Scenario

Learn RHCE

Red hat Linux The Redhat Certification Program is most mature and respected Training Program on Linux. The World’s Leading Linux Certification. The RHCE certificate is a validation of your competency, undeniable proof of your skills, the standard track consist of RH-033, RH-133 and RH-253. It’s the leading choice of the IT professionals and their employers.

RHCE:RedHat Certified Engineer

RH-033:Red Hat Linux Essentials:
Course Duration
Normal Track – 2 weeks
Fast Track – 3 Days
Designed for Beginners, and covers all skills to become a productive user, including installation and command line essentials more…

RH-133:Red Hat Linux System Administration:
Course Duration
Normal Track – 2 Weeks
Fast Track - 3 Days

In this module, you will start building skills in system administration on Red Hat Enterprise Linux, to a level where you can attach and configure a workstation on an existing network with virtualization. more…

RH-253:Red Hat Linux Networking and Security Administration
Course Duration
Normal Track – 2 Weeks
Fast Track – 4 Days

In this module you will learn how to configure common Red Hat Enterprise Linux network services server-side setup, configuration, and basic administration. (DNS, NTP, NIS, Apache, SMB, DHCP, Send mail, FTP. Other common services: tftp, pppd,proxy more…

RHCSS:Red Hat Certified Security Specialist

RHS 333:Enterprise Network Services Security
Course Duration- 1 Week

RHCSS shares common ground with RHCA—both credentials require skills
and competencies taught in RHS333 and RH423. RHCSS additionally requires the skills covered in the RH429 course more…

RH-423: Enterprise Directory Services and Authentication
Course Duration- 1 Week

The Red Hat Enterprise Directory Services and Authentication Endorsement Exam is a performance-based test of the skills covered in RH423 Red Hat Enterprise Directory Services and Authentication. In order to enroll in this exam, you must have an RHCE on a current release at the time of the exam. Upon passing the exam, you will have earned an additional endorsement to your RHCE certification. This endorsement is one of the five required in order to earn the designation Red Hat Certified Architect. more…

RHS-429:Red Hat Enterprise SELinux Policy Administration
Course Duration- 1 Week

RHS429 introduces advanced system administrators,security administrators, and applications programmers to SELinux policy writing. Participants in this course will learn how SELinux works; how to manage SELinux; and how to write an SELinux policy. This class culiminates in a major project to scope out and then write policies for previously unprotected services. more…

RH 300:RHCE Rapid Track

Course Duration – 1 week

Designed for those who already possess significant systems administration experience and knowledge in a Linux/UNIX environment, and who desire the fastest path to RHCE certification.

RHCE Exam Pattern

Recently from 1st May 2009 RHCE(Red Hat Certified Engineer) exam pattern has been changed. Some of the high lights are as follows.. The examination time has been reduced to 3.5 hours from 5.5 hours as it was previously

Previously, there will be two sessions one with 2.5hour(for basic troubleshooting) session and 3hours session(for server and security configurations)
But this time The content has be consolidated and reorganized into a single section.
Every thing will be installed and given along with Visualization, the candidate should complete that exam is one stretch that is 3.5hrs.
As you know RHCE5 SElinux is enabled so prepare along that lines.
Main thing to pass this exam is just practice practice practice

Get counseling on how to pass RHCE, just fill this form for any quires dont hegitate its totally free..

Study Points for the RHCE Exam

Prerequisite skills for RHCT and RHCE

Candidates should possess the following skills, as they may be necessary in order to fulfill requirements of the RHCT and RHCE exams:

use standard command line tools (e.g., ls, cp, mv, rm, tail, cat, etc.) to create, remove, view, and investigate files and directories
use grep, sed, and awk to process text streams and files
use a terminal-based text editor, such as vim or nano, to modify text files
use input/output redirection
understand basic principles of TCP/IP networking, including IP addresses, netmasks, and gateways for IPv4 and IPv6
use su to switch user accounts
use passwd to set passwords
use tar, gzip, and bzip2
configure an email client on Red Hat Enterprise Linux
use text and/or graphical browser to access HTTP/HTTPS URLs
use lftp to access FTP URLs

RHCT skills

Troubleshooting and System Maintenance

RHCTs should be able to:

boot systems into different run levels for troubleshooting and system maintenance
diagnose and correct misconfigured networking
diagnose and correct hostname resolution problems
configure the X Window System and a desktop environment
add new partitions, filesystems, and swap to existing systems
use standard command-line tools to analyze problems and configure system

Installation and Configuration

RHCTs must be able to:

perform network OS installation
implement a custom partitioning scheme
configure printing
configure the scheduling of tasks using cron and at
attach system to a network directory service, such as NIS or LDAP
configure autofs
add and manage users, groups, quotas, and File Access Control Lists
configure filesystem permissions for collaboration
install and update packages using rpm
properly update the kernel package
configure the system to update/install packages from remote repositories using yum or pup
modify the system bootloader
implement software RAID at install-time and run-time
use /proc/sys and sysctl to modify and set kernel run-time parameters
use scripting to automate system maintenance tasks
configure NTP for time synchronization with a higher-stratum server

RHCE skills

Troubleshooting and System Maintenance

RHCEs must demonstrate the RHCT skills listed above, and should be able to:

use the rescue environment provided by first installation CD
diagnose and correct boot failures arising from bootloader, module, and filesystem errors
diagnose and correct problems with network services (see Installation and Configuration below for a list of these services)
add, remove, and resize logical volumes
diagnose and correct networking services problems where SELinux contexts are interfering with proper operation.

Installation and Configuration

RHCEs must demonstrate the RHCT-level skills listed above, and they must be capable of configuring the following network services:

HTTP/HTTPS
SMB
NFS
FTP
Web proxy
SMTP
IMAP, IMAPS, and POP3
SSH
DNS (caching name server, slave name server)
NTP

For each of these services, RHCEs must be able to:

install the packages needed to provide the service
configure SELinux to support the service
configure the service to start when the system is booted
configure the service for basic operation
Configure host-based and user-based security for the service

Speed Firefox

Improve Firefox speed by 5x

by alok on Thu Oct 29, 2009 10:44 am

Just fit the NOS in your firefox (The Fast and the Furious)

1. Open Firefox and in the address bar type about:config.
2. Click on “I’ll be careful, I promise“
3. Use the search bar above to look for network.http.pipelining and double click on it to set it’s value to True.
4. Create a new boolean value named network.http.pipelining.firstrequest and set that to True, as well.
5. Find network.http.pipelining.maxrequests, double click on it, and change its value to 8.
6. Look for network.http.proxy.pipelining and set it to True.
7. Create two new integers named nglayout.initialpaint.delay and content.notify.interval, set them to 0.
8. Restart your browser.

All done. You should feel the browser is 5x more responsive than before while navigating websites.

God Bless.

See you on TOP.

We are also in “facebook” search for “networknuts”

NIS Domain

Scenario

To understand the benefits of NFS, consider an example. A school wants to set up a small computer lab for its students.

The main Linux server, bigboy, has a large amount of disk space and will be used as both the NIS server and NFS-based file server for the Linux PCs in the lab.
Users logging into the PCs will be assigned home directories on bigboy and not on the PCs themselves.
Each user’s home directory will be automatically mounted with each user login on the PCs using NFS.
The lab instructor will practice with a Linux PC named smallfry before implementing NIS on all the remaining PCs.
The suite of NIS RPMs have been installed on the server and client: ypserve and yp-tools are on the server, and ypbind and yp-tools are on the client.

Downloading and installing RPMs isn’t hard, as discussed in Chapter 6, “Installing Linux Software“. When searching for the RPMs, remember that the filename usually starts with the software package name followed by a version number, as in yp-tools-2.8-3.i386.rpm.
The lab instructor did some research and created an implementation plan:

Configure bigboy as an NFS server to make its /home directory available to the Linux workstations.
Configure smallfry as an NFS client that can access bigboy’s /home directory.
Configure bigboy as an NIS server.
Create a user account (nisuser) on bigboy that doesn’t exist on smallfry. Convert the account to a NIS user account.
Configure smallfry as an NIS client.
Test a remote login from bigboy to smallfry using the username and password of the account nisuser.

You have the scenario and the plan, it’s time to get to work.

Configuring The NFS Server

Here are the steps to configure the NFS server in this scenario:
1. Edit the /etc/exports file to allow NFS mounts of the /home directory with read/write access.

/home                   *(rw,sync)

2. Let NFS read the /etc/exports file for the new entry, and make /home available to the network with the exportfs command.

[root@bigboy tmp]# exportfs -a

[root@bigboy tmp]#

3. Make sure the required nfs, nfslock, and portmap daemons are both running and configured to start after the next reboot.

[root@bigboy tmp]# chkconfig nfslock on

[root@bigboy tmp]# chkconfig nfs on

[root@bigboy tmp]# chkconfig portmap on

[root@bigboy tmp]# service portmap start

Starting portmapper: [  OK  ]

[root@bigboy tmp]# service nfslock start

Starting NFS statd: [  OK  ]

[root@bigboy tmp]# service nfs start

Starting NFS services:  [  OK  ]

Starting NFS quotas: [  OK  ]

Starting NFS daemon: [  OK  ]

Starting NFS mountd: [  OK  ]

[root@bigboy tmp]#

After configuring the NFS server, we have to configure its clients, This will be covered next.

Configuring The NFS Client

You also need to configure the NFS clients to mount their /home directories on the NFS server.
These steps archive the /home directory. In a production environment in which the /home directory would be actively used, you’d have to force the users to log off, backup the data, restore it to the NFS server, and then follow the steps below. As this is a lab environment, these prerequisites aren’t necessary.
1. Make sure the required netfs, nfslock, and portmap daemons are running and configured to start after the next reboot.

[root@smallfry tmp]# chkconfig nfslock on

[root@smallfry tmp]# chkconfig netfs on

[root@smallfry tmp]# chkconfig portmap on

[root@smallfry tmp]# service portmap start

Starting portmapper: [  OK  ]

[root@smallfry tmp]# service netfs start

Mounting other filesystems:  [  OK  ]

[root@smallfry tmp]# service nfslock start

Starting NFS statd: [  OK  ]

[root@smallfry tmp]#

2. Keep a copy of the old /home directory, and create a new directory /home on which you’ll mount the NFS server’s directory.

[root@smallfry tmp]# mv /home /home.save

[root@smallfry tmp]# mkdir /home

[root@smallfry tmp]# ll /

...

...

drwxr-xr-x    1 root   root     11 Nov 16 20:22 home

drwxr-xr-x    2 root   root   4096 Jan 24  2003 home.save

...

...

[root@smallfry tmp]#

3. Make sure you can mount bigboy’s /home directory on the new /home directory you just created. Unmount it once everything looks correct.

[root@smallfry tmp]# mount 192.168.1.100:/home /home/

[root@smallfry tmp]# ls /home

ftpinstall  nisuser  quotauser  smallfry  www

[root@smallfry tmp]# umount /home

[root@smallfry tmp]#

4. Start configuring autofs automounting. Edit your /etc/auto.master file to refer to file /etc/auto.home for mounting information whenever the /home directory is accessed. After five minutes, autofs unmounts the directory.

#/etc/auto.master

/home      /etc/auto.home --timeout 600

5. Edit file /etc/auto.home to do the NFS mount whenever the /home directory is accessed. If the line is too long to view on your screen, you can add a \ character at the end to continue on the next line.

#/etc/auto.home

*   -fstype=nfs,soft,intr,rsize=8192,wsize=8192,nosuid,tcp \

   192.168.1.100:/home/&

6. Start autofs and make sure it starts after the next reboot with the chkconfig command.

[root@smallfry tmp]# chkconfig autofs on

[root@smallfry tmp]# service autofs restart

Stopping automount:[  OK  ]

Starting automount:[  OK  ]

[root@smallfry tmp]#

After doing this, you won’t be able to see the contents of the /home directory on bigboy as user root. This is because by default NFS activates the root squash feature, which disables this user from having privileged access to directories on remote NFS servers. You’ll be able to test this later after NIS is configured.
Note: This automounter feature doesn’t appear to function correctly in my preliminary testing of Fedora Core 3. See Chapter 29, “Remote Disk Access with NFS“, for details.
All newly added Linux users will now be assigned a home directory under the new remote /home directory. This scheme will make the users feel their home directories are local, when in reality they are automatically mounted and accessed over your network.

Configuring The NIS Server

NFS only covers file sharing over the network. You now have to configure NIS login authentication for the lab students before the job is done. The configuration of the NIS server is not difficult, but requires many steps that you may overlook. Don’t worry, we’ll review each one in detail.
Note: In the early days, NIS was called Yellow Pages. The developers had to change the name after a copyright infringement lawsuit, yet many of the key programs associated with NIS have kept their original names beginning with yp.

Install the NIS Server Packages

All the packages required for NIS clients are a standard part of most Fedora installations. The ypserv package for servers is not. Install the package according to the steps outlined in Chapter 6,”Installing Linux Software“.

Edit Your /etc/sysconfig/network File

You need to add the NIS domain you wish to use in the /etc/sysconfig/network file. For the school, call the domain NIS-SCHOOL-NETWORK.

#/etc/sysconfig/network

NISDOMAIN="NIS-SCHOOL-NETWORK"

Edit Your /etc/yp.conf File

NIS servers also have to be NIS clients themselves, so you’ll have to edit the NIS client configuration file /etc/yp.conf to list the domain’s NIS server as being the server itself or localhost.

# /etc/yp.conf - ypbind configuration file

ypserver 127.0.0.1

Start The Key NIS Server Related Daemons

Start the necessary NIS daemons in the /etc/init.d directory and use the chkconfig command to ensure they start after the next reboot.

[root@bigboy tmp]# service portmap start

Starting portmapper: [  OK  ]

[root@bigboy tmp]# service yppasswdd start

Starting YP passwd service: [  OK  ]

[root@bigboy tmp]# service ypserv start

Setting NIS domain name NIS-SCHOOL-NETWORK:  [  OK  ]

Starting YP server services: [  OK  ]

[root@bigboy tmp]#

[root@bigboy tmp]# chkconfig portmap on

[root@bigboy tmp]# chkconfig yppasswdd on

[root@bigboy tmp]# chkconfig ypserv on

Table 30.1 lists a summary of the daemon’s functions.

Table 30-1 Required NIS Server Daemons

Daemon Name	Purpose
portmap	The foundation RPC daemon upon which NIS runs.
yppasswdd	Lets users change their passwords on the NIS server from NIS clients
ypserv	Main NIS server daemon
ypbind	Main NIS client daemon
ypxfrd	Used to speed up the transfer of very large NIS maps

Make sure they are all running before continuing to the next step. You can use the rpcinfo command to do this.

[root@bigboy tmp]# rpcinfo -p localhost

   program vers proto   port

    100000    2   tcp    111  portmapper

    100000    2   udp    111  portmapper

    100009    1   udp    681  yppasswdd

    100004    2   udp    698  ypserv

    100004    1   udp    698  ypserv

    100004    2   tcp    701  ypserv

    100004    1   tcp    701  ypserv

[root@bigboy tmp]#

The ypbind and ypxfrd daemons won’t start properly until after you initialize the NIS domain. You’ll start these daemons after initialization is completed.

Initialize Your NIS Domain

Now that you have decided on the name of the NIS domain, you’ll have to use the ypinit command to create the associated authentication files for the domain. You will be prompted for the name of the NIS server, which in this case is bigboy.
With this procedure, all nonprivileged accounts are automatically accessible via NIS.

[root@bigboy tmp]# /usr/lib/yp/ypinit -m

At this point, we have to construct a list of the hosts which will run NIS

servers.  bigboy is in the list of NIS server hosts.  Please continue to add

the names for the other hosts, one per line.  When you are done with the

list, type a .

        next host to add:  bigboy

        next host to add:

The current list of NIS servers looks like this:

bigboy

Is this correct?  [y/n: y]  y

We need a few minutes to build the databases...

Building /var/yp/NIS-SCHOOL-NETWORK/ypservers...

Running /var/yp/Makefile...

gmake[1]: Entering directory `/var/yp/NIS-SCHOOL-NETWORK'

Updating passwd.byname...

Updating passwd.byuid...

Updating group.byname...

Updating group.bygid...

Updating hosts.byname...

Updating hosts.byaddr...

Updating rpc.byname...

Updating rpc.bynumber...

Updating services.byname...

Updating services.byservicename...

Updating netid.byname...

Updating protocols.bynumber...

Updating protocols.byname...

Updating mail.aliases...

gmake[1]: Leaving directory `/var/yp/NIS-SCHOOL-NETWORK'

bigboy has been set up as a NIS master server.

Now you can run ypinit -s bigboy on all slave server.

[root@bigboy tmp]#

Note: Make sure portmap is running before trying this step or you’ll get errors, such as:

failed to send 'clear' to local ypserv: RPC: Port mapper failureUpdating group.bygid...

You will have to delete the /var/yp/NIS-SCHOOL-NETWORK directory and restart portmap, yppasswd, and ypserv before you’ll be able to do this again successfully.

Start The ypbind and ypxfrd Daemons

You can now start the ypbind and the ypxfrd daemons because the NIS domain files have been created.

[root@bigboy tmp]# service ypbind start

Binding to the NIS domain: [  OK  ]

Listening for an NIS domain server.

[root@bigboy tmp]# service ypxfrd start

Starting YP map server: [  OK  ]

[root@bigboy tmp]# chkconfig ypbind on

[root@bigboy tmp]# chkconfig ypxfrd on

Make Sure The Daemons Are Running

All the NIS daemons use RPC port mapping and, therefore, are listed using the rpcinfo command when they are running correctly.

[root@bigboy tmp]# rpcinfo -p localhost

    program vers proto   port

     100000    2   tcp    111  portmapper

     100000    2   udp    111  portmapper

     100003    2   udp   2049  nfs

     100003    3   udp   2049  nfs

     100021    1   udp   1024  nlockmgr

     100021    3   udp   1024  nlockmgr

     100021    4   udp   1024  nlockmgr

     100004    2   udp    784  ypserv

     100004    1   udp    784  ypserv

     100004    2   tcp    787  ypserv

     100004    1   tcp    787  ypserv

     100009    1   udp    798  yppasswdd

  600100069    1   udp    850  fypxfrd

  600100069    1   tcp    852  fypxfrd

     100007    2   udp    924  ypbind

     100007    1   udp    924  ypbind

     100007    2   tcp    927  ypbind

     100007    1   tcp    927  ypbind

[root@bigboy tmp]#

Adding New NIS Users

New NIS users can be created by logging into the NIS server and creating the new user account. In this case, you’ll create a user account called nisuser and give it a new password.
Once this is complete, you then have to update the NIS domain’s authentication files by executing the make command in the /var/yp directory.
This procedure makes all NIS-enabled, nonprivileged accounts become automatically accessible via NIS, not just newly created ones. It also exports all the user’s characteristics stored in the /etc/passwd and /etc/group files, such as the login shell, the user’s group, and home directory.

[root@bigboy tmp]# useradd -g users nisuser

[root@bigboy tmp]# passwd nisuser

Changing password for user nisuser.

New password:

Retype new password:

passwd: all authentication tokens updated successfully.

[root@bigboy tmp]# cd /var/yp

[root@bigboy yp]# make

gmake[1]: Entering directory `/var/yp/NIS-SCHOOL-NETWORK'

Updating passwd.byname...

Updating passwd.byuid...

Updating netid.byname...

gmake[1]: Leaving directory `/var/yp/NIS-SCHOOL-NETWORK'

[root@bigboy yp]#

You can check to see if the user’s authentication information has been updated by using the ypmatch command, which should return the user’s encrypted password string.

[root@bigboy yp]# ypmatch nisuser passwd

nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/::504:100::/home/nisuser:/bin/bash

[root@bigboy yp]

You can also use the getent command, which has similar syntax. Unlike ypmatch, getent doesn’t provide an encrypted password when run on an NIS server, it just provides the user’s entry in the /etc/passwd file. On a NIS client, the results are identical with both showing the encrypted password.

[root@bigboy yp]# getent passwd nisuser

nisuser:x:504:100::/home/nisuser:/bin/bash

[root@bigboy yp]#

Configuring The NIS Client

Now that the NIS server is configured, it’s time to configure the NIS clients. There are a number of related configuration files that you need to edit to get it to work. Take a look at the procedure.

Run authconfig

The authconfig or the authconfig-tui program automatically configures your NIS files after prompting you for the IP address and domain of the NIS server.

[root@smallfry tmp]# authconfig-tui

Once finished, it should create an /etc/yp.conf file that defines, amongst other things, the IP address of the NIS server for a particular domain. It also edits the /etc/sysconfig/network file to define the NIS domain to which the NIS client belongs.

# /etc/yp.conf - ypbind configuration file

domain NIS-SCHOOL-NETWORK server 192.168.1.100

#/etc/sysconfig/network

NISDOMAIN=NIS-SCHOOL-NETWORK

In addition, the authconfig program updates the /etc/nsswitch.conf file that lists the order in which certain data sources should be searched for name lookups, such as those in DNS, LDAP, and NIS. Here you can see where NIS entries were added for the important login files.

#/etc/nsswitch.conf

passwd:     files nis

shadow:     files nis

group:      files nis

Note: You can also locate a sample NIS nsswitch.conf file in the /usr/share/doc/yp-tools* directory.

Start The NIS Client Related Daemons

Start the ypbind NIS client, and portmap daemons in the /etc/init.d directory and use the chkconfig command to ensure they start after the next reboot. Remember to use the rpcinfo command to ensure they are running correctly.

[root@smallfry tmp]# service portmap start

Starting portmapper: [  OK  ]

[root@smallfry tmp]# service ypbind start

Binding to the NIS domain:

Listening for an NIS domain server.

[root@smallfry tmp]#

[root@smallfry tmp]# chkconfig ypbind on

[root@smallfry tmp]# chkconfig portmap on

Note: Remember to use the rpcinfo -p localhost command to make sure they all started correctly.

Verify Name Resolution

As the configuration examples refer to the NIS client and server by their hostnames, you’ll have to make sure the names resolve correctly to IP addresses. This can be configured either in DNS, when the hosts reside in the same domain, or more simply by editing the /etc/hosts file on both Linux boxes.

# File: /etc/hosts (smallfry)

192.168.1.100    bigboy

# File: /etc/hosts (bigboy)

192.168.1.102    smallfry

Test NIS Access To The NIS Server

You can run the ypcat, ypmatch, and getent commands to make sure communication to the server is correct.

[root@smallfry tmp]# ypcat passwd

nisuser:$1$Cs2GMe6r$1hohkyG7ALrDLjH1:505:100::/home/nisuser:/bin/bash

quotauser:!!:503:100::/home/quotauser:/bin/bash

ftpinstall:$1$8WjAVtes$SnRh9S1w07sYkFNJwpRKa.:502:100::/:/bin/bash

www:$1$DDCi/OPI$hwiTQ.L0XqYJUk09Bw.pJ/:504:100::/home/www:/bin/bash

smallfry:$1$qHni9dnR$iKDs7gfyt..BS9Lry3DAq.:501:100::/:/bin/bash

[root@smallfry tmp]#

[root@smallfry tmp]# ypmatch nisuser passwd

nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/:504:100::/home/nisuser:/bin/bash

[root@smallfry tmp]#

[root@smallfry tmp]# getent passwd nisuser

nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/:504:100::/home/nisuser:/bin/bash

[root@smallfry tmp]#

Possible sources of error would include:

Incorrect authconfig setup resulting in errors in the /etc/yp.conf, /etc/sysconfig/network and /etc/nsswitch.conf files
Failure to run the ypinit command on the NIS server
NIS not being started on the NIS server or client.
Poor routing between the server and client, or the existence of a firewall that’s blocking traffic

Try to eliminate these areas as sources of error and refer to the syslog /var/log/messages file on the client and server for entries that may provide additional clues.

Test Logins via The NIS Server

Once your basic NIS functionality testing is complete, try to test a remote login. Failures in this area could be due to firewalls blocking TELNET or SSH access and the TELNET and SSH server process not being started on the clients.

Logging In Via Telnet

Try logging into the NIS client via telnet if it is enabled

[root@bigboy tmp]# telnet 192.168.1.201

Trying 192.168.1.201...

Connected to 192.168.1.201.

Escape character is '^]'.

Red Hat Linux release 9 (Shrike)

Kernel 2.4.20-6 on an i686

login: nisuser

Password:

Last login: Sun Nov 16 22:03:51 from 192-168-1-100.simiya.com

[nisuser@smallfry nisuser]$

Logging In Via SSH

Try logging into the NIS client via SSH.

[root@bigboy tmp]# ssh -l nisuser 192.168.1.102

nisuser@192.168.1.102's password:

[nisuser@smallfry nisuser]$

In some versions of Linux, the NIS client’s SSH daemon doesn’t re-read the /etc/nsswitch.conf file you just modified until SSH is restarted. SSH logins, therefore, won’t query the NIS server until this is done. Restart SSH on the NIS client.

[root@smallfry root]# service sshd restart

Stopping sshd:[  OK  ]

Starting sshd:[  OK  ]

[root@smallfry root]#

DNS WITH ME*

Most DNS servers are schizophrenic – they may be masters (authoritative) for some zones, slaves for others and provide caching or forwarding for all others. Many observers object to the concept of DNS types partly because of the schizophrenic behaviour of most DNS servers and partly to avoid confusion with the name.conf zone parameter ‘type’ which only allows master, slave, stub, forward, hint). Nevertheless, the following terms are commonly used to describe the primary function or requirement of DNS servers.
Notes:

Running any DNS server that does not need to support recursive queries for external users (an Open DNS) is a bad idea. While it may look like a friendly and neighbourly thing to do it carries with it a possible threat that it may be used in DDoS attacks as well as an increased risk of cache poisoning. The various configurations have been modified to ensuure that the DNS stays Closed to non-permitted users.
One of the basic rules of security is that only the minimum services necessary to meet the objectives should be deployed. This means that a secure DNS server should provide only a single function, for instance, authoritative only, or caching only, not both capabilities in the same system. This is a correct but idealistic position generally possible only in larger organizations. In practice many of us run mixed mode DNS servers. While much can be done to mitigate any security implications it must always be accepted that, in mixed configurations, increased risk is the downside of flexibility.

4.1 Master (Primary) Name Servers

A Master DNS contains one or more zone files for which this DNS is Authoritative (‘type master’). The zone has been delegated (via an NS Resource Record) to this DNS.
The term ‘master’ was introduced in BIND 8.x and replaced the term ‘primary’.
Master status is defined in BIND by including ‘type master’ in the zone declaration section of the named.conf file) as shown by the following fragment.

// example.com fragment from named.conf

// defines this server as a zone master

zone "example.com" in{

        type master;

        file "pri.example.com";

};

Notes:

The terms Primary and Secondary DNS entries in Windows TCP/IP network properties mean nothing, they may reflect the ‘master’ and ‘slave’ name-server or they may not – you decide this based on operational need, not BIND configuration.
It is important to understand that a zone ‘master’ is a server which gets its zone data from a local source as opposed to a ‘slave’ which gets its zone data from an external (networked) source (the ‘master’). This apparently trivial point means that you can have any number of ‘master’ servers for any zone if it makes operational sense. You have to ensure (by a manual or other process) that the zone files are synchronised but apart from this there is nothing to prevent it.
Just to confuse things still further you may run across the term ‘Primary Master’ this has a special meaning in the context of dynamic DNS updates and is defined to be the name server that appears in the SOA RR record.

When a master DNS receives Queries for a zone for which it is authoritative then it will respond as ‘Authoritative’ (AA bit is set in a query response).
When a DNS server receives a query for a zone which it is neither a Master nor a Slave then it will act as configured (in BIND this behaviour is defined in the named.conf file):

If caching behaviour is permitted and recursive queries are allowed the server will completely answer the request or return an error.
If caching behaviour is permitted and Iterative (non-recursive) queries are allowed the server can respond with the complete answer (if it is already in the cache because of another request), a referral or return an error.
If caching behaviour NOT permitted (an ‘Authoritative Only’ DNS server) the server will return a referral or return an error.

A master DNS server can export (NOTIFY) zone changes to defined (typically slave) servers. This ensures zone changes are rapidly propagated to the slaves (interrupt driven) rather than rely on the slave server polling for changes. The BIND default is to notify the servers defined in NS records for the zone.
If you are running Stealth Servers and wish them to be notified you will have to add an also-notify parameter as shown in the BIND named.conf file fragment below:

// example.com fragment from named.conf

// defines this server as a zone master

// 192.168.0.2 is a stealth server NOT listed in a NS record

zone "example.com" in{

        type master;

        also-notify {192.168.0.2;};

        file "pri/pri.example.com";

};

You can turn off all NOTIFY operations by specifying ‘notify no’ in the zone declaration.
Example configuration files for a master DNS are provided.

4.2 Slave (Secondary) Name Servers

A Slave DNS gets its zone file information from a zone master and it will respond as authoritative for those zones for which it is defined to be a ‘slave’ and for which it has a currently valid zone configuration.
The term ‘slave’ was introduced in BIND 8.x and replaced the term ‘secondary’.
Slave status is defined in BIND by including ‘type slave’ in the zone declaration section of the named.conf file) as shown by the following fragment.

// example.com fragment from named.conf

// defines this server as a zone slave

zone "example.com" in{

        type slave;

        file "sec/sec.example.com";

        masters {192.168.23.17;};

};

Notes:

The master DNS for each zone is defined in the ‘masters’ zone section and allows slaves to refresh their zone record when the ‘expiry’ parameter of the SOA Record is reached. If a slave cannot reach the master DNS when the ‘expiry’ time has been reached it will stop responding to requests for the zone. It will NOT use time-expired data.
The file parameter is optional and allows the slave to write the transferred zone to disc and hence if BIND is restarted before the ‘expiry’ time the server will use the saved data. In large DNS systems this can save a considerable amount of network traffic.

Assuming NOTIFY is allowed in the master DNS for the zone (the default behaviour) then zone changes are propagated to all the slave servers defined with NS Records in the master zone file. There can be any number of slave DNS’s for any given ‘master’ zone. The NOTIFY process is open to abuse. BIND’s default behaviour is to only allow NOTIFY from the ‘master’ DNS. Other acceptable NOTIFY sources can be defined using the allow-notify parameter in named.conf.
Example configuration files for a slave DNS are provided.

4.3 Caching Name Servers

A Caching Server obtains information from another server (a Zone Master) in response to a host query and then saves (caches) the data locally. On a second or subsequent request for the same data the Caching Server will respond with its locally stored data (the cache) until the time-to-live (TTL) value of the response expires at which time the server will refresh the data from the zone master.
If the caching server obtains its data directly from a zone master it will respond as ‘authoritative’, if the data is supplied from its cache the response is ‘non-authoritative’.
The default BIND behaviour is to cache and this is associated with the recursion parameter (the default is ‘recursion yes’). There are many configuration examples which show caching behaviour being defined using a type hint statement in a zone declaration. These configurations confuse two distinct but related functions. If a server is going to provide caching services then it must provide recursive queries and recursive queries need access to the root servers which is provided via the ‘type hint’ statement. A caching server will typically have a named.conf file which includes the following fragment:

// options section fragment of named.conf

// recursion yes is the default and may be omitted

options {

        directory "/var/named";

        version "not currently available";

        recursion yes;

};

// zone section

....

// the DOT indicates the root domain = all domains

zone "." IN {

        type hint;

        file "root.servers";

};

Notes:

BIND defaults to recursive queries which by definition provides caching behaviour. The named.conf recursion parameter controls this behaviour.
The zone ‘.’ is shorthand for the root domain which translates to ‘any domain not defined as either a master or slave in this named.conf file’.
cache data is discarded when BIND is restarted.

The most common DNS server caching configurations are:

A DNS server acting as master or slave for one or more zones (domains) and as cache server for all other requests. A general purpose DNS server.
A caching only local server – typically used to minimise external access or to compensate for slow external links. This is sometimes called a Proxy server though we prefer to associate the term with a Forwarding server

To cache or not is a crucial question in the world of DNS. BIND is regarded as the reference implementation of the DNS specification. As such it provides excellent – if complex to configure – functionality. The down side of generality is suboptimal performance on any single function – in particular caching involves a non-trivial performance overhead.
For general usage the breadth of BIND functionality typically offsets any performance concerns. However if the DNS is being ‘hit’ thousands of times per second performance is a major factor. There are now a number of alternate Open Source DNS servers some of which stress performance. These servers typically do NOT provide caching services (they are said to be ‘Authoritative only’ servers).
Example configuration files for a caching DNS are provided.
Note: The response to a query is Authoritative under three conditions:

The response is received from a Zone master.
The response is received from a Zone slave with non time-expired zone data.
The response is received by a caching server directly from either a Zone master or slave. If the response is read from the cache directly it is not authoritative.

4.4 Forwarding (a.k.a Proxy) Name Servers

A forwarding (a.k.a. Proxy, Client, Remote) server is one which simply forwards all requests to another DNS and caches the results. On its face this look a pretty pointless exercise. However a forwarding DNS sever can pay-off in two ways where access to an external network is slow or expensive:

Local DNS server caching – reduces external access and both speeds up responses and removes unnecessary traffic.
Remote DNS server provides recursive query support – reduction in traffic across the link – results in a single query across the network.

Forwarding servers also can be used to ease the burden of local administration by providing a single point at which changes to remote name servers may be managed, rather than having to update all hosts.
Forwarding can also be used as part of a Split Server configuration for perimeter defence.
BIND allows configuration of forwarding using the forward and forwarders parameters either at a ‘global’ level (in an options section) or on a per-zone basis in a zone section of the named.conf file. Both configurations are shown in the examples below:

Global Forwarding – All Requests

// options section fragment of named.conf

// forwarders can have multiple choices

options {

        directory "/var/named";

        version "not currently available";

        forwarders {10.0.0.1; 10.0.0.2;};

        forward only;

};

// zone file sections

....

Per Domain Forwarding

// zone section fragment of named.conf

zone "example.com" IN {

        type forward;

        forwarders {10.0.0.1; 10.0.0.2;};

};

Where dial-up links are used with DNS forwarding servers BIND’s general purpose nature and strict standards adherence may not make it an optimal solution. A number of the Alternate DNS solutions specifically target support for such links. BIND provides two parameters dialup and heartbeat-interval (neither of which is currently supported by BIND 9) as well as a number of others which can be used to minimise connection time.
Example configuration files for a forwarding DNS are provided.

4.5 Stealth (a.k.a. DMZ or Split) Name Server

A stealth server is defined as being a name server which does not appear in any publicly visible NS Records for the domain. The stealth server is normally used in a configuration called Split Severs which can be roughly defined as having the following characteristics:

The organisation needs a public DNS to enable access to its public services e.g. web, mail ftp etc..
The organisation does not want the world to see any of its internal hosts either by interrogation (query or zone transfer) or should the DNS service be compromised.

A Split Server configuration is shown in Figure 4.1.
Description: Split (Stealth) Server configuration

Figure 4.1 Split Server configuration
The external server(s) is(are) configured to provide Authoritative Only responses and no caching (no recursive queries accepted). The zone file for this server would be unique and would contain ONLY those systems or services that are publicly visible e.g. SOA, NS records for the public (not stealth) name servers, MX record(s) for mail servers and www and ftp service A records. Zone transfers can be allowed between between the public servers as required but they MUST NOT transfer or accept transfers from the Stealth server. While this may seem to create more work, the concern is that should the host running the external service be compromised then inspection of the named.conf or zone files must provide no more information than is already publically visible. If ‘master’, ‘allow-notify’,'allow-transfer’ options are present in named.conf (each of which will contain a private IP) then the attacker has gained more knowledge about the organisation – they have penetrated the ‘veil of privacy’.
There are a number of articles which suggest that the view statement may be used to provide similar functionality using a single server but this does not address the problem of the DNS host system being compromised and by simple inspection of the named.conf file additional data about the organisation could be discovered. In our opinion ‘view’ does not provide adequate security in a ‘Split DNS’ solution.
A minimal public zone file is shown below:

; public zone master file

; provides minimal public visibility of external services

example.com.  IN      SOA   ns.example.com. root.example.com. (

                              2003080800 ; se = serial number

                              3h         ; ref = refresh

                              15m        ; ret = update retry

                              3w         ; ex = expiry

                              3h      ; min = minimum

              IN      NS      ns1.example.com.

              IN      NS      ns2.example.com.

              IN      MX  10  mail.example.com.

ns1           IN      A       192.168.254.1

ns2           IN      A       192.168.254.2

mail          IN      A       192.168.254.3

www           IN      A       192.168.254.4

ftp           IN      A       192.168.254.5

The internal server (the Stealth Server) can be configured to make visible internal and external services, provide recursive queries and all manner of other services. This server would use a private zone master file which could look like this:

; private zone master file used by stealth server(s)

; provides public and private services and hosts

example.com.  IN      SOA   ns.example.com. root.example.com. (

                              2003080800 ; se = serial number

                              3h         ; ref = refresh

                              15m        ; ret = update retry

                              3w         ; ex = expiry

                              3h         ; min = minimum

              IN      NS      ns1.example.com.

              IN      NS      ns2.example.com.

              IN      MX  10  mail.example.com.

; public hosts

ns1           IN      A       192.168.254.1

ns2           IN      A       192.168.254.2

mail          IN      A       192.168.254.3

www           IN      A       192.168.254.4

ftp           IN      A       192.168.254.5

; private hosts

joe           IN      A       192.168.254.6

bill          IN      A       192.168.254.7

fred          IN      A       192.168.254.8

....

accounting    IN      A       192.168.254.28

payroll       IN      A       192.168.254.29

Using BIND 9′s view statement can provide different services to internal and external requests can reduce further the Stealth server’s visibility e.g. forwarding all DNS internal requests to the external server.
Example configuration files for a stealth DNS are provided.

4.6 Authoritative Only Server

The term Authoritative Only is normally used to describe two concepts:

The server will deliver Authoritative Responses – it is a zone master or slave for one or more domains.
The server will NOT cache.

There are two configurations in which Authoritative Only servers are typically used:

As the public or external server in a Split (a.k.a. DMZ or Stealth) DNS used to provide perimeter security.
High Performance DNS servers. In this context general purpose DNS servers such as BIND may not provide an ideal solution and there are a number of Open Source Alternatives some of which specialise in high performance Authoritative only solutions.

You cannot completely turn off caching in BIND but you can control it and provide the functionality described above by simply turning off recursion in the ‘option’ section of named.conf as shown in the example below.

// options section fragment of named.conf

// recursion no = limits caching

options {

        directory "/var/named";

        version "not currently available";

        recursion no;

};

// zone file sections

....

BIND provides three more parameters to control caching ,max-cache-size and max-cache-ttl neither of which will have much effect on performance in this particular case and allow-recursion which uses a list of hosts that are permitted to use recursion (all others are not).
Example configuration files for a authoritative-only DNS are provided.

4.7 Split Horizon DNS Server

This section was introduced at the suggestion of Maren Leizaola – many thanks for both taking the time and for providing interesting usage examples.
The term Split Horizon is normally used to describe a DNS server that will give different responses (IP addresses) based on the source address, or some other characteristic, of the query. While it has similar configuration properties to the Stealth DNS it can also be used in a varity of unique situations such as:

Geographic Dispersal: Assume that, for example, a web service is replicated in a number of locations (for either performance or access latency reduction) then a specific IP address may be returned based on the source address of the query to ensure the shortest possible path from the user to the service. For those familiar with anycast you could consider this as a poor man’s anycast service.
Naming Consistency: Assume that you have, say, a corporate in-house LDAP service and that for reasons of security you want to keep certain highly secure data on one server only accessible to certain individuals or organizational sections, which have unique or identifiable IP addresses or address ranges, but for resons of consistency (scripts, configuration files etc) you want both the secure and insecure LDAP services to be named, say, ldap.example.com.

Other possibilities may strike imaginative readers. The unifying element is that some characteristic of the incoming query will cause the DNS to generate a query-dependent result.
BIND’s view clause provides a method that can be used to build such configurations and example files are provided .

What Is iptables?

How do I configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora / Redhat Enterprise Linux?
Netfilter is a host-based firewall for Linux operating systems. It is included as part of the Linux distribution and it is activated by default. This firewall is controlled by the program called iptables. Netfilter filtering take place at the kernel level, before a program can even process the data from the network packet.

Iptables Config File

The default config files for RHEL / CentOS / Fedora Linux are:

/etc/sysconfig/iptables – The system scripts that activate the firewall by reading this file.

Description: http://c.cyberciti.biz/cbzcache/3rdparty/firewall.png

Task: Display Default Rules

Type the following command:
iptables --line-numbers -n -L
Sample outputs:

Chain INPUT (policy ACCEPT)

num  target     prot opt source               destination

1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)

num  target     prot opt source               destination

1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)

num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)

num  target     prot opt source               destination

1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255

3    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353

4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53

5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22

7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53

8    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Task: Turn On Firewall

Type the following two commands to turn on firewall:

chkconfig iptables on

service iptables start

# restart the firewall

service iptables restart

# stop the firewall

service iptables stop

Understanding Firewall

There are total 4 chains:

INPUT – The default chain is used for packets addressed to the system. Use this to open or close incoming ports (such as 80,25, and 110 etc) and ip addresses / subnet (such as 202.54.1.20/29).
OUTPUT – The default chain is used when packets are generating from the system. Use this open or close outgoing ports and ip addresses / subnets.
FORWARD – The default chains is used when packets send through another interface. Usually used when you setup Linux as router. For example, eth0 connected to ADSL/Cable modem and eth1 is connected to local LAN. Use FORWARD chain to send and receive traffic from LAN to the Internet.
RH-Firewall-1-INPUT - This is a user-defined custom chain. It is used by the INPUT, OUTPUT and FORWARD chains.

Packet Matching Rules

Each packet starts at the first rule in the chain .
A packet proceeds until it matches a rule.
If a match found, then control will jump to the specified target (such as REJECT, ACCEPT, DROP).

Target Meanings

The target ACCEPT means allow packet.
The target REJECT means to drop the packet and send an error message to remote host.
The target DROP means drop the packet and do not send an error message to remote host or sending host.

/etc/sysconfig/iptables

Edit /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables
You will see default rules as follows:

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

:RH-Firewall-1-INPUT - [0:0]

-A INPUT -j RH-Firewall-1-INPUT

-A FORWARD -j RH-Firewall-1-INPUT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT

-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT

Drop All Traffic

Find lines:

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

Update as follows to change the default policy to DROP from ACCEPT for the INPUT and FORWARD built-in chains:

:INPUT DROP [0:0]

:FORWARD DROP [0:0]

Log and Drop Spoofing Source Addresses

Append the following lines before final COMMIT line:

-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "

-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF "

-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF "

-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST "

-A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF "

-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK "

-A INPUT -i eth0 -s 169.254.0.0/16  -j LOG --log-prefix "IP DROP MULTICAST "

-A INPUT -i eth0 -s 0.0.0.0/8  -j LOG --log-prefix "IP DROP "

-A INPUT -i eth0 -s  240.0.0.0/4  -j LOG --log-prefix "IP DROP "

-A INPUT -i eth0 -s  255.255.255.255/32  -j LOG --log-prefix "IP DROP  "

-A INPUT -i eth0 -s 168.254.0.0/16  -j LOG --log-prefix "IP DROP "

-A INPUT -i eth0 -s 248.0.0.0/5  -j LOG --log-prefix "IP DROP "

Log And Drop All Traffic

Find the lines:

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT

Update it as follows:

-A RH-Firewall-1-INPUT -j LOG

-A RH-Firewall-1-INPUT -j DROP

COMMIT

Open Port

To open port 80 (Http server) add the following before COMMIT line:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT

To open port 53 (DNS Server) add the following before COMMIT line:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT

-A RH-Firewall-1-INPUT -m udp -p tcp --dport 53 -j ACCEPT

To open port 443 (Https server) add the following before COMMIT line:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT

To open port 25 (smtp server) add the following before COMMIT line:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT

Only allow SSH traffic From 192.168.1.0/24

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT

Enable Printing Access For 192.168.1.0/24

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT

Allow Legitimate NTP Clients to Access the Server

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

Open FTP Port 21 (FTP)

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

Save and close the file. Edit /etc/sysconfig/iptables-config, enter:
# vi /etc/sysconfig/iptables-config
Make sure ftp module is loaded with the space-separated list of modules:

IPTABLES_MODULES="ip_conntrack_ftp"

To restart firewall, type the following commands:
# service iptables restart
# iptables -vnL --line-numbers

Edit /etc/sysctl.conf For DoS and Syn Protection

Edit /etc/sysctl.conf to defend against certain types of attacks and append / update as follows:

et.ipv4.conf.all.log_martians = 1

net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

net.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.icmp_ignore_bogus_error_messages = 1

net.ipv4.tcp_syncookies = 1

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

See previous FAQ, “Linux Kernel /etc/sysctl.conf Security Hardening” for more details.

Alternate Configuration Option

You can skip /etc/sysconfig/iptables file and create a shell script from scratch as follows:

#!/bin/bash

# A sample firewall shell script

IPT="/sbin/iptables"

SPAMLIST="blockedip"

SPAMDROPMSG="BLOCKED IP DROP"

SYSCTL="/sbin/sysctl"

BLOCKEDIPS="/root/scripts/blocked.ips.txt"

# Stop certain attacks

echo "Setting sysctl IPv4 settings..."

$SYSCTL net.ipv4.ip_forward=0

$SYSCTL net.ipv4.conf.all.send_redirects=0

$SYSCTL net.ipv4.conf.default.send_redirects=0

$SYSCTL net.ipv4.conf.all.accept_source_route=0

$SYSCTL net.ipv4.conf.all.accept_redirects=0

$SYSCTL net.ipv4.conf.all.secure_redirects=0

$SYSCTL net.ipv4.conf.all.log_martians=1

$SYSCTL net.ipv4.conf.default.accept_source_route=0

$SYSCTL net.ipv4.conf.default.accept_redirects=0

$SYSCTL net.ipv4.conf.default.secure_redirects=0

$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=1

$SYSCTL net.ipv4.icmp_ignore_bogus_error_messages=1

$SYSCTL net.ipv4.tcp_syncookies=1

$SYSCTL net.ipv4.conf.all.rp_filter=1

$SYSCTL net.ipv4.conf.default.rp_filter=1

$SYSCTL kernel.exec-shield=1

$SYSCTL kernel.randomize_va_space=1

echo "Starting IPv4 Firewall..."

$IPT -F

$IPT -X

$IPT -t nat -F

$IPT -t nat -X

$IPT -t mangle -F

$IPT -t mangle -X

# load modules

modprobe ip_conntrack

[ -f "$BLOCKEDIPS" ] && BADIPS=$(egrep -v -E "^#|^$" "${BLOCKEDIPS}")

# interface connected to the Internet

PUB_IF="eth0"

#Unlimited traffic for loopback

$IPT -A INPUT -i lo -j ACCEPT

$IPT -A OUTPUT -o lo -j ACCEPT

# DROP all incomming traffic

$IPT -P INPUT DROP

$IPT -P OUTPUT DROP

$IPT -P FORWARD DROP

if [ -f "${BLOCKEDIPS}" ];

then

# create a new iptables list

$IPT -N $SPAMLIST

for ipblock in $BADIPS

do

   $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG "

   $IPT -A $SPAMLIST -s $ipblock -j DROP

done

$IPT -I INPUT -j $SPAMLIST

$IPT -I OUTPUT -j $SPAMLIST

$IPT -I FORWARD -j $SPAMLIST

fi

# Block sync

$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"

$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP

# Block Fragments

$IPT -A INPUT -i ${PUB_IF} -f  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"

$IPT -A INPUT -i ${PUB_IF} -f -j DROP

# Block bad stuff

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Allow full outgoing connection but no incomming stuff

$IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow ssh

$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 22 -j ACCEPT

# Allow http / https (open port 80 / 443)

$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 80 -j ACCEPT

$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 443 -j ACCEPT

# allow incomming ICMP ping pong stuff

$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPT -A OUTPUT -i ${PUB_IF} -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow port 53 tcp/udp (DNS Server)

$IPT -A INPUT -i ${PUB_IF} -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPT -A OUTPUT -i ${PUB_IF} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED  -j ACCEPT

$IPT -A OUTPUT -i ${PUB_IF} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open port 110 (pop3) / 143

$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 110 -j ACCEPT

$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 143 -j ACCEPT

##### Add your rules below ######

##### END your rules ############

# Do not log smb/windows sharing packets - too much logging

$IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT

$IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT

# log everything else and drop

$IPT -A INPUT -j LOG

$IPT -A FORWARD -j LOG

$IPT -A INPUT -j DROP

exit 0

NAT

ME .
Linux Guru
If you are running a recent 2.6 Linux Kernel this four step process should work for you. This has been specifically tested on Fedora Core 3, 4, 5, and 6, but should work on any modern Linux distribution. All of these commands must be executed as the root user. First you need to tell your kernel that you want to allow IP forwarding.

echo 1 > /proc/sys/net/ipv4/ip_forward

Then you’ll need to configure iptables to forward the packets from your internal network, on /dev/eth1, to your external network on /dev/eth0. You do this will the following commands:

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

You should now be NATing. You can test this by pinging an external address from one of your internal hosts. The last step is to ensure that this setup survives over a reboot. Obviously you should only do these last two steps if your test is a success.
You will need to edit /etc/sysctl.conf and change the line that says net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1. Notice how this is similar to step number one? This essentially tells your kernel to do step one on boot.
Ok last step for Fedora/RHEL users. In order for your system to save the iptables rules we setup in step two you have to configure iptables correctly. You will need to edit /etc/sysconfig/iptables-config and make sure IPTABLES_MODULES_UNLOAD, IPTABLES_SAVE_ON_STOP, and IPTABLES_SAVE_ON_RESTART are all set to ‘yes’.
For non-Fedora/RHEL users you can simply setup an init script for this or simply append these commands to the existing rc.local script so they are executed on boot. Or if you want to get even more fancy, you can use the commands iptables-save and iptables-restore to save/restore the current state of your iptables rules.
After all that is done, you should probably do a test reboot to ensure that you’ve done everything correctly. If you find any errors on this page or this does not work for you please feel free to E-mail m

Mount NTFS

How to mount partition with ntfs file system and read write access

Article Index

1. Introduction

2. Mount NTFS file system with read only access

2.1. NTFS kernel support

2.2. Identifying partition with NTFS file system

2.3. Mount NTFS partition

3. Mount NTFS file system with read write access

3.1. Install addition software

3.1.1. Fuse Install

3.1.2. ntfs-3g install

3.2. Mount ntfs partition with read write access

1. Introduction

Purpose of this article is to provide to reader step by step guide, how to mount partition with NTFS file system on the Linux operating system. This article consists of two parts:

mount NTFS file system read only access
mount NTFS file system with read write access

2. Mount NTFS file system with read only access

2.1. NTFS kernel support

Majority of current Linux distributions supports NTFS file system out of the box. To be more specific, support for NTFS file system is more feature of Linux kernel modules rather than Linux distributions. First verify if we have NTFS modules installed on our system.

ls /lib/modules/2.6.18-5-686/kernel/fs/ | grep ntfs

NTFS module is presented. Let’s identify NTFS partition.

2.2. Identifying partition with NTFS file system

One simple way to identify NTFS partition is:

fdisk -l | grep NTFS

There it is: /dev/sdb1

2.3. Mount NTFS partition

First create a mount point:

mkdir /mnt/ntfs

Then simply use mount command to mount it:

mount -t ntfs /dev/sdb1 /mnt/ntfs

Description: Mount NTFS partition using linux

Now we can access NTFS partition and its files with read write access.

3. Mount NTFS file system with read write access

Mounting NTFS file system with read write access permissions is a bit more complicated. This involves installation of addition software such as fuse and ntfs-3g. In both cases you probably need to use your package management tool such as yum, apt-get, synaptic etc.. and install it from your standard distribution repository. Check for packages ntfs-3g and fuse. We take the other path which consists of manual compilation and installation fuse and ntfs-3g from source code.

3.1. Install addition software

3.1.1. Fuse Install

Download source code from: http://fuse.sourceforge.net/

wget http://easynews.dl.sourceforge.net/sourceforge/fuse/fuse-2.7.1.tar.gz

Compile and install fuse source code:
Extract source file:

tar xzf fuse-2.7.1.tar.gz

Compile and install

cd fuse-2.7.1

./configure --exec-prefix=/; make; make install

Description: Compile and install fuse source code

3.1.2. ntfs-3g install

Download source code from: http://www.ntfs-3g.org/index.html#download

wget http://www.ntfs-3g.org/ntfs-3g-1.1120.tgz

Extract source file:

tar xzf ntfs-3g-1.1120.tgz

Compile and install ntfs-3g source code
NOTE: Make sure that you have pkg-config package installed, otherwise you get this error message:

checking for pkg-config... no

checking for FUSE_MODULE... configure: error: FUSE >= 2.6.0 was not found. Either it's not fully

installed (e.g. fuse, fuse-utils, libfuse, libfuse2, libfuse-dev, etc packages) or files from an old

version are still present. See FUSE at http://fuse.sf.net/

cd ntfs-3g-1.1120

./configure; make; make install

Description: Compile and install ntfs-3g source code

3.2. Mount ntfs partition with read write access

mount -t ntfs-3g /dev/sdb1 /mnt/ntfs/

NOTE: ntfs-3g recommends to have at least kernel version 2.6.20 and higher.

linuxconfig.org~# mount -t ntfs-3g /dev/sdb1 /mnt/ntfs/

WARNING: Deficient Linux kernel detected. Some driver features are

         not available (swap file on NTFS, boot from NTFS by LILO), and

         unmount is not safe unless it's made sure the ntfs-3g process

         naturally terminates after calling 'umount'. If you wish this

         message to disappear then you should upgrade to at least kernel

         version 2.6.20, or request help from your distribution to fix

         the kernel problem. The below web page has more information:

http://ntfs-3g.org/support.html#fuse26

All Commands

ME .

Linux Admin

This is a list of commands that gives you just enough information to decide what command you want to use.

A

alias – allows you to create shorter or more familiar names for commonly used commands
apropos – search the manual page names and descriptions
at – execute a command-line task at a specified future time
awk – print only the n^th word of an input line and more

B

badblocks – a command disk utility
bash – a shell
beep – customized audible alerts
bunzip2 – unpack files packed with bzip2
bzip2 – a pack utility

C

cat – receive strings from stdin or a file and output them to stdout or a file
chgrp – change the group ownership of a file
chmod – change the permission mode of a file
chown – change the owner of a file
chroot – change the position of a root directory in filesystem
chsh – change the shell of a user
cp – copy a file
cpio – pack or unpack files in cpio archives or tarballs
cron – schedule tasks to be executed regularly at a specific time
crontab – control the cron service
cut – display specific coloumns of a file delimited by a character
cvs – a version management system

D

date – output or set date and time
dd – dump a disk to/from a file and more
df – show how much free disk space there is
diff – show the difference between two files and more
dig – show answer of DNS lookup of queried name server
disown – disowns a job (removes the pid of the job). Even when the shell exits, the job won’t stop running
du – show how much disc space is used up

E

echo – echo a string/value to stdout
env – show all environment variables
exit – exit most shells
export – set an environment variable in the bash or zsh

F

fdisk – partition a disc
fg – fetch a process from the background to the foreground
file (command) – determine a file’s type
find – find a file depending on its name, size, change date or other attributes
ftp – get files from the internet

G

g++ – compile C++ code
gcc – compile C code
grep – grab for patterns in a file and more
groups – show what groups your user is in
gunzip – unpack files from a special format
gzip – pack files in a special format

H

halt – shut down your computer
head – show only the first n lines of a file and more
hexdump – show a file’s content in hexadecimal numbers and more
history (command) – show a command history in the bash shell
hostname – show your computer’s name
hwinfo – show your available hardware

I

id – show your user and groups ids
ifconfig – show your ip address and more
info – show info about a given command
init – reboot or change runlevel
iptables – show your firewall configuration
iptraf – Interactive IP LAN monitor

J

jobs – gives a list of current background jobs (processes)

K

kill – kill a process
killall – kill all processes with a given name

L

ldd – show dynamic libraries needed by an executable
less – show output in a viewer where you can scroll and search
ln – link a file
ls – list a file
lsmod – list loaded kernel modules
lsof – list open files and listening sockets
lspci – list all pci devices
lsusb – list usb devices

M

make – compile software and more
man – get help on questions that you never wanted to ask
md5sum – compute the md5 sum of a file and more
mkdir – make a directory
mkfs – format a device
minicom – communicate over your RS232 interface
more – show input in a searchable pager
mount – prepare a device for reading and writing
mv – move a file (can also be renaming)

N

netcat – Send some bytes to the network
netstat – get information on listening sockets, open ports and more
nice – set a process’ priority
nm – list the names of functions in an object file
nmap – network and port scanner tool

O

objdump – show information about object files
openssl – create cryptographic server certificates and more

P

passwd – change your and other’s password
ping – show if a given computer is up and running
ps – show running processes
pwd – show your current working directory

Q

quota – manage how much resources the user is allowed to consume

R

rar – rar files/directories
read – read a string from your keyboard and more
reboot – reboot the computer
rename – rename a file
rm – delete a file
route – manage your network routing table
rpm – a package management backend for Redhat and Fedora
rsync – synchronize your folders over the network

S

scp – (secure copy) over a network
screen – a terminal multiplexer
sed – manipulate a stream of characters (scripting language)
setenv – change the value of an environment variable in the csh
shuf – generate random permutations
shutdown – shutdowns/reboots the system
sleep – wait/delay some time
ssh – login into / execute commands in a remote host
su – change user
sudo – execute the command as another user (usually root- /etc/sudoers)

T

tail – show only the last n lines of a file and more
tar – pack files in a special format
tcpdump – dump the tcp network traffic
tee – multiplex cli output
time – show the time needed by a command to finish
top – show the top CPU consuming processes and more
touch – create a file or update its time stamp
traceroute – show the route a package takes over the network
tac – print the file in reverse. (opposite of cat) (cat X tac)

U

ulimit – show the limits of your user
umount – unmount a device (Often requires sudo permissions)
uname – show the running kernel’s version and more
uniq – remove repeated lines in a sorted file
unzip – unpack files
uptime – show the time since your computer was last switched on
useradd – add a user
userdel – delete a user
usermod – modify a user

V

Vgcreate – create lvm volume groups
Vgdisplay – display lvm volume groups
Vgs – show information about lvm volume groups
Vgscan – scan for lvm volume groups
vim – its not a text editor like Notepad, it is an IDE
Vmstat – show input/output values, swap, memory consumption and more

W

w – print who is logged in to your system
wc – word count (word,line,char)
which – print the path where you find an executable file
whoami – print your effective user name

X

xargs – hand over stdin as a parameter
xev – show information about your keystrokes and more
xkill – kill a window that is in your way
xosview – show CPU/memory/hard Drive activity and more

Y

yacc – A C parser generator
yes – repeatedly output a string
yum – a package management frontend for Redhat & Fedora
yast – a package management frontend for SUSE

Z

zip – pack a file

Encryption tools

gpg - Encrypts data using GNU Privacy Guard.
mcrypt - Encrypts the specified file.
mimencode - Encodes the specified binary file to on eof the ASCII encoding formats.
mpack - Pack a file in MIME format.
uuencode - Encodes the specified binary file so that it can be transferred over a medium which does not support non-ASCII characters.

Decryption tools

gpg - Decrypts data using GNU Privacy Guard.
mdecrypt - Decrypts any file with the .enc suffix, that was encrypted by mcrypt.
munpack - unpack messages in MIME or split-uuencode format.
uudecode - Decodes the uuencode coded file.
uudeview - a powerful decoder for binary files.

Directory Commands

cd - Change directories
df - print the free space available in a directory
du - print the size of a directory
ln - Create a link to a file or directory
ls - Lists the files contained in the directory
mkdir - Create a new directory
pwd - Print the current working directory
rmdir – Remove the specified directory
symlinks - Find symbolic links

Partitioning

cfdisk - Interactive hard disc partition utility for text mode.
fdisk - Launches a menu-driven program that partitions a hard disk.
parted - command line partitioning tool. (parted sometimes complains about boundaries of partitions created with fdisk. parted can format a partition of type ext2 or fat32 partition while creating it.)

Formatting

mkfs - front-end to various filesystem-creation tools

parted can create a filesystem while partitioning
mkfs.vfat /dev/sde1 to format a fat32 partition sde1
mkfs.ext2 /dev/sde2 to format an ext2 partition sde2

Tuning

tune2fs - command to tune ext2/ext3 filesystems

tune2fs -j /dev/sde2 to convert an ext2 filesystem sde2 to ext3 by adding a journal
tune2fs -L /dev/sde2 bulkdata to set the volume label of sde2 to “bulkdata”

debugfs - Interactive utility to repair the ext2 filesystem on specified drive.
e2fsck- Performs an analysis of the filesystem’s integrity and optionally repairs errors.
badblocks - Scans the specified drive for bad blocks.

Using a configured hard drive or tape

df - Displays the amount of disc space used and remaining on all mounted filesystems.
hwinfo - Automatically recognizes all available CD-ROM drives.
mount - Attaches the device to a specified directory, which will serve as the filesystem’s mount point.
sync - Flushes the filesystem buffers.
umount - Unmounts the filesystem specified by the device.
du - Displays the amount of disc space used in the current directory.

duchs – Lists the largest directories in human readable format

eject - Ejects the media in the specified drive.

Rescuing

mc (midnight commander) – Command line file manager. Can undelete files in unmounted ext2 filesystems.

Backing-up

partimage - Backs up disk partitions into image files and restores them.

Logical Volume Management

See LVM.

File Search

find - Versatile tool for searching for files based on name, size, date, etc.
locate - Lists all files with a given word in the name
whereis - Finds commands, source, and manpages
which - Finds commands on the path
grep - Searches for text/patterns within a file

File Analysis

cksum - Calculate the checksum of a file.
diff - Find differences between two files.
file - Determine file type.
ls - List the contents of a directory.
lsattr - List the attributes of a file.
md5sum - Calculate or check the MD5 checksum of a file
wc - Displays line, word and character count for specified filename.

File Manipulation

cp - Copy a file from one location to another.
dd - Copies a file and performs various conversions at the same time.
some dd examples – This is good stuff. Must read for anyone serious about Linux
du - Shows disk usage of files
install - Copy file(s), preserving permissions.
ln - Create a link to a file.
mv - Rename or move a file.
rename - Another renaming tool
rm - Remove (delete) a file.

File Attribute Manipulation

chgrp - Change the group ownership of a file or directory.
chmod - Change the mode (access permissions) of a file or directory.
chown - Change the ownership of a file or directory.
getfacl - View the acl permissions associated with the file or directory.
setfacl - Change the acl permissions associated with the file or directory.
touch - Update access times or, potentially, create a file.

File usage

lsof - List all currently opened files
fuser - List which processes that are currently using a specific file

ethtool command to show if a network cable is plugged in e.a.

ftp Used to establish a connection with a specified host using the File Transfer Protocol. ifconfig Displays/establishes information about the network interfaces.

ifup Bring up network interface.

ifdown Bring up network interface.

iptraf Interactive IP LAN monitor

iwconfig Displays/establishes information about the wireless interfaces.

ip Used to manage IP network interfaces.

lsof Command to show what processes are making use of a port e.a.

nmap Command to show which ports are open e.a.

netstat Displays information about the Linux networking subsystem.

nslookup Looks up the numerical IP address of the specified host.

ping Sends a packet to a designated address and waits for a response.

route Configure IP4 routing sCp Copy files over the network.

showmount Displays the Network Filesystem mounts available.

smbclient Launches an interactive samba utility which resembles ftp.

smbmount Mounts a remote Samba service at the specified mount point.

smbumount Unmounts the specified Samba mount point.

ssh Control a remote computer over the network.

telnet Opens a terminal window on the remote host and starts an interactive session. traceroute Prints the route that packets take to network host

wvdial Initiates a PPP dial-up connection.

Managing Sessions

login - prompts the user for username and password.
nohup - Prevents programs from getting killed on logout.
rlogin - enables you to establish a user session on another computer connected to the LAN. Deprecated, safety-hazard. Use ssh instead.
screen - Terminal multiplexer. This is somewhat like a virtual terminal, only much more powerful.
shutdown - Shuts down the system.
startx - This shell script, enables you to start a X session.
tty - Displays the number of the terminal device that is currently in use.
xdm, kdm, gdm - Starting the X (KDE, Gnome) Display Manager
xterm - Starts the xterm terminal emulation program. requires the X window system.

Packing files

To pack means to unite several files in one file, called an archive. Typical commands for packing under Linux are

zip — for .zip files

Example:

zip -r targetfile sourcedirectory

tar — for .tar and .tar.gz files

Example (creates a .tar.gz file):

tar cvzf targetfile.tar.gz sourcedirectory

bzip2 — for .bz2 files

Example:

bzip2 sourcefile

Unpacking files

How to unpack files depends on their suffix:

.tar.gz

unpack with the command

tar xvzf archive.tar.gz

where archive is the archive’s name without suffix

.tar

unpack with the command

tar xvf archive.tar

where archive is the archive’s name without suffix

.zip

unpack with the command

unzip archive.zip

where archive is the archive’s name without suffix

.bz2

unpack with the command

bunzip2 archive.bz2

where archive is the archive’s name without suffix

.rar

unpack with the command

unrar x archive.rar

where archive is the archive’s name without suffix
Some programming-related commands:

compiling

g++ — C++ front-end to GCC.
gcc — “GNU Compiler Collection”. Also C compiler.
gcj — Java front-end to GCC.
as – the portable GNU assembler

linking and libraries (see also Library-related_Commands_and_Files)

ar – tool for creating, modifying, and extracting from archives
ld – the GNU linker
ldconfig
ldd
ld.so
pkg-config – tool for outputting linker and compiler flags for a given library

dealing with object files (see also binutils)

nm – lists symbols from object files
objcopy – copies and translates object files
objdump – display information from object files
readelf – displays information about ELF files

lexical analyzer and parser

bison (the yacc replacement)
flex (the lex replacement)

debugging
Main article: debuggers

ddd
gdb
lint
valgrind
gprof – fight performance problems using profiling

build tools

autoconf – generates configuration scripts
automake – automatically generates ‘Makefile.in’s from ‘Makefile.am’s
ant
jam
libtool
make, makefile, configure script
scons

source code tagging

ctags — for vim- and NEdit-compatible tag files
etags — for emacs-compatible tag files

revision control

GNU Arch
Bazaar-NG — aka “Bazaar 2″, aka “bzr”
CVS
git
RCS
Subversion

misc

addr2line – converts addresses into file names and line numbers
file – find out file type (like “link”, “executable” or shared object)
strings – finds printable strings in a file

Bash scripting

Main article: bash tips

Hello world

The minimal bash script that only outputs “hello world” looks like this:

#!/bin/bash

echo "hello world"

Find out your distribution

Main article: find out your distribution
The following script tells you what distribution you have installed on your computer.

#!/bin/bash

found=0;

if [ -e /etc/SuSE-release ]; then echo "You have a SUSE distro"; export found=1; fi

if [ -e /etc/redhat-release ]; then echo "You have a Red Hat distro"; export found=1; fi

if [ -e /etc/fedora-release ]; then echo "You have a Fedora distro"; export found=1; fi

if [ -e /etc/debian-version ]; then echo "You have a Debian, Ubuntu, Kubuntu, Edubuntu or Flubuntu distro"; export found=1; fi

if [ -e /etc/slackware-version ]; then echo "You have a SlackWare distro"; export found=1; fi

if ! [ $found = 1 ]; then echo "I could not find out your distro"; fi

It looks if the respective files exist (if [ -e /etc/SuSE-release ];) and prints the distribution they flag (using the command echo).

Tonka Script

Changes your console to some other colours.

#!/bin/bash

function tonka {

#   Named "Tonka" because of the colour scheme

local WHITE="\[33[1;37m\]"

local LIGHT_BLUE="\[33[1;34m\]"

local YELLOW="\[33[1;33m\]"

local NO_COLOUR="\[33[0m\]"

case $TERM in

    xterm*|rxvt*)

        TITLEBAR='\[33]0;\u@\h:\w07\]'

;;

*)

        TITLEBAR=""

;;

esac

PS1="$TITLEBAR\

$YELLOW-$LIGHT_BLUE-(\

$YELLOW\u$LIGHT_BLUE@$YELLOW\h\

$LIGHT_BLUE)-(\

$YELLOW\$PWD\

$LIGHT_BLUE)-$YELLOW-\

\n\

$YELLOW-$LIGHT_BLUE-(\

$YELLOW\$(date +%H%M)$LIGHT_BLUE:$YELLOW\$(date \"+%a,%d %b %y\")\

$LIGHT_BLUE:$WHITE\\$ $LIGHT_BLUE)-$YELLOW-$NO_COLOUR "

PS2="$LIGHT_BLUE-$YELLOW-$YELLOW-$NO_COLOUR "

Get your ip

#!/bin/bash

# get ip

/sbin/ifconfig $1 | grep inet | awk '{print $2}' | sed 's/^addr://g'

To get your Internet address if you are behind a NAT:

## The -n option retrieves the Internet IP address

## if you are behind a NAT

if [ "$1" = "-n" ]

then

  ip=$(lynx -dump http://cfaj.freeshell.org/ipaddr.cgi)

else

  if=$1   ## specify which interface, e.g. eth0, fxp0

  system=$(uname)

  case $system in

      FreeBSD) sep="inet " ;;

      Linux) sep="addr:" ;;

  esac

  temp=$(ifconfig $if)

  temp=${temp#*"$sep"}

  ip=${temp%% *}

fi

printf "%s\n" "$ip"

### CFAJ ###

A shell, also known as a command interpreter, is a specialized program for accepting typed user commands, translating those into programs to run, running those programs, and displaying (or doing something) with the results. A “common” example of a shell is the DOS shell, called COMMAND.COM, which was the complete user interface before Windows.
Different shells exist, offering different feature sets. Two main families of shell exist: the Bourne shell and its variants (sh, bash, ksh) and the C shell and its variants (csh, tcsh). Though many shells have features common to others, the way they make use of those features is unique, so that (for example) Bourne shell conventions don’t usually apply to C shells.

bash – The Bourne-Again SHell – feature-rich default Linux shell.
csh - A shell with C-like syntax, with file name completion and command line editing – usually tcsh on modern Linux.
fish - ‘friendly’ interactive shell
ksh - Korn SHell – part of the sh rather than csh family.
sh - the original shell, often a symlink to bash on modern Linux and the most portable.
tcsh - An extended version of csh, with all its features and some additional ones.
zsh - One of the newest and most feature-rich shells.

General System Information Tools/Utilities

cat /var/log/messages — is the same as dmesg
dmesg – kernel messages given during booting.
kinfocenter – good overview
tail -f /var/log/messages — show the last couple of lines and keep outputting new lines
uname -a — brief OS and kernel information.

Memory Diagnostic Tools/Utilities

cat /proc/meminfo — static information about your RAM
ksysguard – real-time RAM and CPU utilization printout and process table
top – real-time RAM and CPU utilization printout
free – current memory/swap utilization.

CPU Diagnostic Tools/Utilities

cat /proc/cpuinfo – static information about your CPU
hwinfo --cpu — static information about your CPU

Disk and File System Diagnostic Tools/Utilities

cat /etc/fstab — show configuration file for file system mounting.
df -h — current disk space usage (“-h” gives human-readable output)
du -h — determine how much disk space is being used by Cwd, or any directory you specify after the du command (as in df, the “-h” means human-readable)
fdisk -l [/dev/hda] — show partition table(s), leave off device name to list all
mount or cat /etc/mtab — show currently mounted file systems.

Local Devices Diagnostic Tools/Utilities

dmidecode – get all bios information, e.g. computer type.
hwinfo --pci — list devices on the pci bus.
hwinfo --scsi — list all scsi devices.
hwinfo --usb — list all usb devices.
lsdev – list all installed hardware.
lspci – list devices on the pci bus.
lsscsi – list all scsi devices.
lsusb – list all usb devices.
setserial -bg /dev/ttyS[0-9]* — list all active serial devices(/dev/ttyS*).

Kernel and Kernel Module Diagnostic Tools/Utilities

lsmod – list kernel modules currently loaded.

Network Diagnostic Tools/Utilities

Directory /proc/net/

File arp: arp cache. Maps IP address to MAC address
File dev: byte and packet statistics on a per device basis.
File netstat: various statistics
File tcp: established connections.

Directory /proc/sys/net/ipv4/

File: ip_forward: read/write. Whether or not the kernal will forward IP packets from one interface to another. This is turned on if you want the machine to work as a router or a firewall.

ethtool $interface — show the card’s speed, capabilities and if a link is detected
hwinfo --netcard — show the module name, driver activation command, network card name etc.
ifconfig -a — show all current network interface information
ifconfig $interface — show the information for $interface (usually something like ifconfig eth0)
ping $host — use ping to determine if $host is alive on the network (for troubleshooting your local machine $host can equal “127.0.0.1″ or “localhost”
route -n — show routing table, using numerical addresses.

If you want to set up a proxy firewall, this should be off, as it will be the application that forwards traffic, not the kernel.

File: ip_local_port_range: read/write. The range of ports that are used as source ports for outgoing connections.
File: tcp_sack: read/write. Whether or not TCP connections use selective acknowledgement. One=yes, zero=no.
File: tcp_timestamps: read/write. Whether or not TCP connections add timestamps to their connections. One=yes, zero=no.

Dynamic information

Or: What does my hardware do?

ethereal – a network sniffer
lm-sensors — read CPU temperature etc.
ksysguard – CPU, network load etc. comprehensively
top – top CPU consuming processes
vmstat – CPU load, swapping and I/O
xosview – CPU, network load etc. to get an overview

X-Windows Troubleshooting Tools/Utilities

cat /var/log/XFree86.0.log — print out the XFree86 error log.

Note that some systems do not store this log in /var/log. Use either locate XFree86.0.log or find / -name XFree86.0.log to find it.

glxinfo – show the status of your OpenGL subsystem.

Startup/Shutdown

This is a list of startup/shutdown-related commands:

dmesg - display bootup messages.
halt - halt the system. (not recommened – use shutdown -h now instead)
init - set runlevel, or define processes that are begun on a specific runlevel.
reboot - reboot the system.
runlevel - show the current system runlevel.
shutdown - shutdown the system.
swapoff - disable the paging hardware.
swapon - enable the paging hardware.
sync - write buffered memory out to disk.
telinit - move the system to a new runlevel.

Processing Tools

awk - A utility and scripting language
cat - Con-cat-enate file(s) to stdout
cut - Extract portions of lines
diff - Compare differences of files
ed - The editor. ED!
egrep - See grep
fgrep - See grep
grep - Global/regular expression/print (print lines matching an expression)
head - View the top of a file
less - A more powerful pager
more - A less powerful pager
nl - Number lines of files
sed - Stream editor (non-interactive programmatic editor)
sort - Sort input
tac - Cat lines in reverse
rev - Cat characters in reverse
tail - View the bottom of a file
tr - Transform/transliterate text
uniq - Manipulate duplicate lines of a sorted file

Text processors in file utils’ clothing

basename - cut a line to the right from the last slash (works with any input)
dirname - cut a line to the left from the last slash (works with any input)

User Commands

date - Print or set the system date and time.
finger - Display information about a user. May be turned off by default.
id - Display UID and group info about a user.
passwd - Change a user’s password.
quota - Assign quota for users and groups.
su - Change to root or another user id.
useradd - Add a new user to the system.
userdel - Delete a user from the system.
usermod - Modify user information on the system.
users - Display a list of current users.
who - Display a list of current users.
whoami - Print the user name associated with the effective UID.
w - Display who is logged on and what they are doing.

Kernel Compiling

Step # 1 Get Latest Linux kernel code

Visit http://kernel.org/ and download the latest source code. File name would be linux-x.y.z.tar.bz2, where x.y.z is actual version number. For example file inux-2.6.25.tar.bz2 represents 2.6.25 kernel version. Use wget command to download kernel source code:
$ cd /tmp
$ wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-x.y.z.tar.bz2

Note: Replace x.y.z with actual version number.

Step # 2 Extract tar (.tar.bz3) file

Type the following command:
# tar -xjvf linux-2.6.25.tar.bz2 -C /usr/src
# cd /usr/src

Step # 3 Configure kernel

Before you configure kernel make sure you have development tools (gcc compilers and related tools) are installed on your system. If gcc compiler and tools are not installed then use apt-get command under Debian Linux to install development tools.
# apt-get install gcc

Now you can start kernel configuration by typing any one of the command:

$ make menuconfig – Text based color menus, radiolists & dialogs. This option also useful on remote server if you wanna compile kernel remotely.
$ make xconfig – X windows (Qt) based configuration tool, works best under KDE desktop
$ make gconfig – X windows (Gtk) based configuration tool, works best under Gnome Dekstop.

For example make menuconfig command launches following screen:
$ make menuconfig

You have to select different options as per your need. Each configuration option has HELP button associated with it so select help button to get help.

Step # 4 Compile kernel

Start compiling to create a compressed kernel image, enter:
$ make
Start compiling to kernel modules:
$ make modules

Install kernel modules (become a root user, use su command):
$ su -
# make modules_install

Step # 5 Install kernel

So far we have compiled kernel and installed kernel modules. It is time to install kernel itself.
# make install

It will install three files into /boot directory as well as modification to your kernel grub configuration file:

System.map-2.6.25
config-2.6.25
vmlinuz-2.6.25

Step # 6: Create an initrd image

Type the following command at a shell prompt:
# cd /boot
# mkinitrd -o initrd.img-2.6.25 2.6.25

initrd images contains device driver which needed to load rest of the operating system later on. Not all computer requires initrd, but it is safe to create one.

Step # 7 Modify Grub configuration file – /boot/grub/menu.lst

Open file using vi:
# vi /boot/grub/menu.lst

title Debian GNU/Linux, kernel 2.6.25 Default

root (hd0,0)

kernel /boot/vmlinuz root=/dev/hdb1 ro

initrd /boot/initrd.img-2.6.25

savedefault

boot

Remember to setup correct root=/dev/hdXX device. Save and close the file. If you think editing and writing all lines by hand is too much for you, try out update-grub command to update the lines for each kernel in /boot/grub/menu.lst file. Just type the command:
# update-grub
Neat. Huh?

Step # 8 : Reboot computer and boot into your new kernel

Just issue reboot command:
# reboot

Shh

ME .

Linux Administrator

Many of us use the excellent OpenSSH (see Resources later in this article) as a secure, encrypted replacement for the venerable telnet and rsh commands. One of OpenSSH’s more intriguing features is its ability to authenticate users using the RSA and DSA authentication protocols, which are based on a pair of complementary numerical keys. As one of its main appeals, RSA and DSA authentication promise the capability of establishing connections to remote systems without supplying a password. While this is appealing, new OpenSSH users often configure RSA/DSA the quick and dirty way, resulting in passwordless logins, but opening up a big security hole in the process.

What is RSA/DSA authentication?

SSH, specifically OpenSSH (a completely free implementation of SSH), is an incredible tool. Like telnet or rsh, the ssh client can be used to log in to a remote machine. All that’s required is for this remote machine to be running sshd, the ssh server process. However, unlike telnet, the ssh protocol is very secure. It uses special algorithms to encrypt the data stream, ensure data stream integrity and even perform authentication in a safe and secure way.

However, while ssh is really great, there is a certain component of ssh functionality that is often ignored, dangerously misused, or simply misunderstood. This component is OpenSSH’s RSA/DSA key authentication system, an alternative to the standard secure password authentication system that OpenSSH uses by default.

OpenSSH’s RSA and DSA authentication protocols are based on a pair of specially generated cryptographic keys, called the private key and the public key. The advantage of using these key-based authentication systems is that in many cases, it’s possible to establish secure connections without having to manually type in a password.

While the key-based authentication protocols are relatively secure, problems arise when users take certain shortcuts in the name of convenience, without fully understanding their security implications. In this article, we’ll take a good look at how to correctly use RSA and DSA authentication protocols without exposing ourselves to any unnecessary security risks. In my next article, I’ll show you how to use ssh-agent to cache decrypted private keys, and introduce keychain, an ssh-agent front-end that offers a number of convenience advantages without sacrificing security. If you’ve always wanted to get the hang of the more advanced authentication features of OpenSSH, then read on.

How RSA/DSA keys work

Here’s a quick general overview of how RSA/DSA keys work. Let’s start with a hypothetical scenario where we’d like to use RSA authentication to allow a local Linux workstation (named localbox) to open a remote shell on remotebox, a machine at our ISP. Right now, when we try to connect to remotebox using the ssh client, we get the following prompt:

% ssh drobbins@remotebox

drobbins@remotebox's password:

Here we see an example of the ssh default way of handling authentication. Namely, it asks for the password of the drobbins account on remotebox. If we type in our password for remotebox, ssh uses its secure password authentication protocol, transmitting our password over to remotebox for verification. However, unlike what telnet does, here our password is encrypted so that it can not be intercepted by anyone sniffing our data connection. Once remotebox authenticates our supplied password against its password database, if successful, we’re allowed to log on and are greeted with a remotebox shell prompt. While the ssh default authentication method is quite secure, RSA and DSA authentication open up some new possibilities.

However, unlike the ssh secure password authentication, RSA authentication requires some initial configuration. We need to perform these initial configuration steps only once. After that, RSA authentication between localbox and remotebox will be totally painless. To set up RSA authentication, we first need to generate a pair of keys, one private and one public. These two keys have some very interesting properties. The public key can be used to encrypt a message, and only the holder of the private key can decrypt it. The public key can only be used for encryption, and the private key can only be used for decryption of a message encoded by the matching public key. The RSA (and DSA) authentication protocols use the special properties of key pairs to perform secure authentication, without needing to transmit any confidential information over the network.

To get RSA or DSA authentication working, we perform a single one-time configuration step. We copy our public key over to remotebox. The public key is called “public” for a reason. Since it can only be used to encrypt messages for us, we don’t need to be too concerned about it falling into the wrong hands. Once our public key has been copied over to remotebox and placed in a special file (~/.ssh/authorized_keys) so that remotebox’s sshd can locate it, we’re ready to use RSA authentication to log onto remotebox.

To do this, we simply type ssh drobbins@remotebox at localbox’s console, as we always have. However, this time, ssh lets remotebox’s sshd know that it would like to use the RSA authentication protocol. What happens next is rather interesting. Remotebox’s sshd generates a random number, and encrypts it using our public key that we copied over earlier. Then, it sends this encrypted random number back to the ssh running on localbox. In turn, our ssh uses our private key to decrypt this random number, and then sends it back to remotebox, saying in effect “See, I really do hold the matching private key; I was able to successfully decrypt your message!” Finally, sshd concludes that we should be allowed to log in, since we hold a matching private key. Thus, the fact that we hold a matching private key grants us access to remotebox.

Two observations

There are two important observations about the RSA and DSA authentication. The first is that we really only need to generate one pair of keys. We can then copy our public key to the remote machines that we’d like to access and they will all happily authenticate against our single private key. In other words, we don’t need a key pair for every system we’d like to access. Just one pair will suffice.

The other observation is that our private key should not fall into the wrong hands. The private key is the one thing that grants us access to our remote systems, and anyone that possesses our private key is granted exactly the same privileges that we are. Just as we wouldn’t want strangers to have keys to our house, we should protect our private key from unauthorized use. In the world of bits and bytes, this means that no one should be able to read or copy our private key.

Of course, the ssh developers are aware of the private keys’ importance, and have built a few safeguards into ssh and ssh-keygen so that our private key is not abused. First, ssh is configured to print out a big warning message if our key has file permissions that would allow it to be read by anyone but us. Secondly, when we create our public/private key pair using ssh-keygen, ssh-keygen will ask us to enter a passphrase. If we do, our private key will be encrypted using this passphrase, so that even if it is stolen, it will be useless to anyone who doesn’t happen to know the passphrase. Armed with that knowledge, let’s take a look at how to configure ssh to use the RSA and DSA authentication protocols.

ssh-keygen up close

The first step in setting up RSA authentication begins with generating a public/private key pair. RSA authentication is the original form of ssh key authentication, so RSA should work with any version of OpenSSH, although I recommend that you install the most recent version available, which was openssh-2.9_p2 at the time this article was written. Generate a pair of RSA keys as follows:

% ssh-keygen

Generating public/private rsa1 key pair.

Enter file in which to save the key (/home/drobbins/.ssh/identity): (hit enter)

Enter passphrase (empty for no passphrase): (enter a passphrase)

Enter same passphrase again: (enter it again)

Your identification has been saved in /home/drobbins/.ssh/identity.

Your public key has been saved in /home/drobbins/.ssh/identity.pub.

The key fingerprint is:

a4:e7:f2:39:a7:eb:fd:f8:39:f1:f1:7b:fe:48:a1:09 drobbins@localbox

When ssh-keygen asks for a default location for the key, we hit enter to accept the default of /home/drobbins/.ssh/identity. ssh-keygen will store the private key at the above path, and the public key will be stored right next to it, in a file called identity.pub.

Also note that ssh-keygen prompted us to enter a passphrase. When prompted, we entered a good passphrase (seven or more hard-to-predict characters). ssh-keygen then encrypted our private key (~/.ssh/identity) using this passphrase so that our private key will be useless to anyone who does not know it.

The quick compromise

When we specify a passphrase, it allows ssh-keygen to secure our private key against misuse, but it also creates a minor inconvenience. Now, every time we try to connect to our drobbins@remotebox account using ssh, ssh will prompt us to enter the passphrase so that it can decrypt our private key and use it for RSA authentication. Again, we won’t be typing in our password for the drobbins account on remotebox, we’ll be typing in the passphrase needed to locally decrypt our private key. Once our private key is decrypted, our ssh client will take care of the rest. While the mechanics of using our remote password and the RSA passphrase are completely different, in practice we’re still prompted to type a “secret phrase” into ssh.

# ssh drobbins@remotebox

Enter passphrase for key '/home/drobbins/.ssh/identity': (enter passphrase)

Last login: Thu Jun 28 20:28:47 2001 from localbox.gentoo.org

Welcome to remotebox!

%

Here’s where people are often mislead into a quick compromise. A lot of the time, people will create unencrypted private keys just so that they don’t need to type in a password. That way, they simply type in the ssh command, and they’re immediately authenticated via RSA (or DSA) and logged in.

# ssh drobbins@remotebox

Last login: Thu Jun 28 20:28:47 2001 from localbox.gentoo.org

Welcome to remotebox!

%

However, while this is convenient, you shouldn’t use this approach without fully understanding its security impact. With an unencrypted private key, if anyone ever hacks into localbox, they’ll also get automatic access to remotebox and any other systems that have been configured with the public key.

I know what you’re thinking. Passwordless authentication, despite being a bit risky does seem really appealing. I totally agree. But there is a better way! Stick with me, and I’ll show you how to gain the benefits of passwordless authentication without compromising your private key security. I’ll show you how to masterfully use ssh-agent (the thing that makes secure passwordless authentication possible in the first place) in my next article. Now, let’s get ready to use ssh-agent by setting up RSA and DSA authentication. Here step-by-step directions.

RSA key pair generation

To set up RSA authentication, we’ll need to perform the one-time step of generating a public/private key pair. We do this by typing:

% ssh-keygen

Accept the default key location when prompted (typically ~/.ssh/identity and ~/.ssh/identity.pub for the public key), and provide ssh-keygen with a secure passphrase. Once ssh-keygen completes, you’ll have a public key as well as a passphrase-encrypted private key.

RSA public key install

Next, we’ll need to configure remote systems running sshd to use our public RSA key for authentication. Typically, this is done by copying the public key to the remote system as follows:

% scp ~/.ssh/identity.pub drobbins@remotebox:

Since RSA authentication isn’t fully set up yet, we’ll be prompted to enter our password on remotebox. Do so. Then, log in to remotebox and append the public key to the ~/.ssh/authorized_keys file like so:

% ssh drobbins@remotebox

drobbins@remotebox's password: (enter password)

Last login: Thu Jun 28 20:28:47 2001 from localbox.gentoo.org

Welcome to remotebox!

% cat identity.pub >> ~/.ssh/authorized_keys

% exit

Now, with RSA authentication configured, we should be prompted to enter our RSA passphrase (rather than our password) when we try to connect to remotebox using ssh.

% ssh drobbins@remotebox

Enter passphrase for key '/home/drobbins/.ssh/identity':

Hurray, RSA authentication configuration complete! If you weren’t prompted for a passphrase, here are a few things to try. First, try logging in by typing ssh -1 drobbins@remotebox. This will tell ssh to only use version 1 of the ssh protocol, and may be required if for some reason the remote system is defaulting to DSA authentication. If that doesn’t work, make sure that you don’t have a line that reads RSAAuthentication no in your /etc/ssh/ssh_config. If you do, comment it out by pre-pending it with a “#”. Otherwise, try contacting the remotebox system administrator and verifying that they have enabled RSA authentication on their end and have the appropriate settings in /etc/ssh/sshd_config.

DSA key generation

While RSA keys are used by version 1 of the ssh protocol, DSA keys are used for protocol level 2, an updated version of the ssh protocol. Any modern version of OpenSSH should be able to use both RSA and DSA keys. Generating DSA keys using OpenSSH’s ssh-keygen can be done similarly to RSA in the following manner:

% ssh-keygen -t dsa

Again, we’ll be prompted for a passphrase. Enter a secure one. We’ll also be prompted for a location to save our DSA keys. The default, normally ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub, should be fine. After our one-time DSA key generation is complete, it’s time to install our DSA public key to remote systems.

DSA public key install

Again, DSA public key installation is almost identical to RSA. For DSA, we’ll want to copy our ~/.ssh/id_dsa.pub file to remotebox, and then append it to the ~/.ssh/authorized_keys2 on remotebox. Note that this file has a different name than the RSA authorized_keys file. Once configured, we should be able to log in to remotebox by typing in our DSA private key passphrase rather than typing in our actual remotebox password.

Next time

Right now, you should have RSA or DSA authentication working, but you still need to type in your passphrase for every new connection. In my next article, we’ll see how to use ssh-agent, a really nice system that allows us to establish connections without supplying a password, but also allows us to keep our private keys encrypted on disk. I’ll also introduce keychain, a very handy ssh-agent front-end that makes ssh-agent even more secure, convenient, and fun to use. Until then, check out the handy resources below to keep yourself on track.

Interview Topic

ME . (Linux Administrator)

My Experience

Some Interview Topics

If you are preparing for interviews for linux admin jobs you should be familiar with below concepts..

1) Port number of different servers {cat /etc/services}
2) Linux Installation(through FTP,HTTP,NFS)
3) Boot process
4) Diff b/w ext3 and ext2
5) RAID LEVELS and Selection of raid
6) backup methods
7) Package management such as Yum server

Kernel Tuning
9) IPTABLES
10) TCP WRAPPERS
11) DIFFERENT RUN LEVELS
12) USER AND GROUP MANAGEMENT
13) QUOTA SETTING(user and group)
14) DIFF B/W CRON AND AT
15) BASIC SHELL SCRIPTING
16) Troubleshooting different issues.
17) Tell me why we should hire you?
18) DAILY ACTIVITES IN YOUR CURRENT COMPANY
19) RECENTLY SOLVED CRITICAL ISSUE
20) LVM (Very Imp)
21) vertias Volume manager
22) cluster basic like HAD , GAB , LLT , HEARTBEAT , CONFIG FILES , RESOURSE , SERVICE GROUPS etc
23 ) kernel panic troubleshooting
24) Process management
25)Configuration part of NFS , NIS , Samba , DHCP , DNS,Apache, Sendmail etc.

26)Remote administration experience.

And many more depending on your job profile. You should know each topics what you mentioned in your resume . If you are not sure about anything , dont mention in your resume and your resume should reflect your skills.

NMAP(Port Chacker)

ME . (Linux Admin)

Nmap With Example

NMAP is one of the most important tool. Which checks which ports are open on a machine.

Some important to note about NMAP

NMAP abbreviation is network mapper
NMAP is used to scan ports on a machine, either local or remote machine (just you require ip/hostname to scan).
NMAP is can be installed on windows, Sun Solaris machines too.
NMAP can be used to scan large networks, remember I am saying large networks.
NMAP can be used to get operating system details, uptime, software used for a service and its version no, vender of network card and uptime of that system too(Don’t worry we will see all these things in this post.
Please do not try to use NMAP on machines which you don’t have permission.
Can be used by hackers to scan for systems for venerability.
Just a funny note : You can see this NMAP used by trinity in Matrix-II, when she tries to hack in to electric grid super computer.

Note : NMAP man pages one of the best man pages I have come across. It is explained in such a way that even new user can understand it easily and one more thing it is even having examples in to how to use NMAP in different situations, when you have time read it. You will get lots of information.

Example1 : Using NMAP in normal way, i.e. to scan a particular system for open ports
#nmap hostname

Example2 : Scanning for a single port on a machine
#nmap –p 22 hostname
This will scan for 22 port is open on a host or not. And here –p indicates port.

Example3 : For scanning only ports
#nmap –F hostname
-F is for fast scan and this will not do any other scanning like IP address, hostname, operating system, and uptime etc. It’s very much fast as it said in man pages.

Example4 : For scanning only TCP ports
#nmap –sT hostname
Here s is for scanning and T is for only scanning of TCP ports

Example5 : For scanning only UDP ports
#nmap –sU hostname
Here U indicates UDP port scanning

Exmaple6 : Scanning for ports and to get what is the version of different services running on that machine
#nmap –sV hostname
V indicates version of each network service running on that host

Example7 : To check which protocol is supported by the remote machine
#nmap –sO hostname

Example8 : To scan a system for operating system and uptime details
# nmap -O hostname
-O is for operating system scan along with default port scan

Example9 : Scanning a network
#nmap networkID/subnetmask
For the above command you can try in this way
#nmap 192.168.0.0/24

ICMP Block With IPTABLES

ME . (Linux Admin)
How to use IPtables to block ICMP (Internet Control Message Protocol) requests?
Ans : To do this we have understand why we require this thing should be done.
When Hackers try to hack in to any machine first thing they will do is a basic ping test.
Code :
#ping target-machine
If this is succeed they will come to a conclusion that system is up and they can go forward and they can do DDOS attacks or try to find some other open ports using NMAP command.
Code :
#nmap target-machine
So if you are exposing a machine to outer world from your network, first disable incoming ping requests to your machine as follows.
So this can be done by two ways through IPtables 1. Reject the ICMP packets.2. Drop the ICMP packets.

In the above mentioned methods best thing is to drop the ICMP packets, by doing this we are not giving any clue to hacker whether the system is alive or not. Where as if we do reject definitely hacker will come to know that ICMP packets are blocked and the system is live.
Step1 : Executing following command to drop all the incoming ICMP packets
#iptables –A INPUT –p icmp –icmp-type echo-request –j DROP
Let me explain this command
-A is to append this rule to already existing one.
INPUT specifies that it’s a
Step2 : Save this changes to IPtables file (/etc/sysconfig/iptables), restart the IPtables service and check your IPtables status whether your IPtables chain is updated or not.
#service iptables save
#service iptables restart
#iptables –L

How to allow icmp ping request in case you want them,First we have to remove the rule which we created for blocking the icmp ping.
#iptables –D INPUT –p icmp –icmp-type echo-request –j DROP

Then execute the following commands
#iptables –A INPUT –p icmp –icmp-type echo-request –j ACCEPT
#service iptables save
#service iptables restart

Some points to be noted
What are the methods used by hackers using this ICMP ping?
Though these are old denial-of-service attack (DoS attack), worth to learn them
Ping flood
Smurf attack
Ping to death
Please comment your thoughts regarding this post:-)

0 comments:

Virt File

ME .(Linux Admin)
Can we create a file system (i.e. formatting a drive/partition) with in a file system?
Looks little bit strange is int it? So follow me I will show you how to create a virtual partition and file system within a partition.
Step1 : Create a empty file with /dev/zero with size equal to 50Mb.
#dd if=/dev/zero of=/temp/vf0 count=102400

Note :
1. By default “dd” command(dataset definition) uses block of 512bytes so the size will be 102400*512=52 428 800=~50MB
2. /dev/zero is a device files which will be used create a file which conations “0″ i.e. an empty file.

Clipped output:
[root@test6 ~]# dd if=/dev/zero of=/temp/vf0 count=102400
102400+0 records in
102400+0 records out
[root@test ~]# ls -lh /temp/vf0
-rw-r–r– 1 root root 50M Nov 7 12:08 /temp/vf0

Step2 : Create ext3 file system for this virtual partition.
#mkfs -t ext3 /temp/vf0

Here it will ask “do you want to format the file or not”?, just say yes.
Step3 : Now we have to create a mount point (nothing but a directory) and mount the created partition.
# mkdir /virtdrive
# mount -o loop=/dev/loop0 /temp/vf0 /virtdrive

Note:
/dev/loop is special hardware device used to mount ISO files and virtual file systems. In Linux there are total 8 loop devices numbering from 0 to 7. So you can mount only 8 ISO files/virtual file systems by default.
Step4 : Edit /etc/fstab file to mount permanently, so that it be auto mounted at boot time too. Specify following entry in fstab file.
/temp/vf0 /virtdrive ext3 rw,loop=/dev/loop0 0 0

Step5 : Specify the fstab changes to kernel.
#mount -a

Step6 : Conform Weather mounting happen perfectly or not.
Way1 :
#cat /etc/mtab

Way2 : Change the directory to mount point you have to see lost+found folder
[root@test ~]# cd /virtdrive/
[root@test virtdrive]# ls
lost+found
[root@test virtdrive]#

DNS LOG

ME .(Linux Admin)
How to log DNS server activity?
Ans : Sometimes you require DNS server activity to be logged to a file for future reference to analyze the activity on DNS server and whether DNS server is properly resolving accurately or not. rndc is the command to use for DNS server activity logging. Let’s have a look how to log DNS server activity. In order to log DNS server entries just execute below command (you have to do this one as root user)
#rndc querylog
Note : When you execute the above command DNS server activity is logged on to server /var/log/messages file.
Example output of the clipped log file bash-2.05b# /usr/sbin/rndc querylog
bash-2.05b# tail -f /var/log/messages
Nov 18 18:00:16 ns1.abc.in named[29413]: query logging is now on
Nov 18 18:00:18 ns1.abc.in named[29413]: client 194.158.122.34#43071: query: abc.co.in IN MX
Nov 18 18:00:18 ns1.abc.in named[29413]: client 194.158.122.6#43587: query: smtp.abc.co.in IN A
Nov 18 18:00:19 ns1.abc.in named[29413]: client 82.8.211.193#19305: query: MX2.abc.co.in IN A
Nov 18 18:00:20 ns1.abc.in named[29413]: client 200.49.130.26#4111: query: abc.co.in IN MX
Nov 18 18:00:21 ns1.abc.in named[29413]: client 212.24.128.8#46547: query: abc.co.in IN MX
Nov 18 18:00:22 ns1.abc.in named[29413]: client 200.75.51.132#26540: query: MX2.abc.co.in IN A
In order to stop DNS logging activity please execute below command
#rndc querylog
Note : If you observe this command it is same as for starting the log activity, it is similar way how walky-talky works.. You have to press same button for both on/off operations.
Example output of how it is stopped
bash-2.05b# /usr/sbin/rndc querylog
bash-2.05b# tail -f messages
Nov 18 18:08:53 ns1.abc.com named[29413]: client 200.12.232.4#60450: query: abc.co.in IN MX
Nov 18 18:08:59 ns1.abc.com named[29413]: client 212.54.35.233#39027: query: ns1.abc.co.in IN A
Nov 18 18:08:59 ns1.abc.com named[29413]: client 212.54.35.233#10163: query: ns1.abc.co.in IN A
Nov 18 18:09:00 ns1.abc.com named[29413]: client 88.156.63.9#3661: query: abc.co.in IN MX
Nov 18 18:09:00 ns1.abc.com named[29413]: client 89.2.2.146#44622: query: abc.co.in IN MX
Nov 18 18:09:05 ns1.abc.com named[29413]: client 203.199.147.5#14678: query: cmex01.clairmail.local.intranet.abc.co.in IN A
Nov 18 18:09:06 ns1.abc.com named[29413]: client 117.98.17.34#1766: query: abc.co.in IN MX
Nov 18 18:09:06 ns1.abc.com named[29413]: client 203.119.8.106#28142: query: abc.co.in IN MX
Nov 18 18:09:11 ns1.abc.com named[29413]: client 217.171.113.9#4861: query: MX2.abc.co.in IN A
Nov 18 18:09:11 ns1.abc.com named[29413]: query logging is now off
Some FAQ’s:
1.Is it advaisable to restart a production DNS server?
Ans : No, Never try to restart a production DNS server with out prior notice from your higher officials.
2.Then how can I update any changes I made to DNS server?
Ans : You can use rndc command to update the changes to dns server.
3.I want to update DNS server zone file entries to DNS server without restarting the named/bind server?
Ans : We can do it by using rndc command
#rndc reload
4.I want to reload named.conf file with out restarting DNS server?
#rndc refresh.

N.A.G.I.O.S

ME . (Linux Admin)
NAGIOS is a system and network monitoring application that watches host and services that we specify as well as alerting when finds any error.
NAGIOS is implemented by using SNMP protocol, so which ever devices support SNMP we can monitor that device using NAGIOS.
NAGIOS can do following things
1.Monitor wide range of hosts like Servers,Switches,Routers etc.
2.Monitor network services (Like : SMTP, POP3, HTTP, NNTP, ICMP, SNMP, FTP, SSH.)
3.Monitor Host resources (Processor load, Running processes, Disk usage, System logs, etc)
4.Monitor Host environments(Temperature, Alarms etc).
Can alert you through e-mail, SMS, Pager etc.
NAGIOS can not do Monitoring of Bandwidth utilization in network.
Installing NAGIOS:
Step1: Before installing NAGIOS we required some packages to be installed, These are listed as below.
Apache(For accessing NAGIOS web interface),
gcc compiler,glibc, glibc-common and gd development library(for compiling source code which we are going download ).
# yum install httpd
# yum install gcc
# yum install glibc*
# yum install gd*

Step2 : First we have Create a new NAGIOS user account , group and its password.
# useradd nagios
# passwd nagios
# groupadd nagcmd
# usermod -G nagcmd nagios
# usermod -G nagcmd apache

We are adding “nagcmd” as secondary group to both “nagios” and “apache” user because some times we require to execute commands through web interface.
Step3 : Create a directory called download and download Nagios and its pluggins.
# mkdir ~/download
# cd ~/download
# cd
# wget http://osdn.dl.sourceforge.net/sourceforge/nagios/nagios-3.0.2.tar.gz
# wget http://osdn.dl.spurceforge.net/sourceforge/nagiosplug/nagios-pluggins-1.4.11.tar.gz
If you are unable to download using wget then use the following link to download nagios through GUI and nagiosplug:- http://www.nagios.org/download
Step4 : Now its time to Compile and install Nagios, to do this uncompress the tarball file and do as follows:
# cd /root/download
# tar -xvzf nagios-3.1.2.tar.gz ## extract the tar file.
# cd nagio-3.1.2
# ./configure –with-command-group=nagcmd
# make all

Stpe5 : Now Install binaries, init script, sample config file and set permissions on the external command(make install-commandmod) directory.
# make install
# make install-init
# make install-config
# make install-commandmod
Now NAGIOS is installed and the configuring files are stored in /usr/local/nagios/etc
Step6 : Install the NAGIOS web config file in the Apache conf.d directory.
# make install-webconf

Step7 : Create a nagiosadmin account for logging into the Nagios web interface.
# htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
Here it will ask for new password, enter the password and remember it in order to access NAGIOS web interface.
Step8 : Start nagios service by using below commands and add the nagios service to run at system start-up time.
# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

When we execute the above command the output will be as below.
Output like this:-
Nagios 3.0.2
Copyright (c) 1999-2008 Ethan Galstad (http://www.nagios.org/)
Last Modified: 05-19-2008
License: GPL
Reading configuration data…
Running pre-flight check on configuration data…
Checking services…
Checked 35 services.
Checking hosts…
Checked 4 hosts.
Checking host groups…
Checked 1 host groups.
Checking service groups…
Checked 0 service groups.
Checking contacts…
Checked 1 contacts.
Checking contact groups…
Checked 1 contact groups.
Checking service escalations…
Checked 0 service escalations.
Checking service dependencies…
Checked 0 service dependencies.
Checking host escalations…
Checked 0 host escalations.
Checking host dependencies…
Checked 0 host dependencies.
Checking commands…
Checked 25 commands.
Checking time periods…
Checked 5 time periods.
Checking for circular paths between hosts…
Checking for circular host and service dependencies…
Checking global event handlers…
Checking obsessive compulsive processor commands…
Checking misc settings…
Total Warnings: 0
Total Errors: 0
Things look okay – No serious problems were detected during the pre-flight check.
If output comes like this, it means there is no error.
Step9 : start the nagios service and configure the service to run at start-up time of the system
# service nagios start
# chkconfig –add nagios
# chkconfig nagios on

Stpe10 : Use the following command to run the CGIs under the SElinux enforcing/targated mode. This will eliminate security loopholes.
# chcon -R -t httpd_sys_content_t /usr/local/nagios/sbin/
# chcon -R -t httpd_sys_content_t /usr/local/nagios/share/

Stpe11 : Now change the contact details in /usr/local/nagios/etc/objects/contacts.cfg, you will find nagiosadmin, change the e-mail id associated to it with your required e-mail id, so that alerts .
Step12 : Now restart the apache server
# service httpd restart
Step13 : Access the Nagios web interface through your web browser:
http://localhost/nagios/
Note:- Here you will be prompted for the username (nagiosadmin) and password that is given by you at step7 ).
I will update the blog how to monitor different devices such as Servers, Network devices and System resources and how to get alerts through SMS, e-mail and Pager. Please keep us visiting

Backup MBR

ME . (Linux Guru)
1.How to take the backup and restore MBR? Why do you require to take the backup of your MBR?
Ans : MBR (Master Boot Recorder) is a vital part of your hard disk which contains booting information, without it its difficult to boot the system. Suppose you have windows and Linux duel boot on your machine and as you know windows is more porn to virus attacks. So it’s always better to backup your MBR to be in safe place.
2. How to take backup of your MBR?
Ans : Using dd command (dataset definition). Here are the steps to take backup of you MBR and keep it in safe place to restore your system if it get corrupted.
#dd if=/dev/hdx of=/safe/location bs=512 count=1
Let me explain the above command how it will work.
“If” in the command is nothing but to specify Input File, here we are specifying our input file as hard disk(if the hard disk is /dev/hda it is primary master, so for general purpose I given ‘x’). “of” in the command is nothing but to specify Output File, here we are specifying our output file as /safe/location. Then “bs” this is nothing but block size to write in to hard disk. And then “count” nothing but how many times you want to write date this many block sizes. Here in this example count=1 that means first 512 bytes of the hard disk is copied to the specified location.
3.How to restore the MBR?
#dd if=/safe/location of=/dev/hdx bs=512 count=1
Note : Please replace “hdx” with your hard disk name.
This is bit complex, Is there any other way to restore MBR?
Yes, if you have Linux or Windows bootable CD, we can easily restore your MBR if you forgot to take backup(And this method is very much easy to do restoration of MBR when compared to previous method).
Method1 : With Redhat Linux bootable CD.
For this you have to boot your system to rescue mode, then mount your file system to rescue mode and execute below command to restore your MBR
#grub-install /dev/hdx
Note : Please replace hdx with your hard disk name. After that you just reboot your system. Your system will be live and working.
Method2 : With Windows XP bootable CD.
Step1 : Boot the system with XP bootable cd
Step2 : Press f8 to go to repair mode in Windows
Step3 : Once you got the c drive prompt just type below command
Fixmbr
This command will fix the MBR record.
Some FAQ’s
1. What is the MBR size?
Ans : MBR size is just 512 bytes.
2.What MBR conations?
Ans : Mainly MBR can be divided in two parts
a.Boot loader information block(which is of 448 bytes)
b. Partition table information(which is of just 64 bytes)
3.How many partition we can create on a hard disk?
Ans : Totally we can create four partitions as below
a.Four primary parathions.
b.Three primary and one extended partition.
c.Two primary and one extended parathion.
d.One primary and one extended parathion.
Note : In extended parathion we can create logical partitions up to 24 in number.
4.Why we cannot create more then 4 partition as mention above?
Ans : In MBR, the partition table info is just stored in 64 bytes, and one parathion information to store in MBR requires 16 bytes of space. So at most you can create only 4 partitions as mention above.

.

IPV6 Info

IPv6 With ?……… ME

First things first. Each PC – more properly each network interface – may have more than one IPv6 address – IPv6 is naturally multi-homed. Second, an IPv6 address has a scope, that is, it can be restricted to a single LAN or a private network or be globally unique. The following table defines the types of IPv6 addresses that can be supported and contrasts them with the closest IPv4 functional equivalent.

IPv6 Name	Scope/Description	IPv4 Equivalent	Notes
Link-Local	Local LAN only. Automatically assigned based on MAC. Cannot be routed outside local LAN.	No real equivalent. Assigned IPv4 over ARP’d MAC.	Scoped address concept new to IPv6. Format.
Site-Local	Optional. Local Site only. Cannot be routed over Internet. Assigned by user.	Private network address with multi-homed interface is closest equivalent.	Scoped address concept new to IPv6. Unlike the IPv4 private network address the IPv6 device can have, and most likely will have, Link-Local, Site-Local and a Global Unicast address. Site-Local while continuing to exist in the IPv6 specification is the subject of on-going work in the IETF and is currently not supported. The address block used for this purpose has been marked Reserved by IANA.
Global Unicast	Globally unique. Fully routable. Assigned by IANA/delegated Aggregators.	Global IP address.	IPv6 and IPv4 similar but IPv6 can have other scoped addresses. Format.
Multicast	One-to-many. Hierarchy of multicasting.	Similar to IPv4 Class D.	Significantly more powerful than IPv4 version. No broadcast in IPv6, replaced by multicast. Format.
Anycast	One-to-nearest. Uses Global Unicast Addresses. Routers only. Discovery uses.	Unique protocols in IPv4 e.g. IGMP.	Some anycast addresses reserved for special functions.
Loopback	Local interface scope.	Same as IPv4 127.0.0.1	Same function

IPv6 Address Notation

An IPv6 address consists of 128 bits – an IPv4 address consists of 32 bits – and is written as a series of 8 hexadecimal strings separated by colons. Examples:

# all the following refer to the same address

2001:0000:0234:C1AB:0000:00A0:AABC:003F

# leading zeros can be omitted

2001:0:234:C1AB:0:A0:AABC:3F

# not case sensitive - any mixture allowed

2001:0:0234:C1ab:0:A0:aabc:3F

One or more zeros entries can be omitted entirely but only once in an address. The user can choose the most efficient place to omit multiple zero entries. Examples:

# raw ipv6 address

2001:0000:0234:C1AB:0000:00A0:AABC:003F

# address with single 0 dropped

2001::0234:C1ab:0:A0:aabc:003F

# alternate version - address with single 0 dropped

2001:0:0234:C1ab::A0:aabc:003F

# the following is INVALID

2001::0234:C1ab::A0:aabc:003F

Multiple zeros can be omitted entirely but only once in an address. Examples:

# omitting multiple 0's in address

2001:0:0:0:0:0:0:3F

# can be written as

2001::3F

# lots of zeros (loopback address)

0:0:0:0:0:0:0:1

# can be written as

::1

# all zeros (unspecified a.k.a unassigned IP)

0:0:0:0:0:0:0:0

# can be written as

::

# but this address

2001:0:0:1:0:0:0:3F

# cannot be reduced to this

2001::1::3F  # INVALID

# instead it can only be reduced to

2001::1:0:0:0:3F

# or

2001:0:0:1::3F

IPv6 Prefix or Slash Notation

IPv6 uses a similar / (forward slash) notation to IPv4 CIDR (Classless Interdomain Routing) which describes the number of contiguous bits used. Formally this way of writing and address is called an IP prefix but more commonly called the slash format. Examples:

# single user address

2001:db8::1/128

# normal user IPv6 address allocation

# allows the user to control the low order 80 bits

2001:db8::/48

# global routing prefix - top 3 bits only with fixed value 001 (binary)

2::/3

IPv6 Address Types

The type of IP address is defined by a variable number of the top bits known as the binary prefix (BP). Only as many bits as required are used to identify the address type as shown in the following table (defined in RFC 3513):

Use	Binary Prefix	Slash	Description/Notes
Unspecified	00…0	::/128	IPv6 address = 0:0:0:0:0:0:0:0 (or ::) Used before an address allocated by DHCP (equivalent of IPv4 0.0.0.0)
Loopback	00…1	::1/128	IPv6 address = 0:0:0:0:0:0:0:1 (or ::1) Local PC Loopback (equivalent of IPv4 127.0.0.1)
Multicast	1111 1111	FF::/8	Format.
Link-Local unicast	1111 1110 10	FE8::/10	Local LAN scope. Lower bits created from MAC address. Format.
Site-Local unicast	1111 1110 11	FEC::/10	Local Site scope. Lower bits assigned by user. This binary prefix has been marked Reserved by IANA to reflect the currently unsupported state of Site-Local addressing.
Global Unicast	All other values	2::/3	A note in RFC 3513 suggests that IANA should continue to allocate only from the binary prefix 001 (as in RFC 2373 version) for the time being. Format.

The revised definition is a conceptual change and is both more flexible and cleaner than the previous (RFC 2373) definition. IPv4 and NSAP prefixes are still allowed for but are now simply unicast addresses.

IPv6 Global Unicast Address Format

The IPv6 Global Unicast 128 bits are divided into a 48 bit global routing prefix (a.k.a site prefix) which is assigned by various authorities and 80 bits which define the subnet ID and interface ID as follows:

Site Prefix of 48 bits – assigned by IANA/Aggregator.
Name	Size	Description/Notes
global routing prefix	48 bits	Variable format depending on Binary Prefix e.g. if 001 – Global Unicast Address (assigned by IANA) uses this format.
subnet ID	16 bits	Used for subnet routing.
interface ID	64 bits	The unique interface identifier (host address equivalent in IPv4).

The current IPv6 address allocation policy adopted by the various Internet Registries is based on the IETF/IAB recomendation (in RFC 3177) and allows for:

Name	Allocation	Description/Notes
Normal User	/48	The user controls the full 80 bits addresses comprising the subnet ID and interface ID
Single subnet	/64	Where it is known that only a single subnet can be used the user is assigned control of the interface ID part only
Single Device	/128	Where it is known that only one device can be used the user is assigned a single interface ID

IPv6 End-User Address Format

End-User addresses are assigned from Global Unicast pool and currently only with the binary prefix 001 (or 2::/3). The IETF 6bone currently uses a special range of 3FFe::/16 but the 6bone is being disbanded (reflecting the production ready state of IPv6) and the address range is planned to be returned to the IANA Reserved pool by June 2006. The 128 bits breakdown as follows:

global routing prefix of 48 bits – assigned by IANA/Aggregator.
Name	Size	Description/Notes
reserved	3 bits	001 – Global Unicast Address (assigned by IANA)
TLA ID	13 bits	0 0000 0000 00001 (address block 2001::/16) Top Level Aggregator (TLA). Assigned by IANA for use by the Regional Internet Registries (RIRs)
Sub-TLA	13 bits	Assigned by IANA to the RIRs. The RIRs assign blocks from this range to the National or Local Internet Registries.
NLA	19 bits	Assigned by RIR to Next Level Aggregator (NLA) (either a National or Local Internet Registry or in some cases an ISP). The NLA assigns blocks from its allocated range to end-users
80 bits – typically assigned by the user
Name	Size	Description/Notes
subnet ID	16 bits	Used for subnet routing
interface ID	64 bits	Equivalent to IPv4 host address – since this field alone is bigger that the whole IPv4 address space it is fairly generous!

IPv6 Addresses may be assigned to interfaces using one of three methods:

Stateful – Statically assigned = manual configuration
Stateful – DHCPv6 – Automatically assigned
Stateless – Automatically assigned

IPv6 Link-Local Address Format

Link-Local addresses are automatically assigned by the end user equipment and require no external configuration. The address format uses a unique binary prefix (FE8::/10) and the remaining bits (118) are built from the local interface identifier. In the case of ethernet the MAC (48 bits) is used to create the EUI-64 value as shown below. If an interface identifier has more than 118 bits the link-local address cannot be generated and the unit must be manually configured. Link-local addresses are not routable outside the local LAN. The 128 bits of a link-local address for an ethernet interface breakdown as follows:

10 bits – Binary Prefix
Name	Size	Description/Notes
Binary Prefix	10 bits	1111 1110 10 or FE8::/10 Link-Local Prefix
118 bits – constructed from interface MAC (EUI-64)
Name	Size	Description/Notes
-	54 bits	all zeros – padding from 64 to 118 bits
MAC	24 bits	top 24 bits of the 48 bit interface MAC. Vendor ID
ID	16 bits	Fixed value of FFFE inserted
MAC	24 bits	low 24 bits of the 48 bit interface MAC. Serial number.

Example

# Interface MAC

00-40-63-ca-9a-20

# IPv6 Interface ID (EUI-64)

::0040:63FF:FECA:9A20

# or

::40:63FF:FECA:9A20

# link local

FE80::40:63FF:FECA:9A20

IPv6 Multicast Address Format

The Multicast format (which also replaces broadcast in IPv4) is defined by RFC 3513 Section 2.7. The fomat of a multicast address is defined below:

Name	Bits	Size	Value	Description/Notes
Binary Prefix	0 – 7	8	1111 1111	Fixed value a.k.a the routing prefix
flags	8-11	4	000T	Where T may be either: 0 = “well-known” or permanently (IANA) assigned group 1 = “transient” group which has no IANA assignment
scope	12-15	4	-	May take one of the following assigned values: 0 – reserved 1 – interface-local scope 2 – link-local scope 3 – reserved 4 – admin-local scope 5 – site-local scope 6 – (unassigned) 7 – (unassigned) 8 – organization-local scope 9 – (unassigned) A – (unassigned) B – (unassigned) C – (unassigned) D – (unassigned) E – global scope F – reserved
Group ID	16 – 127	112	-	Uniquely assigned by IANA if “well-known” bit = 0 set in flags above. IANA IPv6 Multicast assignments

The following lists some of the more common multicast groups:

Address	Description/Notes
FF01::1	Interface local – all nodes
FF02::1	Link local – all nodes
FF01::2	Interface local – all routers
FF02::2	Link local – all routers

IPv6 – IPv4 Interworking

IPv6 allows transport of IPv4 addresses using two methods. The methods are described in RFC 2893.
The first method is termed an “IPv4-compatible IPv6 address” and must use a globally unique IPv4 address. Please note: To avoid publication of a global IPv4 the example below shows a private (non-globally unique) IPv4 address purely to illustrate the principle:

# IPv4-compatible IPv6 address

# assume the host has an IPv4 address of:

192.168.0.5

# this is represented by the hex value

C0A80005

# the IPv4-compatible IPv6 address would be

::C0A8:5

# or

0:0:0:0:0:0:C0A8:5

The IPv4-compatible IPv6 address format is used when the end interface supports both IPv6 and IPv4 (a dual stack interface). This method is now deprecated (RFC 4291).
The second method is termed an “IPv4-mapped IPv6 address” and must use a globally unique IPv4 address. Please note: To avoid publication of a global IPv4 the example below shows a private (non-globally unique) IPv4 address purely to illustrate the principle:

# IPv4-mapped IPv6 address

# assume the host has an IPv4 address of:

192.168.0.5

# this is represented by the hex value

C0A80005

# the IPv4-mapped IPv6 address would be

::FFFF:C0A8:5

# or

0:0:0:0:0:FFFF:C0A8:5

The IPv4-mapped IPv6 address format is used when the end interface supports only IPv4 and indicates that a configured IPv6 system e.g. a router will have to perform conversion to the IPv4 protocol prior to communicating with the interface.

IPv6 Frame Format

IPv6 headers are daisy chained. The Next Header field – present in every header except the upper layer header – indicates which header comes next as shown in the diagram below:
Description: IPv6 Daisy chained headers

Notes:

Zero or more Extension headers may be present.
Multiple Extension headers of any type may be present.
All Extension headers are assumed to be of variable length and contain a length value (expressed in multiples of 8 octets).
Only one upper layer header may be present and is unchanged from IPv4 e.g. tcp with the exception of the format of the ‘pseudo-header’ used to generate the checksum.
Data (MTU) length is defined to be a minimum of 1280 octets with a recommendation of 1500+ octets. If any routing link cannot carry this size of MTU, link specific fragmentation must be carried out below (i.e. invisible to) IPv6.
When carrying UDP traffic in the upper layers the optional (in IPv4) UDP checksum MUST be present.
The pseudo header used in TCP, UDP and IPv6 ICMP is assumed be a 40 octet field and have the following format:

Name	Size	Description/Notes
Source	128 bits	IPv6 source address
Destination	128 bits	IPv6 destination address
Packet Length	32 bits	Length in octets of the upper layer data packet plus associated header.
-	24 bits	Must be zeros
Next Header	8 bits	Assumed to contain the value of the protocol carried in the upper layer e.g. 6 = TCP etc..

IPv6 Header Format

IPv6 Header Format
Name	Length	Description/Notes
version	4 bits	value = 6. Same location as IPv4 – everything after this changes.
traffic class	8 bits	None formally defined with IANA (late 2004). When used with Explicit Congestion Notification (ECN) (RFC 3168) may take values defined here and here.
Flow Label	20 bits	-
payload length	16 bits	unsigned length in octets of payload (excludes header but includes extensions)
next header	8 bits	Identifier in following header – same values as IPv4 Protocol field Some common values: 0 (0×00) IPv6 Hop-by-Hop Option 1 (0×01) ICMP protocol 2 (0×02) IGMP protocol 4 (0×04) IP over IP 6 (0×06) TCP protocol 17 (0×11) UDP protocol 41 (0×29) IPv6 protocol 58 (0x3A) IPv6 ICMP protocol 59 (0x3B) IPv6 No Next Header (terminates a no upper layer frame) Definitive list is here
hop limit	8 bits	Maximum number of hops. Formalises the current practice when using the TTL in IPv4.
source IP	128 bits	-
destination IP	128 bits	-

Order of Headers

Where multiple headers are present the recommended sender order is (but the receiver must accept in any order):
IPv6 Header
Hop-by-Hop Header
Destination Options
Routing Headers
Fragment Headers
Authentication Headers
Encapsulation Security Payload (ESP) Header
Destination Options
Upper Layer Header + data

Extension Headers

Extension headers are always multiples of 8 octets. To allow skipping and processing of extension headers they all begin with the following 16 bit stub format:

IPv6 Extension Header – Stub format
Name	Length	Description/Notes
Next Header	8 bits	Same values as IPv6 Next Header
Extension Hdr Len	8 bits	Unsigned integer. The total length of the extension header in multiples of 8 octets, excluding the first 8 octets e.g. a value of 0 = 8 octet header length, value = 2 = 24 octet header length etc. NB the length field in ICMPv6 does not use this convention – it’s always good to have consistency in standards.

Header Options

The Hop-By-Hop and Destination Headers carry a variable number of options within the header and use a classic TLD (or TLV in the standards paralance) format as shown below:

Name	Length	Description/Notes
Type	8 bits	The two high order (or low order depending on your numbering convention) bits indicate what action to take if the option is not recognized and may take one of the following values: 00 = skip option – keep processing 01 = discard packet 10 = discard packet and send ICMPv6 Parameter Problem (Code 2) message 11 = discard packet and, if not Multicast address, send ICMPv6 Parameter Problem (Code 2) message The third high order bit indicates whether the option can change before reaching its destination 0 = data will not change, 1 = data may change. If the bit is set and an Authentication Header is present then an all zero option value must be assumed when computing any digest.
Length	8 bits	Length in octets of the option data – does not include the type or length value.
Data	variable	Depends on Type

In order to force so-called natural alignment of option fields two padding options are provided. An Option Type of 0 indicates a 1 octet pad (and does not have associated length or data fields), a standard Option with a Type of 1 allows for multiple octet padding. NB in this case a 2 octet pad will have an Option Length of 0.

IPv6 Hop-By-Hop Header

IPv6 Destination Header

IPv6 Configuration

IPv6 systems are typically multi-homed by default and have a link-local address configured by the host and may have a global unicast address which may be configured by one of three methods:

Stateful – Statically assigned = manual configuration
Stateful – DHCPv6 – Automatically assigned
Stateless – Automatically assigned

IPv6 Stateless Autoconfiguration

IPv6 systems may be configured to provide global unicast addresses using stateless autconfiguation. Stateless autoconfiguration requires a router to be present but not a DHCP server. In stateless autoconfiguration a default router address is provided but not a DNS and other information that is normally provided by DHCP. The process of creating a stateless IPv6 address is as follows:

Host sends a Router Solicitation message
Host waits for a Router Advertisement message.
Host takes top 64 bits from Subnet Prefix part of Router Advertisement and combines it with the 64 bit EUI-64 address (created from the MAC) to greate a Global Unicast address. The host also takes the default gateway address from the Router Advertisement message.
Host then performs a Duplicate Address Detection to ensure the address is unique. If this check fails the host immediately aborts the autoconfiguration process and must be manually configured.

IPv6 RFCs

The following RFCs define IPv6. Wow is this a list. You can get the RFCs from the IETF.

RFC	Description/Status
RFC 1809	Using the Flow Label Field in IPv6. C. Partridge. June 1995. (Format: TXT=13591 bytes) (Status: INFORMATIONAL)
RFC 1881	IPv6 Address Allocation Management. IAB, IESG. December 1995. (Format: TXT=3215 bytes) (Status: INFORMATIONAL)
RFC 1883	Internet Protocol, Version 6 (IPv6) Specification. S. Deering, R. Hinden. December 1995. (Format: TXT=82089 bytes) (Obsoleted by RFC2460) (Status: PROPOSED STANDARD)
RFC 1885	Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6). A. Conta, S. Deering. December 1995. (Format: TXT=32214 bytes) (Obsoleted by RFC2463) (Status: PROPOSED STANDARD)
RFC 1887	An Architecture for IPv6 Unicast Address Allocation. Y. Rekhter, T. Li, Eds.. December 1995. (Format: TXT=66066 bytes) (Status: INFORMATIONAL)
RFC 1888	OSI NSAPs and IPv6. J. Bound, B. Carpenter, D. Harrington, J. Houldsworth, A. Lloyd. August 1996. (Format: TXT=36469 bytes) (Status: EXPERIMENTAL)
RFC 1924	A Compact Representation of IPv6 Addresses. R. Elz. Apr-01-1996. (Format: TXT=10409 bytes) (Status: INFORMATIONAL)
RFC 1932	IP over ATM: A Framework Document. R. Cole, D. Shur, C. Villamizar. April 1996. (Format: TXT=68031 bytes) (Status: INFORMATIONAL)
RFC 2080	RIPng for IPv6. G. Malkin, R. Minnear. January 1997. (Format: TXT=47534 bytes) (Status: PROPOSED STANDARD)
RFC 2375	IPv6 Multicast Address Assignments. R. Hinden, S. Deering. July 1998. (Format: TXT=14356 bytes) (Status: INFORMATIONAL)
RFC 2428	FTP Extensions for IPv6 and NATs. M. Allman, S. Ostermann, C. Metz. September 1998. (Format: TXT=16028 bytes) (Status: PROPOSED STANDARD)
RFC 2460	Internet Protocol, Version 6 (IPv6) Specification. S. Deering, R. Hinden. December 1998. (Format: TXT=85490 bytes) (Obsoletes RFC1883) (Status: DRAFT STANDARD)
RFC 2461	Neighbor Discovery for IP Version 6 (IPv6). T. Narten, E. Nordmark, W. Simpson. December 1998. (Format: TXT=222516 bytes) (Obsoletes RFC1970) (Status: DRAFT STANDARD)
RFC 2462	IPv6 Stateless Address Autoconfiguration. S. Thomson, T. Narten. December 1998. (Format: TXT=61210 bytes) (Obsoletes RFC1971) (Status: DRAFT STANDARD)
RFC 2463	Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification. A. Conta, S. Deering. December 1998. (Format: TXT=34190 bytes) (Obsoletes RFC1885) (Status: DRAFT STANDARD)
RFC 2464	Transmission of IPv6 Packets over Ethernet Networks. M. Crawford. December 1998. (Format: TXT=12725 bytes) (Obsoletes RFC1972) (Status: PROPOSED STANDARD)
RFC 2465	Management Information Base for IP Version 6: Textual Conventions and General Group. D. Haskin, S. Onishi. December 1998. (Format: TXT=77339 bytes) (Status: PROPOSED STANDARD)
RFC 2466	Management Information Base for IP Version 6: ICMPv6 Group. D. Haskin, S. Onishi. December 1998. (Format: TXT=27547 bytes) (Status: PROPOSED STANDARD)
RFC 2467	Transmission of IPv6 Packets over FDDI Networks. M. Crawford. December 1998. (Format: TXT=16028 bytes) (Obsoletes RFC2019) (Status: PROPOSED STANDARD)
RFC 2492	IPv6 over ATM Networks. G. Armitage, P. Schulter, M. Jork. January 1999. (Format: TXT=21199 bytes) (Status: PROPOSED STANDARD)
RFC 2526	Reserved IPv6 Subnet Anycast Addresses. D. Johnson, S. Deering. March 1999. (Format: TXT=14555 bytes) (Status: PROPOSED STANDARD)
RFC 2529	Transmission of IPv6 over IPv4 Domains without Explicit Tunnels. B. Carpenter, C. Jung. March 1999. (Format: TXT=21049 bytes) (Status: PROPOSED STANDARD)
RFC 2545	Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing. P. Marques, F. Dupont. March 1999. (Format: TXT=10209 bytes) (Status: PROPOSED STANDARD)
RFC 2673	Binary Labels in the Domain Name System. M. Crawford. August 1999. (Format: TXT=12379 bytes) (Updated by RFC3363, RFC3364) (Status: EXPERIMENTAL)
RFC 2675	IPv6 Jumbograms. D. Borman, S. Deering, R. Hinden. August 1999. (Format: TXT=17320 bytes) (Obsoletes RFC2147) (Status: PROPOSED STANDARD)
RFC 2710	Multicast Listener Discovery (MLD) for IPv6. S. Deering, W. Fenner, B. Haberman. October 1999. (Format: TXT=46838 bytes) (Updated by RFC3590, RFC3810) (Status: PROPOSED STANDARD)
RFC 2711	IPv6 Router Alert Option. C. Partridge, A. Jackson. October 1999. (Format: TXT=11973 bytes) (Status: PROPOSED STANDARD)
RFC 2732	Format for Literal IPv6 Addresses in URL’s. R. Hinden, B. Carpenter, L. Masinter. December 1999. (Format: TXT=7984 bytes) (Updates RFC2396) (Status: PROPOSED STANDARD)
RFC 2740	OSPF for IPv6. R. Coltun, D. Ferguson, J. Moy. December 1999. (Format: TXT=189810 bytes) (Status: PROPOSED STANDARD)
RFC 2766	Network Address Translation – Protocol Translation (NAT-PT). G. Tsirtsis, P. Srisuresh. February 2000. (Format: TXT=49836 bytes) (Updated by RFC3152) (Status: PROPOSED STANDARD)
RFC 2893	Transition Mechanisms for IPv6 Hosts and Routers. R. Gilligan, E. Nordmark. August 2000. (Format: TXT=62731 bytes) (Obsoletes RFC1933) (Status: PROPOSED STANDARD)
RFC 2894	Router Renumbering for IPv6. M. Crawford. August 2000. (Format: TXT=69135 bytes) (Status: PROPOSED STANDARD)
RFC 2928	Initial IPv6 Sub-TLA ID Assignments. R. Hinden, S. Deering, R. Fink, T. Hain. September 2000. (Format: TXT=11882 bytes) (Status: INFORMATIONAL)
RFC 3041	Privacy Extensions for Stateless Address Autoconfiguration in IPv6. T. Narten, R. Draves. January 2001. (Format: TXT=44446 bytes) (Status: PROPOSED STANDARD)
RFC 3056	Connection of IPv6 Domains via IPv4 Clouds. B. Carpenter, K. Moore. February 2001. (Format: TXT=54902 bytes) (Status: PROPOSED STANDARD)
RFC 3111	Service Location Protocol Modifications for IPv6. E. Guttman. May 2001. (Format: TXT=25543 bytes) (Status: PROPOSED STANDARD)
RFC 3122	Extensions to IPv6 Neighbor Discovery for Inverse Discovery Specification. A. Conta. June 2001. (Format: TXT=40416 bytes) (Status: PROPOSED STANDARD)
RFC 3146	Transmission of IPv6 Packets over IEEE 1394 Networks. K. Fujisawa, A. Onoe. October 2001. (Format: TXT=16569 bytes) (Status: PROPOSED STANDARD)
RFC 3152	Delegation of IP6.ARPA. R. Bush. August 2001. (Format: TXT=5727 bytes) (Obsoleted by RFC3596) (Updates RFC2874, RFC2772, RFC2766, RFC2553, RFC1886) (Also BCP0049) (Status: BEST CURRENT PRACTICE)
RFC 3162	RADIUS and IPv6. B. Aboba, G. Zorn, D. Mitton. August 2001. (Format: TXT=20492 bytes) (Status: PROPOSED STANDARD)
RFC 3175	Aggregation of RSVP for IPv4 and IPv6 Reservations. F. Baker, C. Iturralde, F. Le Faucheur, B. Davie. September 2001. (Format: TXT=88681 bytes) (Status: PROPOSED STANDARD)
RFC 3177	IAB/IESG Recommendations on IPv6 Address Allocations to Sites. IAB, IESG. September 2001. (Format: TXT=23178 bytes) (Status: INFORMATIONAL)
RFC 3266	Support for IPv6 in Session Description Protocol (SDP). S. Olson, G. Camarillo, A. B. Roach. June 2002. (Format: TXT=8693 bytes) (Updates RFC2327) (Status: PROPOSED STANDARD)
RFC 3306	Unicast-Prefix-based IPv6 Multicast Addresses. B. Haberman, D. Thaler. August 2002. (Format: TXT=12713 bytes) (Status: PROPOSED STANDARD)
RFC 3307	Allocation Guidelines for IPv6 Multicast Addresses. B. Haberman. August 2002. (Format: TXT=15742 bytes) (Status: PROPOSED STANDARD)
RFC 3314	Recommendations for IPv6 in Third Generation Partnership Project (3GPP) Standards. M. Wasserman, Ed.. September 2002. (Format: TXT=48168 bytes) (Status: INFORMATIONAL)
RFC 3315	Dynamic Host Configuration Protocol for IPv6 (DHCPv6). R. Droms, Ed., J. Bound, B. Volz, T. Lemon, C. Perkins, M. Carney. July 2003. (Format: TXT=231402 bytes) (Status: PROPOSED STANDARD)
RFC 3363	Representing Internet Protocol version 6 (IPv6) Addresses in the Domain Name System (DNS). R. Bush, A. Durand, B. Fink, O. Gudmundsson, T. Hain. August 2002. (Format: TXT=11055 bytes) (Updates RFC2673, RFC2874) (Status: INFORMATIONAL)
RFC 3364	Tradeoffs in Domain Name System (DNS) Support for Internet Protocol version 6 (IPv6). R. Austein. August 2002. (Format: TXT=26544 bytes) (Updates RFC2673, RFC2874) (Status: INFORMATIONAL)
RFC 3484	Default Address Selection for Internet Protocol version 6 (IPv6). R. Draves. February 2003. (Format: TXT=55076 bytes) (Status: PROPOSED STANDARD)
RFC 3513	Internet Protocol Version 6 (IPv6) Addressing Architecture. R. Hinden, S. Deering. April 2003. (Format: TXT=53920 bytes) (Obsoletes RFC2373) (Status: obsoleted by RFC4291)
RFC 3587	IPv6 Global Unicast Address Format. R. Hinden, S. Deering, E. Nordmark. August 2003. (Format: TXT=8783 bytes) (Obsoletes RFC2374) (Status: INFORMATIONAL)
RFC 3596	DNS Extensions to Support IP Version 6. S. Thomson, C. Huitema, V. Ksinant, M. Souissi. October 2003. (Format: TXT=14093 bytes) (Obsoletes RFC3152, RFC1886) (Status: DRAFT STANDARD)
RFC 3633	IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6. O. Troan, R. Droms. December 2003. (Format: TXT=45308 bytes) (Status: PROPOSED STANDARD)
RFC 3646	DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6). R. Droms, Ed.. December 2003. (Format: TXT=13312 bytes) (Status: PROPOSED STANDARD)
RFC 3697	IPv6 Flow Label Specification. J. Rajahalme, A. Conta, B. Carpenter, S. Deering. March 2004. (Format: TXT=21296 bytes) (Status: PROPOSED STANDARD)
RFC 3736	Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6. R. Droms. April 2004. (Format: TXT=18510 bytes) (Status: PROPOSED STANDARD)
RFC 3775	Mobility Support in IPv6. D. Johnson, C. Perkins, J. Arkko. June 2004. (Format: TXT=393514 bytes) (Status: PROPOSED STANDARD)
RFC 3776	Using IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents. J. Arkko, V. Devarapalli, F. Dupont. June 2004. (Format: TXT=87076 bytes) (Status: PROPOSED STANDARD)
RFC 3810	Multicast Listener Discovery Version 2 (MLDv2) for IPv6. R. Vida, Ed., L. Costa, Ed.. June 2004. (Format: TXT=153579 bytes) (Updates RFC2710) (Status: PROPOSED STANDARD)
RFC 3831	Transmission of IPv6 Packets over Fibre Channel. C. DeSanti. July 2004. (Format: TXT=53328 bytes) (Status: PROPOSED STANDARD)
RFC 3849	IPv6 Address Prefix Reserved for Documentation. G. Huston, A. Lord, P. Smith. July 2004. (Format: TXT=7872 bytes) (Status: INFORMATIONAL)
RFC 3901	DNS IPv6 Transport Operational Guidelines. A. Durand, J. Ihren. September 2004. (Format: TXT=10025 bytes) (Also BCP0091) (Status: BEST CURRENT PRACTICE)
RFC 3956	Embedding the Rendezvous Point (RP) Address in an IPv6 Multicast Address. P. Savola, B. Haberman. November 2004. (Format: TXT=40136 bytes) (Updates RFC3306) (Status: PROPOSED STANDARD)
RFC 4007	IPv6 Scoped Address Architecture. S. Deering, B. Haberman, T. Jinmei, E. Nordmark, B. Zill. March 2005. (Format: TXT=53555 bytes) (Status: PROPOSED STANDARD)
RFC 4074	Common Misbehavior Against DNS Queries for IPv6 Addresses. Y. Morishita, T. Jinmei. May 2005. (Format: TXT=13073 bytes) (Status: INFORMATIONAL)
RFC 4193	Unique Local IPv6 Unicast Addresses. R. Hinden, B. Haberman. October 2005. (Format: TXT=35908 bytes) (Status: PROPOSED STANDARD)
RFC 4213	Basic Transition Mechanisms for IPv6 Hosts and Routers. E. Nordmark, R. Gilligan. October 2005. (Format: TXT=58575 bytes) (Obsoletes RFC2893) (Status: PROPOSED STANDARD)
RFC 4215	Analysis on IPv6 Transition in Third Generation Partnership Project (3GPP) Networks. J. Wiljakka, Ed.. October 2005. (Format: TXT=52903 bytes) (Status: INFORMATIONAL)
RFC 4242	Information Refresh Time Option for Dynamic Host Configuration Protocol for IPv6 (DHCPv6). S. Venaas, T. Chown, B. Volz. November 2005. (Format: TXT=14759 bytes) (Status: PROPOSED STANDARD)
RFC 4260	Mobile IPv6 Fast Handovers for 802.11 Networks. P. McCann. November 2005. (Format: TXT=35276 bytes) (Status: INFORMATIONAL)
RFC 4283	Mobile Node Identifier Option for Mobile IPv6 (MIPv6). A. Patel, K. Leung, M. Khalil, H. Akhtar, K. Chowdhury. November 2005. (Format: TXT=14653 bytes) (Status: PROPOSED STANDARD)
RFC 4283	Mobile Node Identifier Option for Mobile IPv6 (MIPv6). A. Patel, K. Leung, M. Khalil, H. Akhtar, K. Chowdhury. November 2005. (Format: TXT=14653 bytes) (Status: PROPOSED STANDARD)
RFC 4291	IP Version 6 Addressing Architecture. R. Hinden, S. Deering. February 2006. (Format: TXT=52897 bytes) (Obsoletes RFC3513) (Status: DRAFT STANDARD)
RFC 4295	Mobile IPv6 Management Information Base. G. Keeni, K. Koide, K. Nagami, S. Gundavelli. April 2006. (Format: TXT=209038 bytes) (Status: PROPOSED STANDARD)
RFC 4311	IPv6 Host-to-Router Load Sharing. R. Hinden, D. Thaler. November 2005. (Format: TXT=10156 bytes) (Updates RFC2461) (Status: PROPOSED STANDARD)
RFC 4339	IPv6 Host Configuration of DNS Server Information Approaches. J. Jeong, Ed.. February 2006. (Format: TXT=60803 bytes) (Status: INFORMATIONAL)
RFC 4380	Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs). C. Huitema. February 2006. (Format: TXT=132607 bytes) (Status: PROPOSED STANDARD)
RFC 4429	Optimistic Duplicate Address Detection (DAD) for IPv6. N. Moore. April 2006. (Format: TXT=33123 bytes) (Status: PROPOSED STANDARD)
RFC 4443	Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification. A. Conta, S. Deering, M. Gupta, Ed.. March 2006. (Format: TXT=48969 bytes) (Obsoletes RFC2463) (Updates RFC2780) (Status: DRAFT STANDARD)
RFC 4449	Securing Mobile IPv6 Route Optimization Using a Static Shared Key. C. Perkins. June 2006. (Format: TXT=15080 bytes) (Status: PROPOSED STANDARD)
RFC 4489	A Method for Generating Link-Scoped IPv6 Multicast Addresses. J-S. Park, M-K. Shin, H-J. Kim. April 2006. (Format: TXT=12224 bytes) (Updates RFC3306) (Status: PROPOSED STANDARD)
RFC 4649	Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Relay Agent Remote-ID Option. B. Volz. August 2006. (Format: TXT=10940 bytes) (Status: PROPOSED STANDARD)
RFC 4704	The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Client Fully Qualified Domain Name (FQDN) Option. B. Volz. October 2006. (Format: TXT=32359 bytes) (Status: PROPOSED STANDARD)

SSL(CA)

Creating a sample CA

Preamble

In contemporary days digital certificates are wide spread for purpose of security communication with web sites, VPN and other purposes. One of the problems is how to create own CA to establish additional level of security in your infrastructure. So, the purpose of this document is to give brief information how to create sample CA for private usage. The main instruments will be OpenSSL and Linux. If SSL package you use and/or operating system are different, format of some or all commands may vary. In the document is used OpenSSL 0.9.8h, if your version is different, please refer to the documentation for changes over the versions.

Creation

The first step of creation is to choose repository where the CA files will reside. For me /etc/localCA look enough self-expain and good as location. Directory /opt is not bad choose too, but because of idea or /etc to store config files will be better to use it:

# mkdir –p /etc/localCA

Next we should create two directories to keep certificates issued by authority and keep own certificate. It is highly recommended to keep them in separate “storages”. For example /etc/localCA/certs and /etc/localCA/own looks good.

# mkdir –p /etc/localCA/own /etc/localCA/certs

Then we should create a file, used by OpenSSL to track the serial numbers of certificates, issued by CA and file (empty at the start) to keep track of those certificates

# echo 0001 > /etc/localCA/serial

# > /etc/localCA/list_cert

It’s time to create config file for our CA with name of the file openssl.cnf and put in root directory of our CA. Do not forget to change default parameters as crl_days, days, md and CA policies according to rules of your company (if company usage). Maybe somewhere on your system exist other config file, but we will use much sample one, but enough for our task. For explanations about the different options, please refer the documentation of OpenSSL or SLL package you use.

[ ca ]

default_ca = localCA

[ localCA ]

dir = /etc/localCA

certificate = $dir/cacert.pem

database = $dir/list_cet

new_certs_dir = $dir/certs

private_key = $dir/own/cakey.pem

serial = $dir/serial

default_crl_days = 7

default_days = 730

default_md = sha1

policy = localCA_policy

x509_extensions = certificate_extensions

[ localCA_policy ]

commonName = supplied

countryName = optional

emailAddress = supplied

organizationName = supplied

organizationalUnitName = optional

[ certificate_extensions ]

basicConstraints = CA:false

Tell OpenSSL where the config file is located:

# export OPENSSL_CONF=/etc/localCA/openssl.cnf

Next step is to create self-signed certificate for our CA. For this task we will create “response file”, because always exist possibility of error when you enter information by hand, so we will add those lines below to our config file

[ req ]

default_bits = 2048

default_keyfile = /etc/localCA/own/cakey.pem

default_md = sha1

prompt = no

distinguished_name = root_ca_local

x509_extensions = root_ca_extensions

[ root_ca_local ]

commonName = Local CA

emailAddress = ca@example.org

organizationName = Root Certification Authority

[ root_ca_extensions ]

basicConstraints = CA:true

Lets generate self-signet certificate for our CA:

# openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM –days 730

Generating a 2048 bit RSA private key

……….+++

…………………………………+++

writing new private key to ‘/etc/localCA/own/cakey.pem’

Enter PEM pass phrase:

Verifying – Enter PEM pass phrase:

—–

Et voila, our CA is ready to issue certificates for our local usage. Let’s test and create one. First we need to “clear” the environment variable for config file

# unset OPENSSL_CONF

Then let’s create request

# openssl req -newkey rsa:1024 -keyout testkey.pem -keyform PEM -out testreq.pem -outform PEM

Generating a 1024 bit RSA private key

..++++++

…………………………………..++++++

writing new private key to ‘testkey.pem’

Enter PEM pass phrase:

Verifying – Enter PEM pass phrase:

—–

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [AU]:BG

State or Province Name (full name) [Some-State]:.

Locality Name (eg, city) []:.

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Local

Organizational Unit Name (eg, section) []:.

Common Name (eg, YOUR name) []:Test

Email Address []:test@example.org

Please enter the following ‘extra’ attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Issue the certificate from this request:

# export OPENSSL_CONF=/etc/localCA/openssl.cnf

# openssl ca -in testreq.pem

Using configuration from /etc/localCA/openssl.cnf

Enter pass phrase for /etc/localCA/own/cakey.pem:

Check that the request matches the signature

Signature ok

The Subject’s Distinguished Name is as follows

countryName

RINTABLE:’BG’

organizationName

RINTABLE:’Local’

commonName

RINTABLE:’Test’

emailAddress :IA5STRING:’test@example.org’

Certificate is to be certified until Aug 2 21:40:51 2010 GMT (730 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Certificate:

Data:

Version: 3 (0×2)

Serial Number: 1 (0×1)

Signature Algorithm: sha1WithRSAEncryption

Issuer: CN=Local CA/emailAddress=ca@example.org, O=Root Certification Authority

Now in directory /etc/localCA/certs we have file with name of serial number of certificate and extension pem from the output format. And that’s all.

Final notes

This manual is just a simplified example of process of creation of CA and do not replace the need of read and understand the documentation. Of course there are many products, simplifying most of the work, but to understand better the process nothing can replace old fashion command line tools.

YUM

TO Install Yum Server With Vsftpd
1. install Rhel5 DVD in dvd drive,
2. install vaftpd and createrepos RPM find in DVD,
3. Run this command # service vsftpd restart,
4. copy all data packages in dvd are copy on /var/ftp/pub directory,
#mount /dev/dvd /mnt
#cp -r /mnt/* /var/ftp/pub
5. run createrepo command for create repository on /var/ftp/pub directory
#createrepo -v /var/ftp/pub (3min time)
6. now configure and edit yum.conf file
#vim /etc/yum.conf
[gpg]
name=your server name
baseurl=ftp://your ftp ip/pub
gpgcheck=0
enabled=1
:wq (save the file)
7. #service vsftpd restart
#chkconfig vsftpd on
8. chack the yum repo service
#yum list all
#yum clean all
#yum update all
#yum -y install vnc*

transperent Proxy

Linux: Setup a transparent proxy with Squid in three easy steps

Setup Squid proxy as a transparent server.
Main benefit of setting transparent proxy is you do not have to setup up individual browsers to work with proxies.

My Setup:

i) System: HP dual Xeon CPU system with 8 GB RAM (good for squid).
ii) Eth0: IP:192.168.1.1
iii) Eth1: IP: 192.168.2.1 (192.168.2.0/24 network (around 150 windows XP systems))
iv) OS: Red Hat Enterprise Linux (Following instruction should work with Debian and all other Linux distros)
Eth0 connected to internet and eth1 connected to local lan i.e. system act as router.

Server Configuration

Step #1 : Squid configuration so that it will act as a transparent proxy
Step #2 : Iptables configuration

a) Configure system as router
b) Forward all http requests to 3128 (DNAT)

Step #3: Run scripts and start squid service

First, Squid server installed (use up2date squid) and configured by adding following directives to file:
# vi /etc/squid/squid.conf
Modify or add following squid directives:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
Where,

httpd_accel_host virtual: Squid as an httpd accelerator
httpd_accel_port 80: 80 is port you want to act as a proxy
httpd_accel_with_proxy on: Squid act as both a local httpd accelerator and as a proxy.
httpd_accel_uses_host_header on: Header is turned on which is the hostname from the URL.
acl lan src 192.168.1.1 192.168.2.0/24: Access control list, only allow LAN computers to use squid
http_access allow localhost: Squid access to LAN and localhost ACL only
http_access allow lan: — same as above –

Here is the complete listing of squid.conf for your reference (grep will remove all comments and sed will remove all empty lines, thanks to David Klein for quick hint ):

# grep -v "^#"
/etc/squid/squid.conf | sed -e '/^$/d'

OR, try out sed (thanks to kotnik for small sed trick)

# cat /etc/squid/squid.conf | sed '/ *#/d;
/^ *$/d'

Output:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid

Iptables configuration

Next, I had added following rules to forward all http requests (coming to port 80) to the Squid server port 3128 :

iptables -t nat -A PREROUTING -i eth1 -p
tcp --dport 80 -j DNAT --to 192.168.1.1:3128

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
--to-port 3128

Here is complete shell script. Script first configure Linux system as router and forwards all http request to port 3128 (Download the fw.proxy shell script):
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp

echo 1 >
/proc/sys/net/ipv4/

ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m

 state --state
ESTABLISHED,RELATED -j
ACCEPT

# set this system as a router for Rest of LAN

iptables --table nat --append POSTROUTING --out-interface $INTERNET
-j MASQUERADE

iptables --append FORWARD --in-interface $LAN_IN -j
ACCEPT

# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy

iptables -t nat -A PREROUTING -i
$LAN_IN -p
tcp --dport 80
-j DNAT --to
$SQUID_SERVER:$SQUID_PORT

# if it is same system

iptables -t nat -A PREROUTING -i
$INTERNET -p
tcp --dport 80
-j REDIRECT --to-port $SQUID_PORT

# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Save shell script. Execute script so that system will act as a router and forward the ports:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on
Start or Restart the squid:
# /etc/init.d/squid restart
# chkconfig squid on

Desktop / Client computer configuration

Point all desktop clients to your eth1 IP address (192.168.2.1) as Router/Gateway (use DHCP to distribute this information). You do not have to setup up individual browsers to work with proxies.

How do I test my squid proxy is working correctly?

See access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log
Above command will monitor all incoming request and log them to /var/log/squid/access_log file. Now if somebody accessing a website through browser, squid will log information.

Problems and solutions

(a) Windows XP FTP Client

All Desktop client FTP session request ended with an error:
Illegal PORT command.
I had loaded the ip_nat_ftp kernel module. Just type the following command press Enter and voila!
# modprobe ip_nat_ftp
Please note that modprobe command is already added to a shell script (above).

(b) Port 443 redirection

I had block out all connection request from our router settings except for our proxy (192.168.1.1) server. So all ports including 443 (https/ssl) request denied. You cannot redirect port 443, from debian mailing list, “Long answer: SSL is specifically designed to prevent “man in the middle” attacks, and setting up squid in such a way would be the same as such a “man in the middle” attack. You might be able to successfully achive this, but not without breaking the encryption and certification that is the point behind SSL“.
Therefore, I had quickly reopen port 443 (router firewall) for all my LAN computers and problem was solved.

(c) Squid Proxy authentication in a transparent mode

You cannot use Squid authentication with a transparently intercepting proxy.

You have a typo in your header line for the “Transperent proxy.”

Good article. The only things I think I’d also include would be:
1) That you would want to configure your Internet firewall rule set to allow only the transparent proxy to connect to the Internet on port 80, so that they have no choice but to use the transparent proxy.
2) You probably want to include support for FTP as well.
3) This configuration is for RHEL 4 and should be updated for RHEL 5.
4) You can test if squid is working on the proxy server by using the squidclient program.

IMP RHCE

ME . (RedHat Certified Engineer)

You have a system installed Red Hat Enterprise Linux os. The system must be configured with a set of locally-defined administrators and bound to an NIS domain, RHCE for additional user accounts. Your machine will be a member of the DNS domain example.com. All the systems in the example.com DNS domain are in the 172.16.0.0/16 subnet & all systems in that subnet are in example.com.
Your system will be rebooted before it is graded, so make sure that all changes you implement are persistent across reboots. You should also be aware the scoring items will be evaluated by whether they work as specified. Consequently, a correctly configured networking service will earn no points if networking itself is broken.
If your hostname is station1.example.com then you can log in to this system with the username guest1 & the password is password. You will not be able to log in successfully to any other account on that system.
The requirements for this section include configuration of security restrictions on various network services. You should be aware tht making the services available for permitted hosts & networks is a higher priority than restricting any prohibited networks, because you will not receive credit for successful configuration of services if the implemented restrictions block access to permitted hosts & networks. If you choose to use kernel level firewalling, you must REJECT rather than DROP unwanted packets.
Be aware that you are not permitted to communicate with other examinees during the course of this exam. You are also prohibited from connecting to the hosts of other examinees. The testing system and the network will be monitored, & misuse of either will result in a grade of zero on this section.
Your distribution is avilable via YUM:
http://172.16.0.254/rhel5/Server
SELinux & firewall must be enabled. Default gateway is 172.16.0.254/16.
You will note that some requirements specify that a service should not be avilable from the DNS domain my133t.org. All the systems in that domain are in the 172.17.0.0/16 subnet.

RHCT SECTION

1. Set the root password as rW9ySX. Install the dialog RPM package.
2. Create the following users, groups & group memberships:
a. A group named admin
b. A user andrew who belongs to admin as a secondary group
c. A user brad who also belongs to admin as a secondary group
d. A user smith who does not have access to an interactive shell on           the system, & who is not a memer of admin
e. andrew, brad & smith shold all have the password passwd.
3. Create a collaborative directory /shared/sysusers with the
Following characteristics:
a. Group ownership of /shared/sysusers is admin
b. The directory should be readable, writable & accessible to              members of admin, but not to any other user.
c. Files created in /shared/sysusers automatically have group              ownership set to the sysusers group
4. Install the appropriate kernel update from
ftp://server.example.com/pub/updates.
The following criteria must also be met.
a. The older kernel is the default kernel when the system is
rebooted
b. The original kernel remains available & bootable on the system
5. Enabled IP forwarding on your machine.

6. Set up the default print queue to forward jobs to the IPP print queue stationx on server.example.com, where x is your station           number. Configure printer as “Generic – text-only” print queue.
Note: the queue stationx on server dumps print jobs into the file       http://server/printers/stationx. This file can be examined to           confirm that you have configured the print queue correctly.
7. The user andrew must be configure a cronjob that runs daily at 15:25 local time & executes – /bin/echo hello at terminal 8.
8. Bind to the NIS domain example.com provided by 172.16.0.254 for
user authentication. Note the following:
a. nisuserz should be able to log into your system, where z is your     station number, but will not have a homedirectory until
you have completed the autofs requirement below
b. All NIS users have a password of passwd.
c. server.example.com NFS-exports /rhome to your system
d. nisuserz’s home directory is server.example.com:/rhome/nisuserz where z is your station number.
e. nisuserz’s home directory should be automounted locally beneath
/rhome as /rhome/nisuserz.
f. while you are able to log in as any of the users nisuser1
through nisuser10, the only home directory that is accessible from
your system is nisuserz.
9. Configure your system so that is is an NTP client of              server.example.com.
10. One logical volume LogVol00 is created under GrpVol00. The initial      size of this logical volume is 350MB. successfully extend it to    650MB. (range condierable is 570MB to 630MB).
11. One partition is mounted under /quota. brad user has full access on           this directory. When he tried
dd if=/dev/zero of=/quota/somefile bs=1k count=60
he has successfully created the file. Again he tried
dd if=/dev/zero of=/quota/somefile bs=1k count=85
he has successfully created the file upto 80kb.

RHCE SECTION

1. Configure SSH access as follows:
a. andrew has remote SSH access to your machine from within                example.com
b. Clients within my133t.org should NOT have access to ssh on your         system.
2. Configure FTP access on your system:
a. Clients within the example.com domain should have anonymous FTP         access to your machine.
b. Clients outside example.com should NOT have access to your FTP          service
3. Share the /shared directory via SMB:
a. Your SMB server must be a member of the SMBGROUP workgroup
b. The share’s name must be shared
c. The shared share must be avilable to example.com domain clients         only
d. The shared share must be browseable
e. brad must have read access to the share, authenticating with the        same password password, if necessary
4. Implement a web server for the site http://stationx.example.com
Then perform the following steps:
a. Download ftp://server.example.com/pub/rhce/station.html
b. Rename the downloaded file to index.html
c. Copy this index.html to the DocumentRoot of your web server
d. Do not make any modifications to the contents of index.html
e. Download ftp://server.example.com/pub/rhce/www.html & rename the              file to index.html at DocumentRoot /var/www/virtual
f. Extend your web server to include a virtual host for site
http://stationxx.example.com which are mapped to one ip.
g. The site http://stationx.example.com is accessibel only in              example.com
5. Configure SMTP mail service according to the following
requirements:
Your mail server should accept mail from remote hosts &
localhost
b. Brad must be able to receive mail from remote hosts
c. mail delivered to brad should spool into the default mail spool         for brad /var/spool/mail/susan.
d. Configure email alias for your MTA such that mail sent to
acctmgr is received by the local user andrew.
6. Configure POP3 email on your system according to these criteria:
a. brad must be able to retrieve email from your machine using POP3        from within example.com
b. Clients within the my133t.org domain should not have access to          your POP3 service.
ADDITIONAL RHCE REQUIREMENTS:

Implement a web proxy server bound to port 8080. Clients within example.com should have access to your proxy server. Clients             outside of example.com should not have access to your proxy server.

2. Export /shared directory only within example.com.

Friday, August 30, 2013

RHCE COMPLETE COMPLETE LINUX EXAM QUESTIONS PREPRATIONS PRACTICALS BY GORVAM SADDAR

RHCE Exam Pattern

Study Points for the RHCE Exam

Prerequisite skills for RHCT and RHCE

RHCT skills

Troubleshooting and System Maintenance

Installation and Configuration

RHCE skills

Troubleshooting and System Maintenance

Installation and Configuration

NIS Domain

Scenario

Configuring The NFS Server

Configuring The NFS Client

Configuring The NIS Server

Install the NIS Server Packages

Edit Your /etc/sysconfig/network File

Edit Your /etc/yp.conf File

Start The Key NIS Server Related Daemons

Table 30-1 Required NIS Server Daemons

Initialize Your NIS Domain

Start The ypbind and ypxfrd Daemons

Make Sure The Daemons Are Running

Adding New NIS Users

Configuring The NIS Client

Run authconfig

Start The NIS Client Related Daemons

Verify Name Resolution

Test NIS Access To The NIS Server

Test Logins via The NIS Server

Logging In Via Telnet

Logging In Via SSH

DNS WITH ME*

Contents

4.1 Master (Primary) Name Servers

4.2 Slave (Secondary) Name Servers

4.3 Caching Name Servers

4.4 Forwarding (a.k.a Proxy) Name Servers

Global Forwarding – All Requests

Per Domain Forwarding

4.5 Stealth (a.k.a. DMZ or Split) Name Server

4.6 Authoritative Only Server

4.7 Split Horizon DNS Server

What Is iptables?

Iptables Config File

Task: Display Default Rules

Task: Turn On Firewall

Understanding Firewall

Packet Matching Rules

Target Meanings

/etc/sysconfig/iptables

Drop All Traffic

Log and Drop Spoofing Source Addresses

Log And Drop All Traffic

Open Port

Only allow SSH traffic From 192.168.1.0/24

Enable Printing Access For 192.168.1.0/24

Allow Legitimate NTP Clients to Access the Server

Open FTP Port 21 (FTP)

Edit /etc/sysctl.conf For DoS and Syn Protection

Alternate Configuration Option

NAT

Mount NTFS

1. Introduction

2. Mount NTFS file system with read only access

2.1. NTFS kernel support

2.2. Identifying partition with NTFS file system

2.3. Mount NTFS partition

3. Mount NTFS file system with read write access

3.1. Install addition software

3.1.1. Fuse Install

3.1.2. ntfs-3g install

3.2. Mount ntfs partition with read write access

Encryption tools

Decryption tools

Partitioning

Formatting

Tuning

Using a configured hard drive or tape