
Friday, May 13, 2011

SOLARIS DISK PARTITIONING

DISK TERMINOLOGY

Disks contain the following components.

1. Tracks
2. Cylinders
3. Sectors/Blocks


Tracks
-----------
Tracks are the concentric rings on each platter.

Cylinder
-----------
A group of tracks.

Sectors/Blocks
----------------

A 512-byte block, the smallest unit addressable on the hard disk.


Partitions in Solaris are also known as slices.


To display the slices within the hard disk:

#df -h

x86 PCs are limited to 4 primary partitions. Normally an x86 disk is divided into 3 primary partitions and 1 extended partition.

NOTE: Solaris needs one fdisk partition for its own use.

If you want to add another hard drive (disk1):

1. Create an fdisk partition for Solaris use

2. Then create slices

NOTE: Solaris uses a VTOC (Volume Table of Contents) to represent the various slices within the Solaris fdisk partition on the disk. On SPARC, Solaris uses the VTOC to represent all the slices.

SLICE RULES USING VTOC
---------------------------------

1. Up to 10 slices may be created using the VTOC on x86.
2. These 10 slices are numbered 0 to 9.
3. Slices 2, 8 and 9 are reserved. Slice 2 is reserved for the VTOC.
NOTE: The VTOC represents the disk label and occupies slice 2.
4. Slices 0, 1, 3, 6 and 7 are available for use.

The root file system is on slice 0.

PRINT VTOC/DISK LABEL USING

# prtvtoc /dev/dsk/c0t0d0s0

c0 - controller number (the first controller)
t0 - target identifier for bus-oriented controllers (SCSI/SATA); for IDE disks the t component is not present
d0 - disk number
s0 - slice 0

The VTOC information describes the entire disk layout.

FORMAT UTILITY
------------------------

1. To open the format utility

# format

2. To list the disk attached to the system

format> disk

3. To select a disk

Enter the number of the disk you want to select and press Enter.

4. To describe the current disk

format> current

The output of the above command is shown below.

Current Disk = c1d0

/pci@0,0/pci-ide@1f,2/ide@1/cmdk@0,0



5. In the format menu you can get help by typing a question mark or help

6. Inside the format tool there is a utility also called format. To format a selected disk use the following steps.

format> disk

select the disk you want to format

format > format


Select partition setup in the format menu.

format> partition

The above partition command lists the available slices.
Select the slice number from there.

partition> 5
Then it will prompt for:


Enter partition id tag: press Enter
Enter partition permission: press Enter
Enter new starting cyl: enter the new starting cylinder


This will create a slice.


Create a file system on the slice with the newfs utility and mount it:

# newfs /dev/rdsk/c0d0s6

# mount /dev/dsk/c0d0s6 /mnt





Tuesday, May 10, 2011

Changing hostname in solaris

Change the hostname in the following files:

/etc/nodename
/etc/hostname.*interface
/etc/inet/hosts
/etc/inet/ipnodes

and rename the directory under /var/crash:

# cd /var/crash
# mv oldname newname

Then reboot the server.

Sunday, May 1, 2011

DEVICES IN SOLARIS

1. If the Solaris Fault Management system detects a problem with a device, messages about the problem can be displayed by using the following command

# fmdump

NOTE: Messages are also traditionally written to the console and to the /var/adm/messages file. If the Fault Management system takes a device offline, the message “(retired)” is displayed in the prtconf output.

2. To view device information from the shell, run the following command

# prtconf

NOTE: It also gives the amount of system memory installed in the system.

3. To display the driver being used for each device

# prtconf -D

4. To view more verbose output

# prtconf -pv

NOTE: The advantage of prtconf is it can be run by any user.

####################################################

X86 based Systems
--------------------------------

In x86-based systems we can display device information using


# /usr/X11/bin/scanpci

or

# /usr/X11/bin/scanpci -v   (provides more verbose output)

####KERNEL MODULES IN SOLARIS #########################

The location of kernel modules in Solaris is as follows.

/kernel/drv (default location for most leaf-node drivers)
/kernel/misc
/usr/kernel/drv
/usr/kernel/misc
/platform/i86pc/kernel/drv
/platform/i86pc/kernel/misc

5. To check loaded module information
------------------------------------------------------------

# modinfo | grep <driver name>


6. To determine whether the kernel is running in 32- or 64-bit mode

# isainfo -kv


7. To manually load a kernel module

# modload /kernel/drv/amd64/e1000g

# modinfo | grep  e1000g

8. To get more verbose driver module information

# strings /kernel/drv/amd64/e1000g | grep -i  ver

9. To check which drivers are bound to which devices

# cat  /etc/driver_aliases

NOTE: Each line of the file has the format: driver name followed by device name.


Saturday, April 30, 2011

SOLARIS NETWORKING

1. The NICs in the system are listed by the following command

# dladm show-dev

2. Information about links on the data-link layer is displayed by

# dladm show-link

3. You can also add information to certain configuration files to create a persistent network configuration. The most common files are /etc/hostname.interface, where interface is the specific interface that is used on the system, and /etc/hosts.

4. To set an IP address in Solaris x86 do the following.

# ifconfig rtls0 plumb 192.168.0.20/24

5. To check the IP address

# ifconfig -a

6. To make the configuration persist across reboots do the following.

# echo 192.168.0.20/24 > /etc/hostname.rtls0

Add the corresponding IP address and hostname to /etc/hosts

# nano /etc/hosts

192.168.0.20 solaris1

7. To add the default router to the system

# echo 192.168.0.1 > /etc/defaultrouter

8. To enable packet forwarding in Solaris

# svcadm enable ipv4-forwarding

9. To start the routing daemon

# svcadm enable route:default


10. Perform a reconfiguration reboot

# reboot -- -r

11. To check whether packet forwarding is enabled

# routeadm

12. To disable packet forwarding

# svcadm disable ipv4-forwarding

13. To perform a reconfiguration reboot

# reboot -- -r

14. To view the routing table.

# netstat -rn

15. To add a particular route

#  route -p add -net 10.0.5.0/24 -gateway 10.0.5.150/24


ADDING A NEWUSER IN SOLARIS

The default home directory for normal users in Solaris is /export/home/username

Before creating the user you should create the directory /export/home/username. Add the user using the following command.


# useradd -d /export/home/user user

The following options can be used with the useradd command.


1. -u 1003—Specifies the UID
2. -g 102—Specifies the GID of the primary group
3. -d /export/home/sandy—Specifies the home directory
4. -s /bin/ksh—Specifies the login shell
5. -m—Creates the home directory specified by the -d option
6. -k /etc/skel—Specifies the location of skeleton files, such as .profile
7. username —Specifies the user name of the account
###############################################################################################

# useradd -u 1003 -g 102 -d /export/home/user -s /usr/bin/bash -c "Vasanth" -m -k /etc/skel user

#################################################################################################

UID AND GID OF USERS IN SOLARIS

1. A UID for a regular user can be between 100 and 2147483647 (except for
60001, 60002, and 65534).

2. UIDs 0–99, 60001, 60002, and 65534 are reserved for use by the Solaris OS

NOTE: Avoid using UIDs over 60000 because they are not compatible with some Solaris features.

DEFAULT USER GROUP IN SOLARIS
##############################

When a new user is created, it is assigned to a primary group called staff.

NOTE: GIDs are assigned from the unused integers between 100 and 60000.

SETTING PASSWORD SECURITY POLICY IN SOLARIS

The length of the password, password locking after failed attempts and the algorithm used to hash the password are defined in

# /etc/security/policy.conf

By default in Solaris the effective password length is 8 characters. If you set a password 10 characters long, characters 9 and 10 are simply ignored.

####### To set up a stronger password hashing scheme in Solaris 10 do the following. ########


# nano /etc/security/policy.conf

Change the lines below and save the file


CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=2a




The password complexity rules, history, and password-aging defaults are specified
in the

# /etc/default/passwd
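As an added example (not part of the original post), here is a small audit script for the policy.conf settings described above. It reports whether a policy.conf will make new passwords use something stronger than the traditional 8-character crypt(3) scheme (__unix__), and which accounts in a shadow file still carry a traditional hash and therefore need a password change before the new policy helps them. The policy fragments, usernames and hash strings are all constructed; on a real host feed it /etc/security/policy.conf and /etc/shadow.

```sh
#!/bin/sh
# Added example, not from the original post. Audits the Solaris password
# hashing policy. All inputs below are constructed so the script runs offline.

WEAK_POLICY='# CRYPT_DEFAULT unset: Solaris falls back to __unix__
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6'

HARDENED_POLICY='CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=2a'

# crypt_policy_check: reads a policy.conf on stdin, prints "ok" or "weak".
# "ok" needs both settings: a non-__unix__ CRYPT_DEFAULT for new passwords,
# and __unix__ deprecated so that existing traditional hashes are re-hashed
# with the default algorithm the next time the user changes their password.
crypt_policy_check() {
  awk -F= '
    /^[ \t]*#/ || NF == 0 { next }
    $1 == "CRYPT_DEFAULT"              { def = $2 }
    $1 == "CRYPT_ALGORITHMS_DEPRECATE" { dep = $2 }
    END {
      if (def != "" && def != "__unix__" && dep == "__unix__") print "ok"
      else print "weak"
    }'
}

# Constructed shadow-style lines: user:hash:lastchg:... (hashes are fake).
SAMPLE_SHADOW='root:$2a$04$CONSTRUCTEDSALTCONSTRUCTEDHASHxxxxxxxxxxxxxx:15000::::::
legacy:abCONSTRUCTED:15000::::::
daemon:NP:6445::::::
nobody:*LK*:6445::::::'

# hash_scheme_report: prints "user scheme" for each shadow line on stdin.
# The hash prefix identifies the algorithm; a bare 13-character string is the
# traditional DES-based crypt that only uses the first 8 password characters.
hash_scheme_report() {
  awk -F: '
    {
      h = $2
      if      (substr(h, 1, 3) == "$1$")   s = "bsd-md5"
      else if (substr(h, 1, 4) == "$2a$")  s = "blowfish"
      else if (substr(h, 1, 5) == "$md5$") s = "sun-md5"
      else if (substr(h, 1, 3) == "$5$")   s = "sha256"
      else if (substr(h, 1, 3) == "$6$")   s = "sha512"
      else if (h == "" || h == "NP" || index(h, "*") == 1) s = "locked-or-nologin"
      else                                 s = "traditional-unix"
      print $1, s
    }'
}

# stale_hash_users: accounts that still need a password change to pick up
# the hardened default (changing the policy alone re-hashes nothing).
stale_hash_users() {
  hash_scheme_report | awk '$2 == "traditional-unix" { print $1 }'
}

demo_weak()  { printf '%s\n' "$WEAK_POLICY"     | crypt_policy_check; }
demo_hard()  { printf '%s\n' "$HARDENED_POLICY" | crypt_policy_check; }
demo_stale() { printf '%s\n' "$SAMPLE_SHADOW"   | stale_hash_users; }

printf 'weak policy: %s, hardened policy: %s\n' "$(demo_weak)" "$(demo_hard)"
printf 'accounts still on traditional hashes: %s\n' "$(demo_stale)"
```

The check insists on CRYPT_ALGORITHMS_DEPRECATE=__unix__ as well as CRYPT_DEFAULT because, without the deprecation, Solaris keeps using an account's current algorithm when its password is changed, so old 8-character hashes would survive indefinitely.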

Monday, April 25, 2011

LINUX LIKE PINGING IN SOLARIS

Normally in Solaris the output of the ping command contains only one line, as shown below.

-bash-3.00# ping google.com
google.com is alive


######## To Use ping just Like in Linux##########

# ping -s google.com

SETTING DNS CLIENT IN SOLARIS

# touch /etc/resolv.conf

# nano /etc/resolv.conf

nameserver 192.168.1.1

Save the above file


# cp /etc/nsswitch.dns /etc/nsswitch.conf

To test the above setup

# nslookup google.com

SETTING DEFAULT ROUTE IN SOLARIS

############ TO ADD A DEFAULT GATEWAY###############

# route add default 192.168.1.1


If you need the route to persist across reboots

# echo 192.168.1.1 > /etc/defaultrouter

NFS SERVER SOLARIS

To enable the NFS service run the following command

# svcadm -v enable -r network/nfs/server

To share /packages directory

# share -F nfs -o rw /packages

The above command is mainly used for temporary sharing and will not persist across a reboot. To make the share persistent, do the following.

# nano /etc/dfs/dfstab

share -F nfs -o rw /packages

Save the file

To mount the share from a remote machine, log in to the client and run:

# mount -F nfs nfsserver:/packages /mnt



##########To restart the NFS server################


# /etc/init.d/nfs.server stop
# /etc/init.d/nfs.server start


######## To disable NFS server#####################


# svcadm -v disable -st network/nfs/server

Installing Nano editor In SOLARIS

-bash-3.00# mkdir /packages

-bash-3.00# cd /packages

Download ftp://ftp.sunfreeware.com/pub/freeware/intel/10/nano-2.0.9-sol10-x86-local.gz into /packages, then:

-bash-3.00# gunzip nano-2.0.9-sol10-x86-local.gz

-bash-3.00# pkgadd -d nano-2.0.9-sol10-x86-local

The above steps will install nano under /usr/local/bin.

Just run

-bash-3.00# /usr/local/bin/nano

Changing The Default shell to Bash in Solaris

Log in to the server as root

Run the following command
# passwd -e

It will prompt like below

Old shell: /bin/sh
New shell:

Enter the new shell as

New shell: /usr/bin/bash

Thursday, March 10, 2011

LDAP ERROR

[root@test1 ~]# /etc/init.d/ldap start
Stopping slapd: [ OK ]
Checking configuration files for slapd: bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2)
Expect poor performance for suffix dc=example,dc=internal.
config file testing succeeded
[ OK ]
Starting slapd: [ OK ]


If you get this warning while starting ldap for the first time, do the following.

[root@fedora ~]# rm -rf /var/lib/ldap/*

[root@fedora ~]# updatedb

[root@fedora ~]# locate DB_CONFIG.example
/usr/share/doc/openldap-servers-2.4.12/DB_CONFIG.example

[root@test ~]# cp /usr/share/doc/openldap-servers-2.4.12/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@fedora ~]# chown -R ldap:ldap /var/lib/ldap


Now restart; the error should be resolved.

[root@fedora ~]# /etc/init.d/ldap restart
Stopping slapd: [ OK ]
Starting slapd: [ OK ]

Sunday, January 30, 2011

Playing with X(X11)

Virtual Terminals


Linux, FreeBSD, and many other modern Unix kernels support a virtual terminal (VT) (or virtual console) capability, which provides independent virtual video cards. The monitor, keyboard, mouse, and physical video card are associated with only one VT at a time, and each virtual video card can be in a different display mode: some may be in character mode while others are in graphical mode. This enables multiple X servers and nongraphical sessions to be active at the same time.

When you are connected to a virtual terminal that isn’t running an X server, you can use Alt-LeftArrow to go to the previous VT and use Alt-RightArrow to switch to the next VT. FreeBSD provides a very similar VT capability, except that the VTs are numbered starting at zero, and the key combination to switch VTs when in character mode is Alt-Fx .

NOTE: Although most kernels support more than 12 virtual terminals, this capability is rarely used because you can't usually use the keyboard to go directly to higher-numbered VTs.


Starting a Raw X Server Manually
1. The simplest way to start an X server is also the least-used technique: simply type the name of the server at a shell prompt:

$ X

You must enter “X” as a capital letter.



2. If an X server is already running on display :0, you will get an error message, because the network port will already be in use. In that case, you can give the new X server a different display number:


$ X :1


3. By default, the X server will start on the first unused VT (usually VT8). You can
request a specific VT by specifying it on the command line:


$ X :1 vt10

4. You can also specify that a particular configuration file should be used, or a particular ServerLayout within a configuration file:


$ X :1 -config configFile


$ X :1 -layout layoutName



NOTE: The downside to starting the X server this way is that no clients are started. Until you start some manually, you’ll be left staring at a blank screen with only a mouse pointer to amuse yourself.

5. You can start the X server and a client at the same time like this:

$ X :1 -terminate & sleep 2 ; DISPLAY=:1 xterm

Using a Display Manager to Start the X Server


6. Three display managers are in common use. The biggest difference between them is the toolkit upon which they are built:

• GDM: GNOME Display Manager (built on GTK)
• KDM: KDE Display Manager (Qt)
• XDM: X Display Manager (Xt)

7. You may be able to recognize the display manager used on your system by its appearance, since each toolkit has a distinctive look. Alternately, you can search the process table to see what's running, using the following:

$ ps -e | grep '[gkx]dm'


8. When you boot into any runlevel that does not start X automatically, you can start
the display manager manually by typing the command name at a root shell prompt:


# gdm

NOTE: By default, Debian-based systems (including Ubuntu) start the display
manager in all runlevels. You can easily disable the startup of the display
manager in runlevel 3 by executing these commands:



# update-rc.d -f gdm remove
# update-rc.d gdm start 31 2 4 5 . stop 31 1 3 .



Started Directly by init


In some Linux distributions, the display manager is directly started by init . For example, in Redhat based systems /etc/inittab, you will find this entry:


# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon

The script /etc/X11/prefdm will execute /usr/sbin/autologin to automatically log in one user if that feature has been set up. Otherwise, it will start one of the display managers (GDM, KDM, or XDM) depending on the specification in /etc/sysconfig/desktop . If that file does not exist, then the first display manager found in alphabetical order will be used.

Since init has been set up to respawn the display manager automatically, it is relatively easy to load and test changes to the display manager configuration file—just kill the display manager! If you’re using XDM or KDM, you can kill the display manager by name:


# killall xdm

NOTE: Killing the display manager will also kill all the display manager's child processes, including X servers, so if you do this through the graphical interface, expect your session to disappear!


GDM is a wrapper script for gdm-binary, so if your system uses GDM , you’d have to kill the display manager with the following:

# killall gdm-binary


You can restart GDM immediately using its restart script:

# gdm-restart


you can specify that a restart should take place as soon as everyone is logged out:


# gdm-safe-restart

On a SUSE system, the display manager is started by

/etc/rc.d/rc5.d/S17xdm
(which is a symbolic link to /etc/rc.d/xdm ).


Similar to the prefdm script used by Fedora, this script finds your preferred display
manager using a configuration file—in this case,

/etc/sysconfig/displaymanager
(or it uses XDM if that file is missing.)

Since this is a regular init script, it is executed only once at startup; when the display manager terminates, it will not be restarted. After editing the display manager configuration file, you can reinvoke the XDM init script using the restart option to put your changes into effect:

# /etc/X11/xdm restart

Or you can use the SUSE shortcut:

# rcxdm restart

Starting Multiple X Servers Using a Display Manager

Starting Multiple X Servers Using XDM

XDM and older versions of KDM (pre-3.4) use the Xservers file to configure the number of servers started by the display manager.

Open /etc/X11/xdm/Xservers (for XDM) or /opt/kde3/share/config/kdm/Xservers (for KDM).

To start additional X servers, simply add lines at the bottom of this file:


:0 local /usr/bin/X   (this is the default line)

Add the lines

:1 local /usr/bin/X :1 vt8
:2 local /usr/bin/X :2 vt9




If you wish to specify a different configuration file for one of the X servers, you can
add a -config argument to the command:

:3 local /usr/bin/X -config configFile :3 vt10

Starting Multiple X Servers Using KDM

If you’re using KDE 3.4 or higher, the local X server configuration is controlled by
the kdmrc file

# /usr/share/config/kdm/kdmrc


In the [General] section of that file, you can specify a list of local displays to be started by adding a StaticServers key:

StaticServers=:0,:1,:2

If this line is missing, the default is to start only display :0 .


Starting Multiple X Servers Using GDM

GDM is configured using two files; the first specifies default values, which may be
overwritten when GDM is updated, and the second provides local values, which are
never overwritten.

/usr/share/gdm/defaults.conf - Defaults

/etc/gdm/custom.conf – Local Values


# vi /usr/share/gdm/defaults.conf

Go to the section

[servers]
0=Standard
1=Standard   (this starts a second X server)

If you wish to use a different configuration for a specific display, you can add a new
configuration section to the local configuration file:
[server-LowRes]
name=Low-Resolution Server
command=/usr/bin/X -config /etc/X11/xorg.conf-lowres
flexible=false


Then specify that configuration for one of your displays:

[servers]
0=Standard
1=Standard
2=Standard
3=LowRes

Recent versions of both GDM and KDM are capable of starting additional X servers
on demand. This is useful when you occasionally want to use multiple X servers but
don’t want the extra overhead when a single X server only is in use. The GNOME
developers call these additional servers flexible servers; the KDE folks call them
reserve servers.


$ gdmflexiserver

gdmflexiserver can also start a nested X server (using Xnest) and present a session
login prompt there:


$ gdmflexiserver -n


Starting Additional X Servers Using KDM

To start multiple KDE reserve servers on boot, open the kdmrc file and enter the following.

ReserveServers=:3,:4,:5


The xinit utility can be used to start an X server with specified clients, but the startx wrapper script provides a friendlier interface. After logging in at a character-based login prompt, simply execute:

$ startx

You can explicitly specify a client to be started:

$ startx /usr/bin/xterm -bg yellow -geometry 180x50

Switching VTs from the Shell Prompt

We can switch virtual terminals using one of the following commands.

$ switchto 7
Or:
$ chvt 7

We can also run these commands remotely.




Starting X Within X

To start Xnest on the current display, use the following:


$ Xnest :1

To start Xnest with a particular client, you can use the startx script:

$ startx /usr/bin/startkde -- /usr/bin/Xnest :1

To start Xnest with two screens of 600 x 400 pixels, use the following:

$ Xnest -scrns 2 -geometry 600x400 :1

For many applications it’s desirable to have the X server exit when the last client disconnects. This is configured by adding the -terminate option to the X command line:

$ X -terminate

Let the X Server Configure Itself

The X.org server can, in most cases, probe, guess, and assume enough about the display configuration to start without a configuration file. Even better, it can generate a basic configuration file, if you specify the -configure option on the server command line:

# X -configure

If you’re already running the X server, you can specify an alternate display number
(such as :1 ) on the command line:

# X -configure :1

The X server will gather as much information as possible by probing the hardware,
and will then write the configuration file to /root/xorg.conf.new .
You can test the configuration file by manually specifying it on the command line:

# X -config /root/xorg.conf.new


If the server appears to start and then immediately exits, while displaying
the message Fatal server error: failed to initialize core devices, then
your configuration may be fine except for the pointer device. Try telling
the X server to continue even if the pointer cannot be opened:


# X -config /root/xorg.conf.new -allowMouseOpenFail

Wednesday, January 12, 2011

Monday, January 3, 2011

Linux Advanced Routing

# ip link list // List all our local interfaces.

# ip address show // Shows our all Local interfaces

# ip route show // List all our routes.

# ip neigh show // To list the current ARP cache

# ip neigh delete 192.168.0.229 dev eth0 // To delete an entry from arp cache.

# ping -c 1 192.168.0.229 // To add 192.168.0.229 to ARP cache.


Tuesday, November 23, 2010

ATTACK

A quick and useful command for checking whether a server is under DDoS:
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

That will list the IPs making the most connections to the server. It is important to remember that DDoS is becoming more sophisticated: attackers are using fewer connections from more attacking IPs. If this is the case you will still see a low number of connections per IP even while you are under a DDoS.

Another very important thing to look at is how many active connections your server is currently processing.

netstat -n | grep :80 |wc -l

netstat -n | grep :80 | grep SYN |wc -l

The first command will show the number of active connections that are open to your server. Many of the attacks typically seen work by starting a connection to the server and then not sending any reply, making the server wait for it to time out. The number of active connections from the first command is going to vary widely, but if you are much above 500 you are probably having problems. If the second command is over 100 you are having trouble with a SYN flood attack.
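As an added example (not part of the original post), here is the same per-source count as a reusable shell script, run over a constructed netstat -anp sample so it works offline. It goes a little beyond the one-liner above: the port is stripped after the last colon, so IPv6 and IPv4-mapped peers are counted instead of being lost by cut -d:, the half-open (SYN_RECV) connections to port 80 are counted separately, and a threshold report lists the sources worth looking at. The sample output, addresses and PIDs are constructed; the Linux netstat column layout (foreign address in field 5, state in field 6) is assumed.

```sh
#!/bin/sh
# Added example, not from the original post. Summarises connection sources
# from Linux "netstat -anp" output. On a live host pipe real output in:
#   netstat -anp | count_sources

# Constructed sample (documentation addresses, fake PIDs).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 10.0.0.5:80             203.0.113.10:51234      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80             203.0.113.10:51235      SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.10:51236      SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.10:51237      SYN_RECV    -
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:22             198.51.100.7:40002      ESTABLISHED 999/sshd
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:192.0.2.44:6001  ESTABLISHED 1234/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           555/ntpd'

# count_sources: "<connections> <peer address>" per peer, ascending, so the
# heaviest talker is the last line. Listening sockets (peer "*") are skipped.
count_sources() {
  awk '
    $1 ~ /^(tcp|tcp6|udp|udp6)$/ && $5 !~ /:\*$/ {
      addr = $5
      sub(/:[^:]*$/, "", addr)    # drop the port after the last colon
      sub(/^::ffff:/, "", addr)   # unwrap IPv4-mapped IPv6 addresses
      n[addr]++
    }
    END { for (a in n) print n[a], a }
  ' | sort -n
}

# syn_backlog: half-open connections to port 80, the signal for a SYN flood.
syn_backlog() {
  awk '$4 ~ /:80$/ && $6 == "SYN_RECV" { c++ } END { print c + 0 }'
}

# flag_sources THRESHOLD: peers with at least THRESHOLD connections.
flag_sources() {
  count_sources | awk -v t="$1" '$1 >= t { print $2 }'
}

# Wrappers that run the functions over the constructed sample.
demo_top()     { printf '%s\n' "$SAMPLE_NETSTAT" | count_sources | tail -n 1; }
demo_syn()     { printf '%s\n' "$SAMPLE_NETSTAT" | syn_backlog; }
demo_flagged() { printf '%s\n' "$SAMPLE_NETSTAT" | flag_sources 3; }

printf 'per-source connection counts:\n'
printf '%s\n' "$SAMPLE_NETSTAT" | count_sources
printf 'half-open connections on :80: %s\n' "$(demo_syn)"
printf 'sources with 3 or more connections: %s\n' "$(demo_flagged)"
```

The threshold is deliberately a parameter: as the post says, a distributed attack may show only a handful of connections per source, so the useful number depends on the server's normal traffic rather than on any fixed value.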

To block a certain IP address on the server, use the following commands

—————–command——————————

route add ipaddress reject

For example: route add 192.168.0.168 reject

You can check whether a given IP is blocked on the server using the following command

route -n |grep IPaddress

—————–command——————————

OR

Use the following commands to block an IP with iptables on the server (the rule is inserted at position 1 so it is evaluated before anything else; use -j REJECT instead of DROP if you prefer an explicit refusal). Save before restarting, because a restart reloads the saved rule set and would otherwise discard the new rule.
—————–command——————————
iptables -I INPUT 1 -s IPADDRESS -j DROP

service iptables save

service iptables restart

—————–command——————————

Then kill all httpd connections and restart the httpd service using the following commands

killall -KILL httpd

service httpd startssl


Additionally you can check the connection ports with


lsof | grep ESTABLISHED
lsof | grep LISTEN

lsof -p PID

Friday, November 19, 2010

POSTGRESQL ERROR

If you get the error given below

FATAL 1: IDENT authentication failed for user "postgres"'

Do the following to fix it.

# vi /var/lib/pgsql/data/pg_hba.conf


Add the line

host all all 127.0.0.1/32 trust

:wq   (save the file)


The /var/lib/pgsql/data/pg_hba.conf will then look like this.

# TYPE DATABASE USER CIDR-ADDRESS METHOD

#local all all ident sameuser
host all all 127.0.0.1/32 trust




# service postgresql restart

INSTALLING MAVEN

# cd /opt


# wget -c http://www.eng.lsu.edu/mirrors/apache//maven/binaries/apache-maven-3.0-bin.tar.gz

# tar xvzf apache-maven-3.0-bin.tar.gz

# vi /etc/profile

Add the following lines to the end of the file

M2_HOME=/opt/apache-maven-3.0
export M2_HOME
PATH=$PATH:$M2_HOME/bin

:wq   (save the file)


# source /etc/profile

Apache Maven is installed and ready to use.

Monday, November 1, 2010

INSTALLING OPENNMS

OpenNMS is the world's first enterprise-grade network management system developed under the open source model. As with any complex and powerful system, getting it installed and configured can take a little effort.

Minimum Requirements
--------------------

* A 1 GHz Pentium III (or equivalent processor) or better. OpenNMS can also take advantage of multiple processors.

* A minimum of 256 MB of RAM, although 512 MB is strongly recommended. The OpenNMS Java Virtual Machine benefits from large amounts of memory, up to 2 GB, and more if using a 64-bit processor.

* OpenNMS requires about 200 MB of disk space for the program files. In addition, each data variable collected requires, by default, a little under 300 KB of disk space.


Configure RPM-based Distributions with Yum
-------------------------------------------

[root@localhost ~]# yum install yum-fastestmirror


Install the OpenNMS Repository RPM
-----------------------------------

rpm -Uvh http://yum.opennms.org/repofiles/opennms-repo-snapshot-fc7.noarch.rpm

Or, to install the latest unstable release on CentOS or RHEL 5, you would run:

rpm -Uvh http://yum.opennms.org/repofiles/opennms-repo-unstable-rhel5.noarch.rpm

Installing Java on RPM-based Distributions Using Yum
----------------------------------------------------

[root@localhost ~]# yum install jdk


Installing PostgreSQL on RPM-Based Distributions Using Yum
----------------------------------------------------------

[root@localhost ~]# yum -y install postgresql-server


Configure PostgreSQL
--------------------

Locate the Postgres "data" directory. Often this is /var/lib/pgsql/data. You should then find the two files we need to modify in that directory.

First we need to make sure PostgreSQL is listening on an IP socket, and not just a local Unix socket.


Edit the postgresql.conf file and add the following.

listen_addresses = 'localhost'

max_connections = 256



Customizing the pg_hba.conf File
--------------------------------

Add the below lines.

# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
local all all trust
host all all 127.0.0.1 255.255.255.255 trust
host all all ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff trust
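As an added example (not part of either post), the script below audits a pg_hba.conf for "trust" entries, which is what both the PostgreSQL IDENT fix earlier on this page and the OpenNMS step above rely on. With trust, PostgreSQL performs no authentication at all: any client matching the line can connect as any role, including postgres, so the address column is the only thing limiting who gets in. The sample file mixes both layouts seen on this page (a CIDR address, and the older separate IP and mask columns) and is constructed so the script runs offline; on a real host feed it /var/lib/pgsql/data/pg_hba.conf.

```sh
#!/bin/sh
# Added example, not from the original posts. Lists pg_hba.conf trust
# entries and singles out the ones reachable over the network.

# Constructed pg_hba.conf with both address layouts used on this page.
SAMPLE_HBA='# TYPE  DATABASE  USER  ADDRESS                                      METHOD
local   all       all                                                trust
host    all       all   127.0.0.1/32                                 trust
host    all       all   127.0.0.1       255.255.255.255              trust
host    all       all   ::1  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff trust
host    all       all   192.168.0.0/24                               trust
host    all       all   0.0.0.0/0                                    md5'

# trust_entries: prints "type address" for every line whose method is trust.
# Field layout: local DB USER METHOD | host DB USER ADDR [MASK] METHOD
trust_entries() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }
    { addr = ""; method = "" }
    $1 == "local" { addr = "unix-socket"; method = $4 }
    $1 ~ /^host/ {
      # a 5th field made only of hex digits, dots or colons is a separate mask
      if (NF >= 6 && $5 ~ /^[0-9a-f.:]+$/) { addr = $4 "/" $5; method = $6 }
      else                                 { addr = $4;         method = $5 }
    }
    method == "trust" { print $1, addr }
  '
}

# remote_trust_entries: trust lines that are not limited to this machine
# (anything other than the Unix socket or a loopback address).
remote_trust_entries() {
  trust_entries | awk '$2 != "unix-socket" && $2 !~ /^127\./ && $2 !~ /^::1/'
}

demo_trust_count()  { printf '%s\n' "$SAMPLE_HBA" | trust_entries | wc -l | tr -d ' '; }
demo_remote_trust() { printf '%s\n' "$SAMPLE_HBA" | remote_trust_entries; }

printf 'trust entries:\n'
printf '%s\n' "$SAMPLE_HBA" | trust_entries
printf 'trust entries reachable over the network: %s\n' "$(demo_remote_trust)"
```

On the OpenNMS host the loopback trust lines are what the installer expects; the 192.168.0.0/24 line in the sample is the kind of entry this check is meant to surface, since it would let any machine on that subnet log in as the postgres superuser without a password.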


Creating the PostgreSQL Database
---------------------------------


# /etc/init.d/postgresql start


Installing JICMP on RPM-Based Distributions Using YUM
-----------------------------------------------------


[root@localhost ~]# yum install jicmp



Installing OpenNMS
------------------


[root@localhost ~]# yum install opennms-*

Configure Java for OpenNMS
--------------------------

[root@localhost ~]# /opt/opennms/bin/runjava -s


The desired output is given below:


runjava: Looking for an appropriate JRE...
runjava: Checking for an appropriate JRE in JAVA_HOME...
runjava: skipping... JAVA_HOME not set
which: no java in (/usr/lib/qt-3.3/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/opennms/bin:/root/bin)
runjava: did not find a JRE in user's path
runjava: searching for a good JRE...
runjava: found a good JRE in "/usr/java/jdk1.5.0_18/bin/java"
runjava: value of "/usr/java/jdk1.5.0_18/bin/java" stored in configuration file
You have new mail in /var/spool/mail/root


Configure a specific JRE
-------------------------


If you need to configure a specific JRE, do the following:

[root@localhost]# /opt/opennms/bin/runjava -S


Run the OpenNMS Installer Application
-------------------------------------

[root@localhost ~]# /opt/opennms/bin/install -l /usr/local/lib -dis




Login to the Web Application
-----------------------------

By default, OpenNMS's built-in web server listens on port 8980, so point your browser at http://:8980/opennms/


The initial user name is "admin" and the password is "admin".

Enjoyyyy...............


If you need any further assistance. Ping me

Email: vasanth462@gmail.com

Thursday, October 28, 2010

To Speed up the installation using YUM

You may want to install the yum-fastestmirror RPM if your distro supports it. This can often speed up downloads of large packages. See the CentOS Wiki

# yum install yum-fastestmirror







Wednesday, October 13, 2010

Wednesday, September 29, 2010

DANSGUARDIAN,SQUID,IPTABLES

If you want to filter web browsing on a Linux gateway server using iptables, squid and DansGuardian, follow my steps.

eth0 = Internet IP address
eth1 = 192.168.0.229

Do the necessary steps to make the Linux machine a router and gateway.


# yum install squid

Open the squid configuration file.


# vi /etc/squid/squid.conf


Enter the following line (transparent mode, so redirected traffic is accepted)

http_port 3128 transparent

Add the ACLs



acl home_network src 192.168.0.0/24
http_access allow home_network

# service squid start


# iptables -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP
# service iptables save
# service iptables restart

This will block your employees from connecting to squid directly.

1. Install DansGuardian from source or RPM

I am using the RPM here



The files are installed in /etc/dansguardian. Open the main configuration file of DansGuardian and enter the following details.


# vi /etc/dansguardian/dansguardian.conf

proxyip = 192.168.0.229


proxyport = 3128


filterport = 8080


save the file.


Run the following redirect rule (PREROUTING lives in the nat table, so -t nat is required)

# iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080



On the clients, set the gateway to 192.168.0.229 (in my case).

Wednesday, September 22, 2010

Shell script to start Authdaemon

#! /bin/sh
# Init-style wrapper around the Courier authdaemond control script.

case "$1" in
start)
echo "Initializing authdaemon. (Courier)"
/usr/local/sbin/authdaemond start
;;
stop)
echo "Shutting down authdaemon:"
/usr/local/sbin/authdaemond stop
;;
restart|reload)
$0 stop && $0 start
;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
;;
esac
exit 0



Sunday, September 19, 2010

YUM THROUGH PROXY

If your internal network is protected by a proxy server and firewall, use the following settings to use yum

1. Open a shell

2. export http_proxy=http://proxyhost:port

Eg: export http_proxy=http://192.168.0.229:3128

3. yum list


Enjoyyyy

Saturday, September 18, 2010

OPENVZ COMMANDS

OpenVZ is an Operating System-level server virtualization solution, built on Linux. OpenVZ creates isolated, secure virtual environments.

FILES

/etc/vz/vz.conf
/etc/vz/conf/veid.conf
/proc/vz/veinfo
/proc/vz/vzquota
/proc/user_beancounters
/proc/fairsched

Log file /var/log/vzctl.log

vzctl Commands

Usage: vzctl [options] [parameters]

Help : vzctl --help


1. Stop a VE (start/stop/restart) -

#vzctl stop VEID

2. to stop a VE in fast mode -

#vzctl stop VEID --fast

3. to see all the VE's -

#vzlist -a

4. to enter a VE -

#vzctl enter VEID

5. to see the uptime of a VE - run this from the node -

#vzctl exec VEID uptime

6. to see all the running process in a VE from the node -

#vzctl exec VEID ps aux

7. list the load of each VE -

#for vps in `vzlist -1`; do echo "$vps: `vzctl exec2 $vps uptime`"; done

8. when you think it is a RAM issue (Out Of Memory)-

#less /var/log/messages|grep OOM|grep VEID|wc -l

9. Reinstall a VE - all data will be lost and a fresh install will be there -

#vzctl reinstall VEID

10. number of running VE's in the node - 

#vzlist|grep running|wc -l

11. To find the status of a VE:

#vzctl status VEID

12. You can execute commands inside a VE from the node itself

#vzctl exec VEID COMMAND

13. Check the inode value

#df -i

14. Set the inode value

#vzctl set VEID --diskinodes 2000000:2000000 --save

15. Check numiptent value

#egrep numiptent /proc/user_beancounters
numiptent 336 336 2147483647 2147483647 0

16. Set numiptent value

#vzctl set VEID --numiptent 2000000:2000000 --save

17. To permanently remove this VE:

#vzctl destroy VE_ID
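Items 15 and 16 above grep a single counter out of /proc/user_beancounters. As an added example (not part of the original post), this parser walks the whole table on constructed sample data, keeps the VE id that grep drops, and flags every counter that has recorded failures or sits near its limit; the held/maxheld/barrier/limit/failcnt column layout is the standard one.

```python
"""Parse /proc/user_beancounters and flag VEs under resource pressure.

Added example (not from the original post). Items 15 and 16 grep a single
counter; this walks the whole table, keeps the VE id that grep drops, and
reports every counter that has recorded failures or is close to its limit.
Columns assumed: held, maxheld, barrier, limit, failcnt (standard layout).
"""

UNLIMITED = 2147483647          # LONG_MAX: the "no limit" value in vz configs
FIELDS = ("held", "maxheld", "barrier", "limit", "failcnt")

# Constructed sample in the /proc/user_beancounters layout
SAMPLE = """\
Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
       101: kmemsize                  9800000             10500000             11055923             11377049                    3
            numproc                        40                   61                  240                  240                    0
            numiptent                     336                  336           2147483647           2147483647                    0
       102: kmemsize                  1000000              2000000             11055923             11377049                    0
            numiptent                     230                  240                  240                  240                    5
"""


def parse_beancounters(text):
    """Return {uid: {resource: {held, maxheld, barrier, limit, failcnt}}}."""
    counters, uid = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] in ("Version:", "uid"):
            continue                                  # header lines
        if parts[0].endswith(":"):                    # "101: kmemsize ..." starts a VE block
            uid, parts = parts[0][:-1], parts[1:]
            counters[uid] = {}
        if uid is None or len(parts) != 6:
            continue
        try:
            values = [int(v) for v in parts[1:]]
        except ValueError:
            continue
        counters[uid][parts[0]] = dict(zip(FIELDS, values))
    return counters


def find_pressure(counters, ratio=0.9):
    """List (uid, resource, reason) for counters with failures or held >= ratio * limit."""
    alerts = []
    for uid, resources in counters.items():
        for name, c in resources.items():
            if c["failcnt"] > 0:
                alerts.append((uid, name, "failcnt=%d" % c["failcnt"]))
            elif c["limit"] not in (0, UNLIMITED) and c["held"] >= ratio * c["limit"]:
                pct = 100 * c["held"] // c["limit"]
                alerts.append((uid, name, "held %d%% of limit" % pct))
    return alerts


if __name__ == "__main__":
    for uid, name, reason in find_pressure(parse_beancounters(SAMPLE)):
        print("VE %s: %s %s" % (uid, name, reason))
```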

Configuration Commands


1) vzctl set VEID --hostname vps.domain.com --save : To set the hostname of a VPS.


2) vzctl set VEID --ipadd 1.2.3.4 --save : To add a new IP to the VPS.


3) vzctl set VEID --ipdel 1.2.3.4 --save : To delete the IP from the VPS.


4) vzctl set VEID --userpasswd root:new_password --save : To reset the root password of a VPS.


5) vzctl set VEID --nameserver 1.2.3.4 --save : To add nameserver IPs to the VPS.


6) vzctl exec VEID command : To run any command on a VPS from the node.


7) vzyum VEID install package_name : To install any package/software on a VPS from the node.

PERMANENTLY MOUNTING THE REMOTE WINDOWS SHARE USING /etc/fstab

To permanently mount the Windows share on Linux, add the following entry to /etc/fstab, save the file and run mount -a



//192.168.1.21/D /mnt cifs defaults,credentials=/root/samba_credentials 0 0


:wq

# mount -a

PRIVATE READ WRITE SHARE

Private write share.

Create a share like below in /etc/samba/smb.conf


security = share

[privatewrite]

path = /private

writable = yes

create mask = 0765

valid users = vasanth



# smbpasswd -a vasanth

# smbpasswd -e vasanth

MAPPING LINUX FOLDER TO WINDOWS


In winbox open cmd

Type the following command

> net use * \\192.168.1.12\privatewrite /user:vasanth

It will prompt for the password. Once given, the remote Linux folder is mapped in My Computer as drive Z: on Windows.

> net use // this command displays the current network connections of the Windows box

To disconnect the drive

right click >> disconnect

or

> net use z: /delete

TO MAKE A HIDDEN SHARE IN WINDOWS

Enter the share in smb.conf

[privatewrite]

path = /private

writable = yes

create mask = 0765

valid users = vasanth

browseable = no
// this line makes the share invisible in browse lists.



The above entry in smb.conf hides the share from browsing, but it is still accessible using its UNC path.

In the Windows Network Places address bar, type

\\192.168.1.12\privatewrite

# smbclient -L server1

TO FIND OUT THE STATUS OF A FILE IN LINUX

# stat smb.conf

OUTPUT:

File: `smb.conf'

Size: 10041 Blocks: 24 IO Block: 4096 regular file

Device: 803h/2051d Inode: 1901530 Links: 1

Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)

Access: 2010-06-17 07:12:01.000000000 +0530

Modify: 2010-06-17 07:09:52.000000000 +0530

Change: 2010-06-17 07:09:52.000000000 +0530

STEPS TO SHARE PRINTER FROM LINUX TO WINDOWS.


1. Connect the printer and share it properly for all hosts.
2. Restart the smb daemon.
3. Samba reads the /etc/printcap file.
4. Search for the printer from Windows. It will appear there.

The section that is responsible for sharing printers in smb.conf is as follows.

load printers = yes
// Load the printer from cups.
cups options = raw
// This option assumes that the Windows system has a driver for the printer shared by Samba and spools raw jobs through Samba.


; printcap name = /etc/printcap

printing = cups


NOTE: The driver for the shared printer must be installed on the Windows host.

INSTALLING NEW KERNEL FROM THE SOURCE

Download the latest kernel from http://www.kernel.org

wget -c http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.33.tar.gz

# tar xvzf linux-2.6.33.tar.gz

# cd linux-2.6.33


# cp /boot/config-`uname -r` .config

# make menuconfig

# make bzImage

# make modules

# make modules_install

# make install

Friday, September 17, 2010

IPTABLES SCRIPT THAT CAN BE USED IN GATEWAYS

LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"
/sbin/modprobe ip_conntrack_ftp
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT


# $IPTABLES -A FORWARD -i eth1 -s 192.168.0.0/24 -p tcp --destination-port 80 -j DROP

$IPTABLES -A FORWARD -i eth1 -s 192.168.0.0/24 -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -d 192.168.0.0/24 -j ACCEPT

# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


#Blocking direct internet access

$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 80 -m state --state NEW -j DROP



# Allow incoming port 22 (ssh) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN -p tcp --destination-port 22 -m state --state NEW -j ACCEPT



# Allow ssh from LAN to INTERNET interface
$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNET -p tcp --destination-port 22 -m state --state NEW -j ACCEPT

# Allow FTP connections FROM LAN to INTERNET

$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 21 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i $INTERNET -p tcp --destination-port 20 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 21 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 20 -m state --state NEW -j ACCEPT

# Allow incoming port 3128 (squid) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state --state NEW -j ACCEPT

# Allow ICMP ECHO REQUESTS on LAN interface
$IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT

# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state --state NEW -j ACCEPT



# Allow Squid to proxy ftp, http, https, and AIM traffic
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 21 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 5190 -m state --state NEW -j ACCEPT


# Create a LOGDROP chain to log and drop packets
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG
$IPTABLES -A LOGDROP -j DROP


# Drop all other traffic
$IPTABLES -A INPUT -j LOGDROP

SSL/TLS

Webcam under Linux

1. Plug your webcam to USB port

2. Check whether the webcam has been detected with the following command

# ls -l /dev/video0

crw------- 1 root root 81, 0 Sep 18 12:01 /dev/video0

If the output looks like the above, your webcam has been detected by Linux.

3. Install luvcview

Get the latest source from the following URL.

http://mxhaard.free.fr/spca50x/Investigation/uvc/



# tar xvzf luvcview-20060207.tar.gz


# cd luvcview-20060207

# make

# make install


4. After the above steps run the following command


# luvcview -f yuv


Now you can see your face on your desktop.



Enjoyyyy


Vasanth.T.M
Systems Administrator(Linux)
Ph:+919496824351

Wednesday, September 15, 2010

SQUID monitoring

tail -f /var/log/squid/access.log | awk '{print $3 " " $8 " " $7}' // Use this one-liner to monitor the web usage in your home network
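The awk one-liner above prints client, user and URL from Squid's native access.log format. As an added example (not from the original post), this Python parser reads the same fields from constructed log lines, skips malformed lines, and also totals bytes and denied requests per client so that an unusual client stands out.

```python
"""Squid access.log monitor (added example, not from the original post).

Parses the native Squid access.log format and aggregates web usage per
client, mirroring the awk one-liner above ($3 = client, $8 = user, $7 = URL)
but also counting bytes and denied requests so abnormal clients stand out.
"""
from collections import defaultdict

# Constructed sample lines in Squid's native log format:
# timestamp elapsed client action/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1284541200.123    245 192.168.0.10 TCP_MISS/200 5123 GET http://www.example.com/index.html vasanth DIRECT/93.184.216.34 text/html
1284541201.456     12 192.168.0.10 TCP_HIT/200 840 GET http://www.example.com/logo.png vasanth NONE/- image/png
1284541202.789      3 192.168.0.11 TCP_DENIED/403 1420 GET http://blocked.example.net/ - NONE/- text/html
1284541203.111    980 192.168.0.12 TCP_MISS/200 20480 CONNECT mail.example.org:443 - DIRECT/198.51.100.7 -
this line is garbage and must be skipped
"""


def parse_line(line):
    """Split one native-format line into named fields; return None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    action, _, status = fields[3].partition("/")
    try:
        size = int(fields[4])
        status = int(status)
    except ValueError:
        return None
    return {
        "time": float(fields[0]),
        "client": fields[2],
        "action": action,
        "status": status,
        "bytes": size,
        "method": fields[5],
        "url": fields[6],
        "user": fields[7],
    }


def awk_view(entry):
    """Same three columns the awk one-liner prints: client, user, URL."""
    return "%s %s %s" % (entry["client"], entry["user"], entry["url"])


def summarize(log_text):
    """Per-client totals: requests, bytes served, and requests Squid denied."""
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0, "denied": 0})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        t = totals[entry["client"]]
        t["requests"] += 1
        t["bytes"] += entry["bytes"]
        if entry["action"] == "TCP_DENIED" or entry["status"] == 403:
            t["denied"] += 1
    return dict(totals)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_line(line)
        if e:
            print(awk_view(e))
    for client, t in sorted(summarize(SAMPLE_LOG).items()):
        print(client, t)
```

On a live system replace SAMPLE_LOG with the lines read from /var/log/squid/access.log.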

Thursday, August 26, 2010

Cpanel Error

If you are experiencing the following error

pcfg_openfile: unable to check htaccess file, ensure it is readable

Do the following

Login to Cpanel

Go to Frontpage Extensions

Reinstall it


Reload the URL

Now it will be okay.

Find Useful Commands

# find /path/to/base/dir -type f -exec chmod 755 {} \;

# find public_html/ -type f -exec chmod 644 {} \;


Monday, August 9, 2010

What is SSL and what are Certificates?

The Secure Socket Layer protocol was created by Netscape to ensure secure transactions between web servers and browsers. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both ends of the transaction. In short, this is how it works.

1. A browser requests a secure page (usually https://).

2. The web server sends its public key with its certificate.

3. The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.

4. The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted http data.

5. The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and http data.

6. The web server sends back the requested html document and http data encrypted with the symmetric key.

7. The browser decrypts the http data and html document using the symmetric key and displays the information.

Several concepts have to be understood here.
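Step 3 of the exchange above is the one the browser gets wrong at its peril. As an added example (not from the original post), the code below performs those three checks on a constructed certificate dict shaped like Python's ssl.SSLSocket.getpeercert() output, with a constructed trusted-root set standing in for the browser's root store.

```python
"""Browser-side certificate checks from step 3 above (added example, not from
the original post). The certificate is a constructed dict in the shape that
Python's ssl.SSLSocket.getpeercert() returns, so the checks run offline: the
issuer must be a trusted root, the current time must fall inside the validity
window, and one of the certificate's names must match the site contacted.
"""
from datetime import datetime

CERT_TIME = "%b %d %H:%M:%S %Y GMT"          # getpeercert() date format

# Constructed certificate: issued by a root we trust, valid for one year
SERVER_CERT = {
    "issuer": ((("organizationName", "Example Root CA"),),),
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Aug  1 00:00:00 2010 GMT",
    "notAfter": "Aug  1 00:00:00 2011 GMT",
}
TRUSTED_ROOTS = {"Example Root CA"}            # stands in for the browser's root store


def _dn_value(dn, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert()-style DN."""
    return next((v for rdn in dn for k, v in rdn if k == key), None)


def hostname_matches(pattern, hostname):
    """Exact match, or a wildcard that covers exactly one leading label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".", 1)
        # one label only, and never a bare top-level domain like *.com
        return len(labels) == 2 and "." in labels[1] and labels[1] == pattern[2:]
    return False


def check_certificate(cert, hostname, trusted_roots, now):
    """Return (accepted, reason); reason names the first failing check."""
    issuer = _dn_value(cert["issuer"], "organizationName")
    if issuer not in trusted_roots:
        return False, "issuer %r is not a trusted root" % issuer
    not_before = datetime.strptime(cert["notBefore"], CERT_TIME)
    not_after = datetime.strptime(cert["notAfter"], CERT_TIME)
    if not not_before <= now <= not_after:
        return False, "certificate not valid at %s" % now.isoformat()
    # subjectAltName DNS entries take precedence; fall back to the subject CN
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [_dn_value(cert["subject"], "commonName")]
    if not any(n and hostname_matches(n, hostname) for n in names):
        return False, "names %s do not match %s" % (names, hostname)
    return True, "certificate accepted for %s" % hostname


if __name__ == "__main__":
    for host in ("www.example.com", "mail.example.com", "example.com"):
        print(host, check_certificate(SERVER_CERT, host, TRUSTED_ROOTS, datetime(2010, 9, 15)))
```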

Sunday, August 1, 2010

COURIER INSTALLATION

COURIER_MTA INSTALLATION



1. Download the Courier authentication library

URL: http://www.courier-mta.org/authlib/

# rpm -qa | grep libtool
# rpm -qa | grep binutil
# rpm -qa | grep expect

# su - vasanth
# tar xvjf courier-authlib-0.63.0.tar.bz2
# cd courier-authlib-0.63.0
# ./configure
# make
# make install
# cd /usr/local/etc/authlib
# /usr/local/sbin/authdaemond start
# ps -ax | grep auth
# cd /etc/init.d
# ln -s /usr/local/sbin/authdaemond
# ln -s /etc/init.d/authdaemond /etc/rc5.d/S20authdaemond



INSTALLING Courier-IMAP

First check the mailbox format:

# cat /var/qmail/control/defaultdelivery
Note: Compile courier as non root user
# tar xvjf courier-imap-4.7.0.tar.bz2
# cd courier-imap-4.7.0
# su root
# make install (must be root)
# make install-configure (must be root)
# cd /usr/lib/courier-imap/ (Everything related to Courier is installed inside this directory)

1. bin >>> Contains the binary files related to Courier
2. etc >>> Contains the configuration files
3. libexec >>> Contains the startup scripts
4. libexec >>> courier tcpd is the TCP super server, like xinetd and inetd
5. man >>> Manual pages





CONFIGURING POP3 SERVICE

# cd /usr/lib/courier-imap/etc
# vi pop3d
#/usr/lib/courier-imap/libexec/pop3d.rc start
# netstat -nlp | grep 110


# vi /usr/local/etc/authlib/authdaemonrc
uncomment the following
authmodulelist="authuserdb authpam authldap authmysql authcustom authpipe"

IF any problem regarding pop read

http://www.courier-mta.org/authlib/README.authdebug.html


COURIER-POP3-SSL

# vi /usr/lib/courier-imap/etc/pop3d.cnf

Add the entries of your choice

# cd /usr/lib/courier-imap/share

# ./mkpop3dcert

Certificate is stored in the /usr/lib/courier-imap/share/pop3d.pem

# cd /usr/lib/courier-imap/libexec

# ./pop3d-ssl.rc start



NOTE

Link all the startup script to /etc/init.d/
and /etc/rc3.d or rc5.d

QMAIL-SMARTHOST

QMAIL AS SMARTHOST

A smart host is the email gateway between our local network and remote networks.


There are two files in /var/qmail/control.

1./var/qmail/control/locals
2./var/qmail/control/smtproutes
locals -> Defines the local domains that are allowed to route messages. It normally defines the local domain and the FQDN of our server. If a message is destined for a remote domain, qmail consults smtproutes and forwards all such messages to the server listed there.





Mail open relay

mv /var/qmail/control/rcpthosts /var/qmail/control/rcpthosts.bak

APACHE-SSL

HOW TO APACHE-SSL



Install the following

# yum install httpd-*
# yum install openssl
# yum install mod_ssl
# yum install crypto-utils

Creating Self signed

# genkey www.example.com

Go next until the creation of the certificates (select 1024 and self signed).

The certificates are stored in /etc/pki/tls/private/www.example.com
and in
/etc/pki/tls/certs/www.example.com


Update /etc/httpd/conf.d/ssl.conf

change the SSLCertificateFile line to the following

SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt

SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

Restart the server

# service httpd restart

To verify

netstat -ntlp | grep 443

Saturday, July 31, 2010

Configuring Console Access

When normal (non-root) users log in to a computer locally, they are given two types of special permissions:
1.They can run certain programs that they would not otherwise be able to run
2.They can access certain files (normally special device files used to access diskettes, CD-ROMs, and so on) that they would not otherwise be able to access
Since there are multiple consoles on a single computer and multiple users can be logged into the computer locally at the same time, one of the users has to "win" the race to access the files. The first user to log in at the console owns those files. Once the first user logs out, the next user who logs in will own the files.
In contrast, every user who logs in at the console will be allowed to run programs that accomplish tasks normally restricted to the root user. If X is running, these actions can be included as menu items in a graphical user interface. As shipped, the console-accessible programs include halt, poweroff and reboot.
Disabling Shutdown Via Ctrl-Alt-Del
By default, /etc/inittab specifies that your system is set to shut down and reboot in response to the Ctrl-Alt-Del key combination used at the console. If you'd like to completely disable this ability, you will need to comment out the following line in /etc/inittab:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Alternatively, you may just want to allow certain non-root users the right to shut down the system from the console using Ctrl-Alt-Del. You can restrict this privilege to certain users by taking the following steps:
1.Add a -a option to the /etc/inittab line shown above, so that it reads:
ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now
The -a flag tells shutdown to look for the /etc/shutdown.allow file, which you'll create in the next step.
2.Create a file named shutdown.allow in /etc. The shutdown.allow file should list the usernames of any users who are allowed to shut down the system using Ctrl-Alt-Del. The format of the /etc/shutdown.allow file is a list of usernames, one per line, like the following:
stephen
jack
sophie
According to this example shutdown.allow file, stephen, jack, and sophie are allowed to shut down the system from the console using Ctrl-Alt-Del. When that key combination is used, the shutdown -a in /etc/inittab checks to see if any of the users in /etc/shutdown.allow (or root) are logged in on a virtual console. If one of them is, the shutdown of the system will continue; if not, an error message will be written to the system console instead.
For more information on shutdown.allow see the shutdown man page.
Disabling Console Program Access
In order to disable access by users to console programs, you should run this command as root:
rm -f /etc/security/console.apps/*
In environments where the console is otherwise secured (BIOS and LILO passwords are set, Ctrl-Alt-Del is disabled, the power and reset switches are disabled, and so forth), you may not want to allow any user at the console to run poweroff, halt, and reboot, which are accessible from the console by default.
To remove these abilities, run the following commands as root:
rm -f /etc/security/console.apps/poweroff
rm -f /etc/security/console.apps/halt
rm -f /etc/security/console.apps/reboot
Disabling All Console Access
The PAM pam_console.so module manages console file permissions and authentication. (See Chapter 8 for more information on configuring PAM.) If you want to disable all console access, including program and file access, comment out all lines that refer to pam_console.so in the /etc/pam.d directory. The following script will do the trick:
cd /etc/pam.d
for i in * ; do
sed '/[^#].*pam_console.so/s/^/#/' < $i > foo && mv foo $i
done
Defining the Console
The pam_console.so module uses the /etc/security/console.perms file to determine the permissions for users at the system console. The syntax of the file is very flexible; you can edit the file so that these instructions no longer apply. However, the default file has a line that looks like this:
<console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
When users log in, they are attached to some sort of named terminal, either an X server with a name like :0 or mymachine.example.com:1.0 or a device like /dev/ttyS0 or /dev/pts/2. The default is to define that local virtual consoles and local X servers are considered local, but if you want to consider the serial terminal next to you on port /dev/ttyS1 to also be local, you can change that line to read:
<console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1
Making Files Accessible From the Console
In /etc/security/console.perms, there is a section with lines like:
<floppy>=/dev/fd[0-1]* \
/dev/floppy/*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
/dev/mixer* /dev/sequencer \
/dev/sound/*
<cdrom>=/dev/cdrom* /dev/cdwriter*
You can add your own lines to this section, if necessary. Make sure that any lines you add refer to the appropriate device. For example, you could add the following line:
<scanner>=/dev/sga
(Of course, make sure that /dev/sga is really your scanner and not, say, your hard drive.)
That's the first step. The second step is to define what is done with those files. Look in the last section of /etc/security/console.perms for lines similar to:
<console> 0660 <floppy> 0660 root.floppy
<console> 0600 <sound> 0640 root
<console> 0600 <cdrom> 0600 root.disk
and add a line like:
<console> 0600 <scanner> 0600 root
Then, when you log in at the console, you will be given ownership of the /dev/sga device and the permissions will be 0600 (readable and writable by you only). When you log out, the device will be owned by root and still have 0600 (now: readable and writable by root only) permissions.
Enabling Console Access for Other Applications
If you wish to make other applications accessible to console users, you will have to do just a little bit more work.
First of all, console access only works for applications which reside in /sbin or /usr/sbin, so the application that you wish to run must be there. After verifying that, do the following steps:
1.Create a link from the name of your application, such as our sample foo program, to the /usr/bin/consolehelper application:
cd /usr/bin
ln -s consolehelper foo
2.Create the file /etc/security/console.apps/foo:
touch /etc/security/console.apps/foo
3.Create a PAM configuration file for the foo service in /etc/pam.d/. An easy way to do this is to start with a copy of the halt service's PAM configuration file, and then modify the file if you want to change the behavior:
cp /etc/pam.d/halt /etc/pam.d/foo
Now, when you run /usr/bin/foo, it will call consolehelper, which will authenticate the user with the help of /usr/sbin/userhelper. To authenticate the user, consolehelper will ask for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/halt (otherwise, it will do precisely what is specified in /etc/pam.d/foo) and then run /usr/sbin/foo

IPTABLES+SQUID PROXY SETUP

Squid iptables firewall
The following iptables firewall is suited for a dual-homed Squid proxy server. ssh (TCP port 22), squid (TCP port 3128), and ICMP ECHO requests are allowed on the internal (LAN) interface.
Squid is configured to proxy ftp, http, https, and AOL Instant Messenger traffic. In addition, the server is running a caching/forwarding name server and time server and therefore requires outgoing UDP port 123 (ntp) and TCP/UDP port 53 (dns).
#!/bin/sh

LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"

# Kernel monitoring support
# More information:
# /usr/src/linux-`uname -r`/Documentation/networking/ip-sysctl.txt
# http://www.linuxgazette.com/book/view/1645
# http://www.spirit.com/Network/net0300.html

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Needed for FTP (specifically, to allow incoming ftp-data connections)
/sbin/modprobe ip_conntrack_ftp

# Flush all chains
$IPTABLES --flush

# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Set default policies
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP


# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming port 22 (ssh) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 22 -m state \
--state NEW -j ACCEPT

# Allow incoming port 3128 (squid) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state \
--state NEW -j ACCEPT

# Allow ICMP ECHO REQUESTS on LAN interface
$IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT

# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state \
--state NEW -j ACCEPT

# Allow ntp synchronization
$IPTABLES -A OUTPUT -o $LAN -p udp --destination-port 123 -m state \
--state NEW -j ACCEPT

# Allow ssh on LAN interface
$IPTABLES -A OUTPUT -o $LAN -p tcp --destination-port 22 -m state \
--state NEW -j ACCEPT

# Allow Squid to proxy ftp, http, https, and AIM traffic
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 21 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 5190 -m state \
--state NEW -j ACCEPT

# Create a LOGDROP chain to log and drop packets
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG
$IPTABLES -A LOGDROP -j DROP

# Drop all other traffic
$IPTABLES -A INPUT -j LOGDROP

# Have these rules take effect when iptables is started
/sbin/service iptables save

Restricting normal users from logging in to a Linux server

We can restrict normal users from logging in to the server using PAM. The PAM module pam_nologin.so is used for this purpose. Configure /etc/pam.d/login as shown below.

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
auth required pam_nologin.so file=/etc/nologin
#account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_ck_connector.so

VSFTPD VIRTUAL USER SETUP

VSFTPD Virtual Users Setup (with individual FTP home directories)



STEP 1: Install Required packages:
pam (installed by default)
db4 (db4 is my version and was installed by default)
vsftpd
compat-db (this is the package name on fedora which provides the binary db42_load)

Check if the 'db' package is installed

[root@mysystem vsftpd]# rpm -qa | grep -i db

If the db4 package is not installed, do it:

[root@mysystem vsftpd]# yum install db4

The package compat-db will give us the db42_load binary used to build the virtual username/password db file

[root@mysystem vsftpd]# yum install compat-db
[root@mysystem vsftpd]# yum install vsftpd

Can't find the dbXX_load binary? Check the locations of the files in this package

[root@mysystem vsftpd]# rpm -ql compat-db
STEP 2: Configure PAM
Confirm the existence/location of the file /lib/security/pam_userdb.so

[root@mysystem vsftpd]# rpm -ql pam | grep pam_userdb.so
[root@mysystem vsftpd]# vi /etc/pam.d/vsftpd
(I EDITED THE FILE TO LOOK LIKE THIS:)

#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
#auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth required pam_shells.so
#auth include system-auth
#account include system-auth
#session include system-auth
#session required pam_loginuid.so

(note: I had to comment out the bottom 6 lines to get the pam_userdb authentication to succeed for ftp logins. With them not commented out, authentication of known good users failed)
STEP 3: Create system user for vsftpd.conf (this is basically a dummy user, not logged into directly via FTP)
[root@mysystem vsftpd]# adduser -d /home/virtualftp/ virtualftp
STEP 4: Configure vsftpd for virtual users
[root@mysystem vsftpd]# cd /etc/vsftpd
[root@mysystem vsftpd]# vi vsftpd.conf
(HERE IS MY vsftpd.conf FILE MINUS DEFAULT COMMENTS:)

local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

# Virtual users will be logged into /home/virtualftp/[username]/
user_sub_token=$USER
local_root=/home/virtualftp/$USER
guest_enable=YES
guest_username=virtualftp
# Umask applied for virtual users and anon
anon_umask=0022
# Allows uploading by virtual users
anon_upload_enable=YES
# Allows creation of directories by virtual users
anon_mkdir_write_enable=YES
# Allows deletion of files and directories by virtual users
anon_other_write_enable=YES


Now start up vsftpd (which is configured to run stand-alone in my config file):

[root@mysystem vsftpd]# vsftpd
STEP 5: Setup virtual FTP usernames and their passwords
[root@mysystem vsftpd]# vi /etc/vsftpd/vsftpd_users.txt
(FORMAT OF THE FILE:)

username1
passwordforusername1
username2
passwordforusername2
username3
passwordforusername3

Now we create the DB4 formatted username/password file from the plain text vsftpd_users.txt file that will be used by pam_userdb.so:

[root@mysystem vsftpd]# rm /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# chmod 600 /etc/vsftpd/vsftpd_users.db /etc/vsftpd/vsftpd_users.txt
STEP 6: Create directories for each virtual FTP user
[root@mysystem vsftpd]# mkdir -p /home/virtualftp/username1
STEP 7: Test an FTP virtual user login
[root@mysystem vsftpd]# ftp localhost
Connected to localhost.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): username1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX
Using binary mode to transfer files.
ftp>
Troubleshooting
If there are problems logging in with a virtual ftp user, check /var/log/secure FIRST!

[root@mysystem vsftpd]# tail -f /var/log/secure
Mar 2 15:07:04 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testing rhost=mysystem.cluster
Mar 2 15:07:04 mysystem vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user testing
Mar 2 15:08:32 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:11:15 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user0123456789012345678901234' granted access
Mar 2 15:12:36 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user01234567890123456789012345' granted access
Mar 2 15:13:43 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user012345678901234567890123456' granted access
Mar 2 15:14:51 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user0123456789012345678901234567' granted access


I found a few times, which can be seen in the real log files above, that the vsftpd_users.db file was not correctly recreated with the db42_load command over the top of an existing vsftpd_users.db file. To resolve this, I simply remove the current vsftpd_users.db file and recreate the file from scratch with the db42_load.

[root@mysystem vsftpd]# strings /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db

Pluggable Authentication Modules

LINUX PAM
What is authentication?
Programs that grant users access to a system verify each user's identity through a process called authentication. Each program has its own way of authenticating. Under Linux, many programs are configured to use a centralized authentication mechanism
called Pluggable Authentication Modules (PAM).
Advantages of using PAM

1. It provides a common authentication scheme that can be used with a wide variety of applications.
2. It provides a large amount of flexibility for both system administrators and developers.
3. It allows application developers to write programs without creating their own authentication scheme.

LOCATION OF CONFIGURATION FILE

The configuration files are located in /etc/pam.d/. In older versions the PAM configuration is in /etc/pam.conf.
Each PAM-aware application must have an entry in /etc/pam.d/.
EG: The login program must have an entry in the /etc/pam.d/ directory.

PAM CONFIGURATION FILE FORMAT

A PAM configuration file contains a group of
directives in the following form.

(module interface)( control flag)(module name)(module arguments)


MODULE INTERFACE
There are four types of PAM module interface, which correlate to the four stages of the authentication process.

AUTH
This module interface is responsible for asking for a password and verifying its validity. It can also set credentials such as group membership or Kerberos tickets.

ACCOUNT

This module interface verifies that access is allowed.
eg: It checks whether the account has expired or whether it is allowed to log in at a particular time of day.

PASSWORD

This module interface sets and verifies passwords.
SESSION

This module interface configures and manages user sessions. Modules used with this interface can also perform additional tasks that are needed to allow access, i.e. mounting the user's home directory and making the user's mailbox available.

NOTE: An individual module can be used with any or all of the module interfaces.
That is, pam_unix.so can be used with all four interfaces.
Module interface directives can be stacked. When module interfaces are stacked in a PAM configuration file, each module is used like a stack, that is first in last out. When multiple modules are used for one purpose, the order in which the module interfaces are listed is very important.
CONTROL FLAG
Every PAM module generates a success or failure result when it is called. The control flag tells PAM what to do with that result. Since modules
are stacked in a particular order, the control flag decides how important the success or failure of a particular module is to the overall goal of authenticating the user to the service.

There are four predefined control flag
1.required
2.requisite
3.sufficient
4.optional

Required
The module result must be successful to authentication to continue. If a required module results fails the user is notified until results on all module referencing that interface are completed.

Requisite
This module result must be successful to continue. However the requisite module fails the user is notified with message reflecting the first failed required or requisite module.

sufficient
The module result must be ignored it fails. However a sufficient flagged module result is successful no required flagged result are failed then no other result are required an user is authenticated to the service.



optional
This module result is ignored. A module result is only become
necessary for successful authentication when there is no other module referencing the that interface.
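To see how the four flags interact, here is an added example (my own code, not part of the original post and not Linux-PAM's code) that replays a stack of module results under these rules. The module names are only labels, the success/failure outcomes are made up, and the LOGIN_AUTH stack mirrors a typical login auth stack in which pam_securetty rejects a root login from an insecure tty.

```python
# Added example (not from the original page): a small simulator of how
# Linux-PAM combines the results of a stack of modules for one interface
# under the required / requisite / sufficient / optional control flags.
# The module names are only labels and the success/failure outcomes are
# constructed; no real PAM module is called.
from collections import namedtuple

# ok: final decision; decided_by: module (or note) that fixed the result;
# consulted: modules that were actually called, in order
Outcome = namedtuple("Outcome", "ok decided_by consulted")


def evaluate_stack(stack):
    """stack is a list of (control_flag, module_name, result) triples where
    result is True for PAM_SUCCESS and False for any failure code."""
    first_required_failure = None  # reported only after the whole stack ran
    some_success = False           # a required/requisite/optional module succeeded
    consulted = []

    for flag, module, ok in stack:
        consulted.append(module)
        if flag in ("required", "requisite"):
            if ok:
                some_success = True
            elif first_required_failure is None:
                first_required_failure = module
            if flag == "requisite" and not ok:
                # requisite aborts at once; the message names the first
                # failed required/requisite module, which may be an earlier one
                return Outcome(False, first_required_failure, consulted)
            # a failed required module does NOT stop the stack: the user only
            # learns the verdict at the end, so the failing module is not revealed
        elif flag == "sufficient":
            if ok and first_required_failure is None:
                # short-circuit: later modules are never consulted
                return Outcome(True, module, consulted)
            # a failed sufficient module is simply ignored
        elif flag == "optional":
            if ok:
                some_success = True   # only matters if nothing else decides
        else:
            raise ValueError(f"unknown control flag {flag!r} for {module}")

    if first_required_failure is not None:
        return Outcome(False, first_required_failure, consulted)
    if not some_success:
        # nothing on the stack granted access (e.g. only failing optional/
        # sufficient modules): Linux-PAM treats this as a denial
        return Outcome(False, "no module granted access", consulted)
    return Outcome(True, "end of stack", consulted)


# A login auth stack with pam_securetty rejecting a root login from an
# insecure tty (constructed outcome).
LOGIN_AUTH = [
    ("required", "pam_securetty.so", False),
    ("required", "pam_pwdb.so", True),
    ("required", "pam_nologin.so", True),
]

# Same modules, but every one flagged requisite.
LOGIN_AUTH_REQUISITE = [("requisite",) + m[1:] for m in LOGIN_AUTH]

# A sufficient module in front of the password check (hypothetical stack).
KERBEROS_FIRST = [
    ("sufficient", "pam_krb5.so", True),
    ("required", "pam_pwdb.so", False),
]

if __name__ == "__main__":
    for name, stack in (("required", LOGIN_AUTH),
                        ("requisite", LOGIN_AUTH_REQUISITE),
                        ("sufficient", KERBEROS_FIRST)):
        print(name, evaluate_stack(stack))
```

Run it and compare the consulted lists: with required, all three modules run even though the first one already failed; with requisite, only the first runs; with a successful sufficient module at the top, the password module is never asked. Put a failing required module in front of KERBEROS_FIRST and the sufficient short-circuit no longer applies.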

Module name
In older PAM configuration files the module had to be given as an absolute path, eg: /lib/security/pam_stack.so. On newer systems only the module name needs to be specified and PAM looks it up in its module directory.

Modules location
PAM modules live in /lib/security/ (/lib64/security/ on 64-bit systems).

Module argument

Arguments can be passed to a module from the PAM configuration file. For example, the pam_userdb.so module authenticates users against secrets held in a Berkeley DB file (Berkeley DB is an open source embedded database used by many applications). This module takes a db argument, db=path to the file, given without the .db extension.

PAM error messages

PAM modules report errors through syslog. Depending on the syslog configuration they end up in /var/log/messages or, on Red Hat systems where the authpriv facility is split out, in /var/log/secure.

AVILABLE MODULES

1.pam_access.so
The pam_access.so module is an access control module. It is used with the account interface. It reads the configuration file /etc/security/access.conf. When pam_access is invoked, /etc/security/access.conf is searched for the first entry that matches the username and the tty or hostname of the login. The first matching entry decides; if no match is found, access is granted.

FIELDS IN /etc/security/access.conf

Each login access control line in /etc/security/access.conf has
three fields separated by the symbol : .
permission:users/groups:origins
The permission field is the symbol + or - . The + symbol indicates that access is granted; the - symbol indicates that access is denied.

The second field is the users/groups field, which may be one or more login names, group names or ALL. Group names should be written in ( ). The keyword EXCEPT excludes the names that follow it from the list.

The third field is a list of one or more tty names (for non-networked logins), host names, domain names (beginning with ".") or network numbers (ending with ".").
The wildcards ALL and LOCAL may also be used; EXCEPT works here as well.

Sample /etc/security/access.conf File

# access.conf file
-:ALL:.evil.com .spam.org
-:ALL EXCEPT root:tty1
+:ALL EXCEPT root:172.17.
+:wheel paul:leghorn
-:ALL:ALL

Rules are tried top to bottom and the first match wins. Note that the final -:ALL:ALL also catches root on tty1: the EXCEPT root on the second line only keeps that deny rule from matching root, it does not grant root anything.

Now simply add the line

account required /lib/security/pam_access.so

to the account stack of the service's file in /etc/pam.d/.
Example of adding pam_access to the /etc/pam.d/login File

auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
account required /lib/security/pam_access.so
password required /lib/security/pam_cracklib.so minlen=20 retry=3 type=SECRET
password required /lib/security/pam_pwdb.so md5 use_authtok
session required /lib/security/pam_pwdb.so

Any attempted access from a denied location results in a Permission denied error message, for example when Paul attempts to log in at the console (tty1) with the sample file above. All failed attempts due to pam_access are logged via syslog (/var/log/messages by default).
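The following added example (my own Python, not pam_access's code) parses the sample file above and applies the first-match rule to a few logins, so you can check what a rule set will do before putting it in front of the account stack. The user, group and origin tuples it tests are made up; a bare name in the second field is matched as a login name and then as a group, which is pam_access's default behaviour unless the nodefgroup option is set.

```python
# Added example (not from the original page): a parser and matcher for the
# rule format of /etc/security/access.conf, used to show how pam_access
# picks the first matching line (and grants when nothing matches).  It
# implements the fields described above; it is not pam_access's own code.
from collections import namedtuple

Rule = namedtuple("Rule", "permit users origins line")

# The sample file from above, embedded here as constructed input.
SAMPLE_ACCESS_CONF = """\
# access.conf file
-:ALL:.evil.com .spam.org
-:ALL EXCEPT root: tty1
+:ALL EXCEPT root:172.17.
+:wheel paul:leghorn
-:ALL:ALL
"""


def _split_except(field):
    """'a b EXCEPT c' -> (['a', 'b'], ['c'])"""
    items = field.split()
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return items[:i], items[i + 1:]
    return items, []


def parse_access_conf(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append(Rule(fields[0] == "+", _split_except(fields[1]),
                          _split_except(fields[2]), line))
    return rules


def _user_matches(item, user, groups):
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):   # (group) form
        return item[1:-1] in groups
    # a bare name matches the login name, or (pam_access default, unless
    # nodefgroup is set) a group the user belongs to, e.g. "wheel" above
    return item == user or item in groups


def _origin_matches(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":                 # tty names and unqualified host names
        return "." not in origin
    if item.startswith("."):            # domain suffix, e.g. .evil.com
        return origin.endswith(item)
    if item.endswith("."):              # network prefix, e.g. 172.17.
        return origin.startswith(item)
    return item == origin               # exact tty or host name


def _field_matches(field, pred):
    items, exceptions = field
    return any(pred(i) for i in items) and not any(pred(e) for e in exceptions)


def access_allowed(rules, user, groups, origin):
    """Return (allowed, matching_rule).  First match wins; no match grants."""
    for rule in rules:
        if (_field_matches(rule.users, lambda i: _user_matches(i, user, groups))
                and _field_matches(rule.origins, lambda i: _origin_matches(i, origin))):
            return rule.permit, rule
    return True, None


if __name__ == "__main__":
    rules = parse_access_conf(SAMPLE_ACCESS_CONF)
    for who, grp, where in (("paul", ["users"], "tty1"),
                            ("paul", ["wheel"], "leghorn"),
                            ("bob", ["users"], "172.17.4.2"),
                            ("root", ["root"], "tty1")):
        allowed, rule = access_allowed(rules, who, grp, where)
        print(f"{who}@{where}: {'allow' if allowed else 'deny'}"
              f" ({rule.line if rule else 'no match, default allow'})")
```

The last case in the demo is the one worth noticing: root at tty1 is denied by the closing -:ALL:ALL line, and dropping that line flips the result to the default allow, which is exactly the "no match means grant" behaviour described above.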


PAM_CRACKLIB.SO

To improve the security of standard reusable passwords, require users to change their password regularly, enforce a minimum length and good rules for new passwords, and keep a history of user passwords so that users cannot reuse them. pam_cracklib.so enforces the strength rules at password-change time.

Enabling pam_cracklib.so

The pam_cracklib.so module is enabled in the PAM configuration file for the password stack, i.e. /etc/pam.d/common-password on Debian systems and /etc/pam.d/system-auth on Red Hat systems. A typical configuration looks like this

password required pam_cracklib.so retry=3 minlen=6 difok=3

password required pam_unix.so md5 use_authtok

The first line enables the pam_cracklib module and sets several parameters.
retry=3 means the user gets three chances to pick a good password before the password program exits. minlen=6 sets the minimum password length, counted with cracklib's credit system, so characters from different classes (digits, upper case, others) can count for more than one.
difok=3 sets the minimum number of characters in the new password that must differ from the previous one. If you increase minlen you may also want to increase difok. The use_authtok on the second line makes pam_unix accept the password that pam_cracklib has already checked instead of prompting again.

Block non-root users from shutting down the system

Prevent a non-root user from shutting down or rebooting the system

To prevent all non-root users from using the shutdown, reboot or halt commands, do the following:

1. In the file /etc/X11/gdm/gdm.conf, change the line that reads:

SystemMenu=true

to

SystemMenu=false

2. In the file /etc/inittab, change the line that reads:

ca:ctrlaltdel:/sbin/shutdown -t3 -r now

to

ca:ctrlaltdel:echo "You are not authorized to turn off the machine"

(then run init q so that init re-reads the file).

3. In the directory /etc/security/console.apps/, delete the files reboot, poweroff and halt. These are what allow console users to run the commands through consolehelper.
4. Remove the file /usr/bin/poweroff (the consolehelper wrapper; root still has /sbin/poweroff).

Note that this only closes the convenience paths: anyone with sudo rights to /sbin/shutdown, or physical access to the power button, can still take the machine down.

SquirrelMail Installation from Source

SquirrelMail


# wget -O squirrelmail-1.4.20.tar.bz2 http://sourceforge.net/projects/squirrelmail/files/stable/1.4.20/squirrelmail-1.4.20.tar.bz2/download

# tar xvjf squirrelmail-1.4.20.tar.bz2

# mv squirrelmail-1.4.20 /var/www/html/

# cd /var/www/html

# mv squirrelmail-1.4.20 webmail

# chown -R apache:apache /var/www/html/webmail

# cd webmail

# mkdir -p /var/local/squirrelmail/attach

# mv -i data/ /var/local/squirrelmail/

# chown -R apache:apache /var/local/squirrelmail/

The data directory is moved out of the document root because SquirrelMail keeps user preferences and uploaded attachments there; left under /var/www/html it would be served by Apache to anyone who guesses the path. The attach directory is created alongside it with the same ownership.


# cd /var/www/html/webmail/config

# ./conf.pl

Select option 2 (Server Settings)
and enter the values like given below


1. Domain : the mail domain (the server's IP address was used here)

2. Invert Time : false

3. Sendmail or SMTP : Sendmail



A. Update IMAP Settings : localhost:143 (courier)

B. Change Sendmail Config : /usr/sbin/sendmail


Save and return to the previous menu

From the main menu select option 4 (General Options) and change the following settings so that they point at the directories moved out of the document root above.


1. Data Directory : /var/local/squirrelmail/data/

2. Attachment Directory : /var/local/squirrelmail/attach/

Save and return to the previous menu


Add the virtual host in Apache (httpd.conf or a file under conf.d/):

<VirtualHost *:80>
    # ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/html/webmail
    ServerName www.test.com
    # ErrorLog logs/dummy-host.example.com-error_log
    # CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>

For anything beyond a local test, serve this over HTTPS: the login form carries the mailbox password.

# service httpd restart
# /etc/init.d/imapd.rc restart

In the browser enter http://localhost/webmail

Thursday, July 29, 2010

SENDMAIL LOGGING

SENDMAIL [ SYSLOG]


How does syslog determine where to send sendmail's log messages?


The mail-related lines of /etc/syslog.conf on SLES are shown below.


# grep -i mail /etc/syslog.conf

mail.*                  -/var/log/mail

mail.info               -/var/log/mail.info

mail.warning            -/var/log/mail.warn

mail.err                -/var/log/mail.err

*.*;mail.none;news.none -/var/log/messages


Explanation:-

In general a syslog.conf entry on Linux and Unix servers has the form

facility.level          action


The facility is mail for everything sendmail logs.

The level is one of the eight priorities 0 to 7 (emerg, alert, crit, err, warning, notice, info, debug).

mail.* in syslog.conf selects all levels. A selector such as mail.warning selects that level and every more severe one, so mail.info catches more than mail.err. The - in front of a file name tells syslogd not to sync the file after every write, and mail.none in the last line keeps mail messages out of /var/log/messages.


NOTE: debug is the most verbose level and emerg the least; logging at debug level creates lots of disk I/O.

With sendmail, each message produces at least two syslog lines, tied together by the queue ID (the field after the process name, e.g. o526C9vA006484 below), not by the PID.

The first line records receipt of the message (from=) and the second line records the delivery attempt (to=, stat=). When a message is handed on to another sendmail instance, the stat= of the relaying line names the queue ID the next hop assigned to it.



Examples are given below.


Receipt of the message from the mail user agent

Jun 2 11:42:13 pc1 sendmail[6484]: o526C9vA006484: from=root, size=6, class=0, nrcpts=1, msgid=<201006020612.o526C9vA006484@pc1.test.com>, relay=root@localhost


Jun 2 11:42:22 pc1 sm-mta[6500]: o526CD0Q006500: from=, size=262, class=0, nrcpts=1, msgid=<201006020612.o526C9vA006484@pc1.test.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Delivery of the message


Jun 2 11:42:22 pc1 sm-mta[6500]: o526CD0Q006500: to=, ctladdr= (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30262, dsn=2.0.0, stat=Sent


Jun 2 11:42:22 pc1 sendmail[6484]: o526C9vA006484: to=root, ctladdr=root (0/0), delay=00:00:13, xdelay=00:00:09, mailer=relay, pri=30006, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (o526CD0Q006500 Message accepted for delivery).
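Here is an added example (my own script, not part of the original post) that correlates receipt and delivery lines by queue ID, follows a message across the submission-to-MTA handoff, and flags deliveries that did not end in stat=Sent. The log lines in it are constructed to mirror the format above; the bob@example.net message and its User unknown bounce are invented.

```python
# Added example (not from the original page): correlate sendmail's receipt
# (from=) and delivery (to=) syslog lines by queue ID and flag deliveries
# that did not end in stat=Sent.  The log lines below are constructed to
# mirror the format shown above; addresses and hosts are invented.
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jun  2 11:42:13 pc1 sendmail[6484]: o526C9vA006484: from=root, size=6, class=0, nrcpts=1, msgid=<201006020612.o526C9vA006484@pc1.test.com>, relay=root@localhost
Jun  2 11:42:22 pc1 sm-mta[6500]: o526CD0Q006500: from=<root@pc1.test.com>, size=262, class=0, nrcpts=1, msgid=<201006020612.o526C9vA006484@pc1.test.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jun  2 11:42:22 pc1 sm-mta[6500]: o526CD0Q006500: to=<root@pc1.test.com>, ctladdr=<root@pc1.test.com> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30262, dsn=2.0.0, stat=Sent
Jun  2 11:42:22 pc1 sendmail[6484]: o526C9vA006484: to=root, ctladdr=root (0/0), delay=00:00:13, xdelay=00:00:09, mailer=relay, pri=30006, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (o526CD0Q006500 Message accepted for delivery)
Jun  2 11:45:02 pc1 sm-mta[6533]: o526Cj1T006533: from=<bob@example.net>, size=5120, class=0, nrcpts=1, msgid=<abc123@example.net>, proto=ESMTP, daemon=MTA, relay=mx.example.net [198.51.100.7]
Jun  2 11:45:03 pc1 sm-mta[6535]: o526Cj1T006533: to=<nosuch@pc1.test.com>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=35120, dsn=5.1.1, stat=User unknown
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>sendmail|sm-mta)\[(?P<pid>\d+)\]: (?P<qid>\w+): (?P<rest>.*)$")
# a relay delivery names the queue ID the next hop assigned to the message
ACCEPTED_RE = re.compile(r"\((?P<qid>\w+) Message accepted for delivery\)")


def parse_fields(rest):
    """'from=root, size=6, ...' -> {'from': 'root', 'size': '6', ...}"""
    fields = {}
    for item in rest.split(", "):
        key, _, value = item.partition("=")
        fields[key] = value
    return fields


def correlate(log_text):
    """Group lines by queue ID: one receipt record and a list of deliveries."""
    msgs = defaultdict(lambda: {"from": None, "msgid": None, "to": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a sendmail queue line
        fields = parse_fields(m["rest"])
        entry = msgs[m["qid"]]
        entry["host"] = m["host"]
        if "from" in fields:              # receipt line
            entry["from"] = fields["from"]
            entry["msgid"] = fields.get("msgid")
        elif "to" in fields:              # delivery attempt
            stat = fields.get("stat", "")
            accepted = ACCEPTED_RE.search(stat)
            entry["to"].append({
                "to": fields["to"], "mailer": fields.get("mailer"),
                "dsn": fields.get("dsn"), "stat": stat,
                "handed_to": accepted["qid"] if accepted else None,
            })
    return dict(msgs)


def trace(msgs, qid, limit=16):
    """Follow a message from its first queue ID through relay hops."""
    chain = [qid]
    while len(chain) < limit:
        hops = [d["handed_to"] for d in msgs.get(qid, {"to": []})["to"] if d["handed_to"]]
        if not hops:
            break
        qid = hops[0]
        chain.append(qid)
    return chain


def find_problems(msgs):
    """Deliveries that did not succeed, plus queue IDs with no receipt line."""
    problems = []
    for qid, entry in sorted(msgs.items()):
        if entry["from"] is None and entry["to"]:
            problems.append((qid, "delivery logged without a receipt (from=) line"))
        for d in entry["to"]:
            if not d["stat"].startswith("Sent"):
                problems.append((qid, f"to={d['to']} dsn={d['dsn']} stat={d['stat']}"))
    return problems


if __name__ == "__main__":
    msgs = correlate(SAMPLE_LOG)
    print("trace:", " -> ".join(trace(msgs, "o526C9vA006484")))
    for qid, why in find_problems(msgs):
        print(f"{qid}: {why}")
```

Pointing correlate() at /var/log/mail instead of SAMPLE_LOG gives a quick bounce report; the trace() output shows why grepping for a PID is the wrong way to follow a message, since the MTA that accepted it runs under a different PID and a different queue ID.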

RESTRICTING MESSAGE SIZE IN SENDMAIL

RESTRICTING MESSAGE SIZE


Go to /data/sendmail-8.14.0/cf/cf (the cf directory of the source tree)

# vi sendmail.mc

insert the following line

define(`confMAX_MESSAGE_SIZE', `4096')

The value is in bytes, so this restricts incoming messages to 4 KB; a larger message is rejected with a permanent 552 error, and the limit is advertised in the EHLO SIZE extension. Regenerate sendmail.cf from the edited .mc file (the Makefile in cf/cf does this with m4), then install it:

# cp sendmail.cf /etc/mail

# grep ^O /etc/mail/sendmail.cf

The output should contain the following line.

O MaxMessageSize=4096

Restart sendmail so that it re-reads sendmail.cf.

CLAMAV INSTALLATION ON OpenSuse 11

CLAMAV INSTALLATION


# cd /data/clamav

# tar xvzf clamav-0.96.1.tar.gz

# cd clamav-0.96.1

# groupadd clamav

# useradd -g clamav clamav

# ./configure

# make

# make install

# cd /usr/local/etc/

# vi clamd.conf

Comment out the line Example (clamd refuses to start while it is active):

#Example

Uncomment the line

LocalSocket /tmp/clamd.socket

:wq //save the file

Note that a socket under /tmp can be reached by every local user; on a production box put it in a directory owned by clamav, e.g. under /var/run/clamav/, and keep its permissions tight (newer clamd.conf versions have LocalSocketGroup and LocalSocketMode for this).


# vi freshclam.conf

Comment out the line Example

# Example


:wq //Save the file.



# touch /var/log/freshclam.log

# chmod 600 /var/log/freshclam.log


# chown clamav /var/log/freshclam.log



# which freshclam // This is the utility responsible for updating the signature database.


The output should be:

/usr/local/bin/freshclam


Run the following

# ldconfig // so that the newly installed libclamav is found

# freshclam // download the current signature database

# clamscan // test scan of the current directory

# clamd start // start the daemon

# ps ax | grep clam


The output should be:

3981 ? Ssl 0:00 clamd start

4010 pts/0 R+ 0:00 grep clam


The log file for the freshclam process is /var/log/freshclam.log:

# ls -l /var/log/freshclam.log

Run freshclam daily from cron (or as a daemon with freshclam -d) so that the signature database stays current.

Thursday, July 8, 2010

SAMBA PRIMARY DOMAIN CONTROLLER

SAMBA PDC

1. It removes the need to keep duplicate users and groups on each stand-alone server.
2. Coupled with Microsoft's networking facility, it allows a user to log in to her local workstation with a domain account.

ADVANTAGES AND DISADVANTAGES

1. Samba 3.0 can act as a Windows NT 4.0-style domain controller.
2. It does not implement the Windows Security Account Manager (SAM) replication protocol.
3. This means that it cannot participate as a domain controller alongside Windows DCs in either an NT 4.0 or mixed-mode Active Directory domain.

ENTER THE FOLLOWING CONFIGURATION INTO /etc/samba/smb.conf.

# mkdir -p /data/public

# mkdir -p /data/netlogon

# vi /etc/samba/smb.conf

[global]
netbios name = SERVER1
workgroup = SUPPORT
security = user
encrypt passwords = yes
# enable PDC functionality
domain master = yes
domain logons = yes

# win browser elections so that the DC acts as local master browser
os level = 33
preferred master = yes
local master = yes

[public]
path = /data/public
read only = no

# emulates the NETLOGON service of a Windows domain controller
[netlogon]
comment = Net Logon service
path = /data/netlogon
# share is read only except for members of the ntadmin group
read only = yes
write list = +ntadmin

Save the file and restart Samba (service smb restart).




Wait approximately one minute for nmbd to complete its name registration process, then run the following command.

Enabling the domain master parameter in the global section of smb.conf causes nmbd to register the DOMAIN<1b> name (SUPPORT<1b> in our example). This name is used by Windows clients to locate the PDC for a domain. When searching for any domain controller, not necessarily just the PDC, a Windows client attempts to resolve the DOMAIN<1c> name; setting the domain logons option in smb.conf makes nmbd register this name too (SUPPORT<1c>).


# nmblookup 'SUPPORT#1b' 'SUPPORT#1c'



The output should be:

querying SUPPORT on 192.168.1.255

192.168.1.2 SUPPORT<1b>

querying SUPPORT on 192.168.1.255

192.168.1.2 SUPPORT<1c>




Also verify the nmbd log file.

# tail -f /var/log/samba/nmbd.log

The output is:


[2010/07/08 21:53:53, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)

*****



Samba name server STROK is now a local master browser for workgroup SUPPORT on subnet 192.168.1.12

become_logon_server_success: Samba is now a logon server for workgroup SUPPORT on subnet 192.168.1.12



*****





2. SETTING UP WINDOWS CLIENT ACCOUNTS ON THE SAMBA DC




On joining a domain, the client establishes a password known only to itself and to the domain controller. This password is called the machine trust account password and is used to prove the identity of the computer each time it contacts the DC. Windows 2000 and later require that you provide credentials for an administrative account that can create the new machine account and assign it a random password.

Domain Admins

Domain Admins is a special group in Windows domains. The group's RID is always 512. When a Windows client joins a domain, it adds this domain group to its local Administrators group. The result is that members of Domain Admins automatically gain administrative privileges on all domain members. Samba honors membership in the Domain Admins group as well, by granting all Domain Admins the ability to manage the user rights assignments necessary to authorize users to join hosts to the domain.


# vi /etc/samba/smb.conf

add
the following line to the GLOBAL section

enable privileges = yes

save the file

# service smb restart



In order to create a group mapping entry for this special domain RID, you must first look up the SID of the SUPPORT domain. You must be root for all the command examples in this section.


# net getlocalsid SUPPORT

The output is:

SID for domain SUPPORT is: S-1-5-21-2126422966-4252198253-3505372293

Now append the Domain Admins RID (512) to the domain SID and create a group mapping entry for it:


# net groupmap add sid=S-1-5-21-2126422966-4252198253-3505372293-512 \
ntgroup="Domain Admins" unixgroup=ntadmin

The output is:

Successfully added group Domain Admins to the mapping db


Now all members of the ntadmin Unix group will be seen as domain administrators by both Samba and Windows clients.

Virtual domain with sendmail and dovecot

Special Thanks To : BasilKurain.


Virtual hosting with dovecot

# grep dovecot /etc/passwd

The output is:

dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin

# grep dovecot /etc/group

dovecot:x:97:

# grep vmail /etc/passwd

The output is:

blank (no such user yet)

# grep vmail /etc/group

The output is:

blank (no such group yet)


# groupadd vmail


# useradd -g vmail vmail

# ls -l /home/

The output is:

drwx------ 6 vmail vmail 4096 Jul 8 16:23 vmail

# touch /var/log/dovecot.log

# touch /var/log/dovecot-info.log

# vi /etc/dovecot.conf

add the following entries

# Remove imaps things if you don't want them
protocols = imaps
# It's nice to have separate log files for Dovecot. You could do this
# by changing syslog configuration also, but this is easier.
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
# Disable SSL for now.
ssl = no # v1.2+, for older versions use: ssl_disable = yes
disable_plaintext_auth = no
# We're using Maildir format
mail_location = maildir:~/Maildir
# If you're using POP3, you'll need this:
# pop3_uidl_format = %08Xu%08Xv
# Authentication configuration:
auth_verbose = yes
auth default {
  mechanisms = plain
  passdb passwd-file {
    args = /etc/dovecot/passwd
  }
  userdb static {
    args = uid=vmail gid=vmail home=/home/vmail/%u
  }
}

With ssl = no and disable_plaintext_auth = no, passwords cross the network in clear text; that is acceptable only while the IMAP port is reached from localhost (as by the webmail above). Re-enable SSL, or set disable_plaintext_auth = yes, before exposing port 143.

# mkdir /etc/dovecot/

# touch /etc/dovecot/passwd

# chown -R dovecot:dovecot /etc/dovecot

The passwd file holds credentials, so make it readable by its owner only (mode 600).

add the following lines to /etc/dovecot/passwd

# vi /etc/dovecot/passwd

vasanth@testing.com:{PLAIN}redhat

hemanth@testing.com:{PLAIN}redhat


save the file

{PLAIN} stores the passwords in clear text and is only suitable for a test setup. For real users put a hashed entry after the colon instead, generated with a scheme such as SHA512-CRYPT (dovecotpw on Dovecot 1.x, doveadm pw on 2.x).
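As an added example (my own code, not Dovecot's and not part of the original post), the following builds passwd-file lines for the two test users with a salted hash instead of {PLAIN} and checks a login attempt against them. It assumes Dovecot's {SSHA256} layout of base64(sha256(password||salt)||salt) with a 4-byte salt, which is my reading of Dovecot's password-scheme.c; confirm with doveadm pw -t before relying on it.

```python
# Added example (not from the original page): build and verify Dovecot
# passwd-file entries.  {PLAIN} is what the page uses; {SSHA256} is one of
# Dovecot's salted hash schemes, laid out as base64(sha256(password||salt)
# || salt) according to my reading of Dovecot's password-scheme.c (check
# with `doveadm pw -t` / `dovecotpw -t` before relying on it).  User names
# and passwords below are the page's test accounts.
import base64
import hashlib
import hmac
import os

SALT_LEN = 4  # Dovecot's SSHA256_SALT_LEN (assumption, see lead-in)
DIGEST_LEN = hashlib.sha256().digest_size


def ssha256_entry(password, salt=None):
    """Return '{SSHA256}<base64>' for password; salt is random unless given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha256(password.encode() + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode()


def verify_entry(password, stored):
    """Check password against a '{SCHEME}value' field from the passwd file."""
    scheme, _, value = stored.partition("}")
    scheme = scheme.lstrip("{")
    if scheme == "PLAIN":
        return hmac.compare_digest(password.encode(), value.encode())
    if scheme == "SSHA256":
        raw = base64.b64decode(value)
        digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
        got = hashlib.sha256(password.encode() + salt).digest()
        return hmac.compare_digest(got, digest)
    raise ValueError(f"unsupported password scheme {scheme!r}")


def passwd_file(users, domain):
    """Render 'user@domain:{SSHA256}...' lines from a dict of plaintext passwords."""
    return "".join(f"{u}@{domain}:{ssha256_entry(p)}\n" for u, p in users.items())


def parse_passwd_file(text):
    """passwd-file format: 'user:password[:uid:gid:gecos:home:shell:extra]'."""
    creds = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        creds[user] = rest.split(":", 1)[0]   # only the password field is needed here
    return creds


def authenticate(creds, user, password):
    stored = creds.get(user)
    if stored is None:
        # still do a comparison so unknown user and wrong password take similar time
        verify_entry(password, ssha256_entry("", b"\0" * SALT_LEN))
        return False
    return verify_entry(password, stored)


if __name__ == "__main__":
    text = passwd_file({"vasanth": "redhat", "hemanth": "redhat"}, "testing.com")
    print(text, end="")
    creds = parse_passwd_file(text)
    print(authenticate(creds, "vasanth@testing.com", "redhat"))   # True
```

Both test users have the same password, yet the two generated lines differ because each gets its own salt; that is the property a {PLAIN} (or unsalted) file lacks, where one leaked entry reveals every account using the same password.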



Open a browser and go to

http://localhost/webmail

username: vasanth@testing.com
password: redhat

You can also use

username: hemanth@testing.com
password: redhat



Now the virtual domain testing.com is configured and the users vasanth and hemanth have been added to it.



Vasanth.T.M

Wednesday, July 7, 2010

Sendmail controlling script

I am posting one useful script to start, stop, restart sendmail (source code installation).

#! /bin/sh
# Start/stop script for a sendmail built from source and installed in /usr/sbin.

case "$1" in
    start)
        echo "Starting SMTP port. (sendmail)"
        # -bd: listen as a daemon on port 25; -q1h: run the queue every hour
        /usr/sbin/sendmail -bd -q1h
        ;;
    stop)
        echo "Stopping SMTP port:"
        # a full path makes killall match the processes executing that binary
        killall /usr/sbin/sendmail
        ;;
    restart|reload)
        $0 stop && $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload}"
        exit 1
        ;;
esac
exit 0