
DNS

Forwarder  is a pointer that tells the server where to look and query for anything it cannot resolve itself
– ISP DNS server
○ The next link in the chain is then the Root Hint Servers (there are 13 of these)
○ root-servers.org
○ Starts at the TLDs (.com, .edu, .net) and works all the way back down through the list
BIND
– Berkeley Internet Name Domain
– named  the named daemon (on Linux)
– named.conf
– .zone files are the zones you have created (e.g. example.com.zone)
– need both a forward and a reverse zone set up
– /var/named/chroot/etc
– the localtime file needs to be protected, as does the key file
○ a reverse zone is good to have so that log files show names instead of just IPs
○ main config file that is to be used
○ need to have a forward lookup zone
 this zone resolves name to IP
 a reverse lookup zone resolves IP to name
– dig
○ can request a zone transfer
 takes the forward lookup zone and transfers it to another machine (the secondary)
 the dig command can give you servers, machines, all records (an A record is a host record)
 NS shows you the name server
 CNAME = alias
 people use CNAMEs instead of a new A record just for ease of access
 MX record is for the mail exchange servers
 PTR records are pointer records for the A records (reverse lookup function)
 http://en.wikipedia.org/wiki/List_of_DNS_record_types
 SRV records (Microsoft creates these for you automatically for Active Directory)
○ lookup host records
– updating the DNS records dynamically
○ Windows defaults to this being on
 DHCP clients will update the DNS records
○ Linux has more steps
 need to edit the DNS config file
 ddns
– named.conf file  starting point to help edit this file
○ listen-on port can be different (e.g. 53)
○ allow-update (who you want to allow updates from)  this could be whole subnets (or just a single server can be listed)
○ need to set up our zone (very end of the config file)
○ zone "group3.com" {
      type master;
      file "/var/named/db.instructor.com";   // this is a flat text file, you want this set to named
         • look at named.conf for the file location
         • the file needs to be filled out specifically
  };
○ zone "254.10.10.in-addr.arpa" {
      type master;
      file "/var/named/db.10.10.254.rev";    // this is your reverse lookup zone
         • this is also a flat text file that needs to be created and edited
  };
– just type hostname on your box and you will get your DNS name record

More DNS

insert an IP address
ifconfig eth0 10.10.10.10 netmask 255.255.255.0
ifconfig to verify
need to edit the following:
/etc/named.conf (main config file that needs to be configured)
/var/named/<forward zone>
/var/named/<reverse lookup zone>
..more on paper

cd /var/named
nano 10.10.10.0.forward.zone
– first line must contain the start of authority
○ cpt224.com.      IN SOA   ns1. webmaster.cpt224.com. (
                       200901881
                       10800
                       650
                       3800 )
  cpt224.com.      IN NS    ns1.
  ns1.cpt224.com.  IN A     10.10.10.10        ; <host records>
  www              IN CNAME ns1.cpt224.com.    ; <name server is the web server>
  <could insert more host records>

create reverse zone (IP to name)

nano 10.10.10.0-reverse.zone
----config is the same

10.10.10.in-addr.arpa.     IN SOA ns1. webmaster.cpt224.com. (   ; <start of authority, address reversed>
                               2009021801
                               38400
                               5600
                               5000
                               4350 )
10.10.10.in-addr.arpa.     IN NS  ns1.                            ; <name server>
10.10.10.10.in-addr.arpa.  IN PTR ns1.cpt224.com.                 ; <PTR records for the A records>

/etc/resolv.conf
put in your name servers here
nameserver <ip>
2 zones are now created

cd /etc/

nano named.conf
has the config information you need to toggle for the zones to work right

on
listen-on port 53: enter the IP address of the DNS server
listen-on port 53 { 10.10.10.10; };
allow-query { 10.10.10.0/24; };

need to add the zones to the named.conf file

zone "cpt224.com" {                              // name of the domain
    type master;
    file "/var/named/10.10.10.0-forward.zone";   // don't need to list the full file path since the directory is already set
};
zone "10.10.10.in-addr.arpa" {                   // the other zone: reverse
    type master;
    file "/var/named/10.10.10.0-reverse.zone";
};

every single zone needs to be put in this file (may need a slave)

now need to start/restart the service

/etc/init.d/named status
service named start

<errors>

###after the zones are set up you need to set up the zone transfer list and allow a specific server to transfer zones. right click on the DNS and allow a transferable master server

##check the /etc/resolv

on the primary DNS server you need to

– go to the zones
– /var/named
– add these 4 lines to the forward zone
○ _ldap._tcp.instructor.com. IN SRV 0 0 389 ns2.instructor.com. (ns2.instructor.com is the win2k3 server, the secondary DNS server)
○ _kerberos._tcp.instructor.com. IN SRV 0 0 88 ns2.instructor.com.
○ _ldap._tcp.dc._msdcs.instructor.com. IN SRV 0 0 389 ns2.instructor.com.
○ _kerberos._tcp.dc._msdcs.instructor.com. IN SRV 0 0 88 ns2.instructor.com.

Jailing
– confine people to a certain area
– creates a false root (can be used with ftp; changing directories out of it wouldn't work that way)
– want a jail in a certain directory
○ mkdir myjail (recommend chroot/named/)
○ cd myjail
○ need to trick the user by recreating the file system
○ sudo mkdir var etc lib usr bin sbin ...
○ can also use the command "which"
 tells you where that command is located, and so what to copy
○ now that you have the dependencies you need to create the files
○ when copying the file you should use -p to preserve the permissions of the files
○ sudo cp -p /bin/bash bin/
 this is the executable only
○ sudo ldd /bin/bash
 now need to put these library files in your jail
○ sudo cp -p /lib/libtinfo.so.5 lib/
 now do this for the other ones
○ ldd /bin/pwd
 some libraries may be shared between the commands
○ sudo chroot myjail/
 now you have a command prompt in your jailed folder
○ sudo cp /etc/passwd myjail/etc (would want to make this up yourself and delete the accounts you don't need in there)
○ should do this for every service that you are running
○ need root privileges to get out of the jail, but
 run in the jail as a non-root user: if you run as root and have root privs you can get out
 restrict
 make sure that root owns as many of the files as possible
○ can all be scripted by jailkit (ccdc)
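The mkdir / which / ldd / cp -p / chroot sequence above is exactly the kind of thing to script, as the jailkit remark says. As an added example (not from the notes or from jailkit), here is a Python version that parses ldd output, copies each binary and its libraries into the jail with permissions preserved, and refuses to build a jail with an unresolved library. The ldd text and library paths are constructed for the example; build_jail needs a real Linux host with ldd and must run as root.

```python
import os
import re
import shutil
import subprocess

# Constructed ldd output, in the shape `ldd /bin/bash` prints (hypothetical paths).
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd4b5f0000)
\tlibtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f3c2a000000)
\tlibdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f3c29e00000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c29a00000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f3c2a400000)
"""

# "name => /path (0xaddr)" for normal libraries; the dynamic loader appears as
# a bare "/path (0xaddr)"; the vDSO has no file on disk and must be skipped.
LIB_LINE = re.compile(r"^\s*(?:\S+\s+=>\s+)?(/\S+)\s+\(0x[0-9a-f]+\)\s*$")

def parse_ldd(output):
    """Absolute paths of every shared object a binary needs, loader included."""
    paths = []
    for line in output.splitlines():
        if "not found" in line:            # a missing library would also fail inside the jail
            raise ValueError(f"unresolved dependency: {line.strip()}")
        m = LIB_LINE.match(line)
        if m:
            paths.append(m.group(1))
    return paths

def jail_path(jail, src):
    """Where /lib/x/libc.so.6 lands inside the jail: <jail>/lib/x/libc.so.6."""
    return os.path.join(jail, src.lstrip("/"))

def copy_into_jail(jail, src):
    """cp -p equivalent: keep mode and timestamps, recreate the directory tree,
    and copy the real file rather than a symlink that would dangle in the jail."""
    dst = jail_path(jail, src)
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    shutil.copy2(src, dst, follow_symlinks=True)
    return dst

def build_jail(jail, binaries):
    """Create the skeleton and copy each binary plus its ldd dependencies.
    Libraries shared between commands (bash, pwd, ...) are copied once.
    Run the jailed service as a non-root user; keep root as owner of the files."""
    for d in ("bin", "etc", "lib", "lib64", "usr", "var"):
        os.makedirs(os.path.join(jail, d), exist_ok=True)
    copied = set()
    for binary in binaries:
        ldd = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True)
        for path in [binary, *parse_ldd(ldd.stdout)]:
            if path not in copied:
                copy_into_jail(jail, path)
                copied.add(path)
    return sorted(copied)
```

build_jail("/chroot/named", ["/bin/bash", "/bin/pwd"]) reproduces the manual steps; /etc/passwd and the service's own config files still have to be added by hand, trimmed as the notes say.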

DHCP

can be set up through webmin

scope is the range of IP addresses that can be given out

– with a given netmask to specify the range
– default gateway
– can add DNS information
○ we would have to for the reverse and forward lookups
– domain name
– can set up reservations
○ statically sets the address using the MAC address of that machine
– can set up exclusions
○ never gives out those set addresses
– to find an address to give out it will ping the address before handing it out
○ also uses aging/leasing to find out what is available
– halfway through the lease time it will renew the lease
– 8 hours is decent
○ normal workday
– in a Windows client you can tick a checkbox for Windows to update its host record when the IP changes
– Linux has a client that can also do this (update the A record)
– dhcp daemon
○ dhcpd.conf
○ /etc/init.d/dhcpd start
○ reads the new configuration from the conf file
○ max lease time is for when the machine did not ask for a renewal, so the max is actually how long the lease stays reserved
– edit the /etc/dhcpd.conf file
○ get a sample dhcp config file
○ must have an interface on that subnet for the dhcp server to run
○ /etc/init.d/dhcp3-server restart
○ /etc/dhcp3/dhcpd.conf file

apt-get install dhcp3

after installing the dhcp3 server we had to edit the configuration

– nano /etc/dhcp3/dhcpd.conf
– edited the file as shown in the picture
– after the file was edited the server was restarted with
– /etc/init.d/dhcp3-server restart

ssh

rpm -q openssh (comes installed by default on the Fedora box)

to check and see if it is running you can do a

ps aux | grep sshd

*some services may not start up automatically

chkconfig (allows you to start services automatically)

– chkconfig named on (turns on automatically)

ls /etc/ssh
– ssh config files
○ settings for the host
– sshd_config file is for the server
○ can change the port to help secure ssh
○ listenaddress = where it will listen for connections (defaults to listening on every address)
○ can also specify what keys to use
○ login grace time (how long to log in before getting kicked out)
○ permit root login (not a great idea for security)
○ max number of authentication tries (max before getting kicked)
○ x11 forwarding (tunnels some graphical applications through ssh)
○ there is a banner field, you can enter it here
○ can log in as a specific user with ssh <user>@<ip>
– ssh_config file is the client side configuration
– not a bad idea to jail ssh (ssh also supports secure ftp, so this could be a risk in itself)
– both host keys are stored on the host
○ /etc/ssh/ssh_host_rsa_key.pub

– besides freeSSHd for Windows you can use OpenSSH with cygwin.com to emulate a Linux environment and get ssh to work right with it

/etc/init.d/ssh restart (restarts the sshd server)

apt-get install sshd

nano /etc/ssh/sshd_config

ssh-keygen -t rsa -b 2048

do this for every user you want to log in as
create a passphrase

this generates the pub and priv keys

they need to be stored in the .ssh folder in the user's home directory (auto created)
-.pub is the public key file
-then in the sshd_config file
-ssh looks for the .ssh/authorized_keys file
cp id_rsa.pub authorized_keys

now on the Windows machine you need to copy down the private key (that's what is used to identify you) to the Windows box

need to convert the key to a PuTTY formatted private key

-use PuTTYgen
-file, load private key, enter the passphrase, need to resave it out
-need to open up PuTTY
-under connection, ssh, auth: insert the private key, check session and enter in the username and port number

same thing as with cygwin

need to uncomment the key auth line in the ssh config file
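The sshd_config bullets above list the directives worth changing (port, root login, grace time, auth tries, X11, banner) and the key setup ends with uncommenting key authentication. As an added example (not from the notes), this Python checker parses an sshd_config the way sshd reads it (first occurrence of a directive wins, comments ignored, Match blocks not applied globally) and reports the weak or still-commented settings. The sample config is constructed, and the thresholds in CHECKS (3 tries, 60 seconds) are this example's own choices, not values from the notes.

```python
import re

# Constructed sshd_config excerpt with the defaults the notes warn about.
SAMPLE_SSHD_CONFIG = """\
#Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
#PubkeyAuthentication yes
MaxAuthTries 6
LoginGraceTime 2m
X11Forwarding yes
#Banner none
"""

def parse_time(value):
    """sshd time values: bare seconds or a number with an s/m/h suffix."""
    m = re.fullmatch(r"(\d+)([smh]?)", value.lower())
    if not m:
        raise ValueError(f"bad time value: {value}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[m.group(2)]

def parse_sshd_config(text):
    """Effective global settings (first occurrence wins, comments skipped, stops at Match)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

# directive -> (accepts(value), finding); thresholds are this example's assumptions
CHECKS = {
    "permitrootlogin": (lambda v: v == "no", "PermitRootLogin should be no"),
    "pubkeyauthentication": (lambda v: v == "yes", "enable key authentication"),
    "maxauthtries": (lambda v: v.isdigit() and int(v) <= 3, "MaxAuthTries should be 3 or fewer"),
    "logingracetime": (lambda v: parse_time(v) <= 60, "LoginGraceTime should be 60s or less"),
    "x11forwarding": (lambda v: v == "no", "X11Forwarding should be off unless needed"),
    "banner": (lambda v: v != "none", "set a login Banner"),
}

def audit_sshd_config(text):
    """Weak or unset directives as (directive, value or None, finding); unset keeps the compiled-in default."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (ok, why) in CHECKS.items():
        value = settings.get(key)
        if value is None:
            findings.append((key, None, f"{why} (not set; compiled-in default applies)"))
        elif not ok(value.lower()):
            findings.append((key, value, why))
    return findings
```

A commented-out line like "#PubkeyAuthentication yes" only documents the default; the checker reports it as unset so you remember to uncomment it, as the last step above says.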

NTP client

ntpdate <server address>

sets the client's clock from the server address

IIS - Internet Information Services

provides support for FTP and web services

sometimes requires ASP.NET for some web hosting files

under the IIS control panel (has its own control panel)

– can manage multiple things off of the web server
– comes standard with the default web site
○ comes up with a page under construction
– IIS*.htm (default page to load by default)
– right click on the (local computer), then click on all tasks, then restart IIS
– https assumes port 443 for SSL
– under the performance tab you can rate limit the bandwidth upstreamed/hogged
○ website connections can also be limited
– home directory tab (selects where your web page files are stored; need to change this for security)
○ can also set the permissions on what they can do
– under the documents tab you can select the order of which webpage to load first on the server (which one to look for first)
– custom errors
○ common error messages
○ can edit these errors to customize them
– directory security (can edit who accesses the website)
○ anonymous people can access this
○ a default user is created by default, IUSR, that is the anonymous user
 if turned off people have to authenticate to use the webpage
 digest authentication is like the cisco webpage
• people who are using it on the intranet can access it locally
• any external users need to be authenticated to be able to use the webpage
– under secure communications under the directory security tab you can select to require SSL
– some webpages do not and others do require the www ..setting somewhere?

Web site and blog creation

XAMPP and

wordpress
phpnuke
junebug/joomblah
noodle
--all similar to drupal

after unraring xampp

click on the setup_xampp.bat file to install

now the control center is here

xampp-control.exe

click on that for the control console

now you can start apache just by clicking start === /etc/init.d/httpd start in linux or service httpd start

now you should have

http://127.0.0.1/xampp/splash.php on your local machine

can click on your language to see notes

if done in Fedora it is very similar

– can now change the content

-can't do SSL right away from a Linux box
with apache the config files (same for Linux and Windows)
– httpd.conf
○ main config file for apache
○ located in the xampp folder, apache, conf, file httpd.conf
○ use wordpad to edit this
– webpage and content is located in /var/www
– /etc/httpd/conf in Linux
– same file name, same contents

-if any changes are made you need to restart the service to apply the changes

now that we have drupal pulled down, cut it and paste it

C:\MY_cm_website\xampp\htdocs there
– drupal uses mysql to store content information
– so need to configure that as well
E:\Classes\Server Integration\Apache_Stuff\drupal-6.9
INSTALL.mysql.txt
tells you how to do this

– don't need apache to get mysql to work but it needs a package that is included
– start mysql
– now in cmd prompt
– go here C:\MY_cm_website\xampp\mysql\bin
○ now type
 mysqladmin -u root create drupaldb
 xampp does not have a root password
 not the same root user as the linux system
• root user for the mysql database
 this creates the database
○ give permission on a database to a user
 give some users permission to that database
• mysql -u root
• now type mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON drupaldb.* TO 'cisco'@'localhost' IDENTIFIED BY 'cisco2009';
• Query OK, 0 rows affected (0.03 sec)
○ GRANT tells what to do
○ type quit
 now need to edit the httpd.conf file
– DocumentRoot "C:/MY_cm_website/xampp/htdocs/drupal"

• restart apache and now you have drupal running
 now need to go to
 C:\MY_cm_website\xampp\htdocs\drupal\sites\default
 make two copies of
• this file default.settings.php
• change the copied file
○ rename to settings.php
○ now click try again on the webpage

to install apache in ubuntu you need

-apt-get install apache2
apt-get install mysql-server

---mysql-client-5.0
---mysql-server-5.0
installed
---server root password is group3pwnsu

could wget http://superb-west.dl.sourceforge.net/sourceforge/xampp/xampp-linux-1.7.tar.gz

need to apt-get this

http://voxel.dl.sourceforge.net/sourceforge/xampp/lampp-1.1.tar.gz
Joomla (runs on apache and hosts two websites under one webserver)

under the httpd.conf file

----under document root it is pointing to xampp/htdocs --- both drupal and joomla are there (each in separate folders)

– in that file toward the bottom there is a # Virtual hosts
○ then include conf/extra/httpd-vhosts
– can create 2 types of hosts, name or IP based
○ our package only does name based
– under the virtual hosts file you can use
○ <VirtualHost *:80>
 ServerAdmin
○ check the reference sheet for the rest
– now you have to enable NameVirtualHost *:80

– now you need a way to resolve the name to an IP address

– can use a local type of resolution for this

○ edit the hosts file to

 127.0.0.1 site1drupal
 127.0.0.1 site2drupal
• these are the names from the vhosts file
– Now doing this on my own
○ need to shut off apache and keep mysql running
○ need to create a database for joomla
 open up a command prompt and then
• C:\MY_cm_website\xampp\mysql\bin go here
• type mysqladmin -u root create joomlabd
• also can refer to documentation to help configure this
• refer to the tutorial paper that is already printed out

to create the CNAME for apache

apache IN CNAME <dns host record for the fedora server FQDN>

Certificates

stuff to do
----
ubuntu
---install apache
-----new labs are on webct
------each needs to install a 2k3 server – rich needs to do an enterprise root CA, the others are subordinate (lab 7 setup); also install IIS on the subordinates (name them win2k3-X)
------------have main DC with secure web server running
------service locator records are created on the server by default when you promote the machine (if it is a secondary zone then it is read-only without the SRV records – can't join a PC to the domain)
---------so need to do this for the fedora box


– now for the zone file itself, since the global records are not set up yet; it needs this:

$TTL 38400
group3.com.               IN SOA  group3-Fedora10. fake.fake.com. (
                              1232999249
                              10800
                              3600
                              604800
                              38400 )
group3.com.               IN NS   group3-Fedora10.
Win2k3.group3.com.        IN A    10.10.3.150
Win2k3-2.group3.com.      IN A    10.10.3.152
Win2k3-3.group3.com.      IN A    10.10.3.153
Win2k3-4.group3.com.      IN A    10.10.3.154
Win2k3-5.group3.com.      IN A    10.10.3.155
Ubuntu.group3.com.        IN A    10.10.3.200
WinXP.group3.com.         IN A    10.10.3.10
Kubuntu.group3.com.       IN A    10.10.3.11
Fedora10.group3.com.      IN A    10.10.3.100
www.group3.com.           IN A    10.10.3.200
mail.group3.com.          IN MX   1 Fedora10.group3.com.   ; MX must name a host, not an IP (10.10.3.100 is Fedora10 above)

_ldap._tcp.group3.com.               IN SRV 0 0 389  Win2k3.group3.com.
_kerberos._tcp.group3.com.           IN SRV 0 0 88   Win2k3.group3.com.
_ldap._tcp.dc._msdcs.group3.com.     IN SRV 0 0 389  Win2k3.group3.com.
_kerberos._udp.group3.com.           IN SRV 0 0 88   Win2k3.group3.com.
_kerberos._tcp.dc._msdcs.group3.com. IN SRV 0 0 88   Win2k3.group3.com.
_kpasswd._tcp.group3.com.            IN SRV 0 0 464  Win2k3.group3.com.
_kpasswd._udp.group3.com.            IN SRV 0 0 464  Win2k3.group3.com.
_ldap._tcp.gc._msdcs.group3.com.     IN SRV 0 0 3268 Win2k3.group3.com.
_gc._tcp.group3.com.                 IN SRV 0 0 3268 Win2k3.group3.com.
apache on ubuntu ------check the pdf file in the config file

– /var/www/index.html file for ubuntu
