Q. For security and to save bandwidth I would like to configure the Squid proxy server so that my users cannot download any of the following file types: MP3 MPEG MPG AVG AVI EXE. How do I configure Squid content filtering?

A. You can use a Squid ACL (access control list) to block all of these files easily.

How do I block music files using a Squid content filtering ACL?

First open the squid.conf file, /etc/squid/squid.conf:

    # vi /etc/squid/squid.conf

Now add the following line to your Squid ACL section:

    acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"

To display a custom error message when a file is blocked, also add:

    # Deny all blocked extensions
    deny_info ERR_BLOCKED_FILES blockfiles
    http_access deny blockfiles

Save and close the file.

Create a custom error message HTML file called ERR_BLOCKED_FILES in the /etc/squid/error/ directory or the /usr/share/squid/errors/English directory:

    # vi ERR_BLOCKED_FILES

Append the following content, starting with the html tag:

    <html>
    File is blocked due to new policy
    Phone: 555-12435 (ext 44)
    Email: helpdesk@yourcorp.com

Caution: Do not include HTML closing tags, as they will be added by Squid.

Now create the /etc/squid/blocks.files.acl file:

    # vi /etc/squid/blocks.files.acl

Append the following text:

    \.[Ee][Xx][Ee]$
    \.[Aa][Vv][Ii]$
    \.[Mm][Pp][Gg]$
    \.[Mm][Pp][Ee][Gg]$
    \.[Mm][Pp]3$

Save and close the file. Restart Squid:

    # /etc/init.d/squid restart
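To check what the five patterns above actually catch before putting them in front of users, here is an added shell example (not from the original page) that runs the same pattern file through grep -E, which compiles POSIX extended regexes just as Squid does for regex ACLs. It assumes Squid matches urlpath_regex against the URL path including any query string; the URLs are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original page: exercise the Squid urlpath_regex
# pattern file offline with grep -E (POSIX extended regexes, the syntax Squid
# compiles these ACL patterns with).  Assumption: Squid matches a urlpath_regex
# ACL against the path plus any query string, so the $ anchor only matches
# when nothing follows the extension.
ACL_FILE="${TMPDIR:-/tmp}/blocks.files.acl.$$"
trap 'rm -f "$ACL_FILE"' EXIT
cat > "$ACL_FILE" <<'EOF'
\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$
EOF

# url_path URL -> prints the part of the URL after the scheme and host
url_path() {
    rest="${1#*://}"
    case "$rest" in
        */*) printf '/%s\n' "${rest#*/}" ;;
        *)   printf '/\n' ;;
    esac
}

# url_blocked URL -> exit 0 if any pattern in the ACL file matches the path,
# i.e. the request would hit "http_access deny blockfiles".  Squid evaluates
# http_access lines in order and stops at the first match, so that deny line
# must sit above any allow line that would otherwise match the client.
url_blocked() {
    url_path "$1" | grep -E -q -f "$ACL_FILE"
}

# constructed sample URLs: two that should be blocked, two that are allowed
for u in http://example.com/setup.exe http://example.com/song.MP3 \
         'http://example.com/setup.exe?dl=1' http://example.com/readme.txt; do
    if url_blocked "$u"; then echo "BLOCKED  $u"; else echo "allowed  $u"; fi
done
```

The third URL slips past because the query string follows the extension and the patterns are anchored with `$`; a pattern such as `\.[Ee][Xx][Ee](\?|$)` closes that gap, and the `-i` flag (`acl blockfiles urlpath_regex -i ...`) makes the per-letter character classes unnecessary.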
    # makemap hash /etc/mail/mailertable.db < /etc/mail/mailertable

Restart sendmail:

    # service sendmail restart

That's it. Now sendmail is ready to route your mail to the specific hosts you listed, preventing other machines from receiving the same mail. Happy Mailing.
    -rw-r--r--  1 0 0  7959 Mar 02 22:20 Muttrc
    drwxr-xr-x  3 0 0  4096 Jul 24 12:20 Wireless
    drwxr-xr-x 16 0 0  4096 Jul 30 22:58 X11
    drwxr-xr-x  4 0 0  4096 Sep 05  2005 Xprint
    -rw-r--r--  1 0 0  2188 Sep 05  2005 adduser.conf
    -rw-r--r--  1 0 0    47 Aug 16 14:52 adjtime
    -rw-------  1 0 0  4330 Aug 18  2005 afick.conf
    -rw-r--r--  1 0 0   194 Sep 05  2005 aliases
    -rw-r--r--  1 0 0 12288 Jul 19 21:27 aliases.db
    drwxr-xr-x  2 0 0  8192 Aug 15 09:33 alternatives
    ...

Now a normal user can go to the /etc directory (and possibly to every other directory), and any sensitive file that is readable by that user can be downloaded via FTP. To avoid this security problem you can lock FTP users in a jail.

Open the vsftpd configuration file, /etc/vsftpd/vsftpd.conf:

    # vi /etc/vsftpd/vsftpd.conf

Make sure the following line exists (and is uncommented):

    chroot_local_user=YES

Save and close the file. Restart vsftpd:

    # /etc/init.d/vsftpd restart

Now all VSFTPD/FTP users will be limited to accessing only files in their own home directory. They will not be able to see /, /etc, /root, /tmp or any other directory. This is an essential security feature.
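Because a commented-out `#chroot_local_user=YES` looks right at a glance but leaves users unjailed, here is an added shell check (not from the original page) that reports the effective setting from a vsftpd.conf. The two configs it inspects are constructed samples; it assumes the vsftpd.conf(5) format of one `option=value` per line with `#` comments, and that chroot_local_user defaults to NO when absent.

```shell
#!/bin/sh
# Added example, not from the original page: audit a vsftpd.conf for the
# chroot_local_user setting.  Assumptions from vsftpd.conf(5): one option=value
# per line, lines starting with '#' are comments, and chroot_local_user
# defaults to NO when it is never set.
WEAK="${TMPDIR:-/tmp}/vsftpd.weak.$$"
FIXED="${TMPDIR:-/tmp}/vsftpd.fixed.$$"
trap 'rm -f "$WEAK" "$FIXED"' EXIT

# constructed sample: the jail line is present but commented out
cat > "$WEAK" <<'EOF'
# vsftpd sample (constructed)
local_enable=YES
write_enable=YES
#chroot_local_user=YES
EOF

# constructed sample: the same file with the line from the text uncommented
cat > "$FIXED" <<'EOF'
# vsftpd sample (constructed)
local_enable=YES
write_enable=YES
chroot_local_user=YES
EOF

# effective_setting CONF OPTION -> prints the value of the last uncommented
# assignment of OPTION, or nothing when it is never set
effective_setting() {
    grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-
}

# users_are_jailed CONF -> exit 0 when local users are confined to $HOME
users_are_jailed() {
    [ "$(effective_setting "$1" chroot_local_user)" = "YES" ]
}

for f in "$WEAK" "$FIXED"; do
    if users_are_jailed "$f"; then
        echo "$f: local users confined to their home directory"
    else
        echo "$f: NOT jailed (chroot_local_user missing, commented out, or not YES)"
    fi
done
```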
    BAD PASSWORD: it is WAY too short
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.

Provide him with SMB credentials (these are different from the normal user/password credentials):

    [root@rhel samba]# smbpasswd -a jen
    New SMB password:
    Retype new SMB password:
    Added user jen.
    [root@rhel samba]#

Go to Start > Run > \\MachineIP and log in with the user/password. Successful! You can see the home directory share [homes] and jen's own home directory.

Testing Your Samba Share
------------------------

    [root@rhel samba]# testparm /etc/samba/smb.conf
    Load smb config files from /etc/samba/smb.conf
    Processing section "[homes]"
    Loaded services file OK.
    Server role: ROLE_STANDALONE
    Press enter to see a dump of your service definitions

    [global]
        workgroup = MIDEARTH

    [homes]
        read only = No
    [root@rhel samba]#

List Shares Available on the Server
-----------------------------------

    [root@rhel samba]# smbclient -L rhel -U jen
    Password:
    Domain=[rhel] OS=[Unix] Server=[Samba 3.0.25b-0.4E.6]

        Sharename       Type      Comment
        ---------       ----      -------
        homes           Disk
        IPC$            IPC       IPC Service (Samba 3.0.25b-0.4E.6)
        jen             Disk      Home directory of jen
    Domain=[rhel] OS=[Unix] Server=[Samba 3.0.25b-0.4E.6]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        MIDEARTH             BL07DL380G5

    tar tarmode translate unlock volume vuid wdel logon listconnect showconnect !
    smb: \>

Example: Let's get a file called text1 from the share into the /tmp directory. Here it goes:

    [root@rhel samba]# cd /home/jen/
    [root@rhel jen]# ls
    [root@rhel jen]# touch text      <<----- Let's create a file called text1
    [root@rhel jen]# vi text
    [root@rhel jen]# smbclient //localhost/jen -U jen
    Password:
    Domain=[rhel] OS=[Unix] Server=[Samba 3.0.25b-0.4E.6]
    smb: \> ls
      .                                   D        0  Mon Aug  3 17:16:20 2009
      ..                                  D        0  Mon Aug  3 17:02:24 2009
      .bash_logout                        H       24  Mon Aug  3 17:02:24 2009
      .kde                               DH        0  Mon Aug  3 17:02:24 2009
      .gtkrc                              H      120  Mon Aug  3 17:02:24 2009
      .bash_profile                       H      191  Mon Aug  3 17:02:24 2009
      text                                         6  Mon Aug  3 17:16:20 2009   <<--- Here is the file
      .bashrc                             H      124  Mon Aug  3 17:02:24 2009

                50521 blocks of size 262144. 27714 blocks available
    smb: \>

Remember, we are now in the /tmp directory:

    [root@rhel jen]# cd /tmp
    [root@rhel tmp]# smbclient //localhost/jen -U jen
    Password:
    Domain=[rhel] OS=[Unix] Server=[Samba 3.0.25b-0.4E.6]
    smb: \> ls
      .                                   D        0  Mon Aug  3 17:16:20 2009
      ..                                  D        0  Mon Aug  3 17:02:24 2009
      .bash_logout                        H       24  Mon Aug  3 17:02:24 2009
      .kde                               DH        0  Mon Aug  3 17:02:24 2009
      .gtkrc                              H      120  Mon Aug  3 17:02:24 2009
      .bash_profile                       H      191  Mon Aug  3 17:02:24 2009
      text                                         6  Mon Aug  3 17:16:20 2009
      .bashrc                             H      124  Mon Aug  3 17:02:24 2009

                50521 blocks of size 262144. 27714 blocks available
    smb: \> get text
    getting file \text of size 6 as text (60000.0 kb/s) (average inf kb/s)
    smb: \>

Now, when I browse the /tmp directory I can see:

    [root@rhel tmp]# ls
    mapping-root  text
    [root@rhel tmp]#

Setting up a Samba server which makes documents and a printer available only to the system's regular users and not to anyone outside.

WorkOut:

1. Share point ==> /export
2. All files owned by the user called Ajeet Raina

Let's create a user:

    [root@rhel tmp]# useradd -c "Ajeet Raina" -m -g users -p Oracle9ias ajeetr
    [root@rhel tmp]# mkdir /export
    [root@rhel tmp]# chmod u+rw,g+rw,o+rw /export
    [root@rhel tmp]# chown ajeetr.users /export
    [root@rhel tmp]#

Copy the files that should be shared to the /export directory.

..to be updated..
Then reboot with Ctrl-Alt-Del.

You should create user accounts other than root. Use the useradd command:

    useradd someone
    passwd someone
From this, we can see that /dev/sda2 is 58G and /dev/sda1 is 289M - a total of 58.3GB. Now we need to add in our swap size; "cat /proc/swaps" will tell us what size our swap partition is.

[ If you feel like using an actual system utility for this, "swapon -s" will do the same thing. -- Ben ]

    [root@station17 ~]# cat /proc/swaps
    Filename        Type        Size     Used  Priority
    /dev/sda3       partition   2048276  0     -1
    [root@station17 ~]#

Adding in the 2GB from this means that we have 19.7 GB to work with - well over what we need.

Now, let's move on to creating our partition: "fdisk /dev/sda" will open our drive's partition table for modification. Since we're already using 3 partitions on the drive, we'll have to make our 4th one an extended one - a container to house any additional partitions, including the one we are creating now. We'll want to accept the defaults on this extended partition, which will make the whole rest of the drive available for our new partitions. We'll be using an ext3 filesystem, so we also need to keep this in mind: the "mkfs" command reserves 5% of the blocks for root. Given all that, we'll make our new partition 11.5GB to compensate for the blocks reserved for root plus a little extra.

    [root@station17 ~]# fdisk /dev/sda

    The number of cylinders for this disk is set to 9726.
    There is nothing wrong with that, but this is larger than 1024,
    and could in certain setups cause problems with:
    1) software that runs at boot time (e.g., old versions of LILO)
    2) booting and partitioning software from other OSs
       (e.g., DOS FDISK, OS/2 FDISK)

    Command (m for help): n
    Command action
       e   extended
       p   primary partition (1-4)
    e
    Selected partition 4
    First cylinder (7943-9726, default 7943):
    Using default value 7943
    Last cylinder or +size or +sizeM or +sizeK (7943-9726, default 9726):
    Using default value 9726

Here you can see where I selected "n" for a new partition and "e" to make an extended partition. I then accepted the defaults for both the starting cylinder and again for the ending cylinder.
    Command (m for help): n
    First cylinder (7943-9726, default 7943):
    Using default value 7943
    Last cylinder or +size or +sizeM or +sizeK (7943-9726, default 9726): +11500M

Next, I hit "n" to create a new partition; then, when prompted for a starting cylinder, I hit 'enter' to accept the default. For the ending cylinder I entered "+11500M" to specify the size. The plus is important - without it, you will get an error. It's a good idea to hit "p" at this point to get "fdisk" to print the partition table. This will show what we have done before saving our changes.

    Command (m for help): p

    Disk /dev/sda: 80.0 GB, 80000000000 bytes
    255 heads, 63 sectors/track, 9726 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes

       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1   *           1          38      305203+  83  Linux
    /dev/sda2              39        7687    61440592+  83  Linux
    /dev/sda3            7688        7942     2048287+  82  Linux swap
    /dev/sda4            7943        9726    14329980    5  Extended
    /dev/sda5            7943        9341    11237436   83  Linux

If there are any mistakes, just quit "fdisk" with a "q" and no changes will be saved. This looks right - so let's write our changes with a "w".

    Command (m for help): w
    The partition table has been altered!

    Calling ioctl() to re-read partition table.

    WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
    The kernel still uses the old table.
    The new table will be used at the next reboot.
    Syncing disks.
    [root@station17 ~]#

This warning can be remedied by using the 'partprobe' command to force the kernel to reread the partition table. Remember - if this were a production machine, we wouldn't want to have to reboot it.

    [root@station17 ~]# partprobe

At this point our 11.5G partition is /dev/sda5 and raw - it has neither a file system nor a label descriptor - so let's format it and give it a label. Giving the partition a label can be done at the same time that the file system is being created with the -L option, but I prefer to do it in a separate step.

    [root@station17 ~]# mkfs.ext3 /dev/sda5
    mke2fs 1.35 (28-Feb-2004)
    Filesystem label=
    OS type: Linux
    Block size=4096 (log=2)
    Fragment size=4096 (log=2)
    1406272 inodes, 2809359 blocks
    140467 blocks (5.00%) reserved for the super user
    First data block=0
    Maximum filesystem blocks=2877292544
    86 block groups
    32768 blocks per group, 32768 fragments per group
    16352 inodes per group
    Superblock backups stored on blocks:
            32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208

    Writing inode tables: done
    Creating journal (8192 blocks): done
    Writing superblocks and filesystem accounting information: done

    This filesystem will be automatically checked every 34 mounts or
    180 days, whichever comes first.  Use tune2fs -c or -i to override.
    [root@station17 ~]#

Now we'll give it a label ("/data"):

    [root@station17 ~]# e2label /dev/sda5 /data
    [root@station17 ~]#

Next, we need to create a mount point in our filesystem and make sure that it's mounted at boot time. Let's create a directory on our system called /data.

[ The usual method of allocating new space is often much more complex than that - at least in the planning stages. In fact, creating a non-standard directory name in the root of the filesystem as suggested here is incorrect and violates the Filesystem Hierarchy Standard (FHS). As an example of a more typical situation, if an administrator finds that a shared machine's drive is running out of room, he may first examine the machine to see where the most activity/space consumption is occurring. Assuming that it's in the space assigned to users (i.e., "/home"), he would most likely back up the data in that subdirectory, restore it to the newly-created partition, delete "/home", and mount the new partition as "/home". This would recover all the space used by the original "/home" and leave it available for the rest of the system to use - and most users would not even realize that any change had been made. This approach doesn't require rebooting the machine either. -- Ben ]

[ I do understand that the partitioning is inconsistent with the FHS, but our RedHat course materials do instruct us to create directories in / for simplicity and ease in aiding backups. We are also led by instruction to do things such as specialized partitioning schemes for different things this way here at the RedHat academy. -- Joey ]

    [root@station17 ~]# mkdir /data
    [root@station17 ~]#

Now we put it in the file system table, '/etc/fstab', so it gets mounted on every boot.

    [root@station17 ~]# vi /etc/fstab

    # This file is edited by fstab-sync - see 'man fstab-sync' for details
    LABEL=/          /                  ext3    defaults                        1 1
    LABEL=/data      /data              ext3    defaults                        1 1
    LABEL=/boot      /boot              ext3    defaults                        1 2
    none             /dev/pts           devpts  gid=5,mode=620                  0 0
    none             /dev/shm           tmpfs   defaults                        0 0
    none             /proc              proc    defaults                        0 0
    none             /sys               sysfs   defaults                        0 0
    LABEL=SWAP-sda3  swap               swap    defaults                        0 0
    /dev/scd0        /media/cdrecorder  auto    pamconsole,exec,noauto,managed  0 0

I used the root partition as a guide in this sample. The label is in the first column, the mount point is in the second, then we have the file system type and the mount options. The last two numbers are the dump indicator and the fsck indicator; they determine when the system gets backed up if you're using 'dump', and when the system gets checked for errors. Basically, you can copy these numbers and options just as I have. Write your changes and exit the editor. Then, to make sure that there were no errors, run "mount -a" to mount all the partitions listed in /etc/fstab. Any errors would be reported at this point.

    [root@station17 ~]# mount -a

Since we didn't get any errors, let's do a "df -h" and see how everything looks.

    [root@station17 ~]# df -h
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/sda2              58G  6.6G   49G  12% /
    /dev/sda1             289M   17M  258M   6% /boot
    none                 1013M     0 1013M   0% /dev/shm
    /dev/sda5              11G   59M   10G   1% /data
    [root@station17 ~]#
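A typo in the six-column fstab layout described above is only discovered when "mount -a" fails, so here is an added shell lint (not from the original article) that checks each entry before that step. The fstab it reads is a constructed copy of the article's file, written to a temporary path so the check runs offline.

```shell
#!/bin/sh
# Added example, not from the original article: lint an fstab before "mount -a".
# The sample is the article's fstab with the new LABEL=/data line (constructed
# copy written to a temp file).
FSTAB="${TMPDIR:-/tmp}/fstab.sample.$$"
trap 'rm -f "$FSTAB"' EXIT
cat > "$FSTAB" <<'EOF'
# This file is edited by fstab-sync - see 'man fstab-sync' for details
LABEL=/          /                  ext3    defaults                        1 1
LABEL=/data      /data              ext3    defaults                        1 1
LABEL=/boot      /boot              ext3    defaults                        1 2
none             /dev/pts           devpts  gid=5,mode=620                  0 0
none             /dev/shm           tmpfs   defaults                        0 0
none             /proc              proc    defaults                        0 0
none             /sys               sysfs   defaults                        0 0
LABEL=SWAP-sda3  swap               swap    defaults                        0 0
/dev/scd0        /media/cdrecorder  auto    pamconsole,exec,noauto,managed  0 0
EOF

# fstab_problems FILE -> prints one line per defect, nothing when clean:
# wrong field count, a relative mount point (swap is the legitimate
# exception), non-numeric dump/pass fields, or a mount point listed twice.
fstab_problems() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        NF != 6 { printf "line %d: expected 6 fields, got %d\n", NR, NF; next }
        $2 != "swap" && $2 !~ /^\// { printf "line %d: mount point %s is not absolute\n", NR, $2 }
        $5 !~ /^[0-9]+$/ || $6 !~ /^[0-9]+$/ { printf "line %d: dump/pass must be numeric\n", NR }
        ($2 in seen) { printf "line %d: mount point %s already used on line %d\n", NR, $2, seen[$2] }
        { seen[$2] = NR }
    ' "$1"
}

# fstab_ok FILE -> exit 0 when fstab_problems reports nothing
fstab_ok() {
    [ -z "$(fstab_problems "$1")" ]
}

# mount_entry FILE MOUNTPOINT -> prints "device type options" for one mount point
mount_entry() {
    awk -v mp="$2" '!/^[[:space:]]*#/ && $2 == mp { print $1, $3, $4 }' "$1"
}

fstab_problems "$FSTAB"
echo "/data will be mounted from: $(mount_entry "$FSTAB" /data)"
```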
That's it - we are now ready to start using this new partition, keeping in mind we may have to modify permissions as needed for our users and groups. This is a very common task, one that all Linux users should become familiar with because you will almost certainly be faced with needing more room. This process is very similar to adding another disk - you would simply substitute your device labels as required.