RHEL NOTES FOR RH253
====================

Unit 2 : System Service Access Controls
=======================================

INIT
  Serial console / modem: /etc/inittab

  rc - initialization scripts
  X11
  respawn a getty on a serial line:
    co:23:respawn:/sbin/agetty -f /etc/issue.serial 19200 ttyS1

/etc/init.d
  example: /etc/init.d/network status
           service network status

CHKCONFIG manages services
  chkconfig cups on
  system-config-services
  chkconfig --list
  chkconfig cups --list
  chkconfig standalone_service on/off  --> runlevels 2,3,4,5
  chkconfig transient_service on/off   --> xinetd
  chkconfig service --add/--del        --> start/kill symbolic links are set or removed.

To check which initialization scripts will run:
  grep 'chkconfig:[[:space:]][[:digit:]]\+' /etc/init.d/*

XINETD
  /etc/xinetd.conf, /etc/xinetd.d/service
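The grep above only finds scripts whose header carries numeric runlevels; the header is also what chkconfig --add reads to decide which S/K links to create. The following script is an added example, not part of the course notes: it parses the "# chkconfig: <levels> <start> <stop>" header of a constructed init script (built under mktemp, so no root and no real service are involved) and prints the link name chkconfig would place in each rc<N>.d directory.

```shell
#!/bin/sh
# Added example, not from the RH253 notes: read the "# chkconfig: <levels> <start> <stop>"
# header of a SysV init script and print the S/K symlink name chkconfig --add would create
# in each /etc/rc<N>.d directory. Works on a constructed script under mktemp, no root needed.

# chkconfig_links <init-script>
#   prints one "<runlevel> <linkname>" line per runlevel 0-6:
#   S<start>name where the level is listed in the header, K<stop>name everywhere else.
chkconfig_links() {
    script=$1
    name=$(basename "$script")
    # Only the first header line counts; "-" as the level list means "never started".
    hdr=$(grep '^# chkconfig:[[:space:]]' "$script" | head -n 1)
    [ -n "$hdr" ] || { echo "no chkconfig header in $script" >&2; return 1; }
    set -- $hdr                       # $3=levels $4=start priority $5=stop priority
    levels=$3; start=$4; stop=$5
    for rl in 0 1 2 3 4 5 6; do
        case "$levels" in
            *"$rl"*) echo "$rl S${start}${name}" ;;
            *)       echo "$rl K${stop}${name}" ;;
        esac
    done
}

# link_for <init-script> <runlevel>: just the link name for one runlevel
link_for() {
    chkconfig_links "$1" | awk -v rl="$2" '$1 == rl { print $2 }'
}

# make_sample_script: constructed init script with a typical header (not a real service)
make_sample_script() {
    dir=$(mktemp -d)
    cat > "$dir/sampled" <<'EOF'
#!/bin/sh
# chkconfig: 345 80 20
# description: constructed sample service used only for this example
EOF
    echo "$dir/sampled"
}

# Demo when run directly: levels 3,4,5 get S80sampled, the rest get K20sampled.
sample=$(make_sample_script)
chkconfig_links "$sample"
```

A service whose header says "chkconfig: - 80 20" gets only K links, which is why such services show up as off in chkconfig --list until turned on explicitly.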

  example: /etc/xinetd.d/tftp
  libwrap.so --> tcpwrapper library
  chkconfig tftp on
  /etc/services
  Access controls (example for telnet):
    only_from =
    no_access =
  /etc/sysconfig/ files

SELinux: Mandatory access control (MAC)
  files and processes have a security context
  Users:     user:role:type:sensitivity:category
             user_u:object_r:tmp_t:s0:c0
  Processes: system_u system_r
  ls -Z, ls -Zd
  ps -Zax, ps -eZ
  chcon -t tmp_t /etc/hosts
  restorecon /etc/hosts
  chcon --reference --> used for applying the security context of one object to another:
    chcon --reference /etc/shadow anaconda-ks.cfg
  strict policy -> targeted policy -> multilevel security

MODES: enforcing, permissive, disabled
  getenforce
  setenforce 0 | 1
  disable:
    1) from GRUB: selinux=0
    2) SELINUX=disabled in /etc/sysconfig/selinux
  system-config-securitylevel
  system-config-selinux
  errors in /var/log/audit/audit.log and /var/log/messages
  setroubleshootd
  semanage fcontext -l --> lists contexts

Unit 3 : Network Service Access Controls
========================================

Routing: route -n
mtr - ping + traceroute

IPv6:
  /etc/sysconfig/network                    --> NETWORKING_IPV6=yes
  /etc/sysconfig/network-scripts/ifcfg-ethX --> IPV6INIT=yes
    IPV6ADDR=              --> IPv6 ethernet address
    IPV6ADDR_SECONDARIES=  --> additional virtual interfaces on the primary IP
    IPV6_DEFAULTGW=
    IPV6_DEFAULTDEV=
    DHCPV6C=yes  (dhcp6c client)
  Loopback address --> ::1
  /sbin/ifup, /sbin/ifdown
  ip -6 addr show
  ip -6 route add
  ping6, traceroute6, tracepath6
  host -t AAAA hostname6
  /etc/hosts.allow --> ALL: [::1]
  disable IPv6 in /etc/modprobe.conf:
    alias net-pf-10 off
    alias ipv6 off
ZERO CONF --> 169.254.0.0/16
GATEWAY OF LAST RESORT --> e.g. 192.168.0.254

NETFILTER: logs in klogd
  enable firewall: system-config-securitylevel (GUI) or lokkit (MENU)
  /etc/init.d/iptables start
  service iptables save --> will save it in the /etc/sysconfig/iptables file.
  iptables -A INPUT -p icmp -j DROP
  iptables -A OUTPUT -p icmp -j DROP
  iptables -t filter -A INPUT -s 192.168.0.0/24 -j ACCEPT
  iptables -I INPUT -i lo -j ACCEPT
  iptables -I INPUT -s '!' 192.168.0.1 -j DROP
  iptables -F INPUT             --> flush all input rules
  iptables -L INPUT
  iptables -D INPUT 4           --> delete rule number 4
  iptables -I INPUT -p tcp -s 192.168.0.2 --dport 1024: -j ACCEPT
  iptables -I INPUT -p icmp --icmp-type echo-request -j DROP
  iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
  iptables -Z INPUT             --> zeros out counters
  NOTE: View with iptables -vL INPUT to verify
  iptables -P INPUT DROP        --> sets a DROP policy for all INPUT! Better to use a catch-all RULE:
  iptables -A INPUT -j DROP
  iptables -I INPUT -p tcp -s 192.168.0.0/24 --sport 123 -d 192.168.0.254 -j ACCEPT
  iptables -I OUTPUT -o eth0 -d 192.168.0.0/24 -j ACCEPT

CUSTOMIZE (user-defined chain):
  iptables -N BAD_LIST
  iptables -A FORWARD -s 192.168.0.0/24 -j BAD_LIST
  iptables -A INPUT -j BAD_LIST
  iptables -A BAD_LIST -s 192.168.233.0/24 -j DROP
  iptables -X BAD_LIST              --> delete the (empty) chain

EXAMPLES:
==========
  iptables -A INPUT -p tcp --dport 22 -j DROP
  iptables -A INPUT -p tcp --dport 22 -j REJECT
  iptables -A INPUT -j DROP
  iptables -A INPUT -p icmp -s 192.168.0.8 -j DROP
  iptables -I FORWARD -s 192.168.233.0/24 -j DROP
  Flush NAT tables: iptables -t nat -F
  List NAT tables:  iptables -t nat -L
  Check network traffic using: tshark -ni eth0 host station8

CHANGE POLICY:
  iptables -P FORWARD DROP          --> All forwards dropped!
  iptables -P FORWARD ACCEPT
  iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
  iptables -A FORWARD -s 192.168.0.99 -j ACCEPT            (allow a single IP, e.g. google)
  iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.233.0/24 -j DROP

DROP WEB TRAFFIC:
  iptables -A FORWARD -s 192.168.0.8 -p tcp --dport 80 -j DROP

ANTISPOOFING RULES (eth1 is on 192.168.0.0/24; a packet whose source does not belong to the interface it arrives on is dropped):
  iptables -A FORWARD -i eth1 -s 192.168.0.0/24 -j ACCEPT       (incoming)
  iptables -A FORWARD -i eth1 '!' -s 192.168.0.0/24 -j DROP
  iptables -A FORWARD -i eth0 -s 192.168.0.0/24 -j DROP         (outgoing)

/etc/sysconfig/iptables-config
  [root@secure iptables]# more /etc/sysconfig/iptables-config|grep MODULE
  IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_tftp ip_nat_ftp"
  IPTABLES_MODULES_UNLOAD="yes"
  [root@secure iptables]# more /etc/sysconfig/iptables-config|grep SAVE
  IPTABLES_SAVE_ON_STOP="no"
  IPTABLES_SAVE_ON_RESTART="no"
  IPTABLES_SAVE_COUNTER="no"
  # 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
  # SAVE_ON_RESTART is enabled.
  modules: ip_conntrack_ftp, ip_nat_ftp, ip_conntrack_tftp, ip_nat_tftp
  iptables -D INPUT <rule>  --> delete a rule

CONNECTION TRACKING: less /proc/net/ip_conntrack
  states: NEW, ESTABLISHED, RELATED, INVALID

EXAMPLES OF A BASIC FIREWALL (using connection tracking):
  iptables -P INPUT DROP
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT             --> permit established connections
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i rht0 -j ACCEPT  --> open httpd
  iptables -A INPUT -m state -p udp --state NEW --dport 53 -i eth0 -j ACCEPT  --> open dns
  iptables -A INPUT -p icmp --icmp-type echo-request -i rht0 -s 192.168.0.8/24 -m limit --limit 1/s -j ACCEPT  --> limit ping to 1/s
  iptables -A FORWARD -m random --average 50 -j DROP
  iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
  iptables -A INPUT -m state --state NEW -j DROP

NAT:
  SNAT --> for fixed IPs
  MASQUERADE --> for DHCP
  DNAT: iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-dest 192.168.0.20-192.168.0.21   --> http dnat
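The stateful ruleset above is normally typed rule by rule and then frozen with service iptables save. As an added example (not part of the notes), the script below generates the same default-deny INPUT chain directly in the iptables-save format that lands in /etc/sysconfig/iptables, and lists the ports the file opens to NEW connections so it can be reviewed before it is loaded. The interface name and port lists are constructed parameters; nothing here calls iptables, so it runs without root.

```shell
#!/bin/sh
# Added example, not from the RH253 notes: build the stateful default-deny INPUT chain from
# the notes in the iptables-save format that "service iptables save" writes to
# /etc/sysconfig/iptables. Nothing here runs iptables, so the file can be generated and
# reviewed as an unprivileged user and later loaded with "service iptables start".
# Assumptions (constructed): the interface name and port lists are passed in by the caller.

# basic_firewall <iface> "<tcp ports>" "<udp ports>"
#   prints a complete *filter table: INPUT policy DROP, loopback and ESTABLISHED,RELATED
#   accepted first, INVALID dropped, one NEW-state ACCEPT per listed port, ping rate-limited.
basic_firewall() {
    iface=$1; tcp_ports=$2; udp_ports=$3
    echo '*filter'
    echo ':INPUT DROP [0:0]'       # chain policy: anything not matched below is dropped
    echo ':FORWARD DROP [0:0]'     # this host is not a router
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    for p in $tcp_ports; do
        echo "-A INPUT -i $iface -p tcp -m state --state NEW --dport $p -j ACCEPT"
    done
    for p in $udp_ports; do
        echo "-A INPUT -i $iface -p udp -m state --state NEW --dport $p -j ACCEPT"
    done
    echo "-A INPUT -i $iface -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT"
    # log what is about to hit the DROP policy; the kernel log (klogd) carries the prefix
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "'
    echo 'COMMIT'
}

# open_ports <ruleset-file>: lists "<proto>/<port>" for every NEW-state ACCEPT rule,
# a quick review of what the file actually exposes before it is loaded
open_ports() {
    awk '/--state NEW/ && /-j ACCEPT/ {
             for (i = 1; i <= NF; i++) { if ($i == "-p") proto = $(i+1); if ($i == "--dport") port = $(i+1) }
             print proto "/" port
         }' "$1"
}

# Demo: write the ruleset for eth0 with ssh+http and dns to a temp file and review it.
out=$(mktemp)
basic_firewall eth0 "22 80" "53" > "$out"
open_ports "$out"
```

Because the policy is DROP and the catch-all LOG rule is rate-limited, a flood of unsolicited packets cannot fill /var/log/messages, while the first few of each burst are still recorded.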

  DNAT with destination port, outbound (to a local proxy):
    iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-dest 192.168.0.200:3128
  SNAT:
    iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.45
    iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.45-1.2.3.55
    iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.45:1234-1334
  MASQUERADE (used for dial-up connections; note that connections are not remembered across different connections):
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  restorecon -R /etc/sysconfig

Unit 4 : DNS
=========

Hostname services: /etc/hosts, /etc/networks, DNS, NIS
Client-side resolvers: stub resolver, glibc functions (gethostbyname()), /etc/nsswitch.conf --> hosts: files dns
  NIS and DNS domain names should be different.
DNS Resolvers:
  host --> nameserver and search lines in /etc/resolv.conf
  dig  --> nameserver in /etc/resolv.conf
  dig +trace redhat.com
  nslookup

Using the host command:
  forward lookup              --> host redhat.com  /  dig redhat.com
  reverse lookup              --> host 209.132.177.50
                                  dig -x 123.123.123.87  or  dig -t ptr 87.123.123.123.in-addr.arpa
  MX lookup (mail exchanger)  --> host -t mx redhat.com  /  dig -t mx redhat.com
  SOA lookup (master authority) --> host -t soa redhat.com  /  dig -t soa redhat.com
  delegation (NS)             --> host -rt ns redhat.com
  force iterative             --> host -r redhat.com  /  dig +trace redhat.com
  Zone transfer               --> host -t axfr redhat.com
                                  dig -t axfr example.com @192.168.0.254
                                  host -t ixfr=serial example.com 192.168.0.254
  Everything lookup           --> host -a redhat.com
  NOTE: NS is the referral; A is the final answer.

Resource records - Fields:
  domain --> Names
  ttl    --> cached
  class  --> IN, CH, HS
  type   --> A or NS, SOA, MX, PTR, CNAME
  rdata  --> data to which the domain field is mapped

DNS: packages bind, bind-utils, bind-chroot
Daemons: /usr/sbin/named, /usr/sbin/rndc, /etc/init.d/named

ports: 53, 953 (rndc)
config: /var/named/chroot, /etc/named.conf, /etc/rndc.conf, /etc/rndc.key, /var/named/*,
        caching-nameserver.conf, named.ca
  NOTE: Always set allow-query to localhost for troubleshooting!
  openssl
  ldd `which named` | grep libwrap
  strings `which named` | grep hosts
  grep named /etc/selinux/targeted/contexts/files/file_contexts
  restorecon -R /var/named/chroot
  getsebool -a | grep named
  service named configtest
  service named start
  chkconfig named on
Stub Resolver:
  /etc/resolv.conf --> nameserver 127.0.0.1
  /etc/sysconfig/network-scripts/ifcfg-ethX --> PEERDNS=no
  /var/lib/dhclient/dhclient-eth0.leases
  bind-chroot, /etc/sysconfig/named

DNS CONFIG FILES (locations):
  /etc/sysconfig/named
  NOTE: If ROOTDIR=/var/named/chroot then the following will apply:
    /var/named/chroot/etc/named.conf
    /var/named/chroot/etc/named.caching-nameserver.conf
    /var/named/chroot/etc/named.rfc1912.zones
    /var/named/chroot/etc/rndc.key
    /var/named/chroot/var/named/named.ca
    /var/named/chroot/var/named/named.root
    /var/named/chroot/var/named/localhost.zone
    /var/named/chroot/var/named/localdomain.zone
    /var/named/chroot/var/named/named.local
    /var/named/chroot/var/named/named.broadcast
    /var/named/chroot/var/named/named.zero
    /var/named/chroot/var/named/named.ip6.local
    /var/named/chroot/var/named/my.internal.zone.db
    /var/named/chroot/var/named/my.ddns.internal.zone.db
    /var/named/chroot/var/named/slaves/my.slave.internal.zone.db
    /var/named/chroot/var/named/data/named.stats.txt
    /var/named/chroot/var/named/redhat.com.zone
  named-checkconf -t /var/named/chroot
  named-checkzone redhat.com /var/named/chroot/var/named/redhat.com.zone
rndc: /etc/rndc.conf, /etc/rndc.key
  Named verifies the key used by rndc.
  rndc flush   --> flush the server's cache
  rndc dump    --> dumps the database
  rndc stats   --> statistics
  rndc-confgen
  NOTE: Use rndc just like apachectl!
DNS CLIENT:
  /etc/hosts         --> 127.0.0.1 enterprise5 localhost.localdomain localhost
  /etc/resolv.conf   --> nameserver 1.2.3.4  (Don't forget to edit resolv.conf for resolution)
  /etc/nsswitch.conf --> hosts: files dns
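named-checkzone catches syntax errors, but the most common zone-transfer failure is a forgotten serial bump: a slave only pulls the zone (AXFR, or IXFR from the serial it holds) when the master's SOA serial is greater than its own. The script below is an added example, not part of the notes: it extracts the serial from a constructed example.com zone file, computes the next YYYYMMDDnn value for a given date, and rewrites it in place before the zone would be reloaded with rndc.

```shell
#!/bin/sh
# Added example, not from the RH253 notes: read the SOA serial of a zone file and bump it
# in YYYYMMDDnn form before reloading. A slave only performs an AXFR/IXFR when the master's
# serial is greater than its own, so an edit without a serial bump never reaches the slaves.
# The zone file below is constructed for the example; run named-checkzone on a real one.

# zone_serial <zonefile>: first all-digit field after the SOA keyword (a TTL before SOA is ignored)
zone_serial() {
    awk '!insoa && /[ \t]SOA[ \t]/ { insoa = 1; $0 = substr($0, index($0, "SOA") + 3) }
         insoa { sub(/;.*/, "")                        # strip comments such as "; serial"
                 for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}

# next_serial <current> <YYYYMMDD>: today's date followed by a two-digit revision,
# or current+1 when the existing serial is already past today (clock skew, hand-edited)
next_serial() {
    cur=$1; today=$2
    case "$cur" in
        "$today"[0-9][0-9])
            rev=${cur#"$today"}; rev=${rev#0}        # drop a leading zero so 08 is not read as octal
            printf '%s%02d\n' "$today" $((rev + 1)) ;;
        *)
            if [ "$cur" -lt "${today}00" ]; then echo "${today}01"; else echo $((cur + 1)); fi ;;
    esac
}

# bump_zone_serial <zonefile> <YYYYMMDD>: rewrite the serial in place, print the new value
bump_zone_serial() {
    file=$1; old=$(zone_serial "$file"); new=$(next_serial "$old" "$2")
    awk -v old="$old" -v new="$new" '
        /[ \t]SOA[ \t]/ { insoa = 1 }
        insoa && !done { for (i = 1; i <= NF; i++) if ($i == old) { sub(old, new); done = 1; break } }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$new"
}

# make_sample_zone: constructed example.com zone (names and addresses are placeholders)
make_sample_zone() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
$TTL 86400
@       IN      SOA     ns1.example.com. hostmaster.example.com. (
                        2008040601      ; serial
                        3H              ; refresh
                        15M             ; retry
                        1W              ; expire
                        1D )            ; minimum
        IN      NS      ns1.example.com.
ns1     IN      A       192.0.2.1
EOF
    echo "$f"
}

z=$(make_sample_zone)
echo "serial before: $(zone_serial "$z")"
echo "serial after:  $(bump_zone_serial "$z" 20080406)"
```

After the bump, named-checkzone on the file and rndc reload on the master; dig -t soa against master and slave should then show the same serial once the notify/refresh has happened.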

NOTES: named.conf global options (additional parameters to remember):
  allow-transfer { localhost; 192.168.0.0/24; };
  forwarders { IP_ADDRESS_OF_INTERFACE; };
  forward only;
  In the views section: match-clients { localhost; 192.168.0.0/24; };
  man -k named | grep selinux
  makewhatis &  --> makes man pages.
Checking zone transfers:
  dig -t axfr domainx.example.com @localhost
  host -l example.com
  dig +norecurse stationX.example.com

DHCP: /usr/sbin/dhcpd, /etc/init.d/dhcpd
  ports: 67, 68
  /etc/dhcpd.conf
  /var/lib/dhcpd/dhcpd.leases
  service dhcpd configtest
  /etc/sysconfig/dhcpd

Unit 5 : File Sharing
==============

FTP: vsftpd, /etc/vsftpd/vsftpd.conf
  anonymous: /var/ftp (chrooted)

  package --> vsftpd
  /usr/sbin/vsftpd, /etc/init.d/vsftpd
  ports: 21, 20
  /etc/pam.d/vsftpd
  /var/log/xferlog
  tcp_wrappers, ip_conntrack_ftp, ip_nat_ftp

========================================================
more /etc/pam.d/vsftpd
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
========================================================

Clients: lftp
  chkconfig vsftpd on
  chkconfig --list vsftpd
  service vsftpd start
Security:
  anonymous_enable=YES --> SELinux context is: public_content_rw_t
  Directives: allow_ftpd_anon_write, allow_ftpd_use_cifs, allow_ftpd_use_nfs, ftp_is_daemon, ftp_home_directory
    --> activate read/write access on user home: setsebool -P ftp_home_directory 1
  anonymous_enable=NO
  anon_upload_enable=YES
  users: deny -> ftpusers
  userlist_enable=YES
  # If userlist_deny=NO, only allow users in this file
  # If userlist_deny=YES (default), never allow users in this file, and
  # do not even prompt for a password.

  local_enable=YES
  write_enable=YES
  chroot_list_enable=YES
  pam_service_name=vsftpd
  userlist_enable=YES
  tcp_wrappers=YES  (/etc/hosts.allow and hosts.deny files)

NFS:
  FILES: /etc/exports, /etc/fstab, /etc/init.d/nfs, /etc/init.d/nfslock,
         /etc/init.d/netfs (mount network filesystems at boot)
  exportfs -r
  service nfs reload/start, service nfs status
  mount requires portmap (rpc service)
  portmap, nfs, rpc.nfsd, rpc.mountd, rpc.lockd, rpc.statd, rpc.quotad required for NFS
  ports: 2049, 111  (netstat -tulpn | grep 111  or use  lsof -i:111)
  tcp_wrappers capable --> mountd, portmap
  rpcinfo -p  or  service portmap status  or  service nfs status
  exportfs -r --> refresh exports
  exportfs -v --> list exports
  exportfs -a --> export all shares
  exportfs -u --> unexport shares
  showmount -e host --> show mounted exports
  nfsstat
  chkconfig nfs on
  autofs
  system-config-nfs --> GUI tool
  Examples: options: ro, rw, sync, root_squash, no_root_squash, insecure
  /etc/exports:

    /var/ftp/pub        *.example.com(ro,sync) server1.example.com(rw,sync)
    /root/presentations server2.example.com(rw,sync)
    /data               192.168.10.0/255.255.255.0(sync)
  NFS and SELinux: allow_gssd_read_tmp, allow_nfsd_anon_write, nfs_export_all_ro, nfs_export_all_rw
    example: setsebool -P nfs_export_all_rw 1
  Client side:
    /etc/fstab: server1:/var/ftp/pub  /mnt/pub  nfs  defaults 0 0
    /etc/init.d/netfs
    autofs: /etc/auto.master, /etc/auto.misc
    showmount -e <servername>
    rsize=8192, wsize=8192 --> perf tuning
    soft, hard, intr, nolock
  security issues: authentication, privacy, portmap infrastructure
  /etc/sysconfig/nfs:
    MOUNTD_PORT="32756"
    STATD_PORT="32766"
    LOCKD_TCPPORT="32765"
    LOCKD_UDPPORT="32765"
    Note: both lockds are on the same port.
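exportfs -v shows the effective options on a live server, but /etc/exports is usually reviewed before that. The script below is an added example, not part of the notes: it reads an /etc/exports file (a constructed one here) and flags the combinations the option list above makes risky, namely exports to every host, rw to a wildcard client, no_root_squash, and insecure.

```shell
#!/bin/sh
# Added example, not from the RH253 notes: review an /etc/exports file for the options the
# notes list (rw, no_root_squash, insecure) combined with wildcard clients. exportfs -v shows
# the effective options on a live server; this reads the file, so it can run anywhere.
# The exports file is constructed for the example.

# audit_exports <exports-file>: prints one WARN line per risky export entry
audit_exports() {
    set -f   # entries contain "*", which must not be expanded against the working directory
    # comment and blank lines skipped; remaining lines are: <path> <client(options)> ...
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | while read -r path clients; do
        for entry in $clients; do
            client=${entry%%\(*}                     # text before "("
            opts=""
            [ "$entry" != "$client" ] && { opts=${entry#*\(}; opts=${opts%\)}; }
            # defaults when nothing is given: ro, sync, root_squash
            case "$client" in
                '*') echo "WARN $path: exported to every host" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "WARN $path -> $client: no_root_squash (remote root is root on this server)" ;;
            esac
            case ",$opts," in
                *,insecure,*) echo "WARN $path -> $client: insecure (requests from ports above 1023 accepted)" ;;
            esac
            case ",$opts," in
                *,rw,*) case "$client" in
                            *\**) echo "WARN $path -> $client: read/write to a wildcard client" ;;
                        esac ;;
            esac
        done
    done
    set +f
}

# make_sample_exports: constructed file with one clean and several risky entries
make_sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample /etc/exports
/var/ftp/pub        *.example.com(ro,sync) server1.example.com(rw,sync)
/root/presentations server2.example.com(rw,sync,no_root_squash)
/data               192.168.10.0/255.255.255.0(sync)
/scratch            *(rw,insecure)
EOF
    echo "$f"
}

audit_exports "$(make_sample_exports)"
```

Wildcards in the client field are matched against the reverse-resolved client name, so an rw wildcard export is only as strong as the DNS the server trusts; address or network forms such as the /data line avoid that dependency.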

SAMBA: cifs or smbfs (kernel components, CONFIG_CIFS_FS and CONFIG_SMB_FS)
  packages: samba, samba-client, samba-common, samba-swat
  ports: 137, 138, 139, 445;  webadmin (swat): port 901
  /etc/samba/*, smb.conf, system-config-samba
  daemons: smbd, nmbd, winbindd
  tools: smbclient, smbstatus, smbpasswd, testparm, mount.cifs, umount.cifs, smbprint, nmblookup, smbusers
  Example: testparm /etc/samba/smb.conf server1 <ip address>
  Starting Samba: chkconfig smb on; service smb start; service smb status
  smbclient -L <hostname> -U 'userjoe%passwd'
  smbclient //machine/service
  user should be in /etc/passwd
  nmblookup -U WINS_server -R name
  nmblookup \*
  mount -t cifs //server/share /mountpoint -o option1,option2,...
  mount -t cifs //stationx /mnt/samba -o user=user,dom=domain,uid=500,file_mode=644
  smbmount //server/share /mnt/smb_mountpoint -o username=smbuser
  smbumount mount-point
  Also in /etc/fstab:
    //stationX/homes   /mnt/homes cifs username=bob,uid=bob 0 0
    //servername/share /mntpt     cifs credentials=/etc/samba/cred.txt 0 0
    //station1/homes   /mnt/homes cifs username=bob,uid=bob,noauto 0 0  (this will not ask for a password during reboot)
  Use the winbindd daemon if Windows usernames and passwords are to be used.
  SELinux support for Samba:
    allow_smb_anon_write --> public_content_rw_t
    samba_enable_home_dirs, samba_share_nfs, use_samba_home_dirs
    setsebool -P samba_enable_home_dirs 1

  Note: You can let users mount shares themselves by setting SUID on the following:
    chmod u+s /sbin/mount.cifs
    chmod u+s /sbin/umount.cifs
    /sbin/mount.cifs //enterprise5a/tmp test -o username=michael%abc123
    /sbin/umount.cifs test
    add the above commands to the user's .bashrc and .bash_logout files respectively.

SAMBA CONFIGURATION: /etc/samba/smb.conf
=============================================
#============================ Global Settings ==============================
workgroup = MYGROUP
netbios name = enterprise5a
server string = Samba Server
security = user   ## security can be user for local, domain for a domain controller,
                  ## ads for active directory, or share for peer-to-peer workgroup
;  password server = <NT-Server-Name>
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
;  realm = MY_REALM
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
passdb backend = tdbsam
;  hosts allow = 192.168.1. 192.168.2. 127.
;  interfaces = 192.168.12.2/24 192.168.13.2/24   ## more than one NIC
;  guest account = pcguest
log file = /var/log/samba/%m.log
max log size = 50   ## Log size is in KB
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
;  include = /usr/local/samba/lib/smb.conf.%m
load printers = yes
;  printcap name = /etc/printcap
;  printcap name = lpstat
;  printing = cups
cups options = raw
;  domain master = yes
;  local master = no
;  preferred master = yes   # Windows95 workstations
;  os level = 33   ### Don't use this if you already have a Windows NT domain controller doing this job
;  domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;  logon script = %m.bat
# run a specific logon batch file per username
;  logon script = %U.bat
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
;  logon path = \\%L\Profiles\%U
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
;  wins support = yes
;  wins server = w.x.y.z
;  wins proxy = yes
dns proxy = no
username map = /etc/samba/smbusers
# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
;  add user script = /usr/sbin/useradd %u
;  add group script = /usr/sbin/groupadd %g
;  add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
;  delete user script = /usr/sbin/userdel %u
;  delete user from group script = /usr/sbin/deluser %u %g
;  delete group script = /usr/sbin/groupdel %g

#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writeable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
;   comment = Network Logon Service
;   path = /usr/local/samba/lib/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
; [Profiles]
;   path = /usr/local/samba/profiles
;   browseable = no
;   guest ok = yes
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /usr/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no

   printable = yes
# This one is useful for people to share files
; [tmp]
;   comment = Temporary file space
;   path = /tmp
;   read only = no
;   public = yes
; [public]
;   comment = Public Stuff
;   path = /home/samba
;   public = yes
;   writable = yes
;   printable = no
;   write list = @staff
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory.
; [fredsprn]
;   comment = Fred's Printer
;   valid users = fred
;   path = /homes/fred
;   printer = freds_printer
;   public = no
;   writable = no
;   printable = yes
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
; [fredsdir]
;   comment = Fred's Service
;   path = /home/fred
;   valid users = fred
;   public = no
;   writable = yes
;   printable = no
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %U option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
; [pchome]
;   comment = PC Directories
;   path = /home/pc/%m
;   public = no
;   writable = yes
; [public]
;   path = /usr/somewhere/else/public
;   public = yes
;   only guest = yes
;   writable = yes
;   printable = no
# The following two entries demonstrate how to share a directory so that two

# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
; [myshare]
;   comment = Mary's and Fred's stuff
;   path = /usr/somewhere/shared
;   valid users = mary fred
;   public = no
;   writable = yes
;   printable = no
;   create mask = 0765
#============================ Share Definitions ==============================

Joining a Domain:
  net rpc join -U root
  net rpc join -S DC -U root
Setting up accounts and passwords similar to Windows:
  useradd username
  smbpasswd -a newUser
  more /etc/samba/smbusers
    # Unix_name = SMB_name1 SMB_name2 ...
    root = administrator admin
    nobody = guest pcguest smbguest
  mksmbpasswd.sh --> adds all passwords to the /etc/samba/smbpasswd file
NOTE: don't forget to set the sticky bit for a public share!
  chmod 1777 /home/publicshare

Unit 6 : Apache
=========

/etc/httpd/conf/httpd.conf
Modular directive files via: Include conf.d/*.conf
Packages: httpd, httpd-devel, httpd-manual, mod_perl, mod_ssl
Installation:
  yum install httpd
  yum install system-config-httpd
  yum groupinstall "Web Server"
  yum grouplist --> will list groups of packages available
  yum install mod_ssl squid
  chkconfig --list httpd
  chkconfig --level 35 httpd on
  service httpd configtest  (or httpd -t  or  apachectl configtest)
  apachectl stop
  apachectl start

  service httpd reload
NOTE: If the links package is required, install the elinks package: yum install elinks
  test the webserver page: elinks 127.0.0.1
Custom error page: /etc/httpd/conf.d/welcome.conf
/usr/sbin/httpd, /etc/init.d/httpd, /etc/httpd/*, /var/www/*
system-config-httpd
mod_ssl
DocumentRoot /var/www/html
ServerRoot "/etc/httpd"
SELinux Contexts:
  system_u:object_r:httpd_config_t
  system_u:object_r:httpd_log_t
  system_u:object_r:httpd_modules_t
  system_u:object_r:httpd_content_t
  NOTE: restore contexts before configuring!
  chcon -R --reference=/var/www/html /var/www/html/data
  restorecon -R /var/www/html
Configuration: Min & Max spare servers, log files, hostname, modules, virtual hosts, user and group
/etc/httpd/modules
User Directory: UserDir public_html
  example: /home/bob/public_html
  restorecon -R /home
  restorecon ~/public_html

Access Control: mod_access
  order allow,deny --> Note: clients matched by both allow and deny are denied!
  order deny,allow --> Note: clients matched by both allow and deny are allowed!
  .htaccess
MIME types:
  AddType application/x-httpd-php .phtml
  AddType text/html .htm
Index Files: DirectoryIndex index.html default.htm
Virtual hosts:
  NameVirtualHost 192.168.0.100:80
  <VirtualHost 192.168.0.100:80>
      ServerName virt1.com
      DocumentRoot /virt1
      ServerAlias www.virt1.com
  </VirtualHost>
  <VirtualHost 192.168.0.100:80>
      ServerName virt2.com
      DocumentRoot /virt2
      ServerAlias www.virt2.com
  </VirtualHost>
SSL Virtual hosts: /etc/httpd/conf.d/ssl.conf
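The two Order notes above are easy to confuse because the directive names the evaluation order, not the default. The script below is an added example, not part of the notes: it evaluates mod_access the way Apache 2.2 does for a client address against Allow from / Deny from lists (constructed values; "all", full IPs and partial IPs such as 192.168.0 are accepted), so the asymmetry can be checked for any combination before it goes into httpd.conf.

```shell
#!/bin/sh
# Added example, not from the RH253 notes: evaluate mod_access "Order allow,deny" /
# "Order deny,allow" for a client address, the way Apache 2.2 does it. The client
# addresses and Allow/Deny lists are constructed; the notes' rule is the asymmetry:
# with allow,deny a client matched by both directives is denied, with deny,allow it is allowed.

# from_matches <client-ip> "<Allow/Deny from arguments>"
#   handles "all", a full IP and a partial IP (first 1-3 octets, as mod_access accepts)
from_matches() {
    ip=$1; shift
    for arg in $*; do
        arg=${arg%.}                       # "192.168.0." and "192.168.0" mean the same prefix
        case "$arg" in
            all) return 0 ;;
        esac
        case "$ip" in
            "$arg"|"$arg".*) return 0 ;;
        esac
    done
    return 1
}

# apache_access <order> <client-ip> "<allow from>" "<deny from>"  -> prints allowed|denied
apache_access() {
    order=$1; ip=$2; allow_from=$3; deny_from=$4
    in_allow=no; in_deny=no
    from_matches "$ip" "$allow_from" && in_allow=yes
    from_matches "$ip" "$deny_from"  && in_deny=yes
    case "$order" in
        allow,deny)    # default deny; Allow evaluated first, then Deny overrides
            result=denied
            [ $in_allow = yes ] && result=allowed
            [ $in_deny = yes ]  && result=denied ;;
        deny,allow)    # default allow; Deny evaluated first, then Allow overrides
            result=allowed
            [ $in_deny = yes ]  && result=denied
            [ $in_allow = yes ] && result=allowed ;;
        *) echo "unknown Order: $order" >&2; return 2 ;;
    esac
    echo "$result"
}

# Demo: the same client, matched by both lists, under each Order
apache_access allow,deny 192.168.0.5 "192.168.0" "192.168.0.5"
apache_access deny,allow 192.168.0.5 "192.168.0.5" "192.168.0"
```

The practical consequence: "Order allow,deny" with no Allow line at all denies everybody, while "Order deny,allow" with no Deny line allows everybody, so a restriction block should always be read together with its Order directive.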

Encryption:
  certificate: /etc/pki/tls/certs/your_host.crt
  private key: /etc/pki/tls/private/your_host.key
  /etc/pki/tls/certs/Makefile
    Self-signed cert: make testcert
    CSR:              make certreq
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
AuthUserFile htpasswd examples:
  htpasswd -cm /etc/httpd/.htpasswd bob
  htpasswd -m /etc/httpd/.htpasswd alice
  AllowOverride AuthConfig
CGI: ScriptAlias /cgi-bin/ /path_to/cgi-bin/
mod_perl, mod_php, mod_speling
SSL: mod_ssl, /etc/httpd/conf.d/ssl.conf

SQUID: /etc/squid/squid.conf:
  http_port 3128
  cache_mem 8 MB
  cache_dir ufs /var/spool/squid 100 16 256
  hierarchy_stoplist --> forwards requests directly
  refresh_pattern
  acl local_net src 192.168.0.0/24
  http_access allow local_net
  http_reply_access allow all

  icp_access allow all
  visible_hostname server1
  Build cache directories: squid -z
  transparent proxy redirect:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
  setsebool -P squid_connect_any 1
  /usr/sbin/squid, /etc/init.d/squid
  port: 3128, connections only on the loopback interface by default
  key directives: cache_dir, http_access, cache_mem, acl, http_port
  /etc/sysconfig/squid:
    SQUID_OPTS="-D" --> disables DNS checking
    SQUID_SHUTDOWN_TIMEOUT=100

Unit 7 : Mail
=========

Mail server packages: cyrus-imapd*, cyrus-sasl, dovecot, exim, mailman, postfix, sendmail, sendmail-cf,
  spamassassin, squirrelmail, system-switch-mail (--> switch between sendmail and postfix), system-switch-mail-gnome

DOVECOT: /etc/dovecot.conf

  mail_location
  mbox_read_locks and mbox_write_locks settings
  If you're using the /var/mail/ directory for INBOXes, you may need to set mail_extra_groups = mail
    so Dovecot can create dotlocks there.
  For better performance you may want to set the mbox_very_dirty_syncs = yes option.
  If you're using NFS or some other remote filesystem that's shared between multiple computers,
    you'll need to set mmap_disable = yes.
  If you intend to use SSL, set the ssl_cert_file and ssl_key_file settings. Otherwise set ssl_disable = yes.
    The easiest way to get SSL certificates built is to use Dovecot's doc/mkcert.sh script.
  Testing:
    mutt -f pops://root@secure:995
    openssl s_client -connect secure:995
      user test
      pass mypassword
      stat
      retr 1
      dele 1
      quit

SENDMAIL: In /etc/mail
  sendmail.cf --> for incoming mail
  submit.cf   --> for outgoing mail
  sendmail.mc, submit.mc
  access      --> REJECT, RELAY, DISCARD
  domaintable --> forward to different domains
  helpfile, local-host-names, mailertable, Makefile, spamassassin, trusted-users, virtusertable
  /etc/aliases
  /var/log/mail --> statistics has data which is read by the mailstats program.
  make -C /etc/mail/  or  m4 /etc/mail/sendmail.mc > sendmail.cf
  service sendmail restart --> will run make -C /etc/mail if the sendmail-cf package is installed.
  sendmail -d0 < /dev/null
  ==========================================
  Local computer email access only:
    DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
  If no DNS: FEATURE(`accept_unresolvable_domains')dnl
  To make the server relay for other domains, add in /etc/mail/access:
    192.168.0.30   RELAY
  dnl is used to comment a line.

  MASQUERADE:
    EXPOSED_USER(`root')dnl
    FEATURE(masquerade_envelope)dnl
    MASQUERADE_DOMAIN(mydomain.lan)dnl
  ==========================================
  /etc/smrsh --> sendmail restricted shell
  /etc/aliases, newaliases
  ==========================================
  Address rewrite:
    FEATURE(genericstable)dnl
    FEATURE(always_add_domain)dnl
    GENERICS_DOMAIN_FILE(`/etc/mail/local-host-names')dnl
  ==========================================
  FEATURE(`blacklist_recipients')dnl
Switching MTAs:
  alternatives --display mta
  alternatives --config mta
  alternatives --set mta /usr/sbin/sendmail.postfix

POSTFIX:
  postconf -d, postconf -n, postconf -e key=value, postconf -m, man 5 postconf
  mydomain = example.com
  myhostname = secure.example.com
  myorigin = $mydomain
  inet_interfaces = all
  mynetworks = 168.100.189.0/28, 127.0.0.0/8
  masquerade_exceptions = root
  virtual_alias_maps = hash:/etc/postfix/virtual
  postmap /etc/postfix/virtual (rehash the file)
  postalias
PROCMAIL: postconf -e "mailbox_command = /usr/bin/procmail"

Unit 8 : Security (04/06/08)
=========

Need for security:

  insecure protocols with insecure passwords: telnet, ftp, rsh, rcp, pop3
  insecure info: nfs, nis
  insecure auth: sendmail
Cryptography: (openssl, gpg)
  random numbers and entropy sources: /dev/random, /dev/urandom, /var/lib/random-seed
    openssl rand [-base64] num
  one way hashes: md2, md5, mdc2, rmd160, sha, sha1
    Utilities: sum, sha1sum, md5sum etc.
  symmetric algorithms: 3des, blowfish, cast3, rc2, rc4, rc5, IDEA
  asymmetric algorithms: DSA, RSA
  private/public keys, PKI: a signed public key is called a certificate; the trusted 3rd party is a Certificate Authority.
  generating digital certs:
    public/private key pair: openssl genrsa -out server1.key.pem 1024
    CSR:                     openssl req -new -key server1.key.pem -out server1.csr.pem
    Self-signed cert:        openssl req -new -key server1.key.pem -out server1.crt.pem -x509
    From CA:                 server1.crt.pem
    make dovecot.pem
openssh: /etc/ssh, /etc/ssh*, /usr/sbin/sshd, /etc/init.d/sshd
  /etc/ssh/ssh_config, /etc/ssh/sshd_config: protocol, listenaddress, permitrootlogin, banner
  ssh-keygen, ssh-askpass, $HOME/.ssh
  Types of auth: passwd, Kerberos, s/key and SecureID, host auth using system key pairs
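The key, CSR and certificate commands above are listed separately; the script below is an added example, not part of the notes, that runs them end to end. It builds a constructed private CA under mktemp, issues a server certificate from a CSR ("From CA") next to a self-signed one, and then performs the two checks that matter before a certificate is installed for httpd, dovecot or sendmail: that it verifies against the CA and that its public key belongs to the private key it will be deployed with. Key size is 2048 bits rather than the notes' 1024; file names follow the notes.

```shell
#!/bin/sh
# Added example, not from the RH253 notes: the key -> CSR -> certificate path with openssl,
# both self-signed and signed by a local CA constructed here, then the two checks an admin
# makes before installing: the certificate verifies against the CA and its public key
# belongs to the private key. Everything lands in a mktemp directory; nothing is installed.

# make_key_and_csr <dir> <name> <cn>: 2048-bit RSA key and a request for CN=<cn>
make_key_and_csr() {
    dir=$1; name=$2; cn=$3
    openssl genrsa -out "$dir/$name.key.pem" 2048 2>/dev/null &&
    openssl req -new -key "$dir/$name.key.pem" -subj "/CN=$cn" -out "$dir/$name.csr.pem" 2>/dev/null
}

# self_sign <dir> <name> <cn>: what "make testcert" does under /etc/pki/tls, by hand
self_sign() {
    openssl req -new -x509 -days 365 -key "$1/$2.key.pem" -subj "/CN=$3" -out "$1/$2.crt.pem" 2>/dev/null
}

# make_ca <dir>: a constructed private CA (key + self-signed CA certificate)
make_ca() {
    openssl genrsa -out "$1/ca.key.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -days 3650 -key "$1/ca.key.pem" -subj "/CN=Example Lab CA" \
        -out "$1/ca.crt.pem" 2>/dev/null
}

# ca_sign <dir> <name>: the CA turns the CSR into a certificate (the "From CA" case in the notes)
ca_sign() {
    openssl x509 -req -days 365 -in "$1/$2.csr.pem" -CA "$1/ca.crt.pem" -CAkey "$1/ca.key.pem" \
        -CAcreateserial -out "$1/$2.crt.pem" 2>/dev/null
}

# verify_chain <ca-cert> <cert>: 0 when the certificate chains to the CA
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches_cert <key> <cert>: 0 when the RSA modulus is the same in both
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn <cert>: the subject CN, e.g. to confirm it matches the ServerName
cert_cn() { openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//; s/[,/].*//'; }

# Demo
d=$(mktemp -d)
make_ca "$d"
make_key_and_csr "$d" server1 www.example.com
ca_sign "$d" server1
verify_chain "$d/ca.crt.pem" "$d/server1.crt.pem" && echo "server1 chains to the CA"
key_matches_cert "$d/server1.key.pem" "$d/server1.crt.pem" && echo "key matches certificate"
echo "CN: $(cert_cn "$d/server1.crt.pem")"
```

The modulus comparison is the check that catches the classic outage where a renewed certificate is installed next to the previous year's key: the service starts but no client can complete the handshake.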

  ssh-add   --> collects key passphrases
  ssh-agent --> manages key passphrases
rpm --verify package_name
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat*
rpm --checksig package_file_name

Unit 9: PAM
=========

/etc/nsswitch.conf --> passwd: files nis ldap
  getent services
  getent passwd smith
libpam library
PAM modules in /lib/security
/etc/pam.d
/etc/pam.d/other is used if there is no PAM configuration for an application
/etc/securetty --> check for the ttys
TYPES of PAM modules:
  auth     --> identity
  account  --> account policies
  password --> password changes
  session  --> opens, closes and logs the session
NOTE: look in the system-auth file for entries.
control flags:
  required   --> proceeds to the next cmd
  requisite  --> stops the process
  sufficient --> no other cmds need be processed
  optional   --> ignored
  include    --> ALL modules
system-config-authentication

messages in: /var/log/secure and /var/log/messages
Some Modules:
  pam_unix.so       --> NSS, md5, shadow passwords etc
  pam_securetty.so  --> will allow only user ttys in /etc/securetty
  pam_nologin.so    --> if /etc/nologin exists, users cannot log in
  pam_listfile.so   --> checks authentication against a list in a file
    example: auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
  pam_permit.so     --> allows all users! (Never have this in a secure system, but only for laptops)
  pam_cracklib.so   --> password strength, password history
  pam_passwdqc.so   --> password strength (without dictionary word checking)
  pam_tally.so      --> failed login monitoring in /var/log/faillog
  pam_limits.so     --> resource limits, /etc/security/limits.conf
  pam_console.so    --> permissions on local devices, /etc/security/console.perms
  pam_selinux.so    --> sets the selinux context: root:system_t:unconfined_t, user_t:system_t:unconfined_t
  pam_mkhomedir.so  --> creates the home directory if it does not exist
  pam_rootok.so     --> passes if running as root. Allows su without a password
  pam_timestamp.so  --> sudo, /var/run/sudo
  pam_xauth.so      --> forwards xauth cookies
change password aging: chage -M 90 username
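The control flags and module list above are easiest to understand by walking a stack. The script below is an added example, not part of the notes: it reads a PAM auth stack as "<control> <module> <result>" lines, with each module's outcome simulated in the third column since nothing here calls libpam, and returns the overall verdict. The demo stacks are constructed to mirror su (pam_rootok.so sufficient) and a tty login with pam_securetty.so.

```shell
#!/bin/sh
# Added example, not from the RH253 notes: walk a PAM "auth" stack with the control flags from
# the notes (required, requisite, sufficient, optional) and return the overall result. Module
# outcomes are simulated (the third column), since this runs without libpam; the stacks are
# constructed to mirror su (pam_rootok.so) and login (pam_securetty.so) configurations.

# pam_eval: reads "<control> <module> <ok|fail>" lines on stdin, prints PAM_SUCCESS or PAM_AUTH_ERR
pam_eval() {
    verdict=""          # set as soon as the stack is decided early
    req_failed=no       # a failed required module is remembered, but the stack keeps running
    while read -r control module result; do
        case "$control" in ''|'#'*) continue ;; esac      # blank lines and comments
        [ -n "$verdict" ] && continue                      # already decided: remaining modules skipped
        case "$control:$result" in
            required:fail)   req_failed=yes ;;              # keep going, so the user cannot tell which module failed
            requisite:fail)  verdict=PAM_AUTH_ERR ;;        # returns immediately
            sufficient:ok)   [ $req_failed = no ] && verdict=PAM_SUCCESS ;;   # done, unless a required module already failed
            sufficient:fail) ;;                             # ignored
            optional:*)      ;;                             # ignored (only counts when it is the only module)
            *:ok)            ;;                             # required/requisite success: continue
            *)               echo "bad line: $control $module $result" >&2; return 2 ;;
        esac
    done
    if [ -n "$verdict" ]; then echo "$verdict"
    elif [ $req_failed = yes ]; then echo PAM_AUTH_ERR
    else echo PAM_SUCCESS
    fi
}

# Demo 1: su as root: pam_rootok.so succeeds and is sufficient, so pam_unix.so is never consulted
printf 'sufficient pam_rootok.so ok\nrequired pam_unix.so fail\n' | pam_eval
# Demo 2: login on a tty not in /etc/securetty: required fails, pam_unix.so still runs, result fails
printf 'required pam_securetty.so fail\nrequired pam_unix.so ok\n' | pam_eval
```

Demo 2 is why pam_securetty.so is listed as required rather than requisite in the stock login stack: the password prompt still appears, so a caller on a disallowed tty learns nothing from the timing of the failure.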
