Linux Administration (Tips & Tricks)


  • 8/17/2019 Linux Administration (Tips & Tricks)

    1/161

    Linux Administration

     Tips & Tricks

    Raajeev Tyagi


    INSTALLING APACHE WEB SERVER IN CENTOS 7

    INSTALL APACHE

    To install Apache, issue the following command in the terminal:

    yum install httpd

    This will install the Apache web server on the CentOS operating system. The operating system retrieves the files from the internet, so a working network connection will be necessary.

    TURN APACHE ON/OFF

    Once installed, Apache will need to be turned on. To simply turn it on, issue the following command:

    service httpd start

    Similar to turning Apache on, Apache can be turned off by issuing the following command:

    service httpd stop

    RUN APACHE AT STARTUP

    It is very common to run the Apache web server when the computer first boots up.

    To do this simply run the following command in the terminal:

    chkconfig httpd on

    VIEWING YOUR WEB PAGES

    The firewall on CentOS blocks the httpd service. In order to view the page from outside the CentOS system you will need to open the firewall to allow outside traffic to communicate with the httpd (Apache) service. To simply allow httpd through the firewall issue the following commands:

    firewall-cmd --permanent --add-service=http
    firewall-cmd --permanent --add-service=https

    or

    firewall-cmd --permanent --add-port=80/tcp
    firewall-cmd --permanent --add-port=443/tcp

    This will permanently allow the web server through the firewall.

    To restart the firewall service, issue the following command in the terminal:

    service firewalld restart


    You may need to access another computer, or if you are using a virtual machine, your host computer may do, and navigate in your web browser to the IP address of your CentOS computer to view the web pages. To obtain your CentOS's IP address, issue the following command in the terminal:

    ip addr

    WEB SITE DIRECTORY

    The files for the website should reside in the /var/www/html/ directory. You should place your index.html page here. To tweak Apache, you may want to look at the configuration file at /etc/httpd/conf.d/welcome.conf.

    1.1 APACHE REDIRECT HTTP TO HTTPS

    Written by Rahul


    Force Redirect HTTP to HTTPS in Apache – Many sites are required to run over SSL only, and we need to ensure that every user accesses the website through SSL. If any user tries to access the website with a non-SSL URL, they must be redirected to the SSL website. This tutorial will help you redirect a website to its SSL URL each time using the Apache mod_rewrite module.

    1.2 OPTION 1:

    Edit the website VirtualHost in the Apache configuration file and add the following options. Change www.example.com to your actual domain name.

    Redirect permanent / https://www.example.com/

    1.3 OPTION 2:

    Edit the website VirtualHost in the Apache configuration file and add the following settings. You may also add the same settings in the .htaccess file under the document root of your website.

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

    If you want to redirect a specific URL to HTTPS, use the following settings. For example, if anyone tries to access the always-secure.html file on the website, the user must access that URL with SSL.

    RewriteEngine On
    RewriteRule ^always-secure\.html$ https://www.example.com/always-secure.html [R=301,L]

    1.4 HOW TO REMOVE FILE EXTENSION (.PHP, .HTML) FROM URL USING .HTACCESS

    Written by Rahul


    According to SEO experts there is no effect on SEO if your website URLs have a .php, .htm or .html extension. But then why do we need to remove these extensions from URLs? According to experts, and in my opinion, there are many pros of not having file extensions in URLs.

    • The back-end technology is hidden from end users. But it's still not hard for experts to identify the technology.

    • The best pro of this is that we can easily change the backend technology without affecting the SEO of pages.

    First create a .htaccess file in your server document root and add the following values to the file as per your requirement to remove the file extension.

    1.5 REMOVING .PHP EXTENSION FROM URL

    For example you need to convert your URL from http://example.com/demo.php to http://example.com/demo. Edit the .htaccess file and add the following settings.

    RewriteEngine On
    # Only rewrite when the request does not match an existing file
    RewriteCond %{REQUEST_FILENAME} !-f
    # Map an extension-less path such as /demo to demo.php
    RewriteRule ^([^\.]+)$ $1.php [NC,L]


    1.6 REMOVING .HTML EXTENSION FROM URL

    For example you need to convert your URL from http://example.com/demo.html to http://example.com/demo. Edit the .htaccess file and add the following settings.

    RewriteEngine On
    # Only rewrite when the request does not match an existing file
    RewriteCond %{REQUEST_FILENAME} !-f
    # Map an extension-less path such as /demo to demo.html
    RewriteRule ^([^\.]+)$ $1.html [NC,L]

    /home/cent/public_html]). It's necessary to set Userdir settings for this example, too.

    [1] Configure

    [cent@www ~]$ vi ~/public_html/virtual.php


    SETTING UP AND SECURING SSH SERVER IN CENTOS 7

    SSH SERVICE IN CENTOS

    If you just simply wish to turn on the SSH service in CentOS, issue the following command:

    service sshd start

    This will turn on the SSH service and allow users to connect to the computer using SSH on port 22. Now to turn off this service you could issue the command:

    service sshd stop

    AUTOMATICALLY RUNNING THE SSH SERVICE

    If you wish to have the SSH daemon run automatically as the computer boots up, issue the command:

    chkconfig sshd on

    To make edits to the configuration of SSH edit the file located at /etc/ssh/sshd_config.

    CHANGE SSH DEFAULT PORT AND DISABLE ROOT LOGIN

    In this case you'll need to edit the "sshd_config" file which is the main configuration file of the SSH service on your server. You can either use vi or nano to edit it. In this example I use the vi editor:

    vi /etc/ssh/sshd_config

    Then find the following lines:

    #port 22

    Remove the # symbol and change the "22" (it is default port) to any number between 1025 and 65536, for example is port 22000. Example:

    port 22000

    Next, also find:

    #PermitRootLogin yes

    Remove the # symbol and change yes to no

    PermitRootLogin no

    Next, find this line as well:


    #UseDNS yes

    Remove the # symbol and change yes to no

    UseDNS no

    Don't close the vi editor just yet, now proceed to the next step:

    ALLOW NEW USER TO LOGIN VIA SSH TO YOUR SERVER

    Simply add this line at the very bottom of that file:

    AllowUsers newuser

    Of course you have to replace "newuser" with your own username. Once done, save the file.

    DISABLE PROTOCOL 1

    SSH has two protocols it may use, protocol 1 and protocol 2. The older protocol 1 is less secure and should be disabled unless you know that you specifically require it. Look for the following line in the config file:

    # Protocol 2,1

    Remove the # symbol and use only protocol 2

    Protocol 2

    RELOAD SSH SERVICE

    To make sure the new configuration is used by the service, simply reload SSH by using this command:

    /etc/init.d/sshd reload

    It should return with the OK message.

    Give it a try! I assumed currently you are still logged in as root. Don't close the SSH session yet before you test it and make sure all the settings you defined in the SSH config file really work. Now launch another Terminal window or launch another Putty instance, then log in using the new SSH port, new username, and of course new password.

    You might not be able to log in using the new SSH port and new username. If that is the case then make the necessary changes to port forwarding in your router and any applicable firewall rules.

    CHANGE FIREWALL RULES ON CENTOS

    On CentOS 7 you need to change firewalld:

    $ firewall-cmd --add-port 22000/tcp


    $ firewall-cmd --add-port 22000/tcp --permanent

    On CentOS 6 and above you should also update selinux, labeling the chosen port correctly, otherwise sshd will be prevented from accessing it. For example:

    $ semanage port -a -t ssh_port_t -p tcp 22000 #SSH Port Changed

    Because SSH is no longer listening for connections on the standard port, you will need to tell your client what port to connect on.

    FILTER SSH AT THE FIREWALL

    If you only need remote access from one IP address (say from work to your home server), then consider filtering connections at your firewall by either adding a firewall rule on your router or in iptables to limit access on port 22 to only that specific IP address. For example, in iptables this could be achieved with the following type of rule:

    iptables -A INPUT -p tcp -s 72.232.194.162 --dport 22 -j ACCEPT

    SSH also natively supports TCP wrappers and access to the SSH service may be similarly controlled using hosts.allow and hosts.deny.

    If you are unable to limit source IP addresses, and must open the SSH port globally, then iptables can still help prevent brute-force attacks by logging and blocking repeated attempts to login from the same IP address. For example,

    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource

    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT

    The first rule records the IP address of each new attempt to access port 22 using the recent module. The second rule checks to see if that IP address has attempted to connect 4 or more times within the last 60 seconds, and if not then the packet is accepted. Note this rule would require a default policy of DROP on the input chain.

    Don't forget to change the port as appropriate if you are running SSH on a non-standard port. Where possible, filtering at the firewall is an extremely effective method of securing access to an SSH server.
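The behaviour of the two "recent" rules above, modelled on a list of connection attempts. This is an added example, not part of the original guide; the function names, the input format and the sample attempts are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Models the two "recent" rules: rule 1 records every NEW connection attempt
# per source address; rule 2 accepts the packet unless that source already has
# HITCOUNT attempts within the last WINDOW seconds (the current attempt is
# counted, because rule 1 runs first). Anything not accepted falls through to
# the DROP policy the guide requires on the INPUT chain.
# The module's cap on stored timestamps per source is not modelled.

# stdin: lines "SECONDS SOURCE_IP", oldest first. Arguments: WINDOW HITCOUNT.
# stdout: the same lines with the verdict appended.
simulate_recent() {
    awk -v window="${1:-60}" -v hitcount="${2:-4}" '
    {
        t = $1; src = $2
        n[src]++; stamp[src, n[src]] = t          # rule 1: --set
        hits = 0
        for (i = n[src]; i >= 1; i--)             # rule 2: --rcheck
            if (t - stamp[src, i] <= window) hits++
        print t, src, (hits >= hitcount ? "DROP" : "ACCEPT")
    }'
}

# Constructed attempts; the addresses come from the documentation ranges.
sample_attempts() {
    cat <<'EOF'
0 192.0.2.10
5 192.0.2.10
10 192.0.2.10
15 192.0.2.10
20 198.51.100.7
30 192.0.2.10
80 192.0.2.10
EOF
}

sample_attempts | simulate_recent 60 4
```

The fourth attempt from one address inside the window is the first one dropped, and dropped attempts are still recorded, so a source that keeps retrying stays blocked until its rate falls below the threshold.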

    USE PUBLIC/PRIVATE KEYS FOR AUTHENTICATION

    Using encrypted keys for authentication offers two main benefits. Firstly, it is convenient as you no longer need to enter a password (unless you encrypt your keys with password protection) if you use public/private keys. Secondly, once public/private key pair authentication has been set up on the server, you can disable password authentication completely meaning that without an authorized key you can't gain access - so no more password cracking attempts.


    It's a relatively simple process to create a public/private key pair and install them for use on your SSH server.

    First, create a public/private key pair on the client that you will use to connect to the server (you will need to do this from each client machine from which you connect):

    $ ssh-keygen -t rsa

    This will create two files in your hidden ~/.ssh directory called: id_rsa and id_rsa.pub. The first: id_rsa is your private key and the other: id_rsa.pub is your public key.

    If you don't want to still be asked for a passphrase (which is basically a password to unlock a given public key) each time you connect, just press enter when asked for a passphrase when creating the key pair. It is up to you to decide whether or not you should add the passphrase protective encryption to your key when you create it. If you don't passphrase protect your key, then anyone gaining access to your local machine will automatically have ssh access to the remote server. Also, root on the local machine has access to your keys although one assumes that if you can't trust root (or root is compromised) then you're in real trouble. Encrypting the key adds additional security at the expense of eliminating the need for entering a password for the ssh server only to be replaced with entering a passphrase for the use of the key. This may be further simplified by the use of the ssh_agent program.

    Now set permissions on your private key:

    $ chmod 700 ~/.ssh

    $ chmod 600 ~/.ssh/id_rsa

    Copy the public key (id_rsa.pub) to the server and install it to the authorized_keys list:

    $ cat id_rsa.pub >> ~/.ssh/authorized_keys

    Note: Once you've imported the public key, you can delete it from the server.

    And finally set file permissions on the server:

    $ chmod 700 ~/.ssh

    $ chmod 600 ~/.ssh/authorized_keys

    The above permissions are required if StrictModes is set to yes in /etc/ssh/sshd_config (the default).

    Ensure the correct SELinux contexts are set:

    $ restorecon -Rv ~/.ssh

    Now when you login to the server you won't be prompted for a password (unless you entered a passphrase when you created your key pair). By default, ssh will first try to authenticate using keys. If no keys are found or authentication fails, then ssh will fall back to conventional password authentication.

    Once you've checked you can successfully login to the server using your public/private key pair, you can disable password authentication completely by adding the following setting to your /etc/ssh/sshd_config file:

    # Disable password authentication forcing use of keys

    PasswordAuthentication no
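A check that an sshd_config file actually carries the settings this section changes (Port, PermitRootLogin, Protocol, AllowUsers, PasswordAuthentication). This is an added example, not part of the original guide; the function names and the two sample files are constructed for the illustration, and the port range check stops at 65535, the highest valid TCP port.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Audits an sshd_config for the settings changed in this section.

# Print the effective value of keyword $2 in file $1. Keywords are
# case-insensitive and sshd uses the first uncommented occurrence.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit
        }' "$1"
}

# Print a FAIL line unless keyword $2 in file $1 is explicitly "no".
expect_no() (
    v=$(sshd_value "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$v" = no ] || echo "FAIL $2: '${v:-unset}', the guide sets 'no'"
)

# Print one FAIL line per finding; no output means the file matches the guide.
audit_sshd() (
    file=$1
    v=$(sshd_value "$file" Port); v=${v:-22}
    case $v in
        *[!0-9]*) echo "FAIL Port: '$v' is not a number" ;;
        22)       echo "FAIL Port: still the default 22" ;;
        *)        # 65535 is the highest valid TCP port
                  if [ "$v" -lt 1025 ] || [ "$v" -gt 65535 ]; then
                      echo "FAIL Port: $v is outside 1025-65535"
                  fi ;;
    esac
    expect_no "$file" PermitRootLogin
    expect_no "$file" PasswordAuthentication
    v=$(sshd_value "$file" Protocol)
    case ",$v," in
        *,1,*) echo "FAIL Protocol: '$v' still allows protocol 1" ;;
    esac
    v=$(sshd_value "$file" AllowUsers)
    [ -n "$v" ] || echo "FAIL AllowUsers: unset, any account may log in"
)

# Constructed sample files for the demo (hypothetical contents).
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
#Port 22
#PermitRootLogin yes
Protocol 2,1
PasswordAuthentication yes
EOF
    cat > "$1/hardened.conf" <<'EOF'
Port 22000
PermitRootLogin no
Protocol 2
PasswordAuthentication no
AllowUsers newuser
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in weak hardened; do
    echo "== $f.conf"
    audit_sshd "$demo_dir/$f.conf"
done
rm -rf "$demo_dir"
```

On a live server, `sshd -T` prints the effective configuration including compiled-in defaults, which is the more complete source to audit.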


    CHANGE DEFAULT RUNLEVEL IN CENTOS 7 / RHEL 7

    In CentOS 7 / RHEL 7, the system uses "targets" instead of run-levels; /etc/inittab is no longer used by the system to change the run levels. This guide will help you to set up the default runlevel in CentOS 7 / RHEL 7.

    The default runlevel can be set either by using the systemctl command or by making a symbolic link of the runlevel targets to the default target file.

    METHOD 1

    Let's check the current run level by issuing the following command.

    systemctl get-default
    graphical.target

    Before changing the default runlevel, we have to check out the available targets.

    # systemctl list-units --type=target

    Output will look like below.

    UNIT LOAD ACTI


    Confirm the default runlevel.

    # systemctl get-default
    multi-user.target

    Reboot and check it out.

    # reboot

    METHOD 2

    You may have noticed similar output when the systemctl set-default multi-user.target command is issued. What the command does is nothing but make a symbolic link of the runlevel target to the default target file.

    rm '/etc/systemd/system/default.target'
    ln -s '/usr/lib/systemd/system/multi-user.target' '/etc/systemd/system/default.target'

    Check the current level.

    # systemctl get-default
    multi-user.target

    Before making the symbolic link, let's list out the files in the systemd directory.

    # ls /lib/systemd/system/runlevel*target -l

    As per the previous step, the current default run level is 3. Issue the following command to make a symbolic link of runlevel5.target to the default.target file.

    # ln -sf /lib/systemd/system/runlevel5.target /etc/systemd/system/default.target

    Or

    # ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target

    Again check the current level.

    # systemctl get-default
    runlevel5.target

    Now the default runlevel is 5 (graphical mode), reboot the server and check it out.

    # reboot

    That's All!, hope this helped you.


    HOW TO CHANGE TIMEZONE ON CENTOS/RHEL 7/6/5

    Under CentOS/RHEL systems all timezone settings files are located under the /usr/share/zoneinfo/ directory and /etc/localtime

    [root@testserver ~]# date
    Fri Jan 2 05:10:00 EST 2015

    As per the above example our system timezone is set to EST.

    CHANGE TIMEZONE IN CENTOS/RHEL 7

    In CentOS/RHEL 7 we use


    CHANGE HOSTNAME IN CENTOS 7 / RHEL 7

    After installing CentOS 7 on my server, I tried to change the host name by modifying /etc/sysconfig/network; the modification did not take effect.

    Even after multiple reboots of the server, the host name remains localhost.localdomain. The procedure to change the host name in CentOS 7 is now totally different from the previous version; this guide will help you to set up the host name on CentOS 7 / RHEL 7.

    CENTOS 7 SUPPORTS THREE CLASSES OF HOST NAMES:

    Static – The static host name is the traditional host name which can be chosen by the user and is stored in the /etc/hostname file.

    Transient – The transient host name is maintained by the kernel and can be changed by DHCP and mDNS.

    Pretty – It is a free form UTF-8 host name for the presentation to the user.

    HOSTNAME CAN BE

    • 64 characters in length

    • Recommended to have an FQDN

    • Consists of a-z, A-Z, 0-9, "-", "_" and "." only

    HOW TO CHANGE

    Before changing the host name, let's check the current host name.

    [root@localhost ~]# hostname
    localhost.localdomain

    1.


    Set the host name.

    nmtui – Change HostName 2

    Restart hostnamed to force hostnamectl to notice the change in the static host name.

    [root@localhost ~]# systemctl restart systemd-hostnamed

    You can verify the change in host name.

    [root@server ~]# hostname
    server.itzgeek.com
    [root@server ~]# cat /etc/hostname
    server.itzgeek.com
    [root@server ~]# cat /etc/sysconfig/network
    # Created by anaconda
    HOSTNAME=server.itzgeek.com

    2. (5'-

    [root@server ~]# hostnamectl status

    Static hostname: server.itzgeek.com
    Icon name: computer-vm
    Chassis: vm
    Machine ID: IJIea-N0QI00acaQdIIJ11.-fQe0cC
    Boot ID: IcQNQdQIfNI0df-NIa0e1aeafCad


    Static hostname: client.itzgeek.com
    Icon name: computer-vm
    Chassis: vm
    Machine ID: IJIea-N0QI00acaQdIIJ11.-fQe0cC
    Boot ID: IcQNQdQIfNI0d-NIa0e1aeafCad

    One configuration you may want to change in the /etc/ssh/sshd_config file is

    1.8 HOW TO CREATE BINARY FILE FROM SHELL SCRIPT

    Written by Rahul


    While working with Linux systems, we use many commands on a daily basis. Most of the commands are available in binary format in the /bin, /sbin, /usr/bin, /usr/sbin, etc. directories. As a system administrator or student we write many shell scripts to do a few tasks or automate them. This article will help you to create a binary file of your shell script, so no one can see the source code of your script and we can use it as a command. To create a binary file from a script we use the SHC compiler written by Francisco Javier Rosales García.

    Follow the below steps to do this.

    1.9 INSTALL REQUIRED PACKAGES

    First we need to install the required packages for the SHC compiler.

    1.9.1 For Ubuntu, Debian and LinuxMint

    apt-get install libc6-dev

    1.9.2 For CentOS, RHEL and Fedora

    yum install glibc-devel


    1.10 DOWNLOAD AND INSTALL SHC:

    Download the latest source code of the SHC compiler from its official webpage or using the below commands and extract it on your system.

    cd /usr/src
    wget http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.9.tgz
    tar xzf shc-3.8.9.tgz

    Now compile the SHC source code on your system and install it using the following commands.

    cd shc-3.8.9
    make
    make install

    1.11 CREATE SHELL SCRIPT:

    Let's create a shell script as per your requirement, or skip this step if you have already created one. For this article we have created the below sample script, which adds the integer values given as command line parameters and shows their sum.

    vim script.sh

    #!/bin/bash
    # Add up the integer values given on the command line and print the sum.

    total=0

    for i in "$@"; do
      # Reject any argument that is not a plain run of digits
      case $i in
        ''|*[!0-9]*)
          echo "Please enter numeric only"
          exit 1
          ;;
      esac
      total=$((total + i))
    done

    if [ "$total" -eq 0 ]; then
      echo "Please execute script like: $0 10 20 30"
      exit 0
    fi

    echo "$total"

    1.12 CREATE BINARY OF SCRIPT:

    At this stage we have installed the SHC compiler and have a shell script named script.sh. Use the following command to create a binary file of your script.

    shc -T -f script.sh

    The above command will create two files in the current directory. One will be script.sh.x.c, which is your script in C language format. The second one will be script.sh.x, which will be in binary format.


    1.13 TEST BINARY SCRIPT:

    If you try to open the binary format of the script, you will see that it is not in human readable format.

    Now move this script under the /usr/bin directory to use it from anywhere in the system. Also remove .sh.x from the file name, so it will be available with a simple name. Also set execute permissions for everyone.

    mv script.sh.x /usr/bin/script
    chmod +x /usr/bin/script


        [nN][oO]|[nN])
          echo "No"
          ;;
        *)
          echo "Invalid input..."
          exit 1
          ;;
    esac

    1.16 EXAMPLE 2: PROMPT FOR CONFIRMATION IN LOOP

    This example code will prompt for confirmation until you give proper input like Y, N, YES or NO

    on heavy load server. It means our server has hit the max open file limit. Now the question is how can I increase the open file limit on Linux. For your answer follow the below article, I will help you for managing Open


    1.18 CHECK CURRENT OPEN FILE LIMIT

    Q. How to check the current open file limit in a Linux system?

    A. Use the following command to check the open file limit in a Linux system.

    cat /proc/sys/fs/file-max

    50000

    1.19 INCREASE OPEN FILE LIMIT IN LINUX

    We can increase the open file limit temporarily or permanently as per our requirement. If we need changes just for testing, then increase the limit temporarily.

    1.19.1 T


    http://www.itzgeek.com/how-tos/linux/centos-how-tos/how-to-increase-swap-in-linux.html

    Hi, here we will get to know about the swap file system, and how to increase it.

    First thing, what is swap?

    Swap is one type of file system (id=82), which is used as virtual RAM for the system; it provides extra memory resource to the system when it is required. In Windows it's called pagefile.sys, and this file system will be created manually or automatically during installation of the operating system.

    Once the swap file system is created, you may want to increase the swap space. For that you can follow this tutorial.

    We can create the swap space by two methods.

    • Using swap partition

    • Using swap file

    Here we use the first method.

    Let's check the available swap space.

    [root@client ~]# swapon -s
    Filename        Type            Size      Used    Priority
    /dev/sda2       partition       2096472   0       -1

    I am going to increase the swap from 2GB to 3GB. You can check the swap space by the following command also. As per this command total swap space is 2GB.


    [root@client ~]# free -m
                 total       used       free     shared    buffers     cached
    Mem:           434        427          6          0         17        242
    -/+ buffers/cache:        167        266
    Swap:         2047          0       2047

    As shown above, /dev/sda2 is the swap file system. On my machine I don't have any space on my primary HDD, so I use another HDD for demonstration. But you can use the same HDD for the new swap partition, if you have enough space.

    Let's see the HDDs attached to this machine.

    [root@client ~]# fdisk -l

    Disk /dev/sda: 32.2 GB, 32212254720 bytes
    255 heads, 63 sectors/track, 3916 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1   *           1          13      104391   83  Linux
    /dev/sda2              14         274     2096482+  82  Linux swap / Solaris
    /dev/sda3             275         529     2048287+  83  Linux
    /dev/sda4             530        3916    27206077+   5  Extended
    /dev/sda5             530        1549     8193118+  83  Linux
    /dev/sda6            1550        2569     8193118+  83  Linux
    /dev/sda7            2570        2824     2048256   83  Linux
    /dev/sda8            2825        3079     2048256   83  Linux
    /dev/sda9            3080        3916     6723171   83  Linux

    Disk /dev/sdb: 8589 MB, 8589934592 bytes


    255 heads, 63 sectors/track, 1044 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes

    Disk /dev/sdb doesn't contain a valid partition table

    In the above I have one extra HDD with free space; with the help of that HDD I am going to create the new partition for swap with a size of 1GB and assign it the id of 82. The size may depend on your swap size requirement.

    Let's create the partition with id of 82 for swap.

    [root@client ~]# fdisk /dev/sdb

    Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
    Building a new DOS disklabel. Changes will remain in memory only,
    until you decide to write them. After that, of course, the previous
    content won't be recoverable.

    The number of cylinders for this disk is set to 1044.
    There is nothing wrong with that, but this is larger than 1024,
    and could in certain setups cause problems with:
    1) software that runs at boot time (e.g., old versions of LILO)
    2) booting and partitioning software from other OSs
       (e.g., DOS FDISK, OS/2 FDISK)
    Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

    Command (m for help): p    --> To see the details

    Disk /dev/sdb: 8589 MB, 8589934592 bytes
    255 heads, 63 sectors/track, 1044 cylinders


    Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System

    Command (m for help): n    --> To create the new partition
    Command action
       e   extended
       p   primary partition (1-4)
    p    --> To create the primary partition
    Partition number (1-4): 1    --> Partition number
    First cylinder (1-1044, default 1):
    Using default value 1
    Last cylinder or

    255 heads, 63 sectors/track, 1044 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/sdb1               1         123      987966   83  Linux

    Command (m for help): t    --> Change the partition ID
    Selected partition 1
    Hex code (type L to list codes): l    --> List the codes


    Hex code #t+pe 5 to list codes: 12 !" 0d for swap

    Changed s+stem t+pe o! partition 3 to AJ #5in"x swap / Solaris

    Command #m !or help: p !" .ist the partitions

    isD /de?/sd=: ANAB U4 ANABB1QNBJ =+tes

    JNN heads4 >1 sectors/tracD4 32QQ c+linders

    (nits 0 c+linders o! 3>2>N $ N3J 0 AJJNJA2 =+tes

    e?ice Uoot Start End UlocDs )d S+stem

    /dev/sdb 23 415466 12 .in*7 swap / $olaris

    Command #m !or help: w " 8rite the chanes

    The partition ta=le has =een altered;

    Calling ioctl# to re,read partition ta=le.

    S+ncing disDs.

    Tell the changes to kernel.

    [root@client ~]# partprobe

    Confirm the created partition.

    [root@client ~]# fdisk -l

    Disk /dev/sda: 32.2 GB, 32212254720 bytes
    255 heads, 63 sectors/track, 3916 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1   *           1          13      104391   83  Linux
    /dev/sda2              14         274     2096482+  82  Linux swap / Solaris
    /dev/sda3             275         529     2048287+  83  Linux
    /dev/sda4             530        3916    27206077+   5  Extended
    /dev/sda5             530        1549     8193118+  83  Linux
    /dev/sda6            1550        2569     8193118+  83  Linux
    /dev/sda7            2570        2824     2048256   83  Linux
    /dev/sda8            2825        3079     2048256   83  Linux
    /dev/sda9            3080        3916     6723171   83  Linux

    Disk /dev/sdb: 8589 MB, 8589934592 bytes
    255 heads, 63 sectors/track, 1044 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/sdb1               1         123      987966   82  Linux swap / Solaris

    Make the swap partition using the following command.

    [root@client ~]# mkswap /dev/sdb1
    Setting up swapspace version 1, size = 1011671 kB

    Enable it using the following command.

    [root@client ~]# swapon /dev/sdb1

    List the swap space available on the machine.

    [root@client ~]# swapon -s
    Filename        Type        Size      Used  Priority
    /dev/sda2       partition   2096472   0     -1
    /dev/sdb1       partition   987956    0     -2

    In the above you can find that /dev/sdb1 has been activated and serves the swap resource to the
    machine along with /dev/sda2.

    Use the following command to see the memory available on the machine. In the following you
    will be able to see the actual memory and the virtual memory also.

    [root@client ~]# free -m
                 total       used       free     shared    buffers     cached
    Mem:           434        430          3          0         17        246
    -/+ buffers/cache:        166        267
    Swap:         3012          0       3012

    As per the above, the total size of swap is 3 GB; this is as per our requirement.

    If you would like to turn off the swap, you can use the following command.

    [root@client ~]# swapoff /dev/sda2

    List the swap space. Because we swapped off the above one, you will see only the one
    swap partition which we created now.

    [root@client ~]# swapon -s
    /dev/sdb1       partition   987956    0     -2

    In the normal case, if you restart the server the swap will not get turned on automatically. So put it
    in /etc/fstab

    [root@client ~]# vi /etc/fstab

    LABEL=/           /          ext3    defaults                     1 1
    LABEL=/tmp        /tmp       ext3    defaults                     1 2
    LABEL=/home       /home      ext3    defaults,usrquota,grpquota   1 2
    LABEL=/usr        /usr       ext3    defaults                     1 2
    LABEL=/var        /var       ext3    defaults                     1 2
    LABEL=/boot       /boot      ext3    defaults                     1 2
    tmpfs             /dev/shm   tmpfs   defaults                     0 0
    devpts            /dev/pts   devpts  gid=5,mode=620               0 0
    sysfs             /sys       sysfs   defaults                     0 0
    proc              /proc      proc    defaults                     0 0
    LABEL=SWAP-sda2   swap       swap    defaults                     0 0
    /dev/sda9         /opt       ext3    defaults                     0 0
    # New Swap Partition
    /dev/sdb1         swap       swap    defaults                     0 0

    Reboot the server.

    [root@client ~]# reboot

    Verify it.

    [root@client ~]# free -m
                 total       used       free     shared    buffers     cached
    Mem:           434        430          3          0         17        246
    -/+ buffers/cache:        166        267
    Swap:         3012          0       3012

    If you want to set the priority of swap usage by the system, use the following command. A high
    priority swap area will be used more by the system. High = 1, low = -1.

    [root@client ~]# swapon -p 10 /var/swapfile

    Verify the priority.

    [root@client ~]# swapon -s
    Filename        Type        Size      Used  Priority
    /dev/sdb1       partition   1023992   0     10
    /dev/sda2       partition   2096472   296   -2

    That's all

    3 HOW TO INSTALL MEMCACHED ON CENTOS 6 / RHEL 6

    RAJ, MARCH 26, 2012

    Free & open source, high-performance, distributed memory object
    caching system, generic in nature, but intended for use in speeding up dynamic web
    applications by alleviating database load. Memcached is an in-memory key-value store for
    small chunks of arbitrary data (strings, objects) from results of database calls, API calls, or
    page rendering.

    Memcached is simple yet powerful. Its simple design promotes quick deployment, ease
    of development, and solves many problems facing large data caches. Its API is available for
    most popular languages.

    Here are the simple steps to install Memcached on CentOS 6.

    Open Terminal and then switch to root user.

    [raj@geeksite~/]$ su -l

    3.1.1.1 Install Memcached:

    Install Memcached using the following command.

    [root@geeksite~/]# yum install memcached

    Edit the Memcached configuration file to change / enable the features.

    [root@geeksite~/]# vi /etc/sysconfig/memcached

    There are some default settings available in the configuration file; change them if necessary.

    The following are example settings for 256MB caching.

    PORT="11211"
    USER="memcached"
    MAXCONN="1024"
    CACHESIZE="256"
    OPTIONS=""

    Start Memcached.

    [root@geeksite~/]# /etc/init.d/memcached restart

    To auto-start Memcached on booting.

    [root@geeksite~/]# chkconfig memcached on

    Confirm the Memcached running status.

    [root@geeksite~/]# memcached-tool 127.0.0.1:11211 stats
    #127.0.0.1:11211   Field       Value
             accepting_conns           1
                   auth_cmds           0
                 auth_errors           0
                       bytes           0
                  bytes_read           7
               bytes_written           0
                  cas_badval           0
                    cas_hits           0
                  cas_misses           0
                   cmd_flush           0
                     cmd_get           0
                     cmd_set           0
                 conn_yields           0
       connection_structures          11
            curr_connections          10
                  curr_items           0
                   decr_hits           0
                 decr_misses           0
                 delete_hits           0
               delete_misses           0
                   evictions           0
                    get_hits           0
                  get_misses           0
                   incr_hits           0
                 incr_misses           0
              limit_maxbytes    67108864
         listen_disabled_num           0
                         pid       29594
                pointer_size          64
               rusage_system    0.002999
                 rusage_user    0.000000
                     threads           4
                        time  1332048624
           total_connections          11
                 total_items           0
                      uptime          85
                     version       1.4.4

    3.1.1.2 Iptables entry:

    Add the following entry to allow incoming connections on port no 11211.

    -A INPUT -m state --state NEW -m tcp -p tcp --dport 11211 -j ACCEPT

    Check the remote connectivity.

    [root@geeksite~/]# echo stats | nc memcache_host_name_or_ip 11211

    3.1.1.3 Install PHP Module:

    Install the Memcached PHP module to work with PHP.

    [root@geeksite~/]# yum install php php-pecl-memcache

    Now restart the Memcached and Apache servers for the change to take effect.

    [root@geeksite~/]# /etc/init.d/memcached restart
    [root@geeksite~/]# /etc/init.d/httpd restart

    That's all!
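
    The settings above leave OPTIONS empty and the iptables entry accepts port 11211 from any source, and memcached 1.4.x has no authentication on that port by default. The following check is an added example, not part of the original article: it reads a sysconfig file in the format shown above and reports whether the listener is bound to a specific address (-l) and whether UDP is switched off (-U 0). The function names and the address 192.168.1.10 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit a memcached sysconfig file (PORT/USER/MAXCONN/
# CACHESIZE/OPTIONS, as edited above) for network exposure.
# memcached flags relied on: -l <addr> (listen address), -U <port> (UDP port, 0 = off).

# Prints one WARN line per finding; returns 0 when clean, 1 on findings.
audit_memcached_sysconfig() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 2; }

    # The init script sources this file, so the last OPTIONS= assignment wins.
    options=$(sed -n 's/^[[:space:]]*OPTIONS=//p' "$conf" | tail -n 1 | tr -d "\"'")

    listen=""; udp=""; want=""
    for word in $options; do
        # A bare -l or -U takes its value from the following word.
        case $want in
            l) listen=$word; want=""; continue ;;
            U) udp=$word; want=""; continue ;;
        esac
        case $word in
            -l)   want=l ;;
            -l?*) listen=${word#-l} ;;
            -U)   want=U ;;
            -U?*) udp=${word#-U} ;;
        esac
    done

    rc=0
    case $listen in
        ""|0.0.0.0|::)
            echo "WARN listen: no specific -l address; memcached accepts connections on every interface"
            rc=1 ;;
    esac
    if [ "$udp" != "0" ]; then
        echo "WARN udp: UDP listener not disabled with -U 0"
        rc=1
    fi
    return $rc
}

# The tutorial's iptables entry, narrowed to one client network ($1 = CIDR).
restricted_iptables_rule() {
    echo "-A INPUT -s $1 -m state --state NEW -m tcp -p tcp --dport 11211 -j ACCEPT"
}

# Demo on constructed files: the tutorial's settings, then a bound variant.
demo_dir=$(mktemp -d)
printf 'PORT="11211"\nUSER="memcached"\nMAXCONN="1024"\nCACHESIZE="256"\nOPTIONS=""\n' > "$demo_dir/as_in_tutorial"
printf 'PORT="11211"\nUSER="memcached"\nMAXCONN="1024"\nCACHESIZE="256"\nOPTIONS="-l 192.168.1.10 -U 0"\n' > "$demo_dir/bound"
for f in as_in_tutorial bound; do
    echo "== $f"
    audit_memcached_sysconfig "$demo_dir/$f" || true
done
restricted_iptables_rule 192.168.1.0/24
rm -rf "$demo_dir"
```

    Run against the real /etc/sysconfig/memcached, a clean result prints nothing and returns 0.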

    5 SETTING UP DNS SERVER ON CENTOS 7

    So it makes it easy to remember the domain names
    instead of their IP addresses.

    This detailed tutorial will help you to set up a local DNS server on your CentOS 7
    system. However, the steps are applicable for setting up a DNS server on RHEL and
    Scientific Linux 7 too.

    DNS SERVER INSTALLATION

    5.1 SCENARIO

    For the purpose of this tutorial, I will be using three nodes. One will be acting as Master
    DNS server, the second system will be acting as Secondary DNS, and the third will be
    our DNS client. Here are my three systems' details.

    5.1.1.1 Primary (Master) DNS Server Details:

    Operating System : CentOS 7 minimal server
    Hostname         : masterdns.unixmen.local
    IP Address       : 192.168.1.101/24

    5.1.1.2 Secondary (Slave) DNS Server Details:

    Operating System : CentOS 7 minimal server
    Hostname         : secondarydns.unixmen.local
    IP Address       : 192.168.1.102/24

    5.1.1.3 Client Details:

    Operating System : CentOS 6.5 Desktop
    Hostname         : client.unixmen.local
    IP Address       : 192.168.1.103/24

    5.2 SET

    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //

    options {
        listen-on port 53 { 127.0.0.1; 192.168.1.101; }; ### Master DNS IP ###
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; 192.168.1.0/24; }; ### IP
        [...]
        /*
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
    };

    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "unixmen.local" IN {
        type master;
        file "forward.unixmen";
        allow-update { none; };
    };

    zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "reverse.unixmen";
        allow-update { none; };
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";

    5.2.2 2. Create Zone files

    Create the forward and reverse zone files which we mentioned in
    the '/etc/named.conf' file.

    5.2.2.1 2.1 Create Forward Zone

    Create the forward.unixmen file in the '/var/named' directory.

    vi /var/named/forward.unixmen

    Add the following lines:

    $TTL 86400
    @   IN  SOA     masterdns.unixmen.local. root.unixmen.local. (
            2011071001  ;Serial
            3600        ;Refresh
            1800        ;Retry
            604800      ;Expire
            86400       ;Minimum TTL
    )
    @               IN  NS      masterdns.unixmen.local.
    @               IN  NS      secondarydns.unixmen.local.
    @               IN  A       192.168.1.101
    @               IN  A       192.168.1.102
    @               IN  A       192.168.1.103
    masterdns       IN  A       192.168.1.101
    secondarydns    IN  A       192.168.1.102
    client          IN  A       192.168.1.103

    5.2.2.2 2.2 Create Reverse Zone

    Create the reverse.unixmen file in the '/var/named' directory.

    vi /var/named/reverse.unixmen

    Add the following lines:

    $TTL 86400
    @   IN  SOA     masterdns.unixmen.local. root.unixmen.local. (
            2011071001  ;Serial
            3600        ;Refresh
            1800        ;Retry
            604800      ;Expire
            86400       ;Minimum TTL
    )
    @               IN  NS      masterdns.unixmen.local.
    @               IN  NS      secondarydns.unixmen.local.
    @               IN  PTR     unixmen.local.
    masterdns       IN  A       192.168.1.101
    secondarydns    IN  A       192.168.1.102
    client          IN  A       192.168.1.103
    101             IN  PTR     masterdns.unixmen.local.
    102             IN  PTR     secondarydns.unixmen.local.
    103             IN  PTR     client.unixmen.local.

    5.2.3 3. Start the DNS service

    Enable and start the DNS service:

    systemctl enable named
    systemctl start named

    5.2.4 4. Firewall Configuration

    We must allow the DNS service default port 53 through the firewall.

    firewall-cmd --permanent --add-port=53/tcp
    firewall-cmd --permanent --add-port=53/udp

    5.2.5 5. Restart Firewall

    firewall-cmd --reload

    5.2.6 6. Configuring Permissions, Ownership, and SELinux

    Run the following commands one by one:

    chgrp named -R /var/named
    chown -v root:named /etc/named.conf
    restorecon -rv /var/named
    restorecon /etc/named.conf

    5.2.7 7. Test DNS configuration and zone files for any syntax errors

    Check the DNS default configuration file:

    named-checkconf /etc/named.conf

    If it returns nothing, your configuration file is valid.

    Check the forward zone:

    named-checkzone unixmen.local /var/named/forward.unixmen

    Sample output:

    zone unixmen.local/IN: loaded serial 2011071001
    OK

    Check the reverse zone:

    named-checkzone unixmen.local /var/named/reverse.unixmen

    Sample output:

    zone unixmen.local/IN: loaded serial 2011071001
    OK

    Add the DNS server details in your network interface config file.

    vi /etc/sysconfig/network-scripts/ifcfg-enp0s3

    TYPE="Ethernet"
    BOOTPROTO="none"
    DEFROUTE="yes"
    IPV4_FAILURE_FATAL="no"
    IPV6INIT="yes"
    IPV6_AUTOCONF="yes"
    IPV6_DEFROUTE="yes"
    IPV6_FAILURE_FATAL="no"
    NAME="enp0s3"
    UUID="5d0428b3-6af2-4f6b-9fe3-4250cd839efa"
    ONBOOT="yes"
    HWADDR="08:00:27:19:68:73"
    IPADDR0="192.168.1.101"
    PREFIX0="24"
    GATEWAY0="192.168.1.1"
    DNS1="192.168.1.101"
    IPV6_PEERDNS="yes"
    IPV6_PEERROUTES="yes"

    Edit the file /etc/resolv.conf:

    vi /etc/resolv.conf

    Add the name server IP address:

    nameserver 192.168.1.101

    Save and close the file.

    Restart the network service:

    systemctl restart network

    5.2.8 8. Test DNS Server

    dig masterdns.unixmen.local

    Sample output:

    ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> masterdns.unixmen.local
    ;; global options:
    [...]
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;masterdns.unixmen.local.       IN      A

    ;; ANSWER SECTION:
    masterdns.unixmen.local. 86400  IN      A       192.168.1.101

    ;; AUTHORITY SECTION:
    unixmen.local.          86400   IN      NS      secondarydns.unixmen.local.
    unixmen.local.          86400   IN      NS      masterdns.unixmen.local.

    ;; ADDITIONAL SECTION:
    secondarydns.unixmen.local. 86400 IN    A       192.168.1.102

    ;; Query time: 0 msec
    ;; SERVER: 192.168.1.101#53(192.168.1.101)
    ;; WHEN: Wed Aug 20 16:20:46 IST 2014
    ;; MSG SIZE  rcvd: 125

    nslookup unixmen.local

    Sample output:

    Server:         192.168.1.101
    Address:        192.168.1.101#53

    Name:   unixmen.local
    Address: 192.168.1.103
    Name:   unixmen.local
    Address: 192.168.1.101
    Name:   unixmen.local
    Address: 192.168.1.102

    Now the Primary DNS server is ready to use.

    It is time to configure our Secondary DNS server.

    5.3 SET

    options {
        listen-on port 53 { 127.0.0.1; 192.168.1.102; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; 192.168.1.0/24; };
    .
    .
    .
    .
    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "unixmen.local" IN {
        type slave;
        file "slaves/unixmen.fwd";
        masters { 192.168.1.101; };
    };

    zone "1.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/unixmen.rev";
        masters { 192.168.1.101; };
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";

    5.3.2 2. Start the DNS Service

    systemctl enable named
    systemctl start named

    Now the forward and reverse zones are automatically replicated from the Master DNS
    server to '/var/named/slaves/' on the Secondary DNS server.

    ls /var/named/slaves/

    Sample output:

    unixmen.fwd  unixmen.rev

    5.3.3 3. Add the DNS Server details

    Add the DNS server details in your network interface config file.

    vi /etc/sysconfig/network-scripts/ifcfg-enp0s3

    TYPE="Ethernet"
    BOOTPROTO="none"
    DEFROUTE="yes"
    IPV4_FAILURE_FATAL="no"
    IPV6INIT="yes"
    IPV6_AUTOCONF="yes"
    IPV6_DEFROUTE="yes"
    IPV6_FAILURE_FATAL="no"
    NAME="enp0s3"
    UUID="5d0428b3-6af2-4f6b-9fe3-4250cd839efa"
    ONBOOT="yes"
    HWADDR="08:00:27:19:68:73"
    IPADDR0="192.168.1.102"
    PREFIX0="24"
    GATEWAY0="192.168.1.1"
    DNS1="192.168.1.101"
    DNS2="192.168.1.102"
    IPV6_PEERDNS="yes"
    IPV6_PEERROUTES="yes"

    Edit the file /etc/resolv.conf:

    vi /etc/resolv.conf

    Add the name server IP addresses:

    nameserver 192.168.1.101
    nameserver 192.168.1.102

    Save and close the file.

    Restart the network service:

    systemctl restart network

    5.3.4 4. Firewall Configuration

    We must allow the DNS service default port 53 through the firewall.

    firewall-cmd --permanent --add-port=53/tcp

    5.3.5 5. Restart Firewall

    firewall-cmd --reload

    5.3.6 6. Configuring Permissions, Ownership, and SELinux

    chgrp named -R /var/named
    chown -v root:named /etc/named.conf
    restorecon -rv /var/named
    restorecon /etc/named.conf

    5.3.7 7. Test DNS Server

    dig masterdns.unixmen.local

    Sample output:

    ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> masterdns.unixmen.local
    ;; global options:
    [...]
    unixmen.local.          86400   IN      NS      masterdns.unixmen.local.
    unixmen.local.          86400   IN      NS      secondarydns.unixmen.local.

    ;; ADDITIONAL SECTION:
    secondarydns.unixmen.local. 86400 IN    A       192.168.1.102

    ;; Query time: 0 msec
    ;; SERVER: 192.168.1.102#53(192.168.1.102)
    ;; WHEN: Wed Aug 20 17:04:30 IST 2014
    ;; MSG SIZE  rcvd: 125

    dig secondarydns.unixmen.local

    Sample output:

    ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> secondarydns.unixmen.local
    ;; global options:
    [...]
    ;secondarydns.unixmen.local.    IN      A

    ;; ANSWER SECTION:
    secondarydns.unixmen.local. 86400 IN    A       192.168.1.102

    ;; AUTHORITY SECTION:
    unixmen.local.          86400   IN      NS      masterdns.unixmen.local.
    unixmen.local.          86400   IN      NS      secondarydns.unixmen.local.

    ;; ADDITIONAL SECTION:
    masterdns.unixmen.local. 86400  IN      A       192.168.1.101

    ;; Query time: 0 msec
    ;; SERVER: 192.168.1.102#53(192.168.1.102)
    ;; WHEN: Wed Aug 20 17:05:50 IST 2014
    ;; MSG SIZE  rcvd: 125

    nslookup unixmen.local

    Sample output:

    Server:         192.168.1.102
    Address:        192.168.1.102#53

    Name:   unixmen.local
    Address: 192.168.1.101
    Name:   unixmen.local
    Address: 192.168.1.103
    Name:   unixmen.local
    Address: 192.168.1.102

    5.4 CLIENT SIDE CONFIGURATION

    [...]
    nameserver 192.168.1.101
    nameserver 192.168.1.102

    Restart the network service or reboot the system.

    5.4.1 Test DNS Server

    Now, you can test the DNS server using any one of the following commands:

    dig masterdns.unixmen.local
    dig secondarydns.unixmen.local
    dig client.unixmen.local
    nslookup unixmen.local

    That's all about now. The primary and secondary DNS servers are ready to use.
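
    The comment in the default named.conf warns about recursive servers that answer anyone, and in the BIND 9.9 used here a master zone with no allow-transfer ACL can be transferred by any host that is able to query the server. The script below is an added example, not part of the original tutorial: it reports both conditions for a given named.conf. The function names and the embedded sample file are constructed for the illustration, and zones nested inside view blocks are not handled.

```shell
# Added example: report master zones without an allow-transfer ACL, and
# recursion combined with an "any" query ACL, in a named.conf.

audit_named_conf() {
    [ -r "$1" ] || { echo "ERROR cannot read $1"; return 2; }
    # Drop // and # comments line by line, then let awk tokenise the rest.
    sed -e 's://.*$::' -e 's:#.*$::' "$1" | awk '
    { text = text $0 "\n" }
    END {
        # Remove /* ... */ comments, which may span several lines.
        while ((s = index(text, "/*")) > 0) {
            rest = substr(text, s + 2)
            e = index(rest, "*/")
            if (e == 0) { text = substr(text, 1, s - 1); break }
            text = substr(text, 1, s - 1) " " substr(rest, e + 2)
        }
        gsub(/[{};]/, " & ", text)      # braces and semicolons become tokens
        n = split(text, tok, /[ \t\n]+/)
        depth = 0; top = 1; first = 0; nz = 0; warn = 0
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t == "") continue
            if (t == "{") { depth++; if (depth == 1) first = 1; continue }
            if (t == "}") {
                depth--
                if (depth == 1) acl = ""
                if (depth == 0 && ctx == "zone" && ztype == "master") {
                    nz++; zone[nz] = zname; xfer[nz] = zxfer
                }
                continue
            }
            if (t == ";") { if (depth == 0) top = 1; if (depth == 1) first = 1; continue }
            if (depth == 0) {           # start of a top-level statement
                if (top) {
                    top = 0; ctx = t
                    if (t == "zone") { zname = tok[++i]; gsub(/"/, "", zname); ztype = ""; zxfer = 0 }
                }
                continue
            }
            if (depth == 1 && first) {  # keyword of a statement inside options/zone
                first = 0
                if (t == "type") ztype = tok[i + 1]
                else if (t == "recursion" && ctx == "options") recursion = tok[i + 1]
                else if (t == "allow-transfer" && ctx == "zone") zxfer = 1
                else if (t == "allow-transfer" && ctx == "options") oxfer = 1
                else if (ctx == "options" && t ~ /^allow-(query|recursion)$/) acl = t
                continue
            }
            if (depth == 2 && acl != "" && t == "any") open_acl = acl
        }
        if (recursion == "yes" && open_acl != "") { print "WARN options: recursion yes with " open_acl " { any; }"; warn = 1 }
        for (k = 1; k <= nz; k++) {
            if (!xfer[k] && !oxfer) { print "WARN zone " zone[k] ": master zone without allow-transfer ACL"; warn = 1 }
        }
        exit warn
    }'
}

# Constructed sample modelled on the tutorial's master configuration.
# $1 is inserted into both master zones (empty = no transfer ACL).
sample_named_conf() {
    cat <<EOF
options {
    listen-on port 53 { 127.0.0.1; 192.168.1.101; };  ### Master DNS IP ###
    allow-query { localhost; 192.168.1.0/24; };
    /* recursion is wanted for
       the local network only */
    recursion yes;
};
zone "." IN { type hint; file "named.ca"; };
zone "unixmen.local" IN {
    type master;
    file "forward.unixmen";
    allow-update { none; };
    $1
};
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "reverse.unixmen";
    allow-update { none; };
    $1
};
include "/etc/named.rfc1912.zones";
EOF
}

demo=$(mktemp -d)
sample_named_conf "" > "$demo/before.conf"
sample_named_conf "allow-transfer { 192.168.1.102; };" > "$demo/after.conf"
echo "== before"; audit_named_conf "$demo/before.conf" || true
echo "== after";  audit_named_conf "$demo/after.conf" && echo "no findings"
rm -rf "$demo"
```

    On the master, audit_named_conf /etc/named.conf returns 0 and prints nothing once every master zone, or the options block, names the hosts allowed to transfer, here the secondary at 192.168.1.102.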

    6 THE PERFECT SERVER - CENTOS 7.1 WITH
    APACHE2, POSTFIX, DOVECOT, PUREFTPD,
    BIND AND ISPCONFIG 3

    6.1.1 On this page

    • 1 Requirements
    • 2 Preliminary Note
    • 3 Set the keyboard layout
    • 4 Adjust /etc/hosts
    • 5 Disable SELinux
    • 6 Enable Additional Repositories And Install Some Software
    • 7 Quota
    • Enabling quota on the / (root) partition
    • Enabling quota on a separate /var partition
    • 8 Install Apache, MySQL, phpMyAdmin

    This tutorial shows how to install ISPConfig 3 on a CentOS 7.1 (64Bit) server. ISPConfig 3
    is a web hosting control panel that allows you to configure the following services
    through a web browser: Apache web server, Postfix mail server, MySQL, BIND
    nameserver, PureFTPd, SpamAssassin, ClamAV

    6.1.2 1 Requirements

    yum -y install net-tools

    systemctl stop firewalld.service

    systemctl disable firewalld.service

    to stop and disable the CentOS firewall.

    Then you should check that the firewall has really been disabled. To do so, run the
    command:

    iptables -L

    The output should look like this:

    [root@server1 ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Or use the firewall-cmd command:

    firewall-cmd --state

    [root@server1 ~]# firewall-cmd --state
    not running
    [root@server1 ~]#

    Now I will install the network configuration editor and the shell based editor "nano" that
    I will use in the next steps to edit the config files:

    yum -y install nano wget NetworkManager-tui

    If you did not configure your network card during the installation, you can do that now.
    Run...

    nmtui

    ... and go to Edit a connection:

    Select your network interface:

    Then fill in your network details - disable DHCP and fill in a static IP address, a netmask,
    your gateway, and one or two nameservers, then hit Ok:

    Next select OK to confirm the changes that you made in the network settings
    and Quit to close the nmtui network configuration tool.

    You should run

    ifconfig

    now to check if the installer got your IP address right:

    [root@server1 ~]# ifconfig
    ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.1.100  netmask 255.255.255.0  broadcast 192.168.1.255
            inet6 fe80::20c:29ff:fecd:cc52  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:cd:cc:52  txqueuelen 1000  (Ethernet)
            RX packets 55621  bytes 79601094 (75.9 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 28115  bytes 2608239 (2.4 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 0  (Local Loopback)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    If your network card does not show up there, then it is not enabled on boot. In this
    case, open the file /etc/sysconfig/network-scripts/ifcfg-eth0

    nano /etc/sysconfig/network-scripts/ifcfg-ens33

    ONBOOT=yes
    [...]

    and reboot the server.

    Check your /etc/resolv.conf if it lists all nameservers that you've previously
    configured:

    cat /etc/resolv.conf

    If nameservers are missing, run

    nmtui

    and add the missing nameservers again.

    Now, on to the configuration...

    6.1.5 4 Adjust /etc/hosts

    Next we edit /etc/hosts. Make it look like this:

    nano /etc/hosts

    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    192.168.1.100   server1.example.com     server1
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

    6.1.6 5 Disable SELinux

    SELinux is a security extension of CentOS that should provide extended security. In my
    opinion you don't need it to configure a secure system, and it usually causes more
    problems than advantages (think of it after you have done a week of trouble-shooting
    because some service wasn't working as expected, and then you find out that
    everything was ok, only SELinux was causing the problem). Therefore I disable it (this is
    a must if you want to install ISPConfig later on).

    Edit /etc/selinux/config and set SELINUX=disabled:

    nano /etc/selinux/config

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=disabled
    # SELINUXTYPE= can take one of these two values:
    #     targeted - Targeted processes are protected,
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted

    Afterwards we must reboot the system:

    reboot

    6.1.7 6 Enable Additional Repositories And Install Some Software

    ... 10 to the [epel] section:

    [epel]
    name=Extra Packages for Enterprise Linux 7 - $basearch
    #baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
    mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
    failovermethod=priority
    enabled=1
    priority=10
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
    [...]

    Then we update our existing packages on the system:

    yum update

    Now we install some software packages that are needed later on:

    yum -y groupinstall 'Development Tools'

    6.1.8 7 Quota

    (If you have chosen a different partitioning scheme than I did, you must adjust this
    chapter so that quota applies to the partitions where you need it.)

    To install quota, we run this command:

    yum -y install quota

    Now we check if quota is already enabled for the filesystem where the website
    (/var/www) and maildir data (var/vmail) is stored. In this example setup, I have one big
    root partition, so I search for ' / ':

    mount | grep ' / '

    [root@server1 ~]# mount | grep ' / '
    /dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,noquota)
    [root@server1 ~]#

    If you have a separate /var partition, then use:

    mount | grep ' /var '

    instead. If the line contains the word "noquota", then proceed with the following steps
    to enable quota.

    6.1.9 Enabling quota on the / (root) partition

    Normally you would enable quota in the /etc/fstab file, but if the filesystem is the root
    filesystem "/", then quota has to be enabled by a boot parameter of the Linux Kernel.

    Edit the grub configuration file:

    nano /etc/default/grub

    Search for the line that starts with GRUB_CMDLINE_LINUX and
    add rootflags=uquota,gquota to the commandline parameters so that the resulting
    line looks like this:

    GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/swap vconsole.font=latarcyrheb-sun16 rd.lvm.lv=centos/root crashkernel=auto vconsole.keymap=us rhgb quiet rootflags=uquota,gquota"

    and apply the changes by running the following commands.

    cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg_bak

    grub2-mkconfig -o /boot/grub2/grub.cfg

    and reboot the server.

    reboot

    Now check if quota is enabled:

    mount | grep ' / '

    [root@server1 ~]# mount | grep ' / '
    /dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,usrquota,grpquota)
    [root@server1 ~]#

    When quota is active, we can see "usrquota,grpquota" in the mount option list.

    6.1.10 Enabling quota on a separate /var partition

    If you have a separate /var partition, then edit /etc/fstab and add ,uquota,gquota to
    the /var partition (/dev/mapper/centos-var):

    nano /etc/fstab

    #
    # /etc/fstab
    # Created by anaconda on Sun Sep 21 16:33:45 2014
    #
    # Accessible filesystems, by reference, are maintained under '/dev/disk'
    # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
    #
    /dev/mapper/centos-root /                       xfs     defaults        1 1
    /dev/mapper/centos-var /var                     xfs     defaults,uquota,gquota        1 2
    UUID=9ac06939-7e43-4efd-957a-486775edd7e4 /boot                   xfs     defaults        1 3
    /dev/mapper/centos-swap swap                    swap    defaults        0 0

    Then run

    mount -o remount /var

    quotacheck -avugm

    quotaon -avug

    to enable quota. When you get an error that there is no partition with quota enabled,
    then reboot the server before you proceed.

    6.1.11 8 Install Apache, MySQL, phpMyAdmin

    yum -y install ntp httpd mod_ssl mariadb-server php php-mysql php-mbstring phpmyadmin

    7 THE PERFECT SERVER - CENTOS 7.1 WITH APACHE2, POSTFIX, DOVECOT, PUREFTPD, BIND AND ISPCONFIG 3 - PAGE 2

    7.1.1 On this page

    • 9 Install Dovecot
    • 10 Install Postfix
    • 11 Install Getmail
    • 12 Set MySQL Passwords And Configure phpMyAdmin
    • 13 Install Amavisd-new, SpamAssassin And ClamAV
    • 14 Installing Apache2 With mod_php, mod_fcgi/PHP5, PHP-FPM And suPHP
    • 15 Installation of mod_python
    • 16 Install PureFTPd
    • 17 Install BIND
    • 18 Install Webalizer, And AWStats
    • 19 Install Jailkit
    • 20 Install fail2ban
    • 21 Install rkhunter
    • 22 Install Mailman

    7.1.2 9 Install Dovecot

    Dovecot can be installed as follows:

    yum -y install dovecot dovecot-mysql dovecot-pigeonhole

    Create an empty dovecot-sql.conf file and symlink:

    touch /etc/dovecot/dovecot-sql.conf

    ln -s /etc/dovecot/dovecot-sql.conf /etc/dovecot-sql.conf

    Now create the system startup links and start Dovecot:


    systemctl enable dovecot

    systemctl start dovecot

     

    7.1.3 10 Install Postfix

    Postfix can be installed as follows:

    yum -y install postfix

    Then turn off Sendmail and start Postfix and MariaDB (MySQL):

    systemctl enable mariadb.service

    systemctl start mariadb.service

    systemctl stop sendmail.service

    systemctl disable sendmail.service

    systemctl enable postfix.service

    systemctl restart postfix.service

    We disable sendmail to ensure that it does not get started in case it is installed on your server. So the error message "Failed to issue method call: Unit sendmail.service not loaded." can be ignored.

     

    7.1.4 11 Install Getmail

    mysql_secure_installation

    [root@server1 tmp]# mysql_secure_installation

    NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
    SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

    In order to log into MariaDB to secure it, we'll need the current
    password for the root user. If you've just installed MariaDB, and
    you haven't set the root password yet, the password will be blank,
    so you should just press enter here.

    Enter current password for root (enter for none):
    OK, successfully used password, moving on...

    Setting the root password ensures that nobody can log into the MariaDB
    root user without the proper authorisation.

    Set root password? [Y/n]

    Remove test database and access to it? [Y/n]


    <Directory /usr/share/phpMyAdmin/>
      <IfModule mod_authz_core.c>
        # Apache 2.4
        <RequireAny>
          # Require ip 127.0.0.1
          # Require ip ::1
          Require all granted
        </RequireAny>
      </IfModule>
      <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from All
        Allow from 127.0.0.1
        Allow from ::1
      </IfModule>
    </Directory>

     

    Next we change the authentication in phpMyAdmin from cookie to http:

    nano /etc/phpMyAdmin/config.inc.php

    [...]
    /* Authentication type */
    $cfg['Servers'][$i]['auth_type'] = 'http';
    [...]

    Then we create the system startup links for Apache and start it:

    systemctl enable httpd.service

    systemctl restart httpd.service

    Now you can direct your browser to http://server1.example.com/phpmyadmin/ or http://192.168.0.100/phpmyadmin/ and log in with the user name root and your new root MySQL password.

     

    7.1.6 13 Install Amavisd-new, SpamAssassin And ClamAV

    We can install Apache2 with mod_php5, mod_fcgid, and PHP5 as follows:

    yum -y install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-pecl-apc php-mbstring php-mcrypt php-mssql php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel php-fpm

    Next we open /etc/php.ini...

    nano /etc/php.ini

    ... and change the error reporting (so that notices aren't shown any longer), set the timezone and uncomment cgi.fix_pathinfo=1:

    [...]
    ;error_reporting = E_ALL & ~E_DEPRECATED
    error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED
    [...]
    ; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
    ; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
    ; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
    ; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting
    ; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
    ; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
    ; http://www.php.net/manual/en/ini.core.php#ini.cgi.fix-pathinfo
    cgi.fix_pathinfo=1
    [...]
    date.timezone = 'Europe/Berlin'
    [...]

    Next we install suPHP (there is a mod_suphp package available in the repositories, but unfortunately it isn't compatible with ISPConfig, therefore we have to build suPHP ourselves):


    cd /usr/local/src

    wget http://suphp.org/download/suphp-0.7.2.tar.gz

    tar zxvf suphp-0.7.2.tar.gz

    CentOS 7.1 uses apache-2.4, so we need to patch suphp before we can compile it against Apache. The patch gets applied like this:

    wget -O suphp.patch https://lists.marsching.com/pipermail/suphp/attachments/201[...]

    [...]/usr/ --sysconfdir=/etc/ --with-apr=/usr/bin/apr-1-config --with-apache-user=apache --with-setid-mode=owner --with-logfile=/var/log/httpd/suphp_log

    make

    make install

    Then we add the suPHP module to our Apache configuration...


    nano /etc/httpd/conf.d/suphp.conf

    LoadModule suphp_module modules/mod_suphp.so

    ... and create the file /etc/suphp.conf as follows:

    nano /etc/suphp.conf

    [global]
    ;Path to logfile
    logfile=/var/log/httpd/suphp.log
    ;Loglevel
    loglevel=info
    ;User Apache is running as
    webserver_user=apache
    ;Path all scripts have to be in
    docroot=/
    ;Path to chroot() to before executing script
    ;chroot=/mychroot
    ; Security options
    allow_file_group_writeable=true
    allow_file_others_writeable=false
    allow_directory_group_writeable=true
    allow_directory_others_writeable=false
    ;Check whether script is within DOCUMENT_ROOT
    check_vhost_docroot=true
    ;Send minor error messages to browser
    errors_to_browser=false
    ;PATH environment variable
    env_path=/bin:/usr/bin
    ;Umask to set, specify in octal notation
    umask=0077
    ; Minimum UID
    min_uid=100
    ; Minimum GID
    min_gid=100

    [handlers]
    ;Handler for php-scripts
    x-httpd-suphp="php:/usr/bin/php-cgi"
    ;Handler for CGI-scripts
    x-suphp-cgi="execute:!self"
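
    The security options in this suphp.conf decide which scripts suPHP refuses to run, so a copy that has drifted from them is worth catching. The check below is an added example, not part of the original tutorial or of suPHP: the function names and both sample files are constructed, and it takes the values shown above (others-writeable false, check_vhost_docroot true, min_uid and min_gid of 100) as the baseline.

```shell
#!/bin/sh
# Added example: list [global] settings in a suphp.conf that are weaker than
# the values used in the tutorial. Reads the file named in $1, or stdin.

suphp_findings() {
    awk -F= '
        /^[ \t]*;/ || /^[ \t]*$/ { next }     # ";" starts a comment line
        /^[ \t]*\[/ { section = $1; gsub(/[ \t]/, "", section); next }
        section != "[global]" { next }        # [handlers] is not audited here
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t"]/, "", val)
            seen[key] = 1
            weak = 0
            # Scripts or directories writable by "others" must be refused.
            if (key ~ /^allow_(file|directory)_others_writeable$/ && val != "false") weak = 1
            # Scripts must live inside the vhost DOCUMENT_ROOT.
            if (key == "check_vhost_docroot" && val != "true") weak = 1
            # Tutorial baseline: no script runs with a UID or GID below 100.
            if ((key == "min_uid" || key == "min_gid") && val + 0 < 100) weak = 1
            if (weak) print key "=" val
        }
        END {
            # An absent key falls back to a compiled-in default this script
            # does not know, so it is reported for manual review.
            keys = "allow_file_others_writeable allow_directory_others_writeable"
            keys = keys " check_vhost_docroot min_uid min_gid"
            n = split(keys, want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) print want[i] "=<unset>"
        }
    ' "$@"
}

# Constructed sample: the security-relevant part of the tutorial file.
sample_tutorial() {
cat <<'EOF'
[global]
;Path all scripts have to be in
docroot=/
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false
check_vhost_docroot=true
umask=0077
min_uid=100
min_gid=100

[handlers]
x-httpd-suphp="php:/usr/bin/php-cgi"
EOF
}

# Constructed sample: a loosened copy with one key missing.
sample_weak() {
cat <<'EOF'
[global]
allow_file_others_writeable=true
allow_directory_others_writeable=false
min_uid=0
min_gid=100
EOF
}

echo "tutorial values: $(sample_tutorial | suphp_findings | wc -l) finding(s)"
sample_weak | suphp_findings
```

    Run it against the live file with suphp_findings /etc/suphp.conf; no output means every audited key matches the baseline.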

    Edit the file /etc/httpd/conf.d/php.conf to enable php parsing only for phpmyadmin, roundcube and other system packages in /usr/share but not for websites in /var/www as ISPConfig will activate PHP for each website individually.

    nano /etc/httpd/conf.d/php.conf

    change the lines:

    <FilesMatch \.php$>
        SetHandler application/x-httpd-php
    </FilesMatch>

    to:

    <Directory /usr/share>
        <FilesMatch \.php$>
            SetHandler application/x-httpd-php
        </FilesMatch>
    </Directory>

    So that the PHP handler is enclosed by the Directory directive.

    Enable httpd and PHP-FPM to get started at boot time and start the PHP-FPM service.


    systemctl start php-fpm.service

    systemctl enable php-fpm.service

    systemctl enable httpd.service

    Finally we restart Apache:

    systemctl restart httpd.service

    7.1.8 15 Installation of mod_python

    7.1.9 16 Install PureFTPd

    PureFTPd can be installed with the following command:

    yum -y install pure-ftpd

    Then create the system startup links and start PureFTPd:

    systemctl enable pure-ftpd.service

    systemctl start pure-ftpd.service

    Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

    OpenSSL is needed by TLS; to install OpenSSL, we simply run:

    yum install openssl

    Open /etc/pure-ftpd/pure-ftpd.conf...

    nano /etc/pure-ftpd/pure-ftpd.conf

    If you want to allow FTP and TLS sessions, set TLS to 1:

    [...]
    # This option can accept three values :
    # 0 : disable SSL/TLS encryption layer (default).
    # 1 : accept both traditional and encrypted sessions.
    # 2 : refuse connections that don't use SSL/TLS security mechanisms,
    #     including anonymous sessions.
    # Do _not_ uncomment this blindly. Be sure that :
    # 1) Your server has been compiled with SSL/TLS support (--with-tls),
    # 2) A valid certificate is in place,
    # 3) Only compatible clients will log in.

    TLS                      1
    [...]

    In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

    mkdir -p /etc/ssl/private/

    Afterwards, we can generate the SSL certificate as follows:

    openssl req -x509 -nodes -days 7[...]


    That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS.

     

    7.1.10 17 Install BIND

    We can install BIND as follows:

    yum -y install bind bind-utils

    Make a backup of the existing /etc/named.conf file and create a new one as follows:

    cp /etc/named.conf /etc/named.conf_bak

    cat /dev/null > /etc/named.conf

    nano /etc/named.conf

    //
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    options {
            listen-on port 53 { any; };
            listen-on-v6 port 53 { any; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { any; };
            allow-recursion {"none";};
            recursion no;
    };
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    zone "." IN {
            type hint;
            file "named.ca";
    };
    include "/etc/named.conf.local";

    Create the file /etc/named.conf.local that is included at the end of /etc/named.conf (/etc/named.conf.local will later on get populated by ISPConfig if you create DNS zones in ISPConfig):

    touch /etc/named.conf.local

    Then we create the startup links and start BIND:

    systemctl enable named.service

    systemctl start named.service
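
    This named.conf answers queries from any client, so its two recursion lines are what keep the server from acting as an open resolver. The script below is an added example (not the tutorial's or ISC's code) that reports the effective recursion exposure of a named.conf; the function names and sample configs are constructed, and it assumes the BIND 9 fallback order allow-recursion, allow-query-cache, allow-query, then localnets and localhost.

```shell
#!/bin/sh
# Added example: report whether a named.conf leaves recursion open to any client.

# Drop // and # comments and put the whole file on one space-separated line.
flatten() {
    printf ' %s' "$(sed -e 's|//.*$||' -e 's|#.*$||' "$1" | tr '\t\n' '  ' | tr -s ' ')"
}

# Body of the last "<option> { ... }" clause with quotes and blanks removed;
# prints nothing when the option is absent.
clause() {   # $1 = flattened config, $2 = option name
    printf '%s\n' "$1" | sed -n "s/.*[ ;{]$2 *{\([^}]*\)}.*/\1/p" | tr -d '" '
}

# Print a one-line verdict; return 1 only when recursion is offered to "any".
recursion_exposure() {   # $1 = path to named.conf
    flat=$(flatten "$1")
    rec=$(printf '%s\n' "$flat" |
          sed -n 's/.*[ ;{]recursion  *\([a-z]*\) *;.*/\1/p')
    if [ "$rec" = no ]; then
        echo "closed: recursion no"
        return 0
    fi
    # Assumed BIND 9 fallback: allow-recursion, then allow-query-cache,
    # then allow-query, then the built-in "localnets; localhost;".
    acl=$(clause "$flat" allow-recursion)
    [ -n "$acl" ] || acl=$(clause "$flat" allow-query-cache)
    [ -n "$acl" ] || acl=$(clause "$flat" allow-query)
    [ -n "$acl" ] || acl='localnets;localhost;'
    case ";$acl" in
        *';any;'*) echo "open: recursion allowed for any"; return 1 ;;
    esac
    echo "restricted: recursion allowed for $acl"
}

# Constructed sample: the tutorial options block, abridged.
sample_tutorial() {
cat <<'EOF'
options {
        listen-on port 53 { any; };
        allow-query     { any; };   // authoritative answers for everyone
        allow-recursion {"none";};
        recursion no;
};
EOF
}

# Constructed sample: the same block with both recursion lines removed.
sample_inherited() {
cat <<'EOF'
options {
        listen-on port 53 { any; };
        allow-query     { any; };
};
EOF
}

tmp=$(mktemp -d)
sample_tutorial  > "$tmp/tutorial.conf"
sample_inherited > "$tmp/inherited.conf"
recursion_exposure "$tmp/tutorial.conf"
recursion_exposure "$tmp/inherited.conf" || true
rm -rf "$tmp"
```

    The second sample shows why the explicit lines matter: with them removed, recursion inherits the allow-query { any; } setting.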

     

    7.1.11 18 Install Webalizer, And AWStats

    Webalizer and AWStats can be installed as follows:

    yum -y install webalizer awstats perl-DateTime-Format-HTTP perl-DateTime-Format-Builder

     

    7.1.12 19 Install Jailkit

    Jailkit is used to chroot SSH users and cronjobs. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

    cd /tmp

    wget http://olivier.sessink.nl/jailkit/jailkit-2.17.tar.gz

    tar xvfz jailkit-2.17.tar.gz

    cd jailkit-2.17

    ./configure

    make

    make install

    cd ..

    rm -rf jailkit-2.17*

     

    7.1.13 20 Install fail2ban

    This is optional but recommended, because the ISPConfig monitor tries to show the log.

    yum -y install iptables-services fail2ban fail2ban-systemd

    systemctl mask firewalld.service

    systemctl enable iptables.service

    systemctl enable ip6tables.service

    systemctl stop firewalld.service

    systemctl start iptables.service

    systemctl start ip6tables.service

    Next we create the /etc/fail2ban/jail.local file and enable monitoring for ssh, email and ftp service.

    nano /etc/fail2ban/jail.local


    Add the following content into the jail.local file:

    [sshd]
    enabled = true
    action = iptables[name=sshd, port=ssh, protocol=tcp]

    [pure-ftpd]
    enabled = true
    action = iptables[name=FTP, port=ftp, protocol=tcp]
    maxretry = 3

    [dovecot]
    enabled = true
    action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
    maxretry = 5

    [postfix-sasl]
    enabled = true
    action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
    maxretry = 3

    Then create the system startup links for fail2ban and start it:

    systemctl enable fail2ban.service

    systemctl start fail2ban.service

     

    7.1.14 21 Install rkhunter

    rkhunter can be installed as follows:

    yum -y install rkhunter

     

    7.1.15 22 Install Mailman

    ... and add the following lines:

    [...]
    mailman:              "|/usr/lib/mailman/mail/mailman post mailman"
    mailman-admin:        "|/usr/lib/mailman/mail/mailman admin mailman"
    mailman-bounces:      "|/usr/lib/mailman/mail/mailman bounces mailman"
    mailman-confirm:      "|/usr/lib/mailman/mail/mailman confirm mailman"
    mailman-join:         "|/usr/lib/mailman/mail/mailman join mailman"
    mailman-leave:        "|/usr/lib/mailman/mail/mailman leave mailman"
    mailman-owner:        "|/usr/lib/mailman/mail/mailman owner mailman"
    mailman-request:      "|/usr/lib/mailman/mail/mailman request mailman"
    mailman-subscribe:    "|/usr/lib/mailman/mail/mailman subscribe mailman"
    mailman-unsubscribe:  "|/usr/lib/mailman/mail/mailman unsubscribe mailman"

    Run

    newaliases

    afterwards and restart Postfix:

    systemctl restart postfix.service

    Now open the Mailman Apache configuration file /etc/httpd/conf.d/mailman.conf...

    nano /etc/httpd/conf.d/mailman.conf

    ... and add the line ScriptAlias /cgi-bin/mailman/ /usr/lib/mailman/cgi-bin/. Comment out Alias /pipermail/ /var/lib/mailman/archives/public/ and add the line Alias /pipermail /var/lib/mailman/archives/public/:

    #
    #  httpd configuration settings for use with mailman.
    #
    ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
    ScriptAlias /cgi-bin/mailman/ /usr/lib/mailman/cgi-bin/
    <Directory /usr/lib/mailman/cgi-bin/>
        AllowOverride None
        Options ExecCGI
        Order allow,deny
        Allow from all
    </Directory>

    #Alias /pipermail/ /var/lib/mailman/archives/public/
    Alias /pipermail /var/lib/mailman/archives/public/
    <Directory /var/lib/mailman/archives/public>
        Options Indexes Multi[...]


    Create the system startup links for Mailman and start it:

    systemctl enable mailman.service

    systemctl start mailman.service

    After you have installed ISPConfig 3, you can access Mailman as follows:

    You can use the alias /cgi-bin/mailman for all Apache vhosts (please note that suExec and CGI must be disabled for all vhosts from which you want to access Mailman!), which means you can access the Mailman admin interface for a list at http://<vhost>/cgi-bin/mailman/admin/<listname>, and the web page for users of a mailing list can be found at http://<vhost>/cgi-bin/mailman/listinfo/<listname>.

    Under http://<vhost>/pipermail/<listname> you can find the mailing list archives.

    8 THE PERFECT SERVER - CENTOS 7.1 WITH APACHE2, POSTFIX, DOVECOT, PUREFTPD, BIND AND ISPCONFIG 3 - PAGE 3

    8.1.1 On this page

    • 23 Install Roundcube webmail
    • 24 Install ISPConfig 3
    • 25 First ISPConfig Login
    • 25.1 ISPConfig 3 Manual
    • 25 Links

    8.1.2 23 Install Roundcube webmail

    #
    # Round Cube Webmail is a browser-based multilingual IMAP client
    #

    Alias /roundcubemail /usr/share/roundcubemail
    Alias /webmail /usr/share/roundcubemail

    # Define who can access the Webma