LinuxCBT_Deb5x_Edition_Notes


 

###LinuxCBT Deb5x Edition###

Topology -> Docs directory

Features:

 1. Multiple platform support: i386, PowerPC, Sparc, MIPS, S390, AMD64, Intel64, IA-64, etc.

 2. Obtainable via: HTTP, FTP, JIGDO, BitTorrent, CD/DVD

 3. Open Source - freely available

 4. Ships with thousands of packages

 

 

Tasks:

 1. Download the various DVD ISO images:

' for i in `seq 5`; do wget http://cdimage.debian.org/debian-cd/5.0.4/i386/iso-dvd/debian-504-i386-DVD-$i.iso; done '

 

 2. Confirm the MD5SUMS of downloaded ISOs

 3. Prep the VMWare environment

   a. https://192.168.75.50:8333

   b. Create Virtual Machine

   c. Move Debian ISO images beneath top-level container that VMWare references

 

 4. Install Debian on VMWare - from RedHat Enterprise 5x

  a. Installed in full-screen, text mode

  b. selected single, non-LVM, non-encrypted partition option:

   b1. / - 4GB - (/etc, /usr, /var, /home, /boot (linux kernel is here) ...)

   b2. swap - 250MB

 

 5. Upgrade Debian4x -> Debian5x

  a. Reclamation of existing VMWare instance, that was not in the inventory

 

Note: This may become our target instance

 

 

 6. Install Debian via PXE

  a. Download netboot.tar.gz - provides PXE code for network installation

  b. 'cd /tftpboot && tar -xzvf netboot.tar.gz'

  c. Configure Cisco Router DHCP server to serve the 'pxelinux.0' file to the client

Note: You may restrict the 'pxelinux.0' option to specific hosts and/or groups using DHCP configuration - reservations

 

 

!

ip dhcp pool linuxcbtwin1

   host 192.168.75.101 255.255.255.0

   hardware-address 0011.115b.7053

   client-name linuxcbtwin1

!

ip dhcp pool DEFAULT75

   import all

   network 192.168.75.0 255.255.255.0

   bootfile pxelinux.0

   next-server 192.168.75.50 

   dns-server 68.94.156.1 68.94.157.1 

   option 150 ip 10.1.50.2 

   default-router 192.168.75.1 

   lease 30

!

 

Note: 2 Key options for PXE booting

'bootfile pxelinux.0' - PXE boot client

'next-server 192.168.75.50' - TFTPD

 

Note: TFTPD & DHCPD servers may be the same or different

Note: NetInstall mode eventually attempts to pull the code for the OS from a valid mirror.

You may configure an internal mirror for your organization and point the installer there.
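Task 2 above says to confirm the MD5SUMS of the downloaded ISOs. As an added example (not from the LinuxCBT notes), here is a POSIX shell function, 'verify_sums', that checks whichever images are present in a directory against a sums file in the "hash  filename" layout used on the Debian mirrors, skipping images not yet downloaded rather than reporting them as failures, and refusing to report success when nothing at all was checked. The function name and the directory in the usage line are this example's own; the same function takes SHA256SUMS with sha256sum, which is the stronger check to prefer where the mirror offers it.

```sh
#!/bin/sh
# verify_sums DIR SUMSFILE TOOL
#   DIR      directory holding the downloaded images and the sums file
#   SUMSFILE name of the checksum list inside DIR (MD5SUMS, SHA256SUMS, ...)
#   TOOL     matching checksum program (md5sum, sha256sum, ...)
# Returns 0 when every present image matches, 1 when any image mismatches
# or when no image could be checked at all.
verify_sums() {
  dir=$1; sums=$2; tool=$3
  status=0
  checked=0
  # Each line of the sums file is "<hash>  <filename>"; read -r keeps backslashes literal.
  while read -r expected name; do
    [ -n "$name" ] || continue                  # skip blank lines
    if [ ! -f "$dir/$name" ]; then
      printf 'MISSING  %s (not downloaded, skipped)\n' "$name"
      continue                                  # an absent image is not an integrity failure
    fi
    actual=$("$tool" "$dir/$name" | cut -d' ' -f1)
    checked=$((checked + 1))
    if [ "$actual" = "$expected" ]; then
      printf 'OK       %s\n' "$name"
    else
      printf 'MISMATCH %s\n' "$name"
      status=1                                  # one bad image fails the whole run
    fi
  done < "$dir/$sums"
  # Refuse to report success when nothing was actually verified.
  [ "$checked" -gt 0 ] || status=1
  return "$status"
}

# Usage (directory is a placeholder): verify_sums /var/tmp/debian-iso MD5SUMS md5sum
```

Run it from the directory where the wget loop above left the images; a MISMATCH line means the image must be downloaded again before it is used for an install.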

 

 

###Linux Boot Sequence###

Features:

 1. Boot process Linux systems take to enter usable mode: 1-5

 

1. BIOS (indicates bootable hard drive)

2. Grand Unified Boot Loader (GRUB) -> MBR of primary HD

3. INITRD (includes drivers for hardware connected to your system)

4. Kernel (detects hardware) -> mounts '/' - root file system

5. INIT (propels your system into a usable state) - RunLevels

 

RunLevels: 0-6

 0 -> halt

 1 -> single-user mode, without concern for contending I/O

 2(Debian Default) - 5 -> multi-user run-levels - networking

 6 -> reboot

 

###Rescue - Boot Problems###

Problems:

 1. GRUB

  a. '/boot/grub/menu.lst' - changed (hd0,0) to (hd1,0) and (hd0,1), then fixed via runlevel 1

 

 2. INITRD

  a. Corrupt the file by breaking dependency - renamed initrd.img*

  b. Forced a boot by editing GRUB menu to use new INITRD file name

 

 

 3. INIT

  a. Corrupt: /etc/inittab

 

 4. Rescue Mode - Installation detection facility

 

 

###Basic Linux Commands###

Features:

 1. Numerous small commands that specialize in discrete functions

 

Tasks:

 1. Explore important commands

  a. 'whoami'

  b. 'id' - includes info from: 'whoami' as well as uid|gid info.

  c. 'pwd' - reveals current working directory based on the maintenance of 2 vars:

   c1. 'echo $PWD' - stores the current directory

   c2. 'echo $OLDPWD' - stores most recently visited directory

  d. 'cd' - changes directory - 'cd $OLDPWD'

   d1. 'cd' - with no options, places us in our $HOME directory

Note: The following directory entries:

  '.' - references the current directory

  '..' - references the parent directory

 

 e. 'ls' - lists files

  e1. 'ls -l' - lists files in long format

  e2. 'ls -li' - lists files in long format with INODE information

  e3. 'ls -al' - reveals hidden files

Note: Nix-based systems prefix hidden files with a '.'

  e4. 'ls -ld' - reveals attributes of directory entry

 

 f. 'touch' - creates file if non-existent, otherwise updates timestamp info.

 g. 'stat' - reveals FS information about a file

 h. '!command' - invokes the most recent invocation of a command from the command history

 i. 'echo' - prints what you tell it to

 j. 'cat' - catenates content to STDOUT by default

  j1. 'cat test.txt' - dumps file to STDOUT

  j2. 'cat test.txt test2.txt' - catenates test.txt , then, test2.txt to STDOUT

 

 k. 'mkdir' - creates directories

 l. 'rmdir' - removes directories

 m. 'rm -rf' - removes recursively ANY file entry

 n. 'export VAR=value' - sets and exports for use, a variable

  n1. 'export MUSIC=/home/linuxcbt/music'

 o. 'history' - dumps the current SHELL's history

Note: '!item_num' executes the command with the number in the shell's history

 p. 'alias ls='ls -ali' ' - allows you to make shortcuts to commands and options

 

Command Chaining:

'ls ; pwd ; echo "test" ' - commands are independent

'ls && pwd && echo "test" ' - logical ANDing - previous command MUST exit with exit status '0'

'ls || pwd' - command 2 executes if command 1 fails

Note: You may combine and and/or ALL of these features in a single command

 

 q. 'more | less' - 2 common pagers - displays a page full of info.

 r. 'which' - searches the $PATH for the command you are in search of

 

###Redirection###

Features:

 1. Input - STDIN - Standard Input - /dev/fd/0 - keyboard (may also be a file)

 2. Output - STDOUT - Standard Output - /dev/fd/1 - screen (may also be a file)

 3. Errors - STDERR - Standard Error - /dev/fd/2 - error handling

 

Tasks:

 1. Look at STDIN

  a. '<' - explicit indication

Note: When typical STDIN is omitted, the process usually waits on STDIN for input (keyboard)

Note: 'CTRL-D will exit STDIN stream'

Note: STDIN is typically implicitly referenced by most processes

  b. '>' - explicit indication

Note: Typically routes to a file or the screen (STDOUT)

   b1. 'cat test.txt test2.txt > test3.txt' - clobber mode (auto-clobbers file or creates anew)

  c. '>>' - append redirection - appends to existing file or creates a new file

   c1. 'cat test.txt test2.txt >> test3.txt'

 

  d. 'STDERR' - '2> errors.txt'

   d1. 'ls -l badfile' - the error goes to STDERR, which by default also appears on the screen

   d2. 'ls -l badfile 2> errors.txt' - clobbers and creates errors.txt

   d3. 'ls -l badfile 2>> errors.txt' - appends errors to errors.txt

 

 s. watch - executes and updates the output display of the process

 t. tty - echoes the current TTY

Note: GUI Managers spawn Pseudo-terminals: pts0..n

Note: Each pty has a distinct mapping of: fd0(STDIN), fd1(STDOUT), fd2(STDERR), auto-generated by the environment

 

 u. head (displays first n lines of file) & tail (displays last n lines)

  u1. 'head -n 1', 'tail -n 1' - display the first and the last line, respectively

 

 v. file - returns a file's type

  v1. 'file filename' - returns types

 

 w. seq - generates a sequence of numbers

  w1. 'seq 1000'

 

 x. for - looping mechanism

  x1. ' for i in `seq 10`; do echo "Hello World"; done '

  x2. ' for i in `ls -A`; do file $i; done '

 

 y. reset - resets the buffer of the terminal so you may keep track of your activities

 

 z. free - reveals memory usage
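An added example, not part of the LinuxCBT notes: the three descriptors from the Redirection section and the '&&' / '||' chaining rules from the Basic Linux Commands section, exercised with a throwaway helper ('emit_both', a constructed name) that writes one line to STDOUT, one to STDERR and exits with status 3. It also shows one rule the notes do not spell out: '2>&1' copies wherever fd1 points at that moment, so it must come after '> file' for the errors to land in the file. All function names are this example's own.

```sh
#!/bin/sh
# emit_both: constructed helper that writes one line to each stream and exits 3,
# so the redirections and the exit-status chaining below have something to act on.
emit_both() {
  echo "to stdout"
  echo "to stderr" >&2
  return 3
}

# log_both LOGFILE COMMAND...  -> both streams into LOGFILE, exit status passed through.
# '> file' first, then '2>&1': fd2 becomes a copy of fd1 AFTER fd1 points at the file.
log_both() {
  logfile=$1; shift
  "$@" > "$logfile" 2>&1
}

# log_stdout_only LOGFILE COMMAND...  -> the common mistake, kept for comparison.
# Here fd2 is copied from fd1 while fd1 still points at the terminal, so the errors
# keep going wherever STDOUT went before and only STDOUT lands in the file.
log_stdout_only() {
  logfile=$1; shift
  "$@" 2>&1 > "$logfile"
}

# run_step ERRLOG COMMAND...  -> run one step, append its errors to ERRLOG ('2>>'),
# report, and return the step's own exit status so callers can chain with && / ||.
run_step() {
  errlog=$1; shift
  if "$@" 2>> "$errlog"; then
    printf 'step ok: %s\n' "$1"
  else
    rc=$?                                   # status of the failed command
    printf 'step failed with status %d: %s (details appended to %s)\n' "$rc" "$1" "$errlog"
    return "$rc"
  fi
}

# Usage, as the notes' chaining rules would read:
#   run_step errors.txt emit_both && echo "next step" || echo "stopped: see errors.txt"
```

Because run_step returns the step's status unchanged, the '&&' branch runs only on exit status 0 and the '||' branch otherwise, exactly as described under Command Chaining.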

 

 

###Tar, Gzip, Bzip2, Zip###

Features:

 1. Archiving

 2. Compression

 

Gzip:

 1. ' gzip -c filename > filename.gz '

  a. 'seq 1000000 > 1million.txt && ls -lh 1mil*' 

  b. 'gzip -c 1million.txt > 1million.txt.gz'

   b1. 'zcat 1million.txt.gz' - read the binary gzip format and render ASCII text

  c. 'gunzip 1million.txt.gz '

  d. 'gzip -l 1million.txt.gz' - enumerates stats of file

 

 2. Bzip2

  a. 'bzip2 -c 1million.txt > 1million.txt.bz2 ' - creates compressed file

  b. 'bunzip2 1million.txt.bz2'

  c. 'bzcat 1million.txt.bz2'

 

 3. Zip & Unzip

  a. 'zip 1million.txt.zip 1million.txt' - dest source - creates a zip file

  b. 'unzip 1million.txt.zip' - decompresses

  c. 'zip stuff.txt.zip *txt' - squeezes ALL *txt files in current directory

  d. 'unzip -l filename.zip' - enumerates stats

  e. 'zcat filename.zip' - extract on the fly and dump to STDOUT

 

Note: 'zcat' applies to both: zip & gzip

 

 4. Tar - archiver - rolls one or more files (including directories) into one image

  a. 'tar -cvf alltxtfiles.tar *txt' - roll ALL txt files into 'alltxtfiles.tar'

  b. 'tar -tvf alltxtfiles.tar' - enumerates the contents of the tarball

  c. 'tar -xvf alltxtfiles.tar' - extracts the contents of the tarball

  d. 'tar -xvf alltxtfiles.tar 1000.txt 100k.txt' - extracts specific files from the archive

  e. 'tar -czvf alltxtfiles.tar.gz *txt' - rolls a tarball with gzip compression

  f. 'tar -cjvf alltxtfiles.tar.bz2 *txt' - rolls a tarball with bzip2 compression

 

 

###GREP###

Features:

 1. Line processor

 

Tasks:

 1. Use grep to search for interesting strings

  a. 'grep cat animals.txt' - returns ALL lines containing lowercase 'cat'

  b. 'grep -i cat animals.txt' - returns ALL lines containing either case of 'cat'

  c. 'grep 20 animals.txt'

  d. 'grep "^20" animals.txt' - returns lines that begin with the string: '20'

  e. 'grep "20$" animals.txt' - returns lines that end with the string: '20'

  f. 'grep "^20$" animals.txt' - returns lines that begin and end with the string: '20' (i.e. consist of exactly '20')

  g. 'grep "^c.*" animals.txt' - returns lines beginning with 'c'

  h. 'grep "^[cd]" animals.txt' - returns lines beginning with 'c' OR 'd' (inside brackets a '|' is a literal character, not alternation)

  i. 'grep -v "kernel" /var/log/messages' - returns lines that do NOT contain 'kernel'

  j. 'grep -C 2 "dog" animals.txt' - returns 2 lines above and below each matched line

   j1. 'grep -C 2 "ostrich" animals.txt > animals.reduced.list.txt'

 

###AWK###

Features:

 1. Field processor

 2. Tokenizes lines into fields and returns them for usage

 3. Matches patterns using Regular Expressions - POSIX - GREP - EGREP

 

 

Tasks:

 1. Use Awk to parse fields

  a. ' awk '{ print $1 }' animals.txt ' - prints field #1 using whitespace delimiters

  b. ' awk '{ print $0 }' animals.txt' - prints the entire line

  c. 'awk -F, '{ print $1 }'' - prints field #1 from STDIN, using ',' as the delimiter

  d. 'awk -F "[, -]" '{ print $2 }'' - prints field #2 using 3 delimiters: ',', ' ' and '-' (the '-' goes last so it is not read as a range)

  e. ' awk '/dog/ { print $0 }' animals.txt ' - matches lines with 'dog' and prints the full line

  f. ' awk -F "[,; -]" '/dog/ { print $0 }' animals.txt ' - matches lines with 'dog', using multiple delimiters (uppercase -F; lowercase -f would read the program from a file)

  g. ' awk '/dog[gy]/ { print $0 }' animals.txt ' - matches lines with 'dog' followed by 'g' or 'y'

 

  h. ' awk '{ if ($2 ~ /20/) print $0 }'  animals.txt  '

  i. awk '{ if ($5 ~ /kernel/) print $0 }' messages - matches lines where field $5 = 'kernel'
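An added example (not from the notes) that applies the field-and-pattern style of items e and i to a security task: counting failed SSH logins per source address, with an optional minimum count so only repeat offenders are listed. The log lines are constructed to look like Debian's /var/log/auth.log and are not real data; $5 is the program field exactly as in the '$5 ~ /kernel/' example, and the source address is taken as the field following the word 'from'. Function names are this example's own.

```sh
#!/bin/sh
# Constructed sample lines in the /var/log/auth.log layout (not real log data).
sample_auth_log() {
  cat <<'EOF'
Mar  3 10:38:01 deb5 sshd[2311]: Failed password for invalid user admin from 192.168.75.200 port 40122 ssh2
Mar  3 10:38:03 deb5 sshd[2313]: Failed password for root from 192.168.75.200 port 40123 ssh2
Mar  3 10:38:05 deb5 sshd[2315]: Accepted password for linuxcbt from 192.168.75.11 port 51021 ssh2
Mar  3 10:38:09 deb5 sshd[2317]: Failed password for linuxcbt from 192.168.75.31 port 51022 ssh2
Mar  3 10:38:10 deb5 CRON[2320]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# failed_logins_by_source [MIN]
#   Reads auth.log lines on STDIN and prints "<count> <address>" for every source
#   with at least MIN (default 1) failed SSH passwords, most frequent first.
#   $1..$4 are the timestamp and host, $5 is the program (e.g. sshd[2311]:),
#   and the address is whatever follows the token "from".
failed_logins_by_source() {
  min=${1:-1}
  awk -v min="$min" '
    $5 ~ /^sshd/ && /Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
    }
    END { for (ip in count) if (count[ip] >= min) print count[ip], ip }' | sort -rn
}

# Same input, both thresholds:
sample_auth_log | failed_logins_by_source
sample_auth_log | failed_logins_by_source 2
```

On a live system the same pipeline reads the real file: 'failed_logins_by_source 5 < /var/log/auth.log'.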

 

 

 

###Sed - Stream Editor###

Features:

 1. Manipulate Streams of Text

 2. Support for regular expressions

 3. Command-line

 4. Scriptable

 

Tasks:

 1. ' sed -n '1p' animals.txt ' - prints the first line

 2. 'sed -n '$p' animals.txt ' - prints the last line

 3. 'sed -n 4,9p animals.txt ' - prints lines 4-9

 4. 'sed -n 10,12p animals.txt ' - prints lines 10-12

 5. 'sed -e '/^$/d' animals.txt ' - deletes blank lines (without -n, which would suppress all output)

 6. 'sed -n '1,2p' animals.txt '

 7. 'sed -n '1!p' animals.txt ' - prints all but line #1

 8. 'sed -n '1,3!p' animals.txt - prints all but lines 1-3

 9. 'sed -n -e 's/cat/BIGCAT/p' animals.txt ' - replaces 'cat' with 'BIGCAT'

10. 'sed -n -e 's/^cat$/BIGCAT/p' animals.txt' - replaces lines that begin and end with 'cat'

11. 'sed -n -e 's/\(.*\)\(;\)\(.*\)/\1\2\3/p' animals.txt - tokenizes matches into usable variables

12. 'sed -n -e 's/;/ /p' animals.txt ' - replaces ';' with space

13. 'sed -n -e 's/[,;-]/ /p' animals.txt ' - replaces the first ',', ';' or '-' on each matching line with a space and prints only those lines (the '-' goes last in the bracket so it is literal, not a range)

14. 'sed -e 's/[,;-]/ /p' animals.txt ' - same substitution, but prints the full doc to STDOUT (matching lines appear twice because of the 'p' flag)

15. 'sed -e '/^$/d' animals2.txt ' - removes blank lines, dumps to STDOUT

16. 'sed -i.bak -e '/^$/d' animals2.txt' - removes blank lines in place and backs up the original file as 'animals2.txt.bak'

 

 

###Perl ###

Features:

 1. Everything

 

Tasks:

 1. Basic RegEx Usage

  a. Ensure that the correct number of arguments are supplied

Note: The execution type governs parameter placement

i.e. 'perltest1.pl ' - ARGV[0] -> first parameter

i.e. '/usr/bin/perl perltest1.pl ' - ARGV[1] -> first parameter

 

 

###System Utilities###

Features:

 1. Administration tools for system performance

 

 

 1. 'runlevel' - reveals the current/previous runlevel

 2. 'uptime' - reveals system uptime, and usage over: 1, 5, 15 minutes

 3. 'ps' - enumerates a list of processes

  a. 'ps' - processes tied to a TTY

  b. 'ps -ef' - ALL processes

  c. 'ps aux' - ALL processes, plus %MEM, %CPU, etc. (BSD-style options, no leading '-')

 

 4. 'top' - reveals - uptime, df, %MEM, %CPU, sorts, updated real-time, etc.

  a. 'top' - auto-refreshes every 3 sec.

  b. 'top -d 5' - auto-refreshes every 5 sec.

 

 5. 'df' - reveals current filesystem usage/allocation

  a. 'df -h'

 

 6. 'mount' - reveals current mounts with key details/allows you to mount/umount

 

 

###User & Group Management###

Features:

 1. Facilitates provisioning and management of users/groups

 

Note: Debian users are indexed @ id: 1000

Note: Debian users default to a gid that matches the uid:

 

Tasks:

 1. Correlate GUI management tool to applicable: /etc/ files

/etc/passwd: - general account information - world readable

linuxcbt:x:1000:1000:LinuxCBT User,Stamford Conn.,888-573-4943,,:/home/linuxcbt:/bin/bash

 

/etc/shadow: - passwords

linuxcbt:$1$7GePLICi$WdWcehUWvY1KNwCZI7VqH/:14672:0:99999:7:::

Fields:

 1. login name

 2. encrypted password

 3. Days since Unix epoch(19700101), password was last changed

 4. Days before password may be changed: 0 = no length required

 5. Days after which password must be changed

 6. Days after password expires that account is disabled

 7. Days since Unix epoch that account is disabled

 8. Reserved

 

 2. Add a new user via the GUI

 

 3. Add a new user via the shell

  a. 'userdel -r dean' - removes the user and $HOME/$MAIL spool directory

  b. 'useradd -m -d /home/dean -g dean dean' - creates the user with home directory /home/dean (-m creates it) and primary group 'dean' (the group must already exist)
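The shadow fields listed above, read back by a shell function. This is an added example and not part of the notes: 'shadow_report' splits one /etc/shadow record on ':' and reports the hash algorithm (from the crypt prefix), the password age in days and an aging status derived from fields 3, 5 and 6. The sample record is the 'linuxcbt' line shown above; the 'today' day count is passed in so the result is reproducible, and the status names are this example's own.

```sh
#!/bin/sh
# shadow_report LINE [TODAY]
#   LINE   one record from /etc/shadow
#   TODAY  days since the epoch to measure against (default: the current day)
shadow_report() {
  line=$1
  today=${2:-$(( $(date +%s) / 86400 ))}
  # Split on ':' keeping empty fields; set -f stops glob characters in the hash expanding.
  old_ifs=$IFS; IFS=:; set -f; set -- $line; set +f; IFS=$old_ifs
  name=$1 hash=$2 changed=${3:-0} max=$5 warn=$6
  # The hash prefix identifies the crypt(3) algorithm; '!' or '*' means the account is locked.
  case $hash in
    '!'*|'*'*|'') algo=none ;;
    '$1$'*)       algo=md5crypt ;;
    '$5$'*)       algo=sha256crypt ;;
    '$6$'*)       algo=sha512crypt ;;
    *)            algo=other ;;
  esac
  age=$(( today - changed ))
  max=${max:-99999}
  if [ "$algo" = none ]; then
    status=LOCKED_OR_NO_PASSWORD
  elif [ "$max" -ge 99999 ]; then
    status=NEVER_EXPIRES               # field 5 left at the default: aging is effectively off
  elif [ "$age" -gt "$max" ]; then
    status=EXPIRED
  elif [ "$age" -gt $(( max - ${warn:-0} )) ]; then
    status=EXPIRING_SOON               # inside the warning window of field 6
  else
    status=ACTIVE
  fi
  printf '%s algo=%s changed=%s age=%s max=%s status=%s\n' \
    "$name" "$algo" "$changed" "$age" "$max" "$status"
}

# The 'linuxcbt' record from the notes, evaluated 30 days after its last change
shadow_report 'linuxcbt:$1$7GePLICi$WdWcehUWvY1KNwCZI7VqH/:14672:0:99999:7:::' 14702
```

Run as root over the whole file with 'while read -r l; do shadow_report "$l"; done < /etc/shadow' to spot accounts whose password never expires or whose hash still uses the older md5crypt scheme.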

 

 

###File Permissions - Symlinks###

Features:

 1. Restrictions based on organizational policy - Discretionary Access Control (DAC)

 2. Ability provide multiple views of content - Symlinks

 

File Permissions:

 1. 10-bits - used to represent permissions in Linux | Unix

  1 - leftmost - d (directory), - (file), c (character) (keyboard), b (block device) (storage), l (soft-link)

  2-4 - Correlate to the owner

  5-7 - Correlate to the group

  8-10 - Correlate to the world (everyone)

b rw- rw- --- 1 root disk 8, 1 2010-03-02 09:55 /dev/sda1

Perms Octal: 660

 

Possible Permissions:

 r = read = 4

 w = write = 2

 x = execute = 1

Total Permissions: 7

 

Umask: Governs default permissions assigned to various objects: files & directories

 Files: rw-r--r-- = 644

 Directories: rwxr-xr-x = 755

drwxr-xr-x 2 linuxcbt linuxcbt    4096 2010-03-03 10:38 temp

 

Default Umask: 0022

Total Possible Permissions: 0777 - 0022 = 0755 (directories)

Note: Files further restrict the default umask to 644

 

Permissions Utilities:

 1. chown - change ownership of user and/or group fields

 2. chmod = change the mode (octal)

 3. chgrp = changes the group ownership field

 

Chown Usage:

 ' chown dean 100.txt ' - changes ownership to user named 'dean'

 ' chown linuxcbt.users 100.txt' - changes both: user & group fields

 

Chgrp Usage:

 ' chgrp linuxcbt 100.txt' - changes group ownership of file named: '100.txt'

 

Chmod Usage:

 ' chmod 640 100.txt ' - denies world access

 ' chmod 600 100.txt ' - denies world and group access

 

 ' chmod 744 temp2/ ' - removes 'x' perm from group and world

 

Symbolic permissions Notation:

 1. 'chmod u+x temp2' - enables 'x' permission on directory 'temp2' - owner

 2. 'chmod g+x temp2' - influences group field

 3. 'chmod o+x temp2' - influences other field

 

SETUID - Changes execute permissions on a file to that of the owner

i.e. '/usr/bin/passwd'

Octal: 4755 - leading '4'

-rwsr-xr-x 1 root root 31704 2009-11-14 09:41 /usr/bin/passwd

'find /usr/bin -perm -4000' - finds SETUID objects ('-perm -4000' matches any file with the SETUID bit set, whatever its other bits; '-perm 4755' would match that exact mode only)

 

SETGID - Causes new files to inherit the group of the parent directory (top-level container)

'chmod 2755 directory_name'

'chmod g+s directory_name'

 

'mkdir /project'

'chown root.users /project'

'chmod 2755 /project'

 

STICKY BIT - 't' in the world field - ensures users may share a common directory: '/tmp'
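Three small shell functions, added here as an example and not part of the notes, that turn the permission rules above into something you can run: 'symbolic_to_octal' reads a 9-character mode string as printed by 'ls -l' (including the SETUID/SETGID/sticky letters s and t) and returns the four-digit octal form; 'default_mode' applies a umask the way the kernel does, as a bitwise AND with the inverted mask, which agrees with the '0777 - 0022' subtraction above for umask 022 but not for every mask; and 'find_special_bits' lists files carrying the SETUID or SETGID bit under a directory, which is the intent of the find command in the SETUID paragraph. Function names are this example's own.

```sh
#!/bin/sh
# triplet_bits TRIPLET WEIGHT
#   Decodes one rwx group; sets TV to its 0-7 value and adds WEIGHT (4 setuid,
#   2 setgid, 1 sticky) to TS when the special bit is shown as s/S or t/T.
triplet_bits() {
  TV=0
  case $1 in r??) TV=$((TV + 4)) ;; esac
  case $1 in ?w?) TV=$((TV + 2)) ;; esac
  case $1 in ??[xst]) TV=$((TV + 1)) ;; esac      # lowercase s/t mean x is also set
  case $1 in ??[sStT]) TS=$((TS + $2)) ;; esac
}

# symbolic_to_octal MODE  ->  four-digit octal, e.g. rwsr-xr-x -> 4755
symbolic_to_octal() {
  m=$1; TS=0
  triplet_bits "$(printf '%s\n' "$m" | cut -c1-3)" 4; u=$TV
  triplet_bits "$(printf '%s\n' "$m" | cut -c4-6)" 2; g=$TV
  triplet_bits "$(printf '%s\n' "$m" | cut -c7-9)" 1; o=$TV
  printf '%d%d%d%d\n' "$TS" "$u" "$g" "$o"
}

# default_mode BASE UMASK  ->  mode a new object gets (BASE 777 for directories, 666 for files)
default_mode() {
  # The kernel clears the umask bits: mode = base & ~umask. Plain subtraction
  # only gives the same answer when every umask bit is also set in base.
  printf '%04o\n' $(( 0$1 & ~0$2 ))
}

# find_special_bits DIR  ->  regular files under DIR with SETUID or SETGID set
find_special_bits() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Worked values from the notes: /dev/sda1 (rw-rw----), the temp directory
# (rwxr-xr-x), /usr/bin/passwd (rwsr-xr-x) and the umask 022 defaults.
symbolic_to_octal rw-rw----
symbolic_to_octal rwxr-xr-x
symbolic_to_octal rwsr-xr-x
default_mode 777 022
default_mode 666 022
```

'default_mode 666 133' returns 0644 while '0666 - 0133' would give 0533; that is the case where the subtraction shortcut breaks down.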

 

 

###Symbolic Links###

Features:

 1. Create shortcuts to objects on the file system

 2. Support for 2-types of symlinks: soft (file containers) & hard (inodes)

 3. Soft-links support directories

 4. Hard-links do NOT support directories

 5. Soft-links may traverse file systems, hard-links may not - due to inodes

 6. Removal of soft-links will not remove the source content

 7. Removal of the only hard-link, removes the file for good

 8. Soft-links are of file type: 'l'

 

Usage:

 1. 'ln -s source target'

  a. 'ln -s ../perltest1.pl .' - creates a soft-link of the same name as the source

Note: Soft-links depend heavily/entirely upon the filename container of the source file

 

  b. 'ln -s /etc .' - creates a soft-link to /etc

 

 2. Hard Links - omit the 's' option

  a. 'ln ../perltest1.pl' - creates a hard-link, upping the reference count

  b. 'ln perltest1.pl newhardperltest1.pl' - creates a hard-link with alternate name

Note: Hard-links always reference the same inode using the same and/or alternate names

Note: Soft-links are assigned distinct inodes, which ultimately reference the source file's name

 

  c. Create hard-links with different permissions

   c1. 'ln /home/linuxcbt/Debian_5x/perltest1.pl && chmod 644 perltest1.pl'

 

###Partitions & File Systems###

Features:

 1. Provisioning of storage

 

 

Task:

 1. Provision storage for project users to be mounted @: /project

  a. GParted - used to create partition and allocation FS

  b. mount the newly-created file system

   b1. 'mount /dev/sdb1 /project' - mounts /dev/sdb1 @ /project

Note: If data exist at the mount point, they will not be available post-mount

Note: Move data pre-mount

  c. Ensure that mount is available at system restart: /etc/fstab

   c1. 'mount -a' - auto-mounts entries in: /etc/fstab

 

 2. Provision storage manually

  a. fdisk

   a1. 'fdisk /dev/sdc' - manages '/dev/sdc'

   a2. 'n - p - 1 - +4096M' - creates a new, primary partition #1 of size: 4GB

   a3. 'p - w' - print table, and write changes to the disk

  b. FS overlay

   b1. 'mkfs.ext3 /dev/sdc1' - creates an ext3 FS on: /dev/sdc1

  c. Mount FS

   c1. 'mount /dev/sdc1 /project4G' - mounts partition to: /project4G

Note: You may mount the same block of storage more than once: /project & /project4G

Note: This allows you to apply top-level directory container permissions individually

 

 3. Provision: ext4 storage manually

  a. fdisk

  b. FS overlay

  c. mount and update: /etc/fstab

 

 

###Provision of Swap Space###

Features:

 1. Additional memory for processes

 2. Managed by the kernel, dynamically

 3. Can be allocated dynamically

 4. Can be allocated as a file and/or partition (preferred)

 

 

Tasks:

 1. Allocate swap with GUI

  a. Allocate

  b. enable - 'swapon /dev/sdd1' - enables swapping for the current uptime

  c. 'swapon -s' - lists swap devices (partitions and/or files) - shows distribution of swap

Note: 'free ' simply shows the total swap and usage

  d. 'swapon -a' - enables swap from /etc/fstab

  e. Update: /etc/fstab to apply swap storage upon reboot

  f. 'swapoff /dev/sdd1' - disables swapping on device (partition or file)

 

 2. Allocate swap from the shell - using fdisk

  a. 'fdisk /dev/sdd'

  b. create swap partition - change type to 'linux swap'

  c. 'mkswap /dev/sdd2' - creates swap file system on /dev/sdd2

  d. 'swapon /dev/sdd2 && free -m' - makes swap available to kernel and dumps mem usage

Note: 'fdisk' will sometimes fail to update the partition table if the disk is in use

 

 3. Allocate swap from a file

  a. 'dd if=/dev/zero of=/project/swapfile bs=1024 count=524288' = generates .5G file with zeroes

  b. 'mkswap /project/swapfile' - makes file usable for swapping

  c. 'swapon /project/swapfile' - enables swapping

  d. 'swapoff -a' - disables all swapping for entries listed in: /etc/fstab

 

 

###Logical Volume Management (LVM)###

Features:

 1. Aggregates storage

 2. Storage of disparate types: i.e. SATA, PATA, SCSI, FireWire, Fibre Channel, et cetera

 3. Volume sets & stripe sets

 4. Extendable, resizable

 

LVM Concepts:

 Storage Hierarchy:

Logical Volume (FS goes here)

  -Volume Groups (Aggregate Physical LVM Volumes)

    -Physical Volumes (i.e. /dev/sdd3, /dev/sdd4, etc.)

 

Tasks:

 1. Create an LVM volume based on 2 partitions

  a. create 2 LVM partitions using fdisk - type = 8e (Linux LVM)

  b. create PVs - 'pvcreate /dev/sdd3 /dev/sdd5'

  c. create VG - 'vgcreate volgroup001 /dev/sdd3 /dev/sdd5' - allocates PVs to VG

  d. create LV - 'lvcreate -L 2.5G volgroup001' - creates a 2.5GB LV (named lvol0 by default)

  e. overlay FS on LV - 'mkfs.ext3 /dev/volgroup001/lvol0'

  f. Test volume accessibility and update: /etc/fstab

 

 

 2. Explore '*scan' utilities

  a. 'pvscan' - enumerates physical volumes

  b. 'vgscan' - enumerates volume groups

  c. 'lvscan' - enumerates logical volumes

  d. 'lvrename name_of_volume_group old_logical_name new_logical_name' - then confirm with 'lvdisplay' or 'lvscan'

  d1. 'lvrename volgroup001 lvol0 logvol0 ' - renames logical volume immediately

Note: If the logical volume and/or volume group name changes, update: /etc/fstab

Note: 'umount' if necessary prior to 'mount -a'

 

 3. Add new storage to LVM

  a. 'fdisk /dev/sdd' - allocate more storage of LVM partition

  b. 'pvcreate /dev/sdd6' - allocate partition for LVM

  c. 'vgextend volgroup001 /dev/sdd6'

  d. 'lvextend /dev/volgroup001/logvol0 -L +1G' - extends the logical volume by 1G

  e. 'resize2fs device newsize'

   e1. 'resize2fs /dev/volgroup001/logvol0 3G' - online resizing (ext3 only)


Note: Caveat: online shrinking is not supported. Shrink offline, after unmounting the volume with 'umount'

 

###Package Management###

Features:

 1. Provision/maintain packages

 2. Multiple tools: apt-*, dpkg, aptitude, GUI

 

Tasks:

 1. Explore GUI - 'Synaptic' - front-end to: 'apt-get'

 2. Explore 'dpkg'

  a. 'dpkg -l' - enumerates all packages

  b. 'dpkg -L openssh-client' - enumerates contents of package

  c. 'dpkg -S /usr/bin/scp' - returns package membership of: /usr/bin/scp

  d. 'dpkg -i package_name.deb' - installs the .deb file from the file system

  e. 'dpkg -r package_name' - removes the package (by its name in the package DB)

 

 3. Explore 'aptitude'

Features:

 1. Interactive

 2. Non-interactive

 

Tasks:

 1. Non-interactive usage of 'aptitude'

  a. 'aptitude search ssh' - returns installed/non-installed matches from DB

Note: The package DB is built by the indexed sources: /etc/apt/sources.list

 

  b. 'aptitude install tofrodos' - queries the DB for source location and installs (prompts if media is missing)

  c. 'aptitude remove tofrodos' - removes package named: 'tofrodos.*'

  d. 'aptitude' - runs interactive

   d1. search for the package and toggle '+' to mark it for installation

 

Note: A 'task' can consist of contradictory actions: install, remove, etc.

 

###RunLevels###

Features:

 1. Ability to control system in a variety of modes

 2. Profiles for services/daemons

 

BIOS -> GRUB -> INITRD/KERNEL -> INIT (PID=1) -> RUNLEVELS

 

Default Runlevel = 2: /etc/inittab

Note: Usually, multi-user runlevels are cumulative: i.e. runlevel 2 includes daemons from runlevel 1

 

RunLevels 0-6, 7-9(optional, seldom-used):

 0 - shut down - power-off, if ACPI support or similar

 1 - single user - multi-user support is disabled - networking is disabled

 2 - default, multi-user mode - for Debian

 3 - typical default, multi-user mode, for most distribution - identical to 2

 4 - unused - identical to 2

 5 - unused - identical to 2

 6 - reboot - shuts services/daemons and resets the system, soft-restart

 

/etc/init.d - container of ALL system daemons - implemented as shell scripts

/etc/rc* - run-control directories for the various runlevels

 - Scripts begin with: 'K' (Kill) or 'S' (Start)

 - Scripts also include numeric identifier used for sorting: ascending

Note: /etc/rc* - are containers of: K and S scripts that are symlinked to: /etc/init.d

Note: Default runlevel = 2, however, runlevels 2-5 are identical

Note: Enter programs that MUST run with each invocation into: /etc/rc.local

Note: INIT scripts are called with prefixes of: 'S' or 'K'

Note: 'S' prefix causes the process to start

Note: 'K' prefix causes the process to stop

 

###Job Scheduler - Cron###

Features:

 1. Job Scheduler

 2. Per-user execution - /var/spool/cron/crontabs/$USER

 3. System-wide execution - /etc/crontab

 4. Flexibility: minute, hour, days of the month i.e. (24-28), months i.e. (9-12)

 5. Cron awakes every minute, and queries for changes in schedules

 6. Cron mails the job's STDOUT to the owner of the job, if an error occurs

 

Tasks:

 1. 'dpkg -L cron'

 2. Define a per-user crontab entry: user=linuxcbt

  a. 'crontab -e' - launches default editor and allows us to setup job in: /var/spool/cron/crontabs/$USER

  b. 'crontab -l' - enumerates user's cron table

 3. As 'root' manipulate 'linuxcbt's' crontab entries

 

 4. Evaluate system-wide crontab: /etc/crontab

Note: 'run-parts' executes ALL executable scripts in a directory

Note: /etc/crontab contains a field to indicate the user with which the process is to execute

 

/etc/anacrontab - contains schedule of missed cron items to be executed

 

/etc/cron.allow - if exists, account name must exist in it, in order to use cron

/etc/cron.deny - if exists, account name must NOT exist in it, in order to use cron
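The two access-control files above encode a small decision rule. As an added example (not from the notes), here it is as a shell function, 'cron_allowed', that can be tested against constructed copies of the files, so the precedence is unambiguous: cron.allow, when present, is consulted first and is a strict whitelist; cron.deny is consulted only when cron.allow does not exist. The outcome when neither file exists is taken here as "allowed"; that is an assumption for this example, since the notes state no rule for that case and the behaviour is site-configurable. Function names are this example's own.

```sh
#!/bin/sh
# cron_allowed USER [ALLOWFILE] [DENYFILE]
#   Returns 0 if USER may use cron under the rules above, 1 otherwise.
#   ALLOWFILE / DENYFILE default to the real files so the check can also be
#   run on the live system.
cron_allowed() {
  user=$1
  allow=${2:-/etc/cron.allow}
  deny=${3:-/etc/cron.deny}
  if [ -f "$allow" ]; then
    # cron.allow exists: the name must appear on a line of its own (-x), literally (-F)
    grep -qxF -- "$user" "$allow"
  elif [ -f "$deny" ]; then
    # only cron.deny exists: the name must NOT appear
    ! grep -qxF -- "$user" "$deny"
  else
    # neither file: assumption for this example, treated as allowed (site-dependent in practice)
    return 0
  fi
}

# cron_report ALLOWFILE DENYFILE USER...  -> one line per user with the decision
cron_report() {
  allow=$1; deny=$2; shift 2
  for u in "$@"; do
    if cron_allowed "$u" "$allow" "$deny"; then
      printf '%s: allowed\n' "$u"
    else
      printf '%s: denied\n' "$u"
    fi
  done
}

# Usage on the live files: cron_report /etc/cron.allow /etc/cron.deny linuxcbt dean root
```

Note that a cron.allow containing only 'linuxcbt' denies 'dean' even though dean is not listed in cron.deny; the deny file is never consulted once an allow file exists.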

 

###Syslog - rsyslogd - rsyslog###

Features:

 1. Logging via Unix domain sockets

 2. Logging via TCP/IP: UDP:514 || TCP:514

 3. Facilities and Levels control routing of log entries

 4. Derived from 'sysklogd'

 5. Auto-creates directories defined in: /etc/rsyslog.conf, unlike traditional Syslog

 

Primary Config File: /etc/rsyslog.conf

 

Tasks:

 1. Explore: /etc/rsyslog.conf

Note: UDP:514, TCP:514 are both disabled by default: Enable via: /etc/rsyslog.conf

Note: Log files are created 0640 by default, owned by root:adm

 

Note: Facilities & Levels are indicated using the following nomenclature:

facility.level  -> Target

auth.* /var/log/auth.log - captures 'auth' facility at ALL levels and routes to file

*.* - captures ALL facilities at ALL levels

 

 2. Route Cisco Router Traffic to rsyslogd

  a. Determine the facility and level to use

   a1. 'local4.info'

  b. Configure rsyslog to accept Cisco router traffic at: local4.info

   b1. 'local4.*  /var/log/cisco/ciscorouter.log'

  c. Enable rsyslog UDP listener and restart rsyslog

  d. Exclude Cisco local4.* records from catch-all rules except debug: /var/log/syslog

 

 3. Forward a copy of local4.* to remote RedHat box: 192.168.75.11

  a. server: /etc/syslog.conf - 'local4.*  /var/log/cisco/ciscorouter.log'

  b. client: /etc/rsyslog.conf - 'local4.* /var/log/cisco/ciscorouter.log,@192.168.75.11'

Note: RedHat default Syslog doesn't create directories. However, catch-all rule captures local4.* traffic

  c. Update: /etc/hosts and: /etc/rsyslog.conf to use hostname
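The facility.level notation above, implemented as a matcher so routing rules can be checked without a running daemon. This is an added example, not the notes' configuration and not rsyslog's own parser: 'selector_matches' handles the selector forms used in this section ('*' as facility or level, a comma-separated facility list, 'none' to exclude, and ';'-separated selectors evaluated left to right), treating a level keyword as "this severity and anything more severe" as syslog does; the '=' and '!' level modifiers are not covered. The last two calls show the exclusion from task 2.d: the catch-all for /var/log/syslog with 'local4.none' appended. Function names are this example's own.

```sh
#!/bin/sh
# level_num KEYWORD -> syslog severity number (0 = emerg ... 7 = debug), or -1 if unknown
level_num() {
  case $1 in
    emerg|panic)  printf '%s\n' 0 ;;
    alert)        printf '%s\n' 1 ;;
    crit)         printf '%s\n' 2 ;;
    err|error)    printf '%s\n' 3 ;;
    warning|warn) printf '%s\n' 4 ;;
    notice)       printf '%s\n' 5 ;;
    info)         printf '%s\n' 6 ;;
    debug)        printf '%s\n' 7 ;;
    *)            printf '%s\n' -1 ;;
  esac
}

# selector_matches SELECTOR FACILITY LEVEL
#   Returns 0 when a message of FACILITY at LEVEL would be routed by SELECTOR,
#   e.g. selector_matches '*.*;local4.none' auth info
selector_matches() {
  spec=$1; fac=$2; lvl=$3
  msg_level=$(level_num "$lvl")
  [ "$msg_level" -ge 0 ] || return 2                  # unknown level keyword
  result=1
  # split on ';' (set -f keeps the '*' in the selector from globbing)
  old_ifs=$IFS; IFS=';'; set -f; set -- $spec; set +f; IFS=$old_ifs
  for sel in "$@"; do
    sel_fac=${sel%%.*}                                 # text before the first '.'
    sel_lvl=${sel#*.}                                  # text after it
    # facility part: '*' or a comma-separated list that must contain the message's facility
    if [ "$sel_fac" != '*' ]; then
      case ",$sel_fac," in *",$fac,"*) ;; *) continue ;; esac
    fi
    case $sel_lvl in
      none) result=1 ;;                                # a later 'none' revokes an earlier match
      '*')  result=0 ;;
      *)    sel_num=$(level_num "$sel_lvl")
            [ "$sel_num" -ge 0 ] || return 2
            [ "$msg_level" -le "$sel_num" ] && result=0 ;;
    esac
  done
  return "$result"
}

# route_report SELECTOR TARGET FACILITY LEVEL -> one-line decision for a message
route_report() {
  if selector_matches "$1" "$3" "$4"; then
    printf '%s.%s -> %s\n' "$3" "$4" "$2"
  else
    printf '%s.%s -> (not matched by "%s")\n' "$3" "$4" "$1"
  fi
}

route_report 'auth.*'          /var/log/auth.log               auth   info
route_report 'local4.*'        /var/log/cisco/ciscorouter.log  local4 info
route_report '*.*;local4.none' /var/log/syslog                 local4 info
route_report '*.*;local4.none' /var/log/syslog                 kern   warning
```

The rule ordering matters in the real file as well: 'local4.*' routed to the Cisco log and '*.*;local4.none' on the catch-all line together give exactly one copy of each router message.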

 

###Syslog-NG###

Features:

 1. All provided by Syslog: facilities.levels

 2. Filtration of content

 

Tasks:

 1. Install syslog-ng

Note: Removes 'rsyslog' by default

 

 2. Explore Syslog-NG configuration

Note: Syslog-NG requires 3 components per configuration (plus a source):

 

Source - required - Unix Domain Sockets, UDP, etc.

 

1. Filter - includes facilities.levels

2. Destination - file, other syslog hosts, console, etc.

3. Log - sends source, filters to destination

 

filter f_local { facility(local4); };

destination d_cisco { file("/var/log/cisco/ciscorouter.log"); };

log { source(s_all); filter(f_local); destination(d_cisco); };

 

Note: 'invoke-rc.d' - equivalent to: 'service' in RedHat, or 'rc' prefix in SuSE Linux

 

4. Extend destination to route to UDP target

destination d_cisco { file("/var/log/cisco/ciscorouter.log"); udp("192.168.75.11"); };

 

5. Filter traffic from Cisco Router & PIX Firewall, using the same facility, to different files:

 

###Cisco Router Block - based on LOCAL4###

filter f_cisco_router { facility(local4) and match("192.168.75.1"); };

destination d_cisco_router { file("/var/log/cisco/ciscorouter.log"); };

log { source(s_all); filter(f_cisco_router); destination(d_cisco_router); };

 

###Cisco Firewall Block - based on LOCAL4###

filter f_cisco_firewall { facility(local4) and match("192.168.75.2"); };

destination d_cisco_firewall { file("/var/log/cisco/ciscofirewall.log"); };

log { source(s_all); filter(f_cisco_firewall); destination(d_cisco_firewall); };

 

 

 

###Log Rotation###

Features:

 1. Auto-rotation of logs based on defined criteria: (size|time)

 2. Compression

 3. Multiple criteria

 4. Supports forced rotations, overriding criteria

 

Tasks:

 1. Explore 'logrotate' package

/etc/logrotate.d - monitored directory (Default)

/etc/logrotate.conf - primary config file - contains sensible defaults

Note: If a log file does NOT have a more specific logrotate file, the global file directives apply

/etc/cron.daily/logrotate - executes daily

 

Note: Logrotate will rotate any log file regardless of the source generator

 

 2. Define Cisco log rotation rules in: /etc/logrotate.d/syslog-ng

Note: We reference the: /etc/logrotate.d/syslog-ng file because syslog-ng governs the logging of messages received from the Cisco devices

Note: However, you may place your directives in ANY of the included log files

 

  a. 'logrotate -v -d /etc/logrotate.conf' - rotate simulation

 

 

###Common Network Utilities###

Features:

 1. Find other hosts - PING

 2. Check service availability | ability - Telnet

 3. Network statistics - netstat

 4. Interface configuration - ifconfig

 5. Path to remote systems - traceroute, tracepath

 6. Name resolutions - nslookup , dig, host, whois

 

 

Tasks:

 1. Packet Internet Network Groper (PING) - Diagnostics Utility

  a. 'ping hostname' - sends an unlimited number of packets, by default

   a1. 'ping -c 3 hostname' - sends 3 packets to remote host

Note: PING generates ICMP echo-requests and expects ICMP echo-replies from the target

 

 2. Telnet - tests availability of remote ports | also provides TTYs

  a. 'telnet 192.168.75.1 80' - checks connectivity to TCP:80

Note: You may test ports: 0-65535 || 2^16

 

 3. Netstat

  a. 'netstat -a' - returns ALL sockets: UDP:TCP:Unix

  b. 'netstat -nulp' - reveals UDP listeners sans name resolution, but with programs/PIDs

  c. 'netstat -ntlp' - "" TCP ""

  d. 'netstat -i' - dumps active interfaces

  e. 'netstat -rn' - dumps routing table

 

 4. Address Resolution Protocol (ARP) - translates between layer2 & layer3 addresses

Note: Every NIC contains a unique layer-2 MAC address

  a. 'arp' - dumps the ARP table

  b. 'arp -n' - excludes name resolution

  c. 'arp -d IP' - deletes entry from ARP table

 

Note: Arp will use the entry for your gateway when communicating with routed hosts

 

 5. Traceroute - traces path between client & server || host-A & host-B

Supports multiple methods: ICMP, UDP, TCP

Uses ICMP TTL to determine number of hops between source and destination

Note: Initial ICMP TTL = 1 - for your default gateway

Note: After discerning default GW, traceroute increments ICMP TTL to 2.

Note: Default method is to use UDP:33434 & increment per hop found

Note: However, default method isn't always fruitful. Try other methods: ICMP, TCP

  a. 'traceroute 192.168.75.1' - default route

  b. 'traceroute www.linuxcbt.com'

 

ICMP TTL HOST Probe1 Probe2 Probe3

  1  192.168.75.1 (192.168.75.1)  0.643 ms  0.471 ms  0.547 ms

 2  bras11-l0.mrdnct.sbcglobal.net (204.60.4.47)  12.760 ms  14.205 ms  16.387 ms

 

  c. 'tracepath www.linuxcbt.com' - returns route and MTUs if possible

 

Nslookup - Non-interactive | Interactive - searches default DNS servers: /etc/resolv.conf

  1. 'nslookup www.linuxcbt.com' - non-interactive query

  2. 'nslookup' - enters interactive mode

 

DIG - non-interactive

  1. 'dig www.linuxcbt.com'

  2. 'dig linuxcbt.com mx | ns' - returns mx | ns records respectively

  3. ' dig -x IP ' - reverses the query and returns the PTR record

 

Host - non-interactive

  1. 'host www.linuxcbt.com' - returns forward IP address

  2. 'host -C linuxcbt.com' - returns SOA records

 

Whois - Searches for various objects: IPs, domains, etc.

  1. 'whois linuxcbt.com'

 

 

###IPv4 Configurations###

Features:

 1. Interface Configuration - 'ifconfig'

 2. DHCP and/or Static Configuration support

 3. Virtual (sub) interfaces - IPv4 aliases

 4. Displays important metadata for various OSI layers, errors, diagnostics, etc.

 

Tasks:

 1. 'ifconfig' - dumps current configuration of active interfaces

Note: You should ALWAYS see the 'loopback' interface

Note: 'gnome-nettool' - provides ifconfig info., as well as various utilities

 

 2. Use 'ifconfig' to define a new IPv4 sub-interface of: eth0

  a. 'ifconfig eth0:1 192.168.75.31' - temporarily assigns the address for the uptime of the box

Note: Sub-interfaces allow applications, i.e. Apache, to bind services to them

 

 3. Restart 'networking' service and confirm interface availability

Note: temporary sub-interface survives restart of 'networking' service, but NOT stop|start

 

 4. Ensure that sub-interface persists reboots

  a. '/etc/network/interfaces' - primary interface configuration file

   b. 'ping -I 192.168.75.32 192.168.75.31' - pings one sub-interface from the other ('-I' selects the source address)

 5. Explore ALL interfaces:

  a. 'ifconfig -a' - enumerates ALL active | non-active interfaces

 

 6. Remove interfaces:

  a. 'ifconfig eth0:1 down' - removes for the session: eth0:1 (192.168.75.31)

  b. 'ifconfig eth0:2 down' - removes for the session: eth0:2 (192.168.75.32)

 

 

###IPv6 Configuration###

Features:

 1. Self-configuring

 2. Based on 128-bit addresses, vs. the 32-bit IPv4 address space (approx. 4 billion addresses)

 3. Enabled by default

 4. Typically configured via router

 5. Incorporates the MAC address of the connecting NIC

Note: MAC addresses use 48-bits

 6. IPv6 addresses are typically subnetted with /64, which means: 64 bits for the network prefix & 64 bits for the host (interface ID)

 

Tasks:

 1. Explore ifconfig configuration

inet6 addr: ::1/128 Scope:Host - loopback configuration

 

'ifconfig'

eth0      Link encap:Ethernet  HWaddr 00:0c:29:4d:e5:2c  

          inet addr:192.168.75.30  Bcast:192.168.75.255  Mask:255.255.255.0

          inet6 addr: 2002:4687:db25:2:20c:29ff:fe4d:e52c/64 Scope:Global

          inet6 addr: fe80::20c:29ff:fe4d:e52c/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:2269277 errors:0 dropped:0 overruns:0 frame:0

          TX packets:2204154 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:159602581 (152.2 MiB)  TX bytes:1029103297 (981.4 MiB)

          Interrupt:18 Base address:0x1400 

 

 

Note: IPv6 interfaces define, by default, a link-local address that is valid only within the layer-2 broadcast domain (VLAN)

Note: Routable IPv6 interfaces will also auto-configure IPv6 addresses from edge devices: routers, firewalls, layer-3 switches

 

inet6 addr: fe80::20c:29ff:fe4d:e52c/64 Scope:Link

Note: IPv6 notation permits leading zeroes within each 16-bit group to be omitted

 

6-to-4 Address configured on router and distributed automatically:

6-to-4 Addresses include:

 1. 2002 prefix - 48-bits

 2. Embedded IPv4 routable address - 32-bits

 3. MAC address of the host - 48-bits

inet6 addr: 2002:4687:db25:2:20c:29ff:fe4d:e52c/64 Scope:Global

 

Note: IPv6 addresses fully reveal your client's, or NIC's, identity, as well as your IPv4 Internet presence if using 6-to-4 routing

 

Note: Edge devices, including DHCP6 servers, simply provide the IPv6 prefix. i.e. /64
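Worked example (added here, not part of the LinuxCBT notes): decoding what the 6-to-4 address shown above gives away, using only Python's standard ipaddress module. The 6-to-4 and link-local addresses are the ones from the ifconfig dump; the randomised address used to show the non-EUI-64 case is constructed.

```python
import ipaddress

# The first two addresses are copied from the ifconfig output in these notes; the
# privacy-extension style address is constructed to show the non-EUI-64 case.
SAMPLE_6TO4 = "2002:4687:db25:2:20c:29ff:fe4d:e52c"
SAMPLE_LINK_LOCAL = "fe80::20c:29ff:fe4d:e52c"
SAMPLE_RANDOMISED = "2002:4687:db25:2:1d3a:9c4e:7b21:f0a8"
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")


def mac_from_interface_id(iid):
    """Recover the 48-bit MAC from a modified EUI-64 interface ID (8 bytes).

    Returns None when the interface ID is not EUI-64 shaped, e.g. a randomised
    privacy-extension address (RFC 4941), which is what hides the NIC identity.
    """
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    first_octet = iid[0] ^ 0x02            # undo the universal/local bit flip (RFC 4291)
    octets = bytes([first_octet]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def mac_from_ipv6(addr_text):
    """NIC MAC from any address with a /64 interface ID (link-local, 6to4, global)."""
    return mac_from_interface_id(ipaddress.IPv6Address(addr_text).packed[8:])


def decode_6to4(addr_text):
    """Break a 6to4 address into the pieces an outside observer can read off it."""
    addr = ipaddress.IPv6Address(addr_text)
    if addr not in SIXTO4_PREFIX:
        raise ValueError(f"{addr} is not a 6to4 (2002::/16) address")
    raw = addr.packed                      # 16 bytes, every leading zero expanded
    return {
        # bits 16-47 carry the IPv4 address of the site's 6to4 router
        "ipv4": str(ipaddress.IPv4Address(raw[2:6])),
        # bits 48-63 are the site subnet ID (the ':2:' group in the sample)
        "subnet_id": int.from_bytes(raw[6:8], "big"),
        # bits 64-127: interface ID, here modified EUI-64 built from the MAC
        "interface_id": raw[8:].hex(),
        "mac": mac_from_interface_id(raw[8:]),
    }


if __name__ == "__main__":
    print(decode_6to4(SAMPLE_6TO4))             # embedded IPv4 router address and NIC MAC
    print(mac_from_ipv6(SAMPLE_LINK_LOCAL))     # the same MAC, read from the link-local address
    print(mac_from_ipv6(SAMPLE_RANDOMISED))     # None: nothing to recover
```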

 

 

###Trivial File Transfer Protocol###

Features:

 1. Fast, connectionless (UDP-based) file transfers

 2. Used primarily with network devices: routers, switches, firewalls, VOIP phones, PXE clients

 3. PXE installations/booting support

 4. Runs via INETD

 

Task:

 1. Install 'atftpd' & 'atftp'

Note: Default installation sets-up: /etc/inetd.conf & invokes the service

Note: Default configuration binds to: UDP:69

Note: Default monitor directory: /var/lib/tftpboot

 

 

 2. Backup Router configuration via ATFTPD

  a. 'copy running-config tftp://192.168.75.30/ciscorouter.config'

 

Note: ATFTPD auto-configures the appropriate permissions to facilitate writes to directory

  b. Pull configuration from ATFTPD

   b1. 'copy tftp://192.168.75.30/ciscorouter.config running-config'

   b2. 'wr mem' - copies running-config startup-config - for persistence across reboots

 

 3. Backup Firewall Configuration via ATFTPD

  a. 'tftp-server inside 192.168.75.30 /pixfirewall.config' - sets variable in PIX config

  b. 'wr mem' - saves configuration for persistence

  c. 'wr net' - dumps configuration to Net location

 

 4. Connect from Linux TFTP client on RedHat box

  a. install 'tftp' client

  b. 'tftp -v 192.168.75.30 -c get ciscorouter.config' - get file from TFTP server

  c. 'tftp -v 192.168.75.30 -c put scp*' - put file to TFTP server

 

 

###File Transfer Protocol Daemon Service###

Features:

 1. Supports authentication

 2. Connection-oriented - TCP:21 - control channel, arbitrary TCP ports for data channels

 3. Supports Passive and Active communications

  a. Active = fixed port - TCP:20

  b. Passive = dynamically allocated ports - TCP:55000 - 56000

 

Tasks:

 1. Explore configuration

/etc/vsftpd.conf - primary config file

/etc/logrotate.d/vsftpd

/etc/init.d/vsftpd - standalone /etc/init.d runscript

 

Note: Post-installation, VSFTPD runs as an anonymous, IPv4 FTPD server

 

 2. Enable Anonymous access

  a. uncomment anonymous-related directives

 

 3. Enable local users & chroot them

  a. 'local_enable=YES' - enables authenticated access

  b. 'chroot_local_user=YES' - forces chroot jail 

 

 

 

###LFTP###

Features:

 1. Sophisticated FTP client access

 2. FTP, FTPS, SFTP, HTTP - multiple protocols

 3. Content mirroring - forward (default/pull) and reverse (put)

 4. Functions: interactively/non-interactively

 5. Scriptable - batch-mode

 6. Maintains command-history

 7. Interactive environment is BASH-like

 8. Supports tab-completion

 

Tasks:

 1. Explore package contents

/usr/bin/lftp - key binary

/etc/lftp.conf - key global config

 

Note: 'set -a' - produces the possible directives supported by LFTP

 

 

 2. Upload/Download items

  a. 'open -u linuxcbt localhost' - connects to local FTPD

Note: This simply builds the connection string. The connection will not be used until a command that requires the connection is executed. i.e. 'ls'

Note: FTP Servers maintain control (credentials) and data (data transfers) connections

 

  b. '!bash' - exits temporarily to the shell

 

 3. Create a simple script to upload and download items

  a. 'lftp -f lftpscript1.lftp' - executes LFTP non-interactively, batch-mode

 

 4. Download using HTTP

  a. 'lftp http://192.168.75.50/RH54' - allows you to explore HTTP server

 

 5. Upload/Download using SSH

  a. 'lftp -u linuxcbt sftp://192.168.75.50'

 

 6. Rate-limit

  a. 'set net:limit-rate 500' - limits transfers to 500Bps

 

 7. Background/Foreground jobs

  a. 'CTRL-Z'

  b. 'fg' - brings the job to the foreground

  c. 'jobs' - enumerates current job status

 

 8. Mirroring

  a. 'mirror -v work/' - mirrors 'work' directory by pulling to client

  b. 'mirror -v -R work/' - mirrors 'work' directory remotely by putting differences

 

Note: If you need to pull items non-interactively, consider: 'wget' and/or 'curl'

 

###TelnetD###

Features:

 1. Virtual Terminal Access: vty

 2. Clear-text based: not secure, but fast

 3. May save you in the event that SSH is unavailable

 

 

Tasks:

 1. Installation - installs via INETD and enables by default

 2. Test connectivity

Note: Default Debian installation does NOT install SSHD, however, SSH client is installed

Note: Successful Telnet authentication will echo: /etc/motd

Note: Install telnetd, but disable in: /etc/inetd.conf until needed

Note: INETD is managed via: /etc/init.d/openbsd-inetd

Note: INETD-spawned services/daemons remain open/running until sessions have been terminated

Note: TELNETD uses the same PTS, or, pseudo-terminal allocation as SSHD

Note: TELNETD supports SSL, however, client support is sparse. Use SSHD instead

Note: TELNETD is NOT a SECURETTY, and 'root' may not use it by default

Note: SSHD shares the same pseudo-terminals, however, SSHD is inherently secure

 

 

###Dynamic Host Configuration Protocol (DHCP)###

Features:

 1. Automatic client configuration

  a. IP address

  b. subnet mask

  c. default gateway/router

  d. WINS server(s)

  e. NTP server(s)

  f. PXE configuration

 2. UDP-based

 3. Broadcast-based

 

 

Tasks:

 1. Disable DHCP on Cisco router

  a. 'no ip dhcp pool DEFAULT75'

 

 2. Install DHCP Server

  a. 'dpkg -L dhcp3-server' - enumerates embedded files

/etc/dhcp3/dhcpd.conf - primary config file

/var/lib/dhcp3 - primary container for leases

 

 3. Prep /etc/dhcp3/dhcpd.conf for production

 

# 192.168.75.x Definition

subnet 192.168.75.0 netmask 255.255.255.0 {

  range 192.168.75.20 192.168.75.49;

#  option domain-name-servers ns1.internal.example.org;

  option domain-name "linuxcbt.internal";

  option routers 192.168.75.1;

  option broadcast-address 192.168.75.255;

#  default-lease-time 600;

#  max-lease-time 7200;

}

 

 4. Route LOCAL7 via Syslog

 

 5. Start DHCP server and test configuration

 

dhcpd.leases - primary lease file

 

Note: DHCP clients & servers participate in the: DORA process

Discover Offer Response Acknowledgement (DORA)

 

lease 192.168.75.20 {

  starts 4 2010/03/18 14:47:57;

  ends 5 2010/03/19 14:47:57;

  cltt 4 2010/03/18 14:47:57;

  binding state active;

  next binding state free;

  hardware ethernet 00:11:43:76:1f:67;

  uid "\001\000\021Cv\037g";

  client-hostname "linuxcbtwin3";

}
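Added example (not from the notes): a small parser for the dhcpd.leases block above that decodes the octal-escaped 'uid' client identifier and checks it against the 'hardware ethernet' address, a quick lease-audit sanity check. The only input is the lease text shown above.

```python
import re
from datetime import datetime, timezone

# Lease block constructed from the dhcpd.leases excerpt in these notes (a raw string
# keeps the octal escapes exactly as dhcpd writes them).
SAMPLE_LEASES = r'''
lease 192.168.75.20 {
  starts 4 2010/03/18 14:47:57;
  ends 5 2010/03/19 14:47:57;
  cltt 4 2010/03/18 14:47:57;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:43:76:1f:67;
  uid "\001\000\021Cv\037g";
  client-hostname "linuxcbtwin3";
}
'''

LEASE_RE = re.compile(r'lease\s+(\S+)\s*\{(.*?)\}', re.DOTALL)
TIME_FMT = "%Y/%m/%d %H:%M:%S"      # dhcpd writes "weekday YYYY/MM/DD HH:MM:SS" in UTC


def decode_dhcpd_string(text):
    """Turn the body of a dhcpd quoted string back into bytes.

    dhcpd prints printable ASCII as-is and everything else as \\ooo octal escapes;
    backslash and double quote are escaped with a backslash.
    """
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] != "\\":
            out.append(ord(text[i]))
            i += 1
        elif text[i + 1].isdigit():             # \ooo: exactly three octal digits
            out.append(int(text[i + 1:i + 4], 8))
            i += 4
        else:                                   # \\ or \"
            out.append(ord(text[i + 1]))
            i += 2
    return bytes(out)


def parse_time(value):
    """'4 2010/03/18 14:47:57' -> aware UTC datetime (the leading weekday is dropped)."""
    _weekday, stamp = value.split(" ", 1)
    return datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Return one dict per lease block with the fields a lease audit needs."""
    leases = []
    for ip, body in LEASE_RE.findall(text):
        lease = {"ip": ip}
        for stmt in body.split(";"):
            stmt = stmt.strip()
            if not stmt:
                continue
            key, _, value = stmt.partition(" ")
            if key in ("starts", "ends", "cltt"):
                lease[key] = parse_time(value)
            elif key == "hardware":
                lease["hardware"] = value.split()[-1].lower()   # "ethernet 00:11:..."
            elif key == "uid":
                lease["uid"] = decode_dhcpd_string(value.strip('"'))
            elif key == "client-hostname":
                lease["hostname"] = value.strip('"')
            elif key == "binding":
                lease["state"] = value.split()[-1]              # "state active"
            elif key == "next":
                lease["next_state"] = value.split()[-1]         # "binding state free"
        leases.append(lease)
    return leases


def uid_matches_hardware(lease):
    """A type-1 client identifier is just the Ethernet MAC; report whether it agrees
    with the hardware address dhcpd saw on the wire. None = not a type-1 identifier."""
    uid = lease.get("uid", b"")
    if len(uid) != 7 or uid[0] != 1:
        return None
    mac = ":".join(f"{b:02x}" for b in uid[1:])
    return mac == lease.get("hardware")


def lease_duration_seconds(lease):
    return int((lease["ends"] - lease["starts"]).total_seconds())
```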

 

 

###BIND - DNS###

Features:

 1. Name-to-IP resolution - forward DNS

 2. IP-to-Name resolution - reverse DNS

 

Tasks:

 1. Install BIND

/etc/bind/named.conf - primary config file

/usr/sbin/named - primary DNS server binary

 

 2. Update DHCP to route clients to BIND instance

 

 3. Default Caching-Only instance

 

 4. Query the DNS server from multiple hosts

  a. 'dig @192.168.75.30 www.linuxcbt.com'

Note: Caching-only servers hold records for the TTL duration permitted by the authoritative name servers

Note: The initial query is usually considerably slower than subsequent (cached) queries

Note: DNS records may share or sport distinct TTLs

 

 5. Setup Primary DNS - NS - Authoritative server for a zone

  a. Use: /etc/bind/db.local as template

  b. define 'linuxcbt.internal'

  c. Updated: /etc/bind/named.conf.local to reference the zone: 'linuxcbt.internal'

  d. Restart named

  e. Perform queries against primary DNS server from various clients

Note: Primary DNS configuration does not disable caching-only configuration. It's cumulative

 

 

 6. Setup Secondary DNS - NS - Authoritative server for a zone

  a. Use: /etc/bind/db.linuxcbt.internal as template

 

zone "linuxcbt.internal" {

        type slave;

        file "slaves/linuxcbt.slave.internal.zone.db";

        masters { 192.168.75.30; };

        // put slave zones in the slaves/ directory so named can update them

};

 

 

 

 7. Reverse DNS configuration - IPv4

  a. Will use: '*.in-addr.arpa'

  a1. '75.168.192.in-addr.arpa'

  a2. 'cp db.127 db.192.168.75' - copy template reverse file & include reverse records for NS servers

  a3. update: /etc/bind/named.conf.local

zone "75.168.192.in-addr.arpa" {

        type master;

        file "/etc/bind/db.192.168.75";

};

 a4. Restart & test with queries

  a4.1 'dig @192.168.75.30 -x 192.168.75.30' - executes reverse query against specific DNS box

 a5. Include more reverse records

 

 a6. Replicate reverse IPv4 zone to secondary system

 ###Our Slave Zone for: 192.168.75.0/24###

zone "75.168.192.in-addr.arpa" {

        type slave;

        file "slaves/db.192.168.75.zone";

        masters { 192.168.75.30; };

        // put slave zones in the slaves/ directory so named can update them

};

 

 

8. Reverse zone for: IPv6

Note: Reverse IPv6 zone requires: reverse nibble notation

Note: A nibble is half a byte, or 4 bits

2002:4687:db25:2:20c:29ff:fe4d:e52c/64

2 0 0 2 4 6 8 7...

 

 

 a. Define a zone statement to handle the reverse IPv6 zone

Note: Split the 128-bit address into 2 regions, subnet ID / host ID, i.e. /64-based

Note: Reverse the bits of the network using nibble notation

Note: Be sure to expand all zeroes!

2002:4687:db25:2:

2002:4687:db25:0002

 

 zone "2.0.0.0.5.2.b.d.7.8.6.4.2.0.0.2.ip6.arpa" {

    type master;

    file "db.2.0.0.0.5.2.b.d.7.8.6.4.2.0.0.2.ip6.arpa";

 };

 

 b. Define individual IPv6 reverse entries based on: right-most host ID

2002:4687:db25:2: 20c:29ff:fe4d:e52c/64 - linuxcbtdeb1

 

 c.2.5.e.d.4.e.f.f.f.9.2.c.0.2.0    IN    PTR    linuxcbtdeb1.linuxcbt.internal.

 

 d. Perform reverse queries

  'dig @192.168.75.30 -x 2002:4687:db25:2:20c:29ff:fe4d:e52c'

 

 e. Insert reverse IPv6 addresses for other hosts

2002:4687:db25:2:202:b3ff:feb8:a00

 

  '0.0.a.0.8.b.e.f.f.f.3.b.2.0.2.0    IN    PTR    linuxcbtsuse1.linuxcbt.internal.'

 

2002:4687:db25:2:20c:29ff:fe75:3bf6

 

  ' 6.f.b.3.5.7.e.f.f.f.9.2.c.0.2.0    IN    PTR    linuxcbtserv1.linuxcbt.internal.'

 

 f. Replicate configuration to RedHat server
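Added example (not part of the notes): generating the in-addr.arpa and ip6.arpa zone names and the nibble-reversed PTR owners that steps 7 and 8 work out by hand, using Python's ipaddress module so the zero expansion is never done by eye. The prefixes and the three host addresses are the ones above.

```python
import ipaddress

# Prefix and hosts taken from the reverse-zone walkthrough in these notes
ZONE_PREFIX = "2002:4687:db25:2::/64"
HOSTS = {
    "2002:4687:db25:2:20c:29ff:fe4d:e52c": "linuxcbtdeb1.linuxcbt.internal.",
    "2002:4687:db25:2:202:b3ff:feb8:a00": "linuxcbtsuse1.linuxcbt.internal.",
    "2002:4687:db25:2:20c:29ff:fe75:3bf6": "linuxcbtserv1.linuxcbt.internal.",
}


def nibbles(addr):
    """All 32 hex digits of an IPv6 address, every zero expanded ('::' included)."""
    return addr.exploded.replace(":", "")


def reverse_zone_name_v4(prefix_text):
    """in-addr.arpa zone for an IPv4 prefix: network octets reversed, host octets dropped."""
    net = ipaddress.IPv4Network(prefix_text, strict=False)
    if net.prefixlen % 8:
        raise ValueError("classic in-addr.arpa delegations fall on octet boundaries")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zone_name(prefix_text):
    """ip6.arpa zone for an IPv6 prefix: network nibbles reversed, host nibbles dropped."""
    net = ipaddress.IPv6Network(prefix_text, strict=False)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegations fall on nibble (4-bit) boundaries")
    net_nibbles = nibbles(net.network_address)[: net.prefixlen // 4]
    return ".".join(reversed(net_nibbles)) + ".ip6.arpa"


def ptr_owner(addr_text, prefix_text):
    """Zone-relative owner name for a host: host-ID nibbles, right-most first."""
    net = ipaddress.IPv6Network(prefix_text, strict=False)
    addr = ipaddress.IPv6Address(addr_text)
    if addr not in net:
        raise ValueError(f"{addr} is outside {net}")
    host_nibbles = nibbles(addr)[net.prefixlen // 4:]
    owner = ".".join(reversed(host_nibbles))
    # Self-check: owner + zone must equal the full reverse pointer the stdlib computes
    if f"{owner}.{reverse_zone_name(prefix_text)}" != addr.reverse_pointer:
        raise AssertionError("nibble reversal disagrees with ipaddress.reverse_pointer")
    return owner


def reverse_zone_records(prefix_text, hosts):
    """Render the PTR lines for the zone file, with relative owners as in the notes."""
    return [f"{ptr_owner(a, prefix_text)}    IN    PTR    {fqdn}" for a, fqdn in hosts.items()]


if __name__ == "__main__":
    print(reverse_zone_name_v4("192.168.75.0/24"))
    print(reverse_zone_name(ZONE_PREFIX))
    print("\n".join(reverse_zone_records(ZONE_PREFIX, HOSTS)))
```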

 

 

###Samba###

Features:

 1. Lan Manager/NETBIOS-like server for Linux | Unix -based systems

 2. Publish shares

 3. Publish printers

 4. Authenticate to AD

 

 

Tasks:

 1. Install Samba support

Note: Either client or server requires the 'samba-common' package

 

Note: 'smb.conf' is the primary config file with settings for: clients & servers

 

 2. Explore key clients

  a. /usr/bin/smbtree - functions akin to Network Neighborhood (enumerates SMB hosts) - uses broadcast and WINS (if defined)

 - Also returns workgroups, and shares

  b. 'smbtree'

 

/usr/bin/smbclient - permits connections to shares - interactively - FTP-like

Note: MacOSX also includes 'smbclient'

  c. 'smbclient -U dean //linuxcbtwin1/LinuxCBT'

 

 

  d. SMBGet - like 'wget'

   d1. 'smbget -u administrator smb://linuxcbtwin1/LinuxCBT/1million.txt'

 

  e. SMBTar - like 'smbget' but rolls items into a tarball

   e1. 'smbtar -s linuxcbtwin1 -x temp2 -p "abc123" -u dean -t linuxcbtwin1.backup.tar'

 

 

 3. Install Samba Server

  a. Explore the configuration

Note: Samba is implemented primarily as 2 daemons:

 1. 'smbd' - server message block daemon - SMB/CIFS requests for file & print services

 2. 'nmbd' - name registrations - WINS connectivity

 

/etc/init.d/samba - INIT script for both daemons

/etc/samba - top-level container (directory) for Samba configuration files

/usr/sbin/nmbd - NETBIOS Name Daemon

/usr/sbin/smbd - SMB/CIFS - File & Print Server

/etc/samba/smb.conf - primary, monolithic config file, managed manually and/or by SWAT

Note: It is recommended that you select 1 method of: smb.conf management: SWAT or manual

Note: /var/log/samba/log.%m - each SMB/CIFS client spawns a distinct log file

 

  b. Start Samba Server

   b1. 'invoke-rc.d samba start' - this starts 'smbd' & 'nmbd'

 

Note: 'smbd' binds to TCP:139 for IPv4 & IPv6 for SMB service

Note: 'smbd' ALSO binds to TCP:445 for IPv4 & IPv6 for CIFS services

Note: 'nmbd' binds to UDP:137 & UDP:138 for NETBIOS Name support

Note: Samba dynamically generates $HOME shares for connecting clients

Note: These $HOME shares do NOT appear in 'smbtree' dumps

 

 

###Samba Web Administration Tool (SWAT)###

Features:

 1. Web-GUI to manage Samba

 

/usr/sbin/swat - primary binary

 

Tasks:

 1. Explore Interface

  1a. http://localhost:901

  1b. Documentation

  1c. Globals - globals area of: smb.conf - global directives - NETBIOS Name, Network info, etc.

 

Note: SWAT, upon invocation, loads directives from: smb.conf

Note: SWAT presents 2 views:

 1. Basic - reflects commonly-referenced, important, directives

 2. Advanced - reflects ALL Samba-supported directives

 

 2. Manage Users using 'smbpasswd'

  2a. 'smbpasswd -a linuxcbt'

 

###NFS###

Features:

 1. Transparent access to remote file systems

 2. Ability to consolidate and centralize storage

 3. Roaming users

 

 

Tasks:

 1. Explore client package: 'nfs-common'

  1a. 'showmount linuxcbtdeb1'

 

 2. Install NFS-Kernel-Server

 

 3. Export directories

  3a. 'nano /etc/exports' - include '/public' - read only

  3b. 'showmount --all linuxcbtdeb1' - reveals currently mounted systems and shares

  3c. publish content: /public with various permissions for various hosts

    'nano /etc/exports' - include updates

    'exportfs -r' - re-exports items listed in: /etc/exports - removes old rule(s) and publishes new rules

Note: By default, 'root_squash' is enabled on ALL NFS exports

Note: Root squashing equates the client 'root' user to the server's 'nobody' user

 

 

###File System in User Space (FUSE)###

Features:

 1. Permits non-root users the ability to mount FSs into user-space

 

 

Tasks:

 1. Install fuse-utils & fuseiso

  1a. using Synaptic

 2. Download ISO image

 3. Use FUSE (fuseiso) to mount the image

  3a. 'fuseiso -p filename.iso isotemp/' - auto-creates 'isotemp/' target and deletes it upon closing/unmounting

Note: FUSE mounts using i.e. 'fuseiso' are viewable by the owner of the mount only, by default

Note: /etc/

 

Note: non-root users must be made members of: 'fuse' group in order to use 'fuse'

 

 4. Install SSHD - so we may generate a new environment for the user to use 'fuse'

Note: By default, even 'root' is unable to interact with FUSE-mounted virtual file systems mounted by other users

 

Note: http://fuse.sourceforge.net/ - explore other modules

Note: Underlying FS is ultimately responsible for DAC permissions

 

 

###Apache Web Server###

Features:

 1. De facto standard HTTP server

 2. Modular

 3. Supports IPv6 (implies IPv4) by default

 

Tasks:

 1. Confirm installation/explore packages

/etc/apache2 - top-level, configuration file container

/etc/apache2/conf.d - top-level configuration script container

/etc/apache2/conf.d/apache2-doc - documentation config directives

/etc/apache2/httpd.conf - traditionally the primary configuration file, from which all other config files are included; in Debian, however, that role is filled by: apache2.conf

 

###Aliases re-route user requests from web-space to file-system space###

Alias /manual /usr/share/doc/apache2-doc/manual/

 

<Directory "/usr/share/doc/apache2-doc/manual/">

    Options Indexes FollowSymlinks

    # Ensures that .htaccess directives do NOT apply

    AllowOverride None

    Order allow,deny

    Allow from all

    AddDefaultCharset off

</Directory>

 

ports.conf - contains IP binding information

Note: Apache is started as 'root' and then subsequent processes (children) run as non-privileged user

 

 

ErrorLog /var/log/apache2/error.log - global error log. Applies to ALL virtual hosts if undefined at the virtual host level

Note: Apache directives flow top-down. If a directive is undefined at the virtual host level, the default host (apache2.conf|httpd.conf) directive(s) will apply

 

Modules:

 1. 'mods-available' - repository of *.conf & *.load items

 2. 'mods-enabled' - symlinked items to 'mods-available'

Note: *.load files contain 'LoadModule' statements to load the *.so file

 

 1. 'sites-available' - repository of sites (virtual hosts)

 2. 'sites-enabled' - symlinks to 'sites-available'

 

/etc/apache2/sites-available/default:

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ - like Alias, but permits CGI script execution

 

 

Alias /doc/ "/usr/share/doc/" - permits HTTP access to system documentation

Note: Trailing '/' MUST be preserved by connecting client

 

 

###Apache Logs###

Features:

 1. Extracts from client-server communications

 

 

Tasks:

 1. Explore the default log configuration

/etc/apache2/apache2.conf - contains the default formats

Note: Apache supports 2 types of logs:

 1. Error log (error.log) - traps errors from: debug - emergency - bad messages

 2. Access log (access.log) - traps connection messages for content - good messages

Both files are located in: /var/log/apache2

 

/etc/apache2/apache2.conf

 

Syntax: LogFormat One_or_more_vars nickname/alias

 

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

LogFormat "%h %l %u %t \"%r\" %>s %b" common

LogFormat "%{Referer}i -> %U" referer

LogFormat "%{User-agent}i" agent

#     

# Define an access log for VirtualHosts that don't define their own logfile

CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined

 

LogFormat Vars:

%v - name of the virtual host that created the log entry

%p - port of the virtual host

%h - connecting host's IP address, by default

%l - ident check, note: usually non-existent '-'

%u - connecting user name - will be present wherever authentication is used. i.e. Basic, digest, etc.

%t - timestamp of the connection, from the server's perspective

%r - request method - i.e. GET/POST/etc.

%s - status code returned to client ('%>s' logs the final status after any internal redirect) - i.e. 200(good),300(redirects),400(content error),500(server error)

%b - size of content returned to client - optional '%B' - logs '0' instead of '-'

%{Referer}i - who sent you here (note Apache's single-'r' spelling of the header)

%{User-agent}i - connecting Browser: IE, Firefox, Chrome, iPhone, Droid, etc.

 

Note: Apache writes each entry to every log configured for it, which means you may configure a virtual host to log to separate files simultaneously

 

###Sample Log Entry##

127.0.0.1 - - [22/Mar/2010:12:02:48 -0400] "GET /manual/en/mod/mod_log_config.html HTTP/1.1" 200 6959 "http://localhost/manual/en/logs.html" "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.18) Gecko/20080528 Epiphany/2.22"

 

Note: Errors pertaining to content access (4xx), and server errors (5xx) will appear in: /var/log/apache2/error.log

 

Note: 2xx (successful) responses are reflected in the access.log file
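Added example (not from the notes): a parser for the 'combined' LogFormat, fed the sample entry above plus one constructed 404 line to show the '-' byte count, with a per-client status-class tally as a first log-review pass.

```python
import re
from datetime import datetime

# First line is the sample entry from these notes; the second is constructed to show
# a 4xx status and the '-' that %b logs when no body was sent.
SAMPLE_LOG = [
    '127.0.0.1 - - [22/Mar/2010:12:02:48 -0400] "GET /manual/en/mod/mod_log_config.html HTTP/1.1" 200 6959 "http://localhost/manual/en/logs.html" "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.18) Gecko/20080528 Epiphany/2.22"',
    '192.168.75.101 - - [22/Mar/2010:12:03:10 -0400] "GET /doc/missing.html HTTP/1.1" 404 - "-" "-"',
]

# One named group per token of the 'combined' format:
#   %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
# Quoted fields may contain backslash-escaped quotes, hence (?:[^"\\]|\\.)*
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"       # %t as written by Apache, e.g. 22/Mar/2010:12:02:48 -0400


def parse_combined(line):
    """Return a dict of typed fields for one access.log line, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], TIME_FMT)     # timezone-aware
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])   # %b: '-' means none
    parts = entry["request"].split(" ")                              # "%r" = method path protocol
    entry["method"], entry["path"], entry["protocol"] = (parts + ["", "", ""])[:3]
    for key in ("ident", "user", "referer", "agent"):                # '-' = not present
        if entry[key] == "-":
            entry[key] = None
    return entry


def status_class_counts(lines):
    """Tally lines by (client, status class): a first cut at spotting noisy 4xx/5xx sources."""
    counts = {}
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            counts["unparsed"] = counts.get("unparsed", 0) + 1
            continue
        key = (entry["host"], f"{entry['status'] // 100}xx")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_combined(line))
    print(status_class_counts(SAMPLE_LOG))
```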

 

###Virtual Hosts###

Features:

 1. IP-based - one IP per site

 2. Name-based - shared IP address across sites

 

Tasks:

 1. Explore Default Host configuration

<VirtualHost IP[:Port]>

    One or more directives

    ServerName

    DocumentRoot

    <Directory *>

    </Directory>

</VirtualHost>

 

 2. Define users and setup virtual hosts for those users

 

Site1 (Name-based VHost):

<VirtualHost *:80>

    #One or more directives

    ServerName site1.linuxcbt.internal

    DocumentRoot /home/site1/wwww

    <Directory /home/site1/wwww>

        Options -Indexes FollowSymLinks -MultiViews

        AllowOverride None

        Order allow,deny

        allow from all

    </Directory>

</VirtualHost>

 

    b. Update DNS to include new site

 

Repeat for second client: (site2)

Site2 (Name-based VHost):

<VirtualHost *:80>

    #One or more directives

    ServerName site2.linuxcbt.internal

    DocumentRoot /home/site2/wwww

    <Directory /home/site2/wwww>

        Options -Indexes FollowSymLinks -MultiViews

        AllowOverride None

        Order allow,deny

        allow from all

    </Directory>

</VirtualHost>

 

    b. Update DNS to include new site

 

Note: Apache serves content from the Default Virtual host if the request URI doesn't match any of the defined virtual hosts

 

 

3. Reconfigure Name-based virtual hosts to be IP-based virtual hosts

Note: After VHosts update, be sure to update DNS

 

 

###Apache SSL###

Features:

 1. Encrypted communique between client & server

 2. Confidentiality and integrity of communique

 3. Ability to have 3rd-party sign-off (public CA) i.e. Godaddy, Thawte, etc.

 4. Ability to self-sign certificates

 

Tasks:

 1. Explore the SSL environment

'ssl-cert' package is required

'/usr/sbin/make-ssl-cert' - generates self-signed certificate - wrapper for 'openssl'

'/usr/share/ssl-cert/ssleay.cnf' - template for generating self-signed certs

 

 2. Enable 'default-ssl'

  2a. symlink 'default-ssl' from 'sites-available' to 'sites-enabled'

  2b. symlink 'ssl.*' from 'mods-available' to 'mods-enabled'

Note: Both private and public keys will appear in the same file

  2c. Confirm the: /etc/apache2/ports.conf configuration to ensure: 'Listen 443' is present

  2d. 'invoke-rc.d apache2 restart'

  2e. Test SSL communications

 

Note: '_default_:443' SSL Vhost will respond to requests on ALL IPv[4|6] addresses

 

 3. Segment SSL traffic using IP-based virtual hosts

  3a. Update: /etc/apache2/ports.conf

  3b. Update: /etc/apache2/sites-enabled/default-ssl

 

 4. SSL-enable IP-based Virtual Host: site1.linuxcbt.internal

  4a. site1.linuxcbt.internal

  4b. 'make-ssl-cert /usr/share/ssl-cert/ssleay-site1.cnf /etc/ssl/certs/site1ssl.pem'

  4c. 'cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/site1-ssl'

  4d. Update '/etc/apache2/ports.conf'

  4e. 'cd /etc/apache2/sites-enabled && ln -s ../sites-available/site1-ssl'

  4f. Change SSL port to non-standard: TCP:4443

 

 5. SSL-enable IP-based Virtual Host: site2.linuxcbt.internal

  5a. 'make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/site2ssl.pem'

  5b. 'cp /etc/apache2/sites-available/site1-ssl /etc/apache2/sites-available/site2-ssl'

  5c. symlink sites-available/site2-ssl to: /etc/apache2/sites-enabled

  5d. update: /etc/apache2/ports.conf to 'Listen 192.168.75.32:443'

 

 

 

###PHP###

Features:

 1. Dynamic Web page generation

 2. Operates from CLI. i.e. 'perl'

 

Tasks:

 1. Explore the default configuration

 

 2. Expose the info page

  2a. '<? phpinfo(); ?>' - PHP code with short tags

 

 

###Webalizer - Log Analysis###

Features:

 1. Common Log Format (CLF) - default for Apache

 2. Combined Log Format - Includes CLF plus User_Agent, Referrer

 3. FTP

 4. Post-processor

 5. Yields yearly, monthly, daily and hourly stats

 6. May be executed via cron

 

 

Tasks:

 1. Install 'webalizer'

 

 2. Explore package

/usr/bin/webalizer - primary binary

/etc/webalizer/webalizer.conf - primary config

/etc/cron.daily/webalizer - runs daily

/usr/bin/webazolver - symlinked to: /usr/bin/webalizer - invokes webalizer in resolve mode

 

 3. Process log file - default site

  3a. modify: /etc/webalizer/webalizer.conf

Note: Typically users/administrators maintain 1 webalizer.conf file per site

 

 4. Execute 'webalizer'

  4a. 'webalizer 

 

 5. Setup in cron to auto-run

 

 

 

###Patch Manager###

Features:

 1. Self-managing

 2. Downloads, by default, security updates

 3. References: /etc/apt/sources.list - for reference to: http://security.debian.org

Note: Debian security updates are provided: free-of-charge

 4. Can be configured to serve updates internally: via /etc/apt/sources.list

 

 

###MySQL###

Features:

 1. RDBMS

 

Tasks:

 1. Install MySQL

  1a. Forces the installation of the 'mysql-client-*' package, plus dependencies and empty packages

Note: Aptitude auto-resolves the latest packages from its list of sources

 

Note: Default super-user is named: 'root' , NOT to be confused with Linux user: 'root'

Note: MySQL maintains users internally within the default: 'mysql' DB, 'users' table.

 

 2. Explore MySQL packages

  2a. '/usr/bin/mysql' - primary client, which provides terminal, interactive | non-interactive support

  2a1. 'mysql -p' - prompts for password

  2a2. 'mysql -e 'command' [database]' - executes the command 

 

Note: MySQL users are defined in the form: user@host. i.e. 'root@localhost'

Note: Default Debian MySQL implementation disables 'anonymous access' and enforces a password for the 'root' user

 

  2b. '/usr/bin/mysqldump' - backs-up one or more DBs

  2c. '/usr/bin/mysqladmin' - start|restart|change password|etc.

  2d. '/usr/bin/mysqlimport' - imports data from text files

 

Note: Each MySQL client reads a hierarchy of configuration files: global & local and CLI-options

 

 

 3. Define simple database and data set

  3a. 'create database addressBook;'

  3b. ' create table contacts (`fName` char(20), `lname` char(20), `phone1` char(20), `email` char(30), PRIMARY KEY (`email`) ); '

  3c. ' INSERT INTO contacts (fname,lname,phone1,email) VALUES ('Johan','Doe','888-573-4943','john.doe@linuxcbt.com'); '

 

  3d. ' INSERT INTO contacts (fname,lname,phone1,email) VALUES ('Jane','Doe','888-573-4943','jane.doe@linuxcbt.com'); '

 

  3e. ' UPDATE contacts SET fname='John' WHERE fname='Johan'; '

  3f. 'DELETE FROM contacts where fname='John'; '

 

###PHPMyAdmin###

Features:

 1. De facto Web GUI to administer MySQL

 2. Echoes the resultant SQL commands per execution. i.e. click on something and the SQL statement appears. Helps you to learn SQL syntax.

 

Tasks:

 1. Install PHPMyAdmin

 

 2. Explore package contents

 

 

###Postfix - SMTP###

Features:

 1. Message Transfer Agent

 2. Derivative/improvement on SendMail

 

Tasks:

 1. Install Postfix

/usr/sbin/postconf - used to dump/change Postfix configuration

/usr/sbin/postsuper - admin duties on running server

/usr/sbin/sendmail - drop-in replacement for original binary

/usr/lib/postfix/smtp - SMTP client used by Postfix to talk to other SMTP servers

/usr/lib/postfix/smtpd - SMTP server used to receive message and connections

/usr/bin/mailq - enumerates the contents of the mailq

/usr/lib/postfix/master - main master binary, which supervises all of the other Postfix daemons

 

 2. Explore the configuration

/etc/postfix - primary, top-level configuration container

/etc/postfix/main.cf - primary config file

 

 

###Aptitude - Sources.list Update###

Features:

 1. Ability to reference packages from the file system

 

 

Tasks:

 1. Mount ISO image permanently and reference it via: /etc/apt/sources.list

  1a. 'mount -t iso9660 -o loop /home/linuxcbt/Debian_5x/debian-504-i386-DVD-1.iso /home/linuxcbt/Debian_5x/1' - mounts ISO image in target location

  1b. Update: /etc/fstab

  1c. Update: /etc/apt/sources.list via Synaptic Package Manager, or manually from the shell

  1d. Reload the package repository DB using Synaptic Package Manager

 

 

###IMAP/POP3 Support###

 

Features:

 1. IMAP - stores message on the server, entirely. i.e. GMAIL, Yahoo, OWA

 2. POP3 - used to download messages to client.

 3. Mail-retrieval protocols

 4. Support for encryption: SSL/TLS

 5. Dovecot: supports both mbox and Maildirs

 

Tasks:

 1. Install Dovecot IMAP. Removes existing IMAPD package, by default

 2. Explore the contents of Dovecot

/etc/dovecot/dovecot.conf - primary config file

 3. Retrieve messages using MUA: IMAPD

 

 4. Install POP3D

 5. Disable clear-text mail-retrieval support

  5a. /etc/dovecot/dovecot.conf - disable 'pop3' & 'imap'

  5b. 'invoke-rc.d dovecot restart' - unbinds clear-text protocols

 

###SquirrelMail###

Features:

 1. Web GUI/Mail User Agent (MUA) for accessing mail via IMAPD - front-end

 2. Virtual hosts

 3. Modular

 

Note: To obtain the latest, navigate to: squirrelmail.org

 

Tasks:

 1. Install Squirrelmail

 2. Explore configuration

/etc/squirrelmail/apache.conf - primary Apache config file

 3. Access & browse SquirrelMail interface

 4. Enable IMAP (clear-text)

 

###GNU Privacy Guard (GPG)###

Features:

 1. Implements the OpenPGP standard

 2. Provides data encryption services based on PKI (asymmetric encryption)

 3. Digital signatures (based on owner's private key)

 4. Auto-compresses content

 

Tasks:

 1. Explore the GPG environment

/usr/bin/gpg - primary binary used to encrypt/decrypt correspondence (files/e-mails/etc.)

  1a. 'gpg --list-keys' - enumerates public keys on the key chain

  1b. 'gpg --gen-key' - generates a PKI key pair

  1c. 'gpg --export' - exports the public key, so that others may encrypt information to us

Note: Repeat the process on the remote user's side to have 2-way encryption/signature services

 

Note: Digital signatures prove authenticity because access to the secret/private key of the PKI pair is restricted to the owner and 'root'

Note: A passphrase adds an additional level of security to PKI in the event that the PKI pair has been compromised: physically (locally) or remotely

 

 2. Generate usage keys on remote side

  2a. 'gpg --gen-key' - generate keys as 'root'

Note: 'gpg --list-secret-keys' - enumerates private key(s) from keychain

 

 3. Sign and encrypt data to ourselves

  3a. 'gpg --encrypt -r pub_key_ID 1000.txt' - generates '1000.txt.gpg' encrypted file

  3b. 'gpg --decrypt 1000.txt.gpg' - decrypts, if private key is on keychain of current user

  3c. 'gpg --encrypt -o 1000.txt.pgp -r pub_key_ID 1000.txt' - encrypts with '.pgp' suffix

 

 4. Sign and encrypt with business partner (root@linuxcbtsuse1.linuxcbt.internal)

  4a. Exchange public keys

     'gpg --export' - creates a binary public-key file

     'gpg --import key_file' - imports the partner's key file
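The two-way exchange of tasks 3 and 4 as an added shell example (not from the notes): two throw-away keyrings stand in for us and the business partner, the names, addresses and file paths are constructed, and GnuPG 2.x is assumed (batch key generation with %no-protection, auto-started gpg-agent).

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: sign as us, encrypt to the
# partner, then decrypt and verify on the partner's side. Throw-away keyrings,
# constructed identities; assumes GnuPG 2.x.
OURS_ID=admin@linuxcbtdeb1.linuxcbt.internal
PARTNER_ID=root@linuxcbtsuse1.linuxcbt.internal

make_key() {   # $1 = keyring dir, $2 = real name, $3 = e-mail
    mkdir -p "$1" && chmod 700 "$1" &&
    GNUPGHOME="$1" gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
%commit
EOF
}

# Returns 0 when the partner can decrypt AND the signature verifies as ours,
# 77 when gpg is not installed (skip), 1 when any step fails.
gpg_roundtrip_demo() {
    command -v gpg >/dev/null 2>&1 || return 77
    work=$(mktemp -d); ours="$work/ours"; theirs="$work/theirs"
    printf 'quarterly figures\n' > "$work/1000.txt"
    make_key "$ours" "Deb Admin" "$OURS_ID" 2>/dev/null &&
    make_key "$theirs" "Suse Admin" "$PARTNER_ID" 2>/dev/null &&
    # 4a: exchange public keys only (--export / --import); secret keys stay home
    GNUPGHOME="$ours"   gpg --batch --export "$OURS_ID"    > "$work/ours.pub" &&
    GNUPGHOME="$theirs" gpg --batch --export "$PARTNER_ID" > "$work/theirs.pub" &&
    GNUPGHOME="$ours"   gpg --batch --quiet --import "$work/theirs.pub" 2>/dev/null &&
    GNUPGHOME="$theirs" gpg --batch --quiet --import "$work/ours.pub"   2>/dev/null &&
    # 3a/4: --sign with our secret key, --encrypt to the partner's public key
    GNUPGHOME="$ours" gpg --batch --quiet --trust-model always -r "$PARTNER_ID" \
        --sign --encrypt -o "$work/1000.txt.gpg" "$work/1000.txt" &&
    # 3b on the partner's side: decrypt, then require a GOODSIG status line
    GNUPGHOME="$theirs" gpg --batch --status-fd 2 -o "$work/out.txt" \
        --decrypt "$work/1000.txt.gpg" 2> "$work/status.txt" &&
    grep -q '^\[GNUPG:\] GOODSIG' "$work/status.txt" &&
    cmp -s "$work/1000.txt" "$work/out.txt"
    rc=$?
    for h in "$ours" "$theirs"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null; done
    rm -rf "$work"
    return $rc
}

gpg_roundtrip_demo && echo "signed+encrypted round trip OK" || echo "failed or skipped (status $?)"
```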

 

###Network Mapper (NMap)###

Features:

 1. Reconnaissance Scans

 2. Set a baseline configuration

 3. Compare against the baseline

 4. Port scans

 5. Host | device detection: e.g. Jetdirect card, Dell box, Apple computer, etc.

 6. Service detection: e.g. VSFTPD, SSH and optionally the version

 7. Multi-target scanning

 8. Automation

 9. IPv6 scanning

 

Tasks:

 1. Install NMap

 2. Explore package | usage

/usr/bin/nmap - primary binary

/usr/share/nmap/nmap-mac-prefixes - host | device detection

/usr/share/nmap/nmap-services - port-to-servicename conversion

 

 3. Run 'nmap' in a variety of ways to help tighten our security posture

  3a. ' nmap -v localhost'

Note: As 'root', nmap defaults to 'SYN' scans; as any other user, it defaults to a 'TCP Connect' scan.

Note: Usually, 'SYN' scans do not alert the application behind the open port; 'TCP Connect' scans complete the 3-way TCP handshake, which alerts the listening application

 

 

Note: A scan of the loopback adapter is not indicative of what remote users will see, with some exceptions: i.e. SSH tunnels

 

  3b. 'nmap -v 192.168.75.30-32' - scans 3 IPs (.30, .31, .32) for open TCP ports

  3c. 'nmap -v -sU 192.168.75.30-32' - scans the same 3 IPs for open UDP ports

  3d. 'nmap -v -sV ...' - performs a service scan, which returns: service names and versions

 

Note: NMap defaults to TCP scans because the majority of applications are TCP-based

Note: NMap writes output to STDOUT by default, so you will lose valuable info. if you don't route it to a log file

 

  3e. 'nmap -v -sV -iL filename' - supply host(s) via a file

  3f. 'nmap -v -oN nmap.scan.log -sV -iL filename' - creates Normal NMap output

  3g. 'nmap -v -sP -oN nmap.scan.log -iL filename' - performs a quick PING scan

  3h. 'nmap -v -p 3389 -oN nmap.scan.log -iL filename' - scans TCP:3389 across the subnet

Note: Ensure that the centralized NMap host has unfettered access to the interesting subnets

  3i. 'nmap -v -O -oN nmap.scan.log -iL filename' - scans for OS detection
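Features 2 and 3 (set a baseline, compare against it) as an added shell example, not from the notes: it reduces two 'nmap -oN' logs to open-port lists and diffs them, so a listener that appeared or vanished since the baseline stands out. The two logs are constructed samples and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: reduce two 'nmap -oN' logs to
# "host port/proto service" lists and diff them, so a listener that appeared
# (or vanished) since the baseline stands out. Both logs are constructed
# samples; real ones come from step 3f on the central scanning host.
set -eu
export LC_ALL=C
WORK=$(mktemp -d)

# Open ports in one -oN log, sorted for comm(1). Handles both header styles:
# "Nmap scan report for X" (nmap 5.x) and "Interesting ports on X:" (4.x).
open_ports() {
    awk '
        /^Nmap scan report for / { host = $5; next }
        /^Interesting ports on / { host = $4; sub(/:$/, "", host); next }
        /^[0-9]+\/(tcp|udp)[ \t]+open/ { print host, $1, $3 }
    ' "$1" | sort
}

# Lines only in the current scan / only in the baseline.
new_listeners()  { open_ports "$1" > "$WORK/b"; open_ports "$2" > "$WORK/c"; comm -13 "$WORK/b" "$WORK/c"; }
gone_listeners() { open_ports "$1" > "$WORK/b"; open_ports "$2" > "$WORK/c"; comm -23 "$WORK/b" "$WORK/c"; }

cat > "$WORK/baseline.log" <<'EOF'
# Nmap 5.00 scan initiated Thu Jan  7 02:00:00 2010 as: nmap -v -oN nmap.scan.log -sV -iL hosts
Nmap scan report for 192.168.75.30
Host is up (0.00021s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 5.1p1 Debian 5 (protocol 2.0)
25/tcp  open  smtp    Postfix smtpd
143/tcp open  imap    Dovecot imapd
EOF
cat > "$WORK/current.log" <<'EOF'
# Nmap 5.00 scan initiated Thu Jan 14 02:00:00 2010 as: nmap -v -oN nmap.scan.log -sV -iL hosts
Nmap scan report for 192.168.75.30
Host is up (0.00019s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.1p1 Debian 5 (protocol 2.0)
25/tcp   open  smtp    Postfix smtpd
5900/tcp open  vnc     VNC (protocol 3.8)
EOF

echo "new since baseline:";  new_listeners  "$WORK/baseline.log" "$WORK/current.log"
echo "gone since baseline:"; gone_listeners "$WORK/baseline.log" "$WORK/current.log"
```

Run the baseline once after the Lockdown steps, keep it with the scan logs, and treat any "new since baseline" line as something to explain before the next scan.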

###TCPDump###

Features:

 1. Packet capturing of myriad protocols

 2. Supports: Berkeley Packet Filters (BPFs)

 

 

Tasks:

 1. Install TCPDump

/usr/sbin/tcpdump - primary binary

 

 2. Usage examples

  2a. 'tcpdump -v -i eth0'

 

'02:08:38.419385 IP (tos 0x0, ttl 64, id 54461, offset 0, flags [DF], proto TCP (6), length 62) macbook1.local.60842 > linuxcbtdeb1.linuxcbt.internal.5900: P, cksum 0x029e (correct), 191:201(10) ack 695980 win 65535 <nop,nop,timestamp 212564549 65206757>'

 

 2b. 'tcpdump -w tcpdump.capture -i eth0' - creates a TCPDump file

 2c. 'tcpdump -r tcpdump.capture' - reads the previously-created TCPDump file

 2d. 'tcpdump -c 3 -i eth0 -w tcpdump.capture2' - captures 3 packets and exits

Note: Each packet is represented by a line, but the terminal will invariably wrap each line

 2e. 'tcpdump -C 1 -w tcpdump.capture3' - captures 1-million bytes then creates a new file

 2f. 'tcpdump -A -i eth0' - dumps packet payload

 2g. 'tcpdump -e -i eth0' - dumps layer-2 (MAC) info.

 2h. 'tcpdump -A -e -i eth0' - dumps payload and MAC info. - layers 2-7

Note: Packet capturing is a linear progression. Latest information is at the bottom of the capture.

 

 2i. 'tcpdump -D ' - dumps the available interfaces

 2j. 'tcpdump -n ...' - dumps captures without name resolution

 

 3. Apply BPFs

Note: TCPDump supports 3 Qualifiers: 

 1. Type - host|net|port

 2. Direction - src, dst, src or dst, src and dst

 3. Protocol - ip, tcp, udp, icmp, etc.

Note: BPFs support logical AND and OR

 

  3a. 'tcpdump -i eth0 -w tcpdump.linuxcbtserv1.capture.1 host 192.168.75.111'

  3b. 'tcpdump -i eth0 -w tcpdump.linuxcbtserv1.capture.2 host 192.168.75.111 and tcp port 21' 

 

Note: BPFs are applicable, for the most part, if a tool is TCPDump-compliant
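An added example, not from the notes, of post-processing saved 'tcpdump -v' text on a back-end host: it counts packets per conversation and can narrow to a host and port the way the 'host' and 'port' qualifiers above narrow a live capture. The sample lines are constructed in the 2a format and the function name is mine.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: post-process saved 'tcpdump -v'
# text (the line format shown under 2a) into per-conversation packet counts,
# optionally narrowed the way a 'host X and port N' BPF would narrow a live
# capture. The four sample lines are constructed.
set -eu
export LC_ALL=C
WORK=$(mktemp -d)

# conversations FILE [HOST] [PORT]: prints "count src.port > dst.port", busiest
# first. HOST/PORT match either end, like the BPF 'host' and 'port' qualifiers.
# tcpdump writes endpoints as name.port, so the port is the last dotted field.
conversations() {
    awk -v want_host="${2:-}" -v want_port="${3:-}" '
        function port_of(ep,   n, a) { n = split(ep, a, "."); return a[n] }
        function host_of(ep)         { return substr(ep, 1, length(ep) - length(port_of(ep)) - 1) }
        {
            for (i = 2; i < NF; i++) if ($i == ">") break   # endpoints sit either side of ">"
            if (i >= NF) next
            src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst)
            if (want_host != "" && host_of(src) != want_host && host_of(dst) != want_host) next
            if (want_port != "" && port_of(src) != want_port && port_of(dst) != want_port) next
            count[src " > " dst]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

cat > "$WORK/tcpdump.txt" <<'EOF'
02:08:38.419385 IP (tos 0x0, ttl 64, id 54461, offset 0, flags [DF], proto TCP (6), length 62) macbook1.local.60842 > linuxcbtdeb1.linuxcbt.internal.5900: P, cksum 0x029e (correct), 191:201(10) ack 695980 win 65535 <nop,nop,timestamp 212564549 65206757>
02:08:38.419601 IP (tos 0x0, ttl 64, id 9911, offset 0, flags [DF], proto TCP (6), length 52) linuxcbtdeb1.linuxcbt.internal.5900 > macbook1.local.60842: ., cksum 0x1a2b (correct), ack 201 win 92 <nop,nop,timestamp 65206760 212564549>
02:08:39.100210 IP (tos 0x0, ttl 64, id 54462, offset 0, flags [DF], proto TCP (6), length 62) macbook1.local.60842 > linuxcbtdeb1.linuxcbt.internal.5900: P, cksum 0x03a1 (correct), 201:211(10) ack 695980 win 65535 <nop,nop,timestamp 212564560 65206760>
02:08:40.000777 IP (tos 0x0, ttl 128, id 301, offset 0, flags [DF], proto TCP (6), length 60) 192.168.75.111.49152 > linuxcbtserv1.linuxcbt.internal.21: S, cksum 0x5c1d (correct), 0:0(0) win 8192 <mss 1460>
EOF

conversations "$WORK/tcpdump.txt"                      # all flows
conversations "$WORK/tcpdump.txt" 192.168.75.111 21    # like: host 192.168.75.111 and port 21
```

Feed it 'tcpdump -n' output when names would be ambiguous; the host field is whatever tcpdump printed before the last dot.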

 

 

###WireShark, formerly known as: Ethereal###

Features:

 1. Packet Capture & analysis

 2. Support for: BPFs (run-time) and Display Filters (post-processing)

Tasks:

 1. Install WireShark

/usr/bin/wireshark - primary binary - run as 'root'

 

 2. Explore interface

Note: Wireshark defaults to: nanosecond precision, however, TCPDump defaults to: microsecond precision

 

 3. Perform various captures/analysis of clear-text, FTP traffic

 

Note: Consider deploying centralized sniffers and routing the capture files to a back-end post-processor running Wireshark.

 

 

###Lockdown###

Features:

 1. Improve security posture

 

Tasks:

 1. Screensaver set based on inactivity timer

 2. Secure your BIOS

  2a. Setting a usage password

  2b. Disabling removable boot devices: USB, Optical drives

 3. Secure the bootloader: GRUB

  3a. 'grub-md5-crypt' - generates an MD5 password for GRUB: /boot/grub/menu.lst

Note: Consider 'dm-crypt' or 'eCryptfs' to encrypt the FS, in the event the drive is physically compromised and/or other measures have been circumvented.

Note: 'dm-crypt' requires a password at startup

 

 4. /etc/login.defs - contains defaults for a variety of account variables

Note: Ensure that the password encryption algorithm in /etc/login.defs matches the one configured for PAM: /etc/pam.d/*

 

 5. Remove 'nullok' from: /etc/pam.d/* - if present

 6. Disable superfluous services/daemons:

  6a. 'netstat -nutlp' - returns listeners for TCP | UDP

Checklist of daemons to disable:

 1. samba-swat - INETD controlled

  1a. ' update-inetd --disable swat' - disables service in INETD

 2. imap - TCP:143

  2a. '/etc/dovecot/dovecot.conf'  

 

 3. ssh - restrict to a single IP

 4. postgres

  4a. 'update-rc.d -f postgresql-8.3 remove' 

 5. smbd|nmbd

  5a. 'update-rc.d -f samba remove && /etc/init.d/samba stop && ps -ef | grep smb'

 6. vsftpd

  6a. 'update-rc.d -f vsftpd remove && /etc/init.d/vsftpd stop && ps -ef | grep vsftpd'

 7. tftpd

  7a. 'update-inetd --disable tftp'

 

 8. Disable 'root' access via SSHD

 

Note: Consult Debian documentation for info on: harden* packages

 

 

###IPTables - Firewall###

Features:

 1. Built-in firewall

 2. Stateful inspection

 3. Routing

 4. Network Address Translation (NAT)

 5. Front-end to the Netfilter Kernel firewall

 

Tasks:

 1. Explore configuration

/sbin/iptables - primary binary to write rules and interact with firewall

/sbin/iptables-save|restore - saves & restores IPv4 rules

/sbin/ip6tables - primary binary to write rules for the IPv6 firewall

/sbin/ip6tables-save|restore - saves & restores IPv6 rules

 

 2. Use 'iptables'

  2a. 'iptables -L' - lists the chains in the default 'Filter' table

Note: 'Filter' table governs traffic: inbound, outbound, and through (routing) your box

Note: There are 3 default chains in the 'Filter' table

 1. INPUT - traffic sourced from external systems and destined for your system

 2. FORWARD - router - traffic that is sent through your box

 3. OUTPUT - Traffic sourced from your system to other systems

 

Note: There are 3 default tables:

 1. NAT

 2. Mangle

 3. Filter (Default)

 

 

 2b. Limit inbound traffic to the SMTP server: deny access from the Windows server

  2b1. 'iptables -A INPUT -p tcp --dport 25 -s 192.168.75.105 -j DROP'

 

 3. Use 'ip6tables'

Note: Syntax is virtually identical to 'iptables*'

 

 4. Write outbound rules

  4a. 'iptables -A OUTPUT -d 192.168.75.105 -p tcp --dport 3389 -j DROP'
