RHCSA/RHCE Egypt

References used in this guide:
Linuxcbt
John Wiley, Red Hat Linux Networking and System Administration
RHCSA: Hands-on Guide to the Red Hat Exams
M. Jang, RHCSA/RHCE Red Hat Linux Certification Study Guide, 6th edition
SELinux (Arabic)

Contact:
janateba@hotmail.com
https://www.facebook.com/?q=#/tibea2004
TEL: 01009943027
CONTENTS

NETWORK
  4-5     Network configuration
  5-6     Network definition
  6-7     TCP/IP
  7-8
  8-10    TCP/IP
  10-12   IP
SYSTEM MONITOR AND SECURITY
  13      System monitor
  13-15   netstat
  15-18   nmap
  18-20   log
  20-22   Security overview
  23-24   sudo configuration
  24-25   Kerberos configuration
SELINUX
  26-27   SELinux
  28-32   SELinux
  28-31   Security context (label)
  31-32   Security policy
  32-34   SELinux
  34-37   SELinux
  37-41   SELinux
FIREWALL, XINETD, TCP WRAPPERS
  42-43   Firewall
  43-50   iptables
  50-51   NAT
  51-52   Connection tracking
  52-53   IP forwarding
  53-56
  56-57   The extended internet super-server (xinetd)
  57-58   TCP wrappers
PAM (PLUGGABLE AUTHENTICATION MODULES)
  59-61
  61-62   /etc/pam.d/reboot
  62-64   /etc/pam.d/system-auth
  64-67   PAM
  67-69   User authentication, account information, and password management
FILE SECURITY
  70-72
  72-73   /dev/random & /dev/urandom
  73-74   One-way hashes ("digital fingerprints")
  74-77   Symmetric encryption
  77-90   Asymmetric encryption
  90-92   X.509 digital certificates and public key infrastructure
REMOTE ACCESS
  93-101  SSH
  93-94
  94-97
  95-96   Key-based authentication
  96-97   One-time logins: the SSH agent
  97-99   SSH
  99-100  SSH
  100-101 SSH port forwarding (remote forward)
  102     VNC
APACHE SERVER
  103-106
  106-112 [httpd]
  112-116 Standard Apache security configuration
  117-118 Specialized Apache directories
  118-120 Virtual host
  121-125 Create SSL certificate
  125-126 CGI
  127-134 Squid (proxy web server cache)
LINUX NETWORK APPLICATIONS
  135-149 DNS
  149-153 DHCP
  153-156 Set up system utilization reports
  156-157 Configure a system logging server
  158-160 The Network Time Protocol service (NTP)
FILE SHARING SERVICES
  161-169 NFS (network file sharing)
  169-175 vsftpd
  175-191 Samba
  175-184 Samba services
  184-189 The Samba Web Administration Tool
  189-191 Samba as a client
  191     Samba troubleshooting
SMTP
  192-195
  195-199 Postfix configuration
  200-201 Postfix authentication
  201-206 Sendmail
  206-209 Dovecot mailbox server
MISCELLANEOUS
  210-212 iSCSI
  212-214 Bonding
  214-229

NETWORK CONFIGURATION

The network configuration of a Red Hat system lives in four files:
1- /etc/hosts
2- /etc/resolv.conf
3- /etc/sysconfig/network
4- /etc/sysconfig/network-scripts/ifcfg-ethX

1- /etc/hosts
Maps IP addresses to host names. It is used for name resolution on the local network before any DNS query is made.
[root@localhost ~]# vim /etc/hosts

Each line holds an IP address followed by the host name(s) it resolves to. To verify resolution, ping the address, the fully qualified name and the short name:
# ping 192.168.1.254
# ping router.mostafa.com
# ping router

Tools for checking connectivity and name resolution:
1- nmap
2- ping
3- traceroute domain, e.g. # traceroute www.yahoo.com
4- nslookup domain, e.g. # nslookup www.google.com
   When a name resolves to several addresses, a load balancer forwards each request to one of them.
5- dig domain, which gives more detail than nslookup.

2- /etc/resolv.conf
[root@localhost ~]# vim /etc/resolv.conf
It takes three directives: domain, search and nameserver. nameserver is the IP address of the DNS server to query.
[root@localhost ~]# hostname -f
Result: ds.janateba.com (host name ds, domain janateba.com)
The search domain is appended to short names, so "ping machine1" is resolved as "ping machine1.mostafa.com". The domain is also what a directory server (LDAP) domain is built on. Example contents:
domain mostafa.com
search mostafa.com
nameserver 192.168.126.2

Order of resolution: /etc/hosts is consulted first, then the name servers in /etc/resolv.conf (the order is set by the hosts line of /etc/nsswitch.conf).

The network can also be configured with system-config-network-tui (text interface) or with the graphical network tool.

3- /etc/sysconfig/network
Contains at least:
NETWORKING=yes
HOSTNAME=<host name>

To change the host name:
# hostname name
1- hostname sets the name immediately, but only until the next reboot.
2- Editing HOSTNAME in /etc/sysconfig/network makes the change permanent.
The kernel value can also be set directly:
# sysctl -w kernel.hostname=new_name

4- /etc/sysconfig/network-scripts/ifcfg-eth0
ifcfg stands for interface config; eth0 is the first LAN interface, and each interface has its own ifcfg file.
arp -n shows the ARP (address resolution) table, the mapping of IP addresses to MAC addresses on the LAN. ARP table poisoning is what tools such as netcut (version 1) use: they answer ARP requests with their own MAC address for the router's IP. A static entry added with arp -s pins the router's IP address to its real MAC address so that a poisoned reply is not accepted; this protects against netcut.
TCP/IP

TCP/IP is a family of protocols: ARP, ICMP, IP, UDP and TCP at the lower layers, and application protocols such as Telnet (today replaced by SSH), NFS, FTP and HTTP on top of them.

Services built on TCP/IP:
1- FTP: file transfer.
2- telnet: remote login, unencrypted; SSH has replaced it.
3- SMTP: e-mail.
4- NFS: network file sharing; unlike FTP the remote files are mounted and used in place.
6- Remote execution: rsh, rexec and ssh; RPC (Remote Procedure Call), of which Xerox Courier and Sun RPC are implementations.
7- Name services: NIS, DNS and LDAP.
8- Terminal access over the network (telnet).
9- Network graphical displays (X Window).

TCP/IP takes its name from its two main protocols, TCP and IP, and grew out of work funded by the US DoD. TCP (Transmission Control Protocol) provides a reliable, connection-oriented stream; UDP (User Datagram Protocol) is connectionless and does not guarantee delivery. ICMP (Internet Control Message Protocol) carries control and error messages (ping uses it); ICMP, like UDP, has no notion of a session, and unlike TCP and UDP it has no ports. Other members of the family: ARP, DNS, RIP, SMTP, Telnet.

TCP/IP is usually described against the seven-layer OSI/ISO reference model:

Physical Layer
The physical medium and its electrical characteristics: signal voltage swing, bit duration, and the interfaces (connectors).
Data Link Layer
Moves frames over the physical link between directly connected nodes. Examples: HDLC, SLIP, PPP.
Network Layer
Addresses hosts and routes packets between networks; IP lives here, and routers work at this layer (routing).
Transport Layer
End-to-end delivery on behalf of the session layer, with control of the data flow; TCP lives here, on top of the packet switching of the lower layers. Dynamic routing protocols such as BGP and OSPF run over IP.
Session Layer
Manages sessions between applications, used for example by e-commerce and by load balancing.
Presentation Layer
Packing and unpacking of data (encoding, compression, encryption).
Application Layer
The user-facing protocols: Telnet, FTP and mail (POP3 and SMTP).

The OSI model is a reference; TCP/IP predates it and follows the four-layer Internet Protocol Suite (IPS) described in RFC 1011, which the Berkeley and Sun implementations spread. IPv6 (originally IPng, "IP next generation") is the successor to IPv4.

Local area networks (LAN) at the lower OSI layers are mostly Ethernet: Ethernet, FastEthernet and GigaEthernet at 10, 100 and 1000 Mbit/s. Media are coaxial, twisted pair and fiber optic; twisted pair uses the RJ45 connector (10baseT, 100baseT). Segments are joined by repeaters and hubs, and Ethernet networks are interconnected by hubs, switches and routers.

Other LAN technologies: FDDI (Fiber Distributed Data Interface), a fiber ring used alongside Ethernet, and ATM (Asynchronous Transfer Mode), used in LANs and WANs.
WAN links: Frame Relay and X.25; amateur packet radio (AX.25, NetRom, Rose); and DSL variants (ADSL, RDSL).

[Figures: twisted-pair cable, coaxial cable, FDDI cable]

Under Linux each interface is named by type: ethX for Ethernet (X is the interface number), pppX for PPP, slX for SLIP and fddiX for FDDI.
TCP/IP ADDRESSING

Some terms:
intranet: a private network that uses the Internet protocols inside an organisation.
node: any device on the network with an address (computer, router, printer, ...).
Ethernet address (MAC address): the hardware address of the NIC (network interface card). It is unique: no two NICs share a MAC address. It is 48 bits long, written as six hexadecimal pairs (digits 0-9 and A-F), e.g.
00:88:40:73:AB:FF (hex)
0000 0000 1000 1000 0100 0000 0111 0011 1010 1011 1111 1111 (binary)
The address range is 00:00:00:00:00:00 to FF:FF:FF:FF:FF:FF. 00:00:00:00:00:00 is not a valid station address, and FF:FF:FF:FF:FF:FF is the broadcast address: every station on the segment receives a frame sent to it.

[Diagram: client (GIGABYTE, C:2300:5) -> switch -> router -> INTERNET]
A switch forwards frames inside the local segment by MAC address; a router forwards packets between networks by IP address (Internet Protocol).
hostname: the name of a node, up to 32 characters from a-z, A-Z, 0-9 and '.'.
Internet address (IP): in IPv4 a 32-bit number (2^32 addresses), written as four decimal numbers from 0 to 255 separated by dots (192.168.0.1). IPv6 uses 128 bits (2^128 addresses). DNS maps names to IP addresses.
port: the number that identifies a service on a host, separately for TCP and for UDP. telnet uses 23 and ftp 21; an alternative HTTP port such as 8080 is common for proxies and test servers.
Domain Name System (DNS): the distributed database that maps domain names (wikipedia.org) to IP addresses and back. Names are hierarchical: the top-level domains include com, edu, gov, mil and org; in http://www.uoc.edu the domain is uoc.edu, and in nteum@pirulo.remix.es it is remix.es. Before DNS, SRI-NIC maintained a single central hosts file.
DHCP, bootp: hand out IP configuration to hosts automatically.
ARP, RARP: on IEEE 802 LANs, ARP maps an IP address to a MAC address; RARP does the reverse (MAC to IP, used by diskless stations at boot).

Socket library: the sockets API is the programming interface to TCP/IP; a program opens a socket to talk to a server. The reference implementation is the Berkeley socket library; Windows has Winsock. In a LAN a server listens on a port (for example 8080) and a client connects to that address and port; the socket is the endpoint on each side. Sockets are used from C and C++ (libc; MFC wraps them on Windows). Address families: AF_INET (Internet), AF_UNIX (local), AF_IPX (Novell), AF_X25 (X.25), AF_ATMPVC and AF_ATMSVC (ATM), AF_AX25, AF_NETROM and AF_ROSE (amateur radio).
gateway: the router through which a node reaches other networks.
IP ADDRESSES

An IPv4 address is 32 bits, written as four numbers from 0 to 255. Some addresses are reserved: 0.0.0.0 (this host, and the default route), the 127 network (127.0.0.1, localhost, the loopback interface), a host part of all zeros (the network address, e.g. 192.168.0.0) and a host part of all ones (the broadcast address, e.g. 192.168.255.255 for 192.168.0.0 with a 16-bit mask).

Address classes:
Class A: Network.Host.Host.Host, 1.0.0.1 to 126.254.254.254; 126 networks of about 16 million hosts each.
Class B: Network.Network.Host.Host, 128.1.0.1 to 191.255.254.254; about 16 thousand networks of 65 thousand hosts.
Class C: Network.Network.Network.Host, 192.1.1.1 to 223.255.255.254; about 2 million networks of 254 hosts.
Classes D and E (224.0.0.0 and above, e.g. 234.1.1.1) are reserved; D is used for multicast.
Private ranges, not routed on the Internet: A 10.0.0.0-10.255.255.255, B 172.16.0.0-172.31.255.255, C 192.168.0.0-192.168.255.255.
Broadcast sends a datagram to every host on the network. ARP maps an IP address to the MAC address that actually receives the frame on the local link.

Binary form of IPv4:
8 bits . 8 bits . 8 bits . 8 bits
bit values 128 64 32 16 8 4 2 1 (bit 7 down to bit 0), so each octet holds 0 to 255
11110001.11111111.11110000.00000011 (binary)
= 128+64+32+16+1 . 128+64+32+16+8+4+2+1 . 128+64+32+16 . 2+1
= 241.255.240.3 (decimal)

NETMASK
The netmask says which of the 32 bits are the network part and which the host part; ANDing the address with the netmask gives the network address. The class defaults are 255.0.0.0 (A), 255.255.0.0 (B) and 255.255.255.0 (C). Example: the class B network 172.17.0.0 with netmask 255.255.0.0 can be split into 20 subnets 172.17.1.0 ... 172.17.20.0 with netmask 255.255.255.0, joined by a backbone.

route
Traffic between subnets goes through routers, using static routes or routing protocols: RIP (Routing Information Protocol), EGP (External Gateway Protocol) and BGP (Border Gateway Protocol); gated is the daemon that speaks them.

Subnetting examples
The all-ones mask 255.255.255.255 addresses one host. The default class C mask is 255.255.255.0 (IIIIIIII.IIIIIIII.IIIIIIII.00000000, 24 network bits). To size a subnet, count the host bits needed (2^n addresses, minus network and broadcast) and take the rest for the network:
- 80 hosts on 192.168.1.0: 7 host bits (2^7 = 128), leaving 24+1 = 25 network bits: mask 255.255.255.10000000 = 255.255.255.128, written 192.168.1.0/25.
- 9 hosts on 192.168.16.0: 4 host bits (2^4 = 16): mask 255.255.255.11110000 = 255.255.255.240, 192.168.16.0/28.
- An ISP assigns 192.168.0.0 for 40 hosts: 6 host bits (2^6 = 64), 32-6 = 26 network bits: 192.168.0.0/26, mask 255.255.255.11000000 = 255.255.255.192, broadcast 192.168.0.63.
- 6 hosts: 3 host bits (2^3 = 8): mask 255.255.255.11111000 = 255.255.255.248, /29.
- 517 hosts from the class B block 155.13.18.0: 10 host bits (2^10 = 1024), 32-10 = 22: 155.13.18.0/22.

Working out 155.13.18.0/22 in binary (the network bits are the first 22):
10011011.00001101.000100 10.00000000   address 155.13.18.0
11111111.11111111.111111 00.00000000   netmask 255.255.252.0
00000000.00000000.000000 11.11111111   wildcard 0.0.3.255
10011011.00001101.000100 00.00000000   network 155.13.16.0 (class B)
10011011.00001101.000100 11.11111111   broadcast 155.13.19.255
10011011.00001101.000100 00.00000001   first host 155.13.16.1
10011011.00001101.000100 11.11111110   last host 155.13.19.254

The same as reported by ipcalc:
Address:   155.13.18.0
Netmask:   255.255.252.0 = 22
Wildcard:  0.0.3.255
=>
Network:   155.13.16.0/22
Broadcast: 155.13.19.255
HostMin:   155.13.16.1
HostMax:   155.13.19.254
Hosts/Net: 1022

Note that 155.13.18.0 is not itself a network address for a /22: the /22 network that contains it is 155.13.16.0/22.

Tools that do the subnet arithmetic:
1- ipcalc, sipcalc
2- whatmask
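The subnet arithmetic above, worked in code: an added example that is not part of the original guide. It is an ipcalc-style calculator in POSIX shell that takes an address with a prefix length, builds the netmask from the prefix, derives network, broadcast and usable host count with the same AND/OR bit operations the text describes, and prints the binary form of an address. It assumes only a POSIX sh (dash or bash); the prefixes it runs on are the guide's own examples.

```sh
#!/bin/sh
# Added example (not from the original guide): ipcalc-style subnet arithmetic
# in POSIX shell. Addresses are handled as 32-bit integers so that the
# netmask AND and the broadcast OR are real bit operations, as in the text.

# ip_to_int "a.b.c.d" -> 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip INTEGER -> "a.b.c.d"
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# octet_to_bin 0-255 -> 8-character binary string, bit 7 first
octet_to_bin() {
    bits=""
    i=7
    while [ "$i" -ge 0 ]; do
        bits="$bits$(( ($1 >> i) & 1 ))"
        i=$(( i - 1 ))
    done
    echo "$bits"
}

# ip_to_bin "a.b.c.d" -> "bbbbbbbb.bbbbbbbb.bbbbbbbb.bbbbbbbb"
ip_to_bin() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo "$(octet_to_bin "$1").$(octet_to_bin "$2").$(octet_to_bin "$3").$(octet_to_bin "$4")"
}

# cidr_fields "a.b.c.d/N" -> "network broadcast netmask usable_hosts"
cidr_fields() {
    addr=${1%/*}
    prefix=${1#*/}
    ip=$(ip_to_int "$addr")
    # N leading one bits: shift the all-ones mask left, cut back to 32 bits
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( ip & mask ))                    # address AND netmask
    bcast=$(( net | (4294967295 ^ mask) ))  # network OR all host bits set
    if [ "$prefix" -ge 31 ]; then
        hosts=$(( bcast - net + 1 ))        # /31 and /32 reserve nothing
    else
        hosts=$(( bcast - net - 1 ))        # minus network and broadcast
    fi
    echo "$(int_to_ip "$net") $(int_to_ip "$bcast") $(int_to_ip "$mask") $hosts"
}

cidr_network()   { set -- $(cidr_fields "$1"); echo "$1"; }
cidr_broadcast() { set -- $(cidr_fields "$1"); echo "$2"; }
cidr_netmask()   { set -- $(cidr_fields "$1"); echo "$3"; }
cidr_hosts()     { set -- $(cidr_fields "$1"); echo "$4"; }

# cidr_report "a.b.c.d/N": the layout ipcalc prints, plus the binary address
cidr_report() {
    prefix=${1#*/}
    set -- "${1%/*}" $(cidr_fields "$1")
    printf 'Address:   %-16s %s\n' "$1" "$(ip_to_bin "$1")"
    printf 'Netmask:   %s = %s\n' "$4" "$prefix"
    printf 'Network:   %s/%s\n' "$2" "$prefix"
    printf 'Broadcast: %s\n' "$3"
    printf 'Hosts/Net: %s\n' "$5"
}

cidr_report 155.13.18.0/22
cidr_report 192.168.0.0/26
```

The host count drops the network and broadcast addresses except for /31 and /32, where there is nothing to reserve; that is the case ipcalc-style tools get asked about most.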

SYSTEM MONITORING AND SECURITY

SYSTEM MONITORING
Monitoring a system means knowing what it is doing: which processes run, which ports listen, who is connected and what the logs say. The tools used in this chapter:
1- the system logs (LOG)
2- disk usage: du, df, find, ls
3- processes: ps, top
4- connectivity and names: ping, dig
5- network connections, TCP and UDP: netstat, nmap, iptables
6- process accounting (auditing)

netstat
netstat shows the network connections of the host: which local ports are open, which remote addresses are connected to them (client and server side), and the state of each connection, printed on the terminal. It exists on Unix and on Windows NT. Without options it lists the active connections together with Unix domain sockets (local inter-process sockets), which are usually not what you are looking for.

Useful options:
-t   TCP connections
-u   UDP connections
-p   the process (PID/program name) that owns each socket
-n   numeric addresses and ports, no name resolution
-l   only listening sockets, for example httpd listening on port 80; this is the list to compare against the firewall rules, since every listening port that is not needed should be closed or blocked
-s   per-protocol statistics (TCP, UDP, ...)
-r   the routing table
-i   interface table; -e extended; netstat -ie shows the same information as ifconfig

Checking the listening ports regularly is part of auditing the host.
NMAP

netstat shows the host's own view; nmap scans a host or a network from outside to see which ports answer, which services run behind them and which operating system is used. It is the standard port scanner, used by administrators and attackers alike, so scan only hosts you are responsible for.

# yum install nmap
# nmap 192.168.0.0/24     scans every host 192.168.0.X: a ping sweep first, then the TCP ports of the hosts that are up

Scan types:
1- TCP connect scan: completes the full TCP handshake on every port, like any Unix client would.
# nmap -sT 192.168.1.1
   nmap connects to port 21 and, if the FTP service answers, reads the FTP banner (header).
2- SYN stealth scan (half-open scan): sends only the SYN packet and judges the port from the SYN-ACK (or RST) that comes back, without completing the handshake, so the application never sees a connection. Needs root.
# nmap -sS 192.168.1.1
3- UDP scan: sends an empty (0-byte) UDP packet to every port; a port that answers with an ICMP port unreachable packet is closed, no answer means open or filtered. Slow!
# nmap -sU 192.168.1.1
4- ACK scan: sends an ACK instead of a SYN. Unfiltered ports answer with RST; if no RST comes back the port is filtered by a firewall. Used to map firewall rules, here for port 80:
# nmap -sA -p 80 192.168.1.1
5- IP protocol scan: sends raw IP packets for each protocol number; an ICMP protocol unreachable answer means the protocol is not supported.
# nmap -sO 192.168.1.1
6- Version detection: probes the open ports to identify the service and its version, exactly the information an attacker needs to pick a remote exploit (for example from Metasploit).
# nmap -sV 192.168.1.1
7- Ping scan: only discovers which hosts are up, using ICMP echo; where ICMP is blocked nmap falls back to a TCP ping (an ACK that provokes a RST).
# nmap -sP 192.168.1.1-255         hosts 192.168.1.1 to 192.168.1.255
# nmap -sP 192.168.1.1/24          the same, as a class C (netmask 255.255.255.0)
# nmap -sP -p 80 192.168.1.1-255   which hosts run a web server on port 80
Selected ports (21, 22, 53, 80) on a range of hosts:
# nmap -sS -p 21,22,53,80 192.168.1.1-255
-v gives verbose output:
# nmap -sS -v -p 21,22,53,80 192.168.1.1-255
Ports 1 to 100 on the local host:
# nmap -sS -p 1-100 127.0.0.1
Remote OS fingerprinting:
# nmap -O -v 192.168.1.1
Everything at once (OS, versions, scripts, traceroute):
# nmap -sS -A 192.168.1.1
Only port 80:
# nmap -sS -A -p 80 192.168.1.1
Fast scan of the most common ports only:
# nmap -sS -F 192.168.1.1
Saving the results, as text or as XML:
# nmap -sS -oN log.txt 192.168.1.1
# nmap -sS -oX log.xml 192.168.1.1
Evasion options, which black-hat hackers use to hide from IDS and logs:
# nmap -sS -f 192.168.1.1
   fragments the probe packets into small IP fragments so that simple filters do not see the TCP header.
# nmap -sS -D 192.168.1.2,192.168.1.3,192.168.1.4 192.168.1.1
   decoy scan: the target also sees scans that appear to come from 192.168.1.2, 192.168.1.3 and 192.168.1.4, so the real source is hidden among the decoys.

Zenmap is the graphical front end to nmap; scans are saved as profiles that can be reused. The older front end was nmap-frontend (nmapfe).

Services found listening that are not needed are stopped with service and disabled with chkconfig.

Avahi service
avahi implements zeroconf (zero configuration networking): multicast DNS (mDNS) and DNS service discovery, the same protocols as Apple's Bonjour. Zeroconf lets hosts find each other without DNS or DHCP. On a server it is usually not needed: stop avahi-daemon and disable it, which also removes its entries from the log.
LOG

Log files record what services and the kernel report. They are written by the syslog daemon, rsyslogd on RHEL 6. Each message carries a facility (which subsystem sent it: kern, auth, mail, cron, ...) and a severity (how serious it is, from debug up to emerg). The rules in the rsyslog configuration select messages as facility.severity and send them to a log file.

logwatch
logwatch summarises the logs and highlights what matters. Install it:
# yum install logwatch
Report for one service, printed to the terminal:
# logwatch --service service_name --print
--print sends the report to standard output instead of mailing it.
Report for one log file (messages, secure, maillog, ...):
# logwatch --logfile logfile_name --print
Report for another log directory:
# logwatch --logdir logfile_location --print

Process limits
ps and top show the running processes. Every process has a PID, and when a user can create processes without limit the PID space is exhausted and the system hangs (a fork bomb). Per-user limits are set in /etc/security/limits.conf; each line has four fields:
[Who to limit]: a user name, a group name written @group, or * for everyone.
[Type of limit]: soft or hard. The soft limit is the one in effect; the user can raise it with ulimit, but only up to the hard limit, which only root can change.
[What to limit]: the resource (number of processes, open files, memory, ...).
[Limit value]: a number, or unlimited.

Files in /etc/security/limits.d/ are read as well. The limits are applied at login by the PAM module pam_limits.so. Show the current limits with:
# ulimit -a
The largest PID the kernel hands out is kernel.pid_max:
# cat /proc/sys/kernel/pid_max         display the maximum PID
# sysctl -w kernel.pid_max=4194303
or, permanently:
# echo kernel.pid_max=4194303 >> /etc/sysctl.conf

Process accounting: psacct
ps and top show what runs now; psacct records every command that has been run. Start it:
# service psacct start
Records go to /var/account/psacct, a binary file that is read with sa:
# sa
For each command it reports: number of times run, "real-time" spent running, "cpu-time" used, average core memory usage, and the command name.
Per-user summary:
# sa --user-summary
Options of sa:
-a   list all commands, instead of grouping the rare ones under ***other*
-c   show each figure as a percentage of the total
-n   sort by number of calls
-b   sort by the sum of user and system time divided by the number of calls
Login accounting:
# ac          total connect time of all users
# ac -dp      connect time per day (-d) and per user (-p)
# lastcomm    the commands run, most recent first, with the user and terminal they ran from
SECURITY OVERVIEW

A system is attacked from the network and by its own users. Crackers (black-hat hackers) look for a way in and then for a way to escalate privileges to root. The usual vector is a remote root or local root buffer overflow in a widely used program; NetworkManager, BIND, curl, rsync, apache and netcat are the kind of software such bugs are found in, which is why updates matter.

Defence is layered: keep the software updated, run only the services needed, and restrict what each service may do. Red Hat ships the tools: SELinux (developed by the NSA) for mandatory access control, the firewall (packet filtering, a wrapper around every packet), user- and host-based access control (file permissions, TCP wrappers) and PAM (Pluggable Authentication Modules).

THE LAYERS OF LINUX SECURITY

The outermost layer is the bastion host: a hardened machine between the Internet and the internal network that all traffic passes through. It runs a proxy for each allowed service (FTP, SMTP, telnet, DNS) and nothing else, and each proxy is usually confined in a chroot jail. A bastion host can be a dedicated platform (Cisco ASA/PIX), an application-level gateway or a circuit-level gateway. The rules for a bastion host:
- minimal installation: only the packages the proxies need;
- one service per host: the web server, the file server and the authentication server are separate machines;
- remote administration over SSH only, never VNC;
- keep it patched.

Updates are installed with yum or with the graphical software update tool:
gpk-update-viewer   list and install the available updates
gpk-prefs           configure automatic update checks

SERVICE-SPECIFIC SECURITY
Each service can be restricted by host, by network and by user or group:
1- Host-based security: decisions by host name, domain name or IP address; on the host itself ACLs, SELinux, file system encryption and the privileges granted at each layer.
2- User-based security: which users may use a service, e.g. /etc/cron.allow for cron.
3- Network-based security: the firewall (netfilter) and proxies.
4- Console security: /etc/securetty lists the terminals root may log in on, and /etc/security/access.conf controls who may log in from where (console, SSH, telnet).

The NSA's hardening guidelines summarise the approach:
1- Encrypt transmitted data whenever possible
2- Minimize software to minimize vulnerability
3- Run different network services on separate systems
4- Configure security tools to improve system robustness
5- Least privilege

THE POLICYKIT

PolicyKit decides whether an unprivileged desktop user may run an administrative action, without handing out the root password. Each administrative tool declares its actions in /usr/share/polkit-1/actions/; for example system-config-firewall (vendor: Fedora) declares the action org.fedoraproject.config.firewall.auth in the file org.fedoraproject.config.firewall.policy, and PolicyKit asks the user at the console to authenticate when the action is requested. For command-line administration the equivalent mechanism is sudo, configured in /etc/sudoers.
CONFIGURATION SUDO

sudo (substitute user do) lets a user run a command as root (or as another user) with his own password, according to rules set by the administrator, and logs every command run through it. The rules are in /etc/sudoers, which must be edited with visudo: it locks the file, opens it in vi and runs syntax (sanity) checks before saving, so a typo cannot lock everyone out of sudo.

Rule syntax:
USER HOSTNAME=COMMAND
USER: a user name, %group for a group, or an alias.
HOSTNAME: the host the rule applies to, as host name or IP address, or ALL. This lets one sudoers file be shared between machines.
COMMAND: the full path of the command (wild cards are allowed), or ALL.

Aliases:
1- User aliases:
User_Alias ADMINS = jana, noreen, mohammed, sammer
2- Host aliases (host names or IP addresses):
Host_Alias MAILSERVER = smtp, smtp2
3- Command aliases (absolute paths):
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

Examples:
1- Let JANA run any command on any host, with password:
JANA ALL=ALL
2- The same without a password:
JANA ALL=(ALL) NOPASSWD: ALL
   The first ALL is the host, (ALL) is the user to run as (root by default), NOPASSWD skips the password prompt and the last ALL is the command list.
3- The same for every member of the group wheel:
%wheel ALL=(ALL) NOPASSWD: ALL
4- Restrict noreen to the commands in the alias NETWORKING:
noreen ALL=NETWORKING
5- Let Jana run the SOFTWARE commands as any user, and two groups control the mysql service:
Jana ALL=(ALL) SOFTWARE
%JBA ALL=/sbin/service mysql, /sbin/chkconfig mysql
%CBS ALL=/sbin/service mysql, /sbin/chkconfig mysql

NOPASSWD: ALL makes the account equivalent to root; prefer command aliases and a password prompt.
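A sudoers fragment built from the guide's aliases, as an added example that is not the guide's own file: the wheel group keeps full access but with a password (no NOPASSWD: ALL), the other users get command aliases only, and the result is checked with visudo -cf when visudo is installed. The members of the NETWORKING alias are an assumption; the guide names the alias but not its commands.

```sh
#!/bin/sh
# Added example (not from the original guide): generate a sudoers fragment
# from the aliases in the text and check it before it is installed.
# Assumption: the NETWORKING alias holds /sbin/ifconfig and /sbin/route;
# the guide names the alias but does not list its commands.

# build_sudoers -> the fragment on stdout
build_sudoers() {
    cat <<'EOF'
# --- aliases ---
User_Alias ADMINS = jana, noreen, mohammed, sammer
Host_Alias MAILSERVER = smtp, smtp2
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
# assumed members (not given in the guide)
Cmnd_Alias NETWORKING = /sbin/ifconfig, /sbin/route
Cmnd_Alias MYSQLSVC = /sbin/service mysql, /sbin/chkconfig mysql
# --- rules ---
# wheel: full access, but with the member's own password
%wheel ALL=(ALL) ALL
# the admins may manage packages, but only on the mail servers
ADMINS MAILSERVER=(ALL) SOFTWARE
# noreen may also run the network commands, anywhere
noreen ALL=NETWORKING
# the JBA and CBS groups may only start/stop and enable/disable mysql
%JBA ALL=MYSQLSVC
%CBS ALL=MYSQLSVC
EOF
}

# sudoers_nopasswd_all FILE -> success (0) if any rule grants NOPASSWD: ALL,
# the setting that makes an account equivalent to root
sudoers_nopasswd_all() {
    grep -Eq 'NOPASSWD:[[:space:]]*ALL' "$1"
}

# sudoers_check FILE -> run visudo's syntax check if visudo exists;
# nothing is installed into /etc/sudoers either way
sudoers_check() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not installed; syntax not checked"
    fi
}

tmp=$(mktemp)
build_sudoers > "$tmp"
sudoers_check "$tmp" || echo "$tmp: visudo reported a problem"
if sudoers_nopasswd_all "$tmp"; then
    echo "warning: NOPASSWD: ALL present"
else
    echo "ok: no passwordless full-root rule"
fi
rm -f "$tmp"
```

Once checked, a fragment like this goes into /etc/sudoers.d/ (mode 0440) rather than being pasted into /etc/sudoers by hand, so a later visudo -c still validates it.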
KERBEROS CONFIGURATION

Kerberos is a secure authentication protocol for client/server networks, developed at MIT. The user proves his identity once and from then on presents tickets to services instead of a password, so no password ever crosses the network. Cryptography ties the client and the server together: Kerberos uses symmetric (private key) algorithms, originally DES. MIT's implementation runs on Linux, BSD, Windows and Mac OS X.

How a client is authenticated:
- The client authenticates to the authentication server and receives a ticket-granting ticket.
- For each service it presents that ticket and receives a service ticket together with a session key.
- The session key protects the traffic between client and server for the life of the session.

Terms:
1- Kerberos realm: the hosts and users that trust one set of KDCs (Kerberos authentication servers) for authentication.
2- KDC (Key Distribution Center): the Kerberos server that issues tickets (the authentication credentials).
3- Kerberos admin server: the service on the master KDC used for remote administration of the realm.

A client is joined to a realm with system-config-authentication (graphical) or authconfig (command line). Both can at the same time configure LDAP as the source of user information, with Kerberos doing the authentication. On RHEL 6 the sssd daemon looks after the LDAP and Kerberos connections and caches their results.
SELINUX

Security-Enhanced Linux (SELinux) is one of the security layers of the system, developed by the U.S. National Security Agency (NSA). It controls what subjects (processes, services, users) may do to objects (files, devices, ports, sockets) on the basis of contexts (labels) attached to both and a policy that lists the allowed actions.

Why it exists: with standard permissions, a file with mode 777, or a compromised service running as root, can reach anything. SELinux derives from the Flask security architecture, which grew out of the Mach-based DTOS research, and implements Type Enforcement (TE) as Mandatory Access Control (MAC) inside the kernel through the Linux Security Modules (LSM) framework. Labels are stored in the extended attributes of ext2, ext3 and ext4 file systems. The NSA released it on 22 December 2000 as a patch for kernel 2.2.12.

The two access control models:
1- Discretionary Access Control (DAC): the traditional Unix model. Access is decided by the owner of the object through user, group and permission bits, and a process has the rights of the user it runs as. There are two kinds of user:
(1) administrators / privileged users
(2) non-administrators / non-privileged users
and the root user bypasses every check.
2- Mandatory Access Control (MAC), here role-based: the policy, not the owner, decides what a process may do to files, devices and ports, and root is bound by it like anyone else.

Under DAC the rule is "everything is a file", and user and group decide access. Under SELinux the rule is "everything is an object": every object and every subject carries a security context, and the policy decides.

Example: under DAC, httpd running as root could read any file on the system. Under MAC, httpd is confined to the httpd domain and can only touch files whose type the policy allows for httpd, whatever user it runs as.

SELinux does not replace DAC: the DAC check runs first, and only if it permits the access is the MAC policy consulted. If either denies, the access is denied.

Tools: getsebool, setsebool, chcon, ls -Z, and the SELinux Management Tool (system-config-selinux).

Each process runs in a domain, which works as a sandbox: a process in one domain cannot use what belongs to another unless the policy says so. Roles group the domains a user may enter; a process gets its role from the user that started it.

SELinux has two parts:
1- the security context (label): user identity, role, domain/type and, under MLS, sensitivity and category;
2- the security policy.
SECURITY CONTEXT

Every subject and every object carries a security context, also called its label:
User_Identity:Role:Domain/Type
for example
user_u:object_r:httpd_sys_content_t

User identity: the SELinux user, which is not the Linux user; it determines which roles are allowed. SELinux users end in _u (user_u, system_u).
Role: which domains the subject may enter; roles end in _r. Files always have the role object_r. A user changes role with newrole (package policycoreutils-newrole, installed with yum install policycoreutils-newrole), much as su changes the Linux user.
Domain/Type: the sandbox. For a subject (process) it is called the domain, for an object (file, port) the type; both end in _t, e.g. httpd_t for the httpd process.

The label of a file is stored on disk in its extended attributes (xattrs), so the file system must support them.

User labels:
- Non-privileged user: user_u
- Privileged user (root): root
- System user: system_u
- Unconfined user: unconfined_u
Roles (Role-Based Access Control, RBAC):
- Process: system_r
- User: user_r
- File: object_r
Type (objects: files) / Domain (subjects: processes, programs, users):
- Privileged and non-privileged users under the targeted policy: unconfined_t
- Processes, e.g. httpd: httpd_t, dhcpd: dhcpd_t
Labels are set with chcon, restorecon and fixfiles. A process context looks like root:sysadm_r:sysadm_t; file contexts look like:
root:object_r:user_home_t
system_u:object_r:httpd_exec_t
user_u:object_r:user_home_dir_t
user_u:object_r:httpd_sys_content_t
system_u:object_r:tmp_t
The default label of every path is listed in /etc/selinux/targeted/contexts/files/file_contexts:
# semanage fcontext -l
shows the same information as
# cat /etc/selinux/targeted/contexts/files/file_contexts

Viewing the labels of objects and subjects:
1- files: ls -Z
2- the current user: id -Z (or secon)
3- processes: ps -Z
4- create a directory with a given security context:
# mkdir -Z user_u:object_r:user_home_dir_t mohammed_sobhy
5- find files by context:
[root@RHEL01 ~]# find /home/ -context '*:httpd_*_content_t'
6- preserving labels when copying
A copy or an extracted archive normally gets the default label of its new location, not the label of the original. To keep the labels:
1) tar (since RHEL 4 update 2) with --selinux:
# tar --selinux -czf anaconda-ks.cfg.tar.gz anaconda-ks.cfg
# tar --selinux -xzf anaconda-ks.cfg.tar.gz
2) star with extended attributes; the -H=exustar archive format is the one that can hold them:
# star -xattr -H=exustar -c -f=anaconda-ks.cfg.star anaconda-ks.cfg
# star -xattr -H=exustar -x -f=anaconda-ks.cfg.star
3) rsync, which unlike cp and scp can carry the labels to another host:
# rsync -avHPAX anaconda-ks.cfg 10.0.0.80:/tmp
-a archive, -H hard links, -A ACLs, -X xattrs (which is where the SELinux label lives), -P progress and partial transfers.

CHANGING A LABEL (SECURITY CONTEXT)
Labels are changed by relabeling:
1- chcon
Sets the context of an object directly. Type/domain only:
# chcon -t type_name_t filename
Recursively:
# chcon -R -t type_name_t filename
-u sets the user, -r the role, -t the type; -f suppresses error messages.
Copy the label of a correctly labelled file onto another:
# chcon --reference CorrectFile NotCorrectFile
A chcon change is not recorded in the policy, so a relabel of the file system reverts it.
2- restorecon
Resets the label to the default from file_contexts:
# restorecon -Rv /home/KING/public_html
-R recursive, -v verbose, -p progress, -F force a full reset of the context (not only the type).
3- semanage
Unlike chcon, semanage fcontext records the rule in the policy, so it survives a relabel. Packages: policycoreutils-python (command line) and policycoreutils-gui. Options of semanage fcontext:
-a   add a rule
-d   delete a rule; -D delete all local rules
-l   list
-m   modify
-f   file type
-s   SELinux user (*_u); -r role (*_r)
-t   type/domain
SECURITY POLICY

The policy is the set of rules that SELinux enforces; Red Hat's default is the targeted policy. A rule names a subject domain, an object type and the allowed operations, so the label of the object and the label of the subject together decide the outcome.

For an object, its type is its sandbox: a file in a home directory is labelled user_home_t, and only the type matters for the decision, not the user identity or role on the file.
For a subject, apache as the example, the domain is its sandbox: the httpd binary is labelled httpd_exec_t, and when it is executed the process enters the httpd_t domain. The policy allows httpd_t to read files of type httpd_sys_content_t (and httpd_user_content_t for users' public_html); it says nothing about user_home_t, so httpd cannot read a home directory whatever the DAC permissions say.

Targeted policy
Red Hat's default. Only selected subjects are confined, each in its own domain; everything else runs in the unconfined_t domain, where MAC adds nothing and DAC alone applies. The confined domains of the targeted policy include dhcpd_t, httpd_t, initrc_t, ldconfig_t, mysqld_t, named_t, ndc_t, nscd_t, ntpd_t, pegasus_t, portmap_t, postgresql_t, snmpd_t, squid_t, syslogd_t, winbind_t and ypbind_t. See man -k selinux for the per-service manual pages.
The strict policy confines everything. The compiled policy is in /etc/selinux/targeted/policy/ as policy.<version>, e.g. /etc/selinux/targeted/policy/policy.24; the policy version the kernel supports is in
# cat /selinux/policyvers

POLICY BOOLEANS
Booleans are switches in the policy, 1 (on) or 0 (off), that enable or disable groups of rules without rebuilding the policy; their current values are the files under /selinux/booleans/. A value written there is pending until /selinux/commit_pending_bools is written. The usual tools:
# getsebool -a          list every boolean with its value
Booleans exist, for example, for serving home directories over FTP and HTTP:
# setsebool -P httpd_enable_homedirs on
# setsebool -P httpd_enable_homedirs 1
-P makes the change permanent (it is stored in /etc/selinux/targeted/modules/active/booleans.local); without -P it lasts until the next reboot. togglesebool flips a boolean between on and off.
semanage lists the booleans with a description of each:
# yum -y install policycoreutils-python policycoreutils-gui
# semanage boolean -l
# semanage boolean -l | grep ftp
semanage boolean -m changes one, and system-config-selinux shows them graphically.
# ls /selinux/booleans | grep ftp    the ftp-related booleans, as files under /selinux/booleans/

SELINUX MODES AND POLICIES
Two things are configured: the mode SELinux runs in and the policy it loads. Both are set in /etc/selinux/config, to which /etc/sysconfig/selinux is a symbolic link.
SELinux modes:
1- enforcing: the policy is loaded and enforced; denials are blocked and logged. SELinux is enabled and active.
2- permissive: the policy is loaded and denials are logged but not blocked. SELinux is enabled but not active; used for testing a policy.
3- disabled: no policy is loaded and nothing is logged.

Policies:
1- targeted: the default; confines the selected subjects and leaves the rest unconfined.
# yum -y install selinux-policy-targeted
installs it under /etc/selinux/targeted/policy/, and
# yum -y install selinux-policy-devel
installs the development interface under /usr/share/selinux/devel/ for writing policy modules.
2- strict: every process is confined.
# yum -y install selinux-policy-strict
3- mls (Multi Level Security): adds sensitivity and category fields to the labels.
# yum -y install selinux-policy-mls

Setting the mode:
1- Permanently, in /etc/selinux/config (/etc/sysconfig/selinux):
SELINUX=enforcing
2- On the kernel line in GRUB: selinux=1 or selinux=0 enables or disables SELinux (enable = 1, disable = 0); enforcing=1 forces enforcing and enforcing=0 permissive:
kernel /boot/vmlinuz-2.6.18-164.15.1.el5 ro root=LABEL=/ selinux=1
3- At run time with setenforce: setenforce 1 switches to enforcing, setenforce 0 to permissive (SELinux cannot be disabled this way).
4- Directly through /selinux/enforce:
# echo "1" > /selinux/enforce
5- In system-config-selinux.

Labels when moving and copying: mv keeps the label of the file, cp gives the copy the default label of the destination (cp -a preserves it). cp -Z sets a label explicitly:
[root@RHEL01 ~]# cp -Z system_u:object_r:file_t /etc/hosts hosts

RELABELED FILES (relabel a file system)
After SELinux is enabled on a system that ran without it, or after the policy changes, every file must be given its label. Two ways:
1- autorelabel: create the flag file and reboot; the whole file system is relabelled during boot (this takes a long time on a large system):
# touch /.autorelabel; reboot
2- fixfiles: relabels while the system runs. Like chcon it sets labels, but it takes them from the policy's file_contexts instead of from the command line.
File systems that carry no labels of their own can be given one at mount time:
# mount -t nfs -o context=user_u:object_r:user_home_t 10.0.0.99:/shares/homes /home
# mount -o fscontext=system_u:object_r:removable_t /dev/cdrom /media/cdrom

ERROR MESSAGES
When SELinux denies an access the only symptom is that the service fails; the reason is in the logs. With auditd running, SELinux denials go to:
/var/log/audit/audit.log
Without auditd they go to:
/var/log/messages
AVC stands for Access Vector Cache, the kernel's cache of policy decisions; each denial is logged as an AVC record. Example:
type=AVC msg=audit(1273808351.267:175): avc: denied { getattr } for pid=10586
comm="httpd" path="/home/KING/public_html" dev=hda1 ino=959060
scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=dir
Reading it:
1- type=AVC: an access vector (policy) decision.
2- msg=audit(1273808351.267:175): the record header:
   (1) msg=audit marks an audit record
   (2) 1273808351.267 is the time stamp in seconds since the epoch: date -d @1273808351.267
   (3) 175 is the serial number of the event
3- denied { getattr } for pid=10586 comm="httpd": the operation that was denied, the process (subject) and its command, httpd; path="/home/KING/public_html" dev=hda1 ino=959060 identifies the object.
4- scontext=root:system_r:httpd_t:s0: the label (security context) of the subject.
5- tcontext=root:object_r:user_home_t:s0: the label of the object; tclass=dir is its class.
So: the httpd_t domain tried to getattr a directory of type user_home_t, and no rule allows it.

setroubleshootd watches for AVC records and explains them:
# yum -y install setroubleshoot
Analyse the whole log:
# sealert -a /var/log/audit/audit.log
Run as a browser in the background:
# sealert -b
Look up an alert by its id:
# sealert -l <id>

SELINUX TOOLS
1- system-config-selinux: graphical management of the mode, booleans, file contexts, users and ports.
2- seaudit (package setools): browses and reports on the audit log:
# yum -y install setools
# seaudit-report /var/log/audit/audit.log
# seaudit-report --html -o selinuxLog.html /var/log/audit/audit.log
# seaudit -l /var/log/logFilePath.log
3- apol (setools): policy analysis; browses types, roles, booleans and SIDs.
4- checkpolicy: the policy compiler.
5- sesearch: searches the policy for rules, e.g. the allow rules whose target type is httpd_user_content_t:
# sesearch -a -t httpd_user_content_t /etc/selinux/targeted/policy/policy.21
6- sestatus: shows whether SELinux is disabled, enforcing or permissive and which policy is loaded; with -v also the contexts of the files and processes listed in /etc/sestatus.conf:
# sestatus -v
7- audit2allow: turns AVC denials into allow rules for a local policy module:
# audit2allow -i /var/log/audit/audit.log
   Read the output before loading it: an allow rule hides a labelling mistake instead of fixing it.
8- audit2why: explains why each denial happened (missing rule, boolean off, constraint):
# audit2why < /var/log/audit/audit.log
9- avcstat: statistics of the AVC (lookups, hits, misses), read from /selinux/avc/cache_stats.
10- seinfo: summarises the policy (number of types, roles, ...).
11- semanage: manages the policy's mapping of Linux logins to SELinux users, of users to roles, and of ports to types:
# semanage login -l
# semanage user -l
# semanage port -l
12- semodule: installs and manages policy modules:
-i module_pkg        install or replace a module package, e.g. # semodule -i httpd.pp
-u module_pkg        upgrade a module package
-d module_name       disable a module
-e module_name       enable a module
-r module_name       remove a module
-l                   list the loaded modules
-b base_module_pkg   install or replace the base module package
# semodule -l
The module packages (.pp) of the targeted policy are under /usr/share/selinux/targeted/.
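The AVC record above, parsed by hand: an added example that is not from the guide and needs neither setroubleshoot nor audit2allow installed. It pulls out the fields described in points 1-5 with sed and builds the allow rule that audit2allow would print for the denial, so the reader can see exactly what such a rule would grant. The audit record is a constructed copy of the one shown above; the SYSCALL line in the demo log is constructed as well.

```sh
#!/bin/sh
# Added example (not from the original guide): extract the fields of an
# SELinux AVC denial and derive the allow rule audit2allow would generate.
# AVC_SAMPLE is a constructed copy of the record discussed in the text.

AVC_SAMPLE='type=AVC msg=audit(1273808351.267:175): avc:  denied  { getattr } for  pid=10586 comm="httpd" path="/home/KING/public_html" dev=hda1 ino=959060 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=dir'

# avc_field RECORD KEY -> the value of KEY=value, surrounding quotes removed
avc_field() {
    # a space is prefixed so that a key at the very start also matches
    printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD -> the permission list between "denied {" and "}"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# context_type CONTEXT -> the type/domain field of user:role:TYPE[:level]
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow_rule RECORD -> "allow SOURCE_T TARGET_T:CLASS PERMS;"
avc_to_allow_rule() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    case $perms in
        *" "*) perms="{ $perms }" ;;   # several permissions need braces
    esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_report FILE -> one rule per AVC denial in FILE; other records are skipped
avc_report() {
    grep 'type=AVC' "$1" | grep 'denied' | while IFS= read -r rec; do
        avc_to_allow_rule "$rec"
    done
}

demo_log=$(mktemp)
{
    printf '%s\n' "$AVC_SAMPLE"
    # constructed companion record: not an AVC denial, so it must be ignored
    printf 'type=SYSCALL msg=audit(1273808351.267:175): arch=40000003 syscall=195 success=no exit=-13\n'
} > "$demo_log"
echo "rules audit2allow would derive from the demo log:"
avc_report "$demo_log"
rm -f "$demo_log"
```

The derived rule, allow httpd_t user_home_t:dir getattr;, is the one to be wary of: loading it lets the web server look into every home directory on the system. The right fix for this record is the one the lab below takes, a label of httpd_sys_content_t (or httpd_user_content_t plus the httpd_enable_homedirs boolean) on the one directory that should be served.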
SELINUX LAB: SERVING A USER'S public_html

The goal: let httpd serve the public_html directory of a user and watch how SELinux decides.
Steps:
1- Put SELinux in permissive mode (setenforce 0), so that denials are logged but not blocked while testing.
2- Check the labels:
   a- the default labels for httpd in file_contexts: semanage fcontext -l | grep httpd (use head or less; the type field is what matters)
   b- the label (domain) of the running httpd process: ps -Z | grep httpd shows httpd_t
   c- the label of the directory the policy expects web content in: ls -Z /var/www/html
   d- the label of a page that works: index.html in /var/www/html carries httpd_sys_content_t
3- Enable public_html in Apache:
# vim /etc/httpd/conf/httpd.conf
   replace
UserDir disable
   with
UserDir public_html
# service httpd restart
   a- create public_html in the home directory of user tibea2004 with an index.html in it. DAC must allow the web server in as well: the home directory and public_html need execute permission for others, and the page read permission.
4- Look at the security context of public_html: it is user_home_t, inherited from the home directory.
5- Switch SELinux back to enforcing (setenforce 1) and request the page. DAC allows the access but MAC denies it, and an AVC record appears in the audit log: the policy grants httpd_t access by object type, the policy's allowed types for httpd_t are the httpd_*_content_t ones, and user_home_t is not among them.
   Fix: relabel public_html so that its type is one the httpd_t domain may read, httpd_sys_content_t (or httpd_user_content_t together with the boolean httpd_enable_homedirs), then request the page again.

Second lab: an FTP directory outside /var/ftp
The same idea with vsftpd: a directory /ftp created by hand gets the type of its parent, which the ftp daemon's domain may not read.
1- Check the security context of /ftp: ls -Z /ftp
2- Check the context the policy gives the real FTP root: ls -Z /var/ftp shows public_content_t
3- Give /ftp the same type with chcon -t public_content_t /ftp and test again.
chcon lasts only until the next relabel: restorecon reads file_contexts and puts the old type back. To make the change permanent, record it in the policy with semanage fcontext -a -t public_content_t "/ftp(/.*)?" and then run restorecon -Rv /ftp, which now applies the new default.

User identities are listed with semanage user -l, which shows for each SELinux user the roles it may take. That completes the SELinux chapter.
FIREWALL, XINETD AND TCP WRAPPERS

FIREWALL

A firewall separates a trusted network from an untrusted one and decides, packet by packet, what may pass. It usually sits on the router between the local network and the Internet (the gateway), either as a dedicated device or as a Linux host with two interfaces.

Network Address Translation (NAT), on Linux called masquerading, lets the hosts of a private network share the gateway's single public IP address: the gateway rewrites the source address of outgoing packets to its own and maps the replies back to the inside host. An ADSL modem/router does the same NAT masquerading for a home network.

Definition: iptables is the Linux packet filter. It inspects the headers of packets and applies rules based on them. A packet filter looks at the type of data (protocol), the source address, the destination address and the ports carried in the headers, not at the payload, so it cannot know what an application does with the data, only where it comes from, where it goes and on which port. Packets larger than the maximum transmission unit (MTU) of a link are split into fragments, and only the first fragment carries the TCP/UDP header; the header fields themselves are laid out in 32-bit words.

IPTABLES

RHEL 6 ships iptables for IPv4 and ip6tables for IPv6.

Firewall in kernel space: Netfilter
Firewall in user space: iptables (the command through which the user talks to Netfilter)
Vendors and their firewalls:
Iptables >> Linux
PIX >> Cisco
ASA >> Cisco
ISA & TMG >> Microsoft
Juniper firewall >> Juniper

iptables does two jobs: packet filtering and NAT. Its configuration is organised in tables; each table holds chains, and each chain is an ordered list of rules. A packet entering a chain is compared with the rules in order; the first rule that matches decides what happens (its target), and if none matches the chain's policy applies.

The tables: filter, nat, mangle and raw.
1- filter: the default table of iptables, where the filtering rules go. Three chains:
INPUT chain: packets addressed to this host.
OUTPUT chain: packets generated by this host.
FORWARD chain: packets routed through this host to another one (when it acts as a router).
2- nat: three chains:
OUTPUT chain: NAT for packets generated locally.
PREROUTING chain: processed before the routing decision; used to change the destination IP in the packet header, i.e. DNAT (destination NAT), for example to send incoming connections to an internal server.
POSTROUTING chain: processed after routing, just before the packet leaves; used to change the source IP in the header to the gateway's (router's) address, i.e. SNAT (source NAT) and masquerading.
3- mangle: packet alteration (marks, TOS, TTL); it has all five chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.
4- raw: exemptions from connection tracking; chains PREROUTING and OUTPUT.
In practice filter holds the firewall and nat holds the IP masquerading.

Each rule is an if condition: if the packet matches these criteria, apply this target.
IPTABLES

] [iptables IPv4 ] [ipchains ] [iptables ] [ip6tables IPv6


][arptables ARP ] [ebtables Ethernet frame
iptables :

] [-t .filter
> <action direction action ] [iptables:
] [-Achain ] [APPEND rules .end of chain
] [-Dchain ] [DELET rules .chain
] [-L ] [LIST rules .chain
vn ) (rules .
] [-Fchain ] [FLUSH / rules ].[iptables
] [-Ichain ] [INSERT rules .chain
] [-Nchain ] [ADD NEW CHAIN .chain
] [-Xchain ] [DELET CHAIN .chain
CHAIN RULES
][Chain] [INPUT] [OUTPUT] [FORWARD] [PREROUTING] [POSTROUTING
.
.
.

RHCSA/RHCE Egypt

46

iptables

> <packet pattern .IP


] [-sip_address .[source IP] IP
] [-dip_address .[destination IP] IP
> <packet pattern
TCP/IP TCP UDP ICMP
]} [-p{tcp|udp|icmp ].[--dportport_number
][-ptcp--dport80
] [--sport source port ] [--dport destination port
icmp ][-picmp--icmp-typehost-unreachable
] [-P .
)
( ] [-PCHAINTARGET :
#iptables-PINPUTDROP
#iptables-POUTPUTREJECT
#iptables-PFORWARDREJECT
)#iptables-PINPUT DROP >>> set policy to INPUT table (big rule
> [j] <what to do ] [iptables
:
] :[ACCEPT rules .firewall
] :[REJECT rules .
.ICMP
] :[DROP rules .
] [LOG .
] [LOG ][ACCEPT ] [REJECT ] [DROP
.

IPTABLES examples
1- [# iptables -L] lists the rules of a table; the table is chosen with [-t table],
the default is filter, so this is the same as [# iptables -t filter -L]:

The listing columns:
[Chain]: INPUT / FORWARD / OUTPUT, with the chain policy.
[Target]: the target applied to matching packets.
[prot]: the protocol matched.
[Opt]: options of the rule.
[Source] and [Destination]: the source ip and destination ip matched.
With --line-numbers a num column shows the position of each rule, which is what
-I and -D accept.
2- [# iptables -F INPUT] flushes (F) the INPUT CHAIN: all its [rules] are removed.
[# iptables -F FORWARD] does the same for FORWARD:

3- [# iptables -t filter -A INPUT -s 192.168.0.1 -j DROP] appends to INPUT a rule
that drops every packet whose source IP is [192.168.0.1]:

[if packet received from 192.168.0.1 drop]

Packets from that host are then dropped for every service.

4- [# iptables -t filter -A INPUT -s 192.168.0.1 -p tcp --dport 22 -j ACCEPT]
accepts packets from IP [192.168.0.1] to TCP port 22, i.e. SSH.

Rules 3 and 4 together show that order matters: iptables stops at the first rule
that matches, so with rule 3 before rule 4 the SSH packets are already dropped.
Put the more specific rule first, or insert it at the top with -I.
5- [# iptables -A INPUT ! -s 192.168.0.1 -p tcp -j DROP]
drops TCP packets from every host except 192.168.0.1; [!] negates the match.
7- :

8- [# iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT]
inserts at the top of INPUT a rule accepting tcp port 22 (ssh); [-m tcp] loads the
tcp match module, which provides --dport.
Saving the [iptables] rules:
[# service iptables save]
runs
# iptables-save
and writes the result to [/etc/sysconfig/iptables], which is loaded at boot.

[# iptables-save > /etc/sysconfig/iptables] does the same as [service iptables save].
[iptables-restore < file_name] loads a saved rule file back into the kernel.

Notes:
The firewall inspects the packet header fields described above.
[/etc/sysconfig/ip6tables] and [ip6tables] are the IPv6 counterparts.
Rules in a chain can be addressed by position:
[-I chain] / [-I chain NO.] ------ [-D chain] / [-D chain NO.]
[-n] numeric and [-v] verbose output for [-L].
[--line-numbers] with [-L] shows each rule's position.
[-i interface] matches the input interface, [-o] the output interface:
[-i eth0] / [-i lo] / [-o eth1]
-i eth0 -s 192.168.0.0/24 matches a whole network arriving on one interface.
Service names and port numbers come from [/etc/services], protocol names from
[/etc/protocols].
The [iptables] service reads [/etc/sysconfig/iptables] at start.
[!] negates a match.

[iptables] summary:

The icmp types accepted by --icmp-type are listed with [# iptables -p icmp -h].
NAT [IP MASQUERADING]

Network Address Translation ("NAT"), also called Network Masquerading, Native
Address Translation or IP Masquerading, is the rewriting of the [source] or
[destination] IP address (and the TCP/UDP port) in the header of IP packets as
they pass through a router, recalculating the checksums on the way.
[NAT] exists to conserve IPv4 addresses: a whole private network sits behind one
[router] / gateway that has a single public IP. The router rewrites outgoing
packets so they appear to come from its own IP and rewrites the replies back to
the private IP of the host that sent the request.
A site with a single [public ip] can therefore connect many hosts, each with a
private IP, to the Internet; the private addresses are never seen outside.
NAT is not needed with IPv6, which has enough addresses.
Types of [NAT]:
1- "NAT" in the usual sense is Network Address Port Translation ("NAPT", also "PAT"
or many-to-one NAT): many private hosts share one public IP, told apart by port.
2- Basic NAT, also Static NAT or one-to-one NAT: one private IP is mapped to one
public IP, as on a broadband connection where a DMZ host gets the public address.
Either kind may rewrite the source (source NAT, SNAT) or the destination
(destination NAT, DNAT).
[IP masquerading] is the Linux name for many-to-one NAT done on a [gateway] /
[router]: a LAN shares the single, usually dynamic, address of a DSL line.

Requirements for [NAT]:
1- One [public IP] on the gateway.
2- A [private IP] range for the internal network.
3- The hosts use [private IP]s; the [router] / [gateway] has a private and the public address.
4- iptables on the gateway with the [NAT masquerading] rule.
5- [IP forwarding] enabled on the [gateway] / [router].
6- The [default gateway] of every [private IP] host is the [router] / [gateway].

On the LAN a host sends a packet with its private IP as [source]; the gateway
replaces it with its own [Public IP] and remembers the original [IP source] and
[port no] in a table. When the reply comes back the gateway looks up the table and
rewrites the destination back to the private IP of the host.
NAT rules:
DNAT Examples
INBOUND
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-dest 192.168.0.20
OUTBOUND (with port redirection)
# iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-dest 192.168.0.200:3128
SNAT Examples
MASQUERADE
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
SNAT
# iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.45
MASQUERADE on other outgoing interfaces, e.g. wireless and the libvirt bridges:
# iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -o virbr0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -o virbr1 -j MASQUERADE
CONNECTION TRACKING

Think of file-hosting sites such as rapidshare or mediafire: they remember your
connection and refuse a second download from the same IP while one is running.
They can do that because they keep state per connection.
The firewall does the same: it records every [new connection] a [client] opens to a
[server] and then recognises the later packets of that connection.

Connection tracking is done by the [conntrack] module; like rapidshare, [conntrack]
keeps a [state] for every connection.
The states are:
1- [NEW]: the first packet of a connection (not yet in the connection track table).
2- [ESTABLISHED]: the connection has seen a REPLY PACKET in both directions.
3- [RELATED]: a new connection that belongs to an existing one, e.g. an ICMP error
or the FTP data connection.
4- [INVALID]: a packet that belongs to no known connection; normally [DROP]ped.
[connection tracking] works for TCP and UDP (and ICMP) and defragments packets
before tracking them.
[connection tracking] is used from [iptables] through the state match:
One rule to permit established connections:
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Many rules; one for each permitted service:
# iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
Lastly, one rule to block all others inbound:
# iptables -A INPUT -m state --state NEW -j DROP
The [connection tracking] helper MODULES are configured in [/etc/sysconfig/iptables-config].
[MODULES]:
ip_conntrack_ftp
ip_conntrack_irc
ip_conntrack
ip_nat_ftp
ip_nat_irc (and others)
[ip_conntrack_ftp] lets the [firewall] track ftp (the data connection becomes RELATED).
[ip_nat_ftp] does the matching [ftp packets] modification for NAT. In iptables-config
the [IPTABLES_MODULES] variable lists the [modules] to load.
/proc/net/ip_conntrack (on newer kernels /proc/net/nf_conntrack)
lists the tracked connections (the established connection table of ip_conntrack).
The max connections limit is /proc/sys/net/ipv4/ip_conntrack_max
(/proc/sys/net/netfilter/nf_conntrack_max on newer kernels).
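The first-match walk described above, with the three-rule pattern and a DROP policy, as an added example that is not code from the guide. It models how a chain is evaluated (first matching rule decides, LOG does not terminate, the -P policy applies when nothing matches) and renders the same rules in the iptables-save format that `service iptables save` writes; the addresses and the ruleset are constructed sample data, and source matching is exact-address only.

```python
# Added example (not from the guide): a small model of how iptables walks the
# INPUT chain.  First matching rule decides; LOG is non-terminating; when no
# rule matches, the chain policy (-P) applies.  Rules also render to the
# iptables-save format used by /etc/sysconfig/iptables.  Addresses and the
# ruleset are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Packet:
    src: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int]
    state: str                  # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    in_if: str = "eth0"

@dataclass
class Rule:
    target: str                       # ACCEPT, DROP, REJECT or LOG
    src: Optional[str] = None         # exact address; a leading "!" negates
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[Set[str]] = None
    in_if: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.src is not None:
            negate = self.src.startswith("!")
            if (p.src == self.src.lstrip("!")) == negate:
                return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.in_if is not None and p.in_if != self.in_if:
            return False
        return True

    def render(self, chain: str) -> str:
        """The rule as iptables-save writes it."""
        parts = [f"-A {chain}"]
        if self.in_if:
            parts.append(f"-i {self.in_if}")
        if self.src:
            neg = self.src.startswith("!")
            parts.append(("! -s " if neg else "-s ") + self.src.lstrip("!"))
        if self.proto:
            parts.append(f"-p {self.proto}")
        if self.dport is not None:
            parts.append(f"-m {self.proto} --dport {self.dport}")
        if self.states:
            parts.append("-m state --state " + ",".join(sorted(self.states)))
        parts.append(f"-j {self.target}")
        return " ".join(parts)

@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

def walk(chain: Chain, p: Packet) -> Tuple[str, List[str]]:
    """Return (verdict, log lines).  LOG records the packet and evaluation
    continues with the next rule; any other target is final."""
    logs: List[str] = []
    for r in chain.rules:
        if r.matches(p):
            if r.target == "LOG":
                logs.append(f"IN={p.in_if} SRC={p.src} PROTO={p.proto} DPT={p.dport}")
                continue
            return r.target, logs
    return chain.policy, logs

def example_input_chain() -> Chain:
    """The three-rule pattern from the guide, plus a LOG before the final DROP
    and a DROP policy as safety net."""
    return Chain(policy="DROP", rules=[
        Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
        Rule("ACCEPT", states={"NEW"}, proto="tcp", dport=25),
        Rule("LOG", states={"NEW"}),
        Rule("DROP", states={"NEW"}),
    ])

def render_sysconfig(chains: Dict[str, Chain], table: str = "filter") -> str:
    """What `iptables-save` / `service iptables save` would write for the table."""
    out = [f"*{table}"]
    out += [f":{name} {c.policy} [0:0]" for name, c in chains.items()]
    for name, c in chains.items():
        out += [r.render(name) for r in c.rules]
    out.append("COMMIT")
    return "\n".join(out)

if __name__ == "__main__":
    chain = example_input_chain()
    print(render_sysconfig({"INPUT": chain}))
    for pkt in (Packet("10.0.0.5", "tcp", 25, "NEW"), Packet("10.0.0.5", "tcp", 80, "NEW")):
        print(pkt.dport, "->", walk(chain, pkt))
```

The INVALID case is the one to notice: it matches none of the three state rules and falls through to the policy, which is why the policy should be DROP rather than ACCEPT even when a final "NEW -> DROP" rule exists.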
IP FORWARDING (ROUTING)

[IP FORWARDING], or [ROUTING], is passing IP packets from one network to another.
The host that does it is a [ROUTER]; it is the [IP gateway] of the hosts on each
side.
A [ROUTER] does two things:
1. It has an interface, with an IP address, in each network it connects.
2. It looks up the destination IP in its routing table to pick the next hop.
A router works at the IP address level, independent of the
data link layer (Ethernet, token-ring ...).
The [ROUTER] reads the [Destination IP] of each packet and sends it out of the
right interface, either directly or to the next [gateway].
[IP forwarding] is enabled in [/etc/sysctl.conf] with the usual sysctl (stated
here, the screenshot is missing):
net.ipv4.ip_forward = 1
A host that does [routing] must have forwarding on.

IP Forwarding (routing) does NOT work in RHEL6 when using NetworkManager.

THE RED HAT FIREWALL CONFIGURATION TOOL

1- system-config-firewall

writes the rules to [/etc/sysconfig/iptables]. It has a gui and a text mode.

The text-mode version is system-config-firewall-tui.
[Trusted interfaces]:

Every packet arriving on a trusted [interface] is accepted, so mark an [interface]
trusted only when the network behind it is trusted; never a [wireless device] that
strangers can reach.
Interface names: eth0, eth1 for wired cards;
wlan0, ath0 for wireless.
A [device file] name not in the list can be typed under add.
Example:
select [interface] eth1 and press Ok.
The equivalent [iptables] rule (here for eth0) is:
# iptables -A INPUT -i eth0 -j ACCEPT

Masquerading [NAT]

MASQUERADING: select the external interface; the MASQUERADE rule is written
to /etc/sysconfig/iptables.
PORT FORWARDING

[port forwarding] needs MASQUERADING; it maps a port on the external interface to a
port on an internal host (DNAT).

[icmp filter]: choose which ICMP types to block, e.g. Ping (echo-request).

[custom rules]: a file of extra rules, in iptables-save format, added to the
generated rule set.

2- lokkit:
the command-line front end of the same tool (used by the installer).

Its old GUI counterpart was gnome-lokkit.
# lokkit --selinux={enforcing | permissive | disabled}
# lokkit --selinuxtype={targeted | strict}
# lokkit --enabled      enable firewall
# lokkit --disabled     disable firewall
[lokkit --help]

Whichever tool is used, the result is an iptables rule set;
the tools only write the iptables rules for you.
THE EXTENDED INTERNET SUPER-SERVER (XINETD)

Services are started in one of two ways:
- by xinetd: one configuration file per service in [/etc/xinetd.d/].
[xinetd.d] is the successor of inetd.
- standalone: the service has its own daemon and init script,
linked from [/etc/rc.d/rc?.d].
RPC services such as NIS and NFS are listed with
[rpcinfo -p host]
Service names and port numbers are mapped in [/etc/services];
[/etc/protocols] maps protocol names and [/etc/rpc] maps RPC program names.
A full list of registered ports:

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

[xinetd] reads [/etc/xinetd.conf],
which includes [/etc/xinetd.d/].
Each service file has [disable = {yes | no}]; [/etc/xinetd.conf] holds the global
defaults and can limit connections per source, which helps against DoS / DDoS.
Standalone services are turned off through the rc?.d links (chkconfig, see admin II).
Services not to run unless really needed: FTP,
telnet, the r commands (rsh, rcp, rexec, rlogin),
finger and rwhod,
because they send passwords or information in clear text.
Use OpenSSH instead: ssh, scp and sftp
are encrypted.
ssh replaces telnet, rlogin and rsh; ssh
is the only one of them to use today.

Services commonly run from xinetd:
telnet (avoid)
ssh
rsync - which is popular for backups
cvs - popular for software development version control
gssftp - Kerberos-secured FTP service

The per-service parameters are set in the xinetd.d files.

TCP WRAPPERS

TCP services can be protected by a second access-control layer called
[TCP wrappers].
It was originally used through [xinetd]; today daemons link to it
[static]ally or [dynamic]ally
through the library [libwrap.so.0].
[TCP wrappers] reads [/etc/hosts.allow]
and [/etc/hosts.deny].
To see whether a daemon uses [TCP wrappers], look for the library name in the
[strings] of the binary, or read the hosts_access man page of [TCP wrappers].
which finds the daemon binary in /bin, /sbin and the other PATH directories:

sshd uses [TCP wrappers]; httpd does not.

To check a service: ldd <which-service name> | grep libwrap,
where which gives the full path:
If libwrap.so.0 appears, the daemon honours [TCP wrappers].

[TCP wrappers] decides by the client IP (or host name) whether the connection is
accepted at all, before the daemon sees it.
[TCP wrappers] is configured in [/etc/hosts.allow]
and [/etc/hosts.deny].
Line syntax:
daemon_list: client_list [: options]
ALL: ALL
Client_list entries: a host name, an IP, a network prefix such as 192.168.1.,
a domain such as .example.com, or network/mask.

When a request arrives, [TCP wrappers] reads [/etc/hosts.allow] first: the first
matching line grants the service.
Otherwise [/etc/hosts.deny] is read: the first matching line denies it.
If neither file matches, the connection is allowed. The usual pattern is therefore
an allow list of hosts in hosts.allow and a deny-all in hosts.deny.

EXCEPT excludes part of a list: ALL EXCEPT 192.168.1.99.

The options DENY (or ALLOW) override the file the line is in, and SPAWN runs a
command. In hosts.allow:

in.telnetd: ALL: spawn echo "login attempt from %c to %s" | mail -s warning root
ALL: ALL: DENY
The telnet line allows telnet (it is in hosts.allow) but mails root about every
attempt; the last line denies everything else to everyone.
[TCP wrappers] handles IPv6 addresses as well.
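The hosts.allow / hosts.deny decision described above, as an added example that is not code from the guide. It implements the order of evaluation from hosts_access(5) (hosts.allow first match grants, then hosts.deny first match denies, no match allows) together with ALL, LOCAL, EXCEPT, the ALLOW/DENY options and the usual client patterns; the two file contents are constructed, and the spawn option is parsed but not executed.

```python
# Added example (not from the guide): the decision procedure of hosts_access(5)
# applied to constructed hosts.allow / hosts.deny contents.  hosts.allow is read
# first and its first match grants; then hosts.deny, whose first match refuses;
# no match at all means the connection is allowed.  ALL, LOCAL, EXCEPT, the
# ALLOW/DENY options and the usual client patterns are supported; the "spawn"
# option is parsed but not executed.
import ipaddress
from typing import Iterator, List, Tuple

def match_token(pattern: str, client: str) -> bool:
    """One daemon or client pattern."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # host name without a dot
        return "." not in client
    if pattern.startswith("."):                 # .example.com
        return client.endswith(pattern)
    if pattern.endswith("."):                   # 192.168.1.
        return client.startswith(pattern)
    if "/" in pattern:                          # net/mask or net/prefixlen
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.ip_address(client) in ipaddress.ip_network(
                f"{net}/{mask}", strict=False)
        except ValueError:
            return False
    return pattern == client

def match_list(spec: str, client: str) -> bool:
    """'A EXCEPT B' matches when A matches and B does not."""
    if " EXCEPT " in spec:
        head, tail = spec.split(" EXCEPT ", 1)
        return match_list(head, client) and not match_list(tail, client)
    return any(match_token(t, client) for t in spec.replace(",", " ").split())

def parse(text: str) -> Iterator[Tuple[str, str, List[str]]]:
    """Yield (daemon_list, client_list, options) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        yield fields[0], fields[1], [o.upper() for o in fields[2:]]

def hosts_access(daemon: str, client: str, allow_text: str, deny_text: str) -> bool:
    """True if tcp wrappers lets `client` reach `daemon`."""
    for default, text in ((True, allow_text), (False, deny_text)):
        for daemons, clients, options in parse(text):
            if match_list(daemons, daemon) and match_list(clients, client):
                if "ALLOW" in options:      # an explicit option overrides the file
                    return True
                if "DENY" in options:
                    return False
                return default
    return True

# constructed sample files
HOSTS_ALLOW = """
sshd: 192.168.1. EXCEPT 192.168.1.99
in.telnetd: LOCAL: spawn echo "login attempt from %c to %s" | mail -s warning root
vsftpd: 10.0.0.0/255.0.0.0 : DENY
"""
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for d, c in (("sshd", "192.168.1.10"), ("sshd", "192.168.1.99"), ("httpd", "1.2.3.4")):
        ok = hosts_access(d, c, HOSTS_ALLOW, HOSTS_DENY)
        print(d, c, "->", "allowed" if ok else "refused")
```

The last assertion in the test is the one worth remembering: with an empty hosts.deny every host not named in hosts.allow gets in, which is why the deny-all line is not optional.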

PAM
PLUGGABLE AUTHENTICATION MODULES [PAM]

[PAM] is a framework that lets applications and [administrative tools]
authenticate users (user authentication) without each program implementing its
own method; the method is chosen in the [PAM] configuration, not in the program.
It was developed by SUN Microsystems in 1996 for Solaris
2.6; Linux-PAM is the Linux implementation.
[PAM] is a set of [library modules];
a PAM-aware application calls the library, which runs the modules listed for it.
The [PAM] library is in [/lib/], the modules in [/lib/security/], the
per-application configuration in [/etc/pam.d] and the module configuration in
[/etc/security/]. The PAM man pages are found with [# apropos pam].
Example: the [login program] is PAM-aware;
its stack is in [/etc/pam.d/login]:

A [root] login is refused unless the terminal is a [secure terminal]

listed in [/etc/securetty]; that is one of the modules in the login stack.
configuration files:
[/etc/pam.d] has one file per service (application), named after the service.
The [PAM] modules are in [/lib/security/] on 32bit and [/lib64/security/]
on 64bit.
Documentation: [/usr/share/doc/pam-versionnumber] (html/ and txt/).

Each line of a [configuration file] has the form:
module-type control-flag module-path [arguments]
and PAM runs the lines of one type in order (a "stack").

Module-type

1. Module-type: one of [auth account password session].
Module-type:
1. Authentication management [auth]: checks that the user is who they claim,
usually with a password; it may also grant credentials.
2. Account management [account]: decides whether the account may use the
[service access] now: account expiry, time of day, where the login comes from.
3. Password management [password]: changes the [authentication] token (the password).
4. Session management [session]: things done before and after the session:
Mounting/unmounting the home directory.
Logging the login/logout.
Restricting/unrestricting resource limits.
In [/etc/pam.d] the login file shows all four types:

2. Control-flag: how the result of this module affects the overall
authentication result.
Control flags for [authentication]:
[required]: the module must succeed; on failure the stack continues, but the final
result is failure.
[Proceeds if passed; continues even on fail]
[requisite]: like required, but on failure the stack stops at once.
[Stops on failure]
[sufficient]: if it succeeds (and no earlier required module failed) the [login]
is granted at once and the rest of the stack is skipped.
[Requires no other verification if true]
[optional]: PAM ignores the result unless it is the only module in the stack.
[Ignores success or failure]
[include]:
[Includes all module-type directives from another file]; the included [modules]
run as if they were listed here.
3. Module-path: the PAM [module] to run (file name in /lib/security, or a full path).
4. Arguments: options passed to the module (e.g. try_first_pass).
Older syntax for include:
@include service

How PAM is used

An application calls PAM; PAM reads the application's configuration file, runs the
configured modules for the requested type and returns one answer: authentication
succeeded or failed.
The application never sees how PAM decided.
A short PAM example:
[/etc/pam.d/reboot]:

[reboot] contains:
auth sufficient pam_rootok.so
Line 1: [reboot] asks [auth]; [pam_rootok.so] returns [true] when the caller is
already root. With control_flag [sufficient] that alone is enough: root may reboot
and the rest of the stack is skipped.
auth required pam_console.so
Line 2: a non-root user passes only if they own the [console], i.e. they are
logged in locally.
#auth include system_auth
Line 3 is commented out with [#]. If it were active, [system-auth] would also be
consulted, so [reboot] would ask for a password through [system-auth]; that would
let a [remote user] who knows a password reboot, which is not wanted.
account required pam_permit.so
[pam_permit.so] for account always allows, [remotely] or locally; the decision was
already made in the auth stack.
So for [root, local, remote]: root and a local console user may reboot, a remote
user may not.
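The control-flag rules and the reboot stack walked through above, as an added example that is not code from the guide. It simulates the way Linux-PAM combines required, requisite, sufficient and optional results and splices in an include; the module functions are stand-ins for pam_rootok, pam_console, pam_env, pam_unix, pam_succeed_if and pam_deny, the request fields are constructed, and the reboot stack has the `include system-auth` line un-commented on purpose so the include and the remote-user case can be seen.

```python
# Added example (not from the guide): a simulator for the way Linux-PAM walks
# an `auth` stack and turns the control flags into one answer.  The module
# functions are stand-ins that model pam_rootok, pam_console, pam_env,
# pam_unix, pam_succeed_if and pam_deny; the /etc/pam.d/reboot stack below has
# the `include system-auth` line un-commented on purpose, to show `include`.
# Request fields (uid, on_console, password, stored_password) are constructed.
from typing import Callable, Dict, List, Tuple

Request = Dict[str, object]
Module = Callable[[Request], bool]            # True means PAM_SUCCESS
Line = Tuple[str, str]                        # (control flag, module name)

def expand(lines: List[Line], stacks: Dict[str, List[Line]]) -> List[Line]:
    """Resolve `include` by splicing in the named service's lines."""
    out: List[Line] = []
    for flag, name in lines:
        if flag == "include":
            out.extend(expand(stacks[name], stacks))
        else:
            out.append((flag, name))
    return out

def run_stack(lines: List[Line], modules: Dict[str, Module],
              stacks: Dict[str, List[Line]], req: Request) -> bool:
    """required:   failure is remembered, the stack keeps running
       requisite:  failure ends the stack at once
       sufficient: success ends the stack with success, unless a required
                   module already failed; its own failure is ignored
       optional:   only counts if no required/requisite module ran"""
    failed_required = False
    binding_seen = False
    optional_result = None
    for flag, name in expand(lines, stacks):
        ok = modules[name](req)
        if flag == "required":
            binding_seen = True
            failed_required = failed_required or not ok
        elif flag == "requisite":
            binding_seen = True
            if not ok:
                return False
        elif flag == "sufficient":
            if ok and not failed_required:
                return True
        elif flag == "optional":
            optional_result = ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    if binding_seen:
        return not failed_required
    return bool(optional_result)

# stand-in modules
MODULES: Dict[str, Module] = {
    "pam_rootok.so":     lambda r: r["uid"] == 0,
    "pam_console.so":    lambda r: bool(r["on_console"]),
    "pam_env.so":        lambda r: True,
    "pam_unix.so":       lambda r: r.get("password") == r.get("stored_password"),
    "pam_succeed_if.so": lambda r: r["uid"] >= 500,      # "uid >= 500" on RHEL 6
    "pam_deny.so":       lambda r: False,
}

STACKS: Dict[str, List[Line]] = {
    "system-auth": [("required", "pam_env.so"),
                    ("sufficient", "pam_unix.so"),
                    ("requisite", "pam_succeed_if.so"),
                    ("required", "pam_deny.so")],
    "reboot":      [("sufficient", "pam_rootok.so"),
                    ("required", "pam_console.so"),
                    ("include", "system-auth")],
}

def can_reboot(uid: int, on_console: bool, password: str = "",
               stored_password: str = "s3cret") -> bool:
    req: Request = {"uid": uid, "on_console": on_console,
                    "password": password, "stored_password": stored_password}
    return run_stack(STACKS["reboot"], MODULES, STACKS, req)

if __name__ == "__main__":
    print("root:", can_reboot(0, False))
    print("console user, right password:", can_reboot(500, True, "s3cret"))
    print("remote user, right password:", can_reboot(500, False, "s3cret"))
```

The remote-user case shows why the guide's reboot file keeps the include commented out: pam_console fails (required), so a correct password through the sufficient pam_unix cannot rescue the result, and pam_deny at the end makes the failure final.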

The [login] stack, like most services, includes [system-auth], the central [PAM]
configuration.
[/etc/pam.d/system-auth]:
auth section (authentication):
[pam_env.so] sets (environment variable)s for the session; [control_flag]
[required], it does not itself decide the (authentication).
[pam_fprintd.so] authenticates with a (fingerprint reader); [control_flag]
[sufficient], so a recognised finger is enough for (authentication).
[pam_unix.so] does the classic (authentication) against /etc/passwd and
/etc/shadow; [control_flag] [sufficient], so a correct password is enough.
[pam_succeed_if.so] with [control_flag] [requisite] and the condition uid >= 500
stops the stack for system accounts without asking for a password.
[pam_deny.so] is the last line: whoever reached it failed every sufficient module,
so deny.
In [/etc/pam.d/login]:
(nologin) pam_nologin.so refuses non-root users while /etc/nologin exists.

[system-auth] account section:

[pam_unix.so] (in [/lib/security]) checks account and password expiry from
/etc/shadow. [pam_localuser.so] succeeds if the user exists in [/etc/passwd].
[pam_succeed_if.so] lets system accounts (UID below 500) skip the remaining checks.
[pam_permit.so] accepts the rest.
login: password section

[system-auth] password section:

pam_cracklib.so (try_first_pass) checks the strength of the new password.
pam_unix.so stores the new password hashed with SHA512 in the [shadow password] file
(try_first_pass reuses the password already typed,
use_authtok takes the password already checked by cracklib). [pam_deny.so] ends the stack.
login: password section is used by passwd; the [session] section of system-auth:

[pam_selinux.so close] and [pam_selinux.so open] set the SELinux context of the
session.
(pam_loginuid.so) records the [UID] of the login for auditing.
(pam_console.so) gives the console user ownership of local devices.
pam_mkhomedir.so creates the [HOME] directory from [/etc/skel] when it does not exist.
pam_ck_connector.so registers the session with [console kit].
[system-auth] is included from:

[/etc/pam.d/login] and the other service files.
(pam_limits.so) applies [/etc/security/limits.conf]: number of processes,
open files, memory and the like,
per user or group.

PAM and User-Based Security

[PAM] can restrict a service to a list of users with [pam_listfile.so];
vsftp does this in [/etc/pam.d/vsftpd] with its list of refused users.
A user [keyring] can also be unlocked at login.

Commonly used modules:
PAM modules besides [pam_listfile.so]:

1- pam_mkhomedir:
mkhomedir creates the home directory at first login.
It is used with (central authentication),
where accounts come from a directory (NIS or LDAP) and no
HOME exists on the local machine. mkhomedir creates HOME
from /etc/skel; it belongs in the session stack.
Example line from the guide's screenshot (missing here):

2- pam_mount:
mounts a volume at login and unmounts it at logout,
for example a home directory that cannot be in /etc/fstab
because it must be mounted per user,
(with the user's own credentials).

It unmounts at logout.
It mounts a (local file system)
or (volumes) over the network,
[SMB/CIFS, FUSE, dm-crypt and LUKS].
pam_mount can use the login password as the key,
so the user types one password.
It can also set up an encrypted swap (cryptoswap). It needs a line in both the
(authentication) and the session stacks:
[Modules Used to Restrict Access]

With accounts from a directory (NIS, LDAP, etc.) the local machine has no
per-user list of its own, so PAM modules restrict who may log in.
3- pam_succeed_if
tests an attribute of the account and succeeds or fails on it.
E.g. users from Active Directory
whose UID is between 10006 and 10963.

Attributes it can test: gid,
user, uid, shell, home and service.
It can be used in all four PAM types (authentication account password session).

E.g. allow only uid >= 1000
to log in.
4- pam_nologin
refuses everyone but root while /etc/nologin exists.
pam_nologin is an authentication module.
If /etc/nologin contains text, it is shown to the refused user.
Create it with (touch) before maintenance and remove it afterwards.
5- pam_wheel
restricts su to the wheel group (or another group, by gid).
pam_wheel is listed in /etc/pam.d/su; when the line is active, su to root
works only for members of wheel. Members are added to wheel
in /etc/group.
The PAM line in su is commented out by default;
uncomment it so that su
is restricted to wheel.

6- pam_access
pam_access is like pam_succeed_if, but pam_access also looks at where the user
comes from (tty or host), which pam_succeed_if
cannot. Its rules are in:

/etc/security/access.conf
+: petromod: pamela
-: ALL: ALL
User petromod may log in only from host pamela;
everyone else is refused.
+ grants access, - denies it;
the first matching line wins.

As with TCP wrappers the fields are separated by [:]; + and - give the permission
and the origin is a (hostname), IP or tty.
7- pam_deny
pam_deny always fails.
It is the last line of a stack, so that whoever did not pass a sufficient module
is refused, and the whole stack of a service that must be disabled. pam_deny
in the (authentication) stack:

For password it refuses every change,
for session it refuses the session.
Modules Related to Back-End Storage
Where PAM checks the credentials.
8- pam_unix
the standard PAM module.
It uses /etc/passwd and /etc/shadow.
pam_unix2 is a variant with NIS/NIS+ support;
RHEL uses pam_unix.
auth gets hashed password from NSS and compares it to hash of entered password
account checks for password expiration

password handles password changes to local files or NIS

session records login and logout to logs

Options: debug, use_first_pass, try_first_pass.
Other back ends:
Central password management
pam_krb5.so (Kerberos V tickets)
pam_ldap.so (LDAP binds)
pam_smb_auth.so (old SMB authentication)
pam_winbind.so (SMB through winbindd (for Microsoft))

auth Modules
pam_securetty.so fails if logging in as root from a terminal not in /etc/securetty
pam_listfile.so checks a characteristic of the authentication against a list in a file
A list of accounts can be allowed or denied
Password Policy
Password history
pam_unix.so with remember=N argument
Password strength
pam_cracklib.so
pam_passwdqc.so
Failed login monitoring
pam_tally.so
session Modules
pam_limits.so enforces resource limits
Uses /etc/security/limits.conf
pam_console.so sets permissions on local devices for console users
Can be used as an auth module as well
pam_selinux.so helps set SELinux context

Utilities and Authentication

Local admin tools need authentication
su, reboot, system-config-*, etc.
pam_rootok.so passes if running as root
pam_timestamp.so for sudo-like behavior
pam_xauth.so forwards xauth cookies
PAM Troubleshooting
Check the system logs
/var/log/messages
/var/log/secure
USER AUTHENTICATION, ACCOUNT INFORMATION, AND PASSWORD MANAGEMENT

Authentication vs. Authorization

The Unix (user_model) has two parts.
(user_model):
(authentication): proving who you are.
(Authorization): what you are then allowed to do.

[user authentication] and (account information) traditionally both lived in /etc/passwd.

/etc/passwd therefore mixed (authentication) data (the password hash) with
(account information).

(authentication) is "something you know":
the password.
/etc/passwd holds the account information: UID, GID, home directory and shell.
(shadow passwords):
the hashes moved to [/etc/shadow] and an X was left in [/etc/passwd], because
/etc/passwd must stay world-readable.

Traditional passwd: the user types "apple" and passwd stores it.
passwd does not store the password itself:

the (plaintext) "apple"
is combined by passwd with a random [salt], e.g. "f8", giving [f8apple],
the [salted password], which is run through crypt (DES) and gives
11 characters of [cyphertext], [aHBT9lIoaZc].
passwd stores salt and cyphertext in /etc/passwd: the
password field of /etc/passwd is 13 characters,
the 2-character salt ("F8") followed by the 11-character cyphertext ("aHBT9lIoaZc").

To check a login, "apple" is:

salted with the [salt] read from /etc/passwd and hashed; the cyphertext of the [salted password] is compared with the 11 cyphertext characters in /etc/passwd. Password Management
therefore never needs the plaintext.
(shadow password): the same cyphertext moved to /etc/shadow, readable only by root.
The salt makes two users with the same password get different cyphertext.
MD5 replaced DES.
DES crypt uses only 56 bits of key:
8 characters of 7-bit ASCII (8 * 7 = 56), so longer passwords are truncated.
An [MD5 password] can be of any length
and the salt is 8 characters.
system-config-authentication lets you choose md5 password and
shadow password;
the cyphertext then lives in /etc/shadow.
An MD5 hash starts with "$":

"$1$" marks MD5, then the salt, then "$" and the hash. E.g.

salt "CBYGbXRT" (8 characters) and
cyphertext "xTMRC01udINgd1LH/9quu1".
The [openssl] command of OpenSSL can compute these hashes:
[openssl passwd] hashes a password the way passwd does.
[-h] shows the options.

[openssl passwd] by default produces the old crypt format;
with -1 it produces an MD5 hash (of apple here).

The salt is chosen at random unless -salt is given:
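The "$1$salt$hash" scheme discussed above, written out as an added example that is not code from the guide, so the role of the salt and the stretching rounds is visible. It is the MD5-based crypt(3) that `openssl passwd -1` and the "$1$" entries in /etc/shadow use, implemented with hashlib only; the password and salt values are constructed test values, and no hash value from the guide is assumed.

```python
# Added example (not from the guide): the MD5-based crypt(3) scheme that
# `openssl passwd -1` and the "$1$" entries in /etc/shadow use, written out so
# the role of the salt and of the 1000 stretching rounds is visible.  Pure
# hashlib; the password and salt below are constructed test values.
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def to64(value: int, count: int) -> str:
    """crypt's 6-bit-per-character encoding (low bits first)."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5_crypt(password: str, salt: str) -> str:
    pw = password.encode()
    salt_b = salt[:8].encode()            # at most 8 salt characters
    magic = b"$1$"
    # an intermediate digest of pw+salt+pw is folded into the main context,
    # once per 16 bytes of password length, then one bit of len(pw) per step
    alt = hashlib.md5(pw + salt_b + pw).digest()
    ctx = hashlib.md5(pw + magic + salt_b)
    plen = len(pw)
    while plen > 0:
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds of stretching; what goes in varies with the round number
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    # the 16 digest bytes are re-ordered and encoded as 22 characters
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += to64(final[11], 2)
    return "$1$" + salt_b.decode() + "$" + encoded

def new_salt(length: int = 8) -> str:
    """Random salt from the crypt alphabet, as passwd and openssl do."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))

def verify(password: str, stored: str) -> bool:
    """Re-hash with the salt taken from the stored field and compare."""
    parts = stored.split("$")             # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        return False
    return secrets.compare_digest(md5_crypt(password, parts[2]), stored)

if __name__ == "__main__":
    h = md5_crypt("apple", new_salt())
    print(h, verify("apple", h), verify("apples", h))
```

verify() never needs the plaintext to be stored anywhere: the salt is read back from the field, the candidate is hashed the same way, and only the two strings are compared, which is exactly what the text above describes for login.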

SECURE FILES AND MORE

(encryption): [Cryptography] is about 4000 years old.

The first ciphers substituted or transposed the letters of a message
so that only someone who knew the method could read it.
In the 1960s
[IBM] developed a cipher that became, with changes,
the [Data Encryption Standard (DES)],
the first widely used standard cipher.
In the 1970s [Diffie & Hellman]
invented [public-key cryptography], whose [security] rests on the
[intractability] of the [discrete logarithm problem].
Shortly after, still in the 1970s,
(Adleman, Shamir, Rivest) invented the first practical [digital signature]
and public-key encryption scheme, [RSA],
whose security rests on the difficulty of [factoring] the product of two large
[prime integers]
(easy to multiply, hard to factor).
[RSA] is still in use. In 1985 [EL-Gamal] published another
[Public-Key Scheme],
based on discrete logarithms and also usable for [digital signature]s.
[RSA] and [EL-Gamal] are the bases of the tools used below.
[encryption]:
transforms readable data so that only the intended reader can read it ([privacy]).
[decryption] is the reverse.
The (advantage): data stays private on disk and on the wire.

The (disadvantage): losing the key means losing the data.

Why encrypt: many classic protocols send everything in the clear.

[Plaintext Authentication]: Telnet, POP and FTP send the password in clear.
[Information Leakage]: SMTP, NFS and SMB send the data in clear.
[Insecure Authentication]: RSH trusts the identity the client claims
without real (authentication).
Demonstration: on station1 [tcpdump] captures
eth0 (1660 bytes per packet) and shows the password of a telnet login in clear.
File permissions are not enough! Ownership and permissions protect
[/etc/shadow] from users other than the (root user), but
a user such as [elvis] who is in the [disk] group can read the raw device under the
file system (the [grep] man page shows the example):

Data also leaks by other routes:
(Archived Information): backups keep copies of the data outside the system's permissions.
(Discarded Information): old disks, or files deleted but not overwritten.
(Used Flash Drives for Sale): second-hand drives still holding the previous owner's
data (Schneier on Security, 2006).

[plaintext] data is also left in:
the (terminal) scrollback, and
the [swap partition], where pages of a process may be written to disk.
Encryption is the answer.
(Encryption Schemes)

(Encryption Algorithms) are published and reviewed;
the secret is the key, not the algorithm.
An algorithm whose security depends on keeping it secret is weak.
[/DEV/RANDOM & /DEV/URANDOM]

Every key and salt needs randomness, and a computer is deterministic.
The kernel collects unpredictable timing from hardware events
((interrupts) from keyboard, mouse and disk) into a [pool],
the [Entropy pool], measured in bits of [entropy].
Data is taken from the pool through two devices.
The (virtual device node) [/dev/random]
returns bytes from the [entropy pool]; view them with [hexdump], which turns
[binary] into [hexadecimal].

When the [entropy pool] is exhausted,
[/dev/random] blocks until new (interrupts) arrive.
[/dev/urandom] does not block:
it keeps producing output from the pool state with a pseudo-random generator.
Use [/dev/urandom] for everyday needs; long-term keys are worth the wait on /dev/random.
The openssl library and openssl rand
[openssl] comes from the [openssl] RPM; the [openssl] library is what most programs
use for cryptography, and the [openssl] command exposes it.
[openssl] without arguments gives an [interactive shell]:
[man openssl] documents the sub-commands; each sub-command has its own page
(the [ssl] section of the manual).

The rand sub-command generates random bytes:
40 as argument writes 40 [binary] random bytes to [stdout].
[-base64] tells [openssl] to encode the output as printable text.

[openssl rand -base64] is the usual way to make a random password or key.

Without [-base64] the output is [binary] and belongs in a file, not on the terminal.

ONE WAY HASHES ("DIGITAL FINGERPRINTS")

[One way hashes] are also called [digital fingerprints]:

a fixed-size value computed from data of any size, used to check integrity and
to [sign] data.
The hash is a (Hash Key) of the content: it cannot be reversed (one way),
and a different input gives a different hash.
md5 and sha1 are the common algorithms; md5
is the older. Collisions can be produced for md5,
so sha1 or the SHA-2 family is preferred.

Properties:
Same input, same hash; any change in the input changes the hash.
The hash is the [finger print] of the file: [One way hashes] identify data
without revealing it.
[One way hashes] as [finger print]s are used to verify downloads:

the site publishes the [finger print] of the file;
you download the file and compute its hash.
[md5sum] prints the "[finger print]" of the file with [MD5].

Compare the [finger print] with the published one:

if they match, the file is intact;

if one bit changed, the md5
differs completely.
The same md5
lets you notice a corrupted or tampered download before installing it.

[One way hashes]
are used again below for digital signatures.
Encryption comes in two kinds:
1- Symmetric encryption
2- Asymmetric encryption
SYMMETRIC ENCRYPTION

(Symmetric Key Encryption)

uses the same key to encrypt and to decrypt;

both sides must know it.
It turns [plaintext] into [ciphertext] with
a (key), usually derived from a [passphrase];
the same [passphrase] decrypts.
Anyone who knows the [passphrase] can decrypt.
[DES (Data Encryption Standard)]
was the first standard; SSL and most protocols use a symmetric cipher for the data.
DES dates from 1976,
and its key is too short today.
[DES]
was strengthened as [Triple DES]; in 2001 [DES] was replaced by
[AES (Advanced Encryption Standard)],
the current standard.

Key size matters: each extra bit doubles the work of a brute-force search.

Symmetric ciphers are fast, so they are used for bulk data:
files, disks and network sessions.

Their weakness is key distribution: the key must reach the other party
by a secure route, and every holder of the key can read everything.

Example with [openssl] and the [BLOWFISH] cipher ([bf]):
encrypt the file [/symmetric_encrypt] with the [passphrase] [janateba],
with [-base64] output:

To decrypt the [ciphertext] add [-d] (decrypt)
and give the same [passphrase]:

A wrong [passphrase] gives garbage or a "bad decrypt" error.
The [passphrase] must reach the recipient some other way.
(Symmetric Encryption) is fast
but (Symmetric Encryption) alone does not solve key exchange.

(kerberos) solves it with a trusted third party
that hands a (session key) to both parties;

the session key is used for one session only.
The (session key) is thrown away afterwards, so a leaked session key
does not expose other sessions.
[openssl] [Symmetric Encryption] is done with the enc sub-command;
[man enc] lists the ciphers OpenSSL supports for (Symmetric Encryption),
and [openssl help] lists the cipher commands too.

The [passphrase] can be given with [-pass] instead of being typed:

-pass pass:word puts the [passphrase] on the command line (visible in ps and in
the shell history);
-pass file:name reads it from a file, -pass stdin reads it from [stdin].
Never leave a [Passphrase] in the shell history or a world-readable script.
[gpg] can do symmetric encryption too: [-c] encrypts with a passphrase and
[-d] decrypts, like [openssl]:

gpg asks for the [passphrase] twice and writes
[symmetric_encrypt.gpg].

To decrypt use [-d]:

[symmetric_encrypt.gpg] is binary, so [cat] shows nothing useful;
[gpg -d] asks for the [passphrase] and prints the plaintext.
[-o] writes the output to a file instead:

Again the passphrase has to be shared out of band.
ASYMMETRIC ("PUBLIC KEY") ENCRYPTION

Until the 1970s only (Symmetric Encryption) existed; in the 1970s

(Asymmetric Encryption) was invented:
two different keys, one to encrypt and one to decrypt.
What one key locks only the other can unlock.
(Asymmetric key encryption)

makes one key public and keeps the other private,
so no secret has to be shared in advance.
(public-key encryption)
uses a key pair: the (public-key) and the (private-key).
[public key encryption]: anyone can encrypt with the public key; only the holder
of the private key can decrypt.

The private key never leaves its owner; the public key is given to everyone.
RSA (Rivest, Shamir and Adleman)
is the most used algorithm.

The first popular implementation for users was
[Pretty Good Privacy (PGP)] by (Phil Zimmerman), .....
which later became a commercial product; the OpenPGP standard came out of it.
[PGP]'s free [GNU] implementation is [GNU Privacy Guard (GPG)].
[GNUPG] on RHEL 6 is version 2, [GPG2]; the [gpg]
command is the one used below.
The key operations:
Example with [Alice] and [Bob] using
[Gnu Privacy Guard] (Public key).
[Alice] first creates her (public/private key pair) with [gpg].
[Alice] runs [gpg]:

[gpg] stores the (public and private key)

as (binary) files in [~/.gnupg], the [keyring].
A [Keyring] holds keys: Alice's own pair and the public keys of others go into
the same [keyring].
[Alice]'s [Keyring] is created on first use.

[gpg] and [gpg2] behave the same for these commands.

[gpg --gen-key] asks
[GNU Privacy Guard] for:
(Public key algorithm and key length)
(An optional period of validity)
(Optional identity information)
(An optional "passphrase" for her secret key)

Choose [RSA and RSA] (the default):

[gpg] also offers [DSA and ELgamal];
the "[sign] only" variants cannot encrypt.
Accept the defaults with [Enter/Return].
Then gpg asks for the identity:
real name, e-mail and comment form the
[User ID]; the [UID] is how [gpg] names the key and how others check it for
[authentication].
Press [O] for Okay:

Then the [Passphrase]:
the [passphrase] protects the secret key on disk; a weak [passphrase] lets anyone
who copies the file use the key. Type the [passphrase] twice:

[Alice] may leave the [passphrase] empty with [enter\return],

but gpg warns; answer [TAKE THIS ONE WAY] only for a key used by an unattended process.

Then [Alice] is asked to move the mouse and type so the kernel gathers
[entropy] for the key.
The [public/private key] pair is now in the [keyring].

[gpg --list-keys] lists the public keys, [gpg --list-secret-keys] the secret ones:

To give the public key to someone, export it.
[gpg --export] writes the public key;

[--armor\-a] makes [GNU Privacy Guard] output [ASCII]

"ASCII" armour instead of binary, i.e. [Base64] with a header, so it can be mailed.

[gpg --export-secret-key] exports the secret key (for backup only).
[Alice] imports keys into her [keyring] with [gpg --import].
Keys are named by key id (8 hex digits) or by user id.
id:

For [bob]:
[pub] is the public key ID, [sec] the secret key ID.
[gpg --delete-keys key_id] removes a public key,
[gpg --delete-secret-keys key_id] a secret key
(the secret half of a [key-id] must be deleted before its public half).
Gnupg key servers
publish a public key:
[Br4v3-H34r7@iSecur1ty ~]$ gpg --send-keys XXXXXXXX --keyserver keys.gnupg.net
XXXXXXXX is the KEY-ID of the key to send.
fetch a key by KEY-ID:
[Br4v3-H34r7@iSecur1ty ~]$ gpg --recv-keys XXXXXXXX

search:
[Br4v3-H34r7@iSecur1ty ~]$ gpg --search-keys USER/EMAIL
where USER/EMAIL is the name or address, e.g.:
[Br4v3-H34r7@iSecur1ty ~]$ gpg --search-keys Br4v3-H34r7

gpg lists the matches: type 1 and Enter to import the first, N for the next page,
Q to quit.
In [~/.gnupg], [pubring.gpg] holds the public keys
and [secring.gpg] the secret keys.

Public Key Protocols I: Encryption (without Key Synchronization)
with GNU Privacy Guard.
Goal: Bob sends Alice a message that only Alice can read.
[Bob] wants to send a file to [alice].
[Bob] and [alice] have never exchanged a secret.
Notation:
[S] is [Alice]'s secret key,
[P] is [Alice]'s public key,
[P [M]] is message [M] encrypted with [P],
[M] is the message.

[Bob] wants [M]
readable by [Alice]
only.

[Bob] needs [Alice]'s
public key [P].
[Alice] exports [P] and gives it to [Bob]
(mail, key server, USB stick).
[Bob] imports [P]
into his [keyring] as [Alice]'s key.

[Bob] encrypts with [P]
the message [M] for [Alice].
The [cipher text]
(P[M]) can only be read by [Alice].

[Alice] applies her secret key [S]
to the [cipher text] [P[M]]
and gets [M] back; nobody without [S] can do that:
(S [P [M]] --> M).
Note: only [Alice] can decrypt.
Even [Bob], who encrypted it,
cannot read the [cyphertext] afterwards, because only [Alice] has [S].
Example: [Bob] wants to send [Alice] the file [accounts]; [Bob]
has imported [Alice]'s public key.

[Alice]'s key is in [Bob]'s keyring:

[Bob] encrypts [/accounts] for [Alice].

[gpg --encrypt|-e file] asks for the recipient KEY-ID; type a KEY-ID
(or user id) and Enter, another KEY-ID for a second recipient, then Enter
on an empty line. Every KEY_ID given is a recipient who can decrypt.
Or give the recipients on the command line with [-r key_ID|--recipient key_id]:
[bob@dhcppc3 ~]$ gpg -r XXXXXXXX -r XXXXXXXX -e accounts
The output is [accounts.asc] when --armor is used; [.asc] means ASCII armoured.
[--out|-o] names the output file.
[Bob] can look at the [ciphertext]: it is [base64] text:

[Bob] sends it to [Alice].
[Alice] decrypts with [gpg --decrypt|-d]; gpg asks for her passphrase:

[--out|-o] writes the result to a file:

Public Key Protocols II: Digital Signatures


with GNU Privacy Guard.
Encryption gives privacy, not proof of origin.
Anyone with Alice's public key can encrypt a message to her, so she cannot know
who sent it.

A signature proves who wrote the message and that it was not altered.
Now the roles are reversed:
[Alice] sends to [Bob]. [Bob]
must be sure it comes from [Alice] and not from someone pretending to be [Alice].
[Bob] has [Alice]'s public key.
Notation as before:
[Alice] has
[P & S]; [M] is the message;
[Bob] has [Alice]'s public key [P].

[Alice] [sign]s [M]

with her secret key [S]: [S[M]].
She sends it to [Bob].

[Bob] applies [Alice]'s public key [P]

to [S[M]] and gets [M]; only [Alice]'s [S] could have produced something that [P]
opens:
(P[S[M]] --> M).

Note: anyone with [P] can read it, so [Bob] gets authenticity, not privacy.
[Bob] is sure the message is from [Alice]:

only [Alice] can produce it (she has [S]), anyone can check it (with [P]).
[Bob] knows it is from [Alice] and unmodified: that is
[Alice]'s [digital signature].
Non-repudiation: [Alice] cannot later deny having signed.

Example: [Alice] signs the file [new_accounts] for [Bob].

[--sign|-s] signs; with --armor the result is
[new_accounts.asc], signed by [Alice]:
The signed file contains the message and the signature together.
[gpg --verify file] checks the signature and names the signer.

[Bob] verifies that it came from [Alice];
[gpg --decrypt|-d] of a signed file verifies it and prints the message:

Public Key Protocols III: Detached Digital Signatures


with GNU Privacy Guard.
(Detached Digital Signatures): the signature is a separate file; the original
stays readable as it is.
[Bob] receives the file plus a small signature file.
Signing a large file directly with [S] would be slow and would double its size,
so [Bob]'s copy of the file is left untouched
and only a hash of it is signed.
Notation:
[S] [Alice]'s secret key,
[P] [Alice]'s public key,
[P [M]] a message encrypted with [P],
[M] the message,
[H[M]] the [one way hash] ([HASH]) of M.
[Alice] has
[P & S] and [M];
[Bob] has [Alice]'s [P].
[signing] M:
[Alice]
computes the [One Way Hash] H[M]
of the message, the [HASH],
signs the hash with S and sends (M, S[H[M]])
to [Bob].

[Bob] checks it:
he has the message M and the signed hash.
[Bob] computes the [One Way Hash] of M himself,
then applies
[Alice]'s [P] to the signed [HASH]:
(P[S[H[M]]] --> H[M]).
If his own [HASH]
equals the recovered [HASH],
the message is intact and from Alice.
Note: [Bob] can read M without gpg; only the check needs [Alice]'s [P].
Only [Alice] could have signed.
[Bob] knows it is from [Alice] and unmodified:
[Alice]'s [digital signature] again, but detached.
Non-repudiation holds as before.

Example: [Alice] signs [new_accounts] for [Bob].

[Detached Digital Signatures]:

[--detach-sign] instead of [--sign|-s] signs only the [hash]:
it produces new_accounts.sig (binary), or new_accounts.asc with --armor.

[Bob] needs the file, the signature file and [Alice]'s public key:

[--verify new_accounts.sig new_accounts] checks [new_accounts] against the signature.
This is how package and ISO signatures are checked.
PUBLIC KEY INFRASTRUCTURES

[Public Key Infrastructure (PKI)]

The [Public key protocol] between a (client)
and a [web server] (SSL), in outline:
1- The client connects and the server sends its public key.
2- The client checks the key.
3- The client generates a random
[session key] and encrypts the [session key] with the server's public key.
4- The server decrypts the [session key] with its private key.
Now both sides share a secret.
5- All further traffic is encrypted symmetrically with the [session key], which is
fast. This combination is hybrid encryption.
The weak point is step 2: how does the client know the public key is the server's?
(man-in-the-middle):
[Alice] wants to talk to [Bob]; [Mallory]
sits between them. [Alice] asks for [Bob]'s public key.
[Alice] receives a key,
but it is [Mallory]'s, not [Bob]'s.
[Mallory] intercepts (and can modify) everything that follows.
[Mallory]

does the same in the other direction:
[gpg] shows [Alice] a key that looks like [Bob]'s,
but it is [Mallory]'s and [Mallory] has its secret half.
[Bob] receives [Mallory]'s key believing it is [Alice]'s,
so [Mallory] reads and re-encrypts everything [Alice] sends.

Keys: [Alice] [Bob] [Mallory]
public keys [Pa] [Pb] [Pm]

[Bob] encrypts to [Pm] believing it is Pa;
[Alice] was told Pm is Pb; [Mallory]
decrypts with [Sm],
[Mallory] then re-encrypts the message with
[Alice]'s real [Pa] and forwards it, so
[Alice] reads it and believes it came from [Bob]; neither side notices
[Mallory].
The fix is to bind a public key to an identity in a way the client can verify.
(Man-in-the-middle attacks)
are defeated by
[certificate-based systems] such as SSL (HTTPS versus HTTP),
which use [X509 digital certificates].
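The three public-key protocols (P[M], S[M] and the detached S[H[M]] checked as P[S[H[M]]] -> H[M]) and the man-in-the-middle key substitution above, made concrete in one added example that is not code from the guide. It uses textbook RSA with small primes and no padding, purely to show the notation; the primes and the message are constructed values, and a key this size would be broken instantly, so it is not a usable cipher.

```python
# Added example (not from the guide): textbook RSA with small primes, used only
# to make the guide's notation concrete: P[M] (encrypt to a public key),
# S[M] (sign with a secret key), the detached signature S[H[M]] checked as
# P[S[H[M]]] -> H[M], and the man-in-the-middle key substitution that a PKI
# exists to prevent.  No padding, tiny keys: never use this for real data.
# The primes and the message are constructed values.
import hashlib
from dataclasses import dataclass
from math import gcd
from typing import Tuple

@dataclass(frozen=True)
class Key:
    exp: int
    n: int

def keygen(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Return (public P, secret S) for primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return Key(e, n), Key(pow(e, -1, phi), n)

def apply(key: Key, m: int) -> int:
    return pow(m, key.exp, key.n)        # m must be smaller than n

def H(message: bytes, n: int) -> int:
    """One-way hash, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

# Protocol I: Bob encrypts with Alice's public key; only S_a recovers M.
def encrypt(pub: Key, m: int) -> int:
    return apply(pub, m)

def decrypt(sec: Key, c: int) -> int:
    return apply(sec, c)

# Protocol II: Alice signs M with S_a; anyone with P_a recovers M.
def sign(sec: Key, m: int) -> int:
    return apply(sec, m)

def open_signed(pub: Key, s: int) -> int:
    return apply(pub, s)

# Protocol III: detached signature over H(M); the verifier rehashes and compares.
def detach_sign(sec: Key, message: bytes) -> int:
    return apply(sec, H(message, sec.n))

def verify_detached(pub: Key, message: bytes, sig: int) -> bool:
    return apply(pub, sig) == H(message, pub.n)

ALICE = keygen(15485863, 32452843)       # (P_a, S_a)
MALLORY = keygen(49979687, 67867967)     # (P_m, S_m)

def mitm_relay(message: int) -> Tuple[int, int]:
    """Bob believes P_m is Alice's key, because nothing vouched for P_a.
    Returns (what Mallory read, what Alice finally decrypted)."""
    P_a, S_a = ALICE
    P_m, S_m = MALLORY
    from_bob = encrypt(P_m, message)           # Bob encrypts to the wrong key
    seen_by_mallory = decrypt(S_m, from_bob)   # Mallory reads it ...
    relayed = encrypt(P_a, seen_by_mallory)    # ... and re-encrypts to Alice
    return seen_by_mallory, decrypt(S_a, relayed)

if __name__ == "__main__":
    P_a, S_a = ALICE
    m = int.from_bytes(b"$100", "big")
    print("S[P[M]] == M:", decrypt(S_a, encrypt(P_a, m)) == m)
    doc = b"new_accounts: alice 4200"
    print("detached signature ok:", verify_detached(P_a, doc, detach_sign(S_a, doc)))
    print("mitm (mallory read, alice got):", mitm_relay(m))
```

mitm_relay() returns the same value twice: Alice decrypts exactly what Bob sent, so the relay is invisible, and Mallory holds the plaintext. Nothing in the protocol itself can detect this; only a trusted binding of P_a to "Alice", which is what the certificates in the next section provide, closes the gap.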
X509 DIGITAL CERTIFICATES AND PUBLIC KEY INFRASTRUCTURE

A Digital certificate is a public key signed by a [CA (Certificate Authority)]
whose own public key the client already trusts.

The [X509] format, [RFC2459], adds to the public key the (digital signature)
of the CA.
A certificate contains:
(The name of the certificate's owner)
(An expiration date)
(A digital signature)
The (digital signature) is what the client verifies.
Example:
[https://www.redhat.com] is served over [https]; the certificate's subject,
[redhat.com], matches the host name in the [URL].
The [digital signature] on it is from Equifax.
[Equifax] is one of the [certificate authorities]
whose public keys are shipped with the browser.
The browser trusts around 80 [certificate authorities]
out of the box.
Because Equifax signed it, the browser accepts the key as redhat.com's
without asking the user.
If the signature does not verify, or the name does not match, the browser warns.
A CA that signs carelessly breaks the whole scheme.

Note: this does not stop
a [man-in-the-middle attack] at the DNS level that sends you to another IP,
but the attacker cannot present a certificate for redhat.com signed by a trusted CA.
[Public Key Infrastructure (PKI)]
fields of an x509 certificate:
1-Subject: the owner: country (C), state (ST), locality (L), i.e. the
city, organisation and common name (the host name).
2-public key
3-issuer: the (CA) that signed it, in the same form as the Subject.
4-period of validity: not before / not after.
Reading a certificate:
# openssl x509 -in Xserver.crt -text
(prints the whole certificate)
# openssl x509 -in Xserver.crt -noout -subject
(prints only the subject)
# openssl x509 -in Xserver.crt -noout -issuer
(prints only the issuer)
# openssl x509 -in Xserver.crt -noout -dates
(prints only the period of validity)
Creating Digital Certificates
[openssl] creates certificates.
[openssl] can even act as a [certificate authority] with the [ca] sub-command,
but that is more than is needed here.
A [makefile] under [/etc/pki/tls/certs/] drives [make] to build key and
certificate in one step.
The [Makefile] builds a [.crt] from the target name.
[openssl] asks for:
a private key passphrase,
which the [passphrase] step then removes so that the service can start unattended;
it creates janateba.key (the private key), then
janateba.crt from janateba.key.
Target [.pem]: [make janateba.pem]
puts key and certificate in one file.
The makefile asks the subject questions: country, state, city, organisation,
common name (the host name) and e-mail.
[makefile] writes [janateba.pem] = [janateba.key] + [janateba.crt].
The [makefile] makes a [self-signed certificate]:
signed by its own key, not by a [CA], so browsers warn about it.
For a CA-signed certificate create a (certificate signing request), a [.csr]
(for [APACHE] or any other service).
The [certificate authority]
signs the [csr] and returns the certificate.
[make] has a [.csr] target too; the [csr]
asks one extra question: a "challenge password", which the [CA] may require with the [csr].
A [self-signed certificate] is enough for testing.
Both the [csr] and the [self-signed certificate] are made by [openssl req]
and examined with [openssl x509].
In practice [hybrid encryption] is used: [symmetric encryption] for the data, with the
session key protected by [Asymmetric encryption].

Graphical front ends for gpg:

Gpg4win on Windows,
Kgpg for KDE, Seahorse for GNOME.
Remote access

Administrators work on servers remotely.
Whatever tool is used, the traffic crosses the network and can be captured,
so the protocol must be encrypted.
Today the choice is SSH, or VNC inside SSH.
Telnet sends everything in clear; so do
POP, SMTP and IMAP without TLS, including the
[authentication].
SSH (secure shell)
(SSH) is a protocol for encrypted remote login and command execution.
SSH authenticates the server (host key) and the user,
and encrypts everything after that.

SSH also forwards X11 and arbitrary TCP ports, and carries
sftp and scp for file transfer.

SSH replaced telnet, rlogin and rsh.
The SSH implementation on Linux is OpenSSH;
check that it is installed with
[rpm -qa | grep -i ssh].
SSH listens on tcp 22. SSH
clients exist for Mac OS X,
Solaris, GNU/Linux and OpenVMS,
among others.
Packages for (SSH): [openssh-server, openssh-clients, openssh]
[SSH client] tools: [ssh, scp, sftp]
The SSH server is [sshd], on TCP port [22];
configuration is under [/etc/ssh].

OpenSSH uses the OpenSSL library for its cryptography,
so an OpenSSL update matters to sshd too.
SSH components
[sshd]: the SSH server; [service sshd start].
[ssh-agent]: holds decrypted private keys for [key-based authentication].
[ssh-add]: adds a key to the agent.
[ssh]: the client, the encrypted replacement for Telnet.
[ssh-keygen]: creates and manages key pairs.
[ssh-copy-id]: installs a public key on a remote host.

[BASIC ENCRYPTED COMMUNICATION]

SSH authenticates the user by password (password-based authentication)

or by a key pair (key-based authentication).
SSH Authentication methods:
password-based Authentication:
the user types the account password;
it travels encrypted, inside the session.
The client first checks the server's Host-Key,
then the password is sent (never in clear).
Key-based Authentication:

the user has a key pair; the Public key is on the server, the Private key stays
on the client, protected by a Passphrase.
The server challenges the client to prove it holds the private key;
no password crosses the network at all.
Passphrase-Less Authentication:
a key pair without Passphrase,
used by Automated jobs such as cron.
Anyone who copies the key file can log in, so protect it and restrict it on the server.
SSH has been the standard since about 2002; every distribution ships OpenSSH:
Slackware, Ubuntu, Debian, Fedora, CentOS.
KEY-BASED AUTHENTICATION

(authentication) with an (Asymmetric key pair),

like [gpg].
In (key-based authentication) the [private]
key produces a (digital signature) on a challenge, which the server checks with
the public key.

The private key never leaves the client.

Advantages:
(Secure authentication without a password)
and no password for an attacker to guess on the server.
Example:
stationX is the client, stationY the server.
A user on stationX wants to log in to stationY without a password.

(authentication) with keys.
Like [gpg], the private key is protected by a [passphrase]
in [SSH] too.
Unlike [gpg], the [passphrase]
only unlocks the key locally; the server never sees the [passphrase].

Steps for (key-based authentication):
1- Create an [ssh key pair] on the SSH client.
2- Put the public key in [~/.ssh/authorized_keys] of the user on the server.

The [ssh key pair] is made with [ssh-keygen]; [-t] chooses the type,
RSA or DSA. RSA is the default and the recommended one.

For root the private key is /root/.ssh/id_rsa and the public key id_rsa.pub.
To change the passphrase:
# ssh-keygen -p -f ~/.ssh/id_rsa
The public key has the [.pub] extension.
The key Fingerprint is a [one way hash] of the public key:
# ssh-keygen -l -f ~/.ssh/id_rsa
Default sizes: [RSA] 2048 bit, [DSA] 1024 bit;
change with [-b size].
Same idea as the gpg [finger print] shown by [gpg --fingerprint key_id].

The public half of the [key pair] goes into authorized_keys on the server;

the private half stays on the client and is never copied.
Copy the public key to the server with [scp], which runs over SSH.

[scp] copies through the [ssh tunnel]:

# scp source_file_location destination_location:location_you_want_copy_in_it
[Destination_location] = [server_name\ip] or [user_name@server_name\ip]
Or use [ssh-copy-id], which appends the key to authorized_keys and fixes the permissions:

On the first connection SSH shows the server's [host key] fingerprint and asks
you to confirm it;

it is then stored in [~/.ssh/known_hosts]; afterwards SSH compares the host key
with the stored one and refuses to connect if it changed, which protects
against a spoofed IP or a man-in-the-middle.

Troubleshooting key login:
authorized_keys must contain the key on one line, unmodified.
sshd must allow [key-based authentication] (PubkeyAuthentication)!
SSH is strict about permissions: [~/.ssh] must be
700 and authorized_keys not writable by others, or SSH ignores them.
Login: [# ssh root@172.168.1.1] or [ssh -l login 172.168.16.1]
The user is given with [@] before the IP or with [-l].

ONE TIME LOGINS: THE SSH AGENT

With [key-based authentication] the passphrase

is typed every time the key is used;
with many logins that is as tedious as a password.
The [ssh agent] solves it.
[ssh-agent] keeps decrypted private keys in memory for the SSH client.
[public key authentication]
then happens without typing anything.
The agent lives for the login session; the passphrase is asked once.
The keys never leave the agent process.
Agent forwarding can make the agent available on a remote host.
SSH on the server side needs nothing extra.
The public key is still checked against [$HOME/.ssh/authorized_keys].
[ssh-agent] asks the [passphrase] once and then answers the client's challenges itself.
The agent must be started first, then the key added.
The [agent] decrypts the key with the passphrase and keeps it.
Keys are added to the [ssh agent] with [ssh-add];
by default [~/.ssh/id_rsa] and [~/.ssh/id_dsa] are added to [ssh-agent].
Start the agent so that its environment variables are set:
[ssh-agent] prints shell commands; evaluate them.
Then [ssh-add]:
[eval $(ssh-agent -s)]
ssh-add

[ssh-agent -s] prints the variables of the [ssh agent] in sh syntax.

[ssh-add] loads the key into the [ssh agent]; ssh then
uses it without asking for the passphrase.

[ssh-add -D] removes all keys from the [ssh-agent].
The agent ends with the session
([logout]).
ssh client
ssh connects to the server in several forms:

forms:
# ssh hostname
# ssh user@hostname
# ssh hostname remote-command
SSH configuration files

ssh and sshd read their files from [/etc/ssh/]:

1-[moduli]: prime groups used by sshd
for the Diffie-Hellman key exchange (D-H)
that sets up the session key.
Do not edit it by hand.
Replace moduli only with a freshly generated file, and only if you know why.
2-[ssh_config]: system-wide client configuration; per user [~/.ssh/config].
3-[sshd_config]: server configuration.
4-[ssh_host_dsa_key]: the server's dsa host private key.
5-[ssh_host_dsa_key.pub]: the dsa host public key.
6-[ssh_host_key]: the protocol 1 ssh host private key
(obsolete).
7-[ssh_host_key.pub]: its public half
(obsolete).
8-[ssh_host_rsa_key]: the rsa host private key.
9-[ssh_host_rsa_key.pub]: the rsa host public key.
Per user, in [~/.ssh/]:
1-[authorized_keys]: the public keys allowed to log in as this user,
one per line.
2-[id_dsa]: the user's dsa private key.
3-[id_dsa.pub]: the user's dsa public key.
4-[id_rsa]: the user's rsa private key.
5-[id_rsa.pub]: the user's rsa public key.
6-[known_hosts]: the host keys (rsa or dsa) of servers already visited.
SSH client configuration

The client reads [/etc/ssh/ssh_config];
most lines are commented ("#") and show the defaults.
Options are "keyword value".
[SSH] per-host settings
avoid typing the same options every time.
Per user:

the same syntax in [~/.ssh/config].
Order of precedence:
command line, then [/etc/ssh/ssh_config]? No:
command line first, then [~/.ssh/config],
then [/etc/ssh/ssh_config]; the first value found wins. The server side is [/etc/ssh/sshd_config].
Example:
stationY runs SSH on port 2022 and on stationZ
the login name is joe:

[Host] starts a block; the options after it apply to that [Host] only.
[wild cards] are allowed:
[*.example.com] matches every host in example.com,
[Host *] everything.
In [/etc/ssh/ssh_conf]:
[User] sets the login name;
with an SSH block such as:
[User joe] under [Host stationz.example.com], these are the same:
# ssh joe@stationZ.example.com   # ssh stationZ.example.com
Without a [Host] block the option is global.
[/etc/ssh/sshd_config] server options:
[Port] default 22.
The client uses [-p] for another port: [ssh -p 2022 root@stationY.example.com].
Port exists in [ssh_config] (client side) and [sshd_config] (server side).
[AddressFamily any] listens on IPv4 and IPv6; [inet] (IPv4) only
or [inet6] (IPv6) only. Also in [ssh_config] and [sshd_config].
[ListenAddress 0.0.0.0] and [ListenAddress ::] bind all IPv4 and IPv6 addresses;
give a specific address to listen only there.
[Protocol 2] allows protocol 2 only (protocol 1 is broken).
Also in [ssh_config] and [sshd_config].
[PermitRootLogin] whether root may log in over SSH (set it to no).
[PubkeyAuthentication] enables [key-based authentication].
Also in [ssh_config] and [sshd_config].
[PasswordAuthentication] enables [password-based authentication]
(set it to no once the keys are in place). In [ssh_config] and [sshd_config].
[UsePAM] runs the [PAM] stack for sshd.
[ssh-agent] and forwarding options, in [/etc/ssh/ssh_config] and [/etc/ssh/sshd_config]:
[AllowAgentForwarding yes]: forward the agent (key) to the remote host.
[AllowTCPForwarding yes]: allow tcp port forwarding.
[GatewayPorts no]: forwarded ports bind to localhost only.
[X11Forwarding yes]: allow X forwarding.
USER-BASED SECURITY FOR SSH


sshd can restrict who logs in. The SSH user-based security directives are
DenyUsers, AllowUsers, DenyGroups and AllowGroups.
Ex. [AllowUsers user01 user02] (names separated by spaces in sshd_config).
Restricting SSH to the users who need it is the first hardening step.
Several key pairs can be kept; choose one with [-f key_name] when generating
(and -i when connecting).
SSH hardening summary

iptables:
# iptables -A INPUT -p tcp -s 172.168.1.1 --dport 22 -j ACCEPT
allows ssh only from the IP [172.168.1.1].
TCP wrappers:
# vim /etc/hosts.allow
add:
sshd: 172.168.1.1
and:
# vim /etc/hosts.deny
add:
sshd: ALL
Only IP 172.168.1.1 may reach sshd
(an attacker could still spoof the IP, which is why sshd must authenticate as well).

# vim /etc/ssh/sshd_config
set:
ListenAddress 172.168.1.1
PermitRootLogin no
Protocol 2
AllowUsers user1 user2
AllowGroups admins
Port 2022
Explanation:
ListenAddress 172.168.1.1: sshd binds only to this IP of the server,
not to its other interfaces.
PermitRootLogin no: root cannot log in directly; log in as a user and su to root,
so every root action is tied to a person.
Protocol 2: SSH-2 only; SSH-1 is insecure.
AllowUsers user1 user2: only these users.
AllowGroups admins: and only members of admins (both conditions must hold).

Check the syntax before restarting, or you may lock yourself out:
# `which sshd` -t
No output means the file is valid.
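The hardening checklist above, turned into an audit of an sshd_config file, as an added example that is not code from the guide. It also mirrors one sshd rule that bites in practice: only the first occurrence of a keyword counts, so a hardening line pasted below an earlier default does nothing. The two sample configurations are constructed, the expectation that PasswordAuthentication be "no" is my assumption for a keys-only server, and the compiled-in defaults listed are those of upstream OpenSSH.

```python
# Added example (not from the guide): an audit of an sshd_config against the
# hardening settings listed above.  It mirrors one sshd rule that bites in
# practice: only the FIRST occurrence of a keyword counts, so a hardening line
# appended below an earlier default does nothing.  The sample configurations
# are constructed; PasswordAuthentication=no is an assumption for a keys-only
# server; DEFAULTS are upstream OpenSSH compiled-in defaults.
import re
from typing import Dict, List

def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Keyword -> value tokens; first occurrence wins; keywords lower-cased.
    Parsing stops at the first Match block, whose lines are conditional."""
    seen: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[=\s]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if key not in seen:
            seen[key] = parts[1].split() if len(parts) > 1 else []
    return seen

CHECKS = {                      # keyword -> the value the audit wants
    "permitrootlogin":        ["no"],
    "protocol":               ["2"],
    "pubkeyauthentication":   ["yes"],
    "passwordauthentication": ["no"],
    "x11forwarding":          ["no"],
    "usepam":                 ["yes"],
}
DEFAULTS = {                    # what sshd uses when the keyword is absent
    "permitrootlogin": ["yes"],
    "pubkeyauthentication": ["yes"],
    "passwordauthentication": ["yes"],
    "x11forwarding": ["no"],
}

def audit(text: str) -> List[str]:
    """Return findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    for key, wanted in CHECKS.items():
        if key in cfg:
            if cfg[key] != wanted:
                findings.append(f"{key} is {' '.join(cfg[key])}")
        elif key in DEFAULTS:
            if DEFAULTS[key] != wanted:
                findings.append(f"{key} unset, default {' '.join(DEFAULTS[key])} applies")
        else:
            findings.append(f"{key} unset")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups restriction")
    return findings

HARDENED = """
ListenAddress 172.168.1.1
PermitRootLogin no
Protocol 2
AllowUsers user1 user2
AllowGroups admins
Port 2022
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
UsePAM yes
"""

SLOPPY = """
PermitRootLogin yes
Protocol 2,1
# hardening pasted at the end -- ignored, the first occurrence above wins
PermitRootLogin no
"""

if __name__ == "__main__":
    print("hardened:", audit(HARDENED) or "ok")
    print("sloppy:", audit(SLOPPY))
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; the duplicate-keyword case is the reason to grep for a directive before adding it rather than appending blindly.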
X over SSH
Running a graphical program on a remote machine and seeing it locally:
remote access tools include rdesktop, vnc, rlogin, telnet and ssh;
rdesktop and vnc send a whole desktop,
ssh can forward single X windows.
SSH Tunneling: the X traffic travels inside the SSH connection.
Connect with:
# ssh -X user@domain.com
user on domain.com, with X Forwarding enabled by -X
(X11Forwarding must be yes on the server).
Then run:
gedit &
and the gedit window appears on the local display.
Another example:
# ssh -X user@IP-Address
then
# gcalctool &
shows the calculator locally.
SSH TCP FORWARDING

Port forwarding (Tunneling traffic)

SSH can carry any TCP connection inside the encrypted tunnel,
so an insecure protocol becomes safe in transit.
Three parties are involved:
1) the SSH client
2) the SSH server
3) the destination host (it may be the server itself).
Port Forwarding types:
Local Port Forwarding (LocalForward in ssh_config):
a Local Port on the client is connected to a Remote Port reachable from the server.
Example: Thunderbird must reach a mail server, but
the (ISP) blocks port 25;
a local port such as 12345 is forwarded through the SSH server example.com to a port
(23 in the example) on yahoo.com; Thunderbird talks to localhost:12345
and the traffic leaves from example.com.
SSHD on the server makes the TCP connection to the final destination.
[local forward/PortForward] = (local port) on the client, through the SSH tunnel,
to the (foreign port) on the remote host.
The destination only sees the SSH server as the source.
Syntax:
# ssh username@hostname -L local-port:remote-hostname:remote-port
[-L] is [Local Forward]:
# ssh -L 2000:yahoo.com:110 binary@example.com
Local port 2000 on the client is tunnelled
through the ssh session to port 110 (POP3) on yahoo.com, as seen from example.com.
The mail client is pointed at localhost:2000; its traffic is encrypted up to the SSH server.

LocalForward
in [ssh_config] makes it permanent:
Example: from stationY reach stationZ
with [Local Forward]; on stationY:
# ssh user01@172.168.1.2 -L 1234:172.168.1.2:22
Port 1234 on stationY now leads, through the SSH session to 172.168.1.2, to the
SSH port of that host; a second ssh to localhost:1234 on stationY lands on stationZ.

Remote Port Forwarding (RemoteForward in ssh_config), also called Reverse Tunneling:

a Remote Port on the SSH server is connected back to a Local
Port on the client. Used when the client sits behind NAT and cannot be reached:
it connects out and opens a way back in. Remote Port Forwarding
example:
# ssh -R 9999:localhost:22 binary@home.no-ip.org
*:
-R is Remote Port forwarding: port 9999 on home.no-ip.org is connected to port 22
on the client's localhost; binary is the login on home.no-ip.org. From there:
# ssh user@localhost -p 9999
reaches the client:
user on localhost port 9999 is the machine that opened the tunnel.
Ports below 1024 need root. To keep the tunnel open without an interactive shell,
run a long-lived command such as top or a for loop over ls on the Remote side.
VNC SERVERS

VNC gives a full remote desktop; SSH gives a shell and single windows.
VNC is not encrypted by itself,
so it is tunnelled through SSH.
Installing the VNC-SERVER:
*# yum -y install tigervnc

tigervnc-client and tigervnc-server are the packages;
the GNOME desktop-sharing vnc is [vino].
tigervnc-server options:

-geometry
Defines the size of the viewer when the client connects

-nolisten tcp Denies TCP connections to the VNC server
(tcp only through a local forward)
-nohttpd
Denies web VNC clients from connecting
(the built-in http viewer)
-localhost
Forces the use of a secure gateway (port forwarding)

Each user gets a session (display) number; VNC listens on 5900 plus the display
number: session [:2] is port [5902] ([5900+] [+] the [session] number).
The display numbers per user are assigned in the vncservers configuration.
[vncpasswd] sets the password of a session; each session_number has its own
password.

Start the VNC-server with vncserver:

It prints the display number of the VNC session.
Stop it with
[vncserver -kill :1]
Connect with [vncviewer serverIP:port].
APACHE SERVER

(Apache HTTP Server) is the most used web server,

free and open source,

developed by the Apache Software Foundation.
It has been the most used server since 1996 and in 2009 became the first to serve
more than 100 million web sites.
In 2013 it served about 54.2 % of all sites and 53.3 % of the busiest ones.


Apache began as patches to the
NCSA Httpd server written by Robert McCool in 1994 (HTTPD),
after he left NCSA.
The original group, led by Brian Behlendorf, included
Roy T. Fielding, Rob Hartill, David Robinson, Cliff Skolnick, Randy Terbush, Robert S. Thau,
Andrew Wilson, Eric Hagberg, Frank Peters and Nicolas Pioch.

Version 2 introduced the Apache Portable Runtime
(a portability layer), threading
and IPv6 support in 2002.

Features: modules extend the server:

languages such as Tcl and PHP; authentication with mod_access, mod_auth and mod_digest;
SSL and TLS; the full list is at [http://www.apache.org].
URL rewriting (mod_rewrite), custom logging (mod_log_config),
filtering [mod_ext_filter], server-side includes mod_include,
compression mod_gzip.
Log analysers such as AWStats / W3Perl and Visitors
read its logs.

Apache serves static and dynamic content and
is the A in LAMP:
Linux, Apache, MySQL and PHP.
IBM WebSphere
and Apple's Mac OS X WebObjects are built on it.

Competitors:
Microsoft IIS, Sun Java System Web Server,
Zeus Web Server, nginx and Cherokee.
Google's Web Server (GWS)
is a custom server.
Apache remains the reference implementation.

http://www.netcraft.com:

. HTTP
HTTP HTTPS.
).National Center for Supercomputing Applications (NCSA
).(www.apache.org
HTML .
VIRTUAL HOST
. ] .[PHP Python Perl Java and other
][authentication user & password kerberos ldap oracle MySQL Microsoft sql postar sql
http 80 https 443
http://httpd.apache.org/docs/2.2/new_features_2_2.html
http://httpd.apache.org/ABOUT_APACHE.html
http://en.wikipedia.org/wiki/Comparison_of_web_servers
:
Apache Tomcat JSP Java Servlet
.
Apache HTTP Server ) Java Server Faces (JSF
.
.



50.

Apache DNS URL


IP IP 80
HTTP ). IP ( DNS
HTTP GET . URL
URL .
http://www.example.com/news.html/ /var/www/html/news.html
/ .
.


:
# yum -y install httpd


:
# yum -y groupinstall web-server
or
# yum groupinstall "Web Server"

:
-1 :
#service httpd start
#chkconfig httpd on
-2 :
#apachectl stop
#apachectl start
#apachectl graceful
] [http://localhost
] [/etc/httpd/conf.d/welcome.conf
][/var/www/error/noindex.html
.


[elinks] [yum install elinks]
localhost :

][HTTPD

].[/etc/httpd/

httpd.conf ] [/etc/httpd/conf/
] [/etc/httpd/conf.d/ ] [.conf ].[ssl.conf


httpd.conf
] [/etc/httpd/conf/
].[vim
:
virtual host-3
main server-2
global environment-1

:
.
:
directories files modules "" containers
] [containers
Directional brackets (< >):
<Directory "/var/www/icons">
<Files ~ "^\.ht">
<IfModule mod_mime_magic.c>
[containers] are closed with a forward slash (/):
</Directory>
</Files>
</IfModule>
:global environment
.
.
:
] [page not found
:

ServerTokens

[OS | Full (or not specified) | Min[imal] | Major | Minor | Prod[uctOnly]]


ServerTokens ] [Page Not Found
:
ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Major
Server sends (e.g.): Server: Apache/2
ServerTokens Minor
Server sends (e.g.): Server: Apache/2.0
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/2.0.41
ServerTokens OS
Server sends (e.g.): Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2
ServerTokens :

ServerRoot:
.
pid run/httpd.pid
/etc/httpd ][/etc/httpd/run/httpd.pid

timeout .
persistent connection request
] [one connection .Internet Download Manger
KeepAlive On request
.
persistent connection
.
MPM
preforkworker
Prefork MPM module

browsing downloading .uploading


pid
pid pid pid
pid
)(.
pid
pid
.
.


] [prefork.c :
[StartServers]-1 8 pid 8 [main pid + 8 fork] pid 9
server processes
MaxSpare .MinSpare
[MinSpareServers]-2 5 fork pid
Pid Pid pid 5 .
[MaxSpareServers]-3 20 Pid .20
[ServerLimit]-4 256 MaxClients .
[MaxClients]-5 256 / download
upload browsing
[MaxRequestsPerChild]-6 4000 / Pid fork.
prefork mpm pid ].[multi-process
Worker MPM module

worker PMP multi-process multi-threading prefork


pid multi-threading

.
ThreadsPerChild
MaxClients ].[total number of threading
worker PMP-1: .prefork PMP
-2 .PHP
:
) (parent pid . ][child
.ThreadsPerChild
:
[StartServers]-1 4 8 .thread
[MaxClients]-2 ].[total number of threading
[MaxSpareThreads]-3 75
.MaxClients
[MinSpareThreads]-4 25 .
[MaxRequestsPerChild]-5 0 / .
IP 80
IP ][Listen 192.168.16.1:80
]Dynamic shared object [DSO

modules
] [# .
] [auth_basic_module .authentication ldap_module
.ldap
.


html server-status
server-status
:
][http://192.168.16.1/server-status

apache
.
:main server
main server :


IP DNS hosts
.
URL ] [self-referential URLs URL
. UseCanonicalName On
ServerName . .URL
UseCanonicalName off URL
.

.www http://www/splat
.http://www.example.com/splat on off
.http://www/splat
.html
. website html image
soft link symbolic link .

] [/ ].[/etc/httpd/
] [Options :
ExecCGI FollowSymLinks Includes Indexes MultiViews SymLinksIfOwnerMatch
FollowSymLinks softlink symbolic link .

] [Allow from all ] [Deny all


][Allow from 192.168.16.1
Order
.


html
.

] [.htaccess options
accounted . .

mp3
.
off . .log
APACHE LOG FILE

] [/etc/httpd/logs/
].[/var/log/httpd/
log access_logerror_log
)(virtual host
webalizer .


STANDARD APACHE SECURITY CONFIGURATION


. .
:
-1 ][firewall iptables .
-2 hosts .
-3 .
selinux-4
Ports and Firewalls
Listen .NameVirtualHost directives
HTTP HTTPS 80.443
ports iptables .system-config-firewall
# iptables -I INPUT 5 -p tcp -m tcp --dport 80 -j ACCEPT
:Selinux
Security Context
.selinux
Security Context ] [ls-Z .

selinux /var/www/html context


label label public_html
:
# chcon -R -t httpd_user_content_t /home/tibea2004/public_html
) ( security context
# chcon -R --reference=/var/www/html /home/tibea2004/public_html
context public_html
# mkdir --context system_u:object_r:httpd_sys_content_t /home/tibea2004/public_html
.


[ BOOLEAN]

CGI .
. CGI selinux
policy SELinux boolean
: boolean) ( boolean
/selinux/booleans/
httpd_can_network_relay
Allow httpd to act as a relay.
httpd_can_network_connect_db
Allow httpd scripts and modules to connect to databases over
the network.
httpd_use_gpg
Allow httpd to run gpg in the gpg-web domain.
httpd_enable_cgi
Allow httpd CGI support.
CGI
httpd_use_cifs
Allow httpd to access CIFS file systems.
allow_httpd_mod_auth_pam
Allow Apache to use mod_auth_pam.
allow_httpd_anon_write
Allow Apache to modify public files used for public file
transfer services. Directories/Files must be labeled
public_rw_content_t.
httpd_enable_homedirs
Allow httpd to read home directories.
.
allow_httpd_sys_script_anon_write
Allow Apache scripts to write to public content.
Directories/Files must be labeled public_rw_content_t.
httpd_dbus_avahi
Allow Apache to communicate with the avahi service via dbus.
httpd_unified
Unify httpd handling of all content files.
httpd_can_network_connect
Allow httpd scripts and modules to connect to the network
using TCP.
allow_httpd_mod_auth_ntlm_winbind
Allow Apache to use mod_auth_ntlm_winbind.
httpd_tty_comm
Unify httpd to communicate with the terminal. Needed for
entering the passphrase for certificates at the terminal.
console
httpd_read_user_content
Allow httpd to read user content.
httpd_use_nfs
Allow httpd to access NFS file systems.
httpd_tmp_exec
Allow Apache to execute tmp content.
httpd_execmem
Allow httpd scripts and modules execmem/execstack.
httpd_can_sendmail
Allow http daemon to send mail.
httpd_builtin_scripting
Allow httpd to use built in scripting (usually PHP).
httpd_can_check_spam
Allow the http daemon to check spam.
httpd_can_network_connect_cobbler
Allow httpd scripts and modules to connect to cobbler over the
network.
httpd_ssi_exec
Allow httpd to run SSI executables in the same domain as
system CGI scripts.
. -CGI Server Side Include
httpd_enable_ftp_server
Allow httpd to act as an FTP server by listening on the FTP
port.
httpd_setrlimit
Allow the httpd daemon to change system limits.


:Module Management
LoadModule
.
64 bit:
/usr/lib64/httpd/modules
32 bit:
/usr/lib/httpd/modules
SECURITY WITHIN APACHE

httpd.conf .
:
ServerTokens OS

ServerTokens Full

.

PHP .
Server root :

/.
FollowSymLinks ] [symbolic link . AllowOverride
] .[.htaccess ] [.htaccess
.DocumentRoot
AllowOverride All|None|directive-type [directive-type]...
] [.htaccess /var/www/html/data/ AllowOverride
.

>:<Directory

/var/www/html DocumentRoot


Indexes
index.html .DocumentRoot

Order allow .
Listen IP TCP/IP port .

IP TCP / IP 80
IP IP
. IP
:
Listen 192.168.122.0:80
HTTPS Listen ssl.conf /etc/httpd/conf.d/
. 433 :
Listen 443
Host-Based Security
Order allow deny .IP
] [Order deny,allow deny.
deny allow IP
:
Deny from www.janateba.com
: IP DNS .
:

User-Based Security
.
.
] [user-based security
> <Directory
/var/www/html/test
:
AuthType Basic
] .[authentication basic user-based security
AuthName some comment
.



AuthUserFile /etc/httpd/testpass
/etc/httpd/testpass
Require user engineer1
.engineer1
AuthGroupFile /etc/httpd/webgroups
/etc/httpd/webgroups
/etc/httpd/webgroups
AuthGroupFile :
Require group Design
:

AllowOverride AuthConfig
:

:
-1 AllowOverride :
AllowOverride All|None|directive-type [directive-type] ...
Directive-type :
AuthConfig

FileInfo
directory document
Indexes
Index
Limit
Order allow deny
Options
-2 AuthType :
AuthType Basic|Digest
Basic auth_basic_module
.
Digest auth_digest_module
.MD5
.


SPECIALIZED APACHE DIRECTORIES

] [specialized apache directories


].[.htaccess
" ) "(directory
.
][.htaccess
] [.htaccess directives
) (directory virtual host
> <Directory /etc/httpd/conf/httpd.conf
:
AllowOverride Options
AllowOverride ]> [<directory.
] [.htaccess ][labeled
.[httpd_config_t] SELinux

Password-Protected Access

useradd passwd
htpasswd .
webpass /etc/httpd directory
:
# htpasswd -c /etc/httpd/webpass engineer1
c engineer1 . engineer1
webpass .
. ServerRoot

. drafter1 :
c
# htpasswd /etc/httpd/webpass drafter1
.
engineer1 drafter1 drafter1
/etc/httpd/grouppass:
Design: engineer1 drafter1
.

Home Directory Access


). (User home directory
UserDir disabled UserDir public_html
~/public_html
jana :
/home/jana/public_html
.


jana )(executable
701 :
# chmod 701 /home/jana
public_html
:705
# chmod 705 /home/jana/public_html
Index.html .

SELinux ] SELinux [.
virtual host .
VIRTUAL HOSTS

2.2 IP .
virtual host .
virtual host /etc/httpd/conf/httpd.conf
www.example.com www.ist192.net IP
.
HTTPS virtual hosts
/etc/httpd/conf.d/ssl.conf
) (main directive .
virtual host IP.
virtual host
#
.

.
1- <VirtualHost *:80>
(*) IP 80 / :
<VirtualHost 192.168.30.2:80>
2- ServerAdmin

[ServerAdmin janateba@gmail.com]:
3- DocumentRoot
index.html
DocumentRoot /var/www/html/index.html
.


4- ServerName
DNS HOST:
ServerName www.janateba.com
5- ErrorLog and CustomLog
log .ServerRoot ServerRoot virtual host
/etc/httpd/logs /var/logs/httpd
:

virtual host [httpd -t]


.
:
Syntax OK
virtual host :
# httpd -S
# httpd -D DUMP_VHOSTS

SECURE VIRTUAL HOSTS

HTTPS ssl.conf
/etc/httpd/conf.d
mod_ssl [yum install mod_ssl]
ssl.conf mod_ssl :
LoadModule ssl_module modules/mod_ssl.so
Listen 443

VirtualHost NameVirtualHost
VirtualHost :
NameVirtualHost *:443
.


VirtualHost ssl.conf:

ServerNameDocumentRoot
ServerAdmin:

ErrorLog TransferLog LogLevel CustomLog log:

SSL ]:[create ssl certificate

] [extension .
CGI :SSL

] [Internet Explorer:


CREATE A NEW SSL CERTIFICATE

SSL
SSL (Secure Sockets Layer)
. .HTTPS
SSL :
.1 Confidentiality
.2 Integrity
.3 .Authentication
ssl :

ssl
ssl ssl.conf .
] [local certificate

]) [Certificate Authority(CA
][VeriSign, Thawte, or GoDaddy

/etc/pki/tls/certs/ ssl certificate


makefile make certificate .VirtualHost
CA
.
.


" "self-signed certificate /etc/pki/tls/certs


VirtualHost vhosts2.example.com:
# genkey vhosts2.example.com
genkey /etc/pki/tls/private /etc/pki/tls/certs
genkey :

/etc/pki/tls/private
/etc/pki/tls/certs Next :

Next
self-signed certificate :
.


CA
No :

Next :

passphrase Next :

Next
:
.


CA HTTPS :

openssl:

CSR
.


server2.key.csr
self-certificate:

DEPLOY A BASIC CGI APPLICATION

(CGI = Common Gateway Interface)


) (CGI .
.
common gateway interface CGI basic C
] [.cgi ] [.pl Perl Perl
basic C Delphi PHP
CGI Perl
....
1 100


cgi cgi
cgi ...
cgi cgi


.. cgi

cgi CGI ...
.
CGI :
) (interpreted script ).(compiled code
.


) (interpreted script ) ( C
) (Unix AWK and SED commands ) (PERL
(Practical Extraction and Report Language).
)(PERL Interpreter . HTTP
NT .
++C
CGI ) (compiled code
.

CGI :
LoadModule cgi_module
ScriptAlias CGI .
)(Alias ][ln-s
ScriptAlias
ScriptAlias /cgi-bin/ "/var/www/cgi-bin"
<Directory /var/www/cgi-bin>
AllowOverride None
Options ExecCGI
AddHandler cgi-script .pl .cgi
Order allow,deny
Allow from all
</Directory>
ScriptAlias cgi-bin
./var/www/cgi-bin CGI /var/www/cgi-bin
.
/ :
-1 AllowOverride None .
-2 Options ExecCGI ] [cgi .
-3 AddHandler cgi-script .pl cgi ] [.pl ][.cgi
.
-4 Order allow,deny ].[authentication
-5 Allow from all
: CGI VirtualHost <Directory>
:VirtualHost
Options ExecCGI
AddHandler cgi-script .pl
ScriptAlias /cgi-bin/ /www/docs/vhost1.example.com/cgi-bin/
: cgi label.httpd_sys_script_exec_t :
SET UP A SIMPLE CGI SCRIPT CGI

-1 hello.pl [cgi-bin] cgi :


#!/usr/bin/perl
# CGI output starts with the Content-type header and a blank line
print "Content-type: text/html\n\n";
print "Hello, World!";
-2 :
# chmod 755 hello.pl
-3 SELinux :
# ls -Z /var/www/cgi-bin
SELinux context httpd_sys_script_exec_t
[semanage fcontext -a]

hello.pl Firefox elinks :


http://vhost1.example.com/cgi-bin/hello.pl


SQUID WEB PROXY


A proxy server .
. squid web proxy .
:Squid cache HTTP FTP .web proxy cache

.
squid bandwidth
10 20 . . ICP
] .[Inter-Cache Protocol . HTTP
.FTP .www.squid-cache.org

.
. .IP
. - -
.
"" .
.
:
) (
) ( -
.
) Gateway
( ) Tunneling Proxy SSL
( .
.
) (Reverse Proxy ) (.

) (proxy ) (proxy server

) (www (firewall:).
:
-1 (Caching):
) (proxy server

.
-2 (filtering):

.
-3 ) :(firewall
.

:
-1
Caching proxy
.

. .
RAID
Journaling
TCP
.
.
. HTTP 1.0
) ( ) ETAG
.


( ) If-Modified-Since
( )Expiry
( . DNS Expiry
. )
( . : RFC 3143
(HTTP Proxy/Caching).
.
.
.
-2

" ) (WWW Web proxy".


. Squid
) (URL .

Linux
.
Linux

[PDA]). ) (AOL
"" JPEG.
.
" "AOL Users Click Here
"".
-3
.
) (

.
. :
) (DNS )) URL regex

MIME .
.
.


) ( .
Daemon/ ICAP
.
-4
) ( .
.
.

. :
. .
.
-5 )(Hostile Proxy


.
. ) (
SSL.
-6
Intercepting proxy
" " Transparent proxy

) .

) ( .
.
.



HTTP .
-7
" " "Transparent Proxy
" ") Intercepting Proxy
( . WCCP "" .
) (Router
. : GRE
)Tunneling (OSI Layer 3 )MAC rewrites (OSI Layer 2
' - Transparent Proxy':
".
' Non-Transparent Proxy':

".
-8
" Forced proxy .
" " ) (
" " ) ( .
TCP.HTTP
HTTP .
.
)
( . HTTP
.
-9
) (Open Proxy
. IRC
.
.
IRC DNSBL
AHBL CBL NJABL .SORBS
.

)(Port scanning
.
.
-10
Reverse proxy

.
.
. :
/ SSL Acceleration:
)(SSL . SSL Acceleration
) . Secure Socket Layer (SSL SSL
SSL . SSL Server Certificate
. SSL
DNS . SSL
Load balancing:
.
)
(.
:

.
.


: .
:
. .
:
.
.

:
.

.

) (Circumventor
.
.
. elgooG
Google

. 2007 Citizen Lab


]Proxify [http://proxify.com] - StupidCensorship - CGIProxy[http://www.jmarshall.com


Psiphon http://psiphon.civisec.org - Peacefire/Circumventor http://peacefire.org
UltraSurf FreeGate

Anonymizer .Ghost Surf http://www.tenebril.com


Gpass HTTP Tunnel Relakks
:
.Guardster

JAP ANON http://anon.inf.tu-dresden.de/index_en.html - Tor http://tor.eff.org - I2P http://www.i2p.net

.
) (
.
.

.

.
.
.

- .

.

) (.

VPN SSH
) (Tunneling
. 80 HTTP 443
.HTTPS

Tunneling - -
.

) (MAC .

.

.
)
( ICAP
. .
.


)
.
(
.
)
( .
.
. .
JPEG .
.
) " : %70
%40 .(%30
.
HTTP .
HTTPS .
HTTP .
.
.
.
" ."CGI
. PHP CGI .

.



.Proxy Avoidance
Open proxy
) (open proxy
.




. .


.

) HTTP(
) HTTP (
.
.
.
.


.

)

( .
) ( .
-


) ( .



:Apache HTTP Server .
)I2P ( : .
Nginx . POP3
:PHProxy .
.. PHProxy "Proxies". Tech-FAQ
:Privoxy
.
:Squid HTTP . UNIX/Linux
:Tinyproxy HTTP Deamon . POSIX
:Tor .
:Varnish )( .
:WWWOFFLE
) ( ) (.
.
:Ziproxy
. HTML
) :Pound (networking .
HTTPS front-end/ .
) :Delegate (networking .
web proxy squid .
Installing Squid
. squid
squid:

service chkconfig .squid

Configuring the Proxy


:
/etc/sysconfig/squid
Startup options for the config file
/etc/squid/squid.conf
Main config file for the service
/var/spool/squid
Cache location on the proxy server
/var/log/squid
Log files for the proxy server
.8080 squid 3128
. quid
.
/etc/sysconfig/squid [SQUID_OPTS="-D"] [-D]
DNS .man
]:[/etc/squid/squid.conf
.squid .


ACL
ACL (Access Control List)
. .
acl .
acl:
acl name type definition1 definition2 definition3...
:
acl accesses_to_google dstdomain .google.com
acl accesses_to_search_engines dstdomain .yahoo.com .google.com .vivisimo.com
acl accesses_from_marketing_department src 10.52.0.0/16
acl need_to_authenticate proxy_auth
acl mynetwork src 192.168.88.0/24
acl :
http://www.visolve.com/squid/squid24s1/access_controls.php
.
URL :

:
http_access:
ACL / - . ACL
squid.conf . .http_access
. squid http_access .
/ . .
http_access:
http_access (allow|deny) acl1 acl2 acl3...
:
http_access allow mynetwork
http_access allow accesses_from_admins
http_access deny accesses_to_porn_urls
http_access allow accesses_during_lunchtime
http_access deny all
.
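The first-match behaviour of http_access is easy to get wrong, so here is an added example (not from the guide or the Squid project) that parses a constructed squid.conf fragment and evaluates requests the way the section describes: the acls on one http_access line are ANDed, lines are checked in file order, and if nothing matches Squid applies the opposite of the last line. Only the src and dstdomain acl types are implemented; the networks and domain names are made up for the example.

```python
import ipaddress

# Constructed sample squid.conf fragment (not the page's own config):
# acl definitions followed by http_access lines in evaluation order.
SAMPLE_SQUID_CONF = """
acl mynetwork src 192.168.88.0/24
acl accesses_from_marketing_department src 10.52.0.0/16
acl accesses_to_search_engines dstdomain .yahoo.com .google.com
acl blocked_sites dstdomain .example.org
acl all src 0.0.0.0/0
http_access deny blocked_sites
http_access allow mynetwork
http_access allow accesses_from_marketing_department accesses_to_search_engines
http_access deny all
"""


def parse_squid_conf(text):
    """Collect acls (name -> list of (type, values)) and the http_access
    rules in file order. Only src and dstdomain acl types are supported."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            # Repeating an acl name adds more values to the same acl.
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access" and len(parts) >= 3:
            if parts[1] not in ("allow", "deny"):
                raise ValueError(f"bad http_access action: {parts[1]}")
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl_defs, src_ip, dst_host):
    """An acl matches when any one of its values matches (values are ORed)."""
    ip = ipaddress.ip_address(src_ip)
    host = dst_host.lower().rstrip(".")
    for acl_type, values in acl_defs:
        if acl_type == "src":
            if any(ip in ipaddress.ip_network(v, strict=False) for v in values):
                return True
        elif acl_type == "dstdomain":
            for v in values:
                v = v.lower()
                # A leading dot matches the domain itself and every subdomain.
                if v.startswith("."):
                    if host == v[1:] or host.endswith(v):
                        return True
                elif host == v:
                    return True
        else:
            raise ValueError(f"unsupported acl type: {acl_type}")
    return False


def evaluate_http_access(acls, rules, src_ip, dst_host):
    """Return (action, index) of the first http_access line whose acls
    ALL match. If no line matches, squid applies the opposite of the
    last line; that case is reported with index None."""
    for idx, (action, names) in enumerate(rules):
        try:
            if all(acl_matches(acls[n], src_ip, dst_host) for n in names):
                return action, idx
        except KeyError as e:
            raise ValueError(f"http_access refers to undefined acl {e}") from e
    if rules:
        return ("deny" if rules[-1][0] == "allow" else "allow"), None
    return "allow", None


if __name__ == "__main__":
    acls, rules = parse_squid_conf(SAMPLE_SQUID_CONF)
    for src, host in [("192.168.88.10", "www.example.com"),
                      ("10.52.3.4", "www.google.com"),
                      ("10.52.3.4", "www.example.com"),
                      ("203.0.113.7", "www.yahoo.com")]:
        print(src, host, evaluate_http_access(acls, rules, src, host))
```

The last assertion style check worth running on a real config is the one without the trailing `deny all`: with an `allow` line last, an unmatched request is denied by the implicit default, but that silent default is exactly what the explicit final `deny all` is meant to make visible.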


acl http_access
.
:

3128
.http
icp_port icp 0

squid .
squid http:
# iptables -I INPUT 5 -p tcp -m tcp --dport 3128 -j ACCEPT
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128

to-ports 3128-- selinux:

.
cache_mem 20 MB
squid
cache_swap_low 75
cache_swap_high 90
%90 %70
maximum_object_size 8192 KB
8
cache_dir ufs /cache1 200 16 256
200 16
.256
cache_access_log /var/log/squid/access.log

cache_log /var/log/squid/cache.log

cache
# squid -z
/http://urlblacklist.com
squidGuard ufdbguard 70 squidGuard
DansGuardian
false alarm


Linux Network
Application
Domain Name Service (DNS)


IP DNS IP
IP .
) DNS (Domain Name Services IP
Domain IP .
] [DOMAIN www.google.com IP
DOMAIN IP :
-1 ] [/etc/hosts IP ][DOMAIN

DOMAIN .

-2 [/etc/resolv.conf]: IP [NAME SERVER] DNS


) (.
/etc/hosts nameserver
/etc/resolv.conf /etc/hosts Domain
.DNS
DNS 53 UDP TCP ].[named
DNS BIND %90 BIND DNS
BIND = Berkeley Internet Name Daemon BSD

Domain Name Service


Workgroup

domain
domain

Domain

domain
(ca-teba.com) domain
ca client teba.com domain


IP

] [local nameserver .
] [nameserver ] [internet lookup /
]. [nameserver root level
] : [nameserver root level ) (. root server 13
back bone
13 any cast
IP.
IP ) (fermi.physics.mit.edu
].[nameserver root level
" ". IP IP
) (top level domains IP ] [.edu local nameserver.

IP ] [.edu local nameserver


.edu fermi.physics.mit.edu IP .
] [.edu ] [top level nameserver
] [.mit.edu .
] [.mint.edu
] [fermi.physics.mit.edu IP ] [fermi.physics.mit.edu
.


IP .
TCP / IP IP fermi.physics.mit.edu .

:DNS

request . respond
nameserver local .
recursive request .recursive
.iterative requests
.
boyle.chemistry.mit.edu .root nameserver
Top level domain
org netcom .
Top Level Domain Second Level Domains
.
(Second Level Domains):
Sub domains
(Host Names):
.


. fs GENERIC TOP-LEVEL DOMAINS (GTLD)


country COUNTRY CODE TOP-LEVEL DOMAINS (CCTLD)

List Of Full Form of Domain Names Extensions


.com - Commercial Internet sites.
.edu - Educational sites.
.firm - For an Internet site for a business.
.gov - For a U.S. government site on the Internet.
.int - International institutions.
.mil - For a U.S. military site on the Internet.
.mobi - For mobile phones.
.nato - For NATO sites.
.net - For Internet administrative sites.
.nom - For a personal site on the Internet.
.org - For organizational Internet sites.
.store - For a retail business.
.web - For an Internet site that is about the World Wide Web.
.us - United States
.uk - United Kingdom
.eg - Egypt
FQDN (fully qualified domain name),
.
.
:[root nameserver] 13

http://root-servers.org 13


:DNS www.mheducation.com IP
12.163.148.101. delegated zone of authority
.
DNS RHEL Berkeley Internet Name Domain (BIND)
DNS
DNS.
DNS RHEL6 named BIND
Internet Software Consortium 9.7 BIND .RHEL6
rndc DNS apachectl Apache
service :
#service named status
bind Debian
named RHEL
Install DNS (Bind) DNS
BIND :
DNS configuration packages
basic configuration & documents Bind ------------- DNS
Bind-utils -------- DNS server dig & host
chroot directory log in Bind-chroot -----
Bind-libs -------- library files bind & bind utils
Bind-devel ------ development libraries bind
Bind-sdb -------- database LDAP
Bind-dyndb-ldap dynamic update LDAP
Network Infrastructure Server
BIND :YUM

# yum install bind


Chroot directory
stimulation system system isolated system
system . service

Different Types of DNS Servers


:Primary Master Server Master .
zones ...
:Secondary Master Server ) ( Primary Master
Domains Zones ...
Primary Master ...
.
Primary Zone Zone Transfer.
:Caching only Server
...
: :Hybrid Server
Primary Master Caching Secondary Master Caching
...
:Authoritative only name Server [stub] DNS
) primary (master ) secondary (slave cash .
:Recursive server - DNS
] .[recursive DNS DNS
.
- recursive DNS
.
:Forward only .
request :DNS

-1 Iterative
IP
Domain Name Space IP
cash
.Recursive


-2 Recursive

.

-3 Inverse
IP in-addr.arpa
IP .
IP ) (DNS IP
mail.yahoo.com
-1 DNS root server mail.yahoo.com
-2 root server com IP
-3 DNS com server mail.yahoo.com
-4 com server yahoo domain IP
-5 DNS yahoo domain mail subdomain IP
mail.yahoo.com. request .
Forward Lookup Zone:
Recursive Iterative
IP .
DNS . DNS
Reverse Lookup Zone:
Reverse IP
. DNS .
IP
IP Reverse
IP .
MINIMAL DNS SERVER CONFIGURATIONS

DNS .
DNS IP .
.
DNS:


bind-chroot named
./var/named/chroot

ROOTDIR ./etc/sysconfig/named
SELinux context named.conf:

DNS

Named_write_master_zones zone DDNS


DNS [rndc flush]
: DNS /usr/share/doc/bind-9*/sample

A CACHING-ONLY NAME SERVER

requests hosts
public DNS . Forwarder
DNS
DNS DNS resolveIPs
caching-only name server /etc/named.conf
/ caching-only name server


options DNS:
[listen-on port 53]-1 ] [listen-on-v6 port 53
IPv4IPv6
IP .
IPv4 192.168.122.50 )
};{ (IP IP .6
-2 directory DNS data file
] [data file .DNS
bind-chroot /var/named/chroot
-3 dump-file CASH ) (DATA rndc flush
-4 statistics-file CASH ) (DATA rndc stats
-5 memstatistics-file .
-6 allow-query IP .
IP :
-7 9.5 BIND DNS * dnssec- :

: DNS dnssec-validation yes


root )( .
log :

logging .
logs:
channel ][log , syslog
categories log .
channel log file logs syslog file logs
log /var/named/data/named.run
severity logs :
Dynamic Debug Info Notice Warning Error Critical
dynamic Logs
zone:

) (. root DNS server root zone


root zone named.ca /var/named/named.ca 13
.


include setting local host


/etc/named.rfc1912.zones
/ DSN
name caching DNS server * bind-
named:
# /etc/init.d/named start
# service named start
] [rndc status ] [service named status rndc .

log DNS :
# tail -f /var/log/messages
named DNS :
# rndc stop
# /etc/init.d/named stop
# service named stop
named :
# chkconfig named on
: / :
1- configuration file
2- data file
Examples: ftp server conf. /etc/vsftp and data /var
DNS services:
Configuration file: /etc/named.conf
Data file: /var/named/
DNS server services chroot:
Configuration file: /var/named/chroot/etc/
Data file: /var/named/chroot/var/named/
(POSIX) standard linux app /etc
soft link chroot /etc
DNS server /etc chroot
A FORWARDING NAME SERVER

DNS Forwarding Name Server /etc/named.conf


:


/ DNS DNS
IP .
.
caching-only nameserver
IPv4 192.168.122.50
listen-on :
allow-query local host
:
FORWARDING FROM A CACHING-ONLY NAME SERVER

caching-only name server /etc/named.conf


/ .forward
. DNS cashing
only .forwarding
:

BIND TROUBLESHOOTING COMMANDS

bind named rndc hostdig


named daemon /usr/sbin named
./etc/init.d
DNS /etc/init.d/named start . host dig
.nslookup
rndc
DNS :
rndc status, rndc flush, rndc reload, and rndc stop
] [rndc status ][service named status
] [rndc flush
memory services
] [rndc reload DNS configuration .DNS database file
] [rndc stop DNS ].[service named stop

DNS rndc reload


# host mheducation.com localhost
.


DNS IP :

:dig
dig . [dig @127.0.0.1 www.mcgraw-hill.com]

dig DNS www.mcgraw-hill.com.


DNS
named.ca .


header dig status :


:NOERROR :NXDOMAIN Domain .
:SERVFAIL DNS dnssec .
:REFUSED DNS .
HOW TO CREATE ZONE FILES

master name server .zone file


DNS example.org.zone /var/named
named zone file
/etc/named.conf :forward lookup zone file
Zone name
Zone type
forward zone
Location of zone

reverse zone

Zone name
Zone type
Location of zone

zone file
Forward zone-1
reverse zone-2
Zone reverse IP in-addr.arpa .

zone file zone file :


record section-2
SOA section-1


TTL Time To Live IP



SOA Start Of Authority zone zone
zone
:
serial-1 4
.
:refresh frequency-2 DNS SLAVE
DNS.
:retry frequency-3 DNS slave .
:expiration period-4 DNS
.

record section :
NS name server resource record .DNS MX Mail Exchange record .DNS A (address) record IP . AAAA .IPv6 CNAME aliases IP . CNAME . CNAME FTP
.rsync
The Reverse Zone
Reverse Zone lookups DNS IP .
) (ftp, irc, www, and others
. domain .
.


.reverse zone
: reverse zone IP
reverse zone DNS named.conf:

zone file :reverse

host -l your-domain.com zone
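As an added example (not from the guide or from BIND), the relationship between the forward zone, the SOA serial and the reverse zone described above can be exercised offline: the script parses a constructed example.org forward zone, derives the in-addr.arpa zone name for a /24, emits one PTR per A record, and bumps the SOA serial in YYYYMMDDnn form so that slaves see an increase. The zone content, the addresses and the `next_serial` helper are assumptions made for the example.

```python
import ipaddress
from datetime import date

# Constructed forward zone for example.org (not a zone file from the page).
FORWARD_ZONE = """\
$TTL 86400
$ORIGIN example.org.
@       IN SOA  ns1.example.org. hostmaster.example.org. (
                2024010101 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400 )    ; minimum
        IN NS   ns1.example.org.
        IN MX   10 mail.example.org.
ns1     IN A    192.168.122.10
mail    IN A    192.168.122.20
www     IN A    192.168.122.30
ftp     IN CNAME www
"""


def fqdn(name, origin):
    """Make an owner name absolute: '@' is the origin, relative names get it appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, ttl, records) with records as (owner, type, rdata) and
    absolute owner names. Handles $ORIGIN/$TTL, ';' comments, the multi-line
    SOA in parentheses and blank owners (same owner as the previous record)."""
    origin, ttl, records = None, None, []
    last_owner, buf, depth = None, [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:                      # still inside a parenthesised record
            continue
        full, buf = " ".join(buf), []
        tokens = full.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            ttl = int(tokens[1])
            continue
        if full[0].isspace():
            owner, fields = last_owner, tokens
        else:
            owner, fields = tokens[0], tokens[1:]
            last_owner = owner
        if fields and fields[0].isdigit():   # optional per-record TTL
            fields = fields[1:]
        if fields and fields[0].upper() == "IN":
            fields = fields[1:]
        records.append((fqdn(owner, origin), fields[0].upper(), fields[1:]))
    return origin, ttl, records


def reverse_zone_name(network):
    """in-addr.arpa zone name for a /24, the usual case for a small site."""
    net = ipaddress.ip_network(network)
    if net.prefixlen != 24:
        raise ValueError("only /24 reverse zones are generated here")
    octets = str(net.network_address).split(".")[:3]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_records(records, network):
    """One PTR per A record that lies inside the network, ordered by address."""
    net = ipaddress.ip_network(network)
    ptrs = []
    for owner, rtype, rdata in records:
        if rtype == "A":
            ip = ipaddress.ip_address(rdata[0])
            if ip in net:
                ptrs.append((ip, owner))
    return [(ip.reverse_pointer + ".", "PTR", owner) for ip, owner in sorted(ptrs)]


def next_serial(current, today_yyyymmdd=None):
    """YYYYMMDDnn serial: today's first value, or current+1 when the zone was
    already changed today. Slaves only transfer when the serial increases."""
    if today_yyyymmdd is None:
        today_yyyymmdd = int(date.today().strftime("%Y%m%d"))
    base = today_yyyymmdd * 100
    return base if current < base else current + 1


def build_reverse_zone(forward_text, network, today_yyyymmdd=None):
    """Reverse zone text: SOA copied from the forward zone with a new serial,
    the apex NS records, then the generated PTR records."""
    origin, ttl, records = parse_zone(forward_text)
    soa = next(r for r in records if r[1] == "SOA")
    mname, rname, serial = soa[2][0], soa[2][1], int(soa[2][2])
    refresh, retry, expire, minimum = soa[2][3:7]
    lines = [f"$TTL {ttl}", f"$ORIGIN {reverse_zone_name(network)}",
             f"@ IN SOA {mname} {rname} ( {next_serial(serial, today_yyyymmdd)} "
             f"{refresh} {retry} {expire} {minimum} )"]
    lines += [f"@ IN NS {r[2][0]}" for r in records if r[1] == "NS" and r[0] == origin]
    lines += [f"{name} IN PTR {target}" for name, _, target in ptr_records(records, network)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_reverse_zone(FORWARD_ZONE, "192.168.122.0/24"))
```

Note that the CNAME (ftp) produces no PTR: only A records name an address, which is why a reverse lookup of the ftp host returns www.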


/var/log/messages
Reverse zone .sendmail
DNS -1 view internet user
connect www mail local user www mail dB .
DNSsec-2 signing zone public key private key
Public key software hardware )HSM (hardware security module
DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP)
:
DHCP (Dynamic Host Configuration Protocol)-1
BOOTP-2
DHCP DHCP . BOOTP
DHCP .
DHCP . BOOTP
DHCP .remotely
DORA=Discover Offer Request Ack.
DHCP
client IP broadcast ) (discover 67
client DHCP
(offer) IP 68 client) IP (request DHCP IP ).(Ack.
DHCP TCP/IP
DHCP client )(IP, Subnet mask, default getway, DNS,Domain
dhcp server dhcpd
DHCP IP client client IP DHCP IP client
DHCP Client lease file IPs client
client IP IPs
client IP IP client mac address
.



INSTALLING DHCP PACKAGES

DHCP . / dhcpdhclient
dhclient dhcdbd
IPv6 dhcpv6_ client
DHCP .multicast
.ifconfig
DHCP SERVER CONFIGURATION

dhcpd DHCP ./etc/dhcp/dhcpd.conf


DHCP IP . .
dhcpd.conf.sample ./usr/share/doc/dhcp-versionnum/
DHCP :
/etc/dhcp/dhcpd.conf
Main config file for the DHCP service using IPv4 addresses
/etc/dhcp/dhcpd6.conf
Main config file for the DHCP service using IPv6 addresses
/var/lib/dhcpd/dhcpd.leases
IP IPv4 client lease file
/var/lib/dhcpd/dhcpd6.leases
IP IPv6 client lease file

vim :

:option domain-name
) (domain IP DNS
Domain .IP
:option domain-name-servers
DNS IP .DNS
DNS.
:default-lease-time
IP DHCP IP .
:max-lease-time
IP .

:ddns-update-style interim
DHCP Dynamic DNS DNS
DNS DHCP . " "interim DDNS .
[Dynamic DNS] DDNS record DNS
.zone file DHCP
.
:authoritative
DHCP .authoritative
.


:log-facility local7
Log
:ignore client-updates
.

:subnet 10.5.5.0 netmask 255.255.255.224


10.5.5.0
.255.255.255.224 netmask DHCP 10.5.5.1 10.5.5.30
.
:option routers
)(router . option routers
. DHCP gateway
.
:option subnet-mask
subnet mask .DHCP
:option nis-domain
NIS .
:option domain-name
) (domain IP DNS
Domain .IP
:option domain-name-servers
DNS IP .DNS
DNS.
:option time-offset
) UTC(.
:option ntp-servers
) Network Time Protocol (NTP
.
:option netbios-name-servers
) Windows Internet Naming Service (WINS .
:option netbios-node-type 2
Peer-to-peer node searches, associated with WINS
:range dynamic-bootp 10.5.5.26 10.5.5.30
IP .BOOTP
:default-lease-time
IP DHCP IP .
:max-lease-time
IP .
:next-server
.
#.
:range 10.5.5.26 10.5.5.30
IP DHCP .


IP ].[MAC ADDRESS
:

DHCP ) 08:00:07:26:c0:a5 (mac address


. IP 10.5.5.27 .fantasia
DHCP : . IP ] [static IP .
DHCP eth0 DHCP
eth1 :
# service dhcpd start eth1
client DHCP
# dhclient -v -r eth0
DHCP [service dhcpd stop]
[# /usr/sbin/dhcpd -d -f]

DHCP IP MAC Address


/var/lib/dhcpd/dhcpd.leases
} {option man
.
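As an added example (not from the guide or from ISC dhcpd), the lease file can be audited with a short Python script: it parses a constructed dhcpd.leases excerpt (dhcpd appends a new entry whenever a lease changes, so the last entry for an address wins), lists the leases still active at a given time, and reports any MAC address holding more than one active address, which is worth a look as a sign of client churn, a cloned MAC, or a pool about to run dry. The addresses, MACs, hostnames and times are made up for the example.

```python
from datetime import datetime

# Constructed dhcpd.leases excerpt (not from the page). Lease times are
# written in UTC; a later entry for the same address supersedes earlier ones.
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 10.5.5.26 {
  starts 2 2024/01/02 10:00:00;
  ends 2 2024/01/02 22:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 52:54:00:12:34:56;
  client-hostname "laptop1";
}
lease 10.5.5.27 {
  starts 2 2024/01/02 09:00:00;
  ends 2 2024/01/02 21:00:00;
  binding state active;
  hardware ethernet 52:54:00:aa:bb:cc;
}
lease 10.5.5.28 {
  starts 2 2024/01/02 10:30:00;
  ends 2 2024/01/02 23:00:00;
  binding state active;
  hardware ethernet 52:54:00:aa:bb:cc;
  client-hostname "vm-build";
}
lease 10.5.5.27 {
  starts 2 2024/01/02 09:00:00;
  ends 2 2024/01/02 21:00:00;
  binding state free;
  hardware ethernet 52:54:00:aa:bb:cc;
}
lease 10.5.5.29 {
  starts 2 2024/01/02 10:45:00;
  ends 2 2024/01/02 23:30:00;
  binding state active;
  hardware ethernet 52:54:00:aa:bb:cc;
}
lease 10.5.5.30 {
  starts 2 2024/01/02 08:00:00;
  ends 2 2024/01/02 11:30:00;
  binding state active;
  hardware ethernet 52:54:00:de:ad:01;
}
"""

TIME_FMT = "%Y/%m/%d %H:%M:%S"


def parse_time(value):
    """'ends never' appears for infinite leases; everything else is a UTC timestamp."""
    return None if value == "never" else datetime.strptime(value, TIME_FMT)


def parse_leases(text):
    """Map address -> {mac, state, starts, ends, hostname}. Later entries for
    the same address replace earlier ones, as dhcpd intends."""
    leases, current, ip = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("lease ") and line.endswith("{"):
            ip = line.split()[1]
            current = {"mac": None, "state": None, "starts": None,
                       "ends": None, "hostname": None}
            continue
        if line == "}":
            leases[ip] = current
            current = None
            continue
        if current is None or not line.endswith(";"):
            continue
        tokens = line[:-1].split()
        if tokens[0] == "hardware" and len(tokens) == 3:
            current["mac"] = tokens[2].lower()
        elif tokens[:2] == ["binding", "state"]:      # 'next binding state' is skipped
            current["state"] = tokens[2]
        elif tokens[0] in ("starts", "ends"):
            # layout: starts <weekday> <date> <time>   or   ends never
            value = " ".join(tokens[2:]) if len(tokens) > 2 else tokens[1]
            current[tokens[0]] = parse_time(value)
        elif tokens[0] == "client-hostname":
            current["hostname"] = tokens[1].strip('"')
    return leases


def active_leases(leases, now):
    """Leases in binding state 'active' that have not expired at 'now'
    (a 'YYYY/MM/DD HH:MM:SS' UTC string, the same format as the file)."""
    now_dt = datetime.strptime(now, TIME_FMT)
    return {ip: l for ip, l in leases.items()
            if l["state"] == "active" and (l["ends"] is None or l["ends"] > now_dt)}


def macs_with_multiple_ips(active):
    """Hardware addresses that hold more than one active address at once."""
    by_mac = {}
    for ip, l in active.items():
        by_mac.setdefault(l["mac"], []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    active = active_leases(leases, "2024/01/02 12:00:00")
    for ip, l in sorted(active.items()):
        print(ip, l["mac"], l["hostname"], l["ends"])
    print("MACs with several active leases:", macs_with_multiple_ips(active))
```

On a live server the same check runs against /var/lib/dhcpd/dhcpd.leases with the current UTC time; a MAC that keeps collecting addresses while the range is small is the usual way a pool defined with `range` ends up with nothing left to offer.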


# man 5 dhcpd.conf
# man dhcpd.leases
# man dhcp-options
DHCP classes predefined classes rules
range IP

DHCP AND MICROSOFT WINDOWS

DHCP DHCP x9
].255.255.255.255 : [broadcast address
] [Microsoft client DHCPOFFER IP
. DHCP DHCP :
# route add --host 255.255.255.255 dev eth0
eth0 .
SET UP SYSTEM UTILIZATION REPORTS

.
RHEL 6 sysstat .
.top fdisk.df
] [system utilization reports
.
" " CPU
RAM HARD.NETWORK
df top fdisk sysstat
.
sysstat . log file
sadf log file .
. top :
.
swap space
. .
.


dstat dstat :

top .
THE SYSTEM STATUS SERVICE

] [system status service . sysstat


sysstat sysstat sysstat.ioconf /etc/sysconfig

sysstat log file .


] [log file :
/etc/sysconfig/sysstat.ioconf
sysstat /proc
partitionsdiskstats
sysstat.ioconf
. sysstat . /etc/cron.d
] [log file /var/log/sa
sysstat /etc/cron.d

.
sa1 1 1 .
-S DISK sar .swap space
sadd /var/log/sa dd .
.
sa2 ./var/log/sa
.


] [-A .sar
sar ][man sar
sardd /var/log/sa dd .
SAR
CV sar sadf ) sysstat
iostat (mpstat / ) atsar (atsadc . sar
/proc .
:

PREPARE A SYSTEM STATUS REPORT

sadf ] [log file


/var/log/sa
] [binary file ) sa10 (
.sadf
sadf :

.
activity10 .
sysstat .sar


sar .sadf man


sadf swap space
/var/log/sa/sa21

: man .
.EXAMPLES
d sadf ] [-- points to options
.sar
r n DEV .
.sar " "
.
sadf d
sa21 /var/log/sa/ .
] [-- points to options sar
sar / u
r dp block device sda n DEV
.
CONFIGURE A SYSTEM LOGGING SERVER

] [system admin I and II log


log .remotely [centralized log server] log log
.
logging client logging
server log ]. [logging client
rsyslog / . modules
log TCP / IP .514
rsyslog /usr/share/doc/rsyslog-4.6.2 .html
rsyslog :) (input) (output).(library
) (input module /
] [# /etc/rsyslog.conf
) (output module .
) (log data .
-1 log:
log ] [/etc/rsyslog:

$ModLoad imuxsock.so modules


] [$ModLoad imuxsock log.
imklog.so] [$ModLoad imklog .
immark.so # --MARK--
.
log file TCP 514 IP 192.168.122.1
:


UDP 514 IP
192.168.100.1 :
]* [*. .
:
authpriv, kern, and cron
:
debug, info, notice, warn, and so on
]@[ .UDP
]@@[ .TCP
: .
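As an added example (not from the guide or from the rsyslog project), the selector and action syntax described above can be checked offline with a small routing simulator. It assumes classic syslog selector semantics (`facility.priority` matches that priority and above, `=` exactly one priority, `!` and `none` exclude, parts applied left to right) and the `@host[:port]` for UDP and `@@host[:port]` for TCP actions with port 514 as the default; the configuration fragment and the server addresses are constructed for the example.

```python
# Ascending severity, as in syslog(3); rsyslog also accepts the aliases below.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Constructed sample /etc/rsyslog.conf rules (not the page's own file).
# The last two lines are client-side forwarding: @ is UDP, @@ is TCP.
SAMPLE_RSYSLOG_CONF = """
$ModLoad imuxsock
$ModLoad imklog
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
kern.crit                                  @192.168.100.1
*.*                                        @@192.168.122.1:514
"""


def prio_index(name):
    """Position of a priority in ascending order; '*' is the lowest, so
    'facility.*' matches every message."""
    name = ALIASES.get(name, name)
    return 0 if name == "*" else PRIORITIES.index(name)


def parse_action(text):
    """Forwarding targets or a local file. Hostnames and IPv4 literals only;
    bracketed IPv6 forms are not handled here."""
    if text.startswith("@@"):
        host, _, port = text[2:].partition(":")
        return ("tcp", host, int(port) if port else 514)
    if text.startswith("@"):
        host, _, port = text[1:].partition(":")
        return ("udp", host, int(port) if port else 514)
    return ("file", text)


def parse_rules(text):
    """(selector, action) pairs in file order; $-directives are not rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        selector, action = line.split(None, 1)
        rules.append((selector, parse_action(action.strip())))
    return rules


def selector_matches(selector, facility, priority):
    """'fac.prio' matches prio and above, '=prio' exactly that priority,
    '!prio' removes prio and above, 'none' removes the facility entirely.
    Parts separated by ';' are applied left to right, so later parts can
    take away what earlier ones granted."""
    msg = prio_index(priority)
    matched = False
    for part in selector.split(";"):
        facs, _, prio = part.partition(".")
        fac_list = facs.split(",")
        if "*" not in fac_list and facility not in fac_list:
            continue
        if prio == "none":
            matched = False
        elif prio.startswith("!"):
            if msg >= prio_index(prio[1:]):
                matched = False
        elif prio.startswith("="):
            if msg == prio_index(prio[1:]):
                matched = True
        elif msg >= prio_index(prio):
            matched = True
    return matched


def route(rules, facility, priority):
    """Every action that receives a message of this facility and priority,
    in configuration order."""
    return [action for selector, action in rules
            if selector_matches(selector, facility, priority)]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RSYSLOG_CONF)
    for fac, prio in [("authpriv", "info"), ("kern", "alert"), ("mail", "debug")]:
        print(f"{fac}.{prio} ->", route(rules, fac, prio))
```

The `*.*` line is the usual choice for a client that ships everything to the central server; note that it also forwards the mail and authpriv messages that the first rule keeps out of /var/log/messages, which is what you want from a log server that must not depend on the client's local filtering.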
-2 log server log:
] [log server . TCP UDP
514
/etc/rsyslog.conf TCP
.UDP

.log server imudp.so imtcp.so


TCP UDP TCP .UDP
514 log server
.TCP
TCP UDP :

.IP
TCP:
.
: .
$InputTCPMaxListeners
.20
session ) (200
$InputTCPMaxSessions
$InputTCPServerRun 514
LIMIT ACCESS TO SPECIFIED SYSTEMS

logging server .iptables


/etc/sysconfig/iptables IP TCP 514


THE NETWORK TIME PROTOCOL SERVICE (NTP)

synchronization
) logging server scan attack error message
application services(.
IPS logging server network discovery
.
) authentication server (Kerberos ticket
ticket ticket
NTP

Primary NTP server
secondary NTP Server clients
Secondary NTP server
clients load balance
NTP Peer

NTP Client

NTP server 16-1 1 16 Stratum
NTP Server
NTP server public NTP Server -1 internet
GPS NTP Server-2 internet
radio NTP Server -3 internet
Atomic clock-4 0.001 100/ internet
NTP server NTP server 3
NTP client NTP client .public NTP server
NTP server NTP ] [public NTP server
network traffic ) secondary NTP server(
. network traffic
[Figure: NTP stratum hierarchy. Stratum 1: GPS or atomic clock. Stratum 2: primary NTP server. Stratum 3: secondary NTP server.]

NTP 123 .UDP ] [daemon .ntpd


THE NTP SERVER CONFIGURATION

NTP /etc/sysconfig/clock
/etc/ntp.conf
NTP Server public NTP Server
: synchronization NTP Client
synchronization 10 .
-1 NTP :

[yum install ntp].


-2 /etc/ntp.conf .
driftfile :

restrict . NTP restrict


IPv4 restrict -6 .IPv6 .

restrict:

NTP " NTP peers "


nopeer . NTP noquery .
restrict NTP .

NTP .
NTP 192.168.122.0/24 restrict :

. NTP NTP
[master]
NTP NTP :

public NTP Server [server name_of_server_or_IP prefer]


prefer .
public NTP Server local time bios
stratum 5 client stratum 2
NTP server peer

Security Limits on NTP


restrict /etc/ntp.conf NTP.
.123 . NTP
(TCP) UDP .123
[# system-config-date]
NTP Server GUI

: /etc/ntp.conf NTP server NTP Client


NTP /etc/ntp.conf
-1 [# system-config-date] .
-2 [# ntpdate server_name]
: ntpdate ntpd .
ntpq .synchronization
./etc/ntp.conf ] [-p .

[# ntptrace server_name] .public NTP server

More File Sharing Services

THE NETWORK FILE SYSTEM (NFS) SERVER

.
. NFS vsftp . samba
NFS . .
.
NFS .
Sun Microsystems .1980
.
-1 access list (machine base) (IP base)
.
-2 access list .
Exported file system share
-3 services .NIS
-4
portmap NIS
.
-5
NFS . NFS
./etc/sysconfig/nfs
NFS (NFSv4) 4 .
. NFS
(ACLs).
NFSv4 . ACL IETF .sun
NFSv3 64 GB 2 .
NFSv4 .
NFS Open Network Computing Remote Procedure Call (ONC RPC).
RFCs . NFSv4
Remote Procedure Call (RPC) .rpcbind
NFS
./etc/sysconfig/nfs
NFS 4.1 (RFC 5661, 2010): clustered server
(pNFS) NFS.
.4.2
NFS
:

NFSv3 NFSv2
RPC :

rpcbind NFSv2
NFSv3:

RHEL6 : rpcbind portmapper RHEL5


rpcbind portmap . NFS
.

: NFS (Filesystems)
. (mount filesystem) / (remote client).
SELinux . NFS
(scripts) NFS .daemon .
scripts NFS:

NFS scripts runlevel.


scripts
:
# service script_name start
# chkconfig script_name on
NFS /etc/init.d/nfs
(Daemon service). (Daemon service) /bin /sbin
.

(Daemon service) rpc.statd .NFS

(NFS Control Commands and Files) NFS


NFS exports mounted
.
mount ./usr/sbin
NFS:
mount.nfs - mount.nfs4 - umount.nfs - umount.nfs4 - mount.nfs4 = mount -t nfs4
NFS:

ACL .nfs4_acl_tools Filesystem


(local mounted) .acl (nfs4_setfacl)
(nfs4_editfacl) (nfs4_getfacl).
/home acl NFS
nfs4_getfacl :

acl:
(Allow (A) - Deny (D)) : : file owner (OWNER, GROUP, or EVERYONE) : Permissions
. rwx
write (w) and append (a) .write
ACL [nfs4_setfacl -e filename]
. (mounted) NFSv4 remotely :
(vi editor) .
append write nfs4_getfacl
.

:
(r) read, (w) write, (x) execute, (a) append, (d) delete file or directory, (D) delete the subdir,
(t) read attributes of the file/directory, (T) write attributes of the file/directory, (c) read ACL, (C) write ACL,
(y) synchronize the file

NFS /etc/exports .
.exportfs -a
.
.
/etc/exports:

.
/etc/exports:
Directory(directory_options)
host(host_options)
Directory ( )
Host ( )
( ) IP Hosts DNS
IP
:
192.168.0.0/255.255.255.0 192.168.0.1 ip 192.168.0.254
(Classless Inter-Domain Routing (CIDR)) 192.168.0.0/24
(*) *.example.net
( )

-1 ro:
-2 rw: . .
-3 async: NFS cache .
-4 sync: NFS .
-5 no_root_squash: rw root
(rw) .
-6 root_squash: .no_root_squash
-7 insecure: .1024
-8 noaccess:
.

(/etc/exports) [exportfs -a].
/etc/init.d/nfs
[exportfs -r] ./etc/exports
( )
[exportfs -au] [exportfs -a].
NFS
/etc/exports [exportfs -v].
exportfs:

showmount:
. NFS :
# showmount 10.0.0.1
NFS .10.0.0.1
.
-1 [showmount -a]:
NFS .
-2 [showmount -e]:
NFS :
# showmount -e server1.example.com

-3 [showmount -d]:
NFS (mounted) client
# showmount -d server1.example.com

: .
SPECIAL REQUIREMENTS FOR /HOME DIRECTORIES

/home . . NFS
/home .
LDAP .kerberos
/home .
/etc/idmapd.conf NFS /home
. home nobody
.
:
Domain, Nobody-User, and Nobody-Group
domain nfsnobody .

[service rpcidmapd restart] NFS .
FIXED PORTS IN /ETC/SYSCONFIG/NFS

NFSv4 TCP 2049. UDP 111


.

2049 .NFSv4 111 RPC .


RHEL6 NFSv3 NFSv2.
NFSv4
. NFS ./etc/sysconfig/nfs
.
[service nfs restart].
./etc/sysconfig/nfs

rpcinfo .RPC

NFS SELINUX

SELinux boolean.
(file type) NFS:

(file type) boolean .

boolean SELinux Administration Tool NFS :

selinux boolean NFS:

QUIRKS AND LIMITATIONS OF NFS

/ NFS
Statelessness
NFS .stateless .NFS
NFS rpc.mountd .
(mount_request) .
("magic cookie") /.
stateless NFS NFS NFS
/ . (single user client)
NFS sync .
.

Absolute and Relative Symbolic Links


symbolic link .
. .
:
-1 .symbolic link
-2 NFS (link_relative) absolute link
relative link
.
Root Squash
NFS root_squash NFS
.NFS (USER ID = 0)
.nfsnobody
no_root_squash ./etc/exports
NFS .

.
:NFS Hangs
NFS stateless .
.
.
.
Inverse DNS Pointers
daemon NFS .
./etc/exports IP
DNS . .
NFS rpc.mountd .
" " request from unknown host ./var/log/messages
File Locking
NFS (mount) .
. .file-locking daemon
NFSv4 NFS .file lock
file lock NFS .

: NFS RPC (Remote Procedure Call).


rpc.statd ./etc/init.d/rpcbind
.rpcinfo -p
NFS FSTAB
NFS NFS ./etc/fstab
/etc/fstab /homenfs
nfsserv:/nfs/home NFSv4 (mount point)

soft timeo .NFS


[man nfs].
.

autofs .
Soft Mounting
soft . NFS
NFS soft NFS .
timeo .
/nfs/home 30 (timeo):

Diskless Clients
NFS Diskless Clients .
Diskless Clients (PROM) .
(/) swap /usr
/home /.
PROM DHCP TFTP .
NFS
NFS :
mountstats
Shows information about mounted NFS shares
nfsstat
Shows statistics of exported resources
nfsiostat
Shows statistics of NFS mounted shares
nfsstat:

THE VERY SECURE FTP SERVER

,,
FTP File Transfer Protocol
,
anonymous
.
FTP / vsftp .RHEL 6

vsftpd .FTP FTP


. FTP
. .

./etc/vsftpd
./etc/pam.d

FTP /etc/vsftpd :

.
ftpusers: ,,

user_list: , FTP
[userlist_deny=NO] .
.
vsftpd_conf_migrate.sh: . FTP
vsftpd.conf: FTP
.
FTP /etc/pam.d:

vsftp .TCP wrapper


man vsftpd.conf :


#vim /etc/vsftpd/vsftpd.conf
ftp_username . anonymous
anonymous user .ftp
/etc/passwd :

anonymous home
.ftp

anonymous anonymous_enable=YES
anonymous_enable=No
:FTP
a- user based: ftp user name password
b- Anonymous based: user ftp user name password
off security
upper case (lower case = upper case) lower case
vsftpd.conf .
anonymous .local_enable = NO :
anonymous [local_enable = YES]
.
(anonymous) write_enable=yes write_enable=no
anonymous local_enablewrite_enable
.NO
selinux Label. public_content_rw_t
.

(boolean) allow_ftpd_anon_write ftp_home_dir


. FTP
. umask
umask [local_umask=022].

anonymous (upload) (write) .FTP


(uploaded)
. anonymous .

anonymous
chown_username .nobody

.
.lftp

log upload download


/var/log/vsftpd.log

log /var/log/xferlog :

Log IP
:

FTP
FTP :
-1 20: file transfer (upload, download).
-2 21: control commands.
FTP 20 connect_from_port_20=YES

600 .
.

120 (resume)
.

[nonprivileged user nobody]


[user authentication database]
[user authentication database].

FTP FTP
.

how are you


h o w y (denial of service attack (DoS attack))
binary ascii

FTP anonymous

.

:
-1 home home .
-2 .
-3 .
ls -R .

vsftp IPv4 .IPv6 FTP


.

vsftpd.conf . (PAM)
.
.

[userlist_enable=YES] anonymous
user_list /etc/vsftpd
YES [userlist_deny=YES] YES
NO
.
TCP_WRAPPER .FTP
:
local_max_rate=100000
anon_max_rate=500000

CONFIGURE SELINUX SUPPORT FOR VSFTP

SELinux vsFTP file type .boolean


(file_types) FTP:

boolean vsFTP boolean section


.SELinux Administration tool

vsFTP boolean
-1 anonymous boolean
allow_ftpd_anon_write .public_content_rw_t
-2 NFS BOOLEAN
.allow_ftpd_full_access
-3 home .ftp_home_dir
PORTS, FIREWALLS, AND VSFTP

FTP . TCP .21


. :

. IP iptables
192.168.122.0/255.255.255.0:
tcp_wrappers=YES vsftpd.conf
TCP WRAPPER /etc/hosts.allow, /etc/hosts.deny
/etc/hosts.allow donna :tester1.example.com

/etc/hosts.deny
[ALL : ALL] /etc/hosts.deny
.TCP_WRAPPER
SAMBA
:
-1 [Samba Services] -2 [Samba as a Client]
-3 [Samba Troubleshooting]

SAMBA /
Common Internet File System (CIFS), Server Message Block (SMB)
.
Samba SMB .
SAMBA SMB
.CIFS SAMBA .Samba Web Administration Tool SAMBA
http://www.samba.org
][SAMBA SERVICES

: (CIFS) (SMB).
SMB s 1980 IBM .
SMB CIFS .
SAMBA client a member server PDC (primary Domain controller)
Member on AD (active directory) .
SAMBA 4 AD controller .
SMB NetBIOS .TCP / IP
:SAMBA
] [linux directory tree /
/
/
/
SAMBA
workgroup domain (client) (member server) .PDC
home . Windows Internet Name Service (WINS) (client) (server) .workgroup browse service samba .NT4 PDC .SAMBA . ACLs . :SAMBA
SAMBA:

[# yum groupinstall "CIFS file server"]


:SAMBA
.

/etc/sysconfig/iptables :

137 138 .
SAMBA :SELinux
SELinux (targeted mode)
.

boolean .qemu_use_cifs boolean


.
home :
# setsebool -P samba_enable_home_dirs 1
boolean samba_export_all_ro samba_export_all_rw
. label
. httpd_sys_content_t
label samba_share_t (file type).
label boolean samba_export_all_ro samba_export_all_rw
.
label :
# chcon -R -t samba_share_t /share
relabel SELinux file_contexts.local
/etc/selinux/targeted/contexts/files :
# semanage fcontext -a -t samba_share_t /share
(configuration)
(daemon) .
.
(daemon):
-1 Samba service daemon (smbd)
-2 NetBIOS name service (nmbd)
-3 Winbind (winbindd)
. ./etc/samba/smb.conf
] [smbd nmbd
winbindd /etc/samba/smb.conf .
smbd nmbd winbindd :/etc/sysconfig/samba

/etc/samba/smb.conf
[man smb.conf].
[#] [;] [#]
[;] .
:
[global]
option = value
[homes]
option = value
[printers]
option = value
[share]
option = value (Options / Values)
.

Global

SELinux .
:

-1 :Network-Related Options

: workgroup = MYGROUP
.windows workgroup_name NT_Domain_name
netbios name = MYSERVER
windows .Samba
server string = Samba Server
Samba [%v] .
interfaces =lo eth0 192.168.12.2/24 192.168.13.2/24

. eth0 loopback (lo) .IP address

hosts allow = 127. 192.168.12. 192.168.13.


.
IP 192.168.12.0 192.168.13.0 (127.) .
.
: [hosts deny] host-based
security. ( )
[hosts allow] [hosts deny] .
-2 :Logging Options

log file = /var/log/samba/log.%m


[log file] Samba %m .
max log size = 50

log file .
-3 :Standalone Server Options

security = share
share .
:security
-1 user: client domain controller (PDC).
-2 domain: member server domain
.DC
.

-3 ads: member server .active directory


-4 server: client .DC
-5 share: peer to peer .
-6 anonymous: .
passdb backend = tdbsam
(authentication database)
smbpasswd .tdbsam
smbpasswd ./etc/samba tdbsam
Trivial Database Security Accounts Manager ./var/lib/samba
(remotely) LDAP [passdb backend = ldapsam].
-4 :Domain Members Options

security domain
server IP
.
password server = <NT-Server-Name>
security ads .Active Directory
realm = MY_REALM
-5 :Domain Controller Options

(domain controller). security user


domain master :domain
; domain master = yes
; domain logons = yes
.
.

add user script delete group user


.
.

-6 :Browse Control Options

browser master domain controller browse


master browser master client work group
domain preferred master
.
-7 :Name Resolution

NetBIOS. IP
Windows Internet Name Service (WINS) DNS .
[wins support = yes] WINS .
WINS (remotely) w.x.y.z
IP .
: wins support wins server .
. [wins proxy = yes]
.
dns proxy = No
DNS
-8 :Printing Options

.
printcap name [printcap name = /etc/printcap].
cups options = raw
.cups
printcap name = lpstat
.
-9 :Filesystem Options

extended attributes (ACL) .


.
map archive = no
(the DOS file archive attribute)
(executable bit) .create mask
.
map hidden = no
.
.

map read = no
(map read only) (mounted media) .dvd
map system = no
yes .
store dos attributes = yes
ACL :DOS
Shared Samba Directories :
/etc/samba/smb.conf .
-1 Shared homes:

Home
comment = Home Directories
.
read only = No
.
browseable = no
home . home .
home /etc/passwd .
guest ok = no
.
hosts allow.hosts deny
-2 Shared Printers:

:
comment = All Printers
.
path = /var/spool/samba
(Spool).
browseable = yes
.
guest ok = yes
) ( .
print ok = yes
.
printable = yes
.cups
shared directory .
-3 Domain Logons:
[netlogon]
.Microsoft Windows workstations
[netlogon] workstation
.
.

-4 Workstation Profiles:
. profile .Microsoft Windows workstations profile
(Microsoft Windows registry) .workstation

-5 Group Directories:
/home/samba
.stuff .
/home/samba .

SELinux:

-6 Other Sample Stanzas:


.
/tmp .
(public = yes) (read only = no) .

.Fred
home :

:
path = /usr/somewhere/private
.
valid users = fred
.
[Let Samba Join a Domain] (domain)
DC .Domain
DC . Domain :
# net rpc join -U root
Domain DC :
# net rpc join -S DC -U root
root .Domain Domain
.administrator Domain
. DC ./etc/passwd
THE SAMBA USER DATABASE

.
.
.
./etc/samba/smbusers :smb.conf
username map = /etc/samba/smbusers
. smbpasswd
.
.
(valid login shell):
# useradd winuser1 -s /sbin/nologin
:
# smbpasswd -a winuser1

(authentication database)
.passdb backend smbpasswd ./etc/samba/smbpasswd
tdbsam passwd.tdb ./var/lib/samba/private
[pdbedit -L].

./etc/samba/smb.conf

.
:
-1 / [PublicShare]
(authentication database) .LDAP
.

-2 / guest users.
-3 Domain .example.com
-4 .outsider1.example.org
guest ok = no .guest ok = yes
Domain example.com
hosts allow = .example.com
EXCEPT :
hosts allow = .example.com EXCEPT evil.example.com
:
hosts deny = evil.example.com
IP hosts allow.hosts deny
smb.conf
777 sticky bit .
THE SAMBA WEB ADMINISTRATION TOOL

(RHEL6) .
SWAT
.samba-swat
RHEL 6 DVD .
.RHCE
SWAT ./etc/xinetd.d
:
http://127.0.0.1:901
:

root :

swat global global


smb.conf :

(Basic):
-1 Base Options
workgroup:
.windows workgroup_name NT_Domain_name
realm:
(Kerberos realm) .Domain DNS
.server1.example.com (kerberos client).
netbios name:
windows Samba .DNS
netbios aliases:
windows.
server string:
Samba [%v] .
Interfaces:

. eth0 loopback (lo) .IP address

-2 Security Options
(global) .
.

security
SERVER - ADS - DOMAIN - SHARE - USER
guest account
(nonprivileged account) .
invalid users
.valid users
admin users
.
read list
.
write list
.
Hosts allow
.hosts deny
.
Share Settings
GLOBALS SHARES swat
.smb.conf :

Choose Share
.Create Share
homes Change View To .Advanced
.

comment
.
path
.
username
.
force user
.
force group
.
read only
.
guest ok
(guest) .
guest only
(guest) .
Server Status:
STATUS .swat
NetBIOS .Winbind
.

swat ./etc/samba/smb.conf VIEW .


.
User Management
(Samba user authentication database) . swat
PASSWORD .swat
.

.
. .smbpasswd
.
michael :
# smbpasswd michael
doona :
# smbpasswd -a doona

TEST CHANGES TO /ETC/SAMBA/SMB.CONF

smb.conf .
testparm .

. .
] [home .

testparm
Tests the syntax of the main config file for issues
Syntax: testparm [options] <config file> [hostname] [host IP]
Options:
-s
Suppresses the prompt
-v
Provides verbose output (shows the default options)
.

REVIEW USER- AND HOST-BASED SAMBA SECURITY

RHCE " ) (host-based security


) "(user-based security .
) (user-based security .smb.conf
/var/lib/samba
.smbpasswd
-

(user-based security) smb.conf


[security = user] valid users .
.invalid users global setting
.
(host-based security) smb.conf
.iptables hosts allow hosts deny .
hosts allow :
.

: valid users
invalid users .
.
SAMBA AS A CLIENT

(client):
-

(client) .
(client) .

(samba client) .samba-client


.
.smbclient
SMB .
smbclient
.
:
/ .smbclient [-L]
[-U] .
.
public donna OfficePrinter
Maui:

smbclient FTP :
.
Mount Options
/ (mounted) .
mount.cifs [mount -t cifs].
public : /home/shared
.

donna . /
server1.example.com . donna
home :

.umount
automount
Automated Samba Mounts
-

/etc/fstab :

/etc/fstab .
credentials file :
(credentials file):
/etc/smbdonna
. automounter .
:
Workgroups Domains Broadcast
# smbtree -b

. Enter
.

WORKGROUP
.SERVER ROOT
(root) .
# smbtree -b -U ROOT
..


# smbclient -L //SERVER -U ROOT
Mount mount.cifs ./etc/autofs

Samba TROUBLESHOOTING

.
.testparm (log files)
. .
. writable
.writeable testparm .
"."unknown parameter

. testparm
:

.
. .mount.cifs :

.
log file
/var/log/messages
./var/log/samba
testparm ./var/log/messages
.
IP . .

:log.__ffff_127.0.0.1
smbstatus :
Syntax: smbstatus [options]
Options:
-p
Shows processes only
-L
Shows locks only
-v
Provides verbose output
-S
Shows shares only
.

Electronic Mail Servers

THE ELECTRONIC MAIL SERVER


.
.
.
Sendmail Dovecot . postfix
Dovecot . .

.
Fetchmail Dovecot postfix sendmail Procmail .
sendmail RHEL5 RHCE
Simple Mail Transfer Protocol (SMTP) Postfix RHEL6
.Sendmail
SMTP . (ESMTP
Extended SMTP).

SMTP .
/ client/server .

. SMTP
.
user@host.domain
host.domain SMTP TCP 25 ( )
SMTP .telnet SMTP "" "
. POP3 .IMAP
RHEL sendmail Sendmail (capital S).
RHEL Dovecot .
POP3 (Post Office Protocol), POP3S (the secure version), IMAP (Internet Message Access Protocol),
IMAPS (the secure version).
:
-1 SPAM:
.
(SPAM)
(junk mail) " " . "multi-postage abusif" SPAM:
Adult (25%)
Financial (22%)
Products (13%)
Internet (9%)
Health (10%)
Scams (7%)
Other (5%)
Spiritual (5%)
Leisure (6%)
-2 SCAM:
. .
. .
.
-3 HOAXES: !

jdbgmgr.exe

.

(HOAXES !!
.

: postfix sendmail
/ postfix sendmail
.
MTA, MDA, MUA: The mail user agent (MUA).
. . MUA
Evolution, Thunderbird. The mail delivery agent (MDA).
.MUA the mail transfer agent (MTA)
.

Mail Transfer Agent (MTA)


Postfix or sendmail
(outbound service) forwarding relaying
(smart_host_communication) MTAs aliases .spool
Postfix sendmail .
Dovecot


POP3 (Post Office Protocol, version 3) and IMAP4 (Internet Message Access Protocol, version 4)
Mail User Agent (MUA)
.mutt, Evolution, Thunderbird
Mail Submission Agent (MSA)
.MTA
.

Mail Delivery Agent (MDA)


.
Procmail

.
Simple Mail Transfer Protocol (SMTP)
POP3 SMTP IMAP4
.
LMTP SMTP SPAM
.SMTP
POP3 (POST OFFICE PROTOCOL)
MTA/MDA MUA
EMAIL .
IMAP (INTERNET MESSAGE ACCESS PROTOCOL)
MTA/MDA MUA header
MUA .
sendmail postfix " ) " (E-mail server yum
rpm .
Spamassassin ("E-mail server").

alternatives
alternatives [--config] postfix . sendmail
alternatives SMTP :

alternatives mta:
mta :

alternatives :chkconfig

service .mta
GENERAL USER SECURITY

SMTP
SMTP .
SMTP ./var/log/maillog :
-

sendmail.postfix
.

SMTP .25 iptables


source subnet .25
iptables:
SELinux SMTP boolean Postfix

(Testing an E-Mail Server)


:
THE CONFIGURATION OF POSTFIX

postfix sendmail . postfix


[smart host] .
postfix [.cf] . postmap
access access.db .postmap

#gedit virtusertable
#postmap virtusertable
postfix master . master
(nqmgr, pickup, smtpd).
-

nqmgr relay .delivery


pickup .
smtpd .

postfix:
[mailq]: (mail queue) * ! .
[postmap]: (lookup table) .Postfix
[postsuper]: . postfix
[postconf]: .postfix
./etc/postfix postconf .
postfix .main.cf 700 .
man (#) postfix:

-1 :access
.
man [man 5 access] (limits)
access [pattern action] : :
192.168.122.50 OK
server1.example.com OK
192.168.100 REJECT
example.org REJECT
joe@porno.com REJECT
Pattern IP Domain action OK REJECT .
access (user-based security) (host-based security)
postfix . iptables
-2 canonical, generic:
[alias file] .
Domain . canonical .
generic . NAT .
[pattern result] :
( ):
Michael
michael@example.com
domain:
@example.org @example.com
[@example.org] Domain [@example.com].
access canonical generic postmap
.
# postmap canonical
# postmap generic
# postmap access
-3 relocated:
. :
john@example.com john@example.net
-4 transport:
(smart host).
.

example.com SMTP postfix


:server1.example.com
example.com smtp:server1.example.com
smart host:
SMTP
.
. SMTP-AUTH POP .SMTP
-5 virtual:
elizabeth@example.com
:
elizabeth@example.com root
elizabeth@example.com
root .
master.cf main.cf
[master.cf] .master
[main.cf] .postfix
main.cf

.postfix 700
. . postfix :
(postfix queue) postfix
.queue_directory
postfix .
Postfix .master.cf daemon_directory .
Postfix ) (data file .
(#) main.cf
.mail_owner
#
.postfix
(domain name) IP Domain .

POSTFIX .origination domain


.jana.com

. localhost
all .

postfix IPv4 .IPv6

mydestination: Domain .Postfix


.postfix . domain names
(sendmail's /etc/mail/sendmail.cw) Domain
.
(FQDN)
:

mynetworks: (trusted network) .postfix



[postconf -n].

postconf:
[-a] [plug-in] SASL.
[-d] .
[-e] .main.cf
[-n] .
[-v] .verbose
:
(authentication) main.cf
postfix :
.

[postfix check] main.cf .


.
THE /ETC/ALIASES CONFIGURATION FILE

Postfix (aliases) Domain. ./etc/aliases


/etc/aliases main.cf /etc/aliases
(sendmail) /etc/aliases.db :postfix
/etc/aliases (current mapping) .
(sendmail) newaliases postfix aliases
. aliases
Domain . :/etc/aliases
newaliases .
helpdesk@example.com .
THE MASTER.CF CONFIGURATION FILE

: . master.cf postfix SMTP .


.587
(smart host) relay .
.Secure SMTP
:
[service]: .
[type]: .
[private]: .postfix
[unpriv]: .
[chroot]: (mail queue) .chroot
[wakeup]: .
[maxproc]: .
[command]: .

subservices
.
: telnet postfix [telnet localhost 25]
:

POSTFIX (CONFIGURE POSTFIX AUTHENTICATION)

/ postfix .
main.cf :postfix
/ SASL .Postfix

/ .anonymous
/ .Microsoft outlook express
postfix /

mynetworks .postfix
postfix :

Configure Incoming E-Mail


postfix
.main.cf :postfix

Configure a Relay through a Smart Host


(smart host) SMTP
SMTP . (smart host) :relayhost
.

(smart host) outsider1.example.org


main.cf:
(smart host).
./etc/aliases
(root) michael
/etc/aliases:

THE OTHER SMTP SERVICE: SENDMAIL

: SMTP SMTP .RHEL5


./etc/mail/ .macros
. macros
.
:sendmail
sendmail /etc/mail/sendmail.cf ./etc/mail/submit.cf sendmail.cf
1800
(#) submit.cf .
rulesets sendmail (spam filter)
. .
/etc/sendmail.mc
. (macros) sendmail.cf .
sendmail.mc make/ .sendmail.cf
(sendmail.mc) 200
( ) .sendmail
/etc/mail
sendmail [service sendmail reload].
m4 " sendmail sendmail
sendmail.mc . sendmail m4
m4 sendmail.cf ".
(CONFIGURATION FILES)

sendmail [.db]
.
-1 access:
(access control) .
(host name) :
.

REJECT: . DISCARD: REJECT . RELAY: .
-2 aliasesdb-stamp:


(.db).
-3 domaintable:
mapping Domain .
jana.com .noreen.com mohammed@jana.com
mohammed@noreen.com:
jana.com
noreen.com
-4 helpfile:
sendmail [telnet localhost 25].
-5 local-host-names:
(host name) (aliases) sendmail Domain
.
-6 mailertable:
.DNS
-7 makefile:
/ .sendmail.mc
-8 sendmail.cf:
.sendmail
-9 sendmail.mc:
sendmail.cf.
-10 spamassassin/:
.SPAM
/etc/procmailrc procmail .
-11 statistics:
sendmail .binary mailstats
.
-12 submit.cf:
.
-13 submit.mc:
submit.cf.
-14 trusted-users:
.
-15 virtusertable:
. sendmail
.Domain
: sendmail .sendmail-cf
.sendmail.mc virtusertable:
postfix sendmail [.db].
/etc/mail /etc/mail/make .
/etc/aliases newaliases/ .Postfix
SENDMAIL.MC

sendmail.mc sendmail .
.
divert:

dnl [#]
dnl . sendmail [divert(0)dnl]
.divert

include cf.m4 sendmail-cf:


include make ) (.mc
. sendmail.mc make m4
sendmail.cf
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
make .m4
sendmail.mc (`) (backtick) back quote
(') single quote.
VERSIONID: .
OSTYPE: .
define:
/ . sendmail.mc
ALIASES_FILE (/etc/aliases) (e-mail aliases)
procmail PROCMAIL_MAILER_PATH
/ (authentication) .confAUTH_OPTIONS
-

sendmail
define.

define SMART_HOST
:

define .sendmail aliases procmail


/.

define /
telnet
define .

/:

SSL / TLS sendmail


:

define .LDAP

define sendmail .
timeout .

FEATURE:
sendmail
(submission_protocol). sendmail
(587).
FEATURE
(smrsh) sendmail:

FEATURE domain
trusted-users local-host-names :

.
(host-based security)
/etc/mail/access .

SMTP
.
DAEMON_OPTIONS sendmail .
dnl.
sendmail.mc .
sendmail submission 587 :

(TLS) sendmail
SMTP .465
IPv6 .
IPv4.IPv6
FEATURE sendmail domain IP DNS
(accept_unresolved_domains). .SPAM
MX record .DNS .
.
domain .

MASQUERADE .domain

MAILER .

SUBMIT.MC

.
make ./etc/mail
/ (NIS)
.
IPv6

:
sendmail .
sendmail.mc DAEMON_OPTIONS
dnl
Addr=127.0.0.1 :
DNS FEATURE sendmail
(accept_unresolved_domains):

.
.access :
access
Connect:example.com        RELAY
Connect:10.0.0             RELAY
Connect:192.168.0          RELAY
Connect:jana.example.com   RELAY
FORWARD domain
RELAY /etc/mail/access IP REJECT
make /etc/mail m4 :
#service sendmail restart
#chkconfig sendmail on
: . local-host-names
Configure sendmail to Relay E-Mail to a Smart Host
sendmail (smart host)
.

sendmail (Configure User-Based and Host-Based sendmail Security)

(user-based security) ./etc/mail/access


(host-based security) .TCP WRAPPER

sendmail
postfix telnet sendmail:
# telnet localhost 25
:

:
# mail -s "test email" root < /etc/hosts
DOVECOT MAILBOX SERVER


2002 Timo Sirainen
:
-

mbox.maildir
.
.
Bug .
Cluster.NFS
.
1000.

:
MTA (Mail Transfer Agent) Postfix
SMTP MTA domain
MTA MTA
Postfix.
MDA Mail Delivery Agent Dovecot
Dovecot
Dovecot Thunderbird
. Postfix
MTA Postfix, MDA Dovecot
Dovecot :
mbox, maildir:
POP3, POP3S, IMAP4, IMAP4S and LMTP protocols
IMAP4: TCP port 143
POP3: TCP port 110
IMAP4S: TCP port 995
POP3S: TCP port 993
LMTP: TCP port 24 (this is similar to the SMTP protocol for sending mail)
Dovecot:
# yum install dovecot
/etc/dovecot/ ./etc/dovecot/dovecot.conf
dovecot dovecot
.
POP3S IMAP4S .
POP
Post Office Protocol (POP)
.pop .
MTA .
POP . POP .POP3
(POP) TCP
. (IMAP)
: ( ) .
:IMAP
IMAP IMAP4 (Internet Message Access Protocol)
143 .
. IMAP 4 IMAP4 POP3
.
POP IMAP .
IMAP .
IMAP
POP
gmail
.
Dovecot:
Dovecot
/etc/dovecot/ :
.dovecot.conf
1000
/etc/dovecot/conf/
.

.
dovecot.conf Root .vi /etc/dovecot/dovecot.conf :
protocols = pop3 imap
IMAPS POP3S IMAP .POP3
(IP) IP
. IP .
. :

POP3S IMAP4S :
:

mail_location
./etc/dovecot/conf.d/10-mail.conf dovecot
.
.

Dovecot :
# service dovecot start
# chkconfig dovecot on
dovecot :
# service dovecot status
# chkconfig --list dovecot
Dovecot Secure Certificates:
./etc/pki/dovecot
/etc/pki/dovecot/dovecot-openssl.cnf:

[req_dn] ./etc/pki/dovecot/dovecot-openssl.cnf
( ) dovecot.pem :
/etc/pki/dovecot/certs
/etc/pki/dovecot/private
.

mkcert.sh /usr/share/doc/dovecot-versionnum/examples/
:
# /usr/share/doc/dovecot-versionnum/examples/mkcert.sh
dovecot:
mutt Dovecot .user01

SQUIRRELMAIL FOR WEBMAIL

.
(EPEL repo) :
http://fedoraproject.org/wiki/EPEL

# yum install squirrelmail
:
http://squirrelmail.org/docs/admin/admin-3.html
SquirrelMail
.PHP IMAP SMTP.HTML 4.0
SquirrelMail .
MIME .

Miscellaneous
ISCSI
- : devices (limitation 2).
IDE 2 device .4 device 24
SATA device .24
fiber hard channel . SCSI
SCSI:
-1 hardware SCSI ----------------- figure 1-1

[figure 1-1: Server with Adaptor connected to SCSI or SATA disks]
SCSI = Small Computer System Interface
-2 software SCSI: iSCSI, IP addressing . figure 1-2
[Figure 1-2: Storage server (Target) shares its hard disks over the network; on the Initiator servers they appear as block devices (3 HD, 5 HD).]
figure 1-2 8 block device


block device folder block device block file
.block
.initiator
.target
target initiator physical .IP address
targetinitiator
-1 target
target .

[root@localhost ~]# yum install scsi-target-utils
[root@localhost ~]# vim /etc/tgt/targets.conf
targets.conf- : (/dev/sdc) initiator (iqn.2008-09.com.example:target-name)
iqn (iscsi qualified name) target
target initiator .

targets.conf
RESTRICTION

RESTRICTION (logical unit number) lun no.



.
(incominguser user_name password) .
-2 :

3260
share :
[root@localhost ~]# tgtadm --mode target --op show

-2 initiator
initiator [root@localhost ~]# yum install iscsi-initiator-utils
[root@localhost ~]# vim /etc/iscsi/iscsid.conf
iscsid.conf node.session.auth.authmethod = CHAP
node.session.auth.username_in = username_in
node.session.auth.password_in = password_in
target initiator IP addressing .

[root@localhost ~]# iscsiadm -m discovery -t sendtargets -p 192.168.126.134
target
Result: 192.168.126.134:3260 ,1 iqn.2013-01.com.mostaf:datastore1
[root@localhost ~]# iscsiadm -m node -o show

# iscsiadm --mode node --targetname iqn.2001-05.com.doe:test --portal 192.168.1.1:3260 --login

target.initiator
[root@localhost ~]# service iscsid start
fdisk -l (shared hard disk) [root@localhost ~]# cat /proc/partitions
partition session [root@localhost ~]# iscsiadm -m session -o show
software scsi limitation hardware scsi 8-10 G fiber optic channel
server OS sharing HD HPA SCSI
iscsi :
# iscsiadm --mode node --targetname iqn.2001-05.com.doe:test --portal 192.168.1.1:3260 --logout

/etc/fstab _netdev
NETWORK INTERFACE CONFIGURATION BONDING


bonding .channel bonding interface
Virtual (IP)
.Network Bonding/Teaming
:
https://www.kernel.org/doc/Documentation/networking/bonding.txt

1. (high bandwidth)
2. / (Redundancy/resilience)


# ethtool -p eth0 30
30.
bond .slave
bonding mode:
mode . 0 1 2
. )balance-rr (round robin
[Mode 0 (balance-rr)]: (round robin)
slave . (load balancing and fault tolerance).
[Mode 1 (active-backup)]:
. (fault tolerance).
[Mode 2 (balance-xor)]: .XOR
[(Source MAC address is XORed with destination MAC address) modulo slave count] slave
.MAC (load balancing and fault tolerance).
[Mode 3 (broadcast)]: .slave ( )
(fault tolerance).
[Mode 4 (802.3ad)]: (Dynamic Link Aggregation mode)
(aggregation group) .duplex
.IEEE 802.3ad Dynamic link
[Mode 5 (balance-tlb)]: Adaptive transmit load balancing traffic
.slave slave . .
[Mode 6 (balance-alb)]: . Adaptive load balancing mode
.receive load balancing (rlb) + balance-tlb .
.

:
Virtual bond0:
# vim /etc/sysconfig/network-scripts/ifcfg-bond0
IP Netmask :Gateway
DEVICE=bond0
ONBOOT=yes
USERCTL=no
TYPE=Ethernet
BOOTPROTO=none
IPADDR=192.168.1.2
NETMASK=255.255.255.0
NETWORK=192.168.1.0
GATEWAY=192.168.1.1
BONDING_OPTS="mode=1 miimon=50"
:
-1 Bond0:
eth0 :
# vim /etc/sysconfig/network-scripts/ifcfg-eth0
:
DEVICE=eth0
BOOTPROTO=none
TYPE=Ethernet
ONBOOT=yes
HWADDR=xx:xx:xx:xx:xx:xx
MASTER=bond0
SLAVE=yes
:eth1
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
HWADDR=xx:xx:xx:xx:xx:xx
MASTER=bond0
SLAVE=yes
bond0 Master
Slave
eth0 eth1
Packet

- MAC Address .


mode 1 fault tolerance - - -
-Active .-Backup-
. .

Modules :/etc/modprobe.d/bonding.conf
:
bonding

bond0

alias

[BONDING_OPTS="mode=1 miimon=50"] ifcfg-bond0


options bond0 miimon=50 mode=1
bond0 bonding
50 miimon
Fault tolerance .mode=1
.

Step 4: restart networking and verify:
#service network restart
ifconfig now shows bond0 together with its slaves. To check which slave is active and which is the backup:
#cat /proc/net/bonding/bond0
Output:
Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 50
Up Delay (ms): 0
Down Delay (ms): 0
Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: xx:xx:xx:xx:xx:xx
Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: xx:xx:xx:xx:xx:xx
(The polling interval shown is the miimon value configured above; Link Failure Count increases every time a slave loses link.)
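A practitioner usually wants a script, not an eyeball check, to tell whether the bond is degraded. The following is an added example and is not part of the original guide: shell functions that parse the /proc/net/bonding/bond0 format shown above and report the active slave, the per-slave state and whether any slave is down. The status text is a constructed sample with one slave down, not output captured from a real host; on a live system call the functions on "$(cat /proc/net/bonding/bond0)".

```shell
#!/bin/bash
# Constructed sample of /proc/net/bonding/bond0 for mode=1 (not captured from a real host).
BOND_STATUS='Ethernet Channel Bonding Driver: v3.6.0
Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 50
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: down
Link Failure Count: 3
Permanent HW addr: 52:54:00:aa:bb:01

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 52:54:00:aa:bb:02'

# Print the slave that currently carries traffic.
bond_active_slave() {   # $1 = status text
    printf '%s\n' "$1" | awk -F': ' '/^Currently Active Slave:/ { print $2; exit }'
}

# Print "iface mii-status link-failures", one line per slave.
# The bond-level "MII Status" line comes before any "Slave Interface" line,
# so it is ignored because iface is still empty at that point.
bond_slave_report() {   # $1 = status text
    printf '%s\n' "$1" | awk -F': ' '
        /^Slave Interface:/         { iface = $2 }
        /^MII Status:/ && iface     { st = $2 }
        /^Link Failure Count:/      { print iface, st, $2 }'
}

# Return 0 if every slave is up, 1 otherwise (down slaves are listed on stderr).
bond_check() {   # $1 = status text
    local down
    down=$(bond_slave_report "$1" | awk '$2 != "up" { print $1 }')
    if [ -n "$down" ]; then
        echo "WARNING: bond slave(s) down: $down" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: report on the constructed sample.
bond_slave_report "$BOND_STATUS"
bond_check "$BOND_STATUS" || echo "bond is degraded, active slave: $(bond_active_slave "$BOND_STATUS")"
```

Run it from cron or a monitoring agent; a non-zero exit from bond_check means the redundancy the bond was built for is already gone, even though the IP still answers.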
Repo Configuration
Examples of /etc/yum.repos.d/*.repo Configuration
Ex#1
[GLS]
name=Instructor GLS Repo
baseurl=ftp://instructor.example.com/pub/gls
gpgcheck=0
Ex#2
[base]
name=Instructor Server Repository
baseurl=http://instructor.example.com/pub/rhel6/dvd
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Note: gpgcheck=0 disables RPM signature verification, so the gpgkey line in Ex#2 is never used and every package from that repo is installed unverified. Outside a lab set gpgcheck=1 and point gpgkey at the vendor key, as in Ex#3.
EX#3 - Configure your server to use a separate Yum repo to obtain updates
# vi /etc/yum.repos.d/updates.repo
[Updates]
name=updates Server
baseurl=ftp://instructor.example.com/pub/rhel6/Errata
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
# yum update
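Added example, not from the original guide: a shell audit over .repo files that flags the weak settings discussed above: gpgcheck disabled (or enabled without a gpgkey to check against) and a baseurl fetched over unauthenticated ftp/http, where tampered repository metadata can hold a client on old, vulnerable packages even when the packages themselves are signed. The repo text is a constructed sample; audit_repo_dir scans a real directory (default /etc/yum.repos.d).

```shell
#!/bin/bash
# Constructed sample of two repo definitions (not from a real system).
REPO_SAMPLE='[GLS]
name=Instructor GLS Repo
baseurl=ftp://instructor.example.com/pub/gls
gpgcheck=0

[Updates]
name=updates Server
baseurl=https://instructor.example.com/pub/rhel6/Errata
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1'

# Print "repoid finding" for every repo section that is configured unsafely.
# Findings: gpgcheck-not-enabled, gpgkey-missing, plaintext-transport.
audit_repos() {   # $1 = contents of a .repo file
    printf '%s\n' "$1" | awk '
        function flush() {
            if (id == "") return
            if (gpgcheck != "1")      print id, "gpgcheck-not-enabled"
            else if (gpgkey == "")    print id, "gpgkey-missing"
            if (url !~ /^(https|file):/) print id, "plaintext-transport"
        }
        # a new [section] starts: report the previous one, reset state
        /^\[.*\]$/ { flush(); id = substr($0, 2, length($0) - 2); gpgcheck = ""; gpgkey = ""; url = ""; next }
        /^gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); gpgcheck = $0 }
        /^gpgkey[ \t]*=/   { sub(/^[^=]*=[ \t]*/, ""); gpgkey = $0 }
        /^baseurl[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); url = $0 }
        END { flush() }'
}

# Audit every *.repo file in a directory, prefixing each finding with the file name.
audit_repo_dir() {   # $1 = directory (default /etc/yum.repos.d)
    local dir="${1:-/etc/yum.repos.d}" f
    for f in "$dir"/*.repo; do
        [ -r "$f" ] || continue
        audit_repos "$(cat "$f")" | sed "s|^|$f: |"
    done
}

# Stand-alone use: audit the constructed sample.
audit_repos "$REPO_SAMPLE"
```

With gpgcheck=1 the packages are still verified over ftp/http, so plaintext-transport is a lower-severity finding than gpgcheck-not-enabled; a repo that raises both is installing whatever the network delivers.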
Basic yum Commands
1. yum list >>display installed and available pkgs (cf. rpm -q)
2. yum search KEYWORD
3. yum info PKGNAME >>cf. rpm -qi
4. yum install PKGNAME
5. yum update PKGNAME
6. yum remove PKGNAME

RPM
$ rpm -q -a >>all installed PKGS
$ rpm -q PKGNAME >>is PKGNAME installed, and which version
$ rpm -q -p PKGFILE.rpm >>query a package file that is not installed
$ rpm -q -f /path/to/FILENAME >>which pkg provides FILENAME
$ rpm -q -c PKGNAME >>list config files (--configfiles)
$ rpm -q -d PKGNAME >>list just the doc files (--docfiles)
$ rpm -q --scripts PKGNAME >>pre/post install scripts (read them before installing a package from an untrusted repo)
$ rpm -q -l PKGNAME >>files included in PKG
Network Management
Network Configuration Files
/etc/sysconfig/network-scripts/ifcfg-* >>IP address and subnet mask
/etc/sysconfig/network & /etc/sysconfig/network-scripts/ifcfg-* >>routing / default gateway
/etc/sysconfig/network >>hostname
/etc/sysconfig/network-scripts/ifcfg-* & /etc/resolv.conf - or - /etc/hosts >>name resolution
Network Commands
$ ip addr show eth0
$ ip -s link show eth0
$ ip route
$ ifup eth0
# vi /etc/sysconfig/network-scripts/ifcfg-*
Static:
BOOTPROTO=static
IPADDR=
PREFIX=24
GATEWAY=
DNS1=
DHCP:
BOOTPROTO=dhcp
Any:
DEVICE=eth0
ONBOOT=yes
HWADDR=
NM_CONTROLLED=yes
To keep DHCP from overwriting the name servers in /etc/resolv.conf at every lease renewal or reboot, add to the ifcfg file:
PEERDNS=no
Aliases
- Assign multiple addresses to a single interface.
- When to disable NetworkManager? When configuring aliases and bonding.
There are three basic steps to adding an alias IP:
1- # service NetworkManager stop ; chkconfig NetworkManager off
2- Interactively add the alias:
# ip addr add 10.1.1.250/24 dev eth0 label eth0:0
# ip addr show eth0
Persistently add the alias by creating /etc/sysconfig/network-scripts/ifcfg-eth0:0
DEVICE=eth0:0
IPADDR=10.1.1.250
PREFIX=24
ONPARENT=yes
3- restart network services
# service network restart

Bonding
- bind multiple network interfaces together into a single channel
Using: the bonding kernel module & a channel bonding interface
Identify an eth card by command:
# ethtool -p eth0 30 >>blink the LEDs on eth0 for 30 seconds
Bonding Modes
Mode 0 (balance-rr, round robin policy): packets are transmitted in round robin fashion through all slaves; any slave can receive
Mode 1 (active-backup): only one slave interface is in use at a time, but if it fails another slave takes over
Mode 3 (broadcast): all packets are broadcast from all slaves
Example - (Active - Backup) Configuration
. /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
IPADDR=10.1.1.250
PREFIX=24
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="mode=1 miimon=50"
. /etc/sysconfig/network-scripts/ifcfg-<slave name> (e.g. ifcfg-eth0), one file per slave
DEVICE=<name>
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no
. /etc/modprobe.d/bonding.conf
alias bond0 bonding
Tuning Kernel Network Parameters
. Kernel parameters live under /proc/sys/
. sysctl
- Example: disable ping replies
# sysctl -a | grep icmp >>net.ipv4.icmp_echo_ignore_all = 0
# grep -A5 icmp /usr/share/doc/kernel-doc-*/Documentation/networking/ip-sysctl.txt >>documentation of the parameter
# sysctl -w net.ipv4.icmp_echo_ignore_all=1 >>runtime only, lost at reboot
- or, persistently:
# echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
# sysctl -p >>re-reads /etc/sysctl.conf and applies the setting immediately
Storage Management
# fdisk -cul /dev/vda >>-c switches off DOS-compatible mode, -u displays the output in sectors, -l lists the partition table
# fdisk -cu /dev/vda >>n>>p>>3>>w>>reboot (new primary partition 3, write, reboot so the kernel re-reads the table)
Create new Filesystem
# mkfs -t ext4 /dev/vda3
# blkid /dev/vda3 >>get the UUID of the filesystem
# mkdir /mountpoint
# vi /etc/fstab
UUID=<uuid> /mountpoint ext4 defaults 1 2
# mount /mountpoint
Remove an Existing Filesystem
# umount /mountpoint
# vi /etc/fstab >>delete its line
# rmdir /mountpoint
Create a New Encrypted Volume
1. # fdisk -cu /dev/vda >>create a new partition
2. # cryptsetup luksFormat /dev/vdaN >>writes the LUKS header and asks for a passphrase; all existing data on the partition is lost
3. # cryptsetup luksOpen /dev/vdaN name (ex. luks-data) >>unlocks the encrypted volume as /dev/mapper/name (/dev/mapper/luks-data)
4. # mkfs -t ext4 /dev/mapper/name
5. # mkdir /secret ; mount /dev/mapper/name /secret
6. # umount /dev/mapper/name ; cryptsetup luksClose name >>locks the encrypted volume
7. # vi /etc/crypttab >>one line: mapper name, source device, key file (or "none" to prompt for the passphrase at boot), options
name /dev/vdaN none luks
- or -
name /dev/vdaN /path/to/keyfile luks
8. # vi /etc/fstab
/dev/mapper/name /secret ext4 defaults 1 2
9. Automatic entry of the encryption key at boot >>put a key in a file, add it as an extra LUKS key slot and reference it in /etc/crypttab:
- echo "your_password" > /root/encdisk
- chown root /root/encdisk
- chmod 600 /root/encdisk
- cryptsetup luksAddKey /dev/vda3 /root/encdisk
Caveat: anyone who can read the key file can unlock the disk, so it only protects data against the disk being removed, not against a compromised running system; keep it mode 600 on the root filesystem. The echo above also leaves the passphrase in the shell history; a random key generated from /dev/urandom is preferable to a typed password.
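Added example, not from the original guide: instead of echoing a typed password into /root/encdisk, generate a random key file from /dev/urandom with the right permissions from the start (umask, not a chmod after the fact) and verify it before handing it to cryptsetup luksAddKey. The path /root/luks.key and the size of 4096 bytes are assumptions; cryptsetup itself is not run here.

```shell
#!/bin/bash
# Generate a random LUKS key file readable only by its owner (root when run as root).
# Refuses to overwrite an existing file so a key already enrolled in a LUKS slot
# is never silently replaced.
make_luks_keyfile() {   # $1 = path, $2 = size in bytes (default 4096)
    local path="$1" size="${2:-4096}"
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing key file $path" >&2
        return 1
    fi
    # umask 077 inside a subshell: the file is created 0600 and nothing else is affected
    ( umask 077 && head -c "$size" /dev/urandom > "$path" ) || return 1
    keyfile_ok "$path" "$size"
}

# Return 0 only if the file is exactly $2 bytes and mode 600.
keyfile_ok() {   # $1 = path, $2 = expected size (default 4096)
    local path="$1" size="${2:-4096}" mode
    [ -f "$path" ] || return 1
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    [ "$(wc -c < "$path")" -eq "$size" ] && [ "$mode" = "600" ]
}

# Stand-alone use (assumed path; adjust to taste):
#   make_luks_keyfile /root/luks.key && cryptsetup luksAddKey /dev/vda3 /root/luks.key
#   then in /etc/crypttab:  name /dev/vdaN /root/luks.key luks
```

Because the key is 4096 random bytes rather than a passphrase, it cannot be guessed offline from the LUKS header; the only way to get it is to read the file, which is why the mode check matters.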
Manage Swap
1. #fdisk -cu /dev/vda >>n>>t>>Number>>82>>w>>reboot (create a new partition and change its type to 82 = Linux swap)
2. #mkswap /dev/vdaN
3. #blkid /dev/vdaN
4. #vi /etc/fstab
UUID="----" swap swap defaults 0 0
5. #swapon -a
6. #swapon -s >>show the status of the swap partitions
- remove a swap partition
# swapoff /dev/vdaN >>then delete its line from /etc/fstab
Accessing iSCSI Storage
iSCSI initiator: a client that needs access to raw SAN storage
iSCSI target: a remote hard disk presented from an iSCSI server, or "target portal"
iSCSI target portal: a server that provides targets over the network to an initiator
IQN: "iSCSI Qualified Name"; each initiator and target needs a unique name to identify it
To access a new target with an iSCSI initiator
1- Install the iSCSI initiator software:
iscsi-initiator-utils
2- Set the initiator's IQN in
/etc/iscsi/initiatorname.iscsi
3- Discover the iSCSI targets provided by the iSCSI server (target portal)
# iscsiadm -m discovery -t st -p 192.168.0.254
4- Log in to one or more iSCSI targets on the server
# iscsiadm -m node -T iqn.2010-09.com.example:lun1 -p 192.168.0.254 -l
5- Identify which device is the iSCSI target
# ls -l /dev/disk/by-path/*iscsi* & check service iscsi status
6- #vi /etc/fstab >>use the UUID, not /dev/sdX (the name can change between boots), and _netdev so the mount waits for the network
UUID="----" /mountpoint ext4 _netdev 0 0
7- Ensure the iscsi and iscsid services will start - chkconfig
#vim /var/lib/iscsi/nodes/<node name>/<portal>/default >>node.startup = automatic
Remove iSCSI disks
1- Remove the partition from /etc/fstab
2- Log out of the iSCSI target
# iscsiadm -m node -T iqn.2010-09.com.example:lun1 -p 192.168.0.254 -u
3- Delete the local record (the node entry under /var/lib/iscsi/nodes/)
Logical Volume Management
Implement LVM
1. #fdisk -cu /dev/vda >>n>>p>>3>>+512M>>t>>3>>8e>>w>>reboot (partition type 8e = Linux LVM)
2. #pvcreate /dev/vda3
3. #vgcreate VG_name /dev/vda3
4. #lvcreate -n LV_name -L 256M VG_name
5. #mkfs -t ext4 /dev/VG_name/LV_name
6. #vim /etc/fstab
7. #mount -a
Extend a Logical Volume
1. #vgdisplay VG_name >>determine the amount of free space in the VG
2. #lvextend -l +50 /dev/VGNAME/LVNAME >>add 50 extents
   - or - #lvextend -l +50%FREE /dev/VGNAME/LVNAME >>add half of the free space in the VG
   - or - #lvextend -L +50G /dev/VGNAME/LVNAME >>add 50 GB (-L 50G without the + sets the total size to 50 GB)
3. #resize2fs /dev/VGNAME/LVNAME >>grow the filesystem online to fill the LV
Reducing a Filesystem and Logical Volume
(shrink the filesystem first, never below the space it uses, and back up first: the order matters)
1. #umount /data
2. #fsck -f /dev/mapper/vgname-lvname
3. #resize2fs -p /dev/mapper/vgname-lvname 512M >>the filesystem becomes 512 MB
4. #lvreduce -L 512M /dev/mapper/vgname-lvname >>the LV must not become smaller than the filesystem
5. #mount -a
Extending and Reducing a Volume Group
- Extend a Volume Group
1. #fdisk -cu /dev/vda >>n>>e>>n>>+512M>>t>>5>>8e>>w>>reboot (extended partition, then logical partition 5 of type 8e)
2. #pvcreate /dev/vda5
3. #vgextend VGNAME /dev/vda5
4. #vgdisplay VGNAME (check size and free space)
5. #lvdisplay
- Reduce a VG
1. #pvmove /dev/vdaN >>relocate any physical extents used on /dev/vdaN to other physical volumes in the VG
2. #vgreduce vgname /dev/vdaN
Account Management
#cat /etc/shadow
username:$1$QsDZWIXg$FoREiKhX6bhLp19JnzttL1:15614:0:99999:7:::
1. $1$ identifies the hashing algorithm: 1 = MD5-crypt (weak; RHEL 6 defaults to $6$ = SHA-512, $5$ = SHA-256)
2. QsDZWIXg - the salt mixed into the hash
3. FoREiKhX6bhLp19JnzttL1 - the password hash (a one-way hash, not an encryption: the password cannot be recovered from it)
The remaining fields: last change (days since 1970-01-01), min days, max days, warn days, inactive days, expiry date, reserved
#chage -m 0 -M 90 -W 7 -I 14 username
-m: min days - -M: max days - -W: warn days - -I: inactive days - -d: last change date (YYYY-MM-DD) - -E: expiration date (YYYY-MM-DD)
#chage -l username >>list the user's current settings
#chage -d 0 username >>force a password change at next login
Examples#
#chage -M 90 -I 30 -E 2012-09-30 -d 0 username >>account expires at 2012-09-30; password must be changed at next login
#usermod >>modify account attributes (lock/unlock, shell, groups, expiry)
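Added example, not from the original guide: shell functions that parse /etc/shadow lines as described above and report accounts with an empty password, a weak MD5-crypt ($1$) or DES hash, or no password expiry. The shadow lines are constructed with fake hashes, not real credentials. On a live RHEL 6 host run audit_shadow as root on "$(cat /etc/shadow)"; the fix for $1$ hashes is authconfig --passalgo=sha512 --update followed by a forced change with chage -d 0, since existing hashes are only re-hashed when the user next sets a password.

```shell
#!/bin/bash
# Constructed sample /etc/shadow content (fake hashes, not real credentials).
SHADOW_SAMPLE='alice:$6$saltsalt$N0tAReAlHaSh0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789ab:15614:0:90:7:::
bob:$1$QsDZWIXg$FoREiKhX6bhLp19JnzttL1:15614:0:99999:7:::
carol::15614:0:99999:7:::
daemon:*:15614:0:99999:7:::
dave:!!:15614:0:99999:7:::'

# Classify the second shadow field by its crypt prefix.
hash_algo() {   # $1 = password field
    case "$1" in
        '')        echo "EMPTY" ;;              # no password at all: login without one
        '!'*|'*'*) echo "LOCKED" ;;             # locked / no valid password
        '$1$'*)    echo "md5crypt" ;;
        '$5$'*)    echo "sha256crypt" ;;
        '$6$'*)    echo "sha512crypt" ;;
        '$2'*)     echo "bcrypt" ;;
        *)         echo "descrypt-or-unknown" ;; # 13-char DES hash or something unexpected
    esac
}

# Print "user finding" lines for accounts that need attention:
#   empty-password, weak-hash:<algo>, no-expiry:max=<days> (max > 90 and not locked)
audit_shadow() {   # $1 = shadow file content
    printf '%s\n' "$1" | while IFS=: read -r user pw last min max warn inact expire flag; do
        [ -n "$user" ] || continue
        algo=$(hash_algo "$pw")
        case "$algo" in
            EMPTY)              echo "$user empty-password" ;;
            md5crypt|descrypt*) echo "$user weak-hash:$algo" ;;
        esac
        if [ "$algo" != "LOCKED" ] && [ "${max:-99999}" -gt 90 ]; then
            echo "$user no-expiry:max=$max"
        fi
    done
}

# Stand-alone use: audit the constructed sample.
audit_shadow "$SHADOW_SAMPLE"
```

System accounts show up as LOCKED and are skipped, so the report only lists accounts that can actually log in with a password.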
ACL
#getfacl file
#setfacl -m u:user:rw filename >>grants rw to user
#setfacl -m g:group:rw filename >>grants rw to group
#setfacl -x u:user filename >>removes the existing ACL entry for user
#ls -ld file >>the group permission bits shown reflect the ACL mask, not the owning group's rights
#setfacl -m d:u:user:rw directory >>default ACL, inherited by files created in the directory
- ACL mount option: #tune2fs -l /dev/block-dev | grep 'Default mount'
Default mount options: user_xattr acl
to turn on acl support
#tune2fs -o acl,user_xattr /dev/block-dev
Example#1
setfacl -m g:2group:r-x dir
setfacl -m d:g:2group:r-x dir
#chmod 2770 /dir - or - #chmod g+s /dir >>setgid on a directory: new files inherit its group
Example#2
#mkdir /opt/research
#chgrp grads /opt/research
#chmod 2770 /opt/research
#setfacl -m g:profs:rwx /opt/research
#setfacl -m g:interns:r-x /opt/research
#setfacl -m d:g:profs:rwx /opt/research
#setfacl -m d:o::--- /opt/research
Authentication Management
- Network authentication using LDAP
Packages: openldap, nss-pam-ldapd (nss_ldap on older releases), openldap-clients
#system-config-authentication
User Account Database: LDAP
LDAP Search Base DN: dc=domain,dc=com
LDAP Server: FQDN of the LDAP server
Check the box "Use TLS to encrypt connections"
Add the URL that points to the CA certificate file (ldapcertificate.pem); normally this file is published on a web server
(https://internal.webserver.com/ldapcertificate.pem). Fetch it over https or copy it by hand: a CA certificate downloaded over plain http or ftp can be swapped by anyone on the path, which defeats the TLS check it is meant to anchor.
Authentication Method: LDAP password
#mkdir /home/guests
#vim /etc/auto.master
/home/guests /etc/auto.guests
#vim /etc/auto.guests
* -rw,soft,rsize=8192,wsize=8192 serverX:/home/guests/&
#/etc/init.d/autofs reload
vim /etc/sysconfig/autofs and uncomment the LDAP section to let autofs read its maps from LDAP
- check that the sssd service is running; edit /etc/sssd/sssd.conf [ enumerate = True ], #service sssd restart
- getent passwd username >>verify the account info being used
Kerberos Configuration
. Kerberos realm - the set of machines that all use the same KDCs (Kerber os authentication servers) for authentication.
. KDC - Key Distribution Center - central servers that store the Kerberos passwords and issue Kerberos tickets
. Kerberos admin server - server that allows remote administration of the KDC database
#yum groupinstall -y directory-client
#yum install -y openldap-clients
#yum install -y krb5-workstation
On the command line, Kerberos handles authentication and LDAP supplies only the account information, so LDAP authentication is disabled (--disableldapauth) while LDAP lookups stay enabled:
#authconfig --enableldap --ldapserver=instructor.example.com --enableldaptls --ldaploadcacert=ftp://instructor.example.com/pub/example.crt --ldapbasedn="dc=example,dc=com" --disableldapauth --enablekrb5 --krb5kdc=instructor.example.com --krb5adminserver=instructor.example.com --krb5realm=EXAMPLE.COM --enablesssd --enablesssdauth --update
(the realm name is case-sensitive and conventionally upper case; note that the CA certificate above is fetched over ftp, which is unauthenticated, so verify it out of band)
#getent passwd ldapuserX
#ssh ldapuserX@serverX
Troubleshooting System Security Services Daemon (SSSD)
- look in /var/log/sssd
- modify /etc/sssd/sssd.conf to increase the information logged: debug_level=10
Network Mounting Home Directories
1. #showmount -e nfsserver.domain
2. #getent passwd username
3. #vi /etc/auto.master
/home/guests /etc/auto.guests
4. #vi /etc/auto.guests
ldapuser1 -rw instructor.example.com:/home/guests/ldapuser1
ldapuser2 -rw instructor.example.com:/home/guests/ldapuser2
ldapuser3 -rw instructor.example.com:/home/guests/ldapuser3
- or, one wildcard line for all users:
* -rw instructor.example.com:/home/guests/&
Due to a bug in the autofs package, use "service autofs reload" instead of "service autofs restart"
INSTALLATION, KICKSTART AND VIRTUALIZATION
Create a kickstart file by modifying a template: /root/anaconda-ks.cfg (the file anaconda writes for the current installation)
Kickstart file sections
%packages (packages and yum group list)
%pre (script that runs before the installation starts)
%post (script that runs after the installation completes)
#system-config-kickstart (kickstart GUI tool)
#ksvalidator file.ks (check kickstart file syntax)
#yum whatprovides '*bin/ksvalidator'
#yum install -y pykickstart
#ksvalidator ~/projman.cfg
Publish the file over http so the installer can fetch it:
#yum install -y httpd
#service httpd start
#chkconfig httpd on
#chmod 644 ~/projman.cfg
#cp ~/projman.cfg /var/www/html
(a kickstart file usually contains the root password hash and may contain clear-text passwords, so serve it only on the installation network)
KVM (Kernel-based Virtual Machine)
#grep flags /proc/cpuinfo >>should include svm (AMD-V) or vmx (Intel VT-x), plus lm (long mode, 64-bit)
#virt-manager
#virsh start VMname
#virsh shutdown VMname >>graceful (ACPI) shutdown
#virsh destroy VMname >>hard power-off
#virsh console VMname >>connect to the console of a VM
#virsh autostart VMname
#virsh list --all
Boot Management
#cat /boot/grub/grub.conf >>second stage of GRUB
#who -r >>view current runlevel
#init <runlevel> >>change runlevel
#vi /etc/inittab >>change the default runlevel
What is the order of startup from powering on to login prompt? 9 steps:
1. BIOS/UEFI
2. Hard disk
3. MBR
4. GRUB: /boot/grub/grub.conf
5. Kernel loaded by GRUB
6. init (first Linux process)
7. init reads /etc/inittab to see which runlevel to load (say it's 3 here)
8. on "startup": run /etc/init/rcS.conf, then send the runlevel event; on "runlevel": rc.conf runs /etc/rc.d/rc 3, which runs the numbered links in /etc/rc.d/rc3.d/ (symlinks to /etc/init.d) in order, then sends the rc event
9. on "rc": start-ttys.conf and prefdm.conf start the consoles / display manager; services are up and the login prompt appears
If you end up at the grub> prompt, how can you find the partition with the /boot directory (2 ways)?
find /grub/grub.conf
root
Result: (hd0,0)
cat (hd0,0)/grub/grub.conf

How do you boot without a grub.conf file?
Run root to find the location, e.g. (hd0,0), then:
kernel (hd0,0)/ ([Tab] to complete the kernel file name, then add ro root=/dev/mapper/vg_humu-lv_root)
initrd (hd0,0)/ ([Tab] to complete the ramdisk name)
boot
What happens?
Once the kernel is running, it starts init. The init program is responsible for completing the boot process by
starting all other non-kernel system processes.
With Upstart, init starts "jobs" when various "events" happen, such as when the system boots, we enter a
runlevel, or another init job starts or stops. These jobs are stored as scripts in the /etc/init/ directory.
At boot, the startup event causes init to run the /etc/init/rcS.conf job, which:
Runs /etc/rc.d/rc.sysinit to start LVM, mount and check file systems, set the system clock, and do other
housekeeping.
Looks in /etc/inittab to find the runlevel.
Sends an event to init telling it to enter that runlevel.
The runlevel event causes init to run the /etc/init/rc.conf job, which runs the /etc/rc.d/rc script with the
desired runlevel as an argument:
Example: rc.conf runs rc 5, which runs /etc/rc.d/rc5.d/K* stop and then /etc/rc.d/rc5.d/S* start.
The scripts are run in numeric order, first the K's and then the S's.
The /etc/rc.d/rc5.d/ entries are symlinks to the scripts in /etc/init.d used by service.
Whether a link starts with a K or an S depends on whether the service has been turned on or off with
chkconfig
Repairing Boot Issues (reinstall the GRUB boot loader into the MBR)
[root@serverX ~]#grub
grub> root (hd0,0)
grub> setup (hd0)
grub> quit
Repairing Damaged Filesystem
[root@serverX ~]#umount /dev/vda1
[root@serverX ~]#fsck /dev/vda1
[root@serverX ~]#mount /dev/vda1
When system cannot mount filesystems
1.remount the root file-system read-write:
(Repair filesystem 1)#mount -o remount,rw / >>check /etc/fstab and /etc/crypttab
(Repair filesystem 2)#mount -a
(Repair filesystem 3)#exit
SELINUX MANAGEMENT
[root@serverX ~]#vi /etc/sysconfig/selinux >>set SELINUX= to enforcing, permissive or disabled (applies at boot; the file is a symlink to /etc/selinux/config)
[root@serverX ~]#ls /selinux/booleans >>the booleans; each is enabled or disabled by writing 1 or 0
[root@serverX ~]#getsebool -a >>display the booleans
[root@serverX ~]#setsebool -P <boolean> on|off >>modifies the SELinux policy; -P makes the change persistent
[root@serverX ~]#semanage boolean -l|grep httpd_enable_homedirs
SELinux pkgs:
policycoreutils pkg provides >>restorecon
policycoreutils-python pkg provides >>semanage
[root@serverX ~]#chcon -u system_u -t httpd_sys_content_t /vhosts/ >>changes the context now, but the change is lost at the next restorecon or relabel; use semanage fcontext for a persistent rule
[root@serverX ~]#getenforce
[root@serverX ~]#setenforce 0 - or - 1
0 permissive
1 enforcing
[root@serverX ~]#ps -axZ
[root@serverX ~]#ps -ZC httpd

[root@serverX ~]#ls -Z /var/www
[root@serverX ~]#ls -dZ /var/www/
[root@serverX ~]#semanage fcontext -l >>list the persistent file context rules
[root@serverX ~]#restorecon -Rv /var/www/ >>relabel according to those rules
Example: add a context for a new directory
mkdir /virtual
touch /virtual/index.html
ls -Zd /virtual/
ls -Z /virtual/
semanage fcontext -a -t httpd_sys_content_t '/virtual(/.*)?'
restorecon -RFvv /virtual/
ls -Zd /virtual/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /virtual/
ls -Z /virtual/
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
Monitor SELinux Violations
the setroubleshoot-server pkg should be installed
[root@node1 ~]# sealert -a /var/log/audit/audit.log >>produces reports for all denials recorded in that file
FIREWALL Management
[root@serverX ~]#iptables -L
[root@serverX ~]#vi /etc/sysconfig/iptables >>iptables rules loaded by the iptables service at boot
[root@serverX ~]#less /proc/net/ip_conntrack >>connection tracking table
IP forwarding
1-activate now:
[root@serverX ~]#echo "1" > /proc/sys/net/ipv4/ip_forward >>IPv4
[root@serverX ~]#echo "1" > /proc/sys/net/ipv6/conf/all/forwarding >>IPv6
2-persist across reboots: [root@serverX ~]#vim /etc/sysctl.conf : net.ipv4.ip_forward = 1
Configure a Routing Table
[root@serverX ~]#route -n >>check the IPv4 routing table
[root@serverX ~]#route -A inet6 -n >>check the IPv6 routing table
[root@serverX ~]#route add default gw 10.0.48.1 dev eth0
[root@serverX ~]#route -A inet6 add default gw <ipv6 gateway> dev eth0
Configure a static route (persistent)
- /etc/sysconfig/network-scripts/route-eth0
default via 10.0.48.1 dev eth0
Netfilter
Chain: a list of rules
built-in chains: INPUT, OUTPUT, FORWARD
policy / "target": ACCEPT, DROP, REJECT, LOG
table: a set of chains used for a particular purpose (filter, nat, mangle)
[root@serverX ~]#cat /etc/sysconfig/iptables
Iptables options
[root@serverX ~]#iptables -vnL --line-numbers
[root@serverX ~]#iptables -N NEW-CHAIN >>create a new chain
[root@serverX ~]#iptables -A CHAIN <rule> -j <target> >>add a rule to the end of the chain
[root@serverX ~]#iptables -I CHAIN # <rule> -j <target> >>insert the rule as rule number # in the chain
[root@serverX ~]#iptables -D CHAIN # >>delete rule # from the chain
[root@serverX ~]#iptables -F CHAIN >>delete all rules from the chain
[root@serverX ~]#iptables -F >>flush every chain of the default (filter) table; chain policies are not changed
[root@serverX ~]#iptables -X >>delete all empty user-defined chains (built-in chains are not touched)
[root@serverX ~]#iptables-save >>prints the running rules (redirect to /etc/sysconfig/iptables) - or - service iptables save >>rules not saved are lost at reboot
Rules commands
[root@serverX ~]#iptables -s 192.168.0.0/24 >>source IP or network

[root@serverX ~]#iptables -d 10.0.48.1 >>destination IP or network
[root@serverX ~]#iptables -p udp --sport 68 --dport 67 >>udp/tcp and source/destination ports
[root@serverX ~]#iptables -i eth0 >>inbound interface
[root@serverX ~]#iptables -o eth0 >>outbound interface
[root@serverX ~]#iptables -m state --state ESTABLISHED,RELATED >>state tracking
-state tracking stores info about all connections (NEW, ESTABLISHED, RELATED, INVALID)
Example:[root@serverX ~]#cat /root/bin/resetfw.sh
#!/bin/bash
# Set INPUT chain default policy to DROP (everything not matched below is dropped)
iptables -P INPUT DROP
# Flush all rules in the filter table (the policy set above survives the flush)
iptables -F
# ACCEPT all packets from the lo interface
iptables -A INPUT -i lo -j ACCEPT
# ACCEPT all ESTABLISHED,RELATED packets (replies to connections this host opened)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ACCEPT all NEW connections to tcp port 22
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# REJECT all other packets from 192.168.1.0/24 (rules are matched in order: because the
# SSH rule sits above this one, that network can still open SSH; move this line up to block it too)
iptables -A INPUT -s 192.168.1.0/24 -j REJECT
# ACCEPT all icmp traffic from 192.168.0.0/24
iptables -A INPUT -p icmp -s 192.168.0.0/24 -j ACCEPT
Network Address Translation - NAT = Masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
POSTROUTING: allows altering (changing) the source IP address after the routing decision
MASQUERADE: rewrites the source to the IP of the outgoing interface (the gateway IP); use it when that IP is dynamic, SNAT when it is fixed
The DNAT target causes the destination IP to be changed to the address given by the --to-destination option:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.254
With the above rule every TCP/80 connection arriving at this router, whatever website was requested, is redirected to 192.168.0.254
examples
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.1
iptables -t nat -A PREROUTING -i eth0 -m tcp -p tcp --dport 89 -j DNAT --to-destination 192.168.0.100:8989
The DNAT target can only be used in the PREROUTING chain and the OUTPUT chain of the nat table
To enable forwarding persistently across reboots add net.ipv4.ip_forward = 1 to /etc/sysctl.conf and run
sysctl -p
NTP Server Configuration
Public ntp servers are available at www.pool.ntp.org
Main parameters in /etc/ntp.conf: server, peer, and restrict
[root@serverX ~]#/etc/init.d/ntpd status
[root@serverX ~]#system-config-date >>gui window
configure the firewall to let NTP packets in (UDP 123)
iptables -I INPUT -p udp --dport 123 -j ACCEPT
[root@serverX ~]#ntpq -p >>monitor NTP synchronization
[root@serverX ~]#vim /etc/ntp.conf >>add several ntp servers; ntpd compares all of them and selects the best, and "prefer" marks the server that wins when candidates are otherwise equal (it does not average the four)
server 0.it.pool.ntp.org prefer
server 1.it.pool.ntp.org
server 2.it.pool.ntp.org
server 3.it.pool.ntp.org
[root@serverX ~]#service ntpd restart

check the ntp port
[root@serverX ~]#netstat -nulp | grep :123 >>-u because ntp is udp
[root@serverX ~]#netstat -ntlp | grep :<port> >>for tcp ports
System Logging Service
Report commands
df -h
iostat -kN 2 10 >>I/O status report, 10 samples every 2 sec (-k in KB, -N shows LVM device names)
vmstat 2 10 >>memory/swap report, 10 samples every 2 sec
rsyslogd >>log service
/etc/rsyslog.conf
Log messages have 2 characteristics that are used to sort them:
(facility "indicates what kind of message it is", priority "indicates the importance of the event being logged")

Priority   | Meaning
-----------+-----------------------------------
emerg      | system is unusable
alert      | immediate action required
crit       | critical condition
err        | error condition
warning    | warning condition
notice     | normal but significant condition
info       | informational messages
debug      | debugging messages

Configure a remote logging service
1-configure rsyslog on the remote log server to accept log msgs:
uncomment the TCP and UDP lines in the modules section of /etc/rsyslog.conf
# provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514
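The page shows only the receiving side. As an added example that is not part of the original guide, here is the matching client-side forwarding rule together with a sender restriction on the server, so that the listener just opened on port 514 does not accept (and store) log lines from every host that can reach it. The host name logserver.example.com and the network 192.168.0.0/24 are assumptions.

```conf
# --- client: appended to /etc/rsyslog.conf ---
# Forward every facility/priority over TCP (@@). A single @ would use UDP,
# which loses messages under load and is trivially spoofable.
*.* @@logserver.example.com:514

# --- server: modules section of /etc/rsyslog.conf, before the Run directives ---
$ModLoad imtcp.so
# Only these senders are accepted; everything else on port 514 is discarded.
$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24
$InputTCPServerRun 514
# Pair it with a firewall rule that limits the port to the same network:
#   iptables -I INPUT -p tcp --dport 514 -s 192.168.0.0/24 -j ACCEPT
```

Restart rsyslog on both sides (service rsyslog restart) and confirm with logger -t test "hello" on the client that the line appears in /var/log/messages on the server.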
DHCP Server "Dynamic Host Configuration Protocol"
[root@serverX ~]#yum search dhcp
[root@serverX ~]#yum install dhcp
[root@serverX ~]#vim /etc/dhcp/dhcpd.conf >>empty by default
start from the sample shipped with the package, /usr/share/doc/dhcp*/dhcpd.conf.sample
[root@serverX ~]# cp /usr/share/doc/dhcp*/dhcpd.conf.sample /etc/dhcp/dhcpd.conf
[root@serverX ~]#vim /etc/dhcp/dhcpd.conf
option domain-name "amr.com";
option domain-name-servers 8.8.8.8;
default-lease-time 600; >>a client keeps its IP for 10 min, then asks to renew it
max-lease-time 7200; >>the longest lease a client may request
#authoritative;
subnet 192.168.126.0 netmask 255.255.255.0 {
  range 192.168.126.80 192.168.126.120;
  option routers 192.168.126.2;
}
# Fixed IP address for a specific host
host Example-Server {
  hardware ethernet 00:0C:29:78:2D:FD;
  fixed-address 192.168.126.5;
}

[root@serverX ~]#service dhcpd restart
[root@serverX ~]#netstat -nulp | grep :67 >>dhcp server port
[root@serverX ~]#vim /var/lib/dhcpd/dhcpd.leases >>contains info about all dhcp clients
The Client Side
[root@ClientX ~]#pkill dhclient
[root@ClientX ~]#dhclient -v eth0 >>start the dhcp client on eth0
[root@ClientX ~]#cat /etc/resolv.conf
search amr.com
nameserver 8.8.8.8
Network File Server NFS
nfs-utils-lib-*.rpm
[root@serverX ~]#vim /etc/exports >>take care about the directory permissions; the export options add to them, they do not replace them
/data/ 192.168.0.1(ro)
/data2/ 192.168.0.5(rw)
/data3/ 192.168.0.0/24(rw) >>share with the whole network
/data3/ example.com(rw) >>for a domain
/var/ftp/pub 192.168.0.0/24(ro,sync) >>share with all hosts on the network, read-only
- any time /etc/exports is edited, execute
#exportfs -r >>to ensure the changes are applied
#exportfs -v >>display all exports
port 2049/TCP >>for nfsd
ports for rpcbind, rpc.mountd, lockd and rpc.rquotad must be open on the server
- the rpcbind service replaces portmap
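Added example, not from the original guide: a shell audit of /etc/exports that prints the entries a reviewer would question: shares exported to every host (*), rw exports to a whole network range, and no_root_squash (which lets root on any client act as root on the exported files). The exports text is a constructed sample; on a server run audit_exports "$(cat /etc/exports)".

```shell
#!/bin/bash
# Constructed /etc/exports sample (not from a real server).
EXPORTS_SAMPLE='# lab exports
/data        192.168.0.1(ro)
/data2       192.168.0.5(rw,no_root_squash)
/data3       192.168.0.0/24(rw) example.com(rw)
/var/ftp/pub *(ro,sync)
/backup      *(rw,no_root_squash)'

# Print "path client finding" for each risky export entry.
# Findings: world-exported, no_root_squash, rw-to-broad-range.
audit_exports() {   # $1 = exports file content
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {         # each remaining field is client(options)
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {
                    opts   = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "*")
                    print path, client, "world-exported"
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    print path, client, "no_root_squash"
                if (opts ~ /(^|,)rw(,|$)/ && (client == "*" || client ~ /\/[0-9]+$/))
                    print path, client, "rw-to-broad-range"
            }
        }'
}

# Stand-alone use: audit the constructed sample.
audit_exports "$EXPORTS_SAMPLE"
```

An entry that raises all three findings, like /backup above, is writable as root by anyone who can reach port 2049; NFSv3 authentication is the client's word about its UID, so the host list is the only access control there is.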
To mount an NFS file system on a client
mount -t nfs nfsserver:/exported-fs /mount-point
- nfsserver is the NFS server's hostname or IP.
#vi /etc/fstab
nfsserver:/exports /mount-point nfs defaults 0 0
Client-side NFS mount options
- rw, ro
- vers=4: try to mount using the specified NFS version only
- soft: report an error instead of hanging when the server does not answer; the user can add timeo=<value>, where <value> is the time in tenths of a second to wait before the error is reported
File Sharing With CIFS
1. Graphical access to a CIFS share
using nautilus >>Places >> Connect to Server
service type: Windows share
Server: serverX
Share: winuserX
Domain Name: CLASSX
2. Command line ftp-style access to a CIFS share: smbclient
[root@serverX ~]#smbclient -L server.example.com -U winuserX >>list the shares
-or- [root@serverX ~]#smbclient //serverX/home -U winuserX >>open the share
smb: \>ls
3. Manually mount a CIFS share
mount -t cifs -o user=username //server/share /mntpoint
4. Persistently mount a CIFS share
[root@serverX ~]#vim /etc/fstab
//server/share /mntpoint cifs credentials=/etc/filename 0 0
[root@serverX ~]#cat /etc/filename
username=amr
password=password
The credentials file holds a clear-text password: make it root-only (chmod 600) and never put the password in /etc/fstab itself, which is world-readable.
-or- set an smbpassword for a specific user:

[root@serverX ~]#smbpasswd -a username
[root@serverX ~]#cat /etc/samba/smbpasswd >>only when passdb backend = smbpasswd; RHEL 6 defaults to tdbsam (/var/lib/samba/private/passdb.tdb)
username:500:xxxxxxxxxxxxxxx
Providing Home Directories as CIFS Shares
CIFS pkgs
.samba-common - support files for samba
.samba-client
.samba
.samba-doc
.samba-winbind
.samba-swat >>web page configuration tool
Samba Services
.smb and nmb: service script names
./etc/samba/smb.conf: main configuration file
/etc/samba/smb.conf:
contains three special sections, [global], [homes] and [printers]
[global] section
.workgroup: the Windows workgroup or domain name for the network
.server string: description field
.printcap name = /etc/printcap >>list of shared printers
.hosts allow: restrict which hosts may connect, by name or IP
ex. hosts allow = 192.168.5. >>allow hosts on this subnet only
.security: this option affects how clients authenticate to samba
- security = user: clients must log in with a valid username and password
- security = domain: works if the machine has been added to an NT domain
Share Definitions
[homes]
comment = Home Directories
browseable = no
writable = yes
[root@serverX ~]#service smb restart ; service nmb restart
File Sharing With FTP
# yum install vsftpd
-FTP Drop-box Anonymous Upload
1. create the upload dir
1.1 Group ownership: ftp
1.2 Permissions: the ftp group gets write+execute only (it can drop files but not list what others uploaded); other has no access
#chmod 730 upload/
2. Modify SELinux for anonymous upload
2.1 File/dir type context: public_content_rw_t
2.2 Boolean: allow_ftpd_anon_write must be enabled
3. Modify /etc/vsftpd/vsftpd.conf
3.1 anon_upload_enable=YES
3.2 chown_uploads=YES
3.3 chown_username=daemon >>uploaded files become owned by daemon, so the anonymous user cannot alter them afterwards
3.4 anon_umask=077 (default value)
4. Modify iptables to support inbound FTP connections
4.1 vim /etc/sysconfig/iptables-config
IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp" >>connection tracking helper for the separate FTP data connection
4.2 open connections to tcp port 21 and allow ESTABLISHED and RELATED network traffic
# iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
SSH User Authentication and Control
[root@serverX ~]#ssh-keygen -or- ssh-keygen -t rsa -or- ssh-keygen -t dsa
[root@serverX ~]#chmod 700 ~/.ssh >>sshd (StrictModes) refuses keys when .ssh or authorized_keys is group- or world-writable; 700 on the directory and 600 on authorized_keys is the safe choice
[root@serverX ~]#ssh-copy-id -i ~/.ssh/id_rsa.pub root@remotehost >>appends the key to the remote authorized_keys
-or- [root@serverX ~]#scp ~/.ssh/id_dsa.pub root@remotehost:.ssh/authorized_keys >>note: this overwrites any keys already in the remote authorized_keys
Basic SMTP Configuration
MTA: Mail Transfer Agent; like postfix, sendmail
MUA: Mail User Agent
MDA: Mail Delivery Agent
Relaying: when an email server (MTA) forwards submitted mail to another server for delivery
Queuing: a failed delivery or relay attempt is queued and retried periodically by the MTA
Rejected: when an e-mail message is refused by an email server during the initial submission
Bounced: when an e-mail message is returned by a remote server to the original e-mail server and/or the user
after it was accepted for delivery by the remote server
Configure Postfix MTA
[root@serverX ~]#yum install -y postfix
[root@serverX ~]#yum install -y mutt >>mutt is an MUA; use it to test sending and receiving
[root@serverX ~]#mutt user@localhost
[root@serverX ~]#mailq >>check and examine the delivery queue
[root@serverX ~]#tail -f /var/log/maillog
[root@serverX ~]#netstat -tuln | grep :25
[root@serverX ~]#vim /etc/postfix/main.cf >>main configuration file for postfix
inet_interfaces = all >>make the daemon listen on all interfaces (the default is localhost only); once it listens on the network, make sure mynetworks lists only your own subnets, otherwise the server becomes an open relay
[root@serverX ~]#service postfix restart
[root@serverX ~]#netstat -tuln | grep :25
DNS (Domain Name Server)
DNS Types
-Caching-only name server
when a client asks for a website, the server caches the answer and provides the IP directly to any other client without new queries
-Master name server
-Slave name server
Lookup Types
-Forward lookup: name --> IP
-Reverse lookup: IP --> name (the client has an IP and asks for the name)
-Iterative resolution (the client follows referrals itself; suited to public networks or big domains):
the client asks the TE-data DNS about www.yahoo.com.; the TE-data DNS asks a root server (.) about com. and passes the com. server's IP back to the client; the client asks com. about yahoo, receives the yahoo.com server's IP, then asks that server about www.
-Forwarder lookup (forward query): a server passes every query it cannot answer from its own zones to another configured DNS server (its forwarder)
-Recursive lookup (suited to a small network): the client asks the TE-data DNS about www.yahoo.com. and waits; the TE-data DNS asks a root server about com., asks the com. server about yahoo, asks the yahoo server about www, and only then returns the final answer for www.yahoo.com. to the client
DNS Structure Types
1-Generic Top Level Domain (gTLD)
2-Country Code Top Level Domain (ccTLD)
DNS Communication
-Zone transfers between master and slave use TCP port 53.
-Queries from any client to a DNS server [master or slave] use UDP port 53 (TCP 53 when the answer is too large for UDP).

DNS Records
IPv4 - maps a host name to an IP address: A record
IPv6: AAAA record
Mail exchanger: MX record
Alias for a host name: CNAME record
Service: SRV record
Maps an IP to a host name: PTR record (pointer record)
DNS Installation
- BIND's named should run with normal user and group privileges (user and group named)
- run BIND under a chroot environment to isolate it in its own directory tree
BIND packages
-bind >>DNS main pkg
-bind-chroot >>isolates bind in the chroot directory
-bind-utils >>tools like host, dig, nslookup ...
-bind-libs
Using chroot to isolate DNS
/var/named/chroot/etc >>configuration files
/var/named/chroot/var/named >>data files
BIND configuration
- by default the BIND configuration file is /etc/named.conf
- data files under /var/named
- in /etc/sysconfig/named, last line: ROOTDIR=/var/named/chroot
- copy the sample configuration and data files to the isolated location under the chroot dir
[root@serverX ~]#cd /usr/share/doc/bind-9.8.2/sample/
[root@serverX ~]#ls
etc var
[root@serverX ~]#cp /usr/share/doc/bind-9.8.2/sample/etc/* /var/named/chroot/etc
[root@serverX ~]#cp /usr/share/doc/bind-9.8.2/sample/var/named/* /var/named/chroot/var/named/
[root@serverX ~]#cd /var/named/chroot/
[root@serverX chroot]#chown -R named:named etc/
[root@serverX chroot]#chown -R named:named var/
[root@serverX chroot]# rm /etc/named.conf
[root@serverX chroot]# ln -s /var/named/chroot/etc/named.conf /etc/named.conf
[root@serverX ~]#vim /etc/named.conf
Syntax: option { argument; argument; };
options {
    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // "Working" directory
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
    //listen-on port 53 { any; };
    listen-on port 53 { 127.0.0.1; };
    //listen-on-v6 port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    // Access restrictions
    allow-query { any; };
    allow-query-cache { localhost; };
};
********************
allow-query >> use it as an access control list when you want only specific machines to be allowed to query the DNS server

- or
allow-query { any; };
allow-query-cache { any; };
forwarders { 192.168.1.2; }; >> if named cannot answer a query from its local zones, it forwards the query to the DNS server at 192.168.1.2, which can be your ISP's DNS server or your router
listen-on port 53 { 127.0.0.1; 192.168.126.90; }; >> to listen on two interfaces
named.ca >> this file defines all the global ROOT servers
Creating Zones
1-Forward Lookup Zone
[root@serverX ~]#vim /var/named/chroot/etc/named.conf
zone "example.com" IN {
type master;
file "example.com.forward";
};
[root@serverX ~]#cp /var/named/chroot/var/named/named.empty /var/named/chroot/var/named/example.com.forward

[root@serverX ~]#chown named:named /var/named/chroot/var/named/example.com.forward


--- NEW FILE example.com.forward ---
$TTL 3H                         ; Time To Live: 3 hours
@       IN SOA  example.com. root.example.com. (
                        0       ; serial
                        3H      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
@       NS      server.example.com.
server  A       192.168.126.254
www     A       192.168.126.2
[root@serverX ~]#service named restart
Track and debug:
[root@serverX ~]#tail -f /var/log/messages
To check that the DNS server answers queries:
[root@serverX ~]#dig @DNS-server-IP
[root@serverX ~]#service named status
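The following shell script is an added example and is not part of the guide. It ties the access-restriction note above to the zone-file procedure: it renders a named.conf fragment in which the sample's allow-query { any; } is kept for authoritative answers while recursion, cache access and zone transfers are limited, writes the example.com forward zone, bumps the SOA serial (slaves only pull a fresh copy of the zone when the serial grows), builds the in-addr.arpa owner name that a PTR record would use, and runs named-checkconf/named-checkzone when bind is installed. The acl name "trusted", the 192.168.126.0/24 network, the temporary working directory and all function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the guide): query-restricted named.conf fragment,
# forward zone, SOA serial bump, PTR owner name and optional bind checks.
# The "trusted" ACL, the 192.168.126.0/24 LAN and the work directory are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # stands in for /var/named/chroot in the demo

# The sample's allow-query { any; } plus recursion makes an open resolver.
# Corrected form: authoritative answers for everyone, recursion and cache
# only for the ACL, no zone transfer to arbitrary hosts.
render_named_conf() {
    cat <<'EOF'
acl "trusted" { 127.0.0.1; ::1; 192.168.126.0/24; };   // assumed LAN
options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 192.168.126.90; };
    listen-on-v6 port 53 { ::1; };
    allow-query { any; };          // authoritative data is public
    allow-recursion { trusted; };  // recursion only for our own clients
    allow-query-cache { trusted; };
    recursion yes;
    forwarders { 192.168.1.2; };
};
zone "example.com" IN {
    type master;
    file "example.com.forward";
    allow-transfer { none; };      // add the slave's address here if one exists
};
EOF
}

# The forward zone from the guide, serial 0 as in the sample.
render_zone() {
    cat <<'EOF'
$TTL 3H
@       IN SOA  example.com. root.example.com. (
                        0       ; serial
                        3H      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
@       NS      server.example.com.
server  A       192.168.126.254
www     A       192.168.126.2
EOF
}

# Increment the serial on the "; serial" line in place and print the new value.
bump_serial() {
    zone="$1"
    awk '/; serial/ { sub(/[0-9]+/, $1 + 1) } { print }' "$zone" > "$zone.tmp"
    mv "$zone.tmp" "$zone"
    awk '/; serial/ { print $1 }' "$zone"
}

# Owner name for a PTR record: 192.168.126.254 -> 254.126.168.192.in-addr.arpa
ptr_name() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Run the bind checkers when they are installed; otherwise report nothing.
check_config() {
    dir="$1"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/named.conf" || return 1
    fi
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone example.com "$dir/example.com.forward" || return 1
    fi
    return 0
}

main() {
    render_named_conf > "$WORK/named.conf"
    render_zone > "$WORK/example.com.forward"
    echo "new serial: $(bump_serial "$WORK/example.com.forward")"
    echo "PTR owner for 192.168.126.254: $(ptr_name 192.168.126.254)"
    if check_config "$WORK"; then
        echo "config/zone checks passed (or checkers not installed)"
    else
        echo "config/zone checks failed; see messages above"
    fi
}

main
```

After editing a zone on the master, run bump_serial before restarting named; a slave that sees the same serial as before will keep serving its old copy until the expire timer runs out.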
SSL [Secure Sockets Layer]
OpenSSL
Port 443 - HTTPS protocol
- To make Apache support SSL:
[root@serverX ~]#yum install mod_ssl
Make a local certificate on the local machine
********************************************
[root@serverX ~]#genkey --days 730 www.example.com
genkey writes the certificate and the private key to:
/etc/pki/tls/certs/www.example.com.crt
/etc/pki/tls/private/www.example.com.key
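The script below is an added example, not part of the guide or of the genkey tool. It does with openssl what genkey does above: creates a key pair and a self-signed certificate for www.example.com valid for 730 days, stores them in the same certs/ and private/ layout, and then performs the checks an administrator would want after generation: the private key is readable by its owner only, the certificate really belongs to the key, and the remaining validity in days. PKI defaults to a temporary directory so it runs without root; on a real server it would be /etc/pki/tls. The host name and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): self-signed certificate with openssl,
# key permission check, key/cert match check and expiry check.
# PKI is a temporary directory here; the real location is /etc/pki/tls.
set -eu

PKI="${PKI:-$(mktemp -d)}"
HOST="www.example.com"   # assumed host name, as in the guide

# Generate a 2048-bit RSA key and a self-signed certificate valid for $2 days.
make_self_signed() {
    host="$1"; days="$2"
    mkdir -p "$PKI/certs" "$PKI/private"
    # umask 077 in a subshell: the key file is never created group/world readable
    ( umask 077; openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$host" \
        -keyout "$PKI/private/$host.key" \
        -out "$PKI/certs/$host.crt" 2>/dev/null )
    chmod 600 "$PKI/private/$host.key"
    chmod 644 "$PKI/certs/$host.crt"
}

# The private key protects every HTTPS session on the host; anything beyond
# owner read/write is a finding.
key_perms_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# A certificate and key belong together when their RSA modulus matches.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    k=$(openssl rsa -noout -modulus -in "$2" | openssl md5)
    [ "$c" = "$k" ]
}

# Whole days until notAfter; a negative value means the certificate has expired.
cert_days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    end_epoch=$(date -d "$end" +%s 2>/dev/null || date -j -f "%b %e %T %Y %Z" "$end" +%s)
    echo $(( (end_epoch - $(date +%s)) / 86400 ))
}

main() {
    make_self_signed "$HOST" 730
    key_perms_ok "$PKI/private/$HOST.key" && echo "key permissions ok"
    cert_matches_key "$PKI/certs/$HOST.crt" "$PKI/private/$HOST.key" && echo "certificate matches key"
    echo "days left: $(cert_days_left "$PKI/certs/$HOST.crt")"
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not installed; nothing generated"
fi
```

cert_days_left is the piece worth keeping in a cron job: a certificate that expires unnoticed takes the site down just as surely as a misconfiguration, and mod_ssl gives no warning in advance.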
Misc.
POSIX: Portable Operating System Interface (X)
pkill yum >> sends the specified signal (SIGTERM by default) to each matching process instead of listing the processes on stdout.
To create a file whose name contains a space:
#touch "file name"
#touch file\ name
