RPM Commands
rpm -i  -- to install the rpms
rpm -ivh  -- to install rpms verbosely with hash marks showing the completed percentage
rpm -q  -- to query installed software
rpm -e  -- to erase software
rpm -qa | grep 'packagename'  -- to list installed rpms via grep
rpm -ql firefox  -- will list all files which were installed with the package + their location. Say for example you want to uninstall a program but you don't know which rpm it maps to; the commands below will help find that.
step1: type in  which gcalctool  (program name)
step2: this will give you the complete path of where the program is executing from
step3: once you have the path, type in  rpm -qf /path  (qf is to query by filename)
step4: after doing rpm -qf it will show you the exact rpm name.
RPM
Local RPM database is stored in /var/lib/rpm.
rpm is a command and a database for other programs such as yum and pirut.
rpm -ivh  -- will install in verbose mode with hash marks showing the completed %
rpm -F  -- will freshen (update) the rpm to a new version if needed; if the package is not already installed it will skip it.
rpm -U  -- will upgrade if it exists, or will install if it is not there.
rpm -ivh --replacepkgs /media/Server/firefox  -- will reinstall the same version of the package.
rpm -Uvh --oldpackage /media/Server/firefox  -- will downgrade the package to the older version
rpm -evh bash-version.arch  -- will erase/remove.
rpm -qa | grep -i firefox  -- will list all firefox related rpms; I usually use this to find the exact name of the rpm
rpm -ql packagename  -- will list all files associated with that package
rpm -qf /usr/sbin/sendmail  -- will list the actual rpm this file belongs to.
rpm -qi bash  -- will give more info on the package, etc.
rpm -V pam  -- will verify if anything in pam has changed since it was installed
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release  -- will import the Red Hat GPG key into the RPM system-wide keyring.
rpm -K package-file.rpm  -- will verify package integrity (signature and digests).
rpm -qp --scripts kernel-PAE-2.6.18-128.el5.i686.rpm  -- will show the install/uninstall scriptlets embedded in the package file (-qp queries a package file instead of the installed database), worth reading before installing an rpm from an unfamiliar source.
rpm -q --changelog openssl | grep CVE  -- will show what CVE security alerts have been addressed by querying the change log.
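The rpm -V line above only says "verify"; this added sh example (not part of the original notes) shows how to read the verification output. It runs over a constructed sample of rpm -Va output embedded in the script, so it needs no rpm database to run.

```shell
#!/bin/sh
# Constructed sample of "rpm -Va" output (not captured from a real host).
# Each line: 9 attribute flags, an optional file-type letter, then the path.
# Flag positions: S size, M mode, 5 digest, D device, L symlink, U user,
# G group, T mtime, P capabilities; "." means unchanged, "missing" means gone.
# A type letter "c" marks a config file, whose content is expected to change.
RPMV_SAMPLE='S.5....T.  c /etc/pam.d/system-auth
.......T.    /usr/bin/passwd
S.5....T.    /usr/bin/ssh
.M.......    /usr/sbin/useradd
missing      /usr/lib/security/pam_unix.so
.....UG..    /var/log/lastlog'

# rpmv_suspicious: read rpm -V output on stdin and print one line per file
# worth a look: missing files, non-config files whose size or digest
# changed (content replaced), and files whose mode/owner/group changed.
# mtime-only changes are ignored; config-file content changes are ignored.
rpmv_suspicious() {
    awk '
        $1 == "missing" { printf "%-9s %s\n", "missing", $NF; next }
        {
            flags = $1
            type  = (NF == 3) ? $2 : ""
            path  = $NF
            if (type != "c" && (substr(flags, 1, 1) == "S" || substr(flags, 3, 1) == "5"))
                printf "%-9s %s\n", "content", path
            else if (substr(flags, 2, 1) == "M" || substr(flags, 6, 1) == "U" || substr(flags, 7, 1) == "G")
                printf "%-9s %s\n", "metadata", path
        }'
}

# rpmv_demo: run the filter over the constructed sample above.
rpmv_demo() {
    printf '%s\n' "$RPMV_SAMPLE" | rpmv_suspicious
}

rpmv_demo
```

On a real host pipe the output of rpm -Va into rpmv_suspicious; since an intruder with root can also edit the rpm database, verifying against the original package file from trusted media (rpm -Vp package.rpm) is the stronger check.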
Yum Package Management
yum install firefox --nogpgcheck  -- will not check the GPG signature.
yum search cairo  -- will search all enabled repos for this
yum whatprovides /usr/sbin/sendmail  -- similar to rpm -qf /usr/sbin/sendmail
yum list 'kernel*'  -- will list installed plus available packages from the repo, including updates
yum list updates  -- will list all available updates for rpms already installed
----Configure additional repos---
create a file in /etc/yum.repos.d ending in .repo with the following options
[repo name]
name=description
baseurl=http://
enabled=1
gpgcheck=1
you can copy the same from any other repo.
then run
yum clean dbcache  (or yum clean all)  -- will clear the cache.
Linux General Commands
ps -ef | less  -- list processes
fdisk -lu  -- list all disks
df -lh  -- list all partitions in human readable format
cat /etc/*-release  -- to find out the OS version
mount -t cifs //ntserver/download -o username=vivek,password=myPassword /mnt/ntserver  -- this command is to mount a Windows share from Linux; you must install the smbclient rpm first.
ifup eth0  -- to enable or disable ethernet cards
./installer.sh  -- e.g. to run a script to install Oracle you need to put ./ before the file name
cp -R sourcedir /destinationdir  -- this command is used to copy the entire content of the directory.
ls -ltr  -- list all files
ls -A | wc -l  -- list how many files are in the directory.
source .bash_profile  -- if you change the environment variables in your bash profile and would like to activate those changes straight away, use this command
touch  -- to create a file; you can give any extension you like
mv  -- to move a file from one dir to another.
tail -f  -- use this command to troubleshoot scripts (./runmozilla, etc.)
sh -x  -- sh = shell and x = debug.
locate firefox  -- will list the location of firefox files
whereis firefox  -- will list the location of firefox files (these 2 commands [locate and whereis] get their info from a database which is updated by a daily cron job; you can also update this database manually with the "updatedb" command)
updatedb  -- will update the database for the above 2 commands
Mount
mount  -- will show which partitions (fdisk -l) are mounted at which dir.
lsmod  -- to list all the loaded drivers
modinfo drivername  -- will list the version of the driver.
/lib/modules/kernelversion/drivers  -- from this location you can see all the built-in drivers which are available in the kernel
modprobe drivername  -- will load the driver again if it's not loaded
kill -9 pidnumber  -- will kill the program completely
pidof tar  -- will show you all pids related to the tar program
runlevel  -- shows you the previous and current run level you are logged into
free -m  -- shows you memory stats
To check what IP addresses/ports your system is listening on, run
syntax:
netstat -ntl
netstat -ntlp | grep -i squid  -- will show you which ports squid is listening on; you can use this method to check for ports when configuring
IPTABLES
Setting up bash to use a proxy server--
syntax:
export http_proxy=http://192.168.2.100:3128  -- this will set the environment variable for bash to access the internet via a proxy; the same goes for other programs such as wget, ftp, etc. You may need to set up the bash environment variable if the network only permits access to the internet via a proxy server.
Process commands
ps  -- to see only your specific user-initiated processes
ps -e  -- to see all processes
ps -e | grep 'whatever'  -- to filter processes with specific names
find / -name junk  -- this is to find a file named junk starting from the top-level directory
find / -name junk &  -- will run in the background instead of running in the foreground
ctrl + z  -- say you initiated a program or a process which is taking long from bash and your bash prompt is not appearing; you can stop (suspend) that process with ctrl+z
bg  -- and if you would like to resume that process and run it in the background, just type bg.
fg  -- to bring it to the foreground.
ctrl + c  -- will terminate the process completely.
kill -9  -- will terminate the process abruptly.
nohup  -- use this to run processes/programs when you want them to run independently from the bash terminal
e.g. Windows "disconnect" (instead of logoff) is the same as nohup; say you want to run Oracle backups but would like to close down the bash terminal, you can use the nohup command here.
nice  -- to prioritise processes; -19 is the highest priority whereas 19 is the lowest, e.g. to lower priority: nice -19 oraclebackup
renice  -- to re-prioritise an already running process.
jobs -l  -- will show all processes running in the background; Windows equivalent: scheduled task in the background
top  -- performance monitor; if you press h after you run top it will give you a couple of options (h stands for help)
FileSystem
fsck  -- (chkdsk) must unmount the file system first
fsck -n  -- read only
fsck -p  -- repair automatically
du -h  -- to check file space
df -h  -- list partitions / check partition space
mount /dev/cdrom /mnt/huzcdrom  -- mount the device on that directory
umount /dev/cdrom  -- unmount it
/etc/fstab  -- is known as the file system table; this file shows which mount points will be automatically mounted when the system reboots.
Rescan disk on Red Hat (make sure the OS does not use the same drive)
modprobe -r qla2300
modprobe qla2300
Configuration
/proc  -- is a virtual directory; in the proc directory you can run the following commands
cat meminfo  -- which will show you your memory info
cat version  -- will show you the Linux version
cat cpuinfo  -- will show you CPU info
cat loadavg  -- will show you the system load average; this is where top gets its load average info from.
-------------------File System and LVM---------------------------------------------------
1) Add a drive to your Linux box, then you first need to create a physical partition with fdisk and change its type to LVM (8e):
fdisk /dev/sdb
n  -for new partition
p  -for primary
+10GB  -define size or select default (it will take the entire size)
t  -to change the partition type to '8e' LVM
w  -to write changes
partprobe /dev/sdb  -to re-read the partition table
2) once it's an LVM partition then you create a physical volume on it:
pvcreate /dev/sdb1
pvs  -short display
pvdisplay  -long display
3) once the physical volume is defined we create a Volume Group, in which we define which physical volumes are going to be a part of this volume group:
vgcreate RAID0 /dev/sdb1
vgs  -short display
vgdisplay  -long display
4) once you create the volume group and define which physical volumes are going to be a part of that volume group, then you start creating Logical Volumes from that volume group:
lvcreate -L 10GB -n vol1 RAID0
lvs  -short display
lvdisplay  -long display
5) Create file systems on the logical volumes
mke2fs -j /dev/VolGroup02/SQLLOG1
mke2fs -j /dev/VolGroup02/SQLLOG2
mke2fs -j /dev/VolGroup01/Data
6) Mount the logical volumes
mkdir /SQLLOG1
mkdir /SQLLOG2
mkdir /SQLDATA
mount /dev/VolGroup02/SQLLOG1 /SQLLOG1
mount /dev/VolGroup02/SQLLOG2 /SQLLOG2
mount /dev/VolGroup02/SQLLOG3 /SQLDATA
7) edit the /etc/fstab file with the above mount points.
8) resize lvs, rename lvs, etc.
Note: you may online-resize the file system if the following are met:
2.6.x kernel
must be formatted with ext3
lvresize -L 1.9GB /dev/VolGroup02/SQLLOG2
Once you resize the LVM, you will still see the same value in df -h; you will need to follow the commands below:
resize2fs -f -p /dev/VolGroup02/SQLLOG2
Resizing Logical Volumes -- this is how it's shown in the books
Task:
extend the logical volume Data, which resides in volume group RAID1, then resize the filesystem of logical volume Data
a) lvextend -L +500M /dev/RAID1/Data  -- will extend the volume; the -L option is for size
b) resize2fs -p /dev/RAID1/Data  -- once the logical volume is extended you must extend the filesystem which resides on the logical volume; the -p option is for (persistent)
Task:
shrink the logical volume called Data to 1000 MB from 1500 MB. The difference between extending and reducing is:
while extending you first extend the logical volume (Data) and then the filesystem; also, when adding space you give the + SIGN
while reducing you must first reduce the filesystem and then the (Data) logical volume; also, when reducing space you give NO SIGN
a) df -h  -- verify if the logical volume is mounted or not
b) umount /Data  -- if the logical volume is mounted, you must unmount it first.
c) e2fsck -f /dev/RAID1/Data  -- must run e2fsck before reducing/shrinking logical volumes
d) resize2fs /dev/RAID1/Data 1000M  -- will reduce the filesystem which resides on logical volume Data.
e) lvreduce -L 1000M /dev/RAID1/Data  -- will reduce the logical volume (Data)
----------xxxxxxxxx-----------------RAID---------------------xxxxxxxxxxxxxxxxxxxx----------------------------------------------------
Tasks:
1) create 2 usable raw partitions with fdisk
fdisk /dev/sdb
then create 2 partitions from sdb, such as sdb1 and sdb2
2) Create a RAID 1 device (/dev/md0..n)
a) mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdb1 /dev/sdb2  -- will create a software raid called md0; level is for the raid type.
b) mdadm --manage --stop /dev/md0  -- will stop (delete) the software raid called md0
c) mdadm /dev/md0 -f /dev/sda1  -- will fail one of the disks in the software raid -- first fail it ... then remove it
d) mdadm /dev/md0 -r /dev/sda1  -- will remove the failed disk from the software raid -- hot remove, no restart needed
e) mdadm /dev/md0 -a /dev/sda1  -- will add a drive to a failed raid group (hot add)
f) cat /proc/mdstat  -- will show the current status of raid partitions -- use it with: watch cat /proc/mdstat
g) mdadm --query /dev/md0  -- will display raid info for md0
h) mdadm --detail /dev/md0  -- will show detailed information on md0
3) create a filesystem on /dev/md0
a) mke2fs -j -b 4096 -E stride=16 /dev/md0  -- will format the partition with an ext2 file system (-j adds a journal, i.e. ext3) -- easy way: mke2fs -j /dev/md0
Raid partitions are referred to as md0 rather than sda/sdb, etc.; the above command creates a raid partition called md0 with raid1, with 2 disks which are sdb1 and sdb2
------------------Basic Shell Commands1-------------------------------------------------------------------
tty  -reveals the current terminal
whoami  -shows which user you are logged in as
which firefox  -shows the location of the program you are trying to run
echo  -prints to the screen
echo $PATH  -prints the PATH environment variable
echo $PWD  -prints the location of your current directory
set  -prints shell variables
firefox&  -putting an ampersand after the command runs that command in the background (check the bg command above to see the difference)
clear  -clears the shell
reset  -resets the buffers
history  -reveals all the commands you have typed in your bash shell; it's maintained on a per-user basis, and these commands are stored in the .bash_history file in the user's home directory.
pwd  -prints the current directory location
------------------------Basic Shell Skills2-------------------
echo $?  use this command to confirm if the previous command was successful; 0 means success
cp  copy command (it does not preserve the original modification time stamp of the file)
mv  use this command to move files from one dir to another; this will preserve the modification time stamp
rm -rf  to remove files; if you need to remove a dir with files under it, use the -rf options (recursive, force)
touch  creates new files or updates time stamps.
touch -t 200901091530 123.txt  will modify the time stamp of the file
stat 123.txt  reveals the full attributes of a file
find / -name '*fstab*' > huz.txt  find files using search patterns
alias  it's obvious
stat file1.txt  will show you the inode as well
--------------------------Basic Shell Skills3----------------------
cat 123.txt > 456.txt  output redirection; the default behaviour is to overwrite the target file
cat 123.txt >> 456.txt  will append the content of 123.txt to 456.txt without overwriting 456.txt's content
cat < 123.txt  WILL understand this in sendmail
cat 123.txt 456.txt | sort  will sort data from both these files and present it in proper sorted order
cat 123.txt | sort | grep 3  this will sort it first, then get the lines where the number 3 appears.
cat 123.txt ; ls -l  this runs the first command and then the second one regardless of the exit status
cat 123.txt && ls -l  the second command will run only if the first command is successful
cat 123.txt || ls -l  the second command will only run if the first command is not successful
seq 1000 > file1.txt  will fill the file with the numbers 1 to 1000
more file1.txt  will display 1 page at a time
less file1.txt  same as more; however less can display compressed files as well.
head /var/log/messages  displays the first 10 lines of the file
tail /var/log/messages  displays the last 10 lines of the file
wc -l /var/log/messages  counts the lines in the file
file /var/log/messages  will display the type of file, e.g. text or binary
grep -i pdf /var/logs/file.txt  will look for lines which contain pdf.
---------------------------GZIP - BZIP2 ---TAR----------------------------------------------
GZIP:
Compress:
gzip -c huzeifa.txt > huzeifacompress.txt.gz  will compress the file; -c option is to compress
gzip -v -c huzeifa.txt > huzeifacompress.txt.gz  will compress the file; the -v option is for verbose = it will tell you what compression ratio it achieved.
gzip -l huzeifacompress.txt.gz  will show you what file is underneath the zip file + the compressed and uncompressed sizes
Uncompress:
gunzip huzeifa.txt.gz  will decompress the file
gzip -d huzeifa.txt.gz  will decompress too
zcat huzeifa.txt.gz  will let you examine the content without decompressing; it dumps to STDOUT (STANDARD OUTPUT)
less huzeifa.txt.gz  will decompress it too; it dumps to STDOUT (STANDARD OUTPUT)
BZIP2:
bzip2 tends to outperform gzip (only on larger files)
Compress
bzip2 -c huzeifa.txt > huzeifa.txt.bz2  will compress the file; -c is to compress
bzip2 -v -c huzeifa.txt > huzeifa.txt.bz2  will compress the file; -v is for verbose.
Decompress
bzip2 -d huzeifa.txt.bz2  will decompress
bzcat huzeifa.txt.bz2  will let you examine the content without decompressing; it dumps to stdout
less huzeifa.txt.bz2  will also let you examine the content without decompressing; it dumps to stdout
ZIP AND UNZIP:
zip differs slightly from gzip and bzip2 in that the destination file is defined before the source, the reverse of gzip and bzip2
Syntax
zip [destination file] [source file]
zip huzeifa.txt.zip huzeifa.txt  will zip the file (see syntax above)
unzip huzeifa.txt.zip  will unzip the file
TAR AND GZIP/BZIP2:
tar is used to create archives. Note: it creates uncompressed archives; to compress them use gzip or bzip2
syntax
tar -cvf [destination] [source path]  c = create, v = verbose, f = force
tar -cvf Huzeifa.txt.zip huzeifa.txt  will create an uncompressed tar file called Huzeifa.txt.zip.
TAR AND GZIP
Syntax
tar [options] [destination file] [source file]
tar -czvf huzeifa.txt.tar.gz huzeifa.txt  will create a tar file with compression (the -z option compresses it with gzip)
tar -cjvf huzeifa.txt.tar.bz2 huzeifa.txt  will create a tar file with compression (the -j option compresses it with bzip2)
tar -czvf huzeifa.txt.tar.gz /etc  will create a tar file for the whole /etc directory incl. sub-directories, etc. (z = gzip compression)
tar -cjvf huzeifa.txt.tar.bz2 /etc  will create a tar file for the whole /etc directory incl. sub-directories, etc. (j = bzip2 compression)
tar -tzvf huzeifa.txt.tar.gz  will let you examine what's in the tar + gzip file
tar -tjvf huzeifa.txt.tar.bz2  will let you examine what's in the tar + bzip2 file
--------------xxxxx------------GREP-----------------xxxxxx--------------------------
grep searches text files for matches based on what you specify
grep 'linux' grp.txt  will search for the word linux in the grp.txt file
grep -i 'linux' grp.txt  case-insensitive search.
grep '^linux' grp.txt  uses an anchor -- this will return results only if the line begins with lower-case linux.
------------------xxxx-----System Utilities ----------------xxxx------------------------
ps  shows processes; if you run ps without options it will show the processes running in your TTY
ps -ef
ps aux  will show you CPU and other information
top  will show you performance
df -h  will show you disk info
vmstat  shows you performance data of processes, CPU, I/O, etc.
vmstat -p /dev/sda1  shows you partition information.
gnome-system-monitor  graphical version of top/ps/df -h/vmstat, etc.; Windows = task manager.
kill -9 pidnumber  will kill the program completely
pidof tar  will show you all pids related to the tar program
runlevel  shows you the previous and current run level you are logged into
free -m  will show you memory stats
system-config-users  graphical user management utility
----------------------USERS-----------------------------------------------------------
Note:
1) default user settings derive from /etc/login.defs
2) the user account database is /etc/passwd
3) /etc/passwd is a world-readable file (security threat, therefore people have moved to)
4) /etc/shadow, which is not a world-readable file, plus it's encrypted.
useradd student1  will add users
system-config-users  graphical utility
id  will show you which user you are logged in as, the uid + gid + group membership.
less /etc/passwd  is an easy way to check how many users there are and their properties
usermod  will give you all options.
vi /etc/shadow (edit field 5)  you can edit field 5 (99999) to make a user change his password after a certain number of days.
passwd  to change the current user's password
userdel  to delete users
Explanation of the content of the /etc/passwd file
<Passwd file>
student1:x:502:503::/home/student1:/bin/bash
Explanation:
student1:shadow_reference:uid:gid:description(gecos):$home:$shell
shadow_reference = means that when a user logs in, it consults the shadow file to verify their credentials.
Explanation of the content of the /etc/shadow file.
<shadow file>
student1:xxxxx:14493:0:99999:7:::
Explanation:
1. username:
2. encrypted passwd:
3. days since the unix epoch (01/01/1970) that the passwd was changed:
4. days before the passwd may be changed:
5. days after which the password must be changed:
6. days before the passwd is to expire that the user is warned:
7. days after the passwd expires that the account is disabled:
8. days since the unix epoch that the account is disabled:
9. reserved field, currently unused.
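Added example (not from the original notes): a small sh/awk audit that reads the passwd and shadow fields explained above and flags the three things a reviewer of those files looks for first. The passwd and shadow content is constructed inline, with placeholder hashes, so it runs without touching the real files.

```shell
#!/bin/sh
# Constructed sample /etc/passwd and /etc/shadow content (not from a real host);
# the hash values are placeholders, not real password hashes.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
student1:x:502:503::/home/student1:/bin/bash
backup:x:0:0:backup op:/home/backup:/bin/bash
svc:x:504:504::/var/svc:/sbin/nologin
guest:x:505:505::/home/guest:/bin/bash'

SHADOW_SAMPLE='root:$6$saltsalt$placeholderhash:14493:0:99999:7:::
student1:$6$saltsalt$placeholderhash:14493:0:90:7:::
backup:$6$saltsalt$placeholderhash:14493:0:99999:7:::
svc:!!:14493:0:99999:7:::
guest::14493:0:99999:7:::'

# audit_accounts PASSWD_TEXT SHADOW_TEXT: print one finding per line.
#   uid0      a second account with uid 0 (passwd field 3) is another root
#   nopass    empty hash field (shadow field 2): the account has no password
#   noexpire  interactive shell and max-days 99999 (shadow field 5):
#             the password never has to be changed
audit_accounts() {
    tmpd=$(mktemp -d) || return 1
    printf '%s\n' "$1" > "$tmpd/passwd"
    printf '%s\n' "$2" > "$tmpd/shadow"
    awk -F: '
        FNR == NR { hash[$1] = $2; maxdays[$1] = $5; next }   # first file: shadow
        $3 == 0 && $1 != "root"            { printf "%-9s %s\n", "uid0", $1 }
        ($1 in hash) && hash[$1] == ""     { printf "%-9s %s\n", "nopass", $1 }
        ($1 in hash) && maxdays[$1] == "99999" && $7 !~ /nologin|false/ {
            printf "%-9s %s\n", "noexpire", $1
        }
    ' "$tmpd/shadow" "$tmpd/passwd"
    rm -rf "$tmpd"
}

# audit_demo: run the audit over the constructed samples.
audit_demo() {
    audit_accounts "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
}

audit_demo
```

On a real host run it as root with the actual files: audit_accounts "$(cat /etc/passwd)" "$(cat /etc/shadow)".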
------------------GROUPS-------------------------------------------------
Note:
Two types of group exist:
1) primary -- is used by default for user permissions
2) supplementary -- used to define effective permissions; users can be members of n number of groups
3) to verify if th
less /etc/group  will show you groups and user membership of those groups.
groups  will list groups on the system; this info comes from the /etc/group file, which maintains group info.
groupadd sales  will add groups
usermod -G sales huzeifa  will add huzeifa into the sales group.
id  will show you the group membership of the user; you must log in with a new shell to see new changes
ssh localhost  will log you into a new shell (make sure the sshd service is started: service sshd status)
groupdel  will delete groups
-----Book Study---
usermod -a -G projecty student  -- will add projecty as a group to student without removing other groups.
usermod -s /sbin/nologin username  -- will make the account non-interactive
usermod -L  -- locks the account
userdel -r  -- will delete the user including the home directory -- r = recursive
find / -uid 500  -- will find all files associated with user uid = 500
groupmod -n newname oldname  -- will change the group name.
groupadd -r newgrpname  -- -r will make sure to avoid using GIDs within the range which is typically assigned to users and their private groups.
groupadd -g 201 newgrpname  -- with -g you can manually assign the group gid.
-------------------------------**FILE PERMISSION****-----------------------------
Note:
10 BITS represent permissions for files incl. dirs in Linux
1st bit = file type: '-' = file, 'd' = dir
2nd to 4th bit = owner's permissions
R = Read = 4
W = Write = 2
E = Execute = 1
- = none = 0 (except the first hyphen, which is the file type)
5th to 7th bit = group owner's permissions
R = Read = 4
W = Write = 2
E = Execute = 1
- = none = 0
8th to 10th bit = everyone (world [samba, nfs, ssh])
R = Read = 4
W = Write = 2
E = Execute = 1
- = none = 0
octal notation:
read = 4
write = 2
execute = 1
rw = 6 or 4+2 for owner
rw = 6 or 4+2 for group owner
r = 4 for everyone else (world)
chmod -x reg.pl  will remove the execute permission from this file. (chmod = change mode, '-' = remove)
chmod 664 reg.pl  will give read/write permissions to owner and group and read-only permission to world
chmod u+x /root/huz.txt  will add the owner's execute permission on the file
chmod g+x /root/huz.txt  will add the group's execute permission on the file
chmod o+x /root/huz.txt  will add others' (world) execute permission on the file
chmod a+rwx /root/huz.txt  will update all permissions on the file to 777 at the same time.
chown  -- permits changing ownership of files and dirs --
chown root /test/hello.txt  changes the OWNER to root
chown root:root /test/hello.txt  changes the OWNER AND THE GROUP to root
---x--SETUID---x---
--- Ability to execute a file as the owner
so if you have a file or program which needs to run with the owner's permissions, you can use setuid; it's quite common in a Linux environment that you may always want to run a program as a certain user.
I think it's similar to Windows service accounts ... maybe ... not sure.
syntax
chmod 4722 /test/hello.pl  over here the 4 is the extra bit; by adding 4 it will ensure that the perl script always runs as the linuxcbt user, or whoever was the owner when the file permissions were set. When you do "ls -l" it will show you "rws" instead of "rwx"
easier command to enable setuid on files
chmod u+s /filename
---x--SETGID--x---
is a way to share files amongst other users
Requirement:
You want to make a common directory called /SALES where all sales users can share files amongst themselves
Step1
useradd sales
Step2
make a /STORAGE directory. When you make a directory or a file, by default the owner and group of the dir or file is always the user who creates them; in this example the owner and group owner would be the sales user himself
Step3
all users who want to access the /storage directory should be part of the sales group
Step4
set setgid on that /sales directory
syntax
chmod 2770 /sales  -- "2" represents the setgid bit
the above command means that whichever user creates a file in the storage directory, the file's group owner will always remain the parent directory's group owner; in this case it would be sales.
the reason we do all this is ... in Linux when a user creates a file or directory, by default the user himself becomes the owner and group owner of the file or directory, so the problem arises when another user 'Huzeifa' creates files in the /storage directory: the owner and group owner of that file will be "Huzeifa", in which case a user called Shabbir may not be able to read/write/exec that file because "Shabbir" is neither the owner of that file nor the group owner.
so in such cases we set the SETGID bit on that /storage directory; by doing this it overcomes the problem, meaning whichever user creates a file in the storage directory, the file's group owner will always remain the parent directory's group owner, in this case sales.
easier command to enable setgid on directories
chmod g+s /dirname
Sticky bit
is represented by 3
when you do ls -ld the sticky bit is represented by T
Sticky bit is used to protect files of users in a shared directory
e.g. from above, in /storage, because the sales group has rwx permissions, that will allow anyone from the sales group to delete other users' files ... to prevent this, Linux has something called the sticky bit ... once you implement it only the file owner can delete files, not the group owner ....
syntax
chmod 3770 /sales  this will make sure that only the owners of files can delete them
easier command to enable the sticky bit
chmod o+t /dirname
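Added example (not from the original notes) tying the setuid, setgid and sticky sections together: a sh function that turns the mode string ls -l prints into the 4-digit octal used by chmod. The leading digit is 4 for setuid, 2 for setgid and 1 for sticky, so the page's chmod 3770 shows up as setgid plus sticky, and the upper-case S/T forms the notes mention are handled as well.

```shell
#!/bin/sh
# mode_to_octal MODE: convert the 10-character mode string that ls -l prints
# (e.g. -rwsr-xr-x) into 4-digit octal: special bits, owner, group, other.
# Owner slot "s" = setuid (4), group slot "s" = setgid (2), other slot "t" =
# sticky (1). Upper-case S or T means the special bit is set without the
# underlying execute bit. An 11th character (ACL/xattr marker) is ignored.
mode_to_octal() {
    m=$(printf '%s' "$1" | cut -c1-10)
    [ ${#m} -eq 10 ] || { echo "bad mode string: $1" >&2; return 1; }
    special=0; owner=0; group=0; other=0
    i=2
    while [ "$i" -le 10 ]; do
        c=$(printf '%s' "$m" | cut -c"$i")
        case $c in
            r)     bit=4 ;;
            w)     bit=2 ;;
            x|s|t) bit=1 ;;            # s and t imply the execute bit is set
            S|T|-) bit=0 ;;            # S and T: special bit without execute
            *)     echo "bad permission char: $c" >&2; return 1 ;;
        esac
        case "$i$c" in                 # position 4/7/10 = owner/group/other x slot
            4s|4S)   special=$((special + 4)) ;;   # setuid
            7s|7S)   special=$((special + 2)) ;;   # setgid
            10t|10T) special=$((special + 1)) ;;   # sticky
        esac
        if [ "$i" -le 4 ]; then owner=$((owner + bit))
        elif [ "$i" -le 7 ]; then group=$((group + bit))
        else other=$((other + bit)); fi
        i=$((i + 1))
    done
    printf '%d%d%d%d\n' "$special" "$owner" "$group" "$other"
}

# Constructed inputs matching the modes discussed in the notes.
mode_to_octal -rwsr-xr-x   # setuid binary                       -> 4755
mode_to_octal drwxrws---   # setgid shared directory             -> 2770
mode_to_octal drwxrws--T   # setgid + sticky (chmod 3770 /sales) -> 3770
mode_to_octal drwxrwxrwt   # world-writable with sticky, /tmp    -> 1777
```

To inventory setuid/setgid programs on a host, feed the first column of  find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} +  through mode_to_octal; anything unexpected in that list deserves a look with rpm -qf.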
--------------xxxxx------------file system ACLS------------------xxxxxxx------------------------
features:
it lets multiple users have different sets of permissions on the same file -- you cannot do this traditionally via setuid/setgid or the sticky bit.
How to turn on ACLs on a filesystem
tune2fs -l /dev/Raid1/Datastore1 | grep options  -- will show if ACLs are enabled on this file system or not
tune2fs -o acl /dev/Raid1/Datastore  -- will enable ACLs on this filesystem
getfacl /filename|directoryname  -- will list all ACL permissions set for the dir/file
setfacl -m u:user3:rwx filename/dirname  -- will set rwx permissions for user3
setfacl -x u:user3 /filename/dirname  -- will remove all permissions of user3 from the file/dir
setfacl -m d:u:user1:rwx filename/dirname  -- d: sets a default ACL on a directory, which new files created inside it inherit
-------------xxxxx----------------Quotas----------------------------------xxxxxxxxxxx---------------
features
1) limits disk usage via (blocks or inodes)
2) is tied to the file system (set on a per-file-system basis)
3) can be configured for users and groups.
Step1)
enable quota on a PER file system basis in /etc/fstab
a) after the "defaults" text you need to add ,usrquota,grpquota; make sure everything is on one line
Step2)
Remount the file system
syntax:
mount -a
or
mount -o remount /
sometimes it does not remount in one go; if that's the case, reboot the system
to verify if it mounted properly
syntax:
mount
the / partition should show you the extra text (usrquota, grpquota).
Step2)
Once quota is set up at the file system level and the file system is remounted,
then we need to create the quota database and generate disk usage tables
syntax:
quotacheck -cugm /  (c = create, u = users, g = groups)
once we run the above command it will generate 2 binary files: (a) aquota.user and (b) aquota.group
step3)
then you run the same command with different parameters to update the quota database.
syntax:
quotacheck -augv  (a = all, u = users, g = groups, v = verbose) run this command every time you update any user's quota settings.
Step4)
once the above is done, we start assigning quotas to users and groups.
syntax:
edquota huzeifa  will open an editor where you can assign quotas on a block or inode basis.
edquota -t  will let you edit grace period times for quota enforcement; the default is 7 days.
step5)
to verify if the quotas are assigned properly you can run
syntax:
quota huzeifa  this command will show user-specific stats
Step6)
report on quotas
repquota -a  (a = all; will give you a report of all users' storage and quota information)
Note:
a) in step 2, when I tried creating the quota database I was getting gvfs permission errors; to overcome that I just unmounted the gvfs mount point, and that way I could move forward.
b) block calculations = 1k; that means if you need to give 10 MB then calculate like this: 10 x 1024kb = 1224 blocks
c) put "quotacheck -aug" into a cron job so it can update the quota database automatically and frequently.
------------------------XXX---------------SYMLINKS---------XXX----------------------------------------------
There are 2 types of links:
1) soft links
2) hard links
Soft Links:
a) Soft links are similar to Windows shortcuts: when you create a soft link it creates another small file referencing the original file; in case you rename or remove the original file, all soft links will be broken.
b) you can create soft links across different filesystems, meaning you can create a symlink from /root/huz.txt on one filesystem to /boot/huzsoftlink.txt on another
c) the soft link is on a separate inode
Hard links
a) hard links are a bit different: when you create a hard link it links directly to the same INODE as the original file, meaning it links to the exact hard drive location of the original file, and in case you remove the original file, it's not going to break the new hard link
b) you cannot create hard links between different filesystems.
c) the hard link is on the same inode as the original file
d) the link count of the file will increase by 1
syntax
Soft links
ln -s /source /destination
Hard links
ln /source /destination
```
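Added demo (not from the original notes) of the soft-link vs hard-link behaviour described above: it creates a file, one link of each kind, compares inodes and the link count, then removes the original and reports which link still works. Everything happens in a scratch directory from mktemp.

```shell
#!/bin/sh
# Soft link vs hard link, in a scratch directory so nothing else is touched.
inode_of()      { ls -di "$1" | awk '{print $1}'; }   # -d: report the link itself, not its target
link_count_of() { ls -ld "$1" | awk '{print $2}'; }   # second column of ls -l is the link count

link_demo() {
    d=$(mktemp -d) || return 1
    printf 'hello\n' > "$d/orig.txt"
    ln    "$d/orig.txt" "$d/hard.txt"    # hard link: a second name for the same inode
    ln -s "$d/orig.txt" "$d/soft.txt"    # soft link: its own inode, storing a path

    if [ "$(inode_of "$d/orig.txt")" = "$(inode_of "$d/hard.txt")" ]; then hard=same-inode; else hard=different-inode; fi
    if [ "$(inode_of "$d/orig.txt")" = "$(inode_of "$d/soft.txt")" ]; then soft=same-inode; else soft=different-inode; fi
    count=$(link_count_of "$d/orig.txt")  # 2: orig.txt and hard.txt

    rm "$d/orig.txt"                      # "delete" the original name
    # The data lives on under hard.txt; the soft link now points at nothing.
    if [ -f "$d/hard.txt" ] && [ "$(cat "$d/hard.txt")" = hello ]; then after_hard=hard-ok; else after_hard=hard-broken; fi
    if [ -L "$d/soft.txt" ] && [ ! -e "$d/soft.txt" ]; then after_soft=soft-dangling; else after_soft=soft-ok; fi

    rm -rf "$d"
    echo "hard:$hard count:$count soft:$soft after-rm:$after_hard $after_soft"
}

link_demo   # -> hard:same-inode count:2 soft:different-inode after-rm:hard-ok soft-dangling
```

Because a hard link keeps the data reachable after the original name is removed, Linux's fs.protected_hardlinks sysctl stops unprivileged users from hard-linking files they do not own.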
-----------xxx-----------------------------NFS--------------------xxx------------------------------------------
Features:
NFS =network file system
Transperent access to remote file systems
Application will not know weather its a local drive or a network drive.
Installed by default,
uses RPC for comunications
etc\exports is the file where you define sharepoints, meaning you define the directories which you want to share
Syntax for exporting directories
/Path_to_directory IP_ADD(rw) first you define path, then the ip address of the clients you want to share this diretory to (rw)in brakets you define permissions such as read/write mode.
syntax example:
/nfs1/ 192.168.2.15(rw)
Steps to configure a share
1) First make a directory:
mkdir /nfs1 -- the directory you want to share
2) Define the share in /etc/exports:
/nfs1 192.168.2.15(rw) for READ AND WRITE
/nfs1 192.168.2.15(ro) for READ ONLY
3) Run:
chkconfig --list nfs -- verifies which run levels nfs is enabled on
chkconfig --level 35 nfs on -- enables nfs on run levels 3 and 5
4) Start the service:
service nfs start -- starts the nfs service (portmap must already be running)
5) Verify it really started:
ps -ef | grep -i nfs -- reveals all processes associated with nfs; if you see several nfsd processes, nfs is on
6) Confirm NFS is actually exporting:
exportfs -v -- enumerates the current exports, verbose
exportfs -a -- exports everything listed in /etc/exports; exportfs -r re-exports the file and also drops entries that were removed from it, without restarting the nfs server
7) Mount the export on a remote system:
mkdir /nfslocal -- create a local directory as the mount point
mount -t nfs 192.168.2.15:/nfs1 /nfslocal -- -t is the type (nfs), then the nfs server IP followed by a colon and the exported path, then the local mount point
echo $? -- shows the exit status of the last command; 0 = success
8) Verify it mounted successfully. Run:
df -h -- shows the export and its mount point
mount -- shows the export, the mount point and whether it is rw or ro, etc.
9) Even after a successful mount, root on the client will not be able to write to /nfs1 as root: by default the server maps (squashes) the client's root to the anonymous user nfsnobody. This is the root_squash option and it is the default on purpose.
10) To allow a client's root user to write to /nfs1 as root:
add no_root_squash to the options in /etc/exports, e.g. /nfs1 192.168.2.15(rw,no_root_squash). This trusts the client's root completely (it can create setuid root files on the export), so only use it when the client is as trusted as the server and the task requires it.
exportfs -r -- re-exports the updated entries
exportfs -v -- verifies by enumerating the exports
11) Remount the nfs share on the remote system:
umount /nfslocal -- unmounts
mount -t nfs 192.168.2.15:/nfs1 /nfslocal -- remounts
12) Set up the mount points on the remote system so they come back after a reboot:
edit /etc/fstab
and add lines in exactly this format:
192.168.2.15:/nfs1 /nfslocal1 nfs defaults 0 0 -- the last two fields are the dump flag and the fsck pass number; 0 0 means never dump and never fsck this mount at boot
192.168.2.15:/nfs2 /nfslocal2 nfs defaults 0 0
---NFS Utils----
showmount -e ip_of_nfs_server -- shows the export list of the server; showmount -a ip_of_nfs_server shows which clients currently have which exports mounted
Note:
NFS (v3) trusts the numeric UID/GID the client sends and looks it up in the server's local /etc/passwd to decide file permissions, so the same users need the same UIDs on server and clients (or a shared NIS domain). Only root is mapped to the anonymous user, and only while root_squash is in effect.
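As an added example (not part of the original notes), the script below audits an /etc/exports file for the three settings the steps above turn on: exports open to every host, no_root_squash, and rw without sync. The exports file it reads is constructed sample input written to a temp directory; on a real server point audit_exports at /etc/exports.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an /etc/exports file for
# exports open to any client, no_root_squash, and writable exports without
# sync. The file below is constructed sample input in a temp location.

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# Constructed sample with sane entries and several risky ones.
cat >"$DEMO/exports" <<'EOF'
# path              client(options) ...
/nfs1               192.168.2.15(rw,sync)
/nfsshare           192.168.2.0/24(rw,sync) 192.168.3.7(ro)
/home               192.168.2.100(rw,no_root_squash)
/pub                *(ro)
/scratch            (rw)
EOF

# export_entries FILE -> one "path client options" triple per line, expanding
# the several client(options) groups an exports line may carry. A bare
# "(options)" with no client in front of it means "*", i.e. every host.
export_entries() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "") client = "*"
                print path, client, opts
            }
        }' "$1"
}

# has_opt OPTS NAME -> 0 if NAME appears in the comma-separated option list
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# audit_exports FILE -> one finding per line: "LEVEL path client reason"
audit_exports() {
    export_entries "$1" | while read -r path client opts; do
        if [ "$client" = "*" ]; then
            echo "HIGH $path $client exported to every host"
        fi
        if has_opt "$opts" no_root_squash; then
            echo "HIGH $path $client no_root_squash: client root is root here"
        fi
        if has_opt "$opts" rw && ! has_opt "$opts" sync; then
            echo "LOW $path $client rw without sync (data loss on server crash)"
        fi
    done
}

# finding_count FILE LEVEL -> number of findings at that level
finding_count() {
    audit_exports "$1" | awk -v lvl="$2" '$1 == lvl { n++ } END { print n + 0 }'
}

audit_exports "$DEMO/exports"
```

The sample yields three HIGH findings (/home with no_root_squash, /pub and /scratch open to everyone) and two LOW ones; the same parsing handles the multi-client lines that exportfs -v prints one per client.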
EXAM WATCH
Configure the nfs server to share the directory /nfsshare to the network 192.168.2.0/24
Step 1:
create the directory and enable nfs at boot
mkdir /nfsshare; chkconfig portmap on; chkconfig nfs on
Step 2:
pin the NFS helper daemons to fixed ports; otherwise they take random ports from portmap and cannot be allowed through the firewall (nfsd itself is always 2049, portmap is 111)
core nfs ports
vi /etc/sysconfig/nfs
4 daemons to configure (the port numbers below are just free ports chosen for this exercise):
a) mountd: MOUNTD_PORT=4002
b) statd: STATD_PORT=4003
c) lockd: LOCKD_TCPPORT=4004 and LOCKD_UDPPORT=4004
d) rquotad: RQUOTAD_PORT=4005
then service nfslock restart; service nfs restart; rpcinfo -p shows the ports now in use
Step 3:
configure iptables: ACCEPT these ports from the allowed network only, placed before the catch-all REJECT rule (RH-Firewall-1-INPUT is the chain the default RHEL5 /etc/sysconfig/iptables uses; use INPUT if your file has no such chain)
vi /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -p tcp -s 192.168.2.0/24 --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -s 192.168.2.0/24 --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s 192.168.2.0/24 --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -s 192.168.2.0/24 --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s 192.168.2.0/24 --dport 4002:4005 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -s 192.168.2.0/24 --dport 4002:4005 -j ACCEPT
then service iptables restart
Step 4:
configure exports
vi /etc/exports
/nfsshare 192.168.2.0/24(rw,sync)
then exportfs -r and exportfs -v to check; leave root_squash (the default) in place unless the task explicitly asks for no_root_squash.
-----------xxxxx-----------------------AUTOFS---------------------xxx---------------------------------
Automatically mounts file systems (NFS, ext3, NIS maps, Samba, etc.) on the first I/O request to the mount point, and unmounts them again after an idle timeout.
Requirements:
You first need to install autofs:
yum install autofs -- I used this command to install autofs
/etc/auto.master -- the primary configuration (master map) file; it lists each mount point and the map file describing it, e.g. /misc /etc/auto.misc
/etc/sysconfig/autofs -- default startup directives
/etc/auto.misc -- example map file listing the entries that appear under /misc
Note:
autofs must be running in order to auto-mount / unmount directories; by default it is not set up.
Task:
Step 1
Create an automount for /NFSMOUNTS, which will mount fedoranfs1 and fedoranfs2
a) mkdir /NFSMOUNTS
This will be the main container in which all the NFS shares will appear. You must have a container directory; you cannot define the automounts directly at the root level, I tried it and it did not work.
b) update /etc/auto.master with the following line
syntax:
/NFSMOUNTS /etc/auto.NFSMOUNTS
/NFSMOUNTS is the folder (container), followed by the path /etc/auto.NFSMOUNTS of a new map file called auto.NFSMOUNTS; in step c we create this file from a template.
c) copy auto.misc to auto.NFSMOUNTS
Syntax:
cp /etc/auto.misc /etc/auto.NFSMOUNTS
creates the new map file from the auto.misc template (delete or comment out the example entries it contains).
d) update the rules in /etc/auto.NFSMOUNTS
syntax:
fedoranfs1 -fstype=nfs 192.168.2.15:/fedoranfs1
[fedoranfs1] is the key, i.e. the directory name that will appear under /NFSMOUNTS; you can use any name here. [-fstype=nfs] is the file system type; you can do the same with ext3 etc., and mount options such as ro or soft go in the same comma-separated field (-fstype=nfs,ro,soft).
[192.168.2.15:/fedoranfs1] is the location on the NFS server.
STEP 2
VERIFY it is working
the easiest way to verify the above config is working is to
syntax:
service autofs reload; cd /NFSMOUNTS/fedoranfs1
the first time it may return an error, the second time it should work.
To change the default idle timeout (in seconds) after which an automounted file system is unmounted, set
DEFAULT_TIMEOUT=300 in /etc/sysconfig/autofs
Note:
in this config we did not create the fedoranfs1 directory on the local system at all; autofs creates and removes it automatically.
-----Mounting HOME directories automatically without an NIS Domain------
Step 1:
create identical users on both systems (the nfs export server and the automounter client) with the same UID, since NFS matches on the numeric UID
-- useradd -u 1000 nfs1 -- creates the user with UID 1000
-- useradd -u 1001 nfs2 -- creates the user with UID 1001
Step 2:
Configure the nfs server
a) edit /etc/exports and define /home as an export; do not forget the client network and the access permissions: /home 192.168.2.0/24(rw,sync). no_root_squash is not needed for home directories and would let root on any client read every home directory as root.
b) verify by running "exportfs -v"
c) or by actually mounting it on another system: mount -t nfs 192.168.2.15:/home /testmount
Step 3:
Configure the automounter client:
a) copy the auto.misc template to a new file called /etc/auto.home
b) edit /etc/auto.master -- first define
/home /etc/auto.home --- /home is the folder under which auto.home is going to mount all the entries defined in the auto.home file
c) configure the auto.home file now
syntax specifically for automounting home directories from the nfs server (fedora):
* -rw,soft 192.168.2.15:/home/& -- * matches whatever directory name is requested under /home and & is replaced by that same name, so /home/nfs1 mounts 192.168.2.15:/home/nfs1; rw,soft are the mount options (-fstype=nfs is the default)
EXAM WATCH
Configure autofs on the local client so that when any NIS user logs in to this client, his home directory gets mounted automatically.
Step 1:
yum install autofs
vi /etc/auto.master
/home /etc/auto.home
vi /etc/auto.home
* -fstype=nfs 192.168.2.100:/home/&
then service autofs start; chkconfig autofs on
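As an added example (not from the original notes), the script below simulates what the automounter does with the maps configured above for /NFSMOUNTS and for the NIS home directories: it looks the mount point up in a master map, picks the explicit key or the * wildcard from the indirect map, expands & to the requested name and prints the mount command autofs would run. The two maps are constructed sample files in a temp directory, and nothing is actually mounted.

```shell
#!/bin/sh
# Added example (not from the original notes): simulate how the automounter
# resolves a path such as /home/nfs1 from a master map plus an indirect map
# that uses the '*' wildcard and '&' substitution. The maps are constructed
# sample files in a temp dir; nothing is mounted.

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# Constructed master map, same layout as /etc/auto.master.
cat >"$DEMO/auto.master" <<'EOF'
# mount-point   map-file
/misc           /etc/auto.misc
/home           /etc/auto.home
EOF

# Constructed indirect map for /home. An explicit key wins over '*', and
# '&' expands to the key, so /home/nfs1 -> 192.168.2.15:/home/nfs1.
cat >"$DEMO/auto.home" <<'EOF'
# key   options                 location
nfs2    -fstype=nfs,ro          192.168.2.15:/export/nfs2
*       -fstype=nfs,rw,soft     192.168.2.15:/home/&
EOF

# map_for_mountpoint MASTER MOUNTPOINT -> map file named for that mount point
map_for_mountpoint() {
    awk -v mp="$2" '$1 !~ /^#/ && $1 == mp { print $2; found = 1; exit }
                    END { exit !found }' "$1"
}

# resolve_entry MAP KEY -> "OPTIONS LOCATION" for KEY, with '&' expanded
resolve_entry() {
    awk -v key="$2" '
        $1 ~ /^#/ || NF < 2 { next }
        $1 == key { exact = $0 }
        $1 == "*" { wild = $0 }
        END {
            line = (exact != "") ? exact : wild
            if (line == "") exit 1
            n = split(line, f, /[ \t]+/)
            opts = (n >= 3) ? f[2] : "-fstype=nfs"
            loc = f[n]
            gsub(/&/, key, loc)
            print opts, loc
        }' "$1"
}

# mount_command MASTER MOUNTPOINT KEY -> the mount command autofs would run
mount_command() {
    master=$1; mp=$2; key=$3
    map=$(map_for_mountpoint "$master" "$mp") || return 1
    # The master map names /etc/<map>; the demo keeps its copy beside $master.
    map="$(dirname "$master")/$(basename "$map")"
    entry=$(resolve_entry "$map" "$key") || return 1
    set -- $entry
    opts=${1#-}; loc=$2
    fstype=nfs; mopts=
    oldifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            fstype=*) fstype=${o#fstype=} ;;
            *) mopts="${mopts:+$mopts,}$o" ;;
        esac
    done
    IFS=$oldifs
    printf 'mount -t %s -o %s %s %s/%s\n' "$fstype" "${mopts:-defaults}" "$loc" "$mp" "$key"
}

mount_command "$DEMO/auto.master" /home nfs1   # wildcard entry
mount_command "$DEMO/auto.master" /home nfs2   # explicit entry wins
```

A mount point that is not in the master map, or a key with neither an explicit entry nor a wildcard, makes mount_command fail, which is the same situation as the "first time it may return an error" above when the maps have not been reloaded yet.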
-----------------------------xxxxxx------------Network Config-------------------xxx--------------------------------
Networking flow
1) The system is booted into multi-user mode.
2) Then the following file is referenced by the kernel to provide modular support for your network interfaces:
/etc/modprobe.conf -- contains aliases and references to the modules to be loaded in order to provide networking (e.g. alias eth0 e1000)
3) Then the OS checks the following file to see whether networking is supposed to be enabled, whether IPv6 is enabled or disabled, the default gateway, etc.
a) /etc/sysconfig/network -- you can also change the system host name from this file (HOSTNAME=)
Note: this is the global network config file
b) the directory below contains the ifup and ifdown scripts and the per-interface ifcfg-eth0 files (DEVICE=, BOOTPROTO=dhcp|static, IPADDR=, NETMASK=, ONBOOT=)
/etc/sysconfig/network-scripts/
c) this is the main service script consulted at boot time:
/etc/init.d/network -- MAIN SERVICE
service network status -- gives an overview of network devices: configured devices | active devices
system-config-network -- network interface configuration tool
/etc/resolv.conf is the DNS resolver configuration file (nameserver, search)
/etc/hosts is the static list of hosts
How to assign additional IP addresses to one interface
--IPv4 Aliases---
ifconfig eth0:1 192.168.75.11 -- assigns a temporary additional IP address to the alias eth0:1 (:1 is the alias number)
ifconfig eth0:2 10.20.30.1 -- assigns a temporary additional IP address to the alias eth0:2
--How to assign it PERMANENTLY--
To assign an additional IP address permanently you need to create a new interface/alias file beneath
/etc/sysconfig/network-scripts
easiest way to do it is by copying the original file and renaming it:
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0:1
then edit the copy: set DEVICE=eth0:1 and the new IPADDR (keep BOOTPROTO=static), then ifup eth0:1
Note: Aliases do not work with DHCP interfaces
--Deleting an eth device / alias---
ifconfig eth0:1 down -- brings the alias down, which removes its address. The ifconfig del keyword only removes IPv6 addresses (ifconfig eth0 del fe80::1/64); to remove an IPv4 address directly use ip addr del 10.20.30.1/24 dev eth0.
--IPv6----
Features:
1) Addresses are auto-configured by default: the host derives a link-local address from its MAC address and learns global prefixes and the default gateway from router advertisements (stateless autoconfiguration).
2) fe80::/10 -- is the link-local range, valid only on the local link (every interface has one), similar to the 169.254.x.x APIPA addresses in IPv4. It is not the loopback address; the IPv6 loopback is ::1.
How to ping an IPv6 address
ping6 -I eth0 fe80::xxxx -- -I gives the interface, which is required for link-local addresses since the same fe80:: address can exist on every link
traceroute6 -- used to trace a route on an IPv6 network
-----------------------xxxx---------BIND---------------xxx------------------------------------------
Bind: daemon name = named
Caching-only server (default mode)
Primary (master) DNS server
Slave (secondary) server
TASKS:
1) Install with yum:
yum install bind -- installs bind
rpm -qa | grep bind -- gives a list of all bind-related packages installed on your system
rpm -ql bind -- lists all files installed with bind, such as the sample named.conf (primary config file)
2) Set up the service to auto-start at boot for run levels 3 and 5
/etc/init.d is the directory where all the service scripts live; if a service/server is installed it should be here.
chkconfig --list named -- tells us in which run levels the service is configured to start
chkconfig --level 35 named on -- turns the service on for run levels 3 and 5
3) SET UP THE SERVICE TO START
the service will not start until you create /etc/named.conf manually; a sample named.conf is provided. To find the sample do the following:
a) rpm -ql bind -- to see the samples; you will also need to copy all the files that named.conf includes
b) you must copy the following files from
/usr/share/doc/bind-9.3.6/sample/etc to /etc -- these are the main files, including named.conf
/usr/share/doc/bind-9.3.6/sample/var/named to /var/named/ -- these are the zone files
/usr/share/doc/bind-9.3.6/sample/var/named/slaves to /var/named/slaves -- these are the secondary zone files (the slaves directory must be writable by the named user, since named creates the zone files there itself)
c) Once copied, edit /etc/named.conf to disable the ddns_key: comment out those 5 lines (the key block and the allow-update lines that reference it). Now we are ready to start the service.
4) start the service -- caching-only DNS server (its default implementation)
commands:
a) service named start -- starts the service
b) dig @localhost www.dell.com -- forces a lookup through the caching-only server; do it a couple of times and look at the query time, it drops after the first run because the answer is now cached.
c) dig @localhost www.dell.com MX -- returns the mail records.
d) nslookup www.dell.com -- queries the servers listed in /etc/resolv.conf; to query a specific server instead use nslookup www.dell.ie 127.0.0.1 (or start nslookup interactively and type server 127.0.0.1).
Note: /etc/resolv.conf controls the DNS servers consulted by lookup tools and applications: web browsers, lftp, gftp, host, nslookup, dig, etc.
--------------------configuring slave server-----------------------------------
-- yum install bind bind-chroot bind-utils caching-nameserver
-- mv /etc/named.caching-nameserver.conf /etc/named.conf -- rename the caching-nameserver sample to named.conf (with bind-chroot installed the files live under /var/named/chroot/etc and are linked into /etc)
make sure it listens on all interfaces (listen-on port 53 { any; };) and that allow-query { 192.168.2.0/24; localhost; }; lists only the networks that should be able to query it; allow-query { any; }; turns the server into an open resolver that anyone on the internet can use for amplification attacks.
edit /etc/resolv.conf -- so the host itself queries the proper DNS
service named configtest -- verifies the config syntax is ok
service named start -- verify the caching-only name server works as it should
once confirmed, copy the slave zone stanza from the sample named.conf and paste it inside a view in the production named.conf
make sure the zone name is an exact match of the master zone; the db file name does not matter, the slave file gets created automatically
then run tail -f /var/log/messages and restart named; within a few minutes you should see the slave zone being transferred. If there are firewall problems they will show up here too.
make sure the firewall is properly configured on both the master and the slave DNS server; add the following rules to /etc/sysconfig/iptables (UDP carries normal queries, TCP carries zone transfers and large answers, so both are needed). RH-Firewall-1-INPUT is the chain used by the default RHEL5 rules file; use INPUT if your file has no such chain.
-A RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 53 -j ACCEPT
how to test whether zone transfers work if you cannot figure it out from the message log:
dig -t axfr hakimuddin.internal @192.168.2.100 -- if this works from an arbitrary host, the master also lets anyone dump the whole zone; restrict transfers with allow-transfer { slave_ip; }; in the master's zone stanza.
xxxxxx--------------------------xxxxxxxxx----------------SYSLOG---------------------------------xxxxx--------------------------------------------
exam question:
configure syslog to accept log messages from a remote client
Server side
Go to:
/etc/sysconfig/syslog
Append:
" -r "
to the options line so that it reads SYSLOGD_OPTIONS="-r -m 0" (-r makes syslogd listen on UDP 514 for remote messages; -m 0 disables the periodic MARK lines)
-- chkconfig syslog on
-- service syslog restart
Note: -r accepts messages from any host, unauthenticated, over UDP; restrict 514/udp to the client network in iptables, e.g. -A RH-Firewall-1-INPUT -p udp -s 192.168.2.0/24 --dport 514 -j ACCEPT, and keep the port closed to everything else.
Client side:
Go to:
/etc/syslog.conf
Append:
user.* @192.168.2.100 -- facility.priority selector, then @ and the server; *.* would forward everything
-- service syslog restart
logger -i -t yourname "this is a test msg" -- sends a user.notice message, which matches the user.* selector; check /var/log/messages on the server for it
-----------------------xxxxxxxxxxx------------ Primary And Sec zones--------xx-------------------------
Features..
1) Ability to serve a zone
2) Authoritative answers for the zone
Task
1) create an internal zone named hakimuddin.internal
a) modify /etc/named.conf to include the new zone
ORIGINAL:
zone "my.ddns.internal.zone" {
type master;
allow-update { key ddns_key; };
file "slaves/my.ddns.internal.zone.db";
// put dynamically updateable zones in the slaves/ directory so
};
Change this to:
zone "hakimuddin.internal" {
type master;
// allow-update { key ddns_key; };
file "hakimuddin.internal.db";
};
(named.conf accepts //, # and /* */ comments; the zone name here must be the same name you later query and transfer, so hakimuddin.internal, not a ".zone" variant)
b) create the corresponding zone file (hakimuddin.internal.db) in /var/named
you can create this file by copying one of the sample ones, e.g. /var/named/localhost.zone
Syntax:
cp /var/named/localhost.zone /var/named/hakimuddin.internal.db
change the file from the original contents to the appropriate records:
$TTL 86400
@ IN SOA huze.hakimuddin.internal. root.hakimuddin.internal. (
42 ; serial -- increase this every time you edit the zone, or slaves will never pick up the change
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS huze.hakimuddin.internal.
Huze IN A 192.168.2.21
FedoraHuze IN A 192.168.2.15
(the NS record must name the real server, with a trailing dot, rather than localhost, otherwise the slave added below cannot be listed as a name server)
c) restart named (service named restart) and test resolution of the primary zone: dig @localhost huze.hakimuddin.internal
2) Create a slave (secondary) server (on another machine)
a) yum install bind
b) copy the sample files into place exactly as for the primary server:
/usr/share/doc/bind-9.3.6/sample/etc to /etc -- these are the main files, including named.conf
/usr/share/doc/bind-9.3.6/sample/var/named to /var/named/ -- these are the zone files
/usr/share/doc/bind-9.3.6/sample/var/named/slaves to /var/named/slaves -- this directory must be writable by the named user
c) Once copied, edit /etc/named.conf to disable the ddns_key: comment out those 5 lines. Now we are ready to start the service.
d) edit /etc/named.conf and add the following zone inside the internal view; the zone name must be identical to the master's:
zone "hakimuddin.internal" {
type slave;
file "slaves/hakimuddin.internal.db";
masters { 192.168.2.21; };
};
f) you do not create slaves/hakimuddin.internal.db by hand: named writes it itself after the first successful transfer from the master, which is why /var/named/slaves has to be writable by named.
g) once named.conf is edited, go to the primary server's hakimuddin.internal.db, add an NS record (and an A record) for the new slave, and increase the serial number. On the master, also add allow-transfer { slave_ip; }; to the zone stanza so that only the slave can pull the zone.
h) now start the named service on the slave server and also verify the chkconfig settings.
i) on the slave, verify that the new name server record replicated (dig @localhost hakimuddin.internal NS); it should show the change made on the primary server's zone.
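The script below is an added example, not from the original notes, covering the two things that go wrong most often in the master/slave setup above (and in the slave-server section before the syslog notes): the zone names in the two named.conf stanzas not matching, and the serial not being increased so the slave never transfers. It generates a master stanza that restricts AXFR to the slave and a matching slave stanza, checks the names agree, and bumps a YYYYMMDDnn serial in a zone file. The zone name and the master address 192.168.2.21 are the ones in the notes; the slave address 192.168.2.15 is assumed. Everything is written to a temp directory, not to /etc or /var/named.

```shell
#!/bin/sh
# Added example (not from the original notes): matching master/slave zone
# stanzas with transfers limited to the slave, plus a serial bump so slaves
# notice changes. Slave IP 192.168.2.15 is assumed. Files go to a temp dir.

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

ZONE=hakimuddin.internal
MASTER_IP=192.168.2.21
SLAVE_IP=192.168.2.15

# master_stanza ZONE SLAVE_IP -> named.conf stanza for the master.
# allow-transfer limits AXFR to the slave; without it anyone who can reach
# 53/tcp can dump the whole zone with "dig -t axfr".
master_stanza() {
    cat <<EOF
zone "$1" IN {
    type master;
    file "$1.db";
    allow-transfer { $2; };
    notify yes;
};
EOF
}

# slave_stanza ZONE MASTER_IP -> stanza for the slave. The zone name must be
# identical to the master's; named creates the file on the first transfer.
slave_stanza() {
    cat <<EOF
zone "$1" IN {
    type slave;
    file "slaves/$1.db";
    masters { $2; };
};
EOF
}

# stanza_zone_name FILE -> the name quoted in the first zone stanza
stanza_zone_name() {
    sed -n 's/^zone "\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# next_serial CURRENT [TODAY] -> new serial in YYYYMMDDnn form, always
# greater than CURRENT (slaves only transfer when the serial increases).
next_serial() {
    cur=$1; today=${2:-$(date +%Y%m%d)}
    case $cur in
        "$today"[0-9][0-9]) nn=${cur#"$today"}; nn=${nn#0}
                            new=$(printf '%s%02d' "$today" $((nn + 1))) ;;
        *)                  new=${today}01 ;;
    esac
    [ "$new" -gt "$cur" ] || new=$((cur + 1))
    [ "$new" -le 4294967295 ] || return 1   # the serial is a 32-bit field
    printf '%s\n' "$new"
}

# bump_zone_serial ZONEFILE [TODAY] -> rewrites the "; serial" line in place
bump_zone_serial() {
    f=$1
    cur=$(awk '/;[[:space:]]*serial/ { print $1; exit }' "$f")
    new=$(next_serial "$cur" "$2") || return 1
    sed "s/^\([[:space:]]*\)$cur\([[:space:]]*;[[:space:]]*serial\)/\1$new\2/" "$f" >"$f.tmp" \
        && mv "$f.tmp" "$f"
    printf '%s\n' "$new"
}

# Constructed zone file using the records from the notes (slave listed as NS).
cat >"$DEMO/$ZONE.db" <<'EOF'
$TTL 86400
@           IN SOA  huze.hakimuddin.internal. root.hakimuddin.internal. (
                    2024010201 ; serial
                    3H         ; refresh
                    15M        ; retry
                    1W         ; expiry
                    1D )       ; minimum
            IN NS   huze.hakimuddin.internal.
            IN NS   fedorahuze.hakimuddin.internal.
huze        IN A    192.168.2.21
fedorahuze  IN A    192.168.2.15
EOF

master_stanza "$ZONE" "$SLAVE_IP"  >"$DEMO/master.conf"
slave_stanza  "$ZONE" "$MASTER_IP" >"$DEMO/slave.conf"
[ "$(stanza_zone_name "$DEMO/master.conf")" = "$(stanza_zone_name "$DEMO/slave.conf")" ] \
    && echo "zone names match"
bump_zone_serial "$DEMO/$ZONE.db"
```

Run named-checkzone hakimuddin.internal on the generated zone file and named-checkconf on the stanzas before restarting named; after the bump, the slave's /var/log/messages should show a transfer of the new serial.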
---------------------------------XXXXXXXXX-------------SE LINUX Intro------------------xxxx--------
Features:
1) Restricts access by subjects (users and/or processes) to objects (files, ports, devices)
2) Provides mandatory access control (MAC)
3) MAC extends discretionary access control (DAC); DAC is the standard Linux security model, i.e. file permissions. SELinux is consulted only after DAC has already allowed an access, so it can only take rights away, never grant extra ones.
4) Stores the MAC labels (security contexts) in extended attributes of the file system
5) SELinux separates users/processes from files/devices via labelling, and monitors/controls their interactions
6) SELinux is embedded in the kernel
7) SELinux implements sandboxes (domains) for subjects and objects
8) The default RHEL5 implementation creates a sandbox for each targeted daemon and one domain (unconfined_t) for everything else
9) SELinux is enabled by RHEL5 by default
10) Operates in
a) permissive -- permission is always granted, however denials are logged to /var/log/messages (and to /var/log/audit/audit.log when auditd runs); good way to troubleshoot
b) enforcing -- strictly enforces the targeted policy rules
c) disabled -- only DAC is applied, meaning only standard Linux permissions
11) The operating mode is set at startup in /etc/selinux/config and can be switched between enforcing and permissive while the system is running
---Config files and tools:----
1) sestatus -v -- displays the current SELinux status
policy name 'targeted' (default supported policy)
policy version '21'
operating mode 'enforcing|permissive|disabled'
2) /etc/sysconfig/selinux -- primary startup/config file; it is a symlink to /etc/selinux/config
3) /etc/selinux/targeted -- top-level container for the targeted policy
4) setenforce 0 -- switches to permissive mode (setenforce 1 = enforcing); getenforce shows the current mode. This is not persistent across reboots and cannot disable SELinux entirely.
5) if SELinux is enabled (enforcing mode) and you would like to temporarily disable it, you can pass an argument to the kernel while booting:
a) go to /boot/grub/grub.conf
b) append selinux=0 (no spaces around the =) to the kernel line; enforcing=0 boots into permissive mode instead.
kernel /vmlinuz-2.6.18-128.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet selinux=0
6) -Z can be passed to the following tools to obtain SELinux context information:
a) mv, cp, ls, ps (e.g. ls -lZ filename, or ps -efZ)
7) chcon -R -t type_label -- applies an SELinux type label to files/directories
8) when SELinux is enabled a pseudo file system is mounted at /selinux
Note:
if files (objects) lose their SELinux context there are multiple ways to relabel them:
a) touch /.autorelabel -- init will relabel all files on the system according to the targeted policy at the next reboot
b) fixfiles -- used to relabel files while the system is running (fixfiles relabel for everything, restorecon for individual paths)
9) The list of daemons protected by the targeted SELinux policy includes, but is not limited to:
a) apache (httpd)
b) dhcpd
c) ntpd
d) named
e) syslog
f) squid
g) snmpd
h) portmap
i) nscd -- name service caching daemon
j) winbind
Note: the targeted policy assigns all other subjects and objects to the unconfined_t domain (unconfined_t behaves like a system that has no SELinux at all)
SELinux Troubleshooting
Troubleshooting file contexts:
-- ls -lZ
lists the file context; always check that the context of the file matches the directory or the other config files in the same container.
-- restorecon -R newfilename
if you have moved a file (mv) it carries the context of the folder it was in previously; if so, run the above command to reset it to the default for its new location (cp creates a fresh file, which inherits the target directory's context).
-- chcon -R -t shadow_t filename
this command changes the type of the given file to shadow_t
-- chcon --reference /etc/shadow filename
you can also use this command to change the context; it is a mistake-free way to do it, since it gives the file whatever context the referenced file or directory has.
if you create a new file, it is going to take the context of its parent directory. Note that chcon changes are not recorded in the policy and are lost on a relabel; semanage fcontext (see below) is what makes a label permanent.
tried the following semanage command but it didn't work for me...---
-- semanage fcontext -a -t public_content_t 'newfilename'
this cmd is to compile the change into the binary policy -- this will survive the filesystem relabel.
after which I tried running
-- restorecon -vvF filename
this cmd is to apply the policy --
because the semanage policy does not work, this command picks up the earlier context and applies the policy
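As an added example (not from the original notes), the script below does the file-context check described above in a repeatable way: it parses ls -Z output, reports every entry whose type is not the one expected for a web root, and prints the semanage/restorecon pair that fixes it permanently. One caveat worth knowing about semanage fcontext: the path argument is a regular expression matched against the full absolute path, which is why a bare file name never matches anything and the label comes back unchanged after restorecon. The ls -Z output below is constructed sample data, not captured from a host; httpd_sys_content_t is the type Apache content carries under the RHEL5 targeted policy.

```shell
#!/bin/sh
# Added example (not from the original notes): find files under a web root
# whose SELinux type is wrong and emit the commands that fix them for good.
# SAMPLE_LS_Z is constructed "ls -Z" output, not captured from a real host.

# Constructed output of: ls -Z /websites/ejamaat1
# Format: mode user group user:role:type:level name
SAMPLE_LS_Z='-rw-r--r--  root root system_u:object_r:httpd_sys_content_t:s0  index.html
-rw-r--r--  root root user_u:object_r:user_home_t:s0             copied.html
-rw-------  root root root:object_r:shadow_t:s0                  oops.txt
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0  images'

# context_type CONTEXT -> the type field (third colon-separated field)
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# find_mislabeled EXPECTED_TYPE < ls-Z-output -> "name actual_type" per mismatch
find_mislabeled() {
    expected=$1
    while read -r mode user group ctx name; do
        [ -n "$ctx" ] || continue
        t=$(context_type "$ctx")
        [ "$t" = "$expected" ] || printf '%s %s\n' "$name" "$t"
    done
}

# mislabeled_count EXPECTED_TYPE < ls-Z-output -> number of mismatches
mislabeled_count() {
    find_mislabeled "$1" | awk 'END { print NR }'
}

# fix_commands DIR EXPECTED_TYPE < ls-Z-output -> the two commands that make
# the label permanent and apply it now; fails (rc 1) if nothing is wrong.
# semanage needs an absolute-path regex: 'DIR(/.*)?' covers DIR and everything
# below it, and survives a full relabel, unlike chcon.
fix_commands() {
    dir=$1; expected=$2
    n=$(mislabeled_count "$expected")
    [ "$n" -gt 0 ] || return 1
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$expected" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled httpd_sys_content_t
printf '%s\n' "$SAMPLE_LS_Z" | fix_commands /websites/ejamaat1 httpd_sys_content_t
```

On a real host feed it with ls -Z /websites/ejamaat1 | find_mislabeled httpd_sys_content_t; copied.html (user_home_t, typical after cp from a home directory) and oops.txt (shadow_t, the result of the chcon experiment above) are the two entries it flags in the sample.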
---------------xxxxxxxxxxxxxxxxx--------------SSH--------------------------xxxxxxxxxxxxxxxxx------------------------------------------------
Password-less logins --
Dynamics:
First you create a user which you consider a trusted user --- then you create a key pair for that user --- then you copy the public key of that user to the remote system (assuming the accounts are synchronised via an NIS domain; otherwise the target user must already exist there)
you can do the same thing for a different user on the remote system
Step 1:
login as nfs1
ssh-keygen -t dsa -- creates ~/.ssh/id_dsa (the private key; keep it mode 600 and give it a passphrase) and ~/.ssh/id_dsa.pub (the public key). On anything newer than RHEL5 use -t rsa -b 4096 or -t ed25519 instead: DSA keys are limited to 1024 bits and current OpenSSH servers refuse them by default.
Step 2:
ssh-copy-id -i ~/.ssh/id_dsa.pub 192.168.2.15
OR
ssh-copy-id -i ~/.ssh/id_dsa.pub testssh@192.168.2.15 --- in this case you should be able to log in as testssh on 192.168.2.15 without a password. ssh-copy-id appends the key to ~testssh/.ssh/authorized_keys on the remote host and creates ~/.ssh there with mode 700 if needed.
Step 3:
test it:
ssh 192.168.2.15 -- it assumes the same user name you are logged in as (NIS domain)
OR
ssh testssh@192.168.2.15 -- it logs in as testssh on 192.168.2.15 without requiring a password -- why? because you copied your public key into testssh's authorized_keys. If sshd still asks for a password, check that ~/.ssh is mode 700 and authorized_keys mode 600 on the remote side: with StrictModes (the default) sshd ignores keys in a group- or world-writable directory.
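The script below is an added example, not from the original notes, that does by hand what ssh-copy-id does in step 2, plus the two things it does not: it installs the key only once (running ssh-copy-id twice gives you duplicate lines), prefixes it with a from= restriction so the key is only accepted from the trusted subnet used in these notes, and sets the permissions that StrictModes checks. HOME is pointed at a temp directory so nothing on the real account is touched, and the key text is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the original notes): install a public key into
# authorized_keys idempotently, restricted with from=, with the permissions
# sshd's StrictModes requires. Uses a temp dir as HOME; the key is a fake.

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# Constructed public key lines (type base64-blob comment); not real keys.
PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0demo0demo0demo0demo0demo0demo0demo nfs1@huze'
PUBKEY2='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoDemoDemoDemoDemoDemoDemoDemoDemoDemo admin@huze'

# key_blob PUBKEY_LINE -> the "type blob" part, ignoring any options prefix
# and the comment, so the same key is recognised however it was written.
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256)$/) {
                print $i, $(i + 1); exit
            }
    }'
}

# install_key HOME_DIR PUBKEY_LINE [FROM_PATTERN]
# Appends the key once. Returns 0 if added, 2 if already present, 1 on a
# malformed key. FROM_PATTERN becomes a from="..." option, which makes sshd
# reject the key when the client address does not match.
install_key() {
    home=$1; key=$2; from=$3
    sshdir=$home/.ssh; auth=$sshdir/authorized_keys
    blob=$(key_blob "$key")
    [ -n "$blob" ] || return 1
    mkdir -p "$sshdir"
    touch "$auth"
    # StrictModes: ~/.ssh must not be group/world writable, the file 600.
    chmod 700 "$sshdir"
    chmod 600 "$auth"
    if grep -qF -- "$blob" "$auth"; then
        return 2
    fi
    if [ -n "$from" ]; then
        printf 'from="%s" %s\n' "$from" "$key" >>"$auth"
    else
        printf '%s\n' "$key" >>"$auth"
    fi
}

# count_keys HOME_DIR -> number of key lines in authorized_keys
count_keys() {
    grep -c -- 'ssh-' "$1/.ssh/authorized_keys"
}

# perms_ok HOME_DIR -> 0 if the modes match what sshd expects
perms_ok() {
    [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = drwx------ ] \
        && [ "$(ls -ld "$1/.ssh/authorized_keys" | cut -c1-10)" = -rw------- ]
}

install_key "$DEMO" "$PUBKEY" 192.168.2.0/24
install_key "$DEMO" "$PUBKEY" 192.168.2.0/24 || echo "already installed (rc $?)"
cat "$DEMO/.ssh/authorized_keys"
```

With the from= option in place, the key still works for ssh testssh@192.168.2.15 from inside 192.168.2.0/24, but a copy of the private key used from any other network is refused even though it is otherwise valid.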
-------------------------xxxxxxxxxxx--------------IP TABLES-----------------------XXXXX----------------
Features:
1) Firewall for Linux
2) User-space interface to Netfilter, which is built into the kernel
3) Operates primarily at layers 3 and 4 of the OSI model
4) Modular
5) Provides NAT support -- you can turn your Linux system into a router
6) iptables can also look at other layers, i.e. 2, 5, 6, 7, with extra modules
1) iptables is installed by default -- remember it is an interface to Netfilter, which is loaded by the kernel
To verify the kernel was built with Netfilter:
Syntax:
grep -i config_netfilter /boot/config-2.6.18-53.el5
2) iptables startup config file location:
/etc/sysconfig/iptables-config
Note: the rules themselves are saved in /etc/sysconfig/iptables (service iptables save), so they are reapplied when iptables restarts; or set IPTABLES_SAVE_ON_STOP=yes / IPTABLES_SAVE_ON_RESTART=yes in /etc/sysconfig/iptables-config to save the live rules automatically.
3) iptables main commands and files
/sbin/iptables -- primary rule (ACL) editing utility
/sbin/iptables-restore -- loads a saved rule set (from a file on stdin) into the running iptables
/sbin/iptables-save -- dumps the running rules to stdout by default, or to a file via redirection
a) /etc/sysconfig/iptables-config
--- the file consulted at boot for iptables options; here you set the defaults such as save on restart, save on stop, modules to load, etc.
b) /etc/sysconfig/iptables
--- the file into which the rules are saved (by service iptables save, or automatically if so configured) and from which they are loaded at boot.
4) iptables has 3 built-in tables, which you cannot remove:
a) nat -- source NAT, destination NAT, masquerading
b) mangle -- alters packet headers (TOS, TTL, marks)
c) filter (default) -- filters inbound/outbound traffic on common criteria (tcp, udp, icmp, addresses, ports, connection state, etc.)
Note:
Each table contains chains, which contain the rules (access control entries, ACEs). Rules are matched top to bottom and the first match wins, so the order within a chain matters.
5) USAGE:
a) iptables -L -- lists all chains/rules (add -n to skip DNS lookups and --line-numbers to see rule positions)
a) iptables -v -L -- lists all chains/rules plus the packet/byte counters of what was dropped/accepted
b) iptables -F -- flushes all rules (the chain policies stay as they are)
c) iptables -A -- APPENDs a rule to a chain (INPUT, OUTPUT, FORWARD); -I inserts it at the top instead
Note: the filter table includes 3 chains:
a) INPUT chain -- applies to traffic destined to a service our system is bound to
b) FORWARD chain -- applies to traffic being routed through the system, e.g. if our system is a router
c) OUTPUT chain -- applies to traffic sourced from our system, heading outbound
TASKS:
1) Filter inbound SSH traffic to the RHEL5 system
a) iptables -A INPUT -p tcp --dport 22 -j DROP
---- -A is append, -p protocol, --dport destination port, -j jump to the target
b) iptables -A INPUT -j DROP
--- drops all traffic; you do not need -s or -d (source/destination) if you want to block everything. Because it is appended, it only catches what the rules above it did not match; if you run this over ssh with no rule allowing ESTABLISHED connections above it, you lock yourself out.
c) iptables -A INPUT -p tcp -s 192.168.2.15 -d 192.168.2.100 --dport 22 -j DROP
--- drops connections from the source to the destination on port 22 (SSH)
To check which IP addresses/ports your system is listening on, run
syntax:
netstat -ntl (add -p to see the owning process, -u to include UDP)
2) Filter outbound traffic: drop SSH to ANY remote host
a) iptables -A OUTPUT -p tcp --dport 22 -j DROP
--- blocks outbound connections from localhost to anywhere on port 22
3) iptables -F
--- flushes all rules
4) iptables-save > iptables.rules1
--- saves the iptables rules to a file
5) iptables-restore < iptables.rules1
--- restores/reinstates the rules from iptables.rules1
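The script below is an added example, not from the original notes, that turns the tasks above into a complete, loadable rule set in the iptables-save format that /etc/sysconfig/iptables and iptables-restore use: a default-deny INPUT policy, loopback and ESTABLISHED,RELATED accepted first, SSH accepted only from the trusted subnet used in these notes, and a catch-all REJECT last. It also checks a rules file for the two lock-out mistakes task 1 invites (no ESTABLISHED rule before the first deny, no SSH rule before the catch-all). Nothing is loaded into the kernel; the rules are only written to a temp file, and the extra ports 80 and 443 are an assumption for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): generate a default-deny
# iptables-save rule set and sanity-check it before "iptables-restore".
# Nothing is loaded into the kernel; files go to a temp dir.

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# write_ruleset FILE ADMIN_SUBNET "PORT ..." -> rule set in iptables-save format.
# Order matters: loopback and ESTABLISHED first (so the current SSH session
# survives the load), then explicit ACCEPTs, then the catch-all REJECT. The
# INPUT policy is DROP so that anything not listed is dropped even if the
# catch-all rule is ever removed.
write_ruleset() {
    out=$1; admin=$2; ports=$3
    {
        printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
        printf '%s\n' '-A INPUT -i lo -j ACCEPT'
        printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
        printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
        printf '%s\n' "-A INPUT -p tcp -s $admin --dport 22 -m state --state NEW -j ACCEPT"
        for p in $ports; do
            printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
        done
        printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited' COMMIT
    } >"$out"
}

# check_ruleset FILE -> 0 if safe to load over ssh, else prints why and
# returns 1: the ESTABLISHED accept must precede the first DROP/REJECT in
# INPUT, and an SSH accept must precede the catch-all deny.
check_ruleset() {
    f=$1
    grep -q '^COMMIT$' "$f" || { echo "missing COMMIT"; return 1; }
    est=$(grep -nE -- '--state [A-Z,]*ESTABLISHED' "$f" | cut -d: -f1 | head -n 1)
    first_deny=$(grep -nE -- '^-A INPUT .*-j (DROP|REJECT)' "$f" | cut -d: -f1 | head -n 1)
    ssh_ok=$(grep -nE -- '^-A INPUT .*--dport 22 .*-j ACCEPT' "$f" | cut -d: -f1 | head -n 1)
    catchall=$(grep -nE -- '^-A INPUT -j (DROP|REJECT)' "$f" | cut -d: -f1 | head -n 1)
    if [ -z "$est" ] || { [ -n "$first_deny" ] && [ "$est" -gt "$first_deny" ]; }; then
        echo "ESTABLISHED,RELATED accept must come before the first deny"; return 1
    fi
    if [ -z "$ssh_ok" ] || { [ -n "$catchall" ] && [ "$ssh_ok" -gt "$catchall" ]; }; then
        echo "no SSH accept before the catch-all deny"; return 1
    fi
    return 0
}

# rule_count FILE -> number of INPUT rules in the file
rule_count() {
    grep -c '^-A INPUT' "$1"
}

write_ruleset "$DEMO/iptables.good" 192.168.2.0/24 "80 443"
check_ruleset "$DEMO/iptables.good" && echo "ruleset ok"
cat "$DEMO/iptables.good"
```

To use it for real: write_ruleset to a temp file, run check_ruleset, then iptables-restore < file from a console session (not over ssh) the first time, and service iptables save once you have confirmed you can still log in.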
----------------xxx-----------------------------APACHE SERVER---------------------xxxxx
QUICK usage syntax:
httpd -l -- lists the modules compiled into the binary (httpd -M also lists the dynamically loaded ones)
httpd -S -- dumps the virtual host configuration in effect and also checks the syntax (httpd -t checks the syntax only)
Task:
1) install apache --- yum install httpd
Apache important files
/etc/httpd/conf -- top-level config container
/etc/httpd/conf/httpd.conf -- primary apache config file
/etc/httpd/conf.d -- drop-in configuration directory, read by apache at startup (Include conf.d/*.conf in httpd.conf)
2) explore /etc/httpd/conf/httpd.conf
apache runs in 2 modes (MPMs):
a) prefork mode -- default (one process per connection)
b) worker (multithreaded) mode
c) apache always maintains a main server config, independent of the virtual hosts; this server is the catch-all for traffic that does not match any virtual host.
d) <Directory> directives govern file system access.
Note: the primary apache process runs as root and has access to the full file system; the <Directory> directives restrict the web user's view of the file system, on top of the normal file permissions the apache user is subject to.
e) ErrorLog logs/error_log -- directive
Default error log for all virtual hosts that have not defined an ErrorLog directive individually.
f) every directory outside the DocumentRoot that you serve should have its own <Directory> block, so that its access rules and AllowOverride setting are explicit rather than inherited from <Directory />.
3) Start the apache service
Syntax:
-- service httpd start
-- ps -ef | grep -i httpd
root 20778 1 0 16:27 ? 00:00:00 /usr/sbin/httpd
apache 20780 20778 0 16:27 ? 00:00:00 /usr/sbin/httpd
apache 20781 20778 0 16:27 ? 00:00:00 /usr/sbin/httpd
apache 20782 20778 0 16:27 ? 00:00:00 /usr/sbin/httpd
apache 20783 20778 0 16:27 ? 00:00:00 /usr/sbin/httpd
apache 20784 20778 0 16:27 ? 00:00:00 /usr/sbin/httpd
apache 20785 20778 0 16:27 ? 00:00:00 /usr/sbin/httpd
apache 20786 20778 0 16:27 ? 00:00:00 /usr/sbin/httpd
apache 20787 20778 0 16:27 ? 00:00:00 /usr/sbin/httpd
Note: the parent apache process runs as root and can see the entire file system; the child processes run as apache and can only read files/directories that the apache user can read. Content should be readable by apache but not writable by it.
4) create an alias for content outside the web root (/var/www/html)
a) create the content in a directory one level above -- /var/www/testalias1
go to the very end of httpd.conf and add:
Alias /testalias1 "/var/www/testalias1/"
<Directory "/var/www/testalias1">
AllowOverride None
Order allow,deny
Allow from all
</Directory>
5) make sure apache starts after a reboot: chkconfig httpd on
-----VIRTUAL HOST------
FEATURES:
Ability to serve several sites from one or more IP addresses.
Supports 2 kinds of virtual host:
a) IP based --- one site per IP address
b) name based (Host header) --- multiple sites per IP address; the client must send the Host header (HTTP/1.1), otherwise it gets the first vhost defined for that address
Tasks:
1) create IP-based virtual hosts
a) add the alias ifcfg-eth0:1 = 192.168.2.200 (see Network Config above)
b) configure the virtual host:
<VirtualHost 192.168.2.200>
ServerAdmin webmaster@huze.hakimuddin.internal
ServerName site1.hakimuddin.internal
DocumentRoot /var/www/site1
<Directory /var/www/site1>
Order allow,deny
Allow from all
</Directory>
CustomLog logs/site1_access_log combined
ErrorLog logs/site1_error_log
</virtualHost>
c) create the directory /var/www/site1
d) create an index page to test -- after making changes to /etc/httpd/conf/httpd.conf check the syntax with httpd -t, then service httpd reload.
2) create name-based virtual hosts using the primary IP address
a) /etc/httpd/conf/httpd.conf:
site 3 on the primary IP address
NameVirtualHost 192.168.2.100:80
<VirtualHost 192.168.2.100:80>
ServerAdmin webmaster@huze.hakimuddin.internal
ServerName site3.hakimuddin.internal
DocumentRoot /var/www/site3
<Directory /var/www/site3>
Order allow,deny
Allow from all
</Directory>
CustomLog logs/site3_access_log combined
ErrorLog logs/site3_error_log
</virtualHost>
site 4 on the primary IP address -- same IP, same port, just a different ServerName
<VirtualHost 192.168.2.100:80>
ServerAdmin webmaster@huze.hakimuddin.internal
ServerName site4.hakimuddin.internal
DocumentRoot /var/www/site4
<Directory /var/www/site4>
Order allow,deny
Allow from all
</Directory>
CustomLog logs/site4_access_log combined
ErrorLog logs/site4_error_log
</virtualHost>
------------APACHE WITH SSL SUPPORT---------------
Requirements:
1) httpd -- already installed
2) openssl -- also used by sshd, so already installed
3) mod_ssl -- apache module that provides SSL/TLS support
4) crypto-utils -- (genkey) used to generate private keys and certificate requests
-- also used to create self-signed certificates
TASKS:
1) Install the requirements
a) mod_ssl (yum install mod_ssl)
-- also provides a default self-signed certificate /etc/pki/tls/certs/localhost.crt and key /etc/pki/tls/private/localhost.key
-- however this default key/cert is not something you should use on a production server: either generate a key plus a CSR to be signed by a CA, or create a self-signed certificate (no CSR needed), which browsers will not trust until it is imported
b) crypto-utils (yum install crypto-utils)
2) Generate the key and certificate using genkey
a) genkey site1.hakimuddin.internal -- opens a TUI in which you configure the cert and private key (key size, self-signed or CSR, subject)
b) once generated, the key is in /etc/pki/tls/private/site1.hakimuddin.internal.key and the cert in /etc/pki/tls/certs/site1.hakimuddin.internal.crt; keep the key readable by root only (mode 600)
c) edit /etc/httpd/conf.d/ssl.conf with the appropriate names (ServerName, SSLCertificateFile, SSLCertificateKeyFile), edit DNS if necessary, reload the DNS zone and test https access.
Note: for multiple SSL sites, copy /etc/httpd/conf.d/ssl.conf to distinct files that match your distinct IP-based vhosts; each SSL site needs its own IP address (or port) because the certificate is chosen before the Host header is seen, unless both server and clients support SNI.
EXAM WATCH:-
1) How to create a virtual host, then configure it so that only users with a valid password can see the page, and block users from the subnet 192.100.100.0/24.
Step 1 -- make the virtual host
cd /etc/httpd/conf.d/
vi ejamaat.conf
<VirtualHost 192.168.2.100>
ServerAdmin webuser1@hakimuddin.internal
ServerName ejamaat1.hakimuddin.internal
DocumentRoot /websites/ejamaat1
<Directory /websites/ejamaat1>
Order deny,allow
Deny from 192.100.100.0/24
AllowOverride AuthConfig
</Directory>
</VirtualHost>
Note: with Order deny,allow the Deny directives are evaluated first and anything not denied is allowed, so this blocks just that subnet. A bare 192.100.100.0 would match only that single host; write the subnet as 192.100.100.0/24 (or the prefix 192.100.100). The keywords in Order are separated by a comma with no space.
Step 2 -- configure .htaccess
a) create a .htaccess file for the particular website, usually in the document root of the website (the AllowOverride AuthConfig above is what makes apache read it)
cd /websites/ejamaat1
vi .htaccess
AuthName "whatever you like"
AuthType Basic
AuthUserFile /etc/httpd/conf/.htpasswd-ejamaat1
Require valid-user
b) create the .htpasswd file (location -- /etc/httpd/conf, the same path given in the .htaccess file; keep it outside the DocumentRoot so it can never be downloaded)
cd /etc/httpd/conf
htpasswd -cm .htpasswd-ejamaat1 ej1 -- -c creates the file (leave it out when adding further users, or the file is overwritten), -m hashes with MD5; ej1 at the end is the user name; once you hit enter it asks for the password. Basic auth sends the password in clear text with every request, so use it on the SSL site.
2) How to create name-based virtual hosts
Step 1 -- make the virtual hosts (both share 192.168.2.200:80 and are told apart by ServerName)
cd /etc/httpd/conf.d/
vi hakimuddin.conf
NameVirtualHost 192.168.2.200:80
<VirtualHost 192.168.2.200:80>
ServerAdmin webuser1@hakimuddin.internal
ServerName ejamaat2.hakimuddin.internal
DocumentRoot /websites/ejamaat2
<Directory /websites/ejamaat2>
Order deny,allow
Allow from all
</Directory>
</virtualhost>
<VirtualHost 192.168.2.200:80>
ServerAdmin webuser1@hakimuddin.internal
ServerName ejamaat3.hakimuddin.internal
DocumentRoot /websites/ejamaat3
<Directory /websites/ejamaat3>
Order deny,allow
Allow from all
</Directory>
</virtualhost>
3) How to create a secure (https) site called ejamaat4
Step 1:
make sure all install requirements are met
yum install mod_ssl
yum install crypto-utils
once mod_ssl is installed you should see the ssl.conf file in /etc/httpd/conf.d
take a backup of ssl.conf before editing
Step 2:
genkey ejamaat4.hakimuddin.internal
then follow the prompts
Step 3:
vi ssl.conf
change the following directives
<VirtualHost 192.168.2.243:443>
ServerAdmin webuser1@hakimuddin.internal
ServerName ejamaat4.hakimuddin.internal:443
DocumentRoot /websites/ejamaat4
<Directory /websites/ejamaat4>
Order deny,allow
Allow from all
</Directory>
change SSLCertificateFile to the certificate genkey produced
e.g.
SSLCertificateFile /etc/pki/tls/certs/ejamaat4.hakimuddin.internal.crt
change SSLCertificateKeyFile to the matching private key
e.g.
SSLCertificateKeyFile /etc/pki/tls/private/ejamaat4.hakimuddin.internal.key
change the ErrorLog directive if needed
leave the rest of the ssl.conf directives the same.
- chkconfig httpd on
- iptables: open ports 80 and 443 (-A RH-Firewall-1-INPUT -p tcp --dport 443 -j ACCEPT, and the same for 80), then service iptables restart
- selinux: make sure the file context of /websites is the same as /var/www/html (httpd_sys_content_t): chcon -R --reference /var/www/html /websites works until the next relabel; semanage fcontext -a -t httpd_sys_content_t '/websites(/.*)?' followed by restorecon -R /websites makes it permanent.
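As an added example (not from the original notes), the script below evaluates Apache 2.2 Order / Allow from / Deny from the way httpd does, so the <Directory> block from task 1 can be checked against client addresses before it goes live. It also shows the two mistakes that block the wrong people: a bare 192.100.100.0, which denies one host instead of the subnet, and Order allow,deny with no Allow directive, which denies everyone. The subnet and the addresses are the ones used in these notes; nothing here talks to httpd.

```shell
#!/bin/sh
# Added example (not from the original notes): evaluate Apache 2.2
# Order/Allow/Deny for a client address, to test a <Directory> block
# before deploying it. Pure shell arithmetic; httpd is not involved.

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_matches IP PATTERN -> 0 if PATTERN covers IP. PATTERN is what an
# Allow/Deny directive takes: all, a full address, a CIDR network, or a
# partial address such as 192.100.100 (Apache treats that as a prefix).
ip_matches() {
    ip=$1; pat=$2
    case $pat in
        all) return 0 ;;
        */*)
            net=${pat%/*}; bits=${pat#*/}
            mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
            [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
        *)
            dots=$(printf '%s' "$pat" | tr -cd . | wc -c | tr -d ' ')
            if [ "$dots" -lt 3 ]; then
                case $ip in "$pat".*) return 0 ;; *) return 1 ;; esac
            else
                [ "$ip" = "$pat" ]
            fi ;;
    esac
}

# any_match IP "PAT PAT ..." -> 0 if any pattern in the list matches
any_match() {
    for p in $2; do ip_matches "$1" "$p" && return 0; done
    return 1
}

# access_decision ORDER "ALLOW PATTERNS" "DENY PATTERNS" IP -> allow | deny
# Order allow,deny: default deny; the client must match an Allow and no Deny.
# Order deny,allow: default allow; denied only when a Deny matches and no
# Allow matches (a matching Allow overrides the Deny).
access_decision() {
    order=$1; allow=$2; deny=$3; ip=$4
    if any_match "$ip" "$allow"; then a=1; else a=0; fi
    if any_match "$ip" "$deny";  then d=1; else d=0; fi
    case $order in
        allow,deny) if [ "$a" = 1 ] && [ "$d" = 0 ]; then echo allow; else echo deny; fi ;;
        deny,allow) if [ "$d" = 1 ] && [ "$a" = 0 ]; then echo deny;  else echo allow; fi ;;
        *) echo "unknown Order: $order" >&2; return 1 ;;
    esac
}

# The <Directory /websites/ejamaat1> block from the task:
#   Order deny,allow
#   Deny from 192.100.100.0/24
for client in 192.100.100.7 192.168.2.15; do
    echo "deny,allow + Deny from 192.100.100.0/24: $client -> $(access_decision deny,allow '' 192.100.100.0/24 $client)"
done
# Two common mistakes: a bare 192.100.100.0 denies only that one host, and
# Order allow,deny with no Allow directive denies everybody.
echo "Deny from 192.100.100.0 only: 192.100.100.7 -> $(access_decision deny,allow '' 192.100.100.0 192.100.100.7)"
echo "allow,deny with no Allow:   192.168.2.15 -> $(access_decision allow,deny '' 192.100.100.0/24 192.168.2.15)"
```

The third argument is the Deny list and the second the Allow list, so the Alias block earlier on the page (Order allow,deny; Allow from all) is access_decision allow,deny all '' client, which allows everyone, while adding Deny from 192.100.100.0/24 to it blocks the subnet and keeps everyone else.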
---------------------xxxxxxxxxxxxxx---------------------SAMBA------------------xxx----
4 packages make up Samba:
samba -- the main server (smbd, nmbd); version 3.0 on RHEL5
samba-client -- the client tools (smbclient, smbtree, findsmb, smbget, smbtar)
samba-common -- shared by the main samba package and samba-client
samba-swat -- web-based config tool
1) Primary samba config file
-- /etc/samba/smb.conf
----------------------------------
Clients
1) findsmb -- finds SMB hosts on the network
2) smbtree -- equivalent to Network Neighborhood in Windows; it enumerates workgroups, hosts and their shares
3) smbget -- similar to wget, in that it downloads items from a remote share
4) smbclient -- interactive utility to connect to shares; permits uploading as well as downloading
-- it is more of an ftp-type utility where you use mget and mput to receive and send files; it downloads to the current directory
Syntax
smbclient -U user //servername/sharename -- -U = username (capital U)
smbclient -L servername -U huzeifa -- lists the shares on the server
Task:
1) Connect to a Windows host share and download a file to the Linux box
a) -- smbclient -U huzeifa //192.168.2.254/test
this connects you to the Windows server/share (you are prompted for the password)
b) -- mget huze.txt
downloads the huze.txt file to your local directory
c) -- !ls
runs ls in the local Linux directory to verify the file actually got downloaded
2) Download a file via smbget (to use smbget you need to know the exact file name in advance)
-- smbget -u huzeifa smb://192.168.2.254/test/test.txt -- make sure the -u is lower case
3) Back up an SMB share to the Linux box; it writes the tar file to whatever your current directory is.
-- smbtar -s 192.168.2.254 -x Test -u huzeifa -p '123' -t backup1.tar -- note that a password given with -p is visible to every local user in ps and in the shell history; leave -p out and type it at the prompt instead.
------------------------------------SAMBA SERVER ---------------------------------------------------------------
Features:
Will make ur linux box look like a windows box to share folders , etc.
1) /etc/samba/smb.conf --Main Samba confi/file
2) SWAT manages /etc/samba/smb.conf --via GUI.
Samba Server mOdes:
1) User
a) One samba defined user is required per linux user
b) Authentication of users is handled by samba server
2) Server/Domain (PDC/BDC)
a)Still requires a local samba-defined user accounts database
b)Authentication is handled by the windows NT/2K/2K3/2K8 server
3)ADS -Active directoru
a)Authentication is handled by active directory
b)when used with winbind, locally defined samba users are not required.
Note: Ultimately, users must authenticate to the local linux file system.
Task:
1) Install SWAT
a)yum -y install samba-swat
Startup options:
Samba SWAT is controlled via xinetd
Conf file located at
/etc/xinetd.d/swat
in the conf file change
--disable = yes to >> --disable = no
and to restart the service run the following commands
--service xinetd restart --this will restart SWAT.
--netstat -ntl |grep 901 --will confirm that it's running and listening on port 901.
Info:
1)/etc/samba/smbpasswd maps Windows users to /etc/passwd.
2) Configure Samba in user authentication mode and share out user home directories
a)configure the smb.conf file ---everything default, just change the workgroup
b)allow SELinux to share home directories --did that via the GUI tool
c)Create system user "user1" with no password
--useradd user1
d)Create samba user "user1" with a password (-a adds the samba account; without it smbpasswd only changes an existing one)
--smbpasswd -a user1
e)verify by connecting via another password
--smbclient -L huze -U user1
--smbclient -U huze //huze/[user1] --if your smb server has allowed home directories, put the username of the user instead of the sharename in the brackets []
-----------------xxxxxxxxxxx--------------------------SQUID Proxy Server-------------------------------xxx
Features:
Cache server
proxy server
Filters access to the internet
Efficient bandwidth usage
Install Squid
--yum install squid
Important files
/etc/squid --primary config container
/etc/squid/squid.conf --primary config file
/usr/sbin/squidclient --used to test the squid proxy server
/var/log/squid --primary log directory
/var/spool/squid --cache directory container.
Notes:
1)ensure ample fast disk storage is available for the /var/spool/squid dir, as squid stores all internet cache in this dir.
2)squid defaults to tcp 3128.
Tasks :
1)install and start squid and configure startup --chkconfig; also make sure DNS is working or else the service is not going to start.
2)configure the squid.conf file to allow access
a)by default squid blocks all access from all networks
b) in this section add the following lines to allow the local network
---acl local_vm_phy_network src 192.168.2.0/24
---http_access allow local_vm_phy_network
3)Deny access to 192.168.2.5, but allow all other users from the local subnet.
acl lan_bad_user src 192.168.2.5
http_access deny lan_bad_user
Note: make sure you put this rule above the allow rule, because the allow rule permits the entire network to browse; http_access rules are applied first-match, the same as a firewall.
4)test squid with squidclient
syntax:
squidclient -g 3 www.dell.com --this will fetch the page 3 times and print download times, etc
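As an added example (not from these notes), a small POSIX shell evaluator for the src ACL and http_access lines from tasks 2 and 3, showing why the deny for 192.168.2.5 has to sit above the allow for 192.168.2.0/24: squid acts on the first http_access line whose ACL matches. The acl names are the ones used in the tasks; squid's built-in `all` acl is assumed.

```shell
# Added example, not from the notes: a first-match evaluator for the squid
# "acl ... src" and "http_access" lines in tasks 2 and 3 above.
ACLS='acl lan_bad_user src 192.168.2.5
acl local_vm_phy_network src 192.168.2.0/24'

# Correct order: the per-host deny sits above the network allow.
RIGHT_ORDER="$ACLS
http_access deny lan_bad_user
http_access allow local_vm_phy_network
http_access deny all"

# Wrong order: the allow is reached first, so the deny is never consulted.
WRONG_ORDER="$ACLS
http_access allow local_vm_phy_network
http_access deny lan_bad_user
http_access deny all"

ip2int() {  # dotted quad -> 32-bit integer
  oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {  # in_cidr IP NET[/BITS] -> 0 if IP lies inside NET
  net=${2%%/*}; bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32           # a bare address means /32
  if [ "$bits" -eq 0 ]; then mask=0
  else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

acl_matches() {  # acl_matches NAME IP CONF -> 0 if a src entry of NAME covers IP
  [ "$1" = all ] && return 0              # squid's built-in "all" acl
  hit=$(printf '%s\n' "$3" | while read -r kw aname atype value; do
    if [ "$kw" = acl ] && [ "$aname" = "$1" ] && [ "$atype" = src ] \
       && in_cidr "$2" "$value"; then echo hit; break; fi
  done)
  [ "$hit" = hit ]
}

squid_decision() {  # squid_decision IP CONF -> allow|deny of the first matching line
  d=$(printf '%s\n' "$2" | while read -r kw action name; do
    [ "$kw" = http_access ] || continue
    if acl_matches "$name" "$1" "$2"; then echo "$action"; break; fi
  done)
  echo "${d:-deny}"                       # nothing matched: squid denies
}

for ip in 192.168.2.5 192.168.2.77 10.0.0.9; do
  echo "$ip: deny-first=$(squid_decision "$ip" "$RIGHT_ORDER")" \
       "allow-first=$(squid_decision "$ip" "$WRONG_ORDER")"
done
```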
-----------------------------xxxx--------MESSAGING -MAIL---POSTFIX-------------xxxxx
Features:
MTA (Message transfer agent)
Modular (e.g. SpamAssassin), whereas sendmail is not. Postfix is easy to use.
Tasks
1) Install postfix
--yum install postfix
Important files:
/etc/postfix -Primary config container
/etc/postfix/main.cf -Primary config file
/etc/postfix/transport -contains routing rules (the transport table)
/etc/postfix/virtual -contains virtual user mappings.
-----------------------------
log files
--------------------------
/var/log/maillog --to verify whether the message actually went out or not
/var/spool/mail/username ---verify size / time stamp to see if it has anything in it.
mailq is a command to see if you have any mails in the queue
'MAIL' is an environment variable which is set to
--/var/spool/mail/huzeifa
you can list environment variables by running
--set
or
--set |grep -i mail
2) install the 'system-switch-mail' package --by default Red Hat uses the sendmail MTA; this package is needed to transfer the config/startup config to postfix
--yum install system-switch-mail
3)switch the default MTA --to postfix
--system-switch-mail --select postfix
Note: the default postfix config binds to 127.0.0.1:25
4)Test local mail delivery.
a) use "mutt" to test local delivery.
5)configure postfix to receive messages from remote systems
a)go to the server's (huze) /etc/postfix/main.cf and edit or append the following directives:
b)change inet_interfaces = localhost to --inet_interfaces = all
c)mydestination = localhost, etc; add --hakimuddin.internal
d)restart postfix --service postfix restart
6)to confirm the directives are in place and active run the following commands
a)postconf |grep inet_interfaces --verify results
b)postconf |grep mydestination --verify results
7)attempt to send a message from fedora (client) to huze (postfix server)
a)if it fails, make sure MX records are properly configured in DNS and all hostnames are properly pingable,
a1)to verify MX records run the following command at the client (fedora) machine
--dig hakimuddin.internal MX
this should return an answer with the MX record; once this is done carry on to step b
b)configure the client MTA (fedora) to listen on all interfaces
to do that, go into the client's (fedora's) /etc/mail/sendmail.mc file and update the following:
-- DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
TO
-- dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
this will comment it out; the reason we comment out this line is: sendmail is listening only on the loopback adaptor, that's why it cannot route messages to any other server ...
so once we comment this line out, it will start listening on all interfaces; once this is done,
c)regenerate /etc/mail/sendmail.cf from sendmail.mc by running the following command
--make all -C /etc/mail (see notes below)
notes:
ensure that sendmail-cf* is installed on the client (fedora) machine in order to build the .cf files from the .mc files.
d)verify that it's listening on all interfaces by running
--netstat -ntlp |grep 25
you should see port 25 bound to all interfaces, as in (0.0.0.0)
e) try to send the mail again; it should work fine now.
EXAM WATCH:
1) Configure dovecot with SSL--
Step1:-
yum install dovecot*
verify the time is okay on both client and server
Step2:-
configure SSL
first delete the default certs which are already installed
search for them with
find /etc/ -name dovecot.pem
and remove them
Step3:-
create your new certificate
make -C /etc/pki/tls/certs/ dovecot.pem
fill in the required info
then change the location of the default preinstalled (now deleted) certs in the /etc/dovecot.conf file and replace it with the location of the new cert file, in both places (certs and keys)
Step4:-
if required disable the imap and pop3 protocols and keep only the imaps and pop3s protocols; you can edit this in the /etc/dovecot.conf file.
Step5:-
add rules in the firewall
vi /etc/sysconfig/iptables
-A INPUT -p tcp -s 192.168.2.15 --dport 25 -j ACCEPT
-A INPUT -p udp -s 192.168.2.15 --dport 25 -j ACCEPT
-A INPUT -p tcp -s 192.168.2.15 --dport 993 -j ACCEPT
-A INPUT -p udp -s 192.168.2.15 --dport 993 -j ACCEPT
-A INPUT -p tcp -s 192.168.2.15 --dport 995 -j ACCEPT
-A INPUT -p udp -s 192.168.2.15 --dport 995 -j ACCEPT
(SMTP, IMAPS and POP3S are TCP-only services; the udp lines do no harm but will never match anything)
service iptables restart
service dovecot restart
chkconfig dovecot on
2) Configure postfix to send and receive email. test that emails are being received at huzeifa@hakimuddin.internal
also configure relaying; only allow crackers.org and example.com to relay.
Step1)
yum install postfix
then make sure iptables is configured properly to allow port 25 from the required networks.
once again make sure postfix is listening on port 25 on all interfaces
netstat -ntlup |grep master
Step2)
in the test, if you are required to send emails via the domain name and not via the host+domain name, then you must make the following changes
a) add MX records to the DNS (you can install system-config-bind via yum)
b) look for the 'mydestination' directive in /etc/postfix/main.cf
uncomment the second line once you find the directive; the second line enables '$mydomain', which in return will let you send email like
huzeifa@hakimuddin.internal rather than huzeifa@hostname.hakimuddin.internal
Step3)
add the following line in /etc/postfix/main.cf to control who can relay
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access, reject
add the following lines in /etc/postfix/access
127.0.0.1 OK
192.168.2 OK
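Added example (not part of the notes): a shell model of the lookup order Postfix uses for check_client_access against the access table from Step3, so you can see which clients fall through to the trailing reject. The table is constructed from the two Step3 entries plus the two relay domains named in the task; the hostnames mail.crackers.org and evil.example.net and the IP addresses are made up, and the client hostname only takes part when Postfix has verified it from reverse DNS (otherwise it is "unknown").

```shell
# Added example, not from the notes: the order in which Postfix consults the
# access table for "check_client_access hash:/etc/postfix/access, reject".
# Constructed table: the two entries from Step3 plus the two relay domains
# named in the exam task.
ACCESS_TABLE='127.0.0.1       OK
192.168.2       OK
crackers.org    OK
example.com     OK'

access_lookup() {  # access_lookup KEY TABLE -> prints the action for an exact key
  printf '%s\n' "$2" | while read -r key action; do
    [ "$key" = "$1" ] || continue
    echo "$action"; break
  done
}

# client_access HOSTNAME IP TABLE -> what the restriction list decides.
# Postfix tries the verified client hostname, then each parent domain, then
# the IP, then networks formed by dropping least-significant octets; with no
# hit, the trailing "reject" applies. HOSTNAME is "unknown" when reverse DNS
# did not verify, so only the address lookups happen for such clients.
client_access() {
  host=$1; ip=$2; table=$3
  h=$host
  while [ -n "$h" ] && [ "$h" != unknown ]; do
    r=$(access_lookup "$h" "$table")
    [ -n "$r" ] && { echo "$r"; return; }
    case $h in *.*) h=${h#*.} ;; *) h= ;; esac
  done
  a=$ip
  while [ -n "$a" ]; do
    r=$(access_lookup "$a" "$table")
    [ -n "$r" ] && { echo "$r"; return; }
    case $a in *.*) a=${a%.*} ;; *) a= ;; esac
  done
  echo REJECT
}

for c in "mail.crackers.org 203.0.113.10" "unknown 192.168.2.77" \
         "unknown 192.168.3.4" "evil.example.net 198.51.100.7"; do
  set -- $c
  echo "$1 [$2] -> $(client_access "$1" "$2" "$ACCESS_TABLE")"
done
```

On the real server the hash: map is built from the text file with postmap /etc/postfix/access and must be rebuilt after every edit.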
Checking email via imaps and sending emails via mutt
checking email via imaps:
--mutt -f imaps://huzeifa@huzeifa.hakimuddin.internal --I don't know what -f is for, however this will check email for huzeifa
sending email via mutt
--mutt
----------------------xxxxxxxxxxxxxxx---------------- SYS LOG ----------------XXXXXXXXX------------
Features:
1) handles logging
2) unix domain socket
3) Internet sockets (udp:514)
4) ability to log to local and remote targets.
Implemented as the 'sysklogd' package
Primary config file :
/etc/syslog.conf
Standard syslog.conf file contains:
1)Rules
a)Facilities -->applications/daemons/network devices, etc
b)Levels --->importance of the message
Range: 0-7
7=emergency (less information)
6=alert
5=critical
4=error
3=warning
2=notice
1=info
0=debug (more information)
2)Targets
a) File -->/var/log/messages
b)tty -->/dev/console
c)remote hosts -->@IP_ADD_OF_REMOTE_HOST
'*' = catch-all/wildcard meaning any facility or level
'.none' = exclusion rule
'man syslog.conf' to learn about the supported facilities and levels
How to enable syslogd to capture information from remote devices.
1)enable UDP logging for the remote cisco gateway (192.168.2.1)
a)netstat -nulp |grep 514 --reveals the UDP:514 LISTENER only on the local address
b)edit /etc/sysconfig/syslog and set 'SYSLOGD_OPTIONS="-r"'
c)edit IPTABLES to allow communication on port UDP 514.
d)restart syslogd
e)configure local0-7 for accepting info from remote devices in /etc/syslog.conf
the -r option makes syslogd listen on all interfaces.
Exam Watch:
How to enable syslogd to capture information from remote devices.
step1)
configure the syslog server
vi /etc/sysconfig/syslog
add -r in the following line
SYSLOGD_OPTIONS="-r -m 0"
step2)
go to the client from which you want to send logs to the server
vi /etc/syslog.conf
user.* @192.168.2.100
step3)
test
logger -i -t yourname "this is a test msg"
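Added example (not from the notes): a POSIX shell resolver for syslog.conf selectors that shows where a message lands under the '*', '.none' and facility.level rules described above, including the user.* rule the client sends to 192.168.2.100. The config fragment is constructed, and the logger test message arrives as facility user at level notice.

```shell
# Added example, not from the notes: resolve which syslog.conf targets a
# message reaches. Constructed fragment: the server's local rules plus the
# "user.* @192.168.2.100" forwarding rule from the client in step2.
SYSLOG_CONF='*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
local0.*                         /var/log/cisco.log
user.*                           @192.168.2.100'

# Urgency rank of a level name, low to high as the notes list them.
level_rank() {
  case $1 in
    debug) echo 0 ;; info) echo 1 ;; notice) echo 2 ;; warning|warn) echo 3 ;;
    err|error) echo 4 ;; crit) echo 5 ;; alert) echo 6 ;; emerg|panic) echo 7 ;;
    *) echo -1 ;;
  esac
}

# line_matches SELECTORS FACILITY LEVEL -> 0 if the ';'-separated selector
# list covers the message. "fac.level" means that level or anything more
# urgent, '*' is the wildcard, ".none" excludes a facility, and later
# selectors override earlier ones (so "*.info;mail.none" drops mail).
line_matches() {
  state=no
  oifs=$IFS; IFS=';'; set -f
  for sel in $1; do
    sfac=${sel%%.*}; slvl=${sel#*.}
    [ "$sfac" = '*' ] || [ "$sfac" = "$2" ] || continue
    if [ "$slvl" = none ]; then state=no
    elif [ "$slvl" = '*' ]; then state=yes
    elif [ "$(level_rank "$3")" -ge "$(level_rank "$slvl")" ]; then state=yes
    else state=no
    fi
  done
  set +f; IFS=$oifs
  [ "$state" = yes ]
}

# syslog_targets FACILITY LEVEL CONF -> one target per line. Every matching
# rule fires (unlike squid's first-match http_access), so a message can land
# in a local file and be forwarded to the remote host at the same time.
syslog_targets() {
  printf '%s\n' "$3" | while read -r selectors target; do
    line_matches "$selectors" "$1" "$2" || continue
    echo "$target"
  done
}

# 'logger -t yourname "..."' sends facility user at level notice by default
echo "user.notice goes to:"; syslog_targets user notice "$SYSLOG_CONF"
echo "mail.info goes to:";   syslog_targets mail info "$SYSLOG_CONF"
```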
---------------xxxxxxxxxxxxxxxxxxx----------PAM------------------xxxxXX----------------------
did not understand much of this...anyway ..
How to track failed logins.
1)vi the /etc/pam.d/system-auth file
2)add the following line just after the first one in the auth group
--auth required pam_tally.so deny=3 unlock_time=300 even_deny_root_account
3)add the following line just after the first one in the account group
--account required pam_tally.so
4)try 3 times logging in as a user with a wrong password
5)it will block the user--now reset the user via the command below
6)pam_tally --user huzeifa --reset
---------------xxxxxxxxxxxxxxxxxxx----------CRON------------------xxxxXX----------------------
--How to create a cron job for a user
1)make a script file with .sh (I did it in my home directory)
a)
#!/bin/bash
FILENAME=uptimeresults.txt
uptime >>$FILENAME
b) test that the script runs
2)make a crontab job in which you define this job to run.
--crontab -e --this will open the crontab editor for your current user.
once the vi editor opens, type in the following line
* * * * * /home/uptime/sh
this will run the script every minute.
--How to create a cron job for the entire system
1)make a script file ping.sh (I did it in root's home directory)
a)
#!/bin/bash
FILENAME=pingresults.txt
ping -c 4 192.168.2.100 >>$FILENAME   # -c bounds the run; without it ping never exits and every minute starts another one
2)make a crontab job in which you define this job to run.
instead of doing "crontab -e"
vi the /etc/crontab file --this is the main file for system-wide jobs
a) add a new entry
###new entry###
* * * * * root /root/ping.sh
this will run the script every minute.
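Added example (not from the notes): a shell check for the two crontab formats above (user crontab: 5 schedule fields then the command; /etc/crontab: a user field in between) that also refuses a script cron would run if it is relative, missing, not executable or world-writable. The fixture scripts are constructed in a temp dir; their ping is bounded with -c so the job exits before the next minute's run.

```shell
# Added example, not from the notes: check a crontab entry in either format
# the notes use. "user" is what crontab -e edits (5 schedule fields, then the
# command); "system" is /etc/crontab (5 schedule fields, a user name, then the
# command). The script itself is checked because cron runs it unattended,
# usually as root.
cron_entry_check() {  # cron_entry_check user|system LINE -> 0 when the entry looks safe
  fmt=$1; line=$2
  set -f; set -- $line; set +f              # split fields, no globbing of '*'
  case $fmt in
    user)   [ $# -ge 6 ] || { echo "need 5 schedule fields + command"; return 1; }
            shift 5 ;;
    system) [ $# -ge 7 ] || { echo "need 5 schedule fields + user + command"; return 1; }
            shift 6 ;;
    *)      echo "unknown format: $fmt"; return 2 ;;
  esac
  cmd=$1
  case $cmd in
    /*) ;;
    *)  echo "$cmd: use an absolute path, cron's PATH is minimal"; return 1 ;;
  esac
  [ -x "$cmd" ] || { echo "$cmd: missing or not executable"; return 1; }
  if [ -n "$(find "$cmd" -maxdepth 0 -perm -o+w)" ]; then
    echo "$cmd: world-writable, anyone on the box could change what cron runs"
    return 1
  fi
  echo ok
}

# Constructed fixtures: a properly protected ping.sh and a world-writable copy.
# ping is bounded with -c so each run exits before the next minute's job.
make_demo_scripts() {  # prints the temp directory holding the two scripts
  d=$(mktemp -d)
  printf '#!/bin/sh\nping -c 4 192.168.2.100 >> /var/tmp/pingresults.txt\n' > "$d/ping.sh"
  cp "$d/ping.sh" "$d/loose.sh"
  chmod 755 "$d/ping.sh"; chmod 777 "$d/loose.sh"
  echo "$d"
}

DEMO_DIR=$(make_demo_scripts)
cron_entry_check system "* * * * * root $DEMO_DIR/ping.sh"
cron_entry_check system "* * * * * root $DEMO_DIR/loose.sh" || true
cron_entry_check user   "* * * * * ping.sh"                    || true
rm -rf "$DEMO_DIR"
```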
--------------xxxxxx---------------BIOS--Grub---INIT ------------------xxxxx
Step1
--Power on
Step2
--BIOS
Step3
--Searches for bootable media; once it has found the bootable media it reads the MBR (512 bytes; in the MBR all the partitions are listed)
Step4
--in the MBR there is bootcode (stage 1 grub)
you power on---
the BIOS checks the hardware,
then it picks the default bootable media and searches its master boot record for bootcode; in the MBR you find the bootcode, also known as GRUB STAGE 1, which is enough to set up the remainder of the grub environment,
after grub stage 1 is launched ---grub stage 1.5 is consulted---which presents a menu to the user---from the main menu we select the operating system we would like to boot.
The menu file is located in /boot/grub----/boot/grub has all the files which are needed to boot the system. the stage 1 file is going to be exactly 512 bytes
THIS file sits on the bootable media --i.e. the first hard drive which is used to boot the system,
this stage 1 code is exactly 512 bytes and is enough to consult stage 1.5 ---stage 1.5 sets up the appropriate filesystem --whether booting from the cdrom / e2fs--STAGE 1.5 PROVIDES the driver information required to access the e2fs filesystem, in particular /boot and /...once stage 1.5 is loaded we move on to stage 2 --stage 2 sets up the environment and then calls the init process.
#############################Boot troubleshooting#################
a.1)
root (hd0,0) = this directive is saying that the /boot partition is at hard drive 0, partition 0,
if I change parameters in the above directive for the partition number I get errors similar to "Error while parsing number" and "Cannot mount selected partition."
if I change parameters in the above directive from root to roo, I get errors similar to "Unrecognized command"
a.2)
to find the proper hard drive / partition where /boot is located, go into the grub command line and type in
--root
or
--find /grub/stage1
this will show you the actual boot partition.
a.3)
if your grub.conf file is missing, the system will boot straight into the grub command line; by experiment I have learned that the minimum of the following commands can also boot your system, provided the kernel and the initrd files are not missing.
grub>root --this will show the hard drive and partition where the actual /boot partition is located
grub>root (hd0,0) ---hit enter
grub>kernel /vmlinuz-2.8xxx ---hit tab for command completion and then hit enter
grub>initrd /initxxx ---hit tab for command completion and then hit enter
grub>boot ---hit enter, this should boot the OS.
a.4) error similar to "setuproot: error mounting /proc: No such file or directory" or other errors indicating it cannot mount / or other partitions
this means that the /boot partition has already been detected, however the / partition is not being detected...
in this case go into the grub menu and try different options with VolGroup00 -Vol00; if none of them work, etc, then go into the grub command line and follow step a.3, this will at least boot your system by automatically finding the correct file system,
however if it does not, it could be a couple of things wrong
1)fstab file incorrectly configured (you can verify this by booting into rescue mode; if rescue mode does not find the OS automatically then most probably the fstab file is not configured correctly.)
2)initrd is there but corrupted.
--------------/etc/inittab------------
1)
/etc/inittab is the file the default runlevel is read from --if there is no runlevel explicitly defined in grub.conf, it picks it up from this file
2)
/etc/inittab also holds all the virtual console config.
--------------how do you know if it's the fstab file missing or the initrd corrupted -----------
first and obvious, just check and verify the errors when you initially boot--->
a missing initrd file is easy to detect --because if the file is missing you will get an error saying file not found just after you boot initially ..
however if the initrd file is corrupted ..it does find the file and move to the next step, however half way through ...it does not mount the file system, etc....this is where it gets challenging ...how do you know if it's a corrupted initrd file or a corrupted FSTAB file !!!!
an easier way to figure this out would be to boot in rescue mode ---
in rescue mode first it loads the kernel --->
then it loads the initrd file--->
once it loads the initrd file --->
it searches for installed OPERATING SYSTEMS --->
if it does not find any installed OS ---> that means probably the FSTAB file is broken or corrupted--->
however if it does find the OS ..that means the / PARTITION IS STILL AVAILABLE to work on ...then probably it was the initrd file --->
if it's initrd, run the "mkinitrd" command--->
if it's the fstab file then ...first in rescue mode you will have to mount the / file system--- to mount the (root) / file system --you should know which drive it is located on ...
an easy way to find out would be to do an fdisk -l to list all hard drives --verify which one is the root hard drive --once you know which one ..
then make a temp folder such as "mkdir /mnt/rootpartition", then mount the hard drive on that folder and access the folder to correct problems with fstab.
if LVM is configured, then cd into /dev and look for VolGroup, browse the directory and mount the correct LogVol
e.g. mount /dev/VolGroup00/LogVol00 /mnt/rootpartition
this will mount the root partition; now you can change the fstab file to the correct version.
----------------how to re-create a new initrd file-------------
1)boot the system into rescue mode by -->bios-->cdrom-->linux rescue
2)once booted verify the /boot/initrd-2.xxx file size, etc; use "stat" to verify the modified date between kernel and initrd--if it's different--then probably initrd is corrupted.
3)mkinitrd /boot/initrd-$(uname -r).img $(uname -r)
(in rescue mode uname -r reports the rescue kernel, not the installed one; after chroot /mnt/sysimage take the version string from ls /lib/modules instead)
----------------how to reinstall the kernel-----------------
1)boot the system into rescue mode by -->bios-->cdrom-->linux rescue
2)once booted verify that the vmlinuz file is there in the /boot directory; if not, verify whether it's installed in the system by "rpm -qa |grep kernel", then run "rpm -ql kernelxxx"
3)if the kernel is already installed try the following options --whichever suits the situation best...
a) to easily remove the kernel try "yum remove kernel"
b) to install a new kernel try "rpm -ivh" or "yum install"
c) rpm -Uvh --oldpackage /media/Server/kernelxxx will downgrade the package to the older package.
d) rpm -ivh --replacepkgs /media/Server/kernelxx will reinstall the same package.
##########-----LAB TROUBLESHOOOTING------------------#########
-xxx-----------SUDO----------------xx-
when sudo does not work--
1) check the /etc/sudoers file and verify that the hostname is correct for that particular user
2) there is also a directive for the "wheel" group --- wheel is a special group in Linux usually used for sudo purposes; in the conf file one directive says that any user which is part of the "wheel" group
may run all commands via sudo.. you must be root to change user group membership
so in this case verify whether the user is part of the "wheel" group.
--groups username ---this shows which groups this user is a part of
--usermod -G user1,wheel user1 ---this adds group "wheel" to user1 (-G replaces the whole supplementary group list, so keep the existing groups in it; usermod -a -G wheel user1 appends instead)
this should work
Personal Notes
Preparation for RHCE exam.
bind (caching-nameserver, slave directive)
syslog (logger -i -t yourname "testmsg", 514 udp)
ntpd (system-config-date, port 123 tcp/udp)
open-ssh (ssh-keygen -t dsa, ssh-copy-id -i /path-to-publickey user@hostname)
http (genkey site1.hakimuddin.internal)
postfix (make -C /etc/pki/tls/certs/ dovecot.pem, block relay)
nfs (* rw,soft 192.168.2.100:/home/&)
smb ([data], write list = @grpname, write list = user1 user2)
vsftpd (iptables, selinux booleans, selinux context, /etc/vsftpd/vsftpd.conf chown=daemon)
squid (block dstdomain, should listen on all domains)
nis/ssh
-----------------Esx Commands----------------------------------
ps -auxwww |grep -i rh5 --rh5 is the name of the VM; use this cmd for identifying VM processes if you need to kill them
esxcfg-mpath --list all ESX server paths
watch 'ls -lh' --if you want to see whether file sizes are changing live
tail -f /var/log/messages --you will see a live version of the file