Monday, November 9, 2015

How to Install/Configure a Relay Host

Purpose

This document describes how to install/configure a Relay Host server.

Target Audience

This document is intended for use by Systems Administrators who wish to install and configure a Relay host server.

Prerequisites

Hardened Linux 6 system

Installing a new Relay Host server

Install the required packages


# yum install postfix

Configuring the Relay Host

# vi /etc/postfix/main.cf

Uncomment:
inet_interfaces = all

Comment:
inet_interfaces = localhost

Edit the following:
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, yourdomain.com
local_recipient_maps =
mynetworks = 10.120.22.0/16, 10.110.22.0/16


Edit /etc/postfix/main.cf and add these lines at the bottom:

transport_maps = hash:/etc/postfix/transport
smtp_generic_maps = hash:/etc/postfix/generic

Create a file named transport in /etc/postfix and add the following line; the "*" entry sends mail for every domain to the smtp transport on your mail server:
*  smtp:smtp.youremailserver.com

Remember to replace "smtp.youremailserver.com" with the address of your email server.

Now create a file named generic in /etc/postfix and add the following; it rewrites sender addresses of the form user@hostFQDN to hostname@domain.com as mail leaves the relay:
@hostFQDN    hostname@domain.com

Now compile those files into lookup tables with the postmap command:
# postmap /etc/postfix/transport
# postmap /etc/postfix/generic

Restart Postfix; all mail should now be relayed to your email server.

On the client side (every host that should send through the relay), set the relay in /etc/postfix/main.cf and restart Postfix. The square brackets make Postfix skip the MX lookup and connect to that address directly:
relayhost = [an.ip.add.ress]
# service postfix restart

Notes:
To see all mails in the current queue:
# mailq

To flush the mail queue run:
# postfix flush

To get the maximum queue lifetime:
# postconf maximal_queue_lifetime
maximal_queue_lifetime = 5d

To get the message size limit:
# postconf message_size_limit
message_size_limit = 10240000

Start the Postfix Daemon

# service postfix start
# chkconfig postfix on
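As an added example (not part of the original post), the following POSIX shell script reads a main.cf like the one configured above and checks the settings the post relies on; it also flags any mynetworks entry that would relay for the whole Internet, which is how a relay host becomes an open relay. The function names are my own, and the sample main.cf it writes is constructed here, not taken from a real host.

```shell
# Added example (not from the original post): check a relay host's main.cf for
# the settings above and flag an over-broad mynetworks, which is what turns a
# relay host into an open relay. Assumes a main.cf-style file path as argument.

# Print the effective (uncommented) value of one main.cf parameter; last one wins.
main_cf_get() {   # $1 = file, $2 = parameter name
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $0 ~ "^[[:space:]]*" key "[[:space:]]*=" {
            sub("^[[:space:]]*" key "[[:space:]]*=[[:space:]]*", ""); val = $0
        }
        END { print val }' "$1"
}

# Print one line per problem found in a relay host main.cf; return 1 if any.
check_relay_cf() {   # $1 = main.cf path
    f="$1"; rc=0
    [ "$(main_cf_get "$f" inet_interfaces)" = "all" ] || { echo "inet_interfaces is not 'all': clients cannot reach the relay"; rc=1; }
    [ -n "$(main_cf_get "$f" transport_maps)" ]     || { echo "transport_maps not set: mail is not routed to the mail server"; rc=1; }
    [ -n "$(main_cf_get "$f" smtp_generic_maps)" ]  || { echo "smtp_generic_maps not set: sender addresses are not rewritten"; rc=1; }
    nets=$(main_cf_get "$f" mynetworks)
    [ -n "$nets" ] || { echo "mynetworks not set"; rc=1; }
    # Postfix relays for every client inside mynetworks, so a /0 entry means anyone.
    for n in $(printf '%s' "$nets" | tr ',' ' '); do
        case "$n" in
            */0) echo "mynetworks entry $n relays for the whole Internet (open relay)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample main.cf (not from the post): the settings above, with the
# mynetworks value supplied by the caller so a bad entry can be tried.
write_sample_cf() {   # $1 = output path, $2 = mynetworks value
    {
        printf '%s\n' '#inet_interfaces = localhost' 'inet_interfaces = all' \
            'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, yourdomain.com' \
            'local_recipient_maps =' 'transport_maps = hash:/etc/postfix/transport' \
            'smtp_generic_maps = hash:/etc/postfix/generic'
        printf 'mynetworks = %s\n' "$2"
    } > "$1"
}
```

Run it on a live relay with check_relay_cf /etc/postfix/main.cf; postconf -n shows the same effective values if you want to compare.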

Finishing up


You have now successfully configured a new Relay Host server.

How to Install/Configure a new Proxy server


Purpose

This document describes how to install/configure a Proxy server.


Target Audience

This document is intended for use by Systems Administrators who wish to install and configure a Proxy server.


Prerequisites

Hardened Linux 6 system.


Installing a new Proxy server

Install the required packages

# yum install squid
# vi /etc/squid/squid.conf
Change the http_port directive to 8080:
http_port 8080

Start the Proxy Daemon

# service squid start
# chkconfig squid on

Finishing up


You have now successfully configured a new Proxy server.

Sunday, November 8, 2015

How to Install/Configure a new NTP server

Purpose

This document describes how to install/configure an NTP server.

Target Audience

This document is intended for use by Systems Administrators who wish to install and configure an NTP server.

Prerequisites

Hardened Linux 6 system

Installing a new NTP server

Install the required packages


# yum install ntp

# vi /etc/ntp.conf

If the system uses IPv4 rather than IPv6, comment out the following lines:

#restrict -6 default kod nomodify notrap nopeer noquery
#restrict -6 ::1

Add your preferred external time servers.
For me, I comment out the default time servers and add the following:

server time.nist.gov

Make sure that your /etc/sysconfig/ntpd has the following line:

OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid -g"

Start the NTP Daemon


# service ntpd start
# chkconfig ntpd on

Test the sync to the external NTP server


To print a list of the peers known to the server together with a summary of their state:

# ntpq -p

Look for a line beginning with "*": the asterisk marks the peer currently selected as the time source.

Manually sync the system

# ntpdate -bs time.nist.gov

Note that ntpdate cannot bind the NTP port while ntpd is running, so either run it before starting the daemon or stop ntpd first.
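The ntpq -p check above is the one that ends up in monitoring scripts. As an added example (not from the original post), this POSIX shell function parses ntpq -p output, reports the selected peer with its reachability and offset, and returns a distinct status when no peer is selected; the ntpq output it runs on is constructed for the example and the function name is my own.

```shell
# Added example (not from the original post): parse ntpq -p output and report
# the peer ntpd has selected as its time source, i.e. the line whose tally
# column is "*". Reads the output from the file in $1 (or stdin if none given).
# Prints "remote reach offset" for the selected peer. Exit status: 0 = a peer is
# selected and reach is 377 (all of the last eight polls answered), 2 = a peer
# is selected but reach is below 377, 1 = no peer selected (not synchronised).
ntp_selected_peer() {
    awk '
        NR <= 2 { next }          # column header and the ==== separator line
        NF < 10 { next }          # not a peer line
        {
            tally  = substr($0, 1, 1)                       # " " "*" "+" "-" "x" ...
            remote = (tally == " ") ? $1 : substr($1, 2)    # strip the tally char
            if (tally == "*") {
                found = 1
                print remote, $7, $9                        # remote, reach, offset (ms)
                if ($7 != "377") partial = 1
            }
        }
        END { if (!found) exit 1; exit (partial ? 2 : 0) }' "$@"
}

# Constructed ntpq -p output (not real captures): one synchronised host and one
# that has only just started polling and has no selected peer yet.
sample_ntpq_synced() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.nist.gov   .NIST.           1 u   42   64  377   12.345   -0.812   0.421
+10.0.0.5        129.6.15.28      2 u   19   64  377    0.512    0.103   0.050
 10.0.0.6        .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}
sample_ntpq_starting() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 time.nist.gov   .NIST.           1 u   12   64    1   12.345   -0.812   0.000
EOF
}
```

On a real server pipe the live output in: ntpq -p | ntp_selected_peer.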

Finishing up

You have now successfully configured a new NTP server.


How to install and harden a new Linux server


Purpose

This document describes how to add RHEL or Oracle Linux servers to a test or production environment.

Target Audience

This document is intended for use by Systems Administrators who wish to install and harden Linux servers.

Prerequisites

Install the OS and choose the appropriate layout and correct hostname.

Adding a new Linux server

Network Configurations


Add the name server to your resolv.conf configuration file (the keyword is lowercase):
# vi /etc/resolv.conf
nameserver  <IP>

Configure your NIC.
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
# service network restart
# ping google.com              //For testing

VMTools Installation

For virtual machines, do the following:

# cd
# mkdir VMTools
# mount /dev/cdrom /mnt/
# cp -a /mnt/VMwareTools-x.x.x.tar.gz VMTools/
# umount /dev/cdrom
# cd VMTools/
# tar xzvf VMwareTools-x.x.x.tar.gz
# cd vmware-tools-distrib/
# ./vmware-install.pl

Disable SELinux

To make your life easy :)

# vi /etc/sysconfig/selinux

Set SELINUX=disabled; it takes effect after the reboot at the end of this guide. Be aware that this drops the mandatory access control layer entirely, whereas SELINUX=permissive logs denials without enforcing them and is enough for troubleshooting.

NTP Configuration


# vi /etc/ntp.conf
# ntpdate -bs ntp01.domainname.com
# service ntpd start
# chkconfig ntpd on

Register the system


# uln_register --proxy=proxy.domainname.com:8080

Only if registration fails to connect to ULN, export the proxy variables and run the registration again:

# export http_proxy=http://proxy.domainname.com:8080
# export https_proxy=http://proxy.domainname.com:8080
# uln_register --proxy=proxy.domainname.com:8080

Update the system


# yum update

Apply the security scripts

Security scripts will be uploaded separately.

# cp -a scripts/ /root/
# cd /root/scripts/
# chmod u+x *
# ./script1.sh
# ./script2.sh
# ./script3.sh
# ./script4.sh
# ./script6.sh
# ./script7.sh
# ./script8.sh
# ./script9.sh

LDAPS Configuration

Will attach samples of the configuration files later.
# yum install openldap openldap-clients nss-pam-ldapd krb5-libs
# cd /etc
# scp krb5.conf nsswitch.conf pam_ldap.conf sudo-ldap.conf sudoers nslcd.conf client:/etc/
# cd /etc/pam.d
# scp login password-auth-ac system-auth-ac client:/etc/pam.d
# cd /etc/openldap/certs/
# scp ca.pem client:/etc/openldap/certs/
# certutil -A -n "CA Certificate" -t "CT" -i ca.pem -d .
# service nslcd start
# sudo su - your_ldap_user

Auto create Home Directories


# vi /etc/pam.d/sshd

Add the following line (as a real entry, not commented out with "#"):
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022

Log Configuration


Add your log server to /etc/rsyslog.conf (a forwarding rule such as *.* @@<logserver>:514 sends everything to it over TCP) and restart rsyslog:
# service rsyslog restart

Mail Configuration

Add the relay host (relayhost = [an.ip.add.ress], as in the Relay Host post above) and restart Postfix:
# vi /etc/postfix/main.cf
# service postfix restart

Add the system admin contact email


# vi /root/.forward

Put the administrator's email address in this file; mail addressed to root (cron output, for example) is then forwarded there.


Tripwire Installation


# yum install gcc-c++
# cd /opt/
# tar xjvf /root/Server/tripwire-x.x.x-src.tar.bz2
# cd tripwire-x.x.x-src/
# vi policy/twpol-Linux.txt
Comment out the following entries:
/usr/local/sysinfo
/usr/X11R6/lib
/etc/mail/statistics
/var/lost+found
/cdrom
/floppy
/initrd
/home/lost+found
/etc/sysconfig/hwconf

# ./configure
# make
# make install
# tripwire --init

# cd /root/Server/
# cp tripwire /etc/cron.daily/
# ls -l /etc/cron.daily/
# chmod +x /etc/cron.daily/tripwire

Proxy Configuration


# vi /etc/wgetrc                     // add the proxy, e.g. http_proxy = http://proxy.domainname.com:8080
# vi /etc/profile                    // add the following prompt settings
PS1='\u@\h:\w\$ '
PS2='> '

Stop the iptables services (all firewall rules are kept on the main firewall)


# service iptables stop
# service ip6tables stop
# chkconfig iptables off
# chkconfig ip6tables off

# reboot
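As an added example (not part of the original post), the following POSIX shell audit verifies that the configuration steps above actually ended up on disk. It takes a root prefix so it can be run offline against a constructed directory tree; the function names and the sample file contents (hostnames, addresses) are made up for the example.

```shell
# Added example (not from the original post): verify that the build steps above
# actually landed on disk. $1 is a root prefix ("/" on a real host, a constructed
# tree here) so the audit can be run offline. Prints PASS/FAIL per check and
# returns the number of failures.

# $1 = description, $2 = file, $3 = extended regex an uncommented line must match
check_line() {
    if [ -f "$2" ] && grep -Ev '^[[:space:]]*#' "$2" | grep -Eq "$3"; then
        echo "PASS $1"
    else
        echo "FAIL $1 ($2)"; fails=$((fails + 1))
    fi
}

audit_build() {   # $1 = root prefix
    root="${1%/}"; fails=0
    check_line "resolver has a nameserver"          "$root/etc/resolv.conf"     '^nameserver[[:space:]]+[0-9a-fA-F.:]+'
    check_line "ntp.conf names a time server"       "$root/etc/ntp.conf"        '^server[[:space:]]+[^[:space:]]+'
    check_line "sshd creates home dirs on login"    "$root/etc/pam.d/sshd"      '^session[[:space:]]+required[[:space:]]+pam_mkhomedir\.so'
    check_line "rsyslog forwards to a log server"   "$root/etc/rsyslog.conf"    '^[^[:space:]]+[[:space:]]+@@?[^[:space:]]+'
    check_line "postfix has a relayhost"            "$root/etc/postfix/main.cf" '^relayhost[[:space:]]*=[[:space:]]*[^[:space:]]+'
    check_line "root mail is forwarded to an admin" "$root/root/.forward"       '@'
    if [ -x "$root/etc/cron.daily/tripwire" ]; then echo "PASS tripwire daily check is executable"
    else echo "FAIL tripwire daily check missing or not executable"; fails=$((fails + 1)); fi
    # SELinux is reported, not scored: this guide disables it, which removes MAC confinement.
    sel=$(grep -E '^SELINUX=' "$root/etc/sysconfig/selinux" 2>/dev/null | cut -d= -f2)
    echo "INFO SELinux mode in config: ${sel:-unknown}"
    return $fails
}

# Constructed sample tree (not a real host) holding the files the guide edits.
make_sample_tree() {   # $1 = directory to populate
    r="$1"; mkdir -p "$r/etc/pam.d" "$r/etc/postfix" "$r/etc/sysconfig" "$r/etc/cron.daily" "$r/root"
    echo 'nameserver 10.0.0.53' > "$r/etc/resolv.conf"
    echo 'server time.nist.gov' > "$r/etc/ntp.conf"
    echo 'session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022' > "$r/etc/pam.d/sshd"
    echo '*.* @@loghost.example.com:514' > "$r/etc/rsyslog.conf"
    echo 'relayhost = [10.0.0.25]' > "$r/etc/postfix/main.cf"
    echo 'sysadmin@example.com' > "$r/root/.forward"
    echo 'SELINUX=disabled' > "$r/etc/sysconfig/selinux"
    printf '#!/bin/sh\ntripwire --check\n' > "$r/etc/cron.daily/tripwire"
    chmod +x "$r/etc/cron.daily/tripwire"
}
```

On the real server run audit_build / after the reboot; the exit status is the number of steps still missing.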

Finishing up


You have now successfully hardened and configured a new Linux server.