RED HAT LINUX CHEAT-SHEET
===================================================

Author: Nitebirdz
Date: November 25, 2000
v 1.0


PARTITIONING ISSUES
-------------------

o Minimal recommended installation should be no lower than 250 MB.

o Those mount points that can be directly accessed by the users and their
  applications could be mounted in their own partitions in order to avoid
  problems with them filling up the filesystem: /home, /tmp, /var.

o It is also possible to create a copy of the root partition in another
  location on the hard drive to keep as a backup, so if something fails we can
  change the /etc/fstab file and use that copy instead.

o File systems required during system initialization:
  - /etc    configuration files
  - /bin    user binaries
  - /sbin   system binaries
  - /lib    libraries needed by binaries
  - /dev    special devices filesystem

o The first logical partition will always be hda5.


INSTALLATION:
-------------

o The installation methods supported by Red Hat Linux are:
  - CD-ROM
  - Hard drive partition
  - Network via NFS, HTTP or FTP

o All network installations require that we mount/copy the /redhat directory
  from the CD-ROM.

o Regarding the use of the kickstart method:
  - For a network install, we can only use NFS
  - The postinstall section can run scripts
  - Use the mkkickstart command to generate the kickstart config.
  - Modify the ks.cfg and syslinux.cfg files on disk, depending on the
    installation method:
    * ks.cfg         local installation
    * syslinux.cfg   network installation

o We can do a partitionless installation just to test drive Red Hat Linux:
  - Installs Red Hat into a virtual filesystem
  - Creates two files on the FAT partition:
    * redhat.img    virtual Linux filesystem
    * rh-swap.img   virtual swap filesystem
  - Boots from a floppy disk
  - Uses the same installation media and process, although partitioning is
    slightly different

o Different installation disks depending on installation type:
  - boot.img
  - bootnet.img
  - pcmcia.img

o The boot floppy only contains a copy of LILO and the kernel.

o Red Hat 6.0 and 6.1 did _not_ actually use MD5 hashing for the passwords,
  even though it was an option at install time. This was apparently due to a
  bug.

o For systems that will be on the Internet, it is recommended that we set the
  hardware clock to GMT, and then select the local time from the menu. This
  part of the installation appears to be buggy.

o The POP2 and POP3 daemons only get installed if we also choose to install
  the IMAP package, which is not chosen by default.

o Multisync monitors will be safe during the configuration of the X Window
  System, since they will simply refuse to synchronize using the wrong sync
  info.

o Extended SVGA and 50-90 for the horizontal sync are the recommended values
  to play it safe during the configuration of the X Window System.


LILO:
-----

o Some important options to LILO are:
  - lilo -r   Tells LILO to load as if some other directory is the root.
  - lilo -t   Tests the configuration in lilo.conf.
  - lilo -C   Tells LILO to use a different configuration file.

o Some important LILO parameters are:
  - boot=      System boot device. First stage of the boot, including:
               * 446 b   boot loader code
               * 64 b    partition table
               * 2 b     magic number
  - install=   Pointer to the boot.b file or secondary boot loader to run.
  - map=       Map file containing address to kernel mapping information.
  - prompt     (or noprompt) Prompts for user input.
  - default=   The default kernel to boot.
  - timeout=   Number in tenths of a second to wait before booting the
               default.

o Every single time we run LILO we rewrite both the information in the MBR
  and the map file.

o We can enter the following command at the LILO prompt to make the kernel
  run a different program as init:
      linux init=/bin/bash

o The "linux -b" command at the LILO prompt will drop me in a bash shell
  prompt after boot up.

o The LILO boot loader writes letters to the console that we can use to
  troubleshoot the process:
  - L      First stage boot loader loaded, but it cannot find the second
           stage boot loader. Numerical codes may indicate hardware or media
           errors.
  - LI     Second stage boot loader (/boot/boot.b) is loaded, but it failed
           to start.
  - LIL    Second stage boot loader has been executed, but it cannot load the
           descriptor table from the map file.
  - LILO   The mappings were checked and they actually work. All parts worked
           correctly.

o After this point, the kernel itself gets loaded into memory. If it fails at
  this point, there is something wrong with the kernel itself.

o The /boot/boot.0300 file is a backup of the partition table, so we can
  rename it and then run lilo again to write a new one. The backup partition
  table information can be saved onto the boot floppy for restoring:
      dd if=/mnt/floppy/boot.bak of=/dev/hda


POST-INSTALLATION CONFIGURATION:
--------------------------------

o Run "makewhatis" right after the installation so we create a word database
  for the man pages.

o Run "updatedb" or "locate -u" to create the slocate database.

o Configure ISAPnP devices if necessary, since the OS will not autodetect
  them:
  - Run "pnpdump", which will display information on ISAPnP devices.
  - Dump that information into the /etc/isapnp.conf file and then edit it to
    add the info for the IO and IRQ addresses.
  - You may find some useful information in the /proc filesystem:
    * /proc/interrupts
    * /proc/dma
    * /proc/ioports

o PCI devices can be autodetected by the kernel as a part of the PCI
  standard.

o Some of the Red Hat installation utilities can also be run after the
  install process:
  - setup           menu of configuration utilities
  - sndconfig       probes hardware and updates modules
  - kbdconfig       keyboard configuration
  - mouseconfig     mouse configuration
  - timeconfig      system clock settings
  - authconfig      enables/disables NIS, shadow, MD5
  - Xconfigurator   configures XFree86

o Some interesting things about linuxconf:
  - The combination Ctrl+X opens the menu lists in those cases where there is
    a scroll list (signalled with a down arrow).
  - linuxconf --setmod [module name]   Loads a module into linuxconf

o The old Red Hat Control Panel is still available by entering the command
  "control-panel" at the command prompt. Some of its modules can also be
  loaded separately:
  - printtool   Configures printers
  - netcfg      Configures the network
  - modemtool   Configures the modem

o The /etc/sysconfig directory contains some important configuration files:
  - hwconf            Database used by kudzu. If it reads "ignore" under the
                      driver section, it is because the driver is compiled
                      into the kernel.
  - network           Some basic network configuration info, such as the
                      hostname and gateway.
  - network-scripts   Directory containing network config info and also some
                      scripts that can be run.

o The /etc/sysctl.conf file is being used more and more to configure the
  running kernel directly. Red Hat appears to be moving towards it as the
  configuration file of the future.

o Runlevels can be customized by using one of the following utilities:
  - tksysv      GUI utility
  - ntsysv      Console based utility
  - chkconfig   Command line utility:
                    chkconfig --list
                    chkconfig --level 2 sendmail off
                    chkconfig --add [name]


THE /PROC FILESYSTEM:
---------------------

o It is a virtual filesystem that points to the running kernel.
o Some of the most important directories and files in the /proc filesystem
  are:
  - interrupts   Shows information about the interrupts. The CPU0 column
                 lets us know how many interrupts the device sent to the
                 kernel.
  - ioports      I/O settings
  - cpuinfo      CPU details
  - net          Directory containing information about the network activity
  - sys          Directory containing kernel configuration parameters

o The /proc filesystem comprises entries that point into the kernel that is
  running in memory. These locations are identified by the appropriate
  /boot/System.map file for a particular kernel.


THE /DEV FILESYSTEM:
--------------------

o It displays the major and minor device numbers, which let us know about
  the hardware structure (controller number, device number, etc.).

o Most important device types are:
  - Block devices       Hard disks, CD-ROM, tape drives
  - Character devices   Terminals, ttys, ptys, serial ports
  - Special devices     Links, sockets, named pipes (fifo)


MOUNTING FILESYSTEMS:
---------------------

o Several ways to use the mount command:
  - mount -a
        Mounts all filesystems listed in /etc/fstab
  - mount -t [fstype] -o [options] [device] [mount point]
        mount -t vfat /dev/fd0 /mnt/floppy
        mount -t nfs -o ro server:/usr /usr
  - mount [device|mount point]
        Mounts following the /etc/fstab entry
  - mount -o [option] [device|mount point]
        mount -o remount,ro /
  - mount -o loop [filename.img] [mount point]
        Mounts an ISO image without needing to burn the image itself.

o Some important options of the mount command:
  - noauto      Doesn't mount at boot time or with the "mount -a" command
  - user        Allows a user to mount and unmount the filesystem
  - uid= gid=   Sets the owner and group of the filesystem root. Sets the
                ownership of all files in vfat and fat filesystems.

o The "mount" command will write the information to the /etc/mtab file
  unless we use the -n option.

o Mount ignores all quota options in the /etc/fstab file. The "quota"
  command reads the quota options from /etc/fstab to set up quotas.
USER MANAGEMENT:
----------------

o Main commands to manage user accounts from the command prompt are:
  - useradd
  - usermod
  - userdel
  - chfn      Change user's finger information
  - chsh      Change user's default shell

o Main commands to manage group accounts are:
  - groupadd
  - groupmod
  - groupdel

o There are some special user accounts:
  - PPP user
  - POP user    /bin/false as shell
  - SLIP user

o By default, Red Hat Linux always creates a group with the username as we
  create a new user account.

o The "mkpasswd" command will generate a new password or apply it to a user.


INITIALIZATION PROCESS:
-----------------------

o After LILO has loaded the kernel, the init process is called, which works
  through:
  - /etc/inittab
  - /etc/rc.d/rc.sysinit
  - /etc/rc.d/rc#.d
  - /etc/rc.d/rc.local

o The inittab file is responsible for the configuration of the gettys. By
  default, there are 6 consoles that get run through the mingetty process.


GENERIC INFORMATION:
--------------------

o All files in the /tmp directory will be removed if they have not been
  touched for over 10 days by default (they get removed by a cron job).

o The default size of the console terminal text is 80x25.

o Hitting the tab twice after typing some characters at the prompt will
  display the commands that it can autocomplete.

o The "hwclock" command can be used to write the new hardware system clock.


QUOTAS:
-------

o Most important features of quotas:
  - It is a kernel based implementation
  - Enabled per partition
  - Restrictive at the user or group level
  - Hard or soft: Soft allows for a grace period of 6 days (default) if the
    user exceeds the allotted size. Hard does not allow any grace period at
    all.
o Enabling quotas on a partition:
  - Edit the fstab file, adding to the options of the partition:
        usrquota,grpquota
  - Remount the partition:
        mount -o remount [mount point]
  - Run "quotacheck" on the partition to create the quota.user file in that
    partition:
        quotacheck [mount point]
  - Run "quotacheck" again for group quotas, which will create the
    quota.group file:
        quotacheck -g [mount point]
  - Enable quotas on the partition:
        quotaon [mount point]

o Key commands related to quotas:
  - "repquota" reports information about quotas:
        repquota [mount point]
        repquota -g [mount point]
  - "quota" run by a user displays information regarding that user's quotas:
        quota
  - "quotastats" displays some stats about quotas:
        quotastats
  - "warnquota" allows to send a message via email to those users who
    exceeded their soft limit:
        warnquota


INITIALIZATION PROCESS:
-----------------------

o Steps in the boot process:
  - BIOS loads the first stage boot loader (LILO) from the hard disk MBR
  - Boot loader (LILO) loads the second stage boot loader (/boot/boot.b)
  - Boot loader (LILO) loads the kernel (and initrd, if used) into memory
  - Kernel mounts initrd (if used) and loads init
  - init starts the system processes

o The init process:
  - Parses the /etc/inittab file
  - Default runlevel is set in the inittab file
  - It calls the /etc/rc.d/rc.sysinit script
  - inittab calls the runlevel-specific scripts in sequence
  - inittab activates the consoles through mingetty

o The /etc/rc.d/rc.sysinit script:
  - Initializes logging
  - Mounts /proc
  - Sets hwclock
  - Loads keymap and font
  - Activates the swap partition
  - forcefsck or fastboot
  - Configures isapnp, if it exists
  - Remounts root read/write
  - Loads sound modules
  - Activates RAID devices
  - fsck's and mounts local filesystems
  - Activates quotas
  - Removes .LCK files
  - Initializes serial ports
  - Dumps syslog ring to /var/log/dmesg

o The "mkbootdisk" utility can be used to create a boot disk.

o If I suspect we may be experiencing a problem with init during the boot
  process, we can stop it there by entering one of these at the LILO prompt:
      linux init=/bin/bash
      linux -b


RESCUE MODE:
------------

o We need to use rescue mode when the root partition itself cannot be
  mounted.

o The boot disk loads really slowly, so it is recommended that we use the
  rescue/install disk instead.

o General rescue mode troubleshooting procedure:
  - Boot with:
        linux rescue
  - Create the device node for the disk:
        mknod /dev/hda
  - Mount various partitions to see which one is my root partition (the one
    with the /dev, /lib, /bin... directories)
  - Run mknod on the root partition:
        mknod /dev/hda5
  - Check the integrity of the hard drive:
        e2fsck /dev/hda5 -y
  - We can also mount /boot and even fix LILO after using chroot:
        mount /dev/hda5 /mnt/root
        mount /dev/hda2 /mnt/root/boot
        cd /mnt/root
        chroot .
    (a simple "exit" takes me out)


KERNEL COMPILATION:
-------------------

o Red Hat kernels are customized by the vendor, therefore it is NOT possible
  to install a regular patch on the kernel.

o Steps to building a new kernel:
  - Go down to the kernel root source directory:
    * cd /usr/src/linux
  - Clean the source tree if previous compilations already took place:
    * make mrproper
  - Create/edit the .config file choosing one of:
    * make config
    * make menuconfig
    * make xconfig
  - Make a backup copy of the .config file:
    * cp .config .config.1
  - Edit the Makefile EXTRAVERSION field
  - Compile the kernel and modules:
    * make dep
    * make clean
    * make bzImage
    * make modules
    * make modules_install
  - Copy the new kernel to the /boot directory:
    * cp /usr/src/linux/arch/i386/boot/bzImage \
         /boot/vmlinuz-[version number]
  - Copy the new System.map file to /boot:
    * cp System.map /boot/System.map-[version number]
  - Make the initial RAM disk (required for SCSI, but only if we want to run
    the SCSI drivers in a modular way, rather than compiling them into the
    kernel):
    * mkinitrd /boot/initrd-[version].img [new kernel number]
      mkinitrd /boot/initrd-2.2.14-5.0r1.img 2.2.14-5.0r1
  - Edit the lilo.conf file to update the entries
  - Run lilo to update the boot options in the MBR

o It is NOT necessary to enter the make commands separated by semicolons.
  We can also do it the way it is displayed on the second line:
      make dep; make clean; make bzImage
      make dep clean bzImage

o Recommended good practices:
  - Keep the old kernel and related files that are required to load it.
  - Always update the EXTRAVERSION parameter in the Makefile.
  - Copy the .config file to /boot with an appropriate filename.
  - Make an emergency boot disk of every kernel.

o When editing the lilo.conf, LILO will take the kernel specified in the
  "default" line as the default kernel to boot. If there is no default line,
  it will then make the first one from the top down the default kernel.


RED HAT PACKAGE MANAGER (RPM):
------------------------------

o Main elements of a RPM software package:
  - Binary (RPM) or source code (SRPM)
  - Contains dependency information regarding libraries and other packages
  - Configuration scripts to install the program

o If we wish to take a peek at the contents of a binary RPM file, we can
  open the directory under the Gnome File Manager, right click on it and
  select "Explore this RPM".

o Most important query options to the rpm command:
  - Queries information from a package (not installed):
        rpm -qip [package name]
  - Queries information from an installed package:
        rpm -qi [package name]
  - Displays information about the files installed by a package:
        rpm -qil [package name]
  - Displays all installed packages:
        rpm -qa
  - Finds out what package owns a file:
        rpm -qf [filename]
  - Lists the contents of a package:
        rpm -qlp [package name]
  - Verifies an installed package for integrity:
        rpm -V [package name]
  - Queries the configuration files from a package:
        rpm -qlc [package name]
  - Queries the documentation files from a package:
        rpm -qld [package name]

o Most important install options to the rpm command:
  - Simple installation of a new package:
        rpm -i [package name]
  - Extra verbose information:
        rpm -ivv [package name]
  - To install OR upgrade the package:
        rpm -U [package name]
  - If the package is already installed, and the installed version is older,
    then install; otherwise skip it:
        rpm -F [package name]
  - To remove a package from the system:
        rpm -e [package name]
  - Forces installation without reading dependencies:
        rpm -i --force [package name]
  - Forces uninstall without regarding dependencies:
        rpm -e --nodeps [package name]


CRON SYSTEM:
------------

o Primary configuration files:
  - System wide crontab file:
        /etc/crontab
  - Directory containing cron configuration:
        /etc/cron.d
  - Directories to run scripts at regular intervals:
        /etc/cron.hourly
        /etc/cron.daily
        /etc/cron.weekly
        /etc/cron.monthly

o Individual users have their own personal crontab files:
  - Edit the personal crontab file:
        crontab -e
  - List the contents of the personal crontab file:
        crontab -l
  - List/edit the crontab file for another user:
        crontab -u [username] -l
        crontab -u [username] -e


SYSTEM LOGS:
------------

o Important system log files to keep an eye on:
  - Errors and system messages:
        /var/log/messages
  - Authentications:
        /var/log/secure

o There are also some server-specific logs:
      /var/log/samba
      /var/log/httpd
      /var/log/maillog

o System logging is configured through the /etc/syslog.conf file. It is
  possible to configure it to save the log files remotely on another system.

o Crackers may use the "shred" command to totally remove any trace of a
  file.


NETWORK SERVICES OVERVIEW:
--------------------------

o Key files shared by all network services:
  - /etc/services
  - /etc/rc.d/init.d/[service]
  - Links in /etc/rc.d/rc[0-6].d/

o Key files for services running from inetd:
  - /etc/inetd.conf
  - /etc/hosts.allow
  - /etc/hosts.deny

o Network services can run in either of two modes:
  - Standalone:    The service is permanently running in the background and
                   listening for connections
  - Superdaemon:   The service is launched via the Internet superdaemon, or
                   inetd

o Services run through inetd can be controlled through TCP_wrappers, which
  control access to the services and also log the connections.
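The "rpm -V" integrity check listed above is only useful if somebody reads its output, and on a real system it produces hundreds of lines. The following is an added example, not part of the cheat sheet, that triages rpm -V output read from standard input: it sorts entries into the classes a defender would look at first (a binary whose size or MD5 changed, an edited config file, a permission change, a missing file) and drops the noise (documentation, mtime-only changes on config files). The sample lines are constructed for the example; the column layout is the one rpm -V prints.

```shell
#!/bin/sh
# Added example: triage the output of "rpm -V" / "rpm -Va".
# The flag columns are S (size) M (mode) 5 (MD5 digest) D (device) L (link)
# U (user) G (group) T (mtime); a 'c' after them marks a configuration file,
# a 'd' a documentation file.  The sample below is constructed for this
# example and does not come from a real system.
SAMPLE_RPMV='S.5....T   /bin/login
.......T c /etc/inetd.conf
S.5....T c /etc/hosts.allow
.M......   /usr/bin/passwd
missing    /sbin/ifconfig
........ d /usr/doc/bash-1.14.7/README'

# rpm_verify_triage: read rpm -V lines on stdin and print "CLASS path" for
# every entry worth a look.  CONTENT (a binary or library whose size or MD5
# changed) is the class to investigate first; CONFIG means an edited config
# file; PERMS a mode or ownership change; MISSING a file that is gone.
rpm_verify_triage() {
    awk '
    $1 == "missing" { print "MISSING " $NF; next }
    {
        flags = $1
        attr  = (NF == 3) ? $2 : ""
        path  = $NF
        content = (substr(flags, 1, 1) == "S" || substr(flags, 3, 1) == "5")
        mode    = (substr(flags, 2, 1) == "M")
        owner   = (substr(flags, 6, 1) == "U" || substr(flags, 7, 1) == "G")
        if (attr == "d") next                     # documentation: ignore
        if (content && attr != "c")  print "CONTENT " path
        else if (content)            print "CONFIG " path
        else if (mode || owner)      print "PERMS " path
        # an mtime-only change (T) on a config file is normal after editing
    }'
}

# rpm_verify_sample: run the triage over the constructed sample.
rpm_verify_sample() {
    printf '%s\n' "$SAMPLE_RPMV" | rpm_verify_triage
}

rpm_verify_sample
```

On a live system the input would come from "rpm -Va | rpm_verify_triage"; a CONTENT line for something like /bin/login is the kind of finding that should be compared against a known-good copy of the package before anything else is trusted on the box.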
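The cheat sheet says to keep an eye on /var/log/secure but not what to look for. As an added example (not from the cheat sheet), the shell functions below summarise the authentication failures the login program writes there, count them per source address, name the accounts tried, and list the connections tcpd refused. The log lines are constructed for the example in the format Red Hat 6.x login and tcpd use; the threshold of 3 failures is an arbitrary choice.

```shell
#!/bin/sh
# Added example: summarise failed logins recorded in /var/log/secure.
# The lines below are constructed for this example in the format the Red Hat
# 6.x login program and tcpd write; they are not from a real system.
SAMPLE_SECURE='Nov 25 22:10:01 host1 in.telnetd[812]: connect from 192.168.0.5
Nov 25 22:10:07 host1 login: FAILED LOGIN 1 FROM 192.168.0.5 FOR root, Authentication failure
Nov 25 22:10:12 host1 login: FAILED LOGIN 2 FROM 192.168.0.5 FOR root, Authentication failure
Nov 25 22:10:18 host1 login: FAILED LOGIN 3 FROM 192.168.0.5 FOR root, Authentication failure
Nov 25 22:11:30 host1 in.ftpd[820]: connect from 10.0.0.9
Nov 25 22:11:35 host1 login: FAILED LOGIN 1 FROM 10.0.0.9 FOR guest, Authentication failure
Nov 25 22:15:02 host1 login: ROOT LOGIN ON tty1
Nov 25 22:16:40 host1 in.telnetd[840]: refused connect from 172.16.3.3'

# failed_logins: read log lines on stdin, print "<failures> <source> <accounts>"
# per source address, most failures first.
failed_logins() {
    awk '
    /login: FAILED LOGIN/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "FROM") src = $(i + 1)
            if ($i == "FOR")  { acct = $(i + 1); sub(/,$/, "", acct) }
        }
        n[src]++
        if (!((src, acct) in tried)) {
            tried[src, acct] = 1
            list[src] = (src in list) ? list[src] "," acct : acct
        }
    }
    END { for (s in n) print n[s], s, list[s] }' | sort -rn
}

# brute_force_suspects THRESHOLD: sources with at least THRESHOLD failures.
brute_force_suspects() {
    failed_logins | awk -v t="$1" '$1 >= t { print $2 }'
}

# refused_connects: connections tcpd rejected, as "<source> <service>".
refused_connects() {
    awk '/: refused connect from / { svc = $5; sub(/\[.*/, "", svc); print $NF, svc }'
}

# Wrappers that feed the constructed sample to each report.
secure_sample_report()   { printf '%s\n' "$SAMPLE_SECURE" | failed_logins; }
secure_sample_suspects() { printf '%s\n' "$SAMPLE_SECURE" | brute_force_suspects 3; }
secure_sample_refused()  { printf '%s\n' "$SAMPLE_SECURE" | refused_connects; }

secure_sample_report
```

Run against the real file with "failed_logins < /var/log/secure"; any source that shows up in brute_force_suspects is a candidate for a hosts.deny entry, and the refused_connects list confirms that the TCP_wrappers rules already in place are doing their job.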
APACHE:
-------

o The package comes in three different RPM files:
  - apache-1.3*.rpm          Basic Apache server
  - apache-manual-1.3*.rpm   Additional documentation
  - apache-devel-1.3*.rpm    Source code

o The Apache daemon runs as httpd with other child processes too, and its
  init script can be found in:
      /etc/rc.d/init.d/httpd [start|stop|restart|reload|status]

o Important configuration files:
  - /etc/httpd/conf/httpd.conf    General configuration file
  - /etc/httpd/conf/access.conf   Controls access to the server
  - /etc/httpd/conf/srm.conf      Paths and resource management
  - /etc/httpd/conf/magic         Specifies MIME types

o These configuration files are inherited from the NCSA server. However, it
  is possible to add access restrictions and Apache directives to any of
  those files and it will work. Nowadays everything is configured in
  httpd.conf actually.

o There is a GUI tool that allows to configure Apache: the "comanche" tool.
  There is also a Linuxconf module, but it doesn't work and it messes up the
  configuration files. Among other things, comanche removes all the comments
  from the httpd.conf file.

o In order to make use of the UserDir option in Apache, we also need to give
  "other" rx access to the whole home directory of the users, so that the
  user "nobody" can access the HTML directory inside it.


FTP SERVER (WU-FTPD):
---------------------

o Packages required for the anonymous FTP server:
  - wu-ftpd*.rpm
  - anonftp*.rpm

o The anonymous FTP service is run from inetd by default.

o Configuration files for anonymous FTP:
  - /etc/ftpaccess         General configuration file: classes of users,
                           access definitions, logging, etc.
  - /etc/ftphosts          Individual user host access, to allow/deny a
                           given username from an address glob
  - /etc/ftpgroups         Allows me to set up groups of users
  - /etc/ftpusers          Users who are NOT allowed to log in
  - /etc/ftpconversions    Allows users to request specific on-the-fly
                           conversions
  - /etc/hosts.allow and /etc/hosts.deny

o Transfers get automatically logged into /var/log/xferlog.

o By default, the anonymous user is only allowed to download but not upload
  files to the server. We can use the "upload" option in the ftpaccess file
  to modify that behavior.


SENDMAIL:
---------

o Sendmail comes in two packages:
  - sendmail-8*.rpm    Base package containing the daemon
  - sendmail-cf*.rpm   Configuration package that allows the user to run the
                       M4 macro pre-processor

o We can use the "mailconf" utility to configure Sendmail using a GUI.

o Important configuration files:
  - /etc/sendmail.cf   Main configuration file, recommended not to edit by
                       hand
  - /etc/sendmail.cw   Mailserver aliases
  - /etc/sendmail.mc   Macro configuration file containing the m4 macro
                       definitions used to generate the sendmail.cf file
  - /etc/aliases       Aliases for local users


BIND:
-----

o The program comes in three different packages:
  - bind-8*.rpm      Base BIND package
  - bind-util*.rpm   Various DNS utilities: nslookup, etc.
  - caching*.rpm     Optional package to allow for DNS caching

o Key configuration files for name resolution:
  - /etc/resolv.conf     List of nameservers
  - /etc/host.conf       How host lookups should be performed
  - /etc/nsswitch.conf   System database and name service switch
                         configuration file
  - /etc/named.conf      Configuration file for the nameserver

o Some applications look in the /etc/hosts file first, which sometimes
  causes problems if the information contained in that file is incorrect. We
  should pay special attention to making sure that the loopback is not
  configured with the fully qualified domain name.
o Cache files for the local caching nameserver:
  - /var/named/named.ca
  - /var/named/named.local

o The /etc/named.conf file will include the config:
  - forwarders                    DNS servers the requests will be forwarded
                                  to if necessary (UUnet servers are always
                                  available to perform this function at
                                  198.6.1.1, 198.6.1.2 and 198.6.1.3)
  - zone "."                      DNS zone for the root servers
  - zone "domain.name"            Additional DNS zone the server is
                                  configured to support. It could be
                                  "type master" or "type slave".
  - zone "0.0.127.in-addr.arpa"   Reverse mapping for the local loopback


TELNET:
-------

o Two packages are required for the telnet client and daemon:
  - telnet-0.16-6          Telnet client
  - telnet-server-0.16-6   Telnet daemon/server

o Creating a /etc/nologin file will prevent ANY remote login via telnet.


NFS:
----

o Required packages:
  - nfs-utils*.rpm   NFS utilities
  - portmap*.rpm     Portmapper utilities

o The NFS daemon will exit if there is no /etc/exports file, although it
  does not give any error message.

o The current version of portmapper has been compiled with the TCP_wrappers
  libraries, so even though it does not run through inetd it still uses the
  /etc/hosts.allow and /etc/hosts.deny files.

o Init scripts to manipulate the NFS daemons are:
  - /etc/rc.d/init.d/nfs [start|stop|restart|status]
  - /etc/rc.d/init.d/nfslock [start|stop|restart|status]
  - /etc/rc.d/init.d/portmap [start|stop|restart|status]

o NFS connects through port 111 typically, and then portmap maps to the
  available ports.

o NFS preserves the UID and GID, which requires NIS or synchronized
  /etc/passwd files for deployment.

o Due to the way NFS acts regarding the UID and GID, it also uses a
  mechanism called "root squashing" where the daemon automatically maps UID 0
  (root) to UID 65534 so it does not get any special privileges. This can be
  turned off with the no_root_squash option.
o Utilities to troubleshoot NFS issues:
  - showmount [server name]     Shows all clients currently mounting exports
  - rpcinfo -p [hostname]       Lists the RPC programs registered with
                                portmap
  - exportfs -a                 Exports all shares in /etc/exports
  - exportfs -r                 Re-exports all shares in /etc/exports
  - exportfs -u [host:/share]   Unexports a share

o Read-only is always the default in the case of NFS.

o The NFS daemon works in two steps:
  - Portmap re-maps NFS traffic from port 111 to another internal port
  - The nfsd handles everything after portmap is complete

o The nfsd does not consult DNS when parsing the information from
  /etc/hosts.allow and /etc/hosts.deny, although it will do lookups if
  /etc/exports specifies domain names. Therefore, when configuring the
  service it is always recommended that we use IPs instead of names.

o There is a precise order we should follow when starting or stopping the
  NFS services:
  - To start the service:
        /etc/rc.d/init.d/portmap start
        /etc/rc.d/init.d/nfs start
  - To stop the service:
        /etc/rc.d/init.d/nfs stop
        /etc/rc.d/init.d/portmap stop

o The /etc/rc.d/init.d/nfslock script should also be launched, but the order
  does not matter because this daemon only acts locally and does not use the
  portmap services.

o When configuring the /etc/exports file, it is advised that we use the
  complete netmask instead of simply the bitmask:
      /usr 192.168.0.0/255.255.255.0
  instead of...
      /usr 192.168.0.0/24


SAMBA:
------

o Required packages:
  - samba*.rpm          Server side
  - samba-client*.rpm   Client side
  - samba-common*.rpm   Needed by both client and server

o Samba runs two daemons listening on ports 137-139:
  - smbd   Samba daemon
  - nmbd   NetBIOS daemon

o Key Samba configuration files:
  - /etc/smb.conf    General configuration file for smbd and nmbd
  - /etc/smbpasswd   Samba password file
  - /etc/smbusers    UNIX to Samba user map

o We can use swat as the GUI configuration utility for Samba. It can be
  accessed through port 901 in the browser. However, swat removes all the
  comments from the file.
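Writing the full netmask by hand, as the exports advice above recommends, is exactly where a typo turns a /24 export into something much wider. As an added example (not from the cheat sheet), the functions below convert a prefix length to a dotted netmask and rewrite an /etc/exports file so every "host/NN" client becomes "host/mask"; it goes beyond the single /usr line on the page by handling any prefix length and the "(options)" suffix of the exports format, and leaves hostname and already-expanded entries alone. The sample exports content is constructed for the example.

```shell
#!/bin/sh
# Added example: expand CIDR prefixes in /etc/exports to full netmasks.

# cidr2mask PREFIX: print the dotted-quad netmask for a prefix length 0..32.
cidr2mask() {
    case "$1" in ''|*[!0-9]*) echo "cidr2mask: bad prefix '$1'" >&2; return 1 ;; esac
    [ "$1" -le 32 ] || { echo "cidr2mask: prefix > 32" >&2; return 1; }
    bits=$1; mask=""; i=0
    while [ $i -lt 4 ]; do
        if   [ $bits -ge 8 ]; then octet=255
        elif [ $bits -le 0 ]; then octet=0
        else octet=$(( 256 - (1 << (8 - bits)) ))   # partial octet
        fi
        mask="$mask${mask:+.}$octet"
        bits=$(( bits - 8 )); i=$(( i + 1 ))
    done
    printf '%s\n' "$mask"
}

# exports_expand: read exports lines on stdin, write them with "host/NN"
# clients rewritten as "host/netmask".  Comments, blank lines, hostnames
# and entries that already carry a dotted mask pass through unchanged.
exports_expand() {
    set -f                       # client specs may contain '*': no globbing
    while IFS= read -r line; do
        set -- $line
        case "${1:-}" in ''|'#'*) printf '%s\n' "$line"; continue ;; esac
        out=$1; shift
        for c in "$@"; do
            host=${c%%\(*}       # strip "(options)" if present
            opts=${c#"$host"}
            case "$host" in
                */[0-9]|*/[0-9][0-9])
                    host="${host%/*}/$(cidr2mask "${host##*/}")" ;;
            esac
            out="$out $host$opts"
        done
        printf '%s\n' "$out"
    done
    set +f
}

# Constructed sample for this example.
SAMPLE_EXPORTS='# constructed example exports file
/usr 192.168.0.0/24
/home 192.168.0.0/24(rw) 10.1.2.0/23(ro)
/pub *.example.com(ro) 172.16.0.0/255.255.0.0(ro)'

exports_sample() { printf '%s\n' "$SAMPLE_EXPORTS" | exports_expand; }

exports_sample
```

In practice this is run as "exports_expand < /etc/exports > /etc/exports.new", the result is reviewed, and only then moved into place and re-exported with "exportfs -r".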
o Both Windows 98 and Windows NT Service Pack 3 encrypt passwords by
  default. If we choose to encrypt the passwords in Samba too, it will then
  create an /etc/smbpasswd that contains the encrypted passwords, although
  in a text encrypted format. It is also possible to hack the registry on
  the Windows side to pass the passwords in clear text.

o The "update encrypted" configuration option will always update the Linux
  password whenever it is changed through Windows.

o If we make a change to the printcap file, we also need to restart Samba to
  have it read those changes.

o After the configuration, we can run the "testparm" command to verify that
  the /etc/smb.conf file is syntactically correct.

o We can use smbclient to test the Samba server:
  - smbclient -L [hostname]                 Connects as user nobody
  - smbclient -L [hostname] -U [username]   Connects as a certain username

o The "smbmount" and "smbumount" commands allow me to mount Samba shares
  into a Linux system. It is a very kludgy application though, and it
  especially experiences problems with the permissions.
GENERIC INFORMATION:
--------------------

o The strace command can also be run with a special option to only show the
  calls to a given system call:
      strace -e open ping www.yahoo.com


NIS:
----

o Required packages:
  - ypbind*.rpm     NIS client
  - yp-tools*.rpm   Various NIS utilities
  - ypserv*.rpm     Server package

o Daemons that make up the NIS service:
  - ypbind     Binds to the NIS server (client side)
  - ypserv     NIS server
  - yppasswd   Password update daemon

o Init scripts are:
  - /etc/rc.d/init.d/ypbind [start|stop|restart|status]
  - /etc/rc.d/init.d/ypserv [start|stop|restart|status]
  - /etc/rc.d/init.d/yppasswd [start|stop|restart|status]

o Important configuration files:
  - nsswitch.conf   Controls the order that the client will use to resolve
                    domain information
  - ypserv.conf     General configuration file for the NIS server

o After configuring the NIS server through the ypserv.conf file we still
  have to run a command to build the /var/yp subdirectory for the current
  default domain:
      ypinit -m

o The NIS service also relies on the portmapper.

o The nsswitch.conf file controls the order that the client will use to
  resolve domain information. It is important to verify its configuration
  on the client side.


DHCP:
-----

o Required packages:
  - dhcp*.rpm    Client package
  - dhcpd*.rpm   Server side

o Red Hat 6.2 uses pump as a DHCP daemon instead of dhcpd, although it still
  runs as dhcpd.
o Init script is:
      /etc/rc.d/init.d/dhcpd [start|stop|restart|status]

o Key configuration files:
  - /etc/dhcpd.conf   General configuration file (watch out because the
                      file doesn't get created by default)
  - /etc/pump.conf    General configuration file used by the pump package

o For the DHCP daemon to function with some DHCP clients (especially Windows
  95), you must add a route:
      route add -host 255.255.255.255 dev eth0

o We should change the BOOTPROTO line in the network configuration file for
  the eth0 interface to specify "BOOTPROTO=dhcp":
      /etc/sysconfig/network-scripts/ifcfg-eth0


NETWORKING ISSUES:
------------------

o Init script to start network services:
      /etc/rc.d/init.d/network [start|stop|restart]

o Network configuration tools:
  - ifconfig                    Network interface configuration program
                                (changes only apply to the current session)
  - ifup / ifdown [interface]   Scripts to bring the interfaces up or down
                                using the configuration files in
                                /etc/sysconfig/network-scripts
  - netconfig                   Same network configuration utility that runs
                                during the install
  - netconf                     Linuxconf module for network configuration
  - netcfg                      Older network configuration tool that is
                                part of the Control Panel

o Network configuration files in /etc/sysconfig:
  - /etc/sysconfig/network   Lists system network options: default gateway,
                             IP forwarding, hostname, NIS domain name.
  - /etc/sysconfig/network-scripts/ifcfg-*
    * ifcfg-eth0   First network card
    * ifcfg-eth1   Second network card
    * ifcfg-lo     Loopback (localhost)
    * ifcfg-ppp0   First PPP interface


ROUTING:
--------

o If we plan to use a Linux system as a router, we should consider
  optimizing the kernel too by changing the following parameters:
  - CONFIG_IP_ADVANCED_ROUTER=y
  - CONFIG_IP_ROUTER=y

o Useful commands:
  - route                 Display or manipulate the kernel routing table
  - netstat -r[n]         Display the kernel routing table (-n: numeric
                          addresses)
  - cat /proc/net/route   The kernel's own view of the routing table

o Configuring static routes:
  - GUI tools to set up the static route:
    * netcfg
    * Linuxconf
  - CLI tools to set up the static route:
    * route
  - Editing a text file:
    * /etc/sysconfig/static-routes

o There are two main daemons to provide dynamic routing functionality:
  - routed   Older and simpler daemon; it shares its routing table when
             queried
  - gated    Newer and more advanced routing capabilities (RIP, RIP II,
             OSPF, EGP/BGP). Its configuration file is /etc/gated.conf


IP MASQUERADING:
----------------

o "IP Masquerading" is Linux terminology for "NAT".

o IP Masquerading allows several computers to connect to the Internet
  through a single IP address.

o IP Masquerading is implemented at the kernel level.

o It is implemented via the "ipchains" forward chain.


SQUID:
------

o Squid provides a web object cache, which is a method for storing streams
  of HTTP, FTP or gopher data based on the Internet Cache Protocol (ICPv2,
  RFC2186).

o Multiple servers can be configured as a hierarchical, distributed cache.

o Squid requires around 5GB of free space in the /var partition for caching
  purposes.

o Squid does not store secure information (as specified by the RFC) or
  dynamic data.
o Configuration file is:
      /usr/local/squid/etc/squid.conf

o Daemons that are part of Squid:
  - squid       The actual Squid daemon
  - dnsserver   Daemon to speed up DNS lookups


SECURITY ISSUES:
----------------

o Security can be understood in three different layers:
  - Physical security
    * Setting the BIOS boot sequence not to access removable media
    * Setting a BIOS password
    * Setting LILO passwords
    * Close actual physical access to the server room
    * Secure backup media too
  - User security
    * Enable shadow passwords and MD5 hashing
    * Implement a password expiration policy
    * Enable cracklib
    * Mail-only users should have no shell
    * Monitor the log files regularly
    * Test for SUID and SGID programs:
          find / -type f \( -perm -04000 -o -perm -02000 \) -print
    * Test for world writeable files:
          find / -perm -2 ! -type l -ls
    * Test for unowned files:
          find / \( -nouser -o -nogroup \) -print
    * Test for .rhosts files:
          find /home -name .rhosts -print
    * Confirm user permissions with tools like Tripwire, COPS or md5sum and
      diff
  - Network security
    * Use TCP_wrappers from inetd
    * Configure ipchains to restrict access
    * Set up a firewall for the network configured with ipchains to filter
      by packet type (TCP, UDP, ICMP)
    * Implement and audit access points (dial-up and VPN IPs should be
      separate from the intranet IP addresses)
    * Test a packet sniffer on the network
    * Monitor the log files
    * Use secure, encrypted communication protocols (SSH, SSL)


BASIC HOST SECURITY:
--------------------

o The TCP/IP stack on a Linux box will only respond to requests on known
  ports specified in the /etc/services file. Therefore, removing those
  entries means that the TCP/IP stack will never know which port to use for
  a given service, meaning that it will make it more secure.
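The find commands in the user security list above are easy to get subtly wrong (the "! -type l" matters because symlinks report mode 777, and "-perm -2" rather than "-perm 2" is what tests the world-write bit regardless of the other bits). As an added example, not from the cheat sheet, the script below wraps the SUID/SGID, world-writable and .rhosts audits as functions and exercises them against a throwaway directory tree it builds itself, so the expected findings are known and the commands can be checked before they are run against "/". The tree and its file names are constructed for the example; the unowned-files check is left out because it needs files owned by deleted accounts, which cannot be created without root.

```shell
#!/bin/sh
# Added example: the cheat sheet's permission audits run against a
# constructed directory tree (not a live system).

# audit_setup: build the test tree under a temporary directory and print its
# path.  Modes are set explicitly so the result does not depend on umask.
audit_setup() {
    AUDIT_ROOT=$(mktemp -d)
    chmod 700 "$AUDIT_ROOT"
    mkdir -p "$AUDIT_ROOT/bin" "$AUDIT_ROOT/home/alice" "$AUDIT_ROOT/tmp"
    chmod 755 "$AUDIT_ROOT/bin" "$AUDIT_ROOT/home" "$AUDIT_ROOT/home/alice" "$AUDIT_ROOT/tmp"
    printf '#!/bin/sh\n' > "$AUDIT_ROOT/bin/su";   chmod 4755 "$AUDIT_ROOT/bin/su"    # setuid
    printf '#!/bin/sh\n' > "$AUDIT_ROOT/bin/wall"; chmod 2755 "$AUDIT_ROOT/bin/wall"  # setgid
    : > "$AUDIT_ROOT/tmp/scratch";                 chmod 666 "$AUDIT_ROOT/tmp/scratch" # world-writable
    : > "$AUDIT_ROOT/home/alice/.rhosts";          chmod 644 "$AUDIT_ROOT/home/alice/.rhosts"
    ln -s /nonexistent "$AUDIT_ROOT/tmp/dangling"   # symlink: mode 777 but must be ignored
    printf '%s\n' "$AUDIT_ROOT"
}

# Each audit takes the tree root as $1 and prints matching paths relative
# to it, sorted, one per line.  On a real system replace "." with "/".
audit_suid_sgid() {
    ( cd "$1" && find . -type f \( -perm -04000 -o -perm -02000 \) -print | sort )
}
audit_world_writable() {
    ( cd "$1" && find . -perm -2 ! -type l -print | sort )
}
audit_rhosts() {
    ( cd "$1/home" && find . -name .rhosts -print | sort )
}
audit_cleanup() { rm -rf "$1"; }

# Demo run: build the tree, report, remove it.
root=$(audit_setup)
echo "SUID/SGID programs:";  audit_suid_sgid "$root"
echo "World-writable files:"; audit_world_writable "$root"
echo ".rhosts files:";        audit_rhosts "$root"
audit_cleanup "$root"
```

The world-writable audit is the one to watch: without the "! -type l" every symlink on the system would be reported, and the noise would bury the one scratch file that actually matters.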
o Comment out the lines for unneeded services in /etc/inetd.conf, then make
  inetd re-read the file (killall -HUP inetd)
o TCP_wrappers are the most basic security measure:
  - TCP_wrappers (tcpd) are installed by default with inetd
  - Configuration files:
      * /etc/hosts.allow
      * /etc/hosts.deny
  - You may want to tighten the permissions on the two configuration
    files, since they are world readable by default
  - Lookup order: hosts.allow is consulted first, and a match there grants
    access; otherwise hosts.deny is consulted, and a match there denies
    access. If NEITHER file matches, access is granted, so a hosts.deny
    without a catch-all "ALL: ALL" line leaves the host open
  - Consequently, a line such as "ALL: ALL EXCEPT .bad.example" in
    hosts.allow does not block anything by itself: the excepted hosts
    simply fall through to hosts.deny, which must contain a matching entry
    (usually "ALL: ALL") for the exception to take effect
  - Pay special attention to the order of the lines in these configuration
    files: the first matching line wins
  - Two utilities can be used with TCP_wrappers:
      * tcpdchk -v                 Verifies the syntax of both files
      * tcpdmatch [service] [IP]   Shows what tcpd would decide for a given
                                   service and client, e.g.
                                   tcpdmatch in.ftpd 192.168.0.5
  - The PARANOID wildcard matches clients whose hostname does not resolve
    back to their address; an "ALL: PARANOID" line in hosts.deny rejects
    such clients to counter hostname spoofing

IPCHAINS:
---------
o Three built-in chains plus user-defined ones:
  - Input chain
  - Forward chain
  - Output chain
  - User-defined chains
o There are six possible targets or actions for a rule:
  - ACCEPT     Let the packet through this chain
  - DENY       Drop the packet silently
  - REJECT     Drop the packet and send an ICMP error back to the sender
  - MASQ       Masquerade the packet (forward chain only)
  - REDIRECT   Divert the packet to a local port (transparent proxying)
  - RETURN     Stop traversing this chain and continue after the rule
               that jumped here in the calling chain (in a built-in chain,
               apply the chain policy)
o Each chain is consulted in order from top down until a match is found,
  and then the target action is taken; if no rule matches, the chain's
  default policy (set with -P) applies
o ACCEPT passes the packet on to the next chain it has to traverse
o DENY/REJECT end processing of the packet
o Which chains a packet traverses depends on where it is going: packets
  addressed to the local host pass input only, locally generated packets
  pass output only, and forwarded packets pass input, forward and output
o ipchains command rules and syntax:
    ipchains [command] [chain] [rule] [target]
  - Commands:
      * -A   Appends a rule to the specified chain
      * -I   Inserts a rule in the specified chain at a numeric position
      * -D   Deletes a rule from the specified chain
      * -L   Lists the rules of the specified chain
      * -F   Flushes the rules of the specified chain
      * -P   Sets the default policy of a built-in chain
  - Chains:
      * input
      * forward
      * output
  - Rule specifications:
      * -s   Source
      * -d   Destination
      * -p   Protocol (tcp|udp|icmp)
      * -y   Match only TCP packets with the SYN flag set (new connections)
      * -i   Interface (lower-case; upper-case -I is the insert command)
      * -j   Jump to [target]
      * -l   Log matching packets to the kernel log
  - Targets:
      * ACCEPT
      * DENY
      * REJECT
      * MASQ
      * REDIRECT
      * RETURN
o Red Hat Linux already includes an ipchains init script,
  /etc/rc.d/init.d/ipchains, which loads the rules saved in
  /etc/sysconfig/ipchains at boot.

PLUGGABLE AUTHENTICATION MODULES (PAM):
---------------------------------------
o PAM allows configuration of authentication for specific services, but
  only acting at the user level (not at the host or port level)
o PAM is configured per service by the files in the /etc/pam.d directory
o The actual PAM modules are stored in /lib/security
o Control flags in /etc/pam.d/[service]:
  - required     The module must succeed; on failure the remaining modules
                 are still run (so the user cannot tell which one failed),
                 but the stack fails
  - requisite    Like required, but a failure returns immediately
  - sufficient   Success ends the stack with success (unless an earlier
                 required module failed); failure is ignored and the next
                 module is tried
  - optional     Does not affect the overall result unless it is the only
                 module in the stack
o Red Hat configures PAM (pam_console) so that a user logged in on the
  console can shut down the system and will also own the special devices in
  /dev after logging in. This is configured in the
  /etc/security/console.apps directory (allowed commands) and
  /etc/security/console.perms (device ownership). The command that the
  regular user can enter is "poweroff".

ENCRYPTION AND SSH:
-------------------
o Most encryption software using keys longer than 128 bits is actually
  hosted abroad due to US export restrictions.
o Various important encryption packages:
  - Pretty Good Privacy (PGP)
  - SSH (1.2.x is free to use, while 2.x is free only for personal use)
  - OpenSSH (free, open-source implementation of the SSH protocol)
o With protocol version 1, the OpenSSH server uses an ephemeral server key
  (ServerKeyBits in sshd_config, e.g. 1024) that sshd regenerates every
  hour (KeyRegenerationInterval) so that a captured session cannot be
  decrypted later. Blowfish is one of the session ciphers that can be
  selected; it is not the key size.

GENERIC INFORMATION:
--------------------
o Root can also run the "gpasswd" command to administer the /etc/group
  file (group members and group administrators)
o The "chage" command allows the system administrator to configure a number
  of user settings:
  - Account expiration date (-E)
  - Minimum and maximum password age (-m, -M)
  - Password expiration warning (-W)

X WINDOW SYSTEM:
----------------
o Basic concepts of the X Window System:
  - X Server   The server selected during installation for the specific
               video card
  - X Client   Applications, window managers, desktop environments
o Methods to configure XFree86:
  - Xconfigurator
  - XF86Setup
  - xf86config
  - Editing the /etc/X11/XF86Config file
o Key sections of the XF86Config configuration file:
  - Monitor    Sync ranges of the hardware monitor
  - Device     Needs to match the video chipset
  - Screen     Ties a Monitor and a Device together, selecting the X driver
               at a given resolution and colour depth
  - Keyboard   Layout and mappings
  - Pointer    Mouse specifications
  - Files      Paths to X fonts
o The /etc/X11/prefdm script chooses which Display Manager to start:
  - gdm
  - kdm
  - xdm
  It decides based on the DESKTOP= setting in /etc/sysconfig/desktop, so
  editing that file (DESKTOP=GNOME or DESKTOP=KDE; anything else gives
  xdm) changes both the default Display Manager and the default Desktop
  Environment.
o It is also possible to run the "switchdesk" utility to select the default
  Desktop Environment for a user.
o Allowing remote X access:
  - xhost [+|-] [hostname]   Allows (or forbids) every user on a specific
                             host, e.g. xhost + whatever.domain.com
                             (a bare "xhost +" lets ANY host connect and
                             should never be used)
  - .Xauthority              Per-user list of authorization cookies, kept
                             in $HOME
  - xauth                    Command to list, add or remove .Xauthority
                             entries:
                             xauth list
                             xauth add whatever.domain.com:0 MIT-MAGIC-COOKIE-1 <hexkey>
    Cookie-based xauth access is preferable to xhost, which trusts every
    user on the named host.
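Returning to the TCP_wrappers lookup order described in the BASIC HOST SECURITY section, the following added example (not from the cheat-sheet) emulates how tcpd decides access from hosts.allow and hosts.deny, so the "ALL EXCEPT" pitfall can be seen on constructed files. It is deliberately simplified: it parses only the daemon and client fields (no ": option" handling, no PARANOID/KNOWN/LOCAL lookups) and matches clients by address or hostname text only. The sample hosts.allow and hosts.deny contents are constructed; on a real system use tcpdmatch.

```sh
#!/bin/sh
# Added example: emulation of tcpd's hosts.allow / hosts.deny decision.
# Assumptions: daemon and client lists are matched textually; EXCEPT is
# supported; the ": option" field and name-lookup wildcards are ignored.
set -uf    # -f: "192.168.0." and "ALL EXCEPT ..." must not be glob-expanded

# match_one PATTERN CLIENT -> 0 if the single host/wildcard PATTERN matches
match_one() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # "192.168.0." network prefix
        .*)  case "$2" in *"$1") return 0 ;; esac ;;   # ".example.com" domain suffix
        *)   [ "$1" = "$2" ] && return 0 ;;            # exact host or address
    esac
    return 1
}

# match_list LIST CLIENT -> 0 if CLIENT matches LIST, honouring "a b EXCEPT c d"
match_list() {
    case "$1" in
        *" EXCEPT "*)
            match_list "${1%% EXCEPT *}" "$2" && ! match_list "${1#* EXCEPT }" "$2"
            ;;
        *)
            for p in $(printf '%s' "$1" | tr ',' ' '); do
                match_one "$p" "$2" && return 0
            done
            return 1
            ;;
    esac
}

# file_matches FILE DAEMON CLIENT -> 0 if some "daemon_list : client_list"
# line in FILE matches; blank lines and comments are skipped, and the first
# matching line wins.
file_matches() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        daemons=$(echo ${line%%:*})         # unquoted echo trims whitespace
        rest=${line#*:}
        clients=$(echo ${rest%%:*})         # drop any trailing ": option" field
        match_list "$daemons" "$2" && match_list "$clients" "$3" && return 0
    done < "$1"
    return 1
}

# tcpd_decision ALLOW_FILE DENY_FILE DAEMON CLIENT -> prints "allow" or "deny"
tcpd_decision() {
    if file_matches "$1" "$3" "$4"; then
        echo allow          # hosts.allow matched: access granted
    elif file_matches "$2" "$3" "$4"; then
        echo deny           # hosts.deny matched: access refused
    else
        echo allow          # matched neither file: tcpd grants access
    fi
}

# make_sample_config DENY_CONTENT -> directory with a constructed hosts.allow
# (EXCEPT clause plus a per-daemon line) and a hosts.deny holding DENY_CONTENT
make_sample_config() {
    w=$(mktemp -d)
    printf 'ALL: 192.168.0. EXCEPT 192.168.0.99\nin.ftpd: .example.com\n' > "$w/hosts.allow"
    printf '%s\n' "$1" > "$w/hosts.deny"
    printf '%s\n' "$w"
}

# decide DIR DAEMON CLIENT -> decision using DIR/hosts.allow and DIR/hosts.deny
decide() {
    tcpd_decision "$1/hosts.allow" "$1/hosts.deny" "$2" "$3"
}

# Stand-alone run: the same hosts.allow, first with an empty hosts.deny
# (the pitfall), then with the catch-all "ALL: ALL".
open=$(make_sample_config '')
closed=$(make_sample_config 'ALL: ALL')
echo "192.168.0.99 -> in.telnetd, empty hosts.deny:    $(decide "$open"   in.telnetd 192.168.0.99)"
echo "192.168.0.99 -> in.telnetd, hosts.deny ALL: ALL: $(decide "$closed" in.telnetd 192.168.0.99)"
echo "192.168.0.7  -> in.telnetd, hosts.deny ALL: ALL: $(decide "$closed" in.telnetd 192.168.0.7)"
echo "alice.example.com -> in.ftpd:                   $(decide "$closed" in.ftpd    alice.example.com)"
echo "alice.example.com -> in.telnetd:                $(decide "$closed" in.telnetd alice.example.com)"
rm -rf "$open" "$closed"
```

The first line of output is the point of the exercise: with hosts.deny empty, the host that hosts.allow explicitly excepted (192.168.0.99) is still let in, because tcpd's default when nothing matches is to allow. Only the "ALL: ALL" line in hosts.deny turns the exception into an actual denial.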