Dr John's Site
Notes from
Fedora Linux Toolbox: 1000+ Commands for Fedora, CentOS, & Red Hat Power Users
Christopher Negus 978-0470082911
last modification: 9/13/21
Amazon Link for 2013 Book
Why, When and How to use a Virtual Machine
Ch1: Starting with Fedora Linux
About:
Fedora
CentOS
Backtrack, now Kali (Documentation for Kali)
DistroWatch
Linux Timeline: (Google linux+distro+timeline)
Comparing
Fedora is the rapid-development, cutting-edge Linux system
Novell SUSE: same basic dual-distribution model as Fedora/Red Hat
Debian: a high-quality Linux distribution
Many derivative Linux distributions: Ubuntu Linux and the KNOPPIX live CD are based on Debian.
Why command line?
GUIs are meant to be easy & intuitive
Almost any time something goes wrong
Remote systems administration
Features not supported by GUI
GUI is broken or not installed
Finding Commands
bash: anycommand: command not found
why?:
You mistyped the command name.
anycommand is not in your PATH.
Might need to be the root user for the command to be in your PATH.
anycommand not installed on your computer.
Command                  Description
type mount               Show the first mount command in PATH.
whereis mount            Show binary, source, and man pages for mount.
locate bash.ps           Find bash.ps anywhere in the file system.
which umount             Find the umount command anywhere in your PATH or aliases.
rpm -qal | grep umount   Find umount in any installed package.
yum whatprovides bzfs    Find out which package provides some feature or file.
yum search somefile      Find any packages matching in the description, summary & package fields.
Command Reference Info
-h or --help
ls --help | less
apropos crontab
whatis cat
man find
info ls
Other Notes
Installing Kali version 1.0.4 (Backtrack 6 ish). Current version as of 9/3/2019 is Kali Linux 2019.3
I had display resolution problems after I did all of this, so it is a work in progress
1. Download the correct iso from here:
2. Open vmware (fusion or workstation)
3. Install kali from iso
I left most stuff at the default install setting except I bumped RAM to 1024
Before you do anything else copy the vmware file to a backup if possible.
4. Log in as root
5. Open terminal
6. apt-get update --fix-missing
7. apt-get install kde-plasma-desktop (from here)
I deviated from the video and set the display manager to kdm
Other instructions can be found here
8. apt-get install yakuake
Up to here it seems to work
9. apt-get install open-vm-tools (from here)
Ended up with 9GB used out of the 20GB I allocated to it
Ch2: Installing and Adding software
USB flash:
Get diskboot.img from one of the online mirrors then execute (of= must be the USB stick's device node, not the system disk; dd overwrites the target without asking):
dd if=/media/cdrom/diskboot.img of=/dev/sda
Choosing how install proceeds:
boot: linux text
Other boot options (p17 -- 10%):
Boot Prompt HOWTO (HOWTO/BootPrompt-HOWTO.html)
nodmraid
noprobe
selinux=0
Installation screens (p18 -- 11%)
Test media, Language, Keyboard, Install or upgrade, Disk partitions, boot loader, network, time zone, root password, software packages, reboot
yum:
repos (p21 -- 12%)
yum list
yum info wordpress
yum search mp3
yum whatprovides ogg123
yum install wordpress
yum groupinstall XFCE
yum update
yum
yum --disablerepo=livna search yum-utils
yum --enablerepo=livna install mplayer
yum --exclude=somepackage update
rpm: (14%)
rpm -ivh some.rpm
rpm -Uvh some.rpm
rpm -e badpackage
rpm -q or -qa or -ql somepackage or rpm -qa | grep ogg
rpm -qi somepackage or -ql somepackage or -qlp some.rpm
Ch 3: Using the shell
Setup:
To get use of the function keys in your virtual machine on a Macbook: in the virtual machine’s settings under keyboard & mouse set Mac Profile
Basic use:
gnome-terminal -x alsamixer Start terminal with alsamixer displayed
xterm
konsole
yakuake
Virtual Terminals
Ctrl-Alt-F1 to F6
ps ps a ps au ps ax ps aw
/etc/inittab & upstart
bash history
history
history 5
!! (run previous command)
Ctrl-r to search for string in history
Command line completion
tracer Command completion: Completes to traceroute command
cd /home/ch File completion: Completes to /home/chris directory
cd ~jo User homedir completion: Completes to /home/john
echo $PA Env variable completion: Completes to $PATH
Redirecting stdin, stdout, stderr
ls /tmp /tmmp
ls /tmp /tmmp > output.txt
ls /tmp /tmmp 2> errors.txt
ls /tmp /tmmp 2> errors.txt > output.txt
ls /tmp >> output.txt
ls /tmp 2> /dev/null
mail chris < /etc/hosts
ls /tmp | sort
ls /tmp/ /tmmp 2> /dev/null | sort
rpm -qa | grep -i sql | wc -l
Using backticks, you can execute one section of a command line first and feed the output of that
command to the rest of the command line. Here are examples:
rpm -qf `which ps`
ls -l `which traceroute`
Misc
pwd, whoami
Using alias
~/.bashrc or /etc/bashrc
alias ll="ls -lh"
alias la="ls -lah"
alias cl="cd /var/log"
alias ct="cd /usr/local/tomcat"
Others
.bashrc
watch cat /proc/loadavg
su
su bob
sudo & /etc/sudoers (root ALL=(ALL) ALL)
Environment variables
export PS1='\e[1A\e[s\e[H\e[37;41;1m\e[K \e[1C\u@\h \e[5C \w \e[5C \d \e[5C [\A] \e[0m\e[u\n--> '
PS1, PS2, PS3, PS4
set & env
export ABC=123
export PATH=$PATH:/home/fcaen
NEVER put . in your PATH (a program of the same name in the current directory would run instead of the command you meant)
Simple shell scripts
debugging
Java scripts
DailyQuote (~/java & ~/Dropbox/Ike/4361/Examples)
/etc/crontab
/etc/cron.daily/newquote
myscript.sh
chmod u+x myscript.sh also talk about file permissions (table 4.1 22% loc 830)
#!/bin/bash
MYSTRING=abc
if [ "$MYSTRING" = abc ] ; then
echo "The variable is abc"
fi
To negate the condition
MYSTRING=abcd
if [ "$MYSTRING" != abc ] ; then
echo "The variable is not abc"
fi
Examples testing for numbers
MYNUMBER=1
if [ $MYNUMBER -eq 1 ] ; then echo "MYNUMBER equals 1"; fi
if [ $MYNUMBER -lt 2 ] ; then echo "MYNUMBER less than 2"; fi
if [ $MYNUMBER -le 1 ] ; then echo "MYNUMBER less than or equal to 1"; fi
if [ $MYNUMBER -gt 0 ] ; then echo "MYNUMBER greater than 0"; fi
if [ $MYNUMBER -ge 1 ] ; then echo "MYNUMBER greater than or equal 1"; fi
Testing File names
filename=$HOME
if [ -e "$filename" ] ; then echo "$filename exists"; fi
if [ -f "$filename" ] ; then
echo "$filename is a regular file"
elif [ -d "$filename" ] ; then
echo "$filename is a directory"
else
echo "I have no idea what $filename is"
fi
Other file test operators (table 3.1 p46 20% loc 728)
case "$VAR" in
string1)
{ action1 };;
string2)
{ action2 };;
*)
{ default action } ;;
esac
for NUMBER in 0 1 2 3 4 5 6 7 8 9
do
echo The number is $NUMBER
done
for FILE in `/bin/ls`; do echo $FILE; done
x=1
while [ $x -le 5 ]
do
echo "Welcome $x times"
x=$(( $x + 1 ))
done
VAR=0
until [ $VAR -eq 3 ]; do echo $VAR; VAR=$[$VAR+1]; done
---------------
#!/bin/bash
#simple script to show command line args and if test
echo $0
echo $1
echo $2
if [ "$1" ]; then
echo string not empty
else
echo string empty
fi
Debugging
bash -x myscript.sh
Debugging on part(s) of the script:
.
set -x # activate debugging from here
w      # the command(s) to trace
set +x # stop debugging from here
and yes it is weird that it is backwards: - is on, + is off
The Bash Guide for Beginners
& man bash
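As an added example (my code, not from the book or these notes), the string, number and file tests, case, for and while constructs above combined into one runnable script; the function names and the scratch directory it builds are constructed for the example.

```shell
#!/bin/bash
# Added example (not from the book): the string, number and file tests, case,
# for, while and $(( )) arithmetic from the notes above, put together into a
# small path-checking script. Function names and the scratch directory are
# constructed for this example.

# classify_path PATH -> prints one of: symlink, directory, regular, other, missing
# (order matters: -d and -f follow symlinks, so -L is tested first)
classify_path() {
    p=$1
    if [ -L "$p" ]; then
        echo symlink
    elif [ -d "$p" ]; then
        echo directory
    elif [ -f "$p" ]; then
        echo regular
    elif [ -e "$p" ]; then
        echo other       # device, named pipe, socket ...
    else
        echo missing
    fi
}

# access_word PATH -> writable / readonly / noaccess for the current user
access_word() {
    if [ -w "$1" ]; then
        echo writable
    elif [ -r "$1" ]; then
        echo readonly
    else
        echo noaccess
    fi
}

# describe PATH -> one report line, chosen with case on the classification
describe() {
    p=$1
    kind=$(classify_path "$p")
    case "$kind" in
        directory) echo "$p: directory, $(access_word "$p")" ;;
        regular)   echo "$p: regular file, $(wc -c < "$p" | tr -d ' ') bytes" ;;
        symlink)   echo "$p: symlink -> $(readlink "$p")" ;;
        missing)   echo "$p: does not exist" ;;
        *)         echo "$p: special file (device, pipe or socket)" ;;
    esac
}

# count_missing PATH... -> how many of the arguments do not exist
# (while loop over "$#", -gt numeric test, $(( )) arithmetic, shift)
count_missing() {
    n=0
    while [ $# -gt 0 ]; do
        if [ ! -e "$1" ]; then
            n=$(( n + 1 ))
        fi
        shift
    done
    echo "$n"
}

# Demo run: pass a directory as $1 to check it, otherwise a scratch directory
# with a file, a subdirectory and a symlink is constructed and removed again.
if [ -n "$1" ]; then
    scratch=$1
    cleanup=no
else
    scratch=$(mktemp -d)
    cleanup=yes
    echo "hello" > "$scratch/note.txt"
    mkdir "$scratch/sub"
    ln -s note.txt "$scratch/link"
fi
for p in "$scratch"/* "$scratch/absent"; do
    describe "$p"
done
echo "missing: $(count_missing "$scratch/note.txt" "$scratch/absent" "$scratch/nope")"
if [ "$cleanup" = yes ]; then
    rm -rf "$scratch"
fi
```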
DrJohn other useful things:
yakuake
fuse rpms
encfs ~/.data ~/data
sshfs bob@jrdoffice:/home/bob/Ike /Gandalf/RemoteSites/Ike
sudo mount -t cifs '//Ariel/Easy' ~/Easy -o credentials=/Gandalf/configs/.what,uid=500,gid=500
subnet scans
sudo ping -b 10.0.1.0
sudo nmap -v 10.0.1.0/16
Ch 4: Working with Files
Everything in a Linux file system can be viewed as a file (data files, directories, devices, pipes, etc)
Regular files: (20% loc 764)
file somefilename --determine type of file
touch /home/bob/newfile.ext -- create blank file
> /home/bob/newfile.txt -- create blank file
ls -l /usr/bin/apropos
file /usr/bin/whatis
file /bin/ls
directories
mkdir
x permission must be on or users cannot use the directory as their current directory
umask umask -S (23% loc 852)
Symbolic & Hard Links
ln -s /path/somefile.txt /newpath/symlink.txt
symbolic link -- own set of permissions, can exist on different partitions, new inode number
ln /path/file.txt /newpath/hardlink.txt
hard link – same permissions, cannot exist on different partitions, same inode number
ls -li --show all info and inode numbers
symlinks ./ -- show all symbolic links in current dir
symlinks -r ./
symlinks -rv ./
device files overview only (21% loc 800)
named pipes & sockets overview only (22% loc 807)
Permissions (Table 4.1 22% loc 830)
421 421 421 -- rwx rwx rwx -- user group other
command          original     new
chmod 0700       any          rwx------
chmod 0711       any          rwx--x--x
chmod go+r       rwx------    rwxr--r--
chmod 0777       any          rwxrwxrwx
chmod a=rwx      any          rwxrwxrwx
chmod a+rwx      any          rwxrwxrwx
chmod -R 700     recursive
first 0 in all above = special bits: set-UID = 4, set-GID = 2, sticky = 1
set-UID will not work for shell scripts (the kernel ignores it on interpreted scripts)
lsattr, chattr -- only on ext2, ext3, ext4 file systems (24% loc 900)
attributes: a (append only), c (compressed), d (no dump), i (immutable), j (data journaling), s (secure deletion), t (no merging), u (undeletable), A (no atime updates), D (synchronous directory updates), S (synchronous updates), T (top of directory hierarchy)
chattr +A somefile
good to check the attributes once in a while for security purposes
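Added example (my code, not from the book): the special digit in front of the rwx triplets worked out in shell arithmetic so that 4755, 2750 or 1777 can be read off as the s/S/t/T letters ls -l shows, plus the periodic check the note above recommends, here as a find for files carrying set-UID or set-GID. Function names and the scratch directory are constructed for the example; find -printf and the octal-mode check assume GNU find.

```shell
# Added example (not from the book): numeric chmod mode -> ls -l letters,
# including the set-UID (4) / set-GID (2) / sticky (1) digit, and an audit
# of a tree for set-UID/set-GID files. Constructed function names.

# mode_to_symbolic MODE -> e.g. 4755 -> rwsr-xr-x, 2750 -> rwxr-s---, 1777 -> rwxrwxrwt
# An uppercase S or T means the special bit is set but the matching x bit is not.
mode_to_symbolic() {
    m=$(( 0$1 ))                  # leading 0 makes the shell parse the digits as octal
    special=$(( (m >> 9) & 7 ))   # the 4/2/1 digit in front of the three rwx triplets
    out=""
    i=2                           # 2 = user, 1 = group, 0 = other
    while [ "$i" -ge 0 ]; do
        bits=$(( (m >> (i * 3)) & 7 ))
        r=-; w=-; x=-
        if [ $(( bits & 4 )) -ne 0 ]; then r=r; fi
        if [ $(( bits & 2 )) -ne 0 ]; then w=w; fi
        if [ $(( bits & 1 )) -ne 0 ]; then x=x; fi
        # set-UID lands on the user triplet, set-GID on group, sticky on other
        if [ $(( (special >> i) & 1 )) -ne 0 ]; then
            if [ "$i" -eq 0 ]; then letter=t; else letter=s; fi
            if [ "$x" = x ]; then x=$letter; else x=$(printf '%s' "$letter" | tr a-z A-Z); fi
        fi
        out="$out$r$w$x"
        i=$(( i - 1 ))
    done
    echo "$out"
}

# special_bits MODE -> names of the special bits set in MODE, "none" if there are none
special_bits() {
    m=$(( 0$1 ))
    names=""
    if [ $(( m & 04000 )) -ne 0 ]; then names="$names set-UID"; fi
    if [ $(( m & 02000 )) -ne 0 ]; then names="$names set-GID"; fi
    if [ $(( m & 01000 )) -ne 0 ]; then names="$names sticky"; fi
    echo "${names:-none}" | sed 's/^ //'
}

# list_special DIR -> regular files under DIR (one file system, -xdev) that have
# set-UID or set-GID set, printed as "MODE PATH" (GNU find -printf)
list_special() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %p\n' | sort
}

# Demo: a few modes, then a scratch file chmod'ed 4755 so ls -l can be compared
# with mode_to_symbolic and list_special can find it.
for mode in 0700 0711 0755 4755 2750 1777 4644; do
    printf '%s -> %s  (%s)\n' "$mode" "$(mode_to_symbolic "$mode")" "$(special_bits "$mode")"
done
scratch=$(mktemp -d)
touch "$scratch/tool"
chmod 4755 "$scratch/tool"
echo "ls -l says: $(ls -l "$scratch/tool" | cut -c2-10)"
echo "set-UID/set-GID files under $scratch:"
list_special "$scratch"
rm -rf "$scratch"
```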
Ownership
chown bob test/
chown bob:bob
chown -R bob / -- recursive (as written this would reassign every file on the system; point it at the directory you actually mean)
traversing file system
cd or cd ~ -- change to user home directory
cd - -- change to previous directory
cd /tmp -- change to tmp off of root
cd tmp -- change to tmp off of current dir
cd .. -- change to parent dir
Copying files
cp -a /var/www/html /backupdisk
cp -R /var/www/html /backupdisk
backup methods
dd (24% loc 879)
as root:
dd if=/dev/sdg bs=512 count=1 of=$BACKUPDIR/sdg_MBR
/sbin/fdisk /dev/hda -l > $BACKUPDIR/hda_partition_table.txt
Searching for files (25 % loc 917)
updatedb
/etc/updatedb.conf
locate & locate -i & locate -r (regular expression)
which
find / -name e100 (25% loc 925)
Other options for files
ls -l, ls -la, ls -t, ls -i etc (26% loc 955)
alias ll="ls -lh"
alias la="ls -lah"
alias cl="cd /var/log"
md5sum someFile.txt (26% loc 964)
sha1sum someFile.txt
sha1sum -c SHA1SUM.txt
lsof ---list open files
filelight ---diskusage
tripwire
Ch 5: Manipulating Text
Regular Expressions
a* zero or more a's; as an unanchored grep pattern it matches a, ab, abc, aefopq
. any single character. a.c matches abc adc aqc
[ ] Matches a single character in the brackets a[bcd]e abe ace ade
[^ ] Matches a single character not in the brackets a[^bc]e aqe ade
^a a at the beginning of a line
a$ a at the end of a line
a.c three character string starting with a and ending with c
[bcf]at bat, cat, or fat
[a-d]at aat, bat, dat ...
[A-D]at Aat ...
1[3-5]7 137, 147, 157
\tHello a tab character preceding the word Hello
\.[tT][xX][Tt] txt, Txt, TXt ...
Editing text files
vi, vim (), joe, emacs, pico, nano
Listing text files
cat myfile.txt
cat myfile.txt > newcopy.txt
cat myfile.txt >> append.txt
cat -s myfile.txt display consecutive blank lines as one
cat -n myfile.txt show numbers on lines
cat -b myfile.txt show numbers on non blank lines
head myfile
cat myfile | head
head -n 10 myfile
ps auxw | head -10
tail myfile
tail -n 25 myfile
tail -f /var/log/httpd/access_log watch web server log continuously
more myfile.txt
less myfile.txt
/bob search for a string (bob) in a file
/ repeat search
pr quick text formatting tool
rpm -qa | sort | pr --column=2 | less
Searching for text
grep francois myfile.txt
grep 404 /var/log/httpd/access_log
ps auwx | grep init
ps auwx | grep "\[*\]"
grep -Rn xdg /etc - directory tree with line numbers in result
Sorting output
rpm -qa | grep kernel | sort
rpm -qa | grep kernel | sort -r reverse order
ps auxw | sort -k 4,4
ps auxw | sort -k 2,2n
Replacing text with sed
cat myfile.txt | sed s/christopher/chris/
sed s/christopher/chris/ < myfile.txt > newmyfile.txt
Checking for differences between files with diff
diff /etc/named.conf.rpmnew /etc/named.conf
diff -u f1.txt f2.txt -- adds modification dates and times to output
seq 1 15 > f1.txt
sed s/4/four/ < f1.txt > f2.txt
vimdiff f1.txt f2.txt -- opens files side by side in vim
Using awk to process columns
ps auxw | awk '{print $1, $11}' --only show columns 1 & 11 (the comma keeps a space between them)
ps auxw | awk '/bob/ {print $1, $11}' --show bob's processes
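Added example (my code, not from the book): the grep, sort, sed and awk tools of this chapter applied to web server log lines, taking the "grep 404 access_log" idea above a step further to count error sources and the paths they asked for. The log lines are constructed for the example (documentation IP ranges); the function names are mine.

```shell
# Added example (not from the book): regex/grep/sort/sed/awk from this chapter
# run over constructed Apache combined-format log lines. In that format awk's
# $1 is the client address, $7 the request path and $9 the status code.

# make_sample_log PATH -> writes the constructed sample lines to PATH
make_sample_log() {
cat > "$1" <<'EOF'
192.0.2.10 - - [01/Oct/2008:17:50:01 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Oct/2008:17:50:02 -0500] "GET /admin/ HTTP/1.1" 404 287 "-" "curl/7.19"
192.0.2.10 - - [01/Oct/2008:17:50:02 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 287 "-" "curl/7.19"
192.0.2.10 - - [01/Oct/2008:17:50:03 -0500] "GET /wp-login.php HTTP/1.1" 404 287 "-" "curl/7.19"
198.51.100.7 - - [01/Oct/2008:17:51:10 -0500] "GET /docs/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2008:17:51:12 -0500] "GET /docs/old.html HTTP/1.1" 404 287 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2008:17:52:40 -0500] "POST /cgi-bin/form.cgi HTTP/1.1" 500 612 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2008:17:52:41 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
EOF
}

# status_counts LOG -> "STATUS COUNT" per status code, sorted by code
status_counts() {
    awk '{ n[$9]++ } END { for (s in n) print s, n[s] }' "$1" | sort -n
}

# top_404_sources LOG N -> the N client addresses with the most 404s, as "IP COUNT"
# (the grep anchors on the closing quote so a 404 byte count cannot match)
top_404_sources() {
    grep -E '" 404 ' "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | head -n "$2" | awk '{ print $2, $1 }'
}

# not_found_paths LOG IP -> the paths IP requested that returned 404, in log order
not_found_paths() {
    awk -v ip="$2" '$1 == ip && $9 == 404 { print $7 }' "$1"
}

# errors_by_minute LOG -> "HH:MM COUNT" for 4xx/5xx lines; sed keeps only the
# hour and minute out of the [day/Mon/year:HH:MM:SS zone] field
errors_by_minute() {
    awk '$9 >= 400' "$1" \
        | sed -E 's/^.*\[[^:]*:([0-9]{2}:[0-9]{2}):[0-9]{2} [^]]*\].*$/\1/' \
        | sort | uniq -c | awk '{ print $2, $1 }'
}

# Demo over the constructed log
LOG=$(mktemp)
make_sample_log "$LOG"
echo "status codes:";          status_counts "$LOG"
echo "top 404 sources:";       top_404_sources "$LOG" 2
echo "192.0.2.10 got 404 for:"; not_found_paths "$LOG" 192.0.2.10
echo "errors per minute:";     errors_by_minute "$LOG"
rm -f "$LOG"
```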
Converting text files to different Formats
unix2dos < f1.txt > f2.txt
dos2unix < f2.txt > f1.txt
Other
Book Excerpt: A Practical Guide to Fedora and Red Hat Enterprise Linux
Ch 6: Multimedia
To split avi (or other video) files: Online Documentation
ffmpeg -ss 01:09:12 -t 01:15:23 -i Family-19970512-19971225.avi ./19970702.avi
To join avi (or other video) files: Online Documentation
mencoder -ovc copy -oac copy -o 19950326-BelindaTap.avi 19950326-BelindaTap-1.avi \
19950326-BelindaTap-2.avi
To convert between types of video (Do not use on DRM files!)
transcode -y xvid -Z 720 -b 224 -i VTS_03_1.VOB -o newfile.avi
transcode -y xvid -Z 720 -b 224 -i oldfile.mpg -o newfile.avi
works ok but you lose 5.1 surround
Handbrake
Brief Audio tools
play -h
play somesong.wav
play hi.au vol .6
ogg123 mysong.ogg
ogg123 -z *.ogg --play in random order
ogg123 -Z *.ogg -- play in random order forever
ogg123 /home/bob/music -- play music in music and subdirectories
mpg321 mysong.mp3
mpg321 -@ myplaylist
alsamixer
alsamixergui
cdparanoia -vsQ -- is CD drive capable of ripping music
cdparanoia -B -- rip tracks as wav files by track name
cdparanoia -B "5-7" -- rip tracks 5, 6, 7 as separate files
oggenc mysong.wav -- encodes mysong from wav to ogg
oggenc ab.flac -o ab.ogg -- encodes flac to ogg
oggenc song.wav -q 9 -- raises quality level from default of 3 to 9
oggenc song.wav -o song.ogg -a Bernstein -G Classical -d 06/05/1972 -t "Simple Song" \
-l "Album Name" -c info="From Kennedy Center"
-- sox the Swiss army knife of audio manipulation (Online Documentation)
sox head.wav tail.wav output.wav -- concatenate two wav files
sox sound1.wav -a stat -- display information about the file
Ch 7: Administering File Systems
Basic File system partitions (three basic types)
swap, boot, root
ext3 == ext2 + journaling
linux supports ext4, ext3, ext2, iso9660, jffs2, jfs, msdos, ntfs, squashfs, swap, ufs, vfat, xfs
others nfs, sshfs, encfs, cifs & others (FUSE)
Partitioning:
install: used to be called Disk Druid
fdisk or parted
fdisk
/sbin/fdisk -l -- shows all partitions
(After Fedora 7 all IDE, SCSI, & SATA use /dev/sd..)
(newer Fedoras use the UUID -- see the /etc/fstab file & /dev/disk)
/sbin/fdisk -l /dev/sda
/sbin/fdisk /dev/sda --work on a particular disc
m --gets command listing
n --new partition (assumes ext3 type unless told otherwise)
d --delete partition
w --write changed info to disc (BE CAREFUL!)
parted
newer more functionality
GUI: gparted or qtparted
sudo /sbin/parted -l /dev/sda
Model: ATA ST31000340AS (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Number  Start   End    Size   Type     File system  Flags
 1      32.3kB  215GB  215GB  primary  ext3         boot
 2      215GB   429GB  215GB  primary  ext3
changes immediately written to disk!
man parted shows brief listing info parted much more complete
in parted session help shows commands, mkpart creates new partition
both following will usually destroy file systems!
resize 2 will resize linux partitions (#2)
use the ntfsresize command to resize ntfs partitions
ntfsinfo
Both tools above only change the partition table; they do not format the partition
mkfs -t ext3 /dev/sda1
mkfs -t ext3 -v -c /dev/sda1 -- more verbose output and check for bad blocks
mkfs -t ntfs /dev/sda2
-- always put -t filesystemtype first
Working with existing partitions
Backup / Restore
sudo /sbin/sfdisk -d /dev/sda
# partition table of /dev/sda
unit: sectors
/dev/sda1 : start=        63, size=419424957, Id=83, bootable
/dev/sda2 : start=419425020, size=419425020, Id=83
/dev/sda3 : start=         0, size=        0, Id= 0
/dev/sda4 : start=         0, size=        0, Id= 0
-- d option above formats output for later restoration (save it with sfdisk -d /dev/sda > sda-part-table)
/sbin/sfdisk /dev/sda < sda-part-table -- restore
/sbin/sfdisk -d /dev/sda | /sbin/sfdisk /dev/sdb -- copy the partition table to a new disk
Changing partition label
sudo /sbin/e2label /dev/sda1 yields /
sudo /sbin/e2label /dev/sda2 yields /1
/sbin/e2label /dev/sda2 /newlabel
Virtual File System
portable, liveCD, virtual OS
dd if=/dev/zero of=mydisk count=2048000
du -sh mydisk & df -h (see below for more on both)
1001M mydisk
/sbin/mkfs -t ext3 mydisk
lots of info output
mkdir test
sudo mount -o loop mydisk test
mount
/home/bob/mydisk on /home/bob/test type ext3 (rw,loop=/dev/loop0)
Viewing & Changing file system attributes
sudo /sbin/tune2fs -l /dev/sda1 (or dumpe2fs)
lots of information
man tune2fs
-c set maximal count before fsck
-j turn ext2 fs into ext3 by adding journaling
swap partitions
mkswap /dev/sda3
virtual partition as swap
dd if=/dev/zero of=/tmp/swapfile count=65536
chmod 600 /tmp/swapfile
mkswap /tmp/swapfile
swapon
swapoff
swapon -s
Mounting filesystems
/etc/fstab
LABEL=/          /               ext3    defaults        1 1
devpts           /dev/pts        devpts  gid=5,mode=620  0 0
sysfs            /sys            sysfs   defaults        0 0
proc             /proc           proc    defaults        0 0
LABEL=SWAP-sdc1  swap            swap    defaults        0 0
/dev/sdf1        /Gandalf/WinXP  ntfs    defaults        0 0
device           mountpoint      type    options (-o)    dump checkorder
pseudo filesystems
mount -o options
mount
mount, mount -t ext3, mount | sort, mount -l (labels)
mount -t ext3 /dev/sda1 /Gandalf/Belinda -o <options from the list below>
ro, rw, uid=xxx, gid=xxx, noexec, ...
--bind (new additional location), --move
mount -v -o loop -t iso9660 diskboot.img ~/diskimg
mount -v -o loop local.iso ~/imgdir
/sbin/losetup -a -- show loopback device status
Unmounting filesystems
umount -v /dev/sda1
umount -v /Gandalf/Belinda
device is busy
/usr/sbin/lsof | grep mountpoint
Checking file systems badblocks & fsck
/sbin/badblocks -v /dev/sdc1 readonly test
/sbin/badblocks -vsn /dev/sdc1 non destructive read write test (slowest)
/sbin/badblocks -vsw /dev/sdc1 faster destructive read write test
fsck /dev/sda1
/sbin/fsck -TV /dev/sda1 do not display fsck version and be verbose
/sbin/fsck -TVy /dev/sda1 yes to all 'do I fix' questions
File system use
df -h usage summary in human readable mode
df -hi inode use also
df -hl only display local file systems
df -hT show file system type also
du -h /home/bob disk use of my home directory
du -h /home must be root
du -sh / summarize results
du -sch /home /data /usr/local multiple dirs
du -sh --exclude='*.iso' /home/bob exclude iso files from results & summarize
Ch 8: Backups & Removable Media
tape archive: tar
[-]A --catenate --concatenate
[-]c --create
[-]d --diff --compare
[-]r --append
[-]t --list
[-]u --update
[-]x --extract --get
-j --compress using bzip2
-z --compress using gzip
-v --verbose output
tar c *.txt | gzip -c > myfiles.tar.gz -- make tar archive then gzip it
tar czvf myfiles.tar.gz *.txt -- same thing
gunzip myfiles.tar.gz | tar x -- unzip then extract
gunzip myfiles.tar.gz ; tar xf myfiles.tar
tar xzvf myfiles.tar.gz
tar tvf myfiles.tar -- list files in archive
tar -tzvf myfiles.tgz -- list files in gzip compressed archive
tar -Af archive1.tar archive2.tar -- adds archive2 to archive1
tar --delete file1.txt myfiles.tar -- deletes file from archive
compression tools
lzop, gzip, bzip2 -- in order from fastest / least compression
rar x -- extract
rar a -- add file
tar cjvf myfiles.tar.bz2 *.txt
tar xjvf myfiles.tar.bz2
gzip myfile -- gzips myfile into myfile.gz
gzip -v myfile -- verbose output
gzip -tv myfile.gz -- tests integrity of file
gzip -lv myfile.gz -- get detailed information
gzip -rv mydir -- compress all files in directory
bzip2 myfile -- myfile into myfile.bz2
bzip2 -v myfile
bunzip2 myfile.bz2
bzip2 -d myfile.bz2
bzip2 -vd myfile.bz2
backing up over network with ssh
rsnapshot via yum install rsnapshot
mkdir mybackup ; cd mybackup
ssh bob@server1 'tar cf - myfile*' | tar xvf - -- IN: all files beginning with myfile are copied from the server into the local mybackup dir
tar cf - myfile* | ssh bob@server1 'cd /home/bob/myfolder ; tar xvf -' -- OUT
ssh bob@server1 'tar czf - myfile*' | cat > myfiles.tgz -- IN, kept as a compressed archive
tar czvf - myfile* | ssh bob@server1 'cat > myfiles.tgz' -- OUT
backing up files over network with rsync (Detailed rsync reference)
rsync -a source/ destination/ -- equal to cp -a source/. destination/
rsync -a -e ssh source/ username@:/path/to/destination/
-- the -e option specifies the remote shell to use
rsync -a a b -- assuming there is a file a/foo this gives a file b/a/foo
rsync -a a/ b -- gives b/foo; point is the trailing slash matters, but only on the source
rsync -a --delete source/ destination/ -- any files in destination/ but not in source/ are deleted
-- create test-src, test-dest, test-src/somefiles
rsync --delete --backup --backup-dir=bk-`date +%A` -avz test-src/ test-dest/$(date +%F)
-- mirrors remote pics directory on local system (-a run in archive mode, -v verbose, -z compresses files, --delete remove any local files not still on server)
rsync -avz --delete bob@server1:/home/bob/pics bobspics
-- creates /var/backups/backup-Monday etc
mkdir /var/backups
rsync --delete --backup --backup-dir=/var/backups/backup-`date +%A` \
-avz bob@server1:/home/bob/Personal/ /var/backups/current-backup/
-- create hard links instead of duplicate files (--link-dest option)
rm -rf /var/backups/backup-old/
mv /var/backups/backup-current/ /var/backups/backup-old/
rsync --delete --link-dest=/var/backups/backup-old/ -avz bob@server1:/home/bob/Personal \
/var/backups/backup-current/
-- longer script can be found here:
backing up with unison
-- rsync assumes that the machine being backed up is the only one where data is being modified
-- when you have 2 (i.e. desktop & laptop) unison is better
yum install unison
unison /home/bob ssh://bob@server1//home/bob
unison /home/bob /mnt/backups/bob-home
-- to force unison to run in command line mode (-ui text)
unison /home/bob ssh://bob@server1//home/bob -ui text
-- will prompt for y on every change. If you trust unison to find newest file use -auto
unison /home/bob ssh://bob@server1//home/bob -auto
-- no man pages
unison -help
unison -doc all | less
Backing up to removable media
mkisofs -o home.iso /home -- all files in DOS 8.3 naming mode
mkisofs -o home2.iso -J -R /home --Add Joliet & Rock Ridge extensions
mkisofs -o home3.iso -J -R music/ pics/ docs/ -- multiple dirs or files
-- /var/pics becomes /home/bob/Pictures on cd image
mkisofs -o home.iso -J -R -graft-points Pictures/=/var/pics/ /home/bob
-- add more information to ISO
mkisofs -o home.iso -R -J -publisher "Bob Thomas" -V "WebBackup" \
-A "mkisofs" -volset "1 of 4 backups, September 22, 2008" /home/bob
volname home.iso -- display volume name
isoinfo -d -i home.iso -- display all header information
mkdir /home/bob/test
mount -o loop home.iso /home/bob/test -- mount image in test dir
umount /home/bob/test
Burning to CD/DVD
cdrecord --scanbus -- shows information on CD/DVD drive(s)
cdrecord -dummy home.iso -- test burn without doing anything
cdrecord -v home.iso
cdrecord -v -eject home.iso
-- multisession using growisofs
growisofs -z /dev/sr0 -R -J /home/bob --Master & burn to DVD
growisofs -z /dev/sr0 -R -J /home/belinda -- Add to burn
growisofs -M /dev/sr0=/dev/zero -- Close burn
growisofs -dvd-compat -z /dev/sr0=home.iso -- burn image to DVD
CH 9: Checking and Managing Running Processes
Viewing active processes with ps
ps --help -- brief list of options
ps -A or ps -e -- list all processes
ps -x -- list processes without controlling ttys
ps -u bob -- for user bob
ps -auwwx -- every process unlimited width BSD style
ps -ejH -- hierarchy with process/session ids
ps -axjf --
ps -ef --forest --
pstree
custom output with the -o option page 151
Active processes with top
top -- show processes
top -d 5 -- change update delay from 3 to 5 sec
top -u bob -- show for user bob
top -n 10 -- update 10 times then quit
top -b -- run in non-interactive mode, good for file directed output
Finding processes using pgrep
pgrep init -- yields ... why 3?
1
3204
3205
pgrep -l init -- long listing
1 init
3204 start_kdeinit
3205 kdeinit
Using fuser to find processes
sudo /sbin/fuser -mauv /home/bob -- show all processes with anything in /home/bob open
-- m show processes with a file open under the given path, v verbose, a all processes, u show the owning user
sudo /sbin/fuser -k /boot -- kill every process that has anything in /boot open
nice
-- sets process priority, regular user 19 (way low) to -20 (way high)
-- merely a suggestion
nice -n 12 gimp -- launch gimp with low priority
renice +2 -u bob -- set bob's process to lower priority
Running processes in background or forground with fg, bg, & jobs
open terminal, type gimp -- run gimp in foreground, will die if you close the terminal
type gimp & -- run gimp in background, ditto
Ctrl+Z -- in a running foreground process will stop it and put it in the background
jobs -- will list running processes in that terminal
bg 1 -- will put job 1 in the background
fg 1 -- will put job 1 in the foreground
Ctrl+C -- kills the current fg process
Ctrl+D -- kills (logs out of) the terminal session
jobs -l -- long listing of all fg & bg process for current terminal session
kill & killall
ps -aux
kill 28665 -- send SIGTERM to process with PID of 28665
kill -9 4985 -- send SIGKILL to process with PID of 4985 (careful, no shutdown)
killall spamd -- kill all spamd running
Running processes away from the current shell
nohup gimp & -- run gimp immune to hangup, so it keeps running after the terminal is closed
Scheduling processes to run
at now +1 min
at>updatedb
at>Ctrl+d
at teatime
at now +5 days
at 10/05/08
atq -- query for jobs in queue
crontab -e -- create a crontab for current user and open in vi or vim
/etc/crontab -- minute, hour, day, month, & day of week
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
-- simply link or put the script you want to run in one of the directories above
Ch 10: Managing the System
Focus in on Monitoring Resources in use
files in /proc (sudo ls -lah /proc)
might have to install the sysstat package
Memory Use:
free (-m in megabytes, -g in gigabytes, -s 5 continuously display every 5 seconds)
free -m
             total       used       free     shared    buffers     cached
Mem:          8008       4846       3161          0        141       3793
-/+ buffers/cache:        912       7095
Swap:        16002          0      16002
top -- Shift M
vmstat -- view memory use over time
vmstat 3 -- update every three seconds
man vmstat -- field descriptions; watch for an io backlog when lots of memory is in use, and for wasted CPU time
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
CPU Usage:
iostat -c 3 -- update every 3 seconds
Linux 2.6.25.14-69.fc8 (Gandalf)   10/01/2008
avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           1.94    1.23    1.04    0.88    0.00   94.91
iostat -c -t -- print with time stamp
man iostat -- for listing of fields displayed
--> dstat -t -c 3 -- colors for different types of data
-----time----- ----total-cpu-usage----
  date/time   |usr sys idl wai hiq siq
01-10 17:08:41|  3   1  95   1   0   0
01-10 17:08:44|  0   1  99   0   0   0
01-10 17:08:47|  2   1  97   0   0   0
01-10 17:08:50|  0   1  99   0   0   0
01-10 17:08:53|  0   1  99   0   0   0
01-10 17:08:56|  0   1  99   0   0   0
01-10 17:08:58|  0   1  99   0   0   0
cat /proc/cpuinfo -- lots of info about processor(s)
flags line show features cpu supports
Storage Devices
du & df
iostat -d
Linux 2.6.25.14-69.fc8 (Gandalf)   10/01/2008
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
sda               7.76       214.40       182.76    6445638    5494280
/usr/sbin/lsof -- all open files (lots)
lsof -c bash -- files open by bash shells
lsof -d cwd -- all directories open as current working dir in bash
lsof /dev/sda1 -- anything open on that filesystem
lsof /Gandalf/data -- anything open in that directory structure (and subs)
Mastering Time
system-config-date -- date, ntpd, timezone, etc gui
cat /etc/sysconfig/clock
# The ZONE parameter is only evaluated by system-config-date.
# The time zone of the system is defined by the contents of /etc/localtime.
ZONE="America/Chicago"
UTC=false
ARC=false
/usr/share/zoneinfo/America/Chicago -- time zone info
cp or ln -s above to /etc/localtime
--> date
Wed Oct 1 17:50:55 CDT 2008
--> date '+%A %B %d %G'
Wednesday October 01 2008
--> date --date='8 months 3 days'
Thu Jun 4 17:51:50 CDT 2009
date 081215212008 -- set date to Aug 12, 2:21pm 2008
cal -- show calendar
    October 2008
Su Mo Tu We Th Fr Sa
          1  2  3  4
 5  6  7  8  9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31
--> cal 2009
                            2009
       January               February               March
Su Mo Tu We Th Fr Sa  Su Mo Tu We Th Fr Sa  Su Mo Tu We Th Fr Sa
             1  2  3   1  2  3  4  5  6  7   1  2  3  4  5  6  7
 4  5  6  7  8  9 10   8  9 10 11 12 13 14   8  9 10 11 12 13 14
11 12 13 14 15 16 17  15 16 17 18 19 20 21  15 16 17 18 19 20 21
18 19 20 21 22 23 24  22 23 24 25 26 27 28  22 23 24 25 26 27 28
25 26 27 28 29 30 31                        29 30 31
/sbin/hwclock -r -- display current CMOS hardware clock setting
/sbin/hwclock --hctosys -- set system clock from hardware clock (root)
Using Network Time Protocol
yum install ntp -- (the package is ntp; ntpd is the daemon/service name)
service ntpd start
chkconfig ntpd on
/etc/sysconfig/ntpd -- main config file
SYNC_HWCLOCK=no -- set to yes to sync
-- problem is why would you want to run a time server ?
ntpd -qg -- q says quit after syncing, g says don't panic for way off
Managing the boot process
A detailed look at the fedora boot process
BIOS
MBR on "first" bootable partition
GRUB
/boot/grub/grub.conf -- other configs are symbolic links to this
kernel
kernel needs root file system to load modules (block devices, etc)
devices drivers are on root file system so how does kernel get them ?
a small initial ram disk (initrd)
init process
/etc/inittab -- runlevel, etc
/boot/grub/grub.conf -- lots of other kernel boot options (table 2-1)
default=1
timeout=5
splashimage=(hd1,0)/boot/grub/splash.xpm.gz
title Fedora (2.6.26.3-14.fc8)
root (hd1,0)
kernel /boot/vmlinuz-2.6.26.3-14.fc8 ro root=LABEL=/ rhgb init=/sbin/bootchartd
initrd /boot/initrd-2.6.26.3-14.fc8.img
grub-install /dev/sda -- reinstall grub
mkinitrd ... -- recreate initial ram disk
Startup & Run Levels
/sbin/runlevel -- display current and previous
init 5 or 3 etc -- change runlevel
init q -- process changes in inittab (mostly for gettys)
/sbin/chkconfig --list, smb on, --add , --level ....
/sbin/service smb -- show usage statement
service smb restart -- etc
/etc/rc.d/rc
systemd
see /etc/systemd and /lib/systemd files
man systemctl
The Kernel
uname
dmesg
lsmod
modinfo pata_acpi
/sbin/modprobe -l | grep c-qcam
modprobe c-qcam
modprobe -r c-qcam
/etc/sysctl.conf -- Kernel sysctl configuration file for Red Hat Linux
/sbin/sysctl -a | less -- list all kernel parameters
sudo /sbin/dmidecode -- list info about all hardware
sudo /sbin/hdparm /dev/sda -- view and change information relating to hard drive
Ch 11: Managing Network Connections
GUI based tools
Network Configuration via GUI works mostly
Gnome-System-->Administration-->Network
Troubleshooting
Start at bottom of TCP/IP stack
1 - Check cables on local card and on routers/gateway etc
2 - Check that card is properly installed and has the correct drivers
3 - Check the settings for the card to make sure you do not have mismatches
4 - If all else fails get a NIC that is supported in Linux
Checking Links
/sbin/ethtool -- lots of help info
/sbin/ethtool | less -- nothing because help output goes to stderr (ethtool 2>&1 | less)
sudo /sbin/ethtool eth1 -- settings for eth1
Settings for eth1:
        Supported ports: [ MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised auto-negotiation: Yes
        Speed: 100Mb/s
        Duplex: Full
        Port: MII
        PHYAD: 2
        Transceiver: external
        Auto-negotiation: on
        Supports Wake-on: g
        Wake-on: d
        Link detected: yes
sudo /sbin/ethtool -i eth1 -- driver information
driver: forcedeth
version: 0.61
firmware-version:
bus-info: 0000:00:12.
sudo /sbin/ethtool -S eth1 -- Statistics
sudo /sbin/ethtool -s eth1 speed 100 duplex full autoneg off -- change card settings temp.
-- /etc/sysconfig/network-scripts/ifcfg-eth1 contains “permanent” settings
-- less /usr/share/doc/initscripts-*/sysconfig.txt
sudo netstat -i -- network statistics
sudo netstat -nap -- information about all network processes
Managing Network Connections
sudo /sbin/service
Usage: service < option > | --status-all | [ service_name [ command | --full-restart ] ]
/sbin/service network restart or status or stop or start
sudo /sbin/chkconfig
usage: chkconfig --list [name]
chkconfig --add
chkconfig --del
chkconfig --override
chkconfig [--level ]
less /usr/share/doc/initscripts-*/sysconfig.txt
sudo /sbin/ifdown eth1
sudo /sbin/ifup eth1
Viewing Ethernet Connection Information
/sbin/ifconfig -- connection info for all active (add -a to get inactive) connections
/sbin/ip addr show eth1 -- similar information
/sbin/ip a -- info for all interfaces
/sbin/ip help -- (addr help, route help, tunnel help)
ipcalc -bmn 192.168.1.0/24
NETMASK=255.255.255.0
BROADCAST=192.168.1.255
NETWORK=192.168.1.0
Wireless Connections
Use the GUI if at all possible
wireless-tools, ndiswrapper, etc from rpm.
/sbin/lspci | grep wireless -- to see wireless PCI cards
/sbin/iwconfig -- same sort of info as ifconfig but for wireless
/sbin/iwconfig --help -- essid, channel, sens, key, .....
Dial-Up Modems – Skipped
Checking Name Resolution
cat /etc/resolv.conf
nameserver 208.180.42.68
nameserver 208.180.42.100
dig or -- search the servers in resolv.conf
dig @4.1.2.1 -- search a specific server
dig +trace -- recursively trace the DNS servers from the root down
host 208.180.42.100 -- reverse DNS lookup
More Troubleshooting
/sbin/ip route -- like old route command
172.16.240.0/24 dev vmnet8 proto kernel scope link src 172.16.240.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
172.16.140.0/24 dev vmnet1 proto kernel scope link src 172.16.140.1
default via 192.168.1.1 dev eth1
ping gateway to see if connected
/sbin/arp -v -- list ARP cache entries by name
Address HWtype HWaddress Flags Mask Iface
DirectvDvr ether 00:50:00:d4:bb:5c C eth1
home ether 00:15:6c:8c:61:44 C eth1
Gimli ether 00:17:02:bb:1e:5b C eth1
traceroute ttu.edu -- * * * probably means firewall
sudo traceroute -T 129.118.51.8 -- use TCP packets not default UDP (bypass firewall)
sudo traceroute -n ... -- disable name resolution
Network Statistics
netstat -s -- summary of TCP, ICMP, UDP connections
netstat -tanp -- TCP connection information
netstat -uanp -- UDP
Other Useful Tools
sudo /usr/sbin/tcpdump -- (-v or -vv for more stuff)
wireshark
nmap
CH 12: Accessing Network Resources
Sometimes, even when a GUI is available, command line tools are VERY useful
Browse the web
lynx -- old text based browser
links -- newer command but /usr/bin/links -> elinks
elinks -- the current “choice” allows mouse use & colors in terminal session
-- Control Keys Table 12-1 pg. 210 (Esc toggles menu on/off)
Transferring Files -- wget
-- download files using http or ftp
wget
wget
wget --user=someuser --password=passwordforuser -- password ends up in shell history and ps output, same caution as for lftp below
wget
-- download single web page
wget /3351/index.html
-- download single page along with required images, etc and use local file names
wget -pk
-- append html to downloaded files so .cgi or .asp etc will work locally
wget -E
-- recursively mirror entire site -- be careful!!!!
wget -m
-- combining above we get
wget -mEkK
-- restart an incomplete download
wget -- start download
--- assume it is interrupted here ---
wget -c -- finish
Transferring Files -- curl
-- curl (client for URLs) is also available for single shot downloads
Transferring Files -- lftp
lftp mirrors. -- anonymous connection
lftp bob:mypasswd@server1 -- authenticated connection but bad to type pass this way
lftp -u bob server1 -- will ask for password
-- once session is open
pwd, cd, ls, get (download), put (upload), Ctrl-z (send current download to background),
mget (get all files matching a pattern), mput (put all files matching a pattern), bookmark, quit
Transferring Files -- ssh
-- warning: you do NOT get a warning about overwriting existing files with some of these
scp mfile bob@server1:/home/bob/tmp -- file up, will ask for password
scp server1:/home/bob/myfile ./ -- file down, assumes bob is current user
scp -p ... -- preserves permissions and timestamps
scp -P 4382 ... -- use port 4382 not the default of 22
scp -r mydir bob@server1 -- recurse mydir and copy all
-- sftp uses ssh but allows an ftp like interface ( ? for a list of commands)
sftp bob@server1 -- then use any of the ftp commands to copy & move around
Sharing remote directories -- NFS (Network File System)
-- works with some Windows operating systems too
service nfs start -- starts service configs are /etc/sysconfig/nfs, /etc/exports
/usr/sbin/exportfs -v -- shows all shared directories along with permissions
service nfs reload -- reload nfs with changes to /etc/exports
exportfs -r -- re-export everything in /etc/exports (load changes)
exportfs -vr -- same, verbose
/usr/sbin/showmount -e -- show directories available on local system
showmount -e client. -- show directories available on other system
mount server.:/export/myshare /Gandalf/nfsDIR -- mount remote (nfs3)
mount -o rw,hard,intr ... -- options can also be entered on the mount line
mount -t nfs4 -- nfs4 is more versatile but less used might not work
Sharing remote directories -- SAMBA
-- SMB (Server Message Block) is the old name; cifs is the current file system type
-- GUI config tools are available (swat is a nice easy web interface)
1. sudo yum install samba-swat
2. sudo /sbin/chkconfig swat on
3. sudo /etc/init.d/xinetd start
4. elinks
findsmb -- scan network for shares
*=DMB
+=LMB
IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
---------------------------------------------------------------------
192.168.1.2 Gandalf [WIZARDS] [Unix] [Samba 3.0.21c]
smbtree -- text representation of network shares
Password:
WIZARDS
\\ARIEL
\\ARIEL\C$ Default share
\\ARIEL\Belinda (C)
\\ARIEL\Easy (E)
sudo smbpasswd -a bob -- add an existing Linux user as a samba user
smbclient -L Ariel -- list services available by a server to current user or anonymous
smbclient -L Ariel -U bob
smbclient //192.168.1.1/myshare -U bob -- ftp style connection
-- mounting
sudo mount -t cifs -o username=bob,password=mypass //server1/myshare /where/I/mountedit
sudo mount -t cifs '//Ariel/Easy (E)' /Gandalf/Belinda/Easy -o credentials=/home/bob/.cred,uid=500,gid=500
smbstatus -- current mount and lock status
nmblookup Ariel -- lookup IP for samba server Ariel
testparm -- check samba configuration
testparm -v | less -- show default parameters you did not set
Sharing remote directories -- sshfs --
yum install fuse-sshfs
sshfs bob@server1:/home/bob/myshare /Gandalf/RemoteSites/bob -- mount, will ask for password
sudo umount /Gandalf/RemoteSites/bob -- unmount
Ch 13: Remote System Admin
Most professional Linux admins do not run X on production servers
Thus command line admin is a necessity
Old tools like telnet, ftp, rsh, rexec, rcp are security risks (userid and password sent as clear text)
Modern tools like ssh, scp, sftp are much more secure (everything is encrypted)
Legacy tools are sometimes good for troubleshooting
telnet 80
GET / HTTP/1.0
--- extra carriage return here
HTTP/1.1 200 OK
Remote admin with ssh
Configuration
-- make sure sshd service is running by default
-- /etc/ssh/sshd_config server configuration file
Port 1248
X11Forwarding yes
AllowTcpForwarding no
-- /etc/ssh/ssh_config client configuration file
ForwardX11 yes (or ssh -X bob@someserver each time you connect)
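An added check, not from the book or these notes, for the sshd_config settings listed here and the PermitRootLogin no line in Ch 14 below. It reads the effective value of a keyword the way sshd resolves it: comment lines are skipped, keywords match case-insensitively, the FIRST occurrence of a keyword wins, and anything after the first Match line is conditional rather than global. The config text, the Match sample and the function names sshd_effective and sshd_check are constructed for the example; the Keyword=value spelling sshd also accepts is not handled.

```shell
# Added example, not from the book or the notes: read sshd_config settings the
# way sshd resolves them.  Rules modelled: comment and blank lines are skipped,
# keywords are case-insensitive, the FIRST occurrence of a keyword wins, and
# anything after the first "Match" line is conditional, not global.
# (The "Keyword=value" spelling is not handled; that is an assumption here.)

# Constructed sshd_config fragment: the hardened line at the bottom is a no-op
# because an earlier line already set PermitRootLogin.
SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment
Port 1248
X11Forwarding yes
AllowTcpForwarding no
PermitRootLogin yes
# added later, but sshd keeps the first value it saw:
permitrootlogin no'

# Constructed fragment with a Match block: the override inside it applies to
# one user only, so the global value stays "no".
SAMPLE_WITH_MATCH='AllowTcpForwarding no
Match User bob
    AllowTcpForwarding yes'

# sshd_effective CONFIG_TEXT KEYWORD -> prints the effective global value
# (nothing if the keyword is not set, i.e. sshd uses its built-in default).
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
        tolower($1) == "match" { exit }        # conditional section starts here
        tolower($1) == key { print $2; exit }  # first occurrence wins
    '
}

# sshd_check CONFIG_TEXT -> one line per setting the notes call out:
# "KEYWORD ok" when it has the expected value, "KEYWORD WARN (got ...)" otherwise.
sshd_check() {
    for pair in PermitRootLogin=no AllowTcpForwarding=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then
            printf '%s ok\n' "$key"
        else
            printf '%s WARN (got %s)\n' "$key" "${got:-default}"
        fi
    done
}

# To audit the live file as root: sshd_check "$(cat /etc/ssh/sshd_config)"
sshd_check "$SAMPLE_SSHD_CONFIG"
```

The first-occurrence rule is the practical point: appending PermitRootLogin no at the end of a file that already says PermitRootLogin yes higher up changes nothing, and sshd will not complain.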
Regular use
ssh bob@server1 -- the 'correct' way to change users
ssh server1 -- login to remote as current user
ssh -p 1248 bob@server1 -- port other than default of 22
ssh tunneling (a good howto is here )
ssh -X (or with ForwardX11 set up as above), then run kcalc etc. on the remote host and it displays locally
ssh -L 1234:localhost:631 remoteserver -- tunnel CUPS server
ssh -l remoteuser -nNT -R 1100:129.118.49.11:22 remoteip -p remotesshport
ssh user@remotehost -L 24800:remotehost:25 -N
-- use myserver to connect to internet
ssh -L 12345:localhost::80 myserver
-- ssh as a SOCKS Proxy
ssh -D 12345 myserver //look at man pages
then change connection settings in firefox to match
(preferences-advanced-settings-manual connection SOCKS:localhost port:12345)
ssh public key login
cat ~/.ssh/known_hosts -- existing public keys for previous connections
ssh-keygen -- generate public / private keys for current user
-- leaving the passphrase prompt blank makes connections easy but is risky (anyone who gets the private key file can use it)
append ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys2 on the remote server (append, do not overwrite existing keys)
ssh-agent -- gives the ability to store keys for duration of this session
eval $(ssh-agent) -- starts the agent and adds its vars to the environment
ssh-add -- will add default private key (ssh-keygen) to
Using screen: A rich remote shell Cool!!!
ssh gives you one temporary screen at a time; if it times out or dies you lose everything
yum install screen (FC8 by default)
ssh into remote server
screen -- you now have a screen running on remote server
screen -ls -- list active screens
Ctrl-a, d -- detach screen, leave it running but return to ssh terminal window
Ctrl-a, ? -- help
screen -r -- reattach to a previously detached screen (works even after quitting ssh)
screen -r 7089.pts-2.myserver -- reattach if are multiple detached screens
screen -S mysession -- name the screen session
screen -x or screen -x mysession -- share screen session (same user logged on)
-- try this
ssh into some server
screen
top
Ctrl-a, d
exit ssh
ssh again into same server
screen -r -- top will still be running
Using a Remote Windows Desktop
WinXP – Control Panel / System / Remote enable and add users
yum install rdesktop tsclient
tsclient & -- graphical Terminal Server Client
rdesktop Ariel
rdesktop -u bob -p password win1
rdesktop -f win1 -- maximize display
rdesktop -0 -r sound:local win1 -- direct sound from server to client
Other remote linux apps
xhost -- grants X display access with no encryption; ssh -X is the better choice
Sharing desktops with VNC
yum install vnc vnc-server
/etc/sysconfig/vncservers
VNCSERVERS="1:bob 2:thomas"
vncpasswd -- set current user vnc password
chkconfig vncserver on -- set vnc server to run
make sure to open TCP ports 5900+displaynumber in iptables
vncviewer myserver:1 or myserver:2 -- connect to vncserver from client
-- above is a really simple window manager so on the server
edit ~/.vnc/xstartup and add
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc
and restart the vncserver
-- on untrusted networks tunnel vnc
ssh -L 5902:localhost:5902 vncserver
Can share a vnc desktop using Vino
Ch 14: Locking Down Security (for working with user accounts see also Ch10 in Fedora Bible 2011 notes)
“Securing your Linux system means first restricting access to the user accounts and services on the system. After that, security means checking that no one has gotten around the defenses you have setup.”
Fedora is designed to be secure by default:
1. no user accounts with blank passwords
2. firewall is restrictive by default
3. most network services are off
4. SELinux is set to enforcing if you do not change this on the install
Working with users and groups
ALWAYS LOG IN AS A REGULAR USER! Then use su or sudo to gain root access
/etc/ssh/sshd_config PermitRootLogin no
The GUI way for servers:
webmin: () -- remember to change default port from 10000
cPanel (), Plesk (plesk), Ensim ()
Adding user accounts
--> sudo /usr/sbin/useradd -D -- show useradd default values
GROUP=100 -- default group
HOME=/home -- base home directory
INACTIVE=-1 -- password expiration is disabled
EXPIRE= -- Don't set password expire date
SHELL=/bin/bash -- default shell
SKEL=/etc/skel -- copy default home config files from here
CREATE_MAIL_SPOOL=yes -- create mail spool directory
-- fedora overrides the default group with a new group for each new user
-- above values in /etc/default/useradd
useradd bob -- typed as root allows change of password for bob
-- root is only warned if bad password is used
-- some of the options for useradd
sudo /usr/sbin/useradd --help
-b, --base-dir /var/users -- base directory for the new user account
-d, --home-dir /home/jj -- home directory for the new user account
-e, --expiredate 2009-01-01 -- set account expiration date to 2009-01-01
-g 700 -u 700 -- use specific GID & UID for new user
-G students,tomcatusers -- list of supplementary groups for the new user
sudo /usr/sbin/groupadd -- before adding a user to a group the group must exist
groups bob -- list the groups bob belongs to
bob vboxusers
-- some of the real config files for users and groups
/etc/passwd test:x:502:503::/home/test:/bin/bash
/etc/shadow test:$1$cvOBzy34DGAgHfr3XcdeAmEJ1:14134:0:99999:7:::
/etc/group test:x:503:drjohn,bob
Changing default useradd values
edit /etc/default/useradd & /etc/login.defs to make changes permanent
user options above in useradd command to make temporary changes
add files or directories to /etc/skel to change 'startup' /home/newuser (ex public_html)
Modifying User Accounts
sudo /usr/sbin/usermod -c “Dr Bob” bob -- change bob's comment field
sudo /usr/sbin/usermod -s /bin/sh bob -- change bob's default shell
sudo /usr/sbin/usermod -L bob -- lock the bob user account
sudo /usr/sbin/usermod -U bob -- unlock the bob user account
chsh -s /bin/sh -- change current user's shell to /bin/sh
-- change finger information
-- change office, home phone, office phone, full name
chfn -o "BA607" -h 806-687-9028 -p 806-438-2049 -f "DrJohn"
finger
Login Name Tty Idle Login Time Office Office Phone
bob DrJohn *:0 Oct 20 13:30 BA607 806-438-2049
-- above information is stored in the 5th field of the /etc/passwd file
-- ONLY edit the /etc/passwd file carefully and with vipw
Deleting User accounts
/usr/sbin/userdel bob --delete user bob
userdel -r bob -- delete user, home directory, and mail spool
Managing Passwords
-- modify current user password
--> passwd
Changing password for user bob.
Changing password for bob.
(current) UNIX password:
New UNIX password: I typed hi
BAD PASSWORD: it is WAY too short
New UNIX password: I typed hello
BAD PASSWORD: it is too short
New UNIX password: I typed password
BAD PASSWORD: it is based on a dictionary word
--> sudo passwd bob
Password:
Changing password for user bob.
New UNIX password: I typed hi
BAD PASSWORD: it is WAY too short
Retype new UNIX password: I typed hi
passwd: all authentication tokens updated successfully.
-- moral is be VERY careful when setting/modifying passwords as root
sudo passwd -l bob -- lock the bob user account
sudo passwd -u bob -- unlock the bob user account
-- this is done by placing !! at the front of the password field in /etc/shadow
test:!!$1$cvOBzy34DGAgHfr3XcdeAmEJ1:14134:0:99999:7:::
-- administrator can require users to change passwords regularly
passwd -n 2 bob -- set minimum password life to 2 days
passwd -x 300 bob -- set maximum password life to 300 days
passwd -w 10 bob -- warn of password expiration 10 days in advance
passwd -i 14 bob -- days after expiration that account is disabled
-- view password expiration information
--> chage -l bob
Last password change : Oct 20, 2008
Password expires : December 31, 2008
Password inactive : January 31, 2009
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
-- as root can use the chage command to manage password expiration
sudo chage -I 40 bob -- make account inactive in 40 days
sudo chage -d 5 bob -- force user's password to expire in 5 days
-- 0 above would force password change on next login
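An added audit, not from the book or these notes, that applies the points above to copies of /etc/passwd and /etc/shadow: the "no blank passwords" default from Ch 14, the !! and ! lock markers, the maximum password age field, plus a check for accounts other than root that have UID 0. The two files below are constructed in the formats shown in these notes (the hashes are not real), and the function names are mine.

```shell
# Added example, not from the book or the notes: audit passwd/shadow text for
# the conditions discussed above.  Field layouts used:
#   passwd: name:x:UID:GID:comment:home:shell
#   shadow: name:hash:lastchg:min:max:warn:inactive:expire:
# Constructed sample data (hashes are not real).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bob:x:500:500:DrJohn:/home/bob:/bin/bash
test:x:502:503::/home/test:/bin/bash
backup:x:0:0::/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin'

SAMPLE_SHADOW='root:$1$rootHASHxxxxxxxxxxxxxxxxxxxx:14134:0:99999:7:::
bob:$1$cvOBzy34DGAgHfr3XcdeAmEJ1:14134:0:300:10:14::
test:!!$1$cvOBzy34DGAgHfr3XcdeAmEJ1:14134:0:99999:7:::
backup::14134:0:99999:7:::
nobody:*:14134:0:99999:7:::'

# Accounts other than root whose UID is 0 (root under another name).
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts with an empty password field: login works with no password at all.
blank_passwords() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Accounts locked with passwd -l (!!) or usermod -L (!): the hash can no longer match.
locked_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 ~ /^!/ { print $1 }'
}

# Accounts with a usable hash (not locked, not "*") and no maximum password
# age, i.e. passwd -x was never applied (99999 is the default shown above).
no_max_age() {
    printf '%s\n' "$1" | awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 >= 99999) { print $1 }'
}

# audit_accounts PASSWD_TEXT SHADOW_TEXT -> labelled report, one line per check
audit_accounts() {
    printf 'extra UID 0 accounts: %s\n' "$(extra_uid0 "$1" | tr '\n' ' ')"
    printf 'blank passwords:      %s\n' "$(blank_passwords "$2" | tr '\n' ' ')"
    printf 'locked accounts:      %s\n' "$(locked_accounts "$2" | tr '\n' ' ')"
    printf 'no max password age:  %s\n' "$(no_max_age "$2" | tr '\n' ' ')"
}

# On a live system (as root): audit_accounts "$(cat /etc/passwd)" "$(cat /etc/shadow)"
audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

In the constructed data the backup account is the one to worry about: it is UID 0 and has an empty password field, which is exactly the combination Fedora's defaults are meant to rule out.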
Adding Groups
-- similar commands as for users above
-- groupadd, groupdel, groupmod, groupmems (add & remove members)
groupadd Marketing -- add group Marketing
groupadd -g 701 tomcat -- add group tomcat with GID of 701
groupmod -g 777 tomcat -- make tomcat group GID 777
groupmod -n tomcat tomcatS08 -- change name of tomcat group to tomcatS08
groupdel tomcat -- delete tomcat group
Checking on Users
find -nouser -- No user corresponds to file’s numeric user ID.
find -nogroup -- No group corresponds to file’s numeric group ID.
find -uid nnn -- File’s numeric user ID is nnn.
find -user bob -- File is owned by user bob (numeric user ID is allowed).
--> sudo du -sh /home/test/ -- check on disk usage in user's home dir
2.2M /home/test/ -- -sh means summarize results and make human readable
-- fuser, ps, top identify running commands and can check for users (Ch 9)
sudo last -- lists the most recent successful logins
sudo lastb -- lists most recent unsuccessful logins
-- on zeus I get page after page after page
sudo who -u -- list who is currently logged in long form
sudo users -- list who is currently logged in short form
--> id ==> uid=500(bob) gid=500(bob) groups=500(bob),502(vboxusers)
--> who am i -- long form
bob pts/4 2008-10-20 16:49 (localhost.localdomain)
--> whoami -- short form
bob
--> finger -s bob -- short form
Login Name Tty Idle Login Time Office Office Phone
...
--> finger -l bob -- long form
Login: bob Name: DrJohn
Directory: /home/bob Shell: /bin/bash
Office: BA607, 806-438-2049 Home Phone: 806-687-9028
On since Mon Oct 20 13:30 (CDT) on :0 (messages off)
On since Mon Oct 20 13:31 (CDT) on pts/1 from :0.0
3 hours 48 minutes idle
(messages off)
On since Mon Oct 20 13:31 (CDT) on pts/2 from :0.1 (messages off)
On since Mon Oct 20 13:31 (CDT) on pts/3 from :0
3 hours 48 minutes idle
On since Mon Oct 20 16:49 (CDT) on pts/4 from localhost.localdomain
No mail.
No Plan.
-- when ~/.project (single line) and ~/.plan (multi line) files are added results become
--> finger -l bob
Login: bob Name: DrJohn
...
Project:
To make the Internet safer
Plan:
By teaching
students how to become
Linux professionals
Working with System Logs (for firewall info see below)
/var/log ... -- system logs are here and in subdirectories
-- fedora uses rsyslogd (system log daemon) and rklogd (kernel log daemon)
-- started by /etc/init.d/rsyslog (a newer better version of syslogd)
-- rotation is handled by /etc/cron.daily/logrotate
-- based on settings in /etc/logrotate.conf & in /etc/logrotate.d/
logwatch -- a system log analyzer and reporter that allows summary messaging
sudo logger Hello World from bob -- add messages to log files (new Video card)
sudo cat /var/log/messages
... Oct 20 17:38:26 localhost durrett: Hello World from bob
Linux Bible 2010 Edition: Boot Up to Ubuntu, Fedora, KNOPPIX, Debian, openSUSE, and 13 Other Distributions by Christopher Negus
Last annotated on December 2, 2010
Chapter 12: Securing Linux
In This Chapter:
Linux security checklist
Using password protection
Monitoring log files
Communicating with secure shell tools
Understanding attack techniques
Protecting servers with certificates
Using special Linux security tools distributions
Why should you care about security? According to the Internet Storm Center (), a computer connected to the Internet has an average of 16 minutes
Linux Security Checklist
Control physical access
Add users and passwords—Creating separate user accounts
Set read, write, and execute permissions
Protect the root user
Use trusted software
Get software updates
Use secure applications
Use restrictive firewalls
Enable only services you need
Limit access to services
Check your system
Monitor your system
Use SELinux
your computer, then, is safer. As Red Hat continues to work out the kinks in SELinux, there has been a tendency for users to see SELinux failures and just disable the entire SELinux service. However, a better course is to find out whether SELinux is really stopping you from doing something that is unsafe.
Finding distribution-specific security resources
Red Hat Enterprise Linux and Fedora security—Check the Red Hat Security site (security) for RHEL security issues (that typically relate to Fedora systems as well). From here you can look for and read about available updates. You can also get information on security training and consulting from Red Hat, Inc. For Fedora security issues, see the Fedora Wiki ().
Refer to the Red Hat Enterprise Linux 4 Security Guide for an in-depth look at Linux security for Red Hat systems. You can access this guide online from the following address:docs/manuals/enterprise/RHEL-4-Manual/en-US/Security_Guide
doc/manuals/securing-debian-howto Ubuntu security—Find security guides and tools for Ubuntu on the Ubuntu security page (). Gentoo security—Included on the Gentoo Linux Security page (security) are tools, announcements, and links to security policy and project documents associated with securing Gentoo systems. Find the Gentoo security handbook here:
Choosing good passwords
(choosing a sentence on your personal Web page is a bad idea).
Table 12-1 lists examples of strong passwords and the tricks used to remember them.
Password -- How to remember it
Mrci7yo! -- My rusty car is 7 years old!
2emBp1ib -- 2 elephants make BAD pets, 1 is better
ItMc?Gib -- Is that MY coat? Give it back
The passwords look like gibberish
Using a shadow password file
Checking for the shadow password file The password file is named passwd and is found in the /etc directory. The shadow password file is named shadow and is also located in /etc. If your /etc/shadow file is missing, it is likely that your Linux system is storing the password information in the /etc/passwd file instead.
A Practical Guide to Fedora and Red Hat Enterprise Linux by Mark G. Sobell
Last annotated on December 1, 2011
SELinux
NSA Security-Enhanced Linux
Traditional Linux security, called Discretionary Access Control (DAC):
In a DAC model, file and resource decisions are based solely on user identity and ownership of the objects. Each user and program run by that user has complete discretion over the user's objects. Malicious or flawed software can do anything with the files and resources it controls through the user that started the process. If the user is the super-user or the application is setuid or setgid to root, the process can have root level control over the entire file system.
The following is an example of permissions used on Linux operating systems that do not run Security-Enhanced Linux (SELinux). The permissions and output in these examples may differ from your system. Use the ls -l command to view file permissions:
$ ls -l file1
-rw-rw-r--. 1 user1 group1 0 May 11 10:46 file1
SELinux (Security Enhanced Linux) implements Mandatory Access Control (MAC): A MAC system does not suffer from these problems. First, you can administratively define a security policy over all processes and objects. Second, you control all processes and objects, in the case of SELinux through the kernel. Third, decisions are based on all the security relevant information available, and not just authenticated user identity.
The following is an example of the labels containing security-relevant information that are used on processes, Linux users, and files, on Linux operating systems that run SELinux. This information is called the SELinux context, and is viewed using the ls -Z command:
$ ls -Z file1
-rw-rw-r--. user1 group1 unconfined_u:object_r:user_home_t:s0 file1
In this example, SELinux provides a user (unconfined_u), a role (object_r), a type (user_home_t), and a level (s0). This information is used to make access control decisions. It is important to remember that SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
SELinux provides a combination of Role-Based Access Control (RBAC), Type Enforcement® (TE), and, optionally, Multi-Level Security (MLS).
SELinux can be in one of three states (modes):
Enforcing: SELinux policy is enforced. SELinux denies access based on SELinux policy rules.
Permissive: SELinux policy is not enforced. SELinux does not deny access, but denials are logged for actions that would have been denied if running in enforcing mode. Warnings are issued
Disabled: SELinux is disabled. Only DAC rules are used.
SELinux implements one or more of the following policies:
Targeted—Applies to specific objects
MLS—Multilevel Security
Strict—Applies
SELinux Contexts for Processes
ps -eZ
unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd
There is always a tradeoff between security and usability.
More Information from the Fedora Project
Two ways to disable SELinux: You can modify the /etc/selinux/config file so that it includes the line SELINUX=disabled and reboot the system, or you can use system-config-selinux (as explained on the next page).
Files on FC
• system-config-selinux (a GUI tool)
• /etc/selinux/config
← SELINUX= (disabled, permissive, or enforcing)
← SELINUXTYPE= (targeted or strict)
• /etc/selinux/targeted/
• /usr/sbin/getenforce
• /usr/sbin/setenforce
• /usr/sbin/sestatus
• /usr/sbin/semanage
The getenforce and setenforce utilities report on and temporarily set the SELinux mode. The sestatus utility displays a summary of the state of SELinux:
Security Contexts
• All Objects (files, interprocess communication channels, sockets, network hosts, etc)
• and Subjects (processes)
• have a single security context associated with them
• user:role:type (our primary focus is the type portion)
← run id in a terminal
← run ls -Z
← run ps -Z
← ps -auxZ
Type enforcement Access Control
• rule format:
← Source Type(s)
← Target Type(s)
← Object Class(es)
← Permission(s)
• allow user_t bin_t : file {read execute getattr};
• allow user_t passwd_exec_t : file {getattr execute};
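An added example, not from Sobell's book or the Fedora documentation, that parses allow rules in the format just shown and answers whether a source type, target type, object class and permission are covered. The two rules from the notes are used as given; the passwd_t rules are constructed for the example, to show why in this toy policy a user_t process cannot read a shadow_t file itself while the passwd domain can, which is the point of the passwd_exec_t rule. As the notes say, TE is only consulted after DAC has already allowed the access; the function below models the TE rules alone.

```shell
# Added example, not from the book: evaluate type-enforcement allow rules of
# the form "allow SRC TGT : CLASS { PERM ... };" (or a single PERM without
# braces).  The first two rules are the ones in the notes; the passwd_t rules
# are constructed for the example.
SAMPLE_TE_RULES='allow user_t bin_t : file { read execute getattr };
allow user_t passwd_exec_t : file { getattr execute };
# constructed: only the passwd domain may touch the shadow file
allow passwd_t shadow_t : file { read write };
allow passwd_t shadow_t : file getattr;'

# te_allows RULES SRC TGT CLASS PERM -> prints "allowed" or "denied"
# (TE allow rules only; no DAC, role or MLS checks).
te_allows() {
    printf '%s\n' "$1" | awk -v s="$2" -v t="$3" -v c="$4" -v p="$5" '
        BEGIN { verdict = "denied" }
        $1 == "allow" {
            line = $0
            gsub(/[;{}:]/, " ", line)      # -> "allow src tgt class perm perm ..."
            n = split(line, f)             # default FS trims and splits on blanks
            if (f[2] == s && f[3] == t && f[4] == c)
                for (i = 5; i <= n; i++)
                    if (f[i] == p) verdict = "allowed"
        }
        END { print verdict }'
}

# te_perms RULES SRC TGT CLASS -> every permission granted, one per line, sorted
te_perms() {
    printf '%s\n' "$1" | awk -v s="$2" -v t="$3" -v c="$4" '
        $1 == "allow" {
            line = $0
            gsub(/[;{}:]/, " ", line)
            n = split(line, f)
            if (f[2] == s && f[3] == t && f[4] == c)
                for (i = 5; i <= n; i++) print f[i]
        }' | sort -u
}

te_allows "$SAMPLE_TE_RULES" user_t bin_t file execute      # allowed
te_allows "$SAMPLE_TE_RULES" user_t shadow_t file read      # denied
te_allows "$SAMPLE_TE_RULES" passwd_t shadow_t file write   # allowed
```

Note the default: with no matching allow rule the verdict is denied, which is how TE works; there are no deny rules to write.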
sestatus results on my FC14
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
config file on my FC14
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Blockhosts ()
--> After install -- rpm -ql BlockHosts
/etc/blockhosts.cfg
/etc/logrotate.d/blockhosts
/etc/logwatch/conf/services/blockhosts.conf
/etc/logwatch/scripts/services/blockhosts
/usr/bin/bhrss.py
/usr/bin/blockhosts.py
/usr/share/doc/BlockHosts-2.4.0
/usr/share/doc/BlockHosts-2.4.0/CHANGES
/usr/share/doc/BlockHosts-2.4.0/INSTALL
/usr/share/doc/BlockHosts-2.4.0/LICENSE
/usr/share/doc/BlockHosts-2.4.0/README
/usr/share/doc/BlockHosts-2.4.0/bhrss.html
/usr/share/doc/BlockHosts-2.4.0/blockhosts.html
--- /etc/blockhosts.cfg
HOSTS_BLOCKFILE = "/etc/hosts.allow"
COUNT_THRESHOLD = 7 -- number of invalid attempts
AGE_THRESHOLD = 12 -- number of hours to block
WHITELIST -- list of IPs to always allow
BLACKLIST -- list of IPs to always block
LOGFILES -- default list of logs to process (/var/log/secure)
--- /etc/hosts.allow
/etc/hosts.allow (or /etc/hosts.deny but only one not both files) - the hosts block file
Add following sections, in this order:
-- your permanent whitelist and blacklist of IP addresses (if needed)
-- blockhosts marker lines - two lines
-- execute command to kick off blockhosts.py on connects to services
Example below
# ----
# permanent whitelist addresses - these should always be ALLOWED access – edit as needed
ALL: 127.0.0.1 : allow
ALL: 192.168.0. : allow
# permanent blacklist addresses - these should always be DENIED access – edit as needed
ALL: 10. : deny
ALL: 192. : deny
ALL: 172. : deny
# ----------------------------------------
# next section is the blockhosts section - it will add/delete entries in
# between the two marker lines (#---- BlockHosts Additions)
#---- BlockHosts Additions
#---- BlockHosts Additions
# ----------------------------------------
# finally, the command to execute the blockhosts script, based on
# connection to particular service or services, for example, for
# sshd, proftpd, etc - if using pure-ftpd, etc, be sure to use those
# words instead - this is spread over multiple lines, so has \ at end of
# line to signal continuation:
sshd, proftpd, vsftpd: ALL: spawn /usr/bin/blockhosts.py \
--echo "%c-%s" --ipblock=iptables \
--whitelist="10\..*,127.0.0.1" --blacklist="192.168.1.1,192.168.1.2"
#---
the version on zeus
sshd, proftpd, in.proftpd: ALL: spawn (/usr/bin/blockhosts.py \
--verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow
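An added example, not from these notes or from the BlockHosts project, that reproduces the counting the cfg settings above describe: failed sshd logins per source address over constructed /var/log/secure lines, a COUNT_THRESHOLD, a WHITELIST, and then the "ALL: addr : deny" lines that would be written between the two marker lines in /etc/hosts.allow. Two simplifications are mine: the whitelist is a comma-separated list of address prefixes in the hosts.allow "192.168.0." style rather than the regexes blockhosts.cfg takes, and AGE_THRESHOLD (expiring old counts) is not modelled.

```shell
# Added example, not from the notes or from BlockHosts itself: count failed
# sshd logins per source address and render the hosts.allow deny lines that
# belong between the two "#---- BlockHosts Additions" markers.  Constructed
# /var/log/secure lines: 203.0.113.5 and 192.168.0.10 each fail 7 times,
# 198.51.100.7 fails twice, and one line is a successful key login.
SAMPLE_SECURE='Oct 20 17:40:01 zeus sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Oct 20 17:40:03 zeus sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51123 ssh2
Oct 20 17:40:05 zeus sshd[2202]: Failed password for invalid user oracle from 203.0.113.5 port 51124 ssh2
Oct 20 17:40:07 zeus sshd[2203]: Failed password for root from 203.0.113.5 port 51125 ssh2
Oct 20 17:40:09 zeus sshd[2204]: Failed password for root from 203.0.113.5 port 51126 ssh2
Oct 20 17:40:11 zeus sshd[2205]: Failed password for root from 203.0.113.5 port 51127 ssh2
Oct 20 17:40:13 zeus sshd[2206]: Failed password for root from 203.0.113.5 port 51128 ssh2
Oct 20 17:41:10 zeus sshd[2210]: Accepted publickey for bob from 192.168.1.2 port 40022 ssh2
Oct 20 17:42:00 zeus sshd[2215]: Failed password for bob from 198.51.100.7 port 40100 ssh2
Oct 20 17:42:02 zeus sshd[2215]: Failed password for bob from 198.51.100.7 port 40101 ssh2
Oct 20 17:43:00 zeus sshd[2220]: Failed password for bob from 192.168.0.10 port 40200 ssh2
Oct 20 17:43:01 zeus sshd[2220]: Failed password for bob from 192.168.0.10 port 40201 ssh2
Oct 20 17:43:02 zeus sshd[2220]: Failed password for bob from 192.168.0.10 port 40202 ssh2
Oct 20 17:43:03 zeus sshd[2221]: Failed password for bob from 192.168.0.10 port 40203 ssh2
Oct 20 17:43:04 zeus sshd[2221]: Failed password for bob from 192.168.0.10 port 40204 ssh2
Oct 20 17:43:05 zeus sshd[2221]: Failed password for bob from 192.168.0.10 port 40205 ssh2
Oct 20 17:43:06 zeus sshd[2222]: Failed password for bob from 192.168.0.10 port 40206 ssh2'

# failed_logins_per_ip LOGTEXT -> "ADDR COUNT" per line, sorted by address
failed_logins_per_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (a in n) print a, n[a] }' | sort
}

# hosts_to_block LOGTEXT COUNT_THRESHOLD WHITELIST -> addresses to deny.
# WHITELIST is a comma-separated list of address prefixes ("192.168.0.,127.0.0.1"),
# a simplification of the regex list the real blockhosts.cfg takes.
hosts_to_block() {
    failed_logins_per_ip "$1" | awk -v t="$2" -v wl="$3" '
        BEGIN { nw = split(wl, w, ",") }
        $2 >= t {
            keep = 1
            for (i = 1; i <= nw; i++)
                if (w[i] != "" && index($1, w[i]) == 1) keep = 0
            if (keep) print $1
        }'
}

# render_block_section LOGTEXT COUNT_THRESHOLD WHITELIST -> the two marker lines
# with "ALL: addr : deny" entries between them, as they sit in /etc/hosts.allow
render_block_section() {
    echo '#---- BlockHosts Additions'
    for ip in $(hosts_to_block "$1" "$2" "$3"); do
        printf 'ALL: %s : deny\n' "$ip"
    done
    echo '#---- BlockHosts Additions'
}

render_block_section "$SAMPLE_SECURE" 7 "192.168.0.,127.0.0.1"
```

With the threshold of 7 from the cfg above, 192.168.0.10 reaches the count but is whitelisted, 198.51.100.7 never reaches it, and only 203.0.113.5 ends up between the markers.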
Other Advanced Security Features
SELinux
Central Logging
Tripwire
RPM database
chkrootkit
Apache 2.2.6-1 Notes and 2.2.17-1
Basics
Find the server rpms: rpm -qa | grep httpd (apache to httpd)
Show files rpm -ql httpd
service httpd start or /etc/init.d/httpd restart
/sbin/chkconfig httpd on
Important files / folders in httpd-2.2.6-1.fc7 and httpd-2.2.17-1.fc14.x86_64
• /etc/httpd most of the config files or links to them
• /etc/httpd/conf
• /etc/httpd/conf.d module specific config files, see README
• /etc/httpd/conf/httpd.conf main apache server config file
for 'global environment', 'main or default server', & 'virtual hosts'
• /etc/httpd/logs link to /var/log/httpd
• /etc/httpd/modules link to /usr/lib64/httpd/modules
• /etc/httpd/run link to /var/run
• /etc/logrotate.d/httpd how often to rotate logs
• /etc/rc.d/init.d/httpd startup script
• /etc/sysconfig/httpd basic service config file for httpd startup script
• /usr/bin/ab benchmarking tool
• /usr/bin/htdigest manage user files for digest authentication
• /usr/bin/htpasswd manage user files for basic authentication
• /usr/bin/logresolve resolve IP addresses to host names in log files
• /usr/lib64/httpd/modules apache modules for added functionality
• /usr/sbin/apachectl server control interface
• /usr/sbin/httpd main server binary
• /usr/sbin/rotatelogs
• /usr/sbin/suexec switch user before executing, allows apache user not root
• /var/www/error where error files are
• /var/www/html main server html root
• /var/www/icons server icons
A limited graphical configuration utility
• system-config-httpd-1.4.3-1.fc7 and system-config-httpd-1.5.2-2.fc14.noarch
• /usr/bin/system-config-httpd
/etc/httpd/conf/httpd.conf Notes
### Section 1: Global Environment
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 120
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
#Listen 12.34.56.78:80
Listen 80
# LoadModule foo_module modules/mod_foo.so DSO support
Include conf.d/*.conf
User apache
Group apache
### Section 2: 'Main' server configuration
ServerAdmin root@localhost
#ServerName :80
UseCanonicalName Off
DocumentRoot "/var/www/html"
Options FollowSymLinks
AllowOverride None
# Note that from this point forward you must specifically allow
Options Indexes FollowSymLinks
AllowOverride None -- controls what directives may be placed in .htaccess files
Order allow,deny
Allow from all
DirectoryIndex index.html index.html.var
AccessFileName .htaccess
ErrorLog logs/error_log
# The following directives define some format nicknames for use with a CustomLog directive
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %>s %b %f %{host}i" debug
CustomLog logs/access_log debug
CustomLog logs/access_log combined
ServerSignature On
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
Alias /image /ftp/pub/image
A request for would cause the server to return the file /ftp/pub/image/foo.gif
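An added example, not from these notes or the Apache project, that parses access_log lines written with the combined LogFormat shown above. Splitting on the double quotes rather than on spaces keeps the request line whole, which matters because %r contains spaces and client-controlled text. The log lines are constructed, and parse_combined, status_summary and clients_with_404s are my names.

```shell
# Added example, not from the notes or the Apache project: parse lines written
# by the "combined" LogFormat,
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Constructed access_log lines.
SAMPLE_ACCESS='192.168.1.2 - - [20/Oct/2008:17:38:26 -0500] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux)"
192.168.1.2 - - [20/Oct/2008:17:38:27 -0500] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "http://gandalf/index.html" "Mozilla/5.0 (X11; Linux)"
203.0.113.9 - - [20/Oct/2008:17:39:01 -0500] "GET /admin/ HTTP/1.0" 404 288 "-" "-"
203.0.113.9 - - [20/Oct/2008:17:39:02 -0500] "GET /backup.tar HTTP/1.0" 404 288 "-" "-"
203.0.113.9 - - [20/Oct/2008:17:39:03 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 404 288 "-" "-"
203.0.113.9 - - [20/Oct/2008:17:39:04 -0500] "GET /old site/index.html HTTP/1.0" 404 288 "-" "-"
198.51.100.4 - bob [20/Oct/2008:17:40:00 -0500] "POST /cgi-bin/form.cgi HTTP/1.1" 500 613 "http://gandalf/form.html" "curl/7.19.7"'

# Shared parser: split each line on the double quotes so the request, referer
# and user agent stay whole, then emit "host status request" per line.
# After the split: q[1] = host ident user [time], q[2] = request,
# q[3] = " status bytes ", q[4] = referer, q[6] = user agent.
parse_combined() {
    printf '%s\n' "$1" | awk '
        {
            nq = split($0, q, "\"")
            if (nq < 7) next                 # not a complete combined line
            split(q[1], pre, " ")            # pre[1] = client host (%h)
            split(q[3], mid, " ")            # mid[1] = status (%>s), mid[2] = bytes
            print pre[1], mid[1], q[2]
        }'
}

# status_summary LOGTEXT -> "STATUS COUNT" per line, sorted by status
status_summary() {
    parse_combined "$1" | awk '{ n[$2]++ } END { for (s in n) print s, n[s] }' | sort
}

# clients_with_404s LOGTEXT THRESHOLD -> hosts that produced at least THRESHOLD
# 404 responses, a simple way to spot a client asking for files that do not exist
clients_with_404s() {
    parse_combined "$1" | awk -v t="$2" '
        $2 == 404 { n[$1]++ }
        END { for (h in n) if (n[h] >= t) print h }' | sort
}

# Live use: status_summary "$(cat /var/log/httpd/access_log)"
status_summary "$SAMPLE_ACCESS"
clients_with_404s "$SAMPLE_ACCESS" 3
```

The same parser works on the common format too, since the first three quoted fields are identical; only the referer and user agent are missing, so the nq check would need to be relaxed to 3.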
User directories
~public/public_html
user directory (/home/durrett) must be chmod 711, but not all of its subdirectories
public_html & all of its subdirectories must be 755
UserDir enable test (you must list the users to enable)
Doing this makes it possible for outsiders to enumerate user names on the system (the ~user URLs reveal them)
An alternative to the above is:
create a new /var/www/html directory (mkdir DrJohn)
change ownership to the user:apache (chown durrett:apache /var/www/html/DrJohn)
add the user link to the directory (ln -s /var/www/html/DrJohn /home/durrett/DrJohn_site)
# UserDir disable
chmod 711
mkdir /home/drjohn/public_html
chmod 755 /home/drjohn/public_html
#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
#
# AllowOverride FileInfo AuthConfig Limit
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#
# Order allow,deny
# Allow from all
#
#
# Order deny,allow
# Deny from all
#
#
#
# Use name-based virtual hosting.
#
NameVirtualHost *:53148
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
# SSL protocol.
#
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#
# ServerAdmin webmaster@dummy-host.
# DocumentRoot /www/docs/dummy-host.
# ServerName dummy-host.
# ErrorLog logs/dummy-host.-error_log
# CustomLog logs/dummy-host.-access_log common
#
# ServerAdmin webmaster@dummy-host.
DocumentRoot /var/www/gandalf
ServerName gandalf
ErrorLog logs/gandalf-error_log
# CustomLog logs/dummy-host.-access_log common
# ServerAdmin webmaster@dummy-host.
DocumentRoot /var/www/mediawiki
ServerName wiki
ErrorLog logs/wiki-error_log
# CustomLog logs/dummy-host.-access_log common
Fedora firewalls / iptables notes
(partially from Negus' Fedora Linux toolbox)
Negus – Ch 10: Configuring the built in firewall
-- based on the iptables facility ()
-- lots of GUIs: sudo /usr/bin/system-config-firewall, firestarter, shorewall, fwbuilder
/etc/sysconfig/iptables -- config file (remember to BACK it UP before changing)
iptables -L -- display current iptables filter table
iptables-save -- send current iptables filter table to stdout ( > somefile to save it)
-------------------------------------------------------------------------
Other notes:
The basic structure of iptables
                        (1)                 (3) mangle & filter          mangle & nat
  PREROUTING ------> Routing Decision ----------> FORWARD ------------> POSTROUTING
  (mangle, nat)            |                                                 ^
                           | (2) mangle & filter                             |
                           v                                                 | (4)
                         INPUT -----> local process -----> Routing -------> OUTPUT
                                                           Decision   (mangle, nat, filter)
1) when a packet enters from the network the kernel looks at its destination
2) if it is destined for this machine the packet goes to the INPUT chain
3) if it is not destined for this machine and a FORWARD chain exists, the rules in it are applied and the packet is sent on as those rules specify; if the FORWARD chain does not exist the default policy is applied
4) packets sent from a local process are routed, then put on the OUTPUT chain
----------------------------------------------------------
iptables basic concepts
1. different sets of rules for different chains within different tables
2. initial tables are: NAT, FILTER, MANGLE
3. initial chains are: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
4. targets to jump to are: ACCEPT, DROP, REJECT, LOG, SNAT, MASQUERADE
iptables operations to manage whole chains:
1. Create a new chain (-N).
2. Delete an empty chain (-X).
3. Change the policy for a built-in chain. (-P).
4. List the rules in a chain (-L).
5. Flush the rules out of a chain (-F).
iptables operations on the rules inside a chain:
1. Append a new rule to a chain (-A).
2. Insert a new rule at some position in a chain (-I).
3. Replace a rule at some position in a chain (-R).
4. Delete a rule at some position in a chain, or the first that matches (-D).
individual rules:
1. Each rule specifies a set of conditions the packet must meet, and what to do if it meets them (a 'target')
2. EX: wipe out (flush) all previous rules
iptables -F
3. EX: set default policies for INPUT chain
iptables -P INPUT DROP
4. EX: create a new chain in the filter table
iptables -N okay
5. EX: drop all ICMP packets coming from the IP address 127.0.0.1.
iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
6. EX: accept everything coming from the loopback address
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
7. EX: accept packets for the local web server coming from the Internet (eth0)
iptables -A INPUT -p TCP -i eth0 -s 0/0 --dport 80 -j ACCEPT
8. EX: forward all packets addressed to a web server to gandalf
iptables -t nat -A PREROUTING -p tcp -i $EXT_NIC --dport 80 \
-j DNAT --to-destination $WEB_SVR
(DNAT is the target that rewrites the destination; the incoming interface is matched with -i, since -d expects an address, and $WEB_SVR should be the web server's IP address)
Fedora rpm iptables files:
/sbin/iptables
/sbin/iptables-save
/etc/sysconfig/iptables-config
/etc/sysconfig/iptables -- test hint “how do I find this out?”
/etc/init.d/iptables
------------------------------------------------------
steps to play with iptables:
cd ~
vi rc.firewall
WEB_SVR="gandalf"
EXT_NIC="eth0"
/sbin/iptables -F
/sbin/iptables -P INPUT DROP # you are not going to get much now
...
:wq
sudo sh rc.firewall (or chmod +x rc.firewall and then sudo ./rc.firewall)
/sbin/iptables -L
then play
#an example
#!/bin/sh
# Simple masq firewall
#Assumes all modules are either loaded or compiled into kernel
#setup network for forwarding, dynamic ips
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
IPTABLES=/usr/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
ANY="0.0.0.0/0" # Match any IP address
CLASS_A="10.0.0.0/8" # Class-A Private (RFC-1918) Networks
CLASS_B="172.16.0.0/12" # Class-B Private (RFC-1918) Networks
CLASS_C="192.168.0.0/16" # Class-C Private (RFC-1918) Networks
EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F -t nat
echo "FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Deny TCP and UDP packets to privileged ports
#$IPTABLES -A INPUT -i $EXTIF -d $ANY -p tcp --dport 0:1023 -j DROP
#$IPTABLES -A INPUT -i $EXTIF -d $ANY -p udp --dport 0:1023 -j DROP
# Deny TCP connection attempts
#$IPTABLES -A INPUT -i $EXTIF -p tcp --syn -j DROP
#accept packets for the local web server coming from the Internet (eth0)
$IPTABLES -A INPUT -p TCP -i $EXTIF -s 0/0 --dport 80 -j ACCEPT
# Deny ICMP echo-requests
$IPTABLES -A INPUT -i $EXTIF -s $ANY -p icmp --icmp-type echo-request -j DROP
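As an added example (not from the notes or from Negus' book), a small Python model of the first-match evaluation the concepts list and the masq script above rely on: chains holding rules, the -N/-P/-A/-F operations, a jump into a user-defined chain that returns when nothing matches, LOG as a non-terminating target, and the routing decision from steps 1-3. It loads the example rules in the order the notes give them; the contents of the "okay" chain, the eth1 jump into it, the addresses and the packets are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    target: str                  # ACCEPT, DROP, REJECT, LOG or a user chain name (-j)
    match: dict = field(default_factory=dict)   # conditions, e.g. {"proto": "tcp", "dport": 80}
    def matches(self, pkt):
        # all conditions must hold (AND); a set means "any of these", like --state ESTABLISHED,RELATED
        return all(pkt.get(k) in v if isinstance(v, set) else pkt.get(k) == v
                   for k, v in self.match.items())

class FilterTable:
    def __init__(self):
        self.chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}
        self.policy = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"}
    def new_chain(self, name):           self.chains[name] = []             # iptables -N
    def set_policy(self, chain, target): self.policy[chain] = target        # iptables -P
    def append(self, chain, rule):       self.chains[chain].append(rule)    # iptables -A
    def flush(self, chain):              self.chains[chain].clear()         # iptables -F

    def _walk(self, chain, pkt, log):
        for rule in self.chains[chain]:
            if not rule.matches(pkt): continue
            if rule.target == "LOG":                # LOG does not terminate: record and go on
                log.append((chain, dict(pkt)))
                continue
            if rule.target in ("ACCEPT", "DROP", "REJECT"):
                return rule.target                  # first terminating match decides
            verdict = self._walk(rule.target, pkt, log)   # jump into a user chain ...
            if verdict is not None: return verdict  # ... and come back here if nothing matched
        return None

    def verdict(self, chain, pkt, log=None):
        # a built-in chain that reaches its end applies its policy (-P)
        return self._walk(chain, pkt, [] if log is None else log) or self.policy[chain]

def filter_incoming(fw, pkt, local_addrs, log=None):
    """Steps 1-3 of the notes: a packet for one of our own addresses goes to INPUT, anything else to FORWARD."""
    chain = "INPUT" if pkt["dst"] in local_addrs else "FORWARD"
    return chain, fw.verdict(chain, pkt, log)

def build_notes_firewall():
    """The example rules above, in the order the notes give them, plus a few constructed ones."""
    fw = FilterTable()
    fw.flush("INPUT"); fw.set_policy("INPUT", "DROP"); fw.new_chain("okay")
    fw.append("INPUT", Rule("DROP", {"src": "127.0.0.1", "proto": "icmp"}))
    fw.append("INPUT", Rule("ACCEPT", {"in": "lo", "src": "127.0.0.1"}))
    fw.append("INPUT", Rule("ACCEPT", {"proto": "tcp", "in": "eth0", "dport": 80}))
    fw.append("okay", Rule("ACCEPT", {"proto": "tcp", "dport": 22}))    # constructed: what "okay" allows
    fw.append("INPUT", Rule("okay", {"in": "eth1"}))                    # constructed: LAN packets jump to it
    fw.set_policy("FORWARD", "DROP")                                    # as in the masq script above
    fw.append("FORWARD", Rule("ACCEPT", {"in": "eth0", "out": "eth1", "state": {"ESTABLISHED", "RELATED"}}))
    fw.append("FORWARD", Rule("ACCEPT", {"in": "eth1", "out": "eth0"}))
    fw.append("FORWARD", Rule("LOG"))
    return fw
```

Note that the loopback ping is dropped: example 5's ICMP rule is appended before example 6's loopback ACCEPT, so the first match wins, and a LOG rule as the last FORWARD rule still ends in the DROP policy.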
FireHOL, the iptables stateful packet filtering firewall builder.
1. Identify your network interfaces
sudo ip link show
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:1f:c6:51:13:11 brd ff:ff:ff:ff:ff:ff
3: eth1: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:1f:c6:51:13:12 brd ff:ff:ff:ff:ff:ff
2. Think about what each interface should do
Ignore lo; in the output above eth0 is DOWN and unused, so eth1 carries everything
Also think about which services (i.e. servers) you want to offer.
3. Create the FireHOL configuration structure
In my Fedora 10 system the configuration file is /etc/firehol/firehol.conf
and by default it says
version 5
# Accept all client traffic on any interface
interface any world
client all accept
You should probably rename the interface if you are going to build a “real” firewall
version 5
interface eth1 world
client all accept
4. Now add servers and clients you wish to accept
version 5
interface any world
client all accept
interface eth1 home
server dns accept
server ssh accept
server http accept
If you have special ports or have moved services you may define your own servers
server custom myservice proto/sports cports accept
If you want to move the ssh port to 41265 the above file becomes:
version 5
interface any world
client all accept
interface eth1 home
server dns accept
server custom myssh tcp/41265 default accept
server http accept
5. Checking
Run sudo /etc/rc.d/init.d/firehol debug
and it will show you the resulting iptables rules or any problems
6. Pretty much done.
You can do much more (routing tables, masquerade, NAT), but this gets you started
Brief MySQL Notes and Links
1. Get started with MySQL
2. Installing Apache2 with PHP5 and MySQL Support on OpenSuse 12.2 (LAMP)
3. Installing Apache2 with PHP5 and MySQL Support on Fedora
4. Installing LAMP on Ubuntu for Newbies
5. What is MySQL Configuration File
6. Right after install root password is blank
7. Brief Database Setup Notes (ISQS 4361)
8. show tables;
9. Reference Manuals
Linux RamDisk by Van Emery (see link below)
Base system is Fedora Core 9 (or any 2.4+ kernel)
ls -l /dev/ram*
lrwxrwxrwx 1 root root 4 Jun 12 00:31 /dev/ram -> ram1
brw-rw---- 1 root disk 1, 0 Jan 30 2003 /dev/ram0
brw-rw---- 1 root disk 1, 1 Jan 30 2003 /dev/ram1
...
dmesg | grep RAMDISK
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
RAMDISK: Compressed image found at block 0
To increase the size of the RamDisk, edit the kernel line in grub.conf
kernel /vmlinuz-2.4.20-20.9 ro root=LABEL=/ hdc=ide-scsi ramdisk_size=16000
After rebooting, confirm that the resize succeeded by checking dmesg
dmesg | grep RAMDISK
Format the disk
mke2fs -m 0 /dev/ram0
Create the mount point and mount the disk
mkdir /mnt/rd
mount /dev/ram0 /mnt/rd
Now verify the new ramdisk mount:
mount | grep ram0
/dev/ram0 on /mnt/rd type ext2 (rw)
df -h | grep ram0
/dev/ram0 16M 13K 16M 1% /mnt/rd
For a detailed look at the new disk
tune2fs -l /dev/ram0
Give yourself access to the disk
chown van:root /mnt/rd
chmod 0770 /mnt/rd
ls -ald /mnt/rd
drwxrwx--- 2 van root 4096 Dec 8 11:09 /mnt/rd
To automate creating it every time you boot, put the following into your /etc/rc.d/rc.local file
# Formats, mounts, and sets permissions on my 16MB ramdisk
/sbin/mke2fs -q -m 0 /dev/ram0
/bin/mount /dev/ram0 /mnt/rd
/bin/chown van:root /mnt/rd
/bin/chmod 0750 /mnt/rd
Other links
OtherLinks/tripwire-notes.odt
OtherLinks/Apache-2.2.6-Notes.odt
SELinux Notes ()
Potential to compartmentalize and secure every component of a Linux system
– processes, files, directories, users, devices etc
Instead of the all-or-nothing idea of root or not root, you have LOTS of discretion
Mandatory Access Control (MAC) rather than Discretionary Access Control
Directories, files, etc. in SELinux have many more attributes associated with them than in standard Linux
Two different security models
– Type Enforcement
– All objects are bound to a security attribute called a type
– All processes are bound to an attribute called a domain
– Every user is allowed to access objects based on the domain in which they operate
– Role-Based Access Control
– each user operates in a specific role
– roles are arranged in a hierarchy with specific permissions at each level
Files:
/etc/selinux/config
– SELINUX = (disabled, permissive, or enforcing)
– SELINUXTYPE = (targeted, mls (multilevel security))
– targeted limits the impact that an attack on a single server (daemon) can have on the system
– /etc/selinux/targeted
/usr/sbin/getenforce – report status
/usr/sbin/setenforce – set status
Documentation:
/usr/share/doc/selinux-doc...
/usr/share/doc/selinux-policy
--> cat /usr/share/doc/selinux-policy-3.0.8/example.fc
# myapp executable will have:
# label: system_u:object_r:myapp_exec_t
# MLS sensitivity: s0
# MCS categories:
/usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)
Users:
still have passwd file, root user, etc
Tools:
checkpolicy – looks at policy.conf file if found
yum install setools-gui
/usr/bin/apol
/usr/bin/seaudit
/usr/bin/sediffx
rpm -qa | grep selinux
Desktop Menu Specification
()
Desktops
Two general types of desktop:
“heavyweight” ones like KDE & GNOME contain a desktop plus an application development framework
and “plain” ones that only include a desktop
The problem is getting everything to work together
XDG Base directory Specification
$XDG_DATA_HOME user specific data files ($HOME/.local/share)
$XDG_CONFIG_HOME user specific configuration files ($HOME/.config)
$XDG_DATA_DIRS preference-ordered set of directories to search for data files (/usr/local/share/:/usr/share)
$XDG_CONFIG_DIRS preference-ordered set of base directories to search for configuration files in addition to the $XDG_CONFIG_HOME (/etc/xdg)
/etc/xdg/user-dirs.conf
# This controls the behaviour of xdg-user-dirs-update which is run on user login
# You can also have per-user config in ~/.config/user-dirs.conf, or specify
# the XDG_CONFIG_HOME and/or XDG_CONFIG_DIRS to override this
#
enabled=True
~/.config/user-dirs.dirs (default is /etc/xdg/user-dirs.defaults)
XDG_DESKTOP_DIR="$HOME/Desktop"
XDG_DOWNLOAD_DIR="$HOME/downloads"
XDG_TEMPLATES_DIR="$HOME/Templates"
XDG_PUBLICSHARE_DIR="$HOME/Public"
XDG_DOCUMENTS_DIR="$HOME/Documents"
XDG_MUSIC_DIR="$HOME/Music"
XDG_PICTURES_DIR="$HOME/Pictures"
XDG_VIDEOS_DIR="$HOME/Videos"
File locations
$XDG_CONFIG_DIRS/menus/${XDG_MENU_PREFIX}applications.menu
XML definition of the main application menu layout
$XDG_CONFIG_DIRS/menus/applications-merged/
third parties may add new files in this location to create their own sub-menus
$XDG_DATA_DIRS/applications/
a .desktop file for each possible menu item
$XDG_DATA_DIRS/desktop-directories/
directory entries which may be associated with folders in the menu
foo.desktop specifications
look in /usr/share/applications for examples
Extensions to the desktop format above
Categories is a list of strings used to classify menu items
OnlyShowIn a list of strings identifying the environments that should display a given menu item
NotShowIn desktops that should not display an item
Example elements in kde-applications.menu
Applications
kde-unknown.directory
Core
KDE
X-Red-Hat-Base
System Settings
system-settings.menu
X-KDE-KDevelopIDE
kde-development-kdevelop.directory
Development
X-KDE-KDevelopIDE
Misc Review notes
bash scripts
example script:
#!/bin/bash
#add a -v to the line above for debugging
echo "date is $(date +%F)"
echo
dte1='date +%F'
echo "dte1=$dte1"
echo
dte2="date +%F"
echo "dte2=$dte2"
echo
dte3=$(date +%F)
echo "dte3=$dte3"
echo
dte4=`date +%A`
echo "dte4=$dte4"
results:
--> test-src/dt.sh
date is 2008-11-12
dte1=date +%F
dte2=date +%F
dte3=2008-11-12
dte4=Wednesday
– after changing first line to #!/bin/bash -v
--> test-src/dt.sh
#!/bin/bash -v
#add a -v to the line above for debugging
echo "date is $(date +%F)"
date +%F
date is 2008-11-12
echo
dte1='date +%F'
echo "dte1=$dte1"
dte1=date +%F
echo
dte2="date +%F"
echo "dte2=$dte2"
dte2=date +%F
echo
dte3=$(date +%F)
date +%F
echo "dte3=$dte3"
dte3=2008-11-12
echo
dte4=`date +%A`
date +%A
echo "dte4=$dte4"
dte4=Wednesday
a backup bash script
#!/bin/bash
BACKUPDIR="/Gandalf/data/backup/"
ECHODATA="Backup done: "
EXCLUDES="--exclude=Recycled --exclude=recycler --exclude=. --exclude=.. --exclude='*Trash*' --exclude='temp*' --exclude='tmp*'"
#echo -e "\nMoving old backup to previous folder"
rm $BACKUPDIR/previous/*
mv $BACKUPDIR/current/* $BACKUPDIR/previous
echo
echo $BACKUPDIR/current/etc.tgz
tar -zhcf $BACKUPDIR/current/etc.tgz /etc
echo
echo $BACKUPDIR/current/boot.tgz
tar -chzf $BACKUPDIR/current/boot.tgz /boot /Gandalf/FC8/boot --exclude=/boot/boot
echo
echo partition tables
./backup_partition_tables.sh
a backup bash script for disk partitions
#!/bin/bash
BACKUPDIR="/Gandalf/data/backup/current"
echo $BACKUPDIR/MBR_Partition_Tables.tgz
dd if=/dev/sda bs=512 count=1 of=$BACKUPDIR/sda_MBR
dd if=/dev/sdb bs=512 count=1 of=$BACKUPDIR/sdb_MBR
/sbin/fdisk /dev/sda -l > $BACKUPDIR/sda_partition_table.txt
/sbin/fdisk /dev/sdb -l > $BACKUPDIR/sdb_partition_table.txt
tar -czf $BACKUPDIR/MBR_Partition_Tables.tgz $BACKUPDIR/hd* $BACKUPDIR/sd*
rm $BACKUPDIR/hd*
rm $BACKUPDIR/sd*
a file system mounting bash script (mnt)
#!/bin/bash
# Invoked as "mnt" it mounts; invoked as "umnt" (a symlink to this script) it unmounts
n=`echo $1 | tr A-Z a-z`
if [ "$0" = "/usr/local/bin/mnt" ]; then
  case $n in
    "kitchen" | "k" | "belinda" | "b" )
      sudo mount -t cifs \
        '//Ariel/Easy (E)' \
        /Gandalf/Belinda/Easy \
        -o credentials=/Gandalf/Laura/configs/.what,uid=500,gid=500 ;;
    "safe" | "s" | "encrypt" | "e" )
      encfs /Gandalf/data/.safe /Gandalf/data/safe ;;
    "gimli" | "g" )
      sudo mount -t cifs "//192.168.1.50/media" /Gimli/media \
        -o credentials=/Gandalf/Laura/configs/.what,uid=500,gid=500 ;;
    "zeus" | "z" )
      sshfs drjohn@zeus:/home/durrett/Ike /Gandalf/RemoteSites/Ike ;;
    * )
      echo "Usage: mnt WhatToMount" ;;
  esac
elif [ "$0" = "/usr/local/bin/umnt" ]; then
  case $n in
    "kitchen" | "k" | "belinda" | "b" )
      sudo umount /Gandalf/Belinda/Easy ;;
    "safe" | "s" | "encrypt" | "e" )
      fusermount -u /Gandalf/data/safe ;;
    "gimli" | "g" | "gimlidecent" | "go" | "gimliown" )
      sudo umount /Gimli/media ;;
    "zeus" | "z" )
      sudo umount /Gandalf/RemoteSites/Ike ;;
  esac
fi
to unmount
ln -s mnt umnt
a bash “data” file
username=drjohn
password=sean