

Configure DNS with CentOS

Posted by Infoaddict

Install BIND

 

[root@dlp ~]#

yum -y install bind bind-utils

 

[2] Configure BIND. This example uses the global IP address range [172.16.0.80/29], the private IP address range [10.0.0.0/24] and the domain name [server.world]. Please use your own IPs and domain name when you configure your server. (Actually, [172.16.0.80/29] is itself a private address range.)

 

[root@dlp ~]#

echo 'OPTIONS="-4"' >> /etc/sysconfig/named

 

# set this if you do not use IPv6 (if you do, leave it unset)

[root@dlp ~]#

vi /etc/named.conf

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

 

options {

# comment this out (listen on all interfaces of the server)

 

# listen-on port 53 { 127.0.0.1; };

 

# change (if you do not use IPv6)

 

listen-on-v6 { none; };

 

directory "/var/named";

 

dump-file "/var/named/data/cache_dump.db";

 

statistics-file "/var/named/data/named_stats.txt";

 

memstatistics-file "/var/named/data/named_mem_stats.txt";

 

# query range (the internal network and so on)

 

allow-query { localhost; 10.0.0.0/24; };

 

# zone-transfer range (set it only if you have a secondary DNS)

 

allow-transfer { localhost; 10.0.0.0/24; };

 

recursion yes;

dnssec-enable yes;

 

dnssec-validation yes;

 

dnssec-lookaside auto;

/* Path to ISC DLV key */

 

bindkeys-file "/etc/named.iscdlv.key";

 

managed-keys-directory "/var/named/dynamic";

};

logging {

channel default_debug {

file "data/named.run";

severity dynamic;

};

};

 

# change all from here

 

view "internal" {

match-clients {

localhost;

10.0.0.0/24;

};

zone "." IN {

type hint;

file "named.ca";

};

zone "server.world" IN {

type master;

file "server.world.lan";

allow-update { none; };

};

zone "0.0.10.in-addr.arpa" IN {

type master;

file "0.0.10.db";

allow-update { none; };

};

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

};

view "external" {

match-clients { any; };

allow-query { any; };

recursion no;

zone "server.world" IN {

type master;

file "server.world.wan";

allow-update { none; };

};

zone "80.0.16.172.in-addr.arpa" IN {

type master;

file "80.0.16.172.db";

allow-update { none; };

};

};

 

# allow-query

⇒ the address range allowed to query

# allow-transfer

⇒ the address range allowed to request zone transfers

# recursion

⇒ whether recursive lookups are allowed

# view "internal" { *** };

⇒ definitions for internal clients

# view "external" { *** };

⇒ definitions for external clients

# To name a reverse-resolution zone, write the network address in reverse order as shown below.
# 10.0.0.0/24
# network address

⇒ 10.0.0.0

# range of network

⇒ 10.0.0.0 - 10.0.0.255

 

# how to write

⇒ 0.0.10.in-addr.arpa

# 172.16.0.80/29
# network address

⇒ 172.16.0.80

# range of network

⇒ 172.16.0.80 - 172.16.0.87

# how to write

⇒ 80.0.16.172.in-addr.arpa

 

For internal zone
This example uses the internal address range [10.0.0.0/24] and the domain name [server.world]; please use your own values when you configure your server.

 

[root@dlp ~]#

vi /var/named/server.world.lan

$TTL 86400

@   IN  SOA     dlp.server.world. root.server.world. (

2011071001  ;Serial

3600        ;Refresh

1800        ;Retry

604800      ;Expire

86400       ;Minimum TTL

)

# define name server

 

IN  NS      dlp.server.world.

# internal IP address of name server

 

IN  A       10.0.0.30

# define Mail exchanger

 

IN  MX 10   dlp.server.world.

 

# define IP address and hostname

 

dlp     IN  A       10.0.0.30

 

[2] For external zone
This example uses the external address range [172.16.0.80/29] and the domain name [server.world]; please use your own values when you configure your server.

 

[root@dlp ~]#

vi /var/named/server.world.wan

$TTL 86400

@   IN  SOA     dlp.server.world. root.server.world. (

2011071001  ;Serial

3600        ;Refresh

1800        ;Retry

604800      ;Expire

86400       ;Minimum TTL

)

# define name server

 

IN  NS      dlp.server.world.

# external IP address of name server

 

IN  A       172.16.0.82

# define Mail exchanger

 

IN  MX 10   dlp.server.world.

 

# define IP address and hostname

 

dlp     IN  A       172.16.0.82

 

Set Zones for reverse resolution

 

  Create zone files so the server can resolve IP addresses back to domain names.
[3] For internal zone
This example uses the internal address range [10.0.0.0/24] and the domain name [server.world]; please use your own values when you configure your server.

 

[root@dlp ~]#

vi /var/named/0.0.10.db

$TTL 86400

@   IN  SOA     dlp.server.world. root.server.world. (

2011071001  ;Serial

3600        ;Refresh

1800        ;Retry

604800      ;Expire

86400       ;Minimum TTL

)

# define name server

 

IN  NS      dlp.server.world.

 

# define the network range this domain covers

 

IN  PTR     server.world.

IN  A       255.255.255.0

 

# define IP address and hostname

 

30      IN  PTR     dlp.server.world.

 

[4] For external zone
This example uses the external address range [172.16.0.80/29] and the domain name [server.world]; please use your own values when you configure your server.

 

[root@dlp ~]#

vi /var/named/80.0.16.172.db

$TTL 86400

@   IN  SOA     dlp.server.world. root.server.world. (

2011071001  ;Serial

3600        ;Refresh

1800        ;Retry

604800      ;Expire

86400       ;Minimum TTL

)

# define name server

 

IN  NS      dlp.server.world.

 

# define the network range this domain covers

 

IN  PTR     server.world.

IN  A       255.255.255.248

 

# define IP address and hostname

 

82      IN  PTR     dlp.server.world.

 

 

Configure the chroot environment. Simply install the "bind-chroot" package to do so. If you edit named.conf or other zone files in the chroot environment, edit the configuration files under /var/named/chroot/.

 

[root@dlp ~]#

yum -y install bind-chroot

[root@dlp ~]#

/etc/rc.d/init.d/named restart

 

Stopping named:

[ OK ]

Starting named:

[ OK ]

[root@dlp ~]#

ll /var/named/chroot/etc

 

total 28

-rw-r--r-- 1 root root   331 Jul  9 11:17 localtime

drwxr-x--- 2 root named 4096 Nov 11  2010 named

-rw-r----- 1 root named 1550 Jul  9 23:19 named.conf

-rw-r--r-- 1 root named  601 Nov 11  2010 named.iscdlv.key

-rw-r----- 1 root named  931 Jun 21  2007 named.rfc1912.zones

drwxr-xr-x 3 root root  4096 Jul  9 23:30 pki

-rw-r----- 1 root named   77 Jul  9 23:02 rndc.key

[root@dlp ~]#

ll /var/named/chroot/var/named

 

total 40

-rw-r--r-- 1 root  root   359 Jul  9 23:25 0.0.10.db

drwxr-x--- 6 root  named 4096 Jul  9 23:30 chroot

drwxrwx--- 2 named named 4096 Jul  9 23:25 data

drwxrwx--- 2 named named 4096 Jul  9 23:26 dynamic

-rw-r----- 1 root  named 1892 Feb 18  2008 named.ca

-rw-r----- 1 root  named  152 Dec 15  2009 named.empty

-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost

-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback

-rw-r--r-- 1 root  root   350 Jul  9 23:24 server.world.lan

drwxrwx--- 2 named named 4096 Nov 11  2010 slaves

 

 

Set CNAME record in zone file.

 

[root@dlp ~]#

vi /var/named/server.world.lan

$TTL 86400

@   IN  SOA     dlp.server.world. root.server.world. (

# update serial

 

2011071002  ;Serial

3600        ;Refresh

1800        ;Retry

604800      ;Expire

86400       ;Minimum TTL

)

IN  NS      dlp.server.world.

IN  A       10.0.0.30

IN  MX 10   dlp.server.world.

 

dlp     IN  A       10.0.0.30

# [ alias IN CNAME server's name ]

 

ftp     IN  CNAME   dlp.server.world.

 

[root@dlp ~]#

rndc reload

 

server reload successful

[root@dlp ~]#

dig ftp.server.world.

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6 <<>> ftp.server.world.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:

;ftp.server.world.              IN      A

;; ANSWER SECTION:
ftp.server.world.       86400   IN      CNAME   dlp.server.world.

 

dlp.server.world.       86400   IN      A       10.0.0.30

;; AUTHORITY SECTION:

server.world.           86400   IN      NS      dlp.server.world.

;; Query time: 0 msec
;; SERVER: 10.0.0.30#53(10.0.0.30)
;; WHEN: Sun Jul 10 23:32:48 2011
;; MSG SIZE rcvd: 82

 

 

The following example shows an environment where the master DNS is "dlp.server.world" and the slave DNS is "ns.example.host".
[1] Write config in Zone file on Master DNS.

 

[root@dlp ~]#

vi /etc/named.conf

# add secondary DNS server in the section below

 

allow-transfer { localhost; 172.16.0.85; };

[root@dlp ~]#

vi /var/named/server.world.wan

$TTL 86400

@   IN  SOA     dlp.server.world. root.server.world. (

# update serial

 

2011071003  ;Serial

3600        ;Refresh

1800        ;Retry

604800      ;Expire

86400       ;Minimum TTL

)

IN  NS      dlp.server.world.

# add slave name server

 

IN  NS      ns.example.host.

IN  A       172.16.0.82

IN  MX 10   dlp.server.world.

 

dlp     IN  A       172.16.0.82

 

[root@dlp ~]#

rndc reload

server reload successful

 

[2] Configuration on Slave DNS.

 

[root@ns ~]#

vi /etc/named.conf

# add lines like below

 

zone "server.world" IN {

type slave;

masters { 172.16.0.82; };

file "slaves/server.world.wan";

notify no;

};

 

[root@ns ~]#

rndc reload

server reload successful
[root@ns ~]#

ls /var/named/slaves

server.world.wan

# the zone file from the master DNS has just been transferred

 


Configure Postfix with CentOS

Posted by Infoaddict

Install Postfix to configure an SMTP server. This example configures SMTP-Auth using Dovecot's SASL function.

[1]

Configure Postfix. (Postfix is installed by default even on a Minimal CentOS installation.)

[root@mail ~]#

vi /etc/postfix/main.cf

# line 75: uncomment and specify hostname

myhostname = mail.server.world

# line 83: uncomment and specify domain name

mydomain = server.world

# line 99: uncomment

myorigin = $mydomain

# line 116: change

inet_interfaces = all

# line 119: change if you use only IPv4

inet_protocols = ipv4

# line 164: add

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

# line 264: uncomment and specify your LAN

mynetworks = 127.0.0.0/8, 10.0.0.0/24

# line 419: uncomment (use Maildir)

home_mailbox = Maildir/

# line 545: uncomment, line 546: add

header_checks = regexp:/etc/postfix/header_checks

body_checks = regexp:/etc/postfix/body_checks

# line 571: add

smtpd_banner = $myhostname ESMTP

# add at the last line

# limit an email size 10M

message_size_limit = 10485760

# limit mailbox 1G

mailbox_size_limit = 1073741824

# for SMTP-Auth settings

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_client_restrictions = permit_mynetworks,reject_unknown_client,permit
smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject

[root@mail ~]#

vi /etc/postfix/header_checks

# add at the head

# reject if email address is empty

/^From:.*<#.*@.*>/ REJECT
/^Return-Path:.*<#.*@.*>/ REJECT

[root@mail ~]#

vi /etc/postfix/body_checks

# reject if includes 'example.com' in mail body

/^(|[^>].*)example.com/ REJECT

[root@mail ~]#

/etc/rc.d/init.d/postfix start

Starting postfix:

[  OK  ]

[root@mail ~]#

chkconfig postfix on

 

Install Dovecot to configure a POP/IMAP server. This example also configures it to provide the SASL function to Postfix.

[root@mail ~]#

yum -y install dovecot

[root@mail ~]#

vi /etc/dovecot/dovecot.conf

# line 31: change (if you do not use IPv6)

listen = *

[root@mail ~]#

vi /etc/dovecot/conf.d/10-auth.conf

# line 9: uncomment and change (allow plain-text authentication; the SSL settings later on this page encrypt the connection it travels over)

disable_plaintext_auth = no

# line 97: add

auth_mechanisms = plain login

[root@mail ~]#

vi /etc/dovecot/conf.d/10-mail.conf

# line 30: uncomment and add

mail_location = maildir:~/Maildir

[root@mail ~]#

vi /etc/dovecot/conf.d/10-master.conf

# line 84-86: uncomment and add

# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {

mode = 0666

user = postfix

# add

group = postfix

# add

}

[root@mail ~]#

/etc/rc.d/init.d/dovecot start

Starting Dovecot Imap:

[  OK  ]

[root@mail ~]#

chkconfig dovecot on

 

Configure the mail client on your PC. This example uses Windows Live Mail.

[1]

Start Windows Live mail and move to "Account" tab and Click "Email".

[2]

Enter the email address, the account password and the sender's name, check the 'Configure Manually' box and go to the next step.

[3]

Select IMAP or POP (this example selects IMAP) and enter the other details of your mail server. Don't forget to check the 'this server requires authentication' box at the bottom.

[4]

Click 'Finish'.

[5]

It connects and fetches the server's folder settings automatically.

 

Configure SSL settings to encrypt data in transit.

[1]

Create certificates first, see here.

[2]

Configure Postfix and Dovecot for SSL

[root@mail ~]#

vi /etc/postfix/main.cf

# add at the last line

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache

[root@mail ~]#

vi /etc/postfix/master.cf

# line 17-18: uncomment

smtps       inet   n       -       n       -       -       smtpd
-o smtpd_tls_wrappermode=yes

[root@mail ~]#

vi /etc/dovecot/conf.d/10-ssl.conf

# line 6: uncomment

ssl = yes

# line 12,13: uncomment and specify certificate

ssl_cert = </etc/pki/tls/certs/server.crt

ssl_key = </etc/pki/tls/certs/server.key

[root@mail ~]#

/etc/rc.d/init.d/postfix restart

Shutting down postfix:

[ OK ]

Starting postfix:

[ OK ]

[root@mail ~]#

/etc/rc.d/init.d/dovecot restart

Stopping Dovecot Imap:

[ OK ]

Starting Dovecot Imap:

[ OK ]

Configure the client. Change the settings as in the following example (if you use POP3S, enter 995 for incoming mail).

Click synchronize in Windows Live Mail; the following warning is shown because the certificate was self-signed on your server, so it is expected. Click 'Yes' to proceed, and you can then send and receive emails through the SSL connection.

 

Create your server's own (self-signed) SSL certificate. If the server is used for business, it is better to buy and use a formal certificate from a public CA such as VeriSign.

[root@www ~]#

cd /etc/pki/tls/certs

[root@www certs]#

make server.key

umask 77 ; \

/usr/bin/openssl genrsa -aes128 2048 > server.key

Generating RSA private key, 2048 bit long modulus
......................................................++++++
.............++++++
e is 61251 (0x10001)
Enter pass phrase:

# set passphrase

Verifying - Enter pass phrase:

# confirm

# remove passphrase from private key

[root@www certs]#

openssl rsa -in server.key -out server.key

Enter pass phrase for server.key:

# input passphrase

writing RSA key
[root@www certs]#
[root@www certs]#

make server.csr

umask 77 ; \

/usr/bin/openssl req -utf8 -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:

JP

# country

State or Province Name (full name) [e]:

Hiroshima

# state

Locality Name (eg, city) [Default City]:

Hiroshima

# city

Organization Name (eg, company) [Default Company Ltd]:

GTS

# company

Organizational Unit Name (eg, section) []:

Server World

# department

Common Name (eg, your server's hostname) []:

www.server.world

# server's FQDN

Email Address []:

xxx@server.world

# email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

# Enter

An optional company name []:

# Enter

[root@www certs]#
[root@www certs]#

openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650

Signature ok
subject=/C=JP/ST=Hiroshima/L=Hiroshima/O=GTS/OU=Server World/CN=www.server.world/emailAddress=xxx@server.world Getting Private key
[root@www certs]#

chmod 400 server.*

 

[1]

Install Clamav

[root@mail ~]#

yum --enablerepo=rpmforge -y install clamav

# install from RPMforge

[root@mail ~]#

vi /etc/freshclam.conf

# line 122: comment it out

# NotifyClamd /etc/clamd.conf

[root@mail ~]#

freshclam

# update pattern files

ClamAV update process started at Sun Jul 10 22:10:08 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
daily.cvd is up to date (version: 13304, sigs: 144473, f-level: 60, builder: guitar)
bytecode.cvd is up to date (version: 143, sigs: 40, f-level: 60, builder: edwin)

[2]

Try to scan

# try a scan (--remove deletes any infected file it finds)

[root@mail ~]#

clamscan --infected --remove --recursive /home

----------- SCAN SUMMARY -----------
Known viruses: 989350
Engine version: 0.97.1
Scanned directories: 3
Scanned files: 3
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 2.060 sec (0 m 2 s)

# download the EICAR test file (a harmless antivirus test signature)

[root@mail ~]#

wget http://www.eicar.org/download/eicar.com

[root@mail ~]#

clamscan --infected --remove --recursive .

./eicar.com: Eicar-Test-Signature FOUND
./eicar.com: Removed.

# detected and removed

----------- SCAN SUMMARY -----------
Known viruses: 989350
Engine version: 0.97.1
Scanned directories: 1
Scanned files: 13
Infected files: 1
Data scanned: 0.02 MB
Data read: 0.01 MB (ratio 2.00:1)
Time: 2.079 sec (0 m 2 s)

 

[root@mail ~]#

yum --enablerepo=rpmforge -y install clamd

# install from RPMforge

[root@mail ~]#

wget http://thewalter.net/stef/software/clamsmtp/clamsmtp-1.10.tar.gz

[root@mail ~]#

tar zxvf clamsmtp-1.10.tar.gz

[root@mail ~]#

cd clamsmtp-1.10

[root@mail clamsmtp-1.10]#

./configure

[root@mail clamsmtp-1.10]#

make

[root@mail clamsmtp-1.10]#

make install

[root@mail clamsmtp-1.10]#

cp ./doc/clamsmtpd.conf /etc

[root@mail clamsmtp-1.10]#

cd

[root@mail ~]#

vi /etc/clamsmtpd.conf

# line 11: change

OutAddress: 127.0.0.1:10026

# line 29: uncomment and change

Listen: 127.0.0.1:10025

# line 32: change

ClamAddress: /var/run/clamav/clamd.sock

# line 35: uncomment

Header: X-Virus-Scanned: ClamAV using ClamSMTP

# line 38: uncomment

TempDirectory: /tmp

# line 41: uncomment

Action: drop

# line 50: uncomment

User: clamav

[root@mail ~]#

vi /etc/rc.d/init.d/clamsmtp

# create init script

#!/bin/bash

# clamsmtpd: Start/Stop clamsmtpd

#

# chkconfig: - 65 40

# description: Clamsmtpd is smtpd for Clamav Antivirus daemon.

#

# processname: clamsmtpd

# pidfile: /var/run/clamav/clamsmtpd.pid

# Shared RHEL init helpers (they provide the daemon/killproc/status
# functions used below) and the system network settings.
source /etc/rc.d/init.d/functions
source /etc/sysconfig/network

# clamsmtpd configuration file and the directory that holds its pid file.
CONFIG_FILE="/etc/clamsmtpd.conf"
PID_DIR="/var/run/clamav"

# Exit status of the most recent start/stop action.
RETVAL=0

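start() {
   # Launch clamsmtpd with the configured config file and pid file.
   # The subsys lock is only touched on success, so condrestart can tell
   # whether the service was actually running.
   echo -n $"Starting ClamSmtpd: "
   daemon /usr/local/sbin/clamsmtpd -f "$CONFIG_FILE" -p "$PID_DIR/clamsmtpd.pid"
   RETVAL=$?
   echo
   if [ "$RETVAL" -eq 0 ]; then
      touch /var/lock/subsys/clamsmtpd
   fi
   # Returns the daemon() status, not the status of touch.
   return "$RETVAL"
}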

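stop() {
   # Ask the service to terminate, then clear the pid file and the subsys
   # lock only if it actually stopped. The pid file lives under PID_DIR
   # (that is where start() tells clamsmtpd to write it).
   echo -n $"Stopping ClamSmtpd: "
   killproc clamsmtpd
   RETVAL=$?
   echo
   if [ "$RETVAL" -eq 0 ]; then
      rm -f "$PID_DIR/clamsmtpd.pid" /var/lock/subsys/clamsmtpd
   fi
   # Returns the killproc status, not the status of rm.
   return "$RETVAL"
}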

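# Stop then start; shared by the "restart" and "condrestart" actions.
# (The original condrestart arm called a "restart" command that was never
# defined, so it silently did nothing.)
restart() {
   stop
   start
}

# Dispatch on the action given as the first argument.
case "$1" in
   start)
      start
      ;;
   stop)
      stop
      ;;
   status)
      status clamsmtpd
      ;;
   restart)
      restart
      ;;
   condrestart)
      # Only restart when the subsys lock says the service was running.
      if [ -f /var/lock/subsys/clamsmtpd ]; then
         restart
      fi
      ;;
   *)
      echo $"Usage: $0 {start|stop|status|restart|condrestart}"
      exit 1
      ;;
esac

# Exit with the status of whichever action ran.
exit $?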

[root@mail ~]#

chmod 755 /etc/rc.d/init.d/clamsmtp

[root@mail ~]#

/etc/rc.d/init.d/clamd start

Starting Clam AntiVirus Daemon: Bytecode: Security mode set to "TrustSigned".
[ OK ]
[root@mail ~]#

/etc/rc.d/init.d/clamsmtp start

Starting ClamSmtpd:

[ OK ]

[root@mail ~]#

chkconfig --add clamsmtp

[root@mail ~]#

chkconfig clamsmtp on

[root@mail ~]#

chkconfig clamd on

[2]

Configure Postfix

[root@mail ~]#

vi /etc/postfix/main.cf

# add at the last line

content_filter = scan:127.0.0.1:10025

[root@mail ~]#

vi /etc/postfix/master.cf

# add at the last line

scan unix -       -       n       -       16       smtp

   -o smtp_data_done_timeout=1200

   -o smtp_send_xforward_command=yes

   -o disable_dns_lookups=yes

127.0.0.1:10026 inet n       -       n       -       16       smtpd

   -o content_filter=

   -o local_recipient_maps=

   -o relay_recipient_maps=

   -o smtpd_restriction_classes=

   -o smtpd_client_restrictions=

   -o smtpd_helo_restrictions=

   -o smtpd_sender_restrictions=

   -o smtpd_recipient_restrictions=permit_mynetworks,reject

   -o mynetworks_style=host

   -o smtpd_authorized_xforward_hosts=127.0.0.0/8

[root@mail ~]#

/etc/rc.d/init.d/postfix restart

Shutting down postfix:

[ OK ]

Starting postfix:

[ OK ]

After this configuration, lines like the following are added to the header section of emails.

If you send the test file by email, it is not delivered to the mailbox and log entries like the following are recorded.

 

Install httpd

[root@www ~]#

yum -y install httpd

# remove welcome page

[root@www ~]#

rm -f /etc/httpd/conf.d/welcome.conf

# remove default error page

[root@www ~]#

rm -f /var/www/error/noindex.html

[2]

Configure httpd.

[root@www ~]#

vi /etc/httpd/conf/httpd.conf

# line 44: change

ServerTokens Prod

# line 76: change to ON

KeepAlive On

# line 262: Admin's address

ServerAdmin root@server.world

# line 276: change to your server's name

ServerName www.server.world:80

# line 338: change

AllowOverride All

# line 402: add the file names that are served when only a directory name is requested

DirectoryIndex index.html index.htm

# line 536: change

ServerSignature Off

# line 759: comment it out

# AddDefaultCharset UTF-8

[root@www ~]#

/etc/rc.d/init.d/httpd start

Starting httpd:

[ OK ]

[root@www ~]#

chkconfig httpd on

Install MySQL for Database Server.

[root@www ~]#

yum -y install mysql-server

[root@www ~]#

/etc/rc.d/init.d/mysqld start

Initializing MySQL database:  Installing MySQL system tables...

OK

Filling help tables...

OK

To start mysqld at boot time you have to copy

support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !

To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'

/usr/bin/mysqladmin -u root -h www.server.world password 'new-password'

Alternatively you can run:

/usr/bin/mysql_secure_installation

which will also give you the option of removing the test

databases and anonymous user created by default.  This is

strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:

cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl

cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

Starting mysqld:     [  OK  ]

[root@www ~]#

chkconfig mysqld on

[root@www ~]#

mysql -u root

# connect to MySQL

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 2

Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

This software comes with ABSOLUTELY NO WARRANTY. This is free software,

and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

# show user info

mysql>

select user,host,password from mysql.user;

# set root password

mysql>

set password for root@localhost=password('password');

Query OK, 0 rows affected (0.00 sec)

# set root password

mysql>

set password for root@'127.0.0.1'=password('password');

Query OK, 0 rows affected (0.00 sec)

# set root password

mysql>

set password for root@'www.server.world'=password('password');

Query OK, 0 rows affected (0.00 sec)

# delete anonymous user

mysql>

delete from mysql.user where user='';

Query OK, 2 rows affected (0.00 sec)

mysql>

select user,host,password from mysql.user;

mysql>

exit

# quit

Bye
[root@www ~]#

mysql -u root -p

# connect with root

Enter password:

# MySQL root password

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 4

Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

This software comes with ABSOLUTELY NO WARRANTY. This is free software,

and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

exit

Bye

MySQL

root@mail ~]#

mysql -u root -p

# connect to MySQL

Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 4

Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

This software comes with ABSOLUTELY NO WARRANTY. This is free software,

and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

# create the "postfixadmin" DB (replace 'password' with a password of your choice)

mysql>

create database postfixadmin character set utf8 collate utf8_bin;

Query OK, 1 row affected (0.00 sec)

mysql>

grant all privileges on postfixadmin.* to postfixadmin@'localhost' identified by 'password';

Query OK, 0 rows affected (0.00 sec)

mysql>

flush privileges;

Query OK, 0 rows affected (0.00 sec)

mysql>

exit

Bye

[2]

Install PostfixAdmin (download the latest version)

[root@mail ~]#

yum -y install php-mysql php-imap

[root@mail ~]#

wget http://ftp.jaist.ac.jp/pub/sourceforge/p/po/postfixadmin/postfixadmin/postfixadmin-2.3.5/postfixadmin-2.3.5.tar.gz

[root@mail ~]#

tar zxvf postfixadmin-2.3.5.tar.gz

[root@mail ~]#

mv postfixadmin-2.3.5 /var/www/html/postfixadmin

[root@mail ~]#

vi /var/www/html/postfixadmin/config.inc.php

# line 26: change

$CONF['configured'] = true;

# line 31: change after the web setup (enter the hash generated in step [5])

$CONF['setup_password'] = 'xxxxxxxxxx';

# line 43: change

$CONF['default_language'] = 'ja';

# line 51,52,53: change to the DB info for postfixadmin

$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'password';
$CONF['database_name'] = 'postfixadmin';

[root@mail ~]#

vi /etc/httpd/conf.d/postfixadmin.conf

# create new

<Directory /var/www/html/postfixadmin/>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 10.0.0.0/24

# IP address you permit

</Directory>

[root@mail ~]#

/etc/rc.d/init.d/httpd restart

Stopping httpd:

[  OK  ]

Starting httpd:

[  OK  ]

[3]

Access "http://(your server's hostname or IP address)/postfixadmin/setup.php". The following screen is shown; click "Lost password?" at the bottom right.

[4]

Input setup password.

[5]

Set the generated hash in the config file (back in [2]). Next, enter the setup password, the email address and the admin password, and click the "add admin" button.

[6]

The admin user is added and the initial setup is complete.

[7]

Access "http://(your server's hostname or IP address)/postfixadmin/login.php". The login screen is shown as follows; log in with the admin user you added.

[8]

You are now logged in. Postfix can be configured from here.

 

[root@mail ~]#

yum --enablerepo=epel -y install mailgraph

# install from EPEL

[root@mail ~]#

vi /etc/httpd/conf.d/mailgraph.conf

Alias /mailgraph /usr/share/mailgraph

AddHandler cgi-script .cgi

<Directory /usr/share/mailgraph/>
AllowOverride None
Options +ExecCGI
DirectoryIndex mailgraph.cgi

   Order Deny,Allow
Deny from all
Allow from 127.0.0.1

10.0.0.0/24

# IP address you allow

</Directory>

[root@mail ~]#

/etc/rc.d/init.d/mailgraph start

Starting mailgraph:

[  OK  ]

[root@mail ~]#

/etc/rc.d/init.d/httpd restart

Stopping httpd:

[  OK  ]

Starting httpd:

[  OK  ]

[root@mail ~]#

chkconfig mailgraph on

[2]

Access 'http://(your server's name or IP address)/mailgraph/' with a web browser. The following screen is shown, where you can view the mail log summary.


Mod Evasive for Apache (First line of defence against DOS attacks)

Posted by Infoaddict

Though I wanted my first howto to be quite powerful and explanatory, here is what I am starting with, with a short one.

Mod Evasive (mod_evasive) is a module for the Apache web server. With it, you can define limits on how often a client may request a page on your website, such as the same page more than once within a second, which is normally an indication of a DoS attack. Mod_evasive intercepts such requests and returns a 403 (Forbidden) to the client. Here is how it is implemented.

System / OS: CentOS 5.0

Homepage of mod_evasive : http://www.zdziarski.com/projects/mod_evasive/
Make sure you have httpd-devel installed before you continue; otherwise you will not have the apxs utility. You have been warned.

# Fetch, unpack and build/install the mod_evasive module into Apache.
# NOTE(review): the archive is fetched over plain HTTP and nothing checks a
# checksum or signature; verify it before building on a production host.
cd ~
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -xzf mod_evasive_1.10.1.tar.gz

cd mod_evasive

# apxs: compile (-c), install (-i) and activate with a LoadModule line (-a).
apxs -i -a -c mod_evasive20.c

vi /etc/httpd/conf/httpd.conf
....

<IfModule mod_evasive20.c>
DOSHashTableSize    3097
DOSPageCount        2
DOSSiteCount        50
DOSPageInterval     1
DOSSiteInterval     1
DOSBlockingPeriod   10
DOSEmailNotify      webmaster@yourdomain.com
#     DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'" # this is firewall command maybe
DOSLogDir           "/var/log/httpd/mod_evasive.log"
</IfModule>

service httpd restart

Time to test it:

Make sure your website's document Root has an index.html, otherwise you will not get correct results. I had to adjust a line in test.pl to get /mrtg/index.html .

# chmod +x test.pl  # supplied by source code of mod_evasive.

Execute this test script:

# ./test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
...
...
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
..
...
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden


Apache PHP and Oracle Howto

Posted by Infoaddict

Note: This is also a year old, but it helps to understand the basic principle of combining Apache, PHP and Oracle.

 

NOTE: NOTE: NOTE: REMOVE APACHE RPM, or else you will be pulling your hair afterwards.
YOU HAVE BEEN WARNED!

Oracle 10gR2 client was installed in /oracle as type: "Run Time"

After the Oracle software installation is complete, it is better to run ldconfig once.

~]# ldconfig

Apache was installed using :

~]# mkdir /www

~]# cd /tmp/httpd-2.2.4

httpd-2.2.4]# ./configure --prefix=/www --exec-prefix=/www --bindir=/www/bin --sysconfdir=/www/conf --libdir=/www/lib  --enable-module=so

httpd-2.2.4]# make && make install && echo "Apache Installation Success" || echo "Apache FAILED"

~]# cd /tmp/php-4.4.5

php-4.4.5]# export ORACLE_HOME=/oracle/product/10.2.0/db_1

php-4.4.5]# export ORACLE_SID=orcl

The following will work for "Administrator" and "Runtime" versions of Oracle Client software installation only :

php-4.4.5]# ./configure --prefix=/www/php --with-apxs2=/www/bin/apxs --with-config-file-path=/www/php --with-oci8=$ORACLE_HOME --enable-shared=$ORACLE_HOME/lib --disable-xml --without-pear --enable-sigchild

php-4.4.5]# make && make install && echo "PHP Installation Success" || echo "PHP FAILED"

php-4.4.5]# libtool --finish /tmp/php-4.4.5/libs

This step is not required:-

~]# chmod o+rx  /oracle -R

~]# vi /www/conf/httpd.conf

(Make the following changes:-)

ServerAdmin webmaster@yourdomain.com
ServerName dbserver.yourdomain.com

AddType application/x-httpd-php .php .phtml

DirectoryIndex index.php index.html index.html.var

LoadModule php4_module        modules/libphp4.so  # (Normally it already exists, you don't have to write yourself)

~]# vi /www/bin/envvars

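# This file is generated from envvars-std.in
#
# Oracle client environment for the Apache binaries started through
# /www/bin/apachectl, so the PHP build can find the client libraries.
export ORACLE_HOME="/oracle/product/10.2.0/db_1"
export ORACLE_BASE="/oracle/"
export ORACLE_SID="orcl"
# Prepend the Apache libraries and append the Oracle client libraries.
# The inherited LD_LIBRARY_PATH is only spliced in when it is non-empty:
# with it unset the old form produced "/www/lib::/oracle/.../lib", and an
# empty element makes the dynamic loader search the current directory.
LD_LIBRARY_PATH="/www/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}:$ORACLE_HOME/lib"
export LD_LIBRARY_PATH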

To check PHP:

~]# vi /www/htdocs/index.php

~]# vi /www/htdocs/test.php

// Smoke test for the OCI8 build: logs in with the sample scott/tiger account
// on the "orcl" instance and prints "Active" or "Failed" (markup stripped).
// NOTE(review): the credentials are hard-coded in a file under the document
// root; remove test.php from /www/htdocs once the check has passed.
if ($conn=OCILogon("scott", "tiger", "orcl")) {
echo "

Active

";
}else {
// $err is collected but never printed; OCIError() holds the failure details.
$err = OCIError();
echo "

Failed

";
}
?>

( Test your entire setup by this script. Should show you "Active" on your web page. )

Now this is the part which made me too mad for a week. It gave me all kinds of weird messages, like: "unable to retrieve text", etc etc.

The application developers were overriding the environment variable settings of my Apache server.

~]# vi /www/htdocs/dsn/conn.php

# #########################################################################################
# As you can see these settings from application were causing all stupid errors
# So I commented them and things become all ok.
# There is no need to setup these variables here as they are setup in /www/bin/envvars file
# (the values below also point at a different ORACLE_HOME than the one Apache is started with)
# #########################################################################################

#putenv("ORACLE_BASE=/u01/app/oracle/product/10.1.0/Db_1");
#putenv("ORACLE_HOME=/u01/app/oracle/product/10.1.0/Db_1");
#putenv("ORACLE_SID=FPSC");
#putenv("NLS_LANGUAGE=FRENCH_FRANCE.WE8ISO8859P1");
#putenv("TNS_ADMIN=/u01/app/oracle/product/10.1.0/Db_1/network/admin");
#putenv("TNS_ADMIN=/u01/app/oracle/product/10.1.0/Db_1");
#putenv("ORA_NLS33=/u01/app/oracle/product/10.1.0/Db_1/ocommon/nls/admin/data");
#putenv("LD_LIBRARY_PATH=/u01/app/oracle/product/10.1.0/Db_1/lib:/u01/app/oracle/product/10.1.0/Db_1/network");

# ##############################################################################################################

# NOTE(review): $conn is not defined in this fragment; presumably the including
# page sets it so an existing connection is reused - confirm against the callers.
if(!$conn) {
# Credentials are hard-coded here; the file lives under the document root, so
# keep it unreadable to other local users.
$conn=OCILogon("scott", "tiger", "orcl");
# die() only emits a generic message; the OCIError() details stay server-side.
if($error = OCIError()) {
die("ERROR!! Couldn't connect to server!");
}
}
?>

Now setup Apache to start at boot time.

~]# vi /etc/rc.local
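# Start Apache at boot and report the outcome. Written as if/else rather than
# "start && ok || failed": in that form the FAILED branch also runs when the
# success echo itself fails, so the two messages can both appear.
if /www/bin/apachectl -k start; then
  echo "Apache startup OK"
else
  echo "Apache startup FAILED"
fi
# Pause kept from the original, presumably to let httpd settle before the
# following rc.local steps - confirm it is still needed.
sleep 3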

 

Or you can setup an init.d script for this.


Automate user response using expect / pexpect scripting tool


A few days ago, I was having a problem extracting temperature values from a few of our switches in our HPC cluster. For some reason, the switches did not support temperature monitoring through SNMP. They did allow ssh though. So I decided to write a script to automatically send the username and password to those switches and execute a particular command to get my task done. Below are those scripts. One uses expect and the other uses pexpect :-

You will need to install expect and pexpect on your system, using yum.
The following script will execute "ls -l" on a remote system.
autologin.sh:-
-------------

#!/usr/bin/expect -f
#A simple example is a script that automates an ssh session:
# Runs $my_command on $remote_server over ssh, answers the password prompt
# automatically and waits for the session to close.
# NOTE(review): the password is stored in cleartext in this file; keep its
# mode restrictive, or move the account to key-based ssh so none is needed.
set remote_server "localhost"
set my_user_id "kamran"
set my_password "redhat"
set my_command "ls -l"
# ssh is given the command on its command line, so no interactive shell is
# requested and the session ends when the command finishes.
spawn ssh $my_user_id@$remote_server $my_command
# "?assword:" matches both "password:" and "Password:". If some other prompt
# comes first (a host-key question, for instance) this expect presumably just
# times out and the password is never sent - confirm before relying on it.
expect "?assword:*" {send "$my_password\r"}
send "\r"
send "exit\r"
# Block until ssh closes the connection.
expect eof

 

The following script uses python, and will execute "uptime" on a remote system:-

pyautologin.sh
-----------------

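#!/usr/bin/python
"""Run REMOTE_COMMAND on HOST over ssh, supply PASS at the password prompt,
and print whatever the session produced before it closed."""
import pexpect

REMOTE_COMMAND = "uptime"
USER = "fahad"
HOST = "localhost"
# NOTE(review): cleartext password in the script; keep the file's mode
# restrictive or switch the account to key-based ssh.
PASS = "redhat"
COMMAND = "ssh  %s@%s %s" % (USER, HOST, REMOTE_COMMAND)
child = pexpect.spawn(COMMAND)
# Waits for the password prompt; if a different prompt appears first (a
# host-key question, for instance) expect() raises pexpect.TIMEOUT instead
# of sending the password.
child.expect('password:')
child.sendline(PASS)
# Run to the end of the session, then dump everything collected before EOF.
child.expect(pexpect.EOF)
# Parenthesised so the script also runs under Python 3, where print is a
# function (child.before is then bytes unless spawn() is given an encoding).
print(child.before)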


Installing Nagios 3.1.2.0 on CentOS 5.3


Step # 1 Checking for Prerequisites.

 

yum list installed | egrep 'httpd|gcc|glibc|glibc-common|gd|gd-devel'

 

compat-gcc-34.i386 3.4.6-4 installed

compat-gcc-34-c++.i386 3.4.6-4 installed

compat-gcc-34-g77.i386 3.4.6-4 installed

compat-glibc.i386 1:2.3.4-2.26 installed

compat-glibc-headers.i386 1:2.3.4-2.26 installed

compat-libgcc-296.i386 2.96-138 installed

gcc.i386 4.1.2-44.el5 installed

gcc-c++.i386 4.1.2-44.el5 installed

gcc-gfortran.i386 4.1.2-44.el5 installed

gcc-gnat.i386 4.1.2-44.el5 installed

gcc-java.i386 4.1.2-44.el5 installed

gcc-objc.i386 4.1.2-44.el5 installed

gd.i386 2.0.33-9.4.el5_1.1 installed

gd-devel.i386 2.0.33-9.4.el5_1.1 installed

gdb.i386 6.8-27.el5 installed

gdbm.i386 1.8.0-26.2.1 installed

gdbm-devel.i386 1.8.0-26.2.1 installed

gdk-pixbuf.i386 1:0.22.0-25.el5 installed

gdm.i386 1:2.16.0-47.el5.centos installed

glibc.i686 2.5-34 installed

glibc-common.i386 2.5-34 installed

glibc-devel.i386 2.5-34 installed

glibc-headers.i386 2.5-34 installed

httpd.i386 2.2.3-22.el5.centos installed

libgcc.i386 4.1.2-44.el5 installed

sysklogd.i386 1.4.1-44.el5 installed

 

 

Above output shows that the required packages are installed on the system. In case they are not installed you can install them using your CentOS 5.3 DVD. If you want to install from the CentOS 5.3 DVD you need to enable CentOS-Media.repo

 

Enabling CentOS-Media.repo

 

vim /etc/yum.repos.d/CentOS-Media.repo

 

# CentOS-Media.repo

#

# This repo is used to mount the default locations for a CDROM / DVD on

# CentOS-5. You can use this repo and yum to install items directly off the

# DVD ISO that we release.

#

# To use this repo, put in your DVD and use it with the other repos too:

# yum --enablerepo=c5-media [command]

#

# or for ONLY the media repo, do this:

#

# yum --disablerepo=\* --enablerepo=c5-media [command]

 

[c5-media]

name=CentOS-$releasever - Media

baseurl=file:///media/dvd/

file:///media/CentOS/

file:///media/cdrom/

file:///media/cdrecorder/

gpgcheck=1

enabled=1

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

 

Step # 2 Installing Prerequisites.

 

yum --disablerepo=\* --enablerepo=c5-media -y install httpd gcc glibc glibc-common gd gd-devel

 

 

 

 

Step # 3 Creating Users/Groups needed.

 

 

groupadd nagcmd

 

useradd -G nagcmd,apache nagios

 

id nagios

 

passwd nagios

 

 

Step # 4 Downloading Nagios & Plugins

 

 

mkdir /downloads

 

cd /downloads

 

 

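# Fetch the Nagios and plugin tarballs (-c resumes a partial download).
# The mirrors are plain HTTP and wget verifies nothing, so check the archives
# against the checksums the project publishes before unpacking them.
wget -c http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-3.1.2.tar.gz

wget -c http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.13.tar.gz

# Replace the placeholders with the published SHA-256 values; sha256sum -c
# exits non-zero on any mismatch, which stops the procedure here.
sha256sum -c <<'EOF' || { echo "checksum mismatch - do not unpack these archives" >&2; exit 1; }
<EXPECTED_SHA256_NAGIOS>  nagios-3.1.2.tar.gz
<EXPECTED_SHA256_PLUGINS>  nagios-plugins-1.4.13.tar.gz
EOF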

 

 

Step # 5 Extracting Nagios tar ball.

 

 

tar zxvf nagios-3.1.2.tar.gz

 

cd nagios-3.1.2

 

 

Step # 6 running ./configure script.

 

./configure --with-command-group=nagcmd

 

Step # 7 compiling the source code.

 

make all

 

Step # 8 Installing Nagios binaries.

make install

 

Step # 9 Installing init script.

make install-init

 

Step # 10 Installing sample config files.

make install-config

 

Step # 11 setting permissions on the external command directory.

make install-commandmode

 

 

Step # 12 Updating contacts/groups information in contacts.cfg file.

vim /usr/local/nagios/etc/objects/contacts.cfg

change the email address of the nagiosadmin user (line 35) according to your requirements.

 

Step # 13 Installing web configuration.

make install-webconf

 

Step # 14 creating nagiosadmin user and setting password for web-interface.

htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

 

Step # 15 Configuring, Restarting Apache Service and Adding to runlevel 35 .

vim /etc/httpd/conf/httpd.conf

go to line 391 and add index.php

chkconfig --level 35 httpd on

service httpd restart

 

Step # 16 Compiling and installing Nagios plugins.

cd /downloads/

tar zxvf nagios-plugins-1.4.13.tar.gz

cd nagios-plugins-1.4.13

./configure --with-nagios-user=nagios --with-nagios-group=nagios

make

 

make install

 

Step # 17 Verifying, restarting nagios service and Adding to runlevel 35 .

/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

chkconfig --level 35 nagios on

Changing nagios user home directory to /usr/local/nagios

usermod -d /usr/local/nagios/ nagios

service nagios restart

ps aux | grep nagios

 

Step # 18 Modifying SeLinux Setting for Nagios

chcon -R -t httpd_sys_content_t /usr/local/nagios/sbin/

 

chcon -R -t httpd_sys_content_t /usr/local/nagios/share/

 

Step # 19 Login to Web-Interface.

http://localhost/nagios

 

Step # 20 Check for Nagios Logs

tail -f /usr/local/nagios/var/nagios.log
