RHCE "Cheat Sheet"
This document attempts to provide answers to all study points on the RHCE and RHCT Exam
Preparation Guide in a single-page (and thus, printable) format. This is not a “brain dump” or an
attempt to cheat the RH302 exam in any way. These are just my self-study notes. Use them at your
own risk.
Note: Study points last updated on 2009-08-11. This list may become out of date without notice
(especially after I pass the test).
updated by Dino Conti on 2010-06-25

Table of Contents
RHCE "Cheat Sheet"
Testing Environment with Sun VirtualBox
Prerequisite skills for RHCT and RHCE
  use standard command line tools (e.g., ls, cp, mv, rm, tail, cat, etc.) to create, remove, view, and investigate files and directories
  use grep, sed, and awk to process text streams and files
  use a terminal-based text editor, such as vim or nano, to modify text files
  use input/output redirection
  understand basic principles of TCP/IP networking, including IP addresses, netmasks, and gateways for IPv4 and IPv6
  use su to switch user accounts
  use passwd to set passwords
  use tar, gzip, and bzip2
  configure an email client on Red Hat Enterprise Linux
  use text and/or graphical browser to access HTTP/HTTPS URLs
  use lftp to access FTP URLs
  HELP in RHEL5
RHCT skills
  Troubleshooting and System Maintenance
    boot systems into different run levels for troubleshooting and system maintenance
    diagnose and correct misconfigured networking
    diagnose and correct hostname resolution problems
    configure the X Window System and a desktop environment
    add new partitions, filesystems, and swap to existing systems
      partitions
      filesystems
      swap
    use standard command-line tools to analyze problems and configure system
  Installation and Configuration
    perform network OS installation
    implement a custom partitioning scheme
    configure printing
    configure the scheduling of tasks using cron and at
      cron
      at/batch
    attach system to a network directory service, such as NIS or LDAP
    configure autofs
    add and manage users, groups, quotas, and File Access Control Lists
      users
      groups
      quotas
      Access Control Lists
    configure filesystem permissions for collaboration
    install and update packages using rpm
    properly update the kernel package
    configure the system to update/install packages from remote repositories using yum or pup
      create yum repository from installation DVD
    modify the system bootloader
    implement software RAID at install-time and run-time
    use /proc/sys and sysctl to modify and set kernel run-time parameters
    use scripting to automate system maintenance tasks
    configure NTP for time synchronization with a higher-stratum server
RHCE skills
  Troubleshooting and System Maintenance
    use the rescue environment provided by first installation CD
    diagnose and correct boot failures arising from bootloader, module, and filesystem errors
      grub errors
      kernel errors
    diagnose and correct problems with network services (see Installation and Configuration below for a list of these services)
    add, remove, and resize logical volumes
    diagnose and correct networking services problems where SELinux contexts are interfering with proper operation
  Installation and Configuration
    HTTP/HTTPS
      install
      selinux
      start at boot
      basic config
      host-based security
      user-based security
      verify service functionality
    SMB
      install
      selinux
      start at boot
      basic config
      host-based security
      user-based security
      verify service functionality
    NFS
      install
      start at boot
      basic config
      host-based security
      user-based security
      verify service functionality
    FTP
      install
      selinux
      start at boot
      basic config
      host-based security
      user-based security
      verify service functionality
    Web proxy
      install
      selinux
      start at boot
      host-based security
      parental control with blocklist
      user-based security
      verify service functionality
    SMTP
      to enable masquerading in sendmail
      install
      start at boot
      basic config
      host-based security
      user-based security
      verify service functionality
    IMAP, IMAPS, and POP3
      install
      start at boot
      basic config
      create custom ssl cert
      host-based security
      user-based security
      verify service functionality
    SSH
      install
      start at boot
      Generate Public / Private key pair
      user-based security
      host-based security
      verify service functionality
    DNS (caching name server, slave name server)
      install
      start at boot
      basic config
      host-based security
      user-based security
      verify service functionality
    NTP
      install
      start at boot
      host-based security
      user-based security
      verify service functionality
    configure hands-free installation using Kickstart

    implement logical volumes at install-time
    use iptables to implement packet filtering and/or NAT
      packet filtering
      NAT
      setup for router to internet
    use PAM to implement user-level restrictions
      module configuration
      module documentation
      pam_listfile.so example
Additional Notes
  Troubleshooting
    unable to log in
  tcp_wrappers

Testing Environment with Sun VirtualBox
install guest additions:
yum install gcc kernel-devel
sh /media/VBOXADDITIONS*/VBoxLinuxAdditions-x86.run
reboot

Prerequisite skills for RHCT and RHCE
Candidates should possess the following skills, as they may be necessary in order to fulfill requirements of the RHCT and RHCE exams:

use standard command line tools (e.g., ls, cp, mv, rm, tail, cat, etc.) to create, remove, view, and investigate files and directories

use grep, sed, and awk to process text streams and files

use a terminal-based text editor, such as vim or nano, to modify text files

use input/output redirection
operator   description
>          redirect STDOUT to a file
2>         redirect STDERR to a file
&>         redirect all output to a file
2>&1       redirect STDERR to STDOUT (so a pipe receives all output)
• use >> to append instead of overwrite

understand basic principles of TCP/IP networking, including IP addresses, netmasks, and gateways for IPv4 and IPv6

use su to switch user accounts
su - <user>

use passwd to set passwords
passwd <user>

use tar, gzip, and bzip2
# compress (tar/gzip)
tar cvzf <file>.tgz <directory>
# extract (tar/gzip)
tar xvzf <file>.tgz
# compress (tar/bzip)
tar cvjf <file>.tbz <directory>
# extract (tar/bzip)
tar xvjf <file>.tbz

configure an email client on Red Hat Enterprise Linux
echo "message" | mail <email> -s "subject"
mail <email> -s "subject" < <file>

use text and/or graphical browser to access HTTP/HTTPS URLs
• elinks
• lynx

use lftp to access FTP URLs

HELP in RHEL5
man <command>
man -k <command>                         search for specific word in manuals
makewhatis                               create manuals database
command --info
/usr/share/doc/<service or package>      installed documentation
/usr/share/doc/Deployment-Guide          all the manual

System > Documentation > Deployment Guide    the Deployment Guide from the desktop menu
elinks /var/www/manual/                      Apache Documentation

RHCT skills
Troubleshooting and System Maintenance
RHCTs should be able to:

boot systems into different run levels for troubleshooting and system maintenance
append the desired runlevel to grub's kernel line:
• 1-5 runs appropriate rc and init scripts
• single only runs rc.sysinit
• emergency skips all rc and init scripts

diagnose and correct misconfigured networking
1. check /etc/sysconfig/network
2. check /etc/sysconfig/network-scripts/ifcfg-<interface>
3. service network restart
4. chkconfig network on
5. ifconfig
6. ping <localhost ip>
7. netstat -r
8. ping <default gateway>
9. ping 4.2.2.2
redhat network config tool: system-config-network

diagnose and correct hostname resolution problems
1. check /etc/nsswitch.conf
2. check /etc/resolv.conf
3. check /etc/hosts
4. dig @<dns server> google.com
redhat network config tool: system-config-network

configure the X Window System and a desktop environment
install x: yum groupinstall "x window system"
• init respawns /etc/X11/prefdm -nodaemon to keep x running in runlevel 5
• startx to start manually
xfs is supposedly required for x windows (even though I can run x fine without it…):
service xfs start
chkconfig xfs on
x environment config:
• /etc/sysconfig/desktop
• /etc/X11/xinit/xinitrc
• /etc/X11/xinit/Xclients
• ~/.xinitrc
• ~/.Xclients
redhat display config tool: system-config-display [--reconfig]
install gnome desktop: yum groupinstall "gnome desktop environment"
switchdesk allows you to change your desktop environment:
yum install switchdesk
switchdesk
if switchdesk is not available, edit /etc/sysconfig/desktop:
DISPLAYMANAGER=<GNOME|KDE|XDM>
DESKTOP=<GNOME|KDE>

add new partitions, filesystems, and swap to existing systems
partitions
manage partitions: fdisk <device>
n          new partition
m          menu
p          print partition table
t          toggle partition type
d          delete partition
w          write changes to disk
q          quit
partprobe  make kernel aware of new partitions (try also partprobe /dev/sda)
filesystems
make filesystems:
mkfs.<ext2|ext3>
mkfs -t ext3 /dev/sda5
mkfs -t ext3 -L home-drive /dev/sda5
label filesystems: e2label <partition> <label>
blkid      list UUID and Labels of partitions

manage filesystem settings:
tune2fs <partition>
dumpe2fs <partition>
mkdir /test
mount -t ext3 /dev/sda5 /test
mount -o acl /dev/sda5 /test       mount with ACL support
user created filesystems: edit /etc/fstab to make mount permanent
/dev/sda5 /test ext3 defaults 0 0
check fstab with mount -a command
if recovering /etc/fstab during recovery operation you need to mount read/write: mount -o remount,rw /
swap
note that it's possible to create a swap file instead of a partition:
dd if=/dev/zero of=<file> bs=1024 count=<size>
format the file/partition: mkswap <partition|file>
nano -w /etc/fstab
swapon -va
cat /proc/swaps

use standard command-line tools to analyze problems and configure system
• check for full filesystems, quotas

Installation and Configuration
RHCTs must be able to:

perform network OS installation
at boot prompt: linux askmethod

implement a custom partitioning scheme

configure printing
printing support is provided by cups:
service cups start
chkconfig cups on
redhat printer config tool: system-config-printer
web config tool: http://localhost:631
printing via command line:
# print
lpr <file>
# view print queue
lpq
# remove print job
lprm <job number>

configure the scheduling of tasks using cron and at
cron
make sure vixie cron is installed and running:
yum install vixie-cron
service crond start
chkconfig crond on
1. if /etc/cron.allow exists, only these users are allowed (/etc/cron.deny is ignored)
2. if /etc/cron.allow does not exist, everyone allowed except users in /etc/cron.deny
3. if neither exists, only root allowed
4. empty /etc/cron.deny means all users allowed (default)
edit your cron jobs: crontab -e
crontab format: <minute> <hour> <day of month> <month> <day of week> <command>
24 13 * * * /home/user/script
/etc/crontab has additional user field before command.
at/batch
make sure at is installed and running:
yum install at
service atd start
chkconfig atd on
1. if /etc/at.allow exists, only these users are allowed (/etc/at.deny is ignored)
2. if /etc/at.allow does not exist, everyone allowed except users in /etc/at.deny
3. if neither exists, only root allowed
4. empty /etc/at.deny means all users allowed (default)
# add jobs
at now + 1 hour
at> <command>
at 09:00 2009-07-23
at> <command>
batch
at> <command>
# list jobs
atq
# remove jobs
atrm <job>
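The cron and at access rules above, as an added example that is not from the cheat sheet: a shell function that applies the four rules literally to a given user, reading the allow/deny files from a directory passed in (an assumption made so it can be run against constructed sample files rather than the live /etc).

```shell
#!/bin/sh
# Added example (not from the cheat sheet): decides whether a user may use
# cron or at by applying the four rules above, literally as stated:
#   1. <svc>.allow exists      -> only listed users (the deny file is ignored)
#   2. only <svc>.deny exists  -> everyone except listed users
#   3. neither exists          -> only root
#   4. an empty deny file therefore allows everybody
# The directory holding the allow/deny files is passed as $1 so the
# function can be exercised on constructed sample files instead of /etc.
# Usage: job_access <dir> <cron|at> <user>   prints allowed/denied, exit 0/1

job_access() {
    dir=$1; svc=$2; user=$3
    allow="$dir/$svc.allow"
    deny="$dir/$svc.deny"

    if [ -f "$allow" ]; then
        # rule 1: the allow file wins, the deny file is not consulted at all
        if grep -qx "$user" "$allow"; then
            echo allowed; return 0
        fi
        echo denied; return 1
    fi

    if [ -f "$deny" ]; then
        # rules 2 and 4: listed users are refused, everyone else passes
        if grep -qx "$user" "$deny"; then
            echo denied; return 1
        fi
        echo allowed; return 0
    fi

    # rule 3: no access files at all, only root may submit jobs
    if [ "$user" = root ]; then
        echo allowed; return 0
    fi
    echo denied; return 1
}

# Constructed sample layout (a temporary directory, not the real /etc):
#   cron.allow lists alice only; cron.deny also exists but must be ignored
#   at.deny lists mallory; there is no at.allow
sample_access_files() {
    printf 'alice\n' > "$1/cron.allow"
    printf 'alice\nbob\n' > "$1/cron.deny"
    printf 'mallory\n' > "$1/at.deny"
}

demo_dir=$(mktemp -d)
sample_access_files "$demo_dir"
for who in alice bob; do
    printf 'cron %-8s %s\n' "$who" "$(job_access "$demo_dir" cron "$who")"
done
for who in mallory bob root; do
    printf 'at   %-8s %s\n' "$who" "$(job_access "$demo_dir" at "$who")"
done
rm -rf "$demo_dir"
```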

attach system to a network directory service, such as NIS or LDAP
redhat config tools:
system-config-authentication
authconfig-tui
required packages for nis: yum install ypbind portmap
required packages for ldap: yum install nss-ldap openldap

configure autofs
make sure the autofs service is running:
service autofs start
chkconfig autofs on
ensure the following line is in /etc/nsswitch.conf:
automount: files nis
define an autofs-controlled mountpoint called test by adding the following to /etc/auto.master:
/test /etc/auto.test
create /etc/auto.test:
blah example.com:/pub/something
* example:/home/&
1. local /test/blah ⇒ remote example.com:/pub/something
2. local /test/user ⇒ remote example:/home/user (this method can be used to automount home directories)
test automounting:
ls /test/blah
ls /test/user
# redhat defaults
ls /net/<hostname>
ls /misc/cd

add and manage users, groups, quotas, and File Access Control Lists
redhat user/group config tool: system-config-users

users
/etc/passwd file format: username:password:uid:gid:gecos:homedir:shell
/etc/shadow file format: username:password:lastpwchange:minpwchange:maxpwage:pwchangewarn:inactive:expire
command line user management:
useradd <user>
usermod <user>
usermod -aG accounts <username>     add user to group and keep all other group memberships
chage <user>
chage -M 30 user                    set password to expire in 30 days
userdel <user>
pwck
• default account expiration settings in /etc/login.defs

groups
/etc/group file format: groupname:password:gid:members
command line group management:
groups <user>
groupadd <group>
groupmod <group>
groupdel <group>
grpck
gpasswd -a <user> <group>

quotas
install quota package: yum install quota
add fs options to /etc/fstab: usrquota,grpquota
remount device: mount -o remount <mount point>
init quota database: quotacheck -cugm <device>
enable/disable quotas:
quotaon <device>
quotaoff <device>
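The /etc/shadow field layout given in the users section above, as an added example that is not from the cheat sheet: a small audit that reads a file in that format and reports accounts with an empty password field, a usable hash with no maximum password age, or an expiry date already in the past. The file path is an assumed parameter so it can run on a constructed sample instead of the real /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): audits a file in the /etc/shadow
# format listed above (username:password:lastpwchange:minpwchange:maxpwage:
# pwchangewarn:inactive:expire, followed by one reserved field). It reports
#   <user>:empty-password   password field empty, no password needed to log in
#   <user>:no-max-age       usable hash but maxpwage empty or 99999 (never expires)
#   <user>:expired          the expire field (days since 1970-01-01) is in the past
# The file path is passed as $1 so it can run on a constructed sample; on a
# live system you would pass /etc/shadow (readable by root only).

shadow_audit() {
    file=$1
    today=$(( $(date +%s) / 86400 ))   # days since the epoch, the unit shadow uses
    awk -F: -v today="$today" '
        /^#/ || NF < 2 { next }          # skip comments and blank lines
        {
            user = $1; pw = $2; maxage = $5; expire = $8
            if (pw == "") {
                print user ":empty-password"
            } else if (pw !~ /^[!*]/ && (maxage == "" || maxage + 0 == 99999)) {
                # "!", "!!" and "*" mark locked or disabled accounts;
                # anything else is a hash that can be used to log in
                print user ":no-max-age"
            }
            if (expire != "" && expire + 0 < today + 0) {
                print user ":expired"
            }
        }' "$file"
}

# Constructed sample (made-up hashes and dates, not from a real system):
#   root   never expires   -> no-max-age
#   alice  30-day max age  -> nothing to report
#   bob    empty password  -> empty-password
#   svc    locked (!!)     -> nothing to report
#   carol  expired in 2008 -> expired
sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$constructed$notarealhash:14400:0:99999:7:::
alice:$6$constructed$notarealhash:14400:0:30:7:::
bob::14400:0:99999:7:::
svc:!!:14400:0:99999:7:::
carol:$6$constructed$notarealhash:14400:0:30:7::14000
EOF
}

demo_file=$(mktemp)
sample_shadow "$demo_file"
shadow_audit "$demo_file"
rm -f "$demo_file"
```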

edit quotas:
edquota -u <user>
edquota -g <group>
edit grace time:
edquota -ut <user>
edquota -gt <group>
check/report quotas:
quota <user>
repquota -aug

Access Control Lists
install acl package: yum install acl
add fs options to /etc/fstab: acl
remount device: mount -o remount,acl <mount point>
manage acls:
# set acls
setfacl -m [d:]u:<user>:<r|w|x|-> <file>
setfacl -m [d:]g:<group>:<r|w|x|-> <file>
setfacl -m u:user:--- ./shared/to/secret-file     remove all access to file
# get acls
getfacl <file>
# remove acls
setfacl -x u:<user> <file>
setfacl -x g:<group> <file>
setfacl --remove-all <file>
setfacl --remove-default <file>

configure filesystem permissions for collaboration
1. create new group
2. add users to group
3. chown folder to root.<group>
4. chmod folder to 2770 (g+s)
this is also required for Samba Group shares

install and update packages using rpm
# install
rpm -ivh <package>.rpm

# update
rpm -Uvh <package>.rpm
# freshen
rpm -Fvh <package>.rpm
# remove
rpm -e <package>
# query by file name
rpm -qf <full path to file>
# verify a file
rpm -Vf <full path of file>
# verify status of all packages
rpm -Va > /tmp/rpmverify
# get info on installed package
rpm -qi <package>
while inside the rescue environment, use the --root option to specify the real location of your root file system (e.g. --root=/mnt/sysimage).

properly update the kernel package
1. always do an install (i.e. rpm -ivh <kernel package>) rather than an update
2. check /boot/grub/grub.conf for proper configuration

configure the system to update/install packages from remote repositories using yum or pup
yum config goes in /etc/yum.repos.d/
[id]
name=my repo
baseurl=http://example.com/centos/
enabled=1
create yum repository from installation DVD
umount /media/RHEL_5.4\ i386\ DVD/
[root@mail ~]# mkdir /mnt/cdrom
[root@mail ~]# mount /dev/cdrom /mnt/cdrom/
mount: block device /dev/cdrom is write-protected, mounting read-only
[root@mail ~]# cd /mnt/cdrom/Server/repodata
[root@mail yum.repos.d]# cat rhel-cd.repo
[rhel-cd]
name=Red Hat Enterprise Linux $releasever - $basearch - Debug
baseurl=file:/mnt/cdrom/Server/
#baseurl=file:///media/RHEL_5.4\ i386\ DVD/Server/

enabled=1
gpgcheck=0
#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
yum search nmap
system-config-packages     (this will now display package groups available during installation)

modify the system bootloader
• production config is in /boot/grub/grub.conf
• see examples in /usr/share/doc/grub-*/menu.lst

implement software RAID at install-time and run-time
to start, we need at least two devices/partitions of type "linux raid autodetect" (use fdisk to set partition type to "fd")
create raid device: mdadm --create /dev/md0 --level=<0|1|4|5|6|10> --raid-devices=<num> <device list>
fail disk in array: mdadm /dev/md0 -f <device>
remove disk from array: mdadm /dev/md0 -r <device>
add disk to array: mdadm /dev/md0 -a <device>
stop array: mdadm --stop /dev/md0
check raid status:
mdadm --detail /dev/md0
cat /proc/mdstat
format works as usual: mkfs.ext3 /dev/md0
don't forget to configure /etc/fstab appropriately.

use /proc/sys and sysctl to modify and set kernel run-time parameters
config is in /etc/sysctl.conf
# search through parameters
sysctl -a | grep <whatever>
# apply changes from config file immediately

sysctl -p

use scripting to automate system maintenance tasks

configure NTP for time synchronization with a higher-stratum server
redhat config tool: system-config-date
• config is in /etc/ntp.conf
synchronization configuration example:
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
apply changes:
service ntpd restart
chkconfig ntpd on
verify changes: ntpq -p

RHCE skills
Troubleshooting and System Maintenance
RHCEs must demonstrate the RHCT skills listed above, and should be able to:

use the rescue environment provided by first installation CD
linux rescue
• when working in non-chrooted rescue mode: mount /dev/hdc /mnt/source (to access install files on the cd/dvd)
• rpm commands should use the --root=/mnt/sysimage option
• manually make /dev and /proc available in chrooted mode:
mount -o bind /dev /mnt/sysimage/dev
mount -o bind /proc /mnt/sysimage/proc

diagnose and correct boot failures arising from bootloader, module, and filesystem errors
check in order:
1. mbr
2. /boot/grub/grub.conf
3. /etc/fstab
4. /etc/inittab
5. /etc/rc.d/rc.sysinit
6. /etc/rc.d/rc
7. /etc/rc.d/rc*.d/

you can specify an alternative one: dumpe2fs <partition> fsck -b <block#> <partition> diagnose and correct problems with network services (see Installation and Configuration below for a list of these services) see what's listening on what port: netstat -ntaupe .7.0) grub> setup (hd0) grub> quit to password protect grub : grub-md5-crypt to create md5 password hash copy and paste this into /boot/grub/grub.d/init.d/* 8.d/rc.conf are relative to the root option) • check for missing files in kernel and/or initrd lines kernel errors • missing/corrupt initrd file results in: kernel panic .conf ( 2 options – protect editing of GRUB during boot or protect selection of kernel image – for testing ) recreate initrd: mkinitrd <filename> <kernel version> fix corrupt filesystem: fsck <partition> if fsck is unable to locate a superblock.local grub errors • in general. /etc/rc. type find /grub/stage1 at the grub command line ( remember that all file names in grub. use the last line before the error message to see where grub error'd out • to find correct value for root option.not syncing: vfs: unable to mount root fs on unknown-block • invalid root parameter for kernel results in: setuproot: error mounting /proc: No such file or directory reinstall grub to mbr: grub-install <device> or grub grub> find /grub/stage1 grub> root (hd0. /etc/rc.
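The "check for missing files in kernel and/or initrd lines" step, written out as a script. This is an added example and not part of the cheat sheet; it assumes that every file name in grub.conf is relative to the filesystem named by the root option, and takes the mount point of that filesystem (ROOTDIR, e.g. /mnt/sysimage/boot in rescue mode when /boot is a separate partition, /mnt/sysimage when it is not) and the path of grub.conf as arguments, so it can be run against a staged directory as well as a real rescue mount.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: check the kernel/initrd lines of a
# GRUB legacy grub.conf against the filesystem that its "root (hdX,Y)" option
# points at. Assumption: file names in grub.conf are relative to ROOTDIR.
#
# grub_check ROOTDIR GRUBCONF  -> prints one line per problem, returns 0 if clean
grub_check() {
    rootdir=$1
    conf=$2
    problems=0
    kernels=0
    # only "kernel" and "initrd" name files; title/root/default/timeout do not
    while read -r key path _rest; do
        case "$key" in
            kernel) kernels=$((kernels + 1)) ;;
            initrd) ;;
            *) continue ;;
        esac
        if [ ! -f "$rootdir$path" ]; then
            echo "missing: $key $path (looked for $rootdir$path)"
            problems=$((problems + 1))
        fi
    done < "$conf"
    if [ "$kernels" -eq 0 ]; then
        echo "no kernel line in $conf, nothing can boot"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# grub_check_demo -> runs grub_check on a constructed tree whose initrd is
# missing (the "kernel panic - not syncing: VFS: unable to mount root fs"
# case), then again after the initrd is put back; returns 0 when both
# checks behave as expected.
grub_check_demo() {
    stage=$(mktemp -d)
    mkdir -p "$stage/boot/grub"
    # constructed grub.conf, paths relative to the /boot partition
    printf 'default=0\ntimeout=5\n# comment line\ntitle Red Hat Enterprise Linux Server (2.6.18-8.el5)\n\troot (hd0,0)\n\tkernel /vmlinuz-2.6.18-8.el5 ro root=/dev/VolGroup00/LogVol00\n\tinitrd /initrd-2.6.18-8.el5.img\n' > "$stage/boot/grub/grub.conf"
    : > "$stage/boot/vmlinuz-2.6.18-8.el5"
    if grub_check "$stage/boot" "$stage/boot/grub/grub.conf"; then
        rm -rf "$stage"; return 1      # must have reported the missing initrd
    fi
    : > "$stage/boot/initrd-2.6.18-8.el5.img"
    grub_check "$stage/boot" "$stage/boot/grub/grub.conf"
    rc=$?
    rm -rf "$stage"
    return $rc
}
# usage on a rescue mount: grub_check /mnt/sysimage/boot /mnt/sysimage/boot/grub/grub.conf
```

The script only proves that the referenced files exist; a file that is present but corrupt still needs mkinitrd or a package reinstall, and a wrong root= on the kernel line is only caught at boot.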

add, remove, and resize logical volumes
  redhat lvm config tool: yum install system-config-lvm ; system-config-lvm
  create physical volume: pvcreate <device>
  create volume group: vgcreate <name> <pv device> [pv device]
  extend volume group: vgextend <name> <pv device>
  create logical volume: lvcreate --size <size>M --name <lv name> <vg name>
  extend logical volume: lvextend --size <size>M <device> ; resize2fs <device>
  shrink logical volume (unmount and fsck first, and shrink the filesystem BEFORE the volume, never the other way round):
    umount <device> ; e2fsck -f <device>
    resize2fs <device> <size>M
    lvreduce --size <size>M <device>
  remove logical volume: lvremove <device>

activate lvm Volume Groups in Rescue Mode
  lvm vgchange -ay
  lvm lvs
  use these commands to check lvm in rescue mode: lvm vgs ; lvm pvs ; lvm vgscan ; lvm pvscan ; lvm lvscan
  mkdir /mnt/sysimage
  mount root partition: mount /dev/VolGroup00/LogVol00 /mnt/sysimage
  mount boot partition: mount /dev/sda1 /mnt/sysimage/boot
  from here you can resize LVM partitions or reinstall grub

diagnose and correct networking services problems where SELinux contexts are interfering with proper operation
  enable/disable selinux in /etc/sysconfig/selinux: SELINUX=enforcing SELINUXTYPE=targeted

  install selinux troubleshooter:
    yum install setroubleshoot
    service setroubleshoot start
    chkconfig setroubleshoot on
  install selinux management tool: yum install policycoreutils-gui
  list selinux errors: sealert -a /var/log/audit/audit.log | less
  launch gui browser: sealert -b
  list selinux booleans: getsebool -a
  set selinux boolean (-P makes the change persistent across reboots): setsebool -P <boolean>=<0|1>
  check ftp, http, nfs, smb for such problems
  list security contexts: ls -Z <file>
  change security contexts:
    # using reference (copy contexts from existing known-good file)
    chcon -R --reference <old file> <new file>
    # manual
    chcon -R -u <user> <file>
    chcon -R -t <type> <file>
  use semanage fcontext to survive a relabel of filesystem (especially when changing SELinux from ON to OFF to ON; contexts set with chcon alone are lost on relabel):
    semanage fcontext -a -t public_content_t '/www/data/html(/.*)?'
    restorecon -vvFR /www/data/html    (restore default context, i.e. apply what the policy now says)

Installation and Configuration
RHCEs must demonstrate the RHCT-level skills listed above, and they must be capable of configuring the following network services. For each of these services, RHCEs must be able to:
  • install the packages needed to provide the service
  • configure SELinux to support the service
  • configure the service to start when the system is booted
  • configure the service for basic operation
  • configure host-based and user-based security for the service

HTTP/HTTPS
install
  yum install httpd mod_ssl httpd-manual
selinux
  make new DocumentRoot match default DocumentRoot (this applies to any directory that apache will serve files from):
  chcon -R --reference /var/www /www
start at boot
  chkconfig httpd on
basic config
  • requirements for ~user/ directories:
    • UserDir directive
    • chmod 701 the user's home directory
    • change security context on the user's UserDir
  • requirements for .htaccess file usage:
    • AllowOverride All directive
  • requirements for name-based virtual hosts:
    • NameVirtualHost *:80 and NameVirtualHost *:443 directives
    • each virtual host requires appropriate ServerName and ServerAlias directives
    • a single virtual host cannot span multiple ports (i.e. 80 and 443); two separate VirtualHost *:<port> sections are needed to do this
  self-signed ssl cert:
    cd /etc/pki/tls/certs
    rm localhost.crt
    make testcert
    (the same Makefile builds a named pair with make <name>.crt, giving <name>.key and <name>.crt in this directory; keep the key root-owned and mode 0600)
  edit /etc/httpd/conf.d/ssl.conf and change the following lines to point to the new certificate:
    SSLCertificateFile /etc/pki/tls/certs/dino.crt
    #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    # Server Private Key:
    # If the key is not combined with the certificate, use this
    # directive to point at the key file. Keep in mind that if
    # you've both a RSA and a DSA private key you can configure
    # both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/pki/tls/certs/dino.key
    #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

  check virtual host config: httpd -D DUMP_VHOSTS
host-based security
  firewall config: tcp 80, 443
  hosts are allowed by default and must be explicitly denied:
    <Directory /var/www/html>
      Order deny,allow
      Deny from 192.168.0.0/255.255.255.0
      Deny from badguys.example.com
    </Directory>
  hosts are denied by default and must be explicitly allowed:
    <Directory /var/www/html>
      Order allow,deny
      Allow from 192.168.0.0/255.255.255.0
      Allow from goodguys.example.com
    </Directory>
user-based security
  create web password file:
    htpasswd -c /etc/httpd/webusers testuser1
    htpasswd /etc/httpd/webusers testuser2
  create web group file (/etc/httpd/webgroups):
    testgroup: testuser1 testuser2
  allow access by group:
    <Directory /var/www/html>
      AuthType Basic
      AuthName "top secret area"
      AuthUserFile /etc/httpd/webusers
      AuthGroupFile /etc/httpd/webgroups
      Require group testgroup
    </Directory>
  (Basic auth sends the password base64-encoded, i.e. in clear, so put protected directories under the https virtual host)
verify service functionality
  test http/https: elinks <http|https>://<hostname>/[path]

SMB
install
  yum install samba samba-client
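Maintaining the web password file without htpasswd, as an added example that is not part of the cheat sheet. It uses openssl (assumed to be on PATH) to produce the same $apr1$ (Apache MD5) hashes that htpasswd writes by default on RHEL 5, and shows how a stored entry is verified: the salt is read back out of the entry and the candidate password is hashed with it. The file path is an argument so the functions can be exercised on a scratch file.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: create and verify entries of an
# Apache AuthUserFile (the /etc/httpd/webusers file above) with openssl.
# Assumption: openssl is installed; entries use the $apr1$ format.
#
# webuser_add FILE USER PASSWORD   -> adds or replaces USER's entry
# webuser_check FILE USER PASSWORD -> 0 if PASSWORD matches the stored hash
webuser_add() {
    file=$1 user=$2 pass=$3
    salt=$(openssl rand -hex 4)                 # 8 chars, all in the apr1 salt alphabet
    hash=$(openssl passwd -apr1 -salt "$salt" "$pass")
    # drop any earlier line for this user, like htpasswd without -c does
    if [ -f "$file" ]; then grep -v "^$user:" "$file" > "$file.tmp" || :; else : > "$file.tmp"; fi
    echo "$user:$hash" >> "$file.tmp"
    mv "$file.tmp" "$file"
    chmod 640 "$file"       # httpd needs to read it, nobody else should
}

webuser_check() {
    file=$1 user=$2 pass=$3
    stored=$(grep "^$user:" "$file" 2>/dev/null | head -n 1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    # stored form is $apr1$<salt>$<digest>: hash the candidate with the same salt
    salt=$(echo "$stored" | cut -d'$' -f3)
    [ "$(openssl passwd -apr1 -salt "$salt" "$pass")" = "$stored" ]
}

# webuser_demo -> builds a scratch file with two users and checks that the
# right password is accepted while a wrong one and an unknown user are refused
webuser_demo() {
    f=$(mktemp)
    webuser_add "$f" testuser1 's3cret'
    webuser_add "$f" testuser2 'other'
    webuser_check "$f" testuser1 's3cret' && ! webuser_check "$f" testuser1 'wrong' \
        && ! webuser_check "$f" nobody 'x' && [ "$(grep -c . "$f")" -eq 2 ]
    rc=$?
    rm -f "$f"
    return $rc
}
```

The group file needs no hashing; it is the plain "testgroup: testuser1 testuser2" line from the page, and Require group only matches users that also have an entry in the AuthUserFile.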

selinux
  allow samba to share home directories: setsebool -P samba_enable_home_dirs=1
  mark a directory as shareable with samba: chcon -R -t samba_share_t <directory>
start at boot
  chkconfig smb on
basic config
  redhat samba config tool: yum install system-config-samba ; system-config-samba
  set workgroup/domain: workgroup = <workgroup>
  security modes:
    # connections check local pwdb (default)
    security = user
    # member server on a domain, uses pwdb on a dc
    security = domain
    workgroup = EXAMPLE
    # member server on an ad domain using kerberos, uses pwdb on a dc
    security = ads
    realm = EXAMPLE.COM
    password server = kerberos.example.com
    # used when samba was not capable of being a domain member server (DO NOT USE)
    security = server
    encrypt passwords = yes
    password server = <netbios name of dc>
    # each share requires a password (DO NOT USE)
    security = share
  share options:
    [<share name>]
    # path for share
    path = <path>
    # share is visible
    browseable = <yes|no>
    # rw enabled
    writeable = <yes|no>
    # this is a shared printer
    printable = <yes|no>

    # all users connecting to this share use <group> as their primary group (group is a synonym for force group)
    group = <group name>
  join domain: net rpc join -U root
  mount a share: mount -t cifs //192.168.0.200/shared-folder /mnt/share -o user=<user>
  fstab example: //<hostname>/<share> <mountpoint> cifs user=<username>,pass=<password> 0 0
    (a password in the world-readable /etc/fstab is visible to every local user; use credentials=<file> pointing at a root-only, mode 0600 file instead)
  mount.cifs and umount.cifs need to be chmod'ed u+s in order to be used by non-root users
host-based security
  firewall config: tcp 139, 445 ; udp 137, 138
  hosts allow/deny can be used per-server or per-share:
    hosts allow = 127.0.0.1 192.168.0.0/24 192.168.1.0/24
    hosts deny = 0.0.0.0/0
user-based security
  account maintenance:
    # add account (local linux account must exist first, or be translated via /etc/samba/smbusers):
    smbpasswd -a <username>
    # enable/disable account:
    smbpasswd -e <username>
    smbpasswd -d <username>
    # remove account:
    smbpasswd -x <username>
    service smb reload may be needed after account changes
  share access: valid users = <user1> @<group1>
  • share access is also controlled by unix file permissions
verify service functionality
  list shares: smbclient -L <hostname> -U <username>
  browse shares: smbclient //<hostname>/<share> -U <username>

  test allow/deny statements for a host: testparm /etc/samba/smb.conf <hostname> <ip address>

NFS
install
  yum install portmap nfs-utils
start at boot
  chkconfig portmap on
  chkconfig nfs on
  chkconfig nfslock on
  chkconfig netfs on
basic config
  redhat config tool: yum install system-config-nfs ; system-config-nfs
  format of /etc/exports: <mountpoint> <host>(<options>) [<host>(<options>) ...]
    (no space between host and the opening parenthesis: "host (rw)" exports rw to the whole world and gives host only the defaults)
  activate new exports: /etc/init.d/nfs restart (or exportfs -ra, which re-reads the file without interrupting existing mounts)
host-based security
  edit /etc/sysconfig/nfs and restart nfs to set static ports
  firewall config: see ports with rpcinfo -p ; open ports 111, 2049 (tcp and udp) and the rpc ports defined in /etc/sysconfig/nfs
  host based security is intrinsic to the format of the exports file
user-based security
  use standard file permissions
verify service functionality
  list exports: showmount -e <host>
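Since host-based security for NFS is nothing but the exports file, an audit of that file is the check worth having. This is an added example, not part of the cheat sheet: it reads the file given as its argument (so a copy can be audited) and flags the mistakes the format makes easy, namely a space between host and options, a bare "*" host, an entry with no host at all, and the no_root_squash and insecure options. The sample exports content inside the demo function is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: audit an /etc/exports file for the
# host-based security mistakes its format makes easy to commit.
#
# exports_audit FILE -> prints one finding per line, returns 1 if any were found
exports_audit() {
    awk '
    { sub(/#.*/, "") }                       # strip comments
    /^[ \t]*$/ { next }                      # skip blank lines
    {
        dir = $1
        if (NF == 1) {
            printf "%d: %s has no client list, exported to everyone\n", NR, dir
            bad++; next
        }
        for (i = 2; i <= NF; i++) {
            f = $i
            # "host (rw)" with a space: the options bind to an empty host,
            # i.e. every client gets rw, while host gets the defaults
            if (f ~ /^\(/) {
                printf "%d: %s: options %s are separated from the host by a space and apply to every client\n", NR, dir, f
                bad++; continue
            }
            host = f; opts = ""
            if (match(f, /\(.*\)$/)) {
                host = substr(f, 1, RSTART - 1)
                opts = substr(f, RSTART + 1, RLENGTH - 2)
            }
            if (host == "*") { printf "%d: %s is exported to any host (*)\n", NR, dir; bad++ }
            if (opts ~ /(^|,)no_root_squash(,|$)/) { printf "%d: %s to %s: no_root_squash, remote root is root on this export\n", NR, dir, host; bad++ }
            if (opts ~ /(^|,)insecure(,|$)/) { printf "%d: %s to %s: insecure, requests accepted from unprivileged source ports\n", NR, dir, host; bad++ }
        }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# exports_audit_demo -> audits a constructed exports file and prints the
# findings; returns 0 if exactly the four planted problems were reported
exports_audit_demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real system
/export/good   192.168.0.0/24(rw,sync,root_squash)
/export/space  192.168.0.5 (rw)
/export/star   *(ro,sync)
/export/root   client.example.com(rw,no_root_squash)
/export/open
EOF
    out=$(exports_audit "$f"); rc=$?
    rm -f "$f"
    echo "$out"
    [ "$rc" -eq 1 ] && [ "$(echo "$out" | grep -c .)" -eq 4 ]
}
# usage on a live system: exports_audit /etc/exports
```

The audit is static; what the server actually exports is still best confirmed with showmount -e and exportfs -v after the restart.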

FTP
install
  yum install vsftpd
selinux
  allow local users to log in and cd into home directories: setsebool -P ftp_home_dir=1
start at boot
  chkconfig vsftpd on
basic config
host-based security
  • use iptables with -[!]s option
  firewall config: tcp 21
  ftp data transfers will not work unless ip_conntrack_ftp is added to IPTABLES_MODULES in /etc/sysconfig/iptables-config
  tcp_wrappers example: vsftpd : 192.168.0.0/255.255.255.0
user-based security
  • allow/deny controlled via /etc/vsftpd/user_list (users in /etc/vsftpd/ftpusers are always denied via pam)
  • default allow/deny is configured by the userlist_deny statement in vsftpd.conf: with userlist_deny=YES (the default) user_list is a deny list, with userlist_deny=NO only the users in it may log in (userlist_enable=YES is required in both cases)
verify service functionality
  test ftp: ftp <server>

Web proxy
install
  yum install squid
selinux
  allow squid to connect to the network (this is recommended, but was not needed in my testing): setsebool -P squid_connect_any=1

start at boot
  chkconfig squid on
host-based security
  firewall config: tcp 3128
  edit /etc/squid/squid.conf:
    visible_hostname www.quake.lan
  allow access from local networks:
    acl our_networks src 192.168.1.0/24 192.168.2.0/24
    http_access allow our_networks
  parental control with blocklist:
    acl our_networks src 192.168.1.0/24 192.168.2.0/24
    acl block-sites dstdomain .yahoo.com .hotmail.com
    acl block-words url_regex sex cunt penis movies
    http_access deny block-sites
    http_access deny block-words
    http_access allow our_networks
  (http_access rules are evaluated in order and the first match wins, so the deny lines must come before the allow for our_networks)
user-based security
  install ncsa_auth
  create username / password file: htpasswd -c /etc/squid/passwd username   (-c only the first time)
  edit /etc/squid/squid.conf:
    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off
    acl ncsa_users proxy_auth REQUIRED
    http_access allow ncsa_users
verify service functionality
  test proxy: HTTP_PROXY=<server>:3128 elinks

SMTP
Using Sendmail
  yum install sendmail sendmail-cf
  edit /etc/mail/sendmail.mc:
    dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl   (commented out with dnl so sendmail listens on all interfaces instead of loopback only)
    LOCAL_DOMAIN(`example.com')dnl
  build new sendmail.cf: make -C /etc/mail
  edit /etc/mail/access (allow relay from local LAN):
    Connect:192.168.0   RELAY
  edit /etc/mail/local-host-names (domains hosted on our server):
    example.com
    quake.lan
  edit /etc/mail/virtualusertable (virtual users mappings):
    cikku@test.lan   admin@example.com
  /etc/aliases (aliases to other accounts):
    root: admin
    tony: mark
  run newaliases to build new file
  to enable masquerading in sendmail edit /etc/mail/sendmail.mc:
    MASQUERADE_AS(`mydomain.com')dnl
    FEATURE(masquerade_envelope)dnl
    FEATURE(masquerade_entire_domain)dnl
    MASQUERADE_DOMAIN(localhost)dnl
    MASQUERADE_DOMAIN(localhost.localdomain)dnl
    MASQUERADE_DOMAIN(mydomainalias.com)dnl
    MASQUERADE_DOMAIN(mydomain.lan)dnl

    MAILER(smtp)dnl
    MAILER(procmail)dnl
  rebuild sendmail.cf file (make -C /etc/mail; this also rebuilds access.db and virtusertable.db)
  check mail passing through: /var/log/maillog
  check /var/spool/mail to see mailboxes

Using Postfix
install
  yum install postfix
  alternatives --config mta
  service sendmail stop ; chkconfig sendmail off
start at boot
  chkconfig postfix on
basic config
  listen on public interfaces: inet_interfaces = all
  hosts allowed to relay through us (everything else is rejected for non-local recipients): mynetworks = 127.0.0.0/8, 192.168.0.0/24
  specify all destination hostnames/domains: mydestination = <hostname1>, <hostname2>, ...
  specify origin domain: myorigin = $mydomain
  local aliases in /etc/aliases (don't forget to run newaliases to apply changes):
    <alias>: <user1>[, user2]
  virtual aliases in /etc/postfix/virtual (don't forget to run postmap /etc/postfix/virtual to apply changes; lookup tables are "key value" separated by whitespace, no colon):
    <virtual alias>   <user>
  enable virtual aliases: virtual_alias_maps = hash:/etc/postfix/virtual
  outbound address rewriting in /etc/postfix/generic (don't forget to run postmap /etc/postfix/generic to apply changes):
    <local address>   <outbound address>
  enable outbound aliases: smtp_generic_maps = hash:/etc/postfix/generic

host-based security
  • use iptables with -[!]s option
  firewall config: tcp 25
user-based security
  use smtp auth?
verify service functionality
  test smtp: telnet <server> 25

IMAP, IMAPS, and POP3
install
  yum install dovecot
start at boot
  chkconfig dovecot on
basic config
  enable protocols: protocols = imap imaps pop3 pop3s
  create custom ssl cert:
    nano -w /etc/pki/dovecot/dovecot-openssl.cnf
    /usr/share/doc/dovecot-*/examples/mkcert.sh
    service dovecot restart
  or:
    mv /etc/pki/dovecot/certs/dovecot.pem /etc/pki/dovecot/certs/dovecot.pem.orig
    mv /etc/pki/dovecot/private/dovecot.pem /etc/pki/dovecot/private/dovecot.pem.orig
    cd /etc/pki/tls/certs/
    make dovecot.pem
    cp dovecot.pem /etc/pki/dovecot/certs/
    cp dovecot.pem /etc/pki/dovecot/private/
    (make <name>.pem writes key and certificate into one file, so the copy under certs/ contains the private key too: keep it mode 0600, or copy only the certificate part there)
host-based security
  use iptables with -[!]s option
  firewall config: tcp 143, 110, 995, 993

    -A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 143 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 25 -j ACCEPT
user-based security
  use pam_listfile in /etc/pam.d/dovecot
verify service functionality
  test mailbox access: mutt -f <imap|imaps|pop|pops>://<user>@<server>

SSH
install
  yum install openssh-server
start at boot
  chkconfig sshd on
generate public / private key pair
  create public / private keys for user: ssh-keygen -t rsa
  send public key and install in server: ssh-copy-id -i .ssh/id_rsa.pub server_IP
  add or change the passphrase protecting an existing key: ssh-keygen -p
user-based security
  allow/deny user access (in /etc/ssh/sshd_config; user@host entries restrict the user to logins coming from that host):
    AllowUsers user1 user2 user3@example.com
    DenyUsers user4 user5 user6@example.com
host-based security
  • use iptables with -[!]s option
  firewall config: tcp 22
  tcp_wrappers example: sshd : 192.168.0.0/255.255.255.0
verify service functionality
  test logging in: ssh <user>@<server>

DNS (caching name server, slave name server)
install
  yum install bind-chroot caching-nameserver system-config-bind
start at boot
  chkconfig named on
setup bind with system-config-bind
  make sure there is no file /var/named/chroot/etc/named.conf
  system-config-bind (this will ask to create a new named.conf)
  now start editing: DNS Server options > right click on DNS Server > Edit
  add Forwarders > IPv4 > 192.168.0.200
  New > View > name: External > From ACL: any, to ACL: any
  once saved all other settings are migrated into the View
  right click on DNS Server or View > Add Zone > Class: Internet, Origin Type: Forward, quake.lan, Zone Type: master
  go on quake.lan > right click > Add > A, CNAME, MX, PTR records
  check DNS resolution with dig or nslookup
  open IPTABLES ports 53 UDP and TCP
basic config
  copy sample config: cp -a /var/named/chroot/etc/named.caching-nameserver.conf /var/named/chroot/etc/named.conf
  caching-only nameserver:
  • edit listen-on directives (comment out to listen on all interfaces)
  • edit allow-query directives (comment out to allow queries from everyone)
  • edit match-clients and match-destinations directives to allow recursive queries from other hosts
  • a resolver that recurses for everyone is an open resolver usable for amplification attacks; restrict recursion to your own networks with allow-recursion
  slave nameserver:
  • get slave example from /usr/share/doc/bind-*/sample/etc/named.conf

host-based security
  firewall config: tcp 53, udp 53
  allow-query example: allow-query { 192.168.0.0/16; localnets; };
  limit zone transfers to the slaves: allow-transfer { <slave ip>; };   (an axfr that succeeds from anywhere hands out the whole zone)
user-based security
  N/A
verify service functionality
  test query: dig @<server> <domain>
  test zone transfer: dig @<server> <domain> axfr

NTP
install
  yum install ntp
start at boot
  chkconfig ntpd on
host-based security
  firewall config: udp 123
  allow other servers to sync with us: restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
user-based security
  N/A
verify service functionality
  show peers: ntpq -p

RHCEs must also be able to:

configure hands-free installation using Kickstart
  yum install system-config-kickstart
  the following method seems to be the best way to go:
  1. make installation tree available
  2. create kickstart file (use system-config-kickstart to create ks.cfg)
  3. validate kickstart file (using ksvalidator)
  4. make kickstart file available
     • bootable diskette (place in top level directory)
     • bootable cdrom (place in top level directory)
     • network (http, ftp, nfs)
  5. use bootable media and supply appropriate kernel parameter
     ks=floppy:/ks.cfg
     ks=cdrom:/ks.cfg
     ks=nfs:example.com:/ks.cfg
     ks=http://example.com/ks.cfg

implement logical volumes at install-time

use iptables to implement packet filtering and/or NAT
  do not use system-config-securitylevel, as it will overwrite your custom iptables rules
  1. make changes in /etc/sysconfig/iptables (and in IPTABLES_MODULES in /etc/sysconfig/iptables-config to load conntrack modules)
  2. run /etc/init.d/iptables restart to apply changes
  packet filtering
    packet filtering example:
    -A <chain> -p <tcp/udp> -m <tcp/udp> [-s [!] <source address>] --dport <destination port> -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 631 -j ACCEPT
  NAT
    enable ip forwarding in /etc/sysctl.conf: net.ipv4.ip_forward = 1 (then sysctl -p)
    to test from another machine: ip route replace default via <ip address>
    inbound dnat: iptables -t nat -A PREROUTING -p <tcp/udp> --dport <destination port> -j DNAT --to-dest <private server>:<port>
    outbound dnat: iptables -t nat -A OUTPUT -p <tcp/udp> --dport <destination port> -j DNAT --to-dest <private server>:<port>

    masquerading: iptables -t nat -A POSTROUTING -o <outbound interface> -j MASQUERADE
    snat: iptables -t nat -A POSTROUTING -j SNAT --to-source <public server>:<port>
  setup for router to internet
    check the Deployment Guide chapter for IPTABLES syntax
    setup RH firewall with default settings using eth0 to Internet while eth1 to LAN
    vi /etc/sysctl.conf and set net.ipv4.ip_forward = 1 (apply with sysctl -p)
    add following rules from CLI:
      iptables -A FORWARD -i eth1 -j ACCEPT
      iptables -A FORWARD -o eth1 -j ACCEPT
      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.188.133:80
      iptables-save > /etc/sysconfig/iptables
    (the "-o eth1 -j ACCEPT" rule forwards anything from the internet into the LAN; tighten it to -m state --state ESTABLISHED,RELATED plus an explicit ACCEPT for the DNAT'ed port 80 to 192.168.188.133)
    add extra rules to the RH-Firewall-1-INPUT ACCEPT / DENY statements

use PAM to implement user-level restrictions
  module documentation
  • /usr/share/doc/pam-*/txts
  module configuration
  • /etc/pam.d
  • /etc/security
  line format: <module interface> <control flag> <module name> <module arguments>

  module interface   description
  auth               user authentication (e.g. verifies password, sets group membership or kerberos tickets, etc.)
  account            verifies that access is allowed (e.g. expired account?, check group membership, etc.)
  password           handles password changes
  session            manages user sessions (e.g. mount home dir, logging, create mailbox, etc.)

  control flag   description
  required       must pass, continue testing on failure
  requisite      must pass, stop testing on failure
  sufficient     failure is ignored, but if passing so far, return success at this point
  optional       pass or failure is irrelevant
  include        include another file

  pam_listfile.so example, allow/deny users if listed in /etc/special:
    auth required pam_listfile.so onerr=succeed item=user sense=<allow|deny> file=/etc/special
    (onerr takes succeed or fail and decides what happens when the file cannot be read; with sense=allow, onerr=succeed fails open, so use onerr=fail there)

Troubleshooting
  unable to log in
  • password wrong or expired?
  • account locked?
  • shell set to /sbin/nologin, /bin/false, etc.?
  • root user and PermitRootLogin no in /etc/ssh/sshd_config?
  • root user and terminal not listed in /etc/securetty?
  • non-root user and /etc/nologin exists?
  • check pam_listfile restrictions

Additional Notes
  tcp_wrappers file format: <daemon list> : <client list> [except <client list>] [: <option>]
  search order:
  1. /etc/hosts.allow
  2. /etc/hosts.deny
  3. allow by default
  searching stops on first match
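Two small decision emulators for the user-based (pam_listfile) and host-based (tcp_wrappers) controls above, so their semantics can be tried on constructed files before they are applied to a real system. This is an added example, not part of the cheat sheet. pam_listfile_check mirrors pam_listfile.so with item=user, including the onerr behaviour. tcpwrap_check mirrors the hosts_access(5) search order (hosts.allow, then hosts.deny, first match wins, nothing matched means allow); it understands only a subset of the real client syntax, which is an assumption of this example: ALL, an exact address, a dotted prefix such as 192.168.0., and "list EXCEPT list". The hosts.allow, hosts.deny and /etc/special contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: emulate the pam_listfile and
# tcp_wrappers access decisions on constructed files.

# pam_listfile_check USER SENSE ONERR FILE -> 0 (granted) or 1 (refused)
#   sense=allow: user must be listed; sense=deny: listed users are refused
#   onerr=succeed|fail: what to do when FILE cannot be read
pam_listfile_check() {
    user=$1 sense=$2 onerr=$3 file=$4
    if [ ! -r "$file" ]; then
        [ "$onerr" = succeed ]      # the list cannot be evaluated: onerr decides
        return $?
    fi
    if grep -qx "$user" "$file"; then listed=1; else listed=0; fi
    if [ "$sense" = allow ]; then [ "$listed" -eq 1 ]; else [ "$listed" -eq 0 ]; fi
}

# tcpwrap_check DAEMON CLIENT_IP ALLOWFILE DENYFILE -> 0 (allow) or 1 (deny)
_tw_match_one() {          # pattern, name -> 0 if the pattern matches
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;   # dotted prefix
        *)   [ "$1" = "$2" ] ;;
    esac
}
_tw_match_list() {         # "list [EXCEPT list]", name -> 0 if matched
    main=${1%%EXCEPT*}; exc=""
    case "$1" in *EXCEPT*) exc=${1#*EXCEPT} ;; esac
    hit=1
    for p in $main; do _tw_match_one "$p" "$2" && hit=0 && break; done
    [ "$hit" -eq 0 ] || return 1
    for p in $exc; do _tw_match_one "$p" "$2" && return 1; done
    return 0
}
_tw_file_matches() {       # file, daemon, client -> 0 if some line matches
    [ -r "$1" ] || return 1
    while IFS= read -r line; do
        line=${line%%#*}
        [ -n "$line" ] || continue
        daemons=$(echo "$line" | cut -d: -f1)
        clients=$(echo "$line" | cut -d: -f2)
        _tw_match_list "$daemons" "$2" || continue
        _tw_match_list "$clients" "$3" && return 0
    done < "$1"
    return 1
}
tcpwrap_check() {
    _tw_file_matches "$3" "$1" "$2" && return 0    # hosts.allow wins first
    _tw_file_matches "$4" "$1" "$2" && return 1    # then hosts.deny
    return 0                                        # no match: allowed
}

# access_demo -> constructed hosts.allow/hosts.deny/special files; returns 0
# when every decision comes out as the manual pages describe
access_demo() {
    d=$(mktemp -d)
    printf 'sshd : 192.168.0. EXCEPT 192.168.0.13\nvsftpd : 10.0.0.5\n' > "$d/hosts.allow"
    printf 'ALL : ALL\n' > "$d/hosts.deny"
    printf 'alice\nbob\n' > "$d/special"
    ok=0
    tcpwrap_check sshd 192.168.0.7  "$d/hosts.allow" "$d/hosts.deny" || ok=1   # prefix match
    tcpwrap_check sshd 192.168.0.13 "$d/hosts.allow" "$d/hosts.deny" && ok=1   # EXCEPT, then ALL:ALL
    tcpwrap_check sshd 10.0.0.5     "$d/hosts.allow" "$d/hosts.deny" && ok=1   # only vsftpd from here
    tcpwrap_check sshd 10.0.0.5     "$d/hosts.allow" "$d/none"       || ok=1   # no hosts.deny: allow
    pam_listfile_check alice allow fail    "$d/special" || ok=1
    pam_listfile_check carol deny  fail    "$d/special" || ok=1
    pam_listfile_check carol allow fail    "$d/special" && ok=1
    pam_listfile_check carol allow succeed "$d/missing" || ok=1   # fails open: unreadable list
    pam_listfile_check carol allow fail    "$d/missing" && ok=1   # fails closed
    rm -rf "$d"
    return $ok
}
```

Only services linked against libwrap (sshd, vsftpd and anything started through xinetd) consult hosts.allow and hosts.deny at all; for everything else the iptables -s rules above are the host-based control.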
