Unit - V LINUX Administration: Asmatullah Khan, CL/CP, Gioe, Secunderabad

Unit – V

LINUX Administration
Asmatullah Khan,
CL/CP, GIOE,
Secunderabad.
Contents
1. Discuss about Managing Users and Groups
2. Explain the process of Managing Printers and print job.
3. Explain Browsers in Linux
4. Explain about PPP and TCP/IP with Linux
5. Analyze the process of Configuring DHCP in LINUX
6. Describe Configuring DNS in LINUX.
7. Discuss Network Services, Proxies, Configuring Firewall.
8. Configuring internet access, sending mail
9. Configuring web server.
10. Describe Linux Security
11. Explain the process of Backup of data in Linux
Discuss about Managing Users and Groups

Since Linux is a multi-user operating system (in that it allows multiple users on different computers or terminals to access a single system), you will need to know how to perform effective user management:
- how to add,
- edit,
- suspend, or delete user accounts,
- along with granting them the necessary permissions to do their assigned tasks.
Managing Users and Groups

Adding User Accounts
- To add a new user account, you can run either of the following two commands as root.

# adduser [new_account]
# useradd [new_account]

- When a new user account is added to the system, the following operations are performed.
1. His/her home directory is created (/home/username by default).
2. The following hidden files are copied into the user's home directory, and will be used to provide environment variables for his/her user session.
   .bash_logout
   .bash_profile
   .bashrc
3. A mail spool is created for the user at /var/spool/mail/username.
4. A group is created and given the same name as the new user account.
Understanding /etc/passwd
- The full account information is stored in the /etc/passwd file.
- This file contains a record per system user account and has the following format (fields are delimited by a colon).

[username]:[x]:[UID]:[GID]:[Comment]:[Home directory]:[Default shell]

- Fields [username] and [Comment] are self explanatory.
- The x in the second field indicates that the account is protected by a shadowed password (in /etc/shadow), which is needed to log on as [username].
- The [UID] and [GID] fields are integers that represent the User IDentification and the primary Group IDentification to which [username] belongs, respectively.
- The [Home directory] indicates the absolute path to [username]'s home directory, and
- The [Default shell] is the shell that will be made available to this user when he or she logs in to the system.
Understanding /etc/group
- Group information is stored in the /etc/group file.
- Each record has the following format.

[Group name]:[Group password]:[GID]:[Group members]

- [Group name] is the name of the group.
- An x in [Group password] indicates group passwords are not being used.
- [GID]: same as in /etc/passwd.
- [Group members]: a comma separated list of users who are members of [Group name].
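The two record formats above are easy to parse, and once parsed they support the checks an administrator actually runs on a box: which groups a user belongs to (what `groups user1` prints), whether any account other than root has UID 0, and whether every second field is really `x`. The script below is an added example, not part of the original slides; the `SAMPLE_PASSWD` and `SAMPLE_GROUP` records are constructed here so it runs offline, and the `ops` account with UID 0 is deliberately planted so the check has something to flag.

```python
"""Parse /etc/passwd and /etc/group records and run a few account-hygiene checks.

Added example (not from the original slides). The two sample files below are
constructed so the script runs offline; feed it the real files to audit a host.
"""

# Constructed sample records in the colon-delimited formats described above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
user1:x:1000:1000:First User:/home/user1:/bin/bash
backup:x:1001:1001:Backup Operator:/home/backup:/bin/sh
ops:x:0:1002:Ops Account:/home/ops:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:user1
user1:x:1000:
backup:x:1001:
ops:x:1002:user1,backup
"""


def parse_passwd(text):
    """Return {username: record} from passwd-format text (7 colon-separated fields)."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid, gid, comment, home, shell = line.split(":", 6)
        users[name] = {"password": pw, "uid": int(uid), "gid": int(gid),
                       "comment": comment, "home": home, "shell": shell}
    return users


def parse_group(text):
    """Return {groupname: record} from group-format text (4 colon-separated fields)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, gid, members = line.split(":", 3)
        groups[name] = {"password": pw, "gid": int(gid),
                        "members": [m for m in members.split(",") if m]}
    return groups


def groups_of(username, users, groups):
    """Primary group (matched by GID) plus supplementary groups, like `groups user1`."""
    primary_gid = users[username]["gid"]
    return sorted(gname for gname, rec in groups.items()
                  if rec["gid"] == primary_gid or username in rec["members"])


def uid0_accounts(users):
    """Any account other than root with UID 0 is a second superuser: worth flagging."""
    return sorted(n for n, r in users.items() if r["uid"] == 0 and n != "root")


def unshadowed_accounts(users):
    """The second field should be 'x' (hash lives in /etc/shadow); anything else is suspicious."""
    return sorted(n for n, r in users.items() if r["password"] != "x")


if __name__ == "__main__":
    users, groups = parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP)
    print("user1 groups:", groups_of("user1", users, groups))
    print("extra UID 0 accounts:", uid0_accounts(users))
    print("unshadowed accounts:", unshadowed_accounts(users))
```

To run it against a live system, read `/etc/passwd` and `/etc/group` into the two parse functions instead of the sample strings; the checks need no root privileges because both files are world-readable.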
Modifying User Account
- After adding an account, you can edit the following information (to name a few fields) using the usermod command, whose basic syntax is as follows.

# usermod [options] [username]

- Setting the expiry date for an account
- Use the --expiredate flag followed by a date in YYYY-MM-DD format.

# usermod --expiredate 2018-10-30 user1

- Adding the user to supplementary groups
- Use the combined -aG, or --append --groups options, followed by a comma separated list of groups.

# usermod --append --groups root user1
- Changing the default location of the user's home directory
- Use the -d, or --home options, followed by the absolute path to the new home directory.

# usermod --home /tmp user1

- Changing the shell the user will use by default
- Use --shell, followed by the path to the new shell.

# usermod --shell /bin/sh user1

- Displaying the groups a user is a member of

# groups user1
# id user1

- Disabling account by locking password
- Use the -L (uppercase L) or the --lock option to lock a user's password.

# usermod --lock user1
- Unlocking user password
- Use the -U (uppercase U) or the --unlock option to unlock a user's password that was previously locked.

# usermod --unlock user1

- Deleting a group
- You can delete a group with the following command.

# groupdel [group_name]

- Deleting user accounts
- You can delete an account (along with its home directory, if it's owned by the user, and all the files residing therein, and also the mail spool) using the userdel command with the --remove option.

# userdel --remove [username]
Explain the process of Managing Printers and print job

Managing Printers and print job.

CUPS
- Most Linux distros use CUPS for printing.
- CUPS stands for Common Unix Printing System.
- There are different interfaces for CUPS, like command line tools, a web based interface and GUIs.
- CUPS is designed to simplify printing on various printers from different manufacturers.

CUPS web interface
- The general way to access the CUPS configuration and info page is going to the server's IP on port 631 from a browser.
- That will be localhost:631 or 127.0.0.1:631 from your browser.
- Important parts on this webpage are:
  - Jobs tab - to check the jobs CUPS is handling
  - Administration - for adding printers, managing jobs and configuring the CUPS server
  - Printers - shows the printers
- As soon as you push the Add Printer button, you will need to give the CUPS admin user password.
- Good news is that CUPS has most of the common printer drivers installed.
- You just need to choose the printer from the dropdown menu.
Configuration files
- As any other Linux program, CUPS saves its configuration in the /etc directory.

# ls /etc/cups
cups-browsed.conf interfaces raw.types
subscriptions.conf cupsd.conf ppd snmp.conf
subscriptions.conf.O cups-files.conf raw.convs ssl

- One important file is cupsd.conf; it is very easy to understand.
- For example the Listen localhost:631 line tells CUPS to listen on localhost port 631.
- All the printer data is saved at /etc/cups/printers.conf.
- The web interface or any other GUI is actually editing this file.
# Printer configuration file for CUPS v2.1.0
# Written by cupsd
# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
<DefaultPrinter Apple-Dot-Matrix>
UUID urn:uuid:0f6c2f2b-6338-388a-76de-09f2ef1994d5
Info Apple Dot Matrix
Location Fake Location
MakeModel Apple Dot Matrix Foomatic/appledmp (recommended)
DeviceURI ipp://fakeprinter/
State Idle
StateTime 1453402271
ConfigTime 1453402271
Type 8433668
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy retry-job
</DefaultPrinter>
- CUPS supports all the legacy command line printing programs:
  lpr  - print a file
  lpq  - show print queue/jobs
  lprm - remove a file from the printer queue
  lpc  - printer control / troubleshooting

lpq
- The q is for queue, therefore lpq shows the printer queue and is used when you want to see the jobs.
- If you use the -a switch, lpq will show the jobs of all printers.
- Alternatively you can use the -P switch to show the jobs of a specific printer. So the following command will show the jobs of a printer called Apple-Dot-Matrix:

# lpq -P Apple-Dot-Matrix

lpr
- This command is used to send a job to a printer.
- Again the printer is specified by -P.

lprm
- The rm is for remove, so lprm will remove jobs from the queue. You need to provide the Job ID to this command.
- lprm - will remove all the print jobs.

lpc
- Here, the c is for control. lpc lets you check the status (via lpc status) and troubleshoot your printers.
- In the status output:
  - queuing is enabled tells us that the queue can accept new print jobs. If the queue is disabled, you cannot even send new jobs to the printer.
  - printing is enabled means that the printer can actually print on paper. This will be in the disabled state if the printer is out of ink or paper or experiencing a paper jam.
Explain Browsers in Linux

Text-Based Browsers in Linux
- A text-based web browser is a web browser that renders only the text of web pages, and ignores graphic content.
- Usually, they render pages faster than graphical web browsers due to lowered bandwidth demands.
- Additionally, the greater CSS, JavaScript and typography functionality of graphical browsers requires more CPU resources.
- Text-based browsers are often very useful for users with visual impairment or partial blindness.
- They are especially useful with speech synthesis or text-to-speech software, which reads content to users.
- There are several other reasons why systems administrators use text-based web browsers such as
  - lynx,
  - links,
  - elinks, and
  - w3m.

REASONS TO USE TEXT-BASED WEB BROWSERS
- Graphical Browsers are Slow: Graphical browsers move slowly compared to text browsers.
- Essential in Server (GUI-less) Environments: Text browsers are essential for text-only systems without an X Window system present or active. This situation occurs when systems administrators work on a server without a GUI.
- They Consume Less Memory: Text browsers eat up less memory (RAM) than graphical browsers.
- Personal Preference: You may prefer the text-only reading experience offered through the terminal without the fancy images, videos, and web styling most Internet users love. Despite what online marketing professionals may declare, every person has their own preferences when it comes to the user experience.
- Search Advantages for Designers and Marketers: Text-based browsers provide insight for SEO and design professionals into how search engine robots crawl a website. See the speed at which a search engine crawls the site with remote access options such as telnet and ssh.
  - What does the robot read first?
  - How does it interpret the Header and Title tags, the main navigation, and view the text, image, or video content?
Text-Based Browsers in Linux - Lynx
- Lynx was developed in 1992 at the University of Kansas.
- It is the oldest web browser still in development.
- This makes it a valid option for older hardware unable to support newer graphical browsers.
- Here are a few benefits of Lynx:
  - Supports Gopher, HTTP, HTTPS, FTP, NNTP, and WAIS protocols
  - Supports SSL and HTML features
  - Eliminates privacy concerns since it does not support graphics and associated web bugs connected to track user info
  - Ability to disable cookie support
  - Keeps browser history and page caching
  - Compatible with numerous operating systems, including UNIX, Linux, Windows, and MacOS
- Despite Lynx's age and perseverance in a GUI-crazed world, the browser boasts a number of critics.
- This criticism stems from its inability to support HTTP cookies, JavaScript, CSS styling, and Adobe Flash.

Text-Based Browsers in Linux - Links
- Links is another option that is compatible with Linux, FreeBSD, Mac OS X, Windows, and DOS.
- Twibright Labs in the Czech Republic developed Links in 1999.
- Contrary to the lack of graphics support in Lynx, Links offers limited support for JavaScript, horizontal scrolling, and graphics.
- Supporters of Links developed forks called
  - Hacked Links and
  - ELinks.

Text-Based Browsers in Linux - ELinks
- ELinks originally referred to "Experimental", but now it is called "Extended" or "Enhanced".
- Petr Baudis developed a "patch-set on top of the original Links, known…as the -pb patches" that traces back to the start of ELinks development.
- According to the official ELinks web page, the web browser forked from the "original Links browser written by Mikulas Patocka" and is not "associated with Twibright Labs and their Links version".
- The browser is compatible with Linux, Mac OS X, OpenBSD, Solaris, NetBSD, CygWin, FreeBSD, GNU Hurd, and other operating systems.
- ELinks supports:
  - Tabbed browsing
  - Background downloads and queuing
  - HTTP and Proxy authentication
  - Various protocols for finger, HTTP, HTTPS, FTP, SMB, IPv4, IPv6, local files
  - Experimental support for Gopher, NNTP, and BitTorrent
  - Browser scripting for Perl, Ruby, Lua, and GNU Guile
  - Text editing, mouse work, and colored text
  - JavaScript
  - HTTP cookies

Text-Based Browsers in Linux - W3M
- W3m early development and initial release occurred in 1995.
- This browser is compatible with Linux, Windows (with Cygwin), and other operating systems.
- W3m supports
  - SSL,
  - colors,
  - inline images on specific terminal emulators,
  - certain CGI scripts, and
  - works within the Emacs text editor.
- The Emacs interface (emacs-w3m package) is an advantage for those users who find it convenient to browse directly in their text editor.
- W3m's main benefits are speed and a smaller package size to download and install.
Explain about PPP and TCP/IP with Linux

Point – to – Point Protocol (PPP)
- Point-to-point protocol (PPP) is a computer network protocol used to transfer a datagram between two directly connected (point-to-point) computers.
- It is the most common protocol for point-to-point access.
- This protocol is used for a very basic level of connectivity providing data linkage between the computers. Point-to-point protocol is widely used for the heavier and faster connections necessary for broadband communications.
- Point-to-point protocol is also known as RFC 1661.
- Services provided by PPP:
  - Defines format of frames.
  - Defines link establishment process.
  - Defines data exchange process.
  - Defines how network layer data are encapsulated in the Data Link Layer.
  - Defines authentication process between two devices.
- Services not provided by PPP:
  - Flow control.
  - Very simple mechanism for error control.
  - No addressing mechanism to handle frames in multipoint configuration.
Point – to – Point Protocol (PPP)
- Frame format of PPP:

  Flag | Address | Control | Protocol | Payload | FCS | Flag

- Flag: Indicates start and end of frame. Just like HDLC, but the HDLC flag is bit-oriented and the PPP flag field is byte-oriented.
- Address: is a constant value, 11111111 – Broadcast Address.
- Control: is a constant value 11000000. Not needed generally, as there is very limited error control.
- Protocol: defines what is carried in the data field – either user data or other info (info about data).
- Payload field: carries either user data or other data (actual data).
- FCS: Frame Check Sum.
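The FCS field is the part of the frame format that is easiest to get wrong, so here is the frame layout above carried through in code: build a frame with the flag, address, control, protocol, payload and FCS fields, and verify it on receipt. This is an added example, not from the original slides; it uses the 16-bit FCS defined in RFC 1662 (the standard PPP frame check), with the field byte values and the sample payload constructed here.

```python
"""Build and verify a PPP frame with the 16-bit FCS from RFC 1662.

Added example (not from the original slides). Field values are the standard
PPP constants; the payload bytes are constructed for the demonstration.
"""
import struct

FLAG = 0x7E            # frame delimiter
ADDRESS = 0xFF         # all-stations (broadcast) address, always constant in PPP
CONTROL = 0x03         # unnumbered information, always constant in PPP
PPP_IP = 0x0021        # protocol field value for an IPv4 datagram in the payload
FCS_GOOD = 0xF0B8      # residue left when the FCS is run over data + its own FCS


def fcs16(data, fcs=0xFFFF):
    """RFC 1662 FCS-16: reflected CRC-16, polynomial 0x8408, init 0xFFFF, final complement."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs ^ 0xFFFF


def build_frame(protocol, payload):
    """Flag | Address | Control | Protocol | Payload | FCS | Flag (no byte stuffing)."""
    body = bytes([ADDRESS, CONTROL]) + struct.pack(">H", protocol) + payload
    fcs = fcs16(body)
    # The FCS covers address..payload and is sent least-significant byte first.
    return bytes([FLAG]) + body + struct.pack("<H", fcs) + bytes([FLAG])


def verify_frame(frame):
    """True when both flags are present and the FCS is intact."""
    if len(frame) < 7 or frame[0] != FLAG or frame[-1] != FLAG:
        return False
    body_and_fcs = frame[1:-1]
    # Running the CRC over data plus its FCS leaves a fixed residue (0xF0B8);
    # undo the final complement to compare against the raw register value.
    return (fcs16(body_and_fcs) ^ 0xFFFF) == FCS_GOOD


if __name__ == "__main__":
    frame = build_frame(PPP_IP, b"\x45\x00\x00\x14")   # constructed IPv4 header fragment
    print(frame.hex(), verify_frame(frame))
    damaged = bytearray(frame)
    damaged[5] ^= 0x01                                  # flip one payload bit
    print("after one-bit error:", verify_frame(bytes(damaged)))
```

The same algorithm is catalogued as CRC-16/X-25, whose published check value for the ASCII string `123456789` is 0x906E; that constant is a quick way to confirm an implementation before trusting it on real frames. Byte stuffing of 0x7E and 0x7D inside the payload is left out here because the slide does not cover it.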
Point – to – Point Protocol (PPP)
- Transition Phases of PPP:
  - Dead Phase: Link is not used.
  - Establish Phase: When one of the nodes starts communication. Carrier is detected.
  - Authenticate Phase: Optional phase for authenticating connection-oriented communication.
  - Network Phase: In this phase negotiation for network layer protocols happens.
  - Open Phase: Actual data transfer takes place. Exchange of data packets.
  - Terminate Phase: Connection is terminated. And when carrier is dropped it moves back to the dead phase.

[State diagram: Dead --(carrier detected)--> Establish --(both sides agree)--> Authenticate --(authentication successful)--> Network --(network layer configuration)--> Open --(done)--> Terminate --(carrier dropped)--> Dead; a failure in the Establish or Authenticate phase leads to Terminate.]
Point – to – Point Protocol (PPP)
- PPP Stack:
  - Link Control Protocol (LCP):
    - Establishment between links.
    - Maintain links
    - Configure links
    - Terminate links
  - Authentication Protocol
    - Password Authentication Protocol (PAP)
    - Challenge Handshake Authentication Protocol (CHAP)
  - Network Control Protocol (NCP)
    - Connection to network layer
    - Encapsulation of data coming from the network layer into the PPP frame.
Linux TCP/IP
- Linux supports a full implementation of the TCP/IP (Transport Control Protocol/Internet Protocol) networking protocols.
- TCP/IP has become the most successful mechanism for networking computers worldwide.
- With Linux and an Ethernet card, you can network your machine to a local area network, or (with the proper network connections) to the Internet, the worldwide TCP/IP network.
- The current implementation of TCP/IP and related protocols for Linux is called "NET-3".
- Linux NET-3 also supports SLIP (Serial Line Internet Protocol) and PPP (Point-to-Point Protocol).
- SLIP and PPP allow you to have dialup Internet access using a modem.
- If your business or university provides SLIP or PPP access, you can dial in to the SLIP or PPP server and put your machine on the Internet over the phone line.
- Alternately, if your Linux machine also has Ethernet access to the Internet, you can set up your Linux box as a SLIP or PPP server.
Analyze the process of Configuring DHCP in LINUX

Configuring DHCP in LINUX
- Linux DHCP Server (DHCP stands for Dynamic Host Configuration Protocol) is used to provide IP addresses to client computers dynamically or automatically.
- The port number of the DHCP Server is 67 and the port number of the DHCP Client is 68.
- How does the DHCP Server work? OR What is the DORA process?
1. When a new system is connected to the network, as a first step it searches for a DHCP Server in the network. Since it currently does not have any IP address, the system sends a DHCP Discover message to all devices which are connected to the network. This process is called broadcasting.
2. When the DHCP Server receives the DHCP Discover message from the client computer, the DHCP Server offers and broadcasts an IP address (e.g. 192.168.1.3) to all connected devices.
3. Now when the client computer receives the IP address, it broadcasts a request on the network that it accepts the IP address.
4. Then the DHCP Server acknowledges the IP address, and now the client computer can use the IP address. This is how the Linux DHCP Server works. This whole process is called DORA (Discover, Offer, Request, Acknowledgement).
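The four DORA steps are easier to follow with the actual message bytes in view. The script below is an added example (not from the original slides): it encodes and decodes DHCP messages in the RFC 2131 layout (236-byte header, magic cookie, type/length/value options) and walks a client and a tiny in-process server through Discover, Offer, Request and Ack without opening any sockets. The pool 192.168.0.2 to 192.168.0.240 and the server address 192.168.0.100 are the constructed values used later in these slides; the client MAC addresses and the transaction id are constructed too.

```python
"""Simulate the DORA exchange using real DHCP message layouts (RFC 2131).

Added example (not from the original slides). Client and server are in-process
functions; no sockets are opened. Pool, server IP, MACs and xid are constructed.
"""
import ipaddress
import struct

HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP/DHCP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID = 50, 51, 53, 54


def build_message(op, xid, mac, options, yiaddr="0.0.0.0"):
    """Header + magic cookie + TLV options + end marker (0xff)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    zero4 = b"\x00" * 4
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000,   # flags: broadcast
                         zero4, ipaddress.IPv4Address(yiaddr).packed, zero4, zero4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + b"\xff"


def parse_message(data):
    """Decode the fields the exchange needs: op, xid, yiaddr, client MAC, options."""
    f = struct.unpack(HEADER_FMT, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(data) and data[i] != 0xFF:
        if data[i] == 0:                      # pad option, single byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "mac": ":".join(f"{b:02x}" for b in f[11][:6]),
            "options": opts}


class DhcpServer:
    """Minimal server state: a free pool, outstanding offers, confirmed leases."""

    def __init__(self, pool_start="192.168.0.2", pool_end="192.168.0.240",
                 server_ip="192.168.0.100", lease_seconds=600):
        lo, hi = int(ipaddress.IPv4Address(pool_start)), int(ipaddress.IPv4Address(pool_end))
        self.free = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
        self.free.remove(server_ip)           # never hand out the server's own address
        self.server_ip, self.lease_seconds = server_ip, lease_seconds
        self.offers, self.leases = {}, {}

    def _reply(self, xid, mac, kind, ip):
        options = [(OPT_MSG_TYPE, bytes([kind])),
                   (OPT_SERVER_ID, ipaddress.IPv4Address(self.server_ip).packed),
                   (OPT_LEASE_TIME, struct.pack("!I", self.lease_seconds))]
        return build_message(BOOTREPLY, xid, mac, options, yiaddr=ip)

    def handle(self, data):
        msg = parse_message(data)
        kind, mac = msg["options"][OPT_MSG_TYPE][0], msg["mac"]
        if kind == DISCOVER:
            # Re-offer an address this MAC already holds; otherwise take one from the pool.
            ip = self.offers.get(mac) or self.leases.get(mac) or self.free.pop(0)
            self.offers[mac] = ip
            return self._reply(msg["xid"], mac, OFFER, ip)
        if kind == REQUEST:
            wanted = str(ipaddress.IPv4Address(msg["options"][OPT_REQUESTED_IP]))
            chosen = str(ipaddress.IPv4Address(msg["options"][OPT_SERVER_ID]))
            # ACK only what we offered, and only if the client picked this server.
            if chosen != self.server_ip or self.offers.get(mac) != wanted:
                return self._reply(msg["xid"], mac, NAK, "0.0.0.0")
            self.leases[mac] = self.offers.pop(mac)
            return self._reply(msg["xid"], mac, ACK, wanted)
        raise ValueError(f"unexpected message type {kind}")


def run_dora(server, mac, xid=0x3903F326):
    """Client side: Discover -> Offer -> Request -> Ack. Returns the ACKed IP or None."""
    discover = build_message(BOOTREQUEST, xid, mac, [(OPT_MSG_TYPE, bytes([DISCOVER]))])
    offer = parse_message(server.handle(discover))
    request = build_message(BOOTREQUEST, xid, mac, [
        (OPT_MSG_TYPE, bytes([REQUEST])),
        (OPT_REQUESTED_IP, ipaddress.IPv4Address(offer["yiaddr"]).packed),
        (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID])])
    ack = parse_message(server.handle(request))
    return ack["yiaddr"] if ack["options"][OPT_MSG_TYPE][0] == ACK else None


if __name__ == "__main__":
    server = DhcpServer()
    print(run_dora(server, "00:0c:29:f7:be:27"))   # first client gets the first pool address
    print(run_dora(server, "00:0c:29:aa:bb:cc"))   # second client gets the next one
```

Two details are worth noticing: the client's Request carries option 54 (server identifier), which is how a client commits to one server when several answered its Discover, and the server answers with a NAK rather than an ACK when the requested address is not the one it offered. A real server would also expire leases and check for address conflicts before offering; that is left out here.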
STEP BY STEP LINUX DHCP SERVER CONFIGURATION IN REDHAT/CENTOS/FEDORA

Important Parameters of Linux DHCP Server
- option domain-name : Mention the domain name, e.g. elinuxbook.com
- option domain-name-servers : Mention the DNS servers, e.g. 192.168.0.100, 192.168.0.101 (Note : you can also mention the FQDN)
- default-lease-time : The default time in seconds for which the DHCP Server will assign an IP to a client computer.
- max-lease-time : The maximum time in seconds for which the DHCP Server will assign an IP to a client computer.
- subnet : Mention the subnet IP address, e.g. 192.168.0.0
- netmask : Mention the subnet mask, e.g. 255.255.255.0
- range : Mention the IP range which will be dynamically assigned by the Linux DHCP Server to client computers, e.g. 192.168.0.2 to 192.168.0.240
- option routers : Mention the gateway IP address, e.g. 192.168.0.1
- option broadcast-address : Mention your broadcast address, e.g. 192.168.0.255
- hardware ethernet : Mention your MAC address or physical address, e.g. 00:0C:29:F7:BE:27
- option host-name : Your system's hostname or computer name, e.g. dhcpserver

DHCP Server Details :
Server Name : dhcpserver
IP Address : 192.168.0.100
MAC Address :

DHCP Client Details :
Hostname : Client1
MAC Address :
Step : 1 Prepare your Server before DHCP Server Configuration
- Before we start configuration of the DHCP Server, first we need to prepare our server for that.
- First assign a static IP address to your server. Refer to the command below.
- Give a proper hostname to your server. Here my server's hostname is dhcpserver.

Step : 2 Install Required Packages
- Install required packages and dependencies for Linux DHCP Server.

[root@localhost ~]# yum -y install dhcp* # Install Linux DHCP Server Package

Loaded plugins: fastestmirror, refresh-packagekit, security


Loading mirror speeds from cached hostfile
* base: centos.excellmedia.net
* extras: mirror.fibergrid.in
* updates: mirrors.aluhost.com
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package dhcp.x86_64 12:4.1.1-53.P1.el6.centos will be installed
---> Package dhcp-common.x86_64 12:4.1.1-38.P1.el6.centos will be updated
--> Processing Dependency: dhcp-common = 12:4.1.1-38.P1.el6.centos for package: 12:dhclient-4.1.1-38.P1.el6.centos.x86_64 ---> Package dhcp-common.x86_64 12:4.1.1-
53.P1.el6.centos will be an update ---> Package dhcp-devel.x86_64 12:4.1.1-53.P1.el6.centos will be installed --> Running transaction check ---> Package dhclient.x86_64 12:4.1.1-
38.P1.el6.centos will be updated ---> Package dhclient.x86_64 12:4.1.1-53.P1.el6.centos will be an update --> Finished Dependency Resolution Dependencies Resolved
============================================================================================================================= ==================
=============== Package Arch Version Repository Size
============================================================================================================================= ==================
=============== Installing: dhcp x86_64 12:4.1.1-53.P1.el6.centos base 823 k dhcp-devel x86_64 12:4.1.1-53.P1.el6.centos base 158 k Updating: dhcp-common x86_64 12:4.1.1-
53.P1.el6.centos base 144 k Updating for dependencies: dhclient x86_64 12:4.1.1-53.P1.el6.centos base 322 k Transaction Summary
============================================================================================================================= ==================
=============== Install 2 Package(s) Upgrade 2 Package(s) Total download size: 1.4 M Downloading Packages: (1/4): dhclient-4.1.1-53.P1.el6.centos.x86_64.rpm | 322 kB 00:00 (2/4):
dhcp-4.1.1-53.P1.el6.centos.x86_64.rpm | 823 kB 00:00 (3/4): dhcp-common-4.1.1-53.P1.el6.centos.x86_64.rpm | 144 kB 00:00 (4/4): dhcp-devel-4.1.1-53.P1.el6.centos.x86_64.rpm | 158 kB
00:00 -------------------------------------------------------------------------------------------------------------------------------------------------------------- Total 954 kB/s | 1.4 MB 00:01 warning: rpmts_HdrFromFdno:
Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 Importing GPG key 0xC105B9DE: Userid : CentOS-6 Key
(CentOS 6 Official Signing Key) <centos-6-key@centos.org> Package: centos-release-6-5.el6.centos.11.1.x86_64 (@anaconda-CentOS-201311272149.x86_64/6.5) From : /etc/pki/rpm-
gpg/RPM-GPG-KEY-CentOS-6 Running rpm_check_debug Running Transaction Test Transaction Test Succeeded Running Transaction Updating : 12:dhcp-common-4.1.1-
53.P1.el6.centos.x86_64 1/6 Installing : 12:dhcp-4.1.1-53.P1.el6.centos.x86_64 2/6 Installing : 12:dhcp-devel-4.1.1-53.P1.el6.centos.x86_64 3/6 Updating : 12:dhclient-4.1.1-
53.P1.el6.centos.x86_64 4/6 Cleanup : 12:dhclient-4.1.1-38.P1.el6.centos.x86_64 5/6 Cleanup : 12:dhcp-common-4.1.1-38.P1.el6.centos.x86_64 6/6 Verifying : 12:dhcp-common-4.1.1-
53.P1.el6.centos.x86_64 1/6 Verifying : 12:dhcp-devel-4.1.1-53.P1.el6.centos.x86_64 2/6 Verifying : 12:dhcp-4.1.1-53.P1.el6.centos.x86_64 3/6 Verifying : 12:dhclient-4.1.1-
53.P1.el6.centos.x86_64 4/6 Verifying : 12:dhcp-common-4.1.1-38.P1.el6.centos.x86_64 5/6 Verifying : 12:dhclient-4.1.1-38.P1.el6.centos.x86_64 6/6 Installed: dhcp.x86_64 12:4.1.1-
53.P1.el6.centos dhcp-devel.x86_64 12:4.1.1-53.P1.el6.centos Updated: dhcp-common.x86_64 12:4.1.1-53.P1.el6.centos Dependency Updated: dhclient.x86_64 12:4.1.1-53.P1.el6.centos
Complete!
Step : 2 Install Required Packages cont…
- You can confirm if packages are properly installed or not by using the command below.

[root@localhost ~]# rpm -qa | grep dhcp # Confirm the Installed DHCP Server Package
dhcp-4.1.1-53.P1.el6.centos.x86_64
dhcp-common-4.1.1-53.P1.el6.centos.x86_64
dhcp-devel-4.1.1-53.P1.el6.centos.x86_64

- After installation let's check what the installation directory of Linux DHCP Server is and the path of all configuration files. We can do so using the command below.

[root@localhost ~]# rpm -ql dhcp # Check the Path of Installation Directories and Configuration Files
/etc/dhcp # Installation Directory
/etc/dhcp/dhcpd.conf # Main Configuration file of DHCP Server
/etc/dhcp/dhcpd6.conf
/etc/openldap/schema/dhcp.schema
/etc/portreserve/dhcpd
/etc/rc.d/init.d/dhcpd
/etc/rc.d/init.d/dhcpd6
/etc/rc.d/init.d/dhcrelay
/etc/rc.d/init.d/dhcrelay6
/etc/sysconfig/dhcpd
/etc/sysconfig/dhcpd6
/etc/sysconfig/dhcrelay
/etc/sysconfig/dhcrelay6
/usr/bin/omshell
/usr/sbin/dhcpd # Binary Files
/usr/sbin/dhcrelay
/usr/share/doc/dhcp-4.1.1
/usr/share/doc/dhcp-4.1.1/3.0b1-lease-convert
/usr/share/doc/dhcp-4.1.1/IANA-arp-parameters
/usr/share/doc/dhcp-4.1.1/README.ldap
/usr/share/doc/dhcp-4.1.1/api+protocol
/usr/share/doc/dhcp-4.1.1/dhclient-tz-exithook.sh
/usr/share/doc/dhcp-4.1.1/dhcpd-conf-to-ldap
/usr/share/doc/dhcp-4.1.1/dhcpd.conf.sample
/usr/share/doc/dhcp-4.1.1/dhcpd6.conf.sample
/usr/share/doc/dhcp-4.1.1/draft-ietf-dhc-ldap-schema-01.txt
/usr/share/doc/dhcp-4.1.1/ms2isc
/usr/share/doc/dhcp-4.1.1/ms2isc/Registry.perlmodule
/usr/share/doc/dhcp-4.1.1/ms2isc/ms2isc.pl
/usr/share/doc/dhcp-4.1.1/ms2isc/readme.txt
/usr/share/doc/dhcp-4.1.1/sethostname.sh
/usr/share/doc/dhcp-4.1.1/solaris.init
/usr/share/man/man1/omshell.1.gz
/usr/share/man/man5/dhcpd.conf.5.gz
/usr/share/man/man5/dhcpd.leases.5.gz
/usr/share/man/man8/dhcpd.8.gz
/usr/share/man/man8/dhcrelay.8.gz
/var/lib/dhcpd
/var/lib/dhcpd/dhcpd.leases # Linux DHCP Server Lease File
/var/lib/dhcpd/dhcpd6.leases

- So the installation directory of DHCP Server is /etc/dhcp and the main configuration file of Linux DHCP Server is dhcpd.conf. By default the dhcpd.conf file would look like as shown below.

[root@localhost ~]# cat /etc/dhcp/dhcpd.conf
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.sample
# see 'man 5 dhcpd.conf'
Step : 3 Prepare the Configuration File
- So let's go ahead and copy the dhcpd.conf.sample file as dhcpd.conf. The system will ask to overwrite, as we already have a dhcpd.conf file at /etc/dhcp. So just enter yes and press Enter to continue the copy.

[root@localhost ~]# cp /usr/share/doc/dhcp-4.1.1/dhcpd.conf.sample /etc/dhcp/dhcpd.conf
cp: overwrite `/etc/dhcp/dhcpd.conf'? yes

Step : 4 Configure the Linux DHCP Server
- Now let's go ahead and configure the Linux DHCP Server. Just edit the /etc/dhcp/dhcpd.conf file using your preferred text editor. The configurations shown below are global variables and will apply to all subnets we declare in the dhcpd.conf file. So just edit the configuration file and make changes as per your scenario.
Step : 4 Configure the Linux DHCP Server cont…
- Then declare a subnet as per your network scenario. Here I am taking IP addresses starting from 192.168.0 and subnet mask 255.255.255.0.
- Sample Output :
- Where :
- Range is for the allowed IP address range, i.e. 192.168.0.5 to 192.168.0.240. The DHCP Server will assign IP addresses to client computers within this range. And other settings are common like Domain Name, Router Address i.e. Gateway Address, DNS Servers and so on.
- After all required changes in the dhcpd.conf configuration file, start the Linux dhcp server service using the command below.
- Configure the DHCP service to start at system startup.
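Before starting the service it pays to check that the values in dhcpd.conf agree with each other: the range must lie inside the declared subnet, the gateway must not sit inside the dynamic range, and no two host blocks may claim the same MAC. The script below is an added example, not part of the original slides or of ISC dhcpd. `SAMPLE_CONF` is a constructed dhcpd.conf built from the parameter values listed earlier (domain elinuxbook.com, subnet 192.168.0.0/24, range 192.168.0.5 to 192.168.0.240, router 192.168.0.1); the `fixed-address` statement in the host block is a standard ISC dhcpd statement that the slides do not list, included here to show the reservation check. The parser assumes the flat layout shown (no pool or group blocks nested inside a subnet).

```python
"""Parse the key dhcpd.conf statements and sanity-check them before starting dhcpd.

Added example (not from the original slides). SAMPLE_CONF is constructed from
the slides' parameter values; fixed-address is an extra (standard) statement
assumed here. dhcpd itself is not run, and nested pool/group blocks are not handled.
"""
import ipaddress
import re

SAMPLE_CONF = """\
option domain-name "elinuxbook.com";
option domain-name-servers 192.168.0.100, 192.168.0.101;
default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.5 192.168.0.240;
    option routers 192.168.0.1;
    option broadcast-address 192.168.0.255;
}

host client1 {
    hardware ethernet 00:0C:29:F7:BE:27;
    fixed-address 192.168.0.250;
    option host-name "client1";
}
"""


def _int_stmt(text, key):
    m = re.search(rf"^\s*{key}\s+(\d+);", text, re.M)
    return int(m.group(1)) if m else None


def parse_conf(text):
    """Pull out lease times, subnet blocks and host reservations."""
    text = re.sub(r"#.*", "", text)                       # strip comments
    conf = {"default_lease": _int_stmt(text, "default-lease-time"),
            "max_lease": _int_stmt(text, "max-lease-time"),
            "subnets": [], "hosts": []}
    for m in re.finditer(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", text, re.S):
        body = m.group(3)
        rng = re.search(r"range\s+(\S+)\s+(\S+);", body)
        rtr = re.search(r"option routers\s+(\S+);", body)
        conf["subnets"].append({
            "network": ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
            "range": (ipaddress.ip_address(rng.group(1)),
                      ipaddress.ip_address(rng.group(2))) if rng else None,
            "router": ipaddress.ip_address(rtr.group(1)) if rtr else None})
    for m in re.finditer(r"host\s+(\S+)\s*\{(.*?)\}", text, re.S):
        body = m.group(2)
        mac = re.search(r"hardware ethernet\s+([0-9A-Fa-f:]+);", body)
        fixed = re.search(r"fixed-address\s+(\S+);", body)
        conf["hosts"].append({"name": m.group(1),
                              "mac": mac.group(1).lower() if mac else None,
                              "fixed": ipaddress.ip_address(fixed.group(1)) if fixed else None})
    return conf


def check_conf(conf):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if conf["default_lease"] and conf["max_lease"] and conf["default_lease"] > conf["max_lease"]:
        problems.append("default-lease-time exceeds max-lease-time")
    for s in conf["subnets"]:
        net, rng, rtr = s["network"], s["range"], s["router"]
        if rng is None:
            problems.append(f"subnet {net} has no range")
            continue
        lo, hi = rng
        if lo > hi:
            problems.append(f"range {lo}-{hi} is reversed")
        if lo not in net or hi not in net:
            problems.append(f"range {lo}-{hi} is not inside subnet {net}")
        if rtr is not None and rtr not in net:
            problems.append(f"router {rtr} is not inside subnet {net}")
        if rtr is not None and lo <= rtr <= hi:
            problems.append(f"router {rtr} lies inside the dynamic range")
        for h in conf["hosts"]:
            if h["fixed"] is not None and lo <= h["fixed"] <= hi:
                problems.append(f"host {h['name']} fixed-address {h['fixed']} lies inside the dynamic range")
    macs = [h["mac"] for h in conf["hosts"] if h["mac"]]
    if len(macs) != len(set(macs)):
        problems.append("duplicate hardware ethernet address across host blocks")
    return problems


if __name__ == "__main__":
    print(check_conf(parse_conf(SAMPLE_CONF)))   # [] for the constructed config
```

This complements, rather than replaces, dhcpd's own syntax check (`dhcpd -t`): that command catches malformed statements, whereas the checks here catch values that are syntactically fine but will hand out conflicting addresses.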
Step : 5 DHCP Client Side Configuration
- Configure the Ethernet connection from the client side to get an IP from the DHCP Server. To do so just edit the ifcfg-ethX file and set BOOTPROTO=dhcp. Refer to the sample output below.
- Note : Replace X with your Ethernet connection number.

[root@client1 ~]# nano /etc/sysconfig/network-scripts/ifcfg-eth1 # Configure Ethernet Connection
HWADDR=00:0C:29:F7:BE:27
TYPE=Ethernet
BOOTPROTO=dhcp
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="eth1"
UUID=51af58db-2b74-4b31-9016-2e8682cafcb4
ONBOOT=yes
LAST_CONNECT=1495972689

- Then restart the Network service using the command below.

[root@dhcpserver ~]# /etc/init.d/network restart # Restart the Network Service
Step : 6 DHCP Client Side IP Address confirmation
- Once you restart the Network Service, the system will get an IP address from the Linux DHCP Server. To confirm the same we can use the ifconfig command to check the IP address. Refer to the command below.

[root@client1 ~]# ifconfig eth1
eth1      Link encap:Ethernet HWaddr 00:0C:29:F7:BE:27
          inet addr:192.168.0.5 Bcast:192.168.0.255 Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fef7:be27/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:39 errors:0 dropped:0 overruns:0 frame:0
          TX packets:121 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5184 (5.0 KiB) TX bytes:7917 (7.7 KiB)

- Once the client gets an IP address from the DHCP Server, you can see all the client information like the assigned IP address, MAC address and client computer name in /var/lib/dhcpd/dhcpd.leases on the server. Note : IP address lease information is stored in the /var/lib/dhcpd/dhcpd.leases file. By default it comes with the DHCP Server package installation, but if it is not there then you have to create it manually, otherwise you will be unable to start the DHCP service.

[root@dhcpserver ~]# cat /var/lib/dhcpd/dhcpd.leases # Checking the dhcpd.leases file
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.1.1-P1

server-duid "\000\001\000\001 \275v\261\000\014)Aj\256";

lease 192.168.0.5 {
  starts 0 2017/05/28 12:02:32;
  ends 0 2017/05/28 12:12:32;
  cltt 0 2017/05/28 12:02:32;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:29:f7:be:27;
  client-hostname "client1";
}
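The lease file is the record an administrator turns to when asking "which machine had this address at that time?", so it is worth being able to read it programmatically. The script below is an added example, not from the original slides: it parses lease blocks in the format shown above and reports the ones active at a given instant. `SAMPLE_LEASES` is constructed; its first entry repeats the slide's lease for 192.168.0.5 and the second (192.168.0.6, already expired and in state free) is invented so the filter has something to drop. Timestamps in dhcpd.leases are UTC, and a later block for the same IP supersedes an earlier one, which the parser honours by keeping the last block seen.

```python
"""Parse dhcpd.leases and report which leases are active at a given time.

Added example (not from the original slides). SAMPLE_LEASES is constructed in
the format shown above; the 192.168.0.6 entry is invented. Times are UTC.
"""
import re
from datetime import datetime, timezone

SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.1.1-P1

lease 192.168.0.5 {
  starts 0 2017/05/28 12:02:32;
  ends 0 2017/05/28 12:12:32;
  cltt 0 2017/05/28 12:02:32;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:29:f7:be:27;
  client-hostname "client1";
}
lease 192.168.0.6 {
  starts 0 2017/05/28 11:00:00;
  ends 0 2017/05/28 11:10:00;
  binding state free;
  hardware ethernet 00:0c:29:aa:bb:cc;
}
"""

BLOCK_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def _parse_time(body, key):
    # Lines look like "starts 0 2017/05/28 12:02:32;"; the weekday digit is ignored.
    m = re.search(rf"^\s*{key}\s+\d\s+(\S+ \S+);", body, re.M)
    return datetime.strptime(m.group(1), TIME_FMT).replace(tzinfo=timezone.utc) if m else None


def parse_leases(text):
    """Return {ip: lease}. Later blocks for the same IP override earlier ones."""
    leases = {}
    for m in BLOCK_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        # "^\s*binding state" deliberately skips the "next binding state" line.
        state = re.search(r"^\s*binding state\s+(\w+);", body, re.M)
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        leases[ip] = {"ip": ip,
                      "starts": _parse_time(body, "starts"),
                      "ends": _parse_time(body, "ends"),
                      "state": state.group(1) if state else None,
                      "mac": mac.group(1).lower() if mac else None,
                      "hostname": host.group(1) if host else None}
    return leases


def active_leases(text, now):
    """Leases in binding state 'active' whose window contains `now` (a UTC 'YYYY/MM/DD HH:MM:SS' string)."""
    at = datetime.strptime(now, TIME_FMT).replace(tzinfo=timezone.utc)
    return [l for l in parse_leases(text).values()
            if l["state"] == "active" and l["starts"] and l["ends"] and l["starts"] <= at < l["ends"]]


def lease_for_mac(text, mac):
    """All IPs the file currently associates with one MAC (normally zero or one)."""
    mac = mac.lower()
    return sorted(l["ip"] for l in parse_leases(text).values() if l["mac"] == mac)


if __name__ == "__main__":
    for lease in active_leases(SAMPLE_LEASES, "2017/05/28 12:05:00"):
        print(lease["ip"], lease["mac"], lease["hostname"])
```

For a real file, pass the contents of /var/lib/dhcpd/dhcpd.leases and the timestamp of interest; dhcpd appends to the file continuously and rewrites it periodically, so reading a copy rather than the live file avoids racing the daemon.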
Describe Configuring DNS in LINUX

Configuring DNS in LINUX
- DNS, which stands for Domain Name System, translates hostnames or URLs into IP addresses.
- Domain Name Service (DNS) is an internet service that maps IP addresses to fully qualified domain names (FQDN) and vice versa.
- BIND is the most common program used for maintaining a name server on Linux.
- BIND stands for Berkeley Internet Naming Daemon.
- For example, if we type www.unixmen.com in the browser, the DNS server translates the domain name into its associated IP address.
- Since IP addresses are hard to remember all the time, DNS servers are used to translate hostnames like www.unixmen.com to 173.xxx.xx.xxx. So it makes it easy to remember domain names instead of IP addresses.
- For the Linux DNS installation scenario we will be using three nodes.
  - One will be acting as Master DNS server,
  - the second system will be acting as Secondary DNS, and
  - the third will be our DNS client. Here are the three systems' details.

Primary (Master) DNS Server Details:
Operating System : CentOS 7 minimal server
Hostname : masterdns.unixmen.local
IP Address : 192.168.1.101/24

Secondary (Slave) DNS Server Details:
Operating System : CentOS 7 minimal server
Hostname : secondarydns.unixmen.local
IP Address : 192.168.1.102/24

Client Details:
Operating System : CentOS 6.5 Desktop
Hostname : client.unixmen.local
IP Address : 192.168.1.103/24
Configuring DNS in LINUX - Setup Primary (Master) DNS Server
- Install bind9 packages on your server.

yum install bind bind-utils -y

Step 1: Configure DNS Server
- Edit the '/etc/named.conf' file.

vi /etc/named.conf

- Add the lines as shown in bold (marked with ### comments in the listing below):
/*
- If you are building an AUTHORITATIVE
// DNS server, do NOT enable recursion. logging {
// named.conf - If you are building a RECURSIVE channel default_debug {
// (caching) DNS server, you need to enable file
// Provided by Red Hat bind package to recursion. "data/named.run";
configure the ISC BIND named(8) DNS - If your recursive DNS server has a severity dynamic;
// server as a caching only nameserver (as a public IP address, you MUST enable access };
localhost DNS resolver only). control to limit queries to your legitimate };
// users. Failing to do so will cause
// See /usr/share/doc/bind*/sample/ for your server to become part of large scale DNS zone "." IN {
example named configuration files. amplification attacks. Implementing BCP38 type hint;
// within your network would greatly reduce such file "named.ca";
options { attack surface };
listen-on port 53 { 127.0.0.1; */
192.168.1.101;}; ### Master DNS IP ### recursion yes; zone "unixmen.local" IN {
# listen-on-v6 port 53 { ::1; }; type master;
directory "/var/named"; dnssec-enable yes; file "forward.unixmen";
dump- dnssec-validation yes; allow-update { none; };
file "/var/named/data/cache_dump.db"; dnssec-lookaside auto; };
statistics-file
"/var/named/data/named_stats.txt"; /* Path to ISC DLV key */ zone "1.168.192.in-addr.arpa" IN {
memstatistics-file bindkeys-file "/etc/named.iscdlv.key"; type master;
"/var/named/data/named_mem_stats.txt"; file "reverse.unixmen";
allow-query { localhost; managed-keys-directory allow-update { none; };
192.168.1.0/24;}; ### IP Range ### "/var/named/dynamic"; };
allow-transfer{ localhost;
192.168.1.102; }; ### Slave DNS IP ### pid-file "/run/named/named.pid"; include
session-keyfile "/run/named/session.key"; "/etc/named.rfc1912.zones";
}; include "/etc/named.root.key";
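The comment block inside options is the security-relevant part of this file: recursion reachable from any host turns the server into an open resolver usable for amplification, and an unrestricted allow-transfer hands the zone contents to anyone. The checker below is an added example (not part of the tutorial and not BIND's own code) that parses these settings out of a named.conf and flags the weak combinations, comparing the tutorial's options with a constructed weak variant. Its handling of missing settings assumes the BIND 9 defaults (allow-recursion falls back to allow-query-cache, then allow-query, then localnets/localhost; allow-transfer defaults to any).

```python
"""Audit access control in a BIND named.conf options block.

Added example, not part of the tutorial and not BIND's own code. Checks the
settings the stock named.conf comment warns about: recursion reachable from
anywhere (open resolver, usable in DNS amplification) and an unrestricted
allow-transfer (zone contents readable by anyone).
"""
import re

# Options block as written in the tutorial (long comment shortened).
TUTORIAL_CONF = """
options {
        listen-on port 53 { 127.0.0.1; 192.168.1.101; }; ### Master DNS IP ###
#       listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-query     { localhost; 192.168.1.0/24; }; ### IP Range ###
        allow-transfer  { localhost; 192.168.1.102; }; ### Slave DNS IP ###
        /* If your recursive DNS server has a public IP address, you MUST
           enable access control to limit queries to your legitimate users. */
        recursion yes;
        dnssec-validation yes;
};
zone "unixmen.local" IN { type master; file "forward.unixmen"; };
"""

# Constructed weak variant: the same server with the restrictions removed.
WEAK_CONF = """
options {
        listen-on port 53 { any; };
        directory "/var/named";
        allow-query { any; };
        recursion yes;
};
"""


def strip_comments(text):
    """Drop /* */, // and # comments so they cannot hide or mimic settings."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_body(text, keyword):
    """Return the text between the braces of `keyword { ... };`, counting
    nested braces so inner lists such as listen-on { ...; } are skipped."""
    start = re.search(r"\b" + re.escape(keyword) + r"\s*\{", text)
    if start is None:
        return None
    depth = 0
    for pos in range(start.end() - 1, len(text)):
        if text[pos] == "{":
            depth += 1
        elif text[pos] == "}":
            depth -= 1
            if depth == 0:
                return text[start.end():pos]
    raise ValueError(f"unbalanced braces after {keyword}")


def address_list(body, option):
    """Parse `option { a; b; };` into ['a', 'b']; None if the option is absent."""
    match = re.search(r"\b" + re.escape(option) + r"\s*\{([^}]*)\}", body)
    if match is None:
        return None
    return [item.strip() for item in match.group(1).split(";") if item.strip()]


def is_unrestricted(acl):
    """An address-match list that lets every host through."""
    return any(item in ("any", "0.0.0.0/0", "::/0") for item in acl)


def audit_named_conf(conf):
    """Return a list of findings; an empty list means the checks passed."""
    body = block_body(strip_comments(conf), "options")
    if body is None:
        return ["no options block found"]
    findings = []
    match = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    recursion_on = match.group(1) == "yes" if match else True  # BIND default: yes
    # Assumed BIND 9 default chain: allow-recursion -> allow-query-cache
    # -> allow-query -> localnets; localhost.
    recursion_acl = (address_list(body, "allow-recursion")
                     or address_list(body, "allow-query-cache")
                     or address_list(body, "allow-query")
                     or ["localnets", "localhost"])
    if recursion_on and is_unrestricted(recursion_acl):
        findings.append("open resolver: recursion yes reachable from any host")
    # allow-transfer is assumed to default to any (BIND 9 of the tutorial's era).
    transfer_acl = address_list(body, "allow-transfer") or ["any"]
    if is_unrestricted(transfer_acl):
        findings.append("unrestricted allow-transfer: any host can pull the zones")
    return findings


if __name__ == "__main__":
    for name, conf in (("tutorial", TUTORIAL_CONF), ("weak", WEAK_CONF)):
        print(name, audit_named_conf(conf) or ["ok"])
```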
Configuring DNS in LINUX - Setup Primary (Master) DNS Server
Step 2: Create Zone files - Create the forward and reverse zone files which we mentioned in the ‘/etc/named.conf’ file.
 Step 2.1: Create Forward Zone
 Create the forward.unixmen file in the ‘/var/named’ directory.
vi /var/named/forward.unixmen
 Step 2.2: Create Reverse Zone
 Create the reverse.unixmen file in the ‘/var/named’ directory.
vi /var/named/reverse.unixmen
Configuring DNS in LINUX - Setup Primary (Master) DNS Server
 Step 3: Start the DNS service
 Enable and start the DNS service:
systemctl enable named
systemctl start named
 Step 4: Firewall Configuration
 We must allow the DNS service default port 53 through the firewall.
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
 Step 5: Restart Firewall
firewall-cmd --reload
 Step 6: Configuring Permissions, Ownership, and SELinux
 Run the following commands one by one:
chgrp named -R /var/named
chown -v root:named /etc/named.conf
restorecon -rv /var/named
restorecon /etc/named.conf
Configuring DNS in LINUX - Setup Primary (Master) DNS Server
 Step 7: Test DNS configuration and zone files for any syntax errors
 Check the DNS main configuration file:
named-checkconf /etc/named.conf
 If it returns nothing, your configuration file is valid.
 Check the forward zone:
named-checkzone unixmen.local /var/named/forward.unixmen
 Sample output:
zone unixmen.local/IN: loaded serial 2011071001
OK
 Check the reverse zone (the zone name is the in-addr.arpa name from named.conf, not unixmen.local):
named-checkzone 1.168.192.in-addr.arpa /var/named/reverse.unixmen
 Sample output:
zone 1.168.192.in-addr.arpa/IN: loaded serial 2011071001
OK
Configuring DNS in LINUX - Setup Primary (Master) DNS Server
 Step 7: Test DNS configuration and zone files for any syntax errors cont…
 Add the DNS Server details in your network interface config file.
vi /etc/sysconfig/network-scripts/ifcfg-enp0s3
 Edit the file /etc/resolv.conf:
vi /etc/resolv.conf
 Add the name server IP address:
nameserver 192.168.1.101
 Save and close the file.
 Restart the network service:
systemctl restart network
Configuring DNS in LINUX - Setup Primary (Master) DNS Server
 Step 8: Test DNS Server
Method 1:
dig masterdns.unixmen.local
Sample Output:
Method 2:
nslookup unixmen.local
Sample Output:
Now the Primary DNS server is ready to use.
Configuring DNS in LINUX - Setup Secondary (Slave) DNS Server
 Install the BIND packages on your server.
yum install bind bind-utils -y
 Step 1: Configure Slave DNS Server
 Edit the ‘/etc/named.conf’ file.
vi /etc/named.conf
 Add the lines as shown in bold:
 Details are given on the next slide.
Configuring DNS in LINUX - Setup Secondary (Slave) DNS Server
Step 1: Configure Slave DNS Server cont…
 Add the lines as shown in bold:
Configuring DNS in LINUX - Setup Secondary (Slave) DNS Server
 Step 2: Start the DNS service
 Enable and start the DNS service:
systemctl enable named
systemctl start named
 Now the forward and reverse zones are automatically replicated from the Master DNS server to ‘/var/named/slaves/’ on the Secondary DNS server.
ls /var/named/slaves/
 Sample Output:
unixmen.fwd unixmen.rev
 Step 3: Firewall Configuration
 We must allow the DNS service default port 53 through the firewall.
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
 Step 4: Restart Firewall
firewall-cmd --reload
 Step 5: Configuring Permissions, Ownership, and SELinux
 Run the following commands one by one:
chgrp named -R /var/named
chown -v root:named /etc/named.conf
restorecon -rv /var/named
restorecon /etc/named.conf
Configuring DNS in LINUX - Setup Secondary (Slave) DNS Server
 Step 6: Add the DNS Server details
 Add the DNS Server details in your network interface config file.
vi /etc/sysconfig/network-scripts/ifcfg-enp0s3
 Edit the file /etc/resolv.conf:
vi /etc/resolv.conf
 Add the name server IP addresses:
nameserver 192.168.1.101
nameserver 192.168.1.102
 Save and close the file.
 Restart the network service:
systemctl restart network
Configuring DNS in LINUX - Setup Secondary (Slave) DNS Server
 Step 7: Test DNS Server
Testing Master DNS:
dig masterdns.unixmen.local
Sample Output:
Testing Slave DNS:
dig secondarydns.unixmen.local
Sample Output:
Configuring DNS in LINUX - Setup Secondary (Slave) DNS Server
 Step 7: Test DNS Server cont…
Testing:
nslookup unixmen.local
Sample Output:
Server:         192.168.1.102
Address:        192.168.1.102#53

Name:   unixmen.local
Address: 192.168.1.101
Name:   unixmen.local
Address: 192.168.1.103
Name:   unixmen.local
Address: 192.168.1.102

Now the Secondary DNS server is ready to use.


Configuring DNS in LINUX - Client Side Configuration
 Add the DNS server details to the ‘/etc/resolv.conf’ file on all client systems:
vi /etc/resolv.conf
# Generated by NetworkManager
search unixmen.local
nameserver 192.168.1.101
nameserver 192.168.1.102
 Restart the network service or reboot the system.
 Test DNS Server
 Now, you can test the DNS server using any one of the following commands:
dig masterdns.unixmen.local
dig secondarydns.unixmen.local
dig client.unixmen.local
nslookup unixmen.local
 That’s all; the primary and secondary DNS servers are ready to use.
Discuss Network Services, Proxies,
Configuring Firewall
Linux Network Services
 Networking services are commonly used for communication in enterprise Linux networks.
 The most commonly used network services are as follows:
 ntpd – Network Time Protocol Daemon
 httpd – Hyper Text Transfer Protocol Daemon
 sshd – Secure SHell Daemon
 sendmail – Mail Server Daemon
 snmpd – Simple Network Management Protocol Daemon
 iptables – Network Filtering Protocol Service
 nfsd – Network File System Server Daemon
 nscd – Name Service Cache Daemon
 named – Dynamic Naming Service Server Daemon
 smbd – Simple Message Block Server Daemon
Linux Network Services - ntpd
 This service executes the Network Time Protocol (NTP) daemon ntpd.
 Its purpose is to synchronize the time of the local computer to an NTP server or another reference time source such as a radio or satellite receiver or modem.
 The NTP system uses two main roles for participating computers: server or client.
 Time servers supply time to one or more NTP clients.
 NTP clients use the reference time from one or more NTP servers to determine the local time.
 Service management:
# /sbin/service ntpd
 Usage:
/etc/init.d/ntpd {start|stop|restart|condrestart|status}
 Configuration File:
/etc/ntp.conf
Linux Network Services - HTTP
 httpd is the Apache Hyper Text Transfer Protocol (HTTP) server program.
 It is designed to be run as a standalone daemon process. When used like this it will create a pool of child processes or threads to handle requests.
 In general, httpd should not be invoked directly, but rather should be invoked via apachectl on Unix-based systems.
 The httpd RPM package provides the /usr/sbin/httpd daemon and its configuration files.
 Service Management:
/sbin/service httpd show
 Usage:
httpd {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}
 Configuration file:
/etc/httpd/conf/httpd.conf
Linux Network Services - sshd
 The sshd (Secure Shell Daemon) service is part of the OpenSSH implementation for Linux that provides authenticated, end-to-end encrypted networked communication.
 For example, a user on one host can log in to another system without using a password because the sshd service can be configured to use alternate authentication techniques such as exchanging shared-key information.
 The openssh-server RPM package provides the /usr/sbin/sshd daemon and its configuration files.
 Two versions of the SSH communication protocol exist, version 1 and version 2. Connections between the client and the sshd daemon are made on TCP/IP port 22 by default, using either UDP or TCP protocols.
 Service Management: To manage the sshd service on demand, use the service tool or run the /etc/init.d/sshd script directly:
# /sbin/service sshd help
 Usage:
/etc/init.d/sshd {start|stop|restart|reload|condrestart|status}
# /etc/init.d/sshd help
 Usage:
/etc/init.d/sshd {start|stop|restart|reload|condrestart|status}
 Configuration File for SSHD:
/etc/ssh/sshd_config
Linux Network Services - Sendmail
 This executes the Mail Server Daemon, which runs as a daemon in the background, listening for incoming mail from other machines.
 Sendmail can handle both incoming and outgoing mail.
 Sendmail routes mail for the user to the proper delivery program based on the email address.
 It accepts mail from a user’s mail program, interprets the mail address, rewrites the address into the proper form for the delivery program, and routes the mail to the correct delivery program; Sendmail insulates the end user from these details.
 If the mail is properly addressed, sendmail will see that it is properly passed on for delivery.
 Likewise, for incoming mail, sendmail interprets the address and either delivers the mail to a user’s mail program or forwards it to another system.
 Service Management:
 Usage:
/etc/init.d/sendmail {start|stop|restart|condrestart|status}
 Configuration File:
/etc/mail/sendmail.cf
Linux Network Services - snmpd
 The snmpd service is an SNMP (Simple Network Management Protocol) agent which binds to a port and awaits requests from SNMP management software.
 By using SNMP, you can obtain the statistics of the server, described by a MIB file, from a remote host.
 By default, snmpd listens for incoming SNMP requests on UDP port 161 on all IPv4 interfaces.
 The snmpd service is provided by the net-snmp RPM package.
 Service Management: To manage the service on demand, use the service(8) tool or run the /etc/init.d/snmpd script directly:
# /sbin/service snmpd help
 Usage:
/etc/init.d/snmpd {start|stop|status|restart|condrestart|reload}
# /etc/init.d/snmpd help
 Usage:
/etc/init.d/snmpd {start|stop|status|restart|condrestart|reload}
 Configuration File:
/etc/snmp/snmpd.conf
Linux Network Services - iptables
 The iptables utility controls the network packet filtering code in the Linux kernel.
 If you need to set up firewalls and/or IP masquerading, you should install this tool.
 The iptables feature is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined.
 Each table contains a number of built-in chains and may also contain user-defined chains.
 Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a ‘target’, which may be a jump to a user-defined chain in the same table.
 RPM package name: iptables
 Service Management
# service iptables
 Usage:
/etc/init.d/iptables {start|stop|restart|condrestart|status|panic|save}
 Configuration File
/etc/sysconfig/iptables – iptables rules
/etc/sysconfig/iptables-config – iptables configuration
Linux Network Services - nfsd
 The Network File System (NFS) is a server/client based networking protocol.
 The NFS service is made up of the daemons nfsd, rpc.mountd, rpc.rquotad and rpc.lockd.
 Daemon nfsd: nfsd handles client requests from remote systems. Multiple copies of this daemon are usually run so that several requests can be handled simultaneously. However, too many copies of nfsd can increase the demand for CPU time to the point where a drop in performance results. For the best performance the number of copies of nfsd should be set to four.
 Daemon rpc.mountd: rpc.mountd handles mount requests from remote systems.
 Daemon rpc.rquotad: It is an RPC server which returns quotas for a user of a local file system which is NFS-mounted onto a remote machine.
 Daemon rpc.lockd: rpc.lockd manages file locking on NFS client and server machines.
 In order to run the NFS service, the portmap daemon must be running.
 Service Management:
 Usage:
nfs {start|stop|status|restart|reload|condrestart}
 Configuration File:
/etc/exports
Linux Network Services - nscd
 This is the Name Service Cache Daemon.
 It takes care of group and password lookups for running programs and then caches the lookup results for the next query, for services that can be slow to pick up changes such as NIS or LDAP. If you’re running these services, you may want to run nscd.
 This daemon can cache the data for name services such as /etc/hosts, DNS, NIS and NIS+. This is only for local users on the machine, because the cache is realized by wrapping the functions in glibc; a remote user can never use this cache. It takes time for the cache to change even when the original DNS data is changed, so be careful when using this daemon.
 Service Management:
 Usage:
/etc/init.d/nscd {start|stop|status|restart|reload|condrestart}
 Configuration File:
/etc/nscd.conf
Linux Network Services - named
 named executes the DNS (Dynamic Naming Service) server daemon.
 It converts host names to IP addresses and vice versa.
 There are several different kinds of DNS servers, such as primary server, slave server and caching server.
 Its data is stored in the directory /var/named.
 The data stored in the DNS is identified by domain names that are organized as a tree according to organizational or administrative boundaries.
 Service Management
# /sbin/service named
 Usage:
/etc/init.d/named {start|stop|status|restart|condrestart|reload|probe}
 Configuration File
/etc/named.conf
Linux Network Services - smbd
 The Samba software suite is a collection of programs that implements the SMB protocol for UNIX systems.
 This protocol is also known as the Common Internet File System (CIFS).
 The NetBIOS protocol is implemented by the nmbd daemon.
 The SMB server daemon smbd provides file sharing and printing services to Windows clients. The server provides file space and printer services to clients via the SMB/CIFS protocol.
 The nmbd daemon is a NetBIOS name server that provides NetBIOS naming services to clients. It understands and can reply to NetBIOS over IP name service requests, like those produced by SMB/CIFS clients (Windows).
 Service Control
# /sbin/service smb
 Usage:
/etc/init.d/smb {start|stop|restart|reload|status|condrestart}
 Configuration File
/etc/samba/smb.conf
Linux Proxies
 A proxy server has many use cases, ranging from personal internet access, to restricting an organization’s systems/servers from accessing the external world, to limiting external internet access for a set of servers in the cloud.
 The best way to configure a proxy server is by using the Squid proxy. It is a widely used proxy server.
 Steps for Proxy Server
 Install proxy server
 Configure the proxy server
 Configure basic proxy authentication.
Linux Proxies - Install Proxy Server - Squid Proxy
 Step 1: Update the server
sudo yum update -y
 Step 2: Configure EPEL repo
sudo yum -y install epel-release
sudo yum -y update
sudo yum clean all
 Step 3: Install squid
sudo yum -y install squid
 Step 4: Start and enable squid server.
sudo systemctl start squid
sudo systemctl enable squid
 Step 5: Check the status of squid server.
sudo systemctl status squid
Linux Proxies - Configure Proxy Server: Squid Proxy
 All the configuration for the squid server is in the /etc/squid/squid.conf file.
 Configure proxy Sources To Access Internet
 First, you need to configure the sources from which the squid proxy should accept connections.
 For example, you might need to access this proxy server only from your home network or from specific CIDR ranges.
 You can add a source IP range with an ACL using the following format.
acl localnet src 110.220.330.0/24
 Open the /etc/squid/squid.conf file and add the source as shown below. Change the IP to the desired network/IP source based on your needs. In the following example, we have added a single source IP.
 Restart the proxy server after making the ACL changes.
sudo systemctl restart squid
Linux Proxies - Test proxy Server Connectivity
 Test if the proxy server is working using a simple curl request. Use the following curl format. By default the squid proxy runs on port 3128.
curl -x http://<squid-proxy-server-IP>:3128 -L http://google.com
Linux Proxies - Configure Proxy Authentication
 Along with access ACLs, you can add basic authentication to your proxy server for extra security. Follow the steps given below for setting up basic auth for the squid proxy server.
 Step 1: Install httpd-tools
sudo yum -y install httpd-tools
 Step 2: Create a passwd file and make squid the file owner.
sudo touch /etc/squid/passwd && sudo chown squid /etc/squid/passwd
 Step 3: Add pxuser to the password file using the htpasswd utility. It will prompt for a custom password. Enter a strong password. This username and password will be used for all connections through this proxy.
sudo htpasswd /etc/squid/passwd pxuser
Linux Proxies - Configure Proxy Authentication cont…
 Step 5: Now, restart the squid server for the configuration changes to take effect.
sudo systemctl restart squid
 Step 6: Now if you test the proxy connection using curl, you will get the “authentication required” message as shown below.
 Now, test the connectivity with the proxy user and password we configured in step 3. An example syntax is shown below.
curl -x http://35.196.101.43:3128 --proxy-user pxuser:12345 -I http://google.com
 With username and password, your proxy request should go through.
Linux Proxies - Blocking Websites
 Another great use of the proxy server is restricting website access. Follow the steps below for creating a block list.
 Step 1: Open a blocked list file.
sudo vi /etc/squid/blocked_sites
 Add the websites to be blocked to the file, one per line. For example,
facebook.com
twitter.com
instagram.com
 Step 2: Open the squid config file.
sudo vi /etc/squid/squid.conf
 Add the following to the ACL list.
acl blocked_sites dstdomain "/etc/squid/blocked_sites"
http_access deny blocked_sites
 Step 3: Restart the squid server.
sudo systemctl restart squid
 Now if you try to access a blocked site through the proxy, you will get a forbidden message as shown below.
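One detail of the dstdomain ACL type decides whether the list above blocks what you expect: an entry written as facebook.com matches only that exact host, while .facebook.com (leading dot) matches the domain and every subdomain. The script below is an added example (not Squid's own code) that applies that rule to the tutorial's list and to a constructed dotted version, against a constructed set of request hosts.

```python
"""Show which hosts a Squid dstdomain block list actually denies.

Added example, not Squid's own code. It applies the documented dstdomain
matching rule: an entry without a leading dot matches only that exact host
name, while ".example.com" matches the domain and all of its subdomains.
"""

# The tutorial's /etc/squid/blocked_sites as written (no leading dots).
BLOCKED_AS_WRITTEN = """\
facebook.com
twitter.com
instagram.com
"""

# Constructed variant: leading dot = the domain plus every subdomain.
BLOCKED_WITH_SUBDOMAINS = """\
.facebook.com
.twitter.com
.instagram.com
"""

# Constructed request hosts, including a look-alike that must stay allowed.
REQUEST_HOSTS = [
    "facebook.com",
    "www.facebook.com",
    "m.twitter.com",
    "notfacebook.com",
    "example.org",
]


def load_dstdomain_file(text):
    """One entry per line; blank lines and '#' comments are ignored."""
    entries = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()
        if entry:
            entries.append(entry)
    return entries


def dstdomain_matches(entry, host):
    """Squid semantics: 'foo.com' is exact, '.foo.com' covers subdomains too."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        bare = entry[1:]
        return host == bare or host.endswith("." + bare)
    return host == entry


def denied_hosts(request_hosts, list_text):
    """Hosts that `http_access deny blocked_sites` would refuse."""
    entries = load_dstdomain_file(list_text)
    return sorted(h for h in request_hosts
                  if any(dstdomain_matches(e, h) for e in entries))


if __name__ == "__main__":
    print("as written:     ", denied_hosts(REQUEST_HOSTS, BLOCKED_AS_WRITTEN))
    print("with subdomains:", denied_hosts(REQUEST_HOSTS, BLOCKED_WITH_SUBDOMAINS))
```

With the list as written, www.facebook.com and m.twitter.com pass through the proxy; the dotted form blocks them without catching notfacebook.com.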
Linux Firewall
 A firewall is a set of rules.
 When a data packet moves into or out of a protected network space, its contents (in particular, information about its origin, target, and the protocol it plans to use) are tested against the firewall rules to see if it should be allowed through.
Linux Firewall
 What is iptables, and How Does It Work?
 Simply put, iptables is a firewall program for Linux.
 It will monitor traffic from and to your server using tables.
 These tables contain sets of rules, called chains, that will filter incoming and outgoing data packets.
 When a packet matches a rule, it is given a target, which can be another chain or one of these special values:
 ACCEPT – will allow the packet to pass through.
 DROP – will not let the packet pass through.
 RETURN – stops the packet from traversing through a chain and tells it to go back to the previous chain.
 There is a default iptables table, called filter. It consists of three chains:
 INPUT – controls incoming packets to the server.
 FORWARD – filters incoming packets that will be forwarded somewhere else.
 OUTPUT – filters packets that are going out from your server.
 Before we begin, make sure you have SSH root or sudo access to your machine that runs on Ubuntu 16.04 or up.
 You can establish the connection through PuTTY (Windows) or a terminal shell (Linux, macOS).
 iptables rules only apply to IPv4.
 If you want to set up a firewall for the IPv6 protocol, you will need to use ip6tables instead.
Linux Firewall - Install and Use iptables
 Step 1 — Installing iptables
 iptables comes pre-installed in most Linux distributions.
 However, if you don’t have it in your Ubuntu/Debian system by default, follow the steps below:
 Connect to your server via SSH.
 Execute the following commands one by one:
sudo apt-get update
sudo apt-get install iptables
 Check the status of your current iptables configuration by running:
sudo iptables -L -v
 Here, the -L option is used to list all the rules, and -v is for showing the info in a more detailed format.
 Below is the example output:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 You will now have the Linux firewall installed.
 At this point, you can notice that all chains are set to ACCEPT and have no rules.
 This is not secure since any packet can come through without filtering.
Linux Firewall - Install and Use iptables cont…
 Step 2 – Defining Chain Rules
 Defining a rule means appending it to the chain.
 To do this, you need to insert the -A option (Append) right after the iptables command, like so:
sudo iptables -A
 It will alert iptables that you are adding new rules to a chain.
 Then, you can combine the command with other options, such as:
 -i (interface) — the network interface whose traffic you want to filter, such as eth0, lo, ppp0, etc.
 -p (protocol) — the network protocol where your filtering process takes place. It can be tcp, udp, udplite, icmp, sctp, icmpv6, and so on. Alternatively, you can type all to choose every protocol.
 -s (source) — the address from which traffic comes. You can add a hostname or IP address.
 --dport (destination port) — the destination port number of a protocol, such as 22 (SSH), 443 (https), etc.
 -j (target) — the target name (ACCEPT, DROP, RETURN). You need to insert this every time you make a new rule.
 If you want to use all of them, you must write the command in this order:
sudo iptables -A <chain> -i <interface> -p <protocol (tcp/udp) > -s <source> --dport <port no.> -j <target>
 Once you understand the basic syntax, you can start configuring the firewall to give more security to your server.
Linux Firewall - Install and Use iptables cont…
 Enabling Traffic on Localhost
 To allow traffic on localhost, type this command:
sudo iptables -A INPUT -i lo -j ACCEPT
 The command above uses lo, the loopback interface, which is utilized for all communications on the localhost, and will make sure that the connections between a database and a web application on the same machine are working properly.
 Enabling Connections on HTTP, SSH, and SSL Port
 Next, we want http (port 80), https (port 443), and ssh (port 22) connections to work as usual.
 To do this, we need to specify the protocol (-p) and the corresponding port (--dport).
 You can execute these commands one by one:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
 Check that the rules have been appended in iptables:
sudo iptables -L -v
 It should return the results below, which means all TCP connections to the specified ports will be accepted:
Linux Firewall - Install and Use iptables cont…
 Filtering Packets Based on Source
 iptables allows you to filter packets based on an IP address or a range of IP addresses.
 You need to specify it after the -s option.
 For example, to accept packets from 192.168.1.3, the command would be:
sudo iptables -A INPUT -s 192.168.1.3 -j ACCEPT
 You can also reject packets from a specific IP address by replacing the ACCEPT target with DROP.
sudo iptables -A INPUT -s 192.168.1.3 -j DROP
 If you want to drop packets from a range of IP addresses, you have to use the -m option and the iprange module. Then, specify the IP address range with --src-range.
 Remember, a hyphen should separate the range of IP addresses without spaces, like this:
sudo iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP
 Dropping all Other Traffic
 It is crucial to use the DROP target for all other traffic after defining the --dport rules.
 This will prevent an unauthorized connection from accessing the server via other open ports.
 To achieve this, simply type:
sudo iptables -A INPUT -j DROP
 Now, connections outside the specified ports will be dropped.
Linux Firewall - Install and Use iptables cont…
 Deleting Rules
 If you want to remove all rules and start with a clean slate, you can use the -F option (flush):
sudo iptables -F
 This command erases all current rules.
 However, to delete a specific rule, you must use the -D option.
 First, you need to see all the available rules by entering the following command:
sudo iptables -L --line-numbers
 You will get a list of rules with numbers:
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  192.168.0.4          anywhere
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
 To delete a rule, insert the corresponding chain and the number from the list.
 Let’s say we want to get rid of rule number three of the INPUT chain.
 The command should be:
sudo iptables -D INPUT 3
Linux Firewall - Install and Use iptables cont…
 Step 3 – Persisting Changes
 The iptables rules that we have created are saved in memory.
 That means we have to redefine them on reboot. To make these changes persistent after restarting the server, you can use this command:
sudo /sbin/iptables-save
 It will save the current rules to the system configuration file, which will be used to reconfigure the tables every time the server reboots.
 Note that you should always run this command every time you make changes to the rules.
 For example, if you want to disable iptables, you need to execute these two lines:
sudo iptables -F
sudo /sbin/iptables-save
 You will see the following results:
Configuring internet access, sending mail
Install, Secure, Access And Configure
Linux Mail Server (Postfix)
 If you want to send or receive email, you need a mail server.
 Linux SMTP Server
 SMTP defines how mail is sent from one host to another; it is also system independent, which means the sender and receiver can have different operating systems.
 SMTP requires only that a server is able to send plain ASCII text to another server, and this is done by connecting to the server on port 25, which is the standard SMTP port.
 Most Linux distros today ship with two of the most common implementations of SMTP, sendmail and Postfix.
 Sendmail is a famous and free mail server, but it has a somewhat complex design and is less secure.
 Postfix took mail server implementation one step further; it was developed with security in mind.
 Mail Service Components
 The mail service on any mail server has three components:
 Mail user agent (MUA): the component that the user sees and interacts with, like Thunderbird and Microsoft Outlook; these user agents are responsible for reading mail and allowing you to compose mail.
 Mail transport agent (MTA): the component responsible for getting the mail from one site to another, like Sendmail and Postfix.
 Mail delivery agent (MDA): the component responsible for distributing received messages on the local machine to the appropriate user mailbox, like postfix-maildrop and Procmail.
Install, Secure, Access And Configure Linux
Mail Server (Postfix) - Setup Email Server
 We chose Postfix mail server, which is very popular and common among system
administrators today.
 Postfix is the default mail server on most modern Linux distros.
 First, check if it is installed on your system or not:
$ rpm -qa | grep postfix
 If not installed, you can install Postfix mail server on Red Hat based distros like this:
$ dnf -y install postfix
 Then start the postfix service and enable it on system startup:
$ systemctl start postfix
$ systemctl enable postfix
 On Debian based distros like Ubuntu, you can install it like this:
$ apt-get -y install postfix
 You will be prompted to select your Postfix mail server configuration type during the
installation process.
 Among the four choices No configuration, Internet site, Internet with smarthost, Satellite
system and Local only, we will choose No configuration option.
Install, Secure, Access And Configure Linux Mail
Server (Postfix) - Configure Linux Mail Server
 After installing the Postfix mail server, you will need to configure it, most of its
configuration files can be found under the /etc/postfix/ directory.
 You can find the main configuration for Postfix mail server
in /etc/postfix/main.cf file.
 This file contains a lot of options like:
 myhostname
 mydomain
 myorigin
 mydestination
 mail_spool_directory
 mynetworks
 smtpd_banner
 inet_protocols
Install, Secure, Access And Configure Linux Mail
Server (Postfix) - Configure Linux Mail Server cont…
 myhostname
 This option specifies the hostname of the mail server. This is the Internet hostname on which Postfix will receive emails.
 The hostname could be something like mail.example.com or smtp.example.com.
myhostname = mail.example.com
 mydomain
 This option is the mail domain that you will be servicing, like example.com
mydomain = example.com
 myorigin
 All emails sent from this mail server will look as though they came from this option. You can set this to the $mydomain value.
myorigin = $mydomain
 You can use any option value, just precede it with a $ like $mydomain.
Install, Secure, Access And Configure Linux Mail
Server (Postfix) - Configure Linux Mail Server cont…
 mydestination
 This option lists the domains that the Postfix server uses for incoming emails.
mydestination = $myhostname, localhost.$mydomain, $mydomain, mail.$mydomain, www.$mydomain
 mail_spool_directory
 There are two modes of delivery that the Postfix mail server can use:
 Directly to a user’s mailbox.
 To a central spool directory; this way, the mail will be in /var/spool/mail with a file for each user.
mail_spool_directory = /var/spool/mail
 mynetworks
 This option allows you to configure which servers can relay through your Postfix server.
 This option should only contain local addresses, such as those of local mail scripts on your server.
 Otherwise, spammers can utilize your mail server to relay their messages and get your mail server blacklisted, and as a result you will not be able to receive many emails.
mynetworks = 127.0.0.0/8, 192.168.1.0/24
Install, Secure, Access And Configure Linux Mail
Server (Postfix) - Configure Linux Mail Server cont…
 smtpd_banner
 This variable sets the greeting message that is sent to the client after a successful connection.
 It is better to change the banner to something that doesn't give an indication about the server software you are using.
 inet_protocols
 This option specifies the IP protocol version used for server connections.
 inet_protocols = ipv4
 If you change the configuration files for the Postfix mail server, you need to reload the service:
 $ systemctl reload postfix
 When you type any configuration, you may make a mistake; you can check for errors using the following command:
 $ postfix check
 This tool will help you find exactly the line and the error so you can fix it.
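An added example, not from the original page, in POSIX shell: it reads a main.cf, expands $parameter references the way the text describes (myorigin = $mydomain), and flags the two settings the page warns about, a mynetworks entry that would turn the server into an open relay and an smtpd_banner that advertises the software. The main.cf content and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page). The sample below is a constructed
# main.cf, not taken from a real server; it deliberately contains both mistakes.
MAINCF_SAMPLE='myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, $mydomain
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 0.0.0.0/0
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
inet_protocols = ipv4'

# get_param FILE NAME: print the raw (unexpanded) value of NAME; last setting wins.
get_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# resolve_param FILE NAME: like get_param, but with $other references expanded
# from the same file, a few levels deep ($myorigin -> $mydomain -> example.com).
# Parameters not defined in the file expand to the empty string.
resolve_param() {
    val=$(get_param "$1" "$2")
    depth=0
    while [ "$depth" -lt 5 ]; do
        case "$val" in *\$*) ;; *) break ;; esac
        for ref in $(printf '%s\n' "$val" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | tr -d '$' | sort -u); do
            repl=$(get_param "$1" "$ref")          # values must not contain | or &
            val=$(printf '%s\n' "$val" | sed "s|\\\$$ref|$repl|g")
        done
        depth=$((depth + 1))
    done
    printf '%s\n' "$val"
}

# audit_mynetworks FILE: print each relay-permissive entry; status 1 if any.
# Only loopback and the LAN ranges that genuinely need to relay belong here.
audit_mynetworks() {
    status=0
    for net in $(get_param "$1" mynetworks | tr ',' ' '); do
        case "$net" in
            0.0.0.0/0|*/0|::/0) echo "open relay: $net relays for the whole Internet"; status=1 ;;
            */[1-7])            echo "suspiciously wide: $net"; status=1 ;;
        esac
    done
    return $status
}

# audit_banner FILE: status 1 if smtpd_banner still reveals the MTA name/version.
audit_banner() {
    case "$(get_param "$1" smtpd_banner)" in
        *mail_name*|*mail_version*|*[Pp]ostfix*) echo "banner leaks software identity"; return 1 ;;
    esac
    return 0
}

# Demo: write the constructed sample to a temporary file and audit it.
main_demo() {
    tmp=$(mktemp)
    printf '%s\n' "$MAINCF_SAMPLE" > "$tmp"
    echo "myorigin resolves to: $(resolve_param "$tmp" myorigin)"
    audit_mynetworks "$tmp" || echo "-> fix mynetworks before exposing port 25"
    audit_banner "$tmp" || echo '-> set smtpd_banner = $myhostname ESMTP'
    rm -f "$tmp"
}
main_demo
```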
Install, Secure, Access And Configure Linux Mail
Server (Postfix) - Checking the Mail Queue
 Sometimes the mail queues on your system are filled up.
 This can be caused by many reasons like network failure or any reason that can delay
mail delivery.
 To check the mail queue on your Linux mail server, use the following command:
 $ mailq
 This command shows the Postfix mail queue.
 If your queue is filled up and the message takes several hours to be sent, then you
should flush the mail queue.
 $ postfix flush
 Now, if you check your mail queue you should find it empty.
Install, Secure, Access And Configure Linux Mail
Server (Postfix) - Checking the Mail Queue
 Test Linux Mail Server
 After configuring Postfix mail server correctly, you should test your mail server.
 The first step is to use a local mail user agent like mailx or mail which is a symlink
to mailx.
 Try to send a mail to someone else on the same server, if this works, then send to a
remote site.
$ echo "This is message body" | mailx -s "This is Subject" -r "likegeeks<likegeeks@example.com>" -a /path/to/attachment someone@example.com
 Then try to receive a mail from a remote site.
 If you have any problems, check the logs. The log file on Red Hat based distros is
/var/log/maillog and on Debian based distros it is /var/log/mail.log.
 If you still have problems, try checking your DNS settings and check your MX records
using Linux network commands.
Configuration of Web Server on
Linux
Install and Configure Apache Web Server on Ubuntu
Linux Web Server - Apache Web Server
 Apache or Apache HTTP server is a free and open source web server, developed and
maintained by the Apache Software Foundation.
 Its popularity can be judged by the fact that around 46% of the websites worldwide
are powered by Apache.
 Apache allows website developers to serve their content over the web.
 It serves by delivering files requested by users when they enter a domain name in
their browser’s address bar.
 The commands and procedures that are going to be mentioned have been run on an
Ubuntu 18.04 LTS system.
Linux Web Server - Install Apache 2 on Ubuntu Linux
 Step 1: Update system repositories
 You can download the latest version of a software package by first updating the local package index of the Ubuntu repositories.
 Open the Terminal and enter the following command in order to do so:
$ sudo apt update
 Step 2: Install Apache 2 with the apt command
 Next, enter the following command as sudo in order to install Apache2 and its required dependencies:
$ sudo apt install apache2
 You may be prompted with a y/n option to continue installation. Please enter Y, after which the installation procedure will begin.
 Step 3: Verify the Apache installation
 When the installation is complete, you can check the version number and thus verify that Apache2 is indeed installed on your system by entering the following command:
$ apache2 -version
Linux Web Server - Configure the Firewall Settings
 In order to configure Apache, we first need to allow
outside access to certain web ports of our system and
allow Apache on your UFW firewall.
 Step 1: List the UFW application profiles
 In order to configure the firewall, let us first list the
application profiles we will need to enable access to
Apache. Use the following command to list such available
applications:
$ sudo ufw app list
 In the above output, you can see three Apache profiles all
providing different levels of security; Apache being the one
that provides maximum restriction with port 80 still open.
 Step 2: Allow Apache on UFW and verify its status
 Allowing Apache on UFW will open port 80 for network
traffic, while providing maximum security to the server.
Please configure UFW to allow Apache through the
following command:
$ sudo ufw allow 'Apache'
 The status of UFW will now display Apache enabled on the
firewall.
$ sudo ufw status
Linux Web Server - Configure the Apache Web server Settings
 Step 1: Verify that the Apache service is running
 The first step is to verify that the Apache2 service is up
and running on your system, through the following
command:
$ sudo systemctl status apache2
 The status "active (running)" verifies that the apache2 service is running.
 Step 2: Verify that Apache is running properly and listens on your IP address
 You can also verify if Apache is running by requesting a page from the Apache server. For this purpose, you can use your server's IP in order to access the Apache landing page.
 Use the following command to find your server's IP:
$ hostname -I
 Then try the IPs, one by one from the output, in your web browser as follows:
http://server_IP
 In my case, http://192.168.100.4 and http://192.168.100.5. Doing so will display the following Apache web page for Ubuntu, verifying that the Apache server is working properly.
Linux Web Server - Set Up Virtual Hosts in Apache
 A virtual host in Apache is similar to a server block in Nginx.
 It is used to manage configurations for more than one
domain from one server.
 We will set up a website named sampledomain.com by
using the server block that is enabled by default in
Apache for Ubuntu 18.
 Step 1: Set up a domain name
 The server block that is enabled by default is capable of
serving documents from /var/www/html.
 However, we will create a directory at /var/www/ leaving
the default directory intact.
 Create this directory through the following command,
replacing sampledomain.com by your respective domain name.
sudo mkdir -p /var/www/sampledomain.com/html
 Then assign the ownership of the directory through the following commands:
sudo chown -R $USER:$USER /var/www/sampledomain.com/html
sudo chmod -R 755 /var/www/sampledomain.com
Linux Web Server – Set Up Virtual Hosts in Apache cont…
 Creating a sample index.html page and a virtual host file
 Create an HTML file either through the Nano editor or any of your favorite text editors.
$ nano /var/www/sampledomain.com/html/index.html
 You can save a file in nano by using Ctrl+X, then entering Y and hitting Enter.
 Apache needs a virtual host file to serve the contents of your server.
 The default configuration file for this purpose is already created, but we will make a new one for our custom configurations.
 $ sudo nano /etc/apache2/sites-available/sampledomain.com.conf
 You can save a file in nano by using Ctrl+X, then entering Y and hitting Enter.
Linux Web Server – Set Up Virtual Hosts in Apache cont…
 Step 2: Enable the domain configuration file
 Let us enable the configuration file we created with
the a2ensite tool:
$ sudo a2ensite sampledomain.com.conf
 The output will suggest activating the new configuration but we can do it
all collectively after running the following command that disables the
original configuration file:
$ sudo a2dissite 000-default.conf
 Now restart the Apache service:
$ sudo systemctl restart apache2
 Step 3: Test for errors
 Finally, let us test if there are any configuration errors through the following command:
$ sudo apache2ctl configtest
 If you do not get any errors, you will get the following output:
 However, the following error is common in Ubuntu 18.04
 Resolve the error:
 Enter the following command in order to resolve the above-mentioned error:
$ echo "ServerName sampledomain.com" | sudo tee /etc/apache2/conf-available/servername.conf
 And then:
$ sudo a2enconf servername
 Now when you check again for errors, you will see this error resolved through the following output:
Linux Web Server – Set Up Virtual Hosts in Apache cont…
 Step 4: Test if Apache is serving your domain
name
 Apache server is now configured to serve your domain name.
 This can be verified by entering your server name as follows in any of the web browsers running on your system:
http://sampledomain.com
 The index page should display as follows, indicating that Apache is now ready to serve your server block!
Linux Web Server – Some Common Apache Management Commands
 After setting up the web server, you might have to perform some basic
management operations on Apache. Here are the commands that you can enter
in your Terminal application for these operations.
sudo systemctl start apache2
 Use this command as sudo in order to start the Apache server.
sudo systemctl stop apache2
 Use this command as sudo in order to stop the Apache server when it is in start mode.
sudo systemctl restart apache2
 Use this command as sudo in order to stop and then start the Apache service again.
sudo systemctl reload apache2
 Use this command as sudo in order to apply configuration changes without restarting the service and dropping existing connections.
sudo systemctl enable apache2
 Use this command as sudo in order to enable Apache to be started every time you boot your system.
sudo systemctl disable apache2
 Use this command as sudo in order to stop Apache from being started every time you boot your system, if you have set that up.
Describe Linux Security
Linux Security - Discretionary Access Control
 The security features of the Linux kernel have evolved significantly to meet modern
requirements, although Unix Discretionary Access Control (DAC) remains as the core
model.
 Briefly, Unix DAC allows the owner of an object (such as a file) to set the security
policy for that object—which is why it's called a discretionary scheme.
 As a user, you can, for example, create a new file in your home directory and
decide who else may read or write the file.
 This policy is implemented as permission bits attached to the file's inode,
which may be set by the owner of the file.
 Permissions for accessing the file, such as read and write, may be set
separately for the owner, a specific group, and other (i.e. everyone else).
 This is a relatively simple form of access control lists (ACLs).
 Programs launched by a user run with all of the rights of that user, whether they
need them or not.
 There is also a superuser — an all-powerful entity which bypasses Unix DAC policy
for the purpose of managing the system.
 Running a program as the superuser provides that program with all rights on the
system.
Linux Security – Drawbacks of DAC & Extending Unix Security
 Unix DAC is a relatively simple security scheme, although, designed in 1969, it does
not meet all of the needs of security in the Internet age.
 It does not adequately protect against buggy or misconfigured software,
 for example, which may be exploited by an attacker seeking unauthorized access to
resources.
 Privileged applications, those running as the superuser (by design or otherwise), are
particularly risky in this respect. Once compromised, they can provide full system access to
an attacker.
 Functional requirements for security have also evolved over time.
 For example, many users require finer-grained policy than Unix DAC provides, and to
control access to resources not covered by Unix DAC such as network packet flows.
 It's worth noting that a critical design constraint for integrating new security features
into the Linux kernel is that existing applications must not be broken.
 The option of designing a totally new security system from the ground up is not
available—new features have to be retrofitted and compatible with the existing
design of the system.
 In practical terms, this has meant that we end up with a collection of security
enhancements rather than a monolithic security architecture.
Linux Security – POSIX ACLs & POSIX Capabilities
 POSIX ACLs
 POSIX Access Control Lists for Linux are based on a draft POSIX standard.
 They extend the abbreviated Unix DAC ACLs to a much finer-grained scheme, allowing
separate permissions for individual users and different groups.
 They're managed with the setfacl and getfacl commands.
 The ACLs are managed on disk via extended attributes, an extensible mechanism for
storing metadata with files.
 POSIX Capabilities
 POSIX Capabilities are similarly based on a draft standard.
 The aim of this feature is to break up the power of the superuser, so that an application
requiring some privilege does not get all privileges.
 The application runs with one or more coarse-grained privileges, such as CAP_NET_ADMIN
for managing network facilities.
 Capabilities for programs may be managed with the setcap and getcap utilities.
 It's possible to reduce the number of setuid applications on the system by assigning
specific capabilities to them, however, some capabilities are very coarse-grained and
effectively provide a great deal of privilege.
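As an added example (not from the original text) of the point above, the shell script below inventories the setuid/setgid files under a directory, the programs that file capabilities are meant to replace, and shows any capabilities already attached to them via getcap. The function names are ours and the demo directory is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): list setuid/setgid files under a
# directory tree and, where libcap's getcap is installed, the file capabilities
# already set on them, so that setuid programs and capability-bearing programs
# can be reviewed side by side.

# audit_privileged_files DIR: one line per setuid/setgid regular file:
#   path <TAB> mode owner:group <TAB> file capabilities (or "no-file-caps")
audit_privileged_files() {
    root=${1:-/}
    # -perm -4000 = setuid bit, -perm -2000 = setgid bit; -xdev stays on one file system
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        mode=$(stat -c '%A %U:%G' "$f" 2>/dev/null)
        caps=""
        if command -v getcap >/dev/null 2>&1; then
            # getcap prints "path = cap_x+ep" (older libcap) or "path cap_x=ep" (newer)
            caps=$(getcap "$f" 2>/dev/null | sed 's/^[^ ]*[ =]*//')
        fi
        printf '%s\t%s\t%s\n' "$f" "$mode" "${caps:-no-file-caps}"
    done
}

# count_privileged_files DIR: the number of such files, a quick baseline to
# compare against after package updates.
count_privileged_files() {
    audit_privileged_files "$1" | wc -l | tr -d ' '
}

# Demo: the real use is e.g. audit_privileged_files /usr; here a constructed
# scratch directory with one setuid file and one plain file.
demo_dir=$(mktemp -d)
: > "$demo_dir/plain";  chmod 0755 "$demo_dir/plain"
: > "$demo_dir/helper"; chmod 4755 "$demo_dir/helper"   # setuid bit, as on passwd(1)
audit_privileged_files "$demo_dir"
rm -rf "$demo_dir"
```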
Linux Security – Namespaces
 Namespaces in Linux derive from the Plan 9 operating system (the successor research
project to Unix).
 It's a lightweight form of partitioning resources as seen by processes, so that they
may, for example, have their own view of file system mounts or even the process
table.
 This is not primarily a security feature, but is useful for implementing security.
 One example is where each process can be launched with its own, private /tmp
directory, invisible to other processes, and which works seamlessly with existing
application code, to eliminate an entire class of security threats.
 The potential security applications are diverse.
 Linux Namespaces have been used to help implement multi-level security, where
files are labeled with security classifications, and potentially entirely hidden from
users without an appropriate security clearance.
Linux Security – Network Security
 Linux has a very comprehensive and capable networking stack, supporting many
protocols and features.
 Linux can be used both as an endpoint node on a network, and also as a router,
passing traffic between interfaces according to networking policies.
 Netfilter is an IP network layer framework which hooks packets which pass into,
through and from the system. Kernel-level modules may hook into this framework to
examine packets and make security decisions about them.
 iptables is one such module, which implements an IPv4 firewalling scheme, managed
via the userland (a notation used for userspace) iptables tool.
 Access control rules for IPv4 packets are installed into the kernel, and each packet must
pass these rules to proceed through the networking stack.
 Also implemented in this codebase is stateful packet inspection and Network
Address Translation (NAT). Firewalling is similarly implemented for IPv6.
 ebtables provides filtering at the link layer, and is used to implement access control
for Linux bridges, while arptables provides filtering of ARP packets.
 The networking stack also includes an implementation of IPsec, which provides
confidentiality, authenticity, and integrity protection of IP networking. It can be used
to implement VPNs, and also point to point security.
Linux Security – Cryptography
 A cryptographic API is provided for use by kernel subsystems.
 It provides support for a wide range of cryptographic algorithms and operating modes,
including commonly deployed ciphers, hash functions, and limited support for asymmetric
cryptography.
 There are synchronous and asynchronous interfaces, the latter being useful for
supporting cryptographic hardware, which offloads processing from general CPUs.
 Support for hardware-based cryptographic features is growing, and several
algorithms have optimized assembler implementations on common architectures.
 A key management subsystem is provided for managing cryptographic keys within the
kernel.
 Kernel users of the cryptographic API include the IPsec code, disk encryption schemes
including ecryptfs and dm-crypt, and kernel module signature verification.
Linux Security – Modules
 The Linux Security Modules (LSM) API implements hooks at all security-critical points
within the kernel.
 A user of the framework (an "LSM") can register with the API and receive callbacks
from these hooks.
 All security-relevant information is safely passed to the LSM, avoiding race
conditions, and the LSM may deny the operation.
 This is similar to the Netfilter hook-based API, although applied to the general
kernel.
 The LSM API allows different security models to be plugged into the kernel—typically
access control frameworks.
 To ensure compatibility with existing applications, the LSM hooks are placed so that
the Unix DAC checks are performed first, and only if they succeed, is LSM code
invoked.
Linux Security – Modules - SELinux
 Security Enhanced Linux (SELinux) is an implementation of fine-grained Mandatory
Access Control (MAC) designed to meet a wide range of security requirements, from
general purpose use, through to government and military systems which manage
classified information.
 MAC security differs from DAC in that the security policy is administered
centrally, and users do not administer policy for their own resources. This helps
contain attacks which exploit userland software bugs and misconfiguration.
 In SELinux, all objects on the system, such as files and processes, are assigned
security labels and all security-relevant interactions between entities on the system
are hooked by LSM and passed to the SELinux module, which consults its security
policy to determine whether the operation should continue.
 The SELinux security policy is loaded from userland, and may be modified to meet a
range of different security goals. Many previous MAC schemes had fixed policies,
which limited their application to general purpose computing.
 SELinux is implemented as a standard feature in Fedora-based distributions, and
widely deployed.
Linux Security – Modules – Smack & AppArmor
 Smack
 The Smack LSM was designed to provide a simple form of MAC security, in response to the
relative complexity of SELinux.
 It's also implemented as a label-based scheme with a customizable policy.
 Smack is part of the Tizen security architecture and has seen adoption generally in the
embedded space.
 AppArmor
 AppArmor is a MAC scheme for confining applications, and was designed to be simple to
manage. Policy is configured as application profiles using familiar Unix-style abstractions
such as pathnames.
 It is fundamentally different to SELinux and Smack in that instead of direct labeling of
objects, security policy is applied to pathnames.
 AppArmor also features a learning mode, where the security behavior of an application is
observed and converted automatically into a security profile.
 AppArmor is shipped with Ubuntu and OpenSUSE, and is also widely deployed.
Linux Security – Modules – TOMOYO
 The TOMOYO module is another MAC scheme which implements path-based security
rather than object labeling. It's also aimed at simplicity, by utilizing a learning mode
similar to AppArmor's where the behavior of the system is observed for the purpose
of generating security policy.
 What's different about TOMOYO is that what's recorded are trees of process
invocation, described as "domains".
 For example, when the system boots, from init, a series of tasks are invoked which lead to
a logged in user running a shell, and ultimately executing a command, say ping.
 This particular chain of tasks is recorded as a valid domain for the execution of that
application, and other invocations which have not been recorded are denied.
 TOMOYO is intended for end users rather than system administrators, although it has
not yet seen any appreciable adoption.
Linux Security – Modules – Yama & Audit
 Yama
 The Yama LSM is not an access control scheme like those described above. It's where
miscellaneous DAC security enhancements are collected, typically from external projects
such as grsecurity.
 Currently, enhanced restrictions on ptrace are implemented in Yama, and the module may
be stacked with other LSMs in a similar manner to the capabilities module.
 Audit
 The Linux kernel features a comprehensive audit subsystem, which was designed to meet
government certification requirements, but also actually turns out to be useful. LSMs and
other security components utilize the kernel Audit API. The userland components are
extensible and highly configurable.
 Audit logs are useful for analyzing system behavior, and may help detect attempts at
compromising the system.
Linux Security – Modules – Seccomp
 Secure computing mode (seccomp) is a mechanism which restricts access to system
calls by processes.
 The idea is to reduce the attack surface of the kernel by preventing applications
from entering system calls they don't need. The system call API is a wide gateway to
the kernel, and as with all code, there have and are likely to be bugs present
somewhere. Given the privileged nature of the kernel, bugs in system calls are
potential avenues of attack.
 If an application only needs to use a limited number of system calls, then restricting
it to only being able to invoke those calls reduces the overall risk of a successful
attack.
 The original seccomp code, also known as "mode 1", provided access to only four system
calls: read, write, exit, and sigreturn.
 These are the minimum required for a useful application, and this was intended to be used to run
untrusted code on otherwise idle systems.
 A recent update to the code allows for arbitrary specification of which system calls
are permitted for a process, and integration with audit logging. This "mode 2"
seccomp was developed for use as part of the Google Chrome OS.
Linux Security – Modules – Integrity Management
 The kernel's integrity management subsystem may be used to maintain the integrity of
files on the system.
 The Integrity Measurement Architecture (IMA) component performs runtime integrity
measurements of files using cryptographic hashes, comparing them with a list of valid
hashes.
 The list itself may be verified via an aggregate hash stored in the TPM. Measurements
performed by IMA may be logged via the audit subsystem, and also used for remote
attestation, where an external system verifies their correctness.
 IMA may also be used for local integrity enforcement via the Appraisal extension. Valid
measured hashes of files are stored as extended attributes with the files, and
subsequently checked on access. These extended attributes (as well as other security-
related extended attributes), are protected against offline attack by the Extended
Verification Module (EVM) component, ideally in conjunction with the TPM.
 If a file has been modified, IMA may be configured via policy to deny access to the file.
The Digital Signature extension allows IMA to verify the authenticity of files in addition to
integrity by checking RSA-signed measurement hashes.
 A simpler approach to integrity management is the dm-verity module.
 This is a device mapper target which manages file integrity at the block level.
 It's intended to be used as part of a verified boot process, where an appropriately authorized
caller brings a device online, say, a trusted partition containing kernel modules to be loaded
later. The integrity of those modules will be transparently verified block by block as they are
read from disk.
Linux Security – Modules – Hardening & Platform Security
 Hardening techniques have been applied at various levels, including in the build
chain and in software, to help reduce the risk of system compromise.
 Address Space Layout Randomization (ASLR) places various memory areas of a
userland executable in random locations, which helps prevent certain classes of
attacks. This was adapted from the external PaX/grsecurity projects, along with
several other software-based hardening features.
 The Linux kernel also supports hardware security features where available, such as
NX, VT-d, the TPM, TXT, and SMAP, along with cryptographic processing as previously
mentioned.
Linux Backup
Explain the process of Backup of data in Linux
 Linux backup strategy and backup media depends on your assessment of the risk of business disruption due to
hard disk failure.
 For example, if you use your Linux system as a learning tool (to learn about Linux or programming), all you
may need are backup copies of some system files required to configure Linux. In this case, your backup
strategy can be to save important system-configuration files on one or more floppies every time you change
any system configuration.
 On the other hand, if you use your Linux system as an office server that provides shared file storage for many
users, the risk of business disruption due to disk failure is much higher. In this case, you have to back up all
the files every week and back up any new or changed files every day. You should perform these backups in an
automated manner.
 Your choice of backup media depends on the amount of data you have to back up.
 For a small amount of data, such as system-configuration files, you can use floppy disks as the backup media.
 If your PC has a Zip drive, you can use Zip disks as backup media; these are good for backing up a single-user directory.
 To back up servers, you should use a tape drive, typically a 4-mm or 8-mm tape drive that connects to a SCSI controller.
Such tape drives can store several gigabytes of data per tape, and you can use them to back up an entire file system on a
single tape.
 When backing up files to these backup media, you have to refer to the backup device by name.

Backup Device                   Linux Device Name
Floppy disk                     /dev/fd0
IDE Zip drive                   /dev/hdc4 or /dev/hdd4
IDE floppy tape (Ftape) drive   /dev/qft0
SCSI Zip drive                  /dev/sda (assuming it's the first SCSI drive; otherwise, the device name depends on the SCSI ID)
SCSI tape drive                 /dev/st0 or /dev/nst0 (the n prefix means that the tape is not rewound after files are copied to the tape)
Explain the process of Backup of data in Linux
 Unix and Linux backup and restore can be done using the backup commands
 tar,
 cpio,
 ufsdump,
 dump, and
 restore.
 Though these commands may be sufficient for small setups, in order to take an enterprise
backup you have to go in for custom backup and restore solutions like
 Symantec NetBackup,
 EMC NetWorker or
 Amanda.
 Any backup solution using these commands depends on the type of backup you are taking,
as these backup commands offer different capabilities.
Explain the process of Backup of data in Linux - Backup Restore using tar command
 tar ( tape archive )
 It is used for single or multiple files backup and restore on/from a tape or file.
 tar can not back up special character & block device files; they show up as 0 byte files with the first
letter of the permissions as b or c for block or character devices.
 tar works only on a mounted file system; it can not access the files on an unmounted file
system.
tar options destination source
 Backing up all files in a directory including subdirectories to a tape device
(/dev/rmt/0) or a file.
 Example:
 $tar cvf /dev/rmt/0 *
 Example:
 $tar cvf /home/backup *
 Viewing a tar backup on a tape or file
 t option is used to see the table of contents in a tar file.
 $tar tvf /dev/rmt/0 ## view files backed up on a tape device.
 $tar tvf /home/backup ## view files backed up inside the backup file.

Option   Definition
c        Creates a new archive
f        Specifies the name of the archive file or device in the next field on the command line
M        Specifies a multivolume archive (the next section describes multivolume archives)
t        Lists the contents of the archive
v        Displays verbose messages
x        Extracts files from the archive
z        Compresses the tar archive using gzip
Explain the process of Backup of data in Linux - Backup Restore using tar command
 Extracting tar backup from the tape
 x option is used to extract the files from a tar file.
 $tar xvf /dev/rmt/0 ## extract / restore files in to current directory.
 $tar xvf /home/backup ## extract / restore files in to current directory.
 Note : Restoration will go to the present directory or the original backup path depending on
whether relative or absolute path names were used for the backup.
 Sometimes a tar file or tar ball becomes big and it can be compressed to copy or store it with
less space.
 Compressing file/s
 compress -v file_name
 gzip filename
 To uncompress a file
 uncompress file_name.Z
 or
 gunzip filename

Some useful tar options
-p, --preserve-permissions   Extract & keep the file permissions (default for superuser)
-z, --gzip                   Filter the archive through gzip
-j, --bzip2                  Filter the archive through bzip2
-u, --update                 Only append files newer than the copy in the archive
-r, --append                 Append files to the end of an archive
--delete                     Delete from the archive (not on mag tapes!)
-d, --diff, --compare        Find differences between archive and file system
--test-label                 Test the archive volume label and exit
-C, --directory=DIR          Change to directory DIR
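An added example, not from the page: a small POSIX shell backup routine built on the options in the table above. It creates a dated gzip-compressed archive with tar, lists it with t, and verifies it against the file system with -d/--diff before restoring with -p, so a damaged archive or files changed since the backup are reported before a restore is ever needed. Function names and the sample directory are our own.

```shell
#!/bin/sh
# Added example (not from the original page): backup, list, verify and restore
# a directory with GNU tar.

# backup_dir SRC DEST_DIR: create DEST_DIR/<name>-<YYYYmmdd-HHMMSS>.tar.gz from
# SRC, archiving relative paths (-C) so a restore lands wherever you extract.
# Prints the archive path.
backup_dir() {
    src=$1; dest=$2
    mkdir -p "$dest"
    archive="$dest/$(basename "$src")-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    printf '%s\n' "$archive"
}

# list_backup ARCHIVE: table of contents, like "tar tvf" on the page (-z for gzip).
list_backup() {
    tar -tzvf "$1"
}

# verify_backup ARCHIVE SRC: status 0 if every archived file still matches the
# file system, 1 otherwise. GNU tar -d reports each difference (size, mode,
# modification time, contents) and exits 1 when any file differs.
verify_backup() {
    tar -dzf "$1" -C "$(dirname "$2")"
}

# restore_backup ARCHIVE TARGET_DIR: extract with permissions preserved (-p).
restore_backup() {
    mkdir -p "$2" && tar -xzpf "$1" -C "$2"
}

# Demo on a constructed directory: back up, verify, change a file, verify again.
work=$(mktemp -d)
mkdir -p "$work/data/sub"
printf 'alpha\n' > "$work/data/a.txt"
printf 'beta\n'  > "$work/data/sub/b.txt"
arch=$(backup_dir "$work/data" "$work/backups")
list_backup "$arch"
verify_backup "$arch" "$work/data" && echo "archive matches disk"
printf 'changed\n' > "$work/data/a.txt"
verify_backup "$arch" "$work/data" || echo "archive and disk differ (expected)"
rm -rf "$work"
```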
Explain the process of Backup of data in Linux - Backup Restore using cpio command
 Used for single or multiple files backup.
 Can back up special character & block device files.
 Works only on a mounted file system.
 Needs a list of files to be backed up.
 Preserves hard links and time stamps of the files.
 Using the cpio command to back up all the files in the current directory to tape:
 find . -depth -print | cpio -ovcB > /dev/rmt/0
 cpio expects a list of files and the find command provides the list; cpio has to put these files on
some destination and the > sign redirects them to the tape. This can be a file as well.
## Options o -> output (create archive); v -> verbose; c -> portable ASCII header format; B -> set I/O block size to 5120 bytes
 Viewing cpio files on a tape
 cpio -ivtB < /dev/rmt/0
## Options i -> input (read archive); v -> verbose; t -> table of contents; B -> set I/O block size to 5120 bytes
 Restoring a cpio backup
 cpio -ivcB < /dev/rmt/0
## Options i -> input (read archive); v -> verbose; c -> portable ASCII header format; B -> set I/O block size to 5120 bytes
Explain the process of Backup of data in Linux - Backup Restore using dump command
 ext2, ext3 and ext4 backup and restore can be easily done with the dump
utility, which allows you to take full and incremental file system
backups. The backup can be taken to a tape, a file or a remote system, and
full or selective files can be restored.
 Dump is available at sourceforge.net http://dump.sourceforge.net/
 Install dump package
 The dump package contains the dump and restore utilities and it also installs the tape
device package rmt.
 [root@localhost ~]# yum install dump
Installed:
dump.x86_64 1:0.4-0.24.b44.fc20
Dependency Installed:
rmt.x86_64 2:1.5.2-9.fc20
Complete!
[root@localhost ~]#
 Full file system backup
 After installation, dump can be used to take a file system backup.
In this example we will take a full backup of /dev/sda9.
 Numerical argument 0 is a full backup and subsequent numbers represent
the incremental backups corresponding to that full backup.
 Syntax is:
 dump -<level number>u -f <destination file or tape device> <source filesystem device>
 -u Update the file /etc/dumpdates
[root@localhost ~]# /sbin/dump -0u -f /dev/st0 /dev/sda9
DUMP: Date of this level 0 dump: Wed Feb 8 22:10:13 2017
DUMP: Dumping /dev/sda9 (/boot) to /dev/st0
DUMP: Writing 10 Kilobyte records
DUMP: mapping (Pass I) [regular files]
…
DUMP: Volume 1 started with block 1 at: Wed Feb 8 22:10:13 2017
DUMP: dumping (Pass III) [directories]
DUMP: 122150 blocks (119.29MB) on 1 volume(s)
DUMP: Average transfer rate: 61075 kB/s
DUMP: DUMP IS DONE
[root@localhost ~]#
Explain the process of Backup of data in Linux - Backup Restore using dump command
 Incremental backup
 Numerical argument 2 is an incremental backup and subsequent numbers
represent the incremental backups corresponding to the full backup.
 -u updates the /etc/dumpdates file
[root@localhost ~]# /sbin/dump -2u -f /dev/st0 /dev/sda9
DUMP: Date of this level 2 dump: Wed Feb 8 22:14:13 2017
DUMP: Date of last level 1 dump: Wed Feb 8 22:13:06 2017
DUMP: Dumping /dev/sda9 (/boot) to /dev/st0
…
DUMP: Date of this level 2 dump: Wed Feb 8 22:14:13 2017
…
DUMP: DUMP IS DONE
 Backup history
[root@localhost ~]# cat /etc/dumpdates
/dev/sda9 0 Wed Feb 8 22:10:13 2017 -0800
/dev/sda9 1 Wed Feb 8 22:13:06 2017 -0800
/dev/sda9 2 Wed Feb 8 22:14:13 2017 -0800
/dev/sda9 3 Wed Feb 8 22:15:27 2017 -0800
/dev/sda9 4 Wed Feb 8 22:15:43 2017 -0800
/dev/sda9 5 Wed Feb 8 22:15:34 2017 -0800
 Important Files related to backup
/dev/st0         default tape unit to dump to
/etc/dumpdates   dump date records
/etc/fstab       dump table: file systems
/etc/mtab        dump table: mounted file systems
/etc/group       to find group operator
 Exit Status
 Dump exits with zero status on success.
 Startup errors are indicated with an exit code of 1;
 abnormal termination is indicated with an exit code of 3.
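As an added example (not from the page), the script below reads /etc/dumpdates records like the ones above and works out which dumps must be restored, and in what order, to bring the file system back to its latest state. With the page's listing the answer is levels 0, 1, 2, 3, 4: the level 5 dump is not needed because the later level 4 dump supersedes it. The function name is ours.

```shell
#!/bin/sh
# Added example (not from the original page). A level N dump holds what changed
# since the latest earlier dump of a level below N, so walking back from the
# newest record and repeatedly taking the most recent earlier record with a
# lower level yields the restore chain, ending at a level 0 (full) dump.

# The page's own /etc/dumpdates listing, used here as constructed input.
DUMPDATES_SAMPLE='/dev/sda9 0 Wed Feb 8 22:10:13 2017 -0800
/dev/sda9 1 Wed Feb 8 22:13:06 2017 -0800
/dev/sda9 2 Wed Feb 8 22:14:13 2017 -0800
/dev/sda9 3 Wed Feb 8 22:15:27 2017 -0800
/dev/sda9 4 Wed Feb 8 22:15:43 2017 -0800
/dev/sda9 5 Wed Feb 8 22:15:34 2017 -0800'

# restore_chain DUMPDATES DEVICE: print "level<TAB>date" lines, oldest first.
# Records are sorted by timestamp first (time zone offsets assumed uniform),
# because dumpdates keeps one line per level, not in chronological order.
restore_chain() {
    awk -v dev="$2" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i in m) mon[m[i]] = i }
        $1 == dev {
            t = $6; gsub(/:/, "", t)                      # HH:MM:SS -> HHMMSS
            key = sprintf("%04d%02d%02d%s", $7, mon[$4], $5, t)
            printf "%s\t%s\t%s %s %s %s %s %s\n", key, $2, $3, $4, $5, $6, $7, $8
        }' "$1" |
    sort |
    awk -F '\t' '
        { level[NR] = $2 + 0; when[NR] = $3 }
        END {
            if (NR == 0) exit 1
            i = NR; chain = ""
            while (i > 0) {
                chain = level[i] "\t" when[i] "\n" chain  # prepend, so oldest ends up first
                if (level[i] == 0) break
                j = i - 1                                 # newest earlier record ...
                while (j > 0 && level[j] >= level[i]) j-- # ... with a strictly lower level
                if (j == 0) { print "no level 0 dump precedes " when[i] > "/dev/stderr"; exit 1 }
                i = j
            }
            printf "%s", chain
        }'
}

# Demo: each listed dump would then be read back, in this order, in the target
# file system with restore -r -f <tape>.
demo=$(mktemp)
printf '%s\n' "$DUMPDATES_SAMPLE" > "$demo"
restore_chain "$demo" /dev/sda9
rm -f "$demo"
```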