3232 Exam
To complete:
secure grub with password
gpg Encryption and Decryption
Useful files
/etc/inittab
Useful commands
#ifconfig                    to get ipaddress
#ping desktop15.example.com
#host <ipaddress>            Gives DNS Name
#hostname                    Gives the host name of the machine you are logged in
#dig -x <ipaddress>          Has Question / Answer / Authority / Additional sections
#nslookup <ipaddress>
#nslookup <DNS Name>
#which ls
#rpm -qf /bin/ls
#ln -s <source with path name> <link name> to create soft links
#who -r
#runlevel
#uname -a
#uname -r
#cat /proc/cpuinfo
#cat /proc/meminfo
#cat /proc/partitions
#ps
#ps -a
#ps -aux | less
#top                   more flexibility
#parted /dev/sda       edit partition table. type help for commands that can be used
#partx -d /dev/sda
#partx -a /dev/sda
Signal HUP.
to display label
to change label
#findfs LABEL="mydisk2"
#file <fileName>
#stat <fileName>
User Related
#useradd user1
#useradd -u 10001 -g ftp -G adm,apache -d /var/user123 -c "Comment" -s /bin/bash user123
g => Primary Group
G => Secondary Groups
d => Home directory
c => Comment
s => Login shell
#vim /etc/default/useradd
#id <userid>
#groups <userid>
#usermod -s /sbin/nologin user123
#usermod -L user123
#usermod -aG adm,ftp,student user123    append to the secondary group list
#usermod -G student user123             replace the secondary group list
#gpasswd -a u1 ftp
#gpasswd -M u1,u2,u3,u4 apache
#gpasswd -d u1 apache
#userdel -r u2
#init 1
#runlevel      to see runlevel
or
#who -r        to see runlevel
directory)
ACL
#tune2fs -l /dev/sda5 | grep -i default
If the default mount option is none, it needs to be changed to ACL for the partition
#tune2fs -o acl,user_xattr /dev/sda5
#mount /dev/sda5 /mnt
#cd /mnt
#getfacl /mnt
#setfacl -m u:<userid>:rwx <file/directory>
#setfacl -m g:<group>:rwx <file/directory>
#getfacl <file/directory>
#setfacl -x u:<userid> <file/directory>
#setfacl -x g:<group> <file/directory>
Disk Quotas
#edquota -u <userid>
#edquota -t
Set soft and hard blocks. Hard blocks is the maximum limit.
Soft blocks is the point from which the user gets a warning.
sudo
#visudo
to edit /etc/sudoers file in vim editor (:wq for saving the file)
#visudo -c After adding entries compile the file to make sure no errors
Groups in the file are always preceded by %
Ex: peter,bob,%mygroup ALL= NOPASSWD: ALL
users peter and bob, group mygroup on all servers (since there is no runas list in parentheses
after ALL=, the commands run as root) can execute all commands without requiring a password. This is passwordless root; prefer listing specific commands, as in the next example.
Ex: peter,bob,%mygroup ALL= NOPASSWD: /sbin/fdisk
users peter and bob, group mygroup on all servers (since there is no runas list in parentheses
after ALL=, the command runs as root) can execute only the fdisk command without requiring a password.
All other commands require a password.
Creating LVM
1. Create two LVM type partition /dev/sda5 and /dev/sda6
2. Create PVs
10 extents
80M size
#mkfs.ext4 /dev/myVG/mylv1
or
#mkfs.ext4 /dev/mapper/myVG-mylv1
#mkdir -p /mnt/mylv1
#mount /dev/myVG/mylv1 /mnt/mylv1
or
#mount /dev/mapper/myVG-mylv1 /mnt/mylv1
#df -h
#vim /etc/fstab
/dev/myVG/mylv1 /mnt/mylv1 ext4 defaults 0 0
Reducing LVM
1.
2.
3.
4.
5.
6.
Extending LVM
Can be done online.
No unmounting is needed.
#df -h
#lvextend -L +256M /dev/vg10/lv_home Add additional 256M to lv_home
#df -h
Does not show the increased size, yet
#resize2fs /dev/vg10/lv_home
#df -h
Removing LVM
#lvscan
#lvchange -an /dev/myVG/lv_test to make lvm inactive
Should show lv_test inactive
#lvscan
#lvremove /dev/myVG/lv_test
#lvscan
Removing VG
1. Deactivate all LVMs in the VG
2. Remove all LVMs in the VG
3. Remove VG
#vgremove myVG
mkfs.ext4 /dev/mapper/<cryptLogicalName>
cryptsetup luksClose <cryptLogicalName>
mount /dev/mapper/<cryptLogicalName>
Make an entry in /etc/fstab
Make an entry in /etc/crypttab
Networking concepts
Important files are
/etc/hosts                Local resolver
/etc/resolv.conf          Domain Name, DNS Server ip address must be set here
/etc/sysconfig/network    Global config file. NETWORKING should be YES,
ssh - Data Encryption (traffic is encrypted in transit)
#ssh root@192.168.0.5
#system-config-date
swap
If RAM is 0-4GB,   then swap = 2 + (0.5 of RAM)
If RAM is 4-8GB,   then swap = 4 + (0.5 of RAM)
If RAM is 8-16GB,  then swap = 8 + (0.5 of RAM)
If RAM is 16-64GB, then swap = 16 + (0.5 of RAM)
Kernel install
#lftp 192.168.0.254/updates
#mget kernel*
#rpm -qRp <Kernel Package Name>
to get dependencies
at
Query to see if one off jobs are scheduled
#atq
#at 3:08
at>/sbin/reboot
at>ctrl+d
#atq
#atq
crontab
#crontab -e               edit crontab for current user
#crontab -eu <userid>     edit crontab for specified user
Look in /etc/crontab for the exact format for writing cron entries
Make sure to use which command to get complete path of commands to be
executed as these need to go into crontab.
Ex: for echo command you need to use /bin/echo
#vim /etc/cron.deny     add users in this file to stop them from editing crontab
#vim /etc/cron.allow    add users in this file to allow them to edit crontab (when cron.allow exists, only the users listed in it may use crontab; cron.deny is then ignored)
rpm
#rpm -qa
#rpm -qa | wc -l
#rpm -q <packageName>
#rpm -qRp <packageName>
#rpm -qR <packageName>
#rpm -qlp <packageName>
#yum list all
#yum list installed
#yum list available
#yum search vsftpd
#yum install vsftpd* -y
#yum remove vsftpd* -y
#yum deplist vsftpd*
#which date
#yum provides /bin/date
#yum grouplist
#vim /etc/exports
/kickstart 192.168.0.0/24(ro,sync,no_root_squash)    Share to ips from 192.168.0.0 to 192.168.0.255 (the whole /24). no_root_squash lets a remote root act as root on the export; leave it out unless the client really needs it.
r for re-export and v for verbose
#exportfs -rv
#service nfs restart
#chkconfig nfs on
Squashed NFS access is mapped to the nfsnobody user
Samba Server
#yum install samba* -y
#which smbd
#which nmbd
#ldd /usr/sbin/smbd | grep -i libwrap Nothing found.
#vim /etc/samba/smb.conf
[myshare]
comment = public stuff
path = /share
writeable = yes
valid users = u5
browseable = yes
#useradd u5
#smbpasswd -a u5
#smbpasswd -d u5
#smbpasswd -x u5
#pdbedit -L -w
#mkdir /share
#getenforce
#ls -ldZ /share
Basically,
#mkdir -p /mnt/cifs
#mount -t cifs //192.168.0.254/myshare /mnt/cifs -o username=u5,password=<sambaPassword>    (a credentials=<file> option, with the file mode 0600, keeps the password out of the command line)
#df -h
#vim /etc/fstab
Add the following entry (or use credentials=<file> with mode 0600 instead of a clear-text password in fstab)
//192.168.0.254/myshare /mnt/cifs cifs defaults,username=u5,password=<sambaPassword> 0 0
#umount /mnt/cifs
#df -h
#mount -a
#df -h
#smbclient //192.168.0.254/myshare -U u5
smb>ls
tcp_wrappers
#which vsftpd                              gives /usr/sbin/vsftpd
#ldd /usr/sbin/vsftpd | grep -i libwrap    shows a line. It means tcp_wrappers are supported
#which httpd                               gives /usr/sbin/httpd
#ldd /usr/sbin/httpd | grep -i libwrap     Does not show a line. It means tcp_wrappers are NOT supported
#which sshd                                gives /usr/sbin/sshd
#ldd /usr/sbin/sshd | grep -i libwrap      shows a line. It means tcp_wrappers are supported
#vim /etc/hosts.allow
sshd: .example.com
sshd: 192.168.0.
sshd: ALL EXCEPT .example.com
vsftpd: desktop20.example.com
(hosts.allow is checked first; anything not allowed there can be prevented in hosts.deny)
LDAP
#system-config-authentication
or
on Desktop --> System --> Administration --> Authentication
Select LDAP
DN - dc=example,dc=com
LDAP Server - ldap://instructor.example.com
Check TLS to encrypt connections
Certificate link - http://192.168.0.254/pub/EXAMPLE-CA-CERT (fetched over plain HTTP, so confirm the CA certificate with the instructor before trusting it)
Authentication Method - LDAP Password
Click Apply
On VMs - Look for the sssd service
On Desktops - Look for the nslcd service
/remote /etc/auto.remote
These can have any name
#vim /etc/auto.remote
kick -rw,fstype=nfs 192.168.0.254:/kickstart
restart will not work
#service autofs stop
#service autofs start
#chkconfig autofs on
#cd /remote/kick
#df -h
#cd
to go to your home directory, wait for the timeout period
#df -h
you will not see /remote/kick mount point
#showmount -e 192.168.0.254
If /home/guests is the directory shared on 192.168.0.254 and if this has home directories for
ldap users
#vim /etc/auto.master
/home/guests /etc/auto.ldap
#vim /etc/auto.ldap
ldapuser1 -rw,fstype=nfs 192.168.0.254:/home/guests/ldapuser1 for single user
* -rw,fstype=nfs 192.168.0.254:/home/guests/&
generic for multiple users
SELinux
#yum install setroubleshoot* -y
#vim /etc/sysconfig/selinux
#getenforce
#setenforce 0
#setenforce Permissive
#setenforce 1
#setenforce Enforcing
#semanage fcontext -l
Permissive
Enforcing
#restorecon -R -v /var/ftp/dropbox    R for recursive for all files in the directory and v for verbose
#chcon -Rt public_content_rw_t /var/ftp/dropbox    (a chcon label is lost on the next relabel; for a persistent rule use semanage fcontext -a -t public_content_rw_t '/var/ftp/dropbox(/.*)?' followed by restorecon -R -v /var/ftp/dropbox)
#ls -ldZ /var/ftp/dropbox
Get process booleans
#getsebool -a | less
#setsebool allow_ftpd_anon_write=1    Set process booleans (add -P to keep the setting across reboots)
For troubleshooting and error messages, install setroubleshoot
so that you can use the sealert command
#yum install setroubleshoot* -y
#sealert -a /var/log/audit/audit.log
#cat /var/log/messages | grep setroubleshoot
#sealert -l <alert copied above>
FTP Client
#yum install ftp* -y
#yum install lftp* -y
#ftp 192.168.0.254
#lftp 192.168.0.254
#vim /etc/vsftpd/ftpusers
#vim /etc/vsftpd/user_list
/etc/vsftpd/vsftpd.conf
HTTP/Apache server
#rpm -qa | grep httpd
#yum install http* -y
Default port is 80
Document root is /var/www/html
User is apache
Group is apache
All logs are in the following directories
/etc/httpd/logs
/var/log/httpd
to see configuration files for httpd
here, if needed
DirectoryIndex index.html index.html.var
create a directory for each site (google, yahoo, facebook, twitter - the DocumentRoot paths used below),
Step 2 (Server)
#vim /etc/httpd/conf/httpd.conf
make sure that the following entries exist
Put some text in google.html.
Put some text in yahoo.html.
Put some text in facebook.html.
Put some text in twitter.html.
NameVirtualHost 192.168.0.250:80
NameVirtualHost 192.168.0.250:8080
DirectoryIndex index.html index.html.var
DirectoryIndex google.html google.html.var
DirectoryIndex yahoo.html yahoo.html.var
DirectoryIndex facebook.html facebook.html.var
DirectoryIndex twitter.html twitter.html.var
Listen 80
Listen 8080
<VirtualHost 192.168.0.250:80>
ServerAdmin root@demo.example.com
DocumentRoot /var/www/virtual/google
ServerName google.example.com
</VirtualHost>
#<Directory "/var/www/virtual/google">
#    AllowOverride None
#    Options None
#    Order allow,deny          Allow and then deny all others
#    Allow from all
#</Directory>
<Directory "/var/www/virtual/google">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from desktop3.example.com    Allow google site only from desktop3.example.com.
</Directory>
<VirtualHost 192.168.0.250:80>
ServerAdmin root@demo.example.com
DocumentRoot /var/www/virtual/yahoo
ServerName yahoo.example.com
</VirtualHost>
<VirtualHost 192.168.0.250:8080>
ServerAdmin root@demo.example.com
DocumentRoot /var/www/virtual/facebook
ServerName facebook.example.com
</VirtualHost>
<VirtualHost 192.168.0.250:8080>
ServerAdmin root@demo.example.com
DocumentRoot /var/www/virtual/twitter
ServerName twitter.example.com
</VirtualHost>
<Directory "/var/www/virtual/twitter">
    AuthType Basic          (Basic auth sends the password base64-encoded, not encrypted; rest of this block not captured)
Syntax check
virtual host syntax check
Step 4a (Server)
#useradd user1
#useradd user2
#htpasswd -cm /etc/httpd/.htpasswd user1    c to create the file and m to store user1's password as an MD5 hash
#htpasswd -m /etc/httpd/.htpasswd user2     Since the file already exists, no c is needed.
Step 4b (Server)
#vim /etc/hosts
Add the following entries
192.168.0.250 google.example.com
192.168.0.250 yahoo.example.com
192.168.0.250 facebook.example.com
192.168.0.250 twitter.example.com
Step 5 (Server)
#service httpd restart
#chkconfig httpd on
Step 6 (Server)
#tail -f /var/log/httpd/access_log
Step 7 (Client)
In browser
http://google.example.com
http://yahoo.example.com
http://facebook.example.com:8080
http://twitter.example.com:8080
Step 8 (Server)
#elinks --dump google.example.com
#elinks --dump yahoo.example.com
#elinks --dump facebook.example.com
#elinks --dump twitter.example.com
m => mode
t => type
st => send targets
get UUID
#vim /etc/fstab
Add the following entry
UUID="......." /mnt/iscsi ext4 _netdev 0 0
#mount -a
#iscsiadm -m node -T iqn.2011-12.com.example:server1.desktop16.disk1 -p 192.168.0.1 -u -o delete
u => logout
o => cache it to delete it. No data is deleted
#find -name snow.png
#find / -name '*.txt'
#find /etc -name '*pass*'
#find /home -user joe -group joe
#find /home -user joe -not -group joe
#find /home -user joe -o -user jane
#find /home -not \( -user joe -o -user jane \)
#find / -user joe -o -uid 500
#find / -perm 755
#find / -perm +222
#find / -perm -222
#find / -perm -002
#find / -size 10M
#find / -size +10M
#find / -size -10M
#find /tmp -ctime +10
(each of the expressions above lists the matching files)
#find -size -100M -exec mv {} /tmp/smallfiles/ \;    files that are less than 100M in size are moved with NO PROMPT; -ok instead of -exec prompts for each file move
#find / -type f -group ftp -not -user root -exec cp -p {} /tmp/ftpfiles/ \;
#find / -type f -perm -002 -exec chmod o-w {} \;
#find / -not -perm +111 -name '*.sh' -ok chmod 755 {} \;
Virtual Machine
#virsh destroy <vserverName>
#virsh undefine <vserverName>
to launch Virtual Machine Manager
#virt-manager
/etc    to see how much space it occupies
c => Create
v => verbose
f => file tar
z => gzip
j => bzip2
tar is the only command where destination is given first and source later.
iptables
#iptables -F
#iptables -t filter -F
#iptables -t nat -F
#iptables -t mangle -F
-F flushes the default iptables (filter table); -t filter -F flushes the filter table; -t nat -F flushes the nat table; -t mangle -F flushes the mangle table. Flushing changes only the running rules; the saved rule set is untouched until iptables is saved.
#service iptables save       Save the iptables
#service iptables stop
#service iptables start
#service iptables restart