Current Release: 7
We will use:
1. CentOS7x
2. RedHat Enterprise 7x
NOTE: New installer presents consolidated GUI interface (ALL options) on 1 screen
NOTE: Multiple tasks can be carried out during installation: i.e. 'root password',
'additional user' and the like
NOTE: Configure NIC prior to NTP configuration
NOTE: Initial Kickstart file is still supplied to shorten the time required for
subsequent installs: ~/root
NOTE: Default GNOME LOGIN allows anyone to restart | power-off the system. Will
tweak later.
# Text-based Installation #
1. CentOS 7x
2. RedHat Enterprise 7x
NOTE: It's as simple as passing the string 'inst.text' on the kernel's command line
during installation
NOTE: The installation process is carried out via TEXT but does NOT impact the
outcome of the installed server's interface. i.e., server may run with or without a
GUI.
NOTE: It's merely a matter of the interface that is presented during installation,
indicated by the 'inst.text' option passed to the installation kernel's command
line (CLI)
NOTE: Ensure that you select: 'Tab' during the installation's main GRUB2 menu
presentation and modify the kernel line to include: 'inst.text' to invoke TEXT-mode
NOTE: Sometimes VMWare ESXi does NOT update the screen when it receives no stream
of data from the GUEST, which results in console-access delays.
# Network-based (HTTP) #
Requirements:
1. HTTPD instance somewhere: i.e. IIS, Apache, etc.
2. Export of the tree (ISO image) to the HTTP share location (URL)
3. Client-side - minimal (network boot) ISO image - Net access
NOTE: PXE-booting obviates the need for any local media - look at this if desired
Tasks:
1. Explore HTTP configuration
a. 192.168.75.101/{RHEL,CentOS}
a1. http://192.168.75.101/CentOS/7
a2. http://192.168.75.101/RHEL/7
NOTE: Any of the ISO images will let you change the source to a network source
# Kickstart Configuration #
Features:
1. Automates delivery - rapid provisioning
NOTE: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide_/sect-kickstart-syntax.html
3. The location of the CFG file MUST be specified upon installation invocation
a. 'Tab' at main GRUB screen, indicate that KS is desired:
a1. 'inst.ks=http://192.168.75.101/{RHEL,CentOS}/*.cfg'
NOTE: Name your .cfg files in a fashion similar to Virtual Machine images:
i.e. centos7-infrastructure-server-gui.cfg
i.e. rhel7-is-gui-40GB.cfg
6. Required / optional sections are the same: i.e. command, %packages, [%pre] and
[%post]
7. Omitted items will cause the installer to prompt the user for input
Task:
1. Re-install both systems in an automated fashion
a. Access nodes
b. Modify .cfg files
c. Publish .cfg files to HTTP repository
c1. 'inst.ks=http://192.168.75.101/CentOS/centos7-is.cfg'
c2. 'inst.ks=http://192.168.75.101/RHEL/rhel7-is.cfg'
d. Re-install nodes using minimal|network ISO referencing the .cfg files
NOTE: Ensure that published (HTTP) .cfg files are flagged 644 or readable by web
user
NOTE: Since we reprovisioned the CentOS7 instance entirely in VMWare, its default SDA
was blank, which rendered the installation fully automated
NOTE: If VM instance fails to boot from ISO image, try the following:
1. Delete, then Re-provision GUEST
2. Remove startup disk and provision anew
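As an added example (not from the course notes), a constructed minimal kickstart for the HTTP tree above plus a shell check that flags the commands whose absence makes the installer stop and prompt, and a 'rootpw' that is not '--iscrypted' (the .cfg is published world-readable over HTTP). The list of required commands is my assumption from the RHEL 7 kickstart syntax reference, not something the notes state.

```shell
#!/bin/sh
# Added example, not from the course notes. Writes a constructed sample
# kickstart (placeholder password hash) and checks a kickstart file for
# the commands that, when omitted, make Anaconda stop and prompt, plus a
# plaintext 'rootpw' (the .cfg is served world-readable over HTTP).
# The required-command list is an assumption taken from the RHEL 7
# kickstart syntax reference, not something the notes state.

write_sample_ks() {
    cat > "$1" <<'EOF'
# constructed sample kickstart, not a real site file
install
url --url=http://192.168.75.101/CentOS/7
lang en_US.UTF-8
keyboard us
timezone UTC --isUtc
rootpw --iscrypted $6$PLACEHOLDERSALT$PLACEHOLDERHASH
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
firewall --enabled --service=ssh
bootloader --location=mbr
clearpart --all --initlabel
autopart
reboot
%packages
@core
%end
%post
echo "provisioned by kickstart" >> /root/kickstart-install.log
%end
EOF
}

# has_cmd FILE 'cmd1|cmd2': true if some line starts with one of the commands.
has_cmd() {
    grep -Eq "^[[:space:]]*($2)([[:space:]]|$)" "$1"
}

# ks_check FILE: prints each problem found, returns 0 only when there are none.
ks_check() {
    ks=$1
    rc=0
    for cmd in lang keyboard timezone rootpw bootloader 'auth|authconfig'; do
        has_cmd "$ks" "$cmd" || { echo "missing: $cmd (installer will prompt)"; rc=1; }
    done
    has_cmd "$ks" 'url|cdrom|nfs|harddrive' \
        || { echo "missing: installation source (url/cdrom/nfs/harddrive)"; rc=1; }
    has_cmd "$ks" 'autopart|part|partition' \
        || { echo "missing: partitioning (autopart or part)"; rc=1; }
    # A plaintext root password in a world-readable .cfg is a credential leak.
    if has_cmd "$ks" rootpw \
        && ! grep -Eq '^[[:space:]]*rootpw[[:space:]]+--iscrypted' "$ks"; then
        echo "weak: rootpw is plaintext in a world-readable file"; rc=1
    fi
    return $rc
}
```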
# Rescue Environment #
Features:
1. Multiple modes
a. Rescue
b. Emergency
NOTE: Both are based on an installed system: i.e. N3
NOTE: Both provide Single-User modes to attempt to rectify system problems
NOTE: Both modes are accessible from an already running system via: 'systemctl
{rescue,emergency}'
NOTE: As a result of these modes, you enter Single-User mode, which drops network
connectivity, thus external connections
NOTE: 'systemctl ...' typically sends messages to logged-in users, unless the
'--no-wall' option is used
NOTE: The installer's own rescue mode is entered by passing 'inst.rescue' on the
kernel boot line
NOTE: Standard GRUB2 menu, secondary '...rescue' option, is really a backup kernel,
which launches into multi-user mode
NOTE: Nowadays, virtualize, and take snapshots prior to ALL key updates
Tasks:
1. Mislabel GRUB2 references to the kernel
a. '/etc/grub2.cfg'
2. Booted from Install Rescue Mode (from any ISO that boots the installer)
3. Repeat on CentOS
NOTE: If you lose the 'root' password, use:
a. Install Rescue Mode to mount the '/' FS
b. 'chroot /mnt/sysimage'
c. 'passwd root'
d. 'reboot'
NOTE: Because of this, for security purposes, guard the permitted boot media for
ALL systems
Tasks:
1. 'gzip'
a. 'gzip -c Xorg.9.log.old > Xorg.9.log.old.gz'
b. 'gunzip Xorg.9.log.old.gz'
c. 'gzip -l Xorg.9.log.old.gz' - reveals stats about the compressed object
d. 'zcat Xorg.9.log.old.gz' - auto-decompresses the content on-the-fly
2. 'bzip2'
a. 'bzip2 -c Xorg.9.log.old > Xorg.9.log.old.bz2'
b. 'bunzip2 Xorg.9.log.old.bz2'
c. 'bzcat Xorg.9.log.old.bz2'
NOTE: With 'zip' and 'tar', because they are archival tools, it makes sense to
specify the TARGET first, then an arbitrary number of source files/directories
8. State control:
a. emergency
b. rescue
c. poweroff
d. restart
e. hibernation
f. suspension
9. 'systemd' units - encapsulation of the following:
a. services
b. sockets
c. system state snapshots
d. paths
e. mounts
f. etc.
10. Supports system state snapshots - current unit configuration, which is
temporarily held
NOTE: snapshots do NOT persist reboots
11. D-bus activation of services
a. D-bus activation (where supported by service) allows on-demand invocation of
service upon request by the client(service)
12. Socket-based activation (where supported by service) allows messages to be
queued during service restarts
a. 'systemd' functions as a proxy(broker) between the client and the ultimate
service
13. Device-based activation - i.e. hot-plugged device activates corresponding
service(s)
14. Path-based activation - if a particular file || directory is accessed, the
corresponding service(s) is invoked. i.e. NFS, NFS with Automount
15. On-demand starting of daemons
16. Parallelization of service invocation at startup: i.e. MySQL && SSH
17. Mount || Automount management
18. Services do NOT inherit environment: $PATH && $HOME from current $USER - more
secure
Key Directories:
1. '/usr/lib/systemd/system' - repository of ALL services: i.e. /etc/rc.d/init.d
2. '/etc/systemd/system' - symlinked, ACTIVE, services
3. '/run/systemd' - run-time systemd units - auto-generated
Tasks:
1. Explore basic power management control
a. 'init 6' - 'systemctl [--no-wall] reboot'
b. 'init 0' - 'systemctl [--no-wall] poweroff'
NOTE: 'init 6', etc., still works, but may eventually be deprecated
2. Service Management
a. 'systemctl' - dumps ALL managed units: services, devices, paths, mounts,
sockets, etc.
b. 'systemctl list-units' - lists loaded units of ALL types
c. 'systemctl list-sockets' - lists loaded sockets, ordered by address
NOTE: Useful in debugging problems communicating with sockets
d. 'systemctl status [NAME..|PID..]' - shows runtime stats
d1. '/usr/lib/systemd/system/atd.service' - actual service file
NOTE: The data returned is comprehensive; under prior versions of RHEL, we had
to aggregate these data from various sources: i.e. 'ps -ef | grep service_name',
'cat /var/run/PID', '/etc/*'
# Checksums #
Features:
1. Generate unique fingerprints based on a set of data
a. Files
b. STDIN
2. Verifies the intrinsic quality of data to ensure non-tampering
3. Published content online, is usually accompanied by checksums for your perusal
Tasks:
1. 'nano test.txt' - populate with junk
2. 'md5sum test.txt' - 'ba1f2511fc30423bdbb183fe33f3dd0f'
'4cd713d16b3f7078041799001428d0ee'
'ba1f2511fc30423bdbb183fe33f3dd0f'
Tasks:
1. Create dummy data to parse
a. 'grep "Linux" grep.test.txt'
b. 'grep "^Linux" grep.test.txt' - returns lines that begin with "Linux"
c. 'grep '^Linux$' grep.test.txt' - returns lines that begin and end with 'Linux'
d. 'grep 'LinuxCBT$' grep.test.txt' - returns lines that end with 'LinuxCBT'
e. 'grep 'LinuxCBT $' grep.test.txt' - returns lines that end with 'LinuxCBT '
NOTE: Printable and non-printable chars (space, tab, various whitespace) are
analyzed
NOTE: 'cat -A grep.test.txt' - reveals both types of chars
# AWK #
Features:
1. Field (column) Processor
2. Supports egrep-compatible (POSIX) REGEXES
Tasks:
1. 'awk '{print $1}' [FILE] || STDIN' - prints the first field from the data-stream
2. 'awk '{print $1,$2}' FILE' - returns $1,$2
NOTE: 'awk' can be used to transform Field and/or Record separators
3. 'awk -F'[:+;,]' '{print $1,$2,$3,$4}' grep.test.txt' - uses multiple possible
delimiters to identify fields
NOTE: Whitespace is ALWAYS considered a possible field separator unless overridden
NOTE: Be careful if the data-set contains spaces that are NOT to be treated as field
separators
Usage:
1. 'sed -e 'instruction' file || STDIN'
NOTE: Additional '-e 'instruction' ' commands will perform additional modifications
in the order presented
2. 'sed -f script_file_name file || STDIN' - organized way of providing N number
of instructions to 'sed'
File Permissions:
1. 10 characters represent Linux file permissions, regardless of the type of FS in
use: i.e. EXT4, XFS, EXT{2,3}, ReiserFS, etc.
'crw--w----. 1 linuxcbt tty 136, 2 Dec 4 07:12 2' -> 6 2 0 (rw- -w- ---)
'-' in positions 2-10 (or 1-9, counting only the permission bits) represents a
disabled bit
10 characters - the leading one describes the type of object in the FS: i.e. 'c' =
character device
9 remaining bits (positions 2-10, or 1-9) represent permissions, in groups of
three, for:
a. Owner of the object
b. Members of the group labeled on the object: i.e. group=tty
c. Everyone else
Total permissions for objects = 7 7 7 (rwx rwx rwx)
r=4
w=2
x=1
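As an added example (not from the course notes), a POSIX shell function that turns the 10-character mode string shown by 'ls -l' (such as the 'crw--w----.' line above) into the octal value 'chmod' understands; it goes one step past the notes by also decoding the setuid/setgid/sticky letters (s/S/t/T) into a leading digit.

```shell
#!/bin/sh
# Added example, not from the course notes: convert the mode string shown by
# 'ls -l' (for example 'crw--w----.') into the four-digit octal value chmod
# accepts. The trailing '.' or '+' (SELinux label / ACL marker) is ignored.

mode_to_octal() {
    m=$1
    # Characters 2-10 are the nine permission bits; character 1 is the type.
    perms=$(printf '%s' "$m" | cut -c2-10)
    if [ "${#perms}" -ne 9 ]; then
        echo "bad mode string: '$m'" >&2
        return 1
    fi
    special=0   # 4 = setuid, 2 = setgid, 1 = sticky
    digits=""
    pos=1
    for who in u g o; do
        r=$(printf '%s' "$perms" | cut -c"$pos")
        w=$(printf '%s' "$perms" | cut -c"$((pos + 1))")
        x=$(printf '%s' "$perms" | cut -c"$((pos + 2))")
        v=0
        case $r in
            r) v=$((v + 4)) ;;
            -) ;;
            *) echo "bad read bit '$r' in '$m'" >&2; return 1 ;;
        esac
        case $w in
            w) v=$((v + 2)) ;;
            -) ;;
            *) echo "bad write bit '$w' in '$m'" >&2; return 1 ;;
        esac
        # The execute slot may carry setuid/setgid (s/S) or sticky (t/T);
        # lower case means the execute bit is set as well.
        case "$who$x" in
            ?x) v=$((v + 1)) ;;
            ?-) ;;
            us) v=$((v + 1)); special=$((special + 4)) ;;
            uS) special=$((special + 4)) ;;
            gs) v=$((v + 1)); special=$((special + 2)) ;;
            gS) special=$((special + 2)) ;;
            ot) v=$((v + 1)); special=$((special + 1)) ;;
            oT) special=$((special + 1)) ;;
            *)  echo "bad execute bit '$x' for '$who' in '$m'" >&2; return 1 ;;
        esac
        digits="$digits$v"
        pos=$((pos + 3))
    done
    printf '%s%s\n' "$special" "$digits"
}
```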
4. Both mechanisms (Soft and Hard) provide a way to publish content to users in
various locations across the system
a. Permits the exposition of content outside of normally protected zones: i.e.
$USER || /home/$USER
Tasks:
1. Soft links
a. 'ln -s source_file target'
a1. 'ln -s grep.test.txt grep2.test.txt' - creates soft link in the same
directory
'lrwxrwxrwx. 1 root root 13 Dec 5 09:18 grep2.test.txt ->
grep.test.txt'
NOTE: Despite the apparent 0777 permissions shown on soft (symbolic) links, the
underlying (target) file's permissions always prevail. These are known as the
effective permissions on the file object.
a2. 'ln -s ~linuxcbt/Documents/grep.test.txt'
a3. 'ln -s ~linuxcbt/Documents/grep.test.txt /boot' - creates soft link in a
different FS
a4. 'ls -l ~linuxcbt/Documents/grep.test.txt' - confirm link counter = 1
2. Hard Links
a. 'ln source_file target' - creates hard link - increments the link counter
b. 'chmod 644 ~linuxcbt/Documents/temp/grep.test.txt.hard' - impacts the
underlying INODE, which means ALL instances of the document (hard-link form) will
now carry the latest permissions
c. 'mkdir /projectx && ln ~linuxcbt/Documents/grep.test.txt' - creates an
instance of the object for 'general' access without having to grant users access to
your $HOME dir
d. Remove one or more hard instances
d1. 'rm -rf ~linuxcbt/Documents/grep.test.txt'
# SWAP #
Features:
1. Virtual memory - disk-based memory
2. Dedicate (preferred) partitions to the SWAP role
3. Use an existing FS: i.e. XFS, EXT4, etc. and provision a file-based SWAP area
4. SWAP remains a distinct FS type, despite the recent RHEL shift to XFS
Tasks:
1. Create additional SWAP space from a file using existing FS
a. 'dd if=/dev/zero of=/swap/swapfile1G-1 bs=1M count=1024' - creates a
zeroed-out file as a basis on which to overlay an FS such as SWAP
b. 'mkswap /swap/swapfile1G-1' - overlays SWAP FS on zeroed-out file
NOTE: A unique UUID is auto-assigned, and may be referenced via: /etc/fstab
c. 'swapon /swap/swapfile1G-1' - enables the SWAP device dynamically
d. 'swapon -s ' - displays current SWAP partitions
e. Update: '/etc/fstab' - '/swap/swapfile1G-1 swap swap defaults 0 0'
# XFS #
Features:
1. New default for RHEL7
2. Supports:
a. Extension (growth) - NOT the ability to shrink
b. Freeze | Unfreeze - for snapshots
c. Backups | Restorations
d. Sub-second timestamps: currently = nanosecond || 10^-9 precision
d1. 'stat FILE' and peruse
e. Ability to separate the journal log from the data storage area - improves
performance
Tasks:
1. Create extra XFS mounts on target systems
a. Provision storage: Virtual || Physical
b. Identify and partition
b1. 'fdisk -l' - this should reveal the new storage block: '/dev/sdc'
b2. 'parted /dev/sdc mklabel gpt'
b3. 'parted /dev/sdc mkpart 1 1 100%'
c. Overlay with XFS file system
c1. 'mkfs.xfs /dev/sdc1'
d. Mount and Use
d1. 'mkdir /projectx'
d2. 'mount /dev/sdc1 /projectx && df -h && dd if=/dev/zero of=/projectx/512M
count=512 bs=1M && ls -lh /projectx'
Tasks:
1. 6-Steps to setup LVM
a. Provision storage and create LVM partitions using: 'parted'
a1. Use Hypervisor tool to add new disks
a2. Use: 'parted' to create label: 'parted /dev/sdd mklabel gpt'
a3. 'parted /dev/sdd set 1 lvm on' - flags partition as type LVM
Tasks:
1. 'ls -l /etc/{passwd,group,shadow}'
2. 'cat /etc/passwd'
'linuxcbt:x:1000:1000:LinuxCBT User:/home/linuxcbt:/bin/bash'
'root:x:0:0:root:/root:/bin/bash'
UID=0, GID=0 - special reservation for 'root'
Accounts with: UID|GID=[1-999] are reserved for system/daemons/utilities/etc.
Tools:
1. 'useradd'
a. 'useradd -g linuxcbt2 -G wheel -m linuxcbt2'
b. 'groupadd -g 1001 linuxcbt2 && useradd -g linuxcbt2 -G wheel,projectx -m
linuxcbt2 && passwd linuxcbt2'
2. 'usermod'
3. 'userdel'
4. 'groupadd'
a. 'groupadd linuxcbt2'
5. 'groupmod'
a. 'nano /etc/group'
NOTE: You may have to re-initiate existing $SHELLs for the new group membership to
reflect
6. 'groupdel'
NOTE: Regardless of whether directory services are used, 'root' and basic system
accounts are ALWAYS defined in: /etc/{passwd,shadow,group,gshadow}
# Cron - Scheduler #
Features:
1. Scheduler
2. Runs jobs on schedule:
a. minute, hour, day, month, year
3. Assumes computer is always on, unlike: anacron
4. Global schedule: /etc/crontab && /etc/cron* (include directories)
5. Individual schedules: /var/spool/cron - one is stored per user - crontabs
6. Checks ALL config files every minute, including: /etc/anacrontab
7. 'crontab' - used to modify a user's cron table entries
a. 'root' may use this tool to manage other user's cron tables
b. each user may use this tool to manage their own cron table: /var/spool/cron/$USER
8. Permit -> /etc/cron.allow
9. Deny -> /etc/cron.deny
Tasks:
1. '/etc/crontab' - discuss the entries
a. Minute(0-59) - i.e. 31, 1,11,21, 10,33,58, 10-23, */1, */5
b. Hour(0-23) - similar subdivision values apply. i.e. */2, 0,4,12
c. Day of the month(1-31)
d. Month (1-12)
e. Day of the week (Sun,Mon,Tue||0-7)
NOTE: Some systems handle the extreme values for dow differently: 0,7 may be
treated as Sunday or Monday. Consult Cron documentation per system
NOTE: 'crontab' utility is the only way for non-privileged $USER to modify their
crontab, as the actual crontab file in: /var/spool/cron is viewable only by 'root'
d. Modify crontab as 'root' because job runs too frequently
# Syslog #
Features:
1. Logs daemon information as well as potentially other sources of data: i.e.
networked devices, remote systems, etc.
2. Supports:
a. Unix Domain Sockets (/dev/log)
b. Internet sockets using: UDP:514 || TCP:514
3. Ability to log to local and remote targets (@hostname) simultaneously
NOTE: Possible Syslog setups in your Prod environment:
a. ALL interconnected devices (routers|switches|firewalls), log to 1 Syslog node,
and that node replicates the logs to 1 or more other Syslog nodes
b. ALL interconnected devices log to 2 or more Syslog nodes simultaneously
4. Default configuration accepts messages on: UDS but NOT on Internet socket
5. Implemented as 'rsyslog'
6. '/etc/rsyslog.conf'
7. RPM = rsyslog
8. In-built rules mechanism routes incoming messages accordingly
a. Facilities - source of information: i.e. mail, local0-7, auth, etc.
b. Levels - Importance of the incoming message - 0(Debug)-7(emerg)
b1. Debug(0), Info(1), Notice(2), Warning(3), Error(4), Crit(5), Alert(6),
Emerg(7)
NOTE: You typically want to capture messages at: Warning(3) and higher
NOTE: Message collection is cumulative up-the-chain:
i.e. Messages captured at the Warning(3) level, will also include more severe
messages levels above, but not less severe messages below: i.e. Notice(2) or lower.
NOTE: This reduces the verbosity and overall data storage requirements by sending
only 'important' messages.
Tasks:
1. Look at primary config file: '/etc/rsyslog.conf'
a. RULES Section
a1. Left side -> Facilities.Levels
a2. Right side -> Destinations
b. 'systemctl restart rsyslog && netstat -nultp | grep 514' - confirm TCP && UDP
bindings
NOTE: '/var/log/messages' -> catchall, so, messages coming from devices that log at
the .info level and more severe, will be logged here as well. i.e. infrastructure
device logs to both its own file and: /var/log/messages
NOTE: To prevent double-logging, exclude the facility using a rule term such as
'local4.none' in the primary catchall rule that routes messages to:
/var/log/messages
d. Alter both rules to ensure that ALL messages, from ALL facilities at
level=info and higher(more severe) are duplicated to both nodes
NOTE: Once you have designated 1 or more Syslog systems, be prepared to parse
NOTE: This is why Syslog messages typically include: HOSTNAME, to help parse the
source of messages
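As an added example (not from the course notes), a POSIX shell function that evaluates an rsyslog selector such as '*.info;mail.none;local4.none' against a message's facility and level, implementing the cumulative capture the notes describe (a level captures itself and everything more severe) and the '.none' exclusion used to keep the local4 device logs out of /var/log/messages. The left-to-right override of terms naming the same facility is my reading of the selector semantics, not something the notes spell out.

```shell
#!/bin/sh
# Added example, not from the course notes: decide whether an rsyslog
# selector delivers a message of a given facility and level.
# Severity rank follows the notes' ordering: debug lowest, emerg highest.

level_rank() {
    case $1 in
        debug) echo 0 ;;      info) echo 1 ;;   notice) echo 2 ;;
        warning|warn) echo 3 ;; err|error) echo 4 ;; crit) echo 5 ;;
        alert) echo 6 ;;      emerg|panic) echo 7 ;;
        *) return 1 ;;
    esac
}

# facility_named 'mail,local4' local4 -> prints yes/no ('*' names all).
facility_named() {
    case ",$1," in
        *',*,'*|*",$2,"*) echo yes ;;
        *) echo no ;;
    esac
}

# rule_matches SELECTOR FACILITY LEVEL: exit 0 when the rule's destination
# receives the message, 1 when it does not, 2 on an unknown level.
# Terms are evaluated left to right; a later term naming the same facility
# overrides an earlier one, so 'local4.none' after '*.info' removes local4
# from the catchall.
rule_matches() {
    selector=$1 fac=$2 lvl=$3
    msg_rank=$(level_rank "$lvl") || return 2
    verdict=no
    saved=$IFS; IFS=';'
    set -f                 # no globbing: selectors contain '*'
    set -- $selector
    set +f
    IFS=$saved
    for term in "$@"; do
        facs=${term%.*}    # facilities before the last '.'
        want=${term##*.}   # level after it
        [ "$(facility_named "$facs" "$fac")" = yes ] || continue
        case $want in
            none) verdict=no ;;
            '*')  verdict=yes ;;
            *)    rank=$(level_rank "$want") || return 2
                  # cumulative: the named level and everything more severe
                  if [ "$msg_rank" -ge "$rank" ]; then verdict=yes; else verdict=no; fi ;;
        esac
    done
    [ "$verdict" = yes ]
}
```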
# LogRotate #
Features:
1. System-wide log-rotation capability
2. Archival capabilities
3. Rules-driven:
a. '/etc/logrotate.d' - N number of rules governing various LOG files
b. '/etc/logrotate.conf' - catchall of options and includes: '/etc/logrotate.d'
entries
c. Segments logs: i.e. MAIL, LOCAL, USER, etc.
c1. Logrotate focuses on a discrete set of files, NOT SYSLOG facilities
NOTE: SYSLOG handles the routing of data to target files
NOTE: LOGROTATE merely manages those files
4. Implemented as 'logrotate' package
5. Run daily (/etc/cron.daily/logrotate) by cron
6. Rotation is driven by:
a. Size: i.e. 100k, 100MB, 100GB
b. Time: i.e. daily, weekly, monthly, yearly
7. Both criteria, time and size, can be specified simultaneously
NOTE: The first to be realized (time or size) is honored
Tasks:
1. Examine current configuration
a. '/etc/logrotate.conf'
b. '/etc/logrotate.d'
b1. daemon-specific log files rules
NOTE: values not explicitly defined: i.e. 'dateext', or otherwise, at the scope
level of the file, are inherited from the 'global' superscope.
3. Execute 'logrotate'
a. 'sudo logrotate -v -f /etc/logrotate.conf'
NOTE: logrotate will eventually rotate off your disk the log files based on the
rules defined, so be sure to archive otherwise
NOTE: Any file that is SYSLOG-handled (LOG file is created by SYSLOG), place its
rule within the: /etc/logrotate.d/syslog file to reduce the number of instances of
SYSLOG reload
NOTE: logrotate is merely a script binary, not a daemon, that is resident in the
process table only when called
NOTE: Daily, weekly, monthly jobs are now handled by Anacron: /etc/anacrontab
5. 'curl'
a. 'curl http://192.168.75.101/index.html' - dumps remote content to STDOUT
NOTE: By dumping to STDOUT, you can quickly query multiple servers to check
possibly for corrupt content, because 'curl' supports multiple servers, files,
wildcards, etc.
b. 'curl -O http://192.168.75.101/test.data' - pulls the file to a locally-named
equivalent
# Time Administration #
Features:
1. Time synchronization && administration
a. Default includes: 'chronyd', which synchs the local system against various
sources
NOTE: Sources can be: external clocks, NTP, manual time config via: 'chronyc'
NOTE: 'chronyc' by default, is limited to localhost connections, however, may be
configured to accept remote connections using IP-based security
NOTE: 'chronyd' works well in virtualized, intermittently connected situations
b. Drop-in replacement for NTPD - 'rpm -ql chrony'
b1. Currently, 'chronyd' supports NTPv3 only
c. Only replace with NTP if permanently connected/enabled
d. Currently, symmetric keys for time-synch security is supported
Usage:
1. 'timedatectl'
2. 'timedatectl list-timezones'
3. 'timedatectl set-timezone Asia/Tokyo'
4. 'systemctl reboot && timedatectl '
NOTE: Local time offset is merely used for display purposes. i.e. time values are
stored using UTC
'chronyd' config
a. '/etc/chrony.conf'
a1. 'allow 192.168.75.0/24'
a2. 'local stratum 1' - this allows this clock to be favoured by NTP clients
a3. 'sudo systemctl restart chronyd'
b. Point NTP clients to this instance
NOTE: Ensure that iptables is NOT blocking (the default) UDP:123
Updates:
a. 'yum check-update' - search for ALL available updates
b. 'yum [-y] update' - updates ALL updatable packages
NOTE: Isn't always desirable
c. 'yum [-y] update package[s]...' - updates specified package[s]
c1. 'yum -y update openssl wget' - selective updates
# YUM Repositories #
Features:
1. Centralized access to content (RPM packages)
a. Network-based
2. Can be: local (file://), remote (http://) || (ftp://)
3. Serves various packages:
a. 'base'
b. 'extras'
c. 'plus'
d. 'updates'
NOTE: These are merely directory trees off the main repository tree
NOTE: Each contains a .repo file and various RPMS
NOTE: Each .repo file describes the content within that tree
e. i.e. 'http://mirror.centos.org/centos/7/' - explore this tree
NOTE: RedHat systems require a subscription to use 'their' CDN for updates, etc.
NOTE: The various branches on repositories are specified in the YUM config files
4. Primary YUM config file: '/etc/yum.conf'
a. Sets globals
b. Includes Repos from: '/etc/yum.repos.d'
5. 'yum repolist' - enumerates enabled Repos
a. You may enable/disable Repos as needed
6. Packages can be flagged to 'install' only and not 'update'
7. 'yum-config-manager' - dumps the current configuration, and also allows Repo
administration
Tasks:
1. 'yum-config-manager [section[s]]'
2. Install YUM Repo
a. One option is to dump the contents of the largest ISO image to a web-accessible
instance
b. Second option is to use the 'createrepo' RPM to setup a tree
3. Commence installation
a. Obtain ISO image and mount and copy contents to a tree somewhere (i.e.
staging)
b. Ensure that the 'createrepo' RPM is installed as it provides us with the
'createrepo' utility
NOTE: 'createrepo' may be run from other distros
NOTE: 'createrepo' utility generates the necessary '.repo' file for usage by
clients
c. Ensure directory tree, with '.repo' file, is in a web-accessible location
d. Add the repository to 1 or more clients and use
NOTE: Ensure that you have a valid RedHat subscription or find a third-party
provider of the 'updates' branch
d1. 'sudo yum-config-manager --add-repo http://192.168.75.101/RHEL/7'
NOTE: 'yum-config-manager' merely writes the '.repo' file to: '/etc/yum.repos.d'
NOTE: Add GPG key as follows: 'rpm --import http://192.168.75.101/RHEL/7/RPM-GPG-KEY-redhat-release'
# IP Administration #
Features:
1. DHCP - 'dhclient' is invoked to manage interface(s)
2. Static - settings are stored in interface configuration file:
/etc/sysconfig/network-scripts
3. Both (Dynamic and Static)
4. Temporary configurations
5. Virtual interfaces - Potentially multiple L3 addresses (IPv[4|6])
6. With this release a more complex set of logic is used to promote persistent NIC
nomenclature, with the ultimate fallback resorting to: eth0-N
7. 'NetworkManager' is the primary manager of interfaces
NOTE: If changes are not noticed, try restarting this daemon: 'systemctl restart
NetworkManager'
8. '/etc/init.d/network' - is still applicable - legacy purposes
9. '/etc/init.d/network' && 'NetworkManager' services work in conjunction to
manage interfaces, routes, and various network configuration items by consulting
one another to avoid conflict
Management Tools
1. 'nmtui*' - $SHELL(curses)-based - current limitations: Edit of VPNs, WiFi/WPA,
802.1x connections
2. 'nmcli' - FULL(capable of administering ALL network areas) CLI-suite
3. 'control-center' - GUI - Press 'Super' key - then type:
a. 'control network'
b. 'nm-connection-editor'
Tasks:
1. 'lspci' - identify available NIC(s)
2. 'dmesg' - reflects last-boot detected hardware
3. 'lsmod | grep e100' - check Kernel driver/module
4. 'ifconfig' - dumps current configuration including default IP address
assignment
a. 'DEV' - useful with other commands: i.e. 'ip'
b. MAC Address information
c. MTU
d. Data in/out
e. Error information
NOTE: 'ifconfig' is NOT deprecated, but should not be used for general IP
administration
NOTE: Use: 'ip' command and its sub-commands to manage network details including
IP, etc.
# DHCP Server #
Features:
1. Auto-configuration of IP-based client
Tasks:
1. Installation of DHCP Server
a. 'yum search dhcp' - 'dhcp.x86_64' + helper packages
a1. 'sudo yum install dhcp'
NOTE: Post-installation, DHCPD does not auto-start because it lacks a
configuration
b. Copy sample '/usr/share/doc/dhcp-4.2.5/dhcpd.conf.example' ->
'/etc/dhcp/dhcpd.conf'
b1. 'sudo cp -v /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example
/etc/dhcp/dhcpd.conf'
c. Peruse and modify this sample file to suit our network
NOTE: Our nodes are multihomed, however, DHCPD will only serve on subnets to which:
1. it is connected
2. Has a 'subnet' declaration in the configuration file
NOTE: To ensure that DHCPD does NOT service unauthorized subnets, modify 'systemd'
startup configuration for DHCPD to ensure that it binds to the desired interface(s)
NOTE: This is the equivalent of forcing the daemon to listen to a specific address:
i.e. MTA
c1. Modify sample configuration to suit our: 192.168.76.0/24 subnet
NOTE: Any directive listed outside of curly braces '{}' is a global/system-wide
directive: i.e. 'domain-name' && 'domain-name-servers', etc.
NOTE: Often times, in organizations, ALL nodes belong to a common domain name: i.e.
'linuxcbt.internal', however, if departments have distinct sub-domains, then use
the 'domain-name' option at the subnet scope level: i.e. 'option domain-name
dev.linuxcbt.internal', 'option domain-name sales.linuxcbt.internal'
NOTE: This will ensure that each department's unique domain name is served
accordingly on a per-subnet basis
NOTE: The same applies to other resources: i.e. 'option domain-name-servers'
NOTE: If problems activating interface(s), simply resort to the $SHELL, and copy an
existing interface configuration and modify accordingly
# DNS #
Features:
1. Name-to-IP(Forward) and IP-to-Name(Reverse) resolution
NOTE: Overwhelmingly, humanity performs 'Forward' queries because it is natural and
easier to remember
Tasks:
1. Search and Install BIND as Caching-Only Server
a. 'yum search bind dns' -> 'bind.x86_64'
b. 'sudo yum install bind'
2. Explore
a. '/etc/named'
a1. '/etc/named.conf'
a2. '/var/named' - top-level directory for:
a2a. 'chroot' environment
a2b. 'slaves' zone(s)
a2c. 'master' zone(s)
a2d. Default (loopback, localhost, root DNS servers, etc.)
5. Perform queries
a. 'dig @192.168.75.121 linuxcbtrouter1.linuxcbt.internal'
Tasks:
1. Install VSFTPD
a. 'yum search vsftpd'
b. 'yum install vsftpd' - NOT enabled by default
c. 'systemctl status vsftpd'
d. 'sudo systemctl enable vsftpd && systemctl status vsftpd && ps -ef | grep
vsftp'
3. Update the SELinux configuration to allow 'normal' users to interact with their
$HOME directories
a. 'getsebool -a | grep ^ftp' - dumps FTP-related SELinux booleans
'ftp_home_dir'
b. 'setsebool -P ftp_home_dir=1'
6. LOGGING
a. '/var/log/messages' - service/daemon(VSFTPD) behaviour(up/down/etc.)
b. '/var/log/xferlog' - uploads/downloads - movement of content
Tasks:
1. Install
a. 'sudo yum install httpd'
b. 'sudo systemctl enable httpd'
c. 'sudo systemctl start httpd'
d. 'ps -ef | grep httpd' - reveals 6 processes
d1. Master process, which spawns N number of child processes
d2. 5 child processes
NOTE: 'error_log' does NOT use the 'LogFormat' VARs in its messages but rather has
a SYSLOG-style representation:
a. TimeStamp
b. Section of Apache that generated the message
c. PID
d. Daemon/Apache area service
e. Message
# Virtual Hosts #
Features:
1. 2-Types
a. IP-Based - one site(web) per IP address - inefficient usage of IPs
b. Host Header Name-based - multiple sites per IP address - efficient way of
using scarce IPv4 resources - relies upon HTTP1.1+
Tasks:
1. IP-Based - .131,.151,.152, .161,.162,.163
a. Add some spare addresses
b. Test access sans VHosts - examine the default behaviour of the default site
NOTE: By default, Apache serves the 'Default' HOST via ALL accessible IPs on the
system
d. 'mkdir /var/www/site1'
e. 'echo "TEST of SITE1: from linuxcbtel71.linuxcbt.internal" >>
/var/www/site1/index.html '
f. 'apachectl graceful && httpd -S' - reload and ensure that VHost is configured
# MariaDB #
Features:
1. RDBMS fork/spawn of MySQL
Tasks:
1. Install MariaDB via YUM
a. 'sudo yum install mariadb mariadb-server'
b. 'sudo systemctl enable mariadb && sudo systemctl start mariadb'
c. 'netstat -ntlp | grep 3306'
# NMap #
Features:
1. Reconnaissance tool - gather information about network participants, services,
etc.
2. Port Scanning -> TCP:{22,80,21,3306},ICMP
3. Host | Device detection -> Mobile, Known Desktop(DELL), etc.
4. Service detection -> What version of SSH, Apache, etc.
5. OS Fingerprinting -> What OS? Which version?
6. Multi-target scanning - expedites the overall scan
7. Largely: Reconnaissance, and partly vulnerability scanner (via NSEs)
Tasks:
1. Install
a. 'yum install nmap' -> 6.40x
b. Absolute latest version -> insecure.org/nmap - this is the PROD route
c. 'nmap -v 192.168.75.0/24'
NOTE: These non-privileged scans are invoked as TCP:CONNECT scans, which complete
the entire TCP lifecycle, which results in a larger TARGET LOG footprint
NOTE: To improve stealth, execute 'nmap' as privileged user: 'root' - TCP:SYN
(half-open connections)
Usage:
1. 'sudo tcpdump -v[v]' - dumps packets to|fro local system and potentially
broadcast packets
2. 'sudo tcpdump -w `date +%F`-01.capture -v -i eno16777736' - does NOT dump to
STDOUT, but rather, reports the number of packets captured thus far and writes to a
file
NOTE: 'tcpdump -w...' - captures ALL layers, so you can then post-process with BPFs
3. 'tcpdump -r 2014-12-23-01.capture' - replays the captured packets (137 packets)
4. 'tcpdump -c 30 -w `date +%F`-02.30-packets.capture -i eno16777736' - captures
30 packets and exits
5. 'tcpdump -A -v -i eno16777736' - dumps L3 details
6. 'tcpdump -e -v -i eno16777736' - dumps L2 details
7. 'tcpdump -n -e -v -i eno16777736' - refrain from name resolution - improves
performance
8. 'tcpdump -n -e -v -i eno16777736 host 192.168.75.121 and host 192.168.75.17'
9. 'tcpdump -n -e -A -v -i eno16777736 host 192.168.75.121 and tcp port 21'
10. 'tcpdump -n -e -A -v -i eno16777736 udp port 123' - capture ALL witnessed
UDP:123 traffic
Usage:
1. Ensure 'firewall-config' is installed
NOTE: 'firewall-cmd' is installed by default, but is somewhat useless because of
the myriad options
a. 'sudo yum -y install firewall-config'
# SELinux #
Features:
1. Restricts access by SUBJECTS (users and/or processes) to: OBJECTS (files)
a. SUBJECTS:
a1. Any user attached in any form to the system
a2. Processes, which are attached to users attached to the system
b. OBJECTS:
b1. Any file on the system
b2. '-', 'd', 'c', 'b', etc.
Tasks:
1. Examine current default
a. Sans: 'nologin' $SHELL tied to user's account, users can typically SSH and
obtain a TTY
3. Update system-wide SSH configuration to force SFTP-only sessions for the named
account:
a. '/etc/ssh/sshd_config'
'ChrootDirectory /home/linuxcbt'
'ForceCommand internal-sftp'
'AllowTCPForwarding no'
'X11Forwarding no'
b. 'sudo systemctl restart sshd'
c. Confirm SFTP-only connectivity
4. Revert ~linuxcbt permissions and test
a. 'sudo chown linuxcbt.linuxcbt /home/linuxcbt'
CAVEAT: Unless you restrict the $USER from modifying the ~/.ssh/authorized_keys file,
there is the risk that they may override your directive (unlike:
'/etc/ssh/sshd_config')
Tasks:
1. 'adduser linuxcbtsftp1 && passwd linuxcbtsftp1'
2. Setup PKI-based login
3. Modify TARGET (SERVER): $HOME/.ssh/authorized_keys - place options before 'ssh-rsa KEY'
4. Test normal SSH connection from CLIENT -> no-pty allocated
5. Use account to move data via: 'dd'
a. 'dd if=1000.txt | ssh 192.168.75.17' - produces the same content from CLIENT
on SERVER
NOTE: This mechanism supports the execution of most commands, including $SHELL
scripts
NOTE: The CLIENT can use different SSH keys to execute different commands on the
SERVER