###Kickstart Configurator###
Features:
1. Hands-free, automated installation
2. Scripted installation
3. Script can be used on multiple systems
Note: 'system-config-kickstart' is NOT installed by default
Steps:
1. Open previously created 'anaconda-ks.cfg' file and modify
2. Define partitions accordingly
3. Confirm settings
4. Publish the 'ks.cfg' file to HTTP server
5. Install server using the following at the main menu:
'linux ks=http://192.168.75.100/ks.cfg'
Note: The following can be used to boot a kickstart installation:
1. boot.iso CD-ROM
2. First CD-ROM of the RH5 installation set
3. The DVD-ROM of the RH5 installation set
4. USB Pen/Stick - diskboot.img (use dd)
###FTP INSTALLATION###
Steps:
1. Create FTP user account on FTP server
a. 'useradd -s /bin/false -d /srv/wwwlinuxcbt.com linuxinstall'
b. 'passwd linuxinstall'
2. Confirm FTP connectivity as the user 'linuxinstall'
3. Reboot server with 'boot.iso' CD and type 'linux askmethod'
###BASIC LINUX COMMANDS###
1. tty - reveals the current terminal
2. whoami - reveals the currently logged-in user
3. which - reveals where in the search path a program is located
4. echo - prints to the screen
a. echo $PATH - dumps the current path to STDOUT
b. echo $PWD - dumps the contents of the $PWD variable (the current directory)
c. echo $OLDPWD - dumps the most recently visited directory
5. set - prints and optionally sets shell variables
6. clear - clears the screen or terminal
7. reset - resets the screen buffer
8. history - reveals your command history
a. !690 - executes the 690th command in our history
b. command history is maintained on a per-user basis via:
~/.bash_history
~ = the user's $HOME directory in the BASH shell
Note: ~/.bash_history is a plain-text record of everything typed, including any passwords passed on a command line; treat it as sensitive
9. pwd - prints the working directory
10. cd - changes directory to desired directory
a. 'cd' with no arguments changes to the $HOME directory
b. 'cd ~' changes to the $HOME directory
c. 'cd /' changes to the root of the file system
d. 'cd Desktop/' changes us to the relative directory 'Desktop'
e. 'cd ..' changes us one-level up in the directory tree
f. 'cd ../..' changes us two-levels up in the directory tree
11. Arrow keys (up and down) navigates through your command history
12. BASH supports tab completion:
a. type unique characters in the command and press 'Tab' key
13. You can copy and paste in GNOME terminal windows using:
a. drag with the left button to select (the selection is copied automatically)
b. right button (context menu) to paste OR Ctrl-Shift-v to paste
14. ls - lists files and directories
a. ls / - lists the contents of the '/' mount point
b. ls -l - lists the contents of a directory in long format:
Includes: permissions, links, ownership, size, date, name
c. ls -ld /etc - lists properties of the directory '/etc', NOT the contents of
'/etc'
d. ls -ltr - sorts by modification time, oldest first (newest at the bottom)
e. ls --help - returns possible usage information
f. ls -a - reveals hidden files. e.g. '.bash_history'
Note: files/directories prefixed with '.' are hidden. e.g. '.bash_history'
15. cat - concatenates files
a. cat 123.txt - dumps the contents of '123.txt' to STDOUT
b. cat 123.txt 456.txt - dumps both files to STDOUT
c. cat 123.txt 456.txt > 123456.txt - creates a new concatenated file
16. mkdir - creates a new directory
a. mkdir testRH5 - creates a 'testRH5' directory
17. cp - copies files
a. cp 123.txt testRH5/
By default, 'cp' does NOT preserve the original modification time, ownership or mode; use 'cp -p' (or 'cp -a' for directory trees) when these matter, e.g. when preserving evidence
b. cp -v 456.txt testRH5/
18. mv - moves files
a. mv 123456.txt testRH5/ - moves the file, preserving timestamp
19. rm - removes files/directories
a. rm 123.txt
b. rm -rf 456.txt - removes recursively (-r) and forcibly (-f: no prompts, no error for missing files); with '-r' a directory argument and everything beneath it is removed
20. touch - creates blank file/updates timestamp
a. touch test.txt - will create a zero-byte file, if it doesn't exist
b. touch 123456.txt - will update the timestamp
c. touch -t 200801091530 123456.txt - sets the access and modification times to 2008-01-09 15:30 (format [[CC]YY]MMDDhhmm); because these two timestamps can be set at will, only the inode change time (ctime), which 'touch' cannot set, carries any weight as evidence
21. stat - reveals statistics of files
a. stat 123456.txt - reveals full attributes of the file
22. find - finds files using search patterns
a. find / -name 'fstab'
Note: 'find' can also select on the attributes that 'stat' reports, e.g. -size, -mtime, -perm, -user, -newer
23. alias - returns/sets aliases for commands
a. alias - dumps current aliases
b. alias copy='cp -v'
Pipes '|':
Features: Connects the output stream of one command to the input stream of a subsequent command
1. cat 123.txt | sort
2. cat 456.txt 123.txt | sort
3. cat 456.txt 123.txt | sort | grep 3
###Command Chaining###
Features:
1. Permits the execution of multiple commands in sequence
2. Also permits execution based on the success or failure of a previous command
1. cat 123.txt ; ls -l - this runs the first command, then the second command without regard for the exit status of the first command
2. cat 123.txt && ls -l - this runs the second command only if the first command is successful (exit status 0)
3. cat 1234.txt && ls -l - if '1234.txt' does not exist, 'cat' fails and 'ls -l' is never run
4. cat 123.txt || ls -l - this runs the second command only if the first command fails (non-zero exit status)
Gzip:
Includes:
1. gzip - compresses/decompresses files
2. gunzip - decompresses gzip files
Tasks:
1. compress '1million.txt' file using gzip
a. gzip -c 1million.txt > 1million.txt.gz
Note: without '-c', gzip replaces '1million.txt' in place with '1million.txt.gz'; '-c' writes the compressed data to STDOUT instead, leaving the original untouched
b. gzip -l 1million.txt.gz - returns status information (compressed/uncompressed sizes, ratio)
c. gunzip 1million.txt.gz - restores the file, and removes the compressed version
d. gzip -d 1million.txt.gz - same as 'gunzip'
e. zcat 1million.txt.gz - dumps the uncompressed contents to STDOUT
f. less 1million.txt.gz - pages through the uncompressed contents (via lesspipe)
Bzip2:
1. bzip2 -c 1million.txt > 1million.txt.bz2
Note: Bzip2 usually compresses more tightly than gzip, especially on larger files, at the cost of speed
2. bunzip2 1million.txt.bz2
3. bzip2 -d 1million.txt.bz2
4. bzcat 1million.txt.bz2 - dumps contents to STDOUT
5. less 1million.txt.bz2 - also dumps the contents to STDOUT
###GREP###
Features:
1. The ability to parse lines based on text and/or RegExes
2. Post-processor
3. Searches case-sensitively, by default
4. Searches for the text anywhere on the line
8. rpm -qa | grep grep - searches the package database for packages named 'grep'
9. rpm -qa | grep -i xorg | wc -l - returns the number of packages with 'xorg' in their names
10. grep sshd messages
11. grep -v sshd messages - performs an inverted search (all but 'sshd' entries will be returned)
12. grep -v sshd messages | grep -v gconfd
13. grep -C 2 sshd messages - returns 2 lines of context above and below each matching line
Note: Most, if not all, Linux programs log linearly, which means one line after another, from the earliest to the current
Note: Use single or double quotes to specify RegExes, so the shell does not expand metacharacters such as '*' before grep sees them
Also, use 'egrep' (or 'grep -E') when extended RegExes ('+', '?', '|', grouping) are being used; plain grep treats those characters as literals
###Awk###
Features:
1. Field/Column processor
2. Supports egrep-compatible (POSIX) RegExes
3. Can return full lines like grep
4. Awk runs 3 steps:
a. BEGIN - optional
b. Body, where the main action(s) take place
c. END - optional
5. Multiple body actions can be executed by separating them using semicolons. e.g. '{ print $1; print $2 }'
6. Awk auto-loops through the input stream, regardless of the source of the stream. e.g. STDIN, Pipe, File
Usage:
1. awk '/optional_match/ { action }' file_name | Pipe
2. awk '{ print $1 }' grep1.txt
Note: Use single quotes with awk, to avoid shell interpolation of awk's variables ($1, $2 would otherwise be expanded by the shell)
3. awk '{ print $1,$2 }' grep1.txt
Note: The default input field separator is any run of whitespace; the default output separator (the comma in print) is a single space
4. awk '/linux/ { print } ' grep1.txt - this will print ALL lines containing 'linux'
5. awk '{ if ($2 ~ /Linux/) print}' grep1.txt
6. awk '{ if ($2 ~ /8/) print }' /var/log/messages - this will print the entire line for log items whose day field contains an 8 (8, 18 and 28); use '$2 == 8' for the 8th only
7. awk '{ print $3 }' /var/log/messages | awk -F: '{ print $1}'
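The following is an added example (not part of the original notes) that puts the grep, pipe and awk techniques from the GREP and Awk sections together as a small detection over syslog lines: failed sshd logins are counted per source address, bucketed per hour with the same '$3' then '-F:' split shown in item 7, and thresholded. The log lines, host name and addresses are constructed for the example; pipe real data in with 'grep -v gconfd /var/log/messages | failed_ssh_by_ip'.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages lines (made up for this example).
sample_messages() {
  cat <<'EOF'
Jan 13 15:05:01 linuxcbtserv4 sshd[3121]: Accepted password for linuxcbt from 192.168.75.100 port 40022 ssh2
Jan 13 15:05:09 linuxcbtserv4 sshd[3130]: Failed password for root from 192.168.75.50 port 51234 ssh2
Jan 13 15:05:11 linuxcbtserv4 sshd[3130]: Failed password for root from 192.168.75.50 port 51234 ssh2
Jan 13 15:05:14 linuxcbtserv4 gconfd (linuxcbt-3202): starting (version 2.14.0), pid 3202 user 'linuxcbt'
Jan 13 15:05:20 linuxcbtserv4 sshd[3142]: Failed password for invalid user admin from 10.0.0.7 port 2200 ssh2
Jan 13 15:05:33 linuxcbtserv4 sshd[3150]: Failed password for root from 192.168.75.50 port 51240 ssh2
Jan 13 16:06:02 linuxcbtserv4 sshd[3161]: Accepted publickey for student1 from 192.168.75.101 port 40100 ssh2
EOF
}

# Failed sshd logins per source IP, highest first. Reads syslog lines on stdin.
# The IP is the field after the word "from", wherever it sits on the line.
failed_ssh_by_ip() {
  grep 'sshd\[' | grep 'Failed password' |
    awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break } }
         END { for (ip in n) print n[ip], ip }' |
    sort -rn
}

# Failed logins per hour: take the hh:mm:ss field ($3), then split it on ':'
# with a second awk, exactly as in usage item 7 above.
failed_ssh_per_hour() {
  grep 'Failed password' | awk '{ print $3 }' |
    awk -F: '{ h[$1]++ } END { for (k in h) print k, h[k] }' | sort
}

# Source IPs with more failures than the threshold given as $1.
brute_force_candidates() {
  failed_ssh_by_ip | awk -v t="$1" '$1 > t { print $2 }'
}

sample_messages | failed_ssh_by_ip
```

The awk 'for (ip in n)' loop emits in arbitrary order, which is why the result is passed through 'sort -rn' instead of relying on awk's ordering.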
###Perl###
Features:
1. Parses text
2. Executes programs
3. CGI - Web forms, etc.
4. Supports RegExes (Perl and POSIX)
5. etc.
Task:
1. Print 'Hello World' to STDOUT
a. perl -c helloworld.pl - checks the syntax of the script
b. perl helloworld.pl - executes the script
c. chmod +x helloworld.pl && ./helloworld.pl
2. Parse RegExes from the command line
###System Utilities###
Features:
1. Process listing
2. Free/available memory
3. Disk utilization
1. ps - process status/listing
a. ps -ef or ps aux (BSD-style options take no dash; 'ps -aux' is accepted only with a warning)
2. top - combines ps, uptime, free and updates regularly
3. uptime - returns useful system utilization information:
a. current time
b. uptime - days, hours and minutes
c. connected users
d. load average - 1, 5 and 15 minute values
4. free - returns memory utilization
a. RAM
b. SWAP
free -m - for human readable format
5. df - returns disk partition/mount point information
a. df - returns info. in 1K blocks
b. df -h - returns info. in human-readable units (K/M/G/T)
6. vmstat - reports on: processes, memory, paging, block I/O, traps, CPU activity
a. vmstat
b. vmstat -p /dev/hda1 - returns partitions stats for /dev/hda1 (/boot)
7. gnome-system-monitor - GUI, combining most system utilities
8. ls -ltr /proc
a. cat /proc/cpuinfo
9. kill PID - sends SIGTERM (15) to the process with the given PID, asking it to exit; 'kill -9 PID' sends SIGKILL, which cannot be caught or ignored
10. runlevel - returns runlevel information using 2 fields:
a. represents the previous runlevel ('N' if there was none since boot)
b. represents the current runlevel
###User/Group Management###
Features:
1. The ability to control users and groups
Primary tools:
1. useradd - used to add users ('usermod' modifies existing users, including group membership)
2. system-config-users
Task:
1. Create a user named 'student1' using 'useradd'
Note: Default user settings derive from: /etc/login.defs
a. useradd student1
b. set password for user 'student1': passwd student1
Default User Accounts DB: /etc/passwd
student1:x:501:501::/home/student1:/bin/bash
username:shadow_reference:uid:gid:Description(GECOS):$HOME:$SHELL
Note: /etc/passwd is a world-readable file (needed for UID-to-name lookups) and holds no password hashes, only the 'x' placeholder
Note: /etc/shadow stores the password hashes (the '$1$' prefix below is MD5-crypt; the salt follows, then the hash)
Note: /etc/shadow is NOT world-readable (root only)
Fields in /etc/shadow:
student1:$1$XSFMv2ru$lfTACjN.XxaxbHA0EkB4U0:13891:0:99999:7:::
1. username:
2. encrypted_password:
3. Days_since_Unix_epoch_password_was_changed (01/01/1970)
4. Days before password may be changed
5. Days after which the password MUST be changed
6. Days before password is to expire that user is warned
7. Days after the password expires before the account is disabled (inactivity period)
8. Account expiration date, in days since the Unix epoch
9. Reserved field (currently unused)
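As an added example (not part of the original notes), the audit below reads /etc/shadow-format lines and applies the field meanings just listed: an empty field 2 (no password required), a '!' or '*' prefix (login disabled), field 3 plus field 5 already in the past (password expired) and field 8 reached (account expired). The day number passed as "today" and the accounts and hashes are constructed; on a real system run it as root with '< /etc/shadow shadow_audit'.

```shell
#!/bin/sh
# Constructed /etc/shadow lines (made-up accounts and hashes) for the example.
sample_shadow() {
  cat <<'EOF'
root:$1$Xy9kQ2Lm$fakehashfakehashfakehas:13891:0:99999:7:::
student1:$1$XSFMv2ru$lfTACjN.XxaxbHA0EkB4U0:13891:0:99999:7:::
guest::13891:0:99999:7:::
backup:!!:13800:0:99999:7:::
olduser:$1$Ab3dEf9h$fakehashfakehashfakehas:13000:0:90:7::13500:
svc:*:13891:0:99999:7:::
EOF
}

# Days since the Unix epoch, the unit used by fields 3 and 8 of /etc/shadow.
days_since_epoch() { echo $(( $(date +%s) / 86400 )); }

# Audit shadow entries read on stdin. $1 is "today" as a day number (defaults
# to the real date); pass it explicitly for reproducible checks.
# Prints one "user:ISSUE" line per finding, sorted.
shadow_audit() {
  today=${1:-$(days_since_epoch)}
  awk -F: -v today="$today" '
    # field 2 empty: login succeeds with no password at all
    $2 == ""                    { print $1 ":EMPTY-PASSWORD"; next }
    # "!" or "*" prefix: password login disabled (locked / system account)
    $2 ~ /^[!*]/                { print $1 ":LOCKED"; next }
    # last change (field 3) + max age (field 5) already in the past
    $5 != "" && $3 + $5 < today { print $1 ":EXPIRED-PASSWORD" }
    # field 8: absolute account expiry day, if set and reached
    $8 != "" && $8 <= today     { print $1 ":DISABLED" }
  ' | sort
}

# Hash algorithm per account, from the $id$ prefix of field 2.
shadow_hash_types() {
  awk -F: 'substr($2, 1, 1) == "$" {
    split($2, p, "$")
    alg = "id=" p[2]
    if (p[2] == "1") alg = "md5-crypt"
    else if (p[2] == "5") alg = "sha256-crypt"
    else if (p[2] == "6") alg = "sha512-crypt"
    print $1 ":" alg
  }'
}

sample_shadow | shadow_audit 13910
```

Accounts reported as md5-crypt are worth a second look: the '$1$' scheme in these RHEL5 notes is fast to brute-force, and later releases default to sha512-crypt ('$6$').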
Groups:
1. groupadd - adds new group
2. groups - lists the groups the current (or a named) user belongs to; system-wide membership lives in /etc/group
/etc/group - maintains group membership information
Task: Create a 'sales' group and add 'linuxcbt' and 'student1' as members
1. groupadd sales
2. usermod -G sales linuxcbt
3. usermod -G sales student1
Note: '-G' REPLACES the user's supplementary group list with the groups given; use 'usermod -aG sales user' to append to the existing list
Note: 2 types of groups exist:
1. Primary - used by default for a user's permissions
2. Supplemental - used to determine effective permissions
Note: use 'id' to determine the group information of user
Note: Create a new shell session to realize new group membership information
userdel/groupdel are used to delete users and groups, respectively
SETGID:
Features:
1. Setting the setgid bit (2xxx) on a directory makes every file created inside it inherit the directory's group instead of the creator's primary group; subdirectories created inside also inherit the setgid bit
mkdir /sales
chgrp sales /sales
chmod 2775 /sales
Create a file in the '/sales' directory as 'linuxcbt'
seq 1000000 > linuxcbt.1million.txt
ls -l linuxcbt.1million.txt - the file is owned by group 'sales', not by linuxcbt's primary group
chgrp:
Changes the group owner of a file or directory (as in 'chgrp sales /sales' above)
Sticky Bit:
Features:
1. Ability to ensure that users cannot delete others' files in a directory
drwxrwxrwt 23 root root 4096 Jan 13 15:05 /tmp/
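Added example, not from the original notes: the SETGID and Sticky Bit points above reproduced in a scratch directory so the effect can be seen in 'ls -ld' output, plus the audit a practitioner wants alongside them, a 'find' for world-writable directories that lack the sticky bit (any user can delete or rename anyone else's files there). The directory names are made up; modes are read from 'ls -ld' rather than 'stat -c' so the code is not tied to GNU stat.

```shell
#!/bin/sh
# Symbolic mode of a path from the first field of ls -ld (the trailing '.' or
# '+' that ls appends for SELinux contexts or ACLs is stripped).
mode_of() { ls -ld "$1" | awk '{ sub(/[.+@]$/, "", $1); print $1 }'; }

# Recreate the /sales setup from the notes in a scratch directory and report the
# modes of the directory, a subdirectory created inside it and a file created
# inside it. Output: "<dir> <subdir> <file>"
setgid_demo() {
  base=$(mktemp -d) || return 1
  umask 022
  mkdir "$base/sales"
  chmod 2775 "$base/sales"                      # rwxrwsr-x: setgid on the directory
  mkdir "$base/sales/reports"                   # subdirectories inherit the setgid bit
  seq 10 > "$base/sales/linuxcbt.1million.txt"  # files get the directory's group
  printf '%s %s %s\n' "$(mode_of "$base/sales")" \
    "$(mode_of "$base/sales/reports")" "$(mode_of "$base/sales/linuxcbt.1million.txt")"
  rm -rf "$base"
}

# World-writable directories under $1 that lack the sticky bit: any user could
# delete or rename other users' files there. (/tmp is the model: drwxrwxrwt.)
world_writable_no_sticky() { find "$1" -type d -perm -0002 ! -perm -1000; }

# Demo for the audit: one correct (1777) and one dangerous (0777) directory.
sticky_audit_demo() {
  base=$(mktemp -d) || return 1
  mkdir "$base/tmp_ok" "$base/tmp_bad"
  chmod 1777 "$base/tmp_ok"
  chmod 0777 "$base/tmp_bad"
  world_writable_no_sticky "$base" | sed "s|^$base/||"
  rm -rf "$base"
}

setgid_demo
sticky_audit_demo
```

Run 'world_writable_no_sticky /' (as root, with '-xdev' added to stay on one file system) to find the real offenders.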
###Symlinks###
Features:
1. Provides shortcuts (soft links) to files, including directories
2. Provides hard links: additional directory entries for the same inode (file system) location
Soft Links:
1. ln -s source_file target
a. ln -s ./regextest.pl lastscript.pl
Note: Soft links may span multiple file systems/hard drives
Note: The link count shown by 'ls -l' is NOT increased when using soft links
2. ln -s /home/linuxcbt/testRH5/regextest.pl . - this creates a soft link in the current directory (in the notes, a directory on the /boot file system, i.e. a different file system from the target)
Note: With soft links, if you change the name or location of the source file, you will break ALL of the symlinks (soft) that point to it; they are resolved by path at access time
Hard Links:
Features:
1. The ability to reference the same inode/hard drive location from multiple places within the same file system
a. ln source target
ln regextest.pl ./testhardregextest.pl - creates a hard link
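An added example (not in the original notes) that plays out the claims above in a scratch directory: the hard link raises the link count to 2, renaming the original leaves the soft link dangling while the hard link still reads fine, and a 'find' locates dangling symlinks, which is also how to spot links left behind by removed software. File names follow the notes; the directory is a temporary one.

```shell
#!/bin/sh
# Hard-link count of a path: field 2 of ls -ld.
link_count() { ls -ld "$1" | awk '{ print $2 }'; }

# Symlinks under $1 whose target no longer exists (test -e follows the link).
dangling_links() { find "$1" -type l ! -exec test -e {} \; -print; }

# Reproduce the notes' scenario and report:
#   "<link count after ln> <soft link after rename> <hard link after rename>"
link_demo() {
  base=$(mktemp -d) || return 1
  echo 'print "hello";' > "$base/regextest.pl"
  ln -s regextest.pl "$base/lastscript.pl"              # soft link, relative target
  ln "$base/regextest.pl" "$base/testhardregextest.pl"  # hard link, same inode
  count=$(link_count "$base/regextest.pl")              # 2: original + hard link
  mv "$base/regextest.pl" "$base/renamed.pl"            # rename the original
  soft=broken; [ -r "$base/lastscript.pl" ] && soft=ok  # path no longer resolves
  hard=broken; [ -r "$base/testhardregextest.pl" ] && hard=ok  # inode still has 2 names
  printf '%s %s %s\n' "$count" "$soft" "$hard"
  rm -rf "$base"
}

# One valid and one dangling symlink; only the dangling one is reported.
dangling_demo() {
  base=$(mktemp -d) || return 1
  echo ok > "$base/real.txt"
  ln -s real.txt "$base/good.lnk"         # valid: target exists
  ln -s gone.txt "$base/lastscript.pl"    # dangling: target never existed
  dangling_links "$base" | sed "s|^$base/||"
  rm -rf "$base"
}

link_demo
dangling_demo
```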
###Quotas###
Features:
1. Limits disk usage (blocks or inodes)
2. Tied to file systems (set on a per file system basis)
3. Can be configured for users and groups
Steps to enable quota support:
1. Enable quota support per file system in: /etc/fstab
a. defaults,usrquota,grpquota
2. Remount the file system(s)
a. mount -o remount /
b. use 'mount' to confirm that 'usrquota,grpquota' support are enabled
3. Create quota database files and generate disk usage table
a. quotacheck -mcug / - this creates /aquota.user & /aquota.group
b. quotacheck -mavug
4. Assign quota policies
a. edquota username - set blocks/inodes soft_limits hard_limit
edquota student1 - sets quotas for user 'student1'
export EDITOR=nano - to have edquota default to 'nano' editor
5. Check quotas
a. quota username
quota student1
Note: place 'quotacheck -avug' in /etc/cron.*(hourly,daily)
6. Report on usage
a. repquota -a - this reports on usage
Note: The blocks are measured in 1K increments. i.e. 20000 blocks is roughly 20MB
###Swap###
Steps:
1. Identify current swap space
a. swapon -s - enumerates partitions and/or files, which constitute swap storage
b. free -m
2. Select target drive and provision swap partition
a. fdisk /dev/sdb
b. n
c. 2
d. 500
e. +512M (ends at cylinder 562) - 63 cylinders are required for 512MB on this disk
f. t - change type
g. 82 - Linux Swap/Solaris
h. w - commit changes to disk
3. Create the swap file system on the raw partition: /dev/sdb2
a. mkswap /dev/sdb2
4. Enable swapping - publish the swap space to the kernel
a. swapon /dev/sdb2 - this enables swapping on /dev/sdb2
5. update /etc/fstab
a. /dev/sdb2 swap swap defaults 0 0
swapoff /dev/sdb2 - disables swapping on /dev/sdb2
Task:
1. Improve system performance by distributing swapping to /dev/sdb2
a. swapon /dev/sdb2
b. swapoff /dev/sda6
c. disable /dev/sda6 via /etc/fstab
Task:
1. Create 512MB swap file
a. dd if=/dev/zero of=/home1/swapfile1 bs=1024 count=524288
b. mkswap /home1/swapfile1 - overlays swap file system
c. swapon /home1/swapfile1 - makes swap space available to the kernel
Note: the swap file must not be readable by other users (chmod 0600 /home1/swapfile1), since it can contain pages of other users' processes, including passwords and keys
2. Ensure that when the system reboots, the swapfile is made available to the kernel
a. nano /etc/fstab - /home1/swapfile1 swap swap defaults 0 0
Note: Be certain to update: /etc/fstab so that volumes are mounted when the system reboots
###LVM###
3-tiers of LVM display commands include:
a. pvdisplay - physical volumes - represent raw LVM partitions
b. vgdisplay - volume groups - aggregate physical volumes
c. lvdisplay - logical volumes - file systems - mount here
###RAID###
Features:
1. The ability to increase availability and reliability of data
Tasks:
1. Create a RAID-1 Device (/dev/md0..n)
a. fdisk /dev/sdb - to create usable raw partitions
b. partprobe /dev/sdb - to force a kernel update of the partition layout of the disk: /dev/sdb
c. mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdb5 /dev/sdb6
d. cat /proc/mdstat - lists active RAID (md) information
e. mke2fs -j /dev/md0 - overlays an ext3 file system on the RAID device
f. mount /dev/md0 /raid1
g. update: /etc/fstab
Note: use 'mdadm --query /dev/md0' to get information about a RAID device
Note: both members here (/dev/sdb5 and /dev/sdb6) are on the same disk, which exercises the tooling but protects against nothing if /dev/sdb fails; mirror across separate disks in production
###RPM###
Verify:
1. rpm -Va - verifies ALL packages on the system, returning info. only if there are discrepancies from the original installation
2. rpm -Vf /usr/bin/nano
Task: Change '/usr/bin/nano' then verify
SM5....T /usr/bin/nano
Columns: S (file size), M (mode or permissions), 5 (MD5 digest), D (device), L (symlink path), U (user), G (group), T (mod time); '.' means unchanged
3. rpm -Vp nano-<version>.rpm - verifies against a package file rather than the RPM database ('-p' takes a file, not a package name); use it from trusted media when the database itself may have been tampered with
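The following is an added example, not from the original notes, that parses 'rpm -Va' output in the 8-column RHEL5 layout described above and sorts the findings by what they mean for integrity: a changed MD5 on a non-config file is a replaced binary until proven otherwise, a changed MD5 on a 'c' (config) file is usually expected, and 'missing' lines get their own bucket. The output lines, paths and package contents are constructed; newer rpm releases print a ninth column (P, capabilities), which this parser tolerates since it keys on the characters present. Remember that 'rpm -V' trusts the local rpm binary and database; on a suspect host compare against package files from trusted media with 'rpm -Vp'.

```shell
#!/bin/sh
# Constructed rpm -Va output (made up for the example): an 8-column flag field
# (S M 5 D L U G T, '.' = unchanged), an optional attribute letter (c = config
# file, d = documentation), then the path. "missing" replaces the flags when
# the file is gone altogether.
sample_rpm_verify() {
  cat <<'EOF'
S.5....T  c /etc/ssh/sshd_config
SM5....T    /usr/bin/nano
.......T    /usr/lib/libfoo.so.1
missing     /usr/sbin/useradd
.M......    /var/log/audit
S.5....T    /bin/login
.....UG.    /var/spool/cron
EOF
}

# Classify each rpm -V line read on stdin. A changed MD5 (the '5' column) on a
# non-config file means the content differs from what the package shipped.
classify_rpm_verify() {
  awk '
    $1 == "missing" { print "MISSING " $NF; next }
    {
      flags = $1
      attr  = (NF == 3) ? $2 : ""
      path  = $NF
      if (index(flags, "5"))
        print (attr == "c" ? "CONFIG-CHANGED " : "CONTENT-CHANGED ") path
      else if (flags ~ /[MUG]/)
        print "PERMS-OR-OWNER-CHANGED " path
      else
        print "TIMESTAMP-OR-OTHER " path
    }'
}

# Only the paths whose content changed and that are not config files: the
# shortlist to compare against known-good package files (rpm -Vp <file>.rpm).
content_changed_paths() {
  classify_rpm_verify | awk '$1 == "CONTENT-CHANGED" { print $2 }'
}

sample_rpm_verify | classify_rpm_verify
```

Usage on a live system: 'rpm -Va 2>/dev/null | content_changed_paths'. Changed ownership on a directory such as /var/spool/cron (the UG line in the sample) deserves attention too, since it is where per-user crontabs live.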
Removal:
1. rpm -ev package_name - removes a package ('-e' takes the installed package name, not a .rpm file name)
Note: removal process considers dependencies and will complain if the removal will break 1 or more packages. To get around this, use the '--nodeps' option: 'rpm -ev --nodeps package_name' (this leaves the dependent packages broken, so prefer removing or replacing them instead)
2. rpm -ev gftp
###YUM Configuration###
Features:
1. The ability to centralize packages (updates)
Installation & Setup:
1. Install 'createrepo*rpm'
2. Setup directory structure
a. /srv/www/linuxcbt.com/RH5/yum
3. Run 'createrepo /srv/www/linuxcbt.com/RH5/yum'
4. Publish the yum repository using HTTP
5. Configure yum client to use HTTP to fetch the RPMs
a. /etc/yum.conf
a1. ###Included as our first repository on the SUSE box###
[0001]
name=linuxcbtsuse1
baseurl=http://192.168.75.100/RH5/yum
Note: Ensure that about 3GBs are available for the yum repository
Note: the repository is fetched over plain HTTP, so keep 'gpgcheck=1' in the repository definition and import the vendor signing key with 'rpm --import' so that substituted or corrupted packages are rejected
###Cron - Scheduler###
Features:
1. Scheduler
2. Rules (Cron entries) are based on times:
a. minute (0-59)
b. hour (0-23)
c. day of the month (1-31)
d. month (1-12)
e. day of the week (Sun,Mon,Tue, etc. OR 0-7; both 0 and 7 mean Sunday)
f. command to execute (shell, perl, php, etc.)
3. Wakes up every minute in search of programs to execute
4. Reads cron entries from multiple files
5. Maintains per-user and system-wide (/etc/crontab) schedules
/etc:
cron.d/
cron.deny - users listed here may not use crontab (if cron.allow exists, only the users listed in it may, and cron.deny is ignored)
cron.monthly/ - runs jobs monthly
cron.weekly/ - runs jobs weekly
cron.daily/ - runs jobs daily
cron.hourly/ - runs jobs hourly
crontab - contains system-wide schedules
Note: '*' wildcard in a time column means to run for all values
Per-user Crontabs:
Stored in: /var/spool/cron
Task:
1. Create a cron entry for the user 'student1'
a. su student1
b. crontab -e
c. create an entry, minus the name of the user
Note: 'crontab -l' - enumerates per-user cron entries
System-wide Crontab:
Stored in: /etc/crontab
Task:
1. Create a cron entry in: /etc/crontab
Note: 'crontab -l -u username' - enumerates per-user cron entries
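Added example (not from the original notes): a pure-shell evaluator for the five time fields listed under Features, so that an entry found in /var/spool/cron or /etc/crontab during a review can be asked "does this fire at minute M, hour H, day D, month N, weekday W?" without waiting for cron. It implements Vixie cron semantics as assumed here: '*', single values, ranges, lists, '/step' counting from the start of the range, Sun..Sat names, 0 and 7 both meaning Sunday, and the rule that when both day-of-month and day-of-week are restricted the job runs if either matches.

```shell
#!/bin/sh
# Match one crontab time field ("*", "5", "1-5", "*/15", "1,15,30", "1-5/2")
# against a value. $3 and $4 are the field's legal range: "*" expands to it and
# "*/step" counts from its low end, as Vixie cron does.
cron_field_matches() {
  field=$1 val=$2 lo_bound=$3 hi_bound=$4
  set -f                        # fields contain '*': disable pathname expansion
  IFS=','
  for part in $field; do        # comma-separated list of values/ranges
    step=1
    case $part in */*) step=${part#*/}; part=${part%/*} ;; esac
    case $part in
      '*') lo=$lo_bound; hi=$hi_bound ;;
      *-*) lo=${part%-*}; hi=${part#*-} ;;
      *)   lo=$part; hi=$part ;;
    esac
    if [ "$val" -ge "$lo" ] && [ "$val" -le "$hi" ] && [ $(( (val - lo) % step )) -eq 0 ]; then
      unset IFS; set +f; return 0
    fi
  done
  unset IFS; set +f; return 1
}

# The day-of-week field accepts Sun..Sat as well as 0-7 (0 and 7 are Sunday).
dow_names_to_numbers() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' |
    sed -e 's/sun/0/g' -e 's/mon/1/g' -e 's/tue/2/g' -e 's/wed/3/g' \
        -e 's/thu/4/g' -e 's/fri/5/g' -e 's/sat/6/g'
}

# cron_matches "<min> <hour> <dom> <mon> <dow>" MIN HOUR DOM MON DOW
# Returns 0 when an entry with those five time fields fires at that moment.
cron_matches() {
  set -f
  set -- $1 "$2" "$3" "$4" "$5" "$6"   # $1-$5: the fields, $6-$10: the moment
  set +f
  cron_field_matches "$1" "$6" 0 59 || return 1     # minute
  cron_field_matches "$2" "$7" 0 23 || return 1     # hour
  cron_field_matches "$4" "$9" 1 12 || return 1     # month
  dowf=$(dow_names_to_numbers "$5"); dowv=${10}
  [ "$dowv" -eq 7 ] && dowv=0
  dom_ok=1; dow_ok=1
  cron_field_matches "$3" "$8" 1 31 && dom_ok=0
  { cron_field_matches "$dowf" "$dowv" 0 7 ||
    { [ "$dowv" -eq 0 ] && cron_field_matches "$dowf" 7 0 7; }; } && dow_ok=0
  # Vixie cron rule: if BOTH day fields are restricted (neither starts with
  # '*'), the job runs when EITHER matches; otherwise both must match.
  case "$3:$5" in
    \**:*|*:\**) [ $dom_ok -eq 0 ] && [ $dow_ok -eq 0 ] ;;
    *)           [ $dom_ok -eq 0 ] || [ $dow_ok -eq 0 ] ;;
  esac
}

cron_matches "30 2 * * Mon-Fri" 30 2 14 1 3 && echo "'30 2 * * Mon-Fri' fires at 02:30 on Wed 14 Jan"
```

The sixth field of a per-user entry (the command) and the user column of /etc/crontab are not part of the time match and are passed separately when reviewing an entry.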
###SysLogD###
Features:
1. Handles logging
2. Unix Domain Sockets (/dev/log)
3. Internet Sockets (UDP:514)
4. Ability to log to local and remote targets
Implemented as the 'sysklogd' package
Note: syslogd accepts messages on UDP:514 from the network only when started with '-r' (SYSLOGD_OPTIONS in /etc/sysconfig/syslog); UDP syslog is neither authenticated nor encrypted, so restrict the senders with a firewall
###Log Rotation###
Features:
1. Rotation of logs based on criteria
a. size
b. age (daily, weekly, monthly)
2. Compression
3. Maintain logs for a defined period
PING:
Features:
1. ability to communicate with hosts using ICMP
a. PING sends ICMP echo-requests
b. PING expects to receive ICMP echo-replies
Task: PING some hosts and evaluate the output
1. ping localhost (127.0.0.1)
2. ping -c 3 localhost - sends 3 ICMP echo-requests
Note: 'ping localhost' performs name resolution using /etc/hosts
/etc/hosts stores static name-to-IP mappings
Note: 127.0.0.0/8 is fully-reserved to the loopback adapter of ALL IPv4 hosts
3. ping -c 3 192.168.75.199
4. ping -c 3 -i 3 192.168.75.199 - delays PINGs to 3 seconds apart
Note: PING defaults to a standard 1-second interval
Note: Firewall(s) may block ICMP traffic, causing PING to fail
TELNET:
Features:
1. Great for basic TCP port diagnosis (a plain TCP connect; anything typed into a telnet session, credentials included, travels in the clear)
Task:
1. Connect to TCP ports on various hosts
a. telnet 192.168.75.100 22
b. telnet www.linuxcbt.com 80
NETSTAT:
Features:
1. Provides network connection information from /proc/net/*
Task:
1. Return useful information for various protocols
a. netstat
b. netstat -a - returns all protocols/sockets
c. netstat -ntlp - returns all TCP LISTENERS without name resolution, with the owning PID/program ('-p' shows other users' processes only when run as root)
d. netstat -nulp - returns all UDP LISTENERS without name resolution
Note: netstat uses /etc/services to translate ports to names
Note: 0.0.0.0:514 - this means that Syslog will accept traffic to any of the defined IP addresses/interfaces on the system; 127.0.0.1:port would mean loopback only
e. netstat -ntp - returns established connections (sockets)
f. netstat -rn - returns the routing table
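An added example (not from the original notes) that turns the 0.0.0.0 observation above into a check: it reads 'netstat -ntulp' output and lists only the listeners bound to every interface (0.0.0.0 for IPv4, :: for IPv6), then picks out the cleartext services these notes set up elsewhere (telnet on 23, syslog on udp/514). The netstat output, PIDs and program names are constructed; on a real host run 'netstat -ntulp | exposed_listeners' as root.

```shell
#!/bin/sh
# Constructed 'netstat -ntulp' output (made-up PIDs/programs) for the example.
sample_netstat() {
  cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2512/master
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2300/sshd
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN      2600/mysqld
tcp        0      0 0.0.0.0:23                  0.0.0.0:*                   LISTEN      2450/xinetd
tcp        0      0 :::80                       :::*                        LISTEN      2700/httpd
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               2241/syslogd
EOF
}

# Listeners bound to every interface (0.0.0.0 or ::), i.e. reachable from the
# network rather than loopback only. Output: "<proto> <port> <program>".
# UDP lines have no State column, so the program is always taken from $NF.
exposed_listeners() {
  awk '
    $1 !~ /^(tcp|udp)/ { next }                  # skip the two header lines
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }       # TCP: listening sockets only
    {
      n = split($4, a, ":"); port = a[n]        # port follows the last colon ...
      addr = substr($4, 1, length($4) - length(port) - 1)   # ... address is the rest
      prog = $NF; sub(/^[^\/]*\//, "", prog)    # "2300/sshd" -> "sshd"
      if (addr == "0.0.0.0" || addr == "::") print $1, port, prog
    }'
}

# The subset of exposed listeners that are cleartext services discussed in
# these notes (ftp 21, telnet 23, syslog udp/514).
exposed_cleartext() {
  exposed_listeners | awk '$2 == 21 || $2 == 23 || $2 == 514'
}

sample_netstat | exposed_listeners
```

Services that only local processes need (the master and mysqld lines in the sample) belong on 127.0.0.1, which is exactly what this report leaves out.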
ARP:
Features:
1. Resolves layer-3 (OSI model) IP addresses to layer-2 MAC addresses
Task:
1. Examine MAC addresses using: ifconfig and arp
a. ifconfig - returns our local MAC addresses
Link encap:Ethernet HWaddr 00:02:B3:98:41:08
b. arp -a - returns MAC to IP mappings
Note: When 2 IPv4 hosts on the same link communicate, ARP is performed to translate the IPv4 address to a MAC address (IPv6 uses Neighbor Discovery instead of ARP)
Note: If one or more routers separate the communicating hosts, then the MAC address of the default router's (gateway's) interface is stored by each client
Note: ARP replies are not authenticated; any host on the link can answer for any address (ARP spoofing), so 'arp -a' entries are only as trustworthy as the local network
###Kernel Upgrade###
Install:
a. rpm -ivh kernel-2.6.18-53.el5.i686.rpm
Note: This will update GRUB (/boot/grub/grub.conf)
Note: Will also place the new kernel in the /boot file system
Examine traces in:
a. /boot
b. /boot/grub/grub.conf
3. Remove traces of former kernel using 'rpm -e [--nodeps]'
a. kernel-2.6.18-8.el5 - removes older version
b. kernel-headers-2.6.18-8.el5 - force remove ignoring dependencies: 'rpm -e --nodeps kernel-headers-2.6.18-8.el5'
c. kernel-devel-2.6.18-8.el5
4. Install new 'kernel-headers' and 'kernel-devel' packages using YUM:
a. yum -y install kernel-headers
b. yum -y install kernel-devel
5. Confirm that the 3 'kernel-*' packages are installed:
a. rpm -qa | grep kernel
Note: Removal of older kernel-* packages cleans up:
a. /boot
b. /boot/grub/grub.conf (menu.lst)
###LFTP###
Features:
1. Sophisticated FTP client
2. Provides connectivity:
a. FTP
b. HTTP/HTTPS
c. SFTP(SSHv2)
3. Interactive and non-interactive client
4. Supports scripting
5. Reads system-wide (/etc/lftp.conf) and per-user config files (~/.lftprc)
6. Behaves like the BASH shell
a. Command history
b. Permits execution of background jobs. Use CTRL-Z to background.
c. Tab completion
7. Supports mirroring (forward and reverse) of content
8. Supports FTP retransmit/reconnect from where you left off
9. Supports bookmarks of sites
10. Supports escape to shell using '!command' e.g. '!bash'
11. Supports the execution of BASH programs '!command' e.g. '!ps -ef'
Usage:
1. lftp - enters interactive mode
a. 'set -a' - reveals all variables
2. lftp linuxcbt@192.168.75.199
3. mget -c - continues downloads
4. mput -c - continues uploads
5. lftp -u linuxcbt,abc123 sftp://192.168.75.199 - Connects to SFTP server (a password given on the command line is visible in 'ps' and saved in ~/.bash_history; give only the user, 'lftp -u linuxcbt sftp://...', to be prompted instead)
6. mirror -v mirror/ - mirrors a remote directory named 'mirror' to the local s
ystem
7. mirror -Rv mirror/ - Reverse mirror (puts) - items to remote server
###Telnet Server###
Features:
1. Shell interface on remote system
2. Binds to TCP:23
Caveat:
1. Clear-text based application (credentials are transmitted in the clear)
2. By default, 'root' is NOT permitted access via telnet-server - /etc/securetty
Requirements:
1. xinetd - installed automatically via yum
Install Telnet Server:
1. yum -y install telnet-server
2. nano /etc/xinetd.d/telnet - change 'disable = yes' to 'disable = no'
3. service xinetd restart - effects changes
Tasks:
1. Connect to both systems from either system using 'telnet' client
a. telnet 192.168.75.199 - This will allocate a free pseudo-terminal, if the user authenticates successfully
Note: By default, telnet-server reads and displays the contents of: /etc/issue
Note: TCP|UDP ports are 16-bit based: 2**16, OR, 0-65535
Note: ptys are assigned sequentially, by default
2. Enable 'root' login via telnet (NOT recommended: the root password would cross the network in the clear)
a. mv /etc/securetty /etc/securetty.disabled
Note: Wherever/whenever possible opt for SSH in place of Telnet Server
Reverse Zones:
Features:
1. The ability to resolve a name, given an IPv4 or IPv6 address
Tasks:
1. Define an IPv4 reverse zone for the local subnet:
a. Define zone name: '75.168.192.in-addr.arpa' - /etc/named.conf
b. Update: /etc/named.conf
c. Create zone file in: /var/named
d. Update configuration
e. Restart named
f. test using 'dig -x 192.168.75.1'
Note: IPv4 reverse zone names are the network-prefix octets written in reverse order under in-addr.arpa (192.168.75.0/24 -> 75.168.192.in-addr.arpa)
2. /var/named/zone_file
a. Include entries using the last 64 bits, i.e. the IPv6 host part
d.a.a.4.b.1.e.f.f.f.e.5.a.0.2.0 IN PTR linuxcbtmedia1.linuxcbt.internal.
Note: When creating reverse IPv6 entries for hosts, do the following:
a. reverse the 64-bit portion of the address that corresponds to the host, expanding all zeros
b. Create PTR record based on the reversed, nibble-format of the address
Test using dig:
a. dig -x 2002:4687:db25:3:20a:5eff:fe1b:4aad
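Added example, not part of the original notes: the nibble conversion from the two steps above done by hand in shell and awk, so a PTR owner name can be built (or a zone file checked) without trusting the eye. It expands the '::' gap and leading zeros, reverses all 32 nibbles under ip6.arpa, and also returns only the first 16 labels (the host's 64 bits), which for the address used in the notes reproduces the 'd.a.a.4.b.1.e.f.f.f.e.5.a.0.2.0' owner name shown in the zone file above. The IPv4 helper does the same octet reversal under in-addr.arpa. IPv4-mapped addresses ('::ffff:a.b.c.d') are assumed not to occur.

```shell
#!/bin/sh
# Expand an IPv6 address to eight zero-padded 4-digit groups, lowercase.
# Handles one "::" gap; the IPv4-mapped "::ffff:a.b.c.d" form is not handled.
ip6_expand() {
  printf '%s\n' "$1" | awk -F: '{
    nonempty = 0
    for (i = 1; i <= NF; i++) if ($i != "") nonempty++
    missing = 8 - nonempty              # groups the "::" stands for
    out = ""; filled = 0
    for (i = 1; i <= NF; i++) {
      if ($i == "") {                   # the "::" shows up as empty fields
        if (!filled) { for (j = 0; j < missing; j++) out = out "0000:"; filled = 1 }
        continue
      }
      g = tolower($i)
      while (length(g) < 4) g = "0" g   # expand leading zeros, e.g. 3 -> 0003
      out = out g ":"
    }
    sub(/:$/, "", out); print out
  }'
}

# Nibble-reversed name under ip6.arpa: what 'dig -x' queries and the fully
# qualified owner name of the PTR record.
ip6_ptr_name() {
  ip6_expand "$1" | awk '{
    gsub(/:/, "")                       # 32 hex digits
    r = ""
    for (i = length($0); i >= 1; i--) r = r substr($0, i, 1) "."
    print r "ip6.arpa"
  }'
}

# Only the host part (last 64 bits = first 16 reversed nibbles): the
# zone-relative owner name when the zone covers the /64 prefix.
ip6_host_nibbles() {
  ip6_ptr_name "$1" | awk -F. '{ out = $1; for (i = 2; i <= 16; i++) out = out "." $i; print out }'
}

# IPv4 equivalent: octets reversed under in-addr.arpa.
ip4_ptr_name() {
  printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

ip6_ptr_name 2002:4687:db25:3:20a:5eff:fe1b:4aad
ip4_ptr_name 192.168.75.1
```

Comparing 'ip6_host_nibbles <address>' with the owner names in the zone file is a quick way to catch the off-by-one-nibble mistakes that make a reverse lookup silently fail.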
###AutoFS###
Features:
1. Automatically mounts file systems (NFS, local, SMBFS, etc.) upon I/O request
Requirements:
1. autofs-*rpm must be installed
/etc/auto.master - primary configuration file
- also contains mount points and their mappings
/etc/sysconfig/autofs - default startup directives
Note: AutoFS must be running in order to auto-mount directories
Task:
1. Create an automount for /shares, which will mount /nfs1 & /nfs2
a. update /etc/auto.master - '/shares /etc/auto.shares'
b. cp /etc/auto.misc /etc/auto.shares
c. update the rules in /etc/auto.shares
d. Create AutoFS tree: /shares/
e. Restart the autofs service
f. Unmount: /nfs1 & /nfs2 if necessary
Note: Do NOT auto-mount directories that are already mounted
g. Test access to AutoFS controlled directory
g1. 'ls -l /shares/nfs1'
Note: syntax for auto-mount files is as follows:
<mount-point> [<options>] <location>
nfs1 -fstype=nfs 192.168.75.199:/nfs1
###Samba ###
Features:
1. Provides Windows features (file & print) on Linux | Unix
/etc/samba/smb.conf - primary config file
Clients:
1. findsmb - finds SMB hosts on the network
2. smbtree - equivalent to Network Neighborhood/My Network Places (prints workgroups, hosts, and shares)
3. smbget - similar to 'wget', in that, it will download files from the remote share
a. smbget -u dean smb://linuxcbtwin1/mtemp/20070524_SAN_Allocations.ods
4. smbclient - interactive (FTP-like) utility to connect to shares - permits uploads/downloads from shares
a. smbclient -U dean //linuxcbtwin1/mtemp
b. mget file* - downloads file(s)
c. mput file* - uploads file(s)
Samba Server:
/etc/samba/smb.conf - primary config file
SWAT manages /etc/samba/smb.conf
Samba Server Modes:
1. User
a. One Samba-defined user is required per Linux user
b. Authentication of users is handled by Samba server
2. Server/Domain (PDC/BDC)
a. Authentication is handled by the Windows NT/2K/2K3/2K8 server
b. Still requires a local Samba-defined user accounts database
3. ADS - Active Directory
a. Authentication is handled by Active Directory
b. When used with Winbind, locally-defined Samba users are NOT required
Note: Ultimately, users must authenticate to the local Linux file system
Task:
1. Install SWAT
a. yum -y install samba-swat
b. nano /etc/xinetd.d/swat - set 'disable = no'
c. service xinetd restart
d. netstat -ntl | grep 901 - SWAT listens on TCP 901
Note: SWAT is plain HTTP and asks for the root password, so keep it bound to localhost ('only_from = 127.0.0.1' in /etc/xinetd.d/swat) and reach it through an SSH tunnel rather than exposing it on the network
/etc/samba/smbpasswd maps Windows users to /etc/passwd
2. Install rdesktop and connect to Windows XP to test connectivity to Samba
a. yum -y install rdesktop
Winbind:
Features:
1. Windows AD integration
2. Avoids having to define users in 2 places: Windows, Linux
3. Uses Kerberos for authentication
Requirements:
1. krb5-* packages
2. Properly configured Kerberos environment:
a. /etc/krb5.conf
[libdefaults]
default_realm = AD2.LINUXCBT.INTERNAL
[realms]
AD2.LINUXCBT.INTERNAL = {
kdc = linuxcbtwin3.ad2.linuxcbt.internal
admin_server = linuxcbtwin3
}
[domain_realm]
.linuxcbtwin3.ad2.linuxcbt.internal = AD2.LINUXCBT.INTERNAL
Steps:
1. Update: /etc/krb5.conf
2. Update Samba configuration to use ADS authentication
3. Update Samba server's DNS to point to ADS server
a. /etc/resolv.conf
b. /etc/hosts - including a pointer to the ADS server (linuxcbtwin3)
4. Join AD domain:
a. 'net ads join -U administrator'
5. Confirm AD membership using: 'Active Directory Users & Computers' Tool
6. Setup Winbind to authenticate using ADS:
a. /etc/pam.d/system-auth - account & auth settings
auth sufficient /lib/security/pam_winbind.so - place before 'pam_unix.so'
account sufficient /lib/security/pam_winbind.so
b. /etc/nsswitch.conf
passwd: files winbind
group: files winbind
c. Configure 'idmap' 'uid & gid' mappings - 10000 - 20000
Use SWAT to update idmap settings for 'uid & gid'
Note: If you want ADS users to be able to logon to your Samba-Winbind Linux box using SSH, Telnet, mingetty, etc., change the 'Template Shell' directive to a valid shell. i.e. /bin/bash
d. Create 'Template homedir' %D (Domain) directory beneath '/home'
mkdir /home/LINUXGENIUS
7. Test Winbind Integration using: wbinfo
a. wbinfo -u - this enumerates users in AD
b. wbinfo -g - this enumerates groups in AD
c. ssh into LINUXCBTSERV1 (Winbind) as ADS user
Task1:
1. Authenticate using ADS, as 'administrator' from Windows box
2. Create a user named 'linuxcbt' in AD
3. Create shared directory on the Samba box, and provide access (Share it)
###Apache###
Tasks:
1. Install Apache 2.2x
a. httpd*rpm
/etc/httpd - top-level configuration container on RH5
/etc/httpd/conf - primary configuration directory
/etc/httpd/conf/httpd.conf - primary Apache configuration file
/etc/httpd/conf.d - drop-in configuration directory, read by Apache upon startup
2. Explore: /etc/httpd/conf/httpd.conf
a. HTTPD runs as: apache:apache
b. Apache maintains, always, a 'main' server, which is independent of Virtual Hosts. This server is a catch-all for traffic that doesn't match any of the defined virtual hosts.
c. <Directory> directive governs file system access.
Note: The primary Apache process runs as 'root', and has access to the full file system. However, the <Directory> directive restricts the web-user's view of the file system.
d. Test access to '.ht*' files from web root
e. ErrorLog logs/error_log - default error log file for ALL hosts
f. logs/access_log - default log file for default server
Note: Every directory, outside of the 'DocumentRoot' should have at least one <Directory> directive defined.
3. Start Apache and continue to explore
a. service httpd start
root 31324 1 0 10:17 ? 00:00:00 /usr/sbin/httpd
apache 31326 31324 0 10:17 ? 00:00:00 /usr/sbin/httpd
apache 31327 31324 0 10:17 ? 00:00:00 /usr/sbin/httpd
apache 31328 31324 0 10:17 ? 00:00:00 /usr/sbin/httpd
apache 31329 31324 0 10:17 ? 00:00:00 /usr/sbin/httpd
apache 31330 31324 0 10:17 ? 00:00:00 /usr/sbin/httpd
apache 31331 31324 0 10:17 ? 00:00:00 /usr/sbin/httpd
apache 31332 31324 0 10:17 ? 00:00:00 /usr/sbin/httpd
apache 31333 31324 0 10:17 ? 00:00:00 /usr/sbin/httpd
Note: Parent Apache runs as 'root' and can see the entire file system
Note: However, child processes run as 'apache' and can only see files/directories that 'apache:apache' can see
4. Create an Alias for content outside of the web root (/var/www/html)
a. Alias /testalias1 /var/www/testalias1
<Directory /var/www/testalias1>
AllowOverride None
order allow,deny
allow from all
</Directory>
5. Ensure that Apache will start when the system boots
a. chkconfig --level 35 httpd on && chkconfig --list httpd
Virtual Hosts Configuration:
Features:
1. Ability to share/serve content based on 1 or more IP addresses
2. Supports 2 modes of Virtual Hosts:
a. IP Based - one site per IP address
b. Host header names - multiple sites per IP address
Tasks:
1. Create IP Based Virtual Hosts
a. ifconfig eth0:1 192.168.75.210
b. Configure the Virtual Host:
<VirtualHost 192.168.75.210>
ServerAdmin webmaster@linuxcbtserv4.linuxcbt.internal
ServerName site1.linuxcbt.internal
DocumentRoot /var/www/site1
<Directory /var/www/site1>
Order allow,deny
Allow from all
</Directory>
CustomLog logs/site1.linuxcbt.internal.access.log combined
ErrorLog logs/site1.linuxcbt.internal.error.log
</VirtualHost>
c. Create: /var/www/site1 and content
d. Update: /etc/httpd/conf/httpd.conf with VHost information
###MySQL###
Features:
1. DBMS Engine
2. Compatible with various front-ends:
a. Perl
b. PHP
c. ODBC
d. GUI Management
Tasks:
1. Install MySQL Client & Server
a. yum -y install mysql
/etc/my.cnf - primary config file
/usr/bin/mysql - primary client used to interact with the server
/usr/bin/mysqladmin - primary admin utility to return useful info, and perform admin tasks from the shell
b. yum -y install mysql-server
/usr/libexec/mysqld - DBMS engine
2. Start MySQL server and modify perms for 'root'
a. service mysqld start
b. chkconfig --level 35 mysqld on
c. mysqladmin -u root password abc123 - sets the MySQL root password (a password given on the command line is visible in 'ps' while it runs and is kept in ~/.bash_history; 'mysql_secure_installation' prompts for it instead and also drops the anonymous accounts and test database)
###Postfix MTA###
Features:
1. Message Transfer Agent (MTA)
2. Modular (e.g. SpamAssassin can be hooked in)
3. Drop-in replacement for Sendmail, as it provides a 'sendmail' binary
Note: Use 'system-switch-mail*' package to switch between Postfix and Sendmail
Tasks:
1. Install Postfix
a. yum -y install postfix
/etc/postfix - primary configuration directory
/etc/postfix/main.cf - primary configuration file
/etc/postfix/transport - contains routing rules for domains
/etc/postfix/virtual - contains virtual user mappings
2. Install 'system-switch-mail' package
a. yum -y install system-switch-mail
3. Switch default MTA from Sendmail, to Postfix
a. system-switch-mail
Note: The default Postfix configuration binds to 127.0.0.1:25
4. Test local mail delivery
a. Use 'mutt' to test local delivery
5. Configure Postfix to receive messages from remote systems
a. set: inet_interfaces = all
b. set: mydestination = linuxcbt.internal
Note: once Postfix listens on all interfaces, 'mynetworks' decides who may relay through it; leave it at the local network (or 127.0.0.0/8) so the host does not become an open relay
c. service postfix restart
d. Confirm directives using: 'postconf'
e. Attempt to send message from LINUXCBTSERV1 -> LINUXCBTSERV4
f. If it fails, configure MTA on LINUXCBTSERV1 to listen to routable IP
f1. update /etc/mail/sendmail.mc
f2. make all -C /etc/mail
f3. service sendmail restart
Note: Ensure that the 'sendmail-cf*' package is installed, in order to build the .cf files from the .mc files
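Added example, not from the LinuxCBT notes: a shell check of the main.cf directives that matter once the MTA is opened to remote systems (step 5 above), flagging the open-relay failure mode. The main.cf files it reads are constructed samples; the defaults it assumes are those of Postfix 2.x, which RH5 ships.

```sh
#!/bin/sh
# Added example (not from the LinuxCBT notes): Postfix exposure check.
# Assumptions: Postfix 2.x defaults (inet_interfaces=all compiled in, mynetworks_style=subnet).

pf_get() {
  # $1 = main.cf, $2 = parameter name. Prints the value; the last assignment wins,
  # as in Postfix. Single-line values only (continuation lines are not handled).
  awk -v k="$2" -F'=' '
    $1 ~ ("^[ \t]*" k "[ \t]*$") {
      v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); val = v
    }
    END { print val }' "$1"
}

pf_exposure() {
  # $1 = main.cf. Prints findings; returns 1 when the server would relay for clients
  # it should not.
  f=$1; rc=0
  ifaces=$(pf_get "$f" inet_interfaces)
  nets=$(pf_get "$f" mynetworks | tr ',' ' ')
  style=$(pf_get "$f" mynetworks_style)
  case ${ifaces:-all} in    # compiled-in default is "all"; RH5's shipped main.cf sets localhost
    localhost|127.0.0.1)
      echo "inet_interfaces=$ifaces: not reachable from remote systems"; return 0;;
  esac
  echo "inet_interfaces=${ifaces:-all}: reachable from the network"
  if [ -z "$nets" ] && [ "${style:-subnet}" != host ]; then
    # mynetworks_style=subnet: every host on an attached subnet may relay through us
    echo "mynetworks unset (mynetworks_style=${style:-subnet}): whole subnet may relay; set mynetworks explicitly"
    rc=1
  elif [ -n "$nets" ]; then
    case " $nets " in
      *" 0.0.0.0/0 "*) echo "mynetworks contains 0.0.0.0/0: open relay"; rc=1;;
      *) echo "mynetworks=$nets: relaying limited to these networks";;
    esac
  fi
  return $rc
}
```

Run it against /etc/postfix/main.cf after step 5c, or against the output of 'postconf -n' redirected to a file, which has the same key = value layout.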
Tasks:
1. Install Squirrelmail with support via Apache
a. Download from squirrelmail.org - *.bz2
b. Confirm the MD5SUM
c. Copy the *.bz2 file to the Apache server
d. yum -y install php php-imap - installs PHP support for Apache/IMAP
e. mkdir /var/www/mail
f. Extract Squirrelmail to: /var/www/mail
g. Optionally, create a symlink named 'mail' to point to the SquirrelMail version directory
h. Create the Apache Virtual Host
<VirtualHost 192.168.75.199:80>
ServerAdmin webmaster@mail.linuxcbt.internal
ServerName mail.linuxcbt.internal
DocumentRoot /var/www/mail
<Directory /var/www/mail>
Options FollowSymLinks
Order allow,deny
Allow from all
</Directory>
CustomLog logs/mail.linuxcbt.internal.access.log combined
ErrorLog logs/mail.linuxcbt.internal.error.log
</VirtualHost>
i. Restart Apache
j. Configure SquirrelMail defaults: /var/www/mail/mail/config/conf.pl
k. Create 'attach' and 'data' directories for SquirrelMail: /var/local/squirrelmail/{data,attach}
l. Update permissions so SquirrelMail may write to 'data' and 'attach' directories: chown -R apache.apache /var/local/squirrelmail
m. Setup DNS
n. Attempt to access SquirrelMail
http://mail.linuxcbt.internal/mail
http://mail.linuxcbt.internal/mail/src/configtest.php
Note: If SELinux is enabled, use 'setsebool...' to allow httpd to connect to IMAP and SMTP ports. Consult: /var/log/messages
Tasks:
1. Install Squid Proxy server
a. yum -y install squid
/etc/squid - primary configuration container
/etc/squid/squid.conf - primary configuration file
/usr/sbin/squidclient - used to test Squid Proxy server
/var/log/squid - primary log directory
/var/spool/squid - cache directory container
2. Start Squid, and ensure that it starts when the system reboots
a. service squid start
b. chkconfig --level 35 squid on
Note: Ensure that ample/fast disk storage is available for: /var/spool/squid
Note: Squid defaults to TCP:3128
3. Configure Firefox browser to use Squid Proxy server
4. Configure Squid to allow LAN access through, to resources
a. nano /etc/squid/squid.conf
b. acl lan_users src 192.168.75.0/24
c. http_access allow lan_users
5. Deny 192.168.75.10, but allow ALL other users from the local subnet
a. acl lan_bad_users src 192.168.75.10
b. http_access deny lan_bad_users
Note: Squid evaluates 'http_access' lines in order and stops at the first match, so the 'deny lan_bad_users' line must appear BEFORE 'http_access allow lan_users'; placed after it, the deny is never reached because 192.168.75.10 already matched the subnet allow
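Added example, not from the LinuxCBT notes: a shell simulator of Squid's first-match evaluation of 'http_access' lines over 'src' ACLs, used to show the difference between putting the deny for 192.168.75.10 before or after the subnet allow. The squid.conf files are constructed samples, and only 'src' ACLs in IP/prefix-length (or bare IP) form are understood.

```sh
#!/bin/sh
# Added example (not from the LinuxCBT notes): first-match simulation of Squid http_access.
# Assumptions: only 'src' ACLs, prefix-length or bare-IP notation, no '!' negation.

ip_to_int() {
  ip=$1; oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

ip_in_cidr() {
  # $1 = client IP, $2 = "net/bits" or a bare IP (treated as /32)
  case $2 in */*) net=${2%/*}; bits=${2#*/};; *) net=$2; bits=32;; esac
  mask=$(( (4294967295 >> (32 - bits)) << (32 - bits) ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

squid_decide() {
  # $1 = squid.conf, $2 = client IP. Prints allow|deny the way Squid decides it:
  # http_access lines are tried in order, the first matching line wins, and when
  # nothing matches the result is the opposite of the last http_access line.
  conf=$1; ip=$2; last=
  while read -r kw action aclname _; do
    [ "$kw" = http_access ] || continue
    last=$action
    for cidr in $(awk -v n="$aclname" \
        '$1 == "acl" && $2 == n && $3 == "src" { for (i = 4; i <= NF; i++) print $i }' "$conf"); do
      if ip_in_cidr "$ip" "$cidr"; then echo "$action"; return 0; fi
    done
  done < "$conf"
  case $last in allow) echo deny;; deny) echo allow;; *) echo deny;; esac
}

make_conf() {
  # $1 = output path, $2 = "right" (deny first) or "wrong" (allow first). Constructed sample.
  {
    echo 'acl all src 0.0.0.0/0'
    echo 'acl lan_users src 192.168.75.0/24'
    echo 'acl lan_bad_users src 192.168.75.10'
    if [ "$2" = right ]; then
      echo 'http_access deny lan_bad_users'
      echo 'http_access allow lan_users'
    else
      echo 'http_access allow lan_users'      # also matches .10, so the deny below never fires
      echo 'http_access deny lan_bad_users'
    fi
    echo 'http_access deny all'
  } > "$1"
}

# Demo: the "wrong" ordering still lets the banned host through.
d=$(mktemp -d)
make_conf "$d/right.conf" right; make_conf "$d/wrong.conf" wrong
for ip in 192.168.75.10 192.168.75.20 10.0.0.5; do
  echo "$ip: right=$(squid_decide "$d/right.conf" "$ip") wrong=$(squid_decide "$d/wrong.conf" "$ip")"
done
rm -rf "$d"
```

After editing the real squid.conf, 'squid -k parse' checks the syntax and 'squid -k reconfigure' applies it; then test from 192.168.75.10 with squidclient to confirm the TCP_DENIED entry appears in /var/log/squid/access.log.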
###SELinux Intro###
Features:
1. Restricts access by subjects (users and/or processes) to objects (files, directories, sockets, ports)
2. Provides Mandatory Access Controls (MACs)
3. MACs extend Discretionary Access Controls (DACs, i.e. standard Linux permissions)
4. Stores MAC permissions in extended attributes of file systems
5. SELinux provides a way to separate: users, processes (subjects), and object
s, via labeling, and monitors/controls their interaction
6. SELinux is integrated into the Linux kernel
7. Implements sandboxes for subjects and objects
8. Default RH5 implementation creates sandboxes (domains) for 'targeted' daemons and one sandbox (unconfined_t) for everything else
9. SELinux is implemented/enabled by RH5, by default
10. Operates in the following modes:
a. Permissive - the policy is evaluated and every denial is logged to /var/log/messages, but nothing is blocked (DACs still apply)
b. Enforcing - strictly enforces 'targeted' policy rules
c. Disabled - Only DACs are applied
11. Operating modes can be applied upon startup or while the system is running
SELinux Config files & Tools:
1. sestatus - displays current SELinux status, including:
a. policy name 'targeted'
b. policy version '21'
c. Operating mode: 'enforcing|permissive|disabled'
2. /etc/sysconfig/selinux - primary startup|config file for SELinux (a symlink to /etc/selinux/config)
3. /etc/selinux/targeted - top-level container for the 'targeted' policy
4. setenforce 0 (permissive) | setenforce 1 (enforcing) - switches mode at runtime; moving to or from 'disabled' requires a reboot
5. '-Z' can be applied to the following tools to obtain SELinux context info:
a. mv, cp, ls, ps, id
6. chcon -R -t type file - applies an SELinux type label to a file/directory ('restorecon' puts the policy's default label back)
Tasks:
1. Disable SELinux upon boot-up on LINUXCBTSERV4
a. nano /etc/grub.conf
a1. Update 'kernel' line to reflect: selinux=0
Note: If files (objects) lose their SELinux context, there are multiple ways to relabel them:
1. 'touch /.autorelabel && reboot' - init will relabel the system according to the 'targeted' policy
2. 'fixfiles' - use to relabel objects (files) while the system is running
Note: List of daemons protected by the 'targeted' SELinux policy:
1. apache(httpd)
2. dhcpd
3. ntpd
4. named
5. syslogd
6. squid
7. snmpd
8. portmap
9. nscd
10. winbind
Note: The 'targeted' policy assigns ALL other subjects and objects to the 'unconfined_t' domain
Note: The default SELinux 'targeted' policy, using MACs, binds subject domains:
i.e. 'httpd_t' to object types: i.e. 'httpd_config_t'
Note: SELinux MAC checks are applied in addition to Linux DACs: an access must pass BOTH. The DAC check runs first, so a request refused by ordinary permissions never shows up as an AVC denial
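Added example, not from the LinuxCBT notes: a shell script that summarises and triages the AVC denials permissive mode writes to /var/log/messages, which is the practical way to find out which 'setsebool' or 'chcon -t' a confined daemon such as httpd needs. The log lines are constructed samples in the RH5 message format; the boolean named in the triage hint, httpd_can_network_connect, is the targeted-policy boolean for outbound httpd connections and is assumed here for the webmail-to-IMAP case.

```sh
#!/bin/sh
# Added example (not from the LinuxCBT notes): AVC denial summary and triage.
# Assumptions: RH5 /var/log/messages format; hints cover only the httpd cases from this page.

write_sample_log() {
  # Constructed sample: two identical httpd -> IMAP denials, one mislabelled file, one non-AVC line.
  cat > "$1" <<'EOF'
Mar  3 10:15:22 linuxcbtserv4 kernel: audit(1204539322.123:45): avc:  denied  { name_connect } for  pid=3210 comm="httpd" dest=143 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
Mar  3 10:15:40 linuxcbtserv4 kernel: audit(1204539340.456:46): avc:  denied  { name_connect } for  pid=3210 comm="httpd" dest=143 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
Mar  3 10:16:01 linuxcbtserv4 kernel: audit(1204539361.789:47): avc:  denied  { read } for  pid=3211 comm="httpd" name="index.php" dev=sda2 ino=131074 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file
Mar  3 10:16:02 linuxcbtserv4 sshd[3300]: Accepted publickey for linuxcbt from 192.168.75.10 port 40122 ssh2
EOF
}

avc_summary() {
  # $1 = log file. Prints "count permission comm source_type target_type class", most frequent first.
  awk '
    /avc: +denied/ {
      perm = $0; sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
      comm = ""; st = ""; tt = ""; tc = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }   # user:role:type:level
        if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tt = b[3] }
        if ($i ~ /^tclass=/)   { tc = substr($i, 8) }
      }
      print perm, comm, st, tt, tc
    }' "$1" | sort | uniq -c | sort -rn | sed 's/^ *//'
}

avc_triage() {
  # $1 = log file. One hint per distinct denial, for the patterns this page covers.
  avc_summary "$1" | while read -r count perm comm st tt tc; do
    case "$st:$tc:$perm" in
      httpd_t:tcp_socket:name_connect)
        echo "$count x $comm -> $tt: setsebool -P httpd_can_network_connect on";;
      httpd_t:file:*|httpd_t:dir:*)
        echo "$count x $comm on $tt object: chcon -R -t httpd_sys_content_t <path> (or restorecon if the label drifted)";;
      *)
        echo "$count x $st -> $tt ($tc $perm): review with audit2allow";;
    esac
  done
}

f=$(mktemp); write_sample_log "$f"
avc_summary "$f"
avc_triage "$f"
rm -f "$f"
```

Run avc_triage over the real /var/log/messages after exercising SquirrelMail in permissive mode; apply the hint, switch back with 'setenforce 1' and confirm the denial stops recurring before calling the fix done.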
###OpenSSHv2###
Features:
1. Provides data encryption services based on public-key cryptography (host and user keys; no PKI/CA is involved by default) - Confidentiality, plus server authentication via the host key, whose fingerprint should be checked on first connect
2. Primarily used to protect the transport layer
3. Encrypted shell sessions, file transfers
4. Password-less logins
5. Port forwarding - Pseudo-VPN
SSH Clients:
/etc/ssh/ssh_config - shared system-wide config file for SSH clients
1. scp - secure, non-interactive, copy program
a. scp sample.txt linuxcbt@linuxcbtmedia1:
b. scp linuxcbt@linuxcbtmedia1:testRH5/sample.txt sample2.txt
2. sftp - secure, interactive, FTP-like, copy program
a. sftp linuxcbt@linuxcbtmedia1
3. ssh - shell-based client
a. ssh linuxcbt@linuxcbtmedia1
b. ssh linuxcbt@linuxcbtmedia1 "uptime"
4. ssh-copy-id - installs your PUBLIC key into the remote user's ~/.ssh/authorized_keys (the private key never leaves the client)
a. ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.75.10
5. ssh-keygen - used to generate an SSH pub/priv keypair
a. ssh-keygen -t rsa
Note: Use '-v' with SSH clients to enable verbosity
Task:
1. Setup Password-less logins using SSH
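Added example, not from the LinuxCBT notes: the two halves of the password-less login task. setup_passwordless is the client-side sequence (it contacts a remote host, so it is shown, not run here); check_ssh_perms is the offline check for the usual reason a key login silently falls back to a password prompt: sshd's StrictModes rejects a home directory, ~/.ssh or authorized_keys that is group- or world-writable, and the ssh client refuses a private key readable by anyone else. The remote host and paths are assumptions.

```sh
#!/bin/sh
# Added example (not from the LinuxCBT notes): password-less login setup and permission check.
# Assumptions: GNU stat (Linux) with a BSD fallback; RSA key at ~/.ssh/id_rsa.

setup_passwordless() {
  # $1 = user@host. Give the key a passphrase and use ssh-agent: a stolen id_rsa
  # without one is immediately usable. ssh-copy-id sends only the .pub half.
  [ -f "$HOME/.ssh/id_rsa" ] || ssh-keygen -t rsa -f "$HOME/.ssh/id_rsa"
  ssh-copy-id -i "$HOME/.ssh/id_rsa.pub" "$1"
  ssh -v "$1" true 2>&1 | grep -E 'Offering public key|Authentication succeeded'
}

mode_of() {
  # Octal mode of $1, e.g. 700
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

group_other_writable() {
  # $1 = octal mode string; true when the group or other digit carries the write bit (2)
  m=$1; o=${m#"${m%?}"}; m=${m%?}; g=${m#"${m%?}"}
  [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]
}

check_ssh_perms() {
  # $1 = home directory. Returns 0 when StrictModes and the ssh client would both be satisfied.
  home=$1; rc=0
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$p" ]; then echo "missing: $p"; rc=1; continue; fi
    if group_other_writable "$(mode_of "$p")"; then
      echo "group/world writable (StrictModes rejects it): $p"; rc=1
    fi
  done
  key=$home/.ssh/id_rsa
  if [ -f "$key" ]; then
    m=$(mode_of "$key")
    case $m in
      600|400) ;;
      *) echo "private key $key has mode $m; ssh requires 600 (or 400)"; rc=1;;
    esac
  fi
  return $rc
}
```

Run check_ssh_perms on the destination account's home when ssh-copy-id succeeded but 'ssh -v' still reports a password prompt; the fix is chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys on the server, and chmod 600 ~/.ssh/id_rsa on the client.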
###IPTables###
Features:
1. Firewall for Linux
2. Interface to Netfilter, which is loaded by the kernel
3. Operates primarily @ layers 3 & 4 of the OSI model
4. Modular
5. Provides Network Address Translation (NAT)
6. IPTables can also access other layers (2, 5-7), with modules
Note: 'grep -i config_netfilter /boot/config*' confirms that the running kernel was built with Netfilter support
Note: Save rules in: /etc/sysconfig/iptables ('service iptables save' writes the running rules there) so that when IPTables is restarted the rules will be applied, OR set IPTABLES_SAVE_ON_STOP=yes in /etc/sysconfig/iptables-config to save the rules automatically
/sbin/iptables - primary ACL modifier utility
/sbin/iptables-restore - restores rules to current IPTables instance
/sbin/iptables-save - saves rules to STDOUT, by default, or to a file
Tasks:
1. Filter inbound traffic to the remote RH5 system so that only SSH is accepted
a. iptables -A INPUT -p tcp --dport 22 -j ACCEPT
b. iptables -A INPUT -j DROP
Note: Rules are evaluated top-down and the first match wins, so the order above matters: appending the DROP before the SSH ACCEPT on a remote session locks you out. Also accept loopback traffic and the ESTABLISHED,RELATED state ahead of the DROP, otherwise replies to the server's own outbound connections (DNS, yum) are dropped as well
2. Filter outbound traffic to ANY remote SSH port
a. iptables -A OUTPUT -p tcp --dport 22 -j DROP
3. Flush ALL rules from OUTPUT chain of the Filter table
a. iptables -F OUTPUT
4. Save rules to file, then flush rules
a. iptables-save > iptables.rules.1
5. Reinstate flushed rules
a. iptables-restore iptables.rules.1
###IPv6 IPTables###
Features:
1. Firewall for IPv6
/etc/rc.d/init.d/ip6tables - run-script
/etc/sysconfig/ip6tables-config - system-wide config file
/sbin/ip6tables - primary tool for administering IP6Tables
/sbin/ip6tables-restore
/sbin/ip6tables-save
2. Maintains 3 default tables:
a. Filter - matches IPTables(IPv4)
b. Mangle - matches IPTables(IPv4)
c. Raw
Usage:
1. ip6tables -L
Note: IPv6 firewall rules are administered independently of IPv4 rules
Tasks:
1. Filter inbound traffic to the remote RH5 system so that only SSH is accepted
a. ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
b. ip6tables -A INPUT -j DROP
Note: With IPv6, also accept ICMPv6 before the DROP: neighbour discovery runs over it, and dropping it breaks IPv6 connectivity entirely
2. Filter outbound traffic to ANY remote SSH port
a. ip6tables -A OUTPUT -p tcp --dport 22 -j DROP
3. Flush ALL rules from OUTPUT chain of the Filter table
a. ip6tables -F OUTPUT
4. Save rules to file, then flush rules
a. ip6tables-save > ip6tables.rules.1
5. Reinstate flushed rules
a. ip6tables-restore ip6tables.rules.1
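Added example, not from the LinuxCBT notes, covering the IPv4 and IPv6 tasks above together: a shell script that generates the "SSH only" inbound policy in iptables-save format for either address family (the format iptables-restore, ip6tables-restore and /etc/sysconfig/iptables all consume), and a lint that catches the lockout mistake of a catch-all DROP ahead of the management-port ACCEPT. It assumes the 'state' match is available (nf_conntrack_ipv6 for the IPv6 case) and that port 22 is the management port.

```sh
#!/bin/sh
# Added example (not from the LinuxCBT notes): ruleset generator and lockout lint.
# Assumptions: state match available for both families; management port is 22.

gen_ssh_only_rules() {
  # $1 = 4 or 6. Output is fed to iptables-restore / ip6tables-restore.
  fam=${1:-4}
  echo '*filter'
  echo ':INPUT ACCEPT [0:0]'
  echo ':FORWARD ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'                                   # loopback
  echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'   # replies to our own traffic
  if [ "$fam" = 6 ]; then
    echo '-A INPUT -p icmpv6 -j ACCEPT'   # neighbour discovery; dropping it breaks IPv6
  fi
  echo '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
  echo '-A INPUT -j DROP'
  echo 'COMMIT'
}

lint_input_chain() {
  # $1 = ruleset file (iptables-save format), $2 = management port.
  # Exit 1 when the ruleset would lock a remote admin out; warnings go to stdout.
  awk -v port="$2" '
    /^-A INPUT/ {
      n++
      if (!mgmt && $0 ~ ("--dport " port " -j ACCEPT")) mgmt = n
      if (!est  && $0 ~ /--state [A-Z,]*ESTABLISHED/ && $0 ~ /-j ACCEPT/) est = n
      if (!drop && $0 ~ /^-A INPUT -j (DROP|REJECT)/) drop = n
    }
    END {
      rc = 0
      if (!mgmt) { print "no ACCEPT for port " port " in INPUT: lockout"; rc = 1 }
      else if (drop && mgmt > drop) { print "ACCEPT for port " port " comes after the catch-all DROP: lockout"; rc = 1 }
      if (drop && (!est || est > drop)) print "warning: no ESTABLISHED,RELATED ACCEPT before the catch-all DROP"
      exit rc
    }' "$1"
}

gen_ssh_only_rules 4
```

To deploy on RH5: gen_ssh_only_rules 4 > /tmp/v4.rules, lint_input_chain /tmp/v4.rules 22, then iptables-restore < /tmp/v4.rules from a console session (not over SSH) and 'service iptables save' once the SSH login still works; repeat with 6 and ip6tables.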
###NMap###
Features:
1. Port/Reconnaissance Scanner
2. Hosts & device detection
3. Service detection
4. OS Fingerprinting
5. Multi-target scanning
6. Produces various reports
Tasks:
1. Download and install the latest version of NMap - nmap.org
a. wget http://download.insecure.org/nmap/dist/nmap-4.53-1.i386.rpm
b. rpm -Uvh nmap-4.53-1.i386.rpm
/usr/bin/nmap - primary binary
Note: Executing 'nmap' as a non-privileged user causes it to operate in TCP-Connect mode (-sT) instead of the stealthier TCP-SYN mode (-sS), which needs raw sockets; OS fingerprinting (-O) likewise requires root
/usr/share/nmap - top-level container for key NMap files
/usr/share/nmap/nmap-os-db - OS Fingerprinting DB
/usr/share/nmap/nmap-mac-prefixes - Maps MAC prefixes to companies
/usr/share/nmap/nmap-services - resolves service names to port numbers
Usage:
1. Scan the localhost for open ports
a. nmap -v localhost
2. Service detection scan - attempts to resolve services to names & versions
a. nmap -v -sV 192.168.75.199
3. OS Fingerprinting scan
a. nmap -v -O 192.168.75.199
4. Reporting
a. nmap -v -oN filename.txt 192.168.75.1 - normal output
b. nmap -v -oX filename.xml 192.168.75.1 - XML output
5. OS Fingerprinting & Service detection
a. nmap -v -A 192.168.75.1
6. Scan the entire network using '-A' and XML output
a. nmap -v -A -oX 192.168.75.0.scan.xml 192.168.75.0/24
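Added example, not from the LinuxCBT notes: a shell script that turns two '-oN' reports into an open-port inventory and diffs them, so a scheduled scan of 192.168.75.0/24 reports ports that have appeared since the baseline (a newly exposed 3306/tcp in the sample). The report text is a constructed sample in the Nmap 4.x '-oN' layout; the "Nmap scan report for" header of later versions is handled too.

```sh
#!/bin/sh
# Added example (not from the LinuxCBT notes): open-port inventory and baseline diff
# from Nmap -oN reports. Sample reports are constructed, not real scan output.

nmap_open_ports() {
  # $1 = -oN report. Prints "host port/proto service", sorted. Only state "open" counts;
  # "open|filtered" (typical for UDP) is deliberately left out.
  awk '
    /^(Interesting ports on|Nmap scan report for) / {
      host = $NF; sub(/:$/, "", host); gsub(/[()]/, "", host)   # prefer the (ip) form
    }
    $2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ { print host, $1, $3 }
  ' "$1" | sort
}

nmap_new_ports() {
  # $1 = baseline report, $2 = new report. Prints entries open now but absent from the baseline.
  a=$(mktemp); b=$(mktemp)
  nmap_open_ports "$1" > "$a"
  nmap_open_ports "$2" > "$b"
  comm -13 "$a" "$b"
  rm -f "$a" "$b"
}

write_sample_report() {
  # $1 = output path, $2 = "baseline" or "later" (the later scan shows MySQL exposed)
  {
    echo '# Nmap 4.53 scan initiated Mon Mar  3 10:20:01 2008 as: nmap -v -oN scan.txt 192.168.75.0/24'
    echo 'Interesting ports on linuxcbtserv4.linuxcbt.internal (192.168.75.199):'
    echo 'Not shown: 1710 closed ports'
    echo 'PORT     STATE SERVICE'
    echo '22/tcp   open  ssh'
    echo '80/tcp   open  http'
    echo '3128/tcp open  squid-http'
    if [ "$2" = later ]; then echo '3306/tcp open  mysql'; fi
    echo 'MAC Address: 00:0C:29:12:34:56 (VMware)'
    echo ''
    echo 'Interesting ports on 192.168.75.10:'
    echo 'Not shown: 1712 closed ports'
    echo 'PORT   STATE SERVICE'
    echo '22/tcp open  ssh'
    echo ''
    echo '# Nmap done at Mon Mar  3 10:20:40 2008 -- 256 IP addresses (2 hosts up) scanned in 39.218 seconds'
  } > "$1"
}

d=$(mktemp -d)
write_sample_report "$d/baseline.txt" baseline
write_sample_report "$d/today.txt" later
echo "newly open since baseline:"
nmap_new_ports "$d/baseline.txt" "$d/today.txt"
rm -rf "$d"
```

Keep the baseline from a known-good state, re-scan on a schedule with the same options, and treat any line nmap_new_ports prints as a change to investigate (here, MySQL reachable from the LAN, which step 2 of the MySQL section leaves as the default).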
###Nessus###
Features:
1. Vulnerability Scanner
2. Port Scanner
3. Host | Device detection
4. Can be used to scan NETBIOS (Windows|Samba) servers
5. Profiles (Scan Policies) for target scans, selecting which vulnerability checks (plug-ins) to run
6. Reporting
7. Client/Server enabled; multiple clients may use the central Nessus server
8. Client support for Windows, Linux, etc.
9. Runs as a service (nessusd), awaiting scan requests from clients
10. Penetration testing tool
11. Nessus can be automated
12. Supports plug-ins for vulnerability signatures
13. Supports parallel scanning of targets
Tasks:
1. Download Nessus from nessus.org and install
2. Register nessus using 'nessus-fetch', with provided code
a. /opt/nessus/bin/nessus-fetch --register A65E-5116-4D76-FCD5-FF2A
3. Install Nessus Client and Explore the interface
a. rpm -Uvh NessusClient*
4. Perform a vulnerability scan of the localhost
5. Perform a vulnerability scan of the local network
6. Evaluate results
Note: Nessus will auto-update its plug-ins after registration, every 12 hours
###Snort NIDS###
Features:
1. Network Intrusion Detection System (NIDS)
2. Packet Sniffer
3. Packet Logger - logs using TCPDump format
Tasks:
1. Download and install Snort NIDS
a. snort.org
b. Confirm the MD5SUM: 'md5sum snort-2.8.0.2.tar.gz' and compare to snort-2.8.0.2.tar.gz.md5
c. Import the GPG key used to sign the current release of Snort (fetch the key out-of-band rather than from the download page; an attacker who can replace the tarball can replace the .md5 file too)
d. gpg --verify snort-2.8.0.2.tar.gz.sig snort-2.8.0.2.tar.gz
Requirements:
1. gcc - C compiler
2. make - creates binaries
3. libpcre - Provides access to Perl Compatible Regular Expressions (RH5 packages: pcre, pcre-devel)
4. mysql-devel* - provides access to MySQL
5. libpcap* - provides the TCPDump, packet capture library
e. Extract and install (compile) Snort NIDS
e1. tar -xzvf snort-2.8.0.2.tar.gz - creates top-level directory
e2. ./configure --with-mysql --enable-dynamicplugin - checks for prerequisites, including: mysql-devel, libpcre, gcc, make, etc.
e3. make - creates binaries
e4. su (as 'root') and execute 'make install' - places the binaries under /usr/local (the default prefix)
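Added example, not from the LinuxCBT notes: the verification behind steps b-d of the Snort download, which is the same check the SquirrelMail task above asks for with its MD5SUM step. The MD5 comparison runs offline on a constructed file; the GPG step runs only when a .sig is supplied and gpg is installed. The point a practitioner should take from it: a .md5 fetched from the same server as the tarball only detects a corrupt download (and MD5 is collision-broken), whereas the detached signature checked against a key obtained out-of-band is what establishes that the tarball is authentic.

```sh
#!/bin/sh
# Added example (not from the LinuxCBT notes): download verification helper.
# Assumptions: md5sum (coreutils) or BSD md5 present; gpg optional; inputs are samples.

md5_of() {
  if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{ print $1 }'
  else md5 -q "$1"; fi        # BSD/macOS fallback
}

verify_download() {
  # $1 = tarball, $2 = published .md5 file ("<hash>  <name>" or a bare hash),
  # $3 = detached .sig (optional). Returns 0 only when every supplied check passes.
  tarball=$1; md5file=$2; sig=$3
  expected=$(awk 'NR == 1 { print tolower($1) }' "$md5file")
  actual=$(md5_of "$tarball")
  if [ "$expected" != "$actual" ]; then
    echo "MD5 mismatch for $tarball: published $expected, computed $actual" >&2
    return 1
  fi
  if [ -n "$sig" ]; then
    if ! command -v gpg >/dev/null 2>&1; then
      echo "gpg not installed; cannot verify $sig" >&2; return 2
    fi
    # gpg exits non-zero on a bad signature or an unknown key; it still warns (exit 0)
    # when the key is known but untrusted, so check the key's fingerprint separately.
    gpg --verify "$sig" "$tarball" >/dev/null 2>&1 || { echo "bad signature: $sig" >&2; return 3; }
  fi
  echo "ok: $tarball"
}

# Demo on a constructed stand-in for the tarball.
d=$(mktemp -d)
printf 'snort tarball stand-in\n' > "$d/snort.tar.gz"
md5_of "$d/snort.tar.gz" > "$d/snort.tar.gz.md5"
verify_download "$d/snort.tar.gz" "$d/snort.tar.gz.md5"
rm -rf "$d"
```

For the real download: verify_download snort-2.8.0.2.tar.gz snort-2.8.0.2.tar.gz.md5 snort-2.8.0.2.tar.gz.sig, after importing the Snort signing key from a source other than the download page.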