Thursday, 8 October 2015

Install Telnet Server on CentOS 7 / RHEL 7

This tutorial explains how to install a telnet server on CentOS 7 / RHEL 7. We will keep SELinux in enforcing mode and use firewalld rules.

About Telnet

Telnet is a network protocol used on the Internet or on local area networks to provide a bidirectional, interactive, text-oriented communication facility over a virtual terminal connection.
Recommended: we always recommend using SSH, because it encrypts its communication, whereas telnet sends everything unencrypted.

Telnet Port Number

By default the telnet server listens on port 23/tcp.
To know more about telnet, read this Wikipedia link.
IMPORTANT NOTE:
By default root is not able to log in via telnet; use another system user.
Diagram: telnet server lab layout (image)

Description of our lab:

Operating System : CentOS 7
IP Address : 192.168.56.101 (this is also the telnet server IP address)
Arch : x86_64

Install Telnet Server

Installing telnet-server is quite easy; simply run the command below in your system terminal.
 
#yum install telnet-server

Start/Stop/Restart Telnet service

To start the telnet service on CentOS 7 / RHEL 7 use the command –
#systemctl start telnet.socket

To stop the telnet service on CentOS 7 / RHEL 7 use the command –
#systemctl stop telnet.socket

To restart the telnet service on CentOS 7 / RHEL 7 use the command –
#systemctl restart telnet.socket

To get status of the telnet service on CentOS 7 / RHEL 7 use the command –
#systemctl status telnet.socket

Check the telnet listening port

To check that telnet is listening on port 23, use the ss command –
ss -tnlp|grep 23

Below is the reference output from our system. It shows that port 23 is listening.
[root@localhost ~]# ss -tnlp|grep 23 
LISTEN 0 128 :::23 :::* users:(("systemd",1,53)) 
[root@localhost ~]#

Allow telnet from firewall

We strictly recommend using the telnet server inside the LAN only. It should not be accessible from public networks.
In the section below we allow the source subnet 192.168.56.0/24 to access the telnet service using a firewalld rich rule.
(Replace 192.168.56.0/24 with your LAN subnet or client IP address.)

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.56.0/24" service name="telnet" log prefix="telnet" level="info" limit value="1/m" accept'

Access telnet-server

To access the telnet server, use the following command syntax.

Syntax: replace telnet-server-ip-address with the IP address of the telnet server.
telnet telnet-server-ip-address

It will prompt for a username and password. Use a system user other than root.

sharad@linuxworld:~/Desktop$ telnet 192.168.56.101
Trying 192.168.56.101...
telnet: Unable to connect to remote host: No route to host
sharad@linuxworld:~/Desktop$ telnet 192.168.56.101
Trying 192.168.56.101...
Connected to 192.168.56.101.
Escape character is '^]'.

Kernel 3.10.0-123.el7.x86_64 on an x86_64
localhost login: test
Password: 
Last login: Sat Dec  6 08:01:10 from ::ffff:192.168.56.1
[test@localhost ~]$
 

How to configure the Telnet client on Windows 7

Open a command prompt and run the telnet command.
Error:
'telnet' is not recognized as an internal or external command, operable program or batch file.
You get this error because Windows 7 does not turn on the Telnet client feature automatically; we need to enable it manually.
Open Control Panel and click on Programs.
Click on "Turn Windows features on or off".
Scroll down, tick Telnet Client and click OK.
Now you can run the telnet command. Log in as a normal user.
Log out from the normal user and try to log in as root.
By default the root user is not allowed to log in through the terminal session.
To allow the root user, go to the server system and open the /etc/securetty file.
At the end of the file add pts/0 and save the file.
Go back to the Windows client system and try again to log in as root.
In this article I have configured a Telnet server on a RHEL 7 system in a LAB environment.
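The checks this article walks through (whether port 23 is listening and on which addresses, the firewalld rich rule that accepts and logs telnet connections from the LAN subnet, and the pts/0 entry in /etc/securetty that lets root log in) combined into one audit script. This is an added example, not code from the original article; the securetty contents, ss output and kernel log lines are constructed samples, and the log format assumes the rich rule's log prefix "telnet" is written directly before IN= as the kernel LOG target does.

```python
import ipaddress
import re

# The LAN subnet the firewalld rich rule accepts telnet from.
ALLOWED_NET = ipaddress.ip_network("192.168.56.0/24")

# Constructed samples (not captured from a real host): /etc/securetty with the
# pts/0 entry added, `ss -tnlp` output and kernel log lines from the rich rule.
SECURETTY_SAMPLE = "console\ntty1\ntty2\npts/0\n"
SS_SAMPLE = """State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:* users:(("sshd",980,3))
LISTEN 0 128 :::23 :::* users:(("systemd",1,53))
"""
LOG_SAMPLE = [
    "kernel: telnetIN=enp0s8 OUT= SRC=192.168.56.1 DST=192.168.56.101 PROTO=TCP SPT=49158 DPT=23",
    "kernel: telnetIN=enp0s8 OUT= SRC=10.0.0.7 DST=192.168.56.101 PROTO=TCP SPT=51002 DPT=23",
    "kernel: telnetIN=enp0s8 OUT= SRC=192.168.56.20 DST=192.168.56.101 PROTO=TCP SPT=40001 DPT=23",
]
LOG_RE = re.compile(r"SRC=(\S+).*?DPT=(\d+)")

def securetty_pts_entries(securetty_text):
    """pts/* lines in /etc/securetty; each one lets root log in over a telnet session."""
    return [ln.strip() for ln in securetty_text.splitlines() if ln.strip().startswith("pts/")]

def telnet_listeners(ss_output, port=23):
    """Local addresses on which `ss -tnlp` shows a LISTEN socket for the given TCP port."""
    addrs = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, lport = fields[3].rpartition(":")  # ":::23" -> ("::", ":", "23")
        if lport == str(port):
            addrs.append(addr)
    return addrs

def telnet_sources_outside(log_lines, allowed=ALLOWED_NET, prefix="telnet"):
    """Source IPs of logged telnet connections outside the allowed subnet (a hit means the rule's source restriction changed)."""
    outside = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if prefix + "IN=" not in line or not m or m.group(2) != "23":
            continue
        src = ipaddress.ip_address(m.group(1))
        if src not in allowed:
            outside.append(str(src))
    return outside

def audit(securetty_text, ss_output, log_lines):
    """Run the three checks and return a list of findings (empty means nothing to report)."""
    findings = []
    pts = securetty_pts_entries(securetty_text)
    if pts:
        findings.append("root login over telnet enabled by /etc/securetty: " + ", ".join(pts))
    wild = [a for a in telnet_listeners(ss_output) if a in ("*", "0.0.0.0", "::")]
    if wild:
        findings.append("telnet listening on all interfaces: " + ", ".join(wild))
    outside = telnet_sources_outside(log_lines)
    if outside:
        findings.append("telnet connections logged from outside the LAN: " + ", ".join(outside))
    return findings

if __name__ == "__main__":
    print("\n".join("FINDING: " + f for f in audit(SECURETTY_SAMPLE, SS_SAMPLE, LOG_SAMPLE)))
```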
 

How to configure Telnet Server in RHEL6

In this article I will configure a Telnet server on RHEL 6. The Telnet protocol allows you to connect to remote hosts over a TCP/IP network.
Telnet was developed in 1969. It was initially developed for private use where security was not a primary concern, and the protocol has serious security issues. Security experts recommend that the use of Telnet for remote login be discontinued under all normal circumstances.
  • Telnet Server
  • Telnet Client

Telnet Server

Telnet server software is installed on the remote host. You need to configure it before a client can connect to it.

Telnet Client

Telnet client software allows you to connect to a telnet server. Once the client establishes a connection to the remote host, it becomes a virtual terminal, allowing you to communicate with the remote host from your computer.

Security issue with Telnet

  • Telnet by default does not encrypt any data sent over the connection.
  • Anyone with access to a network device located between the two hosts (router, switch, hub or gateway) where Telnet is being used can intercept the packets passing by and obtain the login, password and whatever else is typed, using packet sniffer software.
  • The Telnet protocol has no mechanism to ensure that the communication between the two hosts is not intercepted in the middle.
In this tutorial I will configure a telnet server in a LAB environment.
  • In RHEL, Telnet is part of the xinetd daemon.
  • Telnet transmits the password in plain text.
  • The root user is not allowed to connect using Telnet.
  • Command-line telnet clients are built into all major operating systems.
  • Red Hat recommends using SSH to connect to a system instead of Telnet.
  • Use Telnet in a LAB environment where security is not a concern.

Configure Telnet in RHEL 6

Three RPMs are required to configure a telnet server in Linux.
  • xinetd
  • telnet-server
  • telnet-client
Log in as root and check the required RPMs. If you do not have the telnet-server or telnet packages installed, you can install them from the RPMs available on your installation media. The version numbers of the packages should not matter; Red Hat Network (RHN) will always provide you with the latest version of the package.
Once you have the packages installed, check the /etc/xinetd.d/telnet file and ensure that disable = yes is changed to read disable = no.
Turn the Telnet server on using the chkconfig command.
Also check the xinetd service.
You will need to restart the xinetd service.
As I said above, the root user is not allowed to log in via telnet. We need to create a normal user account.
To connect to the telnet server we need to specify the server IP address, which you can check with the ifconfig command. You should test the telnet configuration on the server before connecting from a client computer.
To terminate the telnet session, log out from the logged-in user.

Configure the telnet client in RHEL 6

Go to the linuxclient system. The linuxclient system has RHEL 6 installed and is connected to our server system. Log in as root and check the telnet and xinetd packages.
Check the telnet service status on it (it is set to off).
Open the telnet configuration file and make sure that disable = yes is changed to disable = no.
Restart the xinetd service.
Check connectivity with the server.
We are getting ping replies from the server, so we have connectivity. Connect to the telnet server.
Error:
telnet:connect to address 192.168.1.1:No route to host
The telnet client is unable to connect to the telnet server because the firewall on the server is blocking the telnet connection. To solve this error, go to the server.
Run the setup command and select Firewall configuration.
The firewall is enabled by default. To disable the firewall, unselect Enabled.
Ignore the warning, select OK and press Enter.
Select Quit and press Enter to save the configuration.
Restart the xinetd service.
Now come back to the linuxclient system and try again to connect to the telnet server.
This time we have successfully connected to the Telnet server. To terminate the telnet session, log out from testuser. We have successfully configured the Telnet client on RHEL 6.

In this article I have configured a Telnet server on a RHEL 6 system in a LAB environment.

Configure NFS Server in RHEL6

How to configure NFS Server on RHEL6

Our first task is to install the necessary RPMs. Two RPMs are required for the NFS server:
  • nfs-utils: the main RPM, which provides the nfs service.
  • rpcbind: NFS depends on the Remote Procedure Call (RPC) service, which is controlled by the rpcbind service. In earlier versions of RHEL the portmap service was used to map RPC program numbers to IP address/port number combinations. This service has been replaced by rpcbind to enable IPv6 support.

If you do not have the above RPMs installed, install them first. You can use any method to install RPMs.

"NFS file server" is the primary yum group associated with NFS. So if you have configured a yum repository, the following command will install the mandatory packages [nfs-utils and nfs4-acl-tools] from that group.

#yum groupinstall "NFS file server"


Or alternatively you can use

# yum install nfs* -y

If you do not have a yum repository, use the rpm command to install these packages. Go to the folder which contains the RPMs (on the RHEL 6 installation disk, the Packages folder contains all RPMs) and run the following commands.

#rpm -ivh nfs* --nodeps --force

#rpm -ivh rpcbind* --nodeps --force

Our second task is to verify that the NFS packages are installed. This can be done with the following commands.
#rpm -qa nfs-utils

Verify that the rpcbind package is installed.
#rpm -qa rpcbind

For this article I assume that you have both packages installed.

The following services are associated with the NFS daemons. Each service has its script file stored in the init.d directory.
  • /etc/init.d/nfs Main control script for the NFS daemons, which controls the NFS services.
  • /etc/init.d/nfslock Script for lock files and the statd daemon, which locks and provides the status of files that are currently in use.
  • /etc/init.d/portreserve Replacement script for portmap, which used to set up ports for RPC services.
  • /etc/init.d/rpcbind RPC program number converter.
  • /etc/init.d/rpcgssd Script for RPC-related security services.
  • /etc/init.d/rpcidmapd Configuration script used for mapping NFS user IDs to LDAP and Kerberos systems.
  • /etc/init.d/rpcsvcgssd Control script for the server side of RPC-related general security services.

You can run each script directly with the following command (the init scripts need an action such as start, stop, restart or status)
#/etc/init.d/[script name] start

For example, to start the nfs service
#/etc/init.d/nfs start

Or you can use the service command to start / stop / restart the service
#service nfs start

nfs and rpcbind are the compulsory services for the NFS daemons.
Make sure the nfs and rpcbind scripts are active before you configure the NFS server.
Start the services.

Make sure that the services remain on after reboot.

Check the status of the services; they must be running.


How to configure the NFS client on RHEL 6

Check the necessary RPMs and install them if you are missing them.

Start the necessary services and verify their status; they must be running.

Make sure the services remain on after reboot.

Check connectivity from the server.


How to create NFS Share

So far we have set up the NFS server and NFS client with basic configurations. Now create an NFS share on the NFS server and mount it from the NFS client.

On the server system make a directory /nfs_share and create a test file in it.




On the server, /etc/exports defines what resources will be available to clients. The /etc/exports file uses the following syntax to share resources:

[mountpoint] [host][permissions/options]

Remember there is no space between the [host] field and the [permissions/options] field. If you include a space, you receive a syntax error.


Common mount permission options
rw            read/write permissions
ro            read-only permissions
insecure      allows the use of (client source) ports over 1024
sync          specifies that all changes must be written to disk before a command completes
no_wdelay     forces the writing of changes immediately
root_squash   maps requests from the client's root user to the anonymous user, so root has no special privileges on the share

NFS host entries

/etc/exports supports conventional wildcards, which provide flexibility when specifying hosts.
  • You can use the hostname for hosts within your domain.
  • You need the fully qualified domain name for outside hosts.
  • You can reference all the hosts within a specific domain: use * for the host segment, followed by the domain name, such as *.example.com for all the hosts in the example.com network.
  • Instead of a host name, you can also use a single host's IP address.
  • You can use IP network addresses in CIDR format.
  • You can also use an NIS netgroup name to reference a collection of hosts. The NIS netgroup name is preceded by an @ sign.

For example, the following are valid host entries:
#directory host(options)
/nfs_share *(rw,sync)
/nfs_share *.example.com(rw,sync)
/nfs_share 192.168.1.10(rw,sync)
/nfs_share 192.168.1.0/255.255.255.0(rw,sync)
/nfs_share 192.168.1.0/24(rw,sync)
/nfs_share @netgroup(rw,sync)
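A small parser for the /etc/exports syntax described above, as an added example (not from the original article): it recognises each of the host forms listed, splits the options, reports the space-before-options mistake as an error as the text warns, and flags the entries a reviewer would question (rw exported to * and no_root_squash). The sample file contents are constructed.

```python
import ipaddress
import re

# Constructed /etc/exports content (not from a real server): the host forms listed
# above, plus a last line with a space before the options.
EXPORTS_SAMPLE = """# directory host(options)
/nfs_share 192.168.1.10(rw,sync)
/nfs_share 192.168.1.0/24(ro,sync) *.example.com(rw,sync)
/nfs_share @trusted(rw,sync,no_root_squash)
/nfs_share *(rw,sync)
/data 192.168.1.20 (rw)
"""

HOST_FORMS = {
    "any": re.compile(r"^\*$"),                       # every host
    "domain_wildcard": re.compile(r"^\*\.[\w.-]+$"),  # *.example.com
    "netgroup": re.compile(r"^@[\w.-]+$"),            # @netgroup
    "hostname": re.compile(r"^[\w.-]+$"),             # host or FQDN
}
ENTRY_RE = re.compile(r"^([^\s(]+)\(([^)]*)\)$")      # host(opt1,opt2)

def classify_host(host):
    """Name the host form used in an export entry."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    if "/" in host:
        ipaddress.ip_network(host, strict=False)  # accepts both /24 and /255.255.255.0
        return "network"
    for name, pattern in HOST_FORMS.items():
        if pattern.match(host):
            return name
    raise ValueError("unrecognised host entry: " + host)

def parse_exports(text):
    """Return (entries, errors): entries are (directory, host, form, options) tuples,
    errors describe lines with a space between host and options."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directory, *clients = line.split()
        if any(c.startswith("(") for c in clients):
            errors.append("line %d: space between host and options" % lineno)
            continue
        for client in clients:
            m = ENTRY_RE.match(client)
            host, opts = (m.group(1), m.group(2)) if m else (client, "")
            options = [o for o in opts.split(",") if o]
            entries.append((directory, host, classify_host(host), options))
    return entries, errors

def risky_entries(entries):
    """Flag exports writable by every host or that keep the client's root privileges."""
    flagged = []
    for directory, host, form, options in entries:
        if form == "any" and "rw" in options:
            flagged.append((directory, host, "writable by any host"))
        if "no_root_squash" in options:
            flagged.append((directory, host, "client root keeps root privileges"))
    return flagged
```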


We will share it globally with read/write options. Open the /etc/exports file, add the following line and save the file.

Restart the NFS service.

Showmount

The showmount command with the -e option displays shared NFS directories, locally and remotely. To review the export list of an NFS server, add the name or IP address of the NFS server. If this command doesn't work, communication may be blocked by a firewall.

During the exam you may face two common errors in the output of the showmount -e command.

On the NFS server:
clnt_create: RPC: Program not registered

On the NFS client:
clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)

On the server this is caused by the order of the services. In the exam, always start/restart the rpcbind service before nfs.

On the client this is caused by the firewall configured on the NFS server. On the linuxclient system use showmount to list all NFS shares:

clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)

The showmount -e command returns the above error on the NFS client if the firewall is not properly configured on the NFS server.


Configure iptables rules for the NFS server

During the RHCE 6 exam you may have a system with the iptables firewall enabled. You should know how to allow NFS through the firewall.

NFS port range

In order to allow NFS through the iptables firewall we need to open the following ports:

TCP and UDP port 2049 for NFS.
TCP and UDP port 111 (rpcbind/sunrpc).
TCP and UDP port specified with MOUNTD_PORT="port"
TCP and UDP port specified with STATD_PORT="port"
TCP port specified with LOCKD_TCPPORT="port"
UDP port specified with LOCKD_UDPPORT="port"

NFS requires rpcbind, which dynamically assigns ports for RPC services at startup time. Dynamic ports cannot be protected by iptables, as these ports might change on reboot and make the rules obsolete.

So you need to configure the NFS services to use fixed ports.

Open /etc/sysconfig/nfs

Uncomment the following directives to use the default ports, or change them to unused TCP/UDP ports of your choice, and save the file.

# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=[port-number]
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=[port-number]
# Port rpc.mountd should listen on.
MOUNTD_PORT=[port-number]
# Port rquotad should listen on.
RQUOTAD_PORT=[port-number]
# Port rpc.statd should listen on.
STATD_PORT=[port-number]
# Outgoing port statd should use. The default port is random.
STATD_OUTGOING_PORT=[port-number]

Here is the sample listing with the default port numbers:
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020



So far we have configured fixed ports for the NFS server; now let's configure the firewall to allow NFS traffic.

Run the setup command and select Firewall configuration.

Select Customize (make sure the firewall option remains selected).

Select NFS4.

Select Forward and press Enter.

Select eth+ and press Enter on the Close button.

Select OK and press Enter.

Select Yes and press Enter.

Select Quit and press Enter.

Now open the /etc/sysconfig/iptables file.




Add the following iptables rules under the rule for port 2049 and save the file:

-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 32803 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 32769 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 892 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 875 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 875 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 662 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 662 -j ACCEPT
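The mapping from the fixed-port directives in /etc/sysconfig/nfs to the iptables rules above, as an added example (not from the original article): it parses the uncommented directives, refuses to proceed when one is still commented out (that port would then be dynamic and the rule set incomplete), and emits the INPUT rules for those ports plus 111 and 2049 in the same form as the rules listed here. The sysconfig fragment is constructed.

```python
import re

# Constructed /etc/sysconfig/nfs fragment using the default fixed ports shown above
# (not copied from a real host); STATD_OUTGOING_PORT is left commented out.
NFS_SYSCONFIG_SAMPLE = """# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=32803
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=32769
# Port rpc.mountd should listen on.
MOUNTD_PORT=892
# Port rquotad should listen on.
RQUOTAD_PORT=875
# Port rpc.statd should listen on.
STATD_PORT=662
# Outgoing port statd should use.
#STATD_OUTGOING_PORT=2020
"""

# Protocols each listening directive must be opened for. STATD_OUTGOING_PORT is a
# source port for outgoing calls, so it needs no INPUT rule and is not listed.
DIRECTIVE_PROTOS = {
    "LOCKD_TCPPORT": ("tcp",),
    "LOCKD_UDPPORT": ("udp",),
    "MOUNTD_PORT": ("tcp", "udp"),
    "RQUOTAD_PORT": ("tcp", "udp"),
    "STATD_PORT": ("tcp", "udp"),
}
# Ports that are fixed regardless of /etc/sysconfig/nfs: rpcbind and NFS itself.
FIXED_PORTS = ((111, ("tcp", "udp")), (2049, ("tcp", "udp")))
RULE = "-A INPUT -m state --state NEW -m %s -p %s --dport %d -j ACCEPT"

def parse_nfs_sysconfig(text):
    """Return {directive: port} for the uncommented port directives in /etc/sysconfig/nfs."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z_]+)\s*=\s*"?(\d+)"?\s*$', line)
        if m and m.group(1) in DIRECTIVE_PROTOS:
            ports[m.group(1)] = int(m.group(2))
    return ports

def iptables_rules(ports):
    """Build the INPUT rules (in /etc/sysconfig/iptables syntax) for every NFS-related port."""
    wanted = list(FIXED_PORTS)
    for directive, protos in DIRECTIVE_PROTOS.items():
        if directive not in ports:
            raise ValueError(directive + " is commented out: its port would be dynamic")
        wanted.append((ports[directive], protos))
    return [RULE % (proto, proto, port) for port, protos in wanted for proto in protos]

if __name__ == "__main__":
    print("\n".join(iptables_rules(parse_nfs_sysconfig(NFS_SYSCONFIG_SAMPLE))))
```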



NFS and SELinux

SELinux is an integral part of RHEL 6, and directories shared via NFS will not work without proper changes to SELinux.

Important SELinux booleans for NFS
nfs_export_all_ro       Allows NFS to share files and directories as read-only
nfs_export_all_rw       Allows NFS to share files and directories as read/write
httpd_use_nfs           Allows httpd to access NFS file systems
use_nfs_home_dirs       Supports NFS home directories
samba_share_nfs         Allows Samba to export NFS volumes
allow_nfsd_anon_write   Allows NFS servers to modify public files
allow_ftpd_usr_nfs      Allows FTP servers to use NFS for public file transfer services

During the exam, make sure the SELinux booleans are compatible; specifically, nfs_export_all_ro and nfs_export_all_rw must be set to on.

If the nfs_export_all_ro and nfs_export_all_rw booleans are set to off, change the value.

Verify that the booleans have been changed.

Restart the iptables, rpcbind and nfs services.

Now try again to run the showmount -e command on the NFS client.

Create a /nfs_tmp directory to mount the NFS share locally.

Mount /nfs_share on the local /nfs_tmp directory.

Perform read and write operations. You can read, but writes will be denied.

We shared with write permission, yet we still get a permission denied message, because the Linux file permissions on the exported directory always override the NFS share permissions. To fix it:

On the server system, change the file permissions.

On the client, try again to write; this time it will be permitted.

Now that we have full file permissions on the nfs_share directory, open the /etc/exports file.

Change the rw (read, write) share option to ro (read only) and save the file.

Restart the nfs service, or use the exportfs command to manually export any new resources added to the /etc/exports file.

-a Exports all directories
-r Re-exports all directories
-u Unexports directories
-v Show verbose output

In the real world I would recommend using exportfs to export the directories manually rather than restarting the service, because when you restart the nfs service you also disconnect your NFS clients.

On the client, remount nfs_share.

Try to perform a write operation; this time you will get an NFS share error message.




NFS Tools

During the exam the following commands could be helpful for troubleshooting:
mountstats   Shows information about mounted NFS shares
nfsstat      Shows statistics of exported resources
nfsiostat    Shows statistics of NFS-mounted shares