  x = source false ticker
  . = source selected from end of candidate list
  - = source discarded by cluster algorithm
  blank = source discarded: high stratum or failed sanity check
refid: remote source's synchronization source
stratum: stratum level of the source
t: types available
  l = local (such as a GPS, WWVB)
  u = unicast (most common)
  m = multicast
  b = broadcast
  - = netaddr
when: number of seconds passed since last response
poll: polling interval, in seconds, for source
reach: indicates success/failure to reach source; 377 = all attempts successful
delay: indicates the roundtrip time, in milliseconds, to receive a reply
offset: indicates the time difference, in milliseconds, between the client server and source
disp/jitter: indicates the difference, in milliseconds, between two samples
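The column notes above turned into a check a monitoring job can run over `ntpq -pn` output, as an added example (not from the original notes): the tally character is mapped to its selection state, the octal reach register is decoded into how many of the last eight polls were answered, and a peer is flagged when polls were missed or its offset is large. The sample table is constructed in the layout shown above, and the 100 ms offset limit is an assumed alerting threshold, not an ntpd default.

```shell
# Added example, not from the original notes: summarise the `ntpq -pn` peer table.
# ntp_peer_report reads the table on stdin and prints, per peer:
#   <remote> <selection state> <polls answered>/8 <offset ms> <ok|warn>
# "reach" is an octal shift register of the last 8 polls (377 = all answered).
# $1 is the offset limit in ms (assumed threshold, default 100).
ntp_peer_report() {
    awk -v max_off="${1:-100}" '
    BEGIN {
        split("0 1 1 2 1 2 2 3", bits, " ")          # popcount of one octal digit
        state["*"] = "sys.peer";  state["+"] = "candidate"   # tally codes from
        state["o"] = "pps.peer";  state["#"] = "excess"      # the column notes
        state["-"] = "outlier";   state["x"] = "falseticker"
        state["."] = "backup"
    }
    /^ *remote/ || /^=+$/ { next }                   # header and separator lines
    NF < 10 { next }
    {
        tally = substr($1, 1, 1); remote = $1; st = "rejected"   # blank tally
        if (tally in state) { remote = substr($1, 2); st = state[tally] }
        reach = $7; ok = 0
        for (i = 1; i <= length(reach); i++) ok += bits[substr(reach, i, 1) + 1]
        off = $9; if (off < 0) off = -off
        flag = (ok < 8 || off > max_off + 0) ? "warn" : "ok"
        printf "%s %s %d/8 %s %s\n", remote, st, ok, $9, flag
    }'
}

# Constructed sample in the layout the notes show; the last two peers have a
# partial reach register and a false-ticker tally so the warning path is exercised.
sample_ntpq() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.196.14.64    132.163.4.103    2 u  879 1024  377    0.284   -1.659   4.158
+10.196.14.65    132.163.4.101    2 u  358 1024  377    0.262   -1.357   0.097
 10.196.14.66    10.196.14.64     3 u  534 1024  177    0.352   -0.400   0.059
x10.196.14.67    132.163.4.102    2 u   76 1024    0    0.309  250.839   0.387
EOF
}

sample_ntpq | ntp_peer_report
```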