
RHEL NOTES FOR RH253
====================

Unit 2 : System Service Access Controls
=======================================

INIT
Serial console / modem: /etc/inittab

rc - initialization scripts
X11
respawn example: co:23:respawn:/sbin/agetty -f /etc/issue.serial 19200 ttyS1
/etc/init.d example: /etc/init.d/network status  (same as: service network status)

CHKCONFIG manages services:
chkconfig cups on
system-config-services
chkconfig --list
chkconfig --list cups
chkconfig standalone_service on/off --> runlevels 2,3,4,5
chkconfig transient_service on/off --> xinetd service
chkconfig --add/--del service --> the start/kill (S/K) symbolic links are set or removed.

To check which initialization scripts will run (each script carries a "# chkconfig: <levels> <start> <stop>" header):
grep 'chkconfig:[[:space:]][[:digit:]]\+' /etc/init.d/*

XINETD: /etc/xinetd.conf, /etc/xinetd.d/<service>

example: /etc/xinetd.d/tftp
libwrap.so --> tcp_wrappers library
chkconfig tftp on
/etc/services
Access controls (example for telnet, in /etc/xinetd.d/telnet):
    only_from = 192.168.0.0/24
    no_access = 192.168.0.1
/etc/sysconfig/ files

SELinux: Mandatory access control (MAC); files and processes have a security context.
Context fields: user:role:type:sensitivity:category
  file example:    user_u:object_r:tmp_t:s0:c0
  process example: system_u:system_r:...
ls -Z, ls -Zd
ps -Zax, ps -eZ
chcon -t tmp_t /etc/hosts
restorecon /etc/hosts
chcon --reference --> applies the security context of one object to another:
chcon --reference /etc/shadow anaconda-ks.cfg
Policies: strict policy -> targeted policy -> multilevel security

MODES: enforcing, permissive, disabled
getenforce
setenforce 0 | 1
disable:
 1) from GRUB: selinux=0
 2) SELINUX=disabled in /etc/sysconfig/selinux
system-config-securitylevel
system-config-selinux
errors in /var/log/audit/audit.log and /var/log/messages (setroubleshootd)
semanage fcontext -l --> lists file contexts
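As an added worked example (not code from the notes), here is a small Python model of what the chkconfig grep above and chkconfig --add derive from the "# chkconfig:" header: which runlevels get an S link and which get a K link. The init scripts it parses are constructed samples, not real RHEL scripts.

```python
"""Which SysV init scripts start in a given runlevel?

Added example, not from the RH253 notes.  It reads the
'# chkconfig: <levels> <start> <stop>' header that scripts in /etc/init.d
carry (the header the notes' grep matches) and reproduces what
'chkconfig --add' derives from it: an S<start> link in each listed
runlevel and a K<stop> link in the others.  The scripts below are
constructed samples, not copies of real RHEL init scripts.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample init scripts, keyed by their /etc/init.d name.
SAMPLE_INIT_SCRIPTS = {
    "network": "#!/bin/bash\n# chkconfig: 2345 10 90\n# description: network\n",
    "cups":    "#!/bin/sh\n# chkconfig: 2345 56 10\n",
    "named":   "#!/bin/bash\n# chkconfig: - 13 87\n",   # '-': off in every runlevel
    "tftp":    "#!/bin/sh\n# xinetd transient service: no chkconfig header\n",
}

HEADER_RE = re.compile(r"^#\s*chkconfig:\s*(\S+)\s+(\d+)\s+(\d+)\s*$", re.MULTILINE)


def parse_chkconfig_header(script_text: str) -> Optional[Tuple[str, int, int]]:
    """Return (levels, start_priority, stop_priority), or None if no header."""
    m = HEADER_RE.search(script_text)
    if m is None:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def rc_links(name: str, script_text: str) -> Dict[int, str]:
    """Map runlevel 0-6 to the /etc/rc<N>.d symlink name chkconfig --add creates."""
    header = parse_chkconfig_header(script_text)
    if header is None:
        return {}                      # chkconfig --add refuses such a script
    levels, start, stop = header
    on_levels = set() if levels == "-" else {int(c) for c in levels}
    return {
        lvl: ("S%02d%s" % (start, name) if lvl in on_levels else "K%02d%s" % (stop, name))
        for lvl in range(7)
    }


def services_started_in(runlevel: int, scripts: Dict[str, str]) -> List[str]:
    """Script names that get an S link in runlevel, in the order rc would start them."""
    starts = []
    for name, text in scripts.items():
        link = rc_links(name, text).get(runlevel)
        if link is not None and link.startswith("S"):
            starts.append((link, name))
    return [name for _, name in sorted(starts)]


if __name__ == "__main__":
    for lvl in (3, 5):
        print("runlevel %d starts: %s" % (lvl, services_started_in(lvl, SAMPLE_INIT_SCRIPTS)))
```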

Unit 3 : Network Service Access Controls
========================================

Routing: route -n
mtr - ping + traceroute combined

IPV6:
/etc/rc.d/init.d/network
/etc/sysconfig/network --> NETWORKING_IPV6=yes
/etc/sysconfig/network-scripts/ifcfg-ethX --> IPV6INIT=yes
ZERO CONF --> 169.254.0.0
GATEWAY OF LAST RESORT --> 192.168.0.254
/etc/modprobe.conf (to turn IPv6 off):
    alias net-pf-10 off
    alias ipv6 off
ip -6 addr show
dhcp6c, DHCPV6C=yes
IPV6ADDR= --> IPv6 address of the ethernet interface
IPV6ADDR_SECONDARIES= --> additional addresses on the primary interface
IPV6_DEFAULTGW=
IPV6_DEFAULTDEV=
Loopback address -> ::1
/sbin/ifup, /sbin/ifdown
ip -6 route add
/etc/hosts.allow --> ALL: [::1]
ping6, traceroute6, tracepath6, ip -6
host -t AAAA hostname6.domain6

NETFILTER:
Logs via klogd
enable firewall: system-config-securitylevel (GUI) or lokkit (MENU)
service iptables save --> saves the rules to /etc/sysconfig/iptables
/etc/init.d/iptables start

iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j DROP
iptables -t filter -A INPUT -s 192.168.0.1 -j DROP
iptables -F INPUT --> flush all INPUT rules
iptables -L INPUT
iptables -D INPUT 4 --> delete rule number 4
iptables -I INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -I OUTPUT -o eth0 -d 192.168.0.0/24 -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -s '!' 192.168.0.1/24 -j DROP
iptables -I INPUT -p tcp -s 192.168.0.1 --sport 123 -d 192.168.0.2 --dport 1024: -j ACCEPT
iptables -I INPUT -p icmp --icmp-type echo-request -j DROP
iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -Z INPUT --> zeros out the counters
NOTE: view with iptables -vL INPUT to verify
iptables -P INPUT DROP --> sets a DROP policy for all INPUT! Better to use a catch-all RULE:

iptables -A INPUT -j DROP

Flush NAT tables: iptables -t nat -F
iptables -A INPUT -p icmp -s 192.168.0.8 -j DROP
iptables -t nat -L
iptables -A FORWARD -s 192.168.0.0/24 -j DROP
iptables -I FORWARD -s 192.168.0.0/24 -j ACCEPT

ANTISPOOFING RULES:
iptables -A FORWARD -i eth1 -s 192.168.0.0/24 -j DROP
iptables -A FORWARD -i eth0 -s '!' 192.168.0.0/24 -j DROP

DROP WEB TRAFFIC:
iptables -A FORWARD -i eth0 -s 192.168.0.8 -p tcp --dport 80 -j DROP
Check network traffic using: tshark -ni eth0 host station8

CHANGE POLICY:
iptables -P FORWARD DROP --> all forwards dropped!
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 64.233.167.99 -j ACCEPT --> allow the google.com IP (incoming/outgoing)
iptables -P FORWARD ACCEPT

CUSTOMIZE (user-defined chain):
iptables -N BAD_LIST
iptables -A FORWARD -s 192.168.0.8 -j BAD_LIST
iptables -X BAD_LIST --> deletes the (empty) user-defined chain

EXAMPLES:
=========
iptables -A INPUT -s BAD_LIST -j REJECT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 22 -j REJECT

iptables -D INPUT

EXAMPLES OF A BASIC FIREWALL (using connection tracking):
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT --> permit established connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i rht0 -j ACCEPT --> open httpd
iptables -A INPUT -m state -p udp --state NEW --dport 53 -i eth0 -j ACCEPT --> open dns
iptables -A INPUT -p icmp --icmp-type echo-request -i rht0 -s 192.168.0.8/24 -m limit --limit 1/s --> limit ping to 1/s
iptables -A FORWARD -m random --average 50 -j DROP

CONNECTION TRACKING:
less /proc/net/ip_conntrack
states: NEW, ESTABLISHED, RELATED, INVALID
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -m state --state NEW -j DROP
modules: ip_conntrack_ftp, ip_conntrack_tftp, ip_nat_ftp, ip_nat_tftp
/etc/sysconfig/iptables-config

[root@secure iptables]# more /etc/sysconfig/iptables-config | grep MODULE
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_tftp ip_nat_ftp"
IPTABLES_MODULES_UNLOAD="yes"
[root@secure iptables]# more /etc/sysconfig/iptables-config | grep SAVE
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

NAT:
SNAT --> for fixed IPs
MASQUERADE --> for DHCP (dynamic) addresses
DNAT:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-dest 192.168.0.20-192.168.0.21 --> http DNAT to a range of hosts
dnat/snat options: --to-dest / --to-source

outbound, with destination port:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-dest 192.168.0.200:3128
SNAT:
iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.45
iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.45:1234
iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.45-1.2.3.55
iptables -t nat -A POSTROUTING -j SNAT --to-source 1.2.3.45:1234-1334

MASQUERADE: (used for dial-up connections; note that connections are not remembered across different connections.)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
restorecon -R /etc/sysconfig

Unit 4 : DNS
============

Hostname services: /etc/hosts, /etc/networks, DNS, NIS
Client-side resolvers: stub, dig, host, nslookup
resolver lib: gethostbyname(), glibc functions
/etc/nsswitch.conf --> hosts: files dns
NIS and DNS domain names should be different.
DNS resolvers:
host --> uses the nameserver and search lines in /etc/resolv.conf
dig --> uses the nameserver in /etc/resolv.conf
dig +trace redhat.com

Resource record fields:
domain - name
ttl - how long the record may be cached
class - IN, CH, HS
type - A, NS, CNAME, MX, PTR, SOA
rdata - data to which the domain field is mapped

NOTE: NS records are referrals, A is the final answer.
forward lookup - dig redhat.com
reverse lookup - dig -x 123.234.123.87  or  dig -t ptr 87.123.234.123.in-addr.arpa
mail exchanger lookup - dig -t mx redhat.com
master authority - dig -t soa redhat.com
dig +trace redhat.com
everything (zone transfer) - dig -t axfr example.com. @192.168.0.254

Using the host command:
delegation - host -rt ns redhat.com
force iterative - host -r redhat.com
reverse lookup - host 209.132.177.50
MX lookup - host -t mx redhat.com
SOA lookup - host -t soa redhat.com
zone transfer - host -t axfr redhat.com 192.168.0.254  or  host -t ixfr=serial example.com 192.168.0.254

DNS server packages: bind, bind-utils, bind-chroot
Daemons: /usr/sbin/named, /usr/sbin/rndc, /etc/init.d/named

ports - 53 (dns), 953 (rndc)
config: /var/named/chroot, /etc/named.conf, /var/named/*, /etc/rndc.key
caching-nameserver, openssl
ldd `which named` | grep libwrap
strings `which named` | grep hosts
grep named /etc/selinux/targeted/contexts/files/file_contexts
restorecon -R /var/named/chroot
getsebool -a | grep named

service named configtest service named start chkconfig named on

Stub resolver: /etc/resolv.conf --> nameserver 127.0.0.1
/etc/sysconfig/network-scripts/ifcfg-ethX --> PEERDNS=no
/var/lib/dhclient/dhclient-eth0.leases
bind-chroot: /etc/sysconfig/named
named.caching-nameserver.conf, named.ca, named.conf

NOTE: Always set allow-query to localhost for troubleshooting!

named-checkconf -t /var/named/chroot named-checkzone redhat.com /var/named/chroot/var/named/redhat.com/zone

rndc: /etc/rndc.key
flush the server's cache: rndc flush
named verifies the key presented by rndc
NOTE: use rndc just like apachectl!

DNS CLIENT:
/etc/hosts --> 127.0.0.1 enterprise5 localhost.localdomain localhost
/etc/resolv.conf --> nameserver 1.2.3.4 (don't forget to edit resolv.conf for resolution)
/etc/nsswitch.conf --> hosts: files dns

DNS CONFIG FILES (locations):
/etc/sysconfig/named
NOTE: if ROOTDIR=/var/named/chroot then the following apply:
/var/named/chroot/etc/named.conf
/var/named/chroot/etc/named.caching-nameserver.conf
/var/named/chroot/etc/named.rfc1912.zones
/var/named/chroot/etc/rndc.key
/var/named/chroot/var/named/my.internal.zone.db
/var/named/chroot/var/named/slaves/my.slave.internal.zone.db
/var/named/chroot/var/named/my.ddns.internal.zone.db
/var/named/chroot/var/named/localdomain.zone
/var/named/chroot/var/named/localhost.zone
/var/named/chroot/var/named/named.ca
/var/named/chroot/var/named/named.local
/var/named/chroot/var/named/named.ip6.local
/var/named/chroot/var/named/named.broadcast
/var/named/chroot/var/named/named.root
/var/named/chroot/var/named/named.zero
/var/named/chroot/var/named/data/named.stats.txt

rndc dumpdb --> dumps the database
rndc stats --> statistics
rndc-confgen

host -l egsampleisnot.com
man -k named | grep selinux
makewhatis & --> builds the man page index (for man -k)
NOTES: named.conf global options (additional parameters to remember):
    allow-transfer { localhost; IP_ADDRESS_OF_INTERFACE; };
    forwarders { INTERFACE; };
    forward only;
In the views section:
    match-clients { localhost; 192.168.0.0/24; };
Checking zone transfers: dig -t axfr domainx.example.com
dig +norecurse stationX.example.com @localhost

DHCP:
/usr/sbin/dhcpd, /etc/init.d/dhcpd
ports: 67, 68
/etc/dhcpd.conf
/var/lib/dhcpd/dhcpd.leases
service dhcpd configtest
/etc/sysconfig/dhcpd

Unit 5 : File Sharing
=====================

FTP: vsftpd - /etc/vsftpd/vsftpd.conf
anonymous: /var/ftp (chrooted)

SELinux booleans: allow_ftpd_anon_write, allow_ftpd_use_cifs, allow_ftpd_use_nfs, ftp_is_daemon, ftp_home_directory
--> activate read/write access to user home directories: setsebool -P ftp_home_directory 1
Directives:
anonymous_enable=NO
anon_upload_enable=YES
users: deny -> /etc/vsftpd/ftpusers
userlist_enable=YES
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
package --> vsftpd
/usr/sbin/vsftpd, /etc/init.d/vsftpd
ports: 21, 20
/etc/pam.d/vsftpd
/var/log/xferlog
tcp_wrappers, ip_conntrack_ftp, ip_nat_ftp
========================================================
more /etc/pam.d/vsftpd
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
========================================================
Clients: lftp
chkconfig vsftpd on
chkconfig --list vsftpd
service vsftpd start
Security:
anonymous_enable=YES --> the SELinux context for the upload directory is public_content_rw_t

local_enable=YES
write_enable=YES
chroot_list_enable=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES (/etc/hosts.allow and /etc/hosts.deny files)

NFS:
FILES: /etc/exports, /etc/init.d/nfs, /etc/init.d/nfslock, /etc/fstab, /etc/init.d/netfs (mounts network filesystems at boot)
exportfs -r
service nfs reload/start, service nfs status
mount requires portmap (RPC service): portmap, nfs, rpc.mountd
rpcinfo -p  or  service portmap status  or  service nfs status
exportfs -r --> refresh exports

exportfs -v --> list exports
exportfs -a --> export all shares
exportfs -u --> unexport shares
showmount -e host --> show the exports of host
portmap, rpc.nfsd, rpc.mountd, rpc.lockd, rpc.rquotad, rpc.statd are required for NFS
ports: 2049, 111 (netstat -tulpn | grep 111  or  lsof -i:111)
tcp_wrappers capable --> mountd, portmap (e.g. in /etc/hosts.allow: portmap: 192.168.0.)
nfsstat
chkconfig nfs on
autofs
system-config-nfs --> GUI tool

Examples:
options: ro, sync, rw, root_squash, insecure, no_root_squash
/etc/exports:
/var/ftp/pub          *.example.com(ro,sync) server1.redhat.com(rw,sync)
/root/presentations   server2.example.com(rw,sync)
/data                 192.168.10.0/255.255.255.0(sync)

NFS and SELinux booleans: allow_gssd_read_tmp, allow_nfsd_anon_write, nfs_export_all_ro, nfs_export_all_rw
example: setsebool -P nfs_export_all_rw 1

Client side:
/etc/fstab entry: server1:/var/ftp/pub  /mnt/pub  nfs  defaults  0 0
/etc/init.d/netfs, autofs
mount options: rsize=8192, wsize=8192 (performance tuning); soft, hard, intr, nolock
/etc/auto.master, /etc/auto.misc
showmount -e <servername>

security issues: authentication, privacy, portmap infrastructure
/etc/sysconfig/nfs (pins the RPC daemon ports):
MOUNTD_PORT="32756"
STATD_PORT="32766"

LOCKD_TCPPORT="32765"
LOCKD_UDPPORT="32765"
Note: both lockd ports are the same.

SAMBA: cifs or smbfs (kernel components CONFIG_CIFS_FS and CONFIG_SMB_FS)
winbindd, wins, smbclient, nmbd, smbd
packages: samba, samba-common, samba-client
ports: 137, 138, 139, 445
webadmin (SWAT): port 901
/etc/samba/*, smb.conf
system-config-samba, testparm, samba-swat
Example: testparm /etc/samba/smb.conf server1 <ip address>

Starting Samba:
chkconfig smb on
service smb start
service smb status
mount.cifs, umount.cifs, smbprint, testparm, smbstatus, smbpasswd, smbusers
smbclient -L <hostname> -U 'userjoe%passwd'
smbclient //machine/service   (the user should be in /etc/passwd)
nmblookup -U WINS_server -R name
nmblookup \*
mount -t cifs //server/service /mountpoint -o option1,option2,...
mount -t cifs //stationX/<share> /mnt/samba -o user=user,dom=domain,uid=500,file_mode=644
smbmount //server/share /mnt/smb_mountpoint -o username=smbuser
smbumount /mnt/smb_mountpoint
Also in /etc/fstab:
//stationX/homes    /mnt/homes  cifs  username=bob,uid=bob  0 0
//servername/share  /mntpt      cifs  credentials=/etc/samba/cred.txt  0 0
//station1/homes    /mnt/homes  cifs  username=bob,uid=bob,noauto  0 0   (noauto: will not ask for the password during reboot)
Use the winbindd daemon if Windows usernames and passwords are to be used.

SELinux support for Samba:
booleans: allow_smb_anon_write --> public_content_rw_t, samba_enable_home_dirs, samba_share_nfs, use_samba_home_dirs
setsebool -P samba_enable_home_dirs 1
Note: you can let users run the mount executables by setting SUID on them:
chmod u+s /sbin/mount.cifs
chmod u+s /sbin/umount.cifs
/sbin/mount.cifs //enterprise5a/tmp test -o username=michael%abc123
/sbin/umount.cifs test
Add the above two commands to the user's .bashrc and .bash_logout files respectively.

SAMBA CONFIGURATION: /etc/samba/smb.conf
=============================================
#============================ Global Settings ==============================
   workgroup = MYGROUP
   netbios name = enterprise5a
   server string = Samba Server
   security = user
## security can be user for local, domain for a domain controller, ads for active directory,
### server for another computer, or share for peer-to-peer workgroup
;  hosts allow = 192.168.1. 192.168.2. 127.
   load printers = yes
   printcap name = /etc/printcap
;  printcap name = lpstat
;  printing = cups
   cups options = raw
;  guest account = pcguest
   log file = /var/log/samba/%m.log
## Log size is in KB
   max log size = 50
#  password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
#  or to auto-locate the domain controller/s
#  password server = *
;  password server = <NT-Server-Name>
#  Use the realm option only with security = ads
#  Specifies the Active Directory realm the host is part of
;  realm = MY_REALM
#  Backend to store user information in. New installations should
#  use either tdbsam or ldapsam. smbpasswd is available for backwards
#  compatibility. tdbsam requires no further configuration.
;  passdb backend = tdbsam
;  include = /usr/local/samba/lib/smb.conf.%m
## more than one NIC
;  interfaces = 192.168.12.2/24 192.168.13.2/24
;  local master = no
;  os level = 33
### Don't use this
#  if you already have a Windows NT domain controller doing this job
;  domain master = yes
;  preferred master = yes
#  Windows95 workstations.
;  domain logons = yes

#  if you enable domain logons then you may want a per-machine or
#  per user logon script
#  run a specific logon batch file per workstation (machine)
;  logon script = %m.bat
#  run a specific logon batch file per username
;  logon script = %U.bat
#  Where to store roving profiles (only for Win95 and WinNT)
#  %L substitutes for this servers netbios name, %U is username
#  You must uncomment the [Profiles] share below
;  logon path = \\%L\Profiles\%U
#  Windows Internet Name Serving Support Section:
#  WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
;  wins support = yes
;  wins server = w.x.y.z
;  wins proxy = yes
   dns proxy = no
   username map = /etc/samba/smbusers
#  These scripts are used on a domain controller or stand-alone
#  machine to add or delete corresponding unix accounts
;  add user script = /usr/sbin/useradd %u
;  add group script = /usr/sbin/groupadd %g
;  add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
;  delete user script = /usr/sbin/userdel %u
;  delete user from group script = /usr/sbin/deluser %u %g
;  delete group script = /usr/sbin/groupdel %g
#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writeable = yes
#  Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
;  comment = Network Logon Service
;  path = /usr/local/samba/lib/netlogon
;  guest ok = yes
;  writable = no
;  share modes = no
#  Un-comment the following to provide a specific roving profile share
#  the default is to use the user's home directory
;[Profiles]
;  path = /usr/local/samba/profiles
;  browseable = no
;  guest ok = yes
#  NOTE: If you have a BSD-style print system there is no need to
#  specifically define each individual printer
[printers]
   comment = All Printers
   path = /usr/spool/samba
   browseable = no
#  Set public = yes to allow user 'guest account' to print
;  guest ok = no
;  writeable = no

   printable = yes
#  This one is useful for people to share files
;[tmp]
;  comment = Temporary file space
;  path = /tmp
;  read only = no
;  public = yes
;[public]
;  comment = Public Stuff
;  path = /home/samba
;  public = yes
;  writable = yes
;  printable = no
;  write list = @staff
#  A private printer, usable only by fred. Spool data will be placed in fred's
#  home directory. Note that fred must have write access to the spool directory,
#  wherever it is.
;[fredsprn]
;  comment = Fred's Printer
;  valid users = fred
;  path = /homes/fred
;  printer = freds_printer
;  public = no
;  writable = no
;  printable = yes
#  A private directory, usable only by fred. Note that fred requires write
#  access to the directory.
;[fredsdir]
;  comment = Fred's Service
;  path = /home/fred
;  valid users = fred
;  public = no
;  writable = yes
;  printable = no
#  a service which has a different directory for each machine that connects
#  this allows you to tailor configurations to incoming machines. You could
#  also use the %U option to tailor it by user name.
#  The %m gets replaced with the machine name that is connecting.
;[pchome]
;  comment = PC Directories
;  path = /home/pc/%m
;  public = no
;  writable = yes
;[public]
;  path = /usr/somewhere/else/public
;  public = yes
;  only guest = yes
;  writable = yes
;  printable = no
#  The following two entries demonstrate how to share a directory so that two

#  users can place files there that will be owned by the specific users. In this
#  setup, the directory should be writable by both users and should have the
#  sticky bit set on it to prevent abuse. Obviously this could be extended to
#  as many users as required.
;[myshare]
;  comment = Mary's and Fred's stuff
;  path = /usr/somewhere/shared
;  valid users = mary fred
;  public = no
;  writable = yes
;  printable = no
;  create mask = 0765
#============================ Share Definitions ==============================

Joining a domain:
net rpc join -U root
net rpc join -S DC -U root
Setting up accounts and passwords similar to Windows:
useradd username
smbpasswd -a newUser
more /etc/samba/smbusers
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
mksmbpasswd.sh --> generates /etc/samba/smbpasswd entries for all users
NOTE: don't forget to set the sticky bit on a public share!
chmod 1777 /home/publicshare

Unit 6 : Apache
===============

/etc/httpd/conf/httpd.conf
Modular directive files via: Include conf.d/*.conf (mod_perl, mod_ssl)
Packages: httpd, httpd-devel, httpd-manual
Installation:
yum install httpd
yum install system-config-httpd
yum groupinstall "Web Server"
yum grouplist --> lists the groups of packages available
yum install mod_ssl squid
chkconfig --list httpd
chkconfig --level 35 httpd on
service httpd configtest (or httpd -t, or apachectl configtest)
apachectl stop
apachectl start

service httpd reload
NOTE: if the links package is required, install the elinks package: yum install elinks
test the webserver page: elinks 127.0.0.1
Custom welcome/error page: /etc/httpd/conf.d/welcome.conf
/usr/sbin/httpd, /etc/init.d/httpd
/etc/httpd/*, /var/www/*
system-config-httpd
mod_ssl
DocumentRoot /var/www/html
ServerRoot "/etc/httpd"
SELinux contexts:
system_u:object_r:httpd_config_t
system_u:object_r:httpd_log_t
system_u:object_r:httpd_modules_t
system_u:object_r:httpd_content_t
NOTE: restore contexts before configuring!
chcon -R --reference=/var/www/html /var/www/html/data
restorecon -R /var/www/html
Configuration items: min & max spare servers, log files, hostname, modules, virtual hosts, user and group
/etc/httpd/modules
User directories: UserDir public_html
example: /home/bob/public_html
restorecon -R /home
restorecon ~/public_html

MIME types:
AddType application/x-httpd-php .phtml
AddType text/html .htm
Index files: DirectoryIndex index.html default.htm

Virtual hosts:
NameVirtualHost 192.168.0.100:80

<VirtualHost 192.168.0.100:80>
    ServerName virt1.com
    DocumentRoot /virt1
    ServerAlias www.virt1.com
</VirtualHost>

<VirtualHost 192.168.0.100:80>
    ServerName virt2.com
    DocumentRoot /virt2
    ServerAlias www.virt2.com
</VirtualHost>

SSL virtual hosts: /etc/httpd/conf.d/ssl.conf
Access control: mod_access
Order allow,deny --> NOTE: clients matched by both Allow and Deny are denied!
Order deny,allow --> NOTE: clients matched by both Allow and Deny are allowed!
.htaccess:

AuthUserFile
htpasswd examples:
htpasswd -cm /etc/httpd/.htpasswd bob
htpasswd -m /etc/httpd/.htpasswd alice
AllowOverride AuthConfig
CGI: ScriptAlias /cgi-bin/ /path_to/cgi-bin/
mod_perl, mod_php, mod_speling
SSL: mod_ssl, /etc/httpd/conf.d/ssl.conf
Encryption:
certificate: /etc/pki/tls/certs/your_host.crt
private key: /etc/pki/tls/private/your_host.key
/etc/pki/tls/certs/Makefile:
  self-signed cert: make testcert
  CSR: make certreq
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

SQUID: /etc/squid/squid.conf:
http_port 3128
cache_mem 8 MB
cache_dir ufs /var/spool/squid 100 16 256
hierarchy_stoplist --> forwards matching requests directly
refresh_pattern ....
acl local_net src 192.168.0.0/24
http_access allow local_net
http_reply_access allow all

icp_access allow all
visible_hostname server1
Build the cache directories: squid -z
Transparent proxy redirect: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
setsebool -P squid_connect_any 1
/usr/sbin/squid, /etc/init.d/squid
port: 3128 (by default connections are accepted only on the loopback interface)
key directives: cache_dir, http_access, cache_mem, acl, http_port
/etc/sysconfig/squid: SQUID_OPTS="-D" --> disables DNS checking at startup

SQUID_SHUTDOWN_TIMEOUT=100
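An added worked example (not from the notes or the Apache project) for the mod_access Order rules in the Apache section above: it parses the Order / Allow from / Deny from lines of a constructed <Directory> block and reproduces the decision, so the "matched by both" cases can be checked rather than remembered. Host-name matching, which needs reverse DNS, is left out.

```python
"""Apache 2.2 mod_access: what 'Order allow,deny' and 'Order deny,allow' decide.

Added example for the Apache access-control notes; it is not code from the
notes or from the Apache project.  It parses the Order / Allow from / Deny
from lines of a constructed <Directory> block and applies the rule the
notes state: with allow,deny a client matched by both lists is denied,
with deny,allow it is allowed.  'all', full IPs, partial IPs such as
'192.168.0.' and CIDR prefixes are matched; host names are not.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample: the classic "LAN only, except one bad host" block.
SAMPLE_BLOCK = """
<Directory /var/www/html/private>
    Order allow,deny
    Allow from 192.168.0.
    Deny from 192.168.0.1
</Directory>
"""


def _matches(client_ip: str, spec: str) -> bool:
    """True when client_ip matches one Allow/Deny argument, as mod_access would."""
    if spec.lower() == "all":
        return True
    if "/" in spec:                                  # CIDR, e.g. 192.168.0.0/24
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    if spec.endswith("."):                           # partial IP, e.g. 192.168.0.
        return client_ip.startswith(spec)
    return client_ip == spec                         # full IP address


def parse_access_block(text: str) -> Tuple[str, List[str], List[str]]:
    """Return (order, allow_specs, deny_specs) from a <Directory>-style block."""
    order, allow, deny = "deny,allow", [], []        # Apache's default Order
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order":
            # Apache itself requires 'allow,deny' with no spaces; tolerate them here.
            order = "".join(parts[1:]).lower()
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def mod_access_decision(order: str, allow: List[str], deny: List[str], client_ip: str) -> bool:
    """True = request allowed, False = 403 Forbidden."""
    allowed = any(_matches(client_ip, s) for s in allow)
    denied = any(_matches(client_ip, s) for s in deny)
    if order == "allow,deny":
        # Allow directives first, then Deny; default is deny, and a Deny match wins.
        return allowed and not denied
    if order == "deny,allow":
        # Deny directives first, then Allow; default is allow, and an Allow match wins.
        return allowed or not denied
    raise ValueError("unsupported Order: %r" % order)


def is_allowed(block_text: str, client_ip: str) -> bool:
    """Parse the block, then decide for one client address."""
    order, allow, deny = parse_access_block(block_text)
    return mod_access_decision(order, allow, deny, client_ip)


if __name__ == "__main__":
    for ip in ("192.168.0.5", "192.168.0.1", "10.0.0.9"):
        print(ip, "->", "allowed" if is_allowed(SAMPLE_BLOCK, ip) else "forbidden")
```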

Unit 7 : Mail
=============

Mail server packages: cyrus-imapd*, cyrus-sasl, dovecot, exim, mailman, postfix, sendmail, sendmail-cf, spamassassin, squirrelmail
system-switch-mail --> switch between sendmail and postfix
system-switch-mail-gnome
DOVECOT: /etc/dovecot.conf

mail_location
mbox_read_locks and mbox_write_locks settings
If you're using the /var/mail/ directory for INBOXes, you may need to set mail_extra_groups = mail so Dovecot can create dotlocks there.
For better performance you may want to set mbox_very_dirty_syncs = yes.
If you intend to use SSL, set the ssl_cert_file and ssl_key_file settings; otherwise set ssl_disable = yes.
The easiest way to get SSL certificates built is to use Dovecot's doc/mkcert.sh script.
If you're using NFS or some other remote filesystem that's shared between multiple computers, you'll need to set mmap_disable = yes.
Testing:
mutt -f pops://root@secure:995
openssl s_client -connect secure:995
    user test
    pass mypassword
    stat
    retr 1
    dele 1
    quit

SENDMAIL: in /etc/mail:
sendmail.cf --> for incoming mail
sendmail.mc
access --> REJECT, DISCARD, RELAY
domaintable --> forward to different domains
helpfile
local-host-names
mailertable
Makefile
spamassassin
submit.cf --> for outgoing mail
submit.mc
trusted-users
virtusertable
/etc/aliases
/var/log/mail/statistics --> data read by the mailstats program.
dnl is used to comment a line.
Local computer email access only: DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
If no DNS: FEATURE(`accept_unresolvable_domains')dnl
To make the server relay for other domains, add in /etc/mail/access: 192.168.30 RELAY
make -C /etc/mail/  or  m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
service sendmail restart --> will run make -C /etc/mail if the sendmail-cf package is installed.
sendmail -d0 < /dev/null
==========================================

MASQUERADE:
EXPOSED_USER(`root')dnl
FEATURE(masquerade_envelope)dnl
MASQUERADE_DOMAIN(mydomain.lan)dnl
==========================================
/etc/smrsh --> sendmail restricted shell
/etc/aliases, newaliases
==========================================
Address rewrite:
FEATURE(genericstable)dnl
FEATURE(always_add_domain)dnl
GENERICS_DOMAIN_FILE(`/etc/mail/local-host-names')dnl
==========================================
FEATURE(`blacklist_recipients')dnl
Switching MTAs:
alternatives --display mta
alternatives --config mta
alternatives --set mta /usr/sbin/sendmail.postfix

POSTFIX:
postconf -d
postconf -n
postconf -e key=value
postconf -m
man 5 postconf
mydomain = example.com
myhostname = secure.example.com
myorigin = $mydomain
inet_interfaces = all
mynetworks = 168.100.189.0/28, 127.0.0.0/8
masquerade_exceptions = root
virtual_alias_maps = hash:/etc/postfix/virtual
postmap /etc/postfix/virtual (rehash the file)
postalias
PROCMAIL: postconf -e "mailbox_command = /usr/bin/procmail"

Unit 8 : Security (04/06/08)
============================

Need for security:

insecure protocols with insecure passwords - telnet, ftp, pop3
insecure info - sendmail, nfs, nis
insecure auth - rsh, rcp

Cryptography: (openssl, gpg)
random numbers and entropy sources - /dev/random, /dev/urandom, /var/lib/random-seed, openssl rand [-base64] num
one-way hashes - md2, md5, mdc2, rmd160, sha, sha1
utilities: sum, sha1sum, md5sum etc.
symmetric algorithms (3des, cast5, blowfish, rc2, rc4, rc5, IDEA) - passwd, gpg, openssl
asymmetric algorithms - private/public keys
pki - a signed public key is called a certificate; the trusted third party is a Certificate Authority.
generating digital certs:
public/private key pair: openssl genrsa -out server1.key.pem 1024
CSR: openssl req -new -key server1.key.pem -out server1.csr.pem
From the CA: server1.crt.pem
Self-signed cert: openssl req -new -key server1.key.pem -out server1.crt.pem -x509
make dovecot.pem
openssh: /etc/ssh
ssh-keygen, ssh-askpass
Types of auth: password, RSA/DSA keys, Kerberos, s/key and SecurID, host auth using system key pairs
/usr/sbin/sshd, /etc/init.d/sshd, /etc/ssh*, $HOME/.ssh, /etc/ssh/ssh_config
/etc/ssh/sshd_config: Protocol, ListenAddress, PermitRootLogin, Banner

ssh-add --> adds keys (collects key passphrases)
ssh-agent --> manages key passphrases
rpm --verify package_name
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat*
rpm --checksig package_file_name

Unit 9 : PAM
============

/etc/nsswitch.conf --> passwd: files nis ldap
getent services
getent passwd smith
libpam library
PAM modules in /lib/security
/etc/pam.d
/etc/securetty --> checked for the ttys root may log in on
/etc/pam.d/other is used if there is no PAM configuration for an application

TYPES of PAM modules:
auth --> identity
account --> account policies
password --> password changes
session --> opens, closes and logs sessions
NOTE: look in the system-auth file for entries.
control flags:
required --> a failure is recorded, but processing proceeds to the next module
requisite --> a failure stops processing immediately
sufficient --> a success means no other modules need be processed
optional --> result ignored
include --> includes ALL modules of the named file
system-config-authentication

messages in: /var/log/secure and /var/log/messages
Some modules:
pam_unix.so --> NSS, password history, md5, shadow passwords etc.
pam_securetty.so --> allows root only on the ttys listed in /etc/securetty
pam_nologin.so --> if /etc/nologin exists, users cannot log in.
pam_listfile.so --> checks authentication against a list in a file.
  example: auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
pam_permit.so --> allows all users! (never have this on a secure system; only for laptops)
pam_cracklib.so --> password strength
pam_passwdqc.so --> password strength (without dictionary word checking)
pam_tally.so --> failed login monitoring in /var/log/faillog
pam_limits.so --> resource limits, /etc/security/limits.conf
pam_console.so --> permissions on local devices, /etc/security/console.perms
pam_selinux.so --> sets the SELinux context (root:system_r:unconfined_t, user_u:system_r:unconfined_t)
pam_mkhomedir.so --> creates the home directory if it does not exist
pam_rootok.so --> passes if running as root; allows su without a password
pam_timestamp.so --> sudo, /var/run/sudo
pam_xauth.so --> forwards xauth cookies

change password aging: chage -M 90 username
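As an added worked example (not code from Linux-PAM or from the notes), the following Python script simulates how the control flags above combine module results, using the auth lines of the /etc/pam.d/vsftpd listing in the FTP section plus a RHEL-style system-auth stack. The modules are stand-in functions and every file and account is a constructed sample, so it runs without a real /etc/pam.d.

```python
"""Simulate how PAM control flags combine module results.

Added example for the PAM control-flag notes and the 'more /etc/pam.d/vsftpd'
listing in the FTP section; not code from Linux-PAM or from the notes.  Modules
are stand-in functions and every file/account below is a constructed sample.
Engine rules (as in Linux-PAM): required/optional/requisite success sets a
positive impression if none yet; required failure sets a negative one but the
stack continues; requisite failure returns at once; sufficient success ends the
stack with success only if no required module has already failed; 'include'
splices in another file's lines.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample system state consulted by the stand-in modules.
SYSTEM = {
    "shells": {"/bin/bash", "/bin/sh"},                        # /etc/shells
    "files": {"/etc/vsftpd/ftpusers": {"root", "bin", "daemon"}},
    "passwd": {"bob": ("s3cret", "/bin/bash"),                 # user -> (password, shell)
               "root": ("toor", "/bin/bash"),
               "svc": ("svcpw", "/sbin/nologin")},
}
Args = Dict[str, str]
Line = Tuple[str, str, Args]            # (control flag, module, arguments)

# Constructed auth stacks modelled on the vsftpd listing and a RHEL system-auth.
PAM_FILES: Dict[str, List[Line]] = {
    "vsftpd": [
        ("required", "pam_listfile.so",
         {"item": "user", "sense": "deny", "file": "/etc/vsftpd/ftpusers", "onerr": "succeed"}),
        ("required", "pam_shells.so", {}),
        ("include", "system-auth", {}),
    ],
    "system-auth": [
        ("required", "pam_env.so", {}),
        ("sufficient", "pam_unix.so", {"nullok": "", "try_first_pass": ""}),
        ("required", "pam_deny.so", {}),
    ],
}

def pam_listfile(user: str, password: str, args: Args) -> bool:
    """item=user: deny (or allow) users named in the file; onerr applies if it is missing."""
    if args["file"] not in SYSTEM["files"]:
        return args.get("onerr") == "succeed"
    listed = user in SYSTEM["files"][args["file"]]
    return (not listed) if args.get("sense") == "deny" else listed

def pam_shells(user: str, password: str, args: Args) -> bool:
    """Succeed only if the user's login shell is listed in /etc/shells."""
    entry = SYSTEM["passwd"].get(user)
    return entry is not None and entry[1] in SYSTEM["shells"]

def pam_unix(user: str, password: str, args: Args) -> bool:
    """Stand-in for the shadow password check."""
    entry = SYSTEM["passwd"].get(user)
    return entry is not None and entry[0] == password

MODULES: Dict[str, Callable[[str, str, Args], bool]] = {
    "pam_listfile.so": pam_listfile, "pam_shells.so": pam_shells, "pam_unix.so": pam_unix,
    "pam_env.so": lambda u, p, a: True, "pam_deny.so": lambda u, p, a: False,
}

def expand(service: str) -> List[Line]:
    """Resolve 'include' lines into one flat stack."""
    flat: List[Line] = []
    for control, module, args in PAM_FILES[service]:
        flat.extend(expand(module) if control == "include" else [(control, module, args)])
    return flat

def run_stack(service: str, user: str, password: str) -> Tuple[bool, List[str]]:
    """Return (authenticated?, trace of the modules that actually ran)."""
    impression: Optional[bool] = None   # None=undefined, True=positive, False=negative
    trace: List[str] = []
    for control, module, args in expand(service):
        ok = MODULES[module](user, password, args)
        trace.append("%s %s -> %s" % (control, module, "ok" if ok else "fail"))
        if control in ("required", "requisite", "optional"):
            if ok:
                if impression is None:
                    impression = True           # first positive result counts
            elif control == "required":
                impression = False              # remember the failure, keep going
            elif control == "requisite":
                return False, trace             # die immediately
        elif control == "sufficient":
            if ok and impression is not False:
                return True, trace              # done: success, later modules skipped
        else:
            raise ValueError("unknown control flag " + control)
    return impression is True, trace            # no positive result at all = denied
```

The trace for root shows why pam_listfile is "required" rather than "requisite" in the vsftpd stack: the remaining modules still run, so a denied user is still asked for a password and learns nothing from the prompt.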
