
Tuesday, March 10, 2015

Configure OpenVPN on CentOS 7 part 1

After doing the steps from

http://wowmoron.blogspot.in/2015/02/make-your-lan-connections-eth0eth1-from.html

I faced some issues connecting to the internet,

so

 nano /etc/sysconfig/network-scripts/ifcfg-eth0

change
GATEWAY0="192.168.28.2"

to

GATEWAY="192.168.28.2"


save and exit

yum install epel-release

systemctl stop firewalld

systemctl disable firewalld

yum install iptables-services

systemctl enable iptables

systemctl start iptables

systemctl status iptables

systemctl stop iptables   (stopping it so that OpenVPN can be brought up first; it is enabled and configured again later)

yum install openvpn

cd /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/

ls

server.conf should be there

cp server.conf /etc/openvpn/


cd /etc/openvpn

nano server.conf

find the line

;push "redirect-gateway def1 bypass-dhcp"

uncomment the line by removing the first semicolon

then find 2 lines starting with

;push "dhcp-option DNS 208...

and

;push "dhcp-option DNS 208...

uncomment them by removing ;

make them look like


push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"


then find the lines

;user nobody
;group nobody

uncomment those lines by removing ;

save and exit


yum install easy-rsa


mkdir -p  /etc/openvpn/easy-rsa/keys

cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

cd easy-rsa

ls will show you the vars file

nano vars

ctrl+w

find KEY_COUNTRY


make this section look like this

export KEY_COUNTRY="IN"
export KEY_PROVINCE="WB"
export KEY_CITY="Kolkata"
export KEY_ORG="Sourav"


export KEY_EMAIL="root@server1.sourav.com"
export KEY_OU="Sourav"


save and exit

source ./vars

run the clean-all script in the easy-rsa folder to clear out any existing keys

./clean-all


now run the script one by one

./build-ca

this script will prompt you for input such as the country code; just press enter and it will take the default values already written in the vars file. The default

values are shown in square brackets and are used if enter is pressed with no input.

when asked for the common name, just put the name of the server on which the VPN is being configured; in my case it is server1

now run another script

./build-key-server $( hostname )

take the default values by pressing enter

for challenge password give a challenge password

then just press y for signing the certificate

then press another y to commit

then run

./build-dh

now go to the keys folder

cd keys

ls will show you the keys

cp ca.crt server1.sourav.com.crt server1.sourav.com.key dh2048.pem /etc/openvpn/

cd ../.. to go to the openvpn folder

ls will show you the necessary key files and server.conf

now type

restorecon -Rv /etc/openvpn

to recursively restore the SELinux security context

Now create a symbolic link by typing

ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service

now

nano server.conf

ctrl+w

find server.crt

in my case

make it look like this

ca ca.crt

cert server1.sourav.com.crt

key server1.sourav.com.key

dh dh2048.pem


save and exit

now force-enable OpenVPN through systemd (so it comes up after a reboot)

systemctl -f enable openvpn@server.service

systemctl start openvpn@server.service

check the status of openvpn service

systemctl status openvpn@server.service
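The server.conf edits and the key copying above can be scripted and then checked rather than done by hand in nano. The following is an added example, not code from the original post: configure_server_conf rewrites exactly the directives the post uncomments or changes, and verify_server_conf checks that the files named by the ca/cert/key/dh lines exist and that the private key is not readable by other users. The hostname and directory are parameters; the server.conf written by make_sample_conf is a constructed stand-in for the lines of the sample file the post edits, and GNU find is assumed for -perm /MODE.

```shell
#!/bin/sh
# Added example, not from the original post: script the server.conf edits
# described above and verify the result. Paths and the hostname are
# parameters so it can be run against a scratch directory, not /etc/openvpn.

# configure_server_conf CONF HOSTNAME
# Uncomments redirect-gateway, rewrites the two DNS pushes to 8.8.8.8 and
# 8.8.4.4, uncomments user/group nobody and points cert/key/dh at the files
# the post copies out of easy-rsa/keys.
configure_server_conf() {
    conf="$1"; host="$2"; tmp="$conf.tmp"
    awk -v host="$host" '
        /^;push "redirect-gateway def1 bypass-dhcp"/ { sub(/^;/, "") }
        /^;push "dhcp-option DNS 208/ {
            n++
            $0 = (n == 1) ? "push \"dhcp-option DNS 8.8.8.8\"" : "push \"dhcp-option DNS 8.8.4.4\""
        }
        /^;user nobody/     { sub(/^;/, "") }
        /^;group nobody/    { sub(/^;/, "") }
        /^cert server\.crt/ { $0 = "cert " host ".crt" }
        /^key server\.key/  { $0 = "key " host ".key" }
        /^dh dh[0-9]+\.pem/ { $0 = "dh dh2048.pem" }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# verify_server_conf CONF DIR
# Every ca/cert/key/dh directive must name a file present in DIR, and the
# private key must not be group- or world-readable (GNU find -perm /MODE).
verify_server_conf() {
    conf="$1"; dir="$2"; rc=0
    for directive in ca cert key dh; do
        file=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$file" ] || [ ! -f "$dir/$file" ]; then
            echo "$directive: file '${file:-<unset>}' not found in $dir" >&2; rc=1
        fi
    done
    keyfile=$(awk '$1 == "key" { print $2; exit }' "$conf")
    if [ -f "$dir/$keyfile" ] && [ -n "$(find "$dir/$keyfile" -perm /077)" ]; then
        echo "key: $keyfile is readable by group/others; chmod 600 it" >&2; rc=1
    fi
    return $rc
}

# make_sample_conf DIR: a constructed stand-in for the lines of the OpenVPN
# 2.3 sample server.conf that the post edits (not the full file).
make_sample_conf() {
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;user nobody
;group nobody
EOF
}

# Stand-alone demo on a scratch copy: edit, drop in empty stand-in key files,
# then verify and print the resulting config.
demo_openvpn_conf() {
    d=$(mktemp -d)
    make_sample_conf "$d"
    configure_server_conf "$d/server.conf" server1.sourav.com
    for f in ca.crt server1.sourav.com.crt server1.sourav.com.key dh2048.pem; do
        : > "$d/$f"
    done
    chmod 600 "$d/server1.sourav.com.key"
    verify_server_conf "$d/server.conf" "$d" && cat "$d/server.conf"
    rm -rf "$d"
}
demo_openvpn_conf
```

Run it against a copy of the real file with configure_server_conf /path/to/copy/server.conf "$(hostname)" and then verify_server_conf on the directory holding the keys; the key-permission check is the one most often missed after a cp of the easy-rsa output.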





Sourav Bhattacharya

Linux Faculty for 7 years


Sunday, February 22, 2015

Make your lan connections eth0,eth1 from ens33 etc in CentOS 7

yum -y install ftp nano net-tools #(net-tools for ifconfig)

go to /etc/hostname

server1.sourav.com

go to /etc/hosts

the file is like this

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6


make it look like

127.0.0.1  server1.sourav.com localhost localhost.localdomain localhost4 localhost4.localdomain4
::1       server1.sourav.com  localhost localhost.localdomain localhost6 localhost6.localdomain6


now the ifconfig command shows the interface as ens33; I want to make the two LAN adapters eth0 and eth1

nano /etc/default/grub

find this line

GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/swap vconsole.font=latarcyrheb-sun16 rd.lvm.lv=centos/root crashkernel=auto  vconsole.keymap=us rhgb quiet"

and make it look like this

GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/swap vconsole.font=latarcyrheb-sun16 rd.lvm.lv=centos/root crashkernel=auto  vconsole.keymap=us rhgb quiet net.ifnames=0 biosdevname=0"

save and exit

reboot


ifconfig eth0 down

ifconfig eth1 down

and

ifconfig eth0 up

will do the managing for you


run this command

grub2-mkconfig -o /boot/grub2/grub.cfg

reboot

run ifconfig

you will see the network adapters as eth0 and eth1

cd /etc/sysconfig/network-scripts/

mv ifcfg-ens33 ifcfg-eth0

nano ifcfg-eth1

DEVICE="eth1"

NAME="eth1"

IPADDR=10.10.0.1

delete the gateway and DNS lines

delete the UUID line

set the proper MAC address of the second ethernet adapter

BOOTPROTO="static"

ONBOOT="yes"

delete the PEERROUTES, PEERDNS and DEFROUTE entries on eth1


save and exit


systemctl stop NetworkManager

systemctl disable NetworkManager

systemctl restart network

now you are fine

For more information 



http://unix.stackexchange.com/questions/81834/how-can-i-change-the-default-ens33-network-device-to-old-eth0-on-fedora-19




Tuesday, February 17, 2015

php mcrypt not found solved and install and enable curl

sudo apt-get install php5-mcrypt
sudo ln -s /etc/php5/conf.d/mcrypt.ini /etc/php5/mods-available
sudo php5enmod mcrypt 
sudo service apache2 restart

install and enable curl extension

sudo apt-get install curl libcurl3 libcurl3-dev php5-curl

Monday, February 9, 2015

Samba 4 Active Directory Domain Controller on CentOS 7 part 1



Configure active directory domain controller on CentOS 7

# nano /etc/sysconfig/network-scripts/ifcfg-ens33

Change the relevant sections so the file looks like this:

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=ens33
UUID=84c05b0f-7a4f-477b-80ca-758fbddf39d9
ONBOOT=yes
HWADDR=00:0C:29:5D:DD:7D
IPADDR0=192.168.28.150
PREFIX0=24
GATEWAY0=192.168.28.2
DNS1=192.168.28.150

nano /etc/sysconfig/network

HOSTNAME=server1.sourav.com
DNS1=192.168.28.150
SEARCH=sourav.com

Restart Network

# systemctl restart network

Disable SELINUX:

# vi /etc/selinux/config

Set SELINUX to disabled



SELINUX=disabled

Turn off IPTables

systemctl disable iptables

systemctl stop iptables

Set DNS:

# nano /etc/resolv.conf

Add these two lines

search sourav.com

nameserver 192.168.28.150

Run Updates

# yum update -y

Install prerequisite packages

All at once

# yum install glibc glibc-devel gcc python*

 python-devel libacl-devel krb5-workstation

 krb5-libs pam_krb5 bind-utils wget man ntp -y

Or one at a time

# yum install glibc -y

# yum install glibc-devel -y

# yum install gcc -y

# yum install python* -y

# yum install python-devel -y

# yum install libacl-devel -y

# yum install krb5-workstation -y

# yum install krb5-libs -y

# yum install pam_krb5 -y

# yum install bind-utils -y

# yum install wget -y

# yum install man -y

# yum install ntp -y

Make and Change to samba-master directory

# mkdir /samba-master

# cd /samba-master

Remove any previous Versions of Samba

# yum remove samba* -y

Download latest stable version of Samba

 (currently 4.1.12)(for me only this version worked)

# wget http://www.samba.org/samba/ftp/stable/samba-4.1.12.tar.gz

Un gzip the samba files

# tar -xzf samba-4.1.12.tar.gz

Change to the folder that the Samba files were extracted into

cd samba-4.1.12

Compile and Install Samba

# ./configure --enable-selftest --enable-debug

# make

# make install

Edit Path

nano /etc/profile.d/custom.sh

Add these two lines and save

export PATH=$PATH:/usr/local/samba/sbin

export PATH=$PATH:/usr/local/samba/bin

chmod +x /etc/profile.d/custom.sh

Restart Server

# shutdown now -r

Provision Domain

# /usr/local/samba/bin/samba-tool domain provision

(Just press enter to accept the default values; the password should be complex alphanumeric, otherwise an error will arise)

Add Samba to startup

# vi /etc/rc.d/rc.local

Add the following line and save

/usr/local/samba/sbin/samba

chmod +x /etc/rc.d/rc.local

Restart Server

# shutdown now -r

Verify Samba Version

# /usr/local/samba/sbin/samba -V

# /usr/local/samba/bin/smbclient --version

Verify Domain Info

# /usr/local/samba/bin/smbclient -L localhost -U%

Check DNS Forwarder

# vi /usr/local/samba/etc/smb.conf

Verify DNS forwarder is set to your Internet DNS IP

dns forwarder = 192.168.28.2

Verify your DNS Settings for Linux

# vi /etc/resolv.conf

Verify your nameserver is set to your AD server's IP address (the IP of the server we just set up)

search sourav.com

nameserver 192.168.28.150

Verify DNS setting on you network interface

# vi /etc/sysconfig/network-scripts/ifcfg-eth0

Verify your DNS1 is set to your AD server's IP address (the IP of the server we just set up)

DNS1="192.168.28.2"   # MUST CHANGE THIS TO YOUR HOST IP ADDRESS!!

Verify DNS is working by issuing the following commands

# host -t SRV _ldap._tcp.sourav.com.

# host -t SRV _kerberos._udp.sourav.com.

# host -t A server1.sourav.com.

Setup Kerberos

# mv /etc/krb5.conf /etc/krb5.conf.orig

# cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

# vi /etc/krb5.conf

Verify it looks like this and has your domain info

[libdefaults]
default_realm = SOURAV.COM
dns_lookup_realm = false
dns_lookup_kdc = true

Restart Server

# shutdown now -r

Test Kerberos

# kinit administrator@SOURAV.COM

# klist

Start NTP and set it to run on startup

systemctl start ntpd

systemctl enable ntpd

Source: https://www.youtube.com/watch?v=CJrKkMCnXP0
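The post asks you to verify by eye that the DC's address is the DNS1 in the ifcfg file, the nameserver in /etc/resolv.conf and not the dns forwarder in smb.conf, and that krb5.conf carries the realm. The following is an added example, not from the post or the video it cites: dc_dns_check and krb_realm_check do those comparisons on given files. The file paths, DC address and domain are parameters; the sample files written by make_dc_samples are constructed here with the post's values (including the wrong DNS1 the post warns about, so the first check fails on purpose).

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the settings the
# post tells you to verify by hand after provisioning the domain controller.
# File paths are parameters; the sample files below are constructed.

# conf_value FILE KEY: value of a "KEY = value" line (smb.conf/krb5.conf style)
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# dc_dns_check IFCFG RESOLV SMBCONF DC_IP DOMAIN
# - DNS1 in the ifcfg file and "nameserver" in resolv.conf must both be the
#   DC's own address (the post's "MUST CHANGE THIS" warning)
# - resolv.conf "search" should be the AD domain
# - smb.conf "dns forwarder" must be set and must not be the DC itself
dc_dns_check() {
    ifcfg="$1"; resolv="$2"; smb="$3"; dc="$4"; domain="$5"; rc=0
    dns1=$(sed -n 's/^DNS1="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$ifcfg" | head -n 1)
    ns=$(awk '$1 == "nameserver" { print $2; exit }' "$resolv")
    srch=$(awk '$1 == "search" { print $2; exit }' "$resolv")
    fwd=$(conf_value "$smb" "dns forwarder")
    [ "$dns1" = "$dc" ]     || { echo "ifcfg DNS1=${dns1:-unset}, expected $dc" >&2; rc=1; }
    [ "$ns" = "$dc" ]       || { echo "resolv.conf nameserver=${ns:-unset}, expected $dc" >&2; rc=1; }
    [ "$srch" = "$domain" ] || { echo "resolv.conf search=${srch:-unset}, expected $domain" >&2; rc=1; }
    [ -n "$fwd" ]           || { echo "smb.conf: dns forwarder not set" >&2; rc=1; }
    [ "$fwd" != "$dc" ]     || { echo "smb.conf: dns forwarder points at the DC itself" >&2; rc=1; }
    return $rc
}

# krb_realm_check KRB5CONF DOMAIN
# default_realm must be DOMAIN in upper case, and dns_lookup_kdc must be true
# so the _kerberos SRV record the post tests with host(1) is actually used.
krb_realm_check() {
    realm=$(conf_value "$1" default_realm)
    want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    rc=0
    [ "$realm" = "$want" ] || { echo "default_realm=${realm:-unset}, expected $want" >&2; rc=1; }
    [ "$(conf_value "$1" dns_lookup_kdc)" = "true" ] || { echo "dns_lookup_kdc should be true" >&2; rc=1; }
    return $rc
}

# make_dc_samples DIR: constructed copies of the four files, using the post's
# addresses. ifcfg-eth0 deliberately carries the wrong DNS1 the post warns about.
make_dc_samples() {
    cat > "$1/ifcfg-eth0" <<'EOF'
DEVICE="eth0"
BOOTPROTO="static"
IPADDR0=192.168.28.150
PREFIX0=24
GATEWAY0=192.168.28.2
DNS1="192.168.28.2"
EOF
    printf 'search sourav.com\nnameserver 192.168.28.150\n' > "$1/resolv.conf"
    printf '[global]\n    realm = SOURAV.COM\n    dns forwarder = 192.168.28.2\n' > "$1/smb.conf"
    printf '[libdefaults]\n    default_realm = SOURAV.COM\n    dns_lookup_realm = false\n    dns_lookup_kdc = true\n' > "$1/krb5.conf"
}

demo_dc_checks() {
    d=$(mktemp -d); make_dc_samples "$d"
    echo "as written in the post (DNS1 still the gateway):"
    dc_dns_check "$d/ifcfg-eth0" "$d/resolv.conf" "$d/smb.conf" 192.168.28.150 sourav.com || echo "  -> FAIL"
    sed 's/^DNS1=.*/DNS1="192.168.28.150"/' "$d/ifcfg-eth0" > "$d/ifcfg-eth0.fixed"
    echo "after changing DNS1 to the DC:"
    dc_dns_check "$d/ifcfg-eth0.fixed" "$d/resolv.conf" "$d/smb.conf" 192.168.28.150 sourav.com && echo "  -> OK"
    krb_realm_check "$d/krb5.conf" sourav.com && echo "krb5.conf realm OK"
    rm -rf "$d"
}
demo_dc_checks
```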




Sourav Bhattacharya

Linux Faculty/Enthusiast for 7 years

Kolkata

Friday, February 6, 2015

ifconfig not found, use nmcli d and set the IP Address on CentOS 7

By default on the core minimal configuration of CentOS Server, ifconfig is not present;

you have to install the net-tools rpm from the Packages folder of the DVD to get ifconfig

use nmcli d to see the available network cards 

from GUI mode(if GUI is available ) use the command

nmtui

to set the ip 

 vi /etc/sysconfig/network-scripts/ifcfg-ens33

 TYPE=Ethernet
 BOOTPROTO=none
 DEFROUTE=yes
 IPV4_FAILURE_FATAL=no
 IPV6INIT=yes
 IPV6_AUTOCONF=yes
 IPV6_DEFROUTE=yes
 IPV6_FAILURE_FATAL=no
 NAME=enp0s17
 UUID=7f1aff2d-b154-4436-9497-e3a4dedddcef
 ONBOOT=no
 HWADDR=00:0C:29:A1:B5:D6
 PEERDNS=yes
 PEERROUTES=yes
 IPV6_PEERDNS=yes
 IPV6_PEERROUTES=yes

For DHCP
Find the below lines in the config file.
BOOTPROTO=none
ONBOOT=no

and replace with

BOOTPROTO=dhcp
ONBOOT=yes

Now restart the network service by typing the below command.

systemctl restart network

For Static IP.
 Find the below lines in config File.
BOOTPROTO=none
 ONBOOT=no

and replace with

BOOTPROTO=static
 ONBOOT=yes

And add the below lines at the end of the file.

IPADDR=192.168.28.51
 NETMASK=255.255.255.0
 GATEWAY=192.168.28.50
 DNS1=192.168.28.50

File will look like below after changes.
TYPE=Ethernet
 BOOTPROTO=static
 DEFROUTE=yes
 IPV4_FAILURE_FATAL=no
 IPV6INIT=yes
 IPV6_AUTOCONF=yes
 IPV6_DEFROUTE=yes
 IPV6_FAILURE_FATAL=no
 NAME=enp0s17
 UUID=f0c5b37d-299a-43cb-b74b-618bb252d129
 ONBOOT=yes
 HWADDR=00:0C:29:B1:C5:BB
 IPV6_PEERDNS=yes
 IPV6_PEERROUTES=yes
 IPADDR=192.168.28.51
 NETMASK=255.255.255.0
 GATEWAY=192.168.28.50
 DNS1=192.168.28.50

Now Restart network service by typing below command.
systemctl restart network

you can use /etc/sysconfig/network file for hostname and DNS .
HOSTNAME=server1.sourav.com
 DNS1=192.168.0.50
 DNS2=4.2.2.2
 SEARCH=sourav.com
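Both this post and the eth0/eth1 post above end with hand-written ifcfg files, and the eth1 one lists the keys that must be deleted on a second NIC. The following is an added example, not from either post: write_static_ifcfg emits a static ifcfg file (with or without a default route) and audit_ifcfg checks a file for the required keys and, for a secondary NIC, for the leftovers the post says to delete. The target directory is a parameter so it can be run in a scratch directory rather than /etc/sysconfig/network-scripts; the MAC addresses and IPs in the demo are the ones the posts use.

```shell
#!/bin/sh
# Added example, not from either post: write an ifcfg-* file for a static
# address and audit it for the entries the eth0/eth1 post says to delete on a
# second NIC. DIR is a parameter so it targets a scratch directory rather than
# /etc/sysconfig/network-scripts.

# write_static_ifcfg DIR DEV IP NETMASK MAC [GATEWAY [DNS1]]
# Without GATEWAY the file comes out the way the post wants eth1: no DEFROUTE,
# PEERDNS, PEERROUTES, UUID, gateway or DNS lines; HWADDR pins it to the NIC.
write_static_ifcfg() {
    dir="$1"; dev="$2"; ip="$3"; mask="$4"; mac="$5"; gw="${6:-}"; dns="${7:-}"
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$mac" in
        $h:$h:$h:$h:$h:$h) ;;
        *) echo "write_static_ifcfg: '$mac' is not a MAC address" >&2; return 1 ;;
    esac
    {
        echo "TYPE=Ethernet"
        echo "DEVICE=\"$dev\""
        echo "NAME=\"$dev\""
        echo "HWADDR=$mac"
        echo "BOOTPROTO=\"static\""
        echo "ONBOOT=\"yes\""
        echo "IPADDR=$ip"
        echo "NETMASK=$mask"
        if [ -n "$gw" ]; then
            echo "DEFROUTE=yes"
            echo "GATEWAY=$gw"
            if [ -n "$dns" ]; then echo "DNS1=$dns"; fi
        fi
    } > "$dir/ifcfg-$dev"
}

# audit_ifcfg FILE [secondary]
# Required keys must be present. With "secondary", the keys the post deletes
# from eth1 (UUID, GATEWAY, DNS*, DEFROUTE, PEERDNS, PEERROUTES) must be absent.
audit_ifcfg() {
    file="$1"; role="${2:-primary}"; rc=0
    for key in DEVICE BOOTPROTO ONBOOT IPADDR HWADDR; do
        grep -q "^$key=" "$file" || { echo "$file: missing $key" >&2; rc=1; }
    done
    if [ "$role" = secondary ]; then
        for key in UUID GATEWAY DNS1 DNS2 DEFROUTE PEERDNS PEERROUTES; do
            if grep -q "^$key=" "$file"; then
                echo "$file: $key should be removed on a secondary NIC" >&2; rc=1
            fi
        done
    fi
    if grep -q '^IPADDR=' "$file" && grep -q '^BOOTPROTO="*dhcp' "$file"; then
        echo "$file: IPADDR set together with BOOTPROTO=dhcp" >&2; rc=1
    fi
    return $rc
}

# Stand-alone demo in a scratch directory with the posts' own values.
demo_ifcfg() {
    d=$(mktemp -d)
    write_static_ifcfg "$d" eth0 192.168.28.51 255.255.255.0 00:0C:29:B1:C5:BB 192.168.28.50 192.168.28.50
    write_static_ifcfg "$d" eth1 10.10.0.1 255.255.255.0 00:0c:29:ff:5b:64
    audit_ifcfg "$d/ifcfg-eth0" && audit_ifcfg "$d/ifcfg-eth1" secondary && cat "$d/ifcfg-eth1"
    rm -rf "$d"
}
demo_ifcfg
```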

DHCP with MAC-Binding on CentOS 7




mount -o loop /dev/cdrom /media

cd /media/Packages

rpm -ivh dhcp.....rpm

nano /etc/dhcp/dhcpd.conf



#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.example
#   see dhcpd.conf(5) man page

# create new

option domain-name "sourav.com";
option domain-name-servers 192.168.28.150;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.28.255;
option routers 192.168.28.50;

default-lease-time 600;
max-lease-time 7200;

subnet 192.168.28.0 netmask 255.255.255.0 {
    range dynamic-bootp 192.168.28.190 192.168.28.195;
}

host client {
    option host-name "client.sourav.com";
    hardware ethernet 00:0c:29:ff:5b:64;
    fixed-address 192.168.28.192;
}
 
save and exit


systemctl start dhcpd

systemctl enable dhcpd

start the client

nano /etc/sysconfig/network-scripts/ifcfg-ens33

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=ens33
UUID=84c05b0f-7a4f-477b-80ca-758fbddf39d9
ONBOOT=yes
HWADDR=00:0C:29:5D:DD:7D


save and exit

systemctl restart network 

go to dhcp server

you should see the leased IP in

 nano /var/lib/dhcpd/dhcpd.leases
 

and if you type

systemctl status dhcpd

you should see if it is running including the lease information

Tuesday, February 3, 2015

Apache with SSL,HTTPS configuration on CentOS 7

sudo yum install httpd
sudo systemctl enable httpd.service
sudo yum install mod_ssl
sudo mkdir /etc/httpd/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt

    openssl: This is the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.
    req -x509: This specifies that we want to use X.509 certificate signing request (CSR) management. The "X.509" is a public key infrastructure standard that SSL and TLS adhere to for key and certificate management.
    -nodes: This tells OpenSSL to skip the option to secure our certificate with a passphrase. We need Apache to be able to read the file, without user intervention, when the server starts up. A passphrase would prevent this from happening, since we would have to enter it after every restart.
    -days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.
    -newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
    -keyout: This line tells OpenSSL where to place the generated private key file that we are creating.
    -out: This tells OpenSSL where to place the certificate that we are creating.

Then you have to fill up like this
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Example
Locality Name (eg, city) [Default City]:Example
Organization Name (eg, company) [Default Company Ltd]:Example Inc
Organizational Unit Name (eg, section) []:Example Dept
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:webmaster@example.com

Then
sudo nano /etc/httpd/conf.d/ssl.conf
Find the section that begins with <VirtualHost _default_:443>. We need to make a few changes here to ensure that our SSL certificate is correctly applied to our site.
First, uncomment the DocumentRoot line and edit the address in quotes to the location of your site's document root. By default, this will be in /var/www/html, and you don't need to change this line if you have not changed the document root for your site. However, if you followed a guide like our Apache virtual hosts setup guide, your site's document root may be different.
DocumentRoot "/var/www/example.com/public_html"

Next, uncomment the ServerName line and replace www.example.com with your domain name or server IP address (whichever one you put as the common name in your certificate):
 ServerName www.example.com:443
Find the SSLCertificateFile and SSLCertificateKeyFile lines and change them to the directory we made at /etc/httpd/ssl:
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key

sudo apachectl restart



Source:https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-apache-for-centos-7
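The ssl.conf edits above are three small substitutions plus a check that the files they point at exist. The following is an added example, not from the post or the DigitalOcean guide it cites: apply_ssl_edits makes the DocumentRoot, ServerName, SSLCertificateFile and SSLCertificateKeyFile changes with sed into a new file, and check_ssl_conf verifies the result, including that the private key is not readable by other users, before apachectl restart. The ssl.conf written by make_ssl_sample is a constructed stand-in for the stock lines the post edits; paths are parameters and GNU find is assumed for -perm /MODE.

```shell
#!/bin/sh
# Added example, not from the original post (nor from the DigitalOcean guide
# it cites): apply the ssl.conf edits described above with sed and check
# them before restarting Apache. The sample ssl.conf is constructed; paths
# are parameters; GNU find is assumed for -perm /MODE.

# apache_directive CONF NAME: value of the first uncommented NAME line
apache_directive() {
    awk -v n="$2" '$1 == n { print $2; exit }' "$1"
}

# apply_ssl_edits CONF DOCROOT SERVERNAME CERT KEY
# Uncomments/sets DocumentRoot and ServerName, repoints the cert and key.
# Writes CONF.new and leaves CONF untouched.
apply_ssl_edits() {
    sed -e "s|^#*DocumentRoot .*|DocumentRoot \"$2\"|" \
        -e "s|^#*ServerName .*|ServerName $3|" \
        -e "s|^SSLCertificateFile .*|SSLCertificateFile $4|" \
        -e "s|^SSLCertificateKeyFile .*|SSLCertificateKeyFile $5|" \
        "$1" > "$1.new"
}

# check_ssl_conf CONF
# DocumentRoot and ServerName must be active, the certificate and key files
# must exist, and the private key must not be group- or world-readable.
check_ssl_conf() {
    conf="$1"; rc=0
    droot=$(apache_directive "$conf" DocumentRoot | tr -d '"')
    sname=$(apache_directive "$conf" ServerName)
    cert=$(apache_directive "$conf" SSLCertificateFile)
    key=$(apache_directive "$conf" SSLCertificateKeyFile)
    [ -n "$droot" ] || { echo "DocumentRoot is not set (still commented out?)" >&2; rc=1; }
    [ -n "$sname" ] || { echo "ServerName is not set (still commented out?)" >&2; rc=1; }
    [ -f "$cert" ]  || { echo "SSLCertificateFile '${cert:-unset}' not found" >&2; rc=1; }
    [ -f "$key" ]   || { echo "SSLCertificateKeyFile '${key:-unset}' not found" >&2; rc=1; }
    if [ -f "$key" ] && [ -n "$(find "$key" -perm /077)" ]; then
        echo "private key $key is readable by group/others; chmod 600 it" >&2; rc=1
    fi
    return $rc
}

# make_ssl_sample DIR: constructed stand-in for the stock ssl.conf lines the
# post edits (not the full file); the stock cert paths are placeholders.
make_ssl_sample() {
    cat > "$1/ssl.conf" <<EOF
Listen 443 https
<VirtualHost _default_:443>
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
SSLEngine on
SSLCertificateFile $1/placeholder-localhost.crt
SSLCertificateKeyFile $1/placeholder-localhost.key
</VirtualHost>
EOF
}

demo_ssl_conf() {
    d=$(mktemp -d); make_ssl_sample "$d"
    mkdir "$d/ssl"; : > "$d/ssl/apache.crt"; : > "$d/ssl/apache.key"
    chmod 600 "$d/ssl/apache.key"
    apply_ssl_edits "$d/ssl.conf" /var/www/html www.example.com:443 "$d/ssl/apache.crt" "$d/ssl/apache.key"
    check_ssl_conf "$d/ssl.conf.new" && cat "$d/ssl.conf.new"
    rm -rf "$d"
}
demo_ssl_conf
```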



 

Monday, February 2, 2015

Install Webmin on CentOS 7


nano  /etc/yum.repos.d/webmin.repo
[Webmin]
name=Webmin Distribution Neutral
#baseurl=http://download.webmin.com/download/yum
mirrorlist=http://download.webmin.com/download/yum/mirrorlist
enabled=1

rpm --import http://www.webmin.com/jcameron-key.asc
yum install webmin -y
chkconfig webmin on
service webmin start

firewall-cmd --permanent --add-port=10000/tcp
From another PC go to http://192.168.28.150:10000
log in as root

Vsftpd with SSL-TLS on CentOS 7

after installing vsftpd you have to perform
setsebool -P ftp_home_dir=1

sudo mkdir /etc/ssl/private

To create the certificate and the key in a single file, we can use this command:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

(rsa:1024 is what was used here; 1024-bit RSA keys are below current minimum recommendations, so use rsa:2048 on a new deployment, as the Apache post above does)

go to /etc/vsftpd/vsftpd.conf
comment the line
anonymous_enable=YES

uncomment the line
chroot_local_user=YES
add the line

dual_log_enable=YES
At the end add those lines
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

save the file
firewall-cmd --permanent --add-port=21/tcp
firewall-cmd --permanent --add-port=21/udp

firewall-cmd --permanent --add-port=20/tcp
firewall-cmd --permanent --add-port=20/udp

firewall-cmd --permanent --add-service=ftp
firewall-cmd --reload
service vsftpd restart
chkconfig vsftpd on
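Once vsftpd.conf has been edited it is easy to miss one line, or to leave anonymous_enable=YES active. The following is an added example, not from the original post: vsftpd_tls_audit reads a vsftpd.conf and checks every key=value the post adds, that anonymous_enable is not YES, that the certificate and key files exist, and that the key is not readable by other users. The weak.conf and hardened.conf written by make_vsftpd_samples are constructed here (hardened.conf is the post's settings); CONF is a parameter and GNU find is assumed for -perm /MODE.

```shell
#!/bin/sh
# Added example, not from the original post: audit a vsftpd.conf for the TLS
# settings the post adds, using a constructed weak file and a constructed
# hardened file. CONF is a parameter; GNU find is assumed for -perm /MODE.

# vsftpd_get CONF KEY: value of the last uncommented KEY=value line, or ""
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# vsftpd_tls_audit CONF
# - every key=value the post adds must be present with that value
# - anonymous_enable must not be YES (the post comments it out)
# - rsa_cert_file / rsa_private_key_file must exist, key not group/world readable
vsftpd_tls_audit() {
    conf="$1"; rc=0
    for kv in ssl_enable=YES force_local_data_ssl=YES force_local_logins_ssl=YES \
              allow_anon_ssl=NO ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO \
              chroot_local_user=YES ssl_ciphers=HIGH; do
        k=${kv%%=*}; v=${kv#*=}; have=$(vsftpd_get "$conf" "$k")
        [ "$have" = "$v" ] || { echo "$k should be $v (is '${have:-unset}')" >&2; rc=1; }
    done
    [ "$(vsftpd_get "$conf" anonymous_enable)" != "YES" ] \
        || { echo "anonymous_enable=YES is still active; comment it out" >&2; rc=1; }
    for k in rsa_cert_file rsa_private_key_file; do
        f=$(vsftpd_get "$conf" "$k")
        [ -n "$f" ] && [ -f "$f" ] || { echo "$k: file '${f:-unset}' not found" >&2; rc=1; }
    done
    key=$(vsftpd_get "$conf" rsa_private_key_file)
    if [ -f "$key" ] && [ -n "$(find "$key" -perm /077)" ]; then
        echo "$key is readable by group/others; chmod 600 it" >&2; rc=1
    fi
    return $rc
}

# make_vsftpd_samples DIR: constructed weak.conf (the defaults the post
# changes) and hardened.conf (the post's settings) with an empty stand-in
# vsftpd.pem in DIR.
make_vsftpd_samples() {
    : > "$1/vsftpd.pem"; chmod 600 "$1/vsftpd.pem"
    cat > "$1/weak.conf" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
#chroot_local_user=YES
EOF
    cat > "$1/hardened.conf" <<EOF
#anonymous_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=YES
dual_log_enable=YES
rsa_cert_file=$1/vsftpd.pem
rsa_private_key_file=$1/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
EOF
}

demo_vsftpd_audit() {
    d=$(mktemp -d); make_vsftpd_samples "$d"
    echo "weak.conf:";     vsftpd_tls_audit "$d/weak.conf"     || echo "  -> FAIL"
    echo "hardened.conf:"; vsftpd_tls_audit "$d/hardened.conf" && echo "  -> OK"
    rm -rf "$d"
}
demo_vsftpd_audit
```

Run it as vsftpd_tls_audit /etc/vsftpd/vsftpd.conf after editing and before service vsftpd restart; every line it prints is one of the post's settings that is missing or wrong.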