Installing Proftpd Server on CentOS 7.x

Reference:
Linux . 無限: Setting up a Proftpd Server on CentOS7/RHEL7

1. Install the EPEL repository
# yum install epel-release
# yum update

2. Install the Proftpd Server packages
# yum install proftpd proftpd-ldap proftpd-mysql proftpd-utils

3. Firewall settings
# firewall-cmd --permanent --add-service=ftp
# firewall-cmd --reload

# iptables -A INPUT -p tcp --syn -m state --state NEW --dport 21 -j ACCEPT
4. Back up the configuration file and create a self-signed certificate
# cp /etc/proftpd.conf /etc/proftpd.conf.$(date +%F)

# yum install openssl

# openssl req -x509 -newkey rsa:1024 -keyout /etc/proftpd.d/proftpd.key -out /etc/proftpd.d/proftpd.crt -nodes -days 3650
Generating a 1024 bit RSA private key
..........++++++
......++++++
writing new private key to '/etc/proftpd.d/proftpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Yilan]:
Locality Name (eg, city) [TouCheng]:
Organization Name (eg, company) [Elementary School]:
Organizational Unit Name (eg, section) [Proxy Server]:FTP Server
Common Name (eg, your name or your server's hostname) []:
Email Address []:

5. Start Proftpd Server and enable it at boot
# systemctl start proftpd.service
# systemctl enable proftpd.service

Installing lightsquid

LightSquid is a program that analyzes Squid Proxy Server access logs, giving the administrator a clearer picture of how the proxy server is being used.
LightSquid official site: http://lightsquid.sourceforge.net/
1. Download LightSquid
# wget --no-check-certificate https://downloads.sourceforge.net/project/lightsquid/lightsquid/1.8/lightsquid-1.8.tgz -P /var/www

2. Extract the archive
# tar xvzf /var/www/lightsquid-1.8.tgz

3. Move the directory
# mv /var/www/lightsquid-1.8 /var/www/lightsquid

4. Edit the configuration file /var/www/lightsquid/lightsquid.cfg
# sed -i 's@/var/www/html@/var/www@' /var/www/lightsquid/lightsquid.cfg

5. Check the setup
# cd /var/www/lightsquid
# ./check-setup.pl
LightSquid Config Checker, (c) 2005-9 Sergey Erokhin GNU GPL

no: CGI.PM found, please install
no: GD.PM found, please install or set $graphreport=0 to disable

# yum install perl-CGI perl-GD

# ./check-setup.pl
LightSquid Config Checker, (c) 2005-9 Sergey Erokhin GNU GPL

LogPath   : /var/log/squid
reportpath: /var/www/lightsquid/report
Lang      : /var/www/lightsquid/lang/zh_tw
Template  : /var/www/lightsquid/tpl/base
Ip2Name   : /var/www/lightsquid/ip2name/ip2name.simple

all check passed, now try access to cgi part in browser

6. Set the SELinux context
# chcon -R system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/lightsquid

7. Create /etc/httpd/conf.d/lightsquid.conf
# vim /etc/httpd/conf.d/lightsquid.conf
Alias /lightsquid /var/www/lightsquid
ScriptAlias /lightsquid/ /var/www/lightsquid/
<Directory /var/www/lightsquid/>
DirectoryIndex index.cgi
Options ExecCGI
AddHandler cgi-script .cgi
</Directory>

8. Set the SELinux context
# chcon -R system_u:object_r:httpd_config_t:s0 /etc/httpd/conf.d

9. Restart the web server
# systemctl restart httpd.service

10. Add the cron jobs
# crontab -e
0 1 * * * /usr/sbin/squid -k rotate > /dev/null 2>&1
30 1 * * * /var/www/lightsquid/lightparser.pl access.log.0 > /dev/null 2>&1

Squid Proxy Server SSL

References:
SQUID Transparent Proxy (HTTP+HTTPs)
Configuring SQUID as an HTTP/HTTPS proxy server and enabling the ICAP client
Jedi Linuxer: Using a Squid proxy server to inspect HTTPS connection contents
Configure Squid as HTTP and HTTPS Transparent Proxy
Configure squid-3.3 in transparent mode on CentOS 7 with SSL bump - Notes Wiki

CentOS 7.x x64
NAT Client: 192.168.1.0/24
NAT Server: 192.168.1.254
1. Install the perl-Crypt-OpenSSL-X509 package
# yum install perl-Crypt-OpenSSL-X509 --enablerepo=epel

2. Initialize the Squid SSL DB
# /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
Initialization SSL db...
Done

3. Change the owner and group
# chown -R squid.squid /var/lib/ssl_db

4. If SELinux is enabled
# chcon -R -u system_u -t squid_conf_t /var/lib/ssl_db

5. Edit /etc/squid/squid.conf
    Only the lines that were changed are listed
# vim /etc/squid/squid.conf
http_port 3130
http_port 3128 intercept
http_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

#always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error deny all
#sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

coredump_dir /var/spool/squid
shutdown_lifetime 1 second

6. Use OpenSSL to create the Squid certificate
# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.$(date +%F)
# vim /etc/pki/tls/openssl.cnf
default_days    = 1365                  # how long to certify for

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = TW
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Yilan

localityName                    = Locality Name (eg, city)
localityName_default            = TouCheng

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Elementary School

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Proxy Server

commonName                      = Common Name (eg, your name or your server's hostname)
commonName_default              = proxy.test.ilc.edu.tw
commonName_max                  = 64

emailAddress                    = test@gmail.com
emailAddress_max                = 64

7. Create the directory
# mkdir /etc/squid/ssl_cert

8. Change the directory's owner and group
# chown -R squid.squid /etc/squid/ssl_cert

9. Change into the directory
# cd /etc/squid/ssl_cert

10. Create the server key; just press Enter at each prompt
# openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem
Generating a 1024 bit RSA private key
..........................................++++++
.........++++++
writing new private key to 'myca.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Yilan]:
Locality Name (eg, city) [TouCheng]:
Organization Name (eg, company) [Elementary School]:
Organizational Unit Name (eg, section) [Proxy Server]:
Common Name (eg, your name or your server's hostname) [proxy.test.ilc.edu.tw]:
test@gmail.com []:

11. Export the certificate in DER format for Windows clients
# openssl x509 -in myca.pem -outform DER -out myca.der

12. Modify the firewall settings
# iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --dport 80 -j DNAT --to 192.168.1.254:3128
# iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --dport 443 -j DNAT --to 192.168.1.254:3129

OpenVPN fails to start

1. After installing and configuring OpenVPN, starting it produces an error
# systemctl start openvpn@server.service
Job for openvpn@server.service failed because the control process exited with error code. See "systemctl status openvpn@server.service" and "journalctl -xe" for details.

2. Check the OpenVPN service status
# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since 二 2016-08-16 11:31:37 CST; 5min ago
  Process: 1883 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=1/FAILURE)
 Main PID: 1845 (code=exited, status=0/SUCCESS)

 8月 16 11:31:37 xxxxx.sytes.net systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
 8月 16 11:31:37 xxxxx.sytes.net openvpn[1883]: Options error: In [CMD-LINE]:1: Error opening configuration file: server.conf
 8月 16 11:31:37 xxxxx.sytes.net openvpn[1883]: Use --help for more information.
 8月 16 11:31:37 xxxxx.sytes.net systemd[1]: openvpn@server.service: control process exited, code=exited status=1
 8月 16 11:31:37 xxxxx.sytes.net systemd[1]: Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On server.
 8月 16 11:31:37 xxxxx.sytes.net systemd[1]: Unit openvpn@server.service entered failed state.
 8月 16 11:31:37 xxxxx.sytes.net systemd[1]: openvpn@server.service failed.

3. Another way to check
# journalctl -xe
-- Unit openvpn@server.service has begun starting up.
 8月 16 11:31:37 xxxxx.sytes.net openvpn[1883]: Options error: In [CMD-LINE]:1: Error opening configuration file: server.conf
 8月 16 11:31:37 xxxxx.sytes.net openvpn[1883]: Use --help for more information.
 8月 16 11:31:37 xxxxx.sytes.net systemd[1]: openvpn@server.service: control process exited, code=exited status=1
 8月 16 11:31:37 xxxxx.sytes.net systemd[1]: Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On server.
-- Subject: Unit openvpn@server.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit openvpn@server.service has failed.

-- The result is failed.
 8月 16 11:31:37 xxxxx.sytes.net systemd[1]: Unit openvpn@server.service entered failed state.
 8月 16 11:31:37 xxxxx.sytes.net systemd[1]: openvpn@server.service failed.
 8月 16 11:31:37 xxxxx.sytes.net polkitd[1816]: Unregistered Authentication Agent for unix-process:1878:1286078 (system bus name :1.37, object path /

From the messages it appears that the /etc/openvpn/server.conf configuration file cannot be opened.

4. Check whether /etc/openvpn/server.conf exists
# ls -l /etc/openvpn/server.conf
-rw-r--r--. 1 root root 10441  8月 16 11:30 /etc/openvpn/server.conf

5. The file exists. Because SELinux is enabled on this server, check the file's security context
# ls -lZ /etc/openvpn/server.conf*
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/openvpn/server.conf
-rw-r--r--. root root unconfined_u:object_r:openvpn_etc_t:s0 /etc/openvpn/server.conf.20160816

6. Change the context
# chcon -t openvpn_etc_t /etc/openvpn/server.conf

7. Check again
# ls -lZ /etc/openvpn/server.conf*
-rw-r--r--. root root unconfined_u:object_r:openvpn_etc_t:s0 /etc/openvpn/server.conf
-rw-r--r--. root root unconfined_u:object_r:openvpn_etc_t:s0 /etc/openvpn/server.conf.20160816

8. Start the OpenVPN service
# systemctl start openvpn@server.service
# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since 二 2016-08-16 11:49:11 CST; 10s ago
  Process: 1934 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
 Main PID: 1935 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─1935 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --cd /etc/openvpn/ --config server.conf

 8月 16 11:49:11 xxxxx.sytes.net openvpn[1935]: GID set to nobody
 8月 16 11:49:11 xxxxx.sytes.net openvpn[1935]: UID set to nobody
 8月 16 11:49:11 xxxxx.sytes.net openvpn[1935]: Listening for incoming TCP connection on [undef]
 8月 16 11:49:11 xxxxx.sytes.net openvpn[1935]: TCPv4_SERVER link local (bound): [undef]
 8月 16 11:49:11 xxxxx.sytes.net openvpn[1935]: TCPv4_SERVER link remote: [undef]
 8月 16 11:49:11 xxxxx.sytes.net openvpn[1935]: MULTI: multi_init called, r=256 v=256
 8月 16 11:49:11 xxxxx.sytes.net openvpn[1935]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
 8月 16 11:49:11 xxxxx.sytes.net openvpn[1935]: IFCONFIG POOL LIST
 8月 16 11:49:11 xxxxx.sytes.net openvpn[1935]: MULTI: TCP INIT maxclients=10 maxevents=14
 8月 16 11:49:11 xxxxx.sytes.net openvpn[1935]: Initialization Sequence Completed

Because I copied /etc/openvpn/server.conf directly from another machine where it had already been configured, this problem appeared; it is also a reminder to myself of what to watch for when using SELinux.
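As an added example (not part of the original post), a small POSIX shell helper that audits `ls -lZ` output against the SELinux type a daemon expects and prints the `chcon` needed, so a config file copied from another host, as above, is caught before the service fails. The function names and the sample listing are constructed to match the `ls -lZ` output shown above.

```shell
# audit_selinux_type EXPECTED_TYPE
#   Reads "ls -lZ" style lines on stdin (perms user group context path)
#   and prints "path current_type" for every entry whose SELinux type
#   (third colon-separated field of the context) is not EXPECTED_TYPE.
audit_selinux_type() {
    awk -v want="$1" '
        NF >= 5 {
            path = $NF
            n = split($4, ctx, ":")
            if (n >= 3 && ctx[3] != want) print path, ctx[3]
        }'
}

# fix_commands EXPECTED_TYPE
#   Turns the audit output into the chcon commands that would relabel
#   the mislabelled files (printed for review, not executed).
fix_commands() {
    audit_selinux_type "$1" | awk -v want="$1" '{ print "chcon -t " want " " $1 }'
}

# Constructed sample: the listing from the OpenVPN failure above, where the
# copied server.conf carries admin_home_t instead of openvpn_etc_t.
SAMPLE_LISTING='-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /etc/openvpn/server.conf
-rw-r--r--. root root unconfined_u:object_r:openvpn_etc_t:s0 /etc/openvpn/server.conf.20160816'

# Wrappers so the result can be checked without a live SELinux system.
audit_sample() { printf '%s\n' "$SAMPLE_LISTING" | audit_selinux_type openvpn_etc_t; }
fix_sample()   { printf '%s\n' "$SAMPLE_LISTING" | fix_commands openvpn_etc_t; }

# On a real host:  ls -lZ /etc/openvpn/ | audit_selinux_type openvpn_etc_t
audit_sample
fix_sample
```

After applying the printed `chcon`, `restorecon -Rv /etc/openvpn` reports nothing further when the labels match the policy defaults.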

Using Samba Server on CentOS 7.x

1. Install Samba Server
# yum install samba

2. Edit the configuration file /etc/samba/smb.conf
# cat /etc/samba/smb.conf | grep -E -v '^#|^;'
[global]
        workgroup = HOME
        server string = Samba Server Version %v

        # log files split per-machine:
        log file = /var/log/samba/log.%m
        # maximum size of 50KB per log file, then rotate:
        max log size = 50

        security = user
        passdb backend = tdbsam

[homes]
        comment = Home Directories
        browseable = no
        writable = yes
        valid users = %S
        veto files=/.*

3. Test the configuration file
# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = HOME
        server string = Samba Server Version %v
        security = USER
        log file = /var/log/samba/log.%m
        max log size = 50
        idmap config * : backend = tdb

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        veto files = /.*
        browseable = No

4. Set the user's Samba password
# /usr/bin/pdbedit -a t850008
new password:
retype new password:
Unix username:        t850008
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1562595748-815096285-1647261660-1000
Primary Group SID:    S-1-5-21-1562595748-815096285-1647261660-513
Full Name:
Home Directory:       \\localhost\t850008
HomeDir Drive:
Logon Script:
Profile Path:         \\localhost\t850008\profile
Domain:               LOCALHOST
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 23:06:39 CST
Kickoff time:         Wed, 06 Feb 2036 23:06:39 CST
Password last set:    Wed, 29 Jun 2016 09:06:19 CST
Password can change:  Wed, 29 Jun 2016 09:06:19 CST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

5. SELinux settings for Samba Server
# setsebool -P samba_enable_home_dirs on
If there are additional shared directories
# semanage fcontext -a -t samba_share_t '/sharedpath(/.*)?'
# restorecon -RFvv /sharedpath

6. Enable Samba Server at boot
# systemctl enable smb
Created symlink from /etc/systemd/system/multi-user.target.wants/smb.service to /usr/lib/systemd/system/smb.service.
# systemctl enable nmb
Created symlink from /etc/systemd/system/multi-user.target.wants/nmb.service to /usr/lib/systemd/system/nmb.service.

7. Start Samba Server
# systemctl start smb
# systemctl start nmb

8. Check that it started correctly
# netstat -an | grep -E ':137|:138|:139|:445'
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp6       0      0 :::139                  :::*                    LISTEN
tcp6       0      0 :::445                  :::*                    LISTEN
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 0.0.0.0:138             0.0.0.0:*

Using vsftpd FTP Server on CentOS 7.x

1. Install vsftpd FTP Server
# yum install -y vsftpd

2. Edit the configuration file /etc/vsftpd/vsftpd.conf
# grep -v ^# /etc/vsftpd/vsftpd.conf
anonymous_enable=No
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
idle_session_timeout=600
data_connection_timeout=120
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
allow_writeable_chroot=YES
listen=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

pasv_enable=YES
pasv_min_port=5000
pasv_max_port=6000
use_localtime=YES

3. Allow root to log in
# sed -i 's/root/#root/' /etc/vsftpd/ftpusers
# sed -i 's/root/#root/' /etc/vsftpd/user_list

4. Restrict users from changing to other directories (chroot); root is exempt
# echo root > /etc/vsftpd/chroot_list

5. SELinux settings for vsftpd FTP Server
# setsebool -P ftp_home_dir  on
# setsebool -P allow_ftpd_full_access  on

6. Enable at boot
# systemctl enable vsftpd
Created symlink from /etc/systemd/system/multi-user.target.wants/vsftpd.service to /usr/lib/systemd/system/vsftpd.service.

7. Start vsftpd FTP Server
# systemctl start vsftpd

8. Check that the FTP server started correctly
# netstat -ant | grep :21
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN

Another approach to chrooting users
1. Edit the /etc/vsftpd/vsftpd.conf configuration file
# grep 'chroot' /etc/vsftpd/vsftpd.conf | grep -v '^#'
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
allow_writeable_chroot=YES

2. Create the list of users to chroot
# awk -F: '{if ($3>999) print $1}' /etc/passwd | grep -v nfsnobody > /etc/vsftpd/chroot_list

Alternatively, limit the range to UIDs between 1000 and 59999:
# awk -F: '{if ($3>999&&$3<60000) print $1}' /etc/passwd > /etc/vsftpd/chroot_list
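As an added example (not from the original post), the two one-liners above generalized into a reusable POSIX shell function with a UID range and an exclusion list, plus a check that finds chroot_list entries whose accounts have since been deleted. The function names and the sample passwd file are constructed for this example; the user names are borrowed from the page, the UIDs and shells are made up.

```shell
# make_chroot_list PASSWD_FILE MIN_UID MAX_UID [EXCLUDED_NAME...]
#   Prints the login names in PASSWD_FILE whose UID lies in [MIN_UID, MAX_UID]
#   and that are not among the excluded names, one per line, sorted.
#   "1000 59999" matches the page's second awk command; adding nfsnobody to
#   the exclusions reproduces the first.
make_chroot_list() {
    pw="$1"; min="$2"; max="$3"; shift 3
    excl=" $* "
    awk -F: -v min="$min" -v max="$max" -v excl="$excl" '
        $3 >= min && $3 <= max && index(excl, " " $1 " ") == 0 { print $1 }' "$pw" | sort
}

# stale_chroot_entries LIST_FILE PASSWD_FILE
#   Prints names that are in the chroot list but no longer in PASSWD_FILE,
#   so entries for deleted accounts can be pruned from chroot_list.
stale_chroot_entries() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen)' "$2" "$1"
}

# Constructed sample passwd file (names from the page; UIDs, homes and
# shells are made up for the example).
write_sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
s0990:x:1000:1000::/home/s0990:/bin/bash
s0100:x:1001:1001::/home/s0100:/bin/bash
t850008:x:1002:1002::/home/t850008:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF
    echo "$f"
}

# Same selection as the page's awk one-liners, run against the sample file.
demo_chroot_list() {
    f=$(write_sample_passwd)
    make_chroot_list "$f" 1000 59999 nfsnobody
    rm -f "$f"
}

# A chroot list that still names an account which has been deleted.
demo_stale() {
    f=$(write_sample_passwd); l=$(mktemp)
    printf 's0990\nold_user\n' > "$l"
    stale_chroot_entries "$l" "$f"
    rm -f "$f" "$l"
}

# On a real host:
#   make_chroot_list /etc/passwd 1000 59999 nfsnobody > /etc/vsftpd/chroot_list
#   stale_chroot_entries /etc/vsftpd/chroot_list /etc/passwd
demo_chroot_list
demo_stale
```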

Using vsftpd FTP Server on CentOS 6.x

1. Install vsftpd FTP Server
# yum install -y vsftpd

2. Edit the configuration file /etc/vsftpd/vsftpd.conf
# grep -v ^# /etc/vsftpd/vsftpd.conf
anonymous_enable=No
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
pasv_enable=YES
pasv_min_port=5000
pasv_max_port=6000
use_localtime=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

3. Allow root to log in
# sed -i 's/root/#root/' /etc/vsftpd/ftpusers
# sed -i 's/root/#root/' /etc/vsftpd/user_list

4. Restrict users from changing to other directories (chroot); root is exempt
# echo root > /etc/vsftpd/chroot_list

5. SELinux settings for vsftpd FTP Server
# setsebool -P ftp_home_dir  on
# setsebool -P allow_ftpd_full_access  on

6. Enable at boot
# chkconfig --level 3 vsftpd on

7. Start vsftpd FTP Server
# service vsftpd start

8. Check that the FTP server started correctly
# netstat -ant | grep :21
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN

9. Firewall settings
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5000:6000 -j ACCEPT

Using Samba 4 on CentOS 6.x

1. Search for the Samba packages
# yum search samba | grep ^samba
samba-client.x86_64 : Samba client programs
samba-common.i686 : Files used by both Samba servers and clients
samba-common.x86_64 : Files used by both Samba servers and clients
samba-doc.x86_64 : Documentation for the Samba suite
samba-glusterfs.x86_64 : Samba VFS module for GlusterFS
samba-swat.x86_64 : The Samba SMB server Web configuration program
samba-winbind.x86_64 : Samba winbind
samba-winbind-clients.i686 : Samba winbind clients
samba-winbind-clients.x86_64 : Samba winbind clients
samba-winbind-krb5-locator.x86_64 : Samba winbind krb5 locator
samba4-client.x86_64 : Samba client programs
samba4-common.x86_64 : Files used by both Samba servers and clients
samba4-devel.x86_64 : Developer tools for Samba libraries
samba4-libs.x86_64 : Samba libraries
samba4-python.x86_64 : Samba Python libraries
samba4-test.x86_64 : Testing tools for Samba servers and clients
samba4-winbind.x86_64 : Samba winbind
samba4-winbind-clients.x86_64 : Samba winbind clients
samba4-winbind-krb5-locator.x86_64 : Samba winbind krb5 locator
samba.x86_64 : Server and Client software to interoperate with Windows machines
samba-domainjoin-gui.x86_64 : Domainjoin GUI
samba-winbind-devel.i686 : Developer tools for the winbind library
samba-winbind-devel.x86_64 : Developer tools for the winbind library
samba4.x86_64 : Server and Client software to interoperate with Windows machines
samba4-dc.x86_64 : AD Domain Controller placeholder package.
samba4-dc-libs.x86_64 : AD Domain Controller libraries placeholder package.
samba4-pidl.x86_64 : Perl IDL compiler

2. Install Samba 4
# yum install -y samba4

3. Edit the /etc/samba/smb.conf configuration file
# cat /etc/samba/smb.conf | grep -E -v '^#|^;'
[global]
        workgroup = HOME
        server string = Samba Server Version %v
        # log files split per-machine:
        log file = /var/log/samba/log.%m
        # maximum size of 50KB per log file, then rotate:
        max log size = 50

        security = user
        passdb backend = tdbsam

[homes]
        comment = Home Directories
        browseable = no
        writable = yes
        valid users = %S
        create mode = 0664
        directory mode = 0775
        veto files=/.*/

4. Test the configuration file
# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = HOME
        server string = Samba Server Version %v
        security = USER
        log file = /var/log/samba/log.%m
        max log size = 50
        idmap config * : backend = tdb

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        create mask = 0664
        directory mask = 0775
        veto files = /.*/
        browseable = No

5. Set the user's Samba password
# /usr/bin/pdbedit -a t850008
new password:
retype new password:
Unix username:        t850008
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1562595748-815096285-1647261660-1000
Primary Group SID:    S-1-5-21-1562595748-815096285-1647261660-513
Full Name:
Home Directory:       \\localhost\t850008
HomeDir Drive:
Logon Script:
Profile Path:         \\localhost\t850008\profile
Domain:               LOCALHOST
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 23:06:39 CST
Kickoff time:         Wed, 06 Feb 2036 23:06:39 CST
Password last set:    Wed, 29 Jun 2016 09:06:19 CST
Password can change:  Wed, 29 Jun 2016 09:06:19 CST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

6. SELinux settings for Samba Server
# setsebool -P samba_enable_home_dirs on
# chcon -R -t samba_share_t /home/homework
# chcon -R -t samba_share_t /home/share

7. Start Samba Server
# /etc/init.d/smb start
# /etc/init.d/nmb start

8. Check that Samba Server started correctly
# netstat -an | grep -E ':137|:138|:139|:445'
tcp        0      0 0.0.0.0:445                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:139                 0.0.0.0:*                   LISTEN
tcp        0      0 :::445                      :::*                        LISTEN
tcp        0      0 :::139                      :::*                        LISTEN
udp        0      0 0.0.0.0:137                 0.0.0.0:*
udp        0      0 0.0.0.0:138                 0.0.0.0:*

9. Enable Samba Server at boot
# chkconfig --level 3 smb on
# chkconfig --level 3 nmb on

10. Firewall settings
Firewall rules for the internal network 192.168.1.0/24
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT

CentOS 6.x Samba backup

1. Back up the student accounts and passwords
# tar cvjfp /Backup/Stu_account.tar.bz2 /etc/passwd /etc/shadow /etc/group /etc/gshadow
2. Back up the student files
# tar cvjfp /Backup/Stu.tar.bz2 /etc/samba/smb.conf /home/s0990 /home/s0100 /var/lib/samba/private
3. Restore the data
# tar xvjfp /Backup/Stu.tar.bz2 -C /

4. Handle the security settings between Samba and SELinux
# getsebool -a | grep samba
bacula_use_samba --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_load_libgfapi --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off
# setsebool -P samba_enable_home_dirs on
# chcon -R -t samba_share_t /home/s0990
# chcon -R -t samba_share_t /home/s0100

5. Firewall settings
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT

Installing Moodle 2.7.2+ on CentOS 7.x

Moodle official site: http://moodle.org
Because the new Moodle 2.7.x requires PHP 5.4.4, it can only be installed on CentOS 7.x.

Download Moodle 2.7.2+
# wget -P /var/www/html https://download.moodle.org/download.php/direct/stable27/moodle-latest-27.tgz
Download the Traditional Chinese language pack
# wget -P /var/www/html https://download.moodle.org/download.php/direct/langpack/2.7/zh_tw.zip

Extract Moodle 2.7.2+
# tar xvzf /var/www/html/moodle-latest-27.tgz -C /var/www/html

Create the Moodle data directory
# mkdir /var/www/moodledata
Extract the Traditional Chinese language pack
# unzip /var/www/html/zh_tw.zip -d /var/www/moodledata
Change the directory owner
# chown -R apache:apache /var/www/moodledata
Handle SELinux
# chcon -R -t httpd_sys_rw_content_t /var/www/moodledata

Install the missing PHP modules

# yum install php-xmlrpc php-soap php-intl php-ldap
# yum install php-pecl-zendopcache --enablerepo=remi

Restart the Apache web server
# systemctl restart httpd

Installation complete