Wednesday, December 29, 2010

Installing Honeyd 1.5c And Arpd 0.2 Under CentOS 5 (With gcc 4.x)

Honeyd (Virtual Honeypot).
Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems.

Introduction
Traditionally, information security has been primarily defensive. Firewalls, Intrusion Detection Systems, encryption; all of these mechanisms are used defensively to protect one's resources. The strategy is to defend one's organization as well as possible, detect any failures in the defense, and then react to those failures. The problem with this approach is that it is purely defensive: the enemy has the initiative. In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.

This tutorial shows how you can compile and install honeyd 1.5c on CentOS 5.5 server. I do not issue any guarantee that this will work for you!

Preliminary Note
In this tutorial I will use the following hosts:
* Host Server : 192.168.245.128
* Virtual Honeypot 1 : 192.168.245.200
* Virtual Honeypot 2 : 192.168.245.201

Here's a little diagram that shows our setup:

Host IP=192.168.245.128
          192.168.245.200   192.168.245.201
-----------------+-----------------+--------
                 |                 |
             +---+---+         +---+---+
             |  hp1  |         |  hp2  |
             +-------+         +-------+
              Virtual           Virtual
              Honeypot1         Honeypot2

Preparation
You need to remove the libdnet and libevent packages, otherwise you won't be able to compile honeyd (see note):
yum remove libevent libevent-devel libdnet libdnet-devel
yum install autoconf gcc python-devel

Download required packages
You need to download a few packages before installing honeyd.

cd /tmp
wget http://monkey.org/~provos/libevent-1.3a.tar.gz
wget http://space.dl.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz
wget http://www.citi.umich.edu/u/provos/honeyd/arpd-0.2.tar.gz

Install required packages
cd /tmp
tar -xvf libevent-1.3a.tar.gz
cd libevent-1.3a
./configure
make
make install

cd /tmp
tar -xvf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure
make
make install


Download Arpd updated packages
For arpd-0.2 to compile under gcc 4.0.0 the file arpd.c must be modified. Replace it with the one from the Iran Honeynet Project web site, then compile and install.


cd /tmp
tar -xvf arpd-0.2.tar.gz
cd arpd
wget http://www.honeynet.ir/software/honeyd/arpd.c
./configure
make
make install

Run arpd

Arpd is a daemon that listens to ARP requests and answers for IP addresses that are unallocated. Using Arpd in conjunction with Honeyd, it is possible to populate the unallocated address space in a production network with virtual honeypots.
/usr/local/sbin/arpd '192.168.245.200-192.168.245.201'

Install Honeyd 1.5c

cd /tmp
wget http://www.honeyd.org/uploads/honeyd-1.5c.tar.gz
tar -xvf honeyd-1.5c.tar.gz
cd honeyd-1.5c
./configure
make
make install

Configure Honeyd

cd /usr/local/share/honeyd
cp -v config.ethernet honeyd.conf
vi honeyd.conf

Some configuration examples that outline the available features can be found on the Honeyd.org web site.

This is sample configuration:

create default
set default default tcp action block
set default default udp action block
set default default icmp action block
create honeypot-template
set honeypot-template ethernet "00:22:FA:cc:dd:ee"
set honeypot-template personality "Microsoft Windows XP SP2"
set honeypot-template uptime 1234567
set honeypot-template default tcp action reset
set honeypot-template default udp action reset
set honeypot-template default icmp action open
add honeypot-template tcp port 135 open
add honeypot-template tcp port 139 open
add honeypot-template tcp port 445 open
add honeypot-template tcp port 3389 block
add honeypot-template tcp port 53 proxy 8.8.8.8:53
bind 192.168.245.200 honeypot-template
bind 192.168.245.201 honeypot-template



Important Note: The IP Addresses should be in the same network segment with the hosting machine, or you should modify the routing table of your router to allow the packets destined to those IP Addresses to reach your honeyd hosting computer.


Configure Linux firewall
Modify the rules of your firewall to accept packets for the IP Addresses defined in the honeyd's configuration file. You should have something like this:

$IPTABLES -A INPUT -d 192.168.245.200 -j ACCEPT
$IPTABLES -A INPUT -d 192.168.245.201 -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Run Honeyd
/usr/local/bin/honeyd -d -f /usr/local/share/honeyd/honeyd.conf -p /usr/local/share/honeyd/nmap.prints -x /usr/local/share/honeyd/xprobe2.conf -a /usr/local/share/honeyd/nmap.assoc --disable-webserver '192.168.245.200-192.168.245.201'

Test Honeyd
Run this test only from an IP address outside the host machine.
nmap -T4 -A -v 192.168.245.200

Reference URL: http://howtoforge.com/installing-honeyd-1.5c-and-arpd-0.2-under-centos-5-with-gcc-4.x

Monday, December 20, 2010

Centralized Backup Server With Amanda On CentOS


This document describes how to set up a centralized network backup with Amanda. We will use virtual tape to store the backup.
In my environment, I have 2 Linux servers that I want to back up.
192.168.20.200 (Alpha) : /home/kulathep
192.168.20.201 (Beta) : /data and /var
I am going to build a new server with Amanda as a centralized backup server.
192.168.20.202 (Gamma)

Setup Server (Gamma)

1. Install Amanda with yum:

yum -y install amanda*

2. Edit Amanda conf in xinetd.d:

vi /etc/xinetd.d/amanda
vi /etc/xinetd.d/amandaidx
vi /etc/xinetd.d/amidxtape


Change Disable = yes to Disable = no.
3. Copy Amanda conf files:

cp -r /etc/amanda/DailySet1 /etc/amanda/intra

4. Edit amanda.conf:

vi /etc/amanda/intra/amanda.conf

org "Configuration name"
mailto "email"
netusage 600 Kbps
dumpcycle 2 weeks
runspercycle 10
tapecycle 15 tapes
#tpchanger "chg-manual"
tpchanger "chg-disk"
changerfile "/etc/amanda/intra/changer"
#tapedev "null:"
tapedev "file:/backup/intra/slots"
#tapetype HP-DAT
#labelstr "^DailySet1-[0-9][0-9]*$"
tapetype HARDDISK
define tapetype HARDDISK {
comment "Backup to Virtual Tape"
length 3072 mbytes # each tape is 3 Gigs
}
# amrecover_changer "null:"
amrecover_changer "changer"
#infofile "/etc/amanda/DailySet1/curinfo" # database DIRECTORY
#logdir "/etc/amanda/DailySet1" # log directory
#indexdir "/etc/amanda/DailySet1/index" # index directory
infofile "/var/log/amanda/intra/curinfo" # database DIRECTORY
logdir "/var/log/amanda/intra" # log directory
indexdir "/var/log/amanda/intra/index" # index directory


With this configuration, Amanda will do a full backup every 2 weeks, and an incremental backup every week day. The backup will be stored and rotated on 15 virtual tapes.
5. Edit disklist (tell Amanda which servers, directory to backup, what dumptype to use).

vi /etc/amanda/intra/disklist

Remove every line, including "localhost /etc comp-root-tar", at the end of the file, and add:

alpha /home/kulathep comp-user-tar
beta /data comp-user-tar
beta /var comp-user-tar

Note: See amanda.conf for the dumptype.

6. Edit hosts file:

vi /etc/hosts

192.168.20.200 alpha
192.168.20.201 beta

7. Create backup directory (we will store the backup here):

mkdir -p -m 770 /backup/intra/slots
chown -R amanda:disk /backup

8. Create tape list:

touch /etc/amanda/intra/tapelist
chown -R amanda:disk /etc/amanda/intra

9. Create slots (virtual tapes):

su - amanda
cd /backup/intra/slots
for ((i=1; $i<=15; i++)); do mkdir slot$i; done
ln -s slot1 data

10. Test virtual tapes:

/usr/sbin/ammt -f file:/backup/intra/slots status

11. Label the virtual tapes:

for ((i=1; $i<=15; i++)); do /usr/sbin/amlabel intra intra-$i slot $i; done

12. Reset the tape:

/usr/sbin/amtape intra reset

13. Edit .amandahosts to allow communications from clients:

vi /var/lib/amanda/.amandahosts

alpha amanda
beta amanda
gamma amanda

14. Start xinetd service:

su -
service xinetd start

15. Check amanda process:

lsof | grep amanda
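Two values in this setup are easy to get wrong silently: tapecycle versus runspercycle in step 4 (Amanda needs more tapes than runs per cycle, otherwise a run in the next cycle can overwrite the tape holding the only full dump of a disk, a configuration Amanda itself rejects), and the number of slot directories created by hand in step 9, which must match tapecycle or amdump runs out of "tapes" after the labels from step 11 are used up. The script below checks both. It is an added example, not from the tutorial or from Amanda; the config excerpt is built from the page's values and the function names are mine.

```shell
#!/bin/sh
# Constructed excerpt of the tutorial's amanda.conf (values as on the page).
AMANDA_CONF='org "intra"
dumpcycle 2 weeks
runspercycle 10
tapecycle 15 tapes
tpchanger "chg-disk"
changerfile "/etc/amanda/intra/changer"
tapedev "file:/backup/intra/slots"
tapetype HARDDISK'

# conf_value CONF KEY -> first token after KEY (e.g. 15 for "tapecycle 15 tapes")
conf_value() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# vtape_dir CONF -> directory named by tapedev "file:/..." with quotes and prefix stripped
vtape_dir() {
    printf '%s\n' "$1" | awk '$1 == "tapedev" { gsub(/"/, "", $2); sub(/^file:/, "", $2); print $2; exit }'
}

# check_cycle CONF -> exit 0 if tapecycle > runspercycle
check_cycle() {
    tc=$(conf_value "$1" tapecycle); rpc=$(conf_value "$1" runspercycle)
    if [ "$tc" -le "$rpc" ]; then
        echo "tapecycle ($tc) <= runspercycle ($rpc): a full dump could be overwritten"
        return 1
    fi
}

# make_slots DIR N -> slot1..slotN plus the data -> slot1 symlink, as step 9 does by hand
make_slots() {
    mkdir -p "$1"
    i=1
    while [ "$i" -le "$2" ]; do mkdir -p "$1/slot$i"; i=$((i + 1)); done
    rm -f "$1/data"; ln -s slot1 "$1/data"
}

# count_slots DIR -> number of slotN directories present
count_slots() {
    n=0
    for d in "$1"/slot[0-9]*; do
        if [ -d "$d" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# check_slots CONF DIR -> exit 0 when the slot directories match tapecycle
check_slots() {
    tc=$(conf_value "$1" tapecycle); have=$(count_slots "$2")
    if [ "$have" -ne "$tc" ]; then
        echo "tapecycle is $tc but $2 holds $have slot directories"
        return 1
    fi
}

# Stand-alone run: check the cycle arithmetic and the slots behind the configured tapedev
check_cycle "$AMANDA_CONF" && check_slots "$AMANDA_CONF" "$(vtape_dir "$AMANDA_CONF")"
```

Against the live server, feed the real file with `check_cycle "$(cat /etc/amanda/intra/amanda.conf)"` and the slot check with the directory from vtape_dir; run it as the amanda user after step 9 and again whenever tapecycle is changed.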

Set Up Client

1. Install amanda client with yum:

yum -y install amanda-client

2. Edit file .amandahosts to allow communications from server:

vi /var/lib/amanda/.amandahosts

gamma amanda

3. Edit xinetd.d:

vi /etc/xinetd.d/amanda

Disable = no

4. Start xinetd:

service xinetd start

5. Check Amanda service:

lsof | grep amanda

Backup Data

1. Check tapes and clients on server:

su - amanda
/usr/sbin/amcheck intra

2. Dump manually:

/usr/sbin/amdump intra

3. Add amdump to cron:

crontab -e

0 16 * * 1-5 /usr/sbin/amcheck -m intra
45 0 * * 2-6 /usr/sbin/amdump intra

The first line checks the tapes/clients at 4pm and sends an email if it finds something wrong (no email if everything is okay).

The second line dumps at 12.45am on weekdays.

Restore Data

1. Prepare tapes:

cd /tmp
/usr/sbin/amtape intra slot 1 # select slot1 (tape1)
/usr/sbin/ammt -t file:/backup/intra/slots rewind # rewind

2.1. Restore everything from every server:

/usr/sbin/amrestore file:/backup/intra/slots

2.2. Restore only a server and a directory:

/usr/sbin/amrestore file:/backup/intra/slots beta /var

3. Extract:

tar xvf

Reference Website: http://howtoforge.com/centralized-backup-server-with-amanda-on-centos

Shell Script To Back Up All MySQL Databases, Each Table In An Individual File And Upload To Remote FTP

This script will create a backup of each table in every database (one file per table), compress it and upload it to a remote FTP server.
First create a MySQL user with SELECT and LOCK TABLES privileges (or use root).
Then run this script from your crontab every hour:

#!/bin/sh
# System + MySQL backup script
# Copyright (c) 2008 Marchost
# This script is licensed under GNU GPL version 2.0 or above
# ---------------------------------------------------------------------
#########################
######TO BE MODIFIED#####
### System Setup ###
BACKUP=YOUR_LOCAL_BACKUP_DIR
### MySQL Setup ###
MUSER="MYSQL_USER"
MPASS="MYSQL_USER_PASSWORD"
MHOST="localhost"
### FTP server Setup ###
FTPD="YOUR_FTP_BACKUP_DIR"
FTPU="YOUR_FTP_USER"
FTPP="YOUR_FTP_USER_PASSWORD"
FTPS="YOUR_FTP_SERVER_ADDRESS"
######DO NOT MAKE MODIFICATION BELOW#####
#########################################
### Binaries ###
TAR="$(which tar)"
GZIP="$(which gzip)"
FTP="$(which ftp)"
MYSQL="$(which mysql)"
MYSQLDUMP="$(which mysqldump)"
### Today + hour in 24h format ###
NOW=$(date +"%d%H")
### Create hourly dir ###
mkdir $BACKUP/$NOW
### Get all database names ###
DBS="$($MYSQL -u $MUSER -h $MHOST -p$MPASS -Bse 'show databases')"
for db in $DBS
do
### Create a dir for each database, back up its tables in individual files ###
mkdir $BACKUP/$NOW/$db
for i in $(echo "show tables" | $MYSQL -u $MUSER -h $MHOST -p$MPASS $db | grep -v Tables_in_);
do
FILE=$BACKUP/$NOW/$db/$i.sql.gz
echo $i; $MYSQLDUMP --add-drop-table --allow-keywords -q -c -u $MUSER -h $MHOST -p$MPASS $db $i | $GZIP -9 > $FILE
done
done
### Compress all tables in one nice file to upload ###
ARCHIVE=$BACKUP/$NOW.tar.gz
ARCHIVED=$BACKUP/$NOW
$TAR -czvf $ARCHIVE $ARCHIVED
### Dump backup using FTP ###
cd $BACKUP
DUMPFILE=$NOW.tar.gz
$FTP -n $FTPS <

Reference Website: http://howtoforge.com/shell-script-to-back-up-all-mysql-databases-each-table-in-an-individual-file-and-upload-to-remote-ftp
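Two things an operator running the script above should tighten, shown here as an added example (not the script author's code): the password is passed as -p$MPASS on the command line, where every local user can read it in the process list, so it belongs in a mode 0600 defaults file read through mysql's --defaults-extra-file option instead; and the exit status of a `mysqldump | gzip > file` pipeline is gzip's, so a failed dump still leaves a tidy .sql.gz behind, which is why each file should be verified before the archive is trusted. The function names (write_client_cnf, verify_dump, verify_backup_dir) are mine; the sample dump files are constructed.

```shell
#!/bin/sh
# write_client_cnf USER PASSWORD HOST -> path of a private file for mysql/mysqldump
# --defaults-extra-file (which must be the first option on their command line)
write_client_cnf() {
    f=$(mktemp) || return 1
    chmod 600 "$f"
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' "$1" "$2" "$3" > "$f"
    echo "$f"
}

# verify_dump FILE -> exit 0 if FILE is an intact gzip stream holding at least one
# CREATE TABLE statement (a real table dump always has one; a dump that failed because
# of a bad password, a locked table or a vanished database does not)
verify_dump() {
    gzip -t "$1" 2>/dev/null || { echo "$1: corrupt or not gzip"; return 1; }
    gzip -dc "$1" | grep -q 'CREATE TABLE' || { echo "$1: empty dump, no CREATE TABLE"; return 1; }
}

# verify_backup_dir DIR -> verify_dump on every DIR/<db>/<table>.sql.gz; exit 0 only if all pass
verify_backup_dir() {
    rc=0
    for f in "$1"/*/*.sql.gz; do
        [ -f "$f" ] || continue
        verify_dump "$f" || rc=1
    done
    return $rc
}
```

With the file in place, the dump line in the script becomes `$MYSQLDUMP --defaults-extra-file="$CNF" --add-drop-table --allow-keywords -q -c $db $i | $GZIP -9 > $FILE` with no -u, -h or -p arguments, and `verify_backup_dir $BACKUP/$NOW || exit 1` before the tar step stops a broken run from being uploaded as if it were good.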

Ghosting The Machine

This is a short but potentially extremely handy guide to ghosting one Linux box to another (or simply making a full backup of a desktop/server). Credit goes to 'topdog' for this.
You might have a small office where you customise one desktop just how you like it and need to roll this out to N other PCs, or simply want a backup of a server or desktop to another machine or even to an image file.
The main tool here is netcat which is extremely powerful and has a multitude of other great uses that won't be covered here.


Target Machine:
** Boot to linux rescue mode with networking (CentOS works fine)

Initiate netcat to listen on port 30 and pipe what arrives into dd - # nc -l -p 30 | dd of=/dev/sda (assuming the hard drive is sda and not hda):

# nc -l -p 30 | dd of=/dev/sda

Source Machine:
Dump the contents of the disk and pipe it through netcat to the target PC - # dd if=/dev/sda | nc

# dd if=/dev/sda | nc 192.168.0.20 30

Then to check that traffic is flowing, on the source go to another terminal (ALT/F2) and dump the tcp data on the NIC (assuming it's eth0):

tcpdump -tnli eth0 port 30

If you just want a backup image you could change the above output on the target to:

# nc -l -p 30 | dd of=mybackup.img

That's it. Naturally the target PC/disk cannot be smaller than the source:) I hope this saves someone a lot of time.
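tcpdump tells you bytes are moving, not that they all arrived: a connection that drops half-way through leaves a target disk that looks complete and boots oddly. The step a careful operator adds is to compare a checksum of the source disk with one taken on the target after the copy, and to confirm up front that the target is not smaller than the source. The functions below do that; they are an added example, not part of the original guide, with scratch files standing in for /dev/sda so it can be tried anywhere. Function names are mine.

```shell
#!/bin/sh
# size_of PATH -> size in bytes. wc -c is right for image files; for a real block device
# you would read the size with blockdev --getsize64 instead (not exercised here).
size_of() { wc -c < "$1" | tr -d ' '; }

# target_fits SRC DST -> exit 0 if DST can hold SRC (the guide's caveat: the target disk
# cannot be smaller than the source, dd simply fails part-way otherwise)
target_fits() { [ "$(size_of "$2")" -ge "$(size_of "$1")" ]; }

# clone_local SRC DST -> what "dd if=SRC | nc ... | dd of=DST" does, minus the network hop,
# so the verification below can be rehearsed on two scratch files
clone_local() { dd if="$1" of="$2" bs=64k conv=notrunc 2>/dev/null; }

# image_matches SRC DST -> exit 0 if the first size_of(SRC) bytes of DST equal SRC byte for
# byte. On real hardware run "cksum < /dev/sda" on the source and
# "head -c <source size> /dev/sda | cksum" on the target and compare the two numbers.
image_matches() {
    n=$(size_of "$1")
    a=$(cksum < "$1" | cut -d' ' -f1)
    b=$(head -c "$n" "$2" | cksum | cut -d' ' -f1)
    [ "$a" = "$b" ]
}
```

The head -c bound matters because the target disk is usually larger than the source: the bytes beyond the copied image are whatever was on the disk before and must not enter the checksum.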

Reference Website: http://howtoforge.com/ghosting-the-machine

Thursday, December 16, 2010

Virtual Hosting With PureFTPd And MySQL (Incl. Quota And Bandwidth Management) On CentOS

This document describes how to install a PureFTPd server that uses virtual users from a MySQL database instead of real system users. This performs much better and lets you have thousands of FTP users on a single machine. In addition to that I will show the use of quota and upload/download bandwidth limits with this setup. Passwords will be stored as MD5 hashes in the database.
For the administration of the MySQL database you can use web based tools like phpMyAdmin, which will also be installed in this howto. phpMyAdmin is a comfortable graphical interface, which means you do not have to mess around with the command line.
This tutorial is based on CentOS 5.3. You should already have set up a basic CentOS 5.3 system, for example as described in the first six chapters of this tutorial:
http://www.howtoforge.com/perfect-server-centos-5.3-i386-ispconfig-2
This howto is meant as a practical guide; it does not cover the theoretical background. That is treated in a lot of other documents on the web.
This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

1 Preliminary Note
In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100. These settings might differ for you, so you have to replace them where appropriate.

2 Install MySQL And Apache/PHP
We can install MySQL and Apache/PHP (Apache and PHP are needed by phpMyAdmin) with a single command:

yum install mysql mysql-server httpd php php-mysql php-mbstring

Then we create the system startup links for MySQL and Apache (so that both start automatically whenever the system boots) and start both services:

chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start

chkconfig --levels 235 httpd on
/etc/init.d/httpd start

Create a password for the MySQL user root (replace yourrootsqlpassword with the password you want to use):
mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

3 Install phpMyAdmin
Unfortunately there's no phpMyAdmin package in the official CentOS 5.3 repositories, but I've found a phpMyAdmin package for CentOS 4.x in the centos.karan.org repository which works on CentOS 5.3 as well. We can install it like this:

rpm -ivh http://centos.karan.org/el4/misc/testing/i386/RPMS/phpMyAdmin-2.7.0-3.el4.pl2.lsn.noarch.rpm

Afterwards, you should be able to access phpMyAdmin in a browser under this address:

http://server1.example.com/phpMyAdmin/
(you can also use the IP address instead of server1.example.com)

If you find that your phpMyAdmin is missing lots of images and has problems loading, open the file /usr/share/phpMyAdmin/config.inc.php and comment out the $cfg['PmaAbsoluteUri'] line:

vi /usr/share/phpMyAdmin/config.inc.php

[...]
#$cfg['PmaAbsoluteUri'] = 'http://server1.example.com/phpMyAdmin/';
[...]

Afterwards, phpMyAdmin should work as expected.

4 Install PureFTPd With MySQL Support
Again, there's no PureFTPd package in the official CentOS 5.3 repositories, but the centos.karan.org repository has a PureFTPd package for CentOS 5.3 (in the kbs-CentOS-Testing repository). Therefore we add this repository to our official CentOS repositories:

cd /etc/yum.repos.d/
wget http://centos.karan.org/kbsingh-CentOS-Extras.repo

Now we must enable the kbs-CentOS-Testing repository. To do this, we open the file kbsingh-CentOS-Extras.repo and change enabled=0 to enabled=1 in the kbs-CentOS-Testing stanza; also change gpgcheck=1 to gpgcheck=0:

vi kbsingh-CentOS-Extras.repo

[...]
[kbs-CentOS-Testing]
name=CentOS.Karan.Org-EL$releasever - Testing
gpgcheck=0
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
enabled=1
baseurl=http://centos.karan.org/el$releasever/extras/testing/$basearch/RPMS/

Then we import the GPG key of our new repository:

rpm --import http://centos.karan.org/RPM-GPG-KEY-karan.org.txt

Now we can install PureFTPd:

yum install pure-ftpd

Then we create an ftp group (ftpgroup) and user (ftpuser) that all our virtual users will be mapped to. Replace the group- and userid 2001 with a number that is free on your system:

groupadd -g 2001 ftpgroup
useradd -u 2001 -s /bin/false -d /bin/null -c "pureftpd user" -g ftpgroup ftpuser


5 Create The MySQL Database For PureFTPd
Now we create a database called pureftpd and a MySQL user named pureftpd which the PureFTPd daemon will use later on to connect to the pureftpd database:

mysql -u root -p

CREATE DATABASE pureftpd;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON pureftpd.* TO 'pureftpd'@'localhost' IDENTIFIED BY 'ftpdpass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON pureftpd.* TO 'pureftpd'@'localhost.localdomain' IDENTIFIED BY 'ftpdpass';
FLUSH PRIVILEGES;

Replace the string ftpdpass with whatever password you want to use for the MySQL user pureftpd. Still on the MySQL shell, we create the database table we need (yes, there is only one table!):

USE pureftpd;

CREATE TABLE ftpd (
User varchar(16) NOT NULL default '',
status enum('0','1') NOT NULL default '0',
Password varchar(64) NOT NULL default '',
Uid varchar(11) NOT NULL default '-1',
Gid varchar(11) NOT NULL default '-1',
Dir varchar(128) NOT NULL default '',
ULBandwidth smallint(5) NOT NULL default '0',
DLBandwidth smallint(5) NOT NULL default '0',
comment tinytext NOT NULL,
ipaccess varchar(15) NOT NULL default '*',
QuotaSize smallint(5) NOT NULL default '0',
QuotaFiles int(11) NOT NULL default 0,
PRIMARY KEY (User),
UNIQUE KEY User (User))
ENGINE=MyISAM;

quit;


As you may have noticed, with the quit; command we have left the MySQL shell and are back on the Linux shell.
BTW, (I'm assuming that the hostname of your ftp server system is server1.example.com) you can access phpMyAdmin under http://server1.example.com/phpMyAdmin/ (you can also use the IP address instead of server1.example.com) in a browser and log in as the user pureftpd. Then you can have a look at the database. Later on you can use phpMyAdmin to administrate your PureFTPd server.

6 Configure PureFTPd
Edit /etc/pure-ftpd/pure-ftpd.conf and make sure that the ChrootEveryone, MySQLConfigFile, and CreateHomeDir lines are enabled and look like this:

vi /etc/pure-ftpd/pure-ftpd.conf

[...]
ChrootEveryone yes
[...]
MySQLConfigFile /etc/pure-ftpd/pureftpd-mysql.conf
[...]
CreateHomeDir yes
[...]


The ChrootEveryone setting will make PureFTPd chroot every virtual user in his home directory so he will not be able to browse directories and files outside his home directory. The CreateHomeDir line will make PureFTPd create a user's home directory when the user logs in and the home directory does not exist yet.
Then we edit /etc/pure-ftpd/pureftpd-mysql.conf. It should look like this:

cp /etc/pure-ftpd/pureftpd-mysql.conf /etc/pure-ftpd/pureftpd-mysql.conf_orig
cat /dev/null > /etc/pure-ftpd/pureftpd-mysql.conf
vi /etc/pure-ftpd/pureftpd-mysql.conf

MYSQLSocket /var/lib/mysql/mysql.sock
#MYSQLServer localhost
#MYSQLPort 3306
MYSQLUser pureftpd
MYSQLPassword ftpdpass
MYSQLDatabase pureftpd
#MYSQLCrypt md5, cleartext, crypt() or password() - md5 is VERY RECOMMENDABLE uppon cleartext
MYSQLCrypt md5
MYSQLGetPW SELECT Password FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MYSQLGetUID SELECT Uid FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MYSQLGetGID SELECT Gid FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MYSQLGetDir SELECT Dir FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetBandwidthUL SELECT ULBandwidth FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetBandwidthDL SELECT DLBandwidth FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetQTASZ SELECT QuotaSize FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")
MySQLGetQTAFS SELECT QuotaFiles FROM ftpd WHERE User="\L" AND status="1" AND (ipaccess = "*" OR ipaccess LIKE "\R")


Make sure that you replace the string ftpdpass with the real password for the MySQL user pureftpd in the line MYSQLPassword! Please note that we use md5 as MYSQLCrypt method, which means we will store the users' passwords as an MD5 string in the database which is far more secure than using plain text passwords!
Now we create the system startup links for PureFTPd and start it:

chkconfig --levels 235 pure-ftpd on
/etc/init.d/pure-ftpd start

7 Populate The Database And Test
To populate the database you can use the MySQL shell:

mysql -u root -p

USE pureftpd;

Now we create the user exampleuser with the status 1 (which means his ftp account is active), the password secret (which will be stored as an MD5 hash using MySQL's MD5 function), the UID and GID 2001 (use the userid and groupid of the user/group you created at the end of step two!), the home directory /home/www.example.com, an upload and download bandwidth of 100 KB/sec. (kilobytes per second), and a quota of 50 MB:

INSERT INTO `ftpd` (`User`, `status`, `Password`, `Uid`, `Gid`, `Dir`, `ULBandwidth`, `DLBandwidth`, `comment`, `ipaccess`, `QuotaSize`, `QuotaFiles`) VALUES ('exampleuser', '1', MD5('secret'), '2001', '2001', '/home/www.example.com', '100', '100', '', '*', '50', '0');

quit;


Now open your FTP client program on your work station (something like WS_FTP or SmartFTP if you are on a Windows system or gFTP on a Linux desktop) and try to connect. As hostname you use server1.example.com (or the IP address of the system), the username is exampleuser, and the password is secret.
If you are able to connect - congratulations! If not, something went wrong.
Now, if you run

ls -l /home

you should see that the directory /home/www.example.com (exampleuser's home directory) has been created automatically, and it is owned by ftpuser and ftpgroup (the user/group we created at the end of step four):

[root@server1 ~]# ls -l /home
total 4
drwxr-xr-x 2 ftpuser ftpgroup 4096 Aug 10 14:04 www.example.com
[root@server1 ~]#

8 Database Administration
For most people it is easier if they have a graphical front-end to MySQL; therefore you can also use phpMyAdmin (in this example under http://server1.example.com/phpMyAdmin/) to administrate the pureftpd database.



Whenever you want to create a new user, you have to create an entry in the table ftpd so I will explain the columns of this table here:


ftpd Table:
User: The name of the virtual PureFTPd user (e.g. exampleuser).
status: 0 or 1. 0 means the account is disabled, so the user cannot log in.
Password: The password of the virtual user. Make sure you use MySQL's MD5 function to save the password encrypted as an MD5 string:



UID: The userid of the ftp user you created at the end of step two (e.g. 2001).
GID: The groupid of the ftp group you created at the end of step two (e.g. 2001).
Dir: The home directory of the virtual PureFTPd user (e.g. /home/www.example.com). If it does not exist, it will be created when the new user logs in the first time via FTP. The virtual user will be jailed into this home directory, i.e., he cannot access other directories outside his home directory.
ULBandwidth: Upload bandwidth of the virtual user in KB/sec. (kilobytes per second). 0 means unlimited.
DLBandwidth: Download bandwidth of the virtual user in KB/sec. (kilobytes per second). 0 means unlimited.
comment: You can enter any comment here (e.g. for your internal administration). Normally you leave this field empty.
ipaccess: Enter IP addresses here that are allowed to connect to this FTP account. * means any IP address is allowed to connect.
QuotaSize: Storage space in MB (not KB, as in ULBandwidth and DLBandwidth!) the virtual user is allowed to use on the FTP server. 0 means unlimited.
QuotaFiles: amount of files the virtual user is allowed to save on the FTP server. 0 means unlimited.
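The INSERT in step 7 and the column description above are usually turned into a small script once there are more than a handful of users. Doing that from the shell means the values end up inside an SQL string, so they have to be checked before they get there: the User column is 16 characters, Dir must stay under /home, and the bandwidth and quota columns are plain numbers. The functions below do that and also reproduce MySQL's MD5() so a stored Password value can be compared from the shell. This is an added example, not from the tutorial or from PureFTPd; the function names (mysql_md5, valid_ftp_user, ftpd_user_sql) are mine, Uid/Gid 2001 are the tutorial's.

```shell
#!/bin/sh
# mysql_md5 PASSWORD -> the same 32-hex-char string MySQL's MD5() stores in ftpd.Password
# (unsalted: two users with the same password get the same stored value)
mysql_md5() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# valid_ftp_user NAME -> exit 0 if NAME fits the User column: 1-16 chars from [a-z0-9_.-]
valid_ftp_user() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9_.-]{1,16}$'
}

# ftpd_user_sql USER PASSWORD DIR ULKB DLKB QUOTAMB -> the INSERT statement for the ftpd
# table with status 1, ipaccess "*" and QuotaFiles 0, as in step 7. Refuses anything that
# could smuggle SQL or a stray path into the table instead of quoting it.
ftpd_user_sql() {
    user=$1 pass=$2 dir=$3 ul=$4 dl=$5 quota=$6
    valid_ftp_user "$user" || { echo "bad username: $user" >&2; return 1; }
    case $dir in
        *..*) echo "no .. in home dir: $dir" >&2; return 1 ;;
        /home/*) ;;
        *) echo "home dir must be under /home: $dir" >&2; return 1 ;;
    esac
    case $dir in *[!A-Za-z0-9/._-]*) echo "unexpected characters in dir: $dir" >&2; return 1 ;; esac
    for n in "$ul" "$dl" "$quota"; do
        case $n in ''|*[!0-9]*) echo "not a number: $n" >&2; return 1 ;; esac
    done
    printf "INSERT INTO ftpd (User, status, Password, Uid, Gid, Dir, ULBandwidth, DLBandwidth, comment, ipaccess, QuotaSize, QuotaFiles) VALUES ('%s', '1', '%s', '2001', '2001', '%s', '%s', '%s', '', '*', '%s', '0');\n" \
        "$user" "$(mysql_md5 "$pass")" "$dir" "$ul" "$dl" "$quota"
}

# Stand-alone run: the tutorial's exampleuser, ready for "mysql -u pureftpd -p pureftpd"
ftpd_user_sql exampleuser secret /home/www.example.com 100 100 50
```

Because MD5() is unsalted, the stored value for "secret" is the same in every row and in every installation that uses it, which is what makes such a table cheap to crack if it leaks; the config file's own comment on MYSQLCrypt lists crypt() as an alternative method, which stores salted crypt(3) hashes instead.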

9 Anonymous FTP

If you want to create an anonymous ftp account (an ftp account that everybody can log in to without a password), you need a user and a group called ftp. Both have been created automatically when you installed the pure-ftpd package, so you don't need to create them manually. However, ftp's homedir is /var/ftp by default, but I'd like to create the anonymous ftp directory in /home/ftp (the normal users' ftp directories are in /home as well, e.g. /home/www.example.com). But of course, you can use the /var/ftp directory for anonymous ftp, if you prefer it.
If you want to use /home/ftp, open /etc/passwd and change the ftp user's homedir from /var/ftp to /home/ftp (don't do this if you want to use /var/ftp):

vi /etc/passwd

[...]
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
ftp:x:14:50:FTP User:/home/ftp:/sbin/nologin
[...]

Then move /var/ftp to /home (don't do this if you want to use /var/ftp):

mv /var/ftp /home

Then we create the directory /home/ftp/incoming which will allow anonymous users to upload files. We will give the /home/ftp/incoming directory permissions of 311 so that users can upload, but not see or download any files in that directory. The /home/ftp directory will have permissions of 555 which allows seeing and downloading of files:

chown ftp:nobody /home/ftp
cd /home/ftp
mkdir incoming
chown ftp:nobody incoming/
chmod 311 incoming/
cd ../
chmod 555 ftp/


(If you want to use /var/ftp instead, replace /home/ftp with /var/ftp in the above commands.)
Anonymous users will be able to log in, and they will be allowed to download files from /home/ftp, but uploads will be limited to /home/ftp/incoming (and once a file is uploaded into /home/ftp/incoming, it cannot be read nor downloaded from there; the server admin has to move it into /home/ftp first to make it available to others).
Now we have to configure PureFTPd for anonymous ftp. Open /etc/pure-ftpd/pure-ftpd.conf and make sure that you have the following settings in it:

vi /etc/pure-ftpd/pure-ftpd.conf

[...]
NoAnonymous no
[...]
AntiWarez no
[...]
AnonymousBandwidth 8
[...]
AnonymousCantUpload no
[...]


(The AnonymousBandwidth setting is optional - it allows you to limit upload and download bandwidths for anonymous users. 8 means 8 KB/sec. Use any value you like, or comment out the line if you don't want to limit bandwidths.)
Finally, we restart PureFTPd:

/etc/init.d/pure-ftpd restart

10 Links
PureFTPd: http://www.pureftpd.org/
MySQL: http://www.mysql.com/
phpMyAdmin: http://www.phpmyadmin.net/
CentOS: http://www.centos.org/

Reference Website: http://howtoforge.com/virtual-hosting-with-pureftpd-and-mysql-incl-quota-and-bandwidth-management-on-centos-5.3




Wednesday, December 15, 2010

How To Install And Configure Advanced Policy Firewall (APF) On CentOS

This tutorial explains how you can install and configure APF - an interface to IPTables which lets you easily configure a full featured firewall to secure servers and workstations connected to a network. This guide describes an example installation on a server with cPanel but it's only a matter of port numbers which must be open for everything to work. APF can be used on any system.
The makers of cPanel recommend CentOS to be the base for their software. That's why I've used this distribution for my example. Any distribution with IPTables will do.
From Advanced Policy Firewall's website:
"Advanced Policy Firewall (APF) is an IPTables(Netfilter) based firewall system designed around the essential needs of today's Linux servers. The configuration is designed to be very informative and easy to follow. The management on a day-to-day basis is conducted from the command line with the 'apf' command, which includes detailed usage information on all the features."

Installation
We will begin with downloading and extracting the archive with APF:

wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar -zxvf apf-current.tar.gz
cd apf-9.7-1

and installing it:
sh ./install.sh


After the installation finishes APF will display the locations of its executable and configuration files as well as the ports detected as being used on our system. You have to verify that the numbers are correct to avoid mistakes.
More information about ports used by cPanel can be found here: http://docs.cpanel.net/twiki/bin/view/AllDocumentation/AllFAQ/LinuxFAQ#Which_ports_should_be_open_if_I

Configuration
APF's basic configuration file is /etc/apf/conf.apf so we edit it like this:

nano -w /etc/apf/conf.apf

The configuration file is pretty well commented so it's not hard to understand which options are responsible for certain functions. What you should remember is that by default everything is locked and you have to configure APF to open the ports you need to use.
Let's get to work!
DEVEL_MODE="1" - be sure to leave this option at 1 until you're satisfied with the settings. Development mode sets a cron job to deactivate APF every 5 minutes. This lets you install it on a remote machine without the risk of cutting yourself out.
SET_MONOKERN="0" - APF supports monolithic kernels. Set this to 1 if IPTables was not compiled as a module (APF then complains about IPTables even without setting up a firewall, for example: Starting APF: Unable to load iptables module (ip_tables), aborting.)
IFACE_IN="eth0" and IFACE_OUT="eth0" - untrusted interfaces connected to the network, mostly the Internet
IG_TCP_CPORTS="20,21,22,25,26,37,43,53,80,110,113,143,443,465,873,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306,6666"- inbound TCP ports to open
IG_UDP_CPORTS="53,6277" - inbound UDP ports to open
IG_ICMP_TYPES="3,5,11,30" - inbound ICMP types to allow. I've removed types 0 and 8 so the server won't answer any pings, which partially hides it on the network. Leave them in place if you or your datacenter use ping packets (e.g. for network monitoring).

EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703" - outbound TCP ports to open. By not opening outbound ports for services like SSH here, we can stop an intruder who has broken into our system from connecting on to other servers.
EG_UDP_CPORTS="20,21,53,873,953,6277" - outbound UDP port numbers
TCP_STOP="DROP" - defines a reaction in case of TCP connections that violate the rules
UDP_STOP="DROP" - defines a reaction in case of UDP connections that violate the rules
ALL_STOP="DROP" - defines a reaction to any other connections
We can send a TCP/IP reset (RESET), drop the packet without answering (DROP), reject it (REJECT) or send icmp-host-prohibited answer (PROHIBIT) in case of UDP.
BLK_PRVNET="1" - blocks all private IPv4 addresses. If your machine is behind NAT then set this to 0.
It's worth spending some more time to get familiar with more configuration options as APF is very feature rich.

Testing
Keeping in mind the DEVEL_MODE option we start APF like this:

/usr/local/sbin/apf -s


We can use the following parameters:
-s - start APF
-r - restart APF
-f - stop APF
-l - list statistics
-st - status of APF
-a host - allow connections from "host"
-d host - deny connections from "host"

Now we can test the firewall with a port scanner such as nmap from another host. If something goes wrong (for example we lock ourselves out of SSH), the cron job that DEVEL_MODE installs flushes the rules every 5 minutes, so we can get back in and fix the configuration remotely.
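The scan tells you what is reachable from outside; the script below, an added example that is not part of the APF tutorial, gives you the other half by comparing IG_TCP_CPORTS against what the host actually listens on. A daemon bound to a public address but missing from the list breaks once DEVEL_MODE is switched off; a port in the list with nothing behind it is needless exposure and should be removed. The netstat -tln listing and the port list inside it are constructed for the demonstration; on the real host pass "$(netstat -tln)" and the value from conf.apf instead.

```shell
#!/bin/sh
# Added example, not part of the APF tutorial: cross-check the inbound TCP ports
# APF opens (IG_TCP_CPORTS) against what the host actually listens on.
# The netstat listing below is constructed; on a live host use "$(netstat -tln)".

IG_TCP_CPORTS="20,21,22,25,80,443,3306"

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:8443                0.0.0.0:*                   LISTEN'

# listening_ports TEXT: TCP ports in LISTEN state bound to a non-loopback
# address, one per line, numerically sorted. Loopback-only listeners are
# skipped because packets to them never traverse the IFACE_IN rules.
listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp6?$/ && $NF == "LISTEN" && $4 !~ /^127\./ && $4 !~ /^::1:/ {
            port = $4; sub(/.*:/, "", port); print port
        }' | sort -n | uniq
}

# allowed_ports LIST: expand an APF port list into one port per line; APF
# writes ranges with an underscore (e.g. 5000_5010), which is expanded here.
allowed_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | while read -r p; do
        case "$p" in
            '')  ;;
            *_*) seq "${p%_*}" "${p#*_}" ;;
            *)   echo "$p" ;;
        esac
    done | sort -n | uniq
}

# list_minus A B: lines of A that do not appear in B (both newline-separated).
list_minus() {
    [ -z "$1" ] && return 0
    [ -z "$2" ] && { printf '%s\n' "$1"; return 0; }
    printf '%s\n' "$1" | grep -vxF -e "$2" || :
}

# Public listeners that APF would drop: the service breaks once DEVEL_MODE is off.
unreachable_listeners() {
    list_minus "$(listening_ports "$1")" "$(allowed_ports "$2")"
}

# Ports opened in IG_TCP_CPORTS with nothing listening behind them on a public
# address: each is a hole to close (here 3306, because MySQL binds loopback only).
unused_openings() {
    list_minus "$(allowed_ports "$2")" "$(listening_ports "$1")"
}

echo "Listening on a public address but not in IG_TCP_CPORTS (APF will drop these):"
unreachable_listeners "$SAMPLE_NETSTAT" "$IG_TCP_CPORTS"
echo "In IG_TCP_CPORTS but nothing listening publicly (remove from the list):"
unused_openings "$SAMPLE_NETSTAT" "$IG_TCP_CPORTS"
```

Run it before and after flipping DEVEL_MODE; the first list must be empty and the second is your cleanup list for conf.apf.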

Final Preparation
Now that we are sure the firewall works and isn't blocking ports we need, change DEVEL_MODE="1" to DEVEL_MODE="0" in the configuration file and restart APF. Do not skip this: as long as DEVEL_MODE stays on, the cron job keeps flushing the rules every 5 minutes and the server is effectively unfirewalled.
Next, make sure APF starts at boot time: run the setup command, go to System Services, tick apf and save the settings. After a reboot APF should start automatically.


Reference URL: http://howtoforge.com/how-to-install-and-configure-advanced-policy-firewall-apf-on-centos-5.3


Tuesday, December 14, 2010

CentOS 5.x Samba Domain Controller With LDAP Backend

This will show you how to set up a Samba Domain Controller with a local LDAP backend, using CentOS 5.x (tested on 5.3, still successfully running on 5.4). Includes a web-interface for managing LDAP users/groups/etc.
January 2010 -- Now with support for Windows 7 domain logins (see end of guide).

Disable SELinux:
It will only cause problems for this setup, and this guide does not go beyond disabling it. Bear in mind that you are giving up a containment layer on a host that will hold every domain account's password hashes.

echo 0 >/selinux/enforce

Within /etc/sysconfig/selinux, set:
SELINUX=disabled

Install some tools
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
yum update
yum install openldap-servers nss_ldap samba httpd openssl mod_ssl mysql mysql-server php php-xml php-ldap php-mysql php-pdo php-cli php-common smbldap-tools

Installing smbldap-tools this way pulls in all the Perl modules it depends on, but the version available from yum has some bugs, so we upgrade to the latest version afterwards, keeping the dependencies and overwriting only the smbldap-tools package:

rpm -Uvh http://download.gna.org/smbldap-tools/packages/smbldap-tools-0.9.5-1.noarch.rpm

Set up the hostname
For the purposes of this guide the server's hostname is "dc1" and the domain "DOMAINNAME". Note: if you want to use your FQDN for your Samba domain, replace ,dc=DOMAINNAME wherever it appears below with ,dc=example,dc=com, assuming your FQDN is example.com. Also note that "root" will be the Samba administrator username; if you don't like that, change it as well. The related lines are cn=root and cn: root.
Within /etc/hosts, add or replace your line (following the file's format, assuming 192.168.0.5 is your server's network-accessible IP):

192.168.0.5 dc1.DOMAINNAME dc1

Set your hostname on the command line:

hostname dc1.DOMAINNAME

Generate a master password and set up ldap
slappasswd
Note the output of slappasswd, you will insert it into slapd.conf in a minute.
mv -f /etc/openldap/slapd.conf /etc/openldap/slapd.conf.dist
Insert the following text into /etc/openldap/slapd.conf:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix "dc=DOMAINNAME"
rootdn "cn=root,dc=DOMAINNAME"
rootpw {SSHA}TTzshhAbmZPPb8F2s7sgf9B+IrZt+nUD
password-hash {SSHA}
directory /var/lib/ldap
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eqindex sambaSID eq
index sambaPrimaryGroupSID eqindex sambaDomainName eq
index objectClass pres,eq
index default sub

Note the rootpw line in the above text: that's where you paste your output from slappasswd. Because the file now carries that hash (the slapd.conf.dist you moved aside was root:ldap, mode 640), give the new file the same owner and mode rather than leaving it world-readable.
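One thing the slapd.conf above lacks is any access directive. Without one, OpenLDAP applies its built-in default, access to * by * read, so once smbldap-populate has run, anyone who can reach port 389 can read every account's sambaNTPassword (an NT hash, usable directly in pass-the-hash attacks against the domain) and sambaLMPassword with a plain anonymous ldapsearch. The fragment below is an added example, not part of the original guide: append it to the database section of slapd.conf (after the index lines) and restart ldap. It keeps the rest of the directory readable, which the nss_ldap and smbldap-tools setup on this page relies on, but hides the password attributes from everyone except the entry's owner; anonymous binds may still authenticate against them, which is all a login needs. The rootdn bypasses ACLs, so Samba and smbldap-tools, which bind as cn=root, are unaffected.

```conf
# Password hashes: the owner may change them, anybody may authenticate against
# them (bind), nobody may read them back. Restart slapd after adding this.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none

# Everything else stays world-readable, as the rest of this guide expects.
access to *
        by * read
```

To verify, run ldapsearch -x -b "dc=DOMAINNAME" sambaNTPassword after populating the directory: no sambaNTPassword lines should come back, while the same search bound as -D cn=root,dc=DOMAINNAME -W still shows them.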

cp /usr/share/doc/samba-3.*/LDAP/samba.schema /etc/openldap/schema/
cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
chmod 600 /var/lib/ldap/DB_CONFIG

Insert the following text into /etc/openldap/init.ldif:

dn: dc=DOMAINNAME
objectclass: dcObject
objectclass: organization
o: CentOS Directory Server
dc: DOMAINNAME

dn: cn=root,dc=DOMAINNAME
objectclass: organizationalRole
cn: root

slapadd -l /etc/openldap/init.ldif
chown -R ldap:ldap /var/lib/ldap
chmod 600 /var/lib/ldap/*
slapcat

slapcat should produce something very similar to the following output:

dn: dc=DOMAINNAME
objectClass: dcObject
objectClass: organization
o: CentOS Directory Server
dc: DOMAINNAME
structuralObjectClass: organization
entryUUID: 717d1b1e-ce90-102d-88c3-df22563ebfee
creatorsName: cn=root,dc=DOMAINNAME
modifiersName: cn=root,dc=DOMAINNAME
createTimestamp: 20090506134920Z
modifyTimestamp: 20090506134920Z
entryCSN: 20090506134920Z#000000#00#000000

dn: cn=root,dc=DOMAINNAME
objectClass: organizationalRole
cn: root
structuralObjectClass: organizationalRole
entryUUID: 71858556-ce90-102d-88c4-df22563ebfee
creatorsName: cn=root,dc=DOMAINNAME
modifiersName: cn=root,dc=DOMAINNAME
createTimestamp: 20090506134920Z
modifyTimestamp: 20090506134920Z
entryCSN: 20090506134920Z#000001#00#000000

service ldap start
chkconfig ldap on
ldapsearch -x -b "dc=DOMAINNAME"

The output from ldapsearch should be very similar to the following:

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# DOMAINNAME
dn: dc=DOMAINNAME
objectClass: dcObject
objectClass: organization
o: CentOS Directory Server
dc: DOMAINNAME
# root, DOMAINNAME
dn: cn=root,dc=DOMAINNAME
objectClass: organizationalRole
cn: root
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2


Setting up remote administration of the ldap directory
Edit /etc/php.ini and make sure memory_limit is set to at least 32 MB:

memory_limit = 32M

Last I checked, the version of phpldapadmin available via yum is broken, so we get the latest release and extract it: go to http://sourceforge.net/project/showfiles.php?group_id=61828&package_id=177751 and download the latest version. In my case that resulted in the following commands; your package may be newer:

mkdir /var/www/html/samba && cd /var/www/html/samba
wget http://softlayer.dl.sourceforge.net/sourceforge/phpldapadmin/phpldapadmin-1.1.0.7.tar.gz
tar zxf phpldapadmin-1.1.0.7.tar.gz
ln -s phpldapadmin-1.1.0.7 pla
cp pla/config/config.php.example pla/config/config.php

Now edit ./pla/config/config.php and uncomment the following line:

$config->custom->jpeg['tmpdir'] = "/tmp";

Make newly setup software available

service httpd restart
chkconfig httpd on

Edit /etc/sysconfig/iptables, find the line for ssh (--dport 22 -j ACCEPT) and right after it add the following (assuming your CentOS install produced the default iptables file). Only 443 is opened for the web interface, so phpLDAPadmin is reachable over HTTPS only; do not add port 80, or the cn=root password would travel in clear:

#Allow Https://
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#Allow samba:
-A RH-Firewall-1-INPUT -m multiport -p udp --dport 137,138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m multiport -p tcp --dport 139,445 -j ACCEPT

Now open your web browser, visit https://192.168.0.5/samba/pla/ and log in with the Username cn=root,dc=DOMAINNAME and your password. You should be able to browse the (still nearly empty) directory.

Integrate ldap and Samba
mv /etc/samba/smb.conf /etc/samba/smb.conf.dist
cp /usr/share/doc/smbldap-tools-0.9.5/smb.conf /etc/samba/smb.conf

Edit /etc/samba/smb.conf to your liking; the default ldap part should be fine.
Under [global], add these three settings, which are not there by default. ldap ssl = off is acceptable only because slapd runs on this same host; if the directory ever moves to another machine, turn it back on (or use ldaps), otherwise the admin bind password crosses the network in clear:

ldap ssl = off
nt acl support = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE

cp /usr/share/doc/smbldap-tools-0.9.5/smbldap.conf /etc/smbldap-tools/smbldap.conf
net getlocalsid


Note, net getlocalsid will error a bunch until the end, because you haven't fully configured samba yet -- but will produce the sid you need for the next step.
Edit /etc/smbldap-tools/smbldap.conf and insert sid, domain, etc, all throughout the file till the end.
Edit /etc/smbldap-tools/smbldap_bind.conf and change both applicable lines, change "secret" to your password.

chmod 644 /etc/smbldap-tools/smbldap.conf
chmod 600 /etc/smbldap-tools/smbldap_bind.conf
authconfig-tui

Check that the output from authconfig-tui contains:

[ ] Local authorization is sufficient

Now test your samba config:

testparm

smbpasswd -w YOUR_ROOT_LDAP_PASS_HERE
smbldap-populate

smbpasswd -w stores the LDAP admin password in /etc/samba/secrets.tdb (readable by root only); passing it on the command line also leaves it in your shell history, so clear that afterwards. smbldap-populate will ask for the same password, enter it.

Start the LDAP Samba installation up
/etc/init.d/smb start

chkconfig smb on

Add users/groups, correlate between unix and ldap:
useradd user1
smbldap-useradd -a -G 'Domain Users' -m -s /bin/bash -d /home/user1 -F "" -P user1

Get a picture of the UNIX groups that aren't there yet that LDAP assumes:
net groupmap list

Output is something like:
Domain Admins (S-1-5-21-990788473-1556064292-4137819756-512) -> domain_admins
Domain Users (S-1-5-21-990788473-1556064292-4137819756-513) -> domain_users
Domain Guests (S-1-5-21-990788473-1556064292-4137819756-514) -> 514
Domain Computers (S-1-5-21-990788473-1556064292-4137819756-515) -> 515
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552

Add correlating groups to unix, using the suggested GIDs:

groupadd -g 514 samba_domain_guests
groupadd -g 515 samba_domain_computers
groupadd -g 544 samba_administrator
groupadd -g 548 samba_account_operators
groupadd -g 550 samba_print_operators
groupadd -g 551 samba_backup_operators
groupadd -g 552 samba_replicators

If you want to add a non-built-in group to LDAP/Samba, say for controlling which users can write/read files on a share, and have it determine that by groups:

smbldap-groupadd -a "People In Our Office"

Then get the output from net groupmap list again and correlate the newly created group # just like last time, adding the group to the unix system:

groupadd -g 1001 samba_people_in_our_office

Add users to LDAP groups via the web interface, then correlate in unix:

usermod -a -G UNIX_GROUP_NAME UNIX_USERNAME

Also add computer accounts to unix, using the group "samba_domain_computers" from above, and where your allowed computer names end with a "$":

useradd -M -g 515 -s /bin/false officecomp1$

Last, and entirely optional: you may want to turn off the unnecessary services CentOS runs by default. I determined that I, specifically, don't need any of the following. You might be different, so look them up before you turn them off (ntpd in particular is worth keeping on a domain controller, so that clients and logs agree on the time):

chkconfig ntpd off
chkconfig bluetooth off
chkconfig xinetd off
chkconfig smartd off
chkconfig yum-updatesd off
chkconfig rpcidmapd off
chkconfig rpcgssd off
chkconfig restorecond off
chkconfig portmap off
chkconfig pcscd off
chkconfig nfslock off
chkconfig mcstrans off
chkconfig mdmonitor off
chkconfig irqbalance off
chkconfig kudzu off
chkconfig ip6tables off
chkconfig hidd off
chkconfig gpm off
chkconfig haldaemon off
chkconfig autofs off
chkconfig avahi-daemon off
service ntpd stop
service bluetooth stop
service xinetd stop
service smartd stop
service yum-updatesd stop
service rpcidmapd stop
service rpcgssd stop
service restorecond stop
service portmap stop
service pcscd stop
service nfslock stop
service mcstrans stop
service mdmonitor stop
service irqbalance stop
service kudzu stop
service ip6tables stop
service hidd stop
service gpm stop
service haldaemon stop
service autofs stop
service avahi-daemon stop

(Optional) Upgrade Samba so Windows 7 computers can join the domain

Make sure ldap ssl = off is set in /etc/samba/smb.conf, as this wasn't required for the CentOS distro version of Samba to run properly, but will be required once we upgrade (3.0.x vs 3.3.x, which supports Windows 7).

We will get the newer samba RPMs built for CentOS from Sernet:

cd /etc/yum.repos.d/
wget http://ftp.sernet.de/pub/samba/3.3/centos/5/sernet-samba.repo
yum update

Your Samba packages will update from the Sernet repo. Since the upgrade, our CentOS service for Samba disappeared; let's re-add it:

chkconfig --add smb
chkconfig smb on

Now add the Windows 7 computer to Unix (assuming your domain computers' group is named "samba_domain_computers"; its GID is looked up from /etc/group):

useradd -M -g `grep '^samba_domain_computers:' /etc/group | cut -d: -f3` -s /bin/false win7-computername$
usermod -a -G samba_domain_computers win7-computername$

Now join your Windows 7 PC to the domain using this official Samba mini guide:http://wiki.samba.org/index.php/Windows7

Reference URL: http://howtoforge.com/centos-5.x-samba-domain-controller-with-ldap-backend

Efficient High-Available LoadBalanced Cluster On CentOS 5.3 (Direct Routing Method)

This article explains how to set up an LVS cluster of load balanced virtual servers with Heartbeat and Ldirectord On CentOS 5.3.The load balancer sits between the user and two (or more) backend Apache/IIS web servers that hold the same content. Not only does the load balancer distribute the requests to the two backend Apache/IIS servers, it also checks the health of the backend servers. If one of them is down, all requests will automatically be redirected to the remaining backend server.

Introduction

An LVS cluster consists of one or more virtual services, each of which may have zero or more real servers. The IP address of a virtual service is what end users connect to and is typically advertised over DNS. When a connection is made to a virtual service it is allocated a real server, and all packets for that connection are forwarded to it. Ldirectord is a daemon that monitors and administers the real servers in an LVS cluster of load balanced virtual servers; it is typically run as a resource of Linux-HA (heartbeat). Ldirectord checks the health of the real servers by periodically requesting a known URL and verifying that the response contains an expected string. If a real server fails it is removed from the pool and reinserted once it comes back on line. If all real servers are down, a fallback server is inserted into the pool and made quiescent again once one of the real servers returns. Typically the fallback is localhost; for an HTTP virtual service it is useful to run an Apache server there that returns a page saying the service is temporarily unavailable.
Note: This tutorial is based on my personal experience and on other tutorials publicly available on the Internet. I do not issue any guarantee that this will work for you!

Preliminary Note
In this tutorial I will use the following 3 hosts:
Virtual IP address (end users connect to this) : 10.10.10.53
Load Balancer: ld.example.com, IP address: 10.10.10.52
Web Server 1: http1.example.com,
IP address: 192.168.200.102
Web Server 2: http2.example.com,
IP address: 192.168.200.103

Load Balancer Configuration
Install the heartbeat, heartbeat-ldirectord and ipvsadm packages on the load balancer (ld.example.com). ldirectord is switched off at boot because heartbeat starts it as a cluster resource:

yum install heartbeat heartbeat-ldirectord ipvsadm -y
chkconfig ldirectord off
chkconfig heartbeat on
sed -i 's/net.ipv4.ip_forward = 1/net.ipv4.ip_forward = 0/' /etc/sysctl.conf
sysctl -p

Load Balancer Secondary Ethernet Configuration
eth0 carries the director's own address (10.10.10.52) on the network that users and your gateway reach, and the alias eth0:0 carries the virtual IP. Note that heartbeat's IPaddr2 resource (configured below) also brings the virtual IP up, so on a single director the alias is just a static fallback.
vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
HWADDR=3a:5d:71:ad:67:47
NETMASK=255.255.255.0
IPADDR=10.10.10.52
GATEWAY=10.10.10.1
TYPE=Ethernet

vi /etc/sysconfig/network-scripts/ifcfg-eth0:0

DEVICE=eth0:0
BOOTPROTO=none
ONBOOT=yes
HWADDR=3a:5d:71:ad:67:47
NETMASK=255.255.255.0
IPADDR=10.10.10.53
TYPE=Ethernet

service network restart

Configuring ldirectord
Configure ldirectord on your Load Balancer system.

vi /etc/ha.d/ldirectord.cf

checktimeout=30
checkinterval=2
autoreload=yes
logfile="/var/log/ldirectord.log"
quiescent=no
virtual=10.10.10.53:80
	fallback=127.0.0.1:80
	real=192.168.200.102:80 gate
	real=192.168.200.103:80 gate
	service=http
	request="/check.txt"
	httpmethod=GET
	receive="webserverisworking"
	persistent=100
	scheduler=lblc
	protocol=tcp
	checktype=negotiate


Important Note: after virtual=x.x.x.x:80 line , each line MUST start with TAB. Don't forget to press TAB key before each lines.

service ldirectord start

In the virtual= line we put our virtual IP address (10.10.10.53 in this example), and in the real= lines we list the IP addresses of our Apache/IIS nodes (192.168.200.102 and 192.168.200.103 in this example). In the request= line we name a file on http1 and http2 that ldirectord will request repeatedly to see if they are still alive; that file (which we create later on) must contain the string given in the receive= line. In the scheduler= line you can use one of the following methods depending on your needs: rr, wrr, lc, wlc, lblc, lblcr, dh, sh, sed or nq.


For more information about scheduler methods visit: http://linux.die.net/man/8/ipvsadm

Configure heartbeat
Configure heartbeat on your Load Balancer system.

vi /etc/ha.d/ha.cf

debugfile /var/log/ha-debug
logfile /var/log/ha-log
logfacility local0
keepalive 2
deadtime 10
bcast eth0
mcast eth0 225.0.0.1 694 1 0
auto_failback on
respawn hacluster /usr/lib/heartbeat/ipfail
node ld.example.com

Important: As nodenames we must use the output of:

uname -n

vi /etc/ha.d/haresources

ld.example.com ldirectord::ldirectord.cf LVSSyncDaemonSwap::master IPaddr2::10.10.10.53/24/eth0/10.10.10.255

The first word in the first line above is the output of
uname -n

vi /etc/ha.d/authkeys

auth 3
3 md5 somerandomstring

chmod 600 /etc/ha.d/authkeys

The string on line 3 is the shared secret that authenticates heartbeat messages, which here travel over eth0, the same interface users reach. Replace somerandomstring with a long random value (heartbeat also accepts sha1 in place of md5) and keep the file at mode 600; anyone who can read or guess it can forge cluster messages.

Testing
Let's check if load balancer work as expected:

ip addr sh eth0


The load balancer should list the virtual IP address (10.10.10.53):
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:c8:6f:2f brd ff:ff:ff:ff:ff:ff
inet 10.10.10.52/24 brd 10.10.10.255 scope global eth0
inet 10.10.10.53/24 brd 10.10.10.255 scope global secondary eth0:0

If your tests went fine, you can now go on and configure the two Apache/IIS nodes.

Cluster Nodes Configurations (Apache Real Web Servers Configuration)
On both web servers http1 and http2, apache should be running having a common serving file (for purpose of get checked by ldirectord).

yum install httpd -y
echo "webserverisworking" > /var/www/html/check.txt
service httpd start
chkconfig httpd on

Now put the virtual IP on a loopback alias on each web server. In direct routing the director only rewrites the destination MAC address, so the real server must own 10.10.10.53 to accept the packets, but it must not answer ARP for that address or it would compete with the director for client traffic; the arp_ignore/arp_announce settings below take care of that.

vi /etc/sysconfig/network-scripts/ifcfg-lo:0

It must look like this:

DEVICE=lo:0
IPADDR=10.10.10.53
NETMASK=255.255.255.255
ONBOOT=yes
NAME=loopback

vi /etc/sysctl.conf
Add these lines:
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.eth0.arp_announce = 2

sysctl -p
ifup lo:0

Windows XP/2003/2008 users!: if you are using IIS6/7 as a web server then you should follow the next steps otherwise just skip.

Cluster Nodes Configurations (IIS6/7 Real Web Server Configuration)

1. Create text file by using Notepad and name it "check.txt"
2. Fill this file with "webserverisworking" string.
3. Move file to "C:\inetpub\wwwroot" or anywhere your web files are.

If you are using Windows XP/2003 IIS web server then you should do these steps:

1. Install "Microsoft Loopback Adapter" by using "Add Hardware" icon in Control Panel.
2. Set IP to 10.10.10.53
3. Set Subnet Mask to 255.255.255.0
4. Don't Set Gateway or DNS
5. Done!

If you are using Windows 2008 IIS web servers then you should do these steps:

1. Install "Microsoft Loopback Adapter" by using "Add Hardware" icon in Control Panel.
2. Set IP to 10.10.10.53
3. Set Subnet Mask to 255.255.255.0
4. Don't Set Gateway or DNS
5. Then you need to use the following command line magic :

netsh interface ipv4 set interface "net" weakhostreceive=enabled
netsh interface ipv4 set interface "loopback" weakhostreceive=enabled
netsh interface ipv4 set interface "loopback" weakhostsend=enabled


Note: Obviously first you will need to rename the specific adapters from the default of "Local Area Network Connection 1" to either "net" or "loopback" respectively i.e.

See following link for more information http://blog.loadbalancer.org/direct-server-return-on-windows-2008-using-loopback-adpter/

Final Test
Use "ipvsadm" to list down current statistics of ldirectord. Make sure that both real servers IPs are listed there and have non-zero value in weight (since we’ve this default setup, it should be 1). If not, then try checking the log file, tcpdump on ldirector and apache logs on real servers. If everything works good, you’ll see changing content when browsing to http://10.10.10.53/ multiple times (from another system outside these cluster nodes). Then stop httpd on one web server, browse to the URL again and all requests should now be served from the other web server.

ipvsadm -L -n

IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 10.10.10.53:http lblc
192.168.200.102:http Route 1 0 0
192.168.200.103:http Route 1 0 0

For more information use following commands:

ipvsadm -L -nc
ipvsadm -L -n --rate
ipvsadm -L -n --stats
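The "non-zero weight" check above is worth automating. The script below is an added example, not part of the tutorial: it parses ipvsadm -L -n output for one virtual service, counts the real servers with a weight above 0 while ignoring the loopback fallback (shown with Forward=Local), and returns a non-zero exit status when fewer than the expected number are healthy, so it can run from cron or as a Nagios-style check. With quiescent=no ldirectord removes a dead real server outright; with quiescent=yes it stays listed at weight 0, and both forms are handled. The three listings inside it are constructed to match this tutorial's addresses.

```shell
#!/bin/sh
# Added example, not part of the tutorial: turn `ipvsadm -L -n` into a verdict.
# The listings are constructed; on the director use "$(ipvsadm -L -n)" (root).

SAMPLE_HEALTHY='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.10.10.53:80 lblc persistent 100
  -> 192.168.200.102:80           Route   1      0          0
  -> 192.168.200.103:80           Route   1      0          0'

# One real server marked dead with quiescent=yes (weight 0).
SAMPLE_DEGRADED='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.10.10.53:80 lblc persistent 100
  -> 192.168.200.102:80           Route   1      0          0
  -> 192.168.200.103:80           Route   0      0          0'

# Both real servers gone (quiescent=no); only the fallback is serving.
SAMPLE_ALLDOWN='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.10.10.53:80 lblc persistent 100
  -> 127.0.0.1:80                 Local   1      0          0'

# healthy_reals TEXT VS: number of real servers of virtual service VS
# ("ip:port") with weight > 0, excluding the loopback fallback.
healthy_reals() {
    printf '%s\n' "$1" | awk -v vs="$2" '
        $1 == "TCP" || $1 == "UDP" { in_vs = ($2 == vs); next }
        in_vs && $1 == "->" && $2 !~ /^127\./ && $4 + 0 > 0 { n++ }
        END { print n + 0 }'
}

# check_service TEXT VS MIN: exit 0 when at least MIN real servers are healthy,
# 1 otherwise, with a Nagios-style status line.
check_service() {
    n=$(healthy_reals "$1" "$2")
    if [ "$n" -ge "$3" ]; then
        echo "OK: $2 has $n healthy real server(s)"
        return 0
    fi
    echo "CRITICAL: $2 has $n healthy real server(s), expected at least $3" >&2
    return 1
}

# Demonstration on the healthy listing; swap in "$(ipvsadm -L -n)" on the director.
check_service "$SAMPLE_HEALTHY" 10.10.10.53:80 2
```

Run it with the number of real servers you expect as the third argument; when only the fallback is left it reports 0 healthy servers, which is exactly the moment the "temporarily unavailable" page is being served.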

Reference URL: http://howtoforge.com/efficient-high-available-loadbalanced-cluster-on-centos-5.3-direct-routing-method

Installing PowerDNS With MySQL On CentOS

What is PowerDNS?
PowerDNS is an authoritative DNS server written in C++ and licensed under the GPL. It stores zone data in one of several backends, here MySQL, and can be managed through a web interface (PowerAdmin). This guide shows how to install it on CentOS.

1. Installing MySQL
[root@server ~]# yum -y install mysql mysql-server

2. Create system startup links for MySQL
[root@server ~]# chkconfig --levels 235 mysqld on
[root@server ~]# service mysqld start

3. Check if MySQL is running
[root@server ~]# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 28179/mysqld

4. Set the password for the MySQL root user (a password given on the command line ends up in the shell history, so clear it afterwards, or omit the argument and let mysqladmin prompt for it)
[root@server ~]# mysqladmin -u root password password123

5. Install PowerDNS
[root@server ~]# yum -y install pdns pdns-backend-mysql

6. Setting database
[root@server ~]# mysql -u root -p
mysql> CREATE DATABASE powerdns;
mysql> USE powerdns;
mysql> CREATE TABLE domains (
-> id INT auto_increment,
-> name VARCHAR(255) NOT NULL,
-> master VARCHAR(128) DEFAULT NULL,
-> last_check INT DEFAULT NULL,
-> type VARCHAR(6) NOT NULL,
-> notified_serial INT DEFAULT NULL,
-> account VARCHAR(40) DEFAULT NULL,
-> primary key (id)
-> );

mysql> CREATE UNIQUE INDEX name_index ON domains(name);
mysql> CREATE TABLE records (
-> id INT auto_increment,
-> domain_id INT DEFAULT NULL,
-> name VARCHAR(255) DEFAULT NULL,
-> type VARCHAR(6) DEFAULT NULL,
-> content VARCHAR(255) DEFAULT NULL,
-> ttl INT DEFAULT NULL,
-> prio INT DEFAULT NULL,
-> change_date INT DEFAULT NULL,
-> primary key(id)
-> );

mysql> CREATE INDEX rec_name_index ON records(name);
mysql> CREATE INDEX nametype_index ON records(name,type);
mysql> CREATE INDEX domain_id ON records(domain_id);

mysql> CREATE TABLE supermasters (
-> ip VARCHAR(25) NOT NULL,
-> nameserver VARCHAR(255) NOT NULL,
-> account VARCHAR(40) DEFAULT NULL
-> );

mysql> quit;
[root@server ~]# nano /etc/pdns/pdns.conf

#################################
# launch Which backends to launch and order to query them in
#
# launch=
launch=gmysql
gmysql-host=192.200.200.1
gmysql-user=power_admin
gmysql-password=password123
gmysql-dbname=powerdns
#################################

The MySQL user power_admin does not exist yet: the steps above only set the root password, so create it and grant it rights on the powerdns database before starting pdns. gmysql-host should be localhost unless MySQL really runs on another machine, as 192.200.200.1 suggests here. Keep pdns.conf readable only by root and the pdns user, since it holds that password.

7. Create the system startup links for PowerDNS
[root@server ~]# chkconfig --levels 235 pdns on
[root@server ~]# service pdns start

8. Preparing the system for PowerAdmin installation
[root@server ~]# yum -y install httpd php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-mbstring php-mcrypt php-mhash gettext

9. Create system startup links for apache and start it
[root@server ~]# chkconfig --levels 235 httpd on
[root@server ~]# service httpd start

10. Install following two PEAR packages
yum -y install php-pear-DB php-pear-MDB2-Driver-mysql

11. Download PowerAdmin
[root@server ~]# wget https://www.poweradmin.org/download/poweradmin-2.1.2.tgz
[root@server ~]# tar zxvf poweradmin-2.1.2.tgz -C /var/www/html/
[root@server ~]# mv /var/www/html/poweradmin-2.1.2 /var/www/html/poweradmin
[root@server ~]# cp /var/www/html/poweradmin/inc/config-me.inc.php /var/www/html/poweradmin/inc/config.inc.php
[root@server ~]# chown -R apache:apache /var/www/html/poweradmin/

config-me.inc.php is the sample configuration shipped with PowerAdmin; fill config.inc.php with the database credentials. Once the web installer under /poweradmin/install/ has finished, remove that directory, as the installer itself tells you to.

Reference URL: http://howtoforge.com/installing-powerdns-with-mysql-on-centos

Installing Nictool On CentOS 5

What is Nictool?
NicTool is free software for managing DNS; to download it you have to register at
www.nictool.com. NicTool can export zones to djbdns, BIND and PowerDNS. All data is stored in MySQL and can be managed from a browser. This tutorial shows how to install NicTool on CentOS 5.2.

1. Download nictool


2. Extract nictoolclient

[root@server ~]# tar -zxvf NicToolClient-2.07.tar.gz
[root@server ~]# cd NicToolClient-2.07

3. Install perl modules
[root@server NicToolClient-2.07]# perl Makefile.PL
[root@server NicToolClient-2.07]# make install clean

4. Moving directory to web folder
[root@server NicToolClient-2.07]# cd ..
[root@server ~]# mv NicToolClient-2.07 /var/www/html/NicToolClient

5. Add a virtual host like this to httpd.conf (the handler lines go in a Files block for *.cgi and the access lines in a Directory block; the container lines are required)
[root@server ~]# nano /etc/httpd/conf/httpd.conf

<VirtualHost *:80>
ServerName server.com
Alias /images/ "/var/www/html/NicToolClient/htdocs/images/"
DocumentRoot /var/www/html/NicToolClient/htdocs
DirectoryIndex index.cgi
<Files "*.cgi">
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
PerlOptions +ParseHeaders
Options +ExecCGI
</Files>
<Directory "/var/www/html/NicToolClient/htdocs">
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>


6. And we can edit the file nictoolclient.conf
[root@server ~]# nano /var/www/html/NicToolClient/lib/nictoolclient.conf

Change this line:
$NicToolClient::app_dir = '/usr/local/www/NicToolClient';
to:
$NicToolClient::app_dir = '/var/www/html/NicToolClient';

7. Restart service apache
[root@server ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

Now we can install NicToolServer.

8. Extract nictoolserver
[root@server ~]# tar -zxvf NicToolServer-2.07.tar.gz
[root@server ~]# cd NicToolServer-2.07

9. Install Perl Modules
[root@server NicToolServer-2.07]# perl Makefile.PL
If we get messages like this:
'Warning: prerequisite Apache2::SOAP 0 not found'
please download Apache2::SOAP in www.cpan.org
You can download the module from this URL: http://search.cpan.org/CPAN/authors/id/R/RK/RKOBES/Apache2-SOAP-0.73.tar.gz

[root@server NicToolServer]# tar zxvf Apache2-SOAP-0.73.tar.gz
[root@server NicToolServer]# cd Apache2-SOAP-0.73
[root@server Apache2-SOAP-0.73]# perl Makefile.PL
[root@server Apache2-SOAP-0.73]# make
[root@server Apache2-SOAP-0.73]# make test
[root@server Apache2-SOAP-0.73]# make install

10. If your Apache2::SOAP has been installed you can continue to install perl modules
[root@server NicToolServer-2.07]# make deps
[root@server NicToolServer-2.07]# make install clean

11. Moving folder to web folder
[root@server ~]# mv NicToolServer-2.07 /var/www/html/NicToolServer

12. Add these lines to httpd.conf. The VirtualHost on port 8082 is the NicToolServer API that NicToolClient talks to; Listen 8082 binds it on every interface and nothing below restricts who may reach it, so if the client runs on this same host use Listen 127.0.0.1:8082 and point nictoolclient.conf at localhost, otherwise firewall the port to the client's address:
[root@server ~]# nano /etc/httpd/conf/httpd.conf

PerlFreshRestart On
PerlTaintCheck Off
Listen 8082
PerlRequire /var/www/html/NicToolServer/nictoolserver.conf
PerlRequire /var/www/html/NicToolClient/lib/nictoolclient.conf
<VirtualHost *:8082>
KeepAlive Off
<Location />
SetHandler perl-script
PerlResponseHandler NicToolServer
</Location>
<Location /soap>
SetHandler perl-script
# ATTENTION: Comment out one or the other!
#PerlResponseHandler Apache::SOAP
PerlResponseHandler Apache2::SOAP
# /ATTENTION
PerlSetVar dispatch_to "/var/www/html/NicToolServer, NicToolServer::SOAP"
</Location>
</VirtualHost>



13. Restart service apache and run service mysql
[root@server ~]# service httpd restart
[root@server ~]# service mysqld start


14. Create database
[root@server ~]# cd /var/www/html/NicToolServer/sql/
[root@server sql]# perl create_tables.pl


#########################################################################
NicTool database connection settings
#########################################################################
Please enter database hostname [localhost]:
Please enter database root password:
Please enter a name for the NicTool database [nictool]:
Please enter a username for NicTool's database user [nictool]:
#########################################################################


NicTool admin user (root) settings
#########################################################################
Please enter a new root password for NicTool:
Please enter a verify password:
Please enter an email address for the root user of NicTool: server@mail.com
Beginning table creation.
If any of the information you entered is incorrect, press Control-C now!
-------------------------
DATABASE DSN: mysql://nictool:******@localhost/nictool
host: localhost
db : nictool
user: nictool
*** the DSN info must match the settings in nictoolserver.conf! ***


NICTOOL LOGIN: http://localhost/index.cgi
user : root
pass : *******
email: server@mail.com
-------------------------
Otherwise, hit return to continue...
importing contents of nt_group.sql .. done.
importing contents of nt_summary.sql .. done.
importing contents of nt_nameserver.sql .. done.
importing contents of nt_zone.sql .. done.
importing contents of nt_perm.sql .. done.
importing contents of nt_user.sql .. done.
importing contents of temp.sql .. done.


15. Then edit nictoolserver.conf and fill in the correct MySQL settings. db_pass must be the password you gave the nictool database user in create_tables.pl; it is empty in the shipped file and the server cannot connect until you set it. The file holds that password in clear, so keep it readable by root and the apache user only.
[root@server sql]# cd ..
[root@server NicToolServer]# nano nictoolserver.conf
$NicToolServer::db_engine = 'mysql';
$NicToolServer::db_host = 'localhost';
$NicToolServer::db_port = 3306;
$NicToolServer::db = 'nictool';
$NicToolServer::db_user = 'nictool';
$NicToolServer::db_pass = '';

16. Restart apache
[root@server NicToolServer]# service httpd restart

Reference URL: http://howtoforge.com/installing-nictool-on-centos-5.2

Friday, December 10, 2010

SquirrelMail Configuration Easy Steps (SquirrelMail + Sendmail + Apache On RedHat/CentOS/Fedora)

This tutorial explains how you can install and configure SquirrelMail on a RedHat/CentOS/Fedora based mail server which uses Sendmail and Apache.

Scenario:
Primary Mail Server: linuxbox4 (192.168.0.14)

Domain Name: abc.com
Trusted IP Pool: 192.168.0.0/24

Note: Replace domain name and system name and IP according to your scenario.

Prerequisites:
1. DNS is configured with proper MX record.

2. All necessary packages/ softwares are installed.


Step 1:
Configure all service to start at boot time.
chkconfig sendmail on

chkconfig httpd on
chkconfig dovecot on


Step 2:
Configure /etc/hosts file. In this scenario /etc/hosts file should look like this:

192.168.0.14 linuxbox4 www.abc.com


Step 3:
Outgoing Mail Server Configuration (Sendmail):
Open /etc/mail/sendmail.mc file and change the following two lines.


DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
FEATURE(`accept_unresolvable_domains')dnl

To:

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl FEATURE(`accept_unresolvable_domains')dnl
Save and exit.


- The first change makes sendmail accept incoming mail on all installed NICs; with the DAEMON_OPTIONS line active it binds to 127.0.0.1 only and can receive mail from the local host alone.
- The second change tells sendmail to refuse mail from senders whose domain does not resolve in DNS, a basic level of spam control.
Generate sendmail.cf from sendmail.mc (this needs the sendmail-cf package installed):

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Step 4:
Allow RELAY for the trusted (organization's) IP addresses that you want to permit to send email through this mail server. Open /etc/mail/access; in this file we specify all those addresses that will be sending mail through this server. Keep the list as narrow as your trusted pool, because everything you RELAY for can send mail anywhere in your name. At the end of the file add the following line:

192.168.0 RELAY

Save and exit, then convert this text database into DB format with the following command:

makemap hash /etc/mail/access < /etc/mail/access

Step 5:
Tell sendmail that it will be acting as the primary mail server for the "abc.com" domain. We do this by adding the domain name to /etc/mail/local-host-names. If this server is acting as a mail server for more than one domain, add the names of all of the domains to this file, one per line. Open /etc/mail/local-host-names and add "abc.com" at the end of the file.
Note: A mail server can act as the primary mail server for more than one domain at the same time, and can also act as primary and secondary mail server for more than one domain at the same time.

Step 6:
All system users are mail users as well. Now create mail-only users:
useradd -s /usr/sbin/smrsh mailuser1

useradd -s /usr/sbin/smrsh mailuser2

Also set their passwords:
passwd mailuser1

passwd mailuser2

Step 7:
Finally restart sendmail service.
service sendmail restart
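
As an added check that is not part of the tutorial (my code, run against a constructed access file): a Python audit of the RELAY entries in /etc/mail/access against the scenario's trusted pool. A key such as 192.168.0 is a prefix match, so a shorter key like 10 silently opens relaying to a whole /8, which is how a server turns into an open relay.

```python
import ipaddress

# Constructed sample of /etc/mail/access (not the tutorial's file): Step 4's own
# "192.168.0 RELAY" line plus entries that a relay audit should flag.
SAMPLE_ACCESS = """\
# trusted office LAN, as added in Step 4
192.168.0          RELAY
Connect:10         RELAY
mail.example.org   RELAY
spammer.example    REJECT
127.0.0.1          RELAY
"""
TRUSTED_POOL = ipaddress.ip_network("192.168.0.0/24")   # the scenario's trusted IP pool

def prefix_to_network(key):
    """Map a sendmail access-map IP key to the network it really grants.

    sendmail matches "192.168.0" against every client whose address starts with
    those octets, so a 3-octet key is a /24 and a 1-octet key a whole /8.
    Returns None for keys that are not dotted IPv4 prefixes (hostnames, domains)."""
    octets = key.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def audit_relay_entries(text, trusted=TRUSTED_POOL):
    """Return [(key, reason)] for every RELAY grant that is not inside `trusted`."""
    findings = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) != 2 or parts[1].strip().upper() != "RELAY":
            continue                                   # blank, comment or non-RELAY
        key = parts[0]
        if key.split(":")[0] in ("Connect", "From", "To"):   # strip sendmail tag
            key = key.split(":", 1)[1]
        net = prefix_to_network(key)
        if net is None:
            findings.append((key, "relay by name: decided by reverse DNS, not address"))
        elif not (net.is_loopback or net.subnet_of(trusted)):
            findings.append((key, f"{net} is wider than the trusted pool {trusted}"))
    return findings
```

Run it over the real file with `audit_relay_entries(open("/etc/mail/access").read())` and an empty result means every RELAY grant stays inside the trusted pool.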

Step 8:
Incoming Mail Server Configuration (Dovecot):
Open /etc/dovecot.conf and change the following line from:

#protocols = imap pop3

to:

protocols = imap imaps pop3 pop3s

Save and exit, then restart the dovecot service.


service dovecot restart

Step 9:
Webserver Configuration (Apache):
Apache comes pre-configured; you just have to set the ServerName parameter in /etc/httpd/conf/httpd.conf and restart the service, that's all. Open /etc/httpd/conf/httpd.conf and set the ServerName parameter:
ServerName www.abc.com

Save and exit, then restart the httpd service.
service httpd restart

Installation & Configuration of Squirrelmail
Check that SquirrelMail is installed on the system:
# rpm -q squirrelmail

If SquirrelMail is not installed on the system, install it from its rpm package (replace the placeholder with the package file you downloaded):
rpm -ivh squirrelmail-<version>.rpm

Now go to the squirrelmail directory, located in /usr/share.
# cd /usr/share/squirrelmail

Then go to the config directory:
# cd config

Now run one of the following commands to configure squirrelmail.
# ./conf.pl
OR
perl conf.pl

Now select option 1 (Organization Preferences).
Organization Name : YOUR_ORG_NAME
Organization Title : YOUR_ORG_NAME Webmail
Provider link : http://your_org_site_address/
Provider name : YOUR_ORG_NAME

Now select option 2 (Server Settings).
Domain : abc.com
Sendmail or SMTP : Sendmail
IMAP Server : localhost
IMAP Port : 143
Server software : uw
Delimiter : /

Now select option 3 (Folder Settings).
Default Folder Prefix : mail/
Show Folder Prefix Option : true
Trash Folder : Trash
Sent Folder : Sent
Drafts Folder : Drafts
By default, move to trash : true
By default, move to sent : true
By default, save as draft : true
List Special Folders First : true
Show Special Folders Color : true
Auto Expunge : true
Default Sub. of INBOX : false
Show 'Contain Sub.' Option : true
Default Unseen Notify : 2
Default Unseen Type : 1
Auto Create Special Folders : true
Folder Delete Bypasses Trash : false
Enable /NoSelect folder fix : false

Now select option 4 (General Settings).
Data Directory : /var/lib/squirrelmail/prefs/
Attachment Directory : /var/spool/squirrelmail/attach/
Directory Hash Level : 0
Default Left Size : 150
Usernames in Lowercase : false
Allow use of priority : true
Hide SM attributions : false
Allow use of receipts : true
Allow editing of identity : true
Allow editing of name : true
Remove username from header : false
Allow server thread sort : true
Allow server-side sorting : true
Allow server charset search : true
Enable UID support : true
PHP session name : SQMSESSID
Location base :

Now choose option 8 (Plugins) and select the plugins that you wish to provide to your webmail users.

Now open the browser with the following link:

http://YOUR_SITE_ADDRESS/webmail

OR

http://192.168.0.14/webmail


Reference website: http://www.howtoforge.com/




Thursday, December 9, 2010

BIND Installation On CentOS

What is bind?
BIND is software for translating domain names into IP addresses. Because domain names are alphabetic, they are easier to remember, so when we browse the Internet we don't need to remember IP addresses. For example, the domain name www.yourdomain.com might translate to 192.168.0.1.


1. You Can Check The BIND Packages
[root@server named]# rpm -qa bind*
bind-libs-9.2.4-2
bind-utils-9.2.4-2
bind-9.2.4-2

2. Setting Computer NS1 With IP 192.168.0.1 As Nameserver And Domain Name yourdomain.com
[root@server ~]# cat /etc/resolv.conf
nameserver 192.168.0.1

3. Setting File /etc/named.conf
[root@server ~]# nano /etc/named.conf

//
// named.conf for Red Hat caching-nameserver
//
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "yourdomain.com" IN {
type master;
file "/var/named/yourdomain.com.zone";
allow-update { none; };
};
zone "0.168.192.in-addr.arpa" IN {
type master;
file "/var/named/0.168.192.rev";
allow-update { none; };
};
include "/etc/rndc.key";



4. Setting File /var/named/yourdomain.com.zone
First you must create the file yourdomain.com.zone; you can use this syntax:
[root@server ~]# nano /var/named/yourdomain.com.zone

$TTL 86400
@ IN SOA yourdomain.com. root.yourdomain.com. (
100 ; serial
1H ; refresh
1M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS ns1.yourdomain.com.
@ IN A 192.168.0.1
ns1 IN A 192.168.0.1
@ IN MX 10 mail.yourdomain.com.
mail IN A 192.168.0.1
WWW IN A 192.168.0.1



5. Setting File /var/named/0.168.192.rev
First you must create the file 0.168.192.rev; you can use this syntax:
[root@server ~]# nano /var/named/0.168.192.rev

$TTL 86400
@ IN SOA yourdomain.com. root.yourdomain.com. (
100 ; serial
1H ; refresh
1M ; retry
1W ; expiry
1D) ; minimum
@ IN NS ns1.yourdomain.com.
1 IN PTR binggo.yourdomain.com.
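
As an added check (my code, not from the tutorial): a small parser for the two hand-written zone files above that verifies the forward and reverse records agree, which matters because the sendmail post above rejects mail from hosts whose reverse DNS does not check out. The zones are constructed copies of the ones above; note that the reverse zone's PTR names binggo.yourdomain.com., a host the forward zone never defines, so the check reports it.

```python
# Constructed copies of the tutorial's zones (sample text, not read from /var/named).
FORWARD_ZONE = """\
$TTL 86400
@ IN SOA yourdomain.com. root.yourdomain.com. ( 100 ; serial
        1H 1M 1W 1D ) ; refresh retry expiry minimum
@    IN NS ns1.yourdomain.com.
@    IN A  192.168.0.1
@    IN MX 10 mail.yourdomain.com.
mail IN A  192.168.0.1
"""
REVERSE_ZONE = """\
@ IN SOA yourdomain.com. root.yourdomain.com. ( 100 1H 1M 1W 1D )
1 IN PTR binggo.yourdomain.com.
"""

def parse_zone(text, origin):
    """Tiny parser for hand-written zones: $TTL, '@', ';' comments, ( ) continuation."""
    records, buf, depth, last_owner = [], [], 0, origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]                 # drop comments
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:                               # still inside ( ... )
            continue
        has_owner = not buf[0][:1].isspace()        # indented line reuses last owner
        tokens, buf = " ".join(buf).replace("(", " ").replace(")", " ").split(), []
        if not tokens or tokens[0].startswith("$"):
            continue
        owner = tokens.pop(0) if has_owner else last_owner
        owner = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        last_owner = owner = owner.lower()
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                           # optional TTL and class
        records.append((owner, tokens[0].upper(), " ".join(tokens[1:])))
    return records

def check_reverse(forward, reverse, fwd_origin, rev_origin):
    """Every A needs a PTR and every PTR target needs a matching A; returns problems."""
    a_recs = {(o, r) for o, t, r in parse_zone(forward, fwd_origin) if t == "A"}
    ptrs = {o: r.lower() for o, t, r in parse_zone(reverse, rev_origin) if t == "PTR"}
    problems = []
    for owner, ip in sorted(a_recs):
        if ".".join(reversed(ip.split("."))) + ".in-addr.arpa." not in ptrs:
            problems.append(f"{owner} -> {ip}: no PTR record")
    for rev_name, target in ptrs.items():
        ip = ".".join(reversed(rev_name.replace(".in-addr.arpa.", "").split(".")))
        if (target, ip) not in a_recs:
            problems.append(f"{ip} PTR {target}: no matching A record")
    return problems
```

Pointing the PTR at mail.yourdomain.com. (the host the MX record names) makes the check come back empty.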


6. nslookup yourdomain.com
[root@server ~]# nslookup yourdomain.com
Server: 192.168.0.1
Address: 192.168.0.1#53
Name: yourdomain.com
Address: 192.168.0.1

7. dig yourdomain.com
[root@server ~]# dig yourdomain.com
; <<>> DiG 9.2.4 <<>> yourdomain.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10576
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;yourdomain.com. IN A

;; ANSWER SECTION:
yourdomain.com. 86400 IN A 192.168.0.1

;; AUTHORITY SECTION:
yourdomain.com. 86400 IN NS ns1.yourdomain.com.

;; ADDITIONAL SECTION:
ns1.yourdomain.com. 86400 IN A 192.168.0.1

;; Query time: 8 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Sat Aug 2 10:56:16 2008
;; MSG SIZE rcvd: 85


8. Configuration For NS 1 Is Finished

If you see errors, you can try to change the permissions of the folder /var/named. Note that 0777 also makes every zone file writable by every local user; on a production server it is better to give the named user ownership of /var/named and keep a mode without write access for others, which clears the same permission errors.
[root@server ~]# chmod 777 -Rvf /var/named/
mode of `/var/named/’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.zero’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/localhost.zone’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/198.99.208.rev’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/data’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.local' changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.ca' changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.ip6.local’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/localdomain.zone’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/yourdomain.com.zone’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.broadcast’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/slaves’ changed to 0777 (rwxrwxrwx)


9. Check The /var/log/messages Log To Find Out If There Are Errors
[root@server ~]# tail /var/log/messages
Aug 2 10:53:57 server named[20094]: listening on IPv4 interface venet0:0, 192.168.0.1#53
Aug 2 10:53:57 server named[20094]: command channel listening on 127.0.0.1#953
Aug 2 10:53:57 server named[20094]: zone 0.168.192.in-addr.arpa/IN: loaded serial 100
Aug 2 10:53:57 server named[20094]: zone yourdomain.com/IN: loaded serial 100
Aug 2 10:53:57 server named[20094]: zone localhost/IN: loaded serial 42
Aug 2 10:53:57 server named[20094]: running
Aug 2 10:53:57 server named[20094]: zone yourdomain.com/IN: sending notifies (serial 100)
Aug 2 10:53:57 server named[20094]: zone 0.168.192.in-addr.arpa/IN: sending notifies (serial 100)
Aug 2 10:53:57 server named[20094]: received notify for zone ‘yourdomain.com’
Aug 2 10:53:57 server named[20094]: received notify for zone ‘0.168.192.in-addr.arpa’

Reference website: http://howtoforge.com

Installation Of BIND As A Secondary (Slave) DNS Server On CentOS

After we have installed BIND as a master DNS server (NS1), we can now try to set up a secondary DNS server (NS2) with BIND on CentOS. NS2 acts as a backup if there are problems with NS1.
Make sure you've successfully set up NS1, as described in my previous post!
NS1 with IP 192.168.0.1
NS2 with IP 192.168.0.2
Our domain: yourdomain.com
Now we can try setting up NS2.



1. Check your Bind package
[root@server ~]# rpm -qa bind*
bind-libs-9.2.4-2
bind-utils-9.2.4-2
bind-9.2.4-2

2. Setting file /etc/resolv.conf
[root@server ~]# nano /etc/resolv.conf
nameserver 192.168.0.1

3. Setting file /etc/named.conf
[root@server ~]# nano /etc/named.conf


//
// named.conf for Red Hat caching-nameserver
//
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
allow-transfer {208.99.198.184/32;};
};
//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "yourdomain.com" IN {
type slave;
file "/var/named/yourdomain.com.zone";
// allow-update { none; };
allow-transfer { 192.168.0.1/32; };
masters { 192.168.0.1; };
};
zone "0.168.192.in-addr.arpa" IN {
type slave;
file "/var/named/0.168.192.rev";
// allow-update { none; };
allow-transfer { 192.168.0.1/32; };
masters { 192.168.0.1; };
};
include "/etc/rndc.key";
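
As an added check (my code, not from the tutorial): a scanner over constructed excerpts of the NS1 and NS2 named.conf files above that reports the effective allow-transfer ACL for each zone. The NS1 configuration sets none, and BIND 9 then permits zone transfers from any host (stated as an assumption in the code), so both NS1 zones come out as open; on NS2 a zone without its own entry inherits the options-level one.

```python
import re

# Constructed excerpts of the tutorial's named.conf files (not read from /etc).
# NS1's zones set no allow-transfer; NS2 restricts it at options and zone level.
NS1_CONF = """\
options { directory "/var/named"; };   // query-source line omitted
zone "yourdomain.com" IN { type master; file "yourdomain.com.zone"; allow-update { none; }; };
zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.rev"; allow-update { none; }; };
"""
NS2_CONF = """\
options { directory "/var/named"; allow-transfer { 208.99.198.184/32; }; };
zone "yourdomain.com" IN { type slave; file "yourdomain.com.zone";
    allow-transfer { 192.168.0.1/32; }; masters { 192.168.0.1; }; };
/* this zone has no allow-transfer of its own, so it inherits the options value */
zone "0.168.192.in-addr.arpa" IN { type slave; file "0.168.192.rev"; masters { 192.168.0.1; }; };
"""

COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
ACL = re.compile(r"allow-transfer\s*\{([^}]*)\}")

def top_level_blocks(conf):
    """Yield (header, body) for each top-level `header { body };` statement."""
    text, i = COMMENT.sub("", conf), 0
    while (start := text.find("{", i)) != -1:
        depth, j = 1, start + 1
        while depth:                               # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield text[text.rfind(";", 0, start) + 1:start].strip(), text[start + 1:j - 1]
        i = j

def acl_entries(match):
    return [a.strip() for a in match.group(1).split(";") if a.strip()]

def audit_transfers(conf):
    """Return {zone: effective allow-transfer list}; "any" means anyone may AXFR it."""
    blocks = list(top_level_blocks(conf))
    default = ["any"]          # assumption: BIND 9 allows transfers to all hosts when unset
    for header, body in blocks:
        if header == "options" and (m := ACL.search(body)):
            default = acl_entries(m)
    result = {}
    for header, body in blocks:
        if (z := re.match(r'zone\s+"([^"]+)"', header)):
            m = ACL.search(body)
            result[z.group(1)] = acl_entries(m) if m else default
    return result

def open_zones(conf):
    return sorted(z for z, acl in audit_transfers(conf).items() if "any" in acl)
```

Adding `allow-transfer { 192.168.0.2; };` to the options block of NS1 (the slave's address) makes `open_zones` return an empty list for it.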



4. Change permission of the directory /var/named
[root@server ~]# chmod 777 -Rvf /var/named/



mode of `/var/named/’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.zero’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/localhost.zone’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/data’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.local’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.ca’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.ip6.local’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/localdomain.zone’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.broadcast’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/slaves’ changed to 0777 (rwxrwxrwx)

5. The zone files /var/named/yourdomain.com.zone and /var/named/0.168.192.rev will automatically be copied to NS2.

6. Restart the named service
[root@server ~]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]

7. Check the log file to see what happened
[root@server ~]# tail /var/log/messages
Aug 3 04:25:42 server named[9362]: listening on IPv4 interface venet0:0, 192.168.0.2#53
Aug 3 04:25:42 server named[9362]: command channel listening on 127.0.0.1#953
Aug 3 04:25:42 server named[9362]: zone localhost/IN: loaded serial 42
Aug 3 04:25:42 server named[9362]: running
Aug 3 04:25:42 server named[9362]: zone yourdomain.com/IN: transferred serial 100
Aug 3 04:25:42 server named[9362]: transfer of 'yourdomain.com/IN' from 192.168.0.1#53: end of transfer
Aug 3 04:25:42 server named[9362]: zone yourdomain.com/IN: sending notifies (serial 100)
Aug 3 04:25:43 server named[9362]: zone 0.168.192.in-addr.arpa/IN: transferred serial 100
Aug 3 04:25:43 server named[9362]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.1#53: end of transfer
Aug 3 04:25:43 server named[9362]: zone 0.168.192.in-addr.arpa/IN: sending notifies (serial 100)

Looking at this log, you can see that the yourdomain.com zone gets transferred. The zone file is copied to NS2, so if NS1 is dead or has a problem, NS2 has a backup configuration.

8. Result using nslookup
[root@server ~]# nslookup yourdomain.com
Server: 192.168.0.1
Address: 192.168.0.1#53
Name: yourdomain.com
Address: 192.168.0.1
The answer came from NS1 (192.168.0.1), the server nslookup used.
Now we can try to deactivate NS1 to see if name resolution is still working.

9. First add nameserver 192.168.0.2 to /etc/resolv.conf
[root@server ~]# cat /etc/resolv.conf
nameserver 192.168.0.1
nameserver 192.168.0.2
This domain is served by NS2 when NS1 is not active. We don't need to change any files on NS2 because all zone files are transferred from NS1 to NS2.

10. Trying a DNS lookup while NS1 is down
[root@server ~]# nslookup yourdomain.com
Server: 192.168.0.2
Address: 192.168.0.2#53
Name: yourdomain.com
Address: 192.168.0.1
Now if there's any problem with NS1 you can rest easy, because NS2 acts as a backup.