Sunday, January 13, 2002

Linux

In this paper, I will cover security precautions and the file server and print server for Windows and Macintosh clients running on Linux. Then I will cover DHCP services. I will outline the services I plan to implement for this server and the files that need to be configured during deployment.
For security, I will put this hardware in a server closet. I should remove the floppy and DVD-ROM drives from the workstation computers, go into the Award/Phoenix BIOS and disable the USB ports so that it is impossible to boot from them, and add a GRUB password. The nohup updatedb & command by itself will keep services running in the background when the administrator closes the terminal. In the Plymouth installer (which replaced RHGB since Fedora 9), check the option to encrypt the file system to activate the encrypting file system. I can use the sudo command to kill processes without having to use su to switch to the root account. The su command could compromise the security of your server.
I should reduce the number of network services for my company to prevent buffer overruns. The nmap -sT server1 command will list any services running on the server. You can detect crackers with intrusion detection system (IDS) programs, including Advanced Intrusion Detection Environment (AIDE), Integrity Checking Utility (ICU), PortSentry, Snort, Linux Intrusion Detection System (LIDS), and Simple WATCHer. AIDE would be an alternative to Tripwire with added functionality. ICU works with AIDE to check for integrity. PortSentry monitors traffic on ports to see if they have been probed. LIDS modifies the Linux kernel to increase process and file security so the system can detect a breach. Simple WATCHer monitors log files and alerts administrators.
The physical security measures I will endorse are locked doors with security badge access to the server room, server cages, and electronic access control for every IT-related room.
For the encrypting file system, the IT department needs either TrueCrypt or eCryptfs. If TrueCrypt is the decision, then TrueCrypt will encode an encrypting file system. On the other hand, eCryptfs will store metadata of each file if there is no hardware encryption. eCryptfs is stackable. TrueCrypt has the AES, Serpent and Twofish algorithms with the RIPEMD-160, SHA-512 and Whirlpool hashes.
Finally, I would add a Cisco firewall in front of it and add a CipherOptics CipherEngine for the router so all outgoing information is encrypted. (Linux+, pg 674-676, 680-81, 2006) (Truecrypt, 2009) (EncryptFS, 2009) (Devx, 2008) (routers, 2008) (phoronix, 2008)
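To make the nmap -sT server1 check above repeatable, the following added example (not part of the original paper) compares the open TCP ports in a scan against the services the server is meant to offer. The allow-list and the sample scan output are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: flag open TCP ports that are not on the expected list.

# Assumption: ports for the services planned in this paper
# (Apache 80, Samba 139/445, CUPS/IPP 631). DHCP is UDP and is not
# seen by a TCP connect scan.
ALLOWED_PORTS="80 139 445 631"

# Constructed sample of nmap port lines; on a real host, pipe in
# the output of: nmap -sT server1
sample_scan() {
cat <<'EOF'
PORT     STATE  SERVICE
21/tcp   open   ftp
23/tcp   closed telnet
80/tcp   open   http
111/tcp  open   rpcbind
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
631/tcp  open   ipp
EOF
}

# Reads scan output on stdin and prints "port service" for every open
# TCP port that is missing from the allow-list passed as $1.
unexpected_ports() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
            split($1, p, "/")
            if (!(p[1] in ok)) print p[1], $3
        }'
}

# Returns 1 when something unexpected is listening, so a cron job can alert.
audit_scan() {
    extra=$(unexpected_ports "$ALLOWED_PORTS")
    if [ -n "$extra" ]; then
        printf 'Unexpected open ports:\n%s\n' "$extra"
        return 1
    fi
    echo "Only expected services are listening."
}

sample_scan | audit_scan || true
```

Each port it reports is a service to either disable or add to the allow-list deliberately.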
For firewall services, Fedora 10 has a Red Hat firewall application under System, Administration in the upper left-hand corner of GNOME. The first list you see is called Trusted Services, where you check the proper ones such as IPP, DNS, Samba, and Samba Client. The next list is trusted miscellaneous ports. Don't forget to set the default configuration to Server, because Desktop is highlighted on first execution. There is an ICMP filter in Firewall Configuration to send error messages. You can create a blacklist in it easily. Older versions of Linux have iptables, where you can set up which IP addresses pass through and drop the rest. If the administrator wishes to have access to the 192.168.1.0 network, he/she needs to add iptables -F. Next line: iptables -P FORWARD DROP. Third line: iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT. Now that network is accessed, but all other networks are blocked. (Linux+, pg 672-673, 2006)
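Once the three iptables commands are in place, the policy can drift as rules are added later. This added example (not from the original paper) audits the FORWARD chain in iptables-save output against the intended policy; the two sample rulesets are constructed, and it assumes sources are printed in CIDR form.

```sh
#!/bin/sh
# Added example: audit the FORWARD chain in iptables-save output.
# TRUSTED_NET is the only source the paper's rules accept.
TRUSTED_NET="192.168.1.0/24"

# Constructed sample: what the three commands above should leave behind.
good_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: the same table after later edits opened it up.
drifted_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Reads iptables-save output on stdin; prints one finding per line:
# a FORWARD policy other than DROP, or an ACCEPT rule whose source is
# not exactly the trusted network (no source, other net, or negated).
forward_findings() {
    awk -v net="$1" '
        $1 == ":FORWARD" { seen = 1; if ($2 != "DROP") print "policy " $2 }
        $1 == "-A" && $2 == "FORWARD" {
            src = "any"; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = ($(i - 1) == "!" ? "!" : "") $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (target == "ACCEPT" && src != net) print "accept " src
        }
        END { if (!seen) print "policy missing" }'
}

findings=$(drifted_rules | forward_findings "$TRUSTED_NET")
[ -z "$findings" ] || printf 'FORWARD chain drift:\n%s\n' "$findings"
```

On a live server the input would come from iptables-save -t filter run as root instead of the sample functions.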
For the print server, I would use the Common UNIX Printing System (CUPS), because it is newer than some others and allows a computer to act as a print server. Fedora uses CUPS as its default print system. In GNOME it is managed by the CUPS manager and the taskbar, where you can delete print jobs. KDE Print is a CUPS front end too.
To create a CUPS server, first use the lpstat command to see if any print servers are available. There aren't any, but this command is handy when print servers are available. To create a print job, use lp -d printer1 /etc/inittab. The -d option specifies the destination printer.
| More options of lp | Description (Linux+, pg 477, 2006) |
|---|---|
| -d | Destination |
| -i | Specifies the ID to modify |
| -n | Number of pages |
| -o | Sides: sets whether it should be two-sided short edge or two-sided long edge |
| -q | Specifies the print job priority |

| More options of lpstat | Description (Linux+, pg 478, 2006) |
|---|---|
| -a | Displays a list of all printers that are accepting jobs |
| -d | Displays the default destination printer |
| -o printer name | Displays the print jobs in the print queue |
| -p | Displays a list of printers that are enabled |
| -r | Shows whether the CUPS daemon is running |
| -t | Shows all information about printers and their print jobs |

Other commands include cancel followed by the job IDs to remove jobs (cancel p1-1 p1-2). To remove all jobs there is the -u option. I can restrict users with the lpadmin command (lpadmin -u allow:root,user1 -u deny:all -d printer1). The lpr command is used to print documents to the queue. The lpq command is used to view the print jobs in progress. The lprm command is used to remove print jobs. (Linux+, pp 474-478, 2006)
If you need a user interface, there is the Printer Configuration Tool in Linux. Use it to browse queues of CUPS origin. Secondly, in the 'Add a queue name' dialog box, add the name of the printer (printer1) and a short description. Thirdly, click the Forward button to specify the queue type of the new printer, and select CUPS (IPP) from the drop-down menu. Fourthly, use a raw print queue (you can try PostScript later, but first try a raw print queue for compatibility). Click Finished. Finally, click on the new entry such as "Printer 1" in the Printer Configuration Tool, and when the sharing properties window comes up, select "This queue is available to all other computers" in the Queue tab. Check the box labeled "Automatically find remote shared queues" in the General tab. (Linux+, pg 480-482, 2006)
To allow Windows to be compatible with CUPS, you must install the Adobe driver from Adobe's website. I will be using the Adobe driver for this paper. To use the CUPS driver, go to Add Printer in Control Panel and select the "Connect to a printer on the Internet" option. When you see a textbox, copy and paste the URL of the printer queue, such as http://hostname:631/printers/Printername. Don't use Generic PostScript Printer, but browse for /etc/cups/ppd/PrinterQueueName.ppd. To add Windows support for CUPS, you must install the extracted cups-windows-6.0-1.i386.rpm driver to the /usr/share/cups/drivers directory and the cups-windows-6.0-1.x86-64.rpm 64-bit drivers to the /usr/share/cups/drivers/ directory. The Windows CUPS drivers can be downloaded from http://www.cups.org/software.php. All Windows machines running Windows 2000 or above will be backwards-compatible with CUPS PostScript. Apple has had CUPS integrated into Mac OS X since 2002. (Owlfish, 2003) (Linux+, pg 478-483, 2006) (CUPS, 2009)
Linux users are supposed to go into the Printer Configuration box and select the available Printer 1 queue. In Windows, click on Add Printer in Control Panel, then go down to the option "Connect to a printer on the Internet." Use the URL http://hostname:631/printers/RawPrinterQueueName. When completed, the administrator will be able to use the print server in Windows from a Linux OS. (Owlfish, 2003)
To connect Mac OS X to a print server, first select the Print & Fax pane in System Preferences. Secondly, in Mac OS X 10.4 there is only a + icon, but in Mac OS X 10.3 there is a Set Up Printer button at the top of the window. Thirdly, in Mac OS X 10.3, click IP Printing in the drop-down menu, whereas in Mac OS X 10.4, click on IP Printer in the Print Browser window. Fourthly, in both Mac OS X 10.3 and 10.4, select the IPP option. Fifthly, type in the hostname. Sixth, type the IP address in the Queue field. (RIT, 2006) (Danka, 2002)
The Samba file server supports Windows and Mac OS X. A Samba file server will allow Windows users to drag and drop files onto a Linux server. Since Fedora 8, Samba is packaged with the OS. First, the administrator has to enable network activity to the Samba server. Enable the Ethernet device in the Network Configuration Tool. Secondly, the administrator needs to update the firewall settings so the Samba server is trusted. In Fedora, click on Security Level in System Settings or run system-config-securitylevel. Afterwards, select the Ethernet card so it is a trusted device. Thirdly, configure the Service Configuration so that smb is enabled. Fourthly, logins should be configured. To do this, create user logins using the GNOME User Manager tool. There is also a shortcut command, system-config-users. Add users as you need and then think about what directories you will need to access on the Samba server. Fifthly, I will need to configure a Samba server. This can be done by opening Samba inside Server Settings. This will make changes to a file called smb.conf in /etc/samba. From the menu, choose Server Settings, then Samba. When the application loads, open the Preferences menu and choose Server Settings. Use the Windows workgroup name. The authentication mode should be user if the logins are Microsoft ADS. Sixthly, you must add users to it with the Preferences menu and the Samba Users item. Eighth, add a shared folder by clicking on the Add button in the Samba services configuration window, with one shared directory. Ninth, the administrator will restart the Samba services by choosing, from the menu, System Services, Server Settings, and then the Services submenu to open the Service Configuration window. From there, click the restart icon. In the tenth step, the administrator will be in Windows. Open the Run command from the Start menu and type in \\linuxserver.test.org (plan A) or \\10.2.2.3 (the IP address is plan B). The eleventh step is signing in with one of the names created in Samba in the server login window. Once this is done, a Samba window should appear. (reallylinux, 2006) (Linux+, pg 664-665, 2006)
To connect a Mac OS X machine to a Samba Linux server, the user needs to press the Apple key + K to bring up a server address dialog box. Secondly, the user will need to type smb://10.2.2.3 in the textbox. Third, select your SMB mount. Fourth, the user will add the Windows workgroup name, which doubles as the Samba workgroup name, in the first box, and the username and password in the second and third textboxes. To disconnect from Samba, press CTRL+click (mouse) and then click on Eject in the drop-down menu of *directory in question*. (techrepublic, 2008) (Linux+, pg 664-665, 2006)
The server will need the Apache web server to host a web site listing company information. Apache is the most popular web server in the world. The Apache web server has been included with Fedora for at least 2 years now, so it should be on my installation DVD. To check whether Apache is already installed, I would type rpm -q httpd in the terminal. If something like http-1.7.1-7.2.fc10 shows up in the terminal, then Apache is already installed. The administrator should have included it from the installation DVD, but in case he/she wants the latest version for some reason, I found how to install and configure the Apache web server. In the terminal, type su -c "yum install httpd". To see the status of the Apache web server, type su -c "/sbin/service httpd status" in the terminal. To start Apache when the system boots, add /sbin/chkconfig --level 3 httpd on. (howtoforge, 2008) (Linux+, pg 663, 2006) (Techotopia, 2007)
Now I am about to configure the Apache server for the domain name. Open a text editor such as gedit in Linux and edit the httpd.conf file in the /etc/httpd directory. First type ServerAdmin webmaster@myexample.com, with the ServerAdmin value replaced by your real one. Next, type ServerName myexample.com, with the server name replaced by the real name. Afterwards, define where the web site files are going to be located with the DocumentRoot directive. An example would be DocumentRoot /var/www/myexample.com. I would create an HTML file with OpenOffice or gedit and save it as index.html in the /var/www/myexample.com directory. The final step would be to restart the server by using su -c "/sbin/service httpd restart". (howtoforge, 2008) (Linux+, pg 663, 2006) (Techotopia, 2007)
| Commands for Apache | Description (Linux+, pg 663, 2006) |
|---|---|
| Listen 80 | Specifies that the Apache daemon will listen for HTTP on port 80 |
| ServerName server1.class.com | Specifies that the name of the local server is server1.class.com |
| DocumentRoot "/var/www/html" | Specifies that the document root directory is /var/www/html |
| DirectoryIndex index.html | Specifies that the index.html file in the document root directory will be sent to clients |
| ErrorLog /var/log/httpd/error_log | Specifies that all Apache daemon messages will be written to the /var/log/httpd/error_log file |
| MaxClients 150 | Sets the maximum number of simultaneous requests to 150 |
| User apache | Specifies that the Apache daemon will run as the apache local user account |
| Group apache | Specifies that the Apache daemon will run as the apache group user account |

To get DHCP operating in Fedora 10, the packages should already be on the installation DVD; otherwise, go to the URL http://download.fedora.redhat.com/pub/fedora/linux/releases/10/Everything/x86_64/os/Packages/ and search for DHCP-4.0.0-30.fc10.x86_64.rpm and dhclient-4.0.0-30.fc10.x86_64.rpm. Secondly, the next set of directions applies if for any reason the DHCP files weren't installable from the installation DVD or that version is too outdated. Third, type $ ./configure and then $ make. Fourth, type $ sudo make install in the terminal. Fifth, once the DHCP program is compiled with GCC, I should type sudo cp server/dhcp.conf /etc. Sixth, configure the settings to match my system settings. Seventh, for help on configuration options, type man dhcp-options in the terminal. Eighth, in the terminal type sudo touch /var/lib/dhcp/dhcp.leases to get your configuration checked for human errors. Ninth, the administrator can activate DHCP by typing in the terminal: $ sudo chkconfig --level 35 dhcpd on. Finally, the administrator will need to restart DHCP by typing in the terminal: $ /etc/init.d/dhcp restart. (askdavidtaylor, 2006) (Linux+, pg 662, 2006)
After all this, the server and workstations should be secure and ready to go. I connected Windows, Mac OS X, and Linux to the Fedora print servers, and I logged Windows, Linux, and Mac OS X in to the file server.
