Archive for Technical

Securing Linux Server – Data Security

Posted in Linux, Technical, linux security by admin on February 1st, 2008

Linux is known as one of the most secure and most popular operating systems, and it is very stable too. Data security on a Linux server is maintained by putting an effective data security strategy in place, and corporate data security is implemented by applying that strategy to the Linux server.

There are many Linux distributions; the most popular among them are Red Hat, Debian, Ubuntu and SuSE. This article covers the basics of security for Red Hat Linux 9.

We assume that you have installed Linux with X11 (the GUI for Red Hat). For the best level of security, the graphical user interface should not be enabled.
You can use the find / -name filename command to locate a file, and pico or vi to edit it.
Securing Your Linux Box:

First of all, you need to secure your Linux box by taking some steps to prevent access by unauthorized users. This is necessary because server monitoring can be viewed from the Linux box.
Change Root Password:
Changing the root password within 30 days is a good idea, and you should use the strongest possible password for root. To reset the root password, use the passwd command while logged in as root.

One thing is very dangerous from a security point of view: the ability to run an application as a different user. With suid (set user ID), an unauthorized user can run an application with the same rights as a privileged user and can access and edit the /etc/passwd file. You should find the files that use suid; a file with an s in the permission column runs with suid.

# ls -alF `find / -perm -4000` > /root/suid.txt

This command may leave a result like the following in /root/suid.txt on your server.

-rwsr-xr-x 1 root root 60104 Feb 1 2007 /bin/mount*
-rwsr-xr-x 1 root root 35192 Feb 18 2007 /bin/ping*
-rwsr-xr-x 1 root root 19116 Feb 8 2007 /bin/su*
-rwsr-xr-x 1 root root 30664 Feb 1 2007 /bin/umount*
-r-sr-xr-x 1 root root 120264 Feb 9 2007 /sbin/pwdb_chkpwd*
-r-sr-xr-x 1 root root 16992 Feb 9 2007 /sbin/unix_chkpwd*
-rwsr-xr-x 1 root root 37528 Dec 17 2007 /usr/bin/at*
-rwsr-xr-x 1 root root 34296 Apr 27 2007 /usr/bin/chage*
-rws--x--x 1 root root 12072 Feb 1 2007 /usr/bin/chfn*
-rws--x--x 1 root root 11496 Feb 1 2007 /usr/bin/chsh*
-rwsr-xr-x 1 root root 21080 Feb 15 2007 /usr/bin/crontab*
-rwsr-xr-x 1 root root 36100 Mar 27 2007 /usr/bin/gpasswd*
-rwsr-xr-x 1 root root 19927 Feb 17 2007 /usr/bin/lppasswd*
-rws--x--x 1 root root 4764 Feb 1 2007 /usr/bin/newgrp*
-r-s--x--x 1 root root 15104 Mar 13 2007 /usr/bin/passwd*
-rwsr-xr-x 1 root root 14588 Jul 24 2006 /usr/bin/rcp*
-rwsr-xr-x 1 root root 10940 Jul 24 2006 /usr/bin/rlogin*
-rwsr-xr-x 1 root root 7932 Jul 24 2006 /usr/bin/rsh*
-rwsr-xr-x 1 root root 219932 Feb 4 2007 /usr/bin/ssh*
---s--x--x 1 root root 84680 Feb 18 2007 /usr/bin/sudo*
-rwsr-xr-x 1 root root 32673 Apr 18 2007 /usr/sbin/ping6*
-r-sr-xr-x 1 root root 451280 Feb 8 2007 /usr/sbin/sendmail.sendmail*
-rwsr-xr-x 1 root root 20140 Mar 14 2007 /usr/sbin/traceroute*
-rwsr-xr-x 1 root root 13994 Feb 18 2007 /usr/sbin/traceroute6*
-rws--x--x 1 root root 22388 Feb 15 2007 /usr/sbin/userhelper*

-rwsr-xr-x 1 root root 17461 Feb 19 2007 /usr/sbin/usernetctl*

Some Linux system administrators recommend disabling the ping and traceroute services, which is not necessary. However, you should disable suid on the following files:
/usr/bin/chage, /usr/bin/chfn, /usr/bin/chsh, /bin/mount,
/bin/umount, /usr/bin/gpasswd, /usr/sbin/usernetctl, /usr/sbin/traceroute, /usr/sbin/traceroute6, /usr/bin/newgrp, /usr/sbin/ping6, and /bin/ping.

Once suid is disabled, the files can be executed only by the owner. To disable suid, use the following commands.

# chmod 111 /path/to/file
# chattr +i /path/to/file
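
The listing saved in /root/suid.txt is most useful when it is compared with a list of setuid programs you have approved, so that anything new stands out. The script below is an added example and not part of the original article; the function names, the allowlist file and the temporary demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare the setuid files found on disk with an approved list.

# list_suid ROOT: every regular file under ROOT with the setuid bit, sorted.
list_suid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# unexpected_suid ROOT ALLOWLIST: setuid files that are not named in ALLOWLIST
# (ALLOWLIST holds one absolute path per line).
unexpected_suid() {
    list_suid "$1" | grep -vxF -f "$2" || true
}

# make_demo_tree: build a constructed directory tree for the demonstration and
# print its path. On a real server ROOT would be / and the allowlist a file
# you have reviewed by hand.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bin" "$t/usr/bin"
    : > "$t/bin/su"
    : > "$t/bin/ls"
    : > "$t/usr/bin/passwd"
    : > "$t/usr/bin/chfn"
    chmod 4755 "$t/bin/su" "$t/usr/bin/passwd" "$t/usr/bin/chfn"
    chmod 0755 "$t/bin/ls"
    # Approved setuid programs (hypothetical policy for this demo).
    printf '%s\n' "$t/bin/su" "$t/usr/bin/passwd" > "$t/allow.txt"
    echo "$t"
}

tree=$(make_demo_tree)
echo "unexpected before: $(unexpected_suid "$tree" "$tree/allow.txt")"
chmod 111 "$tree/usr/bin/chfn"   # the article's command; it also clears the setuid bit
echo "unexpected after:  $(unexpected_suid "$tree" "$tree/allow.txt")"
rm -rf "$tree"
```

Run the same comparison from cron and alert on any output, because a setuid file that appears after the baseline was approved needs an explanation.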


Troubleshooting Linux using syslog.conf

Posted in Linux, Technical by admin on January 11th, 2008

Different Linux packages have their own configuration files for network configuration and troubleshooting, which can make Linux system administration daunting. However, most Linux applications use the syslog utility to handle their error and status messages, which are stored in files under the /var/log directory. This makes troubleshooting easy on every Linux distribution, such as Fedora, Red Hat and Ubuntu. It is useful to know this because not all applications display errors and status messages on the screen. A Linux log server holds the syslog files, and the logrotate utility makes them easier to handle, so network troubleshooting becomes similar to troubleshooting a Windows network.
The error messages in syslog can be very helpful when you look up malfunctions in product manuals, item manuals and web search results. Both syslog and logrotate are relatively easy to configure, but it takes some skill to troubleshoot all the Linux applications whose information is recorded in the system's syslog files. The syslog utility tracks and handles all error messages, including the critical ones, on a Linux syslog server.
An error message carries two pieces of information: first, the function that generated it, such as the mail and cron applications, which can be identified easily; and second, the degree of severity of the message. The eight severity levels that can appear in a syslog file are listed below. Syslog's configuration file, /etc/syslog.conf, is configured by listing the different facilities.
Table: Syslog facilities details
Severity Level   Keyword         Description
0                emergencies     System not usable
1                alerts          Action required immediately
2                critical        Critical condition
3                errors          Error conditions
4                warnings        Warning conditions
5                notifications   Significant and Normal conditions
6                informational   messages with information
7                debugging       Debugging messages

The /etc/syslog.conf File

Where each type of message is written is set in the syslog configuration file /etc/syslog.conf, and this file contains two columns. The first column contains the facilities included in syslog and the second column contains the description of each keyword in the syslog file. On Red Hat and Fedora, /etc/syslog.conf is configured to store all messages in the file /var/log/messages, like this:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
With this line, all info messages are logged by syslog except those from the mail, cron and authpriv facilities. You can make this logging more insightful by replacing this line with one that sends debug severity to the /var/log/messages file. Here is an example:
*.debug /var/log/messages

In the next example, all syslog debug messages, excluding those from auth, news, mail and authpriv, are logged to the /var/log/debug file. You can split a configuration entry over several lines by putting a backslash (\) at the end of every line. Here is an example:
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
Here the /var/log/messages file is configured to store only info and warning messages, excluding the news, mail, auth and authpriv facilities:
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
mail,news.none -/var/log/messages

Certain types of messages are sent to the screen of every user who is logged in. In that case the file definition is replaced by an asterisk, like this:
*.emerg *
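
How a selector field decides whether a message is logged can be checked with a small script. This is an added example, not code from the original article or from syslogd; it handles only the forms used above (facility lists, *, =priority and none), and the sample messages are constructed.

```shell
#!/bin/sh
# Added example: evaluate a syslog.conf selector field against one message.
# The "!" negation operator is not handled (assumption: it is not used here).

# Severity keyword -> numeric level, as in the table above (0 = most severe).
sev_num() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *)            return 1 ;;
    esac
}

# would_log SELECTORS FACILITY SEVERITY -> prints "yes" or "no".
# The body runs in a subshell so the IFS and globbing changes stay local.
would_log() (
    msg_fac=$2
    msg_sev=$(sev_num "$3") || { echo "bad severity: $3" >&2; exit 2; }
    logged=no
    set -f        # a selector such as *.info must not be glob-expanded
    IFS=';'
    for sel in $1; do
        case "$sel" in
            *.*) ;;
            *) echo "bad selector: $sel" >&2; exit 2 ;;
        esac
        facs=${sel%.*}
        prio=${sel##*.}
        # Skip selectors that do not name this facility.
        case ",$facs," in
            ",*,"|*",$msg_fac,"*) ;;
            *) continue ;;
        esac
        case "$prio" in
            none) logged=no ;;       # a later "none" cancels earlier matches
            '*')  logged=yes ;;
            =*)   lvl=$(sev_num "${prio#=}") || exit 2   # exactly this level
                  if [ "$msg_sev" -eq "$lvl" ]; then logged=yes; fi ;;
            *)    lvl=$(sev_num "$prio") || exit 2       # this level or more severe
                  if [ "$msg_sev" -le "$lvl" ]; then logged=yes; fi ;;
        esac
    done
    echo "$logged"
)

# Selector fields from the syslog.conf lines above, continuation lines joined.
MESSAGES_LINE='*.info;mail.none;authpriv.none;cron.none'
DEBUG_LINE='*.=debug;auth,authpriv.none;news.none;mail.none'
INFO_WARN_LINE='*.=info;*.=notice;*.=warn;auth,authpriv.none;mail,news.none'

# Constructed sample messages: "facility severity".
for msg in 'kern info' 'mail info' 'cron err' 'daemon debug' 'daemon warning' 'auth notice'; do
    set -- $msg
    printf '%-15s *.info line=%-3s  *.=debug line=%-3s  *.=info line=%-3s\n' "$msg" \
        "$(would_log "$MESSAGES_LINE" "$1" "$2")" \
        "$(would_log "$DEBUG_LINE" "$1" "$2")" \
        "$(would_log "$INFO_WARN_LINE" "$1" "$2")"
done
```

The auth notice case is the one to watch: authpriv.none on the first line does not exclude the separate auth facility, so those messages still reach /var/log/messages.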

Some applications log to their own application log files, independent of syslog.conf. Here are examples of these files and directories, which you can use for syslog analysis and error handling.
Files:
/var/log/maillog : Mail information
/var/log/httpd/access_log : Apache web server page access logs

Directories:
/var/log
/var/log/samba : Samba messages
/var/log/mrtg : MRTG messages
/var/log/httpd : Apache webserver messages
After editing syslog.conf, restart syslog using this command.

[root@linux-server tmp]# service syslog restart

To restart syslog in Ubuntu:

root@u-linux-server:~# /etc/init.d/sysklogd restart


Configuring DNS Server in Linux

Posted in Linux, Technical by admin on January 9th, 2008

Introduction

DNS, or Domain Name System, converts a website name like http://www.linuxsolutions.fr/ to an IP address such as 91.102.68.2. Converting hostnames into IP addresses is very important.

Testing DNS Resolution

A DNS server resolves a fully qualified domain name (FQDN) like www.linuxsolutions.fr into an IP address; this is known as a forward lookup. In a reverse lookup, DNS finds the fully qualified domain name associated with an IP address.

One IP address can be associated with only one FQDN, but many websites may have the same IP address. This means that the forward lookup and the reverse lookup may not match. The reverse lookup is handled by the ISP hosting your website. There are many commands in Linux for doing lookups. The most commonly used are the host command on Linux and nslookup on Windows.

Host Command In Linux

The host command accepts either a fully qualified domain name or the IP address of a server as its parameter. Here is the forward lookup command:

[root@linux-server tmp]# host www.linuxsolutions.fr

www.linuxsolutions.com has address 91.102.68.2
[root@linux-server tmp]#
For reverse lookup

[root@linux-server tmp]# host 91.102.68.2

34.71.115.65.in-addr.arpa domain name pointer 65-115-71-34.myisp.net.

[root@linux-server tmp]#
Mostly, the forward and reverse entries do not match; the reverse entry matches the ISP's entry.

Nslookup Command In Windows

The nslookup command is used on Windows computers and provides the same results. Here is the nslookup command:

C:\> nslookup www.linuxsolutions.fr

Server: 10.2.3.4.my-site.com

Address: 192.168.2.200

Non-authoritative answer:

Name: www.linuxsoluitons.fr

Address: 91.102.68.2

C:\>
For reverse lookup

C:\> nslookup 91.102.68.2

Server: 10.2.3.4.my-site.com

Address: 91.102.68.2

Name: 65-115-71-34.my-isp.com

Address: 10.2.3.4

C:\>

Download and Install BIND Packages

Most Linux packages are easy to download and install, and most people want to know how to install and configure DNS on Red Hat/Fedora. First, download the BIND package file; you can search for it on the internet or on your CD. The package filename starts with "bind" followed by its version number, such as bind-9.2.2.p3.i386.rpm.

Starting BIND on Redhat/Fedora

Use chkconfig command to start BIND at boot time.

[root@linux-server tmp]# chkconfig named on

To start, stop, and restart BIND after booting, use:

[root@linux-server tmp]# /etc/init.d/named start

[root@linux-server tmp]# /etc/init.d/named stop

[root@linux-server tmp]# /etc/init.d/named restart
You have to restart the BIND service each time you change the configuration file so that the changes take effect.

/etc/resolv.conf File
Servers which are not running BIND use the /etc/resolv.conf configuration file to find the location of the DNS server and domains. This file contains keywords and their values separated by commas. See below the example of this file.


Keywords In /etc/resolv.conf
Keyword      Value
nameserver   The IP address of the DNS nameserver. Only one entry per nameserver is accepted at one time.
domain       The local domain name used by default.
search       Lets you refer to other servers by name without adding the domain name. It is a time-saving feature for referring to other servers in the same domain.


Configuring NTP Server

Posted in Linux, Technical by admin on January 9th, 2008

What is NTP Server?

NTP, or Network Time Protocol, is used on Linux for atomic time synchronization of the system's clock against a correct time source. There are NTP sites that allow the general public to synchronize with them. They are divided into two types:

  • NTP sites which use an atomic clock for timing

  • NTP sites whose time source is not completely accurate

It is best to have one server in your network act as the local time server for all the devices on the network. This makes it much easier to relate different system events to each other, reduces the internet bandwidth used by NTP traffic, and reduces the need to manage firewall rules for every NTP client on the network.

Downloading and Installing NTP Package

Most Linux packages are available in RPM format, and you can easily download them from the internet or take them from your Linux CD. The NTP file name normally starts with ntp followed by the version number, such as ntp-4.1.2-5.i386.rpm

The /etc/ntp.conf File

The /etc/ntp.conf file holds the NTP configuration. Edit it to add the addresses of the stratum 1 and stratum 2 servers you want to use. Follow these steps to create the NTP configuration file using sample NTP servers.

1. Decide which servers you are interested in, for example:

   server otherntp.myserver.org # A stratum 1 server at myserver.org

   server ntp.myresearch.gov # A stratum 2 server at myresearch.gov

2. Limit the types of access you give these servers. For example, the servers should not be allowed to change the run-time configuration of your Linux NTP server or to query it.

   restrict otherntp.myserver.org mask 255.255.255.255 nomodify notrap noquery

   restrict ntp.myresearch.gov mask 255.255.255.255 nomodify notrap noquery

   The 255.255.255.255 mask limits access to the single IP address of each remote NTP server.

3. If the NTP server provides time information to other computers such as workstations, Linux servers and networking devices, define the networks from which the server will accept NTP time synchronization requests. Use a restrict line without the noquery keyword to permit the network to query the NTP server.

   restrict 192.168.2.0 mask 255.255.255.0 nomodify notrap

   It will be applied to all possible IP addresses on the local network.

4. Add a restrict line for localhost, the universal IP address 127.0.0.1, using this command:

   restrict 127.0.0.1

5. Save the NTP configuration file and restart NTP for these settings to take effect.
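
A quick check that every server in the file really has the restrict line described in the steps above, as an added example that is not part of the original article. The function names and the sample file are assumptions; the time.example.net entry and the missing noquery flag on the second restrict line are constructed to show a finding.

```shell
#!/bin/sh
# Added example: list "server" entries in an ntp.conf that have no matching
# "restrict" line carrying nomodify, notrap and noquery.
unrestricted_servers() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        $1 == "server"   { servers[$2] = 1 }
        $1 == "restrict" {
            flags = " "
            for (i = 3; i <= NF; i++) flags = flags $i " "
            if (flags ~ / nomodify / && flags ~ / notrap / && flags ~ / noquery /)
                locked[$2] = 1
        }
        END { for (s in servers) if (!(s in locked)) print s }
    ' "$1" | sort
}

# make_sample_conf: write a constructed ntp.conf to a temporary file and
# print its path.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
server otherntp.myserver.org   # A stratum 1 server at myserver.org
server ntp.myresearch.gov      # A stratum 2 server at myresearch.gov
server time.example.net        # constructed entry with no restrict line
restrict otherntp.myserver.org mask 255.255.255.255 nomodify notrap noquery
restrict ntp.myresearch.gov mask 255.255.255.255 nomodify notrap
restrict 192.168.2.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1
EOF
    echo "$f"
}

conf=$(make_sample_conf)
echo "servers without a full restrict line:"
unrestricted_servers "$conf"
rm -f "$conf"
```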


Starting NTP Server

Restart NTP each time you edit its configuration file so that the changes take effect.

Use this command to have NTP start at boot.

[root@linux-server tmp]# chkconfig ntpd on

Use these commands to start, stop and restart NTP after booting.
[root@linux-server tmp]# service ntpd start

[root@linux-server tmp]# service ntpd stop

[root@linux-server tmp]# service ntpd restart

Checking NTP working

Use this command to test whether NTP is working correctly or not.

[root@linux-server tmp]# pgrep ntpd


    Configuring Linux Mail

    Posted in Linux, Technical by admin on January 8th, 2008



    Introduction:

    A business or organization needs a dedicated mail server, because email is an important part of a website. Here is a brief description of how to use sendmail to create a mail server on Linux that delivers users' email to a local mailbox. You will read here how to install and start sendmail.


    Configuring Sendmail

    Mail for a domain is handled by setting up DNS with an MX record in the zone configuration file. Sendmail is the most popular Linux mail agent among others such as postfix and qmail. The steps to convert a Linux box into a sendmail server are as follows.


    Sendmail Working

    The sendmail agent can handle both incoming and outgoing email for your domain. Here is the detail of incoming mail and outgoing mail.

    Incoming Mail

    On a Linux mail server each user has a separate login account. Mail sent to a user is stored on the mail server, and sendmail then forwards it into the user's login account.
    Mail is not sent directly to the user's machine; it is retrieved from the mail server using mail client software such as Microsoft Outlook or Outlook Express, which support both the POP and IMAP protocols.
    Some text-based clients and GUI clients such as Evolution can be used to read mail directly on the mail server, and workstation users can also use these applications to access their mail remotely.

    Outgoing Mail

    When you send mail through the mail server, the procedure is somewhat different. PC and Linux workstation users configure their email client software to use the mail server as their outbound SMTP mail server.
    If the mail is for a local user in the same domain, sendmail stores the message in that user's mailbox, from which it can be retrieved.
    However, if the mail is addressed to another domain, sendmail first uses DNS to retrieve the MX record of the other domain. It then tries to send the mail to the appropriate destination mail server using the SMTP protocol.

    Installing Sendmail

    Red Hat and Fedora packages are mostly available in RPM format, and you need to make sure that the sendmail-cf and m4 packages are already installed. While looking for the RPMs, keep in mind that the filename normally starts with the package name followed by the version number, like sendmail-8.12.10-1.1.1.i386.rpm.

    Starting Sendmail

    Use the chkconfig command to configure sendmail to start at boot.

    [root@linux-server tmp]# chkconfig sendmail on
    These commands are used to start, stop and restart sendmail after booting.

    [root@linux-server tmp]# service sendmail start

    [root@linux-server tmp]# service sendmail stop

    [root@linux-server tmp]# service sendmail restart

    Keep in mind that you have to restart sendmail each time you change its configuration files so that the changes take effect.
    The pgrep command is used to test whether the sendmail process is running or not.


    [root@linux-server tmp]# pgrep sendmail

    You will get a reply of plain old process ID numbers.


    Linux VPN Configuration

    Posted in Linux, Technical, VPN by admin on January 8th, 2008


    As a company network grows, it needs secure data links with business partners, customers, sellers and vendors when you give them access to your servers behind the internet firewall. This can be done with a private network known as a VPN, which provides an encrypted data stream between the company firewall and the customers, vendors and so on.
    A VPN is a convenient and secure way to reach remote servers not only by their public translated IP addresses but also by their real IP addresses. This lets you avoid some inherent problems of accessing servers through a many-to-one relation.
    Here you will read about a permanent one-to-one VPN link, or tunnel, built with Openswan, which is known as one of the most famous VPN packages for Linux.


    Before Starting SOHO Linux VPN

    Here is some information that you should consider before configuring a simple SOHO Linux VPN.

    • Disable NAT on the firewall for the packets that will traverse the VPN, because the IPSec protocol on which VPNs are based will tolerate the data packets.
    • First configure and test the firewall, then configure the VPN and make the Linux VPN box act as the firewall.
    • The IP addresses at both ends of the network must be unique; reassign them if overlaps occur.
    • The VPN needs to be permanent and site to site, with both ends using static DHCP and IP addresses.

    The figure below shows the VPN topology between two SOHO network environments, using this scenario.

    • Both sites need the VPN to communicate with each other without the danger of eavesdropping.
    • Site 1 uses the private IP addresses 172.168.1.0/24, uses a Linux VPN/firewall as its default gateway and has the external IP address 97.158.253.25.
    • Site 2 uses the private addresses 10.0.0.0/24 and uses a VPN/firewall device as its default gateway, with the external IP address 6.25.232.1.



    Figure: Openswan topology (Example of Openswan VPN 1)

    Downloading and Installing Openswan Package :

    Download the openswan RPM package from www.openswan.org, where you can also find guidelines on how to install the package on Fedora, Red Hat and other Linux distributions. Before downloading this package, you must have the ipsec-tools RPM package installed on your PC.

    Getting started with Openswan:

    Configure openswan using chkconfig command:

    [root@linux-server tmp]# chkconfig ipsec on

    Start, stop and restart openswan by using ipsec service initialization script:

    [root@linux-server tmp]# service ipsec start

    [root@linux-server tmp]# service ipsec stop

    [root@linux-server tmp]# service ipsec restart

    Keep in mind that you must always restart the ipsec process whenever you change the ipsec.conf file so that the changes take effect.

    Find out status of Openswan Installation :

    After you have installed openswan, check its status using the ipsec verify command. It should show an [OK] status.

    [root@vpn3 tmp]# ipsec verify


    Checking your system to see if IPsec got installed and started properly

    Version check and ipsec on-path [OK]
    Linux Openswan U2.2.0/K2.6.8-1.522 (native)

    Checking for IPsec support in kernel [OK]

    Checking for RSA private key (/etc/ipsec.secrets) [OK]

    Checking that pluto is running [OK]

    Three or more interfaces found, checking IP forwarding [OK]

    Checking NAT and MASQUERADEing [N/A]

    Checking for ‘ip’ command [OK]

    Checking for ‘iptables’ command [OK]

    Checking for ’setkey’ command for native IPsec stack support [OK]

    [root@vpn3 tmp]#


    Network based Linux Installation

    Posted in Technical by admin on January 7th, 2008


    Introduction:
    Many versions of Linux allow the operating system to be installed over a network connection with the help of a kickstart server. This type of installation is faster than installing from CDs, and the process can be automated.
    Here is the procedure to install Linux remotely:
    • Connect the client machine to the installation server, which has already been loaded with the installation files.
    • Boot the installation client from a bootable CD.
    • There are three installation methods to choose from, i.e. FTP, HTTP and NFS, along with the network parameters.
    • The installation process will start and you can select the installation method from the available options.
    Configuring Kickstart Installation Server:
    A kickstart installation server can be configured on an FTP, NFS or Apache server using the following procedure.
    Kickstart is, however, easiest with a web server because:
    • The kickstart server may need to be at a remote location and reached through a firewall, and firewall rules for HTTP are somewhat easier to configure than those for FTP and NFS.
    • Kickstart can use the :// nomenclature to access files, which is easier and more familiar to users than NFS and FTP, and this is crucial for automatic kickstart installation.
    Preparing for Remote Server:
    Here is an example of configuring a kickstart server that will be used for a Fedora Core installation. All files will be uploaded to the /data/network-install directory.
    Create Installation Directory:
    First of all, create the installation directories /data/network-install/RPM and /data/network-install/ISO, where the necessary files will be copied.
    [root@linux-server tmp]# mkdir -p /data/network-install/RPM
    [root@linux-server tmp]# mkdir -p /data/network-install/ISO
    Now you need to copy the network installation driver files into the base directory.
    Copying The Files:
    All the kickstart methods, HTTP, NFS and FTP, need a base set of Fedora files to be installed on the kickstart server. Here is the procedure to install it.
    1) Create a mount point for your CD ROM drive.

    [root@linux-server tmp]# mkdir /mnt/cdrom
    2) Mount the Linux CD ROM.
    [root@linux-server tmp]# mount /dev/cdrom /mnt/cdrom

    3) Copy the files from the CD ROM dir to the hard disk

    [root@linux-server tmp]# cp -r /mnt/cdrom/* /data/network-install/RPM
    4) Unmount the CD ROM and remove cd using eject command.
    [root@linux-server tmp]# umount /dev/cdrom

    [root@linux-server tmp]# eject cdrom
    5) Repeat steps 2 to 4 with all your CDROMs. Overwrite files if required.
    HTTP & FTP Preparation:
    To configure for HTTP and FTP, copy all the data from each installation CD to the /data/network-install/RPM directory. This needs 3-5 GB of disk space. After the copy completes, the directory will look as shown below.
    [root@linux-server tmp]# ls -1 /data/network-install/RPM
    eula.txt
    RedHat
    redhat.css
    GPL
    images
    index.html
    isolinux
    README-Accessibility
    RELEASE-NOTES-en_US.html
    repodata
    RPM-GPG-KEY
    RPM-GPG-KEY-beta
    RPM-GPG-KEY-fedora
    RPM-GPG-KEY-fedora-extras
    RPM-GPG-KEY-fedora-legacy
    RPM-GPG-KEY-fedora-rawhide
    RPM-GPG-KEY-fedora-test
    RPM-GPG-KEY-rawhide
    stylesheet-images
    [root@linux-server tmp]#
    Preparing for NFS:
    First of all, create ISO images of the installation CDs and store them in the /data/network-install/ISO directory. This also needs 3-5 GB of disk space. You can download the ISO files from the official website of the distribution, such as Fedora or Red Hat, or you can create them from the installation CDs, but you have to make sure that they have the same names as on the official website.
    Here are the steps to follow, replacing the filename where necessary.
    [root@linux-server tmp]# cd /data/network-install/ISO

    [root@linux-server ISO]# dd if=/dev/cdrom of=filename.iso bs=32k


    [root@linux-server ISO]# eject cdrom
    Note: Here is an example of making ISO files using the mkisofs command. You can install the mkisofs RPM on newer Fedora versions as well. This command needs a mounted CDROM drive, so don't overlook the mount command.
    [root@linux-server ISO]# mount /mnt/cdrom

    [root@linux-server ISO]# mkisofs -J -r -T -o filename.iso /mnt/cdrom

    [root@linux-server ISO]# eject cdrom


    Configuring DHCP Server in Linux

    Posted in Technical by admin on January 7th, 2008


    DHCP Introduction:

    When you use a cable modem or DSL connection, the IP address is assigned to your PC dynamically by the service provider. If you use a router between your home computer and the Internet, your PC gets its IP address from the router at boot time.
    If you want to configure your Linux machine as a DHCP server, you can disable this feature on the router.
    Here are the details of configuring a Linux machine as a DHCP server.

    Download and Install DHCP Package:

    Linux packages are normally in RPM format, and downloading and installing them is not difficult.
    When searching for a DHCP package, remember that the file name always starts with dhcp followed by its version number, such as dhcp-4.01rc 14-1.i386.rpm.
    On Ubuntu the package name may also include the version number. On Ubuntu you can use the dpkg --list | grep dhcp command to list the dhcp packages and find the dhcp package name.

    Editing /etc/dhcpd.conf File:
    When DHCP initializes, it reads its configuration from the file /etc/dhcpd.conf. The DHCP RPM package is not installed by default; you have to install it manually. However, you can find a sample copy of the file at the following path
    /usr/share/doc/dhcp-/dhcpd.conf.sample

    You need to copy this sample dhcpd.conf file into the /etc directory and then edit it. Copy the file using this command
    [root@linux-server tmp]# cp /usr/share/doc/dhcp-3.0p11/dhcpd.conf.sample /etc/dhcpd.conf

    On Ubuntu the configuration file name is /etc/dhcp*/dhcpd.conf, and you have to follow the same syntax that is used on Red Hat/Fedora.
    Complete information about dhcpd.conf is detailed here
    ddns-update-style interim;
    ignore client-updates;

    subnet 192.168.2.0 netmask 255.255.255.0 {

        # Here is the range from which the DHCP server will assign IP addresses to clients
        range 192.168.2.201 192.168.2.220;

        # Set the number of seconds that a client PC will keep a specific IP address
        default-lease-time 86400;
        max-lease-time 90000;

        # Set the default gateway used by PC clients
        option routers 192.168.1.1;

        # Do not forward DHCP requests from this NIC interface
        option ip-forwarding off;

        # Broadcast address and subnet mask used by DHCP clients
        option broadcast-address 192.168.2.255;
        option subnet-mask 255.255.255.0;

        # Set the DNS server used by DHCP clients
        option domain-name-servers 192.168.2.100;

        # Set the NTP server used by DHCP clients
        option ntp-servers 192.168.2.100;

        # For a WINS server for your Windows clients,
        # include this option in the dhcpd.conf file:
        option netbios-name-servers 192.168.2.100;

        # Assign IP addresses based on the client's Ethernet MAC address as follows
        # (the host's name is "linux-server"):
        host linux-server {
            hardware ethernet 08:00:2b:4c:59:23;
            fixed-address 192.168.2.222;
        }
    }
    #
    # List an unused interface here
    # (use the subnet of the unused interface; it must differ from the subnet declared above)
    #
    subnet 192.168.2.0 netmask 255.255.255.0 {
    }

    After installing DHCP, you can find more information in the DHCP options man page.

    [root@bigboy tmp]# man dhcp-options
