Linux Lab 2006

Updated 10-July-2006

Syllabus

Over the course of the two hours, you will:

Install Linux
Configure security
Configure Samba
- add yourself as a user
- map a windows drive to your share from the Windows machines in the lab (using your Eservices Login).
Configure Apache
- create a home page
- create a php page
- access it

Introduction

Reading Material

Rute User's Tutorial - the grandfather of all Unix tutorials
Introduction to Linux - A Hands on Guide
GNU/Linux Command-Line Tools Summary
The Linux System Administrators' Guide
Bash Guide for Beginners - learn how to write shell scripts (batch programs)
Advanced Bash-Scripting Guide - more shell scripting

Why CentOS

There are three choices for Red Hat Linux distributions

Red Hat Enterprise Linux (RHEL)
- pros - stable - supported - each version is supported for 2-4 years
- cons - costs $50/year
Fedora Core Linux
- pros - free - bleeding edge development - supported by ITC - they can back it up to tape. They provide a HTTP install site
- cons - changes rapidly - a version only lasts for 6-9 months before it is replaced with a newer version
CentOS Linux
- pros - free - a clone of RHEL - stable - each version lasts as long as the RHEL version - compiled and configured from RH source - can be backed up to tape as long as it is a RHEL clone - They provide a one CDROM install disk for servers - This server install disks only installs to 1.2 GB.
- cons - support is provided only from the user community. UVa has such a community

This lab will use Centos 4.3. It is available from a Centos mirror site. CentOS provides a very fast, one CD server install image. It is an ISO file that you can burn to a CD. On a reasonably fast machine, installation takes 8-15 minutes.

Why SAMBA

Samba Features and Benefits

Two men were walking down a dusty road, when one suddenly kicked up a small red stone. It hurt his toe and lodged in his sandal. He took the stone out and cursed it with a passion and fury befitting his anguish. The other looked at the stone and said, "This is a garnet. I can turn that into a precious gem and some day it will make a princess very happy".

The moral of this tale: Two men, two very different perspectives regarding the same stone. Like it or not, Samba is like that stone. Treat it the right way and it can bring great pleasure, but if you are forced to use it and have no time for its secrets, then it can be a source of discomfort.

Samba started out as a project that sought to provide interoperability for MS Windows 3.x clients with a UNIX server. It has grown up a lot since its humble beginnings and now provides features and functionality fit for large-scale deployment. It also has some warts. In sections like this one, we tell of both.

-- From the Official SAMBA HOW-TO

CentOS Version 4 Server Installation

Screen 1

Press the Enter key

Screen 2 - CD Found - Skip Test

Screen 3 - X SERVER (GUI) Starts

Screen 4 - Welcome

Screen 5 - Use Defaults

Screen 6 - Use Defaults

Screen 7 Disk Setup - Change default
Select Manual Method - Disk Druid

Screen 8 - Disk Druid GUI

Delete the NTFS partition by highlighting it and then clicking on the DELETE button.

Then set up these partitions:

Mount Pt	Type	Size	Primary Partition
/boot	ext3	100 MB	Yes
n.a.	swap	1000 MB	No
/	ext3	10000 MB	No
/home	ext3	20000 MB	No
/data	ext3	20000 MB	No

Screen 9 - boot loader - Use Defaults

Screen 10 - Network - Use Defaults

Screen 11 - Firewall - Change Defaults

Leave Firewall On but DISABLE SELINUX

Screen 12 - More Languages - Use Defaults

Screen 13 - Time Zone - Use Defaults

Screen 14 - Root Password

Screen 15 - Package Installation - Use Defaults

Screen 16 - GO!!!

The first thing to do after logging on as root

Run YUM to install the KDE Window manager

type "yum install kdebase"
Start your browser and pull up this URL:
http://www.people.virginia.edu/~rtg2t/linux.lab.2006
On your KDE Desktop, click on "Start->System Settings->Users and Groups" to add yourself as a user. Use the Unix Uid assigned to you by UVa. Find this by going to blue unix and typing

whois rtg2t (but use your email ID not mine).
When done logout from the root account
Login as yourself

Learn how to open an xterm window to get a command line prompt:
click on start -> run command
enter "konsole"

IN this window type "su -" to get root admin rights. Use this admin window for the next section on Security Changes.

Security Changes made as root user

Edit /etc/hosts.deny

Add a new line at the end:

ALL: ALL

Edit /etc/hosts.allow

sendmail: 127.0.0.1
sshd: 128.143.46. 128.143.47. 128.143.2.

Install all patches

Normally, at this time, you would type

yum update

and install all relevant patches. This is important for overall security. We will defer that because it will take too long for this lab. Normally, it MUST be done before turning off the firewall.

Turn off Firewall

Type
/etc/rc.d/init.d/iptables stop

SAMBA

Edit

/etc/samba/smb.conf

#
# sample smb.conf file for this lab
#
#  use your own name for the workgroup and netbios name ex: Fred_Flintstone 
   workgroup = myname
   netbios  name = myname

# SAMBA doesn't use hosts.allow for access.  You can limit it to this 
# building with the next line
#
   hosts allow = 128.143.46. 128.143.47. 127.0.0.1
#
   security = user
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[data]
    path=/data
    comment = group data storage
    directory mask = 0770
    create mask    = 0770
    browseable = yes
    writable = yes

[netlogon]
   comment = Network Logon Service
   path = /home/netlogon
   writable = no
   share modes = no
   browseable = no
   guest ok = no

Start SAMBA with

/etc/rc.d/init.d/smb start

Create a Projects directory under /data

Type these commands (read about the chmod, chgrp and mkdir commands when you can) to create a project directory that all samba users have write access to:

cd /data
mkdir projects
chmod 6770 projects
chgrp users projects

Now anyone who is a valid SAMBA user and is in the default group "users" can create, modify, and delete files in /data/projects. They also cannot arbitrarily put files or directories in /data. That is reserved for the admin users. This keeps the top level shared directory clean. The users just need to map this "share" as described below in the section "TEST SAMBA from Windows".

Services

[root@newton root]# chkconfig --list | grep on | sort

acpid           0:off   1:off   2:off   3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
apmd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
cpuspeed        0:off   1:on    2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
irqbalance      0:off   1:off   2:off   3:on    4:on    5:on    6:off
mdmonitor       0:off   1:off   2:on    3:on    4:on    5:on    6:off
mdmpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
messagebus      0:off   1:off   2:off   3:on    4:on    5:on    6:off
microcode_ctl   0:off   1:off   2:off   3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
random          0:off   1:off   2:on    3:on    4:on    5:on    6:off
rawdevices      0:off   1:off   2:off   3:on    4:on    5:on    6:off
rpcgssd         0:on    1:off   2:off   3:on    4:off   5:on    6:on
rpcidmapd       0:on    1:off   2:off   3:on    4:off   5:on    6:on
rpcsvcgssd      0:on    1:off   2:off   3:on    4:off   5:on    6:on
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
smb             0:off   1:off   2:off   3:on    4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
xfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off

Edit Services with system-config-services

Edit Services with ntsysv

Nightly Patches with YUM

Edit /etc/cron.daily/yum.cron using text editor nano

Type

nano /etc/cron.daily/yum.cron

#!/bin/sh

/usr/bin/yum -R 10 -e 0 -d 0 -y update yum
/usr/bin/yum -R 120 -e 0 -d 0 -y update
tail /var/log/yum.log | mail -s YUM.your.pc yourid@virginia.edu

This runs yum every night and sends you an email.

Set Quotas for a volume

Described here

Add A User

useradd -g 100 -u 1378 rtg2t
   where
      1378 is your own UVa unix uid number.
      100 is the default group ID for the "users" group
      substitute your UVa email ID for rtg2t

smbpasswd -a rtg2t
setquota rtg2t 4000000 4100000 0 0 /home

SETQUOTA PARAMETERS

 rtg2t - the user affected
 4000000 means 4 million blocks or 4 Gigabytes space for space soft limit
 4100000 is the hard limit
 0 is the soft limit for the number of files
 0 is the hard limit for the number of files
 /home is the volume affected for this user

I could not find a GUI for setting quotas......

or use system-config-users

TEST SAMBA from Windows

Use the Windows Network Wizard to find the shares or.....


On a Windows PC, open a cmd window and type:

net use h: \\128.143.46.xx\rtg2t
net use i: \\128.143.46.xx\data

where xx is the end of your IP.  Find your IP by typing
on your Linux account: 

ifconfig

which prints something like:

eth0      Link encap:Ethernet  HWaddr 00:0B:DB:92:9B:DA
          inet addr:128.143.34.79  Bcast:128.143.255.255  Mask:255.255.0.0
          inet6 addr: 2002:808f:23c4:4:20b:dbff:fe92:9bda/64 Scope:Global
          inet6 addr: fec0::4:20b:dbff:fe92:9bda/64 Scope:Site
          inet6 addr: fe80::20b:dbff:fe92:9bda/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:111098470 errors:0 dropped:0 overruns:0 frame:0
          TX packets:111783140 errors:0 dropped:0 overruns:0 carrier:0
          collisions:12010169 txqueuelen:1000
          RX bytes:436643027 (416.4 Mb)  TX bytes:901386291 (859.6 Mb)
          Base address:0xece0 Memory:fe8e0000-fe900000

HTTP Setup

Edit /etc/httpd/conf/httpd.conf with nano Change


DocumentRoot "/var/www/html"


to 

DocumentRoot "/home/www/html"

and type

mkdir /home/www
mkdir /home/www/html

This moves the HTTP documents to the /home device

Change


#
#    AllowOverride FileInfo AuthConfig Limit
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#    
#        Order allow,deny
#        Allow from all
#    
#    
#        Order deny,allow
#        Deny from all
#    
#

to



    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    
        Order allow,deny
        Allow from all
    
    
        Order deny,allow
        Deny from all

This permits each user to have web space under /home/yourid/public_html

Permissions are set with:


chmod 710 /home/yourid
chgrp apache  /home/yourid/
mkdir  /home/yourid/public_html
chmod -R 6750 /home/yourid/public_html
chgrp -R apache /home/yourid/public_html

TEST Your Web Server

Type echo test personal web > /home/yourid/public_html/index.html

Type echo test main web > /home/www/html/index.html

Go to the URL:

128.143.46.xx/~yourid

or

128.143.46.xx

where xx is the last part of your Linux IP address

GUI or non-GUI at boot

Set in /etc/inittab on the line

id:3:initdefault:

Integration with WinXP and Win2k

This is an advanced topic that you all can do if there is time.

If you have a group of users and a group of PC's that need to share files, SAMBA has an easy solution.

Summary: Everyone can login from any PC and map their network drives.

Assign all the PC's a similar netbios name, like SEAS01 - SEAS99
Join all the PC's to the ESERVICES domain.
Add all the users to your SAMBA server.
- Make them a Linux user with no password
  ex: useradd -g 100 -u 1378 rtg2t
- Make their SAMBA password the same as their ESERVICES password - (get them to type it for you into the smbpasswd command). ** For Experts - the smbpasswd command can be used as the "shell program" for each user as defined in the /etc/passwd command. You can set the user's login password for the shell and mail it to them. They will get the smbpasswd prompt to change their samba password and immediately logout.
Their home directories will automatically be set by the home directory in /etc/passwd
Use a similar template as I used for the [data] share for their group files.

Use the drive.mapper.bat file in the [netlogon] share for a standard drive mapping.

net use m: /del
net use n: /del
net use M: \\server.ip\homes /persistent:yes
net use N: \\server.ip\data /persistent:yes
pause

Put a shortcut on the desktop for "ALL Users" that points to the drive.mapper.bat file.

Security Checklist

Here is a good list of things to check for Linux servers.

Physical Security

Anyone with physical access to your server can steal your data.

When you get the GRUB menu, you can hit the E key to edit the Linux boot command and boot to single user mode and create a new super user account.

I will demonstrate this before you leave. These PC's in this lab (MEC 215) are pretty safe. This is how much armor it takes to physically lock down a server.