Post on 22-Nov-2015
Linux (RHEL6) Notes
Page#1 of 22
To complete: secure grub with password; gpg Encryption and Decryption
Useful files
/etc/inittab has run level definitions
Useful commands
#ifconfig
#ping desktop15.example.com    to get the ip address
#host    gives the DNS name
#hostname    gives the host name of the machine you are logged in to
#dig -x    has Question / Answer / Authority / Additional sections
#nslookup    gives hostname and ip address
#man -k ftp | less    search man pages for ftp
#man 8 mount    go to the 8th section of man help for the mount command
#which ls    shows from where ls is getting executed
#rpm -qf /bin/ls    finds the package in which ls is
#cp -pvrf    p for preserve, v for verbose, r for recursive and f for force overwrite if the target exists
#du -h    disk usage for a file
#du -h    disk usage for the individual files in a directory
#du -sh    disk usage summary for a directory
#ln -s to create soft links
#who -r    current system runlevel
#runlevel    current system runlevel
#uname -a    more details about the system
#uname -r    current kernel version
#cat /proc/cpuinfo    to see if the CPU supports VMX
#cat /proc/meminfo    to see the RAM size, to set the swap size
#cat /proc/partitions    after running the partx command
#ps    processes within your current terminal
#ps -a    all processes in all terminals
#ps -aux | less    a for all, u for user, x for executing; does not show the parent process
#ps -ef | less Shows parent process
#kill -l    to see the kill signals
#kill -9    signal KILL. Children become zombie "Z" processes
#kill -15    signal TERM. Kills the children and then the parent so that there are no zombie processes
#kill -1    signal HUP. Restarts, i.e., stops and starts, services
#top more flexibility
#parted /dev/sda    edit the partition table. Type help for the commands that can be used
#partx -d /dev/sda
#partx -a /dev/sda
#fdisk -cu /dev/sda
m    for help
n    for new partition
p    for print partitions
t    to change the partition system id
d    for deleting a partition
w    for write table to disk and quit
q    for quitting without saving
#fdisk -l | less Shows info about partitions
#mkfs -t ext4 /dev/sda5
or
#mkfs.ext4 /dev/sda5
or
#mkfs.ext4 -L "mydisk1" /dev/sda5    L gives the label while formatting
#e2label /dev/sda5    to display the label
#e2label /dev/sda5 "mydisk2"    to change the label
#findfs LABEL="mydisk2"    gives output /dev/sda5
#file    to know the type of a file, e.g. whether it is a tar file, zipped or not
#stat    to know more details about a file: access time, modify time, change time etc.
User Related
#useradd user1
#useradd -u 10001 -g ftp -G adm,apache -d /var/user123 -c "Comment" -s /bin/bash user123
g => Primary Group
G => Secondary Groups
d => Home directory
c => Comment
s => Login shell
#vim /etc/default/useradd    defaults for useradd
#id    to see the details about the user
#groups    list all groups a userid belongs to
#usermod -s /sbin/nologin user123    to change the login shell for the user
#usermod -L user123    lock the user
#usermod -aG adm,ftp,student user123    to add secondary groups
#usermod -G student user123    to replace all secondary groups with this one secondary group
#gpasswd -a u1 ftp    add a user to a group
#gpasswd -M u1,u2,u3,u4 apache    add multiple users to a group
#gpasswd -d u1 apache    delete a user from the apache group
#userdel -r u2    recursively delete all user info for u2
#chage -l    list the aging parameters for a userid
#chage -m 0 -M 90 -W 7 -I 14 
#vim /etc/login.defs    has the default values
#chown 
#chgrp 
#chown :
#chown -R    recursively change ownership
#chgrp -R 
#chown :
#chmod g+rwx 
#chmod -R a+rwx    recursively change permissions
Setting password for user (4 ways)
#passwd 
#echo "" | passwd --stdin 
#useradd -p "" 
#usermod -p ""
Resetting the root password if you don't know it
#init 1    if you are already logged into the system
Interrupt the Linux boot process (press F12), then enter the following:
e    to edit the boot entry
1    appended to the kernel line to get into single user mode. It gives root access without a password. You can also use s or S instead of 1 for getting into single user mode
go back
b    to continue to boot
#runlevel    to see the runlevel
or
#who -r    to see the runlevel
#passwd root    this will not work because SELinux is in enforcing mode
#setenforce 0
or
#setenforce Permissive    now the password can be changed
#passwd root
set gid (numeric value is 2)
#mkdir /mydata    /mydata is owned by root root
#ls -ld /mydata
#groupadd grp    new group that needs to own /mydata
#chgrp grp /mydata
#ls -ld /mydata
#chmod g+w /mydata    to make sure any user in the grp group can write to /mydata
#ls -ld /mydata
#chmod g+s /mydata    so that if anybody belonging to the grp group creates a file in /mydata, it will have the grp group (inherited from the directory)
Sticky bit (numeric value is 1)
If you set the sticky bit, only the owner of a file can delete it, even if the other users are in the same group as the owner and the group has write permission.
#chmod o+t /mydata    to set the sticky bit
ACL
#tune2fs -l /dev/sda5 | grep -i default    look for the default mount options
If the default mount option is none, you need to change it to ACL for the partition
#tune2fs -o acl,user_xattr /dev/sda5    change it for the partition
#mount /dev/sda5 /mnt
#cd /mnt
#getfacl /mnt    getfacl for the mount point
#setfacl -m u::rwx     to modify the acl for a user
#setfacl -m g::rwx     to modify the acl for a group
#getfacl 
#setfacl -x u:     to remove a user from the acl
#setfacl -x g:     to remove a group from the acl
Disk Quotas
Create an ext4 partition and mount it as /quotadir in fstab as follows
#vim /etc/fstab
/dev/sda5 /quotadir ext4 defaults,usrquota,grpquota 0 0    note usrquota, grpquota
#mount -a
#mount    it will list the usrquota attribute for the /quotadir mount point
#quotacheck -cuv /quotadir    to be done on the mount point
c => Create
u => User quota
v => Verbose
Creates the quota.user file in /quotadir
#quotacheck -cgv /quotadir    to be done on the mount point
c => Create
g => Group quota
v => Verbose
Creates the quota.group file in /quotadir
#quotaon /quotadir    activate quota on the filesystem. Need to use the mount point
#quotaon -p /quotadir    print the state of all file systems, whether quotas are turned on or off
#quota -v    verbose: file systems where quotas are turned on
#quota -uv     verbose quota for a specific userid
#repquota /quotadir
or
#repquota /dev/sda5
#edquota -u     to set the quota for the user in the vim editor. Set soft and hard blocks. Hard blocks is the max limit. Soft blocks is from where the user gets a warning
#edquota -t    to set the grace period
sudo
#visudo    to edit the /etc/sudoers file in the vim editor (:wq for saving the file)
#visudo -c    after adding entries, check the file to make sure there are no errors
Groups in the file are always preceded by %
Ex: peter,bob,%mygroup ALL= NOPASSWD: ALL
    users peter and bob and group mygroup, on all servers (since there is no list in parentheses after ALL=, they run the commands as root), can execute all commands without requiring a password
Ex: peter,bob,%mygroup ALL= NOPASSWD: /sbin/fdisk
    users peter and bob and group mygroup, on all servers (since there is no list in parentheses after ALL=, they run the commands as root), can execute only the fdisk command without requiring a password. All other commands require a password.
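The two example rules above differ only in their command list, and that is what decides how much a compromised account can do. The following script is an added example (not part of the notes) that reads sudoers-style rules from a constructed sample file and grades each one: NOPASSWD combined with a command list of ALL is the passwordless-root case, ALL with a password is the next tier, and a restricted command list is the least exposed. The sample rules, the function names and the severity labels are all assumptions made for the demo.

```shell
# Constructed sample of sudoers rules (not a real /etc/sudoers).
SUDOERS_SAMPLE=$(mktemp)
trap 'rm -f "$SUDOERS_SAMPLE"' EXIT
cat > "$SUDOERS_SAMPLE" <<'EOF'
# User privilege specification
Defaults    requiretty
root    ALL=(ALL)       ALL
peter,bob,%mygroup ALL= NOPASSWD: ALL
peter,bob,%mygroup ALL= NOPASSWD: /sbin/fdisk
%wheel  ALL=(ALL)       ALL
alice   ALL=(root)      /sbin/service httpd restart
EOF

# sudo_cmdlist RULE: print the command list of one rule by dropping the
# "user host=" part, an optional "(runas)" list and any "TAG:" prefixes.
sudo_cmdlist() {
    printf '%s\n' "$1" |
        sed -E 's/^[^=]*=[[:space:]]*([(][^)]*[)])?[[:space:]]*//' |
        sed -E 's/(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):[[:space:]]*//g' |
        sed -E 's/[[:space:]]+$//'
}

# sudo_severity RULE: HIGH = no password and every command;
# MEDIUM = every command but a password is asked; LOW-NOPASSWD = a
# restricted list without password; LOW = restricted list with password.
sudo_severity() {
    cmds=$(sudo_cmdlist "$1")
    case "$1" in
        *NOPASSWD:*) nopw=1 ;;
        *)           nopw=0 ;;
    esac
    if [ "$cmds" = "ALL" ] && [ "$nopw" = 1 ]; then echo HIGH
    elif [ "$cmds" = "ALL" ]; then echo MEDIUM
    elif [ "$nopw" = 1 ]; then echo LOW-NOPASSWD
    else echo LOW
    fi
}

# audit_sudoers FILE: one "<severity>\t<rule>" line per rule; comments,
# blank lines and Defaults lines are skipped.
audit_sudoers() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    grep -v '^[[:space:]]*Defaults' | grep '=' |
    while IFS= read -r rule; do
        printf '%s\t%s\n' "$(sudo_severity "$rule")" "$rule"
    done
}

# count_high FILE: number of rules granting passwordless root on ALL commands.
count_high() {
    audit_sudoers "$1" | grep -c '^HIGH'
}

audit_sudoers "$SUDOERS_SAMPLE"
echo "passwordless-root rules: $(count_high "$SUDOERS_SAMPLE")"
```

Point it at a copy of the real file (visudo -c still validates syntax; this script only grades the command lists) and review every HIGH line first.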
Creating LVM
1. Create two LVM type partitions /dev/sda5 and /dev/sda6
2. Create PVs
3. Create a Volume Group using the PVs
4. Create LVMs within the Volume Group
5. ext4 formatting
6. Mount the LVM file system
7. Check if mounted
8. Make the mounts permanent
#fdisk -cu /dev/sda
#pvcreate /dev/sda5
#pvcreate /dev/sda6
#vgcreate -s 8 myVG /dev/sda5 /dev/sda6    s is the PE size
#vgdisplay myVG
#lvcreate -l 10 -n mylv1 myVG    10 extents
or
#lvcreate -L 80M -n mylv2 myVG    80M size
#mkfs.ext4 /dev/myVG/mylv1
or
#mkfs.ext4 /dev/mapper/myVG-mylv1
#mkdir -p /mnt/mylv1
#mount /dev/myVG/mylv1 /mnt/mylv1
or
#mount /dev/mapper/myVG-mylv1 /mnt/mylv1
#df -h
#vim /etc/fstab
/dev/myVG/mylv1 /mnt/mylv1 ext4 defaults 0 0
Reducing LVM
1. Make sure that there are no users connected to the mount
2. Unmount the mount point
3. Check the file system on the LV
4. Resize the file system
5. Reduce the LV
6. Mount the LV
#fuser -vm /home
#fuser -km /home
#umount /home
#df -h    to see the free space
#e2fsck -f /dev/vg10/lv_home
#df -h    to see the free space
#resize2fs /dev/vg10/lv_home 256M
#lvreduce -L 256M /dev/vg10/lv_home
#df -h    to see the free space
#mount -a    to mount all mount points from fstab
Extending LVM
Can be done online. No unmounting is needed
#df -h
#lvextend -L +256M /dev/vg10/lv_home    add an additional 256M to lv_home
#df -h    does not show the increased size yet
#resize2fs /dev/vg10/lv_home 
#df -h
Removing LVM
#lvscan
#lvchange -an /dev/myVG/lv_test    to make the LV inactive
#lvscan    should show lv_test inactive
#lvremove /dev/myVG/lv_test
#lvscan
Reducing VG (by removing PV)
#vgs
#pvmove /dev/sda5    moves data from /dev/sda5 to the next available PV
#vgreduce myVG /dev/sda5
#vgs
Extending VG (by adding PV)
#pvs
#fdisk -cu /dev/sda    add a new LVM partition (8e)
#partx -a /dev/sda
#vgextend myVG /dev/sda6
#vgs
#pvs
Removing VG
1. Deactivate all LVs in the VG
2. Remove all LVs in the VG
3. Remove the VG
#vgremove myVG
Encrypting Partitions / LVMs using LUKS
LUKS - Linux Unified Key Setup
Steps
=====
1. Create partition, partx -a /dev/sda
2. cryptsetup luksFormat 
3. cryptsetup luksOpen 
4. mkfs.ext4 /dev/mapper/
5. cryptsetup luksClose 
6. mount /dev/mapper/
7. Make an entry in /etc/fstab
8. Make an entry in /etc/crypttab
#fdisk -cu /dev/sda    create a new partition sda5
#partx -a /dev/sda
#cryptsetup luksFormat /dev/sda5    asks about data overwriting. Say YES
#cryptsetup luksOpen /dev/sda5 cryptdata
#dmsetup table    list all the volumes managed by the device mapper
#mkfs.ext4 /dev/mapper/cryptdata
#mkdir /mnt/cryptdata
#mount /dev/mapper/cryptdata /mnt/cryptdata
#df -h
#umount /mnt/cryptdata
#blkid /dev/mapper/cryptdata    get the UUID
#vim /etc/fstab    add a new line
UUID="" /mnt/cryptdata ext4 defaults 0 0
#df -h
#vim /etc/crypttab    when you reboot, the system will ask for the passphrase for sda5. Add a new line
cryptdata /dev/sda5 none    instead of none, give passphrase
Networking concepts
Important files are
/etc/hosts    local resolver
/etc/resolv.conf    domain name, DNS server ip address (must)
/etc/sysconfig/network    global config file. NETWORKING should be yes, HOSTNAME, GATEWAY (must)
/etc/sysconfig/network-scripts/ifcfg-eth0    interface specific file
#service NetworkManager restart
#service network restart
#ifcfg
#mii-tool
#setup    takes you to the network setup
#mii-link
#ifdown eth0
#ifup eth0
ssh - Data Encryption
#ssh root@192.168.0.5    after login, you will see /root/.ssh/known_hosts on the source system for the root user
#ssh -X root@192.168.0.5    for X forwarding
#system-config-date    after the above login, this will display in an X window
ssh - Key based Authentication
#ssh-keygen -t rsa    at the source, generate an rsa key pair: private key in /root/.ssh/id_rsa, public key in /root/.ssh/id_rsa.pub
#ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.0.5    this copies the public key from the source to the destination's /root/.ssh/authorized_keys
No password is required after copying the key. This is user specific
swap
If RAM is 0 - 4GB, then swap = 2 + (0.5 of RAM)
If RAM is 4 - 8GB, then swap = 4 + (0.5 of RAM)
If RAM is 8 - 16GB, then swap = 8 + (0.5 of RAM)
If RAM is 16 - 64GB, then swap = 16 + (0.5 of RAM)
Partition based Swap
#mkswap /dev/sda6    swap file system
#swapon /dev/sda6    activate swap
#swapoff /dev/sda6    deactivate swap
#swapon -s    show swap summary
#vim /etc/fstab    permanent swap
/dev/sda6 swap swap defaults 0 0
#swapon -a    activate all swaps from /etc/fstab
File based Swap
#dd if=/dev/zero of=/swapfile bs=1M count=500
#du -sh /swapfile
#dd if=/dev/zero of=/swapfile-thin bs=1M count=1 seek=1000
#du -sh /swapfile-thin
#mkswap /swapfile
#swapon /swapfile
#swapoff /swapfile
#vim /etc/fstab
/swapfile swap swap defaults 0 0
#swapon -a
Securing grub with password
Kernel install
#lftp 192.168.0.254/updates
#mget kernel*
#rpm -qRp     to get the dependencies
#rpm -U     DO NOT use this. This will overwrite the existing kernel
#rpm -ivh     always use the i option to install a new kernel
#rpm -ivh 
#vim /etc/grub.conf    you will see the new kernel here.
If you installed a kernel newer than the existing kernel, the new kernel will become the default.
If you installed a kernel older than the existing kernel, the existing kernel remains the default.
at
#atq    query to see if one-off jobs are scheduled
#at 3:08
at> /sbin/reboot
at> ctrl+d
#atq    shows the above job
#atrm     to remove a job
#atq    to make sure that the job is gone
crontab
#crontab -e    edit the crontab for the current user
#crontab -eu     edit the crontab for the specified user
Look in /etc/crontab for the exact format for writing cron entries.
Make sure to use the which command to get the complete path of the commands to be executed, as these need to go into the crontab.
Ex: for echo command you need to use /bin/echo
#vim /etc/cron.deny    add users to this file to stop them from editing the crontab
#vim /etc/cron.allow    add users to this file to allow them to edit the crontab
If a user exists in both files, cron.allow takes precedence over cron.deny.
#service crond restart
#chkconfig crond on
#crontab -lu     list the crontab for the specified user
rpm
#rpm -qa    query all packages installed in the system
#rpm -qa | wc -l
#rpm -q     to check if a package already exists or not
#rpm -qRp     lists dependencies
#rpm -qR     query an installed package
#rpm -qlp     list all the files included in the package
#rpm -qldp     displays only document files
#rpm -qlcp     displays only config files
#rpm -qlsp     displays only script files
#rpm -ql vsftpd
#rpm -ivh     i for install, v for verbose, h for percentage completion
#rpm -Uvh     U for update
#rpm -e     to uninstall a package. Dependencies are not removed
yum - Yellowdog Update Manager
#yum list all
#yum list installed
#yum list available
#yum search vsftpd
#yum install vsftpd* -y
#yum remove vsftpd* -y
#yum deplist vsftpd*
#which date
#yum provides /bin/date
#yum grouplist    to list the package groups installed in the system
#yum localinstall --nogpgcheck 
Setting up Local yum
#mount -o loop,ro /home/rhel6.iso /mnt
#cp -pvrf /mnt/* /var/ftp/pub
#vim /etc/yum.repos.d/local.repo    add the following lines
[rhel6-64bit-local]
name=rhel6 local packages
baseurl=file:///var/ftp/pub
enabled=1
gpgcheck=0
#vim /etc/yum.repos.d/rhel6.repo    add the following lines
[rhel6-64bit-server]
name=rhel6 server packages
baseurl=ftp://192.168.0.254/pub/rhel6/dvd
enabled=1
gpgcheck=0
#vim /etc/vsftpd/vsftpd.conf    make sure that anonymous can log in, because yum uses anonymous login
#service vsftpd restart
#chkconfig vsftpd on
#yum clean all    to clean the repodata cache on the client
#yum list all    to see the packages available
NFS Sharing (server side - 192.168.0.254) - Share Resources
#yum install nfs* -y    the package is nfs-utils
#mkdir /kickstart
#vim /etc/exports
/kickstart 192.168.0.0/24(ro,sync,no_root_squash)    share to the 192.168.0.0/24 network
#exportfs -rv    r for re-export and v for verbose
#service nfs restart
#chkconfig nfs on
NFS access is done through the nfsnobody user
NFS Sharing (client side) - NFS mount shared resources
#showmount -e 
#mkdir /mnt/nfs
#mount -t nfs 192.168.0.254:/kickstart /mnt/nfs
#umount /mnt/nfs
#df -h
#vim /etc/fstab
192.168.0.254:/kickstart /mnt/nfs nfs defaults 0 0
#mount -a
As any user, you can also do the following without mounting
#cd /net/192.168.0.254
#ls    you will see kickstart
Samba Server
#yum install samba* -y
#which smbd
#which nmbd
#ldd /usr/sbin/smbd | grep -i libwrap    nothing found. So tcp_wrappers support is NOT there for samba
#vim /etc/samba/smb.conf    samba main config file
In the Global Settings section, you may need to change the workgroup
In the Share Definitions section, add the following
[myshare]
comment = public stuff
path = /share
writeable = yes    you can put in read only = yes instead
valid users = u5
browseable = yes
#useradd u5
#smbpasswd -a u5    a for adding a password
#smbpasswd -d u5    d for deactivating the password entry
#smbpasswd -x u5    x for deleting the password entry
#pdbedit -L -w    list users that have samba passwords
#mkdir /share
#getenforce
#ls -ldZ /share    if SELinux is enforcing, then you need to change the context for the /share directory
#chcon -t samba_share_t /share
#ls -ldZ /share
#cd /share
#touch file1
#service smb restart
Logs are in /var/log/samba
CIFS Sharing (client side) - Samba mount shared resources
#smbclient -L //192.168.0.254 | less
From the list we can only use "Disk" or "Print" type shares.
The share name shown in the list may be totally different from the directory name on the host. Basically, the share name hides the directory name on the server.
#mkdir -p /mnt/cifs
#mount -t cifs //192.168.0.254/myshare /mnt/cifs -o username=u5,password=
#df -h
#vim /etc/fstab    add the following entry
//192.168.0.254/myshare /mnt/cifs cifs defaults,username=u5,password= 0 0
#umount /mnt/cifs
#df -h
#mount -a
#df -h
#smbclient //192.168.0.254/myshare -U u5
smb> ls    shows file1 created above
tcp_wrappers
#which vsftpd    gives /usr/sbin/vsftpd
#ldd /usr/sbin/vsftpd | grep -i libwrap    shows a line. It means tcp_wrappers are supported
#which httpd    gives /usr/sbin/httpd
#ldd /usr/sbin/httpd | grep -i libwrap    does not show a line. It means tcp_wrappers are NOT supported
#which sshd    gives /usr/sbin/sshd
#ldd /usr/sbin/sshd | grep -i libwrap    shows a line. It means tcp_wrappers are supported
tcp_wrappers access control is done through
/etc/hosts.deny
/etc/hosts.allow
No need to restart services if you change these files
#vim /etc/hosts.deny    examples of entries:
vsftpd: desktop20.example.com    desktop20 is not allowed to FTP to this server
vsftpd: .example.com    the .example.com domain is not allowed to FTP to this server
vsftpd: ALL EXCEPT .example.com    any domain other than .example.com is not allowed to FTP to this server
sshd: .example.com    the .example.com domain is not allowed to SSH to this server
sshd: 192.168.0.    the 192.168.0. network is not allowed to SSH to this server
sshd: ALL EXCEPT .example.com    any domain other than .example.com is not allowed to SSH to this server
#vim /etc/hosts.allow
vsftpd: desktop20.example.com    desktop20 is allowed to FTP to this server even though it is prevented in hosts.deny
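The hosts.allow entry above wins because the wrapper library consults hosts.allow first, then hosts.deny, and grants access if neither matches. The script below is an added example (not from the notes) that emulates that order over constructed copies of the two files, so the pattern forms used above (exact host, ".domain" suffix, "192.168.0." prefix, ALL and ALL EXCEPT) can be checked offline before touching a live server. The file contents and function names are assumptions for the demo; hostname lookups and IPv6 are not emulated, the caller passes the client name or address as-is.

```shell
# Constructed hosts.deny / hosts.allow (assumed content, not real files).
HOSTS_ALLOW=$(mktemp)
HOSTS_DENY=$(mktemp)
trap 'rm -f "$HOSTS_ALLOW" "$HOSTS_DENY"' EXIT
cat > "$HOSTS_DENY" <<'EOF'
# the whole .example.com domain may not FTP; nobody outside it may SSH
vsftpd: .example.com
sshd: ALL EXCEPT .example.com
EOF
cat > "$HOSTS_ALLOW" <<'EOF'
vsftpd: desktop20.example.com   # consulted first, so it wins over hosts.deny
EOF

# tcpw_pat_match PATTERN HOST: does one pattern token match HOST?
tcpw_pat_match() {
    case "$1" in
        ALL) return 0 ;;
        .*)  case "$2" in *"$1") return 0 ;; esac ;;   # ".domain" suffix
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # "192.168.0." prefix
        *)   [ "$1" = "$2" ] && return 0 ;;            # exact host or IP
    esac
    return 1
}

# tcpw_any_match "TOKENS" HOST: does any whitespace-separated token match?
tcpw_any_match() {
    for tok in $1; do
        tcpw_pat_match "$tok" "$2" && return 0
    done
    return 1
}

# tcpw_list_match "LIST" HOST: a daemon or client list (commas allowed),
# optionally "left EXCEPT right": the left part matches unless the right
# part also matches.
tcpw_list_match() {
    list=$(printf '%s' "$1" | tr ',' ' ' | tr -s ' ')
    case " $list " in
        *" EXCEPT "*)
            tcpw_any_match "${list%% EXCEPT *}" "$2" || return 1
            tcpw_any_match "${list#* EXCEPT }" "$2" && return 1
            return 0 ;;
    esac
    tcpw_any_match "$list" "$2"
}

# tcpw_file_match FILE DAEMON HOST: does any "daemons: clients" line match?
tcpw_file_match() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                               # drop comments
        case "$line" in *:*) ;; *) continue ;; esac    # skip blank lines
        tcpw_list_match "${line%%:*}" "$2" || continue # daemon list
        tcpw_list_match "${line#*:}" "$3" && return 0  # client list
    done < "$1"
    return 1
}

# tcpw_decision DAEMON HOST: ALLOW or DENY in the order the wrapper uses.
tcpw_decision() {
    if tcpw_file_match "$HOSTS_ALLOW" "$1" "$2"; then echo ALLOW
    elif tcpw_file_match "$HOSTS_DENY" "$1" "$2"; then echo DENY
    else echo ALLOW
    fi
}

show() { printf '%-8s %-24s %s\n' "$1" "$2" "$(tcpw_decision "$1" "$2")"; }
show vsftpd desktop20.example.com   # ALLOW: hosts.allow wins
show vsftpd desktop21.example.com   # DENY: rest of the domain
show vsftpd box.other.org           # ALLOW: no rule covers it
show sshd   desktop3.example.com    # ALLOW: excepted from the deny
show sshd   10.1.2.3                # DENY
```

Note the third probe: a deny rule written for one domain leaves every other client allowed, which is why the notes' "ALL EXCEPT" form is the one that actually closes a service.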
LDAP
#system-config-authentication
or on the Desktop --> System --> Administration --> Authentication
Select LDAP
DN - dc=example,dc=com
LDAP Server - ldap://instructor.example.com
Check TLS to encrypt connections
Certificate link - http://192.168.0.254/pub/EXAMPLE-CA-CERT
Authentication Method - LDAP Password
Click Apply
On VMs - look for the sssd service
On Desktops - look for the nslcd service
#service sssd status
#chkconfig --list sssd
#getent passwd 
#su - ldapuser1
Based on the settings in /etc/nsswitch.conf, the system will look in the local users first and then go to LDAP. Look for
passwd: files sss
autofs (NFS mount) - No fstab entries needed
No need to install autofs. It comes in with base install
#vim /etc/sysconfig/autofs    you can specify autofs parameters like the timeout: TIMEOUT=300. The timeout can also be specified in auto.master
#vim /etc/auto.master    put in your own directory name and the file that contains the mount information
/remote /etc/auto.remote    these can have any name
#vim /etc/auto.remote
kick -rw,fstype=nfs 192.168.0.254:/kickstart
#service autofs stop    restart will not work
#service autofs start
#chkconfig autofs on
#cd /remote/kick
#df -h
#cd    to go to your home directory, then wait for the timeout period
#df -h    you will not see the /remote/kick mount point
autofs (Local mount) - No fstab entries needed
No need to install autofs. It comes in with base install
Create a partition /dev/sda5 and mount it as /local/disk1
Create an LV /dev/vg00/lv01 and mount it as /local/lv1
#vim /etc/auto.master
/local /etc/auto.local
#vim /etc/auto.local
disk1 -fstype=ext4 :/dev/sda5
lv1 -fstype=ext4 :/dev/vg00/lv01
#service autofs stop    restart will not work
#service autofs start
#chkconfig autofs on
#df -h
#cd /local
#df -h
#cd lv1
#df -h
autofs for ldapusers - No fstab entries required
No need to install autofs. It comes in with base install
#showmount -e 192.168.0.254
If /home/guests is the directory shared on 192.168.0.254 and it has the home directories for the ldap users:
#vim /etc/auto.master
/home/guests /etc/auto.ldap
#vim /etc/auto.ldap
ldapuser1 -rw,fstype=nfs 192.168.0.254:/home/guests/ldapuser1    for a single user
* -rw,fstype=nfs 192.168.0.254:/home/guests/&    generic, for multiple users
autofs for samba - No fstab entries required
No need to install autofs. It comes in with base install
#vim /etc/sysconfig/autofs    you can specify autofs parameters like the timeout: TIMEOUT=300. The timeout can also be specified in auto.master
#vim /etc/auto.master    put in your own directory name and the file that contains the mount information
/cifs /etc/auto.cifs    these can have any name
#vim /etc/auto.cifs
cifsshare -rw,fstype=cifs,username=u5,password= ://192.168.0.254/myshare
#service autofs stop    restart will not work
#service autofs start
#chkconfig autofs on
#cd /cifs/cifsshare
#df -h
#cd    to go to your home directory, then wait for the timeout period
#df -h    you will not see the /cifs/cifsshare mount point
SELinux
#yum install setroubleshoot* -y
#vim /etc/sysconfig/selinux    config file for selinux
#getenforce
#setenforce 0    Permissive
#setenforce Permissive
#setenforce 1    Enforcing
#setenforce Enforcing
#semanage fcontext -l    displays the registry of resource contexts
Security context is applied to resources
#ls -lZ    to view the security context for all files / directories
#ps -Z    to view the process security context
#chcon -u     change the user part of the context
#chcon -r     change the role part of the context
#chcon -t     change the type part of the context
cp (copy) of a file to a destination will inherit the destination context
mv (move) of a file to a destination will NOT inherit the destination context
#semanage fcontext -a -t public_content_rw_t "/var/ftp/dropbox(/.*)?"    add a new entry into the registry
#restorecon -R -v /var/ftp/dropbox    R for recursive, for all files in the directory, and v for verbose
#chcon -Rt public_content_rw_t /var/ftp/dropbox
#ls -ldZ /var/ftp/dropbox
#getsebool -a | less    get process booleans
#setsebool allow_ftpd_anon_write=1    set process booleans
For troubleshooting and error messages
#yum install setroubleshoot* -y    so that you can use the sealert command
#sealert -a /var/log/audit/audit.log
#cat /var/log/messages | grep setroubleshoot    copy the alert id from here
#sealert -l 
FTP Client
#yum install ftp* -y
#yum install lftp* -y
#ftp 192.168.0.254    enter userid and password
#lftp 192.168.0.254    does not ask for userid and password
FTP Server - vsftpd (Very Secure FTP)
#yum remove vsftpd* -y
#yum install vsftpd* -y
#vim /etc/vsftpd/vsftpd.conf    config file. You can change the log file location here, if needed.
#vim /etc/vsftpd/ftpusers    userids that are NOT allowed to log in through FTP
#vim /etc/vsftpd/user_list    please look at the userlist_deny parameter in /etc/vsftpd/vsftpd.conf
If userlist_deny=NO, only the users listed in the user_list file are allowed.
If userlist_deny=YES, the users listed in the user_list file are NEVER allowed. In this case, when you try to log in from the client side as a user mentioned in the user_list file, no login prompt is given.
If a user exists in both files, ftpusers file takes precedence.
If you change any of the above files, make sure to restart ftp service
#service vsftpd status
#service vsftpd restart
#chkconfig vsftpd on
To check the messages for FTP
#tail -f /var/log/messages
To track the packets, you can install wireshark
#yum install wire* -y
To stop ftp connections coming into your server
#vim /etc/hosts.deny    edit this file
Uploadable FTP Server using SELinux
1. Create the directory /var/ftp/dropbox
2. Change the group ownership from root to the ftp group
3. Make sure that the ftp group can write to that directory
4. If SELinux is enforcing, make sure that the context for the dropbox directory is the same as for the ftp directory
5. Set the process boolean for anonymous write
6. Make sure the vsftpd config file allows anonymous write and upload
7. Restart the FTP service
#mkdir -p /var/ftp/dropbox    created and owned by root
#chgrp ftp /var/ftp/dropbox
#chmod g+rwx /var/ftp/dropbox
#getenforce    make sure SELinux is enforcing
#cd /var
#ls -ldZ /var/ftp    to see the context for the ftp directory
#ls -ldZ /var/ftp/dropbox    to see the context for the dropbox directory
#restorecon -R -v /var/ftp/dropbox
or
#chcon -Rt public_content_rw_t /var/ftp/dropbox
#getsebool -a | grep ftpd    look for allow_ftpd_anon_write
#setsebool -P allow_ftpd_anon_write=1    P implies a persistent setting
#vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES
anon_mkdir_write_enable=YES
#service vsftpd status
#service vsftpd restart
#chkconfig vsftpd on
HTTP/Apache server
#rpm -qa | grep httpd    to see if apache is installed or not
#yum install http* -y
Default port is 80
Document root is /var/www/html
User is apache
Group is apache
All logs are in the following directories
/etc/httpd/logs
/var/log/httpd
#rpm -qc httpd*    to see the configuration files for httpd
httpd startup parameters are in
#vim /etc/sysconfig/httpd
/etc/httpd is the main directory
#vim /etc/httpd/conf/httpd.conf    main config file for httpd. You can change the log file location here, if needed
DirectoryIndex index.html index.html.var
After making changes, please make sure to restart the service
#service httpd restart
#chkconfig httpd on
In the browser, use the following URLs
http://localhost    looks for index.html in /var/www/html
http://127.0.0.1    looks for index.html in /var/www/html
http://    looks for index.html in /var/www/html
#yum install elinks* -y
#elinks --dump localhost
#elinks --dump 
#elinks 192.168.11.3    this worked for me and the above two URLs did not
Name based and port based Virtual Hosting (with access to one of the sites restricted to one host, and user based authentication for one of the sites)
Step 1 (Server)
----------------
#mkdir -p /var/www/virtual
#cd /var/www/virtual
#mkdir google    in this directory, create google.html and put in some text
#mkdir yahoo    in this directory, create yahoo.html and put in some text
#mkdir facebook    in this directory, create facebook.html and put in some text
#mkdir twitter    in this directory, create twitter.html and put in some text
Step 2 (Server)
----------------
#vim /etc/httpd/conf/httpd.conf
Make sure that the following entries exist
NameVirtualHost 192.168.0.250:80
NameVirtualHost 192.168.0.250:8080

DirectoryIndex index.html index.html.var
DirectoryIndex google.html google.html.var
DirectoryIndex yahoo.html yahoo.html.var
DirectoryIndex facebook.html facebook.html.var
DirectoryIndex twitter.html twitter.html.var

Listen 80
Listen 8080

<VirtualHost 192.168.0.250:80>
    ServerAdmin root@demo.example.com
    DocumentRoot /var/www/virtual/google
    ServerName google.example.com
    <Directory /var/www/virtual/google>
    #    AllowOverride None
    #    Options None
    #    Order allow,deny        (the default: allow, then deny all others)
    #    Allow from all
        AllowOverride None
        Options None
        Order allow,deny
        Allow from desktop3.example.com    allow the google site only from desktop3.example.com; all others are denied
    </Directory>
</VirtualHost>

<VirtualHost 192.168.0.250:80>
    ServerAdmin root@demo.example.com
    DocumentRoot /var/www/virtual/yahoo
    ServerName yahoo.example.com
</VirtualHost>

<VirtualHost 192.168.0.250:8080>
    ServerAdmin root@demo.example.com
    DocumentRoot /var/www/virtual/facebook
    ServerName facebook.example.com
</VirtualHost>

<VirtualHost 192.168.0.250:8080>
    ServerAdmin root@demo.example.com
    DocumentRoot /var/www/virtual/twitter
    ServerName twitter.example.com
    <Directory /var/www/virtual/twitter>
        AuthType basic
        AuthName "This is for user based Authentication"
        AuthUserFile /etc/httpd/.htpasswd
        Require user user1 user2
    </Directory>
</VirtualHost>
Step 3 (Server)
----------------
#service httpd configtest
#httpd -t    syntax check
#httpd -S    virtual host syntax check
Step 4a (Server)
-----------------
#useradd user1
#useradd user2
#htpasswd -cm /etc/httpd/.htpasswd user1    c for create and m for md5; adds an md5-hashed password for user1
#htpasswd -m /etc/httpd/.htpasswd user2    since the file already exists, no c is needed. Adds an md5-hashed password for user2
Step 4b (Server)
----------------
#vim /etc/hosts
Add the following entries
192.168.0.250 google.example.com
192.168.0.250 yahoo.example.com
192.168.0.250 facebook.example.com
192.168.0.250 twitter.example.com
Step 5 (Server)
----------------
#service httpd restart
#chkconfig httpd on
Step 6 (Server)
----------------
#tail -f /var/log/httpd/access_log    to see the hits on the apache server
Step 7 (Client)
----------------
In the browser
http://google.example.com    only allowed from desktop3.example.com
http://yahoo.example.com
http://facebook.example.com:8080
http://twitter.example.com:8080    asks for userid and password. Need to enter user1 or user2 and their http password
Step 8 (Server)
----------------
#elinks --dump google.example.com    only allowed from desktop3.example.com
#elinks --dump yahoo.example.com
#elinks --dump facebook.example.com
#elinks --dump twitter.example.com    asks for userid and password. Need to enter user1 or user2 and their http password
Monitoring a website
The ab command is used to perform real-time performance testing of a website
#ab http://demo.example.com    you will see various things; one of them is the response time
#ab -n 200 -c 10 http://demo.example.com    200 requests from 10 concurrent users. The response time increases
#ab -n 1000 -c 20 http://demo.example.com    1000 requests from 20 concurrent users. The response time increases further
iSCSI - Server side
#yum install scsi-target-utils* -y
#vim /etc/tgt/targets.conf
Add the following entries, each inside its own <target> ... </target> block named with the target's iqn
backing-store /dev/sda5
initiator-address 192.168.0.16

backing-store /dev/sda6
initiator-address 192.168.0.117
#service tgtd stop
#service tgtd start
#chkconfig tgtd on
The default port for tgtd is 3260
Make sure that the port is open by issuing the following command
#netstat -ntlp | less
iSCSI - Client side
Go to one of the clients mentioned in the server's /etc/tgt/targets.conf file
#yum install iscsi-initiator-utils* -y
#iscsiadm -m discovery -t st -p 192.168.0.1    this is to get the iqn number of the iscsi drive shared for this client by the server
m => mode
t => type
st => send targets
p => portal, the ip address of the server that is sharing the disk
#iscsiadm -m node -T iqn.2011-12.com.example:server1.desktop16.disk1 -p 192.168.0.1 -l
T => target iqn number
l => login
If you get a success message then the disk is attached. To check that the disk is attached:
#tail /var/log/messages | less
#fdisk -l | less    shows /dev/sdb attached. You can now partition it
#fdisk -cu /dev/sdb    add new partitions
#partx -d /dev/sdb
#partx -a /dev/sdb
#cat /proc/partitions
#mkfs.ext4 /dev/sdb1
For mounting, always use the UUID from blkid. Do not use /dev/sdb1
#mkdir /mnt/iscsi
#blkid /dev/sdb1    get the UUID
#vim /etc/fstab    add the following entry
UUID="......." /mnt/iscsi ext4 _netdev 0 0
#mount -a
#iscsiadm -m node -T iqn.2011-12.com.example:server1.desktop16.disk1 -p 192.168.0.1 -u -o delete
u => logout
o delete => delete the cached node record. No data on the disk is deleted
File Searching (examples)
#find -name snow.png
#find / -name '*.txt'
#find /etc -name '*pass*'
#find /home -user joe -group joe    files owned by user joe and group joe
#find /home -user joe -not -group joe    files owned by user joe and not by group joe
#find /home -user joe -o -user jane    files owned by user joe or user jane
#find /home -not \( -user joe -o -user jane \)    files NOT owned by user joe or user jane
#find / -user joe -o -uid 500    files owned by user joe or by the user with uid 500
#find / -perm 755    files that have exactly 755 permissions
#find / -perm +222    files that anyone can write (any write bit set)
#find / -perm -222    files that everyone can write (all write bits set)
#find / -perm -002    files that others can write
#find / -size 10M    files exactly 10M in size
#find / -size +10M    files > 10M in size
#find / -size -10M    files < 10M in size
#find /tmp -ctime +10    files changed more than 10 days ago
#find -size +100M -ok mv {} /tmp/largefiles/ \;    files larger than 100M are moved to a different directory. Prompts for each file move
#find -size -100M -exec mv {} /tmp/smallfiles/ \;    files smaller than 100M are moved to a different directory. NO PROMPT
#find / -type f -group ftp -not -user root -exec cp -p {} /tmp/ftpfiles/ \;
#find / -type f -perm -002 -exec chmod o-w {} \;
#find / -not -perm +111 -name '*.sh' -ok chmod 755 {} \;
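The four -perm forms above are easy to confuse, and the difference between "any write bit" and "others can write" is exactly what decides whether the chmod o-w sweep touches the right files. The script below is an added example (not from the notes) that builds a scratch directory with files of known modes, counts what each -perm form selects, and then runs the same o-w fix-up to show the world-writable count drop to zero. The file names and function names are assumptions for the demo; it uses "/222" rather than "+222" because newer GNU findutils dropped the "+" spelling that RHEL6's find still accepts.

```shell
# make_perm_fixture: create a temp dir with one file per mode (constructed
# sample) and print its path.
make_perm_fixture() {
    d=$(mktemp -d)
    for spec in exact755:755 ownerexec700:700 worldwrite666:666 \
                groupwrite664:664 plain644:644 readonly444:444; do
        name=${spec%%:*}
        mode=${spec##*:}
        : > "$d/$name"
        chmod "$mode" "$d/$name"
    done
    echo "$d"
}

# count_perm DIR MODE: number of regular files under DIR selected by
# "find -perm MODE" (exact, /any-of, -all-of, as in the notes).
count_perm() {
    find "$1" -type f -perm "$2" | wc -l | tr -d ' '
}

# list_world_writable DIR: basenames of files that "others" can write,
# i.e. the set the notes' chmod o-w sweep operates on.
list_world_writable() {
    find "$1" -type f -perm -002 | sed 's#.*/##' | sort
}

# fix_world_writable DIR: strip the o+w bit from those files and print
# how many were changed.
fix_world_writable() {
    n=$(count_perm "$1" -002)
    find "$1" -type f -perm -002 -exec chmod o-w {} \;
    echo "$n"
}

# Stand-alone run over the fixture (expected counts in the comments).
DEMO=$(make_perm_fixture)
echo "exact 755            : $(count_perm "$DEMO" 755)"    # 1
echo "any write bit (/222) : $(count_perm "$DEMO" /222)"   # 5 (all but 444)
echo "all write bits (-222): $(count_perm "$DEMO" -222)"   # 1 (666 only)
echo "others write (-002)  : $(count_perm "$DEMO" -002)"   # 1 (666 only)
echo "fixed: $(fix_world_writable "$DEMO") file(s)"
echo "others write after   : $(count_perm "$DEMO" -002)"   # 0
rm -rf "$DEMO"
```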
Virtual Machine
#virsh destroy 
#virsh undefine 
#virt-manager    to launch the Virtual Machine Manager
tar and compression
Order of compression:
#tar -cvf etc.tar /etc
#du -h etc.tar    to see how much space it occupies
#tar -czvf etc.tar.gz /etc
#du -h etc.tar.gz    to see how much space it occupies
#tar -cjvf etc.tar.bz /etc
#du -h etc.tar.bz    to see how much space it occupies
#tar -cJvf etc.tar.xz /etc
#du -h etc.tar.xz    to see how much space it occupies
c => Create
v => verbose
f => file tar
z => gzip
j => bzip2
J => xz
tar is the only command where the destination is given first and the source later.
iptables
#iptables -F    flush the default iptables. The default is the filter table
#iptables -t filter -F    flush the filter table
#iptables -t nat -F    flush the nat table
#iptables -t mangle -F    flush the mangle table
#service iptables save    save the iptables
#service iptables stop
#service iptables start
#service iptables restart
VNC Server and Viewer
Did not look into it. Is it covered in the exam?
gpg - GNU Privacy Guard