Thursday, December 9, 2010

Firewall in LINUX

                      FIREWALL IN LINUX

              A firewall is the security gate of the network: it decides which traffic may come in, go out or pass through, and which is refused. The Linux firewall filters packets on the fields of their IP and transport headers: source and destination address, protocol and port.
There are 2 generations of packet-filter tools in Linux :
1) iptables: the current one (kernel 2.4 and later).
2) ipchains: the older one (kernel 2.2), now obsolete.

There are 3 types of packets, and the filter table has one chain (an ordered list of rules) for each:

a) Input packets: addressed to this machine (INPUT chain)
b) Output packets: generated by this machine (OUTPUT chain)
c) Forwarded packets: routed through this machine to another (FORWARD chain)

On the basis of the packet type there are 3 kinds of rules:
a) Input rules
b) Output rules
c) Forward rules

 
iptables contains tables, and every table is a group of chains. Inside a chain each rule has a number, counted from 1; a rule appended with -A goes to the end of the chain. Rules can be added, deleted and replaced. A packet walks the chain from rule 1 downwards: the first rule that matches and names a terminating target (ACCEPT, DROP, REJECT) decides, and if no rule matches, the chain's policy applies.

The general form of the iptables command is -
# iptables -t table option pattern -j target
the -t table option tells which table to use; when it is omitted the filter table is assumed.

3 basic tables are available -
1) filter
2) nat
3) mangle

The nat table supports network address translation (masquerading, port forwarding).
The filter table allows or blocks particular kinds of network traffic; the INPUT, OUTPUT and FORWARD rules below all live there.
The mangle table alters packet headers (e.g. TOS or TTL) and is rarely needed.

Setting up IP masquerading :
masquerading is NAT for the outgoing direction: it hides the addresses of the computers on your LAN behind the firewall's own address, using the MASQUERADE target in the nat table's POSTROUTING chain, so the LAN can reach the Internet while nothing outside can address the LAN hosts directly. Before adding any rule, look at what is already loaded.

Give command :
# iptables -L

It will show -

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


If you want to stop ping to your machine from another computer, add a rule such as :
# iptables -A INPUT -s other_machines_IP -p icmp --icmp-type echo-request -j REJECT

here -A = append the rule to the end of the named chain
-s = source address (lower case; -S is a different option that lists rules)
-p = protocol
-j = target, i.e. the action to take (ACCEPT, DROP, REJECT or a user-defined chain)
REJECT answers the sender with an ICMP error; DROP discards the packet silently, which tells a scanner nothing.

Now give command, # iptables -L (add -n to skip reverse DNS lookups and -v to see packet counters)
you can see your rules in tabular form.

To change the first rule from REJECT to DROP, replace it in place (-R chain rule_number new_rule) :

# iptables -R INPUT 1 -s other_machines_IP -p icmp --icmp-type echo-request -j DROP

# iptables -L
shows the changed rule.

To delete a rule by its number :

# iptables -D (chain_name) (Rule_number)
i.e. # iptables -D INPUT 1

To delete all rules in a chain (flush) :

# iptables -F (chain_name)
without a chain name every chain of the table is flushed. Flushing removes the rules but does not change the chain policies.

If you want to accept ping only from 172.16.0.240 and from no other machine, negate the source match :
# iptables -A INPUT ! -s 172.16.0.240 -p icmp --icmp-type echo-request -j REJECT
(older iptables versions wrote the negation as -s ! 172.16.0.240; putting the ! in front of the option is the current syntax.)

To allow FTP from 172.16.0.241 the rule is :
# iptables -A INPUT -s 172.16.0.241 -p tcp --dport 21 -j ACCEPT

Port 21 is the FTP control connection (the login); port 20 is the server side of an active-mode data connection, so add the same rule for port 20 if active-mode transfers must work. Note that an ACCEPT rule only has an effect when something later in the chain (a DROP rule or a DROP policy) would otherwise block the traffic; with the default policy ACCEPT it changes nothing.

To block FTP from 172.16.0.240 the rule should be :

# iptables -A INPUT -s 172.16.0.240 -p tcp --dport 21 -j DROP
You can check the changes :
# iptables -L

If you block only port 20, the client can still log in on port 21 but active-mode listings and transfers fail; blocking port 21 stops the login itself. Block both ports to be sure that neither works.

If you restart your machine the rules are gone, because they live only in the kernel. To save them (Red Hat / CentOS) give command :

# service iptables save

The rules are saved in the "/etc/sysconfig/iptables" file and reloaded by the iptables init script at boot.
You can also add or delete rules directly in this file; it is in iptables-save format and is applied with iptables-restore.

To allow access to the Squid proxy (TCP port 3128) from 172.16.0.240 write the rule as,
# iptables -A INPUT -s 172.16.0.240 -p tcp --dport 3128 -j ACCEPT

and to block it from 172.16.0.241,
# iptables -A INPUT -s 172.16.0.241 -p tcp --dport 3128 -j DROP
# iptables -L



To replace rules :

# iptables -R (chain_name) (Rule_number) (New_Rule)
e.g. to replace rule no. 6 so that Squid is allowed from 172.16.0.241 we can write,

# iptables -R INPUT 6 -s 172.16.0.241 -p tcp --dport 3128 -j ACCEPT

# iptables -L
 
To stop the iptables service (on Red Hat this flushes all rules and sets the policies to ACCEPT, i.e. the machine is left wide open) :

# service iptables stop
To start the service (reloads the saved rules) :

# service iptables start

To make a new table :
we cannot create new tables; they are fixed in the kernel. By default there are 3: filter, nat and mangle (newer kernels add raw and security).

To create a new (user-defined) chain :
iptables -N (new_chain_name)
# iptables -N FTP1

1) Allow FTP from 172.16.0.241
# iptables -A FTP1 -s 172.16.0.241 -p tcp --dport 21 -j ACCEPT

2) Deny FTP from 172.16.0.240
# iptables -A FTP1 -s 172.16.0.240 -p tcp --dport 20 -j DROP
# iptables -A FTP1 -s 172.16.0.240 -p tcp --dport 21 -j DROP

A user chain is only consulted when a built-in chain jumps to it (the option is --dport with two dashes), so send the FTP traffic there from INPUT:
# iptables -A INPUT -p tcp --dport 20 -j FTP1
# iptables -A INPUT -p tcp --dport 21 -j FTP1
# iptables -L
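The rules of this post, assembled as one ruleset, as an added example that is not part of the original notes. Instead of appending rules one at a time it emits the whole configuration in iptables-save format, so it can be reviewed as text and then loaded atomically with iptables-restore, and it adds what the notes leave out: default DROP policies, a connection-tracking rule so replies are accepted without per-port rules, the jump from INPUT into the FTP1 chain (without which the chain is never used), a rate limit on the ping that is allowed, and the masquerade rule for the LAN. The interface names, the LAN network and the host addresses are assumptions and can be overridden through the environment; the check function only inspects the generated text and needs no root.

```shell
#!/bin/sh
# Added example (not from the original notes): the page's rules as one
# iptables-restore ruleset with default-DROP policies and connection tracking.
# Assumptions (not in the original notes): LAN on eth1 / 192.168.1.0/24,
# Internet on eth0, admin host 172.16.0.240, FTP client 172.16.0.241.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PING_OK="${PING_OK:-172.16.0.240}"
FTP_OK="${FTP_OK:-172.16.0.241}"
FTP_DENY="${FTP_DENY:-172.16.0.240}"

# Emit the ruleset in iptables-save format. Review it, then load it with:
#   gen_ruleset > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FTP1 - [0:0]
# loopback and already-established traffic first, so later rules only see new flows
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# ping: only $PING_OK may reach us, and not faster than 5 per second
-A INPUT -p icmp --icmp-type echo-request ! -s $PING_OK -j REJECT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# FTP: hand both ports to the user chain; the chain is useless unless INPUT jumps to it
-A INPUT -p tcp -m multiport --dports 20,21 -j FTP1
-A FTP1 -s $FTP_OK -p tcp --dport 21 -j ACCEPT
-A FTP1 -s $FTP_DENY -p tcp -m multiport --dports 20,21 -j DROP
-A FTP1 -j RETURN
# Squid from the LAN only
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 3128 -j ACCEPT
# forwarding for the masqueraded LAN
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# IP masquerading: rewrite LAN source addresses to the WAN address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Sanity checks on the generated text before anything touches the kernel:
# both filter policies must be DROP and every chain named by a -j must exist.
check_ruleset() {
    rules=$(gen_ruleset)
    echo "$rules" | grep -q '^:INPUT DROP' || return 1
    echo "$rules" | grep -q '^:FORWARD DROP' || return 1
    for chain in $(echo "$rules" | sed -n 's/.* -j \([A-Za-z0-9_]*\).*/\1/p' | sort -u); do
        case $chain in ACCEPT|DROP|REJECT|RETURN|MASQUERADE) continue ;; esac
        echo "$rules" | grep -q "^:$chain " || { echo "missing chain $chain" >&2; return 1; }
    done
    return 0
}

# Apply only when explicitly asked, and only after the checks pass (needs root).
apply_ruleset() {
    check_ruleset || return 1
    gen_ruleset | iptables-restore && echo "ruleset loaded"
}

if [ "${1:-}" = "apply" ]; then apply_ruleset; else gen_ruleset; fi
```

Run it without arguments to print the ruleset, with `apply` to load it. Passive-mode FTP data connections are only matched by the ESTABLISHED,RELATED rule when the ip_conntrack_ftp (nf_conntrack_ftp on newer kernels) helper module is loaded; forwarding also requires net.ipv4.ip_forward=1.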

Thursday, December 2, 2010

Apache Web Server

                               Apache Web Server

This server descends from the NCSA 'httpd'. When its original development stopped, various people kept it alive by adding patches, hence the nickname 'a patchy server', which became Apache. The name of the service remained the same, i.e. 'httpd'.

First check that the package is installed on your system:

# rpm -qa | grep httpd

if the package is there, check for the file '/etc/httpd/conf/httpd.conf'
Edit that file :
# vim /etc/httpd/conf/httpd.conf

This file is divided into 3 sections :
                             Section I

1) ServerTokens OS
controls how much the Server response header reveals. OS sends e.g. "Apache/2.0.52 (Red Hat)", Full adds every module version. Set ServerTokens Prod (just "Apache") so scanners are not told the version; the same string appears in error pages unless ServerSignature is Off.
2) ServerRoot "/etc/httpd"
the directory holding the server's configuration; relative paths in this file (run/, logs/, conf.d/) are taken from here.
3) ScoreBoardFile run/httpd.scoreboard
when httpd starts it keeps a scoreboard with the status of its worker processes in shared memory; this option only matters on systems where the scoreboard must be kept in a file on disk instead, and is normally left commented out.
4) PidFile run/httpd.pid
the process id of the parent httpd daemon is stored here; the init script uses it to stop and restart the service.
5) Timeout 300
if the client does not send its request (or accept the response) within 300 seconds the connection is closed.
6) KeepAlive Off
if this is Off every TCP connection carries only one request; if On the client can send several requests over the same connection.
7) MaxKeepAliveRequests 100
how many requests may be sent over one persistent connection.
8) KeepAliveTimeout 15
how many seconds the server waits for the next request on an idle persistent connection before closing it. It is an idle timeout between requests, not a per-request budget: a connection does not stay open for 15 * 100 seconds, it is closed as soon as the client is silent for 15 seconds.

The next two groups are the process settings of the two MPMs (multi-processing modules); only the group for the MPM actually in use applies.

prefork (one process per connection) :
9) StartServers 8
8 child processes are started at once.
10) MinSpareServers 5
at least 5 idle children are kept ready.
11) MaxSpareServers 20
at most 20 idle children; extra ones are killed.
12) MaxClients 150
at most 150 simultaneous connections (child processes).
13) MaxRequestsPerChild 1000
each child exits after serving 1000 requests, which limits the damage of memory leaks.

worker (threads inside a few processes) :
14) StartServers 2
15) MaxClients 150
16) MinSpareThreads 25
17) MaxSpareThreads 75
18) ThreadsPerChild 25
19) MaxRequestsPerChild 0
0 means a child is never recycled.
20) Listen 0.0.0.0:80
the address and port to bind. 0.0.0.0 listens on every interface of the machine; give a specific IP address here and the service works on that interface only.
21) LoadModule …...
the list of modules (authentication, CGI, SSL, proxy, ...) loaded into the server; load only what the site needs.
22) Include conf.d/*.conf
every file ending in .conf in /etc/httpd/conf.d is read as part of the configuration (ssl.conf, php.conf and so on).
23) ExtendedStatus On
makes the mod_status /server-status page show per-request details; keep that page restricted, it reveals client addresses and URLs.

                               Section II
24) User apache
25) Group apache

The server starts as root to bind port 80 and then runs its worker processes under this user and group (options 24, 25); never set them to root.
26) ServerAdmin root@localhost
the administrator's mail address; it is shown on generated error pages so that someone with a problem can contact you.
27) ServerName new.host.name:80
the name (and port) the server uses for itself. The service works on TCP port 80.
28) UseCanonicalName Off
with Off the server builds self-referencing URLs from the host name the client sent; with On it always uses ServerName.
29) DocumentRoot "/var/www/html"
the directory whose files are served as the web site.
30) Options FollowSymLinks
the server follows symbolic links inside the directory; for the server root "/" this is the only option enabled, so directory listings and CGI are off by default.
31) AllowOverride None
.htaccess files cannot change the settings of option 30.
32) <Directory "/var/www/html">
the block that configures the document root separately from "/".
33) Options Indexes FollowSymLinks
Indexes produces an automatic listing of any directory without an index file; turn it off unless browsing is intended.
       <IfModule mod_proxy.c>

if you uncomment the statements below this (ProxyRequests On), the server also acts as a forward proxy. Unless the <Proxy> block restricts who may use it, that is an open proxy that anyone on the Internet can relay traffic through, so leave it commented out.
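A check for the directives discussed in sections I and II, as an added example that is not part of the original notes. It strips comments from an httpd.conf and reports the settings a hardening review flags: version disclosure (ServerTokens other than Prod, ServerSignature not Off), directory listings (Options Indexes), worker processes running as root, and a forward proxy (ProxyRequests On) without a <Proxy> block limiting its users. The configuration it audits here is a constructed sample written to a temporary file; point it at /etc/httpd/conf/httpd.conf to check a real server (files pulled in by Include are not followed).

```shell
#!/bin/sh
# Added example (not from the original notes): audit httpd.conf for the
# insecure settings discussed in sections I and II. The sample configuration
# below is constructed for the demonstration.
SAMPLE_CONF="${TMPDIR:-/tmp}/httpd.conf.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
ServerTokens OS
ServerSignature On
User apache
Group apache
Listen 0.0.0.0:80
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<IfModule mod_proxy.c>
ProxyRequests On
</IfModule>
EOF

# Strip comments and surrounding whitespace, drop blank lines.
normalize() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# Print one finding per line; the return value is the number of findings.
audit_httpd_conf() {
    conf=$(normalize "$1")
    n=0
    tok=$(echo "$conf" | awk 'tolower($1)=="servertokens"{print $2}' | tail -n1)
    [ "$tok" = "Prod" ] || { echo "ServerTokens ${tok:-unset}: leaks version/OS in the Server header, use Prod"; n=$((n+1)); }
    sig=$(echo "$conf" | awk 'tolower($1)=="serversignature"{print $2}' | tail -n1)
    [ "$sig" = "Off" ] || { echo "ServerSignature ${sig:-unset}: leaks the version in error pages, use Off"; n=$((n+1)); }
    if echo "$conf" | grep -i '^Options' | grep -qi 'Indexes'; then
        echo "Options Indexes: directory listings exposed wherever no index file exists"; n=$((n+1))
    fi
    for d in User Group; do
        v=$(echo "$conf" | awk -v k="$(echo $d | tr A-Z a-z)" 'tolower($1)==k{print $2}' | tail -n1)
        case "$v" in
            root|"") echo "$d ${v:-unset}: worker processes must run as an unprivileged account"; n=$((n+1)) ;;
        esac
    done
    if echo "$conf" | grep -qi '^ProxyRequests[[:space:]]*On'; then
        echo "$conf" | grep -qi '^<Proxy' || { echo "ProxyRequests On without a <Proxy> block: open forward proxy"; n=$((n+1)); }
    fi
    return $n
}

audit_httpd_conf "$SAMPLE_CONF"; FINDINGS=$?
echo "findings: $FINDINGS"
rm -f "$SAMPLE_CONF"
```

The sample above yields four findings (ServerTokens, ServerSignature, Options Indexes and the open proxy); a configuration with ServerTokens Prod, ServerSignature Off, no Indexes and the proxy block left commented yields none.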


                 Section III : Virtual Hosts
this section is used to set up web sites.
1) NameVirtualHost *:80
with this option several web sites can share one IP address and port; the server picks the site by the host name in the URL (the Host header the browser sends).
2) <VirtualHost *:80>
the address part stays *:80 (or the server's IP address and port); the site's name goes in a ServerName directive inside the block,
i.e. ServerName www.Redhat.com

if you want to test it, save the changes, exit, and give command
# service httpd start
then open Mozilla and give the URL
http://(ip address of your machine)
you will see the Red Hat test page, which shows the Apache version information (one reason to replace it with your own index page).

Now edit the /etc/httpd/conf/httpd.conf file

NameVirtualHost *:80 (remove the comment)
and make it NameVirtualHost ipaddress_of_your_machine:80
at the end of the file, below the commented <VirtualHost> example, write:
<VirtualHost ipaddress_of_your_machine:80>
ServerAdmin root@your_Hostname.com
DocumentRoot /webdocs
ServerName www.rediffmail.com
ErrorLog /logs/rediffmail-error_log
CustomLog /logs/rediffmail-custom_log common
</VirtualHost>
The address in <VirtualHost> must match the NameVirtualHost line exactly, ServerName is the name the browser will ask for, and the directories /webdocs and /logs must exist before the service is started.


then check
DirectoryIndex index.html (the file served when a directory is requested; name your web page accordingly)

save and Exit

edit the /etc/hosts file

at the end type
(your ip address) (your host name) www.rediffmail.com
(the name in the URL must resolve to this server; here the hosts file does it, the DNS post does it properly)

save and exit
# service network restart
# service httpd restart


then open Mozilla (no need to be root for browsing)
and give the URL http://www.rediffmail.com

you will get the document stored in the /webdocs folder.

You can do the same for multiple sites; each needs its own <VirtualHost> block with its own ServerName and DocumentRoot in httpd.conf, plus an entry in /etc/hosts (or in DNS).

NIS [ Network Information Service ]

                      NIS [ Network Information Service]

The earlier name of NIS was 'Yellow Pages' (the yp prefix of its commands and packages comes from that), but that name was a registered trademark, hence NIS is used now.
In NIS one server is the master and optionally one or more slave (secondary) servers hold a copy of its maps, as a precaution for when the master has problems.

First check whether the packages for NIS are installed on your machine, for that :

# rpm -qa | grep yp

it needs 3 packages 1) ypserv (the server)
                            2) yp-tools (client utilities such as ypcat, ypwhich, yppasswd)
                            3) ypbind (the client daemon)

 
Uses :

If 10 users are needed on each of 100 Linux machines, just create the 10 users on the NIS server; its passwd (and group, hosts) maps are shared with those 100 machines, so accounts are administered in one place. Be aware that NIS sends the maps, password hashes included, in clear text and without authentication: any host that can reach ypserv can request them unless /var/yp/securenets restricts the client networks, and any host can answer a broadcast bind. Use it only on a trusted LAN.

Step 1 : set the IP address of the machine using : # netconfig or # setup

Step 2 :
set the NIS domain name using : # domainname (domain name)

Make sure that all machines in the NIS domain use the same domain name (it is case sensitive and need not match the DNS domain).

The domain name set this way is not persistent; it is lost when you restart the machine. To make it persistent, put it in the file read by the network start-up script,
i.e. the '/etc/sysconfig/network' file
edit it, i.e. # vim /etc/sysconfig/network, and make the changes as

NETWORKING=yes
HOSTNAME=(your host name)
NISDOMAIN=(your domain name)

e.g. NISDOMAIN=classroom.edu
(no spaces around the = sign; the file is sourced by the shell)
save the file and exit vi

restart your machine (or run the domainname command again)

STEPS 1 & 2 are common to both the server and the NIS clients.

Set this on the NIS CLIENT machine:

STEP 3 : edit the '/etc/yp.conf' file and add one of these lines...

domain (your domain name) broadcast

( e.g. domain classroom.edu broadcast )
broadcast makes ypbind accept the first server on the subnet that answers, a rogue one included, so prefer naming the server:

domain (your domain name) server (your Host name)
(the host name must be resolvable; put the server's IP address and host name in '/etc/hosts')

or, for the default domain,
ypserver                        (your Host Name)

save and exit

STEP 4 : edit the '/etc/nsswitch.conf' file

( this file lists, for each database, the sources the C library consults and in which order )

make changes as...

a) passwd:  files nis
b) shadow:  files nis
c) group:   files nis
d) hosts:   files nis dns

with files first, local accounts (root above all) still resolve when the NIS server is unreachable; "nis files" works too, but then every local lookup waits for NIS first.

save & exit

STEP 5 : Edit '/etc/hosts' file
add to last line...
(ip address of client machine) (Client Host Name)
(Ip address of server machine) (server Host Name)


save & exit

Thus the CLIENT configuration is complete...

Set this On NIS SERVER Machine...

STEP 6 : edit '/etc/hosts' file...
write at last line...

(Ip address of server machine) (server Host Name)

save and exit

The whole configuration of the NIS server, and the map database it builds, lives in the '/var/yp' directory.

Edit '/var/yp/Makefile'
the contents of that file are...

1) #B = -b
if you remove this comment, the hosts map is built so that names not found in it are looked up through DNS (the -b "interdomain" flag). Use it when clients must resolve Internet hosts through NIS.
2) NOPUSH = true
keep 'true' when you have a single server. Set it to 'false' when you have secondary servers: the primary then pushes every rebuilt map to the servers whose names are listed in the '/var/yp/ypservers' file.
3) MINUID = 500
MINGID = 500

users and groups with an id below these are system accounts and are not exported into the maps.
4) NFSNOBODYUID = 65534
NFSNOBODYGID = 65534
the nfsnobody account is excluded as well.
5) MERGE_PASSWD = true

decides whether the password hashes from the 'shadow' file are merged into the passwd map. With 'true' every NIS client can read the hashes with "ypcat passwd" and feed them to a password cracker; set it to 'false' so they go into a separate shadow map, which ypserv serves only to requests from privileged ports.
6) MERGE_GROUP = true
the same for the 'group' and 'gshadow' files.
7) AWK = /usr/bin/gawk
8) MAKE = /usr/bin/gmake
9) UMASK = umask 066

DON'T CHANGE OPTIONS 7, 8, 9. They are used to build the database, and the umask keeps the map files unreadable by other local users.
10) YPSRCDIR = /etc
11) to 15) (the remaining directory variables; their names are not listed in these notes)

DON'T CHANGE OPTIONS 11 to 15; these variables tell make where to find the source files and where to put the database (map) files.
After this we only need the maps named in the 'all:' target, i.e.
GROUP
PASSWD
SHADOW
GSHADOW
ADJUNCT
ALIASES
HOSTS
AUTO_MASTER
AUTO_HOME
AUTO_LOCAL

(in the file the names are in lower case: passwd group hosts ...)
Keep the maps you need on the 'all:' line and comment out or remove the others; every name there is a map that make builds and that every client can read.

Save & exit.
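Two checks on the points made about MERGE_PASSWD and securenets above, as an added example that is not part of the original notes. The first reads the passwd map as any client sees it (the output of "ypcat passwd") and reports every account whose password field carries a real hash, or is empty, instead of the x/*/! placeholders; the second reads /var/yp/securenets and reports whether it still contains the world-open 0.0.0.0 0.0.0.0 line. Both inputs below are constructed samples; on a real server pipe "ypcat passwd" and the securenets file into the functions.

```shell
#!/bin/sh
# Added example (not from the original notes): does the NIS passwd map leak
# hashes, and does securenets restrict who may ask for it?
# The map output and securenets file below are constructed samples.
SAMPLE_MAP='guest2001::1001:1001:Guest:/home/guests/guest2001:/bin/bash
alice:$1$abcdefgh$0123456789abcdefghijkl:1002:1002:Alice:/home/guests/alice:/bin/bash
bob:x:1003:1003:Bob:/home/guests/bob:/bin/bash
svc:*:1004:1004:Service:/sbin/nologin:/sbin/nologin'

SAMPLE_SECURENETS='# netmask network, one per line; allow the classroom LAN only
255.255.255.0 192.168.0.0
0.0.0.0 0.0.0.0'

# Print "user: reason" for each passwd-map entry that is a problem: an empty
# password field (login without a password) or an exposed hash (anything
# other than the x, *, ! or !! placeholders).
exposed_hashes() {
    awk -F: '{
        if ($2 == "")                    print $1 ": empty password, logs in without one"
        else if ($2 !~ /^(x|\*|!|!!)$/)  print $1 ": password hash exported in map"
    }'
}

# Exit 0 if securenets limits ypserv to specific networks, 1 if a line
# grants every network (0.0.0.0 0.0.0.0).
securenets_ok() {
    grep -v '^#' | grep -v '^[[:space:]]*$' | awk '
        $1 == "0.0.0.0" && $2 == "0.0.0.0" { open = 1 }
        END { exit open ? 1 : 0 }'
}

# Number of problem entries in a map given as a string.
count_exposed() { echo "$1" | exposed_hashes | wc -l | tr -d ' '; }

echo "$SAMPLE_MAP" | exposed_hashes
if echo "$SAMPLE_SECURENETS" | securenets_ok; then
    echo "securenets: restricted to listed networks"
else
    echo "securenets: 0.0.0.0/0 present, any host that reaches ypserv can dump the maps"
fi
```

On a real server: `ypcat passwd | exposed_hashes` and `securenets_ok < /var/yp/securenets`. An empty securenets file is as open as the 0.0.0.0 line, since ypserv then accepts every client.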
Now give this command on the PRIMARY SERVER only...

# /usr/lib/yp/ypinit -m
( if you don't have a secondary NIS server, press 'ctrl + D' at the prompt )

if you have a secondary NIS server, give its name here; it is added to '/var/yp/ypservers'. ypinit then shows:
The current list of NIS servers looks like this:

(Host name)
Is this correct? [y/n: y]  press 'y'
and builds the maps under /var/yp/(domain name).

# yum install authconfig-gtk         (only for the graphical client tool used below)
# service portmap restart            (ypserv registers with the portmapper, so portmap must run first)
# service ypserv restart
# getsebool -a | grep yp
# setsebool -P allow_ypbind 1        (-P makes the SELinux boolean survive a reboot)


set your domain name again (if it was lost, see Step 2)

Now from the CLIENT machine :

# authconfig-tui

or # system-config-authentication
enable NIS, enter the domain and the server; the ypbind service is started for you...

on the client you can now log in as a user from the server's passwd map, e.g. guest...

But to get the home directory as well (it still lives on the server), make the settings as....

On the CLIENT as well as the SERVER machine :
# vim /etc/auto.master
add under the # /net line
/home/guests /etc/auto.misc --timeout=60

save and exit

edit the '/etc/auto.misc' file

# vim /etc/auto.misc

add at the last line...
* -rw,soft,intr 192.168.0.254:/home/guests/&
(* matches whatever name is requested under /home/guests and & substitutes it into the server path; the server must export /home/guests over NFS, see the NFS post)
save and exit

# service autofs restart

then log in on the client using
login name : guest2001
passwd : (no password was set for this demo account; do not leave blank-password accounts on a real server, every NIS client can read the map)

It will get its home directory under /home/guests/guest2001.

DNS [ Domain Name Server / System ]

           DNS [ Domain Name System ] For RHEL 4

DNS maps names to IP addresses (and back). When a user enters a URL, the resolver asks the DNS server for that name and the server answers with the address, either from its own zones or by querying other servers; it acts as the mediator between the user and the rest of the Internet. One address can carry several names, which is what the virtual hosts of the Apache post rely on.

To check whether the DNS package is installed give command :

rpm -qa | grep bind

Here the name of the DNS service is "named" and the package name is "bind"
BIND : Berkeley Internet Name Domain

edit the "/etc/named.conf" file. If this file is not there then copy /etc/named.custom to the same location as "named.conf",

i.e. # cp /etc/named.custom /etc/named.conf

# vim /etc/named.conf

1) controls : which hosts (and which key) may control the running server with rndc.
2) zone : each zone statement names a zone and the file holding its records; the format of the zone file is very important.

zone "." IN {
type hint;
file "named.ca"; // the root servers, the starting point for recursive lookups
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

These are forward lookup zones: the client gives a name and the DNS server returns the IP address for that name. The next type is the "reverse lookup zone": the client gives an IP address and the DNS server returns the name for it. Reverse zones live under the special domain in-addr.arpa, with the network part of the address written backwards,
i.e. 1) for the network 192.168.100.0/24 the reverse zone is "100.168.192.in-addr.arpa"
2) the host 192.168.100.10 is then the record "10" (a PTR record) inside that zone.
3) zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
add your own zone after it

zone "pranay.com" IN {
type master;
file "pranay.com.zone";
allow-update { none; };
};

allow-update controls dynamic DNS updates: with "none" nobody can change the zone over the network, which is right for a hand-edited zone. Listing a host here lets that host rewrite records (used for a DHCP server doing dynamic updates), so never add hosts you do not fully trust. A secondary server does not need allow-update; it fetches the zone by zone transfer, which allow-transfer controls (see "Creating a Secondary Master" below).

"pranay.com.zone" file   (your zone file)

There are three files in the "/var/named" directory: "named.ca" (the root hints), "localhost.zone" (the forward zone for localhost) and "named.local" (the reverse zone for 127.0.0). Copy the "localhost.zone" file to the same location with the name "pranay.com.zone".

Now edit the "pranay.com.zone" file :

a) $TTL 86400 : any resolver that caches records from this zone may keep them for 86400 seconds (one day); after that it must ask the server again.

b) $ORIGIN localhost.

the domain appended to every name in the file that does not end in a dot; change it to your zone name, with the trailing dot
i.e. type $ORIGIN    pranay.com.

c) the SOA record (start of authority) follows:
@       IN SOA  @ root (
        42      ; serial
        3H      ; refresh
        15M     ; retry
        1W      ; expiry
        1D )    ; minimum

Here @ stands for the zone name itself, "root" is the mail address of the zone contact (root@pranay.com), and the serial must be increased on every edit, otherwise secondary servers never fetch the change.

        IN NS   @               (Here IN is 'Internet', NS is 'Name server' & @ is your machine, i.e. the zone name)

        IN A    127.0.0.1       (now delete this line, it was the localhost address)

Make changes as

pranay  IN A    ipaddress       (the server itself, i.e. pranay.pranay.com)
www     IN A    ipaddress
another_client IN A ipaddress

Names are not case sensitive in DNS, so PRANAY and pranay are the same record.

save & exit

Edit the "/etc/hosts" file

and keep only the line below, so that names are resolved through DNS instead of the hosts file,

127.0.0.1 localhost.localdomain localhost

 &    delete all the other lines
save & exit
Then start the service named, i.e.
 

# service named start
# netconfig

set your IP address & set the name server IP address, i.e. the DNS server address (this machine); this writes the nameserver line of /etc/resolv.conf
ok

# service network restart

To check it type,
# ping www.pranay.com
It will ping the site.

To check whether the server & the service answer correctly give command,

# nslookup pranay.pranay.com
# dig pranay.pranay.com
dig shows the A record in the answer section and NOERROR in the status field if the zone loaded; if named refused the zone, /var/log/messages says why.



Edit the "/var/named/pranay.com.zone" file again and check three things:

the SOA names the primary server and the contact, e.g.
@       IN SOA  pranay.pranay.com. root.pranay.com. (

the NS record points to a host NAME, never to an IP address, and that name has an A record in the zone:
        IN NS   pranay.pranay.com.

and $ORIGIN carries the trailing dot:
$ORIGIN pranay.com.                (i.e. the name of your zone)

save & exit, increase the serial, and reload the zone with
# service named reload

Then give command :

# dig pranay.pranay.com

Then,

# ping pranay.pranay.com

Now
check the entries in the "/etc/hosts" file (only the localhost line should remain) and edit the web server configuration
# vim /etc/httpd/conf/httpd.conf

Make changes as

NameVirtualHost (ip address of server):80

then add one block per site, with the site name in ServerName
<VirtualHost (ip address of server):80>
ServerName www.pranay1.com
...
</VirtualHost>
<VirtualHost (ip address of server):80>
ServerName www.pranay.com
...
</VirtualHost>

the global ServerName outside the blocks can stay as

ServerName (ip address of server):80

save & Exit

# service httpd restart


TO PING THE LINUX DNS SERVER FROM A WINDOWS XP MACHINE :

Go to XP's My Network Places properties → Local Area Connection properties → TCP/IP properties → give the DNS server IP address → ok

go to Run
cmd
 ping   (server's Ip address)
ping pranay.pranay.com
ping PRANAY.pranay.com           (same name, DNS is not case sensitive)
nslookup pranay.pranay.com

it will show the IP address.

                                        IMPORTANT
1) To create a new zone, copy the file "/var/named/localhost.zone" to the same location under your zone name, i.e. web.com.zone
2) Edit the "web.com.zone" file and make the changes given above (origin, SOA, NS, A records, serial)
3) Add the zone statement to "/etc/named.conf" as given above
4) Edit "/etc/httpd/conf/httpd.conf" and add the virtual host as given above
5) Restart the services named and httpd
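A lint for the hand-edited zone file, as an added example that is not part of the original notes. It catches the mistakes that the steps above make easy: an $ORIGIN without the trailing dot (every name then gets the zone appended twice), an NS record pointing at an IP address instead of a host name, an NS host without an A record in the zone, and a missing numeric serial; it then rewrites the serial in the YYYYMMDDnn form so that each edit is guaranteed to be larger than the last. The zone text it checks is a constructed sample with two of those mistakes; the functions read any zone file from standard input.

```shell
#!/bin/sh
# Added example (not from the original notes): check a BIND zone file for the
# usual hand-editing mistakes and bump its serial. The zone is a constructed
# sample that deliberately has a dotless $ORIGIN and an NS pointing at an IP.
SAMPLE_ZONE='$TTL 86400
$ORIGIN pranay.com
@       IN SOA  pranay.pranay.com. root.pranay.com. (
                42      ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        IN NS   192.168.0.254
        IN NS   pranay
pranay  IN A    192.168.0.254
www     IN A    192.168.0.254'

# Print one problem per line; the exit status is the number of problems.
lint_zone() {
    awk '
        function strip(s) { sub(/;.*/, "", s); return s }
        { line = strip($0); if (line ~ /^[[:space:]]*$/) next }
        line ~ /^\$ORIGIN/ {
            origin = $2
            if (origin !~ /\.$/) { print "$ORIGIN " origin " lacks the trailing dot"; n++ }
        }
        line ~ /IN[[:space:]]+SOA/ { insoa = 1 }
        insoa {
            nf = split(line, f)
            for (i = 1; i <= nf; i++) if (!serial_seen && f[i] ~ /^[0-9]+$/) serial_seen = 1
            if (line ~ /\)/) insoa = 0
        }
        line ~ /IN[[:space:]]+NS[[:space:]]/ {
            nf = split(line, f); t = f[nf]
            if (t ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print "NS " t ": NS must name a host, not an IP"; n++ }
            else if (t !~ /\.$/) ns[t] = 1
        }
        line ~ /IN[[:space:]]+A[[:space:]]/ { a[$1] = 1 }
        END {
            if (!serial_seen) { print "no numeric SOA serial found"; n++ }
            for (h in ns) if (!(h in a)) { print "NS " h " has no A record in the zone"; n++ }
            exit n
        }'
}

# Rewrite the line marked "; serial" as YYYYMMDDnn: today plus a counter that
# continues from the old value on the same day and restarts at 01 on a new day.
bump_serial() {
    today=$(date +%Y%m%d)
    awk -v today="$today" '
        !done && /;[[:space:]]*serial/ {
            old = $1
            if (substr(old, 1, 8) == today) new = old + 1; else new = today "01"
            sub(old, new); done = 1
        }
        { print }'
}

echo "$SAMPLE_ZONE" | lint_zone
echo "$SAMPLE_ZONE" | bump_serial | grep serial
```

On the sample, lint_zone reports the dotless $ORIGIN and the NS that points at 192.168.0.254 and exits with status 2; after the fixes it is silent. named-checkzone (part of bind) does a fuller syntax check, but it accepts the dotless $ORIGIN that this script flags.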

Creating a Secondary Master

1) On the secondary, edit "/etc/named.conf"

zone "abc.com" IN {
type slave;
file "abc.com.zone";
masters { (ip address of the primary); };
};

the slave fetches the zone from the primary by zone transfer and writes it to the file; the name in the zone statement is the zone ("abc.com"), not the file name.

2) On the primary, allow that secondary to transfer the zone, and nobody else, since a zone transfer hands out every record you have:

zone "web.com" IN {
type master;
file "web.com.zone";
allow-transfer { (ip address of the secondary); };
allow-update { none; };
};

(allow-update { (ip address); } would instead let that machine change your records over the network, which a secondary does not need.)


save & exit

Now the "/etc/rndc.key" file
contains the shared secret with which rndc authenticates to named; whoever has it can reload, flush or stop your name server. It should be different on every server (rndc-confgen -a generates one) and readable by root and named only.

Edit the "/etc/rndc.conf" file

make the change at the end of this file as :

server (ip address)   {
key "redhat";
};

include "/etc/rndc.key";

(the key name "redhat" must match the key statement in /etc/rndc.key and the controls statement in named.conf)

save & exit

OR

edit the "/etc/named.conf" file

comment out (named.conf accepts #, // and /* */ comments) the line with the keyword "controls" together with its next 2 lines, and the last line with the keyword "include". named then starts without rndc control at all, which is the crude way out: it leaves "service named restart" as the only way to reload.

save & exit

Monday, November 22, 2010

NFS [ Network File System]


NFS [ Network File System]

                         NFS is used to share the data on one computer with other computers.
The Network File System (NFS) was developed to let a machine mount a disk partition of a remote machine as if it were a local disk. It allows fast, seamless sharing of files across a network. Other systems provide similar functionality, e.g. Samba provides file services to Windows clients.
For user names and passwords: if the "/etc/passwd" file is shared from the NIS server to the clients, users can log in on the clients, but their home directory is still on the server. For that, configure the server as an NFS server as well and mount the home directories on every client with the command :

# mount -t nfs (server's ip address):/home /home
here ":/home" is the directory exported by the server and "/home" is the mount point on the client.

There is a file in "/etc/" named "exports"
Edit that file... #vim /etc/exports

one line per export, as...
(name of directory to be shared)     (host, network or * allowed to mount it)(options, e.g. rw/ro, sync/async)

e.g. /dbc *(rw,async)

here /dbc is the directory on the server which we want to share
' * ' means share with all machines ( better give a specific IP or a network such as 192.168.0.0/24 )
Write the options directly after the host with no space in between: "* (rw,async)" exports to everyone with the default options and then applies (rw,async) to an empty host field, i.e. again to everyone; exportfs prints a warning about it.

Now to export it give command :
# exportfs -a
# exportfs                    ( To see what is shared on your machine )

To use on your machine a directory which is exported by another machine,
make a directory at the root, for e.g.
# mkdir /abc
# service nfs start           ( needed on the server; a client only needs portmap )
Then mount the remote directory onto your computer, for that give command-
# mount -t nfs (server's IP address):/s1 /abc
( the exported path after the colon must be given in full, as it appears in the server's /etc/exports )

Modes :
async : faster, because the server acknowledges a write as soon as it holds the data in memory, before it is committed to disk. If the server crashes or loses power in between, the acknowledged data is lost and the file may be corrupted although the client believed the write had succeeded.

sync : slower, because the server commits every write to disk before replying to the client (the default since nfs-utils 1.0.1; exportfs warns when neither is given).

no_wdelay : only meaningful with sync. Normally the server delays committing a write a little in case related writes follow, so that it can commit them together; no_wdelay disables that, which helps when many small unrelated writes arrive.

nohide : if another filesystem is mounted inside an exported directory, clients normally see an empty directory there unless they mount it separately; with nohide the server makes that nested filesystem visible through the parent export.

no_subtree_check : when a subdirectory of a filesystem (not the whole filesystem) is exported, the server normally checks on every request that the file really lies inside the exported subtree; this option disables the check. It is faster and behaves better with renamed files, but it weakens the restriction to the subtree, so prefer exporting whole filesystems.

insecure_locks / no_auth_nlm : lock requests are accepted without authenticating the client, for old NLM clients that cannot authenticate; the directory's security is weakened by it.
no_acl : the server does not reveal or enforce ACLs on the exported files (ordinary permissions still apply).
mountpoint=path : the directory is exported only if it is a mount point, so that a missing mount does not silently export the empty directory underneath.

User id mapping :

a) root_squash : requests from the client's root are mapped to the anonymous user (nfsnobody); root on a client does not get root rights on the server. This is the default, keep it.
b) no_root_squash : root on the client has full root access to the export; any machine allowed to mount it can then read and change every file, so use it only for trusted diskless clients.
c) all_squash : every user is mapped to the anonymous user.
d) anonuid and anongid : the uid and gid used for the anonymous user.
e) insecure : also accept requests from ports above 1024. By default the server trusts only privileged source ports, which on a Unix client means root made the mount; with insecure any user on the client can talk to the server directly with a client of his own.
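An audit of /etc/exports for the hazards listed above, as an added example that is not part of the original notes. It reads export lines and reports the "* (rw)" spacing mistake (the options bind to an empty, all-hosts client), exports to every host, no_root_squash and insecure. The exports text below is a constructed sample; run the function on /etc/exports to check a real server.

```shell
#!/bin/sh
# Added example (not from the original notes): flag risky lines in /etc/exports.
# The exports text is a constructed sample.
SAMPLE_EXPORTS='/dbc * (rw,async)
/home 192.168.0.0/24(rw,sync,no_root_squash)
/pub *(ro,sync)
/srv/app 192.168.0.10(rw,sync,insecure)
/srv/safe 192.168.0.0/24(rw,sync,root_squash)'

# Print "path client: reason" for every risky export; the exit status is the count.
audit_exports() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                spec = $i
                # "(rw)" standing alone means there was a space after the host
                if (spec ~ /^\(/) {
                    print path " " $(i-1) ": space before the options, they bind to an empty (all-hosts) client"
                    n++; continue
                }
                client = spec; opts = ""
                if (split(spec, p, "(") == 2) { client = p[1]; opts = p[2]; sub(/\)$/, "", opts) }
                if (client == "*") { print path " " client ": exported to every host"; n++ }
                if (opts ~ /(^|,)no_root_squash(,|$)/) { print path " " client ": no_root_squash, client root is server root"; n++ }
                if (opts ~ /(^|,)insecure(,|$)/) { print path " " client ": insecure, accepts requests from unprivileged ports"; n++ }
            }
        }
        END { exit n }'
}

echo "$SAMPLE_EXPORTS" | audit_exports
```

On the sample this prints five findings (two for the /dbc line, one each for /home, /pub and /srv/app) and exits with status 5; the /srv/safe line passes. Usage on a server: `audit_exports < /etc/exports`.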

If you want a persistent mounting then edit /etc/fstab and make changes as

(ip address of server):/directory_name /path_where_to_mount_directory nfs defaults 0 0

save and exit

This is useful when the server holds the users' home directories: give the above line in every client's /etc/fstab and every user gets his home directory after login.

To start the service at every boot give command :

# chkconfig nfs on

Friday, November 12, 2010

Squid Proxy

Squid Proxy

Squid is a caching web proxy: clients send their HTTP requests to it instead of to the Internet, it fetches the pages and keeps a copy, so repeated requests are answered from the cache and browsing speeds up a little. It also gives one point at which to control and log who may reach which sites.
Internet data : internet data is of 2 types-
a) Static data : does not change, e.g. documents, images.
b) Dynamic data : changes as time passes, e.g. advertisements, pages generated per user.

                         Static data can be cached and served to clients from the proxy; dynamic data cannot be cached and is fetched from the Internet every time. Squid can also be used the other way round, as a reverse proxy (accelerator) in front of your own web server: clients from outside reach Squid, which serves cached copies and passes only the rest to the main server, so there is less load on the main server.

Check whether the package is installed or not : # rpm -qa | grep squid

If the package is installed on your system then...

Edit the '/etc/squid/squid.conf' file
                                 Contents of squid.conf
a) #http_port 3128
the default port for squid is 3128; if you want to change it, remove the comment and edit the number.

b) cache_dir ufs /var/spool/squid 100 16 256
this directory holds the cached data. [ufs = storage format, 100 = cache size, 100 MB by default,
16 = number of first-level directories to be created,
256 = number of second-level subdirectories under each of them]

Exit from vi

The directories where Squid stores cached data are called 'swap directories'.
To create the swap directories give command-

# squid -z ( if it fails with "Could not determine fully qualified hostname" follow the next step)

Edit squid.conf again and set the host name Squid uses for itself: below the "# Default: none" comment of the visible_hostname option add
visible_hostname (your host name)
save and exit

# squid -z
# service squid start
# chkconfig squid on (to start the service after every reboot)

Goto mozilla
edit tab → preferences → Advanced → proxies
Give Ip address of proxy server
e.g. 172.16.0.1 port 3128

if you are using Internet Explorer then make same changes in
tools tab → internet options

In Squid by default everything is denied (the last rule in squid.conf is http_access deny all).
To block or allow machines by IP address we write ACLs (Access Control Lists) and use them in http_access rules.

An ACL is written as :
acl   (list name) acl-type   value
e.g. if you want to allow http access to the machines of the "intranet" range, write the following lines in squid.conf below the... #INSERT YOUR OWN RULES HERE line

acl intranet src 192.168.100.10-192.168.100.100
http_access allow intranet

save and exit

# service squid restart

then go to a client machine, start Mozilla and open any site. If your machine has an internet connection you will get that site.
Remember that http_access lines are checked from top to bottom and the first match wins: insert your specific "deny" rules before the "allow" rules, keep the final "http_access deny all" last, and put nothing after it.

To Allow or Block Sites :


/etc/squid/squid.conf

acl intranet src 172.16.0.10-172.16.0.20
acl yahoo dstdomain .yahoo.com
http_access deny intranet yahoo
(the leading dot matches the domain and all its subdomains; a rule with two ACL names matches only when both match, i.e. an intranet client asking for a yahoo host, and it must come before the line that allows intranet)


save and Exit

As we know there are very few sites which we want to allow compared with the sites to be denied, so the list of allowed sites can be kept in a file, e.g. a file named 'goodsites'
e.g. # vim /goodsites
list the allowed sites in that file, one per line, each with a leading dot so that subdomains match too, i.e.

.yahoo.com
.rediffmail.com
.google.com


save and exit

Edit squid.conf (the file must be readable by the squid user)

acl intranet src 172.16.0.10-172.16.0.20
acl good dstdomain "/goodsites"
http_access allow intranet good
(an intranet client gets the good sites; the "deny all" that follows catches everything else)


save and exit

# service squid restart

open mozilla and check for those sites.

Time Scheduling :

For time scheduling edit the squid.conf file

acl intranet src 172.16.0.10-172.16.0.20
acl nettime time SMTW 17:00-19:00
acl good dstdomain "/goodsites"
http_access allow nettime good intranet

save and Exit
# service squid restart

it means: on Sunday, Monday, Tuesday and Wednesday (the day letters are S M T W, with H for Thursday, F for Friday and A for Saturday) between 5:00 pm and 7:00 pm the good sites open for the intranet clients and all other sites remain blocked; on Thursday, Friday and Saturday all sites are blocked for the intranet.

Squid caches files automatically. If the cache fills up and the server gets slow, increase the size of the cache directory above 100 MB and restart Squid.
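A check of the http_access ordering that the ACL examples above depend on, as an added example that is not part of the original notes. Squid evaluates http_access lines top to bottom and stops at the first match, so a rule below "http_access deny all" never runs, a misspelled ACL name (like the yahoo rule written before its acl line is added) breaks the configuration, and a file without the final "deny all" leaves port 3128 open to whoever can reach it. The function reads a squid.conf and reports all three; the configuration it reads here is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original notes): verify the order and names of
# the http_access rules in a squid.conf. The configuration is a constructed
# sample with an undefined ACL and a rule placed after "deny all".
SAMPLE_SQUID='http_port 3128
acl intranet src 172.16.0.10-172.16.0.20
acl nettime time SMTW 17:00-19:00
acl good dstdomain "/goodsites"
acl all src all
http_access allow nettime good intranet
http_access deny intranet yahoo
http_access deny all
http_access allow intranet'

# Print problems one per line; the exit status is the number of problems.
check_http_access() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "acl" { defined[$2] = 1 }
        $1 == "http_access" {
            rules++
            if (after_all) { print "rule after the catch-all is unreachable: " $0; n++ }
            # every name on the line must be an acl defined above it ("all" is built in)
            for (i = 3; i <= NF; i++) {
                name = $i; sub(/^!/, "", name)
                if (name != "all" && !(name in defined)) { print "undefined acl " name " in: " $0; n++ }
            }
            if ($2 == "deny" && NF == 3 && $3 == "all") after_all = 1
        }
        END {
            if (!rules) { print "no http_access rules, the built-in default applies"; n++ }
            else if (!after_all) { print "no final \"http_access deny all\""; n++ }
            exit n
        }'
}

echo "$SAMPLE_SQUID" | check_http_access
```

On the sample it reports the undefined "yahoo" and the unreachable last rule and exits with status 2. Usage on a server: `check_http_access < /etc/squid/squid.conf`; "squid -k parse" then confirms the syntax, but it does not warn about unreachable rules.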

Wednesday, October 27, 2010

Server Configuration in Linux

 DHCP [Dynamic Host Configuration Protocol]:

To check whether the package is installed or not :

# rpm -qa | grep dhcp

if the package is installed on your machine it will display the list. If not, install it from the CD or DVD as mentioned in the FTP section.

Search for the file "dhcpd.conf.sample"
this file is at the '/usr/share/doc/dhcp-*/' location. Copy it to /etc/ under the name 'dhcpd.conf', i.e.
# cp /usr/share/doc/dhcp-*/dhcpd.conf.sample /etc/dhcpd.conf

go to /etc/ and check it.

Edit that file
# vim /etc/dhcpd.conf
The contents of that file are-

1) ddns-update-style interim;
how the DHCP server talks to the DNS server to register client names (interim is the style still in use; "none" if you do not update DNS).
2) ignore client-updates;
if a client tries to update its own DNS record, the server ignores the request and does the update itself.
3) range dynamic-bootp (first address) (last address);
the pool of addresses to hand out, inside the subnet block,
    e.g.   range dynamic-bootp 172.16.0.50 172.16.0.100;
(dynamic-bootp also lets old BOOTP clients take addresses from the pool; leave the word out for plain DHCP)


The default-lease-time, 21600 seconds (6 hours), is how long a client keeps an address when it does not ask for a particular time; max-lease-time, 43200 seconds (12 hours), is the most a client may ask for. A client tries to renew its lease with the same server when 50% of the lease time has passed and, if that fails, asks any server after 87.5%; if neither succeeds the lease expires at 100%, the client must stop using the address and the server may give it to someone else.

# service dhcpd start

if you get a [Failed] message, dhcpd found no interface with an address inside one of the subnets declared in dhcpd.conf: set the server's own IP address in the same subnet as the range (/var/log/messages gives the exact reason), then

# service network restart
# service dhcpd start


you will get the [OK] message

To give a client a fixed IP address, i.e. a reservation:

get the MAC address of the client (ifconfig on the client shows it as HWaddr).

Edit the dhcpd.conf file and add a host block (inside or outside the subnet block) with these two options

host (client name) {
   hardware ethernet (client's MAC address);
   fixed-address (client's IP address);
}

# service dhcpd restart

A reservation trusts the MAC address, which any client can change, so it is a convenience, not access control.

If you want to see which IP addresses the DHCP server has assigned to the various machines, look at the
'/var/lib/dhcp/dhcpd.leases' file (do not edit it; the server rewrites it)
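A reader for that leases file, as an added example that is not part of the original notes. dhcpd appends a new block to dhcpd.leases on every renewal, so one address appears many times and only the last block for it is current. The function reduces the file to one line per address (IP, MAC, binding state, end time) and keeps the active leases, which is what you need to see who holds which address or to notice an address that moved to an unexpected MAC. The lease text below is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original notes): summarize dhcpd.leases, last
# block per address wins. The lease text is a constructed sample in which
# 172.16.0.50 was renewed by a different MAC.
SAMPLE_LEASES='lease 172.16.0.50 {
  starts 4 2010/10/27 09:00:00;
  ends 4 2010/10/27 15:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "pc1";
}
lease 172.16.0.51 {
  starts 4 2010/10/27 09:05:00;
  ends 4 2010/10/27 15:05:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 172.16.0.50 {
  starts 4 2010/10/27 12:00:00;
  ends 4 2010/10/27 18:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
  client-hostname "pc1";
}'

# Print "ip mac state ends" for the latest block of every address,
# in the order the latest blocks appear in the file.
lease_summary() {
    awk '
        $1 == "lease"    { ip = $2; mac[ip] = "-"; state[ip] = "?"; ends[ip] = "-"; seen[ip] = ++order }
        $1 == "hardware" { sub(/;$/, "", $3); mac[ip] = $3 }
        $1 == "binding"  { sub(/;$/, "", $3); state[ip] = $3 }
        $1 == "ends"     { if ($2 ~ /^never/) ends[ip] = "never"
                           else { sub(/;$/, "", $4); ends[ip] = $3 " " $4 } }
        END { for (ip in seen) print seen[ip], ip, mac[ip], state[ip], ends[ip] }' \
    | sort -n | cut -d" " -f2-
}

# Only the addresses whose latest state is active.
active_leases() { lease_summary | awk '$3 == "active"'; }

echo "$SAMPLE_LEASES" | active_leases
```

On the sample this prints one line, 172.16.0.50 held by 00:11:22:33:44:77 until 18:00, since the 09:00 block was superseded and .51 is free. Usage on the server: `active_leases < /var/lib/dhcp/dhcpd.leases`.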





Sunday, October 17, 2010

LINUX   Installation Requirements
For installation of Linux we need to create a minimum of 3 partitions :-
 1) /boot – 100 MB approx.
 2) /   - 5 GB minimum (for a full installation).
 3) swap – double the RAM (the swap partition, i.e. virtual memory; it has no mount point)
Difference Between Windows and Linux :-
Windows                                             Linux
1) Not case sensitive.                              1) Case sensitive.
2) Drive letters identify partitions.               2) No drive letters; partitions are identified by the
                                                       names of their mount points, e.g. /, /boot.
3) Hidden files carry the special attribute -h.     3) Any file name starting with a dot (.) is hidden.

and there are many more…

Commands :
1)      pwd : print working directory.
2)      whoami : gives the login user name.
3)      ls : lists files, similar to the dir command in Windows.
4)      man : manual pages ( gives help on a command ) e.g.  $ man ls
5)      cd : change directory
6)      mkdir : create a new directory.
7)      touch : creates an empty file with the given name (or updates the timestamp of an existing one).
8)      cat : displays the contents of a file.
9)      cp   : copy a file from source to destination
10)  rm : delete files and directories
11)  mv  : move or rename files or directories.

VI Editor Basics:


To create a file the vi editor is used. The command to create the 'sample' file is:
$vim sample


When vi starts it is in command mode, where keystrokes are commands, not text. Press 'i' or the 'Insert' key to enter insert mode and type.


commands:

1) esc key: To come out of any mode.


2) :wq - to save file and exit


3) :w - to save file


4) :q - to exit from vi editor without saving


5) :q! - forcefully exit without saving


Screens:   Besides the GUI, Linux gives 6 virtual consoles for the command line, switched with the key combinations below.


a) ctrl + Alt + F1  :- First screen
b) ctrl + Alt + F2  :- Second screen
c) ctrl + Alt + F3   :- Third screen 
d) ctrl + Alt + F4   :- Fourth screen
e) ctrl + Alt + F5   :- Fifth screen
f) ctrl + Alt + F6    :- Sixth screen
The 7th screen is GUI screen i.e. ctrl + Alt + F7 



How to store XP's Boot Loader in MBR using CD:

1) Boot your system using XP's bootable CD.

2) Choose recovery console by pressing 'r' option when asked.

3) Give the number of your XP installation when asked, then the administrator password; the prompt shows the installation folder

e.g. C:\WINDOWS> (Press Enter after each command below)

4) Type 'fixmbr' (Press Enter)

5) Type 'fixboot' (Press Enter)

6) Type 'yes' (Press Enter)

7) Type 'exit (Press Enter)

8) Then Restart your system

the XP's Boot loader gets installed.



Creating a CHAIN LOADER:

How to install the Linux boot loader again:

If you install XP over Linux (dual boot), the Linux boot loader gets corrupted.
To install the Linux boot loader again without disturbing XP we create a
chain loader entry in XP's boot menu. For that:

1) Insert the Linux bootable CD or DVD.

2) Type 'linux rescue' (Press Enter)

3) Type 'chroot /mnt/sysimage'

4) Then check the partitions by giving the command 'fdisk -l'

5) Then copy the Linux GRUB loader to the first sector of the Linux partition instead
of the MBR. For that give the command:
# grub-install /dev/hda2        (Press Enter)   (here /dev/hda2 is your Linux partition as shown by 'fdisk -l')

6) Then copy the boot loader image (the first 512-byte sector of that partition) into a file, say 'bootsect.lnx'. For that:
# dd if=/dev/hda2 of=bootsect.lnx bs=512 count=1    (Press Enter)

    (here dd = disk duplicator, if = input file, of = output file,
      bs = block size in bytes, count = number of blocks to copy)

7) Then mount XP's partition on a test directory. For that:
# mkdir /test                                   (Press Enter)
# mount -t auto /dev/hda1 /test                 (Press Enter)
   (here /dev/hda1 is your XP partition as shown by 'fdisk -l')

8) Then see the contents of /test:
# cd /test
# ls

9) Then copy the 'bootsect.lnx' file into the /test directory, i.e.
# cp /bootsect.lnx bootsect.lnx    (Press Enter)

10) Edit XP's boot.ini file and add a line, i.e.
# vi boot.ini

Press the 'Insert' key and add the following line at the end of the file:
C:\bootsect.lnx="RedHat Linux EL"

Save the file using the 'Esc' key and ':wq'

11) Unmount that volume using:
# umount /test

Restart your system. You will get the chain loader entry in XP's boot menu.
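A boot menu entry that points at a bad bootsect.lnx simply hangs, so it is worth checking the 512-byte image from step 6 before copying it into the XP partition. The following is an added example, not code from the original post: the function names are my own, and the sample image is constructed to stand in for the real dd output.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a boot sector image
# such as bootsect.lnx from step 6 before copying it into XP's partition.
# A valid boot sector is exactly 512 bytes and ends with the bytes 0x55 0xAA.
check_bootsect() {
    f="$1"
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -ne 512 ]; then
        echo "$f: expected 512 bytes, got $size" >&2
        return 1
    fi
    # last two bytes as lowercase hex, e.g. "55aa"
    sig=$(tail -c 2 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$sig" != "55aa" ]; then
        echo "$f: bad boot signature '$sig' (expected 55aa)" >&2
        return 1
    fi
    echo "$f: valid boot sector signature"
    return 0
}

# Constructed sample (not a real partition): 510 zero bytes plus the signature,
# standing in for the output of 'dd if=/dev/hda2 of=bootsect.lnx bs=512 count=1'.
make_sample_bootsect() {
    dd if=/dev/zero bs=1 count=510 of="$1" 2>/dev/null
    printf '\125\252' >> "$1"
}

# Demo: check a constructed good image and a constructed bad (all-zero) image.
good=$(mktemp); bad=$(mktemp)
make_sample_bootsect "$good"
dd if=/dev/zero bs=1 count=512 of="$bad" 2>/dev/null
check_bootsect "$good"
check_bootsect "$bad" || echo "rejected as expected"
rm -f "$good" "$bad"
```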




Partition Management in Linux:

To create new partitions or to edit, modify, delete or otherwise manage partitions there is a command in Linux:
'fdisk'

To check the existing partition table give the command:
# fdisk -l

For more options of fdisk give the 'man fdisk' command.

We can easily manage our partitions using these options. To enter the fdisk utility give the command:
# fdisk /dev/

After creating partitions we need to format them. For this the 'mke2fs' command is there. This command formats the partition with the ext2 file system by default.

# mke2fs -j /dev/
Here the -j option is used to format the partition with the ext3 file system (ext2 plus a journal).

Mounting the new partition is not permanent. The mount is lost after a logoff or a restart of the system.

To make the change permanent (static) we need to make an entry for that partition in the '/etc/fstab' file.
Only then does the mount remain permanent.
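The fstab entry is what makes the mount survive a reboot, and a duplicate device or mount point in that file is a common way to end up with a system that will not boot cleanly. The following is an added example, not code from the original post: the function names are my own, the sample fstab and device names are constructed, and the file is passed in so it can be tried on a scratch copy.

```shell
#!/bin/sh
# Added example (not from the original post): add a permanent mount entry to an
# fstab-style file, refusing duplicate devices or mount points. The file is a
# parameter so it can be tried on a scratch copy instead of the real /etc/fstab.
add_fstab_entry() {
    fstab="$1"; dev="$2"; mnt="$3"; fstype="$4"
    # refuse if the device or the mount point is already listed (comments ignored)
    if grep -v '^#' "$fstab" | awk -v d="$dev" -v m="$mnt" \
        '$1 == d || $2 == m { found = 1 } END { exit !found }'; then
        echo "entry for $dev or $mnt already present in $fstab" >&2
        return 1
    fi
    # fields: device  mount-point  fs-type  options  dump  fsck-pass
    # (fsck pass 2 = check after the root file system, which uses pass 1)
    printf '%s\t%s\t%s\tdefaults\t1\t2\n' "$dev" "$mnt" "$fstype" >> "$fstab"
}

# Count the real (non-comment, non-blank) mount entries in an fstab-style file.
fstab_entries() {
    awk '!/^#/ && NF { n++ } END { print n + 0 }' "$1"
}

# Demo on a constructed scratch fstab (device names are made up).
scratch=$(mktemp)
printf '# constructed sample fstab\n/dev/hda1\t/\text3\tdefaults\t1\t1\n' > "$scratch"
add_fstab_entry "$scratch" /dev/hda3 /data ext3
add_fstab_entry "$scratch" /dev/hda3 /data ext3 || echo "duplicate refused as expected"
echo "entries now: $(fstab_entries "$scratch")"
cat "$scratch"
rm -f "$scratch"
```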


Run Levels :

The run levels are managed by the '/etc/inittab' file.
Run levels 0 to 6 are listed in this file, of which run level 4 is unused.

0 - halt (Do NOT set initdefault to this, otherwise the system will not start.)
1 - Single user mode
2 - Multiuser, without NFS (The same as 3, if you do not have networking)
3 - Full multiuser mode
4 - unused
5 - X11
6 - reboot (Do NOT set initdefault to this)

You can set your desired run level as the default using this file (the 'initdefault' line).



User Management in Linux

For managing users in Linux there are various commands; we will see them:

1) useradd: This command is used to create new users.
You can see the help of this command by typing 'man useradd'. Some important parameters are:
a) -c : comment: description of the user, e.g. manager, sales representative etc.
b) -d : home directory: assigns the specified directory as the home directory of the user
e.g. -d /sales/pranay
c) -e : expiration date: the user account expires (is disabled) on the date specified. Format: yyyy-mm-dd
d) -f : inactive days: number of days after the password expires during which the user can still log in, before the account is disabled.
e) -g : (GID or group name): this is the primary group of the user.
f) -G : group name: secondary group membership.
g) -m : this switch creates the home directory for the user if it is not present. It also copies the contents of the /etc/skel directory into the newly created home directory.
h) -M : no user home directory is created.
i) -n : no group is created with the name of the user.
j) -o : allows creating a user with a duplicate (non-unique) UID.
The system considers such users as a single user, but they can log in using different user names.
k) -p : accepts the password in encrypted form.
For this first give the command 'crypt' and then use its output with the -p option.
l) -r : allows a UID less than 500.
This option is used with the -u option. Users having a UID less than 500 are treated as system users.
m) -s : shell: sets the user's login shell
e.g. -s /bin/bash
n) -u : UID: gives the user a specific UID.
To give UID 400 give the command: # useradd -r -u 400

E.g.:
1) to add a new user having the same group id (member of the same group):
# useradd -n -g 502
2) to set the login shell of a user:
# useradd -s /bin/csh

If you want multiple users with the same settings give the commands:
first create one home directory: # mkdir /home/home_dir
then,

# useradd -D -g 502 -b /home/home_dir -e 2010-11-11 -f 3 -s /bin/ksh
# useradd -n user1
# useradd -n user2
# useradd -n user3
.
.
.
and so on...
Now these users have the same group id (502), the same base home directory (/home/home_dir), the same expiration date [11 Nov 2010], the same default inactive days after expiry (3 days) and the same login shell (/bin/ksh).

3) to create groups with the same GID: # groupadd -g 400 group1
                                       # groupadd -o -g 400 group2
(see 'man groupadd')
to delete a group: # groupdel
to delete a user : # userdel



usermod Command:

Used to modify user settings. See 'man usermod'.
E.g. 1) To change the UID of an existing user: # usermod -u 515

2) To change the login name of an existing user: # usermod -l

We see the PRIMARY GROUP membership in the /etc/passwd file and SECONDARY GROUP membership in the /etc/group file. To add a secondary group give the command
# usermod -G 502
After that the user becomes a member of the group having GID 502. It will be displayed in the /etc/group file.

chmod Command:

Create a directory '/temp' and check its permissions with
# ls -all

then remove the permissions of other users with
# chmod o-rx /temp

then log in as another user and try to go into that directory with # cd /temp
It will not go in (permission denied).

Using numbers: r=4
w=2
x=1
i.e. rwx=7, rx=5, rw=6

# chmod 755 /temp
sets the permissions on the /temp directory to
owner (u) = rwx (7)
group (g) = rx (5)
others (o) = rx (5)

chgrp command:

# chgrp 301 /temp
or # chgrp /temp
This command is used to change the group of a particular directory (the group can be given by GID or by name).

Sticky Bit:
If all users have rwx rights on a directory then anyone can delete or modify other users' files and folders in it. For that the 'sticky bit' is used. With it set, only the owner of a file can delete or modify that file.
To add = +t
To remove = -t
e.g. # chmod +t /temp

  
Commands related to Networking:

  1. netconfig : command used to set the ip address of a machine.
  2. setup : command used to set the ip address of a machine.
  3. ifconfig : command to check the ip address.
  4. service network restart : to restart the network service.
  5. ping : it will ping continuously if the network is ok.
     To stop press 'ctrl + c' or 'ctrl + z'


Telnet [ Terminal Network ]

It is used to work on a particular machine remotely. By default telnet is disabled for security reasons. Network services of this kind are managed by the 'xinetd' daemon; its per-service configuration directory 'xinetd.d' is located in the /etc folder. In that folder there is a file 'telnet'. Open the '/etc/xinetd.d/telnet' file and change the line to...
disable = no
then save and exit vi. Restart the service, i.e.
# service xinetd restart
now check: # telnet
Telnet does not allow the root user to log in (for security). We can log in as an ordinary user and then switch to the root account using the 'su' command.



Rlogin:

There is a file '/etc/xinetd.d/rlogin'. Edit it and change the line to...
disable = no
save and exit from the vi editor. Restart the xinetd service:
# service xinetd restart
# rlogin ip_address_of_machine

You will be logged in. If you want to switch to the root user you can do it with
# su

For further help try
# man rlogin

If there is a user 'aaa' on the server and a user 'bbb' on the workstation and you want to log in to the server, then simply log in to the workstation as user 'bbb' and give the command

# rlogin server's_ip_address -l aaa

You will get logged in as 'aaa'.



FTP [ File Transfer Protocol ]:

FTP is used to send or receive files between machines. The name of the FTP server in Linux is VSFTP, i.e. Very Secure FTP (the daemon is 'vsftpd').

Check whether the package is installed on your system. For that:
# rpm -qa | grep vsftpd
here q - query packages installed on the system
a - all packages
It lists all the installed packages, and grep filters for vsftpd.

If the vsftpd package is not installed on the system, then insert CD-1 or the DVD of the OS and install the RPM by giving the command:
# rpm -ivh vsftpd-     (press Tab to complete the package file name)

After successful installation a vsftpd directory gets created under the /etc directory and two files get created in that folder. This indicates that ftp is installed. You need to copy the data which you want to share via ftp into the '/var/ftp/pub' directory.

Contents of the '/etc/vsftpd/vsftpd.conf' file (lines beginning with '#' are commented out, i.e. not in effect):

1) anonymous_enable = yes
Here anonymous stands for all users. Log in using the 'anonymous' user name and a blank password. If you don't want to allow anonymous logins set this option to 'no'.
2) local_enable = yes
If it is 'yes' then local users can also log in using ftp.
3) write_enable = yes
If you want uploading allowed then make it 'yes'.
4) local_umask = 022
The bits given in the umask are removed from the default permissions (777).
5) #anon_upload_enable = yes
By default only local users have permission to upload files to the server. If you want to allow it for the anonymous user make it 'yes' (and uncomment the line).
6) #anon_mkdir_write_enable = yes
The anonymous user does not have permission to create directories on the server. If you want to allow that, make the change here.
7) dirmessage_enable = yes
Create a '.message' file in every sub-directory of the /var/ftp directory. Write a message in the '.message' file describing what is in that directory,
e.g. "this directory contains display drivers" etc.
8) xferlog_enable = yes
It keeps a record in a log file of who uploaded data to ftp and who downloaded data.
9) connect_from_port_20 = yes
FTP uses TCP ports 20 and 21. One is used for communication (control, between client and server) and the other for the actual data transfer. Only one port is kept enabled at a time for convenience.
10) chown_uploads = yes
It is used to change the ownership of uploaded files.
11) chown_username = whoever
Give the user name that should own the uploaded files.
12) xferlog_file = /var/log/vsftpd.log
The log record is kept in this file. To change the location of that file this option is used.
13) xferlog_std_format = yes
To store the log in the standard format.
14) idle_session_timeout = 600 (seconds)
If the user using ftp is idle for 600 seconds the session gets terminated.
15) data_connection_timeout = 120 (seconds)
If there is no data transfer for 120 seconds the connection gets closed.
16) #nopriv_user = ftpsecure
At first ftp connects using the root user name, but later it switches to the 'ftpsecure' user. It is used for security purposes.
17) #async_abor_enable = yes
While downloading, if the connection is lost the download starts from the beginning again. To avoid that use this option; it resumes from where it was disconnected.
18) ascii_upload_enable = yes
By default it uses binary upload and download. You can make it ASCII using this option.
19) ascii_download_enable = yes
Try to avoid it because it uses more memory and is slower.
20) ftp_banner = welcome to blah ftp server
A banner gets displayed at login time.
21) deny_email_enable = yes
Used to ban particular e-mail addresses.
22) #banned_email_file = /etc/vsftpd.banned_emails
The e-mail ids which are banned are stored in this file.
23) chroot_list_enable = yes
Used to change the root directory (i.e. the starting point, the user's home directory) of the user.
24) chroot_list_file = /etc/vsftpd.chroot_list
This file lists the users who are to be chrooted.
25) #ls_recurse_enable = yes
Controls whether the recursive 'ls -R' command is allowed (commented out here, so it stays disabled).
26) pam_service_name = vsftpd
PAM is nothing but the Pluggable Authentication Module.
27) userlist_enable = yes
Enter the user names whom you want to allow or deny ftp in the '/etc/vsftpd.user' file.
28) listen = yes
It decides whether to accept packets on the network card/port (standalone mode).
29) tcp_wrappers = yes
Enables TCP wrappers support for the ftp service (the transport-layer protocol is TCP).
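Several of the options above only become risky in combination (anonymous_enable with write_enable and anon_upload_enable, for instance), and a commented-out line is not in effect, so reading the file by eye is error-prone. The following is an added example, not code from the original post or from the vsftpd project: the function names are my own, and the sample config is constructed from the options listed above.

```shell
#!/bin/sh
# Added example (not from the original post): a read-only audit of a vsftpd.conf
# for the risky combinations described above. Lines starting with '#' are
# ignored, as vsftpd ignores them, so '#anon_upload_enable=YES' counts as off.
# The file is a parameter; try it on a copy rather than the live config.
vsftpd_get() {
    # print the (uppercased) value of option $2 in file $1, "" if unset/commented
    awk -F= -v k="$2" '!/^[ \t]*#/ {
            gsub(/[ \t]/, "", $1)
            if ($1 == k) { gsub(/[ \t]/, "", $2); print toupper($2) }
        }' "$1" | tail -n 1
}

# Prints one line per finding and returns the number of findings.
audit_vsftpd() {
    conf="$1"; findings=0
    anon=$(vsftpd_get "$conf" anonymous_enable)
    write=$(vsftpd_get "$conf" write_enable)
    anon_up=$(vsftpd_get "$conf" anon_upload_enable)
    anon_mk=$(vsftpd_get "$conf" anon_mkdir_write_enable)
    xfer=$(vsftpd_get "$conf" xferlog_enable)
    if [ "$anon" = "YES" ] && [ "$write" = "YES" ] && [ "$anon_up" = "YES" ]; then
        echo "RISK: anonymous users can upload files"; findings=$((findings + 1))
    fi
    if [ "$anon" = "YES" ] && [ "$write" = "YES" ] && [ "$anon_mk" = "YES" ]; then
        echo "RISK: anonymous users can create directories"; findings=$((findings + 1))
    fi
    if [ "$xfer" != "YES" ]; then
        echo "RISK: transfer logging (xferlog_enable) is off"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on a constructed config (not a real server's); anon_upload_enable is
# commented out, so only the mkdir line is flagged.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
#anon_upload_enable=YES
anon_mkdir_write_enable = yes
xferlog_enable=YES
EOF
audit_vsftpd "$sample" || echo "findings: $?"
rm -f "$sample"
```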

To start the service:
# service vsftpd start

Then open a terminal and give the command
# ftp

username = anonymous
password = blank (no password)

ftp> ls
You will see the pub directory.
Now to accept a file from the other machine (to download a file):
ftp> get
ftp> bye (to exit ftp)
The file gets downloaded into your last working directory (the directory you ran ftp from).

Now to upload a file to the ftp server...
ftp> put
ftp> bye

By default the anonymous user does not have permission to upload files. You can grant it using the vsftpd.conf file.