LINUX ADMINISTRATION
www.educlash.com
UNIT 6

CHAPTER 1 : CONFIGURING A WEB SERVER

Introducing Apache
The Apache Web server is the most popular Web server in the world.
It makes it possible to create a low-cost and stable Web server.

Apache features
Apache's true standout features are its speed, configurability, stability, and rich feature set.
Benchmark studies have shown Apache to be faster than many other Web servers, including commercial servers.
Apache is both easy to configure and easy to reconfigure.
Apache is easily extensible using Dynamic Shared Objects (DSOs), more commonly known as modules.
Apache uses a binary database format for authenticating users' requests for password-protected Web pages.
Apache supports virtual hosts, also known as multi-homed servers, which enable a single machine to provide Web services for multiple domains or IP addresses (or hostnames).
Apache enables administrators to define multiple directory index files: the server can return index.html, index.htm, or index.php, or execute a script named index.cgi.
Another boon for Web server administrators is Apache's rich support for server logging.
Apache automatically adjusts to the capabilities of connected Web clients, a process called content negotiation.

HOW WEB SERVERS WORK

INSTALLING APACHE

Install the package:
    yum install httpd
Now configure your system to start Apache at boot time:
    systemctl enable httpd.service
Start Apache:
    systemctl start httpd.service
or
    service httpd restart

CONFIGURING APACHE

Apache's startup process
Apache starts either during system boot or when invoked after boot using the init script (/etc/rc.d/init.d/httpd).
It reads 3 files:
    /etc/httpd/conf/httpd.conf
    /etc/httpd/conf/srm.conf
    /etc/httpd/access.conf

Configuring global Apache behavior
Apache configuration file, continued

GLOBAL CONFIGURATION DIRECTIVES

Directive | Description
ServerRoot /etc/httpd | Defines the top-level directory for Apache's configuration files and log files (including error logs)
PidFile /var/run/httpd.pid | Defines the file containing the PID of the master server process
Timeout 300 | Defines the maximum time in seconds Apache waits for packet send and receive operations to complete
KeepAlive On | Permits multiple requests on the same connection, speeding up delivery of HTML documents
MaxKeepAliveRequests 100 | Sets the number of requests permitted per connection
KeepAliveTimeout 15 | Sets the number of seconds permitted to elapse between requests from the same client on the same connection when KeepAlive is On
Listen [ipaddress:]80 | Determines the combination of IP address and port on which Apache listens for connections; multiple Listen directives may be used

Each <Directory></Directory> block configures access information for the named directory (or directories) and its subdirectories.
The first block sets the default permissions for all directories.

CONFIGURING VIRTUAL SERVERS

Directive | Description
<VirtualHost ipaddr[:port]> directives </VirtualHost> | Defines a virtual host whose IP address is ipaddr (listening on port, if specified); directives are one or more of the directives listed previously and override the directives listed for the default server
NameVirtualHost ipaddr[:port] | Defines the IP address ipaddr (listening on port, if specified) for a name-based virtual host
ServerName fqdn | Sets the name of the virtual server to the FQDN fqdn
ServerAlias altname | Enables the virtual server to respond to one or more alternate host names altname when used with name-based virtual hosts

Virtual servers are primarily used to support multiple domains on a single system.
Example:

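An added example, not part of the original slides: a constructed name-based virtual host configuration and a small shell function that shows which block answers a given host name. The address 192.0.2.10, the example.com and example.org names, the DocumentRoot paths and the function name vhost_docroot are assumptions; wildcard aliases are not handled.

```shell
#!/bin/sh
# Added example: constructed name-based virtual host configuration.
# Address, host names and DocumentRoot paths are made up.
VHOST_CONF=$(cat <<'EOF'
NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/example
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName www.example.org
    ServerAlias example.org intranet.example.org
    DocumentRoot /var/www/example-org
</VirtualHost>
EOF
)

# vhost_docroot HOSTNAME
# Prints the DocumentRoot of the first block whose ServerName or
# ServerAlias equals HOSTNAME (case-insensitive). If no block matches,
# prints the first block's DocumentRoot, because Apache uses the first
# virtual host listed for an address as the default for unmatched names.
vhost_docroot() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$VHOST_CONF" | awk -v want="$want" '
        /^[ \t]*<VirtualHost/ { inblk = 1; hit = 0; root = ""; next }
        inblk && (tolower($1) == "servername" || tolower($1) == "serveralias") {
            for (i = 2; i <= NF; i++) if (tolower($i) == want) hit = 1
        }
        inblk && tolower($1) == "documentroot" { root = $2 }
        /^[ \t]*<\/VirtualHost>/ {
            if (first == "") first = root
            if (hit && match_root == "") match_root = root
            inblk = 0
        }
        END { print (match_root != "" ? match_root : first) }
    '
}

vhost_docroot example.org
vhost_docroot unknown.example.net
```

The second call falls through to the first block, which is why the first virtual host in the file should be the one you are willing to serve for unexpected Host names.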
CONFIGURING APACHE FOR SSI

SSI, or server-side includes, are specially formatted statements placed in HTML documents and evaluated by the server before the server sends the document to a client.

Enabling SSI
The Options Includes directive instructs Apache to process files it serves for SSI directives.

Once configured, restart the httpd service:
    service httpd restart

TESTING THE CONFIGURATION

Create a file in /var/www/html with the extension .shtml.
Use the chmod +x *.shtml command to make the file executable.

CGI SCRIPTS

CGI, the Common Gateway Interface, is a protocol that defines a standard method enabling Apache (well, any Web server) to communicate with external programs.
These programs are known as CGI scripts or CGI programs.
CGI is much like SSI, but CGI scripts are more flexible than SSI and provide additional functionality that SSI cannot.
CGI is a Web-based interface used to execute programs and display the results in a near real-time environment.

CONFIGURE CGI

Add the following directive to httpd.conf:
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
cgi-bin accesses /var/www/cgi-bin.
1. Now navigate to the /var/www/cgi-bin directory.
2. Create the test.pl file.
3. Use the chmod +x *.pl command to make the file executable.
Open a browser at http://localhost/cgi-bin/test.pl

OUTPUT

CREATING A SECURE SERVER WITH SSL

A secure Web server consists of two components:
1. The Secure Sockets Layer (SSL) protocol. SSL provides encrypted communications and handles authentication needs between a Web browser and your Web server.
2. A digital certificate from a Certificate Authority (CA). A CA provides a generally accepted digital certificate and provides an additional level of authentication for your Web server because the CA guarantees that your Web server is, in fact, your Web server and not someone else's (this avoids fraud).

TO CREATE A SECURE WEB SERVER, YOU MUST HAVE AT LEAST THE FOLLOWING four packages installed:

apache - Provides the Apache Web server.
mod_ssl - Installs the mod_ssl Apache loadable module, which provides strong encryption for Apache and gives Apache the ability to use SSL and its companion protocol, Transport Layer Security (TLS).
openssl - Implements the SSL and TLS protocols and a general-purpose encryption library.
mm - Enables multiple instances of Apache to share state information.

GENERATING THE ENCRYPTION KEY

If you installed Apache during the initial Red Hat Linux installation, a temporary key and a test certificate were automatically generated.
To make your server a secure server, you must generate your own key and create or obtain a certificate that properly identifies your server.

GENERATING KEY AND CERTIFICATE

Remove the temporary key and certificate files generated during the installation:
    # cd /etc/httpd/conf
    # rm ssl.key/server.key
    # rm ssl.crt/server.crt
Create your own key file (the -des3 option encrypts the key, which is what produces the pass phrase prompt):
    # /usr/bin/openssl genrsa -des3 1024 > ssl.key/server.key
You should see output that resembles the following:
    Generating RSA private key, 1024 bit long modulus
    ..................++++++
    .......++++++
    e is 65537 (0x10001)
    Enter PEM pass phrase:
Type a password or pass phrase and press Enter. When prompted, retype the password or pass phrase to verify that it is correct.
Execute the following command to ensure that permissions are correctly set on the key file:
    # chmod go-rwx /etc/httpd/conf/ssl.key/server.key

GENERATING A SELF-SIGNED CERTIFICATE

Execute the following commands:
    # cd /etc/httpd/conf
    # make testcert
You should see output resembling the following:
    umask 77 ; \
    /usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt
    Using configuration from /usr/share/ssl/openssl.cnf
    Enter PEM pass phrase:
Enter the password you created in the previous section to confirm your identity. After your password is accepted, the certificate generation process prompts you for additional information.
Restart the server after generating the certificate using the following command:
    # /etc/rc.d/init.d/httpd restart

TESTING THE SELF-SIGNED CERTIFICATE

Key: /etc/httpd/conf/ssl.key/server.key
Certificate: /etc/httpd/conf/ssl.crt/server.crt
To test the new certificate, point your Web browser at your server's home page using the URL https://your.web.server/.
If you are not using a certificate from a CA, follow the instructions provided by your browser to accept the certificate.
Once the browser accepts the certificate, you will see your default home page.
The secure server uses port 443 (for SSL).

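An added example, not part of the original slides: shell checks an administrator can run on the key and certificate produced by the procedure above (key file permissions, key and certificate pairing, remaining validity). It works in a scratch directory; the 2048-bit unencrypted key, the /CN value and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. Scratch paths, the 2048-bit key size, the unencrypted
# key and the /CN value are assumptions, not values from the slides.

# make_pair DIR: key plus one-year self-signed certificate, created
# under umask 77 like the "make testcert" output shown above.
make_pair() (
    umask 77
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -x509 -days 365 \
        -subj "/CN=your.web.server" -out "$1/server.crt" 2>/dev/null
)

# key_perms_ok FILE: true only if group and others have no access bits,
# the state that "chmod go-rwx" leaves the key in.
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# cert_matches_key CERT KEY: true if the certificate carries the public
# key that belongs to the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS: true if the certificate will still be
# valid DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Demonstration in a throwaway directory.
dir=$(mktemp -d)
make_pair "$dir"
key_perms_ok "$dir/server.key" && echo "key permissions: ok"
cert_matches_key "$dir/server.crt" "$dir/server.key" && echo "certificate matches key"
cert_valid_for_days "$dir/server.crt" 30 && echo "valid for 30 more days"
rm -rf "$dir"
```

Against the real files, pass /etc/httpd/conf/ssl.crt/server.crt and /etc/httpd/conf/ssl.key/server.key; openssl will prompt for the pass phrase when the key is encrypted.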
CHAPTER 2 : SYSTEM ADMINISTRATION

Updating the system
Use the up2date agent.
Type the up2date command at the command line and follow the instructions.
The up2date agent also shows notifications about packages, just like "Windows Update".

SHOULD YOU UPGRADE TO A NEW KERNEL?

Rebuilding the kernel is required in order to support new hardware that is not supported, or that is poorly supported, by your system's existing kernel.
Should you upgrade to a new kernel? Strictly speaking, no. That is, it is rarely necessary to do so.
The kernel provided with Red Hat Linux supports the vast majority of existing PC hardware.

UPGRADING VERSUS CUSTOMIZING

Upgrading the kernel and customizing the kernel refer to two different procedures, although both require recompiling and installing the kernel.
Customizing the kernel refers to reconfiguring an existing kernel source code tree, recompiling it, installing the new kernel, and booting it.
Upgrading the kernel means obtaining an updated version of the kernel source code, either the complete source tree (now over 21MB) or one or more patches ("Patching the kernel"), followed by reconfiguring, recompiling, installing, and booting the new kernel.

UPGRADING WITH A RED HAT KERNEL RPM

1. Use a Web server to download the kernel RPM files from Red Hat's FTP server (the next section explains the details). If you want to rebuild the kernel, you have to download the kernel-source RPM corresponding to the new version of the kernel.
2. Install the RPMs by using the rpm -i command.
3. Create a new, initial RAM disk by running the /sbin/mkinitrd command.
4. Reconfigure GRUB to boot the new kernel.
5. Try out the new kernel by rebooting the system.

STEPS

Installing the Kernel RPMs
    rpm -ivh kernel*.rpm
Making a New, Initial RAM Disk (mkinitrd takes the image file name followed by the kernel version)
    /sbin/mkinitrd /boot/initrd-2.4.20-2.48.img 2.4.20-2.48
Reconfiguring GRUB
Edit /etc/grub.conf:
    title Red Hat Linux (NEW)
    root (hd0,0)
    kernel /vmlinuz-2.4.20-2.48 ro root=/dev/hda2
    initrd /initrd-2.4.20-2.48.img
Reboot

MOST COMMON ADMINISTRATIVE TASKS

useradd - Create user login accounts
userdel - Delete user login accounts
usermod - Modify user login accounts
passwd - Set or change account passwords
chsh - Set or change a user's default shell
chage - Modify password expiration information

The User Database Files
    /etc/passwd
Adding a new user
    useradd test1
Removing a user
    userdel -r test1
Modifying the account of a user
    usermod
Options of usermod
    -l to change the login name of the user account
    -L to lock the account so the user can't log in
    -p to change the password for the account
    -U to unlock the account so that the user can log in
Changing the password of a user
    passwd

Change user's shell
    chsh -s /bin/ksh test1
Change finger information of user
    finger test1 (show finger information)
    chfn test1 (change user information)

USING LINUX GROUPS

User accounts are great for controlling security for individual users, but they aren't so good at allowing groups of users to share resources.
To accomplish this, the Linux system uses another security concept, called groups.
Group permissions allow multiple users to share a common set of permissions for an object on the system, such as a file, directory, or device.
The file that maintains groups is /etc/group.

Creating new groups
    groupadd group1
Assigning a user to groups
    usermod -G group1 redhat
Modifying groups
    groupmod -n group2 group1
This command will replace group1 with group2.

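An added example, not part of the original slides: listing everyone who actually holds a group's permissions by reading both database files, since an account can belong to a group through the GID field of /etc/passwd without appearing in the member list of /etc/group. The file contents below are constructed samples and the function name group_members is an assumption.

```shell
#!/bin/sh
# Added example: constructed /etc/passwd and /etc/group contents.
# passwd fields: name:passwd:UID:GID:gecos:home:shell
# group fields:  name:passwd:GID:member,member,...
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
redhat:x:500:500:Red Hat user:/home/redhat:/bin/bash
test1:x:501:502:Test user:/home/test1:/bin/ksh'

GROUP_SAMPLE='root:x:0:
redhat:x:500:
group1:x:502:redhat'

# group_members GROUP: every account that belongs to GROUP, either as its
# primary group (GID field of passwd) or through the member list in group.
group_members() {
    {
        printf '%s\n' "$GROUP_SAMPLE"
        echo '--'                      # separator between the two files
        printf '%s\n' "$PASSWD_SAMPLE"
    } | awk -F: -v g="$1" '
        $0 == "--" { in_passwd = 1; next }
        !in_passwd && $1 == g {
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
        }
        in_passwd && gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }
    ' | sort
}

# redhat is a supplementary member; test1 has group1 as primary group.
group_members group1
```

Because usermod -G sets the complete supplementary group list, a listing like this before and after the change shows what was dropped; usermod -a -G appends instead.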
UPGRADING SOFTWARE PACKAGES

Use the yum installer to update software packages:
    yum update [packagename]
    yum update samba*