About Me

My photo
Kalyan Kumar Pasupuleti B-Tech(Information Technology). • AWS Certified Solutions Architect - Associate • RedHat Certified Engineer(RHCE) • Directory Services and Authentication Certificate of Expertise(LDAP) • Red Hat SELinux Policy Administration Certificate of Expertise(SELinux) • Network Services Security Certificate of Expertise (Network Services) • RedHat Certified Virtualization Administrator(RHCVA) • Red Hat Certified Security Specialist (RHCSS) Working as Cloud DevOps engineer

Wednesday, April 24, 2013

How to install JDK-1.6 and Tomcat 7 on RHEL/CentOS?

This is a small article describes how to install JDK-1.6 and Tomcat 7 on a Linux box.

Prerequisites

1. jdk-6u39-linux-i586.bin
2. apache-tomcat-7.0.39.tar.gz

Download the files using below URLs

http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
http://tomcat.apache.org/download-70.cgi#7.0.39

According to my configuration I have downloaded both the files to /opt folder.

After downloading install JDK as shown below:


[root@cluster1 ~]# cd /opt/
[root@cluster1 opt]# ls -l

-rw-r--r-- 1 root root 71756435 Apr 24 06:18 jdk-6u39-linux-i586.bin

Provide the execute permission to the bin file

[root@cluster1 opt]# chmod +x jdk-6u39-linux-i586.bin




[root@cluster1 opt]# ls -l jdk-6u39-linux-i586.bin
-rwxr-xr-x 1 root root 71756435 Apr 24 06:18 jdk-6u39-linux-i586.bin

Now execute the below command to install JDK:

[root@cluster1 opt]# ./jdk-6u39-linux-i586.bin

[root@cluster1 opt]# ./jdk-6u39-linux-i586.bin
Unpacking...
        .
        .
        .

Press Enter to continue..... (Press enter key here to complete the unpacking)

Now You observe there is a folder created in /opt folder with the name jdk1.6.0_39

[root@cluster1 opt]# ll
drwxr-xr-x 8 root root     4096 Apr 24 06:23 jdk1.6.0_39
-rwxr-xr-x 1 root root 71756435 Apr 24 06:18 jdk-6u39-linux-i586.bin

Now download and install tomcat using below URL:


[root@cluster1 opt]# wget http://apache.techartifact.com/mirror/tomcat/tomcat-7/v7.0.39/bin/apache-tomcat-7.0.39.tar.gz

Now extract the tar ball using below command:

[root@cluster1 opt]# tar -zxvf apache-tomcat-7.0.39.tar.gz

Now check the folder apache-tomcat-7.0.39 in /opt directory.

[root@cluster1 opt]# ls -l
total 77824
drwxr-xr-x 9 root root     4096 Apr 24 06:25 apache-tomcat-7.0.39
-rw-r--r-- 1 root root  7831716 Apr 24 06:24 apache-tomcat-7.0.39.tar.gz

The tomcat startup and shutdown scripts are located in below paths:

Startup script path: /opt/apache-tomcat-7.0.39/bin/startup.sh
Shutdown script path: /opt/apache-tomcat-7.0.39/bin/shutdown.sh

Now one more step ahead to complete this configuration.
You need to setup Tomcat to run as a service. So create a service (file) as shown below:

[root@cluster1 opt]# vim /etc/init.d/tomcat7

#!/bin/bash
# description: Tomcat Start Stop Restart
# processname: tomcat
# chkconfig: 234 20 80
JAVA_HOME=/opt/jdk1.6.0_39/   # This is your java home path
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
CATALINA_HOME=/opt/apache-tomcat-7.0.39 # This is your tomcat home directory

case $1 in
start)
sh $CATALINA_HOME/bin/startup.sh
;;
stop)
sh $CATALINA_HOME/bin/shutdown.sh
;;
restart)
sh $CATALINA_HOME/bin/shutdown.sh
sh $CATALINA_HOME/bin/startup.sh
;;
esac
exit 0


Save and exit.

Now provide the execute permission to this service.

[root@cluster1 opt]# chmod +x /etc/init.d/tomcat7

Now Make this service to be run after restarting the Linux box as well by doing chkconfig:

[root@cluster1 opt]# chkconfig tomcat7 on
[root@cluster1 opt]# chkconfig --list tomcat7
tomcat7         0:off   1:off   2:on    3:on    4:on    5:on    6:off

Now all is set and it is the time to start your tomcat service and verify the site.

[root@cluster1 opt]# /etc/init.d/tomcat7 start
Using CATALINA_BASE:   /opt/apache-tomcat-7.0.39
Using CATALINA_HOME:   /opt/apache-tomcat-7.0.39
Using CATALINA_TMPDIR: /opt/apache-tomcat-7.0.39/temp
Using JRE_HOME:        /opt/jdk1.6.0_39/
Using CLASSPATH:       /opt/apache-tomcat-7.0.39/bin/bootstrap.jar:/opt/apache-tomcat-7.0.39/bin/tomcat-juli.jar

Verify the service is running or not:

[root@cluster1 opt]# ps -ef | grep java
root      8873     1  8 07:05 pts/3    00:00:02 /opt/jdk1.6.0_39//bin/java -Djava.util.logging.config.file=/opt/apache-tomcat-7.0.39/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/opt/apache-tomcat-7.0.39/endorsed -classpath /opt/apache-tomcat-7.0.39/bin/bootstrap.jar:/opt/apache-tomcat-7.0.39/bin/tomcat-juli.jar -Dcatalina.base=/opt/apache-tomcat-7.0.39 -Dcatalina.home=/opt/apache-tomcat-7.0.39 -Djava.io.tmpdir=/opt/apache-tomcat-7.0.39/temp org.apache.catalina.startup.Bootstrap start


We can now access the Tomcat Manager page at:

http://yourdomain.com:8080 or http://yourIPaddress:8080 and we should see the Tomcat home page.


All the best.

Thursday, April 4, 2013

How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH)



This tutorial describes how to give users chrooted SSH and/or chrooted SFTP access on linux environment.
Using this setup, the users cannot see your whole system. Your users will be jailed in a specific directory which they will not be able to break out off.

If you want to setup an account on your system that will be used only to transfer files (and not to ssh to the system), you should setup SFTP Chroot Jail.

In a typical sftp scenario when chroot sftp is not setup, if you use sftp, you can see whole file system based on the permissions assigned to you.

If you want to give sftp access on your system to outside vendors to transfer files, you should not use standard sftp. Instead, you should setup Chroot SFTP Jail as explained below.

Non-Chroot SFTP Environment

In the following example (a typical sftp environment), user1 can sftp to the system, and view /etc folder and download the files from there:

# sftp user1@station1.example.com
user1@station1.example.com's password:
sftp> pwd
Remote working directory: /home/user1

sftp> ls
file1  abc.txt data 

sftp> cd /etc
sftp> ls -l passwd
-rw-r--r--    0 0        0            3750 Dec 29 23:09 passwd

sftp> get passwd
Fetching /etc/passwd to passwd
/etc/passwd     100% 2600     2.9KB/s   00:00

Chroot SFTP Environment

In the following example, user1 can sftp to the system, and view only the directory that you've designated for user1 to perform sftp (i.e /incoming).

When user1 tries to perform ‘cd /etc’, it will give an error message. Since SFTP is setup in an chroot environment, user1 cannot view any other files in the system.

# sftp user1@station1.example.com
user1@station1.example.com's password:
sftp> pwd
Remote working directory: /home/user1

sftp> ls
sftp> cd /etc
Couldn't canonicalise: No such file or directory

So I believe you all understood what is Chroot SFTP environment is, let us see how to configure this.

Creating a New Group

Create a group called sftpusers. Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.

# groupadd sftpusers

Create a new User or Modify an Existing User

Let us say you want to create an user user1 who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to perform SSH.

Now create a new user and give password as shown below:

# useradd -g sftpusers -d /incoming -s /sbin/nologin user1
# passwd user1

Verify that the user got created properly or not
# grep user1 /etc/passwd
user1:x:520:520::/incoming:/sbin/nologin

If you want to modify an existing user user2 and make him an sftp user only and put him in the chroot sftp jail, do the following:

# usermod -g sftpusers -d /incoming -s /sbin/nologin user2

Configure sftp-server

Modify the the /etc/ssh/sshd_config file and comment out the below line:

# vim /etc/ssh/sshd_config
#Subsystem       sftp    /usr/libexec/openssh/sftp-server

Next, add the following line to the /etc/ssh/sshd_config file
Subsystem       sftp    internal-sftp
Save and exit the file

Specify Chroot Directory for a Group

You want to put only certain users (i.e users who belongs to sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config

# tail /etc/ssh/sshd_config
Match Group sftpusers
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp

Match Group sftpusers – This indicates that the following lines will be matched only for users who belong to group sftpusers

ChrootDirectory /sftp/%u – This is the path that will be used for chroot after the user is authenticated. %u indicates the user. So, for user1, this will be /sftp/user1.

ForceCommand internal-sftp – This forces the execution of the internal-sftp and ignores any command that are mentioned in the ~/.ssh/rc file.

NOTE: The Match keyword is not supported in older versions (<5) on SSH so an upgrade of openssh will be necessary.

Create sftp Home Directory

Since we’ve specified /sftp as ChrootDirectory above, create this directory (which is equivalent of your  /home directory)

# mkdir /sftp
# mkdir /sftp/user1

So, /sftp/user1 is equivalent to / for the user1. When user1 sftp to the system, and performs “cd /”, they’ll be seeing only the content of the directories under “/sftp/user1” (and not the real / of the system). This is how the chroot works

So, under this directory /sftp/user1, create any sub directory that you like user to see. For example, create a incoming directory where users can sftp their files.

# mkdir /sftp/user1/incoming

Setup Appropriate Permissions

For chroot to work properly, you need to make sure appropriate permissions are setup properly on the directory you just created above.

Set the ownership to the user, and group to the sftpusers group as shown below.

# chown user1:sftpusers /sftp/user1/incoming

Now check the permissions of the directories as shown below:

# ls -ld /sftp/user1/incoming
drwxr-xr-x 2 user1 sftpusers 4096 Apr 04 18:31 /sftp/user1/incoming

# ls -ld /sftp/user1
drwxr-xr-x 3 root root 4096 Apr 04 18:31 /sftp/user1

# ls -ld /sftp
drwxr-xr-x 3 root root 4096 Apr 04 18:31 /sftp

Now restart sshd and check/test your Chroot SFTP configuration

# /etc/init.d/sshd restart

Now you can observe that when user1 does sftp, and does “cd /”, he can only see incoming directory.

# sftp user1@station1.example.com
user1@station1.example.com's password:

sftp> pwd
Remote working directory: /incoming

sftp> cd /
sftp> ls
incoming

When user1 transfers any files to the /incoming directory from the sftp, they’ll be really located under /sftp/user1/incoming directory on the system.

Good Luck..... :)