Friday, August 30, 2013

RHCE COMPLETE LINUX EXAM QUESTIONS PREPARATION PRACTICALS BY GORVAM SADDAR



Learn RHCE
Red Hat Linux: the Red Hat Certification Program is the most mature and respected training program on Linux, and the world's leading Linux certification. The RHCE certificate is a validation of your competency and undeniable proof of your skills; the standard track consists of RH-033, RH-133 and RH-253. It is the leading choice of IT professionals and their employers.
RHCE: Red Hat Certified Engineer
RH-033: Red Hat Linux Essentials
Course Duration
Normal Track – 2 weeks
Fast Track – 3 Days
Designed for beginners; covers all the skills needed to become a productive user, including installation and command-line essentials.
RH-133: Red Hat Linux System Administration
Course Duration
Normal Track – 2 Weeks
Fast Track – 3 Days
In this module you will start building skills in system administration on Red Hat Enterprise Linux, to a level where you can attach and configure a workstation on an existing network with virtualization.
RH-253: Red Hat Linux Networking and Security Administration
Course Duration
Normal Track – 2 Weeks
Fast Track – 4 Days
In this module you will learn how to configure common Red Hat Enterprise Linux network services: server-side setup, configuration, and basic administration of DNS, NTP, NIS, Apache, SMB, DHCP, Sendmail and FTP, plus other common services such as tftp, pppd and proxy.
RHCSS: Red Hat Certified Security Specialist
RHS-333: Enterprise Network Services Security
Course Duration – 1 Week
RHCSS shares common ground with RHCA: both credentials require the skills and competencies taught in RHS333 and RH423. RHCSS additionally requires the skills covered in the RH429 course.
RH-423: Enterprise Directory Services and Authentication
Course Duration – 1 Week
The Red Hat Enterprise Directory Services and Authentication Endorsement Exam is a performance-based test of the skills covered in RH423 Red Hat Enterprise Directory Services and Authentication. In order to enroll in this exam, you must have an RHCE on a current release at the time of the exam. Upon passing the exam, you will have earned an additional endorsement to your RHCE certification. This endorsement is one of the five required in order to earn the designation Red Hat Certified Architect.
RHS-429: Red Hat Enterprise SELinux Policy Administration
Course Duration – 1 Week
RHS429 introduces advanced system administrators, security administrators, and application programmers to SELinux policy writing. Participants in this course will learn how SELinux works, how to manage SELinux, and how to write an SELinux policy. The class culminates in a major project to scope out and then write policies for previously unprotected services.
RH-300: RHCE Rapid Track
Course Duration – 1 Week
Designed for those who already possess significant systems administration experience and knowledge in a Linux/UNIX environment, and who desire the fastest path to RHCE certification.

 

RHCE Exam Pattern

Recently, from 1st May 2009, the RHCE (Red Hat Certified Engineer) exam pattern has been changed. Some of the highlights are as follows. The examination time has been reduced to 3.5 hours from the previous 5.5 hours.
  1. Previously there were two sessions: a 2.5-hour session for basic troubleshooting and a 3-hour session for server and security configurations.
  2. Now the content has been consolidated and reorganized into a single section.
  3. Everything is installed and provided along with virtualization; the candidate must complete the exam in one stretch of 3.5 hours.
  4. As you know, SELinux is enabled in RHCE 5, so prepare along those lines.
  5. The main thing needed to pass this exam is practice, practice, practice.
Get counseling on how to pass RHCE: just fill in this form with any queries. Don't hesitate, it's totally free.

Study Points for the RHCE Exam

Prerequisite skills for RHCT and RHCE

Candidates should possess the following skills, as they may be necessary in order to fulfill requirements of the RHCT and RHCE exams:
  • use standard command line tools (e.g., ls, cp, mv, rm, tail, cat, etc.) to create, remove, view, and investigate files and directories
  • use grep, sed, and awk to process text streams and files
  • use a terminal-based text editor, such as vim or nano, to modify text files
  • use input/output redirection
  • understand basic principles of TCP/IP networking, including IP addresses, netmasks, and gateways for IPv4 and IPv6
  • use su to switch user accounts
  • use passwd to set passwords
  • use tar, gzip, and bzip2
  • configure an email client on Red Hat Enterprise Linux
  • use a text and/or graphical browser to access HTTP/HTTPS URLs
  • use lftp to access FTP URLs

RHCT skills

Troubleshooting and System Maintenance

RHCTs should be able to:
  • boot systems into different run levels for troubleshooting and system maintenance
  • diagnose and correct misconfigured networking
  • diagnose and correct hostname resolution problems
  • configure the X Window System and a desktop environment
  • add new partitions, filesystems, and swap to existing systems
  • use standard command-line tools to analyze problems and configure the system

Installation and Configuration

RHCTs must be able to:
  • perform network OS installation
  • implement a custom partitioning scheme
  • configure printing
  • configure the scheduling of tasks using cron and at
  • attach system to a network directory service, such as NIS or LDAP
  • configure autofs
  • add and manage users, groups, quotas, and File Access Control Lists
  • configure filesystem permissions for collaboration
  • install and update packages using rpm
  • properly update the kernel package
  • configure the system to update/install packages from remote repositories using yum or pup
  • modify the system bootloader
  • implement software RAID at install-time and run-time
  • use /proc/sys and sysctl to modify and set kernel run-time parameters
  • use scripting to automate system maintenance tasks
  • configure NTP for time synchronization with a higher-stratum server

RHCE skills

Troubleshooting and System Maintenance

RHCEs must demonstrate the RHCT skills listed above, and should be able to:
  • use the rescue environment provided by the first installation CD
  • diagnose and correct boot failures arising from bootloader, module, and filesystem errors
  • diagnose and correct problems with network services (see Installation and Configuration below for a list of these services)
  • add, remove, and resize logical volumes
  • diagnose and correct networking services problems where SELinux contexts are interfering with proper operation.

Installation and Configuration

RHCEs must demonstrate the RHCT-level skills listed above, and they must be capable of configuring the following network services:
  • HTTP/HTTPS
  • SMB
  • NFS
  • FTP
  • Web proxy
  • SMTP
  • IMAP, IMAPS, and POP3
  • SSH
  • DNS (caching name server, slave name server)
  • NTP
For each of these services, RHCEs must be able to:
  • install the packages needed to provide the service
  • configure SELinux to support the service
  • configure the service to start when the system is booted
  • configure the service for basic operation
  • configure host-based and user-based security for the service

Speed Firefox
Post by alok on Thu Oct 29, 2009 10:44 am
Just fit the NOS in your firefox (The Fast and the Furious)
1. Open Firefox and in the address bar type about:config.
2. Click on “I’ll be careful, I promise”.
3. Use the search bar above to look for network.http.pipelining and double click on it to set its value to True.
4. Create a new boolean value named network.http.pipelining.firstrequest and set that to True, as well.
5. Find network.http.pipelining.maxrequests, double click on it, and change its value to 8.
6. Look for network.http.proxy.pipelining and set it to True.
7. Create two new integers named nglayout.initialpaint.delay and content.notify.interval, set them to 0.
8. Restart your browser.
All done. You should feel the browser is 5x more responsive than before while navigating websites.
God Bless.
See you on TOP.
We are also in “facebook” search for “networknuts”

NIS Domain

Scenario

To understand the benefits of NFS, consider an example. A school wants to set up a small computer lab for its students.
  • The main Linux server, bigboy, has a large amount of disk space and will be used as both the NIS server and NFS-based file server for the Linux PCs in the lab.
  • Users logging into the PCs will be assigned home directories on bigboy and not on the PCs themselves.
  • Each user’s home directory will be automatically mounted with each user login on the PCs using NFS.
  • The lab instructor will practice with a Linux PC named smallfry before implementing NIS on all the remaining PCs.
  • The suite of NIS RPMs has been installed on the server and client: ypserv and yp-tools are on the server, and ypbind and yp-tools are on the client.
Downloading and installing RPMs isn’t hard, as discussed in Chapter 6, “Installing Linux Software“. When searching for the RPMs, remember that the filename usually starts with the software package name followed by a version number, as in yp-tools-2.8-3.i386.rpm.
The lab instructor did some research and created an implementation plan:
  1. Configure bigboy as an NFS server to make its /home directory available to the Linux workstations.
  2. Configure smallfry as an NFS client that can access bigboy’s /home directory.
  3. Configure bigboy as an NIS server.
  4. Create a user account (nisuser) on bigboy that doesn’t exist on smallfry. Convert the account to a NIS user account.
  5. Configure smallfry as an NIS client.
  6. Test a remote login from bigboy to smallfry using the username and password of the account nisuser.
You have the scenario and the plan; it’s time to get to work.

Configuring The NFS Server

Here are the steps to configure the NFS server in this scenario:
1. Edit the /etc/exports file to allow NFS mounts of the /home directory with read/write access.
/home                   *(rw,sync)
2. Let NFS read the /etc/exports file for the new entry, and make /home available to the network with the exportfs command.
[root@bigboy tmp]# exportfs -a
[root@bigboy tmp]#
3. Make sure the required nfs, nfslock, and portmap daemons are all running and configured to start after the next reboot.
[root@bigboy tmp]# chkconfig nfslock on
[root@bigboy tmp]# chkconfig nfs on
[root@bigboy tmp]# chkconfig portmap on
[root@bigboy tmp]# service portmap start
Starting portmapper: [  OK  ]
[root@bigboy tmp]# service nfslock start
Starting NFS statd: [  OK  ]
[root@bigboy tmp]# service nfs start
Starting NFS services:  [  OK  ]
Starting NFS quotas: [  OK  ]
Starting NFS daemon: [  OK  ]
Starting NFS mountd: [  OK  ]
[root@bigboy tmp]#
After configuring the NFS server, you have to configure its clients; this is covered next.
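The export line above, /home *(rw,sync), hands /home read/write to every host that can reach the server, and only the default root squash keeps a remote root unprivileged. The following script is an added example, not part of the original chapter: it audits an /etc/exports file for a wildcard or empty host, no_root_squash and insecure, and reports what it finds (the file it checks at the end is constructed for the demonstration).

```shell
#!/bin/sh
# Added example (not from the original chapter): audit an /etc/exports file
# for entries that undo the protection the setup above relies on. Prints one
# line per finding and returns 1 if anything was found, 0 otherwise.
# Usage: audit_exports /etc/exports

audit_exports() {
    awk '
    # skip blank lines and comments
    NF == 0 || /^[ \t]*#/ { next }
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            spec = $i
            host = spec
            opts = ""
            # split "host(opt,opt)" into the host part and the option list
            if (match(spec, /\(.*\)/)) {
                host = substr(spec, 1, RSTART - 1)
                opts = substr(spec, RSTART + 1, RLENGTH - 2)
            }
            # "*" or an empty host (a stray space before the parenthesis,
            # as in "host (rw)") exports to every host that can reach us
            if (host == "" || host == "*") {
                printf "%s: exported to any host [%s]\n", path, spec
                findings++
            }
            # root squash is the only thing keeping remote root unprivileged
            if (opts ~ /(^|,)no_root_squash(,|$)/) {
                printf "%s: no_root_squash lets remote root act as root [%s]\n", path, spec
                findings++
            }
            # insecure drops the privileged-source-port check on requests
            if (opts ~ /(^|,)insecure(,|$)/) {
                printf "%s: insecure accepts requests from unprivileged ports [%s]\n", path, spec
                findings++
            }
        }
    }
    END { exit (findings ? 1 : 0) }
    ' "$1"
}

# Demonstration on a constructed file; the first line is the entry used above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/home                   *(rw,sync)
/srv/data               192.168.1.0/24(rw,sync,no_root_squash)
/srv/iso                192.168.1.102 (ro)
/srv/ro                 192.168.1.102(ro,sync)
EOF
audit_exports "$sample" || echo "exports need review"
rm -f "$sample"
```

Restricting the export to the lab subnet, for example /home 192.168.1.0/24(rw,sync), makes the check pass.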

Configuring The NFS Client

You also need to configure the NFS clients to mount their /home directories on the NFS server.
These steps archive the /home directory. In a production environment in which the /home directory was actively used, you’d have to force the users to log off, back up the data, restore it to the NFS server, and then follow the steps below. As this is a lab environment, these prerequisites aren’t necessary.
1. Make sure the required netfs, nfslock, and portmap daemons are running and configured to start after the next reboot.
[root@smallfry tmp]# chkconfig nfslock on
[root@smallfry tmp]# chkconfig netfs on
[root@smallfry tmp]# chkconfig portmap on
[root@smallfry tmp]# service portmap start
Starting portmapper: [  OK  ]
[root@smallfry tmp]# service netfs start
Mounting other filesystems:  [  OK  ]
[root@smallfry tmp]# service nfslock start
Starting NFS statd: [  OK  ]
[root@smallfry tmp]#
2. Keep a copy of the old /home directory, and create a new directory /home on which you’ll mount the NFS server’s directory.
[root@smallfry tmp]# mv /home /home.save
[root@smallfry tmp]# mkdir /home
[root@smallfry tmp]# ll /
...
...
drwxr-xr-x    1 root   root     11 Nov 16 20:22 home
drwxr-xr-x    2 root   root   4096 Jan 24  2003 home.save
...
...
[root@smallfry tmp]#
3. Make sure you can mount bigboy’s /home directory on the new /home directory you just created. Unmount it once everything looks correct.
[root@smallfry tmp]# mount 192.168.1.100:/home /home/
[root@smallfry tmp]# ls /home
ftpinstall  nisuser  quotauser  smallfry  www
[root@smallfry tmp]# umount /home
[root@smallfry tmp]#
4. Start configuring autofs automounting. Edit your /etc/auto.master file to refer to file /etc/auto.home for mounting information whenever the /home directory is accessed. After five minutes, autofs unmounts the directory.
#/etc/auto.master
/home      /etc/auto.home --timeout 600
5. Edit file /etc/auto.home to do the NFS mount whenever the /home directory is accessed. If the line is too long to view on your screen, you can add a \ character at the end to continue on the next line.
#/etc/auto.home
*   -fstype=nfs,soft,intr,rsize=8192,wsize=8192,nosuid,tcp \
   192.168.1.100:/home/&
6. Start autofs and make sure it starts after the next reboot with the chkconfig command.
[root@smallfry tmp]# chkconfig autofs on
[root@smallfry tmp]# service autofs restart
Stopping automount:[  OK  ]
Starting automount:[  OK  ]
[root@smallfry tmp]#
After doing this, you won’t be able to see the contents of the /home directory on bigboy as user root. This is because by default NFS activates the root squash feature, which disables this user from having privileged access to directories on remote NFS servers. You’ll be able to test this later after NIS is configured.
Note: This automounter feature doesn’t appear to function correctly in my preliminary testing of Fedora Core 3. See Chapter 29, “Remote Disk Access with NFS“, for details.
All newly added Linux users will now be assigned a home directory under the new remote /home directory. This scheme will make the users feel their home directories are local, when in reality they are automatically mounted and accessed over your network.

Configuring The NIS Server

NFS only covers file sharing over the network. You now have to configure NIS login authentication for the lab students before the job is done. The configuration of the NIS server is not difficult, but requires many steps that you may overlook. Don’t worry, we’ll review each one in detail.
Note: In the early days, NIS was called Yellow Pages. The developers had to change the name after a copyright infringement lawsuit, yet many of the key programs associated with NIS have kept their original names beginning with yp.

Install the NIS Server Packages

All the packages required for NIS clients are a standard part of most Fedora installations. The ypserv package for servers is not. Install the package according to the steps outlined in Chapter 6,”Installing Linux Software“.

Edit Your /etc/sysconfig/network File

You need to add the NIS domain you wish to use in the /etc/sysconfig/network file. For the school, call the domain NIS-SCHOOL-NETWORK.
#/etc/sysconfig/network
NISDOMAIN="NIS-SCHOOL-NETWORK"

Edit Your /etc/yp.conf File

NIS servers also have to be NIS clients themselves, so you’ll have to edit the NIS client configuration file /etc/yp.conf to list the domain’s NIS server as being the server itself or localhost.
# /etc/yp.conf - ypbind configuration file
ypserver 127.0.0.1

Start The Key NIS Server Related Daemons

Start the necessary NIS daemons in the /etc/init.d directory and use the chkconfig command to ensure they start after the next reboot.
[root@bigboy tmp]# service portmap start
Starting portmapper: [  OK  ]
[root@bigboy tmp]# service yppasswdd start
Starting YP passwd service: [  OK  ]
[root@bigboy tmp]# service ypserv start
Setting NIS domain name NIS-SCHOOL-NETWORK:  [  OK  ]
Starting YP server services: [  OK  ]
[root@bigboy tmp]# 
 
[root@bigboy tmp]# chkconfig portmap on
[root@bigboy tmp]# chkconfig yppasswdd on
[root@bigboy tmp]# chkconfig ypserv on
Table 30-1 summarizes the daemons’ functions.

Table 30-1 Required NIS Server Daemons

Daemon Name   Purpose
portmap       The foundation RPC daemon upon which NIS runs.
yppasswdd     Lets users change their passwords on the NIS server from NIS clients.
ypserv        Main NIS server daemon.
ypbind        Main NIS client daemon.
ypxfrd        Used to speed up the transfer of very large NIS maps.
Make sure they are all running before continuing to the next step. You can use the rpcinfo command to do this.
[root@bigboy tmp]# rpcinfo -p localhost
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100009    1   udp    681  yppasswdd
    100004    2   udp    698  ypserv
    100004    1   udp    698  ypserv
    100004    2   tcp    701  ypserv
    100004    1   tcp    701  ypserv
[root@bigboy tmp]#
The ypbind and ypxfrd daemons won’t start properly until after you initialize the NIS domain. You’ll start these daemons after initialization is completed.

Initialize Your NIS Domain

Now that you have decided on the name of the NIS domain, you’ll have to use the ypinit command to create the associated authentication files for the domain. You will be prompted for the name of the NIS server, which in this case is bigboy.
With this procedure, all nonprivileged accounts are automatically accessible via NIS.
[root@bigboy tmp]# /usr/lib/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers.  bigboy is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a .
        next host to add:  bigboy
        next host to add:
The current list of NIS servers looks like this:
 
bigboy
 
Is this correct?  [y/n: y]  y
We need a few minutes to build the databases...
Building /var/yp/NIS-SCHOOL-NETWORK/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/NIS-SCHOOL-NETWORK'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/NIS-SCHOOL-NETWORK'
 
bigboy has been set up as a NIS master server.
 
Now you can run ypinit -s bigboy on all slave server.
[root@bigboy tmp]#
Note: Make sure portmap is running before trying this step or you’ll get errors, such as:
failed to send 'clear' to local ypserv: RPC: Port mapper failureUpdating group.bygid...
You will have to delete the /var/yp/NIS-SCHOOL-NETWORK directory and restart portmap, yppasswdd, and ypserv before you’ll be able to do this again successfully.

Start The ypbind and ypxfrd Daemons

You can now start the ypbind and the ypxfrd daemons because the NIS domain files have been created.
[root@bigboy tmp]# service ypbind start
Binding to the NIS domain: [  OK  ]
Listening for an NIS domain server.
[root@bigboy tmp]# service ypxfrd start
Starting YP map server: [  OK  ]
[root@bigboy tmp]# chkconfig ypbind on
[root@bigboy tmp]# chkconfig ypxfrd on

Make Sure The Daemons Are Running

All the NIS daemons use RPC port mapping and, therefore, are listed using the rpcinfo command when they are running correctly.
[root@bigboy tmp]# rpcinfo -p localhost
    program vers proto   port
     100000    2   tcp    111  portmapper
     100000    2   udp    111  portmapper
     100003    2   udp   2049  nfs
     100003    3   udp   2049  nfs
     100021    1   udp   1024  nlockmgr
     100021    3   udp   1024  nlockmgr
     100021    4   udp   1024  nlockmgr
     100004    2   udp    784  ypserv
     100004    1   udp    784  ypserv
     100004    2   tcp    787  ypserv
     100004    1   tcp    787  ypserv
     100009    1   udp    798  yppasswdd
  600100069    1   udp    850  fypxfrd
  600100069    1   tcp    852  fypxfrd
     100007    2   udp    924  ypbind
     100007    1   udp    924  ypbind
     100007    2   tcp    927  ypbind
     100007    1   tcp    927  ypbind
[root@bigboy tmp]#
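Checking the rpcinfo listing by eye is error-prone, so here is an added example (not from the original chapter) that reads rpcinfo -p output on standard input and names any of the five NIS-related programs that are missing or registered under a different program number. The expected numbers are taken from the listings above; the sample fed to it at the end is constructed to mirror the server before ypbind and ypxfrd were started.

```shell
#!/bin/sh
# Added example (not from the original chapter): read "rpcinfo -p" output on
# stdin and report which NIS-related RPC programs are not registered, or are
# registered under an unexpected program number. The expected numbers are the
# ones in the listings above. Prints the names that are missing and returns 1
# if any, 0 when all five are present.
# Usage: rpcinfo -p localhost | check_nis_rpc

check_nis_rpc() {
    awk '
    BEGIN {
        want["portmapper"] = "100000"
        want["ypserv"]     = "100004"
        want["yppasswdd"]  = "100009"
        want["ypbind"]     = "100007"
        want["fypxfrd"]    = "600100069"
        nwant = split("portmapper ypserv yppasswdd ypbind fypxfrd", order, " ")
    }
    # data lines: program vers proto port name (the header has only 4 fields)
    NF == 5 && $1 ~ /^[0-9]+$/ { seen[$5] = $1 }
    END {
        for (i = 1; i <= nwant; i++) {
            name = order[i]
            if (!(name in seen)) {
                print name
                missing++
            } else if (seen[name] != want[name]) {
                printf "%s (registered as program %s, expected %s)\n", name, seen[name], want[name]
                missing++
            }
        }
        exit (missing ? 1 : 0)
    }
    '
}

# Demonstration on constructed output matching the server before ypbind and
# ypxfrd were started; ypbind and fypxfrd should be reported missing.
check_nis_rpc <<'EOF' || echo "the NIS daemons listed above are not registered with portmap"
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100009    1   udp    681  yppasswdd
    100004    2   udp    698  ypserv
    100004    1   udp    698  ypserv
    100004    2   tcp    701  ypserv
EOF
```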

Adding New NIS Users

New NIS users can be created by logging into the NIS server and creating the new user account. In this case, you’ll create a user account called nisuser and give it a new password.
Once this is complete, you then have to update the NIS domain’s authentication files by executing the make command in the /var/yp directory.
This procedure makes all NIS-enabled, nonprivileged accounts automatically accessible via NIS, not just newly created ones. It also exports all the users’ characteristics stored in the /etc/passwd and /etc/group files, such as the login shell, the user’s group, and home directory.
[root@bigboy tmp]# useradd -g users nisuser
[root@bigboy tmp]# passwd nisuser
Changing password for user nisuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@bigboy tmp]# cd /var/yp
[root@bigboy yp]# make
gmake[1]: Entering directory `/var/yp/NIS-SCHOOL-NETWORK'
Updating passwd.byname...
Updating passwd.byuid...
Updating netid.byname...
gmake[1]: Leaving directory `/var/yp/NIS-SCHOOL-NETWORK'
[root@bigboy yp]#
You can check to see if the user’s authentication information has been updated by using the ypmatch command, which should return the user’s encrypted password string.
[root@bigboy yp]# ypmatch nisuser passwd
nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/::504:100::/home/nisuser:/bin/bash
[root@bigboy yp]
You can also use the getent command, which has similar syntax. Unlike ypmatch, getent doesn’t provide an encrypted password when run on an NIS server; it just provides the user’s entry in the /etc/passwd file. On an NIS client, the results are identical, with both showing the encrypted password.
[root@bigboy yp]# getent passwd nisuser
nisuser:x:504:100::/home/nisuser:/bin/bash
[root@bigboy yp]#

Configuring The NIS Client

Now that the NIS server is configured, it’s time to configure the NIS clients. There are a number of related configuration files that you need to edit to get it to work. Take a look at the procedure.

Run authconfig

The authconfig or the authconfig-tui program automatically configures your NIS files after prompting you for the IP address and domain of the NIS server.
[root@smallfry tmp]# authconfig-tui
Once finished, it should create an /etc/yp.conf file that defines, amongst other things, the IP address of the NIS server for a particular domain. It also edits the /etc/sysconfig/network file to define the NIS domain to which the NIS client belongs.
# /etc/yp.conf - ypbind configuration file
domain NIS-SCHOOL-NETWORK server 192.168.1.100
 
#/etc/sysconfig/network
NISDOMAIN=NIS-SCHOOL-NETWORK
In addition, the authconfig program updates the /etc/nsswitch.conf file that lists the order in which certain data sources should be searched for name lookups, such as those in DNS, LDAP, and NIS. Here you can see where NIS entries were added for the important login files.
#/etc/nsswitch.conf
passwd:     files nis
shadow:     files nis
group:      files nis
Note: You can also locate a sample NIS nsswitch.conf file in the /usr/share/doc/yp-tools* directory.

Start The NIS Client Related Daemons

Start the ypbind NIS client and portmap daemons in the /etc/init.d directory and use the chkconfig command to ensure they start after the next reboot. Remember to use the rpcinfo command to ensure they are running correctly.
[root@smallfry tmp]# service portmap start
Starting portmapper: [  OK  ]
[root@smallfry tmp]# service ypbind start
Binding to the NIS domain:
Listening for an NIS domain server.
[root@smallfry tmp]#
 
[root@smallfry tmp]# chkconfig ypbind on
[root@smallfry tmp]# chkconfig portmap on
Note: Remember to use the rpcinfo -p localhost command to make sure they all started correctly.

Verify Name Resolution

As the configuration examples refer to the NIS client and server by their hostnames, you’ll have to make sure the names resolve correctly to IP addresses. This can be configured either in DNS, when the hosts reside in the same domain, or more simply by editing the /etc/hosts file on both Linux boxes.
#
# File: /etc/hosts (smallfry)
#
192.168.1.100    bigboy
 
#
# File: /etc/hosts (bigboy)
#
192.168.1.102    smallfry

Test NIS Access To The NIS Server

You can run the ypcat, ypmatch, and getent commands to make sure communication to the server is correct.
[root@smallfry tmp]# ypcat passwd
nisuser:$1$Cs2GMe6r$1hohkyG7ALrDLjH1:505:100::/home/nisuser:/bin/bash
quotauser:!!:503:100::/home/quotauser:/bin/bash
ftpinstall:$1$8WjAVtes$SnRh9S1w07sYkFNJwpRKa.:502:100::/:/bin/bash
www:$1$DDCi/OPI$hwiTQ.L0XqYJUk09Bw.pJ/:504:100::/home/www:/bin/bash
smallfry:$1$qHni9dnR$iKDs7gfyt..BS9Lry3DAq.:501:100::/:/bin/bash
[root@smallfry tmp]#
 
[root@smallfry tmp]# ypmatch nisuser passwd
nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/:504:100::/home/nisuser:/bin/bash
[root@smallfry tmp]#
 
[root@smallfry tmp]# getent passwd nisuser
nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/:504:100::/home/nisuser:/bin/bash
[root@smallfry tmp]#
Possible sources of error would include:
  • Incorrect authconfig setup resulting in errors in the /etc/yp.conf, /etc/sysconfig/network and /etc/nsswitch.conf files
  • Failure to run the ypinit command on the NIS server
  • NIS not being started on the NIS server or client.
  • Poor routing between the server and client, or the existence of a firewall that’s blocking traffic
Try to eliminate these areas as sources of error and refer to the syslog /var/log/messages file on the client and server for entries that may provide additional clues.

Test Logins via The NIS Server

Once your basic NIS functionality testing is complete, try to test a remote login. Failures in this area could be due to firewalls blocking TELNET or SSH access, or to the TELNET and SSH server processes not being started on the clients.

Logging In Via Telnet

Try logging into the NIS client via telnet if it is enabled.
[root@bigboy tmp]# telnet 192.168.1.201
Trying 192.168.1.201...
Connected to 192.168.1.201.
Escape character is '^]'.
Red Hat Linux release 9 (Shrike)
Kernel 2.4.20-6 on an i686
login: nisuser
Password:
Last login: Sun Nov 16 22:03:51 from 192-168-1-100.simiya.com
[nisuser@smallfry nisuser]$

Logging In Via SSH

Try logging into the NIS client via SSH.
[root@bigboy tmp]# ssh -l nisuser 192.168.1.102
nisuser@192.168.1.102's password:
[nisuser@smallfry nisuser]$
In some versions of Linux, the NIS client’s SSH daemon doesn’t re-read the /etc/nsswitch.conf file you just modified until SSH is restarted. SSH logins, therefore, won’t query the NIS server until this is done. Restart SSH on the NIS client.
[root@smallfry root]# service sshd restart
Stopping sshd:[  OK  ]
Starting sshd:[  OK  ]
[root@smallfry root]#

DNS WITH ME

Most DNS servers are schizophrenic – they may be masters (authoritative) for some zones, slaves for others, and provide caching or forwarding for all others. Many observers object to the concept of DNS types, partly because of the schizophrenic behaviour of most DNS servers and partly to avoid confusion with the named.conf zone parameter ‘type’, which only allows master, slave, stub, forward or hint. Nevertheless, the following terms are commonly used to describe the primary function or requirement of DNS servers.
Notes:
  1. Running any DNS server that supports recursive queries for external users when it does not need to (an Open DNS) is a bad idea. While it may look like a friendly and neighbourly thing to do, it carries with it the threat that it may be used in DDoS attacks as well as an increased risk of cache poisoning. The various configurations have been modified to ensure that the DNS stays closed to non-permitted users.
  2. One of the basic rules of security is that only the minimum services necessary to meet the objectives should be deployed. This means that a secure DNS server should provide only a single function, for instance, authoritative only, or caching only, not both capabilities in the same system. This is a correct but idealistic position generally possible only in larger organizations. In practice many of us run mixed mode DNS servers. While much can be done to mitigate any security implications it must always be accepted that, in mixed configurations, increased risk is the downside of flexibility.

Contents

4.1 Master (a.k.a. Primary) DNS Server
4.2 Slave (Secondary) DNS Server
4.3 Caching (a.k.a. hint) DNS Server
4.4 Forwarding (a.k.a Proxy, Client, Remote) DNS Server
4.5 Stealth (a.k.a. DMZ, Split or Hidden Master) DNS Server
4.6 Authoritative Only DNS Server
4.7 Split Horizon DNS Server

4.1 Master (Primary) Name Servers

A Master DNS contains one or more zone files for which this DNS is Authoritative (‘type master’). The zone has been delegated (via an NS Resource Record) to this DNS.
The term ‘master’ was introduced in BIND 8.x and replaced the term ‘primary’.
Master status is defined in BIND by including ‘type master’ in the zone declaration section of the named.conf file, as shown by the following fragment.
// example.com fragment from named.conf
// defines this server as a zone master
zone "example.com" in{
        type master;
        file "pri.example.com";
};
Notes:
  1. The terms Primary and Secondary DNS entries in Windows TCP/IP network properties mean nothing; they may reflect the ‘master’ and ‘slave’ name server or they may not – you decide this based on operational need, not BIND configuration.
  2. It is important to understand that a zone ‘master’ is a server which gets its zone data from a local source, as opposed to a ‘slave’ which gets its zone data from an external (networked) source (the ‘master’). This apparently trivial point means that you can have any number of ‘master’ servers for any zone if it makes operational sense. You have to ensure (by a manual or other process) that the zone files are synchronised, but apart from this there is nothing to prevent it.
  3. Just to confuse things still further, you may run across the term ‘Primary Master’; this has a special meaning in the context of dynamic DNS updates and is defined to be the name server that appears in the SOA RR.
When a master DNS receives queries for a zone for which it is authoritative, it will respond as ‘Authoritative’ (the AA bit is set in the query response).
When a DNS server receives a query for a zone which it is neither a Master nor a Slave then it will act as configured (in BIND this behaviour is defined in the named.conf file):
  1. If caching behaviour is permitted and recursive queries are allowed the server will completely answer the request or return an error.
  2. If caching behaviour is permitted and Iterative (non-recursive) queries are allowed the server can respond with the complete answer (if it is already in the cache because of another request), a referral or return an error.
  3. If caching behaviour is NOT permitted (an ‘Authoritative Only’ DNS server) the server will return a referral or return an error.
A master DNS server can export (NOTIFY) zone changes to defined (typically slave) servers. This ensures zone changes are rapidly propagated to the slaves (interrupt driven) rather than rely on the slave server polling for changes. The BIND default is to notify the servers defined in NS records for the zone.
If you are running Stealth Servers and wish them to be notified you will have to add an also-notify parameter as shown in the BIND named.conf file fragment below:
// example.com fragment from named.conf
// defines this server as a zone master
// 192.168.0.2 is a stealth server NOT listed in a NS record
zone "example.com" in{
        type master;
        also-notify {192.168.0.2;};
        file "pri/pri.example.com";
};
You can turn off all NOTIFY operations by specifying ‘notify no’ in the zone declaration.
Example configuration files for a master DNS are provided.

4.2 Slave (Secondary) Name Servers

A Slave DNS gets its zone file information from a zone master and it will respond as authoritative for those zones for which it is defined to be a ‘slave’ and for which it has a currently valid zone configuration.
The term ‘slave’ was introduced in BIND 8.x and replaced the term ‘secondary’.
Slave status is defined in BIND by including ‘type slave’ in the zone declaration section of the named.conf file, as shown by the following fragment.
// example.com fragment from named.conf
// defines this server as a zone slave
zone "example.com" in{
        type slave;
        file "sec/sec.example.com";
        masters {192.168.23.17;};
};
Notes:
  1. The master DNS for each zone is defined in the ‘masters’ zone section and allows slaves to refresh their zone record when the ‘expiry’ parameter of the SOA Record is reached. If a slave cannot reach the master DNS when the ‘expiry’ time has been reached it will stop responding to requests for the zone. It will NOT use time-expired data.
  2. The file parameter is optional and allows the slave to write the transferred zone to disc and hence if BIND is restarted before the ‘expiry’ time the server will use the saved data. In large DNS systems this can save a considerable amount of network traffic.
Assuming NOTIFY is allowed in the master DNS for the zone (the default behaviour) then zone changes are propagated to all the slave servers defined with NS Records in the master zone file. There can be any number of slave DNS’s for any given ‘master’ zone. The NOTIFY process is open to abuse. BIND’s default behaviour is to only allow NOTIFY from the ‘master’ DNS. Other acceptable NOTIFY sources can be defined using the allow-notify parameter in named.conf.
Example configuration files for a slave DNS are provided.

4.3 Caching Name Servers

A Caching Server obtains information from another server (a Zone Master) in response to a host query and then saves (caches) the data locally. On a second or subsequent request for the same data the Caching Server will respond with its locally stored data (the cache) until the time-to-live (TTL) value of the response expires at which time the server will refresh the data from the zone master.
If the caching server obtains its data directly from a zone master it will respond as ‘authoritative’, if the data is supplied from its cache the response is ‘non-authoritative’.
The default BIND behaviour is to cache and this is associated with the recursion parameter (the default is ‘recursion yes’). There are many configuration examples which show caching behaviour being defined using a type hint statement in a zone declaration. These configurations confuse two distinct but related functions. If a server is going to provide caching services then it must provide recursive queries and recursive queries need access to the root servers which is provided via the ‘type hint’ statement. A caching server will typically have a named.conf file which includes the following fragment:
// options section fragment of named.conf
// recursion yes is the default and may be omitted
options {
        directory "/var/named";
        version "not currently available";
        recursion yes;
};
// zone section
....
// the DOT indicates the root domain = all domains
zone "." IN {
        type hint;
        file "root.servers";
};
Notes:
  1. BIND defaults to recursive queries which by definition provides caching behaviour. The named.conf recursion parameter controls this behaviour.
  2. The zone ‘.’ is shorthand for the root domain which translates to ‘any domain not defined as either a master or slave in this named.conf file’.
  3. Cache data is discarded when BIND is restarted.
The most common DNS server caching configurations are:
  • A DNS server acting as master or slave for one or more zones (domains) and as cache server for all other requests. A general purpose DNS server.
  • A caching only local server – typically used to minimise external access or to compensate for slow external links. This is sometimes called a Proxy server, though we prefer to associate that term with a Forwarding server.
To cache or not is a crucial question in the world of DNS. BIND is regarded as the reference implementation of the DNS specification. As such it provides excellent – if complex to configure – functionality. The down side of generality is suboptimal performance on any single function – in particular caching involves a non-trivial performance overhead.
For general usage the breadth of BIND functionality typically offsets any performance concerns. However if the DNS is being ‘hit’ thousands of times per second performance is a major factor. There are now a number of alternate Open Source DNS servers some of which stress performance. These servers typically do NOT provide caching services (they are said to be ‘Authoritative only’ servers).
Example configuration files for a caching DNS are provided.
Note: The response to a query is Authoritative under three conditions:
  1. The response is received from a Zone master.
  2. The response is received from a Zone slave with non time-expired zone data.
  3. The response is received by a caching server directly from either a Zone master or slave. If the response is read from the cache directly it is not authoritative.

4.4 Forwarding (a.k.a Proxy) Name Servers

A forwarding (a.k.a. Proxy, Client, Remote) server is one which simply forwards all requests to another DNS and caches the results. On its face this looks a pretty pointless exercise. However a forwarding DNS server can pay off in two ways where access to an external network is slow or expensive:
  1. Local DNS server caching – reduces external access and both speeds up responses and removes unnecessary traffic.
  2. Remote DNS server provides recursive query support – reduction in traffic across the link – results in a single query across the network.
Forwarding servers also can be used to ease the burden of local administration by providing a single point at which changes to remote name servers may be managed, rather than having to update all hosts.
Forwarding can also be used as part of a Split Server configuration for perimeter defence.
BIND allows configuration of forwarding using the forward and forwarders parameters either at a ‘global’ level (in an options section) or on a per-zone basis in a zone section of the named.conf file. Both configurations are shown in the examples below:

Global Forwarding – All Requests

// options section fragment of named.conf
// forwarders can have multiple choices
options {
        directory "/var/named";
        version "not currently available";
        forwarders {10.0.0.1; 10.0.0.2;};
        forward only;
};
// zone file sections
....

Per Domain Forwarding

// zone section fragment of named.conf
zone "example.com" IN {
        type forward;
        forwarders {10.0.0.1; 10.0.0.2;};
};
Where dial-up links are used with DNS forwarding servers BIND’s general purpose nature and strict standards adherence may not make it an optimal solution. A number of the Alternate DNS solutions specifically target support for such links. BIND provides two parameters dialup and heartbeat-interval (neither of which is currently supported by BIND 9) as well as a number of others which can be used to minimise connection time.
Example configuration files for a forwarding DNS are provided.

4.5 Stealth (a.k.a. DMZ or Split) Name Server

A stealth server is defined as being a name server which does not appear in any publicly visible NS Records for the domain. The stealth server is normally used in a configuration called Split Servers which can be roughly defined as having the following characteristics:
  1. The organisation needs a public DNS to enable access to its public services e.g. web, mail, ftp etc.
  2. The organisation does not want the world to see any of its internal hosts either by interrogation (query or zone transfer) or should the DNS service be compromised.
A Split Server configuration is shown in Figure 4.1.
[Figure: Split (Stealth) Server configuration]
Figure 4.1 Split Server configuration
The external server(s) is(are) configured to provide Authoritative Only responses and no caching (no recursive queries accepted). The zone file for this server would be unique and would contain ONLY those systems or services that are publicly visible e.g. SOA, NS records for the public (not stealth) name servers, MX record(s) for mail servers and www and ftp service A records. Zone transfers can be allowed between the public servers as required but they MUST NOT transfer to or accept transfers from the Stealth server. While this may seem to create more work, the concern is that should the host running the external service be compromised then inspection of the named.conf or zone files must provide no more information than is already publicly visible. If ‘masters’, ‘allow-notify’ or ‘allow-transfer’ options are present in named.conf (each of which will contain a private IP) then the attacker has gained more knowledge about the organisation – they have penetrated the ‘veil of privacy’.
There are a number of articles which suggest that the view statement may be used to provide similar functionality using a single server but this does not address the problem of the DNS host system being compromised and by simple inspection of the named.conf file additional data about the organisation could be discovered. In our opinion ‘view’ does not provide adequate security in a ‘Split DNS’ solution.
A minimal public zone file is shown below:
; public zone master file
; provides minimal public visibility of external services
example.com.  IN      SOA   ns.example.com. root.example.com. (
                              2003080800 ; se = serial number
                              3h         ; ref = refresh
                              15m        ; ret = update retry
                              3w         ; ex = expiry
                              3h         ; min = minimum
                              )
              IN      NS      ns1.example.com.
              IN      NS      ns2.example.com.
              IN      MX  10  mail.example.com.
ns1           IN      A       192.168.254.1
ns2           IN      A       192.168.254.2
mail          IN      A       192.168.254.3
www           IN      A       192.168.254.4
ftp           IN      A       192.168.254.5
The internal server (the Stealth Server) can be configured to make visible internal and external services, provide recursive queries and all manner of other services. This server would use a private zone master file which could look like this:
; private zone master file used by stealth server(s)
; provides public and private services and hosts
example.com.  IN      SOA   ns.example.com. root.example.com. (
                              2003080800 ; se = serial number
                              3h         ; ref = refresh
                              15m        ; ret = update retry
                              3w         ; ex = expiry
                              3h         ; min = minimum
                              )
              IN      NS      ns1.example.com.
              IN      NS      ns2.example.com.
              IN      MX  10  mail.example.com.
; public hosts
ns1           IN      A       192.168.254.1
ns2           IN      A       192.168.254.2
mail          IN      A       192.168.254.3
www           IN      A       192.168.254.4
ftp           IN      A       192.168.254.5
; private hosts
joe           IN      A       192.168.254.6
bill          IN      A       192.168.254.7
fred          IN      A       192.168.254.8
....
accounting    IN      A       192.168.254.28
payroll       IN      A       192.168.254.29
Using BIND 9′s view statement to provide different services to internal and external requests can further reduce the Stealth server’s visibility, e.g. by forwarding all internal DNS requests to the external server.
Example configuration files for a stealth DNS are provided.

4.6 Authoritative Only Server

The term Authoritative Only is normally used to describe two concepts:
  1. The server will deliver Authoritative Responses – it is a zone master or slave for one or more domains.
  2. The server will NOT cache.
There are two configurations in which Authoritative Only servers are typically used:
  1. As the public or external server in a Split (a.k.a. DMZ or Stealth) DNS used to provide perimeter security.
  2. High Performance DNS servers. In this context general purpose DNS servers such as BIND may not provide an ideal solution and there are a number of Open Source Alternatives some of which specialise in high performance Authoritative only solutions.
You cannot completely turn off caching in BIND but you can control it and provide the functionality described above by simply turning off recursion in the ‘options’ section of named.conf as shown in the example below.
// options section fragment of named.conf
// recursion no = limits caching
options {
        directory "/var/named";
        version "not currently available";
        recursion no;
};
// zone file sections
....
BIND provides three more parameters to control caching: max-cache-size and max-cache-ttl, neither of which will have much effect on performance in this particular case, and allow-recursion, which takes a list of hosts that are permitted to use recursion (all others are not).
Example configuration files for an authoritative-only DNS are provided.
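A practical check for the point made in 4.5 and 4.6 is to inspect a public server’s named.conf for exactly the things an intruder would learn from it. The following is an added example (not code from the original article or from BIND) with a small named.conf parser of its own; it flags private addresses in masters, also-notify, allow-notify and allow-transfer clauses and recursion left on, and the two configuration fragments it checks are constructed for the example.

```python
"""Audit a named.conf intended for the public (external) server of a split DNS.

Constructed example for sections 4.5 and 4.6, not code from the original article
or from BIND. It reports what a compromised public server's named.conf must not
reveal: private addresses in masters / also-notify / allow-notify / allow-transfer
clauses, and recursion left on (4.6: an authoritative-only server sets `recursion no`).
"""
import ipaddress
import re
from typing import Dict, List, Tuple

LEAKY_CLAUSES = ("masters", "also-notify", "allow-notify", "allow-transfer")
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?")
# `name value;` or `name { ... };` inside a block (one level of nesting is enough here)
STMT_RE = re.compile(r"([A-Za-z][\w-]*)(?:\s*\{([^}]*)\}|\s+([^;{}]+))\s*;")


def strip_comments(text: str) -> str:
    """BIND accepts /* */, // and # comments; drop all three (also inside strings, which is fine here)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def top_level_blocks(text: str) -> List[Tuple[str, str]]:
    """Split a named.conf into (header, body) pairs, one per top-level `header { body };`."""
    blocks, depth, body_start, header_start = [], 0, 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                body_start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                header = text[header_start:body_start].strip().lstrip(";").strip()
                blocks.append((header, text[body_start + 1:i]))
                header_start = i + 1
    return blocks


def is_private(addr: str) -> bool:
    """RFC 1918, loopback or link-local; accepts a.b.c.d or a.b.c.d/n."""
    net = ipaddress.ip_network(addr, strict=False)
    return any(net.subnet_of(p) for p in PRIVATE_NETS)


def statements(body: str) -> Dict[str, str]:
    """Map statement name to its value (or the text between its braces)."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3)).strip()
            for m in STMT_RE.finditer(body)}


def audit_public_named_conf(conf: str) -> List[str]:
    """One finding per problem; an empty list means the file reveals nothing extra."""
    findings: List[str] = []
    saw_options = False
    for header, body in top_level_blocks(strip_comments(conf)):
        stmts = statements(body)
        if header == "options":
            saw_options = True
            recursion = stmts.get("recursion", "yes (BIND default)")
            if not recursion.lower().startswith("no"):
                findings.append(f"options: recursion {recursion}; a public authoritative-only "
                                "server needs `recursion no`")
            continue
        zone = re.match(r'zone\s+"([^"]+)"', header)
        if zone is None:
            continue
        for clause in LEAKY_CLAUSES:
            for addr in IPV4_RE.findall(stmts.get(clause, "")):
                if is_private(addr):
                    findings.append(f"zone {zone.group(1)}: {clause} lists private address {addr}")
    if not saw_options:
        findings.append("no options block: recursion defaults to yes")
    return findings


# Constructed configs: the first would tell an intruder about 192.168.23.x, the second would not.
LEAKY_CONF = """\
options {
        directory "/var/named";
        version "not currently available";
        recursion yes;
};
zone "example.com" in{
        type slave;
        file "sec/sec.example.com";
        masters {192.168.23.17;};
        allow-transfer {192.168.23.18;};
};
"""

CLEAN_CONF = """\
options {
        directory "/var/named";
        version "not currently available";
        recursion no;
};
zone "example.com" IN {
        type master;
        file "pri/pri.example.com";
        allow-transfer {203.0.113.2;};   // the other public name server
};
"""
```

Run `audit_public_named_conf()` over the real /etc/named.conf of a public server; anything it returns is information the page says must not be there.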

4.7 Split Horizon DNS Server

This section was introduced at the suggestion of Maren Leizaola – many thanks for both taking the time and for providing interesting usage examples.
The term Split Horizon is normally used to describe a DNS server that will give different responses (IP addresses) based on the source address, or some other characteristic, of the query. While it has similar configuration properties to the Stealth DNS it can also be used in a variety of unique situations such as:
  1. Geographic Dispersal: Assume that, for example, a web service is replicated in a number of locations (for either performance or access latency reduction) then a specific IP address may be returned based on the source address of the query to ensure the shortest possible path from the user to the service. For those familiar with anycast you could consider this as a poor man’s anycast service.
  2. Naming Consistency: Assume that you have, say, a corporate in-house LDAP service and that for reasons of security you want to keep certain highly secure data on one server only accessible to certain individuals or organizational sections, which have unique or identifiable IP addresses or address ranges, but for reasons of consistency (scripts, configuration files etc) you want both the secure and insecure LDAP services to be named, say, ldap.example.com.
Other possibilities may strike imaginative readers. The unifying element is that some characteristic of the incoming query will cause the DNS to generate a query-dependent result.
BIND’s view clause provides a method that can be used to build such configurations and example files are provided.

What Is iptables?

How do I configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora / Redhat Enterprise Linux?
Netfilter is a host-based firewall for Linux operating systems. It is included as part of the Linux distribution and is activated by default. This firewall is controlled by the program called iptables. Netfilter filtering takes place at the kernel level, before a program can even process the data from the network packet.

Iptables Config File

The default config files for RHEL / CentOS / Fedora Linux are:
  • /etc/sysconfig/iptables – The rules file; the system scripts activate the firewall by reading this file.

Task: Display Default Rules

Type the following command:
iptables --line-numbers -n -L
Sample outputs:
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
 
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
 
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
 
Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
8    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Task: Turn On Firewall

Type the following two commands to turn on firewall:
chkconfig iptables on
service iptables start
# restart the firewall
service iptables restart
# stop the firewall
service iptables stop

Understanding Firewall

There are total 4 chains:
  1. INPUT – The default chain is used for packets addressed to the system. Use this to open or close incoming ports (such as 80,25, and 110 etc) and ip addresses / subnet (such as 202.54.1.20/29).
  2. OUTPUT – The default chain used for packets generated by the system. Use it to open or close outgoing ports and ip addresses / subnets.
  3. FORWARD – The default chain used for packets routed through the system from one interface to another. Usually used when you set up Linux as a router. For example, eth0 connected to an ADSL/Cable modem and eth1 connected to the local LAN. Use the FORWARD chain to send and receive traffic between the LAN and the Internet.
  4. RH-Firewall-1-INPUT - This is a user-defined custom chain. It is used by the INPUT, OUTPUT and FORWARD chains.

Packet Matching Rules

  1. Each packet starts at the first rule in the chain.
  2. A packet proceeds rule by rule until it matches one.
  3. If a match is found, control jumps to the specified target (such as REJECT, ACCEPT, DROP).

Target Meanings

  1. The target ACCEPT means allow packet.
  2. The target REJECT means to drop the packet and send an error message to remote host.
  3. The target DROP means drop the packet and do not send an error message to remote host or sending host.

/etc/sysconfig/iptables

Edit /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables
You will see default rules as follows:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Drop All Traffic

Find lines:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
Update as follows to change the default policy to DROP from ACCEPT for the INPUT and FORWARD built-in chains:
:INPUT DROP [0:0]
:FORWARD DROP [0:0]

Log and Drop Spoofing Source Addresses

Append the following lines before final COMMIT line:
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST "
-A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK "
-A INPUT -i eth0 -s 169.254.0.0/16  -j LOG --log-prefix "IP DROP MULTICAST "
-A INPUT -i eth0 -s 0.0.0.0/8  -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s  240.0.0.0/4  -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s  255.255.255.255/32  -j LOG --log-prefix "IP DROP  "
-A INPUT -i eth0 -s 168.254.0.0/16  -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s 248.0.0.0/5  -j LOG --log-prefix "IP DROP "

Log And Drop All Traffic

Find the lines:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Update it as follows:
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
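The rules above only produce log lines; turning them into something a defender can act on means parsing what the kernel writes. The following is an added example (not code from the original article) that parses constructed netfilter LOG lines carrying the prefixes used in ‘Log and Drop Spoofing Source Addresses’ and the unprefixed lines from ‘Log And Drop All Traffic’, and summarises them by prefix, source, destination port and the reserved range the source falls in.

```python
"""Parse and summarise kernel LOG lines written by the "IP DROP ..." rules above.

Constructed example for this section (not code from the original article): the log
lines are made up in the format the netfilter LOG target writes to /var/log/messages,
and the prefixes are the ones used in the rules above.
"""
import ipaddress
import re
from collections import Counter
from typing import Iterable, Optional

# Everything between "kernel: " and "IN=" is the --log-prefix; SPT/DPT exist for TCP/UDP only.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>.*?)IN=(?P<iface>\S*) OUT=\S* .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Address classes the spoofing rules are meant to catch (first match wins).
BOGON_CLASSES = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("private", ipaddress.ip_network("10.0.0.0/8")),
    ("private", ipaddress.ip_network("172.16.0.0/12")),
    ("private", ipaddress.ip_network("192.168.0.0/16")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("multicast", ipaddress.ip_network("224.0.0.0/4")),
    ("reserved", ipaddress.ip_network("240.0.0.0/4")),
    ("this-network", ipaddress.ip_network("0.0.0.0/8")),
]

# Constructed sample: three SPOOF hits, one MULTICAST hit, one hit on the 168.254.0.0/16
# rule, one unprefixed line from the plain "-j LOG" rule, and one unrelated syslog line.
SAMPLE_LOG = """\
Aug 30 10:01:02 rhel5 kernel: IP DROP SPOOF IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.9.8.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 30 10:01:03 rhel5 kernel: IP DROP SPOOF IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=192.168.77.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 30 10:01:05 rhel5 kernel: IP DROP SPOOF IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.9.8.7 DST=203.0.113.10 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=40003 DPT=53 LEN=44
Aug 30 10:01:06 rhel5 kernel: IP DROP MULTICAST IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=169.254.3.3 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40004 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 30 10:01:07 rhel5 kernel: IP DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=168.254.1.1 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=40005 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 30 10:01:09 rhel5 kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=198.51.100.9 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=40006 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 30 10:01:10 rhel5 sshd[2231]: Accepted publickey for admin from 198.51.100.20 port 51022 ssh2
"""


def classify(addr: str) -> str:
    """Name the reserved range a source address falls in, or 'routable'."""
    ip = ipaddress.ip_address(addr)
    return next((label for label, net in BOGON_CLASSES if ip in net), "routable")


def parse_line(line: str) -> Optional[dict]:
    """Return a record for a netfilter LOG line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prefix"] = rec["prefix"].strip() or "(no prefix)"
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    rec["src_class"] = classify(rec["src"])
    return rec


def summarise(lines: Iterable[str]) -> dict:
    """Counts by log prefix, source address, destination port and source class.

    A 'routable' SRC means a LOG rule fired on address space that is not a bogon
    at all, i.e. the rule matches more than its prefix claims."""
    recs = [r for r in map(parse_line, lines) if r]
    return {
        "by_prefix": Counter(r["prefix"] for r in recs),
        "by_src": Counter(r["src"] for r in recs),
        "by_dpt": Counter(r["dpt"] for r in recs if r["dpt"] is not None),
        "by_src_class": Counter(r["src_class"] for r in recs),
        "routable_src": sorted({r["src"] for r in recs if r["src_class"] == "routable"}),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

LOG is a non-terminating target, so the spoofing lines above only log until a matching DROP rule follows each of them; sources that come back as ‘routable’ (168.254.0.0/16 above is ordinary routable space, unlike 169.254.0.0/16) show a LOG rule matching more than its prefix claims.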

Open Port

To open port 80 (Http server) add the following before COMMIT line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
To open port 53 (DNS Server) add the following before COMMIT line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -j ACCEPT
To open port 443 (Https server) add the following before COMMIT line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
To open port 25 (smtp server) add the following before COMMIT line:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT

Only allow SSH traffic From 192.168.1.0/24

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT

Enable Printing Access For 192.168.1.0/24

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT

Allow Legitimate NTP Clients to Access the Server

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

Open FTP Port 21 (FTP)

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
Save and close the file. Edit /etc/sysconfig/iptables-config, enter:
# vi /etc/sysconfig/iptables-config
Make sure ftp module is loaded with the space-separated list of modules:
IPTABLES_MODULES="ip_conntrack_ftp"
To restart firewall, type the following commands:
# service iptables restart
# iptables -vnL --line-numbers
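The packet matching rules above (first match wins, then a jump to the target) decide whether the ‘add before COMMIT’ steps work: a rule appended after the final REJECT in RH-Firewall-1-INPUT is never reached. The following is an added example (not code from the original article) that models the traversal for the default rule set above with constructed packets, and shows the port-80 rule taking effect only when it is placed before that REJECT.

```python
"""Model of iptables filter-table traversal for the rule set above: first match wins,
`-j <user chain>` descends and returns to the caller when that chain runs out, LOG does
not terminate, and a built-in chain's policy applies only when nothing matched.
Constructed example, not code from the original article; only the match options the
rules above use (-p, --dport, --state, -i, -s, -d) are modelled."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The default /etc/sysconfig/iptables shown above, verbatim.
DEFAULT_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


@dataclass
class Packet:
    proto: str                  # tcp / udp / icmp
    dport: Optional[int] = None
    state: str = "NEW"          # conntrack state
    iface: str = "eth0"
    src: str = "198.51.100.7"   # constructed sample addresses
    dst: str = "203.0.113.10"


def rule_matches(match: Dict[str, str], p: Packet) -> bool:
    """Every match option on the rule must hold; an absent option matches anything."""
    in_net = lambda addr, net: ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
    checks = {
        "-p": lambda v: v == p.proto,
        "--dport": lambda v: int(v) == p.dport,
        "--state": lambda v: p.state in v.split(","),
        "-i": lambda v: v == p.iface,
        "-s": lambda v: in_net(p.src, v),
        "-d": lambda v: in_net(p.dst, v),
    }
    unknown = set(match) - set(checks) - {"-m", "--icmp-type", "--reject-with", "--log-prefix", "--log-level"}
    if unknown:
        raise ValueError(f"match options not modelled: {sorted(unknown)}")
    return all(checks[opt](val) for opt, val in match.items() if opt in checks)


def parse_rules(text: str) -> Tuple[Dict[str, List[dict]], Dict[str, str]]:
    """Read iptables-save format into {chain: [rule]} and {chain: policy} ('-' for user chains)."""
    chains: Dict[str, List[dict]] = {}
    policies: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "*#" or line == "COMMIT":
            continue
        if line.startswith(":"):                      # ":CHAIN POLICY [pkts:bytes]"
            name, policy, _ = line[1:].split()
            policies[name], chains[name] = policy, []
            continue
        toks = shlex.split(line)                      # toks[0] is -A, toks[1] the chain
        opts = dict(zip(toks[2::2], toks[3::2]))      # every option used above takes one argument
        chains.setdefault(toks[1], []).append({"target": opts.pop("-j"), "match": opts})
    return chains, policies


def walk(chains: Dict[str, List[dict]], chain: str, p: Packet, trace: List[str]) -> Optional[str]:
    """Verdict reached inside `chain`, or None if the chain ran out without one."""
    for n, rule in enumerate(chains[chain], 1):
        if not rule_matches(rule["match"], p):
            continue
        target = rule["target"]
        trace.append(f"{chain}:{n} -> {target}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains:                          # user-defined chain: descend
            v = walk(chains, target, p, trace)
            if v is not None:
                return v
        # LOG, or a user chain that fell off its end: carry on with the next rule
    return None


def verdict(rules_text: str, p: Packet, chain: str = "INPUT") -> Tuple[str, List[str]]:
    """Final verdict for `p` entering `chain`, plus the rules it hit on the way."""
    chains, policies = parse_rules(rules_text)
    trace: List[str] = []
    v = walk(chains, chain, p, trace)
    return (policies[chain] if v is None else v), trace


def with_rule(rules_text: str, new_rule: str, before_final_reject: bool) -> str:
    """Add new_rule just before COMMIT (as the how-to says) or just before the last REJECT."""
    lines = rules_text.splitlines()
    idx = (max(i for i, l in enumerate(lines) if " -j REJECT" in l)
           if before_final_reject else lines.index("COMMIT"))
    return "\n".join(lines[:idx] + [new_rule] + lines[idx:])
```

`verdict(with_rule(DEFAULT_RULES, "-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT", False), Packet("tcp", 80))` still returns REJECT, while the same rule inserted before the REJECT line returns ACCEPT; the trace lists the rule numbers, the same ones `iptables --line-numbers -n -L` prints.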

Edit /etc/sysctl.conf For DoS and Syn Protection

Edit /etc/sysctl.conf to defend against certain types of attacks and append / update as follows:
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
See previous FAQ, “Linux Kernel /etc/sysctl.conf Security Hardening” for more details.

Alternate Configuration Option

You can skip /etc/sysconfig/iptables file and create a shell script from scratch as follows:
#!/bin/bash
# A sample firewall shell script
IPT="/sbin/iptables"
SPAMLIST="blockedip"
SPAMDROPMSG="BLOCKED IP DROP"
SYSCTL="/sbin/sysctl"
BLOCKEDIPS="/root/scripts/blocked.ips.txt"
 
# Stop certain attacks
echo "Setting sysctl IPv4 settings..."
$SYSCTL net.ipv4.ip_forward=0
$SYSCTL net.ipv4.conf.all.send_redirects=0
$SYSCTL net.ipv4.conf.default.send_redirects=0
$SYSCTL net.ipv4.conf.all.accept_source_route=0
$SYSCTL net.ipv4.conf.all.accept_redirects=0
$SYSCTL net.ipv4.conf.all.secure_redirects=0
$SYSCTL net.ipv4.conf.all.log_martians=1
$SYSCTL net.ipv4.conf.default.accept_source_route=0
$SYSCTL net.ipv4.conf.default.accept_redirects=0
$SYSCTL net.ipv4.conf.default.secure_redirects=0
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=1
$SYSCTL net.ipv4.icmp_ignore_bogus_error_messages=1
$SYSCTL net.ipv4.tcp_syncookies=1
$SYSCTL net.ipv4.conf.all.rp_filter=1
$SYSCTL net.ipv4.conf.default.rp_filter=1
$SYSCTL kernel.exec-shield=1
$SYSCTL kernel.randomize_va_space=1
 
echo "Starting IPv4 Firewall..."
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
 
# load modules
modprobe ip_conntrack
 
[ -f "$BLOCKEDIPS" ] && BADIPS=$(egrep -v -E "^#|^$" "${BLOCKEDIPS}")
 
# interface connected to the Internet
PUB_IF="eth0"
 
#Unlimited traffic for loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
 
# Default policy: DROP on all chains (allowed traffic is opened up below)
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
 
if [ -f "${BLOCKEDIPS}" ];
then
# create a new iptables list
$IPT -N $SPAMLIST
 
for ipblock in $BADIPS
do
   $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG "
   $IPT -A $SPAMLIST -s $ipblock -j DROP
done
 
$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST
fi
 
# Drop new TCP connections that do not start with a SYN
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
 
# Block Fragments
$IPT -A INPUT -i ${PUB_IF} -f  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A INPUT -i ${PUB_IF} -f -j DROP
 
# Block bad stuff
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
 
# Allow full outgoing connection but no incoming stuff
$IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 
# Allow ssh
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 22 -j ACCEPT
 
# Allow http / https (open port 80 / 443)
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 80 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 443 -j ACCEPT
 
# allow incoming ICMP ping pong stuff
# (OUTPUT rules must match the outgoing interface with -o; -i is not valid in OUTPUT)
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Allow port 53 tcp/udp (DNS Server)
$IPT -A INPUT -i ${PUB_IF} -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED  -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Open port 110 (pop3) / 143
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 110 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 143 -j ACCEPT
 
##### Add your rules below ######
#
#
##### END your rules ############
 
# Do not log smb/windows sharing packets - too much logging
$IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT
 
# log everything else and drop
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
$IPT -A INPUT -j DROP
 
exit 0

NAT


If you are running a recent 2.6 Linux Kernel this four step process should work for you. This has been specifically tested on Fedora Core 3, 4, 5, and 6, but should work on any modern Linux distribution. All of these commands must be executed as the root user. First you need to tell your kernel that you want to allow IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
Then you’ll need to configure iptables to forward the packets from your internal network, on /dev/eth1, to your external network on /dev/eth0. You do this with the following commands:
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
You should now be NATing. You can test this by pinging an external address from one of your internal hosts. The last step is to ensure that this setup survives over a reboot. Obviously you should only do these last two steps if your test is a success.
You will need to edit /etc/sysctl.conf and change the line that says net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1. Notice how this is similar to step number one? This essentially tells your kernel to do step one on boot.
Ok last step for Fedora/RHEL users. In order for your system to save the iptables rules we set up in step two you have to configure iptables correctly. You will need to edit /etc/sysconfig/iptables-config and make sure IPTABLES_MODULES_UNLOAD, IPTABLES_SAVE_ON_STOP, and IPTABLES_SAVE_ON_RESTART are all set to ‘yes’.
For non-Fedora/RHEL users you can simply set up an init script for this or append these commands to the existing rc.local script so they are executed on boot. Or if you want to get even more fancy, you can use the commands iptables-save and iptables-restore to save/restore the current state of your iptables rules.
After all that is done, you should probably do a test reboot to ensure that you’ve done everything correctly. If you find any errors on this page or this does not work for you please feel free to E-mail m

Mount NTFS

How to mount partition with ntfs file system and read write access
Article Index
1. Introduction
2. Mount NTFS file system with read only access
2.1. NTFS kernel support
2.2. Identifying partition with NTFS file system
2.3. Mount NTFS partition
3. Mount NTFS file system with read write access
3.1. Install additional software
3.1.1. Fuse Install
3.1.2. ntfs-3g install
3.2. Mount ntfs partition with read write access

1. Introduction

The purpose of this article is to provide the reader with a step-by-step guide to mounting a partition with an NTFS file system on the Linux operating system. This article consists of two parts:
  • mount NTFS file system read only access
  • mount NTFS file system with read write access

2. Mount NTFS file system with read only access

2.1. NTFS kernel support

The majority of current Linux distributions support the NTFS file system out of the box. To be more specific, NTFS support is a feature of the Linux kernel modules rather than of the distribution. First verify that the NTFS module is installed on our system.
ls /lib/modules/2.6.18-5-686/kernel/fs/ | grep ntfs
The NTFS module is present. Let’s identify the NTFS partition.

2.2. Identifying partition with NTFS file system

One simple way to identify NTFS partition is:
fdisk -l | grep NTFS
There it is: /dev/sdb1

2.3. Mount NTFS partition

First create a mount point:
mkdir /mnt/ntfs
Then simply use the mount command to mount it:
mount -t ntfs /dev/sdb1 /mnt/ntfs
Description: Mount NTFS partition using linux
Now we can access the NTFS partition and its files, but only with read access: the in-kernel ntfs driver cannot create or resize files, which is what the next section addresses.

3. Mount NTFS file system with read write access

Mounting an NTFS file system with read write access is a bit more complicated. It requires additional software, fuse and ntfs-3g. In both cases you will normally use your package management tool (yum, apt-get, synaptic etc.) and install them from your distribution’s standard repository, which also gets you signed packages and security updates; look for the packages ntfs-3g and fuse. This article takes the other path, manual compilation and installation of fuse and ntfs-3g from source code.

3.1. Install additional software

3.1.1. Fuse Install

Download the source code from: http://fuse.sourceforge.net/
wget http://easynews.dl.sourceforge.net/sourceforge/fuse/fuse-2.7.1.tar.gz
Check the tarball against the checksum or signature published by the project before building it; fuse installs a setuid root helper (fusermount), so you do not want to compile an altered copy. Then extract the source file:
tar xzf fuse-2.7.1.tar.gz
Compile and install (&& stops the chain at the first failure instead of running make install on a broken build):
cd fuse-2.7.1
./configure --exec-prefix=/ && make && make install
Description: Compile and install fuse source code
Description: Compile and install fuse source code

3.1.2. ntfs-3g install

Download the source code from: http://www.ntfs-3g.org/index.html#download
wget http://www.ntfs-3g.org/ntfs-3g-1.1120.tgz
Extract the source file:
tar xzf ntfs-3g-1.1120.tgz
Compile and install the ntfs-3g source code.
NOTE: Make sure the pkg-config package is installed, otherwise configure fails with this error message:
checking for pkg-config... no
checking for FUSE_MODULE... configure: error: FUSE >= 2.6.0 was not found. Either it's not fully
installed (e.g. fuse, fuse-utils, libfuse, libfuse2, libfuse-dev, etc packages) or files from an old
version are still present. See FUSE at http://fuse.sf.net/
cd ntfs-3g-1.1120
./configure && make && make install
Description: Compile and install ntfs-3g source code

3.2. Mount ntfs partition with read write access

mount -t ntfs-3g /dev/sdb1 /mnt/ntfs/
NOTE: ntfs-3g recommends kernel version 2.6.20 or higher. On an older kernel the mount succeeds but prints this warning:
linuxconfig.org~# mount -t ntfs-3g /dev/sdb1 /mnt/ntfs/
WARNING: Deficient Linux kernel detected. Some driver features are
         not available (swap file on NTFS, boot from NTFS by LILO), and
         unmount is not safe unless it's made sure the ntfs-3g process
         naturally terminates after calling 'umount'. If you wish this
         message to disappear then you should upgrade to at least kernel
         version 2.6.20, or request help from your distribution to fix
         the kernel problem. The below web page has more information:
 
http://ntfs-3g.org/support.html#fuse26
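The article mounts the partition with default options. As an added example, not part of the article, the script below finds NTFS partitions and mounts one read-write with ntfs-3g using the options a shared machine should have: NTFS carries no Unix permission bits, so without uid/gid/umask ntfs-3g presents every file as root-owned and mode 0777, and a disk that came from somewhere else can carry setuid binaries or device nodes that the Unix side would honour. The device names, the mount point /mnt/ntfs and uid/gid 1000 are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: locate NTFS partitions and mount one
# read-write with ntfs-3g using options suited to a multi-user host.
# Assumed names: /dev/sdb1, /mnt/ntfs, uid/gid 1000 (adjust to your system).

# ntfs_from_fdisk: read "fdisk -l" output on stdin and print the device name
# of every partition whose type column says NTFS. fdisk only reports the
# partition type id from the partition table (7 = HPFS/NTFS, newer fdisk
# prints HPFS/NTFS/exFAT), not what is really formatted there.
ntfs_from_fdisk() {
    awk '$1 ~ /^\/dev\// && /NTFS/ { print $1 }'
}

# ntfs_devices: prefer blkid, which probes the filesystem superblock, and fall
# back to parsing fdisk when blkid is not installed.
ntfs_devices() {
    if command -v blkid >/dev/null 2>&1; then
        blkid -t TYPE=ntfs -o device
    else
        fdisk -l 2>/dev/null | ntfs_from_fdisk
    fi
}

# ntfs_mount_opts UID GID: give the files to one local user and hide them from
# everybody else (umask=077; NTFS has no Unix permission bits, so ntfs-3g
# would otherwise present everything as root-owned mode 0777), and neutralise
# setuid binaries, device nodes and direct execution from the foreign disk.
ntfs_mount_opts() {
    echo "rw,nosuid,nodev,noexec,uid=$1,gid=$2,umask=077"
}

# mount_ntfs DEVICE MOUNTPOINT UID GID: mount, then confirm from /proc/mounts
# that the kernel really applied the restrictive flags (ntfs-3g mounts show
# up there with type fuseblk, not ntfs).
mount_ntfs() {
    dev="$1"; mp="$2"
    mkdir -p "$mp"
    mount -t ntfs-3g -o "$(ntfs_mount_opts "$3" "$4")" "$dev" "$mp" || return 1
    grep -q "^$dev $mp [^ ]* [^ ]*nosuid,nodev,noexec" /proc/mounts
}

# Typical use, as root:
#   mount_ntfs /dev/sdb1 /mnt/ntfs 1000 1000
# or for every NTFS partition found:  for d in $(ntfs_devices); do ...; done
```

If you later want scripts or binaries from the disk to be executable, drop noexec for that one mount rather than for all of them, and keep nosuid and nodev in any case; a removable disk is the classic way of carrying a setuid shell onto a machine.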


All Commands
This is a list of commands that gives you just enough information to decide what command you want to use.
A
  • alias – allows you to create shorter or more familiar names for commonly used commands
  • apropos – search the manual page names and descriptions
  • at – execute a command-line task at a specified future time
  • awk – print only the nth word of an input line and more
B
  • badblocks – search a disk or partition for bad blocks
  • bash – a shell
  • beep – customized audible alerts
  • bunzip2 – unpack files packed with bzip2
  • bzip2 – a pack utility
C
  • cat – receive strings from stdin or a file and output them to stdout or a file
  • chgrp – change the group ownership of a file
  • chmod – change the permission mode of a file
  • chown – change the owner of a file
  • chroot – run a command with a different directory as its apparent root (not a security boundary on its own)
  • chsh – change the shell of a user
  • cp – copy a file
  • cpio – pack or unpack files in cpio archives
  • cron – daemon that runs scheduled tasks at set times
  • crontab – control the cron service
  • cut – display specific columns of a file delimited by a character
  • cvs – a version management system
D
  • date – output or set date and time
  • dd – copy raw blocks between files and devices (disk images, wiping) and more
  • df – show how much free disk space there is
  • diff – show the difference between two files and more
  • dig – show answer of DNS lookup of queried name server
  • disown – disowns a job (removes the pid of the job). Even when the shell exits, the job won’t stop running
  • du – show how much disc space is used up
E
  • echo – echo a string/value to stdout
  • env – show all environment variables
  • exit – exit most shells
  • export – set an environment variable in the bash or zsh
F
  • fdisk – partition a disc
  • fg – fetch a process from the background to the foreground
  • file (command) – determine a file’s type
  • find – find a file depending on its name, size, change date or other attributes
  • ftp – transfer files with FTP (credentials and data travel in clear text; prefer sftp or scp)
G
  • g++ – compile C++ code
  • gcc – compile C code
  • grep – search for patterns in a file and more
  • groups – show what groups your user is in
  • gunzip – unpack gzip-compressed files
  • gzip – compress files in gzip format
H
  • halt – shut down your computer
  • head – show only the first n lines of a file and more
  • hexdump – show a file’s content in hexadecimal numbers and more
  • history (command) – show a command history in the bash shell
  • hostname – show your computer’s name
  • hwinfo – show your available hardware
I
  • id – show your user and groups ids
  • ifconfig – show your ip address and more
  • info – show info about a given command
  • init – reboot or change runlevel
  • iptables – configure the kernel packet filter (iptables -L shows the current firewall rules)
  • iptraf – Interactive IP LAN monitor
J
  • jobs – gives a list of current background jobs (processes)
K
  • kill – kill a process
  • killall – kill all processes with a given name
L
  • ldd – show dynamic libraries needed by an executable
  • less – show output in a viewer where you can scroll and search
  • ln – link a file
  • ls – list a file
  • lsmod – list loaded kernel modules
  • lsof – list open files and listening sockets
  • lspci – list all pci devices
  • lsusb – list usb devices
M
  • make – compile software and more
  • man – get help on questions that you never wanted to ask
  • md5sum – compute the md5 sum of a file and more
  • mkdir – make a directory
  • mkfs – format a device
  • minicom – communicate over your RS232 interface
  • more – show input in a searchable pager
  • mount – attach a filesystem to the directory tree
  • mv – move a file (can also be renaming)
N
  • netcat – Send some bytes to the network
  • netstat – get information on listening sockets, open ports and more
  • nice – set a process’ priority
  • nm – list the names of functions in an object file
  • nmap – network and port scanner tool
O
  • objdump – show information about object files
  • openssl – create cryptographic server certificates and more
P
  • passwd – change your and other’s password
  • ping – show if a given computer is up and running
  • ps – show running processes
  • pwd – show your current working directory
Q
  • quota – manage how much resources the user is allowed to consume
R
  • rar – rar files/directories
  • read – read a string from your keyboard and more
  • reboot – reboot the computer
  • rename – rename a file
  • rm – delete a file
  • route – manage your network routing table
  • rpm – a package management backend for Redhat and Fedora
  • rsync – synchronize your folders over the network
S
  • scp – (secure copy) over a network
  • screen – a terminal multiplexer
  • sed – manipulate a stream of characters (scripting language)
  • setenv – change the value of an environment variable in the csh
  • shuf – generate random permutations
  • shutdown – shutdowns/reboots the system
  • sleep – wait/delay some time
  • ssh – login into / execute commands in a remote host
  • su – change user
  • sudo – execute the command as another user (usually root- /etc/sudoers)
T
  • tail – show only the last n lines of a file and more
  • tar – pack files into a tar archive
  • tcpdump – capture and print network packets
  • tee – copy stdin to stdout and to one or more files
  • time – show the time needed by a command to finish
  • top – show the top CPU consuming processes and more
  • touch – create a file or update its time stamp
  • traceroute – show the route a packet takes over the network
  • tac – print a file in reverse line order (the opposite of cat)
U
  • ulimit – show the limits of your user
  • umount – unmount a device (Often requires sudo permissions)
  • uname – show the running kernel’s version and more
  • uniq – remove repeated lines in a sorted file
  • unzip – unpack files
  • uptime – show the time since your computer was last switched on
  • useradd – add a user
  • userdel – delete a user
  • usermod – modify a user
V
  • vgcreate – create lvm volume groups
  • vgdisplay – display lvm volume groups
  • vgs – show information about lvm volume groups
  • vgscan – scan for lvm volume groups
  • vim – it is not a text editor like Notepad, it is closer to an IDE
  • vmstat – show input/output values, swap, memory consumption and more
W
  • w – print who is logged in to your system
  • wc – word count (word,line,char)
  • which – print the path where you find an executable file
  • whoami – print your effective user name
X
  • xargs – hand over stdin as a parameter
  • xev – show information about your keystrokes and more
  • xkill – kill a window that is in your way
  • xosview – show CPU/memory/hard Drive activity and more
Y
  • yacc – A C parser generator
  • yes – repeatedly output a string
  • yum – a package management frontend for Redhat & Fedora
  • yast – a package management frontend for SUSE
Z
  • zip – pack a file












Encryption tools

  • gpg - Encrypts data using GNU Privacy Guard.
  • mcrypt - Encrypts the specified file (unmaintained for years; prefer gpg).
  • mimencode - Encodes the specified binary file to one of the ASCII encoding formats. This is encoding, not encryption: there is no key and no confidentiality.
  • mpack - Pack a file in MIME format (encoding, not encryption).
  • uuencode - Encodes the specified binary file so that it can be transferred over a medium which does not support non-ASCII characters (encoding, not encryption: anyone can uudecode it).

Decryption tools

  • gpg - Decrypts data using GNU Privacy Guard.
  • mdecrypt - Decrypts any file with the .enc suffix that was encrypted by mcrypt.
  • munpack - Unpack messages in MIME or split-uuencode format.
  • uudecode - Decodes the uuencoded file.
  • uudeview - A powerful decoder for binary files.
Directory Commands
  • cd - Change directories
  • df - print the free space on the filesystem that holds a directory
  • du - print the size of a directory
  • ln - Create a link to a file or directory
  • ls - Lists the files contained in the directory
  • mkdir - Create a new directory
  • pwd - Print the current working directory
  • rmdir – Remove the specified directory
  • symlinks - Find symbolic links

Partitioning

  • cfdisk - Interactive hard disc partition utility for text mode.
  • fdisk - Launches a menu-driven program that partitions a hard disk.
  • parted - command line partitioning tool. (parted sometimes complains about boundaries of partitions created with fdisk. parted can format a partition of type ext2 or fat32 partition while creating it.)

Formatting

  • mkfs - front-end to various filesystem-creation tools
    • parted can create a filesystem while partitioning
    • mkfs.vfat /dev/sde1 to format a fat32 partition sde1
    • mkfs.ext2 /dev/sde2 to format an ext2 partition sde2

Tuning

  • tune2fs - command to tune ext2/ext3 filesystems
    • tune2fs -j /dev/sde2 to convert an ext2 filesystem sde2 to ext3 by adding a journal
    • tune2fs -L bulkdata /dev/sde2 to set the volume label of sde2 to “bulkdata” (the label comes before the device)
  • debugfs - Interactive ext2/ext3/ext4 filesystem debugger; can inspect and repair structures by hand and undelete on ext2.
  • e2fsck - Performs an analysis of the filesystem’s integrity and optionally repairs errors. Run it only on an unmounted (or read-only mounted) filesystem.
  • badblocks - Scans the specified drive for bad blocks.

Using a configured hard drive or tape

  • df - Displays the amount of disc space used and remaining on all mounted filesystems.
  • hwinfo --cdrom - Lists all available CD-ROM drives.
  • mount - Attaches the device to a specified directory, which will serve as the filesystem’s mount point.
  • sync - Flushes the filesystem buffers.
  • umount - Unmounts the filesystem specified by the device.
  • du - Displays the amount of disc space used in the current directory.
    • duchs – Lists the largest directories in human readable format
  • eject - Ejects the media in the specified drive.

Rescuing

  • mc (midnight commander) – Command line file manager. Can undelete files in unmounted ext2 filesystems.

Backing-up

  • partimage - Backs up disk partitions into image files and restores them.

Logical Volume Management

See LVM.

File Search

  • find - Versatile tool for searching for files based on name, size, date, etc.
  • locate - Lists all files with a given word in the name
  • whereis - Finds commands, source, and manpages
  • which - Finds commands on the path
  • grep - Searches for text/patterns within a file

File Analysis

  • cksum - Calculate the CRC checksum of a file. Detects accidental corruption only; a different file with the same CRC is trivial to craft.
  • diff - Find differences between two files.
  • file - Determine file type.
  • ls - List the contents of a directory.
  • lsattr - List the attributes of a file (e.g. the immutable bit set with chattr +i).
  • md5sum - Calculate or check the MD5 checksum of a file. MD5 is no longer collision resistant, so use sha256sum (same interface, including -c) when the hash is meant to detect tampering rather than transfer errors.
  • wc - Displays line, word and character count for the specified filename.
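As an added example, not part of the original page, here is what checking files for tampering looks like when done with sha256sum instead of md5sum or cksum: a manifest of a directory tree is written once and later re-verified, reporting changed, deleted and newly added files. It assumes the manifest is stored outside the tree, somewhere the tree’s owner cannot rewrite it.

```shell
#!/bin/sh
# Added example, not from the original page: an integrity manifest for a
# directory tree built with sha256sum. md5sum and cksum detect accidental
# corruption, but neither is collision resistant, so they cannot be relied on
# to notice a deliberately substituted file. Assumption: the manifest is kept
# outside the tree, somewhere the tree's owner cannot rewrite it.

# make_manifest DIR MANIFEST: one "sha256  ./relative/path" line per regular
# file under DIR, sorted so two runs over identical trees are byte-identical.
make_manifest() {
    dir="$1"; out="$2"
    ( cd "$dir" && find . -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$out"
}

# verify_manifest DIR MANIFEST: recompute every hash and report each file
# that was MODIFIED, is MISSING, or was ADDED since the manifest was made.
# Returns 0 when the tree is intact, 1 with one finding per line otherwise.
verify_manifest() {
    dir="$1"; manifest="$2"
    known=$(cut -d' ' -f3- "$manifest")    # paths only (sha256sum uses two spaces)
    findings=$(
        while read -r sum path; do
            if [ ! -f "$dir/$path" ]; then
                echo "MISSING $path"
                continue
            fi
            now=$(cd "$dir" && sha256sum "$path" | cut -d' ' -f1)
            [ "$now" = "$sum" ] || echo "MODIFIED $path"
        done < "$manifest"
        # anything on disk that the manifest never listed (a dropped web
        # shell, a stray .ssh/authorized_keys, ...)
        ( cd "$dir" && find . -type f -print | LC_ALL=C sort ) |
        while IFS= read -r f; do
            printf '%s\n' "$known" | grep -qxF -- "$f" || echo "ADDED $f"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: make_manifest /var/www /root/www.sha256    and later, from cron:
#        verify_manifest /var/www /root/www.sha256 || mail -s "www changed" root
```

The ADDED check matters as much as the MODIFIED one: an intruder who drops a new file into a web root does not change any existing hash, so a plain sha256sum -c over the old manifest would report everything as OK.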

File Manipulation

  • cp - Copy a file from one location to another.
  • dd - Copies a file and performs various conversions at the same time.
  • some dd examples – This is good stuff. Must read for anyone serious about Linux
  • du - Shows disk usage of files
  • install - Copy file(s), preserving permissions.
  • ln - Create a link to a file.
  • mv - Rename or move a file.
  • rename - Another renaming tool
  • rm - Remove (delete) a file.

File Attribute Manipulation

  • chgrp - Change the group ownership of a file or directory.
  • chmod - Change the mode (access permissions) of a file or directory.
  • chown - Change the ownership of a file or directory.
  • getfacl - View the acl permissions associated with the file or directory.
  • setfacl - Change the acl permissions associated with the file or directory.
  • touch - Update access times or, potentially, create a file.

File usage

  • lsof - List all currently opened files
  • fuser - List which processes that are currently using a specific file
Network commands

  • ethtool - show link status, speed and driver settings of an interface (e.g. whether a cable is plugged in).
  • ftp - establish a connection to a host with the File Transfer Protocol (credentials and data travel in clear text).
  • ifconfig - display or configure network interfaces.
  • ifup - bring up a network interface.
  • ifdown - bring down a network interface.
  • iptraf - interactive IP LAN monitor.
  • iwconfig - display or configure wireless interfaces.
  • ip - manage interfaces, addresses and routes (the replacement for ifconfig and route).
  • lsof - show which processes are using a port or file.
  • nmap - show which ports are open on a host.
  • netstat - display information about the Linux networking subsystem.
  • nslookup - look up the numerical IP address of the specified host.
  • ping - send a packet to a designated address and wait for a response.
  • route - configure IPv4 routing.
  • scp - copy files over the network through SSH.
  • showmount - display the NFS exports available from a server.
  • smbclient - launch an interactive Samba client that resembles ftp.
  • smbmount - mount a remote Samba share at the specified mount point (deprecated; use mount -t cifs).
  • smbumount - unmount the specified Samba mount point.
  • ssh - control a remote computer over the network.
  • telnet - open an interactive session on a remote host (clear text; use ssh instead).
  • traceroute - print the route that packets take to a network host.
  • wvdial - initiate a PPP dial-up connection.

Managing Sessions

  • login - prompts the user for username and password.
  • nohup - Prevents programs from getting killed on logout.
  • rlogin - enables you to establish a user session on another computer connected to the LAN. Deprecated, safety-hazard. Use ssh instead.
  • screen - Terminal multiplexer. This is somewhat like a virtual terminal, only much more powerful.
  • shutdown - Shuts down the system.
  • startx - This shell script, enables you to start a X session.
  • tty - Displays the number of the terminal device that is currently in use.
  • xdm, kdm, gdm - Starting the X (KDE, Gnome) Display Manager
  • xterm - Starts the xterm terminal emulation program. requires the X window system.

See also

  • shared session
  • terminal server

Packing files

To pack means to unite several files in one file, called an archive. Typical commands for packing under Linux are
  • zip — for .zip files
Example:
zip -r targetfile sourcedirectory
  • tar — for .tar and .tar.gz files
Example (creates a .tar.gz file):
tar cvzf targetfile.tar.gz sourcedirectory
  • bzip2 — for .bz2 files
Example:
bzip2 sourcefile

Unpacking files

How to unpack files depends on their suffix:
  • .tar.gz
unpack with the command
tar xvzf archive.tar.gz
where archive is the archive’s name without suffix
  • .tar
unpack with the command
tar xvf archive.tar
where archive is the archive’s name without suffix
  • .zip
unpack with the command
unzip archive.zip
where archive is the archive’s name without suffix
  • .bz2
unpack with the command
bunzip2 archive.bz2
where archive is the archive’s name without suffix
  • .rar
unpack with the command
unrar x archive.rar
where archive is the archive’s name without suffix
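Before unpacking an archive you did not build yourself, look at its member list: names that start with / or contain a .. component are written outside the directory you extract into. As an added example, not part of the original page, the functions below do that check for tar archives and only then extract, without the stored owners or permission bits.

```shell
#!/bin/sh
# Added example, not from the original page: inspect an archive's member list
# and refuse to unpack it if any member would land outside the target
# directory. Members with absolute paths or ".." components can overwrite
# ~/.ssh/authorized_keys, /etc/cron.d/* or a web root when the archive is
# extracted by a careless script. Shown with tar; "unzip -l" and "unrar l"
# listings can be fed through unsafe_members the same way.

# unsafe_members: read member names on stdin and print the dangerous ones
# (absolute, or containing a ".." path component). Exit status is always 0;
# the caller decides based on the output.
unsafe_members() {
    grep -E '^/|(^|/)\.\.(/|$)' || true
}

# check_archive ARCHIVE: list the archive (-P keeps names exactly as stored)
# and fail, printing the offending names, if any member is unsafe.
check_archive() {
    bad=$(tar -tPf "$1" | unsafe_members)
    if [ -n "$bad" ]; then
        printf 'refusing %s, unsafe member(s):\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# safe_extract ARCHIVE DIR: extract only after the check passed, into DIR,
# as the invoking user's files (not the uids stored in the archive) and
# without the stored permission bits, so a setuid member does not survive.
safe_extract() {
    check_archive "$1" || return 1
    mkdir -p "$2"
    umask 022
    tar -xf "$1" -C "$2" --no-same-owner --no-same-permissions
}

# Usage: safe_extract download.tar.gz /srv/unpacked   (tar detects gzip itself)
```

Current GNU tar already strips a leading / and refuses .. members unless -P is given, but older versions, other tar implementations and most zip tools do not, so the listing check is worth keeping in any script that unpacks downloads.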
Some programming-related commands:
  • compiling
    • g++ — C++ front-end to GCC.
    • gcc — “GNU Compiler Collection”. Also C compiler.
    • gcj — Java front-end to GCC.
    • as – the portable GNU assembler
  • linking and libraries (see also Library-related_Commands_and_Files)
    • ar – tool for creating, modifying, and extracting from archives
    • ld – the GNU linker
    • ldconfig
    • ldd
    • ld.so
    • pkg-config – tool for outputting linker and compiler flags for a given library
  • dealing with object files (see also binutils)
    • nm – lists symbols from object files
    • objcopy – copies and translates object files
    • objdump – display information from object files
    • readelf – displays information about ELF files
  • lexical analyzer and parser
    • bison (the yacc replacement)
    • flex (the lex replacement)
  • debugging
    Main article: debuggers
    • ddd
    • gdb
    • lint
    • valgrind
    • gprof – fight performance problems using profiling
  • build tools
    • autoconf – generates configuration scripts
    • automake – automatically generates ‘Makefile.in’s from ‘Makefile.am’s
    • ant
    • jam
    • libtool
    • make, makefile, configure script
    • scons
  • source code tagging
    • ctags — for vim- and NEdit-compatible tag files
    • etags — for emacs-compatible tag files
  • revision control
    • GNU Arch
    • Bazaar-NG — aka “Bazaar 2”, aka “bzr”
    • CVS
    • git
    • RCS
    • Subversion
  • misc
    • addr2line – converts addresses into file names and line numbers
    • file – find out file type (like “link”, “executable” or shared object)
    • strings – finds printable strings in a file

Bash scripting

Main article: bash tips

Hello world

The minimal bash script that only outputs “hello world” looks like this:
#!/bin/bash
echo "hello world"

Find out your distribution

Main article: find out your distribution
The following script tells you what distribution you have installed on your computer.
#!/bin/bash
found=0
if [ -e /etc/SuSE-release ]; then echo "You have a SUSE distro"; found=1; fi
if [ -e /etc/redhat-release ]; then echo "You have a Red Hat distro"; found=1; fi
if [ -e /etc/fedora-release ]; then echo "You have a Fedora distro"; found=1; fi
if [ -e /etc/debian_version ]; then echo "You have a Debian, Ubuntu, Kubuntu, Edubuntu or Flubuntu distro"; found=1; fi
if [ -e /etc/slackware-version ]; then echo "You have a SlackWare distro"; found=1; fi
if [ "$found" != 1 ]; then echo "I could not find out your distro"; fi
It tests whether the respective files exist (if [ -e /etc/SuSE-release ];) and prints the distribution they flag (using the command echo). The Debian marker file is /etc/debian_version, with an underscore, and found is a plain shell variable, so no export is needed. On Fedora /etc/redhat-release exists as well, so both lines fire there; on current systems /etc/os-release is the standard file to consult.

Tonka Script

Changes your console to some other colours.
#!/bin/bash
 
function tonka {
 
#   Named "Tonka" because of the colour scheme.
#   \033 is ESC; the \[ ... \] brackets tell bash that the escape sequence
#   takes no screen space, so command-line editing stays aligned.
 
local WHITE="\[\033[1;37m\]"
local LIGHT_BLUE="\[\033[1;34m\]"
local YELLOW="\[\033[1;33m\]"
local NO_COLOUR="\[\033[0m\]"
 
case $TERM in
    xterm*|rxvt*)
        TITLEBAR='\[\033]0;\u@\h:\w\007\]'
        ;;
    *)
        TITLEBAR=""
        ;;
esac
 
PS1="$TITLEBAR\
$YELLOW-$LIGHT_BLUE-(\
$YELLOW\u$LIGHT_BLUE@$YELLOW\h\
$LIGHT_BLUE)-(\
$YELLOW\$PWD\
$LIGHT_BLUE)-$YELLOW-\
\n\
$YELLOW-$LIGHT_BLUE-(\
$YELLOW\$(date +%H%M)$LIGHT_BLUE:$YELLOW\$(date \"+%a,%d %b %y\")\
$LIGHT_BLUE:$WHITE\\$ $LIGHT_BLUE)-$YELLOW-$NO_COLOUR "
 
PS2="$LIGHT_BLUE-$YELLOW-$YELLOW-$NO_COLOUR "
 
}
 
# Put this in ~/.bashrc and call the function to apply the prompt:
tonka

Get your ip

#!/bin/bash
# get ip: print the IPv4 address of the interface given as $1 (all interfaces if omitted)
/sbin/ifconfig $1 | grep 'inet ' | awk '{print $2}' | sed 's/^addr://'
The 'inet ' pattern skips the inet6 lines; the sed strips the addr: prefix that older net-tools print (newer versions, like ip -4 addr show, print the bare address). To get your Internet address if you are behind a NAT:
#!/bin/bash
## The -n option retrieves the Internet IP address
## if you are behind a NAT, by asking an external web page
## (which sees, and can log, your request)
if [ "$1" = "-n" ]
then
  ip=$(lynx -dump http://cfaj.freeshell.org/ipaddr.cgi)
else
  if=$1   ## specify which interface, e.g. eth0, fxp0
  system=$(uname)
  case $system in
      FreeBSD) sep="inet " ;;
      Linux) sep="addr:" ;;
  esac
  temp=$(ifconfig $if)
  temp=${temp#*"$sep"}
  ip=${temp%% *}
fi
 
printf "%s\n" "$ip"
### CFAJ ###
A shell, also known as a command interpreter, is a specialized program for accepting typed user commands, translating those into programs to run, running those programs, and displaying (or doing something) with the results. A “common” example of a shell is the DOS shell, called COMMAND.COM, which was the complete user interface before Windows.
Different shells exist, offering different feature sets. Two main families of shell exist: the Bourne shell and its variants (sh, bash, ksh) and the C shell and its variants (csh, tcsh). Though many shells have features common to others, the way they make use of those features is unique, so that (for example) Bourne shell conventions don’t usually apply to C shells.
  • bash – The Bourne-Again SHell – feature-rich default Linux shell.
  • csh - A shell with C-like syntax, with file name completion and command line editing – usually tcsh on modern Linux.
  • fish - ‘friendly’ interactive shell
  • ksh - Korn SHell – part of the sh rather than csh family.
  • sh - the original Bourne shell; on modern Linux usually a symlink to bash or dash, and the most portable target for scripts.
  • tcsh - An extended version of csh, with all its features and some additional ones.
  • zsh - One of the newest and most feature-rich shells.

General System Information Tools/Utilities

  • cat /var/log/messages — the syslog file; it contains the kernel messages dmesg shows plus what other daemons logged (not identical to dmesg)
  • dmesg – kernel messages from the ring buffer, starting with those given during booting.
  • kinfocenter – good overview
  • tail -f /var/log/messages — show the last couple of lines and keep outputting new lines
  • uname -a — brief OS and kernel information.

Memory Diagnostic Tools/Utilities

  • cat /proc/meminfo — static information about your RAM
  • ksysguard – real-time RAM and CPU utilization printout and process table
  • top – real-time RAM and CPU utilization printout
  • free – current memory/swap utilization.

CPU Diagnostic Tools/Utilities

  • cat /proc/cpuinfo – static information about your CPU
  • hwinfo --cpu — static information about your CPU

Disk and File System Diagnostic Tools/Utilities

  • cat /etc/fstab — show configuration file for file system mounting.
  • df -h — current disk space usage (“-h” gives human-readable output)
  • du -h — determine how much disk space is being used by Cwd, or any directory you specify after the du command (as in df, the “-h” means human-readable)
  • fdisk -l [/dev/hda] — show partition table(s), leave off device name to list all
  • mount or cat /etc/mtab — show currently mounted file systems.

Local Devices Diagnostic Tools/Utilities

  • dmidecode – get all bios information, e.g. computer type.
  • hwinfo --pci — list devices on the pci bus.
  • hwinfo --scsi — list all scsi devices.
  • hwinfo --usb — list all usb devices.
  • lsdev – list all installed hardware.
  • lspci – list devices on the pci bus.
  • lsscsi – list all scsi devices.
  • lsusb – list all usb devices.
  • setserial -bg /dev/ttyS[0-9]* — list all active serial devices(/dev/ttyS*).

Kernel and Kernel Module Diagnostic Tools/Utilities

  • lsmod – list kernel modules currently loaded.

Network Diagnostic Tools/Utilities

  • Directory /proc/net/
    • File arp: arp cache. Maps IP address to MAC address
    • File dev: byte and packet statistics on a per device basis.
    • File netstat: various statistics
    • File tcp: established connections.
  • Directory /proc/sys/net/ipv4/
    • File ip_forward: read/write. Whether or not the kernel will forward IP packets from one interface to another. Turn this on only if the machine is to work as a router or a packet-filtering firewall. If you want to set up a proxy firewall, this should be off, as it will be the application that forwards traffic, not the kernel.
    • File ip_local_port_range: read/write. The range of ports that are used as source ports for outgoing connections.
    • File tcp_sack: read/write. Whether or not TCP connections use selective acknowledgement. One=yes, zero=no.
    • File tcp_timestamps: read/write. Whether or not TCP connections add timestamps to their connections. One=yes, zero=no.
  • ethtool $interface — show the card’s speed, capabilities and if a link is detected
  • hwinfo --netcard — show the module name, driver activation command, network card name etc.
  • ifconfig -a — show all current network interface information
  • ifconfig $interface — show the information for $interface (usually something like ifconfig eth0)
  • ping $host — use ping to determine if $host is alive on the network (for troubleshooting your local machine $host can equal “127.0.0.1” or “localhost”)
  • route -n — show routing table, using numerical addresses.
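As an added example, not part of the original page, the script below audits the /proc/sys/net/ipv4 switches just listed, together with a few other well-known hardening knobs in the same directory (ICMP redirects, source routing, reverse-path filtering, SYN cookies), so it goes a little beyond the four files named above. The expected values assume an ordinary host rather than a router, and the functions take the directory as an argument so they can be pointed at the live /proc or at a constructed copy.

```shell
#!/bin/sh
# Added example, not from the original page: audit the /proc/sys/net/ipv4
# switches listed above plus a few other well-known hardening knobs. The
# functions take the directory as an argument so they can be pointed at the
# live /proc, at a copy taken from another host, or at a constructed tree.
# Assumption: the box is an ordinary host, not a router, so forwarding must
# be off; the expected-value table is this example's own choice.

# ipv4_setting DIR NAME: print the value of DIR/NAME, or "absent".
ipv4_setting() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo absent; fi
}

# audit_ipv4 DIR: print "OK  name=value" or "BAD name=value (want x)" per
# setting and return the number of mismatches (0 means clean).
audit_ipv4() {
    dir="$1"; bad=0
    for entry in \
        ip_forward=0 \
        conf/all/accept_redirects=0 \
        conf/all/send_redirects=0 \
        conf/all/accept_source_route=0 \
        conf/all/rp_filter=1 \
        conf/all/log_martians=1 \
        tcp_syncookies=1
    do
        name=${entry%=*}; want=${entry#*=}
        have=$(ipv4_setting "$dir" "$name")
        if [ "$have" = "$want" ]; then
            echo "OK  $name=$have"
        else
            echo "BAD $name=$have (want $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# ephemeral_range_ok DIR: the source-port range must start at 1024 or above;
# if it reaches into the privileged range an unprivileged outbound socket can
# sit on a port a service expects to own.
ephemeral_range_ok() {
    range=$(ipv4_setting "$1" ip_local_port_range)
    set -- $range
    low=${1:-absent}
    [ "$low" != absent ] && [ "$low" -ge 1024 ]
}

# Live run (the files are world-readable, so no root needed):
#   audit_ipv4 /proc/sys/net/ipv4
#   ephemeral_range_ok /proc/sys/net/ipv4 || echo "BAD ip_local_port_range"
```

Writing a value back is a matter of echo 0 > /proc/sys/net/ipv4/ip_forward as root, or sysctl -w; to make it survive a reboot put the setting in /etc/sysctl.conf.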

Dynamic information

Or: What does my hardware do?
  • ethereal – a network sniffer (renamed Wireshark in 2006)
  • lm-sensors — read CPU temperature etc.
  • ksysguard – CPU, network load etc. comprehensively
  • top – top CPU consuming processes
  • vmstat – CPU load, swapping and I/O
  • xosview – CPU, network load etc. to get an overview

X-Windows Troubleshooting Tools/Utilities

  • cat /var/log/XFree86.0.log — print out the XFree86 error log.
    • Note that some systems do not store this log in /var/log. Use either locate XFree86.0.log or find / -name XFree86.0.log to find it.
  • glxinfo – show the status of your OpenGL subsystem.
Startup/Shutdown
This is a list of startup/shutdown-related commands:
  • dmesg - display bootup messages.
  • halt - halt the system. (not recommended – use shutdown -h now instead)
  • init - set runlevel, or define processes that are begun on a specific runlevel.
  • reboot - reboot the system.
  • runlevel - show the current system runlevel.
  • shutdown - shutdown the system.
  • swapoff - stop using a swap device or file.
  • swapon - start using a swap device or file.
  • sync - write buffered memory out to disk.
  • telinit - move the system to a new runlevel.
Processing Tools
  • awk - A utility and scripting language
  • cat - Con-cat-enate file(s) to stdout
  • cut - Extract portions of lines
  • diff - Compare differences of files
  • ed - The editor. ED!
  • egrep - See grep
  • fgrep - See grep
  • grep - Global/regular expression/print (print lines matching an expression)
  • head - View the top of a file
  • less - A more powerful pager
  • more - A less powerful pager
  • nl - Number lines of files
  • sed - Stream editor (non-interactive programmatic editor)
  • sort - Sort input
  • tac - Cat lines in reverse
  • rev - Cat characters in reverse
  • tail - View the bottom of a file
  • tr - Transform/transliterate text
  • uniq - Manipulate duplicate lines of a sorted file
Text processors in file utils’ clothing
  • basename - cut a line to the right from the last slash (works with any input)
  • dirname - cut a line to the left from the last slash (works with any input)
User Commands
  • date - Print or set the system date and time.
  • finger - Display information about a user. May be turned off by default.
  • id - Display UID and group info about a user.
  • passwd - Change a user’s password.
  • quota - Assign quota for users and groups.
  • su - Change to root or another user id.
  • useradd - Add a new user to the system.
  • userdel - Delete a user from the system.
  • usermod - Modify user information on the system.
  • users - Display a list of current users.
  • who - Display a list of current users.
  • whoami - Print the user name associated with the effective UID.
  • w - Display who is logged on and what they are doing.




Kernel Compiling
Step # 1 Get Latest Linux kernel code
Visit http://kernel.org/ and download the latest source code. The file name is linux-x.y.z.tar.bz2, where x.y.z is the actual version number; for example linux-2.6.25.tar.bz2 is kernel version 2.6.25. Use wget to download the kernel source code:
$ cd /tmp
$ wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-x.y.z.tar.bz2
Note: Replace x.y.z with the actual version number. kernel.org publishes a detached PGP signature (.sign) next to every tarball; fetch it too and check it with gpg --verify before you build, since this code will run with full privileges on the machine (for releases since late 2011 the signature covers the uncompressed .tar, so decompress first).
Step # 2 Extract the tar (.tar.bz2) file
Type the following commands (the last one changes into the unpacked tree, where make must be run):
# tar -xjvf linux-2.6.25.tar.bz2 -C /usr/src
# cd /usr/src/linux-2.6.25
Step # 3 Configure kernel
Before you configure the kernel make sure the development tools (gcc and related tools) are installed on your system. If they are not, use apt-get under Debian Linux to install them (libncurses5-dev is needed by make menuconfig):
# apt-get install build-essential libncurses5-dev
Now you can start the kernel configuration by typing any one of the following commands:
  • $ make menuconfig – Text based color menus, radiolists & dialogs. This option is also useful on a remote server if you want to compile the kernel remotely over ssh.
  • $ make xconfig – X windows (Qt) based configuration tool, works best under the KDE desktop
  • $ make gconfig – X windows (Gtk) based configuration tool, works best under the Gnome desktop.
For example make menuconfig command launches following screen:
$ make menuconfig
You have to select different options as per your need. Each configuration option has HELP button associated with it so select help button to get help.
Step # 4 Compile kernel
Start compiling to create a compressed kernel image, enter:
$ make
Then compile the kernel modules:
$ make modules
Install the kernel modules (become root with su):
$ su -
# make modules_install
Step # 5 Install kernel
So far we have compiled the kernel and installed the kernel modules. It is time to install the kernel itself.
# make install
It will install three files into the /boot directory and update your GRUB configuration file:
  • System.map-2.6.25
  • config-2.6.25
  • vmlinuz-2.6.25
Step # 6: Create an initrd image
Type the following command at a shell prompt:
# cd /boot
# mkinitrd -o initrd.img-2.6.25 2.6.25
The initrd image contains the device drivers needed to mount the root filesystem and load the rest of the operating system. Not every computer requires an initrd, but it is safe to create one. The mkinitrd invocation shown is the old Debian tool; current Debian uses update-initramfs -c -k 2.6.25 and Fedora/RHEL use dracut.
Step # 7 Modify Grub configuration file – /boot/grub/menu.lst
Open the file using vi:
# vi /boot/grub/menu.lst
title           Debian GNU/Linux, kernel 2.6.25 Default
root            (hd0,0)
kernel          /boot/vmlinuz-2.6.25 root=/dev/hdb1 ro
initrd          /boot/initrd.img-2.6.25
savedefault
boot
Remember to set the correct root=/dev/hdXX device, and to point the kernel line at the versioned image that make install created (vmlinuz-2.6.25), otherwise an unversioned /boot/vmlinuz may still be the old kernel. Save and close the file. If you think editing and writing all lines by hand is too much for you, try the update-grub command to generate the lines for each kernel in /boot/grub/menu.lst. Just type the command:
# update-grub
Neat. Huh?
Step # 8 : Reboot computer and boot into your new kernel
Just issue reboot command:
# reboot






SSH
Many of us use the excellent OpenSSH (see Resources later in this article) as a secure, encrypted replacement for the venerable telnet and rsh commands. One of OpenSSH’s more intriguing features is its ability to authenticate users using the RSA and DSA authentication protocols, which are based on a pair of complementary numerical keys. As one of its main appeals, RSA and DSA authentication promise the capability of establishing connections to remote systems without supplying a password. While this is appealing, new OpenSSH users often configure RSA/DSA the quick and dirty way, resulting in passwordless logins, but opening up a big security hole in the process.
SSH, specifically OpenSSH (a completely free implementation of SSH), is an incredible tool. Like telnet or rsh, the ssh client can be used to log in to a remote machine. All that’s required is for this remote machine to be running sshd, the ssh server process. However, unlike telnet, the ssh protocol is very secure. It uses special algorithms to encrypt the data stream, ensure data stream integrity and even perform authentication in a safe and secure way.
However, while ssh is really great, there is a certain component of ssh functionality that is often ignored, dangerously misused, or simply misunderstood. This component is OpenSSH’s RSA/DSA key authentication system, an alternative to the standard secure password authentication system that OpenSSH uses by default.
OpenSSH’s RSA and DSA authentication protocols are based on a pair of specially generated cryptographic keys, called the private key and the public key. The advantage of using these key-based authentication systems is that in many cases, it’s possible to establish secure connections without having to manually type in a password.
While the key-based authentication protocols are relatively secure, problems arise when users take certain shortcuts in the name of convenience, without fully understanding their security implications. In this article, we’ll take a good look at how to correctly use RSA and DSA authentication protocols without exposing ourselves to any unnecessary security risks. In my next article, I’ll show you how to use ssh-agent to cache decrypted private keys, and introduce keychain, an ssh-agent front-end that offers a number of convenience advantages without sacrificing security. If you’ve always wanted to get the hang of the more advanced authentication features of OpenSSH, then read on.


Here’s a quick general overview of how RSA/DSA keys work. Let’s start with a hypothetical scenario where we’d like to use RSA authentication to allow a local Linux workstation (named localbox) to open a remote shell on remotebox, a machine at our ISP. Right now, when we try to connect to remotebox using the ssh client, we get the following prompt:
% ssh drobbins@remotebox
drobbins@remotebox's password:
Here we see an example of the ssh default way of handling authentication. Namely, it asks for the password of the drobbins account on remotebox. If we type in our password for remotebox, ssh uses its secure password authentication protocol, transmitting our password over to remotebox for verification. However, unlike what telnet does, here our password is encrypted so that it cannot be intercepted by anyone sniffing our data connection. Once remotebox authenticates our supplied password against its password database, if successful, we’re allowed to log on and are greeted with a remotebox shell prompt. While the ssh default authentication method is quite secure, RSA and DSA authentication open up some new possibilities.
However, unlike the ssh secure password authentication, RSA authentication requires some initial configuration. We need to perform these initial configuration steps only once. After that, RSA authentication between localbox and remotebox will be totally painless. To set up RSA authentication, we first need to generate a pair of keys, one private and one public. These two keys have some very interesting properties. The public key can be used to encrypt a message, and only the holder of the private key can decrypt it. The public key can only be used for encryption, and the private key can only be used for decryption of a message encoded by the matching public key. The RSA (and DSA) authentication protocols use the special properties of key pairs to perform secure authentication, without needing to transmit any confidential information over the network.
To get RSA or DSA authentication working, we perform a single one-time configuration step. We copy our public key over to remotebox. The public key is called “public” for a reason. Since it can only be used to encrypt messages for us, we don’t need to be too concerned about it falling into the wrong hands. Once our public key has been copied over to remotebox and placed in a special file (~/.ssh/authorized_keys) so that remotebox’s sshd can locate it, we’re ready to use RSA authentication to log onto remotebox.
To do this, we simply type ssh drobbins@remotebox at localbox’s console, as we always have. However, this time, ssh lets remotebox’s sshd know that it would like to use the RSA authentication protocol. What happens next is rather interesting. Remotebox’s sshd generates a random number, and encrypts it using our public key that we copied over earlier. Then, it sends this encrypted random number back to the ssh running on localbox. In turn, our ssh uses our private key to decrypt this random number, and then sends it back to remotebox, saying in effect “See, I really do hold the matching private key; I was able to successfully decrypt your message!” Finally, sshd concludes that we should be allowed to log in, since we hold a matching private key. Thus, the fact that we hold a matching private key grants us access to remotebox.


There are two important observations about the RSA and DSA authentication. The first is that we really only need to generate one pair of keys. We can then copy our public key to the remote machines that we’d like to access and they will all happily authenticate against our single private key. In other words, we don’t need a key pair for every system we’d like to access. Just one pair will suffice.
The other observation is that our private key should not fall into the wrong hands. The private key is the one thing that grants us access to our remote systems, and anyone that possesses our private key is granted exactly the same privileges that we are. Just as we wouldn’t want strangers to have keys to our house, we should protect our private key from unauthorized use. In the world of bits and bytes, this means that no one should be able to read or copy our private key.
Of course, the ssh developers are aware of the private keys’ importance, and have built a few safeguards into ssh and ssh-keygen so that our private key is not abused. First, ssh is configured to print out a big warning message if our key has file permissions that would allow it to be read by anyone but us. Secondly, when we create our public/private key pair using ssh-keygen, ssh-keygen will ask us to enter a passphrase. If we do, our private key will be encrypted using this passphrase, so that even if it is stolen, it will be useless to anyone who doesn’t happen to know the passphrase. Armed with that knowledge, let’s take a look at how to configure ssh to use the RSA and DSA authentication protocols.


The first step in setting up RSA authentication begins with generating a public/private key pair. RSA authentication is the original form of ssh key authentication, so RSA should work with any version of OpenSSH, although I recommend that you install the most recent version available, which was openssh-2.9_p2 at the time this article was written. Generate a pair of RSA keys as follows:
% ssh-keygen
Generating public/private rsa1 key pair.
Enter file in which to save the key (/home/drobbins/.ssh/identity): (hit enter)
Enter passphrase (empty for no passphrase): (enter a passphrase)
Enter same passphrase again: (enter it again)
Your identification has been saved in /home/drobbins/.ssh/identity.
Your public key has been saved in /home/drobbins/.ssh/identity.pub.
The key fingerprint is:
a4:e7:f2:39:a7:eb:fd:f8:39:f1:f1:7b:fe:48:a1:09 drobbins@localbox
When ssh-keygen asks for a default location for the key, we hit enter to accept the default of /home/drobbins/.ssh/identity. ssh-keygen will store the private key at the above path, and the public key will be stored right next to it, in a file called identity.pub.
Also note that ssh-keygen prompted us to enter a passphrase. When prompted, we entered a good passphrase (seven or more hard-to-predict characters). ssh-keygen then encrypted our private key (~/.ssh/identity) using this passphrase so that our private key will be useless to anyone who does not know it.


When we specify a passphrase, it allows ssh-keygen to secure our private key against misuse, but it also creates a minor inconvenience. Now, every time we try to connect to our drobbins@remotebox account using ssh, ssh will prompt us to enter the passphrase so that it can decrypt our private key and use it for RSA authentication. Again, we won’t be typing in our password for the drobbins account on remotebox, we’ll be typing in the passphrase needed to locally decrypt our private key. Once our private key is decrypted, our ssh client will take care of the rest. While the mechanics of using our remote password and the RSA passphrase are completely different, in practice we’re still prompted to type a “secret phrase” into ssh.
# ssh drobbins@remotebox
Enter passphrase for key '/home/drobbins/.ssh/identity': (enter passphrase)
Last login: Thu Jun 28 20:28:47 2001 from localbox.gentoo.org

Welcome to remotebox!

%
Here’s where people are often misled into a quick compromise. A lot of the time, people will create unencrypted private keys just so that they don’t need to type in a password. That way, they simply type in the ssh command, and they’re immediately authenticated via RSA (or DSA) and logged in.
# ssh drobbins@remotebox
Last login: Thu Jun 28 20:28:47 2001 from localbox.gentoo.org

Welcome to remotebox!

%
However, while this is convenient, you shouldn’t use this approach without fully understanding its security impact. With an unencrypted private key, if anyone ever hacks into localbox, they’ll also get automatic access to remotebox and any other systems that have been configured with the public key.
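The two safeguards described above, owner-only file permissions and a passphrase, can be checked from a script. The audit below is an added example and not part of the original article; how it recognises an encrypted key (the "Proc-Type: 4,ENCRYPTED" header of PEM keys, or the bcrypt KDF name inside a newer OPENSSH-format key) is my assumption about ssh-keygen's file formats, and binary SSH1-style identity files are reported as unknown rather than inspected.

```shell
#!/bin/sh
# Added example (not from the original article): audit an OpenSSH private key
# for the two safeguards described above, owner-only permissions and a
# passphrase. Exit status 0 means the key passes; findings go to stdout.

# key_mode_ok FILE -> 0 when no group/other permission bits are set.
# Uses ls -l rather than stat so it behaves the same on GNU and BSD systems.
key_mode_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)   # the six group/other permission characters
    [ "$perms" = "------" ]
}

# key_encrypted FILE -> 0 if the key is passphrase-protected, 1 if it is not,
# 2 if the format is not recognised. Assumptions: PEM keys written by older
# ssh-keygen carry "Proc-Type: 4,ENCRYPTED" when encrypted, PKCS#8 uses the
# "ENCRYPTED PRIVATE KEY" armour, and the newer OPENSSH format names its KDF
# ("bcrypt") inside the base64 body. SSH1 "identity" files are binary and
# are not inspected.
key_encrypted() {
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        return 0
    fi
    if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        return 0
    fi
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        # strip the armour lines, decode, and look for the bcrypt KDF name
        if sed '/^-----/d' "$1" | base64 -d 2>/dev/null | grep -aq bcrypt; then
            return 0
        fi
        return 1
    fi
    if grep -q 'BEGIN .* PRIVATE KEY' "$1"; then
        return 1   # PEM without the encryption header: stored in clear
    fi
    return 2
}

# audit_key FILE -> prints one line per problem; returns 0 only when the
# permissions are right and the key is encrypted (or of unknown format).
audit_key() {
    [ -f "$1" ] || { echo "$1: no such file"; return 2; }
    rc=0
    key_mode_ok "$1" || { echo "$1: readable by group/other, run chmod 600"; rc=1; }
    key_encrypted "$1" && enc=0 || enc=$?
    case $enc in
        0) ;;
        1) echo "$1: private key has NO passphrase"; rc=1 ;;
        *) echo "$1: unrecognised key format, passphrase status unknown" ;;
    esac
    [ "$rc" -eq 0 ] && echo "$1: ok"
    return "$rc"
}

# Typical use: audit the usual key files in ~/.ssh
# for k in ~/.ssh/identity ~/.ssh/id_dsa ~/.ssh/id_rsa; do
#     [ -f "$k" ] && audit_key "$k"
# done
```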
I know what you’re thinking. Passwordless authentication, despite being a bit risky, does seem really appealing. I totally agree. But there is a better way! Stick with me, and I’ll show you how to gain the benefits of passwordless authentication without compromising your private key security. I’ll show you how to masterfully use ssh-agent (the thing that makes secure passwordless authentication possible in the first place) in my next article. Now, let’s get ready to use ssh-agent by setting up RSA and DSA authentication. Here are step-by-step directions.


To set up RSA authentication, we’ll need to perform the one-time step of generating a public/private key pair. We do this by typing:
% ssh-keygen
Accept the default key location when prompted (typically ~/.ssh/identity and ~/.ssh/identity.pub for the public key), and provide ssh-keygen with a secure passphrase. Once ssh-keygen completes, you’ll have a public key as well as a passphrase-encrypted private key.


Next, we’ll need to configure remote systems running sshd to use our public RSA key for authentication. Typically, this is done by copying the public key to the remote system as follows:
% scp ~/.ssh/identity.pub drobbins@remotebox:
Since RSA authentication isn’t fully set up yet, we’ll be prompted to enter our password on remotebox. Do so. Then, log in to remotebox and append the public key to the ~/.ssh/authorized_keys file like so:
% ssh drobbins@remotebox
drobbins@remotebox's password: (enter password)
Last login: Thu Jun 28 20:28:47 2001 from localbox.gentoo.org

Welcome to remotebox!

% cat identity.pub >> ~/.ssh/authorized_keys
% exit
Now, with RSA authentication configured, we should be prompted to enter our RSA passphrase (rather than our password) when we try to connect to remotebox using ssh.
% ssh drobbins@remotebox
Enter passphrase for key '/home/drobbins/.ssh/identity':
Hurray, RSA authentication configuration complete! If you weren’t prompted for a passphrase, here are a few things to try. First, try logging in by typing ssh -1 drobbins@remotebox. This will tell ssh to only use version 1 of the ssh protocol, and may be required if for some reason the remote system is defaulting to DSA authentication. If that doesn’t work, make sure that you don’t have a line that reads RSAAuthentication no in your /etc/ssh/ssh_config. If you do, comment it out by pre-pending it with a “#”. Otherwise, try contacting the remotebox system administrator and verifying that they have enabled RSA authentication on their end and have the appropriate settings in /etc/ssh/sshd_config.


While RSA keys are used by version 1 of the ssh protocol, DSA keys are used for protocol level 2, an updated version of the ssh protocol. Any modern version of OpenSSH should be able to use both RSA and DSA keys. Generating DSA keys using OpenSSH’s ssh-keygen can be done similarly to RSA in the following manner:
% ssh-keygen -t dsa
Again, we’ll be prompted for a passphrase. Enter a secure one. We’ll also be prompted for a location to save our DSA keys. The default, normally ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub, should be fine. After our one-time DSA key generation is complete, it’s time to install our DSA public key to remote systems.


Again, DSA public key installation is almost identical to RSA. For DSA, we’ll want to copy our ~/.ssh/id_dsa.pub file to remotebox, and then append it to the ~/.ssh/authorized_keys2 on remotebox. Note that this file has a different name than the RSA authorized_keys file. Once configured, we should be able to log in to remotebox by typing in our DSA private key passphrase rather than typing in our actual remotebox password.


Right now, you should have RSA or DSA authentication working, but you still need to type in your passphrase for every new connection. In my next article, we’ll see how to use ssh-agent, a really nice system that allows us to establish connections without supplying a password, but also allows us to keep our private keys encrypted on disk. I’ll also introduce keychain, a very handy ssh-agent front-end that makes ssh-agent even more secure, convenient, and fun to use. Until then, check out the handy resources below to keep yourself on track.



Interview Topic
 ME . (Linux Administrator)
My Experience
Some Interview Topics
If you are preparing for interviews for Linux admin jobs, you should be familiar with the concepts below.
1) Port numbers of different servers {cat /etc/services}
2) Linux installation (through FTP, HTTP, NFS)
3) Boot process
4) Difference between ext3 and ext2
5) RAID levels and selection of RAID
6) Backup methods
7) Package management such as a Yum server
8) Kernel tuning
9) IPTABLES
10) TCP WRAPPERS
11) DIFFERENT RUN LEVELS
12) USER AND GROUP MANAGEMENT
13) QUOTA SETTING (user and group)
14) DIFFERENCE BETWEEN CRON AND AT
15) BASIC SHELL SCRIPTING
16) Troubleshooting different issues.
17) Tell me why we should hire you?
18) DAILY ACTIVITIES IN YOUR CURRENT COMPANY
19) RECENTLY SOLVED CRITICAL ISSUE
20) LVM (very important)
21) Veritas Volume Manager
22) Cluster basics like HAD, GAB, LLT, HEARTBEAT, CONFIG FILES, RESOURCE, SERVICE GROUPS etc.
23) Kernel panic troubleshooting
24) Process management
25) Configuration of NFS, NIS, Samba, DHCP, DNS, Apache, Sendmail etc.
26) Remote administration experience.
And many more depending on your job profile. You should know every topic you mention in your resume. If you are not sure about something, don’t mention it; your resume should reflect your skills.

NMAP (Port Checker)
 ME . (Linux Admin)
Nmap With Example
NMAP is one of the most important tools: it checks which ports are open on a machine.
Some important points to note about NMAP:
  1. NMAP stands for Network Mapper.
  2. NMAP is used to scan ports on a machine, either local or remote (you only need the IP/hostname to scan).
  3. NMAP can be installed on Windows and Sun Solaris machines too.
  4. NMAP can be used to scan large networks, and I do mean large networks.
  5. NMAP can be used to get operating system details, uptime, the software used for a service and its version number, the vendor of the network card and the uptime of that system too (don’t worry, we will see all these things in this post).
  6. Please do not use NMAP on machines you do not have permission to scan.
  7. It can be used by hackers to scan systems for vulnerabilities.
  8. Just a funny note: you can see NMAP used by Trinity in Matrix II, when she tries to hack into the electric grid supercomputer.
Note : The NMAP man page is one of the best man pages I have come across. It is written so that even a new user can understand it easily, and it even has examples of how to use NMAP in different situations; when you have time, read it. You will get lots of information.

Example1 :
Using NMAP in the normal way, i.e. to scan a particular system for open ports
#nmap hostname
Example2 : Scanning for a single port on a machine
#nmap -p 22 hostname
This will check whether port 22 is open on the host or not. Here -p indicates port.
Example3 : For scanning only ports
#nmap -F hostname
-F is for fast scan; it will not do any other scanning such as IP address, hostname, operating system, uptime etc. It is very fast, as the man page says.
Example4 : For scanning only TCP ports
#nmap -sT hostname
Here s is for scan and T is for scanning TCP ports only
Example5 : For scanning only UDP ports
#nmap -sU hostname
Here U indicates UDP port scanning
Example6 : Scanning for ports and getting the version of the different services running on that machine
#nmap -sV hostname
V indicates the version of each network service running on that host
Example7 : To check which protocols are supported by the remote machine
#nmap -sO hostname
Example8 : To scan a system for operating system and uptime details
# nmap -O hostname
-O is for operating system scan along with the default port scan
Example9 : Scanning a network
#nmap networkID/subnetmask
For the above command you can try it this way:
#nmap 192.168.0.0/24

ICMP Block With IPTABLES
 ME . (Linux Admin)
How to use iptables to block ICMP (Internet Control Message Protocol) requests?
Ans : Before doing this we should understand why it needs to be done.
When hackers try to break into a machine, the first thing they do is a basic ping test.
Code :
#ping target-machine

If this succeeds they conclude that the system is up, and they can go forward with DDoS attacks or try to find other open ports using the NMAP command.
Code :
#nmap target-machine
So if you are exposing a machine from your network to the outside world, first disable incoming ping requests to the machine as follows.
This can be done in two ways with iptables:
1. Reject the ICMP packets.
2. Drop the ICMP packets.

Of the two methods, dropping the ICMP packets is the better choice: by doing this we give the hacker no clue whether the system is alive or not. Whereas if we reject, the hacker will definitely come to know that ICMP packets are blocked and that the system is live.
Step1 : Execute the following command to drop all incoming ICMP echo requests
#iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
Let me explain this command
-A appends this rule to the existing chain.
INPUT specifies that it’s a
Step2 : Save these changes to the iptables file (/etc/sysconfig/iptables), restart the iptables service and check your iptables status to see whether the chain is updated or not.
#service iptables save
#service iptables restart
#iptables -L
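Because -A appends to the end of the INPUT chain and rules are matched top to bottom, a DROP added this way never fires if an earlier rule already ACCEPTs ICMP. The script below is an added example and not part of the original post: it reads a saved rule set in the format that service iptables save writes to /etc/sysconfig/iptables and reports whether the echo-request DROP is present and not shadowed (the file path and the sample rules are assumptions).

```shell
#!/bin/sh
# Added example (not from the original post): check a saved iptables rule set,
# as written by "service iptables save" into /etc/sysconfig/iptables (the
# iptables-save format), for the echo-request DROP rule. Two problems are
# reported: the rule is missing altogether, or an earlier INPUT rule already
# ACCEPTs the same ICMP traffic and shadows it.

# icmp_drop_status FILE -> prints "ok", "missing" or "shadowed";
# returns 0 only for "ok".
icmp_drop_status() {
    awk '
        /^-A INPUT / {
            n++
            is_icmp = ($0 ~ / -p icmp( |$)/)
            # iptables-save writes echo-request as its numeric type, 8
            is_echo = ($0 ~ /--icmp-type (echo-request|8)( |$)/)
            # an ACCEPT for all ICMP, or for echo-request specifically,
            # shadows a later DROP; ACCEPTs for other ICMP types do not
            if (is_icmp && $0 ~ / -j ACCEPT( |$)/ && (is_echo || $0 !~ /--icmp-type/) && !accept_at)
                accept_at = n
            if (is_icmp && is_echo && $0 ~ / -j DROP( |$)/ && !drop_at)
                drop_at = n
        }
        END {
            if (!drop_at)                         { print "missing";  exit 1 }
            if (accept_at && accept_at < drop_at) { print "shadowed"; exit 1 }
            print "ok"
        }' "$1"
}

# Typical use after "service iptables save":
#   icmp_drop_status /etc/sysconfig/iptables
```

A "shadowed" result is fixed by inserting the DROP at the top of the chain with -I instead of appending it with -A.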

How to allow ICMP ping requests in case you want them: first we have to remove the rule we created for blocking ping.
#iptables -D INPUT -p icmp --icmp-type echo-request -j DROP

Then execute the following commands

#iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
#service iptables save
#service iptables restart

Some points to be noted

What are the methods used by hackers using ICMP ping?
Though these are old denial-of-service (DoS) attacks, they are worth learning about:
Ping flood
Smurf attack
Ping of death

Please comment your thoughts regarding this post:-)
Mount SMB
 ME . (Linux Admin)
How to mount smbfs (the SAMBA file system) permanently in Linux. In this post I am going to give some examples of how to do SMB (Server Message Block) mounts.
Type1 : Listing SMB shared folders from the command prompt
#smbclient -L ipadd -U username
Here -L specifies listing the SMB shares of the server with address ipadd
Or
#smbclient //192.168.0.1/share1 -U username
Example :
#smbclient -L 192.168.0.1 -U root
Type2 : Mounting an SMB share on a local folder by using the smbmount command
#smbmount //ipadd/sharename /mountpoint -o username=userid,workgroup=workgroupname
Example :
#smbmount //192.168.0.1/share1 /mnt -o username=steev,workgroup=test
Type3 : Mounting an SMB share by using the mount command
#mount -t smbfs ipadd:/sharename /mountpoint -o username=userid,workgroup=workgroupname
Or
#mount -t smbfs //ipadd/sharename /mountpoint -o username=userid,workgroup=workgroupname
Example :
#mount -t smbfs 192.168.0.1:/share1 /mnt -o username=surendra,workgroup=test
Type4 : Mounting CIFS (Common Internet File System), which is nothing but an advanced SMB file system implementation that supports RAP (Remote Access Protocol)
#mount -t cifs ipadd:/sharename /mountpoint -o username=userid,workgroup=workgroupname
Example :
#mount -t cifs 192.168.0.1:/share1 /test -o username=Surendra,workgroup=test
Type5 : All the above commands will ask for a password to list/mount the share; however we can specify the password in the command itself as below (note that a password given this way is visible to other users in the process list and is recorded in the shell history)
#mount -t smbfs -o username=userid,workgroup=workgroupname,password=XXXXX //ipadd/sharepoint /mountpoint/
Example :
#mount -t smbfs -o username=Surendra,workgroup=test,password=xylBJRS8 //192.168.0.1/share1 /test
Type6 : Mounting permanently by editing the /etc/fstab file; below is an example fstab entry
#vi /etc/fstab
//192.168.0.1/share1 /test smbfs rw,user,username=surendra,password=xylBJRS8 0 0
Save and exit the file and confirm that you edited the fstab file properly with the commands below
#mount -a
This command should not throw any error.
#df -H
This command should show the mount from the 192.168.0.1 server
Type7 : Mounting a share permanently, by editing the /etc/fstab file, where the user belongs to a domain
The above entry will not work properly for domain users, so we have to specify the domain as well when specifying the username. The username therefore becomes domain\username
#vi /etc/fstab
//192.168.0.1/share1 /mnt smbfs rw,user,username=test\surendra,password=xylBJRS8 0 0
Save the file and exit, then execute mount -a and df -H to confirm that the mount was done successfully.
Type8 : As you know, the /etc/fstab file is readable by every user who logs in, so putting a user’s password in /etc/fstab is not a good practice. The workaround is to create a credentials file in the user’s home directory and point to that file from the /etc/fstab entry, as shown below.
#cd ~
#echo username=surendra > .smbfile
#echo password=xylBJRS8 >> .smbfile
#chmod 600 .smbfile
Then edit the /etc/fstab file and specify the entry as below
#vi /etc/fstab
//192.168.0.1/share1 /mnt smbfs credentials=/home/myhomedirectoryofuser/.smbfile,rw,user 0 0
Save and exit the file and execute mount -a and df -H to check that you made no mistakes.
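An added example that is not part of the original post: a check for fstab entries that still carry a clear-text SMB password, and a helper that creates the credentials file with mode 600 before the password is written, so the file is never world-readable even briefly (the file names and sample entries are constructed).

```shell
#!/bin/sh
# Added example (not from the original post): keep SMB passwords out of the
# world-readable /etc/fstab. One function finds entries that still carry
# password=..., the other writes a credentials file that is owner-only from
# the moment it exists. File names used here are constructed.

# fstab_plain_passwords FSTAB -> prints every smbfs/cifs entry whose options
# contain password=; returns 0 when none is found, 1 otherwise.
fstab_plain_passwords() {
    # fstab fields: device mountpoint fstype options dump pass
    awk '$1 !~ /^#/ && ($3 == "smbfs" || $3 == "cifs") && $4 ~ /(^|,)password=/ {
             found = 1; print
         }
         END { exit found ? 1 : 0 }' "$1"
}

# write_smb_credentials FILE USER PASS [DOMAIN] -> creates FILE with mode 600
# containing the username=/password=/domain= lines that mount.cifs and
# smbmount read from a credentials file.
write_smb_credentials() {
    cred=$1; user=$2; pass=$3; domain=$4
    old_umask=$(umask)
    umask 077                 # the file is born owner-only, whatever the caller's umask
    : > "$cred" || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    chmod 600 "$cred"         # also fixes the mode if the file already existed
    {
        printf 'username=%s\n' "$user"
        printf 'password=%s\n' "$pass"
        if [ -n "$domain" ]; then printf 'domain=%s\n' "$domain"; fi
    } > "$cred"
}

# Typical use:
#   write_smb_credentials ~/.smbfile surendra 'the-password' test
#   fstab_plain_passwords /etc/fstab && echo "no clear-text SMB passwords in fstab"
```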
Info System
 ME . (Linux Admin)
How to get the BIOS (Basic Input Output System) information and other information such as
1. Hardware
2. CPU information
3. Drivers installed in a Linux machine.
For every operation/task in Linux there is a command; this is true (all you need to do is find out that command, use Google to get it). So how do we get the BIOS info without rebooting the system? The command for this is dmidecode (DMI table decoder). Sometimes the BIOS is called DMI too. Just execute the command and it will dump lots and lots of information about the system.
#dmidecode
To get more precise/clipped information for a particular category, such as only BIOS, only hardware, only RAM details or only CPU info, we have to specify the type (--type or -t option); here is the list of types for your reference.
DMI TYPES
The SMBIOS specification defines the following DMI types:
Type Information
—————————————-
0 BIOS
1 System
2 Base Board
3 Chassis
4 Processor
5 Memory Controller
6 Memory Module
7 Cache
8 Port Connector
9 System Slots
10 On Board Devices
11 OEM Strings
12 System Configuration Options
13 BIOS Language
14 Group Associations
15 System Event Log
16 Physical Memory Array
17 Memory Device
18 32-bit Memory Error
19 Memory Array Mapped Address
20 Memory Device Mapped Address
21 Built-in Pointing Device
22 Portable Battery
23 System Reset
24 Hardware Security
25 System Power Controls
26 Voltage Probe
27 Cooling Device
28 Temperature Probe
29 Electrical Current Probe
30 Out-of-band Remote Access
31 Boot Integrity Services
32 System Boot
33 64-bit Memory Error
34 Management Device
35 Management Device Component
36 Management Device Threshold Data
37 Memory Channel
38 IPMI Device
39 Power Supply
Here are some examples.
Note : In RHEL4 there are no options for the dmidecode command.
To find only BIOS info
#dmidecode -t 0
[root@test ~]# dmidecode --type 0
# dmidecode 2.7
SMBIOS 2.5 present.

Handle 0x0000, DMI type 0, 24 bytes.
BIOS Information
Vendor : Phoenix Technologies, LTD
Version : MS7352 1.14
Release Date : 09/03/2008
Address : 0xE0000
Runtime Size : 128 kB
ROM Size : 1024 kB
Characteristics:
ISA is supported
PCI is supported
PNP is supported
APM is supported
BIOS is upgradeable
BIOS shadowing is allowed
Boot from CD is supported
Selectable boot is supported
BIOS ROM is socketed
EDD is supported
5.25"/360 KB floppy services are supported (int 13h)
5.25"/1.2 MB floppy services are supported (int 13h)
3.5"/720 KB floppy services are supported (int 13h)
3.5"/2.88 MB floppy services are supported (int 13h)
Print screen service is supported (int 5h)
8042 keyboard services are supported (int 9h)
Serial services are supported (int 14h)
Printer services are supported (int 17h)
CGA/mono video services are supported (int 10h)
ACPI is supported
USB legacy is supported
LS-120 boot is supported
ATAPI Zip drive boot is supported
BIOS boot specification is supported
Function key-initiated network boot is supported
Targeted content distribution is supported
BIOS Revision: 1.14
We can also specify a keyword instead of a type number if you forget the number; just type the keyword to check that particular property of the system.
Keyword Types
——————————
bios 0, 13
system 1, 12, 15, 23, 32
baseboard 2, 10
chassis 3
processor 4
memory 5, 6, 16, 17
cache 7
connector 8
slot 9

Suppose we want to see system details
[root@test ~]# dmidecode --type system
# dmidecode 2.7
SMBIOS 2.5 present.
Handle 0x0001, DMI type 1, 27 bytes.
System Information :
Manufacturer : Hewlett-Packard
Product Name : HP Compaq dx7400 Microtower
Version:
Serial Number: SGH83801NJ
UUID: 809AF9C0-17F0-1310-9511-C4681D1F835D
Wake-up Type: Power Switch
SKU Number: GD384AV
Family: 103C_53307F
Handle 0x0024, DMI type 32, 11 bytes.
System Boot Information
Status: No errors detected
[root@test ~]#
Some other useful commands to get system info are
To get CPU info
#cat /proc/cpuinfo
To get HW info
#lshal

or
#lshw
To get PCI info
#lspci
To get USB info
#lsusb

Virt File
 ME . (Linux Admin)
Can we create a file system (i.e. format a drive/partition) within a file system?
Looks a little strange, doesn’t it? So follow me, I will show you how to create a virtual partition and file system within a partition.
Step1 : Create an empty file from /dev/zero with a size equal to 50 MB.
#dd if=/dev/zero of=/temp/vf0 count=102400

Note :
1. By default the "dd" command (dataset definition) uses a block size of 512 bytes, so the size will be 102400*512 = 52,428,800 bytes = ~50 MB
2. /dev/zero is a device file which is used to create a file containing only "0", i.e. an empty file.

Clipped output:
[root@test6 ~]# dd if=/dev/zero of=/temp/vf0 count=102400
102400+0 records in
102400+0 records out
[root@test ~]# ls -lh /temp/vf0
-rw-r--r-- 1 root root 50M Nov 7 12:08 /temp/vf0

Step2 : Create ext3 file system for this virtual partition.
#mkfs -t ext3 /temp/vf0

Here it will ask "do you want to format the file or not?"; just say yes.
Step3 : Now we have to create a mount point (nothing but a directory) and mount the created partition.
# mkdir /virtdrive
# mount -o loop=/dev/loop0 /temp/vf0 /virtdrive

Note:
/dev/loop is a special device used to mount ISO files and virtual file systems. In Linux there are 8 loop devices by default, numbered from 0 to 7, so you can mount only 8 ISO files/virtual file systems by default.
Step4 : Edit the /etc/fstab file to mount permanently, so that it is auto-mounted at boot time too. Specify the following entry in the fstab file.
/temp/vf0 /virtdrive ext3 rw,loop=/dev/loop0 0 0

Step5 : Apply the fstab changes.
#mount -a

Step6 : Confirm whether the mount happened correctly or not.
Way1 :
#cat /etc/mtab

Way2 : Change directory to the mount point; you should see the lost+found folder
[root@test ~]# cd /virtdrive/
[root@test virtdrive]# ls
lost+found
[root@test virtdrive]#

DNS LOG
 ME . (Linux Admin)
How to log DNS server activity?
Ans : Sometimes you need DNS server activity logged to a file, for future reference, to analyze the activity on the DNS server and to check whether it is resolving accurately or not. rndc is the command used to turn DNS server query logging on. Let’s have a look at how to log DNS server activity. To log DNS server queries, just execute the command below (you have to do this as the root user):
#rndc querylog
Note : When you execute the above command, DNS server activity is logged to the server’s /var/log/messages file.
Example output of the clipped log file:
bash-2.05b# /usr/sbin/rndc querylog
bash-2.05b# tail -f /var/log/messages
Nov 18 18:00:16 ns1.abc.in named[29413]: query logging is now on
Nov 18 18:00:18 ns1.abc.in named[29413]: client 194.158.122.34#43071: query: abc.co.in IN MX
Nov 18 18:00:18 ns1.abc.in named[29413]: client 194.158.122.6#43587: query: smtp.abc.co.in IN A
Nov 18 18:00:19 ns1.abc.in named[29413]: client 82.8.211.193#19305: query: MX2.abc.co.in IN A
Nov 18 18:00:20 ns1.abc.in named[29413]: client 200.49.130.26#4111: query: abc.co.in IN MX
Nov 18 18:00:21 ns1.abc.in named[29413]: client 212.24.128.8#46547: query: abc.co.in IN MX
Nov 18 18:00:22 ns1.abc.in named[29413]: client 200.75.51.132#26540: query: MX2.abc.co.in IN A
In order to stop DNS logging activity please execute below command
#rndc querylog
Note : If you look at this command, it is the same as the one used for starting the logging; it works like a walkie-talkie, where you press the same button for both the on and off operations.
Example output of how it is stopped
bash-2.05b# /usr/sbin/rndc querylog
bash-2.05b# tail -f messages
Nov 18 18:08:53 ns1.abc.com named[29413]: client 200.12.232.4#60450: query: abc.co.in IN MX
Nov 18 18:08:59 ns1.abc.com named[29413]: client 212.54.35.233#39027: query: ns1.abc.co.in IN A
Nov 18 18:08:59 ns1.abc.com named[29413]: client 212.54.35.233#10163: query: ns1.abc.co.in IN A
Nov 18 18:09:00 ns1.abc.com named[29413]: client 88.156.63.9#3661: query: abc.co.in IN MX
Nov 18 18:09:00 ns1.abc.com named[29413]: client 89.2.2.146#44622: query: abc.co.in IN MX
Nov 18 18:09:05 ns1.abc.com named[29413]: client 203.199.147.5#14678: query: cmex01.clairmail.local.intranet.abc.co.in IN A
Nov 18 18:09:06 ns1.abc.com named[29413]: client 117.98.17.34#1766: query: abc.co.in IN MX
Nov 18 18:09:06 ns1.abc.com named[29413]: client 203.119.8.106#28142: query: abc.co.in IN MX
Nov 18 18:09:11 ns1.abc.com named[29413]: client 217.171.113.9#4861: query: MX2.abc.co.in IN A
Nov 18 18:09:11 ns1.abc.com named[29413]: query logging is now off
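The log lines above are easier to analyse when summarised. The functions below are an added example, not part of the original post; they parse the "client IP#port: query: NAME IN TYPE" line format shown here (the field positions are an assumption about the syslog layout) and report the busiest clients and the most queried names.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the "rndc querylog"
# lines that named writes to /var/log/messages. Assumes the line layout shown
# above: "... named[PID]: client IP#PORT: query: NAME IN TYPE"; unrelated
# syslog lines in the same file are ignored.

# querylog_clients FILE -> "count ip" per querying client, busiest first
querylog_clients() {
    awk '/named\[[0-9]+\]: client / && $8 == "query:" {
             split($7, a, "#")          # $7 is IP#PORT: ; keep the address only
             n[a[1]]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# querylog_names FILE -> "count name type" per queried name and record type
querylog_names() {
    awk '/named\[[0-9]+\]: client / && $8 == "query:" { n[$9 " " $11]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# querylog_toggles FILE -> the "query logging is now on/off" lines, to confirm
# that the rndc querylog toggle left logging in the state you intended
querylog_toggles() {
    grep -oE 'query logging is now (on|off)' "$1"
}

# Typical use:
#   querylog_clients /var/log/messages | head
#   querylog_names /var/log/messages | head
```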
Some FAQs:
1. Is it advisable to restart a production DNS server?

Ans : No. Never restart a production DNS server without prior notice from your higher officials.
2. Then how can I update any changes I made to the DNS server?
Ans :
You can use the rndc command to push the changes to the DNS server.
3. I want to update DNS server zone file entries without restarting the named/bind server?
Ans :
We can do it by using the rndc command
#rndc reload
4. I want to reload the named.conf file without restarting the DNS server?
Ans :
#rndc reconfig



N.A.G.I.O.S

 ME . (Linux Admin)
NAGIOS is a system and network monitoring application that watches the hosts and services you specify and alerts you when it finds a problem.
NAGIOS itself does not speak a monitoring protocol: every check is run by a plugin. Plugins can use SNMP (so any device that supports SNMP can be monitored), ICMP, plain TCP connections, or an agent running on the monitored host.
NAGIOS can do the following things
1.Monitor a wide range of hosts like servers, switches, routers etc.
2.Monitor network services (like SMTP, POP3, HTTP, NNTP, ICMP, SNMP, FTP, SSH).
3.Monitor host resources (processor load, running processes, disk usage, system logs, etc.)
4.Monitor host environments (temperature, alarms etc.).
It can alert you through e-mail, SMS, pager etc.
NAGIOS Core reports state (OK, WARNING, CRITICAL), not trends: on its own it does not graph bandwidth utilisation.
Installing NAGIOS:
Step1: Before installing NAGIOS we require some packages to be installed. These are listed below.
Apache (for the NAGIOS web interface),
gcc compiler, glibc, glibc-common and the gd development library (for compiling the source code we are going to download).
# yum install httpd gcc glibc glibc-common gd gd-devel

Step2 : First we have to create a new nagios user account and password, and a group for the external command file.
# useradd nagios
# passwd nagios
# groupadd nagcmd
# usermod -a -G nagcmd nagios
# usermod -a -G nagcmd apache

We add "nagcmd" as a secondary group to both the "nagios" and "apache" users because commands submitted through the web interface are written to a file that both must be able to access. The -a (append) flag matters: usermod -G without -a replaces the user's existing secondary groups instead of adding one.
Step3 : Create a directory called download and download Nagios and its plugins.
# mkdir ~/download
# cd ~/download
# wget http://osdn.dl.sourceforge.net/sourceforge/nagios/nagios-3.0.2.tar.gz
# wget http://osdn.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.11.tar.gz
If you are unable to download using wget, use the following link to download nagios and nagios-plugins through the GUI:- http://www.nagios.org/download
Step4 : Now it is time to compile and install Nagios. Uncompress the tarball and do as follows (use the version you actually downloaded; the commands below use 3.0.2 to match Step3 and the pre-flight output in Step8):
# cd /root/download
# tar -xvzf nagios-3.0.2.tar.gz ## extract the tar file.
# cd nagios-3.0.2
# ./configure --with-command-group=nagcmd
# make all

Step5 : Now install the binaries, init script and sample config files, and set permissions on the external command directory (make install-commandmode).
# make install
# make install-init
# make install-config
# make install-commandmode

Now NAGIOS is installed and the configuration files are stored in /usr/local/nagios/etc
The plugins tarball downloaded in Step3 must be built and installed separately (its own ./configure, make and make install, configured with the nagios user and group); without it the check_* programs that the sample commands reference will not exist and every service check will fail.
Step6 : Install the NAGIOS web config file in the Apache conf.d directory.
# make install-webconf

Step7 : Create a nagiosadmin account for logging into the Nagios web interface.
# htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
It will ask for a new password; enter it and remember it in order to access the NAGIOS web interface. (The -c flag creates the file; omit it when adding further users later, or it will overwrite the file.)
Step8 : Verify the configuration before starting the service.
# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

When we execute the above command the output will be as below.
Output like this:-
Nagios 3.0.2
Copyright (c) 1999-2008 Ethan Galstad (http://www.nagios.org/)
Last Modified: 05-19-2008
License: GPL
Reading configuration data…
Running pre-flight check on configuration data…
Checking services…
Checked 35 services.
Checking hosts…
Checked 4 hosts.
Checking host groups…
Checked 1 host groups.
Checking service groups…
Checked 0 service groups.
Checking contacts…
Checked 1 contacts.
Checking contact groups…
Checked 1 contact groups.
Checking service escalations…
Checked 0 service escalations.
Checking service dependencies…
Checked 0 service dependencies.
Checking host escalations…
Checked 0 host escalations.
Checking host dependencies…
Checked 0 host dependencies.
Checking commands…
Checked 25 commands.
Checking time periods…
Checked 5 time periods.
Checking for circular paths between hosts…
Checking for circular host and service dependencies…
Checking global event handlers…
Checking obsessive compulsive processor commands…
Checking misc settings…
Total Warnings: 0
Total Errors: 0
Things look okay – No serious problems were detected during the pre-flight check.
If output comes like this, it means there is no error.
Step9 : start the nagios service and configure the service to run at start-up time of the system
# service nagios start
# chkconfig --add nagios
# chkconfig nagios on

Step10 : Use the following commands to let the CGIs run with SELinux in enforcing mode (targeted policy). They label the files so that Apache is allowed to serve them; this is the right fix, as opposed to disabling SELinux to make the web interface work.
# chcon -R -t httpd_sys_content_t /usr/local/nagios/sbin/
# chcon -R -t httpd_sys_content_t /usr/local/nagios/share/

Step11 : Now change the contact details in /usr/local/nagios/etc/objects/contacts.cfg. You will find nagiosadmin there; change the e-mail address associated with it to the address you want, so that alerts reach you.
Step12 : Now restart the apache server
# service httpd restart
Step13 : Access the Nagios web interface through your web browser:
http://localhost/nagios/
Note:- Here you will be prompted for the username (nagiosadmin) and the password you set in Step7. The web interface is served over plain HTTP with basic authentication, so do not expose it beyond your management network without putting it behind HTTPS.
I will update the blog with how to monitor different devices such as servers, network devices and system resources, and how to get alerts through SMS, e-mail and pager. Please keep visiting.





Backup MBR

 ME . (Linux Guru)
1.How to take a backup of the MBR and restore it? Why do you need to back up your MBR?
Ans :
The MBR (Master Boot Record) is the first sector of your hard disk and holds the boot code and the partition table; without it the system cannot boot. Suppose you have Windows and Linux dual-booted on your machine; Windows is more prone to malware, and a Windows reinstall or a boot-sector virus will overwrite the MBR. So it is always better to keep a backup of your MBR in a safe place.
2. How to take a backup of your MBR?
Ans :
Using the dd command. Here are the steps to back up your MBR and keep it in a safe place so you can restore the system if the MBR gets corrupted.
#dd if=/dev/hdx of=/safe/location bs=512 count=1
Let me explain how the above command works.
"if" specifies the Input File; here the input is the hard disk itself (/dev/hda is the primary master IDE disk, /dev/sda the first SCSI/SATA disk; "x" is a placeholder). "of" specifies the Output File, here /safe/location. "bs" is the block size to read and write, and "count" is how many blocks of that size to copy. With bs=512 and count=1 exactly the first 512 bytes of the disk, the MBR, are copied to the specified location. Keep the backup off the disk it came from, for example on removable media, or it is lost together with the MBR.
3.How to restore the MBR?
#dd if=/safe/location of=/dev/hdx bs=512 count=1

Note : Please replace "hdx" with your hard disk name.
Caution : the 512-byte restore also writes back the partition table as it was when the backup was taken. If you have created, deleted or resized partitions since then, restore only the 446 bytes of boot code (bs=446 count=1) so the current partition table is kept.
This is a bit complex. Is there any other way to restore the MBR?
Yes, if you have a Linux or Windows bootable CD you can easily restore your MBR even if you forgot to take a backup (and this method is much easier than the previous one).
Method1 : With a Red Hat Linux bootable CD.
Boot the system into rescue mode and let it mount your installed system (it appears under /mnt/sysimage). Change root into it with chroot /mnt/sysimage, then reinstall the boot loader:
#grub-install /dev/hdx
Note : Please replace hdx with your hard disk name. Then just reboot your system; it will be live and working.
Method2 : With a Windows XP bootable CD.
Step1 : Boot the system with the XP bootable CD
Step2 : Press R when Setup offers to repair an installation; this opens the Recovery Console
Step3 : Once you get the C: drive prompt, type the command below
fixmbr
This command writes a fresh Windows MBR. It replaces the GRUB boot code, so afterwards the Windows boot loader is used and you will need to reinstall GRUB (Method1) to boot Linux again.
Some FAQ's
1. What is the MBR size?
Ans :
The MBR is just 512 bytes, one disk sector.
2.What does the MBR contain?
Ans :
The MBR is divided into three parts
a.Boot loader code (446 bytes)
b.Partition table (64 bytes: four 16-byte entries)
c.Boot signature (2 bytes, 0x55 0xAA, which the BIOS checks before jumping to the boot code)
3.How many partitions can we create on a hard disk?
Ans :
The partition table holds four entries, so the combinations are
a.Four primary partitions.
b.Three primary and one extended partition.
c.Two primary and one extended partition.
d.One primary and one extended partition.
Note : Inside the extended partition we can create logical partitions. Each logical partition's extended boot record points to the next one, so the format itself sets no hard limit; older Linux kernels capped the number of partitions per disk (15 on SCSI/SATA devices, 63 on IDE).
4.Why can we not create more than 4 partitions as mentioned above?
Ans :
In the MBR the partition table occupies only 64 bytes, and each partition entry needs 16 bytes. So at most 4 entries fit, which is why the extended/logical scheme exists.
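The dd commands above copy bytes blindly; they cannot tell you whether what you backed up is a valid MBR or what is in it. The following is an added example, not part of the original post, that does the same 512-byte backup and restore in Python against a constructed disk image, checks the 0x55AA signature, decodes the four 16-byte partition entries, and restores only the 446-byte boot code so the partition table on the disk is preserved. The image, the partition entries in it and the temporary file names are constructed for the example; to use the functions on a real disk, pass /dev/sda (as root) instead of the image path.

```python
import os
import struct
import tempfile

MBR_SIZE, BOOT_CODE_SIZE, PART_ENTRY_SIZE = 512, 446, 16
PART_TABLE_OFFSET = BOOT_CODE_SIZE            # bytes 446..509
SIGNATURE = b"\x55\xAA"                       # bytes 510..511

def build_sample_mbr():
    """Constructed 512-byte image: dummy boot code, two primary partitions, signature."""
    boot_code = b"\xEB\xFE" + b"\x90" * (BOOT_CODE_SIZE - 2)       # 'jmp $' then NOPs
    # entry: status, CHS start (3), type, CHS end (3), first LBA, sector count
    p1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x83, b"\xFE\xFF\xFF", 2048, 1048576)
    p2 = struct.pack("<B3sB3sII", 0x00, b"\xFE\xFF\xFF", 0x82, b"\xFE\xFF\xFF", 1050624, 4194304)
    empty = b"\x00" * PART_ENTRY_SIZE
    return boot_code + p1 + p2 + empty + empty + SIGNATURE

def read_mbr(path):
    """Same bytes as: dd if=<path> bs=512 count=1, plus a signature check."""
    with open(path, "rb") as f:
        data = f.read(MBR_SIZE)
    if len(data) != MBR_SIZE or data[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    return data

def parse_partitions(mbr):
    """Decode the four 16-byte entries of the 64-byte partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", mbr[off:off + PART_ENTRY_SIZE])
        if ptype:                                  # type 0 marks an unused slot
            parts.append({"index": i + 1, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return parts

def backup_mbr(disk, backup_path):
    """dd if=<disk> of=<backup_path> bs=512 count=1"""
    data = read_mbr(disk)
    with open(backup_path, "wb") as f:
        f.write(data)
    return data

def restore_boot_code(disk, backup_path):
    """Write back only the 446 bytes of boot code (dd ... bs=446 count=1),
    leaving the partition table currently on the disk untouched."""
    with open(backup_path, "rb") as f:
        boot = f.read(BOOT_CODE_SIZE)
    with open(disk, "r+b") as f:
        f.write(boot)
    return read_mbr(disk)

def demo_roundtrip():
    """Build a disk image, back up its MBR, wipe the boot code and restore it.
    Returns (partitions after restore, restored MBR identical to the backup)."""
    tmp = tempfile.mkdtemp()
    disk, bak = os.path.join(tmp, "disk.img"), os.path.join(tmp, "mbr.bak")
    with open(disk, "wb") as f:
        f.write(build_sample_mbr() + b"\x00" * 4096)
    original = backup_mbr(disk, bak)
    with open(disk, "r+b") as f:                   # simulate a trashed boot loader
        f.write(b"\x00" * BOOT_CODE_SIZE)
    restored = restore_boot_code(disk, bak)
    return parse_partitions(restored), restored == original

if __name__ == "__main__":
    parts, ok = demo_roundtrip()
    for p in parts:
        print(p)
    print("restore matched backup:", ok)
```

Running parse_partitions on a backup before you restore it is a cheap way to confirm the file really is the MBR of the disk in front of you (partition types and start sectors should match what fdisk -l shows) rather than a backup of some other machine.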







IPV6 Info

IPv6 with ME

First things first. Each PC, more properly each network interface, may have more than one IPv6 address: IPv6 is naturally multi-homed. Second, an IPv6 address has a scope, that is, it can be restricted to a single LAN or a private network or be globally unique. The following table defines the types of IPv6 addresses that can be supported and contrasts them with the closest IPv4 functional equivalent.
Link-Local
  Scope/Description: Local link only. Automatically assigned, on Ethernet from the MAC address. Cannot be routed outside the local LAN.
  IPv4 equivalent: No real equivalent (IPv4 maps addresses to MACs with ARP instead).
  Notes: The scoped address concept is new to IPv6.
Site-Local
  Scope/Description: Optional. Local site only. Cannot be routed over the Internet. Assigned by the user.
  IPv4 equivalent: A private network address on a multi-homed interface is the closest equivalent.
  Notes: Unlike an IPv4 private address, an IPv6 device can have, and most likely will have, Link-Local, Site-Local and Global Unicast addresses at the same time. Site-Local was deprecated by RFC 3879 and its block (FEC0::/10) is marked Reserved by IANA; Unique Local Addresses (FC00::/7, RFC 4193) replace it.
Global Unicast
  Scope/Description: Globally unique. Fully routable. Assigned by IANA/delegated aggregators.
  IPv4 equivalent: Global IP address.
  Notes: IPv6 and IPv4 are similar here, but an IPv6 interface also carries other scoped addresses.
Multicast
  Scope/Description: One-to-many. Hierarchy of multicast scopes.
  IPv4 equivalent: Similar to IPv4 Class D.
  Notes: Significantly more powerful than the IPv4 version. There is no broadcast in IPv6; it is replaced by multicast.
Anycast
  Scope/Description: One-to-nearest. Uses addresses from the unicast space. Assigned to routers only. Used for discovery.
  IPv4 equivalent: No address type; IPv4 uses separate protocols for similar jobs (e.g. IGMP).
  Notes: Some anycast addresses are reserved for special functions (RFC 2526).
Loopback
  Scope/Description: Local interface scope.
  IPv4 equivalent: Same as IPv4 127.0.0.1
  Notes: Same function

IPv6 Address Notation

An IPv6 address consists of 128 bits – an IPv4 address consists of 32 bits – and is written as a series of 8 hexadecimal strings separated by colons. Examples:
# all the following refer to the same address
2001:0000:0234:C1AB:0000:00A0:AABC:003F
# leading zeros can be omitted
2001:0:234:C1AB:0:A0:AABC:3F
# not case sensitive - any mixture allowed
2001:0:0234:C1ab:0:A0:aabc:3F
A run of one or more zero groups can be omitted entirely, written as "::", but only once in an address. You can choose the most useful place to do it. Examples:
# raw ipv6 address
2001:0000:0234:C1AB:0000:00A0:AABC:003F
# address with a single 0 group dropped
2001::0234:C1ab:0:A0:aabc:003F
# alternate version - a different single 0 group dropped
2001:0:0234:C1ab::A0:aabc:003F
# the following is INVALID (two "::")
2001::0234:C1ab::A0:aabc:003F
Both single-zero forms are valid per RFC 4291, but RFC 5952 (the recommended text representation) says "::" must not be used to shorten just one zero group and that lowercase hex should be used, so a canonicaliser would write this address as 2001:0:234:c1ab:0:a0:aabc:3f. Comparing addresses as strings without canonicalising them first is a classic source of ACL and log-matching bugs.
Multiple zeros can be omitted entirely but only once in an address. Examples:
# omitting multiple 0's in address
2001:0:0:0:0:0:0:3F
# can be written as
2001::3F
# lots of zeros (loopback address)
0:0:0:0:0:0:0:1
# can be written as
::1
# all zeros (unspecified a.k.a unassigned IP)
0:0:0:0:0:0:0:0
# can be written as
::
# but this address
2001:0:0:1:0:0:0:3F
# cannot be reduced to this
2001::1::3F  # INVALID
# instead it can only be reduced to
2001::1:0:0:0:3F
# or
2001:0:0:1::3F
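The rules above are easy to state and easy to get wrong in code, which matters whenever an address from a log or a request is compared against a list. The following is an added example, not from the original page: expand() turns any textual IPv6 address into eight four-digit groups and rejects a second "::" (the INVALID cases above), compress() applies the single-"::" rule to the longest run of zero groups in the RFC 5952 style, and same_address() compares two spellings by their expanded form. The standard library's ipaddress module is used only to cross-check the result.

```python
import ipaddress

HEX = set("0123456789abcdefABCDEF")

def expand(addr):
    """Full form: eight lowercase 4-digit groups. Rejects a second '::' and malformed groups."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: " + addr)
    if "::" in addr:
        left, right = addr.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        missing = 8 - len(lg) - len(rg)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group: " + addr)
        groups = lg + ["0"] * missing + rg
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups: " + addr)
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX:
            raise ValueError("bad group %r in %s" % (g, addr))
    return ":".join(g.lower().zfill(4) for g in groups)

def compress(addr):
    """RFC 5952 text form: strip leading zeros, lowercase, and replace the longest
    run of two or more zero groups (the first such run on a tie) with '::'."""
    groups = [g.lstrip("0") or "0" for g in expand(addr).split(":")]
    best_start, best_len, run_start = -1, 0, -1
    for i, g in enumerate(groups + ["end"]):      # sentinel closes a trailing run
        if g == "0":
            if run_start < 0:
                run_start = i
        elif run_start >= 0:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = -1
    if best_len < 2:                              # never '::' for a single zero group
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])

def same_address(a, b):
    """Two textual addresses denote the same 128-bit value."""
    return expand(a) == expand(b)

def is_valid(addr):
    """True if expand() accepts the spelling."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False

def matches_stdlib(addr):
    """Cross-check against the standard library (which also accepts the dotted
    IPv4 suffix form that expand() deliberately does not handle)."""
    return expand(addr) == ipaddress.IPv6Address(addr).exploded

if __name__ == "__main__":
    for a in ("2001:0000:0234:C1AB:0000:00A0:AABC:003F", "2001:0:0:1:0:0:0:3F", "0:0:0:0:0:0:0:1"):
        print(a, "->", compress(a), "stdlib agrees:", matches_stdlib(a))
    print("2001::1::3F valid?", is_valid("2001::1::3F"))
```

In production code use ipaddress.IPv6Address(text) (or inet_pton) and compare the parsed values; the hand-written version is here to make the "only once" and "longest run" rules visible.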

IPv6 Prefix or Slash Notation

IPv6 uses the same / (forward slash) notation as IPv4 CIDR (Classless Interdomain Routing), which gives the number of contiguous leading bits that form the prefix. Formally this way of writing an address is called an IP prefix, but it is more commonly called the slash format. Examples:
# single host address
2001:db8::1/128
# normal end-site IPv6 address allocation
# allows the site to control the low order 80 bits
2001:db8::/48
# global unicast routing prefix - top 3 bits only, fixed value 001 (binary)
2000::/3

IPv6 Address Types

The type of IP address is defined by a variable number of the top bits known as the binary prefix (BP). Only as many bits as required are used to identify the address type, as shown in the following table (defined in RFC 3513, now RFC 4291):
Unspecified
  Binary prefix: 00...0 (all 128 bits zero)
  Slash: ::/128
  Notes: IPv6 address = 0:0:0:0:0:0:0:0 (or ::). Used as the source address before a host has an address, e.g. during duplicate address detection (equivalent of IPv4 0.0.0.0).
Loopback
  Binary prefix: 00...1
  Slash: ::1/128
  Notes: IPv6 address = 0:0:0:0:0:0:0:1 (or ::1). Local PC loopback (equivalent of IPv4 127.0.0.1).
Multicast
  Binary prefix: 1111 1111
  Slash: FF00::/8
Link-Local unicast
  Binary prefix: 1111 1110 10
  Slash: FE80::/10
  Notes: Local link scope. Lower bits created from the interface identifier (on Ethernet, the MAC address).
Site-Local unicast
  Binary prefix: 1111 1110 11
  Slash: FEC0::/10
  Notes: Local site scope. Lower bits assigned by the user. Deprecated by RFC 3879; this prefix is marked Reserved by IANA.
Global Unicast
  Binary prefix: All other values
  Slash: 2000::/3 in practice
  Notes: RFC 3513 specifies that IANA should continue to allocate only from the binary prefix 001 (as in the RFC 2373 version) for the time being.
The revised definition is a conceptual change and is both more flexible and cleaner than the previous (RFC 2373) definition. IPv4-embedded and NSAP prefixes are still allowed for but are now simply unicast addresses.

IPv6 Global Unicast Address Format

The IPv6 Global Unicast 128 bits are divided into a 48 bit global routing prefix (a.k.a. site prefix), which is assigned by various authorities, and 80 bits which define the subnet ID and interface ID as follows:
Site prefix of 48 bits, assigned by IANA/aggregator:
global routing prefix
  Size: 48 bits
  Notes: Variable format depending on the binary prefix, e.g. if 001 a Global Unicast Address assigned by IANA.
subnet ID
  Size: 16 bits
  Notes: Used for subnet routing.
interface ID
  Size: 64 bits
  Notes: The unique interface identifier (host address equivalent in IPv4).
The IPv6 address allocation policy adopted by the various Internet Registries at the time was based on the IETF/IAB recommendation in RFC 3177 and allows for:
Normal User
  Allocation: /48
  Notes: The user controls the full 80 bits comprising the subnet ID and interface ID
Single subnet
  Allocation: /64
  Notes: Where it is known that only a single subnet can be used, the user is assigned control of the interface ID part only
Single Device
  Allocation: /128
  Notes: Where it is known that only one device can be used, the user is assigned a single interface ID
RFC 3177 has since been obsoleted by RFC 6177, which drops the blanket /48 recommendation and leaves the end-site size (typically between /48 and /56) to the registries and ISPs.

IPv6 End-User Address Format

End-user addresses are assigned from the Global Unicast pool and currently only with the binary prefix 001 (2000::/3). The IETF 6bone used a special range, 3FFE::/16, which was returned to IANA when the 6bone was phased out in June 2006 (RFC 3701). The breakdown below is the historical aggregatable format of RFC 2374; RFC 3587 obsoleted it, and the 48-bit routing prefix now has no mandated internal structure (the RIRs simply allocate blocks from 2000::/3). The 128 bits break down as follows:
Global routing prefix of 48 bits, assigned by IANA/aggregator:
reserved
  Size: 3 bits
  Notes: 001, Global Unicast Address (assigned by IANA)
TLA ID
  Size: 13 bits
  Notes: 0 0000 0000 0001 (address block 2001::/16). Top Level Aggregator (TLA). Assigned by IANA for use by the Regional Internet Registries (RIRs)
Sub-TLA
  Size: 13 bits
  Notes: Assigned by IANA to the RIRs. The RIRs assign blocks from this range to the National or Local Internet Registries.
NLA
  Size: 19 bits
  Notes: Assigned by the RIR to a Next Level Aggregator (NLA) (either a National or Local Internet Registry or in some cases an ISP). The NLA assigns blocks from its allocated range to end-users.
80 bits, typically assigned by the user:
subnet ID
  Size: 16 bits
  Notes: Used for subnet routing
interface ID
  Size: 64 bits
  Notes: Equivalent to the IPv4 host address. Since this field alone is bigger than the whole IPv4 address space it is fairly generous!
IPv6 Addresses may be assigned to interfaces using one of three methods:
  1. Stateful – Statically assigned = manual configuration
  2. Stateful – DHCPv6 – Automatically assigned
  3. Stateless – Automatically assigned

IPv6 Link-Local Address Format

Link-Local addresses are automatically assigned by the end-user equipment and require no external configuration. The address uses the binary prefix FE80::/10, followed by 54 zero bits and a 64-bit interface identifier. On Ethernet the interface identifier is the modified EUI-64 derived from the 48-bit MAC as shown below (RFC 4291 Appendix A): the MAC is split in two, FFFE is inserted in the middle, and the universal/local bit (bit 0x02 of the first octet) is inverted. Link-local addresses are not routable outside the local link. The 128 bits of a link-local address for an Ethernet interface break down as follows:
10 bits: Binary Prefix
  Value: 1111 1110 10, i.e. FE80::/10, the Link-Local prefix
54 bits: padding
  Value: all zeros
64 bits: interface identifier, constructed from the interface MAC (modified EUI-64)
  MAC, 24 bits: top 24 bits of the 48-bit MAC (vendor ID), with the universal/local bit of the first octet inverted
  ID, 16 bits: fixed value FFFE inserted
  MAC, 24 bits: low 24 bits of the 48-bit MAC (serial number)
Example
# Interface MAC
00-40-63-ca-9a-20
# first octet with the universal/local bit (0x02) inverted: 00 -> 02
# IPv6 Interface ID (modified EUI-64)
::0240:63FF:FECA:9A20
# or
::240:63FF:FECA:9A20
# link local
FE80::240:63FF:FECA:9A20
Because the interface ID embeds the MAC, an EUI-64 based address identifies the same hardware wherever the host connects; RFC 4941 privacy extensions exist to generate random interface IDs instead.
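The MAC-to-address derivation is short enough to write out in full, and doing so shows the universal/local bit inversion RFC 4291 requires (first octet 00 becomes 02), which is easy to forget when doing it by hand. The block below is an added example, not from the original page. It uses the MAC from the example above; the /64 prefix given to slaac_address() is constructed and stands in for the prefix a router advertisement would carry, so the same function covers the address-formation step of stateless autoconfiguration described later on this page. The last function reverses the process, which is why a MAC-derived address is a tracking identifier.

```python
import ipaddress

def modified_eui64(mac):
    """RFC 4291 Appendix A: split the 48-bit MAC, insert FFFE, invert bit 0x02 of the first octet."""
    octets = bytes(int(x, 16) for x in mac.replace(":", "-").split("-"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC: " + mac)
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02          # universal/local bit: a globally unique MAC gets a 1 here
    return bytes(eui)

def link_local(mac):
    """FE80::/10 prefix, 54 zero bits, 64-bit interface identifier."""
    iid = int.from_bytes(modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address((0xFE80 << 112) | iid))

def slaac_address(prefix, mac):
    """Stateless autoconfiguration: top 64 bits from the advertised prefix,
    low 64 bits from the interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix, got /%d" % net.prefixlen)
    iid = int.from_bytes(modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def mac_from_address(addr):
    """Reverse: recover the MAC from an EUI-64 based address, or None if the
    interface ID does not carry the FFFE marker (e.g. a privacy address)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return "-".join("%02x" % x for x in b[:3] + b[5:])

if __name__ == "__main__":
    mac = "00-40-63-ca-9a-20"
    print("EUI-64     :", modified_eui64(mac).hex())
    print("link-local :", link_local(mac))
    print("SLAAC      :", slaac_address("2001:db8:1:2::/64", mac))   # constructed prefix
    print("MAC again  :", mac_from_address(link_local(mac)))
```

If mac_from_address() returns the vendor prefix of your hardware for addresses seen in a remote server's logs, the host is not using privacy extensions and is trackable across networks.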

IPv6 Multicast Address Format

The Multicast format (which also replaces broadcast in IPv4) is defined by RFC 3513 Section 2.7 (now RFC 4291 Section 2.7). The format of a multicast address is defined below:
Binary Prefix
  Bits: 0-7 (8 bits)
  Value: 1111 1111
  Notes: Fixed value, a.k.a. the routing prefix
flags
  Bits: 8-11 (4 bits)
  Value: 000T
  Notes: Where T may be either:
    0 = "well-known" or permanently (IANA) assigned group
    1 = "transient" group which has no IANA assignment
  RFC 4291 later defined the two middle bits as well (0RPT: R = embedded rendezvous point, P = unicast-prefix-based group).
scope
  Bits: 12-15 (4 bits)
  Value: one of the following assigned values:
    0 - reserved
    1 - interface-local scope
    2 - link-local scope
    3 - reserved
    4 - admin-local scope
    5 - site-local scope
    6 - (unassigned)
    7 - (unassigned)
    8 - organization-local scope
    9 - (unassigned)
    A - (unassigned)
    B - (unassigned)
    C - (unassigned)
    D - (unassigned)
    E - global scope
    F - reserved
Group ID
  Bits: 16-127 (112 bits)
  Notes: Uniquely assigned by IANA if the "well-known" bit T = 0 in the flags above (see the IANA IPv6 Multicast Address Space registry).
The following lists some of the more common multicast groups:
FF01::1  Interface local - all nodes
FF02::1  Link local - all nodes
FF01::2  Interface local - all routers
FF02::2  Link local - all routers
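The second and fourth hex digits of a multicast address are all a filter needs to decide whether the group is permanent and how far it may travel. The following is an added example, not from the original page: decode_multicast() splits an address into the prefix, flags, scope and group ID fields of the table above and names the well-known groups listed, and leaves_link() answers the question a border router or firewall actually asks, whether a packet to that group may be forwarded off the link at all. The transient address FF1E::1234 used in the usage line is constructed.

```python
import ipaddress

SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
          0x5: "site-local", 0x8: "organization-local", 0xE: "global"}
WELL_KNOWN_GROUPS = {1: "all nodes", 2: "all routers"}      # the groups listed above

def decode_multicast(text):
    """Split FF<flags><scope>::<group> into its fields; raises for non-multicast input."""
    a = int(ipaddress.IPv6Address(text))
    if a >> 120 != 0xFF:                          # binary prefix 1111 1111
        raise ValueError("not a multicast address (FF00::/8): " + text)
    flags = (a >> 116) & 0xF
    scope = (a >> 112) & 0xF
    group = a & ((1 << 112) - 1)
    transient = bool(flags & 0x1)                 # T bit: 0 = IANA well-known, 1 = transient
    info = {"flags": flags, "transient": transient,
            "scope": SCOPES.get(scope, "reserved/unassigned (%X)" % scope),
            "group_id": group}
    if not transient:
        info["name"] = WELL_KNOWN_GROUPS.get(group)
    return info

def leaves_link(text):
    """True if traffic to this group may legitimately be forwarded by a router.
    Interface-local (1) and link-local (2) groups must never cross a router,
    so seeing them arrive from another network is a sign of a misconfiguration."""
    return decode_multicast(text)["scope"] not in ("interface-local", "link-local")

if __name__ == "__main__":
    for a in ("FF01::1", "FF02::1", "FF02::2", "FF1E::1234"):
        print(a, decode_multicast(a), "forwardable:", leaves_link(a))
```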

IPv6 – IPv4 Interworking

IPv6 allows an IPv4 address to be embedded in an IPv6 address in two ways. Both are described in RFC 2893 (transition mechanisms) and RFC 4291 Section 2.5.5.
The first form is termed an "IPv4-compatible IPv6 address" and must use a globally unique IPv4 address. Please note: to avoid publishing a global IPv4 address, the example below uses a private (non-globally unique) IPv4 address purely to illustrate the principle:
# IPv4-compatible IPv6 address
# assume the host has an IPv4 address of:
192.168.0.5
# this is represented by the hex value
C0A80005
# the IPv4-compatible IPv6 address would be
::C0A8:5
# or
0:0:0:0:0:0:C0A8:5
# or, in mixed notation
::192.168.0.5
The IPv4-compatible form was used for automatic tunnelling between dual-stack nodes. It is deprecated (RFC 4291) and new implementations are not required to support it.
The second form is termed an "IPv4-mapped IPv6 address". The same private IPv4 address is used in the example:
# IPv4-mapped IPv6 address
# assume the host has an IPv4 address of:
192.168.0.5
# this is represented by the hex value
C0A80005
# the IPv4-mapped IPv6 address would be
::FFFF:C0A8:5
# or
0:0:0:0:0:FFFF:C0A8:5
# or, in mixed notation
::FFFF:192.168.0.5
The IPv4-mapped form represents the address of an IPv4-only node as an IPv6 address. It is what a dual-stack application sees when an IPv4 client connects to its IPv6 socket, and what a translator such as NAT-PT (RFC 2766) uses to refer to IPv4 nodes; it is a representation inside an IPv6 system, not an address that appears as such on the wire.
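The practical consequence of the mapped form is easy to miss: a server listening on an IPv6 socket sees an IPv4 client as ::FFFF:a.b.c.d, so an allow-list written as IPv4 strings silently fails to match it. The block below is an added example, not from the original page: it builds both embedded forms from the address used above, recognises and unwraps them from the top 96 bits, and shows the allow-list check done correctly. The allow-list and the peer addresses are constructed; the standard library's ipaddress module does the parsing (and has an ipv4_mapped property that does the same unwrapping).

```python
import ipaddress

def ipv4_compatible(v4):
    """Deprecated ::a.b.c.d form (RFC 4291 section 2.5.5.1): IPv4 in the low 32 bits."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(v4)))

def ipv4_mapped(v4):
    """::FFFF:a.b.c.d form (RFC 4291 section 2.5.5.2): 80 zero bits, 16 one bits, IPv4."""
    return ipaddress.IPv6Address((0xFFFF << 32) | int(ipaddress.IPv4Address(v4)))

def unwrap(addr):
    """Return the embedded IPv4Address for either form, else the IPv6Address itself."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    if n >> 32 == 0xFFFF:                      # ::FFFF:0:0/96 -> IPv4-mapped
        return ipaddress.IPv4Address(n & 0xFFFFFFFF)
    if n >> 32 == 0 and n > 1:                 # ::/96 but not :: or ::1 -> IPv4-compatible
        return ipaddress.IPv4Address(n)
    return a

def allowed(peer, allow_list):
    """ACL check that works for IPv4 clients of a dual-stack socket.
    A naive string compare of '::ffff:192.168.0.5' against '192.168.0.5' would fail."""
    norm = unwrap(peer)
    return any(norm == ipaddress.ip_address(x) for x in allow_list)

if __name__ == "__main__":
    v4 = "192.168.0.5"
    print("compatible:", ipv4_compatible(v4), " mapped:", ipv4_mapped(v4))
    acl = ["192.168.0.5", "2001:db8::1"]                       # constructed allow-list
    for peer in ("::ffff:192.168.0.5", "::ffff:192.168.0.6", "2001:db8::1", "::c0a8:5"):
        print("%-22s allowed: %s" % (peer, allowed(peer, acl)))
```

The same normalisation belongs in log processing: a fail2ban-style rule keyed on the IPv4 string will never fire for entries written by an IPv6 socket unless the ::ffff: prefix is stripped first.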

IPv6 Frame Format

IPv6 headers are daisy chained. The Next Header field, present in every header except the upper layer header, indicates which header comes next: IPv6 header, then zero or more extension headers, then the upper layer header (e.g. TCP) and its data.
Notes:
  1. Zero or more Extension headers may be present.
  2. Multiple Extension headers may be present. The Destination Options header legitimately appears twice; RFC 2460 says every other type should occur at most once, and a robust parser should bound the number it is willing to walk.
  3. Extension headers (other than the fixed-size Fragment header) are of variable length and contain a length value expressed in multiples of 8 octets.
  4. Only one upper layer header may be present and it is unchanged from IPv4, e.g. TCP, with the exception of the format of the 'pseudo-header' used to generate the checksum.
  5. The link MTU is defined to be a minimum of 1280 octets with a recommendation of 1500+ octets. If any link cannot carry this MTU, link-specific fragmentation must be carried out below (i.e. invisible to) IPv6.
  6. When carrying UDP traffic in the upper layer the UDP checksum, optional in IPv4, MUST be present.
  7. The pseudo-header used for the TCP, UDP and ICMPv6 checksums is a 40 octet structure with the following format:
Source
  Size: 128 bits
  Notes: IPv6 source address
Destination
  Size: 128 bits
  Notes: IPv6 destination address
Upper-Layer Packet Length
  Size: 32 bits
  Notes: Length in octets of the upper layer header plus data (for UDP, the value of the UDP Length field)
-
  Size: 24 bits
  Notes: Must be zeros
Next Header
  Size: 8 bits
  Notes: The protocol number of the upper layer protocol, e.g. 6 = TCP, 17 = UDP, 58 = ICMPv6. This is the upper layer's number even when extension headers sit between the IPv6 header and the upper layer header.

IPv6 Header Format

IPv6 Header Format
version
  Length: 4 bits
  Notes: value = 6. Same location as in IPv4; everything after this changes.
traffic class
  Length: 8 bits
  Notes: The top 6 bits carry the Differentiated Services code point (RFC 2474) and the low 2 bits the Explicit Congestion Notification (ECN) field (RFC 3168).
flow label
  Length: 20 bits
  Notes: Identifies a flow; zero when unused.
payload length
  Length: 16 bits
  Notes: unsigned length in octets of the payload (excludes the 40-byte fixed header but includes any extension headers)
next header
  Length: 8 bits
  Notes: Identifies the header that follows; same values as the IPv4 Protocol field. Some common values:
    0 (0x00) IPv6 Hop-by-Hop Options
    1 (0x01) ICMP (IPv4)
    2 (0x02) IGMP
    4 (0x04) IPv4 encapsulated in IPv6
    6 (0x06) TCP
    17 (0x11) UDP
    41 (0x29) IPv6 encapsulated (IPv6-in-IPv6)
    43 (0x2B) Routing header
    44 (0x2C) Fragment header
    58 (0x3A) ICMPv6
    59 (0x3B) No Next Header (nothing follows)
    60 (0x3C) Destination Options
  The definitive list is the IANA Protocol Numbers registry.
hop limit
  Length: 8 bits
  Notes: Maximum number of hops. Formalises the existing practice of using the IPv4 TTL as a hop count.
source IP
  Length: 128 bits
destination IP
  Length: 128 bits

Order of Headers

Where multiple headers are present the recommended sender order is (but the receiver must accept in any order):
IPv6 Header
Hop-by-Hop Header
Destination Options
Routing Headers
Fragment Headers
Authentication Headers
Encapsulation Security Payload (ESP) Header
Destination Options
Upper Layer Header + data

Extension Headers

Extension headers are always multiples of 8 octets. To allow skipping and processing of extension headers they all begin with the following 16 bit stub format:
IPv6 Extension Header - Stub format
Next Header
  Length: 8 bits
  Notes: Same values as the IPv6 Next Header field
Extension Hdr Len
  Length: 8 bits
  Notes: Unsigned integer. The total length of the extension header in multiples of 8 octets, excluding the first 8 octets, e.g. a value of 0 = 8 octet header length, a value of 2 = 24 octet header length etc. NB the Authentication Header does not use this convention: its Payload Len is in 4-octet units minus 2 (RFC 4302), and the Fragment header has no length octet at all (it is always 8 octets). It is always good to have consistency in standards.

Header Options

The Hop-by-Hop and Destination Options headers carry a variable number of options within the header and use the classic TLV (Type-Length-Value) format shown below:
Type
  Length: 8 bits
  Notes: The two highest-order bits indicate what action to take if the option is not recognised and may take one of the following values:
    00 = skip the option and keep processing
    01 = discard the packet
    10 = discard the packet and send an ICMPv6 Parameter Problem (Code 2) message
    11 = discard the packet and, if the destination is not a multicast address, send an ICMPv6 Parameter Problem (Code 2) message
  The third highest-order bit indicates whether the option data can change en route: 0 = data will not change, 1 = data may change. If the bit is set and an Authentication Header is present then an all-zero option value must be assumed when computing any digest.
Length
  Length: 8 bits
  Notes: Length in octets of the option data; does not include the type or length octets.
Data
  Length: variable
  Notes: Depends on Type
In order to force so-called natural alignment of option fields two padding options are provided. An Option Type of 0 (Pad1) is a single pad octet and has no length or data fields; an option with Type 1 (PadN) allows for multiple octets of padding, and in this case a 2 octet pad has an Option Length of 0.
Because every router on the path must parse a Hop-by-Hop header and act on these bits, a crafted packet carrying many options is a classic way to burn router CPU; many operators rate-limit or drop packets with a Hop-by-Hop header for that reason, and a parser should treat a Length that runs past the end of the header as an error rather than reading on.
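The header chain, the 8-octet length convention of the extension header stub, the option TLVs and the pseudo-header checksum described in the preceding sections all meet in one place: a packet parser. The block below is an added example, not from the original page. It parses the 40-byte fixed header, walks the Next Header chain through a Hop-by-Hop header (reading its length in 8-octet units and its options, including a PadN), and verifies the mandatory UDP checksum over the 40-octet pseudo-header, using the upper layer protocol number rather than the extension header's. The packet is constructed in build_sample(), not captured; it carries a Router Alert option (type 5, RFC 2711) purely as a realistic option to parse.

```python
import struct

HOP_BY_HOP, UDP, ROUTING, FRAGMENT, DEST_OPTS = 0, 17, 43, 44, 60
# Extension headers whose second octet is a length in 8-octet units (excluding the
# first 8). The Fragment header has no length octet but is always 8 bytes, so the same
# formula holds; AH (51) and ESP (50) use other conventions and are not walked here.
WALKABLE = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def checksum16(data):
    """One's-complement sum of 16-bit words, as used by TCP, UDP and ICMPv6."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def pseudo_header(src, dst, upper_len, next_header):
    """40 octets: src, dst, 32-bit upper-layer length, 24 zero bits, upper-layer protocol."""
    return src + dst + struct.pack("!I3xB", upper_len, next_header)

def parse_options(body):
    """TLV walk of a Hop-by-Hop/Destination options area. Returns
    (type, unrecognised-option action bits, may-change bit, data) per option; Pad1 is skipped."""
    opts, i = [], 0
    while i < len(body):
        t = body[i]
        if t == 0:                                # Pad1: one octet, no length or data
            i += 1
            continue
        length = body[i + 1]
        if i + 2 + length > len(body):
            raise ValueError("option length runs past end of header")
        opts.append((t, t >> 6, bool(t & 0x20), body[i + 2:i + 2 + length]))
        i += 2 + length
    return opts

def parse_ipv6(pkt):
    """Fixed header plus the Next Header chain up to the upper-layer header."""
    ver_tc_fl, plen, nh, hlim, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    hdr = {"traffic_class": (ver_tc_fl >> 20) & 0xFF, "flow_label": ver_tc_fl & 0xFFFFF,
           "payload_length": plen, "hop_limit": hlim, "src": src, "dst": dst, "ext": []}
    off, end = 40, 40 + plen
    while nh in WALKABLE:
        ext_len = (pkt[off + 1] + 1) * 8          # length field excludes the first 8 octets
        if nh in (HOP_BY_HOP, DEST_OPTS):
            hdr["ext"].append((nh, parse_options(pkt[off + 2:off + ext_len])))
        else:
            hdr["ext"].append((nh, None))
        nh, off = pkt[off], off + ext_len
    hdr["upper"] = nh                             # the protocol the pseudo-header must name
    hdr["upper_data"] = pkt[off:end]
    return hdr

def udp_checksum_ok(hdr):
    """UDP over IPv6: the checksum is mandatory (0 is invalid) and covers the pseudo-header."""
    udp = hdr["upper_data"]
    if hdr["upper"] != UDP or len(udp) < 8 or udp[6:8] == b"\x00\x00":
        return False
    return checksum16(pseudo_header(hdr["src"], hdr["dst"], len(udp), UDP) + udp) == 0

def build_sample():
    """Constructed packet: link-local source, all-nodes destination, one Hop-by-Hop
    header with a Router Alert option (type 5, len 2) and a 2-octet PadN, then UDP."""
    src = bytes.fromhex("fe80000000000000024063fffeca9a20")
    dst = bytes.fromhex("ff020000000000000000000000000001")
    payload = b"hello"
    udp = struct.pack("!HHHH", 5353, 5353, 8 + len(payload), 0) + payload
    csum = checksum16(pseudo_header(src, dst, len(udp), UDP) + udp) or 0xFFFF
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    hbh = bytes([UDP, 0, 5, 2, 0, 0, 1, 0])       # next=UDP, len=0 (8 octets), RA opt, PadN(0)
    body = hbh + udp
    fixed = struct.pack("!IHBB16s16s", 6 << 28, len(body), HOP_BY_HOP, 1, src, dst)
    return fixed + body

if __name__ == "__main__":
    h = parse_ipv6(build_sample())
    print("extension headers:", h["ext"])
    print("upper layer:", h["upper"], "UDP checksum ok:", udp_checksum_ok(h))
```

Two details the parser gets right that quick implementations often do not: the pseudo-header names UDP (17), not the Hop-by-Hop header (0) that the fixed header's Next Header field contains, and an option Length that points past the end of the header is rejected instead of being read from whatever follows.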


IPv6 Configuration

IPv6 systems are typically multi-homed by default and have a link-local address configured by the host and may have a global unicast address which may be configured by one of three methods:
  1. Stateful – Statically assigned = manual configuration
  2. Stateful – DHCPv6 – Automatically assigned
  3. Stateless – Automatically assigned

IPv6 Stateless Autoconfiguration

IPv6 systems may be configured to obtain global unicast addresses using stateless autoconfiguration (RFC 4862). Stateless autoconfiguration requires a router to be present but no DHCP server. In stateless autoconfiguration a default router address is provided, but not DNS server addresses and the other information normally supplied by DHCP (RFC 6106 later added a DNS option to router advertisements). The process of creating a stateless IPv6 address is as follows:
  1. Host sends a Router Solicitation message.
  2. Host waits for a Router Advertisement message.
  3. Host takes the 64-bit subnet prefix from the Router Advertisement and combines it with its 64-bit interface identifier (the modified EUI-64 created from the MAC, or a random one) to create a Global Unicast address. The host also takes the default gateway address from the Router Advertisement message.
  4. Host then performs Duplicate Address Detection to ensure the address is unique. If this check fails, the host abandons autoconfiguration for that address and must be configured manually.
Router Advertisements are not authenticated: any host on the link can send one and become the default gateway or hand out a bogus prefix (a "rogue RA"), which is why switches implement RA Guard (RFC 6105).

IPv6 RFCs

The following RFCs define IPv6. Wow is this a list. You can get the RFCs from the IETF.
RFC
Description/Status
Using the Flow Label Field in IPv6. C. Partridge. June 1995. (Format: TXT=13591 bytes) (Status: INFORMATIONAL)
IPv6 Address Allocation Management. IAB, IESG. December 1995. (Format: TXT=3215 bytes) (Status: INFORMATIONAL)
Internet Protocol, Version 6 (IPv6) Specification. S. Deering, R. Hinden. December 1995. (Format: TXT=82089 bytes) (Obsoleted by RFC2460) (Status: PROPOSED STANDARD)
Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6). A. Conta, S. Deering. December 1995. (Format: TXT=32214 bytes) (Obsoleted by RFC2463) (Status: PROPOSED STANDARD)
An Architecture for IPv6 Unicast Address Allocation. Y. Rekhter, T. Li, Eds.. December 1995. (Format: TXT=66066 bytes) (Status: INFORMATIONAL)
OSI NSAPs and IPv6. J. Bound, B. Carpenter, D. Harrington, J. Houldsworth, A. Lloyd. August 1996. (Format: TXT=36469 bytes) (Status: EXPERIMENTAL)
A Compact Representation of IPv6 Addresses. R. Elz. Apr-01-1996. (Format: TXT=10409 bytes) (Status: INFORMATIONAL)
IP over ATM: A Framework Document. R. Cole, D. Shur, C. Villamizar. April 1996. (Format: TXT=68031 bytes) (Status: INFORMATIONAL)
RIPng for IPv6. G. Malkin, R. Minnear. January 1997. (Format: TXT=47534 bytes) (Status: PROPOSED STANDARD)
IPv6 Multicast Address Assignments. R. Hinden, S. Deering. July 1998. (Format: TXT=14356 bytes) (Status: INFORMATIONAL)
FTP Extensions for IPv6 and NATs. M. Allman, S. Ostermann, C. Metz. September 1998. (Format: TXT=16028 bytes) (Status: PROPOSED STANDARD)
Internet Protocol, Version 6 (IPv6) Specification. S. Deering, R. Hinden. December 1998. (Format: TXT=85490 bytes) (Obsoletes RFC1883) (Status: DRAFT STANDARD)
Neighbor Discovery for IP Version 6 (IPv6). T. Narten, E. Nordmark, W. Simpson. December 1998. (Format: TXT=222516 bytes) (Obsoletes RFC1970) (Status: DRAFT STANDARD)
IPv6 Stateless Address Autoconfiguration. S. Thomson, T. Narten. December 1998. (Format: TXT=61210 bytes) (Obsoletes RFC1971) (Status: DRAFT STANDARD)
Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification. A. Conta, S. Deering. December 1998. (Format: TXT=34190 bytes) (Obsoletes RFC1885) (Status: DRAFT STANDARD)
Transmission of IPv6 Packets over Ethernet Networks. M. Crawford. December 1998. (Format: TXT=12725 bytes) (Obsoletes RFC1972) (Status: PROPOSED STANDARD)
Management Information Base for IP Version 6: Textual Conventions and General Group. D. Haskin, S. Onishi. December 1998. (Format: TXT=77339 bytes) (Status: PROPOSED STANDARD)
Management Information Base for IP Version 6: ICMPv6 Group. D. Haskin, S. Onishi. December 1998. (Format: TXT=27547 bytes) (Status: PROPOSED STANDARD)
Transmission of IPv6 Packets over FDDI Networks. M. Crawford. December 1998. (Format: TXT=16028 bytes) (Obsoletes RFC2019) (Status: PROPOSED STANDARD)
IPv6 over ATM Networks. G. Armitage, P. Schulter, M. Jork. January 1999. (Format: TXT=21199 bytes) (Status: PROPOSED STANDARD)
Reserved IPv6 Subnet Anycast Addresses. D. Johnson, S. Deering. March 1999. (Format: TXT=14555 bytes) (Status: PROPOSED STANDARD)
Transmission of IPv6 over IPv4 Domains without Explicit Tunnels. B. Carpenter, C. Jung. March 1999. (Format: TXT=21049 bytes) (Status: PROPOSED STANDARD)
Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing. P. Marques, F. Dupont. March 1999. (Format: TXT=10209 bytes) (Status: PROPOSED STANDARD)
Binary Labels in the Domain Name System. M. Crawford. August 1999. (Format: TXT=12379 bytes) (Updated by RFC3363, RFC3364) (Status: EXPERIMENTAL)
IPv6 Jumbograms. D. Borman, S. Deering, R. Hinden. August 1999. (Format: TXT=17320 bytes) (Obsoletes RFC2147) (Status: PROPOSED STANDARD)
Multicast Listener Discovery (MLD) for IPv6. S. Deering, W. Fenner, B. Haberman. October 1999. (Format: TXT=46838 bytes) (Updated by RFC3590, RFC3810) (Status: PROPOSED STANDARD)
IPv6 Router Alert Option. C. Partridge, A. Jackson. October 1999. (Format: TXT=11973 bytes) (Status: PROPOSED STANDARD)
Format for Literal IPv6 Addresses in URL’s. R. Hinden, B. Carpenter, L. Masinter. December 1999. (Format: TXT=7984 bytes) (Updates RFC2396) (Status: PROPOSED STANDARD)
OSPF for IPv6. R. Coltun, D. Ferguson, J. Moy. December 1999. (Format: TXT=189810 bytes) (Status: PROPOSED STANDARD)
Network Address Translation – Protocol Translation (NAT-PT). G. Tsirtsis, P. Srisuresh. February 2000. (Format: TXT=49836 bytes) (Updated by RFC3152) (Status: PROPOSED STANDARD)
Transition Mechanisms for IPv6 Hosts and Routers. R. Gilligan, E. Nordmark. August 2000. (Format: TXT=62731 bytes) (Obsoletes RFC1933) (Status: PROPOSED STANDARD)
Router Renumbering for IPv6. M. Crawford. August 2000. (Format: TXT=69135 bytes) (Status: PROPOSED STANDARD)
Initial IPv6 Sub-TLA ID Assignments. R. Hinden, S. Deering, R. Fink, T. Hain. September 2000. (Format: TXT=11882 bytes) (Status: INFORMATIONAL)
Privacy Extensions for Stateless Address Autoconfiguration in IPv6. T. Narten, R. Draves. January 2001. (Format: TXT=44446 bytes) (Status: PROPOSED STANDARD)
Connection of IPv6 Domains via IPv4 Clouds. B. Carpenter, K. Moore. February 2001. (Format: TXT=54902 bytes) (Status: PROPOSED STANDARD)
Service Location Protocol Modifications for IPv6. E. Guttman. May 2001. (Format: TXT=25543 bytes) (Status: PROPOSED STANDARD)
Extensions to IPv6 Neighbor Discovery for Inverse Discovery Specification. A. Conta. June 2001. (Format: TXT=40416 bytes) (Status: PROPOSED STANDARD)
Transmission of IPv6 Packets over IEEE 1394 Networks. K. Fujisawa, A. Onoe. October 2001. (Format: TXT=16569 bytes) (Status: PROPOSED STANDARD)
Delegation of IP6.ARPA. R. Bush. August 2001. (Format: TXT=5727 bytes) (Obsoleted by RFC3596) (Updates RFC2874, RFC2772, RFC2766, RFC2553, RFC1886) (Also BCP0049) (Status: BEST CURRENT PRACTICE)
RADIUS and IPv6. B. Aboba, G. Zorn, D. Mitton. August 2001. (Format: TXT=20492 bytes) (Status: PROPOSED STANDARD)
Aggregation of RSVP for IPv4 and IPv6 Reservations. F. Baker, C. Iturralde, F. Le Faucheur, B. Davie. September 2001. (Format: TXT=88681 bytes) (Status: PROPOSED STANDARD)
IAB/IESG Recommendations on IPv6 Address Allocations to Sites. IAB, IESG. September 2001. (Format: TXT=23178 bytes) (Status: INFORMATIONAL)
Support for IPv6 in Session Description Protocol (SDP). S. Olson, G. Camarillo, A. B. Roach. June 2002. (Format: TXT=8693 bytes) (Updates RFC2327) (Status: PROPOSED STANDARD)
Unicast-Prefix-based IPv6 Multicast Addresses. B. Haberman, D. Thaler. August 2002. (Format: TXT=12713 bytes) (Status: PROPOSED STANDARD)
Allocation Guidelines for IPv6 Multicast Addresses. B. Haberman. August 2002. (Format: TXT=15742 bytes) (Status: PROPOSED STANDARD)
Recommendations for IPv6 in Third Generation Partnership Project (3GPP) Standards. M. Wasserman, Ed.. September 2002. (Format: TXT=48168 bytes) (Status: INFORMATIONAL)
Dynamic Host Configuration Protocol for IPv6 (DHCPv6). R. Droms, Ed., J. Bound, B. Volz, T. Lemon, C. Perkins, M. Carney. July 2003. (Format: TXT=231402 bytes) (Status: PROPOSED STANDARD)
Representing Internet Protocol version 6 (IPv6) Addresses in the Domain Name System (DNS). R. Bush, A. Durand, B. Fink, O. Gudmundsson, T. Hain. August 2002. (Format: TXT=11055 bytes) (Updates RFC2673, RFC2874) (Status: INFORMATIONAL)
Tradeoffs in Domain Name System (DNS) Support for Internet Protocol version 6 (IPv6). R. Austein. August 2002. (Format: TXT=26544 bytes) (Updates RFC2673, RFC2874) (Status: INFORMATIONAL)
Default Address Selection for Internet Protocol version 6 (IPv6). R. Draves. February 2003. (Format: TXT=55076 bytes) (Status: PROPOSED STANDARD)
Internet Protocol Version 6 (IPv6) Addressing Architecture. R. Hinden, S. Deering. April 2003. (Format: TXT=53920 bytes) (Obsoletes RFC2373) (Status: obsoleted by RFC4291)
IPv6 Global Unicast Address Format. R. Hinden, S. Deering, E. Nordmark. August 2003. (Format: TXT=8783 bytes) (Obsoletes RFC2374) (Status: INFORMATIONAL)
DNS Extensions to Support IP Version 6. S. Thomson, C. Huitema, V. Ksinant, M. Souissi. October 2003. (Format: TXT=14093 bytes) (Obsoletes RFC3152, RFC1886) (Status: DRAFT STANDARD)
IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6. O. Troan, R. Droms. December 2003. (Format: TXT=45308 bytes) (Status: PROPOSED STANDARD)
DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6). R. Droms, Ed.. December 2003. (Format: TXT=13312 bytes) (Status: PROPOSED STANDARD)
IPv6 Flow Label Specification. J. Rajahalme, A. Conta, B. Carpenter, S. Deering. March 2004. (Format: TXT=21296 bytes) (Status: PROPOSED STANDARD)
Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6. R. Droms. April 2004. (Format: TXT=18510 bytes) (Status: PROPOSED STANDARD)
Mobility Support in IPv6. D. Johnson, C. Perkins, J. Arkko. June 2004. (Format: TXT=393514 bytes) (Status: PROPOSED STANDARD)
Using IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents. J. Arkko, V. Devarapalli, F. Dupont. June 2004. (Format: TXT=87076 bytes) (Status: PROPOSED STANDARD)
Multicast Listener Discovery Version 2 (MLDv2) for IPv6. R. Vida, Ed., L. Costa, Ed.. June 2004. (Format: TXT=153579 bytes) (Updates RFC2710) (Status: PROPOSED STANDARD)
Transmission of IPv6 Packets over Fibre Channel. C. DeSanti. July 2004. (Format: TXT=53328 bytes) (Status: PROPOSED STANDARD)
IPv6 Address Prefix Reserved for Documentation. G. Huston, A. Lord, P. Smith. July 2004. (Format: TXT=7872 bytes) (Status: INFORMATIONAL)
DNS IPv6 Transport Operational Guidelines. A. Durand, J. Ihren. September 2004. (Format: TXT=10025 bytes) (Also BCP0091) (Status: BEST CURRENT PRACTICE)
Embedding the Rendezvous Point (RP) Address in an IPv6 Multicast Address. P. Savola, B. Haberman. November 2004. (Format: TXT=40136 bytes) (Updates RFC3306) (Status: PROPOSED STANDARD)
IPv6 Scoped Address Architecture. S. Deering, B. Haberman, T. Jinmei, E. Nordmark, B. Zill. March 2005. (Format: TXT=53555 bytes) (Status: PROPOSED STANDARD)
Common Misbehavior Against DNS Queries for IPv6 Addresses. Y. Morishita, T. Jinmei. May 2005. (Format: TXT=13073 bytes) (Status: INFORMATIONAL)
Unique Local IPv6 Unicast Addresses. R. Hinden, B. Haberman. October 2005. (Format: TXT=35908 bytes) (Status: PROPOSED STANDARD)
Basic Transition Mechanisms for IPv6 Hosts and Routers. E. Nordmark, R. Gilligan. October 2005. (Format: TXT=58575 bytes) (Obsoletes RFC2893) (Status: PROPOSED STANDARD)
Analysis on IPv6 Transition in Third Generation Partnership Project (3GPP) Networks. J. Wiljakka, Ed.. October 2005. (Format: TXT=52903 bytes) (Status: INFORMATIONAL)
Information Refresh Time Option for Dynamic Host Configuration Protocol for IPv6 (DHCPv6). S. Venaas, T. Chown, B. Volz. November 2005. (Format: TXT=14759 bytes) (Status: PROPOSED STANDARD)
Mobile IPv6 Fast Handovers for 802.11 Networks. P. McCann. November 2005. (Format: TXT=35276 bytes) (Status: INFORMATIONAL)
Mobile Node Identifier Option for Mobile IPv6 (MIPv6). A. Patel, K. Leung, M. Khalil, H. Akhtar, K. Chowdhury. November 2005. (Format: TXT=14653 bytes) (Status: PROPOSED STANDARD)
IP Version 6 Addressing Architecture. R. Hinden, S. Deering. February 2006. (Format: TXT=52897 bytes) (Obsoletes RFC3513) (Status: DRAFT STANDARD)
Mobile IPv6 Management Information Base. G. Keeni, K. Koide, K. Nagami, S. Gundavelli. April 2006. (Format: TXT=209038 bytes) (Status: PROPOSED STANDARD)
IPv6 Host-to-Router Load Sharing. R. Hinden, D. Thaler. November 2005. (Format: TXT=10156 bytes) (Updates RFC2461) (Status: PROPOSED STANDARD)
IPv6 Host Configuration of DNS Server Information Approaches. J. Jeong, Ed.. February 2006. (Format: TXT=60803 bytes) (Status: INFORMATIONAL)
Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs). C. Huitema. February 2006. (Format: TXT=132607 bytes) (Status: PROPOSED STANDARD)
Optimistic Duplicate Address Detection (DAD) for IPv6. N. Moore. April 2006. (Format: TXT=33123 bytes) (Status: PROPOSED STANDARD)
Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification. A. Conta, S. Deering, M. Gupta, Ed.. March 2006. (Format: TXT=48969 bytes) (Obsoletes RFC2463) (Updates RFC2780) (Status: DRAFT STANDARD)
Securing Mobile IPv6 Route Optimization Using a Static Shared Key. C. Perkins. June 2006. (Format: TXT=15080 bytes) (Status: PROPOSED STANDARD)
A Method for Generating Link-Scoped IPv6 Multicast Addresses. J-S. Park, M-K. Shin, H-J. Kim. April 2006. (Format: TXT=12224 bytes) (Updates RFC3306) (Status: PROPOSED STANDARD)
Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Relay Agent Remote-ID Option. B. Volz. August 2006. (Format: TXT=10940 bytes) (Status: PROPOSED STANDARD)
The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Client Fully Qualified Domain Name (FQDN) Option. B. Volz. October 2006. (Format: TXT=32359 bytes) (Status: PROPOSED STANDARD)

SSL(CA)

Creating a sample CA
Preamble
Digital certificates are now widely used to secure communication with web sites, VPNs and other services. One recurring problem is how to create your own CA to add a further level of security to your infrastructure, so the purpose of this document is to give brief instructions for creating a sample CA for private use. The main tools are OpenSSL and Linux. If the SSL package and/or operating system you use are different, the format of some or all commands may vary. This document uses OpenSSL 0.9.8h; if your version differs, please refer to the documentation for changes between versions.
Creation
  1. The first step is to choose a directory where the CA files will reside. /etc/localCA is self-explanatory enough and a good location. /opt is not a bad choice either, but since /etc is meant to hold configuration files, it is the better place:
# mkdir -p /etc/localCA
  2. Next, create two directories: one for the certificates issued by the authority and one for the CA's own certificate and key. It is highly recommended to keep them in separate "storages", for example /etc/localCA/certs and /etc/localCA/own.
# mkdir -p /etc/localCA/own /etc/localCA/certs
  3. Then create the file OpenSSL uses to track the serial numbers of certificates issued by the CA, and the database file (empty at the start) that records those certificates:
# echo 0001 > /etc/localCA/serial
# > /etc/localCA/list_cert
  4. It's time to create the config file for our CA. Name it openssl.cnf and put it in the root directory of the CA. Do not forget to change default parameters such as crl_days, days, md and the CA policy according to the rules of your company (for company use). There may already be another config file somewhere on your system, but we will use a much simpler one that is sufficient for our task. For explanations of the different options, please refer to the documentation of OpenSSL or the SSL package you use. Note that database must point at the list_cert file created in the previous step.
[ ca ]
default_ca = localCA
[ localCA ]
dir = /etc/localCA
certificate = $dir/cacert.pem
database = $dir/list_cert
new_certs_dir = $dir/certs
private_key = $dir/own/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 730
default_md = sha1
policy = localCA_policy
x509_extensions = certificate_extensions
[ localCA_policy ]
commonName = supplied
countryName = optional
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional
[ certificate_extensions ]
basicConstraints = CA:false
  5. Tell OpenSSL where the config file is located:
# export OPENSSL_CONF=/etc/localCA/openssl.cnf
  6. The next step is to create a self-signed certificate for our CA. For this task we will use a "response file", because entering information by hand always leaves room for error, so we add the lines below to our config file:
[ req ]
default_bits = 2048
default_keyfile = /etc/localCA/own/cakey.pem
default_md = sha1
prompt = no
distinguished_name = root_ca_local
x509_extensions = root_ca_extensions
[ root_ca_local ]
commonName = Local CA
emailAddress = ca@example.org
organizationName = Root Certification Authority
[ root_ca_extensions ]
basicConstraints = CA:true
  7. Let's generate the self-signed certificate for our CA (run this from /etc/localCA, since the config expects the certificate at $dir/cacert.pem; the key goes to /etc/localCA/own/cakey.pem because of default_keyfile):
# openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 730
Generating a 2048 bit RSA private key
..........+++
.......................................+++
writing new private key to '/etc/localCA/own/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
  8. Et voilà, our CA is ready to issue certificates for local use. Let's test it by creating one. First we need to "clear" the environment variable for the config file, so that the request is built from the system defaults rather than from our CA's [req] section (which would otherwise fill in the CA's own name without prompting):
# unset OPENSSL_CONF
  9. Then create the request:
# openssl req -newkey rsa:1024 -keyout testkey.pem -keyform PEM -out testreq.pem -outform PEM
Generating a 1024 bit RSA private key
..++++++
.........................................++++++
writing new private key to 'testkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BG
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Local
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:Test
Email Address []:test@example.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  10. Issue the certificate from this request:
# export OPENSSL_CONF=/etc/localCA/openssl.cnf
# openssl ca -in testreq.pem
Using configuration from /etc/localCA/openssl.cnf
Enter pass phrase for /etc/localCA/own/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'BG'
organizationName      :PRINTABLE:'Local'
commonName            :PRINTABLE:'Test'
emailAddress          :IA5STRING:'test@example.org'
Certificate is to be certified until Aug  2 21:40:51 2010 GMT (730 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Local CA/emailAddress=ca@example.org, O=Root Certification Authority
  11. Now the directory /etc/localCA/certs contains a file named after the certificate's serial number, with the extension .pem from the output format. And that's all.
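The eleven steps above collected into one script, as an added example that is not part of the original document: it builds the same directory layout and openssl.cnf in a scratch directory, self-signs the CA, issues one certificate from a request, and then runs the check the walkthrough stops short of (does the issued certificate chain to cacert.pem, and is it constrained to CA:false, so it cannot be used to sign further certificates). It assumes only the openssl command-line tool. Deviations from the page are deliberate and marked in the comments: sha256 replaces sha1, keys are written unencrypted with -nodes and signing runs with -batch so nothing prompts, and the request subject values are constructed.

```shell
#!/bin/sh
# Added example (not the page's own commands): the CA procedure above, run
# non-interactively in a scratch directory so it can be tried without touching /etc.
# Assumes the openssl CLI is on PATH. Deviations from the page, all deliberate:
#   - sha256 instead of sha1 (sha1 signatures are refused by current verifiers),
#   - unencrypted keys (-nodes) and -batch, so nothing asks for a passphrase;
#     a real CA key should stay encrypted and off the issuing host.
set -eu

# build_local_ca <dir>: create the layout, serial, database and openssl.cnf of
# steps 1-6, then self-sign the CA certificate (step 7).
build_local_ca() {
    cadir="$1"
    mkdir -p "$cadir/own" "$cadir/certs"
    echo 0001 > "$cadir/serial"
    : > "$cadir/list_cert"                 # empty certificate database
    # $cadir is expanded by the shell here; \$dir is left for OpenSSL to expand.
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = localCA
[ localCA ]
dir = $cadir
certificate = \$dir/cacert.pem
database = \$dir/list_cert
new_certs_dir = \$dir/certs
private_key = \$dir/own/cakey.pem
serial = \$dir/serial
default_crl_days = 7
default_days = 730
default_md = sha256
policy = localCA_policy
x509_extensions = certificate_extensions
[ localCA_policy ]
commonName = supplied
countryName = optional
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = root_ca_local
x509_extensions = root_ca_extensions
[ root_ca_local ]
commonName = Local CA
emailAddress = ca@example.org
organizationName = Root Certification Authority
[ root_ca_extensions ]
basicConstraints = CA:true
EOF
    openssl req -x509 -config "$cadir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$cadir/own/cakey.pem" -out "$cadir/cacert.pem" -days 730 2>/dev/null
}

# issue_cert <dir> <name>: steps 9-10 with a constructed subject; the leaf gets
# basicConstraints CA:false from certificate_extensions in the config.
issue_cert() {
    cadir="$1"; name="$2"
    openssl req -new -config "$cadir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$cadir/$name.key.pem" -out "$cadir/$name.req.pem" \
        -subj "/C=BG/O=Local/CN=$name/emailAddress=$name@example.org" 2>/dev/null
    openssl ca -batch -notext -config "$cadir/openssl.cnf" \
        -in "$cadir/$name.req.pem" -out "$cadir/$name.cert.pem" 2>/dev/null
}

# verify_cert <dir> <name>: does the issued certificate chain to cacert.pem?
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/$2.cert.pem" >/dev/null 2>&1
}

# is_end_entity <cert>: true when basicConstraints says CA:FALSE, i.e. the
# certificate cannot itself act as an issuer.
is_end_entity() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:FALSE'
}

# issued_count <dir>: entries in the CA database (one line per certificate).
issued_count() {
    grep -c '' "$1/list_cert"
}

main() {
    cadir=$(mktemp -d)
    build_local_ca "$cadir"
    issue_cert "$cadir" test
    verify_cert "$cadir" test && echo "test.cert.pem chains to cacert.pem"
    is_end_entity "$cadir/test.cert.pem" && echo "test.cert.pem is an end-entity certificate"
    echo "certificates issued: $(issued_count "$cadir") (CA lives in $cadir)"
}
main
```

Run as is, it builds a throwaway CA under a mktemp directory; to target /etc/localCA as on the page, call build_local_ca with that path as root and drop -nodes so the CA key is passphrase-protected.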
Final notes
This manual is just a simplified example of the process of creating a CA and does not replace the need to read and understand the documentation. Of course there are many products that simplify most of the work, but for understanding the process nothing can replace old-fashioned command line tools.

YUM

To Install a Yum Server With vsftpd
1. Insert the RHEL5 DVD in the DVD drive.
2. Install the vsftpd and createrepo RPMs found on the DVD.
3. Run this command: # service vsftpd restart
4. Copy all packages from the DVD to the /var/ftp/pub directory:
#mount /dev/dvd /mnt
#cp -r /mnt/* /var/ftp/pub
5. Run the createrepo command to create the repository metadata in /var/ftp/pub (takes about 3 minutes):
#createrepo -v /var/ftp/pub
6. Now configure and edit the yum.conf file:
#vim /etc/yum.conf
[gpg]
name=your server name
baseurl=ftp://your ftp ip/pub
gpgcheck=0
enabled=1
:wq (save the file)
7. #service vsftpd restart
#chkconfig vsftpd on
8. Check the yum repo service:
#yum list all
#yum clean all
#yum update all
#yum -y install vnc*
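As an added example (not from the page), a small shell helper that writes the step-6 stanza in the form a defender would want it and audits repo definitions for the weak setting. With gpgcheck=0, yum installs whatever the FTP server hands out without checking the package signature, so a modified mirror is installed as root on every client; the hardened stanza enables gpgcheck and points gpgkey at the vendor key. The key file name RPM-GPG-KEY-redhat-release and the server address 192.0.2.10 are placeholders assumed here, not values from the page.

```shell
#!/bin/sh
# Added example, not from the page: write the repo stanza with GPG checking on,
# and audit existing repo files for stanzas that leave it off. The key file name
# RPM-GPG-KEY-redhat-release and the address 192.0.2.10 are placeholders.
set -eu

# write_repo_file <path> <repo-id> <baseurl> <gpgkey-url>
# Same fields as the page's stanza, plus gpgcheck=1 and the key yum should
# verify every package against.
write_repo_file() {
    cat > "$1" <<EOF
[$2]
name=Local RHEL5 mirror ($2)
baseurl=$3
enabled=1
gpgcheck=1
gpgkey=$4
EOF
}

# repos_without_gpgcheck <file>...: print "file:repo-id" for every stanza in
# which gpgcheck is missing or not exactly 1 (whitespace around '=' tolerated).
repos_without_gpgcheck() {
    for f in "$@"; do
        awk -v file="$f" '
            function flush() { if (section != "" && !ok) print file ":" section }
            /^[ \t]*\[.*\][ \t]*$/ {
                flush()
                section = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", section); ok = 0
                next
            }
            /^[ \t]*gpgcheck[ \t]*=/ {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
                ok = (val == "1")
            }
            END { flush() }
        ' "$f"
    done
}

main() {
    dir=$(mktemp -d)
    # constructed copy of the page's step-6 stanza, for comparison
    printf '[gpg]\nname=your server name\nbaseurl=ftp://192.0.2.10/pub\ngpgcheck=0\nenabled=1\n' \
        > "$dir/weak.repo"
    write_repo_file "$dir/rhel5-dvd.repo" rhel5-dvd \
        ftp://192.0.2.10/pub ftp://192.0.2.10/pub/RPM-GPG-KEY-redhat-release
    echo "stanzas with signature checking off:"
    repos_without_gpgcheck "$dir"/*.repo
}
main
```

Point repos_without_gpgcheck at /etc/yum.conf and /etc/yum.repos.d/*.repo on a client to find every repository that skips signature verification.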

Transparent Proxy

Linux: Setup a transparent proxy with Squid in three easy steps

Set up Squid as a transparent proxy server.
The main benefit of a transparent proxy is that you do not have to set up individual browsers to work with proxies.

My Setup:

i) System: HP dual Xeon CPU system with 8 GB RAM (good for squid).
ii) Eth0: IP:192.168.1.1
iii) Eth1: IP: 192.168.2.1 (192.168.2.0/24 network (around 150 windows XP systems))
iv) OS: Red Hat Enterprise Linux (the following instructions should work with Debian and all other Linux distros)
Eth0 is connected to the internet and eth1 to the local LAN, i.e. the system acts as a router.

Server Configuration

  • Step #1 : Squid configuration so that it will act as a transparent proxy
  • Step #2 : Iptables configuration
    • a) Configure system as router
    • b) Forward all http requests to 3128 (DNAT)
  • Step #3: Run scripts and start squid service
First, install the Squid server (use up2date squid) and configure it by adding the following directives to the file:
# vi /etc/squid/squid.conf
Modify or add following squid directives:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan

Where,
  • httpd_accel_host virtual: Squid acts as an httpd accelerator
  • httpd_accel_port 80: 80 is the port you want Squid to accelerate (proxy)
  • httpd_accel_with_proxy on: Squid acts as both a local httpd accelerator and as a proxy.
  • httpd_accel_uses_host_header on: Squid takes the destination from the HTTP Host header (the hostname from the URL), which intercepted requests need.
  • acl lan src 192.168.1.1 192.168.2.0/24: Access control list naming the LAN computers that may use squid
  • http_access allow localhost: allow access from localhost
  • http_access allow lan: allow access from the lan ACL; together with the later http_access deny all, every other client is refused
Here is the complete listing of squid.conf for your reference (grep removes all comments and sed removes all empty lines; thanks to David Klein for the quick hint):
# grep -v "^#" /etc/squid/squid.conf | sed -e '/^$/d'
Or try sed alone (thanks to kotnik for the small sed trick):
# cat /etc/squid/squid.conf | sed '/ *#/d; /^ *$/d'
Output:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
cache_mem 1024 MB
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl lan src 192.168.1.1 192.168.2.0/24
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myclient.hostname.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid

Iptables configuration

Next, I added the following rules to forward all http requests (coming to port 80) to the Squid server port 3128:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Here is the complete shell script. The script first configures the Linux system as a router and then forwards all http requests to port 3128 (download the fw.proxy shell script):
#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP (replies to connections this host opened)
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Save the shell script, then execute it so that the system acts as a router and forwards the ports:
# chmod +x /etc/fw.proxy
# /etc/fw.proxy
# service iptables save
# chkconfig iptables on

Start or Restart the squid:
# /etc/init.d/squid restart
# chkconfig squid on

Desktop / Client computer configuration

Point all desktop clients to your eth1 IP address (192.168.2.1) as Router/Gateway (use DHCP to distribute this information). You do not have to set up individual browsers to work with proxies.

How do I test my squid proxy is working correctly?

See access log file /var/log/squid/access.log:
# tail -f /var/log/squid/access.log
The command above follows all incoming requests as Squid writes them to /var/log/squid/access.log. Now if somebody accesses a website through a browser, squid will log the request.
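To go one step beyond watching tail -f, here is an added example (not part of the original article) that checks an access.log against the lan ACL from squid.conf: it lists client addresses that match none of the ACL entries, which should be empty if the iptables redirect and the ACL agree, and counts TCP_DENIED results. It assumes Squid's native log format (client address in field 3, result code in field 4); the log lines are constructed, and 198.51.100.x stands in for the upstream servers.

```shell
#!/bin/sh
# Added example, not from the article: audit Squid's native access.log against
# the "lan" ACL. Assumes the native log format (client address in field 3,
# result code in field 4); the sample lines below are constructed.
set -eu

# ip_in_cidr <ip> <cidr|ip>: true if <ip> lies inside the prefix. A bare
# address is treated as /32, the way the page's ACL lists 192.168.1.1.
ip_in_cidr() {
    net="${2%/*}"; bits="${2#*/}"
    [ "$bits" = "$2" ] && bits=32
    awk -v ip="$1" -v net="$net" -v bits="$bits" '
        function to_int(a,   q) {
            split(a, q, ".")
            return ((q[1] * 256 + q[2]) * 256 + q[3]) * 256 + q[4]
        }
        BEGIN {
            block = 2 ^ (32 - bits)          # addresses covered by the prefix
            exit (int(to_int(ip) / block) == int(to_int(net) / block)) ? 0 : 1
        }'
}

# clients_outside_acl <log> <acl-entry>...: distinct client addresses in the
# log that match none of the ACL entries, i.e. traffic Squid should never have
# seen if the iptables redirect and the ACL agree.
clients_outside_acl() {
    log="$1"; shift
    awk '{ print $3 }' "$log" | sort -u | while read -r client; do
        allowed=0
        for entry in "$@"; do
            if ip_in_cidr "$client" "$entry"; then allowed=1; break; fi
        done
        if [ "$allowed" -eq 0 ]; then echo "$client"; fi
    done
}

# denied_requests <log>: how many requests Squid refused (TCP_DENIED/...),
# the other sign that the ACL is doing its job.
denied_requests() {
    awk '$4 ~ /^TCP_DENIED/ { n++ } END { print n + 0 }' "$1"
}

# write_sample_log <path>: constructed access.log lines in Squid native format.
write_sample_log() {
    cat > "$1" <<'EOF'
1377849600.123    245 192.168.2.15 TCP_MISS/200 1234 GET http://www.example.com/ - DIRECT/198.51.100.7 text/html
1377849601.456     12 192.168.2.15 TCP_HIT/200 5678 GET http://www.example.com/logo.png - NONE/- image/png
1377849602.789    310 192.168.1.1 TCP_MISS/200 900 GET http://www.example.org/ - DIRECT/198.51.100.9 text/html
1377849603.012      0 192.168.3.7 TCP_DENIED/403 1432 GET http://www.example.com/ - NONE/- text/html
EOF
}

main() {
    log=$(mktemp)
    write_sample_log "$log"
    echo "clients outside the lan ACL:"
    clients_outside_acl "$log" 192.168.1.1 192.168.2.0/24
    echo "denied requests: $(denied_requests "$log")"
}
main
```

On the proxy itself, replace the sample file with /var/log/squid/access.log and pass the same src entries as the lan ACL; any address printed is reaching Squid from somewhere the ACL does not expect.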

Problems and solutions

(a) Windows XP FTP Client

All desktop client FTP session requests ended with an error:
Illegal PORT command.
I loaded the ip_nat_ftp kernel module. Just type the following command, press Enter, and voila!
# modprobe ip_nat_ftp
Please note that the modprobe command is already added to the shell script (above).

(b) Port 443 redirection

I had blocked all connection requests in our router settings except for our proxy server (192.168.1.1). So all ports, including 443 (https/ssl), were denied. You cannot redirect port 443; from the debian mailing list: "Long answer: SSL is specifically designed to prevent "man in the middle" attacks, and setting up squid in such a way would be the same as such a "man in the middle" attack. You might be able to successfully achieve this, but not without breaking the encryption and certification that is the point behind SSL".
Therefore, I quickly reopened port 443 (router firewall) for all my LAN computers and the problem was solved.

(c) Squid Proxy authentication in a transparent mode

You cannot use Squid authentication with a transparently intercepting proxy.
You have a typo in your header line for the “Transperent proxy.”
Good article. The only things I think I’d also include would be:
1) That you would want to configure your Internet firewall rule set to allow only the transparent proxy to connect to the Internet on port 80, so that they have no choice but to use the transparent proxy.
2) You probably want to include support for FTP as well.
3) This configuration is for RHEL 4 and should be updated for RHEL 5.
4) You can test if squid is working on the proxy server by using the squidclient program.

IMP RHCE

RHCE (Red Hat Certified Engineer)

You have a system with Red Hat Enterprise Linux installed. The system must be configured with a set of locally-defined administrators and bound to an NIS domain (RHCE) for additional user accounts. Your machine will be a member of the DNS domain example.com. All the systems in the example.com DNS domain are in the 172.16.0.0/16 subnet & all systems in that subnet are in example.com.
Your system will be rebooted before it is graded, so make sure that all changes you implement are persistent across reboots. You should also be aware that the scoring items will be evaluated by whether they work as specified. Consequently, a correctly configured networking service will earn no points if networking itself is broken.
If your hostname is station1.example.com then you can log in to this system with the username guest1 & the password password. You will not be able to log in successfully to any other account on that system.
The requirements for this section include configuration of security restrictions on various network services. You should be aware that making the services available to permitted hosts & networks is a higher priority than restricting any prohibited networks, because you will not receive credit for successful configuration of services if the implemented restrictions block access to permitted hosts & networks. If you choose to use kernel level firewalling, you must REJECT rather than DROP unwanted packets.
Be aware that you are not permitted to communicate with other examinees during the course of this exam. You are also prohibited from connecting to the hosts of other examinees. The testing system and the network will be monitored, & misuse of either will result in a grade of zero on this section.
Your distribution is available via YUM:
http://172.16.0.254/rhel5/Server
SELinux & firewall must be enabled. Default gateway is 172.16.0.254/16.
You will note that some requirements specify that a service should not be available from the DNS domain my133t.org. All the systems in that domain are in the 172.17.0.0/16 subnet.
RHCT SECTION


1. Set the root password as rW9ySX. Install the dialog RPM package.
2. Create the following users, groups & group memberships:
a. A group named admin
b. A user andrew who belongs to admin as a secondary group
c. A user brad who also belongs to admin as a secondary group
d. A user smith who does not have access to an interactive shell on the system, & who is not a member of admin
e. andrew, brad & smith should all have the password passwd.
3. Create a collaborative directory /shared/sysusers with the following characteristics:
a. Group ownership of /shared/sysusers is admin
b. The directory should be readable, writable & accessible to members of admin, but not to any other user.
c. Files created in /shared/sysusers automatically have group ownership set to the sysusers group
4. Install the appropriate kernel update from ftp://server.example.com/pub/updates. The following criteria must also be met:
a. The older kernel is the default kernel when the system is rebooted
b. The original kernel remains available & bootable on the system
5. Enable IP forwarding on your machine.
6. Set up the default print queue to forward jobs to the IPP print queue stationx on server.example.com, where x is your station number. Configure the printer as a "Generic - text-only" print queue.
Note: the queue stationx on the server dumps print jobs into the file http://server/printers/stationx. This file can be examined to confirm that you have configured the print queue correctly.
7. The user andrew must have a cron job configured that runs daily at 15:25 local time & executes /bin/echo hello at terminal 8.
8. Bind to the NIS domain example.com provided by 172.16.0.254 for user authentication. Note the following:
a. nisuserz should be able to log into your system, where z is your station number, but will not have a home directory until you have completed the autofs requirement below
b. All NIS users have a password of passwd.
c. server.example.com NFS-exports /rhome to your system
d. nisuserz's home directory is server.example.com:/rhome/nisuserz where z is your station number.
e. nisuserz's home directory should be automounted locally beneath /rhome as /rhome/nisuserz.
f. While you are able to log in as any of the users nisuser1 through nisuser10, the only home directory that is accessible from your system is nisuserz.
9. Configure your system so that it is an NTP client of server.example.com.
10. One logical volume LogVol00 is created under GrpVol00. The initial size of this logical volume is 350MB. Successfully extend it to 650MB (the range considered acceptable is 570MB to 630MB).
11. One partition is mounted under /quota. User brad has full access to this directory. When he tried
dd if=/dev/zero of=/quota/somefile bs=1k count=60
he successfully created the file. When he then tried
dd if=/dev/zero of=/quota/somefile bs=1k count=85
he successfully created the file up to 80KB.

RHCE SECTION


1. Configure SSH access as follows:
a. andrew has remote SSH access to your machine from within example.com
b. Clients within my133t.org should NOT have access to ssh on your system.
2. Configure FTP access on your system:
a. Clients within the example.com domain should have anonymous FTP access to your machine.
b. Clients outside example.com should NOT have access to your FTP service
3. Share the /shared directory via SMB:
a. Your SMB server must be a member of the SMBGROUP workgroup
b. The share's name must be shared
c. The shared share must be available to example.com domain clients only
d. The shared share must be browseable
e. brad must have read access to the share, authenticating with the same password password, if necessary
4. Implement a web server for the site http://stationx.example.com. Then perform the following steps:
a. Download ftp://server.example.com/pub/rhce/station.html
b. Rename the downloaded file to index.html
c. Copy this index.html to the DocumentRoot of your web server
d. Do not make any modifications to the contents of index.html
e. Download ftp://server.example.com/pub/rhce/www.html & rename the file to index.html at DocumentRoot /var/www/virtual
f. Extend your web server to include a virtual host for the site http://stationxx.example.com; both sites are mapped to one IP.
g. The site http://stationx.example.com is accessible only in example.com
5. Configure SMTP mail service according to the following requirements:
a. Your mail server should accept mail from remote hosts & localhost
b. Brad must be able to receive mail from remote hosts
c. Mail delivered to brad should spool into the default mail spool for brad, /var/spool/mail/susan.
d. Configure an email alias for your MTA such that mail sent to acctmgr is received by the local user andrew.
6. Configure POP3 email on your system according to these criteria:
a. brad must be able to retrieve email from your machine using POP3 from within example.com
b. Clients within the my133t.org domain should not have access to your POP3 service.
ADDITIONAL RHCE REQUIREMENTS:
1. Implement a web proxy server bound to port 8080. Clients within example.com should have access to your proxy server. Clients outside of example.com should not have access to your proxy server.
2. Export the /shared directory only within example.com.

BEST OF LUCK
