Tuesday, August 31, 2010

Rhce Notes By Suresh Kumar Pakalapati

RH253
=====

Pam :- As linked to, and configured in /etc/pam.d/programname.

libwrap :- As linked against libwrap.so, or managed by a program that is so linked.

Uid:-

Gid:-

Service:
Chkconfig:
Xinetd:
system-config-services

Network:-

chkconfig --level 35 httpd on
chkconfig --list httpd

service httpd start
service httpd stop
service httpd status

/etc/sysconfig/network-scripts/ifcfg-*  for network interfaces
/etc/sysconfig/*   for most others
/usr/share/doc/initscripts-*/sysconfig.txt

system-config-network [Device,Gateway,StaticRoute,DNS,Hostname]
system-config-network-tui[Device,Gateway]

ifup
ifdown

Virtual:-

libvirt
virt-manager
virt-install
virsh start domain
virsh shutdown/reboot/destroy domain
virsh suspend/resume   domain
virsh save domain state-file
virsh autostart  domain
virsh  console domain
virsh list

xm create -c domain
xentop

Yum: -

/var/ftp/pub/gls/server.repo
cd /etc/yum.repos.d/
cp rhel-debuginfo.repo  errata.repo
vi  errata.repo
[errata]
name = updates repository
baseurl = ftp://instructor.example.com/pub/errata
enabled = 1
gpgcheck = 0

Yum Commands:-

yum list updates
yum install firefox
yum localinstall firefox.rpm
yum groupinstall packagegroup
yum remove package
yum update package
yum list all
yum list (installed,available,update)
yum grouplist
yum groupinfo packagegroup
yum info package
yum search searchterm
yum provides filename [ yum provides /usr/sbin/sendmail]

/dev/random
/dev/urandom
cat /dev/random

Open SSL:-

keypair: -  openssl genrsa -out server1.key.pem 1024
                 openssl req -new -key server1.key.pem -out server1.csr.pem

Selfsigned: -  openssl req -new -key server1.key.pem -out server1.crt.pem  -x509


Ssh:-

ssh-keygen  -t  dsa
ssh-keygen  -t  rsa

/etc/hosts.allow
/etc/hosts.deny

vi  /etc/hosts.allow
sshd:  192.168.0.114

openssh-client, openssh-server

/usr/sbin/sshd
/etc/init.d/sshd
/etc/ssh/sshd_config ,  /etc/ssh/* ,  ~/.ssh/*

openssh-askpass,  tcp_wrappers

Client:- /etc/ssh/ssh_config   /usr/bin/ssh

Server:- /etc/ssh/sshd_config
               Protocol 2
               ListenAddress 192.168.0.114:22
               PermitRootLogin
               Banner  /etc/issue.net
               AllowTcpForwarding yes
               GatewayPorts yes

ssh -L 3000:192.168.0.114:25  -N 192.168.0.5
ssh -R 3001:192.168.0.114:25  -N 192.168.0.5

ssh-copy-id  user@host
.ssh/authorized_keys

rpm  --verify packagename
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat*
rpm --checksig pkgname

gpg --import  RPM-GPG-KEY
rpm --checksig package-file-name

vnc-server
vncserver
vncviewer localhost:9901

ssh-keygen  -t  dsa
ssh-copy-id  -i  ~/.ssh/id_dsa.pub  serverX

ssh student@serverX id
ssh-keygen -p -f ~/.ssh/id_dsa

yum -y install vnc vnc-server

/etc/termcap
gpg -c /tmp/termcap

openssl x509  -in example-ca.crt  -text | less


Selinux:-

Enforcing, Permissive, Disabled

/etc/sysconfig/selinux

system-config-securitylevel
getenforce  & setenforce  0|1
kernel  selinux=0|1  or  enforcing=0|1

Permissive:- mode is used for troubleshooting or development; it logs policy violations but does not prevent
                   programs from running [0].

Enforcing:-  is the default mode [1].

user:role:type:sensitivity:category

ps -Z
ls -Z
ps -ZC  syslogd,bash
ls -Zd /etc/   /etc/aliases

chcon -R -t public_content_t  /mydata/html
semanage  fcontext  -a -t
restorecon  -vvFR  /html/
ls -Z  anaconda-ks.cfg

getsebool  -a | grep named
getsebool named_write_master_zones

setsebool  named_write_master_zones on
getsebool  named_write_master_zones

setsebool -P named_write_master_zones on

setroubleshootd
sealert  -a
sealert  -b
sealert  -l

Selinux Modes :   getenforce , setenforce
Security Contexts :  ps -Z , ls -Z , semanage, restorecon
Selinux Booleans :   getsebool, setsebool
Troubleshooting tools :  setroubleshootd, sealert

NTP :-

ntpq -c pe
vi /etc/ntp.conf

ps -ZC  ntpd
getsebool -a | grep ntp
setsebool  -P ntpd_disable_trans off
ntpq  -c  pe
rpm  -ql  ntp | grep ntp.conf
restorecon  -v  /etc/ntp.conf

IPTABLES :-

system-config-securitylevel-tui

filtering in the kernel at the network (layer 3), transport (layer 4) and data-link (layer 2) layers

filter: the main packet filtering is performed in this table
nat:
mangle:    special effects
conntrack: stateful  prerouting & output

              Filter    Nat    Mangle
INPUT           X               X
FORWARD         X               X
OUTPUT          X        X      X
PREROUTING               X      X
POSTROUTING              X      X

* Prerouting :- forward --> input --> output --> postrouting
   echo "1" > /proc/sys/net/ipv4/ip_forward

* DROP,ACCEPT,LOG,REJECT

iptables -t filter -A INPUT -s 192.168.0.1 -j DROP
                      |          |            |
                      V          V            V
                    Chain   Part of the rule  Target part of the rule
iptables -t filter -nvL --line-numbers
iptables -A INPUT -s 192.168.0.114  -j DROP

ip & network   {  -s 192.168.0/24
                               {  -d 192.168.0.1

network interface {  -i lo
                            {  -o eth1

Criteria can be inverted with '!'   { -i eth0 -s '!'  192.168.0.0/24

iptables -I INPUT  -s 192.168.0.0/24  -j ACCEPT
iptables -I OUTPUT -o eth0 -d 192.168.0.0/24  -j ACCEPT
iptables -I  INPUT  -i lo -j ACCEPT

-p tcp  --dport 80
-p udp --sport 53
-p icmp  --icmp-type  host-unreachable

iptables -I INPUT -p tcp -s 192.168.0.1  --sport 123 -d 192.168.0.2  --dport 1024: -j ACCEPT

iptables -I INPUT -p icmp --icmp-type  echo-request -j DROP

iptables  -I INPUT  -p icmp  --icmp-type  destination-unreachable  -j ACCEPT

ACCEPT, DROP, REJECT, Flush (-F)
Zero packet and byte counters (-Z [chain])
-N  (adds chain)
-X  (deletes chain)

iptables -t nat -F POSTROUTING
iptables  -P INPUT      DROP
iptables  -A INPUT -j DROP
iptables  -A INPUT -j REJECT

NEW, ESTABLISHED, RELATED, INVALID

/proc/net/ip_conntrack
/proc/sys/net/ipv4/ip_conntrack
/proc/sys/net/ipv4/netfilter/ip_conntrack_*
ip_conntrack_ftp
ip_conntrack_tftp
ip_nat_ftp
ip_nat_tftp

/etc/sysconfig/iptables-config

IPTABLES_MODULES="ip_conntrack_tftp ip_nat_ftp"

iptables -A INPUT -m state --state  ESTABLISHED,RELATED -j ACCEPT

iptables  -A INPUT -m state --state NEW -p tcp  --dport 25  -j ACCEPT
iptables  -A INPUT -m state --state NEW -j DROP


DNAT

Inbound: -   iptables -t nat -A PREROUTING -p tcp --dport  80 -j DNAT  --to-dest 192.168.0.114

Outbound:- iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-dest 192.168.0.200:3128

iptables -t nat -A PREROUTING -i eth1 -p tcp  --dport 80 -j DNAT --to-dest 192.168.0.114  --to-dest
192.168.0.115  --to-dest 192.168.0.116

iptables -t nat -A PREROUTING -i <interface> -p tcp  --dport  2201 -j DNAT --to-dest  192.168.0.1:22

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-dest 192.168.0.200:3128


SNAT

iptables  -t nat -A POSTROUTING -o  eth0 -j MASQUERADE
iptables  -t nat -A POSTROUTING -j SNAT --to-source  1.2.3.45
iptables  -t nat -A POSTROUTING -j SNAT --to-source  1.2.3.45-1.2.3.55
iptables  -t nat -A POSTROUTING -j SNAT --to-source  1.2.3.45:1234-1334

iptables-save
iptables-restore
service iptables save

vi  /etc/sysconfig/iptables

*filter
:INPUT DROP [573:46163]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [641:68532]
-A INPUT  -i lo -j  ACCEPT
-A INPUT  -p tcp  -m tcp  --dport  143   -j  ACCEPT
-A INPUT  -p tcp  -m tcp  --dport    22   -j  ACCEPT
-A INPUT  -p tcp  -m tcp  --dport    25   -s 192.168.0.114  -j ACCEPT
-A INPUT  -p tcp  -m tcp  --dport    53   -j  ACCEPT
-A INPUT  -p udp -m udp  --dport   53   -j  ACCEPT
-A INPUT  -p udp -m udp  --dport 123   -s  192.168.0.114  -j ACCEPT
-A INPUT  -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT

vi   /etc/modprobe.conf
alias  net-pf-10 off
alias  ipv6 off

iptables  -N class-rules
iptables -A INPUT -j class-rules

service iptables save
-A class-rules -i lo -j ACCEPT
                      -p icmp  -j  ACCEPT
                      -p udp  --dport 631  -j ACCEPT
                      -p tcp   --dport 631  -j ACCEPT
                      -m state --state ESTABLISHED,RELATED -j ACCEPT
                      -p tcp  --dport 22 -j ACCEPT
                      -j LOG
                      -j  REJECT  --reject-with  icmp-host-prohibited

TCP-WRAPPERS

libwrap.so
ldd   $(which  sshd)  |  grep  libwrap

vi  /etc/hosts.allow
vi  /etc/hosts.deny
ALL
EXCEPT

vi  /etc/hosts.allow
sshd:  ALL  EXCEPT   192.168.0.114

vi /etc/hosts.deny
sshd:  ALL

vi  /etc/hosts.allow
vsftpd:  192.168.0.1
in.telnetd, portmap: 192.168.0.8

vi  /etc/hosts.deny
ALL: nkindia.com EXCEPT  mail.nkindia.com
vsftpd,  portmap: ALL
sshd:  192.168.0.   EXCEPT  192.168.0.4

vi  /etc/xinetd.conf

defaults
{
enabled  = yes
instances = 50
per_source = 10
v6only  = no
log_type = SYSLOG daemon info
log_on_failure = HOST
log_on_success = PID HOST DURATION EXIT
cps  =  50 10
banner  =  /some/file
}
includedir    /etc/xinetd.d


NSS

vi   /etc/nsswitch.conf
getent
passwd: files  nis ldap

PAM
/lib/security/pam  modules
/etc/security
/etc/pam.d/
/etc/securetty

vi /etc/pam.d/login
auth  required  pam_securetty.so

pam_unix.so
pam_securetty.so
pam_deny.so
pam_permit.so

vi  /etc/pam.d/system-auth
auth  required  pam_env.so
auth  sufficient pam_unix.so  nullok  try_first_pass
auth  requisite pam_succeed_if.so  uid >= 500 quiet
auth  required  pam_deny.so

pam_krb5.so
pam_ldap.so
pam_smb_auth.so
pam_winbind.so

vi /etc/security/limits.conf


HTTP

httpd,  httpd-devel,  httpd-manual
/usr/sbin/httpd
/etc/init.d/httpd                    
80/tcp   443/tcp (https)
/etc/httpd/*    ,    /var/www/*
system-config-httpd   ,   mod_ssl

Min & Max   Spare Servers
Logfile  Configuration
Host name lookup in  logs
Loaded  modules
Virtual hosts
user and group.

UserDir  public_html

Mimetype
AddType  application/x-httpd-php  .phtml
AddType  text/html  .htm

DirectoryIndex  index.html  default.htm

restorecon -R  /home/
/sbin/restorecon   ~/public_html

Virtual Host

NameVirtualHost  192.168.0.100:80

ServerName Virtl.com
DocumentRoot  /virtl


ServerAlias  www.virt2.com   www2.virt2.com


Options FollowSymLinks
AllowOverride  None



Options -Indexes
AllowOverride   AuthConfig



Order  Allow,Deny
Allow  from  example.com
Deny from   station2.example.com  station3.example.com


* service  httpd  configtest
* apachectl  configtest
* httpd -t

/etc/httpd/conf/httpd.conf
/etc/httpd/conf/ssl.conf

AuthName  "Bob's Secret Stuff"
AuthType    Basic
AuthUserFile  /home/bob/.htpasswd
Require  user    bob

AuthName "Bob's Secret  Stuff"
AuthType   Basic
AuthUserFile  /etc/httpd/conf/.htpasswd
AuthGroupFile /etc/httpd/conf/.htgroup


Require group staff



Require  user bob


ScriptAlias   /cgi-bin/    /path/cgi-bin/

mod_perl
mod_php
mod_speling

ssl : -  /etc/httpd/conf.d/ssl.conf
certificate : -  /etc/pki/tls/certs/your_host.crt
private key: -  /etc/pki/tls/private/your_host.key

/etc/pki/tls/certs/Makefile
make testcert
make certreq

SQUID