linuxbuddies.com

How Kerberos Works

riyesh@gmail.com — Thu, 10 Sep 2009 08:41:05 +0000

As we know the kerberos authentication method is the most secure network authentication method ever build. In normal method the password is sent accross the network, which is vulnerable but in kerberos method no password is sent accross the network.

The Steps included in kerberos authentication

users enters his user name and password to login program, in kerberos each user have his own principal. Login program converts the username to his principal and request the KDC (key distrubtion centre) for TGT (ticket granding ticket) for this principal. KDC then check his database if the principal is there KDC create two secret keys. One key is encrypted with the password for the principal stored in his database and is sent back to the login program.

Login program tries to decrypt the packet received from KDC using the password entered by the user, if is possible to decrypt the user is authenticated.

User (username + password) —> Login Program

KDC (create two secret keys ) ———–> S1 & S2

KDC (encrypt the S1 with password associated with principal ) ———–> Login program

Add Internet Users

riyesh@gmail.com — Thu, 10 Sep 2009 07:55:01 +0000

We usally configure the proxy server to share the internet over the internal network, users inside the network can access the internet through the proxy server. All the logs of the internet usage are stored in proxy server logs files, but there is a problem in this condition. we cannot track the usage of internet by user wise and also there is no authentication method used in this. To over this situation we can use the authentication method inbuilt in the proxy server ( Squid), by this method all users in the network will got a username and password for accessing the interwork and admins are able to track the usage by userwise.

Configration changes in the squid.conf file

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/sqpasswd
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

create user and password for squid access

htpasswd -cm /etc/squid/sqpasswd eldo

Enter the password for eldo inorder to get internet access

We can sarg package for Squid Analysis Report Generator, sarg will make HTML report page

Dhcp Server Provides Multiple Range of Ips

riyesh@gmail.com — Thu, 10 Sep 2009 07:17:11 +0000

In some areas they are different networks in the same building, we need a DHCP server to provide Ip address for the computers in this different networks. It is possible to configure DHCP server with multiple range of ip address.

Configuration Example

In the working example configuration shown below, the DHCP server host is only connected to the 192.168.0.0/24 IP subnet. DHCP clients in the ethernet network segment using a 192.168.2.0/24 IP subnet will be served IP configuration leases in the 192.168.2.100 – 192.168.2.200 range because the requests are relayed by the 192.168.2.1 DHCP Relay Agent (this DHCP Relay is assumed to already be present on the 192.168.2.0/24 subnet and configured to relay DHCP messages for this DHCP server).

Most significantly, a host previously connected to the 192.168.0.0/24 network, but later moved to the 192.168.2.0/24 network segment, will be forced to obtain a new IP configuration lease in the 192.168.2.100 – 192.168.2.200 range, so that it can function correctly on this separate network and IP subnet.

Example /etc/dhcpd.conf

ddns-update-style none;

default-lease-time 3600;

max-lease-time 7200;

authoritative;

log-facility local5;

subnet 192.168.0.0 netmask 255.255.255.0 {

range 192.168.0.100 192.168.0.200;

option domain-name-servers 192.168.0.2;

option routers 192.168.0.1;

}

subnet 192.168.2.0 netmask 255.255.255.0 {

range 192.168.2.100 192.168.2.200;

option domain-name-servers 192.168.2.2;

option routers 192.168.2.1;

}

Configure the DHCP Relay Agent

The DHCP Relay Agent (dhcrelay) allows for the relay of DHCP and BOOTP requests from a subnet with no DHCP server on it to one or more DHCP servers on other subnets.

When a DHCP client requests information, the DHCP Relay Agent forwards the request to the list of DHCP servers specified when the DHCP Relay Agent is started. When a DHCP server returns a reply, the reply is broadcast or unicast on the network that sent the original request.

The DHCP Relay Agent listens for DHCP requests on all interfaces unless the interfaces are specified in /etc/sysconfig/dhcrelay with the INTERFACES directive.

To start the DHCP Relay Agent, use the command service dhcrelay start

The DHCP Relay Agent (dhcrelay) allows for the relay of DHCP and BOOTP requests from a subnet with no DHCP server on it to one or more DHCP servers on other subnets.

When a DHCP client requests information, the DHCP Relay Agent forwards the request to the list of DHCP servers specified when the DHCP Relay Agent is started. When a DHCP server returns a reply, the reply is broadcast or unicast on the network that sent the original request.

The DHCP Relay Agent listens for DHCP requests on all interfaces unless the interfaces are specified in /etc/sysconfig/dhcrelay with the INTERFACES directive.

Types of Aliases Can Used on mail service

riyesh@gmail.com — Thu, 10 Sep 2009 06:45:11 +0000

In mail service we can use alias function to forward the mails coming to a mail id to a another mail address, In some cases the destination mail address may be one for more. Basically they are 5 different types of alias methods which can be used to forward the mails.

The 5 types are

1. one to one

2. one to many

3. Include function

4. File function

5. Pipe Function

One to One

This is the common forward method used in the mail service, in this method mail coming to user inbox is forward to a another user.

Ex: If we need to forward a user mail to another user

eldo@linuxbuddies.com: riyesh@linuxbuddies.com

By adding this entry in /etc/aliases the mail coming to eldo is forwarded to riyesh

One to Many

In the previous method we seen that the incoming mail is forwarded to a another single mail id, some cases we need to add more users id at the receivers area.

Ex: If Eldo and Riyesh were in the admin group, and they also need the mails coming to the admin@linuxbuddies.com in that situation we can use the followwing entry in /etc/aliases

admin@linuxbuddies.com: eldo@linuxbuddies.com, riyesh@linuxbuddies.com

Include Function

Using the one to many method we can add multiple mail id’s at the destination area, but there areas this method are not recommended in areas like mailing list, if they are ten thousand users in receivers section we cannot one to many function because it is diffcult to manage that number of users. In include function we include a file which contains the users

Ex: If maillinglist@linuxbuddies.com contains users like eldo,riyesh,arun,philip……………………

For this need create a file

vi /etc/postfix/maillinglist then add mail id’s in that file, one id per line

then add the entry in /etc/aliases

maillinglist@linuxbuddies.com: :include: /etc/postfix/maillinglist

File Function

In all mail systems we make particular mail id to capture the abuse mails, if we need to store the mails coming to abuse mail id. In that case we can use the file function, by this method the mails coming for the abuse id is appened to a file and can be used for later reference in need.

Ex: create a file /var/log/abusemaillog

make the following entry in /etc/aliases

abuse@linuxbuddies.com: /var/log/abusemaillog

Pipes Function

They are situations that we need to run a script in server only on particular times, for that we can use pipe function for that. We need to create a particular mail id for that, when ever a mail for id comes the script will get executed. We can use perl or shell script for this.

Ex: If there is alert program on the server, when ever a mail for alert@linuxbuddies.com comes the alert binary get executed.

for this need, add like this on /etc/aliases

alert@linuxbuddies.com: |/usr/local/bin/alert

Venue Details:

Survey #13/1, KB halli ,

Varthur Hoobli,

Outer ring road,

Marathahalli

Bangalore – 87

Block a Range of Ip Address Using IP Tables

riyesh@gmail.com — Thu, 10 Sep 2009 05:31:24 +0000

In some cases we can seen that there is attack coming to our server from a particular range of ip, in that case we need to block only that range not the full range. In that situtation we can use iptables

Example: If attack is coming from 202.10.100.20 to range of 202.10.100.50

Use the command

iptables -A INPUT -m iprange –src-range 202.10.100.20-202.10.100.50 -J DROP

service iptables save

This Site For sale

riyesh@gmail.com — Sun, 09 Aug 2009 16:45:45 +0000

This domain for sale… Please contact riyesh@gmail.com

Prevent image hotlinking

riyesh@gmail.com — Tue, 20 Jan 2009 19:18:26 +0000

Hotlinking is the use of a linked object, often an image, from one site into a web page belonging to a second site. The second site is said to have an inline link to the site where the object is located.
It is always recommended to enable hotlinking of images, else others use just links to your site to load their web-pages, thereby stealing your bandwidth. Do you want that to happen?

If not, copy-paste the below code to your websites .htaccess file.

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
RewriteRule ^.*\.(bmp|tif|gif|jpg|jpeg|jpe|png)$ – [F]

Haii.. Linux buddy,, you now. safe…. :D

kernel compilation

riyesh@gmail.com — Tue, 20 Jan 2009 19:10:44 +0000

Kernel

It makes sure that all processes in the system works fine

Rebuilding

It is done to optimize the kernel to suit our requirements as well as make it more secure from internet attacks

Steps

1. Determining the current hardware
This is required during configuration process to enable hardwares that our new kernel has to support.
Commands used for the same are:

/sbin/lspci

cat /proc/cpuinfo

2. Download the Source
latest sources and its corresponding patches are always available fromhttp://www.kernel.org/pub/linux/kernel/
As of today (Oct 21, 2008) the latest available source is linux-2.6.27.2.tar.gz and the patch is patch-2.6.27.2.gz

Apply the patches

Extract the source using tar -zxvf and patch using gunzip to /usr/src/ folder.

Now cd to linux-2.6.27.2 and apply the patch as shown below:

patch -p1 <../patch-2.6.27.2

4. Configuration
You may copy the current configuration by copying the file .config.

cp ../linux/.config config.old

Begin the configuration by wiping out all previous configurations and resetting the source directory to a pristine state:

$ make mrproper

Run the configuration utility. Either of the below step can be used to run the configuration utility:

make config – least friendly tool

  make oldconfig         (- will read the defaults from the existing .config file. Note that oldconfig will only work within the same major version of the kernel. You cannot, for example, use a 2.4.x .config with the 2.6.x kernel.)

 make menuconfig      (- Most commonly and recommended method. Gives you a graphical front end to select your options)

5. Start Build
Clean before the build:

make clean

Start the build after cleaning process:

make bzImage

6. Build and install all the loadable modules

  make modules

 make modules_install

7. Copy the required files and generate initrd
Copy the files over for the kernel itself

 cp .config /boot/config-2.6.27.2

 cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.27.2

 cp System.map /boot/System.map-2.6.27.2

 mkinitrd /boot/initrd-2.6.27.2.img 2.6.27.2

If you come across an error like: “/dev/mapper/control: open failed: No such file or directory” , Run the following commands:

  rm -rf /boot/initrd-2.6.27.2.img

  mkinitrd –omit-lvm-modules /boot/initrd-2.6.27.2.img 2.6.27.2

8. Configure Grub & enable failsafe
Open grub.conf file
Add the below code to the top of the kernel list:

title Red Hat Linux (2.6.27.2)

root (hd0,0)

kernel /vmlinuz-2.6.27.2 ro root=LABEL=/

initrd /initrd-2.6.27.2.img

  Set the default value to your working kernel. (NOTE: NOT NEW KERNEL)
  Now save and exit from grub.conf file and enter into grub mode by typing “grub” from bash prompt
  And set to boot from newly compiled kernel during next reboot:

savedefault –default=0 –once

If your server is up, you are done with your new kernel. Open the file grub.conf and change the value of default to “0″

Congratulations! You are done with your new kernel.

Processor type in Linux

riyesh@gmail.com — Tue, 20 Jan 2009 18:59:47 +0000

To find the processor type and details

Get the Processor details:

cat /proc/cpuinfo

Find whether the processor is 32 or 64 bit:

getconf LONG_BIT

Find the architecture:

uname -i

Enable/ disable ping requests in linux

riyesh@gmail.com — Tue, 20 Jan 2009 18:54:11 +0000

Ping Requests use ICMP protocols. This is enabled/disabled using sysctl values.
To Disable Ping:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

To Enable Ping:

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all