

Configure DNS with CentOS


Install BIND

[root@dlp ~]#

yum -y install bind bind-utils

[2]

Configure BIND. This example is done with the global IP address [172.16.0.80/29], the private IP address [10.0.0.0/24] and the domain name [server.world]. Please use your own IPs and domain name when you set the config on your server. ( Actually, [172.16.0.80/29] is a private IP range, though. )

[root@dlp ~]#

echo 'OPTIONS="-4"' >> /etc/sysconfig/named

# add this line only if you do not use IPv6 ( if you use IPv6, do not set it )

[root@dlp ~]#

vi /etc/named.conf

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

options {

# comment this line out ( named then listens on all interfaces of the server )

#

listen-on port 53 { 127.0.0.1; };

# change ( if you do not use IPv6 )

listen-on-v6

{ none; };

directory

"/var/named";

dump-file

"/var/named/data/cache_dump.db";

statistics-file

"/var/named/data/named_stats.txt";

memstatistics-file

"/var/named/data/named_mem_stats.txt";

# query range ( the internal network and so on )

allow-query

{ localhost;

10.0.0.0/24;

};

# transfer range ( set it if you have secondary DNS )

allow-transfer { localhost; 10.0.0.0/24; };

recursion yes;

dnssec-enable yes;

dnssec-validation yes;

dnssec-lookaside auto;

/* Path to ISC DLV key */

bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

};

logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};

# change all from here

view "internal" {

        match-clients {

                localhost;

                10.0.0.0/24;

        };

        zone "." IN {

                type hint;

                file "named.ca";

        };

        zone "server.world" IN {

                type master;

                file "server.world.lan";

                allow-update { none; };

        };

        zone "0.0.10.in-addr.arpa" IN {

                type master;

                file "0.0.10.db";

                allow-update { none; };

        };

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

};

view "external" {

        match-clients { any; };

        allow-query { any; };

        recursion no;

        zone "server.world" IN {

                type master;

                file "server.world.wan";

                allow-update { none; };

        };

        zone "80.0.16.172.in-addr.arpa" IN {

                type master;

                file "80.0.16.172.db";

                allow-update { none; };

        };

};

# allow-query

⇒ query range you permit

# allow-transfer

⇒ the range you permit to transfer zone info

# recursion

⇒ allow or not to search recursively

# view "internal" { *** };

⇒ write for internal definition

# view "external" { *** };

⇒ write for external definition

# To write the zone name for reverse resolution, write the network address in reverse order as shown below.
# 10.0.0.0/24
# network address

⇒ 10.0.0.0

# range of network

⇒ 10.0.0.0 - 10.0.0.255

# how to write

⇒ 0.0.10.in-addr.arpa

# 172.16.0.80/29
# network address

⇒ 172.16.0.80

# range of network

⇒ 172.16.0.80 - 172.16.0.87

# how to write

⇒ 80.0.16.172.in-addr.arpa

 

For internal zone
This example uses internal address[10.0.0.0/24], domain name[server.world], but please use your own one when you set config on your server.

[root@dlp ~]#

vi /var/named/server.world.lan

$TTL 86400

@   IN  SOA     dlp.server.world. root.server.world. (

        2011071001  ;Serial

        3600        ;Refresh

        1800        ;Retry

        604800      ;Expire

        86400       ;Minimum TTL

)

# define name server

        IN  NS      dlp.server.world.

# internal IP address of name server

        IN  A       10.0.0.30

# define Mail exchanger

        IN  MX 10   dlp.server.world.

# define IP address and hostname

dlp     IN  A       10.0.0.30

[2]

For external zone
This example uses external address[172.16.0.80/29], domain name[server.world], but please use your own one when you set config on your server.

[root@dlp ~]#

vi /var/named/server.world.wan

$TTL 86400

@   IN  SOA     dlp.server.world. root.server.world. (

        2011071001  ;Serial

        3600        ;Refresh

        1800        ;Retry

        604800      ;Expire

        86400       ;Minimum TTL

)

# define name server

        IN  NS      dlp.server.world.

# external IP address of name server

        IN  A       172.16.0.82

# define Mail exchanger

        IN  MX 10   dlp.server.world.

# define IP address and hostname

dlp     IN  A       172.16.0.82

Set Zones for reverse resolution

Create zone files so that the server can resolve domain names from IP addresses.

[3]

For internal zone
This example uses internal address[10.0.0.0/24], domain name[server.world], but please use your own one when you set config on your server.

[root@dlp ~]#

vi /var/named/0.0.10.db

$TTL 86400

@   IN  SOA     dlp.server.world. root.server.world. (

        2011071001  ;Serial

        3600        ;Refresh

        1800        ;Retry

        604800      ;Expire

        86400       ;Minimum TTL

)

# define name server

        IN  NS      dlp.server.world.

# define range that this domain name is in

        IN  PTR     server.world.

        IN  A       255.255.255.0

# define IP address and hostname

30      IN  PTR     dlp.server.world.

[4]

For external zone
This example uses external address[172.16.0.80/29], domain name[server.world], but please use your own one when you set config on your server.

[root@dlp ~]#

vi /var/named/80.0.16.172.db

$TTL 86400

@   IN  SOA     dlp.server.world. root.server.world. (

        2011071001  ;Serial

        3600        ;Refresh

        1800        ;Retry

        604800      ;Expire

        86400       ;Minimum TTL

)

# define name server

        IN  NS      dlp.server.world.

# define range that this domain name is in

        IN  PTR     server.world.

        IN  A       255.255.255.248

# define IP address and hostname

82      IN  PTR     dlp.server.world.

 

Configure the chroot environment. Simply install the "bind-chroot" package to do so. If you edit named.conf or other zone files in the chroot environment, edit the configuration files under /var/named/chroot/.

[root@dlp ~]#

yum -y install bind-chroot

[root@dlp ~]#

/etc/rc.d/init.d/named restart

Stopping named:

[ OK ]

Starting named:

[ OK ]

[root@dlp ~]#

ll /var/named/chroot/etc

total 28

-rw-r--r-- 1 root root   331 Jul  9 11:17 localtime

drwxr-x--- 2 root named 4096 Nov 11  2010 named

-rw-r----- 1 root named 1550 Jul  9 23:19 named.conf

-rw-r--r-- 1 root named  601 Nov 11  2010 named.iscdlv.key

-rw-r----- 1 root named  931 Jun 21  2007 named.rfc1912.zones

drwxr-xr-x 3 root root  4096 Jul  9 23:30 pki

-rw-r----- 1 root named   77 Jul  9 23:02 rndc.key

[root@dlp ~]#

ll /var/named/chroot/var/named

total 40

-rw-r--r-- 1 root  root   359 Jul  9 23:25 0.0.10.db

drwxr-x--- 6 root  named 4096 Jul  9 23:30 chroot

drwxrwx--- 2 named named 4096 Jul  9 23:25 data

drwxrwx--- 2 named named 4096 Jul  9 23:26 dynamic

-rw-r----- 1 root  named 1892 Feb 18  2008 named.ca

-rw-r----- 1 root  named  152 Dec 15  2009 named.empty

-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost

-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback

-rw-r--r-- 1 root  root   350 Jul  9 23:24 server.world.lan

drwxrwx--- 2 named named 4096 Nov 11  2010 slaves

 

Set CNAME record in zone file.

[root@dlp ~]#

vi /var/named/server.world.lan

$TTL 86400

@   IN  SOA     dlp.server.world. root.server.world. (

# update serial

        2011071002  ;Serial

        3600        ;Refresh

        1800        ;Retry

        604800      ;Expire

        86400       ;Minimum TTL

)

        IN  NS      dlp.server.world.

        IN  A       10.0.0.30

        IN  MX 10   dlp.server.world.

dlp     IN  A       10.0.0.30

# [ alias IN CNAME server's name ]

ftp     IN  CNAME   dlp.server.world.

[root@dlp ~]#

rndc reload

server reload successful

[root@dlp ~]#

dig ftp.server.world.

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6 <<>> ftp.server.world.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:

;ftp.server.world.

IN

A

;; ANSWER SECTION:
ftp.server.world.

86400

IN

CNAME

dlp.server.world.

dlp.server.world.

86400

IN

A

10.0.0.30

;; AUTHORITY SECTION:

server.world.

86400

IN

NS

dlp.server.world.

;; Query time: 0 msec
;; SERVER: 10.0.0.30#53(10.0.0.30)
;; WHEN: Sun Jul 10 23:32:48 2011
;; MSG SIZE rcvd: 82

 

The following example shows an environment where the master DNS is "dlp.server.world" and the slave DNS is "ns.example.host".

[1]

Write config in Zone file on Master DNS.

[root@dlp ~]#

vi /etc/named.conf

# add secondary DNS server in the section below

allow-transfer { localhost;

172.16.0.85;

};

[root@dlp ~]#

vi /var/named/server.world.wan

$TTL 86400

@   IN  SOA     dlp.server.world. root.server.world. (

# update serial

        2011071003  ;Serial

        3600        ;Refresh

        1800        ;Retry

        604800      ;Expire

        86400       ;Minimum TTL

)

        IN  NS      dlp.server.world.

# add slave name server

        IN  NS      ns.example.host.

        IN  A       172.16.0.82

        IN  MX 10   dlp.server.world.

dlp     IN  A       172.16.0.82

[root@dlp ~]#

rndc reload

server reload successful

[2]

Configuration on Slave DNS.

[root@ns ~]#

vi /etc/named.conf

# add lines like below

    zone "server.world" IN {

        type slave;

        masters { 172.16.0.82; };

        file "slaves/server.world.wan";

        notify no;

    };

[root@ns ~]#

rndc reload

server reload successful
[root@ns ~]#

ls /var/named/slaves

server.world.wan

# the zone file from the master DNS has just been transferred


Configure Postfix with CentOS


Install Postfix to configure an SMTP server. This example shows how to configure SMTP-Auth using Dovecot's SASL function.

[1]

Configure Postfix. ( Postfix is installed by default even if you installed CentOS with Minimal.)

[root@mail ~]#

vi /etc/postfix/main.cf

# line 75: uncomment and specify hostname

myhostname =

mail.server.world

# line 83: uncomment and specify domain name

mydomain =

server.world

# line 99: uncomment

myorigin = $mydomain

# line 116: change

inet_interfaces =

all

# line 119: change if you use only IPv4

inet_protocols =

ipv4

# line 164: add

mydestination = $myhostname, localhost.$mydomain, localhost

, $mydomain

# line 264: uncomment and specify your LAN

mynetworks = 127.0.0.0/8,

10.0.0.0/24

# line 419: uncomment (use Maildir)

home_mailbox = Maildir/

# line 545: uncomment, line 546: add

header_checks = regexp:/etc/postfix/header_checks

body_checks = regexp:/etc/postfix/body_checks

# line 571: add

smtpd_banner = $myhostname ESMTP

# add at the last line

# limit an email size 10M

message_size_limit = 10485760

# limit mailbox 1G

mailbox_size_limit = 1073741824

# for SMTP-Auth settings

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_client_restrictions = permit_mynetworks,reject_unknown_client,permit
smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject

[root@mail ~]#

vi /etc/postfix/header_checks

# add at the head

# reject if email address is empty

/^From:.*<#.*@.*>/ REJECT
/^Return-Path:.*<#.*@.*>/ REJECT

[root@mail ~]#

vi /etc/postfix/body_checks

# reject if includes 'example.com' in mail body

/^(|[^>].*)example.com/ REJECT

[root@mail ~]#

/etc/rc.d/init.d/postfix start

Starting postfix:

[  OK  ]

[root@mail ~]#

chkconfig postfix on

 

Install Dovecot to Configure POP/IMAP Server. This example shows to configure to provide SASL function to Postfix.

[root@mail ~]#

yum -y install dovecot

[root@mail ~]#

vi /etc/dovecot/dovecot.conf

# line 31: change ( if not use IPv6 )

listen =

*

[root@mail ~]#

vi /etc/dovecot/conf.d/10-auth.conf

# line 9: uncomment and change ( allow plain text auth; passwords are then sent unencrypted until the SSL settings below are applied )

disable_plaintext_auth =

no

# line 97: add

auth_mechanisms = plain

login

[root@mail ~]#

vi /etc/dovecot/conf.d/10-mail.conf

# line 30: uncomment and add

mail_location =

maildir:~/Maildir

[root@mail ~]#

vi /etc/dovecot/conf.d/10-master.conf

# line 84-86: uncomment and add

# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {

mode = 0666

user = postfix

# add

group = postfix

# add

}

[root@mail ~]#

/etc/rc.d/init.d/dovecot start

Starting Dovecot Imap:

[  OK  ]

[root@mail ~]#

chkconfig dovecot on

 

Configure for your Mail Client on your PC. This example shows with Windows Live Mail.

[1]

Start Windows Live mail and move to "Account" tab and Click "Email".

[2]

Input email address, account's password, sender's name and check a box 'Configure Manually' and go next.

[3]

Select IMAP or POP. This example selects IMAP. And input other information of your Mail server. Don't forget to check a box 'this server requires to authenticate' at the bottom.

[4]

Click 'Finish'.

[5]

Connect and get server's folder settings automatically.

 

Configure SSL settings in order to encrypt data in the connection.

[1]

Create certificates first, see here.

[2]

Configure Postfix and Dovecot for SSL

[root@mail ~]#

vi /etc/postfix/main.cf

# add at the last line

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache

[root@mail ~]#

vi /etc/postfix/master.cf

# line 17-18: uncomment

smtps       inet   n       -       n       -       -       smtpd
-o smtpd_tls_wrappermode=yes

[root@mail ~]#

vi /etc/dovecot/conf.d/10-ssl.conf

# line 6: uncomment

ssl = yes

# line 12,13: uncomment and specify certificate

ssl_cert = <

/etc/pki/tls/certs/server.crt

ssl_key = <

/etc/pki/tls/certs/server.key

[root@mail ~]#

/etc/rc.d/init.d/postfix restart

Shutting down postfix:

[ OK ]

Starting postfix:

[ OK ]

[root@mail ~]#

/etc/rc.d/init.d/dovecot restart

Stopping Dovecot Imap:

[ OK ]

Starting Dovecot Imap:

[ OK ]

Configure on the client. Change settings like the following example. ( if you use POP3S, input 995 for incoming mail )

Click synchronize on Windows Live Mail, then the following warning is shown because the certificate file was created on your server. It's no problem. Click 'Yes' to proceed, then it's possible to send/receive emails through the SSL connection.

 

Create your server's own SSL certificate. If you use your server for business, it is better to buy and use a formal certificate from Verisign and so on.

[root@www ~]#

cd /etc/pki/tls/certs

[root@www certs]#

make server.key

umask 77 ; \

/usr/bin/openssl genrsa -aes128 2048 > server.key

Generating RSA private key, 2048 bit long modulus
......................................................++++++
.............++++++
e is 61251 (0x10001)
Enter pass phrase:

# set passphrase

Verifying - Enter pass phrase:

# confirm

# remove passphrase from private key

[root@www certs]#

openssl rsa -in server.key -out server.key

Enter pass phrase for server.key:

# input passphrase

writing RSA key
[root@www certs]#
[root@www certs]#

make server.csr

umask 77 ; \

/usr/bin/openssl req -utf8 -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:

JP

# country

State or Province Name (full name) [e]:

Hiroshima

# state

Locality Name (eg, city) [Default City]:

Hiroshima

# city

Organization Name (eg, company) [Default Company Ltd]:

GTS

# company

Organizational Unit Name (eg, section) []:

Server World

# department

Common Name (eg, your server's hostname) []:

www.server.world

# server's FQDN

Email Address []:

xxx@server.world

# email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

# Enter

An optional company name []:

# Enter

[root@www certs]#
[root@www certs]#

openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650

Signature ok
subject=/C=JP/ST=Hiroshima/L=Hiroshima/O=GTS/OU=Server World/CN=www.server.world/emailAddress=xxx@server.world Getting Private key
[root@www certs]#

chmod 400 server.*

 

[1]

Install Clamav

[root@mail ~]#

yum --enablerepo=rpmforge -y install clamav

# install from RPMforge

[root@mail ~]#

vi /etc/freshclam.conf

# line 122: make it comment

#

NotifyClamd /etc/clamd.conf

[root@mail ~]#

freshclam

# update pattern files

ClamAV update process started at Sun Jul 10 22:10:08 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
daily.cvd is up to date (version: 13304, sigs: 144473, f-level: 60, builder: guitar)
bytecode.cvd is up to date (version: 143, sigs: 40, f-level: 60, builder: edwin)

[2]

Try to scan

# try to scan ( --remove deletes any infected files it finds )

[root@mail ~]#

clamscan --infected --remove --recursive /home

----------- SCAN SUMMARY -----------
Known viruses: 989350
Engine version: 0.97.1
Scanned directories: 3
Scanned files: 3
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 2.060 sec (0 m 2 s)

# try to download trial virus

[root@mail ~]#

wget http://www.eicar.org/download/eicar.com

[root@mail ~]#

clamscan --infected --remove --recursive .

./eicar.com: Eicar-Test-Signature FOUND
./eicar.com: Removed.

# just detected

----------- SCAN SUMMARY -----------
Known viruses: 989350
Engine version: 0.97.1
Scanned directories: 1
Scanned files: 13
Infected files: 1
Data scanned: 0.02 MB
Data read: 0.01 MB (ratio 2.00:1)
Time: 2.079 sec (0 m 2 s)

 

[root@mail ~]#

yum --enablerepo=rpmforge -y install clamd

# install from RPMforge

[root@mail ~]#

wget http://thewalter.net/stef/software/clamsmtp/clamsmtp-1.10.tar.gz

[root@mail ~]#

tar zxvf clamsmtp-1.10.tar.gz

[root@mail ~]#

cd clamsmtp-1.10

[root@mail clamsmtp-1.10]#

./configure

[root@mail clamsmtp-1.10]#

make

[root@mail clamsmtp-1.10]#

make install

[root@mail clamsmtp-1.10]#

cp ./doc/clamsmtpd.conf /etc

[root@mail clamsmtp-1.10]#

cd

[root@mail ~]#

vi /etc/clamsmtpd.conf

# line 11: change

OutAddress:

127.0.0.1:10026

# line 29: uncomment and change

Listen:

127.0.0.1:10025

# line 32: change

ClamAddress:

/var/run/clamav/clamd.sock

# line 35: uncomment

Header: X-Virus-Scanned: ClamAV using ClamSMTP

# line 38: uncomment

TempDirectory: /tmp

# line 41: uncomment

Action: drop

# line 50: uncomment

User: clamav

[root@mail ~]#

vi /etc/rc.d/init.d/clamsmtp

# create init script

#!/bin/bash

# clamsmtpd: Start/Stop clamsmtpd

#

# chkconfig: - 65 40

# description: Clamsmtpd is smtpd for Clamav Antivirus daemon.

#

# processname: clamsmtpd

# pidfile: /var/run/clamav/clamsmtpd.pid

# RHEL/CentOS SysV helpers (daemon, killproc, status are used below) and network settings
. /etc/rc.d/init.d/functions

. /etc/sysconfig/network

# configuration file handed to clamsmtpd via -f
CONFIG_FILE=/etc/clamsmtpd.conf

# directory for the pid file; must match the "# pidfile:" header above
PID_DIR=/var/run/clamav

# exit status of the last start/stop action
RETVAL=0

#######################################
# Start clamsmtpd as a daemon.
# Globals:   CONFIG_FILE, PID_DIR (read), RETVAL (written)
# Returns:   exit status of daemon()
#######################################
start() {
   local pidfile="$PID_DIR/clamsmtpd.pid"
   echo -n $"Starting ClamSmtpd: "
   # daemon() is provided by /etc/rc.d/init.d/functions
   daemon /usr/local/sbin/clamsmtpd -f "$CONFIG_FILE" -p "$pidfile"
   RETVAL=$?
   echo
   # the subsys lock marks the service as running (condrestart checks for it)
   if [ "$RETVAL" -eq 0 ]; then
      touch /var/lock/subsys/clamsmtpd
   fi
   return "$RETVAL"
}

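#######################################
# Stop clamsmtpd and clean up its pid file and subsys lock.
# Globals:   PID_DIR (read), RETVAL (written)
# Returns:   exit status of killproc()
#######################################
stop() {
   local pidfile="$PID_DIR/clamsmtpd.pid"
   echo -n $"Stopping ClamSmtpd: "
   # killproc() is provided by /etc/rc.d/init.d/functions
   killproc clamsmtpd
   RETVAL=$?
   echo
   # Remove the pid file from the directory start() writes it to. The old
   # hard-coded /var/run/clamsmtp/ path never matched PID_DIR, so the pid
   # file written by start() could be left behind after a stop.
   if [ "$RETVAL" -eq 0 ]; then
      rm -f -- "$pidfile" /var/lock/subsys/clamsmtpd
   fi
   return "$RETVAL"
}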

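# Dispatch on the requested action; unknown actions print usage and exit 1.
case "$1" in
   start)
      start
      ;;
   stop)
      stop
      ;;
   status)
      # status() is provided by /etc/rc.d/init.d/functions
      status clamsmtpd
      ;;
   restart)
      stop
      start
      ;;
   condrestart)
      # Restart only when the service is currently running (subsys lock present).
      # The original called "restart", which no function in this script defines;
      # the resulting "command not found" was masked by a trailing "|| :".
      if [ -f /var/lock/subsys/clamsmtpd ]; then
         stop
         start
      fi
      ;;
   *)
      echo $"Usage: $0 {start|stop|status|restart|condrestart}"
      exit 1
      ;;
esac
exit $?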

[root@mail ~]#

chmod 755 /etc/rc.d/init.d/clamsmtp

[root@mail ~]#

/etc/rc.d/init.d/clamd start

Starting Clam AntiVirus Daemon: Bytecode: Security mode set to "TrustSigned".
[ OK ]
[root@mail ~]#

/etc/rc.d/init.d/clamsmtp start

Starting ClamSmtpd:

[ OK ]

[root@mail ~]#

chkconfig --add clamsmtp

[root@mail ~]#

chkconfig clamsmtp on

[root@mail ~]#

chkconfig clamd on

[2]

Configure Postfix

[root@mail ~]#

vi /etc/postfix/main.cf

# add at the last line

content_filter = scan:127.0.0.1:10025

[root@mail ~]#

vi /etc/postfix/master.cf

# add at the last line

scan unix -       -       n       -       16       smtp

   -o smtp_data_done_timeout=1200

   -o smtp_send_xforward_command=yes

   -o disable_dns_lookups=yes

127.0.0.1:10026 inet n       -       n       -       16       smtpd

   -o content_filter=

   -o local_recipient_maps=

   -o relay_recipient_maps=

   -o smtpd_restriction_classes=

   -o smtpd_client_restrictions=

   -o smtpd_helo_restrictions=

   -o smtpd_sender_restrictions=

   -o smtpd_recipient_restrictions=permit_mynetworks,reject

   -o mynetworks_style=host

   -o smtpd_authorized_xforward_hosts=127.0.0.0/8

[root@mail ~]#

/etc/rc.d/init.d/postfix restart

Shutting down postfix:

[ OK ]

Starting postfix:

[ OK ]

The lines below are added to the header section of emails after this configuration.

Try to send the test virus by email; it will not be delivered to a mailbox and logs like below are recorded.

 

Install httpd

[root@www ~]#

yum -y install httpd

# remove welcome page

[root@www ~]#

rm -f /etc/httpd/conf.d/welcome.conf

# remove default error page

[root@www ~]#

rm -f /var/www/error/noindex.html

[2]

Configure httpd.

[root@www ~]#

vi /etc/httpd/conf/httpd.conf

# line 44: change

ServerTokens

Prod

# line 76: change to ON

KeepAlive

On

# line 262: Admin's address

ServerAdmin

root@server.world

# line 276: change to your server's name

ServerName

www.server.world:80

# line 338: change

AllowOverride

All

# line 402: add the file name to be served when only a directory name is requested

DirectoryIndex index.html

index.htm

# line 536: change

ServerSignature

Off

# line 759: make it comment

#

AddDefaultCharset UTF-8

[root@www ~]#

/etc/rc.d/init.d/httpd start

Starting httpd:

[ OK ]

[root@www ~]#

chkconfig httpd on

Install MySQL for Database Server.

[root@www ~]#

yum -y install mysql-server

[root@www ~]#

/etc/rc.d/init.d/mysqld start

Initializing MySQL database:  Installing MySQL system tables...

OK

Filling help tables...

OK

To start mysqld at boot time you have to copy

support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !

To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'

/usr/bin/mysqladmin -u root -h www.server.world password 'new-password'

Alternatively you can run:

/usr/bin/mysql_secure_installation

which will also give you the option of removing the test

databases and anonymous user created by default.  This is

strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:

cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl

cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

Starting mysqld:     [  OK  ]

[root@www ~]#

chkconfig mysqld on

[root@www ~]#

mysql -u root

# connect to MySQL

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 2

Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

This software comes with ABSOLUTELY NO WARRANTY. This is free software,

and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

# show user info

mysql>

select user,host,password from mysql.user;

# set root password

mysql>

set password for root@localhost=password('password');

Query OK, 0 rows affected (0.00 sec)

# set root password

mysql>

set password for root@'127.0.0.1'=password('password');

Query OK, 0 rows affected (0.00 sec)

# set root password

mysql>

set password for root@'www.server.world'=password('password');

Query OK, 0 rows affected (0.00 sec)

# delete anonymous user

mysql>

delete from mysql.user where user='';

Query OK, 2 rows affected (0.00 sec)

mysql>

select user,host,password from mysql.user;

mysql>

exit

# quit

Bye
[root@www ~]#

mysql -u root -p

# connect with root

Enter password:

# MySQL root password

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 4

Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

This software comes with ABSOLUTELY NO WARRANTY. This is free software,

and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

exit

Bye

MySQL

[root@mail ~]#

mysql -u root -p

# connect to MySQL

Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 4

Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

This software comes with ABSOLUTELY NO WARRANTY. This is free software,

and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

# create "postfixadmin" DB ( input any password you like in the 'password' section )

mysql>

create database postfixadmin character set utf8 collate utf8_bin;

Query OK, 1 row affected (0.00 sec)

mysql>

grant all privileges on postfixadmin.* to postfixadmin@'localhost' identified by 'password';

Query OK, 0 rows affected (0.00 sec)

mysql>

flush privileges;

Query OK, 0 rows affected (0.00 sec)

mysql>

exit

Bye

[2]

Install PostfixAdmin (Download the latest version of it)

[root@mail ~]#

yum -y install php-mysql php-imap

[root@mail ~]#

wget http://ftp.jaist.ac.jp/pub/sourceforge/p/po/postfixadmin/postfixadmin/postfixadmin-2.3.5/postfixadmin-2.3.5.tar.gz

[root@mail ~]#

tar zxvf postfixadmin-2.3.5.tar.gz

[root@mail ~]#

mv postfixadmin-2.3.5 /var/www/html/postfixadmin

[root@mail ~]#

vi /var/www/html/postfixadmin/config.inc.php

# line 26: change

$CONF['configured'] =

true

;

# line 31: change after the Web settings (input the hash generated in the [5] section)

$CONF['setup_password'] = '

xxxxxxxxxx

';

# line 43: change

$CONF['default_language'] = '

ja

';

# line 51,52,53: change to the DB info for postfixadmin

$CONF['database_user'] = '

postfixadmin

';
$CONF['database_password'] = '

password

';
$CONF['database_name'] = '

postfixadmin

';

[root@mail ~]#

vi /etc/httpd/conf.d/postfixadmin.conf

# create new

<Directory /var/www/html/postfixadmin/>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 10.0.0.0/24

# IP address you permit

</Directory>

[root@mail ~]#

/etc/rc.d/init.d/httpd restart

Stopping httpd:

[  OK  ]

Starting httpd:

[  OK  ]

[3]

Access "http://(your server's hostname or IP address)/postfixadmin/setup.php". Then the following screen is shown; click "Lost password?" at the lower right.

[4]

Input setup password.

[5]

Set the generated hash in the config file (back to [2]). Next, input the setup password, email address and admin password and click the "add admin" button.

[6]

Admin user is added. Initial settings is just completed.

[7]

Access to "http://(your server's hostname or IP address)/postfixadmin/login.php". Then, login screen is shown like follows. Login with admin user you added.

[8]

Just logged in. It's possible to configure Postfix here.

 

[root@mail ~]#

yum --enablerepo=epel -y install mailgraph

# install from EPEL

[root@mail ~]#

vi /etc/httpd/conf.d/mailgraph.conf

Alias /mailgraph /usr/share/mailgraph

AddHandler cgi-script .cgi

<Directory /usr/share/mailgraph/>
AllowOverride None
Options +ExecCGI
DirectoryIndex mailgraph.cgi

   Order Deny,Allow
Deny from all
Allow from 127.0.0.1

10.0.0.0/24

# IP address you allow

</Directory>

[root@mail ~]#

/etc/rc.d/init.d/mailgraph start

Starting mailgraph:

[  OK  ]

[root@mail ~]#

/etc/rc.d/init.d/httpd restart

Stopping httpd:

[  OK  ]

Starting httpd:

[  OK  ]

[root@mail ~]#

chkconfig mailgraph on

[2]

Access 'http://(your server's name or IP address)/mailgraph/' with a web browser. Then the following screen is shown and you can check the mail log summary.


Mod Evasive for Apache (First line of defence against DOS attacks)


Though I wanted my first howto to be quite powerful and explanatory, here is what I am starting with, with a short one.

Mod Evasive (mod_evasive) is a module for the Apache web server. With it, you can define certain limits for people trying to access a page on your website, such as the ability to access the same page (more than once) within a second. This is normally an indication of a DOS attack. Mod_evasive successfully intercepts such an attack and returns a 403 (Forbidden) message to the attacker. Here is how it will be implemented.

System / OS: CentOS 5.0

Homepage of mod_evasive : http://www.zdziarski.com/projects/mod_evasive/
Make sure you have httpd-devel installed before you continue. Otherwise you will not get the apxs utility. You have been warned.

cd ~
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar xzf mod_evasive_1.10.1.tar.gz

cd mod_evasive

apxs -i -a -c mod_evasive20.c

vi /etc/httpd/conf/httpd.conf
....

<IfModule mod_evasive20.c>
DOSHashTableSize    3097
DOSPageCount        2
DOSSiteCount        50
DOSPageInterval     1
DOSSiteInterval     1
DOSBlockingPeriod   10
DOSEmailNotify      webmaster@yourdomain.com
#     DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'" # this is firewall command maybe
DOSLogDir           "/var/log/httpd/mod_evasive.log"
</IfModule>

service httpd restart

Time to test it:

Make sure your website's document Root has an index.html, otherwise you will not get correct results. I had to adjust a line in test.pl to get /mrtg/index.html .

# chmod +x test.pl  # supplied by source code of mod_evasive.

Execute this test script:

# ./test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
...
...
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
..
...
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden


Apache PHP and Oracle Howto


Note: This is also a year old. But helps understand the basic principle of combining Apache, PHP and Oracle.

 

NOTE: NOTE: NOTE: REMOVE APACHE RPM, or else you will be pulling your hair afterwards.
YOU HAVE BEEN WARNED!

Oracle 10gR2 client was installed in /oracle as type: "Run Time"

After installation of Oracle software is completed, it is better to run ldconfig once.

~]# ldconfig

Apache was installed using :

~]# mkdir /www

~]# cd /tmp/httpd-2.2.4

httpd-2.2.4]# ./configure --prefix=/www --exec-prefix=/www --bindir=/www/bin --sysconfdir=/www/conf --libdir=/www/lib  --enable-module=so

httpd-2.2.4]# make && make install && echo "Apache Installation Success" || echo "Apache FAILED"

~]# cd /tmp/php-4.4.5

php-4.4.5]# export ORACLE_HOME=/oracle/product/10.2.0/db_1

php-4.4.5]# export ORACLE_SID=orcl

The following will work for "Administrator" and "Runtime" versions of Oracle Client software installation only :

php-4.4.5]# ./configure --prefix=/www/php --with-apxs2=/www/bin/apxs --with-config-file-path=/www/php --with-oci8=$ORACLE_HOME --enable-shared=$ORACLE_HOME/lib --disable-xml --without-pear --enable-sigchild

php-4.4.5]# make && make install && echo "PHP Installation Success" || echo "PHP FAILED"

php-4.4.5]# libtool --finish /tmp/php-4.4.5/libs

This step is not required:-

~]# chmod o+rx  /oracle -R

~]# vi /www/conf/httpd.conf

(Make the following changes:-)

ServerAdmin webmaster@yourdomain.com
ServerName dbserver.yourdomain.com

AddType application/x-httpd-php .php .phtml

DirectoryIndex index.php index.html index.html.var

LoadModule php4_module        modules/libphp4.so  # (Normally it already exists, you don't have to write yourself)

~]# vi /www/bin/envvars

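# This file is generated from envvars-std.in
#
# Oracle client environment for the Apache worker processes: the oci8-enabled
# PHP module needs ORACLE_HOME/ORACLE_SID to find the client and the instance,
# and the Oracle client shared libraries must be on the loader path
# (presumably sourced by apachectl before httpd starts — standard Apache layout).
export ORACLE_HOME="/oracle/product/10.2.0/db_1"
export ORACLE_BASE="/oracle/"
export ORACLE_SID="orcl"
# Splice in the inherited LD_LIBRARY_PATH only when it is non-empty. The
# previous "/www/lib:$LD_LIBRARY_PATH:..." form produced an empty element
# ("::") whenever the variable was unset, and the dynamic loader treats an
# empty LD_LIBRARY_PATH element as the current working directory, so httpd
# would have searched its cwd for shared libraries.
LD_LIBRARY_PATH="/www/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}:$ORACLE_HOME/lib"
export LD_LIBRARY_PATH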

To check PHP:

~]# vi /www/htdocs/index.php

~]# vi /www/htdocs/test.php

// Smoke test for the Apache + PHP + Oracle stack: log in through OCI and report
// whether the connection came up. Uses Oracle's demo account (scott/tiger);
// remove this page once the check passes so the credentials are not served.
$conn = OCILogon("scott", "tiger", "orcl");
if ($conn) {
    echo "\n\nActive\n\n";
} else {
    // Last error from the failed login attempt (not displayed by this page).
    $err = OCIError();
    echo "\n\nFailed\n\n";
}
?>

( Test your entire setup by this script. Should show you "Active" on your web page. )

Now this is the part which made me too mad for a week. It gave me all kinds of weird messages, like: "unable to retrieve text", etc etc.

The application developers were overriding the variable settings of my Apache server:

~]# vi /www/htdocs/dsn/conn.php

# #########################################################################################
# Connection bootstrap shared by the application pages.
# The Oracle environment (ORACLE_HOME, ORACLE_SID, LD_LIBRARY_PATH, ...) is already set
# for the Apache process in /www/bin/envvars. The putenv() calls the application shipped
# with overrode those values with paths for a different machine and caused the odd
# "unable to retrieve text"-style errors, so they are left commented out on purpose.
# #########################################################################################

#putenv("ORACLE_BASE=/u01/app/oracle/product/10.1.0/Db_1");
#putenv("ORACLE_HOME=/u01/app/oracle/product/10.1.0/Db_1");
#putenv("ORACLE_SID=FPSC");
#putenv("NLS_LANGUAGE=FRENCH_FRANCE.WE8ISO8859P1");
#putenv("TNS_ADMIN=/u01/app/oracle/product/10.1.0/Db_1/network/admin");
#putenv("TNS_ADMIN=/u01/app/oracle/product/10.1.0/Db_1");
#putenv("ORA_NLS33=/u01/app/oracle/product/10.1.0/Db_1/ocommon/nls/admin/data");
#putenv("LD_LIBRARY_PATH=/u01/app/oracle/product/10.1.0/Db_1/lib:/u01/app/oracle/product/10.1.0/Db_1/network");

# ##############################################################################################################

# Connect only when no connection exists yet. The credentials below are the Oracle demo
# values (scott/tiger); keep this file outside any directory that is served as plain text
# and prefer loading real credentials from a file with restrictive permissions.
if (!$conn) {
    $conn = OCILogon("scott", "tiger", "orcl");
    $error = OCIError();
    if ($error) {
        die("ERROR!! Couldn't connect to server!");
    }
}
?>

Now setup Apache to start at boot time.

~]# vi /etc/rc.local
# Start Apache from the custom prefix (/www) at boot and report the outcome on
# the console; the 3-second pause is kept from the original entry (presumably
# to let httpd settle before the next rc.local line — confirm).
if /www/bin/apachectl -k start; then
  echo "Apache startup OK"
else
  echo "Apache startup FAILED"
fi
sleep 3

 

Or you can setup an init.d script for this.

1Feb/140

Automate user response using expect / pyexpect scripting tool

Posted by Infoaddict

A few days ago, I was having a problem extracting temperature values from a few of our switches in our HPC cluster. For some reason, the switches did not support temperature monitoring through SNMP. They did allow ssh though. So I decided to write a script to automatically send username and password to those switches and execute a particular command to get my task done. Below are those scripts. One uses expect and the other uses pyexpect :-

You will need to install expect and pyexpect on your system, using yum.
The following script will execute "ls -l" on a remote system.
autologin.sh:-
-------------

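#!/usr/bin/expect -f
# Automate an ssh login and run one command on the remote host.
#
# The password is taken from the SSH_PASSWORD environment variable instead of
# being written into the script, so it does not end up in backups, version
# control or any copy of this file. The other settings are plain values.
# Exits non-zero when the password is missing, when no password prompt shows
# up before the expect timeout (for instance because ssh is waiting on a
# host-key confirmation), or when ssh closes the session early.
if {![info exists env(SSH_PASSWORD)]} {
    puts stderr "SSH_PASSWORD is not set; refusing to run with an embedded password"
    exit 1
}
set remote_server "localhost"
set my_user_id "kamran"
set my_password $env(SSH_PASSWORD)
set my_command "ls -l"

# The command is passed as an ssh argument so no interactive shell is left open.
spawn ssh $my_user_id@$remote_server $my_command
expect {
    "?assword:*" { send -- "$my_password\r" }
    timeout {
        puts stderr "no password prompt from $remote_server before timeout"
        exit 1
    }
    eof {
        puts stderr "ssh exited before prompting for a password"
        exit 1
    }
}
send -- "\r"
send -- "exit\r"
expect eof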

 

The following script uses python, and will execute "uptime" on a remote system:-

pyautologin.sh
-----------------

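#!/usr/bin/python
import os
import sys

import pexpect

# Connection settings. User, host and command keep their original defaults;
# the password must come from the environment so it is not stored in the
# script (and therefore in backups or version control).
REMOTE_COMMAND = os.environ.get("REMOTE_COMMAND", "uptime")
USER = os.environ.get("REMOTE_USER", "fahad")
HOST = os.environ.get("REMOTE_HOST", "localhost")
PASS = os.environ.get("SSH_PASSWORD")
if PASS is None:
    sys.stderr.write("SSH_PASSWORD is not set; refusing to run with an embedded password\n")
    sys.exit(1)

COMMAND = "ssh  %s@%s %s" % (USER, HOST, REMOTE_COMMAND)
child = pexpect.spawn(COMMAND)
# expect() raises pexpect.TIMEOUT / pexpect.EOF when the prompt never appears,
# which is the desired loud failure rather than sending the password blindly.
child.expect('password:')
child.sendline(PASS)
child.expect(pexpect.EOF)
# Everything the remote side printed before the session closed.
print(child.before)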

1Feb/140

Installing Nagios 3.1.2.0 on CentOS 5.3

Posted by Infoaddict

Step # 1 Checking for Prerequisites.

 

yum list installed | egrep 'httpd|gcc|glibc|glibc-common|gd|gd-devel'

 

compat-gcc-34.i386 3.4.6-4 installed

compat-gcc-34-c++.i386 3.4.6-4 installed

compat-gcc-34-g77.i386 3.4.6-4 installed

compat-glibc.i386 1:2.3.4-2.26 installed

compat-glibc-headers.i386 1:2.3.4-2.26 installed

compat-libgcc-296.i386 2.96-138 installed

gcc.i386 4.1.2-44.el5 installed

gcc-c++.i386 4.1.2-44.el5 installed

gcc-gfortran.i386 4.1.2-44.el5 installed

gcc-gnat.i386 4.1.2-44.el5 installed

gcc-java.i386 4.1.2-44.el5 installed

gcc-objc.i386 4.1.2-44.el5 installed

gd.i386 2.0.33-9.4.el5_1.1 installed

gd-devel.i386 2.0.33-9.4.el5_1.1 installed

gdb.i386 6.8-27.el5 installed

gdbm.i386 1.8.0-26.2.1 installed

gdbm-devel.i386 1.8.0-26.2.1 installed

gdk-pixbuf.i386 1:0.22.0-25.el5 installed

gdm.i386 1:2.16.0-47.el5.centos installed

glibc.i686 2.5-34 installed

glibc-common.i386 2.5-34 installed

glibc-devel.i386 2.5-34 installed

glibc-headers.i386 2.5-34 installed

httpd.i386 2.2.3-22.el5.centos installed

libgcc.i386 4.1.2-44.el5 installed

sysklogd.i386 1.4.1-44.el5 installed

 

 

Above output shows that the required packages are installed on the system. In case they are not installed, you can install them from your CentOS 5.3 DVD. If you want to install from the CentOS 5.3 DVD you need to enable CentOS-Media.repo.

 

Enabling CentOS-Media.repo

 

vim /etc/yum.repos.d/CentOS-Media.repo

 

# CentOS-Media.repo

#

# This repo is used to mount the default locations for a CDROM / DVD on

# CentOS-5. You can use this repo and yum to install items directly off the

# DVD ISO that we release.

#

# To use this repo, put in your DVD and use it with the other repos too:

# yum --enablerepo=c5-media [command]

#

# or for ONLY the media repo, do this:

#

# yum --disablerepo=\* --enablerepo=c5-media [command]

 

[c5-media]

name=CentOS-$releasever - Media

baseurl=file:///media/dvd/

file:///media/CentOS/

file:///media/cdrom/

file:///media/cdrecorder/

gpgcheck=1

enabled=1

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

 

Step # 2 Installing Prerequisites.

 

yum --disablerepo=\* --enablerepo=c5-media -y install httpd gcc glibc glibc-common gd gd-devel

 

 

 

 

Step # 3 Creating Users/Groups needed.

 

 

groupadd nagcmd

 

useradd -G nagcmd,apache nagios

 

id nagios

 

passwd nagios

 

 

Step # 4 Downloading Nagios & Plugins

 

 

mkdir /downloads

 

cd /downloads

 

 

wget -c http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-3.1.2.tar.gz

 

wget -c http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.13.tar.gz

 

 

Step # 5 Extracting Nagios tar ball.

 

 

tar zxvf nagios-3.1.2.tar.gz

 

cd nagios-3.1.2

 

 

Step # 6 running ./configure script.

 

./configure --with-command-group=nagcmd

 

Step # 7 compiling the source code.

 

make all

 

Step # 8 Installing Nagios binaries.

make install

 

Step # 9 Installing init script.

make install-init

 

Step # 10 Installing sample config files.

make install-config

 

Step # 11 setting permissions on the external command directory.

make install-commandmode

 

 

Step # 12 Updating contacts/groups information in contacts.cfg file.

vim /usr/local/nagios/etc/objects/contacts.cfg

change the email address of the nagiosadmin user (line 35) according to your requirements.

 

Step # 13 Installing web configuration.

make install-webconf

 

Step # 14 creating nagiosadmin user and setting password for web-interface.

htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

 

Step # 15 Configuring, Restarting Apache Service and Adding to runlevel 35 .

vim /etc/httpd/conf/httpd.conf

go to line 391 and add index.php

chkconfig --level 35 httpd on

service httpd restart

 

Step # 16 Compiling and installing Nagios plugins.

cd /downloads/

tar zxvf nagios-plugins-1.4.13.tar.gz

cd nagios-plugins-1.4.13

./configure --with-nagios-user=nagios --with-nagios-group=nagios

make

 

make install

 

Step # 17 Verifying, restarting nagios service and Adding to runlevel 35 .

/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

chkconfig --level 35 nagios on

Changing nagios user home directory to /usr/local/nagios

usermod -d /usr/local/nagios/ nagios

service nagios restart

ps aux | grep nagios

 

Step # 18 Modifying SeLinux Setting for Nagios

chcon -R -t httpd_sys_content_t /usr/local/nagios/sbin/

 

chcon -R -t httpd_sys_content_t /usr/local/nagios/share/

 

Step # 19 Login to Web-Interface.

http://localhost/nagios

 

Step # 20 Check for Nagios Logs

tail -f /usr/local/nagios/var/nagios.log

24Jun/130

Oracle Database 11g Release 2 (11.2) Installation On Oracle Linux 6

Posted by Infoaddict

This article describes the installation of Oracle Database 11g Release 2 (11.2) (64-bit) on Oracle Linux 6 (64-bit). The article is based on a server installation with a minimum of 2G swap, with SELinux set to permissive and the firewall disabled. The following package groups were included for this installation.

  • Base System > Base
  • Base System > Client management tools
  • Base System > Compatibility libraries
  • Base System > Hardware monitoring utilities
  • Base System > Large Systems Performance
  • Base System > Network file system client
  • Base System > Performance Tools
  • Base System > Perl Support
  • Servers > Server Platform
  • Servers > System administration tools
  • Desktops > Desktop
  • Desktops > Desktop Platform
  • Desktops > Fonts
  • Desktops > General Purpose Desktop
  • Desktops > Graphical Administration Tools
  • Desktops > Input Methods
  • Desktops > X Window System
  • Development > Additional Development
  • Development > Development Tools
  • Applications > Internet Browser

An example of this type of Linux installations can be seen here. Alternative installations may require more packages to be loaded, in addition to the ones listed below.

Download Software

Download the Oracle software from OTN or MOS depending on your support status.

Unpack Files

Unzip the files.

# Unpack the installation media. Each group below belongs to one patch set;
# run only the pair that matches the version you downloaded (11.2.0.1,
# 11.2.0.2 or 11.2.0.3), not all three.
# 11.2.0.1
unzip linux.x64_11gR2_database_1of2.zip
unzip linux.x64_11gR2_database_2of2.zip

#11.2.0.2
unzip p10098816_112020_Linux-x86-64_1of7.zip
unzip p10098816_112020_Linux-x86-64_2of7.zip

#11.2.0.3
unzip p10404530_112030_Linux-x86-64_1of7.zip
unzip p10404530_112030_Linux-x86-64_2of7.zip

You should now have a single directory called "database" containing installation files.

Hosts File

The "/etc/hosts" file must contain a fully qualified name for the server.

<IP-address>  <fully-qualified-machine-name>  <machine-name>

For example.

127.0.0.1       localhost.localdomain  localhost
192.168.0.181   ol6-112.localdomain    ol6-112

Oracle Installation Prerequisites

Perform either the Automatic Setup or the Manual Setup to complete the basic prerequisites. The Additional Setup is required for all installations.

Automatic Setup

If you plan to use the "oracle-rdbms-server-11gR2-preinstall" package to perform all your prerequisite setup, follow the instructions at http://public-yum.oracle.com to setup the yum repository for OL, then perform the following command.

# yum install oracle-rdbms-server-11gR2-preinstall

All necessary prerequisites will be performed automatically.

It is probably worth doing a full update as well, but this is not strictly speaking necessary.

# yum update

Manual Setup

If you have not used the "oracle-rdbms-server-11gR2-preinstall" package to perform all prerequisites, you will need to manually perform the following setup tasks.

Oracle recommend the following minimum parameter settings.

fs.suid_dumpable = 1
fs.aio-max-nr = 1048576
fs.file-max = 6815744
kernel.shmall = 2097152
kernel.shmmax = 536870912
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
net.ipv4.ip_local_port_range = 9000 65500
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 1048586

The current values can be tested using the following command.

/sbin/sysctl -a | grep <param-name>

Add or amend the following lines in the "/etc/sysctl.conf" file.

fs.suid_dumpable = 1
fs.aio-max-nr = 1048576
fs.file-max = 6815744
kernel.shmall = 2097152
kernel.shmmax = 536870912
kernel.shmmni = 4096
# semaphores: semmsl, semmns, semopm, semmni
kernel.sem = 250 32000 100 128
net.ipv4.ip_local_port_range = 9000 65500
net.core.rmem_default=4194304
net.core.rmem_max=4194304
net.core.wmem_default=262144
net.core.wmem_max=1048586

Run the following command to change the current kernel parameters.

/sbin/sysctl -p

Add the following lines to the "/etc/security/limits.conf" file.

oracle              soft    nproc   2047
oracle              hard    nproc   16384
oracle              soft    nofile  4096
oracle              hard    nofile  65536
oracle              soft    stack   10240

Install the following packages if they are not already present.

# From Oracle Linux 6 DVD
# The globs resolve against the DVD's Packages directory, so exact release
# numbers need not be spelled out. If the cd fails (media not mounted) the
# rpm lines below run in the current directory and simply find no files.
cd /media/cdrom/Server/Packages
rpm -Uvh binutils-2*x86_64*
# Where two globs share one rpm invocation they are installed in a single
# transaction (presumably because they depend on each other — confirm).
rpm -Uvh glibc-2*x86_64* nss-softokn-freebl-3*x86_64*
rpm -Uvh glibc-2*i686* nss-softokn-freebl-3*i686*
rpm -Uvh compat-libstdc++-33*x86_64*
rpm -Uvh glibc-common-2*x86_64*
rpm -Uvh glibc-devel-2*x86_64*
rpm -Uvh glibc-devel-2*i686*
rpm -Uvh glibc-headers-2*x86_64*
rpm -Uvh elfutils-libelf-0*x86_64*
rpm -Uvh elfutils-libelf-devel-0*x86_64*
rpm -Uvh gcc-4*x86_64*
rpm -Uvh gcc-c++-4*x86_64*
rpm -Uvh ksh-*x86_64*
rpm -Uvh libaio-0*x86_64*
rpm -Uvh libaio-devel-0*x86_64*
# The i686 packages are the 32-bit libraries needed by 11.2.0.1 (see the
# note following this listing); later patch sets need few of them.
rpm -Uvh libaio-0*i686*
rpm -Uvh libaio-devel-0*i686*
rpm -Uvh libgcc-4*x86_64*
rpm -Uvh libgcc-4*i686*
rpm -Uvh libstdc++-4*x86_64*
rpm -Uvh libstdc++-4*i686*
rpm -Uvh libstdc++-devel-4*x86_64*
rpm -Uvh make-3.81*x86_64*
rpm -Uvh numactl-devel-2*x86_64*
rpm -Uvh sysstat-9*x86_64*
rpm -Uvh compat-libstdc++-33*i686*
rpm -Uvh compat-libcap*
# Leave the mount point before ejecting so the eject is not blocked by cwd.
cd /
eject

Note. This will install all the necessary 32-bit packages for 11.2.0.1. From 11.2.0.2 onwards many of these are unnecessary, but having them present does not cause a problem.

Create the new groups and users.

# Create the Oracle OS groups with fixed GIDs (pinned so they match across
# hosts), then the "oracle" software owner with its primary and secondary
# groups. passwd prompts interactively for the new account's password.
while read -r gid name; do
  groupadd -g "$gid" "$name"
done <<'EOF'
501 oinstall
502 dba
503 oper
504 asmadmin
506 asmdba
505 asmoper
EOF

useradd -u 502 -g oinstall -G dba,asmdba,oper oracle
passwd oracle

Note. We are not going to use the "asm" groups, since this installation will not use ASM.

Additional Setup

Set the password for the "oracle" user.

passwd oracle

Set secure Linux to permissive by editing the "/etc/selinux/config" file, making sure the SELINUX flag is set as follows.

SELINUX=permissive

Once the change is complete, restart the server.

If you have the Linux firewall enabled, you will need to disable or configure it, as shown here or here.

Create the directories in which the Oracle software will be installed.

# Create the software home and hand the whole /u01 tree to the oracle user
# and the oinstall group; 775 lets the group write (the inventory lives
# under the same tree) while keeping it read-only for everyone else.
oracle_home=/u01/app/oracle/product/11.2.0/db_1
mkdir -p "$oracle_home"
chown -R oracle:oinstall /u01
chmod -R 775 /u01

Login as root and issue the following command.

xhost +<machine-name>

Login as the oracle user and add the following lines at the end of the ".bash_profile" file.

# Oracle Settings
# Environment for the "oracle" OS user: location of the 11.2 software home,
# the instance to connect to, and the loader/Java search paths.
export TMP=/tmp
export TMPDIR="$TMP"

export ORACLE_HOSTNAME=ol6-112.localdomain
export ORACLE_UNQNAME=DB11G
export ORACLE_BASE=/u01/app/oracle
export ORACLE_HOME="$ORACLE_BASE/product/11.2.0/db_1"
export ORACLE_SID=DB11G

# Prepend so the Oracle binaries win over anything of the same name already
# on PATH; /usr/sbin is added for the system tools the installer calls.
export PATH="$ORACLE_HOME/bin:/usr/sbin:$PATH"

export LD_LIBRARY_PATH="$ORACLE_HOME/lib:/lib:/usr/lib"
export CLASSPATH="$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib"

Installation

Log into the oracle user. If you are using X emulation then set the DISPLAY environmental variable.

DISPLAY=<machine-name>:0.0; export DISPLAY

Start the Oracle Universal Installer (OUI) by issuing the following command in the database directory.

./runInstaller

Proceed with the installation of your choice. The prerequisites checks will fail for the following version-dependent reasons:

  • 11.2.0.1: The installer shows multiple "missing package" failures because it does not recognize several of the newer version packages that were installed. These "missing package" failures can be ignored as the packages are present. The failure for the "pdksh" package can be ignored because we installed the "ksh" package in its place.
  • 11.2.0.2: The installer should only show a single "missing package" failure for the "pdksh" package. It can be ignored because we installed the "ksh" package in its place.
  • 11.2.0.3: The installer shows no failures and continues normally.

You can see the type of installation I performed by clicking on the links below to see screen shots of each stage.

  1. Configure Security Updates
  2. Select Install Option
  3. System Class
  4. Node Selection
  5. Select Install Type
  6. Typical Install Configuration
  7. Create Inventory
  8. Perform Prerequisite Checks
  9. Summary
  10. Install Product
  11. Database Configuration Assistant
  12. Database Configuration Assistant 2
  13. Execute Configuration Scripts
  14. Finish

Post Installation

Edit the "/etc/oratab" file setting the restart flag for each instance to 'Y'.

DB11G:/u01/app/oracle/product/11.2.0/db_1:Y

 

24Jun/130

Tightening SPAM control on ISPConfig Server

Posted by Infoaddict

Recently one of my clients shifted from Plesk to ISPConfig, and I was asked to setup ISPConfig control panel on it. We followed an ISPConfig How-to from howtoforge.com . The installation was (almost) a breeze. Migration from plesk to ISPConfig was quite painful. But anyway, we did it.

Later when the system went live and remained in production for more than a week, we noticed that there is a lot of spam coming in. The postfix mail server needed some additional armor. I wanted some important checks, such as helo, RBL and SPF. Below is how I added that extra level of protection.

 

First, I want to thank and acknowledge the authors of following web pages, which helped me in achieving this:

 

http://www.wains.be/index.php/2006/04/04/postfix-spf/

http://www.freesoftwaremagazine.com/articles/focus_spam_postfix?page=0%2C2

http://www.howtoforge.com/postfix_spf

 

For SPF, I downloaded the postfix-SPF (module/plugin) from http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz , and installed it as following:

 

cd /root/

wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz

tar xzf postfix-policyd-spf-perl-2.007.tar.gz

cp postfix-policyd-spf-perl-2.007/postfix-policyd-spf-perl /usr/libexec/postfix/

chmod +x /usr/libexec/postfix/postfix-policyd-spf-perl

 

Then I had to add the following text (it is one /single long line) to bottom of /etc/postfix/master.cf :-

 

vi /etc/postfix/master.cf

...

spfpolicy unix - n n - 0 spawn user=nobody argv=/usr/libexec/postfix/postfix-policyd-spf-perl

 

Notes:

  • You can use Tabs instead of spaces in the line above. Refer to INSTALL file which comes with the tarball.
  • The INSTALL file uses the word policy, instead of spfpolicy, as shown here. It does not matter. Whatever you choose to use, make sure that you use the same in master.cf and main.cf files.

 

I then edited my /etc/postfix/main.cf file and added the following text. The text below contains SPF checks, RBL checks, invalid helo checks, invalid host-name checks, etc.

 

vi /etc/postfix/main.cf

. . .

(Change the following line:)

smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf

 

(Change to:)

smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, permit

 

Note: The line above is a single line.

 

(Then add the following text:)

policy_time_limit = 3600

smtpd_delay_reject = yes

smtpd_helo_required = yes

smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit

smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_policy_service unix:private/spfpolicy, permit

 

Note: smtpd_* lines shown above are individual long single lines. (Tip: smtpd_* till permit is one line.)

 

After you save this file, restart postfix service :

 

service postfix restart

 

 

20Jun/130

Roundcube (0.2.1) webmail client installation on Centos 5.3

Posted by Infoaddict

Warning: Before you move further into the installation, I must warn you that RoundCube is a web mail client in its infancy. It provides a look and feel like your desktop email client. The only advantage it has over SquirrelMail is that it has the facility to show and compose HTML mails. It does not contain a password changing facility as of version 0.2.1.
Also, it does not contain options to Filter messages as well.
There are hacks, though. I am using Qmail setup, with Squirrelmail+change_password plugin already installed on the mail server. I can use that. OR, I can use a link to qmailadmin administration page, where users can change their passwords, effortlessly. The INSTALL file mentions requirements as:
REQUIREMENTS
============

* The Apache or Lighttpd Webserver
* .htaccess support allowing overrides for DirectoryIndex
* PHP Version 5.2 or greater including
- PCRE (perl compatible regular expression)
- DOM (xml document object model)
- libiconv (recommended)
- mbstring (optional)
* php.ini options:
- error_reporting E_ALL & ~E_NOTICE (or lower)
- memory_limit (increase as suitable to support large attachments)
- file_uploads enabled (for attachment upload features)
- session.auto_start disabled
- zend.ze1_compatibility_mode disabled
* PHP compiled with OpenSSL to connect to IMAPS and to use the spell checker
* A MySQL or PostgreSQL database engine or the SQLite extension for PHP
* One of the above databases with permission to create tables
* An SMTP server or PHP configured for mail delivery

However, in my experience, I have installed successfully on CentOS 5.3, with PHP 5.1 .

Download the Roundcube TAR file from http://roundcube.net/ . Un-tar it under your document root, if you want it just for your specific website, OR, you can un-tar it in /var/www/roundcube and create a server wide alias. This way, it will be accessible to all websites hosted on your server.

Assuming your web server runs as user apache:-
Change the ownership of the entire directory tree of RoundCube source to apache:apache, if you are setting it up server wide.

Change the ownership of the entire directory tree of RoundCube source to yourftpaccount:apache, if you are setting it up only for your website, under your document root sub tree. If your document root is /var/www/vhosts/mysite.com/httpdocs, then you may want to install roundcube in: /var/www/vhosts/mysite.com/httpdocs/webmail .

Make sure that config, temp and logs directories are readable and writeable by user apache.

Once you reach here, you may want to configure it.

If you have installed it server wide, under /var/www/roundcube, you will first need to create an Alias in your apache config file. You can do it as :-

# Expose the server-wide Roundcube install under /roundcube on every vhost,
# then have Apache pick up the new snippet without a full restart.
printf 'Alias /roundcube /var/www/roundcube\n' > /etc/httpd/conf.d/roundcube.conf

service httpd reload

If you have installed it only for one website, inside a directory named webmail under its document root, you can continue onwards.

Go inside the directory webmail/config and change the names of the files *.inc.php.dist to *.inc.php . Now you can use either the web installer method or the manual method. To use the web-installer method, which is disabled by default, you would need to :

set $rcmail_config['enable_installer'] = true; in config/main.inc.php

,… and run/access  http://yourwebsite/webmail/installer from a web browser. This should get you done in a few steps.

If you are doing a manual install, here are the instructions (which are easy as well) :-

The roundcube INSTALL file says:-

First you need to create a database for roundcube, in mysql.

# mysql -u root
CREATE DATABASE roundcubedb /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
GRANT ALL PRIVILEGES ON roundcubedb.* TO roundcubeuser@localhost IDENTIFIED BY 'secret';
quit

Then, populate this DB as :-

[root@www roundcubemail-0.2.1]# mysql -u root -psecretdbpassword roundcubedb < SQL/mysql.initial.sql

Next edit the config/db.inc.php file  and set value for the following variables.

$rcmail_config['db_dsnw'] = 'mysql://roundcubeuser:secret@localhost/roundcubedb';

Then edit the config/main.inc.php and adjust the following variables:-

$rcmail_config['default_host'] = 'mail.yoursite.com';

This one is not a must actually. If you do not set it, you will see a "Server" textbox on the webmail login page, below your id and password text boxes. You may supply "localhost" or "mail.yoursite.com", or whatever is the name of your mail server, in that box. That is it! You are done.

Now login to your roundcube interface by accessing http://yourwebsite/webmail . Use complete email-id as username and your email password . Login and enjoy!

Changing email password:-

Assuming, you have an email id as webmaster@example.com , and you have QmailAdmin installed on your system, like I do, then you would login as :

URL: http://www.yoursite.com/cgi-bin/qmailadmin
UserAccount: webmaster
DomainName: example.com
Password: your-current-email-password

Once you login, you will see options to set your full name, your password, email routing (in case you want your mail to be forwarded elsewhere), and an option to set a vacation auto-response. Update your settings here and press the "Modify User" button at the bottom to save changes. You are done. Similarly, if you have other hosted or hosting environments, such as plesk / cpanel, etc., you may use their email control panel to change your password.

 

19Feb/120

Identifying Host Names and IP Addresses

Posted by Infoaddict

This article presents a mixed bag of Oracle functionality relating to the identification of host names and IP addresses for Oracle clients and servers.

UTL_INADDR
SYS_CONTEXT
V$INSTANCE
V$SESSION

UTL_INADDR

The UTL_INADDR package was introduced in Oracle 8.1.6 to provide a means of retrieving host names and IP addresses of remote hosts from PL/SQL.

The GET_HOST_ADDRESS function returns the IP address of the specified host name.

SQL> SELECT UTL_INADDR.get_host_address('bart') FROM dual;

UTL_INADDR.GET_HOST_ADDRESS('BART')
--------------------------------------------------------------------------------
192.168.2.4

SQL>

The IP address of the database server is returned if the specified host name is NULL or is omitted.

SQL> SELECT UTL_INADDR.get_host_address from dual;

GET_HOST_ADDRESS
--------------------------------------------------------------------------------
192.168.2.5

SQL>

An error is returned if the specified host name is not recognized.

SQL> SELECT UTL_INADDR.get_host_address('banana') from dual;
SELECT UTL_INADDR.get_host_address('banana') from dual
*
ERROR at line 1:
ORA-29257: host banana unknown
ORA-06512: at "SYS.UTL_INADDR", line 19
ORA-06512: at "SYS.UTL_INADDR", line 40
ORA-06512: at line 1

SQL>

The GET_HOST_NAME function returns the host name of the specified IP address.

SQL> SELECT UTL_INADDR.get_host_name('192.168.2.4') FROM dual;

UTL_INADDR.GET_HOST_NAME('192.168.2.4')
--------------------------------------------------------------------------------
bart

SQL>

The host name of the database server is returned if the specified IP address is NULL or omitted.

SQL> SELECT UTL_INADDR.get_host_name FROM dual;

GET_HOST_NAME
--------------------------------------------------------------------------------
C4210gR2

1 row selected.

SQL>

An error is returned if the specified IP address is not recognized.

SQL> SELECT UTL_INADDR.get_host_name('1.1.1.1') FROM dual;
SELECT UTL_INADDR.get_host_name('1.1.1.1') FROM dual
*
ERROR at line 1:
ORA-29257: host 1.1.1.1 unknown
ORA-06512: at "SYS.UTL_INADDR", line 4
ORA-06512: at "SYS.UTL_INADDR", line 35
ORA-06512: at line 1

SQL>

SYS_CONTEXT

The SYS_CONTEXT function is able to return the following host and IP address information for the current session:

TERMINAL - An operating system identifier for the current session. This is often the client machine name.
HOST - The host name of the client machine.
IP_ADDRESS - The IP address of the client machine.
SERVER_HOST - The host name of the server running the database instance.

The following examples show the typical output for each variant.

SQL> SELECT SYS_CONTEXT('USERENV','TERMINAL') FROM dual;

SYS_CONTEXT('USERENV','TERMINAL')
--------------------------------------------------------------------
marge

1 row selected.

SQL> SELECT SYS_CONTEXT('USERENV','HOST') FROM dual;

SYS_CONTEXT('USERENV','HOST')
--------------------------------------------------------------------
marge

1 row selected.

SQL> SELECT SYS_CONTEXT('USERENV','IP_ADDRESS') FROM dual;

SYS_CONTEXT('USERENV','IP_ADDRESS')
--------------------------------------------------------------------
192.168.2.3

1 row selected.

SQL> SELECT SYS_CONTEXT('USERENV','SERVER_HOST') FROM dual;

SYS_CONTEXT('USERENV','SERVER_HOST')
--------------------------------------------------------------------
C4210gr2

1 row selected.

SQL>

V$INSTANCE

The HOST_NAME column of the V$INSTANCE view contains the host name of the server running the instance.

SQL> SELECT host_name FROM v$instance;

HOST_NAME
------------------------------------------------
C4210gR2

1 row selected.

SQL>

V$SESSION

The V$SESSION view contains the following host information for all database sessions:

TERMINAL - The operating system terminal name for the client. This is often set to the client machine name.
MACHINE - The operating system name for the client machine. This may include the domain name if present.

The following examples show the typical output for each column.

SQL> SELECT terminal, machine FROM v$session WHERE username = 'TIM_HALL';

TERMINAL                       MACHINE
------------------------------ ----------------------------------------------------
MARGE                          ORACLE-BASE\MARGE

1 row selected.

SQL>

 

For more information see:
