Linux (RHEL6) Notes
Page#1 of 22
To complete: secure grub with password; gpg encryption and decryption
Useful files
/etc/inittab has run level definitions
Useful commands
#ifconfig
#ping desktop15.example.com   to get the IP address
#host   gives the DNS name
#hostname   gives the host name of the machine you are logged in to
#dig -x   reverse lookup; the output has Question / Answer / Authority / Additional sections
#nslookup   gives hostname and IP address
#man -k ftp | less   search the man pages for ftp
#man 8 mount   go to section 8 of the man pages for the mount command
#which ls   from where ls is getting executed
#rpm -qf /bin/ls   finds the package that owns /bin/ls
#rpm -V coreutils   verify the installed files of that package (size, mode, digest, owner) against the rpm database; a modified binary is flagged
#cp -pvrf   p for preserve, v for verbose, r for recursive and f for force overwrite if the target exists
#du -h   disk usage for a file, or for the individual files in a directory
#du -sh   disk usage summary for the directory
#ln -s to create soft links
#who -r   current system runlevel
#runlevel   current system runlevel
#uname -a   more details about the system
#uname -r   current kernel version
#cat /proc/cpuinfo   to see if the CPU supports VMX
#cat /proc/meminfo   to see the RAM size when sizing swap
#cat /proc/partitions   after running the partx command
#ps   processes within your current terminal
#ps -a   processes of all terminals (except session leaders)
#ps aux | less   BSD style: a for all users' processes with a terminal, u for user-oriented output, x to include processes without a controlling terminal. Does not show the parent process
#ps -ef | less   shows the parent process (PPID column)
#kill -l   to see the kill signals
#kill -9   SIGKILL. Cannot be caught or ignored, so the process gets no chance to clean up or to reap its children. A zombie "Z" is a child that has exited but whose parent has not called wait(); when the parent is killed its children are re-parented to init, which reaps them
#kill -15   SIGTERM (the default). Asks the process to terminate gracefully, so it can shut down its children first and leave no zombie processes
#kill -1   SIGHUP. Most daemons re-read their configuration on SIGHUP, i.e., stopping and starting the service without a full restart
#top more flexibility
#parted /dev/sda   edit the partition table. Type help for the commands that can be used
#partx -d /dev/sda
#partx -a /dev/sda   tell the kernel about removed / added partitions without a reboot
#fdisk -cu /dev/sda   m for help, n for new partition, p for print partitions, t to change the partition system id, d for deleting a partition, w for write table to disk and quit, q for quitting without saving
#fdisk -l | less Shows info about partitions
#mkfs -t ext4 /dev/sda5
or
#mkfs.ext4 /dev/sda5
or
#mkfs.ext4 -L "mydisk1" /dev/sda5   L gives a label while formatting
#e2label /dev/sda5   to display the label
#e2label /dev/sda5 "mydisk2"   to change the label
#findfs LABEL="mydisk2" gives output /dev/sda5
#file   to know the type of a file, e.g. whether it is a tar file, zipped or not
#stat   to know more details about a file: access time, modify time, change time etc.
User Related
#useradd user1
#useradd -u 10001 -g ftp -G adm,apache -d /var/user123 -c "Comment" -s /bin/bash user123
u => UID, g => primary group, G => secondary groups, d => home directory, c => comment, s => login shell
#vim /etc/default/useradd defaults for useradd
#id to see the details about the user
#groups list all groups belonging to a userid
#usermod -s /sbin/nologin user123   to change the login shell for a user
#usermod -L user123   lock the user. This only puts a ! in front of the password hash, so logins that do not use the password (ssh keys) still work; to block the account use the nologin shell or chage -E 0
#usermod -aG adm,ftp,student user123   to add secondary groups (a = append)
#usermod -G student user123   without -a, replaces all secondary groups with this one secondary group
#gpasswd -a u1 ftp   add a user to a group
#gpasswd -M u1,u2,u3,u4 apache   set the member list of the group (replaces the existing members)
#gpasswd -d u1 apache   delete a user from the apache group
#userdel -r u2   delete user u2 together with the home directory and mail spool
#chage -l   list the aging parameters for a userid
#chage -m 0 -M 90 -W 7 -I 14   min days 0, max days 90, warn 7 days before expiry, lock the account 14 days after expiry
#vim /etc/login.defs   has the default values
#chown user file   change the owning user
#chgrp group file   change the owning group
#chown user:group file   change both at once
#chown -R   recursively change ownership
#chgrp -R
#chmod g+rwx   give the group read, write and execute
#chmod -R a+rwx   recursively change permissions (not ownership). This makes everything world-writable and executable; grant the minimum actually needed
Setting password for user (4 ways)
#passwd user
#echo "password" | passwd --stdin user
#useradd -p "hash" user
#usermod -p "hash" user
Note: -p expects an already hashed password in crypt(3) format (e.g. $6$...). A plain-text string given to -p is stored as-is and nobody can log in with it. Passwords passed on the command line also end up in the shell history and are visible in ps output, so prefer the interactive passwd.
Resetting root password if you don't know it
#init 1   if you are already logged into the system
Otherwise interrupt the Linux boot process at the GRUB menu (press F12 per these notes; any key stops the countdown on a stock RHEL6 GRUB menu), then enter the following:
e   edit the selected entry, select the kernel line and press e again
1   append 1 to the end of the kernel line to get into single-user mode. It gives root access without asking for a password. You can also use s or S instead of 1
Esc   go back
b   to continue to boot
Anyone with console access can do this unless GRUB itself is password-protected (see "Securing grub with password" below), so treat console access as root access.
#runlevel   to see the runlevel
or
#who -r   to see the runlevel
#passwd root   if this refuses to change the password because SELinux is in enforcing mode:
#setenforce 0
or
#setenforce Permissive   now the password can be changed
#passwd root
#restorecon /etc/shadow   (or touch /.autorelabel) so the rewritten shadow file carries the correct SELinux label; then setenforce 1 to go back to Enforcing
set gid (numeric value is 2)
#mkdir /mydata   /mydata is owned by root:root
#ls -ld /mydata
#groupadd grp   new group that needs to own /mydata
#chgrp grp /mydata
#ls -ld /mydata
#chmod g+w /mydata   to make sure any user in group grp can write to /mydata
#ls -ld /mydata
#chmod g+s /mydata   so that if anybody belonging to group grp creates a file in /mydata, it will have group grp (inherited from the directory)
Sticky bit (numeric value is 1)
If you set the sticky bit on a directory, a file in it can be deleted or renamed only by the file's owner, the directory's owner or root, even if other users are in the same group as the owner and the group has write permission on the directory (this is how /tmp is protected).
#chmod o+t /mydata   to set the sticky bit
ACL
#tune2fs -l /dev/sda5 | grep -i default   look for the default mount options
If the default mount options do not include acl, enable it for the partition
#tune2fs -o acl,user_xattr /dev/sda5   change it for the partition
#mount /dev/sda5 /mnt
#cd /mnt
#getfacl /mnt   getfacl for the mount point
#setfacl -m u:user:rwx file   to add / modify a user entry in the ACL
#setfacl -m g:group:rwx file   to add / modify a group entry in the ACL
#getfacl file
#setfacl -x u:user file   to remove a user entry from the ACL
#setfacl -x g:group file   to remove a group entry from the ACL
Check with ls -l: a + after the mode bits means an ACL is present, and the group column then shows the ACL mask, not the plain group permission, so ls -l alone no longer tells you who can access the file.
Disk Quotas
Create an ext4 partition and mount it as /quotadir in fstab as follows
#vim /etc/fstab
/dev/sda5 /quotadir ext4 defaults,usrquota,grpquota 0 0   note usrquota, grpquota
#mount -a
#mount   it will list the usrquota attribute for the /quotadir mount point
#quotacheck -cuv /quotadir   to be done on the mount point. c => create, u => user quota, v => verbose. Creates the user quota file (aquota.user with the default vfsv0 format) in /quotadir
#quotacheck -cgv /quotadir   to be done on the mount point. c => create, g => group quota, v => verbose. Creates the group quota file (aquota.group) in /quotadir
#quotaon /quotadir   activate quota on the filesystem. Need to use the mount point
#quotaon -p /quotadir   print the state of all file systems, whether quotas are turned on or off
#quota -v   verbose: file systems where quotas are turned on
#quota -uv user   verbose quota for a specific userid
#repquota /quotadir
or
#repquota /dev/sda5
#edquota -u user   to set the quota for the user in the vim editor. Set soft and hard blocks. Hard blocks is the max limit. Soft blocks is from where the user gets a warning
#edquota -t   to set the grace period (how long a user may stay over the soft limit before it is enforced like the hard limit)
sudo
#visudo   to edit the /etc/sudoers file in the vim editor (:wq for saving the file). visudo locks the file and refuses to save one with a syntax error
#visudo -c   after adding entries, check the file for syntax errors
Groups in the file are always preceded by %
Ex: peter,bob,%mygroup ALL= NOPASSWD: ALL
users peter and bob and group mygroup, on all hosts, can run all commands without being asked for a password (since there is no run-as list in parentheses after ALL=, the commands run as root)
Ex: peter,bob,%mygroup ALL= NOPASSWD: /sbin/fdisk
users peter and bob and group mygroup, on all hosts, can run only fdisk as root without a password. All other commands still require the password (and must be allowed by another rule)
Caveat: a rule restricted to one command is only as strong as that command. fdisk gives raw write access to every disk, and editors, pagers and anything with a shell escape (vim, less, etc.) hand the user a root shell, so list only commands that cannot be used to break out.
Creating LVM
1. Create two LVM type partitions /dev/sda5 and /dev/sda6
2. Create PVs
3. Create a Volume Group using the PVs
4. Create LVs within the Volume Group
5. ext4 formatting
6. Mount the LV file system
7. Check if mounted
8. Make the mounts permanent
#fdisk -cu /dev/sda   partition type 8e (Linux LVM)
#pvcreate /dev/sda5
#pvcreate /dev/sda6
#vgcreate -s 8 myVG /dev/sda5 /dev/sda6   s is the PE size (8M)
#vgdisplay myVG
#lvcreate -l 10 -n mylv1 myVG   10 extents
or
#lvcreate -L 80M -n mylv2 myVG   80M size
#mkfs.ext4 /dev/myVG/mylv1
or
#mkfs.ext4 /dev/mapper/myVG-mylv1
#mkdir -p /mnt/mylv1
#mount /dev/myVG/mylv1 /mnt/mylv1
or
#mount /dev/mapper/myVG-mylv1 /mnt/mylv1
#df -h
#vim /etc/fstab
/dev/myVG/mylv1 /mnt/mylv1 ext4 defaults 0 0
Reducing LVM
1. Make sure that there are no users connected to the mount
2. Unmount the mount point
3. Check the filesystem (resize2fs refuses to shrink a filesystem that has not been checked)
4. Shrink the filesystem
5. Reduce the LV
6. Mount the LV
#fuser -vm /home   see who is using it
#fuser -km /home   kill those processes
#umount /home
#df -h   to see the free space
#e2fsck -f /dev/vg10/lv_home   forced check, required before resize2fs
#resize2fs /dev/vg10/lv_home 256M   shrink the filesystem first
#lvreduce -L 256M /dev/vg10/lv_home   then the LV, to the same size or larger. Reducing the LV below the filesystem size destroys data, which is why the order matters
#mount -a   to mount all mount points from fstab
#df -h   to see the free space
Extending LVM
Can be done online. No unmounting is needed
#df -h
#lvextend -L +256M /dev/vg10/lv_home   add an additional 256M to lv_home
#df -h   does not show the increased size yet
#resize2fs /dev/vg10/lv_home   grow the filesystem into the new space
#df -h
Removing LVM
#lvscan
#lvchange -an /dev/myVG/lv_test   to make the LV inactive
#lvscan   should show lv_test inactive
#lvremove /dev/myVG/lv_test
#lvscan
Reducing VG (by removing PV)
#vgs
#pvmove /dev/sda5   moves the data from /dev/sda5 to the next available PV
#vgreduce myVG /dev/sda5
#vgs
Extending VG (by adding PV)
#pvs
#fdisk -cu /dev/sda   add a new LVM partition (8e)
#partx -a /dev/sda
#vgextend myVG /dev/sda6   (pvcreate /dev/sda6 first if vgextend complains that it is not a PV)
#vgs
#pvs
Removing VG
1. Deactivate all LVs in the VG
2. Remove all LVs in the VG
3. Remove the VG
#vgremove myVG
Encrypting Partitions / LVs using LUKS
LUKS - Linux Unified Key Setup
Steps
=====
1. Create the partition, partx -a /dev/sda
2. cryptsetup luksFormat
3. cryptsetup luksOpen
4. mkfs.ext4 /dev/mapper/NAME
5. mount /dev/mapper/NAME
6. Make an entry in /etc/fstab
7. Make an entry in /etc/crypttab
8. cryptsetup luksClose after umount, when the volume is no longer needed
#fdisk -cu /dev/sda   create a new partition sda5
#partx -a /dev/sda
#cryptsetup luksFormat /dev/sda5   asks for confirmation because the partition is overwritten. Say YES (uppercase) and choose a passphrase
#cryptsetup luksOpen /dev/sda5 cryptdata
#dmsetup table   list all the volumes managed by device mapper
#mkfs.ext4 /dev/mapper/cryptdata
#mkdir /mnt/cryptdata
#mount /dev/mapper/cryptdata /mnt/cryptdata
#df -h
#umount /mnt/cryptdata
#blkid /dev/mapper/cryptdata   get the UUID
#vim /etc/fstab   add a new line
UUID="..." /mnt/cryptdata ext4 defaults 0 0
#df -h
#vim /etc/crypttab   add a new line
cryptdata /dev/sda5 none
With none in the third field the system asks for the passphrase for sda5 at every reboot. The third field is the path of a key file, not a passphrase: a key file lets the volume open unattended, but then the data is only as protected as that file, so keep it root-only (0600) on a filesystem that is itself protected. Never put the passphrase itself in crypttab.
Networking concepts
Important files are
/etc/hosts   local resolver
/etc/resolv.conf   domain name and DNS server IP address (must)
/etc/sysconfig/network   global config file. NETWORKING should be yes, HOSTNAME, GATEWAY (must)
/etc/sysconfig/network-scripts/ifcfg-eth0   interface-specific file
#service NetworkManager restart
#service network restart
#ifconfig
#mii-tool   link status of an interface (ethtool eth0 shows the same)
#setup   takes you to network setup
#ifdown eth0
#ifup eth0
ssh - Data Encryption
#ssh [email protected]   after login you will see /root/.ssh/known_hosts in the source system for the root user. It records the server's host key; a "host key changed" warning later means the server was reinstalled or someone is in the middle, so investigate rather than delete the entry
#ssh -X [email protected]   for X forwarding
#system-config-date   after the above login, this will display in an X window
ssh - Key based Authentication
#ssh-keygen -t rsa   at the source, generate an RSA key pair: private key in /root/.ssh/id_rsa, public key in /root/.ssh/id_rsa.pub. Give the private key a passphrase; an unprotected key file is a password sitting on disk
#ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected]   this copies the public key from the source to the destination's /root/.ssh/authorized_keys. No password is required after copying the key. This is user-specific
swap
If RAM is 0 - 4GB, then swap = 2 + (0.5 of RAM)
If RAM is 4 - 8GB, then swap = 4 + (0.5 of RAM)
If RAM is 8 - 16GB, then swap = 8 + (0.5 of RAM)
If RAM is 16 - 64GB, then swap = 16 + (0.5 of RAM)
Partition based Swap
#mkswap /dev/sda6   swap file system
#swapon /dev/sda6   activate swap
#swapoff /dev/sda6   deactivate swap
#swapon -s   show the swap summary
#vim /etc/fstab   permanent swap
/dev/sda6 swap swap defaults 0 0
#swapon -a   activate all swaps from /etc/fstab
File based Swap
#dd if=/dev/zero of=/swapfile bs=1M count=500
#du -sh /swapfile
#dd if=/dev/zero of=/swapfile-thin bs=1M count=1 seek=1000   sparse file: 1000M apparent size, 1M allocated. Shown only to compare du output; the kernel refuses to swap on a file with holes
#du -sh /swapfile-thin
#chmod 600 /swapfile   a swap file holds whatever was paged out (passwords, keys); mkswap warns if others can read it
#mkswap /swapfile
#swapon /swapfile
#swapoff /swapfile
#vim /etc/fstab
/swapfile swap swap defaults 0 0
#swapon -a
Securing grub with password
Kernel install
#lftp 192.168.0.254/updates
#mget kernel*
#rpm -K   check the package signature before installing; a kernel is the highest-value package to tamper with
#rpm -qRp   to get the dependencies
#rpm -U   DO NOT use this for kernels. It replaces the existing kernel, leaving nothing to boot if the new one fails
#rpm -ivh   always use the i option to install a new kernel alongside the old one
#vim /etc/grub.conf   you will see the new kernel here. If you installed a kernel newer than the existing kernel, the new kernel becomes the default. If you installed a kernel older than the existing kernel, the existing kernel remains the default
at
#atq   query to see if one-off jobs are scheduled
#at 3:08
at> /sbin/reboot
at> ctrl+d
#atq   shows the above job
#atrm   to remove a job (by its number)
#atq   to make sure that the job is gone
crontab
#crontab -e   edit the crontab for the current user
#crontab -eu user   edit the crontab for the specified user
Look in /etc/crontab for the exact format for writing cron entries. Use the which command to get the complete path of the commands to be executed, because cron runs them with a minimal PATH.
Ex: for the echo command you need to use /bin/echo
#vim /etc/cron.deny   add users to this file to stop them from editing a crontab
#vim /etc/cron.allow   add users to this file to allow them to edit a crontab
If cron.allow exists, only the users listed in it may use crontab and cron.deny is ignored; so a user who is in both files is allowed.
#service crond restart
#chkconfig crond on
#crontab -lu user   list the crontab for the specified user
rpm
#rpm -qa   query all packages installed in the system
#rpm -qa | wc -l
#rpm -q pkg   to check if a package is installed or not
#rpm -qRp file.rpm   lists the dependencies of a package file
#rpm -qR pkg   query an installed package
#rpm -qlp file.rpm   list all the files included in the package file
#rpm -qldp file.rpm   displays only the documentation files
#rpm -qlcp file.rpm   displays only the config files
#rpm -qlsp file.rpm   displays the files with their state (s is state, not scripts). To see the install / uninstall scripts, which run as root, use rpm -qp --scripts file.rpm and read them before installing a package from an untrusted source
#rpm -ql vsftpd
#rpm -ivh   i for install, v for verbose, h for hash marks (percentage completion)
#rpm -Uvh   U for update
#rpm -e   to uninstall a package. Dependencies are not removed
yum - Yellowdog Updater, Modified
#yum list all
#yum list installed
#yum list available
#yum search vsftpd
#yum install vsftpd* -y
#yum remove vsftpd* -y
#yum deplist vsftpd*
#which date
#yum provides /bin/date
#yum grouplist   to list the package groups installed / available in the system
#yum localinstall --nogpgcheck file.rpm   installs a local rpm and skips the signature check; only for packages whose origin you trust
Setting up Local yum
#mount -o loop,ro /home/rhel6.iso /mnt
#cp -pvrf /mnt/* /var/ftp/pub
#vim /etc/yum.repos.d/local.repo   add the following lines
[rhel6-64bit-local]
name=rhel6 local packages
baseurl=file:///var/ftp/pub
enabled=1
gpgcheck=0
#vim /etc/yum.repos.d/rhel6.repo   add the following lines
[rhel6-64bit-server]
name=rhel6 server packages
baseurl=ftp://192.168.0.254/pub/rhel6/dvd
enabled=1
gpgcheck=0
gpgcheck=0 accepts whatever rpm the repo serves. For a repo reached over the network use gpgcheck=1 with gpgkey= pointing at the Red Hat release key (RPM-GPG-KEY-redhat-release, shipped on the DVD and in /etc/pki/rpm-gpg/), so a tampered mirror or an FTP man-in-the-middle cannot push unsigned packages.
#vim /etc/vsftpd/vsftpd.conf   make sure that anonymous can log in, because yum uses anonymous login
#service vsftpd restart
#chkconfig vsftpd on
#yum clean all   to clean the repodata cache on the client
#yum list all   to see the packages available
NFS Sharing (server side - 192.168.0.254) - Share Resources
#yum install nfs* -y   package is nfs-utils
#mkdir /kickstart
#vim /etc/exports
/kickstart 192.168.0.0/24(ro,sync,no_root_squash)   share to the IPs 192.168.0.0 - 192.168.0.255 (/24 covers the whole last octet, not .0 to .24)
#exportfs -rv   r for re-export and v for verbose
#service nfs restart
#chkconfig nfs on
By default NFS maps the client's root to the nfsnobody user (root_squash). no_root_squash disables that, so root on any client in 192.168.0.0/24 is root on this export; it is harmless here only because the export is read-only. Leave it out of writable exports.
NFS Sharing (client side) - NFS mount shared resources
#showmount -e 192.168.0.254
#mkdir /mnt/nfs
#mount -t nfs 192.168.0.254:/kickstart /mnt/nfs
#umount /mnt/nfs
#df -h
#vim /etc/fstab
192.168.0.254:/kickstart /mnt/nfs nfs defaults 0 0
#mount -a
As any user, you can also perform the following without mounting
#cd /net/192.168.0.254
#ls   you will see kickstart
Samba Server
#yum install samba* -y
#which smbd
#which nmbd
#ldd /usr/sbin/smbd | grep -i libwrap   nothing found, so tcp_wrappers support is NOT there for samba (use the hosts allow / hosts deny parameters in smb.conf instead)
#vim /etc/samba/smb.conf   Samba main config file
In the Global Settings section, you may need to change the workgroup
In the Share Definitions section, add the following
[myshare]
comment = public stuff
path = /share
writeable = yes   or put in read only = yes
valid users = u5
browseable = yes
#useradd u5
#smbpasswd -a u5   a for adding a Samba password (separate from the Unix password)
#smbpasswd -d u5   d for disabling the password entry
#smbpasswd -x u5   x for deleting the password entry
#pdbedit -L -w   list users that have samba passwords. -w prints the LM/NT hashes, which are password-equivalent for SMB (pass-the-hash), so do not leave that output in scrollback or logs
#mkdir /share
#getenforce
#ls -ldZ /share   if SELinux is Enforcing, then the context for the /share directory needs to be changed
#chcon -t samba_share_t /share
#ls -ldZ /share
#cd /share
#touch file1
#service smb restart
Logs are in /var/log/samba
CIFS Sharing (client side) - Samba mount shared resources
#smbclient -L //192.168.0.254 | less   from the list we can only use "Disk" or "Print" type shares. The share name shown in the list may be totally different from the directory name on the host; the share name hides the directory name on the server
#mkdir -p /mnt/cifs
#mount -t cifs //192.168.0.254/myshare /mnt/cifs -o username=u5,password=...
#df -h
#vim /etc/fstab   add the following entry
//192.168.0.254/myshare /mnt/cifs cifs defaults,username=u5,password=... 0 0
A password in /etc/fstab is world-readable. Use credentials=/root/.smbcred instead of password= (a file with username= and password= lines, mode 0600).
#umount /mnt/cifs
#df -h
#mount -a
#df -h
#smbclient //192.168.0.254/myshare -U u5
smb> ls   shows file1 created above
tcp_wrappers
#which vsftpd   gives /usr/sbin/vsftpd
#ldd /usr/sbin/vsftpd | grep -i libwrap   shows a line; it means tcp_wrappers is supported
#which httpd   gives /usr/sbin/httpd
#ldd /usr/sbin/httpd | grep -i libwrap   does not show a line; it means tcp_wrappers is NOT supported
#which sshd   gives /usr/sbin/sshd
#ldd /usr/sbin/sshd | grep -i libwrap   shows a line; it means tcp_wrappers is supported
tcp_wrappers access control is done through /etc/hosts.allow and /etc/hosts.deny
No need to restart services if you change these files; they are read on every connection
Evaluation order: hosts.allow is checked first and a match allows; otherwise hosts.deny is checked and a match denies; otherwise the connection is allowed. An empty hosts.deny therefore means no restriction at all.
#vim /etc/hosts.deny
vsftpd: desktop20.example.com   desktop20 is not allowed to FTP to this server
vsftpd: .example.com   the .example.com domain is not allowed to FTP to this server
vsftpd: ALL EXCEPT .example.com   any domain other than .example.com is not allowed to FTP to this server
sshd: .example.com   the .example.com domain is not allowed to SSH to this server
sshd: 192.168.0.   the 192.168.0.0/24 network is not allowed to SSH to this server (a trailing dot means a network prefix)
sshd: ALL EXCEPT .example.com   any host outside .example.com is not allowed to SSH to this server
#vim /etc/hosts.allow
vsftpd: desktop20.example.com   desktop20 is allowed to FTP to this server even though it is listed in hosts.deny, because hosts.allow is consulted first
Host name patterns depend on the reverse DNS of the client, which the owner of the client's address block controls; prefer address patterns for anything that matters.
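The allow-then-deny-then-default order above is easy to get wrong when a host appears in both files. The following is an added example for these notes (not the tcp_wrappers source and not from the original page): it implements the hosts_access(5) decision for the pattern forms used here (host name, .domain suffix, network prefix with a trailing dot, ALL, and ALL EXCEPT) and evaluates constructed sample files against a few constructed clients, so the rules can be checked without a live daemon.

```python
"""Added example (not from the original notes): the hosts_access(5) decision
for the rule forms used above, so the allow/deny/default order can be
checked against sample rules instead of a live daemon.
"""


def parse_rules(text):
    """'daemon_list : client_list' lines; '#' comments and blank lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(), clients.strip()))
    return rules


def match_token(token, client):
    """One pattern against one client, given as (reverse-DNS name, IP)."""
    hostname, ip = client
    if token == "ALL":
        return True
    if token.startswith("."):        # domain suffix: .example.com
        return hostname.endswith(token)
    if token.endswith("."):          # network prefix: 192.168.0.
        return ip.startswith(token)
    return token in (hostname, ip)   # exact host name or address


def match_list(client_list, client):
    """'a b c' matches any token; 'a EXCEPT b' matches a but not b."""
    if " EXCEPT " in client_list:
        left, right = client_list.split(" EXCEPT ", 1)
        return match_list(left, client) and not match_list(right, client)
    return any(match_token(tok, client)
               for tok in client_list.replace(",", " ").split())


def hosts_access(daemon, client, allow_text, deny_text):
    """hosts.allow first (match = allow), then hosts.deny (match = deny), else allow."""
    def applies(daemons):
        return daemon in daemons or "ALL" in daemons

    for daemons, clients in parse_rules(allow_text):
        if applies(daemons) and match_list(clients, client):
            return "allow"
    for daemons, clients in parse_rules(deny_text):
        if applies(daemons) and match_list(clients, client):
            return "deny"
    return "allow"


# Constructed sample files mirroring the rules in the notes above.
HOSTS_DENY = """\
vsftpd: ALL EXCEPT .example.com
sshd:   192.168.0.
sshd:   ALL EXCEPT .example.com
"""
HOSTS_ALLOW = """\
vsftpd: desktop20.example.com
"""


def decisions():
    """Decisions for a few constructed clients, keyed by 'daemon hostname'."""
    clients = {
        "desktop20.example.com": ("desktop20.example.com", "192.168.0.20"),
        "desktop21.example.com": ("desktop21.example.com", "192.168.0.21"),
        "lab.example.com": ("lab.example.com", "172.16.0.9"),
        "box.evil.net": ("box.evil.net", "10.0.0.5"),
    }
    return {f"{d} {name}": hosts_access(d, c, HOSTS_ALLOW, HOSTS_DENY)
            for d in ("vsftpd", "sshd") for name, c in clients.items()}


if __name__ == "__main__":
    for key, verdict in decisions().items():
        print(f"{verdict:5}  {key}")
```

Two things the run makes visible: desktop20 gets FTP despite the deny rule, because the allow file wins; and sshd from desktop20 is denied by the network-prefix rule even though the host is inside .example.com, because the first matching deny line ends the evaluation. The real libwrap also cross-checks the reverse name against a forward lookup and treats a mismatch as the pseudo-host PARANOID, which this simplified matcher does not model.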
LDAP
#system-config-authentication
or on the Desktop --> System --> Administration --> Authentication
Select LDAP
DN - dc=example,dc=com
LDAP Server - ldap://instructor.example.com
Check TLS to encrypt connections (without it, the password binds cross the network in clear text)
Certificate link - http://192.168.0.254/pub/EXAMPLE-CA-CERT   the CA certificate is fetched over plain http, so verify its fingerprint with the instructor out of band; whoever can alter this download can impersonate the LDAP server
Authentication Method - LDAP Password
Click Apply
On VMs - look for the sssd service. On Desktops - look for the nslcd service
#service sssd status
#chkconfig --list sssd
#getent passwd ldapuser1
#su - ldapuser1
Based on the settings in /etc/nsswitch.conf, the system looks in the local users first and then goes to LDAP. Look for
passwd: files sss
autofs (NFS mount) - No fstab entries needed
No need to install autofs. It comes with the base install
#vim /etc/sysconfig/autofs   you can specify autofs parameters like the timeout. TIMEOUT=300. The timeout can also be specified in auto.master
#vim /etc/auto.master   put in your own directory name and the file that contains the mount information. These can have any name
/remote /etc/auto.remote
#vim /etc/auto.remote
kick -r w,fstype=nfs 192.168.0.254:/kickstart
#service autofs stop   restart will not work
#service autofs start
#chkconfig autofs on
#cd /remote/kick
#df -h
#cd   to go to your home directory; wait for the timeout period
#df -h   you will not see the /remote/kick mount point
autofs (Local mount) - No fstab entries needed
No need to install autofs. It comes with the base install
Create a partition /dev/sda5 and mount it as /local/disk1. Create an LV /dev/vg00/lv01 and mount it as /local/lv1
#vim /etc/auto.master
/local /etc/auto.local
#vim /etc/auto.local
disk1 -fstype=ext4 :/dev/sda5
lv1 -fstype=ext4 :/dev/vg00/lv01
#service autofs stop   restart will not work
#service autofs start
#chkconfig autofs on
#df -h
#cd /local
#df -h
#cd lv1
#df -h
autofs for ldapusers - No fstab entries required
No need to install autofs. It comes with the base install
#showmount -e 192.168.0.254   if /home/guests is the directory shared on 192.168.0.254 and it has the home directories for the ldap users
#vim /etc/auto.master
/home/guests /etc/auto.ldap
#vim /etc/auto.ldap
ldapuser1 -rw,fstype=nfs 192.168.0.254:/home/guests/ldapuser1   for a single user
* -rw,fstype=nfs 192.168.0.254:/home/guests/&   generic for multiple users (* matches the key, & substitutes it)
autofs for samba - No fstab entries required
No need to install autofs. It comes with the base install
#vim /etc/sysconfig/autofs   you can specify autofs parameters like the timeout. TIMEOUT=300. The timeout can also be specified in auto.master
#vim /etc/auto.master   put in your own directory name and the file that contains the mount information. These can have any name
/cifs /etc/auto.cifs
#vim /etc/auto.cifs
cifsshare -rw,fstype=cifs,username=u5,password=... ://192.168.0.254/myshare
The /etc/auto.* map files are world-readable by default, so either chmod 600 this map or use credentials=/root/.smbcred instead of password=
#service autofs stop   restart will not work
#service autofs start
#chkconfig autofs on
#cd /cifs/cifsshare
#df -h
#cd   to go to your home directory; wait for the timeout period
#df -h   you will not see the /cifs/cifsshare mount point
SELinux
#yum install setroubleshoot* -y
#vim /etc/sysconfig/selinux   config file for selinux (the mode used at boot)
#getenforce
#setenforce 0   Permissive
#setenforce Permissive
#setenforce 1   Enforcing
#setenforce Enforcing
#semanage fcontext -l   displays the registry of resource contexts
A security context is applied to resources
#ls -lZ   to view the security context for all files / directories
#ps -Z   to view the process security context
#chcon -u   #chcon -r   #chcon -t   change the user, role or type part of a context
cp (copy) a file to a destination: the copy inherits the destination context
mv (move) a file to a destination: it keeps its old context and does NOT inherit the destination context. This is the usual reason a moved web or ftp file is denied
#semanage fcontext -a -t public_content_rw_t "/var/ftp/dropbox(/.*)?"   add a new entry into the registry (survives a relabel)
#restorecon -R -v /var/ftp/dropbox   R for recursive for all files in the directory and v for verbose; applies the registry entry
#chcon -Rt public_content_rw_t /var/ftp/dropbox   sets the context directly, but a relabel or restorecon reverts it unless the semanage entry exists
#ls -ldZ /var/ftp/dropbox
#getsebool -a | less   get the process booleans
#setsebool allow_ftpd_anon_write=1   set a process boolean (add -P to persist across reboots)
For troubleshooting and error messages
#yum install setroubleshoot* -y   so that you can use the sealert command
#sealert -a /var/log/audit/audit.log
#cat /var/log/messages | grep setroubleshoot   copy the alert id from here
#sealert -l id
FTP Client
#yum install ftp* -y
#yum install lftp* -y
#ftp 192.168.0.254   enter userid and password
#lftp 192.168.0.254   does not ask for userid and password (logs in anonymously)
FTP Server - vsftpd (Very Secure FTP)
#yum remove vsftpd* -y
#yum install vsftpd* -y
#vim /etc/vsftpd/vsftpd.conf   config file. You can change the log file location here, if needed
#vim /etc/vsftpd/ftpusers   userids that are NOT allowed to log in through FTP (root and the system accounts by default; keep them there, FTP sends passwords in clear text)
#vim /etc/vsftpd/user_list   please look at the userlist_deny parameter in /etc/vsftpd/vsftpd.conf
If userlist_deny=NO, only the users listed in the user_list file are allowed
If userlist_deny=YES, the users listed in the user_list file are NEVER allowed. In this case, when you try from the client side to log in as a user listed in user_list, vsftpd rejects the login right after the username, before asking for the password, so the password never crosses the network
If a user exists in both files, the ftpusers file takes precedence
If you change any of the above files, make sure to restart the ftp service
#service vsftpd status
#service vsftpd restart
#chkconfig vsftpd on
To check messages for FTP
#tail -f /var/log/messages
To track the packets, you can install wireshark
#yum install wire* -y
To stop ftp connections coming into your server
#vim /etc/hosts.deny   edit this file
Uploadable FTP Server using SELinux
1. Create the directory /var/ftp/dropbox
2. Change the group ownership from root to the ftp group
3. Make sure that the ftp group can write to that directory
4. If SELinux is enforcing, make sure that the context for the dropbox directory is public_content_rw_t (the ftp directory itself only needs the read-only public_content_t)
5. Set the process boolean for anonymous write
6. Make sure the vsftpd config file allows anonymous write and upload
7. Restart the FTP service
#mkdir -p /var/ftp/dropbox   created and owned by root
#chgrp ftp /var/ftp/dropbox
#chmod g+rwx /var/ftp/dropbox   writable for the ftp group only; do not make it world-writable. vsftpd's default anon_umask=077 makes uploaded files unreadable to other anonymous clients, which keeps the dropbox from becoming a public file exchange; leave that default alone
#getenforce   make sure SELinux is enforcing
#cd /var
#ls -ldZ /var/ftp   to see the context for the ftp directory
#ls -ldZ /var/ftp/dropbox   to see the context for the dropbox directory
#restorecon -R -v /var/ftp/dropbox   (after adding a semanage fcontext entry for it)
or
#chcon -Rt public_content_rw_t /var/ftp/dropbox
#getsebool -a | grep ftpd   look for allow_ftpd_anon_write
#setsebool -P allow_ftpd_anon_write=1   P implies a persistent setting
#vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES
anon_mkdir_write_enable=YES
#service vsftpd status
#service vsftpd restart
#chkconfig vsftpd on
HTTP/Apache server
#rpm -qa | grep httpd   to see if apache is installed or not
#yum install http* -y
Default port is 80
Document root is /var/www/html
User is apache, group is apache
All logs are in /var/log/httpd (/etc/httpd/logs is a symlink to it)
#rpm -qc httpd   to see the configuration files for httpd
httpd startup parameters are in /etc/sysconfig/httpd
/etc/httpd is the main directory
#vim /etc/httpd/conf/httpd.conf   main config file for httpd. You can change the log file location here, if needed
DirectoryIndex index.html index.html.var
After making changes, please make sure to restart the service
#service httpd restart
#chkconfig httpd on
In the browser, use the following URLs
http://localhost   looks for index.html in /var/www/html
http://127.0.0.1   looks for index.html in /var/www/html
http://192.168.11.3 (the server's own IP)   looks for index.html in /var/www/html
#yum install elinks* -y
#elinks --dump localhost
#elinks --dump 127.0.0.1
#elinks 192.168.11.3   this worked for me and the above two URLs did not
Name based and port based Virtual Hosting (with restricting access to the host for one of the sites) (with user based authentication for one of the sites)
Step 1 (Server)
#mkdir -p /var/www/virtual
#cd /var/www/virtual
#mkdir google   in this directory, create google.html. Put in some text
#mkdir yahoo   in this directory, create yahoo.html. Put in some text
#mkdir facebook   in this directory, create facebook.html. Put in some text
#mkdir twitter   in this directory, create twitter.html. Put in some text
Step 2 (Server)
#vim /etc/httpd/conf/httpd.conf
make sure that the following entries exist
NameVirtualHost 192.168.0.250:80
NameVirtualHost 192.168.0.250:8080
Listen 80
Listen 8080
DirectoryIndex index.html index.html.var   (global)
DirectoryIndex google.html google.html.var   (inside the google VirtualHost; likewise yahoo.html, facebook.html and twitter.html in theirs)
The container lines (<VirtualHost ...>, <Directory ...>) were lost when these notes were extracted; each site below is one VirtualHost block containing:
ServerAdmin [email protected]
DocumentRoot /var/www/virtual/google
ServerName google.example.com
and, in a Directory block for /var/www/virtual/google (the commented-out default is AllowOverride None, Options None, Order allow,deny, Allow from all):
AllowOverride None
Options None
Order allow,deny
Allow from desktop3.example.com   allow the google site only from desktop3.example.com. With Order allow,deny, anything not matched by an Allow line is denied
ServerAdmin [email protected]
DocumentRoot /var/www/virtual/yahoo
ServerName yahoo.example.com
ServerAdmin [email protected]
DocumentRoot /var/www/virtual/facebook
ServerName facebook.example.com
ServerAdmin [email protected]
DocumentRoot /var/www/virtual/twitter
ServerName twitter.example.com
and, in a Directory block for /var/www/virtual/twitter:
AuthType Basic
AuthName "This is for user based Authentication"
AuthUserFile /etc/httpd/.htpasswd
Require user user1 user2   the keyword user, then the names (Require valid-user would accept anyone in the file)
Basic auth sends the password base64-encoded, not encrypted, on every request; it only protects anything on an https VirtualHost.
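Because the container directives did not survive extraction, here is the configuration the directives above describe, written out as an added reconstruction for these notes (not the page's own file). Assumptions: google and yahoo are served on :80 and facebook and twitter on :8080 (from Step 7), only twitter carries the htpasswd login, and the ServerAdmin lines are omitted because their addresses were lost.

```apache
# Added reconstruction for these notes; see the lead-in for the assumptions.
NameVirtualHost 192.168.0.250:80
NameVirtualHost 192.168.0.250:8080
Listen 80
Listen 8080

<VirtualHost 192.168.0.250:80>
    ServerName     google.example.com
    DocumentRoot   /var/www/virtual/google
    DirectoryIndex google.html google.html.var
    <Directory /var/www/virtual/google>
        AllowOverride None
        Options None
        # deny-by-default: only hosts matched by an Allow line get in
        Order allow,deny
        Allow from desktop3.example.com
    </Directory>
</VirtualHost>

<VirtualHost 192.168.0.250:80>
    ServerName     yahoo.example.com
    DocumentRoot   /var/www/virtual/yahoo
    DirectoryIndex yahoo.html yahoo.html.var
</VirtualHost>

<VirtualHost 192.168.0.250:8080>
    ServerName     facebook.example.com
    DocumentRoot   /var/www/virtual/facebook
    DirectoryIndex facebook.html facebook.html.var
</VirtualHost>

<VirtualHost 192.168.0.250:8080>
    ServerName     twitter.example.com
    DocumentRoot   /var/www/virtual/twitter
    DirectoryIndex twitter.html twitter.html.var
    <Directory /var/www/virtual/twitter>
        # Basic auth: credentials are only base64 on the wire, so in
        # production this block belongs in an https VirtualHost.
        AuthType Basic
        AuthName "This is for user based Authentication"
        AuthUserFile /etc/httpd/.htpasswd
        Require user user1 user2
    </Directory>
</VirtualHost>
```

httpd -S (Step 3) prints the resulting name-to-VirtualHost mapping per port, which is the quickest way to confirm that the two :8080 hosts and the two :80 hosts landed where intended. A name-based setup means the first VirtualHost on each port is also the default for requests whose Host header matches nothing, so the access restriction on the google site only applies to requests that actually name it.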
Step 3 (Server)
#service httpd configtest
#httpd -t   syntax check
#httpd -S   virtual host syntax check; shows which ServerName maps to which VirtualHost and port
Step 4a (Server)
#useradd user1
#useradd user2
htpasswd accounts are independent of Unix accounts, so these useradd lines are not needed for Basic auth; if you keep them, the accounts stay locked until a password is set
#htpasswd -cm /etc/httpd/.htpasswd user1   c for create and m for an MD5-crypt hashed password for user1
#htpasswd -m /etc/httpd/.htpasswd user2   since the file already exists, no c is needed (c would truncate it). Add an MD5-crypt hashed password for user2
Keep the file outside every DocumentRoot (as here) and readable only by root and the apache user (chown root:apache, chmod 640)
Step 4b (Server)
#vim /etc/hosts   add the following entries
192.168.0.250 google.example.com
192.168.0.250 yahoo.example.com
192.168.0.250 facebook.example.com
192.168.0.250 twitter.example.com
Step 5 (Server)
#service httpd restart
#chkconfig httpd on
Step 6 (Server)
#tail -f /var/log/httpd/access_log   to see the hits on the apache server
Step 7 (Client)
In the browser
http://google.example.com   only allowed from desktop3.example.com
http://yahoo.example.com
http://facebook.example.com:8080
http://twitter.example.com:8080   asks for userid and password. Need to enter user1 or user2 and their http password
Step 8 (Server)
#elinks --dump google.example.com   only allowed from desktop3.example.com
#elinks --dump yahoo.example.com
#elinks --dump facebook.example.com
#elinks --dump twitter.example.com   asks for userid and password. Need to enter user1 or user2 and their http password
Monitoring a website
The ab (ApacheBench) command is used to perform load testing on a website
#ab http://demo.example.com/   you will see various things; one of them is the response time (note the trailing slash: ab needs a path in the URL)
#ab -n 200 -c 10 http://demo.example.com/   200 requests, 10 at a time. The response time increases
#ab -n 1000 -c 20 http://demo.example.com/   1000 requests, 20 at a time. The response time increases further
Only run this against servers you are responsible for; at higher concurrency it is a denial-of-service tool.
iSCSI - Server side
#yum install scsi-target-utils* -y
#vim /etc/tgt/targets.conf   add the following entries (the <target iqn...> container lines around each pair were lost in extraction; each target gets one backing-store and one initiator-address)
backing-store /dev/sda5
initiator-address 192.168.0.16
backing-store /dev/sda6
initiator-address 192.168.0.117
initiator-address is the only access control here, and it is just the source IP; add CHAP (an incominguser line) for anything outside a lab
#service tgtd stop
#service tgtd start
#chkconfig tgtd on
The default port for tgtd is 3260. Make sure that the port is open by issuing the following command
#netstat -ntlp | less
iSCSI - Client side
Go to one of the clients mentioned in the server's /etc/tgt/targets.conf file
#yum install iscsi-initiator-utils* -y
#iscsiadm -m discovery -t st -p 192.168.0.1   this is to get the iqn name of the iscsi disk shared for this client by the server. m => mode, t => type, st => send targets, p => portal, the IP address of the server that is sharing the disk
#iscsiadm -m node -T iqn.2011-12.com.example:server1.desktop16.disk1 -p 192.168.0.1 -l   T => target iqn name, l => login
If you get a success message then the disk is attached. To check if the disk is attached
#tail /var/log/messages | less
#fdisk -l | less   shows /dev/sdb attached. You can now partition it
#fdisk -cu /dev/sdb   add new partitions
#partx -d /dev/sdb
#partx -a /dev/sdb
#cat /proc/partitions
#mkfs.ext4 /dev/sdb1
For mounting always use the UUID from blkid. Do not use /dev/sdb1: the device name depends on discovery order and can change between boots
#mkdir /mnt/iscsi
#blkid /dev/sdb1   get the UUID
#vim /etc/fstab   add the following entry
UUID="......." /mnt/iscsi ext4 _netdev 0 0   _netdev delays the mount until the network (and the iscsi login) is up
#mount -a
#iscsiadm -m node -T iqn.2011-12.com.example:server1.desktop16.disk1 -p 192.168.0.1 -u -o delete   u => logout, o => operation; delete removes the cached node record. No data is deleted
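The targets.conf entries above lost their container lines in extraction. The following is an added reconstruction for these notes (not the page's own file): the first target name is the one the client logs in to below; the second target name, the CHAP user name and the secret are assumptions, and the CHAP line is the addition a practitioner would make, since initiator-address only checks a source IP that anyone on the same segment can spoof.

```conf
# /etc/tgt/targets.conf -- added reconstruction for these notes
<target iqn.2011-12.com.example:server1.desktop16.disk1>
    backing-store /dev/sda5
    initiator-address 192.168.0.16
    # Assumed addition: one-way CHAP. The initiator must present this
    # user/secret; without it the source address is the only check.
    incominguser iscsi-desktop16 change-me-to-a-long-random-secret
</target>

# Second target; the iqn is assumed (it was not recoverable from the notes).
<target iqn.2011-12.com.example:server1.desktop117.disk2>
    backing-store /dev/sda6
    initiator-address 192.168.0.117
</target>
```

On the client side, CHAP is enabled in /etc/iscsi/iscsid.conf with node.session.auth.authmethod = CHAP and the matching node.session.auth.username / node.session.auth.password, before the discovery and login commands above are run. iSCSI itself carries the disk blocks unencrypted, so the target network should be a dedicated or otherwise isolated segment.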
File Searching (examples)
#find -name snow.png
#find / -name '*.txt'
#find /etc -name '*pass*'
#find /home -user joe -group joe   files owned by user joe and group joe
#find /home -user joe -not -group joe   files owned by user joe and not by group joe
#find /home -user joe -o -user jane   files owned by user joe or user jane
#find /home -not \( -user joe -o -user jane \)   files NOT owned by user joe or user jane
#find / -user joe -o -uid 500   files owned by user joe or the user with uid 500
#find / -perm 755   files that have exactly 755 permissions (a setuid 4755 binary does not match)
#find / -perm +222   files where anyone (owner, group or other) can write: any of the bits set. Newer find spells this -perm /222
#find / -perm -222   files that everyone can write: all of the bits set
#find / -perm -002   files that others can write
#find / -type f \( -perm -4000 -o -perm -2000 \)   setuid / setgid files; compare against a known-good list, a new one is a classic persistence trick
#find / -size 10M   files exactly 10M in size
#find / -size +10M   files > 10M in size
#find / -size -10M   files < 10M in size
#find /tmp -ctime +10   files changed more than 10 days ago
#find -size +100M -ok mv {} /tmp/largefiles/ \;   files that are more than 100M in size are moved to a different directory; prompts for each file move
#find -size -100M -exec mv {} /tmp/smallfiles/ \;   files that are less than 100M in size are moved to a different directory; NO PROMPT
#find / -type f -group ftp -not -user root -exec cp -p {} /tmp/ftpfiles/ \;
#find / -type f -perm -002 -exec chmod o-w {} \;   strip world-write from every file (review the list with -ls first)
#find / -not -perm +111 -name '*.sh' -ok chmod 755 {} \;
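The three -perm forms above (exact, all-of with a leading -, any-of with a leading + or /) are the part of find most often misread in audits. As an added example for these notes (not from the original page), the following implements those semantics over a directory tree, runs the audit queries and the chmod o-w fix from the examples above, and checks the result. The tree and the file modes are constructed in a temporary directory so it runs anywhere and removes what it created.

```python
"""Added example (not from the original notes): the three -perm forms used
above (exact, all-of '-', any-of '+' or '/') implemented over a directory
tree, plus the 'find ... -perm -002 -exec chmod o-w' fix. The tree and its
modes are constructed here in a temporary directory so the audit runs
anywhere and cleans up after itself.
"""
import os
import shutil
import stat
import tempfile


def perm_match(mode, spec):
    """spec as find takes it: '755' exact, '-222' all bits set, '+222'/'/222' any bit set."""
    bits = mode & 0o7777
    if spec[0] == "-":
        want = int(spec[1:], 8)
        return bits & want == want
    if spec[0] in "+/":
        want = int(spec[1:], 8)
        return bits & want != 0
    return bits == int(spec, 8)


def find_perm(root, spec):
    """Like: find ROOT -type f -perm SPEC  (symlinks skipped, paths relative to ROOT)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and perm_match(st.st_mode, spec):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def fix_world_writable(root):
    """Like: find ROOT -type f -perm -002 -exec chmod o-w {} \\;"""
    fixed = []
    for rel in find_perm(root, "-002"):
        path = os.path.join(root, rel)
        os.chmod(path, (os.lstat(path).st_mode & 0o7777) & ~0o002)
        fixed.append(rel)
    return fixed


def build_sample_tree():
    """Constructed fixture: files with the modes the examples above care about."""
    layout = {
        "bin/tool": 0o755,          # exact 755
        "bin/suid_helper": 0o4755,  # 755 plus setuid: NOT matched by -perm 755
        "tmp/scratch": 0o666,       # writable by everyone
        "home/joe/share": 0o664,    # group-writable only
        "home/joe/notes": 0o600,
        "etc/conf": 0o644,
    }
    root = tempfile.mkdtemp(prefix="permaudit-")
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


def audit_report():
    """Run every query over the sample tree, apply the fix, re-check, clean up."""
    root = build_sample_tree()
    try:
        report = {
            "exact_755": find_perm(root, "755"),
            "any_write": find_perm(root, "+222"),
            "all_write": find_perm(root, "-222"),
            "other_write": find_perm(root, "-002"),
            "setuid": find_perm(root, "-4000"),
            "group_write": find_perm(root, "-020"),
        }
        report["fixed"] = fix_world_writable(root)
        report["other_write_after_fix"] = find_perm(root, "-002")
    finally:
        shutil.rmtree(root)
    return report


if __name__ == "__main__":
    for key, paths in audit_report().items():
        print(f"{key:22} {paths}")
```

The report makes the two traps concrete: -perm 755 silently misses the setuid helper because the exact form compares all twelve bits, and +222 matches every file in the tree, since almost every file is writable by its owner, so "any write bit" is rarely the question an audit wants answered; -002 (others can write) or -020 (group can write) is.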
Virtual Machine
#virsh destroy vm   force the VM off (like pulling the power)
#virsh undefine vm   remove its definition
#virt-manager   to launch Virtual Machine Manager
tar and compression
Order of compression (each step below typically produces a smaller archive than the previous one, and takes longer)
#tar -cvf etc.tar /etc
#du -h etc.tar   to see how much space it occupies
#tar -czvf etc.tar.gz /etc
#du -h etc.tar.gz   to see how much space it occupies
#tar -cjvf etc.tar.bz2 /etc
#du -h etc.tar.bz2   to see how much space it occupies
#tar -cJvf etc.tar.xz /etc
#du -h etc.tar.xz   to see how much space it occupies
c => create, v => verbose, f => file (the archive), z => gzip, j => bzip2, J => xz
Unlike cp and mv, with tar the destination (the archive named after -f) is given first and the sources later.
An archive of /etc contains /etc/shadow and private keys, and it is created with the caller's umask, so chmod 600 it or write it into a root-only directory. tar strips the leading / from member names, so extracting it elsewhere does not overwrite /etc.
iptables
#iptables -F   flush the default table. The default table is filter
#iptables -t filter -F   flush the filter table
#iptables -t nat -F   flush the nat table
#iptables -t mangle -F   flush the mangle table
-F removes the rules but leaves the chain policies. With a DROP policy on INPUT, a flush over ssh locks you out; set the policy to ACCEPT first (iptables -P INPUT ACCEPT) or work from the console.
#service iptables save   save the running rules to /etc/sysconfig/iptables
#service iptables stop   flushes and sets all policies to ACCEPT
#service iptables start   loads /etc/sysconfig/iptables
#service iptables restart
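The notes only flush and save rules; what goes into the saved file is the part that matters. The following is an added example for these notes (not the page's own file): a minimal /etc/sysconfig/iptables in the format that service iptables save writes, for the lab server built above. It assumes the 192.168.0.0/24 subnet from the notes and the services configured earlier (ssh, http, ftp, NFSv4, iSCSI, Samba); the port numbers are the standard ones.

```conf
# /etc/sysconfig/iptables -- added example for these notes
# Loaded by "service iptables start"; written by "service iptables save".
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host started
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# ssh only from the lab subnet
-A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -m state --state NEW -j ACCEPT
# web and ftp control channel for everyone (ftp data needs the conntrack helper, see below)
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
# NFSv4 (2049), iSCSI target (3260) and Samba (139/445 tcp, 137/138 udp): lab subnet only
-A INPUT -s 192.168.0.0/24 -p tcp -m multiport --dports 2049,3260,139,445 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p udp --dport 137:138 -j ACCEPT
# log what is about to be dropped, rate-limited so the log cannot be flooded
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
-A INPUT -j DROP
COMMIT
```

Two things this file depends on: passive FTP transfers only match RELATED if the ftp conntrack helper is loaded (add ip_conntrack_ftp to IPTABLES_MODULES in /etc/sysconfig/iptables-config), and NFSv3 clients additionally need rpcbind (111) plus the mountd and statd ports, which must be pinned in /etc/sysconfig/nfs before they can be listed here. Load it from the console the first time, because the INPUT policy is DROP.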
VNC Server and Viewer
Did not look into it. Is it covered in the exam?
gpg - GNU Privacy Guard