DNS

- DNS forwarder: where the server sends any query it cannot resolve itself, typically the ISP's DNS server
- if there is no forwarder, the next link in the chain is the root hint servers (13 root server addresses; see root-servers.org)
  - resolution walks down from the root: root servers -> TLD servers (.com, .edu, .net) -> the domain's own authoritative name servers
- BIND = Berkeley Internet Name Domain; the daemon on Linux is named
  - main config file: named.conf
  - .zone files are the zones you have created (e.g. example.com.zone); each domain needs a forward zone and a reverse zone
  - a chrooted install keeps its config under /var/named/chroot/etc; the localtime file and the key file in there need their permissions protected as well
  - a reverse zone is worth having so that log files show names instead of bare addresses
- zone types
  - forward lookup zone: resolves name -> IP
  - reverse lookup zone: resolves IP -> name
- dig
  - can request a zone transfer (AXFR), which is how the forward zone is copied to another machine (the secondary); it can also show every record type the server holds
- record types (http://en.wikipedia.org/wiki/List_of_DNS_record_types)
  - A record = host record (name -> IPv4 address)
  - NS = the name server for the zone
  - CNAME = alias; people use a CNAME instead of a second A record for the same host, for ease of access
  - MX = mail exchange server
  - PTR = pointer record, IP -> name (the reverse lookup); it should point at the host name, not at a CNAME
  - SRV = service locator record (Windows creates these automatically for Active Directory)
- dynamic DNS (updating host records dynamically)
  - Windows defaults to this being on: DHCP clients update their own DNS records
  - Linux takes more steps: the DNS config file has to allow the updates (ddns)

named.conf (starting point for editing this file)

- options
  - listen-on port: can be something other than 53 (e.g. listen-on port 53 { <ip>; };)
  - allow-update: who you allow dynamic updates from; this can be whole subnets or just a single listed server (the shorter the list the better)
- the zones go at the very end of the config file
- forward zone:

    zone "group3.com" {
        type master;
        file "/var/named/db.instructor.com";   // flat text file; you want it owned by named
    };

  - look at named.conf for the file location; the zone file itself has to be filled out in zone-file format
- reverse zone:

    zone "254.10.10.in-addr.arpa" {
        type master;
        file "/var/named/db.10.10.254.rev";    // reverse lookup zone; also a flat text file you create and edit
    };

- typing hostname on your box gives you the name to use for its DNS host record

More DNS (building the zones)

- give the box an address: ifconfig eth0 <ip> netmask <mask>, then ifconfig to verify
- files that need editing:
  - /etc/named.conf (main config file)
  - /var/named/<forward zone>
  - /var/named/<reverse lookup zone>
  - (more on paper)
- forward zone: cd /var/named, then nano <forward zone>; the first record must be the start of authority (SOA):

    $TTL <ttl>
    cpt224.com.         IN SOA   ns1.cpt224.com. webmaster.cpt224.com. (
                                 200901881   ; serial
                                 10800       ; refresh
                                 650         ; retry
                                 3800        ; expire
                                 <minimum> ) ; negative-cache TTL (fifth value, not captured in the notes)
    cpt224.com.         IN NS    ns1.cpt224.com.
    ; host records
    ns1.cpt224.com.     IN A     <ip>        ; the name server is also the web server
    www                 IN CNAME ns1.cpt224.com.
    ; more host records can be inserted here

  - names that are not fully qualified need the trailing dot or they get the zone name appended (ns1.cpt224.com without the dot becomes ns1.cpt224.com.cpt224.com)
- next create the reverse zone (ip -> name)

- reverse zone: nano <reverse lookup zone>; the config is the same, with the start of authority named after the network address reversed:

    $TTL <ttl>
    10.10.10.in-addr.arpa.  IN SOA  ns1.cpt224.com. webmaster.cpt224.com. (
                                    2009021801  ; serial
                                    38400       ; refresh
                                    5600        ; retry
                                    5000        ; expire
                                    4350 )      ; minimum
    10.10.10.in-addr.arpa.  IN NS   ns1.cpt224.com.
    ; one PTR record for each A record; the owner name is the last octet of the host's address
    <last octet>            IN PTR  ns1.cpt224.com.

- /etc/resolv.conf: put your name servers here, one per line: nameserver <ip>
- the two zones are now created; cd /etc and nano named.conf, which holds the config information that has to be set for the zones to work:

    options {
        listen-on port 53 { <ip of the DNS server>; };
        allow-query { <who may query>; };
    };

    zone "cpt224.com" {                // name of the domain
        type master;
        file "<forward zone file>";    // no full path needed, the directory option already points at /var/named
    };

    zone "10.10.10.in-addr.arpa" {     // the other zone, reverse
        type master;
        file "<reverse zone file>";
    };

  - every single zone has to be put in this file (a secondary needs matching type slave entries)
- now start/restart the service: /etc/init.d/named status, then


    service named start    (read any errors it prints before going on)

Zone transfers and AD service records

- after the zones are set up you need to set up the zone transfer list and allow only specific servers to transfer the zone; on the Windows DNS side, right-click the zone and allow the master server that is permitted to transfer it
- check /etc/resolv.conf on the primary DNS server
- on the primary DNS server go to the zones (/var/named) and add these 4 lines to the forward zone (ns2.instructor.com is the win2k3 server, the secondary DNS server):

    _ldap._tcp.instructor.com.               IN SRV 0 0 389 ns2.instructor.com.
    _kerberos._tcp.instructor.com.           IN SRV 0 0 88  ns2.instructor.com.
    _ldap._tcp.dc._msdcs.instructor.com.     IN SRV 0 0 389 ns2.instructor.com.
    _kerberos._tcp.dc._msdcs.instructor.com. IN SRV 0 0 88  ns2.instructor.com.
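The named.conf and zone files above, put together as an added example (this is not from the course notes): the script writes a named.conf that answers queries for anyone but only lets the named secondary pull a zone transfer, refuses dynamic updates and recursion, then writes the forward and reverse zones for cpt224.com and runs named-checkconf / named-checkzone when BIND's tools are installed. The addresses (ns1 10.10.10.1, ns2 10.10.10.2), the SOA timers and the serial scheme are assumptions, not values from the notes.

```shell
#!/bin/sh
# Added example, not from the course notes: build a locked-down BIND config
# plus forward/reverse zones and validate them with BIND's own checkers.
# Assumed: zone cpt224.com, ns1 = 10.10.10.1 (this box), ns2 = 10.10.10.2.

# 10.10.10.0 -> 10.10.10.in-addr.arpa (reverse zone name for a /24)
rev_zone() { echo "$1" | awk -F. '{ print $3"."$2"."$1".in-addr.arpa" }'; }

# 10.10.10.5 -> 5.10.10.10.in-addr.arpa. (owner name of that host's PTR record)
ptr_name() { echo "$1" | awk -F. '{ print $4"."$3"."$2"."$1".in-addr.arpa." }'; }

# YYYYMMDDnn serial; bump it on every change or the secondary never pulls the new copy.
serial() { echo "$(date +%Y%m%d)01"; }

write_named_conf() {    # $1=outfile $2=dir $3=listen ip $4=secondary ip $5=zone $6=rev zone
    cat > "$1" <<EOF
options {
    directory "$2";
    listen-on port 53 { $3; };
    allow-query { any; };
    allow-transfer { $4; };   // only the secondary may AXFR; "any" hands the whole zone to anyone
    allow-update { none; };   // no dynamic updates unless a TSIG key is configured
    recursion no;             // authoritative only, not an open resolver
};
zone "$5" { type master; file "db.$5"; };
zone "$6" { type master; file "db.$6"; };
EOF
}

write_forward_zone() {  # $1=outfile $2=zone $3=ns1 ip $4=ns2 ip
    cat > "$1" <<EOF
\$TTL 38400
$2.   IN SOA ns1.$2. webmaster.$2. ( $(serial) 10800 3600 604800 38400 )
$2.   IN NS  ns1.$2.
$2.   IN NS  ns2.$2.
ns1   IN A   $3
ns2   IN A   $4
www   IN CNAME ns1
EOF
}

write_reverse_zone() {  # $1=outfile $2=zone $3=rev zone $4=ns1 ip $5=ns2 ip
    cat > "$1" <<EOF
\$TTL 38400
$3.   IN SOA ns1.$2. webmaster.$2. ( $(serial) 10800 3600 604800 38400 )
$3.   IN NS  ns1.$2.
$(ptr_name "$4")   IN PTR ns1.$2.
$(ptr_name "$5")   IN PTR ns2.$2.
EOF
}

# Run BIND's checkers if installed; a missing tool is "skipped", not a failure.
check_all() {           # $1=dir $2=zone $3=rev zone
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1/named.conf" || return 1
    fi
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$2" "$1/db.$2" || return 1
        named-checkzone "$3" "$1/db.$3" || return 1
    fi
    return 0
}

build_dns() {           # $1=output directory (use /var/named on the real box)
    zone=cpt224.com; rz=$(rev_zone 10.10.10.0)
    write_named_conf "$1/named.conf" "$1" 10.10.10.1 10.10.10.2 "$zone" "$rz"
    write_forward_zone "$1/db.$zone" "$zone" 10.10.10.1 10.10.10.2
    write_reverse_zone "$1/db.$rz" "$zone" "$rz" 10.10.10.1 10.10.10.2
    check_all "$1" "$zone" "$rz"
}

build_dns "$(mktemp -d)" && echo "config and zones check out"
# Once deployed: "dig @10.10.10.1 cpt224.com AXFR" should work from ns2 and be
# refused from any other host; that refusal is the check that allow-transfer took.
```

The AXFR check at the end is the one to repeat after every config change: an open transfer lists every host in the zone to anyone who asks.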

Jailing (chroot)

- confines people and processes to a certain directory by giving them a false root; used with ftp, for example (changing directory above the jail does not work)
- build the jail in its own directory:
  - mkdir myjail (for BIND the recommended place is /var/named/chroot)
  - cd myjail
  - the user has to be tricked with a copy of the file system layout: sudo mkdir var etc lib usr bin sbin ...
  - which <command> tells you where a command lives so you can copy it
  - copy files with -p to preserve their permissions: sudo cp -p /bin/bash bin/
  - that is only the executable; sudo ldd /bin/bash lists the shared libraries it depends on, and each one has to be put in the jail as well, e.g. sudo cp -p /lib/libtinfo.so.5 lib/
  - now do the same for the other commands (ldd /bin/pwd ...); some libraries are shared between commands and only need copying once
  - sudo chroot myjail/ now gives you a command prompt inside the jailed folder
  - sudo cp /etc/passwd myjail/etc, then make it up yourself: delete every account that is not needed in there
- should be done for every service you are running
- the jail only holds if the process inside runs as a non-root user: getting out of a chroot needs root privileges, so anything running as root with root privs inside the jail can get out
- restrict it further: make sure root owns all the files in the jail wherever possible
- it can all be scripted; jailkit does this for you (CCDC)
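The jail-building steps above, scripted as an added example (this is not from the notes and not jailkit's code): it copies each program plus the libraries ldd reports, writes a minimal passwd, gives everything to root with no group/world write, and then counts the two things that defeat a jail, setuid/setgid binaries and writable files. The jailed user name, its uid and the choice of sh and ls as the programs are assumptions; the script assumes a glibc- or musl-style ldd output.

```shell
#!/bin/sh
# Added example, not from the course notes: build a minimal chroot jail for a
# list of programs and audit it for the mistakes that let a jailed user escape.
# Assumed: ldd prints "lib => /path (0x..)" or "/path (0x..)" lines.

# Resolve a program name to the file on disk (command -v reports shell builtins
# like pwd by name only, so search PATH by hand).
find_bin() {
    case $1 in /*) [ -x "$1" ] && echo "$1" && return 0; return 1;; esac
    ( IFS=:; for d in $PATH; do
          if [ -x "$d/$1" ]; then echo "$d/$1"; exit 0; fi
      done; exit 1 )
}

# Shared-library paths a binary needs, one per line.
# ldd can execute the binary's loader, so only run it on binaries you trust.
libs_for() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null | awk '/=> \// { print $3 } /^[[:space:]]*\// { print $1 }'
}

# Copy a file into the jail at the same path, preserving mode (cp -p).
copy_into_jail() {      # $1=jail $2=absolute source path
    mkdir -p "$1$(dirname "$2")"
    cp -p "$2" "$1$2"
}

# Copy a program and everything ldd says it links against.
add_program() {         # $1=jail $2=program name or path
    prog=$(find_bin "$2") || return 1
    copy_into_jail "$1" "$prog"
    for lib in $(libs_for "$prog"); do
        [ -f "$1$lib" ] || copy_into_jail "$1" "$lib"
    done
}

# Minimal /etc/passwd: root (no shell) plus the one unprivileged service account.
write_passwd() {        # $1=jail $2=user name $3=uid (assumed values in the demo)
    mkdir -p "$1/etc"
    printf 'root:x:0:0:root:/:/sbin/nologin\n%s:x:%s:%s::/:/bin/sh\n' "$2" "$3" "$3" > "$1/etc/passwd"
}

# root owns everything (needs root to take effect), nothing group/world writable.
lock_down() {
    chown -R 0:0 "$1" 2>/dev/null || true
    chmod -R go-w "$1"
}

# Number of setuid/setgid or group/world-writable files in the jail; want 0.
audit_jail() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 -o -perm -0002 -o -perm -0020 \) | wc -l | tr -d ' '
}

build_jail() {          # $1=jail dir, remaining args = programs
    jail=$1; shift
    mkdir -p "$jail/bin" "$jail/lib" "$jail/etc" "$jail/usr" "$jail/var"
    for p in "$@"; do add_program "$jail" "$p"; done
    write_passwd "$jail" jailed 5000
    lock_down "$jail"
}

# Demo in a temp dir.  On the real box, run the service inside as the
# unprivileged user, e.g.: chroot --userspec=jailed:jailed "$JAIL" /bin/sh
JAIL=$(mktemp -d)
build_jail "$JAIL" sh ls
echo "jail at $JAIL, files that would weaken it: $(audit_jail "$JAIL")"
```

Run audit_jail again after every change to the jail; a single setuid binary copied in "for convenience" is enough to turn the jail into a root shell.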

DHCP

- can be set up through webmin
- scope: the range of IP addresses that can be given out, with a netmask to specify it; the scope also hands out the default gateway, DNS server information (which we need for the forward and reverse lookups) and the domain name
- reservations: statically tie an address to the MAC address of that machine
- exclusions: addresses inside the scope that are never given out
- to find out what it can hand out the server pings an address before giving it out
- it also uses aging/leasing to know what is available; halfway through the lease time the client renews; 8 hours is a decent lease (a normal workday)
- max lease time covers the machine that never asked for a renewal: it is how long the address actually stays reserved for that client
- a Windows client has a checkbox to update its host record in DNS when its IP changes; Linux has a client that can do the same (updates the A record)
- Linux dhcp daemon (dhcpd)
  - config file: /etc/dhcpd.conf (or /etc/dhcp3/dhcpd.conf with the dhcp3-server package); get a sample config file to start from
  - the server must have an interface on the subnet it serves or it will not run
  - /etc/init.d/dhcpd start, or /etc/init.d/dhcp3-server restart, makes it read the new configuration file
- Ubuntu: apt-get install dhcp3-server; after installing we had to edit the configuration with nano /etc/dhcp3/dhcpd.conf (edited as shown in the picture), then restart with /etc/init.d/dhcp3-server restart

SSH

- rpm -q openssh checks it is installed (it comes installed by default on the Fedora box); to check that it is running: ps aux | grep sshd
- some services do not start up automatically; chkconfig turns that on, e.g. chkconfig named on or chkconfig sshd on
- ls /etc/ssh shows the ssh config files
  - ssh_config is the client-side configuration
  - sshd_config is for the server; settings worth changing:
    - Port: changing it away from 22 helps a little
    - ListenAddress: which address it listens on for connections (default is every address)
    - HostKey: which keys to use
    - LoginGraceTime: how long to log in before getting kicked out
    - PermitRootLogin: not a great idea for security, set it to no
    - MaxAuthTries: max attempts before getting kicked
    - X11Forwarding: lets some graphical applications run through ssh
    - Banner: file with the banner text shown before login
  - log in as a specific user with ssh <user>@<ip>
- not a bad idea to jail ssh: ssh also supports secure ftp (sftp), so a shell login is a file-transfer risk in itself
- both host keys are stored on the host, e.g. /etc/ssh/ssh_host_rsa_key.pub
- besides freeSSHd for Windows you can use OpenSSH under Cygwin (cygwin.com) to emulate a Linux environment and get ssh working right
- /etc/init.d/ssh restart restarts the sshd server
- Ubuntu: apt-get install openssh-server, then nano /etc/ssh/sshd_config

Key authentication

- ssh-keygen -t rsa -b 2048, once for every user you want to log in as; create a passphrase; this generates the public and private keys, stored in the .ssh folder in the user's home directory (created automatically); the .pub file is the public key
- in sshd_config, uncomment the key authentication lines (PubkeyAuthentication, AuthorizedKeysFile); sshd looks for .ssh/authorized_keys, so: cp id_rsa.pub authorized_keys
- for the Windows machine you need the private key (that is what identifies you): copy it down to the Windows box and convert it to a PuTTY-format private key with PuTTYgen: File, Load private key, enter the passphrase, and save it out again
- in PuTTY: Connection, SSH, Auth: insert the private key; under Session enter the username, host and port; same thing with Cygwin
- the private key is the secret; the cleaner way round is to generate the pair on the client and copy only the .pub file to the server's authorized_keys
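The sshd settings and the authorized_keys step above, as an added example that is not from the notes: the script writes a hardened sshd_config with the options listed (root login off, key auth on, password auth off, 3 tries, short grace time, no X11), installs a public key into a user's authorized_keys without duplicating it, and sets the modes sshd's StrictModes check insists on (.ssh 700, authorized_keys 600). The port, listen address, banner path and the key line in the demo are assumed (the key line is a constructed dummy, not a real key).

```shell
#!/bin/sh
# Added example, not from the course notes: hardened sshd_config plus a safe
# authorized_keys installer.  Assumed: port 2222, listen address 10.10.10.1,
# banner file /etc/issue.net, RSA host key path.

write_sshd_config() {   # $1=outfile $2=port $3=listen address
    cat > "$1" <<EOF
Port $2
ListenAddress $3
HostKey /etc/ssh/ssh_host_rsa_key
LoginGraceTime 30
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
X11Forwarding no
Banner /etc/issue.net
Subsystem sftp internal-sftp
EOF
}

# Append a public key to $HOME/.ssh/authorized_keys unless it is already there,
# creating .ssh 700 and authorized_keys 600 (sshd ignores the file otherwise).
install_pubkey() {      # $1=home dir $2=path to id_rsa.pub
    (
        umask 077
        mkdir -p "$1/.ssh"
        touch "$1/.ssh/authorized_keys"
        key=$(cat "$2")
        grep -qxF "$key" "$1/.ssh/authorized_keys" || printf '%s\n' "$key" >> "$1/.ssh/authorized_keys"
        chmod 700 "$1/.ssh"
        chmod 600 "$1/.ssh/authorized_keys"
    )
}

# Number of keys in authorized_keys (blank and comment lines ignored).
count_keys() {
    grep -v '^[[:space:]]*#' "$1/.ssh/authorized_keys" | grep -c '[^[:space:]]'
}

# Let sshd parse the file when it is installed (needs the host key to exist).
check_config() {
    command -v sshd >/dev/null 2>&1 || return 0
    sshd -t -f "$1"
}

# Demo in a temp dir with a constructed key line (not a real key).
DEMO=$(mktemp -d)
write_sshd_config "$DEMO/sshd_config" 2222 10.10.10.1
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCExampleOnlyNotARealKey== cisco@winxp\n' > "$DEMO/id_rsa.pub"
install_pubkey "$DEMO/home" "$DEMO/id_rsa.pub"
install_pubkey "$DEMO/home" "$DEMO/id_rsa.pub"    # second run is a no-op
echo "keys installed for demo user: $(count_keys "$DEMO/home")"
```

Before restarting sshd with the new file, keep the current session open and test a fresh login from a second terminal: with PasswordAuthentication off, a typo in the key or in the file modes locks you out.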

NTP client: ntpdate <server addy> sets the client's clock from that server

IIS (Internet Information Services)

- provides FTP and web services; some web hosting files also require ASP.NET
- has its own control panel (IIS manager) and can manage multiple things off of the web server
- comes standard with the Default Web Site, which comes up as an "under construction" page (iisstart.htm, the page it loads by default)
- to restart IIS: right-click the local computer, All Tasks, Restart IIS
- https is assumed to be on port 443 for SSL
- Performance tab: can rate-limit the bandwidth the site is allowed to use upstream, and limit the number of web site connections
- Home Directory tab: selects where your web page files are stored (change this from the default for security) and sets the permissions on what visitors can do there
- Documents tab: the order of default documents, i.e. which page the server looks for first
- Custom Errors tab: the common error messages; each can be edited
- Directory Security tab (who can access the website):
  - anonymous people can access it by default through the anonymous account IUSR_<machine>, created at install
  - if anonymous access is turned off, people have to authenticate to use the web page
  - digest authentication looks like the login on a Cisco device's web page
  - people on the intranet can reach it locally; anyone external needs to authenticate to use the web page
  - under Secure Communications you can select Require SSL
- some web pages require the www prefix and others do not; that is the host header setting on the site (somewhere in the site properties?)

Web site and blog creation

- XAMPP with WordPress, PHP-Nuke, Joomla, Moodle: all similar to Drupal
- after unraring XAMPP, click setup_xampp.bat to install; the control center is xampp-control.exe, click that for the control console
- Apache can now be started just by clicking Start; the Linux equivalent is /etc/init.d/httpd start or service httpd start
- the site is now served on your local machine; click your language to see the notes
- done in Fedora it is very similar; the content can now be changed
- SSL cannot be done right away from a Linux box (needs setting up first)

Apache config (same files on Linux and Windows)

- httpd.conf is the main config file for Apache
  - XAMPP: <xampp folder>\apache\conf\httpd.conf; use WordPad to edit it
  - Linux: /etc/httpd/conf/httpd.conf, same file name, same contents; web page content lives in /var/www
  - if any changes are made you need to restart the service to apply them
- Drupal: now that drupal is pulled down, cut and paste it into C:\MY_cm_website\xampp\htdocs
  - drupal uses MySQL to store content, so that needs configuring as well; E:\Classes\Server Integration\Apache_Stuff\drupal-6.9\INSTALL.mysql.txt tells how
  - Apache is not needed for MySQL to work, but MySQL needs a package that is included with XAMPP
  - start MySQL, then in a command prompt go to C:\MY_cm_website\xampp\mysql\bin and type:

    mysqladmin -u root create drupaldb

  - XAMPP's MySQL has no root password (set one); this root user is the MySQL root, not the same root as the Linux system
  - that creates the database; now give a user permission to it:

    mysql -u root
    mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER
           ON drupaldb.* TO 'cisco'@'localhost' IDENTIFIED BY 'cisco2009';
    Query OK, 0 rows affected (0.03 sec)
    mysql> quit

  - GRANT says what that user may do, and only on drupaldb
- now edit httpd.conf so the site root is the drupal folder:

    DocumentRoot "C:/MY_cm_website/xampp/htdocs/drupal"

- restart Apache and Drupal is running
- go to C:\MY_cm_website\xampp\htdocs\drupal\sites\default, make a copy of default.settings.php, rename the copy to settings.php, then click Try again on the web page

Apache on Ubuntu

- apt-get install apache2
- apt-get install mysql-server (installs mysql-client-5.0 and mysql-server-5.0); the server root password set in the lab was group3pwnsu
- alternatively you could wget http://superb-west.dl.sourceforge.net/sourceforge/xampp/xampplinux-1.7.tar.gz, or fetch http://voxel.dl.sourceforge.net/sourceforge/xampp/lampp-1.1.tar.gz

Joomla (second website on the same web server)

- Joomla runs on Apache; with virtual hosts one web server hosts two websites
- in httpd.conf DocumentRoot points at xampp/htdocs, and both drupal and joomla are in there in separate folders
- toward the bottom of httpd.conf there is a # Virtual hosts section; uncomment Include conf/extra/httpd-vhosts.conf
- two types of virtual host: name-based or IP-based; our package only does name-based
- in the vhosts file each site gets a block like:

    NameVirtualHost *:80
    <VirtualHost *:80>
        ServerAdmin ...
        (check the reference sheet for the rest)
    </VirtualHost>

- NameVirtualHost *:80 has to be enabled for name-based hosts to work
- now you need a way to resolve each name to an IP; use local resolution by editing the hosts file with entries for site1drupal and site2drupal (the names from the vhosts file)
- doing this on my own: shut off Apache and keep MySQL running, then create a database for Joomla: open a command prompt, go to C:\MY_cm_website\xampp\mysql\bin and type mysqladmin -u root create joomlabd; the documentation and the printed tutorial paper cover the rest of the configuration
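The name-based virtual host setup above, as an added example (not from the notes, not from the XAMPP package): a generator for the two-site httpd-vhosts.conf in Apache 2.2 syntax, plus the hosts-file lines that resolve the names locally, with apachectl configtest run when Apache is installed. The site names site1drupal and site2joomla, the admin address, the htdocs path and the address 10.10.10.5 are assumptions. Each site gets its own DocumentRoot, its own logs and directory listings off, so a problem in one site does not expose the other's files.

```shell
#!/bin/sh
# Added example, not from the course notes: generate conf/extra/httpd-vhosts.conf
# for two name-based sites on one Apache 2.2 server and the matching hosts entries.
# Assumed: site names, admin mail, htdocs path and the server address.

# One <VirtualHost> block.  Each site is confined to its own DocumentRoot;
# -Indexes stops directory listings of upload/module folders.
vhost_block() {         # $1=server name $2=document root $3=admin mail
    cat <<EOF
<VirtualHost *:80>
    ServerAdmin $3
    ServerName $1
    DocumentRoot "$2"
    <Directory "$2">
        Options -Indexes +FollowSymLinks
        AllowOverride All     # Drupal and Joomla ship an .htaccess (rewrite rules);
                              # narrow this to the directives they use once known
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog "logs/$1-error.log"
    CustomLog "logs/$1-access.log" common
</VirtualHost>
EOF
}

write_vhosts() {        # $1=outfile $2=htdocs directory
    {
        echo "NameVirtualHost *:80"
        vhost_block site1drupal "$2/drupal" webmaster@cpt224.com
        vhost_block site2joomla "$2/joomla" webmaster@cpt224.com
    } > "$1"
}

# Lines for /etc/hosts (or C:\Windows\System32\drivers\etc\hosts) so the
# browser resolves both names to the web server without a DNS change.
hosts_lines() {         # $1=server ip
    printf '%s site1drupal\n%s site2joomla\n' "$1" "$1"
}

count_vhosts() { grep -c '^<VirtualHost' "$1"; }

# Full config check with Apache's parser when it is installed; skipped otherwise.
configtest() {          # $1=httpd.conf that Includes the vhosts file
    command -v apachectl >/dev/null 2>&1 || return 0
    apachectl -t -f "$1"
}

OUT=$(mktemp -d)/httpd-vhosts.conf
write_vhosts "$OUT" /opt/lampp/htdocs
echo "$OUT has $(count_vhosts "$OUT") virtual hosts"
hosts_lines 10.10.10.5
```

Once it is included from httpd.conf, request each name with curl -H "Host: site2joomla" http://10.10.10.5/ and confirm the joomla index comes back, not the drupal one; the first VirtualHost block is the default for any Host header that matches neither name.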


To create the CNAME for apache in the forward zone: apache IN CNAME <FQDN of the Fedora server's DNS host record>


Stuff to do

- Ubuntu: install apache

Labs

- new labs are on WebCT
- each of us needs to install a 2k3 server; Rich does an enterprise root CA, the others are subordinates (lab 7 setup); also install IIS on the subordinates (name them win2k3-X)
- have the main DC with a secure web server running
- service locator (SRV) records are created on the server by default when you promote the machine; if the zone on it is a secondary zone it is read-only and has no SRV records, so a PC cannot join the domain
- so for the Fedora box, on the primary DNS server go to the zones (/var/named) and add the same four SRV lines to the forward zone as listed under the zone transfer notes above (_ldap._tcp, _kerberos._tcp, _ldap._tcp.dc._msdcs and _kerberos._tcp.dc._msdcs, all pointing at ns2.instructor.com, the win2k3 secondary)
- the global catalog (gc) records are not set up yet, which needs the full set below; this is the group3.com forward zone as captured (the A record addresses and the MX target were not written down):

    $TTL 38400
    group3.com.                 IN SOA  group3-Fedora10. fake.fake.com. (
                                        1232999249  ; serial
                                        10800       ; refresh
                                        3600        ; retry
                                        604800      ; expire
                                        38400 )     ; minimum
    group3.com.                 IN NS   group3-Fedora10.
    ; host records (addresses not captured)
    Win2k3.group3.com.          IN A
    Win2k3-2.group3.com.        IN A
    Win2k3-3.group3.com.        IN A
    Win2k3-4.group3.com.        IN A
    Win2k3-5.group3.com.        IN A
    Ubuntu.group3.com.          IN A
    WinXP.group3.com.           IN A
    Kubuntu.group3.com.         IN A
    Fedora10.group3.com.        IN A
    www.group3.com.             IN A
    mail.group3.com.            IN MX 1
    ; AD service locator records, all pointing at the Win2k3 domain controller
    _ldap._tcp.group3.com.                  IN SRV 0 0 389  Win2k3.group3.com.
    _kerberos._tcp.group3.com.              IN SRV 0 0 88   Win2k3.group3.com.
    _ldap._tcp.dc._msdcs.group3.com.        IN SRV 0 0 389  Win2k3.group3.com.
    _kerberos._udp.group3.com.              IN SRV 0 0 88   Win2k3.group3.com.
    _kerberos._tcp.dc._msdcs.group3.com.    IN SRV 0 0 88   Win2k3.group3.com.
    _kpasswd._tcp.group3.com.               IN SRV 0 0 464  Win2k3.group3.com.
    _kpasswd._udp.group3.com.               IN SRV 0 0 464  Win2k3.group3.com.
    _ldap._tcp.gc._msdcs.group3.com.        IN SRV 0 0 3268 Win2k3.group3.com.
    _gc._tcp.group3.com.                    IN SRV 0 0 3268 Win2k3.group3.com.

  - two things to fix before this loads cleanly: group3-Fedora10. with its trailing dot is an absolute name with no domain, so the SOA and NS should name the Fedora box's FQDN that has an A record (Fedora10.group3.com.), and fake.fake.com. is only a placeholder contact (it reads as fake@fake.com)
  - an MX record has to name a host that has an A record, e.g. group3.com. IN MX 1 mail.group3.com. with an A record for mail.group3.com.

Apache on Ubuntu

- check the pdf file for the config file details
- the default page Ubuntu serves is /var/www/index.html