
Apr 22, 2013

Setup a RedHat PXE server

You need to have the following packages and services installed and running:
vsftpd
dhcpd
xinetd
tftpd
tftpd-server
system-config-netboot
Note: It is better to switch off iptables until you complete the whole process.

First mount the RHEL DVD to the system.

Then install vsftpd. I will use the vsftpd-* package from the RHEL6 installation DVD.
# cd /media/rhel6/Packages
# yum localinstall vsftpd-* -y
Then start the service and enable it at startup.
# service vsftpd start
# chkconfig vsftpd on
This installs vsftpd on the system and creates the directory "/var/ftp/pub", the public folder of our FTP server. We can create the OS installation repository in this location.
mkdir /var/ftp/pub/rhel6
I copy the full image to that location so we can use an FTP connection to do the installation.
cp -r /media/rhel6/* /var/ftp/pub/rhel6
Add a repo file to use that location as a local repository.
# vim /etc/yum.repos.d/local.repo
on that;
[localrepo]
name=local repository
baseurl=ftp://192.168.0.10/pub/rhel6
gpgcheck=0
Then install the tftp service
# yum install -y tftp* xinetd*
Then you need to install the "system-config-netboot" package.
# wget http://mirrors.kernel.org/centos/5/os/x86_64/CentOS/alchemist-1.0.36-2.el5.x86_64.rpm
# wget http://mirrors.kernel.org/centos/5/os/x86_64/CentOS/system-config-netboot-0.1.45.1-5.el5.noarch.rpm
# wget http://mirrors.kernel.org/centos/5/os/x86_64/CentOS/system-config-netboot-cmd-0.1.45.1-5.el5.noarch.rpm
"system-config-netboot" depends on the "alchemist" package, which in turn depends on "python-abi". "python-abi" requires python-2.4, but RHEL6 already ships python-2.6, so we install "alchemist" with the --nodeps flag.
# rpm -ivh alchemist-1.0.36-2.el5.x86_64.rpm --nodeps
# rpm -ivh system-config-netboot-*
tftpd-server creates the "/tftpboot/linux-install/" directory. Now we need to edit "/etc/xinetd.d/tftp" so that the tftpboot path points to this automatically created directory.
# vim /etc/xinetd.d/tftp
on that file;
...
server_args = -s /tftpboot # change the original "/var/lib/tftpboot" to "/tftpboot"
...
Now run this command to generate the PXE boot item
pxeos -a -i "RedHat EL 6" -p FTP -D 0 -s 192.168.0.10 -L /pub/rhel6 RHEL6
This command will create a directory called "/tftpboot/linux-install/RHEL6".

Then restart the xinetd and tftp services.
# service xinetd restart
# chkconfig xinetd on
# chkconfig tftp on
Now you need to install the DHCP service. It hands the TFTP server details to the client that is to be installed.
# yum install dhcp -y
Then edit the dhcp configuration file.
# vim /etc/dhcp/dhcpd.conf
on that file;
option domain-name-servers  192.168.0.1;
allow bootp;
allow booting;

subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.200;
  option routers 192.168.0.1;
}

next-server 192.168.0.50; # IP address of your TFTP server
filename "linux-install/pxelinux.0"; # name of the boot loader program
Then restart the dhcp service.
# service dhcpd restart
# chkconfig dhcpd on

Put a kickstart configuration file in the FTP pub location "/var/ftp/pub/ks.cfg". Then edit
# vim /tftpboot/linux-install/pxelinux.cfg/default
and add the kernel parameter (ks=ftp://192.168.0.10/pub/ks.cfg) for the kickstart file.
...
label 1
  kernel RHEL6/vmlinuz
  append initrd=RHEL6/initrd.img ramdisk_size=16000 method=ftp://192.168.0.10/pub/rhel6 ip=dhcp ks=ftp://192.168.0.10/pub/ks.cfg
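In this setup the DHCP next-server and the FTP URLs in the PXE menu should name the same host, because TFTP and FTP both run on the box we just built. As an added check that is not part of the original post, the script below parses both fragments and reports any address that disagrees; the constructed sample reuses the values from this post, so it shows what a mismatch report looks like.

```shell
#!/bin/sh
# Added example (not from the original post): check that the host dhcpd hands
# out as next-server is the same host the PXE menu's append line fetches the
# install tree (method=ftp://...) and kickstart (ks=ftp://...) from. In this
# post TFTP and FTP run on one box, so a mismatch means a client TFTP-boots
# from one address and then cannot reach the repository on the other.
set -f   # no globbing: config text may contain '*'

# Constructed fragments mirroring the post's files (not read from disk).
DHCPD_CONF='allow bootp;
allow booting;
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.200;
  option routers 192.168.0.1;
}
next-server 192.168.0.50;
filename "linux-install/pxelinux.0";'

PXE_DEFAULT='label 1
  kernel RHEL6/vmlinuz
  append initrd=RHEL6/initrd.img ramdisk_size=16000 method=ftp://192.168.0.10/pub/rhel6 ip=dhcp ks=ftp://192.168.0.10/pub/ks.cfg'

# dhcp_next_server: print the first next-server address found on stdin.
dhcp_next_server() {
    sed -n 's/^[[:space:]]*next-server[[:space:]]*\([^;[:space:]]*\);.*/\1/p' | head -n 1
}

# pxe_ftp_hosts: print each distinct host named in an ftp:// URL on stdin.
pxe_ftp_hosts() {
    grep -o 'ftp://[^/ ]*' | sed 's|^ftp://||' | sort -u
}

# check_pxe_consistency DHCPD_TEXT PXE_TEXT: 0 if every FTP host in the PXE
# menu equals the DHCP next-server, 1 otherwise (each mismatch is printed).
check_pxe_consistency() {
    ns=$(printf '%s\n' "$1" | dhcp_next_server)
    [ -n "$ns" ] || { echo "no next-server in dhcpd.conf"; return 1; }
    rc=0
    for h in $(printf '%s\n' "$2" | pxe_ftp_hosts); do
        if [ "$h" != "$ns" ]; then
            echo "mismatch: next-server=$ns but PXE menu fetches from $h"
            rc=1
        fi
    done
    return $rc
}

check_pxe_consistency "$DHCPD_CONF" "$PXE_DEFAULT" || echo "review dhcpd.conf before booting clients"
```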

Jan 15, 2013

Set proxy settings on apt

Apt is the default package manager in most Debian-based distributions, including Ubuntu. If the system is behind a proxy and a firewall, the systems administrator needs to set proxy settings on the system in order to connect it to the Internet. The systems administrator can use the method that I described in a previous post to set proxy settings on the system, but apt will not use those settings when it tries to connect to the Internet. Therefore, the systems administrator needs to set the proxy settings in apt's own configuration file. To do that;

You need to edit the '/etc/apt/apt.conf' file or, if that file does not exist, add a new file '/etc/apt/apt.conf.d/01proxy'.

Then you need to add the following line to one of these files.

Acquire::http::Proxy "http://[proxy server ip]:[proxy listening port]";


You need root-level privileges to do this. After editing the file you can run "apt-get update" to refresh the apt package database.

Jan 9, 2013

Install Key Management Service (KMS)

In Windows, whenever you install new software you need to activate it with Microsoft over the Internet. In a large network doing that is hard work. Most of the time large organizations use 'Volume Licensing' when they purchase Microsoft products, and managing those volume licenses is another problem. We can use the Key Management Service to handle this.

First of all you need to get the KMS key from your "Microsoft Volume License Service Center". Assume that we are going to install KMS on a Windows Server 2008 R2 that is already joined to the domain, and that we are logged in as a domain administrator (if not, you need to add the DNS entry to the DNS server manually). Then you need to locate the KMS key "Windows Server 2008 Std/Ent KMS B".

Then log in to that server and change the product key to this KMS B key as follows.
Right-click on "My Computer" -> Properties. Click on the "Change Product Key" link. It will open another window. Enter the "KMS B" key there and continue. It will give a warning saying "You have entered a Key Management Service Key ...". Click OK.

Then you need to open the KMS port on the local firewall to the domain. To do that, open the Windows Firewall, select "Allow programs to communicate through Windows Firewall", tick "Key Management Service", and press OK to save the changed settings.

Now you have almost installed the KMS. To verify the installation we can type;

nslookup -type=srv _vlmcs._tcp

on a client machine. If it returns the correct IP/domain name of the KMS host, you have successfully installed the Key Management Service for your network.

Now you can use these KMS client ("dummy") keys (http://technet.microsoft.com/en-us/library/ff793421.aspx) to activate other clients against the installed KMS service.

Note: You must have at least the minimum number of physical computers or virtual instances (the activation threshold) before this service will activate clients. The threshold details are at: http://technet.microsoft.com/en-us/library/ff793434.aspx



Jan 6, 2013

Schedule tasks in Linux using cron

Cron is used to schedule tasks on Linux/Unix systems. It runs as a daemon on the system. On most systems crond (the cron daemon) is available and configured to run at startup by default. You can check this with;

ps -ef  | grep cron

If it is not running, start the daemon

service crond start

and set it to start at the system startup.

chkconfig crond on

Then you can do the scheduling. If you view the '/etc/crontab' file you will see all the information needed to automate the execution of a command.

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed

You can run these commands as either root or a normal user. Type 'crontab -e' to add or edit cron jobs. If you type 'crontab -e' as a normal user, it opens that user's own crontab. If you need to schedule a task that requires admin privileges, log in as root and type 'crontab -e'.

Run a task every 15 minutes (the user-name field in these lines belongs to the /etc/crontab and /etc/cron.d format; leave it out in a personal crontab edited with 'crontab -e').

*/15 * * * * root /usr/bin/command

or

0,15,30,45 * * * *  root /usr/bin/command

There are some more keywords you can use when scheduling tasks. They are;

@reboot
@yearly or @annually
@monthly
@weekly
@daily or @midnight
@hourly

You can use them like this;

@reboot  /root/scripts/mystartup.sh

You can modify a command to append the output of the execution to a specific log file like this;

@reboot  /root/scripts/mystartup.sh  >>/var/log/mystartupcron.log 2>&1

Note: Use absolute paths for commands and files in crontab entries.
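As an added example that is not from the original post, the script below expands a crontab time field the way crond reads it, which shows that '*/15' and '0,15,30,45' fire at exactly the same minutes, and maps the @keywords listed above to their five-field form.

```shell
#!/bin/sh
# Added example (not from the original post): expand one crontab time field
# into the concrete values it matches, so two spellings of a schedule (the
# post's "*/15" and "0,15,30,45") can be shown equivalent before they go into
# root's crontab. Handles "*", "n", "a-b", "a,b,c" and "/step" on any of them.
set -f   # '*' in a field must not be glob-expanded

# expand_field FIELD MIN MAX: print the matching values, sorted, space-separated.
expand_field() {
    field=$1; lo=$2; hi=$3; out=""
    for part in $(printf '%s\n' "$field" | tr ',' ' '); do
        step=1
        case $part in
            */*) step=${part#*/}; part=${part%/*} ;;   # range/step
        esac
        case $part in
            '*') start=$lo; end=$hi ;;                 # whole range
            *-*) start=${part%-*}; end=${part#*-} ;;   # a-b
            *)   start=$part; end=$part ;;             # single value
        esac
        i=$start
        while [ "$i" -le "$end" ]; do
            out="$out $i"
            i=$((i + step))
        done
    done
    printf '%s\n' $out | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# The two "every 15 minutes" entries from the post, expanded to minutes.
every15_star() { expand_field '*/15' 0 59; }
every15_list() { expand_field '0,15,30,45' 0 59; }

# keyword_to_fields KEYWORD: five-field equivalent of the @keywords listed above.
keyword_to_fields() {
    case $1 in
        @hourly)           echo '0 * * * *' ;;
        @daily|@midnight)  echo '0 0 * * *' ;;
        @weekly)           echo '0 0 * * 0' ;;
        @monthly)          echo '0 0 1 * *' ;;
        @yearly|@annually) echo '0 0 1 1 *' ;;
        @reboot)           echo 'runs once when crond starts; no time fields' ;;
        *)                 return 1 ;;
    esac
}

echo "*/15       -> $(every15_star)"
echo "0,15,30,45 -> $(every15_list)"
```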

Jan 4, 2013

Deny Youtube in office hours using Squid proxy

We can use Squid as an Internet access control system. In this post I will show you how to configure Squid to control access to the youtube.com website.

You need to edit the '/etc/squid/squid.conf' file to make these changes.

First we need to define our local network (e.g. 192.168.2.0/24). To do that, edit the 'acl localnet src *' line in the config file to;

acl localnet src 192.168.2.0/24

Then we assume we need to block YouTube access during working hours for all users on the network. Therefore, we need to define the working hours in the configuration file. This definition should come right after the 'Safe_ports' definitions.

acl officehours time M T W H F 8:00-17:00

Now set the host name of the proxy machine with;

visible_hostname proxy.domain.com

If anyone needs to access YouTube during office hours we need an exception for that. For example, we can define a YouTube-allowed IP range and/or some individual IP addresses like this.

acl allowyoutube src 192.168.2.21-192.168.2.40
acl allowyoutube src 192.168.2.75
acl allowyoutube src 192.168.2.65

Now we can block YouTube for all users except those special users by setting;

acl youtube dstdomain .youtube.com
http_access deny CONNECT youtube !allowyoutube officehours
http_access deny youtube !allowyoutube officehours

# deny access to unsafe ports, and CONNECT to non-SSL ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# allow only local network
http_access allow localnet
http_access deny all

Then restart the squid service and check the logs in '/var/log/squid/' for more information.
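To see what the rule order above does for a given client before the config is pushed, here is an added evaluator (not part of the original post, and not Squid's own matcher) that models the post's src, dstdomain and time ACLs in shell; the Safe_ports/SSL_ports checks are left out and requests are assumed to be on permitted ports.

```shell
#!/bin/sh
# Added example (not from the original post): a small evaluator that applies
# the post's http_access rules, first match wins as in Squid, to one request
# so the ACL combination can be checked against sample clients before the
# config is pushed. It models only the src/dstdomain/time ACLs above; the
# Safe_ports/SSL_ports rules are omitted (requests assumed on safe ports).

# ip_to_int A.B.C.D: integer form for range comparison
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# acl localnet src 192.168.2.0/24
in_localnet() { case $1 in 192.168.2.*) return 0 ;; *) return 1 ;; esac; }

# acl allowyoutube src 192.168.2.21-192.168.2.40 / 192.168.2.75 / 192.168.2.65
in_allowyoutube() {
    ip=$(ip_to_int "$1")
    [ "$ip" -ge "$(ip_to_int 192.168.2.21)" ] && [ "$ip" -le "$(ip_to_int 192.168.2.40)" ] && return 0
    [ "$1" = 192.168.2.75 ] || [ "$1" = 192.168.2.65 ]
}

# acl youtube dstdomain .youtube.com  (the domain itself and any subdomain)
is_youtube() { case $1 in youtube.com|*.youtube.com) return 0 ;; *) return 1 ;; esac; }

# acl officehours time M T W H F 8:00-17:00, checked at whole-hour granularity
in_officehours() {
    case $1 in M|T|W|H|F) [ "$2" -ge 8 ] && [ "$2" -lt 17 ] ;; *) return 1 ;; esac
}

# squid_decide CLIENT_IP DEST_DOMAIN DAY(M|T|W|H|F|A|S) HOUR: prints allow|deny
squid_decide() {
    src=$1; dst=$2; day=$3; hour=$4
    # http_access deny youtube !allowyoutube officehours (CONNECT and plain alike)
    if is_youtube "$dst" && ! in_allowyoutube "$src" && in_officehours "$day" "$hour"; then
        echo deny; return
    fi
    # http_access allow localnet
    if in_localnet "$src"; then
        echo allow; return
    fi
    echo deny   # http_access deny all
}

squid_decide 192.168.2.50 www.youtube.com M 10   # deny: office hours, not exempt
squid_decide 192.168.2.30 www.youtube.com M 10   # allow: inside the exempt range
squid_decide 192.168.2.50 www.youtube.com A 10   # allow: Saturday
```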

Jan 2, 2013

A Simple Centralized Log Server Using Rsyslog

Logs are very useful when it comes to forensic work, but most systems keep all their logs on the same host. Keeping the logs only on the host that produced them is not very useful, because an attacker who compromises that host can destroy all the logs on it.

Therefore we use a secure centralized log server to collect all the logs. Every system and device on the network sends a copy of each log entry to this centralized log server.

In this post I'm going to set up a simple centralized log server using rsyslog. Most Linux systems have rsyslog installed by default; you just need to edit some configuration files.

In this setup we have a centralized log server (the server) and a client (simulating a system or device on the network). First I configure the server part and then I will move on to the client part.

Server :-

Edit /etc/rsyslog.conf to enable the UDP module and make rsyslog listen on UDP port 514.

# provides UDP syslog reception. For TCP, load imtcp.
$ModLoad imudp

# For TCP, $InputTCPServerRun 514
$UDPServerRun 514


Then you need to restart the rsyslog service.
service rsyslog restart

Now the rsyslog on that host will work as the centralized log server.

Check the firewall (iptables) and SELinux settings and allow UDP port 514 to receive data from other devices on the network.

You can use
tcpdump -i eth0 port 514
to see all incoming syslog data.


Client :-

Edit the same file on the client in order to forward its logs to the centralized log server.

*.* @192.168.1.1:514

Here '*.*' means all facilities and all priorities, the single '@' means use the UDP protocol, and what follows is the IP address and listening port of the centralized log server.

After editing the configuration file you need to restart rsyslog.


View collected logs:-

By default all forwarded logs are appended to the messages log on the centralized server. You can view them in /var/log/messages.

Note:-
As logs are in plain text, forwarding them over plain UDP/TCP is not good practice.
Add filters and manage the logs rather than dumping everything into a single file.
Do proper log rotation.
Use log correlation mechanisms to take proactive decisions.
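As an added example that is not from the original post, the following audits forwarding lines of the '*.* @host:port' form explained above and reports, per action, whether it is UDP or TCP and plaintext or TLS, which is the check behind the note on plain-text forwarding. The '@@' TCP form and the $ActionSendStreamDriverMode directive are rsyslog legacy syntax that the post does not show, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit rsyslog forwarding lines of
# the "selector @host:port" form explained above and report, per action, the
# transport and whether it is encrypted, so client configs can be checked for
# the plaintext forwarding the post's note warns about. Single "@" is UDP; the
# "@@" TCP form and the $ActionSendStreamDriverMode 1 (TLS) directive are
# rsyslog legacy syntax not shown in the post, included here as an assumption.

# Constructed sample config, not a real file: the post's client line plus
# a TCP variant and a TLS-wrapped TCP variant.
SAMPLE_CONF='# forward everything to the central server (line from the post)
*.* @192.168.1.1:514
auth.* @@192.168.1.1:514
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
mail.info @@logs.example.internal:6514'

# audit_forwarding: read a config on stdin, print
# "selector transport host port plaintext|tls" for each forwarding action.
audit_forwarding() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }                  # comments, blanks
        $1 == "$ActionSendStreamDriverMode" { tls = ($2 == "1"); next }
        $2 ~ /^@/ {
            target = $2
            transport = (target ~ /^@@/) ? "tcp" : "udp"
            sub(/^@@?/, "", target)
            port = 514                                        # syslog default
            if (target ~ /:/) {
                port = target; sub(/.*:/, "", port); sub(/:.*/, "", target)
            }
            crypt = (transport == "tcp" && tls) ? "tls" : "plaintext"
            print $1, transport, target, port, crypt
        }'
}

# count_plaintext: number of actions that leave log data readable on the wire.
count_plaintext() {
    audit_forwarding | awk '$5 == "plaintext" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_CONF" | audit_forwarding
echo "plaintext forwarders: $(printf '%s\n' "$SAMPLE_CONF" | count_plaintext)"
```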

Nov 25, 2011

Login error when installing MSSQL 2008

I tried to install MSSQL 2008 server on Windows XP SP3.
The installation was fine but at the end it prompted an error like this.

"' ' is not a valid login or you do not have permission."

I used "NT Authentication\System" and I added the current user to the SQL Server administrators section.

Then I read some forums and found that my "user name" and "PC host name" were the same. It appears as "myname\myname". That may be the issue. I created a new admin user with a different name and tried to re-install the server again.

There were no errors. Finally I realized that if I use the default Administrator account to install SQL Server it will not create an unnecessary account.

My opinion is:-

  • Remove the SQL server.
  • Log out from the user.
  • Then press Alt+Ctrl+Del twice.
  • Then type "administrator" as the username and press Enter (if you have set a password for the Administrator account you need to enter it).
  • Start the installation.
  • Use NT Authentication\System.
  • Give a password to the SA (default) account.
  • Add the current user.
  • And continue.