LinuxCBT_EL-5_Edition_Notes.txt

###LinuxCBT EL-5 Edition###
Focuses on: RedHat Enterprise v5x
Successor to LinuxCBT EL-4 Edition, which succeeds LinuxCBT Classic Edition

Features:
1. 2.6x kernel (2.6.18)
   a. 'uname -a' returns OS/Kernel information
   Note: 'uname -a' returns the following useful info:
      1. OS - Linux
      2. Fully Qualified Domain Name (FQDN)
      3. Kernel version - 2.6.18...
         a. 2.6 = major version
         b. .18 = minor version
         c. anything else after the minor version indicates that the kernel was patched by the distributor
      4. Date and time that the kernel was compiled
2. Supports multiple versions:
   a. Basic - Red Hat Enterprise Linux Server
      a1. supports 2 physical (Socket) CPUs
      a2. Up to 4 virtual guests
   b. Advanced Platform
      b1. supports unlimited physical CPUs
      b2. supports unlimited virtual guests
   Note: Virtualization limits pertain to the virtualization technology included with Red Hat Enterprise Linux, NOT third-party software (VMWare)
3. Supports the following platforms:
   a. Intel 32/64-bits
   b. AMD 32/64-bits
   c. IBM - POWER and z-series, S/390
   Note: Memory limitation is based on hardware

Note: Common uses of the various versions of RHEL
1. RHEL Basic Version
   a. File & Print
   b. Web server
   c. Infrastructure server (DHCP, DNS, Proxy, etc.)
2. RHEL Advanced Version
   a. Application server (Apache Tomcat, JBOSS, Weblogic, WebSphere, etc.)
   b. Database server (MySQL, PostgreSQL, Oracle, Ingres, etc.)
   c. Clustering

###Kickstart Configurator###
Features:
1. Hands-free, automated installation
2. Scripted installation
3. Script can be used on multiple systems
Note: 'system-config-kickstart' is NOT installed by default

Steps:
1. Open previously created 'anaconda-ks.cfg' file and modify
2. Define partitions accordingly
3. Confirm settings

4. Publish the 'ks.cfg' file to HTTP server
5. Install server using the following at the main menu: 'linux ks=http://192.168.75.100/ks.cfg'
Note: The following can be used to boot a kickstart installation:
   1. boot.iso CD-ROM
   2. First CD-ROM of the RH5 installation set
   3. The DVD-ROM of the RH5 installation set
   4. USB Pen/Stick - diskboot.img (use dd)

###FTP INSTALLATION###
Steps:
1. Create FTP user account on FTP server
   a. 'useradd -s /bin/false -d /srv/wwwlinuxcbt.com linuxinstall'
   b. 'passwd linuxinstall'
2. Confirm FTP connectivity as the user 'linuxinstall'
3. Reboot server with 'boot.iso' CD and type 'linux askmethod'

###BASIC LINUX COMMANDS###
1. tty - reveals the current terminal
2. whoami - reveals the currently logged-in user
3. which - reveals where in the search path a program is located
4. echo - prints to the screen
   a. echo $PATH - dumps the current path to STDOUT
   b. echo $PWD - dumps the contents of the $PWD variable
   c. echo $OLDPWD - dumps the most recently visited directory
5. set - prints and optionally sets shell variables
6. clear - clears the screen or terminal
7. reset - resets the screen buffer
8. history - reveals your command history
   a. !690 - executes the 690th command in our history
   b. command history is maintained on a per-user basis via: ~/.bash_history
      ~ = user's $HOME directory in the BASH shell
9. pwd - prints the working directory
10. cd - changes directory to desired directory
   a. 'cd' with no options changes to the $HOME directory
   b. 'cd ~' changes to the $HOME directory
   c. 'cd /' changes to the root of the file system
   d. 'cd Desktop/' changes us to the relative directory 'Desktop'
   e. 'cd ..' changes us one level up in the directory tree
   f. 'cd ../..' changes us two levels up in the directory tree
11. Arrow keys (up and down) navigate through your command history
12. BASH supports tab completion:
   a. type unique characters in the command and press the 'Tab' key
13. You can copy and paste in GNOME terminal windows using:
   a. left button to block
   b. right button to paste OR Ctrl-Shift-v to paste
14. ls - lists files and directories
   a. ls / - lists the contents of the '/' mount point
   b. ls -l - lists the contents of a directory in long format:
      Includes: permissions, links, ownership, size, date, name
   c. ls -ld /etc - lists properties of the directory '/etc', NOT the contents of '/etc'
   d. ls -ltr - sorts chronologically from older to newer (bottom)

   e. ls --help - returns possible usage information
   f. ls -a - reveals hidden files, e.g. '.bash_history'
   Note: files/directories prefixed with '.' are hidden, e.g. '.bash_history'
15. cat - catenates files
   a. cat 123.txt - dumps the contents of '123.txt' to STDOUT
   b. cat 123.txt 456.txt - dumps both files to STDOUT
   c. cat 123.txt 456.txt > 123456.txt - creates new catenated file

16. mkdir - creates a new directory
   a. mkdir testRH5 - creates a 'testRH5' directory
17. cp - copies files
   a. cp 123.txt testRH5/
      By default, 'cp' does NOT preserve the original modification time
   b. cp -v 456.txt testRH5/
18. mv - moves files
   a. mv 123456.txt testRH5/ - moves the file, preserving timestamp
19. rm - removes files/directories
   a. rm 123.txt
   b. rm -rf 456.txt - removes recursively and enforces
20. touch - creates blank file/updates timestamp
   a. touch test.txt - will create a zero-byte file, if it doesn't exist
   b. touch 123456.txt - will update the timestamp
   c. touch -t 200801091530 123456.txt - changes timestamp

21. stat - reveals statistics of files
   a. stat 123456.txt - reveals full attributes of the file
22. find - finds files using search patterns
   a. find / -name 'fstab'
   Note: 'find' can search for fields returned by the 'stat' command
23. alias - returns/sets aliases for commands
   a. alias - dumps current aliases
   b. alias copy='cp -v'

###Linux Redirection & Pipes###
Features:
1. Ability to control input and output

Input redirection '<':
1. cat < 123.txt
Note: Use input redirection when program does NOT default to file as input

Output redirection '>':
1. cat 123.txt > onetwothree.txt
Note: Default nature is to:
   1. Clobber the target file
   2. Populate with information from input stream

Append redirection '>>':
1. cat 123.txt >> numbers.txt - creates 'numbers.txt' if it doesn't exist, or appends if it does
2. cat 456.txt >> numbers.txt

Pipes '|':
Features: Connects the output stream of one command to the input stream of a subsequent command
1. cat 123.txt | sort
2. cat 456.txt 123.txt | sort
3. cat 456.txt 123.txt | sort | grep 3

###Command Chaining###
Features:
1. Permits the execution of multiple commands in sequence
2. Also permits execution based on the success or failure of a previous command
1. cat 123.txt ; ls -l - this runs first command, then second command without regard for the exit status of the first command
2. cat 123.txt && ls -l - this runs second command, if first command is successful
3. cat 1234.txt && ls -l
4. cat 123.txt || ls -l - this runs second command, if first command fails

24. more|less - paginators, which display text one page @ a time
   1. more /etc/fstab
   2. less 1thousand.txt
25. seq - echoes a sequence of numbers
   a. seq 1000 > 1thousand.txt - creates a file with numbers 1-1000
26. su - switches users
   a. su - with no options attempts to log in as 'root'
27. head - displays opening lines of text files
   a. head /var/log/messages
28. tail - displays the closing lines of text files
   a. tail /var/log/messages
29. wc - counts words and optionally lines of text files
   a. wc -l /var/log/messages
   b. wc -l 123.txt
30. file - determines file type
   a. file /var/log/messages

###Tar, Gzip, Bzip2, Zip###
Features:
1. Compression utilities (gzip, bzip2, zip)
2. File rollers (the ability to represent many files as one)

Gzip:
Includes:
1. gzip - compresses/decompresses files
2. gunzip - decompresses gzip files
Tasks:
1. compress '1million.txt' file using gzip
   a. gzip -c 1million.txt > 1million.txt.gz

   b. gzip -d 1million.txt.gz - decompresses and removes the compressed version
   c. gunzip 1million.txt.gz
   d. gzip -l 1million.txt.gz - returns status information
   e. zcat 1million.txt.gz - dumps the contents of gzip files to STDOUT
   f. less 1million.txt.gz
   Note: gzip auto-dumps to STDOUT

Bzip2:
1. bzip2 -c 1million.txt > 1million.txt.bz2
2. bzip2 -d 1million.txt.bz2
3. bunzip2 1million.txt.bz2
4. bzcat 1million.txt.bz2 - dumps the contents to STDOUT
5. less 1million.txt.bz2 - also dumps the contents to STDOUT
Note: Bzip2 tends to outperform gzip on larger files

Zip & unzip:
1. zip 1million.txt.zip 1million.txt
   general usage: zip filename.zip path/
   Note: zip differs slightly from gzip and bzip2 in that the destination file (resultant zip file) is specified before the source
2. unzip 1million.txt.zip

Tar & Gzip/Bzip2:
1. tar -cvf 1million.tar 1million.txt - creates a non-compressed archive
   general usage: tar -cvf filename.tar path/
2. tar -cjvf 1million.tar.bz2 1million.txt - creates tar/bzip2 document
3. tar -czvf 1million.tar.gz 1million.txt - creates tar/gzip document
4. tar -tzvf 1million.tar.gz - dumps contents to STDOUT
5. tar -cjvf 1million.tar.bz2 1million.txt testRH5/ - creates tar/bzip2 document for the text file and 'testRH5' directory tree
Note: tar requires a small overhead for itself in each file

###GREP###
Features:
1. The ability to parse lines based on text and/or RegExes
2. Post-processor
3. Searches case-sensitively by default
4. Searches for the text anywhere on the line
1. grep 'linux' grep1.txt - general usage
2. grep -i 'linux' grep1.txt - case-insensitive search
3. grep -i 'linux$' grep1.txt - uses '$' anchor to anchor searches at the end of lines
4. grep -i '^linux' grep1.txt - uses '^' anchor to anchor searches at the beginning of lines
   Note: Anchors are RegEx characters (meta-characters). They're used to match at the beginning and end of lines
5. grep '[0-9]' grep1.txt - returns lines containing at least 1 number

6. grep '[a-z]' grep1.txt
7. rpm -qa | grep grep - searches the package database for programs named 'grep'
8. rpm -qa | grep -i xorg | wc -l - returns the number of packages with 'xorg' in their names
9. grep sshd messages
10. grep -v sshd messages - performs an inverted search (all but 'sshd' entries will be returned)
11. grep -v sshd messages | grep -v gconfd
12. grep -C 2 sshd messages - returns 2 lines, above and below the matching line
Note: Most, if not all, Linux programs log linearly, which means one line after another, from the earliest to the current
Note: Use single or double quotes to specify RegExes
Also, execute 'grep' using 'egrep' when RegExes are being used

###Awk###
Features:
1. Field/Column processor
2. Supports egrep-compatible (POSIX) RegExes
3. Supports scripting using '-F' option
4. Supports input via: STDIN, Pipe, File
5. Can return full lines like grep
6. Auto-loops through input stream, regardless of the source of the stream
Awk runs 3 steps:
   a. BEGIN - optional
   b. Body, where the main action(s) take place
   c. END - optional
Note: Default input and output field separator is whitespace

Usage:
1. awk '/optional_match/ { action }' file_name | Pipe
2. awk '{ print $1 }' grep1.txt
3. awk '{ print $1,$2 }' grep1.txt
   Note: Use single quotes with awk, to avoid shell interpolation of awk's variables
4. awk '/linux/ { print } ' grep1.txt - this will print ALL lines containing 'linux'
5. awk '{ if ($2 ~ /Linux/) print }' grep1.txt
6. awk '{ if ($2 ~ /8/) print }' /var/log/messages - this will print the entire line for log items for the 8th
7. awk '{ print $3 }' /var/log/messages | awk -F: '{ print $1 }'
Note: Multiple body actions can be executed by separating them using semicolons, e.g. '{ print $1; print $2 }'

###Sed - Stream Editor###
Features:
1. Facilitates automated text editing
2. Like Awk, supports RegExes (POSIX)

Usage:
1. sed [options] 'instruction[s]' file[s]
2. sed -n '1p' grep1.txt - prints the first line of the file
3. sed -n '1,5p' grep1.txt - prints the first 5 lines of the file
4. sed -n '$p' grep1.txt - prints the last line of the file
5. sed -n '1,3!p' grep1.txt - prints ALL but lines 1-3
6. sed -n '/linux/p' grep1.txt - prints lines with 'linux'
7. sed -e '/^$/d' grep1.txt - deletes blank lines from the document
8. sed -e '/^$/d' grep1.txt > sed1.txt - deletes blank lines from the document 'grep1.txt' and creates 'sed1.txt'
9. sed -ne 's/search/replace/p' sed1.txt
   sed -ne 's/linux/unix/p' sed1.txt
10. sed -i.bak -e 's/3/4/' sed1.txt - this backs up the original file and creates a 'sed1.txt' with the modifications indicated in the command
Note: Generally, use output redirection, to create new files, instead of allowing sed to write to STDOUT
Note: Sed applies each instruction to each line

###Perl###
Features:
1. Parses text
2. Executes programs
3. CGI - Web forms, etc.
4. Supports RegExes (Perl and POSIX)
5. Parse RegExes from the command line
Task:
1. Print 'Hello World' to STDOUT
   a. perl -c helloworld.pl - checks the syntax of the script
   b. perl helloworld.pl - executes the script
   c. chmod +x helloworld.pl && ./helloworld.pl

###System Utilities###
Features:
1. Process listing
2. Free/available memory
3. Disk utilization
1. ps - process status/listing
   a. ps -ef or ps -aux
2. top - combines uptime, ps, free and updates regularly
3. uptime - returns useful system utilization information:
   a. current time
   b. days, hours and minutes
   c. connected users
   d. load averages - 1, 5, 15 minute values
4. free - returns memory utilization
   a. RAM
   b. SWAP
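Added example (not from the original notes) that combines the grep, awk and sed usage above into a log-triage pipeline over a constructed /var/log/messages excerpt: failed SSH logins per source address, line counts per day of the month, and failures per hour. It assumes POSIX sh with awk, sed, sort and uniq; the log lines are constructed for the example.

```shell
# Constructed /var/log/messages excerpt (not a real log). In the notes the
# file is read directly; here it is embedded so the pipeline runs stand-alone.
MESSAGES='Jan 13 11:31:02 linuxcbt sshd[4021]: Failed password for invalid user admin from 192.168.75.199 port 51234 ssh2
Jan 13 11:31:05 linuxcbt sshd[4021]: Failed password for root from 192.168.75.199 port 51236 ssh2
Jan 13 11:32:10 linuxcb gconfd (linuxcbt-2988): starting (version 2.14.0), pid 2988 user linuxcbt
Jan 13 11:33:41 linuxcbt sshd[4050]: Accepted password for linuxcbt from 192.168.75.100 port 40001 ssh2
Jan 13 11:34:02 linuxcbt sshd[4077]: Failed password for root from 10.0.0.7 port 2200 ssh2
Jan 13 13:35:15 linuxcbt sshd[4090]: Failed password for invalid user oracle from 192.168.75.199 port 51300 ssh2'

# Failed SSH logins per source address, most active source first.
# grep narrows to sshd lines (and drops gconfd noise, as in the notes),
# sed keeps only the address after "from", sort|uniq -c counts per address.
failed_ssh_by_source() {
  printf '%s\n' "$MESSAGES" \
    | grep sshd | grep -v gconfd \
    | grep 'Failed password' \
    | sed -e 's/.* from \([0-9.]*\) port .*/\1/' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Number of log lines for a given day of the month. Field 2 is the day, as in
# the notes' awk '$2 ~ /8/' example, but matched exactly instead of by RegEx.
log_lines_for_day() {
  printf '%s\n' "$MESSAGES" \
    | awk -v day="$1" '$2 == day { n++ } END { print n + 0 }'
}

# Failed logins per hour. Field 3 is HH:MM:SS, so split it on ':' the same
# way the notes pipe $3 into a second awk -F:.
failed_per_hour() {
  printf '%s\n' "$MESSAGES" \
    | awk '/sshd.*Failed password/ { split($3, t, ":"); c[t[1]]++ }
           END { for (h in c) print h, c[h] }' \
    | sort
}
```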

   c. free -m - for human readable format
5. vmstat - reports on: processes, memory, paging, block I/O, traps, CPU activity
   a. vmstat
   b. vmstat -p /dev/hda1 - returns partition stats for /dev/hda1 (/boot)
6. df - returns disk partition/mount point information
   a. df - using kilobytes
   b. df -h - using megabytes/human readable (gigs/tera/etc.)
7. gnome-system-monitor - GUI, combining most system utilities
8. ls -ltr /proc - returns info.
   a. cat /proc/cpuinfo - returns info.
9. kill PID - kills the process with a given PID
10. runlevel - returns runlevel information using 2 fields:
   a. represents previous runlevel
   b. represents current runlevel

###User/Group Management###
Features:
1. The ability to control users and groups
Primary tools:
1. useradd - used to add users and modify group membership
2. usermod
3. system-config-users
Task:
1. Create a user named 'student1' using 'useradd'
   a. useradd student1
   b. set password for user 'student1': passwd student1
   Note: Default user settings derive from: /etc/login.defs
Default User Accounts DB: /etc/passwd
   student1:x:501:501::/home/student1:/bin/bash
   username:shadow_reference:uid:gid:Description(GECOS):$HOME:$SHELL
Note: /etc/passwd is a world-readable file
Note: /etc/shadow now stores passwords in encrypted form
Note: /etc/shadow is NOT world-readable
Fields in /etc/shadow:
   student1:$1$XSFMv2ru$lfTACjN.XxaxbHA0EkB4U0:13891:0:99999:7:::
   1. username
   2. encrypted_password
   3. Days since Unix epoch (01/01/1970) password was changed
   4. Days before password may be changed
   5. Days after which the password MUST be changed
   6. Days before password is to expire that user is warned
   7. Days after password expires, that account is disabled
   8. Days since Unix epoch, that account is disabled
   9. Reserved field (currently unused)
2. Modify user 'student1' to have password expire after 45 days
   a. usermod
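Added example, not from the LinuxCBT notes: a POSIX sh function that reads constructed /etc/shadow-style records (the first one is the sample line shown above) and applies the nine fields to report each account's password state. It assumes POSIX sh and awk, and GNU date for the helper that computes today's day count.

```shell
# Constructed /etc/shadow-style records (not a real system's file). The hash
# of the first record is the sample from the notes; the others are made up.
SHADOW_SAMPLE='student1:$1$XSFMv2ru$lfTACjN.XxaxbHA0EkB4U0:13891:0:99999:7:::
svc1:!!:13800:0:90:7:5::
olduser:$1$abcdefgh$zzzzzzzzzzzzzzzzzzzzzz:13700:0:60:10::13900:
temp1:$1$abcdefgh$yyyyyyyyyyyyyyyyyyyyyy:13855:0:45:7:::'

# shadow_status USER TODAY
#   TODAY is the current day count since the Unix epoch (01/01/1970), the
#   unit fields 3 and 8 of /etc/shadow use.
#   Prints one of: locked, disabled, expired, warning, ok
shadow_status() {
  printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v user="$1" -v today="$2" '
    $1 != user { next }
    {
      hash = $2; changed = $3; max = $5; warn = $6; inact = $7; expire = $8
      # "!!", "!" or "*" in the password field means no usable password
      if (hash == "!!" || hash == "!" || hash == "*") { print "locked"; exit }
      # field 8: absolute day on which the account is disabled
      if (expire != "" && today >= expire) { print "disabled"; exit }
      # field 5: days after which the password MUST be changed
      if (max != "" && max < 99999) {
        deadline = changed + max
        # field 7: days after expiry before the account is disabled
        if (inact != "" && today >= deadline + inact) { print "disabled"; exit }
        if (today >= deadline) { print "expired"; exit }
        # field 6: days before expiry during which the user is warned
        if (warn != "" && today >= deadline - warn) { print "warning"; exit }
      }
      print "ok"; exit
    }'
}

# Today as the day count /etc/shadow uses (GNU date assumed)
days_since_epoch() {
  echo $(( $(date +%s) / 86400 ))
}
```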

Groups:
1. groupadd - adds new group
2. groups - lists groups on the system: /etc/group
   /etc/group - maintains group membership information
Task: Create a 'sales' group and add 'linuxcbt' and 'student1' as members
1. groupadd sales
2. usermod -G sales linuxcbt
3. usermod -G sales student1
Note: 2 types of groups exist:
   1. Primary - used by default for a user's permissions
   2. Supplemental - used to determine effective permissions
Note: use 'id' to determine the group information of a user
Note: Create a new shell session to realize new group membership information
userdel/groupdel are used to delete users and groups, respectively

###File Types - Permissions - Symlinks###
Features:
1. The ability to restrict/control access to files
Note: 10 bits represent permissions for files (including directories)
Note: use 'ls -l' to examine permissions or a GUI application like 'Nautilus'
-rwxrwxr-x 1 linuxcbt linuxcbt 681 Jan 13 11:31 regextest.pl
   1st bit = file type, '-' = file, 'd' = directory
   2nd-4th bits = owner's permissions
      r = read = 4, w = write = 2, x = execute = 1, - = none = 0
   5th-7th bits = group owner's permissions
      r = read = 4, w = write = 2, x = execute = 1, - = none = 0
   8th-10th bits = everyone (world)
      r = read = 4, w = write = 2, x = execute = 1, - = none = 0
Task:
1. Manipulate file permissions using 'chmod'
   a. chmod -x regextest.pl - removes execution for ALL users
      chmod 775 regextest.pl - enables execution for ALL users
   -rw-rw-r-- 1 linuxcbt linuxcbt 681 Jan 13 11:31 regextest.pl
      rw = 6 or 4+2 for owner
      rw = 6 or 4+2 for group owner
      r = 4 for everyone else (world)
   Octal notation: 664 for file 'regextest.pl'
      chmod 664 regextest.pl

2. Ensure that 'regextest.pl' is rw by owner and noone else
   a. chmod 600 regextest.pl
   Note: File will now be rw by owner (linuxcbt) and 'root'
3. Ensure that 'regextest.pl' is r by owner and noone else
   a. chmod 400 regextest.pl
Note: chmod +/-r file, chmod +/-w file, chmod +/-x file - supports string values, which represent octal values
   chmod u+x file - updates owner's execute permissions on the file
   chmod g+x file - updates group's execute permissions on the file
   chmod o+x file - updates other's execute permissions on the file
   chmod a+rwx = chmod 777
chown - permits changing of ownership of files
   a. chown root regextest.pl - changes ownership to 'root'
   b. chown linuxcbt:sales regextest.pl - changes owner and group to 'linuxcbt:sales'
Task: Update 'regextest.pl' so that owner and group owner may modify the file
   a. chmod 660 regextest.pl
chgrp: Permits updating of group permissions

SETUID:
Features:
1. Ability to execute file as owner
   chmod 4760 regextest.pl && ls -l regextest.pl - this will ensure that the perl script always executes as the user 'linuxcbt'
   -rwsrw---- 1 linuxcbt sales 787 Jan 13 16:08 regextest.pl
   's' in the execute position means that the program will execute as that user

SETGID:
Features:
1. Ability to enforce permissions to a directory structure
   mkdir /sales
   chmod 2775 /sales
   Create a file in the '/sales' directory as 'linuxcbt'
   seq 1000000 > linuxcbt.txt

Sticky Bit:
Features:
1. Ability to ensure that users cannot delete others' files in a directory
   drwxrwxrwt 23 root root 4096 Jan 13 15:05 /tmp/
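Added example, not part of the original notes: a POSIX sh audit that builds a constructed directory tree carrying the SETUID, SETGID and sticky-bit modes from the tasks above and then locates the two conditions worth reviewing on a real system, SETUID/SETGID files and world-writable directories that lack the sticky bit. It assumes GNU find and mktemp.

```shell
# Build a constructed tree under a temporary directory (not a real system
# layout) with the modes used in the notes, and print its path.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/sales" "$root/tmp" "$root/shared" "$root/bin"
  : > "$root/bin/regextest.pl"
  chmod 4760 "$root/bin/regextest.pl"   # SETUID: runs as the file's owner
  : > "$root/bin/report.sh"
  chmod 775 "$root/bin/report.sh"       # plain executable, nothing special
  chmod 2775 "$root/sales"              # SETGID dir: new files inherit group
  chmod 3777 "$root/tmp"                # world-writable WITH sticky bit (/tmp)
  chmod 777 "$root/shared"              # world-writable, NO sticky bit: risky
  echo "$root"
}

# Files with SETUID (4000) or SETGID (2000) set under a tree. Each of them
# runs with the owner's or group's privileges, so every entry should be
# known and justified.
find_setid_files() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# World-writable directories without the sticky bit (1000). In such a
# directory any user can delete or rename any other user's files, which is
# exactly what 'chmod +t' or 'chmod 3777' on /sales prevents.
find_unsticky_world_writable_dirs() {
  find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

# Octal mode of a path, e.g. 4760 for the SETUID script (GNU stat assumed)
mode_of() {
  stat -c '%a' "$1"
}
```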

   - users cannot delete other user's files in '/tmp'
   chmod 3777 /sales - ensures that /sales will not lose files from incorrect users
Task:
1. Set '/sales' using sticky bit and test
   a. chmod 3777 /sales && ls -ld /sales OR chmod 777 /sales && chmod +t /sales

###Symlinks###
Features:
1. Provides shortcuts to files (including directories)
2. Provides hard links to inode (file system) locations
Soft Links:
1. ln -s source_file target
   a. ln -s /home/linuxcbt/testRH5/regextest.pl lastscript.pl
   b. ln -s /boot . - this will symlink (soft) to the /boot file system
Note: Soft links may span multiple file systems/hard drives
Note: Symlink count is NOT increased when using soft links
Note: With soft links, if you change the name or location of the source file, you will break ALL of the symlinks (soft)
Hard Links:
Features:
1. The ability to reference the same inode/hard drive location from multiple places within the same file system
   a. ln source target
      ln regextest.pl ./testhardregextest.pl - creates a hard link

###Quotas###
Features:
1. Limits disk usage (blocks or inodes)
2. Tied to file systems (set on a per file system basis)
3. Can be configured for users and groups
Steps to enable quota support:
1. Enable quota support per file system in: /etc/fstab
   a. defaults,usrquota,grpquota
2. Remount the file system(s)
   a. mount -o remount /
   b. use 'mount' to confirm that 'usrquota,grpquota' support are enabled
3. Create quota database files and generate disk usage table
   a. quotacheck -mcug / - this creates /aquota.user & /aquota.group
   b. quotacheck -mavug
4. Assign quota policies
   a. edquota username - set blocks/inodes soft_limits hard_limit
      edquota student1 - sets quotas for user 'student1'
      export EDITOR=nano - to have edquota default to the 'nano' editor
5. Check quotas
   a. quota username
      quota student1
Note: place 'quotacheck -avug' in /etc/cron.*(hourly,daily)

6. repquota -a - this reports on usage
Note: The blocks are measured in 1K increments, i.e. 20000 blocks is roughly 20MB

###Basic Provisioning of Partitions and File Systems###
Features:
1. Ability to provision extra storage on-the-fly
Steps:
1. Identify available storage
   a. 'fdisk -l' - returns connected storage
2. Create partitions on desired hard drive:
   a. 'fdisk /dev/sdb' - interacts with /dev/sdb drive
   b. 'n' - to add a new partition
   c. 'p' - primary
   d. '1'
   e. '+4096M' - to indicate 4 Gigabytes
   f. 'w' - to write the changes to the disk
   Note: use 'partprobe partition (/dev/sdb1)' to force a write to a hard drive's partition table on a running system
   Note: 'fdisk' creates raw partitions
3. Overlay (format) the raw partition with a file system
   a. mke2fs -j /dev/sdb1 - this will write inodes to partition
4. Mount the file system in the Linux file system hierarchy:
   a. mkdir /home1 && mount /dev/sdb1 /home1
   b. mount OR df -h - either will reveal that /dev/sdb1 is mounted
   Note: lost+found directory is created for each distinct file system
5. Configure '/home1' to auto-mount when the system boots
   a. nano /etc/fstab and copy and modify the '/home' entry

###Swap Partitions & Files###
Features:
1. Extra, virtual RAM for the OS
Steps:
1. Identify current swap space
   a. swapon -s - enumerates partitions and/or files, which constitute swap storage
   b. free -m
2. Select target drive and provision swap partition
   a. fdisk /dev/sdb
   b. n
   c. 2
   d. 500 - start cylinder
   e. +512 (cylinder 562) - 63 cylinders are required for 512MB
   f. t - change type
   g. 82 - Linux Swap/Solaris
   h. w - commit changes to disk
3. Create the swap file system on the raw partition: /dev/sdb2
   a. mkswap /dev/sdb2

4. Enable swapping - publish the swap space to the kernel
   a. swapon /dev/sdb2 - this enables swapping on /dev/sdb2
5. Ensure that when the system reboots, the swap space is made available to the kernel
   a. update /etc/fstab
      /dev/sdb2 swap swap defaults 0 0
   swapoff /dev/sdb2 - disables swapping on /dev/sdb2
Task:
1. Improve system performance by distributing swapping to /dev/sdb2
   a. swapon /dev/sdb2
   b. swapoff /dev/sda6
   c. disable /dev/sda6 via /etc/fstab

###Create Swap based on File###
Features:
1. The ability to provision swap space based on a file, similar to pagefile.sys in Windows NT, if you have no available disk space to partition
Task:
1. Create 512MB swap file
   a. dd if=/dev/zero of=/home1/swapfile1 bs=1024 count=524288
   b. mkswap /home1/swapfile1 - overlays swap file system
   c. swapon /home1/swapfile1 - makes swap space available to the kernel
2. Ensure that when the system reboots, the swapfile is made available to the kernel
   a. nano /etc/fstab
      /home1/swapfile1 swap swap defaults 0 0
3. Create 2GB swap file
   a. dd if=/dev/zero of=/home1/swapfile2 count=2G

###Logical Volume Management (LVM)###
Features:
1. Ability to create volume sets and stripe sets
2. Ability to resize volumes on the fly
3. LVM masks the underlying physical technology (ATA, SATA, SCSI, PATA, IDE, ATAPI, etc.)
4. LVM physical volumes can be of various sizes
5. Doesn't waste partitions
6. LVM represents storage using a hierarchy:
   a. Volume groups
      a1. Physical volumes (/dev/sda2, /dev/sdb2, etc.)
   b. Logical Volumes
      b1. File systems
Note: Volume groups join: physical volumes (PVs) and Logical Volumes (LVs)
6 Steps to setup LVM:
1. Create LVM partitions via fdisk or parted
   a. fdisk /dev/sda, /dev/sdb, /dev/sdc
   b. n
   c. p
   d. +10G
   e. t - change to type '8e' (LVM)
   f. w
   g. partprobe /dev/sda

2. Create Physical Volumes using 'pvcreate'
   a. pvcreate /dev/sda3 /dev/sdb3 /dev/sdc3
3. Create Volume Groups using 'vgcreate'
   a. vgcreate volgroup001 /dev/sda3 /dev/sdb3 /dev/sdc3
   Note: Volume groups can be segmented into multiple logical volumes
4. Create one or more Logical Volumes
   a. lvcreate -L 10GB -n logvolvar1 volgroup001
   b. lvcreate -L 10GB -n logvolusr1 volgroup001
5. Create File system on logical volume(s)
   a. mke2fs -j /dev/volgroup001/logvolvar1
   b. mke2fs -j /dev/volgroup001/logvolusr1
6. Mount logical volume
   a. mkdir /var1
   b. mount /dev/volgroup001/logvolvar1 /var1
   c. mkdir /usr1
   d. mount /dev/volgroup001/logvolusr1 /usr1
Note: Be certain to update: /etc/fstab so that volumes are mounted when the system reboots

3-tiers of LVM display commands include:
   a. pvdisplay - physical volumes - represent raw LVM partitions
   b. vgdisplay - volume groups - aggregate physical volumes
   c. lvdisplay - logical volumes - file systems - mount here

Rename of Logical Volume:
1. lvrename volume_group_name old new - used to rename volumes
Task: Rename 'logvolvar1' to 'logvolopt1'
   a. lvrename volgroup001 logvolvar1 logvolopt1
   Note: LVM is updated immediately, even while the volume is mounted
         However, you must remount the logical volume to see the changes
   b. umount /var1 && mount /dev/mapper/volgroup001-logvolopt1 /opt1
   c. Update /etc/fstab

Remove Logical Volume:
Task: Remove 'logvolusr1' from the logical volume pool
   a. umount /usr1
   b. lvremove /dev/mapper/volgroup001-logvolusr1
   c. use 'lvdisplay' to confirm removal

Resize Logical Volume:
Task: Grow (resize) 'logvolopt1' to 20GB
   a. lvresize -L 20GB /dev/volgroup001/logvolopt1
   b. lvdisplay - to confirm new size of logical volume
   c. df -h - will still reveal the current size
   d. Resize the file system to update the INODE table on the logical volume to account for the new storage in 'logvolopt1'
      'resize2fs -f -p /dev/volgroup001/logvolopt1'
Note: You may resize file systems online if the following are met:
   1. 2.6x kernel series
   2. MUST be formatted with ext3

Task: Shrink (resize) 'logvolopt1' to 15GB
   a. lvresize -L 15GB /dev/volgroup001/logvolopt1
   b. lvdisplay
   c. df -h
   d. resize2fs -f -p /dev/volgroup001/logvolopt1
      Note: online shrinking is not supported
   e. df -h
Note: Check disk utilization prior to shrinking to reduce the risk of losing data

LVM GUI Utility: system-config-lvm

###RAID###
Features:
1. The ability to increase availability and reliability of data
Tasks:
1. Create a RAID-1 Device (/dev/md0..n)
   a. fdisk /dev/sdb - to create usable raw partitions
   b. partprobe /dev/sdb - to force a kernel update of the partition layout of the disk: /dev/sdb
   c. mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdb5 /dev/sdb6
   d. cat /proc/mdstat - lists active RAID (md) information
   e. mke2fs -j /dev/md0 - overlays a file system on the RAID device
   f. mount /dev/md0 /raid1
   g. df -h
   h. update: /etc/fstab
   Note: use 'mdadm --query /dev/md0' to get information about a RAID device
   Note: You may create RAID volumes/devices on a single or on multiple disks
         Ideally, your RAID volumes should span multiple physical disks to improve:
         a. reliability
         b. performance
         c. availability
2. Remove the RAID-1 device
   a. umount /dev/md0
   b. mdadm --manage --stop /dev/md0
3. Create a RAID-5 Volume
   a. fdisk /dev/sdb - to create a partition number 7
   b. partprobe /dev/sdb - to update the kernel's view of the partition table
   c. mdadm --create /dev/md0 --level=5 --raid-devices=3 /dev/sdb5 /dev/sdb6 /dev/sdb7
   d. watch cat /proc/mdstat - refreshes every 2 seconds
   e. Overlay a file system: mke2fs -j /dev/md0
   f. mount /dev/md0 /raid5
   g. Test I/O to RAID-5 device
   h. Update: /etc/fstab

###RPM###
Features:
1. Provides package management
   a. Query
   b. Install
   c. Uninstall
   d. Upgrade
   e. Verify
2. Auto-verifies packages using GPG, MD5, SHA1SUMs
3. Automatically reports on unresolved dependencies

'rpm' Query:
1. rpm -qa - dumps all installed packages
2. rpm -qa | wc -l - this dumps all packages and provides a count
3. rpm -qa | grep -i nano
4. rpm -qi nano - dumps info. about the 'nano' package as it's recorded in the local RPM database
5. rpm -qf /usr/bin/nano - dumps package membership info. for the 'nano' file
6. rpm -qpi http://192.168.75.100/RH5/i386/Server/dhcp-3.0.5-7.el5.i386.rpm - dumps info. about the uninstalled 'dhcp' package, which resides on the repository
7. rpm -ql package_name - returns all included files

Verify:
1. rpm -Va - verifies ALL packages on the system, returning info. only if there are discrepancies from the original installation
2. rpm -Vp nano
3. rpm -Vf /usr/bin/nano
Task: Change '/usr/bin/nano' then verify
   SM5....T  /usr/bin/nano
   S(file size), M(mode or permissions), 5(MD5), T(mod time)

Install (Does NOT overwrite previous package):
Note: Use this method to install a new version of the kernel
1. rpm -ivh *.rpm
2. rpm -ivh http://192.168.75.100/RH5/i386/Server/dhcp-3.0.5-7.el5.i386.rpm

Upgrade (Installs or overwrites existing package):
1. rpm -Uvh *.rpm
2. rpm -Uvh http://192.168.75.100/RH5/i386/Server/dhcp-3.0.5-7.el5.i386.rpm

Freshen (Updates an existing package):
Note: Will NOT install the package, if it doesn't exist locally
1. rpm -Fvh *.rpm - freshens the current version of a package
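Added example, not from the original notes: decoding the 'rpm -V' attribute columns (the SM5....T output shown in the verify task above) over a constructed sample of 'rpm -Va' output, so that changed binaries and config files with altered content stand out from entries whose only change is a timestamp. It assumes POSIX sh and awk; the sample lines and their paths are constructed for the example.

```shell
# Constructed sample of 'rpm -Va' output (not captured from a real system).
# The first line is the case the notes describe after editing /usr/bin/nano;
# "c" marks a config file and "missing" a file that is no longer present.
RPM_VERIFY_SAMPLE='SM5....T  /usr/bin/nano
S.5....T  c /etc/nanorc
.M......  /usr/bin/passwd
.......T  c /etc/sysconfig/syslog
missing   /usr/share/doc/nano/README'

# explain_verify_flags PATH
#   Decodes the 8-column attribute string for one path into attribute names.
#   Column order (rpm on RHEL 5): S size, M mode, 5 MD5 digest, D device,
#   L symlink path, U user, G group, T mtime. A dot means the attribute
#   still matches the package database; "missing" is printed as-is.
explain_verify_flags() {
  printf '%s\n' "$RPM_VERIFY_SAMPLE" | awk -v path="$1" '
    $NF != path { next }
    $1 == "missing" { print "missing"; exit }
    {
      n = split("size,mode,md5,device,symlink,user,group,mtime", name, ",")
      out = ""
      for (i = 1; i <= n; i++)
        if (substr($1, i, 1) != ".")
          out = out (out == "" ? "" : ",") name[i]
      print out; exit
    }'
}

# Paths worth a closer look: content (5), size (S) or permission (M) changed,
# or the file is missing. A config file whose only difference is its mtime
# (like /etc/sysconfig/syslog here) is left out, as that is routine.
suspicious_changes() {
  printf '%s\n' "$RPM_VERIFY_SAMPLE" | awk '
    $1 == "missing" { print $NF; next }
    index($1, "5") || index($1, "S") || index($1, "M") { print $NF }'
}
```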

Removal:
1. rpm -ev *.rpm - removes a package
   Note: removal process considers dependencies and will complain if the removal will break 1 or more packages. To get around this, use the '--nodeps' option with 'rpm -ev --nodeps *.rpm'
2. rpm -ev gftp

Package Management GUI:
1. Add/Remove Software
2. system-config-packages

###YUM Configuration###
Features:
1. The ability to centralize packages (updates)
Installation & Setup:
1. Install 'createrepo*rpm'
2. Setup directory structure
   a. /srv/www/linuxcbt.com/RH5/yum
3. Run 'createrepo /srv/www/linuxcbt.com/RH5/yum'
4. Publish the yum repository using HTTP
5. Configure yum client to use HTTP to fetch the RPMs
   a. /etc/yum.conf
      a1. ###Included as our first repository on the SUSE box###
          [0001]
          name=linuxcbtsuse1
          baseurl=http://192.168.75.100/RH5/yum
Note: Ensure that about 3GBs are available for the yum repository
   tar -cjvf yum_metadata.bz2 repodata

Yum Usage:
1. Search for packages
   a. 'yum search gftp'
2. Install packages - Requires RedHat GPG Key for RPMs
   rpm --import http://192.168.75.100/RH5/i386/RPM-GPG-KEY-redhat-release
   a. 'yum -y install gftp'
   b. 'yum -y install gftp dhcp' - installs 2 packages
3. Remove Package
   a. 'yum -y remove gftp'

###Cron - Scheduler###
Features:
1. Scheduler
2. Wakes up every minute in search of programs to execute
3. Rules (Cron entries) are based on times:
   a. minute (0-59)
   b. hour (0-23)
   c. day of the month (1-31)
   d. month (1-12)
   e. day of the week (Sun, Mon, Tue, etc. OR 0-7)
   f. command to execute (shell, perl, php, etc.)

4. Maintains per-user and system-wide (/etc/crontab) schedules
5. Reads cron entries from multiple files
/etc:
   cron.d/
   cron.daily/ - runs jobs daily
   cron.hourly/ - runs jobs hourly
   cron.monthly/ - runs jobs monthly
   cron.weekly/ - runs jobs weekly
   crontab - contains system-wide schedules
   cron.deny - denies cron execution by user
Note: '*' wildcard in a time column means to run for all values

Per-user Crontabs:
Stored in: /var/spool/cron
Task:
1. Create a cron entry for the user 'student1'
   a. su student1
   b. crontab -e
   c. create an entry, minus the name of the user
Note: 'crontab -l' - enumerates per-user cron entries
Note: 'crontab -l -u username' - enumerates per-user cron entries

System-wide Crontab:
Stored in: /etc/crontab
Task:
1. Create a cron entry in: /etc/crontab

###SysLogD###
Features:
1. Handles logging
2. Unix Domain Sockets (/dev/log)
3. Internet Sockets (UDP:514)
4. Ability to log to local and remote targets
Implemented as 'sysklogd' package
Primary configuration file: /etc/syslog.conf
Standard syslog.conf file contains:
1. Rules
   a. facilities -> applications/daemons/network device/etc.
   b. levels -> Importance of message
      Range: 0-7
      7 = emergency (less information)
      6 = alert
      5 = critical
      4 = error
      3 = warning
      2 = notice
      1 = info
      0 = debug (more information)
2. Targets
   a. file - /var/log/messages
   b. tty - /dev/console
   c. remote hosts - @IP_ADDR_of_REMOTE_HOST

   b. tty - /dev/console
   c. remote hosts - @IP_ADDR_of_REMOTE_HOST
'*' = catchall/wildcard to mean any facility or level
'.none' = exclusion rule
'man syslog.conf' to learn about the supported facilities.levels

Task:
1. Enable UDP logging for remote Cisco gateway (192.168.75.1)
   a. nano /etc/sysconfig/syslog
      a1. 'SYSLOGD_OPTIONS="-r"'
   b. restart syslog and confirm UDP:514 listener
      b1. netstat -nul | grep 514 - reveals UDP:514 listener
   c. confirm using 'netstat -nul | grep 514'
   d. Configure the router using facility 'local0' and level 'info'
   e. configure /etc/syslog.conf to accept 'local0.info'
   f. restart or reload 'syslog'

###Log Rotation###
Features:
1. Rotation of logs based on criteria
   a. size
   b. age (daily, weekly, monthly)
2. Compression
3. Maintain logs for a defined period

/etc/logrotate.conf - primary (global) config file for all logs - can be overridden by context-sensitive files, i.e. apache
run 'man logrotate'
/etc/logrotate.d - directory for logs to be rotated
   - httpd - used to rotate Apache logs
     /var/log/httpd/*log {
         missingok
         notifempty
         sharedscripts
         postrotate
             /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
         endscript
     }

Task: Setup rotation rule for Cisco log
1. Create entry in: /etc/logrotate.d based on /etc/logrotate.d/syslog
2. Modify the entry to rotate based on new criteria
3. Rotated using: 'logrotate /etc/logrotate.conf'
Note: Force using: 'logrotate -f /etc/logrotate.conf'

###Common Network Utilities###
Features:
1. Useful for basic troubleshooting
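To see how the facility/level selectors above decide where a message such as the router's 'local0.info' traffic lands, here is an added example (not code from the LinuxCBT notes) that evaluates syslog.conf-style rule lines the way sysklogd does: a plain level also matches everything more severe, '*' matches any facility or level, and 'none' excludes a facility even when an earlier selector on the same line matched it. The rule set and the messages are constructed; the file names simply mirror the ones used in the notes.

```python
"""syslog.conf selector evaluation.

Added example; not from the LinuxCBT notes.  It models how sysklogd
reads a rule line ('selector  target'): each selector is
facility[,facility].level, separated by ';', where '*' matches any
facility or level, 'none' excludes a facility, '=level' matches that
level only, and a plain level also matches everything more severe.
Later selectors on the same line override earlier ones.  The rules and
messages below are constructed to mirror the remote-Cisco (local0.info)
setup in the notes.
"""

# severities from least to most severe, as sysklogd orders them
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# constructed rules in /etc/syslog.conf format
SAMPLE_RULES = """
# log everything of level info or higher, except mail and authpriv
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
mail.*                           -/var/log/maillog
*.emerg                          *
# remote Cisco gateway sending facility local0 at level info
local0.info                      /var/log/cisco.log
""".strip()


def _rank(level):
    return LEVELS.index(ALIASES.get(level, level))


def selector_matches(selector, facility, level):
    """Evaluate 'fac.level;fac.level' against one message."""
    decision = False
    for part in selector.split(";"):
        fac_part, lvl = part.rsplit(".", 1)
        facilities = [f.strip() for f in fac_part.split(",")]
        if "*" not in facilities and facility not in facilities:
            continue            # this selector says nothing about our facility
        if lvl == "none":
            decision = False    # explicit exclusion
        elif lvl == "*":
            decision = True
        elif lvl.startswith("="):
            decision = _rank(level) == _rank(lvl[1:])
        else:
            decision = _rank(level) >= _rank(lvl)
    return decision


def parse_rules(text):
    """Return (selector, target) pairs, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, target = line.split(None, 1)
        rules.append((selector, target.strip()))
    return rules


def route(rules_text, facility, level):
    """List the targets a message with this facility/level is written to."""
    return [target for selector, target in parse_rules(rules_text)
            if selector_matches(selector, facility, level)]


def target_kind(target):
    """Classify a target the way the notes do: file, tty or remote host."""
    if target.startswith("@"):
        return "remote host"
    if target.lstrip("-").startswith("/dev/"):
        return "tty"
    if target == "*":
        return "all logged-in users"
    return "file"


if __name__ == "__main__":
    for fac, lvl in (("local0", "info"), ("local0", "debug"), ("authpriv", "notice")):
        print(fac, lvl, "->", route(SAMPLE_RULES, fac, lvl))
```

Running it shows why the router must be configured at level 'info' and not 'debug': the 'local0.info' rule only accepts info and above, so debug-level messages from the gateway would be dropped silently.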

PING:
Features:
1. ability to communicate with hosts using ICMP
   a. PING sends ICMP echo-requests
   b. PING expects to receive ICMP echo-replies
Task: PING some hosts and evaluate the output
1. ping localhost (127.0.0.1)
2. ping -c 3 localhost - sends 3 ICMP echo-requests
Note: 'ping localhost' performs name resolution using /etc/hosts
/etc/hosts stores static name-to-IP mappings
Note: 127.0.0.0/8 is fully-reserved to the loopback adapter of ALL IPv4 hosts
3. ping -c 3 192.168.75.199
4. ping -c 3 -i 3 192.168.75.199 - delays PINGs to 3 seconds apart
Note: PING defaults to a standard 1-second interval
Note: Firewall(s) may block ICMP traffic, causing PING to fail

TELNET:
Features:
1. Great for basic TCP port diagnosis
Task:
1. Connect to TCP ports on various hosts
   a. telnet 192.168.75.100 22
   b. telnet www.linuxcbt.com 80

NETSTAT:
Features:
1. Provides network connection information from /proc/net/*
Task:
1. Return useful information for various protocols
   a. netstat
   b. netstat -a - returns all protocols/sockets
   c. netstat -ntlp - returns all TCP LISTENERS without name resolution
   d. netstat -nulp - returns all UDP LISTENERS without name resolution
   Note: netstat uses /etc/services to translate ports to names
   Note: 0.0.0.0:514 - this means that Syslog will accept traffic to any of the defined IP addresses/interfaces on the system
   e. netstat -ntp - returns established connections (sockets)
   f. netstat -rn - returns the routing table

ARP:
Features:
1. Resolves layer-2 (OSI model) MAC addresses to layer-3 IP addresses
Task:
1. Examine MAC addresses using: ifconfig and arp
   a. ifconfig - returns our local MAC addresses
      Link encap:Ethernet HWaddr 00:02:B3:98:41:08
   b. arp -a - returns MAC to IP mappings
Note: When 2 TCP/IP hosts communicate, ARP is performed to translate the IP address (v6/v4) to a MAC address.
Note: If one or more routers separate the communicating hosts, then the MAC

address of the default router's (gateway's) interface is stored by each client

###IPv4 Configuration & Network Settings###
Network Support:
1. /etc/init.d/network - main service
   service network status - checks networking
   system-config-network-*
2. /etc/modprobe.conf - contains alias and reference to module(s) to be loaded in order to provide networking
3. /etc/sysconfig/network - networking=yes|no, Default Gateway, IPv6_Support, etc.
   Linux decides if the interface is DHCP or static by viewing the contents of:
   a. /etc/sysconfig/network-scripts/ifcfg-eth0 - network interface configuration
Note: Either update your net configuration manually from the shell, or using the 'system-config-network*' tools to avoid losing settings
/etc/resolv.conf - DNS configuration file
/etc/hosts - static list of hosts

IPv4 Aliases:
1. ifconfig eth0:1 192.168.75.11
2. ifconfig eth0:2 10.76.11
Note: To ensure that aliases persist do the following:
1. cp /etc/sysconfig/network-scripts/ifcfg-eth0 ./ifcfg-eth0:1
2. Modify ifcfg-eth0:1 to reflect aliased IP
Note: Aliases do NOT work with DHCP interfaces
ifconfig eth0:2 del 10.76.11 - removes the virtual interface

IPv6 Config:
Features:
1. Auto-configured by default gateway (router)
2. fe80:: - link-local address (loopback/local subnet address)
3. 2002:: - 6to4 address, that can be configured based on IPv4 embedded address, using HEX notation
ping6 -I eth0 fe80::
traceroute6 - used to trace routes on IPv6 networks

###Kernel Upgrade###
Features:
1. Provision of updated/patched kernel
Task:
1. Boot system into a multi-user mode
2. Update the kernel
   a. use 'uname -a' to reveal current version
   b. use 'rpm -qa | grep -i kernel' - to reveal installed version
   c. Proper installation method is as follows:
      a. 'rpm -ivh kernel*rpm' - install a separate version
      cat /etc/grub.conf -> /boot/grub/grub.conf

Note: Install the following kernel packages if necessary:
   a. kernel-devel* - if module compilation is necessary
   b. kernel-headers* - if recompilation is necessary
Install:
   a. rpm -ivh kernel-2.6.18-53.el5.i686.rpm
Note: This will update GRUB (/boot/grub/grub.conf)
Note: Will also place the new kernel in the /boot file system
Examine traces in:
   a. /boot
   b. /boot/grub/grub.conf
3. Remove traces of former kernel using 'rpm -e [--nodeps]'
   a. kernel-2.6.18-8.el5 - removes older version
   b. kernel-headers-2.6.18-8.el5 - force remove ignoring dependencies: 'rpm -e --nodeps kernel-headers-2.6.18-8.el5'
   c. kernel-devel-2.6.18-8.el5
Note: Removal of older kernel-* packages cleans up:
   a. /boot
   b. /boot/grub/grub.conf (menu.lst)
4. Install new 'kernel-headers' and 'kernel-devel' packages using YUM:
   a. yum -y install kernel-headers
   b. yum -y install kernel-devel
5. Confirm that the 3 'kernel-*' packages are installed:
   a. rpm -qa | grep kernel

###Runlevel Service Management Tools###
Features:
1. The ability to indicate desired runlevels for services
2. Services are located in: /etc/init.d

/usr/sbin/ntsysv:
Usage:
1. ntsysv - manages services in the current run-level
2. ntsysv 35 - manages services for run-levels 3 & 5
Note: neither ntsysv nor chkconfig starts|stops services

Chkconfig Usage:
1. chkconfig --list ntpd - returns run-level environment for 'ntpd'
Note: items listed as 'off' have K (kill) scripts
Note: items listed as 'on' have S (start) scripts
2. chkconfig --level 3 ntpd off - creates a K(kill) script in run-level 3
3. chkconfig --level 35 ntpd off
4. chkconfig ntpd on - enables 'ntpd' in levels 2-5
5. chkconfig ntpd off - disables 'ntpd' in levels 0-6
Note: Use 'chkconfig' from the shell or a script
Note: Use 'ntsysv' from the shell in interactive mode
Note: When controlling services using 'chkconfig', reference the name of the service as it's specified in: /etc/init.d

system-config-services - GUI tool to manage services

###Network Time Protocol (NTP) Implementation###
Features:
1. The ability to synch your system's clock
2. Also can be used to synch other clocks
3. Implemented as: 'ntp-4.2.rpm' package
4. Is hierarchical, using strata levels to denote time accuracy
/etc/ntp.conf - primary configuration

NTP Strata:
Features:
1. The ability to denote clock accuracy based on stratum
2. With Stratum level 1 being the most accurate, as an NTP server at this level is connected to an external time service (GPS, Radio, etc.)
Use: www.ntp.org - to locate public NTP clocks at various strata
Task:
1. Synch against internal NTP server
   a. /etc/ntp.conf
      a1. server 192.168.75.100
   b. service ntpd start - this starts the 'ntpd' service
   c. chkconfig ntpd on
   d. ntpq -np - this queries the running 'ntpd' server
Note: NTP synchronization is hierarchical. Thus, if we synch against a stratum 3 clock, we become a stratum 4 clock
2. Prove that 'linuxcbtserv4' is indeed a stratum 4 clock
   a. /etc/ntp.conf of 'linuxcbtserv1'
      a1. server 192.168.75.199
Note: Ideally, you should supply your /etc/ntp.conf file with at least 3 clocks for:
   1. Accuracy
   2. Redundancy

###Trivial File Transfer Protocol Daemon (TFTPD)###
Features:
1. Fast, connectionless (UDP), file transfers
2. Often used to move files to and fro networked systems (VOIP Phones, Router/Firewall/Switch configurations, PXE configurations, etc.)
Note: Implemented as 2 components:
   a. Client - tftp-*rpm
   b. Server - tftp-server*
Tasks:
1. Install TFTP client
   a. yum -y install tftp
2. Install TFTP server
   a. yum -y install tftp-server
   Note: this also installs the 'xinetd' dependency
3. Configure and start 'tftp' via 'xinetd'
   a. /etc/xinetd.d/tftp - modify this file prior to starting 'TFTPD'
   b. service xinetd start - to start XINETD

Note: TFTPD listens to UDP:69, by default
Note: use 'netstat -nulp | grep 69' to check if 'xinetd' is listening
4. Copy Cisco Router configuration to TFTP server
   a. copy running-config tftp://192.168.75.199
   b. setsebool -P tftpd_disable_trans=1 - disables SELinux for TFTPD
   c. 'service xinetd restart' - restart XINETD
   d. 'chmod 666 linuxcbtrouter1.config' - to permit TFTPD to write
5. Use 'tftp' client to download 'linuxcbtrouter1.config' file
   a. tftp 192.168.75.199 -c get linuxcbtrouter1.config
   b. tftp - enters interactive mode
Note: tftp client operates in both non-interactive and interactive modes

###Very Secure File Transfer Protocol Daemon (VSFTPD)###
Features:
1. FTPD
2. Chroot jail
3. anonymous and local-user auth
4. Rate-limiting
Tasks:
1. Install 'vsftpd'
   a. yum -y install vsftpd
2. Start the server
   a. service vsftpd start
   b. netstat -ntlp | grep 21
3. Configure service to start when system boots into multi-user runlevel
   a. chkconfig vsftpd on
   b. chkconfig --list vsftpd
4. Connect to the FTPD service:
   a. Use web browser, which defaults to anonymous
   b. Use standard FTP client, as anonymous
   c. service vsftpd restart - for changes to take effect
5. Chroot jail local users & disable 'anonymous' access
   a. chroot_local_user=YES - this jails users
   b. service vsftpd restart - for changes to take effect
   c. setsebool -P ftp_home_dir=1 - permits users access to their home directory
   d. test connectivity as 'anonymous' and 'non-anonymous' users
6. Enable IPv6 listener:
   a. listen_ipv6=YES - DO NOT USE WITH 'listen=YES(IPv4)'
7. Restrict 'non-anonymous' user's transfer rate
   a. local_max_rate=1000 - restricts connections to 1000/bps (1K/s)

###LFTP###
Features:
1. Sophisticated FTP client
2. Provides connectivity:
   a. FTP
   b. HTTP/HTTPS
   c. SFTP(SSHv2)
3. Interactive and non-interactive client
4. Supports scripting

5. Reads system-wide (/etc/lftp.conf) and per-user config files (~/.lftprc)
6. Behaves like the BASH shell
   a. Command history
   b. Tab completion
7. Supports mirroring (forward and reverse) of content
8. Supports FTP retransmit/reconnect from where you left off
9. Supports bookmarks of sites
10. Supports the execution of BASH programs '!command' e.g. '!bash'
11. Permits execution of background jobs. Use CTRL-Z to background.
12. Supports escape to shell using '!command' e.g. '!ps -ef'
Usage:
1. lftp - enters interactive mode
   a. 'set -a' - reveals all variables
2. lftp linuxcbt@192.168.75.199 OR lftp -u linuxcbt,abc123 sftp://192.168.75.199 - Connects to SFTP server
3. mget -c - continues downloads
4. mput -c - continues uploads
5. mirror -v mirror/ - mirrors a remote directory named 'mirror' to the local system
6. mirror -Rv mirror/ - Reverse mirror (puts) - items to remote server

###Telnet Server###
Features:
1. Shell interface on remote system
2. Binds to TCP:23
Caveat:
1. Clear-text based application (credentials are transmitted in the clear)
2. By default, 'root' is NOT permitted access via telnet-server - /etc/securetty
Requirements:
1. xinetd - installed automatically via yum
Install Telnet Server:
1. yum -y install telnet-server
2. nano /etc/xinetd.d/telnet - change 'disable = yes' to 'disable = no'
3. service xinetd restart - effects changes
Tasks:
1. Connect to both systems from either system using 'telnet' client
   a. telnet 192.168.75.199 - This will allocate a free pseudo-terminal, if the user authenticates successfully
Note: By default, telnet-server reads and displays the contents of: /etc/issue
Note: TCP|UDP ports are 16-bit based: 2**16, 0-65535
Note: ptys are assigned sequentially.
2. Enable 'root' login via telnet
   a. mv /etc/securetty /etc/securetty.disabled

Note: Wherever/whenever possible opt for SSH in place of Telnet Server

###Dynamic Host Configuration Protocol Daemon###
Features:
1. Provides automatic configuration of IPv4 clients
   a. IPv4 address
   b. Subnet mask
   c. Default gateway
   d. DNS Servers
   e. NTP Servers
   f. WINS Servers
2. Leases the addresses and related information based on predefined values:
   a. 1 day
   b. 1 week
   c. 1 month
3. DHCP Process - DORA
   a. Discovery - client broadcasts on the local subnet for a DHCP server
   b. Offer - returned by the DHCP server
   c. Request - formal address request by client
   d. Acknowledgement/Acceptance - Acknowledgement occurs
Note: DHCPD records leases in: /var/lib/dhcpd/dhcpd.leases
4. DHCP uses UDP protocol and layer-2 information to request/assign addresses
Tasks:
1. Install DHCP server
   a. yum -y install dhcp
2. Configure: /etc/dhcpd.conf - primary config file
3. Set service up to start when system boots
   a. chkconfig dhcpd on - 2345
4. Disable service on 192.168.75.100 box
   a. rcdhcpd stop
5. Start service on localhost:
   a. service dhcpd start
6. Setup DHCP reservation
   a. Requires the MAC address of the client (00:0C:29:B5:16:92)
   b. Requires the 'fixed-address' - IPv4 address to map to the MAC address
   c. Optional 'option-*' are supported between host { } block
   d. service dhcpd restart - restart to effect changes

###BIND DNS###
Features:
1. Name-to-IP address mapping
2. Name resolution for DNS clients
3. Caching-only server (Default)
4. Primary DNS server
5. Slave server
6. Replication of DNS database information between servers
7. Dynamic DNS updates
8. Provides numerous client tools: nslookup, dig, host
Tasks:

1. Install BIND
   a. yum -y install bind
2. Configure a default, caching-only, named.conf file
   a. rpm -ql bind - to see samples
   b. cp /usr/share/doc/bind*/sample/* to /etc/ and /var/named
   c. disable DDNS_KeyGen sections
   d. Start the server - service named start
3. Query the server
   a. dig @localhost www.linuxcbt.com
      a1. Returns: question, answer, authoritative DNS servers, query time
   b. nslookup www.linuxcbt.com OR nslookup - server 127.0.0.1
   Note: The server has cached: www.linuxcbt.com, evidenced by the decrementing TTL values for the various records associated with the zone
   c. host www.linuxcbt.com - also performs a lookup
   Note: /etc/resolv.conf controls the DNS servers that are consulted by lookup tools such as: Web browser, wget, FTP client, LFTP, GFTP, nslookup, host, dig, etc.
   d. dig linuxcbt.com MX - queries the domain for mail exchangers
   Note: DNS is organized into an inverted tree, with '.' representing the root of the DNS tree.
      . = root
      .com = top level
      .linuxgenius = second level
      - mail = third level
   Note: A trailing '.' in a DNS query is implied, and may optionally be indicated if desired in any standard Internet application (web browser, nslookup, dig, host, etc.)
   e. dig mail1.linuxgenius.com
4. Setup service to auto-start at boot
   a. chkconfig --level 35 named on - enables the service in runlevels: 3,5

Primary & Secondary Zones:
Features:
1. Ability to service zones
2. Authoritative support for a zone
Tasks:
1. Create internal zone named 'linuxcbt.internal'
   a. Modify /etc/named.conf to include the new zone
      zone "linuxcbt.internal" {
          type master;
          file "linuxcbt.internal.db";
          #allow-update { key ddns_key; };
      };
   b. create the corresponding zone file
   c. restart named
   d. test resolution of DNS primary zone
Note: Install 'caching-nameserver*' for Caching-only DNS server
2. Create a slave (Secondary) server
   a. Installation of BIND on the remote system: linuxcbtserv4
      a1. yum -y install bind

   b. copy sample files from primary server to secondary server
   c. modify /etc/named.conf and set 'linuxcbt.internal' zone to slave
   d. start named service - 'service named start'
   e. chkconfig --level 35 named on
   f. Update: /var/named/linuxcbt.internal.db to reflect new name server
3. Create a primary zone on the "secondary" server
   a. create a zone for: linuxcbt.external
   b. /etc/named.conf
   c. Create zone file in: /var/named
   d. Update configuration
   e. Restart named
   f. setup 'linuxcbtserv4' to be a slave for the zone: linuxcbt.internal
4. Start 'named' as a caching-only DNS server (Default)
   a. service named start
   b. 'dig @192.168.75.199 www.linuxcbt.com' - forces a caching-only lookup query

Reverse Zones:
Features:
1. The ability to resolve a name, given an IPv4 or IPv6 address
Tasks:
1. Define an IPv4 reverse zone for the local subnet:
   a. Define zone name: '75.168.192.in-addr.arpa'
   b. /etc/named.conf
   c. Create zone file in: /var/named
   d. Update configuration
   e. Restart named
   f. test using 'dig -x 192.168.75.10' (linuxcbtrouter1)
Note: Reverse zones are built from the prefix in IPv4 subnets

Forward IPv6 Records:
Implemented primarily as AAAA records:
   linuxcbtserv1   IN AAAA 2002:4687:db25:3:202:b3ff:fe98:4108
   linuxcbtserv4   IN AAAA 2002:4687:db25:3:20c:29ff:feb5:1692
   linuxcbtmedia1  IN AAAA 2002:4687:db25:3:20a:5eff:fe1b:4aad
   linuxcbtrouter1 IN AAAA 2002:4687:DB25:3:21A:2FFF:FEE3:F240
Test IPv6 resolution using:
1. ping6 linuxcbtrouter1.linuxcbt.internal

IPv6 Reverse Zone:
Requirements:
1. Update: /etc/named.conf entry
   zone "3.0.0.0.5.2.b.d.7.8.6.4.2.0.0.2.ip6.arpa" {
       type master;
       file "3.0.0.0.5.2.b.d.7.8.6.4.2.0.0.2.ip6.arpa.reverse";
   };
Note: IPv6 reverse zone names are in nibble format, with ALL zeros expanded for the network prefix portion of the address, which is usually 64-bits in length
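The nibble-format rule above is easy to get wrong by hand (every hextet must be written with all four hex digits before reversing). The following is an added example, not code from the LinuxCBT notes, that derives the in-addr.arpa zone name for the 192.168.75.0/24 subnet, the ip6.arpa zone name for the 2002:4687:db25:3::/64 prefix behind the AAAA records, and the owner name of a host's PTR record relative to either zone. It uses only the Python standard library; the hostnames are the ones in the records above.

```python
"""Reverse-zone naming for in-addr.arpa and ip6.arpa.

Added example; not from the LinuxCBT notes.  Given a subnet it builds
the reverse zone name (IPv4: octets reversed; IPv6: every nibble of the
prefix reversed, with the zeros written out), and given a host address
it produces the owner name of its PTR record relative to that zone.
The addresses and hostnames are the ones the notes use.
"""
import ipaddress


def ipv4_reverse_zone(network):
    """'192.168.75.0/24' -> '75.168.192.in-addr.arpa'"""
    net = ipaddress.IPv4Network(network, strict=False)
    if net.prefixlen % 8:
        raise ValueError("in-addr.arpa zones need an octet-aligned prefix")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ipv6_reverse_zone(network):
    """'2002:4687:db25:3::/64' -> nibble-reversed prefix + '.ip6.arpa'"""
    net = ipaddress.IPv6Network(network, strict=False)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa zones need a nibble-aligned prefix")
    # .exploded writes every hextet with all four hex digits (zeros expanded)
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_owner(address, zone):
    """Owner name of the PTR record for `address`, relative to `zone`."""
    full = ipaddress.ip_address(address).reverse_pointer
    suffix = "." + zone
    if not full.endswith(suffix):
        raise ValueError("%s does not belong to zone %s" % (address, zone))
    return full[: -len(suffix)]


def ptr_record(address, zone, fqdn):
    """Render one zone-file line for the host's PTR record."""
    return "%s IN PTR %s." % (ptr_owner(address, zone), fqdn.rstrip("."))


if __name__ == "__main__":
    v6zone = ipv6_reverse_zone("2002:4687:db25:3::/64")
    print(v6zone)
    print(ptr_record("2002:4687:db25:3:20a:5eff:fe1b:4aad", v6zone,
                     "linuxcbtmedia1.linuxcbt.internal"))
    v4zone = ipv4_reverse_zone("192.168.75.0/24")
    print(ptr_record("192.168.75.10", v4zone, "linuxcbtrouter1.linuxcbt.internal"))
```

The ValueError in ptr_owner is the check worth keeping: a PTR whose reversed address does not end in the zone's name is silently ignored by BIND (it is out of zone), which is the usual cause of 'dig -x' returning nothing after a hand-typed entry.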

2. Include entries using the last 64-bits or IPv6 host part
   a. /var/named/zone_file
Note: When creating reverse IPv6 entries for hosts, do the following:
   a. reverse the 64-bit portion of the address that corresponds to the host, expanding all zeros
   b. Create PTR record based on the reverse, nibble-format of the address
      d.a.a.4.b.1.e.f.f.f.e.5.a.0.2.0 IN PTR linuxcbtmedia1.linuxcbt.internal.
Test using dig:
   a. dig -x 2002:4687:db25:3:20a:5eff:fe1b:4aad

###Network File System (NFS)###
Features:
1. Transparent access to remote file systems
2. Installed by default
3. Uses RPC for communications
Tasks:
1. Export a directory on the server using: /etc/exports
   a. /path_to_directory IP_ADDR(rw)
   b. /nfs1 192.168.75.10(rw)
   c. mkdir /nfs1
   d. start NFS server - 'service nfs start'
   e. Confirm export(s) - 'exportfs -v'
Note: NFS matches remote user's UID to local /etc/passwd to determine ACLs
2. Export /nfs2
   a. Create entry in /etc/exports
   b. Update current exports using: exportfs -a
3. Mount both exports on a remote system
   a. mount -t nfs 192.168.75.199:/nfs1 /nfs1
   b. mount -t nfs 192.168.75.199:/nfs2 /nfs2
4. Allow local 'root' user the ability to write to /nfs1 export
   a. /etc/exports: (rw,no_root_squash)
5. Setup mount points so that they're available upon reboot
   a. /etc/fstab
   b. Unmount and confirm that NFS mount points will be available when the client system changes runlevels (reboots, starts, etc.) - 'mount -a'
   showmount -a 192.168.75.199 - shows mounts on this system (connected NFS clients)
6. Attempt to mount /nfs1 & /nfs2 from an unauthorized system
   a. Fails because client's IP does not match server's /etc/exports
   b. Update server's /etc/exports to allow additional hosts/subnet/etc.
   c. exportfs -a - to update the export table

###AutoFS###
Features:
1. Automatically mounts file systems (NFS, SMBFS, local, etc.) upon I/O request
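Two of the steps above widen what a client can do: 'no_root_squash' lets a remote root act as local root on the export, and loosening /etc/exports "to allow additional hosts/subnet/etc." can end up granting every host access. The following is an added example (not code from the LinuxCBT notes) that parses /etc/exports syntax and reports exports that are world-readable, world-writable, or carry no_root_squash, so the effect of an edit can be checked before running 'exportfs -a'. The sample exports file is constructed; the paths and addresses mirror the ones in the notes.

```python
"""Audit /etc/exports for risky client/option combinations.

Added example; not from the LinuxCBT notes.  Each export line is
'<path> <client>(<options>) [<client>(<options>) ...]'; a client of
'*' (or no client at all, as in '/srv/public (ro)') means every host,
and root_squash is the default unless no_root_squash is given.
The sample file below is constructed.
"""
import re

SAMPLE_EXPORTS = """
# constructed sample in /etc/exports syntax
/nfs1        192.168.75.10(rw)
/nfs1        192.168.75.0/24(rw,no_root_squash)
/nfs2        *(rw)
/srv/public  (ro)
"""

_CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return a list of (path, client, [options]) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or [""]
        for client in clients:
            match = _CLIENT_RE.match(client)
            if not match:
                raise ValueError("cannot parse client spec %r" % client)
            host = match.group(1) or "*"           # empty host means everyone
            options = [o for o in (match.group(2) or "").split(",") if o]
            entries.append((path, host, options))
    return entries


def audit_exports(text):
    """Return (path, client, finding) triples for exports worth a second look."""
    findings = []
    for path, host, options in parse_exports(text):
        everyone = host == "*"
        writable = "rw" in options
        if everyone and writable:
            findings.append((path, host, "world-writable export"))
        elif everyone:
            findings.append((path, host, "exported to every host"))
        if "no_root_squash" in options:
            findings.append((path, host, "remote root maps to local root"))
    return findings


if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print("%-12s %-20s %s" % (path, host, finding))
```

Run against the sample it flags three of the four lines; the first one, a single host with rw and the default root_squash, is the shape the notes start from and passes cleanly.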

Requirements:
1. autofs-*rpm must be installed
/etc/auto.master - primary configuration file - also contains mount points and their mappings
/etc/auto.misc
/etc/sysconfig/autofs - default startup directives
Note: AutoFS must be running in order to auto-mount directories
Task:
1. Create an automount for /shares, which will mount /nfs1 & /nfs2
   a. Unmount: /nfs1 & /nfs2 if necessary
   Note: Do NOT auto-mount directories that are already mounted
   b. update /etc/auto.master - '/shares /etc/auto.shares'
   c. cp /etc/auto.misc /etc/auto.shares
   d. update the rules in /etc/auto.shares
   e. Create AutoFS tree: /shares/
   f. Restart the autofs service
   g. Test access to AutoFS controlled directory
      g1. 'ls -l /shares/nfs1'
Note: syntax for auto-mount files is as follows:
   <mount-point> [<options>] <location>
   nfs1 -fstype=nfs 192.168.75.199:/nfs1

###Samba###
Features:
1. Provides Windows features (file & print) on Linux | Unix
/etc/samba/smb.conf - primary config file
Clients:
1. findsmb - finds SMB hosts on the network
2. smbtree - equivalent to Network Neighborhood/My Network Places (prints workgroups, hosts, and shares)
3. smbclient - interactive (FTP-like) utility to connect to shares - permits uploads/downloads from shares
   a. smbclient -U dean //linuxcbtwin1/mtemp
   b. mget file* - downloads file(s)
   c. mput file* - uploads file(s)
4. smbget - similar to 'wget', in that, it will download files from the remote share
   a. smbget -u dean smb://linuxcbtwin1/mtemp/20070524_SAN_Allocations.ods
5. smbtar - backs-up smb shares to a TAR archive
   a. smbtar -s linuxcbtwin1 -x mtemp -u dean -t backup1.tar

Samba Server:
/etc/samba/smb.conf - primary config file
SWAT manages /etc/samba/smb.conf
Samba Server Modes:
1. User
   a. One Samba-defined user is required per Linux user

   b. Authentication of users is handled by Samba server
2. Server/Domain (PDC/BDC)
   a. Authentication is handled by the Windows NT/2K/2K3/2K8 server
   b. Still requires a local Samba-defined user accounts database
3. ADS - Active Directory
   a. Authentication is handled by Active Directory
   b. When used with Winbind, locally-defined Samba users are NOT required
Note: Ultimately, users must authenticate to the local Linux file system
Task:
1. Install SWAT
   a. yum -y install samba-swat
   b. nano /etc/xinetd.d/swat - set 'disable = no'
   c. service xinetd restart
   d. netstat -ntl | grep 901
/etc/samba/smbpasswd maps Windows users to /etc/passwd
2. Install rdesktop and connect to Windows XP to test connectivity to Samba
   a. yum -y install rdesktop

Winbind:
Features:
1. Windows AD integration
2. Avoids having to define users in 2 places: Windows, Linux
3. Uses Kerberos for authentication
Requirements:
1. krb5-* packages
2. Properly configured Kerberos environment:
   a. /etc/krb5.conf
Steps:
1. Update Samba server's DNS to point to ADS server
   a. /etc/resolv.conf
   b. /etc/hosts - including a pointer to the ADS server (linuxcbtwin3)
2. Update: /etc/krb5.conf
   [libdefaults]
   default_realm = AD2.LINUXCBT.INTERNAL
   [realms]
   AD2.LINUXCBT.INTERNAL = {
       kdc = linuxcbtwin3.ad2.linuxcbt.internal
       admin_server = linuxcbtwin3
   }
   [domain_realm]
   .ad2.linuxcbt.internal = AD2.LINUXCBT.INTERNAL
3. Update Samba configuration to use ADS authentication
4. Join AD domain:
   a. 'net ads join -U administrator'
5. Confirm AD membership using: 'Active Directory Users & Computers' Tool
6. Setup Winbind to authenticate using ADS:
   a. /etc/pam.d/system-auth - account & auth settings
      auth sufficient /lib/security/pam_winbind.so - place before 'pam_unix.so'
      account sufficient /lib/security/pam_winbind.so

   b. /etc/nsswitch.conf
      passwd: files winbind
      group:  files winbind
   c. Configure 'idmap' 'uid & gid' mappings - 10000 - 20000
      Use SWAT to update idmap settings for 'uid & gid'
   d. Create 'Template homedir' %D (Domain) directory beneath '/home'
      mkdir /home/LINUXGENIUS
7. Test Winbind Integration using: wbinfo
   a. wbinfo -u - this enumerates users in AD
   b. wbinfo -g - this enumerates groups in AD
   c. ssh into LINUXCBTSERV1 (Winbind) as ADS user
Note: If you want ADS users to be able to logon to your Samba-Winbind Linux box using SSH, Telnet, mingetty, etc., change the 'Template Shell' directive to a valid shell, i.e. /bin/bash
Task1:
1. Authenticate using ADS, as 'administrator' from Windows box
2. Create a user named 'linuxcbt' in AD
3. Create shared directory on the Samba box, and provide access (Share it)

###Apache Web Server###
Features:
1. WWW Web Server
2. Modular
Tasks:
1. Install Apache 2.2x
   a. httpd*rpm
/etc/httpd - top-level configuration container on RH5
/etc/httpd/conf - primary configuration directory
/etc/httpd/conf/httpd.conf - primary Apache configuration file
/etc/httpd/conf.d - drop-in configuration directory, read by Apache upon startup
2. Explore: /etc/httpd/conf/httpd.conf
   a. HTTPD runs as: apache:apache
   b. Apache maintains, always, a 'main' server, which is independent of Virtual Hosts. This server is a catch-all for traffic that doesn't match any of the defined virtual hosts.
   c. <Directory> directive governs file system access.
   Note: The primary Apache process runs as 'root', and has access to the full file system. However, the <Directory> directive restricts the web-user's view of the file system.
   Note: Every directory, outside of the 'DocumentRoot', should have at least one <Directory> directive defined.
   d. Test access to '.ht*' files from web root
   e. ErrorLog logs/error_log - default error log file for ALL hosts
   f. logs/access_log - default log file for default server

3. Start Apache and continue to explore
   a. service httpd start
      root   31324     1  0 10:17 ?  00:00:00 /usr/sbin/httpd
      apache 31326 31324  0 10:17 ?  00:00:00 /usr/sbin/httpd
      apache 31327 31324  0 10:17 ?  00:00:00 /usr/sbin/httpd
      apache 31328 31324  0 10:17 ?  00:00:00 /usr/sbin/httpd
      apache 31329 31324  0 10:17 ?  00:00:00 /usr/sbin/httpd
      apache 31330 31324  0 10:17 ?  00:00:00 /usr/sbin/httpd
      apache 31331 31324  0 10:17 ?  00:00:00 /usr/sbin/httpd
      apache 31332 31324  0 10:17 ?  00:00:00 /usr/sbin/httpd
      apache 31333 31324  0 10:17 ?  00:00:00 /usr/sbin/httpd
Note: Parent Apache runs as 'root' and can see the entire file system
Note: However, children processes run as 'apache' and can only see files/directories that 'apache:apache' can see
4. Ensure that Apache will start when the system boots
   a. chkconfig --level 35 httpd on && chkconfig --list httpd
5. Create an Alias for content outside of the web root (/var/www/html)
   a. Alias /testalias1 /var/www/testalias1
      <Directory /var/www/testalias1>
          AllowOverride None
          order allow,deny
          allow from all
      </Directory>

Virtual Hosts Configuration:
Features:
1. Ability to share/serve content based on 1 or more IP addresses
2. Supports 2 modes of Virtual Hosts:
   a. IP Based - one site per IP address
   b. Host header names - multiple sites per IP address
Tasks:
1. Create IP Based Virtual Hosts
   a. ifconfig eth0:1 192.168.75.210
   b. Update: /etc/httpd/conf/httpd.conf with VHost information
   c. Create: /var/www/site1 and content
   d. Configure the Virtual Host:
      <VirtualHost 192.168.75.210>
          ServerAdmin webmaster@linuxcbtserv4.linuxcbt.internal
          ServerName site1.linuxcbt.internal
          DocumentRoot /var/www/site1
          <Directory /var/www/site1>
              Order allow,deny
              Allow from all
          </Directory>
          CustomLog logs/site1.access.log combined
          ErrorLog logs/site1.error.log
      </VirtualHost>
2. Create Name-based Virtual Hosts using the primary IP address
   a. /etc/httpd/conf/httpd.conf:
      NameVirtualHost 192.168.75.199:80
      <VirtualHost 192.168.75.199:80>
          ServerAdmin webmaster@linuxcbtserv4.linuxcbt.internal

          ServerName site3.linuxcbt.internal
          DocumentRoot /var/www/site3
          <Directory /var/www/site3>
              Order allow,deny
              Allow from all
          </Directory>
          CustomLog logs/site3.access.log combined
          ErrorLog logs/site3.error.log
      </VirtualHost>

###Apache with SSL Support###
Features:
1. Secure/Encrypted communications
Requirements:
1. httpd
2. openssl
3. mod_ssl
4. crypto-utils (genkey) - used to generate certificates/private keys/CSRs
   a. also used to create a self-signed certificate
Tasks:
1. Install the requirements
   a. mod_ssl - module for Apache, which provides SSL support
      yum -y install mod_ssl
      /etc/httpd/conf.d/ssl.conf - includes key SSL directives
   b. crypto-utils - provides /usr/bin/genkey
2. Generate SSL usage keys using: genkey
   a. genkey site1.linuxcbt.internal - creates text-gui interface
3. Update /etc/httpd/conf.d/ssl.conf to reference the new keys (public/private)
4. Restart the HTTPD server
   a. service httpd restart
   b. httpd -S
5. Test HTTPS connectivity
   a. https://192.168.75.199
Note: For multiple SSL sites, copy the /etc/httpd/conf.d/ssl.conf file to distinct files that match your distinct IP-based VHosts

###MySQL###
Features:
1. DBMS Engine
2. Compatible with various front-ends:
   a. Perl
   b. PHP
   c. ODBC
   d. GUI Management
Tasks:
1. Install MySQL Client & Server
   a. yum -y install mysql
      /etc/my.cnf - primary config file
      /usr/bin/mysql - primary client used to interact with the server
      /usr/bin/mysqladmin - primary admin utility to return useful info, and perform admin tasks from the shell

   b. yum -y install mysql-server
      /usr/libexec/mysqld - DBMS engine
2. Start MySQL server and modify perms for 'root'
   a. service mysqld start
   b. chkconfig --level 35 mysqld on
   c. mysqladmin -u root password abc123
3. Install 'mysql' client on a remote system and test connectivity
   a. yum -y install mysql
   b. mysql -u root -p
Note: mysql command-line options ALWAYS override global (/etc/my.cnf), and/or local (~/.my.cnf) configuration directives
Note: MySQL Users consist of the following:
   a. username i.e. 'root'
   b. host i.e. 'localhost'
   A sample username is: 'root@localhost'
4. Secure 'anonymous' account
   a. DELETE FROM mysql.user WHERE user = '';
   b. flush privileges;
5. Create Database 'addressbook'
   create database AddressBook;
6. use AddressBook;
7. create table contacts (`first_name` char(20), `last_name` char(20), `bus_phone1` char(20), `email` char(30), PRIMARY KEY (`email`));
8. Insert Data into 'contacts' table using INSERT
   INSERT INTO contacts (first_name,last_name,bus_phone1,email) VALUES ('Kay','Mohammed','888.573.4943','kay@LinuxCBT.com');
9. Update a record in the 'contacts' table
   UPDATE contacts SET email='kay2@LinuxCBT.com' WHERE first_name='Kay';
10. Delete record from 'contacts' table
   DELETE FROM contacts WHERE email = 'kay1@LinuxCBT.com';

###Postfix MTA###
Features:
1. Message Transfer Agent (MTA)
2. Modular (SpamAssassin)
3. Drop-in replacement for Sendmail, as it provides a 'sendmail' binary
Note: Use 'system-switch-mail*' package to switch between Postfix and Sendmail
Tasks:
1. Install Postfix

   a. yum -y install postfix
      /etc/postfix - configuration directory
      /etc/postfix/main.cf - primary configuration file
      /etc/postfix/transport - contains routing rules for domains
      /etc/postfix/virtual - contains virtual user mappings
2. Install 'system-switch-mail' package
   a. yum -y install system-switch-mail
3. Switch default MTA from Sendmail, to Postfix
   a. system-switch-mail
Note: The default Postfix configuration binds to 127.0.0.1:25
4. Test local mail delivery
   a. Use 'mutt' to test local delivery
5. Configure Postfix to receive messages from remote systems
   a. set: inet_interfaces=all
   b. set mydestination = linuxcbt.internal
   c. service postfix restart
   d. Confirm directives using: 'postconf'
   e. Attempt to send message from LINUXCBTSERV1 -> LINUXCBTSERV4
   f. If it fails, configure MTA on LINUXCBTSERV1 to listen to routable IP
      f1. update /etc/mail/sendmail.mc
      f2. make all -C /etc/mail
      f3. service sendmail restart
Note: Ensure that 'sendmail-cf*' package is installed, in order to update .mc files to .cf files

###Mail Retrieval using POP3/IMAP###
Features:
1. Mail retrieval using standard protocols
2. Common package: dovecot
3. Supports both: mbox (/var/spool/mail/username) & Maildir formats
4. Supports SSL: POP3S & IMAPS
Tasks:
1. Install dovecot
   /etc/dovecot.conf - primary config file
   /etc/pki/dovecot/dovecot-openssl.cnf - SSL config
Note: Default configuration binds to:
   a. POP3 - downloads messages to client
   b. POP3S
   c. IMAP - leaves messages on server
   d. IMAPS
E-mail flow: mutt -> sendmail -> Postfix queue -> remote system -> POP3|IMAP
2. Configure mail client to download messages using POP3

###Squirrelmail (Web mail) Integration with Apache/Postfix/Dovecot###
Features:
1. Web mail application
2. Implemented with PHP

Tasks:
1. Install Squirrelmail with support via Apache
   a. Download from squirrelmail.org
   b. Confirm the MD5SUM
   c. Copy the *.bz2 file to the Apache server
   d. yum -y install php php-imap - installs PHP support for Apache/IMAP
   e. mkdir /var/www/mail
   f. Extract Squirrelmail to: /var/www/mail
   g. create symlink named 'mail' to point to Squirrelmail version
   h. Create the Apache Virtual Host
      <VirtualHost 192.168.75.199:80>
          ServerAdmin webmaster@mail.linuxcbt.internal
          ServerName mail.linuxcbt.internal
          DocumentRoot /var/www/mail
          <Directory /var/www/mail>
              Options FollowSymLinks
              Order allow,deny
              Allow from all
          </Directory>
          CustomLog logs/mail.access.log combined
          ErrorLog logs/mail.error.log
      </VirtualHost>
   i. Restart Apache
   j. Create 'attach' and 'data' directories for SquirrelMail: /var/local/squirrelmail/{data,attach}
   k. Update permissions so SquirrelMail may write to 'data' and 'attach' directories: chown -R apache.apache /var/local/squirrelmail
   l. Configure SquirrelMail defaults: /var/www/mail/mail/config/conf.pl
   m. Setup DNS
   n. Attempt to access SquirrelMail
      http://mail.linuxcbt.internal/mail
      http://mail.linuxcbt.internal/mail/src/configtest.php
Note: If SELinux is enabled, use 'setsebool ...' to allow httpd to connect to IMAP and SMTP ports. Consult: /var/log/messages

###Squid Proxy Server###
Features:
1. Caching server
2. Filters access to the Net
3. Efficient bandwidth usage
4. Supports a wide criteria of ACLs (dstdomain, src_IP, Time of day, etc.)
   /etc/squid - primary configuration container
   /etc/squid/squid.conf - primary configuration file
   /usr/sbin/squidclient - used to test Squid Proxy server
   /var/log/squid - primary log directory
   /var/spool/squid - cache directory container
Tasks:
1. Install Squid Proxy server
   a. yum -y install squid
2. Start Squid, and ensure that it starts when the system reboots
   a. service squid start
   b. chkconfig --level 35 squid on
Note: Ensure that ample/fast disk storage is available for: /var/spool/squid
Note: Squid defaults to TCP:3128
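The Squid ACL tasks in these notes (allow the 192.168.75.0/24 subnet, then deny the single host 192.168.75.10) only work if the deny line is placed before the allow line, because Squid evaluates http_access lines top to bottom and the first matching line decides. The script below is an added example, not code from the LinuxCBT notes or from the Squid project: a small evaluator for 'src' ACLs that applies that first-match rule, plus Squid's documented default when nothing matches (the opposite of the last http_access line's action). It only understands 'acl NAME src ...' with dotted-quad hosts or a.b.c.d/bits networks; both squid.conf fragments are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: a minimal evaluator for the 'src' ACLs
# in a squid.conf fragment. It applies the rule Squid itself uses: http_access lines
# are tested top to bottom, the FIRST line whose ACL terms all match decides, and when
# no line matches the default is the opposite of the last line's action (deny when
# there are no http_access lines at all).
# Assumptions: only 'acl NAME src ...' ACLs, written as dotted quads or a.b.c.d/bits.

# squid_decision CONF CLIENT_IP  ->  allow | deny | default-allow | default-deny
squid_decision() {
    awk -v client="$2" '
        function ip2int(s,   a) { split(s, a, "."); return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4] }
        # does one src spec (host or CIDR network) cover the address?
        function covers(spec, addr,   p, bits) {
            if (index(spec, "/") == 0) return ip2int(spec) == addr
            split(spec, p, "/"); bits = p[2] + 0
            return int(ip2int(p[1]) / 2 ^ (32 - bits)) == int(addr / 2 ^ (32 - bits))
        }
        BEGIN { addr = ip2int(client) }
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "acl" && $3 == "src" { for (i = 4; i <= NF; i++) specs[$2] = specs[$2] " " $i; next }
        $1 == "http_access" {
            last = $2
            if (decided) next
            all = 1
            for (i = 3; i <= NF; i++) {
                name = $i; neg = 0
                if (substr(name, 1, 1) == "!") { neg = 1; name = substr(name, 2) }
                hit = 0
                n = split(specs[name], s, " ")
                for (j = 1; j <= n; j++) if (covers(s[j], addr)) hit = 1
                if (hit == neg) { all = 0; break }   # this ACL term did not match
            }
            if (all) { decided = 1; verdict = $2 }
            next
        }
        END {
            if (decided) print verdict
            else if (last == "") print "default-deny"
            else print "default-" (last == "allow" ? "deny" : "allow")
        }
    ' "$1"
}

WORK=$(mktemp -d)
GOOD_CONF="$WORK/squid.conf.good"   # deny listed before the broader allow
BAD_CONF="$WORK/squid.conf.bad"     # deny appended after the allow, so it never fires

cat > "$GOOD_CONF" <<'EOF'
# constructed fragment for the example
acl lan_users src 192.168.75.0/24
acl lan_bad_users src 192.168.75.10
http_access deny lan_bad_users
http_access allow lan_users
EOF

cat > "$BAD_CONF" <<'EOF'
# constructed fragment: same ACLs, opposite order
acl lan_users src 192.168.75.0/24
acl lan_bad_users src 192.168.75.10
http_access allow lan_users
http_access deny lan_bad_users
EOF

for ip in 192.168.75.10 192.168.75.50 10.0.0.5; do
    echo "$ip: good=$(squid_decision "$GOOD_CONF" "$ip") bad=$(squid_decision "$BAD_CONF" "$ip")"
done
```

The constructed "bad" order shows two failures at once: the blocked host is allowed because the allow line matches first, and an address from outside the LAN ends up allowed by the implicit default, since the last line is now a deny. Finishing the list with an explicit deny-all line makes that default harmless.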

3. Configure Squid to allow LAN access through
   a. nano /etc/squid/squid.conf
      a1. acl lan_users src 192.168.75.0/24
      a2. http_access allow lan_users
4. Configure Firefox browser to use Squid Proxy server
5. Deny 192.168.75.10, but allow ALL other users from the local subnet
   a. acl lan_bad_users src 192.168.75.10
   b. http_access deny lan_bad_users

###SELinux Intro###
Features:
1. Provides Mandatory Access Controls (MACs)
2. Restricts access by subjects (users and/or processes) to resources, i.e. objects (files)
3. MACs extend Discretionary Access Controls (DACs (Standard Linux Permissions))
4. Stores MAC permissions in extended attributes of file systems
5. SELinux provides a way to separate: users, processes (subjects), and objects, via labeling, and monitors/controls their interaction
6. SELinux is integrated into the Linux kernel
7. Implements sandboxes for subjects and objects
8. Default RH5 implementation creates sandboxes (domains) for 'targeted' daemons and one sandbox (unconfined_t) for everything else
9. SELinux is implemented/enabled by RH5, by default
10. Operates in the following modes:
    a. Enforcing - strictly enforces 'targeted' policy rules
    b. Permissive - permission is always granted, but denials are logged in: /var/log/messages
    c. Disabled - Only DACs are applied
11. Operating modes can be applied upon startup or while the system is running
SELinux Config files & Tools:
1. /etc/sysconfig/selinux - primary startup|config file for SELinux
   a. Operating mode: 'enforcing|permissive|disabled'
   b. policy name 'targeted'
2. /etc/selinux/targeted - top-level container for the 'targeted' policy
3. sestatus - displays current SELinux status, including:
   a. Operating mode
   b. policy name 'targeted'
   c. policy version '21'
4. setenforce = 0(permissive) 1(enforcing)
5. '-Z' can be applied to the following tools to obtain SELinux context info:
   a. ls
   b. ps
   c. id
   d. cp
   e. mv
6. chcon -R -t type file - applies SELinux label to file/directory
Tasks:
1. Disable SELinux upon boot-up on LINUXCBTSERV4
   a. nano /etc/grub.conf
   b. Update 'kernel' line to reflect: selinux=0
Note: If files(objects) lose their SELinux context, there are multiple ways to relabel them:
   1. 'touch /.autorelabel && reboot' - init will relabel the system according to the 'targeted' policy
   2. 'fixfiles' - use to relabel objects (files) while the system is running
Note: List of daemons protected by the 'targeted' SELinux policy:
1. apache(httpd)
2. dhcpd
3. ntpd

4. named
5. syslogd
6. squid
7. snmpd
8. portmap
9. nscd
10. winbind
Note: The 'targeted' policy assigns ALL other subjects and objects to the 'unconfined_t' domain
Note: The default SELinux 'targeted' policy, using MACs, binds subject domains, i.e. 'httpd_t', to object types, i.e. 'httpd_config_t'
Note: SELinux MACs compound Linux DACs

###OpenPGP|GNU Privacy Guard (GPG)###
Features:
1. Provides data encryption services based on Public Key Infrastructure (PKI)
   a. Public key - used to encrypt data to a recipient
   b. Private key - used to decrypt data from a sender
2. Confidentiality - Data (Files or e-mail) are encrypted
3. Integrity - Digital signatures
4. Compression
5. GPG is OpenPGP compliant
Usage:
1. gpg --list-keys - this enumerates keys in ~/
2. gpg --gen-key - generates a PKI keypair for the current user
3. gpg --encrypt -r LinuxCBT --armor sample.txt - encrypts sample.txt using our 'LinuxCBT's' public key
4. gpg --decrypt sample.txt.asc
5. gpg --decrypt sample.txt.gpg
6. gpg --decrypt -o sample.txt sample.txt.gpg
7. gpg --export -a - dumps public key to STDOUT
8. gpg --import - waits on STDIN for user to paste a key for import

###OpenSSHv2###
Features:
1. Encrypted shell sessions, file transfers
2. Primarily used to protect the transport layer
3. Password-less logins
4. Port forwarding - Pseudo-VPN
SSH Clients:
/etc/ssh/ssh_config - shared system-wide config file for SSH clients

1. ssh - shell-based client
   a. ssh linuxcbt@linuxcbtmedia1
   b. ssh linuxcbt@linuxcbtmedia1 "uptime"
2. scp - secure, non-interactive, copy program
   a. scp sample.txt linuxcbt@linuxcbtmedia1:
   b. scp linuxcbt@linuxcbtmedia1:testRH5/sample.txt sample2.txt
3. sftp - secure, interactive, FTP-like, copy program
   a. sftp linuxcbt@linuxcbtmedia1
4. ssh-keygen - used to generate SSH pub/priv keypair
   a. ssh-keygen -t rsa
5. ssh-copy-id - permits easy propagation of SSH pub/priv keypair
   a. ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.75.10
Note: Use '-v' with SSH clients to enable verbosity
Task:
1. Setup Password-less logins using SSH

###IPTables###
Features:
1. Firewall for Linux
2. Interface to Netfilter, which is loaded by the kernel
   a. grep -i config_netfilter /boot/config*
3. Operates primarily @ layers 3 & 4 of the OSI model
4. IPTables can also access other layers (2, 5-7), with modules
5. Modular
6. Provides Network Address Translation (NAT)
Note: Save rules in: /etc/sysconfig/iptables so that when IPTables is restarted, the rules will be applied OR, update /etc/sysconfig/iptables-config to save the rules automatically
/sbin/iptables - primary ACL modifier utility
/sbin/iptables-restore - restores rules to current IPTables instance
/sbin/iptables-save - saves rules to STDOUT, or to a file
IPTables includes 3 default tables, which you cannot remove:
1. Filter (Default) - filters inbound/outbound traffic
2. NAT
3. Mangle
Note: Each table, by default, includes chains, which include Access Control Entries (ACEs)
Usage:
1. iptables -L
Note: The Filter table includes 3 chains:
1. INPUT - applies to traffic destined to a service that our system is bound to
2. FORWARD - applies to traffic being routed through the system
3. OUTPUT - applies to traffic sourced from our system, heading outbound
Tasks:
1. Filter inbound traffic to remote RH5 system to SSH
   a. iptables -A INPUT -p tcp --dport 22 -j ACCEPT
   b. iptables -A INPUT -j DROP
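Task 1 above appends an ACCEPT for TCP/22 and then an unconditional DROP to INPUT, and the note above says the rules must be saved to /etc/sysconfig/iptables to survive a restart. The script below is an added example, not code from the LinuxCBT notes: one function writes that rule set in the iptables-save format that iptables-restore reads, and another reads such a file and reports rules that can never match because they were appended after the chain's unconditional DROP (the usual mistake once the notes' task 1 has been run). The loopback and ESTABLISHED,RELATED rules are this example's additions, assumed available through the 'state' match on the RH5 kernel; the function names and the constructed listing are the example's own.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes. Two helpers for the filter-table rules the
# notes build with 'iptables -A INPUT ... -j ACCEPT' followed by 'iptables -A INPUT -j DROP':
#  - make_ruleset writes an /etc/sysconfig/iptables-style file (iptables-save format) that
#    iptables-restore can load, so the rules survive a restart;
#  - shadowed_rules reads such a file and reports any rule appended AFTER an unconditional
#    ACCEPT/DROP/REJECT in the same chain; such a rule can never match, so the notes' DROP
#    must stay last or every later 'iptables -A INPUT' is silently dead.
# The loopback and ESTABLISHED,RELATED rules are this example's additions (assumed to be
# available via the 'state' match on RH5's 2.6.18 kernel): without them, replies to the
# system's own outbound connections (DNS answers, yum downloads) would hit the final DROP.

# make_ruleset PORT...  ->  prints a complete filter table accepting the given TCP ports
make_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

# shadowed_rules  ->  reads iptables-save lines on stdin, prints rules that cannot match
shadowed_rules() {
    awk '
        $1 == "-A" {
            chain = $2
            if (chain in closed) { print; next }
            # a rule with no match criteria and a terminating target closes the chain
            if (NF == 4 && $3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
                closed[chain] = 1
        }
    '
}

# count_shadowed  ->  number of dead rules in the listing on stdin
count_shadowed() { shadowed_rules | wc -l | tr -d ' '; }

# Constructed listing: the notes' two INPUT rules, then a rule someone appended later
LATE_RULE_LISTING='-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT'

echo "--- generated ruleset (save as /etc/sysconfig/iptables) ---"
make_ruleset 22
echo "--- dead rules in the constructed listing ---"
printf '%s\n' "$LATE_RULE_LISTING" | shadowed_rules
```

To check a running firewall rather than a file, feed 'iptables-save' output into shadowed_rules; to load the generated file, use 'iptables-restore' as in task 5 of the notes.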

2. Filter outbound traffic to ANY remote SSH port
   a. iptables -A OUTPUT -p tcp --dport 22 -j DROP
3. Flush ALL rules from OUTPUT chain of the Filter table
   a. iptables -F OUTPUT
4. Save rules to file, then flush rules
   a. iptables-save > iptables.rules.1
5. Reinstate flushed rules
   a. iptables-restore iptables.rules.1

###IPv6 IPTables###
Features:
1. Firewall for IPv6
2. Maintains 3 default tables:
   a. Filter - matches IPTables(IPv4)
   b. Mangle - matches IPTables(IPv4)
   c. Raw
/etc/rc.d/init.d/ip6tables - run-script
/etc/sysconfig/ip6tables-config - system-wide config file
/sbin/ip6tables - primary tool for administering IP6Tables
/sbin/ip6tables-restore
/sbin/ip6tables-save
Usage:
1. ip6tables -L
Note: IPv6 firewall rules are administered independently of IPv4 rules
Tasks:
1. Filter inbound traffic to remote RH5 system to SSH
   a. ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
   b. ip6tables -A INPUT -j DROP
2. Filter outbound traffic to ANY remote SSH port
   a. ip6tables -A OUTPUT -p tcp --dport 22 -j DROP
3. Flush ALL rules from OUTPUT chain of the Filter table
   a. ip6tables -F OUTPUT
4. Save rules to file, then flush rules
   a. ip6tables-save > ip6tables.rules.1
5. Reinstate flushed rules
   a. ip6tables-restore ip6tables.rules.1

###NMap###
Features:
1. Port/Reconnaissance Scanner
2. Hosts & device detection
3. Service detection
4. OS Fingerprinting

5. Reporting
   a. normal output
   b. XML output
6. Multi-target scanning
Tasks:
1. Download and install the latest version of NMap
   a. wget http://download.insecure.org/nmap/dist/nmap-4.53-1.i386.rpm
   b. rpm -Uvh nmap-4.53-1.i386.rpm
   /usr/bin/nmap - primary binary
Note: Executing 'nmap' as non-privileged user, causes it to operate in TCP-Connect mode, instead of the stealthy TCP-SYN mode
   /usr/share/nmap - top-level container for key NMap files
   /usr/share/nmap/nmap-os-db - OS Fingerprinting DB
   /usr/share/nmap/nmap-mac-prefixes - Maps MAC prefixes to companies
   /usr/share/nmap/nmap-services - resolves service names to port numbers
Usage:
1. Scan the localhost for open ports
   a. nmap -v localhost
2. OS Fingerprinting scan
   a. nmap -v -O 192.168.75.199
3. Service detection scan - attempts to resolve services to names & versions
   a. nmap -v -sV 192.168.75.199
4. OS Fingerprinting & Service detection
   a. nmap -v -A 192.168.75.1
5. Reporting
   a. nmap -v -oN filename.txt 192.168.75.1 - normal output
   b. nmap -v -oX filename.xml 192.168.75.1 - XML output
6. Scan the entire network using '-A' and XML output
   a. nmap -v -A -oX scan.xml 192.168.75.0/24

###Nessus###
Features:
1. Vulnerability Scanner
2. Port Scanner
3. Host | Device detection
4. Can be used to scan NETBIOS (Windows|Samba) servers
5. Profiles (Scan Policies) for target scans, with specific exploits to query
6. Reporting
7. Client/Server enabled, multiple clients may use the central Nessus server
8. Client support for Windows, Linux, etc.
9. Runs as a service, awaiting inbound PenTest requests
10. Penetration testing tool
11. Nessus can be automated
12. Supports plug-ins for vulnerability signatures
13. Supports parallel scanning of targets
Tasks:
1. Download Nessus from nessus.org and install
2. Register nessus using 'nessus-fetch', with provided code
   a. /opt/nessus/bin/nessus-fetch --register A65E-5116-4D76-FCD5-FF2A
3. Install Nessus Client and Explore the interface
   a. rpm -Uvh NessusClient*
4. Perform a PenTest of the localhost
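The NMap usage above ends with '-oN' normal-output reports. What a defender does with such a report is compare the open ports against what the host is meant to expose; the script below is an added example, not code from the LinuxCBT notes or from the nmap project, that parses a normal-output report into open ports and lists those missing from an allow-list. The report is a constructed sample in nmap 4.x normal-output layout for the mail/proxy host the notes build (SSH, SMTP, HTTP, POP3, IMAP and Squid expected), not a real scan; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: turn 'nmap -oN' (normal) output into a list
# of open ports and diff it against what the host is supposed to expose. The report below
# is a constructed sample in nmap 4.x normal-output layout, not a real scan result.

SCAN_REPORT='# Nmap 4.53 scan initiated (constructed sample) as: nmap -v -oN scan.txt 192.168.75.199
Interesting ports on 192.168.75.199:
Not shown: 1707 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   open     smtp
80/tcp   open     http
110/tcp  open     pop3
111/tcp  filtered rpcbind
143/tcp  open     imap
3128/tcp open     squid-http
3306/tcp open     mysql
# Nmap done (constructed sample) -- 1 IP address (1 host up) scanned'

# open_ports  ->  reads a report on stdin, prints "PORT/PROTO SERVICE" for each open port
# (a "filtered" port is not counted as open, it only means something dropped the probe)
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# unexpected_ports "22/tcp 25/tcp ..."  ->  open ports on stdin that are not in the allow-list
unexpected_ports() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && !($1 in ok) { print $1, $3 }
    '
}

# The mail/proxy host in the notes is expected to expose SSH, SMTP, HTTP, POP3, IMAP and Squid
EXPECTED='22/tcp 25/tcp 80/tcp 110/tcp 143/tcp 3128/tcp'

echo "open ports:"
printf '%s\n' "$SCAN_REPORT" | open_ports
echo "open but not expected (candidates for an INPUT rule or a bind-address change):"
printf '%s\n' "$SCAN_REPORT" | unexpected_ports "$EXPECTED"
```

In the constructed report the one surprise is MySQL on 3306/tcp, which the earlier MySQL tasks install a remote client for: if remote access is not intended, the fix is an INPUT rule as in the IPTables tasks, or binding mysqld to localhost.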

5. Perform a PenTest of the local network
6. Evaluate results
Note: Nessus will auto-update its plug-ins after registration, every 12-hours

###Snort NIDS###
Features:
1. Network Intrusion Detection System (NIDS)
2. Packet Sniffer
3. Packet Logger - logs using TCPDump format
Requirements:
1. gcc - C compiler
2. make
3. libpcap* - provides the TCPDump packet capture library
4. libpcre - Provides access to Perl Compatible RegExes
5. mysql-devel* - provides access to MySQL
Tasks:
1. Download and install Snort NIDS
   a. snort.org
   b. Confirm MD5SUM: 'md5sum snort-2.8.0.2.tar.gz', compare to snort-2.8.0.2.tar.gz.md5
   c. Import GPG key used to sign the current release of Snort
   d. gpg --verify snort-2.8.0.2.tar.gz.sig snort-2.8.0.2.tar.gz
   e. Extract and install (compile) Snort NIDS
      e1. tar -xzvf snort-2.8.0.2.tar.gz - creates top-level directory
      e2. ./configure --with-mysql --enable-dynamicplugin - checks for prerequisites, including: mysql-devel, gcc, make, libpcre, etc.
      e3. make - creates binaries
      e4. su (as 'root') and execute 'make install' - places binaries in /usr/local/ accessible location
Usage - Packet Sniffer:
1. snort -v -i eth0 - reveals layers 3 & 4 of the OSI model
2. snort -vde -i eth0 - reveals layers 2-7
3. snort -vde -i eth0 tcp port 23
Usage - Packet Logger:
1. snort -v -i eth0 -l ./ tcp port 23
2. snort -b -i eth0 - attempts to log in: /var/log/snort
3. snort -b -L test.log -i eth0 - logs binary file with Unix Epoch suffix, creates: /var/log/snort/test.log.UnixEpochDate
Note: Snort drops fewer packets when run in binary logging mode than in verbose, dump-to-screen, mode

###Snort NIDS Setup###
1. Setup MySQL DB environment
   a. create database snort;
   b. grant create,insert,select on root.* to snort@localhost;
   c. grant create,insert,select,delete,update on snort.* to snort@localhost;
   d. grant create,insert,select,delete,update on snort.* to snort;
   e. set password for snort@localhost=password('abc123');
2. Import MySQL DB schema
   a. mysql -u root -p snort < /home/linuxcbt/temp/Snort/snort-2.8.0.2/schemas/create_mysql
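Task 1 above confirms the Snort download against the published .md5 file and then checks the GPG signature. The script below is an added example, not code from the LinuxCBT notes or from the Snort project, that does the MD5 step as a function rather than by eye: a .md5 file in md5sum format holds "<hex digest>  <filename>", and a download is accepted only when both the digest and the file name match. The tarball and the three .md5 files are constructed stand-ins (the "tarball" is just the bytes "hello\n"); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: the "confirm MD5SUM" step of the Snort
# download task as a function. A published .md5 file in md5sum format holds
# "<hex digest>  <filename>"; the download is accepted only when BOTH the digest and
# the file name match. The tarball and .md5 files below are constructed stand-ins.

# digest FILE  ->  prints the MD5 hex digest (md5sum on Linux, 'md5 -q' on BSD/macOS)
digest() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# verify_md5 FILE MD5FILE  ->  prints ok | digest-mismatch | name-mismatch; exit 0 only for ok
verify_md5() {
    file=$1; md5file=$2
    expected=$(awk 'NR == 1 { print $1 }' "$md5file")
    # md5sum writes "*name" when the digest was taken in binary mode; strip the marker
    listed=$(awk 'NR == 1 { sub(/^\*/, "", $2); print $2 }' "$md5file")
    if [ "$listed" != "$(basename "$file")" ]; then echo name-mismatch; return 1; fi
    if [ "$(digest "$file")" != "$expected" ]; then echo digest-mismatch; return 1; fi
    echo ok
}

WORK=$(mktemp -d)
TARBALL="$WORK/snort-2.8.0.2.tar.gz"          # constructed stand-in, not the real release
printf 'hello\n' > "$TARBALL"
# MD5 of the six bytes "hello\n" is b1946ac92492d2347c6235b4d2611184
printf '%s  %s\n' b1946ac92492d2347c6235b4d2611184 snort-2.8.0.2.tar.gz > "$TARBALL.md5"
printf '%s  %s\n' 00000000000000000000000000000000 snort-2.8.0.2.tar.gz > "$WORK/tampered.md5"
printf '%s  %s\n' b1946ac92492d2347c6235b4d2611184 snort-2.8.0.1.tar.gz > "$WORK/wrongname.md5"

for m in "$TARBALL.md5" "$WORK/tampered.md5" "$WORK/wrongname.md5"; do
    echo "$(basename "$m"): $(verify_md5 "$TARBALL" "$m")"
done
```

The checksum only shows that the bytes on disk are the bytes the site listed; anyone who can replace the tarball can usually replace the .md5 file next to it, and MD5 collisions are practical. The signature check in step d (gpg --verify with the Snort release key imported in step c) is the step that ties the file to its publisher.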

3. Setup Snort NIDS /etc/snort environment
   a. mkdir /etc/snort && cp -v /home/linuxcbt/temp/Snort/snort-2.8.0.2/etc/* /etc/snort
Note: Snort's primary configuration file for NIDS mode: /etc/snort/snort.conf
4. Download the latest Snort rules file and extract to: /etc/snort/rules
Note: Snort rules are available as follows:
   1. Subscriber: no delay - NOT FREE
   2. Registered users: with delay
   3. Unregistered users: release version (very old) of rules
   4. Various third-party sites:
      i. Bleeding Snort, etc.
   a. cd /etc/snort && tar -xzvf snortrules*
5. Configure: /etc/snort/snort.conf to use MySQL and rules
   a. Rules - path to the rules
   b. MySQL - output
6. Start Snort in NIDS mode
   a. snort -i eth0 -c /etc/snort/snort.conf -D
7. Setup BASE web analysis application
   a. Download BASE from http://base.secureideas.net
   b. wget http://easynews.dl.sourceforge.net/sourceforge/adodb/adodb480.tgz
Note: adodb480.tgz - provides DB-connectivity for BASE to MySQL
   c. tar -xzvf adodb480.tgz
   d. Configure: base_conf.php file
      d1. $BASE_urlpath = '/base';
      d2. $DBlib_path = "/var/www/html/adodb";
      d3. $DBtype = 'mysql';
      d4. $alert_dbname = 'snort';
      d5. $alert_host = 'localhost';
      d6. $alert_password = 'abc123';
Note: Ensure that your Apache instance has PHP support
Note: Ensure that 'php-mysql*' package is installed
8. Connect to BASE via web browser
Note: Consider protecting '/base' application using HTDIGEST or basic auth
