#
# Paully's RedHat Linux 7.3 Install Notes, Tips and Tricks
#
# paul.littlefield@bigfoot.com
#
# This file explains how to setup an INTERNAL NETWORK Linux server,
# suitable for running email, dns, intranet, database, caching proxy,
# file server, windows domain password authentication, etc.
#
# Some of these instructions are NOT suitable for a worldwide public access server.
#
# Last Updated: Mon Jan 19 15:38:04 2004 - System Security (2)
#
0. Security
1. Sendmail
2. Apache
3. Apache mod_auth_MySQL
4. ProFTPd
5. Webmin
6. phpMyAdmin
7. Qpopper
8. Netdate
9. Squid
10. Samba (1)
11. Named
12. DHCPd
13. Samba (2)
14. Anti-Virus
15. Anti-Virus (2)
16. System Clean Up
17. Startup Script for Extras
18. Ntop Network Monitor
19. Fetchmail (and MailScanner)
20. MailScanner & SpamAssassin
21. OpenLDAP
WEBMIN
------
$ wget http://belnet.dl.sourceforge.net/sourceforge/webadmin/webmin-1.020-1.noarch.rpm
$ rpm -Uvh webmin-1.020-1.noarch.rpm
APACHE
------
$ adduser devel
$ passwd devel
$ chmod 755 /home/devel   (the devel home directory)
$ cd /home/devel
$ rm -rf *
$ cd /etc/httpd/conf
$ reconfigure httpd.conf for VirtualHost
UseCanonicalName off
VirtualDocumentRoot /home/devel/%0
ServerName %0
AddHandler cgi-script .cgi .pl
ServerAdmin devel@cyrix.littlefield.uk.com
AddHandler server-parsed .shtml
AddType text/html .shtml
APACHE MOD_AUTH_MYSQL
---------------------
$ rpm -Uvh mod_auth_mysql-1.11-1.rpm
$ pico -w /etc/httpd/conf/httpd.conf
$ add the line for mysql_auth_module below db_auth:
LoadModule db_auth_module modules/mod_auth_db.so
LoadModule mysql_auth_module modules/mod_auth_mysql.so
#LoadModule dbm_auth_module modules/mod_auth_dbm.so
...
AddModule mod_auth_db.c
AddModule mod_auth_mysql.c
#AddModule mod_digest.c
$ in an .htaccess file add the following:
AuthName "Password Protected Area"
AuthType Basic
AuthMySQLHost localhost
AuthMySQLDB
AuthMySQLUser
AuthMySQLPassword
AuthMySQLUserTable
AuthMySQLNameField
AuthMySQLPasswordField
AuthMySQLCryptedPasswords On
AuthMySQLNoPasswd Off
require valid-user
DirectoryIndex setcookie.pl index.shtml
PHPMYADMIN
----------
$ cd /home/devel
$ mkdir mysql.littlefield.uk.com
$ cd /my/download/directory
$ cp phpMyAdmin-2.2.6-php.tar.gz /usr/src
$ cd /usr/src
$ tar zxvf phpMyAdmin-2.2.6-php.tar.gz
$ cd phpMyAdmin-2.2.6
$ cp -R . /home/devel/mysql.littlefield.uk.com
$ cd /home/devel/mysql.littlefield.uk.com
$ pico -w config.inc.php
$cfg['PmaAbsoluteUri'] = 'http://mysql.littlefield.uk.com';
$cfg['Servers'][$i]['password'] = 'mypassword';
PROFTPD
-------
$ cp proftpd-1.2.6.tar.gz /usr/src
$ tar zxvf proftpd-1.2.6.tar.gz
$ cd proftpd-1.2.6
$ ./configure --sysconfdir=/etc
$ make
$ make install
$ cp /usr/src/proftpd-1.2.6/contrib/dist/rpm/proftpd.init.d /etc/rc.d/init.d
$ cd /etc/rc.d/init.d
$ mv proftpd.init.d proftpd
$ chmod 755 proftpd
$ pico proftpd:-
daemon proftpd => daemon /usr/local/sbin/proftpd
FTPSHUT=/usr/sbin/ftpshut => FTPSHUT=/usr/local/sbin/ftpshut
$ pico /etc/proftpd.conf:-
# ServerName "ProFTP Server"
ServerType standalone
DefaultServer on
# Don't show the full linux directory path
DefaultRoot ~
# Set the user and group that the server normally runs at.
User nobody
Group nobody
# Set timeout values
TimeoutIdle 900
TimeoutNoTransfer 900
# Set DNS stuff for faster performance
UseReverseDNS off
# Fix PAM authentication warnings
AuthPAM off
AuthPAMAuthoritative off
$ chkconfig --add proftpd
$ ntsysv: enable [*] proftpd
$ /etc/rc.d/init.d/proftpd start
$ test with ncftp ftp://user:password@127.0.0.1
QPOPPER
-------
$ cp qpopper4.0.4-no-test.tar.gz /usr/src
$ tar zxvf qpopper4.0.4-no-test.tar.gz
$ cd qpopper4.0.4
$ ./configure && make && make install
$ touch /etc/xinetd.d/qpopper
$ cd /etc/xinetd.d
$ pico qpopper:
# default: on
service pop3
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/local/sbin/in.popper
server_args = -s
log_on_success += duration userid
log_on_failure += userid
nice = 10
}
$ cd /usr/local/sbin
$ ln -s popper in.popper
$ /etc/rc.d/init.d/xinetd restart
SENDMAIL
--------
# fix sendmail to receive messages from anyone on your network
$ rpm -Uvh m4-1.4.1-7.i386.rpm
$ cd /etc/mail
$ pico sendmail.mc => DAEMON_OPTIONS 127.0.0.1 => dnl DAEMON_OPTIONS 127.0.0.1
$ m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
$ /etc/rc.d/init.d/sendmail restart
SQUID
-----
$ rpm -Uvh squid-2.4.STABLE6-1.7.2.rpm
$ log into webmin => servers => squid
$ initialize cache
$ access control => create new acl [client address] => local_network:192.168.0.1-192.168.0.254/255.255.255.255
$ access control => add proxy restriction => allow:local_network => move up above deny:all
$ /etc/rc.d/init.d/squid start
$ chkconfig --add squid
$ ntsysv => [*] squid => OK
SAMBA
-----
1. Test if the basic file server works
$ pico /etc/samba/smb.conf => workgroup = LITTLEFIELD
$ smbpasswd -a paully paully
$ /usr/bin/testparm
$ /etc/rc.d/init.d/smb start
$ chkconfig --add smb
$ ntsysv => [*] smb => OK
$ browse in windows explorer
2. Add domain controller password authentication
$ cd /home
$ mkdir samba
$ cd samba
$ mkdir netlogon
$ cd /etc/samba
$ adduser -g users -c WIN2KMachine -d /dev/null -s /bin/false -n WIN2K$
$ smbpasswd -a -m WIN2K$
$ smbpasswd -a root
$ add or uncomment extra lines in /etc/samba/smb.conf
status = yes
coding system = cap
preserve case = yes
short preserve case = yes
domain logons = yes
domain master = yes
domain admin group = @wheel
preferred master = yes
local master = yes
os level = 64
update encrypted = yes
null passwords = yes
guest account = nobody
$ uncomment [netlogon] section in /etc/samba/smb.conf
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
writable = no
share modes = no
$ testparm
$ /etc/rc.d/init.d/samba restart
$ log into WindowsNT or Windows2000 machine as Administrator
$ network properties
$ change workgroup to domain => Next
$ type in root username and password => OK
$ reboot Windows machine => press ctrl+alt+del to start
$ log in with linux samba username and password
3. Adding extra users
$ su to root
$ adduser
$ passwd
$ usermod -c 'Full Name'
$ smbpasswd -a
4. Private notes for my benefit
$ pico /etc/group => add paully to the wheel group
$ if things are missing, log in as Administrator to Windows and copy the profile files across!
(this will fix the missing startup links, control panel settings and program registrations)
HYLAFAX
-------
$ check for the existence of modem -> ttyS0 in /dev (if not then ln -s ttyS0 modem)
$ rpm -Uvh hylafax-4.1.2-1rh7.i386.rpm
$ /usr/sbin/faxsetup => /usr/sbin/faxaddmodem => speaker_volume:high
$ add the line mo:2345:respawn:/usr/sbin/faxgetty modem to /etc/inittab
$ chkconfig --add hylafax
$ ntsysv => [*] hylafax => OK
$ /etc/rc.d/init.d/hylafax start
$ touch /home/paully/faxtest.txt
$ pico /home/paully/faxtest.txt with a small message
$ send test fax with: sendfax -n -d 123456 /home/paully/faxtest.txt
$ check log file in /var/spool/hylafax/log/ (e.g. c00000001)
NETDATE
-------
$ rpm -Uvh netdate-1.16-6.i386.rpm
$ pico netdate
/usr/sbin/netdate 129.6.15.28;
/sbin/clock -w;
$ crontab -e
4 4 1 * * /root/netdate
$ ./netdate
129.6.15.28 -3680.886 Mon Jul 1 07:10:37.000
KERNEL TWEAKING
---------------
http://www.digitalhermit.com/linux/kernel.html
$ cd /usr/src/linux-2.4.18-3
$ pico Makefile => $EXTRAVERSION = -4
$ rpm -Uvh ncurses-devel-5.2.26-1.rpm
$ make oldconfig
$ make menuconfig => tweak as necessary (cpu, leave out usb, scsi, etc) => save as .config
$ pico -w /etc/lilo.conf => add another section with new kernel image name (eg. image=vmlinuz-2.4.18-4, label=linux_custom)
$ make dep && make clean && make bzImage && make modules && make modules_install && make install
$ /usr/sbin/lilo
$ reboot => choose linux_custom
CONFIG_PM=y
CONFIG_APM=y
# CONFIG_APM_IGNORE_USER_SUSPEND is not set
# CONFIG_APM_DO_ENABLE is not set
# CONFIG_APM_CPU_IDLE is not set
# CONFIG_APM_DISPLAY_BLANK is not set
# CONFIG_APM_RTC_IS_GMT is not set
# CONFIG_APM_ALLOW_INTS is not set
# CONFIG_APM_REAL_MODE_POWER_OFF is not set
This will fix my Cyrix reboot and poweroff problem
FETCHMAIL
---------
server my.mail.server.com
proto pop3
user myaccountthere
pass deepestsecrets
flush
mda /usr/bin/procmail
PROCMAIL
--------
# the mail with header "to: theuser@mydom.com" will be forwarded directly
# to me, the other mail will pass this option ...
:0
* ^To:.*theuser@mydom.com
! theuser
NAMED
-----
$ ftp://ftp.rs.internic.net/domain/named.root
$ mv named.root db.cache
$ chown -R named.named /var/named
$ pico -w /etc/named.conf
options { directory "/var/named"; };
zone "." { type hint; file "db.cache"; };
zone "firstdomain.uk.com" { type master; file "pri.firstdomain.uk.com"; };
zone "seconddomain.com" { type master; file "pri.seconddomain.com"; };
zone "thirddomain.co.uk" { type master; file "pri.thirddomain.co.uk"; };
$ pico -w /var/named/pri.firstdomain.uk.com
$ttl 38400
firstdomain.uk.com. IN SOA bookpc.littlefield.uk.com. root.localhost. (
1031487206
10800
3600
604800
38400 )
firstdomain.uk.com. IN NS bookpc.littlefield.uk.com.
firstdomain.uk.com. IN A 192.168.0.11
www.firstdomain.uk.com. IN A 212.135.18.100
$ chown -R named.named /var/named
$ chkconfig --add named
$ /etc/rc.d/init.d/named start
$ ntsysv => [*] named => OK
DHCPD
-----
$ pico -w /etc/dhcpd.conf
option domain-name "littlefield.uk.com";
option domain-name-servers 192.168.0.11, 195.92.195.94, 195.92.195.95;
option routers 192.168.0.1;
option broadcast-address 192.168.0.255;
default-lease-time 86400;
subnet 192.168.0.0 netmask 255.255.255.0
{
range 192.168.0.100 192.168.0.255;
}
host win2k
{
hardware ethernet 00:40:95:33:28:C3;
fixed-address 192.168.0.12;
}
$ chkconfig --add dhcpd
$ /etc/rc.d/init.d/dhcpd start
$ ntsysv => [*] dhcpd => OK
SECURITY (1)
------------
# http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/index.html
$ pico -w /etc/hosts.deny
ALL: ALL
$ pico -w /etc/hosts.allow
ALL: LOCAL
ALL: 192.168.0.
$ pico -w /etc/ssh/sshd_config
PermitRootLogin no
AllowUsers admin
PermitEmptyPasswords no
$ pico -w /etc/group
wheel:x:10:root,admin
$ pico -w /etc/pam.d/su
# Uncomment the following line to require a user to be in the "wheel" group.
auth required /lib/security/pam_wheel.so use_uid
$ mv /etc/issue /etc/issue.old
$ mv /etc/issue.net /etc/issue.net.old
$ /etc/rc.d/init.d/sshd restart
$ /etc/rc.d/init.d/xinetd restart
$ pico -w /etc/proftpd.ftpusers (users not allowed to login via ftp)
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
$ pico -w /etc/pam.d/login
...
account required /lib/security/pam_stack.so service=system-auth
# add the line below to restrict console logins to rules found in /etc/security/access.conf
account required /lib/security/pam_access.so
...
$ pico -w /etc/security/access.conf
-:ALL EXCEPT root:LOCAL
$ pico -w /etc/securetty
# vc/1
# vc/2
# vc/3
# vc/4
# vc/5
# vc/6
# vc/7
# vc/8
# vc/9
# vc/10
# vc/11
tty1
# tty2
# tty3
# tty4
# tty5
# tty6
# tty7
# tty8
# tty9
# tty10
# tty11
$ pico /etc/profile
# add the TMOUT line below to automatically log off users after 1 hour of no input
HOSTNAME=`/bin/hostname`
HISTSIZE=1000
# set default timeout value for security
TMOUT=3600
$ pico /etc/rc.d/rc.local
...
# Prevent the system from responding to PING requests
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Mitigate SYN-flood (DoS) attacks with TCP SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
$ pico /etc/host.conf
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
$ chattr +i /etc/services # This will immunise the services file from being altered
ANTI-VIRUS # 1 (please check below for # 2 new instructions)
--------------
#
# download unzip and F-Prot AntiVirus for Linux
#
$ ncftpget ftp://rpmfind.net/linux/redhat/7.3/en/os/i386/RedHat/RPMS/unzip-5.50-2.i386.rpm
$ ncftpget ftp://ftp.f-prot.com/pub/linux/f-prot-3.12b-1.i386.rpm.md5
$ ncftpget ftp://ftp.f-prot.com/pub/linux/f-prot-3.12b-1.i386.rpm
#
# check the downloaded RPM against the published MD5 sum (this only detects a corrupt or truncated download; the .md5 file came from the same server, so it is not proof of authenticity)
#
$ cat /usr/src/f-prot-3.12b-1.i386.rpm.md5
$ md5sum f-prot-3.12b-1.i386.rpm
#
# install unzip and f-prot RPM packages
#
$ rpm -Uvh unzip-5.50-2.i386.rpm
$ rpm -Uvh f-prot-3.12b-1.i386.rpm
#
# check install directory listing
#
$ ls -la /usr/local/f-prot_3.12b/
#
# run update script to download latest virus definitions
#
$ /usr/local/f-prot_3.12b/check-updates.sh
***************************************
* F-Prot signature file update script *
***************************************
There's a new version of:
"Application/Script viruses and Trojans" signatures on the web.
Starting to download...
Download completed.
"Application/Script viruses and Trojans" signatures have been installed.
**********************************
* Update completed successfully. *
**********************************
#
# run test scan on a few important directories
#
$ f-prot /usr/sbin
Virus scanning report - 9. October 2002 18:43
F-PROT 3.12b
SIGN.DEF created 4. October 2002
SIGN2.DEF created 7. October 2002
MACRO.DEF created 22. September 2002
Search: /usr/sbin/
Action: Report only
Files: Attempt to identify files
Switches:
Results of virus scanning:
Files: 146
MBRs: 0
Boot sectors: 0
Objects scanned: 146
Time: 0:02
No viruses or suspicious files/boot sectors were found.
#
# download MailScanner
#
$ wget http://www.sng.ecs.soton.ac.uk/mailscanner/files/mailscanner-3.23-5.i386.rpm
#
# install MailScanner (lots of stuff will fly past the screen testing PERL, etc)
#
$ rpm -Uvh mailscanner-3.23-5.i386.rpm
#
# check contents of install directory
#
$ ls -la /usr/local/MailScanner/
#
# check for viruses
#
$ f-prot /usr/local/MailScanner/
#
# edit .conf file for f-prot settings
#
$ pico -w /usr/local/MailScanner/etc/mailscanner.conf
Virus Scanner = f-prot
Sweep = /usr/local/bin/f-prot
#
# check software starts up correctly
#
$ /etc/rc.d/init.d/mailscanner start
#
# add it to the automated startup scripts
#
$ chkconfig --add mailscanner
$ ntsysv [*] mailscanner, OK
#
# check it's starting alright
#
$ tail /var/log/maillog
Oct 9 18:52:22 bookpc mailscanner[24967]: MailScanner E-Mail Virus Scanner version 3.23-5 starting.
Oct 9 18:52:22 bookpc mailscanner[24967]: Configuring mailscanner for sendmail...
Oct 9 18:52:22 bookpc mailscanner[24967]: Using locktype = flock
ANTI-VIRUS # 2
--------------
# This covers new versions of F-Prot and MailScanner
#
# 1. F-Prot for Linux Small Business Edition
#
# uninstall early version of f-prot
#
$ rpm -e f-prot
#
# install new version
#
$ ncftpget ftp://ftp.f-prot.com/pub/linux/fp-linux-sb.rpm
$ rpm -Uvh fp-linux-sb.rpm
$ /usr/local/f-prot/check-updates.sh
$ crontab -e
3 4 * * * /usr/local/f-prot/check-updates.sh >/dev/null 2>&1
#
# 2. MailScanner
#
$ cd /usr/src
$ wget http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/rpm/MailScanner-4.12-2.rpm.tar
$ ncftpget ftp://rpmfind.net/linux/redhat/7.3/en/os/i386/RedHat/RPMS/rpm-build-4.0.4-7x.18.i386.rpm
$ rpm -Uvh rpm-build-4.0.4-7x.18.i386.rpm
$ tar xvf MailScanner-4.12-2.rpm.tar
$ ./Update-MakeMaker.sh
$ ./install.sh
$ service sendmail stop
$ chkconfig sendmail off
$ chkconfig --level 2345 MailScanner on
$ pico -w MailScanner.conf
Virus Scanner = f-prot
Sweep = /usr/local/bin/f-prot
$ service MailScanner start
SYSTEM CLEAN UP
---------------
#
# Remove all those kernel modules from numerous upgrades...
# ...this freed up 254M of wasted space!
#
$ du -mcsh /lib/modules/
313M /lib/modules
313M total
$ du -sh /lib/modules/2.4.*
29M 2.4.18-10
29M 2.4.18-17.7.x
29M 2.4.18-18.7.x
29M 2.4.18-19.7.x
29M 2.4.18-24.7.x
29M 2.4.18-26.7.x
29M 2.4.18-27.7.x
28M 2.4.18-3
29M 2.4.18-5
30M 2.4.20-13.7
30M 2.4.20-18.7
$ rm -rf 2.4.18-*   (run from inside /lib/modules, and check `uname -r` first so the running kernel's modules are not removed)
$ du -mcsh /lib/modules/
59M /lib/modules
59M total
#
# Move all those up2date kernel upgrades from /boot...
# ...this freed up 140M of wasted space!
#
$ mkdir /home/paully/boot
$ cd /boot
$ mv *2.4.18* /home/paully/boot/
#
# Remove 'core' files
#
$ find . -name core -exec rm {} \;
#
# Remove temp files (please check before deleting)
#
$ cd /tmp && rm -rf *
$ cd /usr/tmp && rm -rf *
#
# Find out how much is in /var/log and remove x day old data (x number below in example is 30)
#
$ du -mch /var/log
$ find /var/log -type f -mtime +30
$ find /var/log -type f -mtime +30 -exec rm -f {} \;
#
# Strip symbols from binary files
#
$ strip /bin/*
#
# Clear SQUID cache which freed up 108M of space!
#
$ webmin => servers => squid => clear and rebuild cache
#
# Clear 20 day old files from the /var/spool/up2date directory...
# ...which freed up 23M of space!
#
$ find /var/spool/up2date -type f -mtime +20 -exec rm -f {} \;
#
# Find all the backup files and remove them
#
$ find . -name \*~ -exec rm -f {} \;
STARTUP SCRIPT FOR EXTRAS
-------------------------
$ cat /etc/rc.local
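#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
# Prevent the system from responding to PING requests
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Mitigate SYN-flood (DoS) attacks with TCP SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Start the Find-A-Drug distributed computing client.
# Stop here if the client directory is missing, so that 'server' and
# 'think' are never launched from whatever directory rc.local happens
# to run in.
cd /usr/src/fadv1211 || exit 1
isetup -list
server -auto &
think &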
NTOP NETWORK MONITOR
--------------------
#
# ntop is a network and traffic analyzer that provides a wealth of information on
# various networking hosts and protocols. ntop is primarily accessed via a built-in
# web interface, but has a neat utility called 'intop' which acts like regular 'top'
#
$ rpm -ivh ftp://ftp.cs.uni-frankfurt.de/pub/linux/Mirror/ftp.redhat.com/linux/7.3/en/os/i386/RedHat/RPMS/libpcap-0.6.2-12.i386.rpm
$ rpm -ivh ftp://ftp.cs.uni-frankfurt.de/pub/linux/Mirror/ftp.redhat.com/contrib/libc6/i386/rrdtool-1.0.28-1.i386.rpm
$ rpm -ivh ftp://ftp.mirror.ac.uk/sites/download.sourceforge.net/pub/sourceforge/ntop/ntop-2.1.3-0.i386.rpm
$ useradd -g ntop -d /usr/share/ntop ntop
$ chkconfig ntop on
$ /etc/rc.d/init.d/ntop start
#
# Now you can run the fantastic web interface: http://192.168.0.11:3000
#
LM_SENSORS
----------
To come
USING FETCHMAIL (AND MAILSCANNER)
---------------------------------
#
# After installing and configuring MailScanner (see above), you can use
# Fetchmail to grab messages from your ISP mailbox. With a bit of extra
# tweaking, it is possible to make fetchmail work with mailscanner to
# check your messages for viruses and spam.
#
$ rpm -ivh fetchmail-5.9.0-21.7.3.i386.rpm
#
# Create a user called 'postman' and then create the following ~/.fetchmailrc file (mode 0600 - it holds the mailbox password, and fetchmail refuses to run if the file is readable by others)
#
server my.mail.server.com
proto pop3
user myaccountthere
pass deepestsecrets
#
# The BIG point here is NOT to use procmail as your MTA.
#
# Now log in as the new user 'postman' and call the fetchmail program
#
$ su - postman
$ fetchmail -v -v -v
#
# If all goes well, you should see it collect your POP3 mail and pass it to sendmail.
# However, you will probably see the following error:
# "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA" in /var/log/maillog
# This is fixed by tweaking /etc/hosts.allow and adding the following line above the rest
#
sendmail: *
#
# Now if you retry, fetchmail will collect the mail from your POP3 box, send it to sendmail
# for delivery, MailScanner will start and check for viruses then give it back to sendmail
#
# Perfect!
#
MAILSCANNER & SPAMASSASSIN
--------------------------
#
# This will install the SpamAssassin PERL module for use with MailScanner
#
$ su - root
$ perl -MCPAN -e shell
> o conf prerequisites_policy ask
> install Mail::SpamAssassin
> quit
$ pico -w /etc/MailScanner/MailScanner.conf
> Mail Header = X-MailScanner-VirusCheck:
> Spam Header = X-MailScanner-SpamCheck:
> Detailed Spam Report = yes
> Mark Unscanned Messages = yes
> Spam Checks = yes
> Use SpamAssassin = yes
> Always Include SpamAssassin Report = yes
> Spam Score = yes
> Log Spam = yes
$ service MailScanner stop
$ service MailScanner start
$ logout
OPENLDAP
--------
#
#
#
$ lynx /usr/share/doc/openldap-servers-2.0.27/guide.html (2. A Quick Start Guide)
$ pico -w /etc/openldap/slapd.conf
> suffix "dc=littlefield,dc=uk.com"
> rootdn "cn=Manager,dc=littlefield,dc=uk.com"
> rootpw mypassword
$ pico -w /etc/hosts.allow
> ldapd: ALL
> slapd: ALL
$ chkconfig ldap on
$ service ldap start
$ ldapsearch -v -x -b '' -s base '(objectclass=*)' namingContexts
FIREWALL-JAY
------------
#
#
#
Coming soon.
ULOGD
-----
#
# ULOG is a replacement for traditional syslog-based logging (using the LOG target) in iptables-based firewalls.
# ULOG has a different concept. Packets get copied to a special logging daemon, which can do very detailed logging to different targets (plaintext files, MySQL databases).
# ULOG supports plugins for different output formats, as well as for new protocols.
#
$ wget ftp://ftp.netfilter.org/pub/ulogd/ulogd-1.02.tar.bz2
$ su - root
$ cd /usr/src
$ tar jxvf ulogd-1.02.tar.bz2
$ cd ulogd-1.02
$ ./configure --sysconfdir=/etc
$ make
$ make install
$ cp /etc/rc.d/init.d/proftpd /etc/rc.d/init.d/ulogd
$ cd /etc/rc.d/init.d
$ pico ulogd:-
daemon proftpd => daemon /usr/local/sbin/ulogd
$ chkconfig --add ulogd
$ ntsysv: enable [*] ulogd
$ /etc/rc.d/init.d/ulogd start
SYSTEM SECURITY (2)
-------------------
- xinetd (/etc/xinetd.conf)
bind = 192.168.0.11
- ssh (/etc/ssh/sshd_config)
Port 22
Protocol 2,1   (protocol 1 is only needed for legacy clients; use "Protocol 2" alone where possible)
ListenAddress 192.168.0.11
- samba (/etc/samba/smb.conf)
interfaces = eth1
bind interfaces only = yes
- apache (/etc/apache/httpd.conf)
Listen 192.168.0.11:80
Listen 192.168.0.11:443
NameVirtualHost 192.168.0.11
...
- bind (/etc/named.conf)
options {
directory "/var/named";
listen-on {
127.0.0.1;
192.168.0.11;
};
};
- proftp (/etc/proftpd.conf)
Bind 192.168.0.11
SocketBindTight on
- sendmail (/etc/mail/sendmail.mc)
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
- mysql (/etc/my.cnf)
[mysqld]
bind-address=192.168.0.11
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
- webmin (/etc/webmin/miniserv.conf)
bind=192.168.0.11
allow=192.168.0.0
- usermin (/etc/usermin/miniserv.conf)
bind=192.168.0.11
allow=192.168.0.0
BEFORE
------
[root@bookpc root]# netstat -ntap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN 1247/perl
tcp 0 0 0.0.0.0:192 0.0.0.0:* LISTEN 1103/httpd
tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN 958/xinetd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1037/mysqld
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 1177/smbd
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 958/xinetd
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 1254/perl
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1103/httpd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1122/proftpd: (acce
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 899/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 899/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 924/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1049/sendmail: acce
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 899/named
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1103/httpd
AFTER
-----
[root@bookpc root]# netstat -ntap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.0.11:20000 0.0.0.0:* LISTEN 7936/perl
tcp 0 0 192.168.0.11:37 0.0.0.0:* LISTEN 5855/xinetd
tcp 0 0 192.168.0.11:3306 0.0.0.0:* LISTEN 7896/mysqld
tcp 0 0 192.168.0.11:139 0.0.0.0:* LISTEN 6165/smbd
tcp 0 0 192.168.0.11:110 0.0.0.0:* LISTEN 5855/xinetd
tcp 0 0 192.168.0.11:80 0.0.0.0:* LISTEN 7275/httpd
tcp 0 0 192.168.0.11:10000 0.0.0.0:* LISTEN 7081/perl
tcp 0 0 192.168.0.11:21 0.0.0.0:* LISTEN 6852/proftpd: (acce
tcp 0 0 192.168.0.11:53 0.0.0.0:* LISTEN 899/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 899/named
tcp 0 0 192.168.0.11:22 0.0.0.0:* LISTEN 5790/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1049/sendmail: acce
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 899/named
tcp 0 0 192.168.0.11:443 0.0.0.0:* LISTEN 7275/httpd