4. Boot Loaders
4.1 Concepts
1. Invocation
o BIOS loads the first stage boot loader from the drive's MBR.
o BIOS loads another boot loader which then loads the first stage boot loader
from a partition's boot sector.
The first stage boot loader is also known as the Initial Program Loader
(IPL). It must fit in less than 512 bytes, so it is fairly limited.
Its primary job is to load a more functional boot loader (a.k.a. the
second stage boot loader).
2. Configuration
o Install the first stage of the boot loader on the MBR. It can then be
configured to pass control to any desired operating system.
o Install the first stage of the boot loader in the boot sector of a partition.
Another boot loader is then installed on the MBR. This other boot loader
must be configured to pass control to the Linux boot loader.
4.2 Lilo
1. Configuration File
o /etc/lilo.conf
Sample File:
prompt                          # Present lilo prompt so user can interact with lilo
timeout=50                      # Timeout in tenths of a second to wait for user interaction
default=linux                   # Default image to boot
boot=/dev/hda6                  # Boot device (location to install the primary boot loader);
                                # to install in the MBR, specify /dev/hda
map=/boot/map                   # Location of map file
install=/boot/boot.b            # Location of second stage boot loader
password=some_passwd            # A password required to boot
restricted                      # Password only required if options are entered at boot prompt
message=/boot/message           # Text message or splash screen (PCX) displayed at boot time
linear
# Image definition
image=/boot/vmlinuz-2.4.7-10    # Location of the virtual memory compressed kernel
    label=linux
    initrd=/boot/initrd-2.4.7-10.img    # Initial RAM disk
    read-only
    root=/dev/hda9              # Location of root file system
o -v - Verbose
4. Errors
The 'LILO' prompt itself can be used to help diagnose boot related
errors. The number of letters presented at the LILO prompt can
indicate the success or failure of the boot loader.
o L = First stage boot loaded and started. Usually indicates disk problems or
invalid options in /etc/lilo.conf.
o LI = Second stage boot loader loaded from /boot, but /etc/lilo.conf has invalid
parameters or /boot/boot.b was moved without re-running /sbin/lilo.
o LIL = Second stage loader started, but the descriptor table can't be loaded
due to a bad disk or invalid parameters in /etc/lilo.conf.
5. Limitations
/sbin/lilo
7. Uninstalling LILO
When LILO overwrites an existing boot sector, it saves a copy of
the original boot sector in /boot. The name of the original boot
sector will be boot.MMmm where 'MM' is the major device number
and 'mm' is the minor device number. So, the original boot sector
from /dev/hda will be /boot/boot.0300.
The original boot sector is actually 512 bytes in length, but the
remaining bytes after 446 are part of the partition table and we
don't want to overwrite that in case it's changed.
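As an added example (not part of the original notes), the following Python walks the 512-byte sector layout described above and shows why only the first 446 bytes of the saved copy should go back onto the disk. The saved and current sectors are constructed in memory; no real device is read or written.

```python
"""Added example, not from the original notes: a 512-byte MBR is 446 bytes
of boot code, a 64-byte partition table (four 16-byte entries) and the
0x55AA signature.  LILO's saved copy (/boot/boot.0300 for /dev/hda) holds
the partition table as it was at install time, so a restore must put back
only the first 446 bytes (the classic dd with bs=446 count=1).  Both
sectors here are constructed samples."""
import struct

SECTOR_LEN = 512
CODE_LEN = 446            # boot code region, the part taken from the saved copy
ENTRY_FMT = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_table(sector: bytes) -> list:
    """Decode the used partition entries found at offsets 446..509."""
    if len(sector) != SECTOR_LEN:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, CODE_LEN + 16 * i)
        if ptype:                                   # type 0 marks an unused slot
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR from boot code and partition entries."""
    code = boot_code[:CODE_LEN].ljust(CODE_LEN, b"\x00")
    table = b"".join(struct.pack(ENTRY_FMT, 0x80 if e["bootable"] else 0,
                                 e["type"], e["lba_start"], e["sectors"])
                     for e in entries).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


def restore_boot_code(saved: bytes, current: bytes) -> bytes:
    """Put the saved boot code back while keeping the disk's live partition
    table and signature: the 446-byte restore the notes describe."""
    return saved[:CODE_LEN] + current[CODE_LEN:]


def build_samples():
    """Constructed pair: the sector LILO saved at install time, and the disk
    as it is now (a swap partition was added after LILO was installed)."""
    linux = {"bootable": True, "type": 0x83, "lba_start": 63, "sectors": 204737}
    swap = {"bootable": False, "type": 0x82, "lba_start": 204800, "sectors": 65536}
    saved = build_mbr(b"ORIGINAL-DOS-BOOT-CODE", [linux])
    current = build_mbr(b"LILO-FIRST-STAGE", [linux, swap])
    return saved, current


if __name__ == "__main__":
    saved, current = build_samples()
    restored = restore_boot_code(saved, current)
    print("saved table:   ", parse_partition_table(saved))
    print("current table: ", parse_partition_table(current))
    print("after restore: ", parse_partition_table(restored))
    print("boot code restored:", restored[:CODE_LEN] == saved[:CODE_LEN])
```

Copying the whole 512-byte saved sector back would silently revert the partition table to the single-partition layout, which is exactly the damage the 446-byte limit avoids.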
4.3 Grub
1. Features
o Can boot from multiple file systems including ext2/3, Reiserfs, FAT, minix,
and FFS
2. Configuration File
o /boot/grub/grub.conf
Sample Configuration
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/hdb5
# initrd /initrd-version.img
#boot=/dev/hdb
default=0                                  # Default to first definition for booting
timeout=10                                 # Time in seconds to wait for user interaction
splashimage=(hd1,0)/grub/splash.xpm.gz     # Splash screen
password --md5 $1$<salt>$Z..............   # Password protection (MD5 hash)
To enter menu editing mode, select an entry and press 'e'. This
will allow you to modify an existing boot setup and pass options
to the kernel as well as to init.
The GRUB command line allows you to create boot commands
that don't exist in your grub.conf file. You can also run diagnostic
tests and view the contents of files on your file systems.
o (hd1,3) - Fourth partition on the 2nd hard drive detected by the BIOS
/sbin/grub-install /dev/hda
6. Multi-disk scenario
/sbin/grub
root (hd1,0)
5. Boot up
5.1 Steps
1. BIOS loads first stage boot loader from the first sector of available disks (floppy,
hard drive, cd-rom, etc.)
2. First stage boot loader then loads the second stage boot loader.
3. Second stage boot loader allows user to choose what kernel to boot.
1. Mounts /proc.
6. Configure PnP.
5.2 /etc/inittab
This file contains information needed by init to configure the system.
Entries in the file have a specific format:
id:runlevel:style:command to run
1. id - A 1-4 character field that creates a unique identifier for the entry.
o wait - Process is started once when the specified runlevel is entered. Init
will wait for it to finish before proceeding.
o once - Process will be executed once when the specified runlevel is entered.
o bootwait - Same as boot, except init will wait for it to complete before
continuing.
o sysinit - Process executed during boot before any boot or bootwait entries.
o powerwait - Process executed when power goes down. Init waits for it to
complete.
2. Server = 3
3. Custom with X = 5
4. Custom w/o X = 3
6. Service Management
2. xinetd services
3. init services
o Configured in /etc/inittab.
or
service httpd restart
2. xinetd services
To start vsftp:
chkconfig vsftp on
3. init services
o Defaults:
4. shell - /bin/bash.
o Options:
o -u - userid
o -g - primary group
o -s - shell
o -d - home directory
o -c - comment (Commonly used to specify full name)
o -m - make the home directory if it doesn't already exist
o -M - don't create the user's home directory regardless of the defaults
o -G - a list of supplementary groups that the user will belong to (separate
with commas)
o -n - don't create a group with the same name as the user
o -r - create a system account (uid < UID_MIN in /etc/login.defs)
o -D - displays defaults if no other options are given
o -b - change default home (when used with -D)
o -g - change default group (when used with -D)
o -s - change default shell (when used with -D)
o Copies the contents of /etc/skel into the user's home directory to set up the
default user environment.
o Can specify a password with useradd using the -p option, but recommend
using /usr/bin/passwd to set the user's password.
o Example - To add user "steve" using all of the defaults and set his
password, type:
o useradd steve
o passwd steve
2. redhat-config-users
o GUI
2. redhat-config-users
o Options.
userdel -r steve
2. redhat-config-users
o Defaults:
o Options:
o -g - groupid
o -r - create a system group (gid < GID_MIN in /etc/login.defs)
o -f - exit with an error if group already exists
groupadd jedi
2. redhat-config-users
o Options:
o -g - new groupid
o -n - new group name
o Options: None
groupdel Jedi
2. redhat-config-users
o /etc/profile
1. System wide environment setup for Bourne type shells (ksh, sh,
bash, etc.)
3. Executes /etc/profile.d/*.sh
o /etc/bashrc
1. System wide functions and aliases for Bourne type shells (ksh, sh,
bash, etc.)
o /etc/csh.login
1. System wide environment setup for C type shells (csh, tcsh, etc.)
3. Executes /etc/profile.d/*.csh
o /etc/csh.cshrc
1. System wide functions and aliases for C type shells (csh, tcsh, etc.)
2. Per User
3. /etc/skel
This directory contains all of the default setup files that get
copied to a user's home directory when the account is created.
o w - Uses /var/run/utmp to report who is logged in. Also displays if the user
is idle and the last command executed by the user.
o tty - Displays the terminal that the tty command was executed on.
o Allow limitations to be set on the number of files and disk space used.
o ext2, ext3, and reiser file systems only (reiser supported as of RH 7.1).
o Enabled at boot time by rc.sysinit for any file system that has usrquota or
grpquota listed in its options field.
o /etc/fstab
1. Exist in the root of each file system in which quotas are configured.
or
quotacheck -avug
Options:
-a - scan all file systems with quotas enabled in /etc/fstab
-v - verbose
-g - scan for group quotas
-u - scan for user quotas
3. Modifying quotas
o Users
edquota -u steve
o Groups
edquota -g users
o Prototypes
4. Enabling/Disabling Quotas
o To enable:
quotaon -aug
o To disable:
5. Limits
o Soft
o Hard
Only used if grace periods are in effect, otherwise they are
ignored and soft limits are used to enforce file system
limits.
o Grace Periods
6. Reporting
The first line shows quota information for all users and groups for all file systems.
The second line shows user quota information for the / file system. The third line
shows quota information for user steve on all file systems.
7. Quota Conversion
Converts old quotas in the /home file system to the new quotas.
Note that the old quotas used quota.user and quota.group instead
of aquota.user and aquota.group.
Since NFS maps remote users to local users, set the quotas on the
local users that you plan to map the remote users to.
8. Network Administration
8.1 Utilities
1. ifconfig
Example:
2. route
Example:
route add -net 10.20.30.40 netmask 255.255.255.248 eth0
route add -net 10.20.30.48 netmask 255.255.255.248 gw 10.20.30.41
3. arp
arp is used to administer the arp cache. It can view, add, and
delete entries in the cache.
arp
o Add an entry:
o Delete an entry:
arp -d 192.168.33.15
4. ping
Examples:
ping 192.168.1.12
ping -b 192.168.1.0
The first line pings a single host, 192.168.1.12. The second line performs a
broadcast ping to all hosts on the 192.168.1.0 network.
5. traceroute
Example:
traceroute 192.168.10.100
This will print a line for each hop in-between the local and remote
host (192.168.10.100) as well as a line for the final destination up
to a maximum of 30 hops.
6. netstat
o Routing tables.
o Network connections.
o Multicast memberships.
Examples:
netstat -i # Display interface statistics
netstat -lpe # Display all listening sockets and the programs that own them
netstat -r # Display routing information
netstat -ape # Show all listening and non-listening sockets
7. netconfig
o TUI based.
8. redhat-config-network
9. ifup / ifdown
ifup eth0
8.2 Configuring Interfaces
1. Configuration files
o network
Options:
NETWORKING=yes
HOSTNAME=localhost.localdomain
The first option enables networking, and the second sets the host name. A
default gateway can also be specified here using the "GATEWAY=" option,
but it is usually specified in the "ifcfg-<device>" scripts for devices now.
o network-scripts/ifcfg-<device>
For a device using a statically assigned IP, it will look similar to this:
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes                   # Start at boot up?
IPXPRIMARY_802_2="no"
IPXACTIVE_802_2="no"
IPXPRIMARY_802_3="no"
IPXACTIVE_802_3="no"
IPXPRIMARY_ETHERII="no"
IPXACTIVE_ETHERII="no"
IPXPRIMARY_SNAP="no"
IPXACTIVE_SNAP="no"
TYPE=Ethernet
USERCTL=no                   # Allow users to control this interface?
NETWORK=192.168.33.0
BROADCAST=192.168.33.255
PEERDNS=no                   # Should we modify /etc/resolv.conf if using msdns?
IPADDR=192.168.33.50
GATEWAY=192.168.33.1         # Default gateway
NETMASK=255.255.255.0
2. Manual Configuration
3. GUI Configuration
o static-routes
For example:
o network-scripts/ifcfg-<device>
2. Manual Configuration
3. GUI Configuration
o /etc/hosts format:
  IP address    Host Name    Aliases
Example:
127.0.0.1 localhost
192.168.1.1 gateway.somedomain.com gateway gate gw
192.168.1.20 somehost.somedomain.com somehost some
192.168.1.25 otherhost.somedomain.com otherhost
o /etc/resolv.conf
Format:
nameserver 192.168.1.2
nameserver 192.168.1.3
domain somedomain.com
search somedomain.com otherdomain.com
2. NIS
COMPLETE ME!
3. LDAP
COMPLETE ME!
9.1 Date/Time
1. redhat-config-time
o GUI based.
o Select timezone.
2. timeconfig
o TUI based.
o Select timezone.
3. date
o CLI based.
4. hwclock
o Can sync the hardware clock to the system clock and vice-versa.
o Hardware clock used at boot up to set system clock, then never used again
during normal operation.
o TUI based.
2. kbdrate
Sets the repeat rate to 30 characters per second (the max) and a
repeat delay of 250 ms (lowest possible).
9.3 Mouse
1. mouseconfig
o TUI or CLI
o CLI Options:
o --modifyx       # Modify X configuration file
o --device <dev>  # Specify device to use for mouse
o --noprobe       # No automatic probing is done
o --emulthree     # Enable 3 button emulation
o --kickstart     # Forces mouseconfig to run in non-interactive mode and probe for
                  # as much information about the mouse as possible
2. Xconfigurator
9.4 Sound
1. sndconfig
o TUI based.
o Options:
o --noprobe       # Prevent probing of PnP cards
o --noautoconfig  # Allow user to choose settings for card
Note: The following is taken from the sysconfig.txt file provided in Red
Hat's initscripts (version 6.40) package. Obsolete options have been
removed.
/etc/sysconfig/authconfig
USEHESIOD=no
Whether or not the hesiod naming service is in use. If not set,
authconfig examines the passwd setting in /etc/nsswitch.conf.
USELDAP=no
Whether or not LDAP is used as a naming service. If not set,
authconfig examines the passwd setting in /etc/nsswitch.conf.
USENIS=no
Whether or not NIS is in use. If not set, authconfig examines
the passwd setting in /etc/nsswitch.conf.
USEKERBEROS=no
Whether or not Kerberos is in use. If not set, authconfig examines
the settings in /etc/pam.d/system-auth.
USELDAPAUTH=no
Whether or not LDAP is being used for authentication. If not set,
authconfig examines the settings in /etc/pam.d/system-auth. Note
that this option is separate from USELDAP, and that neither implies
the other.
USEMD5=no
Whether or not MD5-based hashing should be used when setting passwords.
If not set, authconfig examines the settings in /etc/pam.d/system-auth.
This option affects authentication using both local files and LDAP.
USESHADOW=no
Whether or not shadow passwords are in use. If not set, authconfig
checks for the existence of /etc/shadow.
USESMBAUTH=no
Whether or not SMB authentication is in use. If not set, authconfig
examines the settings in /etc/pam.d/system-auth.
/etc/sysconfig/autofsck
does not normally exist; if it does, it can influence a choice
whether or not to fsck after a crash
AUTOFSCK_TIMEOUT=5
Number of seconds to wait for console user to make a choice
AUTOFSCK_DEF_CHECK=no
If the user does not respond, choose whether or not to fsck
/etc/sysconfig/clock:
UTC=true indicates that the clock is set to UTC; anything
else indicates that it is set to local time
ARC=true on alpha only indicates the ARC console's
42-year time offset is in effect; otherwise the normal
Unix epoch is assumed
ZONE="filename" indicates the zone file under /usr/share/zoneinfo
that /etc/localtime is a copy of, for example:
ZONE="US/Eastern"
/etc/sysconfig/desktop:
DESKTOP=GNOME|KDE|AnotherLevel
This determines the display manager started by /etc/X11/prefdm
/etc/sysconfig/init:
BOOTUP=<some boot up mode>
BOOTUP=color means new (as of RH6.0) boot display.
BOOTUP=verbose means old style display
Anything else means new display, but without ANSI-formatting
LOGLEVEL=<a number>
Sets the initial console logging level for the kernel.
The default is 7. 8 means everything (including debugging);
1 means nothing except kernel panics. syslogd will override
this once it starts.
RES_COL=<a number>
Column of the screen to start status labels at. Defaults to 60
MOVE_TO_COL=<a command>
A command to move the cursor to $RES_COL. Defaults to nasty
ANSI sequences output by echo -e.
SETCOLOR_SUCCESS=<a command>
A command to set the color to a color indicating success.
Defaults to nasty ANSI sequences output by echo -e setting
the color to green.
SETCOLOR_FAILURE=<a command>
A command to set the color to a color indicating failure.
Defaults to nasty ANSI sequences output by echo -e setting
the color to red.
SETCOLOR_WARNING=<a command>
A command to set the color to a color indicating warning.
Defaults to nasty ANSI sequences output by echo -e setting
the color to yellow.
SETCOLOR_NORMAL=<a command>
A command to set the color to 'normal'. Defaults to nasty
ANSI sequences output by echo -e.
PROMPT=yes|no
Set to 'no' to disable the key check for interactive mode.
/etc/sysconfig/keyboard:
KEYTABLE=<keytable file>
for example: KEYTABLE="/usr/lib/kbd/keytables/us.map"
KEYBOARDTYPE=sun|pc
on SPARC only, sun means a sun keyboard is attached on /dev/kbd,
pc means a PS/2 keyboard is on ps/2 port.
/etc/sysconfig/mouse:
MOUSETYPE=microsoft|mouseman|mousesystems|ps/2|msbm|logibm|atibm|
logitech|mmseries|mmhittab
XEMU3=yes|no (emulate three buttons with two buttons whenever
necessary, most notably in X)
DEVICE=<a device node> (the device of the mouse)
NETWORKING_IPV6=yes|no
Enable or disable global IPv6 initialization
IPV6FORWARDING=yes|no
Enable or disable global forwarding of incoming IPv6 packets
on all interfaces.
Note: Actual packet forwarding cannot be controlled per-device.
IPV6INIT=yes|no
Enable or disable IPv6 configuration for all interfaces.
Use with caution!
IPV6_AUTOCONF=yes|no
Sets the default for device-based autoconfiguration.
Default: yes if IPV6FORWARDING=no, no if IPV6FORWARDING=yes
IPV6_ROUTER=yes|no
Sets the default for device-based Host/Router behaviour.
Default: yes if IPV6FORWARDING=yes, no if IPV6FORWARDING=no
IPV6_AUTOTUNNEL=yes|no
Controls automatic IPv6 tunneling.
For example:
sit1 2000::/3
sit1 3ffe::/16
adds routes through virtual tunnel sit1
/etc/sysconfig/routed:
SILENT=yes|no
EXPORT_GATEWAY=yes|no
/etc/sysconfig/rawdevices:
This is used for setting up raw device to block device mappings.
It has the format:
<rawdev> <major> <minor>
<rawdev> <blockdev>
For example:
/dev/raw/raw1 /dev/sda1
/dev/raw/raw2 8 5
/etc/sysconfig/pcmcia:
PCMCIA=yes|no
PCIC=i82365|tcic
PCIC_OPTS=<socket driver (i82365 or tcic) timing parameters>
CORE_OPTS=<pcmcia_core options>
CARDMGR_OPTS=<cardmgr options>
/etc/sysconfig/amd:
ADIR=/.automount (normally never changed)
MOUNTPTS='/net /etc/amd.conf' (standard automount stuff)
AMDOPTS= (extra options for AMD)
/etc/sysconfig/tape:
DEV=/dev/nst0
Tape device. Use the non-rewinding one for these scripts.
For IDE tapes you use /dev/ht#, where # is the number of the tape
drive you want to use (usually ht0).
ADMIN=root
Person to mail to if the backup fails for any reason
SLEEP=5
Time to sleep between tape operations. Some drives need a bit
more than others, but 5 seems to work for 8mm, 4mm, and DLT
BLOCKSIZE=32768
This worked fine for 8mm, then 4mm, and now DLT. An optimal
setting is probably however much data your drive writes at one
time.
SHORTDATE=$(date +%y:%m:%d:%H:%M)
A short date string, used in backup log filenames.
DAY=$(date +log-%y:%m:%d)
This is used for the log file directory.
DATE=$(date)
Regular date string, used in log files.
LOGROOT=/var/log/backup
Root of the logging directory
LIST=$LOGROOT/incremental-list
This is the file name the incremental backup will use to store
the incremental list. It will be $LIST-{some number}.
DOTCOUNT=$LOGROOT/.count
For counting as you go to know which incremental list to use
COUNTER=$LOGROOT/counter-file
For rewinding when done...might not use.
BACKUPTAB=/etc/backuptab
The file in which we keep our list of backup(s) we want to make.
/etc/sysconfig/sendmail:
DAEMON=yes|no
yes implies -bd (i.e., listen on port 25 for new mail)
QUEUE=1h
given to sendmail as -q$QUEUE
-q option is not given to sendmail if /etc/sysconfig/sendmail
exists and QUEUE is empty or undefined.
/etc/sysconfig/i18n
LANG= set locale for all categories, can be any two letter ISO
language code
LC_CTYPE= localedata configuration for classification and conversion
of characters
LC_COLLATE= localedata configuration for collation (sort order) of
strings
LC_MESSAGES= localedata configuration for translation of yes and no
messages
LC_NUMERIC= localedata configuration for non-monetary numeric data
LC_MONETARY= localedata configuration for monetary data
LC_TIME= localedata configuration for date and time
LC_ALL= localedata configuration overriding all of the above
LANGUAGE= can be a : separated list of ISO language codes
LINGUAS= can be a ' ' separated list of ISO language codes
UNIMAP= any SFM (screen font map, formerly called Unicode mapping
table - see consolechars(8))
/usr/bin/consolechars -f $SYSFONT --sfm $UNIMAP
USE_DMA=1
Set this to 1 to enable DMA. This might cause some
data corruption on certain chipset / hard drive
combinations. USE WITH CAUTION AND BACKUP.
This is used with the "-d" option
MULTIPLE_IO=16
Multiple sector I/O. a feature of most modern IDE hard drives,
permitting the transfer of multiple sectors per I/O interrupt,
rather than the usual one sector per interrupt. When this feature
is enabled, it typically reduces operating system overhead for disk
I/O by 30-50%. On many systems, it also provides increased data
throughput of anywhere from 5% to 50%. Some drives, however (most
notably the WD Caviar series), seem to run slower with multiple mode
enabled. Under rare circumstances, such failures can result in
massive filesystem corruption. USE WITH CAUTION AND BACKUP.
This is the sector count for multiple sector I/O - the "-m" option
EIDE_32BIT=3
(E)IDE 32-bit I/O support (to interface card). USE WITH CAUTION.
LOOKAHEAD=1
Enable drive read-lookahead (safe)
EXTRA_PARAMS=<anything>
Add any extra parameters you want to pass to hdparm here.
/etc/sysconfig/network-scripts/ifup:
/etc/sysconfig/network-scripts/ifdown:
These scripts take one argument normally: the name of the device
(e.g. eth0). They are called with a second argument of "boot"
during the boot sequence so that devices that are not meant to
be brought up on boot (ONBOOT=no, see below) can be ignored at
that time.
/etc/sysconfig/network-scripts/init.ipv6-global:
Not really a public file. Contains different basic settings that
are set from /etc/rc.d/init.d/network at different stages of
network initialization.
/etc/sysconfig/network-scripts/network-functions:
Not really a public file. Contains functions which the scripts use
for bringing interfaces up and down. In particular, it contains
most of the code for handling alternative interface configurations
and interface change notification through netreport.
/etc/sysconfig/network-scripts/network-functions-ipv6:
Not really a public file. Contains functions which the scripts use
for bringing IPv6 on interfaces up and down, like addresses, routes,
forwarding handling and static or automatic tunneling.
/etc/sysconfig/network-scripts/ifcfg-<interface-name> and
/etc/sysconfig/network-scripts/ifcfg-<interface-name>:<alias-name>:
Base items:
NAME=<friendly name for users to see>
Most important for PPP. Only used in front ends.
DEVICE=<name of physical device (except dynamically-allocated PPP
devices where it is the "logical name")>
IPADDR=
NETMASK=
GATEWAY=
ONBOOT=yes|no
USERCTL=yes|no
BOOTPROTO=none|bootp|dhcp
MTU=
PEERDNS=yes|no
modify /etc/resolv.conf if peer uses msdns extension (PPP only) or
DNS{1,2} are set, or if using pump or dhcpcd. default to "yes".
DNS{1,2}=<ipaddress>
provide DNS addresses that are dropped into the resolv.conf
file if PEERDNS is not set to "no".
FIREWALL_MODS=yes|no
modify firewall to attempt to allow DNS through. Defaults to 'yes'.
PPP/SLIP items:
PERSIST=yes|no
MODEMPORT=<device, say /dev/modem>
LINESPEED=<speed, say 115200>
DEFABORT=yes|no (tells netcfg whether or not to put default
abort strings in when creating/editing the chat script and/or
dip script for this interface)
(meaningless with WVDIALSECT)
PPP-specific items
WVDIALSECT=<list of sections from wvdial.conf to use>
If this variable is set, then the chat script (if it
exists) is ignored, and wvdial is used to open the
PPP connection.
DEFROUTE=yes|no (set this interface as default route? yes is default)
DEBUG=yes|no (defaults to yes)
turns on/off pppd and chat (if used) debugging.
ESCAPECHARS=yes|no (simplified interface here doesn't let people
specify which characters to escape; almost everyone can use
asyncmap 00000000 anyway, and they can set PPPOPTIONS to
asyncmap foobar if they want to set options perfectly)
HARDFLOWCTL=yes|no (yes implies "modem crtscts" options)
PPPOPTIONS=<arbitrary option string; is placed last on the
command line, so it can override other options like asyncmap
that were specified differently>
PAPNAME=<"name $PAPNAME" on pppd command line> (note that
the "remotename" option is always specified as the logical
ppp device name, like "ppp0" (which might perhaps be the
physical device ppp1 if some other ppp device was brought
up earlier...), which makes it easy to manage pap/chap
files -- name/password pairs are associated with the
logical ppp device name so that they can be managed
together.
REMIP=<remote ip address, normally unspecified>
MTU=
MRU=
DISCONNECTTIMEOUT=<number of seconds, default currently 5>
(time to wait before re-establishing the connection after
a successfully-connected session terminates before attempting
to establish a new connection.)
RETRYTIMEOUT=<number of seconds, default currently 60>
(time to wait before re-attempting to establish a connection
after a previous attempt fails.)
RETRYCONNECT=yes|no (defaults to yes)
If this is yes, then we will re-run pppd if it exits with a
"connect script failed" status. Otherwise, only one attempt
is made to bring up the connection. Note that some connect
scripts (for example, wvdial) might do their own retries (such
as BUSY or NO DIALTONE conditions).
MAXFAIL=<number>
If this is set, this will cause ppp-watch to exit after
the specified number of attempts.
DEMAND=yes|no
Switches on demand-dialing mode using pppd's "demand" option.
IDLETIMEOUT=600
The amount of time the link needs to be inactive before pppd will
bring it down automatically.
BOOTTIMEOUT=30
The amount of time to wait at boot before giving up on the
connection.
5. Verify that ext2 is either compiled into the kernel or create an initial
ramdisk so it can be loaded as a module at boot time.
6. Verify that the file systems are indeed mounted as ext3 by checking
/proc/mounts.
5. Monitor Permissions
o Tripwire
File Size
User
Group
Permissions
3. Configuration
Run /etc/tripwire/twinstall.sh
1. Configuration
1. Format
   # There must be at least one TAB separating the two entries below:
   facility.priority    log location
2. Facilities
3. Priorities
4. Example Configuration
   mail.info        /var/log/mail     # Log all mail messages of priority info or greater
   daemon.=emerg    /var/log/emerg    # Log all daemon messages with a priority of emergency
   lpr.=!notice     /var/log/lpr      # Log all lpr messages where the priority isn't of notice level
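The selector matching that the example configuration relies on, worked through as an added Python example that is not from the original notes: it builds per-facility priority masks the way sysklogd does and reports which targets a message reaches. The constructed sample also shows one caveat: a '!' modifier only subtracts from priorities an earlier selector on the same line enabled, so 'lpr.=!notice' is paired with 'lpr.*' to get the behaviour the comment describes.

```python
"""Added example, not from the original notes: evaluates syslog.conf
selectors (facility.priority with the '=' and '!' modifiers shown in the
notes) against messages the way sysklogd builds its per-facility priority
masks.  Rules and messages are constructed samples."""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]


def parse_rule(line: str) -> tuple:
    """Turn 'selector[;selector...] <target>' into (mask, target), where mask
    maps each facility to the set of priorities that reach the target."""
    selectors, target = line.split(None, 1)          # whitespace (TAB) separated
    mask = {fac: set() for fac in FACILITIES}
    for selector in selectors.split(";"):
        facs, pri = selector.rsplit(".", 1)
        negate, exact = "!" in pri, "=" in pri
        name = pri.lstrip("!=")
        pri = ALIASES.get(name, name)
        if pri == "*":
            levels = set(PRIORITIES)
        elif pri == "none":
            levels = set()
        else:                       # plain priority means this one and more severe
            levels = {pri} if exact else set(PRIORITIES[PRIORITIES.index(pri):])
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if pri == "none":       # 'none' resets the facility outright
                mask[fac] = set(PRIORITIES) if negate else set()
            elif negate:            # '!' only removes what an earlier selector enabled
                mask[fac] -= levels
            else:
                mask[fac] |= levels
    return mask, target.strip()


def targets_for(rules: list, facility: str, priority: str) -> list:
    """Return every log target a message with this facility.priority reaches."""
    return [target for mask, target in rules if priority in mask[facility]]


# Constructed syslog.conf: the three selectors from the notes plus a catch-all.
# 'lpr.=!notice' is paired with 'lpr.*' because '!' on its own enables nothing.
SAMPLE_CONF = [
    "mail.info\t/var/log/mail",
    "daemon.=emerg\t/var/log/emerg",
    "lpr.*;lpr.=!notice\t/var/log/lpr",
    "*.info;mail.none;authpriv.none\t/var/log/messages",
]
RULES = [parse_rule(line) for line in SAMPLE_CONF]

if __name__ == "__main__":
    for fac, pri in [("mail", "info"), ("mail", "debug"), ("daemon", "emerg"),
                     ("daemon", "alert"), ("lpr", "notice"), ("lpr", "err")]:
        print(f"{fac}.{pri:<7} -> {targets_for(RULES, fac, pri) or ['(dropped)']}")
```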
2. Log Rotation
o Basic setup and log rotation of the default system logs are configured in
/etc/logrotate.conf.
3. Logwatch
o Runs daily.
o Creates a daily report that is e-mailed to the user specified (root by default).
o Nice Value - Affects the priority of a job. Can be altered using nice/renice
commands.
o Examples:
  nice +10 find / -name xyz    # Give find command a lower priority than normal
  renice -10 `pidof X`         # Give X server a higher priority
o Jobs - Jobs executed at the shell prompt normally run in the foreground.
This prevents you from executing other commands from the same shell
until the command returns. You can force jobs to run in the background by
placing an "&" after the command.
The two 'tar' commands will execute in the background and 'top' will be
executed in the foreground.
o kill - You can also use job numbers with the kill command instead of process ids.
  kill %4    # Kill background job number 4
10.1 Installation
-i # Install a package.
-U # Upgrade existing package or install if it doesn't already exist.
-e # Remove a package.
-F # Freshen. Only upgrade package if it's already installed.
-v # Print verbose information
-h # Use a hash mark (#) to indicate progress
--nodeps # Don't perform a dependency check when installing or upgrading a
package
--replacefiles # Install package even if it overwrites existing files
--replacepkgs # Install package even if it's already installed
--oldpackage # Install package even if it's older than the one installed
--force # Combination of --replacefiles, --replacepkgs, and --oldpackage
Examples:
rpm -ivh groff-1.17.1-3.i386.rpm # Install groff from local file system
rpm -Uvh groff-1.17.2-3.i386.rpm # Upgrade groff from local file system
rpm -e groff # Remove groff
# Install groff from anonymous ftp server
rpm -ivh ftp://somehost.com/rpms/groff-1.17.1-3.i386.rpm
10.2 Verification
--checksig <package> # Verify md5 and gpg signatures.
-K <package> # Same as --checksig.
--nogpg # Don't verify gpg signature (must be used with --checksig).
-V <package> # Verify installed files against package info and report changes.
-Va # Verify all packages
10.3 Query
-q <package> # Returns package version.
-qf <file> # Returns name of package that owns file.
-ql <package> # Returns list of files owned by package.
-qi <package> # Returns package info.
-qpi <package> # Returns info of uninstalled package
-qpl <package> # Returns list of files in an uninstalled package
/usr/src/redhat:
• SPECS - Holds the spec files which describe how to build the rpm.
11. PCMCIA
11.1 Support
PCMCIA support is currently included in the kernel, but it's better
supported by the kernel modules located at http://pcmcia-cs.sourceforge.net
2. cardctl
o Commands:
o eject - Notifies all drivers that this card will be ejected and then cuts power.
o insert - Notifies all drivers that a card has just been inserted.
3. PCMCIA drivers
12. RAID
12.1 Overview
Stands for Redundant Array of Inexpensive Disks or Redundant Array of
Independent Disks. It uses multiple disks to increase performance
and/or reduce the chances of data loss due to hardware failure.
o No Redundancy
2. Mirroring (RAID 1)
Sample file:
### RAID 1
raiddev /dev/md0
raid-level 1 # Mirroring
nr-raid-disks 3 # Number of disks to use
nr-spare-disks 1 # Hot standby in case another fails
persistent-superblock 1 # Required for auto detection
chunk-size 32 # In KB
device /dev/hda3
raid-disk 0
device /dev/hdb3
raid-disk 1
device /dev/hde5
raid-disk 2
device /dev/hdc4
spare-disk 0
### RAID 5
raiddev /dev/md1
raid-level 5 # Data and parity striping
nr-raid-disks 3 # Number of disks to use
nr-spare-disks 1 # Hot standby in case another fails
persistent-superblock 1 # Required for auto detection
chunk-size 32 # In KB
parity-algorithm right-symmetric
device /dev/sda1
raid-disk 0
device /dev/sdb3
raid-disk 1
device /dev/sdc5
raid-disk 2
device /dev/sdd4
spare-disk 0
"-R" is used to set RAID related options for the file system. Stride is the
number of blocks per chunk. In the previous examples we are using a
32K chunk size with a 4K block size, so stride has to be 8 (4K * 8 =
32K).
1. left-asymmetric
2. right-asymmetric
3. left-symmetric
4. right-symmetric
13.1 Overview
1. Monitor and control system battery on laptops.
2. Can be used on workstations to implement "standby" and "suspend" power modes.
2. apm
13.3 Options
Specified in /etc/sysconfig/apmd
14. Kernel
14.1 Types
1. Monolithic
2. Modular
2. Dependencies
3. Managing
o Viewing
o lsmod
o cat /proc/modules
o Loading
o modprobe tulip # Load a single module
o modprobe -t net \* # Load all modules in "net" category
o modprobe \* # Load all modules
o Unloading
o modprobe -r 3c503 # Unload 3c503 module
o rmmod -r 3c503 # Unload 3c503 module and all of its dependencies
o kernel-headers
o kernel-source
o dev86
o make
o glibc-devel
o cpp
o binutils
o gcc
2. Installation steps
1. cd /usr/src
2. bzcat linux-2.4.17.tar.bz | tar xvf -
3. cd linux
4. make config | make menuconfig | make xconfig
5. make dep
6. make clean
7. make bzImage
8. make modules (if modular kernel)
9. make modules_install (if modular kernel)
10. cp System.map /boot/System.map-2.4.17
11. cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.17
12. cp .config /boot/config-2.4.17
13. mkinitrd /boot/initrd-<version> <kernel version> # Depending on kernel configuration
14. Update LILO or GRUB
15. Reboot into new kernel
18. new-kernel-pkg
NOTE: If you are using lilo, you will have to manually update its configuration
file.
o kernel
o mkinitrd
o SysVinit
o initscripts
3. Optional Packages
o kernel-headers
o kernel-source
o kernel-doc
o kernel-debug
4. Install Steps
5. rpm -Uvh mkinitrd-<version>.rpm # If necessary
6. rpm -Uvh SysVinit-<version>.rpm # If necessary
7. rpm -Uvh initscripts-<version>.rpm # If necessary
8. rpm -Uvh kernel-headers-<version>.rpm # Optional
9. rpm -Uvh kernel-source-<version>.rpm # Optional
10. rpm -ivh kernel-<version>.rpm --force
11. rpm -ivh kernel-pcmcia-cs-<version>.rpm --force # For laptops
12. mkinitrd /boot/initrd-<version> <kernel version> # Depending on kernel configuration
13. Update LILO or GRUB
14. Reboot into new kernel
compiled kernel
For those times where you need to add a new driver to a modular
kernel, you can just compile the needed module and install it without
recompiling the entire kernel. Just follow these steps:
cd /usr/src/linux
make config | make menuconfig | make xconfig
(Choose the driver as a module)
make dep
make modules
make modules_install
depmod -a
You should now be able to use the new module.
15. PAM
15.1 Files
1. Configuration files located in /etc/pam.d.
2. account
Account based restrictions (time of day, tty, host, etc.) a.k.a. login
restrictions.
3. session
4. password
This test must pass in order for the overall check to succeed. The
remaining tests are still performed even if this one fails.
2. requisite
This test must pass in order for the overall check to succeed.
However, unlike 'required', no other tests are performed if this
one fails.
3. sufficient
This test doesn't have to pass for the overall check to succeed.
However, if it does pass, it grants immediate access. If it's failed,
the remaining tests are still performed as with 'required'.
4. optional
The above will allow a user to login via sshd if they are listed in the
/etc/sshd_users file. The options specified have the following meanings:
o item=user - This states that we are testing or verifying the user's login
name.
o sense=allow - This means that if the user is found in the file specified,
this test succeeds. This will allow the user access if all other PAM tests
succeed as well. The other possible option for "sense" is "deny".
o file=/etc/sshd_users - This specifies the file that will contain the list of
users (one per line) that are allowed to access sshd.
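The following is an added example, not part of the original notes, that walks a PAM stack the way the control flags above describe and uses a pam_listfile-style check (item=user sense=allow file=/etc/sshd_users) as one of the modules. The module behaviours and the contents of /etc/sshd_users are constructed stand-ins.

```python
# Simulation of how PAM evaluates a stack of (control_flag, module, args)
# entries.  Added example, not from the original notes.  The module names
# are real PAM modules, but their behaviour here is a constructed stand-in,
# and the user list standing in for /etc/sshd_users is built in memory.

CONSTRUCTED_FILES = {"/etc/sshd_users": ["bilbo", "frodo", "gollum"]}


def listfile(user, args):
    """Mimic pam_listfile with item=user: success depends on whether the
    login name appears in the named file and on sense=allow|deny."""
    listed = user in CONSTRUCTED_FILES.get(args["file"], [])
    return listed if args["sense"] == "allow" else not listed


def unix_password(user, args):
    """Constructed stand-in for pam_unix: everyone but 'gollum' knows
    their password."""
    return user != "gollum"


def deny(user, args):
    """Stand-in for pam_deny: always fails."""
    return False


MODULES = {"pam_listfile.so": listfile, "pam_unix.so": unix_password,
           "pam_deny.so": deny}


def evaluate_stack(stack, user):
    """Walk the stack and return (granted, trace).

    required   - must pass; on failure the remaining modules still run,
                 but the final answer is failure.
    requisite  - must pass; on failure stop at once with failure.
    sufficient - a pass grants access immediately (unless an earlier
                 required module already failed); a failure is ignored.
    optional   - ignored unless it is the only module in the stack.
    """
    required_failed = False
    contributed = False          # did any module actually decide anything?
    trace = []
    for flag, module, args in stack:
        ok = MODULES[module](user, args)
        trace.append((module, ok))
        if flag == "required":
            contributed = True
            if not ok:
                required_failed = True
        elif flag == "requisite":
            contributed = True
            if not ok:
                return False, trace
        elif flag == "sufficient":
            if ok and not required_failed:
                return True, trace
        elif flag == "optional":
            if len(stack) == 1:
                return ok, trace
        else:
            raise ValueError("unknown control flag: %s" % flag)
    # A stack whose modules all declined to decide (for example only
    # failed 'sufficient' entries) denies access.
    return contributed and not required_failed, trace


# Constructed sshd "auth" stack built around the pam_listfile line above.
SSHD_AUTH = [
    ("requisite", "pam_listfile.so",
     {"item": "user", "sense": "allow", "file": "/etc/sshd_users"}),
    ("sufficient", "pam_unix.so", {}),
    ("required", "pam_deny.so", {}),
]


def can_login(user, stack=SSHD_AUTH):
    return evaluate_stack(stack, user)[0]
```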
3. Allow users Bilbo & Frodo to login on all days between 8 am and 5 pm except for
Sunday.
4. login;*;bilbo|frodo;AlSu0800-1700
If a day is specified more than once, it is unset. So in the above example, Sunday is
specified twice (Al = All days, Su = Sunday). This causes it to be unset, so this rule
applies to all days except Sunday.
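An added example (not from the original notes) that parses the pam_time rule above and applies the "a day named twice is unset" behaviour. It implements only the syntax the notes describe: service, tty and user fields with '*' and '|', a run of two-letter day codes and one HHMM-HHMM range; '!' negation and '&' are not handled.

```python
import re

# Two-letter day codes from time.conf; weekday numbers follow Python's
# convention, 0 = Monday ... 6 = Sunday.  Added example, not from the notes.
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4},          # working days
    "Wd": {5, 6},                   # weekend
    "Al": {0, 1, 2, 3, 4, 5, 6},    # every day
}

TIME_FIELD = re.compile(r"^((?:[A-Z][a-z])+)(\d{4})-(\d{4})$")

# Constructed copy of the rule discussed above.
EXAMPLE_RULE = "login;*;bilbo|frodo;AlSu0800-1700"


def parse_days(spec):
    """Expand a run of day codes such as 'AlSu' into a set of weekdays.
    Every code toggles its days, so a day named twice ends up unset:
    'Al' selects all seven days, then 'Su' removes Sunday again."""
    days = set()
    for i in range(0, len(spec), 2):
        code = spec[i:i + 2]
        if code not in DAY_CODES:
            raise ValueError("unknown day code %r in %r" % (code, spec))
        days ^= DAY_CODES[code]     # symmetric difference == toggle
    return days


def parse_time_field(field):
    """Return (days, start, end) for a field such as 'AlSu0800-1700'."""
    m = TIME_FIELD.match(field)
    if not m:
        raise ValueError("bad time field: %r" % field)
    return parse_days(m.group(1)), int(m.group(2)), int(m.group(3))


def field_matches(field, value):
    """'*' matches anything; otherwise the field is a '|' list of names."""
    return field == "*" or value in field.split("|")


def rule_allows(rule, service, tty, user, weekday, hhmm):
    """Apply one time.conf rule of the form services;ttys;users;times.

    Returns None when the rule does not apply to this login at all,
    otherwise True/False for whether the login falls inside the allowed
    days and the HHMM range (inclusive)."""
    services, ttys, users, times = rule.split(";")
    if not (field_matches(services, service) and field_matches(ttys, tty)
            and field_matches(users, user)):
        return None
    days, start, end = parse_time_field(times)
    return weekday in days and start <= hhmm <= end
```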
3. Users in the group jedi are only allowed to login from a local terminal:
4. -:jedi:ALL EXCEPT LOCAL
16.1 Overview
1. Cron and at provide a way to schedule tasks.
2. Packages
1. User crontabs
o Stored as /var/spool/cron/<user>
2. System crontabs
o /etc/crontab
o /etc/cron.d
o /etc/cron.hourly
o /etc/cron.daily
o /etc/cron.weekly
o /etc/cron.monthly
3. Crontab Format
4. <minute> <hour> <day of month> <month> <day of week> <command to execute>
Valid values:
Minute - 0-59
Hour - 0-23
Day of Month - 1-31
Month - 1-12 *or*
- Jan, Feb, Apr, etc.
Day of Week - 0-7 (0 or 7 = Sunday) *or*
- Sun, Mon, Tue, Wed, Thu, Fri, Sat
Comma-separated lists and ranges can be specified for each parameter, but only in
numeric format (e.g. 1-5 is OK for day of week, but not Mon-Fri).
# To execute foo every 5 minutes.
0,5,10,15,20,25,30,35,40,45,50,55 * * * * foo
# - OR -
*/5 * * * * foo
# Executes bar at the bottom of every hour
# during working hours on week days.
30 8-17 * * 1-5 bar
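An added example, not part of the original notes, that expands the five time fields of a crontab line into the sets of values they match, following the rules above: '*', single values, numeric ranges, comma lists and the '*/N' step form, names only as single month or day-of-week values, and 7 as an alias for Sunday. It also rejects a descending hour range such as 8-5, which cron does not accept.

```python
# Crontab time-field expander.  Added example, not from the original notes.
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("day of month", 1, 31),
          ("month", 1, 12), ("day of week", 0, 7)]

MONTH_NAMES = ["jan", "feb", "mar", "apr", "may", "jun",
               "jul", "aug", "sep", "oct", "nov", "dec"]
DAY_NAMES = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]


def single_value(token, name):
    """A single value may be a number or, for month/day of week, a name."""
    if token.isdigit():
        return int(token)
    low = token.lower()
    if name == "month" and low in MONTH_NAMES:
        return MONTH_NAMES.index(low) + 1
    if name == "day of week" and low in DAY_NAMES:
        return DAY_NAMES.index(low)
    raise ValueError("bad %s value: %r" % (name, token))


def expand_field(spec, name, low, high):
    """Return the set of integers a single field matches."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError("step must be >= 1 in %r" % spec)
        if part == "*":
            first, last = low, high
        elif "-" in part:
            # Ranges must be numeric: 1-5 is fine, Mon-Fri is not.
            a, b = part.split("-", 1)
            if not (a.isdigit() and b.isdigit()):
                raise ValueError("ranges must be numeric: %r" % part)
            first, last = int(a), int(b)
        else:
            first = last = single_value(part, name)
        if first > last:
            raise ValueError("descending range %r in %s field" % (part, name))
        if first < low or last > high:
            raise ValueError("%s value outside %d-%d: %r" % (name, low, high, part))
        values.update(range(first, last + 1, step))
    return values


def parse_crontab_line(line):
    """Return ({field name: set of values}, command) for a crontab entry."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("need five time fields and a command: %r" % line)
    sets = {}
    for (name, low, high), spec in zip(FIELDS, parts[:5]):
        sets[name] = expand_field(spec, name, low, high)
    dow = sets["day of week"]
    if 7 in dow:                 # 0 and 7 both mean Sunday
        dow.discard(7)
        dow.add(0)
    return sets, parts[5]


def is_valid(line):
    """True when the line parses under the rules above."""
    try:
        parse_crontab_line(line)
        return True
    except ValueError:
        return False
```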
16.3 At Jobs
1. "at" jobs are configured from the command prompt. No crontab style files.
2. At uses the existing environment that the "at" command was executed in to run the
specified command(s) at the indicated time. This typically makes at jobs
easier/quicker to setup than crontab jobs because the environment is already
configured for the job.
3. Examples
4. at 8:00 am March 12 # Execute specified commands at 8:00 am on March 12th
5. at now +3 hours # Execute specified commands 3 hours from now
6. at 9:30 pm -f ~/cmds # Execute commands in the ~/cmds file at 9:30 pm
After specifying a time, the user is prompted for the commands to execute unless
the "-f" option is used to specify a file containing the commands to execute.
7. Managing At Jobs
o batch - Execute specified command when system load levels are low
enough to permit it.
16.4 Access Control
1. /etc/cron.allow
2. /etc/cron.deny
3. /etc/at.allow
4. /etc/at.deny
17. Sendmail
17.1 Packages
1. sendmail
2. sendmail-cf
3. sendmail-doc
2. /etc/mail/sendmail.mc
o sendmail.mc options:
define(`confDEF_USER_ID', `8:12')              # Specifies user (8) and group (12) to run sendmail as
OSTYPE(`linux')                                # Imports OS specific information
undefine(`UUCP_RELAY')                         # Disable UUCP relaying
undefine(`BITNET_RELAY')                       # Disable bitnet relaying
define(`confAUTO_REBUILD')                     # Rebuild /etc/aliases automatically
define(`confTO_CONNECT', `1m')                 # Set time limit for SMTP connections to 1 minute
define(`confTRY_NULL_MX_LIST', true)           # If no MX record exists, contact host directly
define(`confDONT_PROBE_INTERFACES', true)      # ????
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')  # Specify location of procmail
FEATURE(`smrsh', `/usr/sbin/smrsh')            # Specify location of sendmail restricted shell

### Enable virtusertable, mailertable, and access and specify their locations:
###
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`access_db', `hash -o /etc/mail/access.db')dnl

FEATURE(`redirect')                            # ???
FEATURE(`always_add_domain')                   # Append local hostname to locally delivered e-mail
FEATURE(`use_cw_file')                         # Read aliases to use from /etc/mail/local-host-names
FEATURE(`local_procmail')                      # Use procmail as the local MDA

FEATURE(`blacklist_recipients')                # Allows e-mail to be blocked based on destination
FEATURE(`accept_unresolvable_domains')         # Accept e-mail even if the reverse lookup of
                                               # the sender's domain doesn't work
FEATURE(`rbl')                                 # Implements Realtime Blackhole List to fight spam.
FEATURE(`relay_based_on_MX')                   # Automatically allow relaying if sendmail server
                                               # is listed as the target domain's MX record.
                                               # This appears to only work if the hostname is set
                                               # to the same value as the MX record.
FEATURE(`domaintable')                         # Enable use of domaintable
FEATURE(`mailertable')                         # Enable use of mailertable

### The following sets a "smart host" that all of your mail will be relayed through.
define(`SMART_HOST', `mail.yourdomain.com')

### The following line tells sendmail to only listen on the localhost interface.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

### The following 3 allow a host to masquerade as another host. Useful for hiding
### internal machine names from the outside world. Note that any user specified in
### an "EXPOSED_USER" (e.g. root), will not have their e-mail address masqueraded.
MASQUERADE_AS(`yourdomain.net')                # Specifies domain to use in FROM and envelope addresses.
FEATURE(`allmasquerade')                       # Turn on masquerading for all e-mail
FEATURE(`masquerade_envelope')                 # Masquerade the envelope address also
o Contains aliases for e-mail addresses. For example, it allows you to send
mail destined for user 'daemon' to 'root'.
o Example /etc/aliases:
daemon: root                 # Messages sent to user daemon are redirected to root
root: steve                  # Messages sent to root are redirected to steve
webmaster: steve, bob, sue   # Messages sent to webmaster are redirected to steve, bob and sue
steve@foo.com: bob           # This entry is invalid unless the local host name is foo.com
                             # or foo.com is listed in /etc/mail/local-host-names
o Example /etc/mail/access:
localhost.localdomain   RELAY    #
localhost               RELAY    ### These 3 permit the localhost to relay
127.0.0.1               RELAY    #

10.22                   REJECT   # Reject mail from any host with an IP that starts with 10.22
nobody@                 REJECT   # Rejects any mail addressed to user 'nobody' regardless
                                 # of the domain it's sent to.
foo.com                 OK       # Accept mail from foo.com (not for relaying) even
                                 # if other rules might reject it
bar.com                 REJECT   # Reject all mail from bar.com and send message to sender
foobar.com              DISCARD  # Like REJECT, except sender doesn't receive a message

# The following sends the specified RFC error code back to the sender along with the
# message specified after it.
someone.com             550 We don't accept your mail.

o After editing /etc/mail/access, you must regenerate /etc/mail/access.db by
going into /etc/mail and typing make.
o Example /etc/mail/mailertable:
foo.net      smtp:bar.net           # Forward mail addressed to foo.net to bar.net
foobar.net   smtp:[192.168.1.20]    # Forward mail addressed to foobar.net to the host at 192.168.1.20
o Allows you to map multiple virtual domains and users to other addresses.
o Example /etc/mail/virtusertable:
webmaster@foo.com    steve           # Mail sent to webmaster@foo.com is redirected to local user steve
postmaster@bar.com   steve@foo.com   # Mail sent to postmaster@bar.com is redirected to steve@foo.com

@somedomain.com      joe@foo.com     # Mail addressed to _any_ user at somedomain.com is redirected
                                     # to joe@foo.com
@foobar.com          %1@bar.com      # Mail addressed to a user at foobar.com is redirected to the same
                                     # user at bar.com.
8. /etc/mail/local-host-names
o This file must contain the sendmail server's machine name and any aliases.
Sendmail must be restarted after changing this file in order for it to take
effect.
o Example:
foo.com
bar.com
foobar.com
Specifies that foo.com, bar.com, and foobar.com are all local domains.
9. /usr/share/sendmail-cf/cf/
10. /etc/mail/helpfile
11. /etc/mail/statistics
2. Masquerades their mail domain as the mail domain of the smart host.
3. Example:
o The DH line specifies which host all local e-mail traffic should be
forwarded to. Change it to:
DHmail.somedomain.com
o The DM line specifies what the client should masquerade as. Change it to:
DMsomedomain.com
2. debug mode
To enable debug mode, run sendmail with the "-d" option followed by a
debug number.
5. Hostname Problems
18. Apache
18.1 Defaults
1. Configuration File: /etc/httpd/conf/httpd.conf
5. User: apache
6. Group: apache
9. MinSpareServers 5
10. MaxSpareServers 10
11. StartServers 8
2. MaxSpareServers
3. StartServers
4. MaxClients
5. MaxRequestsPerChild
ErrorLog /var/log/httpd/error_log
2. Access Log
UserDir public_html
3. Anything placed in the public_html directory can be accessed through the web if
permissions allow Apache to access it.
4. In order to visit a user's "public_html" directory, specify ~user after the base URL:
www.somedomain.com/~steve
5. AllowOverride Options:
o None
o Authconfig
o FileInfo
o Indexes
o Limit
o Options
o order
1. allow,deny
2. deny,allow
3. mutual-failure
o deny from
o Examples
<Directory /var/www/html>
    # In this case, no one would be granted access
    # because denys are processed after allows.
    order allow,deny
    allow from 199.151.220
    deny from All
</Directory>

<Directory /var/www/html>
    # In this case, only those hosts in the 199.151.220.0/24
    # network will be allowed in.
    order deny,allow
    allow from 199.151.220
    deny from All
</Directory>
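An added example, not part of the original notes, that evaluates the 'order' / 'allow from' / 'deny from' directives for a client address and reproduces what the two <Directory> examples above describe: with order allow,deny the deny-from-All line wins and nobody gets in, with order deny,allow the allow line overrides it for the 199.151.220 network. The <Directory> text and the client addresses are constructed.

```python
# Apache order/allow/deny evaluator.  Added example, not from the notes.

def addr_matches(pattern, client_ip):
    """'all' matches everyone; a partial dotted address such as
    199.151.220 matches every client whose address begins with it."""
    if pattern.lower() == "all":
        return True
    return (client_ip + ".").startswith(pattern.rstrip(".") + ".")


def parse_directory_block(text):
    """Pull order/allow/deny out of a <Directory> block; comments dropped."""
    order, allow, deny = None, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        key, _, rest = line.partition(" ")
        key = key.lower()
        if key == "order":
            order = rest.strip().lower()
        elif key in ("allow", "deny"):
            words = rest.split()
            if not words or words[0].lower() != "from":
                raise ValueError("expected '%s from ...': %r" % (key, raw))
            (allow if key == "allow" else deny).extend(words[1:])
    if order is None:
        raise ValueError("no order directive in block")
    return order, allow, deny


def access_granted(order, allow, deny, client_ip):
    """Apply the three 'order' modes to one client address."""
    allowed = any(addr_matches(p, client_ip) for p in allow)
    denied = any(addr_matches(p, client_ip) for p in deny)
    if order == "allow,deny":
        # Allows are processed first, then denys: a matching deny always
        # wins, and anything no allow matches is refused by default.
        return allowed and not denied
    if order == "deny,allow":
        # Denys first, then allows: a matching allow overrides a deny,
        # and anything neither list matches is admitted by default.
        return allowed or not denied
    if order == "mutual-failure":
        # Only hosts on the allow list and not on the deny list get in.
        return allowed and not denied
    raise ValueError("unknown order: %r" % order)


def client_allowed(block_text, client_ip):
    order, allow, deny = parse_directory_block(block_text)
    return access_granted(order, allow, deny, client_ip)


# Constructed copies of the two examples from the notes.
BLOCK_ALLOW_DENY = """<Directory /var/www/html>
    order allow,deny
    allow from 199.151.220
    deny from All
</Directory>"""

BLOCK_DENY_ALLOW = BLOCK_ALLOW_DENY.replace("order allow,deny", "order deny,allow")
```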
18.6 Authentication
1. User/password database
Only use the "-c" option when you create the file. After that,
leave it off. Otherwise you will wipe out your existing
password file.
2. Authentication Type
4. Authentication Requirements
The above example allows any valid user ("valid-user" must be in all lower case)
to access this directory. Valid meaning that the user is defined in
/var/www/passwd.
If only certain users are allowed to access this directory, you can
specify them instead of "valid-user":
In this case, only users bob, sue, and steve will be allowed to
access this directory.
18.7 CGI
1. Defining a directory for CGI scripts
o ScriptAlias
http://www.somehost.com/cgi-bin/cgi-test
o ExecCGI
A directory can also be specified as containing cgi scripts by
specifying Options ExecCGI within a <Directory> directive or
an .htaccess file.
o Recommend specifying a separate document root, error log, and script alias
for each virtual host.
o Example:
<VirtualHost 192.168.1.10>
    ServerName www.somedomain.com
    ServerAdmin webmaster@somedomain.com
    DocumentRoot /var/www/www.somedomain.com/html
    ScriptAlias /cgi-bin/ /var/www/www.somedomain.com/cgi-bin/
    ErrorLog /var/log/httpd/www.somedomain.com/error_log
    CustomLog /var/log/httpd/www.somedomain.com/access_log combined
    <Directory /var/www/www.somedomain.com/html>
        Options Indexes Includes
        order deny,allow
        Allow from All
    </Directory>
</VirtualHost>
2. Name Based
o Example:
NameVirtualHost 192.168.1.11
<VirtualHost 192.168.1.11>
    ServerName www.someotherdomain.com
    ServerAlias www1.someotherdomain.com
    ServerAdmin webmaster@someotherdomain.com
    DocumentRoot /var/www/www.someotherdomain.com/html
    ScriptAlias /cgi-bin/ /var/www/www.someotherdomain.com/cgi-bin/
    ErrorLog /var/log/httpd/www.someotherdomain.com/error_log
    CustomLog /var/log/httpd/www.someotherdomain.com/access_log combined
    <Directory /var/www/www.someotherdomain.com/html>
        Options Indexes Includes
        order deny,allow
        Allow from All
    </Directory>
</VirtualHost>
3. Troubleshooting
o If accessing any of the defined named based virtual hosts always causes the
default virtual host to be viewed, verify that the names specified for each
virtual host (ServerName) are correct.
18.9 SSL
1. mod_ssl
2. Encryption Configuration
1. Use openssl
19. BIND
19.1 Overview
1. BIND 9
5. Packages
6. Ports
o 53 UDP - DNS queries
7. redhat-config-bindconf
o Sample named.conf
options {
    directory "/var/named";               // Working directory of server
    allow-query { any; };                 // Specify which hosts are allowed to query this server
    allow-transfer { 192.168.1.0/24; };   // Specify hosts that are allowed to receive zone
                                          // transfers from this server
    recursion yes;                        // Enable recursive queries
    allow-recursion { 192.168.1.0/24; };  // Specify which hosts can perform recursive queries.
    version "Surely you must be joking";  // Set version reported by ndc and when querying
                                          // version.bind in the chaos class
};

// The following controls who can access this server using rndc.
// Bind to 127.0.0.1 and allow only localhost access.
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {                             // Hints file containing root servers
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

zone "xyz.com" IN {                       // Forward lookup zone for xyz.com
    type master;                          // This is a master zone
    file "db.xyz.com";                    // Zone information stored in /var/named/db.xyz.com
    allow-update { none; };
};

zone "zyx.com" IN {                       // Forward lookup zone for zyx.com
    type master;                          // This is a master zone
    file "db.zyx.com";                    // Zone information stored in /var/named/db.zyx.com
    allow-update { none; };
};

zone "somedomain.com" IN {                // Forward lookup zone for somedomain.com
    type slave;                           // This is a slave zone
    file "db.somedomain.com";             // Optional for slave zones. If set, a copy of the zone
                                          // information is kept locally on disk under /var/named.
};

include "/etc/rndc.key";                  // Private key used for secure remote administration
See the end of the named.conf man page for more configuration examples.
SECURITY NOTE:
2. /etc/nsswitch.conf
o Not part of BIND, but must be setup correctly in order for local processes
to use BIND for host resolution.
o Partial example:
hosts: files dns
networks: files
protocols: files nisplus
The "hosts" line specifies that we should first check our local files (e.g.
/etc/hosts) for hostname resolution before consulting DNS services. The
"networks" line states that only our local files (e.g. /etc/networks) should
be consulted for network information. The "protocols" line says we should
first consult our local files (e.g. /etc/protocols) for protocol information,
and then consult nisplus services if it isn't found in our local files.
3. /etc/hosts
o Not part of BIND, but must be setup correctly in order for host resolution
to work.
4. /etc/resolv.conf
o Not part of BIND, but must be setup correctly in order for host resolution
to work.
2. Uses DNS root servers or another name server known as a forwarder to resolve
DNS queries.
3. To create a Forwarding Name Server, put the following line in the "options"
section of the /etc/named.conf file:
4. forwarders { 192.168.1.20; };
5. If you want BIND to only use its forwarders to resolve hosts and not the root name
servers, put the following line in the "options" section of the /etc/named.conf file:
6. forward only;
The "forwarders" option specifies which DNS server or servers queries should be
forwarded to for resolution.
19.4 Zones
1. Overview
o Specified in /etc/named.conf.
o "IN" after zone name is optional (see sample named.conf above for
example).
2. Master Zones
o Example:
zone "somedomain.com" {
    type master;
    file "db.somedomain.com";
    allow-transfer { 192.168.3.4; };
};
3. Slave Zones
o Provides backup service to "masters".
o Example:
zone "somedomain.com" {
    type slave;
    masters { 192.168.1.50; };
    file "db.somedomain.com";
};
o masters - Specifies the DNS server that is the "master" of this domain.
o file - Not required for slave. If specified, indicates the name of the local file
where the zone information is kept.
o When a slave server starts, it checks the serial number for the zone on the
master. If it's been updated, the slave performs a zone transfer to get the
latest information. If it hasn't, and the slave has the zone on disk (e.g. the
file directive was used), it will load the information directly from disk,
reducing network traffic.
o Zone name is created by reversing the octets in the network portion of the
IP address and appending .in-addr.arpa to it.
o Example:
zone "1.168.192.in-addr.arpa" {
    type master;
    file "db.1.168.192.in-addr.arpa";
};

zone "0.0.127.in-addr.arpa" {        // Loopback zone
    type master;                     // Should NEVER be a slave
    file "db.0.0.127.in-addr.arpa";
};
5. Root Zone
o Example:
zone "." {
    type hint;
    file "named.ca";                 // Contains root DNS servers
};
o Used when a query isn't resolvable by any of the other configured zones.
6. Zone Delegation
o Example. In the zone file for somedomain.com, put the following entries:
support.somedomain.com.       IN NS  ns.support.somedomain.com.
ns.support                    IN A   192.168.44.10

development.somedomain.com.   IN NS  ns.development.somedomain.com.
ns.development                IN A   192.168.45.10

o These are known as "glue" records that help queries go from one name
server to another.
o domain/@ - Optional. If left blank, defaults to the same value as the last
resource record. @ represents the domain name specified in
/etc/named.conf for the zone. Otherwise, any name specified will have the
domain appended to it unless it ends in a ".".
3. Character Restrictions
o Example:
@   1D  IN  SOA  ns  root (
                 2002011201  ; serial
                 3H          ; refresh
                 15M         ; retry
                 1W          ; expire
                 1D )        ; minimum

@   1D  IN  SOA  ns.somedomain.com.  root.somedomain.com. (
                 2002011201  ; serial
                 3H          ; refresh
                 15M         ; retry
                 1W          ; expire
                 1D )        ; minimum
Both of the above sample SOA RRs are identical when the $ORIGIN is
somedomain.com. The name server specified in the SOA record must be a
machine with an A record. You cannot use a machine name defined by a
CNAME record in the SOA record.
Component Definitions:
2. refresh - How often the slave servers should check the serial
number on the master for changes.
4. expire - How long a slave should use its DNS information without
a refresh from the master.
86400 = 24H = 1D
5. Name Server (NS)
o Every zone must have at least the master name server specified.
o Example:
@                IN NS ns1.somewhere.com.
somewhere.com.   IN NS ns2.somewhere.com.
                 IN NS ns3.somewhere.com.
All 3 lines refer to the same domain. The @ in the first line refers to the
origin (specified by the zone directive in /etc/named.conf). The second line
explicitly states the domain (notice the trailing "."). The third line doesn't
specify the domain or an @, so it defaults to the domain in the RR above it.
6. Address (A)
o Example:
ns1.somewhere.com.   IN A 192.168.20.10   ; FQDN specified. Notice trailing "."
ns2                  IN A 192.168.20.11   ; FQDN isn't required. In the last 4 lines,
ns3                  IN A 192.168.20.12   ; somewhere.com. is appended to ns2, ns3,
www                  IN A 192.168.20.15   ; www, and mail
mail                 IN A 192.168.20.20
o Example:
pop    IN CNAME mail
imap   IN CNAME mail
In this case, both pop and imap refer to the "mail" address (A) record in the
previous example.
8. Pointer (PTR)
o Requires a priority be specified right after the "MX" but before the
hostname. The lower the number, the higher the priority.
o Example:
@                IN MX 5  mail.somewhere.com.    ; Highest priority
somewhere.com.   IN MX 10 mail2.somewhere.com.
                 IN MX 15 mail3.somewhere.com.   ; Lowest priority
o Generally not a good idea to give out any host information due to security
concerns.
o Example:
mail   IN HINFO i686 Linux-2.4.18
www    IN HINFO i686 Linux-2.4.17-pre2
20. DHCP
20.1 Overview
1. Provides dynamic configuration and network information to hosts.
o IP address.
o DNS servers.
o Gateways.
o Domain name.
4. Superset of bootp.
6. Packages
o Server - dhcpd.
7. Ports
Example:
# Global Options (can also be specified for a specific subnet)
option nis-domain "secret_nis_domain";                    # Set NIS domain
option domain-name "somedomain.com";                      # Domain name assigned to client
option domain-name-servers 192.168.1.20, 192.168.1.21;    # DNS servers for domain
option netbios-name-servers 192.168.1.19;                 # WINS server
# Specifies host that the initial boot file should be loaded from
next-server boot-server;
# Default gateway
option routers 192.168.1.1;
# Static configuration - The host with the stated MAC address will
# always receive the IP address stated below.
host enterprise
{
    hardware ethernet 00:0a:cc:3a:1c:42;
    fixed-address 192.168.1.11;
}
}
2. /var/lib/dhcp/dhcpd.leases
o Default client.
o Common usage:
/sbin/dhcpcd -n -H eth0

-H   = Force dhcpcd to set the hostname of the host to the hostname option
       supplied by the DHCP server.
-n   = If dhcpcd is already running, send it an ALRM signal to cause it to
       attempt to renew its lease.
eth0 = Interface to configure.
2. pump
o Common usage:
/sbin/pump --lookup-hostname -i eth0

--lookup-hostname = Get hostname and domain name from DNS
-i                = Specifies interface to configure
21.1 Pieces
1. X Server
2. X Clients
3. X Protocol
o TUI based.
2. xf86config
o Character based.
o Xconfigurator recommended over this for exam.
3. SuperProbe
o Part of XFree86.
o Laptops - http://linux-laptop.net
21.5 Files
1. X Configuration
5. ~/.Xresources -
6. ~/.Xkbmap -
7. ~/.xmodmap -
o /etc/X11/
o /usr/X11R6/
1. bin/ - X binaries
2. lib/
modules/ - X server extensions/modules.
2. /etc/X11/X
o XFree 4.X
o XFree 3.X
3. Causes all x-clients to display with common features (title bar, minimize &
maximize buttons, etc.)
2. Handles authentication.
o xdm - /usr/bin/xsession
o kdm - /usr/bin/kwm
o gdm - /usr/bin/gnome-session
21.10 Starting X
1. startx
o /usr/X11R6/bin/startx
Basic Operation
if exists (~/.xinitrc)
client = ~/.xinitrc
else
client = /etc/X11/xinit/xinitrc
if exists (~/.xserverrc)
server = ~/.xserverrc
else
server = /etc/X11/xinit/xserverrc
# Authorization setup
xauth add $display_name . $magic_cookie
o /etc/X11/xinit/xinitrc
if exists (/etc/X11/Xresources)
    xrdb -merge /etc/X11/Xresources
if exists (~/.Xresources)
    xrdb -merge ~/.Xresources

if exists (/etc/X11/Xkbmap)
    setxkbmap `cat /etc/X11/Xkbmap`
if exists (~/.Xkbmap)
    setxkbmap `cat ~/.Xkbmap`

if exists (/etc/X11/Xmodmap)
    xmodmap /etc/X11/Xmodmap
if exists (~/.Xmodmap)
    xmodmap ~/.Xmodmap

execute any scripts in /etc/X11/xinit/xinitrc.d/

if exists (~/.Xclients)
    exec ~/.Xclients
else if exists (/etc/X11/xinit/Xclients)
    exec /etc/X11/xinit/Xclients
else
    exec fvwm2
o /etc/X11/xdm/xsession
Basic Operation
execute any scripts in /etc/X11/xinit/xinitrc.d/
if exists (~/.xsession)
exec ~/.xsession
else if exists (~/.Xclients)
exec ~/.Xclients
else if exists (/etc/X11/xinit/Xclients)
exec /etc/X11/xinit/Xclients
else
exec xsm
Where name is in the format of family:name. Family can be one of the following:
inet(default),dnet,nis,krb,local.
xhost + # Grant access from everywhere
xhost - # Revoke access from everywhere
xhost +server.domain.com # Grant access from server.domain.com
xhost -server.domain.com # Revoke access from server.domain.com
xhost +local:bob # Allow local user bob access
o Per client:
export DISPLAY=server.domain.com:0.0
o On local.xyz.com:
xhost +remote.xyz.com
o On remote.xyz.com:
export DISPLAY=local.xyz.com:0.0
xterm
4. SSH
21.12 Troubleshooting X
1. Startup Problems
o X starts, but window manager doesn't.
1. Check .xinitrc file to see if the window manager is exec'd at the end.
o X won't start.
2. Mouse Problems
o Run mouseconfig.
o Verify that the user can log in successfully from a virtual terminal.
o Rename the user's window manager configuration files and try again.
22. FTP
22.1 Packages.
1. anonftp
2. wu-ftpd
o Configuration files.
o Documentation.
2. /etc/ftpusers
List of users that are not allowed to use ftp. This file is
deprecated in RH 7.X. Use deny-uid/deny-gid in /etc/ftpaccess
instead.
3. /etc/ftphosts
4. /etc/ftpconversions
Specify file conversions that are to be performed by the ftp
server. It's commonly used to automatically compress and/or
decompress files on the fly for transfer.
5. /etc/ftpgroups
FINISH ME
6. /etc/xinetd.d/wu-ftpd
7. /etc/pam.d/ftp
22.3 Operation
1. Started by xinetd.
o User uses "anonymous" for login and their e-mail address for a password.
2. Real
o Can upload files to any directory where the unix file permissions permit it.
3. Guest
o Requires setup.
o User only has access to the directories within the chroot'd environment.
1. Put /bin/false in /etc/shells so it's recognized as a valid shell by the ftp server.
2. Change steve's shell to /bin/false (use chsh or edit /etc/passwd directly). This
prevents the user from logging in via normal means (telnet, ssh, etc.).
3. Edit /etc/passwd and append "/./" (without quotes) to the end of steve's home
directory.
Change:
steve:x:500:500::/home/steve:/bin/false
To:
steve:x:500:500::/home/steve/./:/bin/false
groupadd -r ftpchroot
10. Edit /etc/group and add user steve to the ftpchroot group.
11. Try to ftp to the server as user steve and see if it worked.
This states that any user who has a home directory of /var/ftp (e.g. anonymous
users) may upload into the incoming directory, but may not create
directories. Change the ownership to user root, group root with permissions 0400
so anonymous ftp users can't read the file.
3. Configure /etc/ftpaccess
4. virtual 192.168.1.10 root /var/virtualftp/somedomain.com
5. virtual 192.168.1.10 banner /var/virtualftp/somedomain.com/banner.msg
6. virtual 192.168.1.10 logfile /var/log/virtualftp/somedomain.com/xferlog
7. virtual 192.168.1.10 allow *
Note: The above directories will need to be created if they don't already exist.
The "root" option specifies the root path for the virtual ftp server.
The "banner" options specifies the location of the file containing
the banner message that is displayed at login. The "logfile"
options specifies where transfers should be logged to. The "allow"
option allows all users to login to the virtual ftp server. You could
also specify specific users to allow.
23.1 Overview
1. Packages
2. /etc/printcap.local
3. /etc/lpd.conf
4. /etc/lpd.perms
23.3 Utilities
1. printconf-gui/printconf-tui
2. lpc
o Disable/enable printers.
lpc start bj200    # Start a single printer
lpc stop bj200     # Stop a single printer
lpc start all      # Start all printers
o Reprint a job.
lpc redo bj200 7   # Reprint job 7 on printer bj200
3. lpr
4. lpq
5. lprm
6. checkpc
2. Samba
o Name of shared print service. This must include the server name (e.g.
//server1/bj200ex not bj200ex)
o User name to connect to the print share with (usually nobody or guest).
o The workgroup name of the Samba server providing the print service.
3. Novell
o server name/ip.
o printer name.
24.1 Overview
1. File sharing service.
3. Packages:
o nfs-utils
Provides:
3. rpciod -
o portmap
4. Ports
o The other NFS related services vary in the port numbers they use. Clients
contact portmap to find out the port number the other RPC services use.
5. Required Services
1. portmap
2. nfs
o NFS Client
1. portmap
2. nfslock
24.2 Configuration
1. /etc/exports
o Format:
<directory> <host or network>(options) <host or network>(options) ......
It is critical that there not be any spaces between the host/network and its
options.
o Example:
# Allow all hosts in the somewhere.com domain to mount /var/ftp/pub read-only
/var/ftp/pub    *.somewhere.com(ro)

# Allow all hosts to mount /var/www/html read-only and allow certain hosts to
# mount it read-write
/var/www/html   *(ro) 192.168.1.0/255.255.255.0(rw) 192.168.2.10(rw)

# Allow certain hosts to mount /usr read-only and another read-write as root
/usr            172.16.0.0/255.255.0.0(ro) 172.16.1.10(rw,no_root_squash)

# Allow access to /usr/local by everyone, but only as the anonymous user
/usr/local      *(ro,all_squash,anonuid=100,anongid=100)
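An added example, not from the original notes, that parses /etc/exports lines the way exportfs does and shows why the warning about spaces matters: a space between the host and its option list turns "(rw,no_root_squash)" into a separate client entry that exportfs treats as "*", so the directory is exported read-write, with root unsquashed, to every client. The exports text is constructed.

```python
import re

# /etc/exports parser and checker.  Added example, not from the notes.
# One client entry: optional host, then an optional (options) suffix.
CLIENT_RE = re.compile(r"^([^()\s]*)(?:\(([^()]*)\))?$")


def parse_exports_line(line):
    """Return (directory, [(client, [options]), ...]) or None for a blank
    or comment line.  A token that is only '(options)', which is what a
    stray space before the parenthesis produces, gets the client '*',
    matching how exportfs interprets it."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    directory, clients = fields[0], []
    for token in fields[1:]:
        m = CLIENT_RE.match(token)
        if not m:
            raise ValueError("malformed client entry %r" % token)
        host, opts = m.group(1), m.group(2)
        if host == "":
            host = "*"
        clients.append((host, opts.split(",") if opts else []))
    return directory, clients


def risky_exports(text):
    """Return (directory, reason) pairs for exports any client can mount
    read-write and for exports that leave root unsquashed for every client."""
    findings = []
    for line in text.splitlines():
        parsed = parse_exports_line(line)
        if parsed is None:
            continue
        directory, clients = parsed
        for host, opts in clients:
            if host == "*" and "rw" in opts:
                findings.append((directory, "read-write for every client"))
            if host == "*" and "no_root_squash" in opts:
                findings.append((directory, "root not squashed for every client"))
    return findings


# Constructed /etc/exports; the /usr line has the stray space warned about above.
CONSTRUCTED_EXPORTS = """\
# constructed sample
/var/ftp/pub  *.somewhere.com(ro)
/usr          172.16.1.10 (rw,no_root_squash)
/usr/local    *(ro,all_squash,anonuid=100,anongid=100)
"""
```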
o Restrictions
2. /etc/fstab
o Example:
server:/usr   /usr   nfs   user,soft,intr,rsize=8192,wsize=8192   0 0
If the default autofs setup is used, whenever someone accesses /misc/ftp, the
remote NFS share on 192.168.1.20 will be automatically mounted. The options
specified in the /etc/auto.misc have the same meaning as when they are used in
/etc/fstab.
o Example Usage:
exportfs -r    # Refresh the share listing after modifying /etc/exports.
               # This MUST be done in order for your changes to take effect.
exportfs -v    # Display a list of shared directories
exportfs -a    # Exports all shares listed in /etc/exports

# To export a filesystem not in /etc/exports
exportfs 192.168.1.0/255.255.255.0:/tmp

# Unexport a filesystem
exportfs -u 192.168.1.0/255.255.255.0:/tmp
2. showmount
o Does not require that any local NFS services be running in order to use it.
o Example Usage:
showmount -e 192.168.1.67    # Shows available shares on host 192.168.1.67
showmount -a 192.168.1.67    # Shows the clients connected to host 192.168.1.67
                             # and the shares they have mounted.
3. rpcinfo
o Example Usage:
rpcinfo -p 192.168.1.77    # Display list of RPC services running on 192.168.1.77
25.1 Overview
1. Central information database
2. Can provide user, group, name resolution, home directory, and authentication
information.
3. Packages
o ypserv - Provides the ypserv and yppasswdd daemons. ypserv provides the
NIS service and yppasswdd allows the user to change their password and
possibly their shell and GECOS information (see below).
o ypbind - Provides ypbind daemon that is used by clients to connect to an
NIS server.
4. Ports
Assigned by portmap.
6. Topology
o Multiple slave servers are allowed. This provides fault tolerance and load
sharing.
7. Limitations
1. Broadcast
2. /etc/yp.conf
2. Configuration
o Use authconfig to configure the client machine to use NIS. You must
specify the following:
o Configure /etc/nsswitch.conf.
Make sure that "nis" is listed for any information that will be
stored in NIS. For example:
passwd: files nis # Check for users in the local system file first, then
NIS
shadow: files nis # Same as above, only for the users' passwords
hosts: files nis dns # Check the local files, then NIS, then DNS for host
information
o ypmatch - Used to print the value of one or more keys in an NIS map.
For example, to print and entry for user steve in the passwd
file:
ypmatch steve passwd
This will set your domain name at bootup. To set it now, use the
domainname command:
domainname somedomain
SECURITY NOTE: The domain specified should not be the same as your
DNS domain. NIS domains should be kept secret in order to improve
security. If an NIS domain is known and the NIS server can be reached, any
client can connect to the domain.
o Master Servers
1. Make sure the host name has been changed to something other than
localhost.localdomain. This can cause problems for slave servers if
it's not changed.
2. Specify the networks that are allowed to connect to the NIS server
in /var/yp/securenets.
A few options:
NOPUSH=true # Set to false if you have slave servers
MERGE_PASSWD=true # Should we merge the shadow file with the password file?
MERGE_GROUP=true # Should we merge the gshadow file with the group file?
MINUID=500 # Lowest uid to include in the NIS map
MINGID=500 # Lowest gid to include in the NIS map
This does not appear to be a critical error. The NIS map is still
created.
If you only want to include login and group
information in your NIS map, you could use the
following instead of ypinit:
make passwd shadow group
Any time you change information on the master server that affects
the NIS map, you must re-run the "make" command. User
passwords are the exception to this rule. They are updated
automatically.
o Slave Servers
7. Execute ypinit:
/usr/lib/yp/ypinit -s <masterserver>
2. Replication
o ypxfr is similar to yppush except that it transfers the NIS map from the
NIS server to the localhost. It is usually invoked by ypinit or ypserv.
3. Debugging
6. Restart autofs.
26. LDAP
26.1 Overview
1. Distributed directory service.
3. Packages
4. Ports
o slurpd - ???
5. Terminology
o BaseDN - A server is responsible for all DNs that are within its BaseDN.
Example BaseDN:
o dc=somedomain, dc=com
o
o Migration
$DEFAULT_MAIL_DOMAIN
$DEFAULT_BASE
4. Change the ownership of the ldap database files so slapd can access
them:
chown -R ldap:ldap /var/lib/ldap
o Configuration
2. Access
Highly Configurable.
o Utilities include:
2. GUI
2. Configuration
o /etc/ldap.conf - Configuration file for nss ldap. Note that this is different
from the client configuration file /etc/openldap/ldap.conf.
Common Entries:
host 192.168.1.5 # LDAP server
base dc=xyz,dc=com # Base DN of database
binddn cn=binduser,dc=xyz,dc=com # DN to bind to the server with. Default is anonymous access.
bindpw super_secret # Password for user to bind with
rootbinddn cn=root,dc=xyz,dc=com # DN to bind to the server with when the unix uid is 0.
# Password is stored in /etc/ldap.secret in plaintext (mode 600)
ssl # Use TLS instead of plaintext communication
The rootbinddn is the DN used to attach to the LDAP database when the
userid = 0. It must be set to a DN with proper permissions (typically the
rootdn specified in /etc/openldap/slapd.conf) in order for root to update
user accounts using command line utilities like passwd, chsh, etc.
3. Troubleshooting
27. Samba
27.1 Overview
Samba provides SMB/CIFS services to clients. The smbd daemon
performs authentication, authorization, file, and print sharing services.
The nmbd daemon can act as a netbios name server as well as a WINS
server.
1. Packages
o samba-common
o samba-client
o samba
Contains the server side files.
o samba-swat
2. Ports
o smbd
o nmbd
27.2 Configuration
1. /etc/samba/smb.conf
o Sections
1. global
2. homes
3. printers
2. Global Configuration
o User/Password Options
1. Encrypted Passwords
OR
smbadduser steve:steve # <unix user>:<nt user>
smbpasswd -u steve
The user must exist in the unix system password files before being added
to the smbpasswd file. The default file created will be the
password file specified by the smb passwd file option in
/etc/samba/smb.conf.
2. username level
3. password level
# chat string
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*au$
o workgroup
o netbios name
o Restricting Hosts
The hosts allow option allows you to specify which hosts are
allowed to use the Samba service.
hosts allow = 192.168.1. 192.168.2. 192.168.3.20
o Printer Options
o printcap name = /etc/printcap # Specify printer definition file
o load printers = yes # Make all defined printers available to users
o printing = lprng # Specifies printing system used
o
o guest account
o WINS support
The second option is required and defaults to "host lmhosts wins bcast". It
specifies the order in which the various resources are consulted for netbios name
resolution.
6. wins - Query the host specified in the wins server option to resolve
the IP address.
o Authentication Methods
3. server - Samba validates the user using the server specified by the
password server parameter. The user must still be defined on the
unix system.
o Logging Options
o log file = /var/log/samba/%m.log
o max log size = 0
o
The first option specifies that an individual log will be kept for each
machine (%m) that connects to the server. The second option specifies a
size limit for the log file (zero = unlimited).
o Browser Options
o local master = yes # Allow Samba to participate in master browser elections
o os level = 35 # The higher the level, the better chance of winning the election
o preferred master = yes # Causes Samba to force an election upon startup
o domain master = yes # Allows Samba to collate browse lists between subnets
o
o Domain Options
o domain logons = yes # Causes Samba to become a domain logon server for Windows 95 machines.
o
o public
o browseable
o writable
o printable
o group
Specifies the unix file permission bits that will always be set
on any file created in this directory by Samba.
o directory mode
o write list
o path
o guest ok/public
o Special shares
1. [printers]
2. [homes]
3. [netlogon]
Specifies the netlogon directory for Domain Logons
4. Example Shares
27.3 Utilities
1. testparm
2. testprns
3. smbclient
4. nmblookup
5. smbmount
The credentials option specifies the file that contains the username/password pair
to use. Make sure this file is protected adequately. The credentials file should
contain:
username = steve
password = mypassword
Windows Clients
1. Windows 95 OSR2+ and Windows 98
Add a DWORD value with the name of EnablePlaintextPassword. Set its value to
0x01.
2. Windows NT
Domain Controller
1. Make sure Samba is the only PDC on the network.
4. Set the following options in the [global] section of your smb.conf file:
[global]
workgroup = MYGROUP
domain logons = yes
security = user
os level = 34
local master = yes
preferred master = yes
domain master = yes

[netlogon]
comment = Domain Logon Service
path = /var/samba/logon
public = no
writeable = no
browsable = no
NT Clients
If you have NT clients on your network, you must also add the
following option:
encrypted passwords = yes
NT clients also require a trust account. Trust accounts allow the machine to log in to
the PDC and become a member of the domain. Use the following steps to set up a
trust account on the Samba server for the NT client:
o Add a unix system account for the machine. The logon name will always
end in a "$". Your /etc/passwd entry should look similar to:
o endor$:x:1000:1000:Trust Account:/dev/null:/dev/null
o
The "-m" specifies that it is a machine trust account. The default password will
be set to the netbios name of the machine. The NT client should log into the
PDC as soon as possible so it can change the default password.
# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
printing = lprng
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%m.log
# Security mode. Most people will want user level security. See
# security_level.txt for details.
security = user
# This parameter will control whether or not Samba should obey PAM's
# account and session management directives. The default behavior is
# to use PAM for clear text authentication only and to ignore any
# account or session management. Note that Samba always ignores PAM
# for authentication in the case of encrypt passwords = yes
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /usr/local/samba/lib/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /usr/local/samba/profiles
; browseable = no
; guest ok = yes
# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /home/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %U option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/local/pc/%m
; public = no
; writable = yes
# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
28. Squid
28.1 Overview
1. HTTP and FTP caching proxy server.
4. Only recognizes HTTP on the client side, but will use both FTP and HTTP on the
server side.
6. Ports
o For accelerator mode, clients will typically connect to TCP port 80.
28.2 Configuration
1. /etc/squid/squid.conf
Configuration example:
# Host Name            Type     Proxy Port  ICP Port
cache_peer parentcache.xyz.com parent 3128 3130
cache_peer childcache1.xyz.com sibling 3128 3130
cache_peer childcache2.xyz.com sibling 3128 3130
o Access Control Lists - Squid has very extensive ACLs for controlling access.
o Cache initialization.
29. INND
29.1 Overview
1. Provides Network News Transport Protocol (NNTP) service.
4. Package: inn
29.2 Configuration
1. /etc/news/
o inn.conf
o incoming.conf
o newsfeeds
The colon is the field delimiter used above. The format of the above line
is:
sitename[/exclude,exclude,...]:pattern,pattern,...
[/distrib,distrib,..]:flag,flag,...:param
Options:
1. sitename - Names the site to which this feed relates. It can be called
anything you want and does not have to be the domain name of the
site.
4. param - Meaning varies depending on the feed type. When the feed
type is "file" as in the example above, it specifies the file to write an
entry to when an article is received. If not an absolute path, it is
relative to the "pathoutgoing" option in inn.conf.
2. Run inncheck to correct any permissions problems and catch any configuration
file errors.
o Use inncheck.
o telnet to port 119 and see if a banner comes up with (posting allowed).
30. NTP
30.1 Overview
1. Network Time Protocol
o Each server is at a certain stratum. The lower the stratum, the closer it is to
an external source of UTC.
o A stratum 2 server gets its time from a stratum 1 server. A stratum 3 gets it
from a stratum 2, and so on.
o NTP never runs a system clock backwards, but can slow it down if it's
running too fast.
o When NTP is first started, it starts to compute the frequency of the clock on
the computer it's running on. It usually takes a day or so for NTP to
determine the error or "drift" of the local clock. This "drift" is stored in a
local file so it doesn't have to be recomputed if NTP is restarted.
2. Packages
ntp
3. Port
UDP 123
30.2 Configuration
1. /etc/ntp.conf
o Example:
o server rackety.udel.edu
o server umd1.umd.edu
o server lilben.tn.cornell.edu
o
o driftfile /etc/ntp/drift
o
The "server" keyword is used to indicate the servers that should be used to
synchronize to UTC. This host can receive synchronization from one of the
listed servers, but cannot provide it to them.
31. PPP
31.1 Overview
1. Point-to-Point Protocol.
3. Packages
o ppp - Provides pppd daemon and other tools necessary to setup a ppp client
or server.
o rp-pppoe - Required for ADSL connections that run PPP over Ethernet.
3. Configuration Steps:
o Edit /etc/wvdial.conf and specify the phone number, login name, and
password that's needed to login to your ISP. Uncomment the 3 lines that
already exist for this purpose and fill in the necessary information.
2. Configure mgetty to listen on your serial port. In /etc/inittab put an entry
similar to the following:
# mgetty handles the serial line (mingetty is for virtual consoles only)
ppp0:35:respawn:/sbin/mgetty ttyS0
3. Then, you must tell mgetty to perform automatic PPP negotiation. Put the
following line in /etc/mgetty+sendfax/login.conf:
/AutoPPP/ - - /usr/sbin/pppd auth -chap +pap login
32. OpenSSH
32.1 Overview
1. Replaces insecure network communication applications.
4. Packages
5. Ports
o sshd - TCP 22
32.2 Configuration
1. /etc/ssh/
Sample options:
Port 22 # Port to bind to
Protocol 2,1 # Protocol versions and order to use them in.
#ListenAddress 0.0.0.0 # Bind to all addresses.
ListenAddress 192.168.1.20 # Bind to a specific interface.
HostKey /etc/ssh/ssh_host_key # Specify Host key files
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768 # Size of server key for SSHv1 protocol
LoginGraceTime 600
KeyRegenerationInterval 3600 # How often server key is regenerated in SSHv1 protocol
PermitRootLogin no # Don't allow root to login directly
IgnoreRhosts yes # Ignore .rhosts files
IgnoreUserKnownHosts yes # Ignore user's known_hosts files.
StrictModes yes # Tells sshd to check file modes and ownership of user files before allowing login
X11Forwarding yes # Permit X11 Forwarding
X11DisplayOffset 10 # Specifies which display to use when forwarding
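The following is an added example and is not part of this study guide: a small Python script that reads an sshd_config-style text and flags the settings from the sample above that weaken the server (SSHv1 enabled, direct root login, .rhosts honoured, StrictModes off, X11 forwarding on). The sample configuration text and the defaults applied when a keyword is absent are constructed for the example; the defaults are assumed to match the OpenSSH releases of this guide's era.

```python
from __future__ import annotations

# Constructed sample for this example (not the study guide's own file).
# sshd keeps the FIRST occurrence of a keyword, so the second Port is ignored.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2,1
ListenAddress 192.168.1.20
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
X11Forwarding yes
#PasswordAuthentication yes
Port 2222
"""

# Assumed defaults for absent keywords (OpenSSH of this era: Protocol 2,1,
# PermitRootLogin yes). Adjust to the release actually installed.
ASSUMED_DEFAULTS = {
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "ignorerhosts": "yes",
    "strictmodes": "yes",
    "x11forwarding": "no",
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective keyword -> value map (keywords lower-cased).
    Lines starting with '#' are comments, not settings, and only the first
    occurrence of a keyword counts, as in sshd itself."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Both "Keyword value" and "Keyword=value" are accepted by sshd.
        key, _, value = line.replace("=", " ", 1).partition(" ")
        settings.setdefault(key.lower(), value.strip())
    return settings


def effective(cfg: dict[str, str], key: str) -> str:
    """Value from the file, or the assumed default when the keyword is absent."""
    return cfg.get(key, ASSUMED_DEFAULTS[key])


def audit_sshd_config(text: str) -> list[str]:
    """Flag the weak settings discussed above; an empty list means nothing flagged."""
    cfg = parse_sshd_config(text)
    findings: list[str] = []
    if "1" in {p.strip() for p in effective(cfg, "protocol").split(",")}:
        findings.append("Protocol: SSHv1 enabled; set 'Protocol 2'")
    if effective(cfg, "permitrootlogin") != "no":
        findings.append("PermitRootLogin: root may log in directly; set 'PermitRootLogin no'")
    if effective(cfg, "ignorerhosts") != "yes":
        findings.append("IgnoreRhosts: .rhosts files honoured; set 'IgnoreRhosts yes'")
    if effective(cfg, "strictmodes") != "yes":
        findings.append("StrictModes: ownership/mode checks off; set 'StrictModes yes'")
    if effective(cfg, "x11forwarding") == "yes":
        findings.append("X11Forwarding: enabled; disable unless it is needed")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(finding)
```

Run against the sample it reports the SSHv1 and X11 findings only; an empty file is reported against the assumed defaults, which is the point of the defaults table: a keyword that is missing still has a value.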
Default configuration:
# Site-wide defaults for various options
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsAuthentication no
# RhostsRSAAuthentication yes
# RSAAuthentication yes
# PasswordAuthentication yes
# FallBackToRsh no
# UseRsh no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking yes
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_rsa
# Port 22
# Protocol 2,1
# Cipher blowfish
# EscapeChar ~
by sshd
1. password - Sent securely through encrypted tunnel.
2. Public Key - Put public key in ~/.ssh/authorized_keys on remote host. Private key
is then used to authenticate user with remote host.
3. Kerberos
4. s/key
5. SecureID
32.6 Keys
1. Generate with ssh-keygen.
ssh-keygen -b 1024 # Generate 1024 bit RSA key for SSHv1 protocol
ssh-keygen -t dsa -b 1024 # Generate a 1024 bit DSA key for SSHv2 protocol
ssh-keygen -t rsa -b 1024 # Generate a 1024 bit RSA key for SSHv2 protocol
2. Key Location:
33. Security
o Special keywords
1. ALL - Can be used to represent all clients and/or all services. For
example, to deny access to every service from all clients, place the
following in /etc/hosts.deny
ALL:ALL
10. PARANOID - All hosts where the forward and reverse lookups do
not match.
3. tcpd
o The tcpd program checks permissions and launches the specified service if
access is permitted.
4. libwrap
o Many programs in Red Hat Linux are compiled against libwrap. These
include:
o sendmail
o slapd
o sshd
o stunnel
o tcpd
o xinetd # This includes all services executed by xinetd
o gdm
o gnome-session
o ORBit
o portmap
o
5. Options
o Can be used to execute a command when a rule match occurs. For example,
to e-mail root a warning message every time someone tries to telnet in from
cracker.org, put the following in /etc/hosts.deny:
o in.telnetd: .cracker.org : spawn echo \
o "login attempt from %c to %s" | \
o mail -s "Telnet login warning" root
o
o Variable replacements:
o %c - client information (user@host)
o %s - service information (service@host)
o %h - client's hostname or IP address if hostname is unavailable
o %p - The server process id
o
6. Example Setup
o /etc/hosts.allow
o /etc/hosts.deny
o TCP Wrappers are checked first. If TCP Wrappers permits access, then
xinetd's access controls are checked.
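The following is an added example, not part of this study guide: a Python model of how tcpd/libwrap reaches a decision from /etc/hosts.allow and /etc/hosts.deny (hosts.allow is consulted first, then hosts.deny, and access is granted when neither matches), together with the %c/%s/%h/%p expansion of a spawn option. The two rule files, the client records, the server host name "gateway" and the process id are constructed for the example; EXCEPT lists and the KNOWN/UNKNOWN/LOCAL wildcards are not modelled.

```python
from __future__ import annotations
from dataclasses import dataclass
import re

# Constructed rule files for this example (not the study guide's own).
HOSTS_ALLOW = """\
# the internal LAN may reach every wrapped service; developers may reach sshd
ALL: 192.168.1.0/255.255.255.0
sshd: .example.com
"""
HOSTS_DENY = """\
in.telnetd: .cracker.org : spawn echo "login attempt from %c to %s" | mail -s "Telnet login warning" root
ALL: PARANOID
ALL: ALL
"""


@dataclass
class Client:
    addr: str
    hostname: str | None = None   # None when the reverse lookup failed
    user: str | None = None       # remote user name when an ident lookup succeeded
    paranoid: bool = False        # forward and reverse lookups did not match


def parse_rules(text: str) -> list[tuple[str, str, str | None]]:
    """Split 'daemon_list : client_list [: option]' lines; '#' lines are comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        option = fields[2] if len(fields) > 2 else None
        rules.append((fields[0], fields[1], option))
    return rules


def _ip_int(addr: str) -> int:
    a, b, c, d = (int(p) for p in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def client_matches(pattern: str, client: Client) -> bool:
    """One client pattern against one client, following hosts_access(5)."""
    name = (client.hostname or "").lower()
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return client.paranoid
    if pattern.startswith("."):            # domain suffix, e.g. .cracker.org
        return name.endswith(pattern.lower())
    if pattern.endswith("."):              # address prefix, e.g. 192.168.
        return client.addr.startswith(pattern)
    if "/" in pattern:                     # net/mask, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return _ip_int(client.addr) & _ip_int(mask) == _ip_int(net) & _ip_int(mask)
    return pattern == client.addr or pattern.lower() == name


def daemon_matches(pattern: str, service: str) -> bool:
    return pattern == "ALL" or pattern == service


def _any(field: str, pred) -> bool:
    """Lists may be separated by commas or blanks."""
    return any(pred(p) for p in re.split(r"[,\s]+", field) if p)


def find_match(rules, service: str, client: Client):
    for daemons, clients, option in rules:
        if _any(daemons, lambda p: daemon_matches(p, service)) and \
           _any(clients, lambda p: client_matches(p, client)):
            return daemons, clients, option
    return None


def decide(allow_text: str, deny_text: str, service: str, client: Client):
    """tcpd's order: a hosts.allow match grants, otherwise a hosts.deny match
    denies, otherwise access is granted. Returns (verdict, option or None)."""
    hit = find_match(parse_rules(allow_text), service, client)
    if hit:
        return "allow", hit[2]
    hit = find_match(parse_rules(deny_text), service, client)
    if hit:
        return "deny", hit[2]
    return "allow", None


def expand(option: str, service: str, client: Client,
           server_host: str = "gateway", pid: int = 4242) -> str:
    """Expand the %c/%s/%h/%p replacements listed above (server_host and pid
    are constructed values; tcpd fills them from the running process)."""
    host = client.hostname or client.addr
    subst = {"%c": f"{client.user}@{host}" if client.user else host,
             "%s": f"{service}@{server_host}", "%h": host, "%p": str(pid)}
    return re.sub(r"%[csph]", lambda m: subst[m.group(0)], option)
```

Note that the trailing "ALL: ALL" in hosts.deny only bites when nothing in hosts.allow matched, and that a PARANOID client has no usable host name, so domain-suffix patterns in hosts.allow never match it.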
2. Access Controls
NOTE: If both only_from and no_access are specified, the more specific one
wins. In this case no_access wins because it specifies a
specific host within the 192.168.1.0/24 network.
33.3 IPCHAINS
1. Overview
o Format:
o ipchains [action] [chain] [options] [target]
o ipchains -A input -i eth0 -p tcp -s 192.168.1.20 -d 0.0.0.0 -j ACCEPT
o
2. Capabilities
o Actions
o -A = Append rule to end of chain
o -I = Insert rule at beginning of chain
o -D = Delete existing rule in chain
o -N = Create new chain
o -X = Delete a chain (user defined only)
o -P = Set default policy for chain (ACCEPT, DENY, or REJECT)
o -F = Flush all rules in a chain
o -L = List existing rules (can specify a specific chain)
o
o Options
o -i = Interface (eth0, eth1, lo)
o -p = Protocol (udp,tcp,icmp, or the protocol number)
o -s = Source address of packet (192.168.1.20, 192.168.1.0/24, etc.)
o Can also include the source port for tcp/udp (192.168.1.20 80)
o -d = Same as -s, only for the destination address
o -y = Matches a packet that has only the SYN flag set (First step in TCP
handshake)
o -l = Log the packet
o
o --source-port = Specify a source port without a source address
o --destination-port = Specify a destination port without a destination
address
o
o Targets
o DENY = Drop packet without sending any sort of response to the
source
o REJECT = Drop packet, but send the source an ICMP error message
o ACCEPT = Accept the packet
o <CHAIN> = Specify a user defined chain to jump to for further
processing
o
3. Examples
# Set the default Policies to DENY
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY

# Allow all incoming tcp connections on interface eth0 to port 80 (www)
ipchains -A input -i eth0 -p tcp -s 0.0.0.0 1024: --destination-port 80 -j ACCEPT

# We must also allow packets back out in order for the connection to work
ipchains -A output -i eth0 -p tcp --source-port 80 -d 0.0.0.0 1024: -j ACCEPT

# Allow outgoing connections to other web servers
ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0 80 -j ACCEPT
ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0 81 -j ACCEPT
ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0 443 -j ACCEPT

# We must now allow TCP packets back in on ports >= 1024 to complete the connection. However,
# we don't want to allow any packet through with the SYN flag set since that would indicate
# someone is trying to make a connection to us.
ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0 80 --destination-port 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0 81 --destination-port 1024: -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0 443 --destination-port 1024: -j ACCEPT

# Allow external access to our DNS services.
ipchains -A input -i eth0 -p udp --destination-port 53 -j ACCEPT
ipchains -A output -i eth0 -p udp --source-port 53 -j ACCEPT

# If you leave out a source (-s) or destination (-d) address it's like specifying 0.0.0.0
# for it.

#
# MASQUERADING
#
# In these examples, eth0 is the external interface on the firewall, and eth1 is the
# internal interface.

# Set Masquerade Timeouts
# Set a 2 hour (7200 sec) time out for TCP session timeouts
# Set a 15 second timeout for TCP/IP traffic after a FIN is received
# Set a 3 minute (180 sec) time out for UDP traffic
/sbin/ipchains -M -S 7200 15 180

# Set up the Masquerading
# Remember that the default policy is set to DENY above. Otherwise we would set it here.
/sbin/ipchains -A forward -i eth0 -s $INTERNAL_LAN -j MASQ
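The following is an added example, not part of this study guide: a Python model of how a packet walks an ipchains-style chain, first match wins, and falls through to the chain's default policy when nothing matches. The input chain from the examples above is transcribed into rule objects (addresses written in CIDR form, so 0.0.0.0/0 stands for the guide's "0.0.0.0" meaning any host), and the packets, including our own address 198.51.100.1, are constructed. It shows why the "! -y" rules let replies from a web server in while refusing a connection attempt that merely uses source port 80.

```python
from __future__ import annotations
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False   # True when only the SYN flag is set (what ipchains -y tests)


@dataclass(frozen=True)
class Rule:
    target: str                  # ACCEPT, DENY or REJECT
    iface: str | None = None     # -i
    proto: str | None = None     # -p
    src: str = "0.0.0.0/0"       # -s, in CIDR form here
    sport: str | None = None     # port spec: "80", "1024:" or ":1023"
    dst: str = "0.0.0.0/0"       # -d
    dport: str | None = None
    syn: bool | None = None      # True = -y, False = ! -y, None = not tested


def port_in_spec(port: int, spec: str | None) -> bool:
    """Match a port against an ipchains-style port or port-range spec."""
    if spec is None:
        return True
    lo, sep, hi = spec.partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return low <= port <= high


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if not (port_in_spec(pkt.sport, rule.sport) and port_in_spec(pkt.dport, rule.dport)):
        return False
    return rule.syn is None or rule.syn == pkt.syn_only


def evaluate(chain: list[Rule], policy: str, pkt: Packet) -> tuple[str, int | None]:
    """Walk the chain top to bottom; the first matching rule decides. When no
    rule matches the default policy applies and the rule index is None."""
    for index, rule in enumerate(chain):
        if rule_matches(rule, pkt):
            return rule.target, index
    return policy, None


# The 'input' chain from the example above, transcribed into Rule objects.
INPUT_POLICY = "DENY"
INPUT_CHAIN = [
    Rule("ACCEPT", iface="eth0", proto="tcp", sport="1024:", dport="80"),
    Rule("ACCEPT", iface="eth0", proto="tcp", syn=False, sport="80", dport="1024:"),
    Rule("ACCEPT", iface="eth0", proto="tcp", syn=False, sport="81", dport="1024:"),
    Rule("ACCEPT", iface="eth0", proto="tcp", syn=False, sport="443", dport="1024:"),
    Rule("ACCEPT", iface="eth0", proto="udp", dport="53"),
]

# Constructed packets; our own host is 198.51.100.1 on eth0.
WEB_REQUEST = Packet("eth0", "tcp", "203.0.113.5", 40000, "198.51.100.1", 80, syn_only=True)
WEB_REPLY = Packet("eth0", "tcp", "203.0.113.80", 80, "198.51.100.1", 51000)
SYN_FROM_PORT_80 = Packet("eth0", "tcp", "203.0.113.80", 80, "198.51.100.1", 51000, syn_only=True)
SSH_ATTEMPT = Packet("eth0", "tcp", "203.0.113.5", 40000, "198.51.100.1", 22, syn_only=True)

if __name__ == "__main__":
    for name, pkt in [("web request", WEB_REQUEST), ("web reply", WEB_REPLY),
                      ("SYN from port 80", SYN_FROM_PORT_80), ("ssh attempt", SSH_ATTEMPT)]:
        print(f"{name:18} -> {evaluate(INPUT_CHAIN, INPUT_POLICY, pkt)}")
```

The reply from port 80 to a high port is accepted by the second rule only because its SYN flag is not set alone; the same packet with SYN set matches nothing and is denied by the default policy, which is the behaviour the comment block above describes.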
1. Connection Tracking.
2. Rate Limiting.
4. Many more filtering options: All TCP flags, MAC addresses, user,
etc.
5. Improved logging.
o Format
o iptables [table] [action] [chain] [options] [target]
o iptables -t filter -A INPUT -m state --state NEW -p tcp -s 192.168.1.0/24 -j ACCEPT
o
2. Capabilities
o Table - Specifies which table the chain applies to: nat, filter, or mangle.
o Options
o -i = Input interface (eth0, eth1, lo)
o -o = Output interface (eth0, eth1, lo)
o -p = Protocol (udp,tcp,icmp, or the protocol number)
o -s = Source address of packet (192.168.1.20, 192.168.1.0/24, etc.)
o -d = Same as -s, only for the destination address
o -m = Specify an extension module to load (e.g. -m state). This must be the first option specified if it is used
o
o --sport = Source port
o --dport = Destination port
o
o Targets
o # 3 Default Targets
o DROP = DROP the packet without returning an indication that it was
dropped to the source
o ACCEPT = Accept the packet
o <CHAIN> = A user defined chain
o
o # Additional Targets provided by modules:
o LOG = Log the packet
o REJECT = Reject the packet and send the source a user defined response (defaults to an icmp error message)
o
o Connection Tracking
o Packet STATES:
o NEW = A new connection
o ESTABLISHED = Packet is part of an existing connection
o RELATED = Packet is related to an existing connection (e.g. ICMP error messages)
o INVALID = Packet doesn't belong to any other connection
3. Examples
# Set the default policies to DROP (iptables has no DENY target; DROP is the equivalent)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow all incoming tcp connections on interface eth0 to port 80 (www)
# (0.0.0.0/0 means any address; a bare 0.0.0.0 is read by iptables as a single host)
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024: --dport 80 -j ACCEPT

# We must also allow packets back out in order for the connection to work since we aren't
# using connection tracking
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -d 0.0.0.0/0 --dport 1024: -j ACCEPT

# Allow outgoing connections to all ports, and use connection tracking so
# we don't have to create rules to allow us to receive the packets coming back.
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED \
-o eth0 -p tcp --sport 1024: -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED \
-i eth0 -p tcp --dport 1024: -j ACCEPT

# Allow external access to our DNS services, and keep state on the connection.
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED \
-i eth0 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED \
-o eth0 -p udp --sport 53 -j ACCEPT

# Redirect all incoming traffic that hits port 8080 to port 80 on a web server
# in our internal LAN
iptables -t nat -A PREROUTING \
-p tcp -i eth0 --dport 8080 \
-j DNAT --to 192.168.1.10:80

# Source NAT
iptables -t nat -A POSTROUTING \
-o eth0 -s 192.168.1.0/24 \
-j SNAT --to-source $EXTERNAL_IP_ADDRESS

# Allow ICMP echo requests, but limit them to 1 per second. A burst of 3 will allow
# a burst of up to 3 ICMP packets before the rate limiting kicks in.
iptables -A INPUT -i eth0 -p icmp --icmp-type 8 \
-m state --state NEW,ESTABLISHED \
-m limit --limit 1/s --limit-burst 3 \
-j ACCEPT

iptables -A OUTPUT -o eth0 -p icmp -m state --state ESTABLISHED -j ACCEPT
34.1 Overview
1. Keeps track of user processes.
2. Originally intended as a way to keep track of resources in order to bill
departments/users for their usage.
3. Packages
psacct
Examples:
ac # Print total connection time.
ac -dp # Give daily (-d) connection totals by person (-p)
ac --complain # Print out any problems in wtmp file (time-warps, missing records, etc.)
Examples:
sa # Print information about all commands in the process accounting file
sa -u # Print command information by user
Examples:
lastcomm # Display all commands executed on system
lastcomm rm # Display information about all invocations of the 'rm' command
35. Kickstart
35.1 Overview
1. Kickstart provides a way to do automated installations.
2. The Kickstart configuration file (ks.cfg) answers all the questions that are normally
asked during a normal install.
o Language Selection
o Mouse Configuration
o Keyboard Selection/Configuration
o Disk Partitioning
o Network Configuration
o Firewall Configuration
o Package Selection
4. Packages
o Command Section
o %package Section
2. mkkickstart
3. ksconfig
o ks.cfg file must be accessible from NFS, FTP, HTTP, or Samba (although
I've only been able to get it to work when the ks.cfg file is on NFS).
2. Local
2. When the SYSLINUX installation screen comes up, specify one of the following
options:
o ks=floppy dd - When ks.cfg is located on the floppy and you need a driver
disk.
o By default, it is assumed that the ks.cfg file will be on the same server as
the DHCP/BOOTP server. To specify a different server for the ks.cfg file,
specify the following in the /etc/dhcpd.conf file:
o filename "/path/to/ks.cfg"
o next-server <hostname or IP>
o
If the path specified in the "filename" clause ends with a "/", then the file
that is looked for is: "/specified/path/<IP>-kickstart" where <IP> is the IP
address of the machine making the request.
2. If you don't wish to use DHCP to specify the location of the kickstart file, you can
specify one of the options listed above to point to the location of the ks.cfg file.
3. To install from NFS, the following directive must be used in the ks.cfg file right
after the "install" directive:
nfs --server <server> --dir <dir>
4. To install from HTTP or FTP, the following directive must be used in the ks.cfg
file right after the "install" directive:
url --url http://<server>/path
url --url ftp://<server>/path
36.1 Overview
1. Mail processor.
4. Package: procmail
5. Flags
6. Special characters
o :
o *
o !
o Pipe (|)
37.1 Overview
1. Package
o imap
2. Ports
37.2 Setup
1. Executed by xinetd.
38.1 Overview
1. Why use it?
2. Packages
o gnupg - Used to ensure integrity and encrypt files (e.g. data, e-mail, etc.)
o OpenSSH - A secure replacement for ftp, telnet, rsh, rlogin, etc. Covered
elsewhere.
2. One-Way Hashes
o One-Way hashes take input of any length and create a fixed length output
string known as a fingerprint.
o If any part of the input data changes, it will create a different fingerprint.
o "One-way" means you can't recreate the original data from the fingerprint.
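The following is an added example, not part of this study guide: it shows the three properties above with Python's hashlib, namely a fixed-length fingerprint for input of any length, a different fingerprint after a single-bit change, and how a stored list of fingerprints (a manifest of the kind sha256sum -c or a file-integrity checker reads) detects modified, missing or unexpected files. The file names and contents are constructed.

```python
from __future__ import annotations
import hashlib


def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Hex fingerprint of data; its length depends only on the algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def flip_one_bit(data: bytes, bit_index: int = 0) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two same-length fingerprints differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Record one fingerprint per file name: the stored baseline."""
    return {name: fingerprint(content) for name, content in files.items()}


def verify_manifest(manifest: dict[str, str], files: dict[str, bytes]) -> list[str]:
    """Names whose content no longer matches the baseline, plus names that have
    disappeared or appeared since the baseline was taken; [] means intact."""
    problems = [name for name, expected in manifest.items()
                if name not in files or fingerprint(files[name]) != expected]
    problems += [name for name in files if name not in manifest]
    return sorted(problems)


# Constructed "file system" for the example (names and contents are made up).
BASELINE_FILES = {
    "bin/ls": b"\x7fELF constructed binary image, not a real ls\n",
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
}
BASELINE_MANIFEST = build_manifest(BASELINE_FILES)

if __name__ == "__main__":
    tampered = dict(BASELINE_FILES)
    tampered["bin/ls"] = flip_one_bit(BASELINE_FILES["bin/ls"], 5)
    print("changed:", verify_manifest(BASELINE_MANIFEST, tampered))
    print("bits differing:", differing_bits(fingerprint(BASELINE_FILES["bin/ls"]),
                                             fingerprint(tampered["bin/ls"])))
```

The manifest itself must be stored where an intruder cannot rewrite it (read-only media or a separate host), otherwise a modified file can simply be paired with its new fingerprint; that is the gap a detached digital signature over the manifest, as described below, closes.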
3. Symmetric Encryption
o The same key is used to both encrypt and decrypt the data.
o Utilities that use symmetric encryption: passwd (traditional unix), gpg, and
openssl.
4. Asymmetric Encryption
o Standard Operation
2. The Recipient then publishes public key P and keeps private key S a
secret.
o Digital Signatures
4. Detached Signatures
1. This can be used so that only the Recipient can decrypt a message,
while at the same time verifying that it was sent by the Sender.
2. Process:
1. Country
2. Province or State
3. Organization Name
4. Common Name
5. E-mail
Period of validity.
4. The one-way hash is then encrypted with the CA's private key
creating a detached digital signature.
4. Viewing Keys
gpg --list-keys # View public keys
gpg --list-secret-keys # View private keys
You will be prompted for the filename to use for the output of the decryption
process.
o Long Way
o openssl req -new -newkey rsa:1024 -nodes -x509 -keyout ~/key -out ~/cert
o echo >> ~/key
o cat ~/cert >> ~/key
o echo >> ~/key
o mv ~/key /usr/share/ssl/certs/give_me_a_name.pem
o rm ~/cert
o
o Short Way
o cd /usr/share/ssl/certs
o make give_me_a_name.pem
o
39. stunnel
39.1 Overview
1. Provides encryption services for applications without modifying the application.
3. Packages
stunnel
39.2 Configuration
1. Create stunnel.pem
# Generate private key and certificate
openssl req -new -newkey rsa:1024 -nodes -x509 -keyout /tmp/key -out /tmp/cert

# Create stunnel.pem
echo >> /tmp/key
cat /tmp/cert >> /tmp/key
echo >> /tmp/key
rm /tmp/cert
mv /tmp/key /usr/share/ssl/certs/stunnel.pem
chmod 600 /usr/share/ssl/certs/stunnel.pem
-OR-
cd /usr/share/ssl/certs
make stunnel.pem
This starts stunnel in daemon mode (-d) and causes it to listen on port 993 of
interface 192.168.1.20. Incoming connections received on port 993 are then
redirected to port 143.
You will need to use "localhost.143" as the service name in /etc/hosts.allow and
/etc/hosts.deny.
The first line says that pop3.somedomain.com hosts our pop3 account and that we
will contact it using the pop3 protocol. The second line states that the user account
on the pop3 server is steve and our local account is gandalf. The last line contains
our password for the pop3 account.
Use the "-v" option to cause fetchmail to be more verbose during mail retrieval.
This document will in no way prepare you for the RHCE exam by itself.
You need a lot of hands on experience. I recommend taking some of Red
Hat's excellent training courses. If you live in or near Denver, consider
yourself lucky. The instructor there is excellent in my opinion.
Since I have now taken the exam, I will not be making any updates to
this study guide except to correct errors. If you find an error in any of
the information provided in this study guide, please report it to me per
the instructions at the top of this document.
41.3 Copyright
This document is copyright(c) 2002 Steve Bremer. I've gathered this
information from various sources including but not limited to:
1. The Manuals that come with Red Hat Linux.
2. Red Hat Certified Engineer Linux Study Guide 2nd Edition from Global
Knowledge (with the aid of Syngress Media, Inc. and Osborne McGraw-Hill)
3. Materials provided by Red Hat in their excellent training courses that I've taken.
5. Man pages.
I've always tried to give credit where credit is due if I've copied
anything directly out of one of the above mentioned documents. If you
noticed any place where I've failed to do so, please contact me via e-mail.