Rhce Cheat Sheet 6a5623

.tgz # extract (tar/gzip) tar xvzf .tgz # compress (tar/bzip) tar cvjf .tbz # extract (tar/bzip) tar xvjf .tbz

configure an email client on Red Hat Enterprise Linux echo "message" | mail <email> -s "subject" mail <email> -s "subject" <

use text and/or graphical browser to access HTTP/HTTPS URLs • elinks • lynx

use lftp to access FTP URLs

HELP in RHEL5 man man -k

search for specific word in manuals

makewhatis

create manuals database

command --info /usr/share/doc/<service or package>

installed documentation

/usr/share/doc/Deployment-Guide

all the manual

System > Documentation > Deployment Guide elinks /var/www/manual/

Apache Documentation

RHCT skills Troubleshooting and System Maintenance RHCTs should be able to: boot systems into different run levels for troubleshooting and system maintenance append the desired runlevel to grub's kernel line: • 1-5 runs appropriate rc and init scripts • single only runs rc.sysinit • emergency skips all rc and init scripts diagnose and correct misconfigured networking 1. 2. 3. 4. 5. 6. 7. 8. 9.

check /etc/sysconfig/network check /etc/sysconfig/network-scripts/ifcfg- service network restart chkconfig network on ifconfig ping netstat -r ping <default gateway> ping 4.2.2.2

redhat network config tool: system-config-network

diagnose and correct hostname resolution problems 1. 2. 3. 4.

check /etc/nsswitch.conf check /etc/resolv.conf check /etc/hosts dig @ google.com

redhat network config tool: system-config-network

configure the X Window System and a desktop environment install x: yum groupinstall "x window system"

• init respawns /etc/X11/prefdm -nodaemon to keep x running in runlevel 5 • startx to start manually xfs is supposedly required for x windows (even though i can run x fine without it…):

service xfs on chkconfig xfs on

x environment config: • • • • •

/etc/sysconfig/desktop /etc/X11/xinit/xinitrc /etc/X11/xinit/Xclients ~/.xinitrc ~./Xclients

redhat display config tool: system-config-display [--reconfig]

install gnome desktop: yum groupinstall "gnome desktop environment"

switchdesk allows you to change your desktop environment: yum install switchdesk switchdesk

if switchdesk is not available, edit /etc/sysconfig/desktop: DISPLAYMANAGER= DESKTOP=

add new partitions, filesystems, and swap to existing systems partitions

manage partitions: fdisk <device>

n m p t d w q

partprobe

new partition menu print partition table toggle partition type delete partition write changes to disk quit make kernel aware of new partitions

( try also partprobe /dev/sda )

filesystems

make filesystems: mkfs.<ext2|ext3>

mkfs -t ext3 /dev/sda5 mkfs -t ext3 -L home-drive /dev/sda5

label filesystems: e2label <partition> blkid

list UUID and Labels of partitions

manage filesystem settings: tune2fs <partition> dumpe2fs <partition> mkdir /test mount -t ext3 /dev/sda5 /test mount -o acl /dev/sda5 /test

mount with ACL created filesystems

edit /etc/fstab to make mount permanent /dev/sda5

/test

ext3

defaults

0

0

check fstab with mount -a command if recovering /etc/fstab during recovery operation you need to mount read/write: mount -o remount,rw /

swap

note that it's possible to create a swap file instead of a partition: dd if=/dev/zero of= bs=1024 count=<size>

format the file/partition: mkswap <partition|file> nano -w /etc/fstab swapon -va cat /proc/swaps

use standard command-line tools to analyze problems and configure system • check for full filesystems, quotas

Installation and Configuration RHCTs must be able to: perform network OS installation at boot prompt: linux askmethod

implement a custom partitioning scheme configure printing printing is provided by cups: service cups start chkconfig cups on

redhat printer config tool:

system-config-printer

web config tool:

http://localhost:631

printing via command line: # print lpr # view print queue lpq # remove print job lprm <job number>

configure the scheduling of tasks using cron and at cron

make sure vixie cron is installed and running: yum install vixie-cron service crond start chkconfig crond on

1. 2. 3. 4.

if /etc/cron.allow exists, only these s are allowed (/etc/cron.deny is ignored) if /etc/cron.allow does not exist, everyone allowed except s in /etc/cron.deny if neither exists, only root allowed empty /etc/cron.deny means all s allowed (default)

edit your cron jobs: crontab -e

crontab format: <minute> <month> 24

13

*

*

*

/home//script

/etc/crontab has additional field before command. at/batch

make sure at is installed and running: yum install at service atd start chkconfig atd on

1. 2. 3. 4.

if /etc/at.allow exists, only these s are allowed (/etc/at.deny is ignored) if /etc/at.allow does not exist, everyone allowed except s in /etc/at.deny if neither exists, only root allowed empty /etc/at.deny means all s allowed (default)

# add jobs at now + 1 hour at>

at 09:00 2009-07-23 at> batch at> # list jobs atq remove jobs atrm <job>

attach system to a network directory service, such as NIS or LDAP redhat config tools:

system-config-authentication authconfig-tui

required packages for nis:

yum install ypbind portmap

required packages for ldap:

yum install nss-ldap openldap

configure autofs make sure the autofs service is running: service autofs start chkconfig autofs on

ensure the following line in /etc/nsswitch.conf: automount: files nis

define an autofs-controlled mountpoint called test by adding the following to /etc/auto.master: /test /etc/auto.test

create /etc/auto.test: blah example.com:/pub/something * example:/home/&

1. local /test/blah ⇒ remote example.com:/pub/something 2. local /test/ ⇒ remote example:/home/ ( this method can be used to automount home directories) test automounting: ls /test/blah ls /test/ # redhat defaults ls /net/ ls /misc/cd

add and manage s, groups, quotas, and File Access Control Lists redhat /group config tool:

system-config-s

s /etc/wd file format: name::uid:gid:gecos:homedir:shell

/etc/shadow file format: name::lastpwchange:minpwchange:maxpwage:pwchangewarn:inactive:expire

command line management: add <> mod <> mod -aG s <name> chage <> chage -M 30

add to group and keep all other group hips set to expire in 30 days

del <> pwck

• default expiration settings in /etc/.defs groups /etc/group file format: groupname::gid:

command line group management: groups <> groupadd <> groupmod <> groupdel <> grpck gwd -a group <>

quotas

install quota package : yum install quota add fs options to /etc/fstab: usrquota,grpquota remount device mount -o remount <mount point>

init quota database: quotacheck -cugm <device>

enable/disable quotas

quotaon <device> quotaoff <device>

edit quotas edquota -u <> edquota -g

edit grace time edquota -ut <> edquota -gt

check/report quotas quota <> repquota -aug

Access Control Lists

install acl package yum install acl

add fs options to /etc/fstab: acl

remount device: mount -o remount,acl <mount point>

manage acls: # set acls setfacl -m [d:]u:<>: setfacl -m [d:]g: : setfacl -m u::--- /shared/to/secret-file

remove all access to file

# get acls getfacl # remove acls setfacl -x u:<> setfacl -x g:<> setfacl --remove-all setfacl --remove-default

configure filesystem permissions for collaboration 1. 2. 3. 4.

create new group add s to group chown folder to root. chmod folder to 2770 (g+s)

install and update packages using rpm # install rpm -ivh <package>.rpm

this is also required for Samba Group shares

# update rpm -Uvh <package>.rpm # freshen rpm -Fvh <package>.rpm # remove rpm -e <package> # query by file name rpm -qf # a file rpm -Vf > # status of all packages rpm -Va > /tmp/rpm rpm -qi package

get info on installed package

while inside the rescue environment, use the –root option to specify the real location of your root file system (e.g. –root=/mnt/sysimage). properly update the kernel package 1. always do an install (i.e. rpm -ivh ) rather than an update 2. check /boot/grub/grub.conf for proper configuration configure the system to update/install packages from remote repositories using yum or pup yum config goes in /etc/yum.repos.d/ [id] name=my repo baseurl=http://example.com/centos/ enabled=1

create yum repository from installation DVD umount /media/RHEL_5.4\ i386\ DVD/ [root@mail ~]# mkdir /mnt/cdrom [root@mail ~]# mount /dev/cdrom /mnt/cdrom/ mount: block device /dev/cdrom is write-protected, mounting read-only [root@mail ~]# cd /mnt/cdrom/Server/repodata

[root@mail yum.repos.d]# cat rhel-cd.repo

[rhel-cd] name=Red Hat Enterprise Linux $releasever - $basearch - Debug baseurl=file:/mnt/cdrom/Server/ #baseurl=file:///media/RHEL_5.4\ i386\ DVD/Server/

enabled=1 gpgcheck=0 #gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release yum search nmap system-config-packages during installation )

( this will now display package groups available

modify the system bootloader • production config is in /boot/grub/grub.conf • see examples in /usr/share/doc/grub-*/menu.lst implement software RAID at install-time and run-time to start, we need at least two devices/partitions of type “linux raid autodetect” (use fdisk to set partition type to “fd”) create raid device: md --create /dev/md0 --level=<0|1|4|5|6|10> --raid-devices= <device list>

fail disk in array: md /dev/md0 -f <device>

remove disk from array: md /dev/md0 -r <device>

add disk to array: md /dev/md0 -a <device>

stop array: md --stop /dev/md0

check raid status: md --detail /dev/md0 cat /proc/mdstat

format works as usual: mkfs.ext3 /dev/md0

don't forget to configure /etc/fstab appropriately. use /proc/sys and sysctl to modify and set kernel run-time parameters config is in /etc/sysctl.conf # search through parameters sysctl -a | grep <whatever> # apply changes from config file immediately

sysctl -p

use scripting to automate system maintenance tasks configure NTP for time synchronization with a higher-stratum server redhat config tool: system-config-date

• config is in /etc/ntp.conf synchronization configuration example: server 0.pool.ntp.org server 1.pool.ntp.org server 2.pool.ntp.org

apply changes: service ntpd restart chkconfig ntpd on

changes: ntpq -p

RHCE skills Troubleshooting and System Maintenance RHCEs must demonstrate the RHCT skills listed above, and should be able to: use the rescue environment provided by first installation CD linux rescue

• • •

when working in non-chrooted rescue mode: mount /dev/hdc /mnt/source (to access install files on the cd/dvd) rpm commands should use the –root=/mnt/sysimage option

manually make /dev and /proc available in chrooted mode: mount -o bind /dev /mnt/sysimage/dev mount -o bind /proc /mnt/sysimage/proc

diagnose and correct boot failures arising from bootloader, module, and filesystem errors check in order: 1. 2. 3. 4. 5. 6.

mbr /boot/grub/grub.conf /etc/fstab /etc/inittab /etc/rc.d/rc.sysinit /etc/rc.d/rc*.d

7. /etc/rc.d/init.d/* 8. /etc/rc.d/rc.local grub errors

• in general, use the last line before the error message to see where grub error'd out • to find correct value for root option, type find /grub/stage1 at the grub command line ( that all file names in grub.conf are relative to the root option) • check for missing files in kernel and/or initrd lines kernel errors

• missing/corrupt initrd file results in: kernel panic - not syncing: vfs: unable to mount root fs on unknown-block • invalid root parameter for kernel results in: setuproot: error mounting /proc: No such file or directory reinstall grub to mbr: grub-install <device> or

grub grub> find /grub/stage1 grub> root (hd0,0) grub> setup (hd0) grub> quit to protect grub : grub-md5-crypt

to create md5 hash

copy and paste this into /boot/grub/grub.conf ( 2 options – protect editing of GRUB during boot or protect selection of kernel image – for testing ) recreate initrd: mkinitrd

fix corrupt filesystem: fsck <partition>

if fsck is unable to locate a superblock, you can specify an alternative one: dumpe2fs <partition> fsck -b <partition>

diagnose and correct problems with network services (see Installation and Configuration below for a list of these services) see what's listening on what port: netstat -ntaupe

add, remove, and resize logical volumes redhat lvm config tool: yum install system-config-lvm system-config-lvm

create physical volume: pvcreate <device>

create volume group: vgcreate [pv device]

extend volume group: vgextend

create logical volume: lvcreate --size <size>M --name

extend logical volume: lvextend --size <size>M <device> resize2fs <device>

shrink logical volume: resize2fs <device> <size>M lvreduce --size <size>M <device>

remove logical volume: lvremove <device> lvm vgchange -ay lvm lvs

activate lvm Volume Groups in Rescue Mode use these commands to check lvm in rescue mode

lvm vgs lvm pvs lvm vgsan lvm pvscan lvm lvscan mkdir /mnt/sysimage mount /dev/VolGroup00/LogVol00 /mnt/sysimage mount /dev/sda1 /mnt/sysimage/boot

mount root partition mount boot partition

from here you can resize LVM partitions or reinstall grub diagnose and correct networking services problems where SELinux contexts are interfering with proper operation. enable/disable selinux in /etc/sysconfig/selinux: SELINUX=enforcing SELINUXTYPE=targeted

install selinux troubleshooter: yum install setroubleshoot service setroubleshoot start chkconfig setroubleshoot on

install selinux management tool: yum install policycoreutils-gui

list selinux errors: sealert -a /var/log/audit/audit.log | less

launch gui browser: sealert -b

list selinux booleans: getsebool -a

set selinux boolean: setsebool -P = <0|1>

make persistent SELinux changes

(check ftp, nfs, http, smb for such problems )

list security contexts: ls -Z

change security contexts: # using reference (copy contexts from existing known-good file) chcon -R --reference # manual chcon -R -u <> chcon -R -t use semanage fcontext to survive a relabel of filesystem ( especially when changing SELinux from ON to OFF to ON ) semanage fcontext -a -t public_content_t '/www/data/html(/.*)?' restorecon -vvFR /www/data/html

restore default context

Installation and Configuration RHCEs must demonstrate the RHCT-level skills listed above, and they must be capable of configuring the following network services. For each of these services, RHCEs must be able to: • • • • •

install the packages needed to provide the service configure SELinux to the service configure the service to start when the system is booted configure the service for basic operation Configure host-based and -based security for the service

HTTP/HTTPS install yum install httpd mod_ssl httpd-manual

selinux

make new DocumentRoot match default DocumentRoot ( apache will serve files from):

this applies to any directory that

chcon -R --reference /var/www /www

start at boot chkconfig httpd on

basic config

• requirements for ~/ directories: • Dir directive • chmod 701 the 's home directory • change security context on the 's Dir • requirements for .htaccess file usage: • AllowOverride All directive • requirements for name-based virtual hosts: • NameVirtualHost *:80 and NameVirtualHost *:443 directives • each virtual host requires appropriate ServerName and ServerAlias directives • a single virtual host cannot span multiple ports (i.e. 80 and 443). two separate VirtualHost *:<port> sections are needed to do this. self-signed ssl cert: cd /etc/pki/tls/certs rm localhost.crt make testcert.pem edit /etc/httpd/conf.d/ssl.conf change following lines to point to new certificate :

SSLCertificateFile /etc/pki/tls/certs/dino.pem #SSLCertificateFile /etc/pki/tls/certs/localhost.crt # Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. Keep in mind that if # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) SSLCertificateKeyFile /etc/pki/tls/certs/dino.pem #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

check virtual host config: httpd -D DUMP_VHOSTS

host-based security

firewall config: protocol ports t 80, 443 hosts are allowed by default and must be explicitly denied: Order deny,allow Deny from 192.168.0.0/255.255.255.0 Deny from badguys.example.com

hosts are denied by default and must be explicitly allowed: Order allow,deny Allow from 192.168.0.0/255.255.255.0 Allow from goodguys.example.com

-based security

create web file: htwd -c /etc/httpd/webs test1 htwd /etc/httpd/webs test2

create web group file (/etc/httpd/webgroups): testgroup: test1 test2

allow access by group: AuthType Basic AuthName "top secret area" AuthFile /etc/httpd/webs AuthGroupFile /etc/httpd/webgroups Require group testgroup

service functionality

test http/https: elinks :// /[path]

SMB install yum install samba samba-client

selinux

allow samba to share home directories: setsebool -P samba_enable_home_dirs=1

mark a directory as shareble with samba: chcon -R -T samba_share_t

start at boot chkconfig smb on

basic config

redhat samba config tool: yum install system-config-samba system-config-samba

set workgroup/domain: workgroup = <workgroup>

security modes: # connections check local pwdb (default) security = # member server on a domain, uses pwdb on a dc security = domain workgroup = EXAMPLE # member server on an ad domain using kerberos, uses pwdb on a dc security = ads realm = EXAMPLE.COM server = kerberos.example.com # used when samba was not capable of being a domain member server (DO NOT USE) security = server encrypt s = yes server = # each share requires a (DO NOT USE) security = share

share options: [<share name>] # path for share path = <path> # share is visible browseable = # rw enabled writeable = # this is a shared printer printable =

# all s connecting to this share use as their primary group group =

domain: net rpc -U root mount -t cifs 192.168.0.200:shared-folder /mnt/share -o =<>

fstab example: // /<share> <mountpoint> 0 0

cifs

=<name>,=<>

mount.cifs and umount.cifs need to be chmod'ed u+s in order to be used by non-root s host-based security

firewall config: protocol ports t 139, 445 udp 137, 138 hosts allow/deny can be used per-server or per-share: hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 hosts deny = 0.0.0.0/0

-based security

maintenance: # add (local linux must exist first, or be translated via /etc/samba/smbs): smbwd -a <name> # enable/disable : smbwd -e <name> smbwd -d <name> # remove : smbwd -x <name>

service smb reload may be needed after changes share access: valid s = <1> @

• share access is also controlled by unix file permissions service functionality

list shares: smbclient -L -U <name>

browse shares: smbclient // /<share> -U <name>

test allow/deny statements for a host: testparm /etc/samba/smb.conf

NFS install yum install portmap nfs-utils

start at boot chkconfig chkconfig chkconfig chkconfig

portmap on nfs on nfslock on netfs on

basic config

redhat config tool: yum install system-config-nfs system-config-nfs

format of /etc/exports: <mountpoint> ( ) [ ( ) ...]

activate new exports: /etc/init.d/nfs restart

host-based security

edit /etc/sysconfig/nfs and restart nfs to set static ports firewall config: # see ports rpcinfo -p open ports 111, 2049 and rpc ports defined in /etc/sysconfig/nfs

host based security is intrinsic to the format of the exports file -based security

use standard file permissions service functionality

list exports: showmount -e

FTP install yum install vsftpd

selinux

allow local s to and cd into home directories: setsebool -P ftp_home_dir=1

start at boot chkconfig vsftpd on

basic config host-based security

• use iptables with -[!]s option firewall config: protocol ports t 21 ftp data transfers will not work unless ip_conntrack_ftp is added to IPTABLES_MODULES in /etc/sysconfig/iptables-config t_wrappers example: vsftpd : 192.168.0.

-based security

• allow/deny controlled via /etc/vsftpd/_list ( s in /etc/vsftpd/ftps are always denied via pam) • default allow/deny is configured by list_deny statement in vsftpd.conf service functionality

test ftp: ftp <server>

Web proxy install yum install squid

selinux

allow squid to connect to the network (this is recommended, but was not needed in my testing): setsebool -P squid_connect_any=1

start at boot chkconfig squid on

host-based security

firewall config: protocol ports t 3128 Edit /etc/squid/squid.conf visible_hostname www.quake.lan allow access from local networks: acl our_networks src 192.168.1.0/24 192.168.2.0/23 http_access allow our_networks

with blocklist

acl our_networks src 192.168.1.0/24 192.168.2.0/23 acl block-sites dstdomain .yahoo.com .hotmail.com acl block-words url_regex sex cunt penis movies http_access deny block-sites http_access deny block-words http_access allow our_networks -based security

Install ncsa_auth htwd /etc/squid/wd name

create name / file

Edit /etc/squid/squid.conf auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/wd auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours auth_param basic casesensitive off acl ncsa_s proxy_auth REQUIRED http_access allow ncsa_s service functionality

test proxy: HTTP_PROXY=<server>:3128 elinks

SMTP Using Sendmail yum install sendmail sendmail-cf edit /etc/mail/sendmail.mc dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

LOCAL_DOMAIN(`example.com')dnl build new sendmail.cf : make -C /etc/mail edit /etc/mail/access Connect:192.168.0

RELAY

allow relay from local LAN

edit /etc/mail/local-host-names example.com

domains hosted on our server

quake.lan edit /etc/mail/virtualtable [email protected]

[email protected]

virtual s mappings

/etc/aliases root:

tony:

mark

run newaliases to build new file

to enable masquerading in sendmail

edit /etc/mail/sendmail.mc MASQUERADE_AS(`mydomain.com')dnl FEATURE(masquerade_envelope)dnl FEATURE(masquerade_entire_domain)dnl MASQUERADE_DOMAIN(localhost)dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl MASQUERADE_DOMAIN(mydomain.lan)dnl

aliases to other s

MAILER(smtp)dnl MAILER(procmail)dnl rebuild sendmail.cf file ( make -C /etc/mail ) check mail ing through : /var/log/maillog check /var/spool/mail to see mailboxes

install yum install postfix alternatives --config mta service sendmail stop

start at boot chkconfig postfix on

basic config

listen on public interfaces: inet_interfaces = all

specify all destination hostnames/domains: mydestination = , , ...

specify origin domain: myorigin = $mydomain

local aliases in /etc/aliases (

dont forget to run newaliases to apply changes):

: <1>[, 2]

virtual aliases in /etc/postfix/virtual ( changes):

dont forget to run postmap /etc/postfix/virtual to apply

: <>

enable virtual aliases: virtual_alias_maps = hash:/etc/postfix/virtual

outbound address rewriting in /etc/postfix/generic ( /etc/postfix/generic to apply changes):

dont forget to run postmap

: <>

enable outbound aliases: smtp_generic_maps = hash:/etc/postfix/generic

host-based security

• use iptables with -[!]s option firewall config: protocol ports t 25 -based security

use smtp auth? service functionality

test smtp: telnet <server> 25

IMAP, IMAPS, and POP3 install yum install dovecot

start at boot chkconfig dovecot on

basic config

enable protocols: protocols = imap imaps pop3 pop3s

create custom ssl cert: nano -w /etc/pki/dovecot/dovecot-openssl.cnf /usr/share/doc/dovecot-*/examples/mkcert.sh service dovecot restart or

mv /etc/pki/dovecot/certs/dovecot.pem /etc/pki/dovecot/certs/dovecot.pem.orig mv /etc/pki/dovecot/private/dovecot.pem /etc/pki/dovecot/private/dovecot.pem.orig cd /etc/pki/tls/certs/ make dovecot.pem dovecot.pem /etc/pki/dovecot/certs/ dovecot.pem /etc/pki/dovecot/private/ host-based security

use iptables with -[!]s option protocol ports t 143, 110, 995, 993

-A RH-Firewall-1-INPUT -p t -m t -s 192.168.0.0/24 --dport 143 -j ACCEPT -A RH-Firewall-1-INPUT -p t -m t -s 192.168.0.0/24 --dport 25 -j ACCEPT -based security

use pam_listfile in /etc/pam.d/dovecot service functionality

test mailbox : mutt -f ://<>@<server>

SSH install yum install openssh-server

start at boot chkconfig sshd on

Generate Public / Private key pair

ssh-keygen -t rsa

create public / private keys for

ssh-copy-id -i .ssh/id_rsa.pub server_IP

send public key and install in server

ssh-keygen -p

create for ssh keys to be used

-based security

allow/deny access: Allows 1 2 [email protected] Denys 4 5 [email protected]

host-based security

• use ipchains with -[!]s option firewall config: protocol ports t 22 t_wrappers example: sshd : 192.168.0.

service functionality

test logging in: ssh <>@<server>

DNS (caching name server, slave name server) install yum install bind-chroot caching-nameserver system-config-bind

start at boot chkconfig named on setup bind with system-config-bind make sure there is no file /var/named/chroot/etc/named.conf system-config-bind this will ask to create new named.conf Now start editing DNS Server options > right click on DNS Server > EDIT add Forwarders > Ipv4 > 192.168.0.200

New > View > name: External > From ACL : any to ACL : any Once saved all other settings are migrated into the View.

Right click on DNS Server or View > Add Zone > Class : Internet Origin Type : Forward quake.lan Zone Type : master go on quake.lan > right click > Add > A,MX,CNAME,PTR records check DNS resolution with dig or nslookup open IPTABLES ports 53 UDP and T.

basic config

copy sample config: -a /var/named/chroot/etc/named.caching-nameserver.conf /var/named/chroot/etc/named.conf

caching-only nameserver: • edit listen-on directives (comment out to listen on all interfaces) • edit allow-query directives (comment out allow queries from everyone) • edit match-clients and match-destinations directives to allow recursive queries from other hosts slave nameserver: • get slave example from /usr/share/doc/bind-*/sample/etc/named.conf

host-based security

firewall config: protocol ports t 53 udp 53 allow-query example: allow-query { 192.168.0.0/16; localnets; };

-based security

N/A service functionality

test query: dig @<server> <domain>

test zone transfer: dig @<server> <domain> axfr

NTP install yum install ntp

start at boot chkconfig ntpd on

host-based security

firewall config: protocol ports udp 123 allow other servers to sync with us: restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

-based security

N/A service functionality

show peers: ntpq -p

RHCEs must also be able to:

configure hands-free installation using Kickstart yum install system-config-kickstart

1. make installation tree available 2. create kickstart file (use system-config-kickstart to create ks.cfg) and validate (using ksvalidator) 3. validate kickstart file 4. make kickstart file available • bootable diskette (place in top level directory) • bootable cdrom (place in top level directory) • network (http, ftp, nfs) 5. use bootable media and supply appropriate kernel parameter ks=floppy:/ks.cfg ks=cdrom:/ks.cfg ks=http://example.com/ks.cfg ks=nfs:example.com:/ks.cfg

implement logical volumes at install-time use iptables to implement packet filtering and/or NAT do not use system-config-securitylevel, as it will overwrite your custom iptables rules. the following method seems to be the best way to go: 1. make changes in /etc/sysconfig/iptables to load conntrack modules 2. run /etc/init.d/iptables restart to apply changes packet filtering

packet filtering example: -A -p -m [-s[!] <source address>] --dport <destination port> -j ACCEPT -A RH-Firewall-1-INPUT -p t -m t -s 192.168.0.0/24 --dport 631 -j ACCEPT

NAT

enable ip forwarding in /etc/sysctl.conf: net.ipv4.ip_forward = 1

to test from another machine: ip route replace default via

inbound dnat: iptables -t nat -A PREROUTING -p --dport <destination port> -j DNAT --to-dest <private server>:<port>

outbound dnat: iptables -t nat -A OUTPUT -p --dport <destination port> -j DNAT --todest <private server>:<port>

masquerading: iptables -t nat -A POSTROUTING -o -j MASQUERADE

snat: iptables -t nat -A POSTROUTING -j SNAT --to-source :<port>

setup for router to internet Check Deployment guide chapter for IPTABLES syntax

Setup RH Firewall with default settings using eth0 to Internet while eth1 to LAN. vi /etc/sysct.conf and set

net.ipv4.ip_forward = 1

add following rules from CLI: iptables -A FORWARD -i eth1 -j ACCEPT iptables -A FORWARD -o eth1 -j ACCEPT iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -t nat -A PREROUTING -i eth0 -p t --dport 80 -j DNAT --to 192.168.188.133:80 iptables-save > /etc/sysconfig/iptables Add extra rules to the RH-FIREWALL-1 ACCEPT / DENY statements

use PAM to implement -level restrictions module documentation

• /usr/share/doc/pam-*/txts module configuration

• /etc/pam.d • /etc/security <module interface> <module name> <module arguments>

module interface

description

authentication (e.g. verifies , set group hip or kerberos tickets, etc.) verifies that access is allowed (e.g. expired ?, check group hip, etc.) handles changes session manages sessions (e.g. mount home dir, create mailbox, logging, etc.) control flag description required must , continue testing on failure auth

requisite sufficient optional include

must , stop testing on failure failure is ignored, but if ing so far, return success at this point or failure is irrelevant include another file

pam_listfile.so example

allow/deny s if listed in /etc/special: auth required pam_listfile.so onerr=success item= sense= file=/etc/special

Additional Notes t_wrappers file format: : [except ] [:

Rhce Cheat Sheet 6a5623

Overview 26281t

More details 6y5l6z

Related Documents 3h463d

Rhce Cheat Sheet 6a5623

Rhce 6m662s

Cheat Sheet 35c2d

Cheat Sheet 35c2d

Cheat Sheet 35c2d

Cheat Sheet 35c2d

More Documents from "Biswadip Gupta" 7226r

Rhce Cheat Sheet 6a5623

Abs Theory 6cw3m

Teradata-advanced-sql-part1.pdf 6c1f3n

Icmr Rda-2010.pdf 5l3160

4p345f

2-d Viewing And Clipping 2z533f