Sources used for this guide:
- Linuxcbt
- John Wiley, Red Hat Linux Networking and System Administration
- RHCSA Hands-on Guide to the Red Hat Exams
- M. Jang, RHCSA/RHCE Red Hat Linux Certification Study Guide, 6th edition
- SELinux (Arabic)
Contact: janateba@hotmail.com
https://www.facebook.com/?q=#/tibea2004
TEL: 01009943027

RHCSA/RHCE Egypt
CONTENTS

NETWORK
- Network configuration
- Network definitions
- TCP/IP
- IP addressing

SYSTEM MONITORING AND SECURITY
- System monitoring
- netstat
- nmap
- Logs
- Security overview
- sudo configuration
- Kerberos configuration

SELINUX
- Introduction
- Security context (label)
- Security policy
- SELinux modes and policy types
- SELinux tools
- SELinux exercise

FIREWALL, XINETD, TCP WRAPPERS
- Firewall
- iptables
- NAT
- Connection tracking
- IP forwarding
- The extended internet super-server (xinetd)
- TCP wrappers

PLUGGABLE AUTHENTICATION MODULES (PAM)
- /etc/pam.d/reboot
- /etc/pam.d/system-auth
- PAM modules
- User authentication, account information, and password management

FILE SECURITY
- /dev/random and /dev/urandom
- One-way hashes ("digital fingerprints")
- Symmetric encryption
- Asymmetric encryption
- X.509 digital certificates and public key infrastructure

REMOTE ACCESS
- SSH
- Key-based authentication
- One-time logins: the SSH agent
- SSH port forwarding (remote forward)
- VNC

APACHE SERVER
- httpd
- Standard Apache security configuration
- Specialized Apache directories
- Virtual hosts
- Creating an SSL certificate
- CGI
- Squid (caching web proxy)

LINUX NETWORK APPLICATIONS
- DNS
- DHCP
- System utilization reports
- Configuring a system logging server
- The Network Time Protocol service (NTP)

FILE SHARING SERVICES
- NFS (Network File System)
- vsftpd
- Samba
- Samba services
- The Samba Web Administration Tool
- Samba as a client
- Samba troubleshooting

SMTP
- Postfix configuration
- Postfix authentication
- Sendmail
- Dovecot mailbox server

MISCELLANEOUS
- iSCSI
- Bonding
NETWORK CONFIGURATION

The files that define the network setup are:
1- /etc/hosts
2- /etc/resolv.conf
3- /etc/sysconfig/network
4- /etc/sysconfig/network-scripts/ifcfg-ethX

1- /etc/hosts
Maps host names to IP addresses for the local network, so that names can be resolved without a DNS server. Each line is an IP address followed by one or more names.
[root@localhost ~]# vim /etc/hosts
Test reachability and name resolution with ping, by IP, by fully qualified name and by short name:
# ping 192.168.1.254
# ping router.mostafa.com
# ping router

Tools for troubleshooting the network:
1- nmap : scans a host or network for open ports
2- ping : checks that a host answers
3- traceroute domain : shows the routers on the path to a domain, e.g. # traceroute www.yahoo.com
4- nslookup domain : queries DNS for a domain, e.g. # nslookup www.google.com. A domain behind a load balancer may answer with several addresses, because requests are forwarded to different servers.
5- dig domain : like nslookup, with the full DNS answer.

2- /etc/resolv.conf
[root@localhost ~]# vim /etc/resolv.conf
Three directives: domain, search, nameserver.
nameserver : the IP address of the DNS server that resolves names to IPs.
[root@localhost ~]# hostname -f
Result: ds.janateba.com (host name ds in the domain janateba.com).
search : domains appended to unqualified names, so that `ping machine1` is tried as `ping machine1.mostafa.com`.
domain : the local domain name (the same domain a directory server such as LDAP would serve).
Example:
domain mostafa.com
search mostafa.com
nameserver 192.168.126.2
NETWORK DEFINITIONS
Search domains and nameserver entries live in /etc/resolv.conf; name-to-IP mappings live in /etc/hosts, and /etc/hosts is consulted before the nameservers in resolv.conf.
system-config-network-tui : text-mode network configuration tool (a GUI version also exists).

3- /etc/sysconfig/network
Contents:
NETWORKING=yes
HOSTNAME=<hostname>
To change the host name:
# hostname <name>   (takes effect now, does not survive a reboot)
-1 set it with the hostname command
-2 edit HOSTNAME in /etc/sysconfig/network (persistent)
or with sysctl:
# sysctl -w kernel.hostname=new_name

4- /etc/sysconfig/network-scripts/ifcfg-eth0
ifcfg = interface configuration; eth0 is the LAN interface.

ARP (address resolution): # arp -n shows the ARP table (IP to MAC address mappings). Tools such as NetCut (version 1) poison the ARP table of the victims by answering with a spoofed MAC address for the router. # arp -s <IP> <MAC> adds a static entry for the router, which a poisoned reply cannot overwrite.
TCP/IP

TCP/IP is a suite of protocols: IP, TCP, UDP, ICMP and ARP. Application protocols built on it include Telnet (now replaced by SSH), FTP, HTTP and NFS.

Services provided over TCP/IP:
-1 File transfer: FTP.
-2 Remote login: telnet (sends everything in clear text; use SSH instead).
-3 Electronic mail: SMTP.
-4 Network file systems: NFS, which mounts remote directories as if they were local (unlike FTP, which copies files).
-5 Remote printing.
-6 Remote execution: rsh, rexec (replaced by ssh) and RPC (Remote Procedure Call). RPC implementations include Xerox Courier and Sun RPC.
-7 Name and directory services: DNS, NIS, LDAP.
-8 Terminal servers: give serial terminals telnet access to the network.
-9 Network windowing systems: the X Window System.

TCP/IP protocols
The suite is named after its two principal protocols, TCP and IP; it was developed for the U.S. Department of Defense (DoD).
TCP is connection-oriented and reliable (lost segments are retransmitted). UDP (User Datagram Protocol) is connectionless and unreliable; it is used where speed matters more than delivery guarantees.
ICMP (Internet Control Message Protocol) carries control and error messages (ping uses it). Unlike TCP and UDP, ICMP has no ports.
Other protocols of the suite: ARP, DNS, RIP, SMTP, Telnet.

OSI/ISO model
Physical Layer: the physical medium; signal voltage swing, bit duration, connectors and interfaces.
Data Link Layer: the physical link between two nodes; data is sent in frames. Protocols: HDLC, SLIP, PPP.
Network Layer: addressing and routing between networks (IP; routers). Routing protocols such as OSPF and BGP exchange routes between routers.
Transport Layer: end-to-end data flow and sessions between hosts (TCP, UDP; switching between ports).
Session Layer: establishes and manages sessions (e.g. an e-commerce transaction; load balancing distributes sessions).
Presentation Layer: data representation, packing and unpacking.
Application Layer: Telnet, FTP, mail (POP3 and SMTP).

TCP/IP predates the OSI model; its implementations came from Berkeley (BSD) and Sun. Its formal name is the Internet Protocol Suite (IPS), described in RFC 1011. IPv6 (IPng) is the successor of IPv4.

Physical networks (LAN)
Ethernet: Ethernet, Fast Ethernet and Gigabit Ethernet (10, 100 and 1000 Mb/s) over coaxial, twisted pair (RJ45) or fibre optic cable. 10BaseT and 100BaseT use twisted pair with repeaters and hubs; hosts are connected through hubs, switches and routers.
FDDI (Fiber Distributed Data Interface): fibre ring network, faster than classic Ethernet.
Cables: twisted pair, coaxial, FDDI (fibre).
ATM (Asynchronous Transfer Mode): LAN and WAN technology.
WAN links: Frame Relay, X.25, packet radio (AX.25, NetRom, Rose), ADSL, DSL, RDSL.
Linux interface names: ethX for Ethernet, pppX for PPP, slX for SLIP, fddiX for FDDI.
TCP/IP terms
Intranet: a private network that uses the Internet protocols.
Node: any device on the network (computer, printer, ...).
Ethernet address (MAC address): the hardware address of the NIC (network interface card). Every NIC has a unique 48-bit address, written as six hexadecimal bytes (digits 0-9 and A-F):
00:88:40:73:AB:FF
in binary:
0000 0000 . 1000 1000 . 0100 0000 . 0111 0011 . 1010 1011 . 1111 1111
The range is 00:00:00:00:00:00 to FF:FF:FF:FF:FF:FF; 00:00:00:00:00:00 is not a valid address for a NIC, and FF:FF:FF:FF:FF:FF is the broadcast address (received by every NIC on the segment).
[Figure: client, switch, router and the Internet. A switch forwards frames by MAC address inside the LAN; a router forwards packets by IP address between networks.]
Hostname: the name of a machine, up to 32 characters from a-z, A-Z, 0-9 and '.'.
Internet address (IP): an IPv4 address is 32 bits (2^32 addresses), written as four decimal numbers from 0 to 255, e.g. 192.168.0.1. An IPv6 address is 128 bits (2^128 addresses). DNS maps host names to IP addresses and back.
Port: the number that identifies a service endpoint within a host; TCP and UDP each have their own port space.
IP ADDRESSING
An IPv4 address is four octets, each between 0 and 255. Special addresses: 0.0.0.0 (unspecified); 127.0.0.1 (localhost, the loopback interface); a host part of all zeros is the network address (192.168.0.0) and a host part of all ones is the broadcast address (192.168.255.255 for the 192.168.0.0/16 network).

Classes
Class A: Network.Host.Host.Host, 1.0.0.1 to 126.254.254.254; 126 networks of about 16 million hosts.
Class B: Network.Network.Host.Host, 128.1.0.1 to 191.255.254.254; about 16 thousand networks of 65 thousand hosts.
Class C: Network.Network.Network.Host, 192.1.1.1 to 223.255.255.254; about 2 million networks of 254 hosts.
Class D (224.0.0.0 to 239.255.255.255) is used for multicast; class E (240.0.0.0 and above) is reserved.
Private ranges (not routed on the Internet):
A 10.0.0.0 - 10.255.255.255
B 172.16.0.0 - 172.31.255.255
C 192.168.0.0 - 192.168.255.255
Broadcast: a datagram sent to the broadcast address reaches every host on the network.
ARP maps an IP address to the MAC address of the NIC that owns it, so that IP datagrams can be delivered on the LAN.

Binary notation
IPv4 is 32 bits: 8 bits . 8 bits . 8 bits . 8 bits (IIIIIIII.IIIIIIII.IIIIIIII.IIIIIIII).
Each octet has bit weights 128 64 32 16 8 4 2 1 (positions 7 down to 0), giving 256 values, 0 to 255.
Example (binary):
11110001.11111111.11110000.00000011
= (128+64+32+16+1).(128+64+32+16+8+4+2+1).(128+64+32+16).(2+1)
= 241.255.240.3 (decimal)
NETMASK
The netmask separates the network part of an address from the host part. The default masks follow the classes: A 255.0.0.0, B 255.255.0.0, C 255.255.255.0. The mask is 32 bits; ANDing it with the IP address gives the network address.
Example: the class B network 172.17.0.0 (netmask 255.255.0.0) is split into subnets 172.17.1.0 ... 172.17.20.0 (20 subnets) by using the mask 255.255.255.0 on each; 172.17.1.0 can serve as the backbone subnet that connects them.
Routing between subnets is done with route (static) or with dynamic routing protocols: RIP (Routing Information Protocol), EGP (External Gateway Protocol), BGP (Border Gateway Protocol), run by gated.

Subnetting
Class C default mask: 11111111.11111111.11111111.00000000 = 255.255.255.0 (/24). Bits borrowed from the host part become subnet bits.
Example 1: split 192.168.1.0/24 into 2 subnets: 2^1 = 2, borrow 1 bit, 24 + 1 = 25 bits; mask 255.255.255.10000000 = 255.255.255.128; 192.168.1.0/25 (two subnets of 126 hosts).
Example 2: split 192.168.16.0/24 into 9 subnets: 2^4 = 16 >= 9, borrow 4 bits; mask 255.255.255.11110000 = 255.255.255.240; 192.168.16.0/28.
Example 3: an ISP gives a customer 40 addresses out of 192.168.0.0: 2^6 = 64 >= 40, so 6 host bits are needed and the prefix is 32 - 6 = 26; 192.168.0.0/26, mask 255.255.255.11000000 = 255.255.255.192, broadcast 192.168.0.63.
Example 4: 6 hosts: 2^3 = 8, prefix /29, mask 255.255.255.11111000 = 255.255.255.248.
Example 5: 517 addresses out of the class B address 155.13.18.0: 2^10 = 1024 >= 517, prefix 32 - 10 = 22; 155.13.18.0/22.
address   10011011.00001101.000100|10.00000000   155.13.18.0
mask      11111111.11111111.111111|00.00000000   255.255.252.0
wildcard  00000000.00000000.000000|11.11111111   0.0.3.255
network   10011011.00001101.000100|00.00000000   155.13.16.0   (address AND mask)
broadcast 10011011.00001101.000100|11.11111111   155.13.19.255
first     10011011.00001101.000100|00.00000001   155.13.16.1
last      10011011.00001101.000100|11.11111110   155.13.19.254
ipcalc shows the same:
Address: 155.13.18.0
Netmask: 255.255.252.0 = 22
Wildcard: 0.0.3.255
=>
Network: 155.13.16.0/22
Broadcast: 155.13.19.255
HostMin: 155.13.16.1
HostMax: 155.13.19.254
Hosts/Net: 1022
Subnet calculators:
-1 ipcalc, sipcalc
-2 whatmask
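The arithmetic of the five worked examples above, as an added example (not part of the original guide) using Python's standard `ipaddress` module instead of ipcalc: `describe` reproduces the ipcalc block for 155.13.18.0/22, `prefix_for_hosts` and `prefix_for_subnets` are the two "2^n >= N" calculations, and `carve` lists the resulting subnets.

```python
import ipaddress
import math


def describe(cidr):
    """Summarise a block the way ipcalc does.  strict=False accepts a host
    address such as 155.13.18.0/22 and derives the network 155.13.16.0/22."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 31:   # /31 and /32 have no separate network/broadcast addresses
        first, last, usable = net.network_address, net.broadcast_address, net.num_addresses
    else:
        first, last, usable = net.network_address + 1, net.broadcast_address - 1, net.num_addresses - 2
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "netmask": str(net.netmask),
        "wildcard": str(net.hostmask),
        "broadcast": str(net.broadcast_address),
        "hostmin": str(first),
        "hostmax": str(last),
        "hosts": usable,
    }


def prefix_for_hosts(n_hosts):
    """Shortest prefix whose block holds n usable hosts plus the network and
    broadcast addresses: 40 hosts -> 42 <= 2**6 -> /26; 517 -> 1024 -> /22."""
    host_bits = math.ceil(math.log2(n_hosts + 2))
    return 32 - host_bits


def prefix_for_subnets(base_prefix, n_subnets):
    """Bits borrowed from the host part to carve at least n subnets:
    9 subnets of a /24 -> 2**4 = 16 -> /28."""
    return base_prefix + math.ceil(math.log2(n_subnets))


def carve(cidr, n_subnets):
    """The subnets obtained by borrowing enough bits for n_subnets."""
    net = ipaddress.ip_network(cidr, strict=False)
    new_prefix = prefix_for_subnets(net.prefixlen, n_subnets)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def binary(address):
    """Dotted binary form used in the worked example above."""
    return ".".join(format(int(o), "08b") for o in address.split("."))


if __name__ == "__main__":
    for key, value in describe("155.13.18.0/22").items():
        print("%-10s %s" % (key, value))
    print(binary("241.255.240.3"))
    print(carve("192.168.16.0/24", 9))
```

`strict=False` matters: `ip_network("155.13.18.0/22")` alone raises because the host bits are not zero, which is exactly the situation of example 5, where the block is described by an address inside it.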
SYSTEM MONITORING AND SECURITY

SYSTEM MONITORING
Monitoring a system covers:
-1 the network: which services are reachable and which connections exist
-2 the log files
-3 disk usage: du, df, find, ls
-4 processes: ps, top
ping and dig check reachability and name resolution from the outside. Services listen on TCP or UDP ports: netstat and nmap show which ports are open on a host, iptables controls which of them are reachable, and auditing records what was done.

netstat
netstat shows the network connections of the local host: for every connection the protocol, the local and remote address and port, and the state. Both ends of a connection are visible, the client side and the server side. It exists on Linux and Unix and also on Windows NT.
Usage:
netstat            : the active connections (including Unix domain sockets, which are local IPC, not network connections)
netstat <options>  : see below
Options:
-t : TCP sockets
-u : UDP sockets
-p : the process (PID/program name) that owns each socket
-n : numeric addresses and ports, no name resolution (faster and unambiguous; combine as -tunp for auditing)
-l : listening sockets only, i.e. the services offered by this host (httpd listens on port 80). A service that listens but should not be reachable from the network must be blocked by the firewall or stopped.
-s : statistics per protocol
-i : the interface table; -e extended. # netstat -ie shows much the same as ifconfig.
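A small audit of `netstat -tulnp` output, as an added example (not part of the original guide). The sample output is constructed; `unexpected_listeners` compares every listening socket with an allowlist of (protocol, port, program) triples and flags anything else, together with whether it is bound to a real interface rather than loopback.

```python
# Constructed `netstat -tulnp` output (RHEL 6 layout).  Line 6 is the kind of
# surprise the check is meant to catch: a netcat listener on a high port.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1184/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1271/master
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      1399/httpd
tcp        0      0 0.0.0.0:31337               0.0.0.0:*                   LISTEN      2210/nc
tcp        0      0 :::22                       :::*                        LISTEN      1184/sshd
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1020/dhclient
"""

LOOPBACK = ("127.0.0.1", "::1")


def parse_listeners(output):
    """Turn `netstat -tulnp` text into dicts.  UDP lines have no State column,
    so the PID/Program field is one position earlier than for TCP."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto = fields[0].rstrip("6")
        addr, port = fields[3].rsplit(":", 1)   # rsplit keeps IPv6 forms such as ::: intact
        if proto == "tcp":
            if fields[5] != "LISTEN":
                continue
            program = fields[6]
        else:
            program = fields[5]
        pid, _, name = program.partition("/")    # "-" when netstat was not run as root
        listeners.append({
            "proto": proto, "addr": addr, "port": int(port),
            "pid": pid, "program": name,
            "exposed": addr not in LOOPBACK,     # bound to a real interface: reachable from the network
        })
    return listeners


def unexpected_listeners(output, allowed):
    """Listeners whose (proto, port, program) triple is not on the allowlist.
    A known port served by the wrong binary is reported too."""
    return [l for l in parse_listeners(output)
            if (l["proto"], l["port"], l["program"]) not in allowed]


# Constructed allowlist for the sample host.
ALLOWED = {("tcp", 22, "sshd"), ("tcp", 25, "master"), ("tcp", 80, "httpd"), ("udp", 68, "dhclient")}

if __name__ == "__main__":
    for l in unexpected_listeners(NETSTAT_SAMPLE, ALLOWED):
        print("unexpected: %(proto)s/%(port)d %(program)s pid %(pid)s exposed=%(exposed)s" % l)
```

Run it with real output by piping `netstat -tulnp` into the script as root; without root the program column reads `-` and the allowlist check on the program name cannot be made.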
NMAP
netstat shows the local host; nmap scans other hosts. It is a port scanner: it reports which ports of a target are open and, with service detection, which service (and version) answers on each. Scanning hosts you are not authorised to scan is intrusive and is logged by the target; use it on your own network.
# yum install nmap
# nmap <host>             : default scan (TCP)
# nmap 192.168.0.0/24     : scan every 192.168.0.X host; live hosts are found first with ping
Scan types:
-1 [TCP connect]: completes the TCP handshake with the connect() call of the OS, so no privilege is needed:
# nmap -sT 192.168.1.1
nmap connects to each port of 192.168.1.1; when port 21 answers, the FTP banner (header) identifies the service. Because the connection is fully established, the target's service logs it.
-2 [SYN stealth scan] (half-open scanning): nmap sends a SYN packet and reads the SYN/ACK (open) or RST (closed) without completing the handshake; no connection is established, so most services do not log it (needs root to craft packets):
# nmap -sS 192.168.1.1
Saving the results:
# nmap -sS -oN log.txt 192.168.1.1    (normal text)
# nmap -sS -oX log.xml 192.168.1.1    (XML)
Evasion options used by black hat hackers (know them as a defender):
# nmap -sS -f 192.168.1.1
fragments the IP packets so that a filter which inspects only whole headers does not see the TCP header.
# nmap -sS -D 192.168.1.2,192.168.1.3,192.168.1.4 192.168.1.1
decoy scan: the target also sees scans from 192.168.1.2, 192.168.1.3 and 192.168.1.4, so the real source is hidden among the decoys.
Zenmap is the GUI for nmap; it keeps scan profiles. The older front-end package was nmap-frontend (nmapfe).
Use service and chkconfig to stop and disable every service the host does not need.

Avahi
avahi implements zeroconf (zero configuration networking): multicast DNS (mDNS) and DNS service discovery, the same protocol family as Apple's Bonjour. Zeroconf lets hosts find each other and their services without a DNS or DHCP server. The daemon is avahi-daemon. On a server it is rarely needed; stop and disable it to reduce the attack surface.
LOG
Log files record what the system and its services do. The syslog daemon (rsyslogd on RHEL 6) receives messages and writes them to log files according to rules of the form facility.severity. The facility identifies the source of the message (kern, mail, auth, authpriv, cron, local0-local7, ...) and the severity its importance (emerg, alert, crit, err, warning, notice, info, debug).
logwatch summarises the logs and highlights the entries worth reading.
# yum install logwatch
Report for one service:
# logwatch --service service_name --print
--print writes the report to standard output instead of mailing it.
Report for one log file (messages, secure, maillog, ...):
# logwatch --logfile logfile_name --print
Report for a log directory:
# logwatch --logdir logfile_location --print
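How the facility.severity selectors above route messages, as an added example (not part of the original guide). The sample lines are constructed in the form a syslog daemon receives them (a `<PRI>` number, where PRI = facility * 8 + severity); `selector_matches` evaluates a rsyslog.conf selector the way sysklogd/rsyslog do, and `summarise` gives the per-facility.severity counts a logwatch-style report starts from.

```python
import re
from collections import Counter

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed messages as received on the wire: <PRI> followed by the text.
SAMPLE = [
    "<34>Oct 11 22:14:15 host1 su: 'su root' failed for lonvick on /dev/pts/8",
    "<86>Oct 11 22:14:20 host1 sshd[2201]: Accepted publickey for king from 10.0.0.5 port 51244",
    "<22>Oct 11 22:15:01 host1 postfix/smtpd[2310]: connect from mail.example.com[198.51.100.7]",
    "<78>Oct 11 22:15:01 host1 CROND[2311]: (root) CMD (run-parts /etc/cron.hourly)",
    "<3>Oct 11 22:16:00 host1 kernel: EXT4-fs error (device dm-0): ext4_lookup: deleted inode",
    "<166>Oct 11 22:16:30 host1 myapp[2400]: request served in 12ms",
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(pri):
    """PRI = facility * 8 + severity, so <34> is auth.crit (4*8 + 2)."""
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_line(line):
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix: %r" % line)
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "message": m.group(2)}


def selector_matches(selector, facility, severity):
    """Evaluate a selector such as '*.info;mail.none;authpriv.none': each part is
    facility.level, a level means that severity or worse, 'none' excludes the
    facility, and a later part overrides an earlier one for the facilities it
    names.  (The =level and !level forms are not handled here.)"""
    sev_num = SEVERITIES.index(severity)
    decision = False
    for part in selector.split(";"):
        fac_spec, level = part.strip().rsplit(".", 1)
        facs = FACILITIES if fac_spec == "*" else fac_spec.split(",")
        if facility not in facs:
            continue
        if level == "none":
            decision = False
        elif level == "*":
            decision = True
        else:
            decision = sev_num <= SEVERITIES.index(level)
    return decision


def route(lines, selector):
    """The constructed lines a rule with the given selector would write."""
    return [p["message"] for p in map(parse_line, lines)
            if selector_matches(selector, p["facility"], p["severity"])]


def summarise(lines):
    """Counts per facility.severity."""
    return Counter("%s.%s" % (p["facility"], p["severity"]) for p in map(parse_line, lines))


MESSAGES_RULE = "*.info;mail.none;authpriv.none;cron.none"   # the stock /var/log/messages selector

if __name__ == "__main__":
    print(summarise(SAMPLE))
    for msg in route(SAMPLE, MESSAGES_RULE):
        print("messages <-", msg)
```

With the stock selector, the su failure (auth.crit), the kernel error and the local4 message land in /var/log/messages, while the sshd line (authpriv) goes to /var/log/secure, the postfix line to /var/log/maillog and the cron line to /var/log/cron.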
Processes: ps and top show what is running now.

Process limits
Every process has a PID; when a user can create processes without limit, the PID space is exhausted and the system hangs (a fork bomb). Limits per user are set in /etc/security/limits.conf; each line has four fields:
[Who to limit]: a user name, @group for a group, or "*" for everyone.
[Type of limit]: soft or hard. A user may raise the soft limit with ulimit, but never above the hard limit; only root may raise the hard limit.
[What to limit]: the resource (nproc, nofile, fsize, ...).
[Limit value]: a number, or unlimited.
/etc/security/limits.conf and the files in /etc/security/limits.d/ are applied at login by the PAM module pam_limits.so.
# ulimit -a : the limits of the current shell.
pid_max is the largest PID the kernel hands out:
# cat /proc/sys/kernel/pid_max           : display the maximum PID
# sysctl -w kernel.pid_max=4194303       : set it now
or
# echo kernel.pid_max=4194303 >> /etc/sysctl.conf   : persistent across reboots

Process accounting: psacct
ps and top show only what is running now; psacct records every command run by every user.
# service psacct start
The data goes to the binary file /var/account/psacct; read it with sa:
# sa
prints, per command:
number of times run
"real time" spent running
"cpu time" used
average core memory usage
command name
# sa --user-summary : totals per user
sa options:
-a : list every command (otherwise rarely used commands are merged under ***other*)
-c : show percentages
-n : sort by number of calls
-b : sort by average CPU time per call
# ac      : total login time per user
# ac -dp  : per day (-d) and per person (-p)
# lastcomm : previously executed commands, most recent first (also from the psacct data)
SECURITY OVERVIEW
Attackers (black hat crackers) usually get in through a network service and then escalate privileges. Remote-root and local-root buffer overflows in services and tools such as NetworkManager, BIND, curl, rsync, Apache or netcat are the classic entry points. Defence in depth:
- keep software updated;
- SELinux (developed by the NSA) confines what a compromised service can do;
- a firewall (iptables) filters packets at the network edge;
- user- and host-based security: file permissions, SELinux, TCP wrappers, Pluggable Authentication Modules (PAM).

Bastion host
A bastion host is a hardened machine exposed to the Internet that provides one service (usually a proxy) and nothing else. It is the platform for application-level and circuit-level gateways; commercial examples are Cisco PIX/ASA. Proxies for FTP, SMTP, telnet and DNS commonly run on it, each in a chroot jail. The NSA guidance for a bastion host: a minimal installation; separate roles (web server, file server, authentication server) on separate machines; administration only over SSH, or VNC tunnelled through SSH.
Keep the host patched: the Software Update tool (gpk-update-viewer lists and applies updates; gpk-prefs configures how often to check).

SERVICE-SPECIFIC SECURITY
Each service is secured on three levels: host, network, and user/group (host-based security, network-based security, user and group based security).
-1 Host-based security: restrict access by host name, domain name or IP; ACLs, SELinux, file-system encryption, privileges at each OSI layer.
-2 User-based security: for example /etc/cron.allow lists the users who may use cron.
-3 Network-based security: the firewall (netfilter) and proxies.
-4 Console security: /etc/securetty lists the terminals root may log in on; /etc/security/access.conf restricts console and remote (SSH, telnet) access per user and origin.
NSA recommendations:
1- Encrypt transmitted data whenever possible
2- Minimise software to minimise vulnerability
3- Run different network services on separate systems
4- Configure security tools to improve system robustness
5- Least privilege

THE POLICYKIT
PolicyKit decides which administrative tools (administrative actions) an unprivileged user may run from the desktop. Each action has details: the vendor (e.g. system-config-firewall) and the action ID (org.fedoraproject.config.firewall.auth), defined in /usr/share/polkit-1/actions/org.fedoraproject.config.firewall.policy. PolicyKit covers console actions; command-line privilege delegation is done with sudo through /etc/sudoers.
SUDO CONFIGURATION
/etc/sudoers is edited with visudo, which checks the syntax before saving. Examples:
-1 User JANA may run any command as root (her own password is asked):
JANA    ALL=(ALL)       ALL
-2 The same without a password prompt:
JANA    ALL=(ALL)       NOPASSWD: ALL
(on ALL hosts, as any user (ALL), without a password, ALL commands). NOPASSWD removes the only check between a stolen session and root; use it for specific commands only.
-3 Every member of the wheel group:
%wheel  ALL=(ALL)       NOPASSWD: ALL
-4 A command alias (Cmnd_Alias) NETWORKING, and user noreen limited to it (the stock sudoers ships this alias as a commented example):
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping
noreen  ALL=(root)      NETWORKING
-5 More examples:
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
Jana    ALL=(ALL)       SOFTWARE
%JBA    ALL=(ALL)       /sbin/service mysql, /sbin/chkconfig mysql
%CBS    ALL=/sbin/service mysql, /sbin/chkconfig mysql
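An evaluator for the sudoers entries above, as an added example (not part of the original guide): it parses a constructed sudoers fragment with the aliases and user specifications shown, expands Cmnd_Alias names, and answers whether a user may run a command as a given target user and whether a password will be asked, using sudo's rules that the last matching entry wins and that listed arguments must match exactly.

```python
import re

# Constructed sudoers fragment following the entries above and the aliases that
# the stock sudoers ships as commented examples.
SUDOERS = """\
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping
Cmnd_Alias SOFTWARE   = /bin/rpm, /usr/bin/yum
Cmnd_Alias MYSQL      = /sbin/service mysql, /sbin/chkconfig mysql

root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       NOPASSWD: ALL
jana    ALL=(ALL)       SOFTWARE
noreen  ALL=(root)      NETWORKING
%cbs    ALL=(root)      MYSQL
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(
    r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*((?:NOPASSWD|PASSWD):)?\s*(.+)$")


def parse_sudoers(text):
    aliases, specs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % raw)
        who, host, runas, tag, cmds = m.groups()
        specs.append({"who": who, "host": host, "runas": runas or "root",
                      "nopasswd": tag == "NOPASSWD:",
                      "cmds": [c.strip() for c in cmds.split(",")]})
    return aliases, specs


def expand(cmds, aliases):
    out = []
    for c in cmds:
        out.extend(expand(aliases[c], aliases) if c in aliases else [c])
    return out


def cmd_matches(rule, command):
    """sudo semantics: a rule without arguments allows any arguments; a rule that
    lists arguments must match the whole command line exactly."""
    if rule == "ALL":
        return True
    rule_parts, cmd_parts = rule.split(), command.split()
    if len(rule_parts) == 1:
        return rule_parts[0] == cmd_parts[0]
    return rule_parts == cmd_parts


def may_run(sudoers, user, groups, command, host="ALL", runas="root"):
    """{'allowed': bool, 'password': bool} for user running command as runas.
    Like sudo, the last matching entry wins."""
    aliases, specs = parse_sudoers(sudoers)
    decision = {"allowed": False, "password": True}
    for s in specs:
        who_ok = s["who"] in ("ALL", user) or (s["who"].startswith("%") and s["who"][1:] in groups)
        host_ok = s["host"] in ("ALL", host)
        runas_ok = s["runas"] in ("ALL", runas)
        if not (who_ok and host_ok and runas_ok):
            continue
        if any(cmd_matches(c, command) for c in expand(s["cmds"], aliases)):
            decision = {"allowed": True, "password": not s["nopasswd"]}
    return decision


if __name__ == "__main__":
    for user, groups, cmd in [("noreen", [], "/sbin/ifconfig eth0 down"),
                              ("noreen", [], "/usr/bin/yum update"),
                              ("carol", ["cbs"], "/sbin/service mysql"),
                              ("carol", ["cbs"], "/sbin/service mysql restart"),
                              ("bob", ["wheel"], "/bin/bash")]:
        print(user, cmd, may_run(SUDOERS, user, groups, cmd))
```

Note what the last two cases show: because `/sbin/service mysql` lists an argument, it permits only that exact command line, not `service mysql restart`; real sudoers entries use a wildcard (`/sbin/service mysql *`) for that, which this evaluator does not implement. The wheel entry with NOPASSWD: ALL makes every wheel member a password-less root, which is why the guide's warning about NOPASSWD matters.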
KERBEROS CONFIGURATION
Kerberos is a secure authentication protocol for client/server applications, developed at MIT. It uses symmetric (private-key) cryptography (originally DES) so that passwords never cross the network; implementations exist for Linux, BSD, Windows and Mac OS X.
A Kerberos client authenticates once and then works with tickets:
- the authentication server verifies the user and issues a ticket-granting ticket;
- for every service the client then obtains a service ticket and a session key; the session key encrypts the traffic between the client and that server.
Components:
-1 Kerberos realm: the domain served by one set of KDCs (Kerberos authentication servers); every user and service in the realm authenticates against them.
-2 KDC (Key Distribution Center): issues the tickets (authentication credentials).
-3 Kerberos admin server: remote administration of the master KDC.
Client configuration: system-config-authentication (GUI) or authconfig (command line). Both also set up LDAP for account information together with Kerberos for authentication; on RHEL 6 they configure sssd to do the lookups.
SELINUX
Security-Enhanced Linux (SELinux) adds a mandatory security layer on top of the classic Linux permissions; it was developed by the U.S. National Security Agency.
SELinux attaches contexts (labels) to subjects and objects and decides every action by policy:
Subjects: processes (services, programs run by users).
Objects: files, devices, ports, sockets; also IP addresses and other resources.
Even a file with mode 777 is still governed by the policy. SELinux grew out of the NSA's MASH and Flask research; its model is Type Enforcement (TE). It is implemented through the Linux Security Modules (LSM) framework and provides Mandatory Access Control (MAC). File labels are stored as extended attributes, which ext2, ext3 and ext4 support. It was released on 22 December 2000 for kernel 2.2.12.
SELinux compared with classic Unix security:
-1 Discretionary Access Control (DAC): the owner of an object decides who may access it; the check compares the user and group of the process with the permission bits of the object. Users fall into two classes, administrators (privileged users) and non-administrators; the root user bypasses every DAC check.
-2 Mandatory Access Control (MAC), with role-based control: a system-wide policy decides what each process may do with each device, port or file; neither the owner nor root can override it.
Under DAC the principle is "everything is a file" and the checks are based on user and group.
Under SELinux the principle is "everything is an object": every object carries a security context, and the policy is evaluated against it.
Example: under DAC a compromised httpd runs with the rights of the apache user and can read every file that user can read. Under MAC httpd is confined to the httpd_t domain and may touch only the object types the policy allows for httpd_t, whatever the file permissions say.
SELinux therefore limits the damage a compromised service can do; the policy defines every permitted interaction between subjects and objects, and anything not defined is denied.
SECURITY CONTEXT
Viewing labels: ls -Z for files, ps -Z (ps -eZ) for processes.
# semanage fcontext -l
lists the policy's file context rules; the same data is in /etc/selinux/targeted/contexts/files/file_contexts.
Finding files by context:
[root@RHEL01 ~]# find /home/ -context '*:httpd_*_content_t'
A label is user:role:type (with an optional level); in the targeted policy the type is the part that matters.

Preserving labels when copying or archiving
1) tar keeps the label with --selinux (RHEL 4 update 2 and later):
# tar --selinux -cf anaconda-ks.cfg.tar.gz anaconda-ks.cfg
# tar --selinux -xf anaconda-ks.cfg.tar.gz
Without --selinux the extracted files get the default label of the destination.
2) star stores the xattr (where the label lives) when the exustar header format is selected with -H:
# star -xattr -H=exustar -c -f=anaconda-ks.cfg.star anaconda-ks.cfg
# star -xattr -H=exustar -x -f=anaconda-ks.cfg.star
3) rsync preserves labels; cp and scp do not by default:
# rsync -avHPAX anaconda-ks.cfg 10.0.0.80:/tmp
-a archive, -v verbose, -H hard links, -P partial/progress, -A ACLs, -X xattrs (the label).

CHANGING A LABEL (SECURITY CONTEXT)
Labels are written user:role:type. Three ways to relabel:
-1 chcon: changes the context of an object (or of the executable that a subject is started from). Change the type/domain:
# chcon -t type_name_t filename
recursively:
# chcon -R -t type_name_t filename
-u sets the user part, -r the role, -t the type; -f suppresses error messages.
Copy the label of a correctly labelled file onto another:
# chcon --reference CorrectFile NotCorrectFile
-2 restorecon: resets labels to what the policy's file_contexts says, undoing chcon changes:
# restorecon -Rv /home/KING/public_html
-R/-r recursive, -v verbose, -p progress, -F force (reset the whole context, not only the type).
-3 semanage: unlike chcon, records the change in the policy, so it survives restorecon and a full relabel. Packages: policycoreutils-python (policycoreutils-python-gui for the GUI).
semanage fcontext options:
-a add
-d delete; -D delete all local customisations
-l list
-m modify
-f file type
-s SELinux user (*_u); -r role (*_r)
-t for type/domain
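A check of on-disk labels against file_contexts rules, as an added example (not part of the original guide): it parses constructed `ls -Z` output, applies a small hand-written subset of the targeted policy's file_contexts (regex to type, last match wins, as setfiles and restorecon do), and reports files whose type differs, which is what `restorecon -nv` would list. The mislabeled public_html files are the situation the exercise at the end of this chapter runs into.

```python
import re

# Constructed `ls -Z` output for a few explicit paths (RHEL 6 format: mode, user,
# group, context, name).  The public_html entries still carry the label they
# inherited from the home directory.
LS_Z_SAMPLE = """\
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 /etc/httpd/conf/httpd.conf
drwxr-xr-x. king king unconfined_u:object_r:user_home_t:s0 /home/king/public_html
-rw-rw-r--. king king unconfined_u:object_r:user_home_t:s0 /home/king/public_html/index.html
-rw-------. king king unconfined_u:object_r:user_home_t:s0 /home/king/.bash_history
"""

# A small subset of the targeted policy's file_contexts (regex -> type).
FILE_CONTEXTS = [
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/etc/httpd(/.*)?", "httpd_config_t"),
    (r"/home/[^/]+(/.*)?", "user_home_t"),
    (r"/home/[^/]+/((www)|(web)|(public_html))(/.+)?", "httpd_user_content_t"),
]


def parse_context(ctx):
    """user:role:type[:level] -> dict; the type is what the targeted policy checks."""
    user, role, type_, *level = ctx.split(":")
    return {"user": user, "role": role, "type": type_, "level": ":".join(level)}


def expected_type(path, rules=FILE_CONTEXTS):
    """setfiles/restorecon apply the last file_contexts line that matches the path."""
    match = None
    for pattern, type_ in rules:
        if re.fullmatch(pattern, path):
            match = type_
    return match


def find_mislabeled(ls_output, rules=FILE_CONTEXTS):
    """Entries whose on-disk type differs from the policy's expectation."""
    bad = []
    for line in ls_output.strip().splitlines():
        _mode, _user, _group, ctx, path = line.split(None, 4)
        actual = parse_context(ctx)["type"]
        wanted = expected_type(path, rules)
        if wanted and actual != wanted:
            bad.append({"path": path, "actual": actual, "expected": wanted})
    return bad


if __name__ == "__main__":
    for b in find_mislabeled(LS_Z_SAMPLE):
        print("%(path)s: %(actual)s -> should be %(expected)s (fix: restorecon -v %(path)s)" % b)
```

Because the public_html rule already exists in the policy, the fix is restorecon, not chcon; a chcon would be undone by the next relabel, and a semanage fcontext entry is only needed for paths the policy does not know.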
SECURITY POLICY
The policy is the set of rules SELinux enforces. A rule names a subject (a domain), an object (a type) and the actions the subject may perform on the object.
Objects: the label of a file carries the object's type, for example user_home_t for files in a home directory. The user and role parts of an object label are not used by the targeted policy.
Subjects: the label of a process carries its domain, for example httpd_t. The domain is entered when the executable, labelled httpd_exec_t, is started. The policy then lists the types httpd_t may access: httpd_sys_content_t for the system web content under /var/www and httpd_user_content_t for users' public_html. Nothing outside these rules is permitted to httpd, whatever the file permissions are.

TARGETED POLICY
The Red Hat default. Only the listed subjects (network daemons) are confined; everything else runs in the unconfined_t domain, which is subject only to DAC.
# cat /selinux/policyvers   : the policy version
Confined domains include: dhcpd_t, httpd_t, initrc_t, ldconfig_t, mysqld_t, named_t, ndc_t, nscd_t, ntpd_t, pegasus_t, portmap_t, postgresql_t, snmpd_t, squid_t, syslogd_t, winbind_t, ypbind_t. Every other process runs as unconfined_t.
# man -k selinux   : lists the per-service SELinux manual pages.

POLICY BOOLEANS
Booleans switch parts of the policy on (1) or off (0) without rewriting it. They live in /selinux/booleans/, one file per boolean holding the current and the pending value; a value written there is pending until 1 is written to /selinux/commit_pending_bools.
List and change them with getsebool -a and setsebool -P boolean on|off (-P makes the change persistent), or with system-config-selinux.
# ls /selinux/booleans | grep ftp   : the booleans that concern ftp
SELINUX MODES AND POLICY TYPES
Two settings, both in /etc/selinux/config (/etc/sysconfig/selinux is a symbolic link to it):
1. the SELinux mode
2. the policy type
Modes:
-1 enforcing: the policy is loaded and enforced; denied actions are blocked and logged.
-2 permissive: the policy is loaded, denials are only logged; used for debugging a policy problem.
-3 disabled: SELinux is off and no labels are maintained (switching back later requires a full relabel).
Policy types:
-1 targeted (default): confines the listed daemons, everything else is unconfined.
# yum -y install selinux-policy-targeted
installs it under /etc/selinux/targeted/policy/.
Development files for building policy modules:
# yum -y install selinux-policy-devel
installed under /usr/share/selinux/devel/.
-2 strict: confines every process.
# yum -y install selinux-policy-strict
-3 mls (Multi Level Security): labels also carry sensitivities and categories.
# yum -y install selinux-policy-mls
Changing the mode:
-1 /etc/selinux/config (persistent; /etc/sysconfig/selinux points to it):
SELINUX=enforcing
-2 kernel parameters on the GRUB command line: selinux=1 enables and selinux=0 disables SELinux; enforcing=1 boots enforcing, enforcing=0 boots permissive:
kernel /boot/vmlinuz-2.6.18-164.15.1.el5 ro root=LABEL=/ selinux=1
-3 setenforce 1 | 0 switches between enforcing and permissive at run time (not to disabled).
-4 # echo "1" > /selinux/enforce   : the same as setenforce 1
-5 system-config-selinux (GUI).

Labels and file operations
mv keeps the label of the source file; cp gives the new file the default label of the destination directory. cp -Z sets an explicit label:
[root@RHEL01 ~]# cp -Z system_u:object_r:file_t /etc/hosts hosts

RELABELED FILES
Relabel a file system when labels are missing or wrong (for example after running with SELinux disabled):
-1 autorelabel: # touch /.autorelabel ; reboot
relabels everything at the next boot (this takes a while).
-2 fixfiles: relabels according to the policy (fixfiles relabel). chcon sets a label by hand; fixfiles and restorecon set the label the policy expects for the subject/object.
File systems without label support get a label at mount time:
# mount -t nfs -o context=user_u:object_r:user_home_t 10.0.0.99:/shares/homes /home
# mount -o fscontext=system_u:object_r:removable_t /dev/cdrom /media/cdrom
ERROR MESSAGES
SELinux logs every denial. With auditd running, denials (AVC messages) go to /var/log/audit/audit.log; without auditd they go to /var/log/messages. Logs of SELinux denials:
/var/log/audit/audit.log
/var/log/messages

SELinux tools
-1 system-config-selinux: GUI for the mode, booleans, file contexts, users and ports.
-2 seaudit (setools package): browses and reports on the audit logs.
# yum -y install setools
# seaudit-report /var/log/audit/audit.log
# seaudit-report --html -o selinuxLog.html /var/log/audit/audit.log
# seaudit -l /var/log/logFilePath.log
-3 apol (setools): policy analysis: types, roles, booleans, SIDs.
-4 checkpolicy: the policy compiler.
-5 sesearch: searches the policy for rules, e.g. the allow rules whose target is a type:
# sesearch -a -t httpd_user_content_t /etc/selinux/targeted/policy/policy.21
-6 sestatus: shows the mode (disabled, enforcing, permissive) and the loaded policy; /etc/sestatus.conf lists extra files and processes to report with -v:
# sestatus -v
-7 audit2allow: turns AVC denials into allow rules. Only load such rules after deciding that the denial is neither an attack nor a mislabeled file:
# audit2allow -l -i /var/log/audit/audit.log
-8 audit2why: explains why an access was denied:
# audit2why < /var/log/audit/audit.log
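What audit2allow and audit2why do with the audit.log denials described above, as an added example (not part of the original guide): `parse_avc` extracts the subject domain, object type, class and permissions from constructed AVC records, `allow_rules` aggregates them into the allow statements audit2allow prints, and `triage` applies the check a practitioner makes first: a denial caused by a mislabeled file is fixed with restorecon, not with policy.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt: httpd (domain httpd_t) reading a public_html file
# still labelled user_home_t, then binding a port that carries no service label.
AUDIT_SAMPLE = """\
type=AVC msg=audit(1318349012.123:456): avc:  denied  { read } for  pid=2812 comm="httpd" name="index.html" dev=dm-0 ino=262202 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1318349012.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0
type=AVC msg=audit(1318349012.130:457): avc:  denied  { getattr } for  pid=2812 comm="httpd" path="/home/king/public_html/index.html" dev=dm-0 ino=262202 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1318349100.456:470): avc:  denied  { name_bind } for  pid=2900 comm="httpd" src=8081 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """The interesting fields of one AVC denial, or None for other record types."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "perms": m.group(1).split(),
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "source": fields["scontext"].split(":")[2],   # domain of the subject
        "target": fields["tcontext"].split(":")[2],   # type of the object
        "tclass": fields["tclass"],
        "object": fields.get("path") or fields.get("name") or fields.get("src"),
    }


def allow_rules(log_text):
    """Aggregate denials per (source, target, class) into the allow statements
    audit2allow would print."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            perms[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
                  for (s, t, c), p in perms.items())


def triage(log_text):
    """Before turning a denial into policy, ask whether the object is simply
    mislabelled: a *_home_t file under a web directory needs restorecon, and an
    unlabelled port needs a port label, not a wider httpd_t."""
    notes = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d and d["tclass"] == "file" and d["target"].endswith("_home_t"):
            notes.append("relabel %s (restorecon), do not allow %s -> %s" % (d["object"], d["source"], d["target"]))
        elif d and d["tclass"] == "tcp_socket" and d["target"] == "port_t":
            notes.append("label the port instead: semanage port -a -t <type> -p tcp %s" % d["object"])
    return notes


if __name__ == "__main__":
    print("\n".join(allow_rules(AUDIT_SAMPLE)))
    print("\n".join(triage(AUDIT_SAMPLE)))
```

Feeding these two allow rules to semodule would let httpd_t read every user's home directory and bind any unlabelled port, which is far more than the administrator intended; the triage output points at the narrower fixes.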
-9 avcstat: statistics of the SELinux AVC cache (from /selinux/avc/cache_stats).
-10 seinfo: summarises the policy (number of types, roles, booleans, ...).
-11 semanage: manages the policy's mappings for subjects and objects without editing policy source:
# semanage login -l   : Linux users mapped to SELinux users
# semanage user -l    : SELinux users and their roles
# semanage port -l    : port labels
-12 semodule: manages policy modules:
-i module_pkg        install/replace a module package:   # semodule -i httpd.pp
-u module_pkg        upgrade a module package
-d module_name       disable a module
-e module_name       enable a module
-r module_name       remove a module
-l                   list the loaded modules:   # semodule -l
-b base_module_pkg   install/replace the base module package
The module packages (.pp) of the targeted policy are under /usr/share/selinux/targeted.
SELINUX EXERCISE
Serve users' public_html directories through Apache with SELinux enforcing.
Steps:
-1 Put SELinux in permissive mode.
-2
  -a look at the labels the policy expects (file_contexts);
  -b check the label of the web root;
  -c check the label of the user's home directory;
  -d create an html page.
-3 Enable public_html in httpd.
-4 Check the security context of public_html.
-5 Put SELinux back in enforcing mode.
Walkthrough:
-1 # setenforce 0 (permissive).
-2b The web root /var/www/html is labelled httpd_sys_content_t by the policy.
-2d Create index.html in /var/www/html and another one in the user's public_html.
-3 vim /etc/httpd/conf/httpd.conf
   comment out "UserDir disable" and enable "UserDir public_html":
   #UserDir disable
   UserDir public_html
   then restart httpd. In permissive mode both pages are served.
-4 With SELinux back in enforcing mode the user's page is denied. The reason is the label of the objects: public_html and its files inherited the type of the home directory, user_home_t, and the policy has no rule that lets the httpd_t domain read that type. The policy decides by type; the user and role parts of the context play no part here.
-5 Fix it by relabeling with restorecon: the policy already defines httpd_user_content_t for public_html, so
# restorecon -Rv /home/<user>/public_html
applies it and the page is served with SELinux enforcing. A chcon would work too, but only until the next relabel.
FIREWALL, XINETD, TCP WRAPPERS

FIREWALL
A firewall sits between two networks, typically the internal network and the Internet, and decides which traffic may pass in either direction. It can be a dedicated device, a router, or a Linux host with iptables.
Network Address Translation (NAT) rewrites the addresses in packets so that many hosts with private addresses can share one public IP. On Linux this is masquerading: the gateway replaces the source IP of outgoing packets with its own (the router's) public IP and maps the replies back, exactly what an ADSL modem does for a home network.
Definition: iptables is the Linux packet filter. It inspects packet headers and, according to rules, accepts, drops or modifies each packet; this is packet filtering. The header fields used are the type of data (protocol), the source address and the destination address, plus ports; the decision is made per packet from its header alone. Fragmentation and the maximum transmission unit (MTU) matter: a filter that inspects only the first fragment can be bypassed by later fragments (nmap -f), so the firewall must reassemble or track fragments.
IPTABLES
Tables and chains
iptables is organised in tables; each table holds chains, and a chain is an ordered list of rules.
-1 [filter] table: the default table, used for packet filtering. It has three built-in chains:
[INPUT CHAIN]: packets addressed to the local host.
[OUTPUT CHAIN]: packets generated by the local host.
[FORWARD CHAIN]: packets routed through the host (neither source nor destination is local).
-t selects the table; without -t the filter table is used.
Syntax: iptables [-t table] <action> <chain> <match> -j <target>
-A chain : APPEND a rule at the end of the chain
-D chain : DELETE a rule from the chain
-L       : LIST the rules of a chain or table (-v verbose, -n numeric)
-F chain : FLUSH all rules of the chain (of the whole table without a chain name)
-I chain : INSERT a rule at the beginning of the chain (or at a given position)
-N chain : create a NEW user-defined chain
-X chain : DELETE a user-defined chain
Chains: [INPUT] [OUTPUT] [FORWARD] in the filter table, [PREROUTING] [POSTROUTING] (and OUTPUT) in the nat table.
Rules are checked in order; the first rule that matches decides the fate of the packet, and if no rule matches the chain's policy applies.

Examples
-1 # iptables -L : list the rules; -t table selects the table: # iptables -t filter -L
Output columns: Chain (INPUT/FORWARD/...), target (ACCEPT, DROP, ...), prot (protocol), opt, source and destination (source IP and destination IP). Rules are numbered from the top; --line-numbers shows the numbers.
-2 # iptables -F INPUT : flush the INPUT chain (all its rules); # iptables -F FORWARD flushes FORWARD.
-3 # iptables -t filter -A INPUT -s 192.168.0.1 -j DROP : drop everything coming from 192.168.0.1.
-4 # iptables -t filter -A INPUT -s 192.168.0.1 -p tcp --dport 22 -j ACCEPT : accept TCP port 22 (SSH) from 192.168.0.1.
Rules 3 and 4 together show that order matters: with rule 3 first, the DROP matches every packet from 192.168.0.1 and rule 4 is never reached.
-5 # iptables -A INPUT -s ! 192.168.0.1 -p tcp -j DROP : drop TCP from every address except 192.168.0.1 (! negates the match).
-8 # iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT : insert at the top of INPUT a rule accepting SSH; -m tcp loads the tcp match extension that provides --dport.
Saving and restoring rules:
# service iptables save : writes the running rules to /etc/sysconfig/iptables, which is loaded at boot.
# iptables-save : prints the running rules; # iptables-save > /etc/sysconfig/iptables does the same as service iptables save.
# iptables-restore < file_name : loads the rules from a file.
Since the firewall decides from the headers, the same model applies to IPv6 with ip6tables and /etc/sysconfig/ip6tables.
Rule positions: -I chain NO. inserts before rule number NO.; -D chain NO. deletes rule number NO.
-n and -v are used with -L; --line-numbers with -L shows rule numbers.
-i interface matches the incoming interface, -o interface the outgoing one: -i eth0, -i lo, -o eth1; e.g. -i eth0 -s 192.168.0.0/24.
Service names in rules come from /etc/services and protocol names from /etc/protocols.
Saved rules live in /etc/sysconfig/iptables.
! negates the match that follows it.
# iptables -p icmp -h : lists the ICMP types usable with --icmp-type.
NAT
Setting up a NAT gateway:
-1 The gateway has one [public IP].
-2 The internal hosts use [private IP] addresses.
-3 The gateway also has a [private IP] on the LAN side; it is the [router]/[gateway] of the LAN.
-4 iptables performs the [NAT masquerading].
-5 [IP forwarding] is enabled on the [gateway]/[router].
-6 The LAN hosts use the [private IP] of the [gateway]/[router] as their [default gateway].
Outgoing packets from the LAN have their [source] private IP replaced with the [public IP]; the source [port number] is rewritten too, so that replies can be mapped back to the right internal host. Replies coming in have their destination rewritten from the public IP to the internal IP.
NAT rules:
DNAT examples
INBOUND (port forwarding to an internal server):
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-dest 192.168.0.20
OUTBOUND (with port redirection, e.g. to a transparent proxy):
# iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-dest 192.168.0.200:3128
SNAT examples
MASQUERADE (dynamic public IP):
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
SNAT (fixed public IP):
# iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.45
Masquerading on other interfaces (wireless, libvirt bridges):
# iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -o virbr0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -o virbr1 -j MASQUERADE
CONNECTION TRACKING
[conntrack] keeps a table of the connections passing through the host and gives every packet a [state]:
-1 [NEW]: the first packet of a connection (e.g. a TCP SYN); the connection is added to the table.
-2 [ESTABLISHED]: a packet of a connection that has already seen traffic in both directions (a reply packet was received).
-3 [RELATED]: a new connection related to an existing one: ICMP errors, the FTP data connection.
-4 [INVALID]: a packet that belongs to no known connection or is malformed; it should be [DROP]ped.
[connection tracking] works for TCP and also for UDP (by address/port pairs with timeouts); packets are defragmented before tracking.
With [connection tracking] an [iptables] ruleset becomes short and stateful:
One rule to permit established connections:
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Many rules; one for each permitted service:
# iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
Lastly, one rule to block all others inbound:
# iptables -A INPUT -m state --state NEW -j DROP
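A generator for the stateful ruleset just described together with the NAT rules of the previous section, as an added example (not part of the original guide). It emits the iptables-save format that /etc/sysconfig/iptables uses (load with `iptables-restore < file`), and `check_order` verifies the ordering the text insists on: the ESTABLISHED,RELATED rule before every NEW rule and the final NEW drop last. Interface names, the LAN range and the port forward are assumptions for the example.

```python
def build_ruleset(tcp_services, udp_services=(), wan_if="eth0", lan_net="192.168.0.0/24",
                  port_forwards=(), trusted_ifs=("lo",)):
    """Text in iptables-save format for /etc/sysconfig/iptables.

    filter: stateful INPUT (established first, one NEW rule per service, drop the rest)
            and FORWARD for a LAN behind the gateway.
    nat:    MASQUERADE outbound LAN traffic on wan_if, DNAT each port forward.
    port_forwards: (wan_port, internal_host, internal_port) tuples.
    IP forwarding itself is a sysctl (net.ipv4.ip_forward = 1), not an iptables rule."""
    f = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]"]
    for ifname in trusted_ifs:
        f.append("-A INPUT -i %s -j ACCEPT" % ifname)
    f.append("-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT")
    f.append("-A INPUT -m state --state INVALID -j DROP")
    for port in tcp_services:
        f.append("-A INPUT -m state --state NEW -p tcp --dport %d -j ACCEPT" % port)
    for port in udp_services:
        f.append("-A INPUT -p udp --dport %d -j ACCEPT" % port)
    f.append("-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT")
    f.append("-A INPUT -m state --state NEW -j DROP")   # explicit, as in the text; the DROP policy catches the rest
    f.append("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
    f.append("-A FORWARD -s %s -o %s -m state --state NEW -j ACCEPT" % (lan_net, wan_if))
    for _wan_port, host, int_port in port_forwards:
        f.append("-A FORWARD -i %s -d %s -p tcp --dport %d -m state --state NEW -j ACCEPT" % (wan_if, host, int_port))
    f.append("COMMIT")

    n = ["*nat", ":PREROUTING ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]"]
    for wan_port, host, int_port in port_forwards:
        n.append("-A PREROUTING -i %s -p tcp --dport %d -j DNAT --to-destination %s:%d" % (wan_if, wan_port, host, int_port))
    n.append("-A POSTROUTING -s %s -o %s -j MASQUERADE" % (lan_net, wan_if))
    n.append("COMMIT")
    return "\n".join(f + n) + "\n"


def check_order(ruleset):
    """The ESTABLISHED rule must precede every per-service NEW rule, and the final NEW
    drop must be the last INPUT rule; otherwise services are unreachable or the drop
    never fires."""
    inputs = [l for l in ruleset.splitlines() if l.startswith("-A INPUT")]
    est = next(i for i, l in enumerate(inputs) if "ESTABLISHED" in l)
    drop = next(i for i, l in enumerate(inputs) if l.endswith("--state NEW -j DROP"))
    news = [i for i, l in enumerate(inputs) if "--state NEW -p" in l]
    return all(est < i < drop for i in news) and drop == len(inputs) - 1


if __name__ == "__main__":
    text = build_ruleset([22, 25, 80], udp_services=[53], port_forwards=[(80, "192.168.0.20", 80)])
    print(text)
    print("order ok:", check_order(text))
```

The DNAT in PREROUTING changes the destination before the routing decision, so the matching FORWARD rule must name the internal host and port, not the public ones.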
The [connection tracking] helper [MODULES] are configured in [/etc/sysconfig/iptables-config]:
ip_conntrack_ftp
ip_conntrack_irc
ip_conntrack
ip_nat_ftp
ip_nat_irc (and others)
[ip_conntrack_ftp] tracks the FTP command connection so that the data connection passes the [firewall] as RELATED; [ip_nat_ftp] rewrites the addresses carried inside [ftp packets] when NAT is used. Load them with the [IPTABLES_MODULES] variable of iptables-config.
/proc/net/ip_conntrack lists the tracked (established) connections; the maximum size of the table is /proc/sys/net/ipv4/ip_conntrack_max.
IP FORWARDING (ROUTING)
Forwarding lets the host route packets between its interfaces, which a NAT gateway needs. Enable it with net.ipv4.ip_forward = 1 in /etc/sysctl.conf (sysctl -w net.ipv4.ip_forward=1 for the running kernel).

Firewall configuration tools
-1 system-config-firewall: writes [/etc/sysconfig/iptables]; available as a GUI and in text mode as system-config-firewall-tui.
[Trusted interfaces]: all traffic arriving on a trusted [interface] is accepted. Use it only for the internal LAN [interface], never for the interface facing the Internet or for a [wireless device] such as wlan0 or ath0. Wired interfaces are eth0, eth1, ...; a [device file] name that is not listed can be typed in with add. Marking an interface trusted and pressing Ok is equivalent to an [iptables] rule such as:
# iptables -A INPUT -i eth0 -j ACCEPT
[Masquerading (NAT)]: select the external interface to masquerade; the tool writes the nat rules to /etc/sysconfig/iptables.
[Port forwarding]: forward a port of the external interface to an internal host (requires masquerading).
[Custom rules]: a file with extra iptables rules that the tool includes as they are.
-2 lokkit: the command-line version of the same tool (gnome-lokkit is the GUI). It can also set the SELinux mode and policy type:
# lokkit --selinux={enforcing | permissive | disabled}
# lokkit --selinuxtype={targeted | strict}
# lokkit --enabled    : enable the firewall
# lokkit --disabled   : disable the firewall
lokkit --help lists the remaining options.
Both tools overwrite /etc/sysconfig/iptables; hand-written iptables rules must be kept in the custom rules file or they are lost the next time the tool is run.
THE EXTENDED INTERNET SUPER-SERVER (XINETD)
Network services are started in two ways:
- standalone daemons, started by the init scripts in [/etc/rc.d/rc?.d] (managed with service and chkconfig);
- on demand by [xinetd], configured in [/etc/xinetd.conf] with one file per service in [/etc/xinetd.d/] (xinetd replaced the older inetd).
RPC services (NIS, NFS) register with the portmapper; list them with:
# rpcinfo -p host
Port numbers are listed in [/etc/services], protocol numbers in [/etc/protocols] and RPC program numbers in [/etc/rpc]; see also
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Every file in [/etc/xinetd.d/] has a disable = {yes | no} line; the defaults in [/etc/xinetd.conf] also limit the number of connections per source and the connection rate, which helps against DoS and DDoS.
Services to avoid, or to replace: FTP (clear-text passwords), telnet (clear-text login), the r-services (rsh, rcp, rlogin, rexec: trust by host name), finger and rwhod (information disclosure). OpenSSH (ssh, scp, sftp) replaces telnet, rlogin, rsh and FTP with encrypted equivalents; disable the old services in rc?.d or xinetd.d.
Services typically run from xinetd:
telnet (only where legacy clients require it)
ssh (normally standalone, but it can be started from xinetd)
rsync - which is popular for backups
cvs - popular for software development version control
gssftp - Kerberos-secured FTP service
The per-service parameters (server, user, socket_type, wait, disable, access limits) are set in the service's file under xinetd.d.

TCP WRAPPERS
[TCP wrappers] decide, per service, which hosts may connect. [xinetd] checks them for every service it starts; [static] standalone daemons that are linked with [libwrap.so.0] (sshd, vsftpd, portmap, ...) check them themselves, [dynamic]ally at connection time. To find out whether a daemon in /bin or /sbin uses them, look for the hosts_access symbol:
# strings /usr/sbin/sshd | grep hosts_access
The access rules are in [/etc/hosts.allow] and [/etc/hosts.deny]. hosts.allow is checked first and the first matching line grants access; then hosts.deny, where the first matching line refuses it; with no match at all the connection is allowed. Each line is daemon_list : client_list [: option]. Wildcards: ALL, LOCAL (host names without a dot), and the EXCEPT operator, which removes the list after it from the list before it.
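An evaluator for hosts.allow/hosts.deny, as an added example (not part of the original guide). The two files are constructed; the evaluator implements the order described above (allow first, then deny, default allow), the ALL and LOCAL wildcards, domain-suffix and address-prefix patterns, net/mask patterns, and the EXCEPT operator.

```python
import ipaddress

# Constructed access files.  hosts.allow is consulted first (first match grants),
# then hosts.deny (first match refuses); no match at all means allow.
HOSTS_ALLOW = """\
# daemon_list : client_list
sshd, vsftpd : 192.168.0. , .example.com
ALL : LOCAL
in.telnetd : ALL EXCEPT 10.0.0.0/255.0.0.0
"""
HOSTS_DENY = """\
ALL : ALL
"""


def _tokens(text):
    return [t for t in text.replace(",", " ").split() if t]


def _parse(rules_text):
    rules = []
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]   # daemon_list : client_list [: option]
        rules.append((parts[0], parts[1]))
    return rules


def _match_list(spec, value, match_one):
    """'list_1 EXCEPT list_2' matches when value is in list_1 and not in list_2;
    EXCEPT nests to the right, as in hosts_access(5)."""
    left, sep, right = spec.partition(" EXCEPT ")
    matched = any(match_one(p, value) for p in _tokens(left))
    if sep and matched:
        matched = not _match_list(right, value, match_one)
    return matched


def _match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _match_client(pattern, client):
    hostname, ip = client
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # a name without a dot: same local domain
        return "." not in hostname
    if pattern.startswith("."):                 # domain suffix
        return hostname.endswith(pattern)
    if pattern.endswith("."):                   # address prefix, e.g. 192.168.0.
        return ip.startswith(pattern)
    if "/" in pattern:                          # net/mask
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (hostname, ip)            # exact host name or address


def hosts_access(daemon, hostname, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True when tcp wrappers would accept the connection."""
    client = (hostname, ip)
    for daemons, clients in _parse(allow_text):
        if _match_list(daemons, daemon, _match_daemon) and _match_list(clients, client, _match_client):
            return True
    for daemons, clients in _parse(deny_text):
        if _match_list(daemons, daemon, _match_daemon) and _match_list(clients, client, _match_client):
            return False
    return True


if __name__ == "__main__":
    for args in [("sshd", "pc5.lan", "192.168.0.5"), ("sshd", "evil.attacker.net", "203.0.113.9"),
                 ("in.telnetd", "x.corp", "10.1.2.3"), ("httpd", "localbox", "198.51.100.8")]:
        print(args, "->", "allow" if hosts_access(*args) else "deny")
```

The last assertion in the test shows the point of the `ALL : ALL` line in hosts.deny: with an empty hosts.deny every connection that matches nothing is accepted, so a host that forgets that line is open to everything not explicitly named. Host names in patterns are only as trustworthy as the reverse DNS that produced them; the address forms are the ones to rely on.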
PAM

PLUGGABLE AUTHENTICATION MODULES (PAM)
PAM separates applications from the authentication methods. Each application (service) has a [configuration file] in /etc/pam.d/ named after it, with lines of the form:
module-type   control-flag   module-path   [arguments]
PAM reads the file and runs the modules in order.
1. Module-type:
[auth] Authentication management: verifies the user, usually by password, and grants credentials.
[account] Account management: decides whether the account may use the [service] now (expiry, time of day, origin host).
[password] Password management: changes the [authentication] token (the password).
[session] Session management: tasks done before and after the session:
Mounting/unmounting the home directory.
Login/logout accounting.
Restricting/unrestricting resources.
Example: [/etc/pam.d/login].
2. Control-flag: how the result of the module affects the result of the whole [authentication] stack:
[required]: the module must succeed. On failure the stack continues with the remaining modules, so the user cannot tell which module failed, but the final result is failure. (Proceeds if passed; continues even on fail)
[requisite]: the module must succeed; on failure the stack stops immediately and returns failure. (Stops on failure)
[sufficient]: success ends the stack with success, provided no earlier required module failed; a failure is ignored. (Requires no other verification if true)
[optional]: the result is ignored unless it is the only module of its type. (Ignores success or failure)
[include]: includes all module-type directives of the same type from another file. (Includes all module-type directives from another file)
3. Module-path: the PAM [module] (.so) in /lib/security (or /lib64/security).
4. Arguments: options passed to the module (for example nullok, try_first_pass).
The older form @include service does the same as include.
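A simulation of the four control flags, as an added example (not part of the original guide). The stacks are constructed after the /etc/pam.d/reboot and system-auth files discussed in this chapter, with the module outcomes supplied as a dictionary so that the effect of required, requisite, sufficient and include can be observed: which modules are consulted and what the stack returns.

```python
# Constructed stacks modelled on /etc/pam.d/reboot, system-auth and login.
SERVICES = {
    "reboot": [
        ("auth", "sufficient", "pam_rootok.so"),
        ("auth", "required", "pam_console.so"),
        ("account", "required", "pam_permit.so"),
    ],
    "system-auth": [
        ("auth", "required", "pam_env.so"),
        ("auth", "sufficient", "pam_fprintd.so"),
        ("auth", "sufficient", "pam_unix.so"),
        ("auth", "requisite", "pam_succeed_if.so"),
        ("auth", "required", "pam_deny.so"),
        ("account", "required", "pam_unix.so"),
    ],
    "login": [
        ("auth", "required", "pam_securetty.so"),
        ("auth", "include", "system-auth"),
        ("account", "include", "system-auth"),
    ],
}


def stack_for(service, mtype, services=SERVICES):
    """The (control, module) lines of one module type, with include resolved."""
    lines = []
    for t, control, module in services[service]:
        if t != mtype:
            continue
        if control == "include":
            lines.extend(stack_for(module, mtype, services))
        else:
            lines.append((control, module))
    return lines


def run_stack(service, mtype, results, services=SERVICES):
    """Evaluate a stack.  `results` maps module name -> True/False (constructed
    outcomes; a module not listed fails).  Returns (result, modules consulted)."""
    consulted, failed = [], False
    for control, module in stack_for(service, mtype, services):
        ok = results.get(module, False)
        consulted.append(module)
        if control == "required":
            failed = failed or not ok      # remember the failure but keep going
        elif control == "requisite":
            if not ok:
                return False, consulted     # stop at once
        elif control == "sufficient":
            if ok and not failed:
                return True, consulted      # nothing further is needed
        # optional: ignored here (it only counts when it is the sole module of its type)
    return not failed, consulted


if __name__ == "__main__":
    print(run_stack("reboot", "auth", {"pam_rootok.so": True}))
    print(run_stack("login", "auth", {"pam_securetty.so": True, "pam_env.so": True,
                                      "pam_unix.so": True, "pam_succeed_if.so": True}))
```

Two things the runs make visible: root reaches pam_rootok.so and never touches pam_console.so, and a failed required pam_securetty.so (root on a terminal not in /etc/securetty) lets the stack run to pam_deny.so and still fail, even though pam_unix.so accepted the password.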
How an application uses PAM
The application asks PAM to authenticate the user; PAM reads the application's configuration file and runs the listed modules in order; the application itself never sees the authentication method, so the method can be changed by editing the configuration file alone.
Example: [/etc/pam.d/reboot]
auth      sufficient   pam_rootok.so
auth      required     pam_console.so
#auth     include      system-auth
account   required     pam_permit.so
- [pam_rootok.so] returns [true] when the caller is already root; with the control flag [sufficient] root may [reboot] without any further check.
- [pam_console.so] is [required]: it succeeds when the user is logged in at the physical [console], so a console user may reboot too.
- The commented line [#auth include system-auth] would include the system-wide password check and let any [remote user] with a valid password reboot; it is commented out so that only root and console users can.
- [pam_permit.so] in the account stack always succeeds: [root, local, remote] callers that passed auth are allowed to reboot.

[/etc/pam.d/system-auth]
The common configuration that [login] and most other services include, so that the [PAM] set-up is maintained in one place.
auth section (authentication):
- [pam_env.so] sets environment variables; [control_flag] [required], but it never fails.
- [pam_fprintd.so] authenticates with a fingerprint reader; [control_flag] [sufficient], so a recognised fingerprint is enough.
- [pam_unix.so] checks the password against /etc/shadow; [control_flag] [sufficient], so a correct password is enough.
- [pam_succeed_if.so] with [control_flag] [requisite] and the condition uid >= 500: the stack stops here for system accounts (uid below 500), which must not log in interactively.
- [pam_deny.so] always fails; it is reached only when every method above failed, and guarantees the stack ends in denial.
[/etc/pam.d/login] additionally uses pam_nologin.so: when /etc/nologin exists, only root may log in.
account section:
- [pam_unix.so] (from [/lib/security]) checks password expiry; [pam_localuser.so] succeeds for users listed in [/etc/passwd]; [pam_succeed_if.so] passes system accounts (UID below 500); [pam_permit.so] closes the stack with success.
password section (changing the password):
- pam_cracklib.so checks the strength of the new password ([try_first_pass] reuses the password already typed; retry=3 allows three attempts).
- [pam_unix.so] stores the new password as a SHA512 hash in the [shadow password] file; [try_first_pass] and [use_authtok] make it take the password already validated by cracklib instead of asking again.
- [pam_deny.so] fails when neither module stored the password.
session section:
- [/etc/pam.d/login] adds [pam_limits.so], which applies the limits of [/etc/security/limits.conf] to the new session.
64
:
PAM ] [pam_listfile.so :
:pam_mkhomedir-1
mkhomedir .
)(central authentication .
) NIS( .LDAP
HOME . mkhomedir HOME
. .session
:
:pam_mount-2
mount unmount
mount
home /etc/fstab .
) (.
) (.
unmount .
) (local file system mount
mount )(volumes mount
. ].[SMB/CIFS, FUSE, dm-crypt and LUKS
pam_mount
.
swap ) cryptoswap ( . .
) (authentication session :
RHCSA/RHCE Egypt
65
gid
user uid shell home .service
.(authentication account password session) PAM
uid 1000
.
pam_nologin-4
. /etc/nologin
. pam_nologin .authentication module
/etc/nologin .
) .(touch
pam_wheel-5
wheel ) ( . uid
)( .su pam_wheel su
wheel . pam_wheel
. wheel
PAM
PAM su
su wheel
pam_access-6
pam_access .pam_succeed_if pam_access
pam_succeed_if
/etc/security/access.conf:
+: petromod: pamela
-: ALL: ALL
petromod
pamela . .
+ access .deny
TCP wrapper ] [: +-
) (hostname IP .
pam_deny-7
pam_deny .
. pam_deny
) (authentication:
password .
session .session
Modules Related to Back-End Storage
PAM .
pam_unix-8
.PAM
/etc/passwd /etc/shadow .
pam_unix2 NIS/NIS+
. .pam_unix
auth: gets hashed password from NSS and compares it to hash of entered password
account: checks for password expiration
password: handles password changes to local files or NIS
session: records login and logout to logs
Options: debug, use_first_pass, try_first_pass
Central password management:
pam_krb5.so (Kerberos V tickets)
pam_ldap.so (LDAP binds)
pam_smb_auth.so (old SMB authentication)
pam_winbind.so (SMB through winbindd, for Microsoft)
auth modules:
pam_securetty.so: fails if logging in as root from a terminal not in /etc/securetty
pam_listfile.so: checks a characteristic of the authentication against a list in a file; a list of accounts can be allowed or denied
Password policy:
Password history: pam_unix.so with remember=N argument
Password strength: pam_cracklib.so, pam_passwdqc.so
Failed login monitoring: pam_tally.so
session modules:
pam_limits.so: enforces resource limits; uses /etc/security/limits.conf
pam_console.so: sets permissions on local devices for console users; can be used as an auth module as well
pam_selinux.so: helps set SELinux context
"apple passwd
The user's password (plaintext) is "apple".
passwd adds the salt "f8", giving the salted password "f8apple".
The result is an 11-character cyphertext: "aHBT9lIoaZc".
passwd stores the salt ("F8") followed by the 11-character cyphertext ("aHBT9lIoaZc") in /etc/passwd.
Password Management
shadow password cyphertext
MD5 .
DES: 56-bit key (8 ASCII characters × 7 bits = 56 bits).
[MD5 password] MD5
system-config-authentication md5 password
shadow password
cyphertext ./etc/shadow
MD5 ("$")
-h
openssl passwd
MD5 (apple)
salt :
SECURE FILES AND MORE
Ownership and permission (root user)
] [/etc/shadow
] [elvis ] [disk
] [grep man page :
]) : [(Archived Information .
]) : [(Discarded Information
]) : [(Used Flash Drives for Sale
12 Schneier on Security - . 2006 10 2006
] [plaintext .
]) [(terminal .
][swap partition .
Encryption Schemes
Encryption Algorithms
]) [(interrupts ] ([pool
] [Entropy pool . ] [entropy
) (virtual device node ][/dev/random
] [entropy pool .
] [hexdump ] [binary ].[hexadecimal
] [entropy pool
] [/dev/random ]) [(interrupts .
] [entropy pool
. ] [/dev/urandom
] [entropy pool ) ( .
. ] [/dev/urandom .
The openssl library and openssl rand
] [openssl ] RPM [openssl . ] [openssl
] [openssl .
] [openssl ] [interactive shell:
] [-base64 .
] [binary .
Symmetric Encryption
] [finger print :
md5
md5
][One way hashes
1- Symmetric encryption
2- Asymmetric encryption
SYMMETRIC ENCRYPTION
] [DES
] [Triple DES ] [DES 2001
AES (Advanced Encryption Standard).
: ] [openssl ] [BLOWFISH ][bf
] [/symmetric_encrypt ] [passphrase ] .[janateba
] [-base64:
] [ciphertext ] [-d ) (
] [passphrase:
] [passphrase .
] [passphrase .
]) [(Symmetric Encryption
. ]) [(Symmetric Encryption
(kerberos).
) (session key
(session key)
] [openssl ][Symmetric Encryption
] [OpenSSL ]) [(Symmetric Encryption ][man
] .[enc ]) [(Symmetric Encryption
].[openssl help
] [gpg ] [-c
] [-d ][openssl:
] [passphrase
] [symmetric_encrypt.gpg .
] [-d:
] [symmetric_encrypt.gpg ] [cat
] [gpg-d ] [passphrase .
] [-o :
ASYMMETRIC ("PUBLIC KEY") ENCRYPTION
public-key encryption
public-key / private-key
] [public key encryption .
RSA (Rivest, Shamir and Adleman)
Pretty Good Privacy (PGP):
Phil Zimmermann
FPI
][PGP ][GNU ]) [GNU Privacy Guard (GPG
][GNUPG RHEL 6 2 GPG ].[GPG2
][gpg
] [Alice ] [Bob
] [Gnu Privacy Guard ]).[(Public key
] [Alice ] [gpg /]). [(public/private key pairs
] [Alice ][gpg
] [ID .
] [User ID ] [gpg ] [UID ].[authentication
] [O :
] [Passphrase
] [passphrase . ] [passphrase " " "
" . ] [passphrase :
] [Alice
].[entropy
gpg --list-keys / gpg --list-secret-keys:
gpg --export
gpg --export-secret-key
] [Alice ] [keyring ] [gpg .
id
][bob
] [pub public key ID ] [sec secret key ID
gpg --delete-keys key_id
gpg --delete-secret-keys key_id
] [key-id
Gnupg
[Br4v3-H34r7@iSecur1ty ~]$ gpg --send-keys XXXXXXXX --keyserver keys.gnupg.net
XXXXXXXX: the KEY-ID
[Br4v3-H34r7@iSecur1ty ~]$ gpg --recv-keys XXXXXXXX
[Br4v3-H34r7@iSecur1ty ~]$ gpg --search-keys USER/EMAIL
USER/EMAIL :
[Br4v3-H34r7@iSecur1ty ~]$ gpg --search-keys Br4v3-H34r7
1 Enter N
Q.
] [~/.gnupg ][pubring.gpg
] [secring.gpg .
Public Key Protocols I: Encryption (without Key Synchronization)
GNU Privacy Guard.
] [Bob ].[alice
][Bob] [alice .
] [S ][Alice
] [P ][Alice
]] [P [M ][P
] [M
] [Bob ] [M
] [Alice
] [Bob ] [Alice
][P .
] [Alice ] [P ][Bob
] [Bob ] [P
] [Alice ].[keyring
] [Bob ] [P
] [Alice ].[M
] [cipher text
].(P[M]) [Alice
] [Alice ] [S
] [P[M]] [cipher text
] [Alice
(S [P [M]] --> M).
: ] [Alice .
. ] [Alice
. ] [Alice ] [Bob ][Alice
] [cyphertext ] [Alice.
] [Bob ] [Alice ] [accounts ] [Bob
] [Alice .
] [Alice ] [Bob:
] [accounts.asc ] [.asc
] [--out|-o .
] [Bob ] [ciphertext ] [base64 :
] [Alice .
Alice: gpg --decrypt|-d :
] [--out|-o:
] [Alice ] .[Bob ][Bob
] [Alice ] [Bob .
] [Bob ].[Alice
] [Alice
] [P & S ][M
] [Bob ] [Bob ] [P
].[Alice
] [--sign|-s
] [new_accounts.asc ] [Alice:
] [--verify .
] [Bob ] [Alice
] [Alice ] [--decrypt|-d:
][signing ) (M;
] [Alice
] [One Way Hash)] (H [M
] [HASH .
] (M, S[H[M]]) [HASH
].[Bob
] [Bob .
] [Bob ] [One Way Hash
][P ] [Alice
].[HASH
(P[S[H[M]]] --> H[M]).
] [HASH
] [HASH
: ] [Bob . ] [Bob ] [Alice .
] [Alice .
] [Bob . ] [Bob ] [Alice
] [Alice ][digital signature
] [Alice .
] [Alice ] .[new_accounts ] [Bob
] [Bob ] [Pm
] [Alice ] [Mallory
][Sm
] [Mallory
] [Alice ][Pa
] [Alice ] [Alice ][Bob
] [Mallory
Man-in-the-middle attacks
] [certificate-based systems SSL) HTTPS .(HTTP
].[X509 digital certificates
X509 DIGITAL CERTIFICATES AND PUBLIC KEY INFRASTRUCTURE
] [Makefile ]. [.crt .
] [openssl :
] [passphrase
janateba.key
janateba.crt janateba.key
: ][.pem ] [makejanateba.pem
][makefile ] [janateba.pem ][janateba.key] + [janateba.crt
] [makefile ] [self-signed certificate
] .[CA .
]) [(certificate signing request ] .[csr
].[APACHE
] [certificate authority
. CA ] [csr
] [make ] .[csr ] [csr
: " " challenge password ] [CA ][csr
. ].[self-signed certificate
] [csr] [self-signed certificate ] [openssl ][req
] [openssl ].[x509
Remote access
. SSH VNC
. Telnet
POP SMTP IMAP
] [authentication .
SSH (secure shell)
. SSH /
/ .
SSH X11
sftp .scp
SSH
. SSH
Telnet SSH . / .
rpm -qa | grep -i ssh
SSH tcp 22 SSH
SSH . Mac OS X
SolarisGNU/Linux .OpenVMS
) (SSH ][openssh-server, openssh-clients, openssh
] [SSH client [ssh, scp, sftp]:
SSH ] [sshd TCP ][22
][/etc/ssh
OpenSSH OpenSSL
SSH
sshd: the SSH daemon (service sshd start)
ssh-agent: key-based authentication
ssh-add:
ssh: SSH (Telnet replacement)
ssh-keygen:
ssh-copy-id:
Key-based authentication
:
stationX stationY
stationX .stationY
]).[(authentication
] [gpg ] [passphrase
].[SSH
] [gpg ] [passphrase
. ] [passphrase ] [passphrase
]): [(key-based authentication
-1 ] [ssh key pair SSH
-2 ] [~/.ssh/authorized_keys
] [ssh key pair ] .[ssh-keygen ] [-t
RSA DSA . .RSA
/root/.ssh/id_rsa
passphrase
# ssh-keygen -p -f ~/.ssh/id_rsa
].[.pub
Fingerprint ] [one way hash
# ssh-keygen -l -f ~/.ssh/id_rsa
RSA: 2048 bit, DSA: 1024 bit
-b size
gpg fingerprint: gpg --fingerprint key_id
SSH ] [scp.
:
authorized_keys .
sshd ] [key-based authentication !
SSH ] [~/.ssh
.700 SSH .
# ssh root@172.168.1.1
# ssh -l login 172.168.16.1
-l / @: the login user and the IP
] [ssh-agent] . [passphrase ] [passphrase
. passphrase
] [agent passphrase
] [ssh agent ] [ssh-add
] [~/.ssh/id_rsa ] [~/.ssh/id_dsa ][ssh-agent
] [ssh-agent ].[ssh-agent
] [ssh-add
eval $(ssh-agent -s)
ssh-add
ssh-add -D: removes all identities from ssh-agent
][logout
ssh
places connect to server ssh :
:
# ssh hostname
# ssh user@hostname
# ssh hostname remote-command
SSH
1- moduli:
Diffie-Hellman key exchange (D-H)
ssh
2- ssh_config: SSH client configuration (also ~/.ssh/config).
3- sshd_config: SSH server configuration.
4- ssh_host_dsa_key: host private key, dsa.
5- ssh_host_dsa_key.pub: host public key, dsa.
6- ssh_host_key: ssh protocol 1 host key.
7- ssh_host_key.pub: ssh protocol 1 host public key.
8- ssh_host_rsa_key: host private key, rsa.
9- ssh_host_rsa_key.pub: host public key, rsa.
~/.ssh/ (per user):
1- authorized_keys: public keys allowed to log in.
2- id_dsa_key: dsa private key.
3- id_dsa_key.pub: dsa public key.
4- id_rsa_key: rsa private key.
5- id_rsa_key.pub: rsa public key.
6- known_hosts: rsa host keys of known servers.
SSH
SSH: /etc/ssh/ssh_config
] [SSH
] [~/.ssh/config
] [/etc/ssh/ssh_config
] [~/.ssh/config
. ] [/etc/ssh/sshd_config .
SSH stationY 2022 stationZ
joe :
] [Host ] [Host .
][wild cards .
] [*.example.com example.com
]* [Host .
/etc/ssh/ssh_config:
] [User
SSH :
] [User joe ] [stationz.example.com ssh :
# ssh joe@stationZ.example.com
# ssh stationZ.example.com
] [Host
/etc/ssh/sshd_config
] [Port 22 .
-p: ssh -p 2022 root@stationY.example.com
] [ssh_config ].[sshd_config
AddressFamily any: IPv4 and IPv6; inet (IPv4 only); inet6 (IPv6 only). In ssh_config and sshd_config.
ListenAddress 0.0.0.0 / ListenAddress :: : listen on all IPv4 / IPv6 addresses.
] [Protocol 2 2 .
] [ssh_config ].[sshd_config
] [PermitRootLogin SSH
] [PubkeyAuthentication ] [key-based authentication .
] [ssh_config ].[sshd_config
] [PasswordAuthentication ] [password-based authentication
. ] [ssh_config ].[sshd_config
] [UsePAM ] [PAM .
] [ssh-agent ] [/etc/ssh/ssh_config ][/etc/ssh/sshd_config
AllowAgentForwarding yes: key (agent) forwarding
AllowTCPForwarding yes: tcp forwarding
GatewayPorts no
X11Forwarding yes
USER-BASED SECURITY FOR SSH
SSH . SSH user-based security
DenyUsers AllowUsers DenyGroups AllowGroups
Ex. AllowUsers user01 user02
.SSH SSH.
-f key_name
SSH
iptables:
# iptables -A INPUT -p tcp -s 172.168.1.1 --dport 22 -j ACCEPT
172.168.1.1]] IP ssh .
xinetd:
# vim /etc/hosts.allow
sshd: 172.168.1.1
# vim /etc/hosts.deny
sshd: ALL
IP 172.168.1.1
. ) spoof IP (.
# vim /etc/ssh/sshd_config
ListenAddress 172.168.1.1
PermitRootLogin no
Protocol 2
AllowUsers user1 user2
AllowGroups admins
Port 2022
172.168.1.1 . IP
IP .
root root
root.
SSH-2SSH-1.
user1 user2 .
admins .
:
# `which sshd` -t
X SSH
remotely ... rdesktop vnc rlogin telnet ssh ...
rdesktop vnc
: SSH Tunneling ... SSH
... :
# ssh -X user@domain.com
domain.com user ...
X X Forwarding ...
gedit &
gedit
# ssh -X user@IP-Address
IP Address ...
# gcalctool &
gcalctool ...
SSH TCP
# ssh username@hostname -L local-port:remote-hostname:remote-port
] [-L ] [Local Forward
# ssh -L 2000:yahoo.com:110 binary@example.com
2000
ssh / .
/ .SSH
LocalForward
] [ssh_config :
: stationY stationZ
] [Local Forward . stationY stationY:
# ssh user01@172.168.1.2 -L 1234:172.168.1.2:22
stationY stationY stationZ
SSH stationY stationZ
VNC SERVERS
. SSH : VNC
VNC .
VNC VNC-SERVER:
# yum -y install tigervnc
tigervnc-client, tigervnc-server
vnc [vino].
tigervnc-server:
VNC .
-geometry: defines the size of the viewer when the client connects
-nolisten tcp: denies TCP connections to the VNC server
-nohttpd: denies web (http) VNC clients from connecting
-localhost: forces the use of a secure gateway (port forwarding)
VNC uses port 5900 + the session number (session :2 = port 5902).
vncpasswd; :session_number selects the session
session .
VNC-server vncserver:
VNC
VNC.
vncserver -kill :1
vncviewer serverIP:port
APACHE SERVER
Robert McCool
NCSA Httpd 1994 HTTPD
Brian Behlendorf
Roy T. Fielding Rob Hartill David Robinson Cliff Skolnick Randy Terbush Robert S. Thau
Andrew Wilson Eric Hagberg Frank Peters. Nicolas Pioch
Apache Portable Runtime
IPv6 2002.
Tcl PHP mod_access mod_auth mod_digest
SSL TLS ] [http://www.apache.org
) ( mod_rewrite ) (mod_log_config
] mod_include. [mod_ext_filter
mod_gzi
AWStats / W3Perl Visitors
LAMP
/ MySQL PHP .
Web Sphere
Mac OS X WebObjects .
IIS Sun Java System Web Server
Zeus Web Server ) nginx ( .Cherokee
) (GWS
http://www.netcraft.com:
. HTTP
HTTP HTTPS.
National Center for Supercomputing Applications (NCSA).
(www.apache.org).
HTML .
VIRTUAL HOST
. ] .[PHP Python Perl Java and other
][authentication user & password kerberos ldap oracle MySQL Microsoft sql postar sql
http 80 https 443
http://httpd.apache.org/docs/2.2/new_features_2_2.html
http://httpd.apache.org/ABOUT_APACHE.html
http://en.wikipedia.org/wiki/Comparison_of_web_servers
Apache Tomcat JSP Java Servlet
Apache HTTP Server, Java Server Faces (JSF)
50.
# yum -y install httpd
# yum -y groupinstall web-server
or
# yum groupinstall "Web Server"
-1 :
#service httpd start
#chkconfig httpd on
-2 :
#apachectl stop
#apachectl start
#apachectl graceful
] [http://localhost
] [/etc/httpd/conf.d/welcome.conf
][/var/www/error/noindex.html
][httpd
elinks: yum install elinks
localhost :
][HTTPD
].[/etc/httpd/
httpd.conf ] [/etc/httpd/conf/
] [/etc/httpd/conf.d/ ] [.conf ].[ssl.conf
][httpd
httpd.conf
] [/etc/httpd/conf/
].[vim
1- global environment
2- main server
3- virtual host
directories files modules "" containers
] [containers
Directional brackets (< >):
<Directory "/var/www/icons">
<Files ~ "^\.ht">
<IfModule mod_mime_magic.c>
Containers are closed with a forward slash (/):
</Directory>
</Files>
</IfModule>
:global environment
] [page not found
ServerTokens
ServerTokens Minor
Server sends (e.g.): Server: Apache/2.0
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/2.0.41
ServerTokens OS
Server sends (e.g.): Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2
ServerTokens:
ServerRoot:
pid run/httpd.pid
/etc/httpd ][/etc/httpd/run/httpd.pid
timeout .
persistent connection request
] [one connection .Internet Download Manger
KeepAlive On request
persistent connection
MPM
preforkworker
Prefork MPM module
] [prefork.c :
1- StartServers 8: the main pid forks 8 child server processes (main pid + 8 forked = 9 pids); the pool is then kept between MinSpareServers and MaxSpareServers.
2- MinSpareServers 5: minimum number of idle child pids; below that more are forked.
3- MaxSpareServers 20: maximum number of idle child pids; above 20 the extra ones are killed.
4- ServerLimit 256: upper bound for MaxClients.
5- MaxClients 256: maximum simultaneous client connections (download / upload / browsing).
6- MaxRequestsPerChild 4000: requests a child pid serves before it exits and a new one is forked.
prefork mpm pid ].[multi-process
Worker MPM module
modules
] [# .
] [auth_basic_module .authentication ldap_module
.ldap
html server-status
server-status
][http://192.168.16.1/server-status
apache
:main server
main server :
IP DNS hosts
URL ] [self-referential URLs URL
. UseCanonicalName On
ServerName . .URL
UseCanonicalName off URL
.www http://www/splat
.http://www.example.com/splat on off
.http://www/splat
.html
. website html image
soft link symbolic link .
] [/ ].[/etc/httpd/
] [Options :
ExecCGI FollowSymLinks Includes Indexes MultiViews SymLinksIfOwnerMatch
FollowSymLinks softlink symbolic link .
html
] [.htaccess options
accounted . .
mp3
off . .log
APACHE LOG FILE
] [/etc/httpd/logs/
].[/var/log/httpd/
log access_logerror_log
)(virtual host
webalizer .
-1 ][firewall iptables .
-2 hosts .
-3 .
selinux-4
Ports and Firewalls
Listen .NameVirtualHost directives
HTTP HTTPS 80.443
ports iptables .system-config-firewall
# iptables -I INPUT 5 -p tcp -m tcp --dport 80 -j ACCEPT
:Selinux
Security Context
.selinux
Security Context: ls -Z
BOOLEANs (httpd):
The SELinux policy booleans (e.g. for CGI) are listed under /selinux/booleans/.
httpd_can_network_relay: Allow httpd to act as a relay.
httpd_can_network_connect_db: Allow httpd scripts and modules to connect to databases over the network.
httpd_use_gpg: Allow httpd to run gpg in the gpg-web domain.
httpd_enable_cgi: Allow httpd CGI support.
httpd_use_cifs: Allow httpd to access CIFS file systems.
allow_httpd_mod_auth_pam: Allow Apache to use mod_auth_pam.
allow_httpd_anon_write: Allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_rw_content_t.
httpd_enable_homedirs: Allow httpd to read home directories.
allow_httpd_sys_script_anon_write: Allow Apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
httpd_dbus_avahi: Allow Apache to communicate with the avahi service via dbus.
httpd_unified: Unify httpd handling of all content files.
httpd_can_network_connect: Allow httpd scripts and modules to connect to the network using TCP.
allow_httpd_mod_auth_ntlm_winbind: Allow Apache to use mod_auth_pam.
httpd_tty_comm: Unify httpd to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal (console).
httpd_read_user_content: Allow httpd to read user content.
httpd_use_nfs: Allow httpd to access NFS file systems.
httpd_tmp_exec: Allow Apache to execute tmp content.
httpd_execmem: Allow httpd scripts and modules execmem/execstack.
httpd_can_sendmail: Allow http daemon to send mail.
httpd_builtin_scripting: Allow httpd to use built in scripting (usually PHP).
httpd_can_check_spam: Allow the http daemon to check spam.
httpd_can_network_connect_cobbler: Allow httpd scripts and modules to connect to cobbler over the network.
httpd_ssi_exec: Allow httpd to run SSI (Server Side Include) executables in the same domain as system CGI scripts.
httpd_enable_ftp_server: Allow httpd to act as an FTP server by listening on the FTP port.
httpd_setrlimit: Allow the httpd daemon to change system limits.
:Module Management
LoadModule
64 bit:
/usr/lib64/httpd/modules
32 bit:
/usr/lib/httpd/modules
SECURITY WITHIN APACHE
httpd.conf .
ServerTokens OS
ServerTokens Full
PHP .
Server root :
FollowSymLinks ] [symbolic link . AllowOverride
] .[.htaccess ] [.htaccess
.DocumentRoot
AllowOverride All|None|directive-type [directive-type]...
] [.htaccess /var/www/html/data/ AllowOverride
<Directory>:
/var/www/html DocumentRoot
Indexes
index.html .DocumentRoot
Order allow .
Listen IP TCP/IP port .
IP TCP / IP 80
IP IP
. IP
Listen 192.168.122.0:80
HTTPS Listen ssl.conf /etc/httpd/conf.d/
port 443:
Listen 443
Host-Based Security
Order allow deny .IP
] [Order deny,allow deny.
deny allow IP
Deny from www.janateba.com
: IP DNS .
User-Based Security
] [user-based security
<Directory>
/var/www/html/test
AuthType Basic
] .[authentication basic user-based security
AuthName some comment
AuthUserFile /etc/httpd/testpass
/etc/httpd/testpass
Require user engineer1
.engineer1
AuthGroupFile /etc/httpd/webgroups
/etc/httpd/webgroups
/etc/httpd/webgroups
AuthGroupFile :
Require group Design
AllowOverride AuthConfig
-1 AllowOverride :
AllowOverride All|None|directive-type [directive-type] ...
Directive-type :
AuthConfig
FileInfo
directory document
Indexes
Index
Limit
Order allow deny
Options
-2 AuthType :
AuthType Basic|Digest
Basic auth_basic_module
Digest auth_digest_module
.MD5
. drafter1 :
# htpasswd -c /etc/httpd/webpass drafter1
.
engineer1 drafter1 drafter1
/etc/httpd/grouppass:
Design: engineer1 drafter1
Virtual Hosts
jana )(executable
701 :
# chmod 701 /home/jana
public_html
:705
# chmod 705 /home/jana/public_html
Index.html .
SELinux ] SELinux [.
virtual host .
VIRTUAL HOSTS
2.2 IP .
virtual host .
virtual host /etc/httpd/conf/httpd.conf
www.example.com www.ist192.net IP
HTTPS virtual hosts
/etc/httpd/conf.d/ssl.conf
) (main directive .
virtual host IP.
virtual host
1- <VirtualHost *:80>
)*( IP 80 / :
<VirtualHost 192.168.30.2:80>
2- ServerAdmin
[ServerAdmin janateba@gmail.com]:
3- DocumentRoot
index.html
DocumentRoot /var/www/html/index.html
4- ServerName
DNS HOST:
ServerName www.janateba.com
5- ErrorLog and CustomLog
log .ServerRoot ServerRoot virtual host
/etc/httpd/logs /var/logs/httpd
HTTPS ssl.conf
/etc/httpd/conf.d
mod_ssl: yum install mod_ssl
ssl.conf mod_ssl :
LoadModule ssl_module modules/mod_ssl.so
Listen 443
VirtualHost NameVirtualHost
VirtualHost :
NameVirtualHost *:443
VirtualHost ssl.conf:
ServerNameDocumentRoot
ServerAdmin:
] [extension .
CGI :SSL
] [Internet Explorer:
SSL
SSL (Secure Sockets Layer)
. .HTTPS
SSL :
1. Confidentiality
2. Integrity
3. Authentication.
ssl :
ssl
ssl ssl.conf .
] [local certificate
Certificate Authority (CA)
VeriSign, Thawte, or GoDaddy
/etc/pki/tls/private
/etc/pki/tls/certs Next :
Next
self-signed certificate :
CA
No :
Next :
passphrase Next :
Next
:
CA HTTPS :
openssl:
CSR
server2.key.csr
self-certificate:
) (interpreted script ) ( C
(Unix AWK and SED commands) PERL
(Practical Extraction and Report Language).
)(PERL Interpreter . HTTP
NT .
++C
CGI ) (compiled code
CGI :
LoadModule cgi_module
ScriptAlias CGI .
(Alias) ln -s
ScriptAlias
ScriptAlias /cgi-bin/ "/var/www/cgi-bin"
<Directory /var/www/cgi-bin>
AllowOverride None
Options ExecCGI
AddHandler cgi-script .pl .cgi
Order allow,deny
Allow from all
</Directory>
ScriptAlias cgi-bin
./var/www/cgi-bin CGI /var/www/cgi-bin
-1 AllowOverride None .
-2 Options ExecCGI ] [cgi .
-3 AddHandler cgi-script .pl cgi ] [.pl ][.cgi
-4 Order allow,deny ].[authentication
-5 Allow from all
CGI inside a VirtualHost <Directory>:
:VirtualHost
Options ExecCGI
AddHandler cgi-script .pl
ScriptAlias /cgi-bin/ /www/docs/vhost1.example.com/cgi-bin/
: cgi label.httpd_sys_script_exec_t :
SET UP A SIMPLE CGI SCRIPT CGI
( ) If-Modified-Since
( )Expiry
( . DNS Expiry
. )
( . : RFC 3143
(HTTP Proxy/Caching).
-2
HTTP .
-7
" " "Transparent Proxy
" ") Intercepting Proxy
( . WCCP "" .
) (Router
. : GRE
Tunneling (OSI Layer 3) or MAC rewrites (OSI Layer 2)
' - Transparent Proxy':
".
' Non-Transparent Proxy':
".
-8
" Forced proxy .
" " ) (
" " ) ( .
TCP.HTTP
HTTP .
.
)
( . HTTP
.
-9
) (Open Proxy
. IRC
IRC DNSBL
AHBL CBL NJABL .SORBS
)(Port scanning
-10
Reverse proxy
. :
/ SSL Acceleration:
)(SSL . SSL Acceleration
) . Secure Socket Layer (SSL SSL
SSL . SSL Server Certificate
. SSL
DNS . SSL
Load balancing:
Circumventor
. elgooG
Google
. 2007 Citizen Lab
Proxify [http://proxify.com] - StupidCensorship - CGIProxy [http://www.jmarshall.com]
Psiphon http://psiphon.civisec.org - Peacefire/Circumventor http://peacefire.org
UltraSurf FreeGate
VPN SSH
) (Tunneling
. 80 HTTP 443
.HTTPS
Tunneling - -
) (MAC .
ICAP
JPEG .
) " : %70
%40 .(%30
HTTP .
HTTPS .
HTTP .
" ."CGI
. PHP CGI .
.Proxy Avoidance
Open proxy
) (open proxy
) HTTP(
) HTTP (
Apache HTTP Server.
I2P.
Nginx: also POP3.
PHProxy. Tech-FAQ "Proxies".
Privoxy.
Squid: HTTP, UNIX/Linux.
Tinyproxy: HTTP daemon, POSIX.
Tor.
Varnish.
WWWOFFLE.
Ziproxy: HTML.
Pound (networking): HTTPS front-end.
Delegate (networking).
web proxy: squid.
Installing Squid
. squid
squid:
ACL
) ACL (Access Control List
acl .
acl:
acl name type definition1 definition2 definition3...
acl accesses_to_google dstdomain .google.com
acl accesses_to_search_engines dstdomain .yahoo.com .google.com .vivisimo.com
acl accesses_from_marketing_department src 10.52.0.0/16
acl need_to_authenticate proxy_auth
acl mynetwork src 192.168.88.0/24
acl :
http://www.visolve.com/squid/squid24s1/access_controls.php
URL :
http_access:
ACL / - . ACL
squid.conf . .http_access
. squid http_access .
http_access:
http_access (allow|deny) acl1 acl2 acl3...
http_access allow mynetwork
http_access allow accesses_from_admins
http_access deny accesses_to_porn_urls
http_access allow accesses_during_lunchtime
http_access deny all
acl http_access
3128
.http
icp_port icp 0
squid .
squid http:
# iptables -I INPUT 5 -p tcp -m tcp --dport 3128 -j ACCEPT
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
cache_mem 20 MB
squid
cache_swap_low 75
cache_swap_high 90
%90 %70
maximum_object_size 8192 KB
8
cache_dir ufs /cache1 200 16 256
200 16
.256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache
# squid -z
/http://urlblacklist.com
squidGuard ufdbguard 70 squidGuard
DansGuardian
false alarm
Linux Network
Application
DNS (Domain Name Service)
IP DNS IP
IP .
DNS (Domain Name Services): IP
Domain IP .
] [DOMAIN www.google.com IP
DOMAIN IP :
-1 ] [/etc/hosts IP ][DOMAIN
DOMAIN .
Domain
domain
(ca-teba.com) domain
ca client teba.com domain
IP
] [local nameserver .
] [nameserver ] [internet lookup /
]. [nameserver root level
] : [nameserver root level ) (. root server 13
back bone
13 any cast
IP.
IP ) (fermi.physics.mit.edu
].[nameserver root level
" ". IP IP
) (top level domains IP ] [.edu local nameserver.
IP .
TCP / IP IP fermi.physics.mit.edu .
:DNS
request . respond
nameserver local .
recursive request .recursive
.iterative requests
boyle.chemistry.mit.edu .root nameserver
Top level domain
org netcom .
Top Level Domain Second Level Domains
(Second Level Domains):
Sub domains
(Host Names):
http://root-servers.org 13
:DNS www.mheducation.com IP
12.163.148.101. delegated zone of authority
DNS on RHEL: BIND (Berkeley Internet Name Domain)
DNS
DNS.
DNS RHEL6 named BIND
Internet Software Consortium 9.7 BIND .RHEL6
rndc DNS apachectl Apache
service :
#service named status
bind Debian
named RHEL
Install DNS (Bind)
BIND :
DNS configuration packages
bind: basic configuration & documents (DNS)
bind-utils: DNS server tools (dig & host)
bind-chroot: chroot directory for Bind
bind-libs: library files for bind & bind-utils
bind-devel: development libraries for bind
bind-sdb: database backends (LDAP)
bind-dyndb-ldap: dynamic update from LDAP
Network Infrastructure Server
BIND :YUM
# yum install bind
Chroot directory
stimulation system system isolated system
system . service
-1 Iterative
IP
Domain Name Space IP
cash
.Recursive
-2 Recursive
-3 Inverse
IP in-addr.arpa
IP .
IP ) (DNS IP
mail.yahoo.com
-1 DNS root server mail.yahoo.com
-2 root server com IP
-3 DNS com server mail.yahoo.com
-4 com server yahoo domain IP
-5 DNS yahoo domain mail subdomain IP
mail.yahoo.com. request .
Forward Lookup Zone:
Recursive Iterative
IP .
DNS . DNS
Reverse Lookup Zone:
Reverse IP
. DNS .
IP
IP Reverse
IP .
MINIMAL DNS SERVER CONFIGURATIONS
DNS .
DNS IP .
DNS:
bind-chroot named
./var/named/chroot
ROOTDIR ./etc/sysconfig/named
SELinux context named.conf:
DNS
requests hosts
public DNS . Forwarder
DNS
DNS DNS resolveIPs
caching-only name server /etc/named.conf
/ caching-only name server
options DNS:
[listen-on port 53]-1 ] [listen-on-v6 port 53
IPv4IPv6
IP .
IPv4 192.168.122.50 )
};{ (IP IP .6
-2 directory DNS data file
] [data file .DNS
bind-chroot /var/named/chroot
-3 dump-file CASH ) (DATA rndc flush
-4 statistics-file CASH ) (DATA rndc stats
-5 memstatistics-file .
-6 allow-query IP .
IP :
-7 9.5 BIND DNS * dnssec- :
logging .
logs:
channel ][log , syslog
categories log .
channel log file logs syslog file logs
log /var/named/data/named.run
severity logs :
critical, error, warning, notice, info, debug, dynamic
dynamic Logs
zone:
log DNS :
# tail -f /var/log/messages
named DNS :
# rndc stop
# /etc/init.d/named stop
# service named stop
named :
# chkconfig named on
data file-1
configuration file-2
Examples:ftp server conf. /etc/vsftp
and
data /var
DNS services
Configuration file: /etc/named.conf
Data file: /var/named/
With chroot, the DNS server services run under /var/named/chroot/:
Configuration file: /var/named/chroot/etc/
Data file: /var/named/chroot/var/named/
(POSIX) standard linux app /etc
soft link chroot /etc
DNS server /etc chroot
A FORWARDING NAME SERVER
/ DNS DNS
IP .
caching-only nameserver
IPv4 192.168.122.50
listen-on :
allow-query local host
FORWARDING FROM A CACHING-ONLY NAME SERVER
DNS IP :
:dig
dig: dig @127.0.0.1 www.mcgraw-hill.com
reverse zone
Zone name
Zone type
Location of zone
zone file
Forward zone-1
reverse zone-2
Zone reverse IP in-addr.arpa .
record section :
NS: name server resource record (DNS).
MX: Mail Exchange record (DNS).
A (address) record: IP address. AAAA: IPv6 address.
CNAME: alias for an IP; used for names such as FTP and rsync.
The Reverse Zone
Reverse Zone lookups DNS IP .
) (ftp, irc, www, and others
. domain .
.reverse zone
: reverse zone IP
reverse zone DNS named.conf:
DHCP . / dhcpdhclient
dhclient dhcdbd
IPv6 dhcpv6_ client
DHCP .multicast
.ifconfig
DHCP SERVER CONFIGURATION
vim :
:option domain-name
) (domain IP DNS
Domain .IP
:option domain-name-servers
DNS IP .DNS
DNS.
:default-lease-time
IP DHCP IP .
:max-lease-time
IP .
:ddns-update-style interim
DHCP Dynamic DNS DNS
DNS DHCP . " "interim DDNS .
[Dynamic DNS] DDNS record DNS
.zone file DHCP
:authoritative
DHCP .authoritative
:log-facility local7
Log
:ignore client-updates
IP ].[MAC ADDRESS
# man 5 dhcpd.conf
# man dhcpd.leases
# man dhcp-options
DHCP classes predefined classes rules
range IP
DHCP DHCP x9
broadcast address: 255.255.255.255
] [Microsoft client DHCPOFFER IP
. DHCP DHCP :
# route add --host 255.255.255.255 dev eth0
eth0 .
SET UP SYSTEM UTILIZATION REPORTS
RHEL 6 sysstat .
.top fdisk.df
] [system utilization reports
" " CPU
RAM HARD.NETWORK
df top fdisk sysstat
sysstat . log file
sadf log file .
. top :
swap space
dstat dstat :
top .
THE SYSTEM STATUS SERVICE
.
sa1 1 1 .
-S DISK sar .swap space
sadd /var/log/sa dd .
sa2 ./var/log/sa
] [-A .sar
sar ][man sar
sardd /var/log/sa dd .
SAR
CV sar sadf ) sysstat
iostat (mpstat / ) atsar (atsadc . sar
/proc .
activity10 .
sysstat .sar
: man .
.EXAMPLES
d sadf ] [-- points to options
.sar
r n DEV .
.sar " "
sadf d
sa21 /var/log/sa/ .
] [-- points to options sar
sar / u
r dp block device sda n DEV
CONFIGURE A SYSTEM LOGGING SERVER
UDP 514 IP
192.168.100.1 :
*.*
:
authpriv, kern, and cron
:
debug, info, notice, warn, and so on
@ : UDP
@@ : TCP
: .
-2 log server log:
] [log server . TCP UDP
514
/etc/rsyslog.conf TCP
.UDP
.IP
TCP:
: .
$InputTCPMaxListeners
.20
session ) (200
$InputTCPMaxSessions
$InputTCPServerRun 514
LIMIT ACCESS TO SPECIFIED SYSTEMS
synchronization
) logging server scan attack error message
application services(.
IPS logging server network discovery
.
) authentication server (Kerberos ticket
ticket ticket
NTP
Primary NTP server
secondary NTP Server clients
Secondary NTP server
clients load balance
NTP Peer
NTP Client
NTP server 16-1 1 16 Stratum
NTP Server
NTP server public NTP Server -1 internet
Gps NTP Server-2 internet
radio NTP Server -3 internet
Atom clock-4 0.001 100/ internet
NTP server NTP server 3
NTP client NTP client .public NTP server
NTP server NTP ] [public NTP server
network traffic ) secondary NTP server(
. network traffic
Secondary
NTP
SERVER
stratum 3
)(Primary
NTP
SERVER
stratum 2
Gps
Atom
clock
Stratum 1
NTP /etc/sysconfig/clock
/etc/ntp.conf
NTP Server public NTP Server
: synchronization NTP Client
synchronization 10 .
-1 NTP :
restrict:
NTP .
NTP 192.168.122.0/24 restrict :
. NTP NTP
][master
NTP NTP :
More File
Sharing service
.
. NFS vsftp . samba
NFS . .
.
NFS .
Sun Microsystems .1980
.
access list -1 )machine base (IP base
.
-2 access list .
Exported file system share
-3 services .NIS
-4
portmap NIS
.
-5
NFS . NFS
./etc/sysconfig/nfs
NFS (NFSv4) 4 .
. NFS
). (ACLs
NFSv4 . ACL IETF .sun
NFSv3 64 GB 2 .
NFSv4 .
NFS ).Open Network Computing Remote Procedure Call (ONC RPC
RFCs . NFSv4
) Remote Procedure Call (RPC .rpcbind
NFS
./etc/sysconfig/nfs
NFS : RFC 5661) 4.1 (2010 clustered server
) .(pNFS NFS
.4.2
NFS
:
NFSv3 NFSv2
RPC :
rpcbind NFSv2
NFSv3:
: NFS ) (Filesystems
. ) (mount filesystem / ).(remote client
SELinux . NFS
) (scripts NFS .daemon .
scripts NFS:
acl:
(Allow (A) - Deny (D)) : : file owner (OWNER, GROUP, or EVERYONE):Premession
. rwx
write (w) and append (a) .write
ACL [nfs4_setfacl -e filename]
. ) (mounted NFSv4 remotely :
) (vi editor .
append write nfs4_getfacl
.
:
(r) read, (w) write, (x) execute, (a) append, (d) delete file or directory, (D) delete the subdirectory
(t) read attributes of the file/directory, (T) write attributes of the file/directory, (c) read ACL, (C) write ACL
(y) synchronize the file
NFS /etc/exports .
.exportfs -a
.
.
/etc/exports:
.
/etc/exports:
)Directory(directory_options
)host(host_options
Directory )(
Host ) (
) ( IP Hosts DNS
IP
:
192.168.0.0/255.255.255.0 192.168.0.1 ip 192.168.0.254
) (Classless Inter-Domain Routing (CIDR .192.168.0.0/24
)*( *.example.net
)(
:ro-1 :rw-2 . .
:async-3 NFS Cash .
:sync-4 NFS .
:no_root_squash-5 rw root
) rw (.
:root_squash-6 .no_root_squash
:insecure-7 .1024
:noaccess-8
.
) (/etc/exports ].[exportfs -a
/etc/init.d/nfs
] [exportfs r ./etc/exports
) (
] [exportfs -au ]. [exportfs -a
NFS
/etc/exports ].[exportfs -v
exportfs:
:showmount
. NFS :
# showmount 10.0.0.1
NFS .10.0.0.1
.
:[showmount a]-1
NFS .
:[showmount e]-2
NFS :
# showmount -e server1.example.com
:[showmount d]-3
NFS )(mounted client
# showmount -d server1.example.com
: .
SPECIAL REQUIREMENTS FOR /HOME DIRECTORIES
/home . . NFS
/home .
LDAP .kerberos
/home .
/etc/idmapd.conf NFS /home
. home nobody
.
:
Domain, Nobody-User, and Nobody-Group
domain nfsnobody .
[service rpcidmapd restart] NFS .
FIXED PORTS IN /ETC/SYSCONFIG/NFS
rpcinfo .RPC
NFS SELINUX
SELinux boolean.
) (file type :NFS
/ NFS
Statelessness
NFS .stateless .NFS
NFS rpc.mountd .
) .(mount_request .
)" ("magic cookie /.
stateless NFS NFS NFS
/ . )(single user client
NFS sync .
.
autofs .
Soft Mounting
soft . NFS
NFS soft NFS .
timeo .
/nfs/home 30 ) timeo (:
Diskless Clients
NFS Diskless Clients .
Diskless Clients ) (PROM .
) (/ swap /usr
/home /.
PROM DHCP TFTP .
NFS
NFS :
mountstats
Shows information about mounted NFS shares
nfsstat
Shows statistics of exported resources
nfsiostat
Shows statistics of NFS mounted shares
nfsstat:
,,
FTP File Transfer Protocol
,
anonymous
.
FTP / vsftp .RHEL 6
./etc/vsftpd
./etc/pam.d
FTP /etc/vsftpd :
.
:ftpusers ,,
:user_list , FTP
][userlist_deny=NO .
.
:vsftpd_confg_migrate.sh . FTP
:vsftpd.conf FTP
.
FTP /etc/pam.d:
#vim /etc/vsftpd/vsftpd.conf
ftp_username . anonymous
anonymous user .ftp
/etc/passwd :
anonymous home
.ftp
anonymous anonymous_enable=YES
anonymous_enable=No
:FTP
user based -a ftp user name password
Anonymous based -b user ftp user name password
off security
upper case (lower case= upper case)) lower case
vsftpd.conf .
anonymous .local_enable = NO :
anonymous ] [local_enable = YES
.
) (anonymous write_enable=yes write_enable=no
anonymous local_enablewrite_enable
.NO
selinux Label. public_content_rw_t
.
.
.lftp
log /var/log/xferlog :
Log IP
:
FTP
FTP :
-1 20 ).file transfer (upload download
-2 21 .control command
FTP 20 connect_from_port_20=YES
600 .
.
120 ) (resume
.
FTP FTP
.
FTP anonymous
.
:
-1 home home .
-2 .
-3 .
R ls .
vsftpd.conf . ) (PAM
.
.
] [userlist_enable=YES anonymous
user_list /etc/vsftpd
YES ] [userlist_deny=YES YES
NO
.
TCP_WARPPER .FTP
:
local_max_rate=100000
anon_max_rate=500000
vsFTP boolean
-1 anonymous boolean
allow_ftpd_anon_write .public_content_rw_t
-2 NFS BOOLEAN
.allow_ftpd_full_access
-3 home .ftp_hmoe_dir
PORTS, FIREWALLS, AND VSFTP
. IP iptables
:255.255.255.0/192.168.122.0
tcp_wrappers=YES vsftpd.conf
TCP WARPPER /etc/hosts.allow./etc/hosts.deny
/etc/hosts.allow donna :tester1.example.com
SAMBA
/etc/hosts.deny
] [ALL : ALL /etc/hosts.deny
.TCP_WARPPER
SAMBA
:
-1 ]-2 [Samba Services ][Samba as a Client
-3 ][Samba Troubleshooting
SAMBA /
) Common Internet File System (CIFS ) Server Message Block (SMB
.
Samba SMB .
SAMBA SMB
.CIFS SAMBA .Samba Web Administration Tool SAMBA
http://www.samba.org
][SAMBA SERVICES
: ) (CIFS ). (SMB
SMB s 1980 IBM .
SMB CIFS .
SAMBA client a member server ) PDC (primary Domain controller
)Member on AD (active directory .
SAMBA 4 AD controller .
SMB NetBIOS .TCP / IP
:SAMBA
] [linux directory tree /
/
/
/
SAMBA
workgroup domain ) (client ) (member server .PDC
home . )Windows Internet Name Service (WINS ) (client ).(server .workgroup browse service samba .NT4 PDC .SAMBA . ACLs . :SAMBA
SAMBA:
137 138 .
SAMBA :SELinux
SELinux ) (targeted mode
.
/etc/samba/smb.conf
].[man smb.conf
] [# ];[ ][#
];[ .
:
][global
option = value
][homes
option = value
][printers
option = value
][share
option = value OptionsValues
.
Global
SELinux .
:
-1 :Network-Related Options
: workgroup = MYGROUP
.windows workgroup_name NT_Domain_name
netbios name = MYSERVER
windows .Samba
server string = Samba Server
Samba ] [%v .
interfaces =lo eth0 192.168.12.2/24 192.168.13.2/24
. eth0 ) loopback (lo .IP address
log file .
-3 :Standalone Server Options
security = share
share .
:security
:user -1 client domain controller ).(PDC
:domain-2 member server domain
.DC
.
security domain
server IP
.
>password server = <NT-Server-Name
security ads .Active Directory
realm = MY_REALM
-5 :Domain Controller Options
NetBIOS. IP
)Windows Internet Name Service (WINS DNS .
] [wins support = yes WINS .
WINS )(remotely w.x.y.z
IP .
: wins support wins server .
. ] [wins proxy = yes
.
dns proxy = No
DNS
-8 :Printing Options
.
printcap name ].[printcap name = /etc/printcap
cups options = raw
.cups
printcap name = lpstat
.
-9 :Filesystem Options
map read = no
) (map read only ) (mounted media .dvd
map system = no
yes .
store dos attributes = yes
ACL :DOS
Shared Samba Directories :
/etc/samba/smb.conf .
:Shared homes-1
Home
comment = Home Directories
.
read only = No
.
browseable = no
home . home .
home /etc/passwd .
guest ok = no
.
hosts allow.hosts deny
:Shared Printers-2
:
comment = All Printers
.
path = /var/spool/samba
) .(Spool
browseable = yes
.
guest ok = yes
) ( .
print ok = yes
.
printable = yes
.cups
shared directory .
:Domain Logons-3
] [netlogon
.Microsoft Windows workstations
] [netlogon workstation
.
.
:Workstation Profiles-4
. profile .Microsoft Windows workstations profile
) (Microsoft Windows registry .workstation
:Group Directories-5
/home/samba
.stuff .
/home/samba .
SELinux:
.Fred
home :
:
path = /usr/somewhere/private
.
valid users = fred
.
)[Let Samba Join a Domain] (domain
DC .Domain
DC . Domain :
# net rpc join -U root
Domain DC :
# net rpc join -S DC -U root
root .Domain Domain
.administrator Domain
. DC ./etc/passwd
THE SAMBA USER DATABASE
.
.
.
./etc/samba/smbusers :smb.conf
username map = /etc/samba/smbusers
. smbpasswd
.
.
):(valid login shell
# useradd winuser1 -s /sbin/nologin
:
# smbpasswd -a winuser1
) (authentication database
.passdb backend smbpasswd ./etc/samba/smbpasswd
tdbsam passwd.tdb ./var/lib/samba/private
].[pdbedit L
./etc/samba/smb.conf
.
:
-1/ ] [PublicShare
) (authentication database .LDAP
.
-2 / guest users.
-3 Domain .example.com
-4 .outsider1.example.org
guest ok = no .guest ok = yes
Domain example.com
hosts allow = .example.com
EXCEPT :
hosts allow = .example.com EXCEPT evil.example.com
:
hosts deny = evil.example.com
IP hosts allow.hosts deny
smb.conf
777 sticky bit .
THE SAMBA WEB ADMINISTRATION TOOL
) (RHEL6 .
SWAT
.samba-swat
RHEL 6 DVD .
.RHCE
SWAT ./etc/xinetd.d
:
http://127.0.0.1:901
:
root :
) (Basic :
Base Options-1
:workgroup
.windows workgroup_name NT_Domain_name
:realm
) (Kerberos realm .Domain DNS
.server1.example.com ).(kerberos client
:netbios name
windows Samba .DNS
:netbios aliases
windows.
:server string
Samba ] [%v .
:Interfaces
. eth0 ) loopback (lo .IP address
Security Options-2
)(global .
.
security
SERVER - ADS-DOMAIN -SHARE - USER
guest account
) (nonprivileged account .
invalid users
.valid users
admin users
.
read list
.
write list
.
Hosts allow
.hosts deny
.
Share Settings
GLOBALS SHARES swat
.smb.conf :
Choose Share
.Create Share
homes Change View To .Advanced
.
comment
.
path
.
username
.
force user
.
force group
.
read only
.
guest ok
) (guest .
guest only
) (guest .
:Server Status
STATUS .swat
NetBIOS .Winbind
.
.
. .smbpasswd
.
michael :
# smbpasswd michael
doona :
# smbpasswd -a doona
smb.conf .
testparm .
. .
] [home .
testparm
Tests the syntax of the main config file for issues
Syntax: testparm [options] <config file> [hostname] [host IP]
Options:
-s
Suppresses the prompt
-v
Provides verbose output (shows the default options)
.
: valid users
invalid users .
.
SAMBA AS A CLIENT
)(client :
-
)(client .
) (client .
smbclient FTP :
.
Mount Options
/ )(mounted .
mount.cifs ] .[mount t cifs
public : /home/shared
.
donna . /
server1.example.com . donna
home :
.umount
automount
Automated Samba Mounts
-
/etc/fstab :
/etc/fstab .
credentials file :
) (credentials file:
/etc/smbdonna
. automounter .
:
Workgroups Domains Broadcast
# smbtree -b
. Enter
.
WORKGROUP
.SERVER ROOT
) root (.
# smbtree -b -U ROOT
..
# smbclient -L //SERVER -U ROOT
Mount mount.cifs ./etc/autofs
Samba TROUBLESHOOTING
.
.testparm ) (log files
. .
. writable
.writeable testparm .
"."unknown parameter
. testparm
:
.
. .mount.cifs :
.
log file
/var/log/messages
./var/log/samba
testparm ./var/log/messages
.
IP . .
:log.__ffff_127.0.0.1
smbstatus :
Syntax: smbstatus [options]
Options:
-p
Shows processes only
-L
Shows locks only
-v
Provides verbose output
-S
Shows shares only
.
Electronic Mail
Servers
SMTP .
/ client/server .
. SMTP
.
user@host.domain
host.domain SMTP TCP 25 ) (
SMTP .telnet SMTP "" "
. POP3 .IMAP
RHEL sendmail ) Sendmail .(capital S
RHEL Dovecot .
POP3 (Post Office Protocol), POP3S (the secure version), IMAP (Internet Message Access Protocol), IMAPS (the secure version).
:
:SPAM-1
.
) (SPAM
) (junk mail " " . multi-postage abusif SPAM:
)%25 (Adult
%22
)(Financial
%13
)(Products
)%9 (Internet
%10
)(Health
)%7 (Scams
)%5 (other
%5
)(Spiritual
)%6 (Leisure
:SCAM-2
. .
. .
.
:HOAXES-3 !
jdbgmgr.exe
.
!! HOAXE )
.
: postfix sendmail
/ postfix sendmail
.
MDA MUA : (MUA) The mail user agent.MTA
. . MUA
Thunderbird (MDA) The mail delivery agent .Evolution
.MUA (MTA) the mail transfer agent
.
POP3 (Post Office Protocol, version 3) and IMAP4 (Internet Message Access Protocol, version 4)
Mail User Agent (MUA)
mutt, Evolution, Thunderbird.
Mail Submission Agent (MSA)
.MTA
.
.
Simple Mail Transfer Protocol (SMTP)
POP3 SMTP IMAP4
.
LMTP SMTP SPAM
.SMTP
POP3 (POST OFFICE PROTOCOL)
MTA/MDA MUA
EMAIL .
IMAP (INTERNET MESSAGE ACCESS PROTOCOL)
MTA/MDA MUA header
MUA .
sendmail postfix " ) " (E-mail server yum
rpm .
Spamassassin ). (E-mail server
alternatives
alternatives ] [--config postfix . sendmail
alternatives SMTP :
alternatives mta:
mta :
alternatives :chkconfig
service .mta
GENERAL USER SECURITY
SMTP
SMTP .
SMTP ./var/log/maillog :
-
sendmail.postfix
.
postfix:
] :[mailq *) mail queue ! (.
] :[postmap ) (lookup table .Postfix
] :[postsuper . postfix
] :[postconf .postfix
./etc/postfix postconf .
postfix .main.cf 700 .
man ) (# postfix:
-1 :access
.
man ] [man 5 access ) (limits
access [patternaction] : :
192.168.122.50 OK
server1.example.com OK
192.168.100 REJECT
example.org REJECT
joe@porno.com REJECT
Pattern IP Domain action OK REJECT .
access ) (user-based security )(host-based security
postfix . iptables
-2 canonical:generic
] . [alias file
Domain . canonical .
generic . NAT .
[patternresult] :
) (:
Michael
michael@example.com
domain:
@example.org @example.com
[@example.org] Domain ].[@example.com
access canonical generic postmap
.
# postmap canonical
# postmap generic
# postmap access
-3 :relocated
. :
john@example.com john@example.net
-4 :transport
). (smart host
.
.postfix 700
. . postfix :
(postfix queue) postfix
.queue_directory
postfix .
Postfix .master.cf daemon_directory .
Postfix ) (data file .
) (# main.cf
.mail_owner
#
.postfix
) (domain name IP Domain .
. localhost
all .
postconf:
] [-a ] [plug-in SASL.
] [-d .
] [-e .man.cf
] [-n .
] [-v .verbose
:
) (authentication main.cf
postfix :
.
subservices
.
: telnet postfix ] [telnet localhost 25
:
/ postfix .
main.cf :postfix
/ SASL .Postfix
/ .anonymous
/ .Microsoft outlook express
postfix /
mynetworks .postfix
postfix :
sendmail ] [.db
.
:access-1
) (access control .
) (host name :
.
sendmail.mc
sendmail.mc sendmail .
.
divert:
dnl ] [#
dnl . sendmail ][divert(0) dnl
.divert
sendmail
define.
define SMART_HOST
:
define /
telnet
define .
/:
define .LDAP
define sendmail .
timeout .
:FEATURE
sendmail
) .(submission_protocol ) sendmail
.(587
FEATURE
(smrsh) sendmail:
FEATURE domain
trusted-users local-host-names :
.
) (host-based security
/etc/mail/access .
SMTP
.
DAEMON_OPTIONS sendmail .
dnl.
sendmail.mc .
sendmail submission 587 :
) TLS ( sendmail
SMTP .465
IPv6 .
IPv4.IPv6
FEATURE sendmail domain IP DNS
) .(accept_unresolved_domains .SPAM
MX record .DNS .
.
domain .
MASQUERADE .domain
MAILER .
SUBMIT.MC
.
make ./etc/mail
/ ) NIS (
.
IPv6
:
sendmail .
sendmail.mc DAEMON_OPTIONS
dnl
Addr=127.0.0.1 :
DNS FEATURE sendmail
) (accept_unresolved_domains:
.
.access :
access
Connect:example.com
RELAY
Connect:10.0.0
RELAY
Connect:192.168.0
RELAY
Connect:jana.example.com
RELAY
FORWARD domain
RELAY /etc/mail/access IP REJECT
make /etc/mail m4 :
#service sendmail restart
#chkconfig sendmail on
: . local-host-names
Configure sendmail to Relay E-Mail to a Smart Host
sendmail ) (smart host
.
sendmail
postfix telnet sendmail:
# telnet localhost 25
:
:
# mail -s "test email" root < /etc/hosts
DOVECOT MAILBOX SERVER
2002 Timo Sirainen
:
-
mbox.maildir
.
.
Bug .
Cluster.NFS
.
1000.
:
MTA ) (Mail Transfer Agent Postfix
SMTP MTA domain
MTA MTA
Postfix.
MDA Mail Delivery Agent Dovecot
Dovecot
Dovecot Thunderbird
. Postfix
MTA Postfix MDADovecot
Dovecot :
mboxmaildir :
POP3, POP3S, IMAP4, IMAP4S and LMTP protocols
IMAP4
TCP port 143
POP3
TCP port 110
IMAP4S
TCP port 995
POP3S
TCP port 993
LMTP
TCP port 24
this is similar to the SMTP protocol for sending mail
:Dovecot
# yum install dovecot
/etc/dovecot/ ./etc/dovecot/dovecot.conf
dovecot dovecot
.
POP3S IMAP4S .
POP
) Post Office Protocol (POP
.pop .
MTA .
POP . POP .POP3
) (POP TCP
. ) (IMAP )
: ( .
:IMAP
IMAP IMAP4 ) (Internet Message Access Protocol
143 .
. IMAP 4 IMAP4 POP3
.
POP IMAP .
IMAP .
IMAP
POP
gmail
.
:Dovecot
Dovecot
/etc/dovecot/ :
.dovecot.conf
1000
/etc/dovecot/conf/
.
.
dovecot.conf Root .vi /etc/dovecot/dovecot.conf :
protocols pop3.imap
IMAPS POP3S IMAP .POP3
) IP ( IP
. IP .
. :
POP3S IMAP4S :
:
mail_location
./etc/dovecot/conf.d/10-mail.conf dovecot
.
.
Dovecot :
# service dovecot start
# chkconfig dovecot on
dovecot :
# service dovecot status
# chkconfig --list dovecot
:Dovecot Secure Certificates
./etc/pki/dovecot
/etc/pki/dovecot/dovecot-openssl.cnf:
] [req_dn ./etc/pki/dovecot/dovecot-openssl.cnf
) ( dovecot.pem :
/etc/pki/dovecot/certs
/etc/pki/dovecot/private
.
mkcert.sh /usr/share/doc/dovecot-versionnum/examples/
:
# /usr/share/doc/dovecot-versionnum/examples/mkcert.sh
:dovecot
mutt Dovecot .user01
.
) . EPEL repo ( :
http://fedoraproject.org/wiki/EPEL
# yum install squirrelmail
:
http://squirrelmail.org/docs/admin/admin-3.html
SquirrelMail
.PHP IMAP SMTP.HTML 4.0
SquirrelMail .
MIME .
ISCSI
Miscellaneous
ISCSI
- : devices ) .(limitation 2
IDE 2 device .4 device 24
SATA device .24
fiber hard channel . SCSI
-:SCSI
figure 1-1 -----------------hardware SCSI -1
SCSI
OR
SATA
Server
Adaptor
figure 1-1
Adaptor
SCSI = Small Computer System Init
software SCSI-2 ISCSI IP addressing . figure 1-2
SHARE
SHARE
hard disk
5 HD
hard disk
hard disk
Server
3 HD
block device
block device
hard disk
hard disk
hard disk
hard disk
hard disk
hard disk
hard disk
hard disk
Storage server
Target
Initiator
Figure 1-2
hard disk
Target
[root@localhost ~]# yum install scsi-target-utils
[root@localhost ~]# vim /etc/tgt/targets.conf
targets.conf- : )(/etc/sdc initiator )(iqn.2008-09.com.example:target-name
iqn ) (iscsi qualified name target
target initiator .
targets.conf
RESTRICTION
-3260
share :
[root@localhost ~]# tgtadm --mode target --op show
-2 initiator
initiator [root@localhost ~]# yum install iscsi-initiator-utils
[root@localhost ~]# vim /etc/iscsi/iscsid.conf
iscsid.conf node.session.auth.authmethod = CHAP
node.session.auth.username_in = username_in
node.session.auth.password_in = password_in
target initiator IP addressing .
[root@localhost ~]# iscsiadm -m discovery -t sendtargets -p 192.168.126.134
target
Result: 192.168.126.134:3260 ,1 iqn.2013-01.com.mostaf:datastore1
[root@localhost ~]# iscsiadm -m node -o show
# iscsiadm --mode node --targetname iqn.2001-05.com.doe:test --portal 192.168.1.1:3260 --login
target.initiator
[root@localhost ~]# service iscsid start
fdisk -l ) (shared hard disk [root@localhost ~]# cat /proc/partitions
partition session [root@localhost ~]# iscsiadm -m session -o show
software scsi limitation hardware scsi 8-10 Gfiber optic channel
server OS sharing HD HPA SCSI
iscsi :
# iscsiadm --mode node --targetname iqn.2001-05.com.doe:test --portal 192.168.1.1:3260 --logout
/etc/fstab _netdev
NETWORK INTERFACE CONFIGURATION BONDING
bonding .channel bonding interface
Virtual )
( IP
.Network Bonding/Teaming
:
https://www.kernel.org/doc/Documentation/networking/bonding.txt
.1 )(high bandwidth
.2 / )(Redundancy/resilience
# ethtool -p eth0 30
30.
bond .slave
bonding mode:
mode . 0 1 2
. )balance-rr (round robin
]) :[Mode 0 (balance-rr ) : (round robin
slave . ).(load balancing and fault tolerance
]) :[Mode 1 (active-backup
. ).(fault tolerance
]) :[Mode 2 (balance-xor .XOR
] .[(Source MAC address is XORd with destination MAC address) modula slave count slave
.MAC ).(load balancing and fault tolerance
]) :[Mode 3 (broadcast .slave ) (
).(fault tolerance
]) :[Mode 4 (802.3ad ) (Dynamic Link Aggregation mode
) (aggregation group .duplex
.IEEE 802.3ad Dynamic link
]) :[Mode 5 (balance-tlb Adaptive transmit load balancing traffic
.slave slave . .
]) :[Mode 6 (balance-alb . Adaptive load balancing mode
.receive load balancing (rlb) + balance-tlb .
.
:
\ Virtual :bond0
# vim /etc/sysconfig/network-scripts/ifcfg-bond0
IP Netmask :Gateway
DEVICE=bond0
ONBOOT=yes
USERCTL=no
TYPE=Ethernet
BOOTPROTO=none
IPADDR=192.168.1.2
NETMASK=255.255.255.0
NETWORK=192.168.1.0
GATEWAY=192.168.1.1
BONDING_OPTS="mode=1 miimon=50"
\ :
-1 :Bond0
eth0 :
# vim /etc/sysconfig/network-scripts/ifcfg-eth0
:
DEVICE=eth0
BOOTPROTO=none
TYPE=Ethernet
ONBOOT=yes
HWADDR=xx:xx:xx:xx:xx:xx
MASTER=bond0
SLAVE=yes
:eth1
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
HWADDR=xx:xx:xx:xx:xx:xx
MASTER=bond0
SLAVE=yes
bond0 Master
Slave
eth0 eth1
Packet
- MAC Address .
mode 1 fault tolerance - - -
-Active .-Backup-
. .
Modules :/etc/modprobe.d/bonding.conf
:
bonding
bond0
alias
:
#service network restart
. Slave bond0 ifconfig
: Backup Active Network Teaming
#cat /proc/net/bonding/bond0
:
Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0
Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: xx:xx:xx:xx:xx:xx
Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: xx:xx:xx:xx:xx:xx
6
Repo Configuration
Examples of /etc/yum.repos.d/*.repo Configuration
Ex#1
[GLS]
name=Instructor GLS Repo
baseurl=ftp://instructor.example.com/pub/gls
gpgcheck=0
Ex#2
[base]
name=Instructor Server Repository
baseurl=http://instructor.example.com/pub/rhel6/dvd
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EX#3 - Configure your server to use separate Yum Repo to obtain updates
# vi /etc/yum.repos.d/updates.repo
[Updates]
name=updates Server
baseurl=ftp://instructor.example.com/pub/rhel6/Errata
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled =1
# yum update
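Two of the three stanzas above carry gpgcheck=0, which switches off RPM signature verification for every package fetched from that repo. The following added script (not part of the original notes) parses .repo stanzas and reports such settings; SAMPLE_REPOS is constructed from the three examples, and which conditions count as findings is this script's own policy, not yum's.

```python
"""Audit yum .repo stanzas for settings that disable package-signature checking."""
import configparser
from urllib.parse import urlparse

# Constructed sample: the three example stanzas from the notes, concatenated.
SAMPLE_REPOS = """\
[GLS]
name=Instructor GLS Repo
baseurl=ftp://instructor.example.com/pub/gls
gpgcheck=0

[base]
name=Instructor Server Repository
baseurl=http://instructor.example.com/pub/rhel6/dvd
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[Updates]
name=updates Server
baseurl=ftp://instructor.example.com/pub/rhel6/Errata
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled =1
"""


def parse_repos(text):
    """Parse .repo INI text into {repo_id: {option: value}} (option names lower-cased)."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return {repo_id: dict(cp.items(repo_id)) for repo_id in cp.sections()}


def audit_repo(repo_id, opts):
    """Return the list of findings for one repo stanza (empty list means clean)."""
    findings = []
    if opts.get("enabled", "1").strip() != "1":          # yum treats a missing 'enabled' as 1
        return findings                                   # a disabled repo is not used today
    gpgcheck = opts.get("gpgcheck", "0").strip() == "1"   # yum's default for gpgcheck is 0
    scheme = urlparse(opts.get("baseurl", "")).scheme
    if not gpgcheck:
        findings.append(f"{repo_id}: gpgcheck=0, package signatures are never verified")
        if scheme in ("http", "ftp"):
            # Unsigned packages over a cleartext transport can be swapped on the wire.
            findings.append(f"{repo_id}: unsigned packages fetched over cleartext {scheme}")
    elif "gpgkey" not in opts:
        findings.append(f"{repo_id}: gpgcheck=1 but no gpgkey; verification depends on keys "
                        "already imported into the rpm database")
    return findings


def audit(text):
    """Audit every stanza in a .repo file's text."""
    findings = []
    for repo_id, opts in parse_repos(text).items():
        findings.extend(audit_repo(repo_id, opts))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_REPOS):
        print(line)
```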
Basic yum Commands
1. yum list = rpm -q>>display installed and available pkgs
2. yum search KEYWORD
3. yum info PKGNAME = rpm -qi
4. yum install PKGNAME
5. yum update PKGNAME
6. yum remove PKGNAME
RPM
$ rpm -q -a >>all installed PKGS
$ rpm -q PKGNAME >>is PKGNAME currently installed (and which version)
$ rpm -q -p PKGFILE.rpm >>query a package file that is not installed
$ rpm -q -f FILENAME >>what pkg provides FILENAME
$ rpm -q --configfiles PKGNAME >>list config files
$ rpm -q --docfiles PKGNAME >>list just the doc files
$ rpm -q --scripts PKGNAME >>pre/post install scripts
$ rpm -q -l PKGNAME >>PKG included files
Network Management
Network Configuration Files
# /etc/sysconfig/network-scripts/ifcfg-* >>IPaddress and Subnet mask
# /etc/sysconfig/network & /etc/sysconfig/network-scripts/ifcfg-* >>Routing / Default Gateway
# /etc/sysconfig/network >> Hostname
# /etc/sysconfig/network-scripts/ifcfg-* & /etc/resolv.conf - or - /etc/hosts >>Name resolution
Network Commands
$ ip addr show eth0
$ ip -s link show eth0
$ ip route
$ ifup eth0
# vi /etc/sysconfig/network-scripts/ifcfg-*
Static
BOOTPROTO=static
IPADDR=
PREFIX=24
GATEWAY=
DNS1=
DHCP
BOOTPROTO=dhcp
ANY
DEVICE=eth0
ONBOOT=yes
HWADDR=
NM_CONTROLLED=yes
Lock the DNS server entries in /etc/resolv.conf when using DHCP, because DHCP overwrites them at reboot:
vi /etc/sysconfig/network-scripts/ifcfg-*
PEERDNS=no
Aliases
- Assign multiple addresses to a single interface.
- When to disable NetworkManager: when configuring aliases and bonding.
There are three basic steps to adding an alias IP:
1- # service NetworkManager stop ; chkconfig NetworkManager off
2- Interactively add the alias
# ip addr add 10.1.1.250/24 dev eth0 label eth0:0
# ip addr show eth0
Persistently add alias by creating /etc/sysconfig/network-scripts/ifcfg-eth0:0
DEVICE=eth0:0
IPADDR=10.1.1.250
PREFIX=24
ONPARENT=yes
3-restart network services
# service network restart
Bonding
- bind multiple network interfaces together into a single channel
Using: the bonding kernel module and a channel bonding interface
Identify eth card by command:
# ethtool -p eth0 30 >>To blink the LEDs on eth0 for 30 second
Bonding Modes
Mode 0: (balance-rr) round-robin policy: packets are transmitted in round-robin fashion through all slaves; any slave can receive
Mode 1: (active-backup): only one slave interface is in use at a time, but if it fails another slave takes over
Mode 3: (broadcast): all packets are broadcast from all slaves
Example - (Active - Backup) Configuration
. /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
IPADDR=10.1.1.250
PREFIX=24
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="mode=1 miimon=50"
. /etc/sysconfig/network-scripts/ifcfg-slave-name(eth0)
DEVICE=<name>
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no
. /etc/modprobe.d/bonding.conf
alias bond0 bonding
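The ifcfg stanzas in this section and in the earlier bonding section are easy to get subtly wrong: a misspelled BONDING_OPTS key is silently ignored by the driver, an unquoted multi-word value is split by the shell that sources the file, and a slave with its own IPADDR fights the bond. The following added validator (not part of the original notes) checks those points; the option names come from the kernel's bonding.txt linked above, and BOND0/ETH0/ETH1 are constructed copies of the notes' stanzas, including the misspelled "miion".

```python
"""Sanity-check ifcfg-bond0 and its slave ifcfg files for common bonding mistakes."""

# Bonding modes as numbered in the notes; the driver accepts the number or the name.
BOND_MODES = {"0": "balance-rr", "1": "active-backup", "2": "balance-xor", "3": "broadcast",
              "4": "802.3ad", "5": "balance-tlb", "6": "balance-alb"}
# Module options accepted in BONDING_OPTS (subset of Documentation/networking/bonding.txt).
KNOWN_OPTS = {"mode", "miimon", "updelay", "downdelay", "use_carrier", "primary",
              "arp_interval", "arp_ip_target", "lacp_rate", "xmit_hash_policy", "fail_over_mac"}

# Constructed samples reproducing the notes' stanzas (HWADDR placeholders kept as written).
BOND0 = """\
DEVICE=bond0
ONBOOT=yes
USERCTL=no
TYPE=Ethernet
BOOTPROTO=none
IPADDR=192.168.1.2
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
BONDING_OPTS=mode=1 miion=50
"""
ETH0 = """\
DEVICE=eth0
BOOTPROTO=none
TYPE=Ethernet
ONBOOT=yes
HWADDR=xx:xx:xx:xx:xx:xx
MASTER=bond0
SLAVE=yes
"""
ETH1 = ETH0.replace("eth0", "eth1")


def parse_ifcfg(text):
    """KEY=value lines -> dict, plus the keys whose unquoted value contains a space
    (the shell that sources ifcfg files would split such a value into words)."""
    cfg, unquoted = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        quoted = len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"
        if " " in value and not quoted:
            unquoted.append(key)
        cfg[key] = value[1:-1] if quoted else value
    return cfg, unquoted


def check_bond(bond_text, slave_texts):
    """Return a list of problems; an empty list means the bond looks consistent."""
    problems = []
    bond, unquoted = parse_ifcfg(bond_text)
    name = bond.get("DEVICE", "")
    for key in unquoted:
        problems.append(f"{name}: {key} value has spaces but is not quoted")
    # BONDING_OPTS is a space-separated list of option=value tokens.
    opts = dict(tok.split("=", 1) for tok in bond.get("BONDING_OPTS", "").split() if "=" in tok)
    if not opts:
        problems.append(f"{name}: BONDING_OPTS missing")
    for key in opts:
        if key not in KNOWN_OPTS:
            problems.append(f"{name}: unknown bonding option '{key}' (typo?)")
    mode = opts.get("mode")
    if mode is not None and mode not in BOND_MODES and mode not in BOND_MODES.values():
        problems.append(f"{name}: unknown mode '{mode}'")
    if "miimon" not in opts and "arp_interval" not in opts:
        # Without link monitoring the driver never notices a dead link, so no failover.
        problems.append(f"{name}: no link monitoring (miimon/arp_interval); failover never triggers")
    if len(slave_texts) < 2:
        problems.append(f"{name}: fewer than two slaves, so no redundancy")
    for text in slave_texts:
        slave, _ = parse_ifcfg(text)
        dev = slave.get("DEVICE", "?")
        if slave.get("MASTER") != name:
            problems.append(f"{dev}: MASTER must be {name}")
        if slave.get("SLAVE") != "yes":
            problems.append(f"{dev}: SLAVE=yes missing")
        if slave.get("BOOTPROTO") != "none" or "IPADDR" in slave:
            problems.append(f"{dev}: a slave must use BOOTPROTO=none and carry no IPADDR")
    return problems


if __name__ == "__main__":
    for problem in check_bond(BOND0, [ETH0, ETH1]):
        print(problem)
```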
Tuning Kernel Network Parameters
. Kernel parameters /proc/sys/dir
. Sysctl
- Example:Disable ping reply
# sysctl -a |grep icmp >>net.ipv4.icmp_echo_ignore_all = 0
# grep -A5 icmp /usr/share/doc/kernel-doc-*/Documentation/networking/ip-sysctl.txt
# sysctl -w net.ipv4.icmp_echo_ignore_all=1
- or: # echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
# Execute sysctl -p to enforce this setting immediately
Storage Management
# fdisk -cul /dev/vda >> c for legacy dos comp. mode ,u display output in sectors
# fdisk -cu /dev/vda >>n>>p>>3>>w>>reboot
Create new Filesystem
# mkfs -t ext4 /dev/vda3
# blkid /dev/vda3>>get UUID of the filesystem
# mkdir /mountpoint
# vi /etc/fstab
UUID=uuid /mountpoint ext4 defaults 1 2
# mount /mountpoint
Remove an Existing Filesystem
# umount /mountpoint
#vi /etc/fstab
#rmdir /mountpoint
Create a New Encrypted Volume
1. # fdisk -cu /dev/vda >Create new partition
6. #vim /etc/fstab
7. #mount -a
Extend a Logical Volume
1. #vgdisplay VG_name >>Determine the amount of free space in VG
2. #lvextend -l +50 /dev/VGNAME/LVNAME - or #lvextend -l +50%FREE /dev/VGNAME/LVNAME - or #lvextend -L 50GB /dev/VGNAME/LVNAME
3. #resize2fs /dev/VGNAME/LVNAME
Reducing a Filesystem and Logical Volume
1. #umount /data
2. #fsck -f /dev/mapper/vgname-lvname
3. #resize2fs -p /dev/mapper/vgname-lvname 512M >>the filesystem will be 512 MB
4. #lvreduce -L 512M /dev/mapper/vgname-lvname
5. #mount -a
Extending and Reducing a Volume Group
- Extend Volume Grouped 1. #fdisk -cu /dev/vda >>n >>e>>n>>+512M>>t>>5>>8e>>w>>reboot
2. #pvcreate /dev/vda5
3. #vgextend VGNAME /dev/vda5
4. #vgdisplay VGNAME (check size and free space)
5. #lvdisplay
- Reduce VG 1. #pvmove /dev/vdaN >>relocate any physical extents used on /dev/vdaN to another physical Volumes in the VG
2. #vgreduce vgname /dev/vdaN
Account Management
#cat /etc/shadow
username:$1$QsDZWIXg$FoREiKhX6bhLp19JnzttL1:15614:0:99999:7:::
1. 1 - the hashing algorithm identifier ($1$ = MD5)
2. QsDZWIXg - the salt mixed into the hash
3. FoREiKhX6bhLp19JnzttL1 - the password hash
#chage -m 0 -M 90 -W 7 -I 14 username
-m: min days - -M: max days - -W: warn days - -I: inactive days - -d: last password change date (YYYY-MM-DD) - -E: expiration date (YYYY-MM-DD)
#chage -l username >>list user current setting
#chage -d 0 username >>force a password update on next login
Examples#
#chage -M 90 -I 30 -E 2012-09-30 -d 0 username >>account expire at 2012-09-30
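The shadow entry quoted above and the chage options are easiest to understand by decoding one. The following added example (not from the original notes) parses the nine shadow fields, identifies the hash algorithm and salt, and classifies the account the way chage -l reports it; SAMPLE is the shadow line quoted above and "today" is passed in as a day number so the check runs offline.

```python
"""Decode an /etc/shadow entry and evaluate its password-aging fields."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
# crypt(3) identifiers found between the first two '$' of the hash field.
HASH_IDS = {"1": "md5", "2a": "blowfish", "5": "sha256", "6": "sha512", "y": "yescrypt"}
# The entry quoted in the notes (constructed sample, not a real account).
SAMPLE = "username:$1$QsDZWIXg$FoREiKhX6bhLp19JnzttL1:15614:0:99999:7:::"


def day_to_date(days):
    """Shadow stores dates as days since 1970-01-01."""
    return EPOCH + timedelta(days=days)


def date_to_day(d):
    """Inverse of day_to_date, e.g. for the value chage -E writes."""
    return (d - EPOCH).days


def _num(field):
    return int(field) if field else None


def parse_shadow_line(line):
    """Split the nine colon-separated fields; empty numeric fields become None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("shadow entries have 9 fields")
    name, pw, lastchg, mn, mx, warn, inact, expire, _flag = fields
    entry = {"name": name, "lastchg": _num(lastchg), "min": _num(mn), "max": _num(mx),
             "warn": _num(warn), "inactive": _num(inact), "expire": _num(expire),
             "locked": pw.startswith("!") or pw in ("*", ""),
             "algorithm": None, "salt": None, "digest": None}
    pw = pw.lstrip("!")                     # a '!' prefix means locked; a hash may still follow
    if pw.startswith("$"):
        parts = pw.split("$")               # ['', id, (rounds=N,) salt, digest]
        entry.update(algorithm=HASH_IDS.get(parts[1], "unknown"),
                     salt=parts[-2], digest=parts[-1])
    return entry


def aging_status(entry, today):
    """Classify the entry on a given day number, mirroring what chage -l reports."""
    if entry["expire"] is not None and today >= entry["expire"]:
        return "account expired"                                 # chage -E date reached
    lastchg = entry["lastchg"]
    if lastchg == 0:
        return "password change required at next login"          # chage -d 0
    if lastchg is None:
        return "no aging information"                            # empty field disables aging
    mx = entry["max"]
    if mx is None or mx >= 99999:
        return "password never expires"                          # the default -M 99999
    expires_on = lastchg + mx
    if today >= expires_on:
        inact = entry["inactive"]
        if inact is not None and today >= expires_on + inact:
            return "password expired and account inactive (locked)"   # chage -I reached
        return "password expired; change required"
    left = expires_on - today
    if left <= (entry["warn"] or 0):
        return f"password expires in {left} days (warning period)"  # chage -W window
    return f"password expires in {left} days"


if __name__ == "__main__":
    e = parse_shadow_line(SAMPLE)
    print(e["name"], e["algorithm"], "last change", day_to_date(e["lastchg"]))
    print(aging_status(dict(e, max=90, warn=7, inactive=14), e["lastchg"] + 85))
```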
#usermod
ACL
#getfacl file
#setfacl -m u:user:rw filename >>grants rw to user
#setfacl -m g:group:rw filename >>grants rw to group
#setfacl -x u:user filename >>removes the existing ACL entry for user
#ls -ld file >>display group permissions which reflect the current ACL mask
#setfacl -m d:u:user:rw directory
- ACL mount option #tune2fs -l /dev/block-dev |grep 'Default mount'
Default mount options: user_xattr acl
to turn on acl support
#tune2fs -o acl,user_xattr /dev/block-dev
Example#1
setfacl -m g:2group:r-x dir
setfacl -m d:g:2group:r-x dir
#chmod 2770 /dir - or - #chmod g+s /dir
Example#2
#mkdir /opt/research
#chgrp grads /opt/research
#chmod 2770 /opt/research
#setfacl -m g:profs:rwx /opt/research
#setfacl -m g:interns:rx /opt/research
#setfacl -m d:g:profs:rwx /opt/research
#setfacl -m d:o::- /opt/research
Authentication Management
- Network authentication Using LDAP
Packages: openldap_x.x.x, nss_pass_ldap_x_x_x, openldap_client_x.x.x
#system-config-authentication
User Account Database: ldap
Ldap base search DN: dc=domain,dc=com
LDAP server: FQDN of the LDAP server
Check the Box use TLS encryption
Add the correct URL that points to the ladpcertificate.pem file; normally this file is located on a web server
(https://internal.webserver.com/ladpcertificate.pem)
Authentication configuration: ldap
#mkdir /home/guests
#vim /etc/auto.master
/home/guests auto.guests
#vim /etc/auto.guests
* -rw,soft,rsize=8192,wsize=8192 serverX:/home/guest/&
#/etc/init.d/autofs reload
vim /etc/sysconfig/autofs and uncomment the LDAP sections to enable autofs with LDAP
- check that the sssd service is running; edit /etc/sssd/sssd.conf [ enumerate = True ]; #service sssd restart
-getent passwd username >>to verify the account info being used
Kerberos Configuration
. kerberos Realm - the set of machines that all use the same KDCs (Kerberos authentication server) for authentication.
. KDC - key Distribution Center - Central servers that store information about Kerberos passwords and issue Kerberos tickets
ldapuser2 -rw instructor.example.com:/home/guests/ldapuser2
ldapuser3 -rw instructor.example.com:/home/guests/ldapuser3
- or: * -rw instructor.example.com:/home/guests/&
Due to a bug in the autofs package, use the command service autofs reload instead of #service autofs restart
INSTALLATION, KICKSTART AND VIRTUALIZATION
Create kickstart file by modifying a Template
/root/anaconda-ks.cfg
Kickstart file parameters
%packages (packages and yum group list)
%pre (script that runs before the install starts)
%post (script that runs after the install completes, before the reboot)
#system-config-kickstart (kickstart GUI tool)
#ksvalidator file.ks (check Kickstart file syntax)
#yum whatprovides *bin/ksvalidator
#yum install -y pykickstart
#ksvalidator ~/projman.cfg
#yum install -y httpd
#service httpd start
#chkconfig httpd on
#chmod 644 ~/projman.cfg
#cp ~/projman.cfg /var/www/html
KVM (Kernel Based Virtualization)
#grep flags /proc/cpuinfo >>should include svm (secure VM) & vmx (VM extensions) & lm (long mode)
#virt-manager
#virsh start VMname
#virsh shutdown VMname
#virsh destroy VMname
#virsh console VMname >>connect to the console of a VM
#virsh autostart VMname
#virsh list --all
Boot Management
#cat /boot/grub/grub.conf >>Second stage of Grub
#who -r >>view current runlevel
#init runlevel# >>change runlevel
#vi /etc/inittab >>change runlevel
What is the order of startup from powering on to login prompt?
9 steps BIOS/UEFI
Hard Disk
MBR
GRUB :/boot/grub/grub.conf
Kernel loaded by GRUB
Init (first Linux Process)
Open /etc/inittab to see which runlevel to load (say it is 3 here)
On "startup": move to /etc/rc3.d and run the numbered links in order (they point to the scripts in /etc/init.d) >> send runlevel event
The DNAT target can only be used in the PREROUTING chain and the OUTPUT chain of the nat table
To enable forwarding persistently across reboots, add net.ipv4.ip_forward = 1 to /etc/sysctl.conf and run
sysctl -p
NTP Server Configuration
Public NTP servers are available from www.pool.ntp.org
Main parameters in /etc/ntp.conf: server, peer, and restrict
[root@serverX ~]#/etc/init.d/ntpd status
[root@serverX ~]#system-config-date >>gui windows
configure the firewall to allow incoming NTP packets:
iptables -I INPUT -p udp --dport 123 -j ACCEPT
[root@serverX ~]#ntpq -p >>Monitor NTP Synchronization
[root@serverX ~]#vim /etc/ntp.conf >> add the NTP servers and add "prefer" to calculate the average time between the 4 servers
server 0.it.pool.ntp.org prefer
server 1.it.pool.ntp.org
server 2.it.pool.ntp.org
server 3.it.pool.ntp.org
[root@serverX ~]#service ntpd restart
-Reverse lookup
IP --> name
The client has an IP and asks for the name.
-Forward lookup (forward query)
name --> IP
-Recursive lookup >>good in a small network
The client asks the TE-data DNS about www.yahoo.com. The root DNS tells the TE-data DNS where com is.
Then TE-data asks the com DNS about yahoo, and com replies to the TE-data DNS.
The TE-data DNS asks yahoo about www, and yahoo replies to TE-data.
Then TE-data replies to the client with the answer for www.yahoo.com.
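The walk described above (client asks the ISP's resolver once; the resolver asks root, then com, then yahoo) is easier to follow as a small simulation. The following is an added shell example, not from the study guide: it holds a constructed delegation table (the server names and the 203.0.113.10 address are placeholders, not real records) and walks the labels of a name from the root down, printing each query and referral the resolver would send before it answers the client.

```shell
#!/bin/sh
# Added example, not from the study guide: simulate the iterative queries a
# recursive resolver (the "TE-data DNS" in the text) makes on a client's behalf.
# Delegation data is constructed for the demo; 203.0.113.10 is a documentation address.

DNS_SIM_TABLE='
.               NS  a.root-servers.net.
com.            NS  a.gtld-servers.net.
yahoo.com.      NS  ns1.yahoo.com.
www.yahoo.com.  A   203.0.113.10
'

# sim_lookup OWNER TYPE -> prints the value of the matching record (empty if none)
sim_lookup() {
    printf '%s\n' "$DNS_SIM_TABLE" |
        awk -v o="$1" -v t="$2" '$1 == o && $2 == t { print $3; exit }'
}

# resolve_iteratively FQDN -> prints one line per query the resolver sends,
# then "answer <ip>"; returns 1 if the name does not exist in the table.
# FQDN must be absolute (end with a dot), e.g. www.yahoo.com.
resolve_iteratively() {
    name=$1
    server=$(sim_lookup . NS)        # every resolver starts from the root hints (named.ca)
    zone=""
    # Walk the labels right to left: com -> yahoo -> www
    labels=$(printf '%s' "${name%.}" | tr '.' '\n' |
             awk '{ l[NR] = $0 } END { for (i = NR; i > 0; i--) print l[i] }')
    for label in $labels; do
        child="${label}.${zone}"
        addr=$(sim_lookup "$child" A)
        if [ -n "$addr" ]; then
            # The server for this zone is authoritative for the name: final answer
            printf 'query %s at %s -> answer\n' "$name" "$server"
            printf 'answer %s\n' "$addr"
            return 0
        fi
        ns=$(sim_lookup "$child" NS)
        if [ -z "$ns" ]; then
            printf 'query %s at %s -> no such name (NXDOMAIN)\n' "$name" "$server"
            return 1
        fi
        # Referral: "I do not know www.yahoo.com, but com. is served by ..."
        printf 'query %s at %s -> referral to %s (%s)\n' "$name" "$server" "$child" "$ns"
        server=$ns
        zone=$child
    done
    return 1
}

# resolve_address FQDN -> prints only the final address (what the client receives)
resolve_address() {
    resolve_iteratively "$1" | awk '$1 == "answer" { print $2 }'
}
```

Running resolve_iteratively www.yahoo.com. prints two referrals (root to com, com to yahoo.com) and one answer; the client only ever sees the single reply from its resolver, which is why the guide calls the client side "recursive" and the resolver's side iterative.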
DNS Structure Types
1-Generic Top Level Domain (gTLD)
2-Country Code Top Level Domain (ccTLD)
DNS Communication
-The connection between master and slave (zone transfer) is TCP on port 53.
-The connection between any client and a DNS server [master -or- slave] is UDP on port 53.
DNS Records
-A record: maps a host name to an IPv4 address
-AAAA record: maps a host name to an IPv6 address
-MX record: mail exchanger
-CNAME record: alias for a host name
-SRV record: service
-PTR record (pointer record): maps an IP address to a host name
DNS Installation
-bind's named should run with normal (unprivileged) user and group privileges (the named user and group)
-run bind in a chroot environment to isolate it in its own directory
Bind packages
-bind >>DNS Main pkg
-bind-chroot>>to isolate bind in isolation directory
-bind-utils >>includes tools such as host, dig, nslookup, etc.
-bind-libs
Using Chroot to isolate DNS
/var/named/chroot/etc >>configuration files
/var/named/chroot/var/named >>data files
Bind configuration
-by default the bind configuration file is /etc/named.conf
-data files are under /var/named
-the last line of /etc/sysconfig/named, ROOTDIR=/var/named/chroot, sets the chroot directory
-copy sample files of configuration files and data files to isolated location under chroot dir
[root@serverX ~]#cd /usr/share/doc/bind-9.8.2/sample/
[root@serverX ~]#ls
etc
var
[root@serverX ~]#cp /usr/share/doc/bind-9.8.2/sample/etc/* /var/named/chroot/etc
[root@serverX ~]#cp /usr/share/doc/bind-9.8.2/sample/var/named/* /var/named/chroot/var/named/
[root@serverX ~]#cd /var/named/chroot/
[root@serverX chroot]#chown -R named:named etc/
[root@serverX chroot]#chown -R named:named var/
[root@serverX chroot]#rm /etc/named.conf
[root@serverX chroot]#ln -s /var/named/chroot/etc/named.conf /etc/named.conf
[root@serverX ~]#vim /etc/named.conf
Syntax: option { argument; argument; };
options {
        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // "Working" directory
        dump-file "data/cache_dump.db";
        statistics-file "data/named_stats.txt";
        memstatistics-file "data/named_mem_stats.txt";
        //listen-on port 53 { any; };
        listen-on port 53 { 127.0.0.1; };
        //listen-on-v6 port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        // Access restrictions
        allow-query { any; };
        allow-query-cache { localhost; };
};
********************
allow-query >>use this to build an access control list that allows only specific machines to query the DNS server
- or -
allow-query { any; };
allow-query-cache { any; };
forwarders { 192.168.1.2; }; >>if a query is not answered from the local zones it is sent to the DNS server
with IP 192.168.1.2, which can be your ISP's DNS or your router
listen-on port 53 { 127.0.0.1; 192.168.126.90; }; >>to listen on two interfaces
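The combination allow-query { any; } with allow-query-cache { any; } on a server that listens on a network interface makes it an open resolver: any host on the Internet can use its cache and recursion, which is what DNS amplification abuse relies on. The following is an added shell example, not from the study guide, that pulls the listen-on, allow-query and allow-query-cache lists out of a named.conf (comments stripped, lists allowed to span lines as in the sample above) and reports whether the file describes an open resolver. The two sample configurations are constructed for the demo; the defaults assumed for absent options are BIND 9's and are marked as assumptions in the code.

```shell
#!/bin/sh
# Added example, not from the study guide: read the access-restriction options
# from a named.conf and flag the combination that turns a network-facing
# server into an open resolver. Both sample configs are constructed.

NAMED_CONF_OPEN='options {
    listen-on port 53 { any; };
    allow-query { any; };
    allow-query-cache { any; };
    forwarders { 192.168.1.2; };
};'

NAMED_CONF_RESTRICTED='options {
    //listen-on port 53 { any; };
    listen-on port 53 { 127.0.0.1; 192.168.126.90; };
    allow-query { localhost; 192.168.126.0/24; };
    allow-query-cache
        { localhost; };
};'

# named_acl_value FILE OPTION -> prints the address list inside "OPTION { ... };"
# An optional "port N" between option and brace is accepted (listen-on).
# "//" comments are removed first and newlines joined, so a list may span lines.
named_acl_value() {
    { printf ' '; sed 's|//.*||' "$1"; } | tr '\n' ' ' |
        sed -n -E "s/.*[[:space:];{}]$2([[:space:]]+port[[:space:]]+[0-9]+)?[[:space:]]*\{([^}]*)\}.*/\2/p" |
        sed -E 's/^[[:space:]]+//; s/[[:space:];]+$//'
}

# named_open_resolver_check FILE -> prints a verdict; exit status 1 means "open resolver"
named_open_resolver_check() {
    listen=$(named_acl_value "$1" listen-on)
    query=$(named_acl_value "$1" allow-query)
    cache=$(named_acl_value "$1" allow-query-cache)
    # Assumed BIND 9 defaults when an option is absent:
    #   listen-on -> all interfaces, allow-query -> any,
    #   allow-query-cache -> localnets; localhost
    : "${listen:=any}" "${query:=any}" "${cache:=localnets; localhost}"

    case "$listen" in
        127.0.0.1|localhost)
            echo "listen-on { $listen; }: loopback only, not reachable from the network"
            return 0 ;;
    esac
    if [ "$query" = any ] && [ "$cache" = any ]; then
        echo "OPEN RESOLVER: allow-query { any; } with allow-query-cache { any; } on listen-on { $listen; }"
        return 1
    fi
    echo "restricted: allow-query { $query; }; allow-query-cache { $cache; }"
}

# Usage on a real host: named_open_resolver_check /var/named/chroot/etc/named.conf
```

The check deliberately keys on the two options the guide introduces; allow-query limits who may ask at all, allow-query-cache limits who gets answers out of the cache (that is, the results of recursion). Restricting either to your own networks, as in the second sample, is what closes the resolver to outsiders while still serving your clients.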
named.ca file: this file defines the global ROOT servers (the root hints)
Creating Zones
1-Forward Lookup Zone
[root@serverX ~]#vim /var/named/chroot/etc/named.conf
zone "example.com" IN {
type master;
file "example.com.forward";
};
[root@serverX ~]#cp /var/named/chroot/var/named/named.empty /var/named/chroot/var/named/example.com.forward