Thursday, July 26, 2012

Chapter 10 - A Security Primer

The Layers of Linux Security

Bastion Host Systems :
A file server, auth server or web server configured to add more security to your environment. We use bastion hosts to put another layer of security between the corporate desktop LAN and customer LANs. Bastion hosts typically provide remote access via SSH or VNC.

Software Updates for Security Fixes:
Use gpk-update-viewer; automatic security updates can be configured with gpk-prefs.

Service Specific security
- HTTP/HTTPS
- DNS
- FTP
- NFS
- SMB
- SMTP
- SSH

Host based security limits access by hostname, FQDN and IP address.

User based security limits user access via service controls, sudo, traditional Unix file permissions, SELinux and other methods.

Console Security

SELinux

The PolicyKit

Firewalls and NAT

The iptables service is the Linux firewall; its rules are loaded from /etc/sysconfig/iptables.

Command Examples :

iptables -L = Show all rules currently in place
iptables -F = Flush all FW rules in memory

# service iptables restart

[root@server01 ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5905 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


Save the current iptables rules permanently :

# iptables-save > /etc/sysconfig/iptables
# service iptables restart

 
Rule Examples

Reject all traffic from the 192.168.75.0/24 network :

iptables -A INPUT -s 192.168.75.0/24 -j REJECT

Stop a host with the IP address 192.168.25.200 from pinging your system :

iptables -A INPUT -s 192.168.25.200 -p icmp -j DROP

Examples:
# allow 2 telnet connections per client host
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the number of parallel HTTP requests to 16 per class C sized network (24 bit netmask)
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT

# limit the number of parallel HTTP requests to 16 for the link local network (ipv6)
ip6tables -A INPUT -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT

NOTE : Need examples with iptables masquerading and IP forwarding
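An added example (not from these notes) that reads a ruleset in the /etc/sysconfig/iptables format shown above and walks the INPUT chain first-match, the way the kernel does, to report the verdict for a new inbound TCP connection. The sample ruleset is constructed to mirror the one above; the default source address, the interface name and the allow_port() helper are assumptions. It shows why the catch-all REJECT with icmp-host-prohibited is reported by a client as "No route to host", and that a targeted ACCEPT in front of it is the alternative to flushing every rule with iptables -F.

```python
"""Walk an iptables-save ruleset (the /etc/sysconfig/iptables format) the way
the kernel walks the INPUT chain: first match wins, the chain policy applies
when nothing matches.  Added example, not from these notes."""
import ipaddress
import shlex

# Constructed sample mirroring the system-config-firewall ruleset above.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5905 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# What `iptables -F` leaves behind: chains and policies, no rules at all.
FLUSHED = "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n"

# What a TCP client sees for each reject type (a DROP shows up as a timeout).
CLIENT_ERROR = {"icmp-host-prohibited": "No route to host",
                "icmp-port-unreachable": "Connection refused",
                "tcp-reset": "Connection refused"}

def parse_filter_table(text):
    """Return ({chain: policy}, [rule dicts in file order]) for the *filter table.
    Only the matches used by the ruleset above are modelled (-p, -i, -s,
    --state, --dport); other flags are skipped."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = (line == "*filter")
            continue
        if not in_filter or not line or line[0] == "#" or line == "COMMIT":
            continue
        if line[0] == ":":                       # ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        toks = shlex.split(line)
        rule = {"chain": None, "proto": None, "iface": None, "src": None,
                "states": None, "dports": None, "target": None, "reject": None}
        i = 0
        while i < len(toks):
            t = toks[i]
            arg = toks[i + 1] if i + 1 < len(toks) else None
            if t == "-A": rule["chain"] = arg
            elif t == "-p": rule["proto"] = arg
            elif t == "-i": rule["iface"] = arg
            elif t == "-s": rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif t == "-j": rule["target"] = arg
            elif t == "--state": rule["states"] = set(arg.split(","))
            elif t == "--reject-with": rule["reject"] = arg
            elif t == "--dport":
                lo, _, hi = arg.partition(":")
                rule["dports"] = (int(lo), int(hi or lo))
            elif t != "-m":                      # a flag without an argument
                i += 1
                continue
            i += 2
        rules.append(rule)
    return policies, rules

def new_tcp_verdict(text, dport, src="192.168.0.3", iface="eth0", chain="INPUT"):
    """Verdict for a NEW TCP SYN from src arriving on iface for local port dport.
    Returns (target, reject_with); reject_with is None unless target is REJECT.
    The default src and iface are assumptions standing in for the client above."""
    policies, rules = parse_filter_table(text)
    src_ip = ipaddress.ip_address(src)
    for r in rules:
        if r["chain"] != chain or r["proto"] not in (None, "tcp"):
            continue
        if r["iface"] not in (None, iface):
            continue
        if r["src"] is not None and src_ip not in r["src"]:
            continue
        if r["states"] is not None and "NEW" not in r["states"]:
            continue
        if r["dports"] and not (r["dports"][0] <= dport <= r["dports"][1]):
            continue
        return r["target"], r["reject"]
    return policies.get(chain, "ACCEPT"), None

def allow_port(text, dport):
    """Targeted fix: insert a NEW-TCP ACCEPT for dport just before the INPUT
    chain's catch-all REJECT, instead of flushing every rule with iptables -F."""
    lines = text.splitlines()
    idx = next(i for i, l in enumerate(lines) if l.startswith("-A INPUT -j REJECT"))
    new = f"-A INPUT -m state --state NEW -m tcp -p tcp --dport {dport} -j ACCEPT"
    return "\n".join(lines[:idx] + [new] + lines[idx:]) + "\n"
```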

The Extended Internet Super-Server

/etc/xinetd.d
/etc/xinetd.conf

[root@server01 ~]# yum install xinetd -y

[root@server01 ~]# cat /etc/xinetd.conf
#
# This is the master xinetd configuration file. Settings in the
# default section will be inherited by all service configurations
# unless explicitly overridden in the service configuration. See
# xinetd.conf in the man pages for a more detailed explanation of
# these attributes.

defaults
{
# The next two items are intended to be a quick access place to
# temporarily enable or disable services.
#
#       enabled         =
#       disabled        =

# Define general logging characteristics.
        log_type        = SYSLOG daemon info
        log_on_failure  = HOST
        log_on_success  = PID HOST DURATION EXIT

# Define access restriction defaults
#
#       no_access       =
#       only_from       =
#       max_load        = 0
        cps             = 50 10
        instances       = 50
        per_source      = 10

# Address and networking defaults
#
#       bind            =
#       mdns            = yes
        v6only          = no

# setup environmental attributes
#
#       passenv         =
        groups          = yes
        umask           = 002

# Generally, banners are not used. This sets up their global defaults
#
#       banner          =
#       banner_fail     =
#       banner_success  =
}

includedir /etc/xinetd.d

[root@server01 ~]# cat /etc/xinetd.d/rsync
# default: off
# description: The rsync server is a good addition to an ftp server, as it \
#       allows crc checksumming etc.
service rsync
{
        disable = yes
        flags           = IPv6
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
}


[root@server01 xinetd.d]# cat /etc/xinetd.d/telnet
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure   += USERID
        disable         = no
}


[root@server01 xinetd.d]# service xinetd restart
Stopping xinetd:                                           [FAILED]
Starting xinetd:                                           [  OK  ]


[root@server01 xinetd.d]# telnet localhost
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused


[root@server01 xinetd.d]# tail /var/log/messages
Jun 17 16:44:41 server01 xinetd[32726]: bad service attribute: log_on_filure [file=/etc/xinetd.d/telnet] [line=8]
Jun 17 16:44:41 server01 xinetd[32726]: Must specify a server in telnet
Jun 17 16:44:41 server01 xinetd[32726]: Swapping defaults
Jun 17 16:44:41 server01 xinetd[32726]: Reconfigured: new=0 old=0 dropped=0 (services)
Jun 17 16:49:47 server01 xinetd[32726]: Exiting...
Jun 17 16:49:47 server01 xinetd[511]: Server /usr/sbin/in.telnetd is not executable [file=/etc/xinetd.d/telnet] [line=7]
Jun 17 16:49:47 server01 xinetd[511]: Error parsing attribute server - DISABLING SERVICE [file=/etc/xinetd.d/telnet] [line=7]
Jun 17 16:49:47 server01 xinetd[511]: Must specify a server in telnet
Jun 17 16:49:47 server01 xinetd[511]: xinetd Version 2.3.14 started with libwrap loadavg labeled-networking options compiled in.
Jun 17 16:49:47 server01 xinetd[511]: Started working: 0 available services


... typo corrected ......didn't work with what I had ... then figured out I didn't have the telnet-server installed...



[root@server01 xinetd.d]# yum install telnet-server -y

Working now ...

[root@server01 xinetd.d]# telnet localhost
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.1 (Santiago)
Kernel 2.6.32-131.0.15.el6.x86_64 on an x86_64
login: shannon
Password:
Login incorrect


[root@server01 xinetd.d]# tail /var/log/messages
Jun 17 16:55:13 server01 xinetd[581]: START: telnet pid=587 from=::1
Jun 17 16:56:23 server01 xinetd[581]: EXIT: telnet status=0 pid=587 duration=70(sec)
Jun 17 16:57:50 server01 yum[615]: Installed: 1:telnet-server-0.17-46.el6.x86_64
Jun 17 17:02:03 server01 xinetd[581]: START: telnet pid=678 from=::1
Jun 17 17:02:33 server01 xinetd[581]: EXIT: telnet status=0 pid=678 duration=30(sec)
Jun 17 17:02:44 server01 xinetd[581]: Exiting...
Jun 17 17:02:44 server01 xinetd[700]: xinetd Version 2.3.14 started with libwrap loadavg labeled-networking options compiled in.
Jun 17 17:02:44 server01 xinetd[700]: Started working: 1 available service
Jun 17 17:02:59 server01 xinetd[700]: START: telnet pid=706 from=::1
Jun 17 17:03:34 server01 xinetd[700]: EXIT: telnet status=0 pid=706 duration=35(sec)


[root@server01 xinetd.d]# telnet localhost
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.1 (Santiago)
Kernel 2.6.32-131.0.15.el6.x86_64 on an x86_64
login: root
Password:
Login incorrect

login: rhill
Password:
Last login: Wed Jun 13 09:20:12 from 192.168.0.3
[rhill@server01 ~]$


[root@server01 ~]# utmpdump /var/log/wtmp | tail
Utmp dump of /var/log/wtmp
[6] [01948] [5   ] [LOGIN   ] [tty5        ] [                    ] [0.0.0.0        ] [Fri Jun 15 09:24:07 2012 CDT]
[6] [01950] [6   ] [LOGIN   ] [tty6        ] [                    ] [0.0.0.0        ] [Fri Jun 15 09:24:07 2012 CDT]
[7] [02148] [ts/0] [root    ] [pts/0       ] [192.168.0.3         ] [192.168.0.3    ] [Fri Jun 15 09:25:44 2012 CDT]
[7] [02134] [:0  ] [root    ] [tty1        ] [:0                  ] [0.0.0.0        ] [Fri Jun 15 09:59:54 2012 CDT]
[7] [02721] [/1  ] [root    ] [pts/1       ] [:0.0                ] [0.0.0.0        ] [Fri Jun 15 10:00:10 2012 CDT]
[8] [02116] [    ] [        ] [pts/0       ] [                    ] [0.0.0.0        ] [Sat Jun 16 04:45:06 2012 CDT]
[7] [26120] [ts/0] [root    ] [pts/0       ] [192.168.0.3         ] [192.168.0.3    ] [Sun Jun 17 04:07:02 2012 CDT]
[7] [32555] [ts/2] [root    ] [pts/2       ] [192.168.0.10        ] [192.168.0.10   ] [Sun Jun 17 16:22:12 2012 CDT]
[7] [00757] [ts/3] [root    ] [pts/3       ] [192.168.0.10        ] [192.168.0.10   ] [Sun Jun 17 17:07:23 2012 CDT]
[7] [00829] [4   ] [rhill   ] [pts/4       ] [::d8c7:7fdc:ff7f:0%384933277] [0.0.0.0        ] [Sun Jun 17 17:11:15 2012 CDT]
[root@server01 ~]#


[root@server01 ~]# tail /var/log/messages
Jun 17 17:02:33 server01 xinetd[581]: EXIT: telnet status=0 pid=678 duration=30(sec)
Jun 17 17:02:44 server01 xinetd[581]: Exiting...
Jun 17 17:02:44 server01 xinetd[700]: xinetd Version 2.3.14 started with libwrap loadavg labeled-networking options compiled in.
Jun 17 17:02:44 server01 xinetd[700]: Started working: 1 available service
Jun 17 17:02:59 server01 xinetd[700]: START: telnet pid=706 from=::1
Jun 17 17:03:34 server01 xinetd[700]: EXIT: telnet status=0 pid=706 duration=35(sec)
Jun 17 17:09:23 server01 xinetd[700]: START: telnet pid=799 from=::1
Jun 17 17:10:23 server01 xinetd[700]: EXIT: telnet status=0 pid=799 duration=60(sec)
Jun 17 17:10:48 server01 xinetd[700]: START: telnet pid=828 from=::1
Jun 17 17:12:56 server01 xinetd[700]: EXIT: telnet status=0 pid=828 duration=128(sec)
[root@server01 ~]#

TCP Wrappers

[root@server01 ~]# strings /sbin/* | grep hosts_access
hosts_access
hosts_access
hosts_access
[root@server01 ~]# strings /usr/sbin/* | grep hosts_access
hosts_access
hosts_access
hosts_access
hosts_access_verbose
hosts_access
hosts_access


[root@server01 ~]# ldd /usr/sbin/sshd
        linux-vdso.so.1 =>  (0x00007fff8cfff000)
        libfipscheck.so.1 => /lib64/libfipscheck.so.1 (0x00007fc930e45000)
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fc930c3b000)
        libaudit.so.1 => /lib64/libaudit.so.1 (0x00007fc930a24000)
        libpam.so.0 => /lib64/libpam.so.0 (0x00007fc930817000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007fc930613000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fc9303f4000)
        libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007fc93005e000)
        libutil.so.1 => /lib64/libutil.so.1 (0x00007fc92fe5b000)
        libz.so.1 => /lib64/libz.so.1 (0x00007fc92fc46000)
        libnsl.so.1 => /lib64/libnsl.so.1 (0x00007fc92fa2d000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fc92f7f6000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fc92f5dc000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fc92f39b000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fc92f0bc000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fc92ee90000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fc92ec8d000)
        libnss3.so => /usr/lib64/libnss3.so (0x00007fc92e952000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fc92e5c1000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fc931047000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007fc92e35f000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fc92e155000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fc92df53000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fc92dd36000)
        libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007fc92db17000)
        libplc4.so => /lib64/libplc4.so (0x00007fc92d913000)
        libplds4.so => /lib64/libplds4.so (0x00007fc92d710000)
        libnspr4.so => /lib64/libnspr4.so (0x00007fc92d4d3000)


[root@server01 ~]# ldd /usr/sbin/sshd | grep libwrap
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fe9d3c02000)


TCP Wrapper configuration files :

  /etc/hosts.allow
  /etc/hosts.deny

[root@server01 ~]# ls -lrt /etc/ | grep "hosts."
-rw-r--r--.  1 root root    460 Jan 12  2010 hosts.deny
-rw-r--r--.  1 root root    370 Jan 12  2010 hosts.allow


[root@server01 ~]# cat /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#


[root@server01 ~]# cat /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#


Rules follow the format :

<daemon_list> : <client_list>

Simple rule to allow or deny all :

ALL : ALL

Allow the IP address 192.168.122.50 to connect to the SSH server (sshd) on the local system :

/etc/hosts.allow
sshd : 192.168.122.50

Allow from domain example.com
ALL : .example.com
sshd : 192.168.122.0/255.255.255.0 EXCEPT 192.168.122.150
rpc.mountd, in.tftpd : 192.168.100.100
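An added example (not part of these notes) that evaluates hosts.allow and hosts.deny rules the way hosts_access(5) describes: hosts.allow is consulted first, then hosts.deny, and a client that matches nothing is allowed. The sample hosts.allow is constructed from the rules above; the client hostname is passed in directly instead of being resolved by reverse DNS, and the KNOWN/UNKNOWN/PARANOID wildcards are not modelled. It reproduces the two results of the telnet lab below: a daemon name typo such as in.telnet.d matches nothing, so ALL : ALL in hosts.deny wins, and a 127.0.0.1 pattern does not cover a connection to localhost that arrives over ::1.

```python
"""Simulate TCP Wrappers access control (hosts_access(5)) for a given daemon
and client.  Added example, not part of the original notes; the sample
hosts.allow is constructed from the rules shown above."""
import ipaddress

# Constructed hosts.allow mirroring the examples in the notes.
ALLOW_SAMPLE = """\
ALL : .example.com
sshd : 192.168.122.0/255.255.255.0 EXCEPT 192.168.122.150
rpc.mountd, in.tftpd : 192.168.100.100
"""

def _tokens(field):
    """Lists may be separated by commas and/or whitespace."""
    return field.replace(",", " ").split()

def _rules(text):
    """Yield (daemon_list, client_list, option) for each rule line.
    Only the first ':' separates daemons from clients, because bracketed IPv6
    patterns contain colons; a trailing ': allow' / ': deny' is the option
    form mentioned in the stock hosts.deny comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, rest = line.split(":", 1)
        option = None
        head, sep, tail = rest.rpartition(":")
        if sep and tail.strip().lower() in ("allow", "deny"):
            rest, option = head, tail.strip().lower()
        yield _tokens(daemons), _tokens(rest), option

def _match_client(pattern, addr, hostname):
    """One client pattern: ALL, LOCAL, '.domain' suffix, 'net.' prefix,
    net/mask, or an exact address or hostname.  The hostname is assumed to
    have been resolved (and forward-confirmed) by the caller; the KNOWN,
    UNKNOWN and PARANOID wildcards are not modelled."""
    pattern = pattern.strip("[]")                 # bracketed IPv6 literals
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return hostname is not None and "." not in hostname
    if pattern.startswith("."):
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):
        return addr.startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        try:
            ip = ipaddress.ip_address(addr)
            network = ipaddress.ip_network(f"{net.strip('[]')}/{mask}", strict=False)
        except ValueError:
            return False
        return ip in network                      # False across IP versions
    return pattern == addr or pattern == hostname

def _match_list(items, match):
    """'a b EXCEPT c d' parses as (a or b) and not (c or d); EXCEPT nests right."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return _match_list(items[:i], match) and not _match_list(items[i + 1:], match)
    return any(match(item) for item in items)

def first_match(text, daemon, addr, hostname=None):
    """(True, option) for the first rule matching daemon and client, else (False, None)."""
    for daemons, clients, option in _rules(text):
        if _match_list(daemons, lambda d: d in ("ALL", daemon)) and \
                _match_list(clients, lambda c: _match_client(c, addr, hostname)):
            return True, option
    return False, None

def hosts_access(allow, deny, daemon, addr, hostname=None):
    """Decision order from hosts_access(5): a hosts.allow match grants access,
    otherwise a hosts.deny match refuses it, otherwise access is granted."""
    hit, option = first_match(allow, daemon, addr, hostname)
    if hit:
        return option or "allow"
    hit, option = first_match(deny, daemon, addr, hostname)
    if hit:
        return option or "deny"
    return "allow"
```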

Lab Exercise :

[root@server01 ~]# chkconfig telnet on
[root@server01 ~]#


TCP Wrappers example with telnet :

1. Telnet server installed and setup

[root@server01 etc]# chkconfig --list | grep telnet
        telnet:         on


 
2. Activated telnet service (running under xinetd daemon)

[root@server01 etc]# cat /etc/xinetd.d/telnet
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}


[root@server01 xinetd.d]# service xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]
 

3. No firewall rule setup blocking port 23

4. Modify /etc/hosts file

[root@server01 etc]# vi /etc/hosts
[root@server01 etc]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.12 server01
# temporarily add for tcp wrappers example
127.0.0.1   server1 server1.example.com localhost.localdomain localhost


[root@rhce01 ~]# ping server01
PING server01 (192.168.0.12) 56(84) bytes of data.
64 bytes from server01 (192.168.0.12): icmp_seq=1 ttl=64 time=1.04 ms
64 bytes from server01 (192.168.0.12): icmp_seq=2 ttl=64 time=0.566 ms
^C
--- server01 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1321ms
rtt min/avg/max/mdev = 0.566/0.803/1.040/0.237 ms
[root@rhce01 ~]#


-------------from the telnet client------------

[root@rhce01 ~]# telnet server01 23
Trying 192.168.0.12...
telnet: connect to address 192.168.0.12: No route to host
[root@rhce01 ~]# telnet 192.168.0.12 23
Trying 192.168.0.12...
telnet: connect to address 192.168.0.12: No route to host
[root@rhce01 ~]# tcptraceroute 192.168.0.12 23
-bash: tcptraceroute: command not found
[root@rhce01 ~]#

[root@server01 xinetd.d]# mv telnet /root
[root@server01 xinetd.d]# service xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]

NOTE : This ain't working, rather than spend a few more hours of banging my head against the wall, I am noting the problem, and moving on. (In short, telnet 0 23 works, telnet 127.0.0.1 23 works, telnet localhost doesn't work, so it sure ain't gonna work with TCP wrapper configured either) Will have the instructor look at it in the RHCE class later.


[root@server01 etc]# telnet 127.0.0.1 23
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.1 (Santiago)
Kernel 2.6.32-131.0.15.el6.x86_64 on an x86_64
login:
telnet> quit
Connection closed.
[root@server01 etc]# telnet 0 23
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.1 (Santiago)
Kernel 2.6.32-131.0.15.el6.x86_64 on an x86_64
login:
telnet> quit
Connection closed.
[root@server01 etc]#
[root@server01 etc]#
[root@server01 etc]# telnet localhost
Trying ::1...
Connected to localhost.
Escape character is '^]'.


[root@server01 etc]# telnet localhost 23
Trying ::1...
Connected to localhost.
Escape character is '^]'.


^]
telnet> quit
Connection closed.


...Ok, one last try ...

[root@server01 etc]# cat /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
ALL : ALL


[root@server01 etc]# telnet localhost 23
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
[root@server01 etc]#
[root@server01 etc]# telnet 0 23
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Connection closed by foreign host.
[root@server01 etc]# telnet 127.0.0.1 23
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.


[root@server01 etc]# vi /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
in.telnet.d : 127.0.0.1



[root@server01 etc]# telnet localhost 23
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

[root@server01 etc]# telnet 0 23
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Connection closed by foreign host.


[root@server01 etc]# telnet 127.0.0.1 23
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.
[root@server01 etc]#

Still blocking ??? hmmm.....

[root@server01 etc]# tail -20 /var/log/messages
Jun 18 10:37:06 server01 xinetd[3292]: START: telnet pid=3745 from=::ffff:127.0.0.1
Jun 18 10:37:06 server01 xinetd[3745]: libwrap refused connection to telnet (libwrap=in.telnetd) from ::ffff:127.0.0.1
Jun 18 10:37:06 server01 xinetd[3745]: FAIL: telnet libwrap from=::ffff:127.0.0.1
Jun 18 10:37:06 server01 xinetd[3292]: EXIT: telnet status=0 pid=3745 duration=0(sec)
Jun 18 10:37:09 server01 xinetd[3292]: START: telnet pid=3747 from=::ffff:127.0.0.1
Jun 18 10:37:09 server01 xinetd[3747]: libwrap refused connection to telnet (libwrap=in.telnetd) from ::ffff:127.0.0.1
Jun 18 10:37:09 server01 xinetd[3747]: FAIL: telnet libwrap from=::ffff:127.0.0.1
Jun 18 10:37:09 server01 xinetd[3292]: EXIT: telnet status=0 pid=3747 duration=0(sec)
Jun 18 10:40:55 server01 xinetd[3789]: libwrap refused connection to telnet (libwrap=in.telnetd) from ::1
Jun 18 10:40:55 server01 xinetd[3292]: START: telnet pid=3789 from=::1
Jun 18 10:40:55 server01 xinetd[3789]: FAIL: telnet libwrap from=::1
Jun 18 10:40:55 server01 xinetd[3292]: EXIT: telnet status=0 pid=3789 duration=0(sec)
Jun 18 10:41:01 server01 xinetd[3292]: START: telnet pid=3791 from=::ffff:127.0.0.1
Jun 18 10:41:01 server01 xinetd[3791]: libwrap refused connection to telnet (libwrap=in.telnetd) from ::ffff:127.0.0.1
Jun 18 10:41:01 server01 xinetd[3791]: FAIL: telnet libwrap from=::ffff:127.0.0.1
Jun 18 10:41:01 server01 xinetd[3292]: EXIT: telnet status=0 pid=3791 duration=0(sec)
Jun 18 10:41:07 server01 xinetd[3292]: START: telnet pid=3795 from=::ffff:127.0.0.1
Jun 18 10:41:07 server01 xinetd[3795]: libwrap refused connection to telnet (libwrap=in.telnetd) from ::ffff:127.0.0.1
Jun 18 10:41:07 server01 xinetd[3795]: FAIL: telnet libwrap from=::ffff:127.0.0.1
Jun 18 10:41:07 server01 xinetd[3292]: EXIT: telnet status=0 pid=3795 duration=0(sec)

Well, the typo was the cause .. !!!

[root@server01 etc]# cat /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
in.telnet.d : 127.0.0.1

changed to

in.telnetd : 127.0.0.1


...now retry ...

[root@server01 etc]# telnet 0 23
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.1 (Santiago)
Kernel 2.6.32-131.0.15.el6.x86_64 on an x86_64
login:
telnet> quit
Connection closed.

[root@server01 etc]# telnet 127.0.0.1 23
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.1 (Santiago)
Kernel 2.6.32-131.0.15.el6.x86_64 on an x86_64
login:
telnet> quit
Connection closed.

[root@server01 etc]# telnet localhost 23 ....wtf ???
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
[root@server01 etc]#

Oho ...

[root@server01 etc]# vi hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
in.telnetd : 127.0.0.1 localhost

[root@server01 etc]# telnet localhost 23
Trying ::1...
Connected to localhost.
Escape character is '^]'.

(Still no bloody login prompt on localhost ??? wtf ??? )


...wait....tis slow ... :P....??!

login:

Still cannot reach it from the other server ? (think it is xinetd blocking, rather than TCP Wrappers ??)

[root@rhce01 ~]# telnet server01
Trying 192.168.0.12...
telnet: connect to address 192.168.0.12: No route to host

[root@rhce01 ~]# telnet 192.168.0.12
Trying 192.168.0.12...
telnet: connect to address 192.168.0.12: No route to host

Firewall rule somewhere's fucking me up ?!?!?


[root@server01 etc]# iptables -F
[root@server01 etc]#

[root@rhce01 ~]# telnet server01
Trying 192.168.0.12...
Connected to server01.
Escape character is '^]'.

[root@rhce01 ~]# telnet 192.168.0.12
Trying 192.168.0.12...
Connected to 192.168.0.12.
Escape character is '^]'.
 

PAM

[root@server01 etc]# ls -lrt /etc/pam.d/ | wc -l
65
[root@server01 etc]# ls -lrt /etc/pam.d/ | head
total 236
-rw-r--r--. 1 root root 137 Feb 14  2007 su-l
-rw-r--r--. 1 root root 105 Feb 14  2007 runuser-l
-rw-r--r--. 1 root root 143 Feb 14  2007 runuser
-rw-r--r--. 1 root root 487 Feb 14  2007 su
-rw-r--r--. 1 root root  70 Jul 16  2009 ksu
-rw-r--r--. 1 root root 147 Oct  5  2009 reboot
-rw-r--r--. 1 root root 147 Oct  5  2009 poweroff
-rw-r--r--. 1 root root 147 Oct  5  2009 halt
-rw-r--r--. 1 root root 163 Oct  9  2009 dovecot
[root@server01 etc]#


[root@server01 etc]# cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so
[root@server01 etc]#


Root can only log in from the terminals listed in this file :

[root@server01 etc]# cat /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11



Booting into rescue mode to fix an error in the /boot/grub/grub.conf file .

Set BIOS to look for CD-ROM device first
Select 'Rescue Installed System'
Select Rescue Method 'Local CD/DVD'
Follow onscreen options for a shell
At the shell prompt ( bash-4.1 # ) type in    'chroot /mnt/sysimage'
# vi /boot/grub/grub.conf file and make changes, :wq!
Reset the system



PAM User control :

[root@server01 ~]# grep pam_nologin.so /etc/pam.d/login
account    required     pam_nologin.so

[root@server01 ~]# echo "Sorry no access today except for root user" >> /etc/nologin
[root@server01 ~]# ls -ld /etc/nologin
-rw-r--r--. 1 root root 43 Jun 19 10:24 /etc/nologin


Try to access as another user from another terminal; from the desktop hit
CTRL + ALT + F2 :


The rhill user account tried to log in and got the error message; root can log in, but also sees the error message :




[root@server01 ~]# tail /var/log/secure
Jun 19 10:21:27 server01 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.25, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jun 19 10:21:33 server01 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session2 (system bus name :1.47 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jun 19 10:22:47 server01 sshd[2314]: Accepted password for root from 192.168.0.3 port 52685 ssh2
Jun 19 10:22:47 server01 sshd[2314]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 19 10:30:18 server01 login: Authentication failure
Jun 19 10:30:28 server01 login: Authentication failure
Jun 19 10:30:35 server01 login: Authentication failure
Jun 19 10:30:41 server01 login: Authentication failure
Jun 19 10:31:05 server01 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jun 19 10:31:05 server01 login: ROOT LOGIN ON tty2
[root@server01 ~]#


[root@server01 ~]# rm /etc/nologin
rm: remove regular file `/etc/nologin'? y

Secure Files with GPG

[rhill@server01 ~]$ gpg2 --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/home/rhill/.gnupg' created
gpg: new configuration file `/home/rhill/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/rhill/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/rhill/.gnupg/secring.gpg' created
gpg: keyring `/home/rhill/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2m
Key expires at Sat 18 Aug 2012 10:37:59 AM CDT
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.
Real name: Roger K Hill
Email address: roger.unixman@yahoo.com
Comment: DSA and RSA Default gpg key
You selected this USER-ID:
    "Roger K Hill (DSA and RSA Default gpg key) <roger.unixman@yahoo.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

can't connect to `/home/rhill/.gnupg/S.gpg-agent': No such file or directory
gpg-agent[2575]: directory `/home/rhill/.gnupg/private-keys-v1.d' created
gpg-agent[2575]: command get_passphrase failed: Operation cancelled
gpg: cancelled by user
gpg: Key generation canceled.


...repeated same process, still not working ...

[rhill@server01 ~]$ gpg2 --list-key
gpg: /home/rhill/.gnupg/trustdb.gpg: trustdb created


http://www.linuxquestions.org/questions/linux-security-4/gpg-gpg-agent-cant-connect-to-root-gnupg-s-gpg-agent-611843/

[rhill@server01 ~]$ gpg2 --daemon
gpg: invalid option "--daemon"

[rhill@server01 ~]$ mkdir -p -m 700 ~/.gnupg
[rhill@server01 ~]$ mknod -m 700 ~/.gnupg/S.gpg-agent p

[rhill@server01 ~]$ gpg-agent --daemon
GPG_AGENT_INFO=/tmp/gpg-MKrMXs/S.gpg-agent:2752:1; export GPG_AGENT_INFO;


...and ...still fucked up ... ??? wth ?

[rhill@server01 ~]$ gpg2 --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2m
Key expires at Sat 18 Aug 2012 10:54:55 AM CDT
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Roger K Hill
Email address: roger.unixman@yahoo.com
Comment: gpg test defaults
You selected this USER-ID:
    "Roger K Hill (gpg test defaults) <roger.unixman@yahoo.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
can't connect to `/home/rhill/.gnupg/S.gpg-agent': Connection refused
gpg-agent[2762]: command get_passphrase failed: Operation cancelled
gpg: cancelled by user
gpg: Key generation canceled.
[rhill@server01 ~]$

...idk...might need to be root for this to work...will try again later tonight ...

Friday, June 15, 2012

Chapter 9 - RHCSA Level System Administration

Configure Access with VNC

 yum install vinagre tigervnc tigervnc-server -y

[root@server01 ~]# tail /etc/sysconfig/vncservers
# http://kbase.redhat.com/faq/docs/DOC-7028
# Use "-nolisten tcp" to prevent X connections to your VNC server via TCP.
# Use "-localhost" to prevent remote VNC clients connecting except when
# doing so through a secure tunnel.  See the "-via" option in the
# `man vncviewer' manual page.

# VNCSERVERS="2:myusername"
# VNCSERVERARGS[2]="-geometry 800x600 -nolisten tcp -localhost"


[root@server01 ~]# service vncserver status
Xvnc is stopped

[root@server01 ~]# chkconfig --list vncserver
vncserver       0:off   1:off   2:off   3:off   4:off   5:off   6:off
VNC Client

NOTE : Better and more complete VNC Client + Server Config examples later !!!

# vncviewer

Configure the firewall

[root@server01 ~]# iptables -L  | grep -i vnc
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpts:vnc-server:5905
[root@server01 ~]#

Process Control :

List all of a user's processes

[root@server01 ~]# ps -u dick
  PID TTY          TIME CMD
 4638 pts/1    00:00:00 bash
 4662 pts/1    00:00:00 vim
top command

Elementary System Admin Commands

Process Displays :


[root@server01 ~]# ps -ef | head
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:23 ?        00:00:01 /sbin/init
root         2     0  0 09:23 ?        00:00:00 [kthreadd]
root         3     2  0 09:23 ?        00:00:00 [migration/0]
root         4     2  0 09:23 ?        00:00:00 [ksoftirqd/0]
root         5     2  0 09:23 ?        00:00:00 [migration/0]
root         6     2  0 09:23 ?        00:00:00 [watchdog/0]
root         7     2  0 09:23 ?        00:00:00 [events/0]
root         8     2  0 09:23 ?        00:00:00 [cpuset]
root         9     2  0 09:23 ?        00:00:00 [khelper]
[root@server01 ~]# ps aux | head
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  19324  1504 ?        Ss   09:23   0:01 /sbin/init
root         2  0.0  0.0      0     0 ?        S    09:23   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    09:23   0:00 [migration/0]
root         4  0.0  0.0      0     0 ?        S    09:23   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S    09:23   0:00 [migration/0]
root         6  0.0  0.0      0     0 ?        S    09:23   0:00 [watchdog/0]
root         7  0.0  0.0      0     0 ?        S    09:23   0:00 [events/0]
root         8  0.0  0.0      0     0 ?        S    09:23   0:00 [cpuset]
root         9  0.0  0.0      0     0 ?        S    09:23   0:00 [khelper]
[root@server01 ~]#

That was exciting....tell me I haven't run those two commands about a million times in my career ... :) ....zzzzZZZzzzzzz..Zzzz

ahhh...ooohh..(just like at the fireworks display, except two colors only :)

[root@server01 ~]# ps eux | head
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  19324  1504 ?        Ss   09:23   0:01 /sbin/init HOME=/ TERM=linux PATH=/sbin:/bin:/usr/sbin:/usr/bin
root         2  0.0  0.0      0     0 ?        S    09:23   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    09:23   0:00 [migration/0]
root         4  0.0  0.0      0     0 ?        S    09:23   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S    09:23   0:00 [migration/0]
root         6  0.0  0.0      0     0 ?        S    09:23   0:00 [watchdog/0]
root         7  0.0  0.0      0     0 ?        S    09:23   0:00 [events/0]
root         8  0.0  0.0      0     0 ?        S    09:23   0:00 [cpuset]
root         9  0.0  0.0      0     0 ?        S    09:23   0:00 [khelper]
[root@server01 ~]#

[root@server01 ~]# ps axl | head
F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
4     0     1     0  20   0  19324  1504 poll_s Ss   ?          0:01 /sbin/init
1     0     2     0  20   0      0     0 kthrea S    ?          0:00 [kthreadd]
1     0     3     2 -100  -      0     0 migrat S    ?          0:00 [migration/0]
1     0     4     2  20   0      0     0 ksofti S    ?          0:00 [ksoftirqd/0]
1     0     5     2 -100  -      0     0 cpu_st S    ?          0:00 [migration/0]
5     0     6     2 -100  -      0     0 watchd S    ?          0:00 [watchdog/0]
1     0     7     2  20   0      0     0 worker S    ?          0:00 [events/0]
1     0     8     2  20   0      0     0 worker S    ?          0:00 [cpuset]
1     0     9     2  20   0      0     0 worker S    ?          0:00 [khelper]
[root@server01 ~]#

System Activity Reporter


[root@server01 ~]# sar -A | head
Linux 2.6.32-131.0.15.el6.x86_64 (server01)     06/15/2012      _x86_64_       (1 CPU)
08:33:11 AM       LINUX RESTART
08:40:01 AM     CPU      %usr     %nice      %sys   %iowait    %steal      %irq     %soft    %guest     %idle
08:50:02 AM     all     14.50      0.00     17.16      2.70      0.00      0.93     38.19      0.00     26.52
08:50:02 AM       0     14.50      0.00     17.16      2.70      0.00      0.93     38.19      0.00     26.52
09:00:01 AM     all      0.03      0.00      0.09      0.15      0.00      0.00      0.06      0.00     99.68
09:00:01 AM       0      0.03      0.00      0.09      0.15      0.00      0.00      0.06      0.00     99.68
09:10:02 AM     all      0.07      0.00      0.12      0.16      0.00      0.00      0.06      0.00     99.59
[root@server01 ~]#

Daily reports are kept in the /var/log/sa directory

[root@server01 ~]# ls -lrt /var/log/sa
total 3992
-rw-r--r--. 1 root root  83700 Jun  6 19:30 sa06
-rw-r--r--. 1 root root 226676 Jun  7 23:50 sa07
-rw-r--r--. 1 root root 277187 Jun  7 23:53 sar07
-rw-r--r--. 1 root root 337956 Jun  8 23:50 sa08
-rw-r--r--. 1 root root 358721 Jun  8 23:53 sar08
-rw-r--r--. 1 root root 342612 Jun  9 23:50 sa09
-rw-r--r--. 1 root root 362358 Jun  9 23:53 sar09
-rw-r--r--. 1 root root 342612 Jun 10 23:50 sa10
-rw-r--r--. 1 root root 362358 Jun 10 23:53 sar10
-rw-r--r--. 1 root root  78876 Jun 11 05:20 sa11
-rw-r--r--. 1 root root 206116 Jun 12 23:50 sa12
-rw-r--r--. 1 root root 252127 Jun 12 23:53 sar12
-rw-r--r--. 1 root root 333396 Jun 13 23:50 sa13
-rw-r--r--. 1 root root 371080 Jun 13 23:53 sar13
-rw-r--r--. 1 root root  43580 Jun 14 02:40 sa14
-rw-r--r--. 1 root root  34740 Jun 15 11:10 sa15

[root@server01 ~]# cat /etc/cron.d/sysstat
# Run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib64/sa/sa1 -S DISK 1 1
# 0 * * * * root /usr/lib64/sa/sa1 -S DISK 600 6 &
# Generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib64/sa/sa2 -A

iostat usage to monitor disk activity :

[root@server01 ~]# iostat /dev/sdb1
Linux 2.6.32-131.0.15.el6.x86_64 (server01)     06/15/2012      _x86_64_        (1 CPU)
avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.30    0.01    0.52    0.61    0.00   98.56
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
sdb1              0.03         0.20         0.00       1384          0
[root@server01 ~]#

Nice and Renice :

[root@server01 ~]# ps -u dick
  PID TTY          TIME CMD
 4638 pts/1    00:00:00 bash
 4890 pts/1    00:00:00 vim
[root@server01 ~]# top -u dick
top - 11:29:18 up  2:05,  3 users,  load average: 0.00, 0.04, 0.02
Tasks: 155 total,   1 running, 154 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.3%us,  0.4%sy,  0.0%ni, 98.7%id,  0.6%wa,  0.0%hi,  0.1%si,  0.0%st
Mem:   2055876k total,   685640k used,  1370236k free,    50324k buffers
Swap:  4128760k total,        0k used,  4128760k free,   305288k cached
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4638 dick      20   0  105m 1792 1452 S  0.0  0.1   0:00.01 bash
 4890 dick      20   0  140m 3700 2536 S  0.0  0.2   0:00.04 vim

[root@server01 ~]# renice -10 4890
4890: old priority 0, new priority -10

[root@server01 ~]# top -u dick
top - 11:32:05 up  2:08,  3 users,  load average: 0.00, 0.02, 0.01
Tasks: 155 total,   1 running, 154 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.3%us,  0.4%sy,  0.0%ni, 98.7%id,  0.5%wa,  0.0%hi,  0.1%si,  0.0%st
Mem:   2055876k total,   685764k used,  1370112k free,    50340k buffers
Swap:  4128760k total,        0k used,  4128760k free,   305288k cached
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4638 dick      20   0  105m 1792 1452 S  0.0  0.1   0:00.01 bash
 4890 dick      10 -10  140m 3700 2536 S  0.0  0.2   0:00.04 vim

Run the web server with a lower scheduler priority (the normal nice value is 0; higher values mean less priority)

[root@server01 ~]# nice -n 12 /etc/init.d/httpd start
Starting httpd:                                            [  OK  ]
[root@server01 ~]#

[root@server01 ~]# ps -ef | grep httpd
root      4973     1  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4975  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4976  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4977  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4978  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4979  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4980  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4981  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4982  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
root      4984  2148  0 11:34 pts/0    00:00:00 grep httpd
[root@server01 ~]#

[root@server01 ~]# top -p 4973
top - 11:36:09 up  2:12,  3 users,  load average: 0.00, 0.00, 0.00
Tasks:   1 total,   0 running,   1 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.0%us,  0.0%sy,  0.0%ni,100.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   2055876k total,   726540k used,  1329336k free,    50400k buffers
Swap:  4128760k total,        0k used,  4128760k free,   309740k cached
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4973 root      32  12  291m  12m 6700 S  0.0  0.6   0:00.06 httpd

Kill command and signals :


[root@server01 ~]# kill -l
 1) SIGHUP       2) SIGINT       3) SIGQUIT      4) SIGILL       5) SIGTRAP
 6) SIGABRT      7) SIGBUS       8) SIGFPE       9) SIGKILL     10) SIGUSR1
11) SIGSEGV     12) SIGUSR2     13) SIGPIPE     14) SIGALRM     15) SIGTERM
16) SIGSTKFLT   17) SIGCHLD     18) SIGCONT     19) SIGSTOP     20) SIGTSTP
21) SIGTTIN     22) SIGTTOU     23) SIGURG      24) SIGXCPU     25) SIGXFSZ
26) SIGVTALRM   27) SIGPROF     28) SIGWINCH    29) SIGIO       30) SIGPWR
31) SIGSYS      34) SIGRTMIN    35) SIGRTMIN+1  36) SIGRTMIN+2  37) SIGRTMIN+3
38) SIGRTMIN+4  39) SIGRTMIN+5  40) SIGRTMIN+6  41) SIGRTMIN+7  42) SIGRTMIN+8
43) SIGRTMIN+9  44) SIGRTMIN+10 45) SIGRTMIN+11 46) SIGRTMIN+12 47) SIGRTMIN+13
48) SIGRTMIN+14 49) SIGRTMIN+15 50) SIGRTMAX-14 51) SIGRTMAX-13 52) SIGRTMAX-12
53) SIGRTMAX-11 54) SIGRTMAX-10 55) SIGRTMAX-9  56) SIGRTMAX-8  57) SIGRTMAX-7
58) SIGRTMAX-6  59) SIGRTMAX-5  60) SIGRTMAX-4  61) SIGRTMAX-3  62) SIGRTMAX-2
63) SIGRTMAX-1  64) SIGRTMAX
[root@server01 ~]#


[root@server01 ~]# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
[root@server01 ~]# ps -ef | grep ftp
root      5043     1  0 11:39 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root      5046  2148  0 11:39 pts/0    00:00:00 grep ftp
[root@server01 ~]#


[root@server01 ~]# kill -1 5043
[root@server01 ~]# ps -ef | grep ftp
root      5043     1  0 11:39 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root      5077  2148  0 11:42 pts/0    00:00:00 grep ftp


[root@server01 ~]# kill -15 5043
[root@server01 ~]# ps -ef | grep ftp
root      5087  2148  0 11:43 pts/0    00:00:00 grep ftp


[root@server01 ~]# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
[root@server01 ~]# ps -ef | grep ftp
root      5101     1  0 11:43 ?        00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
root      5103  2148  0 11:43 pts/0    00:00:00 grep ftp
[root@server01 ~]#

NOTE : kill -HUP <pidno> will not 'kill' the process; it causes an internal restart of the application and a re-read of its config files (vsftpd above kept PID 5043 after kill -1).

[root@server01 ~]# ps -ef | grep httpd
root      4973     1  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4975  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4976  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4977  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4978  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4979  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4980  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4981  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
apache    4982  4973  0 11:34 ?        00:00:00 /usr/sbin/httpd
root      5062  2148  0 11:40 pts/0    00:00:00 grep httpd
[root@server01 ~]#
[root@server01 ~]#
[root@server01 ~]# killall httpd
[root@server01 ~]# ps -ef | grep httpd
root      5065  2148  0 11:41 pts/0    00:00:00 grep httpd


Examples with gzip bzip2 and tar commands :

[root@server01 img]# ls -l IMG00673-20120601-1026.jpg
-rw-r--r--. 1 root root 327533 Jun 15 15:40 IMG00673-20120601-1026.jpg
[root@server01 img]#
[root@server01 img]# gzip IMG00673-20120601-1026.jpg
[root@server01 img]# ls -lrt IMG00673-20120601-1026.jpg
ls: cannot access IMG00673-20120601-1026.jpg: No such file or directory
[root@server01 img]# ls -lrt IMG00673-20120601-1026.jpg.gz
-rw-r--r--. 1 root root 327133 Jun 15 15:40 IMG00673-20120601-1026.jpg.gz

[root@server01 img]# ls -lrt
total 2348
-rw-r--r--. 1 root root  327133 Jun 15 15:40 IMG00673-20120601-1026.jpg.gz
-rw-r--r--. 1 root root   81084 Jun 15 15:40 rhce10.png
-rw-r--r--. 1 root root 1688479 Jun 15 15:40 rhce1.png
-rw-r--r--. 1 root root   99753 Jun 15 15:40 rhce12.png
-rw-r--r--. 1 root root   92287 Jun 15 15:40 rhce13.png
-rw-r--r--. 1 root root  103120 Jun 15 15:40 rhce11.png
[root@server01 img]#
[root@server01 img]# bzip2 rhce1.png
[root@server01 img]# ls -lrt rhce1.png
ls: cannot access rhce1.png: No such file or directory
[root@server01 img]# ls -lrt rhce1.png.bz2
-rw-r--r--. 1 root root 1689708 Jun 15 15:40 rhce1.png.bz2
[root@server01 img]#

Unpacking :

[root@server01 img]# gzip -d IMG00673-20120601-1026.jpg.gz

[root@server01 img]# ls -lrt IMG00673-20120601-1026.jpg
-rw-r--r--. 1 root root 327533 Jun 15 15:40 IMG00673-20120601-1026.jpg


[root@server01 img]# bzip2 -d rhce1.png.bz2
[root@server01 img]# ls -l rhce1.png
-rw-r--r--. 1 root root 1688479 Jun 15 15:40 rhce1.png


[root@server01 img]# tar czvf dick.home.tar.gz /home/dick
tar: Removing leading `/' from member names
/home/dick/
/home/dick/newdir4/
/home/dick/.bash_logout
/home/dick/newdir777/
/home/dick/newfile1000.txt
/home/dick/.gnome2/
/home/dick/.mozilla/
/home/dick/.mozilla/plugins/
/home/dick/.mozilla/extensions/
/home/dick/.file1.txt.swp
/home/dick/.viminfo
/home/dick/.bash_profile
/home/dick/.bashrc
/home/dick/file1.txt
/home/dick/.bash_history
/home/dick/newfile1.txt


[root@server01 img]# ls -lrt dick.home.tar.gz
-rw-r--r--. 1 root root 1381 Jun 15 16:28 dick.home.tar.gz

Just view contents inside the tar file :

[root@server01 img]# tar -tzvf dick.home.tar.gz
drwx------ dick/dick         0 2012-06-15 11:26 home/dick/
drwxrwxr-x dick/dick         0 2012-06-15 09:27 home/dick/newdir4/
-rw-r--r-- dick/dick        18 2011-01-27 07:41 home/dick/.bash_logout
drwx------ dick/dick         0 2012-06-15 09:30 home/dick/newdir777/
-rw------- dick/dick         0 2012-06-15 10:23 home/dick/newfile1000.txt
drwxr-xr-x dick/dick         0 2010-07-14 10:55 home/dick/.gnome2/
drwxr-xr-x dick/dick         0 2012-06-06 06:51 home/dick/.mozilla/
drwxr-xr-x dick/dick         0 2009-12-02 20:21 home/dick/.mozilla/plugins/
drwxr-xr-x dick/dick         0 2009-12-02 20:21 home/dick/.mozilla/extensions/
-rw-r--r-- dick/dick     12288 2012-06-15 11:26 home/dick/.file1.txt.swp
-rw------- dick/dick       761 2012-06-15 11:06 home/dick/.viminfo
-rw-r--r-- dick/dick       187 2012-06-15 09:29 home/dick/.bash_profile
-rw-r--r-- dick/dick       124 2011-01-27 07:41 home/dick/.bashrc
-rw-rw-r-- dick/dick         0 2012-06-15 09:27 home/dick/file1.txt
-rw------- dick/dick       620 2012-06-15 10:35 home/dick/.bash_history
-rw------- dick/dick         0 2012-06-15 09:30 home/dick/newfile1.txt


[root@server01 img]# yum install star -y

[root@server01 img]# star -xattr -H=exustar -c -f=dick.home.star /home/dick
star: 5 blocks + 0 bytes (total of 51200 bytes = 50.00k).


[root@server01 img]# ls dick.home.star
dick.home.star

To unpack a star archive :

[root@server01 img]# cp -p dick.home.star /home/gina/
[root@server01 img]# cd /home/gina/
[root@server01 gina]# ll
total 52
-rw-r--r--. 1 root root 51200 Jun 15 16:32 dick.home.star
[root@server01 gina]# star -x -f=dick.home.star
star: WARNING: skipping leading '/' on filenames.
star: 5 blocks + 0 bytes (total of 51200 bytes = 50.00k).


[root@server01 gina]# ls -lrt
total 56
-rw-r--r--. 1 root root 51200 Jun 15 16:32 dick.home.star
drwxr-xr-x. 3 root root  4096 Jun 15 16:35 home
[root@server01 gina]#
 

Automate System Administration : cron and at

The crontab conf file is :

/etc/crontab

[root@server01 gina]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  *  command to be executed


User crontabs are stored under the directory /var/spool/cron :

[root@server01 gina]# ls -ld /var/spool/cron/
drwx------. 2 root root 4096 Mar  4  2011 /var/spool/cron/


The anacron system is new to RHEL 6; it runs the cron jobs that were missed because the machine was powered off at the scheduled time, once the system is booted back up :

[root@server01 gina]# cat /etc/anacrontab
# /etc/anacrontab: configuration file for anacron

# See anacron(8) and anacrontab(5) for details.
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# the maximal random delay added to the base delay of the jobs
RANDOM_DELAY=45
# the jobs will be started during the following hours only
START_HOURS_RANGE=3-22

#period in days   delay in minutes   job-identifier   command
1       5       cron.daily              nice run-parts /etc/cron.daily
7       25      cron.weekly             nice run-parts /etc/cron.weekly
@monthly 45     cron.monthly            nice run-parts /etc/cron.monthly


/etc/cron.d is another directory that holds cron jobs :

[root@server01 gina]# ls -lrt /etc/cron.d
total 16
-rw-r--r--. 1 root root 459 Mar 17  2010 sa-update
-rw-r--r--. 1 root root 113 Mar  4  2011 0hourly
-rw-r--r--. 1 root root 108 Mar 28  2011 raid-check
-rw-r--r--. 1 root root 251 Mar 31  2011 sysstat


Cronjob example :

[root@server01 gina]# crontab -e
no crontab for root - using an empty one
*/3 * 15 6 * /bin/date >> /tmp/`uname -n`.date.report


Every 3 minutes of every hour on the 15th of June, whatever the day of the week, run the following command.

[root@server01 gina]# crontab -l
*/2 * 15 6 * /bin/date >> /tmp/`uname -n`.`date +%m%d%y%H%M`.report


[root@server01 gina]# ls -lrt /tmp/*.report
ls: cannot access /tmp/*.report: No such file or directory


Ooops ...heh heh ...

[root@server01 gina]# mail
Heirloom Mail version 12.4 7/29/08.  Type ? for help.
"/var/spool/mail/root": 17 messages 15 new
    1 Cron Daemon           Wed Jun  6 08:01  25/824   "Cron <root@server01> run-parts /etc/cron.hourly"
    2 Cron Daemon           Wed Jun  6 19:01  25/824   "Cron <root@server01> run-parts /etc/cron.hourly"
>N  3 Cron Daemon           Thu Jun  7 06:01  24/813   "Cron <root@server01> run-parts /etc/cron.hourly"
 N  4 Cron Daemon           Fri Jun  8 05:01  24/813   "Cron <root@server01> run-parts /etc/cron.hourly"
 N  5 Cron Daemon           Fri Jun  8 06:01  24/813   "Cron <root@server01> run-parts /etc/cron.hourly"
 N  6 Cron Daemon           Tue Jun 12 08:01  24/813   "Cron <root@server01> run-parts /etc/cron.hourly"
 N  7 Cron Daemon           Wed Jun 13 05:01  24/813   "Cron <root@server01> run-parts /etc/cron.hourly"
 N  8 abrt@localhost.local  Wed Jun 13 06:00 107/2669  "[abrt] new crash was detected"
 N  9 Cron Daemon           Wed Jun 13 06:01  24/813   "Cron <root@server01> run-parts /etc/cron.hourly"
 N 10 Cron Daemon           Wed Jun 13 10:01  24/813   "Cron <root@server01> run-parts /etc/cron.hourly"
 N 11 Cron Daemon           Wed Jun 13 11:01  24/813   "Cron <root@server01> run-parts /etc/cron.hourly"
 N 12 Cron Daemon           Fri Jun 15 09:01  24/813   "Cron <root@server01> run-parts /etc/cron.hourly"
 N 13 Cron Daemon           Fri Jun 15 10:01  24/813   "Cron <root@server01> run-parts /etc/cron.hourly"
 N 14 Cron Daemon           Fri Jun 15 17:10  22/856   "Cron <root@server01> /bin/date >> /tmp/`uname -n`.`date +"
 N 15 Cron Daemon           Fri Jun 15 17:12  22/856   "Cron <root@server01> /bin/date >> /tmp/`uname -n`.`date +"
 N 16 Cron Daemon           Fri Jun 15 17:14  22/856   "Cron <root@server01> /bin/date >> /tmp/`uname -n`.`date +"
 N 17 Cron Daemon           Fri Jun 15 17:16  22/856   "Cron <root@server01> /bin/date >> /tmp/`uname -n`.`date +"
& 17
Message 17:
From root@server01.localdomain  Fri Jun 15 17:16:02 2012
Return-Path: <root@server01.localdomain>
X-Original-To: root
Delivered-To: root@server01.localdomain
From: root@server01.localdomain (Cron Daemon)
To: root@server01.localdomain
Subject: Cron <root@server01> /bin/date >> /tmp/`uname -n`.`date +
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Date: Fri, 15 Jun 2012 17:16:02 -0500 (CDT)
Status: R

/bin/sh: -c: line 0: unexpected EOF while looking for matching ``'
/bin/sh: -c: line 1: syntax error: unexpected end of file

New mail has arrived.
Loaded 1 new message
 N 18 Cron Daemon           Fri Jun 15 17:18  22/856   "Cron <root@server01> /bin/date >> /tmp/`uname -n`.`date +"
&
...wait for it , wait for it ...


[root@server01 gina]# watch -n 5 "ls -lrt /tmp/*.report"

...nothin...

Had to change to ...

[root@server01 gina]# crontab -l
*/2 * 15 6 * /bin/date >> /tmp/`uname -n`.$(date \+\%m\%d\%y\%H\%M).report

What a pain in the ass crontabs they are !!!

[root@server01 gina]# watch -n 5 "ls -lrt /tmp/*.report"

Every 5.0s: ls -lrt /tmp/*.report                                                                                                     Fri Jun 15 17:30:30 2012
-rw-r--r--. 1 root root 29 Jun 15 17:28 /tmp/server01.0615121728.report
-rw-r--r--. 1 root root 29 Jun 15 17:30 /tmp/server01.0615121730.report

Yeah baby...yeah ..! 

Ranges can be defined in fields like :

*/5 = every 5 minutes, hours, or whatever unit the field is
5,15,20 = 5, 15 and 20 minutes past the hour
7-10 = 7th, 8th, 9th and 10th
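A small lint for the two things this section shows, the time-field syntax just listed and the unescaped `%` that silently broke the `date +%m%d%y%H%M` job above. It is an added example, not from the original post; `crontab_line_check` and `crontab_lint` are names chosen here, and the awk in it is POSIX awk.

```shell
# Check one crontab line, as printed by `crontab -l`.  cron(8) turns every
# unescaped % in the command field into a newline and feeds the text after the
# first % to the command's stdin, which is why `date +%m%d%y%H%M` above produced
# "unexpected EOF while looking for matching ``'" mails instead of report files.
# Exit status: 0 clean, 1 unescaped %, 2 fewer than six fields, 3 a time field
# out of range or malformed.
crontab_line_check() {
  printf '%s\n' "$1" | awk '
    # Validate one time field against its numeric range.  Lists (5,15,20),
    # ranges (7-10), steps (*/5, 1-10/2) and "*" are accepted; the month and
    # day-of-week fields may also use three-letter names (not range-checked).
    function bad_field(f, lo, hi, names,    n, parts, i, p, sp, ab, step) {
      n = split(f, parts, ",")
      for (i = 1; i <= n; i++) {
        p = parts[i]
        if (index(p, "/")) {
          split(p, sp, "/"); p = sp[1]; step = sp[2]
          if (step !~ /^[0-9]+$/ || step + 0 == 0) return 1
        }
        if (p == "*") continue
        if (p ~ /^[0-9]+$/) { if (p + 0 < lo || p + 0 > hi) return 1; continue }
        if (p ~ /^[0-9]+-[0-9]+$/) {
          split(p, ab, "-")
          if (ab[1] + 0 < lo || ab[2] + 0 > hi || ab[1] + 0 > ab[2] + 0) return 1
          continue
        }
        if (names && p ~ /^[A-Za-z][A-Za-z][A-Za-z]$/) continue
        return 1
      }
      return 0
    }
    NF < 6 { exit 2 }
    {
      if (bad_field($1, 0, 59, 0) || bad_field($2, 0, 23, 0) ||
          bad_field($3, 1, 31, 0) || bad_field($4, 1, 12, 1) ||
          bad_field($5, 0, 7, 1)) exit 3
      # rebuild the command part (fields 6..NF)
      cmd = $6
      for (i = 7; i <= NF; i++) cmd = cmd " " $i
      # a % counts as escaped only when the character right before it is a backslash
      if (cmd ~ /^%/ || cmd ~ /[^\\]%/) exit 1
      exit 0
    }'
}

# Lint a whole crontab read from stdin (e.g. `crontab -l | crontab_lint`),
# skipping blank lines, comments and NAME=value environment lines.  Prints one
# line per problem and returns 1 if anything was flagged, 0 otherwise.
crontab_lint() {
  n=0; bad=0
  while IFS= read -r line; do
    n=$((n + 1))
    case $line in ''|'#'*|[A-Za-z_]*=*) continue ;; esac
    rc=0; crontab_line_check "$line" || rc=$?
    case $rc in
      1) printf 'line %s: unescaped %% in command field (escape it as \\%% or move the command into a script)\n' "$n" ;;
      2) printf 'line %s: fewer than six fields\n' "$n" ;;
      3) printf 'line %s: bad time field\n' "$n" ;;
    esac
    [ "$rc" -eq 0 ] || bad=1
  done
  return $bad
}
```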

Crontab switches :

-u user
-l list all current crontab entries
-r removes crontab entries
-e edit crontab

Anacron job format :

# period in days        delay_in_minutes        job-id         command

At Command Examples :

[root@server01 gina]# at now + 2 minute
at> /sbin/ifconfig eth0 >> /tmp/eth0.txt
at> <EOT>
job 1 at 2012-06-15 17:34
[root@server01 gina]# atq
1       2012-06-15 17:34 a root

[root@server01 gina]# ls -lrt /tmp/eth0.txt
-rw-r--r--. 1 root root 494 Jun 15 17:34 /tmp/eth0.txt
[root@server01 gina]# cat /tmp/eth0.txt
eth0      Link encap:Ethernet  HWaddr 00:0C:29:3A:FF:14
          inet addr:192.168.0.12  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe3a:ff14/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:414016 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9463 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:29177222 (27.8 MiB)  TX bytes:1427051 (1.3 MiB)
[root@server01 gina]#

Removing an 'at' job :

[root@server01 gina]# at now + 1 hour
at> date >> /tmp/date.txt
at> <EOT>
job 2 at 2012-06-15 18:35
[root@server01 gina]# atq
2       2012-06-15 18:35 a root
[root@server01 gina]# atrm 2
[root@server01 gina]# atq
[root@server01 gina]#

Securing at and cron :

/etc/cron.allow      only users listed in here can run crontab
/etc/cron.deny       all users listed in here CANNOT use crontab

[root@server01 gina]# ls -lrt /etc | grep cron
drwxr-xr-x.  2 root root   4096 Dec  2  2009 cron.weekly
-rw-r--r--.  1 root root    448 Dec  2  2009 crontab
-rw-r--r--.  1 root root      0 Mar  4  2011 cron.deny
-rw-r--r--.  1 root root    541 Mar  4  2011 anacrontab
drwxr-xr-x.  2 root root   4096 Jun  6 06:56 cron.monthly
drwxr-xr-x.  2 root root   4096 Jun  6 06:57 cron.d
drwxr-xr-x.  2 root root   4096 Jun  6 06:57 cron.daily
drwxr-xr-x.  2 root root   4096 Jun  6 06:57 cron.hourly

/etc/cron.allow does NOT exist by default

If cron.allow file exists, then you must be listed therein in order to be allowed to use this command.  If the cron.allow  file  does  not exist but the cron.deny file does exist, then you must not be listed in the cron.deny file in order to use this command.
-----------------------------------------------------------------------------
/etc/at.allow
/etc/at.deny

If the file /etc/at.allow exists, only usernames mentioned in it are allowed to use at. If /etc/at.allow does not exist, /etc/at.deny is checked, every username not mentioned in it is then allowed to use at.
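The allow/deny rule quoted above for both crontab and at, written out as a portable shell function plus a small audit report. Added example, not from the original post; `job_access_allowed`, `job_access_report` and `make_fixture` are names chosen here, and the fixture files are constructed, not taken from a real host.

```shell
# Decide whether USER may use crontab or at.  ALLOW and DENY are the paths to
# check (/etc/cron.allow and /etc/cron.deny, or /etc/at.allow and /etc/at.deny).
# Exit status: 0 allowed, 1 denied, 2 neither file exists (then the daemon's
# compiled-in default applies, which these two files cannot tell you).
job_access_allowed() {
  user=$1; allow=$2; deny=$3
  if [ -f "$allow" ]; then
    # allow file present: only the users listed in it may use the command
    if grep -qxF -- "$user" "$allow"; then return 0; fi
    return 1
  fi
  if [ -f "$deny" ]; then
    # no allow file: everyone may use the command except the users listed here
    if grep -qxF -- "$user" "$deny"; then return 1; fi
    return 0
  fi
  return 2
}

# Print one "user: allowed|denied|default" line per user, for a quick audit of
# who can schedule jobs on a host, e.g.
#   job_access_report /etc/cron.allow /etc/cron.deny $(cut -d: -f1 /etc/passwd)
job_access_report() {
  allow=$1; deny=$2; shift 2
  for u in "$@"; do
    rc=0; job_access_allowed "$u" "$allow" "$deny" || rc=$?
    case $rc in 0) v=allowed ;; 1) v=denied ;; *) v=default ;; esac
    printf '%s: %s\n' "$u" "$v"
  done
}

# Constructed fixture for trying the rules out offline, in a temp directory:
# cron follows the RHEL 6 default layout above (cron.deny exists, no
# cron.allow) with "bob" added to cron.deny; at has both files, so at.deny is
# ignored and only "alice" gets through.  Prints the directory path.
make_fixture() {
  d=$(mktemp -d)
  printf 'bob\n' > "$d/cron.deny"
  printf 'alice\n' > "$d/at.allow"
  printf 'carol\n' > "$d/at.deny"
  echo "$d"
}
```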

Local Log File Analysis

The rsyslog daemon handles logging on RHEL 6 :

/etc/init.d/rsyslog 
/etc/rsyslog.conf  

The main configuration file for rsyslog is /etc/rsyslog.conf. It is essentially divided in the following parts:
  • Modules
  • Global directives
  • Rules
  • Templates
  • Filter conditions
  • Output channels

Facility

Code  Facility  Description
0 kern kernel messages
1 user user-level messages
2 mail mail system
3 daemon system daemons
4 auth security/authorization messages
5 syslog messages generated internally by syslogd
6 lpr line printer subsystem
7 news network news subsystem
8 uucp UUCP subsystem
9 cron clock daemon
10 security security/authorization messages
11 ftp FTP daemon
12 ntp NTP subsystem
13 logaudit log audit
14 logalert log alert
15 clock clock daemon
16 local0 local use 0 (local0)
17 local1 local use 1 (local1)
18 local2 local use 2 (local2)
19 local3 local use 3 (local3)
20 local4 local use 4 (local4)
21 local5 local use 5 (local5)
22 local6 local use 6 (local6)
23 local7 local use 7 (local7)



Severity

Code  Severity  Description
0 emerg system is unusable
1 alert action must be taken immediately
2 crit critical conditions
3 error error conditions
4 warning warning conditions
5 notice normal but significant condition
6 info informational messages
7 debug debug-level messages



A rule line is then a facility.priority selector followed by the action (here a log file), like :

*.info;mail.none;authpriv.none;cron.none                /var/log/messages
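To see how that selector line is evaluated, here is an added example (not from the original post) that decides whether a message of a given facility and severity would land in /var/log/messages under it; `syslog_selector_matches` is a name chosen here and the code uses the numeric codes from the two tables above.

```shell
# Does a message tagged FACILITY SEVERITY match rsyslog selector SEL?
# Returns 0 when the rule's action would run, 1 when it would not, 2 for an
# unknown facility or severity name.  Rules applied: a priority P matches P and
# everything more severe (a lower code in the table above), "none" drops the
# facility, "=P" matches only P, "*" matches every priority, and later
# ;-separated parts override earlier ones for the facilities they name, which
# is how "*.info;mail.none" keeps mail out of /var/log/messages.
syslog_selector_matches() {
  awk -v sel="$1" -v fac="$2" -v sev="$3" '
  BEGIN {
    # facility codes 0-23 in table order; "authpriv" is the selector name for
    # code 10, which the table above lists as "security"
    fl = "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp"
    fl = fl " logaudit logalert clock local0 local1 local2 local3 local4 local5 local6 local7"
    nfac = split(fl, f, " ")
    for (i = 1; i <= nfac; i++) fcode[f[i]] = i - 1
    nsev = split("emerg alert crit err warning notice info debug", s, " ")
    for (i = 1; i <= nsev; i++) scode[s[i]] = i - 1
    scode["error"] = 3; scode["warn"] = 4; scode["panic"] = 0   # common aliases
    if (!(fac in fcode) || !(sev in scode)) exit 2
    verdict = 1                       # no match unless a part says otherwise
    np = split(sel, parts, ";")
    for (i = 1; i <= np; i++) {
      # "mail,cron.none" -> facility list "mail,cron", priority "none"
      dot = index(parts[i], ".")
      flist = substr(parts[i], 1, dot - 1)
      pri = substr(parts[i], dot + 1)
      nfl = split(flist, facs, ",")
      hit = 0
      for (j = 1; j <= nfl; j++) if (facs[j] == "*" || facs[j] == fac) hit = 1
      if (!hit) continue              # this part does not talk about our facility
      if (pri == "none")      verdict = 1
      else if (pri == "*")    verdict = 0
      else if (substr(pri, 1, 1) == "=") {
        if (!(substr(pri, 2) in scode)) exit 2
        verdict = (scode[sev] == scode[substr(pri, 2)]) ? 0 : 1
      } else {
        if (!(pri in scode)) exit 2
        verdict = (scode[sev] <= scode[pri]) ? 0 : 1
      }
    }
    exit verdict
  }'
}
```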

Log Rotation and Log File Management :

/etc/logrotate.conf
/etc/logrotate.d

Logrotate config file is fairly straightforward :

[root@server01 gina]# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
        minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.

Most services log into the /var/log directory by default.

Some services, like vsftpd and Apache httpd, have their own logging mechanisms and don't use the logrotate facility.