Extras.v7

From Access Information

EXTRAS

iptables

systemctl stop iptables

This did not seem to remove the rules, and as a point of reference I could not get to Webmin on port 10000.

Yet iptables would appear to be inactive.

systemctl status iptables
iptables.service - IPv4 firewall with iptables
  Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
  Active: inactive (dead) since Wed 2014-11-12 10:20:28 NZDT; 2s ago
 Process: 25912 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
 Process: 25736 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 25736 (code=exited, status=0/SUCCESS)

An iptables -L still showed rules as active. So:

iptables --flush
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now I can browse to webmin on port 10000.
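Rather than flushing everything, the check worth scripting at this point (an added example, not from the page) reads the live rule set with `iptables -S INPUT` and says what a new inbound TCP connection to a port gets. It makes the point that matters here: in the stock CentOS rule set the chain policy is ACCEPT but a final catch-all REJECT does the blocking, so `iptables --flush` did not just unblock 10000, it opened every port; and a rule appended with -A (as in the https firewall step later on this page) lands after that REJECT and never matches. The rule set embedded below is constructed, modelled on the stock /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example; not from the page. Reads `iptables -S INPUT` and reports
# what a new inbound TCP connection to a port would get, so the one
# blocking rule can be fixed instead of flushing the chain.
#
# Live use:  iptables -S INPUT | port_verdict 10000
# Deliberate limits: ignores source-address matches, port ranges and jumps
# to user-defined chains; answers for a new connection on a non-lo interface.

# port_verdict PORT : reads `iptables -S INPUT` on stdin, prints the target
# of the first rule matching tcp/PORT, or "policy <P>" when none matches.
port_verdict() {
  awk -v p="$1" '
    /^-P INPUT / { policy = $3 }
    /^-A INPUT / && verdict == "" {
      proto = ""; dport = ""; iface = ""; states = ""; target = ""
      for (i = 2; i <= NF; i++) {
        if      ($i == "-p")                                   proto  = tolower($(i + 1))
        else if ($i == "--dport" || $i == "--destination-port") dport  = $(i + 1)
        else if ($i == "-i")                                   iface  = $(i + 1)
        else if ($i == "--state" || $i == "--ctstate")         states = $(i + 1)
        else if ($i == "-j")                                   target = $(i + 1)
      }
      if (iface == "lo") next                      # loopback-only rule
      if (states != "" && states !~ /NEW/) next    # matches replies, not new connections
      if (proto != "" && proto != "tcp") next      # icmp/udp rule
      if (dport != "" && dport != p) next          # some other port
      if (target == "ACCEPT" || target == "DROP" || target == "REJECT")
        verdict = target                           # first match wins
    }
    END { if (verdict != "") print verdict; else print "policy " policy }'
}

# Constructed sample, modelled on the stock CentOS 7 /etc/sysconfig/iptables
# as `iptables -S INPUT` prints it: only ssh is open; everything else is
# REJECTed by the last rule even though the chain policy is ACCEPT.
STOCK_INPUT='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# stock_verdict PORT : the verdict the stock rule set gives tcp/PORT
stock_verdict() { printf '%s\n' "$STOCK_INPUT" | port_verdict "$1"; }

# with_rule MODE PORT : the verdict after opening PORT with -A (append) or
# -I (insert in front of the REJECT, as `iptables -I INPUT 5 ...` would).
# Appending puts the ACCEPT after the catch-all, where it can never match.
with_rule() {
  rule="-A INPUT -p tcp -m tcp --dport $2 -j ACCEPT"
  if [ "$1" = "-I" ]; then
    printf '%s\n' "$STOCK_INPUT" |
      awk -v r="$rule" '/^-A INPUT -j REJECT/ { print r } { print }' |
      port_verdict "$2"
  else
    printf '%s\n%s\n' "$STOCK_INPUT" "$rule" | port_verdict "$2"
  fi
}
```

After a flush only the `-P` lines remain, and the function then reports `policy ACCEPT` for every port, which is exactly the state the listing above shows.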


SSL Apache, https

This is a very useful page for making your webserver https.

This is done with a self-signed certificate. The connection is still encrypted, but nothing vouches for the key, so visitors get a browser warning and cannot tell your certificate from one an attacker presents. That makes it fine for testing or for a site only you use, and the wrong choice for a public site.

http://wiki.centos.org/HowTos/Https from where the following was shamelessly plagiarized.

This guide will explain how to set up a site over https. The tutorial uses a self signed key so will work well for a personal website or testing purposes. This is provided as is so proceed at your own risk and take backups!

1. Getting the required software

For an SSL encrypted web server you will need a few things. Depending on your install you may or may not have OpenSSL and mod_ssl, Apache's interface to OpenSSL. Use yum to get them if you need them.

yum install mod_ssl openssl

Yum will either tell you they are installed or will install them for you.

mkdir /home/strider/setup/https -p
cd /home/strider/setup/https

2. Generate a self-signed certificate

Using OpenSSL we will generate a self-signed certificate. If you are using this on a production server you will probably want a certificate from a trusted Certificate Authority, but for a personal site or for testing a self-signed certificate is fine. To create the key you will need to be root, so either su to root or put sudo in front of the commands.

# Generate the private key (it must stay readable by root only)
openssl genrsa -out ca.key 2048
# Generate a certificate signing request (answer the prompts; the Common Name is the host name)
openssl req -new -key ca.key -out ca.csr
# Sign the request with its own key: a self-signed certificate valid for one year
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
# Copy the files to the correct locations (copy, do not move: see the SELinux note below)
cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr

WARNING: Make sure that you copy the files and do not move them if you use SELinux. Apache will complain about missing certificate files otherwise, as it cannot read them because the certificate files do not have the right SELinux context.

If you have moved the files and not copied them, you can use the following command to correct the SELinux contexts on those files, as the correct context definitions for /etc/pki/* come with the bundled SELinux policy.

restorecon -RvF /etc/pki

Then we need to update the Apache SSL configuration file

vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf

Change the paths to match where the Key file is stored. If you've used the method above it will be

SSLCertificateFile /etc/pki/tls/certs/ca.crt

Then set the correct path for the Certificate Key File a few lines below. If you've followed the instructions above it is:

SSLCertificateKeyFile /etc/pki/tls/private/ca.key

Quit and save the file and then restart Apache (on CentOS 7 with systemctl; /etc/init.d/httpd restart is the CentOS 6 form):

systemctl restart httpd

All being well you should now be able to connect over https to your server and see the default CentOS page. As the certificate is self-signed, browsers will show a warning and make you add an exception before they connect.

3. Setting up the virtual hosts

Under CentOS 7 it is easiest to set up all virtual hosts as separate files in /etc/httpd/conf.d

As I was using this server as a mail server running Horde, I edited

emacs /etc/httpd/conf.d/ssl.conf

and changed

DocumentRoot "/var/www/horde"
ServerName wash.backup.geek.nz:443


Just as you set VirtualHosts for http on port 80 so you do for https on port 443. A typical VirtualHost for a site on port 80 looks like this

<VirtualHost *:80>
       <Directory /var/www/vhosts/yoursite.com/httpdocs>
       AllowOverride All
       </Directory>
       DocumentRoot /var/www/vhosts/yoursite.com/httpdocs
       ServerName yoursite.com
</VirtualHost>

To add a sister site on port 443 you need, with Apache 2.2, to add the following at the top of your file (on the Apache 2.4 that CentOS 7 ships this directive no longer has any effect and only produces a warning, so leave it out):

NameVirtualHost *:443

and then a VirtualHost record something like this:

<VirtualHost *:443>
       SSLEngine on
       SSLCertificateFile /etc/pki/tls/certs/ca.crt
       SSLCertificateKeyFile /etc/pki/tls/private/ca.key
       <Directory /var/www/vhosts/yoursite.com/httpsdocs>
       AllowOverride All
       </Directory>
       DocumentRoot /var/www/vhosts/yoursite.com/httpsdocs
       ServerName yoursite.com
</VirtualHost>

Restart Apache again using

systemctl restart httpd

4. Configuring the firewall

You should now have a site working over https using a self-signed certificate. If you can't connect you may need to open the port on your firewall. To do this amend your iptables rules:

iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/service iptables save
iptables -L -v

Check the order in the listing: -A appends, so if the chain ends with a catch-all REJECT (the stock CentOS rule set does) the new ACCEPT lands after it and never matches; insert it in front of the REJECT with -I INPUT <n> instead. On CentOS 7 these commands need the iptables-services package; a host running firewalld opens the port with firewall-cmd --permanent --add-service=https instead.

5. Force https use

I did two things to make this happen but did not test which one was doing it.

In my case the / (root) of the web server holds nothing, so I added this index.php there:

<?php
header ("Location:  https://kaylee.backup.geek.nz/horde" );
exit();
?>

This redirects all http://kaylee.backup.geek.nz requests to https://kaylee.backup.geek.nz/horde

I also added this file at the web server root:

.htaccess

RewriteEngine on
# only act when the request did not arrive over TLS
RewriteCond %{HTTPS} !=on
# note the two slashes after https: (https:/host redirects nowhere useful);
# the file is only read if the directory has AllowOverride All
RewriteRule ^(.*)$ https://kaylee.backup.geek.nz/$1 [R=301,L]

Except this does not seem to be working, I will have to revisit this and try.

The same can be done in the port 80 VirtualHost itself, without PHP or .htaccess (replace ip with the server address or *):

<VirtualHost ip:80>
  ServerName www.company.com
  RedirectMatch permanent ^(.*)$ https://www.company.com$1
</VirtualHost>
<VirtualHost ip:443>
  ServerName www.company.com
  Include vhosts.d/includes/ssl.conf
</VirtualHost>
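For completeness, here is the full vhost pair for the host name used in this section, as an added example rather than the page's own configuration. The certificate paths are the ones this page installs and the DocumentRoot is the Horde one from above; the TLS protocol/cipher settings and the HSTS header are additions of this example.

```apache
# Added example, not from the page or the CentOS wiki.
# Port 80 serves nothing: every request is sent to https with a permanent redirect
# that keeps the path (Redirect matches a prefix and appends the rest).
<VirtualHost *:80>
    ServerName kaylee.backup.geek.nz
    Redirect permanent / https://kaylee.backup.geek.nz/
</VirtualHost>

<VirtualHost *:443>
    ServerName kaylee.backup.geek.nz
    DocumentRoot /var/www/horde
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
    # httpd 2.4.6 on CentOS 7: refuse SSLv2/SSLv3 and let the server choose the cipher
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    # HSTS: browsers stay on https for a year (needs mod_headers, loaded by default).
    # Browsers only honour it over a connection without certificate errors, so it
    # takes effect once a CA-issued certificate (ssls.com section below) is in place;
    # start with a short max-age until every name under the domain serves TLS.
    Header always set Strict-Transport-Security "max-age=31536000"
    <Directory /var/www/horde>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

Run apachectl configtest before restarting httpd; a typo in either block takes the whole server down, not just the one site.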

SSL NameCheap

https://www.ssls.com

Having purchased a SSL certificate from SSLs.com you need to create and activate it.

Creating your server's CSR

This is a semi-useful page from ssls.com: CSR Generation

cd /etc/ssl/cert
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
  1. myserver.key: your private key
  2. server.csr: used to generate your SSL certificate at https://www.ssls.com
  3. Substitute your own names and answer the prompts. I suggest using the email address admin@ or webmaster@ for your domain.
  4. Back at https://www.ssls.com/cert-activation.html, paste the text of the csr file into the "Enter CSR:" box.
  5. The "Select Web Server" dropdown option for me is Apache + OpenSSL
  6. NEXT
  7. Choose the Approver email address; I use the same one as I set above.
  8. NE5T
  9. Fill out the Specify SSL Contact information
  10. Click: Process Certificate

You should get

Congratulations! You have completed the activation. 
To complete the certificate issue process, the certificate request needs to be approved by the Approver. 
In a short while, an email will be sent to the selected approval email which will contain instructions on how to approve the certificate.

So go and check your email.

You will receive a mail from Comodo Security Services <noreply_support@comodo.com> with a link and a passcode; go to the link and enter the passcode.

In a few minutes you will receive another email with a zip file.

  1. Unzip the contents of the zip file in to /etc/ssl/cert directory
  2. In your account with ssls.com: Go to My Account -> My SSLs, click the ID of the certificate we are dealing with.
  3. This opens a new page.
  4. Click on the Blue Download Certificate.
  5. This gives you CRT file for your site and a bundle.crt file. We will need this in a minute.
  6. Copy the bundle.crt to /etc/ssl/cert as yourdomainname.ca-bundle

Now we need to edit (in my case)

emacs /etc/httpd/conf.d/ssl.conf

We need to have

SSLEngine on

Then the private key (whatever you called it in the openssl command above; myserver.key if you copied it literally):

SSLCertificateKeyFile /etc/ssl/cert/myserver.key

The certificate provided by ssls.com:

SSLCertificateFile /etc/ssl/cert/yourDomainName.crt

And the intermediate bundle copied in step 6 above; the path must be the one you copied it to. httpd 2.4.6 on CentOS 7 still needs SSLCertificateChainFile (later releases read the chain from SSLCertificateFile):

SSLCertificateChainFile /etc/ssl/cert/yourDomainName.ca-bundle

Now restart apache (systemctl restart httpd).

Surf to https://yourdomainname and the padlock should be valid.
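Both the self-signed section above and the ssls.com procedure drive openssl interactively and then trust the padlock as the only check. The following is an added example (not from the CentOS wiki or ssls.com) that does the same work non-interactively, with a subjectAltName in the CSR, and adds the two checks to run before restarting httpd: that the key really belongs to the certificate, and that the certificate chains to the bundle you were sent. HOST and DIR are your choice; every path is an assumption of the example, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example; not from the page. Non-interactive key + CSR with a SAN,
# self-signing for test hosts, and the pre-restart checks.

# gen_key_csr HOST DIR : 2048-bit RSA key (mode 0600) and a CSR carrying
# DNS:HOST as a subjectAltName. Browsers match the SAN, not the CN, so a
# CN-only CSR (what the interactive `openssl req` produces) yields a
# certificate current Firefox/Chrome reject even when the CN is right.
gen_key_csr() {
  host=$1; dir=$2
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_srv
prompt = no
[dn]
CN = $host
[v3_srv]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  (umask 077 && openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null) || return 1
  openssl req -new -sha256 -key "$dir/$host.key" -out "$dir/$host.csr" \
      -config "$dir/$host.cnf" 2>/dev/null
}

# self_sign HOST DIR : 365-day self-signed certificate from that CSR.
# `x509 -req` drops the CSR's extensions unless told where to read them
# (-extfile/-extensions); without that the SAN silently disappears.
self_sign() {
  host=$1; dir=$2
  openssl x509 -req -sha256 -days 365 -in "$dir/$host.csr" \
      -signkey "$dir/$host.key" -out "$dir/$host.crt" \
      -extfile "$dir/$host.cnf" -extensions v3_srv 2>/dev/null
}

# cert_has_san CRT HOST : 0 when DNS:HOST is in the certificate's SAN
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# verify_install KEY CRT [BUNDLE] : the pre-restart check. The key must be
# the one the certificate was issued for (same RSA modulus) and, given a
# CA bundle such as yourDomainName.ca-bundle, the certificate must chain
# to it. A bundle for the wrong intermediate is the classic cause of a
# padlock that is fine in one browser and an error in another.
verify_install() {
  key=$1; crt=$2; bundle=$3
  kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) || return 1
  cmod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null) || return 1
  [ "$kmod" = "$cmod" ] || return 1
  if [ -n "$bundle" ]; then
    # the system root store is consulted too, so a pass means "the chain
    # is complete", not "this bundle alone is sufficient"
    openssl verify -CAfile "$bundle" "$crt" >/dev/null 2>&1 || return 1
  fi
  return 0
}
```

For the purchased certificate, call verify_install with the key from the CSR step, the .crt from the download and the .ca-bundle; a self-signed certificate verifies against itself, so pass the .crt as its own bundle.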


Webmin

http://www.webmin.com/

yum install perl-Net-SSLeay.x86_64 perl-Encode-Detect.x86_64

The current version 1.900:

export WEBMIN=webmin-1.900-1.noarch.rpm

cd /home/strider
wget http://prdownloads.sourceforge.net/webadmin/$WEBMIN

The download is over plain http, so before installing import Webmin's package-signing key (published on webmin.com) with rpm --import and confirm the package with rpm -K $WEBMIN.

rpm -ihv $WEBMIN
firewall-cmd --permanent --zone=public --add-port=10000/tcp
firewall-cmd --reload

That opens the Webmin login, which is root-equivalent, to every address in the public zone. On a server with a public interface prefer a firewalld rich rule that limits port 10000 to your administration addresses, or leave the port closed and reach it through an SSH tunnel.

Automatic starting on reboot.

The RPM installs a SysV init script; stop that instance and deselect it in ntsysv so that only systemd manages it.

/etc/init.d/webmin status
/etc/init.d/webmin stop
ntsysv

Un-asterisk (deselect) webmin, then:

systemctl start webmin
systemctl enable webmin

NFS

Network File System

Grub Order

List current items

awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg

To set a default other than 0 (the first line):

grub2-set-default 2

Entries are numbered from 0 in the order the awk command lists them (0, 1, 2, 3, ...).

NTP

yum install ntp
systemctl status ntpd
systemctl start ntpd
systemctl enable ntpd

To run the Time and Date Properties Tool as a text-based application, use the command timeconfig.

ntpd should work out of the box with the pool servers in /etc/ntp.conf. To choose the servers used for the initial clock step at start-up, also add the following.

/bin/cat << EOF >> /etc/ntp/step-tickers
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
EOF
systemctl restart ntpd
timedatectl set-timezone Pacific/Auckland
date

FTP

yum install vsftpd ftp

and

/bin/cat << EOF >> /etc/vsftpd/vsftpd.conf
chroot_local_user=YES
EOF

Finally, start and enable the service:

systemctl start vsftpd
systemctl enable vsftpd

enable prints the symlink it creates:

ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'

Then open the firewall and check the zone. firewalld's predefined service for this is called ftp (there is no vsftpd service):

firewall-cmd --zone=public --add-service=ftp --permanent
firewall-cmd --reload
firewall-cmd --zone=public --list-all

Test connection. If you get

500 OOPS: vsftpd: refusing to run with writable root inside chroot ()

then you can either make the user's home directory read-only

chmod a-w /home/theuserinquestion

or add to /etc/vsftpd/vsftpd.conf

allow_writeable_chroot=YES

The first option is best. vsftpd refuses a writable chroot root because it is a known chroot-escape vector; allow_writeable_chroot=YES simply switches that check off. Keep uploads in a writable subdirectory under the read-only home instead. Remember too that plain FTP sends the password and the data in the clear; sftp over the existing sshd avoids both problems.

VNC with Tiger

The package was vncserver; it is now tigervnc-server.

YUM

yum groupinstall "GNOME Desktop"

yum install vnc-server tigervnc-server tsclient pixman pixman-devel libXfont xorg-x11-fonts-Type1

Create the VNC user accounts. I have a standard user I use for this.

systemd

cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:1.service
emacs /etc/systemd/system/vncserver@:1.service

Replace <USER>

ExecStart=/sbin/runuser -l <USER> -c "/usr/bin/vncserver %i"
PIDFile=/home/<USER>/.vnc/%H%i.pid

With the users name for the vnc session

ExecStart=/sbin/runuser -l auser -c "/usr/bin/vncserver %i"
PIDFile=/home/auser/.vnc/%H%i.pid

Firewall

firewalld

ls -lah /lib/firewalld/zones/

Gives a list of the zones for your firewalld configuration.

An example of adding a rule

firewall-cmd --permanent --zone=public --add-port=5905/tcp
firewall-cmd --reload

iptables

iptables -A INPUT -p tcp -i eth0 -s 0/0 --destination-port 5901 -j ACCEPT

(the target name is case-sensitive: -j accept is refused by iptables). Save and restart the firewall.

/sbin/iptables-save > /etc/sysconfig/iptables
systemctl restart iptables

Either rule opens the VNC port to every address (-s 0/0). VNC carries the desktop session unencrypted and its password check is a weak 8-character challenge, so on anything but a private LAN leave the port closed and reach the display through an SSH tunnel to localhost:5901 instead.

Setup the user

Switch to the user set up above.

su auser
cd ~

vncserver

You will require a password to access your desktops.

Password:
Verify:
xauth:  file /home/admin/.Xauthority does not exist

New 'server.somewhere.co.nz:1 (admin)' desktop is server.somewhere.co.nz:1

Creating default startup script /home/admin/.vnc/xstartup
Starting applications specified in /home/admin/.vnc/xstartup
Log file is /home/admin/.vnc/server.qualchem.co.nz:1.log

daemon & services

Back as root.

systemctl daemon-reload

I found this necessary.

systemctl stop vncserver@:1.service

Then because of

ls /tmp/.X1-lock

Needed to

rm /tmp/.X1-lock

As well as

ls /tmp/.X11-unix/X1

and

rm /tmp/.X11-unix/X1

Start the VNC service as root.

systemctl start vncserver@:1.service

I have found at times that a PID is still present that stops me from starting VNC:

ps aux|grep vnc

found

admin    13557  3.1  0.9 200152 31504 pts/5    Sl   17:38   0:07 
  /usr/bin/Xvnc :1 -desktop localhost.localdomain:1 (admin) -auth  
  /home/admin/.Xauthority -geometry 1024x768 -rfbwait 30000 -rfbauth 
  /home/admin/.vnc/passwd -rfbport 5901 -fp catalogue:/etc/X11/fontpath.d -pn

left over from not having stopped the vncserver as admin:

kill -9 13557

Enable it on system startup as root.

systemctl enable vncserver@:1.service

Now start VNC

systemctl start vncserver@:1.service

And see if you can vnc in.

issues

Do not use /etc/sysconfig/vncservers THIS FILE HAS BEEN REPLACED BY /lib/systemd/system/vncserver@.service

Use KDE not Gnome

To use KDE as your desktop, change /home/user/.vnc/xstartup from

#!/bin/sh
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
exec /etc/X11/xinit/xinitrc

to

#!/bin/sh
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
#exec /etc/X11/xinit/xinitrc
startkde &

Restart the session.

Resolutions

So where is resolutions set?

/etc/systemd/system/vncserver@:1.service

Edit the systemd file and change

ExecStart=/sbin/runuser -l admin -c "/usr/bin/vncserver %i"

to

ExecStart=/sbin/runuser -l admin -c "/usr/bin/vncserver %i -geometry 1280x1024"

(a plain x between the numbers, not the × character).

Well, that did not work. I tried many combinations but the VNC server never displayed in any of the options I used. My way around this was to set the screen resolution in the session manually, save, and restart the server; it remembered the display settings.

Oh no! Something has gone wrong

I could not get a GUI up; the problem was an incompatibility between the nvidia drivers and TigerVNC, so I switched to MATE.

yum groupinstall "MATE Desktop"
cd /home/<user>/.vnc
emacs xstartup

Change

unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
OS=`uname -s`

by adding /usr/bin/mate-session between the unset lines and the OS= line:

unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
/usr/bin/mate-session
OS=`uname -s`

Restart and now try to connect.

systemctl restart vncserver@:1.service

Will not start

The first start failed. I tried to start again; still failed. Killed all vnc instances; still could not start. journalctl -xn was still complaining about

Warning: server.qualchem.co.nz:1 is taken because of /tmp/.X1-lock.

Looked at:

ll /tmp/.X1-lock
-r--r--r-- 1 admin admin 11 Nov 19 08:12 /tmp/.X1-lock

Removed /tmp/.X1-lock and also /tmp/.X11-unix/X1; their timestamp was that of the very first start as user auser. Having deleted them:

systemctl start vncserver@:1.service

Working!

STILL Will not start

Even after doing the above on another server, VNC was not starting, with an error that a session already exists, even after a systemctl stop.

ps aux|grep vnc

Found and killed the vnc PID
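The three recoveries above (rm the lock, rm the socket, kill -9 the Xvnc) all come down to one question: is the process named in /tmp/.X1-lock still alive? The following is an added example, not from the page, that answers it before anything is deleted. The lock file holds the PID of the X server owning display :N; the XTMP argument exists only so the functions can be tried against a scratch directory, and the default is the real /tmp.

```shell
#!/bin/sh
# Added example; not from the page. Decide whether /tmp/.X<N>-lock belongs
# to a running X server or is a leftover before removing it.

# lock_owner N [XTMP] : print the PID recorded in .X<N>-lock; 1 if no lock.
# The file is the PID, space padded and newline terminated.
lock_owner() {
  f="${2:-/tmp}/.X$1-lock"
  [ -f "$f" ] || return 1
  tr -d ' \n' < "$f"
}

# pid_alive PID : 0 if a process with that PID exists. kill -0 alone is not
# enough: it fails with EPERM for another user's live process (the Xvnc
# here runs as the VNC user), so fall back to /proc on Linux.
pid_alive() {
  kill -0 "$1" 2>/dev/null || [ -d "/proc/$1" ]
}

# display_state N [XTMP] : prints free | live <pid> | stale <pid>
display_state() {
  pid=$(lock_owner "$1" "$2") || { echo free; return 0; }
  if pid_alive "$pid"; then echo "live $pid"; else echo "stale $pid"; fi
}

# clear_stale_display N [XTMP] : remove the lock and the socket only when
# their owner is gone. Refuses (returns 1) while a live server holds the
# display, so that one gets stopped properly (systemctl stop vncserver@:N,
# or vncserver -kill :N as the owning user) instead of losing its lock.
clear_stale_display() {
  t="${2:-/tmp}"
  case "$(display_state "$1" "$t")" in
    free)   return 0 ;;
    live*)  return 1 ;;
    stale*) rm -f "$t/.X$1-lock" "$t/.X11-unix/X$1"; return 0 ;;
  esac
}
```

On the server: `display_state 1` tells you which of the two cases above you are in; `clear_stale_display 1 && systemctl start vncserver@:1.service` handles the stale one and refuses the live one.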

PUTTY

Using_Putty

Windows 10 & Centos 7

Best done with a fresh install, not an upgrade.

  • Install Windows 10 on to half of the HD. Mine was 500GB, so I ended up with two partitions:
/dev/sda1   *        2048     1026047      512000    7  HPFS/NTFS/exFAT
/dev/sda2         1026048   409602047   204288000    7  HPFS/NTFS/exFAT
  • Leave the rest of the 500GB disk free.
  • Make sure you can boot in to Windows 10.
  • Click on 'start', then Shift-click Restart. This opens the advanced start-up options, from which you can choose to boot from a device.
  • Reboot and boot to DVD with your CentOS 7 DVD.
  • Install CentOS 7 to the rest of your hard drive.

You will now reboot into CentOS, with no option for Windows 10.

/dev/sda1   *        2048     1026047      512000    7  HPFS/NTFS/exFAT
/dev/sda2         1026048   409602047   204288000    7  HPFS/NTFS/exFAT
/dev/sda3       409602048   410626047      512000   83  Linux
/dev/sda4       410626048   976773167   283073560    5  Extended
/dev/sda5       410628096   976773119   283072512   8e  Linux LVM

At this point,

grub2-mkconfig > /dev/null 

Gave me

Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-123.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-123.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-e3171f8a7d6e465c8b8a760c10ae207d
Found initrd image: /boot/initramfs-0-rescue-e3171f8a7d6e465c8b8a760c10ae207d.img

No Windows partition was found: os-prober needs ntfs-3g to look inside the NTFS partitions, and ntfs-3g comes from EPEL. So install EPEL (yum install epel-release does the same from the CentOS extras repository, with the package signature checked) and then ntfs-3g:

wget https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
rpm -ihv epel-release-7-11.noarch.rpm

yum install ntfs-3g

Now

grub2-mkconfig > /dev/null 

Found

Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-123.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-123.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-e3171f8a7d6e465c8b8a760c10ae207d
Found initrd image: /boot/initramfs-0-rescue-e3171f8a7d6e465c8b8a760c10ae207d.img
Found Windows Recovery Environment (loader) on /dev/sda1
done

Let's create a new grub configuration, keeping a copy of the old one:

cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.old
grub2-mkconfig -o /boot/grub2/grub.cfg   

Reboot and boot in to Windows 10

Notes

On this first reboot, I had a choice of either Centos 7 or Windows.

With Windows, I was asked how I wanted to start Windows 10. Just press Enter to do a normal restart.

On the next reboot, after choosing Windows 10, it started as normal.

On a reboot choosing Centos 7 started it as normal.

Windows 7 as Default

Edit the file /etc/default/grub

Change the line

GRUB_DEFAULT=saved

to

GRUB_DEFAULT="Windows 7 (loader) (on /dev/sda1)"

The value is the menuentry title exactly as it appears in /boot/grub2/grub.cfg, including the "(on /dev/sda1)" suffix os-prober adds; list the titles with the awk command below and choose the one you would like to be default.

To make this change active run the command

grub2-mkconfig -o /boot/grub2/grub.cfg

You will see this change the next time you reboot.

OR

https://wiki.centos.org/HowTos/Grub2

To list all the menu entries that will be displayed at system boot, issue the following command:

awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg
CentOS Linux 7 (Core), with Linux 3.10.0-229.14.1.el7.x86_64
CentOS Linux 7 (Core), with Linux 3.10.0-229.4.2.el7.x86_64
CentOS Linux 7 (Core), with Linux 3.10.0-229.el7.x86_64
CentOS Linux 7 (Core), with Linux 0-rescue-605f01abef434fb98dd1309e774b72ba

Or alternatively:

grep "^menuentry" /boot/grub2/grub.cfg | cut -d "'" -f2

The default entry is defined by the GRUB_DEFAULT line in the /etc/default/grub file. However, if the GRUB_DEFAULT line is set as saved, the parameter is stored in the /boot/grub2/grubenv file. It may be viewed by:

grub2-editenv list
saved_entry=CentOS Linux (3.10.0-229.14.1.el7.x86_64) 7 (Core)

The /boot/grub2/grubenv file cannot be manually edited. Use the following command instead:

grub2-set-default 2
grub2-editenv list
saved_entry=2

Note that the first entry in the output of the awk command, above, is index number 0.

Now reboot the system.

Just IMAP

YUM

yum install dovecot.x86_64 dovecot-mysql dovecot-devel

Setting up dovecot

Three files need editing. The 10-ssl.conf settings are in Dovecot 2.2 syntax (what CentOS 7 ships): the older ssl_cert_file/ssl_key_file names are ignored by 2.x, and the leading "<" means "read this file".

emacs /etc/dovecot/dovecot.conf
protocols = imap pop3 lmtp
listen = *

(Drop pop3 and lmtp from protocols if you really want just IMAP.)

emacs /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/pki/tls/certs/fqdn.crt
ssl_key = </etc/pki/tls/certs/fqdn.key

emacs /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = no
auth_mechanisms = plain login

Or, with no TLS at all:

emacs /etc/dovecot/conf.d/10-ssl.conf
ssl = no

Caveat: with ssl = no and disable_plaintext_auth = no every IMAP login crosses the network in the clear, as do the mailbox contents. That combination is only defensible when the sole client is on the same machine (a webmail such as Horde). Dovecot already treats connections from the host's own address as secure, so Horde on the same box logs in fine with the default disable_plaintext_auth = yes; keep that default and ssl = yes for anything reachable from elsewhere. PLAIN and LOGIN then still work inside a TLS session.

Start and enable

systemctl restart dovecot
systemctl status dovecot
systemctl enable dovecot
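For the case where clients connect from other machines, this is the TLS-only variant of the three files, as an added example (not the page's configuration), in Dovecot 2.2 syntax with the page's certificate paths. Moving the key to /etc/pki/tls/private with mode 0600 is assumed.

```conf
# Added example, not from the page. Dovecot 2.2 (CentOS 7) syntax.

# /etc/dovecot/dovecot.conf
protocols = imap
listen = *, ::

# /etc/dovecot/conf.d/10-ssl.conf
# "required": refuse any session that has not started TLS (STARTTLS on 143 or imaps on 993)
ssl = required
# the leading "<" reads the file; without it Dovecot treats the path as the PEM text
ssl_cert = </etc/pki/tls/certs/fqdn.crt
ssl_key = </etc/pki/tls/private/fqdn.key
# 2.2 syntax; 2.3 replaced this with ssl_min_protocol = TLSv1.2
ssl_protocols = !SSLv2 !SSLv3
ssl_prefer_server_ciphers = yes

# /etc/dovecot/conf.d/10-auth.conf
# PLAIN/LOGIN are advertised only after TLS is up (LOGINDISABLED otherwise)
disable_plaintext_auth = yes
auth_mechanisms = plain login
```

doveconf -n shows the merged result and flags unknown setting names, which is how a leftover ssl_cert_file line would be caught.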