linux admin note

Syslog
QUOTA
NFS
Samba
SSH
TELNET
SQUID
BIND
SENDMAIL
POSTFIX
PROXY
HTTPD
FTP
DHCP
YP
LDAP
PPPD
NTP
MRTG
TRIPWIRE
PAM
Password Security Encryption
Process security
firewall
xinetd, tcp_wrappers iptables
security tools
PortForwarding
selinux

========================================================================

Libarary

source
|
compiler
|
Object code
|
linkear
|
staticlibrary,Dynamic library,statically linked executable code,
Dynamically linked executablecode
|
loader
|
shared library, executable code

/lib
/usr/lib
/usr/i486-linux-libc5/lib
/usr/X11R6/lib
/usr/i486-linuxout/lib

libname.so / libname.so.major

lld progfile

$lld /bin/rm

LD_LIBRARY_PATH
ldconfig -V
========================================================================
SSH
vi /etc/ssh/sshd_config
ssh 192.168.1.100 “uname -a”

scp /etc/hosts root@192.168.1.103:/tmp
scp root@smallfry:/tmp/software.rpm /usr/rpm
(http://winscp.vse.cz/eng/)

$sftp 192.168.1.200
SSH without password
Client
ssh-keygen -t dsa
cd ~/.ssh
scp id_dsa.pub sabin@192.168.59.7:public-key.tmp

Server
mkdir /root/.ssh
chmod 700 /root/.ssh
cd .ssh
cat ~/public-key.tmp >>authorized_keys
rm ~/public-key.tmp
========================================================================

SysLog
0 emergencies System unusable
1 alerts Immediate action required
2 critical Critical condition
3 errors Error conditions
4 warnings Warning conditions
5 notifications Normal but significant conditions
6 informational Informational messages
7 debugging Debugging messages

.info;mail.none;authpriv.none;cron.none           /var/log/messages
1) vi /etc/sysconfig/syslog
SYSLOGD_OPTIONS=”-r -m0″
service syslog restart

2) vi /etc/syslog.conf
user.*    @stationX
service syslog restart
logger -i -t yourname “this is test”

/etc/logrotate.d
ogrotate -f /etc/logrotate.d/syslog
zcat /var/log/messages.1.gz
==========================================================================
Quota
quota.user,quota.group
1)vi /etc/fstab
/home defaults,userquota,groupquota 1 2
2)mount -o remount /home
3)to verify
quotacheck -acug /home
quotacheck -avug /home
edquota -u user
edquota -g group
edquota -t grace
edquota -p kiran sab
quotaon/quotaoff -av
quotaon/quotaoff -avu
quotaon/quotaoff -avg

repquota -a
==========================================================================
NFS
1. You can only export directories beneath the “/” directory.
2. You cannot export a subdirectory of a directory that has already
been exported. The exception being when the subdirectory is on a different
physical device. Likewise you cannot export the parent of a subdirectory
unless it is on a separate device too.
3. You can only export local file systems.

Caching= “read ahead”

RPM=nfs-utils,portmap-4.0-57

Daemon=Portmap,NFS,NFSlock,NetFS

(async,atime,auto,dev,exec,noatime,noauto,nodev,noexec,
nosuid,nouser,remountro,rw,suid,sync,user)
defaults(rw,suid,dev,exec,auto nouser,async)

x = rsigw = n , number of bytes nfs uses when reading
n = 1024 (default)
x = wsize = n
timeo= n (7)
retry = n number of minutes to nfs mount retry
soft = if the file cannot be mounted and time
out occurs then reutrn an I/O error
hard = if timeout occurs it will display the message
but it will keep on trying unless retry time is over
intr=if nfs file operation has timeout and is
hard mounted then it allow signals to
intrrupt the operations
it uses udp by default
if want tcp then give tcp
optimum=8192
rw,ro(default),sync,async(defualt),no_subtree_check,
subtree_check,root_squash
no_root_squash – when a client connects to the server run as a root
all_squash

1) vi /etc/exports
/temp          *(rw)
/data/files           *(ro,sync)
/home                 192.168.1.0/24(rw,sync)
/data/test            *.my-site.com(rw,sync)
/data/database        192.168.1.203/32(rw,sync)

2)chkconfig –level 35 nfs on
chkconfig –level 35 nfslock on
chkconfig –level 35 portmap on

3) For Client
chkconfig –level 35 netfs on
chkconfig –level 35 nfslock on
chkconfig –level 35 portmap on

4) rpcinfo -p localhost
nfsstat
df -F nfs
showmount -a
exportfs -a (new share)
exportfs -v (refresh)
exportfs -ua(reload)
exportfs -a (new share)

5)vi /etc/fstab
#Directory                  Mount Point    Type   Options         Dump   FSCK
192.168.1.100:/data/files   /mnt/nfs        nfs    soft,nfsvers=2  0      0

6) mount -t nfs 192.168.1.1:/data/files /mnt/nfs

7)Auto Mount
$vi /etc/auto.master
# File: /etc/auto.master
#
/home   /etc/auto.home –timeout=300
/-      /etc/auto.direct

8)-Indrect map
$vi /etc/auto.home
peter   bigboy:/home/peter
bob     ochorios:/home/bob
bunny   waitabit:/home/bunny

-Direct Map
$vi /etc/auto.direct
/data/sales          -rw           bigboy:/disk1/data/sales
/sql/database        -ro,soft      waitabit:/var/mysql/database

-Using the Ampersand Wildcard
$vi /etc/auto.home
peter   bigboy:/home/&

9)chkconfig autofs on

Option Description
Bg Retry mounting in the background if mounting initially fails
Fg Mount in the foreground
soft Use soft mounting
hard Use hard mounting
rsize=n The amount of data NFS will attempt to access per read operation.
The default is dependent on the kernel. For NFS version 2 set it
to 8192 to assure maximum throughput.
wsize=n The amount of data NFS will attempt to access per write operation.
The default is dependent on the kernel. For NFS version 2 set it to 8192
to assure maximum throughput.
nfsvers=n The version of NFS the mount command should attempt to use
Tcp Attempt to mount the filesystem using TCP packets, the default is UDP.
intr If the filesystem is hard mounted and the mount times out, allow
for the process to be aborted using the usual methods such as <CTRL-C>
and the “kill” command.

===========================================================
SQUID
/var/spool/squid
/var/log/squid/access.log

1) vi /etc/squid/squid.conf
visible_hostname server1.nepal.com

acl home_network src 192.168.1.0/24
acl home_network src “/root/allow”
acl business_hours time MTWHF 9:00-17:00
http_access allow homenetwork business_hour
cache_dir
===========================================================
Bind

cp -f /etc/rndc.* /var/named/chroot/etc/
cp /etc/named.conf /var/named/chroot/etc/

1) vi /etc/named.conf
zone “nepal.com” IN {
type master;
notify no;
allow-update { none; };
allow-query { any; };
file “nepal.com.zone”;
};

2) cp /var/named/localhost.zone /var/named/nepal.com.zone
cp /var/named/localhost.   /var/named/nepal.rev

3) vi /var/named/nepal.com.zone

ns1.nepal.com. IN SOA root.nepal.com.(
1;
1H;
1H;
1H;
1H;
);
ns1.nepal.com.   IN NS 192.168.0.5
ns1.nepal.com.  IN A  192.168.0.5
nepal.com.       IN MX 9 mail.nepal.com.
nepal.com.       IN MX 10 mail1.nepal.com.
nepal.com.        IN A  192.168.0.9
nepal.com.        IN A  192.168.0.10
mail.nepal.com.  IN A  192.168.0.7
mail1.nepal.com. IN A  192.168.0.8
www.nepal.com.   IN A  192.168.0.9
www.nepal.com IN A  192.168.0.10
nis1.nepal.com   IN A  192.168.0.11
nis2.nepal.com   IN A  192.168.0.12
file.nepal.com   IN A  192.168.0.13
zone “0.168.196.in-addr.arpa” {
type master;
allow-update { none; };
notify no;
file “nepal.rev”;
};
$TTL 3D
@       IN        SOA        ns1.nepal.com.  hostmaster.nepal.com. (
200303301          ; serial number
8H                 ; refresh, seconds
2H                 ; retry, seconds
4W                 ; expire, seconds
1D )               ; minimum, seconds
NS         ns1.nepal.com.
5                PTR        ns1.nepal.com.
6                PTR        ns2.nepal.com.
7                PTR        mail.nepal.com.
8                PTR        mail1.nepal.com.
4) chkconfig named on

5) service named restart
6) named-checkconfig /etc/named.conf
named-checkzone /var/named.nepal.com.zone

7) nslookup www.nepal.com
dig @nepal.com www.nepal.com
dig @nepal.com MX
host nepal.com
========================================================================
Apache(httpd)
RPM= httpd-2.0.48-1.2.rpm

1) adduser nepal
2) passwd nepal
3) chmod 755 /home/nepal

4) vi /etc/httpd/conf/httpd.conf
ServerAdmin webmaster@nepal.com
servername  nepal.com
DocumentRoot “/home/nepal”(default)
<Directory “/home/nepal”> [/var/www/html]
Options All Indexes Includes FollowSymLinks ExecCGI MultiViews
[MultiViews -Indexes SymLinksIfOwnerMatch IncludesNoExec]
AllowOverride None (.htaccess)

Order allow,deny
Allow from all(Deny from all/[ip])
</Directory

<Directory /home/*/public_html>
</Directory>

DirectoryIndex index.html

Alias /sabin “/home/nepal/sabin”
<Directory “/home/nepal/sabin”>
</Directory>

ScriptAlias /cgi-bin “/home/nepal/cgi-bin”
<Directory “/home/nepal/cgi-bin”>
</Directory>

AddHandler cgi-script .cgi
AddHandler send-as-is asis

ErrorDocument 404 /missing.htm

5) Named Based Hosting
NameVirtualHost 192.168.0.9
NameVirtualHost 192.168.0.10

<VirtualHost *>
Default Directives. (In other words, not site #1 or site #2)
</VirtualHost>

<VirtualHost 192.168.0.9>
servername www.nepal.com
DocumentRoot /home/nepal
ServerAdmin sabin@nepal.com
ErrorLog logs/error.log
CustomLog logs/access.log
Directives for site #1
</VirtualHost>

<VirtualHost 192.168.0.9>
DocumentRoot /home/sabin
servername www.sabin.com
ServerAdmin sabin@nepal.com
ErrorLog logs/error.log
CustomLog logs/access.log
Directives for site #2
</VirtualHost>

<VirtualHost 192.168.0.10>
DocumentRoot /home/www/site2
ServerName www.nepal.com
ServerAlias nepal.com, www.arati.com arati.com
</VirtualHost>

options=
<Directory “/home/*”>
Order allow,deny
Allow from all

AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
6) IP based Hosting

<VirtualHost *>
DocumentRoot /home/nepal
</VirtualHost>

<VirtualHost 192.168.0.9>
DocumentRoot /home/sabin
servername 192.168.0.9
ServerAdmin sabin@nepal.com
ErrorLog logs/error.log
CustomLog logs/access.log

</VirtualHost>

<VirtualHost 192.168.0.10>
DocumentRoot /home/arati
servername 192.168.0.10
ServerAdmin arati@nepal.com
ErrorLog logs/error.log
CustomLog logs/access.log
</VirtualHost>

Compression of static pages
(before virtual hosting)
LoadModule deflate_module modules/mod_deflate.so
<Location />
# Insert filter
SetOutputFilter DEFLATE
# Netscape 4.x has some problems…
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# Don’t compress images
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png)$ no-gzip dont-vary
# Make sure proxies don’t deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</Location>

7) Proctecting Site
htpasswd -c /home/nepal/.htpasswd sabin
htpasswd  /home/nepal/.htpasswd arati
chmod 644 /home/nepal/.htpasswd

vi .htpasswd (or <Directory>)

AuthUserFile /home/nepal/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user valid-user

8)
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -x509 -out server.crt
cp server.{key,crt} /etc/httpd/conf/
or
/etc/httpd/conf/make testcert
/etc/httpd/conf/make certreq

vi /etc/httpd/conf.d/ssl.conf
<VirtualHost 192.168.0.7:443>
ServerAdmin
DocumentRoot
ServerName
ServerAlias
SSLEngine on
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key
</VirtualHost>
========================================================================

Web mail (squriell mail)www.hotscripts.com
$vi /var/www/html/webmail/config/config.php

$org_name      = “Microtech International”;
$org_logo      = SM_PATH . ‘images/mtechlogo.jpg.new’;
#$org_logo      = ‘/home/chehen/mtechlogo.jpg’;
$org_logo_width  = ‘308’;
$org_logo_height = ‘111’;
$org_title     = “Microtech International”;
$signout_page  = ‘http://portal.mtech.com.np’;
$frame_top     = ‘_top’;

$provider_uri     = ‘http://www.microtech.com.np’;

$provider_name     = ‘www.microtech.com.np’;

$motd = ” “;

$squirrelmail_default_language = ‘en_US’;

$domain                 = ‘microtech.com.np’;
$imapServerAddress      = ‘192.168.59.1’;
#$imapServerAddress      = ‘192.168.59.7’;
$imapPort               = 143;
$useSendmail            = false;
#$useSendmail            = true;
$smtpServerAddress      = ‘192.168.59.1’;
$smtpPort               = 25;
$sendmail_path          = ‘/usr/sbin/sendmail’;
$pop_before_smtp        = false;
$imap_server_type       = ‘other’;
$invert_time            = false;
$optional_delimiter     = ‘detect’;

vi /etc/httpd/conf.d/squriellmail
========================================================================
Webmin (Web Administration) www.webmin.com

Installed Directory (/var/libexec/mrtg)
$./setup.sh

http://192.168.59.7:10000
=========================================================================
PostFix
/etc/postfix/main.cf
/etc/postfix/master.cf
Daemon=master,qmgr,smtpd,pikup(others)

1)alternatives  -set mta /usr/sbin/sendmail.posfix
2)vi /etc/postfix/main.cf
myorigin=nepal.com
mydestination= nepal.com mail.nepal.com
mynetworks=192.168.0.0/24,127.0.0.1
inet_interfaces=all

3)service postfix start
4)aliases,virtual,access
5)postmap /etc/postfix/access
=========================================================================
SendMail

1) vi /etc/mail/sendmail.cf or vi /etc/mail/sendmail.mc
copy define(“Daemon Port Options = Port=smtp; Addr=127.0.0.1,Name MTA”)
Paste define(“Daemon Port Options = Port=smtp; Addr=192.168.0.7,Name MTA”)

define(MAIL_HUB’, ‘nepal.com’)
define(‘SMART_HOST’,’nepal.com’)
define(‘MASQUERADE_AS’,’nepal.com’)
EXPOSED_USER(‘root’)

MASQUERADE_AS(`nepal.com.’)
MASQUERADE_DOMAIN(`nepal.com.’)
MASQUERADE_AS(nepal.com)
FEATURE(`accept_unresolvable_domains’)dnl
FEATURE(delay_checks)dnl
FEATURE(always_add_domain)dnl
FEATURE(`masquerade_entire_domain’)dnl
FEATURE(`masquerade_envelope’)dnl
FEATURE(`allmasquerade’)dnl
MASQUERADE_AS(`my-site.com’)dnl
MASQUERADE_DOMAIN(`my-site.com.’)dnl
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl

For LDAP
LDAPROUTE_DOMAIN
LDAP_ROUTIN
2)m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

3)vi /etc/mail/local-host-names(Receive mail of domain, To receive)
nepal.com
mail.nepal.com

4)vi /etc/mail/access (To allow to send mail )
localhost.localdomain RELAY
localhost             RELAY
127.0.0.1             RELAY
nepal.com             RELAY
mail.nepal.com        RELAY
192.168.0             RELAY
mail1.nepal.com       RELAY (for backup email)
spam.com              REJECT

5) vi /etc/mail/virtusertable (to redirect emails)
@nepal.com          sabin
info@nepal.com sabin

6) make all

7) vi /etc/aliases
hardware: sabin,subash,arati,rakesh,shyam

8) newaliases

9) vi /etc/mail/relay-domains
nepal.com  RELAY

10)chkconfig sendmail on
chkconfig ipop3 on
chkconfig imapd on

11) service sendmail restart
service xinetd restart

12) sendmail -d0.1 </dev/null (to check)

13) mail -s hello sabin@nepal.com
hello
.

echo “helooo”|mail -v -s hello sabin@nepal.com
mail -s hello sabin@nepal.com < /root/a.txt
14)mailq or sendmail -bd -q 30m
sendmail -bd -q
sendmail -q

15) nmap nepal.com (check 25 and 110 port is open)

16) mail, pine , mutt

17) Check SMTP
telnet 192.168.0.7 25
helo nepal.com
mail from: sabin@nepal.com
rcpt to: arati@nepal.com
data
hello
there
.
quit

18) To check POP
telnet 192.168.0.7 110
user sabin
pass shrestha
stat
top 1 99999
dele 1
quit

19 tail -f /var/log/maillog

===============================================================
Spam Controling
spamassassing / mimedefang
1)$vi /etc/mail/spamassassin/local.cf
Required_hits 6
rewrite_subject 1
subject_tag [SPAM]
report_safe 0

# How many hits before a message is considered spam.
required_hits           6.0

# Whether to change the subject of suspected spam
rewrite_subject         1

# Text to prepend to subject if rewrite_subject is used
subject_tag             [SPAM]

# Encapsulate spam in an attachment
report_safe             1

# Use terse version of the spam report
use_terse_report        0

# Enable the Bayes system
use_bayes               1

# Enable Bayes auto-learning
auto_learn              0

# Enable or disable network checks
skip_rbl_checks         1
use_razor2              0
use_dcc                 0
use_pyzor               0

auto_whitelist_path     /etc/mail/spamassassin/auto-whitelist
bayes_path              /etc/mail/spamassassin/bayes

score SPAM_PHRASE_34_55              3.516
score SPAM_PHRASE_55_XX              1.505
score SPAM_PHRASE_21_34              2.856
score SPAM_PHRASE_13_21              2.337
score SPAM_PHRASE_08_13              2.385
score SPAM_PHRASE_05_08              2.640
score SPAM_PHRASE_03_05              2.084
score SPAM_PHRASE_00_01              0.781
score SPAM_PHRASE_02_03              0.758
score SPAM_PHRASE_01_02              0.500
score LINES_OF_YELLING_2             1.500
score FORGED_RCVD_FOUND              4.000
score MAY_BE_FORGED                  1.000
score UPPERCASE_50_75                2.000
score HTML_FONT_FACE_ODD             1.500
score NIGERIAN_TRANSACTION_1         3.000
score LINES_OF_YELLING               1.500
score WEB_BUGS                       2.500
score FORGED_YAHOO_RCVD              2.500
score SUBJ_HAS_UNIQ_ID               2.000
score JAVASCRIPT_VERY_UNSAFE         3.500
score HTML_FONT_INVISIBLE            2.000
score CTYPE_JUST_HTML                4.000
score FROM_NO_USER                   2.500
score BILLION_DOLLARS                1.000
score CLICK_BELOW                    2.000
score RELAYING_FRAME                 2.000
score MIME_SUSPECT_NAME              2.000
score MIME_HTML_NO_CHARSET           3.000
score MICROSOFT_EXECUTABLE           2.000
score MISSING_MIMEOLE                2.000
score ONLINE_PHARMACY                2.000
score SAVE_UP_TO                     2.000
score SAVE_MONEY                     2.000
score MIME_HTML_ONLY                 2.000
score MONEY_BACK                     2.000
score HTML_FONT_FACE_BAD             3.000
score VIAGRA                         4.000
score VIAGRA_ONLINE                  4.000
score SUBJ_HI                        2.500
score HTML_WEB_BUGS                  2.500
score HTML_IMAGE_ONLY_02             3.000
score HTML_IMAGE_ONLY_04             2.500
score HTML_IMAGE_ONLY_06             2.000
score HTML_IMAGE_ONLY_08             1.500
score HTML_IMAGE_ONLY_10             1.000
score RATWARE_HASH_2                 2.000
score RATWARE_HASH_2_V2              2.000
score MISSING_OUTLOOK_NAME           2.000
score HTML_FONTCOLOR_UNKNOWN         2.000
score NORMAL_HTTP_TO_IP              2.000
score GAPPY_SUBJECT                  3.500
score HTML_FONT_BIG                  2.000
score REMOVE_PAGE                    1.500
score HTML_SHOUTING4                 2.000
score HTML_SHOUTING3                 2.000
score HTML_SHOUTING2                 2.000
score HTML_SHOUTING                  2.000
score NO_REAL_NAME                   2.000
score HGH                            3.000
score MIME_MISSING_BOUNDARY          2.000
score SAVINGS                        3.000
score AMAZING_STUFF                  2.000
score HTML_MESSAGE                   2.500

2)vi /etc/procmailrc

# send mail through spamassassin
:0fw
| /usr/bin/spamc

LOGFILE=/var/log/procmail.log
DROPPRIVS=yes

# Delete all messages with dangerous attachments, as long as below a certain size
# Note: The whitespace in the [ ] below comprises a space and a tab character
:0
* < 256000
* ! ^Content-Type: text/plain
{
:0B
* ^(Content-(Type|Disposition):.*|[     ]*(file)?)name=(“[^”]*|[^ ]*)\.(bat|cmd|com|exe|js|pif|scr|zip)
/dev/null
}

# SpamAssassin sample procmailrc
#
# Pipe the mail through spamassassin (replace ‘spamassassin’ with ‘spamc’
# if you use the spamc/spamd combination)
#
# The condition line ensures that only messages smaller than 250 kB
# (250 * 1024 = 256000 bytes) are processed by SpamAssassin. Most spam
# isn’t bigger than a few k and working with big messages can bring
# SpamAssassin to its knees.
#
# The lock file ensures that only 1 spamassassin invocation happens
# at 1 time, to keep the load down.
#
:0fw
* < 256000
| /usr/bin/spamc

# Delete messages with very high spam level
# Tweak this to your own comfort level!
:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*
/dev/null

# Work around procmail bug: any output on stderr will cause the “F” in “From”
# to be dropped.  This will re-add it.
:0
* ^^rom[ ]
{
LOG=”*** Dropped F off From_ header! Fixing up. ”

:0 fhw
| sed -e ‘1s/^/F/’
}
# Klez worm procmail filter
:0 B
* 135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE
/var/log/klez
3)vi ~/.procmailrc file

INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc

:0 Hw
* ^X-Spam-Status: Yes
spam

==========================================================================
4) Procmail (~/.procmailrc)
:0
*^From: test@try.com
!sabin@nepal.com

*^From: *root/root*

*^subjct: .*free.*
/dev/null

:0
*^From: test@try.com
!sabin@abc.com

:0
* ^From: spammer@domain.com
/dev/null

:0:
* ^(From|CC|To).*tux-lug
tuxlug

==========================================================================
Anti virus
http://www.clamav.net/
groupadd clamav
useradd -g clamav -s /bin/false -c “Clam AntiVirus” clamav
cd /usr/local/src
wget http://optusnet.dl.sourceforge.net/sourceforge/clamav/clamav-0.82.tar.gz
tar xzf clamav-0.82.tar.gz
chown -R root.root clamav-0.82
cd clamav-0.82
./configure
make
make install
Customise the clamd configuration file

vi /usr/local/etc/clamd.conf
# make sure you comment out the “example” line
LogSyslog
FixStaleSocket
User qscand  # need to run as user qscand for clamav
to work with recent versions of the qmail-scanner script
Configure clamd so it is running all the time from bootup onwards

cp contrib/init/RedHat/clamd /etc/rc.d/init.d/
chmod 744 /etc/rc.d/init.d/clamd
chkconfig –add clamd
Then I like to use the ntsysv program to double-check
that clamd is set to launch at boot time

If you aren’t ready to reboot the server now, you can
fire up clamd in the mean time with this command :

/etc/rc.d/init.d/clamd start
At this point the clamd software should be running.
A good way to verify this is to use this command :

ps axf
And if all is well, you should be able to see something like this :

18144 ? S 0:00 /usr/local/sbin/clamd
Schedule automatic downloading

touch /var/log/clam-update.log
chmod 600 /var/log/clam-update.log
chown clamav /var/log/clam-update.log
crontab -e
0 * * * *  /usr/local/bin/freshclam –quiet -l /var/log/clam-update.log
Download latest updates now

/usr/local/bin/freshclam -v
=========================================================================
RAZOR V2

http://razor.sourceforge.net/

If Razor is installed, SpamAssassin will automatically include it in the
list of tests run. We found that Razor is quite accurate in identifying
spam, and it only added small amount of extra CPU load on the server, so
it is definitely worth installing.

Compile and install :

# install the pre-requisite modules for razor
perl -MCPAN -e shell
#(enter your way through all the questions. The only one you will likely
have to answer is regarding your Continent/Country)
# tell the cpan shell to follow the dependency tree and automatically grab
any required modules
o conf prerequisites_policy follow
# make sure you have some of the basic tools needed to get the CPAN
downloads working smoothly
install LWP MD5
# install the razor pre-requisites now
install Net::Ping Net::DNS Time::HiRes Digest::SHA1 Getopt::Long File
::Copy Digest::Nilsimsa URI::Escape
quit
# now install the actual razor software
tar xzf razor-agents-2.67.tar.gz
chown -R root.root razor-agents-2.67
cd razor-agents-2.67
perl Makefile.PL
make
make test
make install
cd ..
The Razor programs will now be installed in /usr/bin. In particular,
SpamAssassin makes use of the program called : “razor-check”

Last job is to create the Razor configuration
files (they get put into /etc/razor/) by using these commands :

razor-client
razor-admin -d -create -home=/etc/razor
If your server is going to be busy, then I would recommend
you edit the razor config file and turn down the debugging level a bit :

vi /etc/razor/razor-agent.conf
debuglevel=1

==========================================================================
Fetchmail(offline Mail server)
$vi /root/.fretchmail
#set no bouncemail
poll pop.websurfer.com.np with proto pop3  and options no dns
aka nepal.com
user “info” there with password “catchme” is * here expunge 10

$vi /root/.mailscript
#!/bin/sh
echo “**************************”
/bin/date
/usr/bin/fetchmail -v -a
/usr/sbin/sendmail -bp
/usr/sbin/sendmail -q

crontab
0-59 * * * * /root/.mailscript >> /var/log/fetchmaillog

=================================================================
FTP
$vi /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
ftpd_banner=Welcome to Nepal FTP Server.
chroot_local_user=YES

=================================================================
DHCP
1)vi /etc/dhcpd.conf
(/usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample)
authoritative;
ddns-update-style none; (ad-hoc/interim;)
default-lease-time 604800;
max-lease-time 2592000;
option routers 192.168.0.1;
option domain-name-servers 192.168.0.5;
option domain-name-servers 192.168.0.6;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;

subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.200 192.168.0.250;
}

host mailserver {
hardware ethernet 00:02:44:4A:E8:B1;
fixed-address 192.168.0.8;
}

host sabin {
hardware ethernet 00:0C:29:07:8F:2D;
fixed-address 192.168.0.70;

2)vi /etc/sysconfig/dhcpd
# Command line options here
DHCPDARGS=eth0

touch /var/lib/dhcp/dhcpd.leases

3)vi /etc/sysconfig/dhcrelay
(The DHCP Relay Agent (dhcrelay) allows you to relay DHCP
and BOOTP requests from a subnet with no DHCP server on it
to one or more DHCP servers on other subnets)

service dhcrelay start
====================================================================
PPP Server
vi /etc/inittab
S1:2345:respawn:/sbin/mgetty -D /dev/ttyS1

vi /etc/ppp/options.server
-detach
asyncmap 0
modem
crtscts
lock
require-pap
refuse-chap
login
proxyarp
192.168.59.1:192.168.59.100
ms-dns 192.168.59.7

vi /etc/ppp/options
noauth
defaultroute
lock
ipcp-accept-local
ipcp-accept-remote
usepeerdns
passive

vi /etc/ppp/resolv.conf
nameserver 202.52.255.47
nameserver 202.52.255.3

5)vi /etc/syslog.conf
daemon.* /dev/console

6) cat /etc/ppp/pap-secrets

[root@mail ppp]# cat pap-secrets
# Secrets for authentication using PAP
# client        server  secret                  IP addresses
*               *       “”                              *

7) vi /etc/mgetty+sendfax/ login.config
/AutoPPP/ –     –       /usr/sbin/pppd file /etc/ppp/options.server

#Callback conf
back – – /usr/sbin/callback -S 4352548
=======================================================================
Webmin (Web Administration)
Installed Directory (/var/libexec/mrtg)
$./setup.sh

http://192.168.59.7:10000
========================================================================
YP(NIS server)
Daemon: portmap,ypbind,yptools,ypserv,ypxfrd,nfslock,nfs
1) vi /etc/sysconfig/network
NISDOMAIN=nis1.nepal.com
2) domainname nepal.com
/var/yp/Makefile
all:passwd group hosts
nopush=true,merge_groups=files
/var/yp/make [passwd shadow host]
service portmap start
service ypserv start
/usr/lib/yp/ypinit -m [-s masterservers]
/var/yp/ypservers
service yppasswdd start
service ypserv start

rpcinfo -p localhost
if new user added
/var/yp/make

$ypmatch nisuser passwd
getent passwd nisuser

/var/yp/securenets[network security]
/etc/nsswitch.conf[files dns,nis]

# /etc/yp.conf – ypbind configuration file
ypserver 127.0.0.1
Client
portmap,ypbind,yptools
1) /etc/sysconfig/network
NISDOMAIN=server1.sabin.com
authconfig [/etc/yp.conf]
ypcat passwd[must execute when new useris added]
ypwhich,ypcat,ypchfn,ypchsh,yppasswd,ypush

NFS

/etc/exports
/home *(rw)
service nfs restart
exportfs -r
exportfs -v
exportfs -u
exportfs -a

/etc/auto.master
/home /etc/auto.home –timeout 60

/etc/auto.home
* -rw,soft,intr 192.168.0.1:/home/&
or
*   -fstype=nfs,soft,intr,rsize=8192,wsize=8192,nosuid,tcp \
192.168.1.100:/home:&

service autofs restart
======================================================================
SAMBA (SWAT Makes Samba Simpler http://localhost:901)
share a linux drive with win machine
share a win datat in linux
share a linux printer with win machine
share a win printer with linux
1.FOR Win 95/98 – regedit hkey_Local_Machine/system/currentcontrol/services/VxD/vnetsup/
Add a new Dword value: EnablePlanTextPassword 0x01
2.NT HKEY_LOCAL_MACHINE/system/CurrentControl/services/Rdr\parameters\
——
Dword
EnablePlanTextPassword 0x01
2000
—-
Hkey_local_machine\system\current\services\Rdr\Parameters
EnablePlainTextPassword ox01

Swat
chkconfig swat on
http://localhost:901

1)vi /etc/samba/smb.conf

Section Description
[global] General Samba configuration parameters
[printers] Used for configuring printers
[homes] Defines treatment of user logins
[netlogon] A share for storing logon scripts.
(Not created by default.)
[profile] A share for storing domain logon information such as
“favorites” and desktop icons.(Not created by default.)

[global]

workgroup = HOMENET
server string = Sabin Server
host allow =192.168.0.
printing = lprng
printcap name =/etc/printcap
security= user share
security=[users,shares,server,domain]
load printers = yes
guest account = sabin
allow hosts = host list
deny hosts = host list
admin users = users list

[global] for domain
workgroup = HOMENET
time server = Yes
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
[homes]
read only = No
browseable = No
create mask = 0644
directory mask = 0755

[netlogon]
path = /home/samba/netlogon
guest ok = Yes

[profiles]
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
public = yes

[tmp]
comments = sabin share
path = /tmp
valid users = sabin
public = no
writable =yes
printable=no
guest ok = yes
only guest = yes
create mask = 0765
read only = yes
write list= @manager

Authentication from NT
———————–
encrypt password = yes
security = server
password server = <netbios name> of PDC

wins
—–
wins supoort = yes
wins server = IP of wins server

Authentication Server:
———————-
encrypt password = yes
domain logons = yes
OS level = 033
[NET LOGON]
path = <someshare in fs>
read only = yes

SAMBA as a PDC ( primary domian controller)
————————————–
[ global section]
workgroup =
netbios name =
domain logons = yes
security = user
local master = yes
os level = 65 | 64
preferred master = yes
domain master = yes
logon path = \\%N\profiles\%U
logon home = \\<homeserver>\%U
[netlogon]
path = /usr/local/samba/netlogon

root is a Admin user for domain
groupadd sysadmin

domain admin group = @sysadmin
admin users = @sysadmin
printer admin = @sysadmin

Dynamic Creation Of Machine Trust Accounts
[global]
# <…remainder of parameters…>
add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
groupadd samba-clients
2)smbpasswd -a root password

smbclient //192.168.0.1/abc -U sabin
nmblookup server -R sabin| nmb \*
smbmount //server/share /mnt/sab -o username=sabin
fstab
//server/1/public /mnt/smb smbfs defaults,username=sabin 0 0
password file= /etc/samba/samba
smbadduser root:sabin
smbpasswd -U root

smclient //station5 -U <username%password>

smbclient //server1/myshare  -N -Tx backup.tar
smbclient //server1/myshare  -N -TXx backup.tar /users/doc
mount -t smbfs -o username=admin%passwd IP //server/share /mnt/share
smbmount //server/share mnt_pt -o username=xxxx%pass

======================================================================
LDAP
1. /etc/openldap/slapd.config
suffix “dc=example,dc=com”
rootdn “cn =root , dc=examplex,dc=com”
rootpw  secret (crypt)
perl -e ” print crypt (‘passwd’,’a_shell’);”
Migrate all users in LDAP server
2. create users student 1 – student with redhat1 – redhat9
#!/bin/bash
for 1 in `seq 1 9` ; do
useradd student$1
echo “redhat$1″ |passwd –stdin student$1
done
3. /usr/share/openldap/migration
migrate_common.ph
$DEFAULT_MAIL_DOMAIN=”stationX. example.com
$DEFAULT_BASE=”dc=example, dc=com”

/etc/protocols
/etc/services
comment all #+
./migrate_all_offline.sh
./migrate_all_nis_online.sh
”       ”   ”    ”
file of ldap:
/var/lib/ldap
chown -R ldap.ldap /var/lib/ldap
service ldap restart
———————
client side:
graphical LDAP client
preferences select server tab
Name– stationx.example.com
LDAPHOST:  ”
BASE DN: dc=example,dc=com
=========================================================================
LDAP
Scenario
The I.T. department in a small organization “nepal.com” has
many Linux servers they need to administer.

1. They want a simple, secure, centralized login scheme for all of them.
2. They have decided to use the LDAP domain “example.com” for their LDAP
database in which one domain component (DC) will be “example”, and
the other will be “com”.
3. The database will only have one organizational unit simply called
“People” which is the LDAP default.
4. Each person will have attributes such as a username (User ID or UID),
password, Linux “home” directory and login shell.
5. The Fedora Linux server named “nepal” will act as the LDAP server
containing the database and has the IP address 192.168.1.100.
6. The Fedora Linux server named “sabin” will be used to test the system
as the LDAP client and has the IP address 192.168.1.102.
7. Server “nepal” has a special user account named “ldapuser” that will
be used to test the LDAP logins.

Required LDAP Server RPMS
openldap,openldap-clients,openldap-devel,nss_ldap,openldap-servers
Required LDAP Client RPMS
openldap,openldap-clients,openldap-devel,nss_ldap

1)Create a database directory
mkdir /var/lib/ldap/example.com
chown ldap:ldap /var/lib/ldap/example.com

2)Create an LDAP “root” password
slappasswd
{SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ

3)vi /etc/openldap/slapd.conf
database        ldbm
suffix          “dc=example,dc=com”
rootdn          “cn=Manager,dc=example,dc=com”
rootpw          {SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ
directory       /var/lib/ldap/example.com
4)service ldap start

5)Create the “ldapuser” test account
useradd -g users ldapuser
passwd ldapuser
grep ldapuser /etc/passwd > /etc/openldap/passwd.ldapusers
grep root /etc/passwd >   /etc/openldap/passwd.root

6)Find the conversion script
slocate -u
locate migrate
(/usr/share/openldap/migration/migrate_passwd.pl)

7) Convert user’s to ldap
/usr/share/openldap/migration/migrate_passwd.pl \
/etc/openldap/passwd.ldapusers /etc/openldap/ldapusers.ldif

/usr/share/openldap/migration/migrate_passwd.pl \
/etc/openldap/passwd.root /etc/openldap/root.ldif

8)Edit the user LDIF file
vi /etc/openldap/ldapusers.ldif
:%s/padl/example/g

vi /etc/openldap/root.ldif
:%s/padl/example/g
under the UID line in the file.
cn: Manager

9) vi etc/openldap/example.com.ldif
dn: dc=example,dc=com
dc: example
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People, dc=example,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit

10)Import the LDIF files into the database

ldapadd -x -D “cn=Manager,dc=example,dc=com” \
-W -f /etc/openldap/example.com.ldif

ldapadd -x -D “cn=Manager,dc=example,dc=com” \
-W -f /etc/openldap/root.ldif

ldapadd -x -D “cn=Manager,dc=example,dc=com” \
-W -f /etc/openldap/ldapusers.ldif
11) Test the LDAP database
ldapsearch -x -b ‘dc=example,dc=com’ ‘(objectclass=*)’

Client
1)vi /etc/openldap/ldap.conf
HOST 192.168.1.100
BASE dc=example,dc=com

2)vi  /etc/nsswitch.conf
$authconfig
[*] Use Shadow Passwords
[*] Use MD5 Passwords
[*] Use LDAP                   [ ] Use TLS
Server: 192.168.1.100
Base DN: dc=example,dc=com
3) Create a home directory for ldap
mkdir /home/ldapuser
chmod 700 /home/ldapuser/
chown ldapuser:users /home/ldapuser/
ll /home
cp /etc/skel/.* /home/ldapuser/
chown ldapuser:users /home/ldapuser/.*

4)vi /usr/local/bin/addldapuser (adduser)
#!/bin/bash
grep $1 /etc/passwd > /tmp/changeldappasswd.tmp
/usr/share/openldap/migration/migrate_passwd.pl \
/tmp/changeldappasswd.tmp /tmp/changeldappasswd.ldif.tmp
cat /tmp/changeldappasswd.ldif.tmp | sed s/padl/example/ \
> /tmp/changeldappasswd.ldif
ldapadd -x -D “cn=Manager,dc=example,dc=com” -W -f \
/tmp/changeldappasswd.ldif
rm -f /tmp/changeldappasswd.*

5)addldapuser ldapuser
Create home directories for the user on all the LDAP client Linux boxes

6) vi/usr/local/bin/deleteldapuser
#!/bin/bash
ldapdelete -x -W -D “cn=Manager,dc=example,dc=com” \
“uid=$1,ou=People,dc=example,dc=com”
7)deleteldapuser ldapuser

8)vi /usr/local/bin/modifyldapuser
#!/bin/bash
grep $1 /etc/passwd > /tmp/modifyldapuser.tmp
/usr/share/openldap/migration/migrate_passwd.pl \
/tmp/modifyldapuser.tmp /tmp/modifyldapuser.ldif.tmp
cat /tmp/modifyldapuser.ldif.tmp | sed s/padl/example/ \
> /tmp/modifyldapuser.ldif
ldapmodify -x -D “cn=Manager,dc=example,dc=com” -W -f \
/tmp/modifyldapuser.ldif
rm -f /tmp/modifyldapuser.*

9)passwd ldapuser
modifyldapuser ldapuser

LDAP Web Management Tools
The LDAP Account Manager (LAM) available at http://lam.sourceforge.net/
=========================================================================
TOMCAT server(JSP)

=======================================================================
NTP Server
http://www.eecis.udel.edu/~mills/ntp/servers.html
1) vi /etc/ntp.conf
server otherntp.server.org
server ntp.research.gov

restrict otherntp.server.org   mask 255.255.255.255 nomodify notrap noquery
restrict ntp.research.gov      mask 255.255.255.255 nomodify notrap noquery

restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 127.0.0.1

2)ntpdate -u 192.168.1.100
ntpq -p
======================================================
CLOCK
http://www.nixcraft.com/uniqlinuxfeatures/tools/
vivek-tech.com

# $ clock &
#
echo
echo “Digital Clock for Linux”
echo “To stop this clock use command kill pid, see above for pid”
echo “Press a key to continue. . .”

while :
do
ti=`date +”%r”`
echo -e -n “\033[7s”    #save current screen postion & attributes
#
# Show the clock
#

tput cup 0 69          # row 0 and column 69 is used to show clock

echo -n $ti            # put clock on screen

echo -e -n “\033[8u”   #restore current screen postion & attributs
#
#Delay fro 1 second
#
sleep 1
done
find / -type f -perm +6000 -ls
find / -perm -2 ! -type l -ls
find / -nouser -o -nogroup
====================================================================
VPN
ipsec-tools,openswan-2.1.4-1.fc2.i386.rpm
chkconfig ipsec on
ipsec verify

1)vi /etc/sysctl.conf
net/ipv4/ip_forward = 1

2)sysctl -p

VPN Configuration Steps (Using RSA Keys)

Left Internet IP address of the left hand side VPN device
Leftsubnet The network protected by the left hand side VPN device
Leftid Fully Qualified Domain Name in DNS of the left hand side VPN
device preceded by an “@” sign. If DNS hasn’t been set up for
the IP addresses, then you’ll want to remove this entry as names
that don’t resolve correctly will cause the VPN initialization to fail.
Leftrsasigkey The entire “left” RSA sig public key for the left hand side
VPN device. This can be obtained by using the “ipsec showhostkey –left” command.
Leftnexthop The next hop router from the left hand side VPN device when t
trying to reach the right hand side VPN device. You may use an
auto-generated variable “%defaultroute” which will be valid in most
cases, or the actual IP address of the next hop router in cases where
the next hop is not the default router.
Right Internet IP address of the right hand side VPN device
Rightsubnet The network protected by the right hand side VPN device
Rightid Fully Qualified Domain Name in DNS of the right hand side VPN device
preceded by an “@” sign. If DNS hasn’t been set up for the IP
addresses, then you’ll want to remove this entry as names that don’t
resolve correctly will cause the VPN initialization to fail.
Rightrsasigkey The entire “right” RSA sig public key for the right hand side
VPN device. This can be obtained by using the “ipsec showhostkey –right” command.
Rightnexthop The next hop router from the right hand side VPN device when
trying to reach the right hand side VPN device. You may use an auto-generated
variable “%defaultroute” which will be valid in most cases, or the actual
IP address of the next hop router in cases where the next hop is not the default router.

Creating Your Own Keys
ipsec rsasigkey –verbose 2048 > keys.tmp

Get The Left Public Key
ipsec showhostkey –left > /tmp/left.pub

Get The Right Public Key
ipsec showhostkey –right > /tmp/right.pub
1)The /etc/ipsec.conf file
( It is important to maintain the indentation,
The “net-to-net” sub sections must be the same in the
/etc/ipsec.conf for both the left and right hand side VPN devices.
There must be no blank lines in the net-to-net section between
parameters. Lines commented with a “#” are acceptable
Restarting IPSec to reload the configuration file doesn’t
necessarily restart the tunnels. If you set the “auto=” parameter
to “add”, the tunnel will only be started manually with the “ipsec”
command. If the parameter is commented out then the tunnel will
never start. A value of “start” will cause the tunnel to start
automatically.)
#
# File: /etc/ipsec.conf
#
conn net-to-net
left=97.158.253.25             # Public Internet IP address of the
# LEFT VPN device
leftsubnet=172.16.1.0/24       # Subnet protected by the LEFT VPN device
leftid=@vpn1.my-site.com # FQDN of Public Internet IP address of the
# LEFT VPN device with an “@”
leftrsasigkey=0sAQNrV9AYdaW94FXvIxu5p54+MRaW0wy0+HHQrdGofklZYQ4TCBlL+Ym00Ah
fc8mqXlerZY12Os41G8SIV+zzIO04WZ4wmOvEr8DZaldTbfCuvUvMhrTtCpZdm53yF5rCaUbg+Vmx71
fgyVmGu8/kuhzB7nWtOYqDFO8OHDGePOyOVPQi73KfRoDbdb3ND0EtfnRhRPblKJ239OlIq1
leftnexthop=%defaultroute      # correct in many situations
right=6.25.232.1               # Public Internet IP address of
# the RIGHT VPN device
rightsubnet=10.0.0.0/24        # Subnet protected by the RIGHT VPN device
rightid=@vpn2.another-site.com # FQDN of Public Internet IP address of the
# RIGHT VPN device with an “@”
rightrsasigkey=0sAQNNdxFPWCga+E/AnDgIM+uIDq4UXcZzpomwMFUpyQ9+rhUHT9w8nr3rjU
R/qTZOKR2Vqd4XoBd1HkPDBQ8oNjtA3Oz+UQOU3KTMHN5ydFwe6MpTJV/hL6LvhB0OXQad/NhjMIx8v
OnhM8g8SPRnj7pL3abgu7Sg7eFREV1MJSVBhp0DJ0EbVMVV+Xvwlm9++9zbY3mlc+cSXMPAJZ
rightnexthop=97.158.253.25     # correct in many situations
auto=start                     # authorizes and starts this connection
# on booting
2) service ipsec restart

3)Initialize The New Tunnel
ipsec auto –up net-to-net

4)Possible Changes To IP Tables NAT/Masquerade Rules
If you are running iptables with masquerading/NAT the VPN devices
then you will have to exclude packets traversing the tunnel from
the NAT operation. This example assumes that interface eth0 is the
Internet facing interface on your Linux VPN/firewall.

Left Hand Side VPN Device
Old
iptables -t nat -A POSTROUTING -o eth0 -s 172.168.1.0/24 -j MASQUERADE

New
iptables -t nat -A POSTROUTING -o eth0 -s 172.168.1.0/24 -d \! 10.0.0.0/24 -j MASQUERADE

Right Hand Side VPN Device
Old
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE

New
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -d \! 176.16.1.0/24 -j MASQUERADE

5)How To Ensure Openswan Starts When Rebooting
If your VPN sub- section in the /etc/ipsec.conf file has the line “auto=add”
in it then IPSec will only authorize but won’t establish the connection at
startup. You’ll have to use the “ipsec auto –up <vpn-name>” command to start it manually.
You’ll need to change this to “auto=start” for openswan to automatically
start the VPN when IPSec restarts or when the system reboots.

6)Using Pre-Shared Keys (PSK)
ipsec ranbits –continuous 128

7)Update /etc/ipsec.secrets
vpn1-ip-address vpn2-ip-address : PSK “key in quotations”
97.158.253.25 6.25.232.6 : PSK “nonebutourselvescanfreeourminds”

8)Update /etc/ipsec.conf
authby=secret                # Key exchange method
auto=start                   # authorizes and starts this connection

=============================================================================
Tripwire
config file= /etc/tripwire/twcfg.txt
policy file= /etc/tripwire/tw.opl
database =/var/lib/tripwire/$hostname.twd

1) /etc//tripwire/twinstall.sh
/sbin/tripwire –init
/sbin/tripwire –start

2)integrity check
/sbin/tripwire –check

Report
twprint -m r –twrfile /var/lib/tripwire/report/<name.twr

viewing  tripwire database
twprint -m -d –print -dbfile |less

updating policy
twadmin –print-palfile>/etc/tripwire/twpol.txt

specific files
twprint -m -d –print -dbfile /etc/hosts

tripwire –update –twfile /var/lib/tripwire/report/name.twr
=======================================================================
PAM
=======================================================================
Process Accounting
pcacct*.rpm
$ac=/var/log/wtmp
$action:process account off or on
$accton /var/log/pacct
lastcomm
sa=summarize
sa /var/log/savacct
sa /var/log/usracct

gtop,kpm,xosview,xload,xsysinfo,top

=======================================================================
TCP Wrappers
vi /etc/host.allow
vi /etc/host.deny
<daemonlist>:<clientlist>[:<option>:<options>…]

<daemonlist>=processname(not service) /ALL
<clientlist>=hostname/IP
<option>=allow,deny,alter

vi /etc/host.allow
vsftpd:.example.com
sshd:.example.com\
:spawn /bin/echo `\bin\date` access denied>>/var/log/sshd.log :deny

WILD CARDS
ALL,LOCAL,KNOWN,UNKNOWN,PARANOID(host &ip donot match)

ALL;.example.com
ALL:192.168.
ALL:192.168.0.0/255.255.255.0
in.telnetd:/etc/telnets.hosts
ALL:.example.com EXCEPT sabin.example.com
ALL EXCEPT vsftpd:192.168.0

deny
sshd:.example.com:servrity emerg
sshd:example.com:severity local0.alert

sshd:client1.nepal.com:allow
sshd:client2.nepal.com:deny

Spawn ,twist
in.telnetd:example.com\
:spawn \bin\echo \bin\date from %h>>/var/log/telnet:allow
vsftpd:.example.com\
twist /bin/echo “bod guy go away”

=======================================================================
Xinetd
/etc/xinetd.conf
/etc/xinetd.d/
LOG_ON_SUCCESS.LOG_ON_FAILURE,
ATTEMPT,DURATION,EXIT,HOST,PID,RECORD,USERID,

only_from,no_access,access_times(HH:MM-HH:MM)
service telnet
{
disable=no
flags=reuse
socket_type=stream
wait =no
user=root
server=/usr/sbin/in/telnet.d
log_on_failure +=USERID
no_access=192.168.0.0/24
log_on_success +=PID HOST EXIT
access_times=9:00-1600
}
NAT
bind =123.123.123.123
redirect=10.10.10.12 21 23

per_source(no of instances)
cps=max connection per second
max_load=cp usage thereshold for a service

=======================================================================
IPtables
=======================================================================
Selinux
*/selinux filesystem
access
context
create
enforce
load
policyvers
relabel
user

*security.selinux
getfattr -m . -d /etc/passwd
1) Permissive mode
2) Rebuilding policies
3) Labeling files
4) Routine system administration (changing roles,
adding users, and checking file contexts)
5) Monitoring SELinux through log files
6) Miscellaneous troubleshooting

1)System Modes and SELinux Tuning
+ permissive mode that’s useful for policy troubleshooting and system maintenance.
permissive mode is used when configuring, testing, and troubleshooting SELinux
and the SELinux security policy. Under permissive mode, SELinux permits all operations,
even those that violate the SELinux security policy.
+ enforcing mode (sometimes called enforcement mode). Enforcing mode is the
normal mode of SELinux operation. Under enforcing mode, operations that violate
the SELinux security policy are prevented.

a) Switching the SELinux mode
kernel /vmlinuz-2.6.4-1.305 ro root=LABEL=/ enforcing=1
append=”enforcing=0″(lilo)

To enter enforcing mode, issue the command:
echo “1” > /selinux/enforce

Similarly, to enter permissive mode, issue the command:
echo “0” > /selinux/enforce

setenforce 0
getenforce
vi /etc/selinux
To disable (boot parameter
selinux=0
———————————————–
2) Loading a security policy
rpm=checkpolicy,selinux*
/etc/selinux/src/policy
Make target Compiles the policy from source? Installs the policy? Loads or reloads the policy?
policy Yes No No
install Yes Yes No
load Yes Yes Yes
reload Yes Yes Yes
relabel No No No

a)su –
b)newrole -r sysadm_r
c)cd /etc/selinux/src/policy
d)make target
e)make reload
checkpolicy=The SELinux policy compiler
load_policy=A utility that loads the SELinux binary policy into the running kernel
———————————————–
3) Labeling files
a)su –
newrole -r sysadm_r
cd /etc/selinux/src/policy
make relabel

usr/bin/chcon
Labels one or more files with a specified security context
chcon system_u:object_r:etc_t /etc/hosts /etc/hosts.allow

/sbin/fixfiles
Labels all available filesystems according to the contents of the standard specification
file, src/policy/file_contexts/file_contexts
fixfiles check

/sbin/restorecon
Labels one or more files according to the contents of the standard specification
file, src/policy/file_contexts/file_contexts
restorecon /etc/hosts

/usr/sbin/setfiles
Labels one or more files or filesystems according to the contents of a specification
file
setfiles src/policy/file_contexts/file_contexts /etc/hosts

Tuning Fedora Core 2 SELinux
Fedora Core 2 implementation of
SELinux provides two convenient ways of tailoring SELinux operation:
i) Macros
ii) Policy Booleans

i)Macros
src/policy/tunable.te

Policy macro      Active by default?         Description
allow_user_direct_mouse Yes Allow regular users direct access to the mouse device file
(otherwise allow only the X server to do so).
allow_user_dmesg Yes Allow users to run the dmesg command
allow_user_tcp_server Yes Allow users to run TCP servers (bind to ports and accept
connection from the same domain and outside users).
Disabling this Boolean forces FTP passive mode and may
affect other protocols (including IRC if single_
userdomain is defined).
allow_xserver_home_fonts Yes Allow X server to check for fonts in ~/.gnome or ~/.kde.
allow_ypbind Yes Allow ypbind to run with NIS.
direct_sysadm_daemon Yes Allow sysadm_t to start daemons directly.
ftp_home_dir No Allow FTP to read/write files in user home directories.
ftpd_is_daemon Yes Allow FTP to run from inetd instead of as a stand-alone
daemon.
hide_broken_symptoms No Adds dontaudit rules for broken polices that are not
security risks.
nfs_export_all_ro No Allow reading on any filesystem.
nfs_export_all_rw Yes Allow read/write/create on any filesystem.
nfs_home_dirs Yes Allow NFS home directories.
nscd_all_connect Yes Allow all domains to access NSCD.
read_default_t Yes Allow ordinary users to read any file having type
default_t.
readhome Yes Allow Mozilla to read files in the user home directory.
run_ssh_inetd No Allow SSH to run from inetd instead of as a daemon.
secure_levels No Allow only administrator to log in at the console and forbid
direct access to disk devices.
single_userdomain No Make processes other than newrole and su run by a user
domain stay in the same user domain.
ssh_sysadm_login Yes Allow SSH logins to the sysadm_r:sysadm_t security
context; otherwise, remote SSH users cannot enter this
context.
staff_read_sysadm_file No Allow staff_r users to search the system administrator’s
home directory (generally /root) and read its files.
unlimitedServices Yes Allow processes under initrc and xinetd to run with
all privileges.
unlimitedUsers No Allow users to have full access.
unrestricted_admin Yes Allow sysadm_t to do almost everything.
use_games Yes Allow users to run games.
user_can_mount Yes Allow users to execute mount command.
user_canbe_sysadm Yes Allow normal users to enter sysadm_r role.
user_net_control Yes Allow users to control network interfaces (also needs
USERCTL=true).
user_rw_noexattrfile Yes Allow users to read/write noextattrfile (FAT,
CDROM, FLOPPY).
writehome Yes Allow Mozilla to write files in the user home directory.
xdm_sysadm_login Yes Allow xdm logins as sysadm_r:sysadm_t.

a)vi /etc/selinux/src/policy.
b)edit tunable.te
c)make reload.
ii)Tuning via policy Booleans
change_bool boolean [0|1]
show_bools

change_bool user_ping 0

show_bools
user_ping –> active: 0 pending: 0

echo 0 > /selinux/booleans/user_ping
echo 1 > /selinux/commit_pending_bools
———————————————–
4)Routine SELinux System Use and Administration
a) Entering a role
b) Viewing security contexts
c) Adding users and groups
d) Starting and controlling daemons
e) Tuning SELinux

a) Entering a role
SELinux users have one or more associated
roles and, at any time, are bound to exactly
one of these. Users are initially bound to
a role at login time.
$sestatus
# sestatus -v

The standard SELinux security policy defines four roles:
*staff_r
Used for users permitted to enter the sysadm_r role
*sysadm_r
Used for the system administrator
*system_r
Used for system processes and objects
*user_r
Used for ordinary users

Changing roles
newrole [[-r|–role] ROLE] [[-t|–type] TYPE] [– [ARGS]…]
newrole -r role
#newrole -r sysadm_r

b) Viewing security contexts
# id -Z
ls –context /etc/hosts
ls –lcontext /etc/hosts
ls –scontext /etc/hosts
ls -Z /etc/hosts
ps -Z
ps –context
ps -Z 1

c) Adding users and groups
users’ home directories are labeled with
the special security context user_home_dir_t.
# id -Z
# newrole -r sysadm_r
# id -Z
# useradd -c “test user” -m -d /home/testuser \
-g users -s /bin/bash testuser
# finger testuser
# ls -ld -Z /home/testuser/

Associating a user with a nondefault role
By default, users are associated with
the SELinux role user_r
i. Edit the src/policy/users file.
ii. Recompile the security policy.
iii. Load the generated binary policy file into the kernel.
cd /etc/selinux/src/policy
vi users
user username roles { staff_r sysadm_r };
make target
make reload

user:role:type.
the src/policy/appconfig/default_contexts file specifies
default roles for user logins, SSH sessions, and cron jobs.
system_r:sulogin_t sysadm_r:sysadm_t
system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:remote_login_t user_r:user_t staff_r:staff_t
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t
sysadm_r:sysadm_crond_t system_r:system_crond_t mailman_r:user_crond_t
system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sysadm_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sudo_t sysadm_r:sysadm_t
staff_r:sudo_t sysadm_r:sysadm_t staff_r:staff_t
user_r:sudo_t sysadm_r:sysadm_t user_r:user_t

Setting user passwords
vipw, vi,
to repair the file label
restorecon /etc/shadow

d) Starting and controlling daemons
run_init script [[arg]…]
run_init /etc/init.d/ntpd start

NOTE
By default, Fedora Core 2 allows a role transition
from sysadm_r to system_r, the role used by init.
Therefore, unless you’ve specially configured Fedora
Core 2 to disable this transition, it’s not necessary
to invoke the run_init command explicitly.

runcon -u system_u -r system_r -t crond_t /usr/sbin/crond
runcon system_u:system_r:crond_t /usr/sbin/crond

e) Tuning SELinux
LOG Format
avc: result { operation } for pid=pid exe=exe
path=opath dev=devno:ptno ino=node
scontext=source tcontext=target tclass=class

*result=The value granted or denied, indicating whether
SELinux permitted or prohibitedthe operation.
*operation=The operation that was attempted, such as
read or write. SELinux defines about 150 operations.
*pid=The process ID of the process that attempted the operation.
*exe=The absolute path of the text file (executable) associated
with the process that attempted the operation.
*path=The absolute path of the object on which the operation was attempted.
*devno=The block device number associated with the
object on which the operation was attempted.
*ptno=The partition number associated with the object
on which the operation was attempted.
*node=The inode number of the object on which the operation was attempted.
*source=The security context of the process that
attempted the operation.
*target=The security context of the target object.
*class=The type of the target object, such as file.

SELinux Logging Subtleties(reduce log)
Change to the policy source directory and
reload the security policy:
cd /etc/security/selinux/src/policy
make reload
or
setenforce 1
setenforce 0

Audit2allow=that scans the system log, looking for
entries pertaining to denied operations

(if login,daemon problem problem)
fixfiles restore
cd /etc/security/selinux/src/policy
setfiles file_contexts/file_contexts /home/bill

cd /etc/security/selinux/src/policy
setfiles file_contexts/file_contexts cron_files

cd /etc/security/selinux/src/policy
setfiles file_contexts/file_contexts /etc/init.d/*

Xwindow problem
rm /var/tmp* files

=======================================================================
Instalation Server
1) Make directory
mkdir -p /data/network-install/Fedora/base
mkdir -p /data/network-install/Fedora/RPMS
mkdir -p /data/network-install/ISO

2) Copy the files
cd /mnt/cdrom/Fedora/base
cp -r * /data/network-install/Fedora/base

(copy 4 cd into /data/network-install)

cd /data/network-install/ISO
dd if=/dev/cdrom of=FC2-i386-disc1.iso bs=32k
eject cdrom
dd if=/dev/cdrom of=FC2-i386-disc2.iso bs=32k
eject cdrom
dd if=/dev/cdrom of=FC2-i386-disc3.iso bs=32k
eject cdrom
dd if=/dev/cdrom of=FC2-i386-disc4.iso bs=32k
eject cdrom

another method using mkisofs
mkisofs -J -r -T -o filename.iso /mnt/cdrom

3)Setup Your Webserver ftp & nfs
NameVirtualHost 192.168.1.100
<VirtualHost 192.168.1.100>
DocumentRoot /data/
<Directory /data/network-install>
Options +Indexes
AllowOverride AuthConfig
order allow,deny
allow from all
</Directory>
</VirtualHost>

FTP
vi /etc/vsftpd/vsftpd.conf
anon_root=/data/network-install/

NFS
vi /etc/exports
/data/network-install          *(ro,sync)
exportfs -ra

4)Configure DHCP Server

5)Boot form fedora core cd1
boot:linux askmethod
or boot from boot floppy
Kick Start
1)”ksconfig” command from a GUI console
2)save it in /data/network-install/ks.cfg
or can use /root/anaconda-ks.cfg
3)to veryfy
install
nfs –server=192.16.1.100 –dir=/data/network-install/ISO
install
url –url http://192.168.1.100/network-install/
4) To install
NFS Method
boot: linux ks=nfs:192.168.1.100:/data/network-install/ks.cfg

HTTP Method
boot: linux ks=http://192.168.1.100/network-install/ks.cfg

DHCP
vi /etc/dhcpd.conf
filename “/data/network-install/ks.cfg”;
next-server 192.168.1.100;

boot: linux ks

Floppy
boot:linux ks=floppy

=======================================================================
Encrypting swat or other ports like pop3,smtp
1)useradd stunnel
2)cd /usr/share/ssl/certs
make stunnel.pem
chmod 640 stunnel.pem
chgrp stunnel stunnel.pem

3)vi /etc/stunnel/stunnel.conf
# Configure stunnel to run as user “stunnel” placing temporary
# files in the /home/stunnel/ directory
chroot  = /home/stunnel/
pid     = /stunnel.pid
setuid  = stunnel
setgid  = stunnel

# Log all stunnel messages to /var/log/messages
debug   = 7
output  = /var/log/messages

# Define where the SSL certificates can be found.
client  = no
cert    = /usr/share/ssl/certs/stunnel.pem
key     = /usr/share/ssl/certs/stunnel.pem

# Accept SSL connections on port 901 and funnel it to
# port 902 for swat.
[swat]
accept   = 901
connect  = 902

4) cd /etc/xinetd.d
cp swat swat-stunnel

vi swat-stunnel
service swat-stunnel
{
port            = 902
socket_type     = stream
wait            = no
only_from       = 127.0.0.1
user            = root
server          = /usr/sbin/swat
log_on_failure  += USERID
disable         = no
bind            = 127.0.0.1
}
disable 901 port in /etc/services
chkconfig swat off
chkconfig swat-stunnel on

5)start stunnel
$stunnel
(if problem  rpm -e hwcrypto)

6)Test
https://server-ip-address:901/

========
Stunneling pop
1) /var/share/ssl/certs/stunnel.pem
$openssl -req -new -newkey rsa:1024 -nodes \
-x509 -keyout /tmp/key -out /tmp/cert
cat /tmp/cert>>/tmp/key
mv /tmp/key /usr/share/ssl/certs/stunnel.pem
rm /tmp/cert
chmod 600 /usr/share/ssl/certs/stunnel.pem
or
cd /usr/share/ssl/certs
make stunnel.pem

2) vi /etc/xinet.d/pos3s
server=/usr/sbin/stunnel
server_args= -1 /usr/sbin/ipop3d –ipop3d

telnet
stunnel -d localhost:7023 -r localhost:23

stunnel -c  -d localhost:12345 -r server1.nepal.com:7023
telnet localhost 12345
=======================================================================