Thursday, December 9, 2010

Firewall in LINUX


A firewall is the security gate to our network: it decides who is given access to our data and who is restricted. The Linux firewall filters packets on the basis of IP address.
There are 2 types of Linux firewall:
1) iptables: the firewall in current use
2) ipchains: used earlier.

There are 3 types of packets:

a) Input packet
b) Output packet
c) Forward (pass-through) packet

 
On the basis of the packets there are 3 types of rules:
a) Input rule
b) Output rule
c) Forward rule

 
iptables contains tables, and every table is a grouping of chains. Every rule has a specific number, and a new rule goes on a new line. We can add, delete and modify the rules.

The iptables command is as follows:
# iptables -t table option pattern -j target
The -t table option tells which table to use.

3 basic tables are available:
1) filter
2) nat
3) mangle

 
The nat table supports network address translation.
The filter table lets you block or allow particular types of network traffic.

Setting up IP masquerading:
it allows you to hide the IP addresses of the computers on your LAN.

Give the command:
# iptables -L

It will show:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


If you want to stop ping to your machine from another computer, add a rule as:
# iptables -A INPUT -s other_machines_IP -p icmp --icmp-type echo-request -j REJECT

here -A = append to the chain
-s = source address
-p = protocol
-j = action (target) to be taken

Now give the command # iptables -L again;
you can see your settings in tabular form.

To make the first rule DROP instead of REJECT, replace rule number 1:

# iptables -R INPUT 1 -s other_machines_IP -p icmp --icmp-type echo-request -j DROP

# iptables -L
shows the change that was made.

To delete a rule:

# iptables -D (chain_name) (rule_number)
e.g. # iptables -D INPUT 1

To delete all rules in a chain:

# iptables -F (chain_name)

If you want to receive ping from only the 172.16.0.240 machine and no other, write the rule as:
# iptables -A INPUT -s ! 172.16.0.240 -p icmp --icmp-type echo-request -j REJECT
(this is the older negation syntax; newer iptables releases spell it as "! -s 172.16.0.240")

To allow FTP from 172.16.0.241 the rule is:
# iptables -A INPUT -s 172.16.0.241 -p tcp --dport 20 -j ACCEPT

or you can allow port 21 also for FTP. Ports 20 and 21 are used for FTP.

To block 172.16.0.240 from FTP access the rule should be:

# iptables -A INPUT -s 172.16.0.240 -p tcp --dport 20 -j DROP
You can check the changes:
# iptables -L

For FTP, if you block a single port then you can log in using FTP but cannot access files. If you don't want to allow login either, then block both the ports.

If you restart your machine the rules are gone; if you want to save them, give the command:

# service iptables save

The rules get saved in the "/etc/sysconfig/iptables" file.
You can also add or delete rules directly in this file.

To allow proxy access from 172.16.0.240 write the rule as:
# iptables -A INPUT -s 172.16.0.240 -p tcp --dport 3128 -j ACCEPT

and to block it from 172.16.0.241:
# iptables -A INPUT -s 172.16.0.241 -p tcp --dport 3128 -j DROP
# iptables -L



To replace a rule:

# iptables -R (chain_name) (rule_number) (new_rule)
e.g. to replace rule no. 6 and allow squid from 172.16.0.241 we can write:

# iptables -R INPUT 6 -s 172.16.0.241 -p tcp --dport 3128 -j ACCEPT

# iptables -L
 
To stop the iptables service:

# service iptables stop
To start the service:

# service iptables start

To make a new table:
we cannot create new tables. By default there are 3 tables: filter, nat & mangle.

To create a new chain:
iptables -N (new_chain_name)
# iptables -N FTP1

1) Allow FTP from 172.16.0.241
# iptables -A FTP1 -s 172.16.0.241 -p tcp --dport 20 -j ACCEPT

2) To deny FTP from 172.16.0.240
# iptables -A FTP1 -s 172.16.0.240 -p tcp --dport 20 -j DROP
# iptables -A FTP1 -s 172.16.0.240 -p tcp --dport 21 -j DROP
# iptables -L
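As an added example (not from these notes), here is the whole policy above as one shell script: the ICMP, FTP and squid rules, the custom FTP1 chain, a default-deny INPUT policy, and the jump from INPUT that a user-defined chain needs before any packet reaches it. Run it as root with the argument apply, or with preview to print the commands instead (IPT=echo); the host addresses are the ones used in the notes.

```shell
#!/bin/sh
# Added example: the notes' ICMP/FTP/squid policy as one idempotent script.
# IPT=echo makes every call print instead of run, which is how you preview it.
IPT="${IPT:-iptables}"
PING_OK=172.16.0.240    # only host allowed to send echo-request to us
FTP_OK=172.16.0.241     # host allowed FTP control (21) and data (20)
FTP_DENY=172.16.0.240   # host explicitly dropped from FTP
SQUID_OK=172.16.0.240   # host allowed to reach the squid proxy on 3128

ipt() { "$IPT" "$@"; }

apply_rules() {
    # clean slate: flush INPUT, create FTP1 (or flush it if it already exists)
    ipt -F INPUT
    ipt -N FTP1 2>/dev/null || ipt -F FTP1
    # default deny, then re-admit loopback and replies to our own connections
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ping: PING_OK is accepted, every other echo-request is rejected
    ipt -A INPUT -s "$PING_OK" -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT ! -s "$PING_OK" -p icmp --icmp-type echo-request -j REJECT
    # FTP decisions live in the custom chain, ports 20 and 21 as in the notes
    for port in 20 21; do
        ipt -A FTP1 -s "$FTP_OK" -p tcp --dport "$port" -j ACCEPT
        ipt -A FTP1 -s "$FTP_DENY" -p tcp --dport "$port" -j DROP
    done
    # without this jump from INPUT nothing ever reaches FTP1
    ipt -A INPUT -p tcp -m multiport --dports 20,21 -j FTP1
    # squid on 3128 only from SQUID_OK; everything else hits the DROP policy
    ipt -A INPUT -s "$SQUID_OK" -p tcp --dport 3128 -j ACCEPT
}

# number of -A rules the policy installs, for comparison with iptables -L
rule_count() { (IPT=echo; apply_rules) | grep -c -- '^-A '; }

case "${1:-}" in
    apply)   apply_rules && ipt -L -n --line-numbers ;;   # run as root
    preview) IPT=echo; apply_rules ;;
esac
```

After apply, save the result with # service iptables save as described above so it survives a reboot.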

Thursday, December 2, 2010

Apache Web Server


This server was earlier released under the name 'httpd'. When it was made free, various people added patches to it, hence it was called 'A Patchy Server', which later became the Apache web server. The name of the service remained the same, i.e. 'httpd'.

First check that the package is installed on your system; for that:

# rpm -qa | grep httpd

If the package is on your system then check for the file '/etc/httpd/conf/httpd.conf'.
Edit that file:
# vim /etc/httpd/conf/httpd.conf

This file is divided into 3 sections:
                             Section I

1) ServerTokens OS
With this value the server reveals information about the OS in the responses it sends.
2) ServerRoot "/etc/httpd"
This directory contains the server's configuration files and log files.
3) ScoreBoardFile run/httpd.scoreboard
When the httpd service is started, various processes get started and their status is kept in memory. Enabling this option writes that status (the scoreboard) to a file on disk.
4) PidFile run/httpd.pid
The process ids of the processes started by the httpd daemon are stored in this file.
5) Timeout 300
If a request from the client does not arrive within 300 seconds then the connection times out.
6) KeepAlive Off
If this option is off then the client can send only one request per connection. If it is On then it can send multiple requests.
7) MaxKeepAliveRequests 100
It decides how many requests can be sent over one connection.
8) KeepAliveTimeout 15
If one connection carries 100 requests then each request can stay alive for 15 seconds without sending information. That means one connection can remain alive for 15 * 100 = 1500 seconds.
9) StartServers 8
8 server processes are started at a time.
10) MinSpareServers 5
5 spare server processes are kept available.
11) MaxSpareServers 20
12) MaxClients 150
One server can handle up to 150 clients.
13) MaxRequestsPerChild 1000
Every server process can handle 1000 requests.
14) StartServers 2
15) MaxClients 150
16) MinSpareThreads 25
17) MaxSpareThreads 75
18) ThreadsPerChild 25
19) MaxRequestsPerChild 0
20) Listen 0.0.0.0:80

If the machine has 3 server addresses and this option is 0.0.0.0 then the service listens on all 3. If you give a specific IP address here then the service listens only on that address.
21) LoadModule ...
This is the list of the various web server modules (services) that are required.
22) Include conf.d/*.conf
Consider all the parameters in the conf.d directory under ServerRoot (/etc/httpd/conf.d).
23) ExtendedStatus On
If you want to use additional third-party software then turn this option On.

                               Section II
24) User apache
25) Group apache

The server runs its processes under these names (options 24, 25).
26) ServerAdmin root@localhost
You can show the administrator's mail id on the site; if someone has queries he will
contact you.
27) ServerName new.host.name:80
Here give the name of the server. This service works on TCP port 80.
28) UseCanonicalName Off
If this is off, the server will not present itself under a different name.
29) DocumentRoot "/var/www/html"
The web page documents are served from this directory.
30) Options FollowSymLinks
No one can access directories directly; if you want to, go through links.
31) AllowOverride None
No one can change option 30.
32) <Directory "/var/www/html">
The options inside this block secure this directory.
33) Options Indexes FollowSymLinks
       <IfModule mod_proxy.c>

If you uncomment all the statements below this, then the server acts as a proxy server. But it is not secure.
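As an added example (not from these notes or from the Apache project), a shell audit that reads an httpd.conf and flags the settings discussed in Sections I and II that widen exposure: ServerTokens OS/Full, ExtendedStatus On, Options Indexes, and an uncommented ProxyRequests On inside the mod_proxy block. It also writes a hardened copy with each weak value corrected. It works on a constructed sample file; on a real server point it at /etc/httpd/conf/httpd.conf.

```shell
#!/bin/sh
# Added example: flag httpd.conf settings from the notes that widen exposure.
# Prints one "line N: finding" per hit; commented-out lines are ignored.
audit_httpd_conf() {  # $1 = path to httpd.conf
    grep -n -v '^[[:space:]]*#' "$1" | while IFS= read -r entry; do
        set -f                        # no globbing while splitting the line
        num=${entry%%:*}              # line number added by grep -n
        set -- ${entry#*:}            # $1 = directive, $2... = its arguments
        case "$1 $2" in
            "ServerTokens OS"|"ServerTokens Full")
                echo "line $num: ServerTokens $2 reveals OS/version; use ServerTokens Prod" ;;
            "ExtendedStatus On")
                echo "line $num: ExtendedStatus On exposes request detail via mod_status; keep Off unless /server-status is restricted" ;;
            "ProxyRequests On")
                echo "line $num: ProxyRequests On turns httpd into a forward proxy; keep Off" ;;
        esac
        case "$1" in Options) case " $* " in *" Indexes "*)
            echo "line $num: Options Indexes lists directory contents where no index file exists; remove Indexes" ;;
        esac ;; esac
    done
}

audit_count() { audit_httpd_conf "$1" | wc -l | tr -d ' '; }

# The corrected counterpart: rewrite each weak setting to its safe value.
harden_conf() {  # $1 = input file; writes $1.hardened and prints its path
    sed -e 's/^\([[:space:]]*ServerTokens\)[[:space:]].*/\1 Prod/' \
        -e 's/^\([[:space:]]*ExtendedStatus\)[[:space:]].*/\1 Off/' \
        -e 's/^\([[:space:]]*ProxyRequests\)[[:space:]].*/\1 Off/' \
        -e '/^[[:space:]]*Options/s/[[:space:]]Indexes//' "$1" >"$1.hardened"
    echo "$1.hardened"
}

# Constructed sample: the weak settings from the notes plus a commented-out decoy.
make_sample_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
ServerTokens OS
ServerRoot "/etc/httpd"
KeepAlive Off
ExtendedStatus On
Listen 0.0.0.0:80
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<IfModule mod_proxy.c>
ProxyRequests On
</IfModule>
# ServerTokens Full   (commented out, must not be reported)
EOF
    echo "$f"
}

if [ -n "${1:-}" ]; then audit_httpd_conf "$1"; fi
```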


                 Section III : Virtual Hosts
This section is used to prepare a website.
1) NameVirtualHost *:80
Using this option we can serve multiple web sites on a single IP address. The site is selected by the host name in the URL.
2) <VirtualHost *>
Replace * by the host name,
i.e. <VirtualHost www.Redhat.com>

If you want to test it, save the changes, exit and give the command
# service httpd start
then open Mozilla and give the URL as
http://(ip address of your machine)
You will see the Apache version information and the Red Hat test page.

Now edit the /etc/httpd/conf/httpd.conf file:

NameVirtualHost *:80 (remove the comment)
and make it NameVirtualHost ipaddress_of_your_machine:80
At the end of the file, i.e. below the <VirtualHost> example, write:
<VirtualHost www.rediffmail.com>
ServerAdmin root@your_Hostname.com
DocumentRoot /webdocs
ServerName your_hostname
ErrorLog /logs/rediffmail-error_log
CustomLog /logs/rediffmail-custom_log common
</VirtualHost>


then change
DirectoryIndex index.html (your web page)

save and exit

edit the /etc/hosts file

at the end type
(your ip address) (your host name)

save and exit
# service network restart
# service httpd restart


then log in as root
open Mozilla
give the URL www.rediffmail.com

You will get the document stored in the /webdocs folder.

You can do it for multiple sites also; for that only a few changes in the httpd.conf and hosts files are needed.

NIS [ Network Information Service ]


The earlier name of NIS was 'Yellow Pages', but that later got registered as a trademark, hence the name NIS is now used in practice.
In NIS one server is used as the master server and one is made the secondary server as a precaution for when the master has problems.

First check whether the packages for NIS are installed on your machine; for that:

# rpm -qa | grep yp



It needs 3 packages: 1) ypserv*
                            2) yp-tools*
                            3) ypbind*

 
Uses :

If we want 10 users created on each of 100 Linux machines, then just create the 10 users on the NIS server and its /etc/passwd file is shared with those 100 machines. So the work becomes easier.

Step 1 : set the IP address of the machine using: # netconfig or # setup

Step 2 :
set the domain name using: # domainname (domain name)

Make sure that all the machines in the NIS domain have the same domain name.

The domain name you set this way is not persistent; it is lost when you restart your machine. To make it persistent enter it in the script which runs every time the machine starts,
i.e. the '/etc/sysconfig/network' file.
Edit it, i.e. # vim /etc/sysconfig/network, and make the changes as

NETWORKING=yes
HOSTNAME=(your host name)
domainname (your domain name)

(the variable form of this setting in that file is NISDOMAIN=(your domain name))

e.g. domainname classroom.edu
Save the file and exit vi.

Restart your machine.

Steps 1 & 2 are common to both the server and the NIS clients.

Set this on the NIS CLIENT machine:

STEP 3 : edit the '/etc/yp.conf' file and make the changes as...

domain (your domain name) broadcast

(e.g. domain classroom.edu broadcast)

domain (your domain name) server (your host name)
(you will get your IP address and host name from the '/etc/hosts' file)

ypserver (your host name)

save and exit

STEP 4 : edit the '/etc/nsswitch.conf' file

(this file lists, for each database, the sources the operating system checks, NIS among them)

make the changes as...

a) passwd: nis files
b) shadow: nis files
c) group: nis files
d) hosts: nis files dns


save & exit

STEP 5 : edit the '/etc/hosts' file
add at the last line...
(ip address of client machine) (client host name)
(ip address of server machine) (server host name)


save & exit

Thus the CLIENT configuration is completed here...
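As an added example (not from these notes), a shell script that writes the step 3 yp.conf entries and applies the step 4 nsswitch.conf changes in place, touching only the four databases NIS serves and staying harmless on a second run. It works on constructed copies; on a real client point it at /etc/yp.conf and /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example: NIS client files from steps 3 and 4, generated and patched.

# Step 3: yp.conf with broadcast, explicit server, and ypserver lines.
# $1 = NIS domain, $2 = server host name (must be in /etc/hosts), $3 = file
write_yp_conf() {
    {
        echo "domain $1 broadcast"
        echo "domain $1 server $2"
        echo "ypserver $2"
    } >"$3"
}

# Step 4: put "nis" before "files" for passwd, shadow, group and hosts only.
# Lines already starting with nis are left alone, so rerunning is harmless.
patch_nsswitch() {  # $1 = nsswitch.conf path
    awk '
        $1 ~ /^(passwd|shadow|group):$/ && $2 != "nis" { print $1, "nis files"; next }
        $1 == "hosts:" && $2 != "nis"                  { print $1, "nis files dns"; next }
        { print }
    ' "$1" >"$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed stock nsswitch.conf: the four NIS-served databases plus one other.
make_sample_nsswitch() {
    f=$(mktemp)
    printf 'passwd:     files\nshadow:     files\ngroup:      files\nhosts:      files dns\nnetworks:   files\n' >"$f"
    echo "$f"
}

# How many databases in the file now consult NIS first.
nis_lines() { grep -c '^[a-z]*:[[:space:]]*nis' "$1"; }
```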

Set this on the NIS SERVER machine...

STEP 6 : edit the '/etc/hosts' file...
write at the last line...

(ip address of server machine) (server host name)

save and exit

The whole configuration of NIS is stored in the '/var/yp' directory.

Edit '/var/yp/Makefile'
the contents of that file are...

1) #B=-b
If you remove this comment, the clients of the NIS server can resolve host data through the DNS server. Use this option if you have multiple DNS servers.
2) NOPUSH=true
If you have a single server keep this option 'true', because when it is 'true' the primary server does not push its database to the secondary server. When it is 'false' the server pushes its database to the servers whose names & IP addresses are in the '/var/yp/ypservers' file.
3) MINUID=500
MINGID=500

This option tells from which number the UIDs and GIDs start.
4) NFSNOBODYUID=65534
NFSNOBODYGID=65534
5) MERGE_PASSWD=true

It decides whether the 'shadow' file and the 'passwd' file are merged into a single map or not. (When they are merged, the password hashes from shadow become readable by every NIS client, e.g. with ypcat passwd.)
6) MERGE_GROUP=true
It decides whether the 'group' file and the 'gshadow' file are merged into a single map or not.
7) AWK = /usr/bin/gawk
8) MAKE = /usr/bin/gmake
9) UMASK = umask 066

DON'T CHANGE OPTIONS 7, 8, 9. These are used to build the database.
10) YPSRCDIR = /etc
11)
12)
13)
14)
15)

DON'T CHANGE OPTIONS 11 to 15; these variables are created so that make knows where to get the database files.
After this we only need the following options...
GROUP
PASSWD
SHADOW
GSHADOW
ADJUNCT
ALIASES
HOSTS
AUTO_MASTER
AUTO_HOME
AUTO_LOCAL


Keep these options on the 'all:' target line.
So comment out the other options which are not needed, or remove them.

Save & exit.
Now give this command from the PRIMARY SERVER only...

# /usr/lib/yp/ypinit -m
(if you don't have a secondary NIS server, then press 'Ctrl + D')

If you have a secondary NIS server then give its name here. Its entry will be added directly to '/var/yp/ypservers'. The current list of NIS servers looks like this:

(host name)
Is this correct? [y/n: y] Press 'y'

# yum install authconfig-gtk
# service ypserv restart
# service portmap restart
# getsebool -a | grep "yp"
# setsebool allow_ypbind=1


Set your domain name again.

Now from the CLIENT machine:

# authconfig-tui

or # system-config-authentication

The NIS service will get started...

On the client you can log in as a guest...

But to get the home directory, make the settings as....

FROM the CLIENT as well as the SERVER machine:
# vim /etc/auto.master
make the changes under # /net as
/home/guests /etc/auto.misc --timeout=60

save and exit

edit the '/etc/auto.misc' file

# vim /etc/auto.misc

make the changes at the last line as...
* -rw,soft,intr 192.168.0.254:/home/guests/&
save and exit

# service autofs restart

Then log in to the client using
login name : guest2001
password : (no password)


It will get the home directory.

DNS [ Domain Name Server / System ] For RHEL 4

If we want to register multiple domains and give the same IP address to those sites then DNS is used. When a client user enters a URL name, DNS is used to resolve that name and find the IP address of that site. It acts as a mediator between the user and the rest of the internet.

To check whether the rpm for DNS is installed or not, give the command:

rpm -qa | grep bind

Here the name of the DNS service is "named" and the package name is "bind".
BIND : Berkeley Internet Name Domain

Edit the "/etc/named.conf" file. If this file is not there then move /etc/named.custom to the same location as "named.conf", or copy it,

i.e. # cp /etc/named.custom /etc/named.conf

# vim /etc/named.conf

1) controls : from where this file gets modified (which hosts may control named).
2) zone : the format of the zone file is very important.

zone "." IN {
type hint;
file "named.ca"; // the name of the file containing the zone records.
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

The first two zones are called forward lookup zones: the client gives the name and the DNS server returns the IP address for that name. After that comes the type named "reverse lookup zone": the client gives the IP address and the DNS server returns the DNS name of that IP address.
i.e. 1) the order is reversed: what a forward lookup zone would write as "arpa.addr.in", the reverse lookup zone writes as "in-addr.arpa"
2) If in the forward lookup zone the IP address is "192.168.100.10" then in the reverse lookup zone it becomes "100.168.192.in-addr.arpa", and the ".10" gets stored in the records of the reverse lookup zone (RLZ).
3) zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
Make the changes on the next lines:

zone "pranay.com" IN {
type master;
file "pranay.com.zone";
allow-update { none; };
};

If this option is "none" and the primary master goes down, no client can update its records. If you have a secondary server then instead of "none" type your secondary server's IP address.

"pranay.com.zone" file (your zone file)

There are three files in the "/var/named" directory, of which the "named.local" file is for the reverse zone. Copy the "localhost.zone" file and paste it at the same location with the name "pranay.com.zone".

Now edit the "pranay.com.zone" file:

a) $TTL 86400 : if any client caches this file then it can cache it for 86400 seconds only. After that it needs to download it from the server again.

b) $ORIGIN localhost.

Server's name,
i.e. type $ORIGIN (server's domain name)

c)
@       IN SOA  @ root (
                42      ; serial (d.adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum


        IN NS   @               (here IN is 'Internet', NS is 'name server' & @ is your machine)

        IN A                    (now delete this IN A and)

make the changes as

PRANAY (i.e. your domain name) IN A ipaddress
www IN A ipaddress
(another client) IN A ipaddress


save & exit
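As an added example (not from these notes), a shell script that builds the pranay.com forward zone and its matching reverse zone from one host list, using the reversal rule described above: 192.168.100.10 lives in 100.168.192.in-addr.arpa and its PTR record is keyed by the last octet, 10. The host list and addresses are constructed; the name server is the host pranay as in the notes.

```shell
#!/bin/sh
# Added example: generate forward and reverse zone files for the notes' zone.
ZONE=pranay.com          # zone from the notes
NS_HOST=pranay           # the server itself, pranay.pranay.com
NS_IP=192.168.100.10     # constructed address of the server
HOSTS="pranay 192.168.100.10
www 192.168.100.10
client1 192.168.100.11"  # constructed "name ip" pairs, one per line

# 192.168.100.10 -> 100.168.192.in-addr.arpa (zone) and 10 (PTR owner name)
reverse_zone() { echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'; }
last_octet()   { echo "${1##*.}"; }

# SOA header plus the NS record, shared by both files; $1 = zone, $2 = serial
soa_header() {
    printf '$TTL 86400\n$ORIGIN %s.\n' "$1"
    printf '@\tIN SOA\t%s.%s. root.%s. (\n' "$NS_HOST" "$ZONE" "$ZONE"
    printf '\t%s\t; serial\n\t3H\t; refresh\n\t15M\t; retry\n\t1W\t; expiry\n\t1D )\t; minimum\n' "$2"
    printf '\tIN NS\t%s.%s.\n' "$NS_HOST" "$ZONE"
}

forward_zone() {  # $1 = serial; one A record for every host
    soa_header "$ZONE" "$1"
    echo "$HOSTS" | while read -r name ip; do
        if [ -n "$name" ]; then printf '%s\tIN A\t%s\n' "$name" "$ip"; fi
    done
}

reverse_zone_file() {  # $1 = serial; one PTR per host, keyed by last octet
    soa_header "$(reverse_zone "$NS_IP")" "$1"
    echo "$HOSTS" | while read -r name ip; do
        if [ -n "$name" ]; then
            printf '%s\tIN PTR\t%s.%s.\n' "$(last_octet "$ip")" "$name" "$ZONE"
        fi
    done
}

# usage: sh zones.sh 2010120901 > /var/named/pranay.com.zone
#        sh zones.sh 2010120901 reverse > /var/named/100.168.192.in-addr.arpa.zone
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = reverse ]; then reverse_zone_file "$1"; else forward_zone "$1"; fi
fi
```

Bump the serial every time you edit a zone, otherwise a secondary server will not pick up the change.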

Edit the "/etc/hosts" file

and keep only the line below,

127.0.0.1 localhost.localdomain localhost

& delete all the following lines.
save & exit
Then start the service named, i.e.


# service named start
# netconfig

set your IP address & set the name server IP address, i.e. the DNS server address
ok

# service network restart

To check it, type
# ping www.pranay.com
It will ping the site.

To check whether the server is ok & the service is ok give the commands

# nslookup pranay.pranay.com
# dig pranay.pranay.com



Edit the "/var/named/pranay.com.zone" file

make the changes as

IN SOA . root

and

        IN NS   (server's ip address)



and
$ORIGIN pranay.com                 (i.e. the name of your zone)

save & exit

Then give the command:

# dig pranay.pranay.com

then

# ping pranay.pranay.com

Now
check the entries in the "/etc/hosts" file
# vim /etc/httpd/conf/httpd.conf

make the changes as

NameVirtualHost (ip address of server):80

then change as
<VirtualHost www.pranay1.com>

<VirtualHost www.pranay.com>



then change as

ServerName (ip address of server):80

save & exit

# service httpd restart

TO PING THE LINUX DNS SERVER FROM A WINDOWS XP MACHINE:

Go to XP's My Network Places properties → Local Area Connection properties → TCP/IP properties → give the DNS server IP address → OK

go to Run
cmd
ping (server's IP address)
ping pranay.pranay.com
ping PRANAY.pranay.com
nslookup pranay.pranay.com

It will show the IP address.

                                        IMPORTANT
1) If you want to create a new zone then copy the file "/var/named/localhost.zone" to the same location with your zone name, i.e. web.com.zone
2) Edit the file "/etc/httpd/conf/httpd.conf" and make the changes as given above
3) Edit the "web.com.zone" file and make the changes as given above
4) Edit "/etc/named.conf" and make the changes as given above
5) Restart the services named and httpd

Creating a Secondary Master

1) Edit "/etc/named.conf"

zone "abc.com" IN {
type slave;
file "abc.com.zone";
masters { (ip address); };
};


If you want to allow somebody else to update your zone, then:

zone "web.com" IN {
type master;
file "web.com.zone";
allow-update { (ip address of that machine); };
};


save & exit

Now edit the "/etc/rndc.key" file
This file contains the security key. This security key is unique for each computer. We need to generate & specify this key for each computer.

Edit the "/etc/rndc.conf" file

make the change at the end of this file as:


server (ip address) {
key "redhat";
};

include "/etc/rndc.key";

save & exit

OR

edit the "/etc/named.conf" file

add # to the lines with the keyword "controls" and also to the next 2 lines
add # to the last line with the keyword "include"

save & exit