频道栏目
首页 > 系统 > Linux > 正文

LinuxCBT_Deb5x_Edition_Notes

2011-08-05 13:19:42           
收藏   我要投稿

 

###LinuxCBT Deb5x Edition###

Topology -> Docs directory

Features:

 1. Multiple platform support: i386, PowerPC, Sparc, MIPS, S390, AMD64, Intel64, IA-64, etc.

 2. Obtainable via: HTTP, FTP, JIGDO, BitTorrent, CD/DVD

 3. Open Source - freely available

 4. Ships with thousands of packages

 

 

Tasks:

 1. Download the various DVD ISO images:

' for i in `seq 5`; do wget http://cdimage.debian.org/debian-cd/5.0.4/i386/iso-dvd/debian-504-i386-DVD-$i.iso; done '

 

 2. Confirm the MD5SUMS of downloaded ISOs

 3. Prep the VMWare environment

   a. https://192.168.75.50:8333

   b. Create Virtual Machine

   c. Move Debian ISO images beneath top-level container that VMWare references

 

 4. Install Debian on VMWare - from RedHat Enterprise 5x

  a. Installed in full-screen, text mode

  b. selected single, non-LVM, non-encrypted partition option:

   b1. / - 4GB - (/etc, /usr, /var, /home, /boot (linux kernel is here) ...)

   b2. swap - 250MB

 

 5. Upgrade Debian4x -> Debian5x

  a. Reclamation of existing VMWare instance, that was not in the inventory

 

Note: This may become our target instance

 

 

 6. Install Debian via PXE

  a. Download netboot.tar.gz - provides PXE code for network installation

  b. 'cd /tftpboot && tar -xzvf netboot.tar.gz'

  c. Configure Cisco Router DHCP server to servce 'pxelinux.0' file to client

Note: You may restrict the 'pxelinux.0' option to specific hosts and/or groups using DHCP configuration - reservations

 

 

!

ip dhcp pool linuxcbtwin1

   host 192.168.75.101 255.255.255.0

   hardware-address 0011.115b.7053

   client-name linuxcbtwin1

!

ip dhcp pool DEFAULT75

   import all

   network 192.168.75.0 255.255.255.0

   bootfile pxelinux.0

   next-server 192.168.75.50 

   dns-server 68.94.156.1 68.94.157.1 

   option 150 ip 10.1.50.2 

   default-router 192.168.75.1 

   lease 30

!

 

Note: 2 Key options for PXE booting

'bootfile pxelinux.0' - PXE boot client

'next-server 192.168.75.50' - TFTPD

 

Note: TFTPD & DHCPD servers may be the same or different

Note: NetInstall mode eventually attmpts to pull the code for the OS from a valid mirror.

You may configure an internal mirror for your organization and point the installer there.

 

 

###Linux Boot Sequence###

Features:

 1. Boot process Linux systems take to enter usable mode: 1-5

 

1. BIOS (indicates bootable hard drive)

2. Grand Unified Boot Loader (GRUB) -> MBR of primary HD

3. INITRD (includes drivers for hardware connected to your system)

4. Kernel (detects hardware) -> mounts '/' - root file system

5. INIT (propels your system into a usable state) - RunLevels

 

RunLevels: 0-6

 0 -> halt

 1 -> single-user mode, without concern for contending I/O

 2(Debian Default) - 5 -> multi-user run-levels - networking

 6 -> reboot

 

###Rescue - Boot Problems###

Problems:

 1. GRUB

  a. '/boot/grub/menu.lst' - changed (hd0,0) to (hd1,0) and (hd0,1), then fixed via runlevel 1

 

 2. INITRD

  a. Corrupt the file by breaking dependency - renamed initrd.img*

  b. Forced a boot by editing GRUB menu to use new INITRD file name

 

 

 3. INIT

  a. Corrupt: /etc/inittab

 

 4. Rescue Mode - Installation detection facility

 

 

###Basic Linux Commands###

Features:

 1. Numerous small commands that specialize in discrete functions

 

Tasks:

 1. Explore important commands

  a. 'whoami'

  b. 'id' - includes info from: 'whoami' as well as uid|gid info.

  c. 'pwd' - reveals current working directory based on the maintenance of 2 vars:

   c1. 'echo $PWD' - stores the current directory

   c2. 'echo $OLDPWD' - stores most recently visited directory

  d. 'cd' - changes directory - 'cd $OLDPWD'

   d1. 'cd' - with no options, places us in our $HOME directory

Note: The following directory entries:

  '.' - references the current directory

  '..' - references the parent directory

 

 e. 'ls' - lists files

  e1. 'ls -l' - lists files in long format

  e2. 'ls -li' - lists files in long format with INODE information

  e3. 'ls -al' - reveals hidden files

Note: Nix-based systems prefix hidden files with a '.'

  e4. 'ls -ld' - reveals attributes of directory entry

 

 f. 'touch' - creates file if non-existent, otherwise updates timestamp info.

 g. 'stat' - reveals FS information about a file

 h. '!command' - invokes the most recent invocation of a command from the command history

 i. 'echo' - prints what you tell it to

 j. 'cat' - catenates content to STDOUT by default

  j1. 'cat test.txt' - dumps file to STDOUT

  j2. 'cat test.txt test2.txt' - catenates test.txt , then, test2.txt to STDOUT

 

 k. 'mkdir' - creates directories

 l. 'rmdir' - removes directories

 m. 'rm -rf' - removes recursively ANY file entry

 n. 'export VAR=value' - sets and exports for use, a variable

  n1. 'export MUSIC=/home/linuxcbt/music'

 o. 'history' - dumps the current SHELL's history

Note: '!item_num' executes the command with the number in the shell's history

 p. 'alias ls='ls -ali' ' - allows you to make shortcuts to commands and options

 

Command Chaining:

'ls ; pwd ; echo "test" ' - commands are independent

'ls && pwd && echo "test" ' - logical ANDing - previous command MUST exit with exit status '0'

'ls || pwd' - command 2 executes if command 1 fails

Note: You may combine and and/or ALL of these features in a single command

 

 q. 'more | less' - 2 common pagers - displays a page full of info.

 r. 'which' - searches the $PATH for the command you are in search of

 

###Redirection###

Features:

 1. Input - STDIN - Standard Input - /dev/fd/0 - keyboard (may also be a file)

 2. Output - STDOUT - Standard Output - /dev/fd/1 - screen (may also be a file)

 3. Errors - STDERR - Standard Error - /dev/fd/2 - error handling

 

Tasks:

 1. Look at STDIN

  a. '<' - explicit indication

Note: When typical STDIN is ommitted, the process usually waits on STDIN for input (keyboard)

Note: 'CTRL-D will exit STDIN stream'

Note: STDIN is typically implicitly referenced by most processes

  b. '>' - explicit indication

Note: Typically routes to a file or the screen (STDOUT)

   b1. 'cat test.txt test2.txt > test3.txt' - clobber mode (auto-clobbers file or creates anew)

  c. '>>' - append redirection - appends to existing file or creates a new file

   c1. 'cat test.txt test2.txt >> test3.txt'

 

  d. 'STDERR' - '2> errors.txt'

   d1. 'ls -l badfile' - dumps STDERR on STDOUT

   d2. 'ls -l badfile 2> errors.txt' - clobbers and creates errors.txt

   d3. 'ls -l badfile 2>> errors.txt' - appends errors to errors.txt

 

 s. watch - executes and updates the output display of the process

 t. tty - echoes the current TTY

Note: GUI Managers spawn Psuedo-terminals: pts0..n

Note: Each pty has a distinct mapping of: fd0(STDIN), fd1(STDOUT), fd2(STDERR), auto-generated by the environment

 

 u. head (dispalys first n lines of file) & tail (dispalys last n lines)

  u1. 'head -n 1', 'tail -n 1' - both display first and last lines

 

 v. file - returns a file's type

  v1. 'file filename' - returns types

 

 w. seq - generates a sequence of numbers

  w1. 'seq 1000'

 

 x. for - looping mechanism

  x1. ' for i in `seq 10`; do echo "Hello World"; done '

  x2. ' for i in `ls -A`; do file $i; done '

 

 y. reset - resets the buffer of the terminal so you may keep track of your activities

 

 z. free - reveals memory usage

 

 

###Tar, Gzip, Bzip2, Zip###

Features:

 1. Archiving

 2. Compression

 

Gzip:

 1. ' gzip -c filename > filename.gz '

  a. 'seq 1000000 > 1million.txt && ls -lh 1mil*' 

  b. 'gzip -c 1million.txt > 1milliong.txt.gz'

   b1. 'zcat 1million.txt.gz' - read the binary gzip format and render ASCII text

  c. 'gunzip 1million.txt.gz '

  d. 'gzip -l 1million.txt.gz' - enumerates stats of file

 

 2. Bzip2

  a. 'bzip2 -c 1million.txt > 1million.txt.bz2 ' - creates compressed file

  b. 'bunzip2 1million.txt.bz2'

  c. 'bzcat 1million.txt.bz2'

 

 3. Zip & Unzip

  a. 'zip 1million.txt.zip 1million.txt' - dest source - creates a zip file

  b. 'unzip 1million.txt.zip' - decompresses

  c. 'zip stuff.txt.zip *txt' - squeezes ALL *txt files in current directory

  d. 'unzip -l filename.zip' - enumerates stats

  e. 'zcat filename.zip' - extract on the fly and dump to STDOUT

 

Note: 'zcat' applies to both: zip & gzip

 

 4. Tar - archiver - rolls one or more files (including directories) into one image

  a. 'tar -cvf alltxtfiles.tar *txt' - roll ALL txt files into 'alltxtfiles.tar'

  b. 'tar -tvf alltxtfiles.tar' - enumerates the contents of the tarball

  c. 'tar -xvf alltxtfiles.tar' - extracts the contents of the tarball

  d. 'tar -xvf alltxtfiles.tar 1000.txt 100k.txt' - extracts specific files from the archive

  e. 'tar -czvf alltxtfiles.tar.gz *txt' - rolls a tarball with gzip compression

  f. 'tar -cjvf alltxtfiles.tar.bz2 *txt' - rolls a tarball with bzip2 compression

 

 

###GREP###

Features:

 1. Line processor

 

Tasks:

 1. Use grep to search for interesting strings

  a. 'grep cat animals.txt' - returns ALL lines containing lowercase 'cat'

  b. 'grep -i cat animals.txt' - returns ALL lines containing either case of 'cat'

  c. 'grep 20 animals.txt'

  d. 'grep "^20" animals.txt - returns lines that are anchored with the string: '20'

  e. 'grep "20$" animals.txt - returns lines that end with the string: '20'

  f. 'grep "^20$" animals.txt - returns lines beginning and ending with the string: '20'

  g. 'grep "^c.*" animals.txt - returns lines beginning with 'c'

  h. 'grep "^[c|d]" animals.txt - returns lines beginning with 'c' OR 'd'

  i. 'grep -v "kernel" /var/log/messages' - returns lines that do NOT contain 'kernel'

  j. 'grep -C 2 'dog' animals.txt' - returns 2 lines above and below matched line

   j1. 'grep -C 2 'ostrich' animals.txt > animals.reduced.list.txt

 

###AWK###

Features:

 1. Field processor

 2. Tokenizes lines into fields and returns them for usage

 3. Matches patterns using Regular Expressions - POSIX - GREP - EGREP

 

 

Tasks:

 1. Use Awk to parse fields

  a. ' awk '{ print $1 }' animals.txt ' - prints field #1 using whitespace delimiters

  b. ' awk '{ print $0 }' animals.txt' - prints the entire line

  c. 'awk -F, '{ print $1 }' - prints field #1 from STDIN

  d. 'awk -F "[,- ]" '{print $2}' - prints field #2 using 3 delimiters 

  e. ' awk '/dog/ { print $0 }' animals.txt ' - matches lines with 'dog' and prints the full line

  f. ' awk -f "[,-; ]" '/dog/ { print $0 }' animals.txt - matches lines with dog with multiple delimiters

  g. ' awk '/dog[gy]/ {print $0}' animals.txt - match lines with 'dog' followed by 'y' or 'g'

 

  h. ' awk '{ if ($2 ~ /20/) print $0 }'  animals.txt  '

  i. awk '{ if ($5 ~ /kernel/) print $0 }' messages - matches lines where field $5 = 'kernel'

 

 

 

###Sed - Stream Editor###

Features:

 1. Manipulate Streams of Text

 2. Support for regular expressions

 3. Command-line

 4. Scriptable

 

Tasks:

 1. ' sed -n '1p' animals.txt ' - prints the first line

 2. 'sed -n '$p' animals.txt ' - prints the last line

 3. 'sed -n 4,9p animals.txt ' - prints lines 4-9

 4. 'sed -n 10,12p animals.txt ' - prints lines 10-12

 5. 'sed -n -e '/^$/d' animals.txt ' - deletes blank lines

 6. 'sed -n '1,2p' animals.txt '

 7. 'sed -n '1!p' animals.txt ' - prints all but line #1

 8. 'sed -n '1,3!p' animals.txt - prints all but lines 1-3

 9. 'sed -n -e 's/cat/BIGCAT/p' animals.txt ' - replaces 'cat' with 'BIGCAT'

10. 'sed -n -e 's/^cat$/BIGCAT/p' animals.txt' - replaces lines that begin and end with 'cat'

11. 'sed -n -e 's/\(.*\)\(;\)\(.*\)/\1\2\3/p' animals.txt - tokenizes matches into usable variables

12. 'sed -n -e 's/;/ /p' animals.txt ' - replaces ';' with space

13. 'sed -n -e 's/[,-;]/ /p' animals.txt ' - replaces ';,-' with space

14. 'sed -e 's/[,-;]/ /p' animals.txt ' - replaces ';,-' with space and prints the full doc to STDOUT

15. 'sed -e '/^$/d' animals2.txt ' - removes whitespace, dumps to STDOUT

16. 'sed -i.bak -e '/^$/d' animals2.txt' - removes whitespaces inline and backs-up original file

 

 

###Perl ###

Features:

 1. Everything

 

Tasks:

 1. Basic RegEx Usage

  a. Ensure that the correct number of arguments are supplied

Note: The execution type governs parameter placement

i.e. 'perltest1.pl ' - ARGV[0] -> first parameter

i.e. '/usr/bin/perl perltest1.pl ' - ARGV[1] -> first parameter

 

 

###System Utilities###

Features:

 1. Administration tools for system performance

 

 

 1. 'runlevel' - reveals the current/previous runlevel

 2. 'uptime' - reveals system uptime, and usage over: 1, 5, 15 minutes

 3. 'ps' - enumerates a list of processes

  a. 'ps' - processes tied to a TTY

  b. 'ps -ef' - ALL processes

  c. 'ps -aux' - ALL processes, plus %MEM, %CPU, etc.

 

 4. 'top' - reveals - uptime, df, %MEM, %CPU, sorts, updated real-time, etc.

  a. 'top' - auto-refreshes every 3 sec.

  b. 'top d5' - auto-refreshes every 5 sec.

 

 5. 'df' - reveals current filesystem usage/allocation

  a. 'df -h'

 

 6. 'mount' - reveals current mounts with key details/allows you to mount/umount

 

 

###User & Group Management###

Features:

 1. Facilitates provisioning and management of users/groups

 

Note: Debian users are indexed @ id: 1000

Note: Debian users default to a gid that matches the uid:

 

Tasks:

 1. Correlate GUI management tool to applicable: /etc/ files

/etc/passwd: - general account information - world readable

linuxcbt:x:1000:1000:LinuxCBT User,Stamford Conn.,888-573-4943,,:/home/linuxcbt:/bin/bash

 

/etc/shadow: - passwords

linuxcbt:$1$7GePLICi$WdWcehUWvY1KNwCZI7VqH/:14672:0:99999:7:::

Fields:

 1. login name

 2. encrypted password

 3. Days since Unix epoch(19700101), password was last changed

 4. Days before password may be changed: 0 = no length required

 5. Days after which password must be changed

 6. Days after password expires that account is disabled

 7. Days since Unix epoch that account is disabled

 8. Reserved

 

 2. Add a new user via the GUI

 

 3. Add a new user via the shell

  a. 'userdel -r dean' - removes the user and $HOME/$MAIL spool directory

  b. 'useradd -d /home/dean dean -g dean'

 

 

###File Permissions - Symlinks###

Features:

 1. Restrictions based on organizational policy - Discretionary Access Control (DAC)

 2. Ability provide multiple views of content - Symlinks

 

File Permissions:

 1. 10-bits - used to represent permissions in Linux | Unix

  1 - leftmost - d (directory), - (file), c (character) (keyboard), b (block device) (storage), l (soft-link)

  2-4 - Correlate to the owner

  5-7 - Correlate to the group

  8-10 - Correlate to the world (everyone)

b rw- rw- --- 1 root disk 8, 1 2010-03-02 09:55 /dev/sda1

Perms Octal: 660

 

Possible Permissions:

 r = read = 4

 w = write = 2

 x = execute = 1

Total Permissions: 7

 

Umask: Governs default permissions assigned to various objects: files & directories

 Files: rw-r--r-- = 644

 Directories: rwxr-xr-x = 755

drwxr-xr-x 2 linuxcbt linuxcbt    4096 2010-03-03 10:38 temp

 

Default Umask: 0022

Total Possible Permissions: 0777 - 0022 = 0755 (directories)

Note: Files further restrict the default umask to 644

 

Permissions Utilities:

 1. chown - change ownership of user and/or group fields

 2. chmod = change the mode (octal)

 3. chgrp = changes the group ownership field

 

Chown Usage:

 ' chown dean 100.txt ' - changes ownership to user named 'dean'

 ' chown linuxcbt.users 100.txt' - changes both: user & group fields

 

Chgrp Usage:

 ' chgrp linuxcbt 100.txt' - changes group ownership of file named: '100.txt'

 

Chmod Usage:

 ' chmod 640 100.txt ' - denies world access

 ' chmod 600 100.txt ' - denies world and group access

 

 ' chmod 744 temp2/ ' - removes 'x' perm from group and world

 

Symbolic permissions Notation:

 1. 'chmod u+x temp2' - enables 'x' permission on directory 'temp2' - owner

 2. 'chmod g+x temp2' - influences group field

 3. 'chmod o+x temp2' - influences other field

 

SETUID - Changes execute permissions on a file to that of the owner

i.e. '/usr/bin/passwd'

Octal: 4755 - leading '4'

-rwsr-xr-x 1 root root 31704 2009-11-14 09:41 /usr/bin/passwd

'find /usr/bin -4755' - find SETUID objects

 

SETGID - Causes files to inherit group permissions from top-level container

'chmod 2755 directory_name'

'chmod g+s directory_name'

 

'mkdir /project'

'chown root.users /project'

'chmod 2755 /project'

 

STICKY BIT - 't' in the world field - ensures users may share a common directory: '/tmp'

 

 

###Symbolic Links###

Features:

 1. Create shortcuts to objects on the file system

 2. Support for 2-types of symlinks: soft (file containers) & hard (inodes)

 3. Soft-links support directories

 4. Hard-links do NOT support directories

 5. Soft-links may traverse file systems, hard-links may not - due to inodes

 6. Removal of soft-links will not remove the source content

 7. Removal of the only hard-link, removes the file for good

 8. Soft-links are of file type: 'l'

 

Usage:

 1. 'ln -s source target'

  a. 'ln -s ../perltest1.pl .' - creates a soft-link of the same name as the source

Note: Soft-links depend heavily/entirely upon the filename container of the source file

 

  b. 'ln -s /etc .' - creates a soft-link to /etc

 

 2. Hard Links - omitt the 's' option

  a. 'ln ../perltest1.pl' - creates a hard-link, upping the reference count

  b. 'ln perltest1.pl newhardperltest1.pl' - creates a hard-link with alternate name

Note: Hard-links always reference the same inode using the same and/or alternate names

Note: Soft-links are assigned distinct inodes, which ultimately reference the source file's name

 

  c. Create hard-links with different permissions

   c1. 'ln /home/linuxcbt/Debian_5x/perltest1.pl && chmod 644 perltest1.pl'

 

###Partitions & File Systems###

Features:

 1. Provisioning of storage

 

 

Task:

 1. Provision storage for project users to be mounted @: /project

  a. GParted - used to create partition and allocation FS

  b. mount the newly-created file system

   b1. 'mount /dev/sdb1 /project' - mounts /dev/sdb1 @ /project

Note: If data exist at the mount point, they will not be available post-mount

Note: Move data pre-mount

  c. Ensure that mount is available at system restart: /etc/fstab

   c1. 'mount -a' - auto-mounts entries in: /etc/fstab

 

 2. Provision storage manually

  a. fdisk

   a1. 'fdisk /dev/sdc' - manages '/dev/sdc'

   a2. 'n - p - 1 - +4096M' - creates a new, primary partition #1 of size: 4GB

   a3. 'p - w' - print table, and write changes to the disk

  b. FS overlay

   b1. 'mkfs.ext3 /dev/sdc1' - creates an ext3 FS on: /dev/sdc1

  c. Mount FS

   c1. 'mount /dev/sdc1 /project4G' - mounts partition to: /project4G

Note: You may mount the sambe block of storage more than once: /project & /project4G

Note: This allows you to apply top-level directory container permissions individually

 

 3. Provision: ext4 storage manually

  a. fdisk

  b. FS overlay

  c. mount and update: /etc/fstab

 

 

###Provision of Swap Space###

Features:

 1. Additional memory for processes

 2. Managed by the kernel, dynamically

 3. Can be allocated dynamically

 4. Can be allocated as a file and/or partition (preferred)

 

 

Tasks:

 1. Allocate swap with GUI

  a. Allocate

  b. enable - 'swapon /dev/sdd1' - enables swapping for the current uptime

  c. 'swapon -s' - lists swap devices (partitions and/or files) - shows distribution of swap

Note: 'free ' simply shows the total swap and usage

  d. 'swapon -a' - enables swap from /etc/fstab

  e. Update: /etc/fstab to apply swap storage upon reboot

  f. 'swapoff /dev/sdd1' - disables swapping on device (partition or file)

 

 2. Allocate swap from the shell - using fdisk

  a. 'fdisk /dev/sdd'

  b. create swap partition - change type to 'linux swap'

  c. 'mkswap /dev/sdd2' - creates swap file system on /dev/sdd2

  d. 'swapon /dev/sdd2 && free -m' - makes swap available to kernel and dumps mem usage

Note: 'fdisk' will sometimes fail to update the partition table if the disk is in use

 

 3. Allocate swap from a file

  a. 'dd if=/dev/zero of=/project/swapfile bs=1024 count=524288' = generates .5G file with zeroes

  b. 'mkswap /project/swapfile' - makes file usable for swapping

  c. 'swapon /project/swapfile' - enables swapping

  d. 'swapoff -a' - disables all swapping for entries listed in: /etc/fstab

 

 

###Logical Volume Management (LVM)###

Features:

 1. Aggregates storage

 2. Storage of disparate types: i.e. SATA, PATA, SCSI, FireWire, Fibre Channel, et cetera

 3. Volume sets & stripe sets

 4. Extendable, resizable

 

LVM Concepts:

 Storage Hierarchy:

Logical Volume (FS goes here)

  -Volume Groups (Aggregate Physical LVM Volumes)

    -Physical Volumes (i.e. /dev/sdd3, /dev/sdd4, etc.)

 

Tasks:

 1. Create an LVM volume based on 2 partitions

  a. create 2 LVM paritions using fdisk - type = 8e(LVM)

  b. create PVs - 'pvcreate /dev/sdd3 /dev/sdd5'

  c. create VG - 'vgcreate volgroup001 /dev/sdd3 /dev/sdd5' - allocates PVs to VG

  d. create LV - 'lvcreate -L 2.5GB volgroup001' - creates 2.5GB LV

  e. overlay FS on LV - 'mkfs.ext3 /dev/volgroup001/lvol0'

  f. Test volume accessibility and update: /etc/fstab

 

 

 2. Explore '*scan' utilities

  a. 'pvscan' - enumerates physical volumes

  b. 'vgscan' - enumerates volume groups

  c. 'lvscan' - enumerates logical volumes

  d. 'lvrename name_of_volume_group old_logical_name new_logical_name' && 'lvdisplay' || 'lvscan'

  d1. 'lvrename volgroup001 lvol0 logvol0 ' - renames logical volume immediately

Note: If the logical volume and/or volume group name changes, update: /etc/fstab

Note: 'umount' if necessary prior to 'mount -a'

 

 3. Add new storage to LVM

  a. 'fdisk /dev/sdd' - allocate more storage of LVM partition

  b. 'pvcreate /dev/sdd6' - allocate partition for LVM

  c. 'vgextend volgroup001 /dev/sdd6'

  d. 'lvextend /dev/volgroup001/logvol0 -L +1G' - extends the logical volume by 1G

  e. 'resize2fs device newsize'

   e1. 'resize2fs /dev/volgroup001/logvol0 3G' - online resizing (ext3 only)

'

Note: Caveat: online shrinking is not supported. Shrink offline by dismounting 'umount' the volume

 

###Package Management###

Features:

 1. Provision/maintain packages

 2. Multiple tools: apt-*, dpkg, aptitude, GUI

 

Tasks:

 1. Explore GUI - 'Synaptic' - front-end to: 'apt-get'

 2. Explore 'dpkg'

  a. 'dpkg -l' - enumerates all packages

  b. 'dpkg -L openssh-client' - enumerates contents of package

  c. 'dpkg -S /usr/bin/scp' - returns package membership of: /usr/bin/scp

  d. 'dpkg -i package_name.deb - FS' - installs the .deb file from the file system

  e. 'dpkg -r package_name in DB' - removes the package

 

 3. Explore 'aptitude'

Features:

 1. Interactive

 2. Non-interactive

 

Tasks:

 1. Non-interactive usage of 'aptitude'

  a. 'aptitude search ssh' - returns installed/non-installed matches from DB

Note: The package DB is built by the indexed sources: /etc/apt/sources.list

 

  b. 'aptitude install tofrodos' - queries the DB for source location and installs (prompts if media is missing)

  c. 'aptitude remove tofrodos' - removes package named: 'tofrodos.*'

  d. 'aptitude' - runs interactive

   d1. 'search for package and toggle '+' to mark for installation

 

Note: A 'task' can consist of contradictory actions: install, remove, etc.

 

###RunLevels###

Features:

 1. Ability to control system in a variety of modes

 2. Profiles for services/daemons

 

BIOS -> GRUB -> INITRD/KERNEL -> INIT (PID=1) -> RUNLEVELS

 

Default Runlevel = 2: /etc/inittab

Note: Usually, multi-user runlevels are cumulative: i.e. runlevel 2 includes daemons from runlevel 1

 

RunLevels 0-6, 7-9(optional, seldom-used):

 0 - shut down - power-off, if ACPI support or similar

 1 - single user - multi-user support is disabled - networking is disabled

 2 - default, multi-user mode - for Debian

 3 - typical default, multi-user mode, for most distribution - identical to 2

 4 - unused - identical to 2

 5 - unused - identical to 2

 6 - reboot - shuts services/daemons and resets the system, soft-restart

 

/etc/init.d - container of ALL system daemons - implemented as shell scripts

/etc/rc* - run-control directories for the various runlevels

 - Scripts begin with: 'K' (Kill) or 'S' (Start)

 - Scripts also include numeric identifier used for sorting: ascending

Note: /etc/rc* - are containers of: K and S scripts that are symlinked to: /etc/init.d

Note: Default runlevel = 2, however, runlevels 2-5 are identical

Note: Enter programs that MUST run with each invocation into: /etc/rc.local

Note: INIT scripts are called with prefixes of: 'S' or 'K'

Note: 'S' prefix causes the process to start

Note: 'K' prefix causes the process to stop

 

###Job Scheduler - Cron###

Features:

 1. Job Scheduler

 2. Per-user execution - /var/spool/cron/crontabs/$USER

 3. System-wide execution - /etc/crontab

 4. Flexibility: minute, hour, days of the month i.e. (24-28), months i.e. (9-12)

 5. Cron awakes every minute, and queries for changes in schedules

 6. Cron mails the owner of the job, the STDOUT of the job, if an error

 

Tasks:

 1. 'dpkg -L cron'

 2. Define a per-user crontab entry: user=linuxcbt

  a. 'crontab -e' - launches default editor and allows us to setup job in: /var/spool/cron/crontabs/$USER

  b. 'crontab -l' - enumerates user's cron table

 3. As 'root' manipulate 'linuxcbt's' crontab entries

 

 4. Evaluate system-wide crontab: /etc/crontab

Note: 'run-parts' executes ALL executable scripts in a directory

Note: /etc/crontab contains a field to indicate the user with which the process is to execute

 

/etc/anacrontab - contains schedule of missed cron items to be executed

 

/etc/cron.allow - if exists, account name must exist in it, in order to use cron

/etc/cron.deny - if exists, account name must NOT exist in it, in order to use cron

 

###Syslog - rsyslogd - rsyslog###

Features:

 1. Logging via Unix domain sockets

 2. Logging via TCP/IP: UDP:514 || TCP:514

 3. Facilities and Levels control routing of log entries

 4. Derived from 'sysklogd'

 5. Auto-creates directories defined in: /etc/rsyslog.conf, unlike traditional Syslog

 

Primary Config File: /etc/rsyslog.conf

 

Tasks:

 1. Explore: /etc/rsyslog.conf

Note: UDP:614, TCP:514 are both disabled by default: Enable via: /etc/rsyslog.conf

Note: Log files are flagged: 0640 by default, and permissions: root:adm

 

Note: Facilities & Levels are indicated using the following nomenclature:

facility.level  -> Target

auth.* /var/log/auth.log - captures 'auth' facility at ALL levels and routes to file

*.* - captures ALL facilities at ALL levels

 

 2. Route Cisco Router Traffic to rsyslogd

  a. Determine the facility and level to use

   a1. 'local4.info'

  b. Configure rsyslog to accept Cisco router traffic at: local4.info

   b1. 'local4.*  /var/log/cisco/ciscorouter.log'

  c. Enable rsyslog UDP listener and restart rsyslog

  d. Exclude Cisco local4.* records from catch-all rules except debug: /var/log/syslog

 

 3. Forward a copy of local4.* to remote RedHat box: 192.168.75.11

  a. server: /etc/syslog.conf - 'local4.*  /var/log/cisco/ciscorouter.log'

  b. client: /etc/rsyslog.conf - 'local4.* /var/log/cisco/ciscorouter.log,@192.168.75.11'

Note: RedHat default Syslog doesn't create directories. However, catch-all rule captures local4.* traffic

  c. Update: /etc/hosts and: /etc/rsyslog.conf to use hostname

 

###Syslog-NG###

Features:

 1. All provided by Syslog: facilities.levels

 2. Filtration of content

 

Tasks:

 1. Install syslog-ng

Note: Removes 'rsyslog' by default

 

 2. Explore Syslog-NG configuration

Note: a. Syslog-NG requires 3-components per configuration

 

Source - required - Unix Domain Sockets, UDP, etc.

 

1. Filter - includes facilities.levels

2. Destination - file, other syslog hosts, console, etc.

3. Log - sends source, filters to destination

 

filter f_local { facility(local4); };

destination d_cisco { file("/var/log/cisco/ciscorouter.log"); };

log { source(s_all); filter(f_local); destination(d_cisco); };

 

Note: 'invoke-rc.d' - equivalent to: 'service' in RedHat, or 'rc' prefix in SuSE Linux

 

4. Extend destination to route to UDP target

destination d_cisco { file("/var/log/cisco/ciscorouter.log"); udp("192.168.75.11"); };

 

5. Filter traffic from Cisco Router & PIX Firewall, using the same facility, to different files:

 

###Cisco Router Block - based on LOCAL4##

filter f_cisco_router { facility(local4) and match("192.168.75.1"); };

destination d_cisco_router { file("/var/log/cisco/ciscorouter.log"); };

log { source(s_all); filter(f_cisco_router); destination(d_cisco_router); };

 

###Cisco Firewall Block - based on LOCAL4##

filter f_cisco_firewall { facility(local4) and match("192.168.75.2"); };

destination d_cisco_firewall { file("/var/log/cisco/ciscofirewall.log"); };

log { source(s_all); filter(f_cisco_firewall); destination(d_cisco_firewall); };

 

 

 

###Log Rotation###

Features:

 1. Auto-rotation of logs based on defined criteria: (size|time)

 2. Compression

 3. Multiple criteria

 4. Supports forced rotations, overriding criteria

 

Tasks:

 1. Explore 'logrotate' package

/etc/logrotate.d - monitored directory (Default)

/etc/logrotate.conf - primary config file - contains sensible defaults

Note: If a log file does NOT have a more specific logrotate file, the global file directives apply

/etc/cron.daily/logrotate - executes daily

 

Note: Logrotate will rotate any log file regardless of the source generator

 

 2. Define Cisco log rotation rules in: /etc/logrotate.d/syslog-ng

Note: We reference the: /etc/logrotate.d/syslog-ng file because syslog-ng governs the logging of messages received from the cisco devices

Note: However, you may place your directives in ANY of the included log files

 

  a. 'logrotate -v -d /etc/logrotate.conf' - rotate simulation

 

 

###Common Network Utilities###

Features:

 1. Find other hosts - PING

 2. Check service availability | ability - Telnet

 3. Network statistics - netstat

 4. Interface configuration - ifconfig

 5. Path to remote systems - traceroute, tracepath

 6. Name resolutions - nslookup , dig, host, whois

 

 

Tasks:

 1. Packet Internet Network Groper (PING) - Diagnostics Utility

  a. 'ping hostname' - sends an unlimited number of packets, by default

   a1. 'ping -c 3 hostname' - sends 3 packets to remote host

Note: PING generates ICMP echo-requests and expects ICMP echo-replies from the target

 

 2. Telnet - tests availability of remote ports | also provides TTYs

  a. 'telnet 192.168.75.1 80' - checks connectivity to TCP:80

Note: You may test ports: 0-65535 || 2^16

 

 3. Netstat

  a. 'netstat -a' - returns ALL sockets: UDP:TCP:Unix

  b. 'netstat -nulp' - reveals UDP listeners sans name resolution, but with programs/PIDs

  c. 'netstat -ntlp' - "" TCP ""

  d. 'netstat -i' - dumps active interfaces

  e. 'netstat -rn' - dumps routing table

 

 4. Address Resolution Protocol (ARP) - translates between layer2 & layer3 addresses

Note: Every NIC contains a unique layer-2 MAC address

  a. 'arp' - dumps the ARP table

  b. 'arp -n' - excludes name resolution

  c. 'arp -d IP' - deletes entry from ARP table

 

Note: Arp will use the entry for your gateway when communicating with routed hosts

 

 5. Traceroute - traces path between client & server || host-A & host-B

Supports multiple methods: ICMP, UDP, TCP

Uses ICMP TTL to determine number of hops between source and destination

Note: Initial ICMP TTL = 1 - for your default gateway

Note: After discerning default GW, traceroute increments ICMP TTL to 2.

Note: Default method is to use UDP:33434 & increment per hop found

Note: However, default method isn't always fruitful. Try other methods: ICMP, TCP

  a. 'traceroute 192.168.75.1' - default route

  b. 'traceroute www.linuxcbt.com'

 

ICMP TTL HOST Probe1 Probe2 Probe3

  1  192.168.75.1 (192.168.75.1)  0.643 ms  0.471 ms  0.547 ms

 2  bras11-l0.mrdnct.sbcglobal.net (204.60.4.47)  12.760 ms  14.205 ms  16.387 ms

 

  c. 'tracepath www.linuxcbt.com' - returns route and MTUs if possible

 

Nslookup - Non-interactive | Interactive - searches default DNS servers: /etc/resolv.conf

  1. 'nslookup www.linuxcbt.com' - non-interactive query

  2. 'nslookup' - enters interactive mode

 

DIG - non-interactive

  1. 'dig www.linuxcbt.com'

  2. 'dig linuxcbt.com mx | ns' - returns mx | ns records respectively

  3. ' dig -x IP ' - reverses the query and returns the PTR record

 

Host - non-interactive

  1. 'host www.linuxcbt.com' - returns forward IP address

  2. 'host -C linuxcbt.com' returns SOA records

 

Whois - Searches for various objects: IPs, domains, etc.

  1. 'whois linuxcbt.com'

 

 

###IPv4 Configurations###

Features:

 1. Interface Configuration - 'ifconfig'

 2. DHCP and/or Static Configuration support

 3. Virtual (sub) interfaces - IPv4 aliases

 4. Displays important metadata for various OSI layers, errors, diagnostics, etc.

 

Tasks:

 1. 'ifconfig' - dumps current configuration of active interfaces

Note: You should ALWAYS see the 'loopback' interface

Note: 'gnome-nettool' - provides ifconfig info., as well as various utilities

 

 2. Use 'ifconfig' to define a new IPv4 sub-interface of: eth0

  a. 'ifconifg eth0:1 192.168.75.31' - temporarily assigns the address for the uptime of the box

Note: Sub-interfaces allow applications, i.e. Apache, to bind services to them

 

 3. Restart 'networking' service and confirm interface availability

Note: temporary sub-interface survives restart of 'networking' service, but NOT stop|start

 

 4. Ensure that sub-interface persists reboots

  a. '/etc/network/interfaces' - primary interface configuration file

   'ping -I 192.168.75.32 ping 192.168.75.31'

 5. Explore ALL interfaces:

  a. 'ifconfig -a' - enumerates ALL active | non-active interfaces

 

 6. Remove interfaces:

  a. 'ifconfig del eth0:1 192.168.75.31' - removes for the session: eth0:1

  b. 'ifconfig del eth0:2 192.168.75.32' - removes for the session: eth0:2

 

 

###IPv6 Configuration###

Features:

 1. Self-configuring

 2. Based on 128-bit addresses, vs. 32-bit address space for: IPv4 approx. 4billion addresses

 3. Enabled by default

 4. Typically configured via router

 5. Incorporates the MAC address of the connecting NIC

Note: MAC addresses use 48-bits

 6. IPv6 addresses are subnetted with /64, which means: /64 for nets & /64 for hosts

 

Tasks:

 1. Explore ifconfig configuration

inet6 addr: ::1/128 Scope:Host - loopback configuration

 

'ifconfig'

eth0      Link encap:Ethernet  HWaddr 00:0c:29:4d:e5:2c  

          inet addr:192.168.75.30  Bcast:192.168.75.255  Mask:255.255.255.0

          inet6 addr: 2002:4687:db25:2:20c:29ff:fe4d:e52c/64 Scope:Global

          inet6 addr: fe80::20c:29ff:fe4d:e52c/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:2269277 errors:0 dropped:0 overruns:0 frame:0

          TX packets:2204154 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:159602581 (152.2 MiB)  TX bytes:1029103297 (981.4 MiB)

          Interrupt:18 Base address:0x1400 

 

 

Note: Routable IPv6 interfaces define by default a link-local address that is routable on the layer-2 broadcast domain (VLAN)

Note: Routable IPv6 interfaces will also auto-configure IPv6 addresses from edge devices: routers, firewalls, layer-3 switches

 

inet6 addr: fe80::20c:29ff:fe4d:e52c/64 Scope:Link

Note: IPv6 safely ignores leading zeroes

 

6-to-4 Address configured on router and distributed automatically:

6-to-4 Addresses include:

 1. 2002 prefix - 48-bits

 2. Embedded IPv4 routable address - 32-bits

 3. MAC address of the host - 48-bits

inet6 addr: 2002:4687:db25:2:20c:29ff:fe4d:e52c/64 Scope:Global

 

Note: IPv6 address fully reveal your client's, or NIC's identity, as well as your IPv4 Internet presence if using 6-to-4 routing

 

Note: Edge devices, including DHCP6 servers, simply provide the IPv6 prefix. i.e. /64

 

 

###Trivial File Transfer Protocol###

Features:

 1. Fast, connectionless (UDP-based) file transfers

 2. Used primarily with network devices: routers, switches, firewalls, VOIP phones, PXE clients

 3. PXE installations/booting support

 4. Runs via INETD

 

Task:

 1. Install 'atftpd' & 'atftp'

Note: Default installation sets-up: /etc/inetd.conf & invokes the service

Note: Default configuration binds to: UDP:69

Note: Default monitor directory: /var/lib/tftpboot

 

 

 2. Backup Router configuration via ATFTPD

  a. 'copy running-config tftp://192.168.75.30/ciscorouter.config'

 

Note: ATFTPD auto-configures the appropriate permissions to facilitate writes to directory

  b. Pull configuration from ATFTPD

   b1. 'copy tftp://192.168.75.30/ciscorouter.config running-config'

   b2. 'wr mem' - copies running-config startup-config - for persistence across reboots

 

 3. Backup Firewall Configuration via ATFTPD

  a. 'tftp-server inside 192.168.75.30 /pixfirewall.config' - sets variable in PIX config

  b. 'wr mem' - saves configuration for persistence

  c. 'wr net' - dumps configuration to Net location

 

 4. Connect from Linux TFTP client on RedHat box

  a. install 'tftp' client

  b. 'tftp -v 192.168.75.30 -c get ciscorouter.config' - get file from TFTP server

  c. 'tftp -v 192.168.75.30 -c put scp*' - put file to TFTP server

 

 

###File Transfer Protocol Daemon Service###

Features:

 1. Supports authentication

 2. Connection-oriented - TCP:21 - control channel, arbitrary TCP ports for data channels

 3. Supports Passive and Active communications

  a. Active = fixed port - TCP:20

  b. Passive = dynamically allocated ports - TCP:55000 - 56000

 

Tasks:

 1. Explore configuration

/etc/vsftpd.conf - primary config file

/etc/logrotate.d/vsftpd

/etc/init.d/vsftpd - standalone /etc/init.d runscript

 

Note: Post-installation, VSFTPD runs as an anonymous, IPv4 FTPD server

 

 2. Enable Anonymous access

  a. uncomment anonymous-related directives

 

 3. Enable local users & chroot them

  a. 'local_enable=YES' - enables authenticated access

  b. 'chroot_local_user=YES' - forces chroot jail 

 

 

 

###LFTP###

Features:

 1. Sophisticated FTP client access

 2. FTP, FTPS, SFTP, HTTP - multiple protocols

 3. Content mirroring - forward (default/pull) and reverse (put)

 4. Functions: interactively/non-interactively

 5. Scriptable - batch-mode

 6. Maintains command-history

 7. Interactive environment is BASH-like

 8. Supports tab-completion

 

Tasks:

 1. Explore package contents

/usr/bin/lftp - key binary

/etc/lftp.conf - key global config

 

Note: 'set -a' - produces the possible directives supported by LFTP

 

 

 2. Upload/Download items

  a. 'open -u linuxcbt localhost' - connects to local FTPD

Note: This simply builds the connection string. The connection will not be used until a command that requires the connection is excuted. i.e. 'ls'

Note: FTP Servers maintain control (credentials) and data (data transfers) connections

 

  b. '!bash' - exits temporarily to the shell

 

 3. Create a simple script to upload and download items

  a. 'lftp -f lftpscript1.lftp' - executes LFTP non-interactively, batch-mode

 

 4. Download using HTTP

  a. 'lftp http://192.168.75.50/RH54' - allows you to explore HTTP server

 

 5. Upload/Download using SSH

  a. 'lftp -u linuxcbt sftp://192.168.75.50'

 

 6. Rate-limit

  a. 'set net:limit-rate 500' - limits transfers to 500Bps

 

 7. Background/Foreground jobs

  a. 'CTRL-Z'

  b. 'fg' - brings the job to the foreground

  c. 'jobs' - enumerates current job status

 

 8. Mirroring

  a. 'mirror -v work/' - mirrors 'work' directory by pulling to client

  b. 'mirror -v -R work/' - mirrors 'work' directory remotely by putting differences

 

Note: If you need to pull items non-interactively, consider: 'wget' and/or 'curl'

 

###TelnetD###

Features:

 1. Virtual Terminal Access: vty

 2. Clear-text based: not secure, but fast

 3. May save you in the event that SSH is unavailable

 

 

Tasks:

 1. Installation - installs via INETD and enables by default

 2. Test connectivity

Note: Default Debian installation does NOT install SSHD, however, SSH client is installed

Note: Succesfull Telnet authentication will echo: /etc/motd

Note: Install telnetd, but disable in: /etc/inetd.conf untill needed

Note: INETD is managed via: /etc/init.d/openbsd-inetd

Note: INETD-spawned services/daemons remain open/running until sessions have been terminated

Note: TELNETD uses the same PTS, or, pseudo-terminal allocation as SSHD

Note: TELNETD supports SSL, however, client support is sparse. Use SSHD instead

Note: TELNETD is NOT a SECURETTY, and 'root' may not use it by default

Note: SSHD shares the same pseudo-terminals, however, SSHD is inherently secure

 

 

###Dynamic Host Configuration Protocol (DHCP)###

Features:

 1. Automatic client configuration

  a. IP address

  b. subnet mask

  c. default gateway/router

  d. WINS server(s)

  e. NTP server(s)

  f. PXE configuration

 2. UDP-based

 3. Broadcast-based

 

 

Tasks:

 1. Disable DHCP on Cisco router

  a. 'no ip dhcp pool DEFAULT75'

 

 2. Install DHCP Server

  a. 'dpkg -L dhcp3-server' - enumerates embedded files

/etc/dhcp3/dhcpd.conf - primary config file

/var/lib/dhcp3 - primary container for leases

 

 3. Prep /etc/dhcp3/dhcpd.conf for production

 

# 192.168.75.x Definition

subnet 192.168.75.0 netmask 255.255.255.0 {

  range 192.168.75.20 192.168.75.49;

#  option domain-name-servers ns1.internal.example.org;

  option domain-name "linuxcbt.internal";

  option routers 192.168.75.1;

  option broadcast-address 192.168.75.255;

#  default-lease-time 600;

#  max-lease-time 7200;

}

 

 4. Route LOCAL7 via Syslog

 

 5. Start DHCP server and test configuration

 

dhcpd.leases - primary lease file

 

Note: DHCP clients & servers participate in the: DORA process

Discover Offer Response Acknowledgement (DORA)

 

lease 192.168.75.20 {

  starts 4 2010/03/18 14:47:57;

  ends 5 2010/03/19 14:47:57;

  cltt 4 2010/03/18 14:47:57;

  binding state active;

  next binding state free;

  hardware ethernet 00:11:43:76:1f:67;

  uid "\001\000\021Cv\037g";

  client-hostname "linuxcbtwin3";

}

 

 

###BIND - DNS###

Features:

 1. Name-to-IP resolution - forward DNS

 2. IP-to-Name resolution - reverse DNS

 

Tasks:

 1. Install BIND

/etc/bind/named.conf - primary config file

/usr/sbin/named - primary DNS server binary

 

 2. Update DHCP to route clients to BIND instance

 

 3. Default Caching-Only instance

 

 4. Query the DNS server from multiple hosts

  a. 'dig @192.168.75.30 www.linuxcbt.com'

Note: Caching-only servers hold records for the TTL duration permitted by the authoritative name servers

Note: Initial query is usually slower (considerably), than subsequent queries

Note: DNS records may share or sport distinct TTLs

 

 5. Setup Primary DNS - NS - Authoritative server for a zone

  a. Use: /etc/bind/db.local as template

  b. define 'linuxcbt.internal'

  c. Updated: /etc/bind/named.conf.local to reference the zone: 'linuxcbt.internal'

  d. Restart named

 6. Perform queries against primary DNS server from various clients

Note: Primary DNS configuration does not disable caching-only configuration. It's cumulative

 

 

 6. Setup Secondary DNS - NS - Authoritative server for a zone

  a. Use: /etc/bind/db.linuxcbt.internal as template

 

 zone "linuxcbt.internal" {

                type slave;

                file "slaves/linuxcbt.slave.internal.zone.db";

                masters { 192.168.75.30; } ;

                // put slave zones in the slaves/ directory so named can update them

        };

 

 

 

 7. Reverse DNS configuration - IPv4

  a. Will use: '*.in-addr.arpa'

  a1. '75.168.192.in-addr.arpa'

  a2. 'cp db.127 db.192.168.75' - copy template reverse file & include reverse records for NS servers

  a3. update: /etc/bind/named.conf.local

zone "75.168.192.in-addr.arpa" {

        type master;

        file "/etc/bind/db.192.168.75";

};

 a4. Restart & test with queries

  a4.1 'dig @192.168.75.30 -x 192.168.75.30' - executes reverse query against specific DNS box

 a5. Include more reverse records

 

 a6. Replicate reverse IPv4 zone to secondary system

 ###Our Slave Zone for: 192.168.75.0/24###

         zone "75.168.192.in-addr.arpa" {

                type slave;

                file "slaves/db.192.168.75.zone";

                masters { 192.168.75.30; } ;

                // put slave zones in the slaves/ directory so named can update them

        };

 

 

8. Reverse zone for: IPv6

Note: Reverse IPv6 zone requires: reverse nibble notation

Note: A nibbile, is half a byte or 4-bits

2002:4687:db25:2:20c:29ff:fe4d:e52c/64

2 0 0 2 4 6 8 7...

 

 

 a. Define a zone statement to handle the reverse IPv6 zone

Note: Split 128-bit address into 2-regions, subnet/host ID i.e. /64-based

Note: Reverse the bits of the network using nibble notation

Note: Be sure to expand all zeroes!

2002:4687:db25:2:

2002:4687:db25:0002

 

 zone "2.0.0.0.5.2.b.d.7.8.6.4.2.0.0.2.ip6.arpa" {

    type master;

    file "db.2.0.0.0.5.2.b.d.7.8.6.4.2.0.0.2.ip6.arpa";

}

 

 b. Define individual IPv6 reverse entries based on: right-most host ID

2002:4687:db25:2: 20c:29ff:fe4d:e52c/64 - linuxcbtdeb1

 

 c.2.5.e.d.4.e.f.f.f.9.2.c.0.2.0    IN    PTR    linuxcbtdeb1.linuxcbt.internal.

 

 d. Perform reverse queries

  'dig @192.168.75.30 -x 2002:4687:db25:2:20c:29ff:fe4d:e52c'

 

 e. Insert reverse IPv6 addresses for other hosts

2002:4687:db25:2:202:b3ff:feb8:a00

 

  '0.0.a.0.8.b.e.f.f.f.3.b.2.0.2.0    IN    PTR    linuxcbtsuse1.linuxcbt.internal.'

 

2002:4687:db25:2:20c:29ff:fe75:3bf6

 

  ' 6.f.b.3.5.7.e.f.f.f.9.2.c.0.2.0    IN    PTR    linuxcbtserv1.linuxcbt.internal.'

 

 f. Replicate configuration to RedHat server

 

 

###Samba###

Features:

 1. Lan Manager/NETBIOS-like server for Linux | Unix -based systems

 2. Publish shares

 3. Publish printers

 4. Authenticate to AD

 

 

Tasks:

 1. Install Samba support

Note: Either client or server requires the 'samba-common' package

 

Note: 'smb.conf' is the primary config file with settings for: clients & servers

 

 2. Explore key clients

  a. /usr/bin/smbtree - functions akin to network neighborhood (enumerates SMB hosts) - Uses broadcast and WINS(if defined)

 - Also returns workgroups, and shares

  b. 'smbtree'

 

/usr/bin/smbclient - permits connections to shares - interactively - FTP-like

Note: MacOSX also includes 'smbclient'

  c. 'smbclient -U dean //linuxcbtwin1/LinuxCBT'

 

 

  d. SMBGet - like 'wget'

   d1. 'smbget -u administrator smb://linuxcbtwin1/LinuxCBT/1million.txt'

 

  e. SMBTar - like 'smbget' but rolls items into a tarball

   e1. 'smbtar -s linuxcbtwin1 -x temp2 -p "abc123" -u dean -t linuxcbtwin1.backup.tar'

 

 

 3. Install Samba Server

  a. Explore the configuration

Note: Samba is implemented primarily as 2 daemons:

 1. 'smbd' - server message block daemon - SMB/CIFS requests for file & print services

 2. 'nmbd' - name registrations - WINS connectivity

 

/etc/init.d/samba - INIT script for both daemons

/etc/samba - top-level container (directory) for Samba configuration files

/usr/sbin/nmbd - NETBIOS Name Daemon

/usr/sbin/smbd - SMB/CIFS - File & Print Server

/etc/samba/smb.conf - primary, monolithic config file, managed manually and/or by SWAT

Note: It is recommended that you select 1 method of: smb.conf management: SWAT or manual

Note: /var/log/samba/log.%m - each SMB/CIFS client spawns a distinct log file

 

  b. Start Samba Server

   b1. 'invoke-rc.d samba start' - this starts 'smbd' & 'nmbd'

 

Note: 'smbd' binds to TCP:139 for IPv4 & IPv6 for SMB service

Note: 'smbd' ALSO binds to TCP:445 for IPv4 & IPv6 for CIFS services

Note: 'nmbd' binds to UDP:137 & UDP:138 for NETBIOS Name support

Note: Samba dynamically generates $HOME shares for connecting clients

Note: These $HOME shares do NOT appear in 'smbtree' dumps

 

 

###Samba Samba Web Administration Tool (SWAT)###

Features:

 1. Web-GUI to manage Samba

 

/usr/sbin/swat - primary binary

 

Tasks:

 1. Explore Interface

  1a. http://localhost:901

  1b. Documentation

  1c. Globals - globals area of: smb.conf - global directives - NETBIOS Name, Network info, etc.

 

Note: SWAT, upon invocation, loads directives from: smb.conf

Note: SWAT presents 2 views:

 1. Basic - reflects commonly-referenced, important, directives

 2. Advanced - reflects ALL Samba-supported directives

 

 2. Manage Users using 'smbpasswd'

  2a. 'smbpasswd -a linuxcbt'

 

###NFS####

Features:

 1. Transparent access to remote file systems

 2. Ability to consolidate and centralize storage

 3. Roaming users

 

 

Tasks:

 1. Explore client package: 'nfs-common'

  1a. 'showmount linuxcbtdeb1'

 

 2. Install NFS-Kernel-Server

 

 3. Export directories

  3a. 'nano /etc/exports' - include '/public' - read only

  3b. 'showmount --all linuxcbtdeb1' - reveals currently mounted systems and shares

  3c. publish content: /public with various permissions for various hosts

    'nano /etc/exports' - include updates

    'exportfs -r' - re-exports items listed in: /etc/exports - removes old rule(s) and publishes new rules

Note: By default, 'root_squash' is enabled on ALL NFS exports

Note: Root squashing equates the client 'root' user to the server's 'nobody' user

 

 

###File System in User Space (FUSE)###

Features:

 1. Permits non-root users the ability to mount FSs into user-space

 

 

Tasks:

 1. Install fuse-utils & fuseiso

  1a. using Synaptic

 2. Download ISO image

 3. Use FUSE (fuseiso) to mount the image

  3a. 'fuseiso -p filename.iso isotemp/' - auto-creates 'isotemp/' target and deletes it upon closing/unmounting

Note: FUSE mounts using i.e. 'fuseiso' are viewable by the owner of the mount only, by default

Note: /etc/

 

Note: non-root users must be made members of: 'fuse' group in order to use 'fuse'

 

 4. Install SSHD - so we may generate a new environment for the user to use 'fuse'

Note: By default, event 'root', is unable to interact with FUSE-mounted virtual file systems mounted by other users

 

Note: http://fuse.sourceforge.net/ - explore other modules

Note: Underlying FS is ultimately responsible for DAC permissions

 

 

###Apache Web Server###

Features:

 1. De facto standard HTTP server

 2. Modular

 3. Supports IPv6 (implies IPv4) by default

 

Tasks:

 1. Confirm installation/explore packages

/etc/apache2 - top-level, configuration file container

/etc/apache2/conf.d - top-level configuration script container

/etc/apache2/conf.d/apache2-doc - documentation config directives

/etc/apache2/httpd.conf - primary configuration file - all other config files are called from: httpd.conf, however, in Debian, the file is: apache2.conf

 

###Aliases re-route user requests from web-space to file-system space###

Alias /manual /usr/share/doc/apache2-doc/manual/

 

<Directory "/usr/share/doc/apache2-doc/manual/">

    Options Indexes FollowSymlinks

    AllowOverride None /* Ensures that .htaccess directives do NOT apply */

    Order allow,deny

    Allow from all

    AddDefaultCharset off

</Directory>

 

ports.conf - contains IP binding information

Note: Apache is started as 'root' and then subsequent processes (children) run as non-privileged user

 

 

ErrorLog /var/log/apache2/error.log - global error log. Applies to ALL virtual hosts if undefined at the virtual host level

Note: Apache directives flow top-down. If a directive is undefined at the virtual host level, the default host (apache2.conf|httpd.conf) directive(s) will apply

 

Modules:

 1. 'mods-available' - repository of *.conf & *.load items

 2. 'mods-enabled' - symlinked items to 'mods-available'

Note: *.load files contain 'LoadModule' statements to load the *.so file

 

 1. 'sites-available' - repository of sites (virtual hosts)

 2. 'sites-enabled' - symlinks to 'sites-available'

 

/etc/apache2/sites-available/default:

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ - /* Like alias, but permits CGI script execution */

 

 

Alias /doc/ "/usr/share/doc/" - /* permits HTTP access to system documentation */

Note: Trailing '/' MUST be preserved by connecting client

 

 

###Apache Logs###

Features:

 1. Extracts from client-server communications

 

 

Tasks:

 1. Explore the default log configuration

/etc/apache2/apache2.conf - contains the default formats

Note: Apache supports 2 types of logs:

 1. Error log (error.log) - traps errors from: debug - emergency - bad messages

 2. Access log (access.log) - traps connection messages for content - good messages

Both files are located in: /var/log/apache2

 

/etc/apache2/apache2.conf

 

Syntax: LogFormat One_or_more_vars nickname/alias

 

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

LogFormat "%h %l %u %t \"%r\" %>s %b" common

LogFormat "%{Referer}i -> %U" referer

LogFormat "%{User-agent}i" agent

#     

# Define an access log for VirtualHosts that don't define their own logfile

CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined

 

LogFormat Vars:

%v - name of the virtual host that created the log entry

%p - port of the virtual host

%h - connecting host's IP address, by default

%l - ident check, note: usually non-existent '-'

%u - connecting user name - will be present wherever authentication is used. i.e. Basic, digest, etc.

%t - timestamp of the connection, from the server's perspective

%r - request method - i.e. GET/POST/etc.

%s - status code returned to client - i.e. 200(good),300(redirects),400(content error),500(server error)

%b - size of content returned to client - optional '%B' - logs '0' instead of '-'

%{Referrer} - who sent you here

%{User-agent} - connecting Browser: IE, Firefox, Chrome, iPhone, Droid, etc.

 

Note: Apache logs synchronously, which means, you may configure a virtual host to log to separate files simultaneously

 

###Sample Log Entry##

127.0.0.1 - - [22/Mar/2010:12:02:48 -0400] "GET /manual/en/mod/mod_log_config.html HTTP/1.1" 200 6959 "http://localhost/manual/en/logs.html" "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.18) Gecko/20080528 Epiphany/2.22"

 

Note: Errors pertaining to content access (400x), and server errors (500x) will appear in: /var/log/apache2/error.log

 

Note: 200x errors are typically reflected in the access.log file

 

###Virtual Hosts###

Features:

 1. IP-based - one IP per site

 2. Named-based - shared IP address across sites

 

Tasks:

 1. Explore Default Host configuration

<VirtualHost IP[:Port]>

    One or more directives

    ServerName

    DocumentRoot

    <Directory *>

    </Directory>

</VirtualHost>

 

 2. Define users and setup virtual hosts for those users

 

Site1 (Name-based VHost):

<VirtualHost *:80>

    #One or more directives

    ServerName site1.linuxcbt.internal

    DocumentRoot /home/site1/wwww

    <Directory /home/site1/wwww>

        Options -Indexes FollowSymLinks -MultiViews

                AllowOverride None

                Order allow,deny

                allow from all

    </Directory>

</VirtualHost>

 

    b. Update DNS to include new site

 

Repeat for second client: (site2)

Site1 (Name-based VHost):

<VirtualHost *:80>

    #One or more directives

    ServerName site2.linuxcbt.internal

    DocumentRoot /home/site2/wwww

    <Directory /home/site2/wwww>

        Options -Indexes FollowSymLinks -MultiViews

                AllowOverride None

                Order allow,deny

                allow from all

    </Directory>

</VirtualHost>

 

    b. Update DNS to include new site

 

Note: Apache serves content from the Default Virtual host if the request URI doesn't match any of the defined virtual hosts

 

 

3. Reconfigure Name-based virtual hosts to be IP-based virtual hosts

Note: After VHosts update, be sure to update DNS

 

 

###Apache SSL###

Features:

 1. Encrypted communique between client & server

 2. Confidentiality and integrity of communique

 3. Ability to have 3rd-party sign-off (public CA) i.e. Godaddy, Thawte, etc.

 4. Ability to self-sign certificates

 

Tasks:

 1. Explore the SSL environment

'ssl-cert' package is required

'/usr/sbin/make-ssl-cert' - generates self-signed certificate - wrapper for 'openssl'

'/usr/share/ssl-cert/ssleay.cnf' - template for generating self-signed certs

 

 2. Enable 'default-ssl'

  2a. symlink 'default-ssl' from 'sites-available' to 'sites-enabled'

  2b. symlink 'ssl.*' from 'mods-available' to 'mods-enabled'

Note: Both private and public keys will appear in the same file

  2c. Confirm the: /etc/apache2/ports.conf configuration to ensure: 'Listen 443' is present

  2d. 'invoke-rc.d apache2 restart'

  2e. Test SSL communications

 

Note: '_default_:443' SSL Vhost will respond to requests on ALL IPv[4|6] addresses

 

 3. Segment SSL traffic using IP-based virtual hosts

  3a. Update: /etc/apache2/ports.conf

  3b. Update: /etc/apache2/sites-enabled/default-ssl

 

 4. SSL-enable IP-based Virtual Host: site1.linuxcbt.internal

  4a. site1.linuxcbt.internal

  4b. 'make-ssl-cert /usr/share/ssl-cert/ssleay-site1.cnf /etc/ssl/certs/site1ssl.pem'

  4c. 'cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/site1-ssl'

  4d. Update '/etc/apache2/ports.conf'

  4e. 'cd /etc/apache2/sites-enabled && ln -s ../sites-available/site1-ssl'

  4f. Change SSL port to non-standard: TCP:4443

 

 5. SSL-enable IP-based Virtual Host: site2.linuxcbt.internal

  5a. 'make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/site2ssl.pem'

  5b. 'cp /etc/apache2/sites-available/site1-ssl /etc/apache2/sites-available/site2-ssl'

  5c. symlink sites-available/site2-ssl to: /etc/apaches2/sites-enabled

  5d. updates: /etc/apache2/ports.conf to 'Listen 192.168.75.32:443'

 

 

 

###PHP###

Features:

 1. Dynamic Web page generation

 2. Operates from CLI. i.e. 'perl'

 

Tasks:

 1. Explore the default configuration

 

 2. Expose the info page

  2a. '<? phpinfo(); ?>' - PHP code with short tags

 

 

###Webalizer - Log Analysis###

Features:

 1. Common Log Format (CLF) - default for Apache

 2. Combined Log Format - Includes CLF plus User_Agent, Referrer

 3. FTP

 4. Post-processor

 5. Yields yearly, monthly, daily and hourly stats

 6. May be executed via cron

 

 

Tasks:

 1. Install 'webalizer'

 

 2. Explore package

/usr/bin/webalizer - primary binary

/etc/webalizer/webalizer.conf - primary config

/etc/cron.daily/webalizer - runs daily

/usr/bin/webazolver - symlinked to: /usr/bin/webalizer - invokes webalizer in resolve mode

 

 3. Process log file - default site

  3a. modify: /etc/webalizer/webalizer.conf

Note: Typically users/administrators maintain 1 webalizer.conf file per site

 

 4. Execute 'webalizer'

  4a. 'webalizer 

 

 5. Setup in cron to auto-run

 

 

 

###Patch Manager###

Features:

 1. Self-managing

 2. Downloads, by default, security updates

 3. References: /etc/apt/sources.list - for reference to: http://security.debian.org

Note: Debian security updates are provided: free-of-charge

 4. Can be configured to serve updates internally: via /etc/apt/sources.list

 

 

###MySQL###

Features:

 1. RDBMS

 

Tasks:

 1. Install MySQL

  1a. Forces the installation of the 'mysql-client-*' package, plus dependencies and empty packages

Note: Aptitude auto-resolves the latest packages from its list of sources

 

Note: Default super-user is named: 'root' , NOT to be confused with Linux user: 'root'

Note: MySQL maintains users internally within the default: 'mysql' DB, 'users' table.

 

 2. Explore MySQL packages

  2a. '/usr/bin/mysql' - primary client, which provides terminal, interactive | non-interactive support

  2a1. 'mysql -p' - prompts for password

  2a2. 'mysql -e 'command' [database]' - executes the command 

 

Note: MySQL users are defined in the form: user@host. i.e. 'root@localhost'

Note: Default Debian MySQL implemenation disables 'anonymous access' and enforces a password for the 'root' users

 

  2b. '/usr/bin/mysqldump' - backs-up one or more DBs

  2c. '/usr/bin/mysqladmin' - start|restart|change password|etc.

  2d. '/usr/bin/mysqlimport' - imports data from text files

 

Note: Each MySQL client reads a hierarchy of configuration files: global & local and CLI-options

 

 

 3. Define simple database and data set

  3a. 'create database addressBook;'

  3b. ' create table contacts (`fName` char(20), `lname` char(20), `phone1` char(20), `email` char(30), PRIMARY KEY (`email`) ); '

  3c. ' INSERT INTO contacts (fname,lname,phone1,email) VALUES ('Johan','Doe','888-573-4943','john.doe@linuxcbt.com'); '

 

  3d. ' INSERT INTO contacts (fname,lname,phone1,email) VALUES ('Jane','Doe','888-573-4943','jane.doe@linuxcbt.com'); '

 

  3e. ' UPDATE contacts SET fname='John' WHERE fname='Johan';

  3f. 'DELETE FROM contacts where fname='John'; '

 

###PHPMyAdmin###

Features:

 1. De facto Web GUI to administer MySQL

 2. Echoes the resultant SQL commands per execution. i.e. click on something and the SQL statement appears. Helps you to learn SQL syntax.

 

Tasks:

 1. Install PHPMyAdmin

 

 2. Explore package contents

 

 

###Postfix - SMTP###

Features:

 1. Message Transfer Agent

 2. Derivative/improvement on SendMail

 

Tasks:

 1. Install Postfix

/usr/sbin/postconf - used to dump/change Postfix configuration

/usr/sbin/postsuper - admin duties on running server

/usr/sbin/sendmail - drop-in replacement for original binary

/usr/lib/postfix/smtp - SMTP client used by Postfix to talk to other SMTP servers

/usr/lib/postfix/smtpd - SMTP server used to receive message and connections

/usr/bin/mailq - enumerates the contents of the mailq

/usr/lib/postfix/master - main master binary, which controls all of sendmail

 

 2. Explore the configuration

/etc/postfix - primary, top-level configuration container

/etc/postfix/main.cf - primary config file

 

 

###Aptitude - Sources.list Update###

Features:

 1. Ability to reference packages from the file system

 

 

Tasks:

 1. Mount ISO image permanently and reference it via: /etc/apt/sources.list

  1a. 'mount -t iso9660 -o loop /home/linuxcbt/Debian_5x/debian-504-i386-DVD-1.iso /home/linuxcbt/Debian_5x/1' - mounts ISO image in target location

  1b. Update: /etc/fstab

  1c. Update: /etc/apt/sources.list via Synaptic Package Manager, or manually from the shell

  1d. Reload the package repository DB using Synaptic Package Manager

 

 

###IMAP/POP3 Support###

 

Features:

 1. IMAP - stores message on the server, entirely. i.e. GMAIL, Yahoo, OWA

 2. POP3 - used to download messages to client.

 3. Mail-retrieval protocols

 4. Support for encryption: SSL/TLS

 5. Dovecot: supports both mbox and Maildirs

 

Tasks:

 1. Install Dovecot IMAP. Removes existing IMAPD package, by default

 2. Explore the contents of Dovecot

/etc/dovceot/dovecot.conf - primary config file

 3. Retrieve messages using MUA: IMAPD

 

 4. Install POP3D

 5. Disable clear-text mail-retrieval support

  5a. /etc/dovecot/dovecot.conf - disable 'pop3' & 'imap'

  5b. 'invoke-rc.d dovecot restart' - unbinds clear-text protocols

 

###SquirrelMail###

Features:

 1. Web GUI/Mail User Agent (MUA) for accessing mail via IMAPD - front-end

 2. Virtual hosts

 3. Modular

 

Note: To obtain the latest, navigate to: squirrelmail.org

 

Tasks:

 1. Install Squirrelmail

 2. Explore configuration

/etc/squirrelmail/apache.conf - primary Apache config file

 3. Access & browse SquirrelMail interface

 4. Enable IMAP (clear-text)

 

###GNU Privacy Guard (GPG)###

Features:

 1. Implements the OpenPGP standard

 2. Provides data encryption services based on PKI (asymmetric encryption)

 3. Digital signatures (based on owner's private key)

 4. Auto-compresses content

 

Tasks:

 1. Explore the GPG environment

/usr/bin/gpg - primary binary used to encrypt/decrypt correspondence (files/e-mails/etc.)

  1a. ' gpg --list-keys ' - enumerates public keys on key chain

  1b. ' gpg --gen-key' - generates PKI pair of keys

  1c. ' gpg --export ' - exports the public key, so that others may encrypt information to us

Note: Repeat the process on the remote user's side to have 2-way encryption/signature services

 

Note: Digital signatures prove authenticity because access to the secret/private key of the PKI pair is restricted to the owner and 'root'

Note: A passphrase adds an additional level of security to PKI in the event that the PKI pair has been compromised: physically(locally), or remotely

 

 2. Generate usage keys on remote side

  2a. 'gpg --gen-key' - generate keys as 'root'

Note: 'gpg --list-secret-keys' - enumerates private key(s) from keychain

 

 3. Sign and encrypt data to ourself

  3a. 'gpg --encrypt -r pub_key_ID 1000.txt' - generates '1000.txt.gpg' encrypted file

  3b. 'gpg --decrypt 1000.txt.gpg' - decrypts, if private key is on keychain of current user

  3c. 'gpg --encrypt -o 1000.txt.pgp -r pub_key_ID 1000.txt' - encrypts with '.pgp' suffix

 

 4. Sign and encrypt with business partner (root@linuxcbtsuse1.linuxcbt.internal)

  4a. ' exchange public keys'

     'gpg --export ' - creates binary file

     'gpg --import key_file' - imports key file

 

###Network Mapper (NMap)###

Features:

 1. Reconnaissance Scans

 2. Set a baseline configuration

 3. Compare against the baseline

 4. Port scans

 5. Host | device detection: i.e. Jetdirect card, Dell box, Apple computer, etc.

 6. Service detection: i.e. VSFTPD, SSH and optionally version

 7. Multi-target scanning

 8. Automation

 9. IPv6 scanning

 

Tasks:

 1. Install NMap

 2. Explore package | usage

/usr/bin/nmap - primary binary

/usr/share/nmap/nmap-mac-prefixes - host | device detection

/usr/share/nmap/nmap-services - port-to-servicename conversion

 

 3. Run 'nmap' in a variety of ways to help tighten our security posture

  3a. ' nmap -v localhost'

Note: As 'root' nmap defaults to 'SYN' scans, however, as anyone else, nmap defaults to 'TCP Connect' scan.

Note: Usually, 'SYN' scans do not alert the application behind the open port, however, 'TCP Connect' scans complete the 3-way TCP handshake, alerting the listening application

 

 

Note: A scan of the loopback adapter is not indicative of what remote users will see, with some exceptions: i.e. SSH tunnels

 

  3b. 'nmap -v 192.168.75.30-32' - scans 3-IPs, .30,.31,.32 for open ports, TCP

  3c. 'nmap -v -sU 192.168.75.30-32' - scans 3-IPs, for open UDP ports

  3d. 'nmap -v -sV ...' - performs a service scan, which returns: service names and versions

 

Note: NMap defaults to TCP scans because the majority of applications are TCP-based

Note: NMap dumps output, by default, to STDOUT, which means, you will lose valuable info. if you don't route to a log file

 

  3e. 'nmap -v -sV -iL filename' - supply host(s) via a file

  3f. 'nmap -v -oN nmap.scan.log -sV -iL filename' - creates Normal NMap output

  3g. 'nmap -v -sP -oN nmap.scan.log -iL filename' - performs a quick PING scan

  3h. 'nmap -v -p 3389 -oN nmap.scan.log -iL filename' - scans TCP:3389 across the subnet

Note: Ensure that centralized NMap host has unfettered access to interesting subnets

  3i. 'nmap -v -O -oN nmap.scan.log -iL filename' - scans for OS detection

###TCPDump###

Features:

 1. Packet capturing of myriad protocols

 2. Supports: Berkeley Packet Filters (BPFs)

 

 

Tasks:

 1. Install TCPDump

/usr/sbin/tcpdump - primary binary

 

 2. Usage examples

  2a. 'tcpdump -v -i eth0'

 

'02:08:38.419385 IP (tos 0x0, ttl 64, id 54461, offset 0, flags [DF], proto TCP (6), length 62) macbook1.local.60842 > linuxcbtdeb1.linuxcbt.internal.5900: P, cksum 0x029e (correct), 191:201(10) ack 695980 win 65535 <nop,nop,timestamp 212564549 65206757>

 

 

'

 

 2b. 'tcpdump -w tcpdump.capture -i eth0' - creates a TCPDump file

 2c. 'tcpdump -r tcpdump.capture' - reads the previously-created TCPDump file

 2d. 'tcpdump -c 3 -i eth0 -w tcpdump.capture2' - captures 3 packets and exits

Note: Each packet is represented by a line, but the terminal will invariably wrap each line

 2e. 'tcpdump -C 1 -w tcpdump.capture3' - captures 1-million bytes then creates a new file

 2f. 'tcpdump -A -i eth0' - dumps packet payload

 2g. 'tcpdump -e -i eth0' - dumps layer-2 (MAC) info.

 2h. 'tcpdump -A -e -i eth0' - dumps payload and MAC info. - layers 2-7

Note: Packet capturing is a linear progression. Latest information is at the bottom of the capture.

 

 2i. 'tcpdump -D ' - dumps the available interfaces

 2n. 'tcpdump -n ...' - dumps captures without name resolution

 

 3. Apply BPFs

Note: TCPDump supports 3 Qualifiers: 

 1. Type - host|net|port

 2. Direction - src, dst, src or dst, src and dst

 3. Protocol - ip, tcp, udp, icmp, etc.

Note: BPFs support logical Anding and Oring

 

  3a. 'tcpdump -i eth0 -w tcpdump.linuxcbtserv1.capture.1 host 192.168.75.111'

  3b. 'tcpdump -i eth0 -w tcpdump.linuxcbtserv1.capture.2 host 192.168.75.111 and tcp port 21' 

 

Note: BPFs are applicable, for the most part, if a tool is TCPDump-compliant

 

 

###WireShark, formerly known as: Ethereal###

Features:

 1. Packet Capture & analysis

 2. Support for: BPFs (run-time) and Display Filters (post-processing)

Tasks:

 1. Install WireShark

/usr/bin/wireshark - primary binary - run as 'root'

 

 2. Explore interface

Note: Wireshark defaults to: nanosecond precision, however, TCPDump defaults to: microsecond precision

 

 3. Perform various captures/analysis of clear-text, FTP traffic

 

Note: Consider deploying centralized sniffers and route files to back-end post-processor running Wireshark.

 

 

###Lockdown###

Features:

 1. Improve security posture

 

Tasks:

 1. Screensaver set based on inactivity timer

 2. Secure your BIOS

  2a. Setting a usage password

  2b. Disabling removable boot devices: USB, Optical drives

 3. Secure the bootloader: GRUB

  3a. 'grub-md5-crypt' - generates an MD5 password for GRUB: /boot/grub/menu.lst

Note: Consider 'dmcrypt' or 'eCryptFS' to encrypt the FS, in the event the drive is physically compromised, and/or other measures have been circumvented.

Note: 'dmcrypt' requires a password for startup

 

 4. /etc/login.defs - contains defaults for a variety of account variables

Note: Ensure that password encryption algo matches PAM: /etc/pam.d/*

 

 5. Remove 'nullok' from: /etc/pam.d/* - if exists

 6. Disable superfluous services/daemons:

  6a. 'netstat -nutlp' - returns listeners for TCP | UDP

Checklist of daemons to disable:

 1. samba-swat - INETD controlled

  1a. ' update-inetd --disable swat' - disables service in INETD

 2. imap - TCP:143

  2a. '/etc/dovecot/dovecot.conf'  

 

 3. ssh - restrict to 1-IP

 4. postgres

  4a. 'update-rc.d -f postgresql-8.3 remove' 

 5. smbd|nmbd

  5a. 'update-rc.d -f samba remove && /etc/init.d/samba stop && ps -ef | grep smb'

 6. vsftpd

  6a. 'update-rc.d -f vsftpd remove && /etc/init.d/vsftpd stop && ps -ef | grep vsftpd'

 7. tftpd

  7a. 'update-inetd --disable tftp'

 

 8. Disable 'root' access via SSHD

 

Note: Consult Debian documentation for info on: harden* packages

 

 

###IPTables - Firewall###

Features:

 1. Built-in firewall

 2. Stateful inspection

 3. Routing

 4. Network Address Translation (NAT)

 5. Front-end to the Netfilter Kernel firewall

 

Tasks:

 1. Explore configuration

/sbin/iptables - primary binary to write rules and interact with firewall

/sbin/iptables-save|restore - saves & restores IPv4 rules

/sbin/ip6tables - primary binary "" for IPv6 firewall

/sbin/ip6tables-save|restore - ""

 

 2. Use 'iptables'

  2a. 'iptables -L' - lists the chains in the default 'Filter' table

Note: 'Filter' table governs traffic: inbound, outbound, and through (routing) your box

Note: There are 3 default chains in the 'Filter' table

 1. INPUT - traffic sourced from external system destined for your system

 2. FORWARD - router - traffic that is sent through your box

 3. OUTPUT - Traffic sourced from your system to other systems

 

Note: There are 3 default tables:

 1. NAT

 2. Mangle

 3. Filter (Default)

 

 

 2b. Limit inbound traffic to the SMTP server to deny access from Windows server

  2b1. 'iptables -A INPUT -p tcp --dport 25 -s 192.168.75.105 -j DROP'

 

 3. Use 'ip6tables'

Note: Syntax is virtually identically to 'iptables*'

 

 4. Write outbound rules

  4a. 'iptables -A OUTPUT -d 192.168.75.105 -p tcp --dport 3389 -j DROP'

上一篇:telnet登录Linux
下一篇: LinuxCBT feat. SUSE 10 Enterprise Edition Training Notes
相关文章
图文推荐

关于我们 | 联系我们 | 广告服务 | 投资合作 | 版权申明 | 在线帮助 | 网站地图 | 作品发布 | Vip技术培训 | 举报中心

版权所有: 红黑联盟--致力于做实用的IT技术学习网站