Shashikant shah

Friday 31 August 2012

Disabling USB ports in Linux

                      Disable USB Port Setup
 
If you administer Linux desktop workstations and want to stop data being copied out on pen drives, the steps below disable USB at boot time. Understand the trade-offs first: the `nousb` kernel parameter switches off the whole USB subsystem, so USB keyboards and mice stop working as well, and a user with physical access can simply edit the parameter away in the GRUB menu at boot unless GRUB is password-protected and the firmware boot order is locked. If you only need to block mass-storage devices, blacklisting the `usb-storage` module (a `blacklist usb-storage` line under /etc/modprobe.d/) is a more targeted alternative.

Edit the grub.conf and add the following lines(you need to login as root).
  
# vi /boot/grub/grub.conf

Then append `nousb` to the `kernel` line of the entry you boot from. Keep the existing options (`ro root=...`, `rhgb quiet`); only the trailing `nousb` is new:

kernel /vmlinuz-<your-kernel-version> ro root=<your-root-device> rhgb quiet nousb

Save the file and reboot; the USB subsystem is then disabled from boot time onward. Also protect the GRUB menu with a `password --md5 <hash>` entry in grub.conf, otherwise anyone at the console can remove the parameter interactively at the boot prompt and boot with USB enabled.

How to disable ping… in Linux servers


                           Disable to Ping

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Or, to make the setting survive a reboot, add the line
net.ipv4.icmp_echo_ignore_all = 1 to /etc/sysctl.conf and apply it with `sysctl -p`. (The key has no `conf.` component: `net.ipv4.conf.icmp_echo_ignore_all` does not exist and `sysctl -p` reports an error for it; the file is /etc/sysctl.conf, not sysclt.conf.)

                          Enable to ping

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Or set the persistent value back:
net.ipv4.icmp_echo_ignore_all = 0 in /etc/sysctl.conf, then run `sysctl -p`.

Alternatively, iptables can drop echo requests. Match only `echo-request`; dropping all ICMP (`-p icmp -j DROP`) also discards `fragmentation-needed`, `time-exceeded` and other control messages and breaks path-MTU discovery and traceroute:
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# service iptables save
The second command writes the rule to /etc/sysconfig/iptables so it is reloaded at boot; `iptables -A` alone is lost on restart. Keep in mind that not answering ping is not a real security control (port scanners do not depend on ICMP echo), so weigh it against the troubleshooting ability you lose.

Thursday 30 August 2012

Samba Primary Domain Controller (RHEL 5.5)


                                                        

1. Configure DNS first (see the BIND section below), then configure the Samba PDC.

# yum install samba*

#vim /etc/samba/smb.conf

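#In Global settings:
# smb.conf does not support trailing comments on a value line; text after a
# "#" becomes part of the value, so comments are kept on their own lines.
workgroup = shashi.com
# hostname to identify
server string = samba
netbios name = samba

#Domain controller option:
security = user
passdb backend = tdbsam
domain master = yes
domain logons = yes
# Must name the share defined below ([profiles]). The original "profile"
# pointed at a share that does not exist, so roaming profiles never loaded.
logon path = \\%L\profiles\%U

#Browser Control options
local master = yes
os level = 33
preferred master = yes

#Share definitions
[netlogon]
# Logon scripts from this share are executed by every client at login:
# keep it read-only over SMB and root-owned on disk (see mkdir below), so
# no user can plant a script that runs on other users' desktops.
path = /home/netlogon
browseable = yes
writable = no

[profiles]
path = /home/profiles
# A roaming profile holds the user's private data (registry hive, Desktop,
# Documents). 0755 made every profile world-readable on the server; only
# the owner needs access.
create mask = 0600
directory mask = 0700
writable = yes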


# save file
create directory:


#mkdir -m 1777 /home/profiles


#mkdir -m 0755 /home/netlogon
(The netlogon share carries the logon scripts that every Windows client runs at login, so it must be writable by root only. A mode of 1777 would let any user drop a script that executes on every other user's desktop. 1777 on /home/profiles is acceptable: the sticky bit lets each user create and own only their own profile directory.)


Adding a group with group ID 200


#groupadd -g 200 machine


Create the machine trust account for the Windows client named unicom (the trailing `$` marks it as a machine account, not a person) and put it in the machine group (GID 200):


#useradd -d /dev/null -g 200 -s /sbin/nologin unicom$


#smbpasswd -m -a unicom
(-m adds the machine trust account for unicom$ without prompting for a password. Plain `smbpasswd -a unicom` is not an equivalent: it would try to create an ordinary user account named unicom.)


#smbpasswd -a root (set a Samba password for root; the Windows client asks for it once when joining the domain)
This makes the root account reachable over SMB. Use a strong password that differs from the UNIX root password, and disable the Samba root account again once all clients have joined: `smbpasswd -d root`.


#service smb restart
#chkconfig smb on


Create and enable a Samba user who can log in from a Windows machine:


#useradd ashutosh
#smbpasswd -a ashutosh
#smbpasswd -e ashutosh (enables the account if it was disabled; harmless otherwise)
#service smb restart
#chkconfig smb on

PXE SERVER RHEL-5.5


                                                       PXE  Configuration

1. These notes assume the firewall and SELinux are turned off on the lab server. Outside an isolated lab, keep both enabled and open only what PXE needs, and only for the install subnet: UDP 67 (DHCP), UDP 69 (TFTP) and TCP 21 (FTP). Remember that any machine on this subnet that network-boots will be offered an unattended installer, so the install network must not be reachable from production hosts.

  1. server IP – 192.168.0.10 Subnet- 255.255.255.0

  2. Hostname – shashi.example.com

# yum install vsftpd xinetd tftp-server dhcp     (package names are separated by spaces, not commas)

# service vsftpd start

# service vsftpd restart

# service xinetd start

# service xinetd restart

# chkconfig --level 345 vsftpd on

# chkconfig --level 345 xinetd on

# chkconfig --level 345 tftp on

# cp /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample /etc/dhcpd.conf

# vim /etc/dhcpd.conf

ddns-update-style interim;
ignore client-updates;


allow booting;
allow bootp;
# Hand the PXE bootloader only to clients whose vendor class starts with
# "PXEClient"; other DHCP clients on the subnet just get a plain lease.
# Anything that PXE-boots here is offered the installer, so either keep this
# subnet isolated or pin the class to known MAC addresses with host entries.
class "pxeclients" {
match if substring(option vendor-class-identifier, 0, 9) = "PXEClient";
# TFTP server that holds /tftpboot/linux-install/pxelinux.0 (this host).
next-server 192.168.0.10;
filename "linux-install/pxelinux.0";

}

subnet 192.168.0.0 netmask 255.255.255.0 {

# --------- default gateway
# NOTE(review): 192.168.1.1 is not inside 192.168.0.0/24, so clients on this
# subnet cannot reach it as a gateway; confirm the real router address for
# the install subnet and correct this line.
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;

# Lease pool for PXE/BOOTP clients; it stays clear of the server's own
# static address (192.168.0.10).
range dynamic-bootp 192.168.0.11 192.168.0.20;
default-lease-time 21600;
max-lease-time 43200;
}

# :wq (save)

# service dhcpd restart


# chkconfig --level 345 dhcpd on

# vim /etc/xinetd.d/tftp
disable = no
# service xinetd restart


# pxeos -a -i "shashi" -p FTP -D 0 -s 192.168.0.10 -L /pub/ shashi

  • a – add a new operating system description.

  • i – a short description of the operating system (the text shown in the boot menu)

  • p – specify protocol

  • D – 0 or 1: whether this is a diskless configuration; 0 means it is not.
  • s – server name or IP address

  • L – specify the directory on the server machine.

  • <os-identifier> - <os-identifier>Specify the unique Operating System identifier, which is used as the directory name in the /tftpboot/linux-install/directory


After the pxeos command runs, the initrd.img and vmlinuz files needed for network boot are copied from
/var/ftp/pub/rhel5.3/images/pxeboot/ to /tftpboot/linux-install/shashi. Note that the kernel, initrd and install tree are served unauthenticated over TFTP and anonymous FTP; a host on the same subnet that answers DHCP/TFTP faster than this server could substitute its own images, which is another reason to keep the install network isolated.

Configuration Master and Slave BIND (DNS)



            MASTER DNS SERVER
                                 
1.Required RPM

#bind-libs-9.3.3-10.el5
#bind-chroot-9.3.3-10.el5
#bind-devel-9.3.3-10.el5
#bind-utils-9.3.3-10.el5
#bind-libbind-devel-9.3.3-10.el5
#bind-9.3.3-10.el5
#bind-sdb-9.3.3-10.el5
#caching-nameserver-9.3.3-10.el5

2.Some file check

# vim /etc/hosts
# vim /etc/sysconfig/network
# vim /etc/resolv.conf

3.Configure

# cp -p /etc/named.caching-nameserver.conf /var/named/chroot/etc/named.conf
(The template shipped by the caching-nameserver package is named.caching-nameserver.conf, with a dot, as also used in step 8.)

4.Soft link

# ln -s /var/named/chroot/etc/named.conf /etc/named.conf

5.Check Permission

# ls -l /etc/named.conf
The file must be owned by root with group named and must not be world-readable (the package installs it as -rw-r----- root named). named runs as the named user and only needs read access.

6.Create named.conf

#vim /etc/named.conf

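// These directives belong inside the existing options { ... } block of the
// file copied from named.caching-nameserver.conf.
listen-on port 53 { 127.0.0.1; Server IP; };

// Anyone may query the zones this server is authoritative for ...
allow-query { any; };
// ... but recursive lookups and cache reads are for our own clients only.
// "allow-query { any; }" together with "recursion yes" and no
// allow-recursion restriction makes an open resolver: usable for DNS
// amplification attacks and exposed to cache-poisoning attempts from
// anyone who can reach port 53.
allow-recursion { localhost; 192.168.0.0/24; };
allow-query-cache { localhost; 192.168.0.0/24; };
recursion yes;

// In the default view, below the options block.
match-clients { any; };
match-destinations { any; };

zone "example.com" {
type master;
file "example.com.zone";
// Zone transfers only to the secondary.
allow-transfer { slave IP; };
// A slave pulls the zone with AXFR/IXFR; it never sends dynamic updates.
// Accepting updates from that address would let anyone able to spoof it
// rewrite the zone, so keep updates closed on the master.
allow-update { none; };
};
zone "0.168.192.in-addr.arpa" {
type master;
file "rev-example.com.zone";
allow-transfer { slave IP; };
allow-update { none; };
};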

7.Test named.conf

# named-checkconf

cd /var/named/chroot/var/named/

# cp -p localdomain.zone example.com.zone

NOTE: whenever example.com.zone or rev-example.com.zone is changed on the master, increment the serial number. The slave only transfers the zone when the master's serial is higher than its own, so without this the change never reaches it.

# vim example.com.zone

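$TTL 86400

; Any name in this file that does not end in a dot has the zone origin
; (example.com.) appended to it. The SOA primary name and the NS targets
; must therefore be written fully qualified with a trailing dot; without it
; BIND would use "master.example.com.example.com.", a name that does not
; exist, as the primary/NS host.
@ IN SOA master.example.com. root.example.com. (

42                 ; serial (d. adams) - increment on every edit

3H                ; refresh

15M             ; retry

1W               ; expiry

1D )             ; minimum

IN NS master.example.com.
IN NS slave.example.com.

master IN A 192.168.0.254
slave IN A 192.168.0.1
client2 IN A 192.168.0.2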

# cd /var/named/chroot/var/named/

# cp -p named.local rev-example.com.zone

# vim rev-example.com.zone

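$TTL    86400
@       IN      SOA     master.example.com.  root.master.example.com.  (
                                      42            ; Serial - increment on every edit
                                      28800      ; Refresh
                                      14400       ; Retry
                                      3600000   ; Expire
                                      86400 )     ; Minimum

; NS and PTR targets live in another zone, so they must be fully qualified
; with a trailing dot. A bare "master.example.com" is read relative to
; 0.168.192.in-addr.arpa, and "master." is the absolute top-level name
; "master" - neither resolves to the host.
           IN     NS      master.example.com.
           IN    NS       slave.example.com.

254       IN     PTR   master.example.com.
1         IN     PTR     slave.example.com.
2         IN     PTR     client2.example.com.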

# service named restart
# chkconfig named on

                       SLAVE DNS SERVER
* All Package install
 
8.Copy to file
# cp /var/named/chroot/etc/named.caching-nameserver.conf   /var/named/chroot/etc/named.conf
 
9.Check Permission
 # cd  /var/named/chroot/etc/
 
# ll  -ld 
  root  named  named.conf
 
10.Edit some line
 
# vim named.conf
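// Inside options { ... }
listen-on port 53 { 127.0.0.1; Slave IP; };
allow-query { any; };
// The template copied from named.caching-nameserver.conf leaves
// "recursion yes" in place. Restrict who may recurse and read the cache,
// otherwise this slave is an open resolver even if the master is locked
// down.
allow-recursion { localhost; 192.168.0.0/24; };
allow-query-cache { localhost; 192.168.0.0/24; };

zone "example.com" {
type slave;
// Written by named after each transfer, hence the slaves/ directory that
// the named group may write to (see the permissions step below).
file "slaves/example.com.zone";
allow-update { none; };
masters { master IP; };
};

zone "0.168.192.in-addr.arpa" {
type slave;
file "slaves/rev-example.com.zone";
allow-update { none; };
masters { master IP; };
};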
11.Check Permission
# cd  /var/named/chroot/var/named
# chown -R root:named slaves
# chmod 770 slaves
(named must be able to write the transferred zone files here, so the named group needs write access, but the directory must not be world-writable: mode 777 would let any local user replace the zone data this server hands out.)
# cd /var/named/chroot/var
# chown -R root:named named
# ls -ld named   (755 root named is expected)
# service network restart
# service named restart
# chkconfig named on 
12. Check DNS
Query each server explicitly so master and slave answers can be told apart:
# dig @192.168.0.254 master.example.com
# dig @192.168.0.1 master.example.com
# dig @192.168.0.1 -x 192.168.0.2
The SOA serial in both servers' answers should match; if the slave lags, look for transfer errors in the slave's /var/log/messages.

Wednesday 29 August 2012

LDAP SERVER RHEL5.5


                          LDAP Configuration


ldap server ip – 192.168.0.10
hostname- shashi.example.com

1.Requirements-

# yum install openldap* nss_ldap
(Package versions that appear in the list below are from more than one release; RHEL 5.5 installs openldap 2.3.43.)
compat-openldap.i386 0:2.1.30-6.4E
openldap-clients.i386 0:2.2.13-6.4E
openldap-devel.i386 0:2.2.13-6.4E
openldap-servers.i386 0:2.2.13-6.4E
openldap-servers-sql.i386 0:2.2.13-6.4E
openldap-2.3.43.12.el5.i386.rpm
nss_ldap-253-25.el5.i386.rpm

2.Create LDAP Password

#slappasswd
New password:
Re-enter new password:
{SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW (copy)

3.Update /etc/openldap/slapd.conf

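database bdb
suffix                "dc=example,dc=com"
rootdn              "cn=Manager,dc=example,dc=com"
# Paste the {SSHA} hash printed by slappasswd, and nothing else, on this
# line; the clear-text password must never appear here. Keep slapd.conf
# readable only by root and the ldap user (0640 root:ldap).
rootpw      {SSHA}cWB1VzxDXZLf6F4pwvyNvApBQ8G/DltW
# Without any access directives slapd defaults to "access to * by * read",
# so the {crypt} password hashes migrated from /etc/shadow in step 8 would
# be readable by any anonymous ldapsearch. Let users change their own
# password, let anonymous clients only bind against it, hide it from
# everyone else, and keep the rest of the tree readable for nss_ldap.
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none
access to *
        by * read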

4.Apply Changes

# service ldap start
# service ldap restart
# chkconfig ldap on

5.Create user

#useradd shashi
#passwd shashi

#useradd unicom
#passwd unicom

6.Migrate local users to LDAP

#grep '^shashi:' /etc/passwd > /etc/openldap/passwd.shashi

#grep '^unicom:' /etc/passwd > /etc/openldap/passwd.unicom

(Anchor the pattern: a bare `grep unicom` also matches any other line that merely contains that string. migrate_passwd.pl additionally reads the matching /etc/shadow entries, so the LDIF it writes in step 8 contains the users' password hashes - keep these files mode 600 and delete them once imported.)


7.Edit the migrate_common.ph


#cd /usr/share/openldap/migration/
#vim migrate_common.ph
$DEFAULT_MAIL_DOMAIN = “example.com”;
$DEFAULT_BASE = “dc=example,dc=com”;



8.Convert passwd file to ldif (LDAP Data Interchange Format) file

#/usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.shashi /etc/openldap/shashi.ldif
#/usr/share/openldap/migration/migrate_passwd.pl /etc/openldap/passwd.unicom /etc/openldap/unicom.ldif


9. Check the generated LDIF files
# vim shashi.ldif
# vim unicom.ldif
Every `dn:` line must end in dc=example,dc=com (the $DEFAULT_BASE set in step 7). If the tool's built-in default base still appears, fix step 7 and regenerate rather than editing by hand. The files also contain `userPassword: {crypt}...` lines copied from /etc/shadow, so treat them as secrets.

10.Create a domain ldif file

# vim example.ldif
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

# vim people.ldif

dn: ou=people,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit

11. Import into LDAP. Order matters: the suffix entry and the ou must exist before the entries beneath them, otherwise ldapadd fails with "No such object". Use -W to be prompted for the Manager password; `-w <password>` leaves it in the shell history and shows it to every local user via ps.

# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/example.ldif
# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/people.ldif
# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/shashi.ldif
# ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/unicom.ldif

12.CHECK for LDAP Server
# ldapsearch -x -h localhost -b "dc=example,dc=com"
# service ldap restart
13. Export the home directories for the LDAP users (NFS)
# vim /etc/exports
/home/shashi 192.168.0.0/24(rw,sync)
/home/unicom 192.168.0.0/24(rw,sync)
(The file is /etc/exports. Export to the client subnet rather than `*`: NFSv3 trusts the client's IP address and UIDs, so a world export lets any host that can reach the server read and write these home directories. Keep the default root_squash.)

#cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

#chmod 600 /var/lib/ldap/DB_CONFIG

#chown -R ldap:ldap /var/lib/ldap/DB_CONFIG

# service nfs restart

# chkconfig nfs on


@@@@@@@@@@@@@@@CLIENT SIDE@@@@@@@@@@@@@@@@@


14. Point the client at the LDAP server
# authconfig-tui
a. tick "Use LDAP" and "Use LDAP Authentication"
b. server 192.168.0.10, base DN dc=example,dc=com
As configured here the client binds over plain LDAP, so each user's password crosses the network in clear text at every login and can be sniffed on the LAN. For anything beyond a lab, enable "Use TLS" on the client and give slapd a certificate (TLSCertificateFile / TLSCertificateKeyFile in slapd.conf).
15.CHECK LDAP USER
# getent passwd (show all ldap user)
16.Use for Automount
# vim /etc/auto.master
/home /etc/auto.rhome
# vim /etc/auto.rhome
    * -rw,sync 192.168.0.10:/home/&
# service autofs restart
# chkconfig autofs on
17. Change a user's password
Once users live in LDAP, change the password in the directory directly; the local /etc/shadow copy and a re-run of the migration script are not needed:
# ldappasswd -x -D "cn=Manager,dc=example,dc=com" -W -S "uid=unicom,ou=People,dc=example,dc=com"
(-S prompts for the new password, -W for the Manager password. Never pass the Manager password on the command line with -w; it is recorded in the shell history and shown by ps.) If you do regenerate unicom.ldif with migrate_passwd.pl as in step 8, apply it with ldapmodify using the same -W form and check that the dn ends in dc=example,dc=com.
@@@@@@@@@@@@@@@@@Finish@@@@@@@@@@@@@@@@@@@
 

Monitoring Tool NAGIOS



                             NAGIOS Configuration


The firewall and SELinux are disabled in this lab setup. In production keep them on and open only TCP 80 (web UI) on the Nagios server, and TCP 5666 (NRPE) from the Nagios server to each monitored client.

Server IP :- 192.168.0.10
Hostname :- shashi.example.com

Client IP :- 192.168.0.11
Hostname :- client.example.com

1.Package Requirement :-

# yum install httpd php
# yum install gcc glibc glibc-common
# yum install gd gd-devel

2.Create Nagios user and group :-

# useradd -m nagios
# passwd nagios
# usermod -G nagios  nagios
# groupadd nagcmd
# usermod -a -G nagcmd nagios
# usermod -a -G nagcmd apache

3. Download the sources into a working directory:

# mkdir /opt/shashi/

# cd /opt/shashi

Download nagios-3.2.3.tar.gz and nagios-plugins-1.4.11.tar.gz here (the download URLs were lost from the original notes). The tarballs are fetched over plain HTTP and then compiled and installed as root with `make install`, so compare their checksums with the values published on the Nagios download page before unpacking them.

# tar xvf nagios-3.2.3.tar.gz

# cd nagios-3.2.3

# ./configure --with-command-group=nagcmd

# make all

# make install

# make install-init

# make install-config

# make install-commandmode

# make install-webconf

 4.vim /usr/local/nagios/etc/objects/contacts.cfg

35: change ---> email youadmin-mail-ID

6. Set the web-interface password for the nagiosadmin user (-c creates htpasswd.users; omit -c when adding further users later, or the existing entries are overwritten):
htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
New password :
Re-type new password :

Note:- If you want to change admin “nagiosadmin” name change all in “/usr/local/nagios/etc/cgi.cfg” file too.

7. Go to this Path :-

# cd /opt/shashi

# tar xvf nagios-plugin-1.4.11.tar.gz

# cd nagios-plugin-1.4.11

# ./configure --with-nagios-user=nagios --with-nagios-group=nagios

# make

# make install

# chkconfig --add nagios

# chkconfig nagios on

# /etc/init.d/nagios start

# /etc/init.d/nagios restart

# chkconfig nagios on

# /etc/init.d/httpd restart

#chkconfig httpd on

# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg (check nagios)

Total warnings: 0
Total Errors: 0
Things look okay – No serious problems

8.Login to web interface :-


username :- nagiosadmin
passwd :- *******



9. Package requirement (NRPE on the server side, which provides the check_nrpe plugin):

# yum install openssl-devel xinetd

# cd /opt/shashi

Download nrpe-2.13.tar.gz from the Nagios project's SourceForge page into this directory (the full URL was lost from the notes) and verify its published checksum before building: it arrives over plain HTTP and is compiled and installed as root.

# tar xvf nrpe-2.13.tar.gz

# cd nrpe

# ./configure

General Options:

-------------------------

NRPE port:5666

NRPE user:nagios

NRPE group:nagios

Nagios user: nagios

Nagios group: nagios


# make all

# make install-plugin

# make install-daemon

# make install-daemon-config

# make install-xinetd


10.Enter the following entry :-

# vim /etc/xinetd.d/nrpe



only_from = 127.0.0.1 192.168.0.10   (the Nagios server's address; NRPE executes commands on request, so this list must stay limited to the monitoring host)

11.Now, add entry for nrpe daemon to /etc/services file :-

# vim /etc/services

nrpe 5666/tcp # NRPE

# service xinetd restart


# chkconfig xinetd on

12.Test NRPE Daemon Install :-

# netstat -at |grep nrpe
Output should be :

tcp 0 0 *:nrpe *.* LISTEN

13.Check NRPE Service :-

# /usr/local/nagios/libexec/check_nrpe -H 192.168.0.10

Output should be the NRPE version string of the agent you built, e.g.:

NRPE v2.13



-: CLIENT SETUP :-

1.Package Requirement :-

# yum install openssl-devel xinetd

# yum install httpd php

# yum install gcc glibc glibc-common

# yum install gd gd-devel

2.Create Nagios user and group :-

# useradd -m nagios
# passwd nagios
# usermod -G nagios  nagios
# groupadd nagcmd
# usermod -a -G nagcmd nagios
# usermod -a -G nagcmd apache

3.Create a Directary shashi :-

# mkdir /opt/shashi

# cd /opt/shashi

# wget http://sourceforge.net/projects/nagios/files/nrpe-2.x/nrpe-2.13/nrpe-2.13.tar.gz/download -O nrpe-2.13.tar.gz
(Without -O the SourceForge redirect saves the file as "download" and the tar command below fails. This is a plain-HTTP download of code that is installed and run as root; compare the file's checksum with the value on the project page before extracting it.)


# tar -xvf nrpe-2.13.tar.gz
# cd nrpe

# ./configure

General Options:

-------------------------

NRPE port: 5666
NRPE user: nagios
NRPE group: nagios
Nagios user: nagios
Nagios group: nagios

# make all

# make install-plugin

# make install-daemon

# make install-daemon-config

# make install-xinetd

Enter the following entry in :-

# vim /etc/xinetd.d/nrpe


only_from = 127.0.0.1 192.168.0.10   (the Nagios server's address; only that host may ask this agent to run commands)





4.Now, add entry for nrpe daemon to /etc/services file

# vim /etc/services

nrpe 5666/tcp # NRPE

# service xinetd start

# service xinetd restart


# chkconfig xinetd on

5.Test NRPE Daemon Install

# netstat -at |grep nrpe

Output should be:
tcp 0 0 *:nrpe *.* LISTEN

This command run by SERVER SIDE :-

# /usr/local/nagios/libexec/check_nrpe -H 192.168.0.11 (client IP)

NRPE v2.13   (the version string of the agent built on the client)

# cd /opt/shashi


# tar xvf nagios-plugins-1.4.11.tar.gz

# cd nagios-plugins-1.4.11

# ./configure --with-nagios-user=nagios --with-nagios-group=nagios

# make

# make install

# chkconfig --add nagios

# chkconfig nagios on

# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

Total Warnings: 0

Total Errors: 0
Things look okay - No serious problems were detected during the pre-flight check

6. Plugins for Tomcat and JBoss:

# cd /usr/local/nagios/libexec

# cp check_http check_tomcat
# cp check_http check_jboss
(These are simply check_http under other names: they perform an HTTP check against whatever port the command definition passes with -p, nothing Tomcat- or JBoss-specific.)

GO TO SERVER SIDE :-

# vim /usr/local/nagios/etc/nagios.cfg

>Definitions for monitoring the local (Linux) host

cfg_file=/usr/local/nagios/etc/objects/localhost.cfg (add line)

cfg_file=/usr/local/nagios/etc/objects/client.cfg (add line)

# vim /usr/local/nagios/etc/objects/client.cfg


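# client.cfg - host and service checks for client.example.com (192.168.0.11).
# generic-host and local-service are the stock templates from
# objects/templates.cfg.

# Host template for this client; register 0 keeps the template itself from
# being monitored as a host.
define host {
    name                    client              ; Name of this template
    use                     generic-host        ; Inherit default values
    check_period            24x7
    check_interval          5
    retry_interval          1
    max_check_attempts      10
    check_command           check-host-alive
    notification_period     24x7
    notification_interval   30
    notification_options    d,r
    contact_groups          admins
    register                0                   ; DONT REGISTER THIS - ITS A TEMPLATE
}

define host {
    use                     client              ; Inherit default values from a template
    host_name               client              ; The name we're giving to this server
    alias                   client              ; A longer name for the server
    address                 192.168.0.11        ; IP address of the server
}

# Network checks: these reach 192.168.0.11 through $HOSTADDRESS$ and really
# test the client.
define service {
    use                     local-service
    host_name               client
    service_description     PING
    check_command           check_ping!100.0,20%!500.0,60%
}

# NOTE(review): check_disk, check_local_procs and check_local_users take no
# host argument - they run on the Nagios server itself, so the next three
# services report the *server's* disk, processes and users under the
# client's name. To measure the client, route them through the NRPE agent
# installed on it (check_command check_nrpe!<command>, with a matching
# command in the client's nrpe.cfg).
define service {
    use                     local-service       ; Name of service template to use
    host_name               client
    service_description     Disk Space
    check_command           check_disk!20%!10%!/
}

define service {
    use                     local-service       ; Name of service template to use
    host_name               client
    service_description     Total Processes
    check_command           check_local_procs!150!300!RSZDT
}

define service {
    use                     local-service       ; Name of service template to use
    host_name               client
    service_description     HTTP
    check_command           check_http
    notification_interval   0                   ; set > 0 if you want to be renotified
}

# NOTE(review): the MySQL credentials are embedded in this object file and
# appear on the command line (visible in ps) every time the check runs.
# Move them to a $USERn$ macro in resource.cfg (mode 0600) and use a
# dedicated monitoring account with only the privileges the check needs,
# not root.
define service {
    use                     local-service
    host_name               client
    service_description     MySQL connection-time
    check_command           check_mysql_health!root!XXXX!connection-time
    notifications_enabled   1
}

# The original commented out only the "define service {" line of this block
# and left its body in place; Nagios rejects such stray directives with a
# parse error. Either comment out the whole block or, as here, keep it
# enabled.
define service {
    use                     local-service
    host_name               client
    service_description     Tomcat
    check_command           check_tomcat
}

define service {
    use                     local-service
    host_name               client
    service_description     Jboss
    check_command           check_jboss
}

define service {
    use                     local-service
    host_name               client
    service_description     SSH
    check_command           check_ssh
}

define service {
    use                     local-service       ; Name of service template to use
    host_name               client
    service_description     Current Users
    check_command           check_local_users!20!50
}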



# vim /usr/local/nagios/etc/objects/commands.cfg   (the stock file is commands.cfg, plural; it is the one referenced by cfg_file in nagios.cfg)


################################################################################

# NOTE: The following 'check_...' commands are used to monitor services on

# both local and remote hosts.

################################################################################



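# 'check_nrpe' command definition
# Runs a command defined in the remote host's nrpe.cfg through the NRPE
# agent (check_nrpe was installed by "make install-plugin" above). Use this
# for disk/process/user checks that must run *on* the client instead of on
# the Nagios server.
define command {
    command_name    check_nrpe
    command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}

# 'check_procs' command definition
# Runs on the Nagios server itself (no -H). ARG1/ARG2 are the warning and
# critical process counts, ARG3 the process-state filter (e.g. RSZDT).
define command {
    command_name    check_procs
    command_line    $USER1$/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
}

# 'check_ftp' command definition
define command {
    command_name    check_ftp
    command_line    $USER1$/check_ftp -H $HOSTADDRESS$ $ARG1$
}

# 'check_http' command definition
# Warning after 10 s and critical after 20 s response time.
define command {
    command_name    check_http
    command_line    $USER1$/check_http -H $HOSTADDRESS$ -w 10 -c 20
}

# 'check_ssh' command definition
define command {
    command_name    check_ssh
    command_line    $USER1$/check_ssh $ARG1$ $HOSTADDRESS$
}

# 'check_ping' command definition
# ARG1/ARG2 are "rta,pl%" warning/critical pairs; -p 5 sends five packets.
define command {
    command_name    check_ping
    command_line    $USER1$/check_ping -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$ -p 5
}

# 'check_remote_users' command definition
# Despite the name this runs check_users locally on the Nagios server; a
# count on a remote host needs check_nrpe.
define command {
    command_name    check_remote_users
    command_line    $USER1$/check_users -w $ARG1$ -c $ARG2$
}

# 'check_disk' command definition
# Takes thresholds and mount point from the service definition
# (check_disk!20%!10%!/). The original hard-coded "-w 20% -c 10% -p
# /dev/sda1" and silently ignored the arguments every service passed.
define command {
    command_name    check_disk
    command_line    $USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
}

# 'check_mysql_health' command definition
# A directive cannot continue on a second line, so command_line must stay on
# one line. ARG2 is a password and is visible in "ps" on the Nagios server
# while each check runs; prefer a $USERn$ macro from resource.cfg over a
# literal in the service definition.
define command {
    command_name    check_mysql_health
    command_line    $USER1$/check_mysql_health -H $HOSTADDRESS$ --user $ARG1$ --password $ARG2$ --mode $ARG3$
}

# 'check_tomcat' command definition
# check_tomcat is a copy of check_http ("cp check_http check_tomcat"), so
# this is a plain HTTP check against port 8080.
define command {
    command_name    check_tomcat
    command_line    $USER1$/check_tomcat -H $HOSTADDRESS$ -p 8080 -w 4 -c 5
}

# 'check_jboss' command definition
# Also a copy of check_http. NOTE(review): on a stock JBoss install 4444 is
# the JNP/RMI port, not an HTTP listener, so an HTTP probe there may fail
# regardless of the application's health - confirm the intended port.
define command {
    command_name    check_jboss
    command_line    $USER1$/check_jboss -H $HOSTADDRESS$ -p 4444 -w 4 -c 5
}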



Check Configuration :-

# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg



# /etc/init.d/nagios restart

######################### Now Enjoy Working with Nagios ###########################