
Redhat Linux 5.4 Server Book.

Linux Installation

Welcome to Red Hat Enterprise Linux
The Welcome screen does not prompt you for any input. Read over the help text in the left panel for additional instructions and information on where to register your Red Hat Enterprise Linux product. Notice the Hide Help button at the bottom left corner of the screen. The help screen is open by default. To minimize the help text, click on Hide Help. Click on the Next button to continue.

Language Selection
Using your mouse, select a language to use for the installation. Selecting the appropriate language also helps target your time zone configuration later in the installation. The installation program tries to define the appropriate time zone based on what you specify on this screen.

Once you select the appropriate language, click Next to continue.

Disk Partitioning Setup
Partitioning allows you to divide your hard drive into isolated sections, where each section behaves as its own hard drive. Partitioning is particularly useful if you run multiple operating systems. On this screen, you can choose to perform automatic partitioning, or manual partitioning using Disk Druid. Automatic partitioning allows you to perform an installation without having to partition your drive(s) yourself. If you do not feel comfortable with partitioning your system, it is recommended that you do not choose to partition manually and instead let the installation program partition for you. To partition manually, choose the Disk Druid partitioning tool.

Partitioning Your System
If you chose to partition manually, you must tell the installation program where to install Red Hat Enterprise Linux. This is done by defining mount points for one or more disk partitions in which Red Hat Enterprise Linux is installed.

The partitioning tool used by the installation program is Disk Druid. With the exception of certain esoteric situations, Disk Druid can handle the partitioning requirements for a typical installation.

Disk Druid's Buttons
These buttons control Disk Druid's actions. They are used to change the attributes of a partition (for example the file system type and mount point) and also to create RAID devices. Buttons on this screen are also used to accept the changes you have made, or to exit Disk Druid. For further explanation, take a look at each button in order:

Edit: Used to modify attributes of the partition currently selected in the Partitions section. Selecting Edit opens a dialog box. Some or all of the fields can be edited, depending on whether the partition information has already been written to disk.

To make a RAID device, you must first create (or reuse existing) software RAID partitions. Once you have created two or more software RAID partitions, select Make RAID to join the software RAID partitions into a RAID device.

Partition Fields
Above the partition hierarchy are labels which present information about the partitions you are creating. The labels are defined as follows:

Device: This field displays the partition's device name.
Mount Point/RAID/Volume: A mount point is the location within the directory hierarchy at which a volume exists; the volume is "mounted" at this location. This field indicates where the partition is mounted. If a partition exists but its mount point is not set, then you need to define its mount point. Double-click on the partition or click the Edit button.
Type: This field shows the partition's file system type (for example, ext2 or ext3).
Format: This field shows if the partition being created will be formatted.
Size (MB): This field shows the partition's size (in MB).
Start: This field shows the cylinder on your hard drive where the partition begins.
End: This field shows the cylinder on your hard drive where the partition ends.

Recommended Partitioning Scheme

The following is a list of recommendations for partitioning your system:

A swap partition (at least 256 MB): swap partitions are used to support virtual memory. In other words, data is written to a swap partition when there is not enough RAM to store the data your system is processing. If you are unsure about what size swap partition to create, make it twice the amount of RAM on your machine. It must be of type swap.

Creation of the proper amount of swap space varies depending on a number of factors including the following (in descending order of importance): the applications running on the machine; the amount of physical RAM installed on the machine; the version of the OS.

Swap should equal 2x physical RAM for up to 2 GB of physical RAM, and then 1x physical RAM for any amount above 2 GB, but never less than 32 MB. Using this formula, a system with 2 GB of physical RAM would have 4 GB of swap, while one with 3 GB of physical RAM would have 5 GB of swap. Creating a large swap space partition can be especially helpful if you plan to upgrade your RAM at a later time. For systems with really large amounts of RAM (more than 32 GB) you can likely get away with a smaller swap partition (around 1x, or less, of physical RAM).

A root partition (500 MB - 5.0 GB): this is where "/" (the root directory) is located. In this setup, all files except for files stored in /boot (on x86, AMD64, and Intel EM64T) are on the root partition. A 500 MB partition allows you to install a minimal installation, while a 5.0 GB root partition lets you perform a full installation, choosing all package groups.

A /boot/ partition (100 MB): it is recommended that you create a /boot/ partition. /boot/ contains the kernels, along with files used during the bootstrap process.
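The swap sizing rule above, as an added shell example (not from the book): recommended_swap_mb takes the installed RAM in MB and returns the swap size the rule gives (2x up to 2 GB, 1x for the remainder, never below 32 MB); installed_ram_mb reads MemTotal from /proc/meminfo so the two can be combined on a live machine. The function names and the choice of MB as the unit are this example's own.

```sh
#!/bin/sh
# Added example (not from the book): the swap-sizing rule as a function.
# Input and output are in MB. Rule: 2x RAM up to 2 GB, then 1x RAM for
# everything above 2 GB, with a 32 MB floor. (The book separately recommends
# a swap partition of at least 256 MB; that minimum is left to the caller.)
recommended_swap_mb() {
    ram_mb=$1
    if [ "$ram_mb" -le 2048 ]; then
        swap=$(( ram_mb * 2 ))
    else
        # 4096 MB covers the first 2 GB; add 1x for the RAM above that
        swap=$(( 4096 + (ram_mb - 2048) ))
    fi
    [ "$swap" -lt 32 ] && swap=32
    echo "$swap"
}

# Physical RAM in MB from /proc/meminfo (MemTotal is reported in kB).
# /proc/meminfo is the kernel's standard interface; the conversion is ours.
installed_ram_mb() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 }' /proc/meminfo
}

# Constructed sample sizes, including the two worked cases from the text.
for ram in 512 2048 3072 16384; do
    printf 'RAM %5d MB -> swap %5d MB\n' "$ram" "$(recommended_swap_mb "$ram")"
done
```

On an installed system, `recommended_swap_mb "$(installed_ram_mb)"` gives the figure for the machine you are sitting at.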

Network Configuration
If you do not have a network device, this screen does not appear during your installation and you should advance to

The installation program automatically detects any network devices you have and displays them in the Network Devices list.

Once you have selected a network device, click Edit. From the Edit Interface pop-up screen, you can choose to configure the IP address and Netmask of the device via DHCP (or manually if DHCP is not selected) and you can choose to activate the device at boot time. If you select Activate on boot, your network interface is started when you boot. If you do not have DHCP client access or you are unsure what to provide here, please contact your network administrator.

Firewall Configuration
Red Hat Enterprise Linux offers firewall protection for enhanced system security. A firewall exists between your computer and the network, and determines which resources on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system.

Next, you can decide whether to enable a firewall for your Red Hat Enterprise Linux system.

No firewall
No firewall provides complete access to your system and does no security checking. Security checking is the disabling of access to certain services. This should only be selected if you are running on a trusted network (not the Internet) or plan to do more firewall configuration later.

Enable firewall
If you choose Enable firewall, your system does not accept connections that you have not explicitly defined (other than the default settings). By default, only connections in response to outbound requests, such as DNS replies or DHCP requests, are allowed. If access to services running on this machine is needed, you can choose to allow specific services through the firewall. If you are connecting your system to the Internet, this is the safest option to choose.

Next, select which services, if any, should be allowed to pass through the firewall.

Enabling these options allows the specified services to pass through the firewall. Note that these services may not be installed on the system by default. Make sure you choose to enable any options that you may need.

Remote Login (SSH)


Secure Shell (SSH) is a suite of tools for logging in to and executing commands on a remote machine. If you plan to use SSH tools to access your machine through a firewall, enable this option. You need to have the openssh-server package installed in order to access your machine remotely, using SSH tools.

Web Server (HTTP, HTTPS)

The HTTP and HTTPS protocols are used by Apache (and by other Web servers) to serve webpages. If you plan on making your Web server publicly available, enable this option. This option is not required for viewing pages locally or for developing webpages. You must install the httpd package if you want to serve webpages.

File Transfer (FTP)

The FTP protocol is used to transfer files between machines on a network. If you plan on making your FTP server publicly available, enable this option. You must install the vsftpd package in order to publicly serve files.

Mail Server (SMTP)


If you want to allow incoming mail delivery through your firewall, so that remote hosts can connect directly to your machine to deliver mail, enable this option. You do not need to enable this if you collect your mail from your Internet Service Provider's server using POP3 or IMAP, or if you use a tool such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.
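The choices above map directly onto iptables rules. What follows is an added example, not from the book, that writes a rule set in the iptables-restore format used by /etc/sysconfig/iptables for the "Enable firewall" policy: inbound traffic is dropped by default, replies to this machine's own outbound requests are accepted, and only the services named on the command line (ssh, http, ftp, smtp) are opened. The service names, the function name and the port choices are this example's own; the script only prints rules and does not touch the running firewall.

```sh
#!/bin/sh
# Added example (not from the book): generate an iptables-restore rule set
# mirroring the installer's "Enable firewall" choice. Services are given as
# arguments: ssh, http (opens 80 and 443), ftp, smtp. Output goes to stdout;
# review it, then load it as root with iptables-restore.
gen_firewall_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic never leaves the machine
-A INPUT -i lo -j ACCEPT
# replies to our own outbound requests (DNS answers, DHCP, ...)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for svc in "$@"; do
        case $svc in
            ssh)  echo '-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT' ;;
            http) echo '-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT'
                  echo '-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT' ;;
            ftp)  echo '-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT' ;;
            smtp) echo '-A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT' ;;
            *)    echo "unknown service: $svc" >&2; return 1 ;;
        esac
    done
    echo 'COMMIT'
}

# Example run: a machine that should answer SSH and web requests only.
gen_firewall_rules ssh http
```

Anything not matched by an ACCEPT line falls through to the INPUT DROP policy, which is what "connections not explicitly defined by you" comes down to. One caveat for ftp: the data connection is negotiated inside the control session, so the ESTABLISHED,RELATED rule only covers it when the ip_conntrack_ftp helper module is loaded; without it, transfers stall even though port 21 is open.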

Language Support Selection

You can install and support multiple languages for use on your system. You must select a language to use as the default language. The default language is the language used on the system once the installation is complete. Typically, the default language is the language you selected to use during the installation. If you choose to install other languages during this installation, you can change your default language after the installation. If you are only going to use one language on your system, selecting only that language saves significant disk space.

Caution

If you select only one language, you can only use that specified language after the installation is complete.

To use more than one language on your system, choose specific languages to be installed or select all languages to have all available languages installed on your Red Hat Enterprise Linux system. Use the Reset button to cancel your selections. Resetting reverts to the default; only the language you selected for use during the installation is installed.

Tip

To change the language configuration after you have completed the installation, use the Language Configuration Tool. Type the system-config-language command in a shell prompt to launch the Language Configuration Tool. If you are not root, it prompts you for the root password to continue.

Time Zone Configuration

Set your time zone by selecting the city closest to your computer's physical location. There are two ways for you to select your time zone. Using your mouse, click on the interactive map to select a specific city (represented by a yellow dot); a red X appears indicating your selection. You can also scroll through the list at the bottom of the screen to select your time zone; using your mouse, click on a location to highlight your selection.

Configuring the Time Zone
Select System Clock uses UTC if you know that your system is set to UTC. To change your time zone configuration after you have completed the installation, use the Time and Date Properties Tool. Type the system-config-date command in a shell prompt to launch the Time and Date Properties Tool. If you are not root, it prompts you for the root password to continue.

To run the Time and Date Properties Tool as a text-based application, use the command timeconfig.

Set Root Password


Setting up a root account and password is one of the most important steps during your installation. Your root account is similar to the administrator account used on Windows NT machines. The root account is used to install packages, upgrade RPMs, and perform most system maintenance. Logging in as root gives you complete control over your system.

Note

The root user (also known as the superuser) has complete access to the entire system; for this reason, logging in as the root user is best done only to perform system maintenance or administration.

Root Password
Use the root account only for system administration. Create a non-root account for your general use and su - to root when you need to fix something quickly. These basic rules minimize the chances of a typo or an incorrect command doing damage to your system.

To become root, type su - at the shell prompt in a terminal window and then press Enter. Then, enter the root password and press Enter.

The installation program prompts you to set a root password for your system. You cannot proceed to the next stage of the installation process without entering a root password. The root password must be at least six characters long; the password you type is not echoed to the screen. You must enter the password twice; if the two passwords do not match, the installation program asks you to enter them again.

Tip
To change your root password after you have completed the installation, use the Root Password Tool. Type the system-config-rootpassword command in a shell prompt to launch the Root Password Tool. If you are not root, it prompts you for the root password to continue.

A root password is the administrative password for your Red Hat Enterprise Linux system. You should only log in as root when needed for system maintenance. The root account does not operate within the restrictions placed on normal user accounts, so changes made as root can have implications for your entire system.

Package Group Selection

Now that you have made most of the choices for your installation, you are ready to confirm the default package selection or customize packages for your system.

The Package Installation Defaults screen appears and details the default package set for your Red Hat Enterprise Linux installation. This screen varies depending on the version of Red Hat Enterprise Linux you are installing.

To customize your package set further, select the Customize the set of packages to be installed option on the screen. Clicking Next takes you to the Package Group Selection screen.

You can select package groups, which group components together according to function (for example, X Window System and Editors), individual packages, or a combination of the two. To select a component, click on the checkbox beside it.

Select each component you wish to install. Selecting Everything (at the end of the component list) installs all packages included with Red Hat Enterprise Linux. Once a package group has been selected, click on Details to view which packages are installed by default, and to add or remove optional packages from that group (Package Group Details).

Preparing to Install

A screen preparing you for the installation of Red Hat Enterprise Linux now appears. For your reference, a complete log of your installation can be found in /root/install.log once you reboot your system.

Warning
If, for some reason, you would rather not continue with the installation process, this is your last opportunity to safely cancel the process and reboot your machine. Once you press the Next button, partitions are written and packages are installed. If you wish to abort the installation, you should reboot now before any existing information on any hard drive is rewritten.

Installing Packages
At this point there is nothing left for you to do until all the packages have been installed. How quickly this happens depends on the number of packages you have selected and your computer's speed.

Installation Complete
Congratulations!
Your Red Hat Enterprise Linux installation is now complete!

The installation program prompts you to prepare your system for reboot.

DOS versus Linux commands

In this appendix, we matched DOS commands with their Linux equivalents. As an extra means of orientation for new users with a Windows background, the table below lists MS-DOS commands with their Linux counterparts. Keep in mind that Linux commands usually have a number of options. Read the Info or man pages on the command to find out more.

Table B-1. Overview of DOS/Linux commands

DOS command     Linux command
<command> /?    man <command> or command --help
cd              cd
chdir           pwd
cls             clear
copy            cp
date            date
del             rm
dir             ls
echo            echo
edit            vim (or other editor)
exit            exit
fc              diff
find            grep
format          mke2fs or mformat
mem             free
mkdir           mkdir
more            more or even less
move            mv
ren             mv
time            date

Absolute Pathnames
Absolute pathnames begin with a slash (/). For example:
/usr/share/doc/HTML/index.html
/usr/share
/home/javed

Relative Pathnames
Relative pathnames don't begin with a slash (/). For example:
HTML/index.html
Doc/HTML/index.html
../index.html

Redirect Standard Output

Redirect standard output with >. For example:

# ls -a > outputfile1
# find / -name passwd > outputfile2

Redirect Standard Output & Error

Redirect standard output and error together with &>. For example:

$ find / -name passwd &> outputfile2

Translate a to A
For example:

# cat file.txt | tr a-z A-Z

Printout from CLI

lpr sends its input to the printer. For example, to send output to the default printer:

# ls -l | lpr

To print on a printer other than the default, name it with -P:

# cat file.txt | lpr -P printername
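An added example (not from the book) showing why the distinction between > and &> matters. noisy is a constructed stand-in for a command such as find, which writes matches to standard output and "Permission denied" messages to standard error; capture_streams redirects the two streams separately, merged, and with errors discarded, and upper_case wraps the tr pipeline from the page. Function names and the temporary files are this example's own; the portable form `> file 2>&1` is used in place of the bash-only `&>` shorthand.

```sh
#!/bin/sh
# Added example (not from the book): stdout and stderr are separate streams,
# so ">" alone catches only normal output. "noisy" stands in for a command
# like "find / -name passwd", which prints matches on stdout and permission
# errors on stderr.
noisy() {
    echo "normal output"
    echo "error output" >&2
}

# Write four files into directory $1 showing the common redirections.
# "cmd > file 2>&1" is the portable spelling of the bash shorthand "cmd &> file".
capture_streams() {
    dir=$1
    noisy > "$dir/stdout.txt" 2> "$dir/stderr.txt"   # each stream to its own file
    noisy > "$dir/both.txt" 2>&1                      # both streams merged
    noisy > "$dir/quiet.txt" 2> /dev/null             # keep output, drop errors
}

# The tr example from the page, wrapped so the pipeline is reusable.
upper_case() {
    printf '%s\n' "$1" | tr a-z A-Z
}

# Demo on a constructed scratch directory.
work=$(mktemp -d)
capture_streams "$work"
echo "stdout.txt: $(cat "$work/stdout.txt")"
echo "stderr.txt: $(cat "$work/stderr.txt")"
echo "both.txt has $(wc -l < "$work/both.txt" | tr -d ' ') lines"
echo "quiet.txt: $(cat "$work/quiet.txt")"
upper_case "red hat"
rm -rf "$work"
```

The order of the redirections matters: `2>&1 > file` would send errors to the terminal, because stderr is duplicated from stdout before stdout is pointed at the file.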

Using the Vi editor

All about Vi
This is probably the most popular text editor for Linux. Even if you don't like it, you may end up using it quite often. If you need to make a quick change to a file, you can't beat 'vi'. This is not meant to be an exhaustive guide to vi. This is just meant to show you how to use the most common (and useful) commands. Let's start by opening a file.

Sometimes you need Vi
I had an unpleasant surprise once. A friend of mine who had installed Linux had somehow changed the default editor from vi to joe. He called to tell me that his crontab entries didn't do anything. One more reason to get to know vi. Crontab is designed for vi and may not work if you use certain alternative editors.

Example 1. Open file with vi
vi /etc/hosts.allow

Miscellaneous:
Esc i     Insert text
Esc a     Append text
Esc u     Undo
Esc :w    Save file
Esc :wq   Save file and quit
Esc ZZ    Save file and quit
Esc :q!   Quit without saving

Basic operations
These are some popular vi commands:

ndd will delete n lines starting from the current cursor position.
ndw will delete n words at the right side of the cursor.
x will delete the character on which the cursor is positioned.
:n moves to line n of the file.
:w will save (write) the file.
:q will exit the editor.
:q! forces the exit when you want to quit a file containing unsaved changes.
:wq will save and exit.
:w newfile will save the text to newfile.
:wq! overrides read-only permission (if you have the permission to override permissions, for instance when you are using the root account).
/astring will search the string in the file and position the cursor on the first match below its position.
/ will perform the same search again, moving the cursor to the next match.
yy will copy a block of text.
np will paste it n times.
:recover will recover a file after an unexpected interruption.

16

Removing Red Hat Enterprise Linux

To uninstall Red Hat Enterprise Linux from your x86-based system, you must remove the Red Hat Enterprise Linux boot loader information from your master boot record (MBR).

Note
It is always a good idea to back up any data that you have on your system(s). Mistakes do happen and can result in the loss of all of your data.

In DOS and Windows, use the Windows fdisk utility to create a new MBR with the flag /mbr. This ONLY rewrites the MBR to boot the primary DOS partition. The command should look like the following:

fdisk /mbr

If you need to remove Linux from a hard drive and have attempted to do this with the default DOS (Windows) fdisk, you will experience the "Partitions exist but they do not exist" problem. The best way to remove non-DOS partitions is with a tool that understands partitions other than DOS.

2nd Method

To begin, insert the Red Hat Enterprise Linux CD #1 and boot your system. Once you have booted off the CD, a boot prompt appears. At the boot prompt, type:

linux rescue

This starts the rescue mode program. You are prompted for your keyboard and language requirements. Enter these values as you would during the installation of Red Hat Enterprise Linux. Next, a screen appears telling you that the program attempts to find a Red Hat Enterprise Linux install to rescue. Select Skip on this screen. After selecting Skip, you are given a command prompt where you can access the partitions you would like to remove.

First, type the command list-harddrives. This command lists all hard drives on your system that are recognizable by the installation program, as well as their sizes in megabytes. Be careful to remove only the necessary Red Hat Enterprise Linux partitions. Removing other partitions could result in data loss or a corrupted system environment.

To remove partitions, use the partitioning utility parted. Start parted, where /dev/hda is the device on which to remove the partition:

1. parted /dev/hda

Using the print command, view the current partition table to determine the minor number of the partition to remove:

2. print

The print command also displays the partition's type (such as linux-swap, ext2, ext3, and so on). Knowing the type of the partition helps you in determining whether to remove the partition. Remove the partition with the command rm. For example, to remove the partition with minor number 3:

3. rm 3

Important
The changes start taking place as soon as you press [Enter], so review the command before committing to it.

After removing the partition, use the print command to confirm that it is removed from the partition table.

Once you have removed the Linux partitions and made all of the changes you need to make, type quit to quit parted.

After quitting parted, type exit at the boot prompt to exit rescue mode and reboot your system, instead of continuing with the installation. The system should reboot automatically. If it does not, you can reboot your computer using Control-Alt-Delete.

The Linux Boot Process

The BIOS tests the system, looks for and checks peripherals, and then looks for a drive to use to boot the system. Usually it checks the floppy drive (or CD-ROM). The order of the drives used for booting is usually controlled by a particular BIOS setting on the system. Once Linux is installed on the hard drive of a system, the BIOS looks for a Master Boot Record (MBR) starting at the first sector on the first hard drive, loads its contents into memory, then passes control to it. This MBR contains instructions on how to load the GRUB (or LILO) boot loader, using a pre-selected operating system. The MBR then loads the boot loader, which takes over the process (if the boot loader is installed in the MBR). In the default Red Hat Linux configuration, GRUB uses the settings in the MBR to display boot options in a menu.

First Stage Boot Loader

Two boot loaders are available: Linux Loader (lilo) and Grand Unified Bootloader (grub). The first-stage boot loader:
reads in the partition table and looks for the second-stage boot loader on the partition configured as bootable (the /boot partition);
launches the second-stage boot loader.

Second Stage Boot Loader

The second-stage boot loader:
presents the user with the different OS kernels it has been configured to boot;
finds the kernel image in the /boot directory. The kernel binary is named /boot/vmlinuz-<kernel-version>;
places the appropriate initial RAM disk image, called an initrd, into memory. The initrd is used by the kernel to load drivers necessary to boot the system.

The Linux Boot Sequence

Linux is supplied with the GRUB boot loader, which is fairly sophisticated and therefore cannot entirely fit in the 512 bytes of the MBR. The GRUB MBR boot loader merely searches for a special boot partition and loads a second-stage boot loader. This then reads the data in the /boot/grub/grub.conf configuration file, which lists all the available operating systems and their booting parameters. When this is complete, the second-stage boot loader then displays the familiar Linux screen that lists all the configured operating system kernels for your choice.

Sample grub.conf file

When Linux begins to boot with its kernel, it first runs the /sbin/init program, which does some system checks, such as verifying the integrity of the file systems, and starts vital programs needed for the operating system to function properly. It then inspects the /etc/inittab file to determine Linux's overall mode of operation or runlevel. A listing of valid runlevels can be seen in Table 7-1.

Table 7-1. Linux Runlevels

Run Level   Directory          Description
0           /etc/rc.d/rc0.d    Halt
1           /etc/rc.d/rc1.d    Single-user mode
2           /etc/rc.d/rc2.d    Not used (user-definable)
3           /etc/rc.d/rc3.d    Full multi-user mode (no GUI interface)
4           /etc/rc.d/rc4.d    Not used (user-definable)
5           /etc/rc.d/rc5.d    Full multi-user mode (with GUI interface)
6           /etc/rc.d/rc6.d    Reboot

Based on the selected runlevel, the init process then executes startup scripts located in subdirectories of the /etc/rc.d directory. Scripts used for runlevels 0 to 6 are located in subdirectories /etc/rc.d/rc0.d through /etc/rc.d/rc6.d, respectively. Here is a (partial) directory listing of the scripts in the /etc/rc.d/rc3.d directory:

# ls /etc/rc.d/rc3.d
...             ...
K75netfs        K96pcmcia
K86nfslock      S05kudzu
K87portmap      S09wlan
K91isdn         S10network
K92iptables     S12syslog
K95firstboot    S17keytable
...             ...

Default Boot runlevel

The default boot runlevel is set in the file /etc/inittab with the initdefault variable. When set to 3, the system boots up with the text interface on the VGA console; when set to 5, you get the GUI. Here is a snippet of the file (delete the initdefault line you don't need):

# Default runlevel. The runlevels used by RHS are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
#
# id:3:initdefault:   # Console Text Mode
id:5:initdefault:     # Console GUI Mode

Note the following:

Most home users boot up with a Windows-like GUI (runlevel 5).
Most users will tend to boot up with a plain text-based command-line-type interface (runlevel 3).
Changing initdefault from 3 to 5, or vice versa, has an effect upon your next reboot. See the following section on how to get a GUI login all the time until the next reboot.
Of course, don't set the initdefault value to 6 or your system will constantly reboot. Setting it to 0 will never allow it to start!
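An added example (not from the book) that does two things with the files discussed above: it reads the initdefault runlevel out of an inittab-style file and refuses 0 and 6 for the reasons just given, and it reproduces the order in which /etc/rc.d/rc runs the scripts in an rcN.d directory (all K scripts first, then all S scripts, each group in name order). The inittab fragment and script names are constructed; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the book): inspect an inittab-style file for the
# default runlevel, and show the order in which /etc/rc.d/rc would run the
# K* (kill) and S* (start) scripts of a runlevel directory.

# Print the N from the first uncommented "id:N:initdefault:" line in file $1.
initdefault_of() {
    awk -F: '$1 !~ /^#/ && $3 == "initdefault" { print $2; exit }' "$1"
}

# Accept 3 and 5, refuse 0 and 6 (halt/reboot at every boot), warn otherwise.
check_initdefault() {
    level=$(initdefault_of "$1")
    case $level in
        3|5) echo "ok: default runlevel $level" ;;
        0|6) echo "refuse: runlevel $level would halt or reboot at every boot"; return 1 ;;
        "")  echo "refuse: no initdefault entry found"; return 1 ;;
        *)   echo "warn: unusual default runlevel $level"; return 2 ;;
    esac
}

# Given script names as arguments, print them in rc execution order:
# K scripts (stop) sorted by name, then S scripts (start) sorted by name.
rc_order() {
    for name in "$@"; do echo "$name"; done | grep '^K' | sort
    for name in "$@"; do echo "$name"; done | grep '^S' | sort
}

# Constructed inittab fragment with the same shape as the snippet on the page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Default runlevel. The runlevels used by RHS are:
#   3 - Full multiuser mode
#   5 - X11
# id:3:initdefault:   # Console Text Mode
id:5:initdefault:     # Console GUI Mode
EOF
check_initdefault "$sample"
rc_order S10network K92iptables S05kudzu K75netfs
rm -f "$sample"
```

Run against the real file with `check_initdefault /etc/inittab`; the sorting in rc_order is why K92iptables (firewall down) runs before S10network (interfaces up) in the rc3.d listing above.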


Linux Important File Summary

at.allow, at.deny (/etc)
    If at.allow exists, then only the user accounts listed in the file may use the at or batch commands. If at.deny exists, then any user account listed in the file may not use the at or batch commands.

.bash_logout (/home/<user>)
    Shell script to clean up any personalized environment settings during logout.

.bash_profile (/home/<user>)
    Shell script to set personalized environment settings for each login.

.bashrc (/home/<user>)
    Shell script to set personalized functions and aliases for each newly created shell or subshell.

bashrc (/etc)
    Shell script to set system-wide functions and aliases. Usually called by /home/<user>/.bashrc.

cron.allow, cron.deny (/etc)
    If cron.allow exists, then only the user accounts listed in the file may use the crontab command. If cron.deny exists, then any user account listed in the file may not use the crontab command.

crontab (/etc)
    Master cron scheduling file for system-wide jobs. On Red Hat systems, the crontab file uses the run-parts script to schedule any script in the appropriately-named /etc/cron.* directory.

fstab (/etc)
    Filesystem declaration and default mount configuration settings.

group (/etc)
    List of all user groups on the system and the user membership list for each group.

grub.conf (/boot/grub)
    GRUB bootloader configuration settings. Usually linked to from /etc/grub.conf.

inittab (/etc)
    init process configuration settings: virtual terminals, default runlevel, runlevel-dependent rc scripts, Ctrl+Alt+Del interrupt handler, X Windows display manager.

lilo.conf (/etc)
    LILO bootloader configuration settings.

login.defs (/etc)
    Default configuration settings for newly created user accounts and user groups.

logrotate.conf (/etc)
    Configuration settings for the cron-scheduled logrotate job. On Red Hat distributions, the logrotate.conf file usually includes other logrotate configuration files from the /etc/logrotate.d directory.

lpd.conf (/etc)
    Configuration settings for the lpd print daemon, and defaults for the printcap file.

module-info (/boot)
    Kernel Loadable Module definitions and device driver parameters.

modules.conf (/etc)
    Configuration files for loading Kernel Loadable Modules during startup. Also known as conf.modules on some Linux distributions.

passwd (/etc)
    List of all user accounts on the system. Also includes the user's UID, GID, full name, home directory, and default shell. Passwords tend to be stored in /etc/shadow on most systems.

printcap (/etc)
    Configuration settings for print queues, used by both the lpr command and lpd daemon. Some distributions automatically regenerate this file during startup and use the /etc/printcap.local file to store user customizations.

profile (/etc)
    Shell script to set system-wide shell environment settings for all logins.

rc (/etc/rc.d)
    Shell script responsible for running the runlevel-dependent shell scripts under the appropriate /rc.d/rcN.d directory, where N is the runlevel.

rc.local (/etc/rc.d)
    Last rc shell script run, usually as part of all startup runlevels (1-5). A common location for user-defined startup commands.

rc.sysinit (/etc/rc.d)
    Runlevel-independent shell script that mounts filesystems, enables virtual memory swapping, and synchronizes the OS time with the CMOS clock.

services (/etc)
    Reference list of common TCP and UDP port numbers and their related services.

shadow (/etc)
    Encrypted passwords for all user accounts on the system. Also contains password aging and expiry settings.

syslog.conf (/etc)
    Configuration settings for the syslogd and klogd logging daemons.

useradd (/etc/default)
    Default configuration settings for newly created user accounts using the useradd command.

XF86Config (/etc/X11)
    Configuration settings for X Windows (XFree86). On some systems, this file may be in the /usr/X11R6/lib/X11 directory.

vmlinuz (/boot)
    Compressed Linux kernel image. Usually a symbolic link to the current image file.
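The at.allow/at.deny and cron.allow/cron.deny rule from the summary above, as an added shell example (not from the book). may_use takes the directory holding the files, the tool name (at or cron) and an account name, and returns 0 for allowed and 1 for denied; when neither file exists the table says nothing and real systems differ, so that case is reported with status 2 instead of guessed. The scratch directory, file contents and account names are constructed; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the book): the allow/deny rule for at and cron.
#   $1  directory holding the files (normally /etc)
#   $2  "at" or "cron"
#   $3  account name
# Exit status: 0 allowed, 1 denied, 2 neither file exists (site-dependent).

# Whole-line match, so "bob" does not match an entry for "bobby".
listed_in() {
    grep -qxF -- "$2" "$1"
}

may_use() {
    dir=$1; tool=$2; user=$3
    if [ -f "$dir/$tool.allow" ]; then
        # allow file present: it is the only thing that matters
        if listed_in "$dir/$tool.allow" "$user"; then
            echo "$user: allowed ($tool.allow lists the account)"; return 0
        fi
        echo "$user: denied ($tool.allow exists and does not list the account)"; return 1
    elif [ -f "$dir/$tool.deny" ]; then
        # no allow file: the deny file is consulted instead
        if listed_in "$dir/$tool.deny" "$user"; then
            echo "$user: denied ($tool.deny lists the account)"; return 1
        fi
        echo "$user: allowed (not listed in $tool.deny)"; return 0
    fi
    echo "$user: neither $tool.allow nor $tool.deny exists (site-dependent)"; return 2
}

# Constructed scratch directory standing in for /etc.
etc=$(mktemp -d)
printf 'root\nbackup\n' > "$etc/cron.allow"
printf 'guest\n' > "$etc/at.deny"
may_use "$etc" cron backup          # allowed: listed in cron.allow
may_use "$etc" cron alice   || :    # denied: cron.allow exists, alice absent
may_use "$etc" at   guest   || :    # denied: listed in at.deny
may_use "$etc" at   alice           # allowed: no at.allow, not in at.deny
rm -rf "$etc"
```

The practical consequence is the usual one for allow lists: an empty cron.allow denies everyone, including accounts that were never mentioned in cron.deny, so check both files before concluding that a user "cannot" be scheduling jobs.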

Adding Users
useradd (in /usr/sbin):
useradd is a utility for adding new users to a UNIX system. It adds new user information to the /etc/passwd file and creates a new home directory for the user. When you add a new user, you should also set their password (using the -p option on useradd, or using the passwd utility; note that -p expects an already-encrypted password and leaves it in the shell history, so passwd is the safer choice):

# useradd singh
# passwd singh

Controlling User Groups

groupadd (in /usr/sbin):
groupadd creates a new user group and adds the new information to /etc/group:

# groupadd staff

usermod (in /usr/sbin):
Every user belongs to a primary group and possibly also to a set of supplementary groups. To modify the group membership of an existing user, use (the login name must come last):

# usermod -g initialgroup -G othergroups username

where othergroups is a list of supplementary group names separated by commas (with no intervening whitespace). Note that -G replaces the user's whole supplementary group list rather than adding to it.

groups
You can find out which groups a user belongs to by typing:

# groups username
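An added example (not from the book) of what the groups command computes from the two files usermod edits: the primary group comes from the GID field of the user's passwd entry, and the supplementary groups from the member lists in group. user_groups takes a passwd-format file, a group-format file and a user name; the sample files are constructed here to reflect the result of `usermod -g singh -G staff,wheel singh`, and the function name is this example's own.

```sh
#!/bin/sh
# Added example (not from the book): derive a user's primary and
# supplementary groups from passwd- and group-format files, the way the
# "groups" command does.  $1 passwd file, $2 group file, $3 user name.
# Output: primary group first, then supplementary groups in file order.
user_groups() {
    passwd=$1; group=$2; user=$3
    # GID field (4th) of the user's passwd entry
    gid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd")
    [ -n "$gid" ] || { echo "no such user: $user" >&2; return 1; }
    # primary group: the group entry whose GID (3rd field) matches
    primary=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group")
    echo "$primary"
    # supplementary groups: any entry whose member list (4th field) names the
    # user; the primary group is skipped so it is not reported twice
    awk -F: -v u="$user" -v skip="$primary" '$1 != skip {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }' "$group"
}

# Constructed sample files (not real system files).
p=$(mktemp); g=$(mktemp)
cat > "$p" <<'EOF'
root:x:0:0:root:/root:/bin/bash
singh:x:500:500::/home/singh:/bin/bash
EOF
cat > "$g" <<'EOF'
root:x:0:root
wheel:x:10:root,singh
staff:x:501:singh
singh:x:500:
EOF
printf 'singh: '; user_groups "$p" "$g" singh | tr '\n' ' '; echo
printf 'root:  '; user_groups "$p" "$g" root  | tr '\n' ' '; echo
rm -f "$p" "$g"
```

Pointing it at the real files (`user_groups /etc/passwd /etc/group singh`) is a quick way to audit who has picked up a privileged supplementary group such as wheel without relying on the shell's cached view of a logged-in session.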

File and Directory Permissions

As we have seen in the previous chapter, every file or directory on a UNIX system has three types of permissions, describing what operations can be performed on it by various categories of users. The permissions are read (r), write (w) and execute (x), and the three categories of users are user/owner (u), group (g) and others (o). Because files and directories are different entities, the interpretation of the permissions assigned to each differs slightly, as shown in Fig 3.1.

Fig 3.1

Permission   File                                           Directory
read         User can look at the contents of the file.     User can list the files in the directory.
write        User can modify the contents of the file.      User can create new files and remove existing files in the directory.
execute      User can use the filename as a UNIX command.   User can change into the directory, but cannot list the files unless (s)he has read permission. User can read files if (s)he has read permission on them.

Note:
File and directory permissions can only be modified by their owners, or by the superuser (root), by using the chmod system utility.

chmod (change [file or directory] mode)

$ chmod options files

chmod accepts options in two forms. Firstly, permissions may be specified as a sequence of 3 octal digits. Each octal digit represents the access permissions for the user/owner, group and others respectively. The mappings of permissions onto their corresponding octal digits are as follows (r = 4, w = 2, x = 1):

0  ---
1  --x
2  -w-
3  -wx
4  r--
5  r-x
6  rw-
7  rwx

For example the command:

# chmod 600 private.txt

sets the permissions on private.txt to rw------- (i.e. only the owner can read and write to the file).

Detail about Permission
Permissions may be specified symbolically, using the symbols u (user), g (group), o (other), a (all), r (read), w (write), x (execute), + (add permission), - (take away permission) and = (assign permission). For example, the command:

# chmod ug=rw,o-rw,a-x *.txt

sets the permissions on all files ending in .txt to rw-rw---- (i.e. the owner and users in the file's group can read and write to the file, while the general public do not have any sort of access). chmod also supports a -R option which can be used to recursively modify file permissions, e.g.

# chmod -R go+r play

This grants group and other read rights to the directory play and all of the files and directories within play.

chgrp (change group)

$ chgrp group files

It can be used to change the group that a file or directory belongs to. It also supports a -R option.
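As an added example (not from the book), the mapping between the symbolic and octal forms of a mode in both directions, plus the chapter's three chmod commands run on scratch files so their resulting modes can be read back; the mode is read from ls -l rather than stat so the script stays portable.

```shell
#!/bin/sh
# Convert a symbolic mode such as rw-r----- into its octal form (640),
# applying the r=4, w=2, x=1 mapping to each of the three triplets.
symbolic_to_octal() {
    mode=$1 result=''
    for triplet in "${mode%??????}" "$(printf '%s' "$mode" | cut -c4-6)" "${mode#??????}"; do
        digit=0
        case $triplet in r??) digit=$((digit + 4));; esac
        case $triplet in ?w?) digit=$((digit + 2));; esac
        case $triplet in ??x|??s|??t) digit=$((digit + 1));; esac   # s/t: exec bit plus setuid/setgid/sticky
        result="$result$digit"
    done
    printf '%s\n' "$result"
}

# Convert an octal mode such as 750 back into rwxr-x---.
octal_to_symbolic() {
    oct=$1 result=''
    for d in "$(printf '%s' "$oct" | cut -c1)" "$(printf '%s' "$oct" | cut -c2)" "$(printf '%s' "$oct" | cut -c3)"; do
        case $d in [4-7]) result="${result}r";; *) result="${result}-";; esac
        case $d in 2|3|6|7) result="${result}w";; *) result="${result}-";; esac
        case $d in 1|3|5|7) result="${result}x";; *) result="${result}-";; esac
    done
    printf '%s\n' "$result"
}

# Read a file's mode as the nine permission characters shown by ls -l.
file_mode() { ls -ld "$1" | cut -c2-10; }

# Run the chapter's three chmod examples on scratch files in a temporary
# directory and return the resulting octal modes as "private notes game".
demo_chmod() {
    dir=$(mktemp -d)
    : > "$dir/private.txt"
    : > "$dir/notes.txt"
    mkdir "$dir/play"
    : > "$dir/play/game.txt"
    chmod 600 "$dir/play/game.txt"          # start owner-only so the effect of go+r is visible
    chmod 600 "$dir/private.txt"            # octal form: rw-------
    chmod ug=rw,o-rw,a-x "$dir/notes.txt"   # symbolic form: rw-rw----
    chmod -R go+r "$dir/play"               # recursive: add group/other read under play
    printf '%s %s %s\n' \
        "$(symbolic_to_octal "$(file_mode "$dir/private.txt")")" \
        "$(symbolic_to_octal "$(file_mode "$dir/notes.txt")")" \
        "$(symbolic_to_octal "$(file_mode "$dir/play/game.txt")")"
    rm -rf "$dir"
}
```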


Backup, Compress and Uncompress Files

Extension   Detail
.tar        Backup file extension
.tar.gz     Compressed after backup
.tgz        Backup and compress at the same time

Commands:

# tar cvf /opt/backup/backup.tar /home /boot

  -c   Stands for create
  -v   Stands for verbose mode, i.e. show the files with their full path
  -f   Stands for target, i.e. the archive file to write

  /opt/backup/backup.tar is the target path; /home and /boot are the source directories.

Comments: Take a backup of the two directories /home and /boot in the file backup.tar.

Compress/uncompress a tar file

# gzip backup.tar          (Compress the tar file; the output file will be backup.tar.gz)
# gunzip backup.tar.gz     (Uncompress this file; the output will be backup.tar)

Backup and compress at the same time

# tar czvf backup.tgz /home    (Backup of the home directory in compressed form)
# tar xzvf backup.tgz          (Uncompress backup.tgz and untar)

New Compression Utilities

# du -h /filename               (Check the file size)
# bzip2 -v filename             (Compress the file)
# du -h /filename               (Check the file size)
# bunzip2 compressedfilename    (Uncompress the file)

Restore Backup
Use the following commands to restore a backup:

# tar xvf backup.tar      (Extract the tar file)
# tar xzvf backup.tgz     (Extract the compressed backup)
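An added example, not from the book: the chapter's tar czvf / tar xzvf pair wrapped in functions that also verify the backup, by restoring it into a scratch directory and comparing the trees with diff -r, so a backup whose source has since changed (or that failed to capture a file) is reported instead of trusted. The directory tree is constructed inline as a stand-in for /home and /boot.

```shell
#!/bin/sh
# Build a small constructed tree standing in for /home and /boot (placeholder
# content only, not a real kernel image) and print its path.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/home/singh" "$base/boot"
    printf 'hello from singh\n' > "$base/home/singh/notes.txt"
    dd if=/dev/zero of="$base/boot/vmlinuz-sample" bs=1024 count=4 2>/dev/null
    printf '%s\n' "$base"
}

# backup_dirs ARCHIVE DIR...  -- the chapter's "tar czvf" without -v.
# tar strips the leading / from absolute paths (and says so on stderr).
backup_dirs() {
    archive=$1; shift
    tar czf "$archive" "$@" 2>/dev/null
}

# verify_archive ARCHIVE DIR...  -- extract into a scratch directory and
# compare every directory with what is on disk now. Prints OK or MISMATCH.
verify_archive() {
    archive=$1; shift
    scratch=$(mktemp -d)
    tar xzf "$archive" -C "$scratch"
    status=OK
    for d in "$@"; do
        # a backup of /home is restored under $scratch/home
        diff -r "$d" "$scratch/${d#/}" >/dev/null 2>&1 || status=MISMATCH
    done
    rm -rf "$scratch"
    printf '%s\n' "$status"
}

# archive_files ARCHIVE -- number of regular files listed by tar tzf
# (directory members end in a slash and are not counted).
archive_files() {
    tar tzf "$1" | grep -v '/$' | wc -l | tr -d ' '
}

# Demonstration: back up the sample tree, verify it, edit a source file,
# verify again. Returns "<verify before> <verify after> <file count>".
demo_backup() {
    base=$(make_sample_tree)
    backup_dirs "$base/backup.tgz" "$base/home" "$base/boot"
    before=$(verify_archive "$base/backup.tgz" "$base/home" "$base/boot")
    printf 'edited after the backup\n' >> "$base/home/singh/notes.txt"
    after=$(verify_archive "$base/backup.tgz" "$base/home" "$base/boot")
    files=$(archive_files "$base/backup.tgz")
    rm -rf "$base"
    printf '%s %s %s\n' "$before" "$after" "$files"
}
```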

Increase the size of SWAP partition

You installed a new Linux system, but forgot to set enough swap space for your needs. Do you need to repartition and reinstall? No, the swap utilities on Linux allow you to make a real file and use it as swap space. The trick is to make a file and then tell the swapon program to use it. Here's how to create, for example, a 500 MB swap file on your root partition.

dd if=/dev/zero of=/swapfile bs=500M count=1

This will make a 500 MB file on your hard drive. You now need to initialize it:

mkswap /swapfile

And you can then add it to your swap pool:

swapon /swapfile

With that you have 500 MB of swap added. Don't forget to add the swapon command to your startup files so the command will be repeated at each reboot.

Verify the swap size

cat /proc/swaps
free

Note:
If a swap partition was not created, an error is encountered during the creation of the swap file.

Permanently Active Swapfile
To enable the swap file at boot, add the following line to /etc/fstab:

/swapfile    swap    swap    defaults    0 0

The next time the system boots, it will enable the new swap file.

2nd Option to Activate it
Add the swapon command to a startup file, so the command is executed at each boot:

vi /etc/rc.local
swapon /swapfile

After adding the new swap file and enabling it, make sure it is enabled by viewing the output of cat /proc/swaps or free.

Create Swap Partition after Installation:

Create a partition with fdisk, for example /dev/hda5, then use the following commands to activate it as swap.

mkswap /dev/hda5

Then add a line like this to your /etc/fstab:

/dev/hda5    swap    swap    defaults    0 0

Note:
What do you use to format a swap partition, mkfs.swap? Swap is not a file system. You format swap with mkswap. See man mkswap.
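An added example, not from the book: the two steps of the swap-file procedure that are easy to get wrong are wrapped in shell functions, the /etc/fstab step made idempotent so that re-running it never duplicates the entry, and a check that the swap file is mode 0600 (it holds paged-out memory, and current mkswap versions warn about looser permissions). The root-only dd/mkswap/swapon sequence is kept in a guarded function that is defined but not run; the fstab and swap file used below are constructed in a temporary directory.

```shell
#!/bin/sh
# add_fstab_swap_entry FSTAB SWAPFILE
# Appends the line the chapter gives ("/swapfile swap swap defaults 0 0")
# unless an entry for that swap file is already present.
# Prints "added" or "present".
add_fstab_swap_entry() {
    fstab=$1 swapfile=$2
    if awk -v f="$swapfile" '$1 == f && $3 == "swap" { found = 1 } END { exit !found }' "$fstab"; then
        printf 'present\n'
    else
        printf '%s\tswap\tswap\tdefaults\t0 0\n' "$swapfile" >> "$fstab"
        printf 'added\n'
    fi
}

# check_swapfile_mode FILE
# A swap file must be readable and writable by root only (rw-------),
# otherwise other users could read memory pages written to it.
# Prints "ok" or "insecure".
check_swapfile_mode() {
    case $(ls -ld "$1" | cut -c2-10) in
        rw-------) printf 'ok\n' ;;
        *)         printf 'insecure\n' ;;
    esac
}

# create_swapfile FILE SIZE_MB
# The chapter's dd / mkswap / swapon sequence with the permission fix added
# and the fstab entry made persistent. Requires root, so it is only defined
# here, never called. bs=1M count=N avoids dd allocating one huge block.
create_swapfile() {
    [ "$(id -u)" -eq 0 ] || { echo 'create_swapfile: must run as root' >&2; return 1; }
    dd if=/dev/zero of="$1" bs=1M count="$2"
    chmod 600 "$1"
    mkswap "$1"
    swapon "$1"
    add_fstab_swap_entry /etc/fstab "$1"
}

# Demonstration on a constructed fstab and an empty placeholder swap file.
# Returns "<1st add> <2nd add> <mode before> <mode after> <fstab lines>".
demo_swap_fstab() {
    tmp=$(mktemp -d)
    printf '/dev/hda1 / ext3 defaults 1 1\n' > "$tmp/fstab"   # constructed fstab
    : > "$tmp/swapfile"
    chmod 644 "$tmp/swapfile"
    first=$(add_fstab_swap_entry "$tmp/fstab" /swapfile)
    second=$(add_fstab_swap_entry "$tmp/fstab" /swapfile)
    before=$(check_swapfile_mode "$tmp/swapfile")
    chmod 600 "$tmp/swapfile"
    after=$(check_swapfile_mode "$tmp/swapfile")
    lines=$(wc -l < "$tmp/fstab" | tr -d ' ')
    rm -rf "$tmp"
    printf '%s %s %s %s %s\n' "$first" "$second" "$before" "$after" "$lines"
}
```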

/dev/zero
In Unix-like operating systems, /dev/zero is a special file that provides as many null characters (ASCII NUL, 0x00) as are read from it. One of the typical uses is to provide a character stream for overwriting information. Another might be to generate a clean file of a certain size. It can also be used to create a virtual file as shared memory.

Destroy data on a partition

# Do not execute this command on any computer unless you want to destroy all data on a partition!
dd if=/dev/zero of=/dev/hda8

Like /dev/null, /dev/zero acts as a source and sink for data. All writes to /dev/zero succeed with no other effects (the same as for /dev/null, although /dev/null is the more commonly used data sink); all reads on /dev/zero return as many NULs as characters requested.

Disk Management:
Linux Hard Drive Naming Convention:
The partitions on each drive are referred to numerically. The first partition on the first drive is referred to as hda1, the second as hda2, the third as hda3, etc.

Linux IDE naming conventions:

Device      Description                       Configuration
/dev/hda    1st (Primary) IDE controller      Master
/dev/hdb    1st (Primary) IDE controller      Slave
/dev/hdc    2nd (Secondary) IDE controller    Master
/dev/hdd    2nd (Secondary) IDE controller    Slave

Note: SCSI disks are labeled /dev/sda, /dev/sdb, /dev/sdc, etc., to represent the first, second, third... SCSI hard drive. Partitions are represented by an additional number, i.e. first drive, first partition: /dev/sda1; second partition: /dev/sda2, ... Other SCSI devices such as tape backup are labeled /dev/st0 for the first, /dev/st1 for the second and so forth. See the Linux SCSI tutorial for more info.

Command and Response Dialog of Adding a New IDE Drive:

Linux's fdisk is a text-based tool that requires you to type one-letter commands. You can obtain a list of commands by typing ? or m at the fdisk prompt. The most important fdisk commands are listed in the table below.

TABLE: fdisk Commands

Command   Description
d         Delete a partition
n         Create a new partition
p         Displays (prints) the partition layout
q         Quits without saving changes
t         Change the partition's type
w         Writes (saves) changes and quits

As root perform the following (your input is the text after each prompt):

[root]# fdisk /dev/hdb

Command (m for help): m          (Enter the letter "m" to get the list of commands)
Command action
   a   toggle a bootable flag
   b   edit bsd disklabel
   c   toggle the dos compatibility flag
   d   delete a partition
   l   list known partition types
   m   print this menu
   n   add a new partition
   o   create a new empty DOS partition table
   p   print the partition table
   q   quit without saving changes
   s   create a new empty Sun disklabel
   t   change a partition's system id
   u   change display/entry units
   v   verify the partition table
   w   write table to disk and exit
   x   extra functionality (experts only)

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
e
Partition number (1-4): 1
First cylinder (1-2654, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-2654, default 2654):
Using default value 2654

Command (m for help): p

Disk /dev/hdb: 240 heads, 63 sectors, 2654 cylinders
Units = cylinders of 15120 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hdb1             1      2654  20064208+   5  Extended

Command (m for help): w          (Write and save the partition table)

[root]# mkfs -t ext3 /dev/hdb1
mke2fs 1.27 (8-Mar-2008)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
2508352 inodes, 5016052 blocks
250802 blocks (5.00%) reserved for the super user
First data block=0
154 block groups
32768 blocks per group, 32768 fragments per group
16288 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 4096000

Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 34 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

[root]# mkdir /opt2
[root]# mount -t ext3 /dev/hdb1 /opt2



Note:
A computer system may have multiple drives with primary partitions, but only one primary partition may be active on one drive only. The active primary partition is used for booting the system and is referenced by the Master Boot Record (MBR). Each hard drive may only have a maximum of four primary partitions. One may only boot an OS from a primary partition. Extended partitions allow one to place up to 24 partitions on a single drive.

FTP Server
The File Transfer Protocol (FTP) is used to copy files between computers over a LAN/WAN.

Package: Very Secure FTP Server (vsftpd), vsftpd.beasts.org
Configuration File: /etc/vsftpd/vsftpd.conf

Red Hat FTP Server Directories

Red Hat currently installs the vsftpd server package along with anonymous FTP support during installation. At that time, an ftp directory is created along with several subdirectories where you can place files for FTP access. For example, on Red Hat this would be at /var/ftp/pub.

Upload with Anonymous user

The vsftpd FTP package does not create a directory where users can upload files to the FTP site. If you want to upload files then you will have to create a directory, make it part of the ftp group, and then set its permissions to allow users write access.

chgrp ftp /var/ftp/pub/upload
chmod g+w /var/ftp/pub/upload

Configuring vsftpd
You configure vsftpd using one configuration file, /etc/vsftpd/vsftpd.conf. Red Hat installs a default vsftpd.conf file in the /etc/vsftpd directory. The man page for vsftpd.conf lists all options, providing a detailed explanation for each. Configuration file:

# Allow anonymous FTP?
anonymous_enable=YES
...
# The directory which vsftpd will try to change
# into after an anonymous login. (Default = /var/ftp)
anon_root=/data/directory
...
# Uncomment this to allow local users to log in.
local_enable=YES
...
# Uncomment this to enable any form of FTP write command.
# (Needed even if you want local users to be able to upload files)
write_enable=YES
...
# Uncomment to allow the anonymous FTP user to upload files. This only
# has an effect if global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
...
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
...
# Activate logging of uploads/downloads.
xferlog_enable=YES
...
# You may override where the log file goes if you like.
# The default is shown below.
xferlog_file=/var/log/vsftpd.log
...

More detail

Configuration Options for vsftpd.conf

Option                      Description
listen                      Set standalone mode
listen_port                 Specify port for standalone mode
anonymous_enable            Enable anonymous user access
local_enable                Enable access by local users
no_anon_password            Specify whether anonymous users must submit a password
anon_upload_enable          Enable uploading by anonymous users
anon_mkdir_write_enable     Allow anonymous users to create directories
anon_world_readable_only    Make uploaded files read only to all users
idle_session_timeout        Time limit in seconds for idle sessions
data_connection_timeout     Time limit in seconds for failed connections
dirmessage_enable           Display directory messages
ftpd_banner                 Display FTP login message
xferlog_enable              Enable logging of transmission transactions
xferlog_file                Specify log file
deny_email_enable           Enable denying anonymous users whose e-mail addresses are specified in vsftpd.banned
userlist_enable             Deny access to users specified in the vsftpd.user_list file
userlist_file               Deny or allow users access depending on the setting of userlist_deny
userlist_deny               When set to YES, the users listed in userlist_file are denied access. When set to NO, the users listed in userlist_file, and only those users, are allowed access
chroot_list_enable          Restrict users to their home directories
chroot_list_file            Allow users access to home directories. Unless chroot_local_user is set to YES, this file contains the list of users not allowed access to their home directories
chroot_local_user           Allow access by all users to their home directories
pam_service_name            Specify PAM script
ls_recurse_enable           Enable recursive listing

Command Access

Command usage is highly restricted by vsftpd.

Files for vsftpd

File                  Description
vsftpd.ftpusers       Users always denied access
vsftpd.user_list      Specified users denied access (allowed access if userlist_deny is NO)
vsftpd.chroot_list    Local users allowed access (denied access if chroot_local_user is on)

File                        Description
/etc/vsftpd/vsftpd.conf     vsftpd configuration file
/etc/pam.d/vsftpd           PAM vsftpd script
/etc/rc.d/init.d/vsftpd     Service vsftpd server script, standalone (Red Hat default)
/etc/xinetd.d/vsftpd        Xinetd vsftpd server script

Restrict Specific Users

The /etc/vsftpd.ftpusers File
For added security, you may restrict FTP access for certain users by adding them to the list of users in the /etc/vsftpd.ftpusers file.

Allow Access to Specific Users

To allow access for certain users only, edit the /etc/vsftpd/vsftpd.conf file as follows:

vi /etc/vsftpd/vsftpd.conf
userlist_enable=YES
userlist_deny=NO
:wq

Then open the file with vi /etc/vsftpd.user_list and add the user accounts which you want to allow. See the detail below.

userlist_enable    Deny access to users specified in the vsftpd.user_list file
userlist_file      Deny or allow users access depending on the setting of userlist_deny
userlist_deny      When set to YES, the users listed in userlist_file are denied access. When set to NO, the users listed in userlist_file, and only those users, are allowed access
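An added example, not from the book: a small audit of a vsftpd.conf that reports when anonymous users can write (the combination the configuration file's own comments say needs care) and that applies the userlist_enable / userlist_deny rule from the table above to decide whether a given account gets past the user list. The configuration files and user list are constructed inline for the example.

```shell
#!/bin/sh
# Constructed vsftpd.conf in the style of the chapter's excerpt (not a real server's file).
SAMPLE_VSFTPD_CONF='# Allow anonymous FTP?
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
xferlog_enable=YES
userlist_enable=YES
userlist_deny=NO'

# The same file with anonymous logins switched off; anon_upload_enable is then inert.
HARDENED_VSFTPD_CONF='anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=YES
userlist_enable=YES
userlist_deny=NO'

# Constructed /etc/vsftpd.user_list: one account per line.
SAMPLE_USER_LIST='javed
singh'

# vsftpd_option CONF_TEXT NAME -> value of NAME ("" when unset).
# Comment lines are ignored and the last assignment wins, as vsftpd reads it.
vsftpd_option() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '!/^[[:space:]]*#/ && $1 == k { v = $2 } END { print v }'
}

# vsftpd_anon_risks CONF_TEXT
# An anonymous user can upload or create directories only when
# anonymous_enable, write_enable and the specific anon_* option are all YES.
# Prints the findings, or "none".
vsftpd_anon_risks() {
    conf=$1 findings=''
    if [ "$(vsftpd_option "$conf" anonymous_enable)" = YES ] &&
       [ "$(vsftpd_option "$conf" write_enable)" = YES ]; then
        [ "$(vsftpd_option "$conf" anon_upload_enable)" = YES ] && findings="$findings anonymous-upload"
        [ "$(vsftpd_option "$conf" anon_mkdir_write_enable)" = YES ] && findings="$findings anonymous-mkdir"
    fi
    findings=${findings# }
    printf '%s\n' "${findings:-none}"
}

# vsftpd_user_allowed CONF_TEXT USER_LIST_TEXT USER -> allowed | denied
# Implements the userlist_enable / userlist_deny rule from the options
# table. "allowed" means the user list does not block the login; PAM and
# vsftpd.ftpusers are checked separately by vsftpd.
vsftpd_user_allowed() {
    conf=$1 list=$2 user=$3
    if [ "$(vsftpd_option "$conf" userlist_enable)" != YES ]; then
        printf 'allowed\n'; return          # the list is not consulted at all
    fi
    deny=$(vsftpd_option "$conf" userlist_deny)
    [ "$deny" = YES ] || deny=NO
    [ -n "$(vsftpd_option "$conf" userlist_deny)" ] || deny=YES   # vsftpd default: a deny list
    if printf '%s\n' "$list" | grep -qx -- "$user"; then listed=yes; else listed=no; fi
    case "$deny:$listed" in
        YES:yes|NO:no) printf 'denied\n' ;;    # deny list and listed, or allow list and not listed
        *)             printf 'allowed\n' ;;
    esac
}
```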


Telnet
You use the telnet command to log in remotely to another system on your network. The system can be on your local area network or available through an Internet connection.

Enable Telnet Services: you have to enable telnet by editing the following file: /etc/xinetd.d/krb5-telnet

Here change disable = yes (the default) to disable = no to use this service.

$ telnet 200.10.250.139
Connected to garnet
login:

Samba Server
With Samba, you can connect your Windows clients on a Microsoft Windows network to services such as shared files, systems, and printers controlled by the Linux Samba server, and, at the same time, allow Linux systems to access shared files and printers on Windows systems.

Package: Samba
Configure File: /etc/samba/smb.conf
Service: smb

Review the detail about Samba Applications:

Samba Applications

Application            Description
smbd                   Samba server daemon that provides file and printer services to SMB clients
nmbd                   Samba daemon that provides NetBIOS name resolution and service browser support
smbclient              Provides FTP-like access by Linux clients to Samba services
smbmount               Mounts Samba share directories on Linux clients
smbumount              Unmounts Samba share directories mounted on Linux clients
smbpasswd              Changes SMB-encrypted passwords on Samba servers
smbstatus              Displays the current status of the SMB network connections
smbrun                 Interface program between smbd and external programs
testparm               Tests the Samba configuration file, smb.conf
smbtar                 Backs up SMB/CIFS-shared resources directly to a Unix tape drive
nmblookup              Maps the NetBIOS name of a Windows PC to its IP address
redhat-config-samba    Samba GUI configuration tool (System Settings : Server Settings : Samba Server)
SWAT                   Samba Web administration tool for configuring smb.conf with a Web browser; enables you to use a Web page interface to create and maintain your Samba configuration file, smb.conf
winbind                Uses authentication services provided by a Windows domain

/etc/samba/smbpasswd
Samba maintains its own password file.

Starting Up Samba
For a simple Samba setup, you should be able to use the default smb.conf file installed with the Linux distribution package of Samba. If you need to make changes, however, you must restart the Samba server to have the changes take effect. Starting, stopping, and restarting the Samba server is managed by the /etc/rc.d/init.d/smb script using the options start, stop, and restart. On Red Hat, you can run the smb script directly as shown here:
service smb restart

Accessing Samba from Linux

To test your connection from a Linux system, you can use the smbclient command to query the Samba server. To access the home directory of a user on the Samba server, use the IP address or hostname of the Samba server, along with the homes section. With the -U option, specify a user to connect to on the system, as shown here:

smbclient //200.100.200.29/homes -U javed

You are then prompted for a password. If the client password is different from the server password, use the server password. Once connected, you are presented with the SMB client prompt as shown here. You can then access the files in the user's home directory:

smb: \>

Accessing Samba from Windows


To set up a connection for a Windows client, you need to specify the Windows workgroup name and configure the password. The workgroup name is the name that appears in the Entire Network window in the Network Neighborhood on the Windows desktop (My Network Places on Windows 2000, XP). In the smb.conf file, you specify the workgroup name in the workgroup= entry in the global section. The workgroup name should be uppercase, no more than eight characters, and contain no spaces. You can then restart the Samba server. On a Windows client, you see the workgroup name in the Entire Network folder in your Network Neighborhood. Within the workgroup is an icon for the Samba server and within that is an icon for the user directory, as specified in the homes section of the smb.conf file.

Samba Configuration File and Tools


Samba configuration options are kept in the /etc/samba/smb.conf file. You edit this file to make changes to the configuration. Once you finish making any changes, you should test your smb.conf file using the testparm program. The testparm program checks the validity of your configuration entries. By default, testparm uses the /etc/samba/smb.conf file, although you can supply a different configuration file as an argument:

testparm

smbstatus
To check your network connections, use the smbstatus command. This command returns a listing of all active SMB connections.

Domain Name System (DNS)

Reference Book: The Complete Reference, Enterprise Linux & Fedora Edition

The Domain Name System (DNS) is a service that locates and translates domain names into their corresponding Internet Protocol (IP) addresses.

Manual Translations: /etc/hosts

Any computer on the Internet can maintain a file that manually associates IP addresses with domain names. On Linux and Unix systems, this file is called the /etc/hosts file. Here, you can enter the IP addresses and domain names of computers you commonly access. Using this method, however, each computer needs a complete listing of all other computers on the Internet, and that listing must be updated constantly. Early on, this became clearly impractical for the Internet, though it is still feasible for small isolated networks.

Package: BIND (Berkeley Internet Name Domain)
Service: named
Configuration files: /etc/named.conf, /var/named/file.forward (create this file), /var/named/file.reverse

Server Hierarchy
Your network can have a master DNS server and several slave DNS servers to help carry the workload. A slave DNS server automatically copies its configuration files, including all zone files, from the master DNS server. Any changes to the master configuration files trigger an automatic download of these files to the slave servers.

Master Name Server
  o It contains the master copy of data for the zone.
Slave Name Server
  o It provides a backup to the master name server.
  o All slave servers maintain synchronization with their master name server.
Forwarder server
  A server that forwards unresolved DNS requests to outside DNS servers. Can be used to keep other servers on a local network hidden from the Internet.
Caching only server
  Caches DNS information it receives from DNS servers and uses it to resolve local requests.

Forward zone
The forward zone lists name servers outside your network that should be searched if your network's name server fails to resolve an address.

IN-ADDR.ARPA zone
DNS can also provide reverse resolutions, where an IP address is used to determine the associated domain name address. Such lookups are provided by IN-ADDR.ARPA zone files.

Hint zone
A hint zone specifies the root name servers and is denoted by a period (.). A DNS server is normally connected to a larger network, such as the Internet, which has its own DNS servers. DNS servers are connected this way hierarchically, with each server having its root servers to which it can send resolution queries. The root servers are designated in the hint zone.

DNS BIND Zone Types

Type      Description
master    Primary DNS zone
slave     Slave DNS server; controlled by a master DNS server
hint      Set of root DNS Internet servers
forward   Forwards any queries in it to other servers
stub      Like a slave zone, but holds only names of DNS servers

Forward Zone File in named.conf

zone "my-web-site.org" {
    type master;
    file "my-site.forward";
};
zone "another-web-site.com" {
    type master;
    notify no;
    file "another-site.forward";
};

BIND Configuration Statements

Statement        Description
/* comment */    BIND comment in C syntax.
// comment       BIND comment in C++ syntax.
# comment        BIND comment in Unix shell and Perl syntax.


Directory Option
A critically important option found in most configuration files is the directory option, which holds the location of the name server's zone and cache files on your system. The following example is taken from the Red Hat /etc/named.conf file. This example specifies that the zone files are located in the /var/named directory. In this directory, you can find your zone files, including those used for your local system.

options {
    directory "/var/named";
    forwarders { 192.168.0.34; 192.168.0.47; };
};

forwarders Option
Another commonly used global option is the forwarders option. With the forwarders option, you can list several DNS servers to which queries can be forwarded if they cannot be resolved by the local DNS server. This is helpful for local networks that may need to use a DNS server connected to the Internet. The forwarders option can also be placed in forward zone entries.

notify Option
With the notify option turned on, the master zone DNS servers send messages to any slave DNS servers whenever their configuration has changed. The slave servers can then perform zone transfers in which they download the changed configuration files. Slave servers always use the DNS configuration files copied from their master DNS servers. notify takes one argument, yes or no, where yes is the default. With the no argument, you can have the master server not send out any messages to the slave servers, in effect preventing any zone transfers. (Mentioned in the example above.)

named.conf Example: /etc/named.conf

//
// A simple BIND 9 configuration
//
logging {
    category cname { null; };
};
options {
    directory "/var/named";
};
zone "." {
    type hint;
    file "named.ca";
};
zone "my-site.org" {
    type master;
    file "my-site.forward";
};
zone "1.168.192.IN-ADDR.ARPA" {
    type master;
    file "my-site.rev";
};
zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "named.local";
};

Resource Record Types

Most Commonly Used Resource Records

Record Name   Record Type          Brief Definition of Record
A             Address (IP)         Maps an IP address in standard dot notation to a host name.
NS            Name Server          Identifies an authoritative name server for a domain zone.
CNAME         Canonical NAME       Alias hostname for the official hostname.
SOA           Start Of Authority   Identifies the best name server for information on a unique domain. Only one SOA can be used per zone.
PTR           PoinTeR              Reversely maps an IP address to a name, versus mapping a name to an IP address like an "A record".
MX            Mail EXchange        Identifies a host that will deliver, receive and forward mail.

Domain Name Service Resource Record Types

Type     Description
A        An IPv4 host address, maps hostname to IPv4 address
A6       An IPv6 host address
NS       Authoritative name server for this zone
CNAME    Canonical name, used to define an alias for a hostname
SOA      Start of Authority, starts DNS entries in zone file, specifies name server for domain, and other features such as server contact and serial number
WKS      Well-known service description
PTR      Pointer record, for performing reverse domain name lookups, maps IP address to hostname
RP       Text string that contains contact information about a host
HINFO    Host information
MINFO    Mailbox or mail list information
MX       Mail exchanger, informs remote site of your zone's mail server
TXT      Text strings, usually information about a host
KEY      Domain private key
SIG      Resource record signature
NXT      Next resource record

Start of Authority: SOA
A zone or reverse mapping file always begins with a special resource record called the Start of Authority (SOA) record. This record specifies that all the following records are authoritative for this domain. It also holds information about the name server's domain, which is to be given to other name servers. An SOA record has the same format as other resource records, though its data segment is arranged differently. The format for an SOA record follows:

name {ttl} class SOA Origin Person-in-charge (
        Serial number
        Refresh
        Retry
        Expire
        Minimum )

Each zone has its own SOA record. The SOA begins with the zone name specified in the named.conf zone entry. This is usually a domain name. An @ symbol is usually used for the name and acts like a macro expanding to the domain name. The class is usually the Internet class, IN. SOA is the type. Origin is the machine that is the origin of the records, usually the machine running your name server daemon. The person-in-charge is the email address for the person managing the name server (use dots, not @, for the e-mail address, as this symbol is used for the domain name). The following example shows an SOA record. The machine running the name server is server.my-site.com, and the e-mail address of the person responsible for the server is javed.my-site.com.

@   IN   SOA   server.my-site.com.   javed.my-site.com. (
                2008060301   ; Serial
                28800        ; Refresh
                14400        ; Retry
                3600000      ; Expire
                86400 )      ; Minimum

Name Server: NS
The name server record specifies the name of the name server for this zone. These have a resource record type of NS. If you have more than one name server, list them in NS records. These records usually follow the SOA record. As they usually apply to the same domain as the SOA record, their name field is often left blank to inherit the server's domain name specified by the @ symbol in the previous SOA record.

    IN   NS   server.my-site.com.

You can, if you wish, enter the domain name explicitly as shown here:

my-site.com.   IN   NS   server.my-site.com.

Address Record: A
Resource records of type A are address records that associate a fully qualified domain name with an IP address. Often, only their hostname is specified. Any domain names without a terminating period automatically have the domain appended to them. Given the domain my-site.com, the server name in the following example is expanded to server.my-site.com:

server2.my-site.com.   IN   A   192.168.0.2
server                 IN   A   192.168.0.1

The SOA Record Format

Field          Description
Name           The root name of the zone. The @ sign is a shorthand reference to the current origin (zone) in the /etc/named.conf file for that particular database file.
Class          There are a number of different DNS classes. Home/SOHO will be limited to the IN or Internet class used when defining IP address mapping information for BIND. Other classes exist for non-Internet protocols and functions but are very rarely used.
Type           The type of DNS resource record. In the example, this is an SOA resource record. Other types of records exist, which I'll cover later.
Nameserver     Fully qualified name of your primary name server. Must be followed by a period.
Emailaddress   The e-mail address of the name server administrator. The regular @ in the e-mail address must be replaced with a period instead. The e-mail address must also be followed by a period.
Serial-no      A serial number for the current configuration. You can use the date format YYYYMMDD with an incremented single digit number tagged to the end. This will allow you to do multiple edits each day with a serial number that both increments and reflects the date on which the change was made.
Refresh        Tells the slave DNS server how often it should check the master DNS server. Slaves aren't usually used in home/SOHO environments.
Retry          The slave's retry interval to connect to the master in the event of a connection failure. Slaves aren't usually used in home/SOHO environments.
Expiry         Total amount of time a slave should retry to contact the master before expiring the data it contains. Future references will be directed towards the root servers. Slaves aren't usually used in home/SOHO environments.
Minimum TTL    There are times when remote clients will make queries for subdomains that don't exist. Your DNS server will respond with a "no domain" or NXDOMAIN response that the remote client caches. This value defines the caching duration your DNS includes in this response.

Mail Exchanger: MX
The Mail Exchanger record, MX, specifies the mail server that is used for this zone or for a particular host. The mail exchanger is the server to which mail for the host is sent. In the following example, the mail server is specified as server.my-site.com. Any mail sent to the address for any machine in that zone will be sent to the mail server, which in turn will send it to the specific machine. For example, mail sent to a user on server2.my-site.com will first be sent to server.my-site.com, which will then send it on to server2.my-site.com. In the following example, the host 192.168.0.1 (server.my-site.com) is defined as the mail server for the my-site.com domain:

my-site.com.   IN   MX   10   server.my-site.com.

You could also inherit the domain name from the SOA record, leaving the domain name entry blank:

               IN   MX   10   server.my-site.com.

You could use the IP address instead, but in larger networks, the domain name may be needed to search for and resolve the IP address of a particular machine, which could change.

my-site.com.   IN   MX   10   192.168.0.1

An MX record recognizes an additional field that specifies the ranking for a mail exchanger. If your zone has several mail servers, you can assign them different rankings in their MX records. The smaller number has the higher ranking. This way, if mail cannot reach the first mail server, it can be routed to an alternate server to reach the host. In the following example, mail for hosts on the my-site.com domain is first routed to the mail server at 192.168.0.1 (server.my-site.com), and if that fails, it is routed to the mail server at 192.168.0.2 (server2.my-site.com).

my-site.com.   IN   MX   10   server.my-site.com.
               IN   MX   20   server2.my-site.com.

Aliases: CNAME
Resource records of type CNAME are used to specify alias names for a host in the zone. Aliases are often used for machines running several different types of servers, such as both Web and FTP servers. They are also used to locate a host when it changes its name: the old name becomes an alias for the new name. In the following example, ftp.my-site.com is an alias for a machine actually called server.my-site.com:

ftp.my-site.com.    IN  CNAME  server.my-site.com.

The term CNAME stands for canonical name. The canonical name is the actual name of the host. In the preceding example, the canonical name is server.my-site.com. The alias, also known as the CNAME, is ftp.my-site.com. In a CNAME entry, the alias points to the canonical name. Aliases cannot be used for NS (name server) or MX (mail server) entries. For those records, you need to use the original domain name or IP address.

A more stable way to implement aliases is simply to create another address record for a host or domain. You can have as many hostnames for the same IP address as you want, provided they are certified. For example, to make www.my-site.com an alias for server.my-site.com, you only have to add another address record for it, giving it the same IP address as server.my-site.com:

server.my-site.com.    IN  A  192.168.0.1
www.my-site.com.       IN  A  192.168.0.1

Pointer Record: PTR
A PTR record is used to perform reverse mapping from an IP address to a host. PTR records are used in the reverse mapping files. The name entry holds a reversed IP address, and the data entry holds the name of the host. The following example maps the IP address 192.168.0.1 to server.my-site.com:

1.1.168.192    IN  PTR  server.my-site.com.

In a PTR record, you can specify just the last number segment of the address (the host address) and let DNS fill in the domain part of the address. In the next example, 1 has the domain address, 1.168.192, automatically added to give 1.1.168.192:

1    IN  PTR  server.my-site.com.
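As an added example (not from the book), the following Python script derives the reverse-mapping PTR records described above from forward A records: it reverses the octets into in-addr.arpa names, writes the owner relative to the reverse zone origin as the short form does, and refuses addresses outside the zone or a second PTR for one address. The A records and the 192.168.0.0/24 network are constructed for the example.

```python
import ipaddress

# Constructed forward A records (owner name, address) for the my-site.com zone.
FORWARD_A_RECORDS = [
    ("server.my-site.com.", "192.168.0.1"),
    ("server2.my-site.com.", "192.168.0.2"),
    ("beach.my-site.com.", "192.168.0.33"),
    ("crab.beach.my-site.com.", "10.0.0.43"),  # outside 192.168.0.0/24
]


def reverse_name(ip):
    """Full in-addr.arpa owner for an IPv4 address: octets reversed, with the
    trailing period of an absolute name.  192.168.0.1 -> 1.0.168.192.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def reverse_zone_origin(cidr):
    """Origin of the reverse zone for a /8, /16 or /24 network,
    e.g. 192.168.0.0/24 -> 0.168.192.in-addr.arpa."""
    net = ipaddress.IPv4Network(cidr)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("in-addr.arpa zones are delegated on octet boundaries")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa."


def ptr_records(a_records, cidr):
    """Return (origin, [(relative owner, target)]) for the reverse zone of cidr.

    Owners are relative to the origin, as in the short form
    "1 IN PTR server.my-site.com.".  Addresses outside the network are skipped
    (they belong in another reverse zone), the target must be an absolute name,
    and each address gets at most one PTR so reverse lookups stay unambiguous.
    """
    net = ipaddress.IPv4Network(cidr)
    origin = reverse_zone_origin(cidr)
    records, seen = [], set()
    for owner, ip in a_records:
        if not owner.endswith("."):
            raise ValueError(f"{owner}: PTR target must be an absolute name")
        addr = ipaddress.IPv4Address(ip)
        if addr not in net:
            continue
        if addr in seen:
            raise ValueError(f"{ip}: more than one PTR for a single address")
        seen.add(addr)
        full = reverse_name(ip)
        relative = full[: -(len(origin) + 1)]  # drop ".<origin>"
        records.append((relative, owner))
    return origin, records


def render_reverse_zone(a_records, cidr):
    """Body of the reverse zone file: an $ORIGIN line followed by PTR records."""
    origin, records = ptr_records(a_records, cidr)
    lines = [f"$ORIGIN {origin}"]
    lines += [f"{rel:<8} IN  PTR  {owner}" for rel, owner in records]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_reverse_zone(FORWARD_A_RECORDS, "192.168.0.0/24"))
```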

Forward Zone Files


A zone file holds resource records that follow a certain format. The file begins with general directives to define default domains or to include other resource record files. These are followed by a single SOA record, name server and domain resource records, and then resource records for the different hosts. Comments begin with a semicolon and can be placed throughout the file. The @ symbol operates like a special macro, representing the domain name of the zone to which the records apply. The @ symbol is used in the first field of a resource or SOA record as the zone's domain name.

Example of Forward zone file

A zone file begins with an SOA record specifying the machine the name server is running on, among other specifications. The @ symbol is used for the name of the SOA record, denoting the zone's domain name. After the SOA, the name server resource records (NS) are listed. Just below the name server records are resource records for the domain itself. Resource records for host addresses (A), aliases (CNAME), and mail exchangers (MX) follow. The next example shows a sample zone file, which begins with an SOA record and is followed by an NS record, resource records for the domain, and then resource records for individual hosts:

; Authoritative data for server.my-site.com
;
@        IN  SOA    server.my-site.com. javed.server.my-site.com. (
                        93071200    ; Serial number
                        10800       ; Refresh 3 hours
                        3600        ; Retry 1 hour
                        3600000     ; Expire 1000 hours
                        86400 )     ; Minimum 24 hours
         IN  NS     server.my-site.com.
         IN  A      192.168.0.1
         IN  MX     10 server.my-site.com.
         IN  MX     15 server2.my-site.com.

server   IN  A      192.168.0.1
ftp      IN  CNAME  my-site.com.
www      IN  A      192.168.0.1
server2  IN  A      192.168.0.2

Nameserver Record
The next resource record specifies the name server for this zone. Here, it is my-site.com. Notice that the name for this resource record is blank. If the name is blank, a resource record inherits the name from the previous record. In this case, the NS record inherits the value of @ in the SOA record, its previous record. This is the zone's domain, and the NS record specifies server.my-site.com as the name server for this zone.

         IN  NS     server.my-site.com.

Here the domain name is inherited. The entry can be read as the following. Notice the trailing period at the end of the domain name:

my-site.com.    IN  NS  server.my-site.com.

Subdomain Zones
The name for the subdomain could be a different name altogether or a name with the same suffix as the primary domain. In the following example, the subdomain is called beach.my-site.com. It could just as easily be called mybeach.com. The name server for that domain is on the host crab.beach.my-site.com, in this example. Its IP address is 192.168.0.33 and its zone file is beach.my-site.com. The beach.my-site.com zone file holds DNS entries for all the hosts being serviced by this name server. The following example shows zone entries for its named.conf:

zone "beach.my-site.com" {
    type master;
    file "beach.my-site.com";
};

zone "1.168.192.IN-ADDR.ARPA" {
    type master;
    file "192.168.0";
};

Subdomain Records
On the primary DNS server, in the example server.my-site.com, you would place entries in the master zone file to identify the subdomain server's host and designate it as a name server. Such entries are also known as glue records. In this example, you would place the following entries in the my-site.com zone file on server.my-site.com:

beach.my-site.com.    IN  NS  beach.my-site.com.
beach.my-site.com.    IN  A   192.168.0.33

URL references to hosts serviced by server3.my-site.com can now be reached from any host serviced by my-site.com, which does not need to maintain any information about the server3.my-site.com hosts. It simply refers such URL references to the server3.my-site.com name server.

Slave Servers
A slave DNS server is tied directly to a master DNS server and periodically receives DNS information from it. You use a master DNS server to configure its slave DNS servers automatically. Any changes you make to the master server are automatically transferred to its slave servers. This transfer of information is called a zone transfer. Zone transfers are automatically initiated whenever the slave zone's refresh time is reached or the slave server receives a notify message from the master. The refresh time is the second argument in the zone's SOA entry. A notify message is automatically sent by the master whenever changes are made to the master zone's configuration files and the named daemon is restarted. In effect, slave zones are automatically configured by the master zone, receiving the master zone's zone files and making them their own.

Slave Zones
Using the previous examples, suppose you want to set up a slave server on server2.my-site.com. Zone entries, as shown in the following example, are set up in the named.conf configuration file for the slave DNS server on server2.my-site.com. The slave server is operating in the same domain as the master, and so it has the same zone name, my-site.com. Its SOA file is named slave.my-site.com. The term "slave" in the filename is merely a convention that helps identify it as a slave server configuration file. The masters statement lists its master DNS server, in this case 192.168.0.1. Whenever the slave needs to make a zone transfer, it transfers data from that master DNS server. The entry for the reverse mapping file for this slave server lists its reverse mapping file as slave.192.168.0.

zone "my-site.com" {
    type slave;
    file "slave.my-site.com";
    masters { 192.168.0.1; };
};

zone "1.168.192.IN-ADDR.ARPA" {
    type slave;
    file "slave.192.168.0";
    masters { 192.168.0.1; };
};

NFS (Network file System)


The Network File System protocol (NFS) is used when disks need to be shared between Linux machines. Ref Site: http://www.linuxhomenetworking.com, Ref Book: The Complete Reference Enterprise Linux & Fedora Edition

Package:            nfs
Service:            nfs, portmap, nfslock, netfs
Configuration file: /etc/exports

General NFS Rules
You should follow some general rules when configuring NFS.
1. Only export directories beneath the / directory.
2. Do not export a subdirectory of a directory that has already been exported, unless the subdirectory is on a different physical device. Likewise, do not export the parent of an exported subdirectory unless it is on a separate device.
3. Only export local filesystems.
Keep in mind that when you mount any file system on a directory, the original contents of the directory are ignored, or obscured, in favor of the files in the mounted file system. When the file system is unmounted, the original files in the directory reappear unchanged.

VFS
The virtual filesystem (VFS) interface is the mechanism used by NFS to transparently and automatically redirect all access to NFS-mounted files to the remote server. This is done in such a way that files on the remote NFS server appear to the user to be no different from those on a local disk.

Important NFS Daemons
NFS isn't a single program, but a suite of interrelated programs that work together to get the job done.

rpcbind: (portmap in older versions of Linux) The primary daemon upon which all the others rely, rpcbind manages connections for applications that use the RPC specification. By default, rpcbind listens on TCP port 111, on which an initial connection is made. This is then used to negotiate a range of TCP ports, usually above port 1024, to be used for subsequent data transfers. You need to run rpcbind on both the NFS server and client.
nfs: Starts the RPC processes needed to serve shared NFS file systems. The nfs daemon needs to be run on the NFS server only.
nfslock: Used to allow NFS clients to lock files on the server via RPC processes. The nfslock daemon needs to be run on both the NFS server and client.
netfs: Allows RPC processes run on NFS clients to mount NFS filesystems on the server.

Now take a look at how to configure these daemons to create functional NFS client/server.


Installing NFS
RedHat Linux installs nfs by default, and also by default nfs is activated when the system boots. You can determine whether you have nfs installed using the rpm command in conjunction with the grep command to search for all installed nfs packages.

[root@bigboy tmp]# rpm -qa | grep nfs
system-config-nfs-1.1.3-1
nfs-utils-1.0.1-3.9
[root@bigboy tmp]#

Now verify whether the portmap package (rpcbind on newer releases) is installed:

[root@bigboy tmp]# rpm -q portmap
portmap-4.0-57
[root@bigboy tmp]#

Configuring NFS on the Server


Both the NFS server and NFS client have to have parts of the NFS package installed and running. The server needs rpcbind, nfs, and nfslock operational, as well as a correctly configured /etc/exports file.

The /etc/exports File


The /etc/exports file is the main NFS configuration file, and it consists of two columns. The first column lists the directories you want to make available to the network. The second column has two parts. The first part lists the networks or DNS domains that can get access to the directory, and the second part lists NFS options in brackets.

For the scenario you need:

Read-only access to the /data/files directory for all networks
Read/write access to the /home directory from all servers on the 192.168.1.0/24 network, which is all addresses from 192.168.1.0 to 192.168.1.255
Read/write access to the /data/test directory from servers in the my-site.com DNS domain
Read/write access to the /data/database directory from the single server 192.168.1.203

In all cases, use the sync option to ensure that file data cached in memory is automatically written to the disk after the completion of any disk data copying operation.

#/etc/exports
/data/files      *(ro,sync)
/home            192.168.1.0/24(rw,sync)
/data/test       *.my-site.com(rw,sync)
/data/database   192.168.1.203(rw,sync)
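The following Python checker is an added example, not from the book: it parses an /etc/exports file in the two-column form just described and flags a nested export (rule 2 of the general NFS rules), an entry missing the sync option, a share writable by every host, and no_root_squash. The sample file is constructed from the scenario above with two faulty lines added on purpose.

```python
import re

# Constructed /etc/exports: the section's four entries plus two deliberate
# mistakes, a nested export of /home and a world-writable async share.
SAMPLE_EXPORTS = """\
#/etc/exports
/data/files     *(ro,sync)
/home           192.168.1.0/24(rw,sync)
/data/test      *.my-site.com(rw,sync)
/data/database  192.168.1.203(rw,sync)
/home/nfsuser   192.168.1.0/24(rw,sync)
/pub            *(rw,async,no_root_squash)
"""

# One client entry: "<client>(<opt>,<opt>)"; the client part may be empty.
_ENTRY_RE = re.compile(r"^([^(\s]*)(?:\(([^)]*)\))?$")


def parse_exports(text):
    """Return (line number, directory, client, [options]) for every entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        directory, clients = fields[0], fields[1:] or ["*"]  # no client: everyone
        for token in clients:
            match = _ENTRY_RE.match(token)
            if not match:
                raise ValueError(f"line {lineno}: cannot parse {token!r}")
            client = match.group(1) or "*"
            options = [o for o in (match.group(2) or "").split(",") if o]
            entries.append((lineno, directory, client, options))
    return entries


def _is_inside(child, parent):
    return child != parent and child.startswith(parent.rstrip("/") + "/")


def check_exports(entries):
    """Return (code, line number, message) findings in file order."""
    findings = []
    exported = []  # (directory, line) seen so far, for the nesting rule
    for lineno, directory, client, options in entries:
        for other, other_line in exported:
            if other != directory and (_is_inside(directory, other)
                                       or _is_inside(other, directory)):
                findings.append(("nested", lineno,
                                 f"{directory} and {other} (line {other_line}) are "
                                 "nested; export one unless they are separate devices"))
        exported.append((directory, lineno))
        if client == "*" and "rw" in options:
            findings.append(("world-rw", lineno, f"{directory} is writable by any host"))
        if "sync" not in options:
            findings.append(("no-sync", lineno,
                             f"{directory} for {client} lacks sync; cached writes can be lost"))
        if "no_root_squash" in options:
            findings.append(("no_root_squash", lineno,
                             f"{directory} for {client} lets remote root keep root rights"))
    return findings


if __name__ == "__main__":
    for code, line, message in check_exports(parse_exports(SAMPLE_EXPORTS)):
        print(f"line {line}: [{code}] {message}")
```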

Starting NFS on the Server


Configuring an NFS server is straightforward:

1) Use the chkconfig command to configure the required nfs and RPC rpcbind or portmap daemons to start at boot. You also should activate NFS file locking to reduce the risk of corrupted data.

[root@bigboy tmp]# chkconfig --level 35 nfs on
[root@bigboy tmp]# chkconfig --level 35 nfslock on
[root@bigboy tmp]# chkconfig --level 35 portmap on

2) Use the init scripts in the /etc/init.d directory to start the nfs and portmap daemons. The examples use the start option, but when needed, you can also stop and restart the processes with the stop and restart options.

[root@bigboy tmp]# service portmap start
[root@bigboy tmp]# service nfs start
[root@bigboy tmp]# service nfslock start

Configuring NFS on The Client


NFS configuration on the client requires you to start the NFS application, create a directory on which to mount the NFS server's directories that you exported via the /etc/exports file, and finally mount the NFS server's directory on your local directory, or mount point. Here's how to do it all.

Starting NFS on the Client
Three more steps easily configure NFS on the client.

1) Use the chkconfig command to configure the required nfs and RPC rpcbind or portmap daemons to start at boot. Activate nfslock to lock the files and reduce the risk of corrupted data.

[root@smallfry tmp]# chkconfig --level 35 netfs on
[root@smallfry tmp]# chkconfig --level 35 nfslock on
[root@smallfry tmp]# chkconfig --level 35 portmap on

2) Use the init scripts in the /etc/init.d directory to start the nfs and RPC rpcbind or portmap daemons. As on the server, the examples use the start option, but you can also stop and restart the processes with the stop and restart options.

[root@smallfry tmp]# service portmap start
[root@smallfry tmp]# service netfs start
[root@smallfry tmp]# service nfslock start

Accessing NFS Server Directories from the Client


In most cases, users want their NFS directories to be permanently mounted using the file /etc/fstab. The /etc/fstab file lists all the partitions that need to be auto-mounted when the system boots. Therefore, you need to edit the /etc/fstab file if you need the NFS directory to be made permanently available to users on the NFS client. For the example, mount the /data/files directory on the server (IP address 192.168.1.100) as an NFS-type file system using the local /mnt/nfs mount point directory.

#/etc/fstab
#Directory                  Mount Point   Type   Options   Dump   FSCK
192.168.1.100:/data/files   /mnt/nfs      nfs    soft      0      0

Permanently Mounting the NFS Directory
You'll now create a mount point directory, /mnt/nfs, on which to mount the remote NFS directory and then use the mount -a command to activate the mount.

[root@smallfry tmp]# ls /mnt/nfs
[root@smallfry tmp]# mount -a

Each time your system boots, it reads the /etc/fstab file and executes the mount -a command, thereby making this a permanent NFS mount.

Manually Mounting NFS File Systems

If you don't want a permanent NFS mount, then you can use the mount command without the /etc/fstab entry to gain access only when necessary. This is a manual process. In this case, you're mounting the /data/files directory as an NFS-type filesystem on the /mnt/nfs mount point. The NFS server is bigboy, whose IP address is 192.168.1.100. Notice how before mounting there were no files visible in the /mnt/nfs directory; this changes after the mounting is complete:

[root@smallfry tmp]# mkdir /mnt/nfs
[root@smallfry tmp]# ls /mnt/nfs
[root@smallfry tmp]# mount -t nfs 192.168.1.100:/data/files /mnt/nfs
[root@smallfry tmp]# ls /mnt/nfs
ISO  ISO-RedHat  kickstart  RedHat

Congratulations! You've made your first steps towards being an NFS administrator.

Activating Modifications To The /etc/exports File
You can force your system to re-read the /etc/exports file by restarting NFS. In a nonproduction environment, this may cause disruptions when an exported directory suddenly disappears without prior notification to users. Here are some methods you can use to update and activate the file with the least amount of inconvenience to others.

New Exports File
When no directories have yet been exported to NFS, use the exportfs -a command.

[root@bigboy tmp]# exportfs -a

Adding A Shared Directory To An Existing Exports File
When adding a shared directory, you can use the exportfs -r command to export only the new entries.

[root@bigboy tmp]# exportfs -r

Deleting, Moving Or Modifying A Share
Removing an exported directory from the /etc/exports file requires work on both the NFS client and server. The steps are:

1) Unmount the mount point directory on the NFS client using the umount command. In this case, you're unmounting the /mnt/nfs mount point.

[root@smallfry tmp]# umount /mnt/nfs

Note: You may also need to edit the /etc/fstab file to remove any entries related to the mount point if you want to make the change permanent even after rebooting.

2) Comment out the corresponding entry in the NFS server's /etc/exports file and reload the modified file.

[root@bigboy tmp]# exportfs -ua
[root@bigboy tmp]# exportfs -a

Troubleshooting NFS
A basic NFS configuration usually works without problems when the client and server are on the same network. The most common problems are caused by forgetting to start NFS, to edit the /etc/fstab file, or to export the /etc/exports file. Another common cause of failure is the iptables firewall daemon running on either the server or client without the administrator realizing it. As always, no troubleshooting plan would be complete without frequent reference to the /var/log/messages file when searching for additional clues. Table 29.2 shows some common NFS errors you'll encounter.

Table 29.2 Some Common NFS Error Messages

Error                              Description
Too many levels of remote in path  Attempting to mount a filesystem that has already been mounted.
Permission denied                  User is denied access. This could be the client's root user, who has unprivileged status on the server due to the root_squash option. Could also be because the user on the client doesn't exist on the server.
No such host                       Typographical or DNS configuration error in the name of the server.
No such file or directory          Typographical error in the name of the file or directory: they don't exist.
NFS server is not responding       The server could be overloaded or down.
Stale file handle                  A file that was previously accessed by the client was deleted on the server before the client closed it.
Fake hostname                      Forward and reverse DNS entries don't exist for the NFS client.

The showmount Command
When run on the server, the showmount -a command lists all the currently exported directories. It also shows a list of NFS clients accessing the server; in this case one client has an IP address of 192.168.1.102.

[root@bigboy tmp]# showmount -a
All mount points on bigboy:
*:/home
192.168.1.102:*

The df Command
The df command lists the disk usage of a mounted filesystem. Run it on the NFS client to verify that NFS mounting has occurred. In many cases, the root_squash mount option will prevent the root user from doing this, so it's best to try it as an unprivileged user.

[nfsuser@smallfry nfsuser]$ df -t nfs
Filesystem                   1K-blocks     Used Available Use% Mounted on
192.168.1.100:/home/nfsuser    1032056   346552    633068  36% /home/nfsuser

Ports of NFS services


The portmapper uses port 111 and nfsd uses 2049.


NFS Security: /etc/hosts.allow and /etc/hosts.deny


The /etc/hosts.allow and /etc/hosts.deny files are used to restrict access to services provided by your server to hosts on your network or on the Internet (if accessible). For example, you can use the hosts.allow file to permit access by certain hosts to your FTP server. Entries in the hosts.deny file would explicitly deny access to certain hosts. For NFS, you can provide the same kind of security by controlling access to specific NFS daemons.

Portmapper Service
The first line of defense is to control access to the portmapper service. The portmapper tells hosts where the NFS services can be found on the system. Restricting access does not allow a remote host to even locate NFS. For a strong level of security, you should deny access to all hosts except those that are explicitly allowed. In the hosts.deny file, you would place the following entry, denying access to all hosts by default. ALL is a special keyword denoting all hosts.

portmap:ALL

In the hosts.allow file, you would then enter the hosts on your network, or any others that you want to permit access to your NFS server. Again, you specify the portmapper service, then list the IP addresses of the hosts you are permitting access. You can list specific IP addresses or a network range using a netmask. The following example allows access only by hosts in the local network, 192.168.0.0, and by the host 10.0.0.43. You can separate addresses with commas.

portmap: 192.168.0.0/255.255.255.0, 10.0.0.43

In addition, it is also advisable to add the same level of control for specific NFS services. In the hosts.deny file, you would add entries for each service, as shown here:

mountd:ALL
rquotad:ALL
statd:ALL
lockd:ALL

Then, in the hosts.allow file, you can add entries for each service:

mountd: 192.168.0.0/255.255.255.0, 10.0.0.43
rquotad: 192.168.0.0/255.255.255.0, 10.0.0.43
statd: 192.168.0.0/255.255.255.0, 10.0.0.43
lockd: 192.168.0.0/255.255.255.0, 10.0.0.43
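The following Python evaluator is an added example, not from the book, showing how tcp_wrappers applies the two files above: hosts.allow is consulted first and a match grants access, then hosts.deny and a match refuses it, and a client named in neither file is let in, which is why the deny-ALL lines matter. The file contents are constructed from the section's entries, and statd is deliberately left out of both files to show that gap.

```python
import ipaddress

# Constructed hosts.allow / hosts.deny contents built from the section's entries.
# statd is intentionally absent from both files.
HOSTS_ALLOW = """\
portmap: 192.168.0.0/255.255.255.0, 10.0.0.43
mountd:  192.168.0.0/255.255.255.0, 10.0.0.43
"""
HOSTS_DENY = """\
portmap:ALL
mountd:ALL
rquotad:ALL
"""


def parse_access_file(text):
    """Return [(daemon, [client patterns])] in file order; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        patterns = [p.strip() for p in clients.split(",") if p.strip()]
        for daemon in daemons.split(","):
            rules.append((daemon.strip(), patterns))
    return rules


def client_matches(pattern, ip):
    """Address patterns handled: ALL, net/mask, a trailing-dot prefix such as
    192.168.0., or a single address (hostname patterns are not handled)."""
    addr = ipaddress.IPv4Address(ip)
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        mask_int = int(ipaddress.IPv4Address(mask))
        return (int(addr) & mask_int) == (int(ipaddress.IPv4Address(net)) & mask_int)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return addr == ipaddress.IPv4Address(pattern)


def file_matches(rules, daemon, ip):
    """True if any rule for this daemon (or for ALL daemons) names the client."""
    return any(
        d in (daemon, "ALL") and any(client_matches(p, ip) for p in patterns)
        for d, patterns in rules
    )


def is_allowed(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers order: hosts.allow (match => allow), then hosts.deny
    (match => deny); a client listed in neither file is allowed."""
    if file_matches(parse_access_file(allow_text), daemon, ip):
        return True
    if file_matches(parse_access_file(deny_text), daemon, ip):
        return False
    return True


if __name__ == "__main__":
    for daemon, ip in [("portmap", "192.168.0.17"), ("portmap", "10.0.0.44"),
                       ("rquotad", "192.168.0.17"), ("statd", "203.0.113.5")]:
        print(f"{daemon:8} {ip:15} {'allow' if is_allowed(daemon, ip) else 'deny'}")
```

The last case prints allow: with no hosts.deny entry for statd, the wrapper default lets any client through, which is the reason for the per-service ALL entries above.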

Netfilter Rules
You can further control access using Netfilter to check transmissions from certain hosts on the ports used by NFS services. The portmapper uses port 111 and nfsd uses 2049. Netfilter is helpful if you have a private network that has an Internet connection, and you want to protect it from the Internet. Usually a specific network device, such as an Ethernet card, is dedicated to the Internet connection. The following examples assume that device eth1 is connected to the Internet. Any packets attempting access on ports 111 and 2049 are refused (with iptables, -p names the protocol, the port is selected with --dport, and the target that silently refuses a packet is DROP):

iptables -A INPUT -i eth1 -p tcp --dport 111 -j DROP
iptables -A INPUT -i eth1 -p udp --dport 111 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 2049 -j DROP
iptables -A INPUT -i eth1 -p udp --dport 2049 -j DROP

To enable NFS for your local network, you will have to allow packet fragments. Assuming that eth0 is the device used for the local network, you could use the following example:

iptables -A INPUT -i eth0 -f -j ACCEPT

Proxy Servers: Squid

Ref: http://www.visolve.com/squid/squid26/logs.php
Ref: http://www.linuxhomenetworking.com/

A proxy server operates as an agent between the Web browsers (clients) and the servers they access. Technically, you could use a proxy server to simply manage traffic between a Web server and the clients that want to communicate with it, without doing caching at all. Squid combines both capabilities as a proxy-caching server.

Package:            squid
Service:            squid
Configuration file: /etc/squid/squid.conf

The /etc/squid/squid.conf File
The main Squid configuration file is squid.conf, and, like most Linux applications, Squid needs to be restarted for changes to the configuration file to take effect.

The Visible Host Name
Squid will fail to start if you don't give your server a hostname. You can set this with the visible_hostname parameter. Here, the hostname is set to the real name of the server, tipu:

visible_hostname tipu

Proxy Server Port
As a proxy, Squid uses certain ports for specific services, such as port 3128 for HTTP services like Web browsers. Default port numbers are already set for Squid. Should you need to use other ports, you can set them in the /etc/squid/squid.conf file. The following entry shows how you would set the Web browser port; here it is changed to 8080:

# http_port 3128
http_port 8080

Access Control Lists
You can limit users' ability to browse the Internet with access control lists (ACLs). Each ACL line defines a particular type of activity, such as an access time or source network. ACLs are then linked to an http_access statement that tells Squid whether to deny or allow traffic that matches the ACL.

Restricting Web Access by Time
To restrict access to the Squid proxy by time, use the format:

acl aclname time [day-abbrevs] [h1:m1-h2:m2]

day-abbrevs:
S - Sunday
M - Monday
T - Tuesday
W - Wednesday
H - Thursday
F - Friday
A - Saturday

This can be used, for instance, to restrict access to work hours (9am - 5pm, Monday to Friday):

acl workdays time M T W H F 9:00-17:00
http_access allow workdays

2nd example

acl clients src 192.168.0.3
acl lunchtime time MTWHF 12:00-13:00
# two acl in single syntax
http_access allow clients lunchtime
http_access deny clients

Detail:
You can create access control lists with time parameters. For example, you can allow only business hour access from the home network, while always restricting access to host 192.168.1.23.

#
# Add this to the bottom of the ACL section of squid.conf
#Recommended minimum configuration
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
#
# Add this at the top of the http_access section of squid.conf
#Recommend minimum configuration
http_access deny RestrictedHost
http_access allow home_network business_hours

2nd Example

By defining ACLs and using them in Squid options, you can tailor your Web site with the kind of security you want. The following example allows access to the Web through the proxy by only the mylan group of local systems, denying access to all others. Two acl entries are set up: one for the local network and one for all others. The http_access options first allow access to the local network and then deny access to all others.

# Add this to the bottom of the ACL section of squid.conf
#Recommended minimum configuration
acl mylan src 192.168.0.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
# Add this at the top of the http_access section of squid.conf
#Recommend minimum configuration
http_access allow mylan
http_access deny all

Restricting Access to specific Web sites
Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs. In this example we create two lists in files named /usr/local/etc/allowed-sites.squid and /usr/local/etc/restricted-sites.squid.

#We want to limit downloads of these types of files
#Put this all in one line
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov

# Create a file /usr/local/etc/allowed-sites.squid
www.openfree.org
linuxhomenetworking.com

# File: /usr/local/etc/restricted-sites.squid
www.porn.com
illegal.com

These can then be used to always block the restricted sites and permit the allowed sites during working hours. This can be illustrated by expanding our previous example slightly.

#
# Add this to the bottom of the ACL section of squid.conf
#
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"

#another example
acl blocked_sites url_regex www.xxx.com
acl blocked_sites url_regex www.yyy.com
acl blocked_sites url_regex www.zzz.com
acl blocked_sites url_regex "/var/smoothwall/proxy/badsites.txt"
http_access deny blocked_sites

#
# Add this at the top of the http_access section of squid.conf
#
http_access deny BadSites
http_access allow home_network business_hours GoodSites
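Added example, not part of the book: a small Python evaluator for the acl and http_access lines used in this and the preceding ACL examples. It reproduces Squid's decision order (http_access lines tried in sequence, every ACL on a line must match, first match wins, no match gives the opposite of the last line) for the src, time, dstdomain and url_regex types, so the effect of placing deny RestrictedHost before the allow line can be checked. The squid.conf fragment, the site lists (held in memory rather than in the files) and the request times are constructed.

```python
import datetime
import ipaddress
import re
import shlex

# Constructed squid.conf fragment assembled from the section's ACL examples.
SQUID_CONF = """\
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
acl GoodSites dstdomain "/usr/local/etc/allowed-sites.squid"
acl BadSites dstdomain "/usr/local/etc/restricted-sites.squid"
acl magic_words2 url_regex -i .exe .mp3 .iso
http_access deny RestrictedHost
http_access deny BadSites
http_access deny magic_words2
http_access allow home_network business_hours GoodSites
http_access deny all
"""
# In-memory stand-ins for the two list files the section creates (constructed).
LIST_FILES = {
    "/usr/local/etc/allowed-sites.squid": ["www.openfree.org", "linuxhomenetworking.com"],
    "/usr/local/etc/restricted-sites.squid": ["www.porn.com", "illegal.com"],
}
# Squid day letters from the section mapped to datetime.weekday() (Monday == 0).
DAY_CODES = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}
# Constructed request times: a Wednesday and a Sunday, both at 10:30.
WORKDAY = datetime.datetime(2009, 9, 2, 10, 30)
WEEKEND = datetime.datetime(2009, 9, 6, 10, 30)


def parse_conf(text):
    """acl lines (same name repeated is OR-ed, as with blocked_sites) and
    http_access lines in file order; 'all' defaults to every address."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = shlex.split(line)
        if words[0] == "acl":
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    acls.setdefault("all", [("src", ["0.0.0.0/0.0.0.0"])])
    return acls, rules


def _time_matches(args, when):
    days = "".join(a for a in args if ":" not in a)  # "M T W H F" or "MTWHF"
    if days and when.weekday() not in {DAY_CODES[c] for c in days}:
        return False
    minute = when.hour * 60 + when.minute
    for span in (a for a in args if ":" in a):  # h1:m1-h2:m2, bounds inclusive
        (h1, m1), (h2, m2) = (map(int, t.split(":")) for t in span.split("-"))
        if not h1 * 60 + m1 <= minute <= h2 * 60 + m2:
            return False
    return True


def _domain_matches(patterns, host):
    # ".example.com" also covers its subdomains; a bare name matches exactly.
    return any(host == p or (p.startswith(".") and (host == p[1:] or host.endswith(p)))
               for p in patterns)


def acl_matches(acls, name, req):
    """Only the four acl types used in the section are handled."""
    for kind, args in acls[name]:
        if kind == "src":
            src = ipaddress.IPv4Address(req["src"])
            if any(src in ipaddress.IPv4Network(a, strict=False) for a in args):
                return True
        elif kind == "time":
            if _time_matches(args, req["when"]):
                return True
        elif kind == "dstdomain":
            domains = [d for a in args for d in (LIST_FILES[a] if a.startswith("/") else [a])]
            if _domain_matches(domains, req["host"]):
                return True
        elif kind == "url_regex":
            flags = re.IGNORECASE if "-i" in args else 0
            if any(re.search(p, req["url"], flags) for p in args if p != "-i"):
                return True
    return False


def decide(conf_text, req):
    """'allow' or 'deny'.  Lines are tried in order, all ACLs on a line must
    match, first match wins; with no match Squid applies the opposite of the
    last line's action (deny if there are no lines), hence the closing 'deny all'."""
    acls, rules = parse_conf(conf_text)
    action = "allow"
    for action, names in rules:
        if all(acl_matches(acls, n, req) for n in names):
            return action
    return "deny" if action == "allow" else "allow"


def request(src, url, when):
    host = url.split("//", 1)[1].split("/", 1)[0]
    return {"src": src, "url": url, "host": host, "when": when}
```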

Allowing clients based on MAC Address:


#vi /etc/squid/squid.conf
acl allowed_mac_address arp 02-00-4C-4F-4F-50
http_access allow allowed_mac_address
:wq

Transparent Proxy:

In a transparent proxy, browsers automatically detect the proxy server, which provides Internet access to users. In an "ordinary" proxy, the client specifies the hostname and port number of a proxy in his web browsing software. The browser then makes requests to the proxy for Internet access; this is all fine and good, but sometimes one of several situations arises. Either:

You want to force clients on your network to use the proxy, whether they want to or not.
You want clients to use a proxy, but don't want them to know they're using a proxy.
You want clients to use a proxy, but don't want to go to all the work of updating the settings in hundreds or thousands of web browsers.

This is where transparent proxy comes in. A web request can be intercepted by the proxy, transparently. That is, as far as the client software knows, it is talking to the origin server (Internet) itself.

#vi /etc/squid/squid.conf
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Detail:
The four lines inform Squid to run as a transparent proxy; below is a list of what each individual line achieves:

httpd_accel_host virtual - This tells the accelerator to work for any URL that it is given (the usual usage for the accelerator is to inform it which URL it must accelerate).
httpd_accel_port 80 - Informs the accelerator which port to listen to. The accelerator is a very powerful tool and much of its usage is beyond the scope of this section; the only knowledge required here is that this setting ensures that the transparent proxy accesses the websites we wish to browse via the correct HTTP port, where the standard is port 80.
httpd_accel_with_proxy on - By default, when Squid has its accelerator options enabled it stops being a cache server. To reinstate this (obviously important, as the whole purpose behind this configuration is a cache server) we turn the httpd_accel_with_proxy option on.
httpd_accel_uses_host_header on - In a nutshell, with this option turned on Squid is able to find out which website you are requesting.

Warning: proxy_auth (authentication-based proxy server) can't be used in a transparent proxy. It collides with any authentication done by origin servers. It may seem like it works at first, but it doesn't.

Linux as Gateway Server


We can configure a Linux machine as a gateway server:
1. Configure a transparent proxy server.
2. Enable IP forwarding through the /etc/sysctl.conf file.
3. Run the command sysctl -p.
4. Assign the Linux server's IP as the gateway on the client machines.

Password Authentication Using NCSA


You can configure Squid to prompt users for a username and password. Squid comes with a program called ncsa_auth that reads any NCSA-compliant encrypted password file. You can use the htpasswd program that comes installed with Apache to create your passwords. Here is how it's done:

1) Create the password file. The name of the password file should be /etc/squid/squid_passwd, and you need to make sure that it's universally readable.

# touch /etc/squid/squid_passwd
# chmod o+r /etc/squid/squid_passwd

2) Use the htpasswd program to add users to the password file. You can add users at any time without having to restart Squid. In this case, you add a username called javed:

# htpasswd /etc/squid/squid_passwd javed
New password:
Re-type new password:
Adding password for user javed

3) Find your ncsa_auth file using the locate command.

# locate ncsa_auth
/usr/lib/squid/ncsa_auth

4) Edit squid.conf; specifically, you need to define the authentication program in squid.conf, which in this case is ncsa_auth. Next, create an ACL named ncsa_users with the REQUIRED keyword that forces Squid to use the NCSA auth_param method you defined previously. Finally, create an http_access entry that allows traffic that matches the ncsa_users ACL entry. Here's a simple user authentication example; the order of the statements is important. auth_param basic children 15 starts 15 authentication processes: if 16 users log in at the same time, the last user will have to wait until an authentication process becomes available.

#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users

5) This requires password authentication and allows access only during business hours. Once again, the order of the statements is important:

#
# Add this to the auth_param section of squid.conf
#
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
#
# Add this to the bottom of the ACL section of squid.conf
#
acl ncsa_users proxy_auth REQUIRED
acl business_hours time M T W H F 9:00-17:00
#
# Add this at the top of the http_access section of squid.conf
#
http_access allow ncsa_users business_hours

Remember to restart Squid for the changes to take effect.

Starting Squid
To start Squid, you'll need to run the following commands:

/usr/local/squid/bin/squid -z
/usr/local/squid/bin/squid

The first command creates the cache directories, and the second starts the daemon. The first command only needs to be run the first time the proxy is used.

CACHE DIRECTORIES
TAG NAME Description Build Option Usage Default cache_dir This is used to define cache directory, its path, type and size Default cache_dir Type Directory-Name FS-specfic-data [options] cache_dir ufs /usr/local/Squid/var/cache 100 16 256

Detail
Type specifies the kind of storage system to use. Only "ufs" is built by default. To enable any of the other storage systems see the --enablestoreio configure option. Type is one of the following:
70

1. ufs is the old well-known Squid storage format that has always been there. 2. aufs uses the same storage format as ufs, utilizing POSIXthreads to avoid blocking the main Squid process on disk-I/O. This was formerly known in Squid as async-io (Asynchronous

I/O, or non-blocking I/O, is a form of input/output processing that permits other processing to continue before the transmission has finished) .
3. diskd uses the same storage format as ufs, utilizing a separate process to avoid blocking the main Squid process on disk-I/O. Type ufs aufs diskd Usage cache_dir ufs Directory-Name Mbytes L1 L2 [options] cache_dir aufs Directory-Name Mbytes L1 L2 [options]s cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]

Directory-Name: a top-level directory where cache swap files will be stored. If you want to use an entire disk for caching, this can be the mount-point directory. The directory must exist and be writable by the Squid process. Squid will NOT create this directory for you.
Mbytes: the amount of disk space (in MB) to use under this directory. The default is 100 MB. Change this to suit your configuration.
Level1 (L1): number of first-level subdirectories which will be created under the directory. The default is 16.
Level2 (L2): number of second-level subdirectories which will be created under each first-level directory. The default is 256.
Q1: number of unacknowledged I/O requests at which Squid stops opening new files. If this many messages are in the queues, Squid won't open new files. Default is 64.
Q2: number of unacknowledged messages at which Squid starts blocking. If this many messages are in the queues, Squid blocks until it receives some replies. Default is 72.

Options:

read-only: make the cache directory read only.
max-size=n: the maximum object size this storedir supports. It is used to initially choose the storedir to dump the object.
Default: cache_dir ufs /usr/local/squid/cache 100 16 256

Example:
cache_dir ufs /cache1 5000 16 256
cache_dir ufs /cache2 7000 16 256

Note: you can specify multiple cache_dir lines to spread the cache among different disk partitions.

Tag Name: cache_access_log
Usage: cache_access_log Directory-path/filename
Description: This tag is used to specify the path of the access.log file, which logs the client request activity. It contains an entry for every HTTP and ICP query received. Log details can be customized using log_mime_hdrs, log_fqdn, client_netmask and emulate_httpd_log. See also log_icp_queries.
Default: cache_access_log /usr/local/squid/logs/access.log

Example: cache_access_log /var/log/squid_access.log

Configure Outlook behind the Squid server


Normally Squid has no involvement in Outlook configuration, because Squid only works as a proxy server and does not let the other ports through. To open the ports on the gateway:

# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -m state --state NEW -p tcp --dport 25 -j ACCEPT
# iptables -A FORWARD -m state --state NEW -p tcp --dport 110 -j ACCEPT

If SSL is enabled in Outlook:

# iptables -A FORWARD -m state --state NEW -p tcp --dport 995 -j ACCEPT
# iptables -A FORWARD -m state --state NEW -p tcp --dport 587 -j ACCEPT

Also enable IP forwarding through the file /etc/sysctl.conf and run the sysctl -p command.

Transparent proxy (2nd Detail)

My Setup:
i) System: HP dual Xeon CPU system with 8 GB RAM (good for squid).
ii) eth0: IP 192.168.1.1
iii) eth1: IP 192.168.2.1 (192.168.2.0/24 network, around 150 Windows XP systems)
iv) OS: Red Hat Enterprise Linux 4.0 (the following instructions should work with Debian and all other Linux distros)

eth0 is connected to the internet and eth1 is connected to the local LAN, i.e. the system acts as a router.

Server Configuration

Step #1: Squid configuration so that it will act as a transparent proxy
Step #2: Iptables configuration
a) Configure system as router
b) Forward all http requests to 3128 (DNAT)
Step #3: Run scripts and start squid service

First, install Squid (use up2date squid) and configure it by adding the following directives to the file:

# vi /etc/squid/squid.conf

Modify or add the following squid directives:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan

Where:

httpd_accel_host virtual: Squid as an httpd accelerator
httpd_accel_port 80: 80 is the port you want to act as a proxy
httpd_accel_with_proxy on: Squid acts as both a local httpd accelerator and as a proxy
httpd_accel_uses_host_header on: use of the Host header (the hostname from the URL) is turned on
acl lan src 192.168.1.1 192.168.2.0/24: access control list; only allow LAN computers to use squid
http_access allow localhost: allow Squid access to the localhost ACL only
http_access allow lan: same as above, for the LAN ACL


Iptables configuration

Next, I added the following rules to forward all http requests (coming to port 80) to the Squid server port 3128:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Start or restart squid:

# /etc/init.d/squid restart
# chkconfig squid on

Desktop / Client computer configuration

Point all desktop clients to your eth1 IP address (192.168.2.1) as Router/Gateway (use DHCP to distribute this information). You do not have to set up individual browsers to work with proxies.

How do I test that my squid proxy is working correctly?

See the access log file /var/log/squid/access.log:

# tail -f /var/log/squid/access.log

Delay Pools

Another useful squid feature is delay pools. Conceptually, delay pools are bandwidth limitations - "pools" of bandwidth that drain out as people browse the Web, and fill up at a rate you specify - this can be thought of as a leaky bucket that is continually being filled.

Terms in delay pools:

Pool: a collection of bucket groups as appropriate to a given class.
Bucket group: a group of buckets within a pool, such as the per-host bucket group, the per-network bucket group or the aggregate bucket group (the aggregate bucket group is actually a single bucket).
Bucket: an individual delay bucket represents a traffic allocation, which is replenished at a given rate (up to a given limit) and causes traffic to be delayed when empty.
Classes: there are 3 classes of delay pools - class 1 is a single aggregate bucket, class 2 is an aggregate bucket with an individual bucket for each host in the class C, and class 3 is an aggregate bucket, with a network bucket (for each class B) and an individual bucket for each host.


Class: the class of a delay pool determines how the delay is applied, i.e. whether the different client IPs are treated separately or as a group (or both).
Class 1: a class 1 delay pool contains a single unified bucket, which is used for all requests from hosts subject to the pool.
Class 2: a class 2 delay pool contains one unified bucket and 255 buckets, one for each host on an 8-bit network.
Class 3: it contains 255 buckets for the subnets in a 16-bit network, and individual buckets for every host on these networks (IPv4 class B).

How can I limit Squid's total bandwidth to, say, 512 Kbps?
acl all src 0.0.0.0/0.0.0.0      # might already be defined
delay_pools 1
delay_class 1 1
delay_access 1 allow all
delay_parameters 1 64000/64000   # 512 kbits == 64 kbytes per second

For an explanation of these tags please see the configuration file. The 1 second buffer (max = restore = 64 kbytes/sec) is because a limit is requested, and no responsiveness to a burst is requested. If you want it to be able to respond to a burst, increase the aggregate maximum to a larger value, and traffic bursts will be handled. It is recommended that the maximum is at least twice the restore value - if there is only a single object being downloaded, sometimes the download rate will fall below the requested throughput as the bucket is not empty when it comes to be replenished.

How to limit a single connection to 128 Kbps?


You can not limit a single HTTP request's connection speed. You can limit individual hosts to some bandwidth rate. To limit a specific host, define an acl for that host and use the example above. To limit a group of hosts, then you must use a delay pool of class 2 or 3. For example:

acl only128kusers src 192.168.1.0/255.255.192.0
acl all src 0.0.0.0/0.0.0.0
delay_pools 1
delay_class 1 3
delay_access 1 allow only128kusers
delay_access 1 deny all
delay_parameters 1 64000/64000 -1/-1 16000/64000

To enable this, configure squid with the --enable-delay-pools option. To configure the number of delay pools, and specify which pool is which class, use the following format:

delay_pools 2        # 2 delay pools
delay_class 1 2      # pool 1 is a class 2 pool
delay_class 2 3      # pool 2 is a class 3 pool

To specify which pool a client falls into, create ACLs which specify the IP ranges for each pool, and use the following:

delay_access 1 allow pool_1_acl
delay_access 1 deny all
delay_access 2 allow pool_2_acl
delay_access 2 deny all

Setting the parameters for each pool is done by:

delay_parameters pool aggregate network individual

Where "aggregate" is the parameter for the aggregate bucket, "network" for the network bucket, and "individual" for the individual bucket. Aggregate is only useful for classes 1, 2 and 3, network for classes 2 and 3, and individual for class 3. Each of these parameters is specified as restore/maximum - restore being the bytes per second restored to the bucket, and maximum being the amount of bytes that can be in the bucket at any time. It is important to remember that they are in bytes per second, not bits. To specify that a parameter is unlimited, use a -1. If you wish to limit any parameter in bits per second, divide this amount by 8, and use the value for both the restore and the maximum. For example, to restrict the entire proxy to 64 kbps, use:

delay_parameters 1 8000/8000

It is also possible to specify how full the bucket starts:

delay_initial_bucket_level 50

Where the value is the percentage full.

Another example:

acl tech src 192.168.0.1/32-192.168.0.20/32
acl no_hotmail url_regex -i hotmail
acl all src 0.0.0.0/0
delay_pools 1                           # number of delay pools: 1
delay_class 1 1                         # pool 1 is a delay_class 1
delay_parameters 1 100/100
delay_access 1 allow no_hotmail !tech   # both ACLs in the same statement
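To make the restore/maximum arithmetic above concrete, here is an added example (not part of the book or of Squid) that converts kbps to the bytes/second Squid expects, renders delay_parameters lines for each class, and models one bucket second by second so the "maximum at least twice restore" advice can be seen. It assumes Squid's documented bucket order per class: class 1 aggregate; class 2 aggregate then individual; class 3 aggregate, network, then individual.

```python
"""Squid delay-pool helpers: unit conversion, delay_parameters rendering and a
one-second-tick model of a delay bucket.  Added example, not from the book;
it assumes Squid's documented delay_parameters layout (class 1: aggregate,
class 2: aggregate individual, class 3: aggregate network individual)."""

# Bucket order per delay_class, exactly as delay_parameters expects them.
BUCKETS_BY_CLASS = {
    1: ("aggregate",),
    2: ("aggregate", "individual"),
    3: ("aggregate", "network", "individual"),
}


def kbps_to_bytes_per_sec(kbps):
    """delay_parameters takes bytes/second, so kilobits/second is divided by 8."""
    return kbps * 1000 // 8


def delay_parameters(pool, delay_class, **limits):
    """Render a delay_parameters line.

    limits maps a bucket name to (restore, maximum) in bytes/second, or to
    None for an unlimited bucket, which Squid writes as -1/-1.  Buckets not
    mentioned are left unlimited; a bucket the class does not have is an error.
    """
    names = BUCKETS_BY_CLASS[delay_class]
    unknown = set(limits) - set(names)
    if unknown:
        raise ValueError(f"class {delay_class} has no {sorted(unknown)} bucket")
    fields = []
    for name in names:
        spec = limits.get(name)
        fields.append("-1/-1" if spec is None else f"{spec[0]}/{spec[1]}")
    return f"delay_parameters {pool} " + " ".join(fields)


def simulate_bucket(restore, maximum, demand, seconds, initial_pct=100):
    """Bytes a single bucket lets through per second for a client that wants
    `demand` bytes every second.  The bucket starts initial_pct percent full
    (delay_initial_bucket_level), is refilled by `restore` once per second up
    to `maximum`, and an empty bucket makes the client wait."""
    level = maximum * initial_pct // 100
    delivered = []
    for _ in range(seconds):
        level = min(maximum, level + restore)   # replenish, capped at maximum
        sent = min(level, demand)               # nothing left => client is delayed
        level -= sent
        delivered.append(sent)
    return delivered


if __name__ == "__main__":
    rate = kbps_to_bytes_per_sec(512)                       # 64000 bytes/s
    print(delay_parameters(1, 1, aggregate=(rate, rate)))   # the 512 Kbps example
    print(delay_parameters(1, 3, aggregate=(64000, 64000), individual=(16000, 64000)))
    # maximum == restore: a 100 KB/s burst is capped at the line rate from second one
    print(simulate_bucket(64000, 64000, 100000, 3))
    # maximum == 2 * restore: the first seconds absorb the burst
    print(simulate_bucket(64000, 128000, 100000, 3))
```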

Monitor sites access through squid


To see how the squid daemon is working, view the access.log file in real time:

[root@linuxbox root]# tail -f /var/log/squid/access.log
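Watching tail -f shows individual requests; for a quick picture of who is using the proxy and who is being denied, here is an added example (not from the book) that parses Squid's native access.log format (the one written when emulate_httpd_log is off) and summarises it. The log lines are constructed and use documentation IP ranges.

```python
"""Summarise Squid's native access.log.  Added example, not from the book;
SAMPLE_LOG is constructed."""
import re
from collections import Counter, defaultdict

# Native format: time elapsed client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$"
)

SAMPLE_LOG = """\
1255000000.123    245 192.168.2.10 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.80 text/html
1255000001.456     12 192.168.2.10 TCP_HIT/200 2048 GET http://www.example.com/logo.png - NONE/- image/png
1255000002.789      3 192.168.2.55 TCP_DENIED/403 1419 GET http://www.example.net/ - NONE/- text/html
1255000003.012    980 192.168.2.20 TCP_MISS/200 10240 CONNECT mail.example.org:443 - DIRECT/203.0.113.25 -
"""


def parse_line(line):
    """Fields of one native-format line as a dict, or None if the line does
    not match (for example a partially written last line)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "bytes", "status"):
        rec[key] = int(rec[key])
    rec["ts"] = float(rec["ts"])
    return rec


def summarize(text):
    """Per-client byte totals, per-client TCP_DENIED counts and the cache hit
    ratio (fraction of parsed requests whose result code contains HIT)."""
    bytes_by_client = defaultdict(int)
    denied_by_client = Counter()
    hits = total = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        bytes_by_client[rec["client"]] += rec["bytes"]
        if rec["code"] == "TCP_DENIED":
            denied_by_client[rec["client"]] += 1
        if "HIT" in rec["code"]:
            hits += 1
    return {
        "bytes_by_client": dict(bytes_by_client),
        "denied_by_client": dict(denied_by_client),
        "hit_ratio": hits / total if total else 0.0,
        "requests": total,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for client, nbytes in sorted(report["bytes_by_client"].items(), key=lambda kv: -kv[1]):
        denied = report["denied_by_client"].get(client, 0)
        print(f"{client:16} {nbytes:>8} bytes  denied={denied}")
    print(f"hit ratio: {report['hit_ratio']:.2f} over {report['requests']} requests")
```

Feed it the real file with summarize(open("/var/log/squid/access.log").read()); a client with a high denied count is worth a look at the http_access rules it keeps tripping.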

Verify the Squid file error


# squid -k check


Linux Mail Server

Package: sendmail, sendmail-cf, m4
Service: sendmail
Configuration file: /etc/mail/sendmail.mc

How to Restart Sendmail after Editing Your Configuration Files

In this chapter, you'll see that sendmail uses a variety of configuration files that require different treatments for their commands to take effect. This little script encapsulates all the required post-configuration steps:

#!/bin/bash
cd /etc/mail
make
newaliases
/etc/init.d/sendmail restart

Use this command to make the script executable:

chmod 700 filename

It first runs the make command, which creates a new sendmail.cf file from the sendmail.mc file and compiles supporting configuration files in the /etc/mail directory according to the instructions in the file /etc/mail/Makefile. It then generates new e-mail aliases with the newaliases command, and then restarts the sendmail service.

How to Put Comments in sendmail.mc

In most Linux configuration files a # symbol at the beginning of a line converts it into a comment line or deactivates any commands that may reside on that line. In the sendmail.mc file, "dnl" is used as the comment syntax. Examples below.

These statements are disabled by dnl commenting:

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

This statement is incorrectly disabled:



# DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

This statement is active:


DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

How to Configure Linux Sendmail Clients


All Linux mail clients in your home or company need to know which server is the mail server. This is configured in the sendmail.mc file by setting the SMART_HOST statement to include the mail server. In the example below, the mail server has been set to mail.my-site.com, the mail server for the my-site.com domain.
define(`SMART_HOST',`mail.my-site.com')

Once this is done, you need to process the sendmail.mc file and restart sendmail. To do this, run the restart script from earlier. If the sendmail server is a Linux server, then its /etc/hosts file will also have to be correctly configured.

Converting From a Mail Client to a Mail Server


All Linux systems have a virtual loopback interface that lives only in memory with an IP address of 127.0.0.1. As mail must be sent to a target IP address even when there is no NIC in the box, sendmail therefore uses the loopback address to send mail between users on the same Linux server. To become a mail server, and not a mail client, sendmail needs to be configured to listen for messages on NIC interfaces as well. 1) Determine which NICs sendmail is running on. You can see the interfaces on which sendmail is listening with the netstat command. Because sendmail listens on TCP port 25, you use netstat and grep for 25 to see a default configuration listening only on IP address 127.0.0.1 (loopback):
[root@bigboy tmp]# netstat -an | grep :25
tcp        0      0 127.0.0.1:25        0.0.0.0:*      LISTEN
[root@bigboy tmp]#


2) Edit sendmail.mc to make sendmail listen on all interfaces. If sendmail is listening on the loopback interface only, you should comment out the DAEMON_OPTIONS line in the /etc/mail/sendmail.mc file with dnl statements. It is also good practice to take precautions against spam by not accepting mail from domains that don't exist by commenting out the accept_unresolvable_domains feature too. See the fourth and next to last lines in the example.
dnl
dnl This changes sendmail to only listen on the loopback
dnl device 127.0.0.1 and not on any other network
dnl devices. Comment this out if you want
dnl to accept email over the network.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl
...
...
...
dnl
dnl We strongly recommend to comment this one out if you want
dnl to protect yourself from spam. However, the laptop and
dnl users on computers that do
dnl not have 24x7 DNS do need this.
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
dnl

3) Comment out the SMART_HOST entry in sendmail.mc. The mail server doesn't need a SMART_HOST entry in its sendmail.mc file. Comment this out with a dnl at the beginning:

dnl define(`SMART_HOST',`mail.my-site.com')

4) Regenerate the sendmail.cf file, and restart sendmail. Again, you can do this with the restart script from the beginning of the chapter.

5) Make sure sendmail is listening on all interfaces (0.0.0.0).

[root@bigboy tmp]# netstat -an | grep :25 | grep tcp
tcp        0      0 0.0.0.0:25          0.0.0.0:*      LISTEN
[root@bigboy tmp]#


Relay the domains


The /etc/mail/access File
You can make sure that only trusted PCs on your network have the ability to relay mail via your mail server by using the /etc/mail/access file. That is to say, the mail server will relay mail only for those PCs on your network that have their e-mail clients configured to use the mail server as their outgoing SMTP mail server.
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
192.168.1.16            RELAY
192.168.1.17            RELAY
192.168.2               RELAY
my-site.com             RELAY
jd.com                  RELAY
mail.jd.com             RELAY

Add Domains for Email services


The /etc/mail/local-host-names File
When sendmail receives mail, it needs a way of determining whether it is responsible for the mail it receives. It uses the /etc/mail/local-host-names file to do this. This file has a list of hostnames and domains for which sendmail accepts responsibility. For example, if this mail server was to accept mail for the domains my-site.com and another-site then the file would look like this:
my-site.com
asiancitizen.org
jd.com

Which User Should Really Receive The Mail?


After checking the contents of the virtusertable, sendmail checks the aliases files to determine the ultimate recipient of mail.

The /etc/mail/virtusertable file


The /etc/mail/virtusertable file contains a set of simple instructions on what to do with received mail. The first column lists the target email address and the second column lists the local user's mail box, a remote email address, or a mailing list entry in the /etc/aliases file to which the email should be forwarded.

If there is no match in the virtusertable file, sendmail checks for the full email address in the /etc/aliases file.
webmaster@jd.com        webmasters
@asiancitizen.org       javed
sales@my-site.com       sales@jd.com
info@my-site.com        dogar
finance@my-site.com     dogar
@my-site.com            error:nouser User unknown

In this example, mail sent to webmaster@jd.com will go to the local user (or mailing list) webmasters; all other mail to asiancitizen.org will go to local user javed; sales email at my-site.com will go to the sales department at jd.com; info and finance at my-site.com go to the local user (or mailing list) dogar; all other users at my-site.com receive a bounce message stating "User unknown". After editing the /etc/mail/virtusertable file, you have to convert it into a sendmail-readable database file named /etc/mail/virtusertable.db. Restart the sendmail service or execute these two commands:

[root@bigboy tmp]# cd /etc/mail
[root@bigboy mail]# make
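To check a virtusertable before running make, here is an added example (not from the book or from sendmail) that walks an address through the lookup order described above: the full address first, then the @domain catch-all, and a local result expanded through /etc/aliases. It uses the page's virtusertable together with a constructed /etc/aliases, and it reports a rewritten remote address as final rather than re-running the lookup on it.

```python
"""Trace where sendmail delivers a message given a virtusertable and an
/etc/aliases file.  Added example, not from the book; ALIASES is constructed
and VIRTUSERTABLE is the page's own example."""

VIRTUSERTABLE = """\
webmaster@jd.com       webmasters
@asiancitizen.org      javed
sales@my-site.com      sales@jd.com
info@my-site.com       dogar
finance@my-site.com    dogar
@my-site.com           error:nouser User unknown
"""

ALIASES = """\
# constructed /etc/aliases
webmasters: alice, bob
bob: robert
"""


def parse_virtusertable(text):
    """Key is an address or @domain; value is the rest of the line (it may
    contain spaces, as the error:nouser entry does)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            table[key] = value
    return table


def parse_aliases(text):
    """'name: target, target, ...' -> {name: [targets]}"""
    aliases = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, targets = line.partition(":")
            aliases[name.strip()] = [t.strip() for t in targets.split(",") if t.strip()]
    return aliases


def virtuser_lookup(table, address):
    """sendmail's order: the exact address first, then the @domain entry."""
    if address in table:
        return table[address]
    return table.get("@" + address.rsplit("@", 1)[-1])


def expand_alias(name, aliases, seen=frozenset()):
    """Recursively expand a local name through aliases.  A name with no alias
    is a final local mailbox; an alias loop yields nothing."""
    if name in seen:
        return set()
    if name not in aliases:
        return {name}
    out = set()
    for target in aliases[name]:
        out |= {target} if "@" in target else expand_alias(target, aliases, seen | {name})
    return out


def resolve(address, table, aliases):
    """Final recipients for `address`, or a single error:... string for a bounce."""
    target = virtuser_lookup(table, address)
    if target is None:
        # No virtusertable match: sendmail tries the full address in aliases.
        return expand_alias(address, aliases)
    if target.startswith("error:") or "@" in target:
        return {target}     # bounce, or hand-off to a remote address
    return expand_alias(target, aliases)


if __name__ == "__main__":
    table, aliases = parse_virtusertable(VIRTUSERTABLE), parse_aliases(ALIASES)
    for addr in ("webmaster@jd.com", "anyone@asiancitizen.org", "sales@my-site.com",
                 "finance@my-site.com", "nobody@my-site.com", "root@elsewhere.test"):
        print(f"{addr:26} -> {sorted(resolve(addr, table, aliases))}")
```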


VNC Server
VNC, or Virtual Network Computing, is a way of controlling a remote computer just as though you are sitting in front of it. In the Windows world it is also known as remote desktop, but it's normally referred to as VNC in the Linux world. All that happens is that you connect using a VNC client to a remote computer running the VNC server; an image of the remote desktop is then transmitted to your local computer and you can see and control the desktop just as though you are there, since all keyboard and mouse commands are sent from your client machine to the server.

vncserver and vncviewer

Check what's installed

First check if you already have them installed on your system; open a terminal and type:

$ rpm -qa | grep vnc
vnc-server-4.1.1-36
vnc-4.1.1-36

If you get output something like this then you're all ready; if not, you need to install them.

Add a user(s)

Next we need to add at least 1 VNC user. Open the file /etc/sysconfig/vncservers as root and add the information shown:

$ vi /etc/sysconfig/vncservers
# The VNCSERVERS variable is a list of display:user pairs.
#
# Uncomment the lines below to start a VNC server on display :2
# as my 'myusername' (adjust this to your own).  You will also
# need to set a VNC password; run 'man vncpasswd' to see how
# to do that.
#
# DO NOT RUN THIS SERVICE if your local area network is
# untrusted!  For a secure way of using VNC, see
# <URL:http://www.uk.research.att.com/archive/vnc/sshvnc.html>.

# Use "-nolisten tcp" to prevent X connections to your VNC server via TCP.
# Use "-nohttpd" to prevent web-based VNC clients connecting.
# Use "-localhost" to prevent remote VNC clients connecting except when
# doing so through a secure tunnel.  See the "-via" option in the
# `man vncviewer' manual page.

VNCSERVERS="1:bobpeers"
VNCSERVERARGS[1]="-geometry 1024x768 -depth 16"



Setting a password To add some security we need to add a password that must be given before a connection can be established, open a terminal and type:
$ vncpasswd
Password:
Verify:

This creates a hidden folder called .vnc in your home folder containing the password file.

Create the .vnc directory in the user's home directory

$ vncserver haseeb

If the .vnc directory has not been created in the user's home folder then run the above command.

Starting the server and startup options

To start the server we type the command 'vncserver' and the session you wish to start (if you have set up more than 1 entry in the /etc/sysconfig/vncservers file):

$ vncserver :1
Starting VNC server: 1:bobpeers
New 'linux.bobpeers:1 (bobpeers)' desktop is linux.bobpeers:1

Starting applications specified in /home/bobuser/.vnc/xstartup
Log file is /home/bobuser/.vnc/linux.bobpeers:1.log
                                                           [  OK  ]

Now the server is started and a user could connect; however, they will get a plain grey desktop by default, as the connection will not cause a new session of X to start. To fix this we need to edit the startup script in the .vnc folder in your home directory.

$ vi ~/.vnc/xstartup
#!/bin/sh

# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &

As the file says, make sure the two lines at the top are uncommented by removing the leading # sign. Next we need to restart vncserver to pick up the changes we just made. To restart the vncserver we need to kill the process and start a new one as root:

$ vncserver -kill :1
Killing Xvnc process ID 13728
$ vncserver :1
Starting VNC server: 1:bobpeers
New 'linux.bobpeers:1 (bobpeers)' desktop is linux.bobpeers:1

Starting applications specified in /home/bobuser/.vnc/xstartup
Log file is /home/bobuser/.vnc/linux.bobpeers:1.log
                                                           [  OK  ]

Using vncviewer

To start the viewer type:

$ vncviewer localhost:5901

This opens a dialog for us to enter the password we set earlier; enter the password and you should now see a copy of your desktop. Note that unlike the Gnome Remote Desktop this has started a new session of X, so any applications open on the host machine are not visible to the new session; it's basically a whole new logon running at the same time. If you just type 'vncviewer' at the prompt then you will be asked for the host to connect to, and you can type localhost:5901 for example. Remember to use the correct port number when connecting: if you set your VNCSERVERS to be 2000:myname then you would need to connect on localhost:7900.

Stopping the vncserver

There are two ways to stop the server. Either as root:

$ /sbin/service vncserver stop
Shutting down VNC server: 1:bobpeers                       [  OK  ]

or you can explicitly kill a particular session without being root:

$ vncserver -kill :1
Killing Xvnc process ID 13728

Just replace the 1 with the vnc session you wish to stop.

Access from a Windows platform

Access it through a VNC viewer using an address like 172.16.160.199:2 (2 means the 2nd user defined in the /etc/sysconfig/vncservers file).


Email Server Postfix

Postfix is faster and easier to configure than Sendmail, reliable and scalable.

Package: postfix
Service: postfix
Configuration file: /etc/postfix/main.cf

Daemon name: master, which runs in the background to control the Postfix services.

# ps aux | grep master
# netstat -ant | grep 25

Note:

With the default postfix settings the service fails to start if the localhost entry is missing; please keep this in mind while working on it.

Default Setting

By default postfix will listen for requests only from localhost. Verify it through this command:

# netstat -ant | grep 25

Change Setting

1. Disable inet_interfaces = localhost and enable inet_interfaces = all.
2. Add a domain like asiancitizen.org:
a. mydestination = $myhostname, jd.com, asiancitizen.org
i. You can add more than one domain; all messages for these hosted domains are delivered locally.

Important: if both the sendmail and postfix servers are running on a machine then choose one to be active.

Package: system-switch-mail....rpm, system-switch-mail-gnome...rpm

# system-switch-mail
# system-switch-mail-nox

Mail forwarding

1. To forward email from a hosted domain (jd.com) to another user or another domain (javed_dogar@hotmail.com), add the address in the following file:
a. /etc/aliases

javed: javed_dogar@hotmail.com, sales@jd.com, haseeb

Detail: here javed is a user of the hosted domain jd.com; mail for javed@jd.com will be forwarded to the hotmail address, sales and haseeb.

2. We can forward a whole domain's email to one or more persons, and also forward one address's email to one or many persons. Add this line in /etc/postfix/main.cf (do not add a space before this line):

virtual_alias_maps = hash:/etc/postfix/virtual

Edit the following file for mail forwarding: /etc/postfix/virtual

Detail: all emails for hamid@jd.com will be forwarded to javed, ali and asad of the local domain, and emails for amjad@jd.com will be forwarded to haseeb, javed and the hotmail address. All emails of domain jd.com will be forwarded to asad.

Virtual Domain hosting


Some providers host domains that have no (or only a few) local mailboxes. The main purpose of these domains is to forward mail elsewhere. The following example shows how to set up example.com as a mail forwarding domain:
 1 /etc/postfix/main.cf:
 2     virtual_alias_domains = example.com ...other hosted domains...
 3     virtual_alias_maps = hash:/etc/postfix/virtual
 4
 5 /etc/postfix/virtual:
 6     postmaster@example.com postmaster
 7     joe@example.com        joe@somewhere
 8     jane@example.com       jane@somewhere-else
 9     # Uncomment entry below to implement a catch-all address
10     # @example.com         jim@yet-another-site
11     ...virtual aliases for more domains...

Notes:

Line 2: The virtual_alias_domains setting tells Postfix that example.com is a so-called virtual alias domain. If you omit this setting then Postfix will reject mail (relay access denied) or will not be able to deliver it (mail for example.com loops back to myself). NEVER list a virtual alias domain name as a mydestination domain!

Lines 3-11: The /etc/postfix/virtual file contains the virtual aliases. With the example above, mail for postmaster@example.com goes to the local postmaster, while mail for joe@example.com goes to the remote address joe@somewhere, and mail for jane@example.com goes to the remote address jane@somewhere-else. Mail for all other addresses in example.com is rejected with the error message "User unknown".

Line 10: The commented out entry (text after #) shows how one would implement a catch-all virtual alias that receives mail for every example.com address not listed in the virtual alias file. This is not without risk. Spammers nowadays try to send mail from (or mail to) every possible name that they can think of. A catch-all mailbox is likely to receive many spam messages, and many bounces for spam messages that were sent in the name of anything@example.com.

As simple as can be: shared domains, UNIX system accounts


The simplest method to host an additional domain is to add the domain name to the domains listed in the Postfix mydestination configuration parameter, and to add the user names to the UNIX password file. More domains can be configured on a single postfix server this way, with the same users receiving mail in the different domains. This approach makes no distinction between canonical and hosted domains. Each username can receive mail in every domain. In the examples we will use "example.com" as the domain that is being hosted on the local Postfix machine.

/etc/postfix/main.cf:
mydestination = $myhostname localhost.$mydomain ... example.com

The limitations of this approach are:


A total lack of separation: mail for info@my.host.name is delivered to the same UNIX system account as mail for info@example.com.

With users in the UNIX password file, administration of large numbers of users becomes inconvenient.
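The two ways of hosting a domain above (virtual_alias_domains, and mydestination with UNIX accounts) must not overlap, and a domain used in /etc/postfix/virtual must be declared one way or the other, or Postfix rejects its mail. Here is an added example (not from the book or from Postfix) that parses a main.cf, expands $name references the way postconf does, and reports both mistakes; the main.cf and virtual file are constructed.

```python
"""Check a Postfix main.cf for a domain listed both in mydestination and
virtual_alias_domains, and for /etc/postfix/virtual keys whose domain is
declared in neither.  Added example, not from the book or from Postfix;
MAIN_CF and VIRTUAL are constructed."""
import re

MAIN_CF = """\
# constructed main.cf
myhostname = mail.jd.com
mydomain = jd.com
mydestination = $myhostname, localhost.$mydomain, localhost,
    jd.com, asiancitizen.org, example.com
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual
"""

VIRTUAL = """\
postmaster@example.com   postmaster
joe@example.com          joe@somewhere.test
jane@other.test          jane@elsewhere.test
"""


def parse_main_cf(text):
    """main.cf is 'name = value'; a line starting with whitespace continues
    the previous value and '#' starts a comment line."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name and ${name} references recursively, as postconf does."""
    if depth > 10:
        raise ValueError("parameter reference loop")
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: expand(params.get(m.group(1), ""), params, depth + 1),
                  value)


def domain_list(params, name):
    """The expanded, comma/whitespace separated list held by parameter `name`."""
    return [d for d in re.split(r"[\s,]+", expand(params.get(name, ""), params)) if d]


def conflicting_domains(params):
    """Domains that are both a mydestination domain and a virtual alias domain."""
    return sorted(set(domain_list(params, "mydestination"))
                  & set(domain_list(params, "virtual_alias_domains")))


def unlisted_virtual_domains(params, virtual_text):
    """Domains used as keys in the virtual file that Postfix is not told to
    accept (mail for them is rejected with 'relay access denied')."""
    accepted = {d.lower() for d in domain_list(params, "mydestination")
                + domain_list(params, "virtual_alias_domains")}
    seen = set()
    for raw in virtual_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key = line.split(None, 1)[0]
            if "@" in key:
                seen.add(key.rsplit("@", 1)[1].lower())
    return sorted(seen - accepted)


if __name__ == "__main__":
    params = parse_main_cf(MAIN_CF)
    print("mydestination expands to:", domain_list(params, "mydestination"))
    print("in both lists (remove from mydestination):", conflicting_domains(params))
    print("virtual keys with no accepting domain:", unlisted_virtual_domains(params, VIRTUAL))
```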


Mailbox and Message Size


# postconf mailbox_size_limit

Output:
mailbox_size_limit = 51200000

51200000 bytes is default mailbox size limit.

Display the default maximum size in bytes of a message


Type the following command:
# postconf message_size_limit

Output:
message_size_limit = 10240000

Setup new mailbox size limit


# vi /etc/postfix/main.cf

Add/modify/set values as follows:


mailbox_size_limit = 30000000
message_size_limit = 10240000

Save and restart postfix mail server:


# /etc/init.d/postfix restart

Increasing squirrelmail maximum attachment size


It is very natural that users may some day want to upload files that are bigger than squirrelmail's default 2 MB limit. To increase the upload limit, do the following:

1. Locate your php.ini, e.g. /etc/php.ini.
2. Open the file in some editor.
3. Search for upload_max_filesize.
4. Change 2M to something else, for example 5M.
5. If upload_max_filesize is larger than post_max_size, you must increase post_max_size so that it is bigger than upload_max_filesize.
6. If the value of post_max_size is larger than memory_limit, you must increase memory_limit so that it is larger than post_max_size.
7. Save your changes to the file.
8. Restart your apache web server.
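Steps 5 and 6 describe an ordering that is easy to get wrong because php.ini sizes are written in shorthand (2M, 512K). Here is an added example (not from the book) that parses that shorthand and checks upload_max_filesize < post_max_size < memory_limit; the php.ini excerpt is constructed and the fallback defaults are an assumption taken from PHP's stock php.ini.

```python
"""Check the php.ini size chain the squirrelmail steps require.
Added example, not from the book; PHP_INI is constructed."""
import re

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
# Assumed fallbacks (PHP's stock php.ini) for directives the file does not set.
_DEFAULTS = {"upload_max_filesize": "2M", "post_max_size": "8M", "memory_limit": "128M"}

PHP_INI = """\
[PHP]
; constructed excerpt
memory_limit = 128M
post_max_size = 8M
upload_max_filesize = 2M     ; stock squirrelmail ceiling
"""


def php_size_to_bytes(value):
    """'2M' -> 2097152.  PHP keys off the trailing letter, case-insensitively;
    a negative value (memory_limit = -1) means unlimited."""
    m = re.fullmatch(r"\s*(-?\d+)\s*([kmgKMG]?)\s*", value)
    if not m:
        raise ValueError(f"unparseable php.ini size: {value!r}")
    number, unit = int(m.group(1)), m.group(2).lower()
    return float("inf") if number < 0 else number * _UNITS[unit]


def parse_php_ini(text):
    """'key = value' pairs; ';' starts a comment and [sections] are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings


def check_upload_chain(settings):
    """Problems with the three directives, in the order the steps fix them.
    The comparison is strict: equal values leave no room for form overhead."""
    sizes = {k: php_size_to_bytes(settings.get(k, v)) for k, v in _DEFAULTS.items()}
    problems = []
    if sizes["upload_max_filesize"] >= sizes["post_max_size"]:
        problems.append("post_max_size must be larger than upload_max_filesize")
    if sizes["post_max_size"] >= sizes["memory_limit"]:
        problems.append("memory_limit must be larger than post_max_size")
    return problems


if __name__ == "__main__":
    settings = parse_php_ini(PHP_INI)
    print("as shipped:", check_upload_chain(settings) or "ok")
    settings["upload_max_filesize"] = "10M"     # step 4 done, step 5 forgotten
    print("after raising only upload_max_filesize:", check_upload_chain(settings))
```

Run it against the real file with check_upload_chain(parse_php_ini(open("/etc/php.ini").read())) before restarting apache.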

You must change the values of these directives:

post_max_size
memory_limit
upload_max_filesize

and enjoy using squirrelmail.

# postconf | grep always_bcc

Use this if we want a given address to receive a carbon copy of all emails sent by postfix.

Postfix message size limit not working

Question: Running RHEL 3. Postfix is not recognizing message size limits. I cannot send or receive any mail that is 7mb or larger. According to my postfix settings I should be able to send and receive at 10mb. What the heck is going on?

[root@mail1 XXXXX]# /usr/sbin/postconf | grep size
berkeley_db_create_buffer_size = 16777216
berkeley_db_read_buffer_size = 131072
body_checks_size_limit = 12288
bounce_size_limit = 50000
header_size_limit = 102400
mailbox_size_limit = 10240000
message_size_limit = 10240000
[root@mail1 XXXXX]#

Below is what I get with an 8mb attachment:

log file
----------------------
Jun 23 13:30:24 mail1 postfix/cleanup[28104]: warning: DC7908CA12: queue file size limit exceeded

Delivery Status Notification
----------------------
Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 13): 552 Error: message too large

Email Auto reply with Vacation Tool

Package: vacation

Vacation automatically replies to incoming emails. The reply is contained in the file .vacation.msg in the user's home directory. Vacation doesn't come included as standard with most Linux distros. You can get the rpm at http://www.tuxfan.homeip.net:8080/rpms/vacation-1.2.6-1.i386.rpm

Log in as the required user, e.g. su javed. Run the vacation command without the -I switch (interactive mode):

$ vacation

It will automatically create the .forward and .vacation.msg files. Edit the msg file as required. Now run this command to activate the changes:

$ vacation -I

By default it auto-replies to each sender once a week. For further detail see man vacation.

CREATED BY VISHVENDRA SINGH CHUAHAN
