Network Built by
Jason Myers
FRIEDEN1.LOCAL
Linux Network Project
Glossary
Network Map
Machine Configuration
DHCP
Chapters
Ch. 1 SeLinux
Ch. 2 Apache
Ch. 3 Bacula
Ch. 4 DNS
Ch. 5 FOG
Ch. 6 Samba
Ch. 7 Squid
Ch. 8 Suricata
Ch. 9 Tripwire
Sources
Network Map
Physical location:
a. ATC building/Server Lab
b. Pod #6
c. Server 6 and 8
Main Server:
a. Name- http://lab13
b. IP- 10.10.16.184 (STATIC)
c. MAC- 54:9f:35:25:58:d2
d. Hardware-
1. Dell PowerEdge R220
2. CPU E3-1240L v3 @ 2.00GHz
3. 500GB HDD
4. 32GB RAM
5. Serial Number-BYHDS52
e. Software-
1. ESXi 5.5.0 (VMkernel Release Build 1331820)
2. vSphere Client
3. vSphere Web Client (https://10.10.4.178.9443/vsphere-client/#)
f. Virtual Machines- (all IPs are static)
1. DNS
IP- 192.168.1.2
2. Squid/Suricata
IP- 192.168.1.11
3. Apache/Tripwire Server
IP- 192.168.1.12
4. Backup
IP- 192.168.1.13
5. FOG
IP- 192.168.1.14
Second Server
a. Name- Frieden1
b. IP- 10.10.16.240 (static)
c. MAC- 54:9F:35:25:50:5C
d. Hardware-
1. Dell PowerEdge R220
2. CPU E3-1240L v3 @ 2.00GHz
3. 1TB HDD
4. 32GB RAM
e. Software-
1. CentOS 6.4 set up as domain router
2. dhcpd for the DHCP service
3. Firewall is set up
Controlling Station
Lab13-PC
1. Software- Windows 7
2. IP- 10.10.1.240 (static)
3. Subnet Mask- 255.255.255.0
4. Default Gateway- 10.10.0.1
5. MAC- 19:03:73:BB:E0:6C
6. Primary DNS Suffix- CNS_Lab.local
DHCP
This was configured using this website-
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-dhcp.html
Follow the steps there to configure DHCP, and be sure to use your subnet 192.168.1.1 and your
netmask of 255.255.255.0.
Machine Configuration
Chapter 1
How to disable SeLinux
Before anything is done on any of the servers, you must disable SeLinux. Log in to the command
prompt as root and type in this command:
vim /etc/sysconfig/selinux
You will see this page
In the SELINUX=enabled line you will type SELINUX=disabled like you see above, then save and leave the file.
You can find the link I used to figure this out below:
https://www.centos.org/docs/5/html/5.1/Deployment_Guide/sec-sel-enable-disable.html
Chapter 2
Here we are creating and using Apache and MySQL/MariaDB. Be sure
to have CentOS 7 installed on your VM.
The IP address for this project is 192.168.1.12
Installing MariaDB, which is another name for MySQL
Start off by entering these commands:
1. yum -y install mariadb-server mariadb
2. systemctl start mariadb.service
3. systemctl enable mariadb.service
4. mysql_secure_installation (with this one you will set a password, then as you go through
the prompts answer the questions like this: “Y, Y, Y, Y”; you have now completed the install)
Installing Apache on your OS
First off, disable SeLinux. Log in to the command prompt as root and follow the disable SeLinux section
in this packet.
Next use this command:
yum -y install httpd
This will install Apache on your OS.
Now we are going to start Apache and enable it as an OS service so that it starts at boot, by
entering these commands:
systemctl start httpd.service
systemctl enable httpd.service
The firewall now needs to be configured to allow external access to ports 80 and
443
Enter these commands in order:
1. firewall-cmd --permanent --zone=public --add-service=http
2. firewall-cmd --permanent --zone=public --add-service=https
3. firewall-cmd --reload
Now go to the browser and enter http://192.168.1.12; you will now see the Apache placeholder.
Now we are going to make a directory structure that will hold the site data.
Make a directory by entering this command:
mkdir -p /var/www/example.com/public_html
In place of example.com you can enter your own domain name.
Now we will grant permissions to these files by entering this command:
chmod -R 755 /var/www
Next we are going to create a Demo Page for the Virtual Host
Use this command to open the file editor and edit our web page:
vim /var/www/example.com/public_html/index.html
Here is an example of a small website with very little data input:
Once you have completed your web page, save and exit the file.
Now we are going to create a New Virtual Host File
This set of commands will tell Apache that the virtual host is ready to be visited by users:
mkdir /etc/httpd/sites-available
mkdir /etc/httpd/sites-enabled
The next command will tell Apache to look for the virtual hosts in the sites-enabled directory.
This will be done by entering the next command:
vim /etc/httpd/conf/httpd.conf
and then we will add this to the end of the file:
IncludeOptional sites-enabled/*.conf
Then save the file and close it.
We next will create the first Virtual Hosts File
First open a new file with the following command:
vim /etc/httpd/sites-available/example.com.conf
You first need to create a pair of tags designating the content as a virtual host that is listening
on port 80:
<VirtualHost *:80>
</VirtualHost>
Next you declare the main server name:
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
</VirtualHost>
Now we finish this file by pointing to the root directory of the accessible web documents, and
tell Apache where to store error and request logs for this particular site:
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/example.com/public_html
    ErrorLog /var/www/example.com/error.log
    CustomLog /var/www/example.com/requests.log combined
</VirtualHost>
Now you will Enable the New Virtual Host Files
First create a symbolic link for each virtual host in the sites-enabled directory by entering this
command:
ln -s /etc/httpd/sites-available/example.com.conf /etc/httpd/sites-enabled/example.com.conf
Once that is finished, restart Apache for the changes to take effect by entering this command:
apachectl restart
Time for the last step, setting up the Local Hosts File
This is an optional step but one I think you should take.
You are basically just testing your website; enter the command:
vim /etc/hosts
You need to add the public IP address of your VPS, then the domain that you want to use to
reach the VPS:
127.0.0.1 localhost
127.0.1.1 guest-desktop
server_ip_address example.com
Now for the actual test. Go to your browser and enter your web address:
http://example.com
Now you should be all set up.
My Apache set up:
Config files:
The web file I have on my system is: /var/www/html/index.html
My website: http://192.168.1.12
Chapter 3
Installing and Implementing Bacula
First you need to decide on the install procedure you’re going to use. I used (How To Install
Bacula Server on CentOS 7 | DigitalOcean).
Once you get through the first part of installing MySQL you will come upon this option:
I chose #1, as you can see highlighted in the screenshot.
Next you will go to the /etc/bacula/bacula-dir.conf file, then find and make the following changes as
shown below in the order they are numbered:
1.
2. 3.
4. 5.
6. This one you need to change the area in red to the same password as your MySQL password
Then finally, as seen below, you need to add the red text that you see in the window below.
7.
Once you have completed the objective above, save and close the file. To verify there are no
syntax errors run the command below:
bacula-dir -tc /etc/bacula/bacula-dir.conf
If you get no return then the syntax is correct.
Now it is time to Configure the Storage Resource
Open the /etc/bacula/bacula-sd.conf file. The first change we make is the SDAddress: enter the
FQDN or the private IP address of the backup server as seen below, indicated in red:
Now configure the storage device by adding /bacula/backup as seen below:
Now save and exit the file.
Run this command to check for syntax errors:
bacula-sd -tc /etc/bacula/bacula-sd.conf
As long as you get no returns you are good to go.
Time to Set the Bacula Component Passwords
These are passwords that the system will use and that you don’t have to remember. All you do
is run the following commands in order to set the Director password:
DIR_PASSWORD=`date +%s | sha256sum | base64 | head -c 33`
sed -i "s/@@DIR_PASSWORD@@/${DIR_PASSWORD}/" /etc/bacula/bacula-dir.conf
sed -i "s/@@DIR_PASSWORD@@/${DIR_PASSWORD}/" /etc/bacula/bconsole.conf
Next enter these commands to set the Storage Daemon passwords:
SD_PASSWORD=`date +%s | sha256sum | base64 | head -c 33`
sed -i "s/@@SD_PASSWORD@@/${SD_PASSWORD}/" /etc/bacula/bacula-sd.conf
sed -i "s/@@SD_PASSWORD@@/${SD_PASSWORD}/" /etc/bacula/bacula-dir.conf
The next commands will generate and set the local File Daemon password:
FD_PASSWORD=`date +%s | sha256sum | base64 | head -c 33`
sed -i "s/@@FD_PASSWORD@@/${FD_PASSWORD}/" /etc/bacula/bacula-dir.conf
sed -i "s/@@FD_PASSWORD@@/${FD_PASSWORD}/" /etc/bacula/bacula-fd.conf
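The three steps above derive every secret from `date +%s`, so each value depends only on the second in which the command ran, and commands run within the same second yield the same password. The following is an added example, not part of the original guide or the Bacula packages: it draws each secret from /dev/urandom and fills the same @@..._PASSWORD@@ placeholders. The helper names and the sample config fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example; the files it edits are constructed stand-ins, not real Bacula configs.

# The guide's generator with the clock value passed in as $1. The epoch second
# is its only input, so equal seconds give equal passwords.
legacy_password() {
    printf '%s\n' "$1" | sha256sum | base64 | head -c 33
}

# 33 hex characters (132 bits) from the kernel CSPRNG. Hex output cannot
# contain '/', '&' or '\', so it is safe in the sed replacement below.
random_password() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n' | head -c 33
}

# set_component_password NAME SECRET FILE...
# Replaces @@NAME@@ in every FILE. Each file is rewritten in place so its owner
# and group are kept, then access for "other" users is removed.
set_component_password() {
    name=$1; secret=$2; shift 2
    for conf in "$@"; do
        grep -q "@@${name}@@" "$conf" || {
            echo "placeholder @@${name}@@ not found in $conf" >&2
            return 1
        }
        tmp=$(mktemp) || return 1          # mktemp creates the file with mode 0600
        if sed "s/@@${name}@@/${secret}/g" "$conf" > "$tmp"; then
            cat "$tmp" > "$conf" && chmod o-rwx "$conf"
            rc=$?
        else
            rc=1
        fi
        rm -f "$tmp"
        [ "$rc" -eq 0 ] || return 1
    done
}

# Prints every @@..._PASSWORD@@ placeholder still present; prints nothing when all are set.
remaining_placeholders() {
    grep -o '@@[A-Z_]*PASSWORD@@' "$@" /dev/null | sort -u
}

# Writes constructed config fragments carrying the same placeholders as the
# files named in the guide.
make_sample_configs() {
    d=$1
    printf 'Director {\n  Password = "@@DIR_PASSWORD@@"\n}\nStorage {\n  Password = "@@SD_PASSWORD@@"\n}\nClient {\n  Password = "@@FD_PASSWORD@@"\n}\n' > "$d/bacula-dir.conf"
    printf 'Director {\n  Password = "@@DIR_PASSWORD@@"\n}\n' > "$d/bconsole.conf"
    printf 'Director {\n  Password = "@@SD_PASSWORD@@"\n}\n' > "$d/bacula-sd.conf"
    printf 'Director {\n  Password = "@@FD_PASSWORD@@"\n}\n' > "$d/bacula-fd.conf"
}

# Gives each component its own random secret, mirroring the three steps above.
configure_all() {
    d=$1
    set_component_password DIR_PASSWORD "$(random_password)" "$d/bacula-dir.conf" "$d/bconsole.conf" &&
    set_component_password SD_PASSWORD  "$(random_password)" "$d/bacula-sd.conf"  "$d/bacula-dir.conf" &&
    set_component_password FD_PASSWORD  "$(random_password)" "$d/bacula-dir.conf" "$d/bacula-fd.conf"
}

demo() {
    work=$(mktemp -d) || return 1
    make_sample_configs "$work"
    configure_all "$work"
    echo "unfilled placeholders: $(remaining_placeholders "$work"/*.conf | wc -l)"
    [ "$(legacy_password 1700000000)" = "$(legacy_password 1700000000)" ] &&
        echo "clock-derived passwords for the same second are identical"
    rm -rf "$work"
}
demo
```

On a real host the file arguments would be the /etc/bacula paths used in the steps above, run as root before the services are started.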
Let’s fire this up
Start all three services with the following commands:
systemctl start bacula-dir
systemctl start bacula-sd
systemctl start bacula-fd
If they all started fine then we are ready for the next step. Enter the next set of commands:
systemctl enable bacula-dir
systemctl enable bacula-sd
systemctl enable bacula-fd
Now we test it. Enter bconsole into the command line and hit enter. Now issue the first
command, * label.
You will be prompted to enter a name for the volume; I used NewVolume. Now enter the File
Pool you want. I entered #2. The service should now run a backup.
We are now going to run a manual backup job. While still in the bconsole enter * run. Next enter
1 at the prompt to run the “BackupLocalFiles”. The system will ask you if you want to “Run
Backup Job”, type yes.
You can now type in *messages. This will give you a message on what is going to happen in the
backup procedure. Now enter *status director; this will show you the status of the
Director. As long as everything is working properly you should see that the job is running.
When the job completes you will see an output like the one below:
Running a Restore Job
While in the bconsole enter the *restore all command.
You will see a selection menu with different options, which are used to identify the backups on
file. You choose the option you want; say you want the most recent backup, which is 5 in this
case.
The next prompt will ask you what file set you want to use. You should choose 2.
You will see a virtual file tree with the entire directory structure that you backed up. This
interface allows you to see the simple commands to mark and unmark files for restoration. The
marked files will be denoted with a leading asterisk (*).
You can fine-tune your selection by navigating and listing files with the “ls” and “cd” commands.
Also you can mark files for restoration with “mark”, and unmark files with “unmark”.
When you are finished with your selections you will proceed by typing in the “done” command,
and when prompted type yes and hit return. You can check the restore process with the status
director command once again to confirm it is working and then just type exit to exit the bconsole.
You can verify the restore with the following command:
sudo -u root bash -c "ls -la /bacula/restore"
How to create a backup schedule
On our Bacula server you need to run this command as root; it creates a directory to help
organize the Bacula files:
mkdir /etc/bacula/conf.d
Now open the Director configuration file:
vi /etc/bacula/bacula-dir.conf
Scroll to the bottom of the file and enter this line:
@|"find /etc/bacula/conf.d -name '*.conf' -type f -exec echo @{} \;"
Save and exit the file. That line makes the Director look in the /etc/bacula/conf.d directory for
more configuration files.
We are now going to add a remote file pool, so open the /etc/bacula/conf.d/pools.conf file. Add
the following pool resource:
Pool {
  Name = RemoteFile
  Pool Type = Backup
  Label Format = Remote-
  Recycle = yes                       # Bacula can automatically recycle Volumes
  AutoPrune = yes                     # Prune expired volumes
  Volume Retention = 365 days         # one year
  Maximum Volume Bytes = 50G          # Limit Volume size
  Maximum Volumes = 100               # Limit number of Volumes in Pool
}
Save and exit the file, now run the following command to make sure there are no syntax errors:
bacula-dir -tc /etc/bacula/bacula-dir.conf
If there are no errors you will get no return on the command.
Let us set up and Configure the Client
To begin, go to your command prompt and log in as root. Now type the command “yum install
bacula-client”.
Now before going any farther keep this information handy.
Client hostname: the hostname I used was the “masterdns” server.
Client Private FQDN: in this case it’s “masterdns.frieden1.local”
Bacula Server hostname: this will be “back”
You can use the following command to set the password for the Bacula Director to connect in
the Daemon configuration: date +%s | sha256sum | base64 | head -c 33 ; echo.
You can also set it yourself if you wish; this is what I did for this system. The password is:
2004Chevy.
Open the next file; this file is the File Daemon configuration:
vi /etc/bacula/bacula-fd.conf
There are a few things that need to be changed in this file. Let’s begin with finding the Director
resource; it should look like this:
As you can see the changes that need to be made are in red. Change the name to what you see
in the picture above. Next replace the password with the one you either generated earlier or the
one you made up, in my case it’s 2004Chevy. Make sure to continue to keep the password
handy since we will need this again later.
Find the FileDaemon section that looks like this:
Change the name to “masterdns”, which is the client hostname, then enter the FDAddress. In
this case it’s “masterdns.frieden1.local”. Now find the “Messages” section like you see
below, then change the director to, in my case, “back”:
Save and exit the file and now check it with the following command:
bacula-fd -tc /etc/bacula/bacula-fd.conf
If nothing returns then the syntax is correct.
Now that we are finished with that we need to restart the File Daemon and enable it at boot; we do that by
issuing these commands:
systemctl restart bacula-fd
systemctl enable bacula-fd
Now set up the directory that Bacula can restore to. Use the following commands:
mkdir -p /bacula/restore
chown -R bacula:bacula /bacula
chmod -R 700 /bacula
Our client machine is set up and configured correctly.
Chapter 4
Here you will install and set up the DNS Server.
This is the current setup on my DNS and this is how I did it. To start I used this IP, 192.168.1.2;
this is for the DNS and my Samba server.
This was installed on CentOS 7, with all current updates.
Log into the system and then open a command window, then log in as root.
Be sure that SeLinux is disabled.
Installing bind which is a DNS package
First off install the service with the following command:
yum install bind bind-utils -y
Once that is finished installing you will configure the server. In the command prompt type in this
command:
vi /etc/named.conf
Then add the following lines to the file (it’s easier to copy and paste the info into the file):
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
    listen-on port 53 { 127.0.0.1; 192.168.1.101; };    ### Master DNS IP ###
#   listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; 192.168.1.0/24; };    ### IP Range ###
    allow-transfer { localhost; 192.168.1.102; };    ### Slave DNS IP ###
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "frieden1.local" IN {
    type master;
    file "forward.frieden1";
    allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "reverse.frieden1";
    allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
The pictures below show you how it should look:
Now you create Zone files
The forward and reverse zone files that were mentioned earlier in the “/etc/named.conf” file will
be created here. Enter the following command to create the ‘forward.frieden1’ file in the
“/var/named” directory:
vi /var/named/forward.frieden1
Now add the following lines that you see in the picture below to the file:
After the lines are added, save and close the file.
Time to create the Reverse Zone file. Create the ‘reverse.frieden1’ file in the “/var/named”
directory:
vi /var/named/reverse.frieden1
Now add the following lines:
Once finished save and exit the file.
Time to start the DNS service. In the command prompt enter the following commands in order:
systemctl enable named
systemctl start named
The DNS service should now be running.
Configuration of the Firewall
In order for the DNS server to work it needs to be able to get through the firewall. We do this by
configuring the firewall to allow port 53 through. Use the following
commands in order:
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
Now restart the firewall with the next command:
firewall-cmd --reload
Time to configure the Permissions and Ownership
First check the DNS default config file by using this command:
named-checkconf /etc/named.conf
As long as it returns nothing, the configuration is valid.
Now check the forward and reverse zones by entering these commands:
Forward zone:
named-checkzone frieden1.local /var/named/forward.frieden1
The output should look similar to this:
zone frieden1.local/IN: loaded serial 2011071001
OK
Reverse zone:
named-checkzone frieden1.local /var/named/reverse.frieden1
Again you should have a similar output as below:
zone frieden1.local/IN: loaded serial 2011071001
OK
The DNS server details need to be added to the network interface config file. You do this by
entering this command to access this file:
vi /etc/sysconfig/network-scripts/ifcfg-ens192
Be sure that the file looks like this:
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="enp0s3"
UUID="5d0428b3-6af2-4f6b-9fe3-4250cd839efa"
ONBOOT="yes"
HWADDR="08:00:27:19:68:73"
IPADDR0="192.168.1.101"
PREFIX0="24"
GATEWAY0="192.168.1.1"
DNS="192.168.1.2"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
Now save and close this file.
Now open this file and edit it:
vi /etc/resolv.conf
Add the DNS server IP address:
nameserver 192.168.1.2
Then save and close the file.
Restart the network with the next command:
systemctl restart network
Now we test the DNS server by using this command:
dig masterdns.frieden1.local
You should get an output that lists all the information from the DNS files.
You can also use ‘nslookup frieden1.local’ and that will give you another output that lists the
server IP and address with port number 53.
With that the DNS is now installed and configured.
These are the configuration files for my DNS service
DNS files to configure:
/etc/named/zones/forward.frieden1
/etc/named/zones/reverse.frieden1
/etc/sysconfig/network-scripts/ifcfg-ens192
/etc/named.conf
IP address is 192.168.1.2
Chapter 5
How to install and Deploy a FOG server
You first need to find a reliable download site to help you in the installation of the FOG server. I
used https://wiki.fogproject.org/wiki/index.php?title=Installation_on_CentOS_6.4 to do my
installation.
Follow the instructions on how to install FOG.
When you get to this point below, take the highlighted address in the picture below and open a
new browser on a different machine using the login information seen in the picture below.
Initial FOG installation on a CentOS 6.4 platform
The NEW Username is (fog) and the passwd is (password)
After FOG is loaded you next need to load an image from the FOG boot menu on your PC that you
want imaged.
1. Open a browser and navigate to http://192.168.1.14/fog.
2. Log in to the server (username is fog and password is password).
3. Navigate to the images section, which is the icon in the top row that looks like a picture.
4. On the left hand menu select Create New Image.
5. Enter a meaningful Image Name (no special characters)
6. Enter a description if you wish.
7. Under storage group, select default
8. From the drop down menu select the appropriate operating system for the image
9. If the image file is not as you would like it, change it now (no spaces or special characters)
10. If you are imaging a single partition Windows machine, select Single Partition
11. Click Add
Create the task
1. Still in the host object, click on the Basic Tasks option on the left hand menu.
2. Select Capture
3. Click Capture Image
4. Reboot the client and it should pull an image from that computer.
You should get an image like so:
Once the image is uploaded you will now have an image template that you can deploy on new
machines.
Deploying an Image
Log into your FOG account in a browser
For now let the GUI of FOG sit. You need a clean machine, no OS installed. Start the machine
and let it go through its boot process. When it goes to the screen below highlight Quick Host
Registration and Inventory and hit enter. This will enter the information of the bare machine
into the FOG server.
Now go back to the browser with FOG pulled up, tap the Host tab and then on the left
navigation pane tap the List All Hosts tab. You will see a window like this one below. You will
find the bare machine that you loaded into FOG just a few minutes ago.
Now click the host computer you want to image by tapping the edit tab on the right side of the
host column. The next screen is shown in the picture below.
Select the host image and the host OS, then select the Basic Tasks tab on the left side of the
page. This is the next page you will see:
Select the Deploy tab; you should get a confirmation that the Task has Started. Now we go back
to the bare machine and reboot it. You will again come up to the FOG selection page.
Now highlight the Quick Image line and hit enter. Your machine should now begin loading the
image from the FOG server.
That’s it; once the image is loaded you can work away on your new system.
Chapter 6
Here we are going to install and configure Samba
You will need a fresh updated CentOS 7 system to begin with. You will also need a fresh
Windows 7 install on a separate machine or VM.
In this instance we are using an IP of 192.168.1.2, which is also the same system as our DNS. This
will be the Samba server. Be sure that SeLinux is disabled.
The Windows 7 client will use the DHCP IP assigned to it.
Installing Samba
Log in to your CentOS system, open a command window and log in as root. Next type in this
command:
yum install samba* -y
Configuring an anonymous share
First create a directory by running these commands:
mkdir -p /samba/anonymous_share
chmod -R 0777 /samba/anonymous_share
Now edit the conf file:
vi /etc/samba/smb.conf
Make the changes as needed:
## Add the following lines under [global] section ##
unix charset = UTF-8
dos charset = CP932
## Change the windows default workgroup ##
workgroup = WORKGROUP
## Uncomment and set the IP Range (the trailing dot matches every 192.168.1.x host) ##
hosts allow = 192.168.1.
## Uncomment ##
max protocol = SMB2
## Uncomment, and change the value of 'Security' to 'user' ##
security = user
## Add the following line ##
map to guest = Bad User
## Add the following lines at the bottom ##
[Anonymous share]
path = /samba/anonymous_share
writable = yes
browsable = yes
guest ok = yes
guest only = yes
create mode = 0777
directory mode = 0777
Now save and exit the conf file.
Now it is time to start the Samba service and enable it on reboot:
systemctl start smb
systemctl start nmb
systemctl enable smb
systemctl enable nmb
Test the system by running this command:
testparm
As long as there are no errors you are good to go.
You now need to configure the firewall so that it will allow the Samba default
ports through the firewall.
Enter the following commands in order:
firewall-cmd --permanent --add-port=137/tcp
firewall-cmd --permanent --add-port=138/tcp
firewall-cmd --permanent --add-port=139/tcp
firewall-cmd --permanent --add-port=445/tcp
firewall-cmd --permanent --add-port=901/tcp
Now restart the firewall with the following command:
firewall-cmd --reload
Accessing the Shared folder
Log into your Windows client. In the start menu click on the RUN feature. When RUN opens
type in the Samba server IP like so: 192.168.1.2; you should now be able to access the Samba
share.
To see what shared files there are you can run this command on the Samba server:
ls -l /samba/anonymous_share/
Creating secured share on Samba Server
This is where you will create your secured folders, either for a single user or for a certain group
of users. First off you’re going to create a user named com1, for instance, and a group called
security; you do that by using these commands:
useradd -s /sbin/nologin com1
groupadd security
Next assign your user to the security group and set the passwd:
usermod -a -G security com1
smbpasswd -a com1
Now create a new share, we will call this one “sshare”, then set the permissions on that share:
mkdir /samba/sshare
chmod -R 0755 /samba/sshare
chown -R com1:security /samba/sshare
Time to edit the samba configuration file again:
vi /etc/samba/smb.conf
Add the following lines to the bottom of the configuration file:
[sshare]
path = /samba/sshare
writable = yes
browsable = yes
guest ok = no
valid users = @security
Save and exit the configuration file. Now run a quick test to make sure everything is
working properly:
testparm
Time to go to the Windows client “com1” and check for the “sshare” folder; double click the
sshare folder. You will be prompted to enter a username and passwd; enter “com1” for the user
and then the passwd that you set for com1.
You have now installed and configured Samba.
My current set up is as follows:
The share name is: /etc/samba/linux-share with R0777 properties
To access the shared folders go to RUN and enter centos
Group name is: linuxp User: com1 Passwd: HJAMyers User: com2 Passwd: HJAMyers
Path= /samba/secure_share
Valid users=@linuxp
Chapter 7
How to install and Use Squid
Squid is a proxy service so that you can block websites from being accessed by company
computers. It is literally a way to censor the internet on a local platform.
Let us first start by installing squid by logging into the command prompt as root; now issue this
command:
yum install squid
Now configure squid by going into the configuration file:
vi /etc/squid/squid.conf
The next picture is an example of a configuration file:
You can add sites to be banned from viewing on your network by adding them in the
configuration file.
We now will open a port in the firewall so that squid can get through without issue. In the
command prompt issue this command to open port 3128:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
Now it is time to restart the squid service by issuing this next command:
service squid restart
Make sure the squid service is going to start every time you start the server by issuing this
command:
chkconfig squid on
To see the users’ activity you can issue this command:
tail -f /var/log/squid/access.log
Now go to a client PC and log on. Go to the browser and under tools look for settings or internet
options like so:
Then open the proxy settings like that in the red box above.
Once in the settings turn on proxy settings and enter the IP address of the squid server and the
port number that we opened in the firewall earlier, which is port 3128 as seen in the next
picture below:
Back up config is /etc/squid/squid.conf.org.back
The config file is /etc/squid/squid.conf
This routes all internet traffic through the squid server, and it is now restricted by whatever
settings you have in the squid.conf file.
Chapter 8
Once you have suricata installed run the sudo vi /etc/suricata/suricata.yaml cmd. This is where you will
set suricata up to run.
1st go to HOME_NET and change the IP address to your domain address.
2nd scroll down to default-rule-path and make note of the path for later use: /usr/local/etc/suricata/rules
3rd scroll down to default-log-dir and change that to: /var/log/suricata/
4th as you scroll through make sure you change all areas dealing with your NIC and change the names
5th scroll to host-os-policy: and insert your client IPs in the corresponding OS lines
6th scroll to threading: and make sure set-cpu-affinity: no, then set detect-thread-ratio: 1.5
Then exit the config file. Next input sudo /usr/local/bin/suricata --list-runmodes; this gives you all the
run modes that you can run with suricata.
Now to start Suricata go to the command line and enter:
/usr/local/bin/suricata -c /etc/suricata/suricata.yaml -i ens192 --init-errors-fatal
This will start the engine. Your screen should look like this:
Once the engine has been running for a while you can hit ctrl-C to stop the engine; when stopped the screen
should look similar to below.
How long you let it run will determine the number of packets that were sent out.
To check the log files enter the following command:
tail -f /var/log/suricata/eve.json
You should get a screen that looks like this:
For more information on how to use the many services of Suricata go to
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Quick_Start_Guide
Chapter 9
Installing and configuring Tripwire
Before installing Tripwire first have a CentOS 7 system with updates completed and have
SeLinux disabled.
Open a command prompt and log in as root. Now open a browser window and go to tripwire.org
and download the latest version. The download will be a tar archive so you will have to un-tar it and install it with the
following commands:
tar xvzf tripwire-2.3-47.i386.tar.gz
rpm -ivh tripwire-2.3-47.i386.rpm
Next issue this command to execute the installation shell script:
/etc/tripwire/twinstall.sh
Tripwire configuration
The default policy is in /etc/tripwire/twpol.txt. Install it with this command:
/usr/sbin/twadmin -m P /etc/tripwire/twpol.txt
Now generate the initial database using this command:
/usr/sbin/tripwire -m i
This next command will prevent a large number of false alarms. The false alarms occur any time
there is a discrepancy between the default policy and the local system’s current configuration. To show
a list of these alarms enter this command:
/usr/sbin/tripwire -m c | grep Filename >> twtest.txt
Next, edit the following policy file by commenting out or deleting the
filenames listed in twtest.txt:
/etc/tripwire/twpol.txt
Finalizing the Configuration
Whenever the file is edited, the policy needs to be reinstalled and the
database recreated. We do this by using the following commands:
/usr/sbin/twadmin -m P /etc/tripwire/twpol.txt
/usr/sbin/tripwire -m i
We are now ready to delete the clear text versions of the Tripwire policy and config files.
We will accomplish this by using the following command:
rm /etc/tripwire/twcfg.txt /etc/tripwire/twpol.txt
If for some reason you need to restore the clear text version again, you can do so by using this
command:
/usr/sbin/twadmin -m p > /etc/tripwire/twpol.txt
How to schedule a nightly analysis
First create a shell script; the file will be “runtw.sh” in the /usr/local/bin directory.
The script is as follows:
#!/bin/sh
/usr/sbin/tripwire -m c | mail -s "Tripwire Report from apache" root@localhost
Now schedule the script to run nightly at 1:01am by adding this line:
1 1 * * * /usr/local/bin/runtw.sh
to the root crontab by using this command:
crontab -e
The tripwire system will now generate a report every night at 1:01am and send it to the
system admin on the status of the systems.
Sources
Apache- https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-centos-7
Bacula- https://www.digitalocean.com/community/tutorials/how-to-install-bacula-server-on-centos-7
DHCP- https://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-dhcp.html
DNS- https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-centos-7
Fog- https://wiki.fogproject.org/wiki/index.php/Installation_on_CentOS_7
Samba- https://www.unixmen.com/install-configure-samba-server-centos-7/
SeLinux- https://www.centos.org/docs/5/html/5.1/Deployment_Guide/sec-sel-enable-disable.html
Squid- http://www.liquidweb.com/kb/how-to-install-squid-caching-proxy-on-centos-7/
Suricata- https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation
Tripwire- https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps

Network Manual

  • 1. Network Built by Jason Myers FRIEDEN1.LOCAL Linux Network Project
  • 2. 1 Glossary Network Map Machine Configuration DHCP Chapters Ch. 1 SeLinux ……………………………………………………………………………………………. Pg. 5 Ch. 2 Apache …………………………………….............….………………………………………. Pg. 6 Ch. 3 Bacula ……………………………………………………………………………………………… Pg. 10 Ch. 4 DNS …………………………………………………………………………………………………. Pg. 17 Ch. 5 FOG ……………………………………………………………………………………………….... Pg. 24 Ch. 6 Samba ………………………………………………………………………………………………. Pg. 30 Ch. 7 Squid………………………………………………………………………………………………… Pg. 34 Ch. 8 Suricata……………………………………………………………………………………………. Pg. 37 Ch. 9 Tripwire ……………………………………………………………………………………………. Pg.38 Sources …………………………………………………………………………………………………………………... Pg.41
  • 3. 2 Network Map Physical location: a. ATC building/ServerLab b. Pod#6 c. Server6 and 8 Main Server: a. Name- http://lab13 b. IP- 10.10.16.184 (STATIC) c. MAC- 54:9f:35:25:58:d2 d. Hardware- 1. Dell PowerEdge R220 2. CPU E3-1240L v3 @ 2.00GHz 3. 500GB HDD 4. 32GB RAM 5. Serial Number-BYHDS52 e. Software- 1. ESXi 5.5.0 (VMKernal ReleaseBuild1331820) 2. vSphere Client 3. vSphere WebClient(https://10.10.4.178.9443/vsphere-client/# f. Virtual Machines- (all IP’sare static) 1. DNS IP- 192.168.1.2 2. Squid/Suricata IP- 192.168.1.11 3. Apache/Tripwire Server IP- 192.168.1.12 4. Backup IP- 192.168.1.13 5. FOG IP- IP- 192.168.1.14 SecondServer a. Name- Frieden1 b. IP- 10.10.16.240 (static) c. MAC- 54:9F:35:25:50:5C d. Hardware- 1. Dell PowerEdge R220 2. CPU E3-1240L v3 @ 2.00GHz 3. 1TB HDD 4. 32GB RAM
  • 4. 3 e. Software- 1. CentOS6.4 set upas domainrouter 2. dhcpdfor the DHCP service 3. Firewall issetup ControllingStation Lab13-PC 1. Software- Windows7 2. IP- 10.10.1.240 (static) 3. SubnetMask- 255.255.255.0 4. DefaultGateway- 10.10.0.1 5. MAC- 19:03:73:BB:E0:6C 6. PrimaryDNSSuffix- CNS_Lab.local DHCP This was configured using this website- https://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-dhcp.html Follow these steps to configure the DHCP, be sure to use your subnet 192.168.1.1 and your netmask of 255.255.255.0.
  • 6. 5 Chapter 1 How to disable SeLinux Before anythingisdone onall the serversisthatyou mustdisable SeLinux.Logintothe command promptunderroot and type inthiscommand; vim /etc/sysconfig/selinux You will see thispage In the SELINUX=enabled youwilltype SELINUX=disabled like yousee above thensave andleave the file. You can findthe linkIusedto figure thisoutbelow; https://www.centos.org/docs/5/html/5.1/Deployment_Guide/sec-sel-enable-disable.html
  • 7. 6 Chapter 2 Here we are creating and using the Apache MySQL/MariaDB. Be sure to have Centos 7 installed on your VM The IP address for this project is 192.168.1.12 Installing MariaDBwhisch is another name for MySQL Start of byenteringthese commands; 1. yum-y install mariadb-servermariadb 2. systemctl startmariadb.service 3. systemctl enable mariadb.service 4. mysql_secure_installation (withthisone youwillsetapasswordthenas yougo through the file answerthe questionslikethis “Y,Y, Y, Y” you have now completedthe install) Installing Apacheon your OS system Firstof disable selinux.Logintocommandpromptasroot and follow the disableselinuxsection inthispacket. Nextuse thiscommand; yum -y install httpd Thiswill install Apache toyourOS Nowwe are goingto ensure Apache startsat bootupandenable Apache asan OS service by enteringthiscommand; systemctl start httpd.service systemctl enable httpd.service The firewall now needs to be configured to allow external access to port 80 and 443 Enter these commandsinorder; 1. firewall-cmd--permanent--zone=public--add-service=http 2. firewall-cmd--permanent--zone=public--add-service=https 3. firewall-cmd–reload Now go to the browserandenterhttp://192.168.1.12 youwill now see the Apache placeholder. Now we are going to make a directory structurethat will hold the site data.
  • 8. 7 Make a file byenteringthiscommand; mkdir -p /var/www/example.com/public_html inthe /example.com/youcanenteryourown domain name. Nowwe will grantpermissionstothese filesbyenteringthiscommand; chmod -R 755 /var/www Next we are going to create a Demo Page for the Virtual Host Use thiscommand to enterfile editortoeditourwebpage; vim /var/www/example.com/public_html/index.html Here is an example of asmall websitewithverylittle datainput; Once you have completedyourwebpagesave andexitthe file. Now we are going to create a New Virtual Host File Thisset of commandswill tell Apache thatthe virtual hostisreadytobe visitedbyusers; mkdir /etc/httpd/sites-available mkdir /etc/httpd/sites-enabled The nextcommandwill tell Apache tolookforthe virtual hostsinthe sites-enableddirectory. Thiswill be done byenteringthe nextcommand; vim /etc/httpd/conf/httpd.conf and thenwe will inputthistothe endof the file; IncludeOptional sites-enabled/*.conf Thensave the file andclose it. We next will create the first Virtual Hosts File
  • 9. 8 Firstopena newfile withthe followingcommand; vim /etc/httpd/sites-available/example.com.conf You firstneedtocreat a pair of tags for designatingthe contentasavirtual hostthat is listening on port 80; <VirtualHost *:80> </VirtualHost> Next youdeclare the mainervername; <VirtualHost *:80> ServerName www.example.com ServerAlias example.com </VirtualHost> Nowwe finishthisfile bypointingtothe rootdirectoryof the accessible webdocumaents,and tell Apache where tostore errorand requestlogsforthisparticularsite; <VirtualHost *:80> ServerName www.example.com ServerAlias example.com DocumentRoot /var/www/example.com/public_html ErrorLog /var/www/example.com/error.log CustomLog /var/www/example.com/requests.log combined </VirtualHost> Now you will Enable the New Virtual Host Files Firstcreat a symboliclinkforeachvirtual hostinthe sites-enableddirectorybyenterthis command; ln -s /etc/httpd/sites-available/example.com.conf /etc/httpd/sites- enabled/example.com.conf once that is finished,restartApache forthe changestotake affectby enteringthiscommand; apachectl restart Time for the last step, setting up the Local Hosts File Thisis an optional stepbutone Ithink youshouldtake. You are basicallyjusttestingyourwebsite,enterthe command; vim /etc/hosts You needtoadd the publicIPaddressof your VPSthenthe domainthat youwantto use to reach the VPS;
  • 10. 9 127.0.0.1 localhost 127.0.1.1 guest-desktop server_ip_address example.com Nowfor the actual test.Go to yourbrowserandenteryour webaddress; http://example.com Now you should be all set up. My Apache set up: Configfiles: The webfile Ihave on my systemis: /var/www/html/index.html My website:http://192.168.1.12
  • 11. 10 Chapter 3 Installing and Implementing Bacula Firstyou needtodecide onthe install procedure you’regoingtouse.Iused(How TO Install Bacula ServeronCentos7 | DigitalOcean) Once you getthroughthe firstpart of installingMySQLyouwill come uponthisoption; I chose #1 as you can see ithighlightedinthe screenshot. Nextyouwill goto the /etc/bacula/bacula-dir.conf file thenfindandmake the followingchangesas shownbelowinthe ordertheyare numbered: 1. 2. 3.
  • 12. 11 4. 5. 6. Thisone you needtochange the area in redto the same passwordas your MySQL password Thenfinallyasseenbelowyouneedtoaddthe redtextthat yousee the window below. 7. Once you have completedthe objectiveabove,save andclose the file.Toverifythereare no syntax errorsrun the commandbelow: bacula-dir -tc /etc/bacula/bacula-dir.conf If you getno returnthenthe syntax is correct. Now it is time to Configure the Storage Resource
  • 13. 12 Openthe /etc/bacula/bacula-sd.conf file.The firstchange we make isthe SDAddress,enterthe FQDN or the private IPaddressof the backup serverlike seenbelowindicatedinred: Nowconfigure the storage device byadding /bacula/backup asseenbelow: Nowsave and exitthe file. Run thiscommandto checkfor syntax errors: bacula-sd -tc /etc/bacula/bacula-sd.conf As longas youget noreturnsyou are good to go. Time to Set the Bacula Component Passwords These are passwordsthatthe systemwill use andthatyoudon’thave to remember.All youdo isrun these followingcommandsonordertosetDirectorpassword: DIR_PASSWORD=`date +%s | sha256sum | base64 | head -c 33` sed -i "s/@@DIR_PASSWORD@@/${DIR_PASSWORD}/" /etc/bacula/bacula- dir.conf sed -i "s/@@DIR_PASSWORD@@/${DIR_PASSWORD}/" /etc/bacula/bconsole.conf Nextenterthese commandstosetthe Storage File Daemonpasswords: SD_PASSWORD=`date +%s | sha256sum | base64 | head -c 33` sed -i "s/@@SD_PASSWORD@@/${SD_PASSWORD}/" /etc/bacula/bacula-sd.conf sed -i "s/@@SD_PASSWORD@@/${SD_PASSWORD}/" /etc/bacula/bacula-dir.conf
  • 14. 13 The nextcommandwill generate andsetthe local File Daemonpasseord: FD_PASSWORD=`date +%s | sha256sum | base64 | head -c 33` sed -i "s/@@FD_PASSWORD@@/${FD_PASSWORD}/" /etc/bacula/bacula-dir.conf sed -i "s/@@FD_PASSWORD@@/${FD_PASSWORD}/" /etc/bacula/bacula-fd.conf Let’s fire this this up Start all three serviceswiththe followingcommands: systemctl start bacula-dir systemctl start bacula-sd systemctl start bacula-fd If theyall started fine thenwe are readyforthe nextstep.Enterthe nextsetof commands: systemctl enable bacula-dir systemctl enable bacula-sd systemctl enable bacula-fd Nowwe testit. Enterbconsole intothe commandline andhitenter.Now issue the first command, * label. You will be promptedtoenteraname for the volume,Iused NewVolume.Now enterthe File Pool youwant.I entered #2. The service shouldnow runa backup. We are now goingto run a manual backupjob.While still inthe bconsole enter* run. Nextenter 1 at the promptto run the “BackupLocalFiles”.The systemwill askyouif youwantto “Run Backup Job”,type yes. You can nowtype in *messages.Thiswill giveyouamessage onwhat is goingto happeninthe backupprocedure.Nowenter*statusdirector,thiswill show youthe statusof the of the Director.Aslongas everythingisworkingproperlyyoushouldsee thatthe jobisrunning Whenthe job completesyouwillsoandoutput like the one below: Running a Restore Job While inthe bconsole enterthe *restore all command.
  • 15. 14 You will see aselectionmenuwithdifferentoption,whichare usedtoidentifythe backupson file.Youchoose the optionyouwant,sayyou wantthe most recentbackupwhichis 5 inthis case. The nextpromptwill askyouwhat file setyouwantto use.Youshouldchoose 2. You will see avirtual file tree withthe entire directorystructure thatyoubackedup.This interface allowsyoutosee the simple commandstomarkand unmarkfilesforrestoration.The markedfileswillbe denotedwithaleadingasterisk(*). You can fine-tuneyourselectionbynavigatingandlistingfileswiththe “ls”and“cd” commands. Alsoyoucan mark filesforrestorationwith“mark”,andunmarkfileswith“unmark”. Whenyouare finishedwithyourselectionsyouwillproceedbytypinginthe “done”command, and whenpromptedtype yesandhitreturn.Youcan checkthe restore processwiththe status directorcommandonce again to confirmitisworkingandthenjusttype exitto exitthe bconsol. You can verifythe restore withthe followingcommand: -u root bash -c "rm -rf /bacula/restore/*" How to create a backup schedule On our Baculaserveryouneedtoperformthiscommandin root,it createsa directorytohelp organize the Baculafiles: mkdir /etc/bacula/conf.d Nowopenthe directoryyoujustcreated. vi /etc/bacula/bacula-dir.conf Scroll to the bottomof the file andenterthisline: @|"find /etc/bacula/conf.d -name '*.conf' -type f -exec echo @{} ;" Save and exitthe file.Thatline makesthe Dierectorlookinthe /etc/bacula/conf.ddirectoryfor more configurationfiles. We are now goingto adda remote file pool,soopenthe /etc/bacula/conf.d/pools.conffile.Add the followingpool resource: Pool { Name = RemoteFile Pool Type = Backup Label Format = Remote- Recycle = yes # Bacula can automatically recycle Volumes AutoPrune = yes # Prune expired volumes Volume Retention = 365 days # one year
  • 16. 15 Maximum Volume Bytes = 50G # Limit Volume size Maximum Volumes = 100 # Limit number of Volumes in Pool } Save and exitthe file,nowrunthe followingcommandtomake sure there are no syntax errors: bacula-dir -tc /etc/bacula/bacula-dir.conf if there areno errors you will get no return on the command. Let us set up and Configurethe Client To begingoto your commandpromptand login as root.Now type the command “yum install bacula-client”. Nowbefore goinganyfartherkeepthisinformationhandy. Clienthostname:the hostnameIusedwasthe “masterdns”server. ClientPrivate FQDN:inthiscase its“masterdns.frieden1.local” Bacula Serverhostname:thiswillbe “back” You can use the followingcommandtosetthe passwordforthe Bacula Directorto connectin the Daemonconfiguration: date +%s | sha256sum | base64 | head -c 33 ; echo. You can alsoset ityourself if youwish,thisiswhatIdid forthissystem. The passwordis: 2004Chevy. Openthe nextfile,thisfile isthe File Daemonconfiguration: date +%s | sha256sum | base64 | head -c 33 ; echo There are a fewthingsthatneedto be changedinthisfile.Let’sbeginwithfindingthe Directory resource,itshouldlooklike this: As youcan see the changesthat needtobe made are in red.Change the name to whatyou see inthe picture above.Nextreplacethe passwordwiththe one youeithergeneratedearlierorthe one youmade up,inmy case it’s 2004Chevy.Make sure to continue tokeepthe password handysince we will needthisagainlater. Findthe FIleDaemon sectionthatlookslike this:
  • 17. 16 Change the name to “masterdns”whichisthe clienthostname thenenterthe FDAddress.In thiscase it’s“masterdns.frieden1.local”. Now find the “Messages” section likeyou see below, then change the director to in my case“back”: Save and exit the fileand now check itwith the followingcommand: bacula-fd -tc /etc/bacula/bacula-fd.conf If nothingreturnsthenthe syntax is correct. Nowthat we are finishedwiththatwe needtorestartthe system, we dothat by issuingthis command: systemctl enable bacula-fd NowSetupthe Directorythat Baculacan Restore too.Use the followingcommands: mkdir -p /bacula/restore chown -R bacula:bacula /bacula chmod -R 700 /bacula Our clientmachine issetupand configuredcorrectly.
  • 18. 17 Chapter 4 Here you will install and set up the DNS Server. Thisis the currentset upon my DNSand thisis how I done it.To start I usedthisIP,192.168.1.2, thisisfor the DNS and mySamba server. Thiswas installedonaCentOS7, withall currentupdates. Log intothe systemand thenopena commandwindow,thenloginasroot. Be sure that SeLinux isdisabled. Installing bind which is a DNS package Firstoff install the service withthe followingcommand: yum install bind bind-utils -y Once that is finished installingyouwillconfigure the server.Inthe commandprompttype inthis command: vi /etc/named.conf Thenadd the followinglinestothe file (it’seasiertocopyandpaste the infointothe file) : // // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // options { listen-on port 53 { 127.0.0.1; 192.168.1.101;}; ### Master DNS IP ### # listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { localhost; 192.168.1.0/24;}; ### IP Range ### allow-transfer{ localhost; 192.168.1.102; }; ### Slave DNS IP ### /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable
  • 19. 18 recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ recursion yes; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "frieden1.local" IN { type master; file "forward.frieden1"; allow-update { none; }; }; zone "1.168.192.in-addr.arpa" IN { type master; file "reverse.frieden1"; allow-update { none; }; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; The picturesbelowshowyouhow itshouldlook:
  • 20. 19
  • 21. 20 Now you create Zone files The forwardand reverse zone filesthatwasmentionedearlierinthe “/etc/named.conf”file will be create here.Enterthe followingcommand tocreate the ‘forward.frieden1’fileinthe “/var/named”directory: vi /var/named/forward.frieden1 Nowadd the followinglinesthatyousee inthe picture bellow tothe file: Afterthe linesare added,save andclose the file. Time to create the Reverse Zone file.Create the ‘reverse.frieden1’file inthe “/var/named” directory: vi /var/named/reverse.frieden1 Now add the followinglines:
  • 22. 21 Once finishedsave andexitthe file. Time to start the DNS service.Inthe commandpromptenterthe followingcommandsinorder: systemctl enable named systemctl start named The DNS service shouldnowbe running. Configuration of the Firewall In orderfor the DNSserverto workit needstobe able to getthrough the firewall.We dothisby configuringthe firewall toallowport53 to openthoughthe firewall.Use the following commandsinorder: firewall-cmd --permanent --add-port=53/tcp firewall-cmd --permanent --add-port=53/udp Nowrestartthe firewall withthe nextcommand: firewall-cmd --reload Time to configurethe Permissions and Ownership Firstcheck the DNSdefaultconfig.File byusingthiscommand: named-checkconf /etc/named.conf As longas itreturnsnothing,the configurationisvalid. Nowcheckthe forwardandreverse zonesbyenteringthesecommands: Forwardzone: named-checkzone frieden1.local /var/named/forward.frieden1 The outputshouldlooksimilartothis: zone frieden1.local/IN: loaded serial 2011071001 OK
  • 23. 22 Reverse zone: named-checkzone frieden1.local /var/named/reverse.frieden1 Againyoushouldhave a similaroutputasbelow: zone unixmen.local/IN: loaded serial 2011071001 OK The DNS serverdetailsneedtobe addedtothe networkinterface configfile.Youdothisby enteringthiscommandtoaccessthisfile: zone frieden1.local/IN: loaded serial 2011071001 OK Be sure that the file lookslikethis: TYPE="Ethernet" BOOTPROTO="none" DEFROUTE="yes" IPV4_FAILURE_FATAL="no" IPV6INIT="yes" IPV6_AUTOCONF="yes" IPV6_DEFROUTE="yes" IPV6_FAILURE_FATAL="no" NAME="enp0s3" UUID="5d0428b3-6af2-4f6b-9fe3-4250cd839efa" ONBOOT="yes" HWADDR="08:00:27:19:68:73" IPADDR0="192.168.1.101" PREFIX0="24" GATEWAY0="192.168.1.1" DNS="192.168.1.2" IPV6_PEERDNS="yes" IPV6_PEERROUTES="yes" Nowsave and close thisfile. Nowopenthisfile andeditit: vi /etc/resolv.conf Addthe DNS serverIPaddress: nameserver 192.168.1.2 Thensave and close the file. Restartthe networkwiththe nextcommand: systemctl restart network Nowwe testthe DNSserverbyusingthiscommand: Dig masterdns.frieden1.local You shouldgetan outputthat listall the informationof the DNSfiles. You can alsouse ‘nslookupfrieden1.local’andthatwill give youanotheroutputthatliststhe serverIPand addresswithportnumber53. Withthat the DNS isnow installedandconfigured.
  • 24. 23 These are the configuration files for my DNS service DNS filestoconfigure: /etc/named/zones/forward.friedden1 /etc/named/zones/reverse.frieden1 /etc/sysconfig/nework-scripts/ifcfg-ens192 /etc/named.conf IP addressis 192.168.1.2
  • 25. 24 Chapter 5
    How to install and Deploy a FOG server
    You first need to find a reliable download site to help you in the installation of the FOG server. I used https://wiki.fogproject.org/wiki/index.php?title=Installation_on_CentOS_6.4 to do my installation. Follow the instructions on how to install FOG.
    When you get to this point below, take the highlighted address in the picture below and open a new browser on a different machine using the login information seen in the picture below.
    Initial FOG installation on a CentOS 6.4 platform
    The NEW Username is (fog) and the passwd is (password)
  • 26. 25 After FOG is loaded you next need to load an image from the FOG boot menu on your PC that you want imaged.
        1. Open a browser and navigate to http://192.168.1.14/fog.
        2. Log in to the server (username is fog and password is password).
        3. Navigate to the images section, which is the icon in the top row that looks like picture.
        4. On the left hand menu select Create New Image.
        5. Enter a meaningful Image Name (no special characters).
        6. Enter a description if you wish.
        7. Under storage group, select default.
        8. From the dropdown menu select the appropriate operating system for the image.
        9. If the image file is not as you would like it, change it now (no spaces or special characters).
        10. If you are imaging a single partition Windows machine, select Single Partition.
        11. Click Add.
    Create the task
        1. Still in the host object, click on the Basic Tasks option on the left hand menu.
        2. Select Capture.
        3. Click Capture Image.
        4. Reboot client and it should pull an image from that computer.
    You should get an image like so:
  • 27. 26 Once the image is uploaded you will now have an image template that you can deploy on new machines.
    Deploying an Image
    Log into your FOG account in a browser. For now let the GUI of FOG sit. You need a clean machine, no OS installed. Start the machine and let it go through its boot process. When it goes to the screen below, highlight Quick Host Registration and Inventory and hit enter. This will enter the information of the bare machine into the FOG server.
  • 28. 27 Now go back to the browser with FOG pulled up, tap the Host tab and then on the left navigation pane tap the List All Hosts tab. You will see a window like this one below. You will find the bare machine that you loaded into FOG just a few minutes ago.
    Now click the host computer you want to image by tapping the edit tab on the right side of the host column. The next screen is of the picture below.
  • 29. 28 Select the host image and the host OS, then select the Basic Tasks tab on the left side of the page. This is the next page you will see:
  • 30. 29 Select the Deploy tab; you should get a confirmation that the Task has Started. Now we go back to the bare machine and reboot it. You will again come up to the FOG selection page.
    Now highlight the Quick Image line and hit enter. Your machine should now begin loading the image from the FOG server.
    That's it, once the image is loaded you can work away on your new system.
  • 31. 30 Chapter 6
    Here we are going to install and configure Samba
    You will need a fresh updated CentOS 7 system to begin with. You will also need a fresh Windows 7 install on a separate machine or VM. In this instance we are using an IP of 192.168.1.2, which is also the same system as our DNS. This will be the Samba server. Be sure that SeLinux is disabled. The Windows 7 client will use the DHCP IP assigned to it.
    Installing Samba
    Log in to your CentOS system, open a command window and log in to root. Next type in this command:
        yum install samba* -y
    Configuring an anonymous share
    First create a directory by running these commands:
        mkdir -p /samba/anonymous_share
        chmod -R 0777 /samba/anonymous_share
    Now edit the conf file:
        vi /etc/samba/smb.conf
    Make the changes as needed:
        ## Add the following lines under [global] section ##
        unix charset = UTF-8
        dos charset = CP932
        ## Change the windows default workgroup ##
        workgroup = WORKGROUP
        ## Uncomment and set the IP Range ##
        hosts allow = 192.168.1.0
        ## Uncomment ##
        max protocol = SMB2
        ## Uncomment, and change the value of 'Security' to 'user' ##
        security = user
        ## Add the following line ##
        map to guest = Bad User
        ## Add the following lines at the bottom ##
        [Anonymous share]
        path = /samba/anonymous_share
        writable = yes
  • 32. 31
        browsable = yes
        guest ok = yes
        guest only = yes
        create mode = 0777
        directory mode = 0777
    Now save and exit the conf file.
    Now it is time to start the Samba service and enable it on reboot:
        systemctl start smb
        systemctl start nmb
        systemctl enable smb
        systemctl enable nmb
    Test the system by running this command:
        testparm
    As long as there are no errors you are good to go.
    You now need to configure the firewall so that it will allow the Samba default ports through the firewall. Enter the following commands in order:
        firewall-cmd --permanent --add-port=137/tcp
        firewall-cmd --permanent --add-port=138/tcp
        firewall-cmd --permanent --add-port=139/tcp
        firewall-cmd --permanent --add-port=445/tcp
        firewall-cmd --permanent --add-port=901/tcp
    Now restart the firewall with the following command:
        firewall-cmd --reload
    Accessing the Shared folder
    Log into your Windows client. In the start menu click on the RUN feature. When RUN opens type in the Samba server IP like so: 192.168.1.2. You should now be able to access the Samba share.
  • 33. 32 To see what shared files there are you can run this command on the Samba server:
        ls -l /samba/anonymous_share/
    Creating secured share on Samba Server
    This is where you will create your secured folders, either for a single user or for a certain group of users. First off you're going to create a user named com1 for instance and a group called firewall; you do that by using these commands:
        useradd -s /sbin/nologin com1
        groupadd security
    Next assign your user to the security group and set the passwd:
        usermod -a -G security com1
        smbpasswd -a com1
    Now create a new share, we will call this one "sshare", then set the permissions on that share:
        mkdir /samba/sshare
        chmod -R 0755 /samba/sshare
        chown -R com1:security /samba/sshare
    Time to edit the Samba configuration file again:
        vi /etc/samba/smb.conf
    Add the following lines to the bottom of the configuration file:
        [sshare]
        path = /samba/sshare
        writable = yes
        browsable = yes
        guest ok = no
  • 34. 33
        valid users = @security
    Save and exit the configuration file. Now run a quick test to make sure everything is working properly:
        testparm
    Time to go to the Windows client "com1" and check for the "sshare" folder; double click the sshare folder. You will be prompted to enter a username and passwd: enter "com1" for the user and then the passwd that you set for com1.
    You have now installed and configured Samba.
    My current set up is as follows:
        The share name is: /etc/samba/linux-share with R0777 properties
        To access the shared folders go to RUN and enter centos
        Group name is: linuxp
        User: com1 Passwd: HJAMyers
        User: com2 Passwd: HJAMyers
        Path = /samba/secure_share
        Valid users = @linuxp
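The two share stanzas in this chapter differ mainly in who is allowed to write to them. As an added example (not part of the original document), this Python script parses an smb.conf and flags shares that are guest-writable or whose masks grant world write; the sample configuration is constructed from the stanzas shown above, and the function names are hypothetical.

```python
# SAMPLE_CONF is constructed from the two share stanzas shown in this chapter.
SAMPLE_CONF = """
[global]
security = user
[Anonymous share]
path = /samba/anonymous_share
writable = yes
guest ok = yes
create mode = 0777
directory mode = 0777
[sshare]
path = /samba/sshare
writable = yes
guest ok = no
valid users = @security
"""

def parse_smb_conf(text):  # returns {section: {normalised key: value}}
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit_shares(text):  # returns {share: [findings]}, skipping [global]
    report = {}
    for name, opts in parse_smb_conf(text).items():
        if name.lower() == "global":
            continue
        on = lambda *keys: any(opts.get(k, "").lower() in ("yes", "true", "1") for k in keys)
        guest = on("guest ok", "public")
        # "writable", "writeable" and "write ok" are inverted synonyms of "read only"
        writable = on("writable", "writeable", "write ok") or opts.get("read only", "yes").lower() == "no"
        findings = ["guest-writable"] if guest and writable else []
        for key in ("create mode", "create mask", "directory mode", "directory mask"):
            if key in opts and int(opts[key], 8) & 0o002:
                findings.append(f"{key} {opts[key]} grants world write")
        report[name] = findings
    return report

if __name__ == "__main__":
    for share, findings in audit_shares(SAMPLE_CONF).items():
        print(f"[{share}]", "; ".join(findings) or "no findings")
```

To audit a live server, pass the contents of /etc/samba/smb.conf to audit_shares instead of the sample.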
  • 35. 34 Chapter 7
    How to install and Use Squid
    Squid is a proxy service that lets you block websites from being accessed by company computers. It is literally a way to censor the internet on a local platform.
    Let us first start by installing Squid. Log in to the command prompt as root and issue this command:
        yum install squid
    Now configure Squid by going into the configuration file:
        vi /etc/squid/squid.conf
    The next picture is an example of a configuration file:
    You can add sites to be banned from viewing on your network by adding them in the configuration file.
  • 36. 35 We will now open a port in the firewall so that Squid can get through without issue. In the command prompt issue this command to open port 3128:
        iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
    Now it is time to restart the squid service by issuing this next command:
        service squid restart
    Make sure the squid service is going to start every time you start the server by issuing this command:
        chkconfig squid on
    To see the users' activity you can issue this command:
        tail -f /var/log/squid/access.log
    Now go to a client PC and log on. Go to the browser and under tools look for settings or internet options like so:
  • 37. 36 Then open the proxy settings like that in the red box above.
    Once in the settings, turn on proxy settings and enter the IP address of the Squid server and the port number that we opened in the firewall earlier, which is port 3128, as seen in the next picture below:
    Back up config is /etc/squid/squid.conf.org.back
    The config file is /etc/squid/squid.conf
    This routes all internet traffic through the Squid server, and it is now restricted by whatever settings you have in the squid.conf file.
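Watching `tail -f /var/log/squid/access.log` shows requests as they happen, but it does not tell you which clients keep hitting blocked sites. As an added example (not part of the original document), this Python script summarises denied requests per client and per host from access.log lines in Squid's native format; the sample lines are constructed and the function names are hypothetical.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1700000001.101    112 192.168.1.101 TCP_MISS/200 5120 GET http://intranet.example/index.html - HIER_DIRECT/192.0.2.10 text/html
1700000002.202      0 192.168.1.102 TCP_DENIED/403 3894 GET http://blocked.example/ - HIER_NONE/- text/html
1700000003.303      0 192.168.1.102 TCP_DENIED/403 3894 CONNECT blocked.example:443 - HIER_NONE/- text/html
1700000004.404     87 192.168.1.101 TCP_MISS/200 2048 CONNECT mail.example:443 - HIER_DIRECT/192.0.2.20 -
1700000005.505 truncated
"""

def requested_host(method, url):
    # CONNECT requests are logged as "host:port", everything else as a full URL.
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url

def summarize(lines):
    """Count denied requests per client and per host, and bytes per client."""
    denied_clients, denied_hosts, bytes_out = Counter(), Counter(), Counter()
    skipped = 0
    for line in lines:
        fields = line.split()
        # A complete native-format entry has 10 whitespace-separated fields.
        if len(fields) < 10 or "/" not in fields[3] or not fields[4].isdigit():
            skipped += 1
            continue
        client, result, size, method, url = fields[2:7]
        bytes_out[client] += int(size)
        if "DENIED" in result.split("/", 1)[0]:
            denied_clients[client] += 1
            denied_hosts[requested_host(method, url)] += 1
    return {"denied_clients": denied_clients, "denied_hosts": denied_hosts,
            "bytes": bytes_out, "skipped": skipped}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for client, hits in report["denied_clients"].most_common():
        print(f"{client}: {hits} denied request(s)")
    print("denied hosts:", dict(report["denied_hosts"]))
```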
  • 38. 37 Chapter 8
    Once you have Suricata installed, run the command sudo vi /etc/suricata/suricata.yaml. This is where you will set Suricata up to run.
        1st go to HOME_NET and change the IP address to your domain address.
        2nd scroll down to default-rule-path and make note of the path for later use: /usr/local/etc/suricata/rules
        3rd scroll down to default-log-dir and change that to: /var/log/suricata/
        4th as you scroll through, make sure you change all areas dealing with your NIC and change the names.
        5th scroll to host-os-policy: and insert your client IPs in the corresponding OS lines.
        6th scroll to threading: and make sure that set-cpu-affinity: no is set, then set detect-thread-ratio: 1.5
    Then exit the config file. Next input:
        sudo /usr/local/bin/suricata --list-runmodes
    This gives you all the run modes that you can run with Suricata.
    Now to start Suricata go to the command line and enter:
        /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -i ens192 --init-errors-fatal
    This will start the engine. Your screen should look like this:
    Once the engine has been running for a while you can hit Ctrl-C to stop the engine; when stopped, the screen should look similar to below.
    How long you let it run determines the number of packets that were sent out.
  • 39. 38 To check the log files enter the following command:
        tail -f /var/log/suricata/eve.json
    You should get a screen that looks like this:
    For more information on how to use the many services of Suricata go to https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Quick_Start_Guide
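The eve.json file tailed above holds one JSON record per line and mixes alerts with flow and protocol events, so raw output is hard to triage by eye. As an added example (not part of the original document), this Python script groups the alert records by signature and orders them by severity; the sample records, signature names and IDs are constructed, and the function name is hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample of eve.json records (one JSON object per line). The last
# line is cut short, as happens when the file is read while Suricata writes it.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T01:00:00.000000+0000","event_type":"flow","src_ip":"192.168.1.101","dest_ip":"192.168.1.2","proto":"UDP"}
{"timestamp":"2024-01-01T01:00:05.000000+0000","event_type":"alert","src_ip":"192.168.1.101","dest_ip":"192.168.1.12","alert":{"signature_id":1000001,"signature":"CONSTRUCTED sample rule A","severity":2}}
{"timestamp":"2024-01-01T01:00:09.000000+0000","event_type":"alert","src_ip":"192.168.1.102","dest_ip":"192.168.1.12","alert":{"signature_id":1000001,"signature":"CONSTRUCTED sample rule A","severity":2}}
{"timestamp":"2024-01-01T01:00:12.000000+0000","event_type":"alert","src_ip":"192.168.1.102","dest_ip":"192.168.1.11","alert":{"signature_id":1000002,"signature":"CONSTRUCTED sample rule B","severity":1}}
{"timestamp":"2024-01-01T01:00:15.000000+0000","event_type":"al
"""

def summarize_alerts(lines):
    """Group alert events by signature id; return (rows, unparsable_count)."""
    groups = defaultdict(lambda: {"count": 0, "sources": set()})
    bad = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            bad += 1  # partial or corrupt record, counted rather than fatal
            continue
        if not isinstance(event, dict) or event.get("event_type") != "alert":
            continue
        alert = event.get("alert", {})
        group = groups[alert.get("signature_id")]
        group["count"] += 1
        group["sources"].add(event.get("src_ip"))
        group["signature"] = alert.get("signature")
        group["severity"] = alert.get("severity", 3)
    rows = [dict(sid=sid, **g) for sid, g in groups.items()]
    # Severity 1 is the most urgent in Suricata, so sort ascending, then by volume.
    rows.sort(key=lambda r: (r["severity"], -r["count"]))
    return rows, bad

if __name__ == "__main__":
    rows, bad = summarize_alerts(SAMPLE_EVE.splitlines())
    for r in rows:
        print(r["severity"], r["sid"], r["signature"], r["count"], sorted(r["sources"]))
    print("unparsable lines:", bad)
```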
  • 40. 39 Chapter 9
    Installing and configuring Tripwire
    Before installing Tripwire, first have a CentOS 7 system with updates completed and have SeLinux disabled.
    Open a command prompt and log in to root. Now open a browser window, go to tripwire.org and download the latest version. The download will be a tar archive, so you will have to un-tar it and install it with the following commands:
        tar xvzf tripwire-2.3-47.i386.tar.gz
        rpm -ivh tripwire-2.3-47.i386.rpm
    Next issue this command to execute the installation shell script:
        /etc/tripwire/twinstall.sh
    Tripwire configuration
    The default policies are in this location:
        /usr/sbin/twadmin -m P /etc/tripwire/twpol.txt
    Now generate the initial database using this command:
        /usr/sbin/tripwire -m i
    This next command will prevent a large number of false alarms. The false alarms occur any time there is a discrepancy between the default policy and the local system's current configuration. To show a list of these alarms enter this command:
        /usr/sbin/tripwire -m c | grep Filename >> twtest.txt
    Next, using the following command, edit the policy file by commenting out or deleting the filenames listed in twtest.txt:
        /etc/tripwire/twpol.txt
    Finalizing the Configuration
    Whenever the file is edited, the policy needs to be reinstalled and the database recreated. We do this by using the following commands:
        /usr/sbin/twadmin -m P /etc/tripwire/twpol.txt
  • 41. 40
        /usr/sbin/tripwire -m i
    We are now ready to delete the clear text versions of the Tripwire policy and config files. We will accomplish this by using the following command:
        rm /etc/tripwire/twcfg.txt /etc/tripwire/twpol.txt
    If for some reason you need to restore the clear text version again, you can do so by using this command:
        /usr/sbin/twadmin -m p > /etc/tripwire/twpol.txt
    How to schedule a nightly analysis
    First create a shell script; the file will be "runtw.sh" in the /usr/local/bin directory. The contents are as follows:
        #!/bin/sh
        /usr/sbin/tripwire -m c | mail -s "Tripwire Report from apache" root@localhost
    Now schedule the script to run nightly at 1:01am by adding this line:
        1 1 * * * /usr/local/bin/runtw.sh
    to the root crontab by using this command:
        crontab -e
    The Tripwire system will now generate a report every night at 1:01am and send it to the system admin on the status of the systems.
  • 42. 41 Sources
    Apache- https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-centos-7
    Bacula- https://www.digitalocean.com/community/tutorials/how-to-install-bacula-server-on-centos-7
    DHCP- https://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-dhcp.html
    DNS- https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-centos-7
    Fog- https://wiki.fogproject.org/wiki/index.php/Installation_on_CentOS_7
    Samba- https://www.unixmen.com/install-configure-samba-server-centos-7/
    SeLinux- https://www.centos.org/docs/5/html/5.1/Deployment_Guide/sec-sel-enable-disable.html
    Squid- http://www.liquidweb.com/kb/how-to-install-squid-caching-proxy-on-centos-7/
    Suricata- https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation
    Tripwire- https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps