The sudo command

The sudo command offers another approach to giving users administrative access. When trusted users precede an administrative command with sudo, they are prompted for their own password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.
The basic format of the sudo command is as follows:

sudo <command>

In the above example, <command> would be replaced by a command normally reserved for the root user, such as mount.

The sudo command allows for a high degree of flexibility. For instance, only users listed in the
/etc/sudoers configuration file are allowed to use the sudo command and the command is executed
in the user’s shell, not a root shell.

Another advantage of the sudo command is that an administrator can allow different users access to specific commands based on their needs.

Administrators wanting to edit the sudo configuration file, /etc/sudoers, should use the visudo
command.

To give someone full administrative privileges, type visudo and add a line similar to the following in the user privilege specification section:

juan ALL=(ALL) ALL

There are several potential risks to keep in mind when using the sudo command. You can avoid
them by editing the /etc/sudoers configuration file using visudo as described above. Leaving
the /etc/sudoers file in its default state gives every user in the wheel group unlimited root
access.

By default, sudo caches the sudoer's authentication for a five minute timeout period. Any
subsequent uses of the command during this period will not prompt the user for a password.
This could be exploited by an attacker if the user leaves his workstation unattended and
unlocked while still being logged in. This behavior can be changed by adding the following line
to the /etc/sudoers file:

Defaults timestamp_timeout = <value>

where <value> is the desired timeout length in minutes. Setting the <value> to 0 causes
sudo to require a password every time.
If a sudoer’s account is compromised, an attacker can use sudo to open a new shell with
administrative privileges:

sudo /bin/bash

Opening a new shell as root in this or similar fashion gives the attacker administrative access
for a theoretically unlimited amount of time, bypassing the timeout period specified in the
/etc/sudoers file and never requiring the attacker to input a password for sudo again until
the newly opened session is closed.
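An added audit script, not from the original text, that flags the risky sudoers patterns this section describes (unrestricted ALL=(ALL) ALL grants, NOPASSWD entries, and a missing timestamp_timeout) against a constructed sample file, and shows the least-privilege fragment an administrator would put in their place.

```shell
#!/bin/sh
# Constructed sample sudoers file: the page's full-access line for juan, the
# default %wheel grant, a NOPASSWD entry, and no timestamp_timeout override.
SAMPLE_SUDOERS="$(mktemp)"
cat >"$SAMPLE_SUDOERS" <<'EOF'
## Constructed sample, not a real /etc/sudoers
Defaults    requiretty
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
juan    ALL=(ALL)       ALL
backup  ALL=(root)      NOPASSWD: /usr/bin/rsync
ops     ALL=(root)      /bin/mount, /bin/umount
EOF

# Report the risky patterns the section warns about, one finding per line:
#   FULL_ROOT <who>        unrestricted "ALL=(ALL) ALL" grant (root itself is expected)
#   NOPASSWD <who>         command runs without re-authentication
#   NO_TIMESTAMP_TIMEOUT   no "Defaults timestamp_timeout" line, so the 5 minute default applies
# Entries that name specific commands, like the "ops" line, are not flagged.
# Reads the file given as $1, or stdin when called without an argument.
audit_sudoers() {
  grep -v '^[[:space:]]*#' "${1:-/dev/stdin}" | grep -v '^[[:space:]]*$' | awk '
    $1 != "root" && /^[^ \t]+[ \t]+ALL[ \t]*=[ \t]*\(ALL(:ALL)?\)[ \t]+ALL[ \t]*$/ {
        printf "FULL_ROOT %s\n", $1
    }
    /NOPASSWD:/ { printf "NOPASSWD %s\n", $1 }
    /^Defaults/ && /timestamp_timeout/ { seen_timeout = 1 }
    END { if (!seen_timeout) print "NO_TIMESTAMP_TIMEOUT" }
  '
}

# The corrected fragment that replaces the findings above: a password on every
# sudo call, and juan limited to the two commands he needs. Apply it with
# visudo, which syntax-checks the file before saving.
hardened_fragment() {
  cat <<'EOF'
Defaults    timestamp_timeout=0
# juan may only mount and unmount, and only as root
juan    ALL=(root)      /bin/mount, /bin/umount
EOF
}
```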

The su command

When a user executes the su command, they are prompted for the root password and, after
authentication, are given a root shell prompt.

Once logged in via the su command, the user is the root user and has absolute administrative access to the system. In addition, once a user has become root, it is possible for them to use the su command to change to any other user on the system without being prompted for a password.

Because this program is so powerful, administrators within an organization may wish to limit who has access to the command.

One of the simplest ways to do this is to add users to the special administrative group called wheel. To do this, type the following command as root:

usermod -G wheel <username>

In the previous command, replace <username> with the username you want to add to the wheel group.

After you add the desired users to the wheel group, it is advisable to only allow these specific users to use the su command. To do this, you will need to edit the PAM configuration file for su: /etc/pam.d/su.
Open this file in a text editor and remove the comment (#) from the following line:

#auth required             pam_wheel.so                  use_uid

This change means that only members of the administrative group wheel can switch to another user using the su command.

NOTE: The root user is part of the wheel group by default.

Creating Group Directories

System administrators usually like to create a group for each major project and assign people to the
group when they need to access that project’s files. With this traditional scheme, file managing is difficult; when someone creates a file, it is associated with the primary group to which they belong. When a single person works on multiple projects, it becomes difficult to associate the right files with the right group. However, with the UPG scheme, groups are automatically assigned to files created within a directory with the setgid bit set. The setgid bit makes managing group projects that share a common directory very simple because any files a user creates within the directory are owned by the group which owns the directory.
For example, a group of people need to work on files in the /opt/myproject/ directory. Some people
are trusted to modify the contents of this directory, but not everyone.

1. As root, create the /opt/myproject/ directory by typing the following at a shell prompt:

mkdir /opt/myproject

2. Add the myproject group to the system:

groupadd myproject

3. Associate the contents of the /opt/myproject/ directory with the myproject group:

chown root:myproject /opt/myproject

4. Allow users to create files within the directory, and set the setgid bit:

chmod 2775 /opt/myproject

At this point, all members of the myproject group can create and edit files in the /opt/myproject/
directory without the administrator having to change file permissions every time users write new files. To verify that the permissions have been set correctly, run the following command:

~]# ls -l /opt
total 4
drwxrwsr-x. 3 root myproject 4096 Mar 3 18:31 myproject

How to Enable EPEL Repository for RHEL/CentOS 7.x/6.x/5.x

This how-to guide shows how to enable the EPEL repository under RHEL/CentOS 6/5 so you can install additional standard open source packages using the yum command.

What is EPEL

EPEL (Extra Packages for Enterprise Linux) is an open source, free, community-based repository project from the Fedora team that provides 100% high quality add-on software packages for Linux distributions including RHEL (Red Hat Enterprise Linux), CentOS, and Scientific Linux. The EPEL project is not part of RHEL/CentOS, but it is designed for these major Linux distributions and provides many open source packages for networking, system administration, programming, monitoring and so on. Most EPEL packages are maintained by the Fedora repo.

Why use the EPEL repository?

  1. Provides lots of open source packages to install via yum.
  2. The EPEL repo is 100% open source and free to use.
  3. It does not duplicate any core packages, so there are no compatibility issues.
  4. All EPEL packages are maintained by the Fedora repo.

How To Enable EPEL Repository in RHEL/CentOS 7/6/5?

First, download the release package with wget and then install it with rpm to enable the EPEL repository. Use the links below according to your Linux OS version. (You must be the root user.)

RHEL/CentOS 7 64 Bit

## RHEL/CentOS 7 64-Bit ##
# wget http://dl.fedoraproject.org/pub/epel/beta/7/x86_64/epel-release-7-0.2.noarch.rpm
# rpm -ivh epel-release-7-0.2.noarch.rpm

RHEL/CentOS 6 32-64 Bit

## RHEL/CentOS 6 32-Bit ##
# wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm

## RHEL/CentOS 6 64-Bit ##
# wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm

RHEL/CentOS 5 32-64 Bit

## RHEL/CentOS 5 32-Bit ##
# wget http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
# rpm -ivh epel-release-5-4.noarch.rpm

## RHEL/CentOS 5 64-Bit ##
# wget http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
# rpm -ivh epel-release-5-4.noarch.rpm

RHEL/CentOS 4 32-64 Bit

## RHEL/CentOS 4 32-Bit ##
# wget http://download.fedoraproject.org/pub/epel/4/i386/epel-release-4-10.noarch.rpm
# rpm -ivh epel-release-4-10.noarch.rpm

## RHEL/CentOS 4 64-Bit ##
# wget http://download.fedoraproject.org/pub/epel/4/x86_64/epel-release-4-10.noarch.rpm
# rpm -ivh epel-release-4-10.noarch.rpm

How Do I Verify EPEL Repo?

Run the following command to verify that the EPEL repository is enabled. Once you have run it, the epel repository appears in the list.

# yum repolist

Sample Output

Loaded plugins: downloadonly, fastestmirror, priorities
Loading mirror speeds from cached hostfile
 * base: centos.aol.in
 * epel: ftp.cuhk.edu.hk
 * extras: centos.aol.in
 * rpmforge: be.mirror.eurid.eu
 * updates: centos.aol.in
Reducing CentOS-5 Testing to included packages only
Finished
1469 packages excluded due to repository priority protections
repo id          repo name                                          status
base             CentOS-5 - Base                                    2,718+7
epel             Extra Packages for Enterprise Linux 5 - i386       4,320+1,408
extras           CentOS-5 - Extras                                  229+53
rpmforge         Red Hat Enterprise 5 - RPMforge.net - dag          11,251
repolist: 19,075

How Do I Use EPEL Repo?

Use the yum command to search for and install packages. As an example, we search for the Zabbix package in the epel repo to see whether it is available there.

# yum --enablerepo=epel info zabbix

Sample Output

Available Packages
Name       : zabbix
Arch       : i386
Version    : 1.4.7
Release    : 1.el5
Size       : 1.7 M
Repo : epel
Summary    : Open-source monitoring solution for your IT infrastructure
URL        : http://www.zabbix.com/
License    : GPL
Description: ZABBIX is software that monitors numerous parameters of a network.

Let's install the Zabbix package from the epel repo using the --enablerepo=epel switch.

# yum --enablerepo=epel install zabbix

Note: The epel configuration file is located under /etc/yum.repos.d/epel.repo.

In this way you can install as many of the high standard open source packages from the EPEL repo as you need.

Link: http://www.tecmint.com/how-to-enable-epel-repository-for-rhel-centos-6-5/

MDaemon – E-Mail server software for Windows

MDaemon Messaging Server, email server software, is a trusted alternative to Microsoft Exchange or SBS. MDaemon mail server supports IMAP, SMTP, POP3, and ActiveSync protocols and delivers solid performance from its feature-rich and user-friendly design.


1. To add new user: Accounts>>New account

Note: to disable strong password: Accounts>>Account Options>>Password>>uncheck Require strong password

2. To set port for web mail: Setup>>Web & IM Services>>Web Server>>set port


Example: if your domain is duyvd.com, your webmail address will be mail.duyvd.com:8888


Just login and send test mail 🙂

Have a good time 🙂

SSH authentication with keys

Client configuration

Working on Windows: I use two programs, PuTTY (a very familiar remote-access program) and PuTTYgen (used to generate the key).

Run PuTTYgen, choose the algorithm and key size -> Generate -> move the mouse over the blank area until the key is generated (this provides randomness).

Set Key passphrase and Confirm passphrase (the password protecting the private key). (If you do not want one, you can leave the passphrase empty, in which case you log straight into the server; using one is recommended, though.)

Save the Public Key (goes on the Server), for example D:\public_key.txt, and save the Private Key (stays on the remote machine), for example D:\private_key.ppk.

Note that the Public Key here will be written into the authorized_keys file in the format: algorithm name followed by the public key value.

Configuring the SSH service on the Server

Edit the sshd_config file

#vi /etc/ssh/sshd_config
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

These two lines are disabled with the # character; find them and uncomment them.

Create the .ssh directory and the authorized_keys file inside it. The .ssh directory is created in the home folder of the user who logs in over ssh: /home/username/ for regular users and /root/ for the root user.

Here I do it as root:

# cd /root
# mkdir .ssh
# cd /root/.ssh/
# vi authorized_keys

Copy the content of the public key, paste it here and save.

Restart the ssh service

# /etc/init.d/sshd restart
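Added example, not from the original post: the public key PuTTYgen saves is in the multi-line RFC 4716 format, while authorized_keys needs the single-line "algorithm value comment" form mentioned above. The first function converts between them (the key body below is a constructed placeholder, not a real key); the second installs the line with the directory and file modes sshd requires before it will honour the key.

```shell
#!/bin/sh
# Constructed sample of the public key as PuTTYgen saves it (RFC 4716 format).
# The base64 body is a made-up placeholder, not a real key.
PUTTY_PUB="$(mktemp)"
cat >"$PUTTY_PUB" <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20140801"
AAAAB3NzaC1yc2EAAAABJQAAAQEAexampleBodyPartOne
exampleBodyPartTwo==
---- END SSH2 PUBLIC KEY ----
EOF

# Convert a PuTTYgen public key file into the one-line OpenSSH form
# "<algorithm> <base64 blob> <comment>" that authorized_keys expects.
# The algorithm name is recovered from the blob itself: an SSH public key blob
# starts with its length-prefixed algorithm string, so the first base64
# characters identify it (AAAAB3NzaC1yc2E... is "ssh-rsa").
putty_pub_to_openssh() {
  awk '
    /^---- BEGIN SSH2 PUBLIC KEY ----/ { inkey = 1; next }
    /^---- END SSH2 PUBLIC KEY ----/   { inkey = 0; next }
    inkey && /^Comment:/ {
        c = $0; sub(/^Comment:[ \t]*/, "", c); gsub(/"/, "", c); comment = c; next
    }
    inkey && /^[A-Za-z0-9+\/=]+$/ { blob = blob $0 }
    END {
        if (blob == "") { print "no key body found" > "/dev/stderr"; exit 1 }
        if (index(blob, "AAAAB3NzaC1yc2E") == 1)           algo = "ssh-rsa"
        else if (index(blob, "AAAAB3NzaC1kc3M") == 1)      algo = "ssh-dss"
        else if (index(blob, "AAAAC3NzaC1lZDI1NTE5") == 1) algo = "ssh-ed25519"
        else { print "unrecognised key type" > "/dev/stderr"; exit 1 }
        line = algo " " blob
        if (comment != "") line = line " " comment
        print line
    }
  ' "$1"
}

# Install a key line for the given home directory: create ~/.ssh and
# authorized_keys with the modes sshd requires when StrictModes is on
# (700 and 600, owned by the user), and append the line once only.
install_authorized_key() {
  home="$1"; keyline="$2"
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  grep -qxF "$keyline" "$home/.ssh/authorized_keys" \
    || printf '%s\n' "$keyline" >>"$home/.ssh/authorized_keys"
}
```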

SSH with PuTTY

Browse to the private_key.ppk file

Good luck! 🙂

Date and Time configuration

Date and Time setup

The date command allows the superuser to set the system date and time manually:

Change the current date. Type the command in the following form at a shell prompt, replacing the
YYYY with a four-digit year, MM with a two-digit month, and DD with a two-digit day of the month:

~]# date +%D -s YYYY-MM-DD

For example, to set the date to 2 June 2010, type:

~]# date +%D -s 2010-06-02

Change the current time. Use the following command, where HH stands for an hour, MM is a minute, and SS is a second, all typed in a two-digit form:

~]# date +%T -s HH:MM:SS

If your system clock is set to use UTC (Coordinated Universal Time), add the following option:

~]# date +%T -s HH:MM:SS -u

For instance, to set the system clock to 11:26 PM using the UTC, type:

~]# date +%T -s 23:26:00 -u

You can check your current settings by typing date without any additional argument:

~]$ date
Wed Jun 2 11:58:48 CEST 2010

Network Time Protocol Setup

As opposed to the manual setup described above, you can also synchronize the system clock with a
remote server over the Network Time Protocol (NTP). For the one-time synchronization only, use the ntpdate command:

Firstly, check whether the selected NTP server is accessible:

~]# ntpdate -q server_address

For example:

~]# ntpdate -q 0.rhel.pool.ntp.org

When you find a satisfactory server, run the ntpdate command followed by one or more server
addresses:

~]# ntpdate server_address...

For instance:

~]# ntpdate 0.rhel.pool.ntp.org 1.rhel.pool.ntp.org

Unless an error message is displayed, the system time should now be set. You can check the
current setting by typing date without any additional arguments.

In most cases, these steps are sufficient. Only if you really need one or more system services to
always use the correct time should you enable running ntpdate at boot time:

~]# chkconfig ntpdate on

However, the more convenient way is to set the ntpd daemon to synchronize the time at boot time
automatically:

Open the NTP configuration file /etc/ntp.conf in a text editor such as vi or nano, or create a
new one if it does not already exist:

~]# nano /etc/ntp.conf

Now add or edit the list of public NTP servers. If you are using Red Hat Enterprise Linux 6, the file
should already contain the following lines, but feel free to change or expand these according to
your needs:

server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst

The iburst directive at the end of each line is to speed up the initial synchronization. As of Red
Hat Enterprise Linux 6.5 it is added by default. If upgrading from a previous minor release, and
your /etc/ntp.conf file has been modified, then the upgrade to Red Hat Enterprise Linux
6.5 will create a new file /etc/ntp.conf.rpmnew and will not alter the existing
/etc/ntp.conf file.

Once you have the list of servers complete, in the same file, set the proper permissions, giving
unrestricted access to localhost only:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1

Save all changes, exit the editor, and restart the NTP daemon:

~]# service ntpd restart

Make sure that ntpd is started at boot time:

~]# chkconfig ntpd on

Samba on CentOS 6.5

Samba lets users share and use files, directories and printers between Linux and Windows.

Samba server:

Operating system : CentOS 6.5
Hostname : sambaserver.lab
IP Address : 192.168.1.16/24

 Samba client:

Operating system : Windows 7 Professional
Hostname : client
IP Address : 192.168.1.1/24

Installing Samba on the Server

[root@sambaserver ~]# yum install samba* -y

Configuring a share with full access rights

Create the /samba/share/ directory with full permissions

[root@sambaserver ~]# mkdir -p /samba/share
[root@sambaserver ~]# chmod 777 /samba/share

Edit and add the following lines in the samba configuration file

[root@sambaserver ~]# vi /etc/samba/smb.conf
# line 58 - add the following lines at line 58
unix charset = UTF-8
dos charset = CP932
# line 75 - change to WORKGROUP
workgroup = WORKGROUP
# line 81 - uncomment and adjust the IP range
hosts allow = 127. 192.168.8
# line 102 - change so that no authentication is required
security = share
# Add the following lines at the end of the file
[myshare]
path = /samba/share
writable = yes
browsable = yes
guest ok = yes
guest only = yes
create mode = 0777
directory mode = 0777

:wq # save

Start Samba Server

[root@sambaserver ~]# service smb start
Starting SMB services: [ OK ]
[root@sambaserver ~]# service nmb start
Starting NMB services: [ OK ]
[root@sambaserver ~]# chkconfig smb on
[root@sambaserver ~]# chkconfig nmb on

Test the Samba server

We can check the Samba server configuration with the testparm command

[root@sambaserver ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[myshare]"
WARNING: The security=share option is deprecated
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
 dos charset = CP932
 server string = Samba Server Version %v
 security = SHARE
 log file = /var/log/samba/log.%m
 max log size = 50
 idmap config * : backend = tdb
 hosts allow = 127., 192.168.8
 cups options = raw

[homes]
 comment = Home Directories
 read only = No
 browseable = No

[printers]
 comment = All Printers
 path = /var/spool/samba
 printable = Yes
 print ok = Yes
 browseable = No

[myshare]
 path = /samba/share
 read only = No
 create mask = 0777
 directory mask = 0777
 guest only = Yes
 guest ok = Yes

Add iptables rules so that users on the network can use the Samba service

[root@sambaserver ~]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
# NetBIOS Name Service
-A INPUT -s 192.168.8.0/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
# NetBIOS Datagram Service
-A INPUT -s 192.168.8.0/24 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
# NetBIOS Session Service
-A INPUT -s 192.168.8.0/24 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
# Microsoft Directory Service
-A INPUT -s 192.168.8.0/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
# Samba Web Administration
-A INPUT -s 192.168.8.0/24 -m state --state NEW -m tcp -p tcp --dport 901 -j ACCEPT


:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

:wq # save

Restart iptables to apply the changes

[root@sambaserver ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]

Disable SELinux

Edit /etc/selinux/config and set SELINUX=disabled:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
#SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

Server configuration is complete. Reboot the Server.


On the Client

Click Start -> Run. Enter the IP address of the Samba Server as shown below.


Try creating a folder and some files 🙂


Check whether the files and folder just created are present on the Samba Server 😀

[root@sambaserver ~]# ls -l /samba/share/
total 4
-rwxrw-rw- 1 nobody nobody 0 Aug 1 14:09 hello.txt
drwxrwxrwx 2 nobody nobody 4096 Aug 1 14:09 TEST

Configuring a share that requires authentication on the Samba Server

Create the samba group and add users to it

[root@sambaserver ~]# groupadd samba
[root@sambaserver ~]# useradd -g samba sb1
[root@sambaserver ~]# passwd sb1
Changing password for user sb1.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.

Create the new share directory and set its permissions

[root@sambaserver ~]# mkdir /samba/share-auth
[root@sambaserver ~]# chmod 755 /samba/share-auth/
[root@sambaserver ~]# chown sb1:samba /samba/share-auth/

Add the following lines at the bottom of the samba configuration file

[root@sambaserver ~]# vi /etc/samba/smb.conf
[secure]
path = /samba/share-auth/
writable = yes
browsable = yes
guest ok =no
valid users = @samba

:wq # save

Check the configuration file for errors with the testparm command

[root@sambaserver ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[myshare]"
Processing section "[secure]"
WARNING: The security=share option is deprecated
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
 dos charset = CP932
 server string = Samba Server Version %v
 security = SHARE
 log file = /var/log/samba/log.%m
 max log size = 50
 idmap config * : backend = tdb
 hosts allow = 127., 192.168.8.
 cups options = raw

[homes]
 comment = Home Directories
 read only = No
 browseable = No

[printers]
 comment = All Printers
 path = /var/spool/samba
 printable = Yes
 print ok = Yes
 browseable = No

[myshare]
 path = /samba/share
 read only = No
 create mask = 0777
 directory mask = 0777
 guest only = Yes
 guest ok = Yes

[secure]
 path = /samba/share-auth/
 valid users = @samba
 read only = No
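An added checker, not part of the original post, that reads an smb.conf like the one built above (a constructed copy carrying the [myshare] and [secure] shares) and summarises each share's guest access, writability, create mode and valid users. It flags the deprecated security = share setting that testparm warns about and any share that is writable anonymously, which is what the guest share deliberately is.

```shell
#!/bin/sh
# Constructed smb.conf carrying the two shares from this post: the guest
# "myshare" and the authenticated "secure" share (global section abbreviated).
SMB_CONF="$(mktemp)"
cat >"$SMB_CONF" <<'EOF'
[global]
workgroup = WORKGROUP
security = share
hosts allow = 127. 192.168.8.

[myshare]
path = /samba/share
writable = yes
browsable = yes
guest ok = yes
guest only = yes
create mode = 0777
directory mode = 0777

[secure]
path = /samba/share-auth/
writable = yes
browsable = yes
guest ok = no
valid users = @samba
EOF

# Walk the INI-style file and print one summary line per section:
#   GLOBAL security=<value>[ DEPRECATED]
#   SHARE <name> guest=<yes|no> writable=<yes|no> mode=<create mode|default> users=<valid users|->[ ANONYMOUS_WRITE]
# ANONYMOUS_WRITE marks a share that is both guest-accessible and writable.
# The built-in [homes] and [printers] sections are skipped.
audit_smb_conf() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report(   g, w, m, u, flag) {
        if (section == "") return
        if (section == "global") {
            flag = (kv["security"] == "share") ? " DEPRECATED" : ""
            printf "GLOBAL security=%s%s\n", kv["security"], flag
        } else if (section != "homes" && section != "printers") {
            g = (kv["guest ok"] == "yes") ? "yes" : "no"
            w = (kv["writable"] == "yes" || kv["read only"] == "no") ? "yes" : "no"
            m = (kv["create mode"] != "") ? kv["create mode"] : ((kv["create mask"] != "") ? kv["create mask"] : "default")
            u = (kv["valid users"] != "") ? kv["valid users"] : "-"
            flag = (g == "yes" && w == "yes") ? " ANONYMOUS_WRITE" : ""
            printf "SHARE %s guest=%s writable=%s mode=%s users=%s%s\n", section, g, w, m, u, flag
        }
        split("", kv)          # reset the key/value table for the next section
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[.*\][ \t]*$/ {
        report()
        section = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
        next
    }
    index($0, "=") {
        key = $0; sub(/=.*$/, "", key)
        val = $0; sub(/^[^=]*=/, "", val)
        kv[tolower(trim(key))] = tolower(trim(val))
    }
    END { report() }
  ' "$1"
}
```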

Restart samba server

[root@sambaserver ~]# service smb restart
Shutting down SMB services: [ OK ]
Starting SMB services: [ OK ]
[root@sambaserver ~]# service nmb restart
Shutting down NMB services: [ OK ]
Starting NMB services: [ OK ]

Now go to the Client and access the share-auth directory


Note that only users in the .lab domain are allowed in!


Configuring the Samba Server in GUI mode (web interface)

Install the samba-swat package

[root@sambaserver ~]# yum install xinetd samba-swat -y

Configure SWAT

[root@sambaserver ~]# vi /etc/xinetd.d/swat
# default: off
# description: SWAT is the Samba Web Admin Tool. Use swat \
# to configure your Samba server. To use SWAT, \
# connect to port 901 with your favorite web browser.
service swat
{
 port = 901
 socket_type = stream
 wait = no
 only_from = 127.0.0.1 192.168.8.0/24
 user = root
 server = /usr/sbin/swat
 log_on_failure += USERID
 disable = no
}

:wq # save

Restart samba and xinetd services

[root@sambaserver ~]# service xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@sambaserver ~]# service smb restart
Shutting down SMB services: [ OK ]
Starting SMB services: [ OK ]
[root@sambaserver ~]# service nmb restart
Shutting down NMB services: [ OK ]
Starting NMB services: [ OK ]

Open a web browser on the Client and enter the address "http://server-ip-address:901". The Samba server can then be configured from there!


Good luck! 🙂

DNS Server on CentOS 6.5

Introduction

The Domain Name System (DNS) translates hostnames or URLs into IP addresses. Because IP addresses are hard to remember and not pretty 😀, we need DNS servers to translate hostnames into IPs. Example: google.com.vn -> 173.194.127.55.


Primary(Master) DNS Server Details:

Operating System : CentOS 6.5 server
Hostname : masterdns.lab.com
IP Address : 192.168.1.100/24

Secondary(Slave) DNS Server Details:

Operating System     : CentOS 6.5 server
Hostname             : secondarydns.lab.com
IP Address           : 192.168.1.101/24

Client Details:

Operating System     : CentOS 6.5 Desktop  
Hostname             : client.lab.com
IP Address           : 192.168.1.102/24

Setup Primary(Master) DNS Server

[root@masterdns ~]# yum install bind* -y

Configure the DNS Server

[root@masterdns ~]# vi /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
 listen-on port 53 { 192.168.1.100; }; # Master DNS IP
 listen-on-v6 port 53 { ::1; };
 directory "/var/named";
 dump-file "/var/named/data/cache_dump.db";
 statistics-file "/var/named/data/named_stats.txt";
 memstatistics-file "/var/named/data/named_mem_stats.txt";
 allow-query { localhost; 192.168.1.0/24; }; # IP range
 allow-transfer { localhost; 192.168.1.101; }; # Slave DNS IP
 recursion yes;
 dnssec-enable yes;
 dnssec-validation yes;
 dnssec-lookaside auto;
 /* Path to ISC DLV key */
 bindkeys-file "/etc/named.iscdlv.key";
 managed-keys-directory "/var/named/dynamic";
};
logging {
 channel default_debug {
 file "data/named.run";
 severity dynamic;
 };
};
zone "." IN {
 type hint;
 file "named.ca";
};
zone "lab.com" IN {
 type master;
 file "forward.lab";
 allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
 type master;
 file "reverse.lab";
 allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

:wq # save

Create the Forward and Reverse zones referenced in /etc/named.conf

Create the Forward Zone

[root@masterdns ~]# vi /var/named/forward.lab
$TTL 86400
@ IN SOA masterdns.lab.com. root.lab.com. (
 2011071001 ;Serial
 3600 ;Refresh
 1800 ;Retry
 604800 ;Expire
 86400 ;Minimum TTL
)
@ IN NS masterdns.lab.com.
@ IN NS secondarydns.lab.com.
@ IN A 192.168.1.100
@ IN A 192.168.1.101
@ IN A 192.168.1.102
masterdns IN A 192.168.1.100
secondarydns IN A 192.168.1.101
client IN A 192.168.1.102

:wq # save

Create the Reverse Zone

[root@masterdns ~]# vi /var/named/reverse.lab
$TTL 86400
@ IN SOA masterdns.lab.com. root.lab.com. (
 2011071001 ;Serial
 3600 ;Refresh
 1800 ;Retry
 604800 ;Expire
 86400 ;Minimum TTL
)
@ IN NS masterdns.lab.com.
@ IN NS secondarydns.lab.com.
@ IN PTR unixmen.local.
masterdns IN A 192.168.1.100
secondarydns IN A 192.168.1.101
client IN A 192.168.1.102
100 IN PTR masterdns.lab.com.
101 IN PTR secondarydns.lab.com.
102 IN PTR client.lab.com.

:wq # save

Start the DNS service

[root@masterdns ~]# service named start
[root@masterdns ~]# chkconfig named on

Edit iptables to allow traffic to the DNS server

[root@masterdns ~]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
#nfs
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
#portmapper
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
#mountd
-A INPUT -m state --state NEW -m tcp -p tcp --dport 48192 -j ACCEPT
#rquotad
-A INPUT -m state --state NEW -m tcp -p tcp --dport 875 -j ACCEPT

#DNS
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

:wq # save

Restart iptables

[root@masterdns ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]

Check the configuration file and the zone files for syntax errors

[root@masterdns ~]# named-checkconf /etc/named.conf
[root@masterdns ~]# named-checkzone lab.com /var/named/forward.lab
zone lab.com/IN: loaded serial 2011071001
OK
[root@masterdns ~]# named-checkzone 1.168.192.in-addr.arpa /var/named/reverse.lab
zone 1.168.192.in-addr.arpa/IN: loaded serial 2011071001
OK
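Added example, not from the original post: the reverse zone above was typed by hand and must stay consistent with the forward zone, which named-checkzone does not verify. This function derives the in-addr.arpa records for one /24 from a constructed copy of the forward zone file, so that both files share the same SOA, NS set and host list; the generated file is then checked with named-checkzone 1.168.192.in-addr.arpa as above.

```shell
#!/bin/sh
# Constructed copy of the post's forward zone file for lab.com.
FWD_ZONE="$(mktemp)"
cat >"$FWD_ZONE" <<'EOF'
$TTL 86400
@ IN SOA masterdns.lab.com. root.lab.com. (
 2011071001 ;Serial
 3600 ;Refresh
 1800 ;Retry
 604800 ;Expire
 86400 ;Minimum TTL
)
@ IN NS masterdns.lab.com.
@ IN NS secondarydns.lab.com.
@ IN A 192.168.1.100
masterdns IN A 192.168.1.100
secondarydns IN A 192.168.1.101
client IN A 192.168.1.102
EOF

# Derive the reverse (in-addr.arpa) zone for one /24 from the forward zone.
# The $TTL line, the SOA block and the NS records are copied as they are; each
# host A record inside the network becomes "<last octet> IN PTR <fqdn>."
# Apex (@) A records are skipped because a PTR should name the host, and a
# second host on an already-mapped address is reported rather than duplicated.
# Usage: gen_reverse_zone <forward zone file> <origin, e.g. lab.com> <prefix, e.g. 192.168.1>
gen_reverse_zone() {
  awk -v origin="$2" -v prefix="$3" '
    /^\$TTL/ { print; next }
    /[ \t]IN[ \t]+SOA[ \t]/ { insoa = 1 }
    insoa { print; if ($0 ~ /\)/) insoa = 0; next }
    $2 == "IN" && $3 == "NS" { print "@ IN NS " $4; next }
    $1 != "@" && $2 == "IN" && $3 == "A" && index($4, prefix ".") == 1 {
        split($4, o, ".")
        if (o[4] in seen) {
            print "; " $4 " already maps to " seen[o[4]] ", skipping " $1 > "/dev/stderr"
            next
        }
        seen[o[4]] = $1 "." origin "."
        print o[4] " IN PTR " seen[o[4]]
    }
  ' "$1"
}
```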

Test DNS server 

[root@masterdns ~]# dig masterdns.lab.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> masterdns.lab.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5382
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;masterdns.lab.com. IN A

;; ANSWER SECTION:
masterdns.lab.com. 5 IN A 176.74.176.178

;; Query time: 2246 msec
;; SERVER: 192.168.8.2#53(192.168.8.2)
;; WHEN: Thu Jul 31 19:21:22 2014
;; MSG SIZE rcvd: 51
[root@masterdns ~]# nslookup lab.com
Server: 192.168.8.2
Address: 192.168.8.2#53

Non-authoritative answer:
Name: lab.com
Address: 176.74.176.178

That completes the configuration on the Primary DNS server


Setup Secondary(Slave) DNS Server

[root@secondarydns ~]# yum install bind* -y

Configure Slave DNS Server

[root@secondarydns ~]# vi /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
 listen-on port 53 { 192.168.1.101; };
 listen-on-v6 port 53 { ::1; };
 directory "/var/named";
 dump-file "/var/named/data/cache_dump.db";
 statistics-file "/var/named/data/named_stats.txt";
 memstatistics-file "/var/named/data/named_mem_stats.txt";
 allow-query { localhost; 192.168.1.0/24; };
 recursion yes;

 dnssec-enable yes;
 dnssec-validation yes;
 dnssec-lookaside auto;

 /* Path to ISC DLV key */
 bindkeys-file "/etc/named.iscdlv.key";

 managed-keys-directory "/var/named/dynamic";
};

logging {
 channel default_debug {
 file "data/named.run";
 severity dynamic;
 };
};

zone "." IN {
 type hint;
 file "named.ca";
};
zone "lab.com" IN {
type slave;
file "slaves/lab.fwd";
masters { 192.168.1.100; };
};
zone "1.168.192.in-addr.arpa" IN {
type slave;
file "slaves/lab.rev";
masters {192.168.1.100; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

:wq # save

Start the DNS Service

[root@secondarydns ~]# service named start
Generating /etc/rndc.key: [ OK ]
Starting named: [ OK ]
[root@secondarydns ~]# chkconfig named on

The forward and reverse zones are now copied automatically from the Master DNS server into /var/named/slaves/ on the Secondary DNS server.

[root@secondarydns ~]# ls /var/named/slaves/
lab.fwd lab.rev
[root@secondarydns ~]# cat /var/named/slaves/lab.fwd
$ORIGIN .
$TTL 86400 ; 1 day
lab.com IN SOA masterdns.lab.com. root.lab.com. (
 2011071001 ; serial
 3600 ; refresh (1 hour)
 1800 ; retry (30 minutes)
 604800 ; expire (1 week)
 86400 ; minimum (1 day)
 )
 NS masterdns.lab.com.
 NS secondarydns.lab.com.
 A 192.168.1.100
 A 192.168.1.101
 A 192.168.1.102
$ORIGIN lab.com.
client A 192.168.1.102
masterdns A 192.168.1.100
secondarydns A 192.168.1.101
[root@secondarydns ~]# cat /var/named/slaves/lab.rev
$ORIGIN .
$TTL 86400 ; 1 day
1.168.192.in-addr.arpa IN SOA masterdns.lab.com. root.lab.com. (
 2011071001 ; serial
 3600 ; refresh (1 hour)
 1800 ; retry (30 minutes)
 604800 ; expire (1 week)
 86400 ; minimum (1 day)
 )
 NS masterdns.lab.com.
 NS secondarydns.lab.com.
 PTR unixmen.local.
$ORIGIN 1.168.192.in-addr.arpa.
100 PTR masterdns.lab.com.
101 PTR secondarydns.lab.com.
102 PTR client.lab.com.
client A 192.168.1.102
masterdns A 192.168.1.100
secondarydns A 192.168.1.101

Add the DNS Server details to all systems

[root@secondarydns ~]# vi /etc/resolv.conf
# Generated by NetworkManager
search lab.com
nameserver 192.168.1.100
nameserver 192.168.1.101
nameserver 8.8.8.8

Test DNS server

[root@secondarydns ~]# dig masterdns.lab.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> masterdns.lab.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43129
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;masterdns.lab.com. IN A

;; ANSWER SECTION:
masterdns.lab.com. 86400 IN A 192.168.1.100

;; AUTHORITY SECTION:
lab.com. 86400 IN NS masterdns.lab.com.
lab.com. 86400 IN NS secondarydns.lab.com.

;; ADDITIONAL SECTION:
secondarydns.lab.com. 86400 IN A 192.168.1.101

;; Query time: 3 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Thu Jul 31 20:31:07 2014
;; MSG SIZE rcvd: 108
[root@secondarydns ~]# dig secondarydns.lab.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> secondarydns.lab.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;secondarydns.lab.com. IN A

;; ANSWER SECTION:
secondarydns.lab.com. 86400 IN A 192.168.1.101

;; AUTHORITY SECTION:
lab.com. 86400 IN NS secondarydns.lab.com.
lab.com. 86400 IN NS masterdns.lab.com.

;; ADDITIONAL SECTION:
masterdns.lab.com. 86400 IN A 192.168.1.100

;; Query time: 2 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Thu Jul 31 20:32:02 2014
;; MSG SIZE rcvd: 108
[root@secondarydns ~]# nslookup lab.com
Server: 192.168.1.100
Address: 192.168.1.100#53

Name: lab.com
Address: 192.168.1.102
Name: lab.com
Address: 192.168.1.100
Name: lab.com
Address: 192.168.1.101

Configuration on the Client

Add the DNS server details to /etc/resolv.conf on every client machine.

[root@client ~]# vi /etc/resolv.conf
# Generated by NetworkManager
search lab.com
nameserver 192.168.1.100
nameserver 192.168.1.101
nameserver 8.8.8.8

:wq # save and exit

Test DNS

[root@client ~]# dig masterdns.lab.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> masterdns.lab.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17253
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;masterdns.lab.com. IN A

;; ANSWER SECTION:
masterdns.lab.com. 86400 IN A 192.168.1.100

;; AUTHORITY SECTION:
lab.com. 86400 IN NS secondarydns.lab.com.
lab.com. 86400 IN NS masterdns.lab.com.

;; ADDITIONAL SECTION:
secondarydns.lab.com. 86400 IN A 192.168.1.101

;; Query time: 18 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Thu Jul 31 21:08:24 2014
;; MSG SIZE rcvd: 108
[root@client ~]# dig secondarydns.lab.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> secondarydns.lab.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31050
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;secondarydns.lab.com. IN A

;; ANSWER SECTION:
secondarydns.lab.com. 86400 IN A 192.168.1.101

;; AUTHORITY SECTION:
lab.com. 86400 IN NS masterdns.lab.com.
lab.com. 86400 IN NS secondarydns.lab.com.

;; ADDITIONAL SECTION:
masterdns.lab.com. 86400 IN A 192.168.1.100

;; Query time: 15 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Thu Jul 31 21:08:58 2014
;; MSG SIZE rcvd: 108
[root@client ~]# dig client.lab.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> client.lab.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7176
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;client.lab.com. IN A

;; ANSWER SECTION:
client.lab.com. 86400 IN A 192.168.1.102

;; AUTHORITY SECTION:
lab.com. 86400 IN NS secondarydns.lab.com.
lab.com. 86400 IN NS masterdns.lab.com.

;; ADDITIONAL SECTION:
masterdns.lab.com. 86400 IN A 192.168.1.100
secondarydns.lab.com. 86400 IN A 192.168.1.101

;; Query time: 3 msec
;; SERVER: 192.168.1.100#53(192.168.1.100)
;; WHEN: Thu Jul 31 21:09:33 2014
;; MSG SIZE rcvd: 131
[root@client ~]# nslookup lab.com
Server: 192.168.1.100
Address: 192.168.1.100#53

Name: lab.com
Address: 192.168.1.100
Name: lab.com
Address: 192.168.1.101
Name: lab.com
Address: 192.168.1.102
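Every dig on this page, from the secondary and from the client alike, was answered by 192.168.1.100 (see the SERVER: lines), so these tests exercise the master but never the secondary. The check below is an added example, not part of the original tutorial: it parses two dig outputs and confirms the second one really came from the secondary, is authoritative, and carries the same answer set as the master. The master's output is the page's own, abbreviated; the secondary's output is constructed to show what `dig @192.168.1.101 masterdns.lab.com` is expected to return after the transfer.

```python
import re

# Constructed sample: the page's dig output from the master, abbreviated.
DIG_MASTER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43129
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; ANSWER SECTION:
masterdns.lab.com. 86400 IN A 192.168.1.100

;; AUTHORITY SECTION:
lab.com. 86400 IN NS masterdns.lab.com.
lab.com. 86400 IN NS secondarydns.lab.com.

;; SERVER: 192.168.1.100#53(192.168.1.100)
"""

# Constructed sample: what 'dig @192.168.1.101 masterdns.lab.com' is expected to
# return once the slave zone has transferred (assumed; not captured on the page).
DIG_SECONDARY = DIG_MASTER.replace("id: 43129", "id: 2101").replace(
    "192.168.1.100#53(192.168.1.100)", "192.168.1.101#53(192.168.1.101)")

def parse_dig(text):
    """Pull status, flags, answering server and ANSWER records out of dig output."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = set(re.search(r";; flags: ([^;]*);", text).group(1).split())
    server = re.search(r";; SERVER: ([\d.]+)#", text).group(1)
    answers, section = set(), None
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line
        elif section == ";; ANSWER SECTION:" and line and not line.startswith(";"):
            name, _ttl, cls, rtype, rdata = line.split()
            answers.add((name, cls, rtype, rdata))   # TTL omitted: it differs per cache
    return {"status": status, "flags": flags, "server": server, "answers": answers}

def replication_ok(master_out, secondary_out, secondary_ip):
    """True when the secondary answered itself, authoritatively, with the master's data."""
    m, s = parse_dig(master_out), parse_dig(secondary_out)
    return (s["server"] == secondary_ip
            and m["status"] == s["status"] == "NOERROR"
            and "aa" in m["flags"] and "aa" in s["flags"]
            and m["answers"] == s["answers"])
```

Feeding the page's own master output in as both arguments fails the check, which is exactly the gap in the tests above.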

The Primary and Secondary DNS servers are now ready to operate.

Good luck! 🙂

DHCP Server on CentOS 6.5

Introduction

A Dynamic Host Configuration Protocol (DHCP) server is used to hand out IP addresses to the client machines on a LAN. It spares the system administrator from configuring IP addresses by hand on a network with a large number of clients.

Install the DHCP server

[root@server1 ~]# yum install dhcp -y

Configuration

Configuring the DHCP server is straightforward. First, decide which interface the DHCP server listens on; in my case it is eth1. To set that, edit /etc/sysconfig/dhcpd:

[root@server1 ~]# vi /etc/sysconfig/dhcpd
 # Command line options here
 DHCPDARGS=eth1

:wq # save and exit

Copy the sample configuration file into /etc/dhcp

[root@server1 ~]# cp /usr/share/doc/dhcp-4.1.1/dhcpd.conf.sample /etc/dhcp/dhcpd.conf

Edit the /etc/dhcp/dhcpd.conf file

[root@server1 ~]# vi /etc/dhcp/dhcpd.conf
# option definitions common to all supported networks...
option domain-name "lab.com";
option domain-name-servers server1.lab.com;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# A slightly different configuration for an internal subnet.
subnet 192.168.1.0 netmask 255.255.255.0 {
 range 192.168.1.100 192.168.1.200;
 option domain-name-servers server1.lab.com;
 option domain-name "lab.com";
 option routers 192.168.1.1;
 option broadcast-address 192.168.1.255;
 default-lease-time 600;
 max-lease-time 7200;
}

:wq # save and exit

Note that the sample dhcpd.conf contains a number of other entries that are not used here; comment them out, otherwise you will run into problems when starting the DHCP service.

Start the DHCP service and enable it at boot
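In this lab the DNS hosts sit at 192.168.1.100, .101 and .102 while the dynamic pool above starts at 192.168.1.100, which is how the client later ends up leased the master's address. The following is an added example, not code from the tutorial: it parses the transferred forward zone (the records from /var/named/slaves/lab.fwd, abbreviated) and the subnet block from /etc/dhcp/dhcpd.conf, both embedded as constructed samples, and reports every statically addressed host that falls inside a DHCP range. The check is general: it handles $ORIGIN changes, a parenthesised multi-line SOA, and any number of range statements.

```python
import ipaddress
import re

# Constructed sample: the forward zone as transferred to the secondary (abbreviated).
LAB_FWD = """\
$ORIGIN .
$TTL 86400 ; 1 day
lab.com IN SOA masterdns.lab.com. root.lab.com. (
 2011071001 ; serial
 3600 1800 604800 86400 )
$ORIGIN lab.com.
client A 192.168.1.102
masterdns A 192.168.1.100
secondarydns A 192.168.1.101
"""

# Constructed sample: the subnet block from the page's /etc/dhcp/dhcpd.conf.
DHCPD_CONF = """\
subnet 192.168.1.0 netmask 255.255.255.0 {
 range 192.168.1.100 192.168.1.200;
}
"""

def zone_a_records(text):
    """Map FQDN -> address for every A record; owner-less lines are skipped."""
    origin, hosts, in_soa = "", {}, False
    for raw in text.splitlines():
        line = raw.split(";")[0]                      # strip comments
        fields = line.split()
        if in_soa or "SOA" in fields:                 # skip the (multi-line) SOA
            in_soa = (in_soa or "(" in line) and ")" not in line
            continue
        if not fields or raw[:1].isspace():
            continue                                  # blank or owner-less line
        if fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".")
        elif len(fields) >= 3 and fields[-2] == "A":
            owner = fields[0] if fields[0].endswith(".") else f"{fields[0]}.{origin}"
            hosts[owner.strip(".")] = ipaddress.ip_address(fields[-1])
    return hosts

def dhcp_pools(text):
    """Return [(first, last)] for every 'range' statement in dhcpd.conf."""
    pairs = re.findall(r"\brange\s+([\d.]+)\s+([\d.]+)\s*;", text)
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in pairs]

def static_hosts_in_pool(zone_text, dhcpd_text):
    """Names whose static A record falls inside a dynamic DHCP range."""
    pools = dhcp_pools(dhcpd_text)
    return sorted(n for n, ip in zone_a_records(zone_text).items()
                  if any(lo <= ip <= hi for lo, hi in pools))
```

A non-empty result means the pool must start above the static hosts (or those hosts need fixed-address reservations) before dhcpd goes live.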

[root@server1 ~]# service dhcpd start
 Starting dhcpd: [ OK ]
[root@server1 ~]# chkconfig dhcpd on

Configuration on the Client

Renew the IP address on interface eth1

[root@localhost ~]# ifconfig eth1 down
[root@localhost ~]# ifconfig eth1 up

Result

[root@localhost ~]# ifconfig
 eth1 Link encap:Ethernet HWaddr 00:0C:29:36:30:53
 inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
 inet6 addr: fe80::20c:29ff:fe36:3053/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:186 errors:0 dropped:0 overruns:0 frame:0
 TX packets:135 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:24006 (23.4 KiB) TX bytes:17650 (17.2 KiB)
 Interrupt:19 Base address:0x2080

Good luck! 🙂