Wednesday, April 28, 2010

Domain Name System

What is DNS?
The Domain Name System (DNS) is a hierarchical naming system for computers and other resources connected to the Internet or to a private network. DNS is the mechanism by which Internet domain names such as google.com are located and translated into Internet Protocol (IP) addresses, so it lets us refer to networking equipment by domain name instead of by IP address. DNS also makes it possible to partition the namespace into domains in a meaningful way.
A DNS server is one node of a distributed database that maintains and publishes information about the domains delegated to it. The database holds records such as the names and addresses of network hosts.

Berkeley Internet Name Domain (BIND)
BIND is a software distribution for DNS servers and is now the most commonly used DNS server on the Internet. The distribution contains three modules:

  1. DNS server
    The daemon (named) that answers queries according to the DNS protocol standard.
  2. DNS resolver library
    A library that programs use to look up names in conformance with the DNS standards.
  3. Software tools for testing
    Tools such as dig that help ensure the DNS server configuration is working properly.

The latest release of BIND is at version 9.7.0-P1 while version 10 is still under development.
Features:
1. DNS protocol enhancements
Support for Incremental Zone Transfer (IXFR), where a slave nameserver downloads only the portions of a zone that were modified on the master nameserver.
2. Multiple views
Ability to present different information depending on where the request originates.
3. Security
DNSSEC – allows a zone to be signed with a zone key so that resolvers can verify that the data is authentic (DNSSEC provides authentication, not encryption).
TSIG – authenticates zone transfers and updates between servers with a shared secret key.
4. Support for IPv6

Installation
To install BIND, it is important that the IP address of the server hosting BIND does not change. Appendix A gives a brief guide to the networking configuration required before installing BIND.
There are 3 ways to install BIND:
1. Installing through Yum
2. Install RPM packages
3. Build from source

Yum (Yellowdog Updater Modified)
Installing through Yum is simple. Just execute the following command to install.

# yum install bind

RPM Package Manager
Installing through the RPM Package Manager requires a bit more work. Normally we install from the CD/DVD-ROM provided. If a CD/DVD-ROM is not available, download the rpm file from an online source.

a. Navigate to the source, which will most likely be the CD/DVD-ROM. The CD/DVD-ROM has to be inserted first.

# cd /media/RHEL_5.3\ x86_64\ DVD/Server

b. Install the rpm
# rpm -ivh bind*
Install from source
a. Download the source
# wget http://ftp.isc.org/isc/bind9/9.7.0-P1/bind-9.7.0-P1.tar.gz
b. Extract the source
# tar -zxvf bind-9.7.0-P1.tar.gz

c. Compile and install the source
# cd bind-9.7.0-P1
# ./configure
# make
# make install

Configure Firewall to allow BIND
Make sure to configure the firewall of the server on which BIND runs. Otherwise all incoming DNS queries will be rejected by the firewall.

GUI
1. Go to System > Administration > Security Level and Firewall. Enter the root credentials when asked.

2. The Security Level Configuration window will be displayed. Expand Other ports (1) and add the required DNS ports (2) as follows (3):
a. Ports: 53, Protocol: TCP
b. Ports: 53, Protocol: UDP

3. Click OK to add the ports and OK to confirm the configuration.

Shell
The shell commands to configure iptables for BIND are as follows:
# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
# iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

Because iptables rules are cleared on reboot, either save them with "service iptables save" so that the iptables init script restores them at boot, or create a script that runs these commands at system startup. More information can be found in the iptables documentation.

Configuration
There are many different scenarios for placing a DNS server in a network environment. BIND can be configured in any of the following roles:
1. Master
2. Slave
3. Caching-only
4. Forwarding

This document demonstrates the configuration of a master name server in a single-view environment. Details are not covered in depth here; refer to the BIND documentation for them.
BIND configuration can be found in 2 locations:

1. /etc/named.conf
Main configuration file
2. /var/named/ directory
Working directory that contains zone, statistics and cache files

/etc/named.conf
The main configuration can be complex in a multiple-view environment. To get new administrators started easily, we will look at a single-view configuration. Before we start, note that named.conf is strict about syntax: a minor error such as a missing semicolon (;) stops the entire daemon from starting (named-checkconf reports such errors before you restart). The caching server role is set in this file.

1. acl statement
a. Defines a named group of hosts or network segments that can then be permitted or denied access to the nameserver.
2. options statement
a. A list of global server configuration options. The forwarding server role is set here.
3. zone statement
a. Defines the characteristics of a zone. Options set here override the global options statement. The master/slave server role is set here.

Sample configuration of named.conf:

# nano /etc/named.conf
// hosts allowed to use this server: the local LAN and the server itself
acl all {
192.168.205.0/24;
127.0.0.1;
};

options {
listen-on port 53 { all; };
allow-query { all; };
forward first;            // ask the forwarders first, recurse ourselves if they fail
forwarders { 172.20.120.74; };
};

zone "ca.com" IN {
type master;
file "/var/named/ca.com.zone";
};

zone "205.168.192.in-addr.arpa" IN {
type master;
file "/var/named/192.168.205.zone";
};

Zone files in /var/named/
Zone files contain the information about a namespace (an example of a namespace is google.com). By default they are located in the /var/named/ directory, but if the bind-chroot package is installed, they have to be placed in the /var/named/chroot/var/named/ directory.
Sample Zone file configuration:
1. ca.com.zone
# nano /var/named/ca.com.zone
;
; Zone file for ca.com
;
; The full zone file
;
$TTL 3D
@ IN SOA ns1.ca.com. hostmaster.ca.com. (
        200211152 ; serial#
        3600 ; refresh, seconds
        3600 ; retry, seconds
        3600 ; expire, seconds
        3600 ) ; minimum, seconds

        IN NS ns1.ca.com. ; nameserver for the zone (a record with a blank owner field inherits the previous owner, here @)
        IN MX 10 mail.ca.com. ; primary mail exchanger
localhost IN A 127.0.0.1
svr1 IN A 192.168.205.10
ns1 IN CNAME svr1
mail IN CNAME svr1

2. 192.168.205.zone
# nano /var/named/192.168.205.zone
;
; Filename: 192.168.205.zone
;
; Reverse zone file for 192.168.205.x
;
$TTL 3D
@ IN SOA ns1.ca.com. hostmaster.ca.com. (
        200303301 ; serial number
        8H ; refresh
        2H ; retry
        4W ; expire
        1D ) ; minimum
        IN NS ns1.ca.com.
10 IN PTR ns1.ca.com.
10 IN PTR mail.ca.com.
10 IN PTR svr1.ca.com.

Starting/Restarting/Stopping of BIND
To start, restart or stop a daemon in Linux, we use the "service" command.

Start
# service named start
Restart
# service named restart
Stop
# service named stop
Status
# service named status

Troubleshooting BIND
Ensure BIND is working locally
To ensure BIND works locally, just execute the dig command. It should return results similar to the following:
# dig
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>>
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16265
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 604800 IN A 198.41.0.4
A.ROOT-SERVERS.NET. 604800 IN AAAA 2001:503:ba3e::2:30
B.ROOT-SERVERS.NET. 604800 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 604800 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 604800 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 604800 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 604800 IN A 192.5.5.241
F.ROOT-SERVERS.NET. 604800 IN AAAA 2001:500:2f::f
G.ROOT-SERVERS.NET. 604800 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 604800 IN A 128.63.2.53
H.ROOT-SERVERS.NET. 604800 IN AAAA 2001:500:1::803f:235
I.ROOT-SERVERS.NET. 604800 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 604800 IN A 192.58.128.30
J.ROOT-SERVERS.NET. 604800 IN AAAA 2001:503:c27::2:30

;; Query time: 2747 msec
;; SERVER: 192.168.205.10#53(192.168.205.10)
;; WHEN: Wed Apr 14 14:43:46 2010
;; MSG SIZE rcvd: 500


If the above command does not work, it is usually one of two problems:

i. A mistake in the configuration files
ii. The query is blocked by a firewall

Before checking on the firewall rules, it is best to recheck your configuration first.

Ensure the network of the originating query is allowed in named.conf
Ensure that the network the query originates from is listed in the acl statement of named.conf:
acl all {
192.168.205.0/24;
127.0.0.1;
};

Add any required networks to this statement.

Ensure the query is not blocked by a firewall
Ensure that DNS queries are not blocked by the firewall on the server side or on the client side. Refer to the "Configure Firewall to allow BIND" section for more information.

Appendix A – Networking configuration
1. Set a static IP address
Set up your network configuration and make sure the IP address of the server is static. Below is a sample configuration for an interface with a static address.

/etc/sysconfig/network-scripts/ifcfg-eth0:
# nano /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
IPADDR=192.168.205.10
NETMASK=255.255.255.0
BOOTPROTO=static
HWADDR=00:0C:29:75:C3:F4
ONBOOT=yes
BROADCAST=192.168.205.255
NETWORK=192.168.205.0
GATEWAY=192.168.205.2

2.Set the hostname of the server.

/etc/sysconfig/network:
# nano /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=svr1.ca.com

3. Ensure that the resolver file on the DNS server is set correctly. Since this host is the DNS server, its queries should be sent to itself; names in public namespaces are then passed on to a public DNS server through the forwarders option.

/etc/resolv.conf:
# nano /etc/resolv.conf
# "search ca.com" appends ca.com to unqualified names: resolving "eliz" makes the system try eliz.ca.com against the nameservers listed below
search ca.com
# the server itself first, the gateway as fallback
nameserver 192.168.205.10
nameserver 192.168.205.2

Friday, April 23, 2010

File Transfer Protocol (FTP)

Introduction
FTP is an acronym for File Transfer Protocol. As the name suggests, FTP is used to transfer files between computers on a network: you can use it to exchange files between computer accounts, transfer files between an account and a desktop computer, or access online software archives. Keep in mind, however, that many FTP sites are heavily used and may require several attempts before connecting. The most commonly used FTP package on Linux is vsftpd, which stands for "very secure FTP daemon".

Active FTP
Active FTP works as follows:
  • Client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Commands such as 'ls' and 'get' are sent over this connection.
  • Whenever client requests data over the control connection, the server initiates data transfer connections back to the client. The source port of these data transfer connections is always port 20 on the server, and the destination port is a high port on the client.
  • Thus the 'ls' listing that you asked for comes back over the "port 20 to high port connection", not the port 21 control connection.
  • FTP active mode data transfer therefore does this in a counter intuitive way to the TCP standard as it selects port 20 as its source port (not a random high port > 1024) and connects back to the client on a random high port that has been pre-negotiated on the port 21 control connection.
  • Active FTP may fail in cases where the client is protected from the Internet by many-to-one NAT (masquerading). This is because the firewall does not know which of the many clients behind it should receive the return connection.

Passive FTP
Passive FTP works as follows:

  • Client connects to the FTP server by establishing an FTP control connection to port 21 of the server. Your commands such as 'ls' and 'get' are sent over that connection.
  • Whenever the client requests data over the control connection, the client initiates the data transfer connections to the server. The source port of these data transfer connections is always a high port on the client with a destination port of a high port on the server.
  • Passive FTP should be viewed as the server never making an active attempt to connect to the client for FTP data transfers.
  • Passive FTP works better for clients protected by a firewall as the client always initiates the required connections.
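An added example, not from the original post, that decodes the "227 Entering Passive Mode" reply a server sends in passive mode and builds the PORT command a client sends in active mode, making concrete which endpoint each side's firewall must allow. The 227 reply is the one from the test session later on this page; the peer addresses and the function names are made up:

```shell
#!/bin/sh
# Added example, not from the original post: decode the "227 Entering Passive Mode"
# reply a server sends in passive mode and build the PORT command a client sends in
# active mode, to make concrete which endpoint each side (and its firewall) must
# allow. The 227 reply is the one shown in the post's test session; the control-peer
# addresses and the function names are made up here.

# pasv_endpoint REPLY [CONTROL_PEER_IP] -> "ip:port" of the data connection to open.
# If the advertised address differs from the control connection's peer (a server
# behind NAT, or a misconfigured one), the peer address is used and a warning printed,
# which is what careful clients do rather than connecting wherever they are told.
pasv_endpoint() {
  reply="$1"; peer="$2"
  nums=$(printf '%s\n' "$reply" | sed -n 's/^227 .*(\([0-9,]*\)).*/\1/p')
  [ -n "$nums" ] || { echo "not a 227 reply: $reply" >&2; return 1; }
  set -- $(printf '%s\n' "$nums" | tr ',' ' ')
  [ $# -eq 6 ] || { echo "malformed 227 reply: $reply" >&2; return 1; }
  host="$1.$2.$3.$4"; port=$(( $5 * 256 + $6 ))   # the port is sent as two bytes
  if [ -n "$peer" ] && [ "$host" != "$peer" ]; then
    echo "warning: server advertised $host but control peer is $peer; using $peer" >&2
    host="$peer"
  fi
  echo "$host:$port"
}

# port_command CLIENT_IP PORT -> the PORT line an active-mode client sends on the
# control connection; the server then connects from its port 20 to CLIENT_IP:PORT,
# which is exactly the inbound connection a client-side NAT or firewall cannot map.
port_command() {
  ip=$(printf '%s\n' "$1" | tr '.' ',')
  echo "PORT $ip,$(( $2 / 256 )),$(( $2 % 256 ))"
}

# The reply from the post's session: port = 44*256 + 156 = 11420.
pasv_endpoint "227 Entering Passive Mode (192,168,1,100,44,156)" 192.168.1.100
# Same reply seen by a client whose control connection goes to a NAT front address.
pasv_endpoint "227 Entering Passive Mode (192,168,1,100,44,156)" 203.0.113.10
# What the client would have sent instead in active mode for the same port:
port_command 192.168.1.50 11420
```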


Setup File Transfer Server
vsftpd keeps its configuration in vsftpd.conf, which can be opened with the command below:

# nano /etc/vsftpd/vsftpd.conf

Most of the frequently used options are already in the configuration file. All the administrator needs to do is add or remove the comment mark (#) at the beginning of a line to deactivate or activate that option.
Each option is bound to a value or directive that affects how vsftpd behaves; different options result in different kinds of FTP server. Try exploring each of the options in the configuration file when possible.



FTP user List
You can deny FTP access to particular users by adding them to the list in the /etc/vsftpd.ftpusers file. The vsftpd package creates this file with a number of entries for privileged users that normally should not have FTP access.

#nano /etc/vsftpd.ftpusers

Anonymous Upload
By default vsftpd allows remote anonymous users to download only. If you would like remote users to be able to write data to your FTP server, it is recommended that you create a write-only directory within /var/ftp/pub. This lets users upload without being able to read the files uploaded by others (anonymous uploads additionally require anon_upload_enable=YES in vsftpd.conf).
# mkdir /var/ftp/pub/upload
# chmod 733 /var/ftp/pub/upload   (write and search permission but no read: uploaders can create files but cannot list the directory)

Authorized FTP users with read-only access to a directory
1. Open vsftpd.conf in the text editor by typing the following command.
# nano /etc/vsftpd/vsftpd.conf

2. Disable anonymous FTP by setting the following line (a leading # would turn it into a comment, so the line must be uncommented to take effect):
anonymous_enable=NO

3. Enable logins by local user accounts:
local_enable=YES

4. Disallow writes (vsftpd does not accept spaces around the = sign):
write_enable=NO

5. Start the vsftpd service
# service vsftpd start

6. Create a user group and shared directory
# groupadd ftp-users
# mkdir /home/ftpFolder

7. Make the directory accessible to the ftp-users group
# chmod 750 /home/ftpFolder
# chown root:ftp-users /home/ftpFolder

8. Add users and make /home/ftpFolder their home directory
# useradd -g ftp-users -d /home/ftpFolder user1
# passwd user1

9. Copy the files to be downloaded by users into /home/ftpFolder, then change the permissions of the files so that the group has read-only access
# chown root:ftp-users /home/ftpFolder/*
# chmod 740 /home/ftpFolder/*
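An added example, not from the original post, that reads a vsftpd.conf the way vsftpd does (a leading # makes the line a comment, and the last active assignment wins) and reports the effective login and write settings; the two sample files are constructed and the helper names are invented:

```shell
#!/bin/sh
# Added example, not from the original post: read a vsftpd.conf the way vsftpd does
# (a line starting with # is a comment, so "#write_enable=NO" changes nothing, and the
# last uncommented assignment wins) and report the effective login and write settings.
# Both sample files are constructed here; vsftpd_option and vsftpd_audit are
# hypothetical helper names. Defaults assumed are vsftpd's documented ones:
# anonymous_enable=YES, local_enable=NO, write_enable=NO, anon_upload_enable=NO,
# chroot_local_user=NO.

WORK=$(mktemp -d)

# What an administrator gets by keeping the # on the lines from the post's steps 2-4.
cat > "$WORK/vsftpd.conf" <<'EOF'
#anonymous_enable=NO
anonymous_enable=YES
local_enable=YES
#write_enable=NO
write_enable=YES
anon_upload_enable=YES
chroot_local_user=NO
listen=YES
EOF

# The read-only setup the post intends, with the comment marks removed.
cat > "$WORK/vsftpd-readonly.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
listen=YES
EOF

# vsftpd_option FILE KEY -> effective value, or "unset" when no active line sets it
vsftpd_option() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }                  # comment line, ignored by vsftpd
    index($0, "=") {
      k = $0; sub(/=.*/, "", k)                # text before the first =
      v = $0; sub(/^[^=]*=/, "", v)            # text after it, kept verbatim
      if (k == key) { val = v; seen = 1 }      # later lines override earlier ones
    }
    END { print seen ? val : "unset" }' "$1"
}

# vsftpd_audit FILE -> one line per risky effective setting; exit 1 if there is any
vsftpd_audit() {
  f="$1"; n=0
  anon=$(vsftpd_option "$f" anonymous_enable)
  loc=$(vsftpd_option "$f" local_enable)
  wr=$(vsftpd_option "$f" write_enable)
  anonup=$(vsftpd_option "$f" anon_upload_enable)
  chr=$(vsftpd_option "$f" chroot_local_user)
  case "$anon" in
    NO) ;;
    *) echo "anonymous logins are allowed (anonymous_enable is $anon, default YES)"; n=$((n + 1)) ;;
  esac
  if [ "$wr" = YES ]; then
    echo "write_enable=YES: logged-in users can upload, delete and rename"; n=$((n + 1))
    if [ "$anon" != NO ] && [ "$anonup" = YES ]; then
      echo "anon_upload_enable=YES: anonymous users can upload"; n=$((n + 1))
    fi
  fi
  if [ "$loc" = YES ] && [ "$chr" != YES ]; then
    echo "local users are not chrooted (chroot_local_user is $chr): they can browse outside their home"
    n=$((n + 1))
  fi
  [ "$n" -eq 0 ]
}

for conf in "$WORK/vsftpd.conf" "$WORK/vsftpd-readonly.conf"; do
  echo "== $conf =="
  vsftpd_audit "$conf" && echo "no risky settings"
done
```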


Test FTP functionality
A simple test procedure to ensure that FTP is working properly:
# ftp 192.168.1.1
(log in when prompted)
ftp>

If you have disabled uploads, you will not be able to upload files to the instructor computer:
ftp> put testfile

List the directory and download the file:
ftp> ls
-rwxr----- 1 0 502 76288 Jan 04 17:06 vsftpd-1.1.0-1.i386.rpm
ftp> get vsftpd-1.1.0-1.i386.rpm
227 Entering Passive Mode (192,168,1,100,44,156)
150 Opening BINARY mode data connection for vsftpd-1.1.0-1.i386.rpm (76288 bytes).
226 File send OK.
76288 bytes received in 0.499 secs (1.5e+02 Kbytes/sec)
ftp> exit

Network Information Services (NIS)

Introduction
To access a Linux computer you need a valid username and password. A common problem on a large network of Linux computers is that each user would normally require an account on every computer.
Linux offers a service, NIS, that lets you set up one centrally managed database of usernames and passwords. NIS only requires you to maintain one password database on the NIS server and to configure the other systems on the network as clients.

Features of NIS
1. User accounts can be created once and shared across all systems on your network.
2. The user account is created only on the NIS server.
3. Users only need to change their passwords on the NIS server.
4. NIS clients are typically limited to Unix or Linux operating systems.

Install NIS
There are 2 ways to install NIS on the NIS server:
1. Install through Yum
2. Install RPM packages

Yum (Yellowdog Updater Modified)
Installing through yum is simple. Just execute the following command to install:
# yum install ypserv ypbind portmap yp-tools

RPM Package Manager
Installing through the RPM Package Manager requires a bit more work. Normally we install from the CD/DVD-ROM provided. If a CD/DVD-ROM is not available, download the rpm files from an online source.

a) Navigate to the source, which will most likely be the CD/DVD-ROM. The CD/DVD-ROM has to be inserted first.

# cd /media/RHEL_5.3\ x86_64\ DVD/Server

b) Install the RPMs
# rpm -ivh ypbind*
# rpm -ivh ypserv*
# rpm -ivh yp-tools*

Setting up the NIS server
• The following steps are performed on the instructor computer
• Log in as root

The following command opens the network configuration file in the text editor:
# nano /etc/sysconfig/network

Type the following text into the file, then press Ctrl+X and Y to save and exit the text editor:
NISDOMAIN="NIS_LINUX_SERVER"

The NIS server has to be configured as an NIS client as well, so you also have to edit the NIS client configuration file, pointing it at the server itself (localhost):

# nano /etc/yp.conf

Type the following text into the file, then press Ctrl+X and Y to save and exit the text editor:
ypserver 127.0.0.1

Start the necessary NIS daemons from the /etc/init.d directory and run the chkconfig commands so that they start again after the next reboot:
_________________________
#service portmap start
#service yppasswdd start
#service ypserv start
#chkconfig portmap on
#chkconfig yppasswdd on
#chkconfig ypserv on

_________________________

Type the following command to confirm that the above services are running:
# rpcinfo -p localhost

Initialize your NIS domain by adding the instructor computer to the NIS server list:

# /usr/lib/yp/ypinit -m
instructor ~ the computer name, entered at the "next host to add" prompt; press Ctrl+D when the list is complete
y ~ confirm the list

OR, on a 64-bit system:

# /usr/lib64/yp/ypinit -m
instructor ~ the computer name, entered at the "next host to add" prompt; press Ctrl+D when the list is complete
y ~ confirm the list

Start the ypbind and ypxfrd daemons
• You can only run the following commands once your NIS maps have been created (the ypinit step above)

#service ypbind start
#service ypxfrd start
#chkconfig ypbind on
#chkconfig ypxfrd on

Type the following command to confirm that all the NIS daemons are running:
# rpcinfo -p localhost

Create NIS users
Create two user accounts called studentA and studentB, both with the password "password".

# useradd -g users studentA
# passwd studentA
password ~ enter the password, then re-enter it when prompted
# cd /var/yp
# make ~ rebuild the NIS maps so that the new account is published

# useradd -g users studentB
# passwd studentB
password ~ enter the password, then re-enter it when prompted
# cd /var/yp
# make ~ rebuild the NIS maps so that the new account is published


Confirm that the user authentication information has been updated by using the ypmatch or getent command:

#ypmatch studentA passwd
#getent passwd studentB


Setting up NIS client
The authconfig-tui command starts a program that configures the NIS files automatically after prompting you for the IP address and domain of the NIS server. It is the fastest and easiest way of setting up an NIS client. Use the Tab key to move around the menu.
#authconfig-tui

Once done, check the yp.conf and network files to ensure that the required NIS information has been written:

# nano /etc/yp.conf
# nano /etc/sysconfig/network

Troubleshooting Techniques

NIS SERVER
If you run into problems while setting up the NIS server, delete the /var/yp/NIS_LINUX_SERVER directory and restart portmap, yppasswdd and ypserv before setting it up again.

#nano /etc/sysconfig/network

Remove the following text from the file, then press Ctrl+X and Y to save and exit the text editor:

NISDOMAIN="NIS_LINUX_SERVER"

The NIS server is configured as an NIS client as well, so you also have to edit the NIS client configuration file that points at the server itself (localhost).

#nano /etc/yp.conf

Remove the following text from the file, then press Ctrl+X and Y to save and exit the text editor:

ypserver 127.0.0.1

Restart the necessary NIS daemons in the /etc/init.d directory and perform chkconfig commands to ensure they start after the next reboot

#service portmap restart
#service yppasswdd restart
#service ypserv restart
#chkconfig portmap on
#chkconfig yppasswdd on
#chkconfig ypserv on


Test NIS Access to NIS Server

The following commands let you run ypcat, ypmatch and getent from the student computer:

# ypcat passwd
# ypmatch studentA passwd
# getent passwd <username>


Test that the firewall lets the NIS daemons through.
• Ensure that telnet is enabled on the instructor and student computers
# telnet <host>
<username>
<password>

• Use ssh to log into the NIS client

# ssh -l <username> <host>
<password>

If you are unable to log in with either telnet or ssh, check the Linux firewall settings.

Thursday, April 22, 2010

Apache 2.0

Introduction

Apache is a freely available web server that is distributed under an "open source" license. Version 2.0 runs on most Unix-based operating systems. According to a Netcraft (www.netcraft.com) web server survey, 60% of all web sites on the Internet use Apache, making Apache more widely used than all other web servers combined.

Features of Apache 2.0

Unix Threading
On Unix systems with POSIX threads support, Apache can now run in a hybrid multiprocess, multithreaded mode. This improves scalability for many, but not all configurations.

New Build System
The build system has been rewritten from scratch to be based on autoconf and libtool. This makes Apache's configuration system more similar to that of other packages.

Multiprotocol Support
Apache now has some of the infrastructure in place to support serving multiple protocols. mod_echo has been written as an example.

Filtering
Apache modules may now be written as filters which act on the stream of content as it is delivered to or from the server. This allows, for example, the output of CGI scripts to be parsed for Server Side Include directives using the INCLUDES filter in mod_include. The module mod_ext_filter allows external programs to act as filters in much the same way that CGI programs can act as handlers.

Simplified configuration
Many confusing directives have been simplified. The often confusing Port and BindAddress directives are gone; only the Listen directive is used for IP address binding; the ServerName directive specifies the server name and port number only for redirection and vhost recognition.

Install Apache
There are 2 ways to install Apache:
1. Install through Yum
2. Install RPM package

Yum (Yellowdog Updater Modified)
Installing through yum is simple. Just execute the following command to install:
# yum install httpd

RPM Package Manager
Installing through the RPM Package Manager requires a bit more work. Normally we install from the CD/DVD-ROM provided. If a CD/DVD-ROM is not available, download the rpm file from an online source.

a) Navigate to the source, which will most likely be the CD/DVD-ROM. The CD/DVD-ROM has to be inserted first.

# cd /media/RHEL_5.3\ x86_64\ DVD/Server

b) Install the RPM
# rpm -ivh httpd*


Setting up Apache Server
•The following steps are performed on the instructor computer
•Log in as root

The following command checks whether the web server is installed on the instructor computer:
# chkconfig --list httpd

Fig 1.1

From the image above (fig 1.1) the Apache server is installed but it is off in all run levels. Type the following command to ensure that Apache starts in run levels 3 and 5:
# chkconfig --level 35 httpd on

Fig 1.2

Type the following command to start the Apache service, then open a web browser and navigate to http://localhost to ensure that the default web page is up:
# service httpd start

Fig 1.3

Fig1.4

This command opens the main Apache server configuration file:
# nano /etc/httpd/conf/httpd.conf

You can store the HTML files in this directory. As you can see there are two folders here:
/var/www/html

Setting up Apache Server Virtual Web hosting

/var/www/html : Fig2.1

Ensure that the folders you want to serve exist and that each of them contains an index.html for testing.
Enter the following command to edit the httpd configuration for virtual hosting:
# nano /etc/httpd/conf/httpd.conf

You can use the template at the end of the file as a guide for creating the virtual host configuration.

Add the following lines to configure the gajchung virtual host. The directives must sit inside a <VirtualHost> container, and ServerAlias takes bare host names separated by spaces, not URLs or commas:
_____________________________________
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName www.gajchung.com
    ServerAlias gajchung.com www.jon.com
    DocumentRoot /var/www/html/gajchung/
    DirectoryIndex index.html
</VirtualHost>

Disable directory listing
For example, suppose you create a subdirectory named /home/www/gajchung/example under www.gajchung.com's DocumentRoot. You can view the file gajchung.example.html in this subdirectory by pointing your browser to:
www.gajchung.com/example/gajchung.example.com.html

You can disable directory listing by editing the following file:
# nano /etc/httpd/conf/httpd.conf

Afterwards you will no longer be able to browse the contents of the gajchung folder.
Checking syntax
You can check the virtual hosts you have created with the following command:
# httpd -S

User-Based Security
Limit access to the web pages to authorized users with a password by adding the following directives inside the <Directory> container for the DocumentRoot (the password file is created with the htpasswd tool):

<Directory "/var/www/html/gajchung">
    AuthType Basic
    AuthName "Internal Use Only"
    AuthUserFile /etc/httpd/webpass
    Require user gajchung
</Directory>
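An added example, not from the original post, that writes the complete virtual host sketched above (container, listing disabled, Basic auth) into a temporary tree and then checks what httpd -S does not: that each DocumentRoot exists and has an index.html, that it has a <Directory> block with Options -Indexes, and that the AuthUserFile is not inside a DocumentRoot where a browser could fetch it. The paths, the placeholder password file and the vhost_check helper are constructed:

```shell
#!/bin/sh
# Added example, not from the original post: write the complete virtual host the post
# sketches (container, aliases, listing disabled, Basic auth) into a temporary tree,
# then check what httpd -S does not: every DocumentRoot exists and has an index.html,
# every DocumentRoot has a <Directory> block with Options -Indexes, and no AuthUserFile
# lies under a DocumentRoot where a browser could fetch the password hashes.
# Paths, the password file content and vhost_check are constructed/hypothetical.

WORK=$(mktemp -d)
mkdir -p "$WORK/html/gajchung" "$WORK/html/jon" "$WORK/conf"
echo '<h1>gajchung</h1>' > "$WORK/html/gajchung/index.html"
# Deliberately misplaced: a password file inside the DocumentRoot (placeholder hash).
echo 'gajchung:PLACEHOLDER_APR1_HASH' > "$WORK/html/gajchung/webpass"

cat > "$WORK/conf/vhosts.conf" <<EOF
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName www.gajchung.com
    ServerAlias gajchung.com
    DocumentRoot $WORK/html/gajchung
    DirectoryIndex index.html
    <Directory "$WORK/html/gajchung">
        Options -Indexes
        AuthType Basic
        AuthName "Internal Use Only"
        AuthUserFile $WORK/html/gajchung/webpass
        Require user gajchung
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.jon.com
    DocumentRoot $WORK/html/jon
</VirtualHost>
EOF

# directive_values CONF NAME -> the argument of every NAME directive, quotes stripped
directive_values() { awk -v d="$2" '$1 == d { print $2 }' "$1" | tr -d '"'; }

# has_no_indexes CONF DIR -> 0 if a <Directory DIR> block contains Options -Indexes
has_no_indexes() {
  awk -v dir="$2" '
    $1 == "<Directory" { d = $2; gsub(/[">]/, "", d); in_d = (d == dir) }
    $1 == "</Directory>" { in_d = 0 }
    in_d && $1 == "Options" && /-Indexes/ { ok = 1 }
    END { exit ok ? 0 : 1 }' "$1"
}

# vhost_check CONF -> one line per finding; exit 1 if there is any
vhost_check() {
  conf="$1"; n=0
  roots=$(directive_values "$conf" DocumentRoot)
  for r in $roots; do
    if [ ! -d "$r" ]; then
      echo "DocumentRoot $r does not exist"; n=$((n + 1)); continue
    fi
    [ -f "$r/index.html" ] || { echo "DocumentRoot $r has no index.html"; n=$((n + 1)); }
    has_no_indexes "$conf" "$r" || { echo "no 'Options -Indexes' for $r: listing stays on"; n=$((n + 1)); }
    for p in $(directive_values "$conf" AuthUserFile); do
      case "$p" in
        "$r"/*) echo "AuthUserFile $p is inside DocumentRoot $r: move it out of the web tree"; n=$((n + 1)) ;;
      esac
    done
  done
  [ "$n" -eq 0 ]
}

echo "== as written =="
cp "$WORK/conf/vhosts.conf" "$WORK/conf/vhosts-as-written.conf"
vhost_check "$WORK/conf/vhosts.conf" || echo "=> fix before service httpd reload"

# Apply the fixes: move the password file out, add jon's index page, turn listing off.
mv "$WORK/html/gajchung/webpass" "$WORK/conf/webpass"
sed "s#AuthUserFile .*#AuthUserFile $WORK/conf/webpass#" "$WORK/conf/vhosts.conf" \
  > "$WORK/conf/vhosts.new" && mv "$WORK/conf/vhosts.new" "$WORK/conf/vhosts.conf"
echo '<h1>jon</h1>' > "$WORK/html/jon/index.html"
printf '<Directory "%s">\n    Options -Indexes\n</Directory>\n' "$WORK/html/jon" >> "$WORK/conf/vhosts.conf"
echo "== after fixes =="
vhost_check "$WORK/conf/vhosts.conf" && echo "=> clean"
```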


Adding the user
Add a user that owns the DocumentRoot folders:
# useradd -g users www
# chown -R www:users /home/www
# chmod 755 /home/www

You can verify the new ownership by typing:
# ll /var/www/gajchung/index.*

Below is the result obtained on the instructor computer when the Apache virtual hosting is set up properly.


Localhost
Troubleshooting of Apache 2.0

1) /etc/init.d/httpd start : start the web daemon
2) /etc/init.d/httpd stop : stop the web daemon
3) /etc/init.d/httpd restart : stop the daemon and then start it again
4) /etc/init.d/httpd reload : reload the configuration files
5) /etc/init.d/httpd status : obtain the daemon status
6) /etc/init.d/httpd help : list the options of the init script
7) /etc/init.d/httpd configtest : test your Apache configuration

Sendmail

What is Sendmail?
Sendmail is a general purpose internetworking email routing facility that supports many kinds of mail-transfer and delivery methods, including the Simple Mail Transfer Protocol (SMTP) used for email transport over the internet.

Install Sendmail
Sendmail requires 3 packages to work; sendmail, sendmail-cf and m4.

There are 3 ways to install sendmail:
1) Installing through Yum
2) Install RPM packages
3) Build from source

Yum (Yellowdog Updater Modified)
Installing through Yum is simple. Just execute the following command to install.
_________________________________________________
~]# yum install sendmail sendmail-cf m4
_________________________________________________

RPM Package Manager
Installing through the RPM Package Manager requires a bit more work. Normally we install from the CD/DVD-ROM provided. If a CD/DVD-ROM is not available, we might have to download the rpm files from an online source.

a. Navigate to the source, which will most likely be the CD/DVD-ROM. The CD/DVD-ROM has to be inserted first
____________________________________________
~]# cd /media/RHEL_5.3\ x86_64\ DVD/Server
____________________________________________

b. Install the rpms
_____________________________________________
~]# rpm -ivh sendmail*
~]# rpm -ivh m4*
_____________________________________________

Install from source
a. Download the source
_________________________________________________
~]# wget ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.14.4.tar.gz
_________________________________________________
b. Extract the source
____________________________________
~]# tar -zxvf sendmail.8.14.4.tar.gz
____________________________________

c. Compile and install the source
____________________________
~]# cd sendmail.8.14.4
~]# ./Build
~]# ./Build install
____________________________

Configure Sendmail
Sendmail is a huge topic. This document covers only a simple installation to get sendmail working, plus the methods to test and troubleshoot sendmail should problems arise.

Dovecot is used in this document to provide IMAP and POP access to clients. We will also cover how clients on both Linux and Windows platforms access the mail server.

Ensure DNS is configured properly for Mail Exchange
1.Make sure the fully qualified domain name (fqdn) of the mail server host can be resolved.
________________________________________
~]# host mail.ca.com
mail.ca.com is an alias for svr1.ca.com.
svr1.ca.com has address 192.168.205.10
________________________________________
2. Ensure that the MX record in the DNS zone file points to the mail server.
_________________________________________________________________________________
~]# cat /var/named/ca.com.zone
;
; Zone file for ca.com
;
; The full zone file
;
$TTL 3D
@ IN SOA ns1.ca.com. hostmaster.ca.com. (
200211152 ; serial#
3600 ; refresh, seconds
3600 ; retry, seconds
3600 ; expire, seconds
3600 ) ; minimum, seconds

        IN NS ns1.ca.com. ; nameserver for the zone
        IN MX 10 mail.ca.com. ; primary mail exchanger
svr1 IN A 192.168.205.10
mail IN CNAME svr1
____________________________________________________________________
Configure sendmail.mc
1. Ensure that sendmail is listening on the correct network
a. Use netstat to determine which address the server is listening on

Listening on the loopback address only (the default; needs the change in step b):
______________________________________
~]# netstat -an | grep :25 | grep tcp
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
______________________________________

Listening on all interfaces (what a mail server for the network needs):
_______________________________________
~]# netstat -an | grep :25 | grep tcp
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
_______________________________________

b. If the server is only listening on localhost, comment out the DAEMON_OPTIONS line in sendmail.mc. To comment a line, add dnl in front of it.

~]# vi /etc/mail/sendmail.mc
_______________________________________________________________
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
_________________________________________________________

2. Comment out the SMART_HOST entry, which is only required on a client.
________________________________________

dnl define(`SMART_HOST',`mail.ca.com')
________________________________________

3. Regenerate sendmail.cf and start sendmail
_____________________________________________________
~]# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
~]# service sendmail restart
_____________________________________________________
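The two checks above (netstat on port 25 and the DAEMON_OPTIONS line) as an added shell example, not code from the original post: smtp_bind_state classifies the port-25 listener from netstat output, mc_loopback_restricted tells whether sendmail.mc still restricts sendmail to loopback, and sendmail_next_step combines them into the troubleshooting decision. The netstat lines and the sendmail.mc fragments are constructed and the function names are invented:

```shell
#!/bin/sh
# Added example, not from the original post: turn the two checks from the post into
# code. smtp_bind_state classifies the port-25 listener from netstat output, and
# mc_loopback_restricted tells whether sendmail.mc still carries an active
# DAEMON_OPTIONS line with Addr=127.0.0.1. sendmail_next_step combines them into the
# troubleshooting decision: is it the .mc file, or a sendmail.cf that was never
# regenerated? The netstat lines and .mc fragments are constructed; names are made up.

# smtp_bind_state <netstat -an on stdin> -> loopback-only | all-interfaces | not-listening
smtp_bind_state() {
  awk '$1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ /:25$/ {
          n = split($4, a, ":")                                  # last field is the port
          addr = substr($4, 1, length($4) - length(a[n]) - 1)    # works for :::25 and ::1:25 too
          if (addr == "127.0.0.1" || addr == "::1") lo = 1; else any = 1 }
       END { print any ? "all-interfaces" : (lo ? "loopback-only" : "not-listening") }'
}

# mc_loopback_restricted FILE -> 0 if an active (not dnl) DAEMON_OPTIONS line has Addr=127.0.0.1
mc_loopback_restricted() {
  awk '/^[[:space:]]*dnl/ { next }                          # m4 discards dnl lines
       /DAEMON_OPTIONS\(/ && /Addr=127\.0\.0\.1/ { hit = 1 }
       END { exit hit ? 0 : 1 }' "$1"
}

# sendmail_next_step STATE MCFILE -> what to do next
sendmail_next_step() {
  case "$1" in
    all-interfaces) echo "ok: sendmail accepts mail from the network" ;;
    not-listening)  echo "start sendmail (service sendmail start) and check /var/log/maillog" ;;
    loopback-only)
      if mc_loopback_restricted "$2"; then
        echo "comment the DAEMON_OPTIONS line in $2 with dnl, then m4 it into sendmail.cf and restart"
      else
        echo "$2 is already fixed: regenerate sendmail.cf with m4 and restart sendmail"
      fi ;;
  esac
}

WORK=$(mktemp -d)
# sendmail.mc as shipped (restricted) and after the edit from step 1b (dnl in front).
printf '%s\n' "DAEMON_OPTIONS(\`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl" > "$WORK/shipped.mc"
printf '%s\n' "dnl DAEMON_OPTIONS(\`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl" > "$WORK/edited.mc"

# Constructed netstat output for the two situations shown in the post.
NETSTAT_LOOPBACK='Proto Recv-Q Send-Q Local Address           Foreign Address             State
tcp        0      0 127.0.0.1:25            0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*                   LISTEN'
NETSTAT_ALL='tcp        0      0 0.0.0.0:25              0.0.0.0:*                   LISTEN'

state=$(printf '%s\n' "$NETSTAT_LOOPBACK" | smtp_bind_state)
echo "before the edit: $state -> $(sendmail_next_step "$state" "$WORK/shipped.mc")"
echo "after the edit, before m4: $state -> $(sendmail_next_step "$state" "$WORK/edited.mc")"
state=$(printf '%s\n' "$NETSTAT_ALL" | smtp_bind_state)
echo "after m4 and restart: $state -> $(sendmail_next_step "$state" "$WORK/edited.mc")"
```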

Configure Dovecot for POP access
1. Install dovecot if required
~]# rpm -ivh dovecot*

2. Ensure dovecot is configured for pop3
______________________________________________________________________
~]# vi /etc/dovecot.conf

# Protocols we want to be serving: imap imaps pop3 pop3s
# If you only want to use dovecot-auth, you can set this to "none".
protocols = imap imaps pop3 pop3s
________________________________________________

Plain pop3 and imap (ports 110 and 143) carry the user name and password in clear text. On anything other than an isolated lab network serve only pop3s and imaps (ports 995 and 993), or keep the plain ports but leave dovecot's disable_plaintext_auth at its default of yes so that a login is only accepted after STARTTLS.

3. Start dovecot
_______________________________________________
~]# service dovecot start
_______________________________________________

4. Ensure dovecot is listening on the POP and IMAP ports
______________________________________
~]# netstat -a | egrep -i 'pop|imap'
tcp 0 0 *:imaps *:* LISTEN
tcp 0 0 *:pop3s *:* LISTEN
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 *:imap *:* LISTEN
_______________________________________

Configure Linux Sendmail Client
1. Install Sendmail on the client and ensure DNS is working properly
a) Refer to the "Install Sendmail" section for installation
b) Ensure that the FQDN of the mail server can be resolved from the client.
________________________________________
~]# nslookup mail.ca.com
Server: 192.168.205.10
Address: 192.168.205.10#53

Name: mail.ca.com
Address: 192.168.205.10
_____________________________________________________________

2. Configure sendmail.mc. Ensure that the option below points to the FQDN of the mail server; every message the client sends is handed to that host for delivery.
__________________________________________
~]# vi /etc/mail/sendmail.mc

define(`SMART_HOST',`mail.ca.com')
__________________________________________

3. Regenerate sendmail.cf and restart sendmail
____________________________________________________
~]# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
~]# service sendmail restart
_____________________________________________________

Configure Windows Client (Microsoft Outlook 2007)
1) Start MS Outlook 2007. Cancel the wizard if prompted.
2) Set up the account.
a. Go to Account Settings


b. Add a new account


c. Check "Manually configure server settings or additional server types" and click Next


d. Select "Internet E-mail" for the E-mail service and click Next


e. Enter the following information for the E-mail settings:
i. User Information:
•Your Name: student
•E-mail Address: student@ca.com
ii. Server Information
•Account Type: POP3
•Incoming mail server: 192.168.205.10
•Outgoing mail server: mail.ca.com
iii. Login Information
•Username: student
•Password: *omitted*
f. Click on Test Account Settings to test the connectivity of the service. Click Next once everything is configured properly.

With these settings Outlook uses plain POP3 on port 110, so the password crosses the network in clear text on every poll. Outside an isolated lab, tick "This server requires an encrypted connection (SSL)" under More Settings > Advanced, which switches the incoming connection to pop3s on port 995 (the pop3s listener enabled in the dovecot configuration above).

Secure Shell

Secure Shell (SSH) is an open protocol for securing communication between machines. It is less complex and cheaper than many hardware solutions such as VPN appliances. SSH is a client/server protocol that provides a command shell, file transfer (scp and sftp) and tunnelling of arbitrary TCP/IP applications over a single authenticated, encrypted connection. It provides authentication, encryption and data integrity to defeat threats such as password sniffing and man-in-the-middle attacks.

Benefits of SSH

•User Authentication
SSH offers several ways for a user or machine to prove its identity, from plain passwords (sent only inside the encrypted channel) to public-key authentication, where the private key never leaves the client.
•Host Authentication
The server holds a host key pair and proves possession of the private key during the handshake; the client compares the public key with the one it has stored for that host. This is what guards against a man-in-the-middle attack, but only if the key's fingerprint is verified out of band the first time it is seen.
•Data Encryption
All traffic after the key exchange is encrypted with a symmetric cipher negotiated by both sides, so that only the two communicating machines can read it. Implementations support ciphers such as 3DES, Blowfish, AES and Twofish; single DES is obsolete and should not be enabled.
•Data Integrity
SSH ensures that data cannot be altered in transit without detection. SSHv2 uses a keyed Message Authentication Code (HMAC), replacing the CRC-32 checksum of SSHv1, which was not a cryptographic integrity check and could be defeated by the CRC-32 compensation attack. Use SSHv2 only (Protocol 2 in sshd_config).


Simple connection to SSH Server from Windows Client using PuTTY
1. Connect to the server from Windows using an SSH client (PuTTY)
• PuTTY can be downloaded from here:
_________________________________________________________
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
__________________________________________________________

• Configure PuTTY

1. Enter the server IP address:
•The server IP address is: 172.20.130.28
2. Ensure that SSH is selected as the Connection Type
3. To save the configuration for easier connection in the future, give the Session a name and save it
4. Click Open to connect to the server over SSH.
5. PuTTY shows a Security Alert containing the fingerprint of the server's host key, because it has not seen this host before. Compare the fingerprint with the one obtained from the server itself (for example by running ssh-keygen -l -f against the host's public key file in /etc/ssh on the console) and click Yes only if they match; PuTTY then stores the key and warns if it ever changes.
6. Log in to the system


PuTTY configuration

PuTTY security Alert


2. Restrict Access
The following diagrams describe how to restrict certain hosts or domains from accessing the SSH server through TCP wrappers. Edit /etc/hosts.deny and add a line that names the daemon, sshd, followed by a colon and the hosts, networks or domains to be denied. The safer pattern is to deny everything for sshd in hosts.deny and list only the permitted networks for sshd in hosts.allow, which is consulted first. This only works for services linked against libwrap (the RHEL sshd is), so back it up with an iptables rule for port 22.


Editing of hosts.deny



contents of hosts.deny

Wednesday, April 21, 2010

Samba

What is Samba?
Samba is an Open Source application that provides file and print services to SMB/CIFS clients and it allow interoperability between Linux/Unix servers and Windows-based clients. The current stable release of Samba is 3.5.1.
With the flexibility of Samba to provide interoperability, samba can integrate into a Windows Server Domain environment, by acting as a Primary Domain Controller or as a domain member. We can also make samba a part of an Active Directory domain too!

Features:
Samba allows file and print sharing and provide interoperability between Windows platform and Unix platform computers by providing the following:
1. Serve directory trees and printers to Linux, UNIX, and Windows clients
2. Assist in network browsing (with or without NetBIOS)
3. Authenticate Windows domain logins
4. Provide Windows Internet Name Service (WINS) name server resolution
5. Act as a Windows NT®-style Primary Domain Controller (PDC)
6. Act as a Backup Domain Controller (BDC) for a Samba-based PDC
7. Act as an Active Directory domain member server
8. Join a Windows NT/2000/2003 PDC

Install Samba
There are 3 ways to install samba:
1) Installing through Yum
2) Install RPM packages
3) Build from source

Yum (Yellowdog Updater Modified)
Installing through Yum is simple. Just execute the following command to install.
# yum install samba

RPM Package Manager
Installing through the RPM Package Manager requires a bit more work. Normally we will install from the CD/DVD-ROM provided. If in any case a CD/DVD-ROM is not available, we will have to download the rpm file from an online source.

a. Navigate to the source, which will most likely be the CD/DVD-ROM. The source CD/DVD-ROM has to be inserted first
#cd /media/RHEL_5.3\ x86\ DVD/Server

b. Install the rpm
#rpm -ivh samba*

Install from source
a. Download the source
#wget http://www.samba.org/samba/ftp/samba-3.5.1.tar.gz

b. Unpack the source
#tar -zxvf samba-3.5.1.tar.gz

c. Compile the source (in the Samba 3.x tarball the configure script lives in the source3 directory). A source build installs under /usr/local and is not tracked by rpm, so security updates have to be rebuilt by hand; prefer the vendor package on a production server.
#cd samba-3.5.1/source3
#./configure
#make
#make install


Configure Firewall to allow Samba
Make sure to configure the firewall of the server on which Samba runs. Otherwise all incoming SMB/CIFS connections (UDP 137 and 138 for NetBIOS name service and browsing, TCP 139 and 445 for file sharing) will be rejected by the firewall.

GUI
Go to System > Administration > Security Level and Firewall and tick Samba

Shell
Configuring Samba
There are many ways to deploy Samba; this section shares a basic configuration that allows a Windows client to access a shared folder on Linux.

1. Preparing users and share folders
In this section we create the user to be used for samba. For security reasons samba users should not have a login shell, so create them with the option "-s /bin/false" (or /sbin/nologin). Samba keeps its own password database, so the Unix password is never used for share access: leave it locked, which is how useradd creates the account ("!!" in /etc/shadow), and do not run "passwd -d". That command removes the password entirely, and with the nullok option that RHEL's pam_unix carries by default an empty password field allows authentication with an empty password. Use "smbpasswd -a" to add the user to samba's password database.

For easy administration we create a folder and bind it to a group, so that any samba user in that group has access to the folder. "chgrp" puts /var/samba/share under smbgroup, and "chmod 2770" gives the group write access and sets the setgid bit so that files created in the folder inherit the group (the setuid bit has no effect on a directory, so 5770 would not achieve this).

Note that the filesystem permissions and the "create mask" option in smb.conf are independent controls that both apply: the directory mode decides whether the user may create files at all, and create mask decides which permission bits newly created files may carry.

___________________________________________
# groupadd -g 600 smbgroup
# useradd -m -s /bin/false -g 600 smbuser
# smbpasswd -a smbuser
New SMB password:
Retype new SMB password:
Added user smbuser.

# mkdir -p /var/samba/share
# chgrp smbgroup /var/samba/share
# chmod 2770 /var/samba/share
____________________________________________
2. smb.conf
smb.conf is the main configuration file of samba. It specifies the workgroup, the share name and path, the share access level and much more. The sample configuration below describes a group directory, file sharing only scenario (no printer sharing). If you wish to let individual samba users connect to their home directory, just uncomment the entire [homes] section in the default smb.conf.
______________________________________________________________
# vi /etc/samba/smb.conf
# append this to the end of the file
# there is no need to create from a fresh copy of smb.conf
[share]
path = /var/samba/share
public = no
write list = @smbgroup
create mask = 0770
writable = yes
_________________________________________________________________

The configuration above is straightforward. It creates a share on the server backed by the folder /var/samba/share. The share is listed to everyone who browses the server, but connecting requires a samba login, and the 2770 mode on the folder means only members of smbgroup can read or write it. "public = yes" would instead allow guest, i.e. unauthenticated, access, which is not what a group share wants.
Changing the configuration is simple. If you do not want the share folder to be writable, change writable = yes to writable = no, then restart the daemon.

3. Adding users and relating them to samba
To make the configuration work, samba users need to be added (for non-directory scenarios). Samba users are ordinary Unix users, but they authenticate with a separate password held in samba's own database. Step 1 already created smbuser this way; for any further user, repeat the same steps and put the user in smbgroup. Only set a Unix password (passwd) if the user also needs to log in to the Linux system itself.
#useradd -m -s /bin/false -g smbgroup smbuser
#smbpasswd -a smbuser


4. Restart samba to enforce the new configuration
To force samba to use the new configuration, we need to restart samba daemon
_______________________________________________

# /etc/init.d/smb restart
________________________________________________
OR
_________________________________________________

# service smb restart
_________________________________________________
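Because the two mistakes in the account set-up (a real login shell, or a password field emptied with passwd -d) are invisible from the Samba side, it is worth checking them from the Unix side. The following is an added example, not part of the original post: it reads /etc/passwd and /etc/shadow style records and reports accounts that do not match the hardening described in step 1. The passwd and shadow fragments are constructed for the example (the hashes are not real), and the function names are my own:

```shell
#!/bin/sh
# Added example: audit Samba-only Unix accounts.
# Constructed /etc/passwd and /etc/shadow fragments; on a real host use
#   PASSWD_SAMPLE=$(cat /etc/passwd)   SHADOW_SAMPLE=$(cat /etc/shadow)   (as root)
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
smbuser:x:601:600::/home/smbuser:/bin/false
smbuser2:x:602:600::/home/smbuser2:/bin/bash
svc:x:603:600::/home/svc:/sbin/nologin'
SHADOW_SAMPLE='root:$1$saltsalt$NotARealHashNotARealHash:14700:0:99999:7:::
smbuser::14700:0:99999:7:::
smbuser2:$1$saltsalt$NotARealHashNotARealHash:14700:0:99999:7:::
svc:!!:14700:0:99999:7:::'

# shadow_state USER SHADOW_TEXT -> empty | locked | hashed | missing
#   empty  : password field is "", the result of "passwd -d" (logs in with no password where nullok applies)
#   locked : field starts with "!" or "*", what useradd / passwd -l produce
#   hashed : a real password hash is set
shadow_state() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u {
            if ($2 == "")            print "empty"
            else if ($2 ~ /^[!*]/)   print "locked"
            else                     print "hashed"
            found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# smb_account_check USER PASSWD_TEXT SHADOW_TEXT
# Prints one line per finding; returns 0 only when the account is Samba-only and safe.
smb_account_check() {
    u=$1; bad=0
    shell=$(printf '%s\n' "$2" | awk -F: -v u="$u" '$1 == u { print $7 }')
    case $shell in
        /sbin/nologin|/bin/false) ;;
        "") echo "$u: no Unix account (smbpasswd -a needs one)"; bad=1 ;;
        *)  echo "$u: login shell is $shell; use /bin/false or /sbin/nologin"; bad=1 ;;
    esac
    case $(shadow_state "$u" "$3") in
        empty)  echo "$u: empty password field (passwd -d); lock it with passwd -l"; bad=1 ;;
        hashed) echo "$u: has a Unix password although Samba never uses it; lock it if the user is Samba-only"; bad=1 ;;
    esac
    return $bad
}
```

Run smb_account_check for every member of smbgroup after step 1; svc in the sample is the shape a correctly prepared account has, smbuser shows the passwd -d problem and smbuser2 shows what adduser followed by passwd leaves behind.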

Troubleshooting Samba
Samba provides several commands to troubleshoot a samba set up.

testparm
This command checks the configuration file for errors and prints the effective share definitions. Run it after every change and before restarting the daemon.

# testparm /etc/samba/smb.conf

smbclient
This command probes the samba server and lists the shares the server provides. It is a good troubleshooting command because it does not require an actual Windows client for testing; add -U smbuser to test as an authenticated user.

# smbclient -L server1

nmblookup
This command acts like nslookup for NetBIOS names, and a successful answer also confirms that the NetBIOS name service is installed and reachable. It can be used on both servers and clients.

# nmblookup server1

Accessing Samba Share from Windows client
In the earlier sample we created a share that allows smbuser to access the shared folder from anywhere on the internal network. In this section we look at how to connect to the Linux server from Windows.

Set up a drive letter on Windows so that the files can be accessed easily.
1. Provide the client computer with the credentials to use for the share
a. Start -> Run -> type "cmd" and press Enter

At the prompt type the following (Windows prompts for the samba password):
net use z: \\ip_of_your_samba_server\share /user:smbuser

2. Map the network drive
a. In Windows Explorer, under Tools > Map Network Drive, set the drive letter and the path of the Linux share

3. Navigate to the folder

ITIL v3 Foundation Certification is now a HOT 5 Certification in 2010 Certification trends

Recently, ITIL v3 Foundation
was voted one of the "HOT 5 IT certifications in 2010" for IT professionals to hold.

While many of you ask me why we need to be certified by the ITSM industry besides holding a diploma or degree, the reasons for doing so are plenty. Here are some reasons... the "Big WHY".

As stated on www.networksasia.net, "the goal this year is to streamline IT operations, adding automation where possible, while at the same time increasing services to users. The premise of overhauling the way IT works is outlined in the IT Infrastructure Library, or ITIL (Version 3 is currently being adopted)".

This is especially true for organizations seeking integration expertise from fresh graduates who couple ITIL skills with networking, supply-chain management, server administration, security or other technical skills. Now considered a life-cycle approach (with processes "built in"), the new ITIL framework can deliver benefits such as improved incident and problem management, availability, and lower cost of project roll-out due to streamlined functions and processes.

The full article on the "5 Hot IT certification picks for 2010" can be found at this URL:

http://www.networksasia.net/content/5-hot-it-certification-picks-2010?page=0%2C2&utm_source=lyris&utm_medium=newsletter&utm_campaign=nwa_daily&section=eNews_breaking_news

Thursday, April 15, 2010

Domain Name System (DNS)

What is DNS?
Domain Name System is a hierarchical naming system for computers or resources connected to the Internet or private network. DNS is the way how Internet domain names like google.com are located and translated into Internet Protocol (IP) addresses, hence DNS allow us to use domain names instead of network addresses (IP address) to associate with individual networking equipments. A DNS Server is a distributed database system that maintains and publishes information of any domain subordinate to it.

Features:
1) DNS Protocol Enhancements
2) Multiple view
3) Security
4) Support for IPv6

Installation
There are 3 ways to install BIND:
1) Installing through YUM
2) Install RPM packages
3) Build from source

Yum (Yellowdog Updater Modified)
Installing through Yum is simple. Just execute the following command to install.
#yum install bind

RPM Package Manager
Installing through the RPM Package Manager requires a bit more work. Normally we will install from the CD/DVD-ROM provided. If in any case a CD/DVD-ROM is not available, we will have to download the rpm file from an online source.

a) Navigate to the source, which will most likely be the CD/DVD-ROM. The source CD/DVD-ROM has to be inserted first.
#cd /media/RHEL_5.3\ x86_64\ DVD/Server

b) Install RPM
#rpm -ivh bind*

Install from source
A source build is not tracked by rpm, so BIND security updates have to be rebuilt by hand; prefer the vendor package on a production server.
a. Download the source
# wget http://ftp.isc.org/isc/bind9/9.7.0-P1/bind-9.7.0-P1.tar.gz
b. Unpack the source
# tar -zxvf bind-9.7.0-P1.tar.gz
c. Compile the source
# cd bind-9.7.0-P1
# ./configure
# make
# make install

Configure Firewall to allow BIND

Make sure to configure the firewall of the server on which BIND runs. Otherwise all incoming DNS queries will be rejected by the firewall.

GUI
1) Go to System > Administration > Security Level and Firewall. Enter the root credential as required.


2. The Security Level Configuration window will be displayed. Expand Other ports (1) and add the required DNS ports (2) as follows (3):
a. Port: 53, Protocol: TCP
b. Port: 53, Protocol: UDP


3. Click OK to add the port and OK to confirm the configuration.

Shell
The shell commands to configure iptables for BIND are as follows:
# iptables -I INPUT -p udp --dport 53 -j ACCEPT
# iptables -I INPUT -p tcp --dport 53 -j ACCEPT
# iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

UDP is what ordinary queries use; TCP 53 is needed for answers larger than 512 bytes and for zone transfers. The INPUT rules are inserted with -I rather than appended with -A because the RHEL default ruleset ends with a REJECT rule, and anything appended after it is never reached. The OUTPUT rules only matter if the OUTPUT policy is DROP; they let named reach its forwarder. Rules added from the shell are lost on reboot unless saved with "service iptables save".

Configuration
There are many different scenarios for placing a DNS server in a network environment. BIND can be configured for the following roles:
1. Master
2. Slave
3. Caching-only
4. Forwarding

BIND configuration can be found in 2 locations:
1. /etc/named.conf
Main configuration file
2. /var/named/ directory
Working directory that contains zone, statistic and cache files

/etc/named.conf
The main configuration can be complex in a multiple-view environment. To get new administrators started easily, we will look at a single-view configuration. Before we get started, it is important to note that named.conf is strict about syntax: any minor error, such as a missing semicolon (;), stops the daemon from starting, so run named-checkconf after every edit. The caching server role is set in this file.

1. acl statement
a. This statement defines a named group of hosts or network segments that the options and zone statements can then permit or deny access to the nameserver.
2. options statement
a. A list of global server configuration options. The forwarding server role is set here. This is also where exposure is limited: allow-query and allow-recursion should name the internal acl rather than any, so that the server cannot be used as an open resolver in amplification attacks, and allow-transfer should be restricted to the slave servers (or none) so that the whole zone cannot be downloaded by anyone who asks.
3. zone statement
a. Defines the characteristics of a zone. Options set here override the global options statement. The master/slave server role is set here.

Sample configuration of named.conf:

# nano /etc/named.conf
acl all {
192.168.205.0/24;
127.0.0.1;
};

options {
listen-on port 53 { all; };
allow-query { all; };
// "forward first;" sends every query to the forwarders before recursing itself;
// the form "forward { first; };" is a syntax error and named will not start
forward first;
forwarders { 172.20.120.74; };
};

zone "ca.com" IN {
type master;
file "/var/named/ca.com.zone";
};

zone "205.168.192.in-addr.arpa" IN {
type master;
file "/var/named/192.168.205.zone";
};

Zone files in /var/named/
Zone files contain information about a namespace (example of a namespace: google.com). By default they are located in the /var/named/ directory, but if the bind-chroot package is installed the location has to be /var/named/chroot/var/named/ instead. Check a zone file with named-checkzone before reloading named.
Sample Zone file configuration:
1. ca.com.zone


#nano /var/named/ca.com.zone
;
; Zone file for ca.com
;
; The full zone file
;
$TTL 3D
@ IN SOA ns1.ca.com. hostmaster.ca.com. (
200211152 ; serial# (increase it on every change; slaves only re-transfer when it grows)
3600 ; refresh, seconds
3600 ; retry, seconds
604800 ; expire, seconds (must be larger than refresh + retry, or a slave drops the zone after one missed refresh)
3600 ) ; minimum, seconds (negative-caching TTL)

; records that inherit the owner (@) must start with whitespace, otherwise "IN" is read as a host name
	IN NS ns1.ca.com. ; nameserver for the zone
	IN MX 10 mail.ca.com. ; primary mail exchanger
localhost IN A 127.0.0.1
svr1 IN A 192.168.205.10
ns1 IN A 192.168.205.10 ; NS and MX targets must be address records, not CNAMEs (RFC 2181 section 10.3)
mail IN A 192.168.205.10

2. 192.168.205.zone
#nano /var/named/192.168.205.zone
;
; Filename: 192.168.205.zone
;
; Reverse zone file for 192.168.205.x
;
$TTL 3D
@ IN SOA ns1.ca.com. hostmaster.ca.com. (
200303301 ; serial number
8H ; refresh, seconds
2H ; retry, seconds
4W ; expire, seconds
1D ) ; minimum, seconds
	IN NS ns1.ca.com.
10 IN PTR svr1.ca.com.
; ns1 and mail are additional names for the same host. Several PTR records for one
; address are legal, but reverse-DNS checks (mail servers in particular) expect a
; single name, so only the canonical host name is published here.
; 10 IN PTR ns1.ca.com.
; 10 IN PTR mail.ca.com.
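named-checkzone catches syntax errors, but two of the problems in the ca.com zone as first written (NS and MX pointing at CNAMEs, and an expire value no larger than refresh plus retry) are legal syntax that only show up as broken delegation or slaves silently dropping the zone. The following is an added example, not part of the original post or of BIND, that lints a zone file for exactly those two conditions with awk. It applies to the ca.com zone shown here and the copy in the Sendmail post above; the two zone texts it embeds are constructed from those listings, and the function name zone_lint is my own:

```shell
#!/bin/sh
# Added example: lint a forward zone file for two RFC-level mistakes that
# named-checkzone does not report as errors.
# Assumptions: records carry the IN class (as in the zones above), and records
# that inherit the owner name start with whitespace, as BIND requires.

# Constructed copy of the ca.com zone as first written in this post.
BAD_ZONE='$TTL 3D
@ IN SOA ns1.ca.com. hostmaster.ca.com. (
        200211152 ; serial#
        3600 ; refresh, seconds
        3600 ; retry, seconds
        3600 ; expire, seconds
        3600 ) ; minimum, seconds
        IN NS ns1.ca.com.
        IN MX 10 mail.ca.com.
svr1 IN A 192.168.205.10
ns1 IN CNAME svr1
mail IN CNAME svr1'

# Constructed corrected version: address records for ns1 and mail, sane expire.
GOOD_ZONE='$TTL 3D
@ IN SOA ns1.ca.com. hostmaster.ca.com. (
        200211153 ; serial#
        3600 ; refresh, seconds
        3600 ; retry, seconds
        604800 ; expire, seconds
        3600 ) ; minimum, seconds
        IN NS ns1.ca.com.
        IN MX 10 mail.ca.com.
svr1 IN A 192.168.205.10
ns1 IN A 192.168.205.10
mail IN A 192.168.205.10'

# zone_lint ORIGIN  (zone text on stdin; ORIGIN must end with a dot, e.g. ca.com.)
# Prints one line per problem and returns 1 if any were found.
zone_lint() {
    awk -v origin="$1" '
        function fqdn(n) {            # relative name -> absolute name
            if (n == "@") return origin
            if (n ~ /\.$/) return n
            return n "." origin
        }
        function secs(v,   u, x) {     # 8H / 2H / 4W / 1D / plain seconds -> seconds
            u = toupper(substr(v, length(v), 1)); x = v + 0
            if (u == "W") return x * 604800
            if (u == "D") return x * 86400
            if (u == "H") return x * 3600
            if (u == "M") return x * 60
            return x
        }
        {
            lead = ($0 ~ /^[ \t]/)     # leading blank: this record inherits the previous owner
            sub(/;.*/, "")             # strip comments
            if (NF == 0) next
            if ($1 ~ /^\$/) next       # $TTL / $ORIGIN directives
            if (insoa) {               # still collecting the SOA fields across lines
                for (i = 1; i <= NF; i++) if ($i != "(" && $i != ")") soa[++nsoa] = $i
                if (nsoa >= 7) insoa = 0
                next
            }
            c = 0
            for (i = 1; i <= NF; i++) if ($i == "IN") { c = i; break }
            if (c == 0) next
            if (!lead) owner = fqdn($1)
            type = $(c + 1); rdata = $(c + 2)
            if (type == "SOA") {       # soa[1..7] = mname rname serial refresh retry expire minimum
                nsoa = 0; insoa = 1
                for (i = c + 2; i <= NF; i++) if ($i != "(" && $i != ")") soa[++nsoa] = $i
                if (nsoa >= 7) insoa = 0
                next
            }
            if (type == "CNAME") cname[owner] = fqdn(rdata)
            if (type == "NS")    target[fqdn(rdata)] = "NS record of " owner
            if (type == "MX")    target[fqdn($(c + 3))] = "MX record of " owner
        }
        END {
            bad = 0
            for (t in target) if (t in cname) {
                print target[t] " points at " t ", which is a CNAME (RFC 2181 section 10.3)"; bad = 1
            }
            if (nsoa >= 7 && secs(soa[6]) <= secs(soa[4]) + secs(soa[5])) {
                print "SOA expire " soa[6] " is not larger than refresh + retry"; bad = 1
            }
            exit bad
        }'
}
```

On the server run it as "zone_lint ca.com. < /var/named/ca.com.zone" before "service named reload"; a zone that passes both this and named-checkzone is safe to publish.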

Starting/Restarting/Stopping of BIND
To start, restart or stop a daemon in Linux, we use the command "service".
Start
# service named start
Restart
# service named restart
Stop
# service named stop
Status
# service named status

Troubleshooting BIND
Ensure BIND is working locally
To ensure BIND works locally, just execute the dig command with no arguments. It asks the first server in /etc/resolv.conf for the root name servers, so an answer that ends with SERVER: 192.168.205.10 proves that the local named is answering queries. It should return results similar to the following:
# dig

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>>
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16265
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      J.ROOT-SERVERS.NET.
.                       518400  IN      NS      K.ROOT-SERVERS.NET.
.                       518400  IN      NS      L.ROOT-SERVERS.NET.
.                       518400  IN      NS      M.ROOT-SERVERS.NET.
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
.                       518400  IN      NS      C.ROOT-SERVERS.NET.
.                       518400  IN      NS      D.ROOT-SERVERS.NET.
.                       518400  IN      NS      E.ROOT-SERVERS.NET.
.                       518400  IN      NS      F.ROOT-SERVERS.NET.
.                       518400  IN      NS      G.ROOT-SERVERS.NET.
.                       518400  IN      NS      H.ROOT-SERVERS.NET.
.                       518400  IN      NS      I.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     604800  IN      A       198.41.0.4
A.ROOT-SERVERS.NET.     604800  IN      AAAA    2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.     604800  IN      A       192.228.79.201
C.ROOT-SERVERS.NET.     604800  IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     604800  IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     604800  IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     604800  IN      A       192.5.5.241
F.ROOT-SERVERS.NET.     604800  IN      AAAA    2001:500:2f::f
G.ROOT-SERVERS.NET.     604800  IN      A       192.112.36.4
H.ROOT-SERVERS.NET.     604800  IN      A       128.63.2.53
H.ROOT-SERVERS.NET.     604800  IN      AAAA    2001:500:1::803f:235
I.ROOT-SERVERS.NET.     604800  IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     604800  IN      A       192.58.128.30
J.ROOT-SERVERS.NET.     604800  IN      AAAA    2001:503:c27::2:30

;; Query time: 2747 msec
;; SERVER: 192.168.205.10#53(192.168.205.10)
;; WHEN: Wed Apr 14 14:43:46 2010
;; MSG SIZE  rcvd: 500

If the above command does not work, it could be either of 2 problems:
i. A mistake in the configuration files
ii. The query is blocked by the firewall
Before checking the firewall rules, it is best to recheck your configuration first: named-checkconf validates /etc/named.conf, named-checkzone validates a zone file, and "service named status" together with /var/log/messages shows why named refused to start.

Ensure the network of the originating query is allowed in named.conf
Ensure that the network of the originating query is set in the acl statement of named.conf:
acl all {
192.168.205.0/24;
127.0.0.1;
};
Add the required network to this statement.

Ensure the query is not blocked by the firewall
Ensure that the DNS query is not blocked by the firewall on the server side, as well as on the client side. Refer to the Configure Firewall to allow BIND section for more information.

Appendix A – Networking configuration
1. Set a static IP address
Set up your network configuration and make sure the IP address of the server is static: the clients, the zone files and the server's own resolver all refer to it by address. Below is a sample configuration for an interface with a static address.
/etc/sysconfig/network-scripts/ifcfg-eth0:


# nano /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
IPADDR=192.168.205.10
NETMASK=255.255.255.0
BOOTPROTO=static
HWADDR=00:0C:29:75:C3:F4
ONBOOT=yes
BROADCAST=192.168.205.255
NETWORK=192.168.205.0
GATEWAY=192.168.205.2

2. Set the hostname of the server.

/etc/sysconfig/network:
# nano /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=svr1.ca.com

3. Ensure that the resolver file on the DNS server is set correctly. Since this machine is the DNS server, its own queries should go to itself first; anything outside the ca.com namespace is then passed on to the public DNS server named in the forwarders option. The second nameserver line is only a fallback for when named is down, and the resolver reads the list in order, so the server's own address must come first.

/etc/resolv.conf:
# nano /etc/resolv.conf
# search: append ca.com to unqualified names, so that "eliz" is looked up as eliz.ca.com
# (the comment has to be on its own line; text after "search ca.com" would be read as more domains)
search ca.com
nameserver 192.168.205.10
nameserver 192.168.205.2

Tuesday, April 13, 2010

IPTABLES PAT

A Simple PAT / Port Address Translation for outgoing traffic:

1.    Flush all rules in the NAT table (this only removes rules; -X deletes user-defined chains and -P resets a chain's default policy):

        iptables -t nat -F

2.    Configure NAT using iptables (in this example eth0 is the public outgoing interface)

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Packets are only forwarded at all if IP forwarding is enabled (net.ipv4.ip_forward = 1 in /etc/sysctl.conf), and the MASQUERADE rule should be limited with -s to the internal address range so that the box does not translate traffic for anyone who can route through it.

iptables script and making it persistent upon reboot

The /sbin/iptables command does not set persistence. Therefore we need to create a script and make sure the system calls it upon reboot for the firewall to remain persistent. Here is a sample script.

==================================
#!/bin/bash
#assign variable $IPT with the iptables command
IPT=/sbin/iptables

#set policies on each chain
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT #default, but set it anyway

#flush all rules in the filter table
$IPT -F

#flush all rules in the nat table
$IPT -F -t nat

#allow replies to connections this host or its clients opened (stateful match).
#"-p tcp ! --syn -j ACCEPT" is the old way of doing this and is unsafe: it lets
#any TCP segment without SYN through, including ACK scans and spoofed packets,
#and does nothing for UDP replies such as DNS answers.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow traffic on the loopback interface
$IPT -A INPUT -i lo -j ACCEPT

#allow icmp traffic
$IPT -A INPUT -p icmp -j ACCEPT

#allow incoming DNS queries (only needed if this host runs a DNS server).
#Answers to our own queries already match the ESTABLISHED rule above; never
#accept traffic merely because its source port is 53, as any sender can set that.
$IPT -A INPUT -p udp --dport 53 -j ACCEPT

#allow incoming proxy traffic from the internal network only
$IPT -A INPUT -p tcp -s 10.0.0.0/24 --dport 3128 -j ACCEPT

#allow incoming ssh traffic
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT

#allow new connections to be forwarded to the published internal services
#(the return traffic is covered by the FORWARD ESTABLISHED rule above).
#There is deliberately no general outbound FORWARD rule: internal clients reach
#the web only through the transparent proxy on this host.
$IPT -A FORWARD -p tcp -d 10.0.0.10 --dport 80 -j ACCEPT
$IPT -A FORWARD -p tcp -d 10.0.0.10 --dport 22 -j ACCEPT

#allow NAT
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#port forwarding
$IPT -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.0.10:80
$IPT -t nat -A PREROUTING -p tcp -i eth0 --dport 222 -j DNAT --to-destination 10.0.0.10:22

#Transparent Proxy
$IPT -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination 10.0.0.1:3128
#$IPT -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128
==================================
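Two rule patterns that commonly appear in hand-written scripts of this kind are worth catching before the ruleset is saved: an ACCEPT that trusts the source port (anyone can send UDP from port 53), and the "! --syn" shortcut that accepts every non-SYN TCP segment instead of tracking connection state. The following is an added example, not part of the original post, that scans an iptables-save style dump for both. The two dumps it embeds are constructed (the first mirrors the weak rules, the second the stateful replacement), and the function name fw_audit is my own:

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for source-port trust and
# stateless "! --syn" accepts. On a live host feed it the real dump:
#   fw_audit "$(iptables-save)"
# Constructed dump with the two weak patterns (this is how iptables-save
# renders "-p tcp ! --syn" and "--sport 53").
RULES_WEAK='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed dump using connection tracking instead.
RULES_FIXED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# fw_audit DUMP_TEXT
# Prints one line per weak ACCEPT rule in INPUT or FORWARD; returns 1 if any.
fw_audit() {
    printf '%s\n' "$1" | awk '
        /^-A (INPUT|FORWARD) / && / -j ACCEPT( |$)/ {
            # accept keyed on the source port alone: the remote side chooses that value
            if ($0 ~ /--sport/ && $0 !~ /--dport/ && $0 !~ /--state|--ctstate/) {
                print "source-port trust: " $0; bad = 1
            }
            # "! --syn": every ACK/FIN/RST segment gets in regardless of any connection
            if ($0 ~ /! --syn/ || $0 ~ /! --tcp-flags [A-Z,]+ SYN/) {
                print "stateless non-SYN accept: " $0; bad = 1
            }
        }
        END { exit bad }'
}
```

Run fw_audit after step 2 of the persistence procedure below and before "service iptables save", so that a weak rule is never written to /etc/sysconfig/iptables in the first place.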


Next is to make iptables persistent upon reboot, and there are many ways to do it. Let's look at the RHEL way, which uses a few tools that make the script persistent across reboots easily (this may not be applicable to other Linux distributions). As mentioned by many Linux users, a custom iptables script is sometimes necessary to work around the limitations of the RHEL firewall configuration tool. These are the steps:

   1. Make sure that the default iptables initialization script is not running:
          service iptables stop

    2. Execute the custom iptables script:
          sh [custom iptables script]
  
    3. Save the newly created iptables rules (this writes the running ruleset to /etc/sysconfig/iptables):
          service iptables save

     4. Restart the iptables service:
          service iptables restart

     5. Verify that the custom iptables ruleset has taken effect:
         service iptables status

     6. Enable automatic start up of the iptables service on boot:
         chkconfig iptables on

The custom iptables script should now be persistent upon system reboot. Note that "service iptables stop" leaves the host without a packet filter between steps 1 and 2, so run them back to back, and that the GUI tool (system-config-securitylevel) overwrites /etc/sysconfig/iptables if it is used again later.

-----------------------------------------------------------------------------


Alternatively, as described in the Debian Linux documentation, http://www.debian-administration.org/articles/445, we can 'attach' the script to the network interface so that when we do an ifdown and then ifup, the iptables script is brought up.


Or stick to the standard method described by the Debian Linux documentation using these steps. Here we use an example:

1.    Install iptables
            apt-get install iptables

2.    Flush all rules in the filter table (this removes rules only; user-defined chains and default policies are untouched):
            iptables -F

3.    Set the firewall rules....

4.    Display the firewall policy:

             iptables -L

Then configure your system to maintain these new firewall rules across reboots / make them persistent:


5.    Create a text file named iptables-script containing all the rules applied.

6.    Make the text file executable

             chmod 755 iptables-script

7.    Save the file in /etc/init.d

8.    Run update-rc.d, giving it the script's file name, to set at which runlevels the firewall rules are applied
         E.g. update-rc.d iptables-script start 20 2 3 4 5 . stop 99 0 1 6 .

9.    Reboot and verify that the policies are in place.


Further Reading:
http://electron.mit.edu/~gsteele/firewall/

http://www.tin.org/bin/man.cgi?section=8&topic=update-rc.d

http://townx.org/simple_firewall_for_ubuntu_using_iptables

Monday, April 12, 2010

Quotes by Nelson Mandela

It always seems impossible until it's done.

Education is the most powerful weapon which you can use to change the world.

I learned that courage was not the absence of fear, but the triumph over it. The brave man is not he who does not feel afraid, but he who conquers that fear.

There is no such thing as part freedom.

A good head and a good heart are always a formidable combination.

If you talk to a man in a language he understands, that goes to his head. If you talk to him in his language, that goes to his heart.

Saturday, April 10, 2010

Linux DNS Client Short notes

Possible Troubleshooting Areas:

1. The 2 configuration files for DNS are /etc/hosts and /etc/resolv.conf. By default the system looks in /etc/hosts first, then asks the servers listed in /etc/resolv.conf. The order is set by the hosts line in /etc/nsswitch.conf (the default is "hosts: files dns"); to query DNS first, change it to:

hosts: dns files

2. Add any static name-to-IP mapping to the /etc/hosts file. For example, localhost is already an entry in /etc/hosts by default:

127.0.0.1      MyclientMachine     localhost.localdomain       localhost

As TCP/IP understands 127.0.0.1 to mean the local machine, MyclientMachine, localhost.localdomain and localhost all point to the same place, which is 127.0.0.1.

3. Next, you may need to edit /etc/resolv.conf to include the DNS server you want this machine to use, so that it can resolve other names. The configuration is easy; here is an example:

#my local network DNS server
nameserver 192.168.1.2
#the next DNS server that I'll depend on if the first one is unreachable or does not resolve the address.
nameserver 202.65.247.31

The resolver only moves on to the second server when the first one times out or returns a server failure; a definite "no such name" answer from the first server is final, so both servers should serve the same view of the namespace.

4. But sometimes you don't even have to configure /etc/resolv.conf, because the DNS settings are provided by your DHCP server when your machine (the DHCP client) obtains its address, network mask, gateway, DNS name and DNS server addresses from the DHCP server.

Thursday, April 8, 2010

Mid Presentation PPT


Good afternoon Mr. Leung and Dr Ang. Our project is about a Linux troubleshooting framework using ITIL methodologies, strategies and tools.
A framework is a basic conceptual structure used to solve or address complex issues, usually a set of tools, materials or components. Especially in a software context the word is used as a name for different kinds of toolsets and component bases.
The Linux Troubleshooting framework is a collection of procedures to be used as a guideline.
Our project consists of Jonathan, Wee Yeong and myself (Elizabeth).


Our agenda for today: I will be presenting to you the introduction, project objective, project plan and project plan.
Wee Yeong will be presenting the network diagram, documentation template, Linux and Web 2.0.
And Jon will be presenting ITIL, problems faced and solutions.


For Introduction
Basic to understanding ITIL v3 is the service lifecycle, which consists of 5 phases:
Service strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement

Well, we extract some of the concept from ITILv2 and v3 for managing of our project team and developing Linux troubleshooting framework.


Our project objectives are: use ITIL concepts for the development of our project, develop an easy-to-understand framework for troubleshooting, develop a blog that will provide users with information on Linux troubleshooting, and develop a question bank for ITIL v3, which is for students to practise the questions.



Difficulty in understanding the difference between ITIL v2 and ITIL v3
Difficulty in adopting of ITIL v3 & v2 concepts into Linux Troubleshooting Framework.
You can't implement ITIL with just processes and technology.

You must address the people involved as well. ITIL demands attention to three components: people, process and technology.

Changes in process improve efficiency and effectiveness.
Changes in technology reduce costs and accelerate responsiveness.

But you ultimately have to change member to develop the culture you need to better support the roles and responsibility of the project

Some commands used on VMware Red Hat Linux do not work on the real Linux system


This is our project plan is for week 1 to week 5. We have gone through project initiation, project planning, which consist of Linux, web2.0 and ITIL, and the first iteration of project execution, linux, web2.0, itil and integration, and now we are in the stage for Preparation for mid term presentation.


So for the last 5 weeks, this is what we have accomplished.
In the first week, we have discuss and come out with a strict policy for change management and communication.
Then we proceed to beautify the blogskin for the blog, which is meant for the collaboration of past network and system admin projects, ITIL, and Linux Essential and Troubleshooting.
And since part of the requirement of the project is to come out with methods to troubleshoot Linux, we come out with a simple test environment so that we are able to research and test all the network services of Linux


This is the network diagram of our testing environment. We will use 3 computers in this environment. One to act as server that will host all the network services and 2 computers to be the client of this environment. For these 2 clients one will be using Linux, and the other will be a Windows platform to test for interoperability.

The following are some of the Network Services we are considering to deploy to our Server :

DHCP-Dynamic Host Configuration Protocol
NIS-Network Information System
SSH-Secure Shell
POP-Post Office Protocol
DNS-Domain Name System
FTP-File Transfer Protocol
IMAPS-Internet Message Access Protocol
NFS-Network File System