
RHCE Tips: How to filter content through Squid Server?

Q. For security and to save bandwidth, I would like to configure the Squid proxy server so that my users cannot download any of the following file types: MP3, MPEG, MPG, AVG, AVI, EXE. How do I configure Squid content filtering?

A. You can use a Squid ACL (access control list) to block all these files easily.

How do I block music files using a Squid content-filtering ACL?

First open the squid.conf file, /etc/squid/squid.conf:

    # vi /etc/squid/squid.conf

Now add the following line to your Squid ACL section:

    acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"

If you want to display a custom error message when a file is blocked:

    # Deny all blocked extensions
    deny_info ERR_BLOCKED_FILES blockfiles
    http_access deny blockfiles

Squid evaluates http_access rules in order, so the deny line must come before any http_access allow rule that would otherwise permit the request. Save and close the file.

Create a custom error message HTML file called ERR_BLOCKED_FILES in the /etc/squid/error/ directory or the /usr/share/squid/errors/English directory:

    # vi ERR_BLOCKED_FILES

Append the following content, starting with the html tag:

    File is blocked due to new policy
    Phone: 555-12435 (ext 44)
    Email: helpdesk@yourcorp.com

Caution: Do not include HTML close tags, as they will be closed by Squid.

Now create the /etc/squid/blocks.files.acl file:

    # vi /etc/squid/blocks.files.acl

Append the following text:

    \.[Ee][Xx][Ee]$
    \.[Aa][Vv][Ii]$
    \.[Mm][Pp][Gg]$
    \.[Mm][Pp][Ee][Gg]$
    \.[Mm][Pp]3$

Save and close the file. Restart Squid:

    # /etc/init.d/squid restart
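Squid reads each line of the quoted file as a separate regular expression and fires the ACL when any of them matches the request's URL path, so a block list can be checked offline before the proxy is restarted. The Python below is an added example, not part of the original post and not Squid's code; it assumes urlpath_regex is matched against the path plus any query string, and uses a constructed copy of the block list above together with constructed URLs.

```python
"""Offline check of a Squid urlpath_regex block list (added example)."""
import re
from urllib.parse import urlsplit

# Constructed copy of the /etc/squid/blocks.files.acl contents from the post.
BLOCK_FILE = r"""
# extensions denied by policy
\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$
"""


def load_patterns(text):
    """Compile one regex per non-empty, non-comment line, the way Squid reads a quoted ACL file."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            patterns.append(re.compile(line))
    return patterns


def url_path(url):
    """Return the part of the URL that urlpath_regex is matched against.

    Assumption: everything after scheme and host, i.e. the path and any query string.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


def is_blocked(url, patterns):
    """True if any pattern matches, i.e. 'http_access deny blockfiles' would fire."""
    path = url_path(url)
    return any(p.search(path) for p in patterns)


def check_policy(urls, text=BLOCK_FILE):
    """Return {url: 'deny' | 'allow'} for each URL against the block list."""
    patterns = load_patterns(text)
    return {u: ("deny" if is_blocked(u, patterns) else "allow") for u in urls}


if __name__ == "__main__":
    # Constructed sample requests.
    sample = [
        "http://downloads.example.com/tools/Setup.EXE",     # mixed case: the [Ee][Xx][Ee] classes catch it
        "http://media.example.com/songs/track01.mp3",
        "http://intranet.example.com/docs/readme.txt",
        "http://files.example.com/archive/report.exe.txt",  # '$' anchors at the end: not denied
        "http://files.example.com/get/clip.avi?session=1",  # query string after the extension: not denied
    ]
    for url, verdict in check_policy(sample).items():
        print(f"{verdict:5s} {url}")
```

The last two sample URLs show the limit of this kind of control: the patterns are anchored to the end of the path, so anything that follows the extension defeats them, and nothing is checked about the content actually served. Treat the list as a bandwidth and policy aid, not as a malware control.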

RHCE Tips: How do I configure sendmail to route mail to specific hosts?


Sendmail is a popular mail server that comes by default with Red Hat Linux. On Ubuntu you will have to install it with:

    $ sudo apt-get install sendmail

Wait and let the machine do the rest.

Configure sendmail to route mail to specific hosts: this is done by adding the appropriate entries to the /etc/mail/mailertable file. This file lets you specify a domain and where you want all email for that domain sent. In the example below, all email destined for mydomain.com is forwarded to a mail server that resolves to backend.mail.server. Additionally, all email received from the 192.0.0.0 network is forwarded to a mail server that resolves to outbound.mail.server.

Example /etc/mail/mailertable:

    mydomain.com    smtp:backend.mail.server
    192.            smtp:outgoing.mail.server

After your modifications to /etc/mail/mailertable are complete you will need to run the following command:

    # makemap hash /etc/mail/mailertable < /etc/mail/mailertable

makemap appends the .db suffix itself, so the map name is given without it (passing mailertable.db would create mailertable.db.db, which sendmail never reads). Restart sendmail:

    # service sendmail restart

That's it. Now sendmail is ready to route your mail to specific hosts, preventing other machines from receiving it. Happy Mailing.
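The mailertable is a plain two-column text file, so its syntax can be validated before makemap is run. The Python below is an added example, not part of the original post and not sendmail's code. It parses the "domain  mailer:host" format and resolves a recipient domain in the order FEATURE(mailertable) documents: the full domain first, then successively shorter parent domains written with a leading dot, so a key such as ".mydomain.com" covers subdomains while the bare "mydomain.com" matches exactly. The table is constructed from the post's example, with one leading-dot entry added to show subdomain matching.

```python
"""Parse and query a sendmail mailertable (added example, not sendmail's code)."""

# Constructed mailertable based on the post's example, plus a leading-dot entry.
MAILERTABLE = """
# recipient domain        mailer:target
mydomain.com              smtp:backend.mail.server
.mydomain.com             smtp:subdomain.mail.server
192.                      smtp:outgoing.mail.server
"""


def parse_mailertable(text):
    """Return {key: (mailer, host)}; a malformed or duplicate line raises ValueError."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2 or ":" not in fields[1]:
            raise ValueError(f"line {lineno}: expected '<domain> <mailer>:<host>', got {raw!r}")
        key, rhs = fields
        mailer, host = rhs.split(":", 1)
        if not mailer or not host:
            raise ValueError(f"line {lineno}: empty mailer or host in {rhs!r}")
        if key in table:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        table[key] = (mailer, host)
    return table


def lookup_keys(domain):
    """Keys tried for a recipient domain, most specific first: a.b.c, .b.c, .c"""
    labels = domain.lower().split(".")
    keys = [domain.lower()]
    for i in range(1, len(labels)):
        keys.append("." + ".".join(labels[i:]))
    return keys


def route(table, domain):
    """Return (mailer, host) for the first matching key, or None when sendmail's default delivery applies."""
    for key in lookup_keys(domain):
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    table = parse_mailertable(MAILERTABLE)
    for dom in ("mydomain.com", "mail.eng.mydomain.com", "other.example"):
        print(dom, "->", route(table, dom))
```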

RHCE Tips: Command to display all users on your system


If you want to display all the users on your Linux box, just run this command:

    # grep "/home" /etc/passwd | cut -d: -f1

RHCE Tips: Limiting users of vsftp to only their home directory?


Yesterday's VSFTPD troubleshooting note (read it as a post) brought me back to this question. If you do not wish FTP users to be able to access any files outside of their own home directory, set up a chroot jail. Consider the following example:

    * FTP username: user1
    * FTP home directory: /home/user1

    $ ftp ftp.domain.com

Output:

    Connected to ftp.domain.com.
    220 (vsFTPd 2.0.5)
    Name (ftp.domain.com:user1): user1
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/home/user1"
    ftp> cd /etc
    250 Directory successfully changed.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.

    -rw-r--r--    1 0        0            7959 Mar 02 22:20 Muttrc
    drwxr-xr-x    3 0        0            4096 Jul 24 12:20 Wireless
    drwxr-xr-x   16 0        0            4096 Jul 30 22:58 X11
    drwxr-xr-x    4 0        0            4096 Sep 05  2005 Xprint
    -rw-r--r--    1 0        0            2188 Sep 05  2005 adduser.conf
    -rw-r--r--    1 0        0              47 Aug 16 14:52 adjtime
    -rw-------    1 0        0            4330 Aug 18  2005 afick.conf
    -rw-r--r--    1 0        0             194 Sep 05  2005 aliases
    -rw-r--r--    1 0        0           12288 Jul 19 21:27 aliases.db
    drwxr-xr-x    2 0        0            8192 Aug 15 09:33 alternatives
    ...

Now a normal user can go to the /etc directory (and maybe to all other directories), and wherever a sensitive file is world-readable the user can download it via FTP. To avoid this security problem you can lock the FTP user in a jail. Open the vsftpd configuration file, /etc/vsftpd/vsftpd.conf:

    # vi /etc/vsftpd/vsftpd.conf

Make sure the following line exists (and is uncommented):

    chroot_local_user=YES

Save and close the file. Restart vsftpd:

    # /etc/init.d/vsftpd restart

Now all users of VSFTPD/FTP will be limited to accessing only files in their own home directory. They will not be able to see /, /etc, /root, /tmp or any other directory. This is an essential security feature.
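The usual way this jail fails to apply is that the option is present but still commented out, which vsftpd silently treats as unset. The Python below is an added example (not vsftpd's code) that parses the flat "option=value" format of vsftpd.conf and reports the effective chroot_local_user setting, using vsftpd's documented default of NO for a missing key. The two configurations it checks are constructed.

```python
"""Audit vsftpd.conf for the chroot_local_user setting (added example, not vsftpd's code)."""

# vsftpd's documented default for the option checked here.
DEFAULTS = {"chroot_local_user": "NO"}


def parse_vsftpd_conf(text):
    """Return {option: value} for active (uncommented) lines; a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blanks carry no setting
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def effective(settings, option):
    """Value that vsftpd will use: the configured one, else the built-in default."""
    return settings.get(option, DEFAULTS.get(option))


def to_bool(value):
    """vsftpd boolean syntax: YES/TRUE/1 are true, anything else false."""
    return value.strip().upper() in ("YES", "TRUE", "1")


def audit_chroot(text):
    """Return (ok, message) saying whether local users are confined to their home directory."""
    value = effective(parse_vsftpd_conf(text), "chroot_local_user")
    if to_bool(value):
        return True, "chroot_local_user=YES: local users are confined to their home directory"
    return False, f"chroot_local_user is {value!r}: local users can browse the whole filesystem over FTP"


# Constructed sample configurations.
JAILED = "anonymous_enable=NO\nlocal_enable=YES\nchroot_local_user=YES\n"
COMMENTED = "anonymous_enable=NO\nlocal_enable=YES\n#chroot_local_user=YES\n"

if __name__ == "__main__":
    for name, conf in (("jailed", JAILED), ("commented", COMMENTED)):
        ok, msg = audit_chroot(conf)
        print(f"{name}: {'OK ' if ok else 'FAIL'} {msg}")
```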

RHCE Tips: Granting Privileges to a Group via sudo


Define a Linux group containing those users, in /etc/group:

    mygroup:x:1200:joe,jane,hiram,krishna

Then create a sudo rule with the %groupname syntax in /etc/sudoers (edit it with visudo, which checks the syntax before saving):

    # Let the group run a particular program:
    %mygroup ALL = (root) /usr/local/bin/mycommand arg1 arg2

    # Give full superuser privileges to the group
    %mygroup ALL = (ALL) ALL

RHCE Tips for X-Windows Issues?


You have completely installed Red Hat Enterprise Linux ES 4 on your system. While starting, the system gives an error loading the X Window System. How will you fix the problem and make it boot successfully into the X Window System?

Answer and explanation: When problems occur booting the system into runlevel 5 (X Window), check whether:

1. /tmp is full or not
2. the quota has already been reached
3. the video card, resolution or monitor is misconfigured
4. the xfs service is running or not

Follow these steps:

1. df -h /tmp : if /tmp is full, remove the unnecessary files.
2. quota username : if the quota has already been reached, remove unnecessary files from the home directory.
3. Boot the system into runlevel 3; you can pass the kernel argument from the boot loader.
4. Use the command system-config-display. It will display a dialog to configure the monitor, video card, resolution, etc.
5. Set the default runlevel to 5 in /etc/inittab:

    id:5:initdefault:

6. Reboot the system; you will get the GUI login screen.

Note: at the exam neither X Window nor GNOME is installed for debugging; you just have to set id:5:initdefault: in /etc/inittab, use system-config-display and reboot the system.

RHCE Tips: Samba


Setting up a simple Samba share that can be accessed by anyone who has an account on the machine.

Locating the correct Samba configuration file and backing up smb.conf:

    [root@rhel samba]# smbd -b | grep smb.conf
       CONFIGFILE: /etc/samba/smb.conf
    [root@rhel samba]#
    [root@rhel ~]# cd /etc/samba/
    [root@rhel samba]# cp smb.conf smb.conf.orig
    [root@rhel samba]# > smb.conf
    [root@rhel samba]# vi smb.conf

Add a simple homes share in smb.conf:

    [root@rhel samba]# cat smb.conf
    [global]
    workgroup = MIDEARTH
    [homes]
    guest ok = no
    read only = no
    [root@rhel samba]#
    [root@rhel samba]# service smb restart
    Shutting down SMB services:                                [FAILED]
    Shutting down NMB services:                                [FAILED]
    Starting SMB services:                                     [  OK  ]
    Starting NMB services:                                     [  OK  ]
    [root@rhel samba]#

Add a user called jen:

    [root@rhel samba]# useradd jen
    [root@rhel samba]# passwd jen
    Changing password for user jen.
    New UNIX password:

    BAD PASSWORD: it is WAY too short
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.

Provide the user with SMB credentials (these are separate from the normal user/password credentials):

    [root@rhel samba]# smbpasswd -a jen
    New SMB password:
    Retype new SMB password:
    Added user jen.
    [root@rhel samba]#

Go to Start > Run > \\MachineIP and log in with the user/password. Successful! You can see the home directory share [homes] and jen's own home directory.

Testing your Samba share:

    [root@rhel samba]# testparm /etc/samba/smb.conf
    Load smb config files from /etc/samba/smb.conf
    Processing section "[homes]"
    Loaded services file OK.
    Server role: ROLE_STANDALONE
    Press enter to see a dump of your service definitions

    [global]
            workgroup = MIDEARTH

    [homes]
            read only = No
    [root@rhel samba]#

Listing the shares available on the server:

    [root@rhel samba]# smbclient -L rhel -U jen
    Password:
    Domain=[rhel] OS=[Unix] Server=[Samba 3.0.25b-0.4E.6]

            Sharename       Type      Comment

            ---------       ----      -------
            homes           Disk
            IPC$            IPC       IPC Service (Samba 3.0.25b-0.4E.6)
            jen             Disk      Home directory of jen
    Domain=[rhel] OS=[Unix] Server=[Samba 3.0.25b-0.4E.6]

            Server               Comment
            ---------            -------

            Workgroup            Master
            ---------            -------
            MIDEARTH             BL07DL380G5
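Notice that testparm's dump kept "read only = No" but dropped "guest ok = no": testparm prints only parameters that differ from Samba's built-in defaults, so what a share actually permits is the combination of those defaults, anything set in [global], and the share's own lines. The Python below is an added example, not Samba's code, that parses an smb.conf, applies the defaults for the three access parameters that matter most (guest ok = no, read only = yes, browseable = yes), handles the inverted synonym "writable", and reports each share's effective settings. The first configuration is a constructed copy of the one above; the second is a constructed guest-writable share for contrast.

```python
"""Effective per-share access settings from smb.conf (added example, not Samba's code)."""

# Samba's built-in defaults for the parameters audited here.
SHARE_DEFAULTS = {"guest ok": "no", "read only": "yes", "browseable": "yes"}
# Synonyms smb.conf accepts for the same parameters.
ALIASES = {"public": "guest ok", "writable": "read only", "writeable": "read only", "browsable": "browseable"}
# "writable = yes" means "read only = no", so these are inverted while mapping.
INVERTED = {"writable", "writeable"}


def to_bool(value):
    """Samba boolean syntax: yes/true/1 are true, no/false/0 are false."""
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with parameter names normalised to Samba's canonical form."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = [part.strip().lower() for part in line.split("=", 1)]
        key = " ".join(key.split())             # "read  only" -> "read only"
        if key in INVERTED:
            value = "no" if to_bool(value) else "yes"
        key = ALIASES.get(key, key)
        sections[current][key] = value
    return sections


def effective_share(sections, name):
    """Merge built-in defaults, [global] values and the share's own lines for one share."""
    merged = dict(SHARE_DEFAULTS)
    merged.update({k: v for k, v in sections.get("global", {}).items() if k in SHARE_DEFAULTS})
    merged.update(sections[name])
    return {param: to_bool(merged[param]) for param in SHARE_DEFAULTS}


def audit_shares(text):
    """Return {share: {"effective": {...}, "findings": [...]}} for every non-global section."""
    sections = parse_smb_conf(text)
    report = {}
    for name in sections:
        if name == "global":
            continue
        eff = effective_share(sections, name)
        findings = []
        if eff["guest ok"]:
            findings.append("guest access allowed: unauthenticated users can connect")
        if eff["guest ok"] and not eff["read only"]:
            findings.append("guest-writable share")
        report[name] = {"effective": eff, "findings": findings}
    return report


# Constructed copy of the smb.conf from the session above.
SMB_CONF_HOMES = """
[global]
workgroup = MIDEARTH

[homes]
guest ok = no
read only = no
"""

# Constructed contrast case: guest access inherited from [global] on a writable share.
SMB_CONF_GUEST = """
[global]
guest ok = yes

[export]
path = /export
writable = yes
"""

if __name__ == "__main__":
    for conf in (SMB_CONF_HOMES, SMB_CONF_GUEST):
        for share, result in audit_shares(conf).items():
            print(share, result["effective"], result["findings"] or "no findings")
```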

RHCE Tips: Samba (Part II)


We learnt in our last lecture about Samba shares. In this tutorial we will go further:

Connect to your own Samba server through the client software on the same machine. The first attempt fails with NT_STATUS_BAD_NETWORK_NAME because no share name was given after the host; the second names the share:

    [root@rhel samba]# smbclient //localhost/ -U jen
    Password:
    Domain=[rhel] OS=[Unix] Server=[Samba 3.0.25b-0.4E.6]
    tree connect failed: NT_STATUS_BAD_NETWORK_NAME
    [root@rhel samba]# smbclient //localhost/jen -U jen
    Password:
    Domain=[rhel] OS=[Unix] Server=[Samba 3.0.25b-0.4E.6]
    smb: \>

You will see lots of commands here:

    smb: \> ?
    ?              altname        archive        blocksize      cancel
    case_sensitive cd             chmod          chown          close
    del            dir            du             exit           get
    getfacl        hardlink       help           history        lcd
    link           lock           lowercase      ls             mask
    md             mget           mkdir          more           mput
    newer          open           posix          posix_open     posix_mkdir
    posix_rmdir    posix_unlink   print          prompt         put
    pwd            q              queue          quit           rd
    recurse        reget          rename         reput          rm
    rmdir          showacls       setmode        stat           symlink

    tar            tarmode        translate      unlock         volume
    vuid           wdel           logon          listconnect    showconnect
    !
    smb: \>

Example: let's get a file called text from the share into the /tmp directory. Here it goes:

    [root@rhel samba]# cd /home/jen/
    [root@rhel jen]# ls
    [root@rhel jen]# touch text        <<----- Let's create a file called text
    [root@rhel jen]# vi text
    [root@rhel jen]# smbclient //localhost/jen -U jen
    Password:
    Domain=[rhel] OS=[Unix] Server=[Samba 3.0.25b-0.4E.6]
    smb: \> ls
      .                                   D        0  Mon Aug  3 17:16:20 2009
      ..                                  D        0  Mon Aug  3 17:02:24 2009
      .bash_logout                        H       24  Mon Aug  3 17:02:24 2009
      .kde                               DH        0  Mon Aug  3 17:02:24 2009
      .gtkrc                              H      120  Mon Aug  3 17:02:24 2009
      .bash_profile                       H      191  Mon Aug  3 17:02:24 2009
      text                                         6  Mon Aug  3 17:16:20 2009   <<--- Here is the file
      .bashrc                             H      124  Mon Aug  3 17:02:24 2009

                    50521 blocks of size 262144. 27714 blocks available
    smb: \>

Remember, we are now in the /tmp directory:

    [root@rhel jen]# cd /tmp
    [root@rhel tmp]# smbclient //localhost/jen -U jen
    Password:
    Domain=[rhel] OS=[Unix] Server=[Samba 3.0.25b-0.4E.6]
    smb: \> ls
      .                                   D        0  Mon Aug  3 17:16:20 2009
      ..                                  D        0  Mon Aug  3 17:02:24 2009
      .bash_logout                        H       24  Mon Aug  3 17:02:24 2009
      .kde                               DH        0  Mon Aug  3 17:02:24 2009
      .gtkrc                              H      120  Mon Aug  3 17:02:24 2009
      .bash_profile                       H      191  Mon Aug  3 17:02:24 2009
      text                                         6  Mon Aug  3 17:16:20 2009
      .bashrc                             H      124  Mon Aug  3 17:02:24 2009

                    50521 blocks of size 262144. 27714 blocks available

    smb: \> get text
    getting file \text of size 6 as text (60000.0 kb/s) (average inf kb/s)
    smb: \>

Now, when I browse the /tmp directory I can see:

    [root@rhel tmp]# ls
    mapping-root  text
    [root@rhel tmp]#

Setting up a Samba server which makes documents and a printer available only to the system's regular users and not to anyone outside.

Workout:

1. Share point ==> /export
2. All files owned by a user called Ajeet Raina

Let's create the user:

    [root@rhel tmp]# useradd -c "Ajeet Raina" -m -g users -p Oracle9ias ajeetr
    [root@rhel tmp]# mkdir /export
    [root@rhel tmp]# chmod u+rw,g+rw,o+rw /export
    [root@rhel tmp]# chown ajeetr.users /export
    [root@rhel tmp]#

Note that useradd -p expects an already encrypted password string as produced by crypt(3), not a plaintext one, and a password typed on the command line is recorded in the shell history; setting it afterwards with passwd is the safer route.

Copy the files that should be shared to the /export directory.

..to be updated..

RHCE Tips: Forgot Root Password? Follow this:


This procedure assumes you have console access and are authorized to make changes to accounts on the machine, including root. If you own the machine, you can boot into single-user mode and change the password or create an account.

If you are using GRUB (you should see a blue boot-up screen), press "a", then "space", "1", "enter", so that the kernel line ends in:

    1

That will boot to single-user mode. Then you can change the root password:

    passwd

Then reboot:

    Ctrl-Alt-Del

You should create user accounts other than root. Use the useradd command:

    useradd someone
    passwd someone

RHCE: How to create a new Linux partition?


Imagine that we have a server running RHEL 4 and our supervisor comes over and wants a 10 GB partition created for the data processing department. This is in addition to what the server currently has allocated, so we can either create a partition out of unpartitioned space on the existing disk (experienced Linux system administrators leave unpartitioned disk space for future expansion), if available, or we can add another drive. This scenario happens quite frequently in the production world, so this is a valuable skill to have even if you administer nothing more than your home machines.

We'll assume that your supervisor has given you the latitude to decide which of the above options you'll use, so your first task is to check whether space is available on your existing media. We'll run "fdisk -l" to see the size of the disk; the data we need is on the first line of output.

    [root@station17 ~]# fdisk -l

    Disk /dev/sda: 80.0 GB, 80000000000 bytes
    255 heads, 63 sectors/track, 9726 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1   *           1          38      305203+  83  Linux
    /dev/sda2              39        7687    61440592+  83  Linux
    /dev/sda3            7688        7942     2048287+  82  Linux swap

From this we can see the size of our drive is 80.0 GB. Now, we'll use "df -h" to calculate the size of the partitions that are on our system. We only need to be concerned with the rows that have a device label; the others (labeled "none") don't concern us. The column labeled "Size" has the numbers we'll need to add up to get an overall size.

    [root@station17 ~]# df -h
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/sda2              58G  6.5G   49G  12% /
    /dev/sda1             289M   17M  258M   6% /boot
    none                 1013M     0 1013M   0% /dev/shm
    [root@station17 ~]#

From this, we can see that /dev/sda2 is 58G and /dev/sda1 is 289M - a total of 58.3GB. Now we need to add in our swap size; "cat /proc/swaps" will tell us what size our swap partition is.

[ If you feel like using an actual system utility for this, "swapon -s" will do the same thing. -- Ben ]

    [root@station17 ~]# cat /proc/swaps
    Filename                        Type            Size    Used    Priority
    /dev/sda3                       partition       2048276 0       -1
    [root@station17 ~]#

Adding in the 2GB from this means that we have 19.7 GB to work with - well over what we need.

Now, let's move on to creating our partition: "fdisk /dev/sda" will open our drive's partition table for modification. Since we're already using 3 partitions on the drive, we'll have to make our 4th one an extended partition - a container to house any additional partitions, including the one we are creating now. We'll want to accept the defaults on this extended partition, which will make the whole rest of the drive available for our new partitions. We'll be using an ext3 filesystem, so we also need to keep this in mind: the "mkfs" command reserves 5% of the blocks for root. Given all that, we'll make our new partition 11.5GB to compensate for the blocks reserved for root plus a little extra.

    [root@station17 ~]# fdisk /dev/sda

    The number of cylinders for this disk is set to 9726.
    There is nothing wrong with that, but this is larger than 1024,
    and could in certain setups cause problems with:
    1) software that runs at boot time (e.g., old versions of LILO)
    2) booting and partitioning software from other OSs
       (e.g., DOS FDISK, OS/2 FDISK)

    Command (m for help): n
    Command action
       e   extended
       p   primary partition (1-4)
    e
    Selected partition 4
    First cylinder (7943-9726, default 7943):
    Using default value 7943
    Last cylinder or +size or +sizeM or +sizeK (7943-9726, default 9726):
    Using default value 9726

Here you can see where I selected "n" for a new partition and "e" to make an extended partition. I then accepted the defaults for both the starting cylinder and again for the ending cylinder.

    Command (m for help): n
    First cylinder (7943-9726, default 7943):
    Using default value 7943
    Last cylinder or +size or +sizeM or +sizeK (7943-9726, default 9726): +11500M

Next, I hit "n" to create a new partition; then, when prompted for a starting cylinder, I hit 'enter' to accept the default. For the ending cylinder I entered "+11500M" to specify the size. The plus is important - without it, you will get an error. It's a good idea to hit "p" at this point to get "fdisk" to print the partition table. This will show what we have done before saving our changes.

    Command (m for help): p

    Disk /dev/sda: 80.0 GB, 80000000000 bytes
    255 heads, 63 sectors/track, 9726 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1   *           1          38      305203+  83  Linux
    /dev/sda2              39        7687    61440592+  83  Linux
    /dev/sda3            7688        7942     2048287+  82  Linux swap
    /dev/sda4            7943        9726    14329980    5  Extended
    /dev/sda5            7943        9341    11237436   83  Linux

If there are any mistakes just quit "fdisk" with a "q" and no changes will be saved. This looks right - so let's write our changes with a "w".

    Command (m for help): w
    The partition table has been altered!

    Calling ioctl() to re-read partition table.

    WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
    The kernel still uses the old table.
    The new table will be used at the next reboot.
    Syncing disks.
    [root@station17 ~]#

This warning can be remedied by using the 'partprobe' command to force the kernel to reread the partition table. Remember - if this were a production machine, we wouldn't want to have to reboot it.

    [root@station17 ~]# partprobe

At this point our 11.5G partition is /dev/sda5 and raw - it has neither a file system nor a label descriptor - so let's format it and give it a label. Giving the partition a label can be done at the same time that the file system is being created with the -L option, but I prefer to do it in a separate step.

    [root@station17 ~]# mkfs.ext3 /dev/sda5
    mke2fs 1.35 (28-Feb-2004)
    Filesystem label=
    OS type: Linux
    Block size=4096 (log=2)
    Fragment size=4096 (log=2)
    1406272 inodes, 2809359 blocks
    140467 blocks (5.00%) reserved for the super user
    First data block=0
    Maximum filesystem blocks=2877292544
    86 block groups
    32768 blocks per group, 32768 fragments per group
    16352 inodes per group
    Superblock backups stored on blocks:
            32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208

    Writing inode tables: done
    Creating journal (8192 blocks): done
    Writing superblocks and filesystem accounting information: done

    This filesystem will be automatically checked every 34 mounts or
    180 days, whichever comes first.  Use tune2fs -c or -i to override.
    [root@station17 ~]#

Now we'll give it a label ("/data"):

    [root@station17 ~]# e2label /dev/sda5 /data
    [root@station17 ~]#

Next, we need to create a mount point in our filesystem and make sure that it's mounted at boot time. Let's create a directory on our system called /data.

[ The usual method of allocating new space is often much more complex than that - at least in the planning stages. In fact, creating a non-standard directory name in the root of the filesystem as suggested here is incorrect and violates the Filesystem Hierarchy Standard (FHS). As an example of a more typical situation, if an administrator finds that a shared machine's drive is running out of room, he may first examine the machine to see where the most activity/space consumption is occurring. Assuming that it's in the space assigned to users (i.e., "/home"), he would most likely back up the data in that subdirectory, restore it to the newly-created partition, delete "/home", and mount the new partition as "/home". This would recover all the space used by the original "/home" and leave it available for the rest of the system to use - and most users would not even realize that any change had been made. This approach doesn't require rebooting the machine either. -- Ben ]

[ I do understand that the partitioning is inconsistent with the FHS, but our RedHat course materials do instruct us to create directories in / for simplicity and ease in aiding backups. We are also led by instruction to do things such as specialized partitioning schemes for different things this way here at the RedHat academy. -- Joey ]

    [root@station17 ~]# mkdir /data
    [root@station17 ~]#

Now we put it in the file system table, '/etc/fstab', so it gets mounted on every boot.

    [root@station17 ~]# vi /etc/fstab

    # This file is edited by fstab-sync - see 'man fstab-sync' for details
    LABEL=/                 /                       ext3    defaults        1 1
    LABEL=/data             /data                   ext3    defaults        1 1
    LABEL=/boot             /boot                   ext3    defaults        1 2
    none                    /dev/pts                devpts  gid=5,mode=620  0 0
    none                    /dev/shm                tmpfs   defaults        0 0
    none                    /proc                   proc    defaults        0 0
    none                    /sys                    sysfs   defaults        0 0
    LABEL=SWAP-sda3         swap                    swap    defaults        0 0
    /dev/scd0               /media/cdrecorder       auto    pamconsole,exec,noauto,managed 0 0

I used the root partition as a guide in this sample. The label is in the first column, the mount point is in the second, then we have the file system type and the mount options. The last two numbers are the dump indicator and the fsck indicator; they determine when the system gets backed up if you're using 'dump', and when the system gets checked for errors. Basically, you can copy these numbers and options just as I have. Write your changes and exit the editor. Then, to make sure that there were no errors, run "mount -a" to mount all the partitions listed in /etc/fstab. Any errors would be reported at this point.

    [root@station17 ~]# mount -a

Since we didn't get any errors, let's do a "df -h" and see how everything looks.

    [root@station17 ~]# df -h
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/sda2              58G  6.6G   49G  12% /
    /dev/sda1             289M   17M  258M   6% /boot
    none                 1013M     0 1013M   0% /dev/shm
    /dev/sda5              11G   59M   10G   1% /data
    [root@station17 ~]#
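The numbers fdisk printed can be checked before "w" is ever typed, because they all follow from the geometry line. The Python below is an added example, not part of the original article: it parses the "fdisk -l" output shown above (constructed copy), works out the unallocated cylinders, converts the "+11500M" request into the cylinder span fdisk will allocate, and reproduces mkfs's 5% reserved-block count. Two assumptions are made: the fdisk of that era counts a megabyte as 1,000,000 bytes (its header reports 80000000000 bytes as "80.0 GB"), and a logical partition gives up the first track of its span (63 sectors) to the extended boot record that describes it. The free figure it reports, about 14.7 GB, is smaller than the 19.7 GB estimated from df -h because df -h reports sizes in powers of 1024, so its "58G" for /dev/sda2 is roughly 62 GB in the decimal units fdisk prints.

```python
"""Sanity-check fdisk's cylinder arithmetic (added example, not from the article)."""
import math
import re

# Constructed copy of the fdisk -l output shown in the article.
FDISK_OUTPUT = """
Disk /dev/sda: 80.0 GB, 80000000000 bytes
255 heads, 63 sectors/track, 9726 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          38      305203+  83  Linux
/dev/sda2              39        7687    61440592+  83  Linux
/dev/sda3            7688        7942     2048287+  82  Linux swap
"""

GEOM_RE = re.compile(r"(\d+) heads, (\d+) sectors/track, (\d+) cylinders")
PART_RE = re.compile(r"^(/dev/\S+)\s+\*?\s*(\d+)\s+(\d+)\s+(\d+)\+?\s+([0-9a-fA-F]+)\s+(.*)$", re.M)

EBR_SECTORS = 63   # assumption: one track lost to the EBR at the start of a logical partition


def parse_fdisk(text):
    """Geometry and partition rows from 'fdisk -l' output."""
    heads, sectors, cylinders = map(int, GEOM_RE.search(text).groups())
    parts = [{"dev": m.group(1), "start": int(m.group(2)), "end": int(m.group(3)),
              "blocks": int(m.group(4)), "id": m.group(5), "system": m.group(6).strip()}
             for m in PART_RE.finditer(text)]
    return {"cylinders": cylinders, "sectors_per_cyl": heads * sectors,
            "cyl_bytes": heads * sectors * 512, "partitions": parts}


def free_cylinders(disk):
    """(first free cylinder, number of free cylinders) after the last partition."""
    last_used = max(p["end"] for p in disk["partitions"])
    return last_used + 1, disk["cylinders"] - last_used


def unallocated_bytes(disk):
    return free_cylinders(disk)[1] * disk["cyl_bytes"]


def size_to_cylinders(size_spec, cyl_bytes, megabyte=1_000_000):
    """Whole cylinders (rounded up) for a '+NNNM' request; megabyte=1_000_000 is assumed for this fdisk."""
    m = re.fullmatch(r"\+(\d+)M", size_spec)
    if not m:
        raise ValueError(f"unsupported size spec {size_spec!r}")
    return math.ceil(int(m.group(1)) * megabyte / cyl_bytes)


def plan_partition(disk, size_spec):
    """Start/end cylinders and 1K block count fdisk would show for a new logical partition."""
    start, avail = free_cylinders(disk)
    need = size_to_cylinders(size_spec, disk["cyl_bytes"])
    if need > avail:
        raise ValueError(f"{size_spec} needs {need} cylinders, only {avail} free")
    sectors = need * disk["sectors_per_cyl"] - EBR_SECTORS
    return {"start": start, "end": start + need - 1, "blocks": sectors // 2}


def reserved_blocks(total_blocks, percent=5):
    """Blocks mkfs reserves for the super user (integer percentage, truncated like mke2fs)."""
    return total_blocks * percent // 100


if __name__ == "__main__":
    disk = parse_fdisk(FDISK_OUTPUT)
    start, free = free_cylinders(disk)
    print(f"free: cylinders {start}-{disk['cylinders']} ({free} cylinders, {unallocated_bytes(disk) / 1e9:.2f} GB)")
    print("plan for +11500M:", plan_partition(disk, "+11500M"))
    print("ext3 reserves", reserved_blocks(2809359), "of 2809359 blocks")
```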

That's it - we are now ready to start using this new partition, keeping in mind we may have to modify permissions as needed for our users and groups. This is a very common task, one that all Linux users should become familiar with because you will almost certainly be faced with needing more room. This process is very similar to adding another disk - you would simply substitute your device labels as required.
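An fstab mistake surfaces only at the next boot, so it is worth linting the file before "mount -a". The Python below is an added example, not part of the article: it parses the six fields of each line (device, mount point, type, options, dump, pass), rejects lines with the wrong field count or non-numeric dump/pass values, and warns about duplicate mount points and about a non-root filesystem given fsck pass 1, since fstab(5) reserves pass 1 for the root filesystem and recommends 2 for the others. The fstab it checks is a constructed copy of the one edited above, so the /data entry, which copied "1 1" from the root line, is exactly what it warns about.

```python
"""Lint /etc/fstab entries before 'mount -a' (added example, not from the article)."""

# Constructed copy of the fstab edited in the article.
FSTAB = """
# This file is edited by fstab-sync - see 'man fstab-sync' for details
LABEL=/                 /                       ext3    defaults        1 1
LABEL=/data             /data                   ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
none                    /dev/pts                devpts  gid=5,mode=620  0 0
none                    /dev/shm                tmpfs   defaults        0 0
none                    /proc                   proc    defaults        0 0
none                    /sys                    sysfs   defaults        0 0
LABEL=SWAP-sda3         swap                    swap    defaults        0 0
/dev/scd0               /media/cdrecorder       auto    pamconsole,exec,noauto,managed 0 0
"""

FIELDS = ("spec", "mountpoint", "fstype", "options", "dump", "passno")


def parse_fstab(text):
    """Return a list of entry dicts; malformed lines raise ValueError."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if 4 <= len(fields) < 6:
            fields += ["0"] * (6 - len(fields))   # dump and pass are optional and default to 0
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 4 to 6 fields, got {len(fields)}")
        entry = dict(zip(FIELDS, fields))
        if not (entry["dump"].isdigit() and entry["passno"].isdigit()):
            raise ValueError(f"line {lineno}: dump and pass must be integers")
        entry["dump"], entry["passno"] = int(entry["dump"]), int(entry["passno"])
        entry["options"] = entry["options"].split(",")
        entry["line"] = lineno
        entries.append(entry)
    return entries


def lint_fstab(text):
    """Return a list of warning strings; empty when nothing looks wrong."""
    warnings = []
    seen = {}
    for e in parse_fstab(text):
        mp = e["mountpoint"]
        if mp in seen:
            warnings.append(f"line {e['line']}: mount point {mp} already used on line {seen[mp]}")
        seen.setdefault(mp, e["line"])
        if e["passno"] == 1 and mp != "/":
            warnings.append(f"line {e['line']}: {mp} has fsck pass 1; fstab(5) reserves 1 for / and recommends 2 for other filesystems")
    return warnings


if __name__ == "__main__":
    for w in lint_fstab(FSTAB) or ["no warnings"]:
        print(w)
```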
