
Building a Complete CentOS 6 Server for Small Scale Organizations

One of my main objectives here is to ensure that the server installation and configuration is efficient enough that monitoring the server becomes an easy task. Various technologies and third-party tools are used to configure a successful Linux server, so make sure that the server is connected to the Internet. Also, make sure to input your own appropriate values instead of blindly copying all the values that I use. Before I go further with my server setup I'd like to give you a brief of my hardware specifications.

RAM               7.7 GiB (8 GiB)
Processor         Intel Xeon CPU 3.00 GHz (cores 0 1 2 3)
Hard Disk         1727.0 GiB (2 TB)
Ethernet          dual NIC, each 1000 Mb/s
Operating System  CEntOS (Community Enterprise Linux) 6.3, release Final
Kernel            2.6.32-279.el6.x86_64
Desktop           GNOME 2.28.2

Good enough for virtualization and load balancing, and also good for a SCSI server and resilient storage. I would recommend getting a machine with these specifications if you need to set up a successful server.

CEntOS 6.3 Server


INDEX (BOOK 1)

Serial Number  Task                                                                  Page Number
1.   Installation and Basic Initial Configuration of the Server                       1-8
2.   NTP and SSH Server Configuration                                                 9-11
3.   DNS Configuration (Very Important.)                                              12-14
4.   DHCP Server Setup (Depends on the organization.) and Storage Server              15-16
5.   LDAP (Very Very Important.)                                                      17-25
6.   Virtualization Hypervisor (KVM)                                                  26-30
7.   NFS, NIS and Samba Server (File Sharing.)                                        31-36
8.   Web Servers (Important.)                                                         37-55
9.   FTP Servers (Important.)                                                         56-57
10.  Database Installation and Configuration (MySQL and PostgreSQL)                   58-61
11.  Version Control and System Control                                               62-64


1.1 Installation

Let us begin with the installation in the proper basic way. You can either use a CentOS DVD or boot from USB. For the USB method you will need:
o UNetbootin
o A pen drive of about 8 GB
o At least one USB port or hub, working properly and free to use
Make the USB drive bootable with the CentOS 6.3 ISO file, or insert the CentOS 6.3 DVD1 into the DVD drive. Insert the install media and restart the computer.

After booting, the following screen is shown; press Enter. The next section checks the media; skip it if you don't need it. Click "Next" to proceed. Select the language you'd like to use during the installation. Select the keyboard type you are using. Select the type of storage:
o If you install CentOS 6.3 to a local hard disk, select 'Basic Storage Devices'.
o If you install to a disk that is connected through a storage area network or a mainframe, select the bottom option.
If your disk is new and not yet formatted, the following warning is shown; click "Reinitialize all" if that is OK.

Set the hostname of your computer; I've used shriyaishost.com. Also modify the network settings (IP: 192.168.1.92). Set your time zone (India, GMT +5:30). Set the root user's password.

Select the installation type. In my case:
o select "Use All Space", and
o check the box "Review and modify partitioning layout" to configure partitions manually.
This is the section for changing partition layouts. I configure LVM partition layouts and set:
o /boot
o /
o swap
o /home
First, select "/" and click "Edit". Reduce the volume size for "/" to make free space. Click "Create"; the following screen is shown. Select "LVM Logical Volume" and click "Create".

Hari Iyer (Red hat Certified System Administrator.)



Input the mount point, the logical volume's name, the size and so on. Click "Next" if everything is OK. Click 'Format' if everything is OK. Click 'Write Changes to Disk' if everything is OK. Click 'Next', keeping the defaults. If you need to set some parameters for the boot loader, configure them here.

Select the software to install. Select 'Minimal' and go next; it's unnecessary to install many packages at first. But if you are a beginner on Linux systems, check the box 'Customize now' and install additional packages, because it's inconvenient if only 'Minimal' is installed. I personally installed all the software. If you selected "Customize now" in the previous section, the following screen is shown; it's better to check the box "Base" if you are a beginner. Installation starts. When the installation has completed, click "Reboot".



1.2 Basic Initial Configuration of the Server

Create an administrator user.

[root@shriyaishost /]# useradd administrator
[root@shriyaishost /]# passwd administrator
New UNIX password: ********
Retype new UNIX password: ********
passwd: all authentication tokens updated successfully.

Try to log in as the newly created user.

[user1@shriyaishost Desktop]$ su administrator
Password:
[administrator@shriyaishost Desktop]$

Switch back to root.

[administrator@shriyaishost /]$ su
Password:
[root@shriyaishost /]#

Make one user (it's 'administrator' in my case) the only user who can switch to root for administration.

[root@shriyaishost /]# vim /etc/group
# line 11: add the user name
wheel:x:10:root,administrator
[Esc] -> :wq! -> [Enter]
[root@shriyaishost /]# vim /etc/pam.d/su
# uncomment the following line
auth            required        pam_wheel.so use_uid

Configure forwarding of root's e-mail to the administration user you set above.

[root@shriyaishost /]# vim /etc/aliases
# last line: uncomment and change to a user
root:           administrator
[root@shriyaishost /]# newaliases

If a firewall is already running in your LAN and iptables on the server is unnecessary, stop it. (Everything configured later in this guide then relies on that upstream firewall.)

[root@shriyaishost /]# /etc/rc.d/init.d/iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading iptables modules:                      [  OK  ]
[root@shriyaishost /]# chkconfig iptables off
[root@shriyaishost /]# chkconfig ip6tables off

Disable SELinux (Security-Enhanced Linux) if you don't need it. (SELINUX=permissive is the middle ground: denials are logged to /var/log/audit/audit.log but nothing is blocked. Either change takes effect after a reboot.)

[root@shriyaishost /]# vim /etc/sysconfig/selinux
SELINUX=disabled

Set a static IP address on the server; DHCP is not recommended for a machine used as a server, so change it.

[root@shriyaishost /]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
# DEVICE must match the interface named in the file name
DEVICE=eth0
HWADDR=XX:XX:XX:XX:XX:XX
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.1.92
NETMASK=255.255.255.0
TYPE=Ethernet
GATEWAY=192.168.1.1
DNS1=192.168.1.1
IPV6INIT=no
USERCTL=no
[root@shriyaishost /]# /etc/rc.d/init.d/network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                [  OK  ]
[root@shriyaishost /]# chkconfig network on
[root@shriyaishost /]# ifconfig
# check that the IP address is 192.168.1.92 (in my case)

Stop services that are enabled by default but that you don't need. List all services with the command below.

[root@shriyaishost /]# chkconfig --list | less

Stop a service. The commands below stop 'netfs' and disable its auto-start at boot.

[root@shriyaishost /]# /etc/rc.d/init.d/netfs stop
[root@shriyaishost /]# chkconfig netfs off

Update your system with the 'yum' command. If 'yum-plugin-fastestmirror', which looks for a fast mirror and downloads packages from there automatically whenever yum is used, is not installed, install it first (normally it is installed by default).

[root@shriyaishost /]# yum -y install yum-plugin-fastestmirror




[root@shriyaishost /]# yum -y update

Add the RPMforge repository to yum, because it has many useful packages.

[root@shriyaishost /]# wget http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
[root@shriyaishost /]# rpm --import RPM-GPG-KEY.dag.txt
[root@shriyaishost /]# rm -f RPM-GPG-KEY.dag.txt
[root@shriyaishost /]# vim /etc/yum.repos.d/rpmforge.repo
# create new
[rpmforge]
name=RPMforge RPM repository for Red Hat Enterprise Linux
baseurl=http://ftp.riken.jp/Linux/dag/redhat/el6/en/$basearch/rpmforge/
gpgcheck=1
enabled=0
# when you use the repository, run yum like this:
[root@shriyaishost /]# yum --enablerepo=rpmforge install [package]

Add the EPEL repository, which is provided by the Fedora project.

[root@shriyaishost /]# wget http://ftp.riken.jp/Linux/fedora/epel/RPM-GPG-KEY-EPEL-6
[root@shriyaishost /]# rpm --import RPM-GPG-KEY-EPEL-6
[root@shriyaishost /]# rm -f RPM-GPG-KEY-EPEL-6
[root@shriyaishost /]# vi /etc/yum.repos.d/epel.repo
# create new
[epel]
name=EPEL RPM Repository for Red Hat Enterprise Linux
baseurl=http://ftp.riken.jp/Linux/fedora/epel/6/$basearch/
gpgcheck=1
enabled=0
# when you use the repository, run yum like this:
[root@shriyaishost /]# yum --enablerepo=epel install [package]

Configure sudo

Grant a user all root privileges.

[root@shriyaishost /]# visudo
# add at the last line: user 'administrator' can use all root privileges
administrator   ALL=(ALL)       ALL
# format of a line: user  host=(runas_user)  command

# make sure with user 'administrator'
[administrator@shriyaishost]$ /sbin/shutdown -r now
shutdown: Need to be root



# denied normally
[administrator@shriyaishost]$ sudo /sbin/shutdown -r now
Password:               # own password
The system is going down for reboot NOW!
# just executed

In addition to this setting, set that some commands are not allowed.

[root@shriyaishost /]# visudo
# near line 49: add an alias for the shutdown kind of commands
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, \
                      /sbin/poweroff, /sbin/reboot, /sbin/init
# add (the commands in alias 'SHUTDOWN' are not allowed)
administrator   ALL=(ALL)       ALL, !SHUTDOWN
# make sure with user 'administrator'
[administrator@shriyaishost]$ sudo /sbin/shutdown -r now
Sorry, user administrator is not allowed to execute '/sbin/shutdown -r now' as root on shriyaishost.com.
# denied normally

Note that sudoers(5) itself states that excluding commands from an otherwise unrestricted ALL is generally not effective; the list of explicitly allowed commands used next for the usermgr group is the stronger form.

Grant some commands with root privilege to the users of a group.

[root@shriyaishost /]# visudo
# near line 51: add an alias for the user management kind of commands
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, \
                     /usr/bin/passwd
# add at the last line
%usermgr        ALL=(ALL)       USERMGR
[root@shriyaishost /]# groupadd usermgr
[root@shriyaishost /]# vim /etc/group
# add a user to this group
usermgr:x:502:administrator
# make sure with user 'administrator'
[administrator@shriyaishost]$ sudo /usr/sbin/useradd testuser
[administrator@shriyaishost]$



# done normally
[administrator@shriyaishost]$ sudo /usr/bin/passwd testuser
Changing password for user testuser.
New UNIX password:          # set testuser's password
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

Grant a single command with root privilege to a user.

[root@shriyaishost /]# visudo
# add at the last line
administrator   ALL=(ALL)       /usr/sbin/visudo
fedora          ALL=(ALL)       /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
ubuntu          ALL=(ALL)       /bin/vi
# (the path in sudoers must be exactly the path the user runs; 'ubuntu' is tested with /bin/vi below)
# make sure with user 'administrator'
[administrator@shriyaishost]$ sudo /usr/sbin/visudo
# possible to open and edit
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
# make sure with user 'fedora'
[fedora@shriyaishost]$ sudo /usr/sbin/userdel -r testuser
[fedora@shriyaishost]$
# done normally
# make sure with user 'ubuntu'
[ubuntu@shriyaishost]$ sudo /bin/vi /boot/grub/grub.conf
# possible to open and edit
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that

The logs for sudo are kept in '/var/log/secure', but there are many kinds of logs in it. So if you'd like to keep only sudo's log in a separate file, set it up as follows.

[root@shriyaishost /]# visudo
# add at the last line
Defaults        syslog=local1
[root@shriyaishost /]# vi /etc/rsyslog.conf
# the authpriv file has restricted access.



# line 42: add
local1.*                                                /var/log/sudo.log
authpriv.*                                              /var/log/secure

[root@shriyaishost /]# /etc/rc.d/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]

Regular jobs are controlled by anacron by default on RHEL 6 (Scientific Linux 6 and CentOS 6 are the same). But anacron runs at a random time during the day (between 3 and 22 o'clock), so if you'd like to use cron and run jobs at a fixed time, change it as follows. Think twice before changing it if your server is a virtualization host: several virtual machines run on it, and if they all execute their regular jobs at the same time the host gets a heavy load at that moment. It is then necessary to stagger the time on each machine by hand, or to keep the anacron setting.

[root@shriyaishost /]# yum -y install cronie-noanacron
# the cron time settings are in /etc/cron.d/dailyjobs
# remove the anacron settings package once you have installed cron's settings
[root@shriyaishost /]# yum -y remove cronie-anacron
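As an added example that is not part of the original guide, the following POSIX shell functions summarise the separate sudo log that the rsyslog rule above produces: per user, how many commands sudo ran and how many it refused, plus the refused entries themselves. The log lines are constructed samples in the syslog format sudo writes on CentOS 6, not real data.

```shell
#!/bin/sh
# Summarise the sudo log that the rsyslog rule above writes to /var/log/sudo.log.
# Each sudo entry has the shape
#   <timestamp> <host> sudo: <user> : [<reason> ;] TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>
# With no <reason> the command was run; "command not allowed", "N incorrect
# password attempts" and "user NOT in sudoers" mean it was refused.
# Lines from other programs (sshd, cron, ...) in the same file are ignored.

# sudo_summary LOGFILE  ->  one line per user: "<user> <run> <refused>"
sudo_summary() {
    awk '
        $5 !~ /^sudo(\[[0-9]+\])?:$/ { next }
        {
            rest = $0; sub(/^.*sudo(\[[0-9]+\])?:[ \t]*/, "", rest)
            user = rest; sub(/[ \t]*:.*$/, "", user)
            first = rest; sub(/^[^:]*:[ \t]*/, "", first)   # text between "user :" and the first ";"
            sub(/[ \t]*;.*$/, "", first)
            if (!(user in seen)) { seen[user] = 1; order[++n] = user }
            if (first ~ /^TTY=/) run[user]++; else refused[user]++
        }
        END { for (k = 1; k <= n; k++) print order[k], run[order[k]] + 0, refused[order[k]] + 0 }
    ' "$1"
}

# sudo_refused LOGFILE  ->  one line per refused entry: "<user>|<reason>|<command>"
sudo_refused() {
    awk '
        $5 !~ /^sudo(\[[0-9]+\])?:$/ { next }
        {
            rest = $0; sub(/^.*sudo(\[[0-9]+\])?:[ \t]*/, "", rest)
            user = rest; sub(/[ \t]*:.*$/, "", user)
            first = rest; sub(/^[^:]*:[ \t]*/, "", first); sub(/[ \t]*;.*$/, "", first)
            if (first ~ /^TTY=/) next                     # this one was run, not refused
            cmd = rest; sub(/^.*COMMAND=/, "", cmd)
            print user "|" first "|" cmd
        }
    ' "$1"
}

# Constructed sample log (not real data) in the format sudo writes on CentOS 6.
SAMPLE_SUDO_LOG=$(mktemp)
cat > "$SAMPLE_SUDO_LOG" <<'EOF'
Oct 10 09:15:02 shriyaishost sudo: administrator : TTY=pts/0 ; PWD=/home/administrator ; USER=root ; COMMAND=/usr/sbin/useradd testuser
Oct 10 09:15:40 shriyaishost sudo: administrator : TTY=pts/0 ; PWD=/home/administrator ; USER=root ; COMMAND=/usr/bin/passwd testuser
Oct 10 09:16:11 shriyaishost sudo: administrator : command not allowed ; TTY=pts/0 ; PWD=/home/administrator ; USER=root ; COMMAND=/sbin/shutdown -r now
Oct 10 09:20:05 shriyaishost sudo: testuser : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/bash
Oct 10 09:21:30 shriyaishost sudo: testuser : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/bash
Oct 10 09:22:00 shriyaishost sshd[2211]: Accepted publickey for administrator from 192.168.1.96 port 50122 ssh2
EOF

echo "user run refused"
sudo_summary "$SAMPLE_SUDO_LOG"
echo "refused entries:"
sudo_refused "$SAMPLE_SUDO_LOG"
```

Run it against the real file with `sudo_summary /var/log/sudo.log`; a user with many refused entries and few run ones is worth a closer look.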



2.1 NTP Configuration

Configure an NTP server for time adjustment.

[root@shriyaishost /]# yum -y install ntp
[root@shriyaishost /]# vim /etc/ntp.conf
# change the servers used for synchronization
#server 0.rhel.pool.ntp.org
#server 1.rhel.pool.ntp.org
#server 2.rhel.pool.ntp.org
server 2.in.pool.ntp.org
server 0.asia.pool.ntp.org
server 2.asia.pool.ntp.org
[root@shriyaishost /]# /etc/rc.d/init.d/ntpd restart
[root@shriyaishost /]# chkconfig ntpd on
[root@shriyaishost /]# ntpq -p



2.2 SSH Server

Configure the SSH server. Before configuration, the routers must be configured so that TCP packets to port 22 can pass through.

[root@shriyaishost ~]# vi /etc/ssh/sshd_config
# line 42: uncomment and change to 'no'
PermitRootLogin no
# line 65: uncomment
PermitEmptyPasswords no
PasswordAuthentication yes
[root@shriyaishost ~]# /etc/rc.d/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]




Configure the SSH server for login with key authentication. This requires a private key for the client and a public key for the server. Download 'puttygen.exe' from PuTTY's site. Start 'puttygen.exe' and click 'Generate'. Move the mouse until the progress bar is full. Set a passphrase in 'Key passphrase' and 'Confirm passphrase'. Next, click 'Save public key' and 'Save private key' and save the keys under file names you want. Open the 'public_key' you saved. Remove the first and the last line, replace the second line with 'ssh-rsa' and then remove all indentation, so that it looks like:
'ssh-rsa xxxxxxxxxxxxxxxxxxxx=='

Log in as the user who will connect and put 'public_key' in place. (The prompt below shows root; since PermitRootLogin is set to no above, the key belongs in the home directory of the user who will actually log in.)

[root@shriyaishost ~]# mkdir .ssh
[root@shriyaishost ~]# chmod 700 .ssh
[root@shriyaishost ~]# cd .ssh
[root@shriyaishost .ssh]# vim authorized_keys
# copy and paste 'public_key'
ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
[root@shriyaishost .ssh]# chmod 600 authorized_keys
[root@shriyaishost .ssh]# vi /etc/ssh/sshd_config
# line 66: change
PasswordAuthentication no
[root@shriyaishost .ssh]# /etc/rc.d/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

Start PuTTY and select 'private_key'. If all is OK, connect to the server with key authentication. The passphrase you set is required for login. After entering the correct one, you can log in as shown below.

Transfer files with SFTP. Install WinSCP on your PC in order to do it. Install and start WinSCP, and the following screen is shown. Click 'New'. The following screen is shown; input the login information as below. For the private key file, use the one made in the section on SSH key authentication. Click 'Login' if everything is OK. Move to the 'Directory' section and input the remote server directory and the local client directory you want to start in. Next, click the login button and input your passphrase. You are now logged in and can upload or download files.
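As an added example that is not part of the original guide, this POSIX shell snippet checks the three sshd_config settings edited in this section the way sshd itself reads them (first occurrence of a keyword wins), which catches the common mistake of appending a setting below a still-active default. The two sample configuration files are constructed.

```shell
#!/bin/sh
# sshd reads sshd_config top-down: the FIRST occurrence of a keyword wins,
# keywords are case-insensitive, "#" lines and blank lines are ignored, and
# everything after the first "Match" block is conditional. A second, later
# "PasswordAuthentication yes" therefore does not undo the edit made above,
# but an edit typed BELOW a still-active default line is silently ignored.

# sshd_effective KEYWORD FILE  ->  the value sshd will use (empty if unset)
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }          # global section ends here
        tolower($1) == key       { print $2; exit }
    ' "$2"
}

# sshd_check FILE  ->  prints OK/FAIL per setting from this section; returns 1 on any FAIL.
# The defaults filled in for an absent keyword are those of OpenSSH 5.3 (CentOS 6).
sshd_check() {
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PermitEmptyPasswords=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$key" "$1")
        if [ -z "$got" ]; then
            case $key in
                PermitEmptyPasswords) got=no ;;
                *)                    got=yes ;;
            esac
        fi
        if [ "$got" = "$want" ]; then
            echo "OK    $key = $got"
        else
            echo "FAIL  $key = $got (want $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample 1: the edits of this section done correctly. The shipped
# commented defaults are still present, a duplicate PasswordAuthentication
# later in the file is ignored, and the Match block does not count.
SSHD_OK=$(mktemp)
cat > "$SSHD_OK" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
#PermitEmptyPasswords no
PermitEmptyPasswords no
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

# Constructed sample 2: the common mistake. "PasswordAuthentication no" was
# appended at the end of the file, below the still-active "yes" on line 66.
SSHD_WEAK=$(mktemp)
cat > "$SSHD_WEAK" <<'EOF'
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication yes
PasswordAuthentication no
EOF

sshd_check "$SSHD_OK"
sshd_check "$SSHD_WEAK" || echo "sample 2 is not hardened"
```

On the server itself, run `sshd_check /etc/ssh/sshd_config` after each edit and before restarting sshd.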



3. DNS Configuration (Very Important.)


Configure a DNS server which resolves domain names and IP addresses. Install BIND:

[root@shriyaishost ~]# yum -y install bind bind-utils

Configure BIND for the IP network [192.168.1.0/24] and the domain name [sislinux.com]. Please use your own IP range and domain name when you set the configuration on your server. Also set up your zones (mine is a local configuration).

[root@shriyaishost ~]# vim /etc/named.conf
# add 192.168.1.92 to the listen-on line, after 127.0.0.1
listen-on port 53 { 127.0.0.1; 192.168.1.92; };
# add 192.168.1.0/24 to the allow-query line, after localhost
allow-query     { localhost; 192.168.1.0/24; };
# append after the last line
include "/etc/named.rfc1912.zones";
/* sislinux.com Forward Zone */
zone "sislinux.com" IN {
        type master;
        file "sislinux.com.fwd";
        allow-update { none; };
};
/* sislinux.com Reverse Zone */
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "sislinux.com.rev";
        allow-update { none; };
};
[root@shriyaishost ~]# vim /etc/named.rfc1912.zones
# check the zones mentioned above
[root@shriyaishost ~]# cd /var/named
[root@shriyaishost named]# cp named.localhost sislinux.com.fwd
[root@shriyaishost named]# cp named.loopback sislinux.com.rev
[root@shriyaishost named]# vim sislinux.com.fwd
$ORIGIN sislinux.com.
$TTL 84600




@       IN      SOA     dns.sislinux.com. root.sislinux.com. (
                        123312  ; serial
                        1h      ; refresh
                        2h      ; retry
                        1w      ; expire
                        1h )    ; min cache
@       IN      NS      dns.sislinux.com.
@       IN      A       192.168.1.92
; Network Hosts
dns     IN      A       192.168.1.92
; the SOA contact is written with a dot in place of '@': root.sislinux.com. means root@sislinux.com

[root@shriyaishost named]# vim sislinux.com.rev
$ORIGIN 1.168.192.in-addr.arpa.
$TTL 84600
@       IN      SOA     dns.sislinux.com. root.sislinux.com. (
                        123312  ; serial
                        1h      ; refresh
                        2h      ; retry
                        1w      ; expire
                        1h )    ; min cache
@       IN      NS      dns.sislinux.com.
; Network Hosts
; the PTR owner is the last octet of the server's address, 192.168.1.92
92      IN      PTR     dns.sislinux.com.

[root@shriyaishost named]# system-config-network
# set the DNS settings; the resulting /etc/resolv.conf:
search sislinux.com
nameserver 192.168.1.92
nameserver 192.168.1.1
[root@shriyaishost named]# /etc/rc.d/init.d/network restart
[root@shriyaishost named]# chgrp named sislinux.com.*
[root@shriyaishost named]# /etc/rc.d/init.d/named restart
[root@shriyaishost named]# chkconfig named on

Checking for resolution.

[root@shriyaishost ~]# dig -x 192.168.1.92




[root@shriyaishost ~]# dig sislinux.com

[root@shriyaishost ~]# nslookup sislinux.com
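As an added example that is not part of the original guide, this POSIX shell function derives the reverse zone's PTR records from the forward zone file, which avoids the forward/reverse mismatch that is easy to make when the two files are typed by hand. The sample zone is the sislinux.com zone from this section with a few constructed extra hosts.

```shell
#!/bin/sh
# gen_reverse_zone FORWARD_ZONE_FILE
# Prints the $ORIGIN line and PTR records of the /24 reverse zone that match
# the A records of a forward zone in BIND master-file format, so the two files
# cannot drift apart (the PTR owner is taken from the A record's own address).
# Understands $ORIGIN, "@", names relative to the origin, an omitted owner
# (continuation of the previous owner), the optional IN class and ";" comments.
# A records outside the network of the first A record are reported on stderr
# and skipped; when one address has several names a host name is preferred
# over the zone apex and further duplicates are dropped (one PTR per address).
# Paste the output below the SOA/NS header of the .rev file copied from
# named.loopback, as in the section above.
gen_reverse_zone() {
    awk '
        BEGIN { owner = "@" }
        { sub(/;.*/, "") }                                  # drop comments
        NF == 0 { next }
        substr($1, 1, 1) == "$" { if ($1 == "$ORIGIN") origin = $2; next }
        {
            if ($0 ~ /^[ \t]/) i = 1; else { owner = $1; i = 2 }
            if ($i == "IN") i++
            if ($i != "A") next                             # SOA, NS, MX, ... ignored
            split($(i + 1), o, ".")
            this_net = o[1] "." o[2] "." o[3]
            if (net == "") net = this_net
            if (this_net != net) {
                printf "skipping %s: outside %s.0/24\n", $(i + 1), net > "/dev/stderr"
                next
            }
            name = (owner == "@") ? origin : (owner ~ /\.$/ ? owner : owner "." origin)
            oct = o[4]
            if (!(oct in seen)) { seen[oct] = 1; order[++n] = oct }
            if (name == origin) { if (!(oct in apex)) apex[oct] = name }
            else if (!(oct in host)) host[oct] = name
        }
        END {
            split(net, p, ".")
            printf "$ORIGIN %s.%s.%s.in-addr.arpa.\n", p[3], p[2], p[1]
            print "; PTR records generated from the forward zone"
            for (k = 1; k <= n; k++) {
                oct = order[k]
                print oct " IN PTR " ((oct in host) ? host[oct] : apex[oct])
            }
        }
    ' "$1"
}

# Constructed sample forward zone: the sislinux.com zone from this section plus
# a few extra hosts to exercise the edge cases (not part of the guide).
SAMPLE_FWD=$(mktemp)
cat > "$SAMPLE_FWD" <<'EOF'
$ORIGIN sislinux.com.
$TTL 84600
@       IN      SOA     dns.sislinux.com. root.sislinux.com. (
                        123312  ; serial
                        1h      ; refresh
                        2h      ; retry
                        1w      ; expire
                        1h )    ; min cache
@       IN      NS      dns.sislinux.com.
@       IN      A       192.168.1.92
; Network Hosts
dns     IN      A       192.168.1.92
www     IN      A       192.168.1.10
        IN      A       192.168.1.11    ; second address of www, owner omitted
mail    IN      A       10.0.0.5        ; another network: reported and skipped
EOF

gen_reverse_zone "$SAMPLE_FWD"
```

After regenerating the .rev file, bump the SOA serial in both files and run `named-checkzone 1.168.192.in-addr.arpa /var/named/sislinux.com.rev` before restarting named.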



4.1 DHCP Server


Configure a DHCP (Dynamic Host Configuration Protocol) server. If you make your Linux computer the DHCP server, it's necessary to disable the DHCP function on the router in the LAN.

Install and configure DHCP.

[root@shriyaishost ~]# yum -y install dhcp
[root@shriyaishost ~]# vi /etc/dhcp/dhcpd.conf
# create new
# specify the domain name
option domain-name "sislinux.com";
# specify the DNS server's hostname or IP address
# (a hostname must resolve when dhcpd starts; an IP address is the safer choice)
option domain-name-servers shriyaishost.sislinux.com;
# default lease time
default-lease-time 600;
# max lease time
max-lease-time 7200;
# declare this DHCP server to be authoritative
authoritative;
# specify the network address and subnet mask
# (dhcpd only starts if a subnet declaration matches the network of the interface
# it listens on; for this server on 192.168.1.92 that is 192.168.1.0/24, the
# 10.0.0.0/24 values below are kept as written)
subnet 10.0.0.0 netmask 255.255.255.0 {
    # specify the range of leased IP addresses
    range dynamic-bootp 10.0.0.200 10.0.0.254;
    # specify the broadcast address
    option broadcast-address 10.0.0.255;
    # specify the default gateway
    option routers 10.0.0.1;
}
[root@shriyaishost ~]# /etc/rc.d/init.d/dhcpd start
Starting dhcpd:                                            [  OK  ]
[root@shriyaishost ~]# chkconfig dhcpd on

Configure the client. This example is on Windows 7. Click on Start. In "Search programs and files" type ncpa.cpl. Right-click on Local Area Connection and click Properties. Select TCP/IPv4 and again click Properties. Change the IP address, subnet mask, default gateway, primary DNS and secondary DNS.



4.2 Storage Server


Configure a storage server with an iSCSI target.

# create a physical volume
[root@shriyaishost ~]# pvcreate /dev/sdb1
  Physical volume "/dev/sdb1" successfully created
# create a volume group named "vg_shriyaishost"
# (a volume group is as large as its physical volumes; -s would set the extent size, not the group size)
[root@shriyaishost ~]# vgcreate vg_shriyaishost /dev/sdb1
  Volume group "vg_shriyaishost" successfully created
# create a logical volume named "lv_home"
[root@shriyaishost ~]# lvcreate -L 1760G -n lv_home vg_shriyaishost
  Logical volume "lv_home" created
[root@shriyaishost ~]# yum -y install scsi-target-utils
[root@shriyaishost ~]# vi /etc/tgt/targets.conf
# add at the last line
# if you export several devices, add further <target> ... </target> blocks in the same way
# naming rule: iqn.year-month.reversed-domain:any-name
<target iqn.2008-09.sislinux.com:sislinux_scsi>
    backing-store /dev/vg_shriyaishost/lv_home
    # only this initiator may connect
    initiator-address 192.168.1.96
</target>
# tgtd (the target daemon) must be running for the target to be offered

Configure the client. A client which connects to an iSCSI target is called an iSCSI initiator.

[hari@shriyaisclient Desktop]$ yum install iscsi-initiator-utils
[hari@shriyaisclient Desktop]$ iscsiadm -m discovery -t st -p 192.168.1.92
[hari@shriyaisclient Desktop]$ iscsiadm -m node -T iqn.2008-09.sislinux.com:sislinux_scsi -p 192.168.1.92 -l
# (-l logs in to the target; the new disk is then reported in the log)
[hari@shriyaisclient Desktop]$ tailf /var/log/messages
[hari@shriyaisclient Desktop]$ fdisk /dev/sda4
# created a new partition of 500 GB
[hari@shriyaisclient Desktop]$ vim /etc/fstab
# added to fstab (_netdev defers the mount until the network is up):
UUID=<uuid of the new partition>  <mount point>  <vfat|ext4>  defaults,_netdev  0 0
:wq!
[hari@shriyaisclient Desktop]$ iscsiadm -m session
[hari@shriyaisclient Desktop]$ iscsiadm -m node -T iqn.2008-09.sislinux.com:sislinux_scsi -p 192.168.1.92 -u
/* log out from the target */
[hari@shriyaisclient Desktop]$ iscsiadm -m node -T iqn.2008-09.sislinux.com:sislinux_scsi -p 192.168.1.92 -o delete
/* delete the target record */



5. LDAP Server and Client Configuration


Using OpenLDAP

Install the OpenLDAP server.

[root@shriyaishost]# yum -y install openldap-servers openldap-clients
[root@shriyaishost]# vi /etc/sysconfig/ldap
# line 16: uncomment and change
SLAPD_LDAPI=yes
[root@shriyaishost]# vi /etc/openldap/slapd.conf
# create new
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
[root@shriyaishost]# rm -rf /etc/openldap/slapd.d/*
[root@shriyaishost]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
[root@shriyaishost]# vi /etc/openldap/slapd.d/cn=config/olcDatabase\={0}config.ldif
# line 4: change
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
[root@shriyaishost]# vi /etc/openldap/slapd.d/cn=config/olcDatabase\={1}monitor.ldif
# create new
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
creatorsName: cn=config
modifiersName: cn=config




[root@shriyaishost]# chown -R ldap. /etc/openldap/slapd.d
[root@shriyaishost]# chmod -R 700 /etc/openldap/slapd.d
[root@shriyaishost]# /etc/rc.d/init.d/slapd start
Starting slapd:                                            [  OK  ]
[root@shriyaishost]# chkconfig slapd on

Initial configuration:

[root@shriyaishost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core,cn=schema,cn=config"
[root@shriyaishost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@shriyaishost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@shriyaishost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
[root@shriyaishost ~]# slappasswd
# generate a password hash
New password:              # input any one
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@shriyaishost ~]# vi backend.ldif



# create new
# replace the section "dc=***,dc=***" with your own suffix
# replace the section "olcRootPW: ***" with your own password hash generated by slappasswd above
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=sislinux,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=sislinux,dc=com
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=sislinux,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=sislinux,dc=com" write by * read
[root@shriyaishost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
adding new entry "olcDatabase=hdb,cn=config"
[root@shriyaishost ~]# vi frontend.ldif
# create new



# replace the section "dc=***,dc=***" with your own suffix
# replace the section "userPassword: ***" with your own password hash generated by slappasswd above
dn: dc=sislinux,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: sislinux com
dc: sislinux

dn: cn=admin,dc=sislinux,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: ou=people,dc=sislinux,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=sislinux,dc=com
objectClass: organizationalUnit
ou: groups
[root@shriyaishost ~]# ldapadd -x -D cn=admin,dc=sislinux,dc=com -W -f frontend.ldif
Enter LDAP Password:         # password you set
adding new entry "dc=sislinux,dc=com"
adding new entry "cn=admin,dc=sislinux,dc=com"
adding new entry "ou=people,dc=sislinux,dc=com"
adding new entry "ou=groups,dc=sislinux,dc=com"

Add existing local users to the LDAP directory.

[root@shriyaishost ~]# vi ldapuser.sh
# extracts the local users whose UID has three digits in the range 500-999
# replace "SUFFIX=***" with your own suffix
# this is an example
#!/bin/bash
SUFFIX='dc=sislinux,dc=com'
LDIF='ldapuser.ldif'
echo -n > $LDIF
# spaces in the GECOS field are replaced by '%' so that one passwd line stays one loop item
for line in `grep "x:[5-9][0-9][0-9]:" /etc/passwd | sed -e "s/ /%/g"`
do
    UID1=`echo $line | cut -d: -f1`
    NAME=`echo $line | cut -d: -f5 | cut -d, -f1`
    if [ ! "$NAME" ]
    then
        NAME=$UID1
    else
        NAME=`echo $NAME | sed -e "s/%/ /g"`
    fi
    SN=`echo $NAME | awk '{print $2}'`
    if [ ! "$SN" ]
    then
        SN=$NAME
    fi
    GIVEN=`echo $NAME | awk '{print $1}'`
    UID2=`echo $line | cut -d: -f3`
    GID=`echo $line | cut -d: -f4`
    # anchor the user name to the start of the line so it is only matched in the name field
    PASS=`grep "^$UID1:" /etc/shadow | cut -d: -f2`
    SHELL=`echo $line | cut -d: -f7`
    HOME=`echo $line | cut -d: -f6`
    EXPIRE=`passwd -S $UID1 | awk '{print $7}'`
    FLAG=`grep "^$UID1:" /etc/shadow | cut -d: -f9`
    if [ ! "$FLAG" ]
    then
        FLAG="0"
    fi
    WARN=`passwd -S $UID1 | awk '{print $6}'`
    MIN=`passwd -S $UID1 | awk '{print $4}'`
    MAX=`passwd -S $UID1 | awk '{print $5}'`
    LAST=`grep "^$UID1:" /etc/shadow | cut -d: -f3`
    echo "dn: uid=$UID1,ou=people,$SUFFIX" >> $LDIF
    echo "objectClass: inetOrgPerson" >> $LDIF
    echo "objectClass: posixAccount" >> $LDIF
    echo "objectClass: shadowAccount" >> $LDIF
    echo "uid: $UID1" >> $LDIF
    echo "sn: $SN" >> $LDIF
    echo "givenName: $GIVEN" >> $LDIF
    echo "cn: $NAME" >> $LDIF
    echo "displayName: $NAME" >> $LDIF
    echo "uidNumber: $UID2" >> $LDIF
    echo "gidNumber: $GID" >> $LDIF
    echo "userPassword: {crypt}$PASS" >> $LDIF
    echo "gecos: $NAME" >> $LDIF
    echo "loginShell: $SHELL" >> $LDIF
    echo "homeDirectory: $HOME" >> $LDIF
    echo "shadowExpire: $EXPIRE" >> $LDIF
    echo "shadowFlag: $FLAG" >> $LDIF
    echo "shadowWarning: $WARN" >> $LDIF
    echo "shadowMin: $MIN" >> $LDIF
    echo "shadowMax: $MAX" >> $LDIF
    echo "shadowLastChange: $LAST" >> $LDIF
    echo >> $LDIF
done
[root@shriyaishost ~]# sh ldapuser.sh
[root@shriyaishost ~]# ldapadd -x -D cn=admin,dc=sislinux,dc=com -W -f ldapuser.ldif
Enter LDAP Password:         # LDAP admin password
adding new entry "uid=administrator,ou=people,dc=sislinux,dc=com"
adding new entry "uid=hari.iyer,ou=people,dc=sislinux,dc=com"
adding new entry "uid=ronak.shetty,ou=people,dc=sislinux,dc=com"

If you have the LDAPAdmin software for Windows, this is what you will see.

In my case I haven't added the script which adds existing users, so the LDAP server is simply created.




Install the OpenLDAP client.

[root@shriyaisclient]# yum -y install openldap-clients nss-pam-ldapd
[root@shriyaisclient]# vim /etc/openldap/ldap.conf
# add at the last line
# LDAP server's URI
URI ldap://192.168.1.92/
# specify the suffix
BASE dc=sislinux,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
[root@shriyaisclient]# vim /etc/nslcd.conf
# line 131: specify URI and suffix
uri ldap://192.168.1.92/
base dc=sislinux,dc=com
# no TLS: binds (including passwords) travel unencrypted on the LAN
ssl no
tls_cacertdir /etc/openldap/cacerts
[root@shriyaisclient]# vim /etc/pam_ldap.conf
# line 17: make it a comment
#host 127.0.0.1
# line 20: specify the suffix
base dc=sislinux,dc=com
# add at the last line
uri ldap://192.168.1.92/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
[root@shriyaisclient]# vim /etc/pam.d/system-auth
# add as follows
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet




account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
# add if you need it (creates the home directory automatically if there is none)
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077
[root@shriyaisclient]# vim /etc/nsswitch.conf
# line 33: add
passwd:     files ldap
shadow:     files ldap
group:      files ldap
# line 57: change
netgroup:   ldap
# line 61: change
automount:  files ldap
[root@shriyaisclient]# vim /etc/sysconfig/authconfig
# line 18: change
USELDAP=yes
[root@shriyaisclient]# chkconfig nslcd on
[root@shriyaisclient]# shutdown -r now

sislinux.com login: hari.iyer           # user on LDAP
Password:
Creating directory '/home/hari.iyer'.
[hari.iyer@sislinux.com]$ passwd        # try to change the LDAP password
Changing password for user hari.iyer.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information changed for hari.iyer
passwd: all authentication tokens updated successfully.




Install phpLDAPadmin.

[root@shriyaishost]# yum --enablerepo=epel -y install phpldapadmin    # install from EPEL
[root@shriyaishost]# vim /etc/phpldapadmin/config.php
# line 397: uncomment; line 398: make it a comment
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
[root@shriyaishost]# vim /etc/httpd/conf.d/phpldapadmin.conf
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  Order Deny,Allow
  Deny from all
  # IP addresses you allow
  Allow from 127.0.0.1 192.168.1.0/24
  Allow from ::1
</Directory>
[root@shriyaishost]# /etc/rc.d/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

6. Virtualization (KVM)

Installing KVM / QEMU

[root@shriyaishost]# yum -y install qemu-kvm libvirt python-virtinst bridge-utils
[root@shriyaishost ~]# modprobe kvm
[root@shriyaishost ~]# modprobe kvm_intel     # if AMD, "kvm_amd"
[root@shriyaishost ~]# lsmod | grep kvm
kvm_intel              46589  0
kvm                   292815  1 kvm_intel
[root@shriyaishost ~]# /etc/rc.d/init.d/libvirtd start
Starting libvirtd daemon: [OK]
[root@shriyaishost ~]# chkconfig libvirtd on

Configure bridge networking for KVM virtual machines. Not performed by me personally, yet it is preferred to be set up. Please do not ignore it. I am sorting down the steps to do it.

[root@shriyaishost ~]# cd /etc/sysconfig/network-scripts
[root@shriyaishost network-scripts]# cp ifcfg-eth0 ifcfg-br0
[root@shriyaishost network-scripts]# vi ifcfg-br0
# change
DEVICE=br0
HWADDR=00:22:68:3D:82:88
ONBOOT=yes
BOOTPROTO=none
IPADDR=10.0.0.30
NETMASK=255.255.255.0
# change
TYPE=Bridge
GATEWAY=10.0.0.1
DNS1=10.0.0.30
IPV6INIT=no
USERCTL=no
[root@shriyaishost network-scripts]# vi ifcfg-eth0
DEVICE=eth0
HWADDR=00:22:68:3D:82:88
ONBOOT=yes
BOOTPROTO=none
IPADDR=10.0.0.30
NETMASK=255.255.255.0
TYPE=Ethernet
GATEWAY=10.0.0.1
DNS1=10.0.0.30
IPV6INIT=no
USERCTL=no
# add
BRIDGE=br0
[root@shriyaishost network-scripts]# cd
[root@shriyaishost ~]# /etc/rc.d/init.d/network restart
Shutting down interface eth0: [OK]
Shutting down loopback interface: [OK]
Bringing up loopback interface: [OK]
Bringing up interface eth0: [OK]
Bringing up interface br0: [OK]
[root@shriyaishost ~]# ifconfig

Creating a Virtual Machine. Click on Applications at the top of the menu bar. Select System Tools. Select Virtual Machine Manager. Follow the screenshots :-

I WILL ELABORATE THE COMMAND MODE OF KVM IN MY LAST PART OF THE BOOK. PLEASE KEEP A TRACK OF IT.

7. NFS, NIS and Samba (File Sharing)


Installing NFS Server

[root@shriyaishost /]# yum install nfs-utils -y
[root@shriyaishost /]# vim /etc/idmapd.conf
# line 5: uncomment and change to your domain name
Domain = sislinux.com
[root@shriyahost /]# vim /etc/exports
# write like below (*note). The option list must follow the client with no space
# in between: "192.168.1.0/24 (rw,...)" would apply the options to "*" (everyone)
# and export /home to the network with the default options instead.
/home 192.168.1.0/24(rw,sync,no_root_squash,no_all_squash)

*note
/home             shared directory
192.168.1.0/24    range of networks NFS permits access from
rw                writable
sync              synchronize
no_root_squash    enable root privilege
no_all_squash     enable users' authority

[root@shriyaishost ~]# /etc/rc.d/init.d/rpcbind start
Starting rpcbind: [OK]
[root@shriyaishost ~]# /etc/rc.d/init.d/nfslock start
Starting NFS statd: [OK]
[root@shriyaishost ~]# /etc/rc.d/init.d/nfs start
Starting NFS services: [OK]
Starting NFS daemon: [OK]
Starting NFS mountd: [OK]
Starting RPC idmapd: [OK]
[root@shriyaishost ~]# chkconfig rpcbind on
[root@shriyaishost ~]# chkconfig nfslock on
[root@shriyaishost ~]# chkconfig nfs on
[root@sislinux Desktop]# exportfs     # check the share
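As an added example (not part of this guide), the following POSIX shell audit reads an exports file and reports the space-before-parenthesis mistake, which makes the option list an entry for everyone while the named network gets the default options, and also warns about no_root_squash; the two sample files are constructed in a temporary directory and the function name audit_exports is my own.

```shell
#!/bin/sh
# Audit an /etc/exports file for entries that expose a share to the world.
# audit_exports FILE -> prints findings; returns 1 if a world-exposed entry
# was found, 0 otherwise (the no_root_squash warning alone keeps status 0).
set -f   # exports lines contain "*" and "(": never glob-expand them

audit_exports() {
    ae_file=$1
    ae_status=0
    while IFS= read -r ae_line || [ -n "$ae_line" ]; do
        ae_line=${ae_line%%#*}                              # drop comments
        [ -n "$(printf '%s' "$ae_line" | tr -d '[:space:]')" ] || continue
        set -- $ae_line                                      # split: dir client...
        ae_dir=$1
        shift
        for ae_spec in "$@"; do
            case $ae_spec in
                \*|\*\(*)                                    # explicit "*" client
                    echo "ERROR   $ae_dir: '$ae_spec' exports to everyone"
                    ae_status=1 ;;
                \(*)                                         # detached option list
                    echo "ERROR   $ae_dir: '$ae_spec' is not attached to a client; it becomes an entry for * (everyone)"
                    ae_status=1 ;;
                *no_root_squash*)
                    echo "WARNING $ae_dir: $ae_spec keeps remote root as root on the share" ;;
            esac
        done
    done < "$ae_file"
    return $ae_status
}

# Constructed samples: the detached form and the corrected form of the page's line.
AE_TMP=$(mktemp -d)
cat > "$AE_TMP/exports.bad" <<'EOF'
# constructed sample: space before the parenthesis
/home 192.168.1.0/24 (rw,sync,no_root_squash,no_all_squash)
EOF
cat > "$AE_TMP/exports.good" <<'EOF'
# constructed sample: options glued to the client
/home 192.168.1.0/24(rw,sync,no_root_squash,no_all_squash)
EOF

echo "== constructed bad exports =="
audit_exports "$AE_TMP/exports.bad" || echo "-> exit status 1: fix this before running exportfs -ra"
echo "== corrected exports =="
audit_exports "$AE_TMP/exports.good" && echo "-> exit status 0: only the no_root_squash warning remains"
```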

Installing NFS Client

[root@shriyaisclient /]# yum install nfs-utils -y
[root@shriyaisclient ~]# vi /etc/idmapd.conf
# line 5: uncomment and change to your domain name
Domain = sislinux.com
[root@shriyaisclient ~]# /etc/rc.d/init.d/rpcbind start
Starting rpcbind: [ OK ]
[root@shriyaisclient ~]# /etc/rc.d/init.d/rpcidmapd start
[ OK ]
[root@shriyaisclient ~]# /etc/rc.d/init.d/nfslock start
Starting NFS statd: [ OK ]
[root@shriyaisclient ~]# /etc/rc.d/init.d/netfs start
Mounting other filesystems: [ OK ]
[root@shriyaisclient ~]# chkconfig rpcbind on
[root@shriyaisclient ~]# chkconfig rpcidmapd on
[root@shriyaisclient ~]# chkconfig nfslock on
[root@shriyaisclient ~]# chkconfig netfs on
[root@shriyaisclient ~]# mount -t nfs sislinux.com:/home /home
[root@shriyaisclient ~]# df -h

Installing NIS Server

[root@shriyaishost /]# yum -y install ypserv rpcbind
[root@shriyaishost /]# ypdomainname sislinux.com     # set the NIS domain name
[root@shriyaishost /]# vi /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=sislinux.com
# add at the last line
NISDOMAIN=sislinux.com
[root@shriyaishost /]# vi /var/yp/Makefile
# line 42: change
# MERGE_PASSWD=true|false
MERGE_PASSWD=false
# line 46: change
# MERGE_GROUP=true|false
MERGE_GROUP=false
# line 117: add
all: passwd shadow group hosts rpc services netid protocols
[root@shriyaishost /]# vim /var/yp/securenets
255.255.255.0 192.168.1.1
[root@shriyaishost /]# vim /etc/hosts
# add own IP address
192.168.1.92 sislinux.com
[root@shriyaishost /]# /etc/rc.d/init.d/rpcbind start
Starting portmap: [OK]
[root@shriyaishost /]# /etc/rc.d/init.d/ypserv start
Starting YP server services: [OK]
[root@shriyaishost /]# /etc/rc.d/init.d/yppasswdd start
Starting YP passwd service: [OK]
[root@shriyaishost /]# chkconfig rpcbind on
[root@shriyaishost /]# chkconfig ypserv on
[root@shriyaishost /]# chkconfig yppasswdd on
[root@shriyaishost /]# /usr/lib64/yp/ypinit -m     # update the NIS database

At this point, we have to construct a list of the hosts which will run NIS
servers.  sislinux.dlp is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
        Next host to add: dlp
        Next host to add:          # push the Ctrl + D key
The current list of NIS servers looks like this:

dlp

Is this correct? [Y/n: y] Y     # answer yes
We need a few minutes to build the databases...
Building /var/yp/sislinux.com/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/sislinux.com'
Updating passwd.byname...
Updating passwd.byuid...
Updating shadow.byname...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/sislinux.com'

dlp has been set up as a NIS master server.

Now you can run ypinit -s dlp on all slave server.

# It is necessary to update the NIS database in the following way whenever a new user is added
[root@shriyaishost /]# cd /var/yp
[root@shriyaishost yp]# make

Configure NIS Client

[root@rhelclient ~]# yum -y install ypbind rpcbind
[root@rhelclient ~]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=www.sislinux.com
# add at the last line
NISDOMAIN=sislinux.com
[root@rhelclient ~]# vim /etc/sysconfig/authconfig
# line 19: change
USENIS=yes
[root@rhelclient ~]# vim /etc/yp.conf
# add at the last line (domain [domain] server [NIS server])
domain sislinux.com server sislinux.com
[root@rhelclient ~]# vim /etc/nsswitch.conf
# line 33: add
passwd:     files nis
shadow:     files nis
group:      files nis
hosts:      files dns nis
# add optionally if you need it (creates the home directory automatically if there is none)
[root@rhelclient ~]# vim /etc/pam.d/system-auth
# add at the last line
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077
[root@rhelclient ~]# chkconfig rpcbind on
[root@rhelclient ~]# chkconfig ypbind on
[root@rhelclient ~]# shutdown -r now

sislinux.com login: hari.iyer     # user on NIS
Password:                          # password
Creating directory '/home/hari.iyer'.
[hari.iyer@rhelclient ~]$      # logged in
[hari.iyer@rhelclient ~]$ ypwhich
[hari.iyer@rhelclient ~]$ ypcat passwd
administrator:x:500:500::/home/administrator:/bin/bash
ubuntu:x:502:502::/home/ubuntu:/bin/bash
fedora:x:501:501::/home/administrator:/bin/bash
hari.iyer:x:503:503::/home/hari.iyer:/bin/bash
[hari.iyer@rhelclient ~]$ ypcat hosts
192.168.1.92 sislinux.com
192.168.1.92 sislinux.com
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
[hari.iyer@rhelclient ~]$ yppasswd     # try to change the NIS password
Changing NIS account information for hari.iyer on
Please enter old password:     # current one
Changing NIS password for hari.iyer on
Please enter new password:     # new one
Please retype new password:
The NIS password has been changed on
[hari.iyer@rhelclient ~]$      # just changed

8. Web servers (Important)


Install and configure HTTPD, HTML

[root@shriyaishost /]# yum -y install httpd
# remove the welcome page
[root@shriyaishost /]# rm -f /etc/httpd/conf.d/welcome.conf
# remove the default error page
[root@shriyaishost /]# rm -f /var/www/error/noindex.html
# create a link for Perl
[root@shriyaishost /]# ln -s /usr/bin/perl /usr/local/bin/perl
[root@shriyaishost /]# vim /etc/httpd/conf/httpd.conf
# line 44: change
ServerTokens Prod
# line 76: change to On
KeepAlive On
# line 262: admin's address
ServerAdmin root@sislinux.com
# line 276: change to your server's name
ServerName www.sislinux.com:80
# line 331: change (enable CGI and disable Indexes)
Options FollowSymLinks ExecCGI
# line 338: change
AllowOverride All
# line 402: add the file names that can be served when only the directory's name is requested
DirectoryIndex index.html index.cgi index.php
# line 536: change
ServerSignature Off
# line 759: make it a comment
#AddDefaultCharset UTF-8
# line 796: uncomment and add the file types that Apache treats as CGI
AddHandler cgi-script .cgi .pl
[root@shriyaishost /]# /etc/rc.d/init.d/httpd start
Starting httpd: [ OK ]
[root@shriyaishost /]# chkconfig httpd on
[root@shriyaishost /]# vim /var/www/html/index.html
<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
Test Page
</div>
</body>
</html>

Configure PERL

[root@shriyaishost /]# vim /var/www/html/index.cgi
#!/usr/local/bin/perl
print "Content-type: text/html\n\n";
print "<html>\n<body>\n";
print "<div style=\"width: 100%; font-size: 40px; font-weight: bold; text-align: center;\">\n";
print "CGI Test Page";
print "\n</div>\n";
print "</body>\n</html>\n";
[root@shriyaishost /]# chmod 705 /var/www/html/index.cgi

Install and configure PHP

[root@shriyaishost /]# yum -y install php php-mbstring php-pear
[root@shriyaishost /]# /etc/rc.d/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@shriyaishost /]# vi /var/www/html/index.php
<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
<?php print date("Y/m/d"); ?>
</div>
</body>
</html>

Install and configure RUBY

[root@shriyaishost /]# yum -y install ruby
[root@shriyaishost /]# vim /etc/httpd/conf/httpd.conf
# line 796: add the extension for Ruby scripts
AddHandler cgi-script .cgi .pl .rb
[root@shriyaishost /]# /etc/rc.d/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@shriyaishost /]# vi /var/www/html/index.rb
#!/usr/bin/ruby
print "Content-type: text/html\n\n"
print "<html>\n<body>\n"
print "<div style=\"width: 100%; font-size: 40px; font-weight: bold; text-align: center;\">\n"
print "Ruby Test Page<br />"
print Time.now.strftime('%Y/%m/%d')
print "\n</div>\n"
print "</body>\n</html>\n"
[root@shriyaishost /]# chmod 705 /var/www/html/index.rb

Configuration of SSL

[root@shriyaishost /]# yum -y install mod_ssl
[root@shriyaishost /]# vim /etc/httpd/conf.d/ssl.conf
# line 77: uncomment
DocumentRoot "/var/www/html"
# line 78: uncomment and specify the server name
ServerName www.sislinux.com:443
# line 105: specify the certificate
SSLCertificateFile /etc/pki/tls/certs/server.crt
# line 112: specify the certificate key
SSLCertificateKeyFile /etc/pki/tls/certs/server.key
[root@shriyaishost /]# /etc/rc.d/init.d/httpd restart
Stopping httpd: [OK]
Starting httpd: [OK]

Enable User Directory (Configure httpd)

[root@shriyaishost /]# vi /etc/httpd/conf/httpd.conf
# line 366: make it a comment
#UserDir disable
# line 373: uncomment
UserDir public_html
# lines 381-392: uncomment
<Directory /home/*/public_html>
    # change
    AllowOverride All
    # enable CGI
    Options ExecCGI
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
[root@shriyaishost /]# /etc/rc.d/init.d/httpd restart
Stopping httpd: [OK]
Starting httpd: [OK]
Enable User Directory (Create a CGI test page in a user's home directory and access it with a web browser. It's OK if the following page is shown.)

[hari.iyer@www ~]$ mkdir public_html
[hari.iyer@www ~]$ chmod 711 /home/hari.iyer     # let httpd traverse the home directory
[hari.iyer@www ~]$ chmod 755 /home/hari.iyer/public_html
[hari.iyer@www ~]$ cd public_html
[hari.iyer@www public_html]$ vi index.cgi
#!/usr/local/bin/perl
print "Content-type: text/html\n\n";
print "<html>\n<body>\n";
print "<div style=\"width: 100%; font-size: 40px; font-weight: bold; text-align: center;\">\n";
print "Test Page ( /home/hari.iyer/public_html )";
print "\n</div>\n";
print "</body>\n</html>\n";
[hari.iyer@www public_html]$ chmod 705 index.cgi

Configure virtual hosting. The following example is done with the domain name [sislinux.com (root directory [/var/www/html])] and the virtual domain name [virtual.host (root directory [/home/hari.iyer/public_html])]. Before doing it, it's necessary to add the new domain name in your DNS first.

Configure httpd for Virtual Hosting.

[root@shriyaishost ~]# vi /etc/httpd/conf/httpd.conf
# line 990: uncomment
NameVirtualHost *:80
# at the last lines: (for the original domain)
<VirtualHost *:80>
    DocumentRoot /var/www/html
    ServerName www.sislinux.com
</VirtualHost>
# at the last lines: (for the virtual domain)
<VirtualHost *:80>
    DocumentRoot /home/hari.iyer/public_html
    ServerName www.virtual.host
    ServerAdmin webmaster@virtual.host
    ErrorLog logs/virtual.host-error_log
    CustomLog logs/virtual.host-access_log combined
</VirtualHost>
[root@shriyaishost ~]# /etc/rc.d/init.d/httpd restart
Stopping httpd: [OK]
Starting httpd: [OK]

Access the test page for the virtual domain; it's OK if it is displayed.

[hari.iyer@www ~]$ vim ./public_html/index.cgi
#!/usr/local/bin/perl
print "Content-type: text/html\n\n";
print "<html>\n<body>\n";
print "<div style=\"width: 100%; font-size: 40px; font-weight: bold; text-align: center;\">\n";
print "Virtual Host Test Page";
print "\n</div>\n";
print "</body>\n</html>\n";
[hari.iyer@www ~]$ chmod 705 ./public_html/index.cgi

SCREENSHOT NEXT PAGE --------------------------------------------

Configure WebDAV.

[root@shriyaishost ~]# mkdir /home/security
[root@shriyaishost ~]# chown apache. /home/security
[root@shriyaishost ~]# chmod 770 /home/security
[root@shriyaishost ~]# vim /etc/httpd/conf.d/webdav.conf
Alias /share /home/security
<Location /share>
    DAV On
    SSLRequireSSL
    Options None
    AuthType Basic
    AuthName WebDAV
    AuthUserFile /etc/httpd/conf/.htpasswd
    <LimitExcept GET OPTIONS>
        Order allow,deny
        # IP addresses you allow
        Allow from 10.0.0.
        Require valid-user
    </LimitExcept>
</Location>
[root@shriyaishost ~]# htpasswd -c /etc/httpd/conf/.htpasswd cent
New password:              # set password
Re-type new password:      # confirm
Adding password for user cent
[root@shriyaishost ~]# /etc/rc.d/init.d/httpd restart
Stopping httpd: [OK]
Starting httpd: [OK]

This is the configuration on a client PC (Windows 7). Windows 7 does not have a WebDAV function, so use free software as the WebDAV client. Download 'CarotDAV' for free from the following site: http://www.rei.to/carotdav.html After downloading, install and start CarotDAV; when the following screen is shown, click the 'Add' button and select 'WebDAV'.

Configure httpd and set up a page that people must authenticate for, where the authentication is done against the LDAP server.

[root@shriyaishost ~]# vim /etc/httpd/conf.d/auth_ldap.conf
# create new
<IfModule authnz_ldap_module>
    <Directory /var/www/html/ldap>
        SSLRequireSSL
        AuthName "LDAP Authentication"
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL ldap://192.168.1.92/dc=sislinux,dc=com?uid?sub?(objectClass=*)
        Require ldap-filter objectClass=posixAccount
    </Directory>
</IfModule>
[root@shriyaishost ~]# /etc/rc.d/init.d/httpd restart
Stopping httpd: [OK]
Starting httpd: [OK]
[root@shriyaishost ~]# vi /var/www/html/ldap/index.html
# create a test page
<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
Test Page for LDAP Auth
</div>
</body>
</html>

Install the Apache log analyzer, Visitors.

[root@shriyaishost ~]# yum -y install graphviz
[root@shriyaishost ~]# wget http://www.hping.org/visitors/visitors-0.7.tar.gz
[root@shriyaishost ~]# tar zxvf visitors-0.7.tar.gz
[root@shriyaishost ~]# cd visitors_0.7
[root@shriyaishost visitors_0.7]# make
[root@shriyaishost visitors_0.7]# cp visitors /usr/local/bin/
[root@shriyaishost visitors_0.7]# cd
[root@shriyaishost ~]# mkdir /var/www/html/visitors
[root@shriyaishost ~]# vi /etc/httpd/conf.d/visitors.conf
# create new
<Location /visitors>
    Order Deny,Allow
    Deny from all
    # IP addresses you allow
    Allow from 192.168.1.0/24
</Location>
[root@shriyaishost ~]# /etc/rc.d/init.d/httpd restart
Stopping httpd: [OK]
Starting httpd: [OK]
# generate common reports
[root@shriyaishost ~]# visitors -A /var/log/httpd/access_log -o html > /var/www/html/visitors/index.html
11 lines processed in 1 second
0 invalid lines, 0 blacklisted referers
# generate page tour reports
[root@shriyaishost ~]# visitors -A -m 30 /var/log/httpd/access_log -o html --trails --prefix http://www.sislinux.com > /var/www/html/visitors/trails.html
11 lines processed in 1 seconds
0 invalid lines, 0 blacklisted referers
# generate the page tour image
[root@shriyaishost ~]# visitors /var/log/httpd/access_log --prefix http://www.sislinux.com -V > /var/www/html/visitors/graph.dot
11 lines processed in 1 seconds
0 invalid lines, 0 blacklisted referers
[root@shriyaishost ~]# dot -Tpng /var/www/html/visitors/graph.dot > /var/www/html/visitors/graph.png

SCREENSHOT 1 to SCREENSHOT 4: Visitors report pages (images not reproduced).
Install RoundCube.

[root@shriyaishost ~]# yum --enablerepo=epel -y install roundcubemail     # install from EPEL
[root@shriyaishost ~]# mysql -u root -p     # connect to MySQL
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

# create the "roundcube" database (set your own password in the 'password' section)
mysql> create database roundcube character set utf8 collate utf8_bin;
Query OK, 1 row affected (0.00 sec)
mysql> grant all privileges on roundcube.* to roundcube@'localhost' identified by 'password';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
[root@shriyaishost ~]# cd /usr/share/doc/roundcubemail-*/SQL
[root@shriyaishost SQL]# mysql -u roundcube -p roundcube < mysql.initial.sql
Enter password:
[root@shriyaishost SQL]# cd
[root@shriyaishost ~]# vi /etc/roundcubemail/db.inc.php
# line 21: change like follows (replace 'password' with your password)
$rcmail_config['db_dsnw'] = 'mysql://roundcube:password@localhost/roundcube';
[root@shriyaishost ~]# vi /etc/roundcubemail/main.inc.php
# line 66: specify the IMAP server (SSL)
$rcmail_config['default_host'] = 'ssl://mail.sislinux.com';
# line 69: specify the IMAP port (SSL)
$rcmail_config['default_port'] = 993;
# line 87: specify the domain name
$rcmail_config['mail_domain'] = 'sislinux.com';
# line 102: specify the SMTP server (SSL)
$rcmail_config['smtp_server'] = 'ssl://mail.sislinux.com';
# line 105: specify the SMTP port (SSL)
$rcmail_config['smtp_port'] = 465;
# line 109: change (use the same user for SMTP auth and IMAP auth)
$rcmail_config['smtp_user'] = '%u';
# line 113: change (use the same password for SMTP auth and IMAP auth)
$rcmail_config['smtp_pass'] = '%p';
# line 117: change (SMTP auth type)
$rcmail_config['smtp_auth_type'] = 'LOGIN';
# line 123: specify the SMTP HELO host
$rcmail_config['smtp_helo_host'] = 'mail.sislinux.com';
# line 168: change to your language
$rcmail_config['language'] = 'en_EN';
# line 180: change the UserAgent
$rcmail_config['useragent'] = 'Sislinux Com Webmail';
# line 183: change the title
$rcmail_config['product_name'] = 'Sislinux Com Webmail';
# line 218: change the default charset for your language
$rcmail_config['default_charset'] = 'iso-2022-jp';
[root@shriyaishost ~]# vi /etc/httpd/conf.d/roundcubemail.conf
# line 5: change
Alias /roundcube /usr/share/roundcubemail
<Directory /usr/share/roundcubemail/>
    Order Deny,Allow
    Deny from all
    # IP addresses you allow
    Allow from 127.0.0.1 192.168.1.0/24
</Directory>
[root@shriyaishost ~]# /etc/rc.d/init.d/httpd restart
Stopping httpd: [OK]
Starting httpd: [OK]

9. FTP Servers (Important)


Install Vsftpd

[root@shriyaishost ~]# yum -y install vsftpd
[root@shriyaishost ~]# vim /etc/vsftpd/vsftpd.conf
# line 12: no anonymous
anonymous_enable=NO
# lines 80,81: uncomment (allow ascii mode)
ascii_upload_enable=YES
ascii_download_enable=YES
# lines 95,96: uncomment (enable chroot)
chroot_local_user=YES
chroot_list_enable=YES
# line 98: uncomment (specify the chroot list)
chroot_list_file=/etc/vsftpd/chroot_list
# line 104: uncomment
ls_recurse_enable=YES
# add at the last line
# specify the root directory (if not specified, users' home directory becomes the FTP home directory)
local_root=public_html
# use localtime
use_localtime=YES
[root@shriyaishost ~]# vim /etc/vsftpd/chroot_list
# add the users you allow to move outside their home directory
hari.iyer
[root@shriyaishost ~]# /etc/rc.d/init.d/vsftpd start
Starting vsftpd for vsftpd: [OK]
[root@shriyaishost ~]# chkconfig vsftpd on

Install ProFTPD

[root@shriyaishost ~]# yum --enablerepo=epel -y install proftpd     # install from EPEL
[root@shriyaishost ~]# vim /etc/proftpd.conf
# line 8: change to your hostname
ServerName "www.sislinux.com"
# line 10: change to your email address
ServerAdmin xxx@sislinux.com
# add near line 48
# get the access log
ExtendedLog /var/log/proftpd/access.log WRITE,READ default
# get the auth log
ExtendedLog /var/log/proftpd/auth.log AUTH auth
[root@shriyaishost ~]# vim /etc/ftpusers
# add the users you prohibit from FTP access
test
[root@shriyaishost ~]# /etc/rc.d/init.d/proftpd start
Starting proftpd: [OK]
[root@shriyaishost ~]# chkconfig proftpd on

Install PureFTPD

[root@shriyaishost ~]# yum --enablerepo=epel -y install pure-ftpd     # install from EPEL
[root@shriyaishost ~]# vim /etc/pure-ftpd/pure-ftpd.conf
# line 77: change (no Anonymous)
NoAnonymous yes
# line 143: uncomment
UnixAuthentication yes
[root@shriyaishost ~]# /etc/rc.d/init.d/pure-ftpd start
Starting proftpd: [OK]
[root@shriyaishost ~]# chkconfig pure-ftpd on

10. Database Servers (Important)


Install PostgreSQL

[root@shriyaishost ~]# yum -y install postgresql-server
[root@shriyaishost ~]# /etc/rc.d/init.d/postgresql initdb
Initializing database: [OK]
[root@shriyaishost ~]# vi /var/lib/pgsql/data/postgresql.conf
# line 59: listen on all addresses
listen_addresses = '*'
# line 334: change the log format
log_line_prefix = '%t %u %d'
[root@shriyaishost ~]# /etc/rc.d/init.d/postgresql start
Starting postgresql service: [OK]
[root@shriyaishost ~]# chkconfig postgresql on
[root@shriyaishost ~]# su - postgres     # switch to postgres
# set the DB password for "postgres"
-bash-4.1$ psql -c "alter user postgres with password 'password'"
ALTER ROLE
-bash-4.1$ createuser hari.iyer     # create DB user "hari.iyer"
Shall the new role be a superuser? (y/n) y     # give privileges
-bash-4.1$ su hari.iyer
Password:
[hari.iyer@shriyaishost ~]$ createdb testdb     # create a test DB
[hari.iyer@shriyaishost ~]$ psql -l     # make sure
                                  List of databases
   Name    |  Owner   | Encoding |  Collation  |    Ctype    |   Access privileges
-----------+----------+----------+-------------+-------------+-----------------------
 postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 template0 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres
                                                             : postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres
                                                             : postgres=CTc/postgres
 testdb    | cent     | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
(4 rows)
[hari.iyer@shriyaishost ~]$ psql testdb     # connect to the test DB
psql (8.4.7)
Type "help" for help.

# set the password
testdb=# alter user hari.iyer with password 'password';
ALTER ROLE
# create a test table
testdb=# create table test ( no int, name text );
CREATE TABLE
# insert test data
testdb=# insert into test (no,name) values (1,'hari.iyer');
INSERT 0 1
# confirm
testdb=# select * from test;
 no |   name
----+-----------
  1 | hari.iyer
(1 row)
# delete the test table
testdb=# drop table test;
DROP TABLE
# quit
testdb=# \q
[hari.iyer@shriyaishost ~]$ dropdb testdb     # delete the test DB

Install MySQL

[root@shriyaishost ~]# yum -y install mysql-server
[root@shriyaishost ~]# /etc/rc.d/init.d/mysqld start
Initializing MySQL database:  Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h www.sislinux.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

Starting mysqld: [OK]
[root@shriyaishost ~]# chkconfig mysqld on
[root@shriyaishost ~]# mysql -u root     # connect to MySQL
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

# show user info
mysql> select user,host,password from mysql.user;
# set the root password
mysql> set password for root@localhost=password('password');
Query OK, 0 rows affected (0.00 sec)
# set the root password
mysql> set password for root@'127.0.0.1'=password('password');
Query OK, 0 rows affected (0.00 sec)
# set the root password
mysql> set password for root@'www.sislinux.com'=password('password');
Query OK, 0 rows affected (0.00 sec)
# delete the anonymous user
mysql> delete from mysql.user where user='';
Query OK, 2 rows affected (0.00 sec)
# reload the grant tables so the deletion takes effect without a restart
mysql> flush privileges;
mysql> select user,host,password from mysql.user;
mysql> exit     # quit
Bye
[root@shriyaishost ~]# mysql -u root -p     # connect with root
Enter password:     # MySQL root password
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> exit
Bye

11. Version Control (Important)


Install and Configure Subversion.

[root@shriyaishost ~]# yum -y install subversion mod_dav_svn
[root@shriyaishost ~]# vim /etc/httpd/conf.d/subversion.conf
# lines 26-40: uncomment and change like follows
<Location /repos>
    DAV svn
    SVNParentPath /var/www/svn
    #
    # Limit write permission to list of valid users.
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        # Require SSL connection for password protection.
        SSLRequireSSL
        AuthType Basic
        AuthName "Authorization Realm"
        AuthUserFile /etc/httpd/conf/.htpasswd
        # specify the access control file
        AuthzSVNAccessFile /etc/svnusers
        Require valid-user
    </LimitExcept>
</Location>
[root@shriyaishost ~]# vim /etc/svnusers
# set access rights like the example below
[site:/]
# all users are writable
* = rw
[site:/directory]
# hari.iyer is writable
hari.iyer = rw
# userB is readable
userB = r
# userC is not permitted
userC =
[root@shriyaishost ~]# mkdir -p /var/www/svn/site
[root@shriyaishost ~]# svnadmin create /var/www/svn/site     # create a repository
[root@shriyaishost ~]# chown -R apache. /var/www/svn
# add a user (-c creates the password file anew and overwrites the one created for WebDAV above; omit -c to add a user to an existing file)
[root@shriyaishost ~]# htpasswd -c /etc/httpd/conf/.htpasswd hari.iyer
New password:     # set password
Re-type new password:
Adding password for user hari.iyer
[root@shriyaishost ~]# /etc/rc.d/init.d/httpd restart
Stopping httpd: [OK]
Starting httpd: [OK]

Install and Configure Subversion Client.

These are the client settings. For example, install TortoiseSVN on Windows 7. .NET Framework 4 is required.
[1] After installation, execute "Import" first by right-clicking a folder you'd like to put under version control, as follows.
[2] Specify the repository's URL like follows: "https://sislinux.com/repos/(repository name)"
[3] Click "Accept Permanently"; it's no problem, it is shown because the certificates are self-signed.
[4] Authentication is required. Log in as a user you set in htpasswd.
[5] After authentication, importing starts.
[6] Execute "Checkout" next. Create a working folder and right-click "SVN Checkout" on the menu.
[7] Select the repository's URL and the checkout directory and click "OK".
[8] Click OK to finish.
[9] These are the basic usages to manage version control with TortoiseSVN.
