
Gavrav


1. Explain the concept to allow services through firewalls.

→ After an installation of Red Hat Enterprise Linux, the firewall is configured by
default, and not many services are allowed through the firewall.
* The simplest way to allow specific services through the firewall is by
selecting them using the Trusted Services option in system-config-firewall.
This interface offers a list of commonly used services.
• Allowing basic services through the Firewall:
1. From the GNOME graphical interface, select System > Administration >
Firewall. Review the warning that tells you that all current configurations will
be overwritten, and click Close. Also, enter the root password if prompted.
2. From the list of trusted services, select DNS, FTP, SSH, and WWW, and click
Apply to save the configuration.
3. Close system-config-firewall, and open a shell prompt.
4. Type chkconfig | grep iptables. This command will display the current status
of the iptables service in the runlevels on your server. It should read as follows:
[root@hn/~]# chkconfig | grep iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
5. If the iptables service that implements your firewall isn't listed as being on in
runlevels 2, 3, 4, and 5, use chkconfig iptables on to enable it.
6. Type service iptables status. This command shows that the current status of
iptables is enabled.
7. Type iptables -L -v. You'll see a list that displays all of the firewall rules.
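The checks in steps 4 to 7 can be scripted. The following is an added example, not part of the original notes: it confirms the runlevels and reports any open port beyond the four trusted services. It assumes numeric output from iptables -L INPUT -v -n and the port mapping FTP 21, SSH 22, DNS 53, WWW 80; both sample outputs are constructed.

```shell
#!/bin/sh
# Ports expected after step 2 (assumed mapping: FTP 21, SSH 22, DNS 53, WWW 80).
EXPECTED="tcp/21 tcp/22 tcp/53 udp/53 tcp/80"

# Constructed sample of `chkconfig | grep iptables` output.
SAMPLE_CHKCONFIG="iptables  0:off  1:off  2:on  3:on  4:on  5:on  6:off"

# Constructed sample of `iptables -L INPUT -v -n` output (-n prints numeric ports).
SAMPLE_RULES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source    destination
   12   900 ACCEPT all  --  *  *   0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
    0     0 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited'

# runlevels_ok LINE: succeeds only if the service is on in runlevels 2, 3, 4 and 5.
runlevels_ok() {
  echo "$1" | awk '{ for (i = 2; i <= NF; i++) if ($i ~ /^[2-5]:on$/) n++ }
                   END { exit (n == 4 ? 0 : 1) }'
}

# open_ports: reads the rule listing on stdin, prints proto/port per ACCEPT rule.
open_ports() {
  awk '$3 == "ACCEPT" { for (i = 5; i <= NF; i++)
         if ($i ~ /^dpt:[0-9]+$/) print $4 "/" substr($i, 5) }' | LC_ALL=C sort -u
}

# unexpected_ports: prints every open port missing from EXPECTED (no output = clean).
unexpected_ports() {
  open_ports | while read -r p; do
    case " $EXPECTED " in *" $p "*) ;; *) echo "$p" ;; esac
  done
}

runlevels_ok "$SAMPLE_CHKCONFIG" && echo "iptables enabled in runlevels 2-5"
echo "$SAMPLE_RULES" | unexpected_ports   # reports the constructed 3306 rule
```

On a live server, pipe the real command output into the same functions instead of the samples.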
5. Explain procedure for creating Self-signed Certificates.
• To begin, you need to store the certificates that you are going to create
• You can do this in the home directory of user root if you want them to be well
protected, or else you can put the certificates in the directory /etc/pki/tls,
which exists for this purpose by default.
• Within this directory, you need four subdirectories to store the certificates:
certs, newcerts, private, and crl.
• To create a certificate for your CA server, you can use the configuration file
that you'll find in /etc/pki/openssl.cnf.
• This file contains default settings that are used to facilitate the
creation of new certificates.
• Using this file makes creating certificates easier: all default values that are
specified here don't have to be used on the command line.
• After checking the default values you want to use in openssl.cnf, you can
start creating your own self-signed certificate.
• The following command allows you to create a certificate that uses a 1024-bit
RSA key with a validity of 10 years:
openssl req -newkey rsa:1024 -x509 -days 3650
• In the previous code snippet, you can see that openssl is used as the
master command.
• req is the command that is used to generate a certificate-signing
request.
• With that request, a new key is created with an RSA length of 1024
bits, in which x509 and a validity of 10 years are used.
• When creating a certificate that is to be used for a CA, it's a good idea to
choose a long validity period.
• Another way of creating a self-signed certificate is by using the genkey
command.
This command provides a text user interface that guides the user through the
process of creating a certificate.
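The procedure above, run unattended and followed by a key-size check. This is an added example, not part of the original notes. It assumes a scratch directory in place of /etc/pki/tls, adds the openssl req options -nodes, -subj, -keyout and -out so no prompts appear, and assumes a 2048-bit minimum for RSA keys, which the 1024-bit key from the text does not meet.

```shell
#!/bin/sh
# Scratch directory standing in for /etc/pki/tls (assumption for this example).
CA_DIR=$(mktemp -d)
mkdir -p "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/private" "$CA_DIR/crl"
chmod 700 "$CA_DIR/private"   # private keys readable by the owner only

# make_cert BITS NAME: self-signed certificate valid for 10 years, as in the
# command from the text; the extra options only remove the interactive prompts.
make_cert() {
  openssl req -newkey "rsa:$1" -x509 -days 3650 -nodes \
    -subj "/CN=$2.example.com" \
    -keyout "$CA_DIR/private/$2.key" -out "$CA_DIR/certs/$2.crt" 2>/dev/null
  chmod 600 "$CA_DIR/private/$2.key"
}

# key_bits CERT: prints the size of the certificate's public key in bits.
key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# audit_cert CERT: prints WEAK for an RSA key below 2048 bits, otherwise OK.
audit_cert() {
  if [ "$(key_bits "$1")" -lt 2048 ]; then echo WEAK; else echo OK; fi
}

make_cert 1024 legacy    # the key size used in the text
make_cert 2048 current   # the same command with a 2048-bit key
for c in legacy current; do
  crt="$CA_DIR/certs/$c.crt"
  echo "$c: $(key_bits "$crt") bits, $(audit_cert "$crt")"
done
```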
6. Explain GPG file encryption and decryption.
• GPG is commonly used to encrypt files.
• GPG file encryption and decryption:
1. Open a shell, and use su - linda to become user linda.
2. As linda, copy the file /etc/hosts to your home directory using cp /etc/hosts
~.
3. Use gpg --list-keys to list the keys currently imported in linda's environment,
and note the exact name of the user lisa.
4. Encrypt the file using gpg -e hosts. When the user account is requested,
enter the exact name of user lisa as you found it in the previous step of this
exercise. Next, press Enter on an empty line to complete the encryption
procedure.
5. Use cp ~/hosts.gpg /tmp to copy the gpg file to the /tmp directory, where lisa
can see and read it.
6. Use exit to log out as linda, and now use su - lisa to become user lisa.
7. As lisa, use gpg -d /tmp/hosts.gpg to decrypt the hosts file.
Q7). Explain process of creating and managing GPG keys.
• Creating GPG keys:
1. If they don't exist already, create two users named lisa and linda, and give
them the password password.
2. Log in to the graphical interface as user linda, and use gpg --gen-key to
create a GPG key pair. Accept all default values, and assign the password
'password 12' to the private key. When the gen-key program tells you to
generate entropy, use ls -R / a couple of times to get you through the procedure
faster.
3. Repeat step 2 for user lisa, and use the same parameters.
Managing GPG keys:
Once the keys have been created, there are some management tasks of which
you must be aware.
- To begin, you can generate an overview of all the keys that are imported to
your account.
To see the keys that are currently available, use gpg --list-keys. This command
will show you at least your own GPG keys. However, after using GPG for some
time, it will also list the GPG keys of other users you have imported. When using
the gpg --list-keys command, you see only public keys assigned to your account.
- If you want to check your private key, you can use gpg --list-secret-keys
instead.
- This command is useful if you're encountering problems and you want to
make sure that a private key has been installed correctly.
10. Explain process of setting up Samba server.
• Setting up a Samba Server:
1. Use mkdir /sambafiles to create a directory on the Linux file system.
2. Use chmod 777 /sambafiles to grant the appropriate permissions to the
/sambafiles share. It's not the most elegant way to set security, but it's not
local Linux security that matters here.
3. As root, use yum -y install samba samba-common samba-client to install all
the required Samba server packages.
4. Open the file /etc/samba/smb.conf with an editor. Locate the workgroup
parameter, and change it to workgroup = MYSAMBA.
5. Go to the bottom of the configuration file, and add the following share
configuration:
[sambafiles]
comment = samba files.
path = /sambafiles
writeable = yes
valid users = lucy, linda, lori
6. Use useradd lucy to create a user account for user lucy. Don't set the
password, because Samba users don't need a password on the Linux system.
7. Use smbpasswd -a lucy to create Samba user lucy.
8. Use service smb restart to (re)start the Samba service and chkconfig smb on
to make sure that it starts when the server boots.
9. Use smbclient -L //localhost. This will show you the current
Samba server parameters, and you'll see that the share you just created is
listed. The smbclient -L command will show a login prompt that you can ignore.
Do this by pressing Enter twice.
Q3. Explain setting up a Primary DNS Server.
• Setting up a Primary DNS Server:
1. Make sure that the bind package is installed on your host computer.
2. Open the /etc/named.conf file, and make sure the following parameters are
included:
* directory is set to /var/named
* listen-on port 53 is set to any
* allow-query is set to any
* forwarders contains the IP address of your Internet provider's DNS name
server
* dnssec-validation is set to no
3. Open the /etc/named.rfc1912.zones file, and create a definition for the com
domain.
4. Create a file /var/named/example.com, and give it contents. Change it to
match the hostnames in your environment.
5. Make sure that the DNS resolver in /etc/resolv.conf is set to your own DNS
server.
6. Use dig yourhost.example.com, and verify that your DNS server gives
the correct information from your DNS database.
4. Explain setting up a DHCP server.
Setting up a DHCP server:
1. Start the virtual machine, and open a root shell. From the root shell, use the
command yum -y install dhcp to install the DHCP server.
2. Open the file /etc/dhcp/dhcpd.conf with an editor, and give it the following
contents. Make sure that the names and IP addresses used in this example
match your network:
option domain-name "example.com";
option domain-name-servers YOUR.DNS.SERVERNAME.HERE;
default-lease-time 600;
max-lease-time 1800;
subnet 192.168.100.0 netmask 255.255.255.0 {
    range 192.168.100.10 192.168.100.20;
    option routers 192.168.100.1;
}
3. Start the DHCP server by using the command service dhcpd start, and enable
it using chkconfig dhcpd on.
4. Start the second virtual machine. Make sure that the network card is set to
get an IP address from a DHCP server. After starting it, verify that the DHCP
server has indeed handed out an IP address.
10. Explain generic parameters of Apache configuration file.
→ An important directive is ServerRoot.
* This defines the root of the configuration directory.
* On Red Hat Enterprise Linux, by default the server root is set to /etc/httpd.
• It is important to be aware of this because other filenames that are
referenced later in the configuration file are all relative to the server root
directory.
• An example is the PidFile, which is set to run/httpd.pid.
• Another important parameter in the beginning of the configuration file is the
Listen parameter.
* In this example, it directs httpd to listen at port 80.
* Because no specific IP addresses are mentioned, it will bind to port 80 on all
IP addresses that are available.
• You can include a specific IP address if you want httpd to bind to just that one
and to no other IP addresses.
* The next list of generic parameters is a bit lower in the httpd.conf file.
•These are the parameters User and Group, which specify the user and group
that should be used to run the Apache server
*Apache is normally started as root, and once started, will run as this user and
group with fewer privileges.
• By default, both are set to apache
*The most important thing to remember here is that Apache should never offer
its services as root!
• Another important directive is the DocumentRoot.
• This specifies where Apache should look for its content.
• Documents that are stored in the DocumentRoot are served by default.
* The standard behaviour on Red Hat Enterprise Linux is to show the contents
of the index.html file that is created in the DocumentRoot.
11. Explain various modes in Apache.
• Apache can be started in two different modes: the prefork mode and the
worker mode
• The prefork mode is the default mode.
• In this mode, a master httpd process is started, and this master process will
start different httpd servers.
* As an alternative, the worker mode can be used.
• In this mode, one httpd process is active, and it uses different threads to serve
client requests.
• Even if the worker mode is a bit more efficient with regard to resource
usage, some modules cannot handle it, and therefore the prefork mode is used
as default.
* However, if you need the best performance that httpd can offer and you don't use
modules that are incompatible with worker mode, it's a good idea to use worker
mode instead.
• Worker mode can be configured to serve more simultaneous processes.
• To change the default mode that Apache uses, you can modify the HTTPD
parameter in /etc/sysconfig/httpd.
• To use the worker mode, you have to start the /usr/sbin/httpd.worker binary
instead of /usr/sbin/httpd.
• To accomplish this, just remove the pound sign in front of the example line
in /etc/sysconfig/httpd and restart the httpd process using service httpd
restart.
• For both modes, you can set some performance parameters:
- StartServers
- MinSpareServers
- MinSpareThreads
- MaxSpareServers and MaxSpareThreads
- ServerLimit
- MaxClients
- MaxRequestsPerChild
12. Explain various directory options and directory restrictions in Apache.
→ • The administrator can also set different options on an Apache web server.
• These options are used to define how the contents of a directory on the
httpd server should be presented to users who access that directory.
• The DirectoryIndex directive can be used to specify that other files should
also be considered.
• If this is the case, it will show the contents of this file, and if not, a list of files
in the directory is shown.
• To modify this behavior, the DirectoryIndex and Options directives can be
used.
• By default, the DirectoryIndex directive specifies that Apache should look for
a file with the name index.html or index.html.var.
• The Options directive within a directory definition can further fine-tune the
options that are used to display the contents of a directory.
• You can also use Options to determine which server features are available
in a particular directory.
• A useful argument for the Options directive is Indexes.
• If you use this option, you will see a list of files in the directory if no
index.html is available.
* Related to this option is FollowSymLinks.
• This option will ensure that symbolic links are followed if they exist in the
document directory.
• In a directory served by Apache, some basic restrictions can be used.
* First, there is the AllowOverride directive.
• This directive is related to the .htaccess file that administrators can use to
restrict access to a given directory.
• Another basic way to handle access restrictions is by using the Order directive.
• With this directive, you'll specify the order in which allow and deny
commands are used.
• The order is not defined by how the rules appear in your configuration file
but by how you've used the Order directive.
• The default order is deny and then allow.
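A configuration review covering two points from the Apache answers above: User and Group must not be root, and Options Indexes turns on file listings for a directory. This is an added example, not part of the original notes; the httpd.conf content is a constructed sample and audit_httpd is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample configuration (not taken from a real server).
SAMPLE_CONF='ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Listen 80
User apache
Group root
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/var/www/html/private">
    Options -Indexes FollowSymLinks
    AllowOverride None
</Directory>'

# audit_httpd: reads an httpd.conf on stdin and prints one finding per line.
audit_httpd() {
  awk '
    { d = tolower($1) }                       # directive names are case-insensitive
    (d == "user" || d == "group") && $2 == "root" {
      print "ROOT " $1 " directive set to root"
    }
    d == "listen" && $2 !~ /[:.]/ {           # bare port, no IP address given
      print "INFO Listen " $2 " binds to all IP addresses"
    }
    d == "<directory"   { dir = $2; gsub(/[">]/, "", dir) }   # entering a block
    d == "</directory>" { dir = "" }                           # leaving it
    d == "options" && dir != "" {
      for (i = 2; i <= NF; i++)
        if (tolower($i) == "indexes" || tolower($i) == "+indexes")
          print "LISTING " dir " lists files when no index file exists"
    }
  '
}

printf '%s\n' "$SAMPLE_CONF" | audit_httpd
```

To review a real server, feed /etc/httpd/conf/httpd.conf to audit_httpd instead of the sample.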
