LinuxCBT EL-5 Edition Notes
Features:
1. 2.6x kernel (2.6.18)
a. 'uname -a' returns OS/Kernel information
Note: 'uname -a' returns the following useful info:
1. OS - Linux
2. Fully Qualified Domain Name (FQDN)
3. Kernel version - 2.6.18...
a. 2.6 = major version
b. .18 = minor version
c. anything else after the minor version indicates that the kernel was patched by
the distributor
4. Date and time that the kernel was compiled
b. Advanced Platform
b1. supports unlimited physical CPUs
b2. supports unlimited virtual guests
###Kickstart Configurator###
Features:
1. Hands-free, automated installation
2. Scripted installation
3. Script can be used on multiple systems
###FTP INSTALLATION###
Steps:
1. Create FTP user account on FTP server
a. 'useradd -s /bin/false -d /srv/wwwlinuxcbt.com linuxinstall'
b. 'passwd linuxinstall'
2. Confirm FTP connectivity as the user 'linuxinstall'
11. Arrow keys (up and down) navigates through your command history
12. BASH supports tab completion:
a. type unique characters in the command and press 'Tab' key
13. You can copy and paste in GNOME terminal windows using:
a. left button to block
b. right button to paste OR Ctrl-Shift-v to paste
14. ls - lists files and directories
a. ls / - lists the contents of the '/' mount point
b. ls -l - lists the contents of a directory in long format:
Includes: permissions, links, ownership, size, date, name
c. ls -ld /etc - lists properties of the directory '/etc', NOT the contents of
'/etc'
d. ls -ltr - sorts chronologically from older to newer (bottom)
e. ls --help - returns possible usage information
f. ls -a - reveals hidden files. e.g. '.bash_history'
Note: files/directories prefixed with '.' are hidden. e.g. '.bash_history'
b. cp -v 456.txt testRH5/
Pipes '|':
Features: Connects the output stream of one command to the input stream of a
subsequent command
###Command Chaining###
Features:
1. Permits the execution of multiple commands in sequence
2. Also permits execution based on the success or failure of a previous command
1. cat 123.txt ; ls -l - runs the first command, then the second, without regard
for the exit status of the first command
2. cat 123.txt && ls -l - runs the second command only if the first command succeeds
(exit status 0)
3. cat 1234.txt && ls -l - 'ls -l' is NOT run if '1234.txt' does not exist
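Added example (not part of the LinuxCBT notes): the three chaining operators run against stand-in commands built from 'true'/'false', so the effect of the first command's exit status can be seen without any real files. The step names and the backup pipeline are constructed for illustration.

```shell
#!/bin/sh
# step_ok / step_fail: constructed stand-ins that report that they ran and
# then exit 0 or 1, standing in for 'cat 123.txt' and 'cat 1234.txt'.
step_ok()   { echo "ran:$1"; return 0; }
step_fail() { echo "ran:$1"; return 1; }

# ';' runs the second command regardless of the first command's exit status.
chain_semicolon() {
    step_fail first ; step_ok second
}

# '&&' runs the second command only if the first one exits 0.
chain_and() {
    step_fail first && step_ok second
    :   # keep the function's own exit status at 0 for the demo
}

# '||' runs the second command only if the first one fails (non-zero).
chain_or() {
    step_ok first || step_ok fallback
}

# Practical shape: stop a sequence of steps at the first failure and say why.
# Each step is a constructed stand-in; replace with real commands (tar, gzip, scp).
backup_pipeline() {
    step_ok "archive" && step_fail "verify" && step_ok "upload" \
        || echo "aborted after failure; exit status $?"
}
```

Running backup_pipeline prints that 'archive' and 'verify' ran, then the abort line with exit status 1; 'upload' never runs because '&&' stops at the failed 'verify'.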
Gzip:
Includes:
1. gzip - compresses/decompresses files
2. gunzip - decompresses gzip files
Tasks:
1. compress '1million.txt' file using gzip
a. gzip -c 1million.txt > 1million.txt.gz
Bzip2:
Note: Anchors are RegEx characters (meta-characters). They're used to match at the
beginning and end of lines
8. rpm -qa | grep grep - searches the package database for programs named 'grep'
9. rpm -qa | grep -i xorg | wc -l - returns the number of packages with 'xorg' in
their names
Note: Most, if not all, Linux programs log linearly, which means one line after
another, from the earliest to the current
###Awk###
Features:
1. Field/Column processor
2. Supports egrep-compatible (POSIX) RegExes
3. Can return full lines like grep
4. Awk runs 3 steps:
a. BEGIN - optional
b. Body, where the main action(s) take place
c. END - optional
5. Multiple body actions can be executed by separating them using semicolons. e.g.
'{ print $1; print $2 }'
6. Awk, auto-loops through input stream, regardless of the source of the stream.
e.g. STDIN, Pipe, File
Usage:
1. awk '/optional_match/ { action }' file_name | Pipe
2. awk '{ print $1 }' grep1.txt
Note: Use single quotes with awk, to avoid shell interpolation of awk's variables
4. awk '/linux/ { print } ' grep1.txt - this will print ALL lines containing
'linux'
6. awk '{ if ($2 ~ /8/) print }' /var/log/messages - this will print the entire
line for log items for the 8th (a regex match: /8/ also matches the 18th and 28th;
use '$2 == 8' to match the 8th only)
7. awk '{ print $3 }' /var/log/messages | awk -F: '{ print $1}'
Usage:
1. sed [options] 'instruction[s]' file[s]
2. sed -n '1p' grep1.txt - prints the first line of the file
3. sed -n '1,5p' grep1.txt - prints the first 5 lines of the file
4. sed -n '$p' grep1.txt - prints the last line of the file
5. sed -n '1,3!p' grep1.txt - prints ALL but lines 1-3
6. sed -n '/linux/p' grep1.txt - prints lines with 'linux'
7. sed -e '/^$/d' grep1.txt - deletes blank lines from the document
8. sed -e '/^$/d' grep1.txt > sed1.txt - deletes blank lines from the document
'grep1.txt' and creates 'sed1.txt'
Note: Generally, to create new files, use output redirection, instead of allowing
sed to write to STDOUT
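Added example (not part of the LinuxCBT notes): the awk and sed idioms from the two sections above, run over a small constructed sample in the /var/log/messages format rather than the real log. The log lines, host name 'linuxcbtserv4' and addresses are made up for the example; the functions wrap the exact awk and sed invocations the notes list.

```shell
#!/bin/sh
# Write the constructed sample log to a temp file and print its path.
# Line 3 is deliberately blank so the sed '/^$/d' idiom has something to delete.
make_sample_log() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
Jan  8 10:15:01 linuxcbtserv4 sshd[2201]: Accepted password for linuxcbt from 192.168.75.10 port 51022 ssh2
Jan  8 10:15:09 linuxcbtserv4 sshd[2203]: Failed password for invalid user admin from 192.168.75.88 port 40210 ssh2

Jan  9 02:30:44 linuxcbtserv4 crond[118]: (root) CMD (run-parts /etc/cron.daily)
Jan  9 10:31:00 linuxcbtserv4 sshd[2310]: Failed password for root from 192.168.75.88 port 40555 ssh2
Jan 18 11:02:13 linuxcbtserv4 sshd[2399]: Accepted publickey for linuxcbt from 192.168.75.10 port 51210 ssh2
EOF
    echo "$f"
}

# The literal idiom from the notes ('$2 ~ /8/'): a regex match on the day field,
# which also matches day 18 (and 28).
lines_with_day_like() { awk -v d="$2" '$2 ~ d { print }' "$1"; }

# Lines for exactly one day: compare the field instead of regex-matching it.
lines_for_day() { awk -v d="$2" '$2 == d { print }' "$1"; }

# Hour histogram: $3 is HH:MM:SS; the second awk splits it on ':' as in the notes.
# 'NF' skips blank lines so they do not produce an empty hour bucket.
hour_counts() {
    awk 'NF { print $3 }' "$1" \
        | awk -F: '{ count[$1]++ } END { for (h in count) print h, count[h] }' \
        | sort
}

# Failed-password attempts per source address: column processing, the point of awk.
failed_by_source() {
    awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") src[$(i+1)]++ }
         END { for (s in src) print s, src[s] }' "$1" | sort
}

# sed idioms from the notes: first line, last line, all but lines 1-3, drop blank lines.
first_line()     { sed -n '1p' "$1"; }
last_line()      { sed -n '$p' "$1"; }
without_1_to_3() { sed -n '1,3!p' "$1"; }
drop_blank()     { sed -e '/^$/d' "$1"; }
```

With the sample above, lines_with_day_like on 8 returns three lines (two for the 8th plus the one for the 18th), lines_for_day on 8 returns two, and failed_by_source reports two failures from 192.168.75.88.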
###Perl###
Features:
1. Parses text
2. Executes programs
3. CGI - Web forms, etc.
4. Supports RegExes (Perl and POSIX)
5. etc.
Task:
1. Print 'Hello World' to STDOUT
a. perl -c helloworld.pl - checks the syntax of the script
b. perl helloworld.pl - executes the script
c. chmod +x helloworld.pl && ./helloworld.pl
###System Utilities###
Features:
1. Process listing
2. Free/available memory
3. Disk utilization
1. ps - process status/listing
a. ps -ef or ps -aux
6. vmstat - reports on: processes, memory, paging, block I/O, traps, CPU activity
a. vmstat
b. vmstat -p /dev/hda1 - returns partitions stats for /dev/hda1 (/boot)
###User/Group Management###
Features:
1. The ability to control users and groups
Primary tools:
1. useradd - used to add users and modify group membership
2. system-config-users
Task:
1. Create a user named 'student1' using 'useradd'
Note: Default user settings derive from: /etc/login.defs
a. useradd student1
b. set password for user 'student1': passwd student1
Fields in /etc/passwd:
username:x(shadow_reference):uid:gid:Description(GECOS):$HOME:$SHELL
Note: /etc/passwd is a world-readable file
Note: /etc/shadow now stores passwords in encrypted form
Note: /etc/shadow is NOT world-readable
Fields in /etc/shadow:
student1:$1$XSFMv2ru$lfTACjN.XxaxbHA0EkB4U0:13891:0:99999:7:::
1. username:
2. encrypted_password:
3. Days_since_Unix_epoch_password_was_changed (01/01/1970)
4. Days before password may be changed
5. Days after which the password MUST be changed
6. Days before password is to expire that user is warned
7. Days after password expires, that account is disabled
8. Days since Unix epoch, that account is disabled
9. Reserved field (currently unused)
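Added example (not part of the LinuxCBT notes): parse the /etc/passwd and /etc/shadow record layouts above with ':' as the field separator and run the checks a reviewer of /etc/shadow makes (hash scheme, empty password, no expiry). The shadow record is the one shown in the notes; the passwd record and the 'sysacct' record are constructed. Nothing reads the real files.

```shell
#!/bin/sh
# Constructed /etc/passwd record (single quotes: nothing for the shell to expand).
PASSWD_LINE='student1:x:501:501:Student One:/home/student1:/bin/bash'
# /etc/shadow record as shown in the notes.
SHADOW_LINE='student1:$1$XSFMv2ru$lfTACjN.XxaxbHA0EkB4U0:13891:0:99999:7:::'

# field LINE N: colon-separated field N of a record.
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# shadow_hash_algo LINE: name the crypt(3) scheme from the prefix of field 2.
shadow_hash_algo() {
    h=$(field "$1" 2)
    case "$h" in
        '$1$'*)   echo md5 ;;
        '$5$'*)   echo sha256 ;;
        '$6$'*)   echo sha512 ;;
        '!'*|'*') echo locked ;;   # '!' or '*' here: password login disabled
        '')       echo empty ;;    # empty field: login with no password at all
        *)        echo other ;;
    esac
}

# shadow_salt LINE: the salt sits between the 2nd and 3rd '$' of an MD5/SHA hash.
shadow_salt() { field "$1" 2 | cut -d'$' -f3; }

# password_never_expires LINE: field 5 of 99999 means no forced password change.
password_never_expires() { [ "$(field "$1" 5)" = 99999 ]; }

# shadow_findings LINE: one-line audit verdict for the record.
shadow_findings() {
    user=$(field "$1" 1); algo=$(shadow_hash_algo "$1")
    findings=""
    [ "$algo" = md5 ]   && findings="$findings md5-hash"
    [ "$algo" = empty ] && findings="$findings empty-password"
    password_never_expires "$1" && findings="$findings never-expires"
    echo "$user:${findings:- ok}"
}

# passwd_uid LINE / passwd_shell LINE: the 3rd and 7th /etc/passwd fields.
passwd_uid()   { field "$1" 3; }
passwd_shell() { field "$1" 7; }
```

For the notes' record the verdict is "student1: md5-hash never-expires": the '$1$' prefix marks an MD5-crypt hash, and 99999 in field 5 means the password is never forced to change.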
Groups:
1. groupadd - adds new group
2. groups - lists groups on the system: /etc/group
/etc/group - maintains group membership information
Task: Create a 'sales' group and add 'linuxcbt' and 'student1' as members
1. groupadd sales
2. usermod -G sales linuxcbt
3. usermod -G sales student1
Note: use 'ls -l' to examine permissions or GUI application like 'Nautilus'
-rwxrwxr-x 1 linuxcbt linuxcbt 681 Jan 13 11:31 regextest.pl
Task:
1. Manipulate file permissions using 'chmod'
a. chmod -x regextest.pl
chmod u+x file / chmod u-x file - adds/removes the owner's execute permission
chmod o+x file / chmod o-x file - adds/removes others' execute permission
chmod g+x file / chmod g-x file - adds/removes the group's execute permission
Task:
Update 'regextest.pl' so that owner and group owner may modify the file
SETUID:
Features:
1. ability to execute file as owner
chmod 4760 regextest.pl - this is intended to make the perl script always execute as
the user 'linuxcbt'
-rwsrw---- 1 linuxcbt sales 787 Jan 13 16:08 regextest.pl
's' in the owner's execute position means that the program will execute as that user
Note: The Linux kernel ignores the setuid bit on interpreted ('#!') scripts such as
this Perl file; it takes effect only on binary executables. Audit setuid binaries
with 'find / -perm -4000 -type f'
SETGID:
Features:
1. Ability to enforce permissions to a directory structure
mkdir /sales
chmod 2775 /sales
chgrp:
Permits updating of group permissions
Sticky Bit:
Features:
1. Ability to ensure that users cannot delete others' files in a directory
chmod 3777 /sales - ensures that /sales will not lose files from incorrect users
Task:
1. Set '/sales' using sticky bit and test
a. chmod 3777 /sales && ls -ld /sales OR chmod 777 /sales && chmod +t /sales
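Added example (not part of the LinuxCBT notes): the setuid, setgid and sticky settings from the three sections above applied to files created in a temporary directory, read back from the permission string of 'ls -ld', plus the 'find -perm' audit a reviewer runs after any chmod 4xxx. The paths are constructed; the page's /sales is not touched.

```shell
#!/bin/sh
# mode_string PATH: the 10-character permission field of 'ls -ld' (e.g. -rwsrw----).
mode_string() { ls -ld "$1" | cut -c1-10; }

# has_setuid / has_setgid / has_sticky PATH: 's'/'S' in position 4 or 7,
# 't'/'T' in position 10 (uppercase means the bit is set without execute).
has_setuid() { case "$(mode_string "$1")" in ???[sS]*)       return 0 ;; *) return 1 ;; esac; }
has_setgid() { case "$(mode_string "$1")" in ??????[sS]*)    return 0 ;; *) return 1 ;; esac; }
has_sticky() { case "$(mode_string "$1")" in ?????????[tT])  return 0 ;; *) return 1 ;; esac; }

# list_setuid DIR: every setuid regular file under DIR. '-perm -4000' (POSIX)
# matches when the setuid bit is set, whatever the other bits are.
list_setuid() { find "$1" -type f -perm -4000 | sort; }

# demo_setup: build the scenario from the notes in a temp directory
# (script with 4760, group directory with 2775, shared directory with 3777)
# and print the directory so callers can inspect it.
demo_setup() {
    d=$(mktemp -d) || return 1
    : > "$d/regextest.pl"; chmod 4760 "$d/regextest.pl"   # -rwsrw----
    : > "$d/plain.txt";    chmod 0644 "$d/plain.txt"      # -rw-r--r--
    mkdir "$d/sales";      chmod 2775 "$d/sales"          # drwxrwsr-x
    mkdir "$d/shared";     chmod 3777 "$d/shared"         # drwxrwsrwt
    echo "$d"
}
```

list_setuid on the demo directory returns only regextest.pl; the 2775 and 3777 directories carry setgid and sticky bits but no setuid, which is what the audit should confirm.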
###Symlinks###
Features:
1. Provides shortcuts to files (including directories)
2. Provides hard links to inode (file system) locations
Soft Links:
1. ln -s source_file target
a. ln -s ./regextest.pl lastscript.pl
Note: Soft links may span multiple file systems/hard drives
Note: The inode's link count is NOT increased when using soft links
Note: With soft links, if you change the name or location of the source file, you
will break ALL of the soft links that point to it
Hard Links:
Features:
1. The ability to reference the same inode/hard drive location from multiple
places within the same file system
a. ln source target
ln regextest.pl ./testhardregextest.pl - creates a hard link
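Added example (not part of the LinuxCBT notes): a soft link and a hard link to the same file, created in a temporary directory, with the inode link count read from field 2 of 'ls -l'; renaming the source then shows which link survives. File names are constructed to match the notes.

```shell
#!/bin/sh
# link_count PATH: field 2 of 'ls -l', the number of names the inode has.
link_count() { ls -l "$1" | awk '{ print $2 }'; }

# is_dangling PATH: a symlink (-L) whose target no longer resolves (-e fails).
is_dangling() { [ -L "$1" ] && [ ! -e "$1" ]; }

# links_demo: create the source file, a soft link and a hard link; print the dir.
links_demo() {
    d=$(mktemp -d) || return 1
    printf 'print "hi";\n' > "$d/regextest.pl"
    ln -s "$d/regextest.pl" "$d/lastscript.pl"      # soft link: count stays 1
    ln "$d/regextest.pl" "$d/testhardregextest.pl"  # hard link: count becomes 2
    echo "$d"
}

# rename_source DIR: renaming the source breaks the soft link (it holds the old
# path) but not the hard link (it holds the inode); the count stays 2.
rename_source() { mv "$1/regextest.pl" "$1/renamed.pl"; }

# remove_renamed DIR: removing the last other name drops the count to 1; the
# content is still reachable through the hard link.
remove_renamed() { rm "$1/renamed.pl"; }
```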
###Quotas###
Features:
1. Limits disk usage (blocks or inodes)
2. Tied to file systems (set on a per file system basis)
3. Can be configured for users and groups
6. Report on usage
a. repquota -a - this reports on usage
Note: The blocks are measured in 1K increments. i.e. 20000 blocks is roughly 20MB
Steps:
1. Identify available storage
a. 'fdisk -l' - returns connected storage
Steps:
1. Identify current swap space
a. swapon -s - enumerates partitions and/or files, which constitute swap storage
b. free -m
5. update /etc/fstab
a. /dev/sdb2 swap swap defaults 0 0
Task:
1. Improve system performance by distributing swapping to /dev/sdb2
a. swapon /dev/sdb2
b. swapoff /dev/sda6
c. disable /dev/sda6 via /etc/fstab
Task:
1. Create 512MB swap file
a. dd if=/dev/zero of=/home1/swapfile1 bs=1024 count=524288
b. mkswap /home1/swapfile1 - overlays swap file system
c. swapon /home1/swapfile1 - makes the swap space available to the kernel
2. Ensure that when the system reboots, the swap file is made available to the
kernel
a. nano /etc/fstab - /home1/swapfile1 swap swap defaults 0 0
Note: Volume groups join: physical volumes (PVs) and Logical Volumes (LVs)
Note: Be certain to update: /etc/fstab so that volumes are mounted when the system
reboots
Note: You may resize file systems online if the following are met:
1. 2.6x kernel series
2. MUST be formatted with ext3
Note: Check disk utilization prior to shrinking to reduce the risk of losing data
###RAID###
Features:
1. The ability to increase availability and reliability of data
Tasks:
1. Create a RAID-1 Device (/dev/md0..n)
a. fdisk /dev/sdb - to create usable raw partitions
b. partprobe /dev/sdb - to force a kernel update of the partition layout of the
disk: /dev/sdb
c. mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdb5 /dev/sdb6
d. cat /proc/mdstat - lists active RAID (md) information
e. mke2fs -j /dev/md0 - overlays a file system on the RAID device
f. mount /dev/md0 /raid1
g. update: /etc/fstab
Note: Both members here are partitions of the same disk (/dev/sdb), which exercises
the tooling but gives no protection if that disk fails; use partitions on separate
disks for real redundancy
Note: use 'mdadm --query /dev/md0' to get information about a RAID device
'rpm'
Query:
1. rpm -qa - dumps all installed packages
2. rpm -qa | wc -l - this dumps all packages and provides a count
3. rpm -qa | grep -i nano
4. rpm -qi nano - dumps info. about the 'nano' package as it's recorded in the
local RPM database
5. rpm -qf /usr/bin/nano - dumps package membership info. for the 'nano' file
6. rpm -qpi http://192.168.75.100/RH5/i386/Server/dhcp-3.0.5-7.el5.i386.rpm -
dumps info. about the uninstalled 'dhcp' package, which resides on the repository
7. rpm -ql package_name - returns all included files
Verify:
1. rpm -Va - verifies ALL packages on the system, returning info. only if there
are discrepancies from the original installation
SM5....T /usr/bin/nano - sample output: each letter marks an attribute that differs
from the RPM database (S size, M mode, 5 MD5 digest, T mtime); '.' means unchanged
Removal:
1. rpm -ev package_name - removes a package ('rpm -e' takes the installed package
name, not a .rpm file)
Note: the removal process considers dependencies and will complain if the removal will
break 1 or more packages. To get around this, use the '--nodeps' option: 'rpm -ev
--nodeps package_name'
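Added example (not part of the LinuxCBT notes): decode the attribute column that 'rpm -V' prints, as in the 'SM5....T /usr/bin/nano' line above, and triage a few lines of output. The input lines are constructed; nothing runs rpm. Keep in mind that 'rpm -V' compares files against the local RPM database, so it is only as trustworthy as that database and the rpm binary itself.

```shell
#!/bin/sh
# flag_name C: meaning of one position in the rpm -V flag field ('.' = passed).
# RH5-era rpm prints eight positions (SM5DLUGT); newer rpm adds P (capabilities).
flag_name() {
    case "$1" in
        S) echo size ;;    M) echo mode ;;     5) echo md5 ;;     D) echo device ;;
        L) echo symlink ;; U) echo user ;;     G) echo group ;;   T) echo mtime ;;
        P) echo caps ;;    *) echo "?$1" ;;
    esac
}

# decode_flags FLAGS: "SM5....T" -> "size mode md5 mtime"
decode_flags() {
    flags=$1; out=""
    while [ -n "$flags" ]; do
        c=${flags%"${flags#?}"}; flags=${flags#?}      # peel off the first character
        [ "$c" = . ] || out="$out $(flag_name "$c")"
    done
    echo "${out# }"
}

# triage_verify_output: read 'rpm -Va' lines on stdin, one verdict per line.
# A 'c' before the path marks a config file, where local edits are expected;
# a changed digest on anything else, or a missing file, is worth investigating.
triage_verify_output() {
    while read -r flags rest; do
        [ -n "$flags" ] || continue
        ftype=file; path=$rest
        case "$rest" in c\ *) ftype=config; path=${rest#c } ;; esac
        if [ "$flags" = missing ]; then
            echo "INVESTIGATE $path: file missing"
        elif [ "$ftype" = config ]; then
            echo "ok $path: config changed ($(decode_flags "$flags"))"
        else
            case "$flags" in
                *5*) echo "INVESTIGATE $path: content changed ($(decode_flags "$flags"))" ;;
                *)   echo "note $path: metadata only ($(decode_flags "$flags"))" ;;
            esac
        fi
    done
}
```

Feed 'rpm -Va' output through triage_verify_output to get one line per reported file; the sample line from the notes decodes to "size mode md5 mtime", meaning the nano binary's content is not what the package shipped.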
###YUM Configuration###
Features:
1. The ability to centralize packages (updates)
Note: Ensure that about 3GB is available for the yum repository
Yum Usage:
1. Search for packages
a. 'yum search gftp'
3. Remove Package
a. 'yum -y remove gftp'
###Cron - Scheduler###
Features:
1. Scheduler
2. Rules (Cron entries) are based on times:
a. minute (0-59)
b. hour (0-23)
c. day of the month (1-31)
d. month (1-12)
e. day of the week (Sun,Mon,Tue, etc. OR 0-7)
f. command to execute (shell, perl, php, etc.)
3. Wakes up every minute in search of programs to execute
4. Reads cron entries from multiple files
5. Maintains per-user and system-wide (/etc/crontab) schedules
/etc:
cron.d/
cron.deny - denies cron execution by user
cron.monthly/ - runs jobs monthly
cron.weekly/ - runs jobs weekly
cron.daily/ - runs jobs daily
cron.hourly/ - runs jobs hourly
crontab - contains system-wide schedules
Note: '*' wildcard in a time column means to run for all values
Per-user Crontabs:
Stored in: /var/spool/cron
Task:
1. Create a cron entry for the user 'student1'
a. su student1
b. crontab -e
c. create an entry, minus the name of the user
System-wide Crontab:
Stored in: /etc/crontab
Task:
1. Create a cron entry in: /etc/crontab
###SysLogD###
Features:
1. Handles logging
2. Unix Domain Sockets (/dev/log)
3. Internet Sockets (UDP:514)
4. Ability to log to local and remote targets
2. Targets
a. file - /var/log/messages
b. tty - /dev/console
c. remote hosts - @IP_ADDR_of_REMOTE_HOST
Task:
1. Enable UDP logging for remote Cisco gateway (192.168.75.1)
a. netstat -nul | grep 514 - reveals UDP:514 listener
b. nano /etc/sysconfig/syslog
b1. 'SYSLOGD_OPTIONS="-r"'
c. restart syslog and confirm UDP:514 listener
c1. confirm using 'netstat -nul | grep 514'
d. Configure the router using facility 'local0' and level 'info'
e. configure /etc/syslog.conf to accept 'local0.info'
f. restart or reload 'syslog'
Note: With '-r', syslogd accepts messages from ANY host that can reach UDP:514 and
performs no authentication; restrict the senders with a host firewall rule (e.g. allow
UDP:514 only from 192.168.75.1)
###Log Rotation###
Features:
1. Rotation of logs based on criteria
a. size
b. age (daily, weekly, monthly)
2. Compression
3. Maintain logs for a defined period
/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
    endscript
}
PING:
Features:
1. ability to communicate with hosts using ICMP
a. PING sends ICMP echo-requests
b. PING expects to receive ICMP echo-replies
3. ping -c 3 192.168.75.199
4. ping -c 3 -i 3 192.168.75.199 - delays PINGs to 3 seconds apart
TELNET:
Features:
1. Great for basic TCP port diagnosis
Task:
1. Connect to TCP ports on various hosts
a. telnet 192.168.75.100 22
b. telnet www.linuxcbt.com 80
NETSTAT:
Features:
1. Provides network connection information from /proc/net/*
Task:
1. Return useful information for various protocols
a. netstat
b. netstat -a - returns all protocols/sockets
c. netstat -ntlp - returns all TCP LISTENERS without name resolution
d. netstat -nulp - returns all UDP LISTENERS without name resolution
ARP:
Features:
1. Resolves layer-3 (OSI model) IP addresses to layer-2 MAC addresses
Task:
1. Examine MAC addresses using: ifconfig and arp
a. ifconfig - returns our local MAC addresses
Link encap:Ethernet HWaddr 00:02:B3:98:41:08
b. arp -a - returns MAC to IP mappings
Note: When 2 TCP/IP hosts communicate, ARP is performed to translate the IP address
(v6/v4) to a MAC address.
Note: If one or more routers separate the communicating hosts, then the MAC
address of the default router's (gateway's) interface is stored by each client
Network Support:
1. Boot system into a multi-user mode
2. /etc/modprobe.conf - contains alias and reference to module(s) to be loaded in
order to provide networking
3. Linux decides if the interface is DHCP or static by viewing the contents of:
a. /etc/sysconfig/network - networking=yes|no, IPv6_Support, Default Gateway,
etc.
b. /etc/sysconfig/network-scripts/ifcfg-eth0 - contains ifup, ifdown, and ifcfg-
* scripts
c. /etc/init.d/network - main service
Note: Either update your net configuration manually from the shell, or using the
'system-config-network*' tools to avoid losing settings
IPv4 Aliases:
1. ifconfig eth0:1 192.168.75.11
2. ifconfig eth0:2 10.168.76.11
IPv6 Config:
Features:
1. Auto-configured by default gateway (router)
2. fe80:: - link-local address (loopback/local subnet address)
3. 2002:: - 6to4 address, that can be configured based on IPv4 embedded address,
using HEX notation
###Kernel Upgrade###
Features:
1. Provision of updated/patched kernel
Task:
1. Update the kernel
a. use 'uname -a' to reveal current version
b. use 'rpm -qa | grep -i kernel' - to reveal installed version
c. cat /etc/grub.conf (a symlink to /boot/grub/grub.conf) - also reveals the installed
kernel versions
Install:
a. rpm -ivh kernel-2.6.18-53.el5.i686.rpm
Note: This will update GRUB (/boot/grub/grub.conf)
Note: Will also place the new kernel in the /boot file system
/usr/sbin/ntsysv:
Usage:
1. ntsysv - manages services in the current run-level
2. ntsysv 35 - manages services for run-levels 3 & 5
Chkconfig Usage:
1. chkconfig --list ntpd - returns run-level environment for 'ntpd'
Note: items listed as 'off' have K (kill) scripts
Note: items listed as 'on' have S (start) scripts
Note: When controlling services using 'chkconfig', reference the name of the
service as it's specified in: /etc/init.d
NTP Strata:
Features:
1. The ability to denote clock accuracy based on stratum
2. With Stratum level 1 being the most accurate, as an NTP server at this level is
connected to an external time service (GPS, Radio, etc.)
Task:
1. Synch against internal NTP server
a. /etc/ntp.conf
a1. server 192.168.75.100
b. service ntpd start - this starts the 'ntpd' service
c. chkconfig ntpd on
d. ntpq -np - this queries the running 'ntpd' server
Note: NTP synchronization is hierarchical. Thus, if we synch against a stratum 3
clock, we become a stratum 4 clock
Note: Ideally, you should supply your: /etc/ntp.conf file with at least 3 clocks
for:
1. Accuracy
2. Redundancy
Tasks:
1. Install TFTP client
a. yum -y install tftp
2. Install TFTP server
a. yum -y install tftp-server
Note: this also installs the 'xinetd' dependency
Tasks:
1. Install 'vsftpd'
a. yum -y install vsftpd
###LFTP###
Features:
1. Sophisticated FTP client
2. Provides connectivity:
a. FTP
b. HTTP/HTTPS
c. SFTP(SSHv2)
3. Interactive and non-interactive client
4. Supports scripting
5. Reads system-wide (/etc/lftp.conf) and per-user config files (~/.lftprc)
6. Behaves like the BASH shell
a. Command history
b. Permits execution of background jobs. Use CTRL-Z to background.
c. Tab completion
7. Supports mirroring (forward and reverse) of content
8. Supports FTP retransmit/reconnect from where you left off
9. Supports bookmarks of sites
10. Supports escape to shell using '!command' e.g. '!bash'
11. Supports the execution of BASH programs '!command' e.g. '!ps -ef'
Usage:
1. lftp - enters interactive mode
a. 'set -a' - reveals all variables
2. lftp linuxcbt@192.168.75.199
###Telnet Server###
Features:
1. Shell interface on remote system
2. Binds to TCP:23
Caveat:
1. Clear-text based application (credentials are transmitted in the clear)
2. By default, 'root' is NOT permitted access via telnet-server - /etc/securetty
Requirements:
1. xinetd - installed automatically via yum
Tasks:
1. Connect to both systems from either system using 'telnet' client
a. telnet 192.168.75.199 - This will allocate a free pseudo-terminal, if the user
authenticates successfully
Note: By default, telnet-server reads and displays the contents of: /etc/issue
Tasks:
1. Install DHCP server
a. yum -y install dhcp
###BIND DNS###
Features:
1. Name-to-IP address mapping
2. Name resolution for DNS clients
3. Caching-only server (Default)
4. Primary DNS server
5. Slave server
6. Replication of DNS database information between servers
7. Dynamic DNS updates
8. Provides numerous client tools: nslookup, dig, host
Tasks:
1. Installation of BIND on the remote system: linuxcbtserv4
a. yum -y install bind
Note: The server has cached: www.linuxcbt.com, evidenced by the decrementing TTL
values for the various records associated with the zone
Note: /etc/resolv.conf controls the DNS servers that are consulted by lookup tools
such as: Web browser, GFTP, LFTP, nslookup, dig, host, etc.
Note: DNS is organized into an inverted tree, with '.' representing the root of the
DNS tree. e.g.
dig mail1.linuxgenius.com.
- . = root
- .com = top level
- .linuxgenius = second level
-mail = third level
Note: A trailing '.' in a DNS query is implied, and may optionally be indicated if
desired in any standard Internet application (web browser, FTP client, wget,
nslookup, dig, host, etc.)
Tasks:
1. Create internal zone named 'linuxcbt.internal'
a. modify /etc/named.conf to include the new zone
zone "linuxcbt.internal" {
    type master;
    #allow-update { key ddns_key; };
    file "linuxcbt.internal.db";
};
Reverse Zones:
Features:
1. The ability to resolve a name, given an IPv4 or IPv6 address
Tasks:
1. Define an IPv4 reverse zone for the local subnet:
a. Define zone name: '75.168.192.in-addr.arpa' - /etc/named.conf
b. Update: /etc/named.conf
c. Create zone file in: /var/named
d. Update configuration
e. Restart named
f. test using 'dig -x 192.168.75.1'
Note: Reverse zones are built from the prefix in IPv4 subnets
Note: IPv6 reverse zone names are in nibble format, with ALL zeros expanded for the
network prefix portion of the address, which is usually 64-bits in length
2. /var/named/zone_file
a. Include entries using the last 64-bits or IPv6 host part
d.a.a.4.b.1.e.f.f.f.e.5.a.0.2.0 IN PTR linuxcbtmedia1.linuxcbt.internal.
Note: When creating reverse IPv6 entries for hosts, do the following:
a. reverse the 64-bit portion of the address that corresponds to the host,
expanding all zeros
b. Create PTR record based on the reverse, nibble-format of the address
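Added example (not part of the LinuxCBT notes): build the reverse-zone owner names the two sections above describe: octet-reversed 'in-addr.arpa' names for IPv4, and nibble-reversed 'ip6.arpa' names for IPv6 with every group expanded to four hex digits and '::' filled with zeros. The addresses are constructed (2001:db8::/32 is the documentation prefix); the host part 20a:5eff:fe1b:4aad is chosen so the result matches the 'd.a.a.4...' record in the notes.

```shell
#!/bin/sh
# ipv4_ptr_name A.B.C.D -> D.C.B.A.in-addr.arpa
ipv4_ptr_name() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 { print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# ipv6_expand ADDR -> the 32 lowercase hex nibbles of the address (no colons),
# or nothing if the address is malformed.
ipv6_expand() {
    printf '%s\n' "$1" | awk '{
        n = split($0, side, "::")              # side[1] left of ::, side[2] right of it
        if (n > 2) exit                        # more than one :: is invalid
        lc = (side[1] == "") ? 0 : split(side[1], l, ":")
        rc = (n == 2 && side[2] != "") ? split(side[2], r, ":") : 0
        if (lc + rc > 8 || (n == 1 && lc != 8)) exit
        out = ""
        for (i = 1; i <= lc; i++) out = out pad(l[i])
        for (i = 1; i <= 8 - lc - rc; i++) out = out "0000"   # zeros hidden by ::
        for (i = 1; i <= rc; i++) out = out pad(r[i])
        print tolower(out)
    }
    function pad(g) { while (length(g) < 4) g = "0" g; return g }'
}

# ipv6_ptr_name ADDR -> all 32 nibbles reversed, dot-separated, under ip6.arpa
ipv6_ptr_name() {
    hex=$(ipv6_expand "$1")
    [ "${#hex}" -eq 32 ] || return 1
    printf '%s\n' "$hex" | awk '{
        s = ""; for (i = length($0); i >= 1; i--) s = s substr($0, i, 1) "."
        print s "ip6.arpa" }'
}

# ipv6_host_ptr_label ADDR -> only the 16 host nibbles reversed: the owner name
# written in a /64 reverse zone file, as in the PTR record in the notes.
ipv6_host_ptr_label() {
    hex=$(ipv6_expand "$1")
    [ "${#hex}" -eq 32 ] || return 1
    printf '%s\n' "$hex" | awk '{
        s = ""; for (i = 32; i >= 17; i--) s = s substr($0, i, 1) (i > 17 ? "." : "")
        print s }'
}
```

ipv6_host_ptr_label 2001:db8::20a:5eff:fe1b:4aad yields d.a.a.4.b.1.e.f.f.f.e.5.a.0.2.0, the label from the notes; ipv6_ptr_name appends the reversed 64-bit network prefix and ip6.arpa, which is the name 'dig -x' queries.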
Tasks:
1. Export a directory on the server using: /etc/exports
a. /path_to_directory IP_ADDR(rw)
b. /nfs1 192.168.75.10(rw)
c. mkdir /nfs1
d. start NFS server - 'service nfs start'
e. Confirm export(s) - 'exportfs -v'
Note: NFS matches remote user's UID to local /etc/passwd to determine ACLs
2. Export /nfs2
a. Create entry in /etc/exports
b. Update current exports using: exportfs -a
###AutoFS###
Features:
1. Automatically mounts file systems (NFS, local, SMBFS, etc.) upon I/O request
Requirements:
1. autofs-*rpm must be installed
Task:
1. Create an automount for /shares, which will mount /nfs1 & /nfs2
a. update /etc/auto.master - '/shares /etc/auto.shares'
b. cp /etc/auto.misc /etc/auto.shares
c. update the rules in /etc/auto.shares
d. Create AutoFS tree: /shares/
e. Restart the autofs service
f. Unmount: /nfs1 & /nfs2 if necessary
Note: Do NOT auto-mount directories that are already mounted
g. Test access to AutoFS controlled directory
g1. 'ls -l /shares/nfs1'
###Samba ###
Features:
1. Provides Windows features (file & print) on Linux | Unix
Clients:
1. findsmb - finds SMB hosts on the network
2. smbtree - equivalent to Network Neighborhood/My Network Places (prints
workgroups, hosts, and shares)
3. smbget - similar to 'wget', in that, it will download files from the remote
share
a. smbget -u dean smb://linuxcbtwin1/mtemp/20070524_SAN_Allocations.ods
Samba Server:
/etc/samba/smb.conf - primary config file
Note: Ultimately, users must authenticate to the local Linux file system
Task:
1. Install SWAT
a. yum -y install samba-swat
b. nano /etc/xinetd.d/swat - set 'disable = no'
c. service xinetd restart
d. netstat -ntl | grep 901
Winbind:
Features:
1. Windows AD integration
2. Avoids having to define users in 2 places: Windows, Linux
3. Uses Kerberos for authentication
Requirements:
1. krb5-* packages
2. Properly configured Kerberos environment:
a. /etc/krb5.conf
[libdefaults]
    default_realm = AD2.LINUXCBT.INTERNAL
[realms]
    AD2.LINUXCBT.INTERNAL = {
        kdc = linuxcbtwin3.ad2.linuxcbt.internal
        admin_server = linuxcbtwin3
    }
[domain_realm]
    .linuxcbtwin3.ad2.linuxbt.internal = AD2.LINUXCBT.INTERNAL
Steps:
1. Update: /etc/krb5.conf
2. Update Samba configuration to use ADS authentication
3. Update Samba server's DNS to point to ADS server
a. /etc/resolv.conf
b. /etc/hosts - including a pointer to the ADS server (linuxcbtwin3)
4. Join AD domain:
a. 'net ads join -U administrator'
5. Confirm AD membership using: 'Active Directory Users & Computers' Tool
b. /etc/nsswitch.conf
passwd: files winbind
group: files winbind
Task1:
1. Authenticate using ADS, as 'administrator' from Windows box
2. Create a user named 'linuxcbt' in AD
3. Create shared directory on the Samba box, and provide access (Share it)
Tasks:
1. Install Apache 2.2x
a. httpd*rpm
2. Explorer: /etc/httpd/conf/httpd.conf
Note: Every directory, outside of the 'DocumentRoot' should have at least one:
<Directory> directive defined.
Note: Parent Apache runs as 'root' and can see the entire file system
Note: However, children processes run as 'apache' and can only see
files/directories that 'apache:apache' can see
Tasks:
1. Create IP Based Virtual Hosts
a. ifconfig eth0:1 192.168.75.210
b. Configure the Virtual Host:
<VirtualHost 192.168.75.210>
    ServerAdmin webmaster@linuxcbtserv4.linuxcbt.internal
    ServerName site1.linuxcbt.internal
    DocumentRoot /var/www/site1
    <Directory /var/www/site1>
        Order allow,deny
        Allow from all
    </Directory>
    CustomLog logs/site1.linuxcbt.internal.access.log combined
    ErrorLog logs/site1.linuxcbt.internal.error.log
</VirtualHost>
<VirtualHost 192.168.75.199:80>
    ServerAdmin webmaster@linuxcbtserv4.linuxcbt.internal
    ServerName site3.linuxcbt.internal
    DocumentRoot /var/www/site3
    <Directory /var/www/site3>
        Order allow,deny
        Allow from all
    </Directory>
    CustomLog logs/site3.linuxcbt.internal.access.log combined
    ErrorLog logs/site3.linuxcbt.internal.error.log
</VirtualHost>
Requirements:
1. httpd
2. openssl
3. mod_ssl
4. crypto-utils (genkey) - used to generate certificates/private keys/CSRs
a. also used to create a self-signed certificate
Tasks:
1. Install the requirements
a. mod_ssl - module for Apache, which provides SSL support
yum -y install mod_ssl
/etc/httpd/conf.d/ssl.conf - includes key SSL directives
Note: For multiple SSL sites, copy the /etc/httpd/conf.d/ssl.conf file to distinct
files that match your distinct IP-based VHosts
###MySQL###
Features:
1. DBMS Engine
2. Compatible with various front-ends:
a. Perl
b. PHP
c. ODBC
d. GUI Management
Tasks:
1. Install MySQL Client & Server
a. yum -y install mysql
Note: mysql command-line options ALWAYS override global (/etc/my.cnf), and/or local
(~/.my.cnf) configuration directives
###Postfix MTA###
Features:
1. Message Transfer Agent (MTA)
2. Modular (SpamAssassin)
3. Drop-in replacement for Sendmail, as it provides a 'sendmail' binary
Tasks:
1. Install Postfix
a. yum -y install postfix
Features:
1. Mail retrieval using standard protocols
2. Common package: dovecot
3. Supports both: mbox (/var/spool/mail/username) & Maildir formats
4. Supports SSL: POP3S & IMAPS
Tasks:
1. Install dovecot
/etc/dovecot.conf - primary config file
/etc/pki/dovecot/dovecot-openssl.cnf - SSL config
E-mail flow: mutt -> sendmail -> Postfix queue -> remote system -> POP3|IMAP
Tasks:
1. Install Squirrelmail with support via Apache
a. Download from squirrelmail.org - *.bz2
b. Confirm the MD5SUM
c. Copy the *.bz2 file to the Apache server
d. yum -y install php php-imap - installs PHP support for Apache/IMAP
e. mkdir /var/www/mail
f. Extract Squirrelmail to: /var/www/mail
g. Optionally, create a symlink named 'mail' that points to the SquirrelMail version directory
h. Create the Apache Virtual Host
<VirtualHost 192.168.75.199:80>
    ServerAdmin webmaster@mail.linuxcbt.internal
    ServerName mail.linuxcbt.internal
    DocumentRoot /var/www/mail
    <Directory /var/www/mail>
        Options FollowSymLinks
        Order allow,deny
        Allow from all
    </Directory>
    CustomLog logs/mail.linuxcbt.internal.access.log combined
    ErrorLog logs/mail.linuxcbt.internal.error.log
</VirtualHost>
i. Restart Apache
j. Configure SquirrelMail defaults: /var/www/mail/mail/config/conf.pl
k. Create 'attach' and 'data' directories for SquirrelMail:
/var/local/squirrelmail/{data,attach}
l. Update permissions so SquirrelMail may write to 'data' and 'attach'
directories: chown -R apache.apache /var/local/squirrelmail
m. Setup DNS
n. Attempt to access SquirrelMail
http://mail.linuxcbt.internal/mail
http://mail.linuxcbt.internal/mail/src/configtest.php
Note: If SELinux is enabled, use 'setsebool...' to allow httpd to connect to IMAP
and SMTP ports. Consult: /var/log/messages
Tasks:
1. Install Squid Proxy server
a. yum -y install squid
2. Start Squid, and ensure that it starts when the system reboots
a. service squid start
b. chkconfig --level 35 squid on
5. Deny 192.168.75.10, but allow ALL other users from the local subnet
a. In /etc/squid/squid.conf, define the ACL and deny it BEFORE the line that allows
the local subnet, since Squid applies the first matching 'http_access' rule:
    acl lan_bad_users src 192.168.75.10
    http_access deny lan_bad_users
###SELinux Intro###
Features:
1. Restricts access by subjects (users and/or processes) to objects (files)
2. Provides Mandatory Access Controls (MACs)
3. MACs extend Discretionary Access Controls (DACs(Standard Linux Permissions))
4. Stores MAC permissions in extended attributes of file systems
5. SELinux provides a way to separate: users, processes (subjects), and objects,
via labeling, and monitors/controls their interaction
6. SELinux is integrated into the Linux kernel
7. Implements sandboxes for subjects and objects
8. Default RH5 implementation creates sandboxes (domains) for 'targeted' daemons
and one sandbox (unconfined_t) for everything else
9. SELinux is implemented/enabled by RH5, by default
10. Operates in the following modes:
a. Permissive - permission is always granted, but denials are logged in:
/var/log/messages
b. Enforcing - strictly enforces 'targeted' policy rules
c. Disabled - Only DACs are applied
11. Operating modes can be applied upon startup or while the system is running
Tasks:
1. Disable SELinux upon boot-up on LINUXCBTSERV4
a. nano /etc/grub.conf
a1. Update 'kernel' line to reflect: selinux=0
Note: If files(objects) lose their SELinux context, there are multiple ways to
relabel them:
1. 'touch /.autorelabel && reboot' - init will relabel the system according to the
'targeted' policy
2. 'fixfiles' - use to relabel objects (files) while the system is running
Note: The 'targeted' policy assigns ALL other subjects and objects to the
'unconfined_t' domain
Note: The default SELinux 'targeted' policy, using MACs, binds subject domains:
i.e. 'httpd_t' to object types: i.e. 'httpd_config_t'
Usage:
1. gpg --list-keys - this enumerates the keys in the current user's keyring (~/.gnupg/)
2. gpg --gen-key - generates a PKI keypair for the current user
###OpenSSHv2###
Features:
1. Provides data encryption services based on PKI - Confidentiality
2. Primarily used to protect the transport layer
3. Encrypted shell sessions, file transfers
4. Password-less logins
5. Port forwarding - Pseudo-VPN
SSH Clients:
/etc/ssh/ssh_config - shared system-wide config file for SSH clients
a. ssh-keygen -t rsa
Task:
1. Setup Password-less logins using SSH
###IPTables###
Features:
1. Firewall for Linux
2. Interface to Netfilter, which is loaded by the kernel
3. Operates primarily @ layers 3 & 4 of the OSI model
4. Modular
5. Provides Network Address Translation (NAT)
6. IPTables can also access other layers (2, 5-7), with modules
Note: Each table, includes chains, which include Access Control Entries (ACEs)
Usage:
1. iptables -L
Tasks:
1. Restrict inbound traffic to the remote RH5 system to SSH
a. iptables -A INPUT -p tcp --dport 22 -j ACCEPT
b. iptables -A INPUT -j DROP
Note: Rules are matched in order, so the DROP must be appended after the ACCEPT. A
bare 'iptables -A INPUT -j DROP' also drops loopback traffic and the replies to the
system's own outbound connections; in practice, ACCEPT '-i lo' and
'-m state --state ESTABLISHED,RELATED' before the DROP
###IPv6 IPTables###
Features:
1. Firewall for IPv6
/etc/rc.d/init.d/ip6tables - run-script
/etc/sysconfig/ip6tables-config - system-wide config file
Usage:
1. ip6tables -L
Tasks:
1. Filter inbound traffic to remote RH5 system to SSH
a. ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
b. ip6tables -A INPUT -j DROP
###NMap###
Features:
1. Port/Reconnaissance Scanner
2. Hosts & device detection
3. Service detection
4. OS Fingerprinting
5. Multi-target scanning
6. Produces various reports
Tasks:
1. Download and install the latest version of NMap - nmap.org
a. wget http://download.insecure.org/nmap/dist/nmap-4.53-1.i386.rpm
b. rpm -Uvh nmap-4.53-1.i386.rpm
Usage:
1. Scan the localhost for open ports
a. nmap -v localhost
3. OS Fingerprinting scan
a. nmap -v -O 192.168.75.199
4. Reporting
a. nmap -v -oN filename.txt 192.168.75.1 - normal output
b. nmap -v -oX filename.xml 192.168.75.1 - XML output
###Nessus###
Features:
1. Vulnerability Scanner
2. Port Scanner
3. Host | Device detection
4. Can be used to scan NETBIOS (Windows|Samba) servers
5. Profiles (Scan Policies) for target scans, with specific exploits to query
6. Reporting
7. Client/Server enabled; multiple clients may use the central Nessus server
8. Client support for Windows, Linux, etc.
9. Runs as a service, awaiting inbound PenTest requests
10. Penetration testing tool
11. Nessus can be automated
12. Supports plug-ins for vulnerability signatures
13. Supports parallel scanning of targets
Tasks:
1. Download Nessus from nessus.org and install
2. Register nessus using 'nessus-fetch', with provided code
a. /opt/nessus/bin/nessus-fetch --register A65E-5116-4D76-FCD5-FF2A
3. Install Nessus Client and Explore the interface
a. rpm -Uvh NessusClient*
Note: Nessus will auto-update its plug-ins after registration, every 12-hours
###Snort NIDS###
Features:
1. Network Intrusion Detection System (NIDS)
2. Packet Sniffer
3. Packet Logger - logs using TCPDump format
Tasks:
1. Download and install Snort NIDS
a. snort.org
b. Confirm MD5SUM: 'md5sum snort-2.8.0.2.tar.gz' and compare to
snort-2.8.0.2.tar.gz.md5
c. Import GPG key used to sign the current release of Snort
d. gpg --verify snort-2.8.0.2.tar.gz.sig snort-2.8.0.2.tar.gz
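Added example (not part of the LinuxCBT notes): verify a downloaded archive against its published .md5 file the way step b above does, and reject a tampered copy. The archive contents and checksum file are constructed in a temporary directory; no real Snort tarball is fetched, and the GPG signature check of step d is not reproduced because it needs the project's public key. A .md5 file served from the same place as the tarball catches corruption but not a compromised download site, which is what the signature in step d is for.

```shell
#!/bin/sh
# md5_of FILE: the 32-hex digest only (first field of md5sum output).
md5_of() { md5sum "$1" | awk '{ print $1 }'; }

# verify_md5 FILE MD5FILE: compare the digest recorded for FILE's basename in
# MD5FILE (md5sum format: "<hex>  <name>", or "*<name>" for binary mode) with the
# digest of FILE. Returns 0 on match, 1 on mismatch, 2 if no entry for FILE exists.
verify_md5() {
    file=$1; sums=$2; name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 2
    [ "$(md5_of "$file")" = "$expected" ] || return 1
}

# checksum_demo: build a constructed archive and its .md5, verify it, append one
# byte to simulate tampering, verify again. Prints "ok" then "MISMATCH".
checksum_demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed archive contents\n' > "$d/snort-2.8.0.2.tar.gz"
    ( cd "$d" && md5sum snort-2.8.0.2.tar.gz > snort-2.8.0.2.tar.gz.md5 )
    verify_md5 "$d/snort-2.8.0.2.tar.gz" "$d/snort-2.8.0.2.tar.gz.md5" && echo ok
    printf 'X' >> "$d/snort-2.8.0.2.tar.gz"
    verify_md5 "$d/snort-2.8.0.2.tar.gz" "$d/snort-2.8.0.2.tar.gz.md5" || echo MISMATCH
    rm -rf "$d"
}
```

Use verify_md5 on the real download as 'verify_md5 snort-2.8.0.2.tar.gz snort-2.8.0.2.tar.gz.md5 && proceed_with_build', so a mismatch stops the procedure before step c.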
Requirements:
1. gcc - C compiler
2. make - creates binaries
3. libpcre - Provides access to Perl Compatible RegExes
4. mysql-devel* - provides access to MySQL
5. libpcap* - provides the TCPDump, packet capture library
Note: Snort drops fewer packets when run in binary logging mode than in verbose,
dump-to-screen, mode
4. Download the latest Snort rules file and extract to: /etc/snort/rules