Core.3 Linux Procedures

Core.3 Linux Procedures.Machine Control.Audit Info

• Get Current Memory information
  • Retrieve current memory availability information.
• Get Linux and Kernel Version
  • Retrieves current linux version (Name) and Kernel information

Core.3 Linux Procedures.Machine Control.DNS

• Create HOSTS File
  • This procedure will create a new hosts file with variables and information you supply.
• Edit DNS Servers
  • Edit your DNS Servers
• Set Hostname
  • This procedure will setup your Servers/Workstations Hostname

Core.3 Linux Procedures.Machine Control.Files/Folder Control

• Change File/Folder Permissions
  • Read - Write - Execute 4 2 1
• Change Group Ownership
  • chgrp groupName folderName
• Change Ownership
  • chown userName fileFolderName
• Delete any file or any folder - Dangerous
  • This procedure will delete any file or folder without asking for permission

Core.3 Linux Procedures.Machine Control.Linux Kernel

• Create an initrd image
  • Creates an initrd image of the Linux system and names it initrd.image-#version# based on a version value you enter.

Core.3 Linux Procedures.Machine Control.Monitoring

• Get SNMP Conf file
  • Retrieve the SNMP configuration file using GET FILE

Core.3 Linux Procedures.Machine Control.Networking

• Setup DHCP Client
  • Adds entries for interface to pickup DHCP Server
• Setup Networking (1 interface)
  • This will create a new interfaces file in /etc/networking with new IP address information. This will only setup networking for the 1 single interface. Once the file has been created, the networking service will be restarted.

Core.3 Linux Procedures.Machine Control.Networking.Get DOMAIN info

• Query All Domain Information
  • Performs a full DNS lookup of a domain name you specify using DIG with the ANY (omnibus - All Domain Information) switch and retrieves the resulting log file, dig-#domain#-all.log, to the systems GetFile folder.
• Query DNS Server for Domain Details
  • Performs a DNS lookup of a domain name you specify using DIG and retrieves the resulting log file, dig-#domain#.log, to the systems GetFile folder.
• Query DNS Servers Authoritative for a Domain
  • Performs an Authoratative Name Server lookup of a domain name you specify using DIG with the NS (Authoritative DNS Servers for Domain) switch and retrieves the resulting log file, dig-#domain#-Auth.log, to the systems GetFile folder.
• Query Domain Address Records
  • Performs an Address (A) Records DNS lookup of a domain name you specify using DIG with the NS (Authoritative DNS Server for Domain) switch and retrieves the resulting log file, dig-#domain#-A.log, to the systems GetFile folder.
• Query Domain Email Servers
  • Performs an Email Servers/Mail Exchanger (MX) Records DNS lookup of a domain name you specify using DIG with the MX (Mail Exchangers for Domain) switch and retrieves the resulting log file, dig-#domain#-MX.log, to the systems GetFile folder.
• Query Statistics Including Round-Trip Time
  • Performs a DNS Statisics (including round-trip time) query of a domain name you specify using DIG and retrieves the resulting log file, dig-#domain#-stats.log, to the systems GetFile folder.
• Query the TTL for Each Resource Record
  • Performs a DNS Time To Live (TTL) query of a domain name you specify using DIG and retrieves the resulting log file, dig-#domain#-TTL.log, to the systems GetFile folder.

Core.3 Linux Procedures.Machine Control.Networking.Routing

• Get Routes
  • Retrieves current routes setup
• Trace Path to Domain/IP
  • Trace HOPS to domain/IP Address - Uses GET File to view results

Core.3 Linux Procedures.Machine Control.Reboot/Shutdown

• Reboot Linux
  • Restarts the system
• Shutdown Linux
  • Shutdown the Linux System

Core.3 Linux Procedures.Machine Control.Runlevel Control

• Custom Runlevel
  • Explanation of runlevels in Linux http://http://en.wikipedia.org/wiki/Runlevel
• Runlevel 1
  • Runlevel 1 is usually for very basic commands. This is the equivalent to "safe mode" used by Windows. This level is usually only used to asses repairs or maintenance to the system. This is a single-user mode and does not allow other users to login to the machine.
• Runlevel 2
  • Runlevel 2 is used to start most of the machines services. However, it does not start the network file sharing service (SMB, NFS). This will allows multiple users to login to the machine.
• Runlevel 3
  • Runlevel 3 is commonly used by servers. This loads all services except the X windows system. This means the system will boot to the equivalent of DOS. No GUIs (KDE, Gnome) will start. This level allows multiple users to login to the machine.
• Runlevel 4
  • Runlevel 4 is usually a "custom" level. By default it will start a few more services than level 3. This level is usually only used under special circumstances.
• Runlevel 5
  • Runlevel 5 is everything! This will start any GUIs, extra services for printing, and 3rd party services. Full multi-users support also. This runlevel is generally used on by workstations.

Core.3 Linux Procedures.Machine Control.Services Control

• Custom Services Control
  • Start, Stop and Restart any service on the System
• Restart HTTPD/Apache2
  • Restarts your Web Service HTTPD/Apache2
• Restart Networking
  • Restarts the networking daemon
• Restart NFS
  • Restarts the NFS Daemon Service
• Restart Postfix
  • Restart Postfix Email Server
• Restart SSH
  • Restart SSH Server
• Restart VMWare Tools
  • Restarts VMWare Tools

Core.3 Linux Procedures.Machine Control.User/Group Control.Groups

• Create new group
  • Uses GROUPADD to create a new group that you specify.
• Delete Group
  • Uses GROUPDEL to delete an existing group that you specify.

Core.3 Linux Procedures.Machine Control.User/Group Control.Password Control

• Change Root Password
  • Changes the root password on the system.
• Change user password
  • Asks for the username and resets the password.

Core.3 Linux Procedures.Machine Control.User/Group Control.Users

• Add New User
  • Add new Linux User
• Delete User
  • Delete User from Server/Machine

Core.3 Linux Procedures.Machine Control.Utils

• Add custom commands
  • Adds a number of aliased custom commands to the /root/.bashrc file and then executes it to make these commands go into effect. The custom commands are:

    ll = ls –l
    la = ls -A
    l = ls -CF

    NOTE   Extend the list by adding more aliased commands.

• Synchronize the System Clock
  • Installs and Syncs Clock
• Update File Database
  • Updates the Filesystem Database for using the "locate" command

Core.3 Linux Procedures.Maintenance

• Collect inode usage statistics
  • Check inode usage.
• Force Logical File System Check (FSCK) at Next Reboot
  • Forces an FSCK to run at next reboot.
• Get Disk Usage
  • Generates a Disk Usage listing using DF, writes results to the agent procedure log and retrieves the results to the systems Get File folder.
• Linux Weekly Maintenance
  • Performs a number of routine maintenance tasks on Linux machines including time sync, apt-get repository cleanup, package upgrades/updates and disk checks and performance statistics.
• Remove User Adobe Flash/Macromedia Permanent Objects
  • Removes User Adobe Flash and Macromedia permanent objects.
• Remove User Temporary Files
  • Removes temporary files (i.e. *~) from the current users home folder.

Core.3 Linux Procedures.Process Control.Get All Processes with PID

• Retrieves all processes with Process ID, uses the GET FILE feature to retrieve the results

• Get process Tree
  • Generates a TREE of Parent and Child processes - uses GET FILE feature to retrieve the results.
• Kill Process
  • The variable with the correct PID will be used to kill the outline process
• Locate a file
  • This will use the locate function in Kaseya to search for files as specified and use the GET FILE Feature to retrieve the results

Core.3 Linux Procedures.Setup/Configs.Backup Servers

• MySQL Backups With AutoMySQLBackup On Ubuntu 9.10
  • Postfix Install required before installing AutoMySQLBackup - Postfix is required http://sourceforge.net/projects/automysqlbackup/ http://www.mysql.com/
• Ubuntu Server 9.04 Bacula Bweb GUI
  • Not tested----

Core.3 Linux Procedures.Setup/Configs.CRM Servers.SugarCRM

• Full LAMP Server install required before installing SugarCRM - MySQL, Apached, PHP - Once the script has completed please run the following: http://Server IP Address/sugarcrm

Core.3 Linux Procedures.Setup/Configs.DNS

• Setup Chrooted DNS Server
  • Configures BIND to run in a chrooted environment

Core.3 Linux Procedures.Setup/Configs.Email Server

• (2) Configure Postix Email Server
  • Configure the Postfix Email Server
• (2.1) Configure SMTP-AUTH
  • Configure Secure SMTP authentication using SASLAUTHD
• (3) Create the certificates for TLS
  • Generates TLS Certificates
• (4) Configure Postfix for TLS
  • Configures TLS Secure Keys for using Postfix
• (5) Configure SASLAUTHD to work with Chrooted Postfix
  • Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:
• (6) Install Courier-IMAP/Courier-POP3
  • Install and configure IMAP and POP3 using courier - ... and modify the following two files; replace CN=localhost with CN=server1.example.com (you can also modify the other values, if necessary): vim /etc/courier/imapd.cnf vim /etc/courier/pop3d.cnf
• (7) Configure Maildir
  • Configures Maildir for email messages and user mailboxes

Core.3 Linux Procedures.Setup/Configs.FTP Servers

• Configure Proftpd
  • Configures the Proftpd Server - Remember to install the software first

Core.3 Linux Procedures.Setup/Configs.MySQL Server

• MySQL Server Installation
  • Install MySQL Server and set root password

Core.3 Linux Procedures.Setup/Configs.NFS.NFS Client

• Install and config for NFS Client
  • NFS Setup for Client machines to mount drives as exported/shared by the Server

Core.3 Linux Procedures.Setup/Configs.NFS.NFS Server

• Install and Setup NFS Server
  • Installs and configures NFS Server with the HOME directory and 1 optional Shared with Clients

Core.3 Linux Procedures.Setup/Configs.Security.AppArmor

• Disable AppArmor
  • AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it

Core.3 Linux Procedures.Setup/Configs.Security.iptables - Linux Firewall.Forward Rules

• Deny Access to a Specific Subnet
  • Denies access to a subnet you specify by adding appropriate iptables firewall rules.
• Forward Traffic (DNAT)
  • Allows DNAT forwarding of a particular TCP port to the internal server. You specify the public interface, public address, internal server address, and port, and the procedure adds tha appropriate iptables firewall rules.

Core.3 Linux Procedures.Setup/Configs.Security.iptables - Linux Firewall.Global Rules (REJECT, ACCEPT)

• # Forwarding Traffic (DROP ALL)
  • Reject all traffic from the forwarding chain
• # Incoming Traffic (ALLOW ALL)
  • Allow all incoming traffic through the INPUT chain
• # Incoming Traffic (DROP ALL)
  • REJECT all incoming traffic
• # Outgoing Traffic (ALLOW ALL)
  • Allow all traffic from your internal network out
• # Outgoing Traffic (DROP ALL)
  • Reject all internal traffic from exiting the firewall
• _### NB! - Enable Routing - NB! ###_
  • Enable Routing and NAT for iptables - Important for traffic to be processed through the firewall
• Don't Accept ICMP Redirect Messages
  • Configures system to not accept ICMP redirects.
• Don't Send ICMP Redirect Messages
  • Configures system to not send ICMP redirects.
• Drop ICMP echo-request Messages Sent to Broadcast or Multicast Addresses
  • Configures system to drop ICMP echo-request messages sent to broadcast or multicast addresses.
• Drop Source Routed Packets
  • Configures system to drop source routed packets.
• Enable Logging
  • Enables iptables firewall event logging.
• Enable Source Address Spoofing Protection
  • Enables Source Address Spoofing Prtection on system.
• Enable TCP SYN cookie protection from SYN floods
  • Enable TCP SYN Cookie Protection from SYN Floods on system.
• Flush All Chains
  • This will flush all iptables rules - Dangerous, use at own risk!
• Log Packets with Impossible Source Addresses
  • Enables logging of packets with impossible source addresses on system.

Core.3 Linux Procedures.Setup/Configs.Security.iptables - Linux Firewall.Inbound Rules

• Allow CUSTOM Port Inbound
  • Allows you to enter an interface, protocol and TCP/UDP port you would like added to the iptables firewall rules.
• Allow DNS Inbound
  • Allows inbound DNS traffic by adding appropriate iptables firewall rules. Applies not only for firewalls acting as DNS clients but also for firewalls working in a caching or regular DNS server role.
• Allow FTP Inbound
  • Allows inbound FTP traffic by adding appropriate iptables firewall rules.
• Allow ICMP Inbound
  • Allows inbound ICMP traffic by adding appropriate iptables firewall rules. iptables is configured to allow the firewall to send ICMP echo-requests (pings) and in turn, accept the expected ICMP echo-replies.
• Allow IMAP Inbound
  • Allows inbound IMAP traffic by adding appropriate iptables firewall rules.
• Allow IMAPS Inbound
  • Allows inbound IMAPS traffic by adding appropriate iptables firewall rules.
• Allow Kaseya Inbound
  • Allows inbound Kaseya traffic by adding appropriate iptables firewall rules.
• Allow Loopback interface
  • Allows inbound Loopback interface traffic by adding appropriate iptables firewall rules.
• Allow MySQL
  • Allows inbound MySQL traffic by adding appropriate iptables firewall rules.
• Allow Network to Access Firewall
  • eth1 is directly connected to a private network using IP addresses from the 192.168.1.0 network. All traffic between this network and the firewall is simplistically assumed to be trusted and allowed. Further rules will be needed for the interface connected to the Internet to allow only specific ports, types of connections and possibly even remote servers to have access to your firewall and home network.
• Allow POP3 Inbound
  • Allows inbound POP3 traffic by adding appropriate iptables firewall rules.
• Allow POP3S Inbound
  • Allows inbound POP3S traffic by adding appropriate iptables firewall rules.
• Allow SMTP Inbound
  • Allows inbound SMTP traffic by adding appropriate iptables firewall rules.
• Allow SSH Inbound
  • Allows inbound SSH traffic by adding appropriate iptables firewall rules.
• Allow Traffic from Localhost
  • Allow inbound traffic from the Localhost address by adding appropriate iptables firewall rules.
• Allow WWW Inbound
  • Inbound packets destined for ports 80 and 22 are allowed thereby making the first steps in establishing a connection. It isn't necessary to specify these ports for the return leg as outbound packets for all established connections are allowed. Connections initiated by persons logged into the Web server will be denied as outbound NEW connection packets aren't allowed.
• Allow Established Sessions Inbound
  • Allow inbound traffic from established connections by adding appropriate iptables firewall rules.
• Block IP Address
  • Block an IP Address you specify from entering your network via the public interface.
• Block IRC Inbound
  • Block inbound IRC traffic by adding appropriate iptables firewall rules.
• Block Network
  • Block an entire network from accessing your network
• List all iptables Rules
  • This will pipe all iptables rules to /var/tmp/iptables.log and the GET procedure will upload this to the server for review
• Restart IPTables
  • Restart IPTables firewall
• Save iptables Rules
  • Tested on Ubuntu

Core.3 Linux Procedures.Setup/Configs.Security.iptables - Linux Firewall.Outbound Rules

• # Allow Kaseya Outbound
  • Allows outbound Kaseya traffic by adding appropriate iptables firewall rules.
• Allow CUSTOM Port Outbound
  • Allow a custom port from your internal network to access the outside world
• Allow DNS Outbound
  • The following statements will apply not only for firewalls acting as DNS clients but also for firewalls working in a caching or regular DNS server role.
• Allow Established Connections Outbound
  • Allows all established connections with ACK back.
• Allow FTP Outbound
  • Allows outbound FTP traffic by adding appropriate iptables firewall rules.
• Allow ICMP Packets Outbound
  • Allows outbound ICMP packets by adding appropriate iptables firewall rules.
• Allow IMAP Outbound
  • Allows outbound IMAP traffic by adding appropriate iptables firewall rules.
• Allow IMAPS Outbound
  • Allows outbound IMAPS traffic by adding appropriate iptables firewall rules.
• Allow Loopback Interface
  • Allows outbound Loopback traffic by adding appropriate iptables firewall rules.
• Allow MySQL Outbound
  • Allows outbound MySQL traffic by adding appropriate iptables firewall rules.
• Allow POP3 Outbound
  • Allows outbound POP3 traffic by adding appropriate iptables firewall rules.
• Allow POP3S Outbound
  • Allows outbound POP3S traffic by adding appropriate iptables firewall rules.
• Allow SMTP Outbound
  • Allows outbound SMTP traffic by adding appropriate iptables firewall rules.
• Allow SSH
  • Allows outbound SSH traffic by adding appropriate iptables firewall rules.
• Allow WWW
  • Allows outbound WWW traffic by adding appropriate iptables firewall rules.
• Deny Access to a Specific Outbound IP Address with Logging
  • Denies access with logging to an outbound IP address you specify by adding appropriate iptables firewall rules.
• FLUSH OUTBOUND Rules
  • Flushes iptables OUTBOUND rules. Dangerous, use at own risk!
• Run all OUTBOUND Rules
  • Applies all OUTBOUND rules with ability to optionally flush all OUTBOUND rules first.

Core.3 Linux Procedures.Setup/Configs.Security.iptables - Linux Firewall.Postrouting Rules

• Allow routing for private network through Firewall
  • You'll notice that the private network is a non-public routed IP network. This requires address translation at a router with a public IP address or nothing on the public network will be able to return packets to the private network. Address translation is easily enabled with iptables. The addresses that are being translated are the "source" of sessions so the mode is called Source NAT (SNAT):

Core.3 Linux Procedures.Setup/Configs.Security.SELinux

• Disable SELinux after reboot
  • This will disable SELinux for good and after the first reboot
• Disable SELinux Immediately
  • Disables SELinux for the current logged in runlevel. This will not be configured to be disabled after reboot.

Core.3 Linux Procedures.Setup/Configs.Shell Control

• Change The Default Shell
  • /bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash

Core.3 Linux Procedures.Setup/Configs.Web Servers.Apache2

• Enable Modules
  • Apache modules (SSL, rewrite, suexec, include, and WebDAV):
• Install Apache2
  • Uses APT-GET to install Apache2 web server, CHKCONFIG to set for automatic startup, and starts Apache daemon.
• Install PHPMyAdmin
  • Be sure to change the Apache configuration so that phpMyAdmin allows connections not just from localhost (by commenting out the <Directory /usr/share/phpMyAdmin/> stanza):

Core.3 Linux Procedures.Setup/Configs.Web Servers.Scripting

• Install PHP5
  • Install PHP5 for Apache 2

Core.3 Linux Procedures.Software Control.Applications

• Install CHKCONFIG
  • Installs CHKCONFIG package. This package enables you to start a specific daemon package on system boot.
• Install CHKCONFIG Simple
  • Uses APT-GET to install CHKCONFIG.
• Install Common needed packages
  • This will install commonly needed packages for Ubuntu. binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.6-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential
• install SNMP
  • This will install SNMP which allows you to monitor Linux Servers. Remember to set your SNMP Community String
• Install Software
  • Prompts the user for the software package name that needs to be installed, and then uses APT-GET to install that package.
• Install software from Image List
  • This allows you to to PIPE ( | ) a list of software to the apt-get install command which will install all missin software from the list. You have to create the list first! NB (Look in Software Updates/Upgrades Folder for the create image list procedure
• Install SSH
  • Install the SSH Server for remote access
• Install VIM
  • This installs VIM which is an easy to use text file editor for LInux
• Install vim-nox
  • The default vi program has some strange behaviour on Ubuntu and Debian; to fix this, we install vim-nox:
• Install XPDF
  • PDF Reader for Linux

Core.3 Linux Procedures.Software Control.apt-get

• Autoclean apt-get
  • apt-get autoclean removes only package files that can no longer be downloaded.
• Clean apt-get repository
  • Removes everything except lock files from /var/cache/apt/archives/ and /var/cache/apt/archives/partial/. Thus, if you need to reinstall a package APT should retrieve it again
• Install Software
  • Prompts the user for the software package name that needs to be installed, and then uses APT-GET to install that package.
• Remove Software
  • Removes the Package as prompted by the procedure

Core.3 Linux Procedures.Software Control.DNS

• Install Bind9
  • DNS Server for linux

Core.3 Linux Procedures.Software Control.Email Servers

• Download Zimbra Email
  • This will download the Zimbra email collaboration suite for Linux.

Core.3 Linux Procedures.Software Control.File Server

• Install Quota
  • This will install the quota application needed for Quota control on specific folders. It is strongly recommended that you edit your /etc/fstab file manually as this can break your server and not mount any filesystem. Here is an example of a working fstab with quota enabled:

# <file system> <mount point>   <type>  <options>       <dump>  <pass>

proc            /proc           proc    nodev,noexec,nosuid 0       0

/dev/mapper/server1-root /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0       1

# /boot was on /dev/sda1 during installation

UUID=a8f37dcf-5836-485c-a451-3ae2f0f47720 /boot           ext2    defaults        0       2

/dev/mapper/server1-swap_1 none            swap    sw              0       0

/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0

• Set Quota on
  • Enable quota management for File Servers

Core.3 Linux Procedures.Software Control.FTP Servers

• Install Proftpd
  • This will install the Proftp Server for Linux

Core.3 Linux Procedures.Software Control.iptables (Firewall)

• Install iptables
  • Uses APT-GET to install iptables firewall.

Core.3 Linux Procedures.Software Control.Management Software

• Download Webmin
  • Webmin is a GUI used for full management of Linux using your Web Browser

Core.3 Linux Procedures.Software Control.Repository's

• Enable Multiverse Repository
  • This will add the sources to the source.list file. It will not recreate the file.
• Enable Universe Repository
  • This procedure will add these repository's sources to the source.list file. It will not recreate the file.
• Update Repository's
  • Updates all packages - Run this after you added the Repo's

Core.3 Linux Procedures.Software Control.System

• Install NTP Daemon
  • It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the internet. Simply run

Core.3 Linux Procedures.Software Control.Updates/Upgrades

• Create Image List of Installed Software
  • Create image list of installed software
• Full System Update
  • Updates all system packages
• Upgrade Packages
  • Use this procedure to upgrade packages within the same distribution
• Upgrade to New Release
  • Upgrades your Linux Distro to the latets available version - You will see a Reboot Request on the desktop when finished
• Linux Package Updates/Upgrades
  • Performs a Full System Update and Upgrades all Installed Packages