Texas Tech University



Notes from

Fedora Linux Toolbox: 1000+ Commands for Fedora, CentOS, & Red Hat Power Users

Christopher Negus 978-0470082911

last modification: 9/13/21

Amazon Link for 2013 Book

: Why, When and How to use a Virtual Machine

Ch1: Starting with Fedora Linux

About:

Fedora ()

CentOS ()

Backtrack now Kali () (Documentation for Kali)

DistroWatch ().

Linux Timeline: (Google linux+distro+timeline)

Comparing

Fedora is the rapid-development, cutting edge Linux system

Novell Suse same basic dual-distribution

Debian a high-quality Linux distribution

Many derivative Linux distributions-- Ubuntu Linux, KNOPPIX live CD based on Debian.

Why command line?

GUIs are meant to be easy & intuitive

Almost any time something goes wrong

Remote systems administration

Features not supported by GUI

GUI is broken or not installed

Finding Commands

bash: anycommand: command not found

why?:

You mistyped the command name.

anycommand is not in your PATH.

Might need to be the root user for the command to be in your PATH.

anycommand not installed on your computer.

Command and Sample Output Description

type mount Show the first mount command in PATH.

whereis mount Show binary, source, and man pages for mount.

locate bash.ps Find bash.ps anywhere in the file system.

which umount Find the umount command anywhere in your PATH or aliases.

rpm -qal |grep umount Find umount in any installed package.

yum whatprovides bzfs find out which package provides some feature or file

yum search somefise find any packages matching in the description, summary & package fields

Command Reference Info

-h or –help

ls --help | less

apropos crontab

whatis cat

man find

info ls

Other Notes

Installing Kali version 1.0.4 (Backtrack 6 ish) Current version 9/3/2019 is Kali Linux 2019.3

I had display resolution problems after I did all of this, so it is a work in progress ϑ

1. Download the correct iso from here:

2. Open vmware (fusion or workstation)

3. Install kali from iso

I left most stuff at the default install setting except I bumped RAM to 1024

Before you do anything else copy the vmware file to a backup if possible.

4. Log in as root

5. Open terminal

6. apt-get update --fix-missing

7. apt-get install kde-plasma-desktop (from here)

I deviated from the video and set the display manager to kdm

Other instructions can be found here

8. apt-get install yakuake

Up to here it seems to work

9. apt-get install open-vm-tools (from here)

Ended up with 9GB used out of the 20GB I allocated to it

Ch2: Installing and Adding software

USB flash:

Get diskboot.img from one of the online mirrors then execute:

dd if=/media/cdrom/diskboot.img of=/dev/sda

Choosing how install proceeds:

boot: linux text

Other boot options (p17 -- 10%):

Boot Prompt HOWTO (HOWTO/BootPrompt-HOWTO.html)

nodmraid

norobe

selinux=0

Installation screens (p18 -- 11%)

Test media, Language, Keyboard, Install or upgrade, Disk partitions, boot loader, network, time zone, root password, software packages, reboot

yum:

repos (p21 -- 12%)

yum list

yum info wordpress

yum search mp3

yum whatprovides ogg123

yum install wordpress

yum groupinstall XFCE

yum update

yum

yum --disablerepo=livna search yum-utils

yum --enablerepo=livna install mplayer

yum –exclude=somepackage update



rpm: (14%)

rpm -ivh some.rpm

rpm -Uvh some.rpm

rpm -e badpackage

rpm -q or -qa or -ql somepackage or rpm -qa | grep ogg

rpm -qi somepackage or -ql somepackage or -qlp some.rpm

Ch 3: Using the shell

Setup:

To get use of the function keys in your virtual machine on a Macbook: in the virtual machine’s settings under keyboard & mouse set Mac Profile

Basic use:

gnome-terminal -x alsamixer Start terminal with alsamixer displayed

xterm

konsole

yakuake

Virtual Terminals

Ctrl-Alt-F1 to F6

ps ps a ps au ps ax ps aw

/etc/inittab & upstart

bash history

history

history 5

!! (rum previous command)

Ctrl-r to search for string in history

Command line completion

tracer Command completion: Completes to traceroute command

cd /home/ch File completion: Completes to /home/chris directory

cd ~jo User homedir completion: Completes to /home/john

echo $PA Env variable completion: Completes to $PATH

Redirecting stdin, stdout, stderr

ls /tmp /tmpp

ls /tmp /tmmp > output.txt

ls /tmp /tmmp 2> errors.txt

ls /tmp /tmmp 2> errors.txt > output.txt

ls /tmp >> output.txt

ls /tmp 2> /dev/null

mail chris < /etc/hosts

ls /tmp | sort

ls /tmp/ /tmmp 2> /dev/null | sort

rpm -qa | grep -i sql | wc -l

Using backticks, you can execute one section of a command line first and feed the output of that

command to the rest of the command line. Here are examples:

rpm -qf `which ps`

ls -l `which traceroute`

Misc

pwd, whoami

Using alias

~/.bashrc or /etc/bashrc

alias ll="ls -lh"

alias la="ls -lah"

alias cl="cd /var/log"

alias ct=”cd /usr/local/tomcat”

Others

.bashrc

watch cat /proc/loadavg

su

su bob

sudo & /etc/sudoers (root ALL=(ALL) ALL)

Environment variables

export PS1='\e[1A\e[s\e[H\e[37;41;1m\e[K \e[1C\u@\h \e[5C \w \e[5C \d \e[5C [\A] \e[0m\e[u\n--> '

()

PS1, PS2, PS3, PS4

set & env

export ABC=123

export PATH=$PATH:/home/fcaen

NEVER NEVER put . In your path

Simple shell scripts

debugging

java scripts

DailyQuote (~/java & ~/Dropbox/Ike/4361/Examples

/etc/crontab

/etc/cron.daily/newquote

myscript.sh

chmod u+x myscript.sh also talk about file permissions (table 4.1 22% loc 830)

#!/bin/bash

MYSTRING=abc

if [ $MYSTRING = abc ] ; then

echo “The variable is abc”

fi

To negate the condition

MYSTRING=abcd

if [ $MYSTRING != abc ] ; then

echo “The variable is not abc”

fi

Examples testing for numbers

MYNUMBER=1

if [ $MYNUMBER -eq 1 ] ; then echo “MYNUMBER equals 1”; fi

if [ $MYNUMBER -lt 2 ] ; then echo “MYNUMBER less than 2”; fi

if [ $MYNUMBER -le 1 ] ; then echo “MYNUMBER less than or equal to 1”; fi

if [ $MYNUMBER -gt 0 ] ; then echo “MYNUMBER greater than 0”; fi

if [ $MYNUMBER -ge 1 ] ; then echo “MYNUMBER greater than or equal 1”; fi

Testing File names

filename=$HOME

if [ -e $filename ] ; then echo “$filename exists”; fi

if [ -f “$filename” ] ; then

echo “$filename is a regular file”

elif [ -d “$filename” ] ; then

echo “$filename is a directory”

else

echo “I have no idea what $filename is”

fi

Other file test operators (table 3.1 p46 20% loc 728)

case “$VAR” in

string1)

{ action1 };;

string2)

{ action2 };;

*)

{ default action } ;;

esac

for NUMBER in 0 1 2 3 4 5 6 7 8 9

do

echo The number is $NUMBER

done

for FILE in `/bin/ls`; do echo $FILE; done

x=1

while [ $x -le 5 ]

do

echo "Welcome $x times"

x=$(( $x + 1 ))

done

VAR=0

until [ $VAR -eq 3 ]; do echo $VAR; VAR=$[$VAR+1]; done

---------------

#!/bin/bash

#simple script to show command line args and if test

echo $0

echo $1

echo $2

if [ "$1" ]; then

echo string not empty

else

echo string empty

fi

Debugging

bash -x myscript.sh

1 Debugging on part(s) of the script

.

set -x # activate debugging from here

w

set +x # stop debugging from here

and yes it is wierd that it is backwards – is on + is off

The Bash Guide for Beginners

& man bash

DrJohn other useful things:

yakuake

fuse rpms

encfs ~/.data ~/data

sshfs bob@jrdoffice:/home/bob/Ike /Gandalf/RemoteSites/Ike

sudo mount -t cifs '//Ariel/Easy' ~/Easy -o credentials=/Gandalf/configs/.what,uid=500,gid=500

subnet scans

sudo ping -b 10.0.1.0

sudo nmap -v 10.0.1.0/16

Ch 4: Working with Files

Everything in a Linux file system can be viewed as a file (data files, directories, devices, pipes, etc)

Regular files: (20% loc 764)

file somefilename --determine type of file

touch /home/bob/newfile.ext -- create blank file

> /home/bob/newfile.txt -- create blank file

ls -l /usr/bin/apropos

file /usr/bin/whatis

file /bin/ls

directories

mkdir

x permission must be on or users can not use directory as their current directory

umask umask -S (23% loc 852)

Symbolic & Hard Links

ln -s /path/somefile.txt /newpath/symlink.txt

symbolic link – own set of permissions, can exist on different partitions, new inode number

ln /path/file.txt /newpath/hardlink.txt

hard link – same permissions, cannot exist on different partitions, same inode number

ls -li --show all info and inode numbers

symlinks ./ -- show all symbolic links in current dir

symlinks -r ./

symlinks -rv ./

device files overview only (21% loc 800)

named pipes & sockets overview only (22% loc 807)

Permissions (Table 4.1 22% loc 830)

421421421 -- rwxrwxrwx -- usergroupother

original permssions new

chmod 0700 any rwx------

chmod 0711 any rwx—x--x

chmod go+r rwx------ rwxr—r--

chmod 0777 any rwxrwxrwx

chmod a=rwx any rwxrwxrwx

chmod a+rwx any rwxrwxrwx

chmod -R 700 recursive

first 0 in all above = set-UID = 4, set-GID = 2, sticky = 1 (

set-UID will now work for shell scripts

only on ext2, ext3, ext4 file systems (24% loc 900)

lsattr, chattr --- a (append only), c (compressed), d (no dump), i (immutable), j (data journaling), s (secure deletion), t (no merging), u (undeletable), A ( no atime updates), D (synchronous directory updates), S (synchronous updates), T (top of directory hierarchy)

chattr +A somefile

good to check the attributes once in a while for security purposes

Ownership

chown bob test/

chown bob:bob

chown -R bob /

traversing file system

cd or cd ~ -- change to user home directory

cd - -- change to previous directory

cd /tmp -- change to tmp off of root

cd tmp -- change to tmp off of current dir

cd .. -- change to parent dir

Copying files

cp -a /var/www/html /backupdisk

cp -R /var/www/html /backupdisk

backup methods

dd (24% loc 879)

as root:

dd if=/dev/sdg bs=512 count=1 of=$BACKUPDIR/sdg_MBR

/sbin/fdisk /dev/hda -l > $BACKUPDIR/hda_partition_table.txt

Searching for files (25 % loc 917)

updatedb

/etc/updatedb.conf

locate & locate -i & locate -r (regluar expression)

which

find / -name e100 (25% loc 925)

Other options for files

ls -l, ls -la, ls -t, ls -i etc (26% loc 955)

alias ll="ls -lh"

alias la="ls -lah"

alias cl="cd /var/lo"

md5sum someFile.txt (26% loc 964)

sha1sum someFile.txt

sha1sum -c SHA1SUM.txt

lsof ---list open files

filelight ---diskusage

tripwire

Ch 5: Manipulating Text

Regular Expressions

a* any set of characters. a, ab, abc, aefopq

. any single character. a.c matches abc adc aqc

[ ] Matches a single character in the brackets a[bcd]e abe ace ade

[^ ] Matches a single character not in the brackets a[^bc]e aqe ade

^a a at the beginning of a line

*a$ a at the end of a line

a.c three character string starting with a and ending with c

[bcf]at bat, cat, or fat

[a-d]at aat, bat, dat ...

[A-D]at Aat ...

1[3-5]7 137, 147, 157

\tHello a tab character preceding the word Hello

\.[tT][xX][Tt] txt, Txt, TXt ...



Editing text files

vi, vim (), joe, emacs, pico, nano

Listing text files

cat myfile.txt

cat myfile.txt > newcopy.txt

cat myfile.txt >> append.txt

cat -s myfile.txt display consecutive blank lines as one

cat -n myfile.txt show numbers on lines

cat -b myfile.txt show numbers on non blank lines

head myfile

cat myfile | head

head -n 10 myfile

ps auxw | head -10

tail myfile

tail -n 25 myfile

tail -f /var/log/httpd/access_log watch web server log continuously

more myfile.txt

less myfile.txt

/bob search for a string (bob) in a file

/ repeat search

pr quick text formatting tool

rpm -qa | sort | pr - -column=2 | less

Searching for text

grep francois myfile.txt

grep 404 /var/log/httpd/access_log

ps auwx | grep init

ps auwx | grep “\[*\]”

grep -Rn xdg /etc - directory tree with line numbers in result

Sorting output

rpm -qa | grep kernel | sort

rpm -qa | grep kernel | sort -r reverse order

ps auxw | sort -k 4,4

ps auxw | sort -k 2,2n

Replacing text with sed

cat myfile.txt | sed s/christopher/chris/

sed s/christopher/chris/ < myfile.txt > newmyfile.txt

Checking for differences between files with diff

diff /etc/named.conf.rpmnew /etc/named.conf

diff -u f1.txt f2.txt -- adds modification dates and times to output

seq 1 15 > f1.txt

sed s/4/four/ < f1.txt > f2.txt

vimdiff f1.txt f2.txt -- opens files side by side in vim

Using awk to process columns

ps auxw | awk '{print $1 $11}' --only show columns 1 & 11

ps auxw | awk '/bob/ {print $1, $11}' --show bob's processes

Converting text files to different Formats

unix2dos < f1.txt > f2.txt

dos2unix < f2.txt > f1.txt

Other



((CategoryDistributions))

Book Excerpt: A Practical Guide to Fedora and Red Hat Enterprise Linux

Ch 6: Multimedia

To split avi (or other video) files: Online Documentation

ffmpeg -ss 01:09:12 -t 01:15:23 -i Family-19970512-19971225.avi ./19970702.avi

To join avi (or other video) files: Online Documentation

mencoder -ovc copy -oac copy -o 19950326-BelindaTap.avi 19950326-BelindaTap-1.avi /

19950326-BelindaTap-2.avi

To convert between types of video (Do not use on DRM files!)

transcode -y xvid -Z 720 -b 224 -i VTS_03_1.VOB -o newfile.avi

transcode -y xvid -Z 720 -b 224 -i oldfile.mpg -o newfile.avi

works ok but you loose 5.1 surround

Handbrake

Brief Audio tools

play -h

play somesong.wav

play hi.au vol .6

ogg123 mysong.ogg

ogg123 -z *.ogg --play in random order

ogg123 -Z *.ogg -- play in random order forever

ogg123 /home/bob/music -- play music in music and subdirectories

mpg321 mysong.mp3

mpg321 -@ myplaylist

alsamixer

alsamixergui

cdparanoia -vsQ -- is CD drive capable of ripping music

cdparanoia -B -- rip tracks as wav files by track name

cdparanoia -B -- “5-7” -- rip tracks 5, 6, 7 as seperate files

oggenc mysong.wav -- encodes mysong from wav to ogg

oggenc ab.flac -o ab.ogg -- encodes flac to ogg

oggenc song.wav -q 9 -- raises quality level from default of 3 to 9

oggenc song.wav -o song.ogg -a Bernstein -G Classical -d 06/05/1972 -t “Simple Song” /

-l “Album Name” -c info=”From Kennedy Center”

-- sox the Swiss army knife of audio manipulation (Online Documentation)

sox head.wav tail.wav output.wav -- concatenate two wav files

sox sound1.wav -a stat -- display information about the file

Ch 7: Administering File Systems

Basic File system partitions (three basic types)

swap, boot, root

ext3 == ext2 + journaling

linux supports ext4, ext3, ext2, iso9660, Jffs21, jfs, msdos, ntfs, squashfs, swap, ufs, vfat, xfs

others nfs, sshfs, encfs, cifs & others (FUSE)

Partitioning:

install: used to be called Disk Druid

fdisk or parted

fdisk

/sbin/fdisk -l -- shows all partitions

(After Fedora 7 all IDE, SCSI, & SATA use /dev/sd..)

(newer Fedoras use the UUID – see the /etc/fstab file & /dev/disk

/sbin/fdisk -l /dev/sda

/sbin/fdisk /dev/sda --work on a particular disc

m --gets command listing

n --new partition (assumes ext3 type unless told otherwise)

d --delete partition

w --write changed info to disc (BE CAREFUL!)

parted

newer more functionality

GUI: gparted or qtparted

1. sudo /sbin/parted -l /dev/sda

Model: ATA ST31000340AS (scsi)

Disk /dev/sda: 1000GB

Sector size (logical/physical): 512B/512B

Partition Table: msdos

Number Start End Size Type File system Flags

1 32.3kB 215GB 215GB primary ext3 boot

2 215GB 429GB 215GB primary ext3

changes immediately written to disk!

man parted shows brief listing info parted much more complete

in parted session help shows commands, mkpart creates new partition

both following will usually destroy file systems!

resize 2 will resize linux partitions (#2)

use the ntfsresize command to resize ntfs partitions

ntfsinfo

Both tools above only change parition table they do not format the partition

mkfs -t ext3 /dev/sda1

mkfs -t ext3 -v -c /dev/sda1 -- more verbose output and check for bad blocks

mkfs -t ntfs /dev/sda2

-- always put -t filesystemtype first

Working with existing partitions

Backup / Restore

sudo /sbin/sfdisk -d /dev/sda

# partition table of /dev/sda

unit: sectors

/dev/sda1 : start= 63, size=419424957, Id=83, bootable

/dev/sda2 : start=419425020, size=419425020, Id=83

/dev/sda3 : start= 0, size= 0, Id= 0

/dev/sda4 : start= 0, size= 0, Id= 0

-- d option above formats output for later restoration

/sbin/sfdisk /dev/sda < sda-part-table -- restore

/sbin/sfdisk -d /dev/sda | /dev/sdb -- copy to new disk

Changing partition label

sudo /sbin/e2label /dev/sda1 yields /

sudo /sbin/e2label /dev/sda2 yields /1

/sbin/e2label /dev/sda2 /newlable

Virtual File System

portable, liveCD, virtual OS

dd if=/dev/zero of=mydisk count=2048000

du -sh mydisk & df -h (see below for more on both)

1001M mydisk

/sbin/mkfs -t ext3 mydisk

lots of info output

mkdir test

sudo mount -o loop mydisk test

mount

/home/bob/mydisk on /home/bob/test type ext3 (rw,loop=/dev/loop0)

Viewing & Changing file system attributes

sudo /sbin/tune2fs -l /dev/sda1 (or dumpe2fs)

lots of information

man tune2fs

-c set maximal count before fsck

-j turn ext2 fs into ext3 by adding journaling

swap partitions

mkswap /dev/sda3

virtual partition as swap

dd -if=/dev/zero of=/tmp/swapfile count=65536

chmod 600 /tmp/swapfile

mkswap /tmp/swapfile

swapon

swapoff

swapon -s

Mounting filesystems

/etc/fstab

LABEL=/ / ext3 defaults 1 1

devpts /dev/pts devpts gid=5,mode=620 0 0

sysfs /sys sysfs defaults 0 0

proc /proc proc defaults 0 0

LABEL=SWAP-sdc1 swap swap defaults 0 0

/dev/sdf1 /Gandalf/WinXP ntfs defaults 0 0

device mountpoint type options -o dump checkorder

pseudo filesystems

mount -o options

mount

mount, mount -t ext3, mount | sort, mount -l (labels)

mount -t ext3 /dev/sda1 /Gandalf/Belinda -o=below

ro, rw, uid=xxx, gid=xxx, noexec,

--bind (new additional location), --move

mount -v -o loop -t iso9660 diskboot.img ~/diskimg

mount -v -o loop local.iso ~/imgdir

/sbin/losetup -a -- show loopback device status

Unmounting filesystems

umount -v /dev/sda1

umount -v /Gandalf/Belinda

device is busy

/usr/sbin/lsof | grep mountpoint

Checking file systems badblocks & fsck

/sbin/badblocks -v /dev/sdc1 readonly test

/sbin/badblocks -vsn /dev/sdc1 non destructive read write test (slowest)

/sbin/badblocks -vsw /dev/sdc1 faster destructive read write test

fsck /dev/sda1

/sbin/fsck -TV /dev/sda1 do not display fsck version and be verbose

/sbin/fsck -TVy /dev/sda1 yes to all 'do I fix' questions

File system use

df -h usage summary in human readable mode

df -hi inode use also

df -hl only display local file systems

df -hT show file system type also

du -h /home/bob disk use of my home directory

du -h /home must be root

du -sh / summarize results

du -sch /home /data /usr/local multiple dirs

du -sh --exclude='*.iso' /home/bob exclude iso files from results & summarize

Ch 8: Backups & Removable Media

tape archive: tar

[-]A --catenate --concatenate

[-]c --create

[-]d --diff --compare

[-]r --append

[-]t --list

[-]u --update

[-]x --extract –get

-j --compress using bzip2

-z --compress using gzip

-v --verbose output

tar c *.txt | gzip -c > myfiles.tar.gz -- make tar archive then gzip it

tar czvf myfiles.tar.gz *.txt -- same thing

gunzip myfiles.tar.gz | tar x -- unzip then extract

gunzip myfiles.tar.gz ; tar xf myfiles.tar

tar xzvf myfiles.tar.gz

tar tvf myfiles.tar -- list files in archive

tar -tzvf myfiles.tgs -- list files in gzip compressed archive

tar -Af archive1.tar archive2.tar -- adds archive2 to archive1

tar –delete file1.txt myfiles.tar -- deletes file from archive

compression tools

lzop, gzip, bzip2 -- in order from fastest / least compression

rar x -- extract

rar a -- add file

tar cjvf myfiles.tar.bz2 *.txt

tar xjvf myfiles.tar.bz2

gzip myfile -- gzips myfile into myfile.gz

gzip -v myfile -- verbose output

gzip -tv myfile.gz -- tests integrity of file

gzip -lv myfile.gz -- get detailed information

gzip -rv mydir -- compress all files in directory

bzip2 myfile -- myfile into myfile.bz2

bzip2 -v myfile

bunzip2 myfile.bz2

bzip2 -d myfile.bz2

bzip2 -vd myfile.bz2

backing up over network with ssh

rsnapshot vie yum install rsnapshot ()

mkdir mybackup ; cd mybackup -- all files beginning with myfile are

ssh bob@server1 'tar cf – myfile*' | tar xvf - -- copied from server into local home dir

tar cf – myfile* | ssh bob@server1 'cd /home/bob/myfolder ; tar xvf - -- OUT

ssh bob@server1 'tar czf – myfile*' | cat > myfiles.tgz -- IN

tar czvf – myfile* | ssh bob@server1 ' cat > myfiles.tgz -- OUT

backing up files over network with rsync (Detailed rsync reference)

rsync -a source/ destination/ – equal to cp -a source/. destination/

rsync -a -e ssh source/ username@:/path/to/destination/

--the -e option specifies the remote shell to use

rsync -a a b – assuming there is a file a/foo this gives a file b/a/foo

rsync -a a/ b – gives b/foo point is backslashes matter but only on the source

rsync -a --delete source/ destination/ – any files in /destination but not in /source are deleted

– create test-src, test-dest, test-src/somefiles

rsync –delete –backup –backup_dir=bk-`date +%A` -avz test-src/ test-dest/$(date +%F)

--mirrors remote pics directory on local system (-a run in archive mode, -v verbose, -z compresses files, --delete remove any local files not still on server)

rsync -avz –delete bob@server1:/home/bob/pics bobspics

-- creates /var/backups/backup-Monday etc

mkdir /var/backups

rsync –delete –backup –backup_dir=/var/backups/backup-`date +%A` \

-avz bob@server1:/home/bob/Personal/ /var/backups/current-backup/

-- create hard links instead of duplicate files (--link-dest option)

rm -rf /var/backups/backup-old/

mv /var/backups/backup-current/ /var/backups/backup-old/

rsync –delete –link-dest=/var/backups/backup-old/ -avz bob@server1:/home/bob/Personal \

/var/backups/backup-current/

– longer script can be found here:

backing up with unison

-- rsync assumes that machine being backed up in only one where data is being modified

-- when have 2 (ie desktop & laptop) unison is better

yum install unison

unison /home/bob ssh://bob@server1//home/bob

unison /home/bob /mnt/backups/bob-home

-- to force unison to run in command line mode (-ui text)

unison /home/bob ssh://bob@server1//home/bob -ui text

-- will prompt for y on every change. If you trust unison to find newest file use -auto

unison /home/bob ssh://bob@server1//home/bob -auto

-- no man pages

unison -help

unison -doc all | less

Backing up to removable media

mkisofs -o home.iso /home -- all files in DOS 8.3 naming mode

mkisofs -o home2.iso -J -R /home --Add Joliet & Rock Ridge extensions

mkisofs -o home3.iso -J -R music/ pics/ docs/ -- multiple dirs or files

-- /var/pics becomes /home/bob/Pictures on cd image

mkisofs -o home.iso -J -R -graft-points Pictures/=/var/pics/ /home/bob

-- add more information to ISO

mkisofs -o home.iso -R -J -p -publisher “Bob Thomas” -V “WebBackup” \

-A “mkisofs” -volset “1 of 4 backups, September 22, 2008” /home/bob

volname home.iso -- display volume name

isoinfo -d -i home.iso -- display all header information

mkdir /home/bob/test

mount -o loop home.iso /home/bob/test -- mount image in test dir

umount /home/bob/test

Burning to CD/DVD

cdrecord –scanbus -- shows information on CD/DVD drive(s)

cdrecord -dummy home.iso -- test burn without doing anything

cdrecord -v home.iso

cdrecord -v -eject home.iso

-- multisession using growisofs

growisofs -z /dev/sr0 -R -J /home/bob --Master & burn to DVD

growisofs -z /dev/sr0 -R -J /home/belinda -- Add to burn

growisofs -M /dev/sr0=/dev/zero -- Close burn

growisofs -dvd-compat -z /dev/sr0=home.iso -- burn image to DVD

CH 9: Checking and Managing Running Processes

Viewing active processes with ps

ps --help -- brief list of options

ps -A or e -- list all processes

ps -x -- list processes without controlling ttys

ps -u bob -- for user bob

ps -auwwx -- every process unlimited width BSD style

ps -ejH -- hierarchy with process/session ids

ps -axjf --

ps -ef --forest --

pstree

custom output with the -o option page 151

Active processes with top

top -- show processes

top -d 5 -- change update delay from 3 to 5 sec

top -u bob -- show for user bob

top -n 10 -- update 10 times then quit

top -b -- run in non-interactive mode, good for file directed output

Finding processes using pgrep

pgrep init -- yeilds ... why 3?

1

3204

3205

pgrep -l init -- long listing

1 init

3204 start_kdeinit

3205 kdeinit

Using fuser to find processes

sudo /sbin/fuser -mauv /home/bob -- show all processes with anything in /home/bob open

-- m show processes with file in . Open, v verbose, a all processes, u what user owns

sudo /sbin/fuser -k /boot -- kill every process that has anything in /boot open

nice

-- sets process priority, regular user 19 (way low) to -20 (way high)

-- merely a suggestion

nice -n 12 gimp -- launch gimp with low priority

renice +2 -u bob -- set bob's process to lower priority

Running processes in background or forground with fg, bg, & jobs

open terminal, type gimp -- run gimp in foreground, will die if you close the terminal

type gimp & -- run gimp in background, ditto

--in running foreground process will stop it and put it in background

jobs --will list running process in that terminal

bg 1 --will put job 1 in background

fg 1 --will put job 1 in foreground

--kills current fg process

--kills terminal session

jobs -l -- long listing of all fg & bg process for current terminal session

kill & killall

ps -aux

kill 28665 -- send SIGTERM to process with PID of 28665

kill -9 4985 -- send SIGKILL to process with PID of 4985 (careful, no shutdown)

killall spamd -- kill all spamd running

Running processes away from the current shell

nohup gimp & -- run gimp with no ability to interrupt

Scheduling processes to run

at now +1 min

at>updatedb

at>Ctrl+d

at teatime

at now +5 days

at 10/05/08

atq -- query for jobs in queue

crontab -e -- create a crontab for current user and open in vi or vim

/etc/crontab -- minute, hour, day, month, & day of week

01 * * * * root run-parts /etc/cron.hourly

02 4 * * * root run-parts /etc/cron.daily

22 4 * * 0 root run-parts /etc/cron.weekly

42 4 1 * * root run-parts /etc/cron.monthly

-- simply link or put the script you want to run in one of the directories above

Ch 10: Managing the System

Focus in on Monitoring Resources in use

files in /proc (sudo ls -lah /proc)

might have to install sysstat packagel

Memory Use:

free (-m in megabytes, -g in gigabytes, -s 5 continuously display every 5 seconds)

free -m

free -m

total used free shared buffers cached

Mem: 8008 4846 3161 0 141 3793

-/+ buffers/cache: 912 7095

Swap: 16002 0 16002

top -- Shift M

vmstat -- view memory use over time

vmstat 3 -- update every three seconds

man vmstat -- field discriptions, watch for io backlog if lots memory in use, wasted CPU time

procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------

r b swpd free buff cache si so bi bo in cs us sy id wa st

CPU Usage:

iostat -c 3 -- update every 3 seconds

Linux 2.6.25.14-69.fc8 (Gandalf) 10/01/2008

avg-cpu: %user %nice %system %iowait %steal %idle

1.94 1.23 1.04 0.88 0.00 94.91

iostat -c -t -- print with time stamp

man iostat -- for listing of fields displayed

--> dstat -t -c 3 -- colors for different types of data

-----time----- ----total-cpu-usage----

date/time |usr sys idl wai hiq siq

01-10 17:08:41| 3 1 95 1 0 0

01-10 17:08:44| 0 1 99 0 0 0

01-10 17:08:47| 2 1 97 0 0 0

01-10 17:08:50| 0 1 99 0 0 0

01-10 17:08:53| 0 1 99 0 0 0

01-10 17:08:56| 0 1 99 0 0 0

01-10 17:08:58| 0 1 99 0 0 0

cat /proc/cpuinfo -- lots of info about processor(s)

flags line show features cpu supports

Storage Devices

du & df

iostat -d

Linux 2.6.25.14-69.fc8 (Gandalf) 10/01/2008

Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn

sda 7.76 214.40 182.76 6445638 5494280

/usr/sbin/lsof -- all open files (lots)

lsof -c bash -- files open by bash shells

lsof -d cwd -- all directories open as current working dir in bash

lsof /dev/sda1 -- anything open on that filesystem

lsof /Gandalf/data -- anything open in that directory structure (and subs)

Mastering Time

system-config-date -- date, ntpd, timezone, etc gui

cat /etc/sysconfig/clock

# The ZONE parameter is only evaluated by system-config-date.

# The time zone of the system is defined by the contents of /etc/localtime.

ZONE="America/Chicago"

UTC=false

ARC=false

/usr/share/zoneinfo/America/Chicago -- time zone info

cp or ln -s above to /etc/localtime

--> date

Wed Oct 1 17:50:55 CDT 2008

--> date '+%A %B %d %G'

Wednesday October 01 2008

--> date --date='8 months 3 days'

Thu Jun 4 17:51:50 CDT 2009

date 081215212008 -- set date to Aug 12, 2:21pm 2008

cal -- show calendar

October 2008

Su Mo Tu We Th Fr Sa

1 2 3 4

5 6 7 8 9 10 11

12 13 14 15 16 17 18

19 20 21 22 23 24 25

26 27 28 29 30 31

--> cal 2009

2009

January February March

Su Mo Tu We Th Fr Sa Su Mo Tu We Th Fr Sa Su Mo Tu We Th Fr Sa

1 2 3 1 2 3 4 5 6 7 1 2 3 4 5 6 7

4 5 6 7 8 9 10 8 9 10 11 12 13 14 8 9 10 11 12 13 14

11 12 13 14 15 16 17 15 16 17 18 19 20 21 15 16 17 18 19 20 21

18 19 20 21 22 23 24 22 23 24 25 26 27 28 22 23 24 25 26 27 28

25 26 27 28 29 30 31 29 30 31

/sbin/hwclock -r -- display current CMOS hardware clock setting

/sbin/hwclock –hstosys -- set system clock from hardware clock (root)

Using Network Time Protocol

yum install ntpd

service ntpd start

chkconfig ntpd on

/etc/sysconfig/ntpd -- main config file

SYNC_HWCLOCK=no -- set to yes to sync

-- problem is why would you want to run a time server ?

ntpd -qg -- q says quit after syncing, g says don't panic for way off

Managing the boot process

A detailed look at the fedora boot process

BIOS

MBR on “first” bootable partition

GRUB

/boot/grub/grub.conf -- other configs are symbolic links to this

kernel

kernel needs root file system to load modules (block devices, etc)

devices drivers are on root file system so how does kernel get them ?

a small initial ram disk (initrd)

init process

/etc/inittab -- runlevel, etc

/boot/grub/grub.conf -- lots of other kernel boot options (table 2-1)

default=1

timeout=5

splashimage=(hd1,0)/boot/grub/splash.xpm.gz

title Fedora (2.6.26.3-14.fc8)

root (hd1,0)

kernel /boot/vmlinuz-2.6.26.3-14.fc8 ro root=LABEL=/ rhgb init=/sbin/bootchartd

initrd /boot/initrd-2.6.26.3-14.fc8.img

grub-install /dev/sda -- reinstall grub

mkinitrd ... -- recreate initial ram disk

Startup & Run Levels

/sbin/runlevel -- display current and previous

init 5 or 3 etc -- change runlevel

init q -- process changes in inittab (mostly for gettys)

/sbin/chkconfig --list, smb on, --add , --level ....

/sbin/service smb -- show usage statement

service smb restart -- etc

/etc/rc.d/rc

systemd

see /etc/systemd and /lib/systemd files

man systemctl



The Kernel

uname

dmesg

lsmod

modinfo pata_acpi

/sbin/modprobe -l | grep c-qcam

modprobe c-qcam

modprobe -r c-qcam

/etc/sysctl.conf -- Kernel sysctl configuration file for Red Hat Linux

/sbin/sysctl -a | less -- list all kernel parameters

sudo /sbin/dmidecode -- list info about all hardware

sudo /sbin/hdparm /dev/sda -- view and change information relating to hard drive

Ch 11: Managing Network Connections

GUI based tools

Network Configuration via GUI works mostly

Gnome-System-->Administration-->Network

Troubleshooting

Start at bottom of TCP/IP stack

1 - Check cables on local card and on routers/gateway etc

2 - Check that card is properly installed and has the correct drivers

3 - Check the settings for the card to make sure you do not have mismatches

4 - If all else fails get a NIC that is supported in Linux

Checking Links

/sbin/ethtool -- lots of help info

/sbin/ethtool | less -- nothing because help output goes to stderr (ethtool 2>&1 | less)

sudo /sbin/ethtool eth1 -- settings for eth1

Settings for eth1:

Supported ports: [ MII ]

Supported link modes: 10baseT/Half 10baseT/Full

100baseT/Half 100baseT/Full

1000baseT/Full

Supports auto-negotiation: Yes

Advertised link modes: 10baseT/Half 10baseT/Full

100baseT/Half 100baseT/Full

1000baseT/Full

Advertised auto-negotiation: Yes

Speed: 100Mb/s

Duplex: Full

Port: MII

PHYAD: 2

Transceiver: external

Auto-negotiation: on

Supports Wake-on: g

Wake-on: d

Link detected: yes

sudo /sbin/ethtool -i eth1 -- driver information

driver: forcedeth

version: 0.61

firmware-version:

bus-info: 0000:00:12.

sudo /sbin/ethtool -S eth1 -- Statistics

sudo /sbin/ethtool -s eth1 speed 100 duplex full autoneg off -- change card settings temp.

-- /etc/sysconfig/network-scripts/ifcfg-eth1 contains “permanent” settings

-- less /usr/share/doc/initscripts-*/sysconfig.txt

sudo netstat -i -- network statistics

sudo netstat -nap -- information about all network processes

Managing Network Connections

sudo /sbin/service

Usage: service < option > | --status-all | [ service_name [ command | --full-restart ] ]

/sbin/service network restart or status or stop or start

sudo /sbin/chkconfig

usage: chkconfig --list [name]

chkconfig --add

chkconfig --del

chkconfig --override

chkconfig [--level ]

less /usr/share/doc/initscripts-*/sysconfig.txt

sudo /sbin/ifdown eth1

sudo /sbin/ifup eth1

Viewing Ethernet Connection Information

/sbin/ifconfig -- connection info for all active (add -a to get inactive) connections

/sbin/ip addr show eth1 -- similar information

/sbin/ip a -- info for all interfaces

/sbin/ip help -- (addr help, route help, tunnel help)

ipcalc -bmn 192.168.1.0/24

NETMASK=255.255.255.0

BROADCAST=192.168.1.255

NETWORK=192.168.1.0

Wireless Connections

Use the GUI if at all possible

wireless-tools, ndiswrapper, etc from rpm.

/sbin/lspci | grep wireless -- to see wireless PCI cards

/sbin/iwconfig -- same sort of info as ifconfig but for wireless

/sbin/iwconfig –help -- essid, channel, sens, key, .....

Dial-Up Modems – Skipped

Checking Name Resolution

cat /etc/resolv.conf

nameserver 208.180.42.68

nameserver 208.180.42.100

dig or -- search the servers in resolv.conf

dig @4.1.2.1 -- search a specific server

dig + trace -- recursively trace DNS servers

host 208.180.42.100 -- reverse DNS lookup

More Troubleshooting

/sbin/ip route -- like old route command

172.16.240.0/24 dev vmnet8 proto kernel scope link src 172.16.240.1

192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2

172.16.140.0/24 dev vmnet1 proto kernel scope link src 172.16.140.1

default via 192.168.1.1 dev eth1

ping gateway to see if connected

/sbin/arp -v -- list ARP cache entries by name

Address HWtype HWaddress Flags Mask Iface

DirectvDvr ether 00:50:00:d4:bb:5c C eth1

home ether 00:15:6c:8c:61:44 C eth1

Gimli ether 00:17:02:bb:1e:5b C eth1

traceroute ttu.edu -- * * * probably means firewall

sudo traceroute -T 129.118.51.8 -- use TCP packets not default UDP (bypass firewall)

sudo traceroute -n ... -- disable name resolution

Network Statistics

netstat -s -- summary of TCP, ICMP, UDP connections

netstat -tanp -- TCP connection information

netstat -uanp -- UDP

Other Useful Tools

sudo /usr/sbin/tcpdump -- (-v or -vv for more stuff)

wireshark

nmap

CH 12: Accessing Network Resources

Sometime even when a GUI is available command line commands are VERY useful

Browse the web

lynx -- old text based browser

links -- newer command but /usr/bin/links -> elinks

elinks -- the current “choice” allows mouse use & colors in terminal session

-- Control Keys Table 12-1 pg. 210 (Esc toggles menu on/off)

Transferring Files -- wget

-- download files using http or ftp

wget

wget

wget –user=someuser –password=passwordforuser

wget

-- download single web page

wget /3351/index.html

-- download single page along with required images, etc and use local file names

wget -pk

-- append html to downloaded files so .cgi or .asp etc will work locally

wget -E

-- recursively mirror entire site -- be careful!!!!

wget -m

-- combining above we get

wget -mEkK

-- restart an incomplete download

wget -- start download

--- assume it is interrupted here ---

wget -c -- finish

Transferring Files -- curl

-- curl (client for URLs) is also available for single shot downloads

Transferring Files -- lftp

lftp mirrors. -- anonymous connection

lftp bob:mypasswd@server1 -- authenticated connection but bad to type pass this way

lftp -u bob server1 -- will ask for password

-- once session is open

pwd, cd, ls, get (download), put (upload), Ctl-z (set download to background,

mget (get all in.), mput (put all in), bookmark, quit

Transferring Files -- ssh

-- warning you do NOT get a warning about overwriting existing files when using some of these

scp mfile bob@server1:/home/bob/tmp -- file up, will ask for password

scp server1:/home/bob/myfilke ./ -- file down, assumes bob is current user

scp -p ... -- preserves permissions and timestamps

scp -P 4382 ... -- use port 4382 not the default of 22

scp -r mydir bob@server1 -- recurse mydir and copy all

-- sftp uses ssh but allows an ftp like interface ( ? for a list of commands)

sftp bob@server1 -- then use any of the ftp commands to copy & move around

Sharing remote directories -- NFS (Network File System)

-- works in some Windows ops too

service nfs start -- starts service configs are /etc/sysconfig/nfs, /etc/exports

/usr/sbin/exportfs -v -- shows all shared directories along with permissions

service nfs reload -- reload nfs with changes to /etc/export

exportnfs -r -- load changes to /etc/export

exportnfs -vr

/usr/sbin/showmount -e -- show directories available on local system

showmount -e client. -- show directories available on other system

mount server.:/export/myshare /Gandalf/nfsDIR -- mount remote (nfs3)

mount -q rw,hard, intr ... -- options can also be entered on mount line

mount -t nfs4 -- nfs4 is more versatile but less used might not work

Sharing remote directories -- SAMBA

-- SMB (server message block is old) cifs is current file system type

-- GUI config tools are availble (swap is a nice easy web interface)

1. sudo yum install samba-swat

2. sudo /sbin/chkconfig swat on

3. sudo /etc/init.d/xinetd start

4. elinks

findsmb -- scan network for shares

*=DMB

+=LMB

IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION

---------------------------------------------------------------------

192.168.1.2 Gandalf [WIZARDS] [Unix] [Samba 3.0.21c]

smbtree -- text representation of network shares

Password:

WIZARDS

\\ARIEL

\\ARIEL\C$ Default share

\\ARIEL\Belinda (C)

\\ARIEL\Easy (E)

sudo smbpasswd -a bob -- add an existing Linux user as a samba user

smbclient -L Ariel -- list services available by a server to current user or anonymous

smbclient -L Ariel -U bob

sbmclient //192.168.1.1/myshare -U bob -- ftp style connection

-- mounting

sudo mount -t cifs -o username=bob,password=mypass //server1/myshare /where/I/mountedit

sudo mount -t cifs '//Ariel/Easy (E)' /Gandalf/Belinda/Easy /

-o credentials=/home/bob/.cred,uid=500,gid=500

smbstatus -- current mount and lock status

nmblookup Ariel -- lookup IP for samba server Ariel

testparm -- check samba configuration

testparm -v | less -- show default parameters you did not set

Sharing remote directories -- sshfs --

yum install fuse-sshfs

sshfs bob@server1:/home/bob/myshare /Gandalf/RemoteSites/bob -- mount will as password

sudo umount /Gandalf/RemoteSites/bob -- unmount

Ch 13: Remote System Admin

Most professional linux admins do not run X on production servers

Thus command line admin is a necessity

Old tools like telnet, ftp, rsh, rexec, rcp are security risks (text userid and password)

Modern tools like ssh, scp, sftp are much more secure

Legacy tools are sometimes good for troubleshooting

telnet 80

GET / HTTP/1.0

--- extra carriage return here

HTTP/1.1 200 OK

Remote admin with ssh

Configuration

-- make sure sshd service is running by default

-- /etc/ssh/sshd_config server configuration file

Port 1248

X11Forwarding yes

AllowTcpForwarding no

-- /etc/ssh/ssh_config client configuration file

ForwardX11 yes (or ssh -X bob@someserver each time connect)

Regular use

ssh bob@server1 -- the 'correct' way to change users

ssh server1 -- login to remote as current user

ssh -p 1248 bob@server1 -- port other than default of 22

ssh tunneling (a good howto is here )

ssh -X or with configuration correctly setup kcalc etc

ssh -L 1234:localhost:631 remoteserver -- tunnel CUPS server

ssh -l remoteuser -nNT -R 1100:129.118.49.11:22 remoteip -p remotesshport

ssh user@remotehost -L 24800:remotehost:25 -N

-- use myserver to connect to internet

ssh -L 12345:localhost::80 myserver

-- ssh as a SOCKS Proxy

ssh -D 12345 myserver //look at man pages

then change connection settings in firefox to match

(preferences-advanced-settings-manual connection SOCKS:localhost port:12345)

ssh public key login

cat ~/.ssh/known_hosts -- existing public keys for previous connections

ssh-keygen -- generate public / private keys for current user

-- leaving password prompt blank makes connections easy but is risky

copy ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys2 on remote server

ssh-agent -- gives the ability to store keys for duration of this session

eval 'ssh-agent' -- adds vars to environment

ssh-add -- will add default private key (ssh-keygen) to

Using screen: A rich remote shell Cool!!!

ssh gives you one temporary screen at a time, if it times out or dies you loose everything

yum install screen (FC8 by default)

ssh into remote server

screen -- you now have a screen running on remote server

screen -ls -- list active screens

Ctrl-a, d -- detach screen, leave it running but return to ssh terminal window

Ctrl-a, ? -- help

screen -r -- reattach to a previously detached screen (works even after quitting ssh)

screen -r 7089.pts-2.myserver -- reattach if are multiple detached screens

screen -S mysession -- name the screen session

screen -x or screen -x mysession -- share screen session (same user logged on)

-- try this

ssh into some server

screen

top

Ctrl-a, d

exit ssh

ssh again into same server

screen -r -- top will still be running

Using a Remote Windows Desktop

WinXP – Control Panel / System / Remote enable and add users

yum install rdesktop tsclient

tsclient & -- graphical Terminal Server Client

rdesktop Ariel

rdesktop -u bob -p password win1

rdesktop -f win1 -- maximize display

rdesktop -0 -r sound:local win1 -- direct sound from server to client

Other remote linux apps

xhost -- non encrypted ssh better

Sharing desktops with VNC

yum install vnc vnc-server

/etc/sysconfig/vncservers

VNCSERVERS=”1:bob 2:thomas”

vncpasswd -- set current user vnc password

chkconfig vncserver on -- set vnc server to run

make sure to open TCP ports 590+displaynumber in iptables

vncviewer myserver:1 or myserver:2 -- connect to vncserver from client

-- above is a really simple window manager so on the server

edit ~/.vnc/xstartup and add

unset SESSION_MANAGER

exec /etc/X11/xinit/xinitrc

and restart the vncserver

-- on untrusted networks tunnel vnc

ssh -L 5902:localhost:5902 vncserver

Can share a vnc desktop using Vino

Ch 14: Locking Down Security (for working with user accounts see also Ch10 in Fedora Bible 2011 notes)

“Securing your Linux system means first restricting access to the user accounts and services on the system. After that, security means checking that no one has gotten around the defenses you have setup.”

Fedora is designed to be secure by default:

1. no user accounts with blank passwords

2. firewall is restrictive by default

3. most network services are off

4. SELinux is set to enforcing if you do not change this on the install

Working with users and groups

ALWAYS LOG IN AS A REGULAR USER! Then use su or sudo to gain root access

/etc/ssh/sshd_config PermitRootLogin no

The GUI way for servers:

webmin: () -- remember to change default port from 10000

cPanel (), Plesk (plesk), Ensim ()

Adding user accounts

--> sudo /usr/sbin/useradd -D -- show useradd default values

GROUP=100 -- default group

HOME=/home -- base home directory

INACTIVE=-1 -- password expiration is disabled

EXPIRE= -- Don't set password expire date

SHELL=/bin/bash -- default shell

SKEL=/etc/skel -- copy default home config files from here

CREATE_MAIL_SPOOL=yes -- create mail spool directory

-- fedora overrides the default group with a new group for each new user

-- above values in /etc/default/useradd

useradd bob -- typed as root allows change of password for bob

-- root is only warned if bad password is used

-- some of the options for useradd

sudo /usr/sbin/useradd –help

-b, --base-dir /var/users -- base directory for the new user account

-d, --home-dir /home/jj -- home directory for the new user account

-e, --expiredate 2009-01-01 -- set account expiration date to 2009-01-01

-g 700 -u 700 -- use specific GID & UID for new user

-G students,tomcatusers -- list of supplementary groups for the new user

sudo /usr/sbin/groupadd -- before adding a user to a group the group must exist

groups bob -- list the groups bob belongs to

bob vboxusers

-- some of the real config files for users and groups

/etc/passwd test:x:502:503::/home/test:/bin/bash

/etc/shadow test:$1$cvOBzy34DGAgHfr3XcdeAmEJ1:14134:0:99999:7:::

/etc/group test:x:503:drjohn,bob

Changing default useradd values

edit /etc/default/useradd & /etc/login.defs to make changes permanent

user options above in useradd command to make temporary changes

add files or directories to /etc/skel to change 'startup' /home/newuser (ex public_html)

Modifying User Accounts

sudo /usr/sbin/usermod -c “Dr Bob” bob -- change bob's comment field

sudo /usr/sbin/usermod -s /bin/sh bob -- change bob's default shell

sudo /usr/sbin/usermod -L bob -- lock the bob user account

sudo /usr/sbin/usermod -U bob -- unlock the bob user account

chsh -s /bin/sh -- change current user's shell to /bin/sh

-- change finger information

-- change office, home phone, office phone, full name

chfn -o "BA607" -h 806-687-9028 -p 806-438-2049 -f "DrJohn"

finger

Login Name Tty Idle Login Time Office Office Phone

bob DrJohn *:0 Oct 20 13:30 BA607 806-438-2049

-- above information is stored in the 5th field of the /etc/passwd file

-- ONLY edit the /etc/passwd file carefully and with vipw

Deleting User accounts

/usr/sbin/userdel bob --delete user bob

userdel -r bob -- delete user, home directory, and mail spool

Managing Passwords

-- modify current user password

--> passwd

Changing password for user bob.

Changing password for bob.

(current) UNIX password:

New UNIX password: I typed hi

BAD PASSWORD: it is WAY too short

New UNIX password: I typed hello

BAD PASSWORD: it is too short

New UNIX password: I typed password

BAD PASSWORD: it is based on a dictionary word

--> sudo passwd bob

Password:

Changing password for user bob.

New UNIX password: I typed hi

BAD PASSWORD: it is WAY too short

Retype new UNIX password: I typed hi

passwd: all authentication tokens updated successfully.

-- moral is be VERY careful when setting/modifying passwords as root

sudo passwd -l bob -- lock the bob user account

sudo passwd -u bob -- unlock the bob user account

-- this is done by placing !! at the front of the password field in /etc/shadow

test:!!$1$cvOBzy34DGAgHfr3XcdeAmEJ1:14134:0:99999:7:::

-- administrator can require users to change passwords regularly

passwd -n 2 bob -- set minimun password life to 2 days

passwd -x 300 bob -- set maximum password life to 300 days

passwd -w 10 bob -- warn of password expiration 10 days in advance

passwd -i 14 bob -- days after expiration that account is disabled

-- view password expiration information

--> chage -l bob

Last password change : Oct 20, 2008

Password expires : December 31, 2008

Password inactive : January 31, 2009

Account expires : never

Minimum number of days between password change : 0

Maximum number of days between password change : 99999

Number of days of warning before password expires : 7

-- as root can use the chage command to manage password expiration

sudo chage -I 40 bob -- make account inactive in 40 days

sudo chage -d 5 bob -- force user's password to expire in 5 days

-- 0 above would force password change on next login

Adding Groups

-- similar commands as for users above

-- groupadd, groupdel, groupmod, groupmems (add & remove members)

groupadd Marketing -- add group Marketing

groupadd -g 701 tomcat -- add group tomcat with GID of 701

groupmod -g 777 tomcat -- make tomcat group GID 777

groupmod -n tomcat tomcatS08 -- change name of tomcat group to tomcatS08

groupdel tomcat -- delete tomcat group

Checking on Users

find -nouser -- No user corresponds to file’s numeric user ID.

find -nogroup -- No group corresponds to file’s numeric group ID.

find -uid nnn -- File’s numeric user ID is nnn.

find -user bob -- File is owned by user bob (numeric user ID is allowed).

--> sudo du -sh /home/test/ -- check on disk usage in user's home dir

2.2M /home/test/ -- -sh means summarize results and make human readable

-- fuser, ps, top identify running commands and can check for users (Ch 9)

sudo last -- lists the most recent successful logins

sudo lastb -- lists most recent unsuccessful logins

-- on zeus I get page after page after page

sudo who -u -- list who is currently logged in long form

sudo users -- list who is currently logged in short form

--> id ==> uid=500(bob) gid=500(bob) groups=500(bob),502(vboxusers)

--> who am i -- long form

bob pts/4 2008-10-20 16:49 (localhost.localdomain)

--> whoami -- short form

bob

--> finger -s bob -- short form

Login Name Tty Idle Login Time Office Office Phone

...

--> finger -l bob -- long form

Login: bob Name: DrJohn

Directory: /home/bob Shell: /bin/bash

Office: BA607, 806-438-2049 Home Phone: 806-687-9028

On since Mon Oct 20 13:30 (CDT) on :0 (messages off)

On since Mon Oct 20 13:31 (CDT) on pts/1 from :0.0

3 hours 48 minutes idle

(messages off)

On since Mon Oct 20 13:31 (CDT) on pts/2 from :0.1 (messages off)

On since Mon Oct 20 13:31 (CDT) on pts/3 from :0

3 hours 48 minutes idle

On since Mon Oct 20 16:49 (CDT) on pts/4 from localhost.localdomain

No mail.

No Plan.

-- when ~/.project (single line) and ~/.plan (multi line) files are added results become

--> finger -l bob

Login: bob Name: DrJohn

...

Project:

To make the Internet safer

Plan:

By teaching

students how to become

Linux professionals

Working with System Logs (for firewall info see below)

/var/log ... -- system logs are here and in subdirectories

-- fedora uses rsyslogd (system log daemon) and rklogd (kernel log daemon)

-- started by /etc/init.d/rsyslog (a newer better version of syslogd)

-- rotation is handled by /etc/cron.daily/logrotate

-- based on settings in /etc/logrotate.conf & in /etc/logrotate.d/

logwatch -- a system log analyzer and reporter than allows summary messaging

sudo logger Hello World from bob -- add messages to log files (new Video card)

sudo cat /var/log/messages

... Oct 20 17:38:26 localhost durrett: Hello World from bob

Linux Bible 2010 Edition: Boot Up to Ubuntu, Fedora, KNOPPIX, Debian, openSUSE, and 13 Other Distributions by Christopher Negus

Last annotated on December 2, 2010

Chapter 12: Securing Linux

In This Chapter Linux security checklist Using password protection Monitoring log files Communicating with secure shell tools Understanding attack techniques Protecting servers with certificates Using special Linux security tools distributions

Why should you care about security? According to the Internet Storm Center (), a computer connected to the Internet has an average of 16 minutes

Linux Security Checklist

Control physical access

Add users and passwords—Creating separate user accounts

Set read, write, and execute permissions

Protect the root user

Use trusted software

Get software updates

Use secure applications

Use restrictive firewalls

Enable only services you need

Limit access to services

Check your system

Monitor your system

Use SELinux

your computer, then, is safer. As Red Hat continues to work out the kinks in SELinux, there has been a tendency for users to see SELinux failures and just disable the entire SELinux service. However, a better course is to find out whether SELinux is really stopping you from doing something that is unsafe.

Finding distribution-specific security resources

Red Hat Enterprise Linux and Fedora security—Check the Red Hat Security site (security) for RHEL security issues (that typically relate to Fedora systems as well). From here you can look for and read about available updates. You can also get information on security training and consulting from Red Hat, Inc. For Fedora security issues, see the Fedora Wiki ().

Refer to the Red Hat Enterprise Linux 4 Security Guide for an in-depth look at Linux security for Red Hat systems. You can access this guide online from the following address:docs/manuals/enterprise/RHEL-4-Manual/en-US/Security_Guide

doc/manuals/securing-debian-howto Ubuntu security—Find security guides and tools for Ubuntu on the Ubuntu security page (). Gentoo security—Included on the Gentoo Linux Security page (security) are tools, announcements, and links to security policy and project documents associated with securing Gentoo systems. Find the Gentoo security handbook here:

Choosing good passwords

(choosing a sentence on your personal Web page is a bad idea).

Table 12-1 lists examples of strong passwords and the tricks used to remember them.

Mrci7yo! My rusty car is 7 years old!

2emBp1ib 2 elephants make BAD pets, 1 is better

ItMc?Gib Is that MY coat? Give it back

The passwords look like gibberish

Using a shadow password file

Checking for the shadow password file The password file is named passwd and is found in the /etc directory. The shadow password file is named shadow and is also located in /etc. If your /etc/shadow file is missing, it is likely that your Linux system is storing the password information in the /etc/passwd file instead.

A Practical Guide to Fedora and Red Hat Enterprise Linux by Mark G. Sobell

Last annotated on December 1, 2011

SELinux

NSA Security-Enhanced Linux

Traditional Linux security, called Discretionary Access Control (DAC):

In a DAC model, file and resource decisions are based solely on user identity and ownership of the objects. Each user and program run by that user has complete discretion over the user's objects. Malicious or flawed software can do anything with the files and resources it controls through the user that started the process. If the user is the super-user or the application is setuid or setgid to root, the process can have root level control over the entire file system.

The following is an example of permissions used on Linux operating systems that do not run Security-Enhanced Linux (SELinux). The permissions and output in these examples may differ from your system. Use the ls -l command to view file permissions:

$ ls -l file1

-rw-rw-r--. 1 user1 group1 0 May 11 10:46 file1

SELinux (Security Enhanced Linux), implements Mandatory Access Control

(MAC): A MAC system does not suffer from these problems. First, you can administratively define a security policy over all processes and objects. Second, you control all processes and objects, in the case of SELinux through the kernel. Third, decisions are based on all the security relevant information available, and not just authenticated user identity.

The following is an example of the labels containing security-relevant information that are used on processes, Linux users, and files, on Linux operating systems that run SELinux. This information is called the SELinux context, and is viewed using the ls -Z command:

$ ls -Z file1

-rw-rw-r--. user1 group1 unconfined_u:object_r:user_home_t:s0 file1

In this example, SELinux provides a user (unconfined_u), a role (object_r), a type (user_home_t), and a level (s0). This information is used to make access control decisions. It is important to remember that SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.

SELinux provides a combination of Role-Based Access Control (RBAC), Type Enforcement® (TE), and, optionally, Multi-Level Security (MLS).

SELinux can be in one of three states (modes):

Enforcing: SELinux policy is enforced. SELinux denies access based on SELinux policy rules.

Permissive: SELinux policy is not enforced. SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode. Warnings are issued

Disabled: SELinux is disabled. Only DAC rules are used.

SELinux implements one or more of the following policies:

Targeted—Applies to specific objects

MLS—Multilevel Security

Strict—Applies

SELinux Contexts for Processes

ps -eZ unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd

There is always a tradeoff between security and usability.

More Information from the Fedora Project



Two ways to disable SELinux: You can modify the /etc/selinux/config file so that it includes the line SELINUX=disabled and reboot the system, or you can use system-config-selinux (as explained on the next page).

Files on FC

• system-config-selinux (a GUI tool)

• /etc/selinux/config

← SELINUX= (disabled, permissive, or enforcing)

← SELINUXTYPE= (targeted or strict)

• /etc/selinux/targeted/

• /usr/sbin/getenforce

• /usr/sbin/setenforce

• /usr/sbin/sestatus

• /usr/sbin/semanage

The getenforce and setenforce utilities report on and temporarily set the SELinux mode. The sestatus utility displays a summary of the state of SELinux:

Security Contexts

• All Objects (files, interprocess communcation channels, sockets, network hosts, etc)

• and Subjects (processes)

• have a single security context associated with them

• user:role:type (our primary focus is the type portion)

← run id in a terminal

← run ls -Z

← run ps -Z

← ps -auxZ

Type enforcement Access Control

• rule format:

← Source Type(s)

← Target Type(s)

← Object Class(es)

← Permission(s)

• allow user_t bin_t : file {read executee getattr};

• allow user_t passwd_exec_t : file {getattr execute};

sestatus results on my FC14

SELinux status: enabled

SELinuxfs mount: /selinux

Current mode: enforcing

Mode from config file: enforcing

Policy version: 24

Policy from config file: targeted

config file on my FC14

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

# enforcing - SELinux security policy is enforced.

# permissive - SELinux prints warnings instead of enforcing.

# disabled - No SELinux policy is loaded.

SELINUX=enforcing

# SELINUXTYPE= can take one of these two values:

# targeted - Targeted processes are protected,

# mls - Multi Level Security protection.

SELINUXTYPE=targeted

Blockhosts ()

--> After install -- rpm -ql BlockHosts

/etc/blockhosts.cfg

/etc/logrotate.d/blockhosts

/etc/logwatch/conf/services/blockhosts.conf

/etc/logwatch/scripts/services/blockhosts

/usr/bin/bhrss.py

/usr/bin/blockhosts.py

/usr/share/doc/BlockHosts-2.4.0

/usr/share/doc/BlockHosts-2.4.0/CHANGES

/usr/share/doc/BlockHosts-2.4.0/INSTALL

/usr/share/doc/BlockHosts-2.4.0/LICENSE

/usr/share/doc/BlockHosts-2.4.0/README

/usr/share/doc/BlockHosts-2.4.0/bhrss.html

/usr/share/doc/BlockHosts-2.4.0/blockhosts.html

--- /etc/blockhosts.cfg

HOSTS_BLOCKFILE = "/etc/hosts.allow"

COUNT_THRESHOLD = 7 number of invalid attempts

AGE_THRESHOLD = 12 number of hours to block

WHITELIST list of IPs to always allow

BLACKLIST list of IPs to always block

LOGFILES – default list of logs to process (/var/log/secure)

--- /etc/hosts.allow

/etc/hosts.allow (or /etc/hosts.deny but only one not both files) - the hosts block file

Add following sections, in this order:

-- your permanent whitelist and blacklist of IP addresses (if needed)

-- blockhosts marker lines - two lines

-- execute command to kick off blockhosts.py on connects to services

Example below

# ----

# permanent whitelist addresses - these should always be ALLOWED access – edit as needed

ALL: 127.0.0.1 : allow

ALL: 192.168.0. : allow

# permanent blacklist addresses - these should always be DENIED access – edit as needed

ALL: 10. : deny

ALL: 192. : deny

ALL: 172. : deny

# ----------------------------------------

# next section is the blockhosts section - it will add/delete entries in

# between the two marker lines (#---- BlockHosts Additions)

#---- BlockHosts Additions

#---- BlockHosts Additions

# ----------------------------------------

# finally, the command to execute the blockhosts script, based on

# connection to particular service or services, for example, for

# sshd, proftpd, etc - if using pure-ftpd, etc, be sure to use those

# words instead - this is spread over multiple lines, so has \ at end of

# line to signal continuation:

sshd, proftpd, vsftpd: ALL: spawn /usr/bin/blockhosts.py \

--echo "%c-%s" --ipblock=iptables \

--whitelist="10\..*,127.0.0.1" --blacklist="192.168.1.1,192.168.1.2" \

#---

the version on zeus

sshd, proftpd, in.proftpd: ALL: spawn (/usr/bin/blockhosts.py \

--verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow \

Other Advanced Security Features

SELinux

Central Logging

Tripwire

RMPdatabase

chkroot

Apache 2.2.6-1 Notes and 2.2.17-1

Basics

Find the server rpms: rpm -qa | grep httpd (apache to httpd)

Show files rpm -ql httpd

service httpd start or /etc/init.d/httpd restart

/sbin/chkconfig httpd on

Important files / folders in httpd-2.2.6-1.fc7 and httpd-2.2.17-1.fc14.x86_64

• /etc/httpd most of the config files or links to them

• /etc/httpd/conf

• /etc/httpd/conf.d module specific config files, see README

• /etc/httpd/conf/httpd.conf main apache server config file

for 'global environment', 'main or default server', & 'virtual hosts'

• /etc/httpd/logs link to /var/log/httpd

• /etc/httpd/modules link to /usr/lib64/httpd/modules

• /etc/httpd/run link to /var/run

• /etc/logrotate.d/httpd how often to rotate logs

• /etc/rc.d/init.d/httpd startup script

• /etc/sysconfig/httpd basic service config file for httpd startup script

• /usr/bin/ab benchmarking tool

• /usr/bin/htdigest manage user files for digest automation

• /usr/bin/htpasswd manage user files for basic authentication

• /usr/bin/logresolve resolve IP addresses to host names in log files

• /usr/lib64/httpd/modules apache modules for added functionality

• /usr/sbin/apachectl server control interface

• /usr/sbin/httpd man server binary

• /usr/sbin/rotatelogs

• /usr/sbin/suexec switch user before executing, allows apache user not root

• /var/www/error where error files are

• /var/www/html main server html root

• /var/www/icons server icons

A limited graphical configuration utility

• system-config-httpd-1.4.3-1.fc7 and system-config-httpd-1.5.2-2.fc14.noarch

• /usr/bin/system-config-httpd

/etc/httpd/conf/httpd.conf Notes

### Section 1: Global Environment

ServerRoot "/etc/httpd"

PidFile run/httpd.pid

Timeout 120

KeepAlive Off

MaxKeepAliveRequests 100

KeepAliveTimeout 15

#Listen 12.34.56.78:80

Listen 80

# LoadModule foo_module modules/mod_foo.so DSO support

Include conf.d/*.conf

User apache

Group apache

### Section 2: 'Main' server configuration

ServerAdmin root@localhost

#ServerName :80

UseCanonicalName Off

DocumentRoot "/var/www/html"

Options FollowSymLinks

AllowOverride None

# Note that from this point forward you must specifically allow

Options Indexes FollowSymLinks

AllowOverride None #controls what directives may be placed in .htaccess files

Order allow,deny

Allow from all

DirectoryIndex index.html index.html.var

AccessFileName .htaccess

ErrorLog logs/error_log

# The following directives define some format nicknames for use with a CustomLog directive

#

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

LogFormat "%h %l %u %t \"%r\" %>s %b" common

LogFormat "%h %l %u %t \"%r\" %>s %b %f %{host}i" debug

CustomLog logs/access_log debug

CustomLog logs/access_log combined

ServerSignature On

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

Alias /image /ftp/pub/image

A request for would cause the server to return the file /ftp/pub/image/foo.gif

User directories

~public/public_html

user directory (/home/durrett) must be chmod 711, but not all of its subdirectories

public_html & all of its subdirectories must be 755

UserDir enable test (you must list the users to enable)

Doing this makes it possible to find users on the system

An alternative to the above is:

create a new /var/www/html directory (mkdir DrJohn)

change ownership to the user:apache (chown durrett:apache /var/www/html/DrJohn)

add the user link to the directory (ln -s /var/www/html/DrJohn /home/durrett/DrJohn_site)

# UserDir disable

chmod 711

mkdir /home/drjohn/public_html

chmod 755 /home/drjohn/public_html

#

# Control access to UserDir directories. The following is an example

# for a site where these directories are restricted to read-only.

#

#

# AllowOverride FileInfo AuthConfig Limit

# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

#

# Order allow,deny

# Allow from all

#

#

# Order deny,allow

# Deny from all

#

#



#

# Use name-based virtual hosting.

#

NameVirtualHost *:53148

#

# NOTE: NameVirtualHost cannot be used without a port specifier

# (e.g. :80) if mod_ssl is being used, due to the nature of the

# SSL protocol.

#

#

# VirtualHost example:

# Almost any Apache directive may go into a VirtualHost container.

# The first VirtualHost section is used for requests without a known

# server name.

#

#

# ServerAdmin webmaster@dummy-host.

# DocumentRoot /www/docs/dummy-host.

# ServerName dummy-host.

# ErrorLog logs/dummy-host.-error_log

# CustomLog logs/dummy-host.-access_log common

#

# ServerAdmin webmaster@dummy-host.

DocumentRoot /var/www/gandalf

ServerName gandalf

ErrorLog logs/gandalf-error_log

# CustomLog logs/dummy-host.-access_log common

# ServerAdmin webmaster@dummy-host.

DocumentRoot /var/www/mediawiki

ServerName wiki

ErrorLog logs/wiki-error_log

# CustomLog logs/dummy-host.-access_log common

Fedora firewalls / iptables notes

(partially from Negus' Fedora Linux toolbox)

Negus – Ch 10: Configuring the built in firewall

-- based on the iptables facility ()

-- lots of GUIs: sudo /usr/bin/system-config-firewall, firestarter, shorewall, fwbuilder

/etc/sysconfig/iptables -- config file (remember to BACK it UP before changing)

iptables -L -- display current iptables filter table

iptables-save -- send current iptables filter table to stdout ( > somefile to save it)

-------------------------------------------------------------------------

Other notes:

The basic structure of iptables

mangle (1) (3) mangle & filter nat

--------->Routing Decision -------> FORWARD -----POSTROUTING

PREROUTING | ↑

| |

| (2) mangle |

| filter OUTPUT

mangle & nat |

& INPUT | (4)

filter |

|------> local process ----> Routing

Decision

1) when packet enters from network kernel looks at destination

2) if destined for this machine packet goes to INPUT chain

3) if not destined for this machine, if FORWARD chain exists rules in it are applied and packet is sent as specified in the rules, if FORWARD chain does not exist default policy is applied

4) packets sent from local process are routed, then put on the OUTPUT chain

----------------------------------------------------------

iptables basic concepts

1. different sets of rules for different chains within different tables

2. initial tables are: NAT, FILTER, MANGLE

3. initial chains are: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING

4. targets to jump to are: ACCEPT, DROP, REJECT, LOG, SNAT, MASQUERADE

iptables operations to manage whole chains:

1. Create a new chain (-N).

2. Delete an empty chain (-X).

3. Change the policy for a built-in chain. (-P).

4. List the rules in a chain (-L).

5. Flush the rules out of a chain (-F).

iptables operations on the rules inside a chain:

1. Append a new rule to a chain (-A).

2. Insert a new rule at some position in a chain (-I).

3. Replace a rule at some position in a chain (-R).

4. Delete a rule at some position in a chain, or the first that matches (-D).

individual rules:

1. Each rule specifies a set of conditions the packet must meet, and what to do if it meets them (a `target')

2. EX: wipe out (flush) all previous rules

iptables -F

3. EX: set default policies for INPUT chain

iptables -P INPUT DROP

4. EX: create a new chain in the filter table

iptables -N okay

5. EX: drop all ICMP packets coming from the IP address 127.0.0.1.

iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP

6. EX: accept everything coming from the loopback address

iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT

7. EX: accept packets for the local web server coming from the Internet (eth0)

iptables -A INPUT -p TCP -i eth0 -s 0/0 --dport 80 -j ACCEPT

8. EX: forward all packets addressed to a web server to gandalf

iptables -t nat -A PREROUTING -p tcp -d $EXT_NIC --dport 80 \

--to-destination $WEB_SVR

Fedora rpm iptables files:

/sbin/iptables

/sbin/iptables-save

/etc/sysconfig/iptables-config

/etc/sysconfig/iptables -- test hint “how do I find this out?”

/etc/init.d/iptables

------------------------------------------------------

steps to play with iptables:

cd ~

vi rc.firewall

WEB_SVR=”gandalf”

EXT_NIC=”eth0”

/sbin/iptables -F

/sbin/iptables -P INPUT DROP # you are not going to get much now

...

:wq

sudo rc.firewall

/sbin/iptables -L

then play

#an example

#!/bin/sh

# Simple masq firewall

#Assumes all modules are either loaded or compiled into kernel

#setup network for forwarding, dynamic ips

echo 1 > /proc/sys/net/ipv4/ip_forward

echo 1 > /proc/sys/net/ipv4/ip_dynaddr

IPTABLES=/usr/sbin/iptables

DEPMOD=/sbin/depmod

MODPROBE=/sbin/modprobe

ANY=”0.0.0.0/0” # Match any IP address

CLASS_A="10.0.0.0/8" # Class-A Private (RFC-1918) Networks

CLASS_B="172.16.0.0/12" # Class-B Private (RFC-1918) Networks

CLASS_C="192.168.0.0/16" # Class-C Private (RFC-1918) Networks

EXTIF="eth0"

INTIF="eth1"

echo " External Interface: $EXTIF"

echo " Internal Interface: $INTIF"

$IPTABLES -P INPUT ACCEPT

$IPTABLES -P OUTPUT ACCEPT

$IPTABLES -P FORWARD DROP

$IPTABLES -F FORWARD

$IPTABLES -F INPUT

$IPTABLES -F OUTPUT

$IPTABLES -F -t nat

echo "FWD: Allow all connections OUT and only existing and related ones IN"

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# Deny TCP and UDP packets to privileged ports

#$IPTABLES -A INPUT -i $EXTIF -d $ANY -p tcp --dport 0:1023 -j DROP

#$IPTABLES -A INPUT -i $EXTIF -d $ANY -p udp --dport 0:1023 -j DROP

# Deny TCP connection attempts

#$IPTABLES -A INPUT -i $EXTIF -p tcp --syn -j DROP

#accept packets for the local web server coming from the Internet (eth0)

$IPTABLES -A INPUT -p TCP -i $EXTIF -s 0/0 --dport 80 -j ACCEPT

# Deny IMCP echo-requests

$IPTABLES -A INPUT -i $EXTIF -s $ANY -p icmp --icmp-type echo-request -j DROP

FireHOL, the iptables stateful packet filtering firewall builder.

FireHOL, the iptables stateful packet filtering firewall builder.



1. Identify your network interfaces

sudo ip link show

1: lo: mtu 16436 qdisc noqueue state UNKNOWN

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

2: eth0: mtu 1500 qdisc noop state DOWN qlen 1000

link/ether 00:1f:c6:51:13:11 brd ff:ff:ff:ff:ff:ff

3: eth1: mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether 00:1f:c6:51:13:12 brd ff:ff:ff:ff:ff:ff

2. Think about what each interface should do

Ignore lo, in the case above eth0 is not used and eth1 is everything

Also think about what services ie servers you want.

3. Create the FireHOL configuration structure

In my Fedora 10 system the configuration file is /etc/firehol/firehol.conf

and by default it says

version 5

# Accept all client traffic on any interface

interface any world

client all accept

You should probably rename the interface if you are going to build a “real” firewall

version 5

interface eth1 world

client all accept

4. Now add servers and clients you wish to accept

version 5

interface any world

client all accept

interface eth1 home

server dns accept

server ssh accept

server http accept

If you have special ports or have moved services you may define your own servers

server custom myservice proto/sports cports accept

If you want to move the ssh port to 41265 the above file becomes:

version 5

interface any world

client all accept

interface eth1 home

server dns accept

server custom myssh tcp/41265 default accept

server http accept

5. Checking

Run sudo /etc/rc.d/init.d/firehol debug

And it will show you the iptables results or problems

6. Pretty much done.

You can do much more, routing tables, masquerade, NAT but this gets you started

Brief MySQL Notes and Links

1. Get started with MySQL

2. Installing Apache2 with PHP5 and MySQL Support on OpenSuse 12.2 (LAMP)

3. Installing Apache2 with PHP5 and MySQL Support on Fedora

4. Installing LAMP on Ubuntu for Newbies

5. What is MySQL Configuration File

6. Right after install root password is blank

7. Brief Database Setup Notes (ISQS 4361)

8. show tables;

9. Reference Manuals

Linux RamDisk by Van Emery (see link below)

Base system is Fedora Core 9 (or any 2.4+ kernel)

ls -l /dev/ram*

lrwxrwxrwx 1 root root 4 Jun 12 00:31 /dev/ram -> ram1

brw-rw---- 1 root disk 1, 0 Jan 30 2003 /dev/ram0

brw-rw---- 1 root disk 1, 1 Jan 30 2003 /dev/ram1

...

dmesg | grep RAMDISK

RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize

RAMDISK: Compressed image found at block 0

To increase size of RamDisk edit entry in grub.conf

kernel /vmlinuz-2.4.20-20.9 ro root=LABEL=/ hdc=ide-scsi ramdisk_size=16000

confirmation of success of resize is in dmesg after reboot

dmesg | grep RAMDISK

Format the disk

mke2fs -m 0 /dev/ram0

Create the mount point and mount the disk

mkdir /mnt/rd

mount /dev/ram0 /mnt/rd

Now verify the new ramdisk mount:

mount | grep ram0

/dev/ram0 on /mnt/rd type ext2 (rw)

df -h | grep ram0

/dev/ram0 16M 13K 16M 1% /mnt/rd

For a detailed look at the new disk

tune2fs -l /dev/ram0

Give yourself access to the disk

chown van:root /mnt/rd

chmod 0770 /mnt/rd

ls -ald /mnt/rd

drwxrwx--- 2 van root 4096 Dec 8 11:09 /mnt/rd

To automate the creation every time you boot put the following into your /etc/rc.d/rc.local file

# Formats, mounts, and sets permissions on my 16MB ramdisk

/sbin/mke2fs -q -m 0 /dev/ram0

/bin/mount /dev/ram0 /mnt/rd

/bin/chown van:root /mnt/rd

/bin/chmod 0750 /mnt/rd

Other links

OtherLinks/tripwire-notes.odt

OtherLinks/Apache-2.2.6-Notes.odt



SELinux Notes ()

Potential to compartmentalize and secure every component of a Linux system

– processes, files, directories, users, devices etc

Instead of the all or nothing idea of root or not root you have LOTS of discretion

Mandatory Access Control (MAC) rather than Discretionary Access Control

Directories, files, etc in SELinux have many more attributes associated with them than in standard

Two different security models

– Type Enforcement

– All Objects are bound to a security attribute called a type

– All process are bound to an attribute called a domain

– Every user is allowed to access objects based on the domain in which they operate

– Role-Based Access Control

– each user operates in a specific role

– roles are arranged in a hierarchy with specific permissions at each level

Files:

/etc/selinux/config

– SELINUX = (disabled, permissive, or enforcing)

– SELINUXTYPE = (targeted, mls (multilevel security))

– targeted limits impact an attack on a single server can have on the system

– /etc/selinux/config/targeted

/usr/sbin/getenforce – report status

/usr/sbin/setenforce – set status

Documentation:

/usr/share/doc/selinux-doc...

/usr/share/doc/selinux-policy

--> cat /usr/share/doc/selinux-policy-3.0.8/example.fc

# myapp executable will have:

# label: system_u:object_r:myapp_exec_t

# MLS sensitivity: s0

# MCS categories:

/usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)

Users:

still have passwd file, root user, etc

Tools:

checkpolicy – looks at policy.conf file if found

yum install setools-gui

/usr/bin/apol

/usr/bin/seaudit

/usr/bin/sediffx

rpm -qa | grep selinux

Desktop Menu Specification

()

Desktops

Two general types of desktop:

“heavyweight” like KDE & GNOME contain desktop & app dev. Frame.

And “plain” that only include desktop

Problem is getting everything to work together

XDG Base directory Specification

$XDG_DATA_HOME user specific data files ($HOME/.local/share)

$XDG_CONFIG_HOME user specific configuration files ($HOME/.config)

$XDG_DATA_DIRS preference-ordered set of directories to search for data files (/usr/local/share/:/usr/share)

$XDG_CONFIG_DIRS preference-ordered set of base directories to search for configuration files in addition to the $XDG_CONFIG_HOME (/etc/xdg)

/etc/xdg/user-dirs.conf

# This controls the behaviour of xdg-user-dirs-update which is run on user login

# You can also have per-user config in ~/.config/user-dirs.conf, or specify

# the XDG_CONFIG_HOME and/or XDG_CONFIG_DIRS to override this

#

enabled=True

~/.config/user-dirs.dirs (default is /etc/xdg/user-dirs.defaults)

XDG_DESKTOP_DIR="$HOME/Desktop"

XDG_DOWNLOAD_DIR="$HOME/downloads"

XDG_TEMPLATES_DIR="$HOME/Templates"

XDG_PUBLICSHARE_DIR="$HOME/Public"

XDG_DOCUMENTS_DIR="$HOME/Documents"

XDG_MUSIC_DIR="$HOME/Music"

XDG_PICTURES_DIR="$HOME/Pictures"

XDG_VIDEOS_DIR="$HOME/Videos"

File locations

$XDG_CONFIG_DIRS/menus/${XDG_MENU_PREFIX}applications.menu

XML definition of the main application menu layout

$XDG_CONFIG_DIRS/menus/applications-merged/

third parties may add new files in this location to create their own sub-menus

$XDG_DATA_DIRS/applications/

a .desktop file for each possible menu item

$XDG_DATA_DIRS/desktop-directories/

directory entries which may be associated with folders in the menu

foo.desktop specifications



look in /usr/share/applications for examples

Extensions to the desktop format above

Categories is a list of strings used to classify menu items

OnlyShowIn a list of strings identifying the environments that should display a given menu item

NotShowIn desktops that should not display an item

Example elements in kde-applications.menu

Applications

kde-unknown.directory

Core

KDE

X-Red-Hat-Base

System Settings

system-settings.menu

X-KDE-KDevelopIDE

kde-development-kdevelop.directory

Development

X-KDE-KDevelopIDE

Misc Review notes

bash scripts

example script:

#!/bin/bash

#add a -v to the line above for debugging

echo "date is $(date +%F)"

echo

dte1='date +%F'

echo "dte1=$dte1"

echo

dte2="date +%F"

echo "dte2=$dte2"

echo

dte3=$(date +%F)

echo "dte3=$dte3"

echo

dte4=`date +%A`

echo "dte4=$dte4"

results:

--> test-src/dt.sh

date is 2008-11-12

dte1=date +%F

dte2=date +%F

dte3=2008-11-12

dte4=Wednesday

– after changing first line to #!/bin/bash -v

--> test-src/dt.sh

#!/bin/bash -v

#add a -v to the line above for debugging

echo "date is $(date +%F)"

date +%F

date is 2008-11-12

echo

dte1='date +%F'

echo "dte1=$dte1"

dte1=date +%F

echo

dte2="date +%F"

echo "dte2=$dte2"

dte2=date +%F

echo

dte3=$(date +%F)

date +%F

echo "dte3=$dte3"

dte3=2008-11-12

echo

dte4=`date +%A`

date +%A

echo "dte4=$dte4"

dte4=Wednesday

a backup bash script

#!/bin/bash

BACKUPDIR="/Gandalf/data/backup/"

ECHODATA="Backup done: "

EXCLUDES="--exclude=Recyled --exclude=recyler --exclude=. --exclude=.. --exclude='*Trash*' --exclude='temp*' --exclude='tmp*'"

#echo -e "\nMoving old backup to previous folder"

rm $BACKUPDIR/previous/*

mv $BACKUPDIR/current/* $BACKUPDIR/previous

echo

echo $BACKUPDATA/current/etc.tgz

tar -zhcf $BACKUPDIR/current/etc.tgz /etc

echo

echo $BACKUPDIR/current/boot.tgz

tar -chzf $BACKUPDIR/current/boot.tgz /boot /Gandalf/FC8/boot --exclude=/boot/boot

echo

echo partion tables

./backup_partition_tables.sh

a backup bash script for disk partitions

#!/bin/bash

BACKUPDIR="/Gandalf/data/backup/current"

echo $BACKUPDIR/MBR_Partion_Tables.tgz

dd if=/dev/sda bs=512 count=1 of=$BACKUPDIR/sda_MBR

dd if=/dev/sdb bs=512 count=1 of=$BACKUPDIR/sdb_MBR

/sbin/fdisk /dev/sda -l > $BACKUPDIR/sda_partition_table.txt

/sbin/fdisk /dev/sdb -l > $BACKUPDIR/sdb_partition_table.txt

tar -czf $BACKUPDIR/MBR_Partition_Tables.tgz $BACKUPDIR/hd* $BACKUPDIR/sd*

rm $BACKUPDIR/hd*

rm $BACKUPDIR/sd*

a file system mounting bash script (mnt)

#!/bin/bash

n=`echo $1 | tr A-Z a-z`

if [ "$0" = "/usr/local/bin/mnt" ]; then

case $n in

"kitchen" | "k" | "belinda" | "b" )

sudo mount -t cifs

'//Ariel/Easy (E)'

/Gandalf/Belinda/Easy

-o credentials=/Gandalf/Laura/configs/.what,uid=500,gid=500;;

"safe" | "s" | "encrypt" | "e" )

encfs /Gandalf/data/.safe /Gandalf/data/safe ;;

"gimli" | "g" )

sudo mount -t cifs "//192.168.1.50/media" /Gimli/media

-o credentials=/Gandalf/Laura/configs/.what,uid=500,gid=500;;

"zeus" | "z" )

sshfs drjohn@zeus:/home/durrett/Ike Gandalf/RemoteSites/Ike ;;

* )

echo "Usage: mnt WhatToMount" ;;

esac

elif [ "$0" = "/usr/local/bin/umnt" ]; then

case $n in

"kitchen" | "k" | "belinda" | "b" )

sudo umount /Gandalf/Belinda/Easy ;

"safe" | "s" | "encrypt" | "e" )

fusermount -u /Gandalf/data/safe ;;

"gimli" | "g" | "gimlidecent" | "go" | "gimliown" | "go" )

sudo umount /Gimli/media ;

"zeus" | "z" )

sudo umount /Gandalf/RemoteSites/Ike ;;

esac

fi

to unmount

ln -s mnt umnt

a bash “data” file

username=drjohn

password=sean

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download