
Wednesday, 24 October 2018

How to Setup a MariaDB Server v10.2 in an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم


Abstract



Tutorial on how to set up the MariaDB database server v10.2.17 in an iocage jail on FreeNAS 11.1.


Assumptions and Prerequisites



  • OS: FreeNAS 11.1-U6
  • FreeNAS Host: fn
  • FreeNAS Network Interface: igb0
  • FreeNAS IP: 10.0.0.2
  • FreeNAS Subnet Mask: 24
  • Jail Container: iocage
  • iocage Version: 1.0 Alpha
  • Jail Release: 11.1-RELEASE
  • Jail Name: test
  • Jail Network Interface: vnet0
  • Jail Network Config: DHCP
  • Jail Default Route: 10.0.0.1
  • IP Version: IPv4
  • Bridge Network Interface: bridge0
  • DNS 1: 10.0.0.1 
  • Domain: example.com
  • ZPool Volume: tank
  • Database: MariaDB
  • Database Version: 10.2.17
  • Setup iocage Jail


Install MariaDB


root@test:~ # pkg install mariadb102-server



MariaDB Configuration


Choose the configuration template that best matches the size of your database server, e.g. my-small.cnf, my-medium.cnf, my-large.cnf, or my-huge.cnf, and copy it into place as my.cnf:
root@test:~ # cp /usr/local/share/mysql/my-small.cnf /usr/local/etc/my.cnf 



Enable MariaDB Server to start on boot


root@test:~ # sysrc mysql_enable="yes"


Start MariaDB Server


root@test:~ # service mysql-server start


Configure and Secure MariaDB Server for production


root@test:~ # mysql_secure_installation

   Enter current password for root (enter for none): [Press Enter]
   Set root password? [Y/n]: y
   Remove anonymous users? [Y/n]: y
   Disallow root login remotely? [Y/n]: y
   Remove test database and access to it? [Y/n]: y
   Reload privilege tables now? [Y/n]: y


Test Login of 'root' user


root@test:~ # mysql -u root -p


Test SQL Queries


MariaDB [(none)]> select user,host,password from mysql.user;
MariaDB [(none)]> show databases; 
MariaDB [(none)]> exit;
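The `select user,host,password from mysql.user` query above is the natural place to verify that `mysql_secure_installation` did what it promised: no anonymous accounts, no remote root login, no empty passwords. The script below is an added example (not part of the original post) that audits exactly that listing. It reads the tab-separated output of `mysql -N -B -e "select user,host,password from mysql.user"`; both samples and the placeholder hashes are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the mysql.user listing and
# flag what mysql_secure_installation is supposed to have removed.
# Input: tab-separated output of
#   mysql -N -B -e "select user,host,password from mysql.user"
# The samples below are constructed; the hashes are placeholders, not real ones.

# Constructed: a server where mysql_secure_installation was never run.
unsecured_sample() {
    printf 'root\tlocalhost\t*0000000000000000000000000000000000000000\n'
    printf 'root\ttest\t\n'          # remote root login, empty password
    printf 'root\t127.0.0.1\t*0000000000000000000000000000000000000000\n'
    printf 'root\t::1\t*0000000000000000000000000000000000000000\n'
    printf '\tlocalhost\t\n'         # anonymous account
    printf '\ttest\t\n'              # anonymous account, reachable remotely
}

# Constructed: the same server after answering "y" to every question.
secured_sample() {
    printf 'root\tlocalhost\t*0000000000000000000000000000000000000000\n'
    printf 'root\t127.0.0.1\t*0000000000000000000000000000000000000000\n'
    printf 'root\t::1\t*0000000000000000000000000000000000000000\n'
}

# audit_users < listing: print one finding per line; exit 0 only when clean.
audit_users() {
    awk -F '\t' '
        {
            user = $1; host = $2; pw = $3
            if (user == "")      { print "anonymous account allowed from " host; n++ }
            else if (pw == "")   { print "empty password for " user "@" host; n++ }
            if (user == "root" && host != "localhost" && host != "127.0.0.1" && host != "::1")
                                 { print "root may log in remotely from " host; n++ }
        }
        END { exit (n > 0) }'
}

# count_findings < listing: number of findings, handy for cron alerts.
count_findings() { audit_users | wc -l | tr -d ' '; }

echo "== before mysql_secure_installation =="
unsecured_sample | audit_users || echo "-> not production ready"
echo "== after =="
secured_sample | audit_users && echo "-> clean"
```

Run it against the live server with `mysql -N -B -e "select user,host,password from mysql.user" | sh -c '. ./audit.sh; audit_users'` (or paste the functions into your own script); a non-zero exit status means one of the hardening steps was skipped.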



Helpful Commands


Search for package
root@test:~ # pkg search mariadb


Resource Links


How to Setup NGINX Web Server in an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم


Abstract



Tutorial on how to set up the NGINX web server with PHP 7.2 in an iocage jail on FreeNAS 11.1.


Assumptions and Prerequisites



  • OS: FreeNAS 11.1-U6
  • FreeNAS Host: fn
  • FreeNAS Network Interface: igb0
  • FreeNAS IP: 10.0.0.2
  • FreeNAS Subnet Mask: 24
  • Jail Container: iocage
  • iocage Version: 1.0 Alpha
  • Jail Release: 11.1-RELEASE
  • Jail Name: test
  • Jail Network Interface: vnet0
  • Jail Network Config: DHCP
  • Jail Default Route: 10.0.0.1
  • IP Version: IPv4
  • Bridge Network Interface: bridge0
  • DNS 1: 10.0.0.1 
  • Domain: example.com
  • ZPool Volume: tank
  • NGINX Version: 1.14.0_12
  • Web Directory: /usr/local/www/html
  • PHP Version: 7.2
  • Certificate File Name and Location: /usr/local/etc/ssl/test.crt
  • Certificate Key File Name and Location: /usr/local/etc/ssl/test.key
  • Setup iocage Jail

NGINX


Install NGINX
root@test:~ # pkg install nginx

Install Output


Enable NGINX to start on boot
root@test:~ # sysrc nginx_enable="yes"

Start NGINX Server
root@test:~ # service nginx start

Check to see what ports NGINX is listening on
root@test:~ # sockstat -4 -6 | grep nginx


NGINX Running Success


NGINX Loads Default Page


PHP72


Install PHP72
root@test:~ # pkg install php72 php72-extensions

Create Web Directory
root@test:~ # mkdir -p /usr/local/www/html

Edit the main NGINX configuration file so that requests for .php files are passed to PHP-FPM
root@test:~ # ee /usr/local/etc/nginx/nginx.conf

. . . . . . . . . . . . 
02: user www;
. . . . . . . . . . . . 
42: server_name  test;
. . . . . . . . . . . .
49: root   /usr/local/www/html;
50: index  index.php index.html index.htm;
. . . . . . . . . . . . 
70: location ~ \.php$ { 
71:     root                  /usr/local/www/html;                                                                             
72:     fastcgi_pass    127.0.0.1:9000;                                                                                 
73:     fastcgi_index  index.php;                                                                                      
74:     fastcgi_param SCRIPT_FILENAME $request_filename;
75:     include            fastcgi_params;                                                                                 
76: } 
. . . . . . . . . . . .


Create php.ini by copying the production template
root@test:~ # cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Configure php.ini
root@test:~ # ee /usr/local/etc/php.ini

672: post_max_size = 10M
776: cgi.fix_pathinfo=0
825: upload_max_filesize = 10M
939: date.timezone = "Australia/Melbourne"

Enable PHP-FPM to start on boot
root@test:~ # sysrc php_fpm_enable="yes"

Start the PHP-FPM Service
root@test:~ # service php-fpm start

Check to see what ports PHP-FPM is listening on
root@test:~ # sockstat -4 -6 | grep php-fpm

PHP-FPM Running Success 
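The two `sockstat` checks above are worth turning into something a script can assert on: NGINX should be the only thing listening on 80/443, and PHP-FPM should be reachable on 127.0.0.1:9000 only. If FPM were bound to every interface, any host on the network could reach the FastCGI socket directly and bypass NGINX entirely. The script below is an added example (not part of the original post); the samples are constructed in the column layout FreeBSD's `sockstat` prints, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): parse "sockstat -4 -6" output
# and confirm PHP-FPM listens on loopback only. Samples are constructed.

# Constructed sample: the healthy setup from the tutorial.
sample_good() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      nginx      1234  6  tcp4   *:80                  *:*
www      nginx      1234  7  tcp4   *:443                 *:*
root     nginx      1230  6  tcp4   *:80                  *:*
root     nginx      1230  7  tcp4   *:443                 *:*
www      nginx      1234  9  tcp4   127.0.0.1:52133       127.0.0.1:9000
www      php-fpm    1300  0  tcp4   127.0.0.1:9000        *:*
root     php-fpm    1290  7  tcp4   127.0.0.1:9000        *:*
EOF
}

# Constructed sample: a pool configured with "listen = 9000" (all interfaces).
sample_exposed() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      nginx      1234  6  tcp4   *:80                  *:*
www      php-fpm    1300  0  tcp4   *:9000                *:*
root     php-fpm    1290  7  tcp4   *:9000                *:*
EOF
}

# listening_addrs CMD < sockstat-output: distinct LOCAL ADDRESS values of the
# listening sockets (FOREIGN ADDRESS "*:*") owned by CMD, one per line.
# Established connections (a real foreign address) are ignored.
listening_addrs() {
    awk -v cmd="$1" 'NR > 1 && $2 == cmd && $7 == "*:*" { print $6 }' | sort -u
}

# fpm_is_local < sockstat-output: succeed only when php-fpm is listening and
# every listener is on 127.0.0.1 or ::1; otherwise name the problem and fail.
fpm_is_local() {
    listening_addrs php-fpm | awk '
        $0 !~ /^(127\.0\.0\.1|::1|\[::1\]):[0-9]+$/ { print "php-fpm exposed on " $0; bad = 1 }
        END {
            if (NR == 0) { print "php-fpm is not listening at all"; bad = 1 }
            exit bad
        }'
}

echo "== nginx listeners =="
sample_good | listening_addrs nginx
echo "== php-fpm (good) =="
sample_good | fpm_is_local && echo "ok: loopback only"
echo "== php-fpm (exposed) =="
sample_exposed | fpm_is_local || echo "-> fix the 'listen' directive in the PHP-FPM pool config"
```

On the jail itself, replace the sample with the live command: `sockstat -4 -6 | fpm_is_local`.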


Create a php file to check if php works
root@test:~ # echo "<?php phpinfo(); ?>" | tee /usr/local/www/html/phpinfo.php

Restart NGINX
root@test:~ # service nginx restart

Go to http://test/phpinfo.php to check if php script works. 


PHP Page Load Success


Setup HTTPS / SSL / TLS Service


To enable HTTPS on NGINX you need an SSL certificate and its private key. There is more than one way to acquire them:

  1. Self-Signed Certificate and Key
  2. Webhosting Provider
  3. Let's Encrypt / Certbot / Acme

Once you have the certificate files, copy them to the following locations.

Certificate File Name and Location: '/usr/local/etc/ssl/test.crt'
Key File Name and Location: '/usr/local/etc/ssl/test.key'

Certificate and Key File Location


Edit '/usr/local/etc/nginx/nginx.conf' file to define the location of those certificates.
root@test:~ # ee /usr/local/etc/nginx/nginx.conf

. . . . . . . . . . .
 22:  http {
. . . . . . . . . . .
 40:     server {
. . . . . . . . . . .
 84:     } # End of http server block
. . . . . . . . . . .
123:    # HTTPS Server
124:    server {
125:       listen       443 ssl;
126:       server_name  test;
127:
128:        ssl_certificate      /usr/local/etc/ssl/test.crt;
129:        ssl_certificate_key  /usr/local/etc/ssl/test.key;
130
131:        ssl_session_cache    shared:SSL:1m;
132:        ssl_session_timeout  5m;
133:
134:        ssl_ciphers  HIGH:!aNULL:!MD5;
135:        ssl_prefer_server_ciphers  on;
136:
137:        root   /usr/local/www/html;
138:
139:        location / {
140:            index  index.php index.html index.htm;
141:        }
142:
143:        location ~ \.php$ {
144:            fastcgi_param HTTPS on;
145:            fastcgi_pass   127.0.0.1:9000;
146:            fastcgi_index  index.php;
147:            fastcgi_param  SCRIPT_FILENAME $request_filename;
148:            include        fastcgi_params;
149:        }
150:    } # End of https server block
. . . . . . . . . . .
153:} # End of http block


HTTPS Server Block


Restart NGINX and PHP-FPM Service
root@test:~ # service nginx restart ; service php-fpm restart

Go to https://test/phpinfo.php to check that the certificate works.


Certificate works



Observations


When using Self-Signed Certificates, make sure your Internet browser recognises the Certificate Authority that issued the certificate and key.


Helpful Commands


Check NGINX configuration settings and syntax
root@test:~ # nginx -t


Resource Links


Thursday, 11 October 2018

How to Create and Configure an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم


Abstract


Tutorial on how to create and configure an iocage jail on FreeNAS 11.1.

Assumptions and Prerequisites


  • OS: FreeNAS 11.1-U6
  • FreeNAS Host: fn
  • FreeNAS Network Interface: igb0
  • FreeNAS IP: 10.0.0.2
  • FreeNAS Subnet Mask: 24
  • Jail Container: iocage
  • iocage Version: 1.0 Alpha
  • Jail Release: 11.1-RELEASE
  • Jail Name: test
  • Jail Network Interface: vnet0
  • Jail Network Config: DHCP | STATIC
  • Jail IP: 10.0.0.3
  • Jail Default Route: 10.0.0.1
  • IP Version: IPv4
  • Bridge Network Interface: bridge0
  • DNS 1: 10.0.0.1 
  • Domain: example.com
  • ZPool Volume: tank
  • Dataset: /mnt/tank/share

Instructions


List iocage Commands


root@fn:~ # iocage

Activate iocage zpool volume


To make iocage use the default zpool, run the following command.
root@fn:~ # iocage activate
    or
If more than one zpool exists on the FreeNAS, tell iocage which one to use.
iocage activate [zpool]
root@fn:~ # iocage activate tank

Fetch/Download a Release Image


Fetch a release which will be used to create a jail.

Fetch a release from a list
root@fn:~ # iocage fetch

Fetch a release by name
iocage fetch -r [RELEASE IMAGE NAME]
root@fn:~ # iocage fetch -r 11.1-RELEASE


Create a Jail with VNET/VIMAGE (Virtual Network Interface Stack) and DHCP


Command Example:  iocage create -n "[Name]" -r [Release] vnet="on" bpf="yes" dhcp="on" allow_raw_sockets="1" boot="on" interfaces="vnet[N]:bridge[N]" resolver="search [DOMAIN];domain [DOMAIN];nameserver [DNS1 IP]"

The following command creates a jail named "test" from the "11.1-RELEASE" image with the VNET/VIMAGE network stack, DHCP, and start-on-boot enabled.

root@fn:~ # iocage create -n "test" -r 11.1-RELEASE vnet="on" bpf="yes" dhcp="on" allow_raw_sockets="1" boot="on" interfaces="vnet0:bridge0" resolver="search example.com;domain example.com;nameserver 10.0.0.1"


Create a Jail with VNET/VIMAGE (Virtual Network Interface Stack) and Static IP Configuration


Command Example: iocage create -n "[Name]" -r [Release] ip4_addr="vnet[N]|[IP]/[Mask]" defaultrouter="[IP]" vnet="on" allow_raw_sockets="1" boot="on" interfaces="vnet[N]:bridge[N]" resolver="search [DOMAIN];domain [DOMAIN];nameserver [DNS1 IP]"


root@fn:~ # iocage create -n "test" -r 11.1-RELEASE vnet="on" ip4_addr="vnet0|10.0.0.3/24" defaultrouter="10.0.0.1" allow_raw_sockets="1" boot="on" interfaces="vnet0:bridge0" resolver="search example.com;domain example.com;nameserver 10.0.0.1"


Create a Jail with a Shared IP


Command Example: iocage create -n "[Name]" -r [Release] ip4_addr="[IF]|[IP]/[MASK]" defaultrouter="[IP]" vnet="off" allow_raw_sockets="1" boot="on" resolver="search [DOMAIN];domain [DOMAIN];nameserver [DNS1 IP]"

root@fn:~ # iocage create -n "test" -r 11.1-RELEASE ip4_addr="igb0|10.0.0.100/24" defaultrouter="10.0.0.1" vnet="off" allow_raw_sockets="1" boot="on" resolver="search example.com;domain example.com;nameserver 10.0.0.1"

List Jails, Releases, and Plugins


List all Jails
root@fn:~ # iocage list

List all downloaded Releases
root@fn:~ # iocage list -r

List all available Templates
root@fn:~ # iocage list -t

List Remote Plugins
iocage list -PR
or
iocage list --plugins --remote

List Installed Plugins
iocage list -P
or
iocage list --plugins

Start, Stop, or Restart a Jail


Start a Jail
iocage start [JAIL NAME]
root@fn:~ # iocage start test

Stop a Jail
iocage stop [JAIL NAME]
root@fn:~ # iocage stop test

Restart a Jail
iocage restart [JAIL NAME]
root@fn:~ # iocage restart test

Configure a Jail


Set Jail Property
iocage set [PROPERTY]="[ARG]" [JAIL NAME]
root@fn:~ # iocage set notes="This is a test jail." test

Get Jail Property
iocage get [PROPERTY] [JAIL NAME]
root@fn:~ # iocage get notes test

Get All Properties of a Jail
iocage get all [JAIL NAME]
root@fn:~ # iocage get all test

Delete/Destroy a Jail


iocage destroy [JAIL NAME]
root@fn:~ # iocage destroy test

Rename a Jail


iocage rename [OLD JAIL NAME] [NEW JAIL NAME]
root@fn:~ # iocage rename test test2

Log in to a Jail


iocage console [JAIL NAME]
root@fn:~ # iocage console test

Run a command inside a Jail


iocage exec [JAIL NAME] "[COMMAND]"
root@fn:~ # iocage exec test "ls -lfa /etc"

Mount Dataset inside a Jail as Read Only


iocage fstab -a [JAIL NAME] /source/folder  /destination/folder/in/jail  nullfs  ro  0  0
root@fn:~ # iocage fstab -a test /mnt/tank/share /mnt/share nullfs ro  0  0

Mount Dataset inside a Jail as Read and Write


iocage fstab -a [JAIL NAME] /source/folder  /destination/folder/in/jail  nullfs  rw  0  0
root@fn:~ # iocage fstab -a test /mnt/tank/share /mnt/share nullfs rw  0  0

List Jail Mount Entries


iocage fstab -l [JAIL NAME]
root@fn:~ # iocage fstab -l test

Edit Jail Mount Entries


iocage fstab -e [JAIL NAME]
root@fn:~ # iocage fstab -e test

Remove a Jail Mount Entry


iocage fstab -r [JAIL NAME] [INDEX]
root@fn:~ # iocage fstab -r test 0

Create Jail Snapshot


iocage snapshot -n "[SNAPSHOT NAME]" [JAIL]
root@fn:~ # iocage snapshot -n "Recent Upgrade" test

List Jail Snapshots


iocage snaplist [JAIL]
root@fn:~ # iocage snaplist test

Remove/Delete Jail Snapshot


iocage snapremove -n "[SNAPSHOT NAME]" [JAIL]
root@fn:~ # iocage snapremove -n "Recent Upgrade" test

Rollback Jail to a Snapshot


iocage rollback -n "[SNAPSHOT NAME]" [JAIL]
root@fn:~ # iocage rollback -n "Recent Upgrade" test


Observations


DNS Resolver


When you create a jail in iocage without defining the 'resolver' property, iocage copies the host system's (here the FreeNAS host's) DNS settings from '/etc/resolv.conf' into the jail.

If the FreeNAS host has been configured as a Domain Controller, its '/etc/resolv.conf' is reset to point at itself, e.g. "nameserver 127.0.0.1". The jail then inherits 127.0.0.1 as its nameserver as well, and every DNS query inside the jail fails, because 127.0.0.1 inside the jail is the jail itself, where no name service is running. For the jail's DNS to work, the resolver property must therefore be defined explicitly.

If you have a more complex network, such as a switch with multiple VLANs, you will also need to define the 'defaultrouter' and 'interfaces' properties so that the vnet interface is attached to the correct bridge interface and that bridge is in turn attached to the correct VLAN interface.
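The resolver pitfall above is easy to catch before the jail is created: inspect the host's resolv.conf for loopback nameservers and build the `resolver=` value from explicit addresses instead. The script below is an added example (not part of the original post); `build_resolver`, `resolv_needs_override` and the sample resolv.conf contents are my own constructions, and the property format it emits is the one the `iocage create` commands above use.

```shell
#!/bin/sh
# Added example (not part of the original post): build a safe 'resolver'
# property for 'iocage create' and detect the Domain Controller pitfall where
# the host's /etc/resolv.conf points at 127.0.0.1.

# is_loopback ADDR: succeed when ADDR is a loopback nameserver, which inside a
# jail refers to the jail itself rather than the host.
is_loopback() {
    case "$1" in
        127.*|::1|0:0:0:0:0:0:0:1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# resolv_needs_override < resolv.conf: succeed when any nameserver entry is
# loopback, i.e. when a jail inheriting this file would be unable to resolve.
resolv_needs_override() {
    awk '$1 == "nameserver" { print $2 }' | {
        found=0
        while read -r ns; do
            if is_loopback "$ns"; then found=1; fi
        done
        [ "$found" -eq 1 ]
    }
}

# build_resolver DOMAIN NAMESERVER...: print the resolver property value in the
# form used by the tutorial ("search D;domain D;nameserver N[;nameserver N2]"),
# refusing loopback nameservers.
build_resolver() {
    domain="$1"; shift
    [ -n "$domain" ] && [ $# -ge 1 ] || { echo "usage: build_resolver DOMAIN NS..." >&2; return 2; }
    out="search $domain;domain $domain"
    for ns in "$@"; do
        if is_loopback "$ns"; then
            echo "refusing nameserver $ns: loopback points at the jail, not the host" >&2
            return 1
        fi
        out="$out;nameserver $ns"
    done
    printf '%s\n' "$out"
}

# Constructed sample: what /etc/resolv.conf looks like on a FreeNAS host that
# has been made a Domain Controller.
dc_host_resolv() { printf 'search example.com\ndomain example.com\nnameserver 127.0.0.1\n'; }

if dc_host_resolv | resolv_needs_override; then
    echo "host resolv.conf points at loopback; pass an explicit resolver property:"
    echo "  resolver=\"$(build_resolver example.com 10.0.0.1)\""
fi
```

On the FreeNAS host itself run `resolv_needs_override < /etc/resolv.conf` before `iocage create`; if it succeeds, add `resolver="$(build_resolver example.com 10.0.0.1)"` to the create command.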



Helpful Commands


Check iocage version
root@fn:~ # iocage -v

iocage Help command
root@fn:~ # iocage --help

List all zpools on the FreeNAS
root@fn:~ # zpool list

Delete Release
iocage destroy -r [RELEASE NAME]
root@fn:~ # iocage destroy -r 11.0-RELEASE

Links and Resources




Friday, 11 November 2016

How to Install and Setup Samba4 DC in a FreeNAS 9.10 Jail

بسم الله الرحمن الرحيم



Abstract 


  • A tutorial to install Samba 4.3 as an Active Directory Domain Controller in a FreeNAS 9.10 Jail.
  • Configure and enable SSL for Samba's LDAP backend.


Assumptions and Prerequisites


  • Domain: example.com
  • Hostname: dc.example.com
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: dc
  • Private IP: 10.0.0.58
  • Subnet Mask: 255.255.255.0/24
  • Main Router IP: 10.0.0.1
  • DNS Forwarder IP: 10.0.0.1 (main router)
  • Service: Samba 4.3.11
  • DNS: Internal Samba DNS 
  • NTP Host IP: 10.0.0.1 (main router)
  • CA Certificate File: /usr/local/etc/ssl/certs/ca.pem
  • SSL Certificate File: /usr/local/etc/ssl/certs/dc.example.com.crt
  • SSL Key File: /usr/local/etc/ssl/private/dc.example.com.key


Instructions


Pre-installation setup

- Edit file /etc/rc.conf and change hostname to dc.example.com.
# vi /etc/rc.conf
  (7)    hostname="dc.example.com"

- Edit file /etc/hosts file and change the 10.0.0.58 -> dc.example.com dc
# vi /etc/hosts
  (14)   127.0.0.1               localhost localhost.localdomain dc
  (15)   10.0.0.58       dc.example.com dc

Installation 

- Install samba43. Do not install samba44 or any newer version, because newer releases no longer ship the ntvfs file server, i.e. there is no --use-ntvfs option, which is needed here for ZFS.
# pkg install samba43

- Provision Samba as an Active Directory Domain Controller
# samba-tool domain provision --use-ntvfs --use-rfc2307 --interactive
Realm [EXAMPLE.COM]:  (press Enter)
 Domain [EXAMPLE]:  (press Enter)
 Server Role (dc, member, standalone) [dc]: (press Enter)
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: (press Enter)
 DNS forwarder IP address (write 'none' to disable forwarding) [10.0.0.1]:  (press Enter)
Administrator password: (enter password)
Retype password: (re-enter password)

Query Result:    
Looking up IPv4 addresses 
Looking up IPv6 addresses  
No IPv6 address will be assigned 
Setting up share.ldb 
Setting up secrets.ldb  
Setting up the registry 
Setting up the privileges database 
Setting up idmap db  
Setting up SAM db      
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema 
Adding DomainDN: DC=example,DC=com 
Adding configuration container  
Setting up sam.ldb schema  
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers 
Adding users container 
Modifying users container 
Adding computers container
Modifying computers container 
Setting up sam.ldb data  
Setting up well known security principals 
Setting up sam.ldb users and groups 
Setting up self join 
Adding DNS accounts 
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions 
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized 
Fixing provision GUIDs 
A Kerberos configuration suitable for Samba 4 has been generated at /var/db/samba4/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use  
Server Role:           active directory domain controller   
Hostname:              dc
NetBIOS Domain:        EXAMPLE
DNS Domain:            example.com
DOMAIN SID:            S-1-5-21-458877043-2880298934-1173284452

- Edit /etc/resolv.conf so that the host's DNS points to the Samba DNS.
# vi /etc/resolv.conf
  (1)   search example.com
  (2)   domain example.com
  (3)   nameserver 127.0.0.1

- Create symbolic links for the kerberos keytab and config files in the /usr/local/etc directory.
# ln -s /var/db/samba4/private/krb5.conf /usr/local/etc/krb5.conf
# ln -s /var/db/samba4/private/dns.keytab /usr/local/etc/krb5.keytab

- Enable samba to run and also start at boot
# sysrc samba_server_enable="YES"

- Start samba server
# service samba_server start

Test Samba Server

- Verify LDAP Service DNS Record
# host -t SRV _ldap._tcp.example.com
Query Result: _ldap._tcp.example.com has SRV record 0 100 389 dc.example.com.

- Verify Kerberos Service DNS Record
# host -t SRV _kerberos._udp.example.com
Query Result: _kerberos._udp.example.com has SRV record 0 100 88 dc.example.com.

- Verify Domain Controller DNS Record
# host -t A dc.example.com
Query Result: dc.example.com has address 10.0.0.58

- Test Kerberos Authentication
# kinit administrator@EXAMPLE.COM
# klist
Query Result:
Credentials cache: FILE:/tmp/krb5cc_0 
        Principal: administrator@EXAMPLE.COM  
                      
  Issued                Expires               Principal 
Nov  6 21:16:46 2016  Nov  7 07:16:46 2016  krbtgt/EXAMPLE.COM@EXAMPLE.COM 

- Test Samba File Server
# smbclient -L localhost -U%
Query Result:
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.3.11]   
                      
        Sharename       Type      Comment 
        ---------       ----      -------  
        netlogon        Disk                
        sysvol          Disk               
        IPC$            IPC       IPC Service 
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.3.11]                                                                                     
        Server               Comment  
        ---------            -------   
                      
        Workgroup            Master  
        ---------            -------

- Test Samba User Logon
# smbclient //localhost/netlogon -Uadministrator
Query Result:
Enter administrator's password:   
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.3.11] 
smb: \>    

- List Domain Users
# wbinfo -u | sort

- List Domain Groups
# wbinfo -g | sort  

Enable SSL for LDAP Backend

- Generate Self-Signed Certificate Authority, Server Certificate and Key.

- Edit file /usr/local/etc/smb4.conf to configure SSL certs
# vi /usr/local/etc/smb4.conf
  (13)   tls enabled  = yes
  (14)   tls cafile   = /usr/local/etc/ssl/certs/ca.pem
  (15)   tls certfile = /usr/local/etc/ssl/certs/dc.example.com.crt
  (16)   tls keyfile  = /usr/local/etc/ssl/private/dc.example.com.key

- Restart samba server
# service samba_server restart

Samba Administration

- Download and install the Remote Server Administration Tools (RSAT) on a Windows workstation to administer the domain.

Sunday, 30 October 2016

How to install and configure Certbot in a FreeNAS Jail

بسم الله الرحمن الرحيم



Abstract



  • A tutorial to install and configure certbot within a FreeNAS Jail.
  • Certbot is the Electronic Frontier Foundation's client for obtaining free, automated SSL certificates (issued by Let's Encrypt) for web servers; the certificates are recognised by popular web browsers.


Assumptions and Prerequisites


  • Domain: example.com
  • Hostname: www.example.com
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: www
  • Private IP: 10.0.0.56
  • Subnet Mask: 255.255.255.0/24
  • Certbot Version: 0.9.3
  • Apache has already been installed.
  • Apache Version: 2.4.23
  • Apache Webroot directory: /usr/local/www/apache24/data
  • SSL Certificate File: /usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem
  • SSL Key File: /usr/local/etc/letsencrypt/live/www.example.com/privkey.pem 
  • Apache is bound to port 80 and 443.
  • Port 80 and 443 forwarding is enabled on the router to allow access to Apache webserver from the Internet.
  • Email: info@example.com (required to recover lost account details from certbot).



Instructions


- Install certbot
# pkg install py27-certbot

- Configure domain
# certbot certonly
Follow installer instructions
    domain: www.example.com
    webroot: /usr/local/www/apache24/data
    email: info@example.com

- Test certs renewal
# certbot renew --dry-run 

- Renew certs (renewal runs over port 80; certificates are valid for 90 days and are only renewed once fewer than 30 days remain before expiry).
# certbot renew --quiet

-  Force cert renewal with current issue date
# certbot renew --quiet --force-renewal

- Renew cert with a higher rsa-key size 4096
# certbot renew --quiet --rsa-key-size 4096 

-  Force cert renewal on https port 443 with a higher rsa-key size 4096
# certbot renew --quiet --rsa-key-size 4096 --force-renewal --tls-sni-01-port 443

- Change SSL Cert file paths in Apache to point to the new location of certbot's certificates
# vi /usr/local/etc/apache24/extra/httpd-ssl.conf
   (144)  SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem"
   (154)  SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.example.com/privkey.pem"
   (175)  #SSLCACertificateFile "/usr/local/etc/ssl/certs/ca.pem"

- Reload Apache config after certs renewal
# apachectl -k graceful

- Setup a cron job in FreeNAS to auto renew certs and reload the new apache settings with the following command.
# jexec www certbot renew --quiet --rsa-key-size 4096 && jexec www apachectl -k graceful

- Test the new SSL certs with the Qualys SSL Labs server test. This should give you an A+ on the SSL report.

- Links


Friday, 28 October 2016

How to install a secure Wordpress CMS in a FreeNAS Jail

بسم الله الرحمن الرحيم




Abstract 


A tutorial to install a secure Wordpress CMS on a FreeNAS 9.10.1 Jail.


Assumptions and Prerequisites



  • Domain: example.com
  • Hostname: www.example.com
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: www
  • Private IP: 10.0.0.56
  • Subnet Mask: 255.255.255.0/24
  • Database Server Name: db.example.com
  • Database Type and Version: MariaDB v10.1.18
  • Database Server IP: 10.0.0.57
  • Database Username: n7if835 (random generated)
  • Database Password: TunTeR3MPzqHy1KD (should be randomly generated)
  • Database Name: n7if835 (random generated)
  • Database Table Prefix: 24686nj9po7_ (should be randomly generated)
  • Database Server has SSL configured and enabled.
  • Apache has already been installed.
  • php56 and the necessary extensions are already installed.
  • Apache Webroot directory: /usr/local/www/apache24/data/
  • Apache 'AllowOverride' set to 'All'
  • Wordpress Version: 4.6.1


Instructions


Environment Setup

- Create a database 'n7if835' with username 'n7if835' with all privileges (Data, Structure, and Administration) and password 'TunTeR3MPzqHy1KD'

- Enable mod_rewrite module in apache by editing the file /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (177)   LoadModule rewrite_module libexec/apache24/mod_rewrite.so

- Install package wget to download wordpress archive
# pkg install wget

Install and Configure Wordpress

- Download wordpress from http://wordpress.org/latest.tar.gz
# cd /tmp
# wget http://wordpress.org/latest.tar.gz
- Unzip archive /tmp/latest.tar.gz
# tar xvf latest.tar.gz

- Copy /tmp/wordpress/ contents to webroot directory /usr/local/www/apache24/data/
# cp -Rfv /tmp/wordpress/* /usr/local/www/apache24/data/

- Goto https://www.example.com/ via web browser and follow the installation instructions.

- Enter the following Database details:
        Database Name: n7if835
        Username: n7if835
        Password: TunTeR3MPzqHy1KD
        Database Host: db.example.com
        Table Prefix: 24686nj9po7_

- Copy the generated code by wordpress installer into the file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php

- Click on the 'Run the Install' button and that will create the necessary database tables.

- Enter the following Site details:
        Site Title: www.example.com
        Username: webmin2001 (for security reasons don't use anything like 'admin')
        Password: (Enter strong password)
        Your Email: (your email address for this wordpress admin account)

- Enable Direct File System access by wordpress
# chmod -Rv 775 /usr/local/www/apache24/data/wp-content
- Edit file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
   (40)    /** If you don't want to use FTP to add/delete/update plugins/themes then define this option. **/
   (41)    define('FS_METHOD','direct');

- Test by deleting and adding a plugin or theme.

Securing Wordpress

- Enable DB SSL Connection by Wordpress
Edit File /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
   (43)    /** Force Wordpress to use SSL connection to Database **/
   (44)    define('MYSQL_CLIENT_FLAGS', MYSQL_CLIENT_SSL);

- Goto https://www.example.com/phpmyadmin via web browser and change the following details:
           Username: n7if835 SSL setting from 'REQUIRE NONE' to 'REQUIRE SSL'.
           Remove Administration Privileges for user n7if835

- Disable file editing for editing plugins and themes.
Edit file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
   (46)    /** Disable File Editing **/
   (47)    define('DISALLOW_FILE_EDIT', true);

- Force SSL Logins and SSL Admin Access
# vi /usr/local/www/apache24/data/wp-config.php
   (49)    /** Force SSL Logins **/
   (50)    define('FORCE_SSL_LOGIN', true);
   (51)
   (52)    /** Force SSL Admin Access **/
   (53)    define('FORCE_SSL_ADMIN', true);

- Delete 'license.txt' and 'readme.html' in the WordPress root directory, and 'install.php' in the wp-admin directory, because they are not needed and are potential security holes.
# rm -v /usr/local/www/apache24/data/license.txt 
# rm -v /usr/local/www/apache24/data/readme.html
# rm -v /usr/local/www/apache24/data/wp-admin/install.php

- Make the file /usr/local/www/apache24/data/wp-config.php only readable by user and group
# chmod 440 /usr/local/www/apache24/data/wp-config.php

- Move the file /usr/local/www/apache24/data/wp-config.php up one directory to prevent web users access.
# mv /usr/local/www/apache24/data/wp-config.php /usr/local/www/apache24/wp-config.php
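The three file-system steps above (delete the leftover files, restrict wp-config.php to mode 440, move it above the document root) are worth scripting so they can be re-applied after every WordPress upgrade and verified afterwards. The script below is an added example (not part of the original post): `harden_wp_root` performs the steps on whatever document root it is given, `verify_wp_root` checks the result, and `make_sample_webroot` builds a constructed throwaway tree so the whole thing can be exercised without touching a live site.

```shell
#!/bin/sh
# Added example (not part of the original post): apply and verify the
# file-system hardening steps for a WordPress document root.

# harden_wp_root DOCROOT: remove the disclosure files, make wp-config.php
# readable by owner and group only, and move it one directory up (WordPress
# also looks for wp-config.php in the parent of the document root).
harden_wp_root() {
    root="${1%/}"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    for f in license.txt readme.html wp-admin/install.php; do
        [ -e "$root/$f" ] && rm -v "$root/$f"
    done
    if [ -f "$root/wp-config.php" ]; then
        chmod 440 "$root/wp-config.php"
        mv -v "$root/wp-config.php" "$root/../wp-config.php"
    fi
}

# verify_wp_root DOCROOT: print one verdict per check; exit 1 if anything
# remains to be fixed.
verify_wp_root() {
    root="${1%/}"; bad=0
    for f in license.txt readme.html wp-admin/install.php; do
        if [ -e "$root/$f" ]; then echo "FIX   $f still present"; bad=1
        else echo "ok    $f removed"; fi
    done
    if [ -e "$root/wp-config.php" ]; then
        echo "FIX   wp-config.php still inside the document root"; bad=1
    fi
    cfg="$root/../wp-config.php"
    if [ -f "$cfg" ]; then
        # find -perm 440 is an exact mode match: prints the path only for 0440
        if [ -n "$(find "$cfg" -perm 440)" ]; then echo "ok    wp-config.php is mode 0440"
        else echo "FIX   wp-config.php is not mode 0440"; bad=1; fi
    else
        echo "FIX   $cfg missing"; bad=1
    fi
    return $bad
}

# make_sample_webroot: constructed tree mimicking a fresh WordPress extraction
# (empty placeholder files); prints the document root path.
make_sample_webroot() {
    top=$(mktemp -d "${TMPDIR:-/tmp}/wp.XXXXXX") || return 1
    mkdir -p "$top/data/wp-admin" "$top/data/wp-content/uploads"
    for f in index.php license.txt readme.html wp-admin/install.php wp-config.php; do
        : > "$top/data/$f"
    done
    chmod 644 "$top/data/wp-config.php"
    echo "$top/data"
}

demo_root=$(make_sample_webroot)
echo "== before =="; verify_wp_root "$demo_root" || true
harden_wp_root "$demo_root"
echo "== after ==";  verify_wp_root "$demo_root" || echo "-> hardening incomplete"
rm -rf "$(dirname "$demo_root")"
```

Mode 440 only helps if the web server process (user `www` on FreeBSD) owns wp-config.php or is in its group; check with `ls -l` before reloading Apache, or the site will fail with a database connection error rather than become more secure.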

- Disable php functions that are not needed (good practice if website is on a shared host).
# vi /usr/local/etc/php.ini
    (303)  disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

- Turn off expose_php in php.ini
# vi /usr/local/etc/php.ini
    (363)  expose_php = Off

- Disable opening urls as files
# vi /usr/local/etc/php.ini
    (831)  allow_url_fopen = Off
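The php.ini edits in this post (disable_functions, expose_php, allow_url_fopen) and the `cgi.fix_pathinfo=0` setting from the NGINX post above are the kind of thing that silently reverts when php.ini is regenerated from php.ini-production. The script below is an added example (not part of either post) that reads a php.ini and reports which of those values are still at the production default. Its `ini_get` parser skips comment lines, so the commented-out `;cgi.fix_pathinfo=1` shipped in php.ini-production is correctly treated as unset (PHP's built-in default is 1, which is why the NGINX post sets it to 0 explicitly). The two php.ini files it checks are constructed here; the live one is /usr/local/etc/php.ini.

```shell
#!/bin/sh
# Added example (not part of the original posts): verify the php.ini hardening
# values set in the NGINX and WordPress tutorials. Sample files are constructed.

# ini_get FILE KEY: print the effective value of KEY. Comment lines and
# [Section] headers are skipped, surrounding whitespace/quotes and trailing
# comments are stripped, and the last occurrence wins (as in PHP itself).
ini_get() {
    awk -v key="$2" '
        /^[[:space:]]*;/  { next }                         # comment line
        /^[[:space:]]*\[/ { next }                         # [Section] header
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (v !~ /^"/) sub(/[[:space:]]*;.*$/, "", v)  # trailing comment
            gsub(/^"|"$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# expect_ini FILE KEY WANTED: print a verdict; status 1 when KEY != WANTED.
expect_ini() {
    got=$(ini_get "$1" "$2")
    if [ "$got" = "$3" ]; then printf 'ok    %s = %s\n' "$2" "$got"; return 0; fi
    printf 'FIX   %s = "%s" (want %s)\n' "$2" "$got" "$3"; return 1
}

# check_php_ini FILE: run every check; exit 1 if any value is not hardened.
check_php_ini() {
    bad=0
    expect_ini "$1" cgi.fix_pathinfo 0 || bad=1
    expect_ini "$1" expose_php Off       || bad=1
    expect_ini "$1" allow_url_fopen Off  || bad=1
    disabled=",$(ini_get "$1" disable_functions | tr -d ' '),"
    for fn in exec passthru shell_exec system proc_open popen; do
        case "$disabled" in
            *",$fn,"*) printf 'ok    disable_functions covers %s\n' "$fn" ;;
            *)         printf 'FIX   disable_functions lacks %s\n' "$fn"; bad=1 ;;
        esac
    done
    return $bad
}

# make_sample_ini production|hardened: write a constructed php.ini excerpt and
# print its path.
make_sample_ini() {
    f=$(mktemp "${TMPDIR:-/tmp}/phpini.XXXXXX") || return 1
    if [ "$1" = hardened ]; then
        cat > "$f" <<'EOF'
[PHP]
; values from the tutorials
cgi.fix_pathinfo=0
expose_php = Off
allow_url_fopen = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
date.timezone = "Australia/Melbourne"
EOF
    else
        cat > "$f" <<'EOF'
[PHP]
; constructed excerpt of php.ini-production defaults
;cgi.fix_pathinfo=1
expose_php = On
allow_url_fopen = On
disable_functions =
EOF
    fi
    echo "$f"
}

PROD=$(make_sample_ini production); HARD=$(make_sample_ini hardened)
echo "== php.ini-production defaults =="; check_php_ini "$PROD" || true
echo "== hardened =="; check_php_ini "$HARD" || true
rm -f "$PROD" "$HARD"
```

Against the live jail: `check_php_ini /usr/local/etc/php.ini`, followed by `service php-fpm restart` once any FIX lines are dealt with.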

- Create .htaccess file in the wordpress root directory and write the following to prevent web directory browsing, user enumeration, includes directory access, hotlinking of images, and users from reading the wp-config file.
# vi /usr/local/www/apache24/data/.htaccess
    (1)    Options -Indexes +FollowSymLinks
    (2)  
    (3)    <IfModule mod_rewrite.c>
    (4)    RewriteEngine On
    (5)    RewriteBase /
    (6)
    (7)    # Enable Permalinks to work
    (8)    RewriteRule ^index\.php$ - [L]
    (9)    RewriteCond %{REQUEST_FILENAME} !-f
    (10)   RewriteCond %{REQUEST_FILENAME} !-d
    (11)   RewriteRule . /index.php [L]
    (12)
    (14)   # Prevent user enumeration
    (15)   RewriteCond %{QUERY_STRING} ^author=([0-9]*)
    (16)   RewriteRule .* https://www.example.com/? [L,R=302]
    (17)   RewriteRule ^wp-admin/includes/ - [F,L]
    (18)
    (19)   # Prevent includes directory access
    (20)   RewriteRule !^wp-includes/ - [S=3]
    (21)   RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    (22)   RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    (23)   RewriteRule ^wp-includes/theme-compat/ - [F,L]
    (24)
    (25)   # Disable hotlinking of images with forbidden or custom image option
    (26)   RewriteCond %{HTTP_REFERER} !^$
    (27)   RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example.com [NC]
    (28)   RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
    (29)   RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?feeds2.feedburner.com/example [NC]
    (30)   RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
    (31)
    (32)   # Disable XMLRPC
    (33)   RewriteRule ^xmlrpc.php$ "http://0.0.0.0/" [R=301,L]
    (34)
    (35)   # Restrict access to plugins and themes php files from unauthorised users
    (36)   RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
    (37)   RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
    (38)   RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
    (39)   RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
    (40)   RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
    (41)   RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
    (42)
    (43)   # Prevent Script injections
    (44)   RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    (45)   RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
    (46)   RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
    (47)   RewriteRule ^(.*)$ index.php [F,L]
    (48)   </IfModule>
    (49)
    (50)   # Protect wp-config.php from user access
    (51)   <files wp-config.php>
    (52)   Require all denied
    (53)   </files>

- Prevent execution of php scripts in the uploads directory
# vi /usr/local/www/apache24/data/wp-content/uploads/.htaccess
    (1)    # Disable php file execution
    (2)    <files *.php>
    (3)    Require all denied
    (4)    </files>

Thursday, 27 October 2016

How to install phpMyAdmin on a FreeNAS Jail

بسم الله الرحمن الرحيم


Abstract


A tutorial to install phpMyAdmin on a FreeNAS Jail. 

Assumptions and Prerequisites


  • Domain: example.com
  • Hostname: www.example.com
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: www
  • Private IP: 10.0.0.56
  • Subnet Mask: 255.255.255.0/24
  • Apache has already been installed.
  • php56 is already installed.
  • Restrict Access only to local LAN (10.0.0.0/24).

Instructions


- First install php extensions required for phpMyAdmin.    
# pkg install php56-session php56-json php56-mbstring php56-zip php56-gd php56-openssl php56-curl php56-ctype php56-bz2 php56-mcrypt php56-zlib

- Install and Configure phpMyAdmin for Database Web Administration
# pkg install phpmyadmin
- Create phpMyAdmin configuration file /usr/local/etc/apache24/Includes/phpmyadmin.conf
# vi /usr/local/etc/apache24/Includes/phpmyadmin.conf
   (1)      Alias /phpmyadmin "/usr/local/www/phpMyAdmin/"
   (2)       
   (3)      <Directory "/usr/local/www/phpMyAdmin/">                  
   (4)          Options None
   (5)          AllowOverride Limit
   (6)
   (7)          Require local
   (8)          Require ip 10.0.0.0/24
   (9)      </Directory>

- Reload Apache Configurations
# service apache24 graceful

- Configure phpMyAdmin to connect with the Database
Go to http://10.0.0.56/phpmyadmin/setup in a web browser.
Click the 'New server' button and enter the connection settings for the database server.
After configuring the database server connection, click the 'Display' button.

- Copy the generated php code into the file /usr/local/www/phpMyAdmin/config.inc.php
# vi /usr/local/www/phpMyAdmin/config.inc.php
Make sure the file carries a $cfg['blowfish_secret'] value (a random 32-character string); cookie authentication will not work without one. Once config.inc.php is in place, remove or deny access to the /usr/local/www/phpMyAdmin/setup directory, as the phpMyAdmin documentation recommends; it is only needed for the initial configuration. Note that this setup serves phpMyAdmin over plain http, so database credentials cross the LAN in clear text; serve it through the HTTPS virtual host if one is configured.

- Go to http://10.0.0.56/phpmyadmin in a web browser and log in to phpMyAdmin with your database username and password.

How to Install Apache webserver in a FreeNAS Jail

بسم الله الرحمن الرحيم


Abstract


  • A tutorial to install the Apache webserver in FreeNAS 9.10 Jail.
  • Configure and enable SSL on Apache.
  • Enable Virtual Hosts.
  • Enable and configure Apache Server Pool Management.
  • Configure Apache to run CGI and Perl scripts. 
  • Install and configure php56. 


Assumptions and Prerequisites



  • Domain: example.com
  • Hostname: www.example.com
  • System Notification Email: info@example.com 
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: www
  • Private IP: 10.0.0.56
  • Subnet Mask: 255.255.255.0 (/24)
  • Server Location: Melbourne, Australia
  • Webserver and Version: Apache v2.4.23_1
  • Apache Document Root Directory: /usr/local/www/apache24/data
  • Apache MPM: Prefork Module
  • Disable Directory Browsing.
  • AllowOverride All for .htaccess files.
  • CA Certificate File: /usr/local/etc/ssl/certs/ca.pem
  • SSL Certificate File: /usr/local/etc/ssl/certs/www.example.com.crt
  • SSL Key File: /usr/local/etc/ssl/private/www.example.com.key


Instructions


- Install Apache2.4
# pkg install apache24

- Configure Apache settings
Edit file /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (214) ServerAdmin info@example.com
   (222) ServerName www.example.com
   (260) Options -Indexes +FollowSymLinks
   (267) AllowOverride All

- Set Server Defaults for Production Server
Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (505) Include etc/apache24/extra/httpd-default.conf
Edit /usr/local/etc/apache24/extra/httpd-default.conf
# vi /usr/local/etc/apache24/extra/httpd-default.conf
   (55)  ServerTokens Prod

Enable apache to run and start on boot.
# sysrc apache24_enable="yes"
Start Apache Server
# service apache24 start

- Generate Self-Signed Certificate Authority, Server Certificate and Key.
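
The step above names the certificate authority, server certificate and key listed in the Assumptions but gives no commands for producing them. The script below is an added example, not the author's own procedure: it uses the openssl(1) command line to create a private CA, a server key and a CA-signed server certificate with a subjectAltName, writing them to certs/ca.pem, certs/www.example.com.crt and private/www.example.com.key under the directory you pass in (so /usr/local/etc/ssl matches the paths used in this post). The subject names and the 825-day leaf lifetime are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post: builds the private CA, server
# key and CA-signed server certificate that the "Generate Self-Signed ..." step
# calls for, using the openssl(1) CLI. Output paths follow the Assumptions
# section; subject names and lifetimes are this example's assumptions.

# gen_site_certs DIR HOSTNAME -> 0 on success, 1 if any openssl step fails
gen_site_certs() {
    dir=$1
    cn=$2
    mkdir -p "$dir/certs" "$dir/private" || return 1
    chmod 700 "$dir/private"

    # 1. Private CA, self-signed, 10 years. ca.key signs server certificates
    #    and must never leave this host; ca.pem is what clients import as trusted.
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
        -subj "/O=Example Private CA/CN=Example Root CA" \
        -keyout "$dir/private/ca.key" -out "$dir/certs/ca.pem" 2>/dev/null || return 1

    # 2. Server key and certificate signing request.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn" \
        -keyout "$dir/private/$cn.key" -out "$dir/$cn.csr" 2>/dev/null || return 1

    # 3. Leaf extensions: browsers ignore the CN and require a subjectAltName;
    #    CA:FALSE stops the server certificate being used to sign others.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$cn" > "$dir/$cn.ext"

    # 4. Sign the CSR with the CA. Modern clients reject very long leaf
    #    lifetimes; 825 days is a safe upper bound for a private CA.
    openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/certs/ca.pem" -CAkey "$dir/private/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/$cn.ext" \
        -out "$dir/certs/$cn.crt" 2>/dev/null || return 1
    rm -f "$dir/$cn.csr" "$dir/$cn.ext"
    chmod 600 "$dir/private/ca.key" "$dir/private/$cn.key"

    # 5. Verify the chain the way a client with ca.pem installed would.
    openssl verify -CAfile "$dir/certs/ca.pem" "$dir/certs/$cn.crt" >/dev/null 2>&1
}

# Usage (saved as gen-certs.sh): sh gen-certs.sh /usr/local/etc/ssl www.example.com
if [ $# -eq 2 ]; then
    gen_site_certs "$1" "$2" && echo "certificates written under $1"
fi
```

Point SSLCertificateFile and SSLCertificateKeyFile at the .crt and .key it writes, and import ca.pem into the trust store of every client that should accept the site without a warning. Because the server certificate is signed directly by the root, no intermediate chain needs to be configured on the Apache side.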

Enable SSL 

Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (89)   LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
   (144)  LoadModule ssl_module libexec/apache24/mod_ssl.so
   (513)  Include etc/apache24/extra/httpd-ssl.conf
Edit /usr/local/etc/apache24/extra/httpd-ssl.conf
# vi /usr/local/etc/apache24/extra/httpd-ssl.conf
   (52)   #SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
   (53)   #SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
   (65)   SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
   (66)   SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
   (124)  DocumentRoot "/usr/local/www/apache24/data"
   (125)  ServerName www.example.com:443
   (126)  ServerAdmin info@example.com
   (127)  ErrorLog "/var/log/httpd-error.log"
   (128)  TransferLog "/var/log/httpd-access.log"
   (144)  SSLCertificateFile "/usr/local/etc/ssl/certs/www.example.com.crt"
   (154)  SSLCertificateKeyFile "/usr/local/etc/ssl/private/www.example.com.key"
   (175)  SSLCACertificateFile "/usr/local/etc/ssl/certs/ca.pem"
Note: SSLCACertificateFile is only consulted when Apache verifies client certificates (SSLVerifyClient). A server certificate signed directly by your own CA needs no chain in the server configuration; instead, clients must import ca.pem into their trust store. Keep the key file readable by root only (chmod 600).
Check the syntax with service apache24 configtest, then reload the new settings for Apache
# service apache24 graceful

Enable Virtual Hosts

- Enable Virtual Hosts to redirect traffic from the unencrypted port (80) to the encrypted port (443).
Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (496)  Include etc/apache24/extra/httpd-vhosts.conf
Edit /usr/local/etc/apache24/extra/httpd-vhosts.conf
# vi /usr/local/etc/apache24/extra/httpd-vhosts.conf
   (23)       <VirtualHost *:80>
   (24)       ServerAdmin info@example.com
   (25)       DocumentRoot "/usr/local/www/apache24/data"
   (26)       ServerName www.example.com
   (27)       ServerAlias www.example.com
   (28)       ErrorLog "/var/log/www.example.com-error_log"
   (29)       CustomLog "/var/log/www.example.com-access_log" common
   (30)       Redirect permanent "/" "https://www.example.com/"
   (31)       </VirtualHost>
Note the trailing slash on the redirect target: Redirect appends the rest of the requested path to it, so without the slash a request for /foo would be sent to https://www.example.comfoo. "permanent" (301) lets browsers cache the redirect. The HTTPS side is served by the _default_:443 virtual host in httpd-ssl.conf.
Reload new settings for Apache
# service apache24 graceful


Enable Server Pool Management

Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (478)  Include etc/apache24/extra/httpd-mpm.conf
Lower the maximum number of simultaneous request workers from the default 250 to 50 by editing the /usr/local/etc/apache24/extra/httpd-mpm.conf file (under the prefork MPM each worker is a process, so MaxRequestWorkers caps memory use; size it to the RAM the jail can afford).
# vi /usr/local/etc/apache24/extra/httpd-mpm.conf
   (32)    MaxRequestWorkers      50
Reload new settings for Apache
# service apache24 graceful

Enable CGI and Perl Scripts


Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (162)   LoadModule cgid_module libexec/apache24/mod_cgid.so
   (165)   LoadModule cgi_module libexec/apache24/mod_cgi.so
   (260)   Options -Indexes +FollowSymLinks +ExecCGI
   (418)   AddHandler cgi-script .cgi .pl
Both LoadModule lines sit inside <IfModule> guards in the stock httpd.conf, so under the prefork MPM only mod_cgi is actually loaded. Be aware that +ExecCGI on the DocumentRoot, combined with AllowOverride All, runs any .cgi or .pl file that lands anywhere under the web root, uploads included; on a production server confine scripts to a ScriptAlias directory (the port ships /usr/local/www/apache24/cgi-bin) instead.
Reload new settings for Apache
# service apache24 graceful

- Create CGI Script to test on Server
Create file /usr/local/www/apache24/data/index.cgi
# vi /usr/local/www/apache24/data/index.cgi
   (1)     #!/usr/local/bin/perl
   (2)     use strict;
   (3)     use warnings;
   (4)     print "Content-type: text/html\n\n";
   (5)     print "<html>\n<body>\n";
   (6)     print "<div style=\"width: 100%; font-size: 40px; font-weight: bold; text-align: center;\">\n";
   (7)     print "CGI Test Page";
   (8)     print "\n</div>\n";
   (9)     print "</body>\n</html>\n";
Make the file executable (Apache needs read and execute permission; 755 is the conventional mode)
# chmod 755 /usr/local/www/apache24/data/index.cgi
- Test Script in Browser: http://www.example.com/index.cgi

- Create Perl Script to test on Server
Create file /usr/local/www/apache24/data/index.pl
# vi /usr/local/www/apache24/data/index.pl
   (1)     #!/usr/local/bin/perl
   (2)     use strict;
   (3)     use warnings;
   (4)     print "Content-type: text/html\n\n";
   (5)     print "<html>\n<body>\n";
   (6)     print "<div style=\"width: 100%; font-size: 40px; font-weight: bold; text-align: center;\">\n";
   (7)     print "Perl Test Page";
   (8)     print "\n</div>\n";
   (9)     print "</body>\n</html>\n";
- Make the file executable
# chmod 755 /usr/local/www/apache24/data/index.pl
- Test Script in Browser: http://www.example.com/index.pl
Remove both test scripts once the handler is confirmed working; they have no place on a production document root.

Install and Enable  php56

# pkg install -y php56 mod_php56 php56-mysql php56-mysqli php56-extensions
Create the php56 configuration file /usr/local/etc/apache24/Includes/php56.conf (note the capital I: the stock httpd.conf only includes etc/apache24/Includes/*.conf, and the jail's filesystem is case-sensitive, so a lowercase "includes" directory is silently ignored)
# vi /usr/local/etc/apache24/Includes/php56.conf
   (1)     <FilesMatch "\.php$">
   (2)         SetHandler application/x-httpd-php
   (3)     </FilesMatch>
   (4)     <FilesMatch "\.phps$">
   (5)         SetHandler application/x-httpd-php-source
   (6)     </FilesMatch>
Reload new settings for Apache
# service apache24 graceful

- Change script preference to execute index.php over index.html
Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (281)  DirectoryIndex index.php index.html
- Copy php.ini-production to php.ini
# cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
- Edit file /usr/local/etc/php.ini (timezone identifiers use a forward slash; while there, consider expose_php = Off so PHP stops announcing its version in the X-Powered-By header)
# vi /usr/local/etc/php.ini
   (936)   date.timezone = "Australia/Melbourne"
Reload new settings for Apache
# service apache24 graceful

- Create php Script to test on Server
Create file /usr/local/www/apache24/data/index.php
# vi /usr/local/www/apache24/data/index.php
   (1)       <html>
   (2)       <body>
   (3)       <div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
   (4)       <?php
   (5)            echo date("Y/m/d");
   (6)       ?>
   (7)       </div>
   (8)       </body>
   (9)       </html>
- Test Script in Browser: http://www.example.com/ (DirectoryIndex now serves index.php first). Delete the test script afterwards.

- Links

Sunday, 21 October 2012

How To Batch Convert/Transcode Videos Using VLC Media Player

بسم الله الرحمن الرحيم
In the Name of Allah. The Most gracious, The Most Merciful

Synopsis:


This is a tutorial on how to transcode and convert video files into the MP4 (MPEG-4) container at a 1024kbps video bitrate, using the H.264 video codec and the MP3 audio codec.

Assumptions and Prerequisites:


  • OS: Microsoft Windows 7
  • VLC Media Player (Version: 2.0.2) is already installed. 
  • Type of Videos: Home Movies.
  • User Level: Administrator
  • Scripting Language: Visual Basic Script (VBS)
  • Working Folder: D:\VLC
  • Script File Path and Name: D:\VLC\vlc.batch.transcode.videos.to.mp4.vbs
  • Source Folder: D:\VLC\Source
  • Target Folder: D:\VLC\Target
  • VLC Program Path:  C:\Program Files (x86)\VideoLAN\VLC 
  • Video Bitrate: 1024kbps
  • Video Container: MP4
  • Video Codec: H.264
  • Audio Codec: MP3
  • Audio Bitrate: 128kbps
  • Audio Channels: 2 (Stereo)
  • Audio Sample Rate: 44100Hz (CD Quality)

Instructions:


1. Download the VLC script archive (link 5 below) and save it on your computer. Read the .vbs before running it: it is a plain-text script that launches VLC with the transcoding options listed above, and a script downloaded from the web should never be run unread.

2. Extract the "VLC.rar" file to a directory of your choice, eg. "D:".

3. Copy the videos you want to transcode/convert into the "D:\VLC\Source" folder.

4. Right-click on the "D:\VLC\vlc.batch.transcode.videos.to.mp4.vbs" file and select "Run with Command Prompt".

5. The new transcoded files will be saved in the Target folder.

Conclusion:


While transcoding is in progress, a VLC Media Player window stays open with no video output and closes when the file is done; this repeats for each video.

When transcoding has completed, you should see all the video files converted in the Target folder. Any non-video files (eg. *.JPG) in the Source folder are copied to the Target folder unchanged. Once you have verified the files in the Target folder, you can delete everything under the Source folder.

If you want better video quality, increase the video bitrate (strBitrate) in the D:\VLC\vlc.batch.transcode.videos.to.mp4.vbs file before transcoding. Going much above 1024kbps produces a larger file with no significant gain in video quality, which defeats the purpose of transcoding these files. For home movies recorded with a typical Sony Cybershot or a Canon DSLR camera, 1024kbps strikes a good balance between quality and file size.

If this Post made your life a lot easier, then please leave a small donation as a token of your appreciation. :-)

Links:

  1. http://episteme.arstechnica.com/eve/forums/a/tpc/f/12009443/m/516001349831
  2. http://wiki.videolan.org/How_to_Batch_Encode 
  3. http://wiki.videolan.org/Transcode
  4. http://taylor.veltrop.com/software/transcode%201.1%20release.vbs
  5. http://www.jaleeltech.com.au/download/VLC.rar


Thursday, 11 October 2012

How To Configure Network Settings on CentOS 6.3


بسم الله الرحمن الرحيم
In the Name of Allah. The Most gracious, The Most Merciful

Synopsis:


A short tutorial on how to configure network settings on CentOS 6.3 machine.

Assumptions and Prerequisites:



  • OS: CentOS 6.3 x64
  • Server Name: mujahid
  • Subnet: 192.168.1.0/24
  • Server IP: 192.168.1.20
  • Subnet Mask: 255.255.255.0
  • DNS IP: 192.168.1.15
  • Gateway IP: 192.168.1.1
  • Domain: houseofjaleel.com.au
  • Network Device/Interface: eth0 
  • Text Editor: vi
  • Firewall (IPTables) is disabled.
  • SELinux is disabled.
  • '#' - Script Comment.
  • This machine is a Server; therefore has a fixed IP settings. It is not assigned any network settings from any DHCP or BOOTP service.

Step-by-Step Instructions:


1. Create the network configuration file /etc/sysconfig/network-scripts/ifcfg-eth0 with the following configurations and save it.

DEVICE="eth0"                 # Device name
HWADDR="00:0C:29:7D:A0:62"    # eth0's MAC address; yours will differ (see ifconfig eth0). Ties this file to that card.
NM_CONTROLLED="no"            # Not managed by the NetworkManager service.
BOOTPROTO="none"              # Static configuration; no DHCP or BOOTP.
ONBOOT="yes"                  # Bring the interface up at boot.
TYPE="Ethernet"               # Device type.
IPADDR="192.168.1.20"         # IP address of this interface.
NETMASK="255.255.255.0"       # Subnet mask.
GATEWAY="192.168.1.1"         # Default gateway (usually the router).
DNS1="192.168.1.15"           # DNS server on the LAN; ifup writes it to /etc/resolv.conf.
DOMAIN="houseofjaleel.com.au" # Search domain; omit if the network has none.
IPV6INIT="no"                 # Do not configure IPv6 on this interface.
USERCTL="no"                  # Only root may bring the interface up or down.


Clean (without comments) version of the file /etc/sysconfig/network-scripts/ifcfg-eth0


DEVICE="eth0"
HWADDR="00:0C:29:7D:A0:62"  
NM_CONTROLLED="no"  
BOOTPROTO="none"  
ONBOOT="yes" 
TYPE="Ethernet"
IPADDR="192.168.1.20" 
NETMASK="255.255.255.0" 
GATEWAY="192.168.1.1" 
DNS1="192.168.1.15" 
DOMAIN="houseofjaleel.com.au" 
IPV6INIT="no" 
USERCTL="no"


2. Restart Network service.
# /etc/rc.d/init.d/network restart

3. Enable Network Service to start at boot time.
# chkconfig network on

4. Check to see if network settings have been loaded from the configuration file for 'eth0'.
# ifconfig

5. Disable the ipv6 module on this server from loading at boot time.
# echo "install ipv6 /bin/true" > /etc/modprobe.d/disable-ipv6.conf
Red Hat's recommended method on RHEL/CentOS 6 is "options ipv6 disable=1" in that file instead, together with NETWORKING_IPV6=no in /etc/sysconfig/network and chkconfig ip6tables off: the module still loads but stays inactive, so software that expects it to be present does not fail.

6. Restart server.
# reboot

 7. Login as root and check network settings. It should show that there is no "inet6" setting anymore.
# ifconfig

Conclusion:


Change the "DNS1" configuration to "127.0.0.1" or "192.168.1.20", if DNS is configured on the local machine.

Use 'DNS2' to add a secondary DNS host (eg. DNS2="192.168.1.16").

IPV6 is outside of the scope of this tutorial.

Tuesday, 9 October 2012

How To Install Webmin and Usermin Via The YUM Package Manager On CentOS 6.3

Synopsis:


How To Install Webmin and Usermin via the YUM Package Manager On CentOS 6.3 x64.

Assumptions and Prerequisites:



  • Server IP Address: 192.168.1.11.
  • OS: CentOS 6.3 x64
  • Server Name: tyrion
  • Firewall (IPTables) is disabled.
  • YUM Repository EPEL has already been added.
  • SELinux is disabled.
  • (Disabled iptables and SELinux are lab-only assumptions; on a production server keep both on and open only tcp/10000 and tcp/20000 to the LAN.)
  • Text Editor: Nano


Step-by-Step Instructions:


1. Create the Webmin YUM Repo File: /etc/yum.repos.d/webmin.repo with the following configurations and save it.

[Webmin]
name=Webmin Distribution Neutral
#baseurl=http://download.webmin.com/download/yum
mirrorlist=http://download.webmin.com/download/yum/mirrorlist
enabled=1

2. Import the Webmin GPG signing key from the webmin website (fetch it over https so the key itself cannot be swapped in transit).
# rpm --import https://www.webmin.com/jcameron-key.asc

Webmin:


1. Install the required perl module.
# yum -y install perl-Net-SSLeay

2. Install Webmin via YUM.
# yum -y install webmin

3. Edit /etc/webmin/miniserv.conf and append the following line so that only the host itself and clients on the LAN can reach the Webmin login.

allow=127.0.0.1 192.168.1.0/24

4. Restart the Webmin service.
# /etc/rc.d/init.d/webmin restart


Usermin:


1. Install the required perl module.
# yum --enablerepo=epel -y install perl-Net-SSLeay perl-Authen-PAM

2. Install Usermin via YUM.
# yum -y install usermin

3. Edit /etc/usermin/miniserv.conf and append the following lines so that only the host itself and clients on the LAN can reach the Usermin login; denyusers=root keeps the root account out of Usermin.

allow=127.0.0.1 192.168.1.0/24
denyusers=root


4. Restart the Usermin service.
# /etc/rc.d/init.d/usermin restart


Conclusion:


Webmin:

Open a browser, go to https://192.168.1.11:10000 and log in as 'root'. Webmin ships with a self-signed certificate, so the browser will warn on the first visit; accept it only after confirming you are on the LAN.

If you have DNS configured, then https://tyrion:10000 will also work in the browser. And if you are on the same machine, then https://localhost:10000 will also work in the browser.


Usermin: 

Open browser and go to https://192.168.1.11:20000 and login as any user except root because root user has been disabled for usermin.


If you have DNS configured, then https://tyrion:20000 will also work in the browser. And if you are on the same machine, then https://localhost:20000 will also work in the browser.

How To Add Additional YUM Repositories In CentOS 6.3

Synopsis:


This is a tutorial on how to add two additional YUM repositories, RPMForge and EPEL, on CentOS 6.3 x64. (RPMForge/RepoForge has since been discontinued and its mirrors taken offline; EPEL is still maintained. The steps remain a record of the right order for any third-party repository: import the signing key, verify the release package against it, and only then install it.)

Assumptions and Prerequisites: 





Step-by-Step Instructions:


RPMForge:

1. Import GPG Key for the RPMForge package.
# rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt

2. Verify RPM package with GPG Key.
# rpm -K http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

3. Install RPM package for RPMForge YUM repository.
# rpm -i http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

EPEL:


1. Import GPG Key for the EPEL package.
# rpm --import  http://mirror.optus.net/epel/RPM-GPG-KEY-EPEL-6

2. Verify RPM package with GPG Key.
# rpm -K http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm

3. Install RPM package for EPEL YUM repository.
# rpm -i http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm

Conclusion:


After adding the RPMForge and EPEL YUM Repositories, you can install packages such as "htop" and "nano" via the YUM Package manager.

In order to add the EPEL and RPMForge Repositories for the x86(32 bit), you have to locate and install the 32 bit version from their respective mirrors.

How To Install and Configure DHCP Server on CentOS 6.3

Synopsis:


A short tutorial on how to Install and Configure a DHCP Server on CentOS 6.3 x64, listening on the "eth0" Interface only.

Assumptions and Prerequisites:


  • OS: CentOS 6.3 x64.
  • Server Name: mujahid
  • DNS IP: 192.168.1.10
  • IPv6 is disabled.
  • SELinux is disabled.
  • Firewall (IPTables) is disabled.
  • Subnet: 192.168.1.0/24
  • Domain: houseofjaleel.com.au
  • Gateway (Router IP Address): 192.168.1.1
  • Text Editor: Nano
  • Dynamic DNS (DDNS) is not enabled.

Step-by-Step Instructions:


1. Install the DHCP Package via a terminal.
# yum -y install dhcp

2. Edit file /etc/dhcp/dhcpd.conf with "nano" editor and write the following configuration:


# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample
#   see 'man 5 dhcpd.conf'
#


# Declare this server authoritative for the subnet, so it sends DHCPNAK to clients holding leases it does not know about
authoritative;

# Subnet 192.168.1.0/24
subnet 192.168.1.0 netmask 255.255.255.0 {

# default gateway
option routers 192.168.1.1;

# domain name
option domain-name "houseofjaleel.com.au";

# DNS's hostname or IP address
option domain-name-servers 192.168.1.10;

# dynamic pool; dynamic-bootp also answers BOOTP clients, drop it if none exist.
# Note: this pool overlaps the reservations below. Keeping reservations outside
# the pool (eg. range 192.168.1.100 192.168.1.200;) guarantees the pool can never
# hand a reserved address to a second client.
range dynamic-bootp 192.168.1.2 192.168.1.254;

# default lease time
default-lease-time 600;

# max lease time
max-lease-time 7200;

# broadcast address
option broadcast-address 192.168.1.255;

##### Reserved Hosts #####

# Router
host router {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.1;
}

# Farooq
host farooq {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.10;
}

# Tariq
host tariq {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.11;
}

# Humaira
host humaira {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.12;
}

# Khalid
host khalid {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.13;
}

# Asim
host asim {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.14;
}

# Mujahid
host mujahid {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.15;
}

# Amir
host amir {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.16;
}

# Muneera
host muneera {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.17;
}

# Atif
host atif {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.18;
}

} # end of Subnet 192.168.1.0/24

3. Edit /etc/sysconfig/dhcpd (the file the CentOS 6 init script sources; /etc/sysconfig/dhcp is not read) to make sure the DHCP service listens on the relevant interface (eth0) only.
# nano /etc/sysconfig/dhcpd
eg.
DHCPDARGS="eth0"

4. Start DHCP at boot.
# chkconfig dhcpd on

5. Check the configuration first (dhcpd -t -cf /etc/dhcp/dhcpd.conf reports syntax errors without starting the daemon), then start the DHCP service.
# /etc/rc.d/init.d/dhcpd start
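
dhcpd -t catches syntax errors, but not the logical mistakes that are easy to make in a file like the one above: a reservation sitting inside the dynamic pool, the same address reserved for two hosts, or a placeholder MAC left in place. The script below is an added example, not part of the original post; it is a small awk pre-flight check for single-statement-per-line configurations of this shape, run against a constructed sample (a cut-down copy of the config above with a narrower pool and four planted problems) when invoked without arguments.

```sh
#!/bin/sh
# Added example, not part of the original post: a pre-flight check for a
# dhcpd.conf laid out like the one above. "dhcpd -t -cf FILE" remains the
# authoritative syntax check; this catches what it does not report: a
# reservation inside the dynamic pool, an address reserved twice, and
# "xx:xx:..." placeholder MACs. It also flags statements missing their ";".
# Only simple one-statement-per-line files are handled.

# check_dhcpd_conf FILE -> exit 0 if clean, 1 with one line per finding on stdout
check_dhcpd_conf() {
    awk '
    function ip2n(a,  o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    BEGIN { h = "[0-9a-fA-F][0-9a-fA-F]"; macre = h ":" h ":" h ":" h ":" h ":" h }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments and blank lines
    /^[[:space:]]*(authoritative|option|range|default-lease-time|max-lease-time|hardware|fixed-address)/ && !/;[[:space:]]*$/ {
        printf "line %d: missing \";\" -> %s\n", NR, $0; bad++ }
    /^[[:space:]]*range/ {                             # range [dynamic-bootp] LO HI;
        hi = $NF; sub(/;$/, "", hi); lo = $(NF-1)
        rlo = ip2n(lo); rhi = ip2n(hi) }
    /^[[:space:]]*hardware ethernet/ && $0 !~ macre {
        printf "line %d: not a MAC address -> %s\n", NR, $0; bad++ }
    /^[[:space:]]*fixed-address/ {
        ip = $2; sub(/;$/, "", ip); n = ip2n(ip)
        if (ip in seen) { printf "line %d: %s already reserved on line %d\n", NR, ip, seen[ip]; bad++ }
        else seen[ip] = NR
        if (rlo && n >= rlo && n <= rhi) {
            printf "line %d: reservation %s lies inside dynamic pool %s-%s\n", NR, ip, lo, hi; bad++ } }
    END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample (not a real config): a cut-down copy of the file above with
# a narrower pool, one reservation left inside it, one address reserved twice,
# a placeholder MAC, and the ";" missing from one fixed-address line.
sample_conf() {
    cat <<'EOF'
authoritative;
subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.10;
  range 192.168.1.100 192.168.1.200;
  host farooq {
    hardware ethernet 00:0c:29:7d:a0:62;
    fixed-address 192.168.1.10;
  }
  host tariq {
    hardware ethernet 00:0c:29:7d:a0:63;
    fixed-address 192.168.1.11
  }
  host guest {
    hardware ethernet xx:xx:xx:xx:xx:xx;
    fixed-address 192.168.1.150;
  }
  host printer {
    hardware ethernet 00:0c:29:7d:a0:64;
    fixed-address 192.168.1.10;
  }
}
EOF
}

# Usage (saved as check-dhcpd.sh): sh check-dhcpd.sh /etc/dhcp/dhcpd.conf
# With no argument the built-in sample is checked and its four problems listed.
if [ $# -eq 1 ]; then
    check_dhcpd_conf "$1"
else
    tmp=$(mktemp) && sample_conf > "$tmp"
    check_dhcpd_conf "$tmp" || echo "sample: problems found (expected)"
    rm -f "$tmp"
fi
```

Run it after every edit and before the service restart; a non-zero exit with no findings printed means awk itself failed, which on a stock CentOS 6 install should not happen.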