Tuesday, 18 June 2013

Disable IPv6 in CentOS 6/RHEL 6

In Linux some applications do not support IPv6, and an enabled IPv6 stack can cause problems for them. You can disable IPv6 in RHEL 6 and CentOS 6 by making the following entries.

1. Append the following line at the end of the /etc/sysctl.conf file.

# vi /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1

2. Run sysctl -p to reload the kernel parameters.

3. Append the following lines to the /etc/sysconfig/network file.

# vi /etc/sysconfig/network
IPV6INIT=no
NETWORKING_IPV6=no

4. Reboot the system using the reboot command.
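An added example, not part of the original post, of doing step 1 in a way that can be re-run safely: appending the line by hand every time the runbook is followed leaves duplicate entries in /etc/sysctl.conf, so the function below replaces an existing assignment (even a commented-out one) or appends if none exists. It goes one step beyond the post and also sets net.ipv6.conf.default.disable_ipv6, the value that newly created interfaces inherit. The sample sysctl.conf is constructed for the demonstration; on a real host the edited file is /etc/sysctl.conf and the change is loaded with sysctl -p, exactly as step 2 says.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent sysctl.conf editing.

# set_sysctl_param FILE KEY VALUE: replace any existing (possibly commented)
# assignment of KEY with "KEY = VALUE", or append one if KEY is absent.
set_sysctl_param() {
    file=$1; key=$2; value=$3
    ekey=$(printf '%s' "$key" | sed 's/\./\\./g')      # make the dots literal
    pattern="^[[:space:]]*#*[[:space:]]*$ekey[[:space:]]*="
    if grep -q "$pattern" "$file"; then
        sed "s/$pattern.*/$key = $value/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl_param FILE KEY: print the configured value (last assignment wins).
get_sysctl_param() {
    ekey=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$ekey[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# count_sysctl_lines FILE KEY: number of active (uncommented) assignments of KEY.
count_sysctl_lines() {
    ekey=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -c "^[[:space:]]*$ekey[[:space:]]*=" "$1"
}

# disable_ipv6 FILE: the post's setting for existing interfaces, plus the
# "default" entry that new interfaces take their initial value from.
disable_ipv6() {
    set_sysctl_param "$1" net.ipv6.conf.all.disable_ipv6 1
    set_sysctl_param "$1" net.ipv6.conf.default.disable_ipv6 1
}

# Constructed sample standing in for /etc/sysctl.conf (not a real host's file).
SYSCTL_SAMPLE=$(mktemp)
trap 'rm -f "$SYSCTL_SAMPLE" "$SYSCTL_SAMPLE.tmp"' EXIT
cat > "$SYSCTL_SAMPLE" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.ip_forward = 0
# net.ipv6.conf.all.disable_ipv6 = 0
EOF

disable_ipv6 "$SYSCTL_SAMPLE"
disable_ipv6 "$SYSCTL_SAMPLE"     # a second run must not add duplicate lines
cat "$SYSCTL_SAMPLE"
# On the real host, follow this with:  sysctl -p
```

The commented-out line in the sample is replaced in place rather than left beside a new one, which is what makes the edit reviewable later: one line per key, and grep shows the current value without ambiguity.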

Wednesday, 12 June 2013

Mounting CD and ISO Images in Linux


1. Mounting an ISO image in Linux

ISO stands for International Organization for Standardization, which defined the format of these disk images. A file with the .iso extension contains a disk image. The images of most operating systems come in .iso format and can be downloaded from the Internet.

If you have downloaded an ISO image of Linux or another OS, you typically burn it to a CD/DVD to view its contents. Here we define the steps to mount the ISO image directly on a Linux system instead.

SYNTAX:

# mount -o loop /path/of/iso_file /mount_point

Example:

Run as root user:

# mkdir /mnt/linux_os
# mount -o loop /download/rhel5_x86_64.iso /mnt/linux_os

2. Mounting the CD drive in Linux

Mostly on a Linux system the CD is mounted automatically under /root/Desktop and an icon is displayed on the desktop. Sometimes the CD is not displayed; in that case we have to mount it manually. Here we define the steps to mount a CD on a Linux system.

SYNTAX:

# mount -t iso9660 /dev/cdrom /mount_point

Example:

Run as root user:

# mkdir /mnt/linux
# mount -t iso9660 /dev/cdrom /mnt/linux
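An added example covering both sections above (it is not code from the original post): a wrapper that mounts either an ISO file or a CD device read-only and first checks /proc/mounts so a second run does not stack another mount on a point that is already in use. The nosuid,nodev,noexec options are this example's own choice for media of unknown origin, not something the post specifies. The mounts table is a parameter so the check can be exercised here on a constructed copy; the actual mount call is shown but only runs when mount_media is invoked as root.

```shell
#!/bin/sh
# Added example (not from the original post): read-only media mounting with a
# pre-check against the mounts table.

# is_mounted MOUNTPOINT [TABLE]: exit 0 if MOUNTPOINT is listed as a mount point
# in TABLE (default /proc/mounts). The kernel writes a space in a path as \040,
# so the name is escaped the same way before comparing. The value is passed via
# the environment because awk -v would turn "\040" back into a space.
is_mounted() {
    target=$1; table=${2:-/proc/mounts}
    MP_ESC=$(printf '%s' "$target" | sed 's/ /\\040/g') \
        awk '$2 == ENVIRON["MP_ESC"] { found = 1 } END { exit !found }' "$table"
}

# mount_media SOURCE MOUNTPOINT: SOURCE is an .iso file or a device such as
# /dev/cdrom. Options are read-only plus nosuid,nodev,noexec (example's choice).
mount_media() {
    src=$1; mnt=$2
    opts="ro,nosuid,nodev,noexec"
    [ -f "$src" ] && opts="loop,$opts"      # a plain file needs a loop device
    mkdir -p "$mnt"
    if is_mounted "$mnt"; then
        echo "$mnt is already a mount point; refusing to stack another mount" >&2
        return 1
    fi
    mount -t iso9660 -o "$opts" "$src" "$mnt"
}

# Constructed mounts table in /proc/mounts format (not from a real host).
MOUNTS_SAMPLE=$(mktemp)
trap 'rm -f "$MOUNTS_SAMPLE"' EXIT
cat > "$MOUNTS_SAMPLE" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/loop0 /mnt/linux_os iso9660 ro,nosuid,nodev,noexec 0 0
/dev/sr0 /media/my\040disc iso9660 ro 0 0
EOF

for mp in /mnt/linux_os /mnt/linux "/media/my disc"; do
    if is_mounted "$mp" "$MOUNTS_SAMPLE"; then
        echo "$mp: mounted"
    else
        echo "$mp: not mounted"
    fi
done
# Real use, as root:  mount_media /download/rhel5_x86_64.iso /mnt/linux_os
#                     mount_media /dev/cdrom /mnt/linux
```

Checking the mounts table before calling mount is what keeps the wrapper safe to re-run from a script: a repeated mount on the same directory silently shadows the earlier one, and the pre-check turns that into an explicit error.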



Tuesday, 11 June 2013

Search a String in File in Linux


If you want to search for a particular string in files and display the names of the files that contain it, you can use the following Linux commands.

1. Using the grep command to search for a string recursively

The "grep" command is very useful for searching for a string in the files under a directory.

# grep -r "string" /path/of/directory

If you want to ignore case, use the "-i" option with the grep command.

# grep -ir "string" /path/of/directory

Example:

[root@paragtesting etc]# grep -ir "nameserver" /etc

/etc/jwhois.conf:       # Catch ARIN nameserver records
/etc/rc1.d/K87named:       if [ -z "$named_c_option" ] && [ -r ${ROOTDIR}/etc/named.caching-nameserver.conf ]; then
/etc/rc1.d/K87named:           named_conf='/etc/named.caching-nameserver.conf';
/etc/cron.daily/0logwatch:   print "           (saves  a  nameserver address-to-name lookup).\n";
/etc/rc4.d/K87named:       if [ -z "$named_c_option" ] && [ -r ${ROOTDIR}/etc/named.caching-nameserver.conf ]; then
/etc/rc4.d/K87named:           named_conf='/etc/named.caching-nameserver.conf';
/etc/rc0.d/K87named:       if [ -z "$named_c_option" ] && [ -r ${ROOTDIR}/etc/named.caching-nameserver.conf ]; then
/etc/rc0.d/K87named:           named_conf='/etc/named.caching-nameserver.conf';
/etc/init.d/named:         if [ -z "$named_c_option" ] && [ -r ${ROOTDIR}/etc/named.caching-nameserver.conf ]; then
/etc/init.d/named:             named_conf='/etc/named.caching-nameserver.conf';
/etc/services:nameserver        42/tcp          name            # IEN 116
/etc/services:nameserver        42/udp          name            # IEN 116
The above command displays the file name and the lines in each file that contain "string". If you want to display only the names of the files that contain the string, use the "-l" option with grep.

# grep -lir "string" /path/of/directory

Example:
[root@paragtesting etc]# grep -lr "nameserver" /etc
/etc/jwhois.conf
/etc/rc1.d/K87named
/etc/selinux/targeted/modules/active/file_contexts
/etc/selinux/targeted/modules/active/base.linked
/etc/selinux/targeted/modules/active/base.pp
/etc/selinux/targeted/modules/active/file_contexts.template
/etc/selinux/targeted/contexts/files/file_contexts
/etc/cron.daily/0logwatch
/etc/rc4.d/K87named
/etc/rc0.d/K87named
/etc/init.d/named
/etc/services

2. find command: recursively search all files for a string

The "find" command is recommended because of its speed and its ability to deal with file names that contain spaces. You can use the following commands with find to search all files for a particular string on a Linux system.

i)   find /path/of/dir -type f -exec grep -l "string" {} \;

Example:
[root@arogyadbt etc]# find /etc -type f -exec grep -l "prefer-life-time" {} \;
/etc/dhcp6s.conf

ii)  find /path/of/dir -type f | xargs grep -l "string"

Example:
[root@arogyadbt etc]# find /etc -type f | xargs  grep -l "prefer-life-time"
/etc/dhcp6s.conf

iii) find /path/of/dir -type f -print0 | xargs -0 grep -i "string"

Example:
[root@arogyadbt etc]# find /etc -type f -print0 | xargs -0 grep -i "prefer-life-time"
/etc/dhcp6s.conf:#    prefer-life-time 130;
/etc/dhcp6s.conf:#            prefer-life-time 90;
/etc/dhcp6s.conf:#            prefer-life-time 100;
/etc/dhcp6s.conf:#            prefer-life-time 60;
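An added example, not from the original post, that shows why form iii is the one to prefer over form ii: a constructed directory tree containing a file whose name has spaces is searched with the whitespace-unsafe pipeline and with the NUL-delimited one, and the two report different numbers of matching files. The search string "nameserver" and every file's contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): find | xargs versus
# find -print0 | xargs -0 on file names containing spaces.

# make_sample_tree: build a constructed tree in a temp dir and print its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sub dir"
    printf 'nameserver 10.0.0.53\n' > "$dir/resolv.conf"
    printf '# nothing of interest here\n' > "$dir/hosts"
    printf 'NameServer backup list\n' > "$dir/sub dir/notes with space.txt"
    printf '%s\n' "$dir"
}

# count_matches_unsafe DIR STRING: form ii. xargs splits its input on
# whitespace, so "sub dir/notes with space.txt" arrives at grep as four
# non-existent file names and the real file is never searched (grep's
# "No such file" errors are discarded here so only the count is visible).
count_matches_unsafe() {
    find "$1" -type f | xargs grep -li "$2" 2>/dev/null | wc -l | tr -d ' '
}

# count_matches_safe DIR STRING: form iii. NUL-terminated names survive intact.
count_matches_safe() {
    find "$1" -type f -print0 | xargs -0 grep -li "$2" | wc -l | tr -d ' '
}

SAMPLE_DIR=$(make_sample_tree)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
echo "form ii  (find | xargs):           $(count_matches_unsafe "$SAMPLE_DIR" nameserver) file(s) found"
echo "form iii (find -print0 | xargs -0): $(count_matches_safe "$SAMPLE_DIR" nameserver) file(s) found"
```

Form i (find -exec grep -l "string" {} \;) is also safe with such names, since find passes each path as a single argument; it just starts one grep per file, which is why the xargs -0 form is the usual choice on large trees.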

Monday, 10 June 2013

Linux Integration with Active Directory


Linux systems can authenticate against Windows Active Directory. Here I define the exact steps for configuring Linux servers with Active Directory. I am using "example.com" as the domain name and "dc01.example.com" as the hostname of the Active Directory server.
Follow the steps below to integrate a Linux system with Active Directory. In this scenario the Linux systems will authenticate AD domain users.

1. On the Linux machine, add the AD domain controller to the hosts file so that its name resolves.
#vim /etc/hosts
10.226.1.1 dc01 dc01.example.com

2. Point /etc/resolv.conf at the AD DNS server.
#vim /etc/resolv.conf
search example.com
nameserver 10.226.1.1

3. Configure NTP on the Linux server.
Open /etc/ntp.conf and make the following entries.
#vim /etc/ntp.conf
server 10.226.1.1
restrict 10.226.1.1 mask 255.255.255.255 nomodify notrap noquery

4. Restart the NTP service.
#service ntpd restart
#chkconfig ntpd on

5. Kerberos configuration (/etc/krb5.conf)
Remove all entries in /etc/krb5.conf and add the following entries to this file.

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = dc01.example.com
  admin_server = dc01.example.com
 }

[domain_realm]
 # realm names are case-sensitive: the right-hand side is the upper-case realm
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM

[appdefaults]
 pam = {
  ticket_lifetime    = 36000
  renew_lifetime     = 36000
  forwardable        = true
  proxiable          = false
  retain_after_close = false
  minimum_uid        = 0
  debug              = false
 }

[logging]
 default      = FILE:/var/log/krb5libs.log
 kdc          = FILE:/var/log/kdc.log
 admin_server = FILE:/var/log/kadmind.log

6. Verify your Kerberos configuration by trying to get a Kerberos ticket for an Active Directory user.
# kinit <username>@EXAMPLE.COM
Password for <username>@EXAMPLE.COM:

# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <username>@EXAMPLE.COM

Valid starting     Expires            Service principal
11/07/06 13:58:31  11/07/06 23:58:31  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Note: It is very important that the Kerberos realm is specified in ALL-UPPERCASE characters. After the test, destroy the ticket by running the kdestroy command.
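An added example, not from the original post, that turns the note above into a check you can run before kinit: a small lint for /etc/krb5.conf that reports every realm name that is not upper-case, in default_realm, in the [realms] section names, and on the right-hand side of each [domain_realm] mapping. The two krb5.conf files it is run against here are constructed for the demonstration (one correct, one with the lower-case mistakes); on a real host you would point it at /etc/krb5.conf.

```shell
#!/bin/sh
# Added example (not from the original post): lint realm casing in krb5.conf.

# lint_krb5_conf FILE: print each problem found; exit status = number of problems.
lint_krb5_conf() {
    awk '
        # Track the current [section]; strip the brackets and surrounding space.
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        /^[[:space:]]*$/   { next }          # blank line
        /^[[:space:]]*[#;]/ { next }         # comment
        sec == "libdefaults" && $1 == "default_realm" && $3 != toupper($3) {
            print "default_realm is not upper-case: " $3; n++ }
        sec == "realms" && $2 == "=" && $3 == "{" && $1 != toupper($1) {
            print "realm section name is not upper-case: " $1; n++ }
        sec == "domain_realm" && $2 == "=" && $3 != toupper($3) {
            print "domain_realm maps " $1 " to a lower-case realm: " $3; n++ }
        END { exit n + 0 }
    ' "$1"
}

# Constructed samples (not copied from any host).
KRB5_GOOD=$(mktemp); KRB5_BAD=$(mktemp)
trap 'rm -f "$KRB5_GOOD" "$KRB5_BAD"' EXIT
cat > "$KRB5_GOOD" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = dc01.example.com
  admin_server = dc01.example.com
 }
[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM
EOF
cat > "$KRB5_BAD" <<'EOF'
[libdefaults]
 default_realm = example.com
[realms]
 example.com = {
  kdc = dc01.example.com
 }
[domain_realm]
 example.com = example.com
 .example.com = EXAMPLE.COM
EOF

for f in "$KRB5_GOOD" "$KRB5_BAD"; do
    if lint_krb5_conf "$f"; then
        echo "$f: realm casing OK"
    else
        echo "$f: $? problem(s) found"
    fi
done
```

Hostnames under kdc and admin_server are deliberately left alone: DNS names are case-insensitive and normally lower-case, and only the realm strings need to match the AD realm exactly.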

7. SMB configuration (/etc/samba/smb.conf)
Add the following entries to /etc/samba/smb.conf so that the system communicates with AD using winbind.

[global]

   workgroup = EXAMPLE
   password server = EXAMPLE.COM
   realm = EXAMPLE.COM
   security = ads
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template homedir = /home/%D/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = true
   encrypt passwords = true
   idmap backend = rid
   passdb backend = tdbsam


Comment out all parameters other than these entries.

8. Join the domain
Join the Linux system to the domain using the AD Administrator password.
# net ads join -U Administrator
Administrator's password:

Using short domain name -- EXAMPLE
Joined 'SystemName' to realm 'EXAMPLE.COM'

NOTE: # net ads join -U Administrator -d 10
The above command displays the join procedure in verbose mode (debug level 10).

9. NSSWITCH configuration
Configure the Name Service Switch library by editing /etc/nsswitch.conf. The lines beginning with passwd:, shadow: and group: need to be changed to the following:
passwd:       files winbind
shadow:       files winbind
group:        files winbind
Verify that you can look up single AD users and groups using the getent command as below:

# getent passwd <username>
testuser:x:12580:10000:testuser:/home/DOMAIN/<username>:/bin/bash
 
# getent group <groupname>
<groupname>:x:10222:<username>

If wbinfo -g and wbinfo -u work, but getent passwd <username> and/or getent group <groupname> fail to produce the expected results, the problem is probably in the NSS library rather than in the winbind setup.

10. Restart the winbind service on the Linux server
# /etc/init.d/winbind restart
# chkconfig winbind on

11. Check that the AD integration with Linux is OK.

# net ads testjoin
Join is OK

# wbinfo -t
This tests the trust relationship between the machine and the domain.

# wbinfo -u
wbinfo -u should return a list of users from your domain.

# wbinfo -g
wbinfo -g should return a list of groups from your domain.

12. PAM configuration
The Pluggable Authentication Modules (PAM) subsystem must now be configured to allow users to authenticate against Active Directory. On most Linux distributions the PAM configuration files reside in the directory /etc/pam.d; the file edited here is /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so cached_login use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     required      pam_unix.so

Wednesday, 5 June 2013

Clear Memory Cache on Linux Server

By default the Linux OS has a very efficient memory management process that should free any cached memory on the machine it runs on. However, when it comes to cached memory, the Linux OS may at times decide that the cache is in use and needed, which can lead to memory-related issues and ultimately rob your server of any potentially free memory. To combat this you can force the Linux OS to free up any stored cached memory.

  1. Connect via shell using a program such as PuTTY.
  2. At the shell prompt type crontab -e <enter>, as this allows you to edit the cron jobs for the root user.
    • If you are not familiar with vi (the Linux editor): press "i" to insert text and, once done, hit "esc" and type ":wq" to save the file.
  3. Scroll to the bottom of the cron file using the arrow keys and enter the following line:
     0 * * * * /root/clearcache.sh
  4. Create a file in '/root' called 'clearcache.sh' with the following content:
     #!/bin/sh
     sync; echo 3 > /proc/sys/vm/drop_caches
  5. Once you have saved this file, the job is complete!

Every hour the cron job will run this command and clear any memory cache that has built up.

Disable SELinux in Linux


When you install Linux on your system, SELinux is enabled by default. SELinux is a very useful security feature in Linux, but if you are not aware of how to use it, my advice is to disable it.
SELinux enforces security policies, including the mandatory access controls defined by the US Department of Defense, using the Linux Security Module (LSM) framework in the Linux kernel. Every file and process in the system is tagged with a specific label that SELinux uses. You can use ls -Z to view those labels, as shown below.

[root@paragtesting ~]# ls -Z /etc
drwxr-xr-x  root   root     system_u:object_r:etc_t:s0       acpi
-rw-r--r--  root   root     system_u:object_r:adjtime_t:s0   adjtime
drwxr-xr-x  root   root     system_u:object_r:etc_t:s0       alchemist
-rw-r--r--  root   root     system_u:object_r:etc_aliases_t:s0 aliases
-rw-r-----  root   smmsp    system_u:object_r:etc_aliases_t:s0 aliases.db
drwxr-xr-x  root   root     system_u:object_r:etc_t:s0       alsa
drwxr-xr-x  root   root     system_u:object_r:etc_t:s0       alternatives


To disable SELinux in Linux you can use 4 methods.

Method 1: Disable SELinux Temporarily

To disable SELinux temporarily, modify the /selinux/enforce file as shown below. Please note that this setting is lost when the system reboots.

# cat /selinux/enforce
1

# echo 0 >  /selinux/enforce

# cat /selinux/enforce
0

In Fedora Core and Red Hat Enterprise Linux you can use the setenforce command with a 0 or 1 argument to set permissive or enforcing mode; it is just a slightly easier command than the above.

# setenforce 0


Method 2: Disable SELinux Permanently

The above switches off enforcement only temporarily, until you reboot the system. If you want the system to always start in permissive mode, here is how you do it.
In Fedora Core and Red Hat Enterprise Linux, edit /etc/sysconfig/selinux and you will see some lines like this:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted


... just change SELINUX=enforcing to SELINUX=permissive, and you're done. Reboot if you want to prove it.

Following are the possible values for the SELINUX variable in the /etc/sysconfig/selinux file:
§  enforcing - The security policy is always enforced.
§  permissive - This only simulates the enforcing policy by printing warning messages without actually enforcing SELinux. This is good for first seeing how SELinux works and later figuring out which policies should be enforced.
§  disabled - Completely disables SELinux.

Following are the possible values for the SELINUXTYPE variable in the /etc/sysconfig/selinux file. This indicates the type of policy used by SELinux.
§  targeted - This policy protects only specific targeted network daemons.
§  strict - This is for maximum SELinux protection.

Method 3: Disable SELinux from the GRUB Boot Loader

If you can't locate the /etc/sysconfig/selinux file on your system, you can disable SELinux by passing selinux=0 as a kernel parameter in the GRUB boot loader, as shown below.

[root@paragtesting selinux]# cat /boot/grub/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
#          initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-308.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-308.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet selinux=0
        initrd /initrd-2.6.18-308.el5.img



You can check the status of enforcing mode with the getenforce command.

[root@paragtesting modules]# getenforce
Disabled
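An added example, not from the original post, that reads the two places Methods 2 and 3 edit and reports which mode the host will actually be in after its next reboot. The kernel parameter wins over the file: with selinux=0 on the kernel line the config file's SELINUX= value is irrelevant, so a host whose file still says enforcing can silently come back disabled. File paths are parameters, and the sysconfig and grub.conf files below are constructed for the demonstration rather than read from a live system.

```shell
#!/bin/sh
# Added example (not from the original post): audit the SELinux mode a host
# will boot into, from /etc/sysconfig/selinux and /boot/grub/grub.conf.

# selinux_config_mode FILE: print the SELINUX= value (last assignment wins).
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# grub_selinux_disabled FILE: exit 0 if any kernel line carries selinux=0.
grub_selinux_disabled() {
    grep -Eq '^[[:space:]]*kernel[[:space:]].*[[:space:]]selinux=0([[:space:]]|$)' "$1"
}

# selinux_boot_mode CONFIG GRUB: mode after the next reboot. selinux=0 on the
# kernel line means no policy is ever loaded, whatever the config file says.
selinux_boot_mode() {
    if grub_selinux_disabled "$2"; then
        echo disabled
    else
        mode=$(selinux_config_mode "$1")
        echo "${mode:-unknown}"
    fi
}

# audit_selinux CONFIG GRUB: print both views; exit 1 when they disagree.
audit_selinux() {
    cfg_mode=$(selinux_config_mode "$1")
    boot_mode=$(selinux_boot_mode "$1" "$2")
    echo "config file: ${cfg_mode:-unset}   after reboot: $boot_mode"
    [ "${cfg_mode:-unset}" = "$boot_mode" ]
}

# Constructed samples (not from a real host).
CFG_ENFORCING=$(mktemp); CFG_PERMISSIVE=$(mktemp)
GRUB_PLAIN=$(mktemp); GRUB_DISABLED=$(mktemp)
trap 'rm -f "$CFG_ENFORCING" "$CFG_PERMISSIVE" "$GRUB_PLAIN" "$GRUB_DISABLED"' EXIT
cat > "$CFG_ENFORCING" <<'EOF'
# constructed /etc/sysconfig/selinux
# SELINUX= can take one of these three values:
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
sed 's/^SELINUX=enforcing$/SELINUX=permissive/' "$CFG_ENFORCING" > "$CFG_PERMISSIVE"
cat > "$GRUB_PLAIN" <<'EOF'
# constructed grub.conf fragment
default=0
title Red Hat Enterprise Linux Server (2.6.18-308.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-308.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.18-308.el5.img
EOF
sed 's/rhgb quiet$/rhgb quiet selinux=0/' "$GRUB_PLAIN" > "$GRUB_DISABLED"

echo "enforcing config + selinux=0 kernel line:"
audit_selinux "$CFG_ENFORCING" "$GRUB_DISABLED" || echo "  -> drift: the file no longer describes what the host will run"
echo "permissive config + plain kernel line:"
audit_selinux "$CFG_PERMISSIVE" "$GRUB_PLAIN" || echo "  -> drift"
```

On a live host the running mode (getenforce, as shown above) is a third view; comparing it with the two persisted ones tells you whether a change made with setenforce or echo 0 > /selinux/enforce will survive the next reboot.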