User:Tom/RHCE EX300-2
25 Configuring Kerberos
KDC: Key Distribution Center. A central key server that issues tickets.
Realm: all hosts that use the same KDC to get tickets.
TGT: Ticket Granting Ticket.
Principal names: service principal nfs/server.example.com@EXAMPLE.COM, user principal tom@EXAMPLE.COM.
Using nslcd or sssd as Authentication Backend Service
Verify that the sssd packages are installed before using the authconfig utilities; when the GUI is used, sssd is selected by default. Use yum group install "Directory Client" to install sssd and related packages, and start sssd before using the authconfig utilities.
/etc/sysconfig/authconfig: FORCELEGACY=no switches off the legacy nslcd path; USESSSD=yes and USESSSDAUTH=yes select sssd for user information and authentication.
Commands
authconfig Configure LDAP for user information with Kerberos for authentication.
authconfig --test Get an overview of the current configuration and see which services are used.
authconfig-tui, authconfig-gtk Interactive front ends.
kinit Obtain and cache a Kerberos ticket-granting ticket.
klist List cached Kerberos tickets (klist -k lists the entries in /etc/krb5.keytab).
Files
/etc/krb5.keytab Needed by a server hosting Kerberized services. Contains the keys of all service principals on that server; protect it like a password file (root-only).
/etc/nslcd.conf Configuration of nslcd, the legacy alternative to sssd.
/etc/nsswitch.conf Name-service lookup order (passwd, group, ... via sss or ldap).
/etc/openldap/cacerts Stores the root certificate authorities used to validate the LDAP server certificate.
/etc/openldap/ldap.conf LDAP client configuration.
/etc/pam.d/ PAM configuration.
/etc/sssd/sssd.conf Configuration of sssd, the daemon that retrieves and caches user and authentication information. Install it (yum group install "Directory Client") before using the authconfig utilities.
/etc/sysconfig/authconfig
Packages
pam_krb5 krb5-workstation
26 iSCSI
Commands
targetcli Configure the target.
firewall-cmd --add-service iscsi-target --permanent
firewall-cmd --reload
systemctl start target
systemctl enable target
iscsiadm Initiator side: discover and log in to targets.
Files
Packages
targetcli Target.
iscsi-initiator-utils Initiator (provides iscsiadm).
lsscsi Lists SCSI devices, including logged-in iSCSI LUNs.
30 Routing and Networking
Commands
IPv6 addresses / networks:
- ::1/128 Loopback (local host).
- :: The unspecified address (all zeros).
- ::/0 The default route (matches every destination).
- 2000::/3 Global unicast addresses.
- fc00::/7 Unique local addresses.
- fe80::/10 Link-local addresses (a host configures fe80::/64 on each link).
- ff00::/8 Multicast.
- 2001:db8::/32 Addresses reserved for use in documentation.
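An added example (not from the original notes): a small Python helper that classifies an address into the scopes listed above and checks whether a gateway is directly reachable from an interface address, the check worth doing before handing a value to nmcli's gw4/gw6 options. Prefixes are tested most-specific first, because 2001:db8::/32 lies inside 2000::/3. The sample addresses used in the test are constructed.

```python
"""Classify IPv6 addresses by scope and sanity-check gateways.

Added example, not part of the original notes; standard library only.
The sample addresses are constructed.
"""
import ipaddress

# Most specific prefix first: 2001:db8::/32 lies inside 2000::/3, and the
# two single-host entries (/128) must be tried before anything else.
IPV6_SCOPES = [
    (ipaddress.IPv6Network("::1/128"), "loopback"),
    (ipaddress.IPv6Network("::/128"), "unspecified"),
    (ipaddress.IPv6Network("2001:db8::/32"), "documentation"),
    (ipaddress.IPv6Network("2000::/3"), "global unicast"),
    (ipaddress.IPv6Network("fc00::/7"), "unique local"),
    (ipaddress.IPv6Network("fe80::/10"), "link-local"),
    (ipaddress.IPv6Network("ff00::/8"), "multicast"),
]


def classify_ipv6(text):
    """Return the scope name for an IPv6 address, 'other', or 'invalid'."""
    # Drop a zone index such as %eth0 (seen on link-local addresses in
    # 'ip addr' output); older Python versions do not parse it.
    addr_text = text.split("%", 1)[0].strip()
    try:
        addr = ipaddress.IPv6Address(addr_text)
    except ValueError:
        return "invalid"
    for net, name in IPV6_SCOPES:
        if addr in net:
            return name
    return "other"


def gateway_reachable(address_with_prefix, gateway):
    """True if the gateway is on-link for the interface address.

    A gateway that is neither inside the interface's own network nor a
    link-local IPv6 address is not directly reachable, so passing it as
    gw4/gw6 to nmcli gives a default route with an unreachable next hop.
    """
    iface = ipaddress.ip_interface(address_with_prefix)
    gw = ipaddress.ip_address(gateway)
    if gw.version != iface.version:
        return False
    if gw in iface.network:
        return True
    return gw.version == 6 and gw.is_link_local


if __name__ == "__main__":
    for a in ["::1", "2001:db8:0:1::100", "fd12:3456::1",
              "fe80::1%eth0", "febf::1", "ff02::1"]:
        print(a, "->", classify_ipv6(a))
    print(gateway_reachable("2001:db8:0:1::100/64", "2001:db8:0:1::1"))
```

febf::1 is reported as link-local because the reserved prefix is fe80::/10, not fe80::/64; the /64 is only what a host configures on a link.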
man 5 nmcli-examples Examples of how to create a team interface.
man -k team
nmcli con add type team con-name team0 config '{"runner": {"name": "loadbalance"}}'
nmcli con mod team0 ipv4.addresses 192.168.122.131/24
nmcli con add type team-slave ifname eth1 master team0
nmcli con add type team-slave ifname eth2 master team0
nmcli con show eth1 Shows the detailed IP configuration (for example: ipv4.addresses).
nmcli con add con-name eth1 type ethernet ifname eth1 ip6 2001:db8:0:1::100/64 gw6 2001:db8:0:1::1 ip4 192.168.122.131/24 gw4 192.168.122.1
nmcli con mod eth1 ipv6.addresses "2001:db8:0:1::1/64" Replaces the address list.
nmcli con mod eth1 +ipv6.addresses "2001:db8:0:2::1/64" Adds a second address (+ appends, - removes).
nmcli con up team0
nmcli con show
teamdctl team0 state
teamdctl team0 state view
teamnl team0 options
ip link show
ip route show
Files
/etc/sysconfig/network-scripts/ifcfg-team0 /etc/sysconfig/network-scripts/ifcfg-team-slave-eth[12]
/etc/sysctl.d/forwarding.conf (net.ipv4.ip_forward = 1) Enables forwarding to configure the server as a router; apply it with sysctl -p /etc/sysctl.d/forwarding.conf (or sysctl --system).
32 Advanced Firewall Configuration
Basic ordering rules within zones:
- Direct rules
- Port forwarding and masquerading
- Logging rules
- Allow rules
- Deny rules
For NAT the server needs to be configured as a router: /proc/sys/net/ipv4/ip_forward = 1 (make it persistent through /etc/sysctl.d).
Two types of NAT:
- Masquerading: the source address of an internal node is replaced with the address of the NAT router (source NAT), so all internal hosts share the router's public address.
- Port forwarding: the NAT router redirects traffic arriving on a public port to another port, and possibly another host, on the private network (destination NAT). Masquerading must be enabled in the zone for port forwarding to another host (toaddr) to work.
Commands
firewall-cmd --reload
firewall-cmd --get-services Shows all services, which are stored in /usr/lib/firewalld/services and /etc/firewalld/services.
firewall-cmd --add-rich-rule='rule ...'
firewall-cmd --remove-rich-rule='rule ...'
firewall-cmd --query-rich-rule='rule ...'
firewall-cmd --list-rich-rules
firewall-cmd --add-forward-port=port=<port>:proto=<tcp|udp>[:toport=<port>][:toaddr=<address>]
firewall-cmd --timeout=<seconds> Combined with an --add option: the rule is removed again after that many seconds (handy for testing; cannot be combined with --permanent).
man firewalld.richlanguage Shows rich language examples.
Files
/etc/firewalld/services /usr/lib/firewalld/services
33 Advanced Apache services
- Apache basics
- Apache SELinux related settings
- Write access to DocumentRoot
- Configuring TLS Security
- Deploying CGI Applications PHP, Python
- Configuring Private Directories
SELinux settings
httpd_sys_content_t Context type. Set on directories that Apache is allowed to read.
httpd_sys_rw_content_t Context type. Set on directories that Apache is allowed to read and write.
httpd_sys_script_exec_t Context type. Used for directories that contain executable scripts (CGI).
httpd_unified Boolean. Unifies the handling of all httpd content types (read, write, execute). Disabled by default; switch on for relaxed access.
httpd_enable_cgi Boolean. On by default; allows Apache to run scripts.
httpd_tty_comm Boolean. Determines whether Apache is allowed access to a tty. Switch on if you use TLS private keys that prompt for a passphrase on startup.
Commands
semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?" Adds a file-context rule for the directory and everything below it (that is what the "(/.*)?" part does); restorecon -Rv /var/www/html applies it.
setfacl -R -m g:development:rwX /var/www/html -R recursive; -m modifies the ACL entries given on the command line; capital X grants execute only on directories and on files that are already executable.
setfacl -R -m d:g:development:rwx /var/www/html d: sets the default ACL, inherited by files and directories created later.
man semanage-fcontext Examples
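An added example, not code from the original notes or from libselinux: a simplified Python model of how restorecon picks the file-context rule for a path, showing why the "(/.*)?" suffix matters. Rules are treated as regexes anchored at both ends; when several match, the one with the longest literal stem wins and, for equal stems, the rule added last (which is how semanage fcontext -a additions override the distribution policy). Only the /var/www/html rule comes from the page; the other rules are constructed for the example, and the httpd_sys_rw_content_t upload directory is hypothetical.

```python
"""Simplified model of SELinux file-context matching (restorecon/matchpathcon).

Added example; not libselinux code and not from the notes. Only the
/var/www/html rule comes from the page; the other rules are constructed.
"""
import re

# Characters that end the literal "stem" of a file-context regex.
REGEX_META = set(r"\.^$*+?{}[]|()")


def stem(regex):
    """Literal path prefix of a rule, up to the first regex metacharacter."""
    out = []
    for ch in regex:
        if ch in REGEX_META:
            break
        out.append(ch)
    return "".join(out)


class FileContexts:
    """Ordered rule list; add() behaves like 'semanage fcontext -a -t'."""

    def __init__(self):
        self.rules = []  # (regex source, compiled anchored pattern, type)

    def add(self, regex, setype):
        # file_contexts regexes are anchored at both ends.
        self.rules.append((regex, re.compile("^(?:%s)$" % regex), setype))

    def lookup(self, path):
        """Type restorecon would set on path, or None if no rule matches."""
        best_key = None
        best_type = None
        for order, (regex, pattern, setype) in enumerate(self.rules):
            if pattern.match(path) is None:
                continue
            # Longest literal stem wins; a later rule wins a tie.
            key = (len(stem(regex)), order)
            if best_key is None or key > best_key:
                best_key, best_type = key, setype
        return best_type


def example_contexts():
    """Constructed rule set for the demonstration."""
    fc = FileContexts()
    fc.add(r"/var/www(/.*)?", "httpd_sys_content_t")
    fc.add(r"/var/www/cgi-bin(/.*)?", "httpd_sys_script_exec_t")
    # The rule from the notes above.
    fc.add(r"/var/www/html(/.*)?", "httpd_sys_content_t")
    # Hypothetical writable upload area (not from the page).
    fc.add(r"/var/www/html/upload(/.*)?", "httpd_sys_rw_content_t")
    # Deliberately without "(/.*)?": matches only the directory itself.
    fc.add(r"/srv/web", "httpd_sys_content_t")
    return fc


if __name__ == "__main__":
    fc = example_contexts()
    for p in ["/var/www/html/index.html", "/var/www/html/upload/a.png",
              "/var/www/cgi-bin/test.cgi", "/srv/web", "/srv/web/index.html"]:
        print("%-30s %s" % (p, fc.lookup(p)))
```

The /srv/web rule is the trap: without "(/.*)?" the directory itself is labelled but a restorecon of files beneath it finds no rule, which is the usual cause of an unexplained AVC denial after moving a DocumentRoot.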
yum install httpd-manual Then browse http://localhost/manual (for example with elinks).
SSL/TLS encryption: yum search TLS; yum install mod_ssl creates /etc/httpd/conf.d/ssl.conf.
curl -L --insecure https://www.roggeware.nl Checks that HTTPS answers; --insecure skips certificate verification, so repeat without it (or with --cacert <ca-bundle>) to verify the certificate chain.
yum install mod_php For dynamic PHP content.
yum install mod_wsgi For Python WSGI applications.
Files
/etc/httpd/conf/httpd.conf Main configuration.
/etc/httpd/conf.d/ssl.conf TLS security.
/etc/pki/tls/certs/www-roggeware-nl.ca-bundle Root and intermediate CA chain.
/etc/pki/tls/certs/www-roggeware-nl.crt Server certificate (public key).
/etc/pki/tls/private/www-roggeware-nl.key Private key (mode 0600, root only).
/usr/share/doc/mod_wsgi Documents about WSGI configuration
...
34 DNS
Unbound is the preferred package.
Key settings in the server: section of unbound.conf: interface: (address to listen on) and access-control: (which client networks may query). A forward-zone: with name: "." and forward-addr: 192.168.x.x forwards all queries to an upstream resolver.
dig +dnssec DNSKEY rhatcert.com Queries the DNSKEY record with the DNSSEC data (RRSIG) included.
Commands
yum install unbound
systemctl start unbound
systemctl enable unbound
firewall-cmd --add-service dns --permanent
man unbound, man unbound.conf
unbound-checkconf Validates the configuration before restarting.
nmtui, nmcli Set the resolver on the clients.
Files
/etc/resolv.conf /etc/unbound/unbound.conf
35 MariaDB
yum install mariadb mariadb-server mariadb-test
systemctl start mariadb
systemctl enable mariadb
firewall-cmd --add-service mysql --permanent (only if remote clients need access)
mysql_secure_installation Sets the root password, removes anonymous users and the test database, and disallows remote root login.
/usr/libexec/mysqld --help --verbose Information about all the settings.
show databases;
use dbname;
create database dbname;
create table tablename (name varchar(40), place varchar(40));
describe tablename;
delete from tablename where field = 'value';
update tablename set field = value where field2 = 'value';
insert into tablename (field1, field2) values ('value1', 'value2');
where clause operators: = <> > >= < <= BETWEEN LIKE IN
create user 'username'@'localhost' identified by 'password';
drop user 'username'@'localhost';
grant select,update,delete,insert on *.* to 'username'@'localhost'; grant all privileges on ... (*.* covers every database; restrict to dbname.* where possible)
mysqldump -u root -p --databases dbname > dumpfile
drop database databasename; create database databasename; mysql -u root -p databasename < dumpfile (with --databases the dump already contains CREATE DATABASE and USE statements, so mysql -u root -p < dumpfile also works).
36 NFS
37 Samba
man mount.cifs The credentials= option points to a root-only file with username= and password= lines, which keeps the password out of /etc/fstab and the process list.
38 SMTP Server
39 Configure SSH
semanage port -a -t ssh_port_t -p tcp <port> Register a non-default sshd port in SELinux. man sshd_config. ssh-agent, ssh-add Key agent. ssh tunnel: ssh -L (local) / ssh -R (remote) port forwarding.
40 Time synchronisation
chronyd daemon, chronyc command (chronyc sources shows the servers in use). NTP uses UDP port 123. systemctl start chronyd; systemctl enable chronyd; firewall-cmd --add-service ntp --permanent when the host serves time to other clients.
List commands
getsebool -a List all selinux booleans
seinfo SELinux policy query tool
--all
-r List all roles
-t List all types (type names end in _t)
-u List all users
semanage boolean --list List SELinux booleans with comments
semanage fcontext -l List all current rules