
######

# RHCE
######
###########################
# note 1 User Administration
###########################
RHCE-Notes

These are RHCE notes I wrote while studying for the exam. They don't cover all exam
topics; maybe they can help you review what you studied, no more..
User Administration:
- useradd UserName (adduser is only a symlink to useradd on Red Hat, and there is
no deluser there)
- userdel -r UserName (-r also removes the home directory and mail spool)
- usermod: to modify user information (shell, groups, home dir, lock the account
with -L)..
- chage: change password aging and the expiration date of a user account
(chage -l UserName lists the current values).
- always when you use a directory as a share for a group, set the SGID bit so files
created inside inherit the directory's group instead of the creator's primary
group, for ex: chmod 2770 /share-dir

for login/logout scripts and bash, refer to this topic: bash login, startup
scripts and shell initialization files

ACL:
mount the file system with the acl option (add it to the options in /etc/fstab
too, or it is gone after a reboot), ex:
mount -o remount,acl /dev/sda5 /home
as root: touch /home/idle-boy/a
getfacl /home/idle-boy/a
getfacl: Removing leading '/' from absolute path names
# file: home/idle-boy/a
# owner: root
# group: root
user::rw-
group::r--
other::r--
setfacl -m u:idle-boy:rw -m g:idle-boy:rwx /home/idle-boy/a
getfacl /home/idle-boy/a
getfacl: Removing leading '/' from absolute path names
# file: home/idle-boy/a
# owner: root
# group: root
user::rw-
user:idle-boy:rw-
group::r--
group:idle-boy:rwx
mask::rwx
other::r--
note the mask entry: it caps what named users, named groups and the owning group
can get, while the owner and other entries are never masked. once a file has an
ACL, chmod on the group bits changes the mask, so chmod g=r on this file silently
cuts idle-boy's rwx down to r-- (getfacl then shows #effective:r--).
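To see how the mask reshapes the permissions, here is a small checker that works
on getfacl output. It is an added example, not something from the original notes:
acl_effective recomputes each entry after masking, and acl_allows answers whether
a named user still has a given permission. The sample ACL is the one above,
constructed here after a chmod g=r lowered the mask to r--.

```shell
#!/bin/sh
# Recompute the effective permission of every ACL entry once the mask is
# applied, the same way getfacl's "#effective:" comments do.  Reads getfacl
# text on stdin (access ACL only, no "default:" entries) and prints one
# "tag:name:perms:effective" line per entry.
acl_effective() {
  awk -F: '
    /^#/ { next }                              # getfacl header comments
    { sub(/[[:space:]]+#.*$/, "") }            # drop "#effective:" hints if present
    NF < 3 { next }                            # blanks
    { n++; line[n] = $0 }
    $1 == "mask" { mask = $3 }
    END {
      for (i = 1; i <= n; i++) {
        split(line[i], f, ":")
        tag = f[1]; name = f[2]; perm = f[3]; eff = perm
        # The mask caps named users, named groups and the owning group;
        # the owner entry (user::) and other:: are never masked.
        if (mask != "" && (tag == "group" || (tag == "user" && name != ""))) {
          eff = ""
          for (j = 1; j <= 3; j++) {
            c = substr(perm, j, 1)
            eff = eff ((c != "-" && c == substr(mask, j, 1)) ? c : "-")
          }
        }
        printf "%s:%s:%s:%s\n", tag, name, perm, eff
      }
    }'
}

# acl_allows USER r|w|x : exit 0 if USER's named entry still grants that
# permission after masking (reads the same getfacl text on stdin).
acl_allows() {
  acl_effective | awk -F: -v u="$1" -v p="$2" '
    $1 == "user" && $2 == u { found = 1; if (index($4, p)) ok = 1 }
    END { exit (found && ok) ? 0 : 1 }'
}

# Constructed sample: the ACL from the notes above, after "chmod g=r" on the
# file set the mask to r--.
SAMPLE_ACL='user::rw-
user:idle-boy:rw-
group::r--
group:idle-boy:rwx
mask::r--
other::r--'

printf '%s\n' "$SAMPLE_ACL" | acl_effective
printf '%s\n' "$SAMPLE_ACL" | acl_allows idle-boy w || echo "idle-boy can no longer write"
```

Use it on a live file with getfacl /path | acl_allows someuser w; the exit code is
what you want in a script that has to prove an ACL does what the setfacl line
promised.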
Quotas:
- check if the kernel supports quota:
grep CONFIG_QUOTA /boot/config-`uname -r`
you should see:
CONFIG_QUOTA=y
- quota package: quota
Using Quota
two files have to be present in the file system you want to activate quota on:
aquota.user: for user related quota
aquota.group: for group related quota
(the old quota format names them quota.user and quota.group)
to create these files, you need to mount the file system with quota support:
mount -t ext3 /dev/sdaX /mount-point -o remount,usrquota,grpquota
(put usrquota,grpquota in the options field of /etc/fstab as well, otherwise the
remount is lost at the next boot)
now create the files using the quotacheck command:
quotacheck -cugm /mount-point
to activate quota on the mount point use quotaon:
quotaon /mount-point
to edit a user's quota, use the edquota command, for example:
edquota -u f00
to report quota usage use the repquota command (repquota -a for all file systems)..
it's better to automate quotacheck, use a cronjob for that..
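The step that is easy to forget is the permanent one: the quota options belong in
/etc/fstab. This added example (mine, not part of the original notes) edits fstab
text safely, touching only the mount point you name and never duplicating the
options, so it can be re-run; the fstab content is constructed for the demo.

```shell
#!/bin/sh
# Add usrquota,grpquota to the options of one mount point in fstab text (stdin).
# Other lines pass through untouched and the options are never duplicated, so
# the function is safe to run twice.  The edited line is re-joined with single
# spaces, which fstab does not mind.
fstab_add_quota() {   # $1 = mount point, e.g. /home
  awk -v mp="$1" '
    /^[[:space:]]*#/ || NF < 4 { print; next }
    $2 == mp {
      split("", have)
      n = split($4, opts, ",")
      for (i = 1; i <= n; i++) have[opts[i]] = 1
      if (!("usrquota" in have)) $4 = $4 ",usrquota"
      if (!("grpquota" in have)) $4 = $4 ",grpquota"
    }
    { print }'
}

# Constructed fstab in the Red Hat style (not copied from a real system).
SAMPLE_FSTAB='LABEL=/     /        ext3   defaults   1 1
/dev/sda5   /home    ext3   defaults   1 2
tmpfs       /dev/shm tmpfs  defaults   0 0'

printf '%s\n' "$SAMPLE_FSTAB" | fstab_add_quota /home
# On the real box, as root:
#   cp /etc/fstab /etc/fstab.bak
#   fstab_add_quota /home < /etc/fstab > /etc/fstab.new && mv /etc/fstab.new /etc/fstab
#   mount -o remount /home && quotacheck -cugm /home && quotaon /home
```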
###############################
PAM:
A very good book to read about/understand PAM is: Pluggable Authentication Modules
by Kenneth Geisshirt, from Packt Publishing.
you can find information about PAM at this location:
/usr/share/doc/pam-version-num/txts
to prevent all users but root from logging in:
touch /etc/nologin
and /etc/pam.d/login must contain:
account required pam_nologin.so
in the account section, after the auth lines (Red Hat ships it there by default).
if you type a msg in /etc/nologin, the msg will appear after the successful login
(root) and on the failed login of the other users; remove the file to reopen logins.
to control on which ttys root may log in, edit /etc/securetty (pam_securetty.so in
/etc/pam.d/login enforces it; an empty file means no root login on any console,
ssh is governed by PermitRootLogin in sshd_config instead).
Four different types of PAM modules:
- auth: verifies the user is who they claim to be, username/password, tokens..
- account: allows or denies access according to the account policies (ex/ password
expiration date, time of day, nologin)
- password: manages password changes and password policies (strength, history).
- session: applies settings before and after the session (limits, mounting the
home dir, logging)..
###############################
LDAP (client):
needed rpm packages:
openldap, openldap-clients, nss_ldap
two files to be edited:
/etc/ldap.conf: change the following:
host IP                      ldap server ip is written here..
base dc=sqawasmi,dc=com      sets the default base distinguished name, in this
case, sqawasmi.com
ssl start_tls                needed if you want TLS support to encrypt the passwords
(without it the bind password crosses the wire in the clear)..
pam_password                 password change scheme, options are: crypt, nds
and ad
nss_initgroups_ignoreusers root,ldap   don't ask the LDAP server for the
supplemental groups of these local accounts (keeps root usable when the server is
down).
/etc/openldap/ldap.conf (the client library config):
BASE dc=sqawasmi,dc=com      same as base in /etc/ldap.conf
URI ldap://IP                LDAP server ip..
make sure that your client will look at the LDAP server for name and password
lookups, for example:
/etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
(keep files first so local accounts still resolve when the directory is
unreachable)
there are no services to run in the boot process (authconfig does all of the above
for you)..
###############################
NIS (client):
rpm packages: ypbind, yp-tools (portmap must be running, NIS is an RPC service)
to activate the NIS client you need to edit one file:
/etc/yp.conf:
domain NIS-DomainName server NIS-Server
(and set NISDOMAIN=NIS-DomainName in /etc/sysconfig/network so it survives a
reboot)
make sure that your client will look at the NIS server for name and password
lookups, for example, in /etc/nsswitch.conf:
passwd: files nis
shadow: files nis
group: files nis
you need to activate ypbind and also chkconfig it to run at boot..
service ypbind start && chkconfig ypbind on
keep in mind that NIS hands out the password hashes to any host in the domain and
sends them in the clear; know it for the exam, don't deploy it new.
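Both the LDAP and the NIS client end with the same /etc/nsswitch.conf change, so
here is one added helper (mine, not from the original notes) that makes it: it
appends the source to the passwd, shadow and group lines only, keeps files first,
and is a no-op when the source is already there. The nsswitch.conf fragment is
constructed for the demo.

```shell
#!/bin/sh
# Append a lookup source (ldap or nis) to the passwd, shadow and group lines of
# nsswitch.conf text on stdin.  "files" stays first so root and other local
# accounts keep resolving when the directory server is down; the source is
# only appended when it is not already present on the line.
nsswitch_add_source() {   # $1 = ldap | nis
  awk -v src="$1" '
    /^[[:space:]]*#/ { print; next }
    $1 == "passwd:" || $1 == "shadow:" || $1 == "group:" {
      seen = 0
      for (i = 2; i <= NF; i++) if ($i == src) seen = 1
      if (!seen) $0 = $0 " " src     # appending to $0 keeps the original spacing
    }
    { print }'
}

# Constructed nsswitch.conf fragment (only the lines that matter here).
SAMPLE_NSS='passwd: files
shadow: files
group: files
hosts: files dns'

printf '%s\n' "$SAMPLE_NSS" | nsswitch_add_source ldap
# On a real client:
#   nsswitch_add_source nis < /etc/nsswitch.conf > /etc/nsswitch.conf.new
#   and move it into place after looking at the diff.
```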
##############################
NFS
man exports; to see the format of /etc/exports
on server:
/etc/init.d/portmap start && /etc/init.d/nfs start
edit /etc/exports, ex:
/data *.sqawasmi.com(rw,sync) *(ro,sync) 10.0.0.0/24(ro,sync)
(root_squash is the default and maps remote root to nobody; only add
no_root_squash when you really mean that a remote root is root on the export)
exportfs -a (exportfs -rv re-reads the file after you edit it)
on client:
mount -t nfs 10.0.0.1:/data /mnt/share -o soft,timeo=300
(soft mounts return errors instead of hanging, fine for read-only data; for
read-write mounts prefer hard,intr, a soft mount can lose writes)
if you used a hostname in the export, then you need working DNS, forward and
reverse, because the server looks up the client's IP to match it..
to know that everything is running on the server:
rpcinfo -p HOST
show the exports of the server:
showmount -e HOST
put it in the boot process: chkconfig nfs on && chkconfig portmap on
for selinux see man nfs_selinux
securing using iptables:
the NFS helper daemons pick random RPC ports at start, so pin them first:
edit /etc/sysconfig/nfs, and configure the rpc* ports:
LOCKD_TCPPORT=33332
LOCKD_UDPPORT=33333
MOUNTD_PORT=33334
STATD_PORT=33335
in /etc/services put rquotad tcp/udp ports:
rquotad 33330/tcp
rquotad 33331/udp
grep nfs /etc/services
grep portmap /etc/services
then open those ports plus portmap (111) and nfs (2049), tcp and udp, for your
client network only, and restart nfs so the daemons pick the new ports…
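Two added helpers for this section (mine, not from the original notes). The first
reviews an /etc/exports the way you would before the exam grader or an auditor
does: it flags exports with no client list, bare "*" clients, rw to everyone and
no_root_squash. The second turns the pinned ports from /etc/sysconfig/nfs into
the iptables rules the notes leave as "open the ports"; it uses the RQUOTAD_PORT
sysconfig variable rather than the /etc/services edit, which is an assumption
about your nfs-utils. The exports and sysconfig text are constructed.

```shell
#!/bin/sh
# Review /etc/exports text (stdin) for the things that bite: a path with no
# client list, a bare "*" client (everyone), rw handed to everyone, and
# no_root_squash (remote root becomes local root on the export).  Exit 1 if
# anything was flagged.
exports_lint() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    {
      path = $1
      if (NF == 1) { found++; printf "%s: no client list, exported to everyone\n", path; next }
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        if (match(client, /\(.*\)$/)) {          # split "host(opts)"
          opts = substr(client, RSTART + 1, RLENGTH - 2)
          client = substr(client, 1, RSTART - 1)
        }
        everyone = (client == "*" || client == "")
        if (everyone) { found++; printf "%s: wildcard client %s\n", path, $i }
        if (everyone && opts ~ /(^|,)rw(,|$)/) { found++; printf "%s: rw to everyone\n", path }
        if (opts ~ /(^|,)no_root_squash(,|$)/) { found++; printf "%s: no_root_squash for %s\n", path, client }
      }
    }
    END { exit found ? 1 : 0 }'
}

# Turn the pinned ports from /etc/sysconfig/nfs text (stdin) into iptables
# ACCEPT rules for one client network, plus the fixed portmap (111) and nfsd
# (2049) ports.  Print them, review them, then run them or put them in
# /etc/sysconfig/iptables.
nfs_firewall_rules() {   # $1 = client network, e.g. 10.0.0.0/24
  awk -v net="$1" '
    function rule(proto, port) {
      printf "iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n", net, proto, port
    }
    /^[[:space:]]*#/ || !/=/ { next }
    {
      split($0, kv, "="); key = kv[1]; val = kv[2]
      gsub(/"/, "", val); gsub(/[[:space:]]/, "", val)
      if (key == "LOCKD_TCPPORT") rule("tcp", val)
      else if (key == "LOCKD_UDPPORT") rule("udp", val)
      else if (key == "MOUNTD_PORT" || key == "STATD_PORT" || key == "RQUOTAD_PORT") {
        rule("tcp", val); rule("udp", val)
      }
    }
    END { rule("tcp", 111); rule("udp", 111); rule("tcp", 2049); rule("udp", 2049) }'
}

# Constructed inputs: the export line from the notes plus three bad ones, and
# the sysconfig ports from the notes with RQUOTAD_PORT added (assumed to be
# honoured by your rquotad init script; check /etc/init.d/nfs).
SAMPLE_EXPORTS='/data *.sqawasmi.com(rw,sync) *(ro,sync) 10.0.0.0/24(ro,sync)
/srv/build 10.0.0.0/24(rw,sync,no_root_squash)
/pub *(rw)
/tmp'
SAMPLE_SYSCONFIG_NFS='LOCKD_TCPPORT=33332
LOCKD_UDPPORT=33333
MOUNTD_PORT=33334
STATD_PORT=33335
RQUOTAD_PORT=33330'

printf '%s\n' "$SAMPLE_EXPORTS" | exports_lint || echo "exports need attention"
printf '%s\n' "$SAMPLE_SYSCONFIG_NFS" | nfs_firewall_rules 10.0.0.0/24
```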
###################################
vsFTPD:
configuration file: /etc/vsftpd/vsftpd.conf
enable anonymous access:
anonymous_enable=YES
allow writes (this applies to local users; anonymous uploads additionally need
anon_upload_enable=YES):
write_enable=YES
enable local users login:
local_enable=YES
to enable pam authentication:
pam_service_name=vsftpd
honour the access control of tcp_wrappers (hosts.allow/hosts.deny):
tcp_wrappers=YES
welcome msg:
ftpd_banner=Welcome..
or in the user's home directory, in .message, but you need to enable:
dirmessage_enable=YES
controlling who can log in using the /etc/vsftpd/user_list file:
userlist_enable=YES
with userlist_deny=YES (the default) the users in the file are refused, before the
password is even asked for; with userlist_deny=NO only the users in the file may
log in
(pam also checks /etc/vsftpd/ftpusers: the names listed there are denied)
local users are not chrooted unless you set chroot_local_user=YES
for selinux see man ftpd_selinux
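Because most of these knobs have a compiled-in default that applies when the line
is missing, reading the file by eye is unreliable. This added checker (mine, not
from the original notes) evaluates a vsftpd.conf with the defaults filled in and
prints what widens exposure; the sample config is constructed from exact the
directives listed above.

```shell
#!/bin/sh
# Read a vsftpd.conf (stdin, key=value lines, # comments) and report the
# settings that widen exposure.  Keys absent from the file fall back to
# vsftpd's compiled defaults (anonymous_enable=YES, userlist_deny=YES, the
# rest NO), which is what catches the "I never set it" cases.  Exit 1 if
# anything was flagged.
vsftpd_lint() {
  awk -F= '
    function yes(k, dflt) {                   # YES/NO with a default
      return (k in cfg) ? (toupper(cfg[k]) == "YES") : dflt
    }
    /^[[:space:]]*#/ || NF < 2 { next }
    {
      k = tolower($1); gsub(/[[:space:]]/, "", k)
      v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      cfg[k] = v
    }
    END {
      if (yes("anonymous_enable", 1)) {
        n++; print "anonymous login is enabled"
        if (yes("write_enable", 0) && (yes("anon_upload_enable", 0) || yes("anon_mkdir_write_enable", 0))) {
          n++; print "anonymous users can upload or create directories"
        }
      }
      if (yes("local_enable", 0) && !yes("chroot_local_user", 0)) {
        n++; print "local users are not chrooted: they can browse the whole file system"
      }
      if (yes("userlist_enable", 0))
        print (yes("userlist_deny", 1) ? "note: /etc/vsftpd/user_list is a deny list" : "note: only users in /etc/vsftpd/user_list may log in")
      if (!yes("ssl_enable", 0)) { n++; print "no TLS: FTP passwords cross the wire in clear" }
      exit n ? 1 : 0
    }'
}

# Constructed config made of exactly the directives listed in the notes above.
SAMPLE_VSFTPD='anonymous_enable=YES
write_enable=YES
local_enable=YES
pam_service_name=vsftpd
tcp_wrappers=YES
userlist_enable=YES
dirmessage_enable=YES'

printf '%s\n' "$SAMPLE_VSFTPD" | vsftpd_lint || echo "(exit 1: findings above)"
```

Run it as vsftpd_lint < /etc/vsftpd/vsftpd.conf; a clean config returns 0, which
makes it usable as a pre-restart check in a script.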
#####################################
DNS
install bind bind-utils caching-nameserver, and bind-chroot if you need it in a
chrooted environment (then the files live under /var/named/chroot/)..
Caching Name Server:
cp /etc/named.caching-nameserver.conf /etc/named.conf
edit /etc/named.conf and change the following as you like:
listen-on port 53 { 127.0.0.1; }; // for example: listen-on port 53 { 127.0.0.1;
10.0.0.1; };
allow-query { localhost; }; // ex: allow-query { localhost; 10.0.0.0/24; }; to
serve the 10.0.0.0/24 network (don't use { any; } on a recursive server, that
makes it an open resolver for the whole internet)
service named start
chkconfig named on
Slave Name Server:
same as the caching file but add a zone (look at /etc/named.rfc1912.zones) for your
domain and its master server, for example:
zone "sqawasmi.com" IN {
type slave;
file "slaves/sqawasmi.com";
masters {
10.0.0.1;
};
};
also you may add another zone for ptr, example:
zone "0.0.10.in-addr.arpa" IN {
type slave;
file "slaves/sqawasmi.rr.com";
masters {
10.0.0.1;
};
};
(the slaves/ directory is the one named can write to; the master must also
allow-transfer to this slave's address)
A Forwarding Only Name Server:
you need to add two things into options:
forward only;
forwarders {
10.0.0.1;
10.0.0.2;
};
Master Name Server:
selinux: setsebool -P named_write_master_zones 1 (only needed when named itself
writes the master zone files, i.e. dynamic updates; static zones don't need it)
(look at /etc/named.rfc1912.zones) add a zone of type master for your domain, for
example:
zone "sqawasmi.com" IN {
type master;
file "sqawasmi.com.zone";
allow-transfer { 10.0.0.2; }; // your slave's address, not the default any
};
also you may add another zone for ptr, example:
zone "0.0.10.in-addr.arpa" IN {
type master;
file "sqawasmi.com.rr.zone";
allow-transfer { 10.0.0.2; };
};
now you need to create the zone files under /var/named, you can use
/var/named/localhost.zone as a template for your zone, for example:
/var/named/sqawasmi.com.zone
$TTL 86400
@ IN SOA @ root.sqawasmi.com. (
42 ; serial (d. adams) - increase it on every edit or the slaves never transfer
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS @
IN A 10.0.0.10
blog IN A 10.0.0.1
other IN A 10.0.0.2
IN AAAA ::1 ; leftover from the localhost.zone template, drop it
(the second SOA field is the responsible mailbox with the @ written as a dot, so
root.sqawasmi.com. means root@sqawasmi.com; a line without an owner name inherits
the previous owner, here @, which is why the A record above lands on the apex)
for the ptr zone:
/var/named/sqawasmi.com.rr.zone
$TTL 86400
@ IN SOA @ root.sqawasmi.com. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS sqawasmi.com.
10 IN PTR sqawasmi.com.
1 IN PTR blog.sqawasmi.com.
2 IN PTR other.sqawasmi.com.
(NS must name a host that has an A record; @ in this file would be
0.0.10.in-addr.arpa, which has none)
check both before restarting: named-checkconf, then
named-checkzone sqawasmi.com /var/named/sqawasmi.com.zone
finally you have to create an rndc key, use this:
rndc-confgen -a -b 512
add this to your named.conf file:
include "/etc/rndc.key";
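The reverse zone is where forward and reverse drift apart, because it is typed by
hand from the A records. Here is an added helper (mine, not from the original
notes) that generates the PTR records of a /24 reverse zone from a forward zone
file; it follows the owner-inheritance rule explained above and skips the
multi-line SOA. The forward zone below is a constructed copy of the one in the
notes with normal indentation; the /24 assumption means it only uses the last
octet.

```shell
#!/bin/sh
# Derive the PTR records of a /24 reverse zone from a forward zone file
# (stdin), so the in-addr.arpa zone is generated from the A records instead
# of being typed twice and drifting.  $1 = zone name without the trailing dot.
# Owner-less records (leading whitespace, or a line starting with IN) inherit
# the previous owner, exactly as named reads them; the multi-line SOA is
# skipped by tracking its parentheses.
ptr_from_zone() {
  awk -v zone="$1" '
    /^[[:space:]]*;/ || /^\$/ || NF == 0 { next }      # comments, $TTL/$ORIGIN, blanks
    {
      if (inparen) { if (index($0, ")")) inparen = 0; next }
      if ($0 ~ /^[[:space:]]/ || $1 == "IN") i = 1; else { owner = $1; i = 2 }
      if (index($0, "(") && !index($0, ")")) inparen = 1
      if ($i != "IN" || $(i + 1) != "A") next
      split($(i + 2), o, ".")                            # last octet = PTR owner in a /24
      fqdn = (owner == "@") ? zone "." : owner "." zone "."
      printf "%s\tIN\tPTR\t%s\n", o[4], fqdn
    }'
}

# Constructed copy of the forward zone from the notes (same names and
# addresses, indented the way a zone file normally is).
SAMPLE_ZONE='$TTL 86400
@       IN SOA  @ root.sqawasmi.com. (
                42      ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        IN NS   @
        IN A    10.0.0.10
blog    IN A    10.0.0.1
other   IN A    10.0.0.2'

printf '%s\n' "$SAMPLE_ZONE" | ptr_from_zone sqawasmi.com
# Real use: ptr_from_zone sqawasmi.com < /var/named/sqawasmi.com.zone, paste the
# output under the SOA/NS header of sqawasmi.com.rr.zone, bump both serials, then
# named-checkzone 0.0.10.in-addr.arpa /var/named/sqawasmi.com.rr.zone
```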
###################################
NTP
Client:
choose one of the servers listed in /etc/ntp.conf, then:
ntpdate 0.rhel.pool.ntp.org (one-shot sync before the daemon starts; ntpd refuses
to correct a clock that is more than about 1000 seconds off)
/etc/init.d/ntpd start
chkconfig ntpd on
server:
allow the other hosts in your network to sync from you, in /etc/ntp.conf:
restrict 10.0.0.0 mask 255.255.255.0 nomodify notrap
or you can allow one client:
restrict 10.0.0.2 mask 255.255.255.255 nomodify notrap
(nomodify notrap let the clients ask for time but not reconfigure or trap the
daemon; the "restrict default" line decides what everybody else may do, leave it
as shipped)
####################################
DHCP
Server:
package: dhcp
configuration file: /etc/dhcpd.conf (empty after install)
see: /usr/share/doc/dhcp-*/dhcpd.conf.sample, copy it to /etc/dhcpd.conf and
edit the subnet/range/routers/domain-name-servers, then
service dhcpd start && chkconfig dhcpd on
Client:
package: dhclient
set BOOTPROTO=dhcp in /etc/sysconfig/network-scripts/ifcfg-eth0
####################################
SQUID
configuration file: /etc/squid/squid.conf, it has a lot of explanation…
port number:
http_port 3128
don't cache URLs containing cgi-bin or ?:
use the hierarchy_stoplist directive and urlpath_regex in an acl
hierarchy_stoplist cgi-bin ?
acl DontCache urlpath_regex cgi-bin \?
cache deny DontCache
specify freshness for a service:
you can use the refresh_pattern directive:
refresh_pattern regex Min Percent Max
where
Min: is the time (in minutes) an object without an explicit expiry time should be
considered fresh.
Max: is an upper limit (in minutes) on how long objects without an explicit expiry
time will be considered fresh.
example:
refresh_pattern ^ftp: 1440 20% 10080
use acl with src to define your networks, ex:
acl my_lan src 10.0.0.0/24
use http_access to allow or deny all, networks, hosts, or ports. the rules are
checked in order and the first match wins, so the specific allows go before the
final deny, for example, allow my_lan and deny others:
http_access allow my_lan
http_access deny all
specify the local computer name:
visible_hostname LocalComputerName
to create the cache directories in /var/spool/squid use:
squid -z
transparent proxy with iptables, redirect port 80 arriving on the inside interface
(eth0 here) to squid; squid must be told about it: http_port 3128 transparent
(squid 2.6, "intercept" in 3.1 and later):
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
for selinux see the *_selinux man pages (man -k _selinux)
####################################
sendmail, Postfix and dovecot:
sendmail:
add your domain into /etc/mail/local-host-names
vi /etc/mail/sendmail.mc
allow other computers to use your sendmail server (by default it listens on
127.0.0.1 only), comment out the following:
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
don't accept mail from unresolvable sender domains, comment out the following:
dnl FEATURE(`accept_unresolvable_domains')dnl
edit /etc/mail/access to relay/reject/discard by domain or client address, for
example
example.org        REJECT
deny.sqawasmi.com  REJECT
sqawasmi.com       RELAY
10.0.0             RELAY
(a bare domain with RELAY also matches forged senders @sqawasmi.com; relay by
client network like the 10.0.0 line, or write Connect:sqawasmi.com RELAY to match
the connecting host only)
edit /etc/aliases for aliasing and then run the newaliases command
me: shaker
idle: shaker
~ # newaliases
/etc/mail/virtusertable is used to map virtual addresses to real addresses
send through another host (relay all outgoing mail via a smart host):
define(`SMART_HOST', `smtp.sqawasmi.com')dnl
that server has to allow relaying from you in its own /etc/mail/access
make -C /etc/mail/ (rebuilds sendmail.cf and the access/virtusertable maps), then
service sendmail restart
Postfix:
configuration file: /etc/postfix/main.cf
edit variables:
myhostname: the FQDN this host announces in the SMTP greeting…
mydomain: your domain name
myorigin: the domain appended to local sender addresses, for example sqawasmi.com,
then all mail from shaker goes out as shaker@sqawasmi.com
inet_interfaces: which interfaces to listen on (default localhost only; set it to
all to accept mail from other hosts)
mydestination: specifies the list of domains that this machine considers itself
the final destination for.
mynetworks: specifies the list of trusted smtp clients that may relay through
you; keep it to your own subnets or you are an open relay.
access rules go in /etc/postfix/access (run postmap on it and reference it from
smtpd_client_restrictions or smtpd_sender_restrictions)
virtual addresses: /etc/postfix/virtual, you need to run postmap /etc/postfix/virtual
and set virtual_alias_maps = hash:/etc/postfix/virtual
postfix check; service postfix reload
switch the system MTA from sendmail to postfix with: alternatives --config mta
Dovecot:
configuration file:
/etc/dovecot.conf
variables:
protocols: choose the protocols you want to serve (imap imaps pop3 pop3s)..
listen: if you don't use the standard ports
ssl_listen: same as above for the ssl ports…
activate ssl:
ssl_disable = no
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
creating ssl certificates:
you need to edit the /etc/pki/dovecot/dovecot-openssl.cnf file as required (CN must
be the name the clients connect to), then
issue this command:
/usr/share/doc/dovecot-versionNumber/examples/mkcert.sh
(it refuses to overwrite an existing dovecot.pem, remove the old one first; the
result is self-signed, so clients will warn until you import or replace it)
/etc/init.d/dovecot start && chkconfig dovecot on
####################################
tcp_wrappers
two files:
/etc/hosts.allow: tcp_wrappers looks at this one first, if it finds a match for the
service it grants access and no further search is done, if there is no match in
that file then it continues to read the next file:
/etc/hosts.deny: if it finds a match then access is denied, if no match then access
is automatically granted (so an empty hosts.deny means everything is open; a
final "ALL : ALL" there makes the policy default-deny).
only wrapped services honour these files: xinetd services and daemons linked with
libwrap such as sshd, vsftpd (tcp_wrappers=YES), portmap and nfs.
format:
daemon_list : client_list
for example:
/etc/hosts.allow:
sshd : 10.0.0.2
/etc/hosts.deny:
sshd : ALL
depending on those files, ssh login is permitted just for the 10.0.0.2 host.
you can use a subnet or a domain like this:
/etc/hosts.allow:
sshd : 10.0.0.0/255.255.255.0, .sqawasmi.com
/etc/hosts.deny:
sshd : ALL
depending on those files, ssh login is permitted for the 10.0.0.0/24 network and all
computers in the sqawasmi.com domain (domain matching relies on reverse DNS; prefer
address patterns where you can).
you can use the EXCEPT operator to exclude hosts/networks or daemons, ex:
sshd : .sqawasmi.com EXCEPT nossh.sqawasmi.com
twist or spawn run a command to send messages, track access and log problems.. ex:
/etc/hosts.deny
sshd : nossh.sqawasmi.com : twist /bin/echo %c not allowed
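The allow-then-deny-then-default-allow order is the part people get wrong, so here
is an added evaluator (mine, not from the original notes) that applies the rules
exactly as described above to a daemon and client and prints the verdict. It
handles ALL, exact hosts, ".domain" suffixes, "10.0.0." prefixes and net/mask in
dotted or /N form; EXCEPT is not parsed, and the bitwise AND is written out
because POSIX awk has none. The hosts.allow and hosts.deny contents are the
second example from the notes.

```shell
#!/bin/sh
# Evaluate tcp_wrappers' decision for a daemon and client against the text of
# hosts.allow and hosts.deny: a match in hosts.allow grants, otherwise a match
# in hosts.deny refuses, otherwise access is granted.
_tcpw_match() {   # $1 = file text, $2 = daemon, $3 = client; exit 0 on a match
  printf '%s\n' "$1" | awk -v d="$2" -v c="$3" '
    function band(a, b,  r, bit) {              # bitwise AND, POSIX awk has none
      r = 0; bit = 1
      while (a > 0 && b > 0) {
        if (a % 2 == 1 && b % 2 == 1) r += bit
        a = int(a / 2); b = int(b / 2); bit *= 2
      }
      return r
    }
    function maskoct(m, i,  rem, mq) {          # octet i of a /N or dotted mask
      if (m ~ /^[0-9]+$/) {
        rem = m - 8 * (i - 1)
        return rem >= 8 ? 255 : (rem <= 0 ? 0 : 256 - 2 ^ (8 - rem))
      }
      split(m, mq, "."); return mq[i] + 0
    }
    function netmatch(p, v,  nm, nq, vq, i) {
      if (split(p, nm, "/") != 2 || v !~ /^[0-9.]+$/) return 0
      split(nm[1], nq, "."); split(v, vq, ".")
      for (i = 1; i <= 4; i++)
        if (band(vq[i], maskoct(nm[2], i)) != nq[i] + 0) return 0
      return 1
    }
    function pat_ok(p, v) {
      if (p == "ALL" || p == v) return 1
      if (p ~ /^\./) return substr(v, length(v) - length(p) + 1) == p   # .domain
      if (p ~ /\.$/) return index(v, p) == 1                             # 10.0.0.
      if (index(p, "/")) return netmatch(p, v)                           # net/mask
      return 0
    }
    /^[[:space:]]*#/ || NF == 0 { next }
    {
      if (split($0, part, ":") < 2) next       # daemon_list : client_list [: cmd]
      nd = split(part[1], dl, /[ \t,]+/); ok = 0
      for (i = 1; i <= nd; i++) if (dl[i] != "" && pat_ok(dl[i], d)) ok = 1
      if (!ok) next
      nc = split(part[2], cl, /[ \t,]+/)
      for (i = 1; i <= nc; i++) if (cl[i] != "" && pat_ok(cl[i], c)) { found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

tcpw_decide() {   # $1 = hosts.allow text, $2 = hosts.deny text, $3 = daemon, $4 = client
  if _tcpw_match "$1" "$3" "$4"; then echo allow; return 0; fi
  if _tcpw_match "$2" "$3" "$4"; then echo deny; return 1; fi
  echo allow                                  # no match anywhere: wrappers let it in
}

# The second example from the notes, as constructed file contents.
ALLOW='sshd : 10.0.0.0/255.255.255.0, .sqawasmi.com'
DENY='sshd : ALL'

for client in 10.0.0.2 10.0.1.7 pc.sqawasmi.com; do
  printf 'sshd from %-16s -> ' "$client"; tcpw_decide "$ALLOW" "$DENY" sshd "$client"
done
# vsftpd is not mentioned in either file, so it is allowed from anywhere:
printf 'vsftpd from 198.51.100.9 -> '; tcpw_decide "$ALLOW" "$DENY" vsftpd 198.51.100.9
```

The last line is the trap the notes hint at: a deny line for one daemon protects
only that daemon. Feed the real files with tcpw_decide "$(cat /etc/hosts.allow)"
"$(cat /etc/hosts.deny)" sshd 10.0.0.2 when you want to confirm what a change does
before an exam grader or an attacker does.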

###################
# note 2 login-bash
###################

bash loging, startup scripts and shell initialization files


ok, i will talk about bash,
When a user logs in, environment variables are set from various places.
the login sequence goes like this:
login consults /etc/passwd, /etc/shadow and /etc/group to authenticate the user
and find the home directory and the login shell,
then the shell runs /etc/profile,
which sources all the files that end with .sh in the /etc/profile.d directory,
then bash will look for ~/.bash_profile, ~/.bash_login, and ~/.profile, in that
order, and reads and executes commands from the first one that exists and is
readable. (i.e if ~/.bash_profile does not exist then bash will look for
~/.bash_login then ~/.profile and sources that instead). on Red Hat the default
~/.bash_profile sources ~/.bashrc, and ~/.bashrc sources /etc/bashrc; aliases and
functions live there because they are not inherited by child shells.
a new interactive shell that is not a login shell (a terminal window) reads only
~/.bashrc.
at logout ~/.bash_logout may run
bash command history is kept in ~/.bash_history
some of these scripts may not exist on your system (~/.bash_profile,
~/.bash_login, ~/.profile, ~/.bashrc, /etc/bashrc and ~/.bash_logout),
let us explain them:

1. /etc/passwd
/etc/passwd file contains basic user attributes. This is an ASCII file that
contains an entry for each user. Each entry defines the basic attributes applied
to a user.
An entry in the /etc/passwd file has the following form (one entry per line):
Name:Password:UID:GID:GECOS:HomeDirectory:Shell
For security reasons, most Linux distributions no longer store the password hash in
this file, which everyone can read; the field holds an x and the hash lives in
/etc/shadow, readable by root only.
A corrupt /etc/passwd file can easily render a Linux box unusable.
for more info about /etc/passwd see:
manpages: man 5 passwd
2. /etc/shadow
shadow contains the hashed password of each user account and, optionally, the
password aging information (account and password expiration values, etc).
for more info:
manpages: man 5 shadow
http://db.assam-glug.org/documentations/Linux-admin-made-easy/shadow-file-formats.html

3. /etc/group
/etc/group is an ASCII file which defines the groups to which users belong. There
is one entry per line, and each line has the format:
group_name:passwd:GID:user1,user2,user3….userN
as you see, you have to separate each user with a comma.
for more info see:
manpages: man 5 group
4. /etc/profile
/etc/profile file contains system wide environment stuff and startup programs, all
settings that you want to apply to all your users environments should be in this
file.
5. /etc/profile.d/*.sh
/etc/profile.d is a good place to put application specific settings and their
environment variables.
6. ~/.bash_profile, ~/.bash_login, and ~/.profile
they can be used like the /etc/profile file but for a specific user… they hold
user-specific environment defaults, extra configuration options or changed default
settings.
bash will look for ~/.bash_profile, ~/.bash_login, and ~/.profile, in that order,
and reads and executes commands from the first one that exists and is readable.
~/.profile is good when you also use another Bourne-style shell (like sh or ksh)
that will not understand bash-specific commands and only looks for this file.
* ~/.bashrc
this file is used for user-specific aliases, exports and user functions.
~/.bashrc might point to /etc/bashrc to run global things.
finally, maybe you would like to know that when you create a new user, the home
directory for that user is initialised with files from the /etc/skel directory
(i.e the /etc/skel directory contains subdirectories and files used to populate a
new user's home directory). The system administrator can create files in the
/etc/skel/ directory that will provide a default environment for users.
i don't know a good site talking about that, but take a look at this one:
http://www.faqs.org/docs/linux_admin/x2331.html
to understand them better (/etc/profile, ~/.bash_profile, ~/.bash_login,
~/.profile, ~/.bashrc, /etc/bashrc and ~/.bash_logout) these sites may help:
http://www.faqs.org/docs/abs/HTML/files.html
http://www.faqs.org/docs/securing/chap6sec64.html
http://tldp.org/LDP/Bash-Beginners-Guide/html/sect_03_01.html
http://www.linux-migration.org/ch02s03.html
http://www.gnu.org/software/bash/manual/bash.html
http://www.comptechdoc.org/os/linux/usersguide/linux_ugenvironment.html
http://www.linuxfromscratch.org/blfs/view/6.1/postlfs/profile.html
######################
# note 3 SMTP, n/w,IP
######################
Study Notes

Here are the brief steps from my RHCE study guide to help you remember the steps
to configure a virtual host, and configure permissions.

* HTTP/HTTPS
install httpd, check the SELinux context with ls -Z
Q: Create a virtual host www1.example.com w/ subdirectory /var/www/html/www1
A:
1) install httpd, modify the /etc/httpd/conf/httpd.conf file (name-based virtual
hosts need the NameVirtualHost line for that address:port, or Apache serves the
first host for every name)
NameVirtualHost 192.168.0.1:80
<VirtualHost 192.168.0.1:80>
ServerName www1.example.com
DocumentRoot /var/www/html/www1
</VirtualHost>
2) mkdir -p /var/www/html/www1, then give it the same context as the parent:
chcon -R --reference /var/www/html /var/www/html/www1
(content anywhere outside /var/www needs httpd_sys_content_t the same way)
3) service httpd restart
4) chkconfig httpd on
Testing
service httpd configtest
ls -Z /var/www/html/www1
curl -H 'Host: www1.example.com' http://192.168.0.1/ (works before DNS is set up)

The important things to remember are "chcon" to change the context, and "ls -Z" to
check it.

How to Hide Files and Directories in Linux


In Linux, the contents of a file system are not accessible until the device is
mounted. This is usually done at startup by the mount command, which uses the
/etc/fstab file.

Files that start with a dot "." are hidden, but not completely (you can do ls -a
to see them). An example is the ~/.bashrc file. You can also hide files in a
directory whose name starts with a dot, e.g. ~/.ssh

Now for the real trick

Entire directories can be hidden, simply by mounting another device on top of the
directory. The original files will still be intact on the underlying file system,
but not visible until the device is unmounted. It is not very stealthy, though:
the extra mount shows up in mount, /proc/mounts and /etc/mtab, the files are still
on the disk for anyone who unmounts or images it, and a mount sitting on an odd
directory is exactly what a forensic examiner looks for.
First, find a device that is available to mount (boot is nice, because it is
usually small). Mounting needs root, hence the # prompt.

# mount
/dev/hda1 on /boot type ext3 (rw)
...
etc...

Then make your stealth directory, copy files to it, and mount a device over it.

# cd /mnt
# mkdir stealth
# touch /mnt/stealth/somefile.txt
# ls /mnt/stealth/
somefile.txt
# mount -t ext3 /dev/hda1 /mnt/stealth
# ls /mnt/stealth/
config-2.6.9-5.EL     initrd-2.6.9-5.EL.img     message     System.map-2.6.9-5.ELsmp
config-2.6.9-5.ELsmp  initrd-2.6.9-5.ELsmp.img  message.ja  vmlinuz-2.6.9-5.EL
grub                  lost+found                System.map-2.6.9-5.EL  vmlinuz-2.6.9-5.ELsmp

Then simply unmount when you want to access your original files

# umount /mnt/stealth/
# ls /mnt/stealth/
somefile.txt
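The detection side of that trick, as an added example (mine, not from the original
post): is_mountpoint says whether something is mounted on a directory, and
mounts_under lists every mount point below a prefix from the live mount table, so
a sweep of /mnt or /home shows the "stealth" mount right away. Neither needs
root; the /proc/mounts fallback to mount is an assumption about where the mount
table is readable on your system.

```shell
#!/bin/sh
# is_mountpoint: is DIR itself a mount point (i.e. is something mounted over
# it, hiding whatever was underneath)?  Compares the canonical path with the
# mount point column of df -P, so it needs neither root nor mountpoint(1).
is_mountpoint() {   # $1 = directory; exit 0 if it is a mount point
  dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2
  # df -P prints the mount point of the filesystem holding DIR in the last
  # column; it equals DIR only when DIR is itself the mount point.
  [ "$(df -P "$dir" | awk 'NR == 2 { print $NF }')" = "$dir" ]
}

# mounts_under: every mount point at or below PREFIX, from /proc/mounts when
# it is readable (Linux), otherwise parsed out of mount's output.
mounts_under() {   # $1 = prefix, e.g. /mnt
  if [ -r /proc/mounts ]; then
    awk '{ print $2 }' /proc/mounts
  else
    mount | awk '{ sub(/^.* on /, ""); sub(/ (type .*|\(.*)$/, ""); print }'
  fi | awk -v p="$1" 'p == "/" || $0 == p || index($0, p "/") == 1'
}

if is_mountpoint /boot 2>/dev/null; then echo "/boot is a mount point"; fi
echo "mount points below /mnt:"; mounts_under /mnt
```

For an incident, compare mounts_under / against /etc/fstab: anything mounted that
fstab does not know about, on a directory that should have been plain, deserves
an umount and a look at what was underneath.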

How to Turn on IP Forwarding


IP Forwarding

Effectively makes a Linux box act as a router

Is usually used with two network interfaces (one internal, and one external)

Can be used with firewall services and is often used for NAT

Steps to Turn on IP Forwarding

1) Modify /etc/sysctl.conf
vi /etc/sysctl.conf
set this line (Red Hat ships it set to 0):
net.ipv4.ip_forward = 1
2) Make the Change Active
sysctl -p
(for the running kernel only, without editing the file: sysctl -w
net.ipv4.ip_forward=1, which is the same as echo 1 > /proc/sys/net/ipv4/ip_forward)
3) To View Current Settings:
sysctl net.ipv4.ip_forward, or sysctl -a | grep ipv4
Once forwarding is on, the box forwards between all its interfaces, so set the
FORWARD chain policy to DROP and add explicit accept rules before exposing it.

More info can be found on the redhat site:


https://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-firewall-ipt-fwd.html

We'll leave firewall rules for another topic...

How to Change the Root Password to Get Into a Linux Box


This procedure assumes you have console access, and are authorized to make changes
to accounts on the machine, including root.

If you own the machine, you can boot into single user mode, and change the
password, or create an account.

If using grub (you should see a blue bootup screen), press "a" to edit the kernel
arguments, then "space", "1", "enter", so the line ends with:
... 1
That will boot to single user mode (runlevel 1), which drops you into a root shell
without asking for a password.

Then you can change the root password


passwd

Then reboot with Ctrl-Alt-Del (or run init 3 / init 5 to continue into the normal
runlevel).

Because anyone at the console can do this, protect the boot loader: put a
password line generated with grub-md5-crypt in /boot/grub/grub.conf so GRUB asks
for it before letting anyone edit an entry, and set a BIOS password so the box
cannot simply be booted from other media.

You should create user accounts other than root. Use the useradd command.
useradd someone
passwd someone

Friday, April 27, 2007


RHCE Study Notes - SMTP
Study notes for any exam are difficult enough to find, but RHCE material seems
even more scarce. This article tells how to prepare for one of the objectives,
which is configuration of an SMTP server.

RHCE Study Notes


I wrote up some study notes as I was preparing for the RHCE exam. Here are some
quick notes based on the official RedHat objectives, labs, and possible questions
I thought might be reasonable requests.

SMTP Related Questions


install sendmail, sendmail-cf, sendmail-doc (optional)

Q: Configure mail server to accept internet email


A: modify /etc/mail/sendmail.mc
1) cd /etc/mail
2) vi /etc/mail/sendmail.mc
search for 127.0, put dnl at the front of that DAEMON_OPTIONS line, so sendmail
listens on all interfaces instead of loopback only
3) make
or m4 sendmail.mc > sendmail.cf
service sendmail restart
(open tcp/25 in iptables, and check with netstat -tlnp | grep :25 that sendmail
now listens on 0.0.0.0)
Q: Mail alias
A: modify /etc/aliases, run newaliases
Q: Receive mail for DomainX.example.com
A: modify sendmail.mc as above, and add the domain to /etc/mail/local-host-names
domainx.example.com
(the MX record of that domain has to point at this host)
Debugging:
mail -v root
mailq, mailq -Ac
sendmail -q
tail -f /var/log/maillog

Configure Sendmail as a Server for Other Clients

A little more detail...

as root, or sudo

backup your /etc/mail/sendmail.mc and sendmail.cf files

vi /etc/mail/sendmail.mc

Search for a line with 127, and comment the line by placing "dnl #" at the
beginning
Change this line
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
to this
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

/sbin/service sendmail restart

/sbin/chkconfig sendmail on

Debugging:
mail -v root
mailq, mailq -Ac
sendmail -q
tail -f /var/log/maillog

Links
For more details, see the Red Hat Reference Guide
https://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/s1-email-mta.html

And LinuxSelfHelp
http://www.linuxselfhelp.com/quick/sendmail.html

Network Config
How Do I Configure Networking in RedHat Linux?

Depending on the version of RedHat, or Fedora:


redhat-config-network
system-config-network

bash-2.05b$ which redhat-config-network


/usr/bin/redhat-config-network
bash-2.05b$

Network Related Files:

/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network
/etc/hosts
/etc/resolv.conf

For more details, remember that the Red Hat Manuals are available online:

http://www.redhat.com/docs/manuals

Network Info:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/s1-networkscripts-interfaces.html
