LinuxCBT EL-6 Edition Notes

November 14, 2016 | Author: shekhar785424 | Category: N/A

###Features of Red Hat Enterprise v6###
Features:
1. Current Release: 6
2. Based on 2.6.x kernel
3. Supports graphical and text-based installations
   a. Graphical installer is more feature-rich than text-based installer
4. Downloadable via: HTTP from redhat.com
   a. Available as trial and/or subscription
5. Installable from:
   a. Local media: CDs, DVDs (1-DVD ISO image), USB
   b. Network: HTTP, NFS, FTP
   c. PXE - Network Installation
6. Virtualization - KVM
7. EXT4 - Default FS for new installations
   a. Also works with: /boot due to GRUB support
8. Disk encryption, including root (/) file system
9. Platforms:
   a. x86 (32-bit)
   b. x86_64 (AMD64 & Intel64)
   c. IBM Power
   d. System z
System Requirements:
1. 1GHz P4 processor - preferably dual core or better
2. 1GB RAM - preferably 4GB or better
3. 3GB storage for minimum installation
4. 5GB storage for full installation
10. Compatibility support for older programs (compat* RPMs)
   Note: These are libraries to ensure the operation of older programs
   Note: This ensures that certified applications continue to run
11. Anaconda auto-formats disk with:
   a. '/boot'
   b. '/' - root
   c. '/home' (if >= 50GB of storage are available)
   d. 'swap'
12. Anaconda & running system use NetworkManager to auto-configure networking
   a. Uses DHCP by default
   b. Requires minimum intervention
13. Anaconda (installer) still supports absolute control over variables
   a. i.e. network settings may be specified during installation

###Prep Installation (HTTP) Server###
Features:
1. Easy access to ISO image contents
Tasks:
1. Mount ISO image in web-accessible directory on: 192.168.75.101/LinuxCBT/EL-6/Misc/RHEL6/
   Note: Boot ISO image may be downloaded from redhat.com or created from the DVD ISO image
2. Reboot server and supply the following boot string:
   a. Press 'Tab' to edit boot option
   b. 'linux repo=http://192.168.75.101/LinuxCBT/EL-6/Misc/RHEL6 resolution=800x600 ip=192.168.75.20 netmask=255.255.255.0 gateway=192.168.75.1 dns=192.168.75.101'

###Basic Linux Skills###
Features:
1. A number of key commands
Tasks:
1. 'tty' - reveals connected terminal
   a. '/dev/pts/0' - pseudo-terminal 1
   Note: Terminals are either real (console) or fake (pseudo)
   Note: SSH and GUI terminals are pseudo
   Note: Physical console terminals are real (tty?)
2. 'whoami' - reveals currently-logged-in user
3. 'w & who'
   a. 'who -a' - reveals ALL users and their processes
   b. 'w' - reveals currently-logged-in users and their processes, etc.
4. 'pwd' - prints working directory as a full path from '/', the root of the file system
5. 'cd' - changes directory
   a. 'cd ..' - moves one level up in the directory tree
   b. 'cd .' - current directory
   c. 'cd /' - moves using absolute path
   d. 'cd ~' - changes to currently-logged-in user's $HOME
   e. 'cd' with tab-completion - shortens navigation time
   Note: Use Tab-completion with BASH shell commands to shorten navigation time
6. 'ls' - lists directories/files
   a. 'ls' - lists current directory in short form
   b. 'ls -l' - lists "" in long form
   c. 'ls -l /' - lists '/' in long form
   d. 'ls -al' - lists current directory's entries including hidden items
   e. 'ls -l .Xauthority .ssh/' - lists multiple items
   f. 'ls -ltr' - sorts with most recent at the bottom
7. 'touch' - creates zero-byte file or updates timestamp on pre-existing file
8. 'echo' - echoes information to a default of STDOUT
   a. 'echo "This is a test"'
9. 'cat' - concatenates (brings together) content
   a. 'cat test.txt'
   Note: '$?' var contains the exit status of the most recently executed command
   b. 'cat test.txt test2.txt > test3.txt'
10. 'id' - returns: UID, GID, GROUPS, SELinux Context (if enabled)
11. 'mkdir' - creates new directories
   a. 'mkdir temp'
12. 'rm' - removes file(s)/directory(ies) - '-r' removes recursively
   a. 'rm -rf temp*'
   b. 'rm -rf temp[34]' - removes a range of items using a Regular Expression (RegEx) character class
13. 'which' - searches current $PATH for executable
   a. 'which cat' && 'which ls'
14. 'echo $PATH' - reveals the current $PATH
15. Redirection:
   a. '>' - OUTPUT - clobbers target file
   b. '>>' - APPEND - appends to target file if it exists and creates it if it doesn't
   Examples:
   a. 'cat < test.txt' - reads the file 'test.txt' as STDIN (Standard INPUT)
   Note: However, most commands will wait for keyboard input if no input file is specified, i.e.
   b. 'cat' - waits on STDIN for input
   Note: Use 'CTRL-D' to quit STDIN from keyboard
   Note: 'cat -' does the same as 'cat'
   b. 'cat test.txt > helloworld.txt' - redirects STDOUT (Standard OUTPUT) into the target file
   c. 'cat test.txt >> helloworld.txt' - "" but APPENDS to target file
16. Linux | UNIX Pipes - connect the output stream of command a to the input stream of command b
   a. 'cat /var/log/messages | less' - pipes output of 'cat...' into 'less'
   b. 'cat /var/log/messages | grep kernel | less' - parses '/var/log/messages' for keyword 'kernel' then pipes the output to 'less' to display one pageful at a time
   Note: When piping, STDIN becomes the content of the pipe
17. Command Chaining
   a. 'cat /var/log/messages | grep kernel | wc -l'
   b. 'rm -rf temp* ; ls -l' - runs both commands independently
   Note: Command Chaining is not dependent upon the exit status of the most-recently executed command
18. Command Dependency: AND (&&) / OR (||)
   a. 'rm -rf temp* || ls -l' - runs 'ls -l' only if 'rm -rf temp*' fails
   b. 'rm -rf temp* && ls -l' - runs 'ls -l' if and only if 'rm -rf temp*' succeeds
19. Command History - built-in command (BASH)
   a. 'history'
   Note: BASH maintains a number of variables per shell
   a. 'OLDPWD' - updated as you navigate the directory tree
   b. 'LOGNAME'
   c. 'SHELL' etc.
20. 'export' - exports vars
   a. 'export PATH=$PATH:/tmp' - appends '/tmp' to current shell's PATH
21. 'more' - similar to 'less'
22. 'cp' - copies data
   a. 'mkdir temp && cp -v test.txt temp/ && ls -l temp/'
23. 'mv' - moves data
   a. 'mv test.txt temp/ && ls -l . && ls -l temp/ && echo $?'
   Note: In scripts, prefix exit status with meaningful text, i.e. 'echo "EXIT STATUS: " $?'
   Note: BASH Shell allows simple navigation using:
   a. 'CTRL-a' - takes you to the beginning of the line
   b. 'CTRL-e' - takes you to the end of the line
   c. 'CTRL-b' - back one character
   d. 'CTRL-f' - forward one character
24. 'dmesg' - Kernel Ring Buffer - Pre-Syslog
   a. '/var/log/dmesg' - file copy of the 'dmesg' output
   Note: Also contains how the most recent invocation of the kernel took place (command-line)
   b. 'dmesg | grep -i 'command line'' - returns current kernel command line
25. 'head & tail' - return header and footer of text documents
   a. 'head /var/log/messages' - returns first 10 lines
   b. 'tail /var/log/messages' - returns last 10 lines
26. 'file' - returns the type of data stored in a file
27. 'ps' - lists processes
   a. 'ps' - lists processes for current user
28. 'top' - dynamic 'ps', 'free', 'uptime', 'vmstat'
29. 'free' - memory allocation - RAM & SWAP

30. 'uptime' - shows system uptime and load average
31. 'df' - shows disk allocation and mount points
   a. 'df -h' - human-readable format
   Note: '-h' often means human-readable for many commands
32. 'cat /proc/cpuinfo' - enumerates detected CPUs
   Note: '/proc' is a virtual (in-RAM) FS which houses system statistics
   Note: System utilities read from /proc to display values, i.e. 'free', 'top', etc.
33. 'uname' - enumerates kernel version
34. 'seq' - generates a sequence of numbers - useful with looping in the $SHELL

###Compression Utilities###
Features:
1. de/Compression of content
2. 'gzip/gunzip'
3. 'bzip2/bunzip2'
4. 'zip/unzip'
5. 'tar'
Tasks:
1. 'gzip'
   a. 'gzip -c 1million.txt' - redirects compressed file to STDOUT
   b. 'gzip -c 1million.txt > 1million.txt.gz' - redirects compressed output to file
   c. 'gzip -l 1million.txt.gz' - returns compression statistics
   d. 'zcat 1million.txt.gz' - dumps (catenates) the contents of 1million.txt.gz to STDOUT
   e. 'gunzip 1million.txt.gz' - overwrites, with permission, the original file
   f. 'gunzip -c 1million.txt.gz > 1million.txt2'
   Note: A typical compressed file online resembles: 'filename.tar.gz'
2. 'bzip2'
   a. 'bzip2 -c 1million.txt > 1million.txt.bz2'
   b. 'bunzip2 -c 1million.txt.bz2 > 1million.txt3' - redirects source
   c. 'bzcat 1million.txt.bz2' - dumps original content to STDOUT
3. 'zip & unzip'
   a. 'zip 1million.txt.zip 1million.txt'
   b. 'unzip 1million.txt.zip' - attempts to overwrite original file
   c. 'zcat 1million.txt.zip'
4. 'tar' - creates archives
   a. 'tar -cvf temp.tar temp/' - creates an archive without compression
   b. 'tar -tvf temp.tar' - enumerates contents of tarball
   c. 'tar -cvzf temp.tar.gz temp/' - creates Tar - Gzip image
   d. 'tar -cvjf temp.tar.bz2 temp/ temp2/' - creates Tar - Bzip2 image
   e. 'tar -xvf temp.tar.gz' - extracts files, recreating hierarchy
Note: 'du' - shows disk utilization for directory hierarchy
   a. 'du -ch' - returns storage of hierarchy from current directory, below
   b. 'du -chs' - returns total storage sans individual items

###Checksums###
Features:
1. Integrity checks on content (files)
2. Included tools:
   a. 'md5sum' - 128-bit
   b. 'sha1sum' - 160-bit
   c. 'sha256sum' - 256-bit
   d. 'sha512sum' - 512-bit
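The integrity-check workflow behind these tools (write a manifest of sums, verify it later, notice when a file changed) as an added example; this is not code from the LinuxCBT notes. It assumes GNU coreutils ('sha256sum', 'find', 'xargs', 'mktemp'), as on RHEL, and builds its sample files in a temporary directory so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the LinuxCBT notes): build a SHA-256 manifest for a
# directory, verify it with 'sha256sum -c', then show that modifying one file
# is caught. All files are constructed in a temporary directory.

# Create a scratch directory with three small constructed files; prints its path.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    printf 'release notes v1\n' > "$dir/README"
    seq 1 1000 > "$dir/1million.txt"              # stand-in for the notes' 1million.txt
    printf '#!/bin/sh\necho hello\n' > "$dir/install.sh"
    printf '%s\n' "$dir"
}

# Write a manifest of '<hash>  <file>' lines (the format 'sha256sum -c' reads)
# for every regular file below $1, paths relative to $1. Prints the manifest path.
write_manifest() {
    dir=$1; manifest=$1/SHA256SUMS
    ( cd "$dir" && find . -type f ! -name SHA256SUMS -print0 | sort -z | xargs -0 sha256sum ) > "$manifest"
    printf '%s\n' "$manifest"
}

# Verify the tree against its manifest: returns 0 when every file matches,
# non-zero (sha256sum's own status) when any file changed or is missing.
verify_manifest() {
    ( cd "$1" && sha256sum --quiet -c SHA256SUMS )
}

# Number of files sha256sum reports as FAILED (0 for an intact tree).
count_failed() {
    ( cd "$1" && sha256sum -c SHA256SUMS 2>/dev/null || true ) | grep -c ': FAILED' || true
}

# Demonstration run on constructed data: intact tree verifies, tampered tree fails.
demo_dir=$(make_sample_tree)
write_manifest "$demo_dir" >/dev/null
if verify_manifest "$demo_dir"; then
    echo "intact tree: all sums OK"
fi
printf 'X' >> "$demo_dir/1million.txt"          # one extra byte changes the digest
if ! verify_manifest "$demo_dir"; then
    echo "tampered tree: $(count_failed "$demo_dir") file(s) FAILED"
fi
rm -rf "$demo_dir"
```

The manifest is only as trustworthy as its storage: keep it (or its own signature) somewhere the content's writer cannot reach, otherwise whoever changes a file can regenerate the sums to match.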

Tasks:
1. 'md5sum'
   a. 'md5sum 1million.txt' - returns a string that is unique to its content
   b. 'md5sum 1million.txt2' - returns the same string because the contents are identical
   c. Alter content in various files and compare MD5SUMs
   Note: A single-bit difference will cause the checksum to vary
2. 'sha1sum'
   a. 'sha1sum 1million.txt'
   Note: Backticks are used to support shell-based command-substitution, i.e. 'rpm -qf `which sha1sum`' OR 'rpm -qf $(which sha1sum)'
   b. 'sha1sum 1million* > 1million.txt.sha1sums'
   c. 'sha1sum -c 1million.txt.sha1sums' - confirms SHA1SUMs wholesale
3. 'sha256sum' - 256-bit
   a. 'sha256sum 1million* > 1million.txt.sha256sums'
   b. 'sha256sum --quiet -c 1million.txt.sha256sums' - quietly checks ALL sums
   Note: Returns an error if 1 or more fail
4. 'sha512sum' - 512-bit
   a. 'sha512sum 1million* > 1million.txt.sha512sums'
   Note: If a file changes during checksum calculation, then its checksum will be incorrect, resulting in confirmation failures

###GREP###
Features:
1. Processes lines using regular expressions (normal and metacharacters)
2. Returns entire lines when keyword is matched
3. Searches are case-sensitive, by default (use '-i' to enable case-insensitivity)
4. Shares regular expressions with: Awk & Sed
Tasks:
1. Create file with content
2. Perform queries
   a. 'grep "Linux" grep.test.txt' - returns ALL matches for the case: 'Linux'
   b. 'grep -i "linux" grep.test.txt' - returns ALL cases of the word: 'linux'
   c. 'grep "2" grep.test.txt' - returns ALL lines containing the number 2
3. Metacharacters
   a. 'grep "2011$" grep.test.txt' - returns lines that terminate with: '2011'
   Note: '$' means to search for content @ the end of the line
   b. 'grep "^Linux" grep.test.txt' - returns lines beginning with: 'Linux' - case-sensitive
   c. 'grep -i "^Linux" grep.test.txt' - returns lines beginning with: 'Linux' - case-insensitive
   Note: '^' & '$' are anchor tags
   d. 'grep "L.*" grep.test.txt' - searches for 'L' followed by any characters
   e. 'grep '^L.*' grep.test.txt' - searches for 'L' where it begins the line, etc.
   Note: '.*' means 0 or more matches of any character
   f. 'grep -i '^L.*CBT$' grep.test.txt' - searches where 'L' begins the line and 'CBT' ends the line
   g. 'grep -i '^L.*CBT $' grep.test.txt' - searches where 'L' begins the line and 'CBT ' (with a trailing space) ends the line
   h. 'grep -i '^L.*CBT.* $' grep.test.txt' - searches where 'L' begins the line and ' ' ends the line, with variations between
   i. 'grep -i '[Red|2011]' grep.test.txt' - uses character classes
   Note: Inside '[...]' the '|' is a literal character, so this class matches any one of: R, e, d, |, 2, 0, 1 (it is not an alternation of 'Red' and '2011')
4. Parse system log
   a. 'grep -i '^Jan 9' /var/log/messages-20110109'
   b. 'grep -i '^Jan 7' /var/log/messages-20110109 | grep -i 'kernel''
   c. 'grep -i '^Jan [89]' /var/log/messages-20110109 | grep -i 'kernel'' - searches for both: 'Jan 8' and 'Jan 9'
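The log-parsing pattern from task 4 (anchor on the date, filter by keyword, count) applied to a constructed '/var/log/messages' excerpt, as an added example that is not part of the LinuxCBT notes. Hosts, dates, addresses and message text are made up; the functions take the log text as an argument so they run offline, and they use awk only as the aggregation step.

```shell
#!/bin/sh
# Added example (not from the LinuxCBT notes): grep-based triage of a syslog
# excerpt. The lines below are constructed for illustration.
SAMPLE_LOG='Jan  7 08:15:02 linuxcbtserv2 kernel: EXT4-fs (sda1): mounted filesystem with ordered data mode
Jan  7 08:15:03 linuxcbtserv2 sshd[1120]: Server listening on 0.0.0.0 port 22.
Jan  8 09:01:44 linuxcbtserv2 kernel: usb 1-1: new high speed USB device
Jan  8 09:02:10 linuxcbtserv2 sshd[2210]: Failed password for invalid user test from 192.0.2.44 port 51022 ssh2
Jan  8 09:02:15 linuxcbtserv2 sshd[2210]: Failed password for invalid user test from 192.0.2.44 port 51022 ssh2
Jan  9 02:30:00 linuxcbtserv2 kernel: sd 2:0:0:0: [sdb] Attached SCSI disk
Jan  9 02:31:12 linuxcbtserv2 sshd[3301]: Accepted publickey for linuxcbt from 192.168.75.10 port 40022 ssh2
Jan 10 11:00:00 linuxcbtserv2 kernel: md: md0 stopped.'

# Lines for one day, or a bracketed range of days, of a month: the notes'
# grep -i '^Jan [89]' made tolerant of syslog's day padding ("Jan  8" vs "Jan 10").
# $1 = month, $2 = day expression (e.g. 8 or '[89]'), $3 = log text.
lines_for_day() {
    printf '%s\n' "$3" | grep -E "^$1 +$2 " || true
}

# Second-stage filter: kernel messages only, for the same day selection.
kernel_lines_for_day() {
    lines_for_day "$@" | grep -i 'kernel:' || true
}

# Count failed SSH logins per source address for a day selection. grep picks the
# lines; awk (the field processor) pulls the address that follows the word "from".
failed_ssh_by_source() {
    lines_for_day "$@" | grep 'sshd\[[0-9]*\]: Failed password' | awk '{
        for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
    } END { for (ip in count) print ip, count[ip] }' | sort
}

# Demonstration run on the constructed log
echo "== kernel lines, Jan 8-9 =="
kernel_lines_for_day Jan '[89]' "$SAMPLE_LOG"
echo "== failed SSH logins by source, Jan 8 =="
failed_ssh_by_source Jan 8 "$SAMPLE_LOG"
```

On a real host pass "$(cat /var/log/messages-20110109)" instead of the sample text; the anchors do the work of keeping the match to the date column rather than anywhere a digit appears in the message body.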

###Awk###
Features:
1. Field Processor
2. Supports grep-style (POSIX) regular expressions
3. Default field-delimiter is whitespace
4. Stores fields (columns) into tokens, which then become accessible during processing
5. Loops over input one line at a time
6. Will accept input from: file or STDIN or pipe
Tasks:
1. awk '{ print $0 }' grep.test.txt - prints each line in its entirety
2. awk '{ print $1 }' grep.test.txt - prints column #1 from each line
3. awk '{ print $2 }' grep.test.txt - prints column #2 from each line
4. awk '{ print $2,$1 }' grep.test.txt - prints column #2 then #1
5. awk '/Red/ { print $0 }' grep.test.txt - prints ALL columns where the line includes 'Red'
6. awk '/Red/ { print $1,"-",$2,"-",$3 }' grep.test.txt - prints ALL columns, with transformations, where the line includes 'Red'
7. awk '{ if ($2 ~ /2011/) print $0 }' grep.test.txt - prints ALL columns of records containing '2011' in the second column
8. awk '/2011$/ { print $0 }' grep.test.txt - prints lines ending in: '2011'
9. awk '/2011$/ { print $0 }' - waits on STDIN for input
10. grep 2011 /var/log/messages | awk '/2011$/ { print $0 }' - accepts a pipe
11. awk '{ if ($2 ~ /9/) print $3,$4,$5,$6 }' /var/log/messages - prints columns $3-$6 where column 2 matches '9'

###Sed (Stream Editor)###
Features:
1. Stream Editing
2. Manipulate text at any point
3. Instructions may be specified on the command line or via file
4. Supports POSIX Regular Expressions (Grep & Awk)
Tasks:
1. 'sed -n '1p' grep.test.txt' - prints the first line of the file
2. 'sed -n '2p' grep.test.txt' - prints the second line ...
3. 'sed -n '$p' grep.test.txt' - prints the last line ...
4. 'sed -n 4,13p grep.test.txt' - prints lines 4 - 13 ...
5. 'sed -n '1!p' grep.test.txt' - prints ALL but line 1
6. 'sed -n '1,3!p' grep.test.txt' - prints ALL but lines 1-3
7. 'sed -n -e '/2011/p' grep.test.txt' - prints lines containing '2011'
8. 'sed -n -e '/2011$/p' grep.test.txt' - prints lines ending with '2011'
9. 'sed -n -e '/^2011/p' grep.test.txt' - prints lines beginning with '2011'
10. 'sed -n -e '/^2011$/p' grep.test.txt' - prints lines starting & ending with '2011'
11. 'sed -n -e '/[0-9]/p' grep.test.txt' - prints lines containing numbers
12. 'sed -n -e '/^[0-9][0-9][0-9][0-9]$/p' grep.test.txt' - prints lines containing 4 juxtaposed numbers
13. 'sed -n -e '/^[0-9]\{4\}$/p' grep.test.txt' - returns lines containing 4 juxtaposed numbers that begin and end the line
14. 'sed -n -e '/^Red/,/Linux/p' grep.test.txt' - extracts a range of lines from string '^Red' to 'Linux'
15. 'sed -n -e '/^Red/,+2p' grep.test.txt' - extracts the line with 'Red' and the 2 lines after it
16. 'sed -e '/^$/d' grep.test.txt' - deletes blank lines
17. 'sed -e '/^$/d' grep.test.txt > grep.test.txt2' - deletes blank lines and saves results
18. 'sed -i.bak -e '/^$/d' grep.test.txt' - deletes blank lines in-place and archives the original (source) file
19. 'sed -n -e 's/2010/2011/p' grep.test.txt'
   Note: '-n' suppresses non-matching lines

###Perl###
Features:
1. All-purpose scripting environment
Tasks:
1. Exploring Perl Environment
   a. 'perl -e 'print "Hello World\n";'' - prints 'Hello World' to STDOUT
   b. 'perl -e 'print "Hello World\n";' -e 'print "Learning about the magic of Perl\n";' -w'
   c. 'perl -e '$fname = "Deano"; $lname = "Davis"; print "$fname $lname\n";' -w'
2. Write simple script
   Note: All scripts should include a shebang header, i.e. '#!/path/to/script_engine'
   a. create simple script
   b. check for errors - 'perl -c name_of_script'
   c. flag script executable: 'chmod +x perl_script_1.pl'

###User & Group Management###
Features:
1. GUI
2. TUI - Text User Interface tools
Tasks:
1. 'system-config-users' - create additional users and evaluate
   Note: If a user's $SHELL is set to '/sbin/nologin', the user will not be able to obtain a shell, nor will 'root' be able to 'su' to that user, i.e. 'adm', 'daemon', 'bin', etc.
   Note: System accounts typically are present in the process listing sans TTY because they do not need a $SHELL
   Note: Regular users who are defined with '/sbin/nologin' as their $SHELL may not access the system via a $SHELL, i.e. via 'SSH' or 'Telnet'; however, they may access the system via an appropriate daemon, i.e. 'FTPD'
   Note: Defaults are assigned to new accounts, including, but not limited to:
   1. $SHELL = /bin/bash
   2. $HOME = /home/$USER
2. $SHELL Tools
   a. 'groupadd linuxcbt4'
   b. 'useradd -d /home/linuxcbt4 -s /bin/bash -g linuxcbt4 linuxcbt4'

   c. 'passwd linuxcbt4'
   Note: Account information, by default, is stored in:
   a. '/etc/passwd' - general account data: username, uid, gid, $HOME, $SHELL, reference to shadow
   b. '/etc/shadow' - password and policy data
   Sample '/etc/shadow' entry:
   linuxcbt:$CqvB.$o4lwrI5pS2Ovh6IgyA9w3FDwGi9wJjEXYcbot6o5NsjahpEQK5GzHz8ccj7pX3rnPq2ozE7fwQEchJmEZB8T8/:14981:0:99999:7:::
   d. '/etc/shadow' fields:
   d1. login name
   d2. encrypted password
   d3. Days since Unix epoch that the password was last changed
   d4. Days before the password may be changed
   d5. Days after which the password must be changed
   d6. Days before password expiry that the user is warned
   d7. Days after password expiry that the account is disabled
   d8. Days since Unix epoch that the account is disabled
   d9. Reserved
   Note: 'usermod' - basic /etc/passwd changes
   Note: 'chage' - /etc/shadow policy changes
3. Use 'chage' to alter account policy for users
   a. 'chage -M 10 linuxcbt4 && chage -l linuxcbt4'
   b. 'chage -M 3 -m 1 linuxcbt3 && chage -l linuxcbt3'
4. Explore '/etc/login.defs'
   a. Contains account policy settings
   b. Modify defaults to company policy
5. Test policy changes by creating a new account
   a. 'groupadd linuxcbt5 && useradd -g linuxcbt5 -d /home/linuxcbt5 -s /bin/bash linuxcbt5 && chage -l linuxcbt5'
6. 'userdel'
   a. 'userdel -r linuxcbt5' - removes user, group, $HOME, $MAIL traces

###File Types - Permissions###
Features:
1. Classification of files
2. Permissions
Tasks:
1. Classification of files
   a. Use 'ls -l' to expose file properties
   '-rw-rw-r--. 1 linuxcbt linuxcbt 6888896 Jan 7 16:46 1million.txt'
   '-' -> standard file
   'drwxr-xr-x. 2 linuxcbt linuxcbt 4096 Jan 7 11:14 Desktop'
   'd' -> directory
   Note: RHEL6 uses color templates for classifying files:
   'black' -> standard file
   'blue' -> directory
   'red' -> compressed file
   'green' -> executable
   Note: The color pattern is subject to change, so don't always rely upon it
   'crw-------. 1 root root 4, 1 Jan 7 11:31 tty1'
   'c' -> character device
   'lrwxrwxrwx. 1 root root 15 Jan 7 11:03 stdin -> /proc/self/fd/0'
   'l' -> symbolic link
   'brw-rw----. 1 root disk 8, 0 Jan 7 11:03 sda'
   'b' -> block (storage) device, i.e. hard drive, USB stick, etc.
2. Permissions
   a. Represented by the 9 rightmost characters of the 10-character mode block
   '-rw-rw-r--. 1 linuxcbt linuxcbt 6888896 Jan 7 16:46 1million.txt'
   'rw-' - owner bits - positions 2,3,4 = 4+2 = 6
   'rw-' - group owner bits - positions 5,6,7 = 4+2 = 6
   'r--' - other/everyone bits - positions 8,9,10 = 4+0 = 4
   Permissions Values:
   'r' = 4 = read
   'w' = 2 = write
   'x' = 1 = execute
   b. Use 'chmod' to influence permissions on file objects - it changes the octal mode
   c. Default permissions are derived from the $UMASK var
   d. 'chmod 666 /tmp/1million.txt'
   e. 'chmod u-w /tmp/1million.txt' - removes owner's ability to write to the content
   f. 'chmod o-w /tmp/1million.txt' - removes other/everyone's ability to write to the content
   g. 'chmod g-w /tmp/1million.txt' - removes group's ability to write to the content
   'drwxrwxr-x. 2 linuxcbt linuxcbt 4096 Jan 7 17:23 temp'
   Default directory permissions is octal: 775
   h. 'chown linuxcbt /tmp/1million.txt && ls -l /tmp/1million.txt'
   i. 'chmod o-r /tmp/1million.txt && stat /tmp/1million.txt'
   j. 'chmod 600 /tmp/1million.txt && stat /tmp/1million.txt'
   k. 'chown linuxcbt:linuxcbt /tmp/1million.txt && stat /tmp/1million.txt'
   l. 'chgrp linuxcbt /tmp/1million.txt && stat /tmp/1million.txt'
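The bit arithmetic of item 2 (r=4, w=2, x=1 per triplet) carried through in code, as an added example that is not part of the LinuxCBT notes: it turns the mode string 'ls -l' prints into the octal value 'chmod' takes, including the leading digit for SETUID (4), SETGID (2) and the sticky bit (1), and sorts modes into the buckets a file-system audit looks at first. The sample mode strings are taken from the listings above; the classification names are this example's own.

```shell
#!/bin/sh
# Added example (not from the LinuxCBT notes): symbolic mode -> octal mode,
# plus a simple audit classification. POSIX sh; 'cut' does the character slicing.

ch() { printf '%s' "$1" | cut -c"$2"; }   # character $2 (1-based) of string $1

# Value of one r/w/x triplet, e.g. "rw-" -> 6. 's' or 't' in the execute slot
# means execute is set too (uppercase 'S'/'T' means the special bit without execute).
triplet_value() {
    t=$1; v=0
    [ "$(ch "$t" 1)" = r ] && v=$((v + 4))
    [ "$(ch "$t" 2)" = w ] && v=$((v + 2))
    case "$(ch "$t" 3)" in x|s|t) v=$((v + 1)) ;; esac
    echo "$v"
}

# Leading digit from the 9-character string: SETUID = 4, SETGID = 2, sticky = 1
# (so the 'rwxrwxrwt' of /tmp is 1777).
special_value() {
    m=$1; v=0
    case "$(ch "$m" 3)" in s|S) v=$((v + 4)) ;; esac
    case "$(ch "$m" 6)" in s|S) v=$((v + 2)) ;; esac
    case "$(ch "$m" 9)" in t|T) v=$((v + 1)) ;; esac
    echo "$v"
}

# mode_to_octal "-rwsr-xr-x" -> 4755. Accepts the 10-character 'ls -l' form
# (type character first, the SELinux '.' suffix optional) or the bare 9-character form.
mode_to_octal() {
    m=${1%.}                                               # drop RHEL6's SELinux-context '.'
    [ ${#m} -eq 10 ] && m=$(printf '%s' "$m" | cut -c2-)  # drop the file-type character
    [ ${#m} -eq 9 ] || { echo "bad mode: $1" >&2; return 1; }
    u=$(printf '%s' "$m" | cut -c1-3)
    g=$(printf '%s' "$m" | cut -c4-6)
    o=$(printf '%s' "$m" | cut -c7-9)
    printf '%d%d%d%d\n' "$(special_value "$m")" "$(triplet_value "$u")" \
        "$(triplet_value "$g")" "$(triplet_value "$o")"
}

# Audit bucket for a mode: "setuid", "setgid", "world-writable" (writable by
# everyone and not sticky) or "ok". These are the modes a reviewer checks first.
classify_ls_line() {
    octal=$(mode_to_octal "$1") || return 1
    special=$(ch "$octal" 1); other=$(ch "$octal" 4)
    if   [ $((special & 4)) -ne 0 ]; then echo setuid
    elif [ $((special & 2)) -ne 0 ]; then echo setgid
    elif [ $((other & 2)) -ne 0 ] && [ $((special & 1)) -eq 0 ]; then echo world-writable
    else echo ok
    fi
}

# Demonstration on the mode strings seen in the listings above plus two special cases
for sample in '-rw-rw-r--.' 'drwxrwxr-x.' '-rwsr-xr-x' 'drwxrwsr-x' 'drwxrwxrwt' '-rw-rw-rw-'; do
    printf '%-12s %s  %s\n' "$sample" "$(mode_to_octal "$sample")" "$(classify_ls_line "$sample")"
done
```

The four-digit form is what 'stat' reports and what 'chmod 4755' or 'chmod 2775' in the SETUID/SETGID tasks set; 'chmod 755' is the same as 'chmod 0755', which clears any special bit that was set.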

3. SETUID/SETGID/STICKY Bit
   a. 'chmod 4755 perl_script_1.pl' - causes the script to always run as its user/owner
   Note: permission will reflect '4755' with 'rws'
   Note: The 's' replaces the 'x' for the owner to indicate SETUID
   b. 'mkdir /projectx && chmod 2755 /projectx' - causes files created in the directory to inherit its group ownership
   b1. 'chmod g=s /projectx'
   b2. 'groupadd projectx'
   b3. 'chown linuxcbt:projectx /projectx'
   b4. 'chmod 2775 /projectx && stat /projectx'
   c. '/tmp' -> example of sticky bit - leading value of '3' (SETGID '2' + sticky '1')
   c1. 'chmod 3777 /tmp' || 'chmod +t /tmp' - sets sticky bit on object

###Symbolic Links###
Features:
1. Two types
   a. 'symlinks' - soft - facilitate intra/inter-file-system links
   a1. based on file names in the file system, NOT inodes
   b. 'hard links' - hard - facilitate intra-file-system links
   b1. based on inodes, NOT file names
Tasks:
1. Symlinks - shortcuts
   a. 'ln -s /tmp/1million.txt ./tmp.1million.txt'
   'lrwxrwxrwx. 1 linuxcbt linuxcbt 17 Jan 11 11:56 tmp.1million.txt -> /tmp/1million.txt'
   Creates a link to the actual file name
   Note: Soft-links do NOT increment the link counter returned by 'ls -l' || 'stat'
   Note: So long as the source file name and directory location remain unchanged, the soft-links will work
2. Hardlinks - shortcuts to inodes - may not span (go across) file systems
   a. 'ln /tmp/1million.txt /projects/hard.1million.txt' - increments the link counter
   b. 'ls -li filename' - reveals inode
   Note: permissions apply to ALL linked (hard & soft) files

###Quota Implementation###
Features:
1. Limit storage consumption per user/group
2. Based on: disk block usage or inode usage
3. Imposed in 2 stages (thresholds): soft & hard
   a. Soft limit: may be exceeded for up to the grace period
   b. Hard limit: may never be exceeded under any circumstance
Requires:
1. 'quota*' RPM
2. Must associate file system(s) with quota management: user and/or group
Steps:
1. Enable in '/etc/fstab'
   a. 'defaults,usrquota,grpquota' - impose on: '/home'
2. Remount the file system: '/home'
   Note: Effect quota management during single-user / installation modes to avoid disconnects in service
   a. 'mount -o remount /home' - remounts the file system
   Note: Optional methods of remounting the file system include: umount/mount OR reboot the system
   b. 'mount' - reflects whether or not the 'usrquota', 'grpquota' options have been enabled
3. Create quota database files and generate disk usage table - defines baseline
   a. 'quotacheck -cug /home' - applies user and group quotas
   Note: 'quotacheck' should be run in single-user mode OR when the system reboots, to facilitate a read-only remount of the target file system
   b. Use the '-m' option to override
4. Check defined quota database:
   a. 'quotacheck -amvug' - checks quotas - forces check
5. Assign quota policies per user and/or group:
   a. 'edquota linuxcbt4' - uses default editor ($EDITOR)
6. Run 'quotacheck -avugm' to update stats
7. Run 'repquota /home' to show FS-wide usage report
8. Use 'edquota -t' to modify grace period
   a. 'edquota -T linuxcbt4'

9. Use 'quotaon ...' to enter production mode
   a. 'quotaon -vug /home' - enters production mode
   b. 'quotaon -p /home' - echoes current quota status
   Note: Default grace period is 7 days
10. Attempt to write data beyond the soft limit grace period

###Provision Partitions & File Systems###
Features:
1. Ability to provision additional storage
Tools:
1. 'fdisk'
2. 'parted'
3. 'mke2fs' - ext2, ext3, ext4 FSs
Storage Hierarchy:
   Disk
    - Partition(s)
      - File System(s)
Tasks:
1. Enumerate available storage:
   a. 'fdisk -l' - enumerates disks and partitions
   b. 'parted -l' - ""
2. Provision additional storage:
   a. Select disk: /dev/sdb
   b. 'parted /dev/sdb'
   c. 'mkpart primary 1 10GB'
   d. 'mke2fs -t ext4 -j /dev/sdb1' - overlays EXT4 FS on: /dev/sdb1
   e. 'mkdir /temp10G1'
   f. 'mount /dev/sdb1 /temp10G1 && mount'
   g. Create content in new repository
3. Repeat process on the same disk
4. Make partitions available across reboots:
   a. '/etc/fstab'
5. Unmount both partitions and re-mount via '/etc/fstab'
   a. 'umount /temp10G1 && umount /temp10G2 && mount'
   b. 'mount -a' - reads the contents of '/etc/fstab'
   Note: Partitioning is typically handled during installation and/or within runlevel 1

###Provision Swap Space###
Features:
1. Generates additional virtual memory
2. Temporary fix for RAM shortage. Permanent fix is to add more RAM.
3. Requires no system downtime
4. Works with dedicated partitions
5. Works with existing file systems
6. Works across disks, consequently improving performance
Tasks:
1. Define swap partition and provision
   a. 'fdisk /dev/sdb' - create partition and set to type '82' with the 't' option
   b. 'mkswap /dev/sdb3' - i.e. similar to 'mke2fs'
   Note: If necessary, reboot the system after using 'fdisk' or 'parted' to provision the new swap partition
   c. 'swapon -s' - displays current swap devices
   d. 'swapon -v /dev/sdb3' - enables swapping on a specific device
   e. 'swapoff /dev/sdb3' - disables swapping on a specific device: /dev/sdb3
2. Define swap storage on existing file system
   a. 'dd if=/dev/zero of=/swapfile1G bs=1024 count=1048576' - generates a 1G file that we can overlay a swap file system on
   b. 'mkswap /swapfile1G'
   c. 'swapon -v /swapfile1G'

###Logical Volume Management (LVM)###
Features:
1. Volume sets - aggregate storage from disparate sources
2. Resize storage on-the-fly
3. Provision storage as necessary
Tasks:
1. LVM Storage Hierarchy
   Logical Volume - configure file system at this level
    - Volume Groups - represent one or more physical volumes
      - Physical Volumes (i.e. /dev/sdb4, /dev/sdc3, etc.) - partition, using fdisk or parted: LVM type (8e)
2. Create LVM Storage Hierarchy - 6 Steps
   a. Create LVM partitions on available disks
   a1. 'parted /dev/sdb'
   a2. 'mkpart primary start end'
   a3. 'set partition_num lvm on'
   a4. 'reboot'
   b. 'pvcreate /dev/sdb4 /dev/sdc3' - creates physical LVM volumes from partitions
   b1. 'pvdisplay'
   c. 'vgcreate volgroupvar /dev/sdb4 /dev/sdc3' - allocates both volumes to the volume group
   d. 'lvcreate -L 5GB -n logvolvar volgroupvar'
   e. 'mke2fs -t ext4 -j /dev/volgroupvar/logvolvar' - overlays EXT4 FS on the LVM volume
   f. 'mkdir /lvmvar1 && mount /dev/volgroupvar/logvolvar /lvmvar1'
   g. Update '/etc/fstab' for persistence
3. Resize LVMs
   a. 'lvresize -L 6GB /dev/volgroupvar/logvolvar'
   b. 'resize2fs /dev/volgroupvar/logvolvar 6G'
   c. 'lvresize -L 4GB /dev/volgroupvar/logvolvar'
   d. 'resize2fs /dev/volgroupvar/logvolvar 4G'
   Note: Reductions will likely return errors, resulting in re-provisioning of the FS
4. Rename Logical Volume
   a. 'lvrename volgroupvar logvolvar logvolopt' - renames the volume, NOT the volume group
   b. 'lvresize -L 6GB /dev/volgroupvar/logvolopt' - restores to 6GB
5. Rename Volume Group
   a. 'vgrename volgroupvar volgroupopt' - renames the volume group
   b. Update '/etc/fstab' to reflect the volume group name change
6. Assign more partitions (storage) to LVM
   a. 'parted /dev/sdc'
   b. 'mkpart primary 16.1GB 26.1GB'
   c. 'set 4 lvm on'
   d. 'pvcreate /dev/sdc4' - assigns the LVM partition to LVM management
   e. 'vgextend volgroupopt /dev/sdc4' - extends volume group 'volgroupopt'
   f. 'lvresize -L 15GB /dev/volgroupopt/logvolopt' - online resize
   g. 'resize2fs /dev/volgroupopt/logvolopt 15G' - online resize
7. LVM GUI
   a. 'system-config-lvm'
   b. 'ssh -X [email protected]' - redirects the X.org session back to the local GUI
   c. Extend storage of '/dev/volgroupopt/logvolopt' to 16GB
   Note: GUI will send the appropriate commands to the system to:
   a. Resize logical volume (logvolopt)
   b. Resize EXT4 FS to the appropriate size
8. Recreate LVM hierarchy
   a. Unmount any partitions tied to '/dev/sd[bc]'
   b. 'parted /dev/sdb' - remove partitions & create new LVM partitions
   c. 'init 6' - reboot
   d. Use 'system-config-lvm' to create a volume group from '/dev/sdb1' & '/dev/sdc1'
   e. Create logical volume 'logvolopt'
   f. Mount at '/opt'

###RAID###
Features:
1. Data spread across 2 or more disks/partitions
2. Redundancy - recover from catastrophe
3. Levels: 0,1,4,5,6,10
Tasks:
1. RAID0 - volume set creation, i.e. LVM
   a. Create multiple partitions: /dev/sd[bc][5-8] - of type '83' || 'linux'
   b. 'init 6' - reboot
   c. 'mdadm --create /dev/md0 --level=0 --raid-devices=2 /dev/sdb5 /dev/sdc5'
   d. 'mke2fs -t ext4 -j /dev/md0'
   e. 'mkdir /raid0 && mount /dev/md0 /raid0'
   f. 'nano /etc/fstab'
2. RAID1 - mirroring - halves the storage
   a. 'mdadm --create /dev/md1 --level=1 --raid-devices=2 /dev/sdb6 /dev/sdc6'
   b. 'mke2fs -t ext4 -j /dev/md1'
   c. 'mkdir /raid1 && mount /dev/md1 /raid1'
3. RAID5 - striping with parity - sacrifices the equivalent of 1 drive (partition)
   a. 'mdadm --create /dev/md2 --level=5 --raid-devices=4 /dev/sdb7 /dev/sdb8 /dev/sdc7 /dev/sdc8'
   b. 'mke2fs -t ext4 -j /dev/md2'
   c. 'mkdir /raid5 && mount /dev/md2 /raid5 && seq 1000000 > /raid5/1million.txt && ls -l /raid5'
   d. 'nano /etc/fstab'
   e. Test auto-mount during system initialization
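Every storage section above ends with an '/etc/fstab' edit (quota options on '/home', the new partitions, the swap file, the renamed volume group, the RAID arrays). The following is an added example, not code from the LinuxCBT notes, that checks such a file before the reboot that would reveal a mistake: which mount points carry quota options, and whether a given device or mount point has an entry at all. The fstab text is constructed here with the device names the notes use (the RAID1 array is deliberately left out, so the check for it fails); on a real system pass "$(cat /etc/fstab)" instead.

```shell
#!/bin/sh
# Added example (not from the LinuxCBT notes): s
# The sample is constructed; device names follow the notes' examples.
SAMPLE_FSTAB='# /etc/fstab (constructed sample)
/dev/mapper/vg_root-lv_root /                       ext4    defaults        1 1
UUID=1c2d3e4f-0000-4000-8000-000000000001 /boot     ext4    defaults        1 2
/dev/mapper/vg_root-lv_home /home                   ext4    defaults,usrquota,grpquota 1 2
/dev/sdb1               /temp10G1               ext4    defaults        1 2
/dev/volgroupopt/logvolopt /opt                    ext4    defaults        1 2
/dev/md0                /raid0                  ext4    defaults        1 2
/dev/md2                /raid5                  ext4    defaults,nosuid,nodev 1 2
/dev/sdb3               swap                    swap    defaults        0 0
/swapfile1G             swap                    swap    defaults        0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0'

# "mountpoint options" for every non-comment entry with at least 4 fields
# (awk splits on whitespace, so the column alignment does not matter).
fstab_entries() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*#/ && NF >= 4 { print $2, $4 }'
}

# Mount points whose option list enables user and/or group quotas
# (the 'usrquota,grpquota' of the quota section). Options are comma-separated,
# so the match is anchored to a whole option, not a substring.
quota_mounts() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*#/ && NF >= 4 && $4 ~ /(^|,)(usrquota|grpquota)(,|$)/ { print $2 }'
}

# Swap entries (partitions and files) that 'swapon -a' would activate at boot.
swap_entries() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*#/ && NF >= 3 && $3 == "swap" { print $1 }'
}

# Returns 0 if $2 (a device or a mount point) has an entry in fstab text $1,
# 1 otherwise. Run it after each mke2fs/mkswap/mdadm step, before relying on a reboot.
fstab_has() {
    printf '%s\n' "$1" | awk -v want="$2" \
        '!/^[[:space:]]*#/ && ($1 == want || $2 == want) { found = 1 } END { exit !found }'
}

# Demonstration run on the constructed sample
echo "== quota-enabled mount points =="; quota_mounts "$SAMPLE_FSTAB"
echo "== swap entries =="; swap_entries "$SAMPLE_FSTAB"
for want in /dev/md0 /dev/md1 /dev/md2 /opt; do
    if fstab_has "$SAMPLE_FSTAB" "$want"; then echo "$want: persistent"
    else echo "$want: NOT in fstab (will not mount at boot)"; fi
done
```

'mount -a' from step 5 of the partition tasks exercises the same file immediately, which is the practical test; the functions above are for reading a proposed fstab before it is installed.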

###RAID Management### Features: 1. Create 2. Assemble: assembles pre-existing array(s) 3. Manage: Use to fail devices to take them offline 4. Monitor: E-mail, run processes, etc. 5. Misc: '--query', '--detail', '--examine'(individual RAID components' Tasks: 1. 'cat /proc/mdstat' - enumerates currently-available RAID-arrays (sets) 2. 'mdadm --query /dev/md[0-2]' - returns information about the 3 arrays: 0-2 3. Publish RAID array as a read-only volume a. 'umount /dev/md0' - unmounts the RAID array b. 'mdadm -o /dev/md0' - flags, in the superblock, the array: /dev/md0 as Read -Only c. 'mount /dev/md0 /raid0' d. 'mount' 4. Publish RAID array as a read-write volume a. 'umount /dev/md0' - unmounts the RAID array b. 'mdadm -w /dev/md0' - flags, in the superblock, the array: /dev/md0 as Read -Write c. 'mount /dev/md0 /raid0' d. 'mount' 5. Stop RAID volume for management purposes a. 'mdadm --manage --stop /dev/md0' - facilitates offline management Note: Stopping/deactivating the array will remove its '/dev/md?' entry Note: There are multiple ways to reassemble RAID arrays: 1. command-line: 'mdadm -A /dev/md0 /dev/sdb5 /dev/sdc5' - restarts (reassemble s) '/dev/md0' from its component parts 2. '/etc/mdadm.conf' - associates DEVICES & ARRAYS and management/notification info. a. 'DEVICE /dev/sdb[5678] /dev/sdc[5678]' b. 'ARRAY /dev/md0 devices=/dev/sdb5,/dev/sdc5' 6. Other options: a. 'mdadm -D /dev/md[0-2] - enumerates info. about ARRAYS b. 'mdadm -E /dev/sd[bc][78] - enumerates info. about the 4 partions on the 2 drives: /dev/sd[bc] ###Package Management with RPM### Features: 1. Compression of packages 2. SHA-256 hashes are used to sign packages 3. RPM DB: '/var/lib/rpm' - tracks installed packages, attributes of package fi les, etc. 4. 5-Modes of operations: a. Install b. Uninstall c. Upgrade d. Query e. Verify 5. Caveat: Does NOT auto-resolve dependencies: Use 'yum' 6. Caveat: RPM does NOT track non-RPM programs/apps: i.e. '*.tar.gz' || '*.tar. bz2' Tasks: 1. Query

   a. 'rpm -qa' - dumps ALL installed packages (RPMs)
   b. 'rpm -qa | grep grep' - 'grep-2.6.3-2.el6.i686'
      'grep' - main name of package
      '2.6.3-2' - package version-release
      'el6.i686' - Red Hat version (dist tag) & platform (architecture)
   c. 'rpm -qi grep' - returns metadata about the 'grep' package
   d. 'rpm -ql grep' - enumerates the contents of the package 'grep'
   e. 'rpm -qf /bin/grep' - enumerates the file's package membership
   f. 'rpm -qd grep' - enumerates the included documentation
   g. 'rpm -qc lftp' - enumerates a package's configuration file(s)
   h. 'rpm -qpi http://192.168.75.101/LinuxCBT/EL-6/Misc/RHEL6/Server/Packages/unix2dos-2.2-35.el6.i686.rpm' - queries a package file ('-p') that is not installed; 'rpm' fetches HTTP/FTP URLs itself
2. Verify - verifies file system contents against the installed package's entries in the RPM DB
   Note: Returns a '.' per test performed if the test passed
   Note: If a test fails, its letter is printed in place of the '.': 5 (file digest; MD5 in older packages, SHA-256 in EL-6 packages), S (file size), L (symlink target), T (mod time), D (device), M (mode), ? (unreadable file), U (user), G (group)
   Note: Verification trusts the local RPM DB and the local 'rpm' binary; an attacker with root can alter both, so a clean 'rpm -Va' is evidence, not proof
   a. 'rpm -Vvf /bin/grep' - compares /bin/grep (and the rest of its package) to the 'grep' RPM
   b. 'mv /bin/grep /bin/grep.original && touch /bin/grep' - after which 'rpm -Vf /bin/grep' reports:
      SM5....T.    /bin/grep
3. Install - works if the package does NOT exist on the system
   a. 'rpm -ivh http://192.168.75.101/LinuxCBT/EL-6/Misc/RHEL6/Server/Packages/unix2dos-2.2-35.el6.i686.rpm'
4. Upgrade - installs and/or upgrades
   a. 'rpm -Uvh http://192.168.75.101/LinuxCBT/EL-6/Misc/RHEL6/Server/Packages/dos2unix-3.1-37.el6.i686.rpm'
   b. 'rpm -Uvh --replacepkgs http://192.168.75.101/LinuxCBT/EL-6/Misc/RHEL6/Server/Packages/grep-2.6.3-2.el6.i686.rpm' - reinstalls an already-installed version
5. Uninstall
   a. 'rpm -e grep' - checks dependencies and warns where appropriate
6. Import Red Hat RPM GPG key to confirm package signatures:
   a. 'rpm --import
   Note: Once the key is imported, 'rpm -K package.rpm' (alias '--checksig') reports the signature result. 'rpm -i' only warns about an unknown key ('NOKEY') and installs anyway, so enforcement of signatures comes from 'yum' ('gpgcheck=1'), not from 'rpm'
###YUM###
Features:
1. Package management
2. Auto-dependency resolution
3. Ability to specify multiple package sources
Tasks:
1. Mirror 'Packages' directory on local system
   a. 'lftp http://192.168.75.101/LinuxCBT/EL-6/Misc/RHEL6/Packages/'
   b. 'mirror -v'
2. Run 'createrepo' against '/var/www/html/RHEL6' - creates the sub-directory 'repodata' and the DB files that serve packages to 'yum' clients
   a. Confirm that the 'createrepo' RPM is installed
   b. 'createrepo /var/www/html/RHEL6' - queries ALL 2679 packages and generates a SQLite DB and ancillary files beneath the 'repodata' dir
3. Setup first 'yum' client: localhost
   a. '/etc/yum.repos.d/linuxcbtserv2.repo'
      [linuxcbtserv2]

      name=linuxcbtserv2
      baseurl=http://192.168.75.21/RHEL6
   Note: As written, this stanza has no 'gpgcheck=1' / 'gpgkey=' lines, so 'yum' will install whatever the HTTP mirror serves without checking package signatures; add them (pointing 'gpgkey' at the imported Red Hat key) before trusting the mirror. The packages were only copied, not re-signed, so the vendor signatures still verify
4. Search & install packages:
   a. 'rpm -e dos2unix unix2dos' - removes both packages
   b. 'yum search unix2dos' - searches for package
   c. 'yum info unix2dos' - returns/dumps/enumerates package metadata
   d. 'yum install unix2dos' - installs the package once
   e. 'yum reinstall unix2dos' - reinstalls package, i.e. '--replacepkgs' with 'rpm'
   f. 'yum -y reinstall unix2dos' - assumes yes when prompted
   g. 'yum history' - returns usage history, i.e. like BASH shell history
   h. 'yum -y erase unix2dos dos2unix' - assumes yes and removes both packages
   i. 'yum deplist lftp' - dependencies and their providers are returned
   j. 'yum localinstall dos2unix-3.1-37.el6.i686.rpm' - Note: the entire file name is indicated
5. Define 'linuxcbtserv1' as a 'yum' client of 'linuxcbtserv2'
6. Define 'linuxcbtserv1' as a 'yum' server
   a. 'lftp http://192.168.75.101/LinuxCBT/EL-6/Misc/RHEL6/Packages/'
   b. 'mirror -v'
   c. Confirm that the 'createrepo' RPM is installed
   d. 'createrepo /var/www/html/RHEL6' - queries ALL 2679 packages and generates a SQLite DB and ancillary files beneath the 'repodata' dir
7. Define 'linuxcbtserv2' as a 'yum' client of 'linuxcbtserv1'
   Note: This configuration provides YUM server redundancy via 2 repo files per 'yum' client
      [linuxcbtserv1]
      name=linuxcbtserv1
      baseurl=http://192.168.75.20/RHEL6
8. Test YUM redundancy by enabling/disabling HTTPD (Apache) on both systems and installing/uninstalling packages
###PackageKit###
Features:
1. GUI for package management
2. Front-end to YUM
3. Supports YUM plug-ins
Tasks:
1. Explore interface
###Cron###
Features:
1. Job scheduler - each job line carries 5 time fields, in this order:
   a. minute (0-59)
   b. hour (0-23)
   c. day of month (1-31)
   d. month (1-12)
   e. day of week (0-7; 0 and 7 are both Sunday)
   Note: Fields a-e are specified in that order in the appropriate config file; '*' means every value and '*/n' every n-th value. System crontabs ('/etc/crontab', '/etc/cron.d/*') add a user field between the time fields and the command; per-user crontabs do not
2. Assumes computer is always on, unlike anacron
3. Maintains global and per-user schedules
4. '/var/spool/cron' - stores crontabs for '/etc/passwd' users, LDAP users or otherwise
5. Re-reads changed crontab files every minute; '/etc/anacrontab' is read by 'anacron', which cron launches hourly via '/etc/cron.hourly/0anacron'
6. Supplies the 'crontab' utility to manage jobs
7. Runs in ALL multi-user modes. Does NOT execute in single-user (1) mode
Tasks:
1. Analyze current cron setup
   a. 'ps -ef | grep cron'
   b. '/etc/crontab'
2. Define system-wide job
   a. '*/1 * * * * linuxcbt /usr/bin/uptime >> /home/linuxcbt/uptime.stat'

3. Define per-user job
   a. 'crontab -e' - run as the user principal 'linuxcbt'; stored as '/var/spool/cron/linuxcbt'
4. Manipulate 'linuxcbt's' jobs as 'root'
   a. 'crontab -e -u linuxcbt' - run as 'root' - edits the user's job(s)
   b. 'crontab -l -u linuxcbt' - run as 'root' - lists the user's job(s)
5. Restrict cron access
   a. '/etc/cron.allow' - add 'linuxcbt' to the list - when this file exists a user MUST be on it in order to submit jobs to 'cron'
   b. '/etc/cron.deny' - add 'linuxcbt2' to the list - consulted only when '/etc/cron.allow' does not exist
###Anacron###
Features:
1. Runs jobs once per day during an allowed interval
2. Assumes computer is NOT always on, unlike cron
3. Facilitates delays in starting jobs - reduces resource contention
4. Maintains one schedule: '/etc/anacrontab'
5. Requires little-to-no intervention; handled by the system
Tasks:
1. Examine '/etc/anacrontab'
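Added example for the Cron section above (not code from the LinuxCBT notes): it validates system-crontab lines field by field in the order the section gives (minute, hour, day of month, month, day of week, then user and command) and flags jobs whose command file is group- or world-writable, since such a file can be edited by a low-privileged user and then runs with the crontab user's rights. The crontab lines are constructed samples, apart from the uptime job from the notes.

```shell
# cron_field_ok VALUE MIN MAX -> exit 0 if VALUE is valid for that field.
# Handles '*', n, a-b, comma lists and a '/step' suffix; named months and
# days (jan, mon, ...) are not handled.
cron_field_ok() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '{
        n = split($0, items, ",")
        for (k = 1; k <= n; k++) {
            v = items[k]
            sub(/\/[0-9]+$/, "", v)                 # drop the /step suffix
            if (v == "*") continue
            if (v ~ /^[0-9]+-[0-9]+$/) {            # range a-b
                split(v, r, "-")
                if (r[1]+0 < lo || r[2]+0 > hi || r[1]+0 > r[2]+0) exit 1
            } else if (v ~ /^[0-9]+$/) {            # single value
                if (v+0 < lo || v+0 > hi) exit 1
            } else exit 1
        }
    }'
}

# cron_check_line "LINE" -> prints "OK <user> <command>" or "BAD <reason>"
cron_check_line() {
    set -f                       # no globbing: the time fields contain '*'
    set -- $1
    set +f
    [ $# -ge 7 ] || { echo "BAD too-few-fields"; return 1; }
    cron_field_ok "$1" 0 59 || { echo "BAD minute"; return 1; }
    cron_field_ok "$2" 0 23 || { echo "BAD hour"; return 1; }
    cron_field_ok "$3" 1 31 || { echo "BAD day-of-month"; return 1; }
    cron_field_ok "$4" 1 12 || { echo "BAD month"; return 1; }
    cron_field_ok "$5" 0 7  || { echo "BAD day-of-week"; return 1; }
    user=$6; cmd=$7
    case $cmd in
        /*) ;;
        *) echo "BAD relative-command $cmd"; return 1 ;;   # PATH lookup under cron is a hijack vector
    esac
    if [ -e "$cmd" ]; then
        # columns 6 and 9 of 'ls -l' are the group and other write bits
        case $(ls -ldL "$cmd" | cut -c6,9) in
            *w*) echo "BAD writable-command $cmd"; return 1 ;;
        esac
    fi
    echo "OK $user $cmd"
}

cron_demo() {
    loose=$(mktemp); chmod 0777 "$loose"          # deliberately world-writable
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        printf '%-62s %s\n' "$line" "$(cron_check_line "$line")"
    done <<EOF
# constructed system-crontab lines: min hour dom mon dow user command
*/1 * * * * linuxcbt /usr/bin/uptime >> /home/linuxcbt/uptime.stat
0 25 * * * root /bin/sh
30 2 * * 8 root /bin/sh
0 3 1-5/2,10 * * root /bin/sh
0 3 * * * root backup.sh
0 4 * * * root $loose
EOF
    rm -f "$loose"
}
cron_demo
```

Run it over the real files with 'cat /etc/crontab /etc/cron.d/* | while read -r l; do cron_check_line "$l"; done'; per-user crontabs lack the user field, so pass them through 'awk' to insert the file's owner first.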

###'at' and 'batch'###
Features:
1. One-off job schedulers
2. 'at' runs based on a time schedule
3. 'batch' runs when system utilization permits: by default when the load average drops below 0.8
Tasks:
1. Use 'at' to run jobs
   a. 'at 15:58'
   b. 'at 16:01'
   c. 'at -f at.job.1 16:02'
   d. 'at now + 1 day' - runs the job 1 day from now (the time it was submitted to the job queue)
2. Use 'batch' to run jobs
   a. 'batch' - supply instructions on STDIN
   Note: 'batch' is an alias for 'at -b'; it takes the job from STDIN (or a file via '-f') and no time specification
   Note: The 'at' daemon ('atd') runs the jobs on behalf of 'batch'
   Note: Access is restricted the same way as cron: '/etc/at.allow' (if present, only listed users may submit) otherwise '/etc/at.deny'

###Syslog###
Features:
1. Logs daemon information
2. Logs remotely
3. Accepts, if configured, logs from remote hosts: i.e. routers, switches, firewalls, content switches, Linux hosts, etc.
4. Supports Unix domain sockets ('/dev/log')
5. Supports Internet sockets: (UDP:514) and/or (TCP:514)
6. Runs in ALL multi-user levels: 2-5
Tasks:
1. Exploration of environment
   a. '/etc/rsyslog.conf' - primary config file
   b. '/etc/sysconfig/rsyslog' - ancillary config file, containing startup options
2. '/etc/rsyslog.conf' - exploration: each rule is a selector (facility.severity) followed by an action (destination)
   Selector(s)                                  Action(s)
   *.info;mail.none;authpriv.none;cron.none     /var/log/messages
   # The authpriv file has restricted access.
   authpriv.*                                   /var/log/secure
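Added example for the rsyslog selectors above; it is not code from the LinuxCBT notes. Every syslog message carries a priority PRI = facility * 8 + severity, sent on the wire as '<PRI>' in front of the text, and a selector such as '*.info;mail.none' is a decision over those two numbers. The functions below decode a PRI, pull it from a raw line, and evaluate a selector string; the sample router line is constructed (its facility 'local4' is the one the notes route to '/var/log/cisco').

```shell
SYSLOG_FACS="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp"
SYSLOG_SEVS="emerg alert crit err warning notice info debug"   # 0..7, emerg most severe

syslog_sev_num() {
    case $1 in
        emerg|panic) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err|error) echo 3 ;;
        warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) return 1 ;;
    esac
}
syslog_fac_num() {
    case $1 in
        kern) echo 0 ;; user) echo 1 ;; mail) echo 2 ;; daemon) echo 3 ;;
        auth|security) echo 4 ;; syslog) echo 5 ;; lpr) echo 6 ;; news) echo 7 ;;
        uucp) echo 8 ;; cron) echo 9 ;; authpriv) echo 10 ;; ftp) echo 11 ;;
        local[0-7]) echo $(( 16 + ${1#local} )) ;;
        *) return 1 ;;
    esac
}

# syslog_pri_decode PRI -> "facility.severity"   (166 -> local4.info)
syslog_pri_decode() {
    [ "$1" -ge 0 ] && [ "$1" -le 191 ] || return 1
    fac=$(( $1 / 8 )); sev=$(( $1 % 8 ))
    if [ $fac -ge 16 ]; then facname="local$(( fac - 16 ))"
    elif [ $fac -ge 12 ]; then facname="facility$fac"       # 12-15 are reserved
    else facname=$(set -- $SYSLOG_FACS; shift $fac; echo "$1"); fi
    sevname=$(set -- $SYSLOG_SEVS; shift $sev; echo "$1")
    echo "$facname.$sevname"
}

# syslog_pri_of_line "<166>Jan 18 ..." -> 166 (what a receiver parses first)
syslog_pri_of_line() {
    case $1 in
        \<[0-9]*\>*) pri=${1#"<"}; echo "${pri%%>*}" ;;
        *) return 1 ;;
    esac
}

# syslog_selector_matches SELECTOR FACILITY SEVERITY -> exit 0 if selected.
# Parts are evaluated left to right and a later part overrides an earlier
# one for the same facility, which is how 'mail.none' after '*.info' keeps
# mail out of /var/log/messages. Supports fac.sev (sev and more severe),
# fac.=sev, fac.none, fac.*, '*' and comma-separated facility lists.
syslog_selector_matches() {
    sel=$1
    mfac=$(syslog_fac_num "$2") || return 2
    msev=$(syslog_sev_num "$3") || return 2
    decision=1
    old_ifs=$IFS
    set -f                      # '*' in selectors must not glob
    IFS=';'
    for part in $sel; do
        IFS=$old_ifs
        facs=${part%%.*}; sev=${part#*.}
        hit=0
        IFS=','
        for f in $facs; do
            if [ "$f" = "*" ] || [ "$(syslog_fac_num "$f" 2>/dev/null)" = "$mfac" ]; then hit=1; fi
        done
        IFS=$old_ifs
        [ $hit -eq 1 ] || continue
        case $sev in
            none) decision=1 ;;
            '*')  decision=0 ;;
            =*)   if [ "$(syslog_sev_num "${sev#=}")" = "$msev" ]; then decision=0; else decision=1; fi ;;
            *)    if [ "$msev" -le "$(syslog_sev_num "$sev")" ] 2>/dev/null; then decision=0; else decision=1; fi ;;
        esac
    done
    IFS=$old_ifs
    set +f
    return $decision
}

syslog_demo() {
    sel='*.info;mail.none;authpriv.none;cron.none'    # the /var/log/messages rule
    # constructed wire-format line from the lab router
    line='<166>Jan 18 17:09:49 192.168.75.1 12987: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.75.21 port 514 started'
    pri=$(syslog_pri_of_line "$line")
    echo "PRI $pri decodes to $(syslog_pri_decode "$pri")"
    for msg in "local4 info" "mail info" "kern debug" "daemon err"; do
        set -- $msg
        if syslog_selector_matches "$sel" "$1" "$2"; then verdict=logged; else verdict=dropped; fi
        echo "$1.$2 -> $verdict"
    done
}
syslog_demo
```

Nothing in the PRI authenticates the sender: a host that can reach the UDP listener can claim any facility, severity or hostname, so selectors sort messages, they do not vouch for them.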

3. Configure UDP:514 routing of messages from Cisco router
   a. '/etc/rsyslog.conf' - uncomment the UDP section ('$ModLoad imudp' and '$UDPServerRun 514')
   b. Setup selector in '/etc/rsyslog.conf'
      b1. 'local4.*    /var/log/cisco/ciscorouter.log'
   c. Create '/var/log/cisco' - 'mkdir /var/log/cisco'
   d. Configure router to log, via UDP, to our RHEL-6 server (the router must also be set to facility 'local4'):
      'Jan 18 17:09:49 192.168.75.1 12987: 012457: Jan 18 17:10:44.123 EST: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.75.21 port 514 started - CLI initiated'
   Note: Syslog ALWAYS includes a timestamp & hostname/IP prefix & message
   Note: Syslog supports 8 severities (0-7), most severe first: emerg(0), alert, crit, err, warning, notice, info, debug(7). A selector such as 'local4.info' matches info and everything more severe
   Note: Syslog supports a variety of facilities:
      a. MAIL
      b. AUTH
      c. LOCAL0-7
   Note: UDP:514 syslog carries no authentication and the source IP is trivially spoofed, so restrict the listener with 'iptables' to the router's address and treat remote lines as untrusted input
4. Configure TCP:514 routing of messages from Cisco router
   a. '/etc/rsyslog.conf' - uncomment the TCP section ('$ModLoad imtcp' and '$InputTCPServerRun 514')
   b. Update router configuration
###Log Rotation###
Features:
1. Management of logs

2. Reduction/control of size of log files
3. Config files: '/etc/logrotate.d'
4. Primary config file: '/etc/logrotate.conf'
5. Auto-includes files in '/etc/logrotate.d' into the main config file '/etc/logrotate.conf'
6. Rotates based on criteria: time || size-based
   '/etc/logrotate.d' - entry:
   /var/log/httpd/*log {
       missingok
       notifempty
       sharedscripts
       delaycompress
       postrotate
           /sbin/service httpd reload > /dev/null 2>/dev/null || true
       endscript
   }
Tasks:
1. Update 'logrotate' to handle '/var/log/cisco/*log' - '/etc/logrotate.d/syslog'
2. Create separate file to handle '/var/log/cisco/*log' - '/etc/logrotate.d/cisco'
3. Update directives to rotate based on size-based criteria
###Common Network Utilities###
Features:
1. Determine if remote host is up/available: 'ping'
2. Determine if local/remote service is available: 'telnet'
3. Determine network sockets stats/connections: 'netstat'
4. View L2 information: 'arp'
5. View path taken by packets to remote system: 'traceroute'
6. Hostname-to-IP and reverse resolution: 'nslookup', 'dig'
7. Learn more information about an IP and/or block: 'whois'
Tasks:
1. Explore Packet Internet Groper (PING)
   a. 'rpm -qf /bin/ping' - member of the 'iputils' package (do not backtick the path; that would execute 'ping' instead of querying it)
   b. 'ping -c 3 192.168.75.1 -s 32' - sends 32 bytes of payload + 8 bytes of ICMP header
   c. 'ping -c 3 -i 3 192.168.75.1' - sends 3 packets of 56 bytes (default payload), every 3 seconds, to the target
   Note: PING may be blocked by L3 devices on your network and/or the Internet
2. Telnet - don't use for TTY access to remote hosts. Use SSH. Use telnet to test port accessibility.
   a. 'telnet 192.168.75.1 22' - install if necessary using 'yum install telnet'
3. Netstat - reveals TCP:UDP:Unix sockets - '/proc/net'
   a. 'netstat -a' - dumps ALL sockets with service/port and hostname resolution
   b. 'netstat -an' - same as above, but suppresses name resolution
   c. 'netstat -ntl' - suppresses name resolution, shows ONLY TCP sockets, and listeners
   d. 'netstat -ntlp' - same as above, includes programs bound to ports
   Note: Use the '-p' option as root to reveal ALL programs
   Note: ':::514' - means that the port is bound to ALL IPv6 addresses configured on the host; on Linux such a wildcard IPv6 socket also accepts IPv4 connections unless the program set IPV6_V6ONLY, so it does not mean IPv4 clients are excluded
   Note: '0.0.0.0:514' - means that the port is bound to ALL IPv4 addresses configured on the host

   e. 'netstat -i' - interface statistics
   f. 'netstat -nulp' - returns ALL UDP listeners
   g. 'netstat -rn' - returns kernel routing table
4. ARP - Address Resolution Protocol
   a. 'arp -a || arp -e'
   Note: ARP is usually self-managing.
5. Traceroute - follows path taken by packets across the network (intranet/Internet)
   a. 'traceroute 192.168.75.1'
   b. 'traceroute www.linuxcbt.com'
6. 'nslookup'
   a. 'nslookup www.linuxcbt.com'
   Note: DNS client tools use '/etc/resolv.conf' to determine which DNS servers to query
7. 'dig'
   a. 'dig www.linuxcbt.com'
   b. 'dig -x 71.6.195.206' - performs a reverse lookup
   c. 'dig linuxcbt.com mx'
8. 'whois' - finds IP/domain ownership information
   a. 'whois linuxcbt.com'
###IPv4 Configuration###
Features:
1. DHCP
2. Static
3. Virtual (sub) interfaces - supports a single physical interface connected to multiple logical networks, i.e. 192.168.75.0/24 && 192.168.76.0/24 && 10.0.0.0/30
Tasks:
1. Explore key directories & files
   a. '/etc/sysconfig/network' - system-wide settings: i.e. hostname, gateway, networking enabled|disabled
   b. '/etc/sysconfig/networking' - the 'system-config-network' tool controls this directory. Don't edit manually.
   c. '/etc/hosts' - local name DB - should contain a record for the localhost, i.e. 'localhost.localdomain'
      192.168.75.21   linuxcbtserv2.linuxcbt.internal linuxcbtserv2   # Added by NetworkManager
      127.0.0.1       localhost.localdomain localhost
      ::1             linuxcbtserv2.linuxcbt.internal linuxcbtserv2 localhost6.localdomain6 localhost6
      Note: Add hosts to '/etc/hosts' which you cannot or should not resolve via DNS
   d. '/etc/sysconfig/network-scripts'
      d1. Interface configuration files - describe up/down config of interfaces: i.e. eth0
      d2. Control files - describe how interfaces are to be brought up/down - scripts
      d3. Network function files - contain key network information required for the stack
      d4. 'ifup-eth' - brings up ethernet interfaces: i.e. 'eth0', 'eth1', etc.
      d5. 'ifdown-eth' - brings down ethernet interfaces: i.e. 'eth0', 'eth1', etc.
   e. 'ifconfig' - enumerates configuration of interfaces
      Note: At minimum, a routable, connected system has at least 2 interfaces:
      1. 'lo' - loopback - 127.0.0.1
      2. 'eth0' - Ethernet0 - your routable IP/net
      e1. 'ifconfig'
          eth0      Link encap:Ethernet  HWaddr 00:11:11:A2:A2:D0
                    inet addr:192.168.75.21  Bcast:192.168.75.255  Mask:255.255.255.0
                    inet6 addr: 2002:4687:db25:2:211:11ff:fea2:a2d0/64 Scope:Global
                    inet6 addr: fe80::211:11ff:fea2:a2d0/64 Scope:Link
                    UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                    RX packets:14048921 errors:0 dropped:0 overruns:0 frame:0
                    TX packets:9107918 errors:0 dropped:0 overruns:0 carrier:0
                    collisions:0 txqueuelen:1000
                    RX bytes:469081450 (447.3 MiB)  TX bytes:4022814991 (3.7 GiB)

          lo        Link encap:Local Loopback
                    inet addr:127.0.0.1  Mask:255.0.0.0
                    inet6 addr: ::1/128 Scope:Host
                    UP LOOPBACK RUNNING  MTU:16436  Metric:1
                    RX packets:4698 errors:0 dropped:0 overruns:0 frame:0
                    TX packets:4698 errors:0 dropped:0 overruns:0 carrier:0
                    collisions:0 txqueuelen:0
                    RX bytes:7374035 (7.0 MiB)  TX bytes:7374035 (7.0 MiB)

      e2. 'ifconfig eth0:1 192.168.75.22 netmask 255.255.255.0'
      e2.1. 'ping -c 3 -I 192.168.75.22 192.168.75.21' - sources traffic as 192.168.75.22
      e3. 'ifconfig eth0:2 192.168.75.23 netmask 255.255.255.0'
      e4. Preserve changes across system restart / 'NetworkManager' service restart
      e4.1. 'cp -v /etc/sysconfig/network-scripts/ifcfg-eth0 ifcfg-eth0:1' - then set 'DEVICE=eth0:1' and the sub-interface's 'IPADDR=' in the copy; 'ifconfig' changes alone are lost on reboot
   f. 'ifcfg eth0:3 add 192.168.75.24/24' - does duplicate address detection & sends ARP to hosts on the same net as the interface
   f1. 'ifcfg eth0:1 delete 192.168.75.22/24' - removes the sub-interface
   f2. 'ifconfig eth0:3 del 192.168.75.24' - removes the sub-interface
###IPv6 Configuration###
Features:
1. Self-configuring - the /64 prefix is auto-derived from the router's advertisements
2. Can be configured via: neighbor discovery auto-config by router, DHCPv6, statically (manually)
Tasks:
1. 'less /etc/sysconfig/network-scripts/ifup-ipv6' - peruse config
2. Peruse router config
   2a. '2002:4687:DB25:2:21A:2FFF:FEE3:F240'
       '2002:4687:DB25:2' - left-most 64 bits describe the subnet: /64 prefix - globally unique
       ':21A:2FFF:FEE3:F240' - right-most 64 bits describe the host: an EUI-64 interface ID derived from the 48-bit MAC address (with 'ff:fe' inserted in the middle)
3. PING6 various devices

   a. 'ping6 -c 3 -I eth0 2002:4687:DB25:2:21A:2FFF:FEE3:F240'
   b. 'ping 2002:4687:db25:2:211:11ff:fea2:a2d0' - from the router, PING6 the RHEL-6 box
4. Use browser to access Apache via IPv6
   a. 'http://[2002:4687:db25:2:211:11ff:fea2:a2d0]/' - enclose the IPv6 address in '[]' || use '/etc/hosts' || DNS
   Note: IPv6 is auto-configured, by default, so long as a router or DHCPv6 provides a usable prefix.
   Note: Update host configuration, i.e. '/etc/hosts' and/or DNS, to reflect name-to-IPv6 mappings
   Note: Test with desired applications: i.e. 'ssh', 'http client', etc.
###Very Secure File Transfer Protocol Daemon (VSFTPD)###
Features:
1. Anonymous (default) and user-based FTP sessions
2. Native SSL/TLS support ('ssl_enable=YES' in 'vsftpd.conf'); SFTP is a separate SSH service, not an FTP feature
3. Does not permit 'root' or service accounts access, by default ('/etc/vsftpd/ftpusers' and '/etc/vsftpd/user_list')
4. Does not currently support IPv4 & IPv6 simultaneously with the same daemon.
Tasks:
1. Install using 'yum'
2. Enable 'vsftpd' in multi-user runlevels
   a. 'chkconfig vsftpd on'
3. Start 'vsftpd' and explore access
4. Disable anonymous access ('anonymous_enable=NO')
5. Test local user access and update SELinux configuration
   a. 'getsebool -a | grep ftp' - dumps FTP-related SELinux booleans
   b. 'setsebool -P ftp_home_dir=1'
   Note: RHEL6 enables SELinux in 'enforcing' mode, requiring a slight change to the booleans to permit VSFTPD or any FTPD daemon to transition users into their $HOME directory
6. Enable dual logging
   a. 'dual_log_enable=yes'
7. Enable server time for display of files/directories
   a. 'use_localtime=yes'
Note: 'man vsftpd.conf' for useful directives that apply to your application
Note: Without TLS, FTP credentials and data cross the wire in clear text
###LFTP###
Features:
1. Interactive (shell-like) & non-interactive modes
2. Scriptable
3. Servers supported: FTP, FTPS, SSH (SFTP), HTTP, etc.
4. Mirroring of content: forward (download) & reverse (upload)
5. Regular expressions
6. Job engine
Tasks:
1. Use 'lftp' to connect to VSFTPD
   a. 'lftp localhost' && 'open -u linuxcbt'
   Note: LFTP batches authentication commands and submits them when control-channel commands such as 'ls' are received
      ---- Connecting to localhost (127.0.0.1) port 21
      - (no connection)
      FEAT   - (traffic from client to server)

2. Use 'lftp' to connect and mirror content
   a. 'mirror temp*' - forward mirror - downloads content from server to client
   b. 'mirror -Rv *' - reverse mirror - puts content on the server from the client
3. Run external commands with '!command'
   a. '!bash' - launches an instance of the BASH shell from within 'lftp'
   b. 'exit' - returns to 'lftp'
4. Test rate-limiting with 'vsftpd'
   a. 'local_max_rate=10000' - B/s (bytes per second)
5. Job management - backgrounding
   a. Use 'CTRL-Z' to background jobs
   b. Use 'jobs' to view progress of jobs
   c. Use 'fg job_num' to foreground a specific job
6. Explore LFTP environment
   a. '/etc/lftp.conf' - system-wide config file
7. Connect using 'lftp' to SSH & HTTP servers
   a. 'lftp http://192.168.75.101/LinuxCBT/EL-6/Misc/RHEL6'
   b. 'lftp -u linuxcbt sftp://192.168.75.101'
###Curl###
Features:
1. Non-interactive file transfers with HTTP|FTP|Telnet|etc.
2. Default downloads to STDOUT
3. Like 'wget'
Tasks:
1. 'curl http://192.168.75.101/LinuxCBT/EL-6/Misc/RHEL6/EULA' - dumps content of target file to STDOUT
   Note: This can be useful when used with pipes, etc.
2. Create multiple files on the HTTP server and download them in one shot with 'curl'
   a. 'for i in `seq 5`; do seq 1000000 > file$i.txt; done' - execute on target HTTP server
   b. 'curl -O http://192.168.75.101/LinuxCBT/EL-6/Misc/file[1-5].txt' - downloads file1..file5.txt to the local system ('-O' names each local file after the URL)
3. Create files on multiple HTTP servers and aggregate with 'curl'
   a. 'curl -O http://192.168.75.{101,21}/LinuxCBT/file[1-5].txt'
4. Rate-limit
   a. 'curl -O --limit-rate 1000k http://192.168.75.101/LinuxCBT/file[1-5].txt'
###Rsync###
Features:
1. Network copies
2. Optionally, local copies
3. Ability to synchronize content quickly: i.e. staging -> production sites
4. Uses SSH as a conduit (for 'host:path' targets; an 'rsync://' target talks to an unencrypted rsync daemon instead)
5. Requires 'rsync' on client/server systems
6. Non-interactive client
7. Syntax is similar to 'scp'
Tasks:
1. 'rsync -av SRC DST'

2. 'rsync -av --delete SRC DST' - removes superfluous content on DST (reverse mirror); test first with '-n' (dry run), since a wrong SRC deletes the destination's extra files
###TFTPD###
Features:
1. Fast, UDP-based file transfers
2. Unreliable; however, in a LAN-connected environment it is rather reliable
3. Updates devices that function as TFTP clients: Cisco devices (routers, switches, firewalls, etc.)
4. Managed via XINETD
Tasks:
1. Install 'tftp-server' RPM
   a. 'yum search tftp && yum -y install tftp-server'
      '/var/lib/tftpboot' - directory where TFTPD-served content lives
      '/etc/xinetd.d/tftp' - primary, XINETD-controlled, config file - enable/disable TFTPD here
      '/usr/sbin/in.tftpd' - binary (daemon) - invoked by XINETD when necessary
2. Enable TFTP server (TFTPD)
   a. '/etc/xinetd.d/tftp'
   b. 'service xinetd start'
   c. 'netstat -nul' - ensure that 'UDP:69' is listening and controlled by 'xinetd'
3. Backup Cisco router configuration
   a. 'ssh [email protected]'
   b. 'copy running-config tftp://192.168.75.21/linuxcbtrouter1.config'
   Note: '/var/lib/tftpboot/' is the root indicated in the above URI, NOT the root (/) of the Linux FS
   c. 'touch /var/lib/tftpboot/linuxcbtrouter1.config && chmod 666 /var/lib/tftpboot/linuxcbtrouter1.config'
   Note: The daemon runs unprivileged and, without the '-c' (create) server argument in '/etc/xinetd.d/tftp', only overwrites files that already exist and are writable by it; hence the 'touch' and 'chmod 666'
   d. Attempt to backup the configuration
4. Restore Cisco router configuration
   a. 'copy tftp://192.168.75.21/linuxcbtrouter1.config running-config'
   Note: Sometimes the restoration will generate errors. Check for accuracy
5. Use TFTP client to move data
   Note: SFTP/SCP/FTPS are preferred; however, the TFTP client may be convenient
   Note: The TFTP client is both interactive & non-interactive
   a. 'tftp -v 192.168.75.21'
6. Overwrite TFTP server data from a rogue client:
   a. 'ssh 192.168.75.101 && tftp -v 192.168.75.21 -c put linuxcbtrouter1.config'
   Note: TFTP has no authentication: any host that can reach UDP:69 can read the saved router configuration (including any credentials in it) and, while the file is world-writable, replace it. Best practice suggests running TFTPD only when/if necessary. Disable it when not needed and flag files in '/var/lib/tftpboot' with restrictive permissions: i.e. 'chmod 644 /var/lib/tftpboot/*'
###TELNETD###
Features:
1. Clear-text means of accessing a TTY (PTY) across the wire
2. XINETD-controlled
3. Does NOT allow 'root' to access a TTY via Telnet: '/etc/securetty'
4. Reads, as a banner, '/etc/issue.net' | '/etc/issue'
5. Reads, post-login, '/etc/motd' - publish useful info. here
   Note: contents of '/etc/motd' are also read by SSHD
6. Assigns pseudo-terminals akin to SSHD; however, they are flagged as unencrypted
Tasks:
1. Install
   a. 'yum -y install telnet-server'
2. Examine configuration
   a. '/etc/xinetd.d/telnet'
3. Use Telnet server
   a. 'telnet 192.168.75.21'
   b. 'su' - switches context to 'root'
   Note: Be very careful when using 'su' with 'telnet' due to clear-text exposure of passwords
   Note: Loopback connections do NOT traverse the wire. It's ALL virtual (local). It's relatively safe (only a local root user capturing on 'lo' could read it).
   c. 'telnet 192.168.75.21' - exposes the session to the switch port (network)
4. Disable Telnet server
   a. '/etc/xinetd.d/telnet' - set 'disable = yes'
   b. 'service xinetd restart'
   c. 'netstat -ntl | grep 23' - confirm whether TELNETD is still listening on TCP:23
   d. 'netstat -ant | grep 23' - search for stale/existing sockets
   Note: TELNETD does NOT facilitate SSH functions/features such as:
   1. File transfers: i.e. 'scp', 'sftp'
   2. PKI: i.e. public key/private key pairs
   3. Remote commands via command-line (one-off)
   4. Pseudo-VPNs (port forwarding)
###Network Time Protocol Daemon###
Features:
1. Time synchronization
2. Multiple sources
3. Supports symmetric keys for time sync with other, controlled (trusted), servers
4. Multiple strata are supported in a hierarchy:
   a. Strata range: 1 (most accurate) - 16 (unsynchronized)
   Note: Most accurate means that the stratum 1 server has access to an external clock (GPS, radio, etc.)
5. NTP will NOT set your system's clock if it is skewed (off) by 1000 or more seconds
6. If the '-g' invocation option is used, the 1000s skew limit is overridden (for the first adjustment only)
7. NTP is dynamic in its calculations; always adjusting the values surrounding target NTP servers
Tasks:
1. Explore configuration
   a. '/etc/ntp.conf' - primary config file
2. Start service
   a. 'service ntpd start'
3. Query NTPD
   a. 'ntpq -np'
   Note: Clocks labeled at stratum 16 are considered unreliable (not synchronized)
   Note: NTP uses UDP:123 for source and destination ports
4. Sync Cisco router
   a. 'sh ntp ass'

   b. 'ntp server 192.168.75.21'
5. Sync Windows server
   a. 'rdesktop 192.168.75.105'
6. Sync Debian server with Red Hat server & vice versa
   Note: Configure NTP to sync with 3 or more clocks
###Add Network Interfaces to Hosts###
Features:
1. On-the-fly NIC provisioning
Tasks:
1. Explore NIC layout on 'linuxcbtserv2'
   a. 'ifconfig -a' - enumerates detected NICs - named 'ethN'
   b. 'ethtool eth1'
   c. Explore '/etc/sysconfig/network-scripts/ifcfg*' - search for device scripts
   d. 'nm-applet' - configure 'eth1' with a static address
   Note: 'nm-applet' will create the '/etc/sysconfig/network-scripts/ifcfg-eth1' script
   Note: This will ensure that the interface is resumed upon reboot/runlevel switch
2. Explore NIC layout on 'linuxcbtserv1'
   a. 'ifconfig -a'
   Note: An IPv6 link-local address ('fe80::...') appears once the interface is up; confirm a physical connection with 'ethtool' ('Link detected: yes')
   b. 'ethtool eth1' && 'ethtool eth2'
   c. 'system-config-network'
   d. Enumerate the 'ifcfg-eth1' script from both locations (same inode: hard links to one file):
      ls -li /etc/sysconfig/{networking/devices,network-scripts}/ifcfg-eth1
      1055028 -rw-r--r--. 3 root root 180 Jan 22 11:24 /etc/sysconfig/networking/devices/ifcfg-eth1
      1055028 -rw-r--r--. 3 root root 180 Jan 22 11:24 /etc/sysconfig/network-scripts/ifcfg-eth1
   Note: Now both 'linuxcbtserv1' and 'linuxcbtserv2' are configured to allow DHCP configuration on their private subnet
      'linuxcbtserv2' - DHCP server
      'linuxcbtserv1' - DHCP client
   Note: Ensure that the interface script file contains the 'ONBOOT=yes' directive so that the OS brings the interface up when rebooting (init 6) and/or switching run-levels
###DHCPD###
Features:
1. Auto-configuration of IP client(s)
2. Includes all sorts of settings: IPv4, IPv6, DNS, NTP, NIS, etc.
3. DHCP is a UDP application (server UDP:67, client UDP:68)
Tasks:
1. Reconfigure 'eth1' to use '/27'
   a. 'nano /etc/sysconfig/network-scripts/ifcfg-eth1'
      'PREFIX=27'
2. Install DHCP
   a. 'yum -y install dhcp'
   b. 'rpm -ql dhcp'
      /etc/dhcp - container for DHCPD configuration
      /etc/dhcp/dhcpd.conf - IPv4 config
      /etc/dhcp/dhcpd6.conf - IPv6 config
      /var/lib/dhcpd - container for leases
      /var/lib/dhcpd/dhcpd.leases - IPv4 leases
      /var/lib/dhcpd/dhcpd6.leases - IPv6 leases
3. Configure scope for '192.168.76.0/27' - facilitates 2**5 - 2 = 30 hosts
      192.168.76.0 - network address
      192.168.76.1-30 - usable
      192.168.76.31 - broadcast address
   Note: Alter DHCPD to log using a different facility, i.e. 'local6' ('log-facility local6;' in 'dhcpd.conf'), because boot messages are logged via 'local7'
4. Start/invoke 'eth1' interface on 'linuxcbtserv1'
   Note: This will launch the 'dhclient' process, which will request configuration via DHCP
   a. 'ifup eth1'
      inet addr:192.168.76.1  Bcast:192.168.76.31  Mask:255.255.255.224
      '.224' = '/27'
      '/24' = '.0'
      '/25' = '.128'
      '/26' = '.192'
      '/27' = '.224'
5. Configure a reservation to ensure that 'linuxcbtserv1' is ALWAYS served the same address
   a. 'nano /etc/dhcp/dhcpd.conf'
   Note: DHCPD follows the DORA process:
      D - Discover (client)
      O - Offer (server)
      R - Request (client)
      A - Acknowledgement (server)
   Note: A reservation keyed on a MAC address is not authentication: any client can present that MAC, and any host on the segment can answer DISCOVERs as a rogue server, so DHCP-supplied settings (gateway, DNS) are unauthenticated input
###Service Management###
Features:
1. Start|Stop|Adjust runlevels of services
2. Three tools are available
   a. 'chkconfig' - shell
   b. 'ntsysv' - TUI
   c. 'system-config-services' - GUI
Tasks:
1. 'chkconfig' - manages both 'SYSV' & 'XINETD' services
   a. 'chkconfig' - enumerates ALL services
   b. 'chkconfig --list vsftpd' - enumerates runlevel information for service 'vsftpd'
   Note: '/etc/init.d' - services repository
   c. 'chkconfig --level 2 vsftpd off'
   d. 'chkconfig --level 2345 vsftpd off'
   e. 'chkconfig vsftpd on | off' - synonym for run-levels 2-5
   f. 'chkconfig tftp on' - enables the XINETD-controlled service 'tftp'
   Note: XINETD-controlled services are automatically enabled|disabled by 'chkconfig'
   Note: However, SYSV-controlled services are NOT automatically started|stopped
   Note: Use 'service service_name start|stop' to control the service

2. 'ntsysv' - defaults to managing services in the current run-level. Manages both 'SYSV' & 'XINETD' services
   a. 'ntsysv --level 35' - influences ONLY the levels specified on the CLI
   Note: 'ntsysv' will NOT change the other, unspecified, run-levels
3. 'system-config-services' - GUI - manages 'SYSV' & 'XINETD' services
###BIND DNS###
Features:
1. Standard naming system manager
2. Name-to-IP resolution
3. IP-to-name resolution
4. Client utilities are auto-installed: 'bind-utils*' RPM
5. Caching-only server
6. Primary server
7. Secondary server
8. Reverse zones
9. IPv6 zones
10. Operates as non-privileged user 'named'
11. Default configuration binds to UDP:53 on the IPv4|6 loopback (remote queries will fail)
12. Load-balancing is provided in a proper configuration of 2 or more authoritative servers
Tasks:
1. Explore caching-only configuration
   a. Key files:
      '/etc/logrotate.d/named' - logrotate entry
      '/etc/named.conf' - zone definition file
      '/etc/named.rfc1912.zones' - loopback forward | reverse zones for IPv4|6
      '/etc/rc.d/init.d/named' - INIT script: use with 'chkconfig' | 'service'
      '/var/named' - container for zones: IPv4|6 forward and/or reverse
      '/var/named/data' - logfile repository
      '/var/named/slaves' - slave-replication data (this server is slave to other server(s))
      '/var/named/dynamic' - DDNS
2. Start and explore caching-only server
   a. 'chkconfig named on && service named start && ps -ef | grep named'
   b. 'dig @localhost www.linuxcbt.com'
   c. Ensure that the server binds to ALL IP addresses and allows recursion from ALL
   Note: 'allow-recursion { any; };' on a server reachable from the Internet creates an open resolver usable for cache poisoning and DNS amplification attacks; limit it to local networks (e.g. 'allow-recursion { 127.0.0.1; 192.168.75.0/24; };') and let only the authoritative zones be served to anyone
3. Primary server configuration - primary (go-to) authoritative server for a zone
   Note: Primary servers tend to have writable copies of zones, whereas secondary servers tend to have read-only copies of zones due to replication of zone(s) from the primary server
   a. Define primary zone for 'linuxcbt.internal'
      a1. '/etc/named.conf' - define zone here
      a2. '/var/named/linuxcbt.internal' - create zone file with records
      a3. 'service named reload' - reload | restart service
      a4. 'dig @localhost www.linuxcbt.internal'
      zone "linuxcbt.internal" IN {
          type master;
          file "linuxcbt.internal";
          allow-update { none; };
      };
   Note: TTLs can be defined per-file and/or per DNS record
   Note: DNS records/zones served by authoritative servers always carry the full TTL of the zone/record; only caching resolvers count it down
   b. Extend the primary zone 'linuxcbt.internal' with more records of various types
   c. Add another mail server
   d. Define primary zone 'linuxcbt.external' on host 'linuxcbtserv1'
      zone "linuxcbt.external" IN {
          type master;
          file "linuxcbt.external";
          allow-update { none; };
      };
4. Secondary server configuration
   Note: Any DNS server can play the role of secondary for one or more zones
   a. Make 'linuxcbtserv1' secondary for the zone 'linuxcbt.internal'
      a1. Define 'linuxcbtserv1' as an NS server in the primary configuration
      a2. Setup slave (secondary) zone on 'linuxcbtserv1'
      zone "linuxcbt.internal" IN {
          type slave;
          masters { 192.168.75.21; };
          #file "linuxcbt.external";
          allow-update { none; };
      };
      Note: The above entry (no 'file' directive) caches the zone in memory only
   b. Make 'linuxcbtserv2' secondary for the zone 'linuxcbt.external'
      Note: Repeat the steps above
      zone "linuxcbt.external" IN {
          type slave;
          masters { 192.168.75.20; };
          #file "linuxcbt.external";
          allow-update { none; };
      };
   c. Commit changes to master zones
   d. Save secondary files to disk
   Note: Zone transfers (AXFR) hand the whole zone to whoever asks unless restricted; set 'allow-transfer' on the master to the secondaries' addresses
5. Reverse zones - resolve IP-to-name
   a. Write a reverse zone for the '192.168.75.0/24' subnet
      zone "75.168.192.in-addr.arpa" IN {
          type master;
          file "192.168.75.zone";
          allow-update { none; };
      };
   b. 'dig @localhost -x 192.168.75.21' - returns the (PTR) name
6. IPv6 entries: forward & reverse records
   a. Insert forward records for connected hosts
      linuxcbtserv2   IN AAAA 2002:4687:db25:2:211:11ff:fea2:a2d0
      linuxcbtbuild1  IN AAAA 2002:4687:db25:2:211:11ff:fe5b:7053
      linuxcbtserv1   IN AAAA 2002:4687:db25:2:211:43ff:fe5a:bce5
      linuxcbtrouter1 IN AAAA 2002:4687:DB25:2:21A:2FFF:FEE3:F240
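Added example for the IPv6 records in this BIND section (not code from the LinuxCBT notes): reverse zones need every address fully expanded and written as 32 reversed hex nibbles, which is tedious to do by hand for each AAAA record above. The functions below expand an address (including '::' compression), derive the 'ip6.arpa' zone apex for a prefix, and emit the PTR line for a host, using only awk. The addresses are the lab's; the prefix length is assumed to be a multiple of 4, since a nibble boundary is what 'ip6.arpa' delegation works on.

```shell
# ip6_expand ADDR -> 8 zero-padded lower-case groups (fails on malformed input)
ip6_expand() {
    printf '%s\n' "$1" | awk -F: '{
        n = 0                                   # explicit (non-empty) groups
        for (i = 1; i <= NF; i++) if ($i != "") n++
        out = ""; filled = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "") {                     # "::" shows up as empty fields
                if (!filled) { for (j = 0; j < 8 - n; j++) out = out "0000:"; filled = 1 }
                continue
            }
            g = tolower($i)
            while (length(g) < 4) g = "0" g
            out = out g ":"
        }
        sub(/:$/, "", out)
        if (split(out, chk, ":") != 8) exit 1
        print out
    }'
}

# ip6_ptr_name ADDR -> full reverse owner name: 32 reversed nibbles + ip6.arpa
ip6_ptr_name() {
    ip6_expand "$1" | awk -F: '{
        hex = ""
        for (i = 1; i <= NF; i++) hex = hex $i
        name = ""
        for (i = length(hex); i >= 1; i--) name = name substr(hex, i, 1) "."
        print name "ip6.arpa"
    }'
}

# ip6_zone_name PREFIX_ADDR PREFIXLEN -> zone apex for the /PREFIXLEN network
ip6_zone_name() {
    ip6_ptr_name "$1" | awk -v keep=$(( $2 / 4 )) '{
        split($0, p, ".")                       # p[1..32] are the reversed nibbles
        name = ""
        for (i = 32 - keep + 1; i <= 32; i++) name = name p[i] "."
        print name "ip6.arpa"
    }'
}

# ip6_ptr_record ADDR PREFIXLEN FQDN -> the PTR line relative to that zone
ip6_ptr_record() {
    ip6_ptr_name "$1" | awk -v keep=$(( $2 / 4 )) -v host="$3" '{
        split($0, p, ".")
        owner = ""
        for (i = 1; i <= 32 - keep; i++) owner = owner (i > 1 ? "." : "") p[i]
        print owner " IN PTR " host "."
    }'
}

ip6_zone_demo() {
    echo "zone \"$(ip6_zone_name 2002:4687:db25:2:: 64)\""
    ip6_ptr_record 2002:4687:db25:2:211:43ff:fe5a:bce5 64 linuxcbtserv1.linuxcbt.internal
    ip6_ptr_record 2002:4687:db25:2:211:11ff:fea2:a2d0 64 linuxcbtserv2.linuxcbt.internal
    ip6_ptr_record 2002:4687:db25:2:211:11ff:fe5b:7053 64 linuxcbtbuild1.linuxcbt.internal
    ip6_ptr_record 2002:4687:DB25:2:21A:2FFF:FEE3:F240 64 linuxcbtrouter1.linuxcbt.internal
}
ip6_zone_demo
```

The four PTR lines it prints are the ones the reverse zone in the next step needs, so generating them from the AAAA records (rather than typing nibbles) removes the usual source of mismatched forward/reverse entries.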

   b. Query using 'dig' for IPv6 AAAA records
      b1. 'dig @192.168.75.21 linuxcbtrouter1.linuxcbt.internal AAAA'
   Note: Forward: IPv6 records need not be fully expanded
   Note: Reverse: IPv6 records MUST be expanded fully when describing the zone
   c. Construct reverse zone for '2002:4687:db25:2::/64' - network ID: /64 prefix
      zone "2.0.0.0.5.2.b.d.7.8.6.4.2.0.0.2.ip6.arpa" IN {
          type master;
          file "2.0.0.0.5.2.b.d.7.8.6.4.2.0.0.2.reverse";
          allow-update { none; };
      };
   Note: ::1 is the IPv6 loopback address, which really means ALL zeroes terminating with 1
      5.e.c.b.a.5.e.f.f.f.3.4.1.1.2.0 IN PTR linuxcbtserv1.linuxcbt.internal.
      0.d.2.a.2.a.e.f.f.f.1.1.1.1.2.0 IN PTR linuxcbtserv2.linuxcbt.internal.
      3.5.0.7.b.5.e.f.f.f.1.1.1.1.2.0 IN PTR linuxcbtbuild1.linuxcbt.internal.
      0.4.2.f.3.e.e.f.f.f.f.2.a.1.2.0 IN PTR linuxcbtrouter1.linuxcbt.internal.
   Note: When writing IPv6 reverse addresses, expand ALL zeroes that are truncated in the addresses; each of the 32 hex nibbles becomes one label, written in reverse order
###Samba - Clients###
Features:
1. LAN Manager/NETBIOS-like support for Linux | Unix
Tasks:
1. Install/explore Samba client package:
   a. '/usr/bin/findsmb' - finds Samba hosts on your subnet
   b. 'smbtree' - equivalent to 'My Network Places' - prints workgroups, hosts, and shares
      WORKGROUP
          \\MACBOOK1                    Dean Davis's MacBook
              \\MACBOOK1\IPC$           IPC Service (Dean Davis's MacBook)
      LINUXGENIUS
          \\LINUXCBTBUILD1              linuxcbtbuild1 server
              \\LINUXCBTBUILD1\lj2100   lj2100
              \\LINUXCBTBUILD1\print$   Printer Drivers
              \\LINUXCBTBUILD1\IPC$     IPC Service (linuxcbtbuild1 server)
      AD
          \\LINUXCBT2K8
              \\LINUXCBT2K8\SYSVOL      Logon server share
              \\LINUXCBT2K8\NETLOGON    Logon server share
              \\LINUXCBT2K8\IPC$        Remote IPC
              \\LINUXCBT2K8\C$          Default share
              \\LINUXCBT2K8\ADMIN$      Remote Admin
   Note: In order to reveal Active Directory shares, you must supply authentication credentials
   c. 'smbclient' - connects to shares and facilitates file transfers - interactive app.
      c1. 'smbclient -U administrator //linuxcbt2k8/c$'
          Domain=[AD] OS=[Windows Server (R) 2008 Standard 6002 Service Pack 2] Server=[Windows Server (R) 2008 Standard 6.0]

      d. 'smbget' - like 'wget' - downloads files from SMB shares, non-interactively
         d1. 'smbget -u administrator smb://linuxcbt2k8/temp2/DB_Backup_ALL_messages_tables.only'
      e. 'smbtar' - backs up SMB shares to a TAR archive
         e1. 'smbtar -s linuxcbt2k8 -x temp2 -u linuxcbt -t temp2.tar.`date +%F` -p password && gzip -c temp2.tar.`date +%F` > temp2.tar.`date +%F`.gz'
         Note: This will create a TARball, then a gzipped copy of it
         Note: '-p password' puts the password on the command line, where it is visible in 'ps' output and shell history; for unattended jobs 'smbclient' accepts an authentication file ('-A') instead

###Samba Server###
Features:
   1. NETBIOS | SMB | CIFS Server
   2. Emulates a Windows file and print server
   3. Implemented as 2 daemons: 'nmbd' (NETBIOS naming) & 'smbd' (file serving)
   4. Creates one log-file per connected host
   5. Linux | Unix file permissions (the /etc/{passwd,group} accounts) govern access to share content; Samba authenticates users against its own password database (smbpasswd/tdbsam), whose entries must map to Unix accounts
Tasks:
   1. Install the 'samba' package
   2. Explore the default configuration:
      a. '/etc/samba/smb.conf' - monolithic configuration file
      Note: Within the context of SELinux, consult the comments in '/etc/samba/smb.conf' for information on lifting restrictions (the Samba booleans, visible via 'getsebool -a | grep samba')
      Note: '/etc/samba/smb.conf' is arranged, largely, into 2 sections: global & shares
      b. '/etc/samba/smbusers' - Samba username-map file (Windows name -> Unix account). Used when not in AD mode.
   3. Change configuration and start the service
      a. 'nano /etc/samba/smb.conf' - make changes: i.e. default workgroup
      b. 'service smb start && chkconfig smb on && service nmb start && chkconfig nmb on'
      c. 'netstat -ntlp' - TCP:139 (SMB over NetBIOS), TCP:445 (CIFS) are controlled by 'smbd'
      d. 'netstat -nulp' - UDP:137 (NMB), UDP:138 (NMB) - NETBIOS naming
   4. Implement user security and test connectivity and the ability to read/write content

###Winbind Configuration###
Features:
   1. Active Directory integration
   2. Precludes the maintenance of multiple user account DBs
Steps:
   1. Install 'samba-winbind' - 'yum install samba-winbind'
   2. Edit: '/etc/security/pam_winbind.conf'
   3. Confirm the presence of Kerberos: 'rpm -qa | grep krb5'
   4. Edit: '/etc/krb5.conf' - with the appropriate ADS realm
   5. Edit: '/etc/hosts' - with server information for the ADS box
   6. Edit: '/etc/nsswitch.conf' - controls the default resolver (add 'winbind' to the passwd and group lines)
   7. Edit: '/etc/pam.d/system-auth' - general system authentication
   8. Edit: '/etc/samba/smb.conf' - include the Winbind-related directives
      '/etc/samba/smb.conf' - directives:
         security = ads
         idmap uid = 10000-20000
         idmap gid = 10000-20000
         template shell = /bin/bash
         template homedir = /home/%D/%U
      Note: 'security = ads' also requires 'realm' (and 'workgroup') to be set to the domain being joined
      Note: A Kerberos/ADS join fails if the clock is outside the domain's skew tolerance (5 minutes by default); keep NTP running (see the NTP section)
   9. 'net ads join -U administrator'
   10. Start Winbind: 'service winbind start'
   11. Configure the service to auto-start in SYSV levels 2-5
      a. 'chkconfig winbind on'
   12. 'wbinfo -u' - lists domain users via Winbind, confirming that the join and the idmap work
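An added example, not from the LinuxCBT notes: before publishing a Samba server it is worth checking which shares are reachable without credentials and which are open to every client address. The awk-based audit below reads the `[share]` sections of an smb.conf (the `SAMPLE_SMB_CONF` text is constructed for the example; the share names and paths are hypothetical) and reports guest-writable, guest-readable and unrestricted shares. On a real host point `audit_smb_conf` at `/etc/samba/smb.conf`.

```shell
#!/bin/sh
# Added example, not part of the LinuxCBT notes: audit smb.conf share sections
# for exposure. SAMPLE_SMB_CONF is constructed for the example; on a real host
# run: audit_smb_conf /etc/samba/smb.conf

SAMPLE_SMB_CONF='[global]
   workgroup = LINUXCBT
   security = user
   map to guest = Bad User

[homes]
   browseable = no
   writable = yes

[temp2]
   path = /srv/temp2
   guest ok = yes
   writable = yes

; read-only drop for the LAN only
[public]
   path = /srv/public
   public = yes
   read only = yes
   hosts allow = 192.168.75.'

# audit_smb_conf FILE
# Prints one "share: finding" line per problem found in a share section:
#   guest-writable  - unauthenticated users can write (guest ok/public + writable)
#   guest-readable  - unauthenticated users can read
#   no-hosts-allow  - share is not restricted to client addresses
# The [global] section is skipped; directive names and values are compared
# case-insensitively, and both the 'writable' and 'writeable' spellings count.
audit_smb_conf() {
    awk '
        function flush(   guest, rw) {
            if (share == "" || tolower(share) == "global") return
            guest = (opt["guest ok"] == "yes" || opt["public"] == "yes")
            rw = (opt["writable"] == "yes" || opt["writeable"] == "yes" || opt["read only"] == "no")
            if (guest && rw)  print share ": guest-writable"
            else if (guest)   print share ": guest-readable"
            if (!("hosts allow" in opt)) print share ": no-hosts-allow"
        }
        /^[ \t]*[;#]/ { next }                            # comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                           # [section] header
            flush()
            for (k in opt) delete opt[k]
            share = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", share)
            next
        }
        /=/ {                                              # key = value
            key = $0; sub(/=.*/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            opt[tolower(key)] = tolower(val)
        }
        END { flush() }
    ' "$1"
}

SMB_SAMPLE=$(mktemp)
trap 'rm -f "$SMB_SAMPLE"' EXIT
printf '%s\n' "$SAMPLE_SMB_CONF" > "$SMB_SAMPLE"
audit_smb_conf "$SMB_SAMPLE"
```

For the constructed file the audit flags `temp2` as guest-writable and unrestricted, `homes` as unrestricted, and `public` as guest-readable; `[global]`'s `map to guest = Bad User` is what turns a mistyped user name into a guest session, so it deserves the same scrutiny as the share flags.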

###Apache Configuration###
Features:
   1. HTTPD Server
Tasks:
   1. Explore the configuration
      a. 'rpm -qa | grep httpd' - 'httpd-tools' - useful tools
      b. '/etc/httpd' - top-level config directory
      c. '/etc/httpd/conf/httpd.conf' - main Apache config file
      d. '/etc/httpd/conf.d' - add-on configuration files
      e. '/etc/logrotate.d/httpd' - managed by LogRotate
      f. '/etc/sysconfig/httpd' - startup parameters
      Note: Apache launches its initial process as 'root'
      Note: Subsequent Apache (worker) processes are launched as 'apache'
      Note: HTTP clients (mobile (iPhone|Droid), browser on the desktop) connect to the non-privileged processes running as user 'apache'
      Note: One reason why Apache needs 'root' privileges is to be able to bind to well-known ports (below 1024); the request-handling processes drop to 'apache' so that a compromised handler does not run as root
   LogFormat fields, in part:
      '%s' - status code returned to client - 2xx success through 4xx/5xx errors ('%>s' gives the final status after internal redirects)
      '%b' - size of the content returned to the client, in bytes, excluding headers
      '%{Referer}i' - Referer request header: the URL of the page that linked to the resource (client-supplied, so not trustworthy)
      '%{User-Agent}i' - type of HTTP client: i.e. Droid, iPhone, Safari, IE, Firefox etc. (also client-supplied)
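An added example, not from the LinuxCBT notes: once the log format is understood, the same fields can be used for a first-pass look at who is hammering the server. The functions below parse combined-format access-log lines (the lines in `ACCESS_LOG` are constructed for the example; the IPv6 client is the one from the notes, the others and the probed paths are hypothetical), summarize status classes, list clients with many 4xx/5xx responses, and show which paths a given client was probing. On a real host point them at `/var/log/httpd/access_log`.

```shell
#!/bin/sh
# Added example, not part of the LinuxCBT notes: summarize an Apache access log
# written in the combined LogFormat (%h %l %u %t "%r" %>s %b "%{Referer}i"
# "%{User-Agent}i"). The log lines below are constructed for the example;
# on a real host point the functions at /var/log/httpd/access_log.

ACCESS_LOG=$(mktemp)
trap 'rm -f "$ACCESS_LOG"' EXIT
cat > "$ACCESS_LOG" <<'EOF'
192.168.75.14 - - [26/Jan/2011:09:27:35 -0500] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/3.6.9"
192.168.75.14 - - [26/Jan/2011:09:27:36 -0500] "GET /admin/ HTTP/1.1" 404 289 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/3.6.9"
192.168.75.14 - - [26/Jan/2011:09:27:37 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 289 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/3.6.9"
192.168.75.14 - - [26/Jan/2011:09:27:38 -0500] "GET /wp-login.php HTTP/1.1" 404 289 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/3.6.9"
2002:4687:db25:2:211:11ff:fea2:a2d0 - - [26/Jan/2011:09:27:35 -0500] "GET /icons/apache_pb2.gif HTTP/1.1" 304 - "http://[2002:4687:db25:2:211:11ff:fea2:a2d0]/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.9) Gecko/20100827 Red Hat/3.6.9-2.el6 Firefox/3.6.9"
192.168.75.105 - - [26/Jan/2011:09:28:01 -0500] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "-" "curl/7.19.7"
EOF

# Fields are split on the double quote so that the request line, Referer and
# User-Agent (which all contain spaces) stay intact:
#   $1 = "client ident user [timestamp] "   $2 = request line
#   $3 = " status bytes "                   $4 = Referer   $6 = User-Agent

# status_breakdown FILE -> one "Nxx count" line per status class
status_breakdown() {
    awk -F'"' 'NF >= 6 { split($3, s, " "); n[substr(s[1], 1, 1) "xx"]++ }
               END { for (c in n) print c, n[c] }' "$1" | sort
}

# error_clients FILE THRESHOLD -> "client count" for every client with at
# least THRESHOLD 4xx/5xx responses (a cheap indicator of path brute-forcing)
error_clients() {
    awk -F'"' -v thr="$2" '
        NF >= 6 {
            split($1, h, " "); client = h[1]
            split($3, s, " "); status = s[1] + 0
            if (status >= 400) errs[client]++
        }
        END { for (c in errs) if (errs[c] >= thr) print c, errs[c] }
    ' "$1" | sort
}

# probed_paths FILE CLIENT -> the paths that CLIENT received 404s for
probed_paths() {
    awk -F'"' -v who="$2" '
        NF >= 6 {
            split($1, h, " "); split($2, r, " "); split($3, s, " ")
            if (h[1] == who && s[1] == "404") print r[2]
        }
    ' "$1"
}

status_breakdown "$ACCESS_LOG"
error_clients "$ACCESS_LOG" 2
probed_paths "$ACCESS_LOG" 192.168.75.14
```

Splitting on the quote character rather than on whitespace is what keeps this robust: the request line, Referer and User-Agent are attacker-controlled and can contain any number of spaces, but in the combined format they are always the 2nd, 4th and 6th quote-delimited fields.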

      2002:4687:db25:2:211:11ff:fea2:a2d0 - - [26/Jan/2011:09:27:35 -0500] "GET /icons/apache_pb2.gif HTTP/1.1" 304 - "http://[2002:4687:db25:2:211:11ff:fea2:a2d0]/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.9) Gecko/20100827 Red Hat/3.6.9-2.el6 Firefox/3.6.9"
      Note: You may log traffic using multiple LogFormats simultaneously to separate files

###Apache Virtual Hosts###
Features:
   1. Two types supported:
      a. IP-based - one site per IP address
      b. Host header names (name-based) - multiple sites per IP address
Tasks:
   1. Configure IP-based Virtual Hosts
      Note: The 'default host' (the first VirtualHost defined for an address) is a catch-all for all undefined Virtual Hosts
      a. 'httpd -S' - enumerates the virtual host(s) configuration
      Directives inside the site1 VirtualHost container:
         ServerAdmin [email protected]
         ServerName site1.linuxcbt.internal
         DocumentRoot /var/www/site1.linuxcbt.internal
         DirectoryIndex index.ggg
         Order allow,deny
         Allow from all
      Note: By not placing a default document ('index.ggg'), Apache served us the default page
   2. Configure host-header Virtual Hosts
      a. 'NameVirtualHost 192.168.75.22:80' - then define each site in its own '<VirtualHost 192.168.75.22:80>' container with a distinct 'ServerName'

###MySQL###
Features:
   1. RDBMS
   2. May be administered via: shell, web browser (phpMyAdmin), or GUI
Tasks:
   1. Explore the current environment:
      a. 'rpm -qa | grep mysql && yum search mysql'
   2. Install MySQL Server
      a. 'yum -y install mysql-server'
   3. 'rpm -ql mysql-server'
      '/var/lib/mysql' - DATA directory
      '/var/log/mysqld.log' - log file

      '/var/run/mysqld' - PID directory
   4. 'rpm -ql mysql' - enumerates common user binaries: i.e. 'mysqldump', 'mysqladmin', 'mysql', etc.
      '/usr/bin/mysql' - terminal monitor client - the client/server communications interface to the MySQLD back-end
   5. 'rpm -ql mysql-libs' - reveals '/etc/my.cnf' - system-wide config file
      a. '/etc/my.cnf' - read by clients and the mysqld server
   6. Start 'mysqld' - 'service mysqld start'
      Note: By default, the 'root' password is undefined (empty)
      '/usr/bin/mysqladmin -u root password 'abc123''
      '/usr/bin/mysqladmin -u root -h linuxcbtserv2.linuxcbt.internal password 'new-password''
      Note: MySQL represents users as user@host: i.e. 'root@localhost', 'root@linuxcbtserv2.linuxcbt.internal'; each such account has its own password, so set all of them
      Note: The default configuration permits anonymous connections sans password
      Note: A password given on the command line ('mysqladmin ... password') lands in the shell history and is briefly visible in 'ps'; setting it inside the terminal monitor (step 7) avoids that
   7. Change passwords within the terminal monitor:
      a. 'set password for 'root'@'linuxcbtserv2.linuxcbt.internal' = password('abc123');'
      b. 'set password for 'root'@'127.0.0.1' = password('abc123');'
      c. 'flush privileges;' - required after direct changes to the grant tables (SET PASSWORD itself takes effect immediately)
   8. Remove anonymous users:
      a. 'DELETE FROM mysql.user WHERE user = '';'
      b. 'flush privileges;'
   9. MySQL reads a hierarchy of config files upon invocation:
      a. '/etc/my.cnf' - system-wide file
      b. '$HOME/.my.cnf' - per-user file (keep it mode 0600 if it holds a password)
      c. Command Line Interface (CLI) options
   10. Create an addressbook DB:
      a. 'create database addressBook;'
      b. 'create table contacts ( `fname` char(20), `lname` char(20), `bus_phone1` char(20), `email` char(30), PRIMARY KEY (`email`) );'
      c. 'INSERT INTO contacts VALUES ('Dean','Davis','888-573-4943','info@LinuxCBT.com');'
      d. 'INSERT INTO contacts (fname,lname,bus_phone1) VALUES ('Diana','Mckenzie','888-573-4943');'
      e. 'update contacts set email = '[email protected]' where fname = 'Diana';'
      f. 'delete from contacts where email = '[email protected]';'

###PHP###
Features:
   1. Dynamic web programming/content generation
Tasks:
   1. Ensure the pre-requisites are in place
      a. 'rpm -qi php-mysql'
      b. 'yum -y install php-mysql'
      Note: Confirm the connection configuration prior to executing the script
      a. Change the script to use the routed address
      b. Check the SELinux booleans

         b1. 'getsebool -a | grep httpd' - ensure that HTTPD 'can' connect to 'db'
      c. Revert the script to use the 'loopback' address after rectifying the SELinux problems
      d. Confirm whether SELinux booleans for 'mysql' influence Apache's ability to source outbound connections to MySQL
         d1. The lone 'httpd' boolean ('httpd_can_network_connect_db') controls Apache's ability to connect to MySQL

###Network File System###
Features:
   1. Transparent access to remote file systems
   2. Support for NFS versions: 2 (nfs), 3 (default, nfs), 4 (nfs4)
   3. Supports both TCP (default) & UDP
   4. Relies upon the RPC portmapper service ('rpcbind'), which dynamically allocates ports
      Caveat: Dynamic ports don't always work well with firewalls (NFSv4 needs only TCP:2049, one reason to prefer it)
   5. Auto-transfers UID/GID information from client to server
      Caveat: With the default 'sys' security flavor the server trusts the UID/GID the client claims; anyone who is root on a client can act as any non-root user on the export
Tasks:
   1. Explore tools like 'showmount'
   2. Start the service and explore network stats
      a. 'service nfs start && chkconfig nfs on'
      b. 'netstat -ntlp' - search for 'rpc*'
      Note: 'rpcbind' is the RPC manager, which dynamically allocates ports for NFS-related services: quotad, statd, mountd, lockmgr, etc.
   3. Export a directory to remote clients
      a. '/etc/exports' - share directories via NFS here
         a1. '/projectx *(rw)' - (rw) export to ALL NFS clients that have IP access to our host; in production replace '*' with the client subnet or host names
         a2. 'exportfs -v' - dumps current exports and permissions
         a3. 'showmount --exports linuxcbtserv2' - dumps the exports of host 'linuxcbtserv2' (an attacker asks the same question during reconnaissance)
      b. Mount '/projectx' on a remote system
         b1. 'mount -t nfs linuxcbtserv2.linuxcbt.internal:/projectx /projectx'
      Note: Default exports are 'root' squashed. This means that when remote clients mount exports, 'root's I/O is mapped to 'nfsnobody' (anonymous); do not add 'no_root_squash' unless the client is fully trusted
      c. Re-export '/projectx' as read-only
         c1. 'nano /etc/exports' - change '(rw)' to '(ro)', then re-export with 'exportfs'

###SELinux###
Features:
   1. Mandatory Access Controls (MACs)
   2. Standard Linux | Unix permissions are based on Discretionary Access Controls (DACs), i.e.:
         -rw-rw-r--. 1 linuxcbt linuxcbt 2129783 Jan 7 17:06 temp.zip
      (the trailing '.' in the mode column indicates that the file carries an SELinux context)
   3. A sophisticated labeling system is applied to subjects & objects
   4. Subjects -> users and/or processes
   5. Objects -> files (also directories, sockets, ports, etc.)
   6. SELinux via MACs provides a way to separate users, processes, and objects via labeling, and monitors/controls their interaction via the Access Vector Cache (AVC)
   7. Labels are known as types, which create the silos around subjects & objects
   8. DACs are checked prior to MACs (a DAC denial never reaches SELinux; an AVC denial only appears once DAC has allowed the access)
   9. SELinux is enabled in 'enforcing' mode by default
   10. SELinux operates in 3 modes: disabled (DAC only), permissive (DAC; MAC decisions are logged but not enforced), enforcing (DAC/MAC/enforced)
   11. Log information: '/var/log/audit/audit.log' - AVC denials are logged here
   12. Policy information is defined in the 'targeted' policy
Tasks:
   1. Explore common tools
      a. 'sestatus -v' - displays the current status
      b. 'setenforce 0|1' - switches to permissive (0) or enforcing (1) mode
      c. '/etc/sysconfig/selinux' - primary config file
      d. '/selinux' - '/proc'-like (virtual) FS - maintains SELinux information
      e. 'setsebool' - sets boolean values for SELinux - use '-P' to make changes persistent across reboots
      f. '-Z' - use with common commands: i.e. 'ls', 'ps', 'id'
      g. Use 'restorecon -R /var/www/html' - resets ALL files to the proper type
      Note: 'restorecon' is necessary if files are moved about the FS and have incorrect contexts
   2. Switch the SELinux mode to 'permissive' and evaluate with Apache->MySQL
      a. 'setenforce 0' - sets SELinux to 'permissive'
      b. 'setsebool httpd_can_network_connect_db off' - disables Apache's ability to talk to MySQL
      c. 'setenforce 1' - sets SELinux to 'enforcing'
      d. Try to invoke an Apache->MySQL session: fails
   3. Move and copy content and evaluate
      Note: Moves ('mv') preserve the SELinux file (object) context
      Note: Copies ('cp') do NOT preserve the SELinux file (object) context. In this case, the object (file) will inherit the SELinux context of the target directory as defined by the SELinux 'targeted' policy.
   4. Relabel the full FS of the remote server
      a. 'touch /.autorelabel && reboot'
      Note: More files means more time to reboot
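An added example, not from the LinuxCBT notes: the denials that step 2 above provokes land in `/var/log/audit/audit.log` as `type=AVC` records, and on a busy host the same denial repeats hundreds of times. The script below collapses constructed audit lines (the first is the shape produced when `httpd_can_network_connect_db` is off; the `user_home_t` ones are a hypothetical mislabelled DocumentRoot) into one line per distinct denial and attaches the first remediation a practitioner would try. Only the two cases on this page get a canned hint; anything else is deferred to `audit2why` rather than guessed.

```shell
#!/bin/sh
# Added example, not part of the LinuxCBT notes: summarize AVC denials from
# /var/log/audit/audit.log. The audit lines below are constructed for the
# example (the first one is the shape of the denial the Apache->MySQL test
# above produces when httpd_can_network_connect_db is off).

AUDIT_LOG=$(mktemp)
trap 'rm -f "$AUDIT_LOG"' EXIT
cat > "$AUDIT_LOG" <<'EOF'
type=AVC msg=audit(1296063321.436:132): avc:  denied  { name_connect } for  pid=3127 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1296063321.436:132): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1296063400.101:140): avc:  denied  { read } for  pid=3128 comm="httpd" name="index.html" dev=dm-0 ino=262210 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1296063402.220:141): avc:  denied  { read } for  pid=3128 comm="httpd" name="logo.png" dev=dm-0 ino=262211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF

# avc_summary FILE -> "comm permission source_type target_type class count",
# one line per distinct denial, so repeated noise collapses into a count.
avc_summary() {
    awk '
        /^type=AVC / && / denied / {
            comm = ""; stype = ""; ttype = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
                if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }   # user:role:TYPE:level
                if ($i ~ /^tcontext=/) { split($i, a, ":"); ttype = a[3] }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            perms = $0; sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
            n[comm " " perms " " stype " " ttype " " tclass]++
        }
        END { for (k in n) print k, n[k] }
    ' "$1" | sort
}

# avc_hint SUMMARY_LINE -> the remediation a practitioner would reach for first.
# Only the two cases exercised on this page are canned; everything else is
# handed to audit2why (policycoreutils-python) rather than guessed at.
avc_hint() {
    case "$1" in
        *" name_connect "*" mysqld_port_t "*)
            echo "setsebool -P httpd_can_network_connect_db on" ;;
        *" httpd_t user_home_t file "*)
            echo "content is labelled user_home_t: move it under the DocumentRoot and run restorecon -Rv on it (or enable httpd_enable_homedirs if home directories are intended)" ;;
        *)
            echo "no canned hint: grep the denial from audit.log and pipe it to audit2why" ;;
    esac
}

avc_summary "$AUDIT_LOG" | while IFS= read -r line; do
    echo "$line"
    echo "  -> $(avc_hint "$line")"
done
```

The summary deliberately keeps only the type component of each context (the third colon-separated field); user and role rarely matter for a targeted-policy denial, and dropping them is what lets the repeated `user_home_t` reads collapse into a single counted line.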

###NMap###
Features:
   1. Port scanning
   2. Host | device detection
   3. Service detection
   4. OS fingerprinting
   5. Multi-target scanning
Tasks:
   1. Install 'nmap'
   2. Explore the package
      a. '/usr/bin/nmap' - primary binary
      b. '/usr/share/nmap/nmap-services' - translates well-known ports to service names
      c. '/usr/share/nmap/nmap-protocols' - translates IP protocols to names
   3. Use NMap
      a. 'nmap -v 192.168.75.0/24'
      Note: As the 'root' user, 'nmap' executes 'TCP:SYN' scans (half-open connections, '-sS') by default
      Note: As a non-privileged user, 'nmap' executes 'TCP:CONNECT' scans (full connections, '-sT'), which complete the handshake and therefore appear in the target's application logs
      b. Perform a service scan
         b1. 'nmap -v -sV target'

      Note: The leftmost 24 bits of a MAC address represent the vendor (the OUI); the rightmost 24 bits represent the unique NIC

###IPTables###
Features:
   1. IPv4 firewall - the user-space tool for the kernel's netfilter framework
   2. Typically manipulates layers 3 & 4 of the OSI model
      a. Layer-3 - Network (IPv4 | IPv6) - source and/or destination address filtering
      b. Layer-4 - Transport (TCP | UDP) - source and/or destination port filtering; ICMP is matched by type/code
Tasks:
   1. Explore the current configuration
      a. '/sbin/iptables' - key binary for managing firewall rules
      b. '/sbin/iptables-restore' - restores rules after a reboot and/or flush
      c. '/sbin/iptables-save' - archives the current rule-set and counters
      d. 'iptables -L' - enumerates the default table: 'filter' ('-n -v --line-numbers' adds unresolved addresses, counters and rule numbers)
      Note: IPTables maintains a number of tables: filter (default), nat, mangle
      Note: Each table maintains a number of chains.
      Note: A chain is simply a list of firewall (filtration) rules, evaluated top to bottom; the first matching terminating target wins, and the chain's policy applies when nothing matches
      FILTER:
         -INPUT - traffic destined to one of the interfaces governed by the host and sourced by an external host (party)
         -FORWARD - traffic destined to be routed through the host
         -OUTPUT - traffic sourced by OUR host, destined to a remote host
   2. Write INPUT chain rules to filter traffic & test
      a. 'iptables -A INPUT -s 192.168.75.105 -p TCP --dport 22 -j DROP'
      b. 'iptables -R INPUT 2 -p tcp --dport 22 -j DROP' - replaces rule 2 of INPUT, here dropping SSH from every source, so run it from the console rather than over SSH
   3. Write an OUTPUT chain rule to restrict outbound TCP:25
      a. 'iptables -A OUTPUT -p tcp --dport 25 -j DROP'
   Note: Rules added this way live only in memory; persist them with the iptables service's 'save' action, which writes '/etc/sysconfig/iptables' for the service to restore at boot

###IP6Tables###
Features:
   1. Management of IPv6 filtering
Tasks:
   1. Explore the configuration
      a. '/sbin/ip6tables' - primary binary
   2. Usage
      a. 'ip6tables -L'
      Note: With both IPv4 & IPv6, the default chain policy is 'ACCEPT', which may be switched to 'DROP' (there is no 'DENY' policy; 'REJECT' exists only as a rule target), after which explicit rules allowing traffic are required. A host with IPv6 auto-configured is reachable over IPv6 however tight its IPv4 rules are, so the two rule-sets must be maintained together.
   3. Write IPv6 rules
      a. 'ip6tables -A INPUT -p tcp --dport 22 -j LOG --log-level debug'
      b. 'ip6tables -A INPUT -p tcp --dport 22 -j DROP'

###TCPDump###
Features:
   1. Packet capturing
   2. Layers 2-7 of OSI
   3. Driven by three qualifiers

      a. Type - host|net|port
      b. Dir - src, dst, src or dst, src and dst
      c. Proto - ip, tcp, udp, arp, etc.
   4. Supports BPFs (Berkeley Packet Filter expressions)
   5. Uses promiscuous mode to intercept traffic not bound for the local system (on a switched network this only sees what the switch forwards to the port)
Tasks:
   1. Explore the configuration
      a. '/usr/sbin/tcpdump'
   2. Usage
      a. 'tcpdump -v' - dumps traffic to STDOUT
         13:48:06.854768 IP (tos 0x0, ttl 64, id 34654, offset 0, flags [DF], proto TCP (6), length 1500) linuxcbtserv2.linuxcbt.internal.5902 > 192.168.75.14.63276: Flags [.], cksum 0x3402 (correct), seq 27453037:27454485, ack 615, win 108, options [nop,nop,TS val 446941871 ecr 385595866], length 1448
      b. 'tcpdump -i eth0' - binds to the indicated interface
      c. 'tcpdump -D' - enumerates the interfaces
      d. 'tcpdump -i eth0 -w filename' - writes raw packets (pcap) to a file
      e. 'tcpdump -r tcpdump.full.log.2011-01-28' - reads packets back from a capture file
      f. 'tcpdump -e -r tcpdump.full.log.2011-01-28' - dumps the link-level header - L2
         13:56:09.105343 00:25:4b:a9:ba:3e (oui Unknown) > 00:11:11:a2:a2:d0 (oui Unknown), ethertype IPv4 (0x0800), length 66: 192.168.75.14.63276 > linuxcbtserv2.linuxcbt.internal.5902: Flags [.], ack 9101188, win 65535, options [nop,nop,TS val 385600686 ecr 447424118], length 0
      g. 'tcpdump -A -r tcpdump.full.log.2011-01-28' - L3-L7 (payload printed as ASCII)
      h. 'tcpdump -e -A -r tcpdump.full.log.2011-01-28' - dumps L2-L7
      i. 'tcpdump -n -e -A -r tcpdump.full.log.2011-01-28' - dumps L2-L7, suppresses name resolution (hosts and/or services); '-n' also keeps the capturing host from sending DNS queries about every address it sees
   3. Use BPFs to filter traffic
      a. 'tcpdump -w tcpdump.bpf.sans.vnc.1 not port 5902' - everything except port 5902 (any protocol)
      b. 'tcpdump -w tcpdump.bpf.sans.vnc.1 not tcp and port 5902' - note the precedence: this is '(not tcp) and port 5902', i.e. ONLY non-TCP traffic on port 5902, not "everything but TCP:5902"
      c. 'tcpdump -w tcpdump.bpf.sans.vnc.1 not tcp port 5902' - filters out TCP:5902 only; the same as 'not (tcp and port 5902)'

###Apache SSL/TLS###
Features:
   1. Secure communications for web services
   2. TCP:443 - https
   3. Multiple SSL/TLS sites can be bound to the same IP address so long as you use distinct TCP ports, i.e. TCP:443, TCP:4443, TCP:444
   4. SSL/TLS will read both the private key and the public (certificate) key from the same file
      Note: Simply reference the same file with the private-key and certificate directives (that file then holds the private key, so keep it root-owned and mode 0600)
Requires:
   1. HTTPD - Apache
   2. 'openssl' - SSL/TLS library
   3. 'mod_ssl' - Apache module
   4. 'crypto-utils' - includes 'genkey'
Tasks:
   1. Exploration of the current setup
      a. 'rpm -ql mod_ssl'

         /etc/httpd/conf.d/ssl.conf - first virtual host, and default SSL server
         /usr/lib/httpd/modules/mod_ssl.so - SSL/TLS module
      b. 'rpm -ql crypto-utils'
         '/usr/bin/genkey' - useful in generating various types of certificates: i.e. self-signed, CSRs, etc.
      c. 'rpm -ql openssl'
         '/etc/pki' - hierarchy of public-key files (certificates under /etc/pki/tls/certs, keys under /etc/pki/tls/private)
         '/usr/bin/openssl' - key OpenSSL binary used to generate certificates, etc.
   2. Explore the default SSL site
      a. '/etc/httpd/conf.d/ssl.conf'
   3. Use 'tcpdump' to enumerate clear-text and SSL/TLS-protected traffic
      a. 'tcpdump -vv -Ae tcp port 80 or 443'
      b. 'curl http://192.168.75.21' - initiates HTTP clear-text communications (request and response are readable in the capture)
      c. 'curl -k https://192.168.75.21' - initiates HTTPS encrypted communications ('-k' skips certificate verification; acceptable for this test against a self-signed cert, never in scripts that handle anything sensitive)
   4. Generate new usage keys for the default site
      a. 'genkey linuxcbtserv2.linuxcbt.internal'
   5. Update '/etc/httpd/conf.d/ssl.conf' with the new SSL keypair
      a. Replace the cert/private-key lines with pointers to the new files
   6. Generate usage keys for 'site1.linuxcbt.internal'
      a. '/etc/pki/tls/certs/make-dummy-cert' - works faster than 'genkey' (produces a self-signed cert with key and certificate in one file)

###VSFTPD with SSL###
Features:
   1. Implicit SSL -> TCP:990
   2. Explicit SSL (AUTH TLS) -> TCP:21
   3. Encryption of:
      a. Control channel
      b. Data channel
Tasks:
   1. Explore the current configuration
      a. Use LFTP to force an SSL connection
         '~/.lftprc'
            'set ftp:ssl-force yes'
            'set ftp:ssl-protect-data yes'
   2. Use 'tcpdump' to sniff clear-text traffic
   3. Set up the VSFTPD server with SSL support
      a. 'ssl_enable=yes' - this will require local logins (non-anonymous users) to use SSL/TLSv1, because 'force_local_logins_ssl' and 'force_local_data_ssl' default to YES
      b. 'ssl_tlsv1=yes' (default)
      c. 'rsa_cert_file=/etc/pki/tls/certs/linuxcbtserv2.linuxcbt.internal.crt' - this will allow VSFTPD to read both the private & public keys from the same file
      d. 'rsa_private_key_file=/etc/pki/tls/certs/linuxcbtserv2.linuxcbt.internal.key' - set this if the private key exists in a separate file
      e. 'openssl ciphers -v'
         Default cipher: 'DES-CBC3-SHA'
         'openssl ciphers -v | grep 'DES-CBC3-SHA''
            DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
         Note: 3DES is a legacy 64-bit-block cipher; set 'ssl_ciphers' to a modern AES suite list and leave 'ssl_sslv2' and 'ssl_sslv3' at their default of NO
      f. 'service vsftpd restart' - restart for the SSL settings to take effect
   4. Test SSL/TLS connectivity from various FTP clients
      a. 'lftp linuxcbt@localhost' - this will generate a certificate mismatch (the certificate was issued to 'linuxcbtserv2.linuxcbt.internal', not 'localhost')

      b. 'lftp [email protected]' - this works
   5. Test a clear-text FTP connection
      a. 'nano ~/.lftprc' - disable the ssl-force settings
   6. Configure VSFTPD to support both SSL/TLS and clear-text connections
      a. 'force_local_logins_ssl=no'
      b. 'force_local_data_ssl=no'
      Note: Allowing clear-text logins means credentials can be captured on the wire, exactly as step 2 demonstrated
   7. Windows with FileZilla
      a. Try both clear-text and FTP explicit-SSL connections

###Tighten Configuration###
Features:
   1. Improves your security posture
   2. Publish only necessary services
   3. Reduces risk/exposure to malicious clients
Tasks:
   1. Identify unnecessary IPv4 addresses
      a. 'ifconfig -a'
      b. 'eth0:1' & 'eth0:2'
      c. 'ifcfg eth0:1 del 192.168.75.22 && ifcfg eth0:2 del 192.168.75.23'
   2. Disable 'eth1'
      a. 'ifcfg eth1 stop'
   3. Reconnaissance scan
      a. 'nmap -v -sS -sU localhost'
         PORT      STATE          SERVICE
         21/tcp    open           ftp
         22/tcp    open           ssh
         25/tcp    open           smtp
         53/tcp    open           domain
         80/tcp    open           http
         111/tcp   open           rpcbind
         139/tcp   open           netbios-ssn
         443/tcp   open           https
         445/tcp   open           microsoft-ds
         514/tcp   open           shell
         2049/tcp  open           nfs
         3306/tcp  filtered       mysql
         4443/tcp  open           pharos
         5902/tcp  open           vnc-2
         53/udp    open           domain
         67/udp    open|filtered  dhcps
         69/udp    open|filtered  tftp
         111/udp   open           rpcbind
         123/udp   open           ntp
         137/udp   open           netbios-ns
         138/udp   open|filtered  netbios-dgm
         514/udp   open|filtered  syslog
         2049/udp  open           nfs
         5353/udp  open|filtered  zeroconf
   4. Define the system baseline
      a. SSHD
      b. HTTPD
      c. DNS
      d. SYSLOGD
      e. NTPD
      f. FTPS - explicit-mode FTP w/SSL/TLS
      g. MySQL - bound to loopback
      h. VNC
      i. SMTP - bound to loopback - default
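An added example, not from the LinuxCBT notes: the baseline above is only useful if something checks the host against it after every change. The script below does two things with a baseline written as `proto port bind` lines: it compares `netstat -ntulp` output against it (flagging listeners that are not in the baseline, and ones the baseline says should be loopback-only but are bound to every address), and it turns the published ports into an `iptables-restore` rule-set with a default-DROP INPUT policy, which is the allow-list form the IPTables section's append-a-DROP-rule approach does not give you. The netstat output, PIDs and baseline are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the LinuxCBT notes: check the listeners a host
# actually has against the baseline defined above, then turn that baseline
# into a default-deny iptables ruleset (complementing the IPTables section,
# which only appends DROP rules to a chain whose policy is still ACCEPT).
# The netstat output and baseline below are constructed for the example; on a
# real host feed unexpected_listeners the output of 'netstat -ntulp'.

NETSTAT_OUT=$(mktemp); BASELINE=$(mktemp)
trap 'rm -f "$NETSTAT_OUT" "$BASELINE"' EXIT

cat > "$NETSTAT_OUT" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1234/sshd
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      1402/httpd
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      1511/mysqld
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1330/master
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1102/rpcbind
tcp        0      0 :::22                       :::*                        LISTEN      1234/sshd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               1288/ntpd
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               1099/rsyslogd
EOF

# Baseline: "proto port bind", where bind is 'any' (published) or 'loopback'
cat > "$BASELINE" <<'EOF'
tcp 22 any
tcp 80 any
tcp 443 any
tcp 25 loopback
tcp 3306 loopback
udp 123 any
udp 514 any
EOF

# unexpected_listeners NETSTAT_FILE BASELINE_FILE
# Prints "proto port address finding" for listeners that are absent from the
# baseline or bound wider than the baseline allows; silent when all is well.
unexpected_listeners() {
    awk '
        NR == FNR { want[$1 " " $2] = $3; next }          # first file: baseline
        $1 ~ /^(tcp|udp)6?$/ && $4 ~ /:[0-9]+$/ {
            proto = substr($1, 1, 3)
            addr = $4; sub(/:[0-9]+$/, "", addr)
            port = $4; sub(/.*:/, "", port)
            bind = (addr == "127.0.0.1" || addr == "::1") ? "loopback" : "any"
            key = proto " " port
            if (!(key in want))
                print key, addr, "not-in-baseline"
            else if (want[key] == "loopback" && bind != "loopback")
                print key, addr, "should-be-loopback"
        }
    ' "$2" "$1" | sort -u
}

# ruleset_from_baseline BASELINE_FILE -> iptables-restore input that permits
# exactly the published ports: INPUT policy DROP, loopback and established
# traffic allowed, one ACCEPT per 'any' entry. Loopback-only services need
# no rule of their own because the '-i lo' rule already covers them.
ruleset_from_baseline() {
    awk '
        BEGIN {
            print "*filter"
            print ":INPUT DROP [0:0]"
            print ":FORWARD DROP [0:0]"
            print ":OUTPUT ACCEPT [0:0]"
            print "-A INPUT -i lo -j ACCEPT"
            print "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
            print "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
        }
        $3 == "any" { printf "-A INPUT -p %s --dport %s -j ACCEPT\n", $1, $2 }
        END { print "COMMIT" }
    ' "$1"
}

echo "== listeners outside the baseline =="
unexpected_listeners "$NETSTAT_OUT" "$BASELINE"
echo "== generated ruleset =="
ruleset_from_baseline "$BASELINE"
```

For the constructed data the check reports rpcbind (TCP:111, not in the baseline) and mysqld bound to 0.0.0.0 instead of loopback, which is exactly what steps 5 and 6 that follow fix. Load the generated rule-set from the console with `iptables-restore` and persist it through the iptables service; the `:::22` listener in the sample is a reminder that sshd is reachable over IPv6 too, so the same baseline needs an ip6tables counterpart.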

   4. 'netstat -ntulp' - enumerate TCP & UDP listeners
   5. Bind MySQL to loopback
      a. 'nano /etc/my.cnf'
      b. 'bind-address=127.0.0.1' - in the [mysqld] section ('bind' alone is not a recognized directive)
      c. 'service mysqld restart'
   6. Disable 'rpcbind'
      a. 'service rpcbind stop && chkconfig rpcbind off && chkconfig --list rpcbind'
      b. 'netstat -ntlp | grep 111'
   7. Disable 'NFS'
      a. 'service nfs stop && chkconfig nfs off && netstat -ntlp | grep 2049'
   8. Disable 'Samba'
      a. 'service smb stop && chkconfig smb off && netstat -ntlp | grep 445'
      b. 'service nmb stop && chkconfig nmb off && netstat -nulp | grep 137'
      c. 'service winbind stop && chkconfig winbind off'
   9. Disable 'DHCPD'
      a. 'chkconfig dhcpd off && service dhcpd stop'
   10. Disable 'TFTPD'
      a. 'chkconfig tftp off' - this disables & stops the XINETD-controlled service (chkconfig reloads xinetd)
   11. Configure VSFTPD to use SSL/TLS ONLY
      a. 'nano /etc/vsftpd/vsftpd.conf'
      b. 'force_local_logins_ssl=yes'
      c. 'force_local_data_ssl=yes'
      d. Use 'lftp' to confirm that VSFTPD permits SSL/TLSv1 connections ONLY
      e. Ensure that LFTP is configured to NOT use SSL, to see whether or not the server will permit non-SSL/TLSv1 connections (it should refuse the login)
   12. Restrict SSHD to the users 'root' & 'linuxcbt'
      a. '/etc/ssh/sshd_config'
      b. 'AllowUsers root linuxcbt'
      c. 'service sshd restart'
      d. Test SSH connectivity as allowed and disallowed users
   13. Restrict SSHD to the non-privileged users 'linuxcbt' & 'linuxcbt2'
      a. 'AllowUsers linuxcbt linuxcbt2'
      Note: Leaving 'root' out of 'AllowUsers' has the same effect as 'PermitRootLogin no': administrators log in as themselves and escalate, which leaves an audit trail of who did what
   14. Post-reconnaissance check
      a. 'nmap -v -sU -sS localhost'
      b. 'nmap -v -sU -sS 192.168.75.21' - execute from a remote host
      c. 'nmap -v -6 2002:4687:db25:2:211:11ff:fea2:a2d0' - execute IPv6 remote reconnaissance
      Note: The scan of 'localhost' still shows loopback-bound services (MySQL, SMTP); only the remote scans (b, c) reflect what the network sees, and the IPv6 scan matters because the IPv6 address was auto-configured whether or not anyone wrote ip6tables rules for it

=====================
LinuxCBT_EL-6_Edition_Notes2
2011-08-04 10:14:25
http://williamherry.blog.51cto.com/924679/630835

###Common Network Utilities###

Features:
   1. Determine if a remote host is up/available: 'ping'
   2. Determine if a local/remote service is available: 'telnet'
   3. Determine network socket stats/connections: 'netstat'
   4. View L2 information: 'arp'
   5. View the path taken by packets to a remote system: 'traceroute'
   6. Hostname-to-IP and reverse resolution: 'nslookup', 'dig'
   7. Learn more information about an IP and/or block: 'whois'
Tasks:
   1. Explore Packet InterNet Groper (PING)
      a. 'rpm -qf /bin/ping' - member of the 'iputils' package (no backticks: they would execute ping instead of naming the file)
      b. 'ping -c 3 192.168.0.254 -s 32' - sends 32 bytes of payload + 8 bytes (ICMP header)
      c. 'ping -c 3 -i 3 192.168.0.254' - sends 3 packets of 56 bytes, every 3 seconds, to the target
      Note: PING may be blocked by L3 devices on your network and/or the Internet
   2. Telnet - don't use it for TTY access to a remote host: credentials and the whole session cross the wire in clear text. Use SSH. Use Telnet only to test port accessibility
      a. 'telnet 192.168.74.1 22' - install if necessary using 'yum install telnet'
   3. Netstat - reveals TCP:UDP:Unix sockets - '/proc/net'
      a. 'netstat -a' - dumps ALL sockets with service/port and hostname resolution
      b. 'netstat -an' - same as above, but suppresses name resolution
      c. 'netstat -ntl' - suppresses name resolution, shows ONLY TCP sockets, and only listeners
      d. 'netstat -ntlp' - same as above, includes the programs bound to the ports
      Note: Use the '-p' option as root to reveal ALL programs (an unprivileged user sees only their own processes)
      Note: ':::514' - means the port is bound to ALL IPv6 addresses configured on the host
      Note: '0.0.0.0:514' - means the port is bound to ALL IPv4 addresses configured on the host
      e. 'netstat -i' - interface statistics
      f. 'netstat -nulp' - returns ALL UDP listeners
      g. 'netstat -rn' - returns the kernel routing table
   4. ARP - Address Resolution Protocol
      a. 'arp -a || arp -e'
      Note: ARP is usually self-managing.
   5. Traceroute - follows the path taken by packets across the network (Intra/Internet)
      a. 'traceroute 192.168.75.1'
      b. 'traceroute www.linuxcbt.com'
   6. 'nslookup'
      a. 'nslookup www.linuxcbt.com'
      Note: DNS client tools use '/etc/resolv.conf' to determine which DNS servers to query
   7. 'dig'
      a. 'dig www.linuxcbt.com'
      b. 'dig -x 71.6.195.206' - performs a reverse lookup
      c. 'dig linuxcbt.com mx'
   8. 'whois' - finds IP/domain ownership information
      a. 'whois linuxcbt.com'

###IPv4 Configuration###

Features:
   1. DHCP
   2. Static
   3. Virtual (sub) interfaces - supports a single physical interface connected to multiple logical networks, i.e. 192.168.75.0/24 && 192.168.76.0/24 && 10.0.0.0/30
Tasks:
   1. Explore key directories & files
      a. '/etc/sysconfig/network' - system-wide settings: i.e. hostname, gateway, networking enabled|disabled
      b. '/etc/sysconfig/networking' - the 'system-config-network' tool controls this directory; don't edit it manually.
      c. '/etc/hosts' - local name DB - should contain a record for the localhost, i.e. 'localhost.localdomain':
            127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
            ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
      Note: Add hosts to '/etc/hosts' for which you cannot or should not resolve via DNS
      d. '/etc/sysconfig/network-scripts'
         d1. Interface configuration files - describe the up/down config of interfaces, i.e. 'ifcfg-eth0'
         d2. Control files - describe how interfaces are to be brought up/down - scripts
         d3. Network function files - contain key network information required by the stack
         d4. 'ifup-eth' - brings up ethernet interfaces: i.e. 'eth0', 'eth1', etc.
         d5. 'ifdown-eth' - brings down ethernet interfaces: i.e. 'eth0', 'eth1', etc.
      e. 'ifconfig' - enumerates the configuration of interfaces
      Note: At minimum, a routable, connected system has at least 2 interfaces:
         1. 'lo' - loopback - 127.0.0.1
         2. 'eth0' - Ethernet0 - your routable IP/net
         e1. 'ifconfig'
            eth0      Link encap:Ethernet  HWaddr 00:21:86:94:CA:BE
                      inet addr:192.168.0.23  Bcast:192.168.0.255  Mask:255.255.255.0
                      inet6 addr: fe80::221:86ff:fe94:cabe/64 Scope:Link
                      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                      RX packets:255885 errors:0 dropped:0 overruns:0 frame:0
                      TX packets:143724 errors:0 dropped:0 overruns:0 carrier:0
                      collisions:0 txqueuelen:1000
                      RX bytes:234119225 (223.2 MiB)  TX bytes:15969698 (15.2 MiB)
                      Memory:fe200000-fe220000

            lo        Link encap:Local Loopback
                      inet addr:127.0.0.1  Mask:255.0.0.0
                      inet6 addr: ::1/128 Scope:Host
                      UP LOOPBACK RUNNING  MTU:16436  Metric:1
                      RX packets:40823 errors:0 dropped:0 overruns:0 frame:0
                      TX packets:40823 errors:0 dropped:0 overruns:0 carrier:0
                      collisions:0 txqueuelen:0
                      RX bytes:130967469 (124.9 MiB)  TX bytes:130967469 (124.9 MiB)
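An added example, not from the LinuxCBT notes: the `inet6 addr: fe80::221:86ff:fe94:cabe` shown above is not assigned by anyone; it is computed from `HWaddr 00:21:86:94:CA:BE` (modified EUI-64: flip bit 7 of the first octet, insert `ff:fe` in the middle), and the same construction produces the host part of the `2002:` addresses that appear on this page, whose `2002:XXXX:YYYY` prefix is in turn the public IPv4 address written in hex. The functions below carry both derivations out in both directions. The practical point for reconnaissance and for hardening is that such addresses leak information: an EUI-64 interface identifier discloses the NIC's MAC and vendor OUI, and a 6to4 prefix discloses the IPv4 address behind it. The IPv4 address and the second MAC used in the checks are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the LinuxCBT notes: the address derivations behind
# the link-local and 6to4 addresses on this page. No lookups are performed;
# everything is arithmetic on the address text.

# ipv4_to_6to4 A.B.C.D  -> 2002:aabb:ccdd::/48
ipv4_to_6to4() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    printf '2002:%02x%02x:%02x%02x::/48\n' "$1" "$2" "$3" "$4"
}

# sixto4_to_ipv4 2002:aabb:ccdd::[/48]  -> A.B.C.D  (what the prefix reveals)
sixto4_to_ipv4() {
    p=${1%%/*}; p=${p#2002:}
    g1=${p%%:*}; p=${p#*:}; g2=${p%%:*}
    printf '%d.%d.%d.%d\n' $((0x$g1 >> 8)) $((0x$g1 & 255)) $((0x$g2 >> 8)) $((0x$g2 & 255))
}

# eui64_suffix MAC -> the 64-bit interface identifier as four hex groups,
# e.g. 00:21:86:94:CA:BE -> 221:86ff:fe94:cabe
eui64_suffix() {
    set -- $(printf '%s\n' "$1" | tr 'A-F:' 'a-f ')
    o1=$(( 0x$1 ^ 0x02 ))                      # toggle the universal/local bit
    printf '%x:%x:%x:%x\n' $(( o1 * 256 + 0x$2 )) $(( 0x$3 * 256 + 0xff )) \
                           $(( 0xfe * 256 + 0x$4 )) $(( 0x$5 * 256 + 0x$6 ))
}

# mac_to_linklocal MAC -> fe80::<eui64>, the address every IPv6 NIC gets
mac_to_linklocal() {
    printf 'fe80::%s\n' "$(eui64_suffix "$1")"
}

# eui64_with_prefix PREFIX64 MAC -> full global address for a /64 subnet
eui64_with_prefix() {
    printf '%s:%s\n' "$1" "$(eui64_suffix "$2")"
}

# linklocal_to_mac fe80::<eui64> -> MAC, the reverse derivation an observer
# applies to an address seen in a log or a scan
linklocal_to_mac() {
    s=${1#fe80::}
    set -- $(printf '%s\n' "$s" | tr ':' ' ')
    a=$((0x$1)); b=$((0x$2)); c=$((0x$3)); d=$((0x$4))
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
        $(( (a >> 8) ^ 0x02 )) $(( a & 255 )) $(( b >> 8 )) $(( c & 255 )) $(( d >> 8 )) $(( d & 255 ))
}

mac_to_linklocal 00:21:86:94:CA:BE        # the eth0 address shown above
linklocal_to_mac fe80::221:86ff:fe94:cabe
ipv4_to_6to4 70.135.219.37                # constructed IPv4 address
sixto4_to_ipv4 2002:4687:db25::/48
```

Modern stacks can avoid the MAC leak by generating random (privacy) interface identifiers; when a host must not advertise its hardware identity, check that the interface identifier it actually uses is not the EUI-64 form.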

         e2. 'ifconfig eth0:1 192.168.75.22 netmask 255.255.255.0'
            e2.1. 'ping -c 3 -I 192.168.75.22 192.168.75.21' - sources traffic as 192.168.75.22
         e3. 'ifconfig eth0:2 192.168.75.23 netmask 255.255.255.0'
         e4. Preserve changes across a system restart / 'NetworkManager' service restart
            e4.1. 'cp -v /etc/sysconfig/network-scripts/ifcfg-eth0 ifcfg-eth0:1' - then edit DEVICE and IPADDR in the copy
      f. 'ifcfg eth0:3 add 192.168.75.24/24' - does duplicate address detection & sends (gratuitous) ARP to hosts on the same net as the interface
         f1. 'ifcfg eth0:1 delete 192.168.75.22/24' - removes the sub-interface
         f2. 'ifconfig eth0:2 del 192.168.75.23' - removes the sub-interface

###IPv6 Configuration###
Features:
   1. Self-configuring - the prefix (/64) is auto-derived from the router
   2. Can be configured via: neighbor-discovery auto-config by the router, DHCPv6, or statically (manually)
Tasks:
   1. 'less /etc/sysconfig/network-scripts/ifup-ipv6' - peruse the config
   2. Peruse the router's config
      a. '2002:4687:DB25:2:21A:2FFF:FEE3:F240'
         2002:4687:DB25:2 - the left-most 64 bits describe the subnet: /64 prefix - globally unique
         :21A:2FFF:FEE3:F240 - the right-most 64 bits describe the host (the interface identifier); this modified EUI-64 form embeds the NIC's 48-bit MAC address, so the address reveals the hardware vendor
   3. PING6 various devices
      a. 'ping6 -c 3 -I eth0 2002:4687:DB25:2:21A:2FFF:FEE3:F240'
      b. 'ping 2002:4687:DB25:2:21A:2FFF:FEE3:F240' - from the router, PING6 the RHEL-6 box
   4. Use a browser to access Apache via IPv6
      a. 'http://[2002:4687:DB25:2:21A:2FFF:FEE3:F240]/' - escape the IPv6 address with '[]' || use '/etc/hosts' || DNS
   Note: IPv6 is auto-configured, by default, so long as the router or DHCPv6 provides a usable prefix; rules written only with iptables do nothing for this traffic (see ip6tables)
   Note: Update host configuration, i.e. '/etc/hosts' and/or DNS, to reflect name-to-IPv6 mappings
   Note: Test with the desired applications: i.e. 'ssh', 'http client', etc.

###Very Secure File Transfer Protocol Daemon (VSFTPD)###
Features:
   1. Anonymous (default) and user-based FTP sessions
   2. SSL/TLS support (via OpenSSL); SFTP is a different protocol, provided by SSH, and needs no VSFTPD
   3. Does not permit 'root' access, by default ('root' is listed in /etc/vsftpd/ftpusers)
   4. Does not currently support IPv4 & IPv6 simultaneously with the same daemon (one 'listen' or 'listen_ipv6' instance each)
Tasks:
   1. Install using 'yum'
   2. Enable 'vsftpd' in the multi-user runlevels
      a. 'chkconfig vsftpd on'
   3. Start 'vsftpd'
      a. 'service vsftpd start'
   4. Disable anonymous access ('anonymous_enable=NO')
   5. Test local user access and update the SELinux configuration
      a. 'getsebool -a | grep ftp' - dumps the FTP-related SELinux booleans
      b. 'setsebool -P ftp_home_dir=1'
      Note: RHEL6 enables SELinux in 'enforcing' mode, requiring a slight change to the booleans to permit VSFTPD or any FTPD daemon to transition users into their $HOME directory
   6. Enable dual logging
      a. 'dual_log_enable=YES' - writes both the vsftpd-format log and an xferlog-format log
   7. Enable server time for the display of files/directories
      a. 'use_localtime=YES'
   Note: 'man vsftpd.conf' for useful directives that apply to your application

###LFTP###
Features:
   1. Interactive (shell-like) & non-interactive modes
   2. Scriptable
   3. Servers supported: FTP, FTPS, SSH (SFTP), HTTP, etc.
   4. Mirroring of content: forward (download) & reverse (upload)
   5. Regular expressions
   6. Job engine
Tasks:
   1. Use 'lftp' to connect to VSFTPD
      a. 'lftp localhost', then 'open -u linuxcbt' at the lftp prompt
      Note: LFTP batches authentication commands and submits them when control-channel commands such as 'ls' are received
=====================

==============
LinuxCBT_EL-6_Edition_Notes(3)
2011-08-04 10:49:43

      e. day of the week (Sun, Mon, Tue, etc. OR 0-7)
      f. command to execute (shell, perl, php, etc.)
   3. Wakes up every minute in search of programs to execute
   4. Reads cron entries from multiple files
   5. Maintains per-user and system-wide (/etc/crontab) entries
/etc:
   cron.d/        - drop-in system crontabs (same format as /etc/crontab, with the user field)
   cron.deny      - denies cron execution by user
   cron.monthly/  - runs jobs monthly
   cron.weekly/   - runs jobs weekly
   cron.daily/    - runs jobs daily
   cron.hourly/   - runs jobs hourly
   crontab        - contains the system-wide schedules
Note: A '*' wildcard in a time column means to run for all values
Per-user crontabs:
   Stored in: /var/spool/cron
   Task:
   1. Create a cron entry for the user 'student1'
      a. 'su student1'
      b. 'crontab -e'
      c. create an entry, minus the name of the user
   Note: 'crontab -l' enumerates the per-user cron entries
System-wide crontab:
   Stored in: /etc/crontab
   Task:
   1. Create a cron entry in /etc/crontab (system crontab lines carry an extra user field before the command)
   Note: 'crontab -l -u username' - enumerates the named user's cron entries (as root)
   Note: Entries in /etc/crontab and /etc/cron.d run as whichever user the line names, usually root, so those files and the scripts they invoke must be root-owned and not writable by anyone else

###SyslogD###
Features:
   1. Handles logging
   2. Unix domain socket (/dev/log)
   3. Internet socket (UDP:514)
   4. Ability to log to local and remote targets
Implemented as the 'sysklogd' package (these notes follow the EL5-era 'syslog' service; RHEL 6 ships 'rsyslog', whose '/etc/rsyslog.conf' accepts the same selector/target rules)
Primary config file: /etc/syslog.conf
A standard syslog.conf file contains:
   1. Rules
      a. facilities -> applications/daemons/network devices/etc.
      b. levels (severities) -> importance of the message. Range: 0-7, where 0 is the MOST severe:
            0 = emerg (emergency: system unusable)
            1 = alert
            2 = crit (critical)
            3 = err (error)
            4 = warning
            5 = notice
            6 = info
            7 = debug (the most information)
      Note: A selector such as 'local0.info' matches messages at 'info' AND every more-severe level (0-6), not 'info' alone; 'local0.=info' selects exactly one level
   2. Targets
      a. file - /var/log/messages
      b. tty - /dev/console
      c. remote host - @IP_ADDR_of_REMOTE_HOST (plain UDP: unauthenticated and unencrypted, so the receiver should only accept UDP:514 from known senders)
   '*' = catch-all/wildcard meaning any facility or any level
   '.none' = exclusion rule
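An added example, not from the LinuxCBT notes: selector lines are where syslog configurations go wrong, usually because someone assumes `local0.info` means "info only" or gets the severity order backwards. The script below writes out the matching rule a syslog.conf selector applies (which rsyslog's legacy syntax shares) so that a selector can be checked against a facility/severity pair before it goes into the file. The probe selectors are constructed for the example; `local0.info` is the rule the Cisco-gateway task that follows relies on.

```shell
#!/bin/sh
# Added example, not part of the LinuxCBT notes: the selector-matching rule
# that syslog.conf applies, written out so the severity ordering and the
# '.none' / '=' forms can be checked against real selectors.
set -f   # selectors contain '*': never let the shell glob them

# sev_num NAME -> numeric severity, 0 being most severe (RFC 5424 table)
sev_num() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *)            echo 99 ;;   # unknown name: never matches a real level
    esac
}

# selector_matches SELECTOR FACILITY SEVERITY -> yes|no
# SELECTOR is the left-hand side of a syslog.conf line, e.g. "*.info;mail.none"
# or "local0,local1.=crit". Rules: "fac.level" matches that level and every
# more severe one; "fac.=level" matches exactly that level; "fac.none" drops
# the facility; "*" wildcards a facility or level; parts are evaluated left to
# right and the last part that names the facility decides.
selector_matches() {
    sel=$1; fac=$2; sev=$3; result=no
    IFS=';'
    set -- $sel
    unset IFS
    for part in "$@"; do
        pfacs=${part%%.*}; plev=${part#*.}
        hit=no
        IFS=','
        for f in $pfacs; do
            [ "$f" = '*' ] || [ "$f" = "$fac" ] && hit=yes
        done
        unset IFS
        [ "$hit" = yes ] || continue
        case "$plev" in
            none) result=no ;;
            '*')  result=yes ;;
            =*)   if [ "$(sev_num "${plev#=}")" -eq "$(sev_num "$sev")" ]; then result=yes; else result=no; fi ;;
            *)    if [ "$(sev_num "$sev")" -le "$(sev_num "$plev")" ]; then result=yes; else result=no; fi ;;
        esac
    done
    echo "$result"
}

# Constructed checks: the Cisco-gateway rule ('local0.info'), the usual
# catch-all with mail excluded, and an exact-level selector.
for probe in "local0.info local0 notice" "local0.info local0 debug" \
             "*.info;mail.none mail err" "*.info;mail.none local0 warning" \
             "local0,local1.=crit local1 crit" "local0,local1.=crit local1 err"; do
    set -- $probe
    printf '%-22s %-6s %-7s -> %s\n' "$1" "$2" "$3" "$(selector_matches "$1" "$2" "$3")"
done
```

The consequence for the task below: a router that logs at `local0.info` will have its `notice`, `warning` and `err` messages written by that same rule, while anything it emits at `debug` is silently dropped; if the debug stream is wanted during an investigation, the selector has to say `local0.debug` (or `local0.*`).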

'man syslog.conf' to learn about the supported facilities and levels
Task:
   1. Enable UDP logging for the remote Cisco gateway (192.168.75.1)
      a. 'netstat -nul | grep 514' - reveals whether a UDP:514 listener exists (none by default)
      b. 'nano /etc/sysconfig/syslog'
         b1. 'SYSLOGD_OPTIONS="-m 0 -r"' - '-r' enables reception from the network; '-m 0' disables the periodic '-- MARK --' lines
      c. Restart syslog and confirm the UDP:514 listener
         c1. 'service syslog restart'
         c2. 'netstat -nul | grep 514'
      d. Configure the router to use facility 'local0' and level 'info'
      e. Configure /etc/syslog.conf to accept 'local0.info' (into its own file, so the router's messages do not get mixed into /var/log/messages)
      f. Restart or reload 'syslog'
      Note: With '-r' the daemon accepts datagrams from any source and syslog over UDP carries no authentication, so restrict UDP:514 to 192.168.75.1 with a firewall rule; otherwise anyone on the network can inject or flood log entries

###Log Rotation###
Features:
   1. Rotation of logs based on criteria
      a. size
      b. age (daily, weekly, monthly)
   2. Compression
   3. Maintain logs for a defined period
/etc/logrotate.conf - primary (global) config file for all logs - can be overridden by context-sensitive files, i.e. for Apache
   Run 'man logrotate' to get help
/etc/logrotate.d - directory of per-application rotation rules
   httpd - used to rotate the Apache logs:
      /var/log/httpd/*log {
          missingok
          notifempty
          sharedscripts
          postrotate
              /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
          endscript
      }
Task: Set up a rotation rule for the Cisco log
   1. Create an entry in /etc/logrotate.d based on /etc/logrotate.d/syslog
   2. Modify the entry to rotate based on the new criteria
   3. Rotate using 'logrotate /etc/logrotate.conf'
   Note: Force rotation using 'logrotate -f /etc/logrotate.conf'

###Common Network Utilities###
Features:
   1. Useful for basic troubleshooting

PING:
Features:
   1. Ability to communicate with hosts using ICMP
      a. PING sends ICMP echo-requests
      b. PING expects to receive ICMP echo-replies

Task: PING some hosts and evaluate the output
   1. 'ping localhost' (127.0.0.1)
   2. 'ping -c 3 localhost' - sends 3 ICMP echo-requests
   Note: 'ping localhost' performs name resolution using /etc/hosts
   Note: '/etc/hosts' stores static name-to-IP mappings
   Note: 127.0.0.0/8 is fully reserved for the loopback adapter of ALL IPv4 hosts
   3. 'ping -c 3 192.168.75.199'
   4. 'ping -c 3 -i 3 192.168.75.199' - delays PINGs to 3 seconds apart
   Note: PING defaults to a standard 1-second interval
   Note: Firewall(s) may block ICMP traffic, causing PING to fail even though the host is up
TELNET:
Features:
   1. Great for basic TCP port diagnosis (never for remote login: everything, including the password, crosses the wire in clear text)
Task:
   1. Connect to TCP ports on various hosts
      a. 'telnet 192.168.75.100 22'
      b. 'telnet www.linuxcbt.com 80'
NETSTAT:
Features:
   1. Provides network connection information from /proc/net/*
Task:
   1. Return useful information for various protocols
      a. 'netstat'
      b. 'netstat -a' - returns all protocols/sockets
      c. 'netstat -ntlp' - returns all TCP LISTENERS without name resolution
      d. 'netstat -nulp' - returns all UDP LISTENERS without name resolution
      Note: netstat uses /etc/services to translate ports to names
      Note: '0.0.0.0:514' - this means that Syslog will accept traffic to any of the defined IP addresses/interfaces on the system
      e. 'netstat -ntp' - returns established connections (sockets)
      f. 'netstat -rn' - returns the route tables
ARP:
Features:
   1. Resolves layer-3 (OSI model) IPv4 addresses to layer-2 MAC addresses
Task:
   1. Examine MAC addresses using ifconfig and arp
      a. 'ifconfig' - returns our local MAC addresses, i.e. HWaddr 08:00:27:CF:4C:DB
      b. 'arp -an' - returns MAC-to-IP mappings
   Note: When 2 IP hosts on the same link communicate, ARP is performed to translate the IPv4 address to a MAC address (IPv6 uses Neighbor Discovery for the same purpose)
   Note: If one or more routers separate the communicating hosts, then the MAC address of the default router's (gateway's) interface is stored by each client
   Note: ARP is unauthenticated: a forged reply (ARP spoofing) redirects a host's traffic on the local segment, which is why an unexpected change in the gateway's entry in 'arp -an' deserves attention

###IPv4 Configuration & Network Settings###
Network Support:

   1. Boot the system into a multi-user mode
   2. /etc/modprobe.conf - contains aliases and references to the module(s) to be loaded in order to provide networking (RHEL 6 reads /etc/modprobe.d/*.conf instead)
   3. Linux decides if the interface is DHCP or static by viewing the contents of:
      a. /etc/sysconfig/network - NETWORKING=yes|no, IPv6 support, default gateway, etc.
      b. /etc/sysconfig/network-scripts/ifcfg-eth0 - the interface's own settings (BOOTPROTO=dhcp|static|none, IPADDR, etc.); the same directory holds the ifup/ifdown scripts
      c. /etc/init.d/network - main service
         'service network status' - checks networking
         'system-config-network-*' - network interface configuration
      Note: Either update your net configuration manually from the shell, or use the 'system-config-network' tools, to avoid losing settings
   /etc/resolv.conf - DNS configuration file
   /etc/hosts - static list of hosts
IPv4 Aliases:
   1. 'ifconfig eth0:1 192.168.75.11'
   2. 'ifconfig eth0:2 10.168.76.11'
   Note: To ensure that aliases persist, do the following:
      1. 'cp /etc/sysconfig/network-scripts/ifcfg-eth0 ./ifcfg-eth0:1'
      2. Modify ifcfg-eth0:1 to reflect the aliased IP (and the DEVICE name)
   Note: Aliases do NOT work on DHCP interfaces
   'ifconfig eth0:2 del 10.168.76.11' - removes the virtual interface
IPv6 Config
Features:
   1. Auto-configured from the default gateway (router advertisements)
   2. fe80:: - link-local address (valid only on the local link; every IPv6 interface has one, derived from its MAC)
   3. 2002:: - 6to4 address, derived from the host's public IPv4 address embedded in hex notation
   'ping6 -I eth0 fe80::a00:27ff:fecf:4cdb' - link-local addresses require the interface to be named ('-I')
   'traceroute6' - used to trace routes on IPv6 networks

###Kernel Upgrade###
Features:
   1. Provision of an updated/patched kernel
Task:
   1. Update the kernel
      a. use 'uname -a' to reveal the current version
      b. use 'rpm -qa | grep -i kernel' - to reveal the installed version(s)
      c. 'cat /etc/grub.conf' -> /boot/grub/grub.conf
   2. The proper installation method is as follows:
      a. 'rpm -ivh kernel*.rpm' - installs alongside the running kernel as a separate version (never '-U', which would replace the only kernel known to boot)
      Note: Install the following kernel packages if necessary:
         a. kernel-devel* - if module compilation is necessary
         b. kernel-headers* - if recompilation is necessary

Install:
a. rpm -ivh kernel-2.6.18-53.el5.i686.rpm
Note: This will update GRUB (/boot/grub/grub.conf)
Note: Will also place the new kernel in the /boot file system
Examine traces in:
a. /boot
b. /boot/grub/grub.conf
3. Remove traces of former kernel using 'rpm -e [--nodeps]'
a. rpm -e kernel-2.6.18-8.el5 - remove older version
b. rpm -e --nodeps kernel-headers-2.6.18-8.el5 - force remove ignoring dependencies
c. rpm -e kernel-devel-2.6.18-8.el5
4. Install new 'kernel-headers' and 'kernel-devel' packages using YUM
a. yum -y install kernel-headers
b. yum -y install kernel-devel
5. Confirm that the 3 'kernel-*' packages are installed:
a. rpm -qa | grep -i kernel
Note: Removal of older kernel-* packages cleans up:
a. /boot
b. /boot/grub/grub.conf (menu.lst)

###Runlevel Service Management Tools###
Features:
1. The ability to indicate desired runlevels for services
2. Service /usr/sbin/ntsysv
Usage:
1. 'ntsysv' - manages services in the current run-level
2. 'ntsysv --level 35' - manages services for run-levels 3 & 5
Note: Neither ntsysv nor chkconfig starts|stops services

/sbin/chkconfig
Chkconfig Usage
1. chkconfig --list ntpd - returns run-level environment for 'ntpd'
Note: items listed as 'off' have K (kill) scripts
Note: items listed as 'on' have S (start) scripts
2. 'chkconfig --level 3 ntpd off' - creates a K(kill) script in run-level 3
3. 'chkconfig --level 35 ntpd off'
4. 'chkconfig ntpd on' - enables 'ntpd' in levels 2-5
5. 'chkconfig ntpd off' - disables 'ntpd' in levels 0-6

Note: Use 'chkconfig' from the shell or a script
Note: Use 'ntsysv' from the shell in interactive mode
Note: When controlling services using 'chkconfig', reference the name of the service as it's specified in: /etc/init.d
system-config-services - GUI tool to manage services

###Network Time Protocol (NTP) Implementation###
Features:
1. The ability to synch your system's clock
2. Also can be used to synch other clocks
3. Implemented as: 'ntp-4.2...rpm' package
4. Is hierarchical, using strata levels to denote time accuracy
/etc/ntp.conf - primary configuration

NTP Strata:
Features:
1. The ability to denote clock accuracy based on stratum
2. With stratum level 1 being the most accurate, as an NTP server at this level is connected to an external time source (GPS, Radio, etc.)
Use: www.ntp.org - to locate public NTP clocks at various strata
Task:
1. Synch against internal NTP server
a. /etc/ntp.conf
a1. server 192.168.75.100
b. service ntpd start - this starts the 'ntpd' service
c. chkconfig ntpd on
d. ntpq -np - this queries the running 'ntpd' server
Note: NTP synchronization is hierarchical. Thus, if we synch against a stratum 3 clock, we become a stratum 4 clock
2. Prove that 'linuxcbtserv4' is indeed a stratum 4 clock
a. /etc/ntp.conf - of 'linuxcbtserv4'
a1. server 192.168.75.199
Note: Ideally, you should supply your /etc/ntp.conf file with at least 3 clocks for:
1. Accuracy
2. Redundancy

###Trivial File Transfer Protocol Daemon (TFTPD)###
Features:
1. Fast, connectionless (UDP), file transfers
2. Often used to move files to and from networked systems (VOIP Phones, PXE configurations, Router/Firewall/Switch configurations, etc.)
Note: Implemented as 2 components:
1. Client - tftp-*rpm
2. Server - tftp-server-*rpm
Tasks:
1. Install TFTP client
a. yum -y install tftp
2. Install TFTP server
a. yum -y install tftp-server
Note: this also installs the xinetd dependency
3. Configure and start 'tftp' via 'xinetd'
a. /etc/xinetd.d/tftp - modify this file prior to starting 'TFTPD'
Note: TFTPD listens on UDP:69, by default
Note: use 'netstat -nulp | grep 69' to check if it's running

4. Copy Cisco Router configuration to TFTP server
a. 'copy running-config tftp://192.168.75.199'
b. 'setsebool -P tftpd_disable_trans=1' - disables SELinux for TFTPD
c. '/etc/init.d/xinetd restart' - restart XINETD
d. 'chmod 666 linuxcbtrouter1.config' - to permit TFTPD to write
5. Use 'tftp' client to download 'linuxcbtrouter1.config' file
a. 'tftp 192.168.75.199 -c get linuxcbtrouter1.config'

###Very Secure File Transfer Protocol Daemon (VSFTPD)###
Features:
1. FTPD
2. Chroot jail
3. anonymous and local-user auth
4. Rate-limiting
Task:
1. Install 'vsftpd'
a. yum -y install vsftpd
2. Start the server
a. service vsftpd start
b. netstat -ntlp | grep 21
3. Configure service to start when system boots into multi-user runlevel
a. chkconfig vsftpd on
b. chkconfig --list vsftpd
4. Connect to the FTPD service:
a. Use web browser, which defaults to anonymous
b. Use standard FTP client, as anonymous
c. setsebool -P ftp_home_dir=1
d. service vsftpd restart - for changes to take effect
5. Chroot jail local users & disable 'anonymous' access
a. chroot_local_user=YES - this jails users
b. service vsftpd restart - for changes to take effect
c. test connectivity as 'anonymous' and 'non-anonymous' users
6. Enable IPv6 listener:
a. listen_ipv6=YES - DO NOT USE WITH 'listen=YES' (IPv4)
7. Restrict 'non-anonymous' users' transfer rate
a. local_max_rate=1000 - restricts connections to 1000 bytes/s (1K/s)

###LFTP###
Features:
1. Sophisticated FTP client
2. Provides connectivity:
a. FTP
b. HTTP/HTTPS
c. SFTP(SSHv2)
3. Interactive and non-interactive mode
4. Supports scripting
5. Reads system-wide (/etc/lftp.conf) and per-user config file (~/.lftprc)
6. Behaves like the BASH shell
a. Command history
b. Permits execution of background jobs. Use CTRL-Z to background
7. Supports mirroring (forward and reverse) of content
8. Supports FTP retransmit/reconnect
9. Supports bookmarks of sites
10. Supports escape to shell using '!command' e.g. '!bash'
11. Supports the execution of BASH programs '!command' e.g. '!ps -ef'

Usage:
1. lftp - enters interactive mode
a. 'set -a' - reveals all variables
2. 'lftp [email protected]'
3. 'mget -c' - continues downloads
4. 'mput -c' - continues uploads
5. 'lftp -u linuxcbt,abc123 sftp://192.168.75.199' - Connects to SFTP server
6. mirror -v mirrors - mirrors a remote directory named 'mirror' to the local system

###Telnet Server###
Features:
1. Shell interface on remote system
2. Binds to TCP:23
Caveat:
1. Clear-text based application (credentials are transmitted in the clear)
2. By default, 'root' is NOT permitted access via telnet-server - /etc/securetty
Requirements:
1. xinetd - installed automatically via yum
Install Telnet Server:
1. yum -y install telnet-server
2. nano /etc/xinetd.d/telnet - change 'disable = yes' to 'disable = no'
3. service xinetd restart - effects changes
Tasks:
1. Connect to both systems from either system using 'telnet' client
a. telnet 192.168.75.199 - This will allocate a free pseudo-terminal, if the user authenticates successfully
Note: TCP|UDP ports are 16-bit: 2**16, OR 0-65535
Note: ptys are assigned sequentially, by default
2. Enable 'root' login via telnet
a. mv /etc/securetty /etc/securetty.disabled
Note: By default, telnet-server reads and displays the contents of: /etc/issue
Note: Wherever/whenever possible opt for SSH in place of Telnet Server
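The VSFTPD settings covered above (anonymous access, chroot_local_user, the listen/listen_ipv6 conflict, local_max_rate) can be checked mechanically before the service is restarted. The following is an added example and not code from the LinuxCBT course: a POSIX shell audit run over two constructed vsftpd.conf fragments, one carrying the weak values and one carrying the hardened values from the notes. The function names and both config fragments are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit vsftpd.conf "key=value" settings the notes discuss.
# Both config fragments below are constructed for this example.

WEAK_VSFTPD='anonymous_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=NO
listen=YES
listen_ipv6=YES
local_max_rate=0'

HARDENED_VSFTPD='anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
listen=NO
listen_ipv6=YES
local_max_rate=1000'

# vsftpd_get CONFIG KEY: print the last value assigned to KEY (the last
# occurrence wins; commented lines are skipped). Prints nothing if KEY is unset.
vsftpd_get() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key  { val = $2 }
        END        { print val }'
}

# vsftpd_findings CONFIG: one finding per line, nothing when the config is clean
vsftpd_findings() {
    cfg=$1
    if [ "$(vsftpd_get "$cfg" anonymous_enable)" = "YES" ]; then
        echo "anonymous_enable=YES: anonymous logins permitted"
    fi
    if [ "$(vsftpd_get "$cfg" chroot_local_user)" != "YES" ]; then
        echo "chroot_local_user not YES: local users are not jailed to their home"
    fi
    if [ "$(vsftpd_get "$cfg" listen)" = "YES" ] && \
       [ "$(vsftpd_get "$cfg" listen_ipv6)" = "YES" ]; then
        echo "listen=YES and listen_ipv6=YES set together (the notes say not to combine them)"
    fi
    case "$(vsftpd_get "$cfg" local_max_rate)" in
        ''|0) echo "local_max_rate unset or 0: no transfer rate limit for local users" ;;
    esac
}

# vsftpd_finding_count CONFIG: number of findings (0 for a clean config)
vsftpd_finding_count() {
    vsftpd_findings "$1" | grep -c . || true
}

# Usage when run directly
echo "weak config:";     vsftpd_findings "$WEAK_VSFTPD"
echo "hardened config:"; vsftpd_findings "$HARDENED_VSFTPD"
```

Absence of a key is treated the same as its insecure value, which matches how vsftpd falls back to built-in defaults when a directive is missing from the file.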

###Dynamic Host Configuration Protocol Daemon###
Features:
1. Provides automatic configuration of IPv4 clients
a. IPv4 address
b. Subnet mask
c. Default gateway
d. DNS Servers
e. NTP Servers
f. WINS Servers
2. Leases the addresses and related information based on predefined values:
a. 1 day
b. 1 week
c. 1 month
3. DHCP uses the UDP protocol and layer-2 information to request/assign addresses
4. DHCP Process - DORA
a. Discovery - client broadcasts on the local subnet for a DHCP server
b. Offer - returned by the DHCP server
c. Request - formal address request by client
d. Acceptance - Acknowledgement occurs
Note: DHCPD records leases in: /var/lib/dhcpd/dhcpd.leases
Tasks:
1. Install DHCP server
a. yum -y install dhcp
2. Configure: /etc/dhcpd.conf - primary config file
3. Set service up to start when system boots
a. chkconfig dhcpd on
4. Disable service on 192.168.75.100 box
a. rcdhcpd stop
5. Start service on localhost
a. service dhcpd start
6. Setup DHCP reservation
a. Requires the MAC address of the client (00:0C:29:B5:16:92)
b. Requires the 'fixed-address' - IPv4 address to map to the MAC address
c. Optional 'option-*' directives are supported within the host { } block
d. service dhcpd restart - restart to effect changes

###BIND DNS###
Features:
1. Name-to-IP address mapping
2. Name resolution for DNS clients
3. Caching-only server (Default)
4. Primary DNS server
5. Slave server
6. Replication of DNS database information between servers
7. Dynamic DNS updates
8. Provides numerous client tools: nslookup, dig, host
Tasks:
1. Installation of BIND on the remote system: linuxcbtserv4
a. yum -y install bind
2. Setup service to auto-start at boot

a. chkconfig --level 35 named on - enables the service in runlevels: 3,5
3. Configure a default, caching-only, named.conf file
a. rpm -ql bind - to see samples
b. cp /usr/share/doc/bind*/sample/* to /etc/* and /var/named/
c. Modify /etc/named.conf - disable DDNS_KeyGen sections
d. Start the server - service named start
4. Query the server
a. dig @localhost www.linuxcbt.com
a1. Returns: question, answer, authoritative DNS servers, query time
b. nslookup www.linuxcbt.com OR nslookup - server 127.0.0.1 - www.linuxcbt.com
Note: The server has cached: www.linuxcbt.com, evidenced by the decrementing TTL value for the various records associated with the zone
c. host www.linuxcbt.com - also performs a lookup
Note: /etc/resolv.conf controls the DNS servers that are consulted by lookup tools such as: Web browser, GFTP, LFTP, nslookup, dig, host, etc.
d. dig linuxcbt.com MX - queries the domain for mail exchangers
Note: DNS is organized into an inverted tree, with '.' representing the root of the DNS tree.
e.g. dig mail1.linuxgenius.com
-- . = root
-- .com = top level
-- .linuxgenius = second level
-- mail = third level
Note: A trailing '.' in a DNS query is implied, and may optionally be indicated if desired in any standard Internet application (web browser, FTP client, wget, nslookup, dig, host, etc.)
5. Start 'named' as a caching-only DNS server (Default)
a. service named start
b. 'dig @192.168.75.199 www.linux.com' - forces a caching-only lookup query

Primary & Secondary Zones:
Features:
1. Ability to service zones
2. Authoritative support for a zone
Tasks:
1. Create internal zone named 'linuxcbt.internal'
a. modify /etc/named.conf to include the new zone
zone "linux.internal" IN {
    type master;
    file "linux.internal.db";
    allow-update { none; };
};
b. create the corresponding zone file
c. restart named
d. test resolution of DNS primary zone
Note: Install 'caching-nameserver*' for Caching-only DNS server
2. Create a slave (Secondary) server
a. yum -y install bind
b. copy sample files from primary server to secondary server
c. modify /etc/named.conf and set 'linuxcbt.internal' zone to slave
d. start named service - 'service named start'
e. chkconfig --level 35 named on
f. Update: /var/named/linux.internal.db to reflect new name server
3. Create a primary zone on the 'secondary' server
a. Create a zone for: linuxcbt.external - in /etc/named.conf
b. copy/create 'linuxcbt.external.db' zone file
c. setup 'linuxcbtserv4' to be a slave for the zone: linuxcbt.external

Forward IPv6 Records:
Implemented primarily as AAAA records
Test IPv6 resolution using:
1. ping6 linuxcbtrouter1.linuxcbt.internal
2. dig @192.168.75.10 linuxcbtrouter1.linuxcbt.internal

Reverse Zones:
Features:
1. The ability to resolve a name, given an IPv4 or IPv6 address
Tasks:
1. Define an IPv4 reverse zone for the local subnet:
a. Define zone name: '75.168.192.in-addr.arpa' - /etc/named.conf
b. Update: /etc/named.conf
c. Create zone file in: /var/named
d. update configuration
e. restart named
f. test using 'dig @192.168.75.1 -x 192.168.75.1'
Note: Reverse zones are built from the prefix in IPv4 subnets

IPv6 Reverse Zone:
Requirements:
1. /etc/named.conf entry
zone "3.0.0.0.3.2.b.d.7.8.6.4.2.0.0.2.ip6.arpa" IN {
    type master;
    file "named.ip6.local";
    allow-update { none; };
};
Note: IPv6 reverse zone names are in nibble format, with ALL zeros expanded for the network prefix portion of the address, which is usually 64-bits in length
2002:4689:db23:3:202:b3ff:fe98:4104/64
2002:4689:db23:3:202:b3ff:fe98:4108
2. /var/named/zone_file
a. Include entries using the last 64-bits or IPv6 host part
4.0.1.4.8.9.e.f.f.f.3.b.2.0.2.0 IN PTR rhel5-1.linux.internal.
Note: When creating reverse IPv6 entries for hosts, do the following:
a. reverse the 64-bit portion of the address that corresponds to the host, expanding all zeros
b. Create PTR record based on the reversed, nibble-format of the address
Test using dig
a. dig -x @192.168.75.1 2002:4689:db23:3:202:b3ff:fe98:4108
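Expanding every zero and reversing the nibbles by hand is where IPv6 reverse zones usually go wrong, so the steps above are worth automating. The following is an added example, not code from the LinuxCBT course: POSIX shell and awk functions that expand an IPv6 address, produce the full ip6.arpa name, and split it at a prefix length into the PTR owner label and the zone name. Run against the /64 address from the notes it reproduces the PTR label shown above; the zone name it prints can be compared with the one in the named.conf entry. The function names are assumptions made for this example; the address and prefix come from the notes.

```sh
#!/bin/sh
# Added example: build ip6.arpa reverse names the way the notes describe
# (expand every zero, reverse the nibbles, split at the prefix boundary).
# POSIX sh + awk; nothing here is from the LinuxCBT course itself.

# ip6_expand ADDR: print ADDR as 32 lowercase hex nibbles with "::" and
# leading zeros expanded; exit status 1 for a malformed address.
ip6_expand() {
    printf '%s\n' "$1" | awk '{
        addr = tolower($0)
        n = split(addr, half, "::")          # at most one "::" is allowed
        if (n > 2) exit 1
        nl = split(half[1], l, ":")
        nr = (n == 2) ? split(half[2], r, ":") : 0
        if (n == 1 && nl != 8) exit 1        # no "::" means exactly 8 groups
        if (n == 2 && nl + nr > 7) exit 1    # "::" must stand for >= 1 group
        out = ""
        for (i = 1; i <= nl; i++) out = out pad(l[i])
        for (i = nl + nr; i < 8; i++) out = out "0000"
        for (i = 1; i <= nr; i++) out = out pad(r[i])
        if (length(out) != 32) exit 1
        print out
    }
    # pad a 1-4 digit hex group with leading zeros; reject anything else
    function pad(g) {
        if (length(g) < 1 || length(g) > 4 || g ~ /[^0-9a-f]/) exit 1
        while (length(g) < 4) g = "0" g
        return g
    }'
}

# ip6_arpa ADDR: full reverse name for a host (what "dig -x" asks for)
ip6_arpa() {
    hex=$(ip6_expand "$1") || return 1
    printf '%s\n' "$hex" | awk '{
        out = ""
        for (i = length($0); i >= 1; i--) out = out substr($0, i, 1) "."
        print out "ip6.arpa"
    }'
}

# ip6_rev_parts ADDR PREFIXLEN: print "<host-label> <zone-name>", where the
# host label is the reversed nibbles of the host bits (the owner name of the
# PTR record) and the zone name is the reversed prefix nibbles plus
# ".ip6.arpa". PREFIXLEN must be a multiple of 4 between 4 and 124.
ip6_rev_parts() {
    hex=$(ip6_expand "$1") || return 1
    printf '%s\n' "$hex" | awk -v plen="$2" '{
        nib = plen / 4
        if (nib != int(nib) || nib < 1 || nib > 31) exit 1
        host = ""; zone = ""
        for (i = 32; i > nib; i--)
            host = host substr($0, i, 1) (i > nib + 1 ? "." : "")
        for (i = nib; i >= 1; i--)
            zone = zone substr($0, i, 1) "."
        print host, zone "ip6.arpa"
    }'
}

# Usage when run directly: the /64 host from the notes
ip6_rev_parts 2002:4689:db23:3:202:b3ff:fe98:4104 64
```

The first field of the output is the left-hand side of the PTR record in the zone file; the second is the name to put in the zone "..." statement in named.conf.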

###Network File System (NFS)###
Features:
1. Transparent access to remote file systems
2. Installed by default
3. Uses RPC for communications
Tasks:
1. Export a directory on the server using: /etc/exports
a. /path_to_directory IP_ADDR(rw/ro)
b. /nfs1 192.168.75.10(rw)
c. mkdir /nfs1
d. start NFS server - 'service nfs start'
e. Confirm export(s) - 'exportfs -v'
Note: NFS matches the remote user's UID to the local /etc/passwd to determine ACLs
2. Export /nfs2
a. Create entry in /etc/exports
b. Update current exports using: exportfs -a
3. Mount both exports on a remote system
a. mount -t nfs 192.168.75.199:/nfs1 /nfs1
b. mount -t nfs 192.168.75.199:/nfs2 /nfs2
4. Allow local 'root' user the ability to write to /nfs1 export
a. /etc/exports: (rw,no_root_squash)
5. Setup mount points so that they're available upon reboot
a. /etc/fstab
b. Umount and confirm that NFS mount points will be available when the client system changes runlevels (reboots, starts, etc.) - 'mount -a'
showmount -a 192.168.75.199 - shows mounts on this system (connected NFS clients)
6. Attempt to mount /nfs1 and /nfs2 from an unauthorized system
a. Fails because client's IP does not match server's /etc/exports
b. Update server's /etc/exports to allow additional hosts/subnet/etc.
c. exportfs -a - to update the export table

###AutoFS###
Features:
1. Automatically mounts file systems (NFS, local, SMBFS, etc.) upon I/O request
Requirements:
1. autofs-*rpm must be installed
/etc/auto.master - primary configuration file
/etc/ - also contains mount points and their mappings
/etc/sysconfig/autofs - default startup directives
Note: AutoFS must be running in order to auto-mount directories
Task:
1. Create an automount for /shares, which will mount /nfs1 & /nfs2
a. update /etc/auto.master - '/shares /etc/auto.shares'
b. cp /etc/auto.misc /etc/auto.shares
c. update the rules in /etc/auto.shares
d. Create AutoFS tree: /shares/
e. Restart the autofs service
f. Umount /nfs1 & /nfs2 if necessary
Note: Do NOT auto-mount directories that are already mounted
g. Test access to AutoFS controlled directory
g1. 'ls -l /shares/nfs1'
Note: syntax for auto-mount files is as follows: [] nfs1 -fstype=nfs 192.168.75.199:/nfs1

###Samba###
Features:
1. Provides Windows features (file & print) on Linux | Unix
/etc/samba/smb.conf - primary config file
Clients
1. findsmb - finds SMB hosts on the network
2. smbtree - equivalent to Network Neighborhood/My Network Places (prints workgroups, hosts, and shares)
3. smbget - similar to 'wget', in that it will download a file from the remote share
a. smbget -u dean smb://linuxcbtwin1/mtemp/20070504.test
4. smbclient - interactive (FTP-like) utility to connect to shares - permits uploads/downloads from shares
a. smbclient -U dean //linuxcbtwin2/mtemp
b. mget file* - downloads file(s)
c. mput file* - uploads file(s)
5. smbtar - backs-up smb shares to a TAR archive
a. smbtar -s linuxcbtwin1 -x mtemp -u dean -t backup1.tar

Samba Server:
/etc/samba/smb.conf - primary config file
SWAT manages /etc/samba/smb.conf
Samba Server Modes:
1. User
a. One Samba-defined user is required per Linux user
b. Authentication of users is handled by the Samba server
2. Server/Domain (PDC/BDC)
a. Authentication is handled by the Windows NT/2K/2K3/2K8 server
b. Still requires a local Samba-defined user accounts database
3. ADS - Active Directory
a. authentication is handled by Active Directory
b. When used with Winbind, locally-defined Samba users are NOT required
Note: Ultimately, users must authenticate to the local Linux file system
Task:
1. Install SWAT
a. yum -y install samba-swat
b. nano /etc/xinetd.d/swat - set 'disable = no'
c. service xinetd restart
d. netstat -ntl | grep 901
/etc/samba/smbpasswd maps Windows users to /etc/passwd
2. Install rdesktop and connect to Windows XP to test connectivity to Samba
a. yum -y install rdesktop

Winbind:
Features:
1. Windows AD integration
2. Avoids having to define users in 2 places: Windows, Linux
3. Uses Kerberos for authentication
Requirements:
1. krb5-* packages
2. Properly configured Kerberos environment:
a. /etc/krb5.conf
[libdefaults]
default_realm = AD2.LINUXCBT.INTERNAL
[realms]
AD2.LINUXCBT.INTERNAL = {
    kdc = linuxcbtwin3.linuxcbt.internal
    admin_server = linuxcbtwin3
}
[domain_realm]
.linuxcbtwin3.ad2.linuxcbt.internal = AD2.LINUXCBT.INTERNAL
Steps:
1. Update: /etc/krb5.conf
2. Update Samba configuration to use ADS authentication
3. Update Samba server's DNS to point to ADS server
a. /etc/resolv.conf
b. /etc/hosts - including a pointer to ADS server (linuxcbtwin3)
4. Join AD domain:
a. 'net ads join -U administrator'
5. Confirm AD membership using: 'Active Directory Users & Computers' Tool
6. Setup Winbind to authenticate using ADS:
a. /etc/pam.d/system-auth - account & auth settings
auth sufficient /lib/security/pam_winbind.so - place before 'pam_unix.so'
account sufficient /lib/security/pam_winbind.so
b. /etc/nsswitch.conf
passwd: files winbind
group: files winbind
c. Configure 'idmap' 'uid & gid' mappings - 10000 - 20000
Use SWAT to update idmap settings for 'uid & gid'
Note: If you want ADS users to be able to logon to your Samba-Winbind Linux box using SSH, Telnet, mingetty, etc., change the 'Template Shell' directive to a valid shell, i.e. /bin/bash
d. Create 'Template homedir' $D (Domain) directory beneath '/home'
mkdir /home/LINUXGENIUS
7. Test Winbind Integration using: wbinfo
a. wbinfo -u - this enumerates users in AD
b. wbinfo -g - this enumerates groups in AD
c. ssh into LINUXCBTSERV1 (Winbind) as ADS user
Task1:
1. Authenticate using ADS, as 'administrator' from Windows box
2. Create a user named 'linuxcbt' in AD
3. Create shared directory on the Samba box, and provide access (Share it)

###Apache Web Server###
Features:
1. WWW Web Server
2. Modular
Tasks:
1. Install Apache 2.2x
a. httpd*.rpm
/etc/httpd - top-level configuration container on RH5
/etc/httpd/conf - primary configuration directory
/etc/httpd/conf/httpd.conf - primary Apache configuration file
/etc/httpd/conf.d - drop-in configuration directory, read by Apache upon startup
2. Explore: /etc/httpd/conf/httpd.conf
a. HTTPD runs as: apache:apache
b. Apache maintains, always, a 'main' server, which is independent of Virtual Hosts. This server is a catch-all for traffic that doesn't match any of the defined virtual hosts.
c. <Directory> directive governs file system access
Note: The primary Apache process runs as 'root', and has access to the full file system. However, the <Directory> directive restricts the web-user's view of the file system
d. Test access to '.ht*' file from web root
e. ErrorLog logs/error_log - default error log file for ALL hosts
f. logs/access_log - default log file for default server
Note: Every directory, outside of the 'DocumentRoot', should have at least one <Directory> directive defined.
3. Start Apache and continue to explore
a. service httpd start
root    2861    1  0 13:16 ?  00:00:00 /usr/sbin/httpd
apache  2863 2861  0 13:16 ?  00:00:00 /usr/sbin/httpd
apache  2864 2861  0 13:16 ?  00:00:00 /usr/sbin/httpd
apache  2865 2861  0 13:16 ?  00:00:00 /usr/sbin/httpd
apache  2866 2861  0 13:16 ?  00:00:00 /usr/sbin/httpd
apache  2867 2861  0 13:16 ?  00:00:00 /usr/sbin/httpd
apache  2868 2861  0 13:16 ?  00:00:00 /usr/sbin/httpd
apache  2869 2861  0 13:16 ?  00:00:00 /usr/sbin/httpd
apache  2870 2861  0 13:16 ?  00:00:00 /usr/sbin/httpd
Note: Parent Apache runs as 'root' and can see the entire file system
Note: However, child processes run as "apache" and can only see files/directories that 'apache:apache' can see
4. Create an Alias for content outside of the web root (/var/www/html)
a. Alias /testalias1 /var/www/testalias1
<Directory /var/www/testalias1>
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
5. Ensure that Apache will start when the system boots
a. chkconfig --level 35 httpd on && chkconfig --list httpd

Virtual Hosts Configuration:
Features:
1. Ability to share/serve content based on 1 or more IP addresses
2. Supports 2 modes of Virtual Hosts:
a. IP Based - one site per IP address
b. Host header names - multiple sites per IP address
Tasks:
1. Create IP Based Virtual Hosts
a. ifconfig eth0:1 192.168.75.210
b. Configure the Virtual Host:
<VirtualHost 192.168.75.210:80>
    ServerAdmin [email protected]
    ServerName site1.linux.internal
    DocumentRoot /var/www/site1
    <Directory /var/www/site1>
        Order allow,deny
        Allow from all
    </Directory>
    CustomLog logs/site1.linux.internal.access.log combined
    ErrorLog logs/site1.linux.internal.error.log
</VirtualHost>
c. Create: /var/www/site1 and content
d. Update: /etc/httpd/conf/httpd.conf with VHost information
2. Create Name-based Virtual Hosts using the primary IP address
a. /etc/httpd/conf/httpd.conf:
NameVirtualHost 192.168.75.199:80
<VirtualHost 192.168.75.199:80>
    ServerAdmin [email protected]
    ServerName site3.linux.internal
    DocumentRoot /var/www/site3
    <Directory /var/www/site3>
        Order allow,deny
        Allow from all
    </Directory>
    CustomLog logs/site3.linux.internal.access.log combined
    ErrorLog logs/site3.linux.internal.error.log
</VirtualHost>
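The note in the Apache section above says every directory outside the DocumentRoot should carry its own <Directory> block, and the Alias task shows the pattern. The following is an added example, not code from the LinuxCBT course: a POSIX shell and awk check that lists every Alias target in an httpd.conf fragment that has no matching <Directory> container, so a path served with the main server's defaults instead of an explicit Options/AllowOverride policy stands out. The config fragment and the function name are constructed for this example.

```sh
#!/bin/sh
# Added example: list Alias targets in an httpd.conf that have no <Directory>
# block of their own. The config fragment below is constructed for this example.

SAMPLE_HTTPD_CONF='DocumentRoot "/var/www/html"
Alias /testalias1 /var/www/testalias1
<Directory /var/www/testalias1>
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
Alias /reports /srv/reports
Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
</Directory>'

# unguarded_aliases CONFIG: print each Alias target path that never appears as
# the argument of a <Directory ...> container. Surrounding quotes and a
# trailing slash are ignored when comparing paths.
unguarded_aliases() {
    printf '%s\n' "$1" | awk '
        function clean(p) {
            sub(/^"/, "", p); sub(/"$/, "", p); sub(/\/$/, "", p)
            return p
        }
        $1 == "Alias" && NF >= 3 { alias[clean($3)] = 1 }
        $1 == "<Directory"       { d = $2; sub(/>$/, "", d); guarded[clean(d)] = 1 }
        END { for (p in alias) if (!(p in guarded)) print p }'
}

# Usage when run directly
unguarded_aliases "$SAMPLE_HTTPD_CONF"
```

Only <Directory> containers with a literal path are matched; a regex-style <DirectoryMatch> or a path covered by a wider parent block is reported too, which is the conservative reading of the note.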

###Apache with SSL Support###
Features:
1. Secure/Encrypted communications
Requirements:
1. httpd
2. openssl
3. mod_ssl
4. crypto-utils (genkey) - used to generate certificates/private keys/CSRs
a. also used to create a self-signed certificate
Tasks:
1. Install the requirements
a. mod_ssl - module for Apache, which provides SSL support
yum -y install mod_ssl
/etc/httpd/conf.d/ssl.conf - includes key SSL directives
b. crypto-utils - provides /usr/bin/genkey
2. Generate SSL usage keys using: genkey
a. genkey site1.linuxcbt.internal - creates text-gui interface
3. Update /etc/httpd/conf.d/ssl.conf to reference the new keys (public/private)
4. Restart the HTTPD server
a. service httpd restart
b. httpd -S
5. Test HTTPS connectivity
a. https://192.168.75.199
Note: For multiple SSL sites, copy the /etc/httpd/conf.d/ssl.conf file to distinct files that match your distinct IP-based VHosts

###MySQL###
Features:
1. DBMS Engine
2. Compatible with various front-ends:
a. Perl
b. PHP
c. ODBC
d. GUI Management
Tasks:
1. Install MySQL Client & Server
a. yum -y install mysql
/etc/my.cnf - primary config file
/usr/bin/mysql - primary client used to interact with the server
/usr/bin/mysqladmin - primary admin utility to return useful info, and perform admin tasks from the shell
