User:Tom/RHCE EX300
Revision as of 21:20, 31 May 2016
RHCSA & RHCE Red Hat Enterprise Linux 7: Training and Exam Preparation Guide (EX200 and EX300), Third Edition, March 2015, by Asghar Ghori
RHCE
Chapter 14 Writing Shell Scripts
nl Number lines of files
bash -x Debug a script
Command line arguments $0 $1, $#, $*, $$ (script name, first argument, number of arguments, all arguments, PID of the script). Use ${10} for arguments above 9.
shift Shift the positional arguments to the left
echo -e Enables interpretation of backslash escapes
read Var Read user input from the keyboard into Var
$? Exit code of the last command
test Test conditions (man test), e.g. int1 -eq int2
if condition then action else action fi
if condition then action elif condition then action else action fi
for ... do ... done; while ... do ... done; until ... do ... done
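The Chapter 14 constructs above, combined in one runnable POSIX sh script (an added example, not from these notes; the function names sum_args, classify, countdown, all_numeric and main are my own):

```shell
#!/bin/sh
# Added example: positional parameters, $#, shift, test, if/elif/else,
# for, while, until and exit codes in one script. Names are my own.

# sum_args: add up every positional argument, consuming them with shift.
sum_args() {
    total=0
    while [ $# -gt 0 ]; do
        total=$((total + $1))
        shift                      # drop $1; $2 becomes $1, $# decreases
    done
    echo "$total"
}

# classify: if/elif/else with the integer tests from man test.
classify() {
    if [ "$1" -lt 0 ]; then
        echo negative
    elif [ "$1" -eq 0 ]; then
        echo zero
    else
        echo positive
    fi
}

# countdown: until loop that prints N down to 1 on one line.
countdown() {
    n=$1
    out=""
    until [ "$n" -le 0 ]; do
        out="$out$n "
        n=$((n - 1))
    done
    echo "${out% }"                # strip the trailing space
}

# all_numeric: exit status 0 when every argument is an integer (leading
# minus allowed), 1 otherwise, so the caller can test $?. Uses a for loop.
all_numeric() {
    for arg in "$@"; do
        case $arg in
            ''|-|*[!0-9-]*|?*-*) return 1 ;;
        esac
    done
    return 0
}

# main: $0 is the script name, $# the argument count, $$ the PID of this
# shell and $* all arguments joined into one word.
main() {
    if [ $# -eq 0 ]; then
        echo "usage: $0 INT..." >&2
        return 2
    fi
    if ! all_numeric "$@"; then
        echo "$0: non-numeric argument in: $*" >&2
        return 1
    fi
    echo "pid=$$ args=$# sum=$(sum_args "$@") first=$(classify "$1")"
    echo "countdown from first argument: $(countdown "$1")"
}

# Run main only when arguments are given, so the file can also be sourced
# to reuse the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```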
Chapter 15 Configuring Bonding, Teaming, IPv6 and Routing
Link Aggregation
Link aggregation is a term for combining the capabilities of two or more physical or virtual Ethernet network interfaces to function as a single network pipe. RHEL7 supports two link aggregation methods, referred to as bonding and teaming.
Interface Bonding
Interface bonding provides the ability to bind two or more network interfaces together into a single logical bonded channel that acts as the master for all slave interfaces that are added to it. The support for bonding is integrated entirely into the kernel as a loadable module. This module is called bonding.
Interface Teaming
Interface teaming is introduced in RHEL7 as an additional choice to implement enhanced throughput and fault tolerance at the network interface level. Teaming is a new implementation. Teaming handles the flow of network packets faster than bonding does. And, unlike bonding, which is accomplished purely in kernel space and provides no user control over its operation, teaming only requires the integration of the essential code into the kernel; the rest is implemented via the teamd daemon, which gives users the ability to control it with the teamdctl command.
modprobe bonding Add and remove modules from the kernel
modinfo bonding Show information about a kernel module
uuidgen eth2 Generate UUIDs
systemctl status NetworkManager
nmcli dev status
nmcli con add type bond con-name bond0 ifname bond0 mode balance-rr ip4 192.168.122.112 gw4 192.168.122.1
nmcli con add type bond-slave ifname eth1 master bond0
nmcli con up bond0
nmcli con show
nmtui If NetworkManager is active
yum install teamd Teaming software
modprobe team
modinfo team
nmcli con add type team con-name team0 ifname team0 ip4 192.168.122.122/24 gw4 192.168.122.1
nmcli con add type team-slave con-name eth4 ifname eth4 master team0
nmtui
nm-connection-editor Graphical Network Administration Tool, including bonding and teaming
teamd teamdctl teamnl
IPv6 128 bit, e.g. 1204:bab1:21d1:bb43:23a1:9bde:87df:bac9. Both IPv4 and IPv6 addresses can be set on an adapter. ping6
RIP Routing Information Protocol
OSPF Open Shortest Path First
ip route, route, netstat -rn
ip route add, ip route del
Files
/etc/sysconfig/network-scripts/ifcfg-bond0
/ifcfg-eth2
/ifcfg-eth3
Chapter 16 Synchronizing Time with NTP
ntpd uses UDP over well-known port 123
NTP roles: Primary NTP server, Secondary NTP server, NTP peer, NTP client.
NTP Client can be configured as a polling, broadcast, multicast or manycast client.
Packages ntp and ntpdate
Commands ntpdate, ntpq, ntpd and ntpstat
NTP configuration file /etc/ntp.conf. Key directives driftfile, logfile, restrict, server, peer, broadcast, crypto, includefile, keys. See man ntp.conf.
firewall-cmd --permanent --add-service ntp; firewall-cmd --reload
Package system-config-date for the system-config-date tool
Output of ntpq -p is important
Chapter 17 Working with Firewalld and Kerberos
Network Zones
Firewalld zones classify incoming network traffic for simplified firewall management. Zones define the level of trust for network connections based on criteria such as the source IP or the network interface of the incoming traffic. Inbound traffic is checked against the zone settings and handled appropriately as per the rules configured in the zone. Each zone can have its own list of services and ports that are opened or closed.
Firewalld provides nine zones by default. These system-defined zone files are XML-formatted and are located in the /usr/lib/firewalld/zones directory. By default, the public zone is the default zone.
Services
A service typically contains a port number, protocol, and an IP address. Service configuration is stored in separate XML files located in /usr/lib/firewalld/services. The configuration files in the user-defined service directory (/etc/firewalld/services) take precedence over the ones in /usr/lib/firewalld/services.
Ports can also be defined directly without using the service configuration technique. In essence, defining network ports does not require the presence of a service or a service configuration file.
Direct Interface and Rich Language
Firewalld offers the possibility to pass security rules directly to iptables using the direct interface mode, but these rules are not persistent. To address this problem, Firewalld provides support for a high-level language, called the rich language, that allows us to build complex rules without knowledge of the iptables syntax.
The rich language uses several elements to set rules and name them. These elements include a source address or range with an appropriate netmask, a destination address or range, a service name, a port number or range, a protocol, masquerade (enable or disable), forward-port (destination port or range to divert traffic to), log and log level, and an action (accept, reject, drop).
Network Address Translation and IP Masquerading
Network Address Translation (NAT) refers to the process of altering the source or destination IP address enclosed in a datagram packet header while it passes through a device that supports this type of modification. In other words, NAT allows a system on the internal network (home or corporate network) to access an external network (the internet) using a single registered IP address configured on an intermediary device (a router or firewall).
IP Masquerading is a variant of NAT and it allows several systems on the internal network (192.168.0.0) to access the Internet using that single IP of the intermediary device.
Port Forwarding
We may have to redirect inbound traffic to a port to access an application servicing on that port on our internal system. This port is defined on the intermediary device (router or netfilter module on RHEL). For example, to allow external access to the HTTP service listening on port 8080 on an internal system, both internal system IP and port number are defined on the intermediary device to ensure inbound requests are forwarded to the desired destination. This feature is referred to as port forwarding or port mapping.
Managing Firewalld
Firewalld Commands
firewall-cmd --state Check if firewalld is running.
firewall-cmd --reload Reload the permanent rules.
systemctl status firewalld Check if firewalld is running.
systemctl restart firewalld Restart the service.
Firewall Command Options for Zone Management
firewall-cmd --get-default-zone or --set-default-zone
--get-active-zones or --get-zones
--list-all or --list-all-zones
--new-zone or --delete-zone
--permanent Used to make a permanent change. Creates or updates the appropriate zone files.
--zone Used for operations on a non-default zone.
Firewall Command Options for Service Management
firewall-cmd --get-services Displays available services.
--list-services List services for a zone.
--query-service Tells whether a service is added.
--add-service Adds a service to the zone.
--remove-service Removes a service from a zone.
--new-service Adds a new service.
--delete-service Deletes an existing service.
--zone Used for operations on a non-default zone.
Firewall Command Options for Port Management
firewall-cmd --list-ports Lists ports added to a zone.
--add-port Adds a port to a zone.
--remove-port Removes a port from a zone.
--query-port Checks whether a port is added to a zone.
--permanent Used with the add and remove options for persistence.
--zone Used for operations on a non-default zone.
Firewall Command Options for Using Rich Language Rules
firewall-cmd --list-rich-rules
--add-rich-rule
--remove-rich-rule
--query-rich-rule
--permanent
--zone
Add a persistent rich rule to the default zone to allow inbound HTTP access from network 192.168.3.0/24. This rule should log messages with prefix "HTTP Allow rule" at the info level.
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.3.0/24" \
service name="http" log prefix="HTTP Allow Rule" level="info" accept'
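Building the rule above from its elements and checking the parts that are easy to mistype (family, action, log level, source prefix) before handing it to firewall-cmd. This is an added example, not from these notes; rich_rule, fw_add_rich_rule, the APPLY variable and the argument order are my own:

```shell
#!/bin/sh
# Added example: compose and validate a firewalld rich rule. Names are mine.

# rich_rule FAMILY SOURCE SERVICE LOG_PREFIX LOG_LEVEL ACTION
# Prints the rich rule string, or returns 1 on invalid input.
rich_rule() {
    family=$1 source=$2 service=$3 prefix=$4 level=$5 action=$6

    case $family in ipv4|ipv6) ;; *) echo "bad family: $family" >&2; return 1 ;; esac
    case $action in accept|reject|drop) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
    # Log levels the rich language accepts (syslog priority names).
    case $level in emerg|alert|crit|error|warning|notice|info|debug) ;;
        *) echo "bad log level: $level" >&2; return 1 ;; esac
    # Rough IPv4 source check: digits and dots, optional /0-32 prefix length.
    if [ "$family" = ipv4 ]; then
        case $source in
            *[!0-9./]*|*/*/*) echo "bad source: $source" >&2; return 1 ;;
        esac
        prefix_len=${source#*/}
        if [ "$prefix_len" != "$source" ] && ! [ "$prefix_len" -le 32 ] 2>/dev/null; then
            echo "bad prefix length: $source" >&2; return 1
        fi
    fi
    # The double quotes around each value are part of the rich language syntax.
    printf 'rule family="%s" source address="%s" service name="%s" log prefix="%s" level="%s" %s\n' \
        "$family" "$source" "$service" "$prefix" "$level" "$action"
}

# fw_add_rich_rule RULE: add the rule permanently and reload so it is active
# now as well. Prints the command instead when firewall-cmd is not installed.
fw_add_rich_rule() {
    rule=$1
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --add-rich-rule "$rule" && firewall-cmd --reload
    else
        echo "would run: firewall-cmd --permanent --add-rich-rule '$rule'"
    fi
}

# Stand-alone: build the rule from the notes; only apply it when APPLY=1.
if [ $# -eq 0 ]; then
    rule=$(rich_rule ipv4 192.168.3.0/24 http "HTTP Allow Rule" info accept) || exit 1
    if [ "${APPLY:-0}" = 1 ]; then fw_add_rich_rule "$rule"; else echo "$rule"; fi
fi
```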
Firewalld Command Options for Masquerade Management
firewall-cmd --add-masquerade Adds a masquerade to a zone.
--remove-masquerade
--query-masquerade
--permanent
--zone
Add masquerading support to the external zone:
firewall-cmd --add-masquerade --zone external
Firewalld Command Options for Port Forwarding
firewall-cmd --list-forward-ports
--add-forward-port
--remove-forward-port
--query-forward-port
--permanent
--zone
Forward inbound telnet traffic to port 1000 on the same system:
firewall-cmd --zone external --add-forward-port port=23:proto=tcp:toport=1000 --permanent
Forward inbound ftp traffic to port range 1001 to 1005 on the same system:
firewall-cmd --zone external --permanent --add-forward-port port=21:proto=tcp:toport=1001-1005
Forward inbound smtp traffic to the same port number but to IP 192.168.0.121:
firewall-cmd --zone external --permanent --add-forward-port port=25:proto=tcp:toaddr=192.168.0.121
Forward inbound tftp traffic to 192.168.0.121:1010
firewall-cmd --zone external --permanent --add-forward-port port=69:proto=tcp:toport=1010:toaddr=192.168.0.121
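Building the port=...:proto=...:toport=...:toaddr=... argument for the four cases above and rejecting specs firewalld would not accept (bad protocol, port outside 1-65535, inverted range, neither toport nor toaddr). Forwarding to another host also needs masquerading on the zone, so that command is emitted alongside. An added example, not from these notes; forward_spec, fw_forward, run and the APPLY variable are my own:

```shell
#!/bin/sh
# Added example: compose and sanity-check --add-forward-port specs. Names are mine.

# forward_spec PORT PROTO [TOPORT] [TOADDR]
# Prints the spec, or returns 1 when it could not be a valid forward.
forward_spec() {
    port=$1 proto=$2 toport=$3 toaddr=$4

    [ -n "$port" ] || { echo "port required" >&2; return 1; }
    case $proto in tcp|udp) ;; *) echo "proto must be tcp or udp: $proto" >&2; return 1 ;; esac
    # Each port is a number or low-high range within 1-65535 (empty toport is skipped).
    for p in $port $toport; do
        case $p in *[!0-9-]*|-*|*-|*-*-*) echo "bad port: $p" >&2; return 1 ;; esac
        lo=${p%-*} hi=${p#*-}
        if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    # A forward must name a target port, a target host, or both.
    if [ -z "$toport" ] && [ -z "$toaddr" ]; then
        echo "need toport and/or toaddr" >&2; return 1
    fi
    spec="port=$port:proto=$proto"
    [ -z "$toport" ] || spec="$spec:toport=$toport"
    [ -z "$toaddr" ] || spec="$spec:toaddr=$toaddr"
    echo "$spec"
}

# run CMD...: print the command line; execute it only when APPLY=1.
run() {
    echo "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# fw_forward ZONE SPEC: permanent forward plus reload; a forward to another
# host (toaddr) is preceded by --add-masquerade, which firewalld requires.
fw_forward() {
    zone=$1 spec=$2
    case $spec in *toaddr=*) run firewall-cmd --zone "$zone" --permanent --add-masquerade ;; esac
    run firewall-cmd --zone "$zone" --permanent --add-forward-port "$spec"
    run firewall-cmd --reload
}

# Stand-alone: the three forwards from the notes, printed (or applied with APPLY=1).
if [ $# -eq 0 ]; then
    fw_forward external "$(forward_spec 23 tcp 1000)"              # telnet -> local 1000
    fw_forward external "$(forward_spec 21 tcp 1001-1005)"         # ftp -> local range
    fw_forward external "$(forward_spec 25 tcp '' 192.168.0.121)"  # smtp -> other host
fi
```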
Firewalld Command Summary
firewall-config Firewalld GUI configuration tool.
firewall-cmd --state, --get-default-zone, --get-active-zones, --get-zones, --list-all, --list-all-zones
--list-all --zone public
--new-zone testzone --permanent, --delete-zone testzone --permanent
--get-services
--list-services
--query-service
--list-ports --add-port --remove-port --query-port --permanent --zone
--list-rich-rules --add-rich-rule --remove-rich-rule --query-rich-rule --permanent --zone
--add-masquerade --remove-masquerade --query-masquerade --permanent --zone
--list-forward-ports --add-forward-port --remove-forward-port --query-forward-port --permanent --zone
Firewalld Files
/etc/firewalld Firewalld configuration files. /etc/firewalld/zones User-defined zones. /etc/firewalld/services User-defined services.
/usr/lib/firewalld/zones System-defined zones. /usr/lib/firewalld/services Service configuration.
/var/log/messages /var/log/secure
Understanding and Managing Kerberos
Kerberos uses port 88 for general communication and port 749 for administration of the Kerberos database via commands such as kadmin and kpasswd. The Kerberos ticketing system relies heavily on resolving hostnames and on accurate timestamps to issue and expire tickets. Therefore it requires adequate clock synchronisation and a working DNS or an accurate /etc/hosts to function correctly.
Terminology
- Authentication: The process of verifying the identity of a user or service.
- Authentication Service (AS): A service that runs on the Key Distribution Center (KDC) server to authenticate clients and issue initial tickets.
- Client: A user or service (such as NFS or Samba) that requests the issuance of tickets to use network services.
- Credentials: A ticket along with the relevant encryption keys.
- Principal: A verified client (user or service) that is recorded in the KDC database and to which the KDC can assign tickets.
- Realm: The administrative territory of a KDC, with one or more KDCs and several principals.
- Service Host: A system that runs a kerberized service that clients can use.
- Session key: An encrypted key that is used to secure communication among clients, KDCs and service hosts.
- Service Ticket: An encrypted digital certificate used to authenticate a user to a specific network service. It is issued by the TGS after validating a user's TGT and contains a session key, the principal name, an expiration time and more.
- Ticket Granting Service (TGS): A service that runs on the KDC to generate and issue service tickets to clients.
- Ticket Granting Ticket (TGT): An initial encrypted digital certificate that is used to identify the client to the TGS when requesting service tickets. It is issued by the AS after validating the client's presence in the KDC database.
How Kerberos Authenticates clients
The Kerberos authentication process can be separated into three parts: an initial stage of getting a TGT (passport), a service stage to obtain a service ticket (visa), and accessing the service (travelling to the visa-issuing country).
A user contacts the AS for initial authentication via the kinit command. The AS asks for the user's password, validates it and generates a TGT for the user. The AS also produces a session key using the user's password. The AS returns the credentials (TGT plus session key) to the user. The credentials are saved in the client's credential cache.
Later, when the user needs to access a service running on a remote service host, they send the TGT and the session key to the TGS, asking it to grant the desired access. The TGS verifies the user's credentials by decrypting the TGT, assembles a service ticket for the desired service and encrypts it with the host's secret key. It transmits the service ticket to the user along with a session key. The user stores the service ticket in their credential cache. The user presents these credentials to the service host, which decrypts the service ticket with its secret key and validates the user's identity and the authorisation to access the service. The user is then allowed to access the service.
Kerberos Packages and Utilities
Packages krb5-server krb5-workstation Commands kinit, kdestroy, klist, passwd, kadmin, kadmin.local
Chapter 18 Tuning Kernel Parameters, Reporting System Usage and Logging Remotely
sysctl -a, sysctl -p
/proc/cmdline /proc/sys
echo 18 >/proc/sys/...
/etc/sysctl.conf /usr/lib/sysctl.d/00-system.conf
/boot/grub2/grub.cfg /proc/cmdline Boot-Time parameters aka command-line options
df, vmstat, top
Package sysstat: cifsiostat, iostat, mpstat, nfsiostat, pidstat, sa1, sa2, sadc, sadf, sar, dstat
/etc/sysconfig/sysstat /etc/sysconfig/sysstat.ioconf
Package dstat, dstat
Chapter 19 Sharing Block Storage with iSCSI
targetcli Target administration, package targetcli. targetcli saveconfig saves the target configuration.
iscsiadm Initiator administration, package iscsi-initiator-utils.
iscsiadm -m discovery -t st -p 192.168.122.102 Locate available targets.
iscsiadm -m node -T iqn.2016-01.roggeware.nl.server2:iscsidisk1 -p 192.168.122.102 -l Login (-l) to target (-T) in node mode (-m) at portal (-p).
iscsiadm -m session Show active sessions.
systemctl enable iscsid
/etc/iscsi/iscsi.conf /var/lib/iscsi/
Chapter 20 Sharing File Storage with NFS
yum install nfs-utils
getsebool -a|grep nfs_export
setsebool -P nfs_export_all_ro=1 nfs_export_all_rw=1
firewall-cmd --add-service nfs
firewall-cmd --reload
firewall-cmd --list-services
systemctl enable rpcbind nfs-server
/etc/exports Entry: /common server2.example.com(rw,no_root_squash)
/etc/fstab Entry: server1.example.com:/common /nfsrhcemnt nfs _netdev,rw 0 0
/var/lib/nfs/etab
/etc/sysconfig/nfs
exportfs -avr
exportfs -u server2.example.com:/common
man exports
nfsstat nfsiostat mountstats
Chapter 21 Sharing File Storage with Samba
Server Message Block (SMB) is now widely known as the Common Internet File System (CIFS). The Samba daemon smbd uses TCP port 445.
Samba Commands
mount Mounts a Samba share. Adds an entry to /etc/mtab.
mount.cifs Mounts a Samba share on the client.
pdbedit Maintains a local user database in /var/lib/samba/private/smbpasswd on the server.
smbclient Connects to a Samba share to perform FTP-like operations.
smbpasswd Changes Samba user passwords.
testparm Tests the syntax of the smb.conf file.
umount Unmounts a mounted share.
smbclient -L //server1/common -U user10
Samba Configuration and functional files
/etc/samba/smb.conf Samba server configuration file.
/etc/samba/smbusers Maintains Samba and Linux user mappings.
/etc/sysconfig/samba Contains directives used at Samba startup.
/var/lib/samba/private/smbpasswd Maintains Samba user passwords.
/var/log/samba Directory location for Samba logs.
Samba Software Packages
samba Provides the Samba server support.
samba-client Includes utilities for performing various operations on server and client.
samba-common Provides Samba man pages, commands and configuration files.
samba-libs Contains library routines used by Samba server and client.
cifs-utils Client-side utilities for mounting and managing CIFS shares.
SELinux Requirements for Samba Operation
....
Chapter 22 Hosting Websites with Apache
Apache Commands
apachectl Starts, stops and checks the status of the httpd process. systemctl may also be used.
htpasswd Creates and updates files that store usernames and passwords for basic authentication of Apache users.
httpd Server program for the Apache web service.
-t Verify the configuration file.
-D DUMP_VHOSTS Verify the virtual host configuration.
Apache Configuration Files
/etc/httpd Default directory for all configuration files.
/run/httpd Runtime information.
/usr/lib64/httpd/modules Additional Apache modules.
/var/log/httpd Apache log files.
/usr/share/doc/httpd-2.4.6 Documentation.
Apache Software Packages
httpd
httpd-manual HTML pages in /usr/share/httpd/manual, accessible with links or elinks.
httpd-tools
Configuring Apache Web Servers
system-config-selinux SELinux Configuration Tool
getsebool -a|grep httpd
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
firewall-cmd --permanent --add-port 8900/tcp
semanage fcontext -at httpd_sys_content_t "/var/vhost2(/.*)?"
restorecon -Rv /var/vhost2
elinks http://localhost
Understanding and Configuring Apache Web Servers over SSL/TLS
CA Certificate Authority. CSR Certificate Signing Request.
OpenSSL logfiles are in /etc/httpd/logs which is a symbolic link to /var/log/httpd/
Software Packages
mod_ssl openssl
Commands
openssl list-standard-commands
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out server1.example.com.key Generate private key.
openssl req -new -key server1.example.com.key -out server1.example.com.csr Generate a certificate signing request.
openssl x509 -req -days 120 -signkey server1.example.com.key -in server1.example.com.csr -out server1.example.com.crt Self-sign the CSR.
openssl s_client -connect localhost:443 -state
httpd -D DUMP_VHOSTS
restorecon -Rv /var/www/html
firewall-cmd --permanent --add-service https
Files
/etc/httpd/conf.d/ssl.conf Installed by package mod_ssl. /etc/pki/tls/certs Default location for certificates.
Chapter 23 Sending and Receiving Electronic Mail
MUA Mail User Agent. MSA Mail Submission Agent. MTA Mail Transport Agent. MDA Mail Delivery Agent.
POP Post Office Protocol. IMAP Internet Message Access Protocol.
Postfix daemons
master, nqmgr, pickup, smtpd
Postfix Commands
alternatives Displays and sets the default MTA.
--set mta
--display mta
mail/mailx Sends and receives email.
postalias/newalias Processes the alias database (/etc/aliases by default).
postconf Displays and modifies the Postfix configuration stored in the main.cf file.
-d Display default settings.
-n Display settings defined in main.cf.
postfix Controls the operation of Postfix services, including start, stop, health check, and reloading the configuration.
check Check main.cf for syntax errors.
postmap Processes and converts some configuration files into Postfix-compatible databases.
postqueue/mailq Lists and controls Postfix queue.
Files
/etc/postfix Postfix directory with configuration files.
/etc/postfix/access Establishes access control based on email address, host, domain or network address. man 5 access.
/etc/postfix/access.db Run postmap /etc/postfix/access to update this database.
/etc/postfix/canonical Run postmap /etc/postfix/canonical to update this database. man 5 canonical.
/etc/postfix/generic Establishes mappings for local and non-local mail addresses. Syntax identical to canonical.
/etc/postfix/main.cf /etc/postfix/master.cf /etc/postfix/relocated /etc/postfix/transport /etc/postfix/virtual
/etc/aliases
/var/lib/postfix /var/log/maillog
/var/spool/postfix /var/spool/mail
Managing Postfix
SELinux requirements for Postfix operation
ps -eZ|grep postfix
ls -lZd /etc/postfix /var/lib/postfix /var/spool/postfix
semanage port -l|grep smtp
getsebool -a|grep postfix
Packages
postfix
Configuring DNS
Determining the IP address of a hostname is referred to as forward name resolution or simply name resolution; determining the hostname associated with an IP address is referred to as reverse name resolution.
DNS Name Space and Domains
The DNS name space is a hierarchical organization of all the domains on the internet. The root of the name space is represented by a dot. The hierarchy right below the root represents top-level domains (TLDs) that are either generic, such as .com, .net, .org and .gov, referred to as gTLDs, or specific to a two-letter country code, such as .ca and .uk, referred to as ccTLDs. Sub-domains fall under domains and are separated by a dot.
BIND Software Packages and Service Daemon
bind Provides software to configure a DNS server.
bind-libs Contains library files for the bind and bind-utils packages.
bind-utils Comprises resolver tools, such as dig, host and nslookup.
The named daemon listens on well-known port 53 and supports both TCP and UDP for operation. See /usr/share/doc/bind for example named configuration files.
DNS Commands
systemctl enable named
systemctl start named
named-checkconf
/etc/named.conf /usr/share/doc/bind /var/log/messages /var/named.rfc1912.zones
/var/named/ Zone files
SELinux requirements
ps -eZ |grep named Shows domain type named_t.
semanage port -l|grep dns
getsebool -a |grep ^named
Chapter 25 Managing MariaDB
Packages
mariadb Provides MariaDB client programs and a configuration file.
mariadb-server Contains the MariaDB server, tools, configuration and log files.
mariadb-libs Comprises the essential library files for MariaDB client programs.
The mariadb-server package also installs the MySQL daemon binary (mysqld). This daemon process listens on port 3306 and supports both TCP and UDP for operation. It must run on the system to allow client access.
MariaDB Commands
mysql Command line shell interface for administration and queries.
mysql_secure_installation Improves the security of a MariaDB installation.
mysqldump Backs up or restores one or more tables or databases.
Maria DB Configuration Files
/etc/my.cnf Global defaults. Primary configuration file.
/etc/my.cnf.d/ Directory for configuration files.
/etc/my.cnf.d/client.cnf /etc/my.cnf.d/mysql-clients.cnf /etc/my.cnf.d/server.cnf
/var/log/mariadb/mariadb.log
SELinux Requirements for MariaDB Operation
By default the mysqld daemon runs confined in its own domain with domain-type mysqld_t.
ps -eZ|grep mysqld
system_u:system_r:mysqld_t:s0 5245 ? 00:06:00 mysqld
The SELinux file type associated with the mysqld daemon file is mysql_exec_t; that of the configuration files in the /etc/my.cnf.d directory is etc_t, that of the database files in /var/lib/mysql is mysqld_db_t and that of the log files in /var/log/mariadb is mysql_log_t.
ll -dZ /usr/libexec/mysqld /etc/my.cnf.d /var/lib/mysql /var/log/mariadb
drwxr-xr-x. root root system_u:object_r:mysqld_etc_t:s0 /etc/my.cnf.d
-rwxr-xr-x. root root system_u:object_r:mysqld_exec_t:s0 /usr/libexec/mysqld
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_db_t:s0 /var/lib/mysql
drwxr-x---. mysql mysql system_u:object_r:mysqld_log_t:s0 /var/log/mariadb
semanage port -l|grep mysql
mysqld_port_t tcp 1186, 3306, 63132-63164
getsebool -a|grep mysql
mysql_connect_any --> off
selinuxuser_mysql_connect_enabled --> off
Install MariaDB
yum install mariadb-server
systemctl enable mariadb
mysql_secure_installation
firewall-cmd --permanent --add-service mysql; firewall-cmd --reload
systemctl start mariadb
Start the MariaDB Shell and Understand its Usage
mysql -u root -p Start the MariaDB shell
help
status
Subcommands for Database and Table Operations
create, drop, show, delete, describe, insert, rename, select, update
show databases; create database database; use database;
create table scientists(Sno int,FirstName varchar(20), LastName varchar(20), City varchar(20),Country varchar(20),Age int);
describe scientists;
insert into scientists values('1','Albert','Einstein','Ulm','Germany','76');
select * from scientists where FirstName='Albert';
select * from scientists where Age>77;
select * from scientists where Country='Poland' or Country='Germany';
select * from scientists order by FirstName;
select * from scientists order by LastName desc;
select * from scientists where Country like 'U%';
select * from scientists where Age like '7%';
rename table scientists to science;
update science set FirstName='Benjamin',LastName='Franklin' where Sno='1';
delete from science where Sno='1' or Sno='7';
Backing Up and Restoring a Database or Table
mysqldump -u root -p --all-databases >db.all.sql Back up all databases.
mysqldump -u root -p rhce1 >db.rhce1.sql Back up a specific database.
mysql: create database rhce1 Create the database to be restored (if it does not exist).
mysql -u root -p rhce1 <db.all.sql Restore a specific database.
mysqldump -u root -p DB1 tbl1 tbl2 >db.tbl12.sql Back up specific tables.
mysql -u root -p DB1 tbl1 <db.tbl12.sql Restore a specific table.