SWAT Blog

Archive for December, 2010

Step By Step configuration of DNS server

Tuesday, December 28th, 2010

Note: before you start
Set the IP address manually (I use 172.17.0.250).
Set the hostname to the FQDN (I use server.pdc.home).
There is no need to install caching-nameserver on Fedora 9 to 14; the bind package alone is enough there.

The installation has been performed on the following Linux distributions.

Server: Fedora 6 to 14, RHEL 5.0 to 5.5 and CentOS 5.0 to 5.5.

Note: Check the firewall and SELinux policy before continuing. Prefer adding rules to disabling them: named needs UDP and TCP port 53 open to the clients it serves, and the targeted SELinux policy already has a domain for named as long as the zone files stay under /var/named. If you do switch either one off while debugging, turn it back on before the server goes live.

1. Installation of DNS Server.

[root@linux8 ~]# yum install bind* caching-nameserver*

2. Make sure that the host names are set properly

[root@linux8 ~]# vi /etc/hosts

127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
172.17.0.250 server.pdc.home server #(ip address & fqdn)

[root@linux8 ~]# vi /etc/sysconfig/network

NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=server.pdc.home

[root@linux8 ~]# hostname server.pdc.home

3. DNS resolver entry

[root@linux8 ~]# vi /etc/resolv.conf

# search takes the zone, not the host: with it, "server" alone resolves to server.pdc.home
search pdc.home
nameserver 172.17.0.250

4. Do the following configuration to set up DNS properly.
(a)

[root@linux8 ~]# vi /etc/named.conf

options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// Do not add "query-source port 53;" here: pinning the outgoing port makes
// replies to named's own lookups easy to spoof. Left unset, named picks a
// random source port for every query.
// Only answer (and recurse for) the LAN, so this is not an open resolver.
allow-query { localhost; 172.17.0.0/24; };
allow-recursion { localhost; 172.17.0.0/24; };
};
zone "pdc.home" IN {
type master;
file "pdc.home.forward";
allow-update { none; };
};

zone "0.17.172.in-addr.arpa" IN {
type master;
file "pdc.home.reverse";
allow-update { none; };
};

(b) Create the forward zone file in /var/named and a reverse zone file next to it. The two copies below are only templates: every record you keep from them must be changed to the new zone, otherwise leftovers from localhost.zone (an A record for 127.0.0.1 at the zone apex) end up answering for pdc.home.

[root@linux8 ~]# cd /var/named
[root@linux8 named]# cp localhost.zone pdc.home.forward
[root@linux8 named]# cp named.local pdc.home.reverse
[root@linux8 named]# vi pdc.home.forward

$TTL 86400
@ IN SOA server.pdc.home. root.server.pdc.home. (
42 ; serial, increase it on every edit or secondaries never pick up the change
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum

@ IN NS server.pdc.home.
server IN A 172.17.0.250

[root@linux8 named]# vi pdc.home.reverse

$TTL 86400
@ IN SOA server.pdc.home. root.server.pdc.home. (
1997022700 ; serial, increase it on every edit
28800 ; refresh
14400 ; retry
3600000 ; expire
86400 ) ; minimum
@ IN NS server.pdc.home.
250 IN PTR server.pdc.home.

(c) Enable the chroot, then restart the named service

[root@linux8 ~]# bind-chroot-admin -e    #moves config and zones under /var/named/chroot (bind-chroot package; -d reverts it)
[root@linux8 ~]# service named restart
[root@linux8 ~]# chkconfig named on      #start named at boot

If named refuses to start, run named-checkconf on /etc/named.conf and named-checkzone on each zone file to find the syntax error; both ship with bind.

The DNS server is ready now; time to test it. Ask the new server for the forward record:

[root@linux8 ~]# dig server.pdc.home

The answer should look like the following. The aa flag in the header means the reply is authoritative, i.e. it came from our zone file and not from a cache:

; <<>> DiG 9.3.4-P1 <<>> server.pdc.home
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33213
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;server.pdc.home. IN A

;; ANSWER SECTION:
server.pdc.home. 86400 IN A 172.17.0.250

;; AUTHORITY SECTION:
pdc.home. 86400 IN NS server.pdc.home.

;; Query time: 0 msec
;; SERVER: 172.17.0.250#53(172.17.0.250)
;; WHEN: Mon Mar 9 13:39:47 2009
;; MSG SIZE rcvd: 63

[root@linux8 ~]# dig  -x 172.17.0.250

The answer should look like the following:

; <<>> DiG 9.3.4-P1 <<>> -x 172.17.0.250
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34497
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;250.0.17.172.in-addr.arpa. IN PTR

;; ANSWER SECTION:
250.0.17.172.in-addr.arpa. 86400 IN PTR server.pdc.home.

;; AUTHORITY SECTION:
0.17.172.in-addr.arpa. 86400 IN NS server.pdc.home.

;; ADDITIONAL SECTION:
server.pdc.home. 86400 IN A 172.17.0.250

;; Query time: 0 msec
;; SERVER: 172.17.0.250#53(172.17.0.250)
;; WHEN: Mon Mar 9 13:41:37 2009
;; MSG SIZE rcvd: 103
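What dig is doing above, as an added example that is not part of the original post or of BIND: a small Python script that builds the same A and PTR queries on the wire, parses the reply (header flags, compression pointers, A/NS/PTR rdata) and rejects a reply whose transaction ID does not match the query. The sample replies are constructed inline with constructed_response() so the script runs offline; query() sends a real query to 172.17.0.250 if you want the live check. It also shows why "query-source port 53" should stay out of named.conf: a resolver relies on a random source port plus a random 16-bit ID to make spoofed replies hard to land, and pinning the port removes half of that.

```python
"""DNS wire-format check for the zones above (added example, stdlib only)."""
import random
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "PTR": 12}
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def reverse_name(ip):
    """172.17.0.250 -> 250.0.17.172.in-addr.arpa (the name dig -x queries)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def encode_name(name):
    """Wire form: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Read a name at offset, following RFC 1035 compression pointers.
    Returns (dotted name with trailing dot, offset just past the name)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:            # pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels) + ".", end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name, qtype, txid):
    """Standard recursive query with a single question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_response(msg, expected_txid):
    """Return rcode, the 'aa' flag dig shows, and answers as (name, type, ttl, value)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: not a reply to our query")
    offset = 12
    for _ in range(qd):                         # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE["A"]:
            value = socket.inet_ntoa(msg[offset:offset + rdlen])
        elif rtype in (QTYPE["NS"], QTYPE["PTR"]):
            value, _ = decode_name(msg, offset)
        else:
            value = msg[offset:offset + rdlen].hex()
        answers.append((name, rtype, ttl, value))
        offset += rdlen
    return {"rcode": flags & 0x000F, "aa": bool(flags & FLAG_AA), "answers": answers}


def constructed_response(txid, qname, qtype, rdata, ttl=86400):
    """Constructed test data (not a capture): a minimal authoritative reply
    with one answer whose owner name is a pointer (0xC00C) to the question."""
    flags = FLAG_QR | FLAG_AA | FLAG_RD | FLAG_RA
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)
    return msg + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE[qtype], 1, ttl, len(rdata)) + rdata


def query(server, name, qtype, timeout=2.0):
    """Live lookup. The kernel picks a random source port and we pick a random
    ID: together they are what a spoofer has to guess."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, txid)


if __name__ == "__main__":
    a = parse_response(constructed_response(33213, "server.pdc.home", "A",
                                            bytes([172, 17, 0, 250])), 33213)
    print(a["aa"], a["answers"])   # True [('server.pdc.home.', 1, 86400, '172.17.0.250')]
    # For the real server: print(query("172.17.0.250", "server.pdc.home", "A"))
```

The constructed A reply is 63 bytes once the NS authority record is added, the same size dig reports above, which is a quick sanity check that the parser and the real packet agree on layout.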

Step by step Configuration of Secure FTP Server on Linux

Tuesday, December 28th, 2010

The installation has been performed on the following Linux distributions:
Fedora 6 to 14, RHEL 5.0 to 5.5 and CentOS 5.0 to 5.5
STEP 1: Setup VSFTPD

[root@linux8 ~]# yum install vsftpd*

STEP 2: Configure VSFTPD

[root@linux8 ~]# vi /etc/vsftpd/vsftpd.conf

Make the changes below:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES

#You may fully customise the login banner string
ftpd_banner=Welcome to Minor Addition FTP.

listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

Save and exit. vsftpd is strict about the format: one option=value per line with no spaces around the "=", or it refuses to start.

STEP 3: Check that vsftpd was built with TLS/SSL support

vsftpd encrypts FTP with TLS (FTPS), not with SSH; the binary must be linked against OpenSSL for the ssl_* options below to work:

[root@linux8 ~]#ldd /usr/sbin/vsftpd | grep ssl

The output of this command should contain a line like the following:

libssl.so.6 => /lib/libssl.so.6 (0x001bf000)

STEP 4: Generate the certificate and key for encryption

[root@linux8 ~]#cd /etc/pki/tls/certs
[root@linux8 ~]#make vsftpd.pem

This creates a self-signed certificate and its private key in one file. The certificate is valid for a limited time (2 years on the author's system); check the exact Validity dates in the openssl x509 output below and regenerate it before it expires. Answer the prompts; the Common Name must be the hostname clients will connect to, otherwise they get a name-mismatch warning:

Country Name : IN
State or Province Name (full name) : Atul Sharma
Locality Name (eg, city) : Guildford
Organization Name : Tactical Value.
Organizational Unit Name : Centos Server
Common Name (eg, your name or your server's hostname) : ixlinux1
Email Address : sysadmin@minoraddition.com

Note: vsftpd.pem contains the private key, so it must be readable by its owner (root) only. This does not break a server running as an unprivileged account, because the key is loaded before vsftpd drops privileges.

[root@linux8 ~]#cat /etc/pki/tls/certs/vsftpd.pem
[root@linux8 ~]#openssl x509 -in /etc/pki/tls/certs/vsftpd.pem -noout -text
[root@linux8 ~]#chmod 600 /etc/pki/tls/certs/vsftpd.pem

The configuration file needs a few more entries. Open vsftpd.conf and add the lines below at the end of the file.

[root@linux8 ~]#vi /etc/vsftpd/vsftpd.conf

# TLS configuration
ssl_enable=YES
allow_anon_ssl=NO
# Keep both at YES: force_local_logins_ssl protects the password,
# force_local_data_ssl protects the file contents. With force_local_data_ssl=NO
# (as originally posted) logins are encrypted but every file still crosses
# the wire in the clear.
force_local_data_ssl=YES
force_local_logins_ssl=YES

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem

Now restart the service:

[root@linux8 ~]# /etc/init.d/vsftpd restart

That is all for the secure FTP server. To access it you have to create local user accounts on the same machine, since local_enable=YES authenticates against them.
Linux clients: gFTP, FileZilla.
Windows clients: FileZilla.
When connecting, choose "FTP over TLS (explicit)" and port 21. This is FTPS, not SFTP over SSH, so port 22 is not involved. If a firewall sits in front of the server, also allow the passive data port range (pasv_min_port and pasv_max_port in vsftpd.conf): once the control channel is encrypted, the FTP connection-tracking helper can no longer read the PASV replies and open the data ports for you.
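To see whether a vsftpd.conf actually protects both logins and file contents, here is an added example (not code from the post or from the vsftpd project) in Python that parses the file the way vsftpd does and checks the TLS options against vsftpd's documented defaults. The two embedded configs are constructed from the settings in this post: WEAK keeps force_local_data_ssl=NO, HARDENED sets it to YES and adds ssl_ciphers=HIGH. The option names are real vsftpd.conf keys; the expected values are this example's hardening choices.

```python
"""Audit the TLS-relevant settings of a vsftpd.conf (added example)."""

# Documented vsftpd defaults for the options we care about (man vsftpd.conf),
# so an option that is simply missing is judged by what vsftpd will do.
DEFAULTS = {
    "anonymous_enable": "YES",
    "ssl_enable": "NO",
    "allow_anon_ssl": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "ssl_tlsv1": "YES",
}

# What a "secure FTP server" should end up with, and why (this example's choices).
EXPECTED = {
    "anonymous_enable": ("NO", "anonymous logins must stay off"),
    "ssl_enable": ("YES", "without this nothing is encrypted at all"),
    "allow_anon_ssl": ("NO", "no anonymous TLS sessions"),
    "force_local_logins_ssl": ("YES", "or a client may send its password in the clear"),
    "force_local_data_ssl": ("YES", "or file contents travel in the clear on the data channel"),
    "ssl_sslv2": ("NO", "SSLv2 is broken"),
    "ssl_sslv3": ("NO", "SSLv3 is obsolete"),
    "ssl_tlsv1": ("YES", "leave at least TLSv1 on or clients cannot negotiate"),
}


def parse_vsftpd_conf(text):
    """Return {option: value}. Raise ValueError on a line vsftpd would reject
    (vsftpd wants option=value with no whitespace around the '=')."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line or " " in line.split("=", 1)[0]:
            raise ValueError(f"line {lineno}: expected option=value with no spaces: {raw!r}")
        key, value = line.split("=", 1)
        conf[key] = value
    return conf


def as_bool(value):
    """vsftpd accepts YES/TRUE/1 and NO/FALSE/0, case-insensitively."""
    v = value.strip().upper()
    if v in ("YES", "TRUE", "1"):
        return "YES"
    if v in ("NO", "FALSE", "0"):
        return "NO"
    raise ValueError(f"not a vsftpd boolean: {value!r}")


def audit(text):
    """Return a list of findings; an empty list means the TLS settings are as expected."""
    conf = parse_vsftpd_conf(text)
    findings = []
    for opt, (want, why) in EXPECTED.items():
        have = as_bool(conf.get(opt, DEFAULTS[opt]))
        if have != want:
            src = "set" if opt in conf else "defaulted"
            findings.append(f"{opt} is {have} ({src}); want {want}: {why}")
    if as_bool(conf.get("ssl_enable", DEFAULTS["ssl_enable"])) == "YES":
        if "rsa_cert_file" not in conf:
            findings.append("rsa_cert_file not set: vsftpd will look for its built-in default path")
        if "ssl_ciphers" not in conf:
            findings.append("ssl_ciphers not set: vsftpd's default cipher string is 3DES only; set ssl_ciphers=HIGH")
    return findings


# Constructed from the settings shown in this post (not a copy of a live file).
WEAK = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
"""
HARDENED = WEAK.replace("force_local_data_ssl=NO", "force_local_data_ssl=YES") + "ssl_ciphers=HIGH\n"

if __name__ == "__main__":
    for label, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, audit(text) or "ok")
```

Run it against the real file with audit(open("/etc/vsftpd/vsftpd.conf").read()); the malformed-line check is worth keeping because a stray space is the usual reason vsftpd "silently" fails to start after editing.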

Move a Subversion Repository from One Remote Server to Another

Tuesday, December 28th, 2010

The servers were in remote locations and all I had was ssh access.

Step One: Back up your old repository
This is done with the svnadmin command.

svnadmin dump /srv/svn/repository_name > reponame.dmp

Step Two: Create the new repository on the new svn server
This is the same as creating a new project on your svn server.

svnadmin create /srv/svn/repository_name

Step Three: Transfer the old repository dump to your new svn server
You can do this any way you want. I chose scp.

scp reponame.dmp root@remote-server:/opt/

Compare a checksum of the file on both ends (sha256sum reponame.dmp) before loading: a multi-gigabyte transfer that was cut short is not obvious from the file name.

Last Step: Import your old repository into the new one

root@server:~#cd /opt
root@server:/opt#svnadmin load /srv/svn/repository_name < reponame.dmp

Because the load ran as root, fix the ownership afterwards so that the account which serves the repository (apache, svnserve or the ssh users) owns it; otherwise commits fail with permission errors.

It's very simple. My .dmp file was about 2GB, so it took hours to transfer. With physical access to the servers this could be a few minutes' job.
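Before spending hours on svnadmin load, it is worth checking that the dump survived the transfer. The following is an added example, not code from the post or from Subversion: a Python reader for the dump format (RFC 822-style header blocks, a blank line, then Content-length bytes of body) that recomputes the Text-content-md5 of every file node and reports the youngest revision, which you can compare with svnlook youngest on the old server. The two-revision dump it checks is constructed inline by constructed_dump(), not taken from a real repository.

```python
"""Integrity check for a Subversion dump file before `svnadmin load` (added example)."""
import hashlib


def _props(items):
    """Serialize a property list as the K/V block a dump file uses."""
    out = b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v) for k, v in items)
    return out + b"PROPS-END\n"


def _record(headers, props=None, text=None):
    """One dump record with correct length and checksum headers."""
    hdrs, body = list(headers), b""
    if props is not None:
        hdrs.append(("Prop-content-length", str(len(props))))
        body += props
    if text is not None:
        hdrs.append(("Text-content-length", str(len(text))))
        hdrs.append(("Text-content-md5", hashlib.md5(text).hexdigest()))
        body += text
    hdrs.append(("Content-length", str(len(body))))
    head = b"".join(b"%s: %s\n" % (k.encode(), v.encode()) for k, v in hdrs)
    return head + b"\n" + body + b"\n\n"


def constructed_dump(readme=b"hello world\n"):
    """Constructed sample: r0 (empty) and r1 adding trunk/ and trunk/README."""
    return (b"SVN-fs-dump-format-version: 2\n\n"
            b"UUID: 6e7b2c3a-0000-4000-8000-000000000001\n\n"
            + _record([("Revision-number", "0")],
                      _props([(b"svn:date", b"2010-12-28T10:00:00.000000Z")]))
            + _record([("Revision-number", "1")],
                      _props([(b"svn:log", b"Initial import"), (b"svn:author", b"alice")]))
            + _record([("Node-path", "trunk"), ("Node-kind", "dir"), ("Node-action", "add")],
                      _props([]))
            + _record([("Node-path", "trunk/README"), ("Node-kind", "file"),
                       ("Node-action", "add")], _props([]), readme))


def verify_dump(data):
    """Return {'format', 'youngest', 'nodes', 'bad_checksums'}; raise ValueError
    if the dump is truncated or in a format this reader does not understand."""
    pos, rev, fmt, youngest, nodes, bad = 0, None, None, None, 0, []
    while pos < len(data):
        if data[pos:pos + 1] == b"\n":          # blank lines between records
            pos += 1
            continue
        end = data.find(b"\n\n", pos)           # header block ends at a blank line
        if end < 0:
            raise ValueError("truncated header block")
        headers = {}
        for line in data[pos:end].split(b"\n"):
            key, _, value = line.partition(b": ")
            headers[key.decode()] = value.decode()
        pos = end + 2
        if "SVN-fs-dump-format-version" in headers:
            fmt = int(headers["SVN-fs-dump-format-version"])
            if fmt not in (2, 3):
                raise ValueError(f"unsupported dump format {fmt}")
            continue
        if "UUID" in headers:
            continue
        length = int(headers.get("Content-length", "0"))
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated record at byte {pos}")
        pos += length
        if "Revision-number" in headers:
            rev = int(headers["Revision-number"])
            youngest = rev if youngest is None else max(youngest, rev)
        elif "Node-path" in headers:
            nodes += 1
            # With Text-delta: true (format 3) the body holds a delta while the md5
            # covers the full text, so only plain text bodies are verified here.
            if "Text-content-md5" in headers and headers.get("Text-delta") != "true":
                plen = int(headers.get("Prop-content-length", "0"))
                text = body[plen:plen + int(headers["Text-content-length"])]
                if hashlib.md5(text).hexdigest() != headers["Text-content-md5"]:
                    bad.append((rev, headers["Node-path"]))
        else:
            raise ValueError(f"unknown record at byte {pos}: {sorted(headers)}")
    return {"format": fmt, "youngest": youngest, "nodes": nodes, "bad_checksums": bad}


if __name__ == "__main__":
    print(verify_dump(constructed_dump()))
    # For a real file: print(verify_dump(open("/opt/reponame.dmp", "rb").read()))
```

svnadmin load checks the same checksums itself, but it does so revision by revision while writing into the new repository; running this first fails fast on a damaged file and leaves the new repository untouched.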

Redmine installation on Ubuntu 10.04

Friday, December 10th, 2010

STEP 1: Install Ruby, build essentials, OpenSSL, PostgreSQL and Subversion

apt-get install wget build-essential ruby1.8 ruby1.8-dev irb1.8 \
rdoc1.8 zlib1g-dev libopenssl-ruby1.8 libzlib-ruby libssl-dev \
libpq-dev postgresql subversion

STEP 2: Make symbolic links to the installed Ruby:

ln -s /usr/bin/ruby1.8 /usr/bin/ruby
ln -s /usr/bin/irb1.8 /usr/bin/irb

STEP 3: Download and install rubygems

wget http://rubyforge.org/frs/download.php/70696/rubygems-1.3.7.tgz
tar -xf rubygems*.tgz
cd rubygems*
ruby setup.rb
ln -s /usr/bin/gem1.8 /usr/bin/gem

STEP 4: Install other required gems

gem install -v=1.0.1 rack
gem install fastthread
gem install -v=2.3.5 rails
gem install postgres

STEP 5: Install Passenger and Nginx

cd /opt
wget http://rubyforge.org/frs/download.php/71376/passenger-2.2.15.tar.gz
tar xzvf passenger*.gz

STEP 6: Run the Phusion Passenger installer for Nginx:

cd passenger*/bin
./passenger-install-nginx-module

It will ask you few configuration things for nginx installation
Press Enter
Press 1
Press Enter

STEP 7: Configure Nginx

Nginx is now installed in /opt/nginx, but we need a way of controlling it. Create a file called /etc/init.d/nginx and copy the following script into it:

vi /etc/init.d/nginx

Paste below code into the file:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          nginx
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts the nginx web server
# Description:       starts nginx using start-stop-daemon
### END INIT INFO
PATH=/opt/nginx/sbin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/opt/nginx/sbin/nginx
NAME=nginx
DESC=nginx
test -x $DAEMON || exit 0
# Include nginx defaults if available
if [ -f /etc/default/nginx ] ; then
. /etc/default/nginx
fi
set -e
case "$1" in
start)
echo -n "Starting $DESC: "
start-stop-daemon --start --quiet --pidfile /opt/nginx/logs/$NAME.pid --exec $DAEMON -- $DAEMON_OPTS
echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
start-stop-daemon --stop --quiet --pidfile /opt/nginx/logs/$NAME.pid --exec $DAEMON
echo "$NAME."
;;
restart|force-reload)
echo -n "Restarting $DESC: "
start-stop-daemon --stop --quiet --pidfile /opt/nginx/logs/$NAME.pid --exec $DAEMON
sleep 1
start-stop-daemon --start --quiet --pidfile /opt/nginx/logs/$NAME.pid --exec $DAEMON -- $DAEMON_OPTS
echo "$NAME."
;;
reload)
echo -n "Reloading $DESC configuration:"
start-stop-daemon --stop --signal HUP --quiet --pidfile /opt/nginx/logs/$NAME.pid --exec $DAEMON
echo "$NAME."
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
exit 1
;;
esac
exit 0

Save & exit:

Run the following command to set system startup links:

chmod +x /etc/init.d/nginx
/usr/sbin/update-rc.d -f nginx defaults

If you want to change the default port 80 to 8080 then edit

vi /opt/nginx/conf/nginx.conf
listen 127.0.0.1:8080;

STEP 8: Installing and Configuring Redmine:-

Download Redmine

mkdir -p /srv/www/redmine
cd /srv/www/redmine/
svn co http://redmine.rubyforge.org/svn/branches/1.0-stable redmine

STEP 9: Create and Configure the Database

Switch to the postgres user and start up the psql shell by issuing the following commands:

su - postgres
psql

Run these commands in the psql shell to set up the database for Redmine. Specify a strong password in place of "secret".

CREATE ROLE redmine LOGIN ENCRYPTED PASSWORD 'secret' NOINHERIT VALID UNTIL 'infinity';
CREATE DATABASE redmine WITH ENCODING='UTF8' OWNER=redmine TEMPLATE=template0;
ALTER DATABASE "redmine" SET datestyle="ISO,MDY";
\q
exit
cd redmine

STEP 10: Create the file config/database.yml with the following contents:

vi config/database.yml

Paste these lines into database.yml. YAML is indentation-sensitive: the keys under production: must be indented, or Rails will not find the production settings.

production:
  adapter: postgresql
  database: redmine
  host: localhost
  username: redmine
  password: secret
  encoding: utf8
  schema_search_path: public

Run the following commands to complete database configuration:

chmod 600 config/database.yml
rake config/initializers/session_store.rb
RAILS_ENV=production rake db:migrate
RAILS_ENV=production rake redmine:load_default_data

STEP 11: Configure Email Service

Run the following commands to install exim4 and configure it for outgoing Internet email delivery. You can skip the Exim installation if you already have an SMTP server that accepts unauthenticated locally sent mail, although you will still need to create Redmine's email configuration file.

apt-get install exim4
dpkg-reconfigure exim4-config

Select “internet site” as the type of mail configuration to use.
Specify your systems’s fully qualified domain name as the system mail name.
Enter “127.0.0.1” when asked for the IP address to listen on for SMTP connections. For purposes of allowing Redmine to send mail, we only want to listen on localhost.
Enter “localhost.localdomain” and your fully qualified domain name when asked for the list of recipient domains.
Relay domains and machines should be left blank.
Specify “No” when asked about DNS queries.
When asked about maildirs versus mbox format, you may choose either. Maildirs are increasingly preferred by many modern mail tools.
Specify “No” when asked whether to split the configuration into smaller files.

Create the file config/email.yml and copy in the following contents. Replace the domain field with your fully qualified domain name, and keep the indentation as shown.

File: config/email.yml

production:
  delivery_method: :smtp
  smtp_settings:
    address: 127.0.0.1
    port: 25
    domain: redmine
    authentication: :none

This completes email configuration for your Redmine installation.

STEP 12: Final Configuration and Testing:-

Create a "redmine" user to manage the installation, assigning it a strong password, and run the following commands to set ownership and permissions on the Redmine files:

adduser redmine
cd /srv/www/redmine/
chown -R redmine:redmine *
cd redmine
chmod -R 755 files log tmp public/plugin_assets

Edit the file /opt/nginx/conf/nginx.conf, setting the "user" parameter to "redmine" so the application runs as that unprivileged account rather than the default:

vim /opt/nginx/conf/nginx.conf
user  redmine;

Also add a server section after the first example server as follows. If you are proxying to nginx from another web server, change the listen directive to "listen 8080;" instead of the default.

server {
    listen 80;
    server_name  192.168.1.12;
    root /srv/www/redmine/redmine/public/;
    access_log /srv/www/redmine/redmine/log/access.log;
    error_log /srv/www/redmine/redmine/log/error.log;
    index index.html;
    location / {
        passenger_enabled on;
        allow all;
    }
}

Start nginx:

/etc/init.d/nginx start

The Redmine installation should now be accessible at
http://localhost

Install SVN SERVER (subversion) on CENTOS 5

Thursday, December 9th, 2010

Prerequisites

  • Fresh installation of CentOS 5.
  • Make sure you are logged in as root.
  • Make sure you have Apache (httpd) installed.

Installation Steps
First we’ll install Apache configuration directives for serving Subversion repositories through Apache HTTP Server.

[root@linux10 ~]#yum install subversion mod_dav_svn

Instruct Apache to load the mod_dav_svn module using the LoadModule directive by editing httpd.conf:

[root@linux10 ~]#vi /etc/httpd/conf/httpd.conf

If the following two lines are not present, add them:

LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

Create a directory where all svn repositories will be located:

[root@linux10 ~]#mkdir /srv/svn

Create your first Repository

[root@linux10 ~]#svnadmin create --fs-type fsfs /srv/svn/your_project_name

Set the ownership so that Apache can read and write the repository.

[root@linux10 ~]#chown -R apache:apache /srv/svn/your_project_name

Tell Apache where to find the new repository. Here we create an additional Apache configuration file specifically for the repositories.

[root@linux10 ~]#vi /etc/httpd/conf.d/subversion.conf

Add the following Location block to subversion.conf (the path matches the URL used at the end, http://localhost/svn/your_project_name):

<Location /svn/your_project_name>
DAV svn
SVNPath /srv/svn/your_project_name
AuthType Basic
AuthName "your_project_name Repository"
AuthzSVNAccessFile /srv/svn/svn-acl-conf
AuthUserFile /srv/svn/your_project_name.htpasswd
Require valid-user
</Location>

Note that Basic authentication only base64-encodes the password, so over plain HTTP anyone on the network path can read it. For anything beyond a test box, serve the repository over HTTPS (mod_ssl) and put the Location inside that virtual host.

Add a repository user

[root@linux10 ~]#touch /srv/svn/your_project_name.htpasswd
[root@linux10 ~]#htpasswd -m /srv/svn/your_project_name.htpasswd  username

Create the Access Control List for the SVN Repository

[root@linux10 ~]#vi /srv/svn/svn-acl-conf

Add the following directives in the file. Where username represents the username of the repository user you created earlier.

[your_project_name:/]
username = rw

Final step, restart Apache server.

[root@linux10 ~]#service httpd restart

If you see the message below when browsing your project, the setup has worked.

http://localhost/svn/your_project_name

Revision 0: /
Powered by Subversion version 1.4.2 (r22196).

  • © 2004-2015 Special Work & Technology Limited