B.Sc. (H) ANCS-2022 and SEM-V
Linux Administration-II (BNCSC502)
Class: - Theory
2024-25

Study Material
(Linux Administration-II and BNCSC502)
_____________________________________________________________________________________________

Table of Contents

Module No.    Module Name                          Page No.
Module I      Disk Quota Management                2
Module II     Network Configuration                11
Module III    DNS Server                           24
Module IV     DHCP Server                          34
Module V      Provide Apache HTTPD web service     44
Module VI     Mail Server                          52
Module VII    NFS Server                           61
Module VIII   Samba Server                         67
Module IX     Linux Firewall and SELinux           74

MODULE-I: - DISK QUOTA MANAGEMENT

Why do we need disk quotas?

Disk space is a finite and shared resource (even considering the enormous increases in hard-disk technology in
recent years).

Disk quotas are needed in home directory partitions for various reasons:

• There is a limited amount of disk space that must be shared between many people.
• Some people tend to use much more disk space than they need, and far beyond what is reasonable and fair for a shared resource.
• Sometimes processes can go out of control and produce huge amounts of data. If a disk fills up, no more data will be able to be saved, and people will lose work; for instance, someone who has been working with an editor may not be able to save their changes.

For these reasons and others, it is necessary for the CSL staff to manage home directory space. Disk quotas are an
equitable way of doing this.

There are two types of quotas that are set on home directories via the UNIX disk quota system: block quotas and file quotas.

• A block quota is the limit on the actual amount of disk space that can be used by an account. This space is measured in 1 KB blocks (1 KB = 1024 bytes or characters). All files, directories, etc., use up some number of blocks.
• A file quota is the limit on the number of files, directories, etc., that there can be for an account. This is because each file system (e.g., /home/home1/) has a finite-sized inode table, and each file system object (such as a file or directory) uses up one inode. When this table gets filled up, no more files can be created.

While it is not uncommon for someone to exhaust their blocks quota, it is quite unusual for anyone to use up their files quota.

user@login> quota -v
Disk quotas for user (uid 12345):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
minerva:/vol/vol0/insitu4
                 105301  150000  187500            7860   30000   37500

The meanings of the numbers are as follows:

blocks  The actual number of blocks used.
quota   The soft quota for blocks; you will start getting warnings when you exceed this amount.
limit   The hard quota for blocks; you cannot exceed this limit under any circumstances.
grace   The amount of time you have left to get back below your blocks soft quota before UNIX starts getting angry.
files   The actual number of files (inodes) used.
quota   The soft quota for files; you will start getting warnings when you exceed this amount.
limit   The hard quota for files; you cannot exceed this limit under any circumstances.
grace   The amount of time you have left to get back below your files soft quota before UNIX starts getting angry.

Remember to use the -v option with the quota command. See the quota man page for more information.

Disk quotas can be configured for individual users as well as user groups. This makes it possible to manage the space allocated for user-specific files (such as email) separately from the space allocated to the projects a user works on (assuming the projects are given their own groups).

In addition, quotas can be set not just to control the number of disk blocks consumed but to control the number of
inodes (data structures that contain information about files in UNIX file systems). Because inodes are used to contain
file-related information, this allows control over the number of files that can be created.

The quota RPM must be installed to implement disk quotas.

Configuring Disk Quotas

To implement disk quotas, use the following steps:

1. Enable quotas per file system by modifying the /etc/fstab file.
2. Remount the file system(s).
3. Create the quota database files and generate the disk usage table.
4. Assign quota policies.

Each of these steps is discussed in detail in the following sections.

Enabling Quotas
1. Log in as root.
2. Edit the /etc/fstab file.
3. Add either the usrquota or grpquota or both options to the file systems that require quotas.

Edit /etc/fstab

For example, to use the text editor vim, type the following:

# vim /etc/fstab

Add Quotas

/dev/VolGroup00/LogVol00 /         ext3    defaults                    1 1
LABEL=/boot              /boot     ext3    defaults                    1 2
none                     /dev/pts  devpts  gid=5,mode=620              0 0
none                     /dev/shm  tmpfs   defaults                    0 0
none                     /proc     proc    defaults                    0 0
none                     /sys      sysfs   defaults                    0 0
/dev/VolGroup00/LogVol02 /home     ext3    defaults,usrquota,grpquota  1 2
/dev/VolGroup00/LogVol01 swap      swap    defaults                    0 0
...

In this example, the /home file system has both user and group quotas enabled.

Note
The following examples assume that a separate /home partition was created during the installation of Red Hat
Enterprise Linux. The root (/) partition can be used for setting quota policies in the /etc/fstab file.

Remounting the File Systems

After adding either the usrquota or grpquota or both options, remount each file system whose fstab entry has been modified. If the file system is not in use by any process, use the following method:

• Run the umount command followed by the mount command to remount the file system. See the man pages for both umount and mount for the specific syntax for mounting and unmounting various file system types.

If the file system is currently in use, the easiest method for remounting the file system is to reboot the system.

Creating the Quota Database Files

After each quota-enabled file system is remounted, run the quotacheck command.

The quotacheck command examines quota-enabled file systems and builds a table of the current disk usage per file system. The table is then used to update the operating system's copy of disk usage. In addition, the file system's disk quota files are updated.

Creating the Quota Database Files

1. Create the quota files on the file system using the following command (replace /file_system with the mount point, for example /home):
# quotacheck -cug /file_system
2. Generate the table of current disk usage per file system using the following command:
# quotacheck -avug

The following options are used to create the quota files:

-c: Specifies that the quota files should be created for each file system with quotas enabled.
-u: Checks for user quotas.
-g: Checks for group quotas. If only -g is specified, only the group quota file is created.

If neither the -u nor the -g option is specified, only the user quota file is created.

The following options are used to generate the table of current disk usage:

-a: Check all quota-enabled, locally-mounted file systems.
-v: Display verbose status information as the quota check proceeds.
-u: Check user disk quota information.
-g: Check group disk quota information.

After quotacheck has finished running, the quota files corresponding to the enabled quotas (either user or group or
both) are populated with data for each quota-enabled locally-mounted file system such as /home.

Assigning Quotas per User

The last step is assigning the disk quotas with the edquota command.

Prerequisite

• The user must exist prior to setting the user quota.

Assigning Quotas per User

1. To assign the quota for a user, use the following command:
# edquota username
Replace username with the user to which you want to assign the quotas.
2. To verify that the quota for the user has been set, use the following command:
# quota username

Assigning Quotas to a user

For example, if a quota is enabled in /etc/fstab for the /home partition (/dev/VolGroup00/LogVol02 in the following example) and the command edquota testuser is executed, the following is shown in the editor configured as the default for the system:

Disk quotas for user testuser (uid 501):
  Filesystem                 blocks   soft   hard  inodes  soft  hard
  /dev/VolGroup00/LogVol02   440436      0      0   37418     0     0

The first column is the name of the file system that has a quota enabled for it. The second column shows how many
blocks the user is currently using. The next two columns are used to set soft and hard block limits for the user on
the file system. The inodes column shows how many inodes the user is currently using. The last two columns are
used to set the soft and hard inode limits for the user on the file system.

The hard block limit is the absolute maximum amount of disk space that a user or group can use. Once this limit is
reached, no further disk space can be used.

The soft block limit defines the maximum amount of disk space that can be used. However, unlike the hard limit,
the soft limit can be exceeded for a certain amount of time. That time is known as the grace period. The grace period
can be expressed in seconds, minutes, hours, days, weeks, or months.

If any of the values are set to 0, that limit is not set. In the text editor, change the desired limits.

Change Desired Limits

For example:

Disk quotas for user testuser (uid 501):
  Filesystem                 blocks    soft    hard  inodes  soft  hard
  /dev/VolGroup00/LogVol02   440436  500000  550000   37418     0     0

To verify that the quota for the user has been set, use the command:

# quota testuser
Disk quotas for user username (uid 501):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
       /dev/sdb   1000*    1000    1000               0       0       0

Assigning Quotas per Group

Quotas can also be assigned on a per-group basis.

Prerequisite

• The group must exist prior to setting the group quota.

Assigning Quotas per Group

1. To set a group quota, use the following command:
# edquota -g groupname
2. To verify that the group quota is set, use the following command:
# quota -g groupname

Assigning quotas to group

For example, to set a group quota for the user1 group, use the command:

# edquota -g user1
This command displays the existing quota for the group in the text editor:

Disk quotas for group user1 (gid 505):
  Filesystem                 blocks   soft   hard  inodes  soft  hard
  /dev/VolGroup00/LogVol02   440400      0      0   37418     0     0

Modify the limits, then save the file.

To verify that the group quota has been set, use the command:

# quota -g user1

Setting the Grace Period for Soft Limits

If a given quota has soft limits, you can edit the grace period (i.e. the amount of time a soft limit can be exceeded)
with the following command:

# edquota -t
This command works on quotas for inodes or blocks, for either users or groups.
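The following shell script is an added example and not part of the study material: it checks the outcome of the steps above without needing root. fstab_quota_opts reads /etc/fstab-style text and reports which quota options (usrquota, grpquota) are set on a mount point (step 1); quota_state classifies a used/soft/hard triple the way edquota and quota interpret it, with 0 meaning no limit; quota_report turns quota -v output into one line per file system and handles the case, seen in the quota -v sample above, where a long file system name pushes its numbers onto the next line. The fstab text and quota output inside the script are constructed for the demonstration; on a real host the functions would be fed with cat /etc/fstab and quota -v <user>.

```bash
#!/usr/bin/env bash
# Added example, not part of the course material: check the outcome of the quota
# procedure without root.  The sample fstab and quota output below are constructed.
#
#  fstab_quota_opts MOUNTPOINT   fstab text on stdin -> "usrquota grpquota",
#                                "usrquota", "grpquota", "none", or "absent"
#  quota_state USED SOFT HARD    -> unlimited | ok | soft-exceeded | hard-reached
#  quota_report                  `quota -v` text on stdin -> one line per file system

fstab_quota_opts() {
    mnt=$1
    while read -r dev mp type opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac      # skip blank and comment lines
        [ "$mp" = "$mnt" ] || continue
        found=""
        case ",$opts," in *,usrquota,*) found="usrquota" ;; esac
        case ",$opts," in *,grpquota,*) found="${found:+$found }grpquota" ;; esac
        echo "${found:-none}"
        return 0
    done
    echo "absent"                                     # no fstab entry for that mount point
}

# In edquota a limit of 0 means "not set".  Reaching the hard limit blocks all
# further writes; exceeding only the soft limit starts the grace period.
quota_state() {
    used=${1%\*}; soft=$2; hard=$3                    # quota marks over-soft usage with '*'
    if [ "$soft" -eq 0 ] && [ "$hard" -eq 0 ]; then echo unlimited
    elif [ "$hard" -ne 0 ] && [ "$used" -ge "$hard" ]; then echo hard-reached
    elif [ "$soft" -ne 0 ] && [ "$used" -gt "$soft" ]; then echo soft-exceeded
    else echo ok
    fi
}

quota_report() {
    pending=""
    while IFS= read -r line; do
        set -f; set -- $line; set +f                  # split fields, no globbing of '*'
        [ $# -eq 0 ] && continue
        case "$1" in Disk|Filesystem) continue ;; esac       # header lines
        if [ $# -eq 1 ]; then pending=$1; continue; fi       # long name: numbers on next line
        case "$1" in
            *[!0-9*]*) fs=$1; shift ;;                       # name and numbers on one line
            *)         fs=$pending ;;
        esac
        pending=""
        bused=$1; bsoft=$2; bhard=$3; shift 3
        case "$1" in *[!0-9*]*) shift ;; esac                # skip block grace column if shown
        printf '%s blocks=%s inodes=%s\n' "$fs" \
            "$(quota_state "$bused" "$bsoft" "$bhard")" \
            "$(quota_state "$1" "$2" "$3")"
    done
}

sample_fstab() {                                             # constructed /etc/fstab
    cat <<'EOF'
# constructed /etc/fstab
/dev/VolGroup00/LogVol00 /     ext3 defaults                   1 1
/dev/VolGroup00/LogVol02 /home ext3 defaults,usrquota,grpquota 1 2
EOF
}

sample_quota_output() {                                      # constructed `quota -v` output
    cat <<'EOF'
Disk quotas for user testuser (uid 501):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
minerva:/vol/vol0/insitu4
                 105301  150000  187500            7860   30000   37500
/dev/VolGroup00/LogVol02
                 510000* 500000  550000   6days   37418       0       0
/dev/sdb          1000*   1000    1000   6days       0       0       0
EOF
}

sample_fstab | fstab_quota_opts /home      # usrquota grpquota
sample_fstab | fstab_quota_opts /          # none
sample_quota_output | quota_report
```

A file system reported as hard-reached is one where the user can no longer write; soft-exceeded means the user is inside the grace period set with edquota -t.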

MULTIPLE CHOICE QUESTIONS AND ANSWERS

MODULE-I: Disk Quota management


1. What is disk quota in Linux?
a. A limit set on the amount of available disk space for a user or a group.
b. A command used to format a new disk in the Linux filesystem.
c. A utility that displays the disk usage statistics for a particular directory.
d. A program that automatically compresses files to save disk space.
2. Which command is used to enable disk quotas on a Linux file system?
a. quotaon b. quotactl
c. diskquota d. repquota
3. For most computers, the bootstrap is stored in ________
a. RAM b. ROM
c. Cache d. Tertiary storage
4. The __________ utility provides a summary of disk space used in the pwd.
a. du b. fdisk
c. mkfs d. mount
5. Which command is used to edit user quotas?
a. quota b. quotaon
c. edquota d. vi
6. The file system information is stored in
a. Boot block b. Super block
c. Inode block d. Data block
7. To create a Linux partition by using fdisk, what must be the partition's system ID type?
a. 82 b. 83
c. 5 d. 4
8. Which command is used to check filesystem usage in a system?
a. mount b. du
c. df d. dd
9. Which among the following allows fast file system recovery?
a. Ext2 b. Caching
c. Journaling d. Sysfs
10. Which filesystem can be used to change certain kernel parameters at runtime using the sysctl command?
a. Ext3 b. Ext4
c. Sysfs d. Procfs
11. Which command is used to view disk quotas for a user?
a. quota b. quotaon
c. edquota d. du
12. Which command is used to edit disk quotas for a user?
a. quota b. quotaon
c. edquota d. vi
13. Which of the following is a disk quota soft limit?
a. The maximum amount of disk space a user can use.
b. The amount of disk space a user is warned about approaching.
c. The amount of disk space a user is denied from using.
d. The amount of disk space a user is allowed to use.
14. Which of the following is a disk quota hard limit?
a. The maximum amount of disk space a user can use.
b. The amount of disk space a user is warned about approaching.
c. The amount of disk space a user is denied from using.
d. The amount of disk space a user is allowed to use.
15. The process of dividing a disk into sectors that the disk controller can read and write, before a disk can store data, is known as ____________
a. Partitioning b. Swap space creation
c. Low-level formatting d. None of the mentioned
16. The two steps the operating system takes to use a disk to hold its files are _______ and ________
a. Partitioning & logical formatting b. Swap space creation & caching
c. Caching & logical formatting d. Logical formatting & swap space creation

Question Number    Correct Answer
1.    a. A limit set on the amount of available disk space for a user or a group.
2.    a. quotaon
3.    b. ROM
4.    a. du
5.    c. edquota
6.    b. Super block
7.    b. 83
8.    c. df
9.    c. Journaling
10.   d. Procfs
11.   a. quota
12.   c. edquota
13.   b. The amount of disk space a user is warned about approaching.
14.   c. The amount of disk space a user is denied from using.
15.   c. Low-level formatting
16.   a. Partitioning & logical formatting

SHORT ANSWER QUESTIONS

1. What are disk quotas?
2. How do I enable disk quotas on a Linux system?
3. How do I check disk quota usage?
4. How do I fix a disk quota exceeded error?
5. What are the different types of disk quotas?
6. What are the benefits of using disk quotas?
7. What is the significance of the 'edquota <username>' command? Describe with a suitable example.
8. Describe the hard and soft limits for both data blocks and inodes.
9. Write short notes on the quota database files.
10. How can I check if disk quota is enabled on my Linux system?

LONG ANSWER QUESTIONS

1. What is disk quota in Linux, and why is it important?
2. How do I set up disk quotas for users or groups in Linux?
3. Can disk quotas be applied to specific directories or partitions?
4. How do I view the current disk quota usage for a user or group?
5. How can I enforce soft and hard limits in disk quotas?
6. What happens when a user exceeds their disk quota in Linux?
7. How can I increase or decrease disk quotas for users or groups?
8. Is it possible to exclude certain files or directories from disk quotas?
9. What are the differences between user-based and group-based disk quotas?
10. How do I generate reports on disk quota usage for users?
11. Can I set up automatic notifications when users approach their disk quota limits?
12. How can I disable or remove disk quotas from a Linux system?
13. What are aquota.user and aquota.group? How are they created?
14. What do edquota and quotacheck do in Linux? Give a proper example.
15. Define hard and soft space limits with an example.
16. Define grace period and describe how to change it.

MODULE-II: - NETWORK CONFIGURATION

Computer Network: -

Definition: - A network is a group of two or more connected computing devices that can share resources such as files, printers, and applications. Networks can be classified into different types based on their size, purpose, and the technology used to connect the devices.

Types: -

• Local area networks (LANs): LANs are small networks that are confined to a single location, such as a home, office, or school.
• Metropolitan area networks (MANs): MANs are larger networks that cover a city or metropolitan area.
• Wide area networks (WANs): WANs are the largest type of networks and can cover an entire country or even the world.
• Personal area networks (PANs): PANs are very small networks that connect devices that are close to each other, such as smartphones, laptops, and printers.
• Wireless networks: Wireless networks use radio waves to connect devices without the need for cables.

Understand IP Addresses

An IP address is an address used to uniquely identify a device on an IP network. The address is made up of 32 binary bits, which can be divided into a network portion and a host portion with the help of a subnet mask. The 32 binary bits are broken into four octets (1 octet = 8 bits). Each octet is converted to decimal and separated by a period (dot). For this reason, an IP address is said to be expressed in dotted decimal format (for example, 172.16.81.100). The value in each octet ranges from 0 to 255 decimal, or 00000000 - 11111111 binary.

Here is how binary octets convert to decimal: the right-most bit, or least significant bit, of an octet holds a value of 2^0. The bit just to the left of that holds a value of 2^1. This continues until the left-most bit, or most significant bit, which holds a value of 2^7. So if all binary bits are one, the decimal equivalent would be 255, as shown here:

11111111
128 64 32 16 8 4 2 1 (128+64+32+16+8+4+2+1=255)

Here is a sample octet conversion when not all of the bits are set to 1.
01000001
0 64 0 0 0 0 0 1 (0+64+0+0+0+0+0+1=65)

And this sample shows an IP address represented in both binary and decimal.
10.1.23.19 (decimal)
00001010.00000001.00010111.00010011 (binary)

Given an IP address, its class can be determined from the three high-order bits (the three left-most bits in the first
octet). Figure 1 shows the significance in the three high order bits and the range of addresses that fall into each
class. For informational purposes, Class D and Class E addresses are also shown.

Figure 1: IP address classes and their address ranges by the three high-order bits (figure not reproduced in this text)

In a Class A address, the first octet is the network portion, so the Class A example in Figure 1 has a major network
address of 1.0.0.x - 127.255.255.x (where x can go from 0 to 255). Octets 2, 3, and 4 (the next 24 bits) are for the
network manager to divide into subnets and hosts as he/she sees fit. Class A addresses are used for networks that
have more than 65,536 hosts (actually, up to 16777214 hosts!).
In a Class B address, the first two octets are the network portion, so the Class B example in Figure 1 has a major
network address of 128.0.0.x - 191.255.255.x. Octets 3 and 4 (16 bits) are for local subnets and hosts. Class B
addresses are used for networks that have between 256 and 65534 hosts.

In a Class C address, the first three octets are the network portion. The Class C example in Figure 1 has a major
network address of 192.0.0.x - 223.255.255.x. Octet 4 (8 bits) is for local subnets and hosts - perfect for networks
with less than 254 hosts.

Network Masks

A network mask helps you know which portion of the address identifies the network and which portion of the
address identifies the node. Class A, B, and C networks have default masks, also known as natural masks, as shown
here:
Class A: 255.0.0.0
Class B: 255.255.0.0
Class C: 255.255.255.0

An IP address on a Class A network that has not been subnetted would have an address/mask pair similar to 10.20.15.1 255.0.0.0. In order to see how the mask helps you identify the network and node parts of the address, convert the address and mask to binary numbers.

10.20.15.1 = 00001010.00010100.00001111.00000001
255.0.0.0  = 11111111.00000000.00000000.00000000

Once you have the address and the mask represented in binary, identification of the network and host ID is easier. Any address bits which have corresponding mask bits set to 1 represent the network ID. Any address bits that have corresponding mask bits set to 0 represent the node ID.

10.20.15.1 = 00001010.00010100.00001111.00000001
255.0.0.0  = 11111111.00000000.00000000.00000000
             --------|--------------------------
             net id  | host id
netid  = 00001010 = 10
hostid = 00010100.00001111.00000001 = 20.15.1

Understand Subnetting

Subnetting allows you to create multiple logical networks that exist within a single Class A, B, or C network. If you
do not subnet, you are only able to use one network from your Class A, B, or C network, which is unrealistic.
Each data link on a network must have a unique network ID, and every node on that link is a member of the same
network. If you break a major network (Class A, B, or C) into smaller subnetworks, it allows you to create a network
of interconnecting subnetworks. Each data link on this network would then have a unique network/subnetwork ID.

Any device, or gateway, that connects n networks/subnetworks has n distinct IP addresses, one for each network /
subnetwork that it interconnects.
In order to subnet a network, extend the natural mask with some of the bits from the host ID portion of the address in order to create a subnetwork ID. For example, given a Class C network of 192.168.5.0, which has a natural mask of 255.255.255.0, you can create subnets in this manner:

192.168.5.0     - 11000000.10101000.00000101.00000000
255.255.255.224 - 11111111.11111111.11111111.11100000
                                            |sub|

By extending the mask to be 255.255.255.224, you have taken three bits (indicated by "sub") from the original host portion of the address and used them to make subnets. With these three bits, it is possible to create eight subnets. With the other five host ID bits, each subnet can have up to 32 host addresses, 30 of which can actually be assigned to a device since host ids of all zeros or all ones are not allowed (it is very important to remember this). So, with this in mind, these subnets have been created.

192.168.5.0    255.255.255.224  host address range   1 to  30
192.168.5.32   255.255.255.224  host address range  33 to  62
192.168.5.64   255.255.255.224  host address range  65 to  94
192.168.5.96   255.255.255.224  host address range  97 to 126
192.168.5.128  255.255.255.224  host address range 129 to 158
192.168.5.160  255.255.255.224  host address range 161 to 190
192.168.5.192  255.255.255.224  host address range 193 to 222
192.168.5.224  255.255.255.224  host address range 225 to 254
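The address and mask arithmetic of the two sections above, written as an added shell example (not part of the study material). The functions convert between dotted decimal, integer and dotted binary forms, split an address into network ID and host ID with a mask, count the usable hosts a mask leaves (excluding the all-zeros and all-ones host IDs), and enumerate the subnets created when a natural mask is extended; run as written it recomputes the Class A example and the eight 192.168.5.0/27 subnets listed above. Masks are assumed to be contiguous (ones followed by zeros), as every mask in this module is.

```bash
#!/usr/bin/env bash
# Added example, not part of the course material: the mask and subnet arithmetic
# of this module in shell integer arithmetic.  Masks are assumed contiguous
# (all ones followed by all zeros), as every mask in the module is.

ip2int() {            # 10.20.15.1 -> 169086721
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {            # 169086721 -> 10.20.15.1
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
int2bin() {           # 169086721 -> 00001010.00010100.00001111.00000001
    n=$1; out=""; i=0
    while [ $i -lt 32 ]; do
        out="$out$(( (n >> (31 - i)) & 1 ))"
        i=$((i + 1))
        if [ $i -lt 32 ] && [ $((i % 8)) -eq 0 ]; then out="$out."; fi
    done
    echo "$out"
}
mask2prefix() {       # 255.255.255.224 -> 27 (number of leading one bits)
    m=$(ip2int "$1"); p=0
    while [ $p -lt 32 ] && [ $(( (m >> (31 - p)) & 1 )) -eq 1 ]; do p=$((p + 1)); done
    echo $p
}
prefix2mask() {       # 27 -> 255.255.255.224
    int2ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}
network_id() {        # IP MASK -> address bits where the mask is 1 (the network ID)
    a=$(ip2int "$1"); m=$(ip2int "$2")
    int2ip $(( a & m ))
}
host_id() {           # IP MASK -> address bits where the mask is 0 (the host ID)
    a=$(ip2int "$1"); m=$(ip2int "$2")
    int2ip $(( a & ~m & 0xFFFFFFFF ))
}
usable_hosts() {      # MASK -> hosts per subnet; all-zeros and all-ones host IDs are excluded
    bits=$(( 32 - $(mask2prefix "$1") ))
    if [ $bits -ge 2 ]; then echo $(( (1 << bits) - 2 )); else echo 0; fi
}
subnets() {           # NETWORK NATURAL_MASK NEW_MASK -> one line per subnet with usable range
    net=$(ip2int "$1"); oldp=$(mask2prefix "$2"); newp=$(mask2prefix "$3")
    size=$(( 1 << (32 - newp) )); count=$(( 1 << (newp - oldp) )); i=0
    while [ $i -lt $count ]; do
        base=$(( net + i * size ))
        printf '%s %s hosts %s - %s\n' "$(int2ip $base)" "$3" \
            "$(int2ip $((base + 1)))" "$(int2ip $((base + size - 2)))"
        i=$((i + 1))
    done
}

# The Class A example from the text, then the 192.168.5.0/27 subnet table.
echo "10.20.15.1  = $(int2bin $(ip2int 10.20.15.1))"
echo "255.0.0.0   = $(int2bin $(ip2int 255.0.0.0))"
echo "network id  = $(network_id 10.20.15.1 255.0.0.0)"
echo "host id     = $(host_id 10.20.15.1 255.0.0.0)"
echo "192.168.5.0 = $(int2bin $(ip2int 192.168.5.0))"
echo "usable hosts per $(prefix2mask 27) subnet: $(usable_hosts 255.255.255.224)"
subnets 192.168.5.0 255.255.255.0 255.255.255.224
```

The subnet list printed by the last line matches the table above: eight /27 networks, each with 30 assignable host addresses between the network address and the all-ones broadcast address.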

Networking in Linux

1. Linux has a very strong set of networking tools and features.
2. These tools allow you to configure and manage your network, as well as troubleshoot network problems.
3. Some of the most important networking tools in Linux include:
   ifconfig :- This command is used to configure network interfaces.
   route :- This command is used to manage routing tables.
   ip :- This command is a newer version of ifconfig that provides more features.
   ping :- This command is used to test network connectivity.
   traceroute :- This command is used to trace the path of a packet through a network.
4. Linux also includes a number of networking services, such as DHCP, DNS, and SSH.

5. These services provide essential functionality for networking, such as assigning IP addresses to devices,
resolving hostnames to IP addresses, and providing secure remote access.

Network Configuration Files in Linux

In RHEL 8 (Red Hat Enterprise Linux 8), network-related configuration is managed primarily through files in the /etc/sysconfig/network-scripts/ directory. Below are some of the important network-related files in RHEL 8:

/etc/sysconfig/network :- This file contains the hostname of the system. The hostname is set as HOSTNAME=your_hostname.

/etc/sysconfig/network-scripts/ifcfg-<interface> :- For each network interface (like eth0, eth1, etc.), there is a corresponding ifcfg file, for example /etc/sysconfig/network-scripts/ifcfg-eth0. These files store the configuration for the network interfaces, including IP address, netmask, gateway, DNS servers, and more:
    DEVICE :- The name of the network interface.
    BOOTPROTO :- The method used to obtain the IP address for the interface. The possible values are dhcp, static, and none.
    IPADDR :- The IP address of the interface.
    NETMASK :- The netmask of the interface.
    GATEWAY :- The gateway for the interface.
    DNS1 :- The primary DNS server for the interface.
    DNS2 :- The secondary DNS server for the interface.
    ONBOOT :- Whether the interface should be brought up at boot time.
  In addition to the ifcfg files, there are also a number of other files in the /etc/sysconfig/network-scripts directory that control other aspects of network configuration, such as:
    ifdown: This script is used to bring down a network interface.
    ifup: This script is used to bring up a network interface.
    network: This script is used to initialize the network at boot time.

/etc/sysconfig/network-scripts/ifcfg-lo :- This file is for the loopback interface, which is essential for internal communication on the local machine.

/etc/resolv.conf :- This file contains the DNS (Domain Name System) resolver configuration. It specifies the DNS servers that the system should use to resolve domain names to IP addresses.

/etc/hosts :- The hosts file is used to map IP addresses to hostnames locally, bypassing DNS resolution. It is commonly used for adding static entries for local network hosts.

/etc/sysconfig/networking/profiles/default/ :- This directory contains scripts used by NetworkManager to manage network profiles for various network environments.

/etc/hosts.allow and /etc/hosts.deny :- These files control access to various network services based on IP addresses or domain names.

/etc/sysctl.conf :- This file allows you to modify kernel parameters, including network-related settings like TCP/IP stack configurations.

/etc/nsswitch.conf :- This file determines the order in which the system looks up various databases, including hostnames, IP addresses, and other network-related information.

STEPS TO CONFIGURE NETWORK IN RHEL-8

1. Identify the network interface :- The first step is to identify the network interface that you want to configure. You can do this by running the ifconfig command.
2. Edit the network configuration file :- The next step is to edit the network configuration file for the interface. The default location of the network configuration file is /etc/sysconfig/network-scripts/ifcfg-eth0.
3. Configure the network parameters :- The following parameters need to be configured in the network configuration file:
   DEVICE: The name of the network interface.
   BOOTPROTO: The method used to obtain the IP address for the interface. The possible values are dhcp, static, and none.
   IPADDR: The IP address of the interface.
   NETMASK: The netmask of the interface.
   GATEWAY: The gateway for the interface.
   DNS1: The primary DNS server for the interface.
   DNS2: The secondary DNS server for the interface.
   ONBOOT: Whether the interface should be brought up at boot time.
4. Save the network configuration file :- Once you have configured the network parameters, you need to save the network configuration file.
5. Restart the network service :- Once you have saved the network configuration file, you need to restart the network service. You can do this by running the following command:
   sudo service network restart
6. Test the network connection :- Once you have restarted the network service, you need to test the network connection. You can do this by running the following command:
   ping 8.8.8.8
   If you are able to ping the Google DNS server, then the network connection has been successfully configured.

Here is an example of a network configuration file for a static IP address:

DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.1.10
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=192.168.1.1
DNS2=8.8.8.8
ONBOOT=yes

NETWORK MANAGER OVERVIEW

NetworkManager: The default tool for managing network interfaces and connections in RHEL-8.

Components:

nmcli: Command-line tool for NetworkManager.

nmtui: Text user interface for NetworkManager.

GUI: Network settings accessible via graphical tools.

CONFIGURING NETWORK INTERFACES

Using nmcli:

Check status: # nmcli general status

Show connections: # nmcli connection show

Bring an interface up/down: # nmcli device connect <interface> / # nmcli device disconnect <interface>

Configure a static IP address:

# nmcli connection modify <connection_name> ipv4.addresses <IP_address>/<prefix>
# nmcli connection modify <connection_name> ipv4.gateway <gateway>
# nmcli connection modify <connection_name> ipv4.dns <DNS>
# nmcli connection modify <connection_name> ipv4.method manual
# nmcli connection up <connection_name>

Using nmtui:

nmtui provides a text-based user interface for configuring and managing network connections.
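As an added example (not part of the study material), the script below ties the two procedures above together: it reads an ifcfg-<interface> file of the form shown earlier, checks that each address is a valid dotted quad and that the netmask is contiguous, and prints the nmcli commands from the NetworkManager section that express the same settings. Nothing is executed; the printed commands are meant to be reviewed and then run by the administrator. Two assumptions are not taken from the page: the NetworkManager connection is assumed to be named after DEVICE (so <connection_name> is the DEVICE value), and ONBOOT is mapped to the NetworkManager property connection.autoconnect. The ifcfg text used for the demonstration is the static example above.

```bash
#!/usr/bin/env bash
# Added example, not part of the course material: validate an ifcfg-<interface>
# file and print the equivalent nmcli commands.  Nothing is executed here.
# Assumptions not taken from the page: the NetworkManager connection is named
# after DEVICE, and ONBOOT maps to the property connection.autoconnect.

valid_ipv4() {        # true if $1 is a dotted quad with every octet in 0..255
    oldifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

netmask_prefix() {    # 255.255.255.0 -> 24; fails unless the mask is contiguous ones then zeros
    valid_ipv4 "$1" || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    total=0; partial=0
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in
            255) bits=8 ;; 254) bits=7 ;; 252) bits=6 ;; 248) bits=5 ;;
            240) bits=4 ;; 224) bits=3 ;; 192) bits=2 ;; 128) bits=1 ;;
            0)   bits=0 ;; *) return 1 ;;
        esac
        if [ $partial -eq 1 ] && [ $bits -ne 0 ]; then return 1; fi   # one bits after a zero bit
        if [ $bits -ne 8 ]; then partial=1; fi
        total=$((total + bits))
    done
    echo $total
}

ifcfg_get() {         # KEY TEXT -> value of the first KEY=VALUE line, surrounding quotes removed
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1 | sed 's/^"//; s/"$//'
}

ifcfg_to_nmcli() {    # ifcfg text in $1 -> nmcli commands on stdout; non-zero status if invalid
    cfg=$1
    dev=$(ifcfg_get DEVICE "$cfg")
    [ -n "$dev" ] || { echo "DEVICE is missing" >&2; return 1; }
    proto=$(ifcfg_get BOOTPROTO "$cfg")
    case "${proto:-none}" in
        dhcp)
            echo "nmcli connection modify $dev ipv4.method auto" ;;
        static|none)                                   # both mean a fixed address
            ip=$(ifcfg_get IPADDR "$cfg"); mask=$(ifcfg_get NETMASK "$cfg")
            valid_ipv4 "$ip" || { echo "IPADDR missing or invalid: $ip" >&2; return 1; }
            prefix=$(netmask_prefix "$mask") || { echo "NETMASK missing or invalid: $mask" >&2; return 1; }
            echo "nmcli connection modify $dev ipv4.addresses $ip/$prefix"
            gw=$(ifcfg_get GATEWAY "$cfg")
            if [ -n "$gw" ]; then
                valid_ipv4 "$gw" || { echo "GATEWAY invalid: $gw" >&2; return 1; }
                echo "nmcli connection modify $dev ipv4.gateway $gw"
            fi
            dns=""
            for k in DNS1 DNS2; do
                d=$(ifcfg_get $k "$cfg")
                if [ -n "$d" ]; then
                    valid_ipv4 "$d" || { echo "$k invalid: $d" >&2; return 1; }
                    dns="${dns:+$dns }$d"
                fi
            done
            if [ -n "$dns" ]; then echo "nmcli connection modify $dev ipv4.dns \"$dns\""; fi
            echo "nmcli connection modify $dev ipv4.method manual" ;;
        *)  echo "BOOTPROTO unknown: $proto" >&2; return 1 ;;
    esac
    onboot=$(ifcfg_get ONBOOT "$cfg")
    case "$onboot" in
        yes|no) echo "nmcli connection modify $dev connection.autoconnect $onboot" ;;
        '')     ;;
        *)      echo "ONBOOT must be yes or no: $onboot" >&2; return 1 ;;
    esac
    echo "nmcli connection up $dev"
}

sample_ifcfg() {      # the static-address example from the text
    cat <<'EOF'
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.1.10
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=192.168.1.1
DNS2=8.8.8.8
ONBOOT=yes
EOF
}

ifcfg_to_nmcli "$(sample_ifcfg)"
```

For the sample file the script prints the ipv4.addresses line as 192.168.1.10/24, the gateway, the two DNS servers in one ipv4.dns value, ipv4.method manual, the autoconnect setting and the final nmcli connection up; a non-contiguous netmask such as 255.0.255.0 is rejected before any command is printed.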

NETWORK TROUBLESHOOTING

• When troubleshooting network problems, it is important to have a good understanding of the Linux networking tools and features.
• You should also be familiar with the different types of network problems that can occur.
• Some of the most common network problems include:
  o Connectivity problems: These problems prevent you from connecting to other devices on the network.
  o Routing problems: These problems prevent packets from reaching their destination.
  o Name resolution problems: These problems prevent you from resolving hostnames to IP addresses.
• There are a number of tools and techniques that you can use to troubleshoot network problems.
• Some of the most common tools include:
  ping: This command is used to test network connectivity.
  traceroute: This command is used to trace the path of a packet through a network.
  netstat: This command is used to display network statistics.
  tcpdump: This command is used to capture network traffic.

MULTIPLE CHOICE QUESTIONS AND ANSWERS

MODULE-II: Network Configurations


1. Which among the following interacts directly with system hardware?
a. Shell b. Kernel
c. Commands d. Applications
2. How many layers are present in the Internet protocol stack (TCP/IP model)?
a. 5 b. 7
c. 6 d. 10
3. The number of layers in ISO OSI reference model is __________
a. 5 b. 7
c. 6 d. 10
4. Which of the following layers is an addition to OSI model when compared with TCP IP model?
a. Application layer b. Presentation layer
c. Session layer d. Session and Presentation layer
5. Application layer is implemented in ____________
a. End system b. NIC
c. Ethernet d. Packet transport
6. Transport layer is implemented in ______________
a. End system b. NIC
c. Ethernet d. Signal transmission
7. The functionalities of the presentation layer include ____________
a. Data compression b. Data encryption
c. Data description d. All of the above
8. Delimiting and synchronization of data exchange is provided by __________
a. Application layer b. Session layer
c. Transport layer d. Link layer
9. In OSI model, when data is sent from device A to device B, the 5th layer to receive data at B is
_________
a. Application layer b. Transport layer
c. Link layer d. Session layer
10. In TCP IP Model, when data is sent from device A to device B, the 5th layer to receive data at B
is ____________
a. Application layer b. Transport layer
c. Link layer d. Session layer
11. In the OSI model, as a data packet moves from the lower to the upper layers, headers are
_______
a. Added b. Removed
c. Rearranged d. Randomized
12. What is private IP Address range of Class A Network?
a. 10.0.0.0-10.255.255.255 b. 10.0.0.0-11.255.255.255
c. 1.0.0.0.0-1.255.255.255 d. 11.0.0.0.0-11.255.255.255
13. Which address represents a unicast address?
a. 224.1.5.2 b. FFFF.FFFF.FFFF
c. 192.168.24.58/30 d. 255.255.255.255


14. In which configuration file would you set the hostname?


a. /etc/defaults/hostname b. /etc/hosts
c. /etc/hostname d. /etc/sysconfig/network
15. /etc/sysconfig/network-scripts/ifcfg-eth0 file contains ‘PREFIX’, which refers to
a. Netmask b. Multicast Address
c. Network Address d. Broadcast Address
16. What is the name of configuration file that could resolve host names to IP Address locally?
a. /etc/host b. /etc/hosts
c. /etc/host.conf d. /etc/hostname
17. What is the name of DNS client configuration file?
a. /etc/resolv b. /etc/hostname
c. /etc/resolv.conf d. /etc/hostname.conf
18. A _______ is the physical path over which a message travels.
a. Path c. Protocol
b. Medium d. Route
19. A _________ set of rules that governs data communication.
a. Protocols c. RFCs
b. Standards d. Servers
20. Three or more devices share a link in ________ connection.
a. Unipoint c. Point to point
b. Multipoint d. Simplex
21. When collection of various computers seems a single coherent system to its client, then it is
called _________
a. computer network c. networking system
b. distributed system d. mail system
22. Communication channel is shared by all the machines on the network in ________
a. broadcast network c. multicast network
b. unicast network d. anycast network
23. Bluetooth is an example of __________
a. personal area network c. virtual private network
b. local area network d. wide area network
24. A __________ is a device that forwards packets between networks by processing the routing
information included in the packet.
a. bridge c. router
b. firewall d. hub
25. The physical layer is concerned with ___________
a. bit-by-bit delivery c. application to application delivery
b. process to process delivery d. port to port delivery
26. Wireless transmission of signals can be done via ___________
a. radio waves c. infrared
b. microwaves d. all of the mentioned
27. The network layer is concerned with __________ of data.
a. bits c. packets
b. frames d. Bytes


28. Which one of the following is not a function of network layer?


a. routing c. congestion control
b. inter-networking d. error control
29. In IPv4 Addresses, classful addressing is replaced with ________
a. Classless Addressing c. Classful Advertising
b. Classful Addressing d. Classless Advertising
30. Command to configure the network in Linux
a. setup c. System-config-networking
b. setconfig d. ifconfig
31. IP parameters are stored in Linux in the following:
a. /etc/sysconfig/network c. /etc/sysconfig/network-scripts/ifcfg-eth0
b. /etc/sysconfig/sysctl.conf d. /etc/host.conf
32. /etc/sysconfig/network-scripts/ifcfg-eth0 file contains “BOOTPROTO=none”, which refers to
a. Static c. NFS
b. DHCP d. SMB
33. How do you rename file ‘new’ to file ‘old’?
a. mv new old b. move new old
c. cp new old d. del new old
34. Host specific configuration files are installed in
a. /etc/ directory b. /bin/ directory
c. /var directory d. /dev directory
35. What is the default mode of vi editor?
a. Command mode b. Ex mode
c. Input mode d. Insert mode
36. Which option of rmdir command will remove all directories a, b, c if path is a/b/c
a. –b b. –p
c. –o d. –t
37. Which command is used for counting words, lines and characters in a file?
a. diff b. man
c. count d. wc
38. Which editor is used by the Linux system to edit files?
a. vi b. word
c. notepad d. notepad++
39. To insert text into a file, _____ mode is used.
a. Command mode b. Ex mode
c. Insert mode d. def mode
40. To quit vi editor without saving the buffer we can use
a. :q b. :w
c. :c d. :q!
41. Which command is used to display the IP addresses assigned to all network interfaces in Linux?
a. ifconfig b. ipconfig
c. netstat d. Ip


42. Which command is used to trace the path to a remote host?


a. traceroute b. tracepath
c. ping d. netstat
43. Which command is used to display a list of all open network connections?
a. netstat b. ss
c. ifconfig d. ping
44. Which command is used to resolve a domain name to an IP address?
a. dig b. host
c. nslookup d. ping

Question Number Correct Answer
1. b. Kernel
2. a. 5
3. b. 7
4. d. Session and Presentation layer
5. a. End system
6. a. End system
7. d. All of the above
8. b. Session layer
9. d. Session layer
10. a. Application layer
11. b. Removed
12. a. 10.0.0.0-10.255.255.255
13. c. 192.168.24.58/30
14. d. /etc/sysconfig/network
15. a. Netmask
16. b. /etc/hosts
17. c. /etc/resolv.conf
18. b. Medium
19. a. Protocols
20. b. Multipoint
21. b. distributed system
22. a. broadcast network
23. a. personal area network
24. c. router
25. a. bit-by-bit delivery
26. d. all of the mentioned
27. c. packets
28. d. error control
29. a. Classless Addressing
30. a. setup
31. c. /etc/sysconfig/network-scripts/ifcfg-eth0
32. a. Static


33. a. mv new old


34. a. /etc/ directory
35. a. Command mode
36. b. –p
37. d. wc
38. a. vi
39. c. Insert mode
40. d. :q!
41. a. ifconfig
42. a. traceroute
43. a. netstat
44. a. dig

SHORT ANSWER QUESTIONS

1. Describe the procedure of changing hostname in Linux machine.


2. A block contains an IP address 205.16.37.39/24. What is the network address and broadcast address?
3. Describe the following paths:
(i) /etc/sysconfig/network
(ii) /etc/sysconfig/network-scripts/ifcfg-eth0
4. How do I use the ping command to test network connectivity?
5. How do I use the traceroute command to trace the path to a remote host?
6. How do I use the netstat command to display a list of all open network connections?
7. Describe the function of NetworkManager in linux.
8. Write down the differences between IPv4 & IPv6 addressing.
9. Discuss about the IPv4 address scheme along with classifications & subnet masks.

10. How do I resolve a domain name to an IP address?

LONG ANSWER QUESTIONS

1. Describe the procedure of changing hostname in Linux machine.


2. Describe the function of ‘/etc/sysconfig/network’ and ‘/etc/resolv.conf’ file.
3. What are the utilities of ‘ifdown eth0’ and ‘ifup eth0’?
4. How do you configure a static IP address on my Linux system?


MODULE-III: - DNS SERVER

History of DNS

ARPANET utilized a central file, hosts.txt. It contained name-to-address mappings and was maintained by SRI's NIC
(Stanford Research Institute: Network Information Center).

Administrators emailed changes to the NIC. The NIC updated hosts.txt periodically. Administrators downloaded hosts.txt by FTP.

As the system grew, hosts.txt had problems with:

Scalability (traffic and load)
Name collisions
Consistency

In 1984, Paul Mockapetris released the first version (RFCs 882 and 883, superseded by 1034 and 1035 …)

Introduction to DNS

A server to translate IP aliases (names) to addresses. As you know, IP (Internet Protocol) works by providing every Internet
machine with a unique address. As humans, we tend not to be able to remember lengthy strings of numbers, so it is
easier for us to name our machines. DNS allows us to reference machines by name and still use IP.

DNS servers exist across the Internet (globally); however, within a given domain, you might have a DNS server that breaks
that domain into subdomains. For instance, NKU is a domain known by the global DNS servers, but within NKU we might
have cs.nku.edu, it.nku.edu, library.nku.edu, etc. These subdomains are known by our DNS server, which can then
pass this information on to other DNS servers around the world.

DNS requests use UDP (User Datagram Protocol) and typically communicate over port 53 to DNS servers; both the request
and the response are usually single UDP datagrams.

The structure of DNS is tree-like. When you want to translate an IP alias to an address, you ask your local DNS server to
perform the lookup of the given domain. If that information is not available locally, the DNS server asks its nearest neighbour
DNS server, which will be one level higher. If that server does not have the information, it asks its next nearest neighbour
(again, one level higher). Ultimately, if no DNS server on the path up the tree has the information, you get an error.

The precise location of a domain name in this hierarchy is known as a fully qualified domain name (FQDN). If the
alias has subdomains that are not known by the responding DNS server, then it forwards the request to the domain's DNS server.

A DNS server can act as a server that translates IP aliases and/or as a cache that merely stores previous lookups and responds
from them if available.


DNS Hierarchy


DNS Query:

A query is a particular request received by a DNS server for name resolution; the server provides a
particular response to the request.

Types of DNS Query

Iterative Query
When one DNS server sends a query to another DNS server, it is called an iterative query.

Recursive Query
When a DNS client sends a request to the DNS server, it is called a recursive query.

Recursion
This is a server-directed process to resolve an FQDN. If the server cannot resolve the FQDN with its own
information, it will send the query to other name servers. The recursion process comprises root servers and
domain name servers.

1) The DNS client requests a name, like www.Sybex.com, from its DNS server.
2) Through the recursive process, the DNS server queries the root servers for the .com domain name servers.
3) The root servers give a list of name servers for the .com domain.
4) Then the DNS server queries the .com name servers for Sybex.com.
5) It receives another list of name servers for the Sybex.com domain.
6) It queries the provided name servers for the www.Sybex.com FQDN.
7) The Sybex.com DNS server coughs up the IP address of the www server to the DNS server.
8) The DNS server passes the IP address to the client.
9) Armed with the IP address, the client connects with the web server www.Sybex.com.


DNS Zone: -

A DNS zone is an entity that stores object information in various records. These are the zone
types: -

Primary zone
Secondary zone
Forward lookup zone
Reverse lookup zone
Stub zone

Primary Zone: - Primary (master) zones contain a read/write copy of the zone data. There can be only one
master zone on one DNS server at a time. All DNS records, whether added manually or automatically, are written to the
primary zone of the DNS server.

Secondary Zone: - The secondary DNS zone is a read-only copy of the zone data. Most of the time, secondary
(slave) zones are copies of master zones.

Forward Lookup Zone and Reverse Lookup Zone: - You can use a forward lookup zone to map a domain name to its
IP address. On the other hand, a reverse lookup zone maps an IP address to its domain records.

Stub Zone: - DNS stub zones are used to enable your DNS servers to resolve records in another domain. The
information in the stub zone allows your DNS server to contact the authoritative DNS server directly.

Zone Transfer: -

A zone transfer is initiated when


• A master DNS server sends notification of zone changes to the secondary server or servers.
• The secondary server queries a master DNS server for changes to the zone file.

DNS Record Types: -

RECORD TYPE DESCRIPTION

A record: Stands for address record; this record is responsible for IPv4 resolution (name to IP).

AAAA record: Stands for address record; this record is responsible for IPv6 resolution (name to IP).

Alias record: Alias (CNAME) records are created to list a secondary name for a computer. It is also referred to as
a canonical name.

MX record: Stands for Mail Exchange record, which redirects mail for any user to a designated mail host.

SRV record: Location of a service on the network, which contains the following data:
- Service (e.g. LDAP)
- Target (host that offers that service)
- Port
- Priority (lower is preferred)
Usually created automatically by applications.

SOA record: Stands for start of authority record. This record indicates which particular DNS server is
authoritative for a particular DNS zone. It holds:
• One per zone
• Primary name server
• E-mail of administrator
• Serial number
• Refresh time for the zone.

PTR record: The 'pointer' record is exactly the opposite of the 'A' record; the PTR record will give you the
domain associated with a given IP address. The PTR record is used in reverse-lookup zones for reverse DNS
searches.

NS record: NS stands for 'name server' and this record indicates which DNS server is authoritative for that
domain (which server contains the actual DNS records). A domain will often have multiple NS records, which can
indicate primary and backup name servers for that domain.
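The record types above, the SOA fields (serial, refresh) and the zone transfer described just before the table are easiest to see in a zone file. The following is an added example, not from the original notes or from BIND: a small parser for BIND master-file syntax that handles $TTL, the @ origin, relative names and a multi-line SOA, a set of sanity checks a primary should pass before `rndc reload` (exactly one SOA, at least one NS, no CNAME sharing a name with other records), and the RFC 1982 serial comparison a secondary uses to decide whether a transfer is needed. The zone text for example.net with TEST-NET addresses is constructed; the check list is this example's own choice, not a BIND feature.

```python
# Constructed zone file for the documentation domain example.net (TEST-NET
# addresses); not from the notes.  Layout follows BIND master-file syntax.
ZONE_TEXT = """\
$TTL 86400
@   IN  SOA  ns1.example.net. admin.example.net. (
            2024091501 ; serial  (YYYYMMDDnn)
            3600       ; refresh
            900        ; retry
            604800     ; expire
            86400 )    ; minimum
@       IN  NS    ns1.example.net.
@       IN  MX 10 mail.example.net.
ns1     IN  A     192.0.2.53
mail    IN  A     192.0.2.25
www     IN  CNAME ns1
"""

KNOWN_TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "PTR", "SRV", "TXT"}


def parse_zone(text, origin):
    """Parse master-file text into records: name, ttl, type, rdata tokens."""
    if not origin.endswith("."):
        origin += "."
    # Strip ';' comments, then join records whose rdata spans '(' ... ')'.
    logical, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf += line if not buf else " " + line
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append(buf)
            buf = ""
    records, default_ttl, owner = [], None, origin
    for line in logical:
        toks = line.replace("(", " ").replace(")", " ").split()
        if toks[0] == "$TTL":
            default_ttl = int(toks[1])
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if not line[0].isspace():                # a leading blank means 'same owner'
            name = toks.pop(0)
            owner = origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")
        ttl = default_ttl
        if toks and toks[0].isdigit():           # optional per-record TTL
            ttl = int(toks.pop(0))
        if toks and toks[0].upper() == "IN":     # optional class
            toks.pop(0)
        rtype = toks.pop(0).upper()
        if rtype not in KNOWN_TYPES:
            raise ValueError(f"{owner}: unknown record type {rtype}")
        records.append({"name": owner, "ttl": ttl, "type": rtype, "rdata": toks})
    return records


def soa_fields(records):
    """The seven SOA fields as a dict, numeric ones converted to int."""
    soa = next(r for r in records if r["type"] == "SOA")
    keys = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
    vals = soa["rdata"][:7]
    return dict(zip(keys, vals[:2] + [int(v) for v in vals[2:]]))


def check_zone(records):
    """Sanity checks a primary should pass before 'rndc reload'."""
    problems = []
    soas = [r for r in records if r["type"] == "SOA"]
    if len(soas) != 1:
        problems.append(f"expected exactly one SOA, found {len(soas)}")
    if not any(r["type"] == "NS" for r in records):
        problems.append("zone has no NS record")
    types_by_name = {}
    for r in records:
        types_by_name.setdefault(r["name"], set()).add(r["type"])
    for name, types in types_by_name.items():
        if "CNAME" in types and len(types) > 1:      # RFC 1034: CNAME must stand alone
            problems.append(f"{name} has CNAME alongside other records")
    return problems


def serial_is_newer(primary_serial, secondary_serial):
    """RFC 1982 serial-number arithmetic (32-bit): True when the secondary
    must transfer the zone, i.e. the primary's serial is 'greater' even if
    the counter has wrapped around."""
    if primary_serial == secondary_serial:
        return False
    return (primary_serial - secondary_serial) % 2**32 < 2**31
```

The secondary contacts the primary every refresh seconds and compares serials with serial_is_newer; this is why the serial must be raised on every edit, and why a date-based serial such as 2024091501 is convenient. CNAME rdata is kept relative here (www points to "ns1"); expand it with the origin if you need absolute targets.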

Server Types: -

Root DNS Server: - Root hints are a list of the DNS servers on the Internet that your DNS servers can use to resolve
queries for names they do not know. When a DNS server cannot resolve a name query by using its local data, it
uses its root hints to send the query to a root DNS server.

Primary DNS Server: - A primary DNS server is the first point of contact for a browser, application or device that
needs to translate a human-readable hostname into an IP address. The primary DNS server contains a DNS record
that has the correct IP address for the hostname.

Secondary DNS Server: - The secondary DNS server is an authoritative server that obtains information about a zone
from the primary server via zone transfer (RFC 2182). The secondary DNS server is therefore tied to the primary
server.

Caching Only Name Server: - A caching-only name server is a name server in the Domain Name System (DNS) that
can resolve name lookup requests but does not maintain its own local DNS database or zone file of resource records.


A caching-only DNS server receives queries from clients, performs the queries against other name servers, caches
the results, and returns those results to the client. It then answers subsequent queries for the specified host from
the cache instead of submitting them to an external server.

All DNS servers cache the results of their queries. However, some DNS servers are put into place to provide only
this caching function. The caching-only DNS server does not contain zone information or a zone database file. The
caching-only server only contains information based on the results of queries that it has already performed.

In this case, the cache takes the place of the zone database file. These caching-only DNS servers can be set up
quickly, and are an important ally in your network and Internet security design.

The caching-only server uses this list (its root hints) to begin building its cache. It adds to the cache as it issues iterative
queries when responding to client requests to resolve fully qualified domain names to IP addresses. After the FQDNs
are resolved to IP addresses, this information is stored in the DNS server cache.

Caching-only servers are valuable because:

• They do not participate in zone transfer, and therefore there is no zone transfer traffic

• They can be placed on the far side of a slow WAN link and provide host name resolution for remote
offices that do not require a high level of host name resolution support

• They can be implemented to provide secure host name resolution when configured as forwarders
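The nine recursion steps for www.Sybex.com and the caching-only behaviour described here can be run as a small model. The following is an added example, not from the original notes or from any DNS software: three in-memory name servers stand in for the root, .com and Sybex.com servers (TEST-NET addresses as placeholders), each answering only from its own data as an iterative query requires, and a RecursiveResolver walks the referral chain on the client's behalf and caches the answer until its TTL expires. A pluggable clock makes the expiry testable; real resolvers also cache the NS referrals, which this model leaves out to keep the chain visible.

```python
import time

# Constructed, in-memory stand-ins for the root, .com and Sybex.com name
# servers (TEST-NET addresses); each server answers only from its own data,
# as in the iterative queries of steps 2-7 above.
ROOT_SERVERS = ["198.51.100.1"]
SERVER_DATA = {
    "198.51.100.1": {"com.": ("NS", ["198.51.100.2"])},                  # root
    "198.51.100.2": {"sybex.com.": ("NS", ["198.51.100.3"])},            # .com TLD
    "198.51.100.3": {"www.sybex.com.": ("A", ["203.0.113.80"], 300)},    # authoritative
}


def query_server(server_ip, qname):
    """One iterative query.  Returns ('answer', ips, ttl), ('referral', ns_ips)
    or ('nxdomain',).  The server never asks anyone else on our behalf."""
    data = SERVER_DATA[server_ip]
    rec = data.get(qname)
    if rec and rec[0] == "A":
        return ("answer", rec[1], rec[2])
    labels = qname.split(".")
    for i in range(1, len(labels)):          # closest enclosing delegation first
        suffix = ".".join(labels[i:])
        rec = data.get(suffix)
        if rec and rec[0] == "NS":
            return ("referral", rec[1])
    return ("nxdomain",)


class RecursiveResolver:
    """The client's DNS server: walks the referral chain from the root and
    caches answers until their TTL expires (caching-only behaviour)."""

    def __init__(self, clock=time.time):
        self.cache = {}        # qname -> (ips, expires_at)
        self.clock = clock

    def resolve(self, name):
        qname = name.lower() if name.endswith(".") else name.lower() + "."
        now = self.clock()
        cached = self.cache.get(qname)
        if cached and cached[1] > now:       # TTL not yet reached: no network query
            return cached[0], ["cache"]
        servers, trace = list(ROOT_SERVERS), []
        for _ in range(16):                  # bound the chain against referral loops
            server = servers[0]
            trace.append(server)
            resp = query_server(server, qname)
            if resp[0] == "answer":
                self.cache[qname] = (resp[1], now + resp[2])
                return resp[1], trace
            if resp[0] == "referral":
                servers = resp[1]
                continue
            raise LookupError(f"{qname}: NXDOMAIN from {server}")
        raise LookupError(f"{qname}: referral chain too long")


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("www.Sybex.com"))   # walks root -> .com -> sybex.com
    print(r.resolve("www.Sybex.com"))   # served from the cache
```

The trace returned with each answer is the list of servers the resolver had to ask: the full chain on a cold cache, just "cache" while the 300-second TTL holds, and the full chain again once it has expired, which is the behaviour the MCQ below on cache expiry refers to.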


Forwarding:
This is an alternative to the recursion process. Forwarding is a lateral request to another nameserver within the
network. The forwarding server obtains a response and relays it to the originating name server.

Some important parameters: -

PARAMETER DESCRIPTION
Protocol DNS
Required RPM 1. bind-9.*
2. Caching-nameserver-*
Port No 53
Main Configuration File 1. /etc/named.conf
2. /var/named/ directory (contains DNS zone files)
Daemon named


MULTIPLE CHOICE QUESTIONS AND ANSWERS

MODULE-III: DNS SERVER

1. What port does DNS listen, by default?


a. TCP 53 b. Either (a) or (c)
c. UDP 53 d. Both (a) and (c)
2. DNS database contains _______
a. Name server records b. Hostname aliases
c. Hostname-to-address records d. All of the above
3. The ____ translates internet domain and host names to IP address.
a. Domain name system b. Network time protocol
c. Routing information protocol d. Internet relay chat
4. Allow-transfer {192.168.10.10; }; here 192.168.10.10 refers to
a. Master DNS b. Cache DNS
c. Slave DNS d. Both (b) and (c)
5. ‘rndc reload’ is used to
a. Transfer date and time b. Transfer hostname
c. Transfer zone file d. Transfer IP address
6. Which type of record is not stored in forward lookup zone?
a. A b. PTR
c. CNAME d. MX
7. What is the name of configuration file that could resolve host names to IP Address locally?
a. /etc/host b. /etc/hosts
c. /etc/host.conf d. /etc/hostname
8. What is the setting to tell the secondary DNS, WHEN to contact and update configuration files
in primary DNS?
a. Serial b. Refresh
c. Retry d. Expiry
9. What is the setting to tell the secondary DNS, that there was a change in primary DNS that has
to be updated?
a. Serial b. Refresh
c. Retry d. Expiry
10. What is the keyword used to define a Mail Server?
a. CNAME b. NS
c. MX d. PTR
11. What is the keyword used to define a domain alias?
a. CNAME b. NS
c. MX d. PTR
12. Which of the following statements is not true about DNS lookups?
a. Every host should be configured with at least 2 DNS name servers.
b. After retrieving information from another DNS server, the DNS server stores the requested information in its cache.
c. If the requested data was not found locally on the DNS name server, a name server of the root domain is contacted.
d. Information in the cache of a DNS server expires once the TTL is reached.
13. Which resource record is used to look up the hostname for a specific IPv4 address?
a. A b. PTR
c. AA d. AAAA
14. ‘PTR’record is used in
a. Forward lookup zone b. Both (a) and (c)
c. Reverse lookup zone d. None of the above
15. Zone is defined in a ____ file of primary DNS Server
a. /etc/dns.conf b. /etc/named.conf
c. /etc/bind.conf d. /etc/named/named.conf
16. All zone related information stored in a DNS zone file that is stored in
a. /var b. /etc
c. /var/log d. /var/named

Question Number Correct Answer


1. d. Both (a) and (c)
2. d. All of the above
3. a. Domain name system
4. d. Both (b) and (c)
5. c. Transfer zone file
6. b. PTR
7. b. /etc/hosts
8. b. Refresh
9. a. Serial
10. c. MX
11. a. CNAME
12. d. Information in the cache of a DNS server expires once the TTL is reached.
13. a. A
14. c. Reverse lookup zone
15. b. /etc/named.conf
16. d. /var/named

SHORT ANSWER QUESTIONS

1. Describe the terms ‘SOA’, ‘PTR’, ‘MX’, ‘CNAME’ and ‘A’
2. Write down the short notes on DNS Zone.
3. What does BIND stand for?
4. What is the default port of BIND?
5. Which are the important configuration files for DNS server?
6. On which version of BIND have you worked?
7. What is the utility of dig command?
8. Describe the function of /etc/resolv.conf file.
9. What is the difference between A record and CNAME record in DNS?
10. How does a DNS lookup query work when you type a URL in a browser?


LONG ANSWER QUESTIONS

1. What is zone file? What will be the entry into zone file for mapping masterdns.example.com to
192.168.10.254?
2. What is the utility of dig command? Describe the function of /etc/resolv.conf file.
3. Describe the terms ‘NS’ and ‘A’. How serial number relates both master and slave DNS server?
4. What is the utility of MAC binding? What is the utility of ‘hostname’ command?
5. Describe the features of different types of DNS Server.


MODULE-IV: - DHCP SERVER

DHCP definition

DHCP stands for Dynamic Host Configuration Protocol and is a network protocol used on IP networks where a
DHCP server automatically assigns an IP address and other information to each host on the network so they
can communicate efficiently with other endpoints.

A DHCP server is a network server that automatically provides and assigns IP addresses, default gateways and
other network parameters to client devices. It relies on the standard protocol known as Dynamic Host
Configuration Protocol or DHCP to respond to broadcast queries by clients.

A DHCP server enables computers to request IP addresses and networking parameters automatically from
the Internet service provider (ISP), reducing the need for a network administrator or a user to manually assign
IP addresses to all network devices. In the absence of a DHCP server, a computer or other device on the
network needs to be manually assigned an IP address, or to assign itself an APIPA address, which will not
enable it to communicate outside its local subnet.

DHCP can be implemented on networks ranging in size from home networks to large campus networks and
regional Internet service provider networks. A router or a residential gateway can be enabled to act as a DHCP
server. Most residential network routers receive a globally unique IP address within the ISP network.

Within a local network, a DHCP server assigns a local IP address to each device connected to the network.

Internet Protocol (IP) defines how devices communicate within and across local networks on the Internet. A
DHCP server can manage IP settings for devices on its local network, e.g., by assigning IP addresses to those
devices automatically and dynamically.

DHCP operates based on the client–server model. When a computer or other device connects to a network,
the DHCP client software sends a DHCP broadcast query requesting the necessary information. Any DHCP
server on the network may service the request. The DHCP server manages a pool of IP addresses and
information about client configuration parameters such as default gateway, domain name, the name servers,
and time servers. On receiving a DHCP request, the DHCP server may respond with specific information for
each client, as previously configured by an administrator, or with a specific address and any other information
valid for the entire network and for the time period for which the allocation (lease) is valid. A DHCP client
typically queries for this information immediately after booting, and periodically thereafter before the
expiration of the information. When a DHCP client refreshes an assignment, it initially requests the same
parameter values, but the DHCP server may assign a new address based on the assignment policies set by
administrators.

On large networks that consist of multiple links, a single DHCP server may service the entire network when aided by
DHCP relay agents located on the interconnecting routers. Such agents relay messages between DHCP clients and
DHCP servers located on different subnets.

Depending on implementation, the DHCP server may have three methods of allocating IP addresses:


Dynamic allocation
A network administrator reserves a range of IP addresses for DHCP, and each DHCP client on the LAN is
configured to request an IP address from the DHCP server during network initialization. The request-and-grant
process uses a lease concept with a controllable time period, allowing the DHCP server to reclaim and
then reallocate IP addresses that are not renewed.

Automatic allocation

The DHCP server permanently assigns an IP address to a requesting client from the range defined by the
administrator. This is like dynamic allocation, but the DHCP server keeps a table of past IP address assignments,
so that it can preferentially assign to a client the same IP address that the client previously had.

DHCP is used for both Internet Protocol version 4 (IPv4) and IPv6, and both versions serve the same purpose.

Operation

DHCP employs a connectionless service model, using the User Datagram Protocol (UDP). It is implemented
with two UDP port numbers for its operations, which are the same as for the Bootstrap Protocol (BOOTP). UDP
port number 67 is the destination port of a server, and UDP port number 68 is used by the client.

DHCP operations fall into four phases: server discovery, IP lease offer, IP lease request, and IP lease
acknowledgement. These stages are often abbreviated as DORA for discovery, offer, request, and
acknowledgement.

The DHCP operation begins with clients broadcasting a request. If the client and server are on.

DHCP Message Types

DORA PROCESS

1. DHCP DISCOVER
2. DHCP OFFER
3. DHCP REQUEST
4. DHCP ACKNOWLEDGEMENT


How DHCP Server assign IP to the client

D – D in the term DORA stands for the DHCP Discover packet. The DHCP Discover packet is broadcast by the DHCP
client computer in order to find the available DHCP server(s) in the network. Since the DHCP client computer sends
the DHCP Discover packet as a broadcast, all the DHCP servers that are present in the network receive the packet
and respond accordingly.

O – O in the term DORA stands for the DHCP Offer packet. The DHCP Offer is a unicast packet that is sent
by the DHCP server that receives the DHCP Discover packet from the DHCP client computer. The DHCP
Offer packet contains the available IP address that the DHCP server offers to the client computer.

R – R in the term DORA stands for the DHCP Request packet. The DHCP Request is again a unicast packet sent
by the DHCP client computer to the DHCP server that sent the DHCP Offer packet to the client computer.
With the help of the DHCP Request packet, the DHCP client computer requests the DHCP server to assign the
offered IP address to it.

A – A in the term DORA stands for the DHCP Acknowledge packet. The DHCP Acknowledge is a unicast
packet sent by the DHCP server to the DHCP client computer acknowledging the assignment of the offered
IP address for a specific lease time.
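The DORA exchange, the dynamic and automatic allocation methods described earlier, and the fixed address bound to a MAC are all decisions the server makes against its lease table. The following is an added example, not from the original notes or from ISC dhcpd: a model of the server side only, with a dynamic pool, lease expiry, a preference for handing a returning client its previous address, outstanding offers that are not handed to a second client, and a DHCPNAK for a request that does not match an offer. Time is a counter advanced with tick() so the run is deterministic; the MAC 00:11:1A:2B:3C:AB and the addresses are constructed sample values.

```python
import ipaddress


class DhcpServer:
    """Model of the server side of DORA over one dynamic pool, with lease
    expiry (dynamic allocation), 'same address as last time' preference
    (automatic allocation) and MAC-bound fixed addresses.  Time is a counter
    advanced with tick() so the behaviour is deterministic."""

    def __init__(self, range_start, range_end, lease_time, fixed=None):
        first = int(ipaddress.IPv4Address(range_start))
        last = int(ipaddress.IPv4Address(range_end))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.lease_time = lease_time
        self.fixed = {m.lower(): ip for m, ip in (fixed or {}).items()}  # mac -> ip
        self.leases = {}      # ip -> (mac, expires_at)
        self.history = {}     # mac -> last ip it held
        self.offers = {}      # mac -> ip offered, awaiting DHCPREQUEST
        self.now = 0

    def _offerable(self, ip, mac):
        """Free, or already leased/offered to this same client."""
        lease = self.leases.get(ip)
        held_by_other = lease is not None and lease[1] > self.now and lease[0] != mac
        offered_to_other = any(m != mac and a == ip for m, a in self.offers.items())
        return not held_by_other and not offered_to_other

    def discover(self, mac):
        """DHCPDISCOVER (client broadcast) -> DHCPOFFER, or None if nothing is free."""
        mac = mac.lower()
        if mac in self.fixed:
            candidates = [self.fixed[mac]]                       # 'host' reservation
        else:
            prev = self.history.get(mac)
            candidates = [prev] if prev in self.pool else []      # automatic allocation
            candidates += [a for a in self.pool if a != prev and a not in self.fixed.values()]
        for ip in candidates:
            if self._offerable(ip, mac):
                self.offers[mac] = ip
                return {"type": "DHCPOFFER", "yiaddr": ip, "lease_time": self.lease_time}
        return None                                               # pool exhausted

    def request(self, mac, ip):
        """DHCPREQUEST naming the offered address -> DHCPACK, else DHCPNAK."""
        mac = mac.lower()
        if self.offers.get(mac) != ip or not self._offerable(ip, mac):
            return {"type": "DHCPNAK"}
        del self.offers[mac]
        expires = self.now + self.lease_time
        self.leases[ip] = (mac, expires)
        self.history[mac] = ip
        return {"type": "DHCPACK", "yiaddr": ip, "expires_at": expires}

    def tick(self, seconds):
        """Advance the clock; leases whose expires_at is reached become free."""
        self.now += seconds


if __name__ == "__main__":
    # Constructed values: a two-address pool and one MAC-bound reservation.
    srv = DhcpServer("192.168.1.10", "192.168.1.11", lease_time=600,
                     fixed={"00:11:1A:2B:3C:AB": "192.168.1.100"})
    offer = srv.discover("aa:00:00:00:00:01")
    print(offer, srv.request("aa:00:00:00:00:01", offer["yiaddr"]))
```

Two things are worth watching in a run: a third client on the two-address pool gets no offer until a lease has expired, and a client whose old address has meanwhile been offered to someone else is given a different one rather than a duplicate, which is the collision the lease table exists to prevent.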

Concept of logical port

In computer science, a logical port is a number assigned to a “logical” connection. In simpler terms, it is the
endpoint of a logical connection that describes a service in TCP/IP and UDP. There are 65,536 TCP ports and
65,536 UDP ports. We count from 0 to 65,536. By including TCP/UDP port 0, the total number becomes 65,536
ports. Port numbers are assigned to a service, which is helpful to TCP/IP in identifying what ports it must send
traffic to. For example, TCP port 80 handles HTTP, which is unencrypted Web traffic. Therefore, whenever TCP/IP
is handling communication between a client and a Web server, it will be using TCP port 80 (or TCP port 443 for
HTTPS). The Internet Assigned Numbers Authority (IANA) maintains a list of official port assignments and divides
these ports into 3 ranges:

Well-Known Ports (0-1023)

The port numbers in the “well-known” port range are assigned to commonly used protocols or services, from
ports 0 to 1023. This port range also gets its own nickname, which is “non-ephemeral ports.” The word
ephemeral means temporary. By being non-ephemeral, the well-known ports are permanent.

Registered Ports (1024-49151)

A registered port is a network port (a sub-address defined within the Internet Protocol, in the range 1024–
49151) assigned by the Internet Assigned Numbers Authority (IANA) (or by the Internet Corporation for Assigned
Names and Numbers (ICANN) before March 21, 2001, or by USC/ISI before 1998) for use with a certain
protocol or application.

Dynamic or Private Ports (49152-65535)

The dynamic port numbers (also known as the private port numbers) are the port numbers that are available
for use by any application in communicating with any other application, using the Internet's
Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP). When one application
communicates with another application at another host computer on the Internet, it specifies that application
in each data transmission by using its port number.

Some Well-Known Ports

Port Service name Transport protocol


20, 21 File Transfer Protocol (FTP) TCP
22 Secure Shell (SSH) TCP and UDP
23 Telnet TCP
25 Simple Mail Transfer Protocol (SMTP) TCP
50, 51 IPSec
53 Domain Name System (DNS) TCP and UDP
67, 68 Dynamic Host Configuration Protocol (DHCP) UDP
69 Trivial File Transfer Protocol (TFTP) UDP
80 HyperText Transfer Protocol (HTTP) TCP
110 Post Office Protocol (POP3) TCP
119 Network News Transport Protocol (NNTP) TCP
123 Network Time Protocol (NTP) UDP
135-139 NetBIOS TCP and UDP
143 Internet Message Access Protocol (IMAP4) TCP and UDP
161, 162 Simple Network Management Protocol (SNMP) TCP and UDP
389 Lightweight Directory Access Protocol TCP and UDP
443 HTTP with Secure Sockets Layer (SSL) TCP and UDP
3389 Remote Desktop Protocol TCP and UDP


Install DHCP Package

First install the DHCP packages using the yum package manager on CentOS or Red Hat systems. The DHCP rpms are
available in the base repositories, so we don't need to add an extra repository.

Update /etc/sysconfig/dhcpd File

First we need to set the ethernet interface name as DHCPDARGS in the /etc/sysconfig/dhcpd file. Edit this configuration
file and update the ethernet name.

DHCPDARGS=eth1

Configure DHCP Server

DHCP creates an empty configuration file, /etc/dhcp/dhcpd.conf. It also provides a sample configuration file at
/usr/share/doc/dhcp*/dhcpd.conf.sample, which is very useful for configuring the DHCP server.

So as a first step, copy the content of the sample configuration file to the main configuration file. The path of the sample
configuration file may vary as per the version you have installed on your system.

Parameter Configuration

First, configure the basic options that are common to all supported networks.
option domain-name "myserver.net";
option domain-name-servers ns1.myserver.net, ns2.myserver.net;
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;

IP Subnet Declaration

Next, edit the DHCP configuration file and add the subnet details for your network. In this example, we configure
DHCP for the 192.168.1.0/24 LAN.

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.254;
    option subnet-mask 255.255.255.0;
    option domain-search "myserver.net";
    option domain-name-servers 192.168.1.1;
    option time-offset -18000; # Eastern Standard Time
    range 192.168.1.10 192.168.1.100;
}

Assign Static IP Address to Host

In some cases we need a host to receive the same fixed IP address every time it requests one from DHCP. This is done by
reserving the address against the MAC address (hardware ethernet) of that host's interface. Setting the host-name
option is optional.

host station1 {
option host-name "station1.example.com";
hardware ethernet 00:11:1A:2B:3C:AB;
fixed-address 192.168.1.100;
}
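The declarations above can be sanity-checked before dhcpd is started. The following script is an added example, not part of this material or of the ISC DHCP distribution; it reads a dhcpd.conf fragment (the constructed sample embeds this module's subnet and host declarations) and reports a range or router outside the declared subnet, a reservation that belongs to no subnet, a MAC address used twice, and a fixed-address that falls inside the dynamic range, where it can collide with a lease handed to another client. dhcpd -t is still the syntax check; this covers what the syntax check does not.

```python
"""Semantic checks for an ISC dhcpd.conf fragment (dhcpd -t checks syntax only).

Added example, not from the study material or the ISC DHCP distribution.
"""
import ipaddress
import re

# Constructed sample: the module's subnet and host declarations. The
# reservation's address sits at the top of the dynamic range on purpose.
SAMPLE_CONF = """\
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.254;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 192.168.1.1;
    range 192.168.1.10 192.168.1.100;
}
host station1 {
    option host-name "station1.example.com";
    hardware ethernet 00:11:1A:2B:3C:AB;
    fixed-address 192.168.1.100;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
HOST_RE = re.compile(r"host\s+(\S+)\s*\{(.*?)\}", re.S)


def parse(conf):
    """Extract subnet (network, routers, range) and host (name, mac, fixed) data."""
    subnets = []
    for addr, mask, body in SUBNET_RE.findall(conf):
        routers = re.search(r"option\s+routers\s+([^;]+);", body)
        rng = re.search(r"range\s+(\S+)\s+(\S+)\s*;", body)
        subnets.append({
            "net": ipaddress.ip_network(f"{addr}/{mask}", strict=False),
            "routers": [ipaddress.ip_address(r.strip())
                        for r in routers.group(1).split(",")] if routers else [],
            "range": (ipaddress.ip_address(rng.group(1)),
                      ipaddress.ip_address(rng.group(2))) if rng else None,
        })
    hosts = []
    for name, body in HOST_RE.findall(conf):
        mac = re.search(r"hardware\s+ethernet\s+([0-9A-Fa-f:]+)\s*;", body)
        fixed = re.search(r"fixed-address\s+([^;]+);", body)
        hosts.append({
            "name": name,
            "mac": mac.group(1).lower() if mac else None,
            "fixed": ipaddress.ip_address(fixed.group(1).strip()) if fixed else None,
        })
    return subnets, hosts


def check(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    subnets, hosts = parse(conf)
    for s in subnets:
        net = s["net"]
        for r in s["routers"]:
            if r not in net:
                findings.append(f"router {r} is outside subnet {net}")
        if s["range"]:
            lo, hi = s["range"]
            if lo > hi:
                findings.append(f"range {lo}-{hi} starts after it ends")
            elif lo not in net or hi not in net:
                findings.append(f"range {lo}-{hi} is not inside subnet {net}")
    seen = {}
    for h in hosts:
        if h["mac"] and h["mac"] in seen:
            findings.append(f"host {h['name']} reuses MAC {h['mac']} of host {seen[h['mac']]}")
        elif h["mac"]:
            seen[h["mac"]] = h["name"]
        if h["fixed"] is None:
            continue
        homes = [s for s in subnets if h["fixed"] in s["net"]]
        if not homes:
            findings.append(f"host {h['name']}: fixed-address {h['fixed']} is in no declared subnet")
        for s in homes:
            # dhcpd does not reserve a fixed-address out of a dynamic range declared
            # in the same subnet, so the same address can also be handed out as a lease.
            if s["range"] and s["range"][0] <= h["fixed"] <= s["range"][1]:
                findings.append(f"host {h['name']}: fixed-address {h['fixed']} lies inside "
                                f"dynamic range {s['range'][0]}-{s['range'][1]}")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```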

Start DHCP Service

After making all the above changes, start the dhcp service using the commands appropriate to your operating system
version.

Similarly, use the corresponding commands to stop and restart the dhcp service.

Setup Client System

At this stage we have a running DHCP server that is ready to accept requests and assign proper IP addresses. To verify
it, another CentOS machine on the same LAN is used as the client. Log in to that client machine and edit its Ethernet
configuration file.

DEVICE=eth1
BOOTPROTO=dhcp
TYPE=Ethernet
ONBOOT=yes

Make sure BOOTPROTO is set to dhcp.

Restart the network service on the client machine. You will see that the DHCP server has assigned an IP address from
the defined subnet. If you are connected to the client PC through a remote login, your session may be disconnected.


MULTIPLE CHOICE QUESTIONS AND ANSWERS

MODULE-IV: DHCP SERVER


1. DHCP (dynamic host configuration protocol) provides __________ to the client.
a. IP address b. Url
c. MAC address d. None of the above
2. DHCP is used for ________
a. IPv6 b. Both IPv6 and IPv4
c. IPv4 d. None of the above
3. The DHCP server _________
a. maintains a database of available IP addresses b. grants an IP address when it receives a request from a client
c. maintains the information about client configuration parameters d. all of the above
4. IP assigned for a client by DHCP server is
a. for a limited period b. not time dependent
c. for an unlimited period d. none of the above
5. DHCP uses UDP port _________ for sending data to the server.
a. 66 b. 68
c. 67 d. 69
6. The DHCP server can provide the _______ of the IP addresses.
a. dynamic allocation b. static allocation
c. automatic allocation d. all of the above
7. DHCP client and servers on the same subnet communicate via _________
a. UDP broadcast b. TCP broadcast
c. UDP unicast d. TCP unicast
8. Which command is used to check the syntax of the dhcpd.conf file?
a. dhcpd -t b. dhcpd -T
c. DHCPD -t d. DHCPD -T
9. How does a DHCP server dynamically assign an IP address to a host?
a. Addresses are allocated after a negotiation between the server and the host to determine the length of the agreement.
b. Addresses are assigned for a fixed period of time. At the end of the period, a new request for an address must be made, and another address is then assigned.
c. Addresses are leased to the host. A host will usually keep the same address by periodically contacting the DHCP server to renew the lease.
d. Addresses are permanently assigned so that the host uses the same address at all times.
10. Which command is used to start a service from runlevel?
a. chkconfig b. init
c. service d. setsebool
11. Which file is required to change the hostname of a machine?
a. /etc/hosts b. /etc/resolv.conf
c. /etc/sysconfig/network d. /etc/nsswitch.conf
12. What is the role of DHCP (Dynamic Host Configuration Protocol) in Linux-based networks?
a. It is responsible for encrypting network communication. b. It assigns static IP addresses to network devices.
c. It dynamically assigns IP addresses and network configuration to devices on the network. d. It manages network hardware, such as switches and routers.
13. Which of the following is the purpose of the DHCP server?
a. To provide a central repository for network configuration information. b. To dynamically assign IP addresses to client devices.
c. To provide a way for clients to discover the network settings. d. All of the above.
14. How does a client device request an IP address from the DHCP server?
a. It sends a DHCPDISCOVER message. b. It sends a DHCPREQUEST message.
c. It sends a DHCPOFFER message. d. Both A and B.
15. What is the default lease time for a DHCP IP address in RHEL6?
a. 1 hour b. 6 hours
c. 24 hours d. 7 days
16. Which of the following is a DHCP option?
a. The IP address of the DHCP server. b. The subnet mask.
c. The default gateway. d. All of the above.
17. How can you configure a DHCP server in RHEL6?
a. Edit the dhcpd.conf file. b. Use the dhcpd command-line utility.
c. Both A and B. d. None of these above

Question Number   Correct Answer
1.   a. IP address
2.   b. Both IPv6 and IPv4
3.   d. all of the above
4.   a. for a limited period
5.   c. 67
6.   d. all of the above
7.   a. UDP broadcast
8.   a. dhcpd -t
9.   c. Addresses are leased to the host. A host will usually keep the same address by periodically contacting the DHCP server to renew the lease.
10.  a. chkconfig
11.  c. /etc/sysconfig/network
12.  c. It dynamically assigns IP addresses and network configuration to devices on the network.
13.  d. All of the above.
14.  d. Both A and B.
15.  c. 24 hours
16.  d. All of the above.
17.  c. Both A and B.


SHORT ANSWER QUESTIONS

1. What is DHCP? What information can a DHCP server provide to a host.
2. What is the configuration file of DHCP Server?
3. Describe the Scope in DHCP server.
4. How does DHCP work?
5. What are the benefits of using DHCP?
6. What are the disadvantages of using DHCP?
7. Which port does DHCP use?
8. What do you mean by an IP Lease?
9. What exactly is IP Reservation?
10. Can we assign static IP address to hosts ?

LONG ANSWER QUESTIONS

1. Write down the short notes of “DORA” process in DHCP with suitable diagram.
2. What is the utility of integrating DNS with DHCP? Describe with a suitable example.
3. What is DHCP relay?
4. What is APIPA? What is the range of APIPA address?
5. What exactly is a SUPER SCOPE?


MODULE-V: - Provide Apache HTTPD web service

Introduction to Web Servers

Web Server: A web server is software that serves web content (such as HTML pages, multimedia files, etc.) to clients
(web browsers) over the HTTP protocol. It processes incoming requests from clients and delivers the requested
resources.

Apache HTTP Server: Commonly referred to as Apache, it is the most widely used web server software.
Developed and maintained by the Apache Software Foundation, it is open-source and runs on various
platforms, including Linux, Windows, and macOS.

Features of Apache HTTP Server

Open Source: Apache is free to use and modify, encouraging community contributions and improvements.

Cross-Platform: Apache can run on almost any operating system.

Extensible: Supports a wide range of modules for additional functionality, such as SSL support, URL rewriting, and
authentication.

High Performance: Capable of handling large volumes of traffic efficiently.

Security: Offers various security features to protect web applications and server infrastructure.

Basic Architecture of Apache

Core: The core of Apache handles basic functions such as managing network connections and handling requests.

Modules: Apache's functionality can be extended with modules. Some common modules include:

mod_ssl: Provides support for SSL/TLS.

mod_rewrite: Allows for URL rewriting.

mod_proxy: Enables proxy/gateway functionality.

Configuration Files: Apache's behavior is controlled by configuration files, primarily httpd.conf and additional files
in the conf.d directory.

Installing Apache on Linux

Installation Process:

On RHEL-based systems (Red Hat, CentOS, Fedora), Apache can be installed using the dnf package manager:

# sudo dnf install httpd

Configuring Apache

Main Configuration File: /etc/httpd/conf/httpd.conf

Key Directives:

ServerRoot: Specifies the directory where the server's configuration, error, and log files are stored.


DocumentRoot: The directory out of which Apache will serve files. Typically, /var/www/html.

Listen: Specifies the IP addresses and ports on which Apache will listen for incoming requests.

ServerName: The hostname and port that the server uses to identify itself.

Virtual Hosts

Virtual hosting allows Apache to serve different websites from the same server.

Configuration example for a virtual host:

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html/example.com
    ErrorLog /var/log/httpd/example.com_error.log
    CustomLog /var/log/httpd/example.com_access.log combined
</VirtualHost>

Managing Apache

Systemctl Commands:

Start Apache:

# sudo systemctl start httpd


Stop Apache:
# sudo systemctl stop httpd
Restart Apache:

# sudo systemctl restart httpd

Enable Apache to start on boot:

# sudo systemctl enable httpd

Check Apache's status:

# sudo systemctl status httpd

Securing Apache

Firewall Configuration:

Allow HTTP and HTTPS traffic through the firewall:

# sudo firewall-cmd --permanent --add-service=http

# sudo firewall-cmd --permanent --add-service=https


# sudo firewall-cmd --reload

SELinux Configuration:

Adjust SELinux policies to allow Apache to function correctly:

# sudo setsebool -P httpd_unified 1

# sudo setsebool -P httpd_enable_homedirs 1

Disabling Directory Listing:

Prevent the listing of files in directories:

Options -Indexes

Restricting Access to Sensitive Files:

Prevent access to configuration and sensitive files:

<Files ".ht*">
    Require all denied
</Files>

Performance Tuning

MaxClients: Controls the maximum number of simultaneous connections that Apache will handle.

KeepAlive: Enables persistent connections, reducing the overhead of establishing new connections for each
request.

Caching: Use caching mechanisms (like mod_cache) to improve response times and reduce load.

Logging and Monitoring

Log Files:

Access Log: /var/log/httpd/access_log

Error Log: /var/log/httpd/error_log

LogFormat: Customize the format of the logs to capture the required information.

Monitoring Tools: Use tools like Nagios, Zabbix, or Grafana for monitoring Apache performance and uptime.
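As an added example (not from this material or the Apache project), the following script reads an access_log written with the combined LogFormat used in the virtual-host configuration above, counts response status codes per client, and flags clients that collect many 403/404 responses, a cheap first signal of probing that is worth looking into. The log lines are constructed samples.

```python
"""Summarise an Apache access_log written in the 'combined' LogFormat.

Added example, not from the study material or the Apache project.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the combined format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# The last line is deliberately malformed to exercise the parser.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Oct/2024:13:55:36 +0530] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Oct/2024:13:55:37 +0530] "GET /logo.png HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"
192.168.1.77 - - [10/Oct/2024:13:56:01 +0530] "GET /.htaccess HTTP/1.1" 403 199 "-" "curl/7.76.1"
192.168.1.77 - - [10/Oct/2024:13:56:02 +0530] "GET /admin/ HTTP/1.1" 404 196 "-" "curl/7.76.1"
192.168.1.77 - - [10/Oct/2024:13:56:02 +0530] "GET /backup.zip HTTP/1.1" 404 196 "-" "curl/7.76.1"
192.168.1.77 - - [10/Oct/2024:13:56:03 +0530] "GET /old/ HTTP/1.1" 404 196 "-" "curl/7.76.1"
this line is not a valid log entry
"""

COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields, or None if the line is not in combined format."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    parts = entry["request"].split(" ")  # "METHOD /path HTTP/x.y"
    entry["method"] = parts[0] if parts else ""
    entry["path"] = parts[1] if len(parts) > 1 else ""
    return entry


def summarise(log_text, error_threshold=3):
    """Count status codes per client; flag clients with >= threshold 403/404s."""
    per_client = defaultdict(Counter)
    unparsed = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            unparsed += 1  # count, never silently drop, lines the regex rejects
            continue
        per_client[entry["host"]][entry["status"]] += 1
    suspicious = sorted(
        host for host, counts in per_client.items()
        if counts[403] + counts[404] >= error_threshold
    )
    return {"clients": dict(per_client), "suspicious": suspicious, "unparsed": unparsed}


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for host, counts in sorted(result["clients"].items()):
        print(host, dict(counts))
    print("clients with repeated 403/404:", result["suspicious"])
    print("unparsed lines:", result["unparsed"])
```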

Advanced Topics

SSL/TLS Configuration:

Secure your Apache server with SSL/TLS:

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html/example.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/chain.crt
</VirtualHost>
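The hardening settings in this module (Options -Indexes, the <Files ".ht*"> deny rule, the TLS virtual-host directives) can be audited mechanically. The following script is an added example, not part of this material or of httpd; it understands only the simple directive and section syntax used in the fragments above, and its sample configuration is constructed so that the HTTP vhost passes while the TLS vhost fails two checks. httpd -t remains the syntax check.

```python
"""Audit httpd virtual-host configuration for the hardening settings
discussed in this module: directory listing, .ht* files, TLS directives.

Added example, not from the study material or the Apache project. It is a
small line-oriented reader of httpd.conf syntax, not a full parser: it
handles <VirtualHost>, one level of nested <Files>/<Directory> sections,
and simple "Directive value" lines, which covers the fragments above.
"""
import re

# Constructed sample: the HTTP vhost is hardened as in the text; the TLS
# vhost re-enables directory listing and has no .ht* deny rule anywhere.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html/example.com
    <Directory /var/www/html/example.com>
        Options -Indexes
    </Directory>
    <Files ".ht*">
        Require all denied
    </Files>
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html/example.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
    <Directory /var/www/html/example.com>
        Options +Indexes
    </Directory>
</VirtualHost>
"""

OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")


def parse_contexts(conf):
    """Return [global, vhost, vhost, ...]; each context is a dict with
    'addr', 'directives' (name -> [values]) and 'sections'
    (list of (kind, argument, directives) for nested blocks)."""
    global_ctx = {"addr": "(global)", "directives": {}, "sections": []}
    contexts, current, nested = [global_ctx], global_ctx, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            kind, arg = m.group(1), m.group(2).strip().strip('"')
            if kind == "VirtualHost":
                current = {"addr": arg, "directives": {}, "sections": []}
                contexts.append(current)
            else:
                nested = (kind, arg, {})
                current["sections"].append(nested)
            continue
        m = CLOSE_RE.match(line)
        if m:
            if m.group(1) == "VirtualHost":
                current = global_ctx
            else:
                nested = None
            continue
        name, _, value = line.partition(" ")
        target = nested[2] if nested is not None else current["directives"]
        target.setdefault(name, []).append(value.strip())
    return contexts


def denies_ht_files(ctx):
    """True if the context carries <Files ".ht*"> ... Require all denied."""
    return any(kind == "Files" and arg == ".ht*"
               and "all denied" in sec.get("Require", [])
               for kind, arg, sec in ctx["sections"])


def audit(conf):
    """Return findings as '<vhost>: <problem>' strings (empty = clean)."""
    findings = []
    contexts = parse_contexts(conf)
    global_ok = denies_ht_files(contexts[0])  # a global rule covers all vhosts
    for ctx in contexts:
        addr, d = ctx["addr"], ctx["directives"]
        for kind, arg, sec in ctx["sections"]:
            for opts in sec.get("Options", []):
                tokens = opts.split()
                if "Indexes" in tokens or "+Indexes" in tokens:
                    findings.append(f"{addr}: directory listing enabled in <{kind} {arg}>")
        if addr == "(global)":
            continue
        if not (global_ok or denies_ht_files(ctx)):
            findings.append(f"{addr}: .ht* files are not denied")
        if addr.endswith(":443"):
            if [v.lower() for v in d.get("SSLEngine", [])] != ["on"]:
                findings.append(f"{addr}: SSLEngine is not on")
            for req in ("SSLCertificateFile", "SSLCertificateKeyFile"):
                if req not in d:
                    findings.append(f"{addr}: missing {req}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```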

Reverse Proxy:

Use Apache as a reverse proxy to forward requests to another server:

<VirtualHost *:80>
    ServerName proxy.example.com
    ProxyPass / http://backend.example.com/
    ProxyPassReverse / http://backend.example.com/
</VirtualHost>

MULTIPLE CHOICE QUESTIONS AND ANSWERS

MODULE-V: - Provide Apache HTTPD web service


1. What is the default port of HTTP and HTTPS

a. 80 and 443 b. 80 and 21

c. 443 and 80 d. 21 and 23

2. In Apache Web server, the “DocumentRoot” folder contains:-

a. Static Web page file (which is called “WebRoot”) b. Both (a) and (b)

c. Configuration file of Apache Web server d. none of the mentioned

3. How to verify httpd.conf file to ensure no configuration syntax error

a. httpd -p b. httpd -t

c. httpd -s d. httpd -n

4. What is the default document root directory for Apache on RHEL 8?

a. /var/www/ b. /etc/httpd/

c. /usr/local/apache/ d. /var/www/html/

5. What is the main configuration file for Apache?

a. /etc/apache2/apache2.conf b. /usr/local/apache2/conf/httpd.conf

c. /etc/httpd/conf/httpd.conf d. /var/www/html/httpd.conf

6. Which directive in the Apache configuration file specifies the directory out of which the server will
serve documents?

a. ServerRoot b. DocumentRoot

c. ServerName d. Listen

7. How do you restart the Apache service on RHEL 8?

a. sudo service apache2 restart b. sudo systemctl restart httpd

c. sudo systemctl restart apache2 d. sudo service httpd restart

8. Which module is used to enable SSL/TLS support in Apache?

a. mod_rewrite b. mod_ssl

c. mod_proxy d. mod_security

9. Where are the Apache error logs typically stored?

a. /etc/httpd/logs/error_log b. /var/log/apache2/error.log

c. /var/log/httpd/error_log d. /usr/local/apache2/logs/error_log

10. Which directive is used to set the hostname and port that the server uses to identify itself?

a. ServerRoot b. ServerAlias

c. ServerAdmin d. ServerName

11. What is the command to check the status of the Apache service?

a. sudo service httpd status b. sudo systemctl status apache

c. sudo systemctl status httpd d. sudo systemctl check httpd

12. What module is cached sized used with?

a. mod_proxy b. mod_usertrack

c. mod_ssl d. mod_alias

13. What is the default extension for Apache Configuration File?

a. .con b. .txt

c. .conf d. .configuration

14. What is the location of log files for Apache Server?

a. /deck/log/httpd b. /drive/log/httpd

c. /var/log/httpd d. /location/log/httpd


15. What is the command to check the version of the Apache Server?

a. rpm -qa|grep|version http| b. rpm -qa|check http|version

c. rpm -qa|grep httpd d. rpm -qa|grep http|version

16. Does Apache act as a proxy server?

a. Cannot be determined b. Yes, using mod_proxy module

c. Yes, by default d. No

17. How do you change the default web root in Apache Server?

a. Change the DocumentRoot in httpd.server file b. Change the DocumentRoot in httpd.root file

c. Change the DocumentRoot in httpd.admin file d. Change the DocumentRoot in httpd.conf file

18. The most famous HTTP response error “Not Found” code is:-

a. 400 b. 405

c. 404 d. 408

19. Which log file is maintained by the Apache HTTP server?

a. Apache/logs/access.log b. Apache/logs/error.log

c. Apache/access/file.log d. Both (a) and (b)

20. How can you allow HTTP and HTTPS traffic through the firewall on RHEL 8?

a. sudo firewall-cmd --add-service=http,https

b. sudo firewall-cmd --permanent --add-service=http
   sudo firewall-cmd --permanent --add-service=https
   sudo firewall-cmd --reload

c. sudo firewall-cmd --enable http,https d. sudo firewall-cmd --open http,https

21. Which of the following directives is used to prevent the listing of files in a directory?

a. Options +Indexes b. Options -Indexes

c. AllowOverride None d. Deny from all

22. What is the purpose of the mod_rewrite module in Apache?

a. To enable SSL/TLS support b. To rewrite URLs

c. To manage proxy settings d. To handle user authentication


23. Which command is used to enable Apache to start on boot?

a. sudo chkconfig httpd on b. sudo systemctl enable apache2

c. sudo systemctl enable httpd d. sudo enable apache2

24. What is the purpose of the ProxyPass directive in Apache?

a. To enable URL rewriting b. To define document root

c. To forward requests to another server d. To set the server name

25. Which file should be edited to configure a new virtual host in Apache on RHEL 8?

a. /etc/httpd/conf/httpd.conf b. /etc/httpd/conf.d/vhost.conf

c. /var/www/html/vhost.conf d. /etc/httpd/virtual.conf

Question Number   Correct Answer
1.   a. 80 and 443
2.   a. Static Web page file (which is called “WebRoot”)
3.   b. httpd -t
4.   d. /var/www/html/
5.   c. /etc/httpd/conf/httpd.conf
6.   b. DocumentRoot
7.   b. sudo systemctl restart httpd
8.   b. mod_ssl
9.   c. /var/log/httpd/error_log
10.  d. ServerName
11.  c. sudo systemctl status httpd
12.  a. mod_proxy
13.  c. .conf
14.  c. /var/log/httpd
15.  c. rpm -qa|grep httpd
16.  b. Yes, using mod_proxy module
17.  d. Change the DocumentRoot in httpd.conf file
18.  c. 404
19.  d. Both (a) and (b)
20.  b. Options -Indexes
21.  b. To rewrite URLs
22.  b. To rewrite URLs
23.  c. sudo systemctl enable httpd
24.  c. To forward requests to another server
25.  b. /etc/httpd/conf.d/vhost.conf


SHORT ANSWER QUESTIONS

1. What is the purpose of the Apache HTTP Server?


2. Where is the main Apache configuration file located on RHEL 8?
3. How do you install Apache on a RHEL 8 system?
4. What command is used to start the Apache service on RHEL 8?
5. Which directive is used to specify the directory from which Apache will serve files?
6. How do you enable Apache to start automatically at boot time on RHEL 8?
7. What is the default port on which Apache listens for HTTP requests?
8. How can you test the syntax of the Apache configuration files?
9. What module is commonly used to enable SSL/TLS support in Apache?
10. Where are Apache's log files typically stored on RHEL 8?
11. How can you stop the Apache service on RHEL 8?
12. What is a virtual host in Apache?
13. How do you reload the Apache configuration without restarting the server?
14. What is the purpose of the ServerName directive?
15. Which command is used to check the status of the Apache service?

LONG ANSWER QUESTIONS

1. What is the difference between HTTP and HTTPS?


2. What are the packages required to configure Apache Web server in Linux?
3. How to secure Website hosted on Apache Web Server?
4. What is Virtual Hosting?
5. What is DocumentRoot?
6. How to verify httpd.conf file to ensure no configuration syntax error?
7. How to ensure web server is getting started after server reboot?
8. What do you understand by “DirectoryIndex”?
9. What do 200, 403 & 503 HTTP error code mean?
10. How to troubleshoot port conflict issue?


MODULE-VI: - Mail Server

Introduction to Email Servers

Definition: An email server is a server that handles and delivers email over a network, typically the internet.

Types of Email Servers:

SMTP (Simple Mail Transfer Protocol): Used for sending emails.

IMAP (Internet Message Access Protocol): Used for receiving emails, allowing multiple clients to manage the same
mailbox.

POP3 (Post Office Protocol 3): Used for receiving emails, downloading emails from the server to the client.

Common Email Server Software

Postfix: A free and open-source mail transfer agent (MTA) that routes and delivers electronic mail.

Sendmail: One of the oldest and most versatile MTAs.

Exim: Another flexible mail transfer agent.

Dovecot: An open-source IMAP and POP3 server for Unix-like operating systems.

Courier: A mail transfer agent with integrated POP3 and IMAP servers.

Setting Up an Email Server Using Postfix and Dovecot on RHEL 8

Step-by-Step Guide:

1. Install Postfix and Dovecot:

# sudo dnf install postfix dovecot -y

2. Configure Postfix:

Edit the main configuration file:

# sudo vi /etc/postfix/main.cf

Set the following basic parameters:

myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
home_mailbox = Maildir/


Start and enable Postfix:

# sudo systemctl start postfix

# sudo systemctl enable postfix

3. Configure Dovecot:

Edit the main configuration file:

# sudo vi /etc/dovecot/dovecot.conf

Set the following basic parameters:

protocols = imap pop3 lmtp
mail_location = maildir:~/Maildir

Edit the authentication file:

# sudo vi /etc/dovecot/conf.d/10-auth.conf

Enable the plaintext authentication mechanisms (acceptable here only because ssl = required, set in the next step,
makes Dovecot refuse them until the client has negotiated TLS):

disable_plaintext_auth = no
auth_mechanisms = plain login

Edit the SSL configuration file:

# sudo vi /etc/dovecot/conf.d/10-ssl.conf

Set the SSL parameters:

ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

Start and enable Dovecot:

# sudo systemctl start dovecot

# sudo systemctl enable dovecot

4. Configure Firewall:

Allow SMTP and IMAP/POP3 traffic:

# sudo firewall-cmd --permanent --add-service=smtp

# sudo firewall-cmd --permanent --add-service=imap

# sudo firewall-cmd --permanent --add-service=pop3

# sudo firewall-cmd --reload


Understanding Email Flow

Sending Email:

MUA (Mail User Agent): The client application (like Thunderbird or Outlook) used to compose and send an email.

MTA (Mail Transfer Agent): (e.g., Postfix) routes the email to the recipient's mail server.

MDA (Mail Delivery Agent): (e.g., Dovecot) delivers the email to the recipient's mailbox.

Receiving Email:

MTA receives email: The recipient's MTA receives the email from the sender's MTA.

MDA stores email: The MDA (like Dovecot) stores the email in the recipient's mailbox.

MUA retrieves email: The recipient's MUA retrieves the email from the mailbox using IMAP or POP3.
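The decision the MTA makes at the RCPT TO step, deliver locally, relay, or refuse, is what separates a mail server from an open relay. The following script is an added example, neither Postfix code nor part of this material: it models that decision with the mydestination value configured above and walks a constructed SMTP session through a minimal state machine, printing both sides' messages. MYNETWORKS is an assumed trusted-client list, since mynetworks is not set in the main.cf fragment above.

```python
"""Relay control at the RCPT TO step, the check that keeps an MTA from
being an open relay. Added example: a simplified model, not Postfix code.
"""
import ipaddress

# Constructed settings mirroring the main.cf values in this module.
MYHOSTNAME = "mail.example.com"
MYDOMAIN = "example.com"
MYDESTINATION = {MYHOSTNAME, "localhost." + MYDOMAIN, "localhost", MYDOMAIN}
# Assumed trusted client networks (Postfix's mynetworks is not set above).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]


def recipient_domain(address):
    """'<User@Example.COM>' -> 'example.com'; None if there is no domain."""
    address = address.strip().strip("<>")
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


def rcpt_decision(client_ip, recipient, authenticated=False):
    """Return (smtp_code, reply_text) for one RCPT TO command.

    Local domains (mydestination) are always accepted; anything else is
    relayed only for trusted networks or authenticated clients.
    """
    domain = recipient_domain(recipient)
    if domain is None:
        return 501, "Bad recipient address syntax"
    if domain in MYDESTINATION:
        return 250, f"Ok, {domain} is a local destination"
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in MYNETWORKS):
        return 250, f"Ok, relaying for trusted client {client_ip}"
    return 554, f"Relay access denied for {domain}"


def run_session(client_ip, lines, authenticated=False):
    """Feed client lines through a minimal SMTP state machine and return
    the server replies as (client_line, code, text) tuples."""
    replies = []
    state, rcpts = "connected", 0
    for line in lines:
        if state == "data" and line != ".":
            continue  # message body line: no reply until the final "."
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            code, text, state = 250, MYHOSTNAME, "greeted"
        elif verb == "MAIL" and state == "greeted":
            code, text, state, rcpts = 250, "Ok", "mail", 0
        elif verb == "RCPT" and state in ("mail", "rcpt"):
            code, text = rcpt_decision(client_ip, arg.split(":", 1)[-1], authenticated)
            if code == 250:
                state, rcpts = "rcpt", rcpts + 1
        elif verb == "DATA":
            if state == "rcpt" and rcpts:
                code, text, state = 354, "End data with <CR><LF>.<CR><LF>", "data"
            else:
                code, text = 503, "Error: need RCPT command"
        elif line == "." and state == "data":
            code, text, state = 250, "Ok: queued", "greeted"
        elif verb == "QUIT":
            code, text = 221, "Bye"
        else:
            code, text = 503, "Error: bad sequence of commands"
        replies.append((line, code, text))
    return replies


if __name__ == "__main__":
    # An untrusted Internet client (documentation address) first asks to
    # relay to a foreign domain, then sends to a local user.
    session = ["EHLO client.example.org", "MAIL FROM:<someone@example.org>",
               "RCPT TO:<bob@example.net>", "RCPT TO:<alice@example.com>",
               "DATA", "Subject: hello", "", "Hi Alice", ".", "QUIT"]
    for line, code, text in run_session("203.0.113.5", session):
        print(f"C: {line}\nS: {code} {text}")
```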

Security Considerations

Encryption:

TLS/SSL: Use TLS/SSL to encrypt communications between email clients and servers (SMTP, IMAP, and POP3).

Authentication:

Strong Passwords: Enforce the use of strong passwords for all email accounts.

Two-Factor Authentication (2FA): Implement 2FA where possible.

Spam Filtering:

Install and configure spam filtering tools: Tools like SpamAssassin can help reduce spam emails.

Regular Updates:

Keep software up to date: Regularly update Postfix, Dovecot, and other related software to patch security
vulnerabilities.

Troubleshooting Common Issues

Email Not Being Sent:

Check Postfix logs: Look at /var/log/maillog for any errors or warnings.

Verify DNS settings: Ensure that your domain's DNS records (MX, SPF, DKIM) are correctly configured.

Email Not Being Received:

Check Dovecot logs: Review logs in /var/log/maillog.

Firewall settings: Ensure that the firewall is not blocking necessary ports (25 for SMTP, 143 for IMAP, 110 for POP3).


Authentication Failures:

Verify user credentials: Ensure that the username and password are correct.

Check Dovecot authentication configuration: Ensure that the authentication settings in /etc/dovecot/conf.d/10-
auth.conf are correct.

Best Practices

Backup:

Regularly backup mail data: Ensure you have regular backups of all mail data and configurations.

Monitoring:

Monitor server performance and logs: Use tools like logwatch or Logrotate to manage and monitor log files.

User Education:

Educate users: Make sure users are aware of phishing attacks and how to handle suspicious emails.


MULTIPLE CHOICE QUESTIONS AND ANSWERS

MODULE-VI: - Mail Server

1. Simple mail transfer protocol (SMTP) utilizes _________ as the transport layer protocol for electronic
mail transfer.

a. TCP b. UDP

c. DCCP d. SCTP

2. SMTP connections secured by SSL are known as _____________

a. SMTPS b. SSMTP

c. SNMP d. STARTTLS

3. SMTP uses which of the following TCP port?

a. 22 b. 23

c. 21 d. 25

4. Which one of the following protocol is not used to send and receive mail messages?

a. SMTP b. Post Office Protocol (POP)

c. Internet Message Access Protocol (IMAP) d. FTP

5. An email client needs to know the _________ of its initial SMTP server.

a. IP address b. MAC address

c. URL d. Name

6. An SMTP session may not include _______

a. Zero SMTP transaction b. One SMTP transaction

c. More than one SMTP transaction d. One HTTP transaction

7. SMTP defines _______

a. Message transport b. Message encryption

c. Message content d. Message password

8. SMTP is not used to deliver messages to ______

a. User’s terminal b. User’s mailbox

c. User’s word processor d. User’s email client

9. When the mail server sends mail to other mail servers it becomes ____________

a. SMTP server b. SMTP client

c. Peer d. Master

10. Expansion of SMTP is ________

a. Simple Message Transfer Protocol b. Simple Mail Transmission Protocol

c. Simple Message Transmission Protocol d. None of the above

11. Which of the following is an example of user agents for e-mail?

a. Microsoft Outlook b. Facebook

c. Google d. Tumblr

12. User agent does not support this ___________

a. Composing messages b. Reading messages

c. Replying messages d. Routing messages

13. Which protocol is primarily used for sending emails?

a. IMAP b. POP3

c. SMTP d. FTP

14. Where is the main configuration file for Postfix located on a RHEL 8 system?

a. /etc/postfix/main.cf b. /etc/mail/postfix.cf

c. /etc/postfix.conf d. /var/spool/postfix/main.cf

15. Which of the following is an open-source IMAP and POP3 server commonly used with Postfix?

a. Sendmail b. Exim

c. Dovecot d. Courier

16. To start the Postfix service on RHEL 8, which command is used?

a. sudo systemctl start mail b. sudo systemctl start postfix

c. sudo systemctl enable postfix d. sudo service postfix start

17. Which file should be edited to set up user authentication in Dovecot?

a. /etc/dovecot/dovecot.conf b. /etc/dovecot/conf.d/10-auth.conf

c. /etc/dovecot/authentication.conf d. /etc/dovecot/user.conf

18. What is the default port for IMAP?

a. 25 b. 110

c. 143 d. 993

19. To allow SMTP traffic through the firewall on RHEL 8, which command should be used?


a. sudo firewall-cmd --permanent --add-service=mail b. sudo firewall-cmd --permanent --add-service=smtp

c. sudo firewall-cmd --permanent --add-port=25 d. sudo firewall-cmd --permanent --add-service=smtps

20. Which Postfix directive specifies the domain for outgoing emails?

a. myhostname b. mydomain

c. myorigin d. inet_interfaces

21. In which directory are the email logs typically stored on a RHEL 8 system?

a. /var/log/mail b. /var/log/email

c. /var/log/postfix d. /var/log/maillog

22. Which protocol should be used to encrypt email communications?

a. FTP b. HTTP

c. SSL/TLS d. SSH

23. What command is used to reload the Postfix configuration without restarting the service?

a. sudo systemctl reload postfix b. sudo postfix reload

c. sudo systemctl restart postfix d. sudo service postfix reload

24. Which file in Dovecot configuration specifies the SSL certificate and key locations?

a. /etc/dovecot/dovecot.conf b. /etc/dovecot/conf.d/10-ssl.conf

c. /etc/dovecot/conf.d/ssl-cert.conf d. /etc/dovecot/ssl.conf

25. How can you check the status of the Postfix service on RHEL 8?

a. sudo service postfix status b. sudo systemctl check postfix

c. sudo systemctl status postfix d. sudo postfix status

26. Which command is used to generate a self-signed SSL certificate for securing email communication?

a. sudo openssl generate cert b. sudo openssl req -new -x509

c. sudo openssl genrsa d. sudo openssl sign cert

27. What does the mail_location directive in Dovecot specify?

a. The directory where mail logs are stored b. The location of the Dovecot configuration files

c. The format and location of users' mailboxes d. The domain name for incoming emails


Question Number   Correct Answer
1.   a. TCP
2.   a. SMTPS
3.   d. 25
4.   d. FTP
5.   a. IP address
6.   d. One HTTP transaction
7.   a. Message transport
8.   c. User’s word processor
9.   b. SMTP client
10.  a. Simple Message Transfer Protocol
11.  a. Microsoft Outlook
12.  a. Microsoft Outlook
13.  c. SMTP
14.  a. /etc/postfix/main.cf
15.  c. Dovecot
16.  b. sudo systemctl start postfix
17.  b. /etc/dovecot/conf.d/10-auth.conf
18.  c. 143
19.  b. sudo firewall-cmd --permanent --add-service=smtp
20.  c. myorigin
21.  d. /var/log/maillog
22.  c. SSL/TLS
23.  a. sudo systemctl reload postfix
24.  b. /etc/dovecot/conf.d/10-ssl.conf
25.  c. sudo systemctl status postfix
26.  b. sudo openssl req -new -x509
27.  c. The format and location of users' mailboxes

SHORT ANSWER QUESTIONS

1. What is SMTP?
2. Explain how SMTP works.
3. Explain the basic functions of SMTP.
4. What is the difference between ports 465 and 587?
5. What is postfix?
6. What is the default port used for postfix?
7. What is the difference between Postfix & Sendmail ?
8. What is MUA?
9. What is MTA and it’s role in mailing system?
10. What are the important daemons in postfix?
11. What are the configuration files of postfix server?
12. How to restart the postfix service & make it enable across reboot?
13. What is the primary function of an SMTP server?

14. Where is the main configuration file for Postfix located?


15. Which command is used to start the Postfix service on RHEL 8?
16. What does the mydestination directive in Postfix do?
17. Which protocol is commonly used to retrieve emails from a mail server?
18. What is the purpose of the home_mailbox directive in Postfix?
19. How do you enable and start Dovecot on RHEL 8?
20. Which file in Dovecot configuration specifies the location of users' mailboxes?
21. What is the default port number for SMTP?
22. How can you check the status of the Postfix service on RHEL 8?
23. What command would you use to reload the Postfix configuration without restarting the service?
24. What does the disable_plaintext_auth directive in Dovecot control?
25. What is the function of an MDA (Mail Delivery Agent)?
26. Name a common open-source POP3 and IMAP server used with Postfix.
27. How do you allow SMTP traffic through the firewall on RHEL 8?

LONG ANSWER QUESTIONS

1. Write down the short notes on Mail Server.


2. What is the difference between POP and IMAP
3. What is Sendmail Server?
4. On which ports do Sendmail and Sendmail with SSL work?
5. How to start the Sendmail server?
6. Write down short notes on Sendmail server
7. Describe the characteristics of Postfix Server.
8. Describe the role and configuration of Dovecot in conjunction with Postfix for setting up a complete
email server.
9. Discuss the security measures that should be implemented to secure a mail server on Linux.


MODULE-VII: - NFS SERVER

A Network File System (NFS) allows remote hosts to mount file systems over a network and interact with those file
systems as though they are mounted locally. This enables system administrators to consolidate resources onto
centralized servers on the network.

Purpose of NFS

 NFS can be used for sharing of files remotely.
 Data can be stored on a single machine and still remain accessible to others over the network.
 Reduction of the number of removable media drives throughout the network since they can be shared.

How It Works

Currently, there are three versions of NFS. NFS version 2 (NFSv2) is older and widely supported. NFS version 3
(NFSv3) has more features, including 64-bit file handles, safe asynchronous writes and more robust error handling. NFS
version 4 (NFSv4) works through firewalls and on the Internet, no longer requires portmapper, supports ACLs, and
utilizes stateful operations. Red Hat Enterprise Linux supports NFSv2, NFSv3, and NFSv4 clients, and when mounting
a file system via NFS, Red Hat Enterprise Linux uses NFSv3 by default if the server supports it.

All versions of NFS can use Transmission Control Protocol (TCP) running over an IP network, with NFSv4 requiring it.
NFSv2 and NFSv3 can use the User Datagram Protocol (UDP) running over an IP network to provide a stateless
network connection between the client and server.

When using NFSv2 or NFSv3 with UDP, the stateless UDP connection under normal conditions has less Protocol
overhead than TCP which can translate into better performance on very clean, non-congested networks. The NFS
server sends the client a file handle after the client is authorized to access the shared volume. This file handle is an
opaque object stored on the server's side and is passed along with RPC requests from the client. The NFS server can
be restarted without affecting the clients and the cookie remains intact. However, because UDP is stateless, if the
server goes down unexpectedly, UDP clients continue to saturate the network with requests for the server. For this
reason, TCP is the preferred protocol when connecting to an NFS server.

NFSv4 has no interaction with portmapper, rpc.mountd, rpc.lockd, and rpc.statd, since protocol support has been
incorporated into the v4 protocol. NFSv4 listens on the well-known TCP port (2049), which eliminates the need for
the portmapper interaction. The mounting and locking protocols have been incorporated into the v4 protocol, which
eliminates the need for interaction with rpc.mountd and rpc.lockd.

Required Services

Red Hat Enterprise Linux uses a combination of kernel-level support and daemon processes to provide NFS file
sharing. All NFS versions rely on Remote Procedure Calls (RPC) between clients and servers. RPC services under
Linux are controlled by the portmap service. To share or mount NFS file systems, the following services work
together, depending on which version of NFS is implemented:

o nfs — (/sbin/service nfs start) starts the NFS server and the appropriate RPC processes to service requests
for shared NFS file systems.
o nfslock — (/sbin/service nfslock start) is a mandatory service that starts the appropriate RPC processes to
allow NFS clients to lock files on the server.
o portmap — accepts port reservations from local RPC services. These ports are then made available (or
advertised) so the corresponding remote RPC services can access them. portmap responds to requests for RPC
services and sets up connections to the requested RPC service. This is not used with NFSv4.

The following RPC processes facilitate NFS services:

o rpc.mountd — This process receives mount requests from NFS clients and verifies the requested file system
is currently exported. This process is started automatically by the nfs service and does not require user
configuration. This is not used with NFSv4.
o rpc.nfsd — Allows explicit NFS versions and protocols the server advertises to be defined. It works with the
Linux kernel to meet the dynamic demands of NFS clients, such as providing server threads each time an
NFS client connects. This process corresponds to the nfs service.
o rpc.lockd — allows NFS clients to lock files on the server. If rpc.lockd is not started, file locking will
fail. rpc.lockd implements the Network Lock Manager (NLM) protocol. This process corresponds to
the nfslock service. This is not used with NFSv4.
o rpc.statd — This process implements the Network Status Monitor (NSM) RPC protocol which notifies NFS
clients when an NFS server is restarted without being gracefully brought down. This process is started
automatically by the nfslock service and does not require user configuration. This is not used with NFSv4.
o rpc.rquotad — This process provides user quota information for remote users. This process is started
automatically by the nfs service and does not require user configuration.
o rpc.idmapd — This process provides NFSv4 client and server upcalls which map between on-the-wire NFSv4
names (which are strings in the form of user@domain) and local UIDs and GIDs. For idmapd to function
with NFSv4, the /etc/idmapd.conf must be configured. This service is required for use with NFSv4.

Default port of NFS server

By default, NFS uses 2049 TCP port.

Different versions of NFS Server

Currently, there are three versions of NFS. NFS version 2 (NFSv2) is older and widely supported. NFS version 3
(NFSv3) supports safe asynchronous writes and is more robust at error handling than NFSv2; it also supports 64-bit
file sizes and offsets, allowing clients to access more than 2Gb of file data.
NFS version 4 (NFSv4) works through firewalls and on the Internet, no longer requires an rpcbind service, supports
ACLs, and utilizes stateful operations. Red Hat Enterprise Linux 6.X and CentOS 6.X support NFSv2, NFSv3, and NFSv4
clients. When mounting a file system via NFS, Red Hat Enterprise Linux uses NFSv4 by default, if the server supports
it.

Configuration files of NFS server

/etc/exports is the main configuration file that controls which file systems are exported to remote hosts and
specifies options.
/etc/sysconfig/nfs is the file through which we can fix the ports for RQUOTAD_PORT, MOUNTD_PORT,
LOCKD_TCPPORT, LOCKD_UDPPORT and STATD_PORT.

Different options used in /etc/exports file

Below is the list of options used in the /etc/exports file:

 ro: The directory is shared read-only; the client machine will not be able to write to it. This is the default.
 rw: The client machine will have read and write access to the directory.
 root_squash: By default, any file request made by user root on the client machine is treated as if it is made
by user nobody on the server. (Exactly which UID the request is mapped to depends on the UID of user
“nobody” on the server, not the client.)
 no_root_squash: If this option is used, then root on the client machine will have the same level of access
to the files on the system as root on the server. This can have serious security implications, although it may
be necessary if you want to perform any administrative work on the client machine that involves the
exported directories. You should not specify this option without a good reason.
 no_subtree_check: If only part of a volume is exported, a routine called subtree checking verifies that a file
that is requested from the client is in the appropriate part of the volume. If the entire volume is exported,
disabling this check will speed up transfers.
 sync: Replies to the NFS request only after all data has been written to disk. This is much safer than async,
and is the default in all nfs-utils versions after 1.0.0.
 async: Replies to requests before the data is written to disk. This improves performance, but results in
lost data if the server goes down.
 no_wdelay: NFS has an optimization algorithm that delays disk writes if NFS deduces a likelihood of a
related write request soon arriving. This saves disk writes and can speed performance.
 wdelay: Negation of no_wdelay; this is the default.
 nohide: Normally, if a server exports two filesystems one of which is mounted on the other, then the client
will have to mount both filesystems explicitly to get access to them. If it just mounts the parent, it will see
an empty directory at the place where the other filesystem is mounted. That filesystem is “hidden”. Setting
the nohide option on a filesystem causes it not to be hidden, and an appropriately authorised client will be
able to move from the parent to that filesystem without noticing the change.
 hide: Negation of nohide. This is the default.

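
The following script is an added example, not part of the course notes, that puts the options above to work from the
defender's side: it reads an exports file and reports the entries that carry the risky settings just described (a
missing client list, a wildcard client, no_root_squash, async). The exports file it reads is constructed for the
demonstration; the paths and the 192.168.10.0/24 network are made up. It is written in POSIX sh so it runs as-is.

```shell
#!/bin/sh
# Added example (not from the course notes): audit an exports file for the
# risky options described in the notes. The file content below is
# constructed for the demonstration, it is not a real server's /etc/exports.
EXPORTS_SAMPLE="$(mktemp)"
cat > "$EXPORTS_SAMPLE" <<'EOF'
# constructed sample: one safe export, one risky export, one read-only export
/srv/projects   192.168.10.0/24(rw,sync,root_squash,no_subtree_check)
/srv/backup     *(rw,async,no_root_squash)
/srv/public     192.168.10.0/24(ro,sync)
EOF

# audit_exports FILE
# Prints one line per finding: an export with no client list, a '*' client,
# no_root_squash, or async each produce a finding.
audit_exports() {
    file="$1"
    set -f    # no pathname expansion: a client spec of '*' must stay literal
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' |
    while read -r path clients; do
        if [ -z "$clients" ]; then
            echo "$path: no client list, so every host may mount it"
            continue
        fi
        for spec in $clients; do
            host="${spec%%\(*}"                 # client part before '('
            opts=""
            if [ "$host" != "$spec" ]; then     # an option list is present
                opts="${spec#*\(}"
                opts="${opts%\)}"
            fi
            if [ "$host" = "*" ]; then
                echo "$path: wildcard client '*' makes the export world-accessible"
            fi
            case ",$opts," in
                *,no_root_squash,*)
                    echo "$path ($host): no_root_squash lets client root act as server root; prefer root_squash" ;;
            esac
            case ",$opts," in
                *,async,*)
                    echo "$path ($host): async acknowledges writes before they reach disk; prefer sync" ;;
            esac
        done
    done
    set +f
}

# The hardened form of the risky line, for comparison:
# /srv/backup     192.168.10.0/24(rw,sync,root_squash,no_subtree_check)

audit_exports "$EXPORTS_SAMPLE"
```

Run against the constructed file, the script prints three findings, all for /srv/backup, and nothing for the two
entries that restrict the client network and keep root_squash and sync. On a real server, point it at /etc/exports
after editing and before running exportfs.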
List available NFS shares on local machine and remote machine

showmount -e localhost : Shows the available shares on your local machine.

showmount -e <Remote-server-ip or hostname> : Lists the available shares at the remote server.

Difference between hard mount and soft mount in NFS

 Soft mount: Suppose we have mounted an NFS share using a soft mount. When a program or application
requests a file from the NFS filesystem, the NFS client daemons will try to retrieve the data from the NFS server.
But if it does not get any response from the NFS server (due to a crash or failure of the NFS server), the NFS
client will report an error to the process on the client machine requesting the file access. The advantage of
this mechanism is fast responsiveness, as it does not wait for the NFS server to respond. But the main
disadvantage of this method is data corruption or loss of data. So, this is not a recommended option to use.
 Hard mount: Suppose we have mounted the NFS share using a hard mount; it will repeatedly retry to contact
the server. Once the server is back online, the program will continue to execute undisturbed from the state
it was in during the server crash. We can use the mount option “intr”, which allows NFS requests to be
interrupted if the server goes down or cannot be reached. Hence the recommended settings are the hard and
intr options.


How to check iostat of NFS mount points?

 Ans: Using the command nfsiostat we can list the iostat of NFS mount points. Use the below command:
# nfsiostat <interval> <count> <mount_point>
 <interval>: specifies the amount of time in seconds between each report. The first report contains statistics
for the time since each file system was mounted. Each subsequent report contains statistics collected during
the interval since the previous report.
 <count>: If the <count> parameter is specified, the value of <count> determines the number of reports
generated <interval> seconds apart. If the <interval> parameter is specified without the <count> parameter, the
command generates reports continuously.
 <mount_point>: If one or more <mount_point> names are specified, statistics for only these mount points
will be displayed. Otherwise, all NFS mount points on the client are listed.

Check NFS server version

nfsstat -o all shows all information about the active versions of NFS.

Portmap: The portmapper keeps a list of which services are running on which ports. This list is used by a connecting
machine to find out which ports it needs to talk to in order to access certain services.

The role of the “sync” option for the NFS server

If sync is specified, the server waits until the request is written to disk before responding to the client. The sync
option is recommended because it follows the NFS protocol.

Autofs

 Autofs is an on-demand automounting facility: the filesystem is mounted whenever you need it.
 NFS is like mounting a complete partition remotely, and you will have availability of the whole content of the
partition.
 But there are a few advantages of autofs over NFS.

Advantages of Autofs

 Shares are accessed automatically and transparently when a user tries to access any files or directories
under the designated mount point of the remote filesystem to be mounted.
 Booting time is significantly reduced because no mounting is done at boot time.
 Network access and efficiency are improved by reducing the number of permanently active mount points.
 Failed mount requests can be reduced by designating alternate servers as the source of a filesystem.


MULTIPLE CHOICE QUESTIONS AND ANSWERS

MODULE-VII: NFS SERVER


1. Following are some of the file sharing protocols
a. Telnet b. FTP
c. NFS & CIFS d. HTTP
2. File access protocols operate in which layer of the OSI model
a. Application b. Transport
c. Session d. None of the above
3. NFS & CIFS are
a. Filesystems b. Transport protocols
c. Operating systems d. File access protocols
4. NFS stands for
a. Null File System b. Network File System
c. New File System d. Netware File Server
5. Which file would you edit to mount an NFS filesystem at system boot time?
a. /etc/fstab b. /etc/vfstab
c. /etc/dfs/dfstab d. /etc/nfstab
6. Which command would mount the directory utilities from the server named linux on the local
mount point /opt/sf?
a. mount -f nfs /sf:linux /opt/sf b. mount -F nfs linux:/opt/sf /sf
c. mount -F nfs linux:/sf /opt/sf d. mount /opt/sf linux:/sf
7. Which configuration file is used to define the shared directories and access permissions for an
NFS server in Red Hat Enterprise Linux 6 (RHEL 6)?
a. /etc/nfs.conf b. /etc/exports
c. /etc/nfs_exports d. /etc/share.conf
8. Which daemon is responsible for handling NFS requests on the server-side in a Linux system?
a. nfsd b. rpcbind
c. nfsd-manager d. mountd
9. The NFS servers ____________
a. Are stateless b. Save the current state of the request
c. Maybe stateless d. None of the mentioned
10. A server crash and recovery will __________ to a client.
a. Be visible b. Affect
c. Be invisible d. Harm

Question Number Correct Answer

1. c. NFS & CIFS
2. a. Application
3. d. File access protocols
4. b. Network File System
5. a. /etc/fstab
6. c. mount -F nfs linux:/sf /opt/sf
7. b. /etc/exports
8. a. nfsd
9. a. Are stateless
10. c. Be invisible

SHORT ANSWER QUESTIONS

1. What is the utility of NFS? How do you share a directory using NFS?
2. Describe the different daemons of the NFS server.
3. What is the way to mount an NFS file system permanently? Describe with an example.
4. What are the different versions of the NFS server?
5. What are the configuration files of the NFS server?
6. How do you list the available NFS shares on the local machine and a remote machine?
7. What is the difference between soft mount and hard mount in NFS?
8. How do you check the NFS server version?
9. What is portmap?
10. How do you re-export all the directories of the “/etc/exports” file?

LONG ANSWER QUESTIONS

1. Why use NFS?
2. What is the default port of the NFS server?
3. What are the different options used in the /etc/exports file?
4. What is the difference between NFSv2 and NFSv4?
5. What are some common applications for NFS?
6. What kind of network performance can be expected when running multiple clients over a single NFS
connection?
7. Does NFS support disk quotas?
8. Does NFS support access control lists (ACLs)?
9. What security features does NFS provide?
10. Explain the concept of Sudo NFS in Linux.


MODULE-VIII: - SAMBA SERVER

Samba is the standard open source Windows interoperability suite of programs for Linux. It implements
the server message block (SMB) protocol. Modern versions of this protocol are also known as the
common Internet file system (CIFS) protocol. It allows the networking of Microsoft Windows®, Linux,
UNIX, and other operating systems together, enabling access to Windows-based file and printer shares.
Samba's use of SMB allows it to appear as a Windows server to Windows clients.

Introduction to Samba

Samba is an important component to seamlessly integrate Linux Servers and Desktops into Active
Directory (AD) environments. It can function both as a domain controller (NT4-style) or as a regular
domain member (AD or NT4-style).

What Samba can do:

 Serve directory trees and printers to Linux, UNIX, and Windows clients
 Assist in network browsing (with NetBIOS)
 Authenticate Windows domain logins
 Provide Windows Internet Name Service (WINS) name server resolution
 Act as a Windows NT®-style Primary Domain Controller (PDC)
 Act as a Backup Domain Controller (BDC) for a Samba-based PDC
 Act as an Active Directory domain member server
 Join a Windows NT/2000/2003/2008 PDC

What Samba cannot do:

 Act as a BDC for a Windows PDC (and vice versa)
 Act as an Active Directory domain controller

Server Message Block: -

 SMB stands for Server Message Block.
 SMB is a protocol by which a lot of PC-related machines share files and printers and other information, such
as lists of available files and printers.
 Operating systems that support SMB natively include Windows, OS/2 and Linux.

Working principle of smb protocol

The SMB protocol enables applications and their users to access files on remote servers, as well as connect to other
resources, including printers, mailslots and named pipes. SMB provides client applications with a secure and
controlled method for opening, reading, moving, creating and updating files on remote servers. The protocol can
also communicate with server programs configured to receive SMB client requests.

Known as a request-response protocol, the SMB protocol is one of the most common methods used for network
communications. In this model, the client sends an SMB request to the server to initiate the connection. When the
server receives the request, it replies by sending an SMB response back to the client, establishing the
communication channel necessary for a two-way conversation.

The SMB protocol operates at the application layer but relies on lower network levels for transport. At one time,
SMB ran on top of Network Basic Input/Output System over Transmission Control Protocol/Internet Protocol
(NetBIOS over TCP/IP, or NBT) or, to a lesser degree, legacy protocols such as Internetwork Packet Exchange or
NetBIOS Extended User Interface. When SMB was using NBT, it relied on ports 137, 138 and 139 for transport. Now,
SMB runs directly over TCP/IP and uses port 445.

Today, communications with devices that do not support SMB directly over TCP/IP require the use of NetBIOS over
a transport protocol such as TCP/IP.

Microsoft Windows operating systems (OSes) since Windows 95 have included client and server SMB protocol
support. The Linux OS and macOS also provide built-in support for SMB. In addition, Unix-based systems can use
Samba to facilitate SMB access to file and print services.

A client and server can implement different SMB dialects. If they do, the systems must first negotiate the differences
between editions before starting a session.

Advantages of Samba Server

The Samba server in Linux is considered one of the most powerful servers, as it makes it easy for other
operating systems to access shared files and useful resources like printers. It is open-source software, which
means it is available to you for free.

Samba Daemons and Related Services

Samba is comprised of three daemons (smbd, nmbd, and winbindd). Three services (smb, nmb, and winbind)
control how the daemons are started, stopped, and other service-related features. These services act as
different init scripts. Each daemon is listed in detail below, as well as which specific service has control
over it.

smbd
The smbd server daemon provides file sharing and printing services to Windows clients. In addition, it is responsible
for user authentication, resource locking, and data sharing through the SMB protocol. The
default ports on which the server listens for SMB traffic are TCP ports 139 and 445. The smbd daemon is controlled
by the smb service.

nmbd
The nmbd server daemon understands and replies to NetBIOS name service requests such as those produced by
SMB/CIFS in Windows-based systems. These systems include Windows 95/98/ME, Windows NT, Windows 2000,
Windows XP, and LanManager clients. It also participates in the browsing protocols that make up the Windows
Network Neighborhood view. The default port that the server listens to for NMB traffic is UDP port 137. The nmbd
daemon is controlled by the nmb service.

winbindd
The winbind service resolves user and group information received from a server running Windows NT, 2000, 2003,
Windows Server 2008, or Windows Server 2012. This makes Windows user and group information understandable
by UNIX platforms. This is achieved by using Microsoft RPC calls, Pluggable Authentication Modules (PAM), and the
Name Service Switch (NSS). This allows Windows NT domain and Active Directory users to appear and operate as
UNIX users on a UNIX machine. Though bundled with the Samba distribution, the winbind service is controlled
separately from the smb service. The winbind daemon is controlled by the winbind service and does not require the
smb service to be started in order to operate. winbind is also used when Samba is an Active Directory member, and
may also be used on a Samba domain controller (to implement nested groups and interdomain trust). Because
winbind is a client-side service used to connect to Windows NT-based servers, further discussion of winbind is
beyond the scope of this chapter.

smbpasswd
This allows the user to change the password used for their SMB sessions.

smbmount
This mounting program enables mounting of server directories on a Linux or UNIX box.

smbstatus
This program lists the current Samba connections.

CIFS
Common Internet File System is a protocol that is basically an updated SMB.

Configuration File: -
/etc/samba/smb.conf

Section of the Samba configuration file: -

The smb.conf file contains three sections.

1. [global] Contains settings that determine Samba's overall behavior.
2. [homes] A default share for providing a home directory for all users.
3. [printers] A default share for exporting all printers on the host via CIFS.
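
As an added example (not code from the course notes or from the Samba project), the script below reads an smb.conf
laid out in the sections just described, lists the section names, and reports every share that sets "guest ok = yes"
(or its smb.conf synonym "public"), since such a share is reachable without a Samba password and is the first thing to
review on a file server. The smb.conf it reads is constructed for the demonstration; the [public] share and its path
are made up.

```shell
#!/bin/sh
# Added example (not from the course notes): list smb.conf sections and
# report shares that allow guest access. The configuration below is
# constructed for the demonstration; only [global], [homes] and [printers]
# are the standard sections, [public] is a made-up share.
SMBCONF_SAMPLE="$(mktemp)"
cat > "$SMBCONF_SAMPLE" <<'EOF'
[global]
    workgroup = WORKGROUP
    security = user

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = yes

[public]
    path = /srv/samba/public
    guest ok = yes
    writable = yes
EOF

# smb_sections FILE: print every section name ([global], [homes], ...),
# one per line, in file order
smb_sections() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\].*/\1/p' "$1"
}

# smb_guest_shares FILE: print the sections whose "guest ok" (or the
# synonym "public") is set to yes, i.e. shares usable without a password.
# The first awk rule tracks the current section; the second fires on the
# parameter line and prints that section's name.
smb_guest_shares() {
    awk '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*/, "", s); section = s; next }
        /^[ \t]*(guest ok|public)[ \t]*=[ \t]*[Yy][Ee][Ss][ \t]*$/ { print section }
    ' "$1"
}

smb_sections "$SMBCONF_SAMPLE"        # global homes printers public
smb_guest_shares "$SMBCONF_SAMPLE"    # public
```

The parser deliberately ignores include files and the "copy" parameter, so run testparm (which expands the full
configuration) on a production smb.conf before trusting any such check; this script is only a quick first pass.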


To connect to a Samba share from a shell prompt, type the following command:
# smbclient //hostname/sharename -U username

Samba Server Types and the smb.conf File


Samba configuration is straightforward. All modifications to Samba are done in the /etc/samba/smb.conf
configuration file. Although the default smb.conf file is well documented, it does not address complex topics such
as LDAP, Active Directory, and the numerous domain controller implementations.

The following sections describe the different ways a Samba server can be configured. Keep in mind your
needs and the changes required to the /etc/samba/smb.conf file for a successful configuration.

Stand-alone Server
A stand-alone server can be a workgroup server or a member of a workgroup environment. A stand-alone server is
not a domain controller and does not participate in a domain in any way.

Domain Member Server

A domain member, while similar to a stand-alone server, is logged into a domain controller (either Windows or
Samba) and is subject to the domain's security rules. An example of a domain member server would be a
departmental server running Samba that has a machine account on the Primary Domain Controller (PDC). All of the
department's clients still authenticate with the PDC, and desktop profiles and all network policy files are included.
The difference is that the departmental server has the ability to control printer and network shares.

SMB RPM

RPM DESCRIPTION
samba Base RPM for the Samba server.
samba-common Includes the commands required by the Samba server and client.
samba-doc Provides the Samba documentation.
samba-client An SMB client program that implements a simple FTP-like client on a Linux or
UNIX box.
samba-swat GUI interface for Samba configuration.
samba-winbind Allows interoperability between Linux and Windows.
samba-domainjoin-gui Allows Linux users to connect with Windows workgroups and domains.

SMB PORTS

PORT NO DESCRIPTION
137 Connection port, used by the nmbd daemon.
138 Data port, used by the smbd daemon.
139 Used for authentication.
445 (TCP) Used by modern Samba servers.


SAMBA COMMANDS

COMMAND DESCRIPTION
smbclient Command used to connect to the Samba server from a Samba client.
mget To download files from the Samba server.
mput To upload files to the Samba server.
bye To log out from the Samba server.


MULTIPLE CHOICE QUESTIONS AND ANSWERS

MODULE-VIII: SAMBA SERVER

1. CIFS runs over the following protocols:
a. TCP/IP b. SNMP
c. FTP d. DNS
2. CIFS doesn’t support the following
a. Oplocks b. Unicode support
c. Batch command d. Stateless
3. CIFS is used in the following OS
a. Windows b. Netware
c. Unix d. All the above
4. CIFS was originally derived from
a. PCB b. SMB
c. NTFS d. NIS
5. CIFS authentication is done by
a. Kerberos b. Both LDAP and NTLM
c. NTLM d. Both Kerberos and NTLM
6. SMB was originally developed by
a. IBM b. 3COM
c. Microsoft d. Intel
7. RPC is used for
a. Transporting data over the network b. Reporting process control
c. Executing program on different computer d. None of the above
8. A file can be recognized as an ordinary file or directory by ____ symbol.
a. $ b. *
c. – d. /
9. Which of the following commands tests the syntax of the default Samba configuration file?
a. smbclient -L //localhost b. testparm //localhost
c. smbclient /etc/smb.conf d. testparm /etc/smb.conf
10. What services does the Samba smbd program provide?
a. NetBIOS lookups b. File sharing
c. WINS resolution d. Printer sharing
11. Which of the following statements are valid reasons to install Samba?
a. To provide DNS information to SMB clients b. To provide WINS resolution to SMB clients
c. To provide file and printer sharing to UNIX clients d. To provide file and printer sharing to SMB clients

Question Number Correct Answer
1. a. TCP/IP
2. d. Stateless
3. d. All the above
4. b. SMB
5. d. Both Kerberos and NTLM
6. a. IBM
7. c. Executing program on different computer
8. c. –
9. d. testparm /etc/smb.conf
10. b, d. File sharing; Printer sharing
11. b, d. To provide WINS resolution to SMB clients; To provide file and printer sharing to SMB clients

SHORT ANSWER QUESTIONS

1. Describe the advantages of Samba over NFS.
2. On which ports does the Samba server work?
3. Describe the different authentication modes for the Samba server.
4. Which daemons are required to start the Samba server?
5. How many sections does the Samba configuration file (smb.conf) contain?
6. What is SWAT in the Samba server?
7. Explain the “smbstatus” command.
8. Explain the “write list” parameter used in smb.conf.
9. Can Samba be a member of more than one workgroup at the same time?
10. What is CIFS?

LONG ANSWER QUESTIONS

1. How does the SMB protocol work?
2. How does a workstation find its Domain Controller?
3. What are the functions of the nmbd daemon?
4. What are the functions of the smbd daemon?
5. What are the functions of the winbindd daemon?
6. How do you automate SMB share mounting during system startup?
7. How many sections does the Samba configuration file (smb.conf) contain?


MODULE-IX: - LINUX FIREWALL AND SELINUX

Security Enhanced Linux or SELinux is a set of modifications developed by the United States National Security Agency
(NSA) to provide a variety of security policies for Linux. SELinux was released as open source at the end of 2000.
Since kernel version 2.6 it is an integrated part of Linux.

SELinux offers security! SELinux can control what kind of access users have to files and processes. Even when a file
received chmod 777, SELinux can still prevent applications from accessing it (Unix file permissions are checked first!).
SELinux does this by placing users in roles that represent a security context. Administrators have very strict control
on access permissions granted to roles.

SELinux is present in the latest versions of Red Hat Enterprise Linux, Debian, CentOS, Fedora, and many other
distributions.

selinux modes

selinux knows three modes: enforcing, permissive and disabled. The enforcing mode will enforce policies, and may
deny access based on selinux rules. The permissive mode will not enforce policies, but can still log actions that would
have been denied in enforcing mode. The disabled mode disables selinux.

getenforce
Use getenforce to verify whether selinux is enforcing, disabled or permissive.

[root@rhel55 ~]# getenforce
Permissive

The /selinux/enforce file contains 1 when enforcing, and 0 when permissive mode is active.

root@fedora13 ~# cat /selinux/enforce
1
root@fedora13 ~#

setenforce
You can use setenforce to switch between the Permissive or the Enforcing state once
selinux is activated.

[root@rhel55 ~]# setenforce Enforcing
[root@rhel55 ~]# getenforce
Enforcing
[root@rhel55 ~]# setenforce Permissive
[root@rhel55 ~]# getenforce
Permissive

Or you could just use 0 and 1 as argument.

[root@centos65 ~]# setenforce 1
[root@centos65 ~]# getenforce
Enforcing
[root@centos65 ~]# setenforce 0
[root@centos65 ~]# getenforce
Permissive
[root@centos65 ~]#

sestatus

You can see the current selinux status and policy with the sestatus command.

[root@rhel55 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted

Policy

Most Red Hat servers will have the targeted policy. Only NSA/FBI/CIA/DOD/HLS use the
mls policy.

The targeted policy will protect hundreds of processes, but lets other processes run
'unconfined' (= they can do anything).

/etc/selinux/config

The main configuration file for selinux is /etc/selinux/config. When in permissive mode, the file looks like this.
The targeted policy is selected in /etc/selinux/config.

[root@centos65 ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
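
The running mode (getenforce, /selinux/enforce) and the configured mode (SELINUX= in /etc/selinux/config) are two
different things, and a host where someone ran setenforce 0 after boot looks fine in the config file. The script below
is an added example, not part of the course notes, that compares the two the way a monitoring check would and reports
any drift. It takes both files as parameters so it can be exercised on the constructed copies it creates, without root
and without SELinux on the machine running it; on a real host the enforce flag lives at /selinux/enforce on the systems
shown above and at /sys/fs/selinux/enforce on current kernels.

```shell
#!/bin/sh
# Added example (not from the course notes): detect drift between the
# running SELinux mode and the configured one.

# selinux_mode_check ENFORCE_FILE CONFIG_FILE
#   ENFORCE_FILE: the kernel's enforce flag (/selinux/enforce above,
#                 /sys/fs/selinux/enforce on current kernels)
#   CONFIG_FILE:  /etc/selinux/config or a copy of it
# Prints "ok <mode>" when both agree, otherwise "drift runtime=... config=...".
selinux_mode_check() {
    enforce_file="$1"; config_file="$2"
    if [ ! -r "$enforce_file" ]; then
        runtime="disabled"          # no selinuxfs flag: SELinux is not active
    elif [ "$(cat "$enforce_file")" = "1" ]; then
        runtime="enforcing"
    else
        runtime="permissive"
    fi
    # the last uncommented SELINUX= line is the effective setting
    configured="$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$config_file" | tail -n 1)"
    configured="${configured:-unknown}"
    if [ "$runtime" = "$configured" ]; then
        echo "ok $runtime"
    else
        echo "drift runtime=$runtime config=$configured"
    fi
}

# Constructed inputs (not captured from a real host): the kernel reports
# permissive (0) while the config file says enforcing, which is what a
# host looks like after "setenforce 0" was run without updating the file.
ENFORCE_SAMPLE="$(mktemp)"; CONFIG_SAMPLE="$(mktemp)"
echo 0 > "$ENFORCE_SAMPLE"
cat > "$CONFIG_SAMPLE" <<'EOF'
# constructed copy of /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

selinux_mode_check "$ENFORCE_SAMPLE" "$CONFIG_SAMPLE"   # drift runtime=permissive config=enforcing
```

A "drift" line is worth alerting on: either the mode was changed on purpose and the config file should be updated, or
it was changed by someone who should not have been able to, and the audit log around the setenforce call deserves a
look.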

DAC or MAC

Standard Unix permissions use Discretionary Access Control to set permissions on files. This means that a user that
owns a file, can make it world readable by typing chmod 777 $file.

With selinux the kernel will enforce Mandatory Access Control which strictly controls what processes or threads can
do with files (superseding DAC). Processes are confined by the kernel to the minimum access they require.


SELinux MAC is about labeling and type enforcing! Files, processes, etc are all labeled with an SELinux context. For
files, these are extended attributes, for processes this is managed by the kernel.

The format of the labels is as follows:

user:role:type:(level)

We only use the type label in the targeted policy.

ls –Z

To see the DAC permissions on a file, use ls -l to display user and group owner and permissions.

For MAC permissions there is a new -Z option added to ls. The output shows that the files in /root have a type of
admin_home_t.

[root@centos65 ~]# ls -Z
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 install.log.syslog

[root@centos65 ~]# useradd -m -s /bin/bash pol
[root@centos65 ~]# ls -Z /home/pol/.bashrc
-rw-r--r--. pol pol unconfined_u:object_r:user_home_t:s0 /home/pol/.bashrc

-Z

There are also some other tools with the -Z switch:

mkdir -Z
cp -Z
ps -Z
netstat -Z

/selinux

When selinux is active, there is a new virtual file system named /selinux. (You can compare it to /proc and /dev.)

[root@centos65 ~]# ls -l /selinux/
total 0
-rw-rw-rw-. 1 root root 0 Apr 12 19:40 access
dr-xr-xr-x. 2 root root 0 Apr 12 19:40 avc
dr-xr-xr-x. 2 root root 0 Apr 12 19:40 booleans
-rw-r--r--. 1 root root 0 Apr 12 19:40 checkreqprot
dr-xr-xr-x. 83 root root 0 Apr 12 19:40 class
--w-------. 1 root root 0 Apr 12 19:40 commit_pending_bools
-rw-rw-rw-. 1 root root 0 Apr 12 19:40 context
-rw-rw-rw-. 1 root root 0 Apr 12 19:40 create
-r--r--r--. 1 root root 0 Apr 12 19:40 deny_unknown
--w-------. 1 root root 0 Apr 12 19:40 disable
-rw-r--r--. 1 root root 0 Apr 12 19:40 enforce
dr-xr-xr-x. 2 root root 0 Apr 12 19:40 initial_contexts
-rw-------. 1 root root 0 Apr 12 19:40 load
-rw-rw-rw-. 1 root root 0 Apr 12 19:40 member
-r--r--r--. 1 root root 0 Apr 12 19:40 mls
crw-rw-rw-. 1 root root 1, 3 Apr 12 19:40 null
-r--------. 1 root root 0 Apr 12 19:40 policy
dr-xr-xr-x. 2 root root 0 Apr 12 19:40 policy_capabilities
-r--r--r--. 1 root root 0 Apr 12 19:40 policyvers
-r--r--r--. 1 root root 0 Apr 12 19:40 reject_unknown
-rw-rw-rw-. 1 root root 0 Apr 12 19:40 relabel
-r--r--r--. 1 root root 0 Apr 12 19:40 status
-rw-rw-rw-. 1 root root 0 Apr 12 19:40 user

Although some files in /selinux appear with size 0, they often contain a boolean value. Check /selinux/enforce to see
if selinux is running in enforcing mode.

[root@RHEL6 ~]# ls -l /selinux/enforce
-rw-r--r-- 1 root root 0 Apr 29 08:21 /selinux/enforce
[root@RHEL6 ~]# echo $(cat /selinux/enforce)
1

Identity

The SELinux Identity of a user is distinct from the user ID. An identity is part of a security
context, and (via domains) determines what you can do. The screenshot shows user root
having identity user_u.

[root@rhel55 ~]# id -Z
user_u:system_r:unconfined_t

Role

The selinux role defines the domains that can be used. A role is denied entry to a domain unless the role is explicitly
authorized to enter it.

Type (or domain)

The selinux domain is the security context of a process. A selinux type determines what a process can do. The
output shows init running in type init_t and the mingettys running in type getty_t.

[root@centos65 ~]# ps fax -Z | grep /sbin/init
system_u:system_r:init_t:s0 1 ? Ss 0:00 /sbin/init
[root@centos65 ~]# ps fax -Z | grep getty_t
system_u:system_r:getty_t:s0 1307 tty1 Ss+ 0:00 /sbin/mingetty /dev/tty1
system_u:system_r:getty_t:s0 1309 tty2 Ss+ 0:00 /sbin/mingetty /dev/tty2
system_u:system_r:getty_t:s0 1311 tty3 Ss+ 0:00 /sbin/mingetty /dev/tty3
system_u:system_r:getty_t:s0 1313 tty4 Ss+ 0:00 /sbin/mingetty /dev/tty4
system_u:system_r:getty_t:s0 1320 tty5 Ss+ 0:00 /sbin/mingetty /dev/tty5
system_u:system_r:getty_t:s0 1322 tty6 Ss+ 0:00 /sbin/mingetty /dev/tty6

The selinux type is similar to a selinux domain, but refers to directories and files instead of processes.

Hundreds of binaries also have a type:

[root@centos65 sbin]# ls -lZ useradd usermod userdel httpd postcat postfix
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 httpd
-rwxr-xr-x. root root system_u:object_r:postfix_master_exec_t:s0 postcat
-rwxr-xr-x. root root system_u:object_r:postfix_master_exec_t:s0 postfix
-rwxr-x---. root root system_u:object_r:useradd_exec_t:s0 useradd
-rwxr-x---. root root system_u:object_r:useradd_exec_t:s0 userdel
-rwxr-x---. root root system_u:object_r:useradd_exec_t:s0 usermod

Ports also have a context.

[root@centos65 sbin]# netstat -nptlZ | tr -s ' ' | cut -d' ' -f6-
Foreign Address State PID/Program name Security Context
LISTEN 1096/rpcbind system_u:system_r:rpcbind_t:s0
LISTEN 1208/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023
LISTEN 1284/master system_u:system_r:postfix_master_t:s0
LISTEN 1114/rpc.statd system_u:system_r:rpcd_t:s0
LISTEN 1096/rpcbind system_u:system_r:rpcbind_t:s0
LISTEN 1666/httpd unconfined_u:system_r:httpd_t:s0
LISTEN 1208/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023
LISTEN 1114/rpc.statd system_u:system_r:rpcd_t:s0
LISTEN 1284/master system_u:system_r:postfix_master_t:s0

You can also get a list of ports that are managed by SELinux:

[root@centos65 ~]# semanage port -l | tail
xfs_port_t tcp 7100
xserver_port_t tcp 6000-6150
zabbix_agent_port_t tcp 10050
zabbix_port_t tcp 10051
zarafa_port_t tcp 236, 237
zebra_port_t tcp 2600-2604, 2606
zebra_port_t udp 2600-2604, 2606
zented_port_t tcp 1229
zented_port_t udp 1229
zope_port_t tcp 8021

security context

The combination of identity, role and domain or type makes up the selinux security context.
The id command will show you your security context in the form identity:role:domain.

[paul@RHEL5 ~]$ id | cut -d' ' -f4
context=user_u:system_r:unconfined_t

The ls -Z command shows the security context for a file in the form identity:role:type.

[paul@RHEL5 ~]$ ls -Z test
-rw-rw-r-- paul paul user_u:object_r:user_home_t test

The security context for processes visible in /proc defines both the type (of the file in /proc)
and the domain (of the running process). Let's take a look at the init process and /proc/1/.

The init process runs in domain init_t.

[root@RHEL5 ~]# ps -ZC init
LABEL PID TTY TIME CMD
system_u:system_r:init_t 1 ? 00:00:01 init

The /proc/1/ directory, which identifies the init process, has type init_t.

[root@RHEL5 ~]# ls -Zd /proc/1/
dr-xr-xr-x root root system_u:system_r:init_t /proc/1/

It is not a coincidence that the domain of the init process and the type of /proc/1/ are both init_t.
Don't try to use chcon on /proc! It will not work.

Transition

A selinux transition (aka selinux labelling) determines the security context that will be assigned. A transition of
process domains happens when you execute a process. A transition of file type happens when you create a file.

An example of a file type transition: the same user creates one file in the home directory and one in /tmp, and each
gets a type determined by where it was created.

[pol@centos65 ~]$ touch test /tmp/test
[pol@centos65 ~]$ ls -Z test
-rw-rw-r--. pol pol unconfined_u:object_r:user_home_t:s0 test
[pol@centos65 ~]$ ls -Z /tmp/test
-rw-rw-r--. pol pol unconfined_u:object_r:user_tmp_t:s0 /tmp/test

Extended attributes

Extended attributes are used by selinux to store security contexts. These attributes can be
viewed with ls when selinux is running.

[root@RHEL5 home]# ls --context
drwx------ paul paul system_u:object_r:user_home_dir_t paul
drwxr-xr-x root root user_u:object_r:user_home_dir_t project42
drwxr-xr-x root root user_u:object_r:user_home_dir_t project55
[root@RHEL5 home]# ls -Z
drwx------ paul paul system_u:object_r:user_home_dir_t paul
drwxr-xr-x root root user_u:object_r:user_home_dir_t project42
drwxr-xr-x root root user_u:object_r:user_home_dir_t project55
[root@RHEL5 home]#

When selinux is not running, getfattr is the tool to use.

[root@RHEL5 etc]# getfattr -m . -d hosts
# file: hosts
security.selinux="system_u:object_r:etc_t:s0\000"

Process security context

A new option is added to ps to see the selinux security context of processes.

[root@RHEL5 etc]# ps -ZC mingetty
LABEL PID TTY TIME CMD
system_u:system_r:getty_t 2941 tty1 00:00:00 mingetty
system_u:system_r:getty_t 2942 tty2 00:00:00 mingetty

Chcon

Use chcon to change the selinux security context.

This example shows how to use chcon to change the type of a file.

[root@rhel55 ~]# ls -Z /var/www/html/test42.txt
-rw-r--r-- root root user_u:object_r:httpd_sys_content_t /var/www/html/test42.txt
[root@rhel55 ~]# chcon -t samba_share_t /var/www/html/test42.txt
[root@rhel55 ~]# ls -Z /var/www/html/test42.txt
-rw-r--r-- root root user_u:object_r:samba_share_t /var/www/html/test42.txt
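The chcon above leaves a file in the web root with a type httpd is not allowed to read, which is exactly the kind of mislabeling an administrator wants to catch. As an added example (not from the course notes), a POSIX shell helper that splits a context into its user:role:type fields and audits `ls -Z` output for files whose type differs from the one expected in that directory; the sample lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the course notes: audit SELinux file labels.
# A context has the form user:role:type[:level]; in the targeted policy only
# the type matters, so the audit compares the type field of each file in
# `ls -Z` output against the type the directory is supposed to carry.

# selinux_type CONTEXT -> print the type field of a context string
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# audit_labels EXPECTED_TYPE  (reads `ls -Z` lines on stdin)
# Prints "MISLABELED <file> <type>" for every file whose type differs from
# EXPECTED_TYPE. Returns 0 when every file matches, 1 otherwise.
audit_labels() {
    expected="$1"
    rc=0
    # `ls -Z` on CentOS 6 prints: perms user group context filename
    while read -r perms user group context file; do
        [ -z "$file" ] && continue
        ftype=$(selinux_type "$context")
        if [ "$ftype" != "$expected" ]; then
            printf 'MISLABELED %s %s\n' "$file" "$ftype"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: what `ls -Z /var/www/html` could look like after the
# stray chcon shown above (test42.txt no longer carries httpd_sys_content_t).
SAMPLE_LS_Z='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root system_u:object_r:samba_share_t:s0 test42.txt
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 about.html'

if printf '%s\n' "$SAMPLE_LS_Z" | audit_labels httpd_sys_content_t; then
    echo "all files carry httpd_sys_content_t"
else
    # restorecon resets a file to the label the policy's file_contexts expect;
    # matchpathcon PATH shows that expected label without changing anything.
    echo "fix with: restorecon -v /var/www/html/<file>"
fi
```

On a live host the same function takes real output: `ls -Z /var/www/html | audit_labels httpd_sys_content_t`.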

Booleans

Booleans are on/off switches.

[root@centos65 ~]# getsebool -a | head
abrt_anon_write --> off
abrt_handle_event --> off
allow_console_login --> on
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
allow_daemons_use_tcp_wrapper --> off
allow_daemons_use_tty --> on
allow_domain_fd_use --> on
allow_execheap --> off
allow_execmem --> on

You can set and read individual booleans.

[root@centos65 ~]# setsebool httpd_read_user_content=1
[root@centos65 ~]# getsebool httpd_read_user_content
httpd_read_user_content --> on
[root@centos65 ~]# setsebool httpd_enable_homedirs=1
[root@centos65 ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on

You can set these booleans permanently with -P.

[root@centos65 ~]# setsebool -P httpd_enable_homedirs=1
[root@centos65 ~]# setsebool -P httpd_read_user_content=1

The above commands regenerate the complete /etc/selinux/targeted directory!

[root@centos65 ~]# cat /etc/selinux/targeted/modules/active/booleans.local
# This file is auto-generated by libsemanage
# Do not edit directly.

httpd_enable_homedirs=1
httpd_read_user_content=1

IPTABLES
Introduction

All modern operating systems come equipped with a firewall – a software application that regulates network traffic
to a computer. Firewalls create a barrier between a trusted network (like an office network) and an untrusted one
(like the internet). Firewalls work by defining rules that govern which traffic is allowed, and which is blocked. The
firewall utility developed for Linux systems is iptables.

Prerequisites

 A user account with sudo privileges
 Access to a terminal window/command line (Ctrl-Alt-T, Ctrl-Alt-F2)

How iptables Work

Network traffic is made up of packets. Data is broken up into smaller pieces (called packets), sent over a network,
then put back together. Iptables identifies the packets received and then uses a set of rules to decide what to do
with them.

Iptables filters packets based on:

 Tables: Tables are files that join similar actions. A table consists of several chains.
 Chains: A chain is a string of rules. When a packet is received, iptables finds the appropriate table, then runs
it through the chain of rules until it finds a match.
 Rules: A rule is a statement that tells the system what to do with a packet. Rules can block one type of
packet, or forward another type of packet. The outcome, where a packet is sent, is called a target.

 Targets: A target is a decision of what to do with a packet. Typically, this is to accept it, drop it, or reject it
(which sends an error back to the sender).

Tables and Chains

Linux firewall iptables has four default tables. We will list all four along with the chains each table contains.

1. Filter
The Filter table is the most frequently used one. It acts as a bouncer, deciding who gets in and out of your network.
It has the following default chains:
 Input – the rules in this chain control the packets received by the server.
 Output – this chain controls the packets for outbound traffic.
 Forward – this set of rules controls the packets that are routed through the server.

2. Network Address Translation (NAT)

This table contains NAT (Network Address Translation) rules for routing packets to networks that cannot be accessed
directly. When the destination or source of the packet has to be altered, the NAT table is used. It includes the
following chains:
 Prerouting – the rules in this chain are applied to packets as soon as the server receives them, before any
routing decision is made.
 Output – works the same as the output chain we described in the filter table.
 Postrouting – the rules in this chain allow making changes to packets after they leave the output chain.

3. Mangle
The Mangle table adjusts the IP header properties of packets. The table has all the following chains we described
above:
 Prerouting
 Postrouting
 Output
 Input
 Forward

4. Raw
The Raw table is used to exempt packets from connection tracking. The raw table has two of the chains we previously
mentioned:
 Prerouting
 Output

5. Security (Optional)

Some versions of Linux also use a Security table to manage special access rules. This table includes input, output,
and forward chains, much like the filter table.

Targets

A target is what happens after a packet matches a rule's criteria. With a non-terminating target, the packet keeps
being matched against the remaining rules in the chain even though it matched a rule.
With a terminating target, the packet's fate is decided immediately and it is not matched against any further rule or
chain. The terminating targets in Linux iptables are:

 Accept – this rule lets the packet through the iptables firewall.
 Drop – the dropped packet is not matched against any further rule. When Linux iptables drops an incoming
connection to your server, the person trying to connect does not receive an error. It appears as if they are
trying to connect to a non-existing machine.
 Return – this rule sends the packet back to the calling chain so you can match it against other rules.
 Reject – the iptables firewall rejects the packet and sends an error to the connecting device.

Basic Syntax for iptables Commands and Options

In general, an iptables command looks as follows:

sudo iptables [option] CHAIN_rule [-j target]

Here is a list of some common iptables options:

 -A --append – Add a rule to a chain (at the end).
 -C --check – Look for a rule that matches the chain's requirements.
 -D --delete – Remove specified rules from a chain.
 -F --flush – Remove all rules.
 -I --insert – Add a rule to a chain at a given position.
 -L --list – Show all rules in a chain.
 -N --new-chain – Create a new chain.
 -v --verbose – Show more information when using a list option.
 -X --delete-chain – Delete the provided chain.

Iptables is case-sensitive, so make sure you’re using the correct options.

Configure iptables in Linux

By default, these commands affect the filter table. If you need to specify a different table, use the -t option,
followed by the name of the table.

Check Current iptables Status

To view the current set of rules on your server, enter the following in the terminal window:
sudo iptables -L

The system displays the status of your chains. The output will list three chains:

Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)

Enable Loopback Traffic

It's safe to allow traffic from your own system (the localhost). Append a rule to the INPUT chain by entering the
following:
sudo iptables -A INPUT -i lo -j ACCEPT

This command configures the firewall to accept traffic for the localhost (lo) interface (-i). Now anything
originating from your system will pass through your firewall. You need to set this rule to allow applications
to talk to the localhost interface.


Allow Traffic on Specific Ports

These rules allow traffic on different ports you specify using the commands listed below. A port is a
communication endpoint specified for a specific type of data.

To allow HTTP web traffic, enter the following command:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

To allow only incoming SSH (Secure Shell) traffic, enter the following:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

To allow HTTPS internet traffic, enter the following command:

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

The options work as follows:

• -p – Check for the specified protocol (tcp).
• --dport – Specify the destination port.
• -j --jump – Take the specified action (jump to the target).

Control Traffic by IP Address

Use the following command to ACCEPT traffic from a specific IP address.

sudo iptables -A INPUT -s 192.168.0.27 -j ACCEPT

Replace the IP address in the command with the IP address you want to allow.

You can also DROP traffic from an IP address:

sudo iptables -A INPUT -s 192.168.0.27 -j DROP

You can REJECT traffic from a range of IP addresses, but the command is more complex:

sudo iptables -A INPUT -m iprange --src-range 192.168.0.1-192.168.0.255 -j REJECT

The iptables options we used in the examples work as follows:

• -m – Load the specified match module.
• iprange – Tell the system to expect a range of IP addresses instead of a single one.
• --src-range – Identifies the range of source IP addresses.

Dropping Unwanted Traffic

If you define dport iptables firewall rules, you need to prevent unauthorized access by dropping any traffic
that comes via other ports:

sudo iptables -A INPUT -j DROP

The -A option appends a new rule to the chain. If any connection comes through ports other than those you
defined, it will be dropped. Because -A appends, add this rule after the ACCEPT rules: any rule appended after a
catch-all DROP is never reached.

Delete a Rule

You can use the -F option to clear all iptables firewall rules. A more precise method is to delete a single rule by its
line number.

First, list all rules by entering the following:

sudo iptables -L --line-numbers

Locate the line of the firewall rule you want to delete and run this command:

sudo iptables -D INPUT <Number>

Replace <Number> with the actual rule line number you want to remove.

Save Your Changes

Iptables does not keep the rules you created when the system reboots. Whenever you configure iptables in
Linux, all the changes you make apply only until the first restart.

To save the rules in Red-Hat based systems, enter:

sudo /sbin/service iptables save
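The rules in this section (loopback, the allowed ports, the final DROP) only work in that order, because -A appends and iptables stops at the first terminating match. As an added example (not from the course notes), a POSIX shell function that writes the same INPUT chain in the iptables-restore format that `service iptables save` stores in /etc/sysconfig/iptables, plus two checks on the result; it goes one step beyond the notes by adding an ESTABLISHED,RELATED rule, without which replies to the server's own outgoing connections would hit the DROP.

```shell
#!/bin/sh
# Added example, not from the course notes: generate the INPUT ruleset from
# the section above in iptables-restore format and check its ordering.
# iptables evaluates a chain top to bottom and stops at the first terminating
# target (ACCEPT/DROP/REJECT), so the catch-all DROP must be the last rule.

# build_input_rules PORT... -> print a *filter table accepting loopback,
# replies to connections the host started, and TCP on the given ports;
# everything else reaching INPUT is dropped.
build_input_rules() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # not in the notes: without this, replies to outbound connections
    # (DNS answers, package downloads) arrive on INPUT and hit the DROP
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    echo '-A INPUT -j DROP'
    echo 'COMMIT'
}

# rule_number RULESET PATTERN -> position of the first INPUT rule matching
# PATTERN, numbered like `iptables -L INPUT --line-numbers` (1-based)
rule_number() {
    printf '%s\n' "$1" | grep '^-A INPUT' | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# drop_is_last RULESET -> succeeds only if the catch-all DROP is the final
# INPUT rule; a port rule appended (-A) after it would never be reached
drop_is_last() {
    last=$(printf '%s\n' "$1" | grep '^-A INPUT' | tail -n 1)
    [ "$last" = '-A INPUT -j DROP' ]
}

RULES=$(build_input_rules 22 80 443)
printf '%s\n' "$RULES"
if drop_is_last "$RULES"; then
    echo "# ordering OK: DROP is rule $(rule_number "$RULES" '-j DROP')"
fi
# To load it (not run here): printf '%s\n' "$RULES" | sudo iptables-restore
# and then `sudo /sbin/service iptables save` to persist it across reboots.
```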

Firewalld

Introduction to firewalld

firewalld is a dynamic firewall management tool with support for network/firewall zones that define the
trust level of network connections or interfaces. It also supports IPv4, IPv6, ethernet bridges, and IP sets.


Key Concepts

1. Zones:

 Zones are predefined sets of rules that determine the level of trust for network connections. Each
zone can have different firewall rules.

 Common zones include:

 drop: Any incoming packets are dropped without any notification.
 block: Any incoming network connections are rejected with an icmp-host-prohibited
message.
 public: For use in public areas, where you trust other computers on the network to not
harm your computer.
 external: External network, typically used with masquerading (NAT).
 dmz: Demilitarized zone, allowing limited access to certain services.
 work: For work machines, you trust most of the computers in the network.
 home: For home networks, you mostly trust the other computers.
 internal: For internal networks, you trust most of the computers in the network.

2. Services:

Services are predefined rules that allow specific types of network traffic. Examples include HTTP, HTTPS,
FTP, and SSH.

3. Rich Rules:

Rich rules provide a way to create complex rules that are not possible with simple commands. They can
match specific IP addresses, ports, and protocols and apply specific actions like logging or rejecting.

4. Direct Rules:

Direct rules provide a way to interact with the low-level iptables rules directly. They are useful for advanced
configurations that are not supported by firewalld's high-level commands.

Installation and Enabling firewalld

1. Installation:

firewalld is installed by default on RHEL 8. If it’s not installed, you can install it using

# sudo dnf install firewalld

2. Starting and Enabling firewalld:

Start firewalld:

# sudo systemctl start firewalld


Enable firewalld to start at boot:

# sudo systemctl enable firewalld

3. Checking Status:

Check the status of firewalld:

# sudo systemctl status firewalld

MULTIPLE CHOICE QUESTIONS AND ANSWERS

MODULE-IX: LINUX FIREWALL AND SELINUX


1. Which table do we use to alter the IP headers of the packet in iptables?
a. Filter b. Nat
c. Mangle d. Raw
2. Which command will not forward the packet and simply discards the packet silently?
a. DROP b. REJECT
c. DENY d. Both (b) and (c)
3. Which command sends an error message back to the source indicating a connection failure?
a. DROP b. REJECT
c. DENY d. None of these
4. Which options do we use to add rules to a specific chain in iptables?
a. –I b. –F
c. –A d. -D
5. Which options represents protocol in iptables?
a. –m b. –p
c. --dport d. --sport
6. Which options represents output interface in iptables
a. –s b. –d
c. –i d. -o
7. Which table do you use for masquerading?
a. Filter b. Nat
c. Mangle d. raw
8. Which chain do you use for natting in iptables
a. PREROUTING b. POSTROUTING
c. OUTPUT d. FORWARD
9. Which command do you use to save rules in iptables?
a. /etc/init.d/iptables save b. service iptables save
c. /etc/init.d/iptables on d. Both (a) and (b)
10. How can we restart iptables tools in Linux?
a. service iptables on b. service iptables start
c. service iptables restart d. None of these


11. To see the status of SELinux Boolean Values we use
a. setsebool b. getsebool
c. setstatus d. None of these
12. To enable SELinux Boolean Values we use
a. setsebool b. getsebool
c. setstatus d. None of these
13. To disable SELinux Boolean Values we use
a. setsebool b. getsebool
c. setstatus d. None of these
14. To view all boolean values for a httpd
a. getsebool -l | grep httpd b. getsebool -v | grep httpd
c. getsebool -a | grep httpd d. None of these
15. How can we list all Booleans in SELinux?
a. getsebool -a b. getsebool -l
c. getsebool -v d. None of these
16. Which is not SELinux modes
a. enforcing b. permissive
c. disabled d. enabled
17. To permanently disable SELinux, we use the directive
a. SELINUX=disabled b. SETSEBOOL=disabled
c. GETSEBOOL=disabled d. None of these
18. To permanently disable SELinux, we use
a. /etc/sysconfig/selinux b. /etc/sysconfig/setsebool
c. /etc/sysconfig/getsebool d. None of these
19. How can you disable SELinux temporarily
a. setenforce 0 b. echo 0 > /selinux/enforce
c. echo 0 > /dev/null d. Both (a) and (b)
20. To view the current status (enable or disable) and current mode (disable, permissive and enforcing) of SELinux
we can use
a. setsebool b. getsebool
c. sestatus d. None of these
21. Which command is used to install firewalld on RHEL 8 if it is not already installed?
a. sudo yum install firewalld b. sudo apt install firewalld
c. sudo dnf install firewalld d. sudo pacman -S firewalld
22. What is the purpose of zones in firewalld?
a. To define the IP addresses that are allowed to connect
b. To manage different network interfaces
c. To define the trust level of network connections or interfaces
d. To manage user permissions
23. Which command is used to start the firewalld service?
a. sudo systemctl enable firewalld
b. sudo systemctl start firewalld
c. sudo firewall-cmd --start
d. sudo firewall-cmd --enable
24. How can you permanently add the HTTP service to the public zone?
a. sudo firewall-cmd --zone=public --add-service=http
b. sudo firewall-cmd --zone=public --add-service=http --permanent
c. sudo firewall-cmd --zone=public --permanent --add-service=http
d. Both b and c
25. Which command will reload the firewalld configuration?
a. sudo firewall-cmd --reload
b. sudo systemctl reload firewalld
c. sudo firewall-cmd --refresh
d. sudo systemctl restart firewalld
26. What command is used to list all active zones in firewalld?
a. sudo firewall-cmd --list-all
b. sudo firewall-cmd --get-zones
c. sudo firewall-cmd --get-active-zones
d. sudo firewall-cmd --list-zones
27. To allow incoming traffic on port 8080/tcp in the public zone, which command should be used?
a. sudo firewall-cmd --zone=public --allow-port=8080/tcp
b. sudo firewall-cmd --zone=public --add-port=8080/tcp
c. sudo firewall-cmd --zone=public --enable-port=8080/tcp
d. sudo firewall-cmd --zone=public --open-port=8080/tcp
28. Which command is used to remove the SSH service from the public zone?
a. sudo firewall-cmd --zone=public --delete-service=ssh
b. sudo firewall-cmd --zone=public --remove-service=ssh --permanent
c. sudo firewall-cmd --zone=public --block-service=ssh
d. sudo firewall-cmd --zone=public --disable-service=ssh
29. Which command will display detailed information about the public zone?
a. sudo firewall-cmd --zone=public --info
b. sudo firewall-cmd --zone=public --list
c. sudo firewall-cmd --zone=public --details
d. sudo firewall-cmd --zone=public --list-all


Question Number Correct Answer
1. c. Mangle
2. a. DROP
3. b. REJECT
4. c. –A
5. b. –p
6. d. -o
7. b. Nat
8. b. POSTROUTING
9. d. Both (a) and (b)
10. c. service iptables restart
11. b. getsebool
12. a. setsebool
13. a. setsebool
14. a. getsebool -l | grep httpd
15. a. getsebool -a
16. d. enabled
17. a. SELINUX=disabled
18. a. /etc/sysconfig/selinux
19. b. echo 0 > /selinux/enforce
20. c. sestatus
21. c. sudo dnf install firewalld
22. c. To define the trust level of network connections or interfaces
23. b. sudo systemctl start firewalld
24. d. Both b and c
25. a. sudo firewall-cmd --reload
26. c. sudo firewall-cmd --get-active-zones
27. b. sudo firewall-cmd --zone=public --add-port=8080/tcp
28. b. sudo firewall-cmd --zone=public --remove-service=ssh --permanent
29. d. sudo firewall-cmd --zone=public --list-all

SHORT ANSWER QUESTIONS

1. Distinguish DROP and REJECT target in iptables.
2. Describe firewall in Linux system.
3. Differentiate between PREROUTING and POSTROUTING chain in iptables.
4. What are Booleans?
5. What parameter can be set at boot time to enable/disable SELinux?
6. What is the main configuration file for SELinux where the SELinux status can be changed permanently?
7. Where SELinux violation logs are generated?
8. What is iptables?
9. How to enable iptables?
10. How do I save iptables rules or settings?
11. What is the purpose of firewalld in RHEL 8?
12. How do you install firewalld on a RHEL 8 system?
13. Which command is used to start the firewalld service?
14. How can you enable firewalld to start automatically at boot?
15. What command would you use to check the status of the firewalld service?
16. How do you list all available zones in firewalld?
17. Which command lists all active zones and their associated interfaces?
18. How do you add the HTTP service to the public zone temporarily?
19. How can you reload the firewalld configuration to apply new settings?
20. What command would you use to permanently open port 8080/tcp in the public zone?
21. What does SELinux stand for?
22. How can you check the current status of SELinux on a RHEL 8 system?
23. What command is used to temporarily set SELinux to permissive mode?
24. Which configuration file is used to permanently set SELinux modes?
25. What are the three modes of operation for SELinux?
26. How do you install the SELinux troubleshooting tools on RHEL 8?
27. What is the command to list all SELinux Booleans?
28. How do you restore the default SELinux context for a specific file?
29. What is the purpose of the audit2allow tool?
30. How can you list all SELinux policies currently loaded on the system?
31. What does the -P flag do when setting an SELinux Boolean?
32. How do you add a custom SELinux policy module?
33. Which command provides detailed information about the SELinux context of a file?
34. What does the SELinux type httpd_sys_content_t typically represent?
35. How do you permanently disable SELinux on a RHEL 8 system?

LONG ANSWER QUESTIONS

1. How to list all the rules applied on your system and how to flush all iptables rules?
2. What are the target values in iptables?
3. Explain the different modes of Selinux.
4. Explain about Selinux.
5. Explain the concept of DAC and MAC.
6. Explain the concept of firewalld zones and their importance. How would you change the default zone,
and what impact does this have on network security?
7. Explain the core concepts of SELinux (Security-Enhanced Linux) in RHEL 8, including the different modes
of operation and how they impact system security.
8. How does SELinux enforce security policies in RHEL 8? Explain the role of Type Enforcement (TE) and
Role-Based Access Control (RBAC) in SELinux.
