8/17/2019 Linux Administration (Tips & Tricks)
Linux Administration
Tips & Tricks
Raajeev Tyagi
INSTALLING APACHE WEB SERVER IN CENTOS 7

INSTALL APACHE
To install Apache, issue the following command in the terminal:
yum install httpd
This installs the Apache web server on the CentOS operating system. The packages are retrieved from the internet, so a working network connection is necessary.

TURN APACHE ON/OFF
Once installed, Apache needs to be turned on. To turn it on, issue the following command:
service httpd start
Similarly, Apache can be turned off by issuing:
service httpd stop
On CentOS 7 these are compatibility wrappers around systemd; the native commands are systemctl start httpd and systemctl stop httpd.

RUN APACHE AT STARTUP
It is very common to run the Apache web server when the computer first boots up. To do this, run the following command in the terminal:
chkconfig httpd on
On CentOS 7 the equivalent is systemctl enable httpd.

VIEWING YOUR WEB PAGES
The firewall on CentOS blocks the httpd service. In order to view the page from outside the CentOS system you need to open the firewall so that outside traffic can reach the httpd (Apache) service. To allow httpd through the firewall, issue:
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
or
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp
This permanently allows the web server through the firewall. Open only what you actually serve: if the site is HTTPS-only, leave port 80 closed, or open it only to host the redirect described in section 1.1.
Rules added with --permanent are not active until firewalld reloads them. Either restart the firewall service:
service firewalld restart
or, without dropping the current runtime state, reload the rules:
firewall-cmd --reload
Then confirm what is open with firewall-cmd --list-all.

You may need to use another computer (or, if you are using a virtual machine, the host computer) and navigate in your web browser to the IP address of the CentOS machine to view the web pages. To obtain the CentOS machine's IP address, issue the following command in the terminal:
ip addr

WEB SITE DIRECTORY
The files for the website should reside in the /var/www/html/ directory; place your index.html page here. To tweak Apache, look at the configuration file /etc/httpd/conf.d/welcome.conf (it serves the default test page when no index.html exists) and the main configuration file /etc/httpd/conf/httpd.conf.
1.1 APACHE REDIRECT HTTP TO HTTPS
Written by Rahul (Apache)
Force Redirect HTTP to HTTPS in Apache – Many sites are required to run over SSL/TLS only, and we need to ensure that every user accesses the website through HTTPS. If a user tries to access the website with a non-SSL URL, they must be redirected to the HTTPS URL. This tutorial shows how to redirect a website to its HTTPS URL every time, using either a plain Redirect or Apache's mod_rewrite module.
1.2 OPTION 1:
Edit the website's VirtualHost in the Apache configuration file and add the following directive. Change www.example.com to your actual domain name. Put it only in the port-80 (HTTP) VirtualHost: if it also lands in the HTTPS VirtualHost, every request redirects to itself in a loop.
Redirect permanent / https://www.example.com/
1.3 OPTION 2:
Edit the website's VirtualHost in the Apache configuration file and add the following settings. You may also add the same settings in the .htaccess file under the document root of your website; that requires mod_rewrite to be loaded and AllowOverride FileInfo (or All) for the directory, otherwise the file is silently ignored.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
[R,L] sends a temporary (302) redirect, which is convenient while testing; once it works, use [R=301,L] so browsers cache the permanent redirect. Note that %{HTTP_HOST} echoes whatever Host header the client sent, so the redirect target is only as trustworthy as the VirtualHost's ServerName/ServerAlias matching that put the request here.
If you want to redirect a specific URL to HTTPS, use the following settings. For example, if anyone tries to access the always-secure.html file on the website, the user must access it over SSL:
RewriteEngine On
RewriteRule ^always-secure\.html$ https://www.example.com/always-secure.html [R,L]
1.4 HOW TO REMOVE FILE EXTENSION (.PHP, .HTML) FROM URL USING .HTACCESS
Written by Rahul (General Articles)
According to SEO experts, it makes no difference to SEO whether your website URLs carry a .php, .htm or .html extension. So why remove these extensions from URLs? Experts say, and it is my opinion too, that there are several advantages to not having file extensions in the URL:
Back-end technology is hidden from end users. It is still not hard for an expert to identify the technology (response headers, error pages and application behaviour give it away), so do not count this as a security control.
The best advantage is that we can change the back-end technology without affecting the SEO of the pages.
Read: what is the .htaccess file?
First create a .htaccess file in your server document root and add the following values to the file, according to which extension you want to remove.

1.5 REMOVING .PHP EXTENSION FROM URL
For example, you need to convert your URL from http://example.com/demo.php to http://example.com/demo. Edit the .htaccess file and add the following settings:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]
1.6 REMOVING .HTML EXTENSION FROM URL
For example, you need to convert your URL from http://example.com/demo.html to http://example.com/demo. Edit the .htaccess file and add the following settings:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.html [NC,L]
The RewriteCond skips the rewrite when the requested path already exists as a file, so real files keep working and only extension-less requests are mapped. Check the result with curl -I http://example.com/demo (expect 200, not 404) before relying on it.

It is necessary to set UserDir settings for this example, too.
[2] Configure
[cent@www ~]$ vi ~/public_html/virtual.php
SETTING UP AND SECURING SSH SERVER IN CENTOS
SSH SERVICE IN CENTOS
If you simply wish to turn on the SSH service in CentOS, issue the following command:
service sshd start
This turns on the SSH service and allows users to connect to the computer using SSH on port 22. To turn off the service, issue:
service sshd stop

AUTOMATICALLY RUNNING THE SSH SERVICE
If you wish to have the SSH daemon run automatically as the computer boots up, issue:
chkconfig sshd on
(On CentOS 7: systemctl enable sshd.)
To edit the configuration of SSH, edit the file located at /etc/ssh/sshd_config.

CHANGE SSH DEFAULT PORT AND DISABLE ROOT LOGIN
In this case you need to edit the "sshd_config" file, which is the main configuration file of the SSH service on your server. You can use either vi or nano to edit it; this example uses vi:
vi /etc/ssh/sshd_config
Then find the following line:
#Port 22
Remove the # symbol and change the "22" (the default port) to any number between 1025 and 65535, for example port 2200:
Port 2200
sshd uses the first occurrence of each keyword in the file, so make sure there is no earlier uncommented Port line. Moving the port keeps scanner noise out of your logs, but it is not a security control on its own: a port scan finds the new port in seconds, so still apply the settings that follow.
Next, also find:
#PermitRootLogin yes
Remove the # symbol and change yes to no:
PermitRootLogin no
Next, find this line as well:
#UseDNS yes
Remove the # symbol and change yes to no:
UseDNS no
Don't close the vi editor just yet; proceed to the next step.

ALLOW NEW USER TO LOGIN VIA SSH TO YOUR SERVER
Simply add this line at the very bottom of the file:
AllowUsers newuser
Of course, replace "newuser" with your own username. AllowUsers is a whitelist: once it is present, every account not listed is refused, including root, so list every account that needs SSH before you save. Once done, save the file.

DISABLE PROTOCOL 1
SSH has two protocols it may use, protocol 1 and protocol 2. The older protocol 1 is less secure and should be disabled unless you know that you specifically require it. Look for the following line in the config file:
# Protocol 2,1
Remove the # symbol and use only protocol 2:
Protocol 2
This step matters on CentOS 6 (OpenSSH 5.3); the OpenSSH 7.4 shipped with CentOS 7 no longer supports protocol 1 on the server at all.

RELOAD SSH SERVICE
To make sure the new configuration is used by the service, reload SSH with this command:
/etc/init.d/sshd reload
It should return with the OK message. (On CentOS 7: systemctl reload sshd.) Run sshd -t first: it checks the file for errors without touching the running daemon, and a broken config is the usual way to lock yourself out.

Give it a try! I assume you are currently still logged in as root. Don't close that SSH session yet, not before you have tested the new settings and made sure everything you defined in the SSH config file really works. Now launch another terminal window, or another PuTTY instance, and log in using the new SSH port, the new username and, of course, the new password.
You might not be able to log in using the new SSH port and new username. If that is the case, make the necessary changes to port forwarding in your router and any applicable firewall rules.

CHANGE FIREWALL RULES ON CENTOS
On CentOS 7 you need to change firewalld:
$ firewall-cmd --add-port=2200/tcp
$ firewall-cmd --add-port=2200/tcp --permanent
On CentOS 6 and above you should also update SELinux, labelling the chosen port correctly, otherwise sshd will be prevented from binding to it. For example:
$ semanage port -a -t ssh_port_t -p tcp 2200    # SSH port changed
(semanage comes from the policycoreutils-python package; check the result with semanage port -l | grep ssh.)
Because SSH is no longer listening for connections on the standard port, you need to tell your client which port to connect on (ssh -p 2200 user@host).

FILTER SSH AT THE FIREWALL
If you only need remote access from one IP address (say from work to your home server), then consider filtering connections at your firewall, either by adding a firewall rule on your router or in iptables, to limit access on port 22 to only that specific IP address. For example, in iptables this could be achieved with the following type of rule:
iptables -A INPUT -p tcp -s 72.232.194.162 --dport 22 -j ACCEPT
SSH also natively supports TCP wrappers, and access to the SSH service may be similarly controlled using hosts.allow and hosts.deny.
If you are unable to limit source IP addresses and must open the SSH port globally, then iptables can still help prevent brute-force attacks by logging and blocking repeated attempts to log in from the same IP address. For example:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT
The first rule records the IP address of each new attempt to access port 22, using the recent module. The second rule checks whether that IP address has attempted to connect 4 or more times within the last 60 seconds, and if not, the packet is accepted. Note that this pair of rules requires a default policy of DROP on the INPUT chain: the fourth attempt is simply not matched by the ACCEPT rule, so with a default ACCEPT policy it would still get through.
Don't forget to change the port as appropriate if you are running SSH on a non-standard port. Where possible, filtering at the firewall is an extremely effective method of securing access to an SSH server.
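The two recent-module rules are easy to reason about wrongly, because the --set rule records every new connection before the --rcheck rule looks at the list. The script below is an added example, not code from the original page or from the CentOS wiki it draws on: it simulates that rule pair in awk over a constructed list of connection attempts (seconds since start, source address) and prints which attempts a default-DROP INPUT chain would let through. The window semantics (an entry counts while fewer than --seconds have elapsed) and the unlimited per-source list are simplifications of xt_recent assumed for the model; the addresses and timings are made up.

```bash
#!/bin/sh
# Added example (not from the original page or the CentOS wiki it quotes):
# simulate the two xt_recent rules above over a list of new-connection
# attempts, to see which ones a default-DROP INPUT chain lets through.
#   -m recent --set --name ssh --rsource                          (rule 1)
#   -m recent ! --rcheck --seconds W --hitcount H ... -j ACCEPT  (rule 2)

recent_simulate() {
    # $1 = --seconds window (W), $2 = --hitcount threshold (H)
    # stdin : one attempt per line, "<seconds-since-start> <source-ip>"
    # stdout: "<seconds> <source-ip> ACCEPT|DROP"
    awk -v win="$1" -v hits="$2" '
    {
        t = $1; src = $2
        # Rule 1 (--set): record this attempt for the source, newest first.
        # It has no -j target, so the packet always goes on to rule 2.
        stamps[src] = t " " stamps[src]
        # Rule 2 (! --rcheck): count recorded attempts still inside the
        # window, including the one rule 1 just added. Model assumption:
        # an entry counts while t - entry < win (xt_recent works in jiffies
        # and caps the list at ip_pkt_list_tot entries; both ignored here).
        n = split(stamps[src], s, " ")
        recent = 0
        for (i = 1; i <= n; i++) if (t - s[i] < win) recent++
        # Not matched by the ACCEPT rule means the chain default (DROP) applies.
        print t, src, (recent >= hits ? "DROP" : "ACCEPT")
    }'
}

# Constructed sample (not captured traffic): 10.0.0.5 retries every 10 s,
# 10.0.0.9 connects once, then 10.0.0.5 comes back after a quiet spell.
sample_attempts() {
    printf '%s\n' \
        "0 10.0.0.5" "10 10.0.0.5" "20 10.0.0.5" "30 10.0.0.5" \
        "35 10.0.0.9" "40 10.0.0.5" "100 10.0.0.5"
}

# Just the verdicts, space-separated, with the page's 60 s / 4 hits settings.
sample_decisions() {
    sample_attempts | recent_simulate 60 4 |
        awk '{ out = out sep $3; sep = " " } END { print out }'
}

sample_attempts | recent_simulate 60 4
```

Running it shows the fourth attempt from 10.0.0.5 dropped and the fifth one too, while 10.0.0.9 is unaffected and 10.0.0.5 is admitted again once its last four attempts have aged out. Because rule 1 refreshes the list on every attempt, a client that keeps retrying inside the window stays locked out until it pauses: exactly what you want against a bot, but it also locks out a legitimate user who mistypes a passphrase four times, and every host behind the same NAT shares one counter.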
USE PUBLIC/PRIVATE KEYS FOR AUTHENTICATION
Using cryptographic keys for authentication offers two main benefits. Firstly, it is convenient: you no longer need to enter a password when you use public/private keys (unless you protect your private key with a passphrase). Secondly, once public/private key pair authentication has been set up on the server, you can disable password authentication completely, meaning that without an authorized key you cannot gain access, so no more password-guessing attempts.
It is a relatively simple process to create a public/private key pair and install them for use on your SSH server.
First, create a public/private key pair on the client that you will use to connect to the server (you need to do this from each client machine from which you connect):
$ ssh-keygen -t rsa
This creates two files in your hidden ~/.ssh directory: id_rsa and id_rsa.pub. The first, id_rsa, is your private key; the other, id_rsa.pub, is your public key. (If you stay with RSA, ask for at least 3072 bits with -b 3072; ssh-keygen -t ed25519 gives a smaller, faster key wherever client and server run OpenSSH 6.5 or later.)
If you don't want to be asked for a passphrase (which is basically a password to unlock a given private key) each time you connect, just press Enter when asked for a passphrase while creating the key pair. It is up to you to decide whether or not to add passphrase protection to your key when you create it. If you don't passphrase-protect your key, then anyone gaining access to your local machine automatically has SSH access to the remote server. Also, root on the local machine has access to your keys, although one assumes that if you can't trust root (or root is compromised) then you're in real trouble. Encrypting the key adds security at the expense of replacing the password prompt for the SSH server with a passphrase prompt for the key. That can be made painless with ssh-agent, which caches the unlocked key for the session.
Now set permissions on your private key:
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/id_rsa
Copy the public key (id_rsa.pub) to the server and append it to the authorized_keys list:
$ cat id_rsa.pub >> ~/.ssh/authorized_keys
NB: once you've imported the public key, you can delete the copied id_rsa.pub from the server. (ssh-copy-id -p 2200 user@server performs the copy, the append and the permission fix-up in one step.)
And finally set file permissions on the server:
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
The above permissions are required if StrictModes is set to yes in /etc/ssh/sshd_config (the default): sshd refuses to use an authorized_keys file that is group- or world-writable, or that lives in a directory that is, and logs "Authentication refused: bad ownership or modes" in /var/log/secure when it does.
Ensure the correct SELinux contexts are set:
$ restorecon -Rv ~/.ssh
Now when you log in to the server you won't be prompted for a password (unless you entered a passphrase when you created your key pair). By default, ssh first tries to authenticate using keys. If no keys are found or authentication fails, then ssh falls back to conventional password authentication.
Once you have checked that you can successfully log in to the server using your public/private key pair, you can disable password authentication completely by adding the following setting to your /etc/ssh/sshd_config file (then reload sshd, and keep your existing session open until a fresh key-based login succeeds):
# Disable password authentication, forcing use of keys
PasswordAuthentication no
Check that ChallengeResponseAuthentication is also no (the sshd_config shipped with CentOS sets it); otherwise PAM keyboard-interactive logins can still accept a password.
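The settings this section asks for can be verified mechanically rather than by eye. The script below is an added example, not code from the original page or from the CentOS wiki it draws on. It reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, anything after a Match line is conditional), reports whether PermitRootLogin, PasswordAuthentication, Protocol and UseDNS carry the values recommended above, and applies the StrictModes permission test to a ~/.ssh directory. The sample config it writes is constructed for the demonstration, and the expected values are this page's recommendations, not sshd's defaults.

```bash
#!/bin/sh
# Added example (not from the original page or the CentOS wiki it quotes):
# check an sshd_config for the settings this section recommends, and apply
# the StrictModes mode test to a ~/.ssh directory. The "want" values are
# this page's advice, not sshd defaults.

sshd_effective() {
    # Print the value sshd would use for keyword $2 in config file $1.
    # sshd keeps the FIRST occurrence of a keyword (later duplicates are
    # ignored), compares keywords case-insensitively, and treats everything
    # after a "Match" line as conditional, so reading stops there.
    # Limitation: the rarer "Keyword=value" spelling is not handled.
    kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$kw" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank
        tolower($1) == "match"               { exit }   # conditional block
        tolower($1) == key && !found         { found = 1; print $2 }
    ' "$1"
}

sshd_audit() {
    # $1 = sshd_config path. Prints one OK/WARN line per check and returns
    # the number of warnings, so 0 means the file matches the page's advice.
    warnings=0
    for spec in PermitRootLogin=no PasswordAuthentication=no Protocol=2 UseDNS=no; do
        key=${spec%=*}; want=${spec#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "WARN $key ${got:-(unset, sshd default applies)} want $want"
            warnings=$((warnings + 1))
        fi
    done
    return $warnings
}

strictmodes_check() {
    # $1 = a user's ~/.ssh directory. StrictModes makes sshd reject the key
    # when the directory or authorized_keys is group- or world-writable.
    # In the "drwx------" string from ls -ld, group write is column 6 and
    # other write is column 9.
    bad=0
    for p in "$1" "$1/authorized_keys"; do
        [ -e "$p" ] || continue
        mode=$(ls -ld "$p" | cut -c1-10)
        case "$mode" in
            ?????w*|????????w?) echo "BAD  $mode $p"; bad=$((bad + 1)) ;;
            *)                  echo "OK   $mode $p" ;;
        esac
    done
    return $bad
}

write_sample_config() {
    # Constructed sample, not a real server's file: PermitRootLogin appears
    # twice (the first wins), Protocol and UseDNS are never set, and
    # PasswordAuthentication is only set inside a Match block, so it is
    # not the global value.
    cat > "$1" <<'EOF'
Port 2200
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
AllowUsers newuser
Match User backup
    PasswordAuthentication yes
EOF
}

SAMPLE_CFG=$(mktemp)
write_sample_config "$SAMPLE_CFG"
sshd_audit "$SAMPLE_CFG" || echo "warnings: $?"
rm -f "$SAMPLE_CFG"
```

On the sample file the audit passes PermitRootLogin (the first, lower-case occurrence wins) and warns three times: PasswordAuthentication is only set under Match, so globally it is still unset, and Protocol and UseDNS were never set. Run sshd_audit against /etc/ssh/sshd_config and strictmodes_check against ~/.ssh of each account you enable keys for, before reloading sshd.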
CHANGE DEFAULT RUNLEVEL IN CENTOS 7 / RHEL 7
In CentOS 7 / RHEL 7 the system uses "targets" instead of run-levels; /etc/inittab is no longer used by the system to change the run level. This guide will help you to set up the default runlevel in CentOS 7 / RHEL 7.
The default runlevel can be set either by using the systemctl command or by making a symbolic link from a runlevel target to the default target file.

METHOD 1
Let's check the current run level by issuing the following command.
# systemctl get-default
graphical.target
Before changing the default runlevel, we have to check out the available targets.
# systemctl list-units --type=target
Output will look like below.
UNIT   LOAD   ACTIVE   SUB   DESCRIPTION
...
Set the default target (this is the command Method 2 reproduces by hand):
# systemctl set-default multi-user.target
Confirm the default runlevel.
# systemctl get-default
multi-user.target
Reboot and check it out.
# reboot

METHOD 2
You may have noticed similar output when the systemctl set-default multi-user.target command is issued. What the command does is nothing but make a symbolic link from the runlevel target to the default target file:
rm '/etc/systemd/system/default.target'
ln -s '/usr/lib/systemd/system/multi-user.target' '/etc/systemd/system/default.target'
Check the current level.
# systemctl get-default
multi-user.target
Before making the symbolic link, let's list the files in the systemd directory.
# ls /lib/systemd/system/runlevel*.target -l
The runlevelN.target files are themselves symbolic links to the named targets (runlevel3.target to multi-user.target, runlevel5.target to graphical.target), so either name works. As per the previous step, the current default run level is 3. Issue the following command to make a symbolic link from runlevel5.target to the default.target file.
# ln -sf /lib/systemd/system/runlevel5.target /etc/systemd/system/default.target
Or
# ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target
Again check the current level.
# systemctl get-default
runlevel5.target
Now the default runlevel is 5 (graphical mode); reboot the server and check it out.
# reboot
That's all! Hope this helped you.
HOW TO CHANGE TIMEZONE ON CENTOS/RHEL 7/6/5
On CentOS/RHEL systems all timezone settings files are located under the /usr/share/zoneinfo/ directory, and /etc/localtime holds (or links to) the active one:
[root@testserver ~]# date
Fri Jan 2 05:10:00 EST 2015
As per the above example, our system timezone is set to EST.

CHANGE TIMEZONE IN CENTOS/RHEL 7
In CentOS/RHEL 7 we use (
CHANGE HOSTNAME IN CENTOS 7 / RHEL 7
After installing CentOS 7 on my server, I tried to change the host name by modifying /etc/sysconfig/network; the modification did not take effect.
Even after multiple reboots of the server, the host name remained localhost.localdomain. The procedure to change the host name in CentOS 7 is now totally different from the previous version; this guide will help you to set up the host name on CentOS 7 / RHEL 7.

CENTOS 7 SUPPORTS THREE CLASSES OF HOST NAME:
Static – The static host name is the traditional host name, which can be chosen by the user and is stored in the /etc/hostname file.
Transient – The transient host name is maintained by the kernel and can be changed by DHCP and mDNS.
Pretty – A free-form UTF-8 host name for presentation to the user.

A HOST NAME CAN BE:
up to 64 characters in length;
recommended to be a FQDN;
consisting of a-z, A-Z, 0-9, "-", "_" and "." only.
(64 characters is HOST_NAME_MAX on Linux. DNS labels do not allow "_", so keep to letters, digits and "-" if the name must resolve.)

HOW TO CHANGE
Before changing the host name, let's check the current host name.
[root@localhost ~]# hostname
localhost.localdomain
Set the host name, either in nmtui (Change HostName) or non-interactively with hostnamectl:
[root@localhost ~]# hostnamectl set-hostname server.itzgeek.com
Restart hostnamed to force hostnamectl to notice the change in the static hostname:
[root@localhost ~]# systemctl restart systemd-hostnamed
You can verify the change in host name:
[root@server ~]# hostname
server.itzgeek.com
[root@server ~]# cat /etc/hostname
server.itzgeek.com
[root@server ~]# cat /etc/sysconfig/network
# Created by anaconda
HOSTNAME=server.itzgeek.com
[root@server ~]# hostnamectl status
   Static hostname: server.itzgeek.com
         Icon name: computer-vm
           Chassis: vm
(machine and boot IDs follow)
A second machine configured the same way reports:
   Static hostname: client.itzgeek.com
         Icon name: computer-vm
           Chassis: vm
1.7 HOW TO CREATE BINARY FILE FROM SHELL SCRIPT
Written by Rahul (Bash Shell)
While working with Linux systems, we use many commands on a daily basis. Most of the commands are available in binary format in the bin, sbin, usr/bin, usr/sbin, etc. directories. As a system administrator or student we write many shell scripts to do a few tasks or to automate them. This article shows how to create a binary file from your shell script, so that it can be used like a command and casual users cannot read the script file itself. To create the binary we use the SHC compiler written by Francisco Javier Rosales García.
Be clear about what this does and does not give you. shc encrypts the script into a generated C program that decrypts it at run time and hands the plain text to the real shell, so anyone who can execute the binary can recover the script (the shell process receives the source, and the -T option used below explicitly keeps the binary traceable). It is obfuscation, not secrecy: never rely on it to hide passwords, keys or tokens embedded in a script. Use proper secrets handling and file permissions for that.
Follow the steps below.

1.8 INSTALL REQUIRED PACKAGES
First we need to install the required packages for the SHC compiler (the build also needs gcc and make).
1.8.1 For Ubuntu, Debian and Linux Mint:
apt-get install libc6-dev
1.8.2 For CentOS, RHEL, Fedora:
yum install glibc-devel
1.10 DOWNLOAD AND INSTALL SHC:
Download the latest source code of the SHC compiler from its official web page, or using the commands below, and extract it on your system.
cd /usr/src
wget http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.9.tgz
tar xzf shc-3.8.9.tgz
The download arrives over plain HTTP with nothing to authenticate it, so verify the archive against a checksum or signature from a trusted source before building, or take the package from your distribution if one exists.
Now compile the SHC source code on your system and install it using the following commands.
cd shc-3.8.9
make
make install

1.11 CREATE SHELL SCRIPT:
Let's create a shell script as per your requirement, or skip this step if you have already created one. For this article we have created the sample script below, which adds the integer values given as command-line parameters and shows their sum.
vim script.sh
#!/bin/bash
total=0
for i in "$@"; do
    # accept only unsigned integers; anything else aborts the run
    if [[ ! $i =~ ^[0-9]+$ ]]; then
        echo "Please enter numeric only"
        exit 1
    fi
    total=$(( total + i ))
done
if [ "$total" -eq 0 ]; then
    echo "Please execute script like: $0 10 20 30"
    exit 0
fi
echo "$total"

1.12 CREATE BINARY OF SCRIPT:
At this stage we have installed the SHC compiler and have a shell script named script.sh. Use the following command to create a binary file of your script.
shc -T -f script.sh
The above command creates two files in the current directory. One is script.sh.x.c, which is the C-language form of your script. The second is script.sh.x, which is the binary.
1.13 TEST BINARY SCRIPT:
If you try to open the binary form of the script, you will see that it is not in human-readable format. Now move this binary under the /usr/bin directory to use it from anywhere on the system, and remove .sh.x from the file name so it is available under a simple name. Also set execute permissions for everyone:
mv script.sh.x /usr/bin/script
chmod 755 /usr/bin/script
script 10 20 30
    [nN]|[nN][oO])
        echo "No"
        ;;
    *)
        echo "Invalid input..."
        exit 1
        ;;
esac
1.16 EXAMPLE 2: PROMPT FOR CONFIRMATION IN LOOP:
This example code prompts for confirmation until you give proper input like Y, N, YES or NO.

... on a heavily loaded server. It means our server has hit the max open file limit. Now the question is how to increase the open file limit on Linux. For the answer, follow the article below; it will help you manage open
1.17 CHECK CURRENT OPEN FILE LIMIT
Q. How to check the current open file limit on a Linux system?
A. Use the following command to check the system-wide open file limit:
cat /proc/sys/fs/file-max
50000
This is the kernel-wide ceiling. Each process is additionally bound by its own limit (ulimit -n), and the number of file handles currently allocated is the first field of /proc/sys/fs/file-nr, which is the figure to compare against file-max when diagnosing "Too many open files".

1.18 INCREASE OPEN FILE LIMIT IN LINUX
We can increase the open file limit temporarily or permanently as per our requirement. If we need the change just for testing, then increase the limit temporarily.
1.18.1 T
http://www.itzgeek.com/how-tos/linux/centos-how-tos/how-to-increase-swap-in-linux.html
Here we will get to know about the swap file system and how to increase it.
First, what is swap?
Swap is a type of file system (partition id 82) used as virtual RAM for the system; it provides an extra memory resource when the system requires it. On Windows it is called pagefile.sys. The swap area is created manually, or automatically during installation of the operating system.
Once the swap file system is created, you may want to increase the swap space. For that you can follow this tutorial.
There are two methods of creating swap space:
• using a swap partition
• using a swap file
Here we use the first method.
Let's check the available swap space.
[root@client ~]# swapon -s
Filename    Type        Size      Used   Priority
/dev/sda2   partition   2096482   0      -1
I am going to increase the swap from 2 GB to 3 GB. The following command also shows the total; as per this command the total swap space is 2 GB.
[root@client ~]# free -m
             total   used   free   shared   buffers   cached
Mem:           434     42      6        0         1      242
-/+ buffers/cache:     16    266
Swap:          204      0    204
As in the above, /dev/sda2 is the swap file system. On my machine I don't have any space left on the primary HDD, so I use another HDD for the demonstration; but you can use the same HDD for the new swap partition if you have enough space.
Let's see the HDDs attached to this machine.
[root@client ~]# fdisk -l
Disk /dev/sda: 32.2 GB, 32212254720 bytes
255 heads, 63 sectors/track, 3916 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot   Start    End     Blocks    Id  System
/dev/sda1   *        1     13     104391    83  Linux
/dev/sda2           14     24    2096482+   82  Linux swap / Solaris
/dev/sda3           25    529    2048287+   83  Linux
/dev/sda4          530   3916      22060+    5  Extended
/dev/sda5          530   1549    8193118+   83  Linux
/dev/sda6         1550   2569    8193118+   83  Linux
/dev/sda7         2570   2824    2048256    83  Linux
/dev/sda8         2825   3079    2048256    83  Linux
/dev/sda9         3080   3916      62311    83  Linux

Disk /dev/sdb: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/sdb doesn't contain a valid partition table
In the above I have one extra HDD with free space; with the help of that HDD I am going to create a new partition for swap of size 1 GB and assign it the id 82. The size may differ depending on your swap requirement.
Let's create the partition with id 82 for swap.
[root@client ~]# fdisk /dev/sdb
Device contains neither a valid DOS partition table, nor Sun, SGI
or OSF disklabel
Building a new DOS disklabel. Changes will remain in memory only,
until you decide to write them. After that, of course, the previous
content won't be recoverable.

The number of cylinders for this disk is set to 1044.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)
Warning: invalid flag 0x0000 of partition table 4 will be corrected
by w(rite)

Command (m for help): p      <-- to see the details
Disk /dev/sdb: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot   Start    End     Blocks    Id  System

Command (m for help): n      <-- to create the new partition
Command action
   e   extended
   p   primary partition (1-4)
p                            <-- to create the primary partition
Partition number (1-4): 1    <-- partition number
First cylinder (1-1044, default 1):
Using default value 1
Last cylinder or +size...:
Disk /dev/sdb: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot   Start    End     Blocks    Id  System
/dev/sdb1            1    123      98966    83  Linux

Command (m for help): t      <-- change the partition Id
Selected partition 1
Hex code (type L to list codes): L    <-- list the codes
(the full list of partition type codes follows; the one we need is 82, Linux swap / Solaris)
Hex code (type L to list codes): 82    <-- Id for swap
Changed system type of partition 1 to 82 (Linux swap / Solaris)

Command (m for help): p      <-- list the partitions
Disk /dev/sdb: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot   Start    End     Blocks    Id  System
/dev/sdb1            1    123      98966    82  Linux swap / Solaris

Command (m for help): w      <-- write the changes
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.

Tell the kernel about the changes.
[root@client ~]# partprobe
Confirm the created partition.
[root@client ~]# fdisk -l
Disk /dev/sda: 32.2 GB, 32212254720 bytes
255 heads, 63 sectors/track, 3916 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot   Start    End     Blocks    Id  System
/dev/sda1   *        1     13     104391    83  Linux
/dev/sda2           14     24    2096482+   82  Linux swap / Solaris
/dev/sda3           25    529    2048287+   83  Linux
(/dev/sda4 to /dev/sda9 as listed earlier, unchanged)

Disk /dev/sdb: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot   Start    End     Blocks    Id  System
/dev/sdb1            1    123      98966    82  Linux swap / Solaris

Make the swap area using the following command. Name the partition (/dev/sdb1), not the whole disk (/dev/sdb): running mkswap on the disk would overwrite the partition table you just wrote.
[root@client ~]# mkswap /dev/sdb1
Setting up swapspace version 1, size = 101161 kB
Enable it using the following command.
[root@client ~]# swapon /dev/sdb1
List the swap space available on the machine.
[root@client ~]# swapon -s
Filename    Type        Size      Used   Priority
/dev/sda2   partition   2096482   0      -1
/dev/sdb1   partition   98956     0      -2
In the above you can see that /dev/sdb1 has been activated and serves as a swap resource for the machine alongside /dev/sda2.
Use the following command to see the memory available on the machine. In the output you
will be able to see the physical memory and the virtual memory (swap) as well.

[root@client ~]# free -m
             total       used       free     shared    buffers     cached
Mem:           434        430          3          0          1        246
-/+ buffers/cache:        166         26
Swap:         3012          0       3012

As per the above, the total size of swap used is 0; this is as per our requirement.

If you would like to turn the swap off, you can use the following command.

[root@client ~]# swapoff /dev/sda2

List the swap space. Because we swapped off the above one, you will now see only the one
swap partition which we created.

[root@client ~]# swapon -s
/dev/sdb1                               partition       98956   0       -2

In the normal case, if you restart the server the swap will not be turned on automatically. To make it
persistent, put it in /etc/fstab.

[root@client ~]# vi /etc/fstab
LABEL=/                 /                       ext3    defaults        1 1
LABEL=/tmp              /tmp                    ext3    defaults        1 2
LABEL=/home             /home                   ext3    defaults,usrquota,grpquota 1 2
LABEL=/usr              /usr                    ext3    defaults        1 2
LABEL=/var              /var                    ext3    defaults        1 2
LABEL=/boot             /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
LABEL=SWAP-sda2         swap                    swap    defaults        0 0
/dev/sda9               /opt                    ext3    defaults        0 0
# New Swap Partition
/dev/sdb1               swap                    swap    defaults        0 0

Reboot the server.

[root@client ~]# reboot

Verify it.

[root@client ~]# free -m
             total       used       free     shared    buffers     cached
Mem:           434        430          3          0          1        246
-/+ buffers/cache:        166         26
Swap:         3012          0       3012

If you want to set the priority of swap usage by the system, use the following command. A higher
priority will be used more by the system. High = 1, low = -1.

[root@client ~]# swapon -p 10 /var/swapfile

Verify the priority.

[root@client ~]# swapon -s
Filename                                Type            Size    Used    Priority
/dev/sdb1                               partition       1021992 0       10
/dev/sda2                               partition       2096472 296     -2

That's all.
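The procedure above identifies the new swap space by its device name (/dev/sdb1) and enables it by hand before adding an fstab line. The following shell helpers, an added example that is not part of the original page, do the same bookkeeping on text: they take the UUID from a `blkid` line only when it reports TYPE="swap" (so a filesystem partition is never formatted as swap by mistake), build an fstab entry keyed by UUID instead of a device name that may point at a different disk after the next reboot, refuse to add a duplicate entry, and read `swapon -s` to report which swap area the kernel fills first. All inputs below are constructed samples; the UUID is a made-up placeholder.

```shell
#!/bin/sh
# Added example (not from the page): text-only helpers for the swap procedure above.
# The samples stand in for the real `blkid`, `swapon -s` and /etc/fstab on a host.

# Constructed `blkid /dev/sdb1` line; the UUID is a placeholder, not a real device.
SAMPLE_BLKID='/dev/sdb1: UUID="00000000-1111-2222-3333-444444444444" TYPE="swap"'

# Constructed `swapon -s` listing (sizes made up, priorities as in the page's output).
SAMPLE_SWAPON='Filename        Type        Size    Used    Priority
/dev/sda2       partition   2096472 0       -1
/dev/sdb1       partition   98956   0       -2'

# Constructed /etc/fstab content before the new swap entry is added.
SAMPLE_FSTAB='LABEL=/         /       ext3    defaults    1 1
LABEL=SWAP-sda2 swap    swap    defaults    0 0'

# swap_uuid BLKID_LINE -> prints the UUID only if blkid reports TYPE="swap";
# fails otherwise, so mkswap/swapon are never pointed at a filesystem partition.
swap_uuid() {
    printf '%s\n' "$1" | awk '
        /TYPE="swap"/ && match($0, /UUID="[^"]*"/) {
            print substr($0, RSTART + 6, RLENGTH - 7); found = 1
        }
        END { exit found ? 0 : 1 }'
}

# fstab_swap_line UUID PRIORITY -> an fstab entry keyed by UUID rather than by
# /dev/sdb1, a name that can belong to another disk after a reboot or hotplug.
fstab_swap_line() {
    printf 'UUID=%s\tswap\tswap\tdefaults,pri=%s\t0 0\n' "$1" "$2"
}

# fstab_has_swap FSTAB_TEXT UUID -> returns 0 when an entry for that UUID exists.
fstab_has_swap() {
    printf '%s\n' "$1" | grep -q "^UUID=$2[[:space:]]"
}

# highest_priority_swap SWAPON_TEXT -> the device the kernel fills first
# (largest value in the Priority column); the header line is skipped.
highest_priority_swap() {
    printf '%s\n' "$1" | awk '
        NR > 1 && NF == 5 && (!seen || $5 + 0 > best) { best = $5 + 0; dev = $1; seen = 1 }
        END { print dev }'
}

# Demonstration when run directly: append the entry only if it is not there yet.
uuid=$(swap_uuid "$SAMPLE_BLKID") || { echo "not a swap partition" >&2; exit 1; }
if fstab_has_swap "$SAMPLE_FSTAB" "$uuid"; then
    echo "fstab already has a swap entry for $uuid"
else
    printf '%s\n%s' "$SAMPLE_FSTAB" "$(fstab_swap_line "$uuid" 10)"
fi
echo "swap used first: $(highest_priority_swap "$SAMPLE_SWAPON")"
```

On a real host, replace the constructed strings with `blkid /dev/sdb1`, `swapon -s` and `cat /etc/fstab`; `pri=` in the fstab options does what the page's `swapon -p` does, but survives a reboot.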
3 HOW TO INSTALL MEMCACHED ON CENTOS 6 / RHEL 6
RAJ MARCH 26, 2012 0 COMMENTS CACHE, CENTOS, CENTOS 6, MEMCACHE, MEMCACHED, RHEL, RHEL 6

Free & open source, high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. Memcached is an in-memory key-value store for small chunks of arbitrary data (strings, objects) from results of database calls, API calls, or page rendering.

Memcached is simple yet powerful. Its simple design promotes quick deployment, ease of development, and solves many problems facing large data caches. Its API is available for most popular languages.

Here are the simple steps to install Memcached on CentOS 6.

Open Terminal and then switch to root user.

[raj@geeksite ~]$ su -l

3.1.1.1 Install Memcached:

Install Memcached using the following command.

[root@geeksite ~]# yum install memcached

Edit the Memcached configuration file to change / enable the features.

[root@geeksite ~]# vi /etc/sysconfig/memcached

There are some default settings available in the configuration file; change them if necessary. The following is an example of settings for 256MB caching.

PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="256"
OPTIONS=""

Start Memcached.

[root@geeksite ~]# /etc/init.d/memcached restart

To auto-start Memcached on booting.

[root@geeksite ~]# chkconfig memcached on

Confirm the Memcached running status.

[root@geeksite ~]# memcached-tool 127.0.0.1:11211 stats
#127.0.0.1:11211   Field       Value
         accepting_conns           1
               auth_cmds           0
             auth_errors           0
                   bytes           0
              bytes_read           7
           bytes_written           0
              cas_badval           0
                cas_hits           0
              cas_misses           0
               cmd_flush           0
                 cmd_get           0
                 cmd_set           0
             conn_yields           0
   connection_structures          11
        curr_connections          10
              curr_items           0
               decr_hits           0
             decr_misses           0
             delete_hits           0
           delete_misses           0
               evictions           0
                get_hits           0
              get_misses           0
               incr_hits           0
             incr_misses           0
          limit_maxbytes    67108864
     listen_disabled_num           0
                     pid       29594
            pointer_size          64
           rusage_system    0.002999
             rusage_user    0.000000
                 threads           4
                    time  1332048624
       total_connections          11
             total_items           0
                  uptime          85
                 version       1.4.4

3.1.1.2 Iptables entry:

Add the following entry to allow the incoming connection on port no 11211.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 11211 -j ACCEPT

Check the remote connectivity.

[root@geeksite ~]# echo stats | nc memcache_host_name_or_ip 11211

3.1.1.3 Install PHP Module:

Install the Memcached PHP module to work with PHP.

[root@geeksite ~]# yum install php php-pecl-memcache

Now restart Memcached and the Apache server for the change to take effect.

[root@geeksite ~]# /etc/init.d/memcached restart
[root@geeksite ~]# /etc/init.d/httpd restart

That's all!
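The configuration shown above leaves OPTIONS empty, which makes memcached listen on every interface (TCP and UDP) with no authentication, and the iptables entry then admits port 11211 from any source. The following shell audit, an added example that is not part of the itzgeek article, reads the text of /etc/sysconfig/memcached and reports the two settings a defender checks first: an explicit `-l <address>` so the daemon binds only to loopback or an internal address, and `-U 0` so the UDP listener, the one abused for reflection/amplification, is closed. The two configuration samples are constructed; the weak one is the page's own defaults.

```shell
#!/bin/sh
# Added example (not from the article): audit /etc/sysconfig/memcached text for the
# settings that keep memcached off the open network.

# Constructed: the defaults as shown in the article, listening on every interface.
WEAK_CONF='PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="256"
OPTIONS=""'

# Constructed: the same file with memcached bound to loopback and UDP turned off
# (-l 127.0.0.1 fits the article's setup, where PHP runs on the same host).
HARDENED_CONF='PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="256"
OPTIONS="-l 127.0.0.1 -U 0"'

# memcached_options CONF_TEXT -> the value inside OPTIONS="..." (empty if unset)
memcached_options() {
    printf '%s\n' "$1" | sed -n 's/^OPTIONS="\(.*\)"$/\1/p'
}

# audit_memcached CONF_TEXT -> prints one finding per line; returns 0 only when clean
audit_memcached() {
    _opts=$(memcached_options "$1")
    _rc=0
    case " $_opts " in
        *" -l "*) ;;
        *) echo "no -l in OPTIONS: memcached listens on every interface"; _rc=1 ;;
    esac
    case " $_opts " in
        *" -U 0 "*) ;;
        *) echo "UDP port still open: add -U 0 (memcached over UDP is used for amplification)"; _rc=1 ;;
    esac
    return $_rc
}

# Demonstration when run directly.
echo "weak config:"
audit_memcached "$WEAK_CONF" || true
echo "hardened config:"
audit_memcached "$HARDENED_CONF" && echo "no findings"
```

Pair the hardened OPTIONS with a narrower firewall rule than the one above: add `-s <web server address>` to the iptables entry so that only the hosts that run the PHP client can reach port 11211.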
4 SETTING UP DNS SERVER ON CENTOS 7

So it makes it easy to remember the domain names instead of their IP addresses.
This detailed tutorial will help you to set up a local DNS server on your CentOS 7
system. However, the steps are applicable for setting up a DNS server on RHEL and
Scientific Linux 7 too.

DNS SERVER INSTALLATION

1 SCENARIO

For the purpose of this tutorial, I will be using three nodes. One will be acting as Master
DNS server, the second system will be acting as Secondary DNS, and the third will be
our DNS client. Here are my three systems' details.

5.1.1.1 Primary (Master) DNS Server Details:

Operating System : CentOS 7 minimal server
Hostname         : masterdns.unixmen.local
IP Address       : 192.168.1.101/24

5.1.1.2 Secondary (Slave) DNS Server Details:

Operating System : CentOS 7 minimal server
Hostname         : secondarydns.unixmen.local
IP Address       : 192.168.1.102/24

5.1.1.3 Client Details:

Operating System : CentOS 6.5 Desktop
Hostname         : client.unixmen.local
IP Address       : 192.168.1.103/24

2 SET
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 192.168.1.101; };   ### Master DNS IP ###
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.1.0/24; };   ### IP Range ###

        /*
         - If you are building a RECURSIVE (caching) DNS server, you need to
           enable recursion.
         - If your recursive DNS server has a public IP address, you MUST
           enable access control to limit queries to your legitimate users.
           Failing to do so will cause your server to become part of large
           scale DNS amplification attacks. Implementing BCP38 within your
           network would greatly reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "unixmen.local" IN {
        type master;
        file "forward.unixmen";
        allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "reverse.unixmen";
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
2.2 2. Create zone files

Create the forward and reverse zone files which we mentioned in the '/etc/named.conf' file.

5.2.2.1 2.1 Create Forward Zone

Create the forward.unixmen file in the '/var/named' directory.

vi /var/named/forward.unixmen

Add the following lines:

$TTL 86400
@   IN  SOA     masterdns.unixmen.local. root.unixmen.local. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS          masterdns.unixmen.local.
@       IN  NS          secondarydns.unixmen.local.
@       IN  A           192.168.1.101
@       IN  A           192.168.1.102
@       IN  A           192.168.1.103
masterdns       IN  A   192.168.1.101
secondarydns    IN  A   192.168.1.102
client          IN  A   192.168.1.103

5.2.2.2 2.2 Create Reverse Zone

Create the reverse.unixmen file in the '/var/named' directory.

vi /var/named/reverse.unixmen

Add the following lines:

$TTL 86400
@   IN  SOA     masterdns.unixmen.local. root.unixmen.local. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS          masterdns.unixmen.local.
@       IN  NS          secondarydns.unixmen.local.
@       IN  PTR         unixmen.local.
masterdns       IN  A   192.168.1.101
secondarydns    IN  A   192.168.1.102
client          IN  A   192.168.1.103
101     IN  PTR         masterdns.unixmen.local.
102     IN  PTR         secondarydns.unixmen.local.
103     IN  PTR         client.unixmen.local.

2.3 3. Start the DNS service

Enable and start the DNS service:

systemctl enable named
systemctl start named

2.4 4. Firewall Configuration

We must allow the DNS service default port 53 through the firewall.

firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
2.5 5. Restart Firewall

firewall-cmd --reload

2.6 6. Configuring Permissions, Ownership, and SELinux

Run the following commands one by one:

chgrp named -R /var/named
chown -v root:named /etc/named.conf
restorecon -rv /var/named
restorecon /etc/named.conf

2.7 7. Test DNS configuration and zone files for any syntax errors

Check the DNS default configuration file:

named-checkconf /etc/named.conf

If it returns nothing, your configuration file is valid.

Check the forward zone:

named-checkzone unixmen.local /var/named/forward.unixmen

Sample output:

zone unixmen.local/IN: loaded serial 2011071001
OK

Check the reverse zone:

named-checkzone unixmen.local /var/named/reverse.unixmen

Sample Output:

zone unixmen.local/IN: loaded serial 2011071001
OK

Add the DNS server details in your network interface config file.

vi /etc/sysconfig/network-scripts/ifcfg-enp0s3

TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="enp0s3"
UUID="5d0428b3-6af2-4f6b-9fe3-4250cd839efa"
ONBOOT="yes"
HWADDR="08:00:27:19:68:73"
IPADDR0="192.168.1.101"
PREFIX0="24"
GATEWAY0="192.168.1.1"
DNS1="192.168.1.101"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"

Edit the file /etc/resolv.conf:

vi /etc/resolv.conf

Add the name server IP address:

nameserver 192.168.1.101

Save and close the file.

Restart the network service:

systemctl restart network

2.8 8. Test DNS Server

dig masterdns.unixmen.local

Sample Output:

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> masterdns.unixmen.local
;; global options: +cmd
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;masterdns.unixmen.local.       IN      A

;; ANSWER SECTION:
masterdns.unixmen.local. 86400  IN      A       192.168.1.101

;; AUTHORITY SECTION:
unixmen.local.          86400   IN      NS      secondarydns.unixmen.local.
unixmen.local.          86400   IN      NS      masterdns.unixmen.local.

;; ADDITIONAL SECTION:
secondarydns.unixmen.local. 86400 IN    A       192.168.1.102

;; Query time: 0 msec
;; SERVER: 192.168.1.101#53(192.168.1.101)
;; WHEN: Wed Aug 20 16:20:46 IST 2014
;; MSG SIZE  rcvd: 125

nslookup unixmen.local

Sample Output:

Server:         192.168.1.101
Address:        192.168.1.101#53

Name:   unixmen.local
Address: 192.168.1.103
Name:   unixmen.local
Address: 192.168.1.101
Name:   unixmen.local
Address: 192.168.1.102

Now the Primary DNS server is ready to use.
It is time to configure our Secondary DNS server.
3 SET
options {
        listen-on port 53 { 127.0.0.1; 192.168.1.102; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.1.0/24; };
.
.
.
.
zone "." IN {
        type hint;
        file "named.ca";
};

zone "unixmen.local" IN {
        type slave;
        file "slaves/unixmen.fwd";
        masters { 192.168.1.101; };
};

zone "1.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/unixmen.rev";
        masters { 192.168.1.101; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

3.2 2. Start the DNS Service

systemctl enable named
systemctl start named

Now the forward and reverse zones are automatically replicated from the Master DNS
server to '/var/named/slaves/' on the Secondary DNS server.

ls /var/named/slaves/

Sample Output:

unixmen.fwd  unixmen.rev

3.3 3. Add the DNS Server details

Add the DNS server details in your network interface config file.

vi /etc/sysconfig/network-scripts/ifcfg-enp0s3

TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="enp0s3"
UUID="5d0428b3-6af2-4f6b-9fe3-4250cd839efa"
ONBOOT="yes"
HWADDR="08:00:27:19:68:73"
IPADDR0="192.168.1.102"
PREFIX0="24"
GATEWAY0="192.168.1.1"
DNS1="192.168.1.101"
DNS2="192.168.1.102"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"

Edit the file /etc/resolv.conf:

vi /etc/resolv.conf

Add the name server IP addresses:

nameserver 192.168.1.101
nameserver 192.168.1.102

Save and close the file.

Restart the network service:

systemctl restart network
55/161
3: : @ire)a** C$n#igrati$n
We (%t a**$) t-e DNS %er+ice "e#a*t &$rt 3 t-r$g- #ire)a**
!irewall,cmd ,,permanent ,,add,port0N1/tcp
3 Re%tart @ire)a**
!irewall,cmd ,,reload
36 6 C$n#igring er(i%%i$n%, O)ner%-i&, an" SELin5
chgrp named ,R /?ar/named
chown ,? root:named /etc/named.con!
restorecon ,r? /?ar/named
restorecon /etc/named.con!
3> > Te%t DNS Ser+er
dig masterdns."nixmen.local
Sa(&*e Ot&t
8/17/2019 Linux Administration (Tips & Tricks)
56/161
G ZZ i B.B.Q,RedHat,B.B.Q,3Q.el ZZ masterdns."nixmen.local
GG glo=al options: Q22 )8 8S masterdns."nixmen.local.
"nixmen.local. A>Q22 )8 8S secondar+dns."nixmen.local.
GG 9)T)O895 SECT)O8:
8/17/2019 Linux Administration (Tips & Tricks)
57/161
secondar+dns."nixmen.local. A>Q22 )8 9 3BJ.3>A.3.32J
GG '"er+ time: 2 msec
GG SER[ER: 3BJ.3>A.3.32JN1#3BJ.3>A.3.32J
GG XHE8: Xed 9"g J2 3:2Q:12 )ST J23Q
GG S S)\E rc?d: 3JN
dig secondar+dns."nixmen.local
Sa(&*e Ot&t
G ZZ i B.B.Q,RedHat,B.B.Q,3Q.el ZZ secondar+dns."nixmen.local
GG glo=al options:
8/17/2019 Linux Administration (Tips & Tricks)
58/161
Gsecondar+dns."nixmen.local. )8 9
GG 98SXER SECT)O8:
secondar+dns."nixmen.local. A>Q22 )8 9 3BJ.3>A.3.32J
GG 9(THOR)TK SECT)O8:
"nixmen.local. A>Q22 )8 8S masterdns."nixmen.local.
"nixmen.local. A>Q22 )8 8S secondar+dns."nixmen.local.
GG 9)T)O895 SECT)O8:
masterdns."nixmen.local. A>Q22 )8 9 3BJ.3>A.3.323
GG '"er+ time: 2 msec
GG SER[ER: 3BJ.3>A.3.32JN1#3BJ.3>A.3.32J
GG XHE8: Xed 9"g J2 3:2N:N2 )ST J23Q
GG S S)\E rc?d: 3JN
nslooD"p "nixmen.local
Sa(&*e Ot&t
8/17/2019 Linux Administration (Tips & Tricks)
59/161
Ser?er: 3BJ.3>A.3.32J
9ddress: 3BJ.3>A.3.32JN1
8ame: "nixmen.local
9ddress: 3BJ.3>A.3.323
8ame: "nixmen.local
9ddress: 3BJ.3>A.3.321
8ame: "nixmen.local
9ddress: 3BJ.3>A.3.32J
: CLIENT SIDE CON@I;A.3.323
nameser?er 3BJ.3>A.3.32J
Re%tart net)$r %er+ice $r re!$$t t-e %'%te(
8/17/2019 Linux Administration (Tips & Tricks)
60/161
:1 Te%t DNS Ser+er
N$), '$ can te%t t-e DNS %er+er %ing an' $ne $# t-e #$**$)ing c$((an"%
dig masterdns."nixmen.local
dig secondar+dns."nixmen.local
dig client."nixmen.local
nslooD"p "nixmen.local
T-at8% a** a!$t n$) T-e &ri(ar' an" %ec$n"ar' DNS %er+er% are rea"' t$ %e
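The named.conf comment reproduced above warns that a recursive server without query access control becomes part of DNS amplification attacks; the tutorial does restrict allow-query to 192.168.1.0/24, but the master's configuration sets no allow-transfer, so by BIND's default any host that can reach port 53 may pull the whole zone with AXFR. The following shell checks, an added example that is not part of the unixmen tutorial, read an options block and report an unrestricted recursive resolver or an unrestricted zone transfer; a second pair of functions extracts the SOA serial from a zone file so the master and the secondary's copy under /var/named/slaves/ can be compared after a change. All input text is constructed from the configuration shown above; the "stale secondary" zone and its serial are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a named.conf options block and compare
# zone serials between the master file and the secondary's replicated copy.

# Constructed master options as the tutorial shows them (no allow-transfer).
MASTER_OPTIONS='options {
        listen-on port 53 { 127.0.0.1; 192.168.1.101; };
        allow-query     { localhost; 192.168.1.0/24; };
        recursion yes;
};'

# Constructed: the same block with transfers limited to the secondary DNS server.
MASTER_OPTIONS_FIXED='options {
        listen-on port 53 { 127.0.0.1; 192.168.1.101; };
        allow-query     { localhost; 192.168.1.0/24; };
        allow-transfer  { 192.168.1.102; };
        recursion yes;
};'

# Constructed zone texts: the master's forward zone and a made-up stale copy on the
# secondary whose serial (2011071000) lags behind the master's (2011071001).
MASTER_ZONE='$TTL 86400
@   IN  SOA     masterdns.unixmen.local. root.unixmen.local. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS          masterdns.unixmen.local.
masterdns       IN  A   192.168.1.101'
STALE_SECONDARY_ZONE=$(printf '%s\n' "$MASTER_ZONE" | sed 's/2011071001/2011071000/')

# named_option TEXT NAME -> the value of a "NAME value;" statement (empty if absent)
named_option() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);[[:space:]]*"'$/\1/p' | head -n 1
}

# audit_named TEXT -> one finding per line; returns 0 when there are none
audit_named() {
    _rc=0
    _rec=$(named_option "$1" recursion)
    _q=$(named_option "$1" allow-query)
    _xfr=$(named_option "$1" allow-transfer)
    if [ "$_rec" = "yes" ]; then
        case "$_q" in
            ""|*any*) echo "recursion yes with unrestricted allow-query: open resolver"; _rc=1 ;;
        esac
    fi
    case "$_xfr" in
        ""|*any*) echo "allow-transfer not restricted: any host may AXFR the zone"; _rc=1 ;;
    esac
    return $_rc
}

# zone_serial ZONE_TEXT -> the first number after the SOA record's opening line
zone_serial() {
    printf '%s\n' "$1" | awk '
        /[[:space:]]SOA[[:space:]]/ { insoa = 1 }
        insoa {
            sub(/;.*/, "")
            for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit }
        }'
}

# zones_in_sync MASTER_TEXT SECONDARY_TEXT -> 0 when both carry the same serial
zones_in_sync() {
    [ "$(zone_serial "$1")" = "$(zone_serial "$2")" ]
}

# Demonstration when run directly.
audit_named "$MASTER_OPTIONS" || true
audit_named "$MASTER_OPTIONS_FIXED" && echo "fixed options: no findings"
zones_in_sync "$MASTER_ZONE" "$STALE_SECONDARY_ZONE" || echo "secondary copy is stale"
```

On the hosts above, feed the functions `sed -n '/^options/,/^};/p' /etc/named.conf` and the zone files themselves; the serial comparison is the quick way to confirm that a transfer happened after the master's serial was bumped.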
5 THE PERFECT SERVER CENTOS 7.1 WITH APACHE2, POSTFIX, DOVECOT, PUREFTPD, BIND AND ISPCONFIG 3

5.1.1 On this page

• 1 Requirements
• 2 Preliminary Note
• 3 Set the keyboard layout
• 4 Adjust /etc/hosts
• 5 Disable SELinux
• 6 Enable Additional Repositories And Install Some Software
• 7 Quota
• Enabling quota on the / (root) partition
• Enabling quota on a separate /var partition
• 8 Install Apache, MySQL, phpMyAdmin

This tutorial shows how to install ISPConfig 3 on a CentOS 7.1 (64Bit) server. ISPConfig 3 is a web hosting control panel that allows you to configure the following services through a web browser: Apache web server, Postfix mail server, MySQL, BIND nameserver, PureFTPd, SpamAssassin, ClamAV

5.1.2 1 Requirements
yum -y install net-tools
systemctl stop firewalld.service
systemctl disable firewalld.service

to stop and disable the CentOS firewall.

Then you should check that the firewall has really been disabled. To do so, run the command:

iptables -L

The output should look like this:

[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Or use the firewall-cmd command:

firewall-cmd --state

[root@server1 ~]# firewall-cmd --state
not running
[root@server1 ~]#

Now I will install the network configuration editor and the shell based editor "nano" that I will use in the next steps to edit the config files:

yum -y install nano wget NetworkManager-tui

If you did not configure your network card during the installation, you can do that now. Run...

nmtui

... and go to Edit a connection:

Select your network interface:

Then fill in your network details - disable DHCP and fill in a static IP address, a netmask,
your gateway, and one or two nameservers, then hit Ok:

Next select OK to confirm the changes that you made in the network settings
and Quit to close the nmtui network configuration tool.
You should run

ifconfig

now to check if the installer got your IP address right:

[root@server1 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.100  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::20c:29ff:fecd:cc52  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:cd:cc:52  txqueuelen 1000  (Ethernet)
        RX packets 55621  bytes 79601094 (75.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 28115  bytes 2608239 (2.4 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

If your network card does not show up there, then it is not enabled on boot. In this case, open the file /etc/sysconfig/network-scripts/ifcfg-eth0

nano /etc/sysconfig/network-scripts/ifcfg-ens33

[...]
ONBOOT=yes
[...]

and reboot the server.

Check your /etc/resolv.conf if it lists all nameservers that you've previously configured:

cat /etc/resolv.conf

If nameservers are missing, run

nmtui

and add the missing nameservers again.

Now, on to the configuration...
5.1.3 4 Adjust /etc/hosts

Next we edit /etc/hosts. Make it look like this:

nano /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.1.100   server1.example.com     server1
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

5.1.4 5 Disable SELinux

SELinux is a security extension of CentOS that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

Edit /etc/selinux/config and set SELINUX=disabled:

nano /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Afterwards we must reboot the system:

reboot

5.1.5 6 Enable Additional Repositories And Install Some Software

[...] priority=10 to the [epel] section:

[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
priority=10
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
[...]

Then we update our existing packages on the system:

yum update

Now we install some software packages that are needed later on:

yum -y groupinstall 'Development Tools'
5.1.6 7 Quota

(If you have chosen a different partitioning scheme than I did, you must adjust this
chapter so that quota applies to the partitions where you need it.)

To install quota, we run this command:

yum -y install quota

Now we check if quota is already enabled for the filesystem where the website (/var/www) and maildir data (/var/vmail) is stored. In this example setup, I have one big root partition, so I search for ' / ':

mount | grep ' / '

[root@server1 ~]# mount | grep ' / '
/dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,noquota)
[root@server1 ~]#

If you have a separate /var partition, then use:

mount | grep ' /var '

instead. If the line contains the word "noquota", then proceed with the following steps to enable quota.

5.1.7 Enabling quota on the / (root) partition

Normally you would enable quota in the /etc/fstab file, but if the filesystem is the root filesystem "/", then quota has to be enabled by a boot parameter of the Linux Kernel.

Edit the grub configuration file:

nano /etc/default/grub

search for the line that starts with GRUB_CMDLINE_LINUX and add rootflags=uquota,gquota to the commandline parameters so that the resulting line looks like this:

GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/swap vconsole.font=latarcyrheb-sun16 rd.lvm.lv=centos/root crashkernel=auto vconsole.keymap=us rhgb quiet rootflags=uquota,gquota"

and apply the changes by running the following commands:

cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg_bak
grub2-mkconfig -o /boot/grub2/grub.cfg

and reboot the server.

reboot

Now check if quota is enabled:

mount | grep ' / '

[root@server1 ~]# mount | grep ' / '
/dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,usrquota,grpquota)
[root@server1 ~]#
When quota is active, we can see "usrquota,grpquota" in the mount option list.

5.1.8 Enabling quota on a separate /var partition

If you have a separate /var partition, then edit /etc/fstab and add ,uquota,gquota to the /var partition (/dev/mapper/centos-var):

nano /etc/fstab

#
# /etc/fstab
# Created by anaconda on Sun Sep 21 16:33:45 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        1 1
/dev/mapper/centos-var  /var                    xfs     defaults,uquota,gquota  1 2
UUID=9ac06939-7e43-4efd-957a-486775edd74 /boot  xfs     defaults        1 3
/dev/mapper/centos-swap swap                    swap    defaults        0 0

Then run

mount -o remount /var
quotacheck -avum
quotaon -avu

to enable quota. When you get an error that there is no partition with quota enabled,
then reboot the server before you proceed.

5.1.9 8 Install Apache, MySQL, phpMyAdmin

yum -y install ntp httpd mod_ssl mariadb-server php php-mysql php-mbstring phpmyadmin
6 THE PERFECT SERVER CENTOS 7.1 WITH APACHE2, POSTFIX, DOVECOT, PUREFTPD, BIND AND ISPCONFIG 3 PAGE 2

6.1.1 On this page

• 9 Install Dovecot
• 10 Install Postfix
• 11 Install Getmail
• 12 Set MySQL Passwords And Configure phpMyAdmin
• 13 Install Amavisd-new, SpamAssassin And ClamAV
• 14 Installing Apache2 With mod_php, mod_fcgi/PHP5, PHP-FPM And suPHP
• 15 Installation of mod_python
• 16 Install PureFTPd
• 17 Install BIND
• 18 Install Webalizer, And AWStats
• 19 Install Jailkit
• 20 Install fail2ban
• 21 Install rkhunter
• 22 Install Mailman

6.1.2 9 Install Dovecot

Dovecot can be installed as follows:

yum -y install dovecot dovecot-mysql dovecot-pigeonhole

Create an empty dovecot-sql.conf file and symlink:

touch /etc/dovecot/dovecot-sql.conf
ln -s /etc/dovecot/dovecot-sql.conf /etc/dovecot-sql.conf

Now create the system startup links and start Dovecot:
systemctl enale dovecot
systemctl start dovecot
7.1.31 I'-;; P5'
3ost%x can e installed as follows:
yum -y install postfix
Then turn o #endmail and start 3ost%x and Uariad )Uy#\L*:
systemctl enale mariad.service
systemctl start mariad.service
systemctl stop sendmail.service
systemctl disale sendmail.service
systemctl enale postfix.service
systemctl restart postfix.service
5e disale sendmail to ensure that it does not get started in case it is installed on your
server$ #o the error message _ailed to issue method call: Bnit sendmail$service notloaded$_ can e ignored$
7.1.411 I'-;; G
8/17/2019 Linux Administration (Tips & Tricks)
74/161
mysElHsecureHinstallation
"root#server1 tmp%& mysElHsecureHinstallation
*I ,**)*A /!! +/? 3 J)? ?')+ )? '*77 3 /!! aria7=
?K? )* +7,')* ,?L +!/? /7 /'J ?+ '/3,!!BL
)n order to lo into aria7= to secure itG weDll need t(e current
password for t(e root user. )f youDve Must installed aria7=G and
you (avenDt set t(e root password yetG t(e password will e lankG
so you s(ould Must press enter (ere.
nter current password for root enter for noneI
G successfully used passwordG movin on...
?ettin t(e root password ensures t(at noody can lo into t(e aria7=
root user wit(out t(e proper aut(orisation.
?et root passwordN "B;n%
Remove test database and access to it? [Y/n]
<Directory /usr/share/phpMyAdmin/>
<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAny>
# Require ip 127.0.0.1
# Require ip ::1
Require all granted
</RequireAny>
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from All
Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory>
Next we change the authentication in phpMyAdmin from cookie to http:
nano /etc/phpMyAdmin/config.inc.php
[...]
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'http';
[...]
Then we create the system startup links for Apache and start it:
systemctl enable httpd.service
systemctl restart httpd.service
Now you can direct your browser to http://server1.example.com/phpmyadmin/ or http://192.168.0.100/phpmyadmin/ and log in with the user name root and your new root MySQL password.
7.1.$13 Installing Apache with mod_php, mod_fcgi/PHP-FPM and suPHP
We can install Apache2 with mod_php5, mod_fcgid, and PHP5 as follows:
yum -y install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-pecl-apc php-mbstring php-mcrypt php-mssql php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel php-fpm
Next we open /etc/php.ini...
nano /etc/php.ini
... and change the error reporting (so that notices aren't shown any longer), set the timezone and uncomment cgi.fix_pathinfo=1:
[...]
;error_reporting = E_ALL & ~E_DEPRECATED
error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED
[...]
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
; http://www.php.net/manual/en/ini.core.php#ini.cgi.fix-pathinfo
cgi.fix_pathinfo=1
[...]
date.timezone = Europe/Berlin
[...]
Next we install suPHP (there is a mod_suphp package available in the repositories, but unfortunately it isn't compatible with ISPConfig, therefore we have to build suPHP ourselves):
cd /usr/local/src
wget http://suphp.org/download/suphp-0.7.2.tar.gz
tar zxvf suphp-0.7.2.tar.gz
CentOS 7.1 uses apache-2.4, so we need to patch suphp before we can compile it against Apache. The patch gets applied like this:
wget -O suphp.patch https://lists.marsching.com/pipermail/suphp/attachments/201
/usr/ --sysconfdir=/etc/ --with-apr=/usr/bin/apr-1-config --with-apache-user=apache --with-setid-mode=owner --with-logfile=/var/log/httpd/suphp_log
make
make install
Then we add the suPHP module to our Apache configuration...
nano /etc/httpd/conf.d/suphp.conf
LoadModule suphp_module modules/mod_suphp.so
... and create the file /etc/suphp.conf as follows:
nano /etc/suphp.conf
[global]
;Path to logfile
logfile=/var/log/httpd/suphp.log
;Loglevel
loglevel=info
;User Apache is running as
webserver_user=apache
;Path all scripts have to be in
docroot=/
;Path to chroot() to before executing script
;chroot=/mychroot
; Security options
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false
;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true
;Send minor error messages to browser
errors_to_browser=false
;PATH environment variable
env_path=/bin:/usr/bin
;Umask to set, specify in octal notation
umask=0077
; Minimum UID
min_uid=100
; Minimum GID
min_gid=100
[handlers]
;Handler for php-scripts
x-httpd-suphp="php:/usr/bin/php-cgi"
;Handler for CGI-scripts
x-suphp-cgi="execute:!self"
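The [global] section above is where suPHP decides which scripts it will execute and as whom: it switches to the script owner's uid/gid, and the min_uid/min_gid, writeable and docroot checks are what keep a stray root-owned or world-writable file from being run. The following is an added example, not code from the tutorial or from the suPHP project: a small audit script that reads a suphp.conf and reports settings looser than the values used above. The sample configuration embedded in it is constructed for the demo (it is the tutorial's section with min_uid and allow_file_others_writeable deliberately weakened), and the thresholds are the tutorial's own values.

```python
"""Audit the suphp.conf settings that decide which scripts suPHP runs and
with which privileges.  Added example, not part of the tutorial or of the
suPHP project; SAMPLE_SUPHP_CONF is constructed for the demo."""
import configparser

# Constructed sample: the tutorial's [global] section with two values
# deliberately weakened (min_uid=0, allow_file_others_writeable=true).
SAMPLE_SUPHP_CONF = """\
[global]
;Path to logfile
logfile=/var/log/httpd/suphp.log
;Loglevel
loglevel=info
;User Apache is running as
webserver_user=apache
;Path all scripts have to be in
docroot=/
; Security options
allow_file_group_writeable=true
allow_file_others_writeable=true
allow_directory_group_writeable=true
allow_directory_others_writeable=false
check_vhost_docroot=true
errors_to_browser=false
env_path=/bin:/usr/bin
umask=0077
min_uid=0
min_gid=100

[handlers]
x-httpd-suphp="php:/usr/bin/php-cgi"
x-suphp-cgi="execute:!self"
"""


def parse_suphp_conf(text):
    """suphp.conf is INI-like: [global] and [handlers] sections, key=value
    lines and ';' comments.  Keys are case-sensitive, so the default
    lower-casing of option names is switched off."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _is_true(section, key, default="false"):
    return section.get(key, default).strip().lower() == "true"


def audit_suphp(text):
    """Return a list of findings; an empty list means every checked setting
    is at the tutorial's value or stricter."""
    g = parse_suphp_conf(text)["global"]
    findings = []
    # suPHP runs each script as its owner; the minimums stop scripts owned
    # by root or system accounts from executing with those ids.
    if int(g.get("min_uid", "0")) < 100:
        findings.append("min_uid=%s: scripts owned by system accounts would run with their uid"
                        % g.get("min_uid", "0"))
    if int(g.get("min_gid", "0")) < 100:
        findings.append("min_gid=%s: scripts owned by system groups would run with their gid"
                        % g.get("min_gid", "0"))
    # A world-writable script or directory lets any local user change what runs.
    for key in ("allow_file_others_writeable", "allow_directory_others_writeable"):
        if _is_true(g, key):
            findings.append("%s=true: world-writable scripts/directories are accepted" % key)
    if not _is_true(g, "check_vhost_docroot"):
        findings.append("check_vhost_docroot is not true: scripts outside the vhost DocumentRoot are accepted")
    if _is_true(g, "errors_to_browser"):
        findings.append("errors_to_browser=true: internal error details are sent to clients")
    # umask=0077 keeps files a script creates private to its owner.
    if int(g.get("umask", "0077"), 8) & 0o077 != 0o077:
        findings.append("umask=%s: files created by scripts may be group/world readable" % g.get("umask"))
    return findings


if __name__ == "__main__":
    for finding in audit_suphp(SAMPLE_SUPHP_CONF):
        print("WARNING:", finding)
```

Point the script at the real file with audit_suphp(open("/etc/suphp.conf").read()) after you have created it; on the configuration exactly as written in the tutorial it returns no findings.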
Edit the file /etc/httpd/conf.d/php.conf to enable php parsing only for phpmyadmin, roundcube and other system packages in /usr/share but not for websites in /var/www, as ISPConfig will activate PHP for each website individually.
nano /etc/httpd/conf.d/php.conf
change the lines:
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
to:
<Directory /usr/share>
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
</Directory>
so that the PHP handler is enclosed by the Directory directive.
Enable httpd and PHP-FPM to get started at boot time and start the PHP-FPM service.
systemctl start php-fpm.service
systemctl enable php-fpm.service
systemctl enable httpd.service
Finally we restart Apache:
systemctl restart httpd.service
7.1.>1# Installation of mod_python
7.1.?1$ Install PureFTPd
PureFTPd can be installed with the following command:
yum -y install pure-ftpd
Then create the system startup links and start PureFTPd:
systemctl enable pure-ftpd.service
systemctl start pure-ftpd.service
Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.
OpenSSL is needed by TLS; to install OpenSSL, we simply run:
yum install openssl
Open /etc/pure-ftpd/pure-ftpd.conf ...
nano /etc/pure-ftpd/pure-ftpd.conf
If you want to allow FTP and TLS sessions, set TLS to 1:
[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
# including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.
TLS 1
[...]
In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:
mkdir -p /etc/ssl/private/
Afterwards, we can generate the SSL certificate as follows:
openssl req -x509 -nodes -days 7
That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS.
7.1.1 17 Install BIND
We can install BIND as follows:
yum -y install bind bind-utils
Make a backup of the existing /etc/named.conf file and create a new one as follows:
cp /etc/named.conf /etc/named.conf_bak
cat /dev/null > /etc/named.conf
nano /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-recursion {"none";};
recursion no;
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.conf.local";
Create the file /etc/named.conf.local that is included at the end of /etc/named.conf (/etc/named.conf.local will later on get populated by ISPConfig if you create DNS zones in ISPConfig):
touch /etc/named.conf.local
Then we create the startup links and start BIND:
systemctl enable named.service
systemctl start named.service
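The named.conf above listens on every address and answers queries from anyone, but with recursion no and allow-recursion {"none";} it only serves the zones ISPConfig will later add to /etc/named.conf.local; the combination of recursion yes with allow-recursion { any; } is what turns such a server into an open resolver that answers recursive lookups for the whole Internet. The following is an added example, not code from the tutorial or from BIND: a brace-aware scan of the options block that classifies a configuration into one of those cases. The first embedded sample mirrors the tutorial's options block, the other two are constructed to show the open and the restricted variants; the fallback label for a missing allow-recursion statement is an assumption about BIND's built-in default, which depends on the BIND version.

```python
"""Classify what a named.conf options block lets the server do for the
world: authoritative answers only, recursion for everyone, or recursion
for listed networks.  Added example, not the tutorial's or BIND's own
code; the sample configurations are constructed for the demo."""
import re

# Mirrors the tutorial's options block (recursion off, ACL "none").
TUTORIAL_STYLE_CONF = """\
//
// named.conf
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
allow-query { any; };
allow-recursion {"none";};
recursion no;
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.conf.local";
"""

# Constructed: recursion left on and offered to every client.
OPEN_RESOLVER_CONF = """\
options {
listen-on port 53 { any; };
allow-query { any; };
allow-recursion { any; };
recursion yes;
};
"""

# Constructed: recursion only for loopback and one internal network.
RESTRICTED_CONF = """\
options {
listen-on port 53 { any; };
allow-query { any; };
allow-recursion { 127.0.0.1; 192.168.0.0/24; };  # internal clients only
recursion yes;
};
"""


def strip_comments(text):
    """named.conf allows C-style, C++-style and shell-style comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def extract_block(text, name):
    """Return the body of the top-level `name { ... }` block.  The scan is
    brace-aware so nested blocks such as `listen-on port 53 { any; }` do
    not end it early."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{", text)
    if not m:
        return None
    depth, start, i = 1, m.end(), m.end()
    while i < len(text) and depth:
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
        i += 1
    if depth:
        raise ValueError("unbalanced braces in %s block" % name)
    return text[start:i - 1]


def classify_resolver(conf_text):
    body = extract_block(strip_comments(conf_text), "options") or ""
    rec = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", body)
    # BIND's default when the statement is absent is `recursion yes`.
    recursion = rec is None or rec.group(1) == "yes"
    acl = re.search(r"(?<![\w-])allow-recursion\s*\{([^}]*)\}", body)
    allowed = ([x.strip().strip('"') for x in acl.group(1).split(";") if x.strip()]
               if acl else None)
    if not recursion or allowed == ["none"]:
        return "authoritative-only"
    if allowed is None:
        # Assumption: BIND falls back to a built-in ACL here; what that ACL
        # contains depends on the BIND version, so flag it for review.
        return "recursive-default-acl"
    if "any" in allowed:
        return "open-resolver"
    return "restricted-recursion"


if __name__ == "__main__":
    for label, conf in (("tutorial", TUTORIAL_STYLE_CONF),
                        ("open", OPEN_RESOLVER_CONF),
                        ("restricted", RESTRICTED_CONF)):
        print("%-10s %s" % (label, classify_resolver(conf)))
```

Run it against the live file with classify_resolver(open("/etc/named.conf").read()); anything other than "authoritative-only" on an ISPConfig box means the options block differs from the one above.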
7.1.11 1> Install Webalizer And AWStats
Webalizer and AWStats can be installed as follows:
yum -y install webalizer awstats perl-DateTime-Format-HTTP perl-DateTime-Format-Builder
7.1.12 1? Install Jailkit
Jailkit is used to chroot SSH users and cronjobs. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.17.tar.gz
tar xvfz jailkit-2.17.tar.gz
cd jailkit-2.17
./configure
make
make install
cd ..
rm -rf jailkit-2.17*
7.1.13 2 Install fail2ban
This is optional but recommended, because the ISPConfig monitor tries to show the log:
yum -y install iptables-services fail2ban fail2ban-systemd
systemctl mask firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
systemctl stop firewalld.service
systemctl start iptables.service
systemctl start ip6tables.service
Next we create the /etc/fail2ban/jail.local file and enable monitoring for the ssh, email and ftp services.
nano /etc/fail2ban/jail.local
Add the following content into the jail.local file:
[sshd]
enabled = true
action = iptables[name=sshd, port=ssh, protocol=tcp]
[pure-ftpd]
enabled = true
action = iptables[name=FTP, port=ftp, protocol=tcp]
maxretry = 3
[dovecot]
enabled = true
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
maxretry = 5
[postfix-sasl]
enabled = true
action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
maxretry = 3
Then create the system startup links for fail2ban and start it:
systemctl enable fail2ban.service
systemctl start fail2ban.service
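Each jail above does the same thing: a filter matches authentication failures in a log, fail2ban counts them per source address inside a time window (findtime), and once the count reaches maxretry the action inserts an iptables rule for that address. The following is an added example, not fail2ban's code, that reproduces that counting logic over a constructed excerpt of /var/log/secure so you can see which address the [sshd] jail would ban and when. The regular expression covers only sshd's "Failed password" line (fail2ban's own filter.d/sshd.conf matches more), the log lines and the addresses (RFC 5737 test ranges) are constructed, and since jail.local above sets no maxretry or findtime for sshd the values used here are assumptions passed in explicitly.

```python
"""Emulate fail2ban's per-address failure counting for the [sshd] jail.
Added example, not fail2ban's own code; the log excerpt is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/secure lines.  192.0.2.10 fails five times
# within a quarter of a minute; 203.0.113.5 fails twice, half an hour apart.
SAMPLE_SECURE_LOG = """\
Mar  3 10:00:01 server1 sshd[2101]: Failed password for root from 192.0.2.10 port 40122 ssh2
Mar  3 10:00:04 server1 sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2
Mar  3 10:00:07 server1 sshd[2105]: Failed password for root from 192.0.2.10 port 40141 ssh2
Mar  3 10:00:09 server1 sshd[2107]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2
Mar  3 10:00:12 server1 sshd[2109]: Failed password for root from 192.0.2.10 port 40150 ssh2
Mar  3 10:00:15 server1 sshd[2111]: Failed password for invalid user test from 192.0.2.10 port 40160 ssh2
Mar  3 10:00:20 server1 sshd[2113]: Failed password for root from 203.0.113.5 port 33000 ssh2
Mar  3 10:30:00 server1 sshd[2115]: Failed password for root from 203.0.113.5 port 33010 ssh2
"""

# Modelled on the failure line sshd writes; only the "Failed password" case.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one so the window arithmetic works."""
    return datetime.strptime("%d %s" % (year, ts), "%Y %b %d %H:%M:%S")


def find_offenders(log_text, maxretry=5, findtime=600):
    """Return {ip: time of the failure that reached maxretry} for every
    address with maxretry or more failures inside findtime seconds.
    maxretry/findtime are assumed values, not taken from the jail.local."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue              # successful logins and other lines are ignored
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = window[ip]
        q.append(t)
        # Drop failures that fell out of the sliding window.
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = t        # here fail2ban would run the iptables action
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_SECURE_LOG).items():
        print("would ban %s at %s" % (ip, when.strftime("%b %d %H:%M:%S")))
```

Lowering maxretry to 3 moves the ban of 192.0.2.10 forward to its third failure, while 203.0.113.5 is never banned at any maxretry above 1 because its two failures are further apart than findtime; that is the trade-off the maxretry lines in the jail.local above tune per service.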
7.1.14 21 Install rkhunter
rkhunter can be installed as follows:
yum -y install rkhunter
7.1.1# 22 Install Mailman
... and add the following lines:
[...]
mailman: "/usr/lib/mailman/mail/mailman post mailman"
mailman-admin: "/usr/lib/mailman/mail/mailman admin mailman"
mailman-bounces: "/usr/lib/mailman/mail/mailman bounces mailman"
mailman-confirm: "/usr/lib/mailman/mail/mailman confirm mailman"
mailman-join: "/usr/lib/mailman/mail/mailman join mailman"
mailman-leave: "/usr/lib/mailman/mail/mailman leave mailman"
mailman-owner: "/usr/lib/mailman/mail/mailman owner mailman"
mailman-request: "/usr/lib/mailman/mail/mailman request mailman"
mailman-subscribe: "/usr/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "/usr/lib/mailman/mail/mailman unsubscribe mailman"
Run
newaliases
afterwards and restart Postfix:
systemctl restart postfix.service
Now open the Mailman Apache configuration file /etc/httpd/conf.d/mailman.conf ...
nano /etc/httpd/conf.d/mailman.conf
... and add the line ScriptAlias /cgi-bin/mailman/ /usr/lib/mailman/cgi-bin/. Comment out Alias /pipermail/ /var/lib/mailman/archives/public/ and add the line Alias /pipermail /var/lib/mailman/archives/public/:
#
# httpd configuration settings for use with mailman.
#
ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
ScriptAlias /cgi-bin/mailman/ /usr/lib/mailman/cgi-bin/
<Directory /usr/lib/mailman/cgi-bin/>
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
#Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /pipermail /var/lib/mailman/archives/public/
<Directory /var/lib/mailman/archives/public>
Options Indexes Multi
Create the system startup links for Mailman and start it:
systemctl enable mailman.service
systemctl start mailman.service
After you have installed ISPConfig 3, you can access Mailman as follows:
You can use the alias /cgi-bin/mailman for all Apache vhosts (please note that suExec and CGI must be disabled for all vhosts from which you want to access Mailman!), which means you can access the Mailman admin interface for a list at http://<vhost>/cgi-bin/mailman/admin/<listname>, and the web page for users of a mailing list can be found at http://<vhost>/cgi-bin/mailman/listinfo/<listname>.
Under http://<vhost>/pipermail/<listname> you can find the mailing list archives.
7 THE PERFECT SERVER CENTOS 7.1 WITH APACHE2, POSTFIX, DOVECOT, PUREFTPD, BIND AND ISPCONFIG 3 PAGE 3
7.1.1O On this page
• 23 Install Roundcube webmail
• 24 Install ISPConfig 3
• 25 First ISPConfig Login
• 25.1 ISPConfig 3 Manual
• 25 Links
7.1.223 Install Roundcube webmail
#
# Round Cube Webmail is a browser-based multilingual IMAP client
#
Alias /roundcubemail /usr/share/roundcubemail
Alias /webmail /usr/share/roundcubemail
# Define who can access the Webma