RHCE-Notes

June 18, 2008

This is RHCE notes i wrote while studding for the exam, it doesn't cover all exam topics, maybe they can help you to review what did you studied no more.. User Administration: - adduser UserName - deluser UserName - usermod: to modifiy user information.. - chage: change expiration date for user account. - always when you use a directory as a share for a group, use SGID, for ex: chmod 2770 /share-dir for login/logout scripts and bash, refer to this topic: bash loging, startup scripts and shell initialization files ACL: mount with acl, ex: mount -o remount, acl /dev/sda5 /home as root: touch /home/idle-boy/a getfacl /home/idle-boy/a getfacl: Removing leading '/' from absolute path names # file: home/idle-boy/a # owner: root # group: root user::rw- group::r-- other::r-- setfacl -m u:idle-boy:rw -m g:idle-boy:rwx /home/idle-boy/a getfacl: Removing leading '/' from absolute path names # file: home/idle-boy/a # owner: root # group: root user::rw- user:idle-boy:rw- group::r-- group:idle-boy:rwx mask::rwx other::r-- Quotas: - check if kernel support quota: grep CONFIG_QUOTA /boot/config-`uname -r` you should see: CONFIG_QUOTA=y - quota package: quota Using Quota two file have to be presented in the file system you need to activate quota in: quota.user: for user related quota quota.group: for group related quota to create this files, you need to mount the file system with quota support: mount -t ext3 /dev/sdaX /mount-point -o remount, usrquota, grpquota now create the files using quotacheck command: quotacheck -cugm /mount-point to activate quota in the mount point use quotaon: quotaon /mount-point to edit users quota, use edquota command, for example: edquota -u f00 to report quota usege use repquota command... it's better to automate quotacheck, use a cronjob for that.. ############################### PAM: A very good book to read about/understand PAM is: Pluggable Authentication Modules for Kenneth Geisshirt, from Packt Publishing. you can find information about PAM at this location: /usr/share/doc/pam-version-num/txts to prevent other users login but root: touch /etc/nologin and /etc/pam.d/login must contain: account required pam_nologin.so after the last auth module. you can type a msg in that file, the msg will appear for successful login (root) and failed login (other users) to control root access into tty, edit /etc/securetty Four different type of PAM modules: - auth: username/password are here.. - account: allows or denies access according to the account policies (ex/ password expiration date) - password: manages other password policies. - session: applies settings for an application.. ############################### LDAP (client): needed rpm packages: openldap, openldap-client, nss_ldap two files to be edited: /etc/ldap.conf: change the following: host IP ldap server ip is written here.. base dc=sqawasmi,dc=com sets the default base distinguished name, in this case, sqawasmi.com ssl strt_tls needed if you want TLS support to encrypt passwords.. pam_password supports encryption schemes for passwords, options are: crypt, nds and ad nss_init, groups_ignoreusers root, ldap assumes no supplemental groups in LDAP server. /etc/openldap.conf BASE dc=sqawasmi,dc=com same as dc in /etc/ldap.conf URI ldap://IP LDAP server ip.. make sure that your client will look for LDAP server for key authentication, for example: /etc/nsswitch.conf: passwd: files ldap shadow: files ldap group: files ldap there is no services to run in the boot process.. ############################### NIS (client): rpm packages: to activate NIS client you need to edit one file: /etc/yp.conf: domain NIS-DomainName server NIS-Server make sure that your client will look for NIS server for key authentication, for example: passwd: files nis shadow: files nis group: files nis you need to activate ypbind and also chkconfig it to run in boot.. service ypbind start && chkconfig ypbind on ############################## NFS man exports; to see the format of /etc/exports on server: /etc/init.d/portmap start && /etc/init.d/nfs start edit /etc/exports, ex: /data *.sqawasmi.com(rw,sync) *(ro,sync) 10.0.0.0/24(ro,sync) exportfs -a on client: mount -t nfs 10.0.0.1:/data /mnt/share -o soft,timeo=300 if you used the hostname to export to, then you need a working DNS, it use dnslookup to know the IP.. to know that every thing is running in the server: rpcinfo -p HOST show mounts on the server: showmount -e HOST put it in the boot process: chkconfig nfs on && chkconfig portmap on for selinux see man nfs_selinux securing using iptables: edit /etc/sysconfig/nfs, and configure rcp* ports: LOCKD_TCPPORT=33332 LOCKD_UDPPORT=33333 MOUNTD_PORT=33334 STATD_PORT=33335 in /etc/services put rquotad tcp/udp ports: rquotad 33330/tcp rquotad 33331/udp grep nfs /etc/services grep portmap /etc/services open the ports... ################################### vsFTPD: enable anonymous access: anonymous_enable=yes enable remote users write: write_enable=yes enable local users login: local_enable=yes to enable pam authintication: pam_service_name=vsftpd support the use of security commands of tcp_wrappers: tcp_wrappers=yes welcome msg: ftpd_banner=Welcome.. or in users home directory, in .message, but you need to enable: dirmessage_enable=yes controlling who can loging using /etc/vsftpd/user_list file, yes means don't allow, no means allow them userlist_enable=yes (pam also check /etc/vsftpd/ftpusers for allowed users) for selinux see ftpd_selinux ##################################### DNS install bind bind-utils caching-nameserver, and bind-chroot if you need it in chrooted environment.. Caching Name Server: cp /etc/named.caching-nameserver.conf /etc/named.conf edit /etc/named.conf and change the following as you like: listen-on port 53 { 127.0.0.1; }; // for example: listen-on port 53 { 127.0.0.1; 10.0.0.1;}; allow-query { localhost; }; allow-query // ex: { localhost; 10.0.0.0/24; }; to serv for 10.0.0.0/24 network /etc/named start chkconfig named on Slave Name Server: same as Caching file but add a zone (look at /etc/named.rfc1912.zones) for your domain and it's master server, for example: zone "sqawasmi.com" IN { type slave; file "slaves/sqawasmi.com"; masters { 10.0.0.1; }; } also you may add another zone for ptr, example: zone "0.0.10.in-addr.arpa" IN { type slave; file "slaves/sqawasmi.rr.com"; masters { 10.0.0.1; }; } A Forwarding Only Name Server: you need to add two things into options: forward only; forwarders { 10.0.0.1; 10.0.0.2; }; Master Name Server: selinux: setsebool -P named_write_master_zones 1 (look at /etc/named.rfc1912.zones) for your domain and it's master server, for example: zone "sqawasmi.com" IN { type slave; file "sqawasmi.com"; } also you may add another zone for ptr, example: zone "0.0.10.in-addr.arpa" IN { type slave; file "slaves/sqawasmi.rr.com"; } now you need to create a zones file under /var/named, you can use /var/named/localhost.zone as template for your zone, for example: /var/named/sqawasmi.com.zone $TTL 86400 @ IN SOA @ sqawasmi.com. ( 42 ; serial (d. adams) 3H ; refresh 15M ; retry 1W ; expiry 1D ) ; minimum IN NS @ IN A 10.0.0.10 blog IN A 10.0.0.1 other IN A 10.0.0.2 IN AAAA ::1 for ptr zone: /var/named/sqawasmi.com.rr.zone $TTL 86400 @ IN SOA @ sqawasmi.com. ( 42 ; serial (d. adams) 3H ; refresh 15M ; retry 1W ; expiry 1D ) ; minimum IN NS @ 10 IN ptr sqawasmi.com. 1 IN ptr blog.sqawasmi.com. 2 IN ptr other.sqawasmi.com. finally you have to create a rndc key, use this: rndc-confgen -a -b 512 add this to your named.conf file: include "/etc/rndc.key"; ################################### NTP Client: choose one of the servers listed in /etc/ntp.conf, then: ntpdate 0.rhel.pool.ntp.org /etc/init.d/ntpd start chkconfig ntpd on server: allow other servers in your client to connect to you: restrict 10.0.0.0 mask 255.255.255.0 nomodify notrap or you can allow one client: restrict 10.0.0.2 mask 255.255.255.255 nomodify notrap #################################### DHCP Server: package: dhcp configuration file: /etc/dhcp.conf see: /usr/share/doc/dhcp-*/dhcpd.conf.sample Client: package: dhclient #################################### SQUID port number: http_port 3128 don't cache URLs contain cgi-bin or ? use hierarchy_stoplist directive and urlpath_regex in acl hierarchy_stoplist cgi-bin ? acl DontCache urlpath_regex cgi-bin \? cache deny DontCache specify a freshness for a service: you can use refres_pattern directive: refresh_pattern regex: Min percent Max where Min: is the time (in minutes) an object without an explicit expiry time should be considered fresh. Max: is an upper (in minutes) limit on how long objects without an explicit expiry time will be considered fresh. example: refersh_pattern ^ftp: 1440 20% 10080 use acl with src to create acl, ex: acl my_lan src 10.0.0.0/24 use http_access to allow or deny all, networks, host, or ports, for example, allow my_lan and deny others http_access allow my_lan http_access deny all specify the local computer name: visible_hostname LocalComputerName to create a basic cache directories in /var/spool/squid use: squid -z squid with nating: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 --j REDIRECT --to-ports 3128 for selinux see; /etc/squid/squid.conf has a lot explanation... #################################### sendmail, Postfix and dovecot: sendmail: add your domain into /etc/mail/local-host-names vi /etc/mail/sendmail.mc allow other computers to to use your sendmail server, comment the following: DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl don't accept unresolvable domains, comment the follwoing: FEATURE(`accept_unresolvable_domains')dnl edit /etc/mail/access to relay/reject/discard outgoing domains, for example @example.org REJECT deny.sqawasmi.com REJECT sqawasmi.com RELAY 10.0.0 RELAY edit /etc/aliases to for aliasing and then do newaliases command me : shaker idle : shaker ~ # newaliases /etc/mail/virtusertable used to map virual address to real address send from another host: define(`SMART_HOST', `smtp.sqawasmi.com')dnl you should add access for this server in /etc/mail/access make -C /etc/mail/ Postfix: configuration file: /etc/postfix/main.cf edit variables: myhostname: this is the host will appear in the hello... mydomain: your domain name myorigin: this is the origin of the domain, for example sqawasmi.com, then all emails for shaker will be shaker@sqawasmi.com inet_interfaces: what interfaces should i listen for? mydestination: specifies the list of domains that this machine considers itself the final destination for. mynetworks: specifies a list of trusted smtp clients. access goes in this file: /etc/postfix/access virual: /etc/postfix/virtual you need Dovecot: configuration file: /etc/dovecot.conf variables: protocols: choose the protocol you want to use.. listen: if you don't use the standard ports ssl listen: same as above... activate ssl: ssl_disable = no ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem ssl_key_file = /etc/pki/dovecot/private/dovecot.pem creating ssl certificates: you need to edit /etc/pki/dovecot/dovecot-openssl.cnf file as rquired issue this command: /usr/share/doc/dovecot-versionNumber/examples/mkcert.sh /etc/init.d/dovecot start && chkconfig dovecot on #################################### tcp_wrappers two files: /etc/hosts.allow: tcp_wrappers look at this, if it find a match for the service it grants access, no additional searches are required, if no match in that file then it continue to read the next file: /etc/hosts.deny: if it finds a match then deny access, if no match then access is automatically granted. format: daemon_list: client_list or ALL : ALL for example: /etc/hosts.allow: sshd : 10.0.0.2 /etc/hosts.deny: sshd : ALL depending on those files, ssh login is permitted just for 10.0.0.2 host. you can use subnet or a domain like this: /etc/hosts.allow: sshd : 10.0.0.0/255.255.255.0, .sqawasmi.com /etc/hosts.deny: sshd : ALL depending on those files, ssh login is permitted for 10.0.0.0 network and all computers in sqawasmi.com domain. you can use EXPECT operator to expect hosts/networks or daemons.. twist or spawn command to send messages, track access and log problems.. ex: /etc/hosts.deny sshd : nossh.sqawasmi.com : twist /bin/echo %c not allowed iptables: huh?

Posted in Linux others.., RHCE