5. Saving open files, flushing the system cache and other necessary system maintenance
are allowed by:
Correct answer: logging off the system
6. Which directory contains the configuration files that store system and application
settings?
Correct answer: /etc
7. Which command is used to find data files, programs, directories that match the
search argument?
Correct answer: locate
8. Applications written to provide a GUI shell for Unix and Linux are called
Correct answer: x windows
9. The advantage of using NFS rather than Samba for file sharing in Linux is
Correct answer: compatibility with Windows file sharing
10. Which framework is provided for the programs to interchange information about
Linux OS?
Correct answer: Resource Definition Framework
11. When implementing a new application on an IBM z10, which of the following options
needs to be considered if it is to be implemented in Linux?
Correct answer: Red Hat Linux does not support all the devices supported by IBM
z/OS
12. Which of the following has greater market share of Linux SW/HW environment?
Correct answer: Linux on z10
13. Which of the following commands can be run to remove all the rules in an
iptables table?
Correct answer: iptables -F
14. Which of the following is the BEST way to set up SSH(Secure Shell) for
communicating between Systems without needing passwords?
Correct answer: Use ssh-keygen for generating public-private keys.
15. How much usable space is available when a Linux system is configured with a
RAID 5 array that consists of six 20 GB hard disk drives?
Correct answer: 100 GB
Formula: S*(N-1)
where S = size of one disk and N = number of disks
16. Which of the following commands can be used to check for file corruption?
Correct answer: md5sum
17. Which of the following allows secure remote command-line access?
Correct answer: SSH(Secure Shell)
18. Which of the following supports creating a Linux VPN (Virtual Private
Network)?
Correct answer: 3DES
19. Which of the following commands deletes the files in the /tmp directory when
issued by a non-root user?
Correct answer: su -c "rm -rf /tmp/*"
21. When a computer system reports problems with inodes and blocks, which of
the following is the problem and the solution to rectify it?
Correct answer: The file system has become corrupt and needs to be repaired.
23. ___________ is a common tool for determining the services and ports running on a
remote Linux system.
Correct answer: nmap
24. For supporting new diskless client workstations, which of the following services
needs to be installed on a server?
Correct answer: PXE (Preboot eXecution Environment) and tftpd
25. Which of the following will kill process 1010 when run by an administrator logged in as
a standard user? Process 1010 was started by the root user.
Correct answer: su -c "kill 1010"
26. Which of the following Linux commands could be used to find what processor
was detected on boot when a laptop system is slow?
Correct answer: POST
27. How do you update the LILO boot configuration to support a newly
installed IDE hard drive?
Correct answer: Edit lilo.conf and run "lilo -v -v"
-----------------------------------------------------
6. The head command writes the first _____________ lines of a file to the screen.
answer: ten
16. How can we find the current values of shell variables?
answer: Set command
18. What is the default number of shell commands saved in the history list of .cshrc
file?
Correct answer: 200
19. What is the difference between linux file system and windows file system?
answer: Under Windows, the various partitions are detected at boot and assigned a
drive letter, whereas under Linux, unless you mount a partition or a device, the
system does not know of the existence of that partition or device.
22. The basic function of ______________ is to search files for lines (or other units of
text) that contain a
answer: awk
23. Which of the following is/are true for the date command?
answer: It can work w/o arguments
------------------------------------------
1. echo is used to display a message on screen. Which of the following options
should be used with echo to not output the trailing newline?
answer: -n
answer: True
3. Which command is most useful when you want not only to send some data down
a pipe, but also to save a copy?
Answer: tee
5. When trying to compare two files using cmp, if the files differ; what is the output?
answer: tells the first byte and line number where they differ
answer: ping
answer: False
9. Which of the following are valid functions of Red Hat Package Manager?
12. In _____________ state of a process, the process will be terminated and the
information will still be available in the process table.
Answer: Zombie
13. Which system call is used to bias the existing property of process?
answer: bias()
answer: readline
answer: False
20. The ______________ file contains all the information of users on your system
Answer: /etc/passwd
21. Which directory is used to write messages when the kernel is loading?
answer: /var/log/messages
22. Which command is used to report on the status of the quotas that have been set,
including the amount of allocated space and the amount of used space?
answer: repquota -a
23. Linux Supports Virtualized File Systems Like RAID.
answer: True
answer: Root
25. Using CHMOD if we want to give ALL permissions to a user, which mode is
used?
answer: 777
--------------------------------------------------------------
1. What is the default UID when creating the first user (useradd)?
A: The first user created by root will always have UID 500.
User ID = uid. The uid of root is 0.
UIDs from 1 to 499 are reserved for system services such as the users apache, nagios, etc.
TROUBLESHOOTING GUIDE
# dig your-domain.com
# nslookup gw.isp.com
# more /etc/resolv.conf
5) For network troubleshooting, make sure your IP address configuration is right:
gateway, routing, hostname, etc. must all be configured. Here is a list of tools on Red Hat Linux
to verify or modify this information:
Hostname verification or setup tools
hostname : To get the hostname of the server.
hostname -s : To get the FQDN hostname of the server
more /etc/sysconfig/network : To set up the hostname; networking can be enabled or
disabled here.
dnsdomainname : List or set up the domain name.
more /etc/hosts : Make sure at least the localhost entry exists.
Ethernet configuration tools
ifconfig : To see running network card information.
ifconfig eth0 up|down : To enable|disable a network interface
service network reload|restart|stop|start : To reload (after changes made in the IP config
file)|restart|stop|start the network interface with all its properties.
route|netstat -rn : To print the routing table
ping ip-address : To see if a host is alive or dead
more /etc/modules.conf : To see whether your network card configuration alias for eth0 exists
or not.
lsmod : To list loaded modules (read as drivers); here you need to check whether the eth0
module is loaded or not; if it is not loaded, use insmod to insert (load) the driver.
dhclient : Dynamic Host Configuration Protocol client; run this if your Ethernet card
is not getting an IP from the DHCP server on startup. By default this command shows
useful information.
To see if a service is blocked because of access control
iptables -n -L : To list all iptables rules; useful to see if the firewall blocks the service or not.
service iptables stop|start : To stop|start iptables
more /etc/xinetd.conf
OR
more /etc/xinetd.d/SERVICENAME : To list the configuration of the xinetd server. Again
useful to see if xinetd-based access control blocks the service or not (xinetd includes
host-based and time-based access control)
more /etc/hosts.allow : To see the list of hosts allowed to access a service.
more /etc/hosts.deny : To see the list of hosts NOT allowed to access a service. NOTE:
TCP wrappers (hosts.allow|hosts.deny) are checked first, and then xinetd-based access
control is checked.
more /etc/path/to/application.conf : See your application's configuration file for access
control. For example smb.conf and many other applications/services have their own access
control list inside the application. You need to check that as well.
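The hosts.allow/hosts.deny evaluation order described above is easy to get wrong when debugging a blocked service, so here is an added example (not part of the guide) that evaluates a constructed hosts.allow and hosts.deny the way TCP wrappers does: hosts.allow is consulted first, then hosts.deny, and a client matched by neither is allowed. It supports only a simplified subset of the real syntax (daemon_list : client_list, with ALL, exact host/IP tokens and trailing-dot network prefixes); the policy content, daemon names and addresses are constructed.

```shell
#!/usr/bin/env bash
# Added example: evaluate TCP wrappers access decisions for a daemon/client pair.
# Simplified subset of the hosts_access(5) syntax: EXCEPT, netmasks and domain
# suffixes are not handled.

# tw_list_match LIST TOKEN KIND -> 0 if TOKEN matches an entry of the comma/space
# separated LIST. KIND is "daemon" or "client".
tw_list_match() {
    local list=$1 token=$2 kind=$3 entry
    for entry in ${list//,/ }; do
        [ "$entry" = "ALL" ] && return 0
        [ "$entry" = "$token" ] && return 0
        # client lists may use a network prefix ending in a dot, e.g. 192.168.10.
        if [ "$kind" = client ] && [ "${entry%.}" != "$entry" ]; then
            case $token in "$entry"*) return 0 ;; esac
        fi
    done
    return 1
}

# tw_file_match FILE_CONTENT DAEMON CLIENT -> 0 if any rule line matches.
tw_file_match() {
    local content=$1 daemon=$2 client=$3 line dlist clist
    while IFS= read -r line; do
        line=${line%%#*}                            # strip comments
        [ -z "${line//[[:space:]]/}" ] && continue  # skip blank lines
        dlist=${line%%:*}
        clist=${line#*:}
        clist=${clist%%:*}                          # ignore an optional third field
        if tw_list_match "$dlist" "$daemon" daemon &&
           tw_list_match "$clist" "$client" client; then
            return 0
        fi
    done <<< "$content"
    return 1
}

# tw_decide ALLOW_CONTENT DENY_CONTENT DAEMON CLIENT -> prints "allow" or "deny".
tw_decide() {
    local allow=$1 deny=$2 daemon=$3 client=$4
    if tw_file_match "$allow" "$daemon" "$client"; then echo allow; return 0; fi
    if tw_file_match "$deny" "$daemon" "$client"; then echo deny; return 0; fi
    echo allow   # matched by neither file: access is granted
}

# Constructed sample policy: the LAN may reach sshd, one host may reach vsftpd,
# and hosts.deny closes everything else.
HOSTS_ALLOW='# constructed sample hosts.allow
sshd : 192.168.10.
vsftpd : 192.168.10.50
'
HOSTS_DENY='# constructed sample hosts.deny
ALL : ALL
'

# Usage: bash tcpwrap_check.sh DAEMON CLIENT_IP   (file name is an assumption)
if [ $# -eq 2 ]; then
    tw_decide "$HOSTS_ALLOW" "$HOSTS_DENY" "$1" "$2"
fi
```

Run it with a daemon name and client address to see which file produced the decision; with the sample policy, a client outside 192.168.10.0/24 is denied only because of the final `ALL : ALL` in hosts.deny, which is why that line matters when hosts.allow is the only file that gets edited.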
1. Command Not Found Error: This is by far the most common error we encounter—
within our own servers, even—and we hear a lot about it from other users, as well. In
essence, this error is returned when you’ve created a digital boo-boo. If you’ve not
spelled a command correctly in the terminal, it won’t run. To correct this, check the
exact syntax of the command again. Likewise, if you haven’t installed the application
you’re trying to reach, it won’t happen: Same thing goes if you’re trying to access a
script in the wrong directory. More than likely, if you get this error, what’s at the core
of your problem is a classic ID10T problem.
2. Permission Denied: We’ll be upfront about this—we hate this error message more
than any other. This is because, more often than not, the issue involves chmod
settings, in which a file’s permissions have accidentally been set to 0, making them
un-editable even for the root user. To correct this, simply run the appropriate chmod
command to fix the file in question. If the error persists, next ensure you are in fact
the root user, or have entered the necessary root command.
3. No Route To Host: If you receive this error message, then you’ve more or less
lost the tubing to your server. We’re talking about SSH, but it’s possible for this error
to occur in other communication areas, as well. In essence, you’ve lost connection
with your server, and your system now has no idea where to pipe your shell
commands. To correct the issue, try running traceroute with your fingers crossed and
your eyes open.
You do not have adequate permissions to execute the command
4. The easiest way to verify your permissions is to view who you are logged on to
the server as, then look at the output of ls -l:
# id
uid=5008(cormany) gid=330(atc) groups=110(sales),201(sshd)
#
# ls -l foo
-rwxrw-r-- 1 cormany atc 75 Jun 10 18:46 foo
According to the above example, you are logged in as user cormany, and the shell
script's owner is cormany with permissions rwx (Read, Write, and Execute). This
does not appear to be the issue, so let's move on to the next possible cause.
You do not have adequate permissions to the shell you defined inside the script to
tell the script how it and the commands inside it should be interpreted
Let's take a look inside the script:
# cat foo
#!/bin/ksh.new
echo "This is a just a test"
exit 0
It looks like the script is to be interpreted as a Korn shell script, according to the first
line. By looking at the permissions of the shell used, you can verify that you can
actually use it:
# ls -l /bin/ksh.new
-r-xr-x--- 5 bin bin 289072 May 27 19:03 /bin/ksh.new
As root, correct the file permissions to the shell you attempted to use, and try again:
Switch users to root:
# su -
root's Password:
Confirm that you are root and not the original user:
# id
uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)
#
# /home/cormany/scripts/bar
This is another test
#
# ./bar
This is another test
#
# cd
#
# pwd
/home/cormany
#
# bar
ksh: bar: not found.
Everything worked perfectly except for when you change directories and try to
execute the script. There are typically three reasons for such an error message:
You do not have permissions to the file you are trying to execute.
The file simply does not exist or is not in the directory you think it should be in.
The file exists and is in the expected location, and you have sufficient permissions to
the file.
6. You do not have permissions to the file you are trying to execute
You know that this is not the issue, as you were able to execute the script by providing
the fully qualified path as well as from the command's directory. A simple check on
the file permissions should help you discover the cause of the problem:
# ls -la ~cormany/scripts
total 56
drwxr-xr-x 2 cormany atc 512 Jun 12 08:30 .
drwxr-xr-x 6 cormany atc 512 Jun 10 08:21 ..
-rwxr-xr-x 1 cormany atc 42 Sep 06 16:20 amdc
-rw-rw-rw- 1 cormany atc 154 Jan 27 23:23 atc
-rwxr-xr-x 1 cormany atc 206 Aug 04 20:57 atc.2
-rwxr-xr-x 1 cormany atc 48 Jun 12 08:21 bar
-rwxr-xr-x 1 cormany atc 87 Feb 22 16:11 pac
At first glance, you do not even have Read permission. Let's dive into the target
directory and see what is going on:
# cd ~cormany/scripts.old/cujo
ksh: /home/cormany/other_scripts: Permission denied.
#
# ls -l ~cormany/scripts.old/cujo
ls: /home/cormany/scripts.old: The file access permissions do
What just happened here? This is yet another form of permission error. The
permissions problem may not always be on the file itself but a directory in the path to
the file to be executed:
# ls -ld ~cormany/scripts.old
d--------- 2 cormany atc 512 Jan 22 08:42 /home/cormany/scripts.old
Fixing the permissions on the directory path should resolve your execution issues as
long as the file in question also has adequate permissions:
# chmod 755 ~cormany/other_scripts
#
# cd ~cormany/other_scripts
#
# ls -l cujo
-rwxr-xr-x 1 cormany atc 48 Jan 26 08:21 cujo
7. The file simply does not exist or is not in the directory you think it should be in
Again, using the command ls to perform a quick spot check should show whether the
file is there:
# ls -l ~cormany/scripts/bar
-rwxr-xr-x 1 cormany atc 48 Oct 05 08:21 /home/cormany/scripts/bar
If the file did not exist in the directory you originally thought, you would receive the
following message:
# ls -l ~cormany/scripts/bar
ls: 0653-341 The file /home/cormany/scripts/bar does not exist.
If you think the file is somewhere in user cormany’s home directory, you could
(provided you had ample permissions) search for the file with the find command:
# find ~cormany -name "bar" -ls
16409 1 -rwxr-xr-x 1 cormany atc 48 Sep 06 08:06 /home/cormany/atc/bar
590040 1 -rwxr-xr-x 1 cormany atc 48 Sep 09 08:42 /home/cormany/test/bar
The file exists and is in the expected location, and you have sufficient permissions to
the file
The previous methods of execution have been either supplying the fully qualified
path to the command in question or sitting directly in the file's directory and entering
the present working directory to execute (that is, using ./). Now that you are not in
the command's directory and are not entering the full path, let's check the value of
the PATH environment variable:
# echo ${PATH}
/usr/bin:/etc:/usr/sbin:/usr/ucb:/bin:/usr/bin/X11:/sbin:/usr/java5/jre/bin:/usr/java5/bin:/usr/ushare/bin:/usr/local/bin
Aha! The directory /home/cormany/scripts is not in your path. Again, there are two
things you could do to fix this problem:
Add ~cormany/scripts to your PATH. Although this change may be easy to make,
please keep in mind that every time you add a directory to your PATH variable, you
are requesting that the shell search through yet another directory for a command. If
you add 10 directories over time, that adds 10 more directories for the shell to search
before it reports that it could not find a file. If you still want to continue, simply
perform the following commands:
# export PATH=${PATH}:/home/cormany/scripts
#
# echo $PATH
/usr/bin:/etc:/usr/sbin:/usr/ucb:/bin:/usr/bin/X11:/sbin:/usr/java5/jre/bin:/usr/java5/bin:/usr/ushare/bin:/usr/local/bin:/home/cormany/scripts
Note: It is rarely wise to add the path to the beginning of the user's PATH variable.
Doing so could result in the execution of unwanted commands. If you feel you must
place a path at the beginning, proceed with caution.
Move (or copy) the script in question to a directory already in your PATH variable.
This can be a good solution if multiple users could benefit from the script. If this is
the case, users typically place their files in /usr/local/bin.
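The three causes walked through above (a directory on the path you cannot traverse, a file that is not where you think, a file that runs by full path but whose directory is not in PATH) can be checked in one pass. The following is an added example, not code from the article: given a path to a script, it reports which of those conditions applies, checking them in the same order the article does. Paths used in the usage line are constructed.

```shell
#!/usr/bin/env bash
# Added example: classify why a script such as ~cormany/scripts/bar fails to run.
# Prints exactly one word:
#   dir-perm     a directory on the path cannot be traversed (no x bit for you)
#   missing      no file exists at that path
#   file-perm    the file exists but you lack execute permission on it
#   not-in-path  runs by full path or ./name, but its directory is not in $PATH
#   ok           a bare name would find and run it
diagnose_exec() {
    local target=$1 dir d
    dir=$(dirname -- "$target")
    # Walk from the file's directory up towards / and test search permission on
    # each component; this is the ~cormany/scripts.old case from the article.
    d=$dir
    while [ "$d" != / ] && [ "$d" != . ]; do
        if [ -e "$d" ] && [ ! -x "$d" ]; then
            echo dir-perm
            return 0
        fi
        d=$(dirname -- "$d")
    done
    if [ ! -e "$target" ]; then
        echo missing
        return 0
    fi
    if [ ! -x "$target" ]; then
        echo file-perm
        return 0
    fi
    # Resolve the directory to its physical absolute path, then look for it in PATH.
    dir=$(cd -- "$dir" && pwd -P)
    case ":$PATH:" in
        *":$dir:"*) echo ok ;;
        *)          echo not-in-path ;;
    esac
}

# Usage: bash diagnose_exec.sh ~cormany/scripts/bar   (file name is an assumption)
if [ $# -eq 1 ]; then
    diagnose_exec "$1"
fi
```

The directory walk runs before the existence test on purpose: when a parent directory is mode 000, `test -e` on the file also fails, so checking the file first would misreport a directory permission problem as a missing file, which is exactly the confusion the `ls` error above caused.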
#
# ./bar
This is another test
#
# pwd
/home/cormany/scripts
#
# ./bar
ksh: ./bar: not found.
#
# ls -l
ls: 0653-341 The file . does not exist.
When something like this happens, it means the directory you were once working in
has been destroyed via the command rm. Simply creating a new directory with the
same name will not correct this problem, as the file descriptor is different.
More often than not, the person afflicted with this error is the same person who
caused it in another window (at least, in my case). To safeguard against such
accidents, rename the directory via the mv command. By renaming the directory, the
users in the original directory can continue to work under a different directory name, as
the file descriptor remains the same:
# ls -l
total 40
-rwxr-xr-x 1 cormany atc 42 Sep 06 16:20 amdc
-rw-rw-rw- 1 cormany atc 154 Jan 27 23:23 atc
-rwxr-xr-x 1 cormany atc 206 Aug 04 20:57 atc.2
-rwxr-xr-x 1 cormany atc 48 Jun 12 08:21 bar
-rwxr-xr-x 1 cormany atc 87 Feb 22 16:11 pac
#
# ./bar
This is another test
#
# pwd
/home/cormany/scripts
Similarly, in another session, someone renames the directory you are working in to
~cormany/scripts.20090601. Thankfully, by just moving and renaming the directory,
your work continues without issue:
# ./bar
This is another test
#
# pwd
/home/cormany/scripts.20090601
9. ./foo: /usr/bin/ls: 0403-027 The parameter list is too long.
A program has been running for months on your IBM® AIX® computer without issue.
But while the program is running, it creates a file every few minutes in the same
directory for logging. The file names begin with f. and e.. The directory is becoming
full, and the ls command is slowing down drastically on response time. That is
understandable, because the directory has so many files in it.
A few more months go by, and the AIX program continues to run consistently and
without problem. There are now 100,000 files that begin with f. and another 100,000
files that begin with e. Now, when you attempt to clean up the log directory of only
the files that begin with f., you receive the following message:
# rm ~cormany/logs/f.*
ksh: /usr/bin/rm: 0403-027 The parameter list is too long.
I guess you waited too long before cleaning up the files. No time like the present,
however.
When executing a command like rm, all arguments are validated and expanded
before execution. The example provided is looking for ~cormany/logs/f.*, which
expands to become 100,000 arguments to the command rm. In other words, instead
of rm ~cormany/logs/f.*, what is actually being executed is rm ~cormany/logs/f.1
~cormany/logs/f.2 ~cormany/logs/f.3 … ~cormany/logs/f.100000.
AIX, like other UNIX and Linux operating systems, has a set size for the number of
command-line arguments and environment variables that can be used. To view the
set size in AIX, use the command getconf. Per the man page for getconf, you should
look at ARG_MAX:
# man getconf
…
ARG_MAX
Maximum length, in bytes, of the arguments for one of the exec
…
#
# getconf ARG_MAX
1048576
This value tells you that you have 1,048,576 bytes you can use for environment
variables and command-line arguments to execute. It looks like you exceeded that.
To resolve this issue, two options are available:
Increase the amount via smitty chgsys and change ARG/ENV list size in 4K byte
blocks or via chdev. I do not recommend changing a system-wide parameter every
time you run into this type of error out of convenience: This should be the last resort.
Rather than using the command rm with 100,000 arguments, which will fail
miserably, the command find does a much better job of removing the files:
# find ~cormany/logs -name "f.*" -exec rm {} \;
The find command searches the directory for any files beginning with f. rather than
placing the burden on the shell's command line. The find command then executes rm
on each file found, thus removing every file beginning with f.
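The ARG_MAX limit and the find-based cleanup can be reproduced on a small, constructed scale. This is an added example, not the article's own code: it creates a log directory with f.N and e.N files, measures how many bytes the expanded `f.*` glob would occupy against `getconf ARG_MAX`, and then removes only the f.* files through find. It goes a little beyond the article by using `-exec rm {} +`, which batches names per rm call instead of forking one rm per file as `\;` does. The directory and file counts are constructed; no real log directory is touched.

```shell
#!/usr/bin/env bash
# Added example: measure a glob expansion against ARG_MAX and clean up via find.

# make_logs DIR COUNT: create COUNT files named f.N and COUNT named e.N,
# mimicking the logging program described in the article (constructed data).
make_logs() {
    local dir=$1 count=$2 i
    mkdir -p -- "$dir"
    for ((i = 1; i <= count; i++)); do
        : > "$dir/f.$i"
        : > "$dir/e.$i"
    done
}

# count_files DIR PATTERN: number of regular files directly in DIR matching PATTERN.
count_files() {
    find "$1" -maxdepth 1 -type f -name "$2" | wc -l | tr -d ' '
}

# argv_bytes DIR PATTERN: bytes the shell would need to pass the expanded glob as
# arguments (each path plus its terminating NUL), the quantity ARG_MAX caps.
argv_bytes() {
    local dir=$1 pattern=$2 total=0 p
    for p in "$dir"/$pattern; do
        [ -e "$p" ] || continue          # an unmatched glob stays literal: skip it
        total=$((total + ${#p} + 1))
    done
    echo "$total"
}

# would_exceed_arg_max DIR PATTERN: "yes" if the expansion alone exceeds ARG_MAX.
# Environment strings count against the same limit, so "no" is not a guarantee.
would_exceed_arg_max() {
    local limit
    limit=$(getconf ARG_MAX)
    if [ "$(argv_bytes "$1" "$2")" -gt "$limit" ]; then echo yes; else echo no; fi
}

# remove_matching DIR PATTERN: let find enumerate the files instead of the shell.
# "-exec rm {} +" passes as many names per rm as fit under the limit, so it never
# hits the error that "rm DIR/f.*" hits.
remove_matching() {
    find "$1" -maxdepth 1 -type f -name "$2" -exec rm -f -- {} +
}

demo() {
    local tmp
    tmp=$(mktemp -d)
    make_logs "$tmp" 500
    echo "f.* files: $(count_files "$tmp" 'f.*'), argv bytes: $(argv_bytes "$tmp" 'f.*')"
    echo "ARG_MAX: $(getconf ARG_MAX), exceeded: $(would_exceed_arg_max "$tmp" 'f.*')"
    remove_matching "$tmp" 'f.*'
    echo "after cleanup: f.*=$(count_files "$tmp" 'f.*') e.*=$(count_files "$tmp" 'e.*')"
    rm -rf -- "$tmp"
}

# Usage: bash argmax_demo.sh demo   (file name is an assumption)
if [ "${1:-}" = demo ]; then
    demo
fi
```

With 100,000 paths of roughly 25 bytes each the expansion is about 2.5 MB, well over the 1,048,576 bytes reported above, which is why the shell refuses before rm ever runs.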
Conclusion
After reading this article, you should have a better understanding of those common
errors you may have come across and how to resolve the problem quickly. The
errors may look simple, but when being introduced to UNIX, it is essential that you
understand the basic errors before moving ahead. Good luck on your
troubleshooting!
locate/slocate
locate tomcat.sh
locate -i springframework
Misplaced your css file?
locate style.css | less
Not sure if it was Style.css or style.css? The '-i' flag makes the search case insensitive.
locate -i style.css
Locate all hidden files
locate /.
If you pass the '-r' flag to locate you can search using regular expressions.
find
find [starting point] [search criteria] [action]
So the basic usage would be:
find . -name "*.jpg"
Explanation: find is the command, the dot '.' means start from the current directory,
and -name "*.jpg" tells find to search for files with .jpg in the name. The * is a
wildcard.
Find all css files in the '/var/www' directory.
find /var/www -name "*.css" -print
Find all files that are writable. This is handy when securing directories down.
find . -writable
Find Files by Size
Find all '.txt' files that are less than 100kb in size (the pattern is quoted so the shell does not expand it before find sees it).
find . -name "*.txt" -size -100k -ls
Find Files over a GB in size
find ~/Movies -size +1024M
Find all files that are over 40kb in size.
find . -size +40k -ls
Find Files by Time
Find all files in ‘/etc‘ that have changed in the last 24 hours.
find /etc -mtime -1
Find Files by Owner
find . -user mark
The power comes when you want to apply an action with the search. This command
will find all css files and then remove them.
find . -name "*.css" -exec rm -rf {} \;
It is worth noting that find is recursive so be very careful when using the ‘-exec‘ flag.
You could accidentally delete all css files in your computer if you are in the wrong
directory. It is always a good idea to run find by itself before adding the -exec flag.
which
This command is useful for finding out "which" binary the system would execute if
you were to type the command out. Since some programs have multiple versions
installed, the which command comes in handy to tell you which version is being used and
where it is located.
which perl
/usr/bin/perl
whereis
The whereis command does the same thing as which but it will also return the path
to source and corresponding man page.
whereis perl
perl: /usr/bin/perl /usr/share/man/man1/perl.1perl.gz
PROXY SERVER
Proxy Server
------------
- Web Content Caching
- Web Filtering
- Authentication
- Bandwidth limiting
Squid
-----
Configuration file: /etc/squid/squid.conf
Log file: /var/log/squid/access.log
Service name: squid
Structure acl:
acl
Http_access structure:
http_access ...
Example ACL
----------
1. ACL based on client IP address / source IP (src)
acl lan src 192.168.10.0/24 -> a network
acl bozz src 192.168.10.123/32 -> a single host
acl leadership src 192.168.10.200-192.168.10.250 -> an IP range
Sample http_access
------------------
http_access allow bozz
http_access deny porn
http_access deny fl_unduh
http_access allow lan jam_kerja
http_access deny all
Example configuration:
cache_dir ufs /cache 2000 16 256
# mkdir /cache
# chown -R squid.squid /cache
# squid -z -> creates the cache_dir
# service squid start
Transparent Proxy
-----------------
Gateway and proxy server on one machine.
# vim /etc/squid/squid.conf
Edit this part:
http_port 8080 transparent
---------------------------
# service squid restart
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
-i eth0 -> the interface facing the LAN
-p tcp --dport 80 -> TCP packets to port 80 are sent to the proxy
--to-port 8080 -> the proxy (squid) port
LINUX EL5 CONFIGURATIONS
###LinuxCBT EL-5 Edition###
Focuses on: RedHat Enterprise v5x
Successor to LinuxCBT EL-4 Edition, which succeeds LinuxCBT Classic Edition
Features:
1. 2.6x kernel (2.6.18)
a. 'uname -a' returns OS/Kernel information
Note: 'uname -a' returns the following useful info:
1. OS - Linux
2. Fully Qualified Domain Name (FQDN)
3. Kernel version - 2.6.18...
a. 2.6 = major version
b. .18 = minor version
c. anything else after the minor version indicates that the kernel was patched by the distributor
4. Date and time that the kernel was compiled
b. Advanced Platform
b1. supports unlimited physical CPUs
b2. supports unlimited virtual guests
Note: Virtualization limits pertain to the virtualization technology included with Red Hat Enterprise
Linux. NOT third-party software (VMWare)
Features:
1. Hands-free, automated installation
2. Scripted installation
3. Script can be used on multiple systems
Steps:
1. Open previously created 'anaconda-ks.cfg' file and modify
2. Define partitions accordingly
3. Confirm settings
4. Publish the 'ks.cfg' file to HTTP server
5. Install server using the following at the main menu:
'linux ks=http://192.168.75.100/ks.cfg'
###FTP INSTALLATION###
Steps:
1. Create FTP user account on FTP server
a. 'useradd -s /bin/false -d /srv/wwwlinuxcbt.com linuxinstall'
b. 'passwd linuxinstall'
2. Confirm FTP connectivity as the user 'linuxinstall'
11. Arrow keys (up and down) navigates through your command history
12. BASH supports tab completion:
a. type unique characters in the command and press 'Tab' key
13. You can copy and paste in GNOME terminal windows using:
a. left button to block
b. right button to paste OR Ctrl-Shift-v to paste
Pipes '|':
Features: Connects the output stream of one command to the input stream of a subsequent
command
###Command Chaining###
Features:
1. Permits the execution of multiple commands in sequence
2. Also permits execution based on the success or failure of a previous command
1. cat 123.txt ; ls -l - this runs first command, then second command without regards for exit
status of the first command
2. cat 123.txt && ls -l - this runs second command, if first command is successful
3. cat 1234.txt && ls -l
4. cat 123.txt || ls -l - this runs second command, if first command fails
24. more|less - paginators, which display text one-page @ a time
1. more /etc/fstab
2. less 1thousand.txt
Gzip:
Includes:
1. gzip - compresses/decompresses files
2. gunzip - decompresses gzip files
Tasks:
1. compress '1million.txt' file using gzip
a. gzip -c 1million.txt > 1million.txt.gz
Bzip2:
6. tar -cjvf 1million.txt.tar.bz2 1million.txt testRH5/ - creates a tar/bzip2 archive of the text file
and the 'testRH5' directory tree
###GREP###
Features:
1. The ability to parse lines based on text and/or RegExes
2. Post-processor
3. Searches case-sensitively, by default
4. Searches for the text anywhere on the line
Note: Anchors are RegEx characters (meta-characters). They're used to match at the beginning
and end of lines
8. rpm -qa | grep grep - searches the package database for programs named 'grep'
9. rpm -qa | grep -i xorg | wc -l - returns the number of packages with 'xorg' in their names
Note: Most, if not all, Linux programs log linearly, which means one line after another, from the
earliest to the current
###Awk###
Features:
1. Field/Column processor
2. Supports egrep-compatible (POSIX) RegExes
3. Can return full lines like grep
4. Awk runs 3 steps:
a. BEGIN - optional
b. Body, where the main action(s) take place
c. END - optional
5. Multiple body actions can be executed by separating them using semicolons. e.g. '{ print $1;
print $2 }'
6. Awk, auto-loops through input stream, regardless of the source of the stream. e.g. STDIN,
Pipe, File
Usage:
1. awk '/optional_match/ { action }' file_name | Pipe
2. awk '{ print $1 }' grep1.txt
Note: Use single quotes with awk, to avoid shell interpolation of awk's variables
4. awk '/linux/ { print } ' grep1.txt - this will print ALL lines containing 'linux'
6. awk '{ if ($2 ~ /8/) print }' /var/log/messages - this will print the entire line for log items for the 8th
7. awk '{ print $3 }' /var/log/messages | awk -F: '{ print $1}'
Usage:
1. sed [options] 'instruction[s]' file[s]
2. sed -n '1p' grep1.txt - prints the first line of the file
3. sed -n '1,5p' grep1.txt - prints the first 5 lines of the file
4. sed -n '$p' grep1.txt - prints the last line of the file
5. sed -n '1,3!p' grep1.txt - prints ALL but lines 1-3
6. sed -n '/linux/p' grep1.txt - prints lines with 'linux'
7. sed -e '/^$/d' grep1.txt - deletes blank lines from the document
8. sed -e '/^$/d' grep1.txt > sed1.txt - deletes blank lines from the document 'grep1.txt' and
creates 'sed1.txt'
Note: Generally, to create new files, use output redirection, instead of allowing sed to write to
STDOUT
###Perl###
Features:
1. Parses text
2. Executes programs
3. CGI - Web forms, etc.
4. Supports RegExes (Perl and POSIX)
5. etc.
Task:
1. Print 'Hello World' to STDOUT
a. perl -c helloworld.pl - checks the syntax of the script
b. perl helloworld.pl - executes the script
c. chmod +x helloworld.pl && ./helloworld.pl
###System Utilities###
Features:
1. Process listing
2. Free/available memory
3. Disk utilization
1. ps - process status/listing
a. ps -ef or ps -aux
6. vmstat - reports on: processes, memory, paging, block I/O, traps, CPU activity
a. vmstat
b. vmstat -p /dev/hda1 - returns partitions stats for /dev/hda1 (/boot)
###User/Group Management###
Features:
1. The ability to control users and groups
Primary tools:
1. useradd - used to add users and modify group membership
2. system-config-users
Task:
1. Create a user named 'student1' using 'useradd'
Fields in /etc/shadow:
student1:$1$XSFMv2ru$lfTACjN.XxaxbHA0EkB4U0:13891:0:99999:7:::
1. username:
2. encrypted_password:
3. Days_since_Unix_epoch_password_was_changed (01/01/1970)
4. Days before password may be changed
5. Days after which the password MUST be changed
6. Days before password is to expire that user is warned
7. Days after password expires, that account is disabled
8. Days since Unix epoch, that account is disabled
9. Reserved field (currently unused)
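To make the nine fields concrete, here is an added example (not from the notes) that splits the /etc/shadow line quoted above, names the hash algorithm from the `$id$` prefix of field 2, converts field 3 from days since the epoch to a date, and flags the two things an auditor would notice in this entry: an MD5-crypt hash and a maximum password age of 99999 days. The sample line is the one from the notes; which findings to report is this example's own assumption, not a RHEL default.

```shell
#!/usr/bin/env bash
# Added example: parse a shadow(5) entry and report audit findings.

# Sample entry taken from the notes above.
SAMPLE_SHADOW='student1:$1$XSFMv2ru$lfTACjN.XxaxbHA0EkB4U0:13891:0:99999:7:::'

# shadow_field LINE N: print field N (1-9) of a shadow entry.
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# shadow_hash_algo LINE: name the hash from the $id$ prefix of field 2.
shadow_hash_algo() {
    local hash
    hash=$(shadow_field "$1" 2)
    case $hash in
        '')        echo none ;;      # empty: no password is required to log in
        '!'*|'*'*) echo locked ;;    # ! or *: password login disabled
        '$1$'*)    echo md5 ;;
        '$5$'*)    echo sha256 ;;
        '$6$'*)    echo sha512 ;;
        '$y$'*)    echo yescrypt ;;
        *)         echo unknown ;;
    esac
}

# days_to_date DAYS: convert a days-since-epoch field to YYYY-MM-DD
# (GNU date syntax first, BSD date as a fallback).
days_to_date() {
    local secs=$(( $1 * 86400 ))
    date -u -d "@$secs" +%F 2>/dev/null || date -u -r "$secs" +%F
}

# shadow_findings LINE: one finding per line; no output means nothing was flagged.
shadow_findings() {
    local line=$1 algo max
    algo=$(shadow_hash_algo "$line")
    max=$(shadow_field "$line" 5)
    case $algo in
        none)    echo "empty password field: login without a password" ;;
        md5)     echo "MD5-crypt hash (\$1\$): weak, rehash with sha512 or yescrypt" ;;
        unknown) echo "unrecognised hash format" ;;
    esac
    # 99999 in field 5 is the conventional "never expires" value
    [ "$max" = 99999 ] && echo "max password age 99999: password never expires"
    return 0
}

# Usage: bash shadow_audit.sh demo   (file name is an assumption)
if [ "${1:-}" = demo ]; then
    for n in 1 2 3 4 5 6 7 8 9; do
        printf '%d: %s\n' "$n" "$(shadow_field "$SAMPLE_SHADOW" "$n")"
    done
    echo "last change: $(days_to_date "$(shadow_field "$SAMPLE_SHADOW" 3)")"
    shadow_findings "$SAMPLE_SHADOW"
fi
```

Field 3 of the sample, 13891, converts to 2008-01-13, which agrees with the `Jan 13` timestamp on regextest.pl later in these notes; reading /etc/shadow itself requires root, so the function takes the line as an argument rather than opening the file.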
Groups:
1. groupadd - adds new group
2. groups - lists groups on the system: /etc/group
/etc/group - maintains group membership information
Task: Create a 'sales' group and add 'linuxcbt' and 'student1' as members
1. groupadd sales
2. usermod -G sales linuxcbt
3. usermod -G sales student1
Note: use 'ls -l' to examine permissions or GUI application like 'Nautilus'
Task:
1. Manipulate file permissions using 'chmod'
a. chmod -x regextest.pl
chmod +/- u+x file - updates owner's execute permissions on the file
chmod +/- o+x file - updates other's execute permissions on the file
chmod +/- g+x file - updates group's execute permissions on the file
Task:
Update 'regextest.pl' so that owner and group owner may modify the file
SETUID:
Features:
1. ability to execute file as owner
chmod 4760 regextest.pl - this will ensure that the perl script always executes as the user
'linuxcbt'
-rwsrw---- 1 linuxcbt sales 787 Jan 13 16:08 regextest.pl
's' in the execute position means that the program will execute as that user
SETGID:
Features:
1. Ability to enforce permissions to a directory structure
mkdir /sales
chmod 2775 /sales
chgrp:
Permits updating of group permissions
Sticky Bit:
Features:
1. Ability to ensure that users cannot delete others' files in a directory
chmod 3777 /sales - ensures that /sales will not lose files from incorrect users
Task:
1. Set '/sales' using sticky bit and test
a. chmod 3777 /sales && ls -ld /sales OR chmod 777 /sales && chmod +t /sales
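The three special bits above (setuid 4, setgid 2, sticky 1) are the leading digit of a four-digit mode such as 4760 or 3777. As an added example, not code from the notes, the block below decodes that digit from a mode or from a live path and builds a shared group directory in the style of /sales (group-writable, setgid, sticky) under a temporary path; the temporary path and group are constructed. One caveat worth knowing when reading the regextest.pl line above: the Linux kernel ignores the setuid bit on scripts run through a #! interpreter, so the mode is decoded here only to show what the bits mean.

```shell
#!/usr/bin/env bash
# Added example: decode setuid/setgid/sticky bits and create a shared directory.

# special_bits OCTAL: print the special bits present in an octal mode such as
# 3775 or 4760, space separated, or "none".
special_bits() {
    local mode=$1 special out=""
    # stat prints 3 digits when no special bit is set and 4 when one is
    if [ ${#mode} -ge 4 ]; then special=${mode:0:1}; else special=0; fi
    [ $(( special & 4 )) -ne 0 ] && out="$out setuid"
    [ $(( special & 2 )) -ne 0 ] && out="$out setgid"
    [ $(( special & 1 )) -ne 0 ] && out="$out sticky"
    out=${out# }
    echo "${out:-none}"
}

# path_mode PATH: octal mode of PATH (GNU stat first, BSD stat as a fallback).
path_mode() {
    stat -c %a -- "$1" 2>/dev/null || stat -f '%Mp%Lp' "$1"
}

# path_group PATH: group name owning PATH.
path_group() {
    stat -c %G -- "$1" 2>/dev/null || stat -f %Sg "$1"
}

# make_shared_dir PATH GROUP: the /sales pattern from the notes. Mode 3775 is
# rwxrwsr-t: group members may write, setgid makes new files take the
# directory's group, sticky stops users deleting each other's files.
make_shared_dir() {
    mkdir -p -- "$1"
    chgrp -- "$2" "$1"
    chmod 3775 -- "$1"
}

# Usage: bash shared_dir_demo.sh demo   (file name is an assumption)
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_shared_dir "$tmp/sales" "$(id -gn)"
    : > "$tmp/sales/report.txt"
    echo "mode $(path_mode "$tmp/sales") -> $(special_bits "$(path_mode "$tmp/sales")")"
    echo "new file group: $(path_group "$tmp/sales/report.txt")"
    rm -rf -- "$tmp"
fi
```

The demo uses the caller's primary group so it runs as an unprivileged user; on a real system the group would be the one created with `groupadd sales`, and the kernel only keeps the setgid bit on a directory whose group the setting user belongs to.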
###Symlinks###
Features:
1. Provides shortcuts to files (including directories)
2. Provides hard links to inode (file system) locations
Soft Links:
1. ln -s source_file target
a. ln -s ./regextest.pl lastscript.pl
2. ln -s /home/linuxcbt/testRH5/regextest.pl . - this will symlink (soft) to the /boot file system
Note: With soft links, if you change the name or location of the source file, you will break ALL of
the symlinks (soft)
Hard Links:
Features:
1. The ability to reference the same inode/hard drive location from multiple places within the
same file system
a. ln source target
ln regextest.pl ./testhardregextest.pl - creates a hard link
###Quotas###
Features:
1. Limits disk usage (blocks or inodes)
2. Tied to file systems (set on a per file system basis)
3. Can be configured for users and groups
6. Report on usage
a. repquota -a - this reports on usage
Note: The blocks are measured in 1K increments. i.e. 20000 blocks is roughly 20MB
Steps:
1. Identify available storage
a. 'fdisk -l' - returns connected storage
Note: use 'partprobe <partition>' (e.g. partprobe /dev/sdb1) to force an update of a hard drive's partition table on a running system
4. Mount the file system in the Linux file system hierarchy:
a. mkdir /home1 && mount /dev/sdb1 /home1
b. mount OR df -h - either will reveal that /dev/sdb1 is mounted
Steps:
1. Identify current swap space
a. swapon -s - enumerates partitions and/or files, which constitute swap storage
b. free -m
3. Create the swap file system on the raw partition: /dev/sdb2
a. mkswap /dev/sdb2
Task:
1. Improve system performance by distributing swapping to /dev/sdb2
a. swapon /dev/sdb2
b. swapoff /dev/sda6
c. disable /dev/sda6 via /etc/fstab
Task:
1. Create 512MB swap file
a. dd if=/dev/zero of=/home1/swapfile1 bs=1024 count=524288
b. mkswap /home1/swapfile1 - overlays swap file system
c. swapon /home1/swapfile1 - makes swap space available to the kernel
2. Ensure that when the system reboots, the swap file is made available to the kernel
a. nano /etc/fstab - /home1/swapfile1 swap swap defaults 0 0
Note: Volume groups join: physical volumes (PVs) and Logical Volumes (LVs)
Note: Be certain to update: /etc/fstab so that volumes are mounted when the system reboots
Note: You may resize file systems online if the following are met:
1. 2.6.x kernel series
2. MUST be formatted with ext3
Note: Check disk utilization prior to shrinking to reduce the risk of losing data
###RAID###
Features:
1. The ability to increase availability and reliability of data
Tasks:
1. Create a RAID-1 Device (/dev/md0..n)
a. fdisk /dev/sdb - to create usable raw partitions
b. partprobe /dev/sdb - to force a kernel update of the partition layout of the disk: /dev/sdb
c. mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdb5 /dev/sdb6
d. cat /proc/mdstat - lists active RAID (md) information
e. mke2fs -j /dev/md0 - overlays a file system on the RAID device
f. mount /dev/md0 /raid1
g. update: /etc/fstab
Note: use 'mdadm --query /dev/md0' to get information about a RAID device
###RPM###
Features:
1. Provides package management
a. Query
b. Install
c. Uninstall
d. Upgrade
e. Verify
2. Auto-verifies packages using GPG, MD5, SHA1SUMs
3. Automatically reports on unresolved dependencies
'rpm'
Query:
1. rpm -qa - dumps all installed packages
2. rpm -qa | wc -l - this dumps all packages and provides a count
3. rpm -qa | grep -i nano
4. rpm -qi nano - dumps info about the 'nano' package as it's recorded in the local RPM database
5. rpm -qf /usr/bin/nano - dumps package membership info for the 'nano' file
6. rpm -qpi http://192.168.75.100/RH5/i386/Server/dhcp-3.0.5-7.el5.i386.rpm - dumps info about the uninstalled 'dhcp' package, which resides on the repository
7. rpm -ql package_name - returns all included files
Verify:
1. rpm -Va - verifies ALL packages on the system, returning info only if there are discrepancies from the original installation
SM5....T /usr/bin/nano
Removal:
1. rpm -ev package_name - removes a package
Note: the removal process considers dependencies and will complain if the removal will break 1 or more packages. To get around this, use the '--nodeps' option: 'rpm -ev --nodeps package_name'
###YUM Configuration###
Features:
1. The ability to centralize packages (updates)
Note: Ensure that about 3 GB are available for the yum repository
Yum Usage:
1. Search for packages
a. 'yum search gftp'
###Cron - Scheduler###
Features:
1. Scheduler
2. Rules (Cron entries) are based on times:
a. minute (0-59)
b. hour (0-23)
c. day of the month (1-31)
d. month (1-12)
e. day of the week (Sun,Mon,Tue, etc. OR 0-7)
f. command to execute (shell, perl, php, etc.)
3. Wakes up every minute in search of programs to execute
4. Reads cron entries from multiple files
5. Maintains per-user and system-wide (/etc/crontab) schedules
/etc:
cron.d/
cron.deny - denies cron execution by user
cron.monthly/ - runs jobs monthly
cron.weekly/ - runs jobs weekly
cron.daily/ - runs jobs daily
cron.hourly/ - runs jobs hourly
crontab - contains system-wide schedules
Note: '*' wildcard in a time column means to run for all values
Per-user Crontabs:
Stored in: /var/spool/cron
Task:
1. Create a cron entry for the user 'student1'
a. su student1
b. crontab -e
c. create an entry, minus the name of the user
System-wide Crontab:
Stored in: /etc/crontab
Task:
1. Create a cron entry in: /etc/crontab
###SysLogD###
Features:
1. Handles logging
2. Unix Domain Sockets (/dev/log)
3. Internet Sockets (UDP:514)
4. Ability to log to local and remote targets
2. Targets
a. file - /var/log/messages
b. tty - /dev/console
c. remote hosts - @IP_ADDR_of_REMOTE_HOST
Task:
1. Enable UDP logging for remote Cisco gateway (192.168.75.1)
a. netstat -nul | grep 514 - reveals UDP:514 listener
b. nano /etc/sysconfig/syslog
b1. 'SYSLOGD_OPTIONS="-r"'
c. restart syslog and confirm UDP:514 listener
c1. confirm using 'netstat -nul | grep 514'
d. Configure the router using facility 'local0' and level 'info'
e. configure /etc/syslog.conf to accept 'local0.info'
f. restart or reload 'syslog'
###Log Rotation###
Features:
1. Rotation of logs based on criteria
a. size
b. age (daily, weekly, monthly)
2. Compression
3. Maintain logs for a defined period
/var/log/httpd/*log {
missingok
notifempty
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
endscript
}
PING:
Features:
1. ability to communicate with hosts using ICMP
a. PING sends ICMP echo-requests
b. PING expects to receive ICMP echo-replies
3. ping -c 3 192.168.75.199
4. ping -c 3 -i 3 192.168.75.199 - delays PINGs to 3 seconds apart
TELNET:
Features:
1. Great for basic TCP port diagnosis
Task:
1. Connect to TCP ports on various hosts
a. telnet 192.168.75.100 22
b. telnet www.linuxcbt.com 80
NETSTAT:
Features:
1. Provides network connection information from /proc/net/*
Task:
1. Return useful information for various protocols
a. netstat
b. netstat -a - returns all protocols/sockets
c. netstat -ntlp - returns all TCP listeners (with owning PIDs/programs) without name resolution
d. netstat -nulp - returns all UDP listeners (with owning PIDs/programs) without name resolution
ARP:
Features:
1. Resolves layer-3 IP addresses to layer-2 (OSI model) MAC addresses
Task:
1. Examine MAC addresses using: ifconfig and arp
a. ifconfig - returns our local MAC addresses
Link encap:Ethernet HWaddr 00:02:B3:98:41:08
b. arp -a - returns MAC to IP mappings
Note: When 2 TCP/IP hosts communicate, ARP is performed to translate the IP address (v6/v4) to a MAC address.
Note: If one or more routers separate the communicating hosts, then the MAC address of the default router's (gateway's) interface is stored by each client
Network Support:
1. Boot system into a multi-user mode
2. /etc/modprobe.conf - contains alias and reference to module(s) to be loaded in order to
provide networking
3. Linux decides if the interface is DHCP or static by viewing the contents of:
a. /etc/sysconfig/network - networking=yes|no, IPv6_Support, Default Gateway, etc.
b. /etc/sysconfig/network-scripts/ifcfg-eth0 - contains ifup, ifdown, and ifcfg-* scripts
c. /etc/init.d/network - main service
Note: Either update your net configuration manually from the shell, or use the 'system-config-network*' tools, to avoid losing settings
/etc/resolv.conf - DNS configuration file
/etc/hosts - static list of hosts
IPv4 Aliases:
1. ifconfig eth0:1 192.168.75.11
2. ifconfig eth0:2 10.168.76.11
IPv6 Config:
Features:
1. Auto-configured by default gateway (router)
2. fe80:: - link-local address (loopback/local subnet address)
3. 2002:: - 6to4 address, that can be configured based on IPv4 embedded address, using HEX
notation
###Kernel Upgrade###
Features:
1. Provision of updated/patched kernel
Task:
1. Update the kernel
a. use 'uname -a' to reveal current version
b. use 'rpm -qa | grep -i kernel' - to reveal installed version
c. cat /etc/grub.conf (symlink to /boot/grub/grub.conf) - also reveals the installed kernel versions
Install:
a. rpm -ivh kernel-2.6.18-53.el5.i686.rpm
Note: This will update GRUB (/boot/grub/grub.conf)
Note: Will also place the new kernel in the /boot file system
/usr/sbin/ntsysv:
Usage:
1. ntsysv - manages services in the current run-level
2. ntsysv 35 - manages services for run-levels 3 & 5
Chkconfig Usage:
1. chkconfig --list ntpd - returns run-level environment for 'ntpd'
Note: items listed as 'off' have K (kill) scripts
Note: items listed as 'on' have S (start) scripts
Note: When controlling services using 'chkconfig', reference the name of the service as it's
specified in: /etc/init.d
NTP Strata:
Features:
1. The ability to denote clock accuracy based on stratum
2. Stratum 1 is the most accurate, as an NTP server at this level is connected to an external time source (GPS, radio, etc.)
Task:
1. Synch against internal NTP server
a. /etc/ntp.conf
a1. server 192.168.75.100
b. service ntpd start - this starts the 'ntpd' service
c. chkconfig ntpd on
d. ntpq -np - this queries the running 'ntpd' server
Note: Ideally, you should supply your: /etc/ntp.conf file with at least 3 clocks for:
1. Accuracy
2. Redundancy
Tasks:
1. Install TFTP client
a. yum -y install tftp
2. Install TFTP server
a. yum -y install tftp-server
Note: this also installs the 'xinetd' dependency
Tasks:
1. Install 'vsftpd'
a. yum -y install vsftpd
3. Configure service to start when system boots into multi-user runlevel
a. chkconfig vsftpd on
b. chkconfig --list vsftpd
###LFTP###
Features:
1. Sophisticated FTP client
2. Provides connectivity:
a. FTP
b. HTTP/HTTPS
c. SFTP(SSHv2)
3. Interactive and non-interactive client
4. Supports scripting
5. Reads system-wide (/etc/lftp.conf) and per-user config files (~/.lftprc)
6. Behaves like the BASH shell
a. Command history
b. Permits execution of background jobs. Use CTRL-Z to background.
c. Tab completion
7. Supports mirroring (forward and reverse) of content
8. Supports FTP retransmit/reconnect from where you left off
9. Supports bookmarks of sites
10. Supports escape to shell using '!command' e.g. '!bash'
11. Supports the execution of BASH programs '!command' e.g. '!ps -ef'
Usage:
1. lftp - enters interactive mode
a. 'set -a' - reveals all variables
6. mirror -v mirror/ - mirrors a remote directory named 'mirror' to the local system
7. mirror -Rv mirror/ - Reverse mirror (puts) - items to remote server
###Telnet Server###
Features:
1. Shell interface on remote system
2. Binds to TCP:23
Caveat:
1. Clear-text based application (credentials are transmitted in the clear)
2. By default, 'root' is NOT permitted access via telnet-server - /etc/securetty
Requirements:
1. xinetd - installed automatically via yum
Tasks:
1. Connect to both systems from either system using 'telnet' client
a. telnet 192.168.75.199 - This will allocate a free pseudo-terminal, if the user authenticates successfully
Note: By default, telnet-server reads and displays the contents of: /etc/issue
2. Leases the addresses and related information based on predefined values:
a. 1 day
b. 1 week
c. 1 month
3. DHCP uses UDP protocol and layer-2 information to request/assign addresses
Tasks:
1. Install DHCP server
a. yum -y install dhcp
###BIND DNS###
Features:
1. Name-to-IP address mapping
2. Name resolution for DNS clients
3. Caching-only server (Default)
4. Primary DNS server
5. Slave server
6. Replication of DNS database information between servers
7. Dynamic DNS updates
8. Provides numerous client tools: nslookup, dig, host
Tasks:
1. Installation of BIND on the remote system: linuxcbtserv4
a. yum -y install bind
Note: The server has cached: www.linuxcbt.com, evidenced by the decrementing TTL values for the various records associated with the zone
Note: /etc/resolv.conf controls the DNS servers that are consulted by lookup tools such as: web browser, GFTP, LFTP, nslookup, dig, host, etc.
Note: DNS is organized into an inverted tree, with '.' representing the root of the DNS tree. e.g. dig mail1.linuxgenius.com.
- . = root
- .com = top level
- .linuxgenius = second level
- mail1 = third level
Note: A trailing '.' in a DNS query is implied, and may optionally be indicated if desired in any standard Internet application (web browser, FTP client, wget, nslookup, dig, host, etc.)
Tasks:
1. Create internal zone named 'linuxcbt.internal'
a. modify /etc/named.conf to include the new zone
zone "linuxcbt.internal" {
type master;
#allow-update { key ddns_key; };
file "linuxcbt.internal.db";
};
Reverse Zones:
Features:
1. The ability to resolve a name, given an IPv4 or IPv6 address
Tasks:
1. Define an IPv4 reverse zone for the local subnet:
a. Define zone name: '75.168.192.in-addr.arpa' - /etc/named.conf
b. Update: /etc/named.conf
c. Create zone file in: /var/named
d. Update configuration
e. Restart named
f. test using 'dig -x 192.168.75.1'
Note: Reverse zones are built from the prefix in IPv4 subnets
Note: IPv6 reverse zone names are in nibble format, with ALL zeros expanded for the network prefix portion of the address, which is usually 64 bits in length
2. /var/named/zone_file
a. Include entries using the last 64-bits or IPv6 host part
Note: When creating reverse IPv6 entries for hosts, do the following:
a. reverse the 64-bit portion of the address that corresponds to the host, expanding all zeros
b. Create PTR record based on the reverse, nibble-format of the address
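Added example, not from the course notes: POSIX sh plus awk functions that derive the reverse-zone and PTR owner names described above (the lab's '75.168.192.in-addr.arpa' for a /24, and nibble-format ip6.arpa names with every zero expanded for a /64 or a host), so the names typed into /etc/named.conf and the zone file can be generated instead of reversed by hand. It goes slightly beyond the notes by taking any prefix length that falls on an octet (IPv4) or nibble (IPv6) boundary.

```sh
#!/bin/sh
# Added example, not part of the course notes: build in-addr.arpa / ip6.arpa
# names from an address and a prefix length. Uses only POSIX sh and awk.

# IPv4: reverse the first bits/8 octets of a prefix, e.g. 192.168.75.0 24
# gives 75.168.192.in-addr.arpa. Fails (exit 1) on a malformed address.
ipv4_reverse_zone() {
    printf '%s\n' "$1" | awk -v bits="$2" '{
        n = split($0, o, ".")
        keep = int(bits / 8)             # whole octets covered by the prefix
        if (n != 4 || keep < 1 || keep > 4) exit 1
        out = ""
        for (i = keep; i >= 1; i--) out = out o[i] "."
        print out "in-addr.arpa"
    }'
}

# IPv4 host: all four octets reversed (a /32), the PTR record owner name.
ipv4_ptr_name() { ipv4_reverse_zone "$1" 32; }

# IPv6: expand "::" to eight 4-nibble groups (every zero written out), then
# emit the first bits/4 nibbles in reverse order. 128 bits gives the full PTR
# owner name of one host; 64 bits gives the reverse zone for a /64 prefix.
ipv6_reverse_zone() {
    printf '%s\n' "$1" | awk -v bits="$2" -F '::' '{
        nl = ($1 == "") ? 0 : split($1, L, ":")               # groups left of ::
        nr = (NF < 2 || $2 == "") ? 0 : split($2, R, ":")     # groups right of ::
        fill = (NF >= 2) ? 8 - nl - nr : 0                    # groups hidden by ::
        g = 0
        for (i = 1; i <= nl; i++)   G[++g] = L[i]
        for (i = 1; i <= fill; i++) G[++g] = "0"
        for (i = 1; i <= nr; i++)   G[++g] = R[i]
        if (g != 8) exit 1                                    # not a valid address
        hex = ""
        for (i = 1; i <= 8; i++) {
            grp = tolower(G[i])
            while (length(grp) < 4) grp = "0" grp             # pad each group to 4 nibbles
            hex = hex grp
        }
        keep = int(bits / 4)
        if (keep < 1 || keep > 32) exit 1
        out = ""
        for (i = keep; i >= 1; i--) out = out substr(hex, i, 1) "."
        print out "ip6.arpa"
    }'
}

# IPv6 host: all 32 nibbles reversed, the PTR record owner name.
ipv6_ptr_name() { ipv6_reverse_zone "$1" 128; }
```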
Tasks:
1. Export a directory on the server using: /etc/exports
a. /path_to_directory IP_ADDR(rw)
b. /nfs1 192.168.75.10(rw)
c. mkdir /nfs1
d. start NFS server - 'service nfs start'
e. Confirm export(s) - 'exportfs -v'
Note: NFS matches remote user's UID to local /etc/passwd to determine ACLs
4. Allow local 'root' user the ability to write to /nfs1 export
a. /etc/exports: (rw,no_root_squash)
###AutoFS###
Features:
1. Automatically mounts file systems (NFS, local, SMBFS, etc.) upon I/O request
Requirements:
1. autofs-*rpm must be installed
Task:
1. Create an automount for /shares, which will mount /nfs1 & /nfs2
a. update /etc/auto.master - '/shares /etc/auto.shares'
b. cp /etc/auto.misc /etc/auto.shares
c. update the rules in /etc/auto.shares
d. Create AutoFS tree: /shares/
e. Restart the autofs service
f. Unmount: /nfs1 & /nfs2 if necessary
Note: Do NOT auto-mount directories that are already mounted
g. Test access to AutoFS controlled directory
g1. 'ls -l /shares/nfs1'
###Samba ###
Features:
1. Provides Windows features (file & print) on Linux | Unix
Clients:
1. findsmb - finds SMB hosts on the network
2. smbtree - equivalent to Network Neighborhood/My Network Places (prints workgroups, hosts, and shares)
3. smbget - similar to 'wget', in that, it will download files from the remote share
a. smbget -u dean smb://linuxcbtwin1/mtemp/20070524_SAN_Allocations.ods
Samba Server:
/etc/samba/smb.conf - primary config file
Note: Ultimately, users must authenticate to the local Linux file system
Task:
1. Install SWAT
a. yum -y install samba-swat
b. nano /etc/xinetd.d/swat - set 'disable = no'
c. service xinetd restart
d. netstat -ntl | grep 901
Winbind:
Features:
1. Windows AD integration
2. Avoids having to define users in 2 places: Windows, Linux
3. Uses Kerberos for authentication
Requirements:
1. krb5-* packages
2. Properly configured Kerberos environment:
a. /etc/krb5.conf
[libdefaults]
default_realm = AD2.LINUXCBT.INTERNAL
[realms]
AD2.LINUXCBT.INTERNAL = {
kdc = linuxcbtwin3.ad2.linuxcbt.internal
admin_server = linuxcbtwin3
}
[domain_realm]
.linuxcbtwin3.ad2.linuxcbt.internal = AD2.LINUXCBT.INTERNAL
Steps:
1. Update: /etc/krb5.conf
2. Update Samba configuration to use ADS authentication
3. Update Samba server's DNS to point to ADS server
a. /etc/resolv.conf
b. /etc/hosts - including a pointer to the ADS server (linuxcbtwin3)
c. /etc/nsswitch.conf
passwd: files winbind
group: files winbind
Task1:
1. Authenticate using ADS, as 'administrator' from Windows box
2. Create a user named 'linuxcbt' in AD
3. Create shared directory on the Samba box, and provide access (Share it)
###Apache Web Server###
Features:
1. WWW Web Server
2. Modular
Tasks:
1. Install Apache 2.2x
a. httpd*rpm
Note: Every directory outside of the 'DocumentRoot' should have at least one <Directory> directive defined.
Note: The parent Apache process runs as 'root' and can see the entire file system
Note: However, child processes run as 'apache' and can only see files/directories that 'apache:apache' can see
4. Create an Alias for content outside of the web root (/var/www/html)
a. Alias /testalias1 /var/www/testalias1
<Directory /var/www/testalias1>
AllowOverride None
Order allow,deny
Allow from all
</Directory>
5. Ensure that Apache will start when the system boots
a. chkconfig --level 35 httpd on && chkconfig --list httpd
Tasks:
1. Create IP Based Virtual Hosts
a. ifconfig eth0:1 192.168.75.210
b. Configure the Virtual Host (one container per IP alias; Order/Allow belong inside a <Directory> block):
<VirtualHost 192.168.75.210:80>
ServerAdmin webmaster@linuxcbtserv4.linuxcbt.internal
ServerName site1.linuxcbt.internal
DocumentRoot /var/www/site1
<Directory /var/www/site1>
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
# second IP-based site; its IP alias is not given in the notes
<VirtualHost SITE3_IP_ALIAS:80>
ServerAdmin webmaster@linuxcbtserv4.linuxcbt.internal
ServerName site3.linuxcbt.internal
DocumentRoot /var/www/site3
<Directory /var/www/site3>
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Requirements:
1. httpd
2. openssl
3. mod_ssl
4. crypto-utils (genkey) - used to generate certificates/private keys/CSRs
a. also used to create a self-signed certificate
Tasks:
1. Install the requirements
a. mod_ssl - module for Apache, which provides SSL support
yum -y install mod_ssl
/etc/httpd/conf.d/ssl.conf - includes key SSL directives
Note: For multiple SSL sites, copy the /etc/httpd/conf.d/ssl.conf file to distinct files that match your distinct IP-based VHosts
###MySQL###
Features:
1. DBMS Engine
2. Compatible with various front-ends:
a. Perl
b. PHP
c. ODBC
d. GUI Management
Tasks:
1. Install MySQL Client & Server
a. yum -y install mysql
Note: mysql command-line options ALWAYS override global (/etc/my.cnf), and/or local
(~/.my.cnf) configuration directives
Tasks:
1. Install Postfix
a. yum -y install postfix
Features:
1. Mail retrieval using standard protocols
2. Common package: dovecot
3. Supports both: mbox (/var/spool/mail/username) & Maildir formats
4. Supports SSL: POP3S & IMAPS
Tasks:
1. Install dovecot
/etc/dovecot.conf - primary config file
/etc/pki/dovecot/dovecot-openssl.cnf - SSL config
Note: Default configuration binds to:
a. POP3 - downloads messages to client
b. POP3S
c. IMAP - leaves messages on server
d. IMAPS
E-mail flow: mutt -> sendmail -> Postfix queue -> remote system -> POP3|IMAP
Tasks:
1. Install Squirrelmail with support via Apache
a. Download from squirrelmail.org - *.bz2
b. Confirm the MD5SUM
c. Copy the *.bz2 file to the Apache server
d. yum -y install php php-imap - installs PHP support for Apache/IMAP
e. mkdir /var/www/mail
f. Extract Squirrelmail to: /var/www/mail
g. Optionally, create symlink named 'mail' to point to the SquirrelMail version
h. Create the Apache Virtual Host (the address to bind is not given in the notes)
<VirtualHost MAIL_VHOST_ADDRESS:80>
ServerAdmin webmaster@mail.linuxcbt.internal
ServerName mail.linuxcbt.internal
DocumentRoot /var/www/mail
<Directory /var/www/mail>
Options FollowSymLinks
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
i. Restart Apache
j. Configure SquirrelMail defaults: /var/www/mail/mail/config/conf.pl
k. Create 'attach' and 'data' directories for SquirrelMail: /var/local/squirrelmail/{data,attach}
l. Update permissions so SquirrelMail may write to 'data' and 'attach' directories: chown -R apache.apache /var/local/squirrelmail
m. Setup DNS
n. Attempt to access SquirrelMail
http://mail.linuxcbt.internal/mail
http://mail.linuxcbt.internal/mail/src/configtest.php
Note: If SELinux is enabled, use 'setsebool...' to allow httpd to connect to IMAP and SMTP ports.
Consult: /var/log/messages
Tasks:
1. Install Squid Proxy server
a. yum -y install squid
2. Start Squid, and ensure that it starts when the system reboots
a. service squid start
b. chkconfig --level 35 squid on
5. Deny 192.168.75.10, but allow ALL other users from the local subnet
a. /etc/squid/squid.conf - define the acl, and place the deny rule before the http_access rule that allows the local subnet (first match wins):
acl lan_bad_users src 192.168.75.10
http_access deny lan_bad_users
###SELinux Intro###
Features:
1. Restricts access by subjects (users and/or processes) to objects (files)
2. Provides Mandatory Access Controls (MACs)
3. MACs extend Discretionary Access Controls (DACs(Standard Linux Permissions))
4. Stores MAC permissions in extended attributes of file systems
5. SELinux provides a way to separate: users, processes (subjects), and objects, via labeling,
and monitors/controls their interaction
6. SELinux is integrated into the Linux kernel
7. Implements sandboxes for subjects and objects
8. Default RH5 implementation creates sandboxes (domains) for 'targeted' daemons and one sandbox (unconfined_t) for everything else
9. SELinux is implemented/enabled by RH5, by default
10. Operates in the following modes:
a. Permissive - permission is always granted, but denials are logged in: /var/log/messages
b. Enforcing - strictly enforces 'targeted' policy rules
c. Disabled - Only DACs are applied
11. Operating modes can be applied upon startup or while the system is running
Tasks:
1. Disable SELinux upon boot-up on LINUXCBTSERV4
a. nano /etc/grub.conf
a1. Update 'kernel' line to reflect: selinux=0
Note: If files(objects) lose their SELinux context, there are multiple ways to relabel them:
1. 'touch /.autorelabel && reboot' - init will relabel the system according to the 'targeted' policy
2. 'fixfiles' - use to relabel objects (files) while the system is running
Note: The 'targeted' policy assigns ALL other subjects and objects to the 'unconfined_t' domain
Note: The default SELinux 'targeted' policy, using MACs, binds subject domains (i.e. 'httpd_t') to object types (i.e. 'httpd_config_t')
Usage:
1. gpg --list-keys - this enumerates the keys in the user's keyring (~/.gnupg)
2. gpg --gen-key - generates a PKI keypair for the current user
3. gpg --encrypt -r LinuxCBT --armor sample.txt - encrypts sample.txt using our 'LinuxCBT's'
public key
###OpenSSHv2###
Features:
1. Provides data encryption services based on PKI - Confidentiality
2. Primarily used to protect the transport layer
3. Encrypted shell sessions, file transfers
4. Password-less logins
5. Port forwarding - Pseudo-VPN
SSH Clients:
/etc/ssh/ssh_config - shared system-wide config file for SSH clients
Task:
1. Setup Password-less logins using SSH
###IPTables###
Features:
1. Firewall for Linux
2. Interface to Netfilter, which is loaded by the kernel
3. Operates primarily @ layers 3 & 4 of the OSI model
4. Modular
5. Provides Network Address Translation (NAT)
6. IPTables can also access other layers (2, 5-7), with modules
Note: Save rules in: /etc/sysconfig/iptables so that when IPTables is restarted, the rules will be
applied OR, update /etc/sysconfig/iptables-config to save the rules automatically
Note: Each table, includes chains, which include Access Control Entries (ACEs)
Usage:
1. iptables -L
3. OUTPUT - applies to traffic sourced from our system, heading outbound
Tasks:
1. Filter inbound traffic to remote RH5 system to SSH
a. iptables -A INPUT -p tcp --dport 22 -j ACCEPT
b. iptables -A INPUT -j DROP
2. Filter outbound traffic to ANY remote SSH port
a. iptables -A OUTPUT -p tcp --dport 22 -j DROP
3. Flush ALL rules from OUTPUT chain of the Filter table
a. iptables -F OUTPUT
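Added example, not from the course notes: the INPUT policy from task 1 written in iptables-save format (the form kept in /etc/sysconfig/iptables), together with a lint that flags any rule appended after an unconditional DROP in the same chain. Rules are matched top-down, so a rule in that position never fires; appending the SSH ACCEPT after '-A INPUT -j DROP' on a remote system would lock you out. The script only generates and checks text and never loads rules into the kernel.

```sh
#!/bin/sh
# Added example, not part of the course notes: emit the two-rule SSH-only INPUT
# policy in iptables-save format and lint a saved ruleset for unreachable rules.
# Assumes iptables-save syntax ("-A CHAIN ... -j TARGET" lines); no rules are
# loaded into the kernel here.

# Emit a minimal filter-table ruleset: accept TCP/22 inbound, then drop the rest.
ssh_only_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Read a ruleset on stdin; print every rule that sits after an unconditional
# "-A <chain> -j DROP" (or REJECT) in its chain. Exit 1 if any were found.
find_unreachable_rules() {
    awk '
        /^-A / {
            chain = $2
            if (chain in dead) {
                print "unreachable in " chain ": " $0
                bad = 1
                next
            }
            # an unconditional terminal rule is exactly "-A CHAIN -j DROP|REJECT"
            if (NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT"))
                dead[chain] = 1
        }
        END { exit bad ? 1 : 0 }
    '
}
```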
###IPv6 IPTables###
Features:
1. Firewall for IPv6
/etc/rc.d/init.d/ip6tables - run-script
/etc/sysconfig/ip6tables-config - system-wide config file
Usage:
1. ip6tables -L
Tasks:
1. Filter inbound traffic to remote RH5 system to SSH
a. ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
b. ip6tables -A INPUT -j DROP
3. Flush ALL rules from OUTPUT chain of the Filter table
a. ip6tables -F OUTPUT
Tasks:
1. Download and install the latest version of NMap - nmap.org
a. wget http://download.insecure.org/nmap/dist/nmap-4.53-1.i386.rpm
b. rpm -Uvh nmap-4.53-1.i386.rpm
Usage:
1. Scan the localhost for open ports
a. nmap -v localhost
2. Service detection scan - attempts to resolve services to names & versions
a. nmap -v -sV 192.168.75.199
4. Reporting
a. nmap -v -oN filename.txt 192.168.75.1 - normal output
b. nmap -v -oX filename.xml 192.168.75.1 - XML output
6. Scan the entire network using '-A' and XML output
a. nmap -v -A -oX 192.168.75.0.scan.xml 192.168.75.0/24
###Nessus###
Features:
1. Vulnerability Scanner
2. Port Scanner
3. Host | Device detection
4. Can be used to scan NETBIOS (Windows|Samba) servers
5. Profiles (Scan Policies) for target scans, with specific exploits to query
6. Reporting
7. Client/Server enabled; multiple clients may use the central Nessus server
8. Client support for Windows, Linux, etc.
9. Runs as a service, awaiting inbound PenTest requests
10. Penetration testing tool
11. Nessus can be automated
12. Supports plug-ins for vulnerability signatures
13. Supports parallel scanning of targets
Tasks:
1. Download Nessus from nessus.org and install
2. Register nessus using 'nessus-fetch', with provided code
a. /opt/nessus/bin/nessus-fetch --register A65E-5116-4D76-FCD5-FF2A
3. Install Nessus Client and Explore the interface
a. rpm -Uvh NessusClient*
Note: Nessus will auto-update its plug-ins after registration, every 12 hours
###Snort NIDS###
Features:
1. Network Intrusion Detection System (NIDS)
2. Packet Sniffer
3. Packet Logger - logs using TCPDump format
Tasks:
1. Download and install Snort NIDS
a. snort.org
b. Confirm MD5SUM: 'md5sum snort-2.8.0.2.tar.gz' Compare to snort-2.8.0.2.tar.gz.md5
c. Import GPG key used to sign the current release of Snort
d. gpg --verify snort-2.8.0.2.tar.gz.sig snort-2.8.0.2.tar.gz
Requirements:
1. gcc - C compiler
2. make - creates binaries
3. libpcre - Provides access to Perl Compatible RegExes
4. mysql-devel* - provides access to MySQL
5. libpcap* - provides the TCPDump, packet capture library
Note: Snort drops fewer packets when run in binary logging mode than in verbose, dump-to-screen mode
4. Download the latest Snort rules file and extract to: /etc/snort/rules