A quick and useful command for checking if a server is under DDoS:
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
That will list the IPs holding the most connections to the server, highest count last. Keep in mind that DDoS attacks are becoming more sophisticated: attackers use fewer connections from many more source IPs, so you may still see low per-IP counts while you are under attack.
Another very important thing to look at is how many active connections your server is currently processing.
netstat -n | grep :80 | wc -l
netstat -n | grep :80 | grep SYN | wc -l
The first command shows the number of connections open to your web server (port 80). Many of the attacks typically seen work by opening a connection to the server and then never sending anything more, so the server waits for it to time out. The number of active connections from the first command will vary widely, but if you are much above 500 you are probably having problems. If the second command is over 100 you are dealing with a SYN attack.
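The two checks above, as an added shell example that is not part of the original post, run over a constructed netstat -n sample so the counting logic can be tried offline: per-IP connection counts, total and half-open (SYN) connections to port 80, and the post's 500/100 rules of thumb. It strips only the final :port from the foreign address, so IPv6 peers are counted correctly where cut -d: -f1 would not.

```shell
#!/bin/sh
# Added example (not from the original post). The sample below is a constructed
# `netstat -n` listing for a web server at 10.0.0.5; the thresholds are the
# post's rules of thumb, not universal limits.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51002      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51003      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40000       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.44:6001         SYN_RECV
tcp        0      0 10.0.0.5:22             192.0.2.44:6002         ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8::99:5555       SYN_RECV'

# Connections per remote address, busiest last (the post's first pipeline).
# Only the trailing ":port" is removed, so an IPv6 peer keeps its full address.
top_talkers() {
    printf '%s\n' "$1" \
      | awk '$1 ~ /^(tcp|udp)/ { sub(/:[0-9]+$/, "", $5); print $5 }' \
      | sort | uniq -c | sort -n
}

# Total connections to the web port (the post's first netstat/wc check).
count_web() {
    printf '%s\n' "$1" | awk '$4 ~ /:80$/ { n++ } END { print n + 0 }'
}

# Half-open connections to the web port: the kernel reports them as SYN_RECV,
# so matching on SYN as the post does picks them out.
count_web_syn() {
    printf '%s\n' "$1" | awk '$4 ~ /:80$/ && $6 ~ /SYN/ { n++ } END { print n + 0 }'
}

# Apply the thresholds: more than 100 SYN is a SYN flood, more than 500
# connections is heavy load. Limits can be overridden for testing.
assess() {
    conns=$(count_web "$1")
    syns=$(count_web_syn "$1")
    syn_limit=${2:-100}
    conn_limit=${3:-500}
    if [ "$syns" -gt "$syn_limit" ]; then
        echo "SYN_FLOOD($conns/$syns)"
    elif [ "$conns" -gt "$conn_limit" ]; then
        echo "HIGH_LOAD($conns/$syns)"
    else
        echo "OK($conns/$syns)"
    fi
}

# On a live box pass real output instead: assess "$(netstat -n)"
top_talkers "$SAMPLE_NETSTAT"
assess "$SAMPLE_NETSTAT"
```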
To block a certain IP address on the server, use the following commands:
----- command -----
route add IPADDRESS reject
for example: route add 192.168.0.168 reject
You can check whether the given IP is blocked on the server with the following command
route -n | grep IPADDRESS
----- command -----
OR
use the following commands to block an IP with iptables on the server. -I inserts the rule at position 1 of the INPUT chain so it is matched before anything else (use -j REJECT instead of DROP if you want the sender told); save before restarting, otherwise the restart reloads the old saved rule set and the new rule is lost.
----- command -----
iptables -I INPUT 1 -s IPADDRESS -j DROP
service iptables save
service iptables restart
----- command -----
Then kill all httpd connections and restart the httpd service with the following commands
killall -KILL httpd
service httpd startssl
Additionally, you can check established connections, listening ports and the open sockets of one process with
lsof | grep ESTABLISHED
lsof | grep LISTEN
lsof -p PID
Tuesday, November 23, 2010
Friday, November 19, 2010
POSTGRESQL ERROR
If you get the error below
FATAL 1: IDENT authentication failed for user "postgres"
do the following to fix it.
# vi /var/lib/pgsql/data/pg_hba.conf
Add the line
host all all 127.0.0.1/32 trust
:wq // save the file
The /var/lib/pgsql/data/pg_hba.conf will then look like this.
# TYPE DATABASE USER CIDR-ADDRESS METHOD
#local all all ident sameuser
host all all 127.0.0.1/32 trust
# service postgresql restart
Note that trust lets any local process that can reach the TCP socket log in as any database user, including postgres, without a password; it is fine on a single-administrator box, but switch the method to md5 once the login works.
INSTALLING MAVEN
# cd /opt
# wget -c http://www.eng.lsu.edu/mirrors/apache//maven/binaries/apache-maven-3.0-bin.tar.gz
# tar xvzf apache-maven-3.0-bin.tar.gz
# vi /etc/profile
Add the following lines to the end of the file
M2_HOME=/opt/apache-maven-3.0
export M2_HOME
PATH=$PATH:$M2_HOME/bin
:wq // save the file
# source /etc/profile
Apache maven is installed and ready to use.
Monday, November 1, 2010
INSTALLING OPENNMS
OpenNMS is the world's first enterprise-grade network management system developed under the open source model. As with any complex and powerful system, getting it installed and configured can take a little effort.
Minimum Requirements
--------------------
* A 1 GHz Pentium III (or equivalent processor) or better. OpenNMS can also take advantage of multiple processors.
* A minimum of 256 MB of RAM, although 512 MB is strongly recommended. The OpenNMS Java Virtual Machine benefits from large amounts of memory, up to 2 GB, and more if using a 64-bit processor.
* OpenNMS requires about 200 MB of disk space for the program files. In addition, each data variable collected requires, by default, a little under 300 KB of disk space.
Configure RPM-based Distributions with Yum
-------------------------------------------
[root@localhost ~]# yum install yum-fastestmirror
Install the OpenNMS Repository RPM
-----------------------------------
rpm -Uvh http://yum.opennms.org/repofiles/opennms-repo-snapshot-fc7.noarch.rpm
Or, to install the latest unstable release on CentOS or RHEL 5, you would run:
rpm -Uvh http://yum.opennms.org/repofiles/opennms-repo-unstable-rhel5.noarch.rpm
Installing Java on RPM-based Distributions Using Yum
----------------------------------------------------
[root@localhost ~]# yum install jdk
Installing PostgreSQL on RPM-Based Distributions Using Yum
----------------------------------------------------------
[root@localhost ~]# yum -y install postgresql-server
Configure PostgreSQL
--------------------
Locate the Postgres "data" directory. Often this is /var/lib/pgsql/data. You should then find the two files we need to modify in that directory.
First we need to make sure PostgreSQL is listening on an IP socket, and not just a local unix socket.
Edit the postgresql.conf file and add the following.
listen_addresses = 'localhost'
max_connections = 256
Customizing the pg_hba.conf File
--------------------------------
Add the lines below.
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
local all all trust
host all all 127.0.0.1 255.255.255.255 trust
host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff trust
Creating the PostgreSQL Database
---------------------------------
# /etc/init.d/postgresql start
Installing JICMP on RPM-Based Distributions Using YUM
-----------------------------------------------------
[root@localhost ~]# yum install jicmp
Installing OpenNMS
------------------
[root@localhost ~]# yum install opennms-*
Configure Java for OpenNMS
--------------------------
[root@localhost ~]# /opt/opennms/bin/runjava -s
The desired output is shown below:
runjava: Looking for an appropriate JRE...
runjava: Checking for an appropriate JRE in JAVA_HOME...
runjava: skipping... JAVA_HOME not set
which: no java in (/usr/lib/qt-3.3/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/opennms/bin:/root/bin)
runjava: did not find a JRE in user's path
runjava: searching for a good JRE...
runjava: found a good JRE in "/usr/java/jdk1.5.0_18/bin/java"
runjava: value of "/usr/java/jdk1.5.0_18/bin/java" stored in configuration file
Configure a specific JRE
-------------------------
If you need to configure a specific JRE, do the following:
[root@localhost]# /opt/opennms/bin/runjava -S
Run the OpenNMS Installer Application
-------------------------------------
[root@localhost ~]# /opt/opennms/bin/install -l /usr/local/lib -dis
Login to the Web Application
-----------------------------
By default, OpenNMS's built-in web server listens on port 8980, so point your browser at http://:8980/opennms/
The initial user name is "admin" and the password is "admin".
Enjoyyyy...............
If you need any further assistance. Ping me
Email: vasanth462@gmail.com
Thursday, October 28, 2010
To Speed up the installation using YUM
You may want to install the yum-fastestmirror RPM if your distro supports it. This can often speed up downloads of large packages. See the CentOS Wiki
# yum install yum-fastestmirror
Wednesday, October 13, 2010
Wednesday, September 29, 2010
DANSGUARDIAN, SQUID, IPTABLES
If you want to filter web browsing on a Linux gateway server using iptables, squid and DansGuardian, follow my steps.
eth0 = Internet IP address
eth1 = 192.168.0.229
Do the necessary steps to make the Linux machine a router and gateway.
# yum install squid
Open the squid configuration file.
# vi /etc/squid/squid.conf
Enter the following line
http_port 3128 transparent
Add the ACLs
acl home_network src 192.168.0.0/24
http_access allow home_network
# service squid start
# iptables -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP
# service iptables save
# service iptables restart
This will block your employees from connecting to squid directly: only connections whose source address is 127.0.0.1 reach port 3128.
1. Install DansGuardian from source or RPM (I am using the RPM here).
The files are installed in /etc/dansguardian. Open the main DansGuardian configuration file and enter the following details. If your INPUT chain does not already accept loopback traffic before that DROP rule, DansGuardian's own connections to 192.168.0.229:3128 will be dropped too (their source address is 192.168.0.229, not 127.0.0.1); in that case set proxyip = 127.0.0.1.
# vi /etc/dansguardian/dansguardian.conf
proxyip = 192.168.0.229
proxyport = 3128
filterport = 8080
Save the file.
Run the following redirect (REDIRECT is a nat-table target, so -t nat is required):
# iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
On the clients, set the gateway to 192.168.0.229 (in my case).
Wednesday, September 22, 2010
Shell script to start Authdeamon
#! /bin/sh
# Init-style wrapper around Courier's authdaemond control script
case "$1" in
    start)
        echo "Initializing authdaemon. (Courier)"
        /usr/local/sbin/authdaemond start
        ;;
    stop)
        echo "Shutting down authdaemon:"
        /usr/local/sbin/authdaemond stop
        ;;
    restart|reload)
        $0 stop && $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload}"
        exit 1
        ;;
esac
exit 0
Tuesday, September 21, 2010
Sunday, September 19, 2010
YUM THROUGH PROXY
If your internal network sits behind a proxy server and firewall, use the following settings to make yum work
1. Open a shell
2. export http_proxy=http://proxyhost:port
Eg: export http_proxy=http://192.168.0.229:3128
3. yum list
Enjoyyyy
Saturday, September 18, 2010
OPENVZ COMMANDS
OpenVZ is an Operating System-level server virtualization solution, built on Linux. OpenVZ creates isolated, secure virtual environments.
FILES
/etc/vz/vz.conf
/etc/vz/conf/veid.conf
/proc/vz/veinfo
/proc/vz/vzquota
/proc/user_beancounters
/proc/fairsched
Log file /var/log/vzctl.log
vzctl Commands
Usage: vzctl [options] [parameters]
Help : vzctl --help
1. stop a VE (start/stop/restart) -
#vzctl stop VEID
2. to stop a VE in fast mode -
#vzctl stop VEID --fast
3. to see all the VEs -
#vzlist -a
4. to enter a VE -
#vzctl enter VEID
5. to see the uptime of a VE - run this from the node -
#vzctl exec VEID uptime
6. to see all the running processes in a VE from the node -
#vzctl exec VEID ps aux
7. list the load of each VE -
#for vps in `vzlist -1`; do echo "$vps: `vzctl exec2 $vps uptime`"; done
8. when you think it is a RAM issue (Out Of Memory) -
#grep OOM /var/log/messages | grep VEID | wc -l
9. Reinstall a VE - all data will be lost and a fresh install will be there -
#vzctl reinstall VEID
10. number of running VEs on the node -
#vzlist | grep running | wc -l
11. To find the status of a VE:
#vzctl status VEID
12. You can execute commands inside a VE from the node itself
#vzctl exec VEID COMMAND
13. Check inode value
#df -i
14. Set inode value
#vzctl set VEID --diskinodes 2000000:2000000 --save
15. Check numiptent value
#egrep numiptent /proc/user_beancounters
numiptent 336 336 2147483647 2147483647 0
16. Set numiptent value
#vzctl set VEID --numiptent 2000000:2000000 --save
17. To permanently remove this VE:
#vzctl destroy VEID
Configuration Commands
1) vzctl set VEID --hostname vps.domain.com --save : To set the hostname of a VPS.
2) vzctl set VEID --ipadd 1.2.3.4 --save : To add a new IP to the VPS.
3) vzctl set VEID --ipdel 1.2.3.4 --save : To delete the IP from the VPS.
4) vzctl set VEID --userpasswd root:new_password --save : To reset the root password of a VPS.
5) vzctl set VEID --nameserver 1.2.3.4 --save : To add nameserver IPs to the VPS.
6) vzctl exec VEID command : To run any command on a VPS from the node.
7) vzyum VEID install package_name : To install any package/software on a VPS from the node.
PERMANENTLY MOUNTING A REMOTE WINDOWS SHARE USING /etc/fstab
To permanently mount the Windows share on Linux, add the following entry to /etc/fstab and run mount -a. The credentials file holds the share password in plain text, so keep it readable by root only.
//192.168.1.21/D /mnt cifs defaults,credentials=/root/samba_credentials 0 0
:wq
# mount -a
PRIVATE READ WRITE SHARE
Create a share like the one below in /etc/samba/smb.conf (security = share belongs in the [global] section), then add and enable the Samba user:
security = share
[privatewrite]
path = /private
writable = yes
create mask = 0765
valid users = vasanth
# smbpasswd -a vasanth
# smbpasswd -e vasanth
MAPPING LINUX FOLDER TO WINDOWS
On the Windows box, open cmd and type the following command
> net use * \\192.168.1.12\privatewrite /user:vasanth
It will prompt for the password. Once you give it, the remote Linux folder is mapped in My Computer as drive Z: on the Windows machine.
> net use
This command displays the current connections from the Windows machine.
To disconnect the drive: right click >> Disconnect, or
> net use z: /delete
TO MAKE A HIDDEN SHARE IN WINDOWS
Enter the share in smb.conf
[privatewrite]
path = /private
writable = yes
create mask = 0765
valid users = vasanth
browseable = no
# this line causes the share to become invisible in browse lists
The above entry in smb.conf makes the share hidden, but it is still accessible via its UNC path.
In the Windows Network Places address bar, type
\\192.168.1.12\privatewrite
From Linux, check the server's share list with
# smbclient -L server1
TO FIND OUT THE STATUS OF A FILE IN LINUX
# stat smb.conf
OUTPUT:
File: `smb.conf'
Size: 10041 Blocks: 24 IO Block: 4096 regular file
Device: 803h/2051d Inode: 1901530 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2010-06-17 07:12:01.000000000 +0530
Modify: 2010-06-17 07:09:52.000000000 +0530
Change: 2010-06-17 07:09:52.000000000 +0530
STEPS TO SHARE PRINTER FROM LINUX TO WINDOWS.
1. Connect the printer and share it properly for all the hosts.
2. Restart the smb daemon.
3. Samba reads the /etc/printcap file.
4. Search for the printer from Windows. You will find the printer there.
The section of smb.conf responsible for sharing printers is as follows.
load printers = yes
# Load the printers from CUPS.
cups options = raw
# raw assumes the Windows host has its own driver and sends fully rendered jobs; Samba only spools them through to CUPS.
; printcap name = /etc/printcap
printing = cups
NOTE: The driver for the shared printer should be installed on the Windows host.
INSTALLING NEW KERNEL FROM THE SOURCE
Download the latest kernel from http://www.kernel.org
# wget -c http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.33.tar.gz
# tar xvzf linux-2.6.33.tar.gz
# cd linux-2.6.33
# cp /boot/config-`uname -r` .config
# make menuconfig
# make bzImage
# make modules
# make modules_install
# make install
Friday, September 17, 2010
IPTABLES SCRIPT THAT CAN BE USED IN GATEWAYS
#!/bin/sh
LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"
# FTP connection-tracking helper, so FTP data connections count as RELATED below
/sbin/modprobe ip_conntrack_ftp
# Loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Forward LAN traffic both ways (uncomment the DROP to force LAN web traffic through the proxy)
# $IPTABLES -A FORWARD -i $LAN -s 192.168.0.0/24 -p tcp --destination-port 80 -j DROP
$IPTABLES -A FORWARD -i $LAN -s 192.168.0.0/24 -j ACCEPT
$IPTABLES -A FORWARD -o $LAN -d 192.168.0.0/24 -j ACCEPT
# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Block direct web access to this host from the internet side
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 80 -m state --state NEW -j DROP
# Allow incoming port 22 (ssh) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
# Allow ssh arriving on the INTERNET interface, both to this host and forwarded through it,
# plus outgoing ssh from this host (the two inbound rules expose sshd to the whole internet)
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
# Allow FTP connections FROM LAN to INTERNET (the remaining FTP rules are left disabled)
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 21 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 20 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 21 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 20 -m state --state NEW -j ACCEPT
# Allow incoming port 3128 (squid) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state --state NEW -j ACCEPT
# Allow ICMP ECHO REQUESTS on LAN interface
$IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state --state NEW -j ACCEPT
# Allow Squid to proxy ftp, http, https, and AIM traffic
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 21 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 5190 -m state --state NEW -j ACCEPT
# Create a LOGDROP chain to log and drop packets
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG
$IPTABLES -A LOGDROP -j DROP
# Drop all other traffic
$IPTABLES -A INPUT -j LOGDROP
Webcam under Linux
1. Plug your webcam to USB port
2. Check whether the webcam is detected. Do the following:
# ls -l /dev/video0
crw------- 1 root root 81, 0 Sep 18 12:01 /dev/video0
If the output looks like the above, your webcam is detected by Linux.
3. Install luvcview
Get the latest source from the following URL.
http://mxhaard.free.fr/spca50x/Investigation/uvc/
# tar xvzf luvcview-20060207.tar.gz
# cd luvcview-20060207
# make
# make install
4. After the above steps, run the following command
# luvcview -f yuv
Now you can see your face on your desktop.
Enjoyyyy
Vasanth.T.M
Systems Administrator(Linux)
Ph:+919496824351
Wednesday, September 15, 2010
SQUID monitoring
tail -f /var/log/squid/access.log | awk '{print $3 " " $8 " " $7}'
Use this to monitor the web usage in your home network; it prints the client IP, the user name and the URL of each request.
Thursday, August 26, 2010
Cpanel Error
If you are experiencing the following error
pcfg_openfile: unable to check htaccess file, ensure it is readable
do the following
Login to cPanel
Go to FrontPage Extensions
Reinstall it
Reload the URL
Now it will be okay.
Find Useful Commands
# find /path/to/base/dir -type f -exec chmod 755 {} \;
# find public_html/ -type f -exec chmod 644 {} \;
Monday, August 9, 2010
What is SSL and what are Certificates?
The Secure Socket Layer protocol was created by Netscape to ensure secure transactions between web servers and browsers. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both ends of the transaction. In short, this is how it works.
1. A browser requests a secure page (usually https://).
2. The web server sends its public key with its certificate.
3. The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.
4. The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted http data.
5. The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and http data.
6. The web server sends back the requested html document and http data encrypted with the symmetric key.
7. The browser decrypts the http data and html document using the symmetric key and displays the information.
Several concepts have to be understood here.
Sunday, August 1, 2010
COURIER INSTALLATION
COURIER-MTA INSTALLATION
1. Download the Courier authentication library from
http://www.courier-mta.org/authlib/
Check that the build dependencies are present:
# rpm -qa | grep libtool
# rpm -qa | grep binutil
# rpm -qa | grep expect
Build as an unprivileged user (only the install steps need root):
# su - vasanth
# tar xvjf courier-authlib-0.63.0.tar.bz2
# cd courier-authlib-0.63.0
# ./configure
# make
Then, as root, install and start the daemon:
# make install
# cd /usr/local/etc/authlib
# /usr/local/sbin/authdaemond start
# ps ax | grep auth
# cd /etc/init.d
# ln -s /usr/local/sbin/authdaemond
# ln -s /etc/init.d/authdaemond /etc/rc5.d/S20authdaemond
INSTALLING Courier-IMAP
First check which mailbox format is in use:
# cat /var/qmail/control/defaultdelivery
Note: compile Courier as a non-root user; switch to root only for the install targets.
# tar xvjf courier-imap-4.7.0.tar.bz2
# cd courier-imap-4.7.0
# ./configure
# make
# su root
# make install (must be root)
# make install-configure (must be root)
# cd /usr/lib/courier-imap/ (everything related to Courier-IMAP is installed under this directory)
1. bin >>> the Courier binaries
2. etc >>> the configuration files
3. libexec >>> the startup scripts
4. libexec >>> couriertcpd, Courier's TCP super-server (like xinetd and inetd)
5. man >>> manual pages
CONFIGURING THE POP3 SERVICE
# cd /usr/lib/courier-imap/etc
# vi pop3d
# /usr/lib/courier-imap/libexec/pop3d.rc start
# netstat -nlp | grep ':110 '
# vi /usr/local/etc/authlib/authdaemonrc
Uncomment the following line, and trim it to the modules you actually use (every module listed is tried in turn on each login):
authmodulelist="authuserdb authpam authldap authmysql authcustom authpipe"
If there are problems with POP3 authentication, read
http://www.courier-mta.org/authlib/README.authdebug.html
Plain POP3 on port 110 sends usernames and passwords in clear text; on anything but a trusted LAN, run the SSL service below and leave port 110 closed at the firewall.
COURIER-POP3-SSL
# vi /usr/lib/courier-imap/etc/pop3d.cnf
Fill in the certificate subject fields as appropriate.
# cd /usr/lib/courier-imap/share
# ./mkpop3dcert
The self-signed certificate and its private key are stored together in /usr/lib/courier-imap/share/pop3d.pem; keep that file readable by root only.
# cd /usr/lib/courier-imap/libexec
# ./pop3d-ssl.rc start
NOTE
Link all the startup scripts into /etc/init.d/ and /etc/rc3.d or rc5.d so they start at boot.
QMAIL-SMARTHOST
QMAIL AS SMARTHOST
A smart host is the mail gateway between our local network and remote networks.
Two files in /var/qmail/control control this:
1. /var/qmail/control/locals
2. /var/qmail/control/smtproutes
locals -> defines the domains that are delivered locally; it normally lists localhost and the FQDN of our server. If a message is destined for a remote domain, qmail consults smtproutes (a default route is a line of the form :smarthost, with the domain part left empty) and forwards all such messages to the smart host listed there.
Mail open relay
mv /var/qmail/control/rcpthosts /var/qmail/control/rcpthosts.bak
Caution: rcpthosts lists the domains qmail-smtpd will accept mail for. When the file is missing, qmail-smtpd accepts mail for any recipient from anyone, which makes the server an open relay that will be found, used for spam and blacklisted. Keep rcpthosts in place and grant relaying only to trusted clients by setting RELAYCLIENT for their addresses (normally in the tcpserver rules file, tcp.smtp); never remove it on an internet-facing host.
APACHE-SSL
HOW TO: APACHE-SSL
Install the following
# yum install httpd
# yum install openssl
# yum install mod_ssl
# yum install crypto-utils
Creating a self-signed certificate
# genkey www.example.com
Press Next until the certificate is created. Choose a 2048-bit key rather than 1024 (1024-bit RSA is considered too weak today) and self-signed. A self-signed certificate is fine for testing, but every browser will warn about it; for a public site get one signed by a CA.
The key is stored in /etc/pki/tls/private/www.example.com.key
and the certificate in
/etc/pki/tls/certs/www.example.com.crt
Update /etc/httpd/conf.d/ssl.conf
so that the certificate directives point at those files:
SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
The key file must stay readable by root only (mode 600); Apache reads it before dropping privileges.
Restart the server
# service httpd restart
To verify that Apache is listening on 443
netstat -ntlp | grep ':443 '
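The following is an added example, not part of the original post, serving both the SSL description above (step 3's validity and name checks, done locally on a certificate file) and the Apache-SSL procedure (what genkey and Courier's mkpop3dcert do behind their menus). It generates a self-signed key and certificate with the openssl command line and then runs the two checks worth doing before restarting httpd: the private key really belongs to the certificate, and the certificate is not about to expire. It assumes the openssl CLI is installed; the hostname, output directory and function names are this example's own.

```sh
#!/bin/sh
# Added example: self-signed key/certificate generation plus pre-deployment checks.

# make_selfsigned HOST OUTDIR [DAYS]: writes OUTDIR/HOST.key (mode 600) and OUTDIR/HOST.crt.
make_selfsigned() {
  host="$1"; outdir="$2"; days="${3:-365}"
  mkdir -p "$outdir" || return 1
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
    -subj "/CN=$host" \
    -keyout "$outdir/$host.key" -out "$outdir/$host.crt" >/dev/null 2>&1 || return 1
  chmod 600 "$outdir/$host.key"
}

# key_matches_cert KEY CRT: succeeds only when both carry the same RSA public key.
# The whole DER-encoded public key is compared, not just the modulus.
key_matches_cert() {
  k=$(openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | od -An -tx1)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null \
      | openssl rsa -pubin -outform DER 2>/dev/null | od -An -tx1)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for CRT SECONDS: succeeds when the certificate is still valid SECONDS from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_cn CRT: prints the subject CN, to compare with ServerName in ssl.conf.
# Handles both "subject= /CN=host" (OpenSSL 1.0) and "subject=CN = host" (1.1 and later).
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Demonstration on a throwaway directory.
demo_dir=$(mktemp -d)
make_selfsigned www.example.com "$demo_dir" 365
if key_matches_cert "$demo_dir/www.example.com.key" "$demo_dir/www.example.com.crt"; then
  echo "key and certificate match for $(cert_cn "$demo_dir/www.example.com.crt")"
fi
cert_valid_for "$demo_dir/www.example.com.crt" 2592000 && echo "valid for at least 30 days"
rm -rf "$demo_dir"
```

key_matches_cert is the check to run whenever a certificate is renewed or copied between hosts; a mismatched pair is the most common reason httpd refuses to start after "service httpd restart". cert_valid_for with a 30-day horizon makes a useful cron job.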
Saturday, July 31, 2010
Configuring Console Access
When normal (non-root) users log in to a computer locally, they are given two types of special permissions:
1. They can run certain programs that they would not otherwise be able to run
2. They can access certain files (normally special device files used to access diskettes, CD-ROMs, and so on) that they would not otherwise be able to access
Since there are multiple consoles on a single computer and multiple users can be logged into the computer locally at the same time, one of the users has to "win" the race to access the files. The first user to log in at the console owns those files. Once the first user logs out, the next user who logs in will own the files.
In contrast, every user who logs in at the console will be allowed to run programs that accomplish tasks normally restricted to the root user. If X is running, these actions can be included as menu items in a graphical user interface. As shipped, the console-accessible programs include halt, poweroff and reboot.
Disabling Shutdown Via Ctrl-Alt-Del
By default, /etc/inittab specifies that your system is set to shut down and reboot in response to a Ctrl-Alt-Del key combination used at the console. If you'd like to completely disable this ability, you will need to comment out the following line in /etc/inittab:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Alternatively, you may just want to allow certain non-root users the right to shut down the system from the console using Ctrl-Alt-Del. You can restrict this privilege to certain users by taking the following steps:
1. Add a -a option to the /etc/inittab line shown above, so that it reads:
ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now
The -a flag tells shutdown to look for the /etc/shutdown.allow file, which you'll create in the next step.
2. Create a file named shutdown.allow in /etc. The shutdown.allow file should list the usernames of any users who are allowed to shut down the system using Ctrl-Alt-Del. The format of the /etc/shutdown.allow file is a list of usernames, one per line, like the following:
stephen
jack
sophie
According to this example shutdown.allow file, stephen, jack, and sophie are allowed to shut down the system from the console using Ctrl-Alt-Del. When that key combination is used, the shutdown -a in /etc/inittab checks to see if any of the users in /etc/shutdown.allow (or root) are logged in on a virtual console. If one of them is, the shutdown of the system will continue; if not, an error message will be written to the system console instead.
For more information on shutdown.allow see the shutdown man page.
Disabling Console Program Access
In order to disable access by users to console programs, you should run this command as root:
rm -f /etc/security/console.apps/*
In environments where the console is otherwise secured (BIOS and LILO passwords are set, Ctrl-Alt-Del is disabled, the power and reset switches are disabled, and so forth), you may not want to allow any user at the console to run poweroff, halt, and reboot, which are accessible from the console by default.
To remove these abilities, run the following commands as root:
rm -f /etc/security/console.apps/poweroff
rm -f /etc/security/console.apps/halt
rm -f /etc/security/console.apps/reboot
Disabling All Console Access
The PAM pam_console.so module manages console file permissions and authentication. (See Chapter 8 for more information on configuring PAM.) If you want to disable all console access, including program and file access, comment out all lines that refer to pam_console.so in the /etc/pam.d directory. The following script will do the trick (it only touches lines that are not already comments):
cd /etc/pam.d
for i in * ; do
sed '/[^#].*pam_console.so/s/^/#/' < "$i" > foo && mv foo "$i"
done
Defining the Console
The pam_console.so module uses the /etc/security/console.perms file to determine the permissions for users at the system console. The syntax of the file is very flexible; you can edit the file so that these instructions no longer apply. However, the default file has a line that looks like this:
<console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
When users log in, they are attached to some sort of named terminal, either an X server with a name like :0 or mymachine.example.com:1.0 or a device like /dev/ttyS0 or /dev/pts/2. The default is to define that local virtual consoles and local X servers are considered local, but if you want to consider the serial terminal next to you on port /dev/ttyS1 to also be local, you can change that line to read:
<console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1
Making Files Accessible From the Console
In /etc/security/console.perms, there is a section with lines like:
<floppy>=/dev/fd[0-1]* \
/dev/floppy/*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
/dev/mixer* /dev/sequencer \
/dev/sound/*
<cdrom>=/dev/cdrom* /dev/cdwriter*
You can add your own lines to this section, if necessary. Make sure that any lines you add refer to the appropriate device. For example, you could add the following line:
<scanner>=/dev/sga
(Of course, make sure that /dev/sga is really your scanner and not, say, your hard drive.)
That's the first step. The second step is to define what is done with those files. Look in the last section of /etc/security/console.perms for lines similar to:
<console> 0660 <floppy> 0660 root.floppy
<console> 0600 <sound> 0640 root
<console> 0600 <cdrom> 0600 root.disk
and add a line like:
<console> 0600 <scanner> 0600 root
Then, when you log in at the console, you will be given ownership of the /dev/sga device and the permissions will be 0600 (readable and writable by you only). When you log out, the device will be owned by root and still have 0600 (now: readable and writable by root only) permissions.
Enabling Console Access for Other Applications
If you wish to make other applications accessible to console users, you will have to do just a little bit more work.
First of all, console access only works for applications which reside in /sbin or /usr/sbin, so the application that you wish to run must be there. After verifying that, take the following steps:
1. Create a link from the name of your application, such as our sample foo program, to the /usr/bin/consolehelper application:
cd /usr/bin
ln -s consolehelper foo
2. Create the file /etc/security/console.apps/foo:
touch /etc/security/console.apps/foo
3. Create a PAM configuration file for the foo service in /etc/pam.d/. An easy way to do this is to start with a copy of the halt service's PAM configuration file, and then modify the file if you want to change the behavior:
cp /etc/pam.d/halt /etc/pam.d/foo
Now, when you run /usr/bin/foo, it will call consolehelper, which will authenticate the user with the help of /usr/sbin/userhelper. To authenticate the user, consolehelper will ask for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/halt (otherwise, it will do precisely what is specified in /etc/pam.d/foo) and then run /usr/sbin/foo.
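Each console-accessible program depends on three pieces staying in step: the entry under /etc/security/console.apps, the /usr/bin symlink to consolehelper, and the PAM service file in /etc/pam.d. The following is an added example, not part of the original text: a small audit that cross-checks those pieces for every entry and a helper that revokes the power-control programs the section singles out. It takes a root prefix so it can be run against a constructed or copied tree; pass / for the live system. The function names and the sample tree are this example's own.

```sh
#!/bin/sh
# Added example: audit console.apps wiring and revoke halt/poweroff/reboot.

# audit_console_apps ROOT: one line per console.apps entry, "NAME STATUS", where STATUS is
# ok, missing-binary (nothing in sbin or usr/sbin), no-consolehelper-link, or no-pam-service.
audit_console_apps() {
  root="${1%/}"
  for f in "$root"/etc/security/console.apps/*; do
    [ -e "$f" ] || continue
    name=$(basename "$f")
    status=ok
    if [ ! -x "$root/usr/sbin/$name" ] && [ ! -x "$root/sbin/$name" ]; then
      status=missing-binary
    elif [ "$(readlink "$root/usr/bin/$name" 2>/dev/null)" != "consolehelper" ]; then
      status=no-consolehelper-link
    elif [ ! -f "$root/etc/pam.d/$name" ]; then
      status=no-pam-service
    fi
    printf '%s %s\n' "$name" "$status"
  done
}

# count_enabled_console_apps ROOT: how many entries are fully wired up.
count_enabled_console_apps() {
  audit_console_apps "$1" | awk '$2 == "ok" { n++ } END { print n + 0 }'
}

# revoke_power_console_apps ROOT: the three rm -f commands from the text, under a prefix.
revoke_power_console_apps() {
  root="${1%/}"
  rm -f "$root/etc/security/console.apps/poweroff" \
        "$root/etc/security/console.apps/halt" \
        "$root/etc/security/console.apps/reboot"
}

# make_sample_root DIR: a constructed tree with one complete entry (halt), one missing its
# PAM service (foo) and one with no binary behind it (bar).
make_sample_root() {
  r="${1%/}"
  mkdir -p "$r/etc/security/console.apps" "$r/etc/pam.d" "$r/usr/bin" "$r/usr/sbin"
  for n in halt foo bar; do : > "$r/etc/security/console.apps/$n"; done
  for n in halt foo; do
    printf '#!/bin/sh\n' > "$r/usr/sbin/$n"; chmod 755 "$r/usr/sbin/$n"
    ln -s consolehelper "$r/usr/bin/$n"
  done
  : > "$r/etc/pam.d/halt"
}

# Demonstration on the constructed tree.
demo=$(mktemp -d)
make_sample_root "$demo"
audit_console_apps "$demo"
echo "enabled: $(count_enabled_console_apps "$demo")"
revoke_power_console_apps "$demo"
echo "enabled after revoking power controls: $(count_enabled_console_apps "$demo")"
rm -rf "$demo"
```

A no-pam-service entry is the one to fix promptly: consolehelper will fall back to the "other" PAM service, whose behaviour you did not choose for that program.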
IPTABLES+SQUID PROXY SETUP
Squid iptables firewall
The following iptables firewall is suited for a dual-homed Squid proxy server. ssh (TCP port 22), squid (TCP port 3128), and ICMP ECHO requests are allowed on the internal (LAN) interface; nothing is accepted on the Internet interface, and nothing is forwarded between the two.
Squid is configured to proxy ftp, http, https, and AOL Instant Messenger traffic. In addition, the server is running a caching/forwarding name server and time server and therefore requires outgoing UDP port 123 (ntp) and TCP/UDP port 53 (dns).
#!/bin/sh
LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"
# Kernel hardening knobs
# More information:
# /usr/src/linux-`uname -r`/Documentation/networking/ip-sysctl.txt
# http://www.linuxgazette.com/book/view/1645
# http://www.spirit.com/Network/net0300.html
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Enable source address spoofing protection (reverse path filter)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Needed for FTP (specifically, to allow incoming ftp-data connections)
/sbin/modprobe ip_conntrack_ftp
# Flush all chains and delete user-defined ones so the script can be re-run
# (without the delete, the -N LOGDROP below fails on the second run)
$IPTABLES --flush
$IPTABLES --delete-chain
# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Set default policies (this host forwards nothing; LAN clients must go through Squid)
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP
# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow incoming port 22 (ssh) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 22 -m state \
--state NEW -j ACCEPT
# Allow incoming port 3128 (squid) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state \
--state NEW -j ACCEPT
# Allow ICMP ECHO REQUESTS on LAN interface
$IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state \
--state NEW -j ACCEPT
# Allow ntp synchronization (use -o $INTERNET instead if this host syncs with public servers)
$IPTABLES -A OUTPUT -o $LAN -p udp --destination-port 123 -m state \
--state NEW -j ACCEPT
# Allow ssh on LAN interface
$IPTABLES -A OUTPUT -o $LAN -p tcp --destination-port 22 -m state \
--state NEW -j ACCEPT
# Allow Squid to proxy ftp, http, https, and AIM traffic
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 21 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 5190 -m state \
--state NEW -j ACCEPT
# Create a LOGDROP chain to log and drop packets
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG
$IPTABLES -A LOGDROP -j DROP
# Drop (and log) all other incoming traffic; the OUTPUT policy drops the rest silently
$IPTABLES -A INPUT -j LOGDROP
# Have these rules take effect when iptables is started
/sbin/service iptables save
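The LOGDROP chain is only useful if someone reads what it writes. Every -j LOG hit is one kernel-log line of KEY=VALUE pairs (IN= OUT= SRC= DST= PROTO= SPT= DPT= ...), which makes it easy to reduce with awk. The following is an added example, not part of the original post: two summaries over such lines, one counting any field you name and one flagging sources that touch many distinct ports, which is how a scan looks as opposed to a single misconfigured client. The sample lines are constructed for this example and the function names are this example's own.

```sh
#!/bin/sh
# Added example: summarise LOGDROP hits from the kernel log.

# logdrop_count LOG KEY: occurrences of each value of KEY (SRC, DST, DPT, PROTO, ...),
# most frequent first.
logdrop_count() {
  awk -v key="$2" '
    /IN=/ {
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) n[substr($i, length(key) + 2)]++
    }
    END { for (v in n) print n[v], v }' "$1" | sort -rn
}

# logdrop_scanners LOG LIMIT: sources that hit more than LIMIT distinct destination ports.
logdrop_scanners() {
  awk -v limit="$2" '
    /IN=/ {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if (index($i, "SRC=") == 1) src = substr($i, 5)
        if (index($i, "DPT=") == 1) dpt = substr($i, 5)
      }
      if (src != "" && dpt != "" && !((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
    }
    END { for (s in ports) if (ports[s] > limit) print ports[s], s }' "$1" | sort -rn
}

# logdrop_sample PATH: constructed log lines in the format -j LOG produces (no --log-prefix).
logdrop_sample() {
  cat > "$1" <<'EOF'
Jul 31 10:00:01 proxy kernel: IN=eth0 OUT= MAC=00:16:3e:aa:bb:01:00:16:3e:aa:bb:02:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 31 10:00:01 proxy kernel: IN=eth0 OUT= MAC=00:16:3e:aa:bb:01:00:16:3e:aa:bb:02:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=40002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 31 10:00:02 proxy kernel: IN=eth0 OUT= MAC=00:16:3e:aa:bb:01:00:16:3e:aa:bb:02:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=40003 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 31 10:00:02 proxy kernel: IN=eth0 OUT= MAC=00:16:3e:aa:bb:01:00:16:3e:aa:bb:02:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=40004 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 31 10:00:03 proxy kernel: IN=eth0 OUT= MAC=00:16:3e:aa:bb:01:00:16:3e:aa:bb:02:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=5 PROTO=TCP SPT=40005 DPT=3128 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 31 10:00:03 proxy kernel: IN=eth0 OUT= MAC=00:16:3e:aa:bb:01:00:16:3e:aa:bb:02:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=6 PROTO=TCP SPT=40006 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 31 10:05:10 proxy kernel: IN=eth0 OUT= MAC=00:16:3e:aa:bb:01:00:16:3e:aa:bb:02:08:00 SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=7 PROTO=TCP SPT=51000 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 31 10:05:11 proxy kernel: IN=eth0 OUT= MAC=00:16:3e:aa:bb:01:00:16:3e:aa:bb:02:08:00 SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=8 PROTO=TCP SPT=51001 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Demonstration on the constructed lines.
log=$(mktemp)
logdrop_sample "$log"
echo "drops per source:";            logdrop_count "$log" SRC
echo "drops per destination port:";  logdrop_count "$log" DPT
echo "sources touching >3 ports:";   logdrop_scanners "$log" 3
rm -f "$log"
```

On the real box, feed it /var/log/messages (or dmesg output). The second source in the sample, knocking twice on 3128 from the Internet side, is the pattern to expect once a proxy's address is known: give LOG a --log-prefix so these lines can be grepped out of the rest of the kernel log.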
Restricting normal users from logging in to a Linux server
Normal users can be kept from logging in with PAM; the pam_nologin.so module is used for the purpose. It denies every non-root login while /etc/nologin exists (and prints the file's contents as the reason), so creating the file closes the server for maintenance and deleting it reopens it. Configure /etc/pam.d/login as shown below. Red Hat's default /etc/pam.d/sshd also calls pam_nologin.so, so SSH logins are covered by the same file.
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
auth required pam_nologin.so file=/etc/nologin
#account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_ck_connector.so
VSFTPD VIRTUAL USER SETUP
VSFTPD Virtual Users Setup (with individual FTP home directories)
STEP 1: Install required packages:
pam (installed by default)
db4 (db4 is my version and was installed by default)
vsftpd
compat-db (this is the package name on Fedora which provides the binary db42_load)
Check if the 'db' package is installed
[root@mysystem vsftpd]# rpm -qa | grep -i db
If the db4 package is not installed, do it:
[root@mysystem vsftpd]# yum install db4
The package compat-db will give us the db42_load binary used to build the virtual username/password db file
[root@mysystem vsftpd]# yum install compat-db
[root@mysystem vsftpd]# yum install vsftpd
Can't find the dbXX_load binary? Check the locations of the files in this package:
[root@mysystem vsftpd]# rpm -ql compat-db
STEP 2: Configure PAM
Confirm the existence/location of the file /lib/security/pam_userdb.so
[root@mysystem vsftpd]# rpm -ql pam | grep pam_userdb.so
[root@mysystem vsftpd]# vi /etc/pam.d/vsftpd
(I EDITED THE FILE TO LOOK LIKE THIS:)
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
#auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth required pam_shells.so
#auth include system-auth
#account include system-auth
#session include system-auth
#session required pam_loginuid.so
(note: I had to comment out the bottom 6 lines to get the pam_userdb authentication to succeed for ftp logins. With them not commented out, authentication of known good users failed)
STEP 3: Create the system user named in vsftpd.conf (a dummy account that owns the virtual users' files and is never logged into directly via FTP, so give it no login shell)
[root@mysystem vsftpd]# adduser -d /home/virtualftp/ -s /sbin/nologin virtualftp
STEP 4: Configure vsftpd for virtual users
[root@mysystem vsftpd]# cd /etc/vsftpd
[root@mysystem vsftpd]# vi vsftpd.conf
(HERE IS MY vsftpd.conf FILE MINUS DEFAULT COMMENTS:)
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
# Virtual users will be logged into /home/virtualftp/[username]/
user_sub_token=$USER
local_root=/home/virtualftp/$USER
guest_enable=YES
guest_username=virtualftp
# Umask applied for virtual users and anon
anon_umask=0022
# Allows uploading by virtual users
anon_upload_enable=YES
# Allows creation of directories by virtual users
anon_mkdir_write_enable=YES
# Allows deletion of files and directories by virtual users
anon_other_write_enable=YES
Now start up vsftpd (which is configured to run stand-alone in my config file):
[root@mysystem vsftpd]# vsftpd
STEP 5: Setup virtual FTP usernames and their passwords
[root@mysystem vsftpd]# vi /etc/vsftpd/vsftpd_users.txt
(FORMAT OF THE FILE:)
username1
passwordforusername1
username2
passwordforusername2
username3
passwordforusername3
Now we create the DB4 formatted username/password file from the plain text vsftpd_users.txt file that will be used by pam_userdb.so:
[root@mysystem vsftpd]# rm /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# chmod 600 /etc/vsftpd/vsftpd_users.db /etc/vsftpd/vsftpd_users.txt
STEP 6: Create directories for each virtual FTP user
[root@mysystem vsftpd]# mkdir -p /home/virtualftp/username1
STEP 7: Test an FTP virtual user login
[root@mysystem vsftpd]# ftp localhost
Connected to localhost.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): username1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX
Using binary mode to transfer files.
ftp>
Troubleshooting
If there are problems logging in with a virtual ftp user, check /var/log/secure FIRST!
[root@mysystem vsftpd]# tail -f /var/log/secure
Mar 2 15:07:04 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testing rhost=mysystem.cluster
Mar 2 15:07:04 mysystem vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user testing
Mar 2 15:08:32 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:11:15 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user0123456789012345678901234' granted access
Mar 2 15:12:36 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user01234567890123456789012345' granted access
Mar 2 15:13:43 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user012345678901234567890123456' granted access
Mar 2 15:14:51 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user0123456789012345678901234567' granted access
I found a few times, which can be seen in the real log files above, that the vsftpd_users.db file was not correctly recreated with the db42_load command over the top of an existing vsftpd_users.db file. To resolve this, I simply remove the current vsftpd_users.db file and recreate the file from scratch with the db42_load.
[root@mysystem vsftpd]# strings /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db
STEP 1: Install Required packages:
pam (installed by default)
db4 (db4 is my version and was installed by default)
vsftpd
compat-db (this is the package name on fedora which provides the binary db42_load)
Check if the 'db' package is installed
[root@mysystem vsftpd]# rpm -qa | grep -i db
If the db4 package is not installed, install it:
[root@mysystem vsftpd]# yum install db4
The compat-db package provides the db42_load binary used to build the virtual username/password db file:
[root@mysystem vsftpd]# yum install compat-db
[root@mysystem vsftpd]# yum install vsftpd
Can't find the dbXX_load binary? Check the locations of the files in this package:
[root@mysystem vsftpd]# rpm -ql compat-db
STEP 2: Configure PAM
Confirm the existence/location of the file /lib/security/pam_userdb.so:
[root@mysystem vsftpd]# rpm -ql pam | grep pam_userdb.so
[root@mysystem vsftpd]# vi /etc/pam.d/vsftpd
(I EDITED THE FILE TO LOOK LIKE THIS:)
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
#auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth required pam_shells.so
#auth include system-auth
#account include system-auth
#session include system-auth
#session required pam_loginuid.so
(note: I had to comment out the bottom 6 lines to get the pam_userdb authentication to succeed for ftp logins. With them not commented out, authentication of known good users failed)
STEP 3: Create system user for vsftpd.conf (this is basically a dummy user, not logged into directly via FTP)
[root@mysystem vsftpd]# adduser -d /home/virtualftp/ virtualftp
STEP 4: Configure vsftpd for virtual users
[root@mysystem vsftpd]# cd /etc/vsftpd
[root@mysystem vsftpd]# vi vsftpd.conf
(HERE IS MY vsftpd.conf FILE MINUS DEFAULT COMMENTS:)
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
# Virtual users will be logged into /home/virtualftp/[username]/
user_sub_token=$USER
local_root=/home/virtualftp/$USER
guest_enable=YES
guest_username=virtualftp
# Umask applied for virtual users and anon
anon_umask=0022
# Allows uploading by virtual users
anon_upload_enable=YES
# Allows creation of directories by virtual users
anon_mkdir_write_enable=YES
# Allows deletion of files and directories by virtual users
anon_other_write_enable=YES
Now start up vsftpd (which is configured to run stand-alone in my config file):
[root@mysystem vsftpd]# vsftpd
STEP 5: Set up virtual FTP usernames and their passwords
[root@mysystem vsftpd]# vi /etc/vsftpd/vsftpd_users.txt
(FORMAT OF THE FILE:)
username1
passwordforusername1
username2
passwordforusername2
username3
passwordforusername3
Now we create the DB4-formatted username/password file, which pam_userdb.so will use, from the plain text vsftpd_users.txt file:
[root@mysystem vsftpd]# rm /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# chmod 600 /etc/vsftpd/vsftpd_users.db /etc/vsftpd/vsftpd_users.txt
STEP 6: Create directories for each virtual FTP user
[root@mysystem vsftpd]# mkdir -p /home/virtualftp/username1
STEP 7: Test an FTP virtual user login
[root@mysystem vsftpd]# ftp localhost
Connected to localhost.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): username1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX
Using binary mode to transfer files.
ftp>
Troubleshooting
If there are problems logging in with a virtual ftp user, check /var/log/secure FIRST!
[root@mysystem vsftpd]# tail -f /var/log/secure
Mar 2 15:07:04 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testing rhost=mysystem.cluster
Mar 2 15:07:04 mysystem vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user testing
Mar 2 15:08:32 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:11:15 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user0123456789012345678901234' granted access
Mar 2 15:12:36 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user01234567890123456789012345' granted access
Mar 2 15:13:43 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user012345678901234567890123456' granted access
Mar 2 15:14:51 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user0123456789012345678901234567' granted access
I found a few times, which can be seen in the real log files above, that the vsftpd_users.db file was not correctly recreated when the db42_load command was run over the top of an existing vsftpd_users.db file. To resolve this, I simply remove the current vsftpd_users.db file and recreate it from scratch with db42_load.
[root@mysystem vsftpd]# strings /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db
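The /var/log/secure lines above are the quickest way to see which module in the stack is rejecting a login. As an added example (not part of the original post), this Python parser reads pam_* lines of that format and reports users who were granted access by one module but failed in another within the same second, which is exactly the symptom of the uncommented system-auth lines mentioned in STEP 2. The sample log is copied from the post's output; no other names are assumed.

```python
"""Added example: parse pam_* entries from /var/log/secure and flag logins
with mixed verdicts (granted by pam_userdb, failed by another module)."""

import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the tail -f /var/log/secure lines shown in the post.
SAMPLE_SECURE_LOG = """\
Mar 2 15:07:04 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testing rhost=mysystem.cluster
Mar 2 15:07:04 mysystem vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user testing
Mar 2 15:08:32 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
"""

# <timestamp> <host> <process>: pam_<module>(<service>:<interface>): <message>
PAM_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<proc>[\w.-]+): "
    r"(?P<module>pam_\w+)\((?P<service>\w+):(?P<type>\w+)\): (?P<msg>.*)$"
)
# The user name appears in three different spellings depending on the module.
USER_IN_MSG = re.compile(r"user '(?P<u>[^']+)'|ruser=(?P<r>\S+)|about user (?P<a>\S+)")


def parse_pam_events(text: str) -> List[Dict[str, str]]:
    """Return one dict per pam_* line with module, service, interface, user, outcome."""
    events = []
    for line in text.splitlines():
        m = PAM_LINE.match(line)
        if not m:
            continue  # not a PAM line (other sshd/vsftpd noise); skip it
        ev = m.groupdict()
        um = USER_IN_MSG.search(ev["msg"])
        ev["user"] = (um.group("u") or um.group("r") or um.group("a")) if um else ""
        msg = ev["msg"]
        if "granted access" in msg:
            ev["outcome"] = "granted"
        elif "authentication failure" in msg or "error retrieving" in msg:
            ev["outcome"] = "failed"
        else:
            ev["outcome"] = "info"
        events.append(ev)
    return events


def mixed_verdicts(events: List[Dict[str, str]]) -> Dict[Tuple[str, str], Dict[str, set]]:
    """Map (timestamp, user) -> {'granted': modules, 'failed': modules}, keeping only
    the entries where both happened: pam_userdb accepted the user but a later
    'required' module in the same stack (pam_unix, pam_succeed_if) rejected it."""
    by_key = defaultdict(lambda: {"granted": set(), "failed": set()})
    for ev in events:
        if ev["outcome"] in ("granted", "failed") and ev["user"]:
            by_key[(ev["ts"], ev["user"])][ev["outcome"]].add(ev["module"])
    return {k: v for k, v in by_key.items() if v["granted"] and v["failed"]}


if __name__ == "__main__":
    for (ts, user), v in mixed_verdicts(parse_pam_events(SAMPLE_SECURE_LOG)).items():
        print(f"{ts} {user}: granted by {sorted(v['granted'])}, failed by {sorted(v['failed'])}")
```

Run it against `tail -n 200 /var/log/secure` after a failed virtual-user login: a hit means the stack still contains modules that look the virtual user up in /etc/passwd.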
Pluggable Authentication Modules
LINUX PAM
What is authentication?
Programs which grant users access to the system verify each user's identity through a process called authentication. Each program has its own way of authenticating. Under Linux many programs are configured to use a centralized authentication mechanism called Pluggable Authentication Modules (PAM).
Advantages of using PAM
1. It provides a common authentication scheme that can be used with a wide variety of applications.
2. It provides a large amount of flexibility for both system administrators and developers.
3. It allows application developers to develop programs without creating their own authentication scheme.
LOCATION OF CONFIGURATION FILES
The configuration files are located in /etc/pam.d/. In older versions the PAM configuration is in /etc/pam.conf.
Each PAM-aware application must have an entry in /etc/pam.d/.
EG: The login program must have an entry in the /etc/pam.d/ directory.
PAM CONFIGURATION FILE FORMAT
A PAM configuration file contains a group of directives of the following form:
(module interface) (control flag) (module name) (module arguments)
MODULE INTERFACE
There are four types of PAM module interface, corresponding to four types of authentication process.
AUTH
This module interface is responsible for asking for a password and verifying that it is valid. It can also set credentials such as group membership or Kerberos tickets.
ACCOUNT
This module interface verifies that access is allowed.
eg: It checks whether the account has expired or whether the user is allowed to log in at a particular time of day.
PASSWORD
This module interface sets and verifies passwords.
SESSION
This module interface configures and manages user sessions. Modules used with this interface can also perform additional tasks that are needed to allow access, i.e. mounting the user's home directory and making the user's mailbox available.
NOTE: An individual module can be used with any or all of the interfaces; that is, pam_unix.so can be used with all four interfaces.
Module interface directives can be stacked. When module interfaces are used in a PAM configuration file, each module is used like a stack, that is, first in last out. When multiple modules are used for one purpose, the order in which the module interfaces are used is very important.
CONTROL FLAG
All PAM modules generate a success or failure result when called. The control flag tells PAM what to do with that result. Since modules are stacked in a particular order, the control flag decides how important the success or failure of a particular module is in the overall goal of authenticating the user to a service.
There are four predefined control flags:
1. required
2. requisite
3. sufficient
4. optional
Required
The module result must be successful for authentication to continue. If a required module fails, the user is not notified until the results of all modules referencing that interface are completed.
Requisite
The module result must be successful for authentication to continue. However, if a requisite module fails, the user is notified immediately with a message reflecting the first failed required or requisite module.
Sufficient
The module result is ignored if it fails. However, if a sufficient flagged module succeeds and no required flagged modules have failed, then no other results are required and the user is authenticated to the service.
Optional
The module result is ignored. A module result only becomes necessary for successful authentication when there is no other module referencing that interface.
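As an added worked example (not from the original text), the following Python function simulates how PAM combines the results of a stack of modules under these four flags; the sample stacks and the results each module returns are constructed for illustration and borrow module names from the /etc/pam.d/login example further down.

```python
"""Added example: simulate the evaluation of one PAM module-interface stack
(e.g. the 'auth' lines of a service file) under the four control flags."""

from typing import List, Tuple

# One stack entry: (control flag, module name, result the module would return)
Entry = Tuple[str, str, bool]


def evaluate_stack(stack: List[Entry]) -> bool:
    """Return the overall result PAM hands back to the application.

    required  : a failure makes the final result a failure, but the remaining
                modules still run (the user is not told which one failed)
    requisite : a failure ends the stack immediately with a failure
    sufficient: a success ends the stack with success unless a required
                module above it has already failed; its own failure is ignored
    optional  : ignored unless it is the only module in the stack
    """
    if len(stack) == 1 and stack[0][0] == "optional":
        return stack[0][2]

    required_failed = False
    for flag, name, ok in stack:
        if flag == "required":
            if not ok:
                required_failed = True      # remember it, but keep going
        elif flag == "requisite":
            if not ok:
                return False                # stop right here
        elif flag == "sufficient":
            if ok and not required_failed:
                return True                 # nothing below needs to run
        elif flag == "optional":
            pass                            # result carries no weight
        else:
            raise ValueError(f"unknown control flag {flag!r} on {name}")
    return not required_failed


# Constructed: all-required stack in which the password check fails. The
# stack still runs to the end, then the overall result is a failure.
BAD_PASSWORD: List[Entry] = [
    ("required", "pam_securetty.so", True),
    ("required", "pam_pwdb.so", False),
    ("required", "pam_nologin.so", True),
]

# Constructed: a sufficient pam_userdb success short-circuits the stack, so
# the later pam_unix entry never decides anything.
USERDB_SUFFICIENT: List[Entry] = [
    ("sufficient", "pam_userdb.so", True),
    ("required", "pam_unix.so", False),
]

# Constructed: a requisite failure stops the stack at once.
REQUISITE_STOP: List[Entry] = [
    ("requisite", "pam_securetty.so", False),
    ("sufficient", "pam_userdb.so", True),
]

if __name__ == "__main__":
    for label, stack in (("bad password", BAD_PASSWORD),
                         ("userdb sufficient", USERDB_SUFFICIENT),
                         ("requisite failure", REQUISITE_STOP)):
        print(f"{label:20s} -> {'granted' if evaluate_stack(stack) else 'denied'}")
```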
Module name
In older PAM configuration files the module must be specified with an absolute path, eg: /lib/security/pam_stack.so. On newer systems only the module name needs to be specified in the PAM configuration file.
Modules location
The PAM modules are located in /lib/security/.
Module arguments
Arguments can be passed to the PAM modules used in the PAM configuration file. For example, the pam_userdb.so module uses secrets stored within a Berkeley DB file to authenticate the user. Berkeley DB is an open source database system which is embedded in many applications. The module mentioned above takes a db argument: db=path to file.
PAM error messages
All PAM modules report error messages in /var/log/messages.
AVAILABLE MODULES
1. pam_access.so
The pam_access.so module is an access control module. It is used with the account module interface. It requires the configuration file /etc/security/access.conf. When the pam_access module is invoked, the /etc/security/access.conf file is searched for the first entry that matches the username and tty or hostname pair. If no match is found, then access is granted.
FIELDS IN /etc/security/access.conf
Each login access control line in /etc/security/access.conf has three fields separated by the ":" symbol:
permission:user/group:origins (for a non-networked login the origin is the tty)
The permission field may be the symbol + or -. The + symbol indicates that access is granted; the - symbol indicates that access is denied.
The second field is the user/group field, which may be one or more login names, group names or ALL. It should be noted that group entries should be written in ( ).
The third field is a list of one or more tty names, hostnames, domain names (beginning with ".") or internet network numbers (ending with ".").
The wildcards ALL or LOCAL may also be used.
Sample /etc/security/access.conf File
# access.conf file
-:ALL:.evil.com .spam.org
-:ALL EXCEPT root: tty1
+:ALL EXCEPT root:172.17.
+:wheel paul:leghorn
-:ALL:ALL
Now simply add the line
account required /lib/security/pam_access.so
Example of adding pam_access to the /etc/pam.d/login File
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
account required /lib/security/pam_access.so
password required /lib/security/pam_cracklib.so minlen=20 retry=3 type=SECRET
password required /lib/security/pam_pwdb.so md5 use_authtok
session required /lib/security/pam_pwdb.so
Any attempted access from a denied location will result in a "Permission denied" error message, as shown in Example 5-23, where Paul attempts to log in at the console. All failed attempts due to pam_access are logged in /var/log/messages by default. See Chapter 8 for further information about log files.
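To see how the three fields and the first-match rule play out, here is an added example (not from the original text, and not pam_access's own code) that parses the sample access.conf above and evaluates a (user, groups, origin) triple against it. It treats a bare name in the second field as a login name or group and a "(name)" entry as a group only, and it assumes "LOCAL" means an origin without a dot.

```python
"""Added example: first-match evaluator for /etc/security/access.conf lines
of the form permission:users:origins, as described above."""

from dataclasses import dataclass
from typing import Callable, List, Set

# Constructed copy of the sample access.conf shown in the text.
SAMPLE_ACCESS_CONF = """\
# access.conf file
-:ALL:.evil.com .spam.org
-:ALL EXCEPT root: tty1
+:ALL EXCEPT root:172.17.
+:wheel paul:leghorn
-:ALL:ALL
"""


@dataclass
class Rule:
    allow: bool
    users: List[str]
    origins: List[str]
    lineno: int


def parse_access_conf(text: str) -> List[Rule]:
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed access.conf line: {raw!r}")
        rules.append(Rule(fields[0] == "+", fields[1].split(), fields[2].split(), lineno))
    return rules


def _match_list(items: List[str], matcher: Callable[[str], bool]) -> bool:
    """'A B EXCEPT C D' matches when A or B matches and neither C nor D does."""
    if "EXCEPT" in items:
        idx = items.index("EXCEPT")
        return _match_list(items[:idx], matcher) and not _match_list(items[idx + 1:], matcher)
    return any(matcher(item) for item in items)


def _user_matches(item: str, user: str, groups: Set[str]) -> bool:
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):   # explicit group entry
        return item[1:-1] in groups
    return item == user or item in groups            # bare name: login name or group


def _origin_matches(item: str, origin: str) -> bool:
    if item == "ALL":
        return True
    if item == "LOCAL":                               # tty or unqualified hostname
        return "." not in origin
    if item.startswith("."):                          # domain name: suffix match
        return origin.endswith(item)
    if item.endswith("."):                            # network number: prefix match
        return origin.startswith(item)
    return item == origin                             # tty name or full hostname


def check_access(rules: List[Rule], user: str, groups: Set[str], origin: str) -> bool:
    """The first rule matching both user and origin decides; no match grants access."""
    for rule in rules:
        if _match_list(rule.users, lambda i: _user_matches(i, user, groups)) and \
           _match_list(rule.origins, lambda i: _origin_matches(i, origin)):
            return rule.allow
    return True


if __name__ == "__main__":
    rules = parse_access_conf(SAMPLE_ACCESS_CONF)
    for user, groups, origin in (("paul", {"users"}, "tty1"),
                                 ("root", set(), "tty1"),
                                 ("paul", {"users"}, "leghorn"),
                                 ("alice", {"wheel"}, "172.17.4.2")):
        verdict = "granted" if check_access(rules, user, groups, origin) else "denied"
        print(f"{user} from {origin}: {verdict}")
```

Note that with the closing "-:ALL:ALL" line even root at tty1 is denied, because the earlier "+" lines only cover the 172.17. network and the host leghorn.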
PAM_CRACKLIB.SO
To improve the security of standard reusable passwords we can require users to change their password regularly, enforce a minimum length and good rules for new passwords, and even keep a history of user passwords so that users don't repeat their passwords.
Enabling pam_cracklib.so
The pam_cracklib.so module is enabled in the PAM configuration file, i.e. on Debian systems /etc/pam.d/common-password and on Red Hat Linux systems /etc/pam.d/system-auth. A typical configuration looks like this:
password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so md5 use_authtok
The first line enables the pam_cracklib module and sets several parameters.
retry=3 means the user gets three chances to pick a good password before the password program exits. minlen=6 sets the minimum number of characters in the password.
difok=3 sets the minimum number of characters that must be different from the previous password. If you increase the value of the minimum length you must also increase the value of difok.
Block non-root users from shutting down the system
Prevent a non-root user from shutting down or rebooting the system
To prevent all non-root users from using the shutdown, reboot or halt commands, do the following:
1. In the file /etc/X11/gdm/gdm.conf, change the line that reads:
SystemMenu=true
to
SystemMenu=false
2. In the file /etc/inittab, change the line that reads:
ca:ctrlaltdel:/sbin/shutdown -t3 -r now
to
ca:ctrlaltdel:echo "You are not authorized to turn off the machine"
3. In the directory /etc/security/console.apps/, delete the files reboot, poweroff and halt.
4. Remove the file /usr/bin/poweroff.
SquirrelMail Installation from Source
SquirrelMail
# wget -O squirrelmail-1.4.20.tar.bz2 http://sourceforge.net/projects/squirrelmail/files/stable/1.4.20/squirrelmail-1.4.20.tar.bz2/download
# tar xvjf squirrelmail-1.4.20.tar.bz2
# mv squirrelmail-1.4.20 /var/www/html
# chown -R apache:apache /var/www/html/squirrelmail-1.4.20
# cd /var/www/html/squirrelmail-1.4.20
# cd /var/www/html
# mv squirrelmail-1.4.20 webmail
# cd webmail
# mkdir -p /var/local/squirrelmail
# mv -i data/ /var/local/squirrelmail/
# mkdir -p /var/local/squirrelmail/attach
# chown -R apache.apache /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/
# chown -R apache /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/
# chgrp -R apache /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/
The data directory inside the above location is moved somewhere else because SquirrelMail keeps uploaded data in this directory.
# cd /var/www/html/webmail/config
# ./conf.pl
Select option 2 and enter the values given below:
1. Domain : ip address of the server
2. Invert Time : false
3. Sendmail or SMTP : Sendmail
A. Update IMAP Settings : localhost:143 (courier)
B. Change Sendmail Config : /usr/sbin/sendmail
Save and return to the previous menu.
From the main menu select option 4, General Options, and change the following settings:
1. Data Directory : /var/www/html/squirrelmail-1.4.20/data/ // This is optional
2. Attachment Directory : $data_dir/ // This is optional
Save and return to the previous menu.
Add the virtual host in Apache:
<VirtualHost *:80>
# ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /var/www/html/webmail
ServerName www.test.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
# service httpd restart
# /etc/init.d/imapd.rc restart
In the browser enter localhost/webmail
Thursday, July 29, 2010
SENDMAIL LOGGING
SENDMAIL [SYSLOG]
How does syslog determine where to send the log messages for sendmail?
The mail-related entries of syslog.conf on SLES are shown below:
# grep -i mail /etc/syslog.conf
mail.* - /var/log/mail
mail.info - /var/log/mail.info
mail.warning - /var/log/mail.warn
mail.err - /var/log/mail.err
*.*,mail.none,news.none - /var/log/messages
Explanation:
In general, syslog entries on Linux and Unix servers are of the following form:
facility.level
The facility is mail in syslog.conf.
The level may be one of 0 to 8, i.e. debug to emergency.
mail.* in syslog.conf indicates all levels.
NOTE: debug produces the most messages and emergency produces the fewest.
The debug level creates lots of disk I/O.
With sendmail, the system log contains at least two lines for each message.
The first line acknowledges receipt of the message and the second line corresponds to the delivery attempt.
Examples are given below.
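The facility.level selectors above decide which files a message lands in. As an added example (not from the original post), this Python evaluator parses the syslog.conf lines shown above and answers, for a given facility and level, which targets receive the message; it assumes the classic eight priority names, accepts the comma separator as printed in the post as well as the usual ";", and treats a leading "-" before the file name as the no-fsync marker rather than part of the path.

```python
"""Added example: which log files does a syslog message reach, given the
facility.level selector lines quoted from syslog.conf above?"""

from typing import List, Tuple

# Classic syslog priority levels, most severe first.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

# Selector lines copied from the SLES syslog.conf output in the post.
SYSLOG_CONF = """\
mail.* - /var/log/mail
mail.info - /var/log/mail.info
mail.warning - /var/log/mail.warn
mail.err - /var/log/mail.err
*.*,mail.none,news.none - /var/log/messages
"""

Selector = Tuple[str, str]            # (facility, level)
RuleT = Tuple[List[Selector], str]    # (selectors, target file)


def level_index(name: str) -> int:
    return LEVELS.index(ALIASES.get(name, name))


def parse_syslog_conf(text: str) -> List[RuleT]:
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sel, target = line.split(None, 1)
        target = target.lstrip("- ").strip()    # "-" means no fsync; not part of the path
        selectors = []
        for part in sel.replace(";", ",").split(","):
            fac, lvl = part.split(".", 1)
            selectors.append((fac, lvl))
        rules.append((selectors, target))
    return rules


def selector_matches(selectors: List[Selector], facility: str, level: str) -> bool:
    """facility.level matches that level and every more severe one; '*' matches
    any facility or level; 'none' excludes the facility. When several selectors
    on one line name the same facility, the last one wins (this is how
    '*.*;mail.none' keeps mail out of /var/log/messages)."""
    verdict = None
    for fac, lvl in selectors:
        if fac != "*" and fac != facility:
            continue
        if lvl == "none":
            verdict = False
        elif lvl == "*":
            verdict = True
        else:
            verdict = level_index(level) <= level_index(lvl)
    return bool(verdict)


def targets_for(rules: List[RuleT], facility: str, level: str) -> List[str]:
    return [target for selectors, target in rules if selector_matches(selectors, facility, level)]


if __name__ == "__main__":
    rules = parse_syslog_conf(SYSLOG_CONF)
    for fac, lvl in (("mail", "info"), ("mail", "err"), ("mail", "debug"), ("kern", "warning")):
        print(f"{fac}.{lvl:8s} -> {targets_for(rules, fac, lvl)}")
```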
Receipt of a message from the mail user agent
Jun 2 11:42:13 pc1 sendmail[6484]: o526C9vA006484: from=root, size=6, class=0, nrcpts=1, msgid=<201006020612.o526C9vA006484@pc1.test.com>, relay=root@localhost
Jun 2 11:42:22 pc1 sm-mta[6500]: o526CD0Q006500: from=, size=262, class=0, nrcpts=1, msgid=<201006020612.o526C9vA006484@pc1.test.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Delivery of the message
Jun 2 11:42:22 pc1 sm-mta[6500]: o526CD0Q006500: to=, ctladdr= (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30262, dsn=2.0.0, stat=Sent
Jun 2 11:42:22 pc1 sendmail[6484]: o526C9vA006484: to=root, ctladdr=root (0/0), delay=00:00:13, xdelay=00:00:09, mailer=relay, pri=30006, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (o526CD0Q006500 Message accepted for delivery).
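Each message is logged under its queue id, and the "Message accepted for delivery" note in the stat= field of the relay line names the queue id the message got on the next hop. As an added example (not from the original post), this Python snippet groups the four log lines above by queue id and follows that hop, which is how you trace a single message through sendmail and sm-mta in /var/log/mail; the sample is copied from the post, with the addresses elided there left empty.

```python
"""Added example: correlate sendmail receive (from=) and delivery (to=) log
lines by queue id and follow the relay hop recorded in stat=."""

import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: the log lines quoted in the post.
SAMPLE_MAIL_LOG = """\
Jun 2 11:42:13 pc1 sendmail[6484]: o526C9vA006484: from=root, size=6, class=0, nrcpts=1, msgid=<201006020612.o526C9vA006484@pc1.test.com>, relay=root@localhost
Jun 2 11:42:22 pc1 sm-mta[6500]: o526CD0Q006500: from=, size=262, class=0, nrcpts=1, msgid=<201006020612.o526C9vA006484@pc1.test.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jun 2 11:42:22 pc1 sm-mta[6500]: o526CD0Q006500: to=, ctladdr= (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30262, dsn=2.0.0, stat=Sent
Jun 2 11:42:22 pc1 sendmail[6484]: o526C9vA006484: to=root, ctladdr=root (0/0), delay=00:00:13, xdelay=00:00:09, mailer=relay, pri=30006, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (o526CD0Q006500 Message accepted for delivery).
"""

# <timestamp> <host> <program>[<pid>]: <queue id>: key=value, key=value, ...
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)
FIELD = re.compile(r"(\w+)=([^,]*)")                       # values in these lines carry no commas
NEXT_QID = re.compile(r"stat=Sent \((?P<qid>[A-Za-z0-9]+) Message accepted for delivery\)")


def parse_sendmail_log(text: str) -> Dict[str, Dict[str, object]]:
    """Group lines by queue id: {'from': fields, 'to': [fields...], 'next': qid or None}."""
    msgs = defaultdict(lambda: {"from": None, "to": [], "next": None})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        fields = dict(FIELD.findall(rest))
        fields["_ts"], fields["_prog"] = m.group("ts"), m.group("prog")
        rec = msgs[m.group("qid")]
        if "from" in fields:                 # receive line
            rec["from"] = fields
        elif "to" in fields:                 # delivery attempt line
            rec["to"].append(fields)
            nxt = NEXT_QID.search(rest)
            if nxt:
                rec["next"] = nxt.group("qid")   # queue id on the next hop
    return dict(msgs)


def trace(msgs: Dict[str, Dict[str, object]], qid: str) -> List[Dict[str, str]]:
    """Follow a message from one queue id through every relay hop it took."""
    hops, seen = [], set()
    while qid in msgs and qid not in seen:   # 'seen' guards against a relay loop
        seen.add(qid)
        rec = msgs[qid]
        sender = (rec["from"] or {}).get("from", "?")
        for d in rec["to"]:
            hops.append({"qid": qid, "prog": d["_prog"], "from": sender,
                         "to": d["to"], "mailer": d["mailer"], "dsn": d["dsn"]})
        qid = rec["next"]
    return hops


if __name__ == "__main__":
    for hop in trace(parse_sendmail_log(SAMPLE_MAIL_LOG), "o526C9vA006484"):
        print(f"{hop['qid']} {hop['prog']:8s} from={hop['from']!r} to={hop['to']!r} "
              f"mailer={hop['mailer']} dsn={hop['dsn']}")
```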
RESTRICTING MESSAGE SIZE IN SENDMAIL
RESTRICTING MESSAGE SIZE
Go to /data/sendmail-8.14.0/cf/cf
# vi sendmail.mc
Insert the following line:
define(`confMAX_MESSAGE_SIZE', `4096') // the maximum size of messages coming into the server is restricted to 4k
# cp sendmail.cf /etc/mail
# grep MaxMessageSize /etc/mail/sendmail.cf
The output should contain the following:
MaxMessageSize=4096
CLAMAV INSTALLATION ON OpenSuse 11
CLAMAV INSTALLATION
# cd /data
# cd clamav
# tar xvzf clamav-0.96.1.tar.gz
# cd clamav
# groupadd clamav
# useradd -g clamav clamav
# ./configure
#make
# make install
# cd /usr/local/etc/
# vi clamd.conf
comment out the line Example.
#Example
uncomment the line
LocalSocket /tmp/clamd.socket
:wq //save the file
# vi freshclam.conf
Comment out the line Example
# Example
:wq //Save the file.
# touch /var/log/freshclam.log
# chmod 600 /var/log/freshclam.log
# chown clamav /var/log/freshclam.log
# which freshclam // This is the utility responsible for updating clam.
The output should be:
/usr/local/bin/freshclam
Run the following
# ldconfig
# freshclam // This command updates the virus signature databases used by clamd
# clamscan
# clamd start
# ps -ax | grep clam
The output should be:
# ps -ax | grep clam
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
3981 ? Ssl 0:00 clamd start
4010 pts/0 R+ 0:00 grep clam
# freshclam // freshclam is the command used to update the ClamAV signature databases.
# which freshclam
The log file for the freshclam process is:
# ls -l /var/log/freshclam.log
Run the freshclam process daily from cron.
Thursday, July 8, 2010
SAMBA PRIMARY DOMAIN CONTROLLER
SAMBA PDC
1. It removes duplicate users and groups from each stand-alone server.
2. Coupled with Microsoft's networking facility, it allows a user to log in to her local workstation via a domain account.
ADVANTAGES AND DISADVANTAGES
1.Samba 3.0 can act as a Windows NT 4.0 domain controller
2.It does not implement the Windows System Account Manager (SAM) replication protocol
3.This means that it cannot participate as a domain controller with Windows DCs in either an NT 4.0 or mixed-mode Active Directory domain.
ENTER THE FOLLOWING CONFIGURATION INTO /etc/samba/smb.conf.
# mkdir -p /data/public
# mkdir -p /data/netlogon
# vi /etc/samba/smb.conf
[global]
netbios name = SERVER1
workgroup = SUPPORT
security = user
encrypt passwords = yes
; enable PDC functionality
domain master = yes
domain logons = yes
; make this DC the local master browser
os level = 33
preferred master = yes
local master = yes
[public]
path = /data/public
read only = no
; emulates the NETLOGON service on a Windows domain controller
[netlogon]
comment = Net Logon service
path = /data/netlogon
; the share is read only; the ntadmin group is included in the write list
read only = yes
write list = +ntadmin
Save the file
Wait approximately one minute for nmbd to complete its name registration process.
Run the following command.
// Enabling the domain master parameter in the global section of smb.conf causes nmbd to register the DOMAIN<0x1b> name (SUPPORT<0x1b> in our example). This name is used by Windows clients to locate the PDC for a domain. When searching for any domain controller, not necessarily just the PDC, a Windows client attempts to resolve the DOMAIN<0x1c> name. You can instruct nmbd to register this name (SUPPORT<0x1c> in our example) by setting the domain logons option in smb.conf.
# nmblookup 'SUPPORT#1b' 'SUPPORT#1c'
The output should be:
querying SUPPORT on 192.168.1.255
192.168.1.2 SUPPORT<1b>
querying SUPPORT on 192.168.1.255
192.168.1.2 SUPPORT<1c>
Also verify the nmbd log file.
# tail -f /var/log/samba/nmbd.log
The output is:
[2010/07/08 21:53:53, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
*****
Samba name server STROK is now a local master browser for workgroup SUPPORT on subnet 192.168.1.12
become_logon_server_success: Samba is now a logon server for workgroup SUPPORT on subnet 192.168.1.12
*****
2.SETTING UP WINDOWS CLIENT ACCOUNT ON THE SAMBA DC
When joining a domain, the client establishes a password known only to itself and to the domain controller. This password is called the machine trust account password and is used to prove the identity of the computer each time it contacts the DC. Windows 2000 and later require that you provide credentials for an administrative account that can create the new machine account and assign it a random password.
Domain Admins
Domain Admins is a special group in Windows domains. The group's RID is always 512. When a Windows client joins a domain, it adds this domain group to its local Administrators group. The result is that members of Domain Admins automatically gain administrative privileges on all domain members. Samba honors membership in the Domain Admins group as well, by granting all Domain Admins the ability to manage the user rights assignments necessary to authorize users to join hosts to the domain.
# vi /etc/samba/smb.conf
add the following line to the [global] section
enable privileges = yes
save the file
# service smb restart
In order to create a group mapping entry for this special domain RID, you must first look up the SID of the SUPPORT domain. You must be root for all the commands in this section.
# net getlocalsid SUPPORT
The output is:
SID for domain SUPPORT is: S-1-5-21-2126422966-4252198253-3505372293
Now append the Domain Admins RID to the domain SID and create a group mapping entry for it:
# net groupmap add sid=S-1-5-21-2126422966-4252198253-3505372293-512 \
ntgroup="Domain Admins" unixgroup=ntadmin
The output is:
Successfully added group Domain Admins to the mapping db
Now all members of the ntadmin Unix group will be seen as domain administrators by both Samba and Windows clients.
Virtual domain with sendmail and dovecot
Special Thanks To : BasilKurain.
Virtual hosting with dovecot
# grep dovecot /etc/passwd
The output is:
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
# grep dovecot /etc/group
dovecot:x:97:
# grep vmail /etc/passwd
The output is empty (no vmail user exists yet).
# grep vmail /etc/group
The output is empty (no vmail group exists yet).
# groupadd vmail
# useradd vmail -g vmail
# ls /home/ -l
The output is:
drwx------ 6 vmail vmail 4096 Jul 8 16:23 vmail
# touch /var/log/dovecot.log
# touch /var/log/dovecot-info.log
# vi /etc/dovecot.conf
add the following entries
# Remove imaps things if you don’t want them
protocols = imaps
# It’s nice to have separate log files for Dovecot. You could do this
# by changing syslog configuration also, but this is easier.
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
# Disable SSL for now.
ssl = no # v1.2+, for older versions use: ssl_disable = yes
disable_plaintext_auth = no
# We’re using Maildir format
mail_location = maildir:~/Maildir
# If you’re using POP3, you’ll need this:
# pop3_uidl_format = %08Xu%08Xv
# Authentication configuration:
auth_verbose = yes
auth default {
mechanisms = plain
passdb passwd-file {
args = /etc/dovecot/passwd
}
userdb static {
args = uid=vmail gid=vmail home=/home/vmail/%u
}
}
# mkdir /etc/dovecot/
# touch /etc/dovecot/passwd
# chown -R dovecot:dovecot /etc/dovecot
# vi /etc/dovecot/passwd
add these lines:
vasanth@testing.com:{PLAIN}redhat
hemanth@testing.com:{PLAIN}redhat
save the file
Open a browser and go to
http://localhost/webmail
username: vasanth@testing.com
password: redhat
You can also use
username: hemanth@testing.com
password: redhat
Now the virtual domain testing.com is configured and the users vasanth and hemanth are added.
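As an added example, not part of the original post, the following shell script audits a passwd-file in the format used above. It reports malformed lines and entries stored with the {PLAIN} or {CLEARTEXT} scheme, which keep the password in clear text in a file readable by the dovecot user; those entries are the ones to replace with a hashed scheme before the file goes into service. The file it checks is constructed here; the {SHA512-CRYPT} value in it is a placeholder, not a real hash.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Dovecot passwd-file
# ("user:{SCHEME}password" per line, as in /etc/dovecot/passwd above).
# Reports malformed lines and entries whose scheme stores the password in
# clear text ({PLAIN} or {CLEARTEXT}).

# Constructed sample file; the SHA512-CRYPT value is a placeholder, not a real hash.
DOVECOT_PASSWD=$(mktemp)
trap 'rm -f "$DOVECOT_PASSWD"' EXIT
cat > "$DOVECOT_PASSWD" <<'EOF'
vasanth@testing.com:{PLAIN}redhat
hemanth@testing.com:{SHA512-CRYPT}$6$placeholdersalt$placeholderhash
carol@testing.com:{CLEARTEXT}redhat
no-colon-on-this-line
EOF

# Lines that do not have the form user:password (prints "LINE:text").
malformed_entries() {
  awk -F: 'NF < 2 || $1 == "" { printf "%d:%s\n", NR, $0 }' "$1"
}

# Users whose stored password is clear text. The scheme tag is compared
# case-insensitively; everything after the first colon is the password field.
plaintext_entries() {
  awk -F: 'NF >= 2 && $1 != "" {
    pw = substr($0, length($1) + 2)
    if (toupper(pw) ~ /^[{](PLAIN|CLEARTEXT)[}]/) print $1
  }' "$1"
}

# Exit 0 only when the file is well formed and holds no clear-text passwords.
passwd_file_ok() {
  [ -z "$(malformed_entries "$1")" ] && [ -z "$(plaintext_entries "$1")" ]
}

echo "malformed:";  malformed_entries "$DOVECOT_PASSWD"
echo "clear text:"; plaintext_entries "$DOVECOT_PASSWD"
passwd_file_ok "$DOVECOT_PASSWD" || echo "fix the entries above before deploying"
```

Run `plaintext_entries /etc/dovecot/passwd` on the real file; with `ssl = no` and `disable_plaintext_auth = no` as configured above, a {PLAIN} entry means the same password is exposed both on disk and on the wire during login.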
Vasanth.T.M
Wednesday, July 7, 2010
Sendmail control script
I am posting one useful script to start, stop and restart sendmail (source code installation).
#! /bin/sh
case "$1" in
start)
echo "Starting SMTP port. (sendmail)"
/usr/sbin/sendmail -bd -q1h
;;
stop)
echo "Stopping SMTP port (sendmail)"
killall /usr/sbin/sendmail
;;
restart|reload)
$0 stop && $0 start
;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac
exit 0
Tuesday, May 18, 2010
DIRECTORY SERVICES
1. What is a directory ?
A directory is a specialized database that stores small pieces of information. Directories tend to be written once and read many times.
2. Use of directories
* Look up email addresses and contact information
* Manage and synchronize user authentication
* Store and search arbitrary data.
3. LDAP
LDAP stands for Lightweight Directory Access Protocol. The first implementation used LDAP as a gateway protocol; in 1995 a stand-alone LDAP daemon for servers was introduced.
4. LDAP models
---------------
There are 4 LDAP models
* Information model
It defines how individual entries in directory are structured.
* Naming model
In this model entries are arranged in a hierarchical tree.
* Functional Model
What operation can be performed on the directory.
* Security model
It defines how directory information is protected from the unauthorized access.
5. INFORMATION MODEL
--------------------------
* The fundamental unit of data storage in a directory is called an entry.
* An entry may represent an object and describes selected characteristics, or attributes, of that object.
* Attributes have different types indicating what sort of information is stored in the attribute.
* Each attribute in an entry has a value associated with it.
* A unique distinguished name identifies each individual entry in the directory tree.
Friday, April 16, 2010
INSTALLATION OF QMAIL SERVER (Building from scratch)
----------------------------
Packages needed
----------------
1. ucspi-tcp -> inetd/xinetd substitute
2. daemontools -> svscan/supervise for service management and logging
3. qmail -> MTA
Login to your server as root
# mkdir qmail
# mkdir /package
# mkdir /var/qmail
# cd qmail
# wget -c http://www.qmail.org/netqmail-1.06.tar.gz
# wget -c http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
# cd /package
# wget -c http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
# cd -
# tar xvzf netqmail-1.06.tar.gz
# cd netqmail-1.06
CREATE FOLLOWING USERS AND GROUPS
----------------------------------
# groupadd nofiles
# useradd -g nofiles -d /var/qmail/alias alias
# useradd -g nofiles -d /var/qmail qmaild
# useradd -g nofiles -d /var/qmail qmaill
# groupadd qmail
# useradd -g nofiles -d /var/qmail qmailp
# useradd -g qmail -d /var/qmail qmailq
# useradd -g qmail -d /var/qmail qmailr
# useradd -g qmail -d /var/qmail qmails
# cd netqmail-1.06
# make setup check
CHECK YOUR FULLY QUALIFIED DOMAIN NAME
--------------------------------------
# hostname
# ./config-fast $(hostname) (the argument must be the fully qualified host name)
# ls -l /var/qmail (QMAIL DIRECTORY STRUCTURE IS CREATED INSIDE /var/qmail)
PATCHING AND INSTALLING UCSPI
------------------------------
Check whether the patch utility is present on your server
# which patch
# tar xvzf ucspi-tcp-0.88.tar.gz
# cd qmail/ucspi/ucspi-tcp-0.88
# patch < /root/qmail/netqmail-1.06/other-patches/ucspi-tcp-0.88.errno.patch
# make
# make setup check
INSTALLING DAEMONTOOLS
-----------------------
# cd /package
# tar xvzf daemontools-0.76.tar.gz
A directory named admin is created inside /package
# cd admin
# cd daemontools-0.76/
# cd src
# patch < /root/qmail/netqmail-1.06/other-patches/daemontools-0.76.errno.patch
# cd /package/admin/daemontools-0.76/
# package/install (RUN EXACTLY AS POSTED)
Now daemontools is installed and it creates one entry in /etc/inittab. The entry is given below.
SV:123456:respawn:/command/svscanboot
CREATING QMAIL STARTING AND STOPPING SCRIPT
-------------------------------------------
# cd /var/qmail
# vi rc
#!/bin/sh
# Using stdout for logging
# Using control/defaultdelivery from qmail-local to deliver messages by default
exec env - PATH="/var/qmail/bin:$PATH" \
qmail-start "`cat /var/qmail/control/defaultdelivery`"
:wq (save the file)
# chmod 755 rc
# mkdir /var/log/qmail
SETTING UP MAILBOX FORMAT
--------------------------
# cd /var/qmail/control
# vi defaultdelivery
./Mailbox
:wq
QMAIL CONTROL SCRIPTS
-----------------------
# cd /var/qmail/bin
# wget http://lifewithqmail.org/qmailctl-script-dt70
# mv qmailctl-script-dt70 qmailctl
# chmod 755 /var/qmail/bin/qmailctl
# ln -s /var/qmail/bin/qmailctl /usr/bin
INSTALLATION OF SUPERVISERY SCRIPTS
-----------------------------------
# mkdir -p /var/qmail/supervise/qmail-send/log
# mkdir -p /var/qmail/supervise/qmail-smtpd/log
# cd /var/qmail/supervise/qmail-send/
# vi run
#!/bin/sh
exec /var/qmail/rc
:wq
# vi /var/qmail/supervise/qmail-send/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail
:wq
# vi /var/qmail/supervise/qmail-smtpd/run
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
echo /var/qmail/supervise/qmail-smtpd/run
exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
echo "No /var/qmail/control/rcpthosts!"
echo "Refusing to start SMTP listener because it'll create an open relay"
exit 1
fi
exec /usr/local/bin/softlimit -m 2000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd 2>&1
:wq
# vi /var/qmail/supervise/qmail-smtpd/log/run
#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail/smtpd
:wq
# mkdir /var/log/qmail/smtpd
Make the run files executable
-----------------------------
# chmod 755 /var/qmail/supervise/qmail-send/run
# chmod 755 /var/qmail/supervise/qmail-send/log/run
# chmod 755 /var/qmail/supervise/qmail-smtpd/run
# chmod 755 /var/qmail/supervise/qmail-smtpd/log/run
# chown qmaill /var/log/qmail /var/log/qmail/smtpd
Finally, link the supervise directories into /service:
# ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /service
# rm -rf /usr/sbin/sendmail
# rm -rf /usr/lib/sendmail
# ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail
# ln -s /var/qmail/bin/sendmail /usr/lib
Traditionally the sendmail binary is used on Unix and Linux systems to inject messages into the queue, so qmail's replacement is linked in its place.
DEFAULT ALIASES FOR MTA
-----------------------
# cd /var/qmail/alias
# echo root > .qmail-root
# echo root > .qmail-postmaster
# ln -s .qmail-postmaster .qmail-mailer-daemon
SMTP Access Control
# echo '127.:allow,RELAYCLIENT=""' >>/etc/tcp.smtp
# qmailctl cdb
Now qmail is installed and ready for local delivery.
TO CHECK QMAIL STATUS
----------------------
# qmailctl stat
The output of the above command should look like the following:
output:
--------------------------------------------------------
/service/qmail-send: up (pid 18742) 111 seconds
/service/qmail-send/log: up (pid 18741) 111 seconds
/service/qmail-smtpd: up (pid 18745) 111 seconds
/service/qmail-smtpd/log: up (pid 18748) 111 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0
----------------------------------------------------------
# ps -ef | grep qmail
MAIL RELAY
----------
Mail relaying is the acceptance by an MTA of mail that is neither for local users nor from local senders. When relaying, qmail acts as both SMTP server and SMTP client.
In qmail, if the domain specified in the message is listed in /var/qmail/control/rcpthosts the message is accepted. If it is not listed in rcpthosts, the message is rejected with the following message.
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
SELECTIVE RELAYING
------------------
There are a few ways to allow our mail system to act as a relay. They are as follows.
Host-Based Relaying
-------------------
This is accomplished by using tcpserver to set the RELAYCLIENT environment variable, which tells qmail-smtpd to override the rcpthosts file.
To give a client relay access, add an entry to /etc/tcp.smtp like this:
IP address of client:allow,RELAYCLIENT=""
For example, to allow the host with the IP address 192.168.174.100 to relay, add the entry
192.168.174.100:allow,RELAYCLIENT=""
You can use wildcards. To match 192.168.174.anything:
192.168.174.:allow,RELAYCLIENT=""
You can also specify domain names:
=client.example.net:allow,RELAYCLIENT=""
Once you have updated the file /etc/tcp.smtp, run the following command.
# qmailctl cdb
which executes the following commands:
# tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
# chmod 644 /etc/tcp.smtp*
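As an added example, not part of the original post or of the ucspi-tcp package, the following shell script reproduces the lookup order tcprules documents for address-keyed rules (the exact address, then each shorter dotted prefix, then the empty default rule, and accept with no variables set when nothing matches), so you can see which instruction a given client would get before running qmailctl cdb. Rules keyed by host name (the =client.example.net form) are not evaluated. The rules file it reads is a constructed sample modelled on the entries above.

```shell
#!/bin/sh
# Added example (not from the original post or from ucspi-tcp): work out which
# /etc/tcp.smtp instruction tcpserver would apply to a client address, using
# the lookup order tcprules documents for IP-keyed rules.

# Constructed sample rules file, modelled on the entries above.
TCP_SMTP_RULES=$(mktemp)
trap 'rm -f "$TCP_SMTP_RULES"' EXIT
cat > "$TCP_SMTP_RULES" <<'EOF'
127.:allow,RELAYCLIENT=""
192.168.174.100:allow,RELAYCLIENT=""
192.168.174.200:deny
192.168.174.:allow,RELAYCLIENT=""
10.:deny
EOF

# Usage: tcp_smtp_decision RULESFILE CLIENT_IP  -> prints the matching instruction
tcp_smtp_decision() {
  awk -F: -v ip="$2" '
    NF == 0 || /^#/ { next }
    { rule[$1] = $2 }
    END {
      n = split(ip, oct, ".")
      c = 0
      cand[++c] = ip                         # exact address first
      for (i = n - 1; i >= 1; i--) {         # then 1.2.3.  1.2.  1.
        p = ""
        for (j = 1; j <= i; j++) p = p oct[j] "."
        cand[++c] = p
      }
      cand[++c] = ""                         # then the default (empty) rule
      for (i = 1; i <= c; i++)
        if (cand[i] in rule) { print rule[cand[i]]; exit }
      print "allow"                          # no instruction: accepted, no RELAYCLIENT
    }' "$1"
}

# Exit 0 when the client would be allowed to relay (RELAYCLIENT is set).
relay_client_set() {
  tcp_smtp_decision "$1" "$2" | grep -q 'RELAYCLIENT='
}

for client in 127.0.0.1 192.168.174.7 192.168.174.200 10.9.8.7 203.0.113.5; do
  printf '%-16s %s\n' "$client" "$(tcp_smtp_decision "$TCP_SMTP_RULES" "$client")"
done
```

An exact-address :deny beats a broader prefix :allow, as the 192.168.174.200 line shows, and an address with no rule at all is accepted without RELAYCLIENT, so it can only deliver to domains in rcpthosts. Run `relay_client_set /etc/tcp.smtp <address>` after adding a wildcard entry to confirm that no unintended address picks up relay rights.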
Authenticated Relaying
----------------------
SMTP authentication
-------------------
SMTP authentication provides authenticated relaying.
I am using the checkpassword program here to set up SMTP authentication.
# cd qmail
# wget http://cr.yp.to/checkpwd/checkpassword-0.90.tar.gz
# tar xvzf checkpassword-0.90.tar.gz
# cd checkpassword-0.90
# make
After running make if it returns an error do the following
# vi error.h
remove extern int errno;
and add
#include
:wq
Again run
# make
# make setup check
# which checkpassword
The output should be
/bin/checkpassword
The above binary checks two files on our server: /etc/passwd and /etc/shadow.
NOTE: Refer http://qmail.oamok.com/qmail/top.html#checkpassword
Download the package qmail-smtpd-auth-0.5.10
# cd qmail
# wget http://www.fehcom.de/qmail/auth/qmail-smtpd-auth-0510_tgz.bin
# mv qmail-smtpd-auth-0510_tgz.bin netqmail-1.06
# cd netqmail-1.06
# tar -tzvf qmail-smtpd-auth-0510_tgz.bin
# tar -xvzf qmail-smtpd-auth-0510_tgz.bin
# mv qmail-smtpd-auth-0510_tgz.bin /root/qmail
# qmailctl stop
# ./install_auth.sh
# ls -l qmail-smtpd.c.patch
# vi qmail-smtpd.c.patch
Do
/* +#define CRAM_MD5 */
:wq
# make setup check ( places new binaries in /var/qmail/run)
# cd /var/qmail/supervise/qmail-smtpd
# vi run