Class Notes, Negus: Fedora Linux Toolbox (1000+ Commands for Fedora, CentOS, & Red Hat Power Users)

Notes from
Fedora Linux Toolbox: 1000+ Commands for Fedora, CentOS, & Red Hat Power Users
Christopher Negus 978-0470082911
last modification: 9/8/15
http://www.amazon.com/Fedora-Linux-Toolbox-CommandsCentOS/dp/0470082917/ref=sr_1_cc_1?ie=UTF8&qid=1283381024&sr=1-1-catcorr
Ch1: Starting with Fedora Linux
About:
Fedora (http://fedoraproject.org)
CentOS (www.centos.org)
Yellow Dog Linux (www.yellowdoglinux.com)
Backtrack http://www.backtrack-linux.org/
DistroWatch (http://distrowatch.com/dwres.php?resource=independence).
Linux Timeline: http://files.cyberciti.biz/uploads/tips/2007/06/44218-linuxdistrotimeline-7.2.png
Comparing
Fedora is the rapid-development, cutting-edge Linux system (the community counterpart of Red Hat Enterprise Linux; CentOS is a rebuild of RHEL)
Novell SUSE uses the same basic dual-distribution model (community openSUSE, enterprise SLES)
Debian is a high-quality, conservatively released Linux distribution
Many derivative distributions, e.g. Ubuntu Linux and the KNOPPIX live CD, are based on Debian.
Why command line?
GUIs are meant to be easy & intuitive
Almost any time something goes wrong
Remote systems administration
Features not supported by GUI
GUI is broken or not installed
Finding Commands
bash: anycommand: command not found
why?:
You mistyped the command name.
anycommand is not in your PATH.
Might need to be the root user for the command to be in your PATH.
anycommand not installed on your computer.
Command -- Description
type mount -- show the first mount command in PATH
whereis mount -- show binary, source, and man pages for mount
locate bash.ps -- find bash.ps anywhere in the file system (searches the updatedb database, so files newer than the last updatedb run are missed)
which umount -- find the umount command anywhere in your PATH or aliases
rpm -qal | grep umount -- find umount in any installed package
yum whatprovides bzfs -- find out which package provides some feature or file
yum search somestring -- find any packages matching in the description, summary & package fields
Command Reference Info
-h or --help
ls --help | less
apropos crontab
whatis cat
man find
info ls
Other Notes
Installing Kali version 1.0.4 (Backtrack 6 ish)
I had display resolution problems after I did all of this, so it is a work in progress 
1. Download the correct iso from here: http://www.kali.org/downloads/
2. Open vmware (fusion or workstation)
3. Install kali from iso
I left most stuff at the default install setting except I bumped RAM to 1024
Before you do anything else copy the vmware file to a backup if possible.
4. Log in as root
5. Open terminal
6. apt-get update --fix-missing
7. apt-get install kde-plasma-desktop (from here)
I deviated from the video and set the display manager to kdm
Other instructions can be found here
8. apt-get install yakuake
Up to here it seems to work
9. apt-get install open-vm-tools (from here)
Ended up with 9GB used out of the 20GB I allocated to it
Ch2: Installing and Adding software
USB flash:
Get diskboot.img from one of the online mirrors, then write it to the USB stick (here read from the mounted CD):
dd if=/media/cdrom/diskboot.img of=/dev/sdX
(replace /dev/sdX with the USB stick's device; check with fdisk -l first, because dd to the wrong disk, e.g. the system disk /dev/sda, overwrites it with no confirmation)
Choosing how install proceeds:
boot: linux text
Other boot options (p17 -- 10%):
Boot Prompt HOWTO (www.tldp.org/HOWTO/BootPrompt-HOWTO.html)
nodmraid -- skip software RAID (dmraid) detection
noprobe -- skip hardware probing
selinux=0 -- boot with SELinux disabled (only for troubleshooting; leave it enforcing on a finished system)
Installation screens (p18 -- 11%)
Test media, Language, Keyboard, Install or upgrade, Disk partitions, boot loader, network, time zone, root
password, software packages, reboot
yum:
repos (p21 -- 12%)
yum list
yum info wordpress
yum search mp3
yum whatprovides ogg123
yum install wordpress
yum groupinstall XFCE
yum update
yum
yum --disablerepo=livna search yum-utils
yum --enablerepo=livna install mplayer
yum --exclude=somepackage update
http://www.xades.com/proj/fedora_repos.html
rpm:
(14%)
rpm -ivh some.rpm -- install
rpm -Uvh some.rpm -- upgrade (installs if not present)
rpm -e badpackage -- erase
rpm -q or -qa or -ql somepackage, or rpm -qa | grep ogg -- query installed packages
rpm -qi somepackage or -ql somepackage or -qlp some.rpm -- info, file list, file list of a package file
rpm -K some.rpm (rpm --checksig) -- check the GPG signature and digests of a package file before installing it
rpm -V somepackage -- verify installed files against the rpm database (changed size, checksum, permissions, owner); the first thing to run on a box you suspect has been tampered with
Ch 3: Using the shell
Setup:
To get use of the function keys in your virtual machine on a Macbook: in the virtual machine’s settings under
keyboard & mouse set Mac Profile
Basic use:
gnome-terminal -x alsamixer -- start terminal with alsamixer displayed
xterm
konsole
yakuake
Virtual Terminals
Ctrl-Alt-F1 to F6
ps
ps a
ps au
/etc/inittab & upstart
ps ax
ps aw
bash history
history
history 5
!! (rerun previous command)
Ctrl-r to search for string in history
Command line completion
tracer<Tab> Command completion: Completes to traceroute command
cd /home/ch<Tab> File completion: Completes to /home/chris directory
cd ~jo<Tab> User homedir completion: Completes to /home/john
echo $PA<Tab> Env variable completion: Completes to $PATH
Redirecting stdin, stdout, stderr
ls /tmp /tmpp
ls /tmp /tmmp > output.txt
ls /tmp /tmmp 2> errors.txt
ls /tmp /tmmp 2> errors.txt > output.txt
ls /tmp >> output.txt
ls /tmp 2> /dev/null
mail chris < /etc/hosts
ls /tmp | sort
ls /tmp/ /tmmp 2> /dev/null | sort
rpm -qa | grep -i sql | wc -l
Using backticks, you can execute one section of a command line first and feed the output of that
command to the rest of the command line ($(...) does the same and nests more cleanly). Examples:
rpm -qf `which ps`
ls -l `which traceroute`
Misc
pwd, whoami
Using alias
~/.bashrc or /etc/bashrc
alias ll="ls -lh"
alias la="ls -lah"
alias cl="cd /var/log"
alias ct="cd /usr/local/tomcat"
Others
.bashrc
watch cat /proc/loadavg
su
su bob
sudo & /etc/sudoers (root ALL=(ALL) ALL); edit it with visudo, which syntax-checks the file so a typo cannot lock you out of sudo
Environment variables
export PS1='\e[1A\e[s\e[H\e[37;41;1m\e[K \e[1C\u@\h \e[5C \w \e[5C \d \e[5C [\A] \e[0m\e[u\n--> '
PS1, PS2, PS3, PS4
set & env
export ABC=123
export PATH=$PATH:/home/fcaen
NEVER put . (the current directory) in your PATH: a file named like a common command (ls, cat) dropped into a world-writable directory would run the moment you cd there and type the command
Simple shell scripts
debugging
http://tldp.org/LDP/Bash-Beginners-Guide/html/sect_02_03.html
java scripts
DailyQuote (~/java & ~/Dropbox/Ike/4361/Examples
/etc/crontab
/etc/cron.daily/newquote
myscript.sh
chmod u+x myscript.sh also talk about file permissions (table 4.1 22% loc 830)
#!/bin/bash
MYSTRING=abc
if [ $MYSTRING = abc ] ; then
echo "The variable is abc"
fi
To negate the condition
MYSTRING=abcd
if [ $MYSTRING != abc ] ; then
echo "The variable is not abc"
fi
Examples testing for numbers
MYNUMBER=1
if [ $MYNUMBER -eq 1 ] ; then echo "MYNUMBER equals 1"; fi
if [ $MYNUMBER -lt 2 ] ; then echo "MYNUMBER less than 2"; fi
if [ $MYNUMBER -le 1 ] ; then echo "MYNUMBER less than or equal to 1"; fi
if [ $MYNUMBER -gt 0 ] ; then echo "MYNUMBER greater than 0"; fi
if [ $MYNUMBER -ge 1 ] ; then echo "MYNUMBER greater than or equal 1"; fi
Testing File names
filename=$HOME
if [ -e $filename ] ; then echo "$filename exists"; fi
if [ -f "$filename" ] ; then
echo "$filename is a regular file"
elif [ -d "$filename" ] ; then
echo "$filename is a directory"
else
echo "I have no idea what $filename is"
fi
Other file test operators (table 3.1 p46 20% loc 728)
case “$VAR” in
string1)
{ action1 };;
string2)
{ action2 };;
*)
{ default action } ;;
esac
for NUMBER in 0 1 2 3 4 5 6 7 8 9
do
echo The number is $NUMBER
done
for FILE in *; do echo "$FILE"; done
(glob instead of `/bin/ls` in backticks: parsing ls output breaks on names containing spaces)
x=1
while [ $x -le 5 ]
do
echo "Welcome $x times"
x=$(( $x + 1 ))
done
VAR=0
until [ $VAR -eq 3 ]; do echo $VAR; VAR=$(( VAR + 1 )); done
($(( )) is the POSIX form; the older bash-only $[ ] is deprecated)
--------------
#!/bin/bash
# simple script to show command line args and if test
echo $0
echo $1
echo $2
if [ "$1" ]; then
echo string not empty
else
echo string empty
fi
Debugging
bash -x myscript.sh
Debugging on part(s) of the script:
set -x    # activate debugging from here
w
set +x    # stop debugging from here
and yes it is weird that it is backwards: - is on, + is off
The Bash Guide for Beginners http://tldp.org/LDP/Bash-Beginners-Guide/html/index.html
& man bash
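The tests above are written unquoted, which is how most beginner scripts break. The following is an added example, not from the book or these notes, showing the same string, number and file tests in a form that survives empty values and spaces; the function names (safe_str_eq, is_number, classify, describe_path) are this example's own.

```shell
#!/bin/sh
# Added example, not from the book or these notes: the string, number and file
# tests shown above, rewritten so they survive empty values and spaces.  The
# function names (safe_str_eq, is_number, classify, describe_path) are this
# example's own.

# The notes write  if [ $MYSTRING = abc ] .  With MYSTRING empty that expands
# to  [ = abc ]  (a syntax error) and with MYSTRING='a b' to  [ a b = abc ]
# (also an error).  Quoting the expansion fixes both.
safe_str_eq() {           # safe_str_eq <value> <expected>
    [ "$1" = "$2" ]
}

# [ "$X" -eq 1 ] aborts with "integer expression expected" when X is not a
# number, so check the shape first.  A case pattern needs no external command.
is_number() {             # true for one or more decimal digits
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Classify one command-line argument the way the notes' if/elif chain does.
# Prints exactly one word: empty, zero, positive, abc or string.
classify() {
    if [ -z "$1" ]; then
        echo empty
    elif is_number "$1"; then
        # arithmetic comparison is safe now that the value is known numeric
        if [ "$1" -gt 0 ]; then echo positive; else echo zero; fi
    elif safe_str_eq "$1" abc; then
        echo abc
    else
        echo string
    fi
}

# The notes test [ -e $filename ] unquoted: a path with a space breaks it.
# Quote it, and check -L before -d/-f so a symlink to a directory is reported
# as a link (security checks that silently follow links are a classic mistake).
describe_path() {         # prints symlink, directory, file, other or missing
    if   [ -L "$1" ]; then echo symlink
    elif [ -d "$1" ]; then echo directory
    elif [ -f "$1" ]; then echo file
    elif [ -e "$1" ]; then echo other
    else                   echo missing
    fi
}

# Demonstration
for arg in '' 42 0 abc 'a b'; do
    printf "'%s' -> %s\n" "$arg" "$(classify "$arg")"
done
```

Run it with sh or bash; the unquoted originals can be pasted in beside it to see the "unary operator expected" errors they produce on an empty value.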
DrJohn other useful things:
yakuake
fuse rpms
encfs ~/.data ~/data
sshfs bob@jrdoffice:/home/bob/Ike /Gandalf/RemoteSites/Ike
sudo mount -t cifs '//Ariel/Easy' ~/Easy -o credentials=/Gandalf/configs/.what,uid=500,gid=500
(the credentials file holds the password in clear text; keep it mode 600 and owned by root)
subnet scans
sudo ping -b 10.0.1.255 -- broadcast ping: target the broadcast address of the subnet (10.0.1.255 for 10.0.1.0/24), not the network address, and expect most modern hosts to ignore it
sudo nmap -v 10.0.1.0/16 -- sweeps all 65,536 addresses of the /16; use /24 for a single subnet, and only scan networks you are authorised to test
Ch 4: Working with Files
Everything in a Linux file system can be viewed as a file (data files, directories, devices, pipes, etc)
Regular files: (20% loc 764)
file somefilename --determine type of file
touch /home/bob/newfile.ext -- create blank file
> /home/bob/newfile.txt -- create blank file
ls -l /usr/bin/apropos
file /usr/bin/whatis
file /bin/ls
directories
mkdir
the x (execute) permission must be set on a directory or users cannot enter it (cd into it) or reach anything under it
umask
umask -S
(23% loc 852)
Symbolic & Hard Links
ln -s /path/somefile.txt /newpath/symlink.txt
symbolic link: own set of permissions, can point across partitions, new inode number
ln /path/file.txt /newpath/hardlink.txt
hard link: same permissions, cannot cross partitions, same inode number
ls -li -- show all info and inode numbers
symlinks ./ -- show all symbolic links in current dir
symlinks -r ./ -- recursive
symlinks -rv ./ -- recursive and verbose
device files overview only (21% loc 800)
named pipes & sockets overview only (22% loc 807)
Permissions (Table 4.1 22% loc 830)
421421421 -- rwxrwxrwx -- user group other
command        original       new
chmod 0700     any            rwx------
chmod 0711     any            rwx--x--x
chmod go+r     rwx------      rwxr--r--
chmod 0777     any            rwxrwxrwx
chmod a=rwx    any            rwxrwxrwx
chmod a+rwx    any            rwxrwxrwx
chmod -R 700   recursive
first 0 in all above = the special bits: set-UID = 4, set-GID = 2, sticky = 1
set-UID is ignored on shell scripts (the Linux kernel honours it only on binaries), so a setuid script gives no extra privilege
File attributes (only on ext2, ext3, ext4 file systems; 24% loc 900):
lsattr, chattr -- a (append only), c (compressed), d (no dump), i (immutable), j (data journaling), s (secure deletion), t (no tail merging), u (undeletable), A (no atime updates), D (synchronous directory updates), S (synchronous updates), T (top of directory hierarchy)
chattr +A somefile
good to check the attributes once in a while for security purposes: +i and +a are used to protect logs and configs, but an intruder can set +i on a replaced binary so that rpm -V or yum cannot repair it; lsattr -R on the system directories shows them
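An added example, not from the book or these notes, that turns the table above into a check a practitioner would actually run: it walks a directory tree with find and reports set-UID/set-GID files, world-writable files and directories (ignoring sticky directories like /tmp), and the worst case of a set-UID file that anyone can rewrite. The function names (audit_perms, make_demo_tree, count_kind) and the constructed demo tree are this example's own.

```shell
#!/bin/sh
# Added example, not from the book or these notes: an audit of the permission
# bits in the table above.  The function names (audit_perms, make_demo_tree,
# count_kind) and the demo tree are this example's own.
#
# Bits worth hunting for on a real system:
#   4000 set-UID / 2000 set-GID : the program runs with the owner's or group's rights
#   0002 world-writable         : anyone can replace the content (or plant a file)
#   1000 sticky on a directory  : only an entry's owner may delete it (as on /tmp)
# On a real box run  audit_perms /  and diff the report against a known-good copy.

# One line per finding, "<kind> <path>", sorted so two runs can be diffed.
audit_perms() {
    dir=$1
    {
        # set-UID or set-GID regular files
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print | sed 's/^/setid /'
        # world-writable files and directories, except sticky directories
        find "$dir" \( -type f -o -type d \) -perm -0002 ! \( -type d -perm -1000 \) -print \
            | sed 's/^/world-writable /'
        # the worst case: a set-UID file that anyone can rewrite
        find "$dir" -type f -perm -4002 -print | sed 's/^/writable-setuid /'
    } | sort
}

# Build a constructed tree that exercises each rule.
make_demo_tree() {
    root=$1
    mkdir -p "$root/bin" "$root/tmp" "$root/shared"
    : > "$root/bin/helper";   chmod 4755 "$root/bin/helper"     # set-UID
    : > "$root/bin/report";   chmod 2755 "$root/bin/report"     # set-GID
    : > "$root/bin/bad";      chmod 4777 "$root/bin/bad"        # set-UID and world-writable
    : > "$root/shared/notes"; chmod 0666 "$root/shared/notes"   # world-writable file
    chmod 0777 "$root/shared"                                   # world-writable dir
    chmod 1777 "$root/tmp"                                      # sticky: not reported
}

# Number of findings of one kind in an audit report.
count_kind() {            # count_kind "<report>" setid
    printf '%s\n' "$1" | grep -c "^$2 "
}

# Demonstration: build the tree, audit it, clean up.
demo=$(mktemp -d)
make_demo_tree "$demo"
audit_perms "$demo"
rm -rf "$demo"
```

The three find expressions are deliberately separate rather than one big -o chain so each rule can be read and tested on its own; on a large tree combine them into a single find with -printf if speed matters.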
Ownership
chown bob test/ -- change the owner of test/ to bob
chown bob:bob test/ -- change owner and group
chown -R bob somedir -- recursive (never run this against /: it would hand every system file to bob)
traversing file system
cd or cd ~ -- change to user home directory
cd - -- change to previous directory
cd /tmp -- change to tmp off of root
cd tmp -- change to tmp off of current dir
cd .. -- change to parent dir
Copying files
cp -a /var/www/html /backupdisk -- archive mode: recursive, preserving ownership, permissions, timestamps and links
cp -R /var/www/html /backupdisk -- recursive only
backup methods
dd (24% loc 879)
as root:
dd if=/dev/sdg bs=512 count=1 of=$BACKUPDIR/sdg_MBR -- first sector: boot code plus the MBR partition table
/sbin/fdisk -l /dev/sdg > $BACKUPDIR/sdg_partition_table.txt -- human-readable copy of the partition table (sfdisk -d, Ch 7, gives a restorable one)
Searching for files (25% loc 917)
updatedb -- rebuild the locate database
/etc/updatedb.conf
locate, locate -i (case-insensitive), locate -r (regular expression)
which
find / -name e100
(25% loc 925)
Other options for files (26% loc 955)
ls -l, ls -la, ls -t, ls -i
alias ll="ls -lh"
alias la="ls -lah"
alias cl="cd /var/log"
etc
md5sum someFile.txt (26% loc 964)
sha1sum someFile.txt
sha1sum -c SHA1SUM.txt -- check files against a list of hashes
(MD5 and SHA-1 are no longer collision-resistant; use sha256sum and sha256sum -c for anything that matters)
lsof -- list open files
filelight -- disk usage
tripwire -- file integrity checker: records hashes and permissions of files and reports later changes
Ch 5: Manipulating Text
Regular Expressions
a* -- zero or more a's (so as a search pattern on its own it matches every line)
. -- any single character: a.c matches abc adc aqc
[] -- matches a single character in the brackets: a[bcd]e matches abe ace ade
[^ ] -- matches a single character not in the brackets: a[^bc]e matches aqe ade
^a -- a at the beginning of a line
a$ -- a at the end of a line
a.c -- three-character string starting with a and ending with c
[bcf]at -- bat, cat, or fat
[a-d]at -- aat, bat, cat, dat
[A-D]at -- Aat, Bat, Cat, Dat
1[3-5]7 -- 137, 147, 157
\tHello -- a tab character preceding the word Hello (\t is understood by sed, awk and grep -P, not by basic grep)
\.[tT][xX][Tt] -- .txt, .Txt, .TXt ... (the backslash makes the dot literal)
http://en.wikipedia.org/wiki/Regular_expression
Editing text files
vi, vim (http://vimdoc.sourceforge.net), joe, emacs, pico, nano
Listing text files
cat myfile.txt
cat myfile.txt > newcopy.txt
cat myfile.txt >> append.txt
cat -s myfile.txt display consecutive blank lines as one
cat -n myfile.txt show numbers on lines
cat -b myfile.txt show numbers on non blank lines
head myfile
cat myfile | head
head -n 10 myfile
ps auxw | head -10
tail myfile
tail -n 25 myfile
tail -f /var/log/httpd/access_log
watch web server log continuously
more myfile.txt
less myfile.txt
/bob -- search for a string (bob) in a file
/ (or n) -- repeat search
pr -- quick text formatting tool
rpm -qa | sort | pr --columns=2 | less
Searching for text
grep francois myfile.txt
grep 404 /var/log/httpd/access_log
ps auwx | grep init
ps auwx | grep '\[.*\]' -- kernel threads show their name in brackets
grep -Rn xdg /etc -- search the directory tree, with line numbers in the result
Sorting output
rpm -qa | grep kernel | sort
rpm -qa | grep kernel | sort -r -- reverse order
ps auxw | sort -k 4,4 -- sort on column 4 (%MEM)
ps auxw | sort -k 2,2n -- numeric sort on column 2 (PID)
Replacing text with sed
cat myfile.txt | sed s/christopher/chris/
sed s/christopher/chris/ < myfile.txt > newmyfile.txt
Checking for differences between files with diff
diff /etc/named.conf.rpmnew /etc/named.conf
diff -u f1.txt f2.txt -- unified format; adds modification dates and times to the output
seq 1 15 > f1.txt
sed s/4/four/ < f1.txt > f2.txt
vimdiff f1.txt f2.txt -- opens files side by side in vim
Using awk to process columns
ps auxw | awk '{print $1, $11}' -- only show columns 1 & 11 (the comma inserts a separator; $1 $11 would run them together)
ps auxw | awk '/bob/ {print $1, $11}' -- show bob's processes
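Added example, not from the book or these notes: the grep, sort, sed and awk pipelines from this chapter applied to a few constructed Apache access_log lines (made-up IPs from the documentation ranges and made-up paths). The function names are this example's own. It shows why anchoring on the status field beats the notes' `grep 404`, which also matches a 404 inside a URL or a byte count.

```shell
#!/bin/sh
# Added example, not from the book or these notes: the grep / sort / sed / awk
# pipelines above, applied to constructed Apache access_log lines.  The log
# lines, IPs, paths and function names are made up for this example.

SAMPLE_LOG='192.0.2.10 - - [01/Oct/2008:17:08:41 -0500] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [01/Oct/2008:17:08:42 -0500] "GET /admin.php HTTP/1.1" 404 312
198.51.100.7 - - [01/Oct/2008:17:08:43 -0500] "GET /wp-login.php HTTP/1.1" 404 312
198.51.100.7 - - [01/Oct/2008:17:08:44 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 312
198.51.100.7 - - [01/Oct/2008:17:08:45 -0500] "GET /../../etc/passwd HTTP/1.1" 400 0
203.0.113.5 - - [01/Oct/2008:17:09:01 -0500] "POST /login HTTP/1.1" 200 88'

# "grep 404 access_log" (from the notes) also matches a 404 inside a URL or a
# byte count.  Field 9 of the common log format is the status, so test that.
count_status() {          # count_status <status>  -> number of matching lines
    printf '%s\n' "$SAMPLE_LOG" | awk -v s="$1" '$9 == s' | wc -l | tr -d ' '
}

# 404s per client IP, most first: the "who is probing for admin pages" view.
# Output lines are "<count> <ip>".
top_404_clients() {
    printf '%s\n' "$SAMPLE_LOG" | awk '$9 == 404 {print $1}' | sort | uniq -c \
        | sort -rn | awk '{print $1, $2}'
}

# sed: the notes rewrite a name; here the client IP is rewritten so a log can
# be shared.  Only the first field is touched, so IPs inside URLs stay intact.
anonymise_ips() {
    printf '%s\n' "$SAMPLE_LOG" | sed 's/^[^ ]*/x.x.x.x/'
}

# Requests whose path contains ".." (directory traversal attempts).  The regex
# is confined to the quoted request field, so a ".." elsewhere does not match.
traversal_attempts() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c '"[A-Z]* [^"]*\.\.[^"]*"'
}

# Demonstration
echo "404s: $(count_status 404)"
top_404_clients
anonymise_ips
echo "traversal attempts: $(traversal_attempts)"
```

On a real log replace the printf of SAMPLE_LOG with `cat /var/log/httpd/access_log`; everything after the first pipe stays the same.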
Converting text files to different Formats
unix2dos < f1.txt > f2.txt
dos2unix < f2.txt > f1.txt
Other
http://upstart.ubuntu.com/
http://upstart.ubuntu.com/wiki/UpstartOnFedora?highlight=((CategoryDistributions))
Book Excerpt: A Practical Guide to Fedora and Red Hat Enterprise Linux
Ch 6: Multimedia
To split avi (or other video) files: Online Documentation
ffmpeg -ss 01:09:12 -t 01:15:23 -i Family-19970512-19971225.avi ./19970702.avi
(-ss is the start position; -t is a duration, not an end time)
To join avi (or other video) files: Online Documentation
mencoder -ovc copy -oac copy -o 19950326-BelindaTap.avi 19950326-BelindaTap-1.avi \
19950326-BelindaTap-2.avi
To convert between types of video (do not use on DRM files!)
transcode -y xvid -Z 720 -b 224 -i VTS_03_1.VOB -o newfile.avi
transcode -y xvid -Z 720 -b 224 -i oldfile.mpg -o newfile.avi
works ok but you lose 5.1 surround
Handbrake
Brief Audio tools
play -h
play somesong.wav
play hi.au vol .6
ogg123 mysong.ogg
ogg123 -z *.ogg -- play in random order
ogg123 -Z *.ogg -- play in random order forever
ogg123 /home/bob/music -- play music in music and subdirectories
mpg321 mysong.mp3
mpg321 -@ myplaylist
alsamixer
alsamixergui
cdparanoia -vsQ -- is CD drive capable of ripping music
cdparanoia -B -- rip tracks as wav files by track name
cdparanoia -B -- "5-7" -- rip tracks 5, 6, 7 as separate files
oggenc mysong.wav -- encodes mysong from wav to ogg
oggenc ab.flac -o ab.ogg -- encodes flac to ogg
oggenc song.wav -q 9 -- raises quality level from default of 3 to 9
oggenc song.wav -o song.ogg -a Bernstein -G Classical -d 06/05/1972 -t "Simple Song" \
-l "Album Name" -c info="From Kennedy Center"
sox, the Swiss army knife of audio manipulation (Online Documentation)
sox head.wav tail.wav output.wav -- concatenate two wav files
sox sound1.wav -n stat -- display information about the file
Ch 7: Administering File Systems
Basic File system partitions (three basic types)
swap, boot, root
ext3 == ext2 + journaling
linux supports ext4, ext3, ext2, iso9660, jffs2, jfs, msdos, ntfs, squashfs, swap, ufs, vfat, xfs
others: nfs, sshfs, encfs, cifs & more (FUSE)
Partitioning:
install: used to be called Disk Druid
fdisk or parted
fdisk
/sbin/fdisk -l -- shows all partitions
(After Fedora 7 all IDE, SCSI, & SATA use /dev/sd..)
(newer Fedoras use the UUID: see the /etc/fstab file & /dev/disk)
/sbin/fdisk -l /dev/sda
/sbin/fdisk /dev/sda -- work on a particular disc
m -- gets command listing
n -- new partition (gets partition type 83 "Linux" unless told otherwise; the file system itself is created later with mkfs)
d -- delete partition
w -- write changed info to disc (BE CAREFUL!)
parted
newer, more functionality
GUI: gparted or qtparted
sudo /sbin/parted -l /dev/sda
Model: ATA ST31000340AS (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start   End    Size   Type     File system  Flags
 1      32.3kB  215GB  215GB  primary  ext3         boot
 2      215GB   429GB  215GB  primary  ext3
changes immediately written to disk!
man parted shows brief listing
info parted much more complete
in parted session help shows commands, mkpart creates new partition
both following will usually destroy file systems!
resize 2 -- will resize linux partitions (#2)
use the ntfsresize command to resize ntfs partitions
ntfsinfo
Both tools above only change the partition table; they do not format the partition
mkfs -t ext3 /dev/sda1
mkfs -t ext3 -v -c /dev/sda1 -- more verbose output and check for bad blocks
mkfs -t ntfs /dev/sda2
-- always put -t filesystemtype first
Working with existing partitions
Backup / Restore
sudo /sbin/sfdisk -d /dev/sda
# partition table of /dev/sda
unit: sectors

/dev/sda1 : start=       63, size=419424957, Id=83, bootable
/dev/sda2 : start=419425020, size=419425020, Id=83
/dev/sda3 : start=        0, size=        0, Id= 0
/dev/sda4 : start=        0, size=        0, Id= 0
-- the -d option above formats output for later restoration
/sbin/sfdisk /dev/sda < sda-part-table -- restore
/sbin/sfdisk -d /dev/sda | /sbin/sfdisk /dev/sdb -- copy the partition table to a new disk
Changing partition label
sudo /sbin/e2label /dev/sda1 -- yields /
sudo /sbin/e2label /dev/sda2 -- yields /1
/sbin/e2label /dev/sda2 newlabel -- set the label
Virtual File System
portable, liveCD, virtual OS
dd if=/dev/zero of=mydisk count=2048000
du -sh mydisk & df -h (see below for more on both)
1001M mydisk
/sbin/mkfs -t ext3 mydisk -- lots of info output
mkdir test
sudo mount -o loop mydisk test
mount
/home/bob/mydisk on /home/bob/test type ext3 (rw,loop=/dev/loop0)
Viewing & Changing file system attributes
sudo /sbin/tune2fs -l /dev/sda1 (or dumpe2fs) -- lots of information
man tune2fs
-c set maximal mount count before fsck
-j turn ext2 fs into ext3 by adding journaling
swap partitions
mkswap /dev/sda3
virtual partition as swap
dd if=/dev/zero of=/tmp/swapfile count=65536
chmod 600 /tmp/swapfile -- swap holds pages of every user's memory, so the file must not be world-readable
mkswap /tmp/swapfile
swapon /tmp/swapfile
swapoff /tmp/swapfile
swapon -s -- list active swap
Mounting filesystems
/etc/fstab
device             mountpoint       type    options            dump checkorder
LABEL=/            /                ext3    defaults           1 1
devpts             /dev/pts         devpts  gid=5,mode=620     0 0
sysfs              /sys             sysfs   defaults           0 0
proc               /proc            proc    defaults           0 0
LABEL=SWAP-sdc1    swap             swap    defaults           0 0
/dev/sdf1          /Gandalf/WinXP   ntfs    defaults           0 0
(options column = what mount -o takes; devpts, sysfs and proc are pseudo filesystems)
mount -o options
mount, mount -t ext3, mount | sort, mount -l (labels)
mount -t ext3 /dev/sda1 /Gandalf/Belinda -o <options from the list below>
ro, rw, uid=xxx, gid=xxx, noexec, nosuid, nodev (noexec,nosuid,nodev together are the usual hardening set for /tmp and removable media)
--bind (new additional location), --move
mount -v -o loop -t iso9660 diskboot.img ~/diskimg
mount -v -o loop local.iso ~/imgdir
/sbin/losetup -a -- show loopback device status
Unmounting filesystems
umount -v /dev/sda1
umount -v /Gandalf/Belinda
device is busy -> /usr/sbin/lsof | grep mountpoint (or fuser -mv mountpoint) to see who holds it open
Checking file systems badblocks & fsck
/sbin/badblocks -v /dev/sdc1 -- read-only test
/sbin/badblocks -vsn /dev/sdc1 -- non-destructive read-write test (slowest)
/sbin/badblocks -vsw /dev/sdc1 -- faster destructive read-write test
fsck /dev/sda1
/sbin/fsck -TV /dev/sda1 -- do not display fsck version and be verbose
/sbin/fsck -TVy /dev/sda1 -- yes to all "do I fix" questions
(unmount first, or mount read-only: fsck on a file system mounted read-write can corrupt it)
File system use
df -h -- usage summary in human readable mode
df -hi -- inode use also
df -hl -- only display local file systems
df -hT -- show file system type also
du -h /home/bob -- disk use of my home directory
du -h /home -- must be root
du -sh / -- summarize results
du -sch /home /data /usr/local -- multiple dirs
du -sh --exclude='*.iso' /home/bob -- exclude iso files from results & summarize
Ch 8: Backups & Removable Media
tape archive: tar
[-]A  --catenate --concatenate
[-]c  --create
[-]d  --diff --compare
[-]r  --append
[-]t  --list
[-]u  --update
[-]x  --extract --get
-j    compress using bzip2
-z    compress using gzip
-v    verbose output
tar cf - *.txt | gzip -c > myfiles.tar.gz -- make tar archive then gzip it
tar czvf myfiles.tar.gz *.txt -- same thing
gunzip -c myfiles.tar.gz | tar xf - -- unzip to stdout, then extract (plain gunzip writes a file, not to the pipe)
gunzip myfiles.tar.gz ; tar xf myfiles.tar
tar xzvf myfiles.tar.gz
tar tvf myfiles.tar -- list files in archive
tar -tzvf myfiles.tgz -- list files in gzip compressed archive
tar -Af archive1.tar archive2.tar -- adds archive2 to archive1
tar --delete -f myfiles.tar file1.txt -- deletes file from archive
(list an archive from an untrusted source with tvf before extracting it: member names starting with / or containing .. can write outside the target directory; GNU tar strips the leading / by default)
compression tools
lzop, gzip, bzip2 -- in order from fastest / least compression to slowest / best compression
rar x -- extract
rar a -- add file
tar cjvf myfiles.tar.bz2 *.txt
tar xjvf myfiles.tar.bz2
gzip myfile -- gzips myfile into myfile.gz
gzip -v myfile -- verbose output
gzip -tv myfile.gz -- tests integrity of file
gzip -lv myfile.gz -- get detailed information
gzip -rv mydir -- compress all files in directory
bzip2 myfile -- myfile into myfile.bz2
bzip2 -v myfile
bunzip2 myfile.bz2
bzip2 -d myfile.bz2
bzip2 -vd myfile.bz2
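Added example, not from the book or these notes, tying the tar commands above to the md5sum/sha1sum -c check from Ch 4: build a compressed archive of a directory, write a checksum manifest beside it, and verify the archive later so a tampered or truncated backup is noticed before it is restored. It uses sha256sum rather than md5sum/sha1sum because MD5 and SHA-1 are no longer collision-resistant. The function names (make_backup, verify_backup, list_members) and the sample files are this example's own, and it assumes GNU tar and coreutils as shipped on Fedora.

```shell
#!/bin/sh
# Added example, not from the book or these notes: package a directory the way
# "tar czvf" above does, record a SHA-256 manifest, and verify it later.
# Function names and the constructed sample files are this example's own.
# Assumes GNU tar and coreutils (sha256sum with -c --status).

# Create <out>.tar.gz from <dir> plus <out>.sha256 next to it.
make_backup() {           # make_backup <dir> <out-path-without-suffix>
    src=$1; out=$2
    # -C so the archive holds "data/..." rather than the absolute path
    tar -C "$(dirname "$src")" -czf "$out.tar.gz" "$(basename "$src")"
    # manifest line is the format sha256sum -c expects:  <hash>  <filename>
    ( cd "$(dirname "$out")" && sha256sum "$(basename "$out").tar.gz" ) > "$out.sha256"
}

# Verify the archive against its manifest; prints ok or FAILED.
verify_backup() {         # verify_backup <out-path-without-suffix>
    out=$1
    if ( cd "$(dirname "$out")" && sha256sum -c --status "$(basename "$out").sha256" ); then
        echo ok
    else
        echo FAILED
    fi
}

# Sorted member list (tar tzf): what to read before extracting anything you
# did not create yourself.
list_members() {          # list_members <out-path-without-suffix>
    tar -tzf "$1.tar.gz" | sort
}

# Demonstration with a constructed directory
work=$(mktemp -d)
mkdir "$work/data"
printf 'hello\n'  > "$work/data/a.txt"
printf 'secret\n' > "$work/data/b.txt"
make_backup "$work/data" "$work/backup"
echo "members:"; list_members "$work/backup"
echo "verify: $(verify_backup "$work/backup")"
printf 'x' >> "$work/backup.tar.gz"            # simulate corruption or tampering
echo "after tamper: $(verify_backup "$work/backup")"
rm -rf "$work"
```

Keep the manifest somewhere the backup job cannot overwrite (or sign it with gpg): a checksum stored next to the archive on the same disk only catches accidental corruption, not an attacker who can rewrite both files.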
backing up over network with ssh
rsnapshot via yum install rsnapshot (http://www.rsnapshot.org/)
mkdir mybackup ; cd mybackup
ssh bob@server1 'tar cf - myfile*' | tar xvf - -- IN: all files beginning with myfile are copied from the server into the local current dir
tar cf - myfile* | ssh bob@server1 'cd /home/bob/myfolder ; tar xvf -' -- OUT
ssh bob@server1 'tar czf - myfile*' | cat > myfiles.tgz -- IN, kept as a compressed archive
tar czvf - myfile* | ssh bob@server1 'cat > myfiles.tgz' -- OUT
backing up files over network with rsync (Detailed rsync reference)
rsync -a source/ destination/ -- equal to cp -a source/. destination/
rsync -a -e ssh source/ username@remotemachine.com:/path/to/destination/ -- the -e option specifies the remote shell to use
rsync -a a b -- assuming there is a file a/foo this gives a file b/a/foo
rsync -a a/ b -- gives b/foo
point is trailing slashes matter, but only on the source
rsync -a --delete source/ destination/ -- any files in destination but not in source are deleted
-- create test-src, test-dest, test-src/somefiles, then:
rsync --delete --backup --backup-dir=bk-`date +%A` -avz test-src/ test-dest/$(date +%F)
rsync -avz --delete bob@server1:/home/bob/pics bobspics -- mirrors remote pics directory on local system (-a run in archive mode, -v verbose, -z compress in transit, --delete remove any local files not still on server)
mkdir /var/backups
rsync --delete --backup --backup-dir=/var/backups/backup-`date +%A` \
-avz bob@server1:/home/bob/Personal/ /var/backups/current-backup/
-- creates /var/backups/backup-Monday etc holding the files each run replaced or deleted
-- create hard links instead of duplicate files (--link-dest option)
rm -rf /var/backups/backup-old/
mv /var/backups/backup-current/ /var/backups/backup-old/
rsync --delete --link-dest=/var/backups/backup-old/ -avz bob@server1:/home/bob/Personal \
/var/backups/backup-current/

longer script can be found here: http://samba.anu.edu.au/rsync/examples.html
backing up with unison
-- rsync assumes that the machine being backed up is the only one where data is being modified
-- when you have 2 (ie desktop & laptop) unison is better
yum install unison
unison /home/bob ssh://bob@server1//home/bob
unison /home/bob /mnt/backups/bob-home
-- to force unison to run in command line mode (-ui text)
unison /home/bob ssh://bob@server1//home/bob -ui text
-- will prompt for y on every change. If you trust unison to find the newest file use -auto
unison /home/bob ssh://bob@server1//home/bob -auto
-- no man pages
unison -help
unison -doc all | less
Backing up to removable media
mkisofs -o home.iso /home -- all files in DOS 8.3 naming mode
mkisofs -o home2.iso -J -R /home -- add Joliet & Rock Ridge extensions
mkisofs -o home3.iso -J -R music/ pics/ docs/ -- multiple dirs or files
mkisofs -o home.iso -J -R -graft-points Pictures/=/var/pics/ /home/bob -- /var/pics becomes /home/bob/Pictures on cd image
-- add more information to ISO:
mkisofs -o home.iso -R -J -p www.bob.org -publisher "Bob Thomas" -V "WebBackup" \
-A "mkisofs" -volset "1 of 4 backups, September 22, 2008" /home/bob
volname home.iso -- display volume name
isoinfo -d -i home.iso -- display all header information
mkdir /home/bob/test
mount -o loop home.iso /home/bob/test -- mount image in test dir
umount /home/bob/test
Burning to CD/DVD
cdrecord --scanbus -- shows information on CD/DVD drive(s)
cdrecord -dummy home.iso -- test burn without doing anything
cdrecord -v home.iso
cdrecord -v -eject home.iso
-- multisession using growisofs
growisofs -Z /dev/sr0 -R -J /home/bob -- master & burn to DVD (-Z starts a new disc)
growisofs -M /dev/sr0 -R -J /home/belinda -- add to burn (-M merges a session onto an existing disc)
growisofs -M /dev/sr0=/dev/zero -- close burn
growisofs -dvd-compat -Z /dev/sr0=home.iso -- burn image to DVD
CH 9: Checking and Managing Running Processes
Viewing active processes with ps
ps --help -- brief list of options
ps -A or ps -e -- list all processes
ps x -- list processes without controlling ttys (BSD style)
ps -u bob -- for user bob
ps auwwx -- every process, unlimited width, BSD style (no leading dash)
ps -ejH, ps -axjf, ps -ef --forest, pstree -- hierarchy with process/session ids
custom output with the -o option page 151
Active processes with top
top -- show processes
top -d 5 -- change update delay from 3 to 5 sec
top -u bob -- show for user bob
top -n 10 -- update 10 times then quit
top -b -- run in non-interactive mode, good for file directed output
Finding processes using pgrep
pgrep init -- yields three PIDs ... why 3? pgrep matches the pattern anywhere in the process name
1
3204
3205
pgrep -l init -- long listing, which shows why (pgrep -x init matches the name exactly)
1 init
3204 start_kdeinit
3205 kdeinit
Using fuser to find processes
sudo /sbin/fuser -mauv /home/bob -- show all processes with anything in /home/bob open
-- m: treat the argument as a mount point and report everything open on that file system, v verbose, a show all named files even if nothing has them open, u show the owning user
sudo /sbin/fuser -k /boot -- kill every process that has anything in /boot open
nice -- sets process priority, regular user 19 (way low) to -20 (way high; negative values need root)
-- merely a suggestion to the scheduler
nice -n 12 gimp -- launch gimp with low priority
renice +2 -u bob -- set bob's processes to lower priority
Running processes in background or foreground with fg, bg, & jobs
open terminal, type gimp -- run gimp in foreground, will die if you close the terminal
type gimp & -- run gimp in background, ditto
<Ctrl+z> -- in running foreground process will stop it and put it in background
jobs -- will list running processes in that terminal
bg 1 -- will put job 1 in background
fg 1 -- will put job 1 in foreground
<Ctrl+c> -- kills current fg process
<Ctrl+d> -- kills terminal session
jobs -l -- long listing of all fg & bg processes for current terminal session
kill & killall
ps aux
kill 28665 -- send SIGTERM to process with PID of 28665
kill -9 4985 -- send SIGKILL to process with PID of 4985 (careful, the process gets no chance to shut down cleanly)
killall spamd -- kill all spamd running
Running processes away from the current shell
nohup gimp & -- run gimp immune to the hangup signal, so it survives the terminal closing (output goes to nohup.out)
Scheduling processes to run
at now +1 min
at>updatedb
at>Ctrl+d
at teatime
at now +5 days
at 10/05/08
atq -- query for jobs in queue
crontab -e -- create a crontab for current user and open in vi or vim
/etc/crontab -- minute, hour, day, month, & day of week, then user, then command
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
-- simply link or put the script you want to run in one of the directories above (a per-user crontab from crontab -e has no user column)
Ch 10: Managing the System
Focus is on Monitoring Resources in use
files in /proc (sudo ls -lah /proc)
might have to install sysstat package
Memory Use:
free (-m in megabytes, -g in gigabytes, -s 5 continuously display every 5 seconds)
free -m
             total       used       free     shared    buffers     cached
Mem:          8008       4846       3161          0        141       3793
-/+ buffers/cache:        912       7095
Swap:        16002          0      16002
top -- Shift M sorts by memory
vmstat -- view memory use over time
vmstat 3 -- update every three seconds
man vmstat -- field descriptions; watch for io backlog if lots of memory is in use, wasted CPU time
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
CPU Usage:
iostat -c 3 -- update every 3 seconds
Linux 2.6.25.14-69.fc8 (Gandalf)     10/01/2008

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           1.94    1.23    1.04    0.88    0.00   94.91
iostat -c -t -- print with time stamp
man iostat -- for listing of fields displayed
--> dstat -t -c 3 -- colors for different types of data
-----time----- ----total-cpu-usage----
  date/time   |usr sys idl wai hiq siq
01-10 17:08:41|  3   1  95   1   0   0
01-10 17:08:44|  0   1  99   0   0   0
01-10 17:08:47|  2   1  97   0   0   0
01-10 17:08:50|  0   1  99   0   0   0
01-10 17:08:53|  0   1  99   0   0   0
01-10 17:08:56|  0   1  99   0   0   0
01-10 17:08:58|  0   1  99   0   0   0
cat /proc/cpuinfo -- lots of info about processor(s)
flags line shows features cpu supports
Storage Devices
du & df
iostat -d
Linux 2.6.25.14-69.fc8 (Gandalf)     10/01/2008

Device:   tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
sda      7.76       214.40       182.76    6445638    5494280
/usr/sbin/lsof -- all open files (lots)
lsof -c bash -- files open by bash shells
lsof -d cwd -- all directories open as a current working dir
lsof /dev/sda1 -- anything open on that filesystem
lsof /Gandalf/data -- anything open in that directory structure (and subs)
Mastering Time
system-config-date -- date, ntpd, timezone, etc gui
cat /etc/sysconfig/clock
# The ZONE parameter is only evaluated by system-config-date.
# The time zone of the system is defined by the contents of /etc/localtime.
ZONE="America/Chicago"
UTC=false
ARC=false
/usr/share/zoneinfo/America/Chicago -- time zone info
cp or ln -s above to /etc/localtime
--> date
Wed Oct 1 17:50:55 CDT 2008
--> date '+%A %B %d %G'
Wednesday October 01 2008
--> date --date='8 months 3 days'
Thu Jun 4 17:51:50 CDT 2009
date 081215212008 -- set date to Aug 12, 3:21pm 2008 (format MMDDhhmmYYYY)
cal -- show calendar
    October 2008
Su Mo Tu We Th Fr Sa
          1  2  3  4
 5  6  7  8  9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31
--> cal 2009
                              2009
      January               February               March
Su Mo Tu We Th Fr Sa  Su Mo Tu We Th Fr Sa  Su Mo Tu We Th Fr Sa
             1  2  3   1  2  3  4  5  6  7   1  2  3  4  5  6  7
 4  5  6  7  8  9 10   8  9 10 11 12 13 14   8  9 10 11 12 13 14
11 12 13 14 15 16 17  15 16 17 18 19 20 21  15 16 17 18 19 20 21
18 19 20 21 22 23 24  22 23 24 25 26 27 28  22 23 24 25 26 27 28
25 26 27 28 29 30 31                        29 30 31
(remaining months follow)
/sbin/hwclock -r -- display current CMOS hardware clock setting
/sbin/hwclock --hctosys -- set system clock from hardware clock (root)
Using Network Time Protocol
yum install ntp (package name; the daemon is ntpd)
service ntpd start
chkconfig ntpd on
/etc/sysconfig/ntpd -- main config file (the servers to sync from are listed in /etc/ntp.conf)
SYNC_HWCLOCK=no -- set to yes to sync the hardware clock too
-- problem is why would you want to run a time server? (ntpd is the client as well: it keeps the local clock disciplined, which log correlation and Kerberos depend on)
ntpd -qg -- q says quit after syncing, g says don't panic if the clock is way off
Managing the boot process
A detailed look at the fedora boot process
BIOS
MBR -- first 512-byte sector of the boot disk (boot code + partition table); the "bootable" flag marks the partition the boot code continues from
GRUB
/boot/grub/grub.conf -- other configs are symbolic links to this
kernel
kernel needs root file system to load modules (block devices, etc)
device drivers are on the root file system, so how does the kernel get them?
a small initial ram disk (initrd)
init process
/etc/inittab -- runlevel, etc
/boot/grub/grub.conf -- lots of other kernel boot options (table 2-1)
default=1
timeout=5
splashimage=(hd1,0)/boot/grub/splash.xpm.gz
title Fedora (2.6.26.3-14.fc8)
root (hd1,0)
kernel /boot/vmlinuz-2.6.26.3-14.fc8 ro root=LABEL=/ rhgb init=/sbin/bootchartd
initrd /boot/initrd-2.6.26.3-14.fc8.img
grub-install /dev/sda -- reinstall grub
mkinitrd ... -- recreate initial ram disk
Startup & Run Levels
/sbin/runlevel -- display current and previous
init 5 or 3 etc -- change runlevel
init q -- process changes in inittab (mostly for gettys)
/sbin/chkconfig --list, smb on, --add <name>, --level <levels> <name> <on off reset> ....
/sbin/service smb -- show usage statement
service smb restart -- etc
/etc/rc.d/rc
systemd
see /etc/systemd and /lib/systemd files
man systemctl
http://www.freedesktop.org/wiki/Software/systemd/FrequentlyAskedQuestions
The Kernel
uname
dmesg
lsmod
modinfo pata_acpi
/sbin/modprobe -l | grep c-qcam
modprobe c-qcam
modprobe -r c-qcam
/etc/sysctl.conf -- Kernel sysctl configuration file for Red Hat Linux
/sbin/sysctl -a | less -- list all kernel parameters
sudo /sbin/dmidecode -- list info about all hardware
sudo /sbin/hdparm /dev/sda -- view and change information relating to hard drive
Ch 11: Managing Network Connections
GUI based tools
Network Configuration via GUI works mostly
Gnome-System-->Administration-->Network
Troubleshooting
Start at bottom of TCP/IP stack
1 - Check cables on local card and on routers/gateway etc
2 - Check that card is properly installed and has the correct drivers
3 - Check the settings for the card to make sure you do not have mismatches
4 - If all else fails get a NIC that is supported in Linux
Checking Links
/sbin/ethtool -- lots of help info
/sbin/ethtool | less -- nothing, because help output goes to stderr (ethtool 2>&1 | less)
sudo /sbin/ethtool eth1 -- settings for eth1
Settings for eth1:
Supported ports: [ MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 2
Transceiver: external
Auto-negotiation: on
Supports Wake-on: g
Wake-on: d
Link detected: yes
sudo /sbin/ethtool -i eth1 -- driver information
driver: forcedeth
version: 0.61
firmware-version:
bus-info: 0000:00:12.
sudo /sbin/ethtool -S eth1 -- Statistics
sudo /sbin/ethtool -s eth1 speed 100 duplex full autoneg off -- change card settings temp.
-- /etc/sysconfig/network-scripts/ifcfg-eth1 contains “permanent” settings
-- less /usr/share/doc/initscripts-*/sysconfig.txt
sudo netstat -i -- per-interface packet statistics
sudo netstat -nap -- all sockets (-a) with the owning process (-p), no name resolution (-n)
Managing Network Connections
sudo /sbin/service
Usage: service < option > | --status-all | [ service_name [ command | --full-restart ] ]
/sbin/service network restart or status or stop or start
sudo /sbin/chkconfig
usage: chkconfig --list [name]
chkconfig --add <name>
chkconfig --del <name>
chkconfig --override <name>
chkconfig [--level <levels>] <name> <on|off|reset|resetpriorities>
less /usr/share/doc/initscripts-*/sysconfig.txt
sudo /sbin/ifdown eth1
sudo /sbin/ifup eth1
Viewing Ethernet Connection Information
/sbin/ifconfig
-- connection info for all active (add -a to get inactive) connections
/sbin/ip addr show eth1 -- similar information
/sbin/ip a
-- info for all interfaces
/sbin/ip help
-- (addr help, route help, tunnel help)
ipcalc -bmn 192.168.1.0/24
NETMASK=255.255.255.0
BROADCAST=192.168.1.255
NETWORK=192.168.1.0
Wireless Connections
Use the GUI if at all possible
wireless-tools, ndiswrapper, etc from rpm.livna.org
/sbin/lspci | grep wireless
-- to see wireless PCI cards
/sbin/iwconfig
-- same sort of info as ifconfig but for wireless
/sbin/iwconfig --help
-- essid, channel, sens, key, .....
Dial-Up Modems – Skipped
Checking Name Resolution
cat /etc/resolv.conf
nameserver 208.180.42.68
nameserver 208.180.42.100
dig www.google.com or www.newegg.com -- query the servers in resolv.conf
dig www.google.com @4.1.2.1 -- query a specific server
dig +trace www.google.com -- follow the delegation from the root servers down, step by step
host 208.180.42.100 -- reverse DNS lookup
More Troubleshooting
/sbin/ip route
-- like old route command
172.16.240.0/24 dev vmnet8 proto kernel scope link src 172.16.240.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
172.16.140.0/24 dev vmnet1 proto kernel scope link src 172.16.140.1
default via 192.168.1.1 dev eth1
ping gateway to see if connected
/sbin/arp -v -- list ARP cache entries by name
Address      HWtype  HWaddress          Flags Mask  Iface
DirectvDvr   ether   00:50:00:d4:bb:5c  C           eth1
home         ether   00:15:6c:8c:61:44  C           eth1
Gimli        ether   00:17:02:bb:1e:5b  C           eth1
traceroute www.ttu.edu -- * * * at a hop probably means a firewall is dropping the probes
sudo traceroute -T 129.118.51.8 -- use TCP SYN probes instead of the default UDP (gets through some firewalls)
sudo traceroute -n ... -- disable name resolution
Network Statistics
netstat -s -- summary of TCP, ICMP, UDP connections
netstat -tanp -- TCP connection information
netstat -uanp -- UDP
Other Useful Tools
sudo /usr/sbin/tcpdump -- (-v or -vv for more stuff)
wireshark
nmap
CH 12: Accessing Network Resources
Sometime even when a GUI is available command line commands are VERY useful
Browse the web
lynx -- old text based browser
links -- newer command but /usr/bin/links -> elinks
elinks -- the current “choice”, allows mouse use & colors in terminal session
-- Control Keys Table 12-1 pg. 210 (Esc toggles menu on/off)
Transferring Files -- wget
wget -- download files using http or ftp
wget http://rpmfind.net/linux/sourceforge/f/fe/fedorafrog/fedora_frog-1.0-8.0.3.i386.rpm
wget ftp://rpmfind.net/linux/sourceforge/f/fe/fedorafrog/fedora_frog-1.0-8.0.3.i386.rpm
wget --user=someuser --password=passwordforuser ftp://somedir.com/somefile
wget ftp://user:password@someserver.com/somefile
-- both forms leave the password in ps output and shell history; ~/.netrc or --ask-password avoids that
-- download single web page
wget http://jdurrett.ba.ttu.edu/3351/index.html
-- download single page along with required images, etc and use local file names
wget -pk http://jdurrett.ba.ttu.edu/3351/index.html
-- append .html to downloaded files so .cgi or .asp etc will work locally
wget -E http://jdurrett.ba.ttu.edu
-- recursively mirror entire site -- be careful!!!!
wget -m http://jdurrett.ba.ttu.edu
-- combining above we get
wget -mEkK http://jdurrett.ba.ttu.edu
-- restart an incomplete download
wget http://example.com/DVD.iso -- start download
-- assume it is interrupted here
wget -c http://example.com/DVD.iso -- finish
Transferring Files -- curl
-- curl (client for URLs) is also available for single shot downloads
Transferring Files -- lftp
lftp mirrors.kernel.org -- anonymous connection
lftp bob:mypasswd@server1 -- authenticated connection but bad to type pass this way
lftp -u bob server1 -- will ask for password
-- once session is open
pwd, cd, ls, get (download), put (upload), Ctl-z (set download to background),
mget (get all in.), mput (put all in), bookmark, quit
Transferring Files -- ssh
-- warning: you do NOT get a warning about overwriting existing files when using some of these
scp mfile bob@server1:/home/bob/tmp -- file up, will ask for password
scp server1:/home/bob/myfile ./ -- file down, assumes bob is current user
scp -p ... -- preserves permissions and timestamps
scp -P 4382 ... -- use port 4382 not the default of 22
scp -r mydir bob@server1: -- recurse mydir and copy all (the trailing colon matters; without it scp writes a local file named bob@server1)
-- sftp uses ssh but allows an ftp like interface ( ? for a list of commands)
sftp bob@server1
-- then use any of the ftp commands to copy & move around
Sharing remote directories -- NFS (Network File System)
-- works in some Windows ops too
service nfs start -- starts service; configs are /etc/sysconfig/nfs, /etc/exports
/usr/sbin/exportfs -v -- shows all shared directories along with permissions
service nfs reload -- reload nfs with changes to /etc/exports
exportfs -r -- re-export everything listed in /etc/exports
exportfs -vr
/usr/sbin/showmount -e -- show directories exported by the local system
showmount -e client.server1.com -- show directories exported by another system
mount server.example.com:/export/myshare /Gandalf/nfsDIR -- mount remote (nfs3)
mount -o rw,hard,intr ... -- options can also be entered on mount line
mount -t nfs4 ... -- nfs4 is more versatile but less used, might not work
Sharing remote directories -- SAMBA
-- SMB (server message block) is the old name; cifs is the current file system type
-- GUI config tools are available (swat is a nice easy web interface)
1. sudo yum install samba-swat
2. sudo /sbin/chkconfig swat on
3. sudo /etc/init.d/xinetd start
4. links http://localhost:901/
findsmb -- scan network for shares
*=DMB
+=LMB
IP ADDR        NETBIOS NAME   WORKGROUP/OS/VERSION
---------------------------------------------------------------------
192.168.1.2    Gandalf        [WIZARDS] [Unix] [Samba 3.0.21c]
smbtree
-- text representation of network shares
Password:
WIZARDS
\\ARIEL
\\ARIEL\C$
Default share
\\ARIEL\Belinda (C)
\\ARIEL\Easy (E)
sudo smbpasswd -a bob -- add an existing Linux user as a samba user
smbclient -L Ariel -- list services offered by a server to the current user or anonymously
smbclient -L Ariel -U bob
smbclient //192.168.1.1/myshare -U bob -- ftp style connection
-- mounting
sudo mount -t cifs -o username=bob,password=mypass //server1/myshare /where/I/mountedit
-- a password on the mount line is visible to every user in ps; a credentials file (mode 600) as below avoids that
sudo mount -t cifs '//Ariel/Easy (E)' /Gandalf/Belinda/Easy -o credentials=/home/bob/.cred,uid=500,gid=500
smbstatus -- current connections and lock status
nmblookup Ariel -- lookup IP for samba server Ariel
testparm -- check samba configuration
testparm -v | less -- show default parameters you did not set
Sharing remote directories -- sshfs (yum install fuse-sshfs)
sshfs bob@server1:/home/bob/myshare /Gandalf/RemoteSites/bob -- mount, will ask for password
sudo umount /Gandalf/RemoteSites/bob -- unmount
Ch 13: Remote System Admin
Most professional linux admins do not run X on production servers
Thus command line admin is a necessity
Old tools like telnet, ftp, rsh, rexec, rcp are security risks (userid and password cross the network in cleartext)
Modern tools like ssh, scp, sftp are much more secure
Legacy tools are sometimes good for troubleshooting
telnet www.google.com 80
GET / HTTP/1.0
--- press Enter twice here: the blank line ends the request headers
HTTP/1.1 200 OK
Remote admin with ssh
Configuration
-- make sure sshd service is running by default
-- /etc/ssh/sshd_config -- server configuration file
Port 1248
X11Forwarding yes
AllowTcpForwarding no
-- note: AllowTcpForwarding no on the server disables the -L/-R/-D tunnels shown below; set it to yes where you need them
-- /etc/ssh/ssh_config -- client configuration file
ForwardX11 yes (or ssh -X bob@someserver each time you connect)
Regular use
ssh bob@server1 -- the 'correct' way to log in as a different user
ssh server1 -- login to remote as current user
ssh -p 1248 bob@server1 -- port other than default of 22
ssh tunneling (a good howto is here )
ssh -X server then run kcalc etc (or plain ssh once ForwardX11 is configured)
ssh -L 1234:localhost:631 remoteserver -- tunnel to the CUPS server on remoteserver (then browse http://localhost:1234)
ssh -l remoteuser -nNT -R 1100:129.118.49.11:22 remoteip -p remotesshport -- reverse tunnel: port 1100 on remoteip forwards back through this client to 129.118.49.11:22 (-nNT: no command, no tty)
ssh user@remotehost -L 24800:remotehost:25 -N -- local port 24800 reaches port 25 on remotehost
-- use myserver to connect to internet
ssh -L 12345:google.com:80 myserver -- local port 12345 reaches google.com:80 via myserver (the -L form is localport:host:hostport)
-- ssh as a SOCKS Proxy
ssh -D 12345 myserver
// look at man pages
then change connection settings in firefox to match
(preferences-advanced-settings-manual connection SOCKS:localhost port:12345)
ssh public key login
cat ~/.ssh/known_hosts -- public host keys of servers you have connected to before (not your own keys)
ssh-keygen -- generate public / private keys for current user
-- leaving the passphrase prompt blank makes connections easy but is risky: anyone who copies id_rsa can log in as you
copy ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on remote server (ssh-copy-id bob@server1 does this; authorized_keys2 is the old name)
ssh-agent -- gives the ability to store keys for duration of this session
eval $(ssh-agent) -- adds vars to environment (note $(...), not single quotes)
ssh-add -- will add default private key (from ssh-keygen) to the agent
Using screen: A rich remote shell Cool!!!
ssh gives you one temporary screen at a time; if it times out or dies you lose everything
yum install screen (FC8 by default)
ssh into remote server
screen -- you now have a screen running on remote server
screen -ls -- list active screens
Ctrl-a, d -- detach screen, leave it running but return to ssh terminal window
Ctrl-a, ? -- help
screen -r -- reattach to a previously detached screen (works even after quitting ssh)
screen -r 7089.pts-2.myserver -- reattach if there are multiple detached screens
screen -S mysession -- name the screen session
screen -x or screen -x mysession -- share screen session (same user logged on)
-- try this
ssh into some server
screen
top
Ctrl-a, d
exit ssh
ssh again into same server
screen -r
-- top will still be running
Using a Remote Windows Desktop
WinXP – Control Panel / System / Remote: enable and add users
yum install rdesktop tsclient
tsclient & -- graphical Terminal Server Client
rdesktop Ariel
rdesktop -u bob -p password win1 -- a password on the command line shows up in ps and shell history; omit -p to be prompted
rdesktop -f win1 -- maximize display
rdesktop -0 -r sound:local win1 -- attach to the console session and direct sound from server to client
Other remote linux apps
xhost -- X over the network is not encrypted; ssh -X is better
Sharing desktops with VNC
yum install vnc vnc-server
/etc/sysconfig/vncservers
VNCSERVERS="1:bob 2:thomas"
vncpasswd -- set current user vnc password
chkconfig vncserver on -- set vnc server to run
make sure to open TCP ports 5900+displaynumber in iptables (5901 for :1, 5902 for :2)
vncviewer myserver:1 or myserver:2 -- connect to vncserver from client
-- above is a really simple window manager so on the server
edit ~/.vnc/xstartup
and add
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc
and restart the vncserver
-- on untrusted networks tunnel vnc (the VNC protocol itself is not encrypted)
ssh -L 5902:localhost:5902 vncserver
then connect with vncviewer localhost:2
Can share a vnc desktop using Vino
Ch 14: Locking Down Security (for working with user accounts see also Ch10 in Fedora Bible 2011 notes)
“Securing your Linux system means first restricting access to the user accounts and services on the system. After
that, security means checking that no one has gotten around the defenses you have setup.”
Fedora is designed to be secure by default:
1. no user accounts with blank passwords
2. firewall is restrictive by default
3. most network services are off
4. SELinux is set to enforcing if you do not change this on the install
Working with users and groups
ALWAYS LOG IN AS A REGULAR USER! Then use su or sudo to gain root access
/etc/ssh/sshd_config PermitRootLogin no
The GUI way for servers:
webmin: (www.webmin.com)
-- remember to change default port from 10000
cPanel (www.cpanel.com), Plesk (www.swsoft.com/plesk), Ensim (www.ensim.com)
Adding user accounts
--> sudo /usr/sbin/useradd -D -- show useradd default values
GROUP=100 -- default group
HOME=/home -- base home directory
INACTIVE=-1 -- do not disable the account after its password expires
EXPIRE= -- don't set an account expiration date
SHELL=/bin/bash -- default shell
SKEL=/etc/skel -- copy default home config files from here
CREATE_MAIL_SPOOL=yes -- create mail spool directory
-- fedora overrides the default group with a new group for each new user
-- above values in /etc/default/useradd
useradd bob -- typed as root; then passwd bob sets bob's password
-- root is only warned, not stopped, if a bad password is used
-- some of the options for useradd
sudo /usr/sbin/useradd --help
-b, --base-dir /var/users -- base directory for the new user account
-d, --home-dir /home/jj -- home directory for the new user account
-e, --expiredate 2009-01-01 -- set account expiration date to 2009-01-01
-g 700 -u 700 -- use specific GID & UID for new user
-G students,tomcatusers -- list of supplementary groups for the new user
sudo /usr/sbin/groupadd <name> -- before adding a user to a group the group must exist
groups bob -- list the groups bob belongs to
bob vboxusers
-- some of the real config files for users and groups
/etc/passwd
test:x:502:503::/home/test:/bin/bash
/etc/shadow
test:$1$cvOBzy34DGAgHfr3XcdeAmEJ1:14134:0:99999:7:::
/etc/group
test:x:503:drjohn,bob
Changing default useradd values
edit /etc/default/useradd & /etc/login.defs to make changes permanent
user options above in useradd command to make temporary changes
add files or directories to /etc/skel to change 'startup' /home/newuser (ex public_html)
Modifying User Accounts
sudo /usr/sbin/usermod -c "Dr Bob" bob -- change bob's comment field
sudo /usr/sbin/usermod -s /bin/sh bob -- change bob's default shell
sudo /usr/sbin/usermod -L bob -- lock the bob user account
sudo /usr/sbin/usermod -U bob -- unlock the bob user account
chsh -s /bin/sh -- change current user's shell to /bin/sh
chfn -o "BA607" -h 806-687-9028 -p 806-438-2049 -f "DrJohn" -- change finger information: office, home phone, office phone, full name
finger
Login  Name    Tty  Idle  Login Time    Office  Office Phone
bob    DrJohn  *:0        Oct 20 13:30  BA607   806-438-2049
-- above information is stored in the 5th field of the /etc/passwd file
-- ONLY edit the /etc/passwd file carefully and with vipw
Deleting User accounts
/usr/sbin/userdel bob -- delete user bob
userdel -r bob -- delete user, home directory, and mail spool
Managing Passwords
-- modify current user password
--> passwd
Changing password for user bob.
Changing password for bob.
(current) UNIX password:
New UNIX password:
I typed hi
BAD PASSWORD: it is WAY too short
New UNIX password:
I typed hello
BAD PASSWORD: it is too short
New UNIX password:
I typed password
BAD PASSWORD: it is based on a dictionary word
--> sudo passwd bob
Password:
Changing password for user bob.
New UNIX password:
I typed hi
BAD PASSWORD: it is WAY too short
Retype new UNIX password: I typed hi
passwd: all authentication tokens updated successfully.
-- moral is be VERY careful when setting/modifying passwords as root
sudo passwd -l bob
-- lock the bob user account
sudo passwd -u bob
-- unlock the bob user account
-- this is done by placing !! at the front of the password field in /etc/shadow
test:!!$1$cvOBzy34DGAgHfr3XcdeAmEJ1:14134:0:99999:7:::
-- administrator can require users to change passwords regularly
passwd -n 2 bob -- set minimum password life to 2 days
passwd -x 300 bob -- set maximum password life to 300 days
passwd -w 10 bob -- warn of password expiration 10 days in advance
passwd -i 14 bob -- days after expiration that account is disabled
-- view password expiration information
--> chage -l bob
Last password change                               : Oct 20, 2008
Password expires                                   : December 31, 2008
Password inactive                                  : January 31, 2009
Account expires                                    : never
Minimum number of days between password change     : 0
Maximum number of days between password change     : 99999
Number of days of warning before password expires  : 7
-- as root can use the chage command to manage password expiration
sudo chage -I 40 bob -- disable the account 40 days after its password expires (the "Password inactive" value)
sudo chage -d 5 bob -- set the last-password-change date (days since 1970-01-01); the password is expired once that date plus the maximum age is in the past
-- chage -d 0 bob forces a password change on next login
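As an added example (not from the book or the notes above), the following shell function audits a constructed /etc/shadow sample for the conditions just discussed: a blank password field, the "!" prefix that passwd -l / usermod -L put in front of the hash, "*" for accounts that cannot log in with a password, and a maximum age of 99999 (the default, meaning the password never expires). The sample lines and hashes are constructed placeholders; the function names audit_shadow and shadow_findings are my own.

```sh
#!/bin/sh
# Added example: audit /etc/shadow-style lines for weak account settings.
# Field layout: name:password:lastchg:min:max:warn:inactive:expire:flag

# Constructed sample (not from a real system); hashes are placeholders
SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:15000:0:99999:7:::
bob:$1$cvOBzy34$DGAgHfr3XcdeAmEJ1:14134:0:99999:7:::
test:!!$1$cvOBzy34$DGAgHfr3XcdeAmEJ1:14134:0:99999:7:::
guest::14134:0:99999:7:::
svc:*:14134:0:99999:7:::
alice:$6$salt$hash:14134:2:300:10:14::'

# audit_shadow SHADOW_TEXT -> one line per account: name status max warn
# status: empty | locked | nologin | ok-noexpire | ok
audit_shadow() {
  printf '%s\n' "$1" | awk -F: '
  {
    name = $1; pw = $2; max = $5; warn = $6
    if (pw == "")         status = "empty"    # blank field: login with no password at all
    else if (pw ~ /^!/)   status = "locked"   # passwd -l / usermod -L prefix "!" (Fedora shows "!!")
    else if (pw == "*")   status = "nologin"  # no valid hash, password login impossible
    else                  status = "ok"
    if (status == "ok" && max == "99999") status = "ok-noexpire"  # passwd -x never set
    print name, status, max, warn
  }'
}

# shadow_findings SHADOW_TEXT -> names that need attention
shadow_findings() {
  audit_shadow "$1" | awk '$2 == "empty" || $2 == "ok-noexpire" { print $1 }'
}

audit_shadow "$SAMPLE_SHADOW"
```

Run it against the real file with `sudo sh -c 'audit_shadow "$(cat /etc/shadow)"'` after sourcing the functions; on a fresh Fedora install the only "empty" lines you should ever see are none, which is the "no blank passwords" default mentioned at the top of this chapter.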
Adding Groups
-- similar commands as for users above
-- groupadd, groupdel, groupmod, groupmems (add & remove members)
groupadd Marketing -- add group Marketing
groupadd -g 701 tomcat -- add group tomcat with GID of 701
groupmod -g 777 tomcat -- make tomcat group GID 777
groupmod -n tomcatS08 tomcat -- change name of tomcat group to tomcatS08 (new name first, then the existing group)
groupdel tomcat -- delete tomcat group
Checking on Users
find / -nouser -- No user corresponds to file's numeric user ID (leftovers from deleted accounts)
find / -nogroup -- No group corresponds to file's numeric group ID
find / -uid nnn -- File's numeric user ID is nnn
find / -user bob -- File is owned by user bob (numeric user ID is allowed)
--> sudo du -sh /home/test/
2.2M /home/test/
-- check on disk usage in user's home dir
-- -sh means summarize results and make human readable
-- fuser, ps, top identify running commands and can check for users (Ch 9)
sudo last -- lists the most recent successful logins
sudo lastb -- lists most recent unsuccessful logins (on zeus I get page after page after page)
sudo who -u -- list who is currently logged in, long form
sudo users -- list who is currently logged in, short form
--> id ==> uid=500(bob) gid=500(bob) groups=500(bob),502(vboxusers)
--> who am i
-- long form
bob pts/4
2008-10-20 16:49 (localhost.localdomain)
--> whoami
-- short form
bob
--> finger -s bob -- short form
Login Name
Tty Idle Login Time Office Office Phone
...
--> finger -l bob -- long form
Login: bob
Name: DrJohn
Directory: /home/bob
Shell: /bin/bash
Office: BA607, 806-438-2049
Home Phone: 806-687-9028
On since Mon Oct 20 13:30 (CDT) on :0 (messages off)
On since Mon Oct 20 13:31 (CDT) on pts/1 from :0.0
3 hours 48 minutes idle
(messages off)
On since Mon Oct 20 13:31 (CDT) on pts/2 from :0.1 (messages off)
On since Mon Oct 20 13:31 (CDT) on pts/3 from :0
3 hours 48 minutes idle
On since Mon Oct 20 16:49 (CDT) on pts/4 from localhost.localdomain
No mail.
No Plan.
-- when ~/.project (single line) and ~/.plan (multi line) files are added results become
--> finger -l bob
Login: bob
Name: DrJohn
...
Project:
To make the Internet safer
Plan:
By teaching
students how to become
Linux professionals
Working with System Logs (for firewall info see below)
/var/log ...
-- system logs are here and in subdirectories
-- fedora uses rsyslogd (system log daemon) and rklogd (kernel log daemon)
-- started by /etc/init.d/rsyslog (a newer better version of syslogd)
-- rotation is handled by /etc/cron.daily/logrotate
-- based on settings in /etc/logrotate.conf & in /etc/logrotate.d/
logwatch -- a system log analyzer and reporter that allows summary messaging
sudo logger Hello World from bob -- add messages to log files (e.g. to note that a new video card went in)
sudo cat /var/log/messages
... Oct 20 17:38:26 localhost durrett: Hello World from bob
Linux Bible 2010 Edition: Boot Up to Ubuntu, Fedora, KNOPPIX, Debian, openSUSE, and 13 Other
Distributions by Christopher Negus
Last annotated on December 2, 2010
Chapter 12: Securing Linux
In This Chapter Linux security checklist Using password protection Monitoring log files Communicating with
secure shell tools Understanding attack techniques Protecting servers with certificates Using special Linux
security tools distributions
Why should you care about security? According to the Internet Storm Center (http://isc.sans.org), a computer
connected to the Internet has an average of 16 minutes
Linux Security Checklist
Control physical access
Add users and passwords—Creating separate user accounts
Set read, write, and execute permissions
Protect the root user
Use trusted software
Get software updates
Use secure applications
Use restrictive firewalls
Enable only services you need
Limit access to services
Check your system
Monitor your system
Use SELinux
your computer, then, is safer. As Red Hat continues to work out the kinks in SELinux, there has been a
tendency for users to see SELinux failures and just disable the entire SELinux service. However, a better
course is to find out whether SELinux is really stopping you from doing something that is unsafe.
Finding distribution-specific security resources
Red Hat Enterprise Linux and Fedora security—Check the Red Hat Security site (www.redhat.com/security) for
RHEL security issues (that typically relate to Fedora systems as well). From here you can look for and read about
available updates. You can also get information on security training and consulting from Red Hat, Inc. For
Fedora security issues, see the Fedora Wiki (http://fedoraproject.org/wiki/Security/Features).
Refer to the Red Hat Enterprise Linux 4 Security Guide for an in-depth look at Linux security for Red Hat
systems. You can access this guide online from the following
address: www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/en-US/Security_Guide
Debian security (www.debian.org/doc/manuals/securing-debian-howto)
Ubuntu security—Find security guides and tools for Ubuntu on the Ubuntu security page (https://help.ubuntu.com/community/Security).
Gentoo security—Included on the Gentoo Linux Security page (www.gentoo.org/security) are tools, announcements, and links to
security policy and project documents associated with securing Gentoo systems. Find the Gentoo security
handbook here:
Choosing good passwords
(choosing a sentence on your personal Web page is a bad idea).
Table 12-1 lists examples of strong passwords and the tricks used to remember them.
Password   How to remember it
Mrci7yo!   My rusty car is 7 years old!
2emBp1ib   2 elephants make BAD pets, 1 is better
ItMc?Gib   Is that MY coat? Give it back
The passwords look like gibberish
Using a shadow password file
Checking for the shadow password file The password file is named passwd and is found in the /etc directory.
The shadow password file is named shadow and is also located in /etc. If your /etc/shadow file is missing, it is
likely that your Linux system is storing the password information in the /etc/passwd file instead.
A Practical Guide to Fedora and Red Hat Enterprise Linux by Mark G. Sobell
Last annotated on December 1, 2011
SELinux
NSA Security-Enhanced Linux
Traditional Linux security, called Discretionary Access Control (DAC):
In a DAC model, file and resource decisions are based solely on user identity and ownership of the
objects. Each user and program run by that user has complete discretion over the user's objects.
Malicious or flawed software can do anything with the files and resources it controls through the user
that started the process. If the user is the super-user or the application is setuid or setgid to root, the
process can have root level control over the entire file system.
The following is an example of permissions used on Linux operating systems that do not run Security-Enhanced Linux (SELinux). The permissions and output in these examples may differ from your system.
Use the ls -l command to view file permissions:
$ ls -l file1
-rw-rw-r--. 1 user1 group1 0 May 11 10:46 file1
SELinux (Security Enhanced Linux), implements Mandatory Access Control
(MAC): A MAC system does not suffer from these problems. First, you can administratively define a
security policy over all processes and objects. Second, you control all processes and objects, in the case of
SELinux through the kernel. Third, decisions are based on all the security relevant information available,
and not just authenticated user identity.
The following is an example of the labels containing security-relevant information that are used on
processes, Linux users, and files, on Linux operating systems that run SELinux. This information is
called the SELinux context, and is viewed using the ls -Z command:
$ ls -Z file1
-rw-rw-r--. user1 group1 unconfined_u:object_r:user_home_t:s0 file1
In this example, SELinux provides a user (unconfined_u), a role (object_r), a type (user_home_t), and a
level (s0). This information is used to make access control decisions. It is important to remember that
SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny
access first.
SELinux provides a combination of Role-Based Access Control (RBAC), Type Enforcement® (TE), and,
optionally, Multi-Level Security (MLS).
SELinux can be in one of three states (modes):
Enforcing: SELinux policy is enforced. SELinux denies access based on SELinux policy rules.
Permissive: SELinux policy is not enforced. SELinux does not deny access, but denials are logged for
actions that would have been denied if running in enforcing mode. Warnings are issued
Disabled: SELinux is disabled. Only DAC rules are used.
SELinux implements one or more of the following policies:
Targeted—Applies to specific objects
MLS—Multilevel Security
Strict—Applies
SELinux Contexts for Processes
ps -eZ
unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 13212 pts/1 00:00:00 passwd
There is always a tradeoff between security and usability.
More Information from the Fedora Project
http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/
Two ways to disable SELinux: You can modify the /etc/selinux/config file so that it includes the line
SELINUX=disabled and reboot the system, or you can use system-config-selinux (as explained on the next page).
Files on FC
- system-config-selinux (a GUI tool)
- /etc/selinux/config
  - SELINUX= (disabled, permissive, or enforcing)
  - SELINUXTYPE= (targeted or strict)
- /etc/selinux/targeted/
- /usr/sbin/getenforce
- /usr/sbin/setenforce
- /usr/sbin/sestatus
- /usr/sbin/semanage
The getenforce and setenforce utilities report on and temporarily set the SELinux mode. The sestatus utility
displays a summary of the state of SELinux:
Security Contexts
- All Objects (files, interprocess communication channels, sockets, network hosts, etc)
- and Subjects (processes)
- have a single security context associated with them
- user:role:type (our primary focus is the type portion)
- run id in a terminal (id -Z prints just your own context)
- run ls -Z
- run ps -Z
- ps -auxZ
Type enforcement Access Control
- rule format: allow Source Type(s) Target Type(s) : Object Class(es) { Permission(s) };
- allow user_t bin_t : file {read execute getattr};
- allow user_t passwd_exec_t : file {getattr execute};
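To make the rule format concrete, here is an added example (my own toy checker, not the SELinux policy compiler or anything from Sobell's book): it parses allow rules written in the format above, pulls the type out of a user:role:type:level context, and decides whether a subject of one type may perform a permission on an object of another type. The rule set is constructed; te_type and te_check are hypothetical names.

```sh
#!/bin/sh
# Added example: a minimal type-enforcement decision over "allow" rules.
# Real policy also has attributes, roles, constraints and MLS; this only
# shows how source type, target type, object class and permission line up.

# Constructed rule set (a tiny subset of what a targeted policy contains)
RULES='allow user_t bin_t : file { read execute getattr };
allow user_t passwd_exec_t : file { getattr execute };
allow user_t user_home_t : file { read write getattr };'

# te_type CONTEXT -> the type field of user:role:type[:level]
te_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# te_check RULES SOURCE_CTX TARGET_CTX CLASS PERM -> prints "allow" or "deny"
te_check() {
  src=$(te_type "$2")
  tgt=$(te_type "$3")
  printf '%s\n' "$1" | awk -v s="$src" -v t="$tgt" -v c="$4" -v p="$5" '
    # rule tokens: allow SRC TGT : CLASS { perm perm ... };
    $1 == "allow" && $2 == s && $3 == t && $5 == c {
      line = $0
      sub(/^[^{]*[{]/, "", line)   # drop everything up to and including "{"
      sub(/[}].*$/, "", line)      # drop "}" and the trailing ";"
      n = split(line, perms, " ")
      for (i = 1; i <= n; i++) if (perms[i] == p) found = 1
    }
    END { print (found ? "allow" : "deny") }'
}

# A user_t shell executing /bin/ls (bin_t) is allowed; writing to it is not,
# and nothing here lets user_t touch shadow_t at all.
te_check "$RULES" "unconfined_u:unconfined_r:user_t:s0" "system_u:object_r:bin_t:s0" file execute
te_check "$RULES" "unconfined_u:unconfined_r:user_t:s0" "system_u:object_r:bin_t:s0" file write
te_check "$RULES" "unconfined_u:unconfined_r:user_t:s0" "system_u:object_r:shadow_t:s0" file read
```

Remember the ordering stated above: the kernel consults these rules only after the DAC check has passed, so a "deny" from DAC never reaches the policy, and an "allow" here still needs the ordinary rwx bits to agree.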
sestatus results on my FC14
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
config file on my FC14
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Blockhosts (http://www.aczoom.com/cms/blockhosts)
--> After install -- rpm -ql BlockHosts
/etc/blockhosts.cfg
/etc/logrotate.d/blockhosts
/etc/logwatch/conf/services/blockhosts.conf
/etc/logwatch/scripts/services/blockhosts
/usr/bin/bhrss.py
/usr/bin/blockhosts.py
/usr/share/doc/BlockHosts-2.4.0
/usr/share/doc/BlockHosts-2.4.0/CHANGES
/usr/share/doc/BlockHosts-2.4.0/INSTALL
/usr/share/doc/BlockHosts-2.4.0/LICENSE
/usr/share/doc/BlockHosts-2.4.0/README
/usr/share/doc/BlockHosts-2.4.0/bhrss.html
/usr/share/doc/BlockHosts-2.4.0/blockhosts.html
--- /etc/blockhosts.cfg
HOSTS_BLOCKFILE = "/etc/hosts.allow"
COUNT_THRESHOLD = 7 -- number of invalid attempts
AGE_THRESHOLD = 12 -- number of hours to block
WHITELIST -- list of IPs to always allow
BLACKLIST -- list of IPs to always block
LOGFILES -- default list of logs to process (/var/log/secure)
--- /etc/hosts.allow
/etc/hosts.allow (or /etc/hosts.deny but only one not both files) - the hosts block file
Add following sections, in this order:
-- your permanent whitelist and blacklist of IP addresses (if needed)
-- blockhosts marker lines - two lines
-- execute command to kick off blockhosts.py on connects to services
Example below
# ----
# permanent whitelist addresses - these should always be ALLOWED access - edit as needed
ALL: 127.0.0.1 : allow
ALL: 192.168.0. : allow
# permanent blacklist addresses - these should always be DENIED access - edit as needed
ALL: 10. : deny
ALL: 192. : deny
ALL: 172. : deny
# ----------------------------------------
# next section is the blockhosts section - it will add/delete entries in
# between the two marker lines (#---- BlockHosts Additions)
#---- BlockHosts Additions
#---- BlockHosts Additions
# ----------------------------------------
# finally, the command to execute the blockhosts script, based on
# connection to particular service or services, for example, for
# sshd, proftpd, etc - if using pure-ftpd, etc, be sure to use those
# words instead - this is spread over multiple lines, so has \ at end of
# line to signal continuation:
sshd, proftpd, vsftpd: ALL: spawn /usr/bin/blockhosts.py \
--echo "%c-%s" --ipblock=iptables \
--whitelist="10\..*,127.0.0.1" --blacklist="192.168.1.1,192.168.1.2" \
#--the version on zeus
sshd, proftpd, in.proftpd: ALL: spawn (/usr/bin/blockhosts.py \
--verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow \
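What blockhosts.py does on each spawn is essentially this: count failed logins per source address in /var/log/secure, skip whitelisted addresses, and write deny lines between the marker lines once COUNT_THRESHOLD is reached. The following is an added example of that logic in plain shell and awk, not the BlockHosts code itself. The log lines are constructed, the threshold is lowered to 3 so the sample triggers, and count_failed, hosts_to_block and deny_lines are my own names.

```sh
#!/bin/sh
# Added example: failed-login counting in the style of blockhosts.py.

# Constructed /var/log/secure excerpt (not from a real host)
SAMPLE_SECURE='Oct 20 17:38:26 zeus sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 20 17:38:29 zeus sshd[1235]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct 20 17:38:31 zeus sshd[1236]: Failed password for root from 203.0.113.5 port 51244 ssh2
Oct 20 17:38:40 zeus sshd[1237]: Failed password for bob from 192.168.0.10 port 4001 ssh2
Oct 20 17:38:42 zeus sshd[1238]: Failed password for bob from 192.168.0.10 port 4002 ssh2
Oct 20 17:38:43 zeus sshd[1239]: Failed password for bob from 192.168.0.10 port 4003 ssh2
Oct 20 17:38:50 zeus sshd[1240]: Failed password for invalid user oracle from 198.51.100.7 port 6000 ssh2
Oct 20 17:39:01 zeus sshd[1241]: Accepted publickey for bob from 192.168.0.10 port 4004 ssh2'

COUNT_THRESHOLD=3                 # blockhosts.cfg default is 7; lowered for the sample
WHITELIST='^192[.]168[.]0[.]'     # never block the LAN, like the hosts.allow whitelist section

# count_failed LOG_TEXT -> "ip count" per source address, highest count first
count_failed() {
  printf '%s\n' "$1" | awk '
    /sshd\[[0-9]+\]: Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
    }
    END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# hosts_to_block LOG_TEXT THRESHOLD WHITELIST_REGEX -> addresses to deny
hosts_to_block() {
  count_failed "$1" | awk -v t="$2" -v w="$3" '$2 >= t && $1 !~ w { print $1 }'
}

# deny_lines ... -> hosts.allow entries, as they would go between the marker lines
deny_lines() {
  hosts_to_block "$1" "$2" "$3" | awk '{ print "ALL: " $1 " : deny" }'
}

deny_lines "$SAMPLE_SECURE" "$COUNT_THRESHOLD" "$WHITELIST"
```

Against a real system you would feed `sudo cat /var/log/secure` to deny_lines; the result is exactly the kind of line lastb and the "page after page" of failed logins above are warning you about. Note that hosts.allow is first-match, which is why the permanent whitelist has to sit above the BlockHosts markers.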
Other Advanced Security Features
SELinux
Central Logging
Tripwire
RPM database (rpm -Va verifies installed files against it)
chkrootkit
Apache 2.2.6-1 Notes and 2.2.17-1
Basics
Find the server rpms: rpm -qa | grep httpd (the package is named httpd, not apache)
Show files rpm -ql httpd
service httpd start or /etc/init.d/httpd restart
/sbin/chkconfig httpd on
Important files / folders in httpd-2.2.6-1.fc7 and httpd-2.2.17-1.fc14.x86_64
- /etc/httpd
- /etc/httpd/conf
- /etc/httpd/conf.d
- /etc/httpd/conf/httpd.conf -- for 'global environment', 'main or default server', & 'virtual hosts'
- /etc/httpd/logs
- /etc/httpd/modules
- /etc/httpd/run
- /etc/logrotate.d/httpd
- /etc/rc.d/init.d/httpd
- /etc/sysconfig/httpd
- /usr/bin/ab
- /usr/bin/htdigest
- /usr/bin/htpasswd
- /usr/bin/logresolve
- /usr/lib64/httpd/modules
- /usr/sbin/apachectl
- /usr/sbin/httpd
- /usr/sbin/rotatelogs
- /usr/sbin/suexec
- /var/www/error
- /var/www/html
- /var/www/icons
A limited graphical configuration utility
- system-config-httpd-1.4.3-1.fc7 and system-config-httpd-1.5.2-2.fc14.noarch
- /usr/bin/system-config-httpd
/etc/httpd/conf/httpd.conf Notes
### Section 1: Global Environment
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 120
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
#Listen 12.34.56.78:80
Listen 80
# LoadModule foo_module modules/mod_foo.so
Include conf.d/*.conf
User apache
Group apache
DSO support
### Section 2: 'Main' server configuration
ServerAdmin root@localhost
#ServerName www.example.com:80
UseCanonicalName Off
DocumentRoot "/var/www/html"
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
# Note that from this point forward you must specifically allow
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
#controls what directives may be placed in .htaccess files
Order allow,deny
Allow from all
</Directory>
DirectoryIndex index.html index.html.var
AccessFileName .htaccess
ErrorLog logs/error_log
# The following directives define some format nicknames for use with a CustomLog directive
# http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/rzaie/rzaielogformat.htm
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %>s %b %f %{host}i" debug
CustomLog logs/access_log debug
CustomLog logs/access_log combined
ServerSignature On
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
Alias /image /ftp/pub/image
A request for http://example.com/image/foo.gif would cause the server to return the file /ftp/pub/image/foo.gif
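Several of the directives above are the ones that decide how much a web server gives away or hands over: ServerSignature/ServerTokens (version strings in error pages and the Server header), Options Indexes (directory listings), and AllowOverride All (lets a .htaccess file relax everything the main config set). As an added example, not from the Apache documentation or these notes, here is a small scanner that walks a constructed httpd.conf fragment, remembers which <Directory> it is in, and reports those settings. The config text is constructed; httpd_findings and httpd_findings_count are my own names.

```sh
#!/bin/sh
# Added example: flag information-leaking or access-widening httpd.conf settings.

# Constructed httpd.conf fragment (not the file on any real host)
SAMPLE_CONF='ServerSignature On
ServerTokens OS
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>'

# httpd_findings CONF_TEXT -> one "where: finding" line per risky directive
httpd_findings() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*<Directory/   { where = $2; gsub(/[">]/, "", where) }   # track the enclosing <Directory ...>
    /^[ \t]*<\/Directory>/ { where = "" }
    $1 == "ServerSignature" && $2 == "On" {
      print "global: ServerSignature On (version shown in error pages)" }
    $1 == "ServerTokens" && $2 != "Prod" {
      print "global: ServerTokens " $2 " (full version in Server header; use Prod)" }
    $1 == "Options" {
      for (i = 2; i <= NF; i++) if ($i == "Indexes")
        print where ": Options Indexes (directory listing when no index file)" }
    $1 == "AllowOverride" && $2 == "All" {
      print where ": AllowOverride All (.htaccess can override Options and auth)" }'
}

# httpd_findings_count CONF_TEXT -> number of findings
httpd_findings_count() {
  httpd_findings "$1" | wc -l | tr -d ' '
}

httpd_findings "$SAMPLE_CONF"
```

To run it on the live config use `httpd_findings "$(cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf)"`; the corrected settings are ServerSignature Off, ServerTokens Prod, Options without Indexes outside directories that are meant to be browsed, and AllowOverride None unless a specific directory needs .htaccess.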
User directories
~public/public_html
user directory (/home/durrett) must be chmod 711, but not all of its subdirectories
public_html & all of its subdirectories must be 755
UserDir enable test (you must list the users to enable)
Doing this makes it possible to find users on the system
An alternative to the above is:
create a new /var/www/html directory (mkdir DrJohn)
change ownership to the user:apache (chown durrett:apache /var/www/html/DrJohn)
add the user link to the directory (ln -s /var/www/html/DrJohn /home/durrett/DrJohn_site)
# UserDir disable
chmod 711 /home/drjohn
mkdir /home/drjohn/public_html
chmod 755 /home/drjohn/public_html
#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
#<Directory /home/*/public_html>
#    AllowOverride FileInfo AuthConfig Limit
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#    <Limit GET POST OPTIONS>
#        Order allow,deny
#        Allow from all
#    </Limit>
#    <LimitExcept GET POST OPTIONS>
#        Order deny,allow
#        Deny from all
#    </LimitExcept>
#</Directory>
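The permission scheme above (home directory 711 so apache can traverse but not list it, public_html and everything under it 755) is easy to get wrong when a subdirectory is added later. The following script is an added example, not part of the notes: it checks a home directory against that scheme and can apply it. The script name and arguments are assumed; it relies on GNU stat -c and find -perm, as shipped on Fedora.

```shell
#!/bin/sh
# Added example (not from the notes): check, and optionally apply, the
# permission scheme the notes give for UserDir publishing: the home
# directory is 711 (others may traverse it but not list it) and public_html
# with every directory under it is 755.  Paths are taken as arguments;
# stat -c and find -perm are GNU coreutils/findutils, as on Fedora.

mode_of() { stat -c '%a' "$1"; }

# check_userdir HOME: returns 0 when HOME is 711 and HOME/public_html plus
# all of its subdirectories are 755; otherwise prints each offending path
# and returns 1.
check_userdir() {
  home=$1 rc=0
  [ "$(mode_of "$home")" = 711 ] || { echo "want 711, have $(mode_of "$home"): $home"; rc=1; }
  [ -d "$home/public_html" ] || { echo "missing $home/public_html"; return 1; }
  # any directory under public_html (including public_html itself) whose
  # mode is not exactly 0755
  bad=$(find "$home/public_html" -type d ! -perm 755)
  [ -z "$bad" ] || { printf 'want 755: %s\n' "$bad"; rc=1; }
  return $rc
}

# fix_userdir HOME: apply the scheme with chmod only (ownership untouched;
# plain files under public_html are left alone, only directories change).
fix_userdir() {
  chmod 711 "$1" && find "$1/public_html" -type d -exec chmod 755 {} +
}

# usage (assumed script name): sh userdir-check.sh /home/drjohn [--fix]
if [ -n "$1" ]; then
  check_userdir "$1" || { [ "$2" = --fix ] && fix_userdir "$1" && check_userdir "$1"; }
fi
```

Run it without --fix first: the report tells you which directory is wrong before anything is changed, and a home directory that is 755 rather than 711 is the usual finding, since it lets any local user list the home directory contents.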
#
# Use name-based virtual hosting.
#
NameVirtualHost *:53148
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
# SSL protocol.
#
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#<VirtualHost *:80>
# ServerAdmin webmaster@dummy-host.example.com
# DocumentRoot /www/docs/dummy-host.example.com
# ServerName dummy-host.example.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>
<VirtualHost *:53148>
# ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /var/www/gandalf
ServerName gandalf
ErrorLog logs/gandalf-error_log
# CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
<VirtualHost *:53148>
# ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /var/www/mediawiki
ServerName wiki
ErrorLog logs/wiki-error_log
# CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
Fedora firewalls / iptables notes
(partially from Negus' Fedora Linux toolbox)
Negus – Ch 10: Configuring the built in firewall
-- based on the iptables facility (www.netfilter.org)
-- lots of GUIs: sudo /usr/bin/system-config-firewall, firestarter, shorewall, fwbuilder
/etc/sysconfig/iptables
iptables -L
iptables-save
-- config file (remember to BACK it UP before changing)
-- display current iptables filter table
-- send current iptables filter table to stdout ( > somefile to save it)
------------------------------------------------------------------------Other notes:
The basic structure of iptables (packet-flow diagram, reconstructed as text):
  network --> PREROUTING (mangle, nat) --(1)--> Routing Decision
                 |--(3)--> FORWARD (mangle & filter) --> POSTROUTING (mangle & nat) --> network
                 |--(2)--> INPUT (mangle, filter) --> local process
  local process --(4)--> Routing Decision --> OUTPUT (mangle, nat, filter) --> POSTROUTING (mangle & nat) --> network
(1) when packet enters from network kernel looks at destination
(2) if destined for this machine packet goes to INPUT chain
(3) if not destined for this machine, if FORWARD chain exists rules in it are applied and packet is sent as specified in the
rules, if FORWARD chain does not exist default policy is applied
(4) packets sent from local process are routed, then put on the OUTPUT chain
----------------------------------------------------------
iptables basic concepts
1. Different sets of rules for different chains within different tables
2. Initial tables are: NAT, FILTER, MANGLE
3. Initial chains are: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
4. Targets to jump to are: ACCEPT, DROP, REJECT, LOG, SNAT, MASQUERADE
iptables operations to manage whole chains:
1. Create a new chain (-N).
2. Delete an empty chain (-X).
3. Change the policy for a built-in chain (-P).
4. List the rules in a chain (-L).
5. Flush the rules out of a chain (-F).
iptables operations on the rules inside a chain:
1. Append a new rule to a chain (-A).
2. Insert a new rule at some position in a chain (-I).
3. Replace a rule at some position in a chain (-R).
4. Delete a rule at some position in a chain, or the first that matches (-D).
individual rules:
1. Each rule specifies a set of conditions the packet must meet, and what to do if it meets them (a `target')
2. EX: wipe out (flush) all previous rules
iptables -F
3. EX: set default policies for INPUT chain
iptables -P INPUT DROP
4. EX: create a new chain in the filter table
iptables -N okay
5. EX: drop all ICMP packets coming from the IP address 127.0.0.1.
iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
6. EX: accept everything coming from the loopback address
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
7. EX: accept packets for the local web server coming from the Internet (eth0)
iptables -A INPUT -p TCP -i eth0 -s 0/0 --dport 80 -j ACCEPT
8. EX: forward all packets addressed to a web server to gandalf (the note as written omitted the DNAT target; -i names the incoming interface, -d would need an address)
iptables -t nat -A PREROUTING -p tcp -i $EXT_NIC --dport 80 -j DNAT --to-destination $WEB_SVR
Fedora rpm iptables files:
/sbin/iptables
/sbin/iptables-save
/etc/sysconfig/iptables-config
/etc/sysconfig/iptables
/etc/init.d/iptables
-- test hint "how do I find this out?"
-----------------------------------------------------steps to play with iptables:
cd ~
vi rc.firewall
WEB_SVR="gandalf"
EXT_NIC="eth0"
/sbin/iptables -F
/sbin/iptables -P INPUT DROP
...
:wq
chmod +x rc.firewall
sudo ./rc.firewall
/sbin/iptables -L
then play
# you are not going to get much now
# an example
#!/bin/sh
# Simple masq firewall
# Assumes all modules are either loaded or compiled into kernel
# setup network for forwarding, dynamic ips
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
IPTABLES=/usr/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
ANY="0.0.0.0/0"            # Match any IP address
CLASS_A="10.0.0.0/8"       # Class-A Private (RFC-1918) Networks
CLASS_B="172.16.0.0/12"    # Class-B Private (RFC-1918) Networks
CLASS_C="192.168.0.0/16"   # Class-C Private (RFC-1918) Networks
EXTIF="eth0"
INTIF="eth1"
echo "   External Interface: $EXTIF"
echo "   Internal Interface: $INTIF"
# default policies, then flush whatever rules were loaded before
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F -t nat
echo "FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Deny TCP and UDP packets to privileged ports
#$IPTABLES -A INPUT -i $EXTIF -d $ANY -p tcp --dport 0:1023 -j DROP
#$IPTABLES -A INPUT -i $EXTIF -d $ANY -p udp --dport 0:1023 -j DROP
# Deny TCP connection attempts
#$IPTABLES -A INPUT -i $EXTIF -p tcp --syn -j DROP
# accept packets for the local web server coming from the Internet (eth0)
$IPTABLES -A INPUT -p TCP -i $EXTIF -s 0/0 --dport 80 -j ACCEPT
# Deny ICMP echo-requests
$IPTABLES -A INPUT -i $EXTIF -s $ANY -p icmp --icmp-type echo-request -j DROP
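The individual rules listed earlier (default DROP on INPUT, accept loopback, accept established traffic, accept the web server port, drop echo-requests) and the rc.firewall steps, put together as one loadable ruleset. This is an added example and not the notes' own script: instead of one iptables call per rule it writes the rules in iptables-restore format, so the result can be reviewed without root and loaded atomically, with a LOG rule at the end so drops are visible in the kernel log. The interface name eth0, the web and ssh ports, and the backup file path are assumed defaults.

```shell
#!/bin/sh
# Added example (not from the notes): build a minimal stateful INPUT filter
# in iptables-restore format from a few variables, print it for review, and
# load it atomically with iptables-restore only when asked ("apply").
EXT_NIC="${EXT_NIC:-eth0}"     # assumed external interface, as in the notes
WEB_PORT="${WEB_PORT:-80}"
SSH_PORT="${SSH_PORT:-22}"

# build_rules: the ruleset on stdout (unquoted heredoc expands the variables)
build_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $EXT_NIC -p tcp --dport $WEB_PORT -m state --state NEW -j ACCEPT
-A INPUT -i $EXT_NIC -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
-A INPUT -i $EXT_NIC -p icmp --icmp-type echo-request -j DROP
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# count_rules: number of rule (-A) lines in the generated set
count_rules() { build_rules | grep -c '^-A '; }

# chain_policy CHAIN: the default policy the set declares for CHAIN
chain_policy() { build_rules | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"; }

# apply_rules: back up the live tables first (as the notes recommend), then
# load the whole set in one step; backup path is an assumed location
apply_rules() {
  iptables-save > "/root/iptables-backup.$(date +%F)" && build_rules | iptables-restore
}

if [ "${1:-}" = apply ]; then apply_rules; else build_rules; fi
```

Running the script with no argument prints the ruleset so it can be read and diffed against the output of iptables-save; only "apply" touches the kernel. The packets that reach the LOG rule are the ones the INPUT DROP policy will discard, which gives you the "what is being blocked?" answer that the notes' "then play" step is about.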
FireHOL, the iptables stateful packet filtering firewall builder.
http://firehol.sourceforge.net/
1. Identify your network interfaces
sudo ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:1f:c6:51:13:11 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:1f:c6:51:13:12 brd ff:ff:ff:ff:ff:ff
2. Think about what each interface should do
Ignore lo, in the case above eth0 is not used and eth1 is everything
Also think about what services, i.e. servers, you want.
3. Create the FireHOL configuration structure
In my Fedora 10 system the configuration file is /etc/firehol/firehol.conf
and by default it says
version 5
# Accept all client traffic on any interface
interface any world
client all accept
You should probably rename the interface if you are going to build a “real” firewall
version 5
interface eth1 world
client all accept
4. Now add servers and clients you wish to accept
version 5
interface any world
client all accept
interface eth1 home
server dns accept
server ssh accept
server http accept
If you have special ports or have moved services you may define your own servers
server custom myservice proto/sports cports accept
If you want to move the ssh port to 41265 the above file becomes:
version 5
interface any world
client all accept
interface eth1 home
server dns accept
server custom myssh tcp/41265 default accept
server http accept
5. Checking
Run
sudo /etc/rc.d/init.d/firehol debug
And it will show you the iptables results or problems
6. Pretty much done.
You can do much more, routing tables, masquerade, NAT but this gets you started
Brief MySQL Notes and Links
1. Get started with MySQL
2. Installing Apache2 with PHP5 and MySQL Support on OpenSuse 12.2 (LAMP)
3. Installing Apache2 with PHP5 and MySQL Support on Fedora
4. Installing LAMP on Ubuntu for Newbies
5. What is MySQL Configuration File
6. Right after install root password is blank
7. Brief Database Setup Notes (ISQS 4361)
8. show tables;
9. Reference Manuals
Linux RamDisk by Van Emery (see link below)
Base system is Fedora Core 9 (or any 2.4+ kernel)
ls -l /dev/ram*
lrwxrwxrwx    1 root root        4 Jun 12 00:31 /dev/ram -> ram1
brw-rw----    1 root disk    1,  0 Jan 30  2003 /dev/ram0
brw-rw----    1 root disk    1,  1 Jan 30  2003 /dev/ram1
...
dmesg | grep RAMDISK
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
RAMDISK: Compressed image found at block 0
To increase size of RamDisk edit entry in grub.conf
kernel /vmlinuz-2.4.20-20.9 ro root=LABEL=/ hdc=ide-scsi ramdisk_size=16000
confirmation of success of resize is in dmesg after reboot
dmesg | grep RAMDISK
Format the disk
mke2fs -m 0 /dev/ram0
Create the mount point and mount the disk
mkdir /mnt/rd
mount /dev/ram0 /mnt/rd
Now verify the new ramdisk mount:
mount | grep ram0
/dev/ram0 on /mnt/rd type ext2 (rw)
df -h | grep ram0
/dev/ram0              16M   13K   16M   1% /mnt/rd
For a detailed look at the new disk
tune2fs -l /dev/ram0
Give yourself access to the disk
chown van:root /mnt/rd
chmod 0770 /mnt/rd
ls -ald /mnt/rd
drwxrwx---    2 van  root  4096 Dec  8 11:09 /mnt/rd
To automate the creation every time you boot put the following into your
/etc/rc.d/rc.local file
# Formats, mounts, and sets permissions on my 16MB ramdisk
/sbin/mke2fs -q -m 0 /dev/ram0
/bin/mount /dev/ram0 /mnt/rd
/bin/chown van:root /mnt/rd
/bin/chmod 0750 /mnt/rd
Other links
OtherLinks/tripwire-notes.odt
OtherLinks/Apache-2.2.6-Notes.odt
http://www.vanemery.com/Linux/Ramdisk/ramdisk.html
SELinux Notes (http://www.nsa.gov/selinux/)
Potential to compartmentalize and secure every component of a Linux system
- processes, files, directories, users, devices etc
Instead of the all or nothing idea of root or not root you have LOTS of discretion
Mandatory Access Control (MAC) rather than Discretionary Access Control
Directories, files, etc in SELinux have many more attributes associated with them than in standard
Two different security models
- Type Enforcement
  - All objects are bound to a security attribute called a type
  - All processes are bound to an attribute called a domain
  - Every user is allowed to access objects based on the domain in which they operate
- Role-Based Access Control
  - each user operates in a specific role
  - roles are arranged in a hierarchy with specific permissions at each level
Files:
/etc/selinux/config
- SELINUX= (disabled, permissive, or enforcing)
- SELINUXTYPE= (targeted, mls (multilevel security))
  - targeted limits the impact an attack on a single server can have on the system
  - /etc/selinux/targeted (the policy directory; /etc/selinux/config itself is a file)
/usr/sbin/getenforce -- report status
/usr/sbin/setenforce -- set status
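Because setenforce changes the running mode without touching /etc/selinux/config, a host can quietly run permissive while its config still says enforcing (and the reverse after an edit that was never followed by a reboot). The script below is an added example, not from the notes: it reads the SELINUX= value from the config file and compares it with what getenforce reports. The config path defaults to the real one; the function names are assumed.

```shell
#!/bin/sh
# Added example (not from the notes): compare the SELinux mode written in
# /etc/selinux/config with the mode the kernel is running right now, so a
# "temporary" setenforce 0 that was never reverted shows up as drift.

# configured_mode FILE: the SELINUX= value, comments and blank lines
# ignored, whitespace around "=" tolerated, case-folded; "unset" if the
# file has no such line (SELINUXTYPE= is a different key and is skipped).
configured_mode() {
  mode=$(sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null \
         | tail -n 1 | tr 'A-Z' 'a-z')
  echo "${mode:-unset}"
}

# running_mode: what the kernel reports; "unknown" if getenforce is absent
running_mode() {
  if command -v getenforce >/dev/null 2>&1; then
    getenforce | tr 'A-Z' 'a-z'
  else
    echo unknown
  fi
}

# modes_agree CONFIGURED RUNNING: 0 when they match or the runtime mode is
# unknown (nothing to compare), 1 when they differ
modes_agree() {
  [ "$2" = unknown ] && return 0
  [ "$1" = "$2" ]
}

# report [CONFIG_FILE]: one line, non-zero exit on drift so it can feed a cron job
report() {
  cfg=$(configured_mode "${1:-/etc/selinux/config}")
  run=$(running_mode)
  if modes_agree "$cfg" "$run"; then
    echo "ok: configured=$cfg running=$run"
  else
    echo "DRIFT: configured=$cfg running=$run"
    return 1
  fi
}
```

Called from cron, the non-zero exit on DRIFT is the hook: "configured=enforcing running=permissive" is the case worth an alert, while "configured=disabled" on a box that should be enforcing is caught by reading the first field.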
Documentation:
/usr/share/doc/selinux-doc...
/usr/share/doc/selinux-policy
--> cat /usr/share/doc/selinux-policy-3.0.8/example.fc
# myapp executable will have:
# label: system_u:object_r:myapp_exec_t
# MLS sensitivity: s0
# MCS categories: <none>
/usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0)
Users:
still have passwd file, root user, etc
Tools:
checkpolicy
– looks at policy.conf file if found
yum install setools-gui
/usr/bin/apol
/usr/bin/seaudit
/usr/bin/sediffx
rpm -qa | grep selinux
Desktop Menu Specification
(http://www.freedesktop.org/wiki/)
Desktops
Two general types of desktop:
“heavyweight” like KDE & GNOME contain desktop & app dev. Frame.
And “plain” that only include desktop
Problem is getting everything to work together
XDG Base directory Specification
$XDG_DATA_HOME user specific data files ($HOME/.local/share)
$XDG_CONFIG_HOME user specific configuration files ($HOME/.config)
$XDG_DATA_DIRS preference-ordered set of directories to search for data files (/usr/local/share/:/usr/share)
$XDG_CONFIG_DIRS preference-ordered set of base directories to search for configuration files in addition to the $XDG_CONFIG_HOME (/etc/xdg)
/etc/xdg/user-dirs.conf
# This controls the behaviour of xdg-user-dirs-update which is run on user login
# You can also have per-user config in ~/.config/user-dirs.conf, or specify
# the XDG_CONFIG_HOME and/or XDG_CONFIG_DIRS to override this
#
enabled=True
~/.config/user-dirs.dirs (default is /etc/xdg/user-dirs.defaults)
XDG_DESKTOP_DIR="$HOME/Desktop"
XDG_DOWNLOAD_DIR="$HOME/downloads"
XDG_TEMPLATES_DIR="$HOME/Templates"
XDG_PUBLICSHARE_DIR="$HOME/Public"
XDG_DOCUMENTS_DIR="$HOME/Documents"
XDG_MUSIC_DIR="$HOME/Music"
XDG_PICTURES_DIR="$HOME/Pictures"
XDG_VIDEOS_DIR="$HOME/Videos"
File locations
$XDG_CONFIG_DIRS/menus/${XDG_MENU_PREFIX}applications.menu
XML definition of the main application menu layout
$XDG_CONFIG_DIRS/menus/applications-merged/
third parties may add new <Menu> files in this location to create
their own sub-menus
$XDG_DATA_DIRS/applications/
a .desktop file for each possible menu item
$XDG_DATA_DIRS/desktop-directories/
directory entries which may be associated with folders in the menu
foo.desktop specifications
http://standards.freedesktop.org/desktop-entry-spec/latest/
look in /usr/share/applications for examples
Extensions to the desktop format above
Categories is a list of strings used to classify menu items
OnlyShowIn a list of strings identifying the environments that should
display a given menu item
NotShowIn desktops that should not display an item
Example elements in kde-applications.menu
<Menu>
<Name>Applications</Name>
<Directory>kde-unknown.directory</Directory>
<OnlyUnallocated/>
<Include>
<Not>
<!-- Don't list non-KDE core applications -->
<And>
<Category>Core</Category>
<Not><Category>KDE</Category></Not>
</And>
<Category>X-Red-Hat-Base</Category>
</Not>
</Include>
</Menu>
<Menu>
<Name>System Settings</Name>
<MergeFile>system-settings.menu</MergeFile>
</Menu>
<Menu>
<Name>X-KDE-KDevelopIDE</Name>
<Directory>kde-development-kdevelop.directory</Directory>
<Include>
<And>
<Category>Development</Category>
<Category>X-KDE-KDevelopIDE</Category>
</And>
</Include>
</Menu>
Misc Review notes
bash scripts
example script:
#!/bin/bash
#add a -v to the line above for debugging
echo "date is $(date +%F)"
echo
dte1='date +%F'
echo "dte1=$dte1"
echo
dte2="date +%F"
echo "dte2=$dte2"
echo
dte3=$(date +%F)
echo "dte3=$dte3"
echo
dte4=`date +%A`
echo "dte4=$dte4"
results:
--> test-src/dt.sh
date is 2008-11-12
dte1=date +%F
dte2=date +%F
dte3=2008-11-12
dte4=Wednesday
- after changing first line to #!/bin/bash -v
--> test-src/dt.sh
#!/bin/bash -v
#add a -v to the line above for debugging
echo "date is $(date +%F)"
date +%F
date is 2008-11-12
echo
dte1='date +%F'
echo "dte1=$dte1"
dte1=date +%F
echo
dte2="date +%F"
echo "dte2=$dte2"
dte2=date +%F
echo
dte3=$(date +%F)
date +%F
echo "dte3=$dte3"
dte3=2008-11-12
echo
dte4=`date +%A`
date +%A
echo "dte4=$dte4"
dte4=Wednesday
a backup bash script
#!/bin/bash
BACKUPDIR="/Gandalf/data/backup/"
ECHODATA="Backup done: "
# exclude list (defined here but not used by the tar commands below)
EXCLUDES="--exclude=Recyled --exclude=recyler --exclude=. --exclude=.. --exclude='*Trash*' --exclude='temp*' --exclude='tmp*'"
#echo -e "\nMoving old backup to previous folder"
rm $BACKUPDIR/previous/*
mv $BACKUPDIR/current/* $BACKUPDIR/previous
echo
echo $BACKUPDIR/current/etc.tgz
tar -zhcf $BACKUPDIR/current/etc.tgz /etc
echo
echo $BACKUPDIR/current/boot.tgz
tar -chzf $BACKUPDIR/current/boot.tgz /boot /Gandalf/FC8/boot --exclude=/boot/boot
echo
echo partition tables
./backup_partition_tables.sh
a backup bash script for disk partitions
#!/bin/bash
BACKUPDIR="/Gandalf/data/backup/current"
echo $BACKUPDIR/MBR_Partition_Tables.tgz
# first 512 bytes of each disk: boot code plus the MBR partition table
dd if=/dev/sda bs=512 count=1 of=$BACKUPDIR/sda_MBR
dd if=/dev/sdb bs=512 count=1 of=$BACKUPDIR/sdb_MBR
/sbin/fdisk /dev/sda -l > $BACKUPDIR/sda_partition_table.txt
/sbin/fdisk /dev/sdb -l > $BACKUPDIR/sdb_partition_table.txt
# only sd* files are created above (the original also listed hd*, which would
# have made tar fail on an unmatched glob)
tar -czf $BACKUPDIR/MBR_Partition_Tables.tgz $BACKUPDIR/sd*
rm $BACKUPDIR/sd*
a file system mounting bash script
(mnt)
#!/bin/bash
# lower-case the argument so "Kitchen" and "kitchen" both work
n=`echo $1 | tr A-Z a-z`
# same script mounts or unmounts depending on the name it was invoked as
if [ "$0" = "/usr/local/bin/mnt" ]; then
  case $n in
    "kitchen" | "k" | "belinda" | "b" )
      sudo mount -t cifs '//Ariel/Easy (E)' /Gandalf/Belinda/Easy \
        -o credentials=/Gandalf/Laura/configs/.what,uid=500,gid=500 ;;
    "safe" | "s" | "encrypt" | "e" )
      encfs /Gandalf/data/.safe /Gandalf/data/safe ;;
    "gimli" | "g" )
      sudo mount -t cifs "//192.168.1.50/media" /Gimli/media \
        -o credentials=/Gandalf/Laura/configs/.what,uid=500,gid=500 ;;
    "zeus" | "z" )
      sshfs drjohn@zeus:/home/durrett/Ike /Gandalf/RemoteSites/Ike ;;
    * )
      echo "Usage: mnt WhatToMount" ;;
  esac
elif [ "$0" = "/usr/local/bin/umnt" ]; then
  case $n in
    "kitchen" | "k" | "belinda" | "b" )
      sudo umount /Gandalf/Belinda/Easy ;;
    "safe" | "s" | "encrypt" | "e" )
      fusermount -u /Gandalf/data/safe ;;
    "gimli" | "g" | "gimlidecent" | "gimliown" | "go" )
      sudo umount /Gimli/media ;;
    "zeus" | "z" )
      sudo umount /Gandalf/RemoteSites/Ike ;;
  esac
fi
to unmount
ln -s mnt umnt
a bash “data” file
username=drjohn
password=sean