Sunday, 11 November 2012

Installation and configuration of a DNS server in Windows Server 2008

Why we need a DNS server on a LAN (Local Area Network):

The importance of a DNS server can be judged from the fact that without DNS, computers would have a very tough time communicating with each other. However, most Windows administrators still rely on WINS for name resolution on local area networks, and some have little or no experience with DNS. Steven Warren explains how to install, configure, and troubleshoot a Windows Server 2008 DNS server.

I don't want to go into other details, but as many of you are probably aware, the Domain Name System (DNS) is now the name resolution system of choice in Windows (on Microsoft and non-Microsoft servers alike). Without it, computers would have a very tough time communicating with each other. However, most Windows administrators still rely on the Windows Internet Name Service (WINS) for name resolution on local area networks, and some have little or no experience with DNS. If you fall into this category, read on. We'll explain how to install, configure, and troubleshoot a Windows Server 2008 DNS server.

Installation Step by Step

You can install a DNS server from the Control Panel or when promoting a member server to a domain controller (DC) (Figure A). During the promotion, if a DNS server is not found, you will have the option of installing it.

Figure A

To install a DNS server from the Control Panel, follow these steps:
  • From the Start menu, select Control Panel | Administrative Tools | Server Manager.
  • Expand and click Roles (Figure B).
  • Choose Add Roles and follow the wizard by selecting the DNS role (Figure C).
  • Click Install to install DNS in Windows Server 2008 (Figure D).

Figure B: Expand and click Roles

Figure C: DNS role

Figure D: Install DNS

DNS console and configuration

After installing DNS, you can find the DNS console from Start | All Programs | Administrative Tools | DNS. Windows 2008 provides a wizard to help configure DNS.
When configuring your DNS server, you must be familiar with the following concepts:
  • Forward lookup zone
  • Reverse lookup zone
  • Zone types
A forward lookup zone is simply a way to resolve host names to IP addresses. A reverse lookup zone allows a DNS server to discover the DNS name of a host from its IP address; basically, it is the exact opposite of a forward lookup zone. A reverse lookup zone is not required, but it is easy to configure and will give your Windows Server 2008 server full DNS functionality.
When selecting a DNS zone type, you have the following options: Active Directory (AD) Integrated, Standard Primary, and Standard Secondary. AD Integrated stores the database information in AD and allows for secure updates to the database file. This option will appear only if AD is configured. If it is configured and you select this option, AD will store and replicate your zone files.
A Standard Primary zone stores the database in a text file. This text file can be shared with other DNS servers that store their information in a text file. Finally, a Standard Secondary zone simply creates a copy of the existing database from another DNS server. This is primarily used for load balancing.
To open the DNS server configuration tool:
  1. Select DNS from the Administrative Tools folder to open the DNS console.
  2. Highlight your computer name and choose Action | Configure a DNS Server... to launch the Configure DNS Server Wizard.
  3. Click Next and choose one of the following: forward lookup zone; forward and reverse lookup zones; root hints only (Figure E).
  4. Click Next and then click Yes to create a forward lookup zone (Figure F).
  5. Select the appropriate radio button to install the desired Zone Type (Figure G).
  6. Click Next and type the name of the zone you are creating.
  7. Click Next and then click Yes to create a reverse lookup zone.
  8. Repeat Step 5.
  9. Choose whether you want an IPv4 or IPv6 Reverse Lookup Zone (Figure H).
  10. Click Next and enter the information to identify the reverse lookup zone (Figure I).
  11. You can choose to create a new file or use an existing DNS file (Figure J).
  12. On the Dynamic Update window, specify how DNS accepts secure, nonsecure, or no dynamic updates.
  13. If you need to apply a DNS forwarder, you apply it on the Forwarders window. (Figure K).
  14. Click Finish (Figure L).

Figure E

Figure F: Forward lookup zone

Figure G: Desired zone

Figure H: IPv4 or IPv6

Figure I: Reverse lookup zone

Figure J: Choose new or existing DNS file

Figure K: Forwarders window

Figure L

Installation is now finished. From here we will configure the DNS server so that your clients and other services can resolve names.

Managing DNS records

You have now installed and configured your first DNS server, and you're ready to add records to the zone(s) you created. There are various types of DNS records available. Many of them you will never use. We'll be looking at these commonly used DNS records:
  • Start of Authority (SOA)
  • Name Servers
  • Host (A)
  • Pointer (PTR)
  • Canonical Name (CNAME) or Alias
  • Mail Exchange (MX)

Start of Authority (SOA) record

The Start of Authority (SOA) resource record is always first in any standard zone. The Start of Authority (SOA) tab allows you to make any adjustments necessary: you can change the primary server that holds the SOA record, and you can change the person responsible for managing the SOA. Finally, one of the most important features of Windows 2000 is that you can change your DNS server configuration without deleting your zones and having to reinvent the wheel (Figure M).

Figure M: Change configuration

Name Servers

Name Servers specify all name servers for a particular domain. You set up all primary and secondary name servers through this record.
To create a Name Server, follow these steps:

  1. Select DNS from the Administrative Tools folder to open the DNS console.
  2. Expand the Forward Lookup Zone.
  3. Right-click on the appropriate domain and choose Properties (Figure N).
  4. Select the Name Servers tab and click Add.
  5. Enter the appropriate FQDN Server name and IP address of the DNS server you want to add.

Figure N: Name Server

Host (A) records

A Host (A) record maps a host name to an IP address. These records help you easily identify another server in a forward lookup zone. Host records improve query performance in multiple-zone environments, and you can also create a Pointer (PTR) record at the same time. A PTR record resolves an IP address to a host name.
To create a Host record:

  1. Select DNS from the Administrative Tools folder to open the DNS console.
  2. Expand the Forward Lookup Zone and click on the folder representing your domain.
  3. From the Action menu, select New Host.
  4. Enter the Name and IP Address of the host you are creating (Figure O).
  5. Select the Create Associated Pointer (PTR) Record check box if you want to create the PTR record at the same time. Otherwise, you can create it later.
  6. Click the Add Host button.

Figure O: To add a Host (A) record

Pointer (PTR) records

A Pointer (PTR) record creates the appropriate entry in the reverse lookup zone for reverse queries. As you saw in Figure H, you have the option of creating a PTR record when creating a Host record. If you did not choose to create your PTR record at that time, you can do it at any point.
To create a PTR record:

  1. Select DNS from the Administrative Tools folder to open the DNS console.
  2. Choose the reverse lookup zone where you want your PTR record created.
  3. From the Action menu, select New Pointer (Figure P).
  4. Enter the Host IP Number and Host Name.
  5. Click OK.

Figure P: New Pointer

Canonical Name (CNAME) or Alias records

A Canonical Name (CNAME) or Alias record allows a DNS server to have multiple names for a single host. For example, several Alias records can point to a single server in your environment. This is a common approach if you have both your Web server and your mail server running on the same machine.
To create a DNS Alias:

  1. Select DNS from the Administrative Tools folder to open the DNS console.
  2. Expand the Forward Lookup Zone and highlight the folder representing your domain.
  3. From the Action menu, select New Alias.
  4. Enter your Alias Name (Figure Q).
  5. Enter the fully qualified domain name (FQDN).
  6. Click OK.

Figure Q: Alias Name

Mail Exchange (MX) records

Mail Exchange records help you identify the mail servers within a zone in your DNS database. With this feature, you can set which mail servers receive the highest priority. Creating MX records will help you keep track of the location of all of your mail servers.
To create a Mail Exchange (MX) record:

  1. Select DNS from the Administrative Tools folder to open the DNS console.
  2. Expand the Forward Lookup Zone and highlight the folder representing your domain.
  3. From the Action menu, select New Mail Exchanger.
  4. Enter the Host Or Domain (Figure R).
  5. Enter the Mail Server and Mail Server Priority.
  6. Click OK.

Figure R: Host or Domain
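As an added example (not part of the original post), the checks below run over a constructed set of the record types just described: every Host (A) record should have a matching PTR in the reverse zone, every CNAME should point at a name that exists, and NS and MX targets should be real hosts rather than aliases. The zone name example.local, the host names and all addresses are made up.

```python
import ipaddress

# Constructed sample zone data (not from the original post): the record types
# the post walks through, as the DNS console would hold them for "example.local".
FORWARD_ZONE = "example.local"
FORWARD_RECORDS = [
    ("@", "SOA", "dns1.example.local."),
    ("@", "NS", "dns1.example.local."),
    ("@", "NS", "dns2.example.local."),
    ("dns1", "A", "192.168.1.10"),
    ("dns2", "A", "192.168.1.11"),
    ("mail", "A", "192.168.1.20"),
    ("www", "CNAME", "mail.example.local."),
    ("intranet", "CNAME", "portal.example.local."),   # dangling alias
    ("@", "MX", (10, "mail.example.local.")),
    ("@", "MX", (20, "www.example.local.")),           # MX pointing at an alias
]
REVERSE_RECORDS = {
    "10.1.168.192.in-addr.arpa.": "dns1.example.local.",
    "11.1.168.192.in-addr.arpa.": "dns2.example.local.",
    # "mail" was added without the "Create associated PTR record" box ticked
}


def fqdn(label, zone=FORWARD_ZONE):
    """Turn a console label (e.g. 'www' or '@') into an absolute FQDN."""
    return f"{zone}." if label == "@" else f"{label}.{zone}."


def ptr_name(ip):
    """Reverse-zone owner name for an IPv4/IPv6 address, as the wizard derives it."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def audit_zone(forward=FORWARD_RECORDS, reverse=REVERSE_RECORDS):
    """Return a list of (severity, message) findings for the zone pair."""
    findings = []
    a_hosts = {fqdn(n): v for n, t, v in forward if t == "A"}
    cnames = {fqdn(n): v for n, t, v in forward if t == "CNAME"}
    ns_targets = {v for _, t, v in forward if t == "NS"}

    # Every A record should have a PTR that resolves back to the same name.
    for name, ip in a_hosts.items():
        back = reverse.get(ptr_name(ip))
        if back is None:
            findings.append(("warn", f"no PTR record for {name} ({ip})"))
        elif back != name:
            findings.append(("error", f"PTR for {ip} points to {back}, not {name}"))

    # An alias must point at a name that actually exists in the zone.
    for alias, target in cnames.items():
        if target not in a_hosts and target not in cnames:
            findings.append(("error", f"CNAME {alias} -> {target} has no target record"))

    # NS and MX targets must be A records, not aliases (RFC 2181 section 10.3).
    for target in ns_targets:
        if target not in a_hosts:
            findings.append(("error", f"NS target {target} has no A record"))
    for _, t, v in forward:
        if t == "MX":
            prio, target = v
            if target in cnames:
                findings.append(("error", f"MX {prio} {target} points at a CNAME"))
            elif target not in a_hosts:
                findings.append(("error", f"MX {prio} {target} has no A record"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_zone():
        print(f"{severity}: {message}")
```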

Other new records

You can create many other types of records. For a complete description, choose Action | Other New Records from the DNS console (Figure S). Select the record of your choice and view the description.

Figure S: Create records from the DNS console

Troubleshooting DNS servers

We will not go in depth on troubleshooting, but when troubleshooting DNS servers the nslookup utility will become your best friend. This utility is easy to use and very versatile. It's a command-line utility that is included with Windows 2008. With nslookup, you can perform query testing of your DNS servers. This information is useful in troubleshooting name resolution problems and debugging other server-related problems. You can access nslookup (Figure T) right from the DNS console.

Figure T

Thanks for reading. I would appreciate your input regarding this blog post ....
Your comments will encourage me to explore more and improve the contents to help others with their problems. Feel free to write to me at arsalanh2000@gmail.com or on Twitter: arsalanh2000

Don't forget to click Follow or rate my blog ...


Saturday, 31 March 2012

How to secure a LAMP server on CentOS or RHEL

LAMP is a software stack composed of Linux (an operating system as a base layer), Apache (a web server that "sits on top" of the OS), MySQL (or MariaDB, as a relational database management system), and finally PHP (a server-side scripting language that is used to process and display information stored in the database).
 
In this article we will assume that each component of the LAMP stack is already up and running, and will focus exclusively on securing the LAMP server(s). We must note, however, that server-side security is a vast subject, and therefore cannot be addressed adequately and completely in a single article.
 
In this post, we will cover the essential must-do's to secure each part of the stack.

Securing Linux

Since you may want to manage your CentOS server via ssh, you need to consider the following tips to secure remote access to the server by editing the /etc/ssh/sshd_config file.
 
1) Use key-based authentication, whenever possible, instead of basic authentication (username + password) to log on to your server remotely. We assume that you have already created a key pair with your user name on your client machine and copied it to your server.
 
PasswordAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes

2) Change the port that sshd listens on. A good choice is a number higher than 1024:

Port XXXX

3) Allow only protocol 2:

Protocol 2

4) Configure the authentication timeout, do not allow root logins, and restrict which users may login, via ssh:
LoginGraceTime 2m
PermitRootLogin no
AllowUsers gacanepa

5) Allow only specific hosts (and/or networks) to login via ssh:
In the /etc/hosts.deny file:

sshd: ALL

In the /etc/hosts.allow file:

sshd: XXX.YYY.ZZZ. AAA.BBB.CCC.DDD

where XXX.YYY.ZZZ. represents the first 3 octets of an IPv4 network address and AAA.BBB.CCC.DDD is an IPv4 address. With that setting, only hosts from the network XXX.YYY.ZZZ.0/24 and the host AAA.BBB.CCC.DDD will be allowed to connect via ssh. All other hosts will be disconnected before they even get to the login prompt and will receive an error.

(Do not forget to restart the sshd daemon to apply these changes: service sshd restart.)
We must note that this approach is a quick and easy (but somewhat rudimentary) way of blocking incoming connections to your server. For further customization, scalability and flexibility, you should consider using plain iptables and/or fail2ban.
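An added example, not part of the original post, covering steps 1 to 5: it parses a constructed sshd_config and reports which of the settings above are missing, and it reproduces the hosts.allow/hosts.deny decision for a client address so you can see exactly which clients the "sshd: ALL" deny line plus the allow line admit. The addresses and the user name in the sample files are made up.

```python
# Constructed sample files (not from the original post) in the shape of the
# sshd_config, hosts.deny and hosts.allow snippets from steps 1 to 5 above.
SSHD_CONFIG = """\
# sshd_config hardened as in the post
Port 2222
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
LoginGraceTime 2m
PermitRootLogin no
AllowUsers gacanepa
"""
HOSTS_DENY = "sshd: ALL\n"
HOSTS_ALLOW = "sshd: 192.168.1. 10.0.0.5\n"   # network prefix + single host


def parse_sshd_config(text):
    """Map directive names (lower-cased) to values; like sshd, the first
    occurrence of a keyword wins."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf.setdefault(key.lower(), value.strip())
    return conf


def audit_sshd(text):
    """Return the checks from steps 1-4 that the file fails; the fallbacks are
    the stock sshd defaults (password auth on, root login allowed, port 22)."""
    c = parse_sshd_config(text)
    problems = []
    if c.get("passwordauthentication", "yes") != "no":
        problems.append("PasswordAuthentication should be no")
    if c.get("pubkeyauthentication", "yes") != "yes":
        problems.append("PubkeyAuthentication should be yes")
    port = int(c.get("port", "22"))
    if port <= 1024:
        problems.append(f"Port {port} is not above 1024 as the post suggests")
    if c.get("protocol", "2") != "2":
        problems.append("Protocol should be 2 only")
    if c.get("permitrootlogin", "yes") != "no":
        problems.append("PermitRootLogin should be no")
    if "allowusers" not in c:
        problems.append("AllowUsers is not set; any account could log in over ssh")
    return problems


def _wrapper_patterns(text, daemon="sshd"):
    """Client patterns that apply to a daemon in a hosts.allow/hosts.deny file."""
    patterns = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        names = [d.strip() for d in daemons.split(",")]
        if daemon in names or "ALL" in names:
            patterns.extend(clients.split())
    return patterns


def _client_matches(pattern, ip):
    """TCP wrappers IPv4 forms used in step 5: ALL, a trailing-dot network
    prefix such as 192.168.1. (matches 192.168.1.0/24), or an exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def ssh_allowed(ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match in either file
    means the connection is allowed, which is why 'sshd: ALL' in hosts.deny matters."""
    if any(_client_matches(p, ip) for p in _wrapper_patterns(allow)):
        return True
    if any(_client_matches(p, ip) for p in _wrapper_patterns(deny)):
        return False
    return True
```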

Securing Apache

1) Make sure that the system user that runs the Apache web server does not have access to a shell:
# grep -i apache /etc/passwd
If user apache has a default shell (such as /bin/sh), we must change it to /bin/false or /sbin/nologin:
# usermod -s /sbin/nologin apache
The following suggestions (2 through 5) refer to the /etc/httpd/conf/httpd.conf file:
2) Disable directory listing: this will prevent the browser from displaying the contents of a directory if there is no index.html present in that directory.
Delete the word Indexes in the Options directive:

# The Options directive is both complicated and important.  Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks

Should read:

Options None
In addition, you need to make sure that the settings for directories and virtual hosts do not override this global configuration.
Following the example above, if we examine the settings for the /var/www/icons directory, we see that "Indexes MultiViews FollowSymLinks" should be changed to "None".

Before:
<Directory "/var/www/icons">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

After:
<Directory "/var/www/icons">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
3) Hide the Apache version, as well as module/OS information, in error (e.g. Not Found and Forbidden) pages:

ServerTokens Prod    # The HTTP response header will return just "Apache", not its version number
ServerSignature Off  # The OS information is hidden
4) Disable unneeded modules by commenting out the lines where those modules are declared:
TIP: Disabling autoindex_module is another way to hide directory listings when there is not an index.html file in them.
5) Limit HTTP request size (body and headers) and set connection timeout:

Directive: LimitRequestBody
Context: server config, virtual host, directory, .htaccess
Example and meaning: limit file uploads to 100 KiB max. for the uploads directory:

<Directory "/var/www/test/uploads">
   LimitRequestBody 102400
</Directory>

This directive specifies the number of bytes from 0 (meaning unlimited) to 2147483647 (2GB) that are allowed in a request body.

Directive: LimitRequestFieldSize
Context: server config, virtual host
Example and meaning: change the allowed HTTP request header size to 4KiB (default is 8KiB), server wide:

LimitRequestFieldSize 4094

This directive specifies the number of bytes that will be allowed in an HTTP request header and gives the server administrator greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks.

Directive: TimeOut
Context: server config, virtual host
Example and meaning: change the timeout from 300 (default if no value is used) to 120:

TimeOut 120

Amount of time, in seconds, the server will wait for certain events before failing a request.
For more directives and instructions on how to set them up, refer to the Apache docs.
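An added example (not the post's own code) for steps 2 and 3: it walks a constructed httpd.conf fragment, tracks which <Directory> or <VirtualHost> block each directive sits in, and flags every Options line that still enables Indexes, plus ServerTokens/ServerSignature values other than Prod/Off. This catches the per-directory overrides the text warns about; the paths in the sample fragment are made up.

```python
import re

# Constructed sample httpd.conf fragment (not from the original post): the global
# Options line is fixed, but two nested blocks still turn listings back on.
HTTPD_CONF = """\
ServerTokens OS
ServerSignature On
Options None

<Directory "/var/www/icons">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/var/www/test/uploads">
    Options None
    LimitRequestBody 102400
</Directory>

<VirtualHost *:80>
    DocumentRoot /var/www/html
    <Directory "/var/www/html">
        Options +Indexes
    </Directory>
</VirtualHost>
"""

_OPEN = re.compile(r'^<(Directory|VirtualHost|Location)\s+"?([^">]*)"?>$', re.I)
_CLOSE = re.compile(r"^</(Directory|VirtualHost|Location)>$", re.I)


def directives(text):
    """Yield (scope, name, value) for every directive, where scope is the
    innermost enclosing container (e.g. 'Directory /var/www/icons') or
    'server config' for the top level."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2)}")
            continue
        if _CLOSE.match(line):
            stack.pop()
            continue
        name, _, value = line.partition(" ")
        yield (stack[-1] if stack else "server config", name, value.strip())


def audit_httpd(text):
    """Return findings for steps 2 and 3: directory listings and banner leakage."""
    findings = []
    for scope, name, value in directives(text):
        key = name.lower()
        # "Indexes" or "+Indexes" enables listings; "-Indexes" removes them.
        if key == "options" and re.search(r"(?<![-])\bIndexes\b", value, re.I):
            findings.append(f"{scope}: Options enables directory listing ({value})")
        elif key == "servertokens" and value.lower() != "prod":
            findings.append(f"{scope}: ServerTokens {value} leaks version details")
        elif key == "serversignature" and value.lower() != "off":
            findings.append(f"{scope}: ServerSignature {value} leaks server info")
    return findings
```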

Securing MySQL Server

We will begin by running the mysql_secure_installation script that comes with the mysql-server package.
1) If we have not set a root password for MySQL server during installation, now it's the time to do so, and remember: this is essential in a production environment.
The process will continue:
2) Remove the anonymous user:
3) Only allow root to connect from localhost:
4) Remove the default database named test:
5) Apply changes:

6) Next, we will edit some variables in the /etc/my.cnf file:

[mysqld]
bind-address=127.0.0.1 # MySQL will only accept connections from localhost
local-infile=0 # Disable direct filesystem access
log=/var/log/mysqld.log # Enable log file to watch out for malicious activities

Don't forget to restart MySQL server with 'service mysqld restart'.
Now, when it comes to day-to-day database administration, you'll find the following suggestions useful:
  • If for some reason we need to manage our database remotely, we can do so by connecting via ssh to our server first to perform the necessary querying and administration tasks locally.
  • We may want to enable direct access to the filesystem later if, for example, we need to perform a bulk import of a file into the database.
  • Keeping logs is not as critical as the two things mentioned earlier, but may come in handy to troubleshoot our database and/or be aware of unfamiliar activities.
  • DO NOT, EVER, store sensitive information (such as passwords, credit card numbers, bank PINs, to name a few examples) in plain text format. Consider using hash functions to obfuscate this information.
  • Make sure that application-specific databases can be accessed only by the corresponding user that was created by the application for that purpose.
To adjust the access permissions of MySQL users, use these instructions.
First, retrieve the list of users from the user table:

gacanepa@centos:~$ mysql -u root -p
Enter password: [Your root password here]
mysql> SELECT User,Host FROM mysql.user;

Make sure that each user only has access (and the minimum permissions) to the databases it needs. In the following example, we will check the permissions of user db_usuario:

mysql> SHOW GRANTS FOR 'db_usuario'@'localhost';

You can then revoke permissions and access as needed.
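An added example, not from the original post, that applies the "minimum permissions" rule to SHOW GRANTS output: it parses constructed GRANT rows (the users, hosts and database names are made up) and flags accounts that may connect from any host, hold global privileges on *.*, or can grant privileges to others.

```python
import re

# Constructed sample rows as returned by "SHOW GRANTS FOR ..." for a few users
# (not from the original post); each string is one row of the result set.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO 'db_usuario'@'localhost' IDENTIFIED BY PASSWORD '*hash*'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `appdb`.* TO 'db_usuario'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'reports'@'%'",
    "GRANT SELECT ON `appdb`.* TO 'readonly'@'10.0.0.%'",
]

_GRANT = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<object>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.I,
)


def parse_grant(row):
    """Split one GRANT row into (privileges, object, user, host)."""
    m = _GRANT.match(row)
    if not m:
        raise ValueError(f"unrecognised grant: {row}")
    privs = [p.strip().upper() for p in m.group("privs").split(",")]
    return privs, m.group("object"), m.group("user"), m.group("host")


def audit_grants(rows, admin_users=("root",)):
    """Flag grants that go beyond 'one application user, one database,
    local connections only'. admin_users are exempt from the global checks."""
    findings = []
    for row in rows:
        privs, obj, user, host = parse_grant(row)
        account = f"'{user}'@'{host}'"
        # A '%' in the host part lets the account connect from remote addresses,
        # which the post avoids by binding MySQL to 127.0.0.1 and using ssh.
        if "%" in host:
            findings.append(f"{account}: host pattern '{host}' allows remote connections")
        # USAGE on *.* is the harmless "account exists" row; anything else on *.*
        # is a server-wide privilege that an application user should not hold.
        if obj == "*.*" and privs != ["USAGE"] and user not in admin_users:
            findings.append(f"{account}: global privileges {', '.join(privs)} on *.*")
        if "WITH GRANT OPTION" in row.upper() and user not in admin_users:
            findings.append(f"{account}: can grant privileges to other accounts")
    return findings
```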

Securing PHP

Since this article is oriented at securing the components of the LAMP stack, we will not go into detail as far as the programming side of things is concerned. We will assume that our web applications are secure in the sense that the developers have gone out of their way to make sure that there are no vulnerabilities that can give rise to common attacks such as XSS or SQL injection.
1) Disable unnecessary modules:
We can display the list of currently compiled-in modules with the following command: php -m

And disable those that are not needed by either removing or renaming the corresponding file in the /etc/php.d directory.
For example, since the mysql extension has been deprecated as of PHP v5.5.0 (and will be removed in the future), we may want to disable it:
# php -m | grep mysql
# mv /etc/php.d/mysql.ini /etc/php.d/mysql.ini.disabled

2) Hide PHP version information:
# echo "expose_php=off" >> /etc/php.d/security.ini [or modify the security.ini file if it already exists]

3) Set open_basedir to a few specific directories (in php.ini) in order to restrict access to the underlying file system:

4) Disable remote code/command execution along with easily exploitable functions such as exec(), system(), passthru(), eval(), and so on (in php.ini):

allow_url_fopen = Off
allow_url_include = Off
disable_functions = "exec, system, passthru, eval"

Note that eval() is a language construct rather than an internal function, so listing it in disable_functions has no effect; the other three entries are honoured.

Summing Up

1) Keep packages updated to their most recent version (compare the output of the following commands with the output of 'yum info [package]'):
The following commands return the current versions of Apache, MySQL and PHP:
# httpd -v
# mysql -V (capital V)
# php -v

Then 'yum update [package]' can be used to update the package in order to have the latest security patches.
 
2) Make sure that configuration files can only be written by the root account:
# ls -l /etc/httpd/conf/httpd.conf
# ls -l /etc/my.cnf
# ls -l /etc/php.ini /etc/php.d/security.ini

3) Finally, if you have the chance, run these services (web server, database server, and application server) in separate physical or virtual machines (and protect communications between them via a firewall), so that in case one of them becomes compromised, the attacker will not have immediate access to the others. If that is the case, you may have to tweak some of the configurations discussed in this article. Note that this is just one of the setups that could be used to increase security in your LAMP server.

Referred from Open source article ....

Thursday, 1 March 2012

How to install LAMP stack (Apache, MariaDB/MySQL and PHP) on CentOS

LAMP stack is a popular server-side software stack which is used to build and run dynamic web sites and web applications on Linux platforms. The LAMP stack is composed of Apache (as an HTTP server), MariaDB or MySQL (as a database backend), and PHP, Perl or Python (as a server-side programming language), and hence the acronym "LAMP." Other variants of the LAMP stack exist, such as LEMP (nginx, MySQL, PHP), LAPP (Apache, PostgreSQL, PHP), LLPR (Lighttpd, PostgreSQL, Ruby on Rails), and so forth.

In this tutorial, I describe how to install and set up the LAMP stack with Apache, MariaDB/MySQL and PHP on CentOS server. This tutorial is applicable to CentOS 6 as well as CentOS 7 platforms.

Step One: Apache HTTP Server

As the first step, let's install Apache HTTP server on CentOS. We will also do basic configuration for Apache server afterwards, such as adding Apache service to auto-start list, and opening an HTTP port in the firewall.

Install Apache HTTP Server

$ sudo yum install httpd

Start Apache HTTP Server and Configure Firewall

On CentOS 7:
$ sudo systemctl start httpd
$ sudo systemctl enable httpd
$ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
$ sudo firewall-cmd --reload
On CentOS 6:
$ sudo service httpd start
$ sudo chkconfig httpd on
$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo service iptables save

Test Apache HTTP Server

To test the installation, check if httpd daemon is up and running successfully.
On CentOS 7 or onward:
$ sudo systemctl status httpd
 
 
On CentOS 6:
$ sudo service httpd status
httpd (pid  2069) is running...
After confirming the status of httpd, open a web browser, and go to http://<web-server-ip-address> to see if you can load the default Apache web page. The screenshot below shows the default Apache web page on CentOS 6 (192.168.1.8) and CentOS 7 (192.168.1.11).
 
Note that the default document root directory of httpd is /var/www/html on both CentOS 6 and 7. Let's move on to the next step.

Step Two: MariaDB/MySQL

The next step is to set up a database backend for the LAMP stack, for which we have two choices: MySQL and MariaDB. While CentOS/RHEL 6 ships with MySQL server/client packages, CentOS/RHEL 7 moves away from MySQL, and instead offers MariaDB, a community-developed fork of MySQL, as a default database.
 
Below is how to install MariaDB/MySQL server, and set it up to start automatically upon boot.
On CentOS 7:
$ sudo yum install mariadb-server
$ sudo systemctl start mariadb
$ sudo systemctl enable mariadb
On CentOS 6:
 
Install MySQL server/client package, and start MySQL server as follows. 
$ sudo yum install mysql-server
$ sudo service mysqld start
$ sudo chkconfig mysqld on
 
As MariaDB and MySQL are compatible with each other in terms of APIs and command-line usage, the LAMP stack can be configured and operated pretty much the same way regardless of whether you choose MariaDB or MySQL.
 
As a security precaution, run the following add-on script which is included in the MariaDB/MySQL server package.
 
$ sudo mysql_secure_installation
 
 
This script will reconfigure the database server for server hardening purposes. For example, it will change (empty) root password, remove anonymous user, disallow remote root login, and remove a default test database.

Step Three: PHP

The last step in setting up the LAMP stack is to install PHP, a server-side scripting language which is responsible for creating dynamic web pages for users. At a minimum, the LAMP stack requires the following two packages installed.
 
$ sudo yum install php php-mysql
 
The php package adds PHP support to Apache HTTP server, and the php-mysql package allows PHP applications to access MariaDB/MySQL server. Besides those two required packages, there are many other useful PHP modules you can install depending on your requirements. For example:
  • php-gd: needed for image processing in PHP applications.
  • php-odbc: needed for ODBC database access in PHP applications.
  • php-pecl-memcache: needed when setting up Memcached caching daemon.
  • php-pgsql: needed for PostgreSQL database access in PHP applications.
  • php-snmp: needed for querying SNMP-managed devices in PHP applications.
  • php-xml: needed for parsing XML in PHP applications.
  • php-soap: needed to support SOAP protocol in PHP applications.
  • php-xmlrpc: needed to support XML-RPC protocol in PHP applications.
 
You can get a full list of available PHP modules by running:
$ yum search php-
 
Next, let's change the default timezone used by PHP applications. You will need to find out your timezone by using tzselect command.
 
$ tzselect
 
 
After you answer a series of questions, the tzselect will print out your timezone string (e.g., "America/New_York"). Open /etc/php.ini file with a text editor, and add the following line.
date.timezone = "America/New_York"
Don't forget to restart httpd after installing PHP.
 
On CentOS 7:
$ sudo systemctl restart httpd
 
On CentOS 6:
$ sudo service httpd restart
Finally, let's check whether PHP is working properly. For this, use the following command, and check if the output of phpinfo() shows up correctly.
 
$ php -r "phpinfo();" | more
 
Once you verify PHP command-line output, let's create a test PHP file as follows, and verify that the PHP file is loaded successfully by Apache HTTP server.
$ sudo vi /var/www/html/test.php
<?php phpinfo(); ?>
 
Go to http://<web-server-ip-address>/test.php in your web browser. You should see the following output.
 
Now you have successfully set up the LAMP stack!