RHCE-Notes

Date June 18, 2008

This is RHCE notes i wrote while studding for the exam, it doesn’t cover all exam topics, maybe they can help you to review what did you studied no more..
User Administration:
– adduser UserName
– deluser UserName
– usermod: to modifiy user information..
– chage: change expiration date for user account.
– always when you use a directory as a share for a group, use SGID, for ex: chmod 2770 /share-dir

for login/logout scripts and bash, refer to this topic: bash loging, startup scripts and shell initialization files

ACL:
mount with acl, ex:
mount -o remount, acl /dev/sda5 /home
as root: touch /home/idle-boy/a

getfacl /home/idle-boy/a
getfacl: Removing leading ‘/’ from absolute path names
# file: home/idle-boy/a
# owner: root
# group: root
user::rw-
group::r–
other::r–

setfacl -m u:idle-boy:rw -m g:idle-boy:rwx /home/idle-boy/a

getfacl: Removing leading ‘/’ from absolute path names
# file: home/idle-boy/a
# owner: root
# group: root
user::rw-
user:idle-boy:rw-
group::r–
group:idle-boy:rwx
mask::rwx
other::r–

Quotas:
– check if kernel support quota:
grep CONFIG_QUOTA /boot/config-`uname -r`
you should see:
CONFIG_QUOTA=y

– quota package: quota

Using Quota
two file have to be presented in the file system you need to activate quota in:
quota.user: for user related quota
quota.group: for group related quota
to create this files, you need to mount the file system with quota support:

mount -t ext3 /dev/sdaX /mount-point -o remount, usrquota, grpquota

now create the files using quotacheck command:
quotacheck -cugm /mount-point

to activate quota in the mount point use quotaon:
quotaon /mount-point

to edit users quota, use edquota command, for example:
edquota -u f00

to report quota usege use repquota command…

it’s better to automate quotacheck, use a cronjob for that..

###############################

PAM:
A very good book to read about/understand PAM is: Pluggable Authentication Modules for Kenneth Geisshirt, from Packt Publishing.

you can find information about PAM at this location:
/usr/share/doc/pam-version-num/txts

to prevent other users login but root:
touch /etc/nologin
and /etc/pam.d/login must contain:
account required pam_nologin.so
after the last auth module.

you can type a msg in that file, the msg will appear for successful login (root) and failed login (other users)

to control root access into tty, edit /etc/securetty

Four different type of PAM modules:
– auth: username/password are here..
– account: allows or denies access according to the account policies (ex/ password expiration date)
– password: manages other password policies.
– session: applies settings for an application..

###############################

LDAP (client):
needed rpm packages:
openldap, openldap-client, nss_ldap
two files to be edited:
/etc/ldap.conf: change the following:
host IP ldap server ip is written here..
base dc=sqawasmi,dc=com sets the default base distinguished name, in this case, sqawasmi.com
ssl strt_tls needed if you want TLS support to encrypt passwords..
pam_password supports encryption schemes for passwords, options are: crypt, nds and ad
nss_init, groups_ignoreusers root, ldap assumes no supplemental groups in LDAP server.

/etc/openldap.conf
BASE dc=sqawasmi,dc=com same as dc in /etc/ldap.conf
URI ldap://IP LDAP server ip..

make sure that your client will look for LDAP server for key authentication, for example:
/etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap

there is no services to run in the boot process..

###############################

NIS (client):
rpm packages:

to activate NIS client you need to edit one file:
/etc/yp.conf:
domain NIS-DomainName server NIS-Server

make sure that your client will look for NIS server for key authentication, for example:
passwd: files nis
shadow: files nis
group: files nis

you need to activate ypbind and also chkconfig it to run in boot..
service ypbind start && chkconfig ypbind on

##############################

NFS

man exports; to see the format of /etc/exports
on server:
/etc/init.d/portmap start && /etc/init.d/nfs start
edit /etc/exports, ex:
/data *.sqawasmi.com(rw,sync) *(ro,sync) 10.0.0.0/24(ro,sync)
exportfs -a

on client:
mount -t nfs 10.0.0.1:/data /mnt/share -o soft,timeo=300

if you used the hostname to export to, then you need a working DNS, it use dnslookup to know the IP..

to know that every thing is running in the server:
rpcinfo -p HOST

show mounts on the server:
showmount -e HOST

put it in the boot process: chkconfig nfs on && chkconfig portmap on

for selinux see man nfs_selinux

securing using iptables:
edit /etc/sysconfig/nfs, and configure rcp* ports:
LOCKD_TCPPORT=33332
LOCKD_UDPPORT=33333
MOUNTD_PORT=33334
STATD_PORT=33335

in /etc/services put rquotad tcp/udp ports:
rquotad 33330/tcp
rquotad 33331/udp

grep nfs /etc/services
grep portmap /etc/services

open the ports…

###################################

vsFTPD:
enable anonymous access:
anonymous_enable=yes
enable remote users write:
write_enable=yes
enable local users login:
local_enable=yes
to enable pam authintication:
pam_service_name=vsftpd
support the use of security commands of tcp_wrappers:
tcp_wrappers=yes
welcome msg:
ftpd_banner=Welcome..
or in users home directory, in .message, but you need to enable:
dirmessage_enable=yes
controlling who can loging using /etc/vsftpd/user_list file, yes means don’t allow, no means allow them
userlist_enable=yes
(pam also check /etc/vsftpd/ftpusers for allowed users)

for selinux see ftpd_selinux

#####################################

DNS

install bind bind-utils caching-nameserver, and bind-chroot if you need it in chrooted environment..

Caching Name Server:
cp /etc/named.caching-nameserver.conf /etc/named.conf
edit /etc/named.conf and change the following as you like:
listen-on port 53 { 127.0.0.1; }; // for example: listen-on port 53 { 127.0.0.1; 10.0.0.1;};
allow-query { localhost; }; allow-query // ex: { localhost; 10.0.0.0/24; }; to serv for 10.0.0.0/24 network

/etc/named start
chkconfig named on

Slave Name Server:
same as Caching file but add a zone (look at /etc/named.rfc1912.zones) for your domain and it’s master server, for example:
zone “sqawasmi.com” IN {
type slave;
file “slaves/sqawasmi.com”;
masters {
10.0.0.1;
};
}

also you may add another zone for ptr, example:

zone “0.0.10.in-addr.arpa” IN {
type slave;
file “slaves/sqawasmi.rr.com”;
masters {
10.0.0.1;
};
}

A Forwarding Only Name Server:
you need to add two things into options:
forward only;
forwarders {
10.0.0.1;
10.0.0.2;
};

Master Name Server:
selinux: setsebool -P named_write_master_zones 1
(look at /etc/named.rfc1912.zones) for your domain and it’s master server, for example:
zone “sqawasmi.com” IN {
type slave;
file “sqawasmi.com”;
}

also you may add another zone for ptr, example:

zone “0.0.10.in-addr.arpa” IN {
type slave;
file “slaves/sqawasmi.rr.com”;
}

now you need to create a zones file under /var/named, you can use /var/named/localhost.zone as template for your zone, for example:
/var/named/sqawasmi.com.zone
$TTL 86400
@ IN SOA @ sqawasmi.com. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum

IN NS @
IN A 10.0.0.10
blog IN A 10.0.0.1
other IN A 10.0.0.2
IN AAAA ::1

for ptr zone:
/var/named/sqawasmi.com.rr.zone
$TTL 86400
@ IN SOA @ sqawasmi.com. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum

IN NS @
10 IN ptr sqawasmi.com.
1 IN ptr blog.sqawasmi.com.
2 IN ptr other.sqawasmi.com.

finally you have to create a rndc key, use this:
rndc-confgen -a -b 512

add this to your named.conf file:
include “/etc/rndc.key”;

###################################

NTP
Client:
choose one of the servers listed in /etc/ntp.conf, then:
ntpdate 0.rhel.pool.ntp.org

/etc/init.d/ntpd start
chkconfig ntpd on

server:
allow other servers in your client to connect to you:
restrict 10.0.0.0 mask 255.255.255.0 nomodify notrap

or you can allow one client:
restrict 10.0.0.2 mask 255.255.255.255 nomodify notrap

####################################

DHCP
Server:
package: dhcp
configuration file: /etc/dhcp.conf
see: /usr/share/doc/dhcp-*/dhcpd.conf.sample

Client:
package: dhclient

####################################

SQUID
port number:
http_port 3128

don’t cache URLs contain cgi-bin or ?
use hierarchy_stoplist directive and urlpath_regex in acl
hierarchy_stoplist cgi-bin ?
acl DontCache urlpath_regex cgi-bin \?
cache deny DontCache

specify a freshness for a service:
you can use refres_pattern directive:
refresh_pattern regex: Min percent Max
where
Min: is the time (in minutes) an object without an explicit expiry time should be considered fresh.
Max: is an upper (in minutes) limit on how long objects without an explicit expiry time will be considered fresh.
example:
refersh_pattern ^ftp: 1440 20% 10080

use acl with src to create acl, ex:
acl my_lan src 10.0.0.0/24
use http_access to allow or deny all, networks, host, or ports, for example, allow my_lan and deny others
http_access allow my_lan
http_access deny all

specify the local computer name:
visible_hostname LocalComputerName

to create a basic cache directories in /var/spool/squid use:
squid -z

squid with nating:
iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 –j REDIRECT –to-ports 3128

for selinux see;

/etc/squid/squid.conf has a lot explanation…

####################################

sendmail, Postfix and dovecot:

sendmail:
add your domain into /etc/mail/local-host-names
vi /etc/mail/sendmail.mc
allow other computers to to use your sendmail server, comment the following:
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA’)dnl
don’t accept unresolvable domains, comment the follwoing:
FEATURE(`accept_unresolvable_domains’)dnl

edit /etc/mail/access to relay/reject/discard outgoing domains, for example
@example.org REJECT
deny.sqawasmi.com REJECT
sqawasmi.com RELAY
10.0.0 RELAY

edit /etc/aliases to for aliasing and then do newaliases command
me : shaker
idle : shaker
~ # newaliases

/etc/mail/virtusertable used to map virual address to real address

send from another host:
define(`SMART_HOST’, `smtp.sqawasmi.com’)dnl
you should add access for this server in /etc/mail/access

make -C /etc/mail/

Postfix:
configuration file: /etc/postfix/main.cf

edit variables:
myhostname: this is the host will appear in the hello…
mydomain: your domain name
myorigin: this is the origin of the domain, for example sqawasmi.com, then all emails for shaker will be shaker@sqawasmi.com
inet_interfaces: what interfaces should i listen for?
mydestination: specifies the list of domains that this machine considers itself the final destination for.
mynetworks: specifies a list of trusted smtp clients.

access goes in this file: /etc/postfix/access
virual: /etc/postfix/virtual you need

Dovecot:
configuration file:
/etc/dovecot.conf

variables:
protocols: choose the protocol you want to use..
listen: if you don’t use the standard ports
ssl listen: same as above…

activate ssl:
ssl_disable = no
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
creating ssl certificates:
you need to edit /etc/pki/dovecot/dovecot-openssl.cnf file as rquired
issue this command:
/usr/share/doc/dovecot-versionNumber/examples/mkcert.sh

/etc/init.d/dovecot start && chkconfig dovecot on

####################################

tcp_wrappers
two files:
/etc/hosts.allow: tcp_wrappers look at this, if it find a match for the service it grants access, no additional searches are required, if no match in that file then it continue to read the next file:
/etc/hosts.deny: if it finds a match then deny access, if no match then access is automatically granted.

format:
daemon_list: client_list or ALL : ALL

for example:
/etc/hosts.allow:
sshd : 10.0.0.2
/etc/hosts.deny:
sshd : ALL
depending on those files, ssh login is permitted just for 10.0.0.2 host.

you can use subnet or a domain like this:
/etc/hosts.allow:
sshd : 10.0.0.0/255.255.255.0, .sqawasmi.com
/etc/hosts.deny:
sshd : ALL
depending on those files, ssh login is permitted for 10.0.0.0 network and all computers in sqawasmi.com domain.

you can use EXPECT operator to expect hosts/networks or daemons..

twist or spawn command to send messages, track access and log problems.. ex:
/etc/hosts.deny
sshd : nossh.sqawasmi.com : twist /bin/echo %c not allowed

iptables:
huh?

Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • StumbleUpon
  • Technorati
  • Reddit
  • Webnews
  • MisterWong
  • Y!GG

4 Responses to “RHCE-Notes”

  1. noon ali said:

    i want a software or programs that write by needham schrouder protocol if you can not found it sent the floe chart in my e_mail

    thank you!!

  2. AlexM said:

    Your blog is interesting!

    Keep up the good work!

  3. mike conigliaro said:

    thanks for this. i have also been posting my study notes at http://conigliaro.org/wiki/rhce

  4. Abraham said:

    Good work! Thanks for sharing! :^)

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>