Technology-Leadership FAQ
June 8, 2010
Fix syslogd write permission denied on SE Linux targeted enforcing RHL 5.3

Under RedHat SE Linux in targeted enforcing mode, init.d scripts do not have the correct context to read all files in the /etc directory. This apparently breaks various capabilities of syslogd, including the ability to write log messages to files other than /var/log/messages.

To fix it, change the context with:
chcon -c system_u:object_r:etc_t /etc/init.d/syslog
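The script below is an added example, not part of the original FAQ. It checks the file's context before and after the change and makes the change persistent: chcon only rewrites the label on the inode, so a later restorecon or a full relabel puts the policy default back, whereas recording the type with semanage fcontext (policycoreutils on RHEL 5) makes restorecon apply it instead. The path and type are the ones from the entry above; stat -c %C is the GNU coreutils way of printing a file's context.

```shell
#!/bin/sh
# Added example: verify and persist the syslog init script's SELinux type.
# Assumes GNU stat (-c %C) and policycoreutils (semanage, restorecon).

FILE=/etc/init.d/syslog   # path from the FAQ entry
WANT=etc_t                # type from the FAQ entry

# ctx_type CONTEXT: print the type field of an SELinux context string,
# e.g. "system_u:object_r:etc_t" or "system_u:object_r:etc_t:s0" -> etc_t.
ctx_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# file_type PATH: print the type of the file's current context.
file_type() {
    ctx_type "$(stat -c %C "$1")"
}

# has_type PATH TYPE: exit 0 when the file currently carries TYPE.
has_type() {
    [ "$(file_type "$1")" = "$2" ]
}

# relabel_persistently PATH TYPE: record the type in the local policy so
# restorecon keeps it, then apply it. Must run as root.
relabel_persistently() {
    semanage fcontext -a -t "$2" "$1" && restorecon -v "$1"
}

# When run as a script (sh syslog-ctx.sh): show before/after and fix if needed.
case "$0" in *syslog-ctx.sh)
    echo "before: $(stat -c %C "$FILE")"
    has_type "$FILE" "$WANT" || relabel_persistently "$FILE" "$WANT"
    echo "after:  $(stat -c %C "$FILE")"
    has_type "$FILE" "$WANT" && echo "ok: $FILE is $WANT"
    ;;
esac
```

Run it once after the chcon; if has_type already reports the wanted type, only the semanage entry is added so the next relabel keeps it.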

May 13, 2010
Linux ldap authentication with Active Directory: avoid hanging your server

The internet is a wonderful place for information. However, most sites you visit employ bots that steal other web pages. This is a problem because bots steal any page, whether the content is accurate or not.

At tlc faq, we do not run bots to steal web pages, especially since so many pages on the internet are bogus and wrong. To start with an example of bogus, wrong information: when you see documentation on LDAP configuration on Linux, do NOT enter nsswitch.conf entries like these on RHL systems:

passwd: files ldap
group: files ldap
shadow: files ldap

These entries are unnecessary and will break your server!

ldap.conf, ldap.secret, a certificate file, and user accounts are all you need on the RedHat Linux server. You may need some pam.d file and/or pam.conf tweaks, but not always.

The information in the ldap.conf, like ‘rootbinddn’ and ‘cn’ is provided by the AD administrator.
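The script below is an added example, not part of the original FAQ. It audits the two client files discussed above: nsswitch_ldap_dbs reports which of passwd/group/shadow in an nsswitch.conf name the ldap source, and check_ldap_secret confirms that ldap.secret, which holds the rootbinddn password, is mode 600 and owned by root, as nss_ldap requires. File paths and the expected owner are parameters so the checks can be run against scratch copies.

```shell
#!/bin/sh
# Added example: audit nsswitch.conf and ldap.secret on an LDAP client.
# Assumes GNU stat (-c %a / %U) and a POSIX awk.

# nsswitch_ldap_dbs [FILE]: print, one per line, the databases among
# passwd/group/shadow whose entry lists "ldap" as a source. Comments are ignored.
nsswitch_ldap_dbs() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 ~ /^(passwd|group|shadow):$/ {
            for (i = 2; i <= NF; i++)
                if ($i == "ldap") { sub(/:$/, "", $1); print $1; break }
        }' "${1:-/etc/nsswitch.conf}"
}

# check_nsswitch [FILE]: exit 0 when none of the three databases use ldap,
# 1 otherwise (with a message naming them).
check_nsswitch() {
    dbs=$(nsswitch_ldap_dbs "$1")
    if [ -n "$dbs" ]; then
        echo "nsswitch.conf lists ldap for: $(printf '%s ' $dbs)" >&2
        return 1
    fi
    return 0
}

# check_ldap_secret [FILE] [OWNER]: exit 0 when the secret file exists, is
# mode 600 and belongs to OWNER (default root).
check_ldap_secret() {
    f="${1:-/etc/ldap.secret}"
    owner="${2:-root}"
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    mode=$(stat -c %a "$f")
    who=$(stat -c %U "$f")
    [ "$mode" = 600 ] || { echo "$f: mode $mode, expected 600" >&2; return 1; }
    [ "$who" = "$owner" ] || { echo "$f: owner $who, expected $owner" >&2; return 1; }
    return 0
}

# main: run both checks against the live /etc when invoked as sh ldapcheck.sh.
main() {
    rc=0
    check_nsswitch || rc=1
    check_ldap_secret || rc=1
    [ $rc -eq 0 ] && echo "ldap client files look sane"
    return $rc
}
case "$0" in *ldapcheck.sh) main "$@" ;; esac
```

A non-zero exit from main means one of the two files needs attention; the messages on stderr say which.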

April 21, 2010

Easy Linux server iptables configuration

To enable your local, internal firewall on your Linux server, you need to run a couple of commands as root:

# chkconfig iptables on

# service iptables start

Add a policy to the interface. Let’s say it is a bonded interface called bond0. This policy will reject all inbound and forward traffic on bond0 except ping (icmp), replies to connections the server itself opened, and new connections on port 22, the ssh port. Create a file called iptables in /etc/sysconfig/ with the following content:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-bond0-INPUT - [0:0]
-A INPUT -j RH-Firewall-bond0-INPUT
-A FORWARD -j RH-Firewall-bond0-INPUT
-A RH-Firewall-bond0-INPUT -i bond0 -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-bond0-INPUT -i bond0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-bond0-INPUT -i bond0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-bond0-INPUT -i bond0 -m state --state NEW -m udp -p udp --dport 22 -j ACCEPT
-A RH-Firewall-bond0-INPUT -i bond0 -j REJECT --reject-with icmp-host-prohibited
COMMIT

Restart iptables service:

# service iptables restart

View your new policy:

# iptables -L

That’s it. Enjoy!
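The script below is an added example, not part of the original FAQ. It is a static check of an iptables-save style file such as /etc/sysconfig/iptables, meant to be run before the restart so the policy is read back to you before it is loaded: it lists which ports accept NEW connections on which interface, warns when no ESTABLISHED,RELATED rule is present (return traffic would then fall through to the final REJECT), warns when nothing accepts 22/tcp (restarting over ssh could lock you out), and reports which chains end in REJECT or DROP. sample_rules reproduces the bond0 policy from the entry above as constructed test input.

```shell
#!/bin/sh
# Added example: audit an iptables-save style rules file before loading it.
# Assumes a POSIX awk; only the filter table is examined.

# sample_rules: the bond0 policy from the FAQ entry, used as sample input.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-bond0-INPUT - [0:0]
-A INPUT -j RH-Firewall-bond0-INPUT
-A FORWARD -j RH-Firewall-bond0-INPUT
-A RH-Firewall-bond0-INPUT -i bond0 -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-bond0-INPUT -i bond0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-bond0-INPUT -i bond0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-bond0-INPUT -i bond0 -m state --state NEW -m udp -p udp --dport 22 -j ACCEPT
-A RH-Firewall-bond0-INPUT -i bond0 -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# audit_rules FILE: print open ports, warnings and chain endings for FILE.
audit_rules() {
    awk '
        /^[*]/    { table = substr($1, 2); next }    # "*filter", "*nat", ...
        /^COMMIT/ { table = ""; next }
        table != "filter" || $1 != "-A" { next }     # skip policies, counters, other tables
        {
            iface = ""; proto = ""; port = ""; target = ""; est = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                else if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") port = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i == "--state" && $(i + 1) ~ /ESTABLISHED/) est = 1
            }
            if (target == "ACCEPT" && port != "") {
                printf "open %s/%s on %s\n", port, proto, (iface != "" ? iface : "any")
                if (port == "22" && proto == "tcp") ssh_ok = 1
            }
            if (est && target == "ACCEPT") have_est = 1
            last[$2] = target                         # last target jumped to in chain $2
        }
        END {
            if (!have_est) print "warning: no ESTABLISHED,RELATED ACCEPT rule found"
            if (!ssh_ok)   print "warning: no ACCEPT for NEW 22/tcp; a restart over ssh could lock you out"
            for (c in last)
                if (last[c] == "REJECT" || last[c] == "DROP")
                    print "chain " c " ends with " last[c]
        }' "$1"
}

# When run as sh fwaudit.sh [FILE]: audit the given file, default RHEL location.
case "$0" in *fwaudit.sh) audit_rules "${1:-/etc/sysconfig/iptables}" ;; esac
```

Against the sample policy the output is the two "open 22/..." lines and "chain RH-Firewall-bond0-INPUT ends with REJECT"; any "warning:" line is a reason to fix the file before running service iptables restart.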

April 20, 2010
Configure vsftpd for xinetd in SE Linux

Add your users to /etc/vsftpd/user_list

Run setsebool -P ftp_home_dir 1

Create or modify the /etc/xinetd.d/vsftpd file with the correct information

Modify the /etc/vsftpd/vsftpd.conf file, and comment out "listen=YES"

Create the /etc/pam.d/ftp file: you will need to know the path to your PAM libraries and the file names in it.

If you need more information on any of the files above, use a search engine to get details on the specific entries and formats for each of them.
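The script below is an added example, not part of the original FAQ. It writes the xinetd service entry for vsftpd and sanity-checks vsftpd.conf for xinetd mode. The service definition is the conventional one shipped for the RHEL vsftpd package (an assumption; confirm the server path on your system). The checker also verifies the two userlist settings that make /etc/vsftpd/user_list an allow list, since with vsftpd's default userlist_deny=YES the same file is a deny list and the first step above would lock those users out instead of admitting them. Both functions take a base path so they can be exercised against a scratch tree.

```shell
#!/bin/sh
# Added example: install the xinetd entry for vsftpd and check vsftpd.conf.
# The service definition below is assumed to match the RHEL package layout.

# xinetd_vsftpd_entry: print the xinetd service definition for vsftpd.
xinetd_vsftpd_entry() {
    cat <<'EOF'
service ftp
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
        nice            = 10
}
EOF
}

# install_xinetd_entry [ETC]: write ETC/xinetd.d/vsftpd (default /etc), mode
# 0644. Refuses to overwrite an existing file so a local edit is not lost.
install_xinetd_entry() {
    dst="${1:-/etc}/xinetd.d/vsftpd"
    if [ -e "$dst" ]; then
        echo "$dst exists; not overwriting" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dst")"
    xinetd_vsftpd_entry > "$dst" && chmod 0644 "$dst"
}

# conf_has CONF KEY VALUE: true when an uncommented "KEY=VALUE" line is present.
conf_has() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# check_vsftpd_conf [CONF]: exit 0 when the file suits xinetd mode and makes
# user_list an allow list; each problem is reported on stderr.
check_vsftpd_conf() {
    conf="${1:-/etc/vsftpd/vsftpd.conf}"
    rc=0
    if conf_has "$conf" listen YES; then
        echo "$conf: listen=YES is active; comment it out, xinetd owns the socket" >&2
        rc=1
    fi
    if ! conf_has "$conf" userlist_enable YES; then
        echo "$conf: userlist_enable=YES missing; user_list is ignored" >&2
        rc=1
    fi
    if ! conf_has "$conf" userlist_deny NO; then
        echo "$conf: userlist_deny=NO missing; user_list would be a DENY list" >&2
        rc=1
    fi
    return $rc
}

# When run as sh vsftpd-xinetd.sh: install the entry, then check the live config.
case "$0" in *vsftpd-xinetd.sh)
    install_xinetd_entry && check_vsftpd_conf ;;
esac
```

After the entry is in place, restart xinetd and run check_vsftpd_conf against the real file; a clean exit means xinetd owns the listening socket and only the names in user_list can log in.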