The document provides instructions for setting up a Bacula backup system. It discusses installing Bacula and its components, configuring the director, storage daemon, and file daemon. It describes setting passwords, creating a backup pool and schedule, and configuring a client. Specific configuration files are edited to configure the director, storage daemon, file daemon, and set addresses, passwords and other settings. Commands are provided to start services, run backups and restores, and check configurations for errors. The goal is to have a working Bacula system that can back up and restore a client on a scheduled basis.
Network Map
Physical location:
a. ATC building/ServerLab
b. Pod #6
c. Server 6 and 8
Main Server:
a. Name- http://lab13
b. IP- 10.10.16.184 (STATIC)
c. MAC- 54:9f:35:25:58:d2
d. Hardware-
1. Dell PowerEdge R220
2. CPU E3-1240L v3 @ 2.00GHz
3. 500GB HDD
4. 32GB RAM
5. Serial Number- BYHDS52
e. Software-
1. ESXi 5.5.0 (VMkernel Release Build 1331820)
2. vSphere Client
3. vSphere Web Client (https://10.10.4.178.9443/vsphere-client/#)
f. Virtual Machines- (all IPs are static)
1. DNS
IP- 192.168.1.2
2. Squid/Suricata
IP- 192.168.1.11
3. Apache/Tripwire Server
IP- 192.168.1.12
4. Backup
IP- 192.168.1.13
5. FOG
IP- 192.168.1.14
Second Server
a. Name- Frieden1
b. IP- 10.10.16.240 (static)
c. MAC- 54:9F:35:25:50:5C
d. Hardware-
1. Dell PowerEdge R220
2. CPU E3-1240L v3 @ 2.00GHz
3. 1TB HDD
4. 32GB RAM
e. Software-
1. CentOS 6.4 set up as domain router
2. dhcpd for the DHCP service
3. Firewall is set up
Controlling Station
Lab13-PC
1. Software- Windows 7
2. IP- 10.10.1.240 (static)
3. Subnet Mask- 255.255.255.0
4. Default Gateway- 10.10.0.1
5. MAC- 19:03:73:BB:E0:6C
6. Primary DNS Suffix- CNS_Lab.local
DHCP
This was configured using this website:
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-dhcp.html
Follow these steps to configure DHCP; be sure to use your subnet 192.168.1.1 and your netmask of 255.255.255.0.
Chapter 1
How to disable SELinux
Before anything is done on any of the servers, you must disable SELinux. Log in to the command prompt as root and type in this command:
vim /etc/sysconfig/selinux
You will see this page
In the SELINUX=enabled line you will type SELINUX=disabled like you see above, then save and leave the file.
You can find the link I used to figure this out below:
https://www.centos.org/docs/5/html/5.1/Deployment_Guide/sec-sel-enable-disable.html
Chapter 2
Here we are creating and using Apache with MySQL/MariaDB. Be sure to have CentOS 7 installed on your VM.
The IP address for this project is 192.168.1.12
Installing MariaDB, which is another name for MySQL
Start off by entering these commands:
1. yum -y install mariadb-server mariadb
2. systemctl start mariadb.service
3. systemctl enable mariadb.service
4. mysql_secure_installation (with this one you will set a password, then as you go through the prompts answer the questions like this: "Y, Y, Y, Y"; you have now completed the install)
Installing Apache on your OS
First off, disable SELinux. Log in to the command prompt as root and follow the disable SELinux section in this packet.
Next use this command:
yum -y install httpd
This will install Apache to your OS.
Now we are going to start Apache and enable it as an OS service, so that it starts at boot, by entering these commands:
systemctl start httpd.service
systemctl enable httpd.service
The firewall now needs to be configured to allow external access to ports 80 and 443
Enter these commands in order:
1. firewall-cmd --permanent --zone=public --add-service=http
2. firewall-cmd --permanent --zone=public --add-service=https
3. firewall-cmd --reload
Now go to the browser and enter http://192.168.1.12; you will now see the Apache placeholder.
Now we are going to make a directory structure that will hold the site data.
Make a directory by entering this command:
mkdir -p /var/www/example.com/public_html
In place of example.com you can enter your own domain name.
Now we will grant permissions to these files by entering this command:
chmod -R 755 /var/www
Next we are going to create a Demo Page for the Virtual Host
Use this command to open the file editor and edit our web page:
vim /var/www/example.com/public_html/index.html
Here is an example of a small website with very little data input:
Once you have completed your web page, save and exit the file.
Now we are going to create a New Virtual Host File
This set of commands will tell Apache that the virtual host is ready to be visited by users:
mkdir /etc/httpd/sites-available
mkdir /etc/httpd/sites-enabled
The next step will tell Apache to look for the virtual hosts in the sites-enabled directory. This will be done by opening the main configuration file with the next command:
vim /etc/httpd/conf/httpd.conf
and then we will add this to the end of the file:
IncludeOptional sites-enabled/*.conf
Then save the file and close it.
We next will create the first Virtual Hosts File
First open a new file with the following command:
vim /etc/httpd/sites-available/example.com.conf
You first need to create a pair of tags designating the content as a virtual host that is listening on port 80:
<VirtualHost *:80>
</VirtualHost>
Next you declare the main server name:
<VirtualHost *:80>
ServerName www.example.com
ServerAlias example.com
</VirtualHost>
Now we finish this file by pointing to the root directory of the accessible web documents, and tell Apache where to store error and request logs for this particular site:
<VirtualHost *:80>
ServerName www.example.com
ServerAlias example.com
DocumentRoot /var/www/example.com/public_html
ErrorLog /var/www/example.com/error.log
CustomLog /var/www/example.com/requests.log combined
</VirtualHost>
Now you will Enable the New Virtual Host Files
First create a symbolic link for each virtual host in the sites-enabled directory by entering this command:
ln -s /etc/httpd/sites-available/example.com.conf /etc/httpd/sites-enabled/example.com.conf
Once that is finished, restart Apache for the changes to take effect by entering this command:
apachectl restart
Time for the last step, setting up the Local Hosts File
This is an optional step but one I think you should take.
You are basically just testing your website. Enter the command:
vim /etc/hosts
You need to add the public IP address of your VPS, then the domain that you want to use to reach the VPS:
127.0.0.1 localhost
127.0.1.1 guest-desktop
server_ip_address example.com
Now for the actual test. Go to your browser and enter your web address:
http://example.com
Now you should be all set up.
My Apache set up:
Config files:
The web file I have on my system is: /var/www/html/index.html
My website: http://192.168.1.12
Chapter 3
Installing and Implementing Bacula
First you need to decide on the install procedure you're going to use. I used (How To Install Bacula Server on CentOS 7 | DigitalOcean).
Once you get through the first part of installing MySQL you will come upon this option:
I chose #1, as you can see it highlighted in the screenshot.
Next you will go to the /etc/bacula/bacula-dir.conf file, then find and make the following changes as shown below in the order they are numbered:
[Screenshots of changes 1 through 5]
6. This one you need to change the area in red to the same password as your MySQL password
Then finally, as seen below, you need to add the red text that you see in the window below.
[Screenshot of change 7]
Once you have completed the objective above, save and close the file. To verify there are no syntax errors run the command below:
bacula-dir -tc /etc/bacula/bacula-dir.conf
If you get no return then the syntax is correct.
Now it is time to Configure the Storage Resource
Open the /etc/bacula/bacula-sd.conf file. The first change we make is the SDAddress; enter the FQDN or the private IP address of the backup server as seen below, indicated in red:
Now configure the storage device by adding /bacula/backup as seen below:
Now save and exit the file.
Run this command to check for syntax errors:
bacula-sd -tc /etc/bacula/bacula-sd.conf
As long as you get no returns you are good to go.
Time to Set the Bacula Component Passwords
These are passwords that the system will use and that you don't have to remember. All you do is run the following commands in order to set the Director password:
DIR_PASSWORD=`date +%s | sha256sum | base64 | head -c 33`
sed -i "s/@@DIR_PASSWORD@@/${DIR_PASSWORD}/" /etc/bacula/bacula-dir.conf
sed -i "s/@@DIR_PASSWORD@@/${DIR_PASSWORD}/" /etc/bacula/bconsole.conf
Next enter these commands to set the Storage Daemon password:
SD_PASSWORD=`date +%s | sha256sum | base64 | head -c 33`
sed -i "s/@@SD_PASSWORD@@/${SD_PASSWORD}/" /etc/bacula/bacula-sd.conf
sed -i "s/@@SD_PASSWORD@@/${SD_PASSWORD}/" /etc/bacula/bacula-dir.conf
The next commands will generate and set the local File Daemon password:
FD_PASSWORD=`date +%s | sha256sum | base64 | head -c 33`
sed -i "s/@@FD_PASSWORD@@/${FD_PASSWORD}/" /etc/bacula/bacula-dir.conf
sed -i "s/@@FD_PASSWORD@@/${FD_PASSWORD}/" /etc/bacula/bacula-fd.conf
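Each generator above hashes the output of date +%s, so the password is a function of the clock second alone: the three values are identical when the commands run within the same second, and any of them can be recomputed from the install time. The following is an added example, not part of the original guide or of Bacula: it performs the same placeholder substitution with passwords drawn from /dev/urandom and includes a check for whether an existing password is clock-derived. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed for illustration.

# The guide's generator, with the clock value passed in as $1 (epoch seconds).
clock_password() {
    printf '%s\n' "$1" | sha256sum | base64 | head -c 33
}

# Replacement generator: 33 alphanumeric characters from the kernel CSPRNG.
# Alphanumerics only, so the value is safe inside the sed s/// expression.
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 33
}

# Audit helper: succeeds if password $1 is what the guide's command produces
# for any second in the window [$2, $3] (for example, the day of the install).
is_clock_derived() (
    t=$2
    while [ "$t" -le "$3" ]; do
        [ "$(clock_password "$t")" = "$1" ] && exit 0
        t=$((t + 1))
    done
    exit 1
)

# Fill one @@NAME@@ placeholder with a single fresh password in every file
# that must share it (Director and console, Director and Storage Daemon, ...).
set_component_password() (
    name=$1
    shift
    pw=$(random_password)
    for f in "$@"; do
        sed -i "s/@@${name}@@/${pw}/" "$f"
    done
)

# Constructed stand-ins for the files under /etc/bacula; prints the directory.
make_sample_configs() {
    d=$(mktemp -d)
    printf 'Password = "@@DIR_PASSWORD@@"\nPassword = "@@SD_PASSWORD@@"\n' > "$d/bacula-dir.conf"
    printf 'Password = "@@DIR_PASSWORD@@"\n' > "$d/bconsole.conf"
    printf 'Password = "@@SD_PASSWORD@@"\n' > "$d/bacula-sd.conf"
    set_component_password DIR_PASSWORD "$d/bacula-dir.conf" "$d/bconsole.conf"
    set_component_password SD_PASSWORD "$d/bacula-sd.conf" "$d/bacula-dir.conf"
    printf '%s\n' "$d"
}

# Two "different" passwords generated in the same second are the same string.
now=$(date +%s)
[ "$(clock_password "$now")" = "$(clock_password "$now")" ] && echo "clock-derived passwords collide"
```

On a real system, call set_component_password with the paths under /etc/bacula in place of the sample files.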
Let's fire this up
Start all three services with the following commands:
systemctl start bacula-dir
systemctl start bacula-sd
systemctl start bacula-fd
If they all started fine then we are ready for the next step. Enter the next set of commands:
systemctl enable bacula-dir
systemctl enable bacula-sd
systemctl enable bacula-fd
Now we test it. Enter bconsole into the command line and hit enter. Now issue the first command, * label.
You will be prompted to enter a name for the volume; I used NewVolume. Now enter the File Pool you want. I entered #2. The service should now run a backup.
We are now going to run a manual backup job. While still in the bconsole enter * run. Next enter 1 at the prompt to run the "BackupLocalFiles" job. The system will ask you if you want to "Run Backup Job"; type yes.
You can now type in * messages. This will give you a message on what is going to happen in the backup procedure. Now enter * status director; this will show you the status of the Director. As long as everything is working properly you should see that the job is running.
When the job completes you will see an output like the one below:
Running a Restore Job
While in the bconsole enter the * restore all command.
You will see a selection menu with different options, which are used to identify the backups on file. You choose the option you want; say you want the most recent backup, which is 5 in this case.
The next prompt will ask you what file set you want to use. You should choose 2.
You will see a virtual file tree with the entire directory structure that you backed up. This interface allows you to use simple commands to mark and unmark files for restoration. The marked files will be denoted with a leading asterisk (*).
You can fine-tune your selection by navigating and listing files with the "ls" and "cd" commands. Also you can mark files for restoration with "mark", and unmark files with "unmark".
When you are finished with your selections you will proceed by typing in the "done" command, and when prompted type yes and hit return. You can check the restore process with the status director command once again to confirm it is working and then just type exit to exit the bconsole.
After you have verified the restored files under /bacula/restore, you can delete them with the following command:
sudo -u root bash -c "rm -rf /bacula/restore/*"
How to create a backup schedule
On our Bacula server you need to perform this command as root; it creates a directory to help organize the Bacula files:
mkdir /etc/bacula/conf.d
Now open the Director configuration file:
vi /etc/bacula/bacula-dir.conf
Scroll to the bottom of the file and enter this line:
@|"find /etc/bacula/conf.d -name '*.conf' -type f -exec echo @{} \;"
Save and exit the file. That line makes the Director look in the /etc/bacula/conf.d directory for more configuration files.
We are now going to add a remote file pool, so open the /etc/bacula/conf.d/pools.conf file. Add the following pool resource:
Pool {
Name = RemoteFile
Pool Type = Backup
Label Format = Remote-
Recycle = yes # Bacula can automatically recycle Volumes
AutoPrune = yes # Prune expired volumes
Volume Retention = 365 days # one year
Maximum Volume Bytes = 50G # Limit Volume size
Maximum Volumes = 100 # Limit number of Volumes in Pool
}
Save and exit the file, now run the following command to make sure there are no syntax errors:
bacula-dir -tc /etc/bacula/bacula-dir.conf
If there are no errors you will get no return on the command.
Let us set up and Configure the Client
To begin, go to your command prompt and log in as root. Now type the command "yum install bacula-client".
Now before going any farther keep this information handy.
Client hostname: the hostname I used was the "masterdns" server.
Client Private FQDN: in this case it's "masterdns.frieden1.local"
Bacula Server hostname: this will be "back"
You can use the following command to generate the password for the Bacula Director to connect in the File Daemon configuration: date +%s | sha256sum | base64 | head -c 33 ; echo
You can also set it yourself if you wish; this is what I did for this system. The password is: 2004Chevy.
Open the next file; this file is the File Daemon configuration:
vi /etc/bacula/bacula-fd.conf
There are a few things that need to be changed in this file. Let's begin with finding the Director resource; it should look like this:
As you can see, the changes that need to be made are in red. Change the name to what you see in the picture above. Next replace the password with the one you either generated earlier or the one you made up; in my case it's 2004Chevy. Make sure to continue to keep the password handy since we will need this again later.
Find the FileDaemon section that looks like this:
Change the name to "masterdns", which is the client hostname, then enter the FDAddress. In this case it's "masterdns.frieden1.local". Now find the "Messages" section like you see below, then change the director to, in my case, "back":
Save and exit the file and now check it with the following command:
bacula-fd -tc /etc/bacula/bacula-fd.conf
If nothing returns then the syntax is correct.
Now that we are finished with that we need to restart the File Daemon and make sure it starts at boot; we do that by issuing these commands:
systemctl restart bacula-fd
systemctl enable bacula-fd
Now set up the directory that Bacula can restore to. Use the following commands:
mkdir -p /bacula/restore
chown -R bacula:bacula /bacula
chmod -R 700 /bacula
Our client machine is set up and configured correctly.
Chapter 4
Here you will install and set up the DNS Server.
This is the current setup on my DNS and this is how I did it. To start I used this IP, 192.168.1.2; this is for the DNS and my Samba server.
This was installed on CentOS 7, with all current updates.
Log in to the system and then open a command window, then log in as root.
Be sure that SELinux is disabled.
Installing bind which is a DNS package
First off install the service with the following command:
yum install bind bind-utils -y
Once that is finished installing you will configure the server. In the command prompt type in this command:
vi /etc/named.conf
Then add the following lines to the file (it's easier to copy and paste the info into the file):
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
    listen-on port 53 { 127.0.0.1; 192.168.1.101;}; ### Master DNS IP ###
#    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; 192.168.1.0/24;}; ### IP Range ###
    allow-transfer{ localhost; 192.168.1.102; }; ### Slave DNS IP ###
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "frieden1.local" IN {
    type master;
    file "forward.frieden1";
    allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "reverse.frieden1";
    allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
The pictures below show you how it should look:
Now you create Zone files
The forward and reverse zone files that were mentioned earlier in the "/etc/named.conf" file will be created here. Enter the following command to create the 'forward.frieden1' file in the "/var/named" directory:
vi /var/named/forward.frieden1
Now add the following lines that you see in the picture below to the file:
After the lines are added, save and close the file.
Time to create the Reverse Zone file. Create the 'reverse.frieden1' file in the "/var/named" directory:
vi /var/named/reverse.frieden1
Now add the following lines:
Once finished save and exit the file.
Time to start the DNS service. In the command prompt enter the following commands in order:
systemctl enable named
systemctl start named
The DNS service should now be running.
Configuration of the Firewall
In order for the DNS server to work it needs to be able to get through the firewall. We do this by configuring the firewall to allow port 53 through. Use the following commands in order:
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
Now restart the firewall with the next command:
firewall-cmd --reload
Time to configure the Permissions and Ownership
First check the DNS default config file by using this command:
named-checkconf /etc/named.conf
As long as it returns nothing, the configuration is valid.
Now check the forward and reverse zones by entering these commands:
Forward zone: named-checkzone frieden1.local /var/named/forward.frieden1
The output should look similar to this:
zone frieden1.local/IN: loaded serial 2011071001
OK
Reverse zone: named-checkzone frieden1.local /var/named/reverse.frieden1
Again you should have a similar output as below:
zone unixmen.local/IN: loaded serial 2011071001
OK
The DNS server details need to be added to the network interface config file. Open that file in an editor (on my system it is /etc/sysconfig/network-scripts/ifcfg-ens192, as listed at the end of this chapter) and be sure that it looks like this:
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="enp0s3"
UUID="5d0428b3-6af2-4f6b-9fe3-4250cd839efa"
ONBOOT="yes"
HWADDR="08:00:27:19:68:73"
IPADDR0="192.168.1.101"
PREFIX0="24"
GATEWAY0="192.168.1.1"
DNS="192.168.1.2"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
Now save and close this file.
Now open this file and edit it:
vi /etc/resolv.conf
Add the DNS server IP address:
nameserver 192.168.1.2
Then save and close the file.
Restart the network with the next command:
systemctl restart network
Now we test the DNS server by using this command:
dig masterdns.frieden1.local
You should get an output that lists all the information of the DNS files.
You can also use 'nslookup frieden1.local' and that will give you another output that lists the server IP and address with port number 53.
With that the DNS is now installed and configured.
These are the configuration files for my DNS service
DNS files to configure:
/etc/named/zones/forward.friedden1
/etc/named/zones/reverse.frieden1
/etc/sysconfig/network-scripts/ifcfg-ens192
/etc/named.conf
IP address is 192.168.1.2
Chapter 5
How to install and Deploy a FOG server
You first need to find a reliable download site to help you in the installation of the FOG server. I used https://wiki.fogproject.org/wiki/index.php?title=Installation_on_CentOS_6.4 to do my installation.
Follow the instructions on how to install FOG.
When you get to this point below, take the highlighted address in the picture below and open a new browser on a different machine using the login information seen in the picture below.
Initial FOG installation on a CentOS 6.4 platform
The NEW Username is (fog) and the passwd is (password)
After FOG is loaded you next need to load an image from the FOG boot menu on your PC that you want imaged.
1. Open a browser and navigate to http://192.168.1.14/fog.
2. Log in to the server (username is fog and password is password).
3. Navigate to the images section, which is the icon in the top row that looks like a picture.
4. On the left-hand menu select Create New Image.
5. Enter a meaningful Image Name (no special characters)
6. Enter a description if you wish.
7. Under storage group, select default
8. From the dropdown menu select the appropriate operating system for the image
9. If the image file is not as you would like it, change it now (no spaces or special characters)
10. If you are imaging a single partition Windows machine, select Single Partition
11. Click Add
Create the task
1. Still in the host object, click on the Basic Tasks option on the left-hand menu.
2. Select Capture
3. Click Capture Image
4. Reboot the client and it should pull an image from that computer.
You should get an image like so:
Once the image is uploaded you will now have an image template that you can deploy on new machines.
Deploying an Image
Log in to your FOG account in a browser
For now let the GUI of FOG sit. You need a clean machine, no OS installed. Start the machine and let it go through its boot process. When it goes to the screen below, highlight Quick Host Registration and Inventory and hit enter. This will enter the information of the bare machine into the FOG server.
Now go back to the browser with FOG pulled up, tap the Host tab and then on the left navigation pane tap the List All Hosts tab. You will see a window like this one below. You will find the bare machine that you loaded into FOG just a few minutes ago.
Now click the host computer you want to image by tapping the edit tab on the right side of the host column. The next screen is of the picture below.
Select the host image and the host OS, then select the Basic Tasks tab on the left side of the page. This is the next page you will see:
Select the Deploy tab; you should get a confirmation that the Task has Started. Now we go back to the bare machine and reboot it. You will again come up to the FOG selection page.
Now highlight the Quick Image line and hit enter. Your machine should now begin loading the image from the FOG server.
That's it; once the image is loaded you can work away on your new system.
Chapter 6
Here we are going to install and configure Samba
You will need a fresh updated CentOS 7 system to begin with. You will also need a fresh Windows 7 install on a separate machine or VM.
In this instance we are using an IP of 192.168.1.2, which is also the same system as our DNS. This will be the Samba server. Be sure that SELinux is disabled.
The Windows 7 client will use the DHCP IP assigned to it.
Installing Samba
Log in to your CentOS system, open a command window and log in as root. Next type in this command:
yum install samba* -y
Configuring an anonymous share
First create a directory by running these commands:
mkdir -p /samba/anonymous_share
chmod -R 0777 /samba/anonymous_share
Now edit the conf file:
vi /etc/samba/smb.conf
Make the changes as needed:
## Add the following lines under [global] section ##
unix charset = UTF-8
dos charset = CP932
## Change the windows default workgroup ##
workgroup = WORKGROUP
## Uncomment and set the IP Range ##
hosts allow = 192.168.1.0/24
## Uncomment ##
max protocol = SMB2
## Uncomment, and change the value of 'Security' to 'user' ##
security = user
## Add the following line ##
map to guest = Bad User
## Add the following lines at the bottom ##
[Anonymous share]
path = /samba/anonymous_share
writable = yes
browsable = yes
guest ok = yes
guest only = yes
create mode = 0777
directory mode = 0777
Now save and exit the conf file.
Now it is time to start the Samba service and enable it on reboot:
systemctl start smb
systemctl start nmb
systemctl enable smb
systemctl enable nmb
Test the system by running this command:
testparm
As long as there are no errors you are good to go.
You now need to configure the firewall so that it will allow the Samba default ports through the firewall.
Enter the following commands in order (137 and 138 are the NetBIOS name and datagram services, which use UDP):
firewall-cmd --permanent --add-port=137/udp
firewall-cmd --permanent --add-port=138/udp
firewall-cmd --permanent --add-port=139/tcp
firewall-cmd --permanent --add-port=445/tcp
firewall-cmd --permanent --add-port=901/tcp
Now restart the firewall with the following command:
firewall-cmd --reload
Accessing the Shared folder
Log in to your Windows client. In the start menu click on the RUN feature. When RUN opens type in the Samba server IP like so: 192.168.1.2; you should now be able to access the Samba share.
To see what shared files there are you can run this command on the Samba server:
ls -l /samba/anonymous_share/
Creating secured share on Samba Server
This is where you will create your secured folders, either for a single user or for a certain group of users. First off you're going to create a user named com1, for instance, and a group called security; you do that by using these commands:
useradd -s /sbin/nologin com1
groupadd security
Next assign your user to the security group and set the passwd:
usermod -a -G security com1
smbpasswd -a com1
Now create a new share, we will call this one "sshare", then set the permissions on that share:
mkdir /samba/sshare
chmod -R 0755 /samba/sshare
chown -R com1:security /samba/sshare
Time to edit the Samba configuration file again:
vi /etc/samba/smb.conf
Add the following lines to the bottom of the configuration file:
[sshare]
path = /samba/sshare
writable = yes
browsable = yes
guest ok = no
valid users = @security
Save and exit the configuration file. Now run a quick test to make sure everything is working properly:
testparm
Time to go to the Windows client "com1" and check for the "sshare" folder; double click the sshare folder. You will be prompted to enter a username and passwd; enter "com1" for the user and then the passwd that you set for com1.
You have now installed and configured Samba.
My current set up is as follows:
The share name is: /etc/samba/linux-share with R0777 properties
To access the shared folders go to RUN and enter centos
Group name is: linuxp User: com1 Passwd: HJAMyers User: com2 Passwd: HJAMyers
Path = /samba/secure_share
Valid users = @linuxp
Chapter 7
How to install and Use Squid
Squid is a proxy service that lets you block websites from being accessed by company computers. It is literally a way to censor the internet on a local platform.
Let us first start by installing Squid: log in to the command prompt as root, then issue this command:
yum install squid
Now configure Squid by going into the configuration file:
vi /etc/squid/squid.conf
The next picture is an example of a configuration file:
You can add sites to be banned from viewing on your network by adding them in the configuration file.
We now will open a port in the firewall so that Squid can get through without issue. In the command prompt issue this command to open port 3128:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
Now it is time to restart the Squid service by issuing this next command:
service squid restart
Make sure the Squid service is going to start every time you start the server by issuing this command:
chkconfig squid on
To see the users' activity you can issue this command:
tail -f /var/log/squid/access.log
Now go to a client PC and log on. Go to the browser and under tools look for settings or internet options like so:
Then open the proxy settings like that in the red box above.
Once in the settings turn on proxy settings and enter the IP address of the Squid server and the port number that we opened in the firewall earlier, which is port 3128 as seen in the next picture below:
Backup config is /etc/squid/squid.conf.org.back
The config file is /etc/squid/squid.conf
This routes all internet traffic through the Squid server, and it is now restricted by whatever settings you have in the squid.conf file.
Chapter 8
Once you have Suricata installed run the sudo vi /etc/suricata/suricata.yaml cmd. This is where you will set Suricata up to run.
1st go to HOME_NET and change the IP address to your domain address.
2nd scroll down to default-rule-path and make note of the path for later use: /usr/local/etc/suricata/rules
3rd scroll down to default-log-dir and change that to: /var/log/suricata/
4th as you scroll through make sure you change all areas dealing with your NIC and change the names
5th scroll to host-os-policy: and insert your client IPs in the corresponding OS lines
6th scroll to threading: and make sure set-cpu-affinity: is no, then set detect-thread-ratio: to 1.5
Then exit the config file. Next input sudo /usr/local/bin/suricata --list-runmodes; this gives you all the run modes that you can run with Suricata.
Now to start Suricata go to the command line and enter:
/usr/local/bin/suricata -c /etc/suricata/suricata.yaml -i ens192 --init-errors-fatal
This will start the engine. Your screen should look like this:
Once the engine has been running for a while you can hit Ctrl-C to stop the engine; when stopped the screen should look similar to below.
How long you let it run will determine the amount of packets that were sent out.
To check the log files enter the following command: tail -f /var/log/suricata/eve.json; you should get a screen that looks like this:
For more information on how to use the many services of Suricata go to
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Quick_Start_Guide
Chapter 9
Installing and configuring Tripwire
Before installing Tripwire, first have a CentOS 7 system with updates completed and have SELinux disabled.
Open a command prompt and log in as root. Now open a browser window and go to tripwire.org and download the latest version. The download will be a tar archive, so you will have to un-tar it and install it with the following commands:
tar xvzf tripwire-2.3-47.i386.tar.gz
rpm -ivh tripwire-2.3-47.i386.rpm
Next issue this command to execute the installation shell script:
/etc/tripwire/twinstall.sh
Tripwire configuration
The default policies are in /etc/tripwire/twpol.txt; install them with this command:
/usr/sbin/twadmin -m P /etc/tripwire/twpol.txt
Now generate the initial database using this command:
/usr/sbin/tripwire -m i
This next command will prevent a large number of false alarms. The false alarms occur any time there is a discrepancy between the default policy and the local system's current configuration. To collect a list of these alarms enter this command:
/usr/sbin/tripwire -m c | grep Filename >> twtest.txt
Next, edit the following policy file, commenting out or deleting the filenames listed in twtest.txt:
/etc/tripwire/twpol.txt
Finalizing the Configuration
Whenever the file is edited, the policy needs to be reinstalled and the
database recreated. We do this by using the following commands:
/usr/sbin/twadmin -m P /etc/tripwire/twpol.txt
/usr/sbin/tripwire -m i
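The pruning step above (commenting out in twpol.txt the filenames collected in twtest.txt, before the policy is reinstalled) can be scripted so that a rule is dropped only when its file is really absent. This is an added example, not part of the original guide or of Tripwire; the function name, the optional root-prefix argument and the sample lines are constructed. It assumes report lines of the form "### Filename: /path" and one "path -> rule ;" entry per policy line.

```shell
#!/bin/sh
# Added example; names and sample data are constructed for illustration.

# $1 = twtest.txt, $2 = twpol.txt, $3 = optional prefix prepended to each path
# for the existence check (lets the function be tried against a scratch tree).
# Prints the number of policy lines it commented out.
prune_missing_from_policy() (
    report=$1; policy=$2; root=${3:-}
    gone=$(mktemp); new=$(mktemp); count=$(mktemp)
    # Keep only reported paths that are absent right now; a path that exists
    # stays in the policy so that it is still monitored.
    sed -n 's/^.*Filename:[[:space:]]*//p' "$report" | sort -u |
    while IFS= read -r p; do
        [ -e "$root$p" ] || printf '%s\n' "$p"
    done > "$gone"
    awk -v list="$gone" -v cnt="$count" '
        BEGIN { while ((getline p < list) > 0) missing[p] = 1 }
        $0 !~ /^[ \t]*#/ {
            path = $0
            sub(/^[ \t]+/, "", path)         # leading indentation
            sub(/[ \t]*->.*$/, "", path)     # rule part after the object name
            if (path in missing) { print "#" $0; n++; next }
        }
        { print }
        END { print n + 0 > cnt }
    ' "$policy" > "$new"
    cat "$new" > "$policy"                   # rewrite in place, keeping owner and mode
    cat "$count"
    rm -f "$gone" "$new" "$count"
)

# Constructed sample run in a scratch directory.
demo_prune() {
    d=$(mktemp -d)
    mkdir -p "$d/root/bin"
    : > "$d/root/bin/present"
    printf '### Filename: /bin/absent\n### Filename: /bin/present\n' > "$d/twtest.txt"
    printf '  /bin/absent -> $(SEC_BIN) ;\n  /bin/present -> $(SEC_BIN) ;\n' > "$d/twpol.txt"
    prune_missing_from_policy "$d/twtest.txt" "$d/twpol.txt" "$d/root"
    cat "$d/twpol.txt"
    rm -rf "$d"
}

demo_prune
```

On the real system the third argument is omitted, and the policy is then reinstalled and the database recreated with the two commands above.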
We are now ready to delete the clear text versions of the Tripwire policy and config files.
We will accomplish this by using the following command:
rm /etc/tripwire/twcfg.txt /etc/tripwire/twpol.txt
If for some reason you need to restore the clear version again, you can do so by using this command:
/usr/sbin/twadmin -m p > /etc/tripwire/twpol.txt
How to schedule a nightly analysis
First create a shell script; the file will be "runtw.sh" in the /usr/local/bin directory.
The contents are as follows:
#!/bin/sh
/usr/sbin/tripwire -m c | mail -s "Tripwire Report from apache" root@localhost
Now schedule the script to run nightly at 1:01am by adding this line:
1 1 * * * /usr/local/bin/runtw.sh
to the root crontab by using this command:
crontab -e
The Tripwire system will now generate a report every night at 1:01am and send it to the system admin on the status of the systems.