Configure NTP in linux
Configure NTP in centOS
1. Click System, select Administration and click Date & Time.
2. In the Date/Time Properties window, click the Network Time Protocol tab.
3. Check Enable Network Time Protocol. Next click Show advanced options and check Synchronize system clock before starting service. Finally, click OK.
Configure NTP (Console)
# /usr/sbin/ntpdate pool.ntp.org
Immediately synchronizes the system clock. Make sure the ntpd service is not running before using this command.
# /sbin/service ntpd start
Starts the ntpd service.
# /sbin/service ntpd stop
Stops the ntpd service.
# /etc/ntp.conf
The above is not a command; it is the location of the ntpd configuration file.
The find command in detail
Sample1: Find all the files in /home named test.txt. Here -name is used to specify the filename.
# find /home -name test.txt
Sample2: Find the files named test.txt in the present working directory.
# find . -name test.txt
Sample3: Find all the files named test.txt regardless of the case of the letters in the name (-iname is the case-insensitive form of -name).
# find /home -iname test.txt
Sample4: Search only for directories named var, starting from /.
# find / -type d -name var
Sample5: Search for a regular file named temp.mp3 (-type f restricts the search to regular files).
# find / -type f -name temp.mp3
Sample6: Search for a file named test.txt whose permissions are exactly 775 on a given box.
# find / -perm 775 -name test.txt
Sample7: How about searching for files with the SUID bit set and file permissions 755?
# find / -perm 4755
Sample8: How can I find SGID bit set files with 644 permissions?
# find / -perm 2644
Sample9: How can I find sticky bit set files on my system with permissions 551?
# find / -perm 1551
Sample10: Search for all the files whose SUID bit is set.
# find / -perm /u=s
Sample11: Search for all the files whose SGID bit is set.
# find / -perm /g+s
Sample12: Search for all the files whose sticky bit is set.
# find / -perm /o=t
Sample13: Search for all the files whose owner permissions include read.
# find / -perm /u=r
Sample14: Search for all the files which have the executable permission set for user, group or others.
# find / -perm /a=x
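As an added example (not part of the original page), the script below creates a few files with known modes and counts them with the three -perm forms GNU find supports: an exact mode, -MODE (all of the listed bits set) and /MODE (any of the listed bits set). The fixture directory, file names and modes are constructed for the demonstration; GNU findutils and coreutils are assumed.

```shell
#!/bin/sh
# Added example (not from the original page): the three -perm forms of GNU find,
# exercised against a constructed fixture so the differences are visible.
#   -perm MODE    the mode must match exactly
#   -perm -MODE   ALL of the given bits must be set
#   -perm /MODE   ANY of the given bits may be set (GNU extension)
# Assumes GNU findutils and coreutils.

# Create a throw-away directory with four files of known modes and print its path.
make_perm_fixture() {
    dir=$(mktemp -d) || return 1
    : > "$dir/plain";       chmod 644  "$dir/plain"        # no execute bit at all
    : > "$dir/owner_exec";  chmod 744  "$dir/owner_exec"   # only the owner may execute
    : > "$dir/all_exec";    chmod 755  "$dir/all_exec"     # everyone may execute
    : > "$dir/setuid_bin";  chmod 4755 "$dir/setuid_bin"   # SUID on top of 755
    printf '%s\n' "$dir"
}

# Each helper prints the number of regular files matching one -perm form.
count_any_exec()   { find "$1" -type f -perm /a=x | wc -l | tr -d ' '; }   # u OR g OR o executable
count_all_exec()   { find "$1" -type f -perm -a=x | wc -l | tr -d ' '; }   # u AND g AND o executable
count_setuid()     { find "$1" -type f -perm /u=s | wc -l | tr -d ' '; }   # SUID set, other bits ignored
count_exact_4755() { find "$1" -type f -perm 4755 | wc -l | tr -d ' '; }   # mode is exactly 4755

# Demo: prints the counts (3, 2, 1, 1) and removes the fixture.
demo_perm() {
    d=$(make_perm_fixture) || return 1
    printf 'any exec:   %s\nall exec:   %s\nsetuid:     %s\nexact 4755: %s\n' \
        "$(count_any_exec "$d")" "$(count_all_exec "$d")" \
        "$(count_setuid "$d")" "$(count_exact_4755 "$d")"
    rm -rf "$d"
}
demo_perm
```

Samples 7 to 9 use the exact form, so -perm 4755 finds only files whose mode is exactly 4755 and misses a SUID binary with mode 4711; Samples 10 to 14 use /MODE, which matches when any of the named bits is set, so /a=x finds files executable by anyone, not files executable by everyone. The -MODE form is the one to use when all of the listed bits must be present.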
Sample15: Search for all the files named test.txt whose owner is the user "user".
# find / -user user -name test.txt
Sample16: Find all the files named test.txt owned by a group called redcluster.
# find / -group redcluster -name test.txt
Sample17: Search for a file test.txt whose file status (inode) was changed more than 90 days ago.
# find / -ctime +90 -name test.txt
Sample18: Search for all the files modified exactly 90 days ago.
# find / -mtime 90
Sample19: Search for all the files named test.txt accessed less than 90 days ago.
# find / -atime -90 -name test.txt
Sample20: Find all the files modified more than 90 days ago and less than 180 days ago.
# find / -mtime +90 -mtime -180
Sample21: Find all the files changed less than 30 minutes ago.
# find / -cmin -30
Sample22: Find all the files modified exactly 30 minutes ago.
# find / -mmin 30
Sample23: Find all the files accessed more than 30 minutes ago.
# find / -amin +30
Sample24: Find all the files modified more than 5 minutes ago and less than 25 minutes ago.
# find / -mmin +5 -mmin -25
Sample25: I have a new file called test.txt which was just created; now I want all the files modified after this file was created.
# find / -newer test.txt
Sample26: Search for files whose size is more than 10 bytes.
# find / -size +10c
Sample27: Search for files which are exactly 10KB in the /opt folder.
# find /opt -size 10k
Sample28: Search for files which are less than 10MB in the /var folder.
# find /var -size -10M
Sample29: Search for files which are more than 1GB in size in the /usr folder.
# find /usr -size +1G
Sample30: Find all the empty files on my system.
# find / -size 0k
Sample31: Find all the files between 100MB and 1GB in size, owned by the user xyz and named Adda.txt (any case), in the /red folder.
# find /red -size +100M -size -1G -user xyz -iname adda.txt
Sample32: Find all the files with SGID set for the group sales, exactly 100MB in size and named pass.txt, under /opt (-perm -g+s tests that the bit is set; a bare -perm g+s would demand exactly that mode).
# find /opt -size 100M -group sales -perm -g+s -name pass.txt
Sample33: Find all the files which are more than 100MB and less than 1GB in size.
# find / -size +100M -size -1G
or
# find / -size +100M -a -size -1G
Sample34: Find a file named passwd.txt (any case) in the /var folder and long-list it to check its properties.
# find /var -iname passwd.txt -exec ls -l {} \;
Sample35: Find all the files named test.txt in /mnt and change their ownership from user to narendra.
# find /mnt -user user -name test.txt -exec chown narendra: {} \;
-exec command {} \; : execute a command on each file found; {} is replaced by the file name
-inum : find a file by its inode number
Sample36: Find all the files named test.sh in the /abc folder and then grep each one to see whether the word "for" is present in it.
# find /abc -name test.sh -exec grep 'for' {} \;
Commands commonly used with -exec: chmod, grep, ls, rm, mv, cp, md5sum
Sample37: Find all the files named xyz.txt owned by user in /var/ftp/pub and change their permissions to 775.
# find /var/ftp/pub -user user -name xyz.txt -exec chmod 775 {} \;
Sample38: Find all the files named temp.txt in the /xyz folder and back them up into one compressed archive to send for safekeeping (c creates the archive, x would extract one; {} + passes all matches to a single tar run instead of overwriting the archive once per file).
# find /xyz -name temp.txt -exec tar cvfz temp.tar.gz {} +
Sample39: Find files named abc.txt in the /home directory and take a backup of each file before modifying it.
# find /home -name abc.txt -exec cp {} {}.bkf \;
The above command creates a copy with the .bkf extension whenever it finds an abc.txt file (GNU find substitutes {} inside {}.bkf; POSIX only guarantees the substitution for a bare {}).
Sample40: Find regular files larger than 1GB that have not been accessed for the past 6 months and delete them.
# find / -type f -size +1G -atime +180 -exec rm -f {} \;
Sample41: Find all the regular files with executable permissions and display their checksums.
# find / -type f -perm /a=x -exec md5sum {} \;
Sample42: Find all the files named abc.txt owned by user and move them to the /opt folder.
# find / -user user -name abc.txt -exec mv {} /opt/ \;
Sample43: Find files named abc.txt in the /opt directory, change the owner from user to Narendra and change the permissions to 775.
# find /opt -user user -name abc.txt -exec chown Narendra: {} \; -exec chmod 775 {} \;
Sample44: Find all the scripts ending with the .sh extension in the /opt folder.
# find /opt -name *.sh
Sample45:
# find /opt -name \*.sh
Or
# find /opt -name "*.sh"
Note: These two forms work because the * wildcard is escaped or quoted, so the shell does not expand it before find sees it; the unquoted form in Sample44 is expanded by the shell against the current directory first.
Sample46: Search for all the files in the /opt folder which start with abc and end with any extension.
# find /opt -name abc.\*
Sample47: Search for files which start with red, such as redhat, redtop, redsoap etc.
# find / -name red\*
Sample48: How about searching for files which end with dump?
# find / -name \*dump
Sample49: Find the file abc.txt in the /opt and /var folders at the same time.
# find /opt /var -name abc.txt
The above command searches only the two locations /opt and /var.
Sample50: Search multiple locations but skip a particular one: search the entire system except the /proc folder.
# find / -path /proc -prune -o -name cpuinfo -print
-path matches the path of a location, and -prune combined with -path tells find not to descend into the mentioned path /proc. The -o and the explicit -print are required: without them the prune and the name test are ANDed together and the command prints nothing at all.
Sample51: Search for abc.txt in /opt and /var, except in the /var/tmp folder.
# find /opt /var -path /var/tmp -prune -o -name abc.txt -print
Sample52: I want to search for abc.txt and hash.c at the same time. This can be achieved with the -o operator.
# find / -name abc.txt -o -name hash.c
Whenever the find command sees -o, it ORs the expressions on its left and right.
Sample53: How about finding two directories, say opt and var, at the same time?
# find / -type d \( -name opt -o -name var \)
Sample54: The negation operator ! negates a search term. For example, find all the files named abc.txt which don't have 755 permissions.
# find . -type f ! -perm 755 -name abc.txt
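An added example (not from the original page) that builds a miniature directory tree and shows why Samples 50 and 51 need -o and an explicit -print after -prune; the tree, paths and file names are constructed, and GNU findutils and coreutils are assumed.

```shell
#!/bin/sh
# Added example (not from the original page): why "-path X -prune" needs "-o ... -print".
# find's expression is an implicit AND and -prune itself returns true, so
#   find / -path /proc -prune -name cpuinfo
# evaluates to (path==/proc AND prune AND name==cpuinfo): inside /proc nothing is
# visited, and outside /proc the first test is false, so nothing is ever printed.
# Assumes GNU findutils and coreutils; the tree below is constructed for the demo.

# Build a miniature root with the same shape as the page's examples.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc" "$root/proc/1" "$root/var/tmp" "$root/var/lib"
    : > "$root/etc/cpuinfo";     : > "$root/proc/cpuinfo";  : > "$root/proc/1/cpuinfo"
    : > "$root/var/tmp/abc.txt"; : > "$root/var/lib/abc.txt"
    printf '%s\n' "$root"
}

# The page's original form: the match count is always 0.
find_excluding_wrong() {  # root  subdir-to-skip  name
    find "$1" -path "$1/$2" -prune -name "$3" | wc -l | tr -d ' '
}

# Correct form: prune the excluded subtree, OR search the rest and print explicitly.
find_excluding() {  # root  subdir-to-skip  name
    find "$1" -path "$1/$2" -prune -o -name "$3" -print | wc -l | tr -d ' '
}

demo_prune() {
    r=$(make_tree) || return 1
    printf 'wrong form:  %s match(es)\n' "$(find_excluding_wrong "$r" proc cpuinfo)"  # 0
    printf 'right form:  %s match(es)\n' "$(find_excluding "$r" proc cpuinfo)"        # 1 (etc/cpuinfo)
    printf 'abc.txt outside var/tmp: %s\n' "$(find_excluding "$r" var/tmp abc.txt)"  # 1 (var/lib/abc.txt)
    rm -rf "$r"
}
demo_prune
```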
Passwordless SSH Authentications
How to set up SSH with DSA public key authentication on Linux / UNIX (passwordless login)
Q. How do I set up SSH with DSA public key authentication? I have a Linux laptop called tom and a remote Linux server called jerry. How do I set up DSA based authentication so I don't have to type a password?
A. DSA public key authentication can only be established on a per-system / per-user basis, i.e. it is not system wide. You will be setting up SSH with DSA public key authentication for SSH version 2 on two machines:
#1 machine : your laptop called tom
#2 machine : your remote server called jerry
Command to type on your laptop/desktop (local computer)
First login to local computer called tom and type the following command.
Step #1: Generate DSA Key Pair
Use ssh-keygen command as follows:
$ ssh-keygen -t dsa
Output:
Enter file in which to save the key (/home/vivek/.ssh/id_dsa): Press [Enter] key
Enter passphrase (empty for no passphrase): myPassword
Enter same passphrase again: myPassword
Your identification has been saved in /home/vivek/.ssh/id_dsa.
Your public key has been saved in /home/vivek/.ssh/id_dsa.pub.
The key fingerprint is:
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01 vivek@vivek-desktop
Caution: a) Please enter a passphrase different from your account password and confirm the same.
b) The public key is written to /home/you/.ssh/id_dsa.pub.
c) The private key is written to /home/you/.ssh/id_dsa.
d) It is important you never-ever give out your private key.
Step #2: Set directory permission
Next, make sure you have the correct permissions on the .ssh directory:
$ cd
$ chmod 755 .ssh
Step #3: Copy public key
Now copy the file ~/.ssh/id_dsa.pub from Machine #1 (tom) to the remote server jerry as ~/.ssh/authorized_keys. Note that this scp overwrites any authorized_keys already present on jerry; if other keys are in use there, append to the file instead:
$ scp ~/.ssh/id_dsa.pub user@jerry:.ssh/authorized_keys
Command to type on your remote server called jerry
Log in to your remote server and make sure the permissions are set correctly:
$ chmod 600 ~/.ssh/authorized_keys
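An added example, not part of the original article, of two checks around these steps: one that reports the permission problems sshd's StrictModes and the ssh client reject, and one that appends a key to authorized_keys without clobbering keys already there. The home directory, key material and comments are constructed for the demonstration; GNU findutils and coreutils are assumed.

```shell
#!/bin/sh
# Added example (not from the original article): two checks around the steps above.
#  1. ssh_perms_ok HOME  - sshd (StrictModes yes) ignores authorized_keys when HOME,
#     HOME/.ssh or the file itself is group- or world-writable, and the ssh client
#     refuses a private key readable by others. Reports the first offending path.
#  2. add_authorized_key FILE KEY - appends a key only if it is not already present,
#     unlike the scp in Step #3, which overwrites the remote authorized_keys.
# Assumes GNU findutils/coreutils. Paths and the sample key below are constructed.

ssh_perms_ok() {
    h=$1
    for p in "$h" "$h/.ssh" "$h/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        # -perm /022: group-write or other-write is set
        if [ -n "$(find "$p" -maxdepth 0 -perm /022)" ]; then
            printf 'insecure (group/world writable): %s\n' "$p" >&2
            return 1
        fi
    done
    for k in "$h/.ssh/id_dsa" "$h/.ssh/id_rsa"; do
        [ -e "$k" ] || continue
        # -perm /077: any group or other bit is set on a private key
        if [ -n "$(find "$k" -maxdepth 0 -perm /077)" ]; then
            printf 'private key readable by others: %s\n' "$k" >&2
            return 1
        fi
    done
    return 0
}

add_authorized_key() {  # authorized_keys-file  "type base64blob comment"
    f=$1; key=$2
    [ -e "$f" ] || : > "$f"
    chmod 600 "$f"
    # compare on key type + blob only, so a changed comment does not create a duplicate
    blob=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if grep -qF -- "$blob" "$f"; then
        return 0            # already authorized
    fi
    printf '%s\n' "$key" >> "$f"
}
count_keys() { grep -c . "$1" | tr -d ' '; }

# Demo on a constructed home directory.
demo_ssh() {
    h=$(mktemp -d) || return 1
    mkdir -p "$h/.ssh"; chmod 700 "$h/.ssh"; chmod 755 "$h"
    add_authorized_key "$h/.ssh/authorized_keys" "ssh-dss AAAAB3NzaC1kc3MAAACBAQ== vivek@tom"     # constructed
    add_authorized_key "$h/.ssh/authorized_keys" "ssh-dss AAAAB3NzaC1kc3MAAACBAQ== vivek@laptop"  # same key, new comment
    ssh_perms_ok "$h" && echo "permissions ok, $(count_keys "$h/.ssh/authorized_keys") key(s) authorized"
    chmod 775 "$h/.ssh"
    ssh_perms_ok "$h" || echo "detected the group-writable .ssh directory"
    rm -rf "$h"
}
demo_ssh
```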
Linux Configure Netconsole To Log Messages Over UDP Network
Linux can be configured to log dmesg output to another system over the network using syslog. It is done at the kernel networking level via UDP port 514. There is a module called netconsole which logs kernel printk messages over UDP, allowing debugging of problems where disk logging fails and serial consoles are impractical. Most modern distros have netconsole as a built-in module. netconsole initializes immediately after the NIC drivers. There are two pieces to configure:
Syslogd server - let us assume IP 192.168.1.100 with FQDN syslogd.nixcraft.in. Note that the remote host can run either 'netcat -u -l -p <port>' or syslogd.
All other systems run the netconsole module in the kernel.
Step # 1: Configure Centralized syslogd
Log in to the syslogd.nixcraft.in server and open the syslogd configuration file. Different UNIX / Linux variants have different configuration files.
Red Hat / CentOS / Fedora Linux Configuration
If you are using Red Hat / CentOS / Fedora Linux, open the /etc/sysconfig/syslog file and set the SYSLOGD_OPTIONS option for UDP logging.
# vi /etc/sysconfig/syslog
Configure syslogd option as follows:
SYSLOGD_OPTIONS="-m 0 -r -x"
Save and close the file. Restart syslogd, enter:
# service syslog restart
Debian / Ubuntu Linux Configuration
If you are using Debian / Ubuntu Linux, open the file /etc/default/syslogd and set the SYSLOGD option for UDP logging.
# vi /etc/default/syslogd
Configure syslogd option as follows:
SYSLOGD_OPTIONS="-r"
# /etc/init.d/sysklogd restart
FreeBSD configuration
If you are using FreeBSD, open /etc/rc.conf and set the syslogd_flags option for UDP logging. Note that FreeBSD by default accepts network connections. Refer to the syslogd man page for more information.
Firewall configuration
You may need to open UDP port 514 to allow network logging. Sample iptables rules to open UDP port 514:
MYNET="192.168.1.0/24"
SLSERVER="192.168.1.100"
iptables -A INPUT -p udp -s $MYNET --sport 1024:65535 -d $SLSERVER --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SLSERVER --sport 514 -d $MYNET --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
Step # 2: Configure Linux Netconsole
You need to configure the netconsole service. Once it is started, a remote syslog daemon is allowed to record console output from the local system. The local port number the netconsole module uses is 6666 by default. You need to set the IP address of the remote syslog server to which messages are sent.
Open /etc/sysconfig/netconsole file under CentOS / RHEL / Fedora Linux, enter:
# vi /etc/sysconfig/netconsole
Set SYSLOGADDR to 192.168.1.100 (the IP address of the remote syslog server):
SYSLOGADDR=192.168.1.100
Save and close the file. Restart netconsole service, enter:
# /etc/init.d/netconsole restart
A note about Debian / Ubuntu Linux
Red Hat has a netconsole init script. Under Debian / Ubuntu Linux, however, you need to configure netconsole manually. To start netconsole by loading the kernel module, enter:
# modprobe netconsole 6666@192.168.1.5/eth0,514@192.168.1.100/00:19:D1:2A:BA:A8
Where,
6666 - Local port
192.168.1.5 - Local system IP
eth0 - Local system interface
514 - Remote syslogd udp port
192.168.1.100 - Remote syslogd IP
00:19:D1:2A:BA:A8 - Remote syslogd Mac
You can add the above modprobe line to /etc/rc.local to load the module automatically. Another recommended option is to create /etc/modprobe.d/netconsole and append the following text:
# echo 'options netconsole netconsole=6666@192.168.1.5/eth0,514@192.168.1.100/00:19:D1:2A:BA:A8' > /etc/modprobe.d/netconsole
How do I verify netconsole is logging messages over UDP network?
Log in to the remote syslog UDP server (i.e. 192.168.1.100, our sample syslogd system), enter:
# tail -f /var/log/messages
/var/log/messages is the default log file under many distributions. Refer to /etc/syslog.conf for the exact location on your system.
How do I use nc / netcat instead of messing with syslogd?
This is a one-minute configuration. You can easily get the output on 192.168.1.100 without using syslogd. All you have to do is run the netcat (nc) command on 192.168.1.100:
$ nc -l -p 30000 -u
Login to any other box, enter command:
# modprobe netconsole 6666@192.168.1.5/eth0,30000@192.168.1.100/00:19:D1:2A:BA:A8
Output should start to appear on 192.168.1.100 from 192.168.1.5 without configuring syslogd or anything else.
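An added example (not part of the original article) that assembles the netconsole= parameter from its parts, extracts single fields from it, rejects malformed ports, addresses or MACs, and stages the options line as a modprobe.d file in a directory of your choice. The addresses are the page's sample values; the file name netconsole.conf and the helper functions are this example's own, not the module's.

```shell
#!/bin/sh
# Added example (not from the original article): build, parse and sanity-check the
# netconsole= module parameter used above, and stage it as a modprobe.d options file
# so the string can be verified before it is handed to the kernel.
# Format: SRC_PORT@SRC_IP/DEV,TGT_PORT@TGT_IP/TGT_MAC
# Assumes POSIX sh, sed and grep; addresses are the page's sample values.

netconsole_spec() {  # src_port src_ip dev tgt_port tgt_ip tgt_mac
    printf '%s@%s/%s,%s@%s/%s\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

# netconsole_field SPEC N prints the Nth component (1..6) of a spec, or nothing
# if the spec does not have the expected shape.
netconsole_field() {
    printf '%s\n' "$1" | sed -n \
        "s#^\([0-9]*\)@\([^/]*\)/\([^,]*\),\([0-9]*\)@\([^/]*\)/\(.*\)\$#\\$2#p"
}

# Fail unless every component has a plausible shape (numeric ports below 65536,
# dotted-quad addresses, a colon-separated MAC); names the first bad field.
netconsole_check() {
    spec=$1
    ip_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
    mac_re='^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
    for n in 1 4; do
        v=$(netconsole_field "$spec" "$n")
        [ -n "$v" ] && [ "$v" -lt 65536 ] 2>/dev/null \
            || { echo "bad port in field $n" >&2; return 1; }
    done
    for n in 2 5; do
        printf '%s\n' "$(netconsole_field "$spec" "$n")" | grep -Eq "$ip_re" \
            || { echo "bad IP address in field $n" >&2; return 1; }
    done
    [ -n "$(netconsole_field "$spec" 3)" ] || { echo "missing interface" >&2; return 1; }
    printf '%s\n' "$(netconsole_field "$spec" 6)" | grep -Eq "$mac_re" \
        || { echo "bad MAC address" >&2; return 1; }
}

# Write "options netconsole netconsole=SPEC" to DIR/netconsole.conf after the check
# passes (stage in a scratch DIR first, then use /etc/modprobe.d).
netconsole_write() {  # dir spec
    netconsole_check "$2" || return 1
    printf 'options netconsole netconsole=%s\n' "$2" > "$1/netconsole.conf"
}

demo_netconsole() {
    spec=$(netconsole_spec 6666 192.168.1.5 eth0 514 192.168.1.100 00:19:D1:2A:BA:A8)
    d=$(mktemp -d) || return 1
    netconsole_write "$d" "$spec" && cat "$d/netconsole.conf"
    netconsole_write "$d" "6666@192.168.1.5/eth0,514@192.168.1.100/not-a-mac" || echo "rejected bad spec"
    rm -rf "$d"
}
demo_netconsole
```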
How to install PHPmyAdmin in Linux
Before installing, make sure you have PHP installed on your web server.
yum install php php-* php-mysql
Step: 1
mkdir /download
Step: 2
cd /download
Step: 3
wget http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/3.5.1/phpMyAdmin
Step: 4
tar -xvf phpMyAdmin-3.5.1-english.tar.gz
Step: 5
mv phpMyAdmin-3.5.1-english /var/www/html/phpmyadmin
Step: 6
cd /var/www/html/phpmyadmin/
Step: 7
cp config.sample.inc.php config.inc.php
Step: 8
vi config.inc.php
Step: 9
Change the authentication type from cookie to http
Save and exit
Step: 10
service httpd restart
Now test phpMyAdmin on the web server:
http://192.168.2.10/phpmyadmin
Install RKHunter in Linux
wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
tar -zxvf rkhunter-1.2.7.tar.gz
cd rkhunter-1.2.7
./installer.sh
Now you can run a test scan with the following command:
/usr/local/bin/rkhunter -c
How to set up a daily scan report?
vi /etc/cron.daily/rkhunter.sh
#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report" email@domain.com)
chmod +x /etc/cron.daily/rkhunter.sh
rkhunter --update
Install MRTG in centOS
Centos Install and Configure MRTG
The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network-links.
MRTG generates HTML pages containing PNG images which provide a live visual representation of this traffic. You need the following packages:
mrtg : Multi Router Traffic Grapher
net-snmp and net-snmp-utils : SNMP (Simple Network Management Protocol) is a protocol used for network management. The NET-SNMP project includes various SNMP tools. net-snmp package contains the snmpd and snmptrapd daemons, documentation, etc. You also want to install the net-snmp-utils package, which contains NET-SNMP utilities.
This FAQ works with RHEL / CentOS and Fedora Linux.
Step # 1: Install MRTG
Type the following command to install packages using yum command under CentOS / Fedora Linux:
# yum install mrtg net-snmp net-snmp-utils
Step # 2: Configure snmpd
If you need to monitor localhost, including its interfaces and other things such as CPU and memory, configure snmpd. Open /etc/snmp/snmpd.conf, enter:
# vi /etc/snmp/snmpd.conf
Update it as follows to only allow access from localhost:
com2sec local localhost public
group MyRWGroup v1 local
group MyRWGroup v2c local
group MyRWGroup usm local
view all included .1 80
access MyRWGroup "" any noauth exact all all none
syslocation VSNL, India
syscontact Root <vivek@nixcraft.tld>
Save and close the file. Restart snmpd:
# chkconfig snmpd on
# service snmpd restart
Make sure you see the interface IP by running the following command:
# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex
Sample Outputs:
IP-MIB::ipAdEntIfIndex.123.xx.yy.zzz = INTEGER: 2
IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1
Step # 3: Configure MRTG
Use the cfgmaker command to create the /etc/mrtg/mrtg.cfg file, enter:
# cfgmaker --global 'WorkDir: /var/www/mrtg' --output /etc/mrtg/mrtg.cfg public@localhost
--global 'WorkDir: /var/www/mrtg' : add global config entries, i.e. set the working directory where MRTG graphs are stored.
--output /etc/mrtg/mrtg.cfg : configure the output filename.
public@localhost : public is the community name of the device you want to create a configuration for. If you use the wrong community name you will get no response from the device. localhost is the DNS name or IP address of an SNMP-manageable device, i.e. our local server.
Finally, run indexmaker to create web pages which display the status of an array of mrtg interface status pages:
# indexmaker --output=/var/www/mrtg/index.html /etc/mrtg/mrtg.cfg
Step # 4: Verify Cron Job
/etc/cron.d/mrtg runs mrtg command to monitor the traffic load on network links:
# cat /etc/cron.d/mrtg
Sample Output:
*/5 * * * * root LANG=C LC_ALL=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok
Just make sure crond is running and you are done with configuration:
# chkconfig --list crond
If it is off in run level 3, run the following to turn on the crond service:
# chkconfig crond on
# service crond start
How do I view mrtg graphs?
You need Apache web server to view graphs, simply type the following to install httpd:
# yum install httpd
# chkconfig httpd on
# service httpd start
Open a web browser and type the URL:
http://your-ip.add.ress/mrtg/
http://192.168.1.5/mrtg/
How Do I Create MRTG For My Router at 192.168.1.254?
Run cfgmaker as follows (there is no need to configure snmpd for the router, as most routers and switches come preconfigured with their own SNMP daemon):
# cfgmaker --global 'WorkDir: /var/www/mrtg' --output /etc/mrtg/mrtg.cfg public@router
OR
# cfgmaker --global 'WorkDir: /var/www/mrtg' --output /etc/mrtg/mrtg.cfg public@192.168.1.254
Hardening CentOS 5
Create a user account, then log out and log back in as that user; use su where root privileges are required.
useradd <username>
e.g. useradd myodduser
passwd myodduser    (enter the new password when prompted)
Configure Default runlevel to runlevel 3
Use your favorite text editor to edit /etc/inittab
Find a line that is similar to the following:
id:3:initdefault:
Verify that the number after "id:" is 3. If it is not, change it to 3.
To restrict the virtual terminals to two, find the following stanza and leave only two gettys enabled:
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
Make it to:
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
Save /etc/inittab and exit
Edit /etc/fstab . For the file systems /tmp, /var, and /home replace the "defaults" with "noexec,nodev,nosuid"
noexec : binaries on the file system cannot be executed. NEVER use this option for your root file system!
nosuid : blocks the operation of the suid and sgid bits.
nodev : prevents any user from mounting the file system.
Disable unused services in order to save on resources and minimize potential security holes.
The services to be stopped are listed here; check appendix A in case of custom requirements.
NetworkManager
NetworkManagerDispatacpid
apmd
autofs
avahi-daemon
avahi-dnsconfd
bluetooth
conman
cpuspeed
cups
dc_client
dc_server
dhcdbd
dund
firstboot
gpm
haldaemon
hidd
ibmasm
ip6tables
ipmi
irda
irqbalance
kdump
kudzu
mcstrans
mdmonitor
mdmpd
microcode_ctl
netfs
netplugd
nfs
nfslock
nscd
oddjobd
pand
pcscd
portmap
rdisc
restorecond
rpcgssd
rpcidmapd
rpcsvcgssd
saslauthd
setroubleshoot
smartd
smb
squid
tux
winbind
wpa_supplicant
xfs
ypbind
yum-updatesd
Disable each with the following command format:
chkconfig --level 12345 <servicename_to_be_disabled> off
To stop a service if it is running:
service <servicename_to_be_stopped> stop
check /etc/hosts
It must be in the following format (see the 127.0.0.1 line):
127.0.0.1 localhost.localdomain localhost
IP.AD.DR.ESS machine.domain.name machine
Edit /etc/host.conf
order bind,hosts
multi on
nospoof on
Edit /etc/sysctl.conf to tighten the network stack:
# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
# Enable IP spoofing protection (source route verification)
net.ipv4.conf.all.rp_filter = 1
# Ignore broadcast ICMP echo requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log spoofed packets, source routed packets and redirect packets
net.ipv4.conf.all.log_martians = 1
Edit /etc/hosts.deny
portmap: ALL
Edit /etc/hosts.allow
portmap: localhost
portmap: 127.0.0.1
SSH:
Disable root login, force protocol 2 (and consider restricting SSH to specific users/groups):
Protocol 2
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
UsePrivilegeSeparation yes
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
AllowUsers admin user1 user2 user3 (put actual users here in place of userN)
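An added example (not part of the original page) that audits the two configuration files above against a baseline of expected directives, covering both the sysctl.conf "key = value" form, where the last occurrence of a key wins, and the sshd_config "Key value" form, where sshd honours the first occurrence. The sample files and baselines it writes are constructed for the demonstration; POSIX sh and awk are assumed.

```shell
#!/bin/sh
# Added example (not from the original page): audit a config file against the
# baseline directives listed above. Works for both layouts on this page:
#   /etc/sysctl.conf      "key = value"   (the last occurrence of a key wins)
#   /etc/ssh/sshd_config  "Key value"     (sshd uses the FIRST occurrence)
# Assumes POSIX sh and awk; the files written by make_samples are constructed.

# config_get FILE KEY MODE -> value of KEY (MODE is "first" or "last"); empty if unset.
config_get() {
    awk -v key="$2" -v mode="$3" '
        { sub(/#.*/, "")                     # strip comments
          gsub(/[ \t]*=[ \t]*/, " ") }       # "k = v" becomes "k v"
        $1 == key { val = $2; found = 1; if (mode == "first") exit }
        END { if (found) print val }' "$1"
}

# config_audit FILE BASELINE MODE: BASELINE holds "key expected" lines.
# Prints one line per deviation on stderr and the deviation count on stdout.
config_audit() {
    bad=0
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(config_get "$1" "$key" "$3")
        if [ "$have" != "$want" ]; then
            printf '%s: expected %s, found %s\n' "$key" "$want" "${have:-<unset>}" >&2
            bad=$((bad + 1))
        fi
    done < "$2"
    echo "$bad"
}

# Write constructed sample configs and baselines into DIR.
make_samples() {
    cat > "$1/sysctl.conf" <<'EOF'
# constructed sample: one value wrong, one directive missing, one key repeated
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.rp_filter = 1
EOF
    cat > "$1/sysctl.baseline" <<'EOF'
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.log_martians 1
EOF
    cat > "$1/sshd_config" <<'EOF'
# constructed sample: the commented default must not count; first live value wins
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
X11Forwarding yes
AllowUsers admin user1
EOF
    cat > "$1/sshd.baseline" <<'EOF'
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
EOF
}

demo_audit() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    echo "sysctl deviations: $(config_audit "$d/sysctl.conf" "$d/sysctl.baseline" last)"   # 2
    echo "sshd deviations:   $(config_audit "$d/sshd_config" "$d/sshd.baseline" first)"    # 2
    rm -rf "$d"
}
demo_audit
```

Run it against the real files with `config_audit /etc/sysctl.conf baseline last` and `config_audit /etc/ssh/sshd_config baseline first`; a non-zero count lists exactly which of the directives above are missing or set to a different value.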
Stripping It Down
Following rpms are to be removed (You may add or remove some packages from this list in order to satisfy your environment.)
xkeyboard-config-0.8-7.fc6
dosfstools-2.11-6.2.el5
finger-0.17-32.2.1.1
dos2unix-3.1-27.1
esound-0.2.36-3
system-config-securitylevel-1.6.29.1-1.el5
NetworkManager-0.6.4-6.el5
OpenIPMI-2.0.6-5.el5.3
apmd-3.2.2-5
acpid-1.0.4-5
system-config-network-1.3.99-1.el5
gnome-python2-gtkhtml2-2.14.2-4.fc6
gnome-python2-bonobo-2.16.0-1.fc6
xorg-x11-drv-mouse-1.1.1-1.1
system-config-display-1.0.48-2.el5
xorg-x11-server-Xorg-1.1.1-48.13.0.1.el5
xorg-x11-server-Xvfb-1.1.1-48.13.0.1.el5
gnome-mime-data-2.4.2-3.1
centos-release-notes-5.0.0-2
xorg-x11-filesystem-7.1-2.fc6
xorg-x11-xauth-1.0.1-2.1
xorg-x11-xkb-utils-1.0.2-2.1
talk-0.17-29.2.2
cpuspeed-1.2.1-1.45.el5
hicolor-icon-theme-0.9-2.1
alsa-lib-1.0.12-3.el5
GConf2-2.14.0-9.el5
xorg-x11-utils-7.1-2.fc6
bluez-gnome-0.5-5.fc6
xorg-x11-xinit-1.0.2-13.el5
ypbind-1.19-7.el5
firstboot-tui-1.4.27.2-1.el5.centos.1
system-config-soundcard-2.0.6-1.el5
yp-tools-2.9-0.1
system-config-samba-1.2.39-1.el5
system-config-kdump-1.0.9-3.el5
tux-3.2.18-9.fc6
xorg-x11-fonts-base-7.1-2.1.el5
gnome-python2-canvas-2.16.0-1.fc6
gnome-mount-0.5-3.el5
xorg-x11-drv-vesa-1.2.1-5.2.el5
xorg-x11-drv-keyboard-1.1.0-2.1
xorg-x11-drv-evdev-1.0.0.5-2.el5
samba-common-3.0.23c-2.el5.2.0.2
xorg-x11-xfs-1.0.2-4
samba-client-3.0.23c-2.el5.2.0.2
xorg-x11-server-Xnest-1.1.1-48.13.0.1.el5
samba-3.0.23c-2.el5.2.0.2
gpm-1.20.1-74.1
xorg-x11-server-utils-7.1-4.fc6
redhat-menus-6.7.8-1.el5
metacity-2.16.0-8.el5
alsa-utils-1.0.12-3.fc6
OpenIPMI-libs-2.0.6-5.el5.3
portmap-4.0-65.2.2.1
nfs-utils-1.0.9-16.el5
system-config-nfs-1.3.23-1.el5
subversion-1.4.2-2.el5
gnome-python2-gconf-2.16.0-1.fc6
gnome-python2-extras-2.14.2-4.fc6
gnome-python2-gnomevfs-2.16.0-1.fc6
xorg-x11-drv-void-1.1.0-3.1
Security and management tool installation and fine tuning:
Security tools: download, install and run:
a. chkrootkit - http://www.chkrootkit.org/download/
Download to /usr/local/src
Extract using "tar -zxf"
Compile & Install using "make sense"
Run chkrootkit
b. rkhunter - http://www.rootkit.nl/projects/rootkit_hunter.html
Download to /usr/local/src
Extract using "tar -zxf"
Install using the bundled installer script:
./installer.sh --layout /usr/local --install
rkhunter --update
Run "rkhunter -c --createlogfile"
Management tool: download, install and configure Webmin with SSL
Package Dependencies
Ensure openssl and openssl-devel are installed
rpm -q openssl
rpm -q openssl-devel
If they are not installed, install them using:
yum install openssl openssl-devel -y
(Mention ONLY those packages that need to be installed).
Download the Webmin RPM - http://www.webmin.com/
Download the RPM to /usr/local/src
Install using rpm -Uvh
Go to https://IP.AD.DR.ESS:10000 to configure. Log in as user root with the root password.
1. Under Webmin -> Users -> Edit the root user. Rename root user to "admin"
2. Under Logging ensure all events by all users are logged
3. Change the port from 10000 to a suitable one above 50000 (and below 60000).
4. Under Authentication, set the idle time-out to 5 minutes.
d. Perl Libraries
Net::SSLeay - http://www.cpan.org/modules/by-module/Net/Net_SSLeay.pm-1.30.tar.gz
Download to /usr/local/src/
Extract with tar -xzf
Prepare with "perl Makefile.PL"
Compile & Install with "make install"
Test installation with "perl -e 'use Net::SSLeay'". You should be returned to the prompt. If you get errors, the installation did not succeed.
e. Portsentry -ftp://194.199.20.114/linux/freshrpms/fedora/linux/1/portsentry/portsentry-1.1-11.fr.i386.rpm
Download the RPM to /usr/local/src
Install using rpm -Uvh
Edit /etc/portsentry/portsentry.conf
Edit /etc/portsentry/portsentry.modes
Edit /etc/portsentry/portsentry.ignore
Start portsentry.
f. Checksuite - http://checksuite.sourceforge.net/
Download the RPM to /usr/local/src
Install using rpm -Uvh
g. Fine tuning iptables:
Edit /etc/sysconfig/iptables
Insert rules so that only trusted IP addresses can reach the SSH port.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s <trusted ip address> -j ACCEPT
These rules are to be added before the following rule:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Also make sure the other ports you need are kept open (those considered under pre-installation preparation).
Turning off unwanted services on Linux machines
chkconfig atd off
chkconfig auditd off
chkconfig avahi-daemon off
chkconfig bluetooth off
chkconfig cgconfig off
chkconfig cgred off
chkconfig cups off
chkconfig dc_client off
chkconfig dc_server off
chkconfig dnsmasq off
chkconfig ebtables off
chkconfig firstboot off
chkconfig gpsd off
chkconfig haldaemon off
chkconfig ip6tables off
chkconfig iptables off
chkconfig irda off
chkconfig iscsi off
chkconfig iscsid off
chkconfig ksm off
chkconfig ksmtuned off
chkconfig libvirt-guests off
chkconfig libvirtd off
chkconfig lvm2-monitor off
chkconfig mdmonitor off
chkconfig NetworkManager off
chkconfig netconsole off
chkconfig netfs off
chkconfig nfs off
chkconfig nfslock off
chkconfig nmb off
chkconfig ntpd off
chkconfig ntpdate off
chkconfig openct off
chkconfig openvpn off
chkconfig pcscd off
chkconfig portreserve off
chkconfig psacct off
chkconfig rdisc off
chkconfig restorecond off
chkconfig rpcbind off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig rpcsvcgssd off
chkconfig rsyslog off
chkconfig saslauthd off
chkconfig sendmail off
chkconfig smb off
chkconfig smolt off
chkconfig snmpd off
chkconfig speech-dispatcherd off
chkconfig snmptrapd off
chkconfig squid off
chkconfig svnserve off
chkconfig vboxdrv off
chkconfig vboxweb-service off
chkconfig wicd off
chkconfig wpa_supplicant off
chkconfig ypbind off
===========================================================
The following services are for Apache and MySQL running on the same server.
chkconfig abrtd on
chkconfig httpd on
chkconfig network on
chkconfig mysqld on
chkconfig sshd on
chkconfig udev-post on
chkconfig xinetd on