Red Hat 9 SERVER INSTALLATION
Partition:
boot 100 MB
/ 10 GB
home 10 GB
var 10 GB
swap Double of RAM
profile 30 GB
Packages:
Select all server packages.
Select all development packages.
Kernel source.
Do not select the samba and samba-swat packages.
DNS Configuration:
Check the DNS rpm:
# rpm -qa | grep bind
Now open /etc/named.conf:
# vi /etc/named.conf
Copy all 5 lines of the localhost zone entry to the end of the file and edit them as below.
This is a forward lookup zone entry:
zone "hitech.com" IN {
    type master;
    file "hitech.com.zone";
    allow-update { none; };
};
This is a reverse lookup zone entry:
zone "100.168.192.in-addr.arpa" IN {
    type master;
    file "named.local.hitech";
    allow-update { none; };
};
Copy 2 files into the directory /var/named:
(1) hitech.com.zone
(2) named.local.hitech
#cp /var/named/localhost.zone /var/named/hitech.com.zone
#cp /var/named/named.local /var/named/named.local.hitech
4. vi /var/named/hitech.com.zone
$ORIGIN hitech.com.
@ 1D IN NS hitech.com.
hitech.com. 1D IN A 192.168.100.1
mail IN A 192.168.100.1
hitech.com. IN MX 5 mail.hitech.com.
5. vi /var/named/named.local.hitech
Replace all localhost words with hitech.com.
Contents of named.local.hitech
$TTL 86400
@ IN SOA hitech.com. root.hitech.com. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS hitech.com.
2 IN PTR hitech.com.
Note: In the above file, 2 stands for the last octet of the IP address.
Now edit /etc/resolv.conf:
#vi /etc/resolv.conf
nameserver 192.168.100.2 (give the server IP)
nameserver <ISP's DNS IP>
#service named restart
#rndc reload
#host hitech.com
qmail queries this record:
#host -t MX hitech.com
#host mail.hitech.com
#host 192.168.100.1
#host -a hitech.com
Note: If there is a DNS lookup error on the client side, then iptables should be off.
If we implement qmail and other packages then we have to change the IP in the DNS files and
the other configuration files.
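A consistency check for the forward and reverse zones above (an added example, not part of these notes): it parses the A, PTR, NS and MX records, flags A records without a PTR, PTRs that do not point back at an A record, and MX or NS targets with no address. Run on the records exactly as written above, it reports that the PTR for .2 does not match the A records, which all point at .1.

```python
"""Forward/reverse zone consistency check (added example, not part of the notes).
The zone texts are the hitech.com records from the notes, trimmed to the subset
of zone-file syntax this small parser understands (A, PTR, NS, MX; SOA skipped)."""
import re

FORWARD_ZONE = """\
$ORIGIN hitech.com.
@ 1D IN NS hitech.com.
hitech.com. 1D IN A 192.168.100.1
mail IN A 192.168.100.1
hitech.com. IN MX 5 mail.hitech.com.
"""

REVERSE_ZONE = """\
$TTL 86400
@ IN SOA hitech.com. root.hitech.com. ( 1997022700 28800 14400 3600000 86400 )
 IN NS hitech.com.
2 IN PTR hitech.com.
"""
FORWARD_ORIGIN = "hitech.com."
REVERSE_ORIGIN = "100.168.192.in-addr.arpa."

# owner [ttl] IN type rdata   (owner may be blank = previous owner, or "@" = origin)
RR = re.compile(r"^(\S*)\s+(?:\d+[A-Za-z]?\s+)?IN\s+(A|PTR|NS|MX)\s+(.+)$")


def fqdn(name, origin):
    """Make a zone-file owner/target absolute relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, type, rdata)] with absolute owners; comments stripped."""
    records, last_owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue
        m = RR.match(line)
        if not m:
            continue  # SOA and anything else outside the subset
        owner = fqdn(m.group(1), origin) if m.group(1) else last_owner
        last_owner = owner
        records.append((owner, m.group(2), m.group(3).strip()))
    return records


def ptr_owner_to_ip(owner):
    """'2.100.168.192.in-addr.arpa.' -> '192.168.100.2'"""
    labels = owner[: -len(".in-addr.arpa.")].split(".")
    return ".".join(reversed(labels))


def check_zones(forward, reverse):
    """Return a list of human-readable problems; empty list means consistent."""
    fwd = parse_zone(forward, FORWARD_ORIGIN)
    rev = parse_zone(reverse, REVERSE_ORIGIN)
    a_names = {}  # ip -> set of names that have an A record for it
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            a_names.setdefault(rdata, set()).add(owner)
    names_with_a = set().union(*a_names.values()) if a_names else set()
    problems, ptr_ips = [], set()
    for owner, rtype, rdata in rev:
        if rtype != "PTR":
            continue
        ip = ptr_owner_to_ip(owner)
        ptr_ips.add(ip)
        if rdata not in a_names.get(ip, set()):
            problems.append(f"PTR {ip} -> {rdata} has no matching A record")
    for ip, names in sorted(a_names.items()):
        if ip not in ptr_ips:
            problems.append(f"no PTR for {ip} ({', '.join(sorted(names))})")
    for owner, rtype, rdata in fwd:
        if rtype in ("NS", "MX"):
            target = fqdn(rdata.split()[-1], FORWARD_ORIGIN)
            if target not in names_with_a:
                problems.append(f"{rtype} target {target} has no A record")
    return problems


if __name__ == "__main__":
    for problem in check_zones(FORWARD_ZONE, REVERSE_ZONE) or ["zones are consistent"]:
        print(problem)
```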
Samba Configuration:
(1) First you have to remove all of samba's old rpms if installed.
#rpm -e --nodeps samba
#rpm -e --nodeps samba-common
#rpm -e --nodeps samba-client
#rpm -e --nodeps samba-swat (if installed)
Install all the new samba rpms from the Red Hat Enterprise CDs.
samba-swat-3.0.0-15
samba-common-3.0.0-14.3E from cd-2
samba-3.0.0-14.3E from cd-3
samba-client-3.0.0-14.3E from cd-2
If the rpm is not found, download it from the net and then follow this procedure (for a source rpm):
# rpmbuild --rebuild <samba src rpm name>
Now we have to edit the /etc/samba/smb.conf file.
Contents of the file, the lines which are edited in the Global section:
[global]
workgroup = HITECHEXPORT
server string = Hi-Tech Export PDC Server
#interfaces = eth0, lo
#bind interfaces only = Yes
obey pam restrictions = Yes
pam password change = Yes
hosts allow = 192.168.100. 127.
printing = cups
log file = /var/log/samba/%m.log
max log size = 0
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *ReType*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
local master = Yes
os level = 99
domain master = Yes
preferred master = Yes
domain logons = Yes
logon script = %U.bat
logon path = \\%L\Profiles\%U
dns proxy = No
log level = 1
encrypt passwords = Yes
smb passwd file = /etc/samba/smbpasswd
veto files = /*.mp3/*.MP3/*.mpeg/
If any Windows user cannot access another Windows PC, then fire this command on the
PDC server:
#net groupmap modify ntgroup="Domain Admins" unixgroup=admin
Share definition Section:
• Common Share
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
readonly = No
browsable = No
share modes = No
[Profiles]
comment = User Profiles
path = /Profiles
readonly = No
inherit permissions = Yes
browseable = No
• Data Share
[NewSource]
comment = NewSource
path = /HDrive/Data/NewSource
valid users = @newsource, @admin
read only = No
inherit permissions = Yes
vfs objects = recycle
recycle:keeptree = Yes
recycle:exclude = *.tmp
recycle:repository = .recycle/%U
Now save & exit from the file.
Now fire a command:
# testparm (to check the output of smb.conf)
After editing the smb.conf file you have to create the samba-clients group.
#groupadd samba-clients (if the group file is copied directly from the PDC server then there is no
use for this command)
Create the netlogon directory:
# mkdir -p /home/samba/netlogon (same path as in smb.conf)
To check users:
# vi /etc/passwd
To check whether the smbpasswd file is blank or not (at this point it is still blank):
# vi /etc/samba/smbpasswd (no use if the smbpasswd file is directly copied from the PDC
server.)
To convert normal users to samba users:
Note: Fire this command only if the smb password file is blank.
# cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
We must give root an smbpasswd as the domain admin password.
# smbpasswd root
To append the password of a user to the existing smbpasswd file:
# smbpasswd -a user
Now restart the smb service.
# service smb restart
To check whether the configuration is ok or not, type the command:
# net getlocalsid (fire on the PDC)
# net rpc getsid (only works on the BDC)
Note: To copy the SID from the PDC to the BDC give the command net rpc getsid
We should also check this line in the PDC smb.conf:
add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
If any machine does not join the domain then you have to create the trust account manually:
#useradd -g samba-clients -d /dev/null -s /bin/false machinename$
#passwd -l machinename$
#smbpasswd -a -m machinename
If there is a secondary PDC, then (else it would create problems for the login of users):
domain logons = No
Only for the BDC:
In /etc/samba/smb.conf the following should be adjusted on the BDC:
preferred master = No
domain master = No
os level < PDC's os level
server string = instead of PDC write BDC.
Note: Also copy the following files from the PDC server:
/etc/passwd
/etc/samba/smbpasswd
/etc/shadow
/etc/gshadow
/etc/group
/Profiles/
/home/
If there is any error while joining the domain, then it is possible that the PDC may take 10 min. to
broadcast the SID.
The /Profiles name should be the same in the smb.conf file and the fstab file.
If any user is not able to log in then on the PDC: chmod -R 777 /Profiles
You can delete the partition of /Profiles, if any error is found in it.
(3) Give the .recycle folder permission 333.
# chmod -R 333 /NewEDrive/<path where .recycle is>
Note: Whenever you copy/paste into an original file of the server, kindly take a backup of that
original file first and then copy/paste.
To create a new group and transfer users to it:
Ex. If we want to transfer the users of the autocad group into the new surajn group.
First we have to create the new group called surajn:
#groupadd surajn
Now find the autocad group id in /etc/group and write it down. To find the autocad group id fire
this command:
#cat /etc/group | grep autocad
Now find the above id in /etc/passwd with the help of the following command:
#cat /etc/passwd | grep <id number>
Now change the user's group:
# usermod -g <new groupname> username
Second Ex.
Add a group called abc:
# groupadd abc
Add user xyz to the abc group:
# adduser -g abc xyz
If user xyz is in 2 groups then fire this command:
# adduser -g abc -G pqr xyz
Note: In this case user xyz's primary group is abc and secondary group is pqr.
To change a user's primary group:
# usermod -g xyz user
HOME Directory:
If there is no home directory for a user then you can create his home directory:
#mkdir -p /home/sanjeevm
#chown -R sanjeevm /home/sanjeevm
#usermod -d /home/sanjeevm/ sanjeevm
This is useful for Webmail etc.
Note:
When you add a new share in samba, then you have to do:
mkdir -p /NewFolder/.recycle
chmod -R 2777 /NewFolder (sgid set on this folder to maintain quota)
chmod -R 333 /NewFolder/.recycle
chgrp -R groupname /NewFolder
Swat
This is a web-based tool for configuring the samba server.
# vi /etc/xinetd.d/swat
disable = no
only_from = 192.168.100.0/24
Quota
To set quota on a share folder follow the following steps.
1. Edit the /etc/fstab file (entry in fstab):
/dev/sdb1 /Ddrive ext3 defaults,usrquota,grpquota 0 0
2. Now create 2 files in /Ddrive. These are the quota database files, never delete them.
#touch /Ddrive/aquota.user
#touch /Ddrive/aquota.group
3. Now check quota on the disk:
#quotacheck -vgum /Ddrive
4. Now turn quota on:
#quotaon /Ddrive
5. To set quota on a folder/group:
# setquota -g grpname 1000 2000 0 0 /dev/sdc1 (filesystem)
Note: 1000 is the soft limit of file size.
2000 is the hard limit of file size.
0 0 is the number-of-files limit (0 refers to unlimited, meaning the user can create unlimited
files in the folder).
6. To check quota:
# repquota -avg
Sgid:
To set sgid on a folder:
#chmod -R 2777 /<path of share folder>
Note: In every share folder we have to set sgid to maintain quota.
Rsync
This script is used for taking backups.
# vi /etc/xinetd.d/rsync
disable = no
Note:
In the rsync script for backup, when you take a backup of a whole folder then you have to
exclude lost+found (not necessary).
Whenever we change anything in the /etc/xinetd.d directory we have to restart the xinetd service.
Fdisk
Using fdisk:
#fdisk /dev/hdc
p - print
n - new
Asked for extended - e
primary - p
Select e or p.
Then give the partition number.
First cylinder: press enter.
Last cylinder: +150000 (150 gb)
Type w to write to disk.
Now format the partition:
#mkfs -t ext3 /dev/hda1
If it is not formatting, fire this command and then fire the above command again:
#partprobe
NIS Configuration
If we want Linux desktop users to log in on the server we have to configure an NIS server. In
our scenario we do not use an NIS server because there are lots of problems on the client side,
like desktop hangs and PCs working slowly.
For the server side
Rpms required for NIS:
yp-tools
ypbind
ypserv
# domainname
Give the NIS domain entry:
# vi /etc/sysconfig/network
NISDOMAIN=XYZ.com
# echo XYZ.com > /var/yp/ypdomain
Note: ypdomain does not exist; we have to create this file using the above command.
# domainname
Start the services ypserv, yppasswdd, ypxfrd:
# service ypserv start, then yppasswdd, ypxfrd
To move the /etc/passwd file data into the NIS maps type this command (or to update the NIS password file):
# /usr/lib/yp/ypinit -m
next host to add - xyz.com
Ctrl + D
# rpm -qa | grep nfs-utils
# vi /etc/exports (to export any share of the server using NFS)
/home *(rw,sync)
:wq
Start the NFS service:
#service nfs start/status
To check remote services:
# rpcinfo -p localhost
To check which folders we export:
#exportfs
NFS on the client side
To mount the home folder of the server, edit the /etc/fstab file:
# vi /etc/fstab
192.168.100.10:/home /home nfs defaults,soft 0 0
Start the ypbind service:
# service ypbind start
# authconfig (then follow the instructions)
Syslog
To view the system log this service must be started.
# vi /etc/syslog.conf
*.debug /var/log/messages
Add the above line to check the system log in depth.
Cron tab
# vi /var/spool/cron/root
MAILTO=<mail id>
Note: To forward mail of logs to a specific email id go to usermin and do mail
forwarding.
You can forward mails coming to root to any other user by creating a file in root's home directory:
vi .forward and write the mail address, e.g. Manishc@mail.hitech.com
This will work only for sendmail and not for qmail or others.
For Qmail you will have to create the file as under (if it does not exist):
#vi /var/qmail/alias/.qmail-root
or #echo emailid > /var/qmail/alias/.qmail-root
SSH Server
To log in from one server to another server without a password we have to configure this. We
are using this for taking backups of data through rsync.
Login from the BDC to the PDC server.
On the PDC server:
# ssh-keygen -t dsa
Now on the BDC server:
# ssh-keygen -t dsa
# scp -p /root/.ssh/id_dsa.pub 192.168.100.2:/root/.ssh/authorized_keys (192.168.100.2 is the IP of the PDC server)
If you don't want the existing keys to get overwritten then:
#scp -p id_dsa.pub <IP of PC>:/root
Go to the PC with the above-given IP and:
#cat id_dsa.pub >> .ssh/authorized_keys
Usermin
Password change procedure: with the help of usermin we can change the samba and system
passwords and send mail.
Install webmin.
Select the usermin option.
Now click on the install tab.
After installation of the usermin rpm select module restriction.
Then add user restriction.
Then select all users.
Click on the change password tab.
Apache
# vi /etc/httpd/conf/httpd.conf
Uncomment this line:
NameVirtualHost <server ip>
Copy the 7 virtual host lines.
Uncomment all lines.
<VirtualHost 192.168.100.4>
ServerAdmin .........................................
DocumentRoot /var/www/webs (set the path of index.html)
ServerName hitech.com
.............................................
.................................
Note: If we create an index.html file and put it in /var/www/webs/, then we have to:
#chown -R apache:apache /var/www/webs/
Whenever we change the httpd.conf file we have to restart the httpd service.
#service httpd restart
Grub
File: /etc/grub.conf
How to generate a boot loader password after installation:
# grub-md5-crypt
Then copy the md5 password into grub.conf under the splashimage line:
password --md5 <paste the md5-formatted password>
Contents of grub.conf (with password):
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You do not have a /boot partition. This means that
# all kernel and initrd paths are relative to /, eg.
# root (hd0,0)
# kernel /boot/vmlinuz-version ro root=/dev/hdc1
# initrd /boot/initrd-version.img
#boot=/dev/hdc
default=0
timeout=10
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
password --md5 $1$wKPul0$7bMy79pnEE6UoEZYuS4dl0
title Red Hat Linux (2.4.20-8)
root (hd0,0)
kernel /boot/vmlinuz-2.4.20-8 ro root=LABEL=/
initrd /boot/initrd-2.4.20-8.img
After changes in grub.conf we must fire the following command to implement the changes.
# grub-install /dev/hdc
Lilo
#cp /etc/lilo.conf.anaconda /etc/lilo.conf (if not configured)
# vi /etc/lilo.conf
Content of lilo.conf:
prompt
timeout=50
default=Jay
boot=/dev/hdc
map=/boot/map
install=/boot/boot.b
restricted
password=redhat4299
message=/boot/message
linear
image=/boot/vmlinuz-2.4.20-8
label=Jay
initrd=/boot/initrd-2.4.20-8.img
read-only
append="root=LABEL=/"
Note: if we change the label then we must change default as well. Both label and default must be the same.
Send Mail
Rpms required for sendmail:
sendmail-8.12.8-4
sendmail-cf-8.12.8-4
We can't change the sendmail.cf file directly, so change the sendmail macro file, which is
sendmail.mc.
# vi /etc/mail/sendmail.mc (lines which are edited)
define(`SMART_HOST',`mail.reliadat.com')
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
Note: Addr=0.0.0.0 - for external mail (listen on all interfaces).
FEATURE(`accept_unresolvable_domains')dnl (if this feature is enabled we can send &
receive mail from any network)
LOCAL_DOMAIN(`mail.reliadat.com')dnl
Now open the access file.
We cannot change access.db directly, so open:
# vi /etc/mail/access
192.168.100.0/24 RELAY (in place of RELAY it can be REJECT or DROP)
Comment all lines and add: 127.0.0.1 RELAY
To build access.db from the changes in access:
# makemap hash /etc/mail/access.db < /etc/mail/access
2. To build sendmail.cf from the changes in sendmail.mc:
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
3. Add the host entry:
# vi /etc/hosts
127.0.0.1 servername mail.reliadat.com localhost
4. # service sendmail restart
5. To check sendmail:
# ps aux | grep sendmail
Now edit the ipop3 file.
#vi /etc/xinetd.d/ipop3 - change to
"disable = no"
#service xinetd restart
Note: IPTables should be off in all run-levels.
qmail service stop:
#qmailctl stop
qmail has its own ipop3, and sendmail has its own ipop3. So if you remove qmail then its
ipop3 is also removed, so if you install sendmail after removing qmail then you have to
install imap, which installs ipop3.
GNFC 3rd:
PDC = mail.reliadat.com (qmail configured)
BDC = mail.bdc.com
Squirrelmail
To check the rpm for squirrelmail:
# rpm -qa | grep squirrel
# cd /usr/share/squirrelmail/config/
#./conf.pl : change options as required
# vi /etc/httpd/conf/httpd.conf
Note: give the path of the Squirrelmail index.php (/usr/share/squirrelmail/index.php)
Content of httpd.conf:
<VirtualHost 192.168.100.10>
ServerAdmin jayc@reliadat.com
DocumentRoot /usr/share/squirrelmail/
ServerName reliadat.com
ErrorLog /var/log/mail.reliadat.com
# CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
Note: You have to change to "disable = no" in /etc/xinetd.d/imap & /etc/xinetd.d/imaps &
restart the xinetd service.
The IPTables service should be off in all runlevels.
Squid
Introduction: Two important goals are:
• Reduce Internet bandwidth charges.
• Limit access to the Web to only authorized users.
The Squid web caching proxy server can achieve both these goals easily.
Users configure their web browsers to use the Squid proxy server instead of going to the
web directly. The Squid server then checks its web cache for the web information requested
by the user. It will return any matching information that it finds in its cache, and if not, it
will go to the web to find it on behalf of the user. Once it finds the information, it will populate
its cache with it and also forward it to the user's web browser.
This reduces the amount of data accessed from the web. Another advantage is that you can
configure your firewall to only accept HTTP web traffic from the Squid server and no one
else. Squid can then be configured to request usernames and passwords for each user that
uses its services. This provides simple access control to the Internet.
Advantages of Squid are caching images and files on a server shared by all, so Internet bandwidth
charges can be reduced.
Squid's password authentication feature is well liked because it allows only authorized
users to access the Internet.
It increases HTTP security. And we can block a particular website using only a keyword,
not the URL.
Configuration:
To check the squid rpm:
# rpm -qa | grep squid
Note: Get a printout of squid.conf from the proxy server.
Squid users and passwords on the terminal:
#htpasswd -c /etc/squid/squid_passwd username
"-c" is used if the password file does not exist. Else you can omit "-c".
If we edit squid.conf we must restart the squid service.
#service squid restart
If ncsa is not found:
# locate ncsa_auth
Cache rebuild:
#/usr/sbin/squid -f /etc/squid/squid.conf -z
#service squid restart
IP Forwarding
#vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
#sysctl -p (to enable IP forwarding)
Note:
#chmod 744 /etc/squid/squid_passwd
#chmod 744 /etc/squid/squid.conf
#chown squid /etc/squid/squid_passwd
#chown squid /etc/squid/squid.conf
To create the cache log:
#touch /var/log/squid/cache.log
Squid guard tool
Introduction: This tool is used for blocking websites by URL and blocking websites user-wise.
Ex. If we want only directors and PMs to be able to surf gmail.com and others are not allowed to
surf gmail.com.
How do squid, squidguard and the Blacklist work?
A user types www.google.com in the browser; first the browser asks for proxy authentication. If the user
is authorized then he can go ahead, otherwise the user is not able to access any site. If any
regex is found in the URL then squid also blocks the request. If not, squid redirects the
request to squidguard (squidguard.conf).
In squidguard.conf we define ACLs, i.e. rules for who is allowed or disallowed to reach such a
website. The database of blacklist (blocked website) files is also defined here. When a request comes
to squidguard, it checks the database of blacklist files; if the URL is found in a blacklist
file then squidguard redirects to the particular website which we define in squidguard.conf. If the URL is
not found in the blacklist, squid will go to the web to find it on behalf of the user. Once it finds the
information, it will populate its cache with it and also forward it to the user's web browser.
#vi /etc/squid/squidguard.conf
Note: Get a printout of squidguard.conf from the proxy server.
Download SquidGuard and the Blacklist:
Install the above packages.
Copy the porn folder from /Blacklist to the squidguard directory:
#cd /blacklist
# cp -r porn/ /var/lib/squidguard/
# cp -r ads/ /var/lib/squidguard/
# cp -r aggressive /var/lib/squidguard/
# cp -r audio-video /var/lib/squidguard/
# cp -r drugs /var/lib/squidguard/
# cp -r gambling /var/lib/squidguard/
# cp -r hacking /var/lib/squidguard/
# cp -r proxy /var/lib/squidguard/
# cp -r violence /var/lib/squidguard/
# cp -r warez /var/lib/squidguard/
You can add your list of websites to /var/lib/squidguard/porn/domains OR
/var/lib/squidguard/porn/urls
We have blocked the following domains/websites:
desibaba.com
espnstar.com
porngirl.com
pkronline.com
sexworld.com
musicindia.com
raaga.com
mail.com
onlinemusic.com
onlinevideo.com
videoonline.com
indiafm.com
musiconline.com
onlinemovie.com
movieonline.com
adult.com
games.com
gmail.com
yahoo.com
hotmail.com
sify.com
indiatimes.com
rediff.com
rediffmail.com
azesearch.com
Note: We removed keywords like sex and Music from the Gnfc6th proxy
server (squid.conf) at the request of Anilthoria and vijaybhai.
Removed the below sites from squidguard at the request of Hitesh Patel.
www.altavista.com
www.metacrawler.com
www.excite.com
Removed the below site from squidguard at the request of Binoj.
www.hollywood.com
• To access a website user-wise:
Create a file called legal in /var/lib/squidguard/porn/
Add the website names which we don't want to block to this file.
Now create another file called users in /var/lib/squidguard/porn/
Add the users which we want to be able to access the above websites.
The following websites are allowed for the Directors, PM and Technical group:
Hotmail.com
Yahoo.com
Gmail.com
Rediff.com
Rediffmail.com
Indiatimes.com
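The decision path described above (squid keyword check, then the squidguard domains/urls lists, then the legal and users exception files), as an added example that is not part of these notes or of squidguard itself. The list contents are constructed subsets of the real files; the redirect target is the Apache "Access Denied" page from the notes, assumed to live on the proxy at 192.168.100.7.

```python
"""Model of the squid keyword block plus squidGuard domain/url lists with the
'legal' and 'users' exception files (added example, not the notes' own tooling).
All list contents below are constructed subsets of the real files."""
from urllib.parse import urlsplit

DOMAINS_FILE = """\
# /var/lib/squidguard/porn/domains (constructed subset)
gmail.com
yahoo.com
games.com
adult.com
"""
URLS_FILE = """\
# /var/lib/squidguard/porn/urls (constructed): host/path prefix entries
example.com/webmail
"""
LEGAL_FILE = """\
# /var/lib/squidguard/porn/legal: domains opened for the users listed below
gmail.com
yahoo.com
"""
USERS_FILE = """\
# /var/lib/squidguard/porn/users (constructed names)
director1
pm1
"""
KEYWORDS = ["adult"]  # squid url_regex keywords (constructed)
DENIED_PAGE = "http://192.168.100.7/index.html"  # the Apache "Access Denied" page


def load_list(text):
    """One entry per line; '#' comments and blank lines are ignored."""
    entries = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()
        if entry:
            entries.add(entry)
    return entries


BLOCKED_DOMAINS, BLOCKED_URLS = load_list(DOMAINS_FILE), load_list(URLS_FILE)
LEGAL_DOMAINS, PRIVILEGED_USERS = load_list(LEGAL_FILE), load_list(USERS_FILE)


def in_domain_list(host, domains):
    """A domains entry matches the host itself and every subdomain of it."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def in_url_list(host, path, urls):
    """A urls entry 'host/prefix' matches that path and anything below it."""
    full = host + path
    return any(full == u or full.startswith(u.rstrip("/") + "/") for u in urls)


def decide(user, url):
    """Return (verdict, detail): ALLOW, DENY (squid keyword) or REDIRECT (squidguard)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    # 1. squid's own url_regex keyword block runs before squidguard sees the request
    if any(k in url.lower() for k in KEYWORDS):
        return "DENY", "squid url_regex keyword"
    # 2. squidguard blacklist lookup (domains, then urls)
    listed = in_domain_list(host, BLOCKED_DOMAINS) or in_url_list(host, path, BLOCKED_URLS)
    if not listed:
        return "ALLOW", "not in blacklist"
    # 3. legal + users exception: privileged users may reach the 'legal' domains
    if user.lower() in PRIVILEGED_USERS and in_domain_list(host, LEGAL_DOMAINS):
        return "ALLOW", "legal domain for privileged user"
    return "REDIRECT", DENIED_PAGE


if __name__ == "__main__":
    for user, url in [("staff1", "http://mail.gmail.com/inbox"),
                      ("director1", "http://gmail.com/"),
                      ("director1", "http://games.com/"),
                      ("staff1", "http://www.google.com/")]:
        print(f"{user:10} {url:32} -> {decide(user, url)}")
```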
The below modules are configured the same in the Proxy and BDC Server.
1. Squid
2. Squidguard
3. Iptables rules and tcp wrappers
4. Squid report.
In Apache create a Virtual Host: /var/www/html/
Create a file index.html for "Access Denied" and paste it in /var/www/html/
#chown apache /var/www/html/index.html
Start the httpd service:
#service httpd start
Samba, Dns and ip details of all branches.
Gnfc 6
PDC = 192.168.100.2 - eth0
BDC = 192.168.100.3 - eth0
SMB WGRP = Hitechexport
DNS = hitech.com
Proxy = Icenet - 203.88.147.195 - eth2
Gilp - 203.77.194.67 – eth1
Local – 192.168.100.7 - eth0
Reliadat
PDC = 192.168.2.3 - eth0
BDC = 192.168.2.2 - eth0
SMB WGRP = Reliadat
DNS = reliadat.com
1. Server Configuration
Gnfc6 Server Configuration:
             PDC                          BDC                Proxy
Motherboard  Intel                        Asus p4800delux    Asus p4800delux
CPU          Xeon dual processor 3.0Ghz   P4-2.8Ghz          P4-2.8Ghz
Ram          2 Gb                         1 Gb               1 Gb
HDD          1. SCSI 76GB                 1. Seagate 40gb    1. Seagate 40gb
             2. SCSI 146GB                2. Seagate 120gb
             2. SCSI 146GB                3. Seagate 120gb
             2. Wd 120GB Ide              4. Seagate 120gb
Reliadat Server Configuration:
             Pdc                Bdc
Motherboard  Intel865 gvsr      Intel845 gvsr
CPU          P4-3.0ghz          P4-2.6ghz
Ram          1 Gb               1 Gb
HDD          1. Seagate 120gb   1. Seagate 120gb
             2. Seagate 120gb   2. Seagate 120gb
To install the LAN card of the ASUS motherboard we have to compile the kernel source code.
Installation Instructions for the sk98lin Driver.
Unpack the driver installation package using the command:
# tar xfvj install-???.tar.bz2
After the driver installation package is unpacked, type the following
commands to start the sk98lin driver build process:
#cd DriverInstall
#./install.sh
Select the driver installation mode (User).
To compile the Linux kernel, proceed as follows:
Go to the directory /usr/src, remove all symbolic links to old
Linux sources, and use the commands:
# cd /usr/src
# make xconfig
Select the options you want to compile into the new kernel.
- For the kernel 2.4.x family:
a. Select the menu "Network Device Support".
b. Select "Ethernet (1000 Mbit)".
To integrate the driver permanently into the kernel, mark
"Marvell Yukon Chipset/SysKonnect SK-98xx Support" with (*).
Select "Exit".
After booting the Linux kernel and compiling the driver as a loadable
kernel module (LKM), the driver needs to be loaded.
Enter "modprobe sk98lin".
NOTE: For further information (e.g. the driver parameters) refer to
the sk98lin.txt file.
IPTables
Introduction:
With the help of iptables we can block ports and anonymous requests, and do port
forwarding, routing and filtering.
In our scenario we use iptables for NAT and virus-port blocking.
Configuration:
There is a file /etc/rc.d/rc.local; when the system starts, the line added in
/etc/rc.d/rc.local will get executed. The line is: /root/icenet.sh
There are 2 files in /root:
gipl.sh:
ifdown eth0
ifdown eth1
ifdown eth2
ifup eth1
ifup eth0
/etc/rc.d/rc.gipl
icenet.sh:
ifdown eth0
ifdown eth1
ifdown eth2
ifup eth1
ifup eth2
/etc/rc.d/rc.icenet
Now the file /etc/rc.d/rc.gipl:
#!/bin/sh
#IPTABLES=/sbin/iptables
iptables -F -t nat
#####DMZ#############
#####Addison Pc######
iptables -I PREROUTING -t nat -d 203.77.194.104 -j DNAT --to-destination 192.168.100.41
iptables -I POSTROUTING -t nat -s 192.168.100.41 -j SNAT --to-source 203.77.194.104
###Comp 5############
iptables -I PREROUTING -t nat -d 203.77.194.101 -j DNAT --to-destination 192.168.100.35
iptables -I POSTROUTING -t nat -s 192.168.100.35 -j SNAT --to-source 203.77.194.101
###Comp 7############
iptables -I PREROUTING -t nat -d 203.77.194.102 -j DNAT --to-destination 192.168.100.37
iptables -I POSTROUTING -t nat -s 192.168.100.37 -j SNAT --to-source 203.77.194.102
###Comp 8############
iptables -I PREROUTING -t nat -d 203.77.194.103 -j DNAT --to-destination 192.168.100.38
iptables -I POSTROUTING -t nat -s 192.168.100.38 -j SNAT --to-source 203.77.194.103
iptables -I PREROUTING -t nat -s 192.168.100.0/24 -j ACCEPT
###################################
iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#########Port Forwading For VNC Connection
#############################################
iptables -t nat -A PREROUTING -p tcp -d 203.77.194.67 -j DNAT --to 192.168.100.14:5900
iptables -t nat -A PREROUTING -p tcp -d 203.77.194.67 --dport 80 -j DNAT --to 192.168.100.14:5900
iptables -t nat -A PREROUTING -p tcp -d 203.77.194.69 -j DNAT --to 192.168.100.191:5900
iptables -t nat -A PREROUTING -p tcp -d 203.77.194.69 --dport 80 -j DNAT --to 192.168.100.191:5900
#########Ip Routing#########################
route add -net 192.168.0.0 netmask 255.255.255.0 dev eth0 gw 192.168.100.1
############################################
iptables -F -t filter
#port 135 DCE Endpoint Resolution
iptables -I INPUT -p tcp --sport 135 -j DROP
iptables -I INPUT -p udp --sport 135 -j DROP
iptables -I INPUT -p tcp --dport 135 -j DROP
iptables -I INPUT -p udp --dport 135 -j DROP
iptables -I FORWARD -p tcp --sport 135 -j DROP
iptables -I FORWARD -p udp --sport 135 -j DROP
iptables -I FORWARD -p tcp --dport 135 -j DROP
iptables -I FORWARD -p udp --dport 135 -j DROP
#port 445 Microsoft-DS
iptables -I INPUT -p tcp --sport 445 -j DROP
iptables -I FORWARD -p tcp --sport 445 -j DROP
iptables -I INPUT -p tcp --dport 445 -j DROP
iptables -I FORWARD -p tcp --dport 445 -j DROP
#port 4444 krb524
iptables -I INPUT -p tcp --sport 4444 -j DROP
iptables -I FORWARD -p tcp --sport 4444 -j DROP
iptables -I INPUT -p tcp --dport 4444 -j DROP
iptables -I FORWARD -p tcp --dport 4444 -j DROP
iptables -F -t mangle
iptables -t mangle -I PREROUTING -p tcp ! --syn -m state --state NEW -j DROP
iptables -t mangle -I PREROUTING -m state --state INVALID -j DROP
iptables -t mangle -I PREROUTING -m unclean -j DROP
#iptables -I INPUT -p tcp -s 203.77.194.66 -j ACCEPT
#iptables -I INPUT -p tcp -s 203.77.194.94 -j ACCEPT
#iptables -I INPUT -p tcp -s 203.88.141.34 -j ACCEPT
#iptables -I INPUT -p tcp -s 203.88.141.62 -j ACCEPT
#iptables -I INPUT -p tcp -s 203.88.141.27 -j ACCEPT
#iptables -I INPUT -p tcp -s 192.168.100.0/24 -j ACCEPT
#iptables -A INPUT -p tcp -j REJECT
echo 1 > /proc/sys/net/ipv4/ip_forward
echo nameserver 203.77.198.101 > /etc/resolv.conf
echo nameserver 203.77.200.20 >> /etc/resolv.conf
Note: Because of the last two lines of the above file we don't need to change the DNS in resolv.conf
manually. It will set the DNS automatically when this script is run.
The IP routing line is used to define a static route on eth0.
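An audit helper for the rc.gipl script above, as an added example that is not part of these notes: it parses the iptables lines into rules and reports the 1:1 DNAT/SNAT pairs, any DNAT whose private address has no matching SNAT back out, the VNC-style port forwards, the transparent-proxy redirect and which ports are dropped in which chains. SCRIPT is a subset of the script's own lines; the helper would be run on the full file.

```python
"""Audit of an iptables NAT/filter script (added example, not part of the notes).
SCRIPT is a subset of the rc.gipl lines shown in the notes."""
import shlex

SCRIPT = """\
iptables -F -t nat
iptables -I PREROUTING -t nat -d 203.77.194.104 -j DNAT --to-destination 192.168.100.41
iptables -I POSTROUTING -t nat -s 192.168.100.41 -j SNAT --to-source 203.77.194.104
iptables -I PREROUTING -t nat -d 203.77.194.101 -j DNAT --to-destination 192.168.100.35
iptables -I PREROUTING -t nat -s 192.168.100.0/24 -j ACCEPT
iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p tcp -d 203.77.194.67 -j DNAT --to 192.168.100.14:5900
iptables -F -t filter
iptables -I INPUT -p tcp --dport 135 -j DROP
iptables -I FORWARD -p udp --dport 135 -j DROP
iptables -I INPUT -p tcp --sport 445 -j DROP
iptables -I FORWARD -p tcp --dport 4444 -j DROP
iptables -t mangle -I PREROUTING -p tcp ! --syn -m state --state NEW -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
"""

# iptables options that take a value, mapped to the key used in the parsed rule
VALUE_FLAGS = {"-t": "table", "-p": "proto", "-s": "src", "-d": "dst", "-i": "in",
               "-o": "out", "-j": "target", "--dport": "dport", "--sport": "sport",
               "--to-destination": "to", "--to-source": "to", "--to": "to",
               "--to-port": "to"}


def parse_rule(line):
    """Return a dict for one 'iptables -A/-I ...' line, or None for anything else."""
    argv = shlex.split(line)
    if len(argv) < 2 or argv[0] != "iptables":
        return None
    rule = {"table": "filter", "negated": set()}
    i, negate = 1, False
    while i < len(argv):
        tok = argv[i]
        if tok == "!":
            negate, i = True, i + 1
        elif tok in ("-A", "-I"):
            rule["chain"], i = argv[i + 1], i + 2
        elif tok in VALUE_FLAGS:
            key = VALUE_FLAGS[tok]
            rule[key], i = argv[i + 1], i + 2
            if negate:
                rule["negated"].add(key)
                negate = False
        else:
            i += 1  # -F, -m state, --syn, --state ... are not needed for this audit
    return rule if "chain" in rule else None


def audit(script):
    """Summarise NAT mappings and dropped ports; see the keys of the returned dict."""
    rules = [r for r in map(parse_rule, script.splitlines()) if r]
    dnat = {r["dst"]: r["to"] for r in rules if r.get("target") == "DNAT" and "dst" in r}
    snat = {r["src"]: r["to"] for r in rules if r.get("target") == "SNAT" and "src" in r}
    one_to_one = {pub: priv for pub, priv in dnat.items() if ":" not in priv}
    port_forwards = {pub: priv for pub, priv in dnat.items() if ":" in priv}
    # a whole-host DNAT without the matching SNAT means replies leave with the wrong source
    unpaired = sorted(pub for pub, priv in one_to_one.items() if snat.get(priv) != pub)
    dropped = {}
    for r in rules:
        port = r.get("dport") or r.get("sport")
        if r.get("target") == "DROP" and port:
            dropped.setdefault(port, set()).add(f"{r['chain']}/{r.get('proto', 'all')}")
    redirects = [(r.get("dport"), r["to"]) for r in rules if r.get("target") == "REDIRECT"]
    return {"one_to_one": one_to_one, "unpaired_dnat": unpaired,
            "port_forwards": port_forwards, "dropped_ports": dropped, "redirects": redirects}


if __name__ == "__main__":
    for key, value in audit(SCRIPT).items():
        print(f"{key}: {value}")
```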
FIREWALL
Rules to block/accept IPs on a particular Ethernet card:
iptables -I INPUT -p tcp -s <IP of the machine which wants to access our machine> -i <Ethernet interface of our machine> -j ACCEPT
For e.g.
#iptables -I INPUT -p tcp -s 203.77.194.67 -i eth0 -j ACCEPT
Rules to block/accept an IP without specifying the Ethernet card:
#iptables -I INPUT -p tcp -s <ipaddr> -j ACCEPT
To reject all IPs:
#iptables -A INPUT -p tcp -j REJECT
To flush rules:
#iptables -F -t filter
#iptables -F -t nat
#iptables -F -t mangle
To list rules:
#iptables -L -t nat
#iptables -L -t filter
#iptables -L -t mangle
To block ports:
#iptables -t mangle -I PREROUTING -p tcp --dport 136 -j DROP
The above can be repeated for other ports also.
In Reliadat: PDC / BDC both have IPTABLES FILTER RULES ON.
To allot real IPs to a local machine from the Linux router:
Source NAT:
#iptables -I PREROUTING -t nat -d 203.77.194.66 -j DNAT --to-destination 192.168.100.10
#iptables -I POSTROUTING -t nat -s 192.168.100.10 -j SNAT --to-source 203.77.194.66
#iptables -I PREROUTING -t nat -s 192.168.100.0/24 -j ACCEPT
Note: The above rules should be applied before our NAT / squid / port
filtering rules.
We have to create an alias of the real-IP card when allotting a new real IP.
(i.e. eth0 - Icenet IP, then eth0:1 - new Icenet IP)
To access our local PC from an outside network with VNC viewer:
Add the following rules after our NAT rules.
# iptables -t nat -A PREROUTING -p tcp -d <Real IP> -j DNAT --to <local IP>:5900
# iptables -t nat -A PREROUTING -p tcp -d <Real IP> --dport 80 -j DNAT --to <local IP>:5800
To define an IP route:
#route add -net 192.168.0.0 netmask 255.255.255.0 dev eth0 gw 192.168.100.1
Note:
This is only for the Cisco 1751. If any request comes from the 192.168.0.0 network then
the proxy uses the 192.168.100.1 gateway, not xincom. This is special for the NLDC line.
New Firewall
TCPWrapper:
This is another tool for increasing security, but it is not more powerful than
iptables. TCP wrappers are used to block a particular daemon/port/service.
In our scenario we restrict the ssh service through TCP wrappers. Only selected IPs are allowed to
connect to our server using the ssh service.
All this security, like TCP wrappers and iptables, is set on the proxy server.
For Vastrapur
#vi /etc/hosts.allow :
sshd : 192.168.100.
sshd : 203.77.194.67
sshd : 203.77.194.93
sshd : 203.88.141.19
sshd : 203.88.141.18
#vi /etc/hosts.deny :
ALL:ALL EXCEPT 127.0.0.1 192.168.100.
Add GIPL given blocking list to /etc/rc.d/rc.icenet and /etc/rc.d/rc.gipl
TCPWrapper : For GNFC 6th
#vi /etc/hosts.allow :
sshd: 192.168.100. 203.77.194.21 203.88.147.194
#vi /etc/hosts.deny :
ALL:ALL EXCEPT 127.0.0.1 192.168.100.
Add GIPL given blocking list to /etc/rc.d/rc.icenet and /etc/rc.d/rc.gipl
TCPWrapper : For GNFC 3rd
#vi /etc/hosts.allow :
sshd : 192.168.2.
sshd : 203.77.194.67
sshd : 203.77.194.93
sshd : 203.77.194.66
sshd : 203.77.194.94
sshd : 203.88.140.234
#vi /etc/hosts.deny :
ALL:ALL EXCEPT 127.0.0.1 192.168.100.
Add GIPL given blocking list to /etc/rc.d/rc.gnfc in PDC / BDC
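An evaluator for the hosts.allow / hosts.deny rules above, as an added example that is not part of these notes: it reproduces the hosts_access(5) decision order (a hosts.allow match grants, otherwise a hosts.deny match denies, otherwise access is granted), including the EXCEPT operator and the trailing-dot network prefix form, so a rule set can be checked for a given daemon and client address before it is rolled out. HOSTS_ALLOW and HOSTS_DENY are the GNFC 6th entries from the notes; the client addresses tried in the test are constructed.

```python
"""hosts_access(5) evaluator (added example, not part of the notes).
Supports: ALL, exact IP, 'n.n.n.' prefix, net/mask, comma or blank separated
lists, and 'list_1 EXCEPT list_2' in both the daemon and the client list."""
import ipaddress

HOSTS_ALLOW = """\
sshd: 192.168.100. 203.77.194.21 203.88.147.194
"""
HOSTS_DENY = """\
ALL: ALL EXCEPT 127.0.0.1 192.168.100.
"""


def parse_rules(text):
    """Each rule is 'daemon_list : client_list [: options]'; options are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            rules.append((fields[0], fields[1]))
    return rules


def match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def match_client(pattern, ip):
    """Client patterns: ALL, 'n.n.n.' prefix, net/mask (CIDR or dotted), exact IP."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern == ip


def match_list(pattern_list, value, matcher):
    """'list_1 EXCEPT list_2' matches list_1 but not list_2; EXCEPT nests to the right."""
    toks = pattern_list.replace(",", " ").split()
    if "EXCEPT" in toks:
        k = toks.index("EXCEPT")
        return (match_list(" ".join(toks[:k]), value, matcher)
                and not match_list(" ".join(toks[k + 1:]), value, matcher))
    return any(matcher(p, value) for p in toks)


def hosts_access(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow match -> 'allow'; else hosts.deny match -> 'deny'; else 'allow'."""
    for daemons, clients in parse_rules(allow_text):
        if match_list(daemons, daemon, match_daemon) and match_list(clients, ip, match_client):
            return "allow"
    for daemons, clients in parse_rules(deny_text):
        if match_list(daemons, daemon, match_daemon) and match_list(clients, ip, match_client):
            return "deny"
    return "allow"


if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.100.5"), ("sshd", "203.77.194.21"),
                       ("sshd", "203.77.194.99"), ("smbd", "203.77.194.21")]:
        print(f"{daemon:5} from {ip:15} -> {hosts_access(daemon, ip)}")
```

tcpdmatch(8) from the tcp_wrappers package gives the authoritative answer against the live files on the server.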
Services List of all Locations:
#chkconfig --list servicename
#chkconfig --level 35 servicename on/off
#service servicename status
GNFC6:
PDC = ON(35) – named
ON(35) – crond
OFF(35) – squid
OFF(35) – iptables
ON(35) – smb
ON(35) – sendmail
OFF(35) – dhcp
BDC = ON(35) – named
ON(35) – crond
OFF(35) – squid
OFF(35) – iptables
OFF(35) – smb
ON(35) – sendmail
OFF(35) – dhcp
Proxy server = ON(35) – named
OFF(35) – crond
ON(35) – squid
ON(35) – iptables
OFF(35) – smb
ON(35) – sendmail
ON(35) – dhcp
GNFC 3rd
PDC = ON(35) – named
ON(35) – crond
OFF(35) – squid
ON(35) – iptables
ON(35) – smb
OFF(35) – dhcp
QMAIL - ON
BDC = ON(35) – named
OFF(35) – crond
OFF(35) – squid
ON(35) – iptables
OFF(35) – smb
ON(35) – sendmail
OFF(35) – dhcp
Note:
Fstab File:
In /etc/fstab the last column should be 0 0 and not 1 2.
Tmpwatch:
Tmpwatch checks the access time of files and removes the files as per the parameters.
For e.g.:
#/usr/sbin/tmpwatch --atime -v 48 /NewEDrive/Anil/.recycle
And make an entry for the same in the crontab file as well by creating a shell script for the
above. Give chmod 777 recycle.sh.
Log rotate
#vi /etc/logrotate.conf (configuration file)
For this to work, the syslog service should be ON.
daily
weekly
monthly
yearly
Note:
In our case logs rotate = weekly.
To check the logs: /var/log/secure
USB Device
For the first time when connecting a USB device you have to do:
#fdisk /dev/sda AND fdisk -l
#vi /etc/modules.conf - there should be 1 line added if not present:
alias usb-controller1 usb-uhci
You have to format the USB device etc. the same as IDE.
#vi /etc/fstab - do not write in /etc/fstab but manually mount it as:
#mount /dev/sda1 /usb/NewEDrive
Entry in the fstab file:
/dev/sda1 /usb/NewE_FDrive ext3 suid,rw 0 0
Change Password Tool
This is a third-party package built from source; download the tarball and install it with:
#tar -zxvf changepassword*.tar.gz
#cd changepassword*
#./configure --enable-cgidir=/var/www/cgi-bin --enable-language=Portuguese \
--enable-smbpasswd=/usr/local/samba/private/smbpasswd \
--enable-squidpasswd=/etc/squid/passwd --enable-logo=opentech.jpg
#make
#make install
The configure options above are taken from the README in /root/changepassword/.
Entry in httpd.conf:
<VirtualHost 192.168.100.2>
ServerAdmin jayc@reliadat.com
DocumentRoot /var/www/webs/
ServerName reliadat.com
ErrorLog /var/log/mail.reliadat.com
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
Note:
DocumentRoot /var/www/webs/: this folder holds an index.html that links to the
Change Password CGI, i.e. /var/www/cgi-bin/changepassword.cgi. Because the form carries the user's new password, serve this virtual host over HTTPS (mod_ssl) rather than plain HTTP.
The tool changes a user's password in all of the following at one time, when the site runs:
Samba
System
Squid
Sendmail
Where Qmail is used instead of Sendmail, it changes all of the following except Qmail, whose password has to be changed separately:
Samba
System
Squid
Qmail
To see which users are hitting a given site in the Squid log, and which packets the firewall is dropping:
#tail -f /var/log/squid/access.log | grep yahoo.com
#iptables -L -t filter -nvx | grep DROP
BACKUP KERNEL
Copy the kernel-smp 2.4 RPM from Red Hat CD-1 to /root.
Install it with rpm -ivh (not -U, so the running kernel is kept as a fallback).
Check that /etc/grub.conf lists it as a secondary kernel entry.
IPTRAF:
Used for monitoring traffic by protocol / port.
Troubleshooting:
Nmap
Netstat
Tcpdump
Nessus
portsentry
rootkit
snort
whisker
nikto
Swatch
To view shares of all PC's in network:
#smbtree
Misc : TroubleShooting
Test the mail server by hand. The lines after telnet are typed to the SMTP server, not to the shell, and the addresses are placeholders:
#telnet hitechexport.com 25
EHLO localhost
MAIL FROM:<emailid>
RCPT TO:<emailid>
QUIT
A 250 reply to RCPT TO means the server accepts mail for that recipient; when the connection comes from outside and the recipient is in a domain this server does not host, the expected reply is a 5xx "relaying denied".
Kernel side:
#lsmod (loaded modules)
#dmesg (kernel ring buffer, e.g. disk or USB errors)
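A scripted form of this check, added here as an example and not part of the notes: smtp_reply handles the multi-line "250-" replies that EHLO returns, which a script that reads a single line gets wrong, and smtp_probe runs the EHLO / MAIL FROM / RCPT TO / QUIT exchange over bash's /dev/tcp. The host and addresses in the usage line are placeholders. Run from an outside address with a sender and recipient in domains the server does not host, a 250 to RCPT TO means the server relays for anyone.

```shell
#!/usr/bin/env bash
# Added example: scripted form of the manual "telnet host 25" check above.
# smtp_reply and smtp_step are plain sh; smtp_probe needs bash for /dev/tcp.
# Host, sender and recipient in the usage line are placeholders (assumptions).

# smtp_reply: read one complete SMTP reply from stdin (joining "250-..."
# continuation lines) and print its 3-digit code. Returns 1 if the input
# ends before a final "NNN " line, so a half-received reply is never
# mistaken for success.
smtp_reply() {
    local line
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case $line in
            [0-9][0-9][0-9]-*) continue ;;                      # more lines follow
            [0-9][0-9][0-9]|[0-9][0-9][0-9]" "*)                # final line
                printf '%s\n' "$line" | cut -c1-3; return 0 ;;
            *) return 1 ;;                                      # not an SMTP reply
        esac
    done
    return 1
}

# smtp_step FD COMMAND: send COMMAND (CRLF-terminated) on FD, print
# "COMMAND -> code", and succeed only for a 2xx/3xx reply.
smtp_step() {
    local fd=$1 cmd=$2 code
    printf '%s\r\n' "$cmd" >&$fd
    code=$(smtp_reply <&$fd) || return 1
    printf '%s -> %s\n' "$cmd" "$code"
    case $code in 2*|3*) return 0 ;; *) return 1 ;; esac
}

# smtp_probe HOST FROM TO: returns 0 if HOST accepts RCPT TO:<TO> for
# MAIL FROM:<FROM>. From an outside address, with FROM and TO in domains
# HOST does not serve, success here means the server is an open relay.
smtp_probe() {
    local host=$1 from=$2 to=$3 banner rc
    exec 3<>"/dev/tcp/$host/25" || return 1
    banner=$(smtp_reply <&3) && [ "$banner" = 220 ] || { exec 3>&-; return 1; }
    smtp_step 3 "EHLO $(hostname)" &&
    smtp_step 3 "MAIL FROM:<$from>" &&
    smtp_step 3 "RCPT TO:<$to>"
    rc=$?
    smtp_step 3 QUIT >/dev/null 2>&1
    exec 3>&-
    return $rc
}

# Usage (placeholder names):
#   smtp_probe mail.example.com tester@example.net someone@example.org && echo "accepted"
```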
Dhcp: To view the DHCP lease database (do not edit it; dhcpd writes to it)
#less /var/lib/dhcp/dhcpd.leases
Squid:
When pings get a reply but browsing does not work, check the default gateway in the routing table:
#netstat -rn
Add & remove Gateway:
#route add default gw 192.168.100.7
#route del default gw 192.168.100.7
To view the kernel route cache:
#route -C
To follow the Squid logs:
#tail -f /var/log/squid/cache.log
#tail -f /var/log/squid/access.log
Partition and Quota Details of PDC Server.
Squid Report Generator
SARG: Squid Analysis Report Generator is a tool that shows "where" your users
are going on the Internet.
Installation Notes:
Download the sarg-2.0.9.tar.gz source from http://sf.net.
Untar it:
#tar -zxvf sarg*.tar.gz
Go to the sarg-2.0.9 directory:
#cd sarg-2.0.9
Compile and install:
#./configure
#make
#make install
Now edit sarg.conf in /usr/local/sarg/ (take a printout of the working sarg.conf from the proxy server as reference).
To generate a report from the command line:
#sarg -l /var/log/squid/access.log
Add the entry in cron:
We generate the report every day at 12.10 am. The cron fields are minute then hour, so the entry is:
10 0 * * * /usr/local/bin/sarg -l /var/log/squid/access.log
(10 12 * * * would run it at 12:10 in the afternoon. Use the full path because cron's PATH is minimal; adjust it if sarg was installed elsewhere.)
Hard-Disk Details in HP Server.
1. 76GB SCSI (Quota not set on this Drive.)
Device = /dev/sda
/boot 100MB
/home 10GB
/var 10GB
/ 10GB
Swap 4GB
/Profiles 30GB
2. 146GB SCSI (Quota set on this Drive.)
Device = /dev/sdb
/DDrive 78GB
/EDrive 57GB
3. 146GB SCSI (Quota set on this Drive.)
Device = /dev/sdb
/FDrive 78GB
/Gdrive 57GB
4. 120GB Ide Drive. (Quota not set on this Drive.)
/Hdrive 52GB
Share Details of each Drive on PDC Server.
1. Ddrive
Addison
Champak
DTP
Heart
Sanjeev
2. EDrive
BhaskarHome
HMHome
KetanHome
NDHome
Vijay
BinojHome
HR
KPHome
PBHome
VijayHome
HeratHome
ItMatch
ManishHome
TapanHome
3. Fdrive
Auction
Eoffice
Finance
GAD
Shared
Software
Technical
4. Gdrive
Accounts
CAD
Marketing
5. HDrive
NewSource
Quota on above Folder
1. Ddrive
Addison 05GB
Champak 25GB
DTP 10GB
Heart 25GB
Sanjeev 10GB
2. EDrive
BhaskarHome 01GB
HMHome 02GB
KetanHome 01GB
NDHome 01GB
Vijay 25GB
BinojHome 01GB
HR 05GB
KPHome 01GB
PBHome 02GB
VijayHome 01GB
HeratHome 01GB
ItMatch 05GB
ManishHome 01GB
TapanHome 01GB
3. Fdrive
Auction 02GB
Eoffice 03GB
Finance 05GB
GAD 05GB
Shared 20GB
Software 10GB
Technical 10GB
4. Gdrive
Accounts 10GB
CAD 25GB
Marketing 10GB
5. HDrive
NewSource (-)
Partition Details of BDC Server:
Hard disks:
1. 40GB IDE
Device = /dev/hda
/boot = 100MB.
/ = 10GB.
/var = 05GB.
/home= 10GB.
Swap = 04GB
2. 120GB IDE
Device = /dev/hdb
/DDrive = 78GB
/Profiles = 30GB
3. 120GB IDE
Device = /dev/hdc
/EDrive = 60GB
/GDrive = 51GB
4. 120GB IDE
Device = /dev/hdd
/Fdrive = 78GB
/Hdrive = 33GB
Share Details of each Drive on BDC Server.
1. Ddrive
Addison
Champak
DTP
Heart
Sanjeev
2. EDrive
BhaskarHome
HMHome
KetanHome
NDHome
Vijay
BinojHome
HR
KPHome
PBHome
VijayHome
HeratHome
ItMatch
ManishHome
TapanHome
3. Fdrive
Auction
Eoffice
Finance
GAD
Shared
Software
Technical
4. Gdrive
Accounts
CAD
Marketing
5. HDrive
NewSource