{"id":40,"date":"2008-06-18T18:30:19","date_gmt":"2008-06-18T16:30:19","guid":{"rendered":"http:\/\/blog.sqawasmi.com\/?p=40"},"modified":"2008-10-04T10:15:36","modified_gmt":"2008-10-04T08:15:36","slug":"rhce-notes","status":"publish","type":"post","link":"https:\/\/blog.sqawasmi.com\/index.php\/2008\/06\/18\/rhce-notes\/","title":{"rendered":"RHCE-Notes"},"content":{"rendered":"

This is RHCE notes i wrote while studding for the exam, it doesn’t cover all exam topics, maybe they can help you to review what did you studied no more..
\nUser Administration:
\n– adduser UserName
\n– deluser UserName
\n– usermod: to modifiy user information..
\n– chage: change expiration date for user account.
\n– always when you use a directory as a share for a group, use SGID, for ex: chmod 2770 \/share-dir<\/p>\n

for login\/logout scripts and bash, refer to this topic: bash loging, startup scripts and shell initialization files<\/a><\/p>\n

ACL:
\nmount with acl, ex:
\nmount -o remount, acl \/dev\/sda5 \/home
\nas root: touch \/home\/idle-boy\/a<\/p>\n

getfacl \/home\/idle-boy\/a
\ngetfacl: Removing leading ‘\/’ from absolute path names
\n# file: home\/idle-boy\/a
\n# owner: root
\n# group: root
\nuser::rw-
\ngroup::r–
\nother::r–<\/p>\n

setfacl -m u:idle-boy:rw -m g:idle-boy:rwx \/home\/idle-boy\/a<\/p>\n

getfacl: Removing leading ‘\/’ from absolute path names
\n# file: home\/idle-boy\/a
\n# owner: root
\n# group: root
\nuser::rw-
\nuser:idle-boy:rw-
\ngroup::r–
\ngroup:idle-boy:rwx
\nmask::rwx
\nother::r–<\/p>\n

Quotas:
\n– check if kernel support quota:
\ngrep CONFIG_QUOTA \/boot\/config-`uname -r`
\nyou should see:
\nCONFIG_QUOTA=y<\/p>\n

– quota package: quota<\/p>\n

Using Quota
\ntwo file have to be presented in the file system you need to activate quota in:
\nquota.user: for user related quota
\nquota.group: for group related quota
\nto create this files, you need to mount the file system with quota support:<\/p>\n

mount -t ext3 \/dev\/sdaX \/mount-point -o remount, usrquota, grpquota<\/p>\n

now create the files using quotacheck command:
\nquotacheck -cugm \/mount-point<\/p>\n

to activate quota in the mount point use quotaon:
\nquotaon \/mount-point<\/p>\n

to edit users quota, use edquota command, for example:
\nedquota -u f00<\/p>\n

to report quota usege use repquota command…<\/p>\n

it’s better to automate quotacheck, use a cronjob for that..<\/p>\n

###############################<\/p>\n

PAM:
\nA very good book to read about\/understand PAM is: Pluggable Authentication Modules for Kenneth Geisshirt, from Packt Publishing.<\/p>\n

you can find information about PAM at this location:
\n\/usr\/share\/doc\/pam-version-num\/txts<\/p>\n

to prevent other users login but root:
\ntouch \/etc\/nologin
\nand \/etc\/pam.d\/login must contain:
\naccount required pam_nologin.so
\nafter the last auth module.<\/p>\n

you can type a msg in that file, the msg will appear for successful login (root) and failed login (other users)<\/p>\n

to control root access into tty, edit \/etc\/securetty<\/p>\n

Four different type of PAM modules:
\n– auth: username\/password are here..
\n– account: allows or denies access according to the account policies (ex\/ password expiration date)
\n– password: manages other password policies.
\n– session: applies settings for an application..<\/p>\n

###############################<\/p>\n

LDAP (client):
\nneeded rpm packages:
\nopenldap, openldap-client, nss_ldap
\ntwo files to be edited:
\n\/etc\/ldap.conf: change the following:
\nhost IP ldap server ip is written here..
\nbase dc=sqawasmi,dc=com sets the default base distinguished name, in this case, sqawasmi.com
\nssl strt_tls needed if you want TLS support to encrypt passwords..
\npam_password supports encryption schemes for passwords, options are: crypt, nds and ad
\nnss_init, groups_ignoreusers root, ldap assumes no supplemental groups in LDAP server.<\/p>\n

\/etc\/openldap.conf
\nBASE dc=sqawasmi,dc=com same as dc in \/etc\/ldap.conf
\nURI ldap:\/\/IP LDAP server ip..<\/p>\n

make sure that your client will look for LDAP server for key authentication, for example:
\n\/etc\/nsswitch.conf:
\npasswd: files ldap
\nshadow: files ldap
\ngroup: files ldap<\/p>\n

there is no services to run in the boot process..<\/p>\n

###############################<\/p>\n

NIS (client):
\nrpm packages:<\/p>\n

to activate NIS client you need to edit one file:
\n\/etc\/yp.conf:
\ndomain NIS-DomainName server NIS-Server<\/p>\n

make sure that your client will look for NIS server for key authentication, for example:
\npasswd: files nis
\nshadow: files nis
\ngroup: files nis<\/p>\n

you need to activate ypbind and also chkconfig it to run in boot..
\nservice ypbind start && chkconfig ypbind on<\/p>\n

##############################<\/p>\n

NFS<\/p>\n

man exports; to see the format of \/etc\/exports
\non server:
\n\/etc\/init.d\/portmap start && \/etc\/init.d\/nfs start
\nedit \/etc\/exports, ex:
\n\/data *.sqawasmi.com(rw,sync) *(ro,sync) 10.0.0.0\/24(ro,sync)
\nexportfs -a<\/p>\n

on client:
\nmount -t nfs 10.0.0.1:\/data \/mnt\/share -o soft,timeo=300<\/p>\n

if you used the hostname to export to, then you need a working DNS, it use dnslookup to know the IP..<\/p>\n

to know that every thing is running in the server:
\nrpcinfo -p HOST<\/p>\n

show mounts on the server:
\nshowmount -e HOST<\/p>\n

put it in the boot process: chkconfig nfs on && chkconfig portmap on<\/p>\n

for selinux see man nfs_selinux<\/p>\n

securing using iptables:
\nedit \/etc\/sysconfig\/nfs, and configure rcp* ports:
\nLOCKD_TCPPORT=33332
\nLOCKD_UDPPORT=33333
\nMOUNTD_PORT=33334
\nSTATD_PORT=33335<\/p>\n

in \/etc\/services put rquotad tcp\/udp ports:
\nrquotad 33330\/tcp
\nrquotad 33331\/udp<\/p>\n

grep nfs \/etc\/services
\ngrep portmap \/etc\/services<\/p>\n

open the ports…<\/p>\n

###################################<\/p>\n

vsFTPD:
\nenable anonymous access:
\nanonymous_enable=yes
\nenable remote users write:
\nwrite_enable=yes
\nenable local users login:
\nlocal_enable=yes
\nto enable pam authintication:
\npam_service_name=vsftpd
\nsupport the use of security commands of tcp_wrappers:
\ntcp_wrappers=yes
\nwelcome msg:
\nftpd_banner=Welcome..
\nor in users home directory, in .message, but you need to enable:
\ndirmessage_enable=yes
\ncontrolling who can loging using \/etc\/vsftpd\/user_list file, yes means don’t allow, no means allow them
\nuserlist_enable=yes
\n(pam also check \/etc\/vsftpd\/ftpusers for allowed users)<\/p>\n

for selinux see ftpd_selinux<\/p>\n

#####################################<\/p>\n

DNS<\/p>\n

install bind bind-utils caching-nameserver, and bind-chroot if you need it in chrooted environment..<\/p>\n

Caching Name Server:
\ncp \/etc\/named.caching-nameserver.conf \/etc\/named.conf
\nedit \/etc\/named.conf and change the following as you like:
\nlisten-on port 53 { 127.0.0.1; }; \/\/ for example: listen-on port 53 { 127.0.0.1; 10.0.0.1;};
\nallow-query { localhost; }; allow-query \/\/ ex: { localhost; 10.0.0.0\/24; }; to serv for 10.0.0.0\/24 network<\/p>\n

\/etc\/named start
\nchkconfig named on<\/p>\n

Slave Name Server:
\nsame as Caching file but add a zone (look at \/etc\/named.rfc1912.zones) for your domain and it’s master server, for example:
\nzone “sqawasmi.com” IN {
\ntype slave;
\nfile “slaves\/sqawasmi.com”;
\nmasters {
\n10.0.0.1;
\n};
\n}<\/p>\n

also you may add another zone for ptr, example:<\/p>\n

zone “0.0.10.in-addr.arpa” IN {
\ntype slave;
\nfile “slaves\/sqawasmi.rr.com”;
\nmasters {
\n10.0.0.1;
\n};
\n}<\/p>\n

A Forwarding Only Name Server:
\nyou need to add two things into options:
\nforward only;
\nforwarders {
\n10.0.0.1;
\n10.0.0.2;
\n};<\/p>\n

Master Name Server:
\nselinux: setsebool -P named_write_master_zones 1
\n(look at \/etc\/named.rfc1912.zones) for your domain and it’s master server, for example:
\nzone “sqawasmi.com” IN {
\ntype slave;
\nfile “sqawasmi.com”;
\n}<\/p>\n

also you may add another zone for ptr, example:<\/p>\n

zone “0.0.10.in-addr.arpa” IN {
\ntype slave;
\nfile “slaves\/sqawasmi.rr.com”;
\n}<\/p>\n

now you need to create a zones file under \/var\/named, you can use \/var\/named\/localhost.zone as template for your zone, for example:
\n\/var\/named\/sqawasmi.com.zone
\n$TTL 86400
\n@ IN SOA @ sqawasmi.com. (
\n42 ; serial (d. adams)
\n3H ; refresh
\n15M ; retry
\n1W ; expiry
\n1D ) ; minimum<\/p>\n

IN NS @
\nIN A 10.0.0.10
\nblog IN A 10.0.0.1
\nother IN A 10.0.0.2
\nIN AAAA ::1<\/p>\n

for ptr zone:
\n\/var\/named\/sqawasmi.com.rr.zone
\n$TTL 86400
\n@ IN SOA @ sqawasmi.com. (
\n42 ; serial (d. adams)
\n3H ; refresh
\n15M ; retry
\n1W ; expiry
\n1D ) ; minimum<\/p>\n

IN NS @
\n10 IN ptr sqawasmi.com.
\n1 IN ptr blog.sqawasmi.com.
\n2 IN ptr other.sqawasmi.com.<\/p>\n

finally you have to create a rndc key, use this:
\nrndc-confgen -a -b 512<\/p>\n

add this to your named.conf file:
\ninclude “\/etc\/rndc.key”;<\/p>\n

###################################<\/p>\n

NTP
\nClient:
\nchoose one of the servers listed in \/etc\/ntp.conf, then:
\nntpdate 0.rhel.pool.ntp.org<\/p>\n

\/etc\/init.d\/ntpd start
\nchkconfig ntpd on<\/p>\n

server:
\nallow other servers in your client to connect to you:
\nrestrict 10.0.0.0 mask 255.255.255.0 nomodify notrap<\/p>\n

or you can allow one client:
\nrestrict 10.0.0.2 mask 255.255.255.255 nomodify notrap<\/p>\n

####################################<\/p>\n

DHCP
\nServer:
\npackage: dhcp
\nconfiguration file: \/etc\/dhcp.conf
\nsee: \/usr\/share\/doc\/dhcp-*\/dhcpd.conf.sample<\/p>\n

Client:
\npackage: dhclient<\/p>\n

####################################<\/p>\n

SQUID
\nport number:
\nhttp_port 3128<\/p>\n

don’t cache URLs contain cgi-bin or ?
\nuse hierarchy_stoplist directive and urlpath_regex in acl
\nhierarchy_stoplist cgi-bin ?
\nacl DontCache urlpath_regex cgi-bin \\?
\ncache deny DontCache<\/p>\n

specify a freshness for a service:
\nyou can use refres_pattern directive:
\nrefresh_pattern regex: Min percent Max
\nwhere
\nMin: is the time (in minutes) an object without an explicit expiry time should be considered fresh.
\nMax: is an upper (in minutes) limit on how long objects without an explicit expiry time will be considered fresh.
\nexample:
\nrefersh_pattern ^ftp: 1440 20% 10080<\/p>\n

use acl with src to create acl, ex:
\nacl my_lan src 10.0.0.0\/24
\nuse http_access to allow or deny all, networks, host, or ports, for example, allow my_lan and deny others
\nhttp_access allow my_lan
\nhttp_access deny all<\/p>\n

specify the local computer name:
\nvisible_hostname LocalComputerName<\/p>\n

to create a basic cache directories in \/var\/spool\/squid use:
\nsquid -z<\/p>\n

squid with nating:
\niptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 –j REDIRECT –to-ports 3128<\/p>\n

for selinux see;<\/p>\n

\/etc\/squid\/squid.conf has a lot explanation…<\/p>\n

####################################<\/p>\n

sendmail, Postfix and dovecot:<\/p>\n

sendmail:
\nadd your domain into \/etc\/mail\/local-host-names
\nvi \/etc\/mail\/sendmail.mc
\nallow other computers to to use your sendmail server, comment the following:
\nDAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA’)dnl
\ndon’t accept unresolvable domains, comment the follwoing:
\nFEATURE(`accept_unresolvable_domains’)dnl<\/p>\n

edit \/etc\/mail\/access to relay\/reject\/discard outgoing domains, for example
\n@example.org REJECT
\ndeny.sqawasmi.com REJECT
\nsqawasmi.com RELAY
\n10.0.0 RELAY<\/p>\n

edit \/etc\/aliases to for aliasing and then do newaliases command
\nme : shaker
\nidle : shaker
\n~ # newaliases<\/p>\n

\/etc\/mail\/virtusertable used to map virual address to real address<\/p>\n

send from another host:
\ndefine(`SMART_HOST’, `smtp.sqawasmi.com’)dnl
\nyou should add access for this server in \/etc\/mail\/access<\/p>\n

make -C \/etc\/mail\/<\/p>\n

Postfix:
\nconfiguration file: \/etc\/postfix\/main.cf<\/p>\n

edit variables:
\nmyhostname: this is the host will appear in the hello…
\nmydomain: your domain name
\nmyorigin: this is the origin of the domain, for example sqawasmi.com, then all emails for shaker will be shaker@sqawasmi.com
\ninet_interfaces: what interfaces should i listen for?
\nmydestination: specifies the list of domains that this machine considers itself the final destination for.
\nmynetworks: specifies a list of trusted smtp clients.<\/p>\n

access goes in this file: \/etc\/postfix\/access
\nvirual: \/etc\/postfix\/virtual you need<\/p>\n

Dovecot:
\nconfiguration file:
\n\/etc\/dovecot.conf<\/p>\n

variables:
\nprotocols: choose the protocol you want to use..
\nlisten: if you don’t use the standard ports
\nssl listen: same as above…<\/p>\n

activate ssl:
\nssl_disable = no
\nssl_cert_file = \/etc\/pki\/dovecot\/certs\/dovecot.pem
\nssl_key_file = \/etc\/pki\/dovecot\/private\/dovecot.pem
\ncreating ssl certificates:
\nyou need to edit \/etc\/pki\/dovecot\/dovecot-openssl.cnf file as rquired
\nissue this command:
\n\/usr\/share\/doc\/dovecot-versionNumber\/examples\/mkcert.sh<\/p>\n

\/etc\/init.d\/dovecot start && chkconfig dovecot on<\/p>\n

####################################<\/p>\n

tcp_wrappers
\ntwo files:
\n\/etc\/hosts.allow: tcp_wrappers look at this, if it find a match for the service it grants access, no additional searches are required, if no match in that file then it continue to read the next file:
\n\/etc\/hosts.deny: if it finds a match then deny access, if no match then access is automatically granted.<\/p>\n

format:
\ndaemon_list: client_list or ALL : ALL<\/p>\n

for example:
\n\/etc\/hosts.allow:
\nsshd : 10.0.0.2
\n\/etc\/hosts.deny:
\nsshd : ALL
\ndepending on those files, ssh login is permitted just for 10.0.0.2 host.<\/p>\n

you can use subnet or a domain like this:
\n\/etc\/hosts.allow:
\nsshd : 10.0.0.0\/255.255.255.0, .sqawasmi.com
\n\/etc\/hosts.deny:
\nsshd : ALL
\ndepending on those files, ssh login is permitted for 10.0.0.0 network and all computers in sqawasmi.com domain.<\/p>\n

you can use EXPECT operator to expect hosts\/networks or daemons..<\/p>\n

twist or spawn command to send messages, track access and log problems.. ex:
\n\/etc\/hosts.deny
\nsshd : nossh.sqawasmi.com : twist \/bin\/echo %c not allowed<\/p>\n

iptables:
\nhuh?<\/p>\n

Related Images:<\/h3>","protected":false},"excerpt":{"rendered":"

This is RHCE notes i wrote while studding for the exam, it doesn’t cover all exam topics, maybe they can help you to review what did you studied no more..
\nUser Administration:
\n– adduser UserName
\n– deluser UserName
\n– usermod: to modifiy user information..
\n– chage: change expiration date for user account.
\n– always when you use a directory as a share for a group, use SGID, for ex: chmod 2770 \/share-dir<\/p>\n

for login\/logout scripts and bash, refer to this topic: bash loging, startup scripts and shell initialization files<\/p>\n

ACL:
\nmount with acl, ex:
\nmount -o remount, acl \/dev\/sda5 \/home
\nas root: touch \/home\/idle-boy\/a<\/p>\n

getfacl \/home\/idle-boy\/a
\ngetfacl: Removing leading ‘\/’ from<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"ngg_post_thumbnail":0,"footnotes":""},"categories":[18,20],"tags":[],"class_list":["post-40","post","type-post","status-publish","format-standard","hentry","category-linux-other-things","category-rhce"],"_links":{"self":[{"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/posts\/40","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/comments?post=40"}],"version-history":[{"count":3,"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/posts\/40\/revisions"}],"predecessor-version":[{"id":56,"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/posts\/40\/revisions\/56"}],"wp:attachment":[{"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/media?parent=40"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/categories?post=40"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.sqawasmi.com\/index.php\/wp-json\/wp\/v2\/tags?post=40"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}