
Wednesday, 24 October 2018

How to Setup a MariaDB Server v10.2 in an iocage Jail on FreeNAS 11.1

In the name of God, the Most Gracious, the Most Merciful


Abstract



Tutorial on how to set up MariaDB Database Server v10.2.17 in an iocage jail on FreeNAS 11.1.


Assumptions and Prerequisites



  • OS: FreeNAS 11.1-U6
  • FreeNAS Host: fn
  • FreeNAS Network Interface: igb0
  • FreeNAS IP: 10.0.0.2
  • FreeNAS Subnet Mask: 24
  • Jail Container: iocage
  • iocage Version: 1.0 Alpha
  • Jail Release: 11.1-RELEASE
  • Jail Name: test
  • Jail Network Interface: vnet0
  • Jail Network Config: DHCP
  • Jail Default Route: 10.0.0.1
  • IP Version: IPv4
  • Bridge Network Interface: bridge0
  • DNS 1: 10.0.0.1 
  • Domain: example.com
  • ZPool Volume: tank
  • Database: MariaDB
  • Database Version: 10.2.17
  • Setup iocage Jail


Install MariaDB


root@test:~ # pkg install mariadb102-server



MariaDB Configuration


Pick a starting configuration from the templates the port installs (my-small.cnf, my-medium.cnf, my-large.cnf or my-huge.cnf, sized by expected load) and copy it to /usr/local/etc/my.cnf. Review the [mysqld] section afterwards: if only processes inside this jail need the database, set bind-address to 127.0.0.1 so the server does not listen on the jail's LAN address; if other hosts (for example a web jail) must reach it, leave it listening and restrict access per user and host instead.
root@test:~ # cp /usr/local/share/mysql/my-small.cnf /usr/local/etc/my.cnf



Enable MariaDB Server to start on boot


root@test:~ # sysrc mysql_enable="yes"


Start MariaDB Server


root@test:~ # service mysql-server start


Configure and Secure MariaDB Server for production


root@test:~ # mysql_secure_installation

   Enter current password for root (enter for none): [Press Enter]
   Set root password? [Y/n]: y
   Remove anonymous users? [Y/n]: y
   Disallow root login remotely? [Y/n]: y
   Remove test database and access to it? [Y/n]: y
   Reload privilege tables now? [Y/n]: y


Test Login of 'root' user


root@test:~ # mysql -u root -p


Test SQL Queries


MariaDB [(none)]> select user,host,password from mysql.user;
MariaDB [(none)]> show databases; 
MariaDB [(none)]> exit;
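As an added check that is not part of the original post, the script below audits the output of the user/host query above for the two things mysql_secure_installation is meant to remove: anonymous accounts and root logins from anywhere but the local machine. It reads a tab-separated dump of the kind `mysql -N -u root -p -e "SELECT user,host FROM mysql.user" > users.tsv` produces; the two sample dumps here are constructed, and the host name 'test' in them is the jail name used throughout this post.

```shell
#!/bin/sh
# Audit a "SELECT user,host FROM mysql.user" dump for accounts that
# mysql_secure_installation should have removed.  On the real server:
#   mysql -N -u root -p -e "SELECT user,host FROM mysql.user" > users.tsv
#   audit_mysql_users users.tsv

# audit_mysql_users FILE -> prints one finding per line; exit 0 = clean, 1 = findings
audit_mysql_users() {
    awk -F '\t' '
        # empty user name = anonymous account (anyone can log in as it)
        $1 == "" { bad++; print "anonymous account on host " $2 }
        # root must only be reachable from the local machine
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            bad++; print "root may log in from " $2
        }
        END { if (bad > 0) exit 1; exit 0 }
    ' "$1"
}

# Constructed samples: a fresh install (jail host name "test") ...
tmp=$(mktemp -d)
printf 'root\tlocalhost\nroot\ttest\nroot\t127.0.0.1\nroot\t::1\n\tlocalhost\n\ttest\n' > "$tmp/before.tsv"
# ... and the same server after answering "y" to every mysql_secure_installation prompt
printf 'root\tlocalhost\nroot\t127.0.0.1\nroot\t::1\n' > "$tmp/after.tsv"

audit_mysql_users "$tmp/before.tsv" || echo "before hardening: NOT clean"
audit_mysql_users "$tmp/after.tsv" && echo "after hardening: clean"
```

Run it against a real dump after mysql_secure_installation and again after any restore from backup, since an old dump file silently brings the anonymous accounts back.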



Helpful Commands


Search for package
root@test:~ # pkg search mariadb


Resource Links


How to Setup Emby Media Server in an iocage Jail on FreeNAS 11.1

In the name of God, the Most Gracious, the Most Merciful


Abstract



Tutorial on how to set up Emby Media Server in an iocage jail on FreeNAS 11.1.


Assumptions and Prerequisites



  • OS: FreeNAS 11.1-U6
  • FreeNAS Host: fn
  • FreeNAS Network Interface: igb0
  • FreeNAS IP: 10.0.0.2
  • FreeNAS Subnet Mask: 24
  • Jail Container: iocage
  • iocage Version: 1.0 Alpha
  • Jail Release: 11.1-RELEASE
  • Jail Name: emby
  • Jail Network Interface: vnet0
  • Jail Network Config: DHCP
  • Jail Default Route: 10.0.0.1
  • IP Version: IPv4
  • Bridge Network Interface: bridge0
  • DNS 1: 10.0.0.1 
  • Domain: example.com
  • ZPool Volume: tank
  • Dataset: /mnt/tank/movies
  • Emby Server Version: 3.5.3.0
  • Setup iocage Jail


Create a Dataset on FreeNAS and Set Permissions


Create the dataset 'movies' on FreeNAS with share type 'Windows'.




Set the owner of dataset 'movies' to user 'mujahid' (uid 1000) and group 'media' (gid 8675309), applying the change recursively.



Mount Dataset in Emby Jail with Read/Write Permissions


root@fn:~ #  iocage fstab -a emby /mnt/tank/movies /mnt/movies nullfs rw 0 0


Installation 


Login/Console into Emby Jail



root@fn:~ # iocage console emby


Go to https://emby.media/freebsd-server.html to look up the instructions and release version on how to install the latest emby package.

Install Dependency packages for Emby Server


root@emby:~ # pkg install mono libass fontconfig freetype2 fribidi gnutls iconv opus samba48 sqlite3 libtheora libva libvorbis webp libx264 libzvbi


Install Emby Server

Emby publishes its FreeBSD build as a package on its GitHub releases page rather than through the FreeBSD package repository, so pkg cannot check it against a repository signature and 'pkg upgrade' will not update it; watch the release page for new versions yourself.

root@emby:~ # pkg add -f https://github.com/MediaBrowser/Emby.Releases/releases/download/3.5.3.0/emby-server-freebsd_3.5.3.0_amd64.txz


Create the group 'media' with gid 8675309 inside the emby jail, using the same gid the 'media' group has on the FreeNAS host, then add the 'emby' user to it. Permissions cross the nullfs mount by numeric gid, not by group name, so a jail group called 'media' with a different gid gets no access to the 'movies' dataset.

Create group 'media' with gid:8675309 
root@emby:~ # pw groupadd -n media -g 8675309

Add user 'emby' to group 'media'
root@emby:~ # pw groupmod media -m emby

Enable Emby to run at boot


root@emby:~ # sysrc emby_server_enable="YES"


Start Emby Service


root@emby:~ # service emby-server start


Run Emby Server Setup Wizard



Open a web browser and visit http://[IP ADDRESS]:8096 to run the Emby Server setup wizard. Emby serves the wizard and its web UI over plain HTTP on port 8096, so create the admin account from the LAN and keep the port off the internet unless you terminate TLS in front of it.


Resource Links

Tuesday, 23 October 2018

How to Setup an OpenVPN Client with IPFW in an iocage Jail on FreeNAS 11.1

In the name of God, the Most Gracious, the Most Merciful


Abstract



Tutorial on how to set up and configure an OpenVPN client in a Transmission iocage jail on FreeNAS 11.1, with IPFW rules that implement a VPN killswitch.


Assumptions and Prerequisites



  • OS: FreeNAS 11.1-U6
  • FreeNAS Host: fn
  • FreeNAS Network Interface: igb0
  • FreeNAS IP: 10.0.0.2
  • FreeNAS Subnet Mask: 24
  • Jail Container: iocage
  • iocage Version: 1.0 Alpha
  • Jail Release: 11.1-RELEASE
  • Jail Name: transmission
  • Jail Network Interface: vnet0
  • Jail Network Config: DHCP
  • Jail Default Route: 10.0.0.1
  • IP Version: IPv4
  • Bridge Network Interface: bridge0
  • DNS 1: 10.0.0.1 
  • Domain: example.com
  • ZPool Volume: tank
  • VPN Service Provider: Trust Zone VPN (https://trust.zone)
  • Setup iocage Jail
  • Firewall: IPFW


OpenVPN Pre-Setup Tasks


Allow Jail To Create TUN Network Devices


The OpenVPN client creates a tun(4) interface for the tunnel. The default iocage devfs ruleset for jails (ruleset 4, devfsrules_jail) hides tun devices from the jail, so without a change the client cannot create the interface and no tunnel to your VPN provider can come up. Unhide them by adding the rule below to ruleset 4. devfs rules do not survive a reboot, so run the command from a 'preinit' Init/Shutdown Script on the FreeNAS host rather than typing it once.
devfs rule -s 4 add path 'tun*' unhide



Reboot FreeNAS.

Download OpenVPN files from your VPN Provider


Download the necessary files from your VPN service provider. I downloaded the *.ovpn and userpass.txt files from my provider (trust.zone) and copied them to /usr/local/etc/openvpn/ (create the directory if it does not exist). Make sure the certificates, keys and settings are all present in trust_zone_vpn.ovpn and that its 'auth-user-pass' directive points at userpass.txt. That file holds your VPN account's username and password in clear text, which is what lets OpenVPN log in unattended when the jail starts or restarts, so keep it readable by root only.
root@transmission:~ # mkdir -p /usr/local/etc/openvpn

Setup OpenVPN Client


Install the openvpn package
root@transmission:~ # pkg install openvpn

Set the location of the openvpn config file
root@transmission:~ # sysrc openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"

Enable OpenVPN to start on boot
root@transmission:~ # sysrc openvpn_enable="YES"

Create a symbolic link named openvpn.conf pointing at your trust_zone_vpn.ovpn settings file, so the rc script finds it without renaming the provider's file
root@transmission:~ # ln -s /usr/local/etc/openvpn/trust_zone_vpn.ovpn /usr/local/etc/openvpn/openvpn.conf

Before starting the openvpn service, first check and note down your public IP. 
root@transmission:~ # host myip.opendns.com resolver1.opendns.com

Start the openvpn service
root@transmission:~ # service openvpn start

Wait a minute for the openvpn service to start and establish a connection. Check to see if the TUN device has been assigned a different IP. 
root@transmission:~ # ifconfig

Then check the public IP again. It should be different to the public IP you checked earlier before you started the openvpn service. 
root@transmission:~ # host myip.opendns.com resolver1.opendns.com 

If no tunnel comes up, or the public IP is unchanged, something went wrong. Check the messages log for the line "openvpn[####]: Initialization Sequence Completed", which OpenVPN prints once the connection is established; the errors logged before that point tell you what failed.

root@transmission:~ # tail -f -n 30 /var/log/messages

Setup VPN Killswitch with IPFW


Create directory to hold the ipfw startup script(s)
root@transmission:~ # mkdir -p /usr/local/etc/ipfw

Create startup script for ipfw rules
root@transmission:~ # ee /usr/local/etc/ipfw/ipfw_rules

---------File "/usr/local/etc/ipfw/ipfw_rules"---------------
#!/bin/sh
# Flush out the list before we begin, so stale rules never survive a reload
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
vpn="tun0"

# allow all local traffic on the loopback interface
$cmd 00001 allow all from any to any via lo0

# allow any connection to/from VPN interface
$cmd 00010 allow all from any to any via $vpn

# allow connection to/from LAN by Transmission
# (this also lets transmission reach the LAN resolver at 10.0.0.1,
#  so its DNS lookups leave outside the tunnel)
$cmd 00101 allow all from me to 10.0.0.0/24 uid transmission
$cmd 00102 allow all from 10.0.0.0/24 to me uid transmission

# deny any Transmission connection outside LAN that does not use VPN
# (must stay the highest-numbered rule for this uid: ipfw evaluates in order)
$cmd 00103 deny all from any to any uid transmission
--------------End of File-------------------------------------------

Enable IPFW to start on boot
root@transmission:~ # sysrc firewall_enable="YES"

Set the startup script for ipfw rules
root@transmission:~ # sysrc firewall_script="/usr/local/etc/ipfw/ipfw_rules"

Start the IPFW service
root@transmission:~ # service ipfw start
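As an added example that is not from the original post, the script below lints a killswitch ruleset like the one above before firewall_script is pointed at it. It checks the properties that make the rules fail closed: the table is flushed first, loopback and the tunnel interface are allowed, and the highest-numbered rule that mentions the restricted uid is a blanket deny. The two rule files it checks are constructed here (the first is the ruleset from this post, the second has the deny commented out); the uid name 'transmission' and interface 'tun0' are this post's values.

```shell
#!/bin/sh
# Lint an ipfw killswitch script before pointing firewall_script at it.
# A killswitch fails closed only if: the table is flushed first (no stale
# allow rules survive a reload), loopback and the tunnel interface are
# allowed, and the highest-numbered rule for the restricted uid denies
# everything.  ipfw evaluates rules in ascending number order, so a deny
# that is missing, commented out or numbered below the allows is the bug.

# check_killswitch RULEFILE UID [TUNIF] -> exit 0 if the script fails closed
check_killswitch() {
    f="$1"; u="$2"; tun="${3:-tun0}"; rc=0
    grep -q 'ipfw -q -f flush' "$f" \
        || { echo "no flush: stale rules would survive a reload"; rc=1; }
    grep -Eq 'allow (all|ip) from any to any via lo0' "$f" \
        || { echo "loopback not allowed"; rc=1; }
    grep -Eq 'allow (all|ip) from any to any via (\$vpn|'"$tun"')' "$f" \
        || { echo "tunnel $tun not allowed"; rc=1; }
    # highest-numbered non-comment rule that mentions the uid
    last=$(awk -v u="$u" '
        BEGIN { max = -1 }
        /^[[:space:]]*#/ { next }
        index($0, "uid " u) {
            n = -1
            for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { n = $i + 0; break }
            if (n >= max) { max = n; line = $0 }
        }
        END { print line }' "$f")
    case "$last" in
        *"deny all from any to any uid $u"*|*"deny ip from any to any uid $u"*) ;;
        *) echo "last rule for uid $u is not a blanket deny: ${last:-none}"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: the ruleset from this post, and a copy with the
# final deny commented out (a typical leftover from debugging)
tmp=$(mktemp -d)
cat > "$tmp/good" <<'EOF'
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
vpn="tun0"
$cmd 00001 allow all from any to any via lo0
$cmd 00010 allow all from any to any via $vpn
$cmd 00101 allow all from me to 10.0.0.0/24 uid transmission
$cmd 00102 allow all from 10.0.0.0/24 to me uid transmission
$cmd 00103 deny all from any to any uid transmission
EOF
sed 's/^\$cmd 00103/# &/' "$tmp/good" > "$tmp/bad"

check_killswitch "$tmp/good" transmission && echo "good: fails closed"
check_killswitch "$tmp/bad" transmission || echo "bad: rejected"
```

The lint only reads the script; it says nothing about whether the tunnel is actually up. Pair it with the public-IP check from the previous section after every reboot.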

Note: the rules above implement a VPN killswitch for the transmission user only. Sockets owned by any other uid in the jail, including openvpn itself, still use vnet0 directly, which is what lets the tunnel come up in the first place. Two caveats follow from that. First, rule 00101 lets transmission talk to the whole LAN, so its DNS lookups go to the jail's resolver at 10.0.0.1 outside the tunnel; if tracker host names must not leak, resolve through an address that is only reachable via tun0. Second, the major disadvantage of these rules is that they also block access to Transmission's web GUI from the LAN while the tunnel is up, so torrents cannot be administered. If anyone can write better IPFW rules that keep the killswitch without losing the web interface, let me know.

On my personal setup, instead of running OpenVPN and the killswitch rules inside the jail, I run the VPN client on my pfSense router and write the firewall rules for the Transmission jail there. I will probably write that up in a separate post.

Helpful Commands


Check your Public IP


root@transmission:~ # host myip.opendns.com resolver1.opendns.com
    .....or.....
root@transmission:~ # curl https://wtfismyip.com/text
    .....or.....
root@transmission:~ # curl ifconfig.me

Create a Symbolic link


root@transmission:~ # ln -s /path/to/source/file /path/to/new/link/file

Watch/Monitor a log file in real-time up to 30 lines


root@transmission:~ # tail -f -n 30 /var/log/messages

Resource Links



Thursday, 11 October 2018

How to Setup BitTorrent Client Transmission iocage Jail on FreeNAS 11.1

In the name of God, the Most Gracious, the Most Merciful


Abstract



Tutorial on how to set up and configure the Transmission BitTorrent client in an iocage jail on FreeNAS 11.1.

Assumptions and Prerequisites



  • OS: FreeNAS 11.1-U6
  • FreeNAS Host: fn
  • FreeNAS Network Interface: igb0
  • FreeNAS IP: 10.0.0.2
  • FreeNAS Subnet Mask: 24
  • Jail Container: iocage
  • iocage Version: 1.0 Alpha
  • Jail Release: 11.1-RELEASE
  • Jail Name: transmission
  • Jail Network Interface: vnet0
  • Jail Network Config: DHCP
  • Jail Default Route: 10.0.0.1
  • IP Version: IPv4
  • Bridge Network Interface: bridge0
  • DNS 1: 10.0.0.1 
  • Domain: example.com
  • ZPool Volume: tank
  • Dataset: /mnt/tank/torrents
  • Setup iocage Jail


Instructions


1. Create an iocage Jail with VNET configured by DHCP 


iocage create -n "[Name]" -r [Release] vnet="on" bpf="yes" dhcp="on" allow_raw_sockets="1" boot="on" interfaces="vnet[N]:bridge[N]" resolver="search [DOMAIN];domain [DOMAIN];nameserver [DNS1 IP]"

root@fn:~ # iocage create -n "transmission" -r 11.1-RELEASE defaultrouter="10.0.0.1" vnet="on" bpf="yes" dhcp="on" allow_raw_sockets="1" boot="on" interfaces="vnet0:bridge0" host_hostname="transmission" resolver="search example.com;domain example.com;nameserver 10.0.0.1"

2. Create Dataset and then mount inside the Jail


Create a user (e.g. mujahid) on FreeNAS as a member of the 'media' group (gid 8675309); this is the account that will get group access to the 'torrents' dataset.



Create a dataset 'torrents' on the FreeNAS volume as type 'Windows'.



Create a torrent watch directory(watch_dir) for transmission within the 'torrents' dataset. When any torrent file is copied into this directory, transmission will read the file and add to its queue for downloading. This is optional if you don't need to create a torrent watch directory.  
root@fn:~ # mkdir -p /mnt/tank/torrents/watch_dir

Create a torrent downloads directory(downloads) for transmission within the 'torrents' dataset. This is the directory transmission will use to save the downloaded files. 
root@fn:~ # mkdir -p /mnt/tank/torrents/downloads

Set dataset 'torrents' user owner as 'mujahid(uid:1000)' and group owner as 'media(gid:8675309)'. And set these permissions recursively.



Create a windows share for the 'torrents' dataset on FreeNAS, So the FreeNAS user 'mujahid' can access the 'downloads' directory contents.



Mount the dataset '/mnt/tank/torrents/downloads' on FreeNAS into "Transmission" jail with read/write access.
root@fn:~ #  iocage fstab -a transmission /mnt/tank/torrents/downloads /mnt/downloads nullfs rw 0 0

Mount dataset '/mnt/tank/torrents/watch_dir' on FreeNAS into transmission jail with read/write access.
root@fn:~ #  iocage fstab -a transmission /mnt/tank/torrents/watch_dir /mnt/watch_dir nullfs rw 0 0

3. Install and Configure Transmission client in iocage jail


Login/Console into the transmission jail
root@fn:~ # iocage console transmission

Install the transmission package
root@transmission:~ # pkg install transmission-daemon

Create the group 'media' with gid 8675309 inside the transmission jail, using the same gid the 'media' group has on the FreeNAS host, then add the 'transmission' user to it. Permissions cross the nullfs mount by numeric gid, not by group name, so a jail group called 'media' with a different gid gets no access to the 'torrents' dataset.

Create group 'media' with gid:8675309 
root@transmission:~ # pw groupadd -n media -g 8675309

Add user 'transmission' to group 'media'
root@transmission:~ # pw groupmod media -m transmission
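An added check that is not from the original posts: the group step above, and the identical step in the Emby post, only works when the numeric gid agrees on both sides of the nullfs mount. The script below compares the host's and the jail's /etc/group for a named group, verifies that the service user is a member, and prints the pw command that fixes whatever is missing. The group files are constructed samples (every id in them except 8675309 from this post is made up); on a real system pass /etc/group from FreeNAS and the jail's /etc/group under its root path.

```shell
#!/bin/sh
# Check that a group shared across a nullfs mount has the same numeric gid
# on the host and in the jail, and that the jail's service user belongs to
# it.  Permissions follow the gid, not the group name.

# gid_of GROUPFILE GROUP -> prints the gid, or nothing if the group is absent
gid_of() { awk -F: -v g="$2" '$1 == g { print $3 }' "$1"; }

# is_member GROUPFILE GROUP USER -> exit 0 if USER is listed in GROUP
is_member() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { if (ok) exit 0; exit 1 }' "$1"
}

# check_shared_group HOSTGROUPFILE JAILGROUPFILE GROUP USER
#   -> exit 0 when consistent; otherwise prints the pw command that fixes it
check_shared_group() {
    host="$1"; jail="$2"; grp="$3"; usr="$4"
    hg=$(gid_of "$host" "$grp"); jg=$(gid_of "$jail" "$grp")
    if [ -z "$hg" ]; then echo "group $grp does not exist on the host"; return 1; fi
    if [ -z "$jg" ]; then echo "group $grp missing in jail; run: pw groupadd -n $grp -g $hg"; return 1; fi
    if [ "$hg" != "$jg" ]; then echo "gid mismatch for $grp: host=$hg jail=$jg; run: pw groupmod $grp -g $hg"; return 1; fi
    if ! is_member "$jail" "$grp" "$usr"; then echo "$usr not in $grp; run: pw groupmod $grp -m $usr"; return 1; fi
    echo "ok: $grp is gid $hg on both sides and $usr is a member"
}

# Constructed group files (ids other than 8675309 are made up)
tmp=$(mktemp -d)
printf 'wheel:*:0:root\nmedia:*:8675309:mujahid\n' > "$tmp/host.group"
printf 'wheel:*:0:root\ntransmission:*:921:\n' > "$tmp/jail-fresh.group"
printf 'wheel:*:0:root\ntransmission:*:921:\nmedia:*:8675309:transmission\n' > "$tmp/jail-fixed.group"
printf 'wheel:*:0:root\nemby:*:989:\nmedia:*:1001:emby\n' > "$tmp/jail-typo.group"

for jailfile in jail-fresh jail-fixed; do
    check_shared_group "$tmp/host.group" "$tmp/$jailfile.group" media transmission || :
done
check_shared_group "$tmp/host.group" "$tmp/jail-typo.group" media emby || :
```

The 'jail-typo' case is the one that bites in practice: the group exists and the user is in it, but a mistyped gid means the jail's service writes files the FreeNAS user cannot open and cannot read the ones the user creates.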

Enable transmission to start on boot
root@transmission:~ # sysrc transmission_enable="YES"

Set transmission_chown to NO. With the default of YES, the rc script recursively changes the ownership of the configuration and download directories every time the service starts, which overrides the 'mujahid:media' ownership set on the FreeNAS dataset and locks the FreeNAS user out of the downloads share.
root@transmission:~ # sysrc transmission_chown="NO"

Set the download directory for transmission
root@transmission:~ # sysrc transmission_download_dir="/mnt/downloads"

Set the torrent watch directory for transmission (note this is a different variable from the download directory).
root@transmission:~ # sysrc transmission_watch_dir="/mnt/watch_dir"

Start and then stop the transmission service to create a '/usr/local/etc/transmission/home/settings.json' file with default settings.
root@transmission:~ # service transmission start && service transmission stop

Edit settings.json to change the following settings. Do this only while the daemon is stopped: transmission rewrites the file from its in-memory state on exit and would discard edits made while it is running. The rpc-whitelist entry only takes effect while rpc-whitelist-enabled is true (its default); if anything other than trusted LAN hosts can reach port 9091, also set rpc-authentication-required to true with an rpc-username and rpc-password.
root@transmission:~ # ee /usr/local/etc/transmission/home/settings.json

{   
    "port-forwarding-enabled": false, 
               .......
    "rpc-whitelist": "127.0.0.1, 10.0.0.*",     # Only for internal network clients to access 
               ....... 
    "speed-limit-up-enabled": true,             
               .......
    "trash-original-torrent-files": false,         # Do not save torrent files
    "umask": 2,                                   # 002 in octal (transmission stores it as decimal): downloads are group-writable
               .......
    "watch-dir": "/mnt/watch_dir",               # Watch directory for *.torrent files
    "watch-dir-enabled": true                        # Watch directory enabled
}

Start transmission service
root@transmission:~ # service transmission start

Go to http://[IP]:9091/transmission/web to check if the transmission web-gui is accessible.



Helpful Commands


Remove user from group
root@transmission:~ # pw groupmod media -d transmission

Show Group members
root@transmission:~ # pw groupshow media

watch/monitor a log file in real-time up to 30 lines
root@transmission:~ # tail -f -n 30 /var/log/messages

Links and Resources

Sunday, 30 October 2016

How to install and configure Certbot in a FreeNAS Jail

In the name of God, the Most Gracious, the Most Merciful



Abstract



  • A tutorial to install and configure certbot within a FreeNAS Jail.
  • Certbot is the Electronic Frontier Foundation's client for Let's Encrypt, which issues free, automatically renewable TLS certificates for web servers that mainstream browsers trust.


Assumptions and Prerequisites


  • Domain: example.com
  • Hostname: www.example.com
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: www
  • Private IP: 10.0.0.56
  • Subnet Mask: 255.255.255.0/24
  • Certbot Version: 0.9.3
  • Apache has already been installed.
  • Apache Version: 2.4.23
  • Apache Webroot directory: /usr/local/www/apache24/data
  • SSL Certificate File: /usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem
  • SSL Key File: /usr/local/etc/letsencrypt/live/www.example.com/privkey.pem 
  • Apache is bound to port 80 and 443.
  • Port 80 and 443 forwarding is enabled on the router to allow access to Apache webserver from the Internet.
  • Email: info@example.com (Let's Encrypt uses it for expiry warnings and account recovery).



Instructions


- Install certbot
# pkg install py27-certbot

- Configure domain
# certbot certonly
Follow installer instructions
    domain: www.example.com
    webroot: /usr/local/www/apache24/data
    email: info@example.com

- Test certificate renewal without touching the production CA
# certbot renew --dry-run

- Renew certificates (Let's Encrypt certificates are valid for 90 days; 'renew' only replaces those within 30 days of expiry and is a no-op otherwise, so it is safe to run daily)
# certbot renew --quiet

- Force renewal regardless of expiry date (this counts against Let's Encrypt's rate limits; do not put it in cron)
# certbot renew --quiet --force-renewal

- Renew with a 4096-bit RSA key
# certbot renew --quiet --rsa-key-size 4096

- Force renewal using the TLS-SNI-01 challenge on port 443 instead of HTTP on port 80 (Let's Encrypt has since retired the tls-sni-01 challenge; with current certbot releases use http-01 or dns-01 instead)
# certbot renew --quiet --rsa-key-size 4096 --force-renewal --tls-sni-01-port 443

- Change SSL Cert file paths in Apache to point to the new location of certbot's certificates
# vi /usr/local/etc/apache24/extra/httpd-ssl.conf
   (144)  SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem"
   (154)  SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.example.com/privkey.pem"
   (175)  #SSLCACertificateFile "/usr/local/etc/ssl/certs/ca.pem"

- Reload Apache config after certs renewal
# apachectl -k graceful

- Set up a cron job on FreeNAS (the host, entering the jail with jexec) to renew the certificates and reload Apache with the following command. The && only guards against a failed renewal; Apache is reloaded on every run whether or not anything was renewed, which is harmless but noisy.
# jexec www certbot renew --quiet --rsa-key-size 4096 && jexec www apachectl -k graceful
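As an added example that is not from the original post, the wrapper below does what the cron line above approximates: it reloads Apache only when the certificate file actually changed, and never after a failed renewal. The renew and reload commands are parameters so the logic can be exercised here with stand-ins; in the jail they would be "certbot renew --quiet" and "apachectl -k graceful" on the fullchain.pem path from the prerequisites. Newer certbot releases provide --deploy-hook for the same purpose, but the 0.9.x client used in this post does not.

```shell
#!/bin/sh
# Renewal wrapper for the cron job: reload Apache only when the certificate
# file changed, never after a failed renewal.  The renew and reload commands
# are parameters; in the jail they would be
#   renew_and_reload /usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem \
#       "certbot renew --quiet" "apachectl -k graceful"

# renew_and_reload CERT RENEW_CMD RELOAD_CMD
#   exit 0 = renewed and reloaded, 2 = nothing to do, 1 = renewal failed
renew_and_reload() {
    cert="$1"; renew="$2"; reload="$3"
    before=$(cksum < "$cert")
    if ! sh -c "$renew"; then
        echo "renewal failed; $cert and Apache left untouched" >&2
        return 1
    fi
    after=$(cksum < "$cert")
    if [ "$before" = "$after" ]; then
        echo "certificate unchanged; no reload"
        return 2
    fi
    sh -c "$reload" && echo "certificate changed; Apache reloaded"
}

# Constructed stand-ins: a placeholder cert file, a reload command that
# just records each call, and three renewal outcomes
tmp=$(mktemp -d)
echo "placeholder certificate (constructed, not a real PEM)" > "$tmp/fullchain.pem"
: > "$tmp/reloads"
RELOAD="echo reload >> $tmp/reloads"

renew_and_reload "$tmp/fullchain.pem" "true" "$RELOAD" || :                                  # not due yet
renew_and_reload "$tmp/fullchain.pem" "echo renewed >> $tmp/fullchain.pem" "$RELOAD" || :    # new cert written
renew_and_reload "$tmp/fullchain.pem" "false" "$RELOAD" || :                                 # certbot error
echo "apache reloads recorded: $(wc -l < "$tmp/reloads" | tr -d ' ')"
```

Only the second run triggers a reload. The distinct exit codes let cron mail you on a real failure (1) while staying quiet on the routine "nothing to do" case (2).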

- Test the new certificate with the Qualys SSL Labs server test. The rating depends on the protocol and cipher settings from the Apache post as much as on the certificate itself; an A or A+ is the target.

- Links


Friday, 28 October 2016

How to install a secure Wordpress CMS in a FreeNAS Jail

In the name of God, the Most Gracious, the Most Merciful




Abstract 


A tutorial to install a secure Wordpress CMS on a FreeNAS 9.10.1 Jail.


Assumptions and Prerequisites



  • Domain: example.com
  • Hostname: www.example.com
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: www
  • Private IP: 10.0.0.56
  • Subnet Mask: 255.255.255.0/24
  • Database Server Name: db.example.com
  • Database Type and Version: MariaDB v10.1.18
  • Database Server IP: 10.0.0.57
  • Database Username: n7if835 (random generated)
  • Database Password: TunTeR3MPzqHy1KD (should be randomly generated)
  • Database Name: n7if835 (random generated)
  • Database Table Prefix: 24686nj9po7_ (should be randomly generated)
  • Database Server has SSL configured and enabled.
  • Apache has already been installed.
  • php56 and the necessary extensions are already installed.
  • Apache Webroot directory: /usr/local/www/apache24/data/
  • Apache 'AllowOverride' set to 'All'
  • Wordpress Version: 4.6.1


Instructions


Environment Setup

- Create a database 'n7if835' with username 'n7if835' with all privileges (Data, Structure, and Administration) and password 'TunTeR3MPzqHy1KD'

- Enable mod_rewrite module in apache by editing the file /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (177)   LoadModule rewrite_module libexec/apache24/mod_rewrite.so

- Install package wget to download wordpress archive
# pkg install wget

Install and Configure Wordpress

- Download WordPress over HTTPS and compare the archive's checksum with the one published on the wordpress.org release page before extracting it
# cd /tmp
# wget https://wordpress.org/latest.tar.gz
- Extract the archive /tmp/latest.tar.gz
# tar xvf latest.tar.gz

- Copy /tmp/wordpress/ contents to webroot directory /usr/local/www/apache24/data/
# cp -Rfv /tmp/wordpress/* /usr/local/www/apache24/data/

- Goto https://www.example.com/ via web browser and follow the installation instructions.

- Enter the following Database details:
        Database Name: n7if835
        Username: n7if835
        Password: TunTeR3MPzqHy1KD
        Database Host: db.example.com
        Table Prefix: 24686nj9po7_

- Copy the generated code by wordpress installer into the file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php

- Click on the 'Run the Install' button and that will create the necessary database tables.

- Enter the following Site details:
        Site Title: www.example.com
        Username: webmin2001 (for security reasons don't use anything like 'admin')
        Password: (Enter strong password)
        Your Email: (your email address for this wordpress admin account)

- Enable Direct File System access by wordpress
# chmod -Rv 775 /usr/local/www/apache24/data/wp-content
- Edit file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
   (40)    /** If you don't want to use FTP to add/delete/update plugins/themes then define this option. **/
   (41)    define('FS_METHOD','direct');

- Test by deleting and adding a plugin or theme.

Securing Wordpress

- Enable DB SSL Connection by Wordpress
Edit File /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
   (43)    /** Force Wordpress to use SSL connection to Database **/
   (44)    define('MYSQL_CLIENT_FLAGS', MYSQL_CLIENT_SSL);

- Goto https://www.example.com/phpmyadmin via web browser and change the following details:
           Username: n7if835 SSL setting from 'REQUIRE NONE' to 'REQUIRE SSL'.
           Remove Administration Privileges for user n7if835

- Disable file editing for editing plugins and themes.
Edit file /usr/local/www/apache24/data/wp-config.php
# vi /usr/local/www/apache24/data/wp-config.php
   (46)    /** Disable File Editing **/
   (47)    define('DISALLOW_FILE_EDIT', true);

- Force SSL Admin Access (this covers logins as well; FORCE_SSL_LOGIN has been deprecated since WordPress 4.0 and is kept here only for compatibility with older plugins that read it)
# vi /usr/local/www/apache24/data/wp-config.php
   (49)    /** Force SSL Logins (deprecated alias, implied by FORCE_SSL_ADMIN) **/
   (50)    define('FORCE_SSL_LOGIN', true);
   (51)
   (52)    /** Force SSL Admin Access **/
   (53)    define('FORCE_SSL_ADMIN', true);

- Delete 'license.txt' and 'readme.html' from the WordPress root directory (readme.html discloses the installed version) and 'install.php' from wp-admin (it is only needed during installation); none of them should be reachable on a production site.
# rm -v /usr/local/www/apache24/data/license.txt 
# rm -v /usr/local/www/apache24/data/readme.html
# rm -v /usr/local/www/apache24/data/wp-admin/install.php

- Make wp-config.php readable only by its owner and group; it contains the database credentials and the authentication salts
# chmod 440 /usr/local/www/apache24/data/wp-config.php

- Move wp-config.php one directory above the document root. WordPress looks there automatically when the file is not in the root, and a file outside the document root cannot be served even if PHP handling breaks. Make sure that directory is not itself a DocumentRoot of any vhost.
# mv /usr/local/www/apache24/data/wp-config.php /usr/local/www/apache24/wp-config.php
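As an added check that is not part of the original post, the script below audits a wp-config.php for the hardening defines applied in this section and for its file mode, so the checks can be re-run after a WordPress update or a restore from backup. The two config files it inspects are constructed samples (one hardened as described above, one as the installer writes it), not real site configs; the database name n7if835 is the placeholder from this post.

```shell
#!/bin/sh
# Audit a wp-config.php for the hardening applied in this post and for its
# file mode.  Run it again after updates or restores:
#   audit_wp_config /usr/local/www/apache24/wp-config.php

# wp_define FILE NAME -> prints the raw value of define('NAME', value), or nothing
wp_define() {
    sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\(.*\)[[:space:]]*);.*/\1/p" "$1" | head -n 1
}

# audit_wp_config FILE -> prints one line per problem; exit status = number found
audit_wp_config() {
    f="$1"; bad=0
    for want in "DISALLOW_FILE_EDIT true" "FORCE_SSL_ADMIN true"; do
        name=${want%% *}; expect=${want#* }
        got=$(wp_define "$f" "$name")
        [ "$got" = "$expect" ] \
            || { echo "$name is ${got:-unset}, want $expect"; bad=$((bad + 1)); }
    done
    # MYSQL_CLIENT_SSL is a PHP constant, so the raw value is the bare token
    [ "$(wp_define "$f" MYSQL_CLIENT_FLAGS)" = "MYSQL_CLIENT_SSL" ] \
        || { echo "database connection is not forced over SSL"; bad=$((bad + 1)); }
    # the file holds the database password: the "other" bits must all be clear
    other=$(ls -l "$f" | cut -c8-10)
    [ "$other" = "---" ] \
        || { echo "wp-config.php is readable by everyone (other bits: $other)"; bad=$((bad + 1)); }
    return $bad
}

# Constructed samples: a hardened config as built in this post, and the
# stock file as the installer wrote it
tmp=$(mktemp -d)
cat > "$tmp/hardened.php" <<'EOF'
<?php
define('DB_NAME', 'n7if835');
define('FS_METHOD', 'direct');
define('MYSQL_CLIENT_FLAGS', MYSQL_CLIENT_SSL);
define('DISALLOW_FILE_EDIT', true);
define('FORCE_SSL_ADMIN', true);
EOF
chmod 440 "$tmp/hardened.php"
cat > "$tmp/stock.php" <<'EOF'
<?php
define('DB_NAME', 'n7if835');
EOF
chmod 644 "$tmp/stock.php"

audit_wp_config "$tmp/hardened.php" && echo "hardened.php: clean"
audit_wp_config "$tmp/stock.php" || echo "stock.php: $? problems"
```

The value comparison is deliberately literal (single quotes, lowercase true), matching how this post writes the defines; a file that uses double quotes will be reported as a mismatch rather than silently accepted.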

- Disable php functions that are not needed (good practice, especially on a shared host). Note that WordPress's HTTP API prefers cURL; with curl_exec disabled it falls back to its PHP streams transport, so confirm that plugin and core updates still work after this change.
# vi /usr/local/etc/php.ini
    (303)  disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

- Turn off expose_php in php.ini
# vi /usr/local/etc/php.ini
    (363)  expose_php = Off

- Disable opening urls as files
# vi /usr/local/etc/php.ini
    (831)  allow_url_fopen = Off

- Create a .htaccess file in the WordPress root directory with the following content to prevent directory browsing, user enumeration, direct access to the includes directory, image hotlinking and reading of wp-config.php. The query-string filters near the end are a coarse first line of defence only; keeping WordPress and its plugins updated is what actually closes injection bugs.
# vi /usr/local/www/apache24/data/.htaccess
    (1)    Options -Indexes +FollowSymLinks
    (2)
    (3)    <IfModule mod_rewrite.c>
    (4)    RewriteEngine On
    (5)    RewriteBase /
    (6)
    (7)    # Enable Permalinks to work
    (8)    RewriteRule ^index\.php$ - [L]
    (9)    RewriteCond %{REQUEST_FILENAME} !-f
    (10)   RewriteCond %{REQUEST_FILENAME} !-d
    (11)   RewriteRule . /index.php [L]
    (12)
    (13)   # Prevent user enumeration via ?author=N
    (14)   RewriteCond %{QUERY_STRING} ^author=([0-9]*)
    (15)   RewriteRule .* https://www.example.com/? [L,R=302]
    (16)
    (17)   # Prevent includes directory access
    (18)   RewriteRule ^wp-admin/includes/ - [F,L]
    (19)   RewriteRule !^wp-includes/ - [S=3]
    (20)   RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    (21)   RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    (22)   RewriteRule ^wp-includes/theme-compat/ - [F,L]
    (23)
    (24)   # Disable hotlinking of images (an empty referer, i.e. a direct visit, is still allowed)
    (25)   RewriteCond %{HTTP_REFERER} !^$
    (26)   RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com [NC]
    (27)   RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com [NC]
    (28)   RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?feeds2\.feedburner\.com/example [NC]
    (29)   RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
    (30)
    (31)   # Disable XML-RPC (answer 403 rather than redirecting the client elsewhere)
    (32)   RewriteRule ^xmlrpc\.php$ - [F,L]
    (33)
    (34)   # Restrict direct access to plugin and theme php files, with exclusions for the few that need it
    (35)   RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
    (36)   RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
    (37)   RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
    (38)   RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
    (39)   RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
    (40)   RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
    (41)
    (42)   # Reject the crudest script-injection attempts in the query string
    (43)   RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    (44)   RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
    (45)   RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
    (46)   RewriteRule ^(.*)$ index.php [F,L]
    (47)   </IfModule>
    (48)
    (49)   # Protect wp-config.php from user access
    (50)   <Files wp-config.php>
    (51)   Require all denied
    (52)   </Files>

- Prevent execution of php scripts in the uploads directory
# vi /usr/local/www/apache24/data/wp-content/uploads/.htaccess
    (1)    # Disable php file execution
    (2)    <files *.php>
    (3)    Require all denied
    (4)    </files>

Thursday, 27 October 2016

How to install phpMyAdmin on a FreeNAS Jail

In the name of God, the Most Gracious, the Most Merciful


Abstract


A tutorial to install phpMyAdmin on a FreeNAS Jail. 

Assumptions and Prerequisites


  • Domain: example.com
  • Hostname: www.example.com
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: www
  • Private IP: 10.0.0.56
  • Subnet Mask: 255.255.255.0/24
  • Apache has already been installed.
  • php56 is already installed.
  • Restrict Access only to local LAN (10.0.0.0/24).

Instructions


- First install php extensions required for phpMyAdmin.    
# pkg install php56-session php56-json php56-mbstring php56-zip php56-gd php56-openssl php56-curl php56-ctype php56-bz2 php56-mcrypt php56-zlib

- Install and Configure phpMyAdmin for Database Web Administration
# pkg install phpmyadmin
- Create phpMyAdmin configuration file /usr/local/etc/apache24/Includes/phpmyadmin.conf
# vi /usr/local/etc/apache24/Includes/phpmyadmin.conf
   (1)      Alias /phpmyadmin "/usr/local/www/phpMyAdmin/"
   (2)       
   (3)      <Directory "/usr/local/www/phpMyAdmin/">                  
   (4)          Options None
   (5)          AllowOverride Limit
   (6)
   (7)          Require local
   (8)          Require ip 10.0.0.0/24
   (9)      </Directory>

- Reload Apache Configurations
# service apache24 graceful

- Configure phpMyAdmin to connect with Database
Goto http://10.0.0.56/phpmyadmin/setup via web browser.
Click the button 'New server' and add a new server settings.
After configuring settings for the database server connection, click the 'Display' button.

- Copy the php code generated into the file /usr/local/www/phpMyAdmin/config.inc.php
# vi /usr/local/www/phpMyAdmin/config.inc.php

- Go to http://10.0.0.56/phpmyadmin in a web browser and log in with your database username and password. Once config.inc.php is in place, remove the /usr/local/www/phpMyAdmin/setup directory (or deny access to it in the Apache config) so it cannot be used to rewrite the configuration. Note that this is plain HTTP: the LAN-only Require rules are all that protects the database credentials in transit, so move phpMyAdmin under the HTTPS vhost once it exists.

How to Install Apache webserver in a FreeNAS Jail

In the name of God, the Most Gracious, the Most Merciful


Abstract


  • A tutorial to install the Apache webserver in a FreeNAS 9.10 Jail.
  • Configure and enable SSL on Apache.
  • Enable Virtual Hosts.
  • Enable and configure Apache Server Pool Management.
  • Configure Apache to run CGI and Perl scripts. 
  • Install and configure php56. 


Assumptions and Prerequisites



  • Domain: example.com
  • Hostname: www.example.com
  • System Notification Email: info@example.com 
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: www
  • Private IP: 10.0.0.56
  • Subnet Mask: 255.255.255.0/24
  • Server Location: Melbourne, Australia
  • Webserver and Version: Apache v2.4.23_1
  • Apache Document Root Directory: /usr/local/www/apache24/data
  • Apache MPM: Prefork Module
  • Disable Directory Browsing.
  • Allow Over Ride All to .htaccess files.
  • CA Certificate File: /usr/local/etc/ssl/certs/ca.pem
  • SSL Certificate File: /usr/local/etc/ssl/certs/www.example.com.crt
  • SSL Key File: /usr/local/etc/ssl/private/www.example.com.key


Instructions


- Install Apache2.4
# pkg install apache24

- Configure Apache settings
Edit file /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (214) ServerAdmin info@example.com
   (222) ServerName www.example.com
   (260) Options -Indexes +FollowSymLinks
   (267) AllowOverride All

- Set Server Defaults for Production Server
Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (505) Include etc/apache24/extra/httpd-default.conf
Edit /usr/local/etc/apache24/extra/httpd-default.conf
# vi /usr/local/etc/apache24/extra/httpd-default.conf
   (55)  ServerTokens Prod

Enable apache to run and start on boot.
# sysrc apache24_enable="yes"
Start Apache Server
# service apache24 start

- Generate Self-Signed Certificate Authority, Server Certificate and Key.
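The post names this step but gives no commands, so the following is an added example, not the author's own procedure. It builds a private CA, then issues a server certificate for www.example.com signed by that CA, with a subjectAltName (browsers ignore the CN for host matching). The layout mirrors the prerequisites above (ca.pem and the server certificate under certs/, the key under private/), but OUTDIR stands in for /usr/local/etc/ssl so the script only writes into a scratch directory; the CA name, validity periods and key sizes are assumptions.

```shell
#!/bin/sh
# Build a private CA and a CA-signed server certificate for www.example.com.
# Keys are written under umask 077 so they are never group/world readable.
# OUTDIR stands in for /usr/local/etc/ssl; the post keeps the CA cert at
# certs/ca.pem, the server cert in certs/ and the key in private/.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }

# make_ca_and_cert OUTDIR HOSTNAME -> exit 0 when the issued chain verifies
make_ca_and_cert() {
    out="$1"; host="$2"
    mkdir -p "$out/certs" "$out/private"
    old_umask=$(umask); umask 077
    # 1. CA key and self-signed CA certificate (10 years); the explicit
    #    basicConstraints/key usage is what makes openssl treat it as a CA
    cat > "$out/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = example.com private CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$out/private/ca.key" 4096 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -key "$out/private/ca.key" \
        -config "$out/ca.cnf" -out "$out/certs/ca.pem"
    # 2. server key and signing request
    openssl genrsa -out "$out/private/$host.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$out/private/$host.key" \
        -subj "/CN=$host" -out "$out/$host.csr"
    # 3. sign with the CA; the host name goes in subjectAltName, which is
    #    what browsers match against, and the EKU limits it to server use
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$host" > "$out/$host.ext"
    openssl x509 -req -sha256 -days 825 -in "$out/$host.csr" \
        -CA "$out/certs/ca.pem" -CAkey "$out/private/ca.key" -CAcreateserial \
        -extfile "$out/$host.ext" -out "$out/certs/$host.crt" 2>/dev/null
    umask "$old_umask"
    # 4. verify the chain the way a client that trusts ca.pem would
    openssl verify -CAfile "$out/certs/ca.pem" "$out/certs/$host.crt" >/dev/null
}

# cert_has_san CERTFILE HOSTNAME -> exit 0 when HOSTNAME is in the SAN list
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

out=$(mktemp -d)
make_ca_and_cert "$out" www.example.com && echo "chain verifies: $out/certs/www.example.com.crt"
cert_has_san "$out/certs/www.example.com.crt" www.example.com && echo "SAN present"
```

Install certs/ca.pem in the browsers or systems that need to trust the site; the CA key never leaves private/ and is only needed to issue further certificates.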

Enable SSL 

Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (89)   LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
   (144)  LoadModule ssl_module libexec/apache24/mod_ssl.so
   (513)  Include etc/apache24/extra/httpd-ssl.conf
Edit /usr/local/etc/apache24/extra/httpd-ssl.conf
# vi /usr/local/etc/apache24/extra/httpd-ssl.conf
   (52)   #SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
   (53)   #SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
   (65)   SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
   (66)   SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
   (124)  DocumentRoot "/usr/local/www/apache24/data"
   (125)  ServerName www.example.com:443
   (126)  ServerAdmin info@example.com
   (127)  ErrorLog "/var/log/httpd-error.log"
   (128)  TransferLog "/var/log/httpd-access.log"
   (144)  SSLCertificateFile "/usr/local/etc/ssl/certs/www.example.com.crt"
   (154)  SSLCertificateKeyFile "/usr/local/etc/ssl/private/www.example.com.key"
   (175)  SSLCACertificateFile "/usr/local/etc/ssl/certs/ca.pem"
Reload new settings for Apache
# service apache24 graceful

Enable Virtual Hosts

- Enable virtual hosts to redirect traffic from the unencrypted port (80) to the encrypted port (443).
Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (496)  Include etc/apache24/extra/httpd-vhosts.conf
Edit /usr/local/etc/apache24/extra/httpd-vhosts.conf
# vi /usr/local/etc/apache24/extra/httpd-vhosts.conf
   (23)  <VirtualHost *:80>
   (24)       ServerAdmin info@example.com
   (25)       DocumentRoot "/usr/local/www/apache24/data"
   (26)       ServerName www.example.com
   (27)       ServerAlias www.example.com
   (28)       ErrorLog "/var/log/www.example.com-error_log"
   (29)       CustomLog "/var/log/www.example.com-access_log" common
   (30)       Redirect "/" "https://www.example.com"
   (31)  </VirtualHost>
Reload new settings for Apache
# service apache24 graceful


Enable Server Pool Management

Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (478)  Include etc/apache24/extra/httpd-mpm.conf
Change the number of concurrent connections for the server from 250 to 50 by editing the /usr/local/etc/apache24/extra/httpd-mpm.conf file
# vi /usr/local/etc/apache24/extra/httpd-mpm.conf
   (32)    MaxRequestWorkers      50
Reload new settings for Apache
# service apache24 graceful

Enable CGI and Perl Scripts


Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (162)   LoadModule cgid_module libexec/apache24/mod_cgid.so
   (165)   LoadModule cgi_module libexec/apache24/mod_cgi.so
   (260)   Options -Indexes +FollowSymLinks +ExecCGI
   (418)   AddHandler cgi-script .cgi .pl
Reload new settings for Apache
# service apache24 graceful

- Create CGI Script to test on Server
Create file /usr/local/www/apache24/data/index.cgi
# vi /usr/local/www/apache24/data/index.cgi
   (1)     #!/usr/local/bin/perl
   (2)     print "Content-type: text/html\n\n";
   (3)     print "<html>\n<body>\n";
   (4)     print "<div style=\"width: 100%; font-size: 40px; font-weight: bold; text-align: center;\">\n";
   (5)     print "CGI Test Page";
   (6)     print "\n</div>\n";
   (7)     print "</body>\n</html>\n";
Change Permissions of file
# chmod 705 /usr/local/www/apache24/data/index.cgi
- Test Script in Browser

- Create Perl Script to test on Server
Create file /usr/local/www/apache24/data/index.pl
# vi /usr/local/www/apache24/data/index.pl
   (1)     #!/usr/local/bin/perl
   (2)     print "Content-type: text/html\n\n";
   (3)     print "<html>\n<body>\n";
   (4)     print "<div style=\"width: 100%; font-size: 40px; font-weight: bold; text-align: center;\">\n";
   (5)     print "Perl Test Page";
   (6)     print "\n</div>\n";
   (7)     print "</body>\n</html>\n";
- Change Permissions of file
# chmod 705 /usr/local/www/apache24/data/index.pl
- Test Script in Browser

Install and Enable php56

# pkg install -y php56 mod_php56 php56-mysql php56-mysqli php56-extensions
Create the php56 configuration file /usr/local/etc/apache24/includes/php56.conf
# vi /usr/local/etc/apache24/includes/php56.conf
   (1)     <FilesMatch "\.php$">
   (2)         SetHandler application/x-httpd-php
   (3)     </FilesMatch>
   (4)     <FilesMatch "\.phps$">
   (5)         SetHandler application/x-httpd-php-source
   (6)     </FilesMatch>
Reload new settings for Apache
# service apache24 graceful

- Change script preference to execute index.php over index.html
Edit /usr/local/etc/apache24/httpd.conf
# vi /usr/local/etc/apache24/httpd.conf
   (281)  DirectoryIndex index.php index.html
- Copy php.ini-production to php.ini
# cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
- Edit file /usr/local/etc/php.ini
# vi /usr/local/etc/php.ini
   (936)   date.timezone = "Australia/Melbourne"
Reload new settings for Apache
# service apache24 graceful

- Create php Script to test on Server
Create file /usr/local/www/apache24/data/index.php
# vi /usr/local/www/apache24/data/index.php
   (1)       <html>
   (2)       <body>
   (3)       <div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
   (4)       <?php
   (5)            print Date("Y/m/d");
   (6)       ?>
   (7)       </div>
   (8)       </body>
   (9)       </html>
- Test Script in Browser
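As an added example (not from the post or the Apache project), here is a small Python audit of the settings the steps above change by hand: ServerTokens, Options on the document root, AllowOverride, the SSLCipherSuite line and the key file location. The config fragments inside it are constructed to look like the edited files, with ServerTokens deliberately left at the stock value so the audit has something to report.

```python
"""Audit Apache config fragments for the hardening the post applies by hand.

Added example, not from the post or the Apache project.  It reads the settings
the post edits (ServerTokens, Options on the document root, AllowOverride,
SSLCipherSuite, the key file location) and reports the ones still at a risky
value.  The fragments below are constructed to look like the edited files.
"""
import re

DOCROOT = "/usr/local/www/apache24/data"

# Constructed fragments; the first two are as the post leaves them, the third
# deliberately keeps the stock ServerTokens so the audit has something to say.
HTTPD_CONF = """\
ServerName www.example.com
<Directory "/usr/local/www/apache24/data">
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
"""
HTTPD_SSL_CONF = """\
SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
<VirtualHost _default_:443>
SSLCertificateFile "/usr/local/etc/ssl/certs/www.example.com.crt"
SSLCertificateKeyFile "/usr/local/etc/ssl/certs/www.example.com.key"
</VirtualHost>
"""
HTTPD_DEFAULT_CONF = "ServerTokens Full\nServerSignature Off\n"


def directives(text):
    """Yield (section, name, value); section is the enclosing <Directory> path
    or None.  Flat enough for the files the post edits."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Directory\s+"?([^">]+?)"?\s*>', line)
        if m:
            section = m.group(1)
        elif line.startswith("</Directory"):
            section = None
        elif not line.startswith("<"):
            name, _, value = line.partition(" ")
            yield section, name, value.strip().strip('"')


def audit(*fragments):
    """Return findings (strings); an empty list means every check passed."""
    seen = {(s, n): v for s, n, v in directives("\n".join(fragments))}
    findings = []
    if seen.get((None, "ServerTokens"), "Full") != "Prod":
        findings.append("ServerTokens is not Prod: version details are advertised")
    opts = seen.get((DOCROOT, "Options"), "").split()
    if "Indexes" in opts or "+Indexes" in opts:
        findings.append("Options on %s still allows directory listings" % DOCROOT)
    if seen.get((DOCROOT, "AllowOverride"), "None") == "All":
        findings.append("note: AllowOverride All lets .htaccess files under the "
                        "document root change server configuration")
    ciphers = seen.get((None, "SSLCipherSuite"), "")
    if "!kRSA" not in ciphers.split(":"):
        findings.append("SSLCipherSuite permits static RSA key exchange (no forward secrecy)")
    key = seen.get((None, "SSLCertificateKeyFile"), "")
    if "/private/" not in key:
        findings.append("SSLCertificateKeyFile %s is not under a private directory" % key)
    return findings


if __name__ == "__main__":
    for finding in audit(HTTPD_CONF, HTTPD_SSL_CONF, HTTPD_DEFAULT_CONF):
        print(finding)
```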

- Links

How to install MariaDB Server in a FreeNAS Jail

بسم الله الرحمن الرحيم



Description



A tutorial to install MariaDB Server v10.1.18 on a FreeNAS 9.10.1 Jail.


Assumptions and Prerequisites 




  • Domain: example.com
  • Hostname: db.example.com
  • OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
  • Container: Warden Jail
  • Jail Name: db
  • Private IP: 10.0.0.57
  • Subnet Mask: 255.255.255.0/24
  • Database Version: MariaDB v10.1.18
  • Database Server Type: Medium
  • SSL Certificates have been generated 
  • CA Certificate File: /usr/local/etc/ssl/certs/ca.pem
  • SSL Certificate File: /usr/local/etc/ssl/certs/db.example.com.crt
  • SSL Key File: /usr/local/etc/ssl/private/db.example.com.key


Instructions


Install MariaDB
# pkg install mariadb101-server

Configure Settings
Choose Configuration file for Database server: my-small.cnf, my-medium.cnf, my-large.cnf, or my-huge.cnf
# cp /usr/local/share/mysql/my-medium.cnf /usr/local/etc/my.cnf 

Enable MariaDB Server to run and start on boot
# sysrc mysql_enable=yes

Start MariaDB Server
# service mysql-server start

Configure secure setup for production
# mysql_secure_installation
   Set root password? [Y/n]: y
   Remove anonymous users? [Y/n]: y
   Disallow root login remotely? [Y/n]: y
   Remove test database and access to it? [Y/n]: y
   Reload privilege tables now? [Y/n]: y

Test root Login
# mysql -u root -p

Test SQL queries
MariaDB [(none)]> select user,host,password from mysql.user;
MariaDB [(none)]> show databases;
MariaDB [(none)]> exit;

Enable SSL on MariaDB Server
# vi /usr/local/etc/my.cnf
   (27)  # The MariaDB server
   (28)  [mysqld]
   (29)  ssl-ca=/usr/local/etc/ssl/certs/ca.pem
   (30)  ssl-cert=/usr/local/etc/ssl/certs/db.example.com.crt
   (31)  ssl-key=/usr/local/etc/ssl/private/db.example.com.key 
   (32)  bind-address    = 10.0.0.57 
   (33)  port = 3306

Monday, 3 October 2016

How to install Webmin in a FreeNAS Jail

بسم الله الرحمن الرحيم


Description


This is a tutorial on how to install Webmin 1.810 inside a FreeNAS 9.10.1-U1 Warden jail.

Assumptions and Prerequisites 


  • OS: FreeNAS 9.10.1-U1
  • Webmin Version: 1.810
  • Jail Name: zen
  • DNS Name: zen.houseofjaleel.com
  • Domain: houseofjaleel.com
  • Private IP Address: 10.0.0.10
  • Jail has been updated to the latest packages with the command # pkg update && pkg upgrade -y

Instructions


1. Install Webmin 
# pkg install -y webmin

2. Run the Webmin setup script
# /usr/local/lib/webmin/setup.sh
Log file directory [/var/log/webmin]: press Enter to accept default
Full path to perl (default /usr/local/bin/perl): press Enter to accept default
Web server port (default 10000): press Enter to accept default
Login name (default admin): press Enter to accept default
Login password: (set your password here)
Password again: (set your password here)
Use SSL (y/n): y
3. Enable Webmin to run and also run on boot
# sysrc webmin_enable="YES"

4. Start Webmin service
# service webmin start

Conclusion


Log in to Webmin via the browser with the username admin and the password you set with the setup script earlier.

If DNS is configured for the jail, you can reach Webmin through any of the three URLs below; otherwise use the IP address.
  1. https://10.0.0.10:10000
  2. https://zen:10000
  3. https://zen.houseofjaleel.com:10000



Thursday, 11 October 2012

How To Configure Network Settings on CentOS 6.3


بسم الله الرحمن الرحيم
In the Name of Allah, the Most Gracious, the Most Merciful

Synopsis:


A short tutorial on how to configure network settings on CentOS 6.3 machine.

Assumptions and Prerequisites:



  • OS: CentOS 6.3 x64
  • Server Name: mujahid
  • Subnet: 192.168.1.0/24
  • Server IP: 192.168.1.20
  • Subnet Mask: 255.255.255.0
  • DNS IP: 192.168.1.15
  • Gateway IP: 192.168.1.1
  • Domain: houseofjaleel.com.au
  • Network Device/Interface: eth0 
  • Text Editor: vi
  • Firewall (IPTables) is disabled.
  • SELinux is disabled.
  • '#' - Script Comment.
  • This machine is a server and therefore has fixed IP settings. It is not assigned any network settings by a DHCP or BOOTP service.

Step-by-Step Instructions:


1. Create the network configuration file /etc/sysconfig/network-scripts/ifcfg-eth0 with the following configurations and save it.

DEVICE="eth0"       # Device name
HWADDR="00:0C:29:7D:A0:62"    # eth0's MAC address. This may be different on your machine.  
NM_CONTROLLED="no"   # Settings are not controlled by the Network Manager service. 
BOOTPROTO="none"   # This device does not receive network settings from any dhcp service on the network.
ONBOOT="yes"            # Service starts at boot time.
TYPE="Ethernet"    # Device type is of Ethernet.
IPADDR="192.168.1.20"               # IP Address of this Network device.
NETMASK="255.255.255.0"     # Subnet Mask
GATEWAY="192.168.1.1"         # IP Address to access the Internet (usually it's a Router).
DNS1="192.168.1.15"       # IP Address of the machine hosting the DNS on the LAN.
DOMAIN="houseofjaleel.com.au"     # Name of the Domain this server belongs to. Omit if no domain configured on Network.
IPV6INIT="no"    # ipv6 is not enabled on this server machine.
USERCTL="no"   # Except for root user, users can't alter network setting for this device.


Clean (without comments) version of the file /etc/sysconfig/network-scripts/ifcfg-eth0


DEVICE="eth0"
HWADDR="00:0C:29:7D:A0:62"  
NM_CONTROLLED="no"  
BOOTPROTO="none"  
ONBOOT="yes" 
TYPE="Ethernet"
IPADDR="192.168.1.20" 
NETMASK="255.255.255.0" 
GATEWAY="192.168.1.1" 
DNS1="192.168.1.15" 
DOMAIN="houseofjaleel.com.au" 
IPV6INIT="no" 
USERCTL="no"


2. Restart Network service.
# /etc/rc.d/init.d/network restart

3. Enable Network Service to start at boot time.
# chkconfig network on

4. Check to see if network settings have been loaded from the configuration file for 'eth0'.
# ifconfig

5. Disable ipv6 device driver on this server machine from loading at boot time.
# echo "install ipv6 /bin/true" > /etc/modprobe.d/disable-ipv6.conf 

6. Restart server.
# reboot

7. Login as root and check network settings. It should show that there is no "inet6" setting anymore.
# ifconfig

Conclusion:


Change the "DNS1" configuration to "127.0.0.1" or "192.168.1.20", if DNS is configured on the local machine.

Use 'DNS2' to add a secondary DNS host (eg. DNS2="192.168.1.16").

IPv6 is outside the scope of this tutorial.

Tuesday, 9 October 2012

How To Install Webmin and Usermin Via The YUM Package Manager On CentOS 6.3

Synopsis:


How To Install Webmin and Usermin via the YUM Package Manager On CentOS 6.3 x64.

Assumptions and Prerequisites:



  • Server IP Address: 192.168.1.11.
  • OS: CentOS 6.3 x64
  • Server Name: tyrion
  • Firewall (IPTables) is disabled.
  • YUM Repository EPEL has already been added. 
  • SELinux is disabled.
  • Text Editor: Nano


Step-by-Step Instructions:


1. Create the Webmin YUM Repo File: /etc/yum.repos.d/webmin.repo with the following configurations and save it.

[Webmin]
name=Webmin Distribution Neutral
#baseurl=http://download.webmin.com/download/yum
mirrorlist=http://download.webmin.com/download/yum/mirrorlist
enabled=1

2. Import GPG Key from the webmin website.
# rpm --import http://www.webmin.com/jcameron-key.asc

Webmin:


1. Install the required perl module.
# yum -y install perl-Net-SSLeay

2. Install Webmin via YUM.
# yum -y install webmin

3. Edit /etc/webmin/miniserv.conf and add the following line at the end of the file so that only users on the LAN can log in to Webmin.

allow=127.0.0.1 192.168.1.0/24

4. Restart the Webmin service.
# /etc/rc.d/init.d/webmin restart


Usermin:


1. Install the required perl module.
# yum --enablerepo=epel -y install perl-Net-SSLeay perl-Authen-PAM

2. Install Usermin via YUM.
# yum -y install usermin

3. Edit /etc/usermin/miniserv.conf and add the following lines at the end of the file so that only users on the LAN can log in to Usermin, and root cannot log in at all.

allow=127.0.0.1 192.168.1.0/24
denyusers=root


4. Restart the Usermin service.
# /etc/rc.d/init.d/usermin restart
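The allow= and denyusers= lines used in both the Webmin and Usermin steps above, re-implemented in Python as an added example (not from the post or the Webmin project) so the LAN-only rule can be checked against a client address and user name before relying on it. It handles only the IP and CIDR forms the post uses, not hostnames; the config text inside it is constructed, and treating an absent allow= line as "accept any address" is an assumption.

```python
"""Evaluate miniserv.conf 'allow=' and 'denyusers=' rules as the post sets them.

Added example, not part of the post or of Webmin.  Only the IP and CIDR
forms of 'allow=' are handled, not hostnames.
"""
import ipaddress

# Constructed sample: the lines the post appends to /etc/usermin/miniserv.conf.
USERMIN_CONF = """\
port=20000
ssl=1
allow=127.0.0.1 192.168.1.0/24
denyusers=root
"""


def parse_miniserv(text):
    """Return (allow_networks, deny_users) from miniserv.conf-style text.

    'allow=' holds space-separated IPs or CIDR blocks; a bare IP becomes a /32.
    """
    allow, deny = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("allow="):
            for tok in line[len("allow="):].split():
                allow.append(ipaddress.ip_network(tok, strict=False))
        elif line.startswith("denyusers="):
            deny.update(line[len("denyusers="):].split())
    return allow, deny


def login_permitted(conf_text, client_ip, user):
    """Decide whether a login attempt passes the two rules, with the reason.

    The address must fall inside an allow entry (assumption: no allow line
    means any address is accepted) and the user must not be in denyusers.
    """
    allow, deny = parse_miniserv(conf_text)
    addr = ipaddress.ip_address(client_ip)
    if allow and not any(addr in net for net in allow):
        return False, "address %s is not in the allow list" % client_ip
    if user in deny:
        return False, "user %s is listed in denyusers" % user
    return True, "permitted"


if __name__ == "__main__":
    for ip, user in [("192.168.1.50", "tyrion"), ("10.0.0.5", "tyrion"),
                     ("192.168.1.50", "root")]:
        print(ip, user, login_permitted(USERMIN_CONF, ip, user))
```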


Conclusion:


Webmin:

Open browser and go to https://192.168.1.11:10000 and login as 'root'.

If you have DNS configured, then https://tyrion:10000 will also work in the browser. And if you are on the same machine, then https://localhost:10000 will also work in the browser.


Usermin: 

Open a browser and go to https://192.168.1.11:20000 and log in as any user except root, since the root user has been denied for Usermin.


If you have DNS configured, then https://tyrion:20000 will also work in the browser. And if you are on the same machine, then https://localhost:20000 will also work in the browser.

How To Add Additional YUM Repositories In CentOS 6.3

Synopsis:


This is a tutorial on how to add 2 additional YUM repositories, RPMForge and EPEL on CentOS 6.3 x64.

Assumptions and Prerequisites: 





Step-by-Step Instructions:


RPMForge:

1. Import GPG Key for the RPMForge package.
# rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt

2. Verify RPM package with GPG Key.
# rpm -K http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

3. Install RPM package for RPMForge YUM repository.
# rpm -i http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

EPEL:


1. Import GPG Key for the EPEL package.
# rpm --import  http://mirror.optus.net/epel/RPM-GPG-KEY-EPEL-6

2. Verify RPM package with GPG Key.
# rpm -K http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm

3. Install RPM package for EPEL YUM repository.
# rpm -i http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm

Conclusion:


After adding the RPMForge and EPEL YUM Repositories, you can install packages such as "htop" and "nano" via the YUM Package manager.

To add the EPEL and RPMForge repositories on x86 (32-bit), locate and install the 32-bit release packages from their respective mirrors.

How To Install and Configure DHCP Server on CentOS 6.3

Synopsis:


A short tutorial on how to Install and Configure a DHCP Server on CentOS 6.3 x64, listening on the "eth0" Interface only.

Assumptions and Prerequisites:


  • OS: CentOS 6.3 x64.
  • Server Name: mujahid
  • DNS IP: 192.168.1.10
  • IPv6 is disabled.
  • SELinux is disabled.
  • Firewall (IPTables) is disabled.
  • Subnet: 192.168.1.0/24
  • Domain: houseofjaleel.com.au
  • Gateway (Router IP Address): 192.168.1.1
  • Text Editor: Nano
  • Dynamic DNS (DDNS) is not enabled.

Step-by-Step Instructions:


1. Install the DHCP Package via a terminal.
# yum -y install dhcp

2. Edit file /etc/dhcp/dhcpd.conf with "nano" editor and write the following configuration:


# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample
#   see 'man 5 dhcpd.conf'
#


# This DHCP server to be declared valid
authoritative;

# Subnet 192.168.1.0/24
subnet 192.168.1.0 netmask 255.255.255.0 {

# default gateway
option routers 192.168.1.1;

# domain name
option domain-name "houseofjaleel.com.au";

# DNS's hostname or IP address
option domain-name-servers 192.168.1.10;

# range of lease IP address
range dynamic-bootp 192.168.1.2 192.168.1.254;

# default lease time
default-lease-time 600;

# max lease time
max-lease-time 7200;

# broadcast address
option broadcast-address 192.168.1.255;

##### Reserved Hosts #####

# Router
host router {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.1;
}

# Farooq
host farooq {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.10;
}

# Tariq
host tariq {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.11;
}

# Humaira
host humaira {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.12;
}

# Khalid
host khalid {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.13;
}

# Asim
host asim {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.14;
}

# Mujahid
host mujahid {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.15;
}

# Amir
host amir {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.16;
}

# Muneera
host muneera {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.17;
}

# Atif
host atif {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.1.18;
}

} # end of Subnet 192.168.1.0/24

3. Edit the file /etc/sysconfig/dhcp to make sure the DHCP service listens on the relevant interface (eth0) only.
# nano /etc/sysconfig/dhcp
eg.
DHCPDARGS="eth0"  

4. Start DHCP at boot.
# chkconfig dhcpd on

5. Start the DHCP service.
# /etc/rc.d/init.d/dhcpd start
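As an added example (not from the post or ISC DHCP), a Python checker for a dhcpd.conf of the shape written in step 2: it reads the subnet, the dynamic range and each reserved host and reports the slips that are easy to make by hand, including reservations that fall inside the dynamic range, which ISC recommends keeping outside it because the pool does not exclude them. The config text inside it is constructed to mirror the post's layout, with a few deliberate mistakes.

```python
"""Sanity-check a hand-written ISC dhcpd.conf of the shape used in the post.

Added example: this is not part of the post or of ISC DHCP.  It pulls out the
subnet, the dynamic range and every reserved 'host' block and reports the
mistakes that are easy to make by hand: a missing ';', a placeholder or
duplicate MAC, a duplicate or out-of-subnet address, and a reservation that
lies inside the dynamic range (the pool does not exclude such addresses).
"""
import ipaddress
import re

# Constructed sample mirroring the post's layout, with a few deliberate slips.
SAMPLE_CONF = """\
authoritative;
subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.1;
  range dynamic-bootp 192.168.1.2 192.168.1.254;
  host router  { hardware ethernet xx:xx:xx:xx:xx:xx; fixed-address 192.168.1.1; }
  host farooq  { hardware ethernet 00:0c:29:7d:a0:62; fixed-address 192.168.1.10; }
  host tariq {
    hardware ethernet 00:0c:29:7d:a0:63;
    fixed-address 192.168.1.11
  }
  host humaira { hardware ethernet 00:0C:29:7D:A0:62; fixed-address 192.168.1.12; }
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
RANGE_RE = re.compile(r"\brange(?:\s+dynamic-bootp)?\s+(\S+)\s+(\S+)\s*;")
HOST_RE = re.compile(r"\bhost\s+(\S+?)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def check_dhcpd_conf(text):
    """Return a list of findings (strings); an empty list means nothing found."""
    findings = []
    m = SUBNET_RE.search(text)
    subnet = ipaddress.ip_network("%s/%s" % m.groups()) if m else None
    m = RANGE_RE.search(text)
    lo, hi = (ipaddress.ip_address(x) for x in m.groups()) if m else (None, None)
    seen_ip, seen_mac = {}, {}
    for name, body in HOST_RE.findall(text):
        mac = re.search(r"hardware\s+ethernet\s+([^;\s]+)", body)
        if mac:
            key = mac.group(1).lower()
            if not MAC_RE.match(key):
                findings.append("%s: MAC '%s' is a placeholder or malformed" % (name, key))
            elif key in seen_mac:
                findings.append("%s: duplicate MAC shared with host %s" % (name, seen_mac[key]))
            seen_mac.setdefault(key, name)
        addr = re.search(r"fixed-address\s+([0-9.]+)\s*(;?)", body)
        if not addr:
            findings.append("%s: no fixed-address" % name)
            continue
        if addr.group(2) != ";":
            findings.append("%s: fixed-address is missing ';'" % name)
        ip = ipaddress.ip_address(addr.group(1))
        if subnet and ip not in subnet:
            findings.append("%s: %s is outside subnet %s" % (name, ip, subnet))
        if lo is not None and lo <= ip <= hi:
            findings.append("%s: %s lies inside the dynamic range %s-%s" % (name, ip, lo, hi))
        if ip in seen_ip:
            findings.append("%s: duplicate address %s also used by %s" % (name, ip, seen_ip[ip]))
        seen_ip.setdefault(ip, name)
    return findings


if __name__ == "__main__":
    for finding in check_dhcpd_conf(SAMPLE_CONF):
        print(finding)
```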

How To Install and Configure DNS (Bind) on CentOS 6.3

Synopsis:


A short tutorial on how to Install and Configure a DNS service on CentOS 6.3 x64 using Webmin.

Assumptions and Prerequisites:


  • OS: CentOS 6.3 x64.
  • Server Name: tyrion
  • The Server [tyrion] hosts all services on the same machine (e.g. DHCP, Postfix, HTTP, and FTP).
  • Webmin is already installed and the DNS configuration will be done via Webmin.
  • The DNS for both internal (LAN) and external (WAN) IPs will be hosted on the same Server Machine.
  • There are no DNS Slaves.
  • IPv6 is disabled.
  • Firewall (IPTables) is disabled.
  • SELinux is disabled.
  • Subnet: 192.168.1.0/24
  • Domain: kingslanding.com.au
  • WAN IP: 110.92.81.14
  • Gateway (Router IP Address): 192.168.1.1
  • Local ISP (TPG) DNS are used as forwarders. (203.12.160.35 and 203.12.160.36) 
  • DHCP is installed and a couple of IP addresses are reserved.
  • Dynamic DNS is not enabled for the DHCP Server.
  • Text Editor: Nano
  • Server Location: Melbourne, Australia.

Step-by-Step Instructions:


1. Install DNS packages. Run the following command in terminal.
# yum -y install bind bind-utils

2. Disable IPv6 for the named daemon
# echo 'OPTIONS="-4"' >>  /etc/sysconfig/named

3. Configure Bind (named) via Webmin

4. Create views "lan" and "wan". "lan" is for internal clients i.e. Private Machines. "wan" is for external clients that reside outside the router i.e. Internet.

5. Move all the zones to "lan" i.e. "Root Zone", "0", "127.0.0.1", "localhost", "localhost.localdomain". 
 a. Set "allow queries" to "localhost" and "192.168.1.0/24" under "Zone Defaults".
 b. Add 203.12.160.35 and 203.12.160.36 to "Forwarders and Transfers".
 c. Comment out "Listen on port 53 {127.0.0.1;}" because we want the "named" service to listen on all interfaces.
 d. Set "listen-on-v6 port 53" to 'none' because we are not using IPv6.
 e. Set "recursion" to 'yes' for the "lan" view so that every device on the LAN can use this DNS service to resolve names, including names it is not authoritative for.

 f. Set "recursion" to 'no' for the "wan" view because we don't want users from the Internet to resolve the IP addresses of our local machines on the LAN, and a resolver that recurses for anyone on the Internet can be abused by third parties.

6. Create Master Zone "kingslanding.com.au" of Forward type in the "lan" view with the following details:
 a. Domain = kingslanding.com.au
 b. Master server = tyrion.kingslanding.com.au
 c. Tick "Add NS record for Master Server".
 d. Enter Email address "root@kingslanding.com.au"
 e. Select "Use zone template".

7. Add "Address (A)" record "kingslanding.com.au." -> 192.168.1.11

8. Add "Mail (MX)" record "kingslanding.com.au." -> "tyrion.kingslanding.com.au." with 10 priority.

9. Add "Address (A)" record "tyrion" -> 192.168.1.11

10. Add "Alias (CNAME)" record "mail" -> "kingslanding.com.au."

11. Add "Alias (CNAME)" record "www" -> "kingslanding.com.au." 

12. Add "Alias (CNAME)" record "ftp" -> "kingslanding.com.au." 

13. Add "Address (A)" record "jamie" -> 192.168.1.12

14. Add "Address (A)" record "tywin" -> 192.168.1.10

15. Add "Address (A)" record "cersei" -> 192.168.1.13

16. Add "Address (A)" record "joffery" -> 192.168.1.14

17. Create Master Zone "192.168.1" of Reverse type in the "lan" view with the following details:
 a. Domain name / network = 192.168.1
 b. Master Server = tyrion.kingslanding.com.au
 c. Tick "Add NS record for Master Server".
 d. Enter Email address "root@kingslanding.com.au"
 e. Select "Use zone template".

18. Add "Reverse Address (PTR)" record "192.168.1.11" -> "tyrion.kingslanding.com.au."

19. Add "Reverse Address (PTR)" record "192.168.1.10" -> "tywin.kingslanding.com.au."

20. Add "Reverse Address (PTR)" record "192.168.1.12" -> "jamie.kingslanding.com.au."

21. Add "Reverse Address (PTR)" record "192.168.1.13" -> "cersei.kingslanding.com.au."

22. Add "Reverse Address (PTR)" record "192.168.1.14" -> "joffery.kingslanding.com.au."

23. Create Master Zone "kingslanding.com.au" of Forward type in the "wan" view with the following details:
 a. Domain = kingslanding.com.au
 b. Master server = tyrion.kingslanding.com.au
 c. Tick "Add NS record for Master Server".
 d. Enter Email address "root@kingslanding.com.au"
 e. Select "Use zone template".

24. Add "Address (A)" record "kingslanding.com.au." -> "110.92.81.14"

25. Add "Address (A)" record "tyrion.kingslanding.com.au." -> "110.92.81.14"

26. Add "Mail (MX)" record "kingslanding.com.au." -> "kingslanding.com.au." with 10 priority.

27. Add "Alias (CNAME)" record "www" -> "kingslanding.com.au."

28. Add "Alias (CNAME)" record "ftp" -> "kingslanding.com.au."

29. Add "Alias (CNAME)" record "mail" -> "kingslanding.com.au."

30. Add "Alias (CNAME)" record "ns1" -> "kingslanding.com.au."

31. Add "Alias (CNAME)" record "ns2" -> "kingslanding.com.au."

32. Add "Alias (CNAME)" record "vpn" -> "kingslanding.com.au."

33. Create Master Zone "110.92.81.14" of Reverse type in the "wan" view with the following details:
 a. Domain name / network = 110.92.81.14
 b. Master Server = tyrion.kingslanding.com.au
 c. Tick "Add NS record for Master Server".
 d. Enter Email address "root@kingslanding.com.au"
 e. Select "Use zone template".

34. Install DNS (Bind) as CHROOT
# yum -y install bind-chroot

35. Enable named (DNS) service to start at boot.
# chkconfig named on

36. Start named service
# /etc/rc.d/init.d/named start

37. Edit /etc/resolv.conf file to have the local machine use the local DNS service to resolve host names.
eg:
search kingslanding.com.au
nameserver 127.0.0.1

38. Also edit your network startup scripts, usually that's where the network configuration is written to in /etc/resolv.conf
eg. File: /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE="eth0"
BOOTPROTO="none"
HWADDR="00:2B:34:01:FB:82"
NM_CONTROLLED="no"
ONBOOT="yes"
TYPE="Ethernet"
IPADDR="192.168.1.11"
NETMASK="255.255.255.0"
GATEWAY="192.168.1.1"
DOMAIN="kingslanding.com.au"
DNS1="127.0.0.1"
IPV6INIT="no"
USERCTL="no"


39. Switch off DNS and DHCP on your router. On your router, forward port 53 to 192.168.1.11 so that your DNS hosting provider can reach your DNS server to update its records.

40. Restart your Network service.
# /etc/rc.d/init.d/network restart
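The records entered through Webmin in steps 7 to 33 form two views that have to agree with each other; as an added example (not from the post, BIND or Webmin), this Python check rebuilds those record sets and verifies that every A record in the "lan" view has a matching PTR and vice versa, that every CNAME points at an existing name, and that nothing in the "wan" view resolves to a private address, which is what a leak across views would look like. The record sets inside it are constructed from the post's steps.

```python
"""Cross-check the split-horizon zone data the post enters through Webmin.

Added example, not part of the post or of BIND/Webmin.  The record sets below
are constructed from the post's steps 7-33 (MX records are left out).
"""
import ipaddress

DOMAIN = "kingslanding.com.au."

# Constructed from the post: forward records per view, plus the lan PTR data.
LAN_A = {
    "kingslanding.com.au.": "192.168.1.11", "tyrion": "192.168.1.11",
    "tywin": "192.168.1.10", "jamie": "192.168.1.12",
    "cersei": "192.168.1.13", "joffery": "192.168.1.14",
}
LAN_CNAME = {"mail": DOMAIN, "www": DOMAIN, "ftp": DOMAIN}
LAN_PTR = {
    "192.168.1.11": "tyrion.kingslanding.com.au.",
    "192.168.1.10": "tywin.kingslanding.com.au.",
    "192.168.1.12": "jamie.kingslanding.com.au.",
    "192.168.1.13": "cersei.kingslanding.com.au.",
    "192.168.1.14": "joffery.kingslanding.com.au.",
}
WAN_A = {"kingslanding.com.au.": "110.92.81.14",
         "tyrion.kingslanding.com.au.": "110.92.81.14"}
WAN_CNAME = {n: DOMAIN for n in ("www", "ftp", "mail", "ns1", "ns2", "vpn")}


def fqdn(name):
    """Qualify a relative owner name the way a zone file would."""
    return name if name.endswith(".") else "%s.%s" % (name, DOMAIN)


def check_view(a_records, cname_records, ptr_records=None, public=False):
    """Return findings for one view; an empty list means it is consistent.

    public=True marks the view served to the Internet, where a private
    (RFC 1918) address in an A record means LAN data has leaked across views.
    """
    findings = []
    a_names = {fqdn(n) for n in a_records}
    names = a_names | {fqdn(n) for n in cname_records}
    for owner, target in cname_records.items():
        if fqdn(target) not in names:
            findings.append("CNAME %s -> %s has no target record" % (fqdn(owner), target))
        if fqdn(owner) in a_names:
            findings.append("%s has both an A and a CNAME record" % fqdn(owner))
    for owner, ip in a_records.items():
        if public and ipaddress.ip_address(ip).is_private:
            findings.append("%s -> %s leaks a private address into the public view"
                            % (fqdn(owner), ip))
    if ptr_records is not None:
        # Forward/reverse consistency: every host A needs a PTR and every PTR an A.
        hosts = {ip: fqdn(n) for n, ip in a_records.items() if fqdn(n) != DOMAIN}
        for ip, name in hosts.items():
            if ptr_records.get(ip) != name:
                findings.append("A %s -> %s has no matching PTR" % (name, ip))
        for ip, name in ptr_records.items():
            if hosts.get(ip) != name:
                findings.append("PTR %s -> %s has no matching A" % (ip, name))
    return findings


if __name__ == "__main__":
    print("lan:", check_view(LAN_A, LAN_CNAME, LAN_PTR) or "consistent")
    print("wan:", check_view(WAN_A, WAN_CNAME, public=True) or "consistent")
```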


Conclusion:


Use the "dig" tool to test the DNS service on your server.

For users on the Internet to be able to reach kingslanding.com.au, your DNS server has to be linked to a web and DNS hosting service provider. Personally, I use Zone Edit as my DNS hosting provider and Digital Pacific as my web domain service provider.

It takes up to 2 - 24 hours for the DNS Root servers to update their records to sync your DNS server records. So, be patient.