SysAdmin - Services

Linux Foundation Certified SysAdmin (LFCS): Service Configuration

Configure a caching DNS Server

  1. Install required tools
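    # 'bind' is the DNS server package ('bing' is a typo); 'bind-utils' gives dig/host/nslookup for testing
    yum install bind bind-utils
    # main configuration file of the server
    nano /etc/named.conf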
  2. Edit the named.conf file so that it can act as a cache
    ## add any so you can use it as cache
    ## allow-query = who may send queries to this server; "any" answers everyone
    ## who can reach port 53 (an open resolver). On a network-facing host list
    ## the client networks instead, e.g.  allow-query { localhost; <your-client-cidr>; };
    allow-query {localhost; any; };
    # also add the following line
    # allow-query-cache = who may receive answers already held in the cache (same caveat as above)
    allow-query-cache {localhost; any; };
  3. Check the security contexts
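    cd /etc/
    ls -la named.conf
    # check the SELinux type on the file: it should be 'named_conf_t'
    ls -lZ named.conf
    # if not: record the context for the path, then apply it
    # (semanage only updates the policy database; restorecon relabels the file)
    semanage fcontext -a -t named_conf_t /etc/named.conf
    restorecon -v /etc/named.conf
    # the bundled zone definitions should carry the same type (expected: named_conf_t)
    ls -lZ named.rfc1912.zones
    # check our configuration, to avoid typos. No news = good news
    named-checkconf /etc/named.conf
    # restart and enable it for the next boot
    systemctl restart named
    systemctl enable named
    # name the unit, otherwise systemctl prints the whole system state
    systemctl status named
    # usually you open port 53 (tcp and udp) for this kind of service, e.g.
    # firewall-cmd --permanent --add-service=dns && firewall-cmd --reload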

Maintain a DNS zone

  1. Install required tools
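    # 'bind' is the DNS server package; 'bind-utils' gives dig/host/nslookup for testing
    yum install bind bind-utils
    # the main configuration file is /etc/named.conf (same path as in the caching setup);
    # /etc/named/ only holds additional files it includes
    cat /etc/named.conf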
  2. Edit the named.conf file to declare the zone
    ## declare the zone this server is the primary (master) for
    zone "la.local" in {
    type master;
    ## zone file name, relative to the 'directory' option of named.conf
    ## (typically /var/named on CentOS -- check the option in your named.conf)
    file "la.local.zone";
    };
  3. Create your zone file
    nano la.local.zone
  4. Edit the file content
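    ; local network zone
    ; NOTE: zone files use ';' for comments -- '#' is a syntax error for named-checkzone
    ; trailing dot = absolute name; without it the origin would be appended again
    $ORIGIN la.local.
    ; time to live, bigger reduces number of queries
    ; in seconds (10 minutes); the directive is $TTL (the note had '$$TL')
    $TTL 600

    ; Start of authority resource record (SOA)
    ; @ = the zone apex; fields: primary dnsServer, responsible mailbox
    ; (mail.la.local. is read as mail@la.local: the first '.' stands for '@')
    ; the note named dns.la.local, but the only nameserver with an A record below is dns1 -- verify
    @ IN SOA dns1.la.local. mail.la.local. (
    ; serial number, to refresh the zone, always increment
    1
    ; refresh: secondary servers wait this long before asking the primary for changes
    21600
    ; retry
    3600
    ; expire
    604800
    ; negative-cache / min time to live
    86400
    )

    ; every zone needs at least one NS record at the apex, otherwise it will not load
    @ IN NS dns1.la.local.

    ; A records
    ; name IN - recordType - IPADDRESS
    ; the note had '10.98.80' (three octets, not a valid address); 10.9.8.80 assumed -- verify
    webserver IN A 10.9.8.80
    user1client IN A 10.9.8.25
    mail IN A 10.9.8.150
    dns1 IN A 10.9.8.53
    ; alias/canonical records (CNAME)
    www IN CNAME webserver
    ; mail exchange records (MX) belong to the apex, so give them '@' as owner:
    ; a blank owner reuses the previous owner (www), which is not what is wanted here
    @ IN MX 10 mail.la.local.
    @ IN MX 20 labackup.ca.local.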

Connect to network shares

  • Server
    1. Install and set up nfs-utils
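      # package name is nfs-utils (hyphen)
      yum install nfs-utils
      # create the share directory
      mkdir /share
      # set rights: owner rwx, everyone else r-x
      chmod -R 755 /share
      # owned by 'nfsnobody' (the anonymous NFS account) to avoid permission issues;
      # use the absolute path -- 'share' alone only works when the cwd is /
      chown nfsnobody:nfsnobody /share
      # enable and start services
      systemctl enable rpcbind
      systemctl enable nfs-server
      systemctl enable nfs-idmap
      systemctl start rpcbind
      systemctl start nfs-server
      systemctl start nfs-idmap
      # edit configuration
      nano /etc/exports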
    2. Edit configuration
      # who we share with, plus rights
      /share 172.31.96.178(rw,sync,no_root_squash,no_all_squash)
    3. Restart the service
      systemctl restart nfs-server
  • Client
    1. Install and set up nfs-utils
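      # package name is nfs-utils (hyphen)
      yum install nfs-utils
      # make a mount point (to mount shared); absolute path, so no cd needed first
      mkdir -p /mnt/remote
      # is it connected? - probably not
      df -h
      # mount nfs: -t nfs  serverIP:exportedDirectory  localMountPoint
      mount -t nfs 172.31.124.130:/share /mnt/remote
      # is it connected? - probably yes
      df -h
      # test it
      cd /mnt/remote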

Configure email aliases

  • Simple POSTFIX
    1. Find configuration folder
      # Postfix configuration directory
      cd /etc/postfix
      # the alias map; on many systems the default is /etc/aliases -- check 'alias_maps' in main.cf
      nano aliases
    2. Configure it
      # format: local-name: recipient[, recipient...]
      # alias: webmaster mail goes to user mail
      # webmaster will have 0 emails
      webmaster: user1
      # redirect mail to several accounts mail
      # boss will receive a copy, user1 will still get it
      user1: user1, boss
    3. Run with the alias configuration
      sudo postalias /etc/posfix/aliases

Configure SSH servers and clients

  • Classical server setup

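    sudo apt install openssh-server
    # check configuration
    less /etc/ssh/sshd_config
    # create key pair (the passphrase it asks for protects the private key at rest)
    ssh-keygen
    ## you get `id_rsa` (private: stays on this machine, mode 0600) and `id_rsa.pub` (public)
    # copy the public key to other server
    ssh-copy-id user@remoteHost.lab.com
    # connect to the remote machine, no password needed
    ssh user@remoteHost.lab.com
    ## check keys, on the remote machine
    # if ssh-copy-id does not work, you should add your public key here
    cat ~/.ssh/authorized_keys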
  • Script to copy the key manually

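    # if ssh-copy-id does not work. sshd reads ~/.ssh/authorized_keys (US spelling) and
    # ignores it when ~/.ssh or the file is group/world-writable (StrictModes) -- hence the umask;
    # the key file is fed on stdin, no 'cat |' needed
    ssh user@remoteHost.lab.com 'umask 077; mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys' < ~/.ssh/id_rsa.pub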

    Root login should not be allowed.
    Remember to prevent root login via the directive `PermitRootLogin no` in /etc/ssh/sshd_config.

Restrict access to HTTP proxy servers

  1. Install server
    # (install the package first if it is missing: 'yum install squid' / 'apt install squid')
    # configuration directory
    cd /etc/squid
    nano squid.conf
  2. Edit text file
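    # ACLs must be defined before the http_access lines that use them
    # (squid refuses to start on an undefined ACL name)
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    ## remember to set up the reference alias
    # a machine (names swapped vs. the note so each matches its comment)
    acl nomachine src 192.168.1.0
    # a network
    acl nonetwork src 192.168.1.0/24
    # rules are evaluated top-down, first match wins
    http_access deny !Safe_ports
    http_access allow localhost manager
    # some custom denials: 'deny X' blocks X and falls through to later rules,
    # whereas 'allow !X' (as in the note) would let every other client through
    http_access deny nomachine
    http_access deny nonetwork
    # finish the list with your allow rules and an explicit 'http_access deny all'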
  3. Restart the squid server

Configure an IMAP and IMAPS service (and Pop3 and Pop3S!)

  1. Install and configure core
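    # check postfix group membership (grep reads the file itself, no 'cat |' needed)
    grep postfix /etc/group
    # check mail
    cd /var/mail
    # install dovecot
    sudo apt install dovecot-core
    # check configuration
    cd /etc/dovecot/conf.d
    # files are named NN-topic.conf (10-mail.conf, 10-ssl.conf, ...)
    sudo nano 10-mail.conf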
  2. Edit the configuration
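    # mailbox format and location: mbox folders under ~/mail, INBOX is the system spool
    # (%u = user name); note '~/mail' -- the note's '~mail' is not expanded to the home directory
    mail_location = mbox:~/mail:INBOX=/var/mail/%u
    # who may get access to the mail directory?
    # typically needed for mbox INBOXes in /var/mail (group 'mail' owns the spool) -- verify before enabling
    # mail_privileged_group = mail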
  3. Install and configure pop3 server
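    # install server (Debian package names: dovecot-pop3d, dovecot-imapd)
    sudo apt install dovecot-pop3d dovecot-imapd
    # check configuration
    cd /etc/dovecot/conf.d
    # protocol files were created (20-imap.conf and 20-pop3.conf on Debian; ls to confirm)
    ls
    cat 20-imap.conf
    cat 20-pop3.conf
    # check certificates
    cd /usr/share/dovecot
    ## script to create a self-signed certificate; it lives in this directory, not in /,
    ## and writes under /etc, so it needs root
    sudo ./makecert.sh
    # point the right certificates
    cd /etc/dovecot/private
    # check dovecot.pem is there (the private key: keep it root-only)
    ls -l
    cd ../conf.d
    sudo nano 10-ssl.conf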
  4. Edit the configuration
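    # update the SSL value ('yes' keeps the plaintext ports open as well;
    # 'required' refuses logins that are not protected by TLS)
    ssl = yes
    # uncomment the keys; the leading '<' means "read the value from this file" and
    # there is no closing '>' (it would become part of the file name)
    ssl_cert = </etc/dovecot/dovecot.pem
    ssl_key = </etc/dovecot/private/dovecot.pem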
  5. Restart the service so everything takes effect
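    sudo systemctl restart dovecot
    # check it is running (unit status instead of scanning the whole ps output)
    systemctl status dovecot
    # check the ports to listen to are correct: 143/993 imap(s), 110/995 pop3(s);
    # 'ss' replaces the deprecated netstat and takes the same flags
    sudo ss -ntplu | grep dovecot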

Configure an HTTP server

  • CentOS

    1. Install and setup
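      # install Apache ('yum' needs the 'install' verb)
      yum install httpd
      # install text based browser
      yum install lynx
      lynx http://localhost
      # not started out-of-the-box: enable for the next boot and start now
      # (the note had 'systemctl httpd' with no verb; 'enable' assumed -- verify)
      systemctl enable httpd
      systemctl start httpd
      systemctl status httpd
      lynx http://localhost
      # check configuration
      cd /etc/httpd
      ls -la
      # check conf, conf.d
      cd conf
      nano httpd.conf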
    2. Edit the configuration
        ## load config files
      # paths are relative to ServerRoot (/etc/httpd)
      IncludeOptional conf.d/*.conf
      # virtual hosts; IncludeOptional (unlike Include) stays silent when nothing matches
      IncludeOptional vhost.d/*.conf
      ``
      3. Restart
      ```bash
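      # create the virtual host directory (cwd is /etc/httpd/conf, so this is /etc/httpd/vhost.d)
      mkdir ../vhost.d
      # syntax check first: a bad config would leave the server down after the restart
      apachectl configtest
      systemctl restart httpd
      # check for errors
      systemctl status httpd.service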
    3. Example for virtual host content
      In `www.transapi.com_http.conf` (opened with nano):
      # one site per file in vhost.d; answers on port 80 of every address
      <VirtualHost *:80>
      # host name this block serves (matched against the Host: header), plus a short alias
      ServerName www.transapi.com
      ServerAlias www
      # directory served for this host (access is granted by the <Directory "/var/www"> block in httpd.conf)
      DocumentRoot /var/www/html/transapi
      </VirtualHost>
  • Debian

    1. Install and setup
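      # install Apache
      sudo apt install apache2
      # install text based browser
      sudo apt install lynx
      lynx http://localhost
      service apache2 restart
      # check configuration
      cd /etc/apache2
      ls -la
      # *-available holds every config/site; *-enabled holds symlinks to the active ones
      cd conf-available/
      cd ..
      cd conf-enabled/
      # something similar happens with sites
      cd sites-available/
      cd ..
      cd sites-enabled/
      cd ..
      # main configuration file (no conf/ subdirectory here, unlike CentOS)
      less apache2.conf
      # the control binary is apache2ctl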
    2. Helper applications for symlinks
    • a2enmod/a2dismod
    • a2ensite/a2dissite
    • a2enconf/a2disconf

Configure HTTP server log files

  1. Find configuration
    sudo nano httpd.conf
  2. Check configuration
    # check modules: the block only takes effect when mod_log_config is loaded
    <IfModule log_config_module>
    # LogFormat "<format string>" logName   -- defines a named format
    # error log is not customizable
    # access log is customizable
    # %h=host %l=login %u=user %t=dateAndTime
    # %r=firstLineOfRequest %s=finalStatus
    # use the predefined 'combined' format; path is relative to ServerRoot
    CustomLog "logs/access_log" combined
  3. Find configuration
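    cd /etc/httpd/logs
    # the file is access_log (no dot), matching the CustomLog line
    less access_log
    # absolute path: /conf/httpd.conf does not exist
    nano /etc/httpd/conf/httpd.conf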
  4. Change log format on configuration file
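    # mod_logio only adds %I/%O (bytes in/out); %h %t %r come from mod_log_config,
    # so the format would work just as well inside the log_config block below
    <IfModule logio_module>
    LogFormat "Host: %h - Dateand time: %t - Requested %r" userCustom
    </IfModule>

    # then search for this and edit (directive names are case-insensitive;
    # CustomLog is the documented spelling, kept consistent with the default line)
    <IfModule log_config_module>
    CustomLog "logs/access_log" userCustom
    </IfModule>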
  5. Restart to get configuration
    systemctl restart httpd

Restrict access to a web page

  1. Find the configuration
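    # check access
    lynx http://localhost
    # only local browsers should view that page
    cd /etc/httpd/
    # httpd.conf sits in the conf/ subdirectory
    nano conf/httpd.conf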
  2. Edit the configuration
    <Directory "/var/www">
    # no .htaccess overrides
    AllowOverride None
    # Allow open access:
    Require all granted
    </Directory>

    # Order/Allow is httpd 2.2 syntax; on 2.4 it works only while mod_access_compat is
    # loaded and should not be mixed with Require in the same block. 2.4 equivalent:
    #   Require ip 52.123.123.123 127.0.0.0/8 ::1
    <Directory "/var/www/html/test/">
    # allow,deny: Allow lines are evaluated first, anything not matched is denied
    Order allow,deny
    # allow from my machine - public address IPv4, IPv6
    Allow from 52.123.123.123
    # you may also allow from your private IP
    # allow from localhost at last (IPv4, IPv6); '127' matches the whole 127.x.x.x range
    Allow from 127
    Allow from ::1
    </Directory>
  3. Test everything went fine
    # from an allowed address the page renders; from anywhere else expect 403 Forbidden
    lynx http://localhost
    # you may check access logs (/etc/httpd/logs/access_log): denied requests show status 403

Configure a database server

There are many different DBs; here we use MariaDB (a free, MySQL-compatible implementation)

  1. Find the configuration
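    # install
    apt-get install mariadb-server mariadb-client
    # secure the installation (root password, remove anonymous users and the test DB,
    # disable remote root login)
    mysql_secure_installation
    ## shell for mysql (-p with no value prompts; a password given on the command line
    ## ends up in shell history and in ps output)
    mysql -u root -p
    show databases;
    # you may run scripts
    create database test;
    show databases;
    # USE takes a bare name: no 'database' keyword, no quotes
    use test;
    exit;
    # mariadb is only the package name - the service unit is mysql
    systemctl status mysql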

Manage and configure containers

Docker

  1. Build a server in container
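    # show list of running containers (-a also lists stopped ones)
    docker ps
    # run a container: -d detached, -i interactive, -t allocate a tty
    # -p is for hostPort:containerPort -- a single colon ('8080::80' is rejected)
    # -v volume hostDirectory:containerDirectory -- both must be absolute paths
    # imageName:version (no version = latest version)
    docker run -dit --name my-test-web -p 8080:80 -v /home/user1/webstuff:/usr/local/apache2/htdocs/ httpd:2.4
    # it is a bind mount, so if I add something to webstuff after container creation, it is served too
    # stop a container
    docker stop my-test-web
    # start a container
    docker start my-test-web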
  2. Remove a server in container
    # remove container (it must be stopped first; 'docker rm -f' does both in one go)
    docker stop my-test-web
    docker rm my-test-web
    # remove docker image (refused while a container still references it)
    docker image ls
    docker image rm httpd:2.4

Manage and configure VMs

  1. Install

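    # install virtual machines: hypervisor, libvirt daemon/client, and the virt-install
    # package (provides virt-install and virt-clone) plus virt-viewer for the console
    # (the note's 'libviewer' is not a package name -- verify against your repo)
    yum install qemu-kvm libvirt libvirt-client virt-install virt-viewer
    # check your server has hardware virtualization options
    # intel=vmx , amd=svm -- grep for either flag
    grep -Eo 'vmx|svm' /proc/cpuinfo | sort -u
    # if you get nothing, you have none: qemu falls back to software emulation, much slower
    # install a guest: the option is --vcpus (not --cpus) and takes no space after '='
    # (the ISO here is 32-bit x86; newer virt-install versions also require a --disk
    # option, e.g. --disk size=4 or --disk none -- check your version)
    virt-install --name=tinyalpine --vcpus=1 --memory=1024 --cdrom=alpinestandard-3.7.0-x86.iso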
  2. Virtual shell

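    # list every guest, running or not
    virsh list --all
    # edit setup (the domain XML; libvirt validates it on save)
    virsh edit tinyalpine
    # autostart when you start the machine (the host)
    virsh autostart tinyalpine
    # disable autostart
    virsh autostart --disable tinyalpine
    ## clone machine and change configuration
    # pause or stop before cloning, otherwise the disk copy is inconsistent
    # --file is the NEW guest's disk image: libvirt's default pool is /var/lib/libvirt/images
    # (the note's path was garbled) and it needs its own file name, not the original's
    virt-clone --original=tinyalpine --name=tiny2 --file=/var/lib/libvirt/images/tiny2.qcow2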