LinuxCBT_EL-6_Editio
e. day of the week (Sun, Mon, Tue, etc. OR 0-7)
f. command to execute (shell, perl, PHP, etc.)
3. Wakes up every minute in search of programs to execute
4. Reads cron entries from multiple files
5. Maintains per-user and system-wide (/etc/crontab) entries
/etc:
cron.d/
cron.deny - denies cron execution by user
cron.monthly/ - runs jobs monthly
cron.weekly/ - runs jobs weekly
cron.daily/ - runs jobs daily
cron.hourly/ - runs jobs hourly
crontab - contains system-wide schedulers
Note: '*' wildcard in a time column means to run for all values
Per-user Crontabs:
Stored in: /var/spool/cron
Task:
1. Create a cron entry for the user 'student1'
a. 'su student1'
b. 'crontab -e'
c. create an entry, minus the name of the user
Note: 'crontab -l' enumerates per-user cron entries
System-wide Crontab:
Stored in: /etc/crontab
Task:
1. Create a cron entry in: /etc/crontab
Note: 'crontab -l -u username' - enumerates per-user cron entries
###SyslogD###
Features:
1. Handles logging
2. Unix Domain Sockets (/dev/log)
3. Internet Sockets (UDP:514)
4. Ability to log to local and remote targets
Implemented as 'sysklogd' package
Primary configuration file: /etc/syslog.conf
Standard syslog.conf file contains:
1. Rules
a. facilities -> applications/daemons/network device/etc.
b. levels -> Importance of message
Range: 0-7
7 = emergency
6 = alert
5 = critical
4 = error
3 = warning
2 = notice
1 = info
0 = debug (more information)
2. Targets
a. file - /var/log/messages
b. tty - /dev/console
c. remote host - @IP_ADDR_of_REMOTE_HOST
'*' = catchall/wildcard to mean any facilities or level
'.none' = exclusion rule
'man syslog.conf' to learn about the supported facilities and levels
Task:
1. Enable UDP logging for remote Cisco gateway (192.168.75.1)
a. netstat -nul | grep 514 - reveals UDP:514 listener
b. nano /etc/sysconfig/syslog
b1. 'SYSLOGD_OPTIONS="-m 0 -r"' - '-r' accepts remote messages on UDP:514
c. restart syslog and confirm UDP:514 listener
c1. 'service syslog restart'
c2. 'netstat -nul | grep 514'
d. Configure the router using facility 'local0' and level 'info'
e. configure /etc/syslog.conf to accept 'local0.info'
f. restart or reload 'syslog'
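The selector rules above (facility.level, the '*' wildcard and '.none') decide which target a message reaches. The following is an added example, not code from the LinuxCBT notes: it evaluates syslog.conf selectors the way sysklogd does, against a constructed config resembling step (e), so you can confirm where the gateway's local0.info messages will land before restarting syslog. Function names and the sample config are my own.

```python
# Added example (not from the LinuxCBT notes): evaluates syslog.conf
# selectors the way sysklogd does, so you can confirm where a message
# such as the gateway's local0.info will land before restarting syslog.

# Severity names from most to least severe, in the order the notes list them.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"emergency": "emerg", "panic": "emerg", "critical": "crit", "error": "err", "warn": "warning"}

def _canon(level):
    level = level.lower()
    return ALIASES.get(level, level)

def selector_matches(selector, facility, level):
    """True if a selector such as 'local0.info;mail.none' selects a
    message logged with the given facility and level."""
    level, matched = _canon(level), False
    for part in selector.split(";"):
        fac_list, _, lvl = part.strip().rpartition(".")
        lvl = _canon(lvl)
        facilities = [f.strip() for f in fac_list.split(",")]
        if "*" not in facilities and facility not in facilities:
            continue            # this part says nothing about our facility
        if lvl == "none":
            matched = False     # '.none' excludes the facility entirely
        elif lvl == "*":
            matched = True
        else:
            # facility.level selects that level and everything more severe
            matched = LEVELS.index(level) <= LEVELS.index(lvl)
    return matched

def route(conf_text, facility, level):
    """Return the targets (files, ttys, @hosts) that would receive the message."""
    targets = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, target = line.split(None, 1)
        if selector_matches(selector, facility, level):
            targets.append(target)
    return targets

# Constructed /etc/syslog.conf resembling the state after step (e) above.
SAMPLE_CONF = """\
*.info;mail.none;authpriv.none;cron.none;local0.none   /var/log/messages
authpriv.*                                             /var/log/secure
local0.info                                            /var/log/cisco.log
*.emerg                                                *
"""
```

Calling `route(SAMPLE_CONF, "local0", "info")` returns only /var/log/cisco.log, because the `local0.none` on the first rule keeps the router's traffic out of /var/log/messages.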
###Log Rotation###
Features:
1. Rotation of logs based on criteria
a. size
b. age (daily, weekly, monthly)
2. Compression
3. Maintain logs for a defined period
/etc/logrotate.conf - primary (global) config file for all logs
- can be overridden by context-sensitive files, e.g. apache
run 'man logrotate' for the manual page
/etc/logrotate.d - directory for logs to be rotated
- httpd - used to rotate Apache logs
/var/log/httpdsample/* to /etc/* and /var/named/
c. Modify /etc/named.conf - disable DDNS_KeyGen sections
d. Start the server -service named start
4. Query the server
a. dig @localhost www.linuxcbt.com
a1. Returns: question, answer, authoritative DNS servers, query time
b. nslookup www.linuxcbt.com OR nslookup - server 127.0.0.1 - www.linuxcbt.com
Note: The server has cached www.linuxcbt.com, evidenced by the decrementing TTL value for the various records associated with the zone
c. host www.linuxcbt.com - also performs a lookup
Note: /etc/resolv.conf controls the DNS servers that are consulted by lookup tools such as: WEB browser, GFTP, LFTP, nslookup, dig, host, etc.
d. dig linuxcbt.com MX - queries the domain for mail exchangers
Note: DNS is organized into an inverted tree, with '.' representing the root of the DNS tree. e.g.
dig mail1.linuxgenius.com
-- . = root
-- .com = top level
-- .linuxgenius = second level
-- mail = third level
Note: A trailing '.' in a DNS query is implied, and may optionally be indicated if desired in any standard Internet application (web browser, FTP client, wget, nslookup, dig, host, etc.)
4. Start 'named' as a caching-only DNS server (Default)
a. service named start
b. dig @192.168.75.199 www.linux.com - forces a caching-only lookup query
Primary & Secondary Zones:
Features:
1. Ability to service zones
2. Authoritative support for a zone
Tasks:
1. Create internal zone name 'linuxcbt.internal'
a. modify /etc/named.conf to include the new zone
zone "linux.internal" IN {
type master;
file "linux.internal.db";
allow-update { none; };
};
b. create the corresponding zone file
c. restart named
d. test resolution of DNS primary zone
Note: Install 'caching-nameserver*' for Caching-only DNS server
2. Create a slave (Secondary) server
a. yum -y install bind
b. copy sample files from primary server to secondary server
c. modify /etc/named.conf and set 'linuxcbt.internal' zone to slave
d. start named service - 'service named start'
e. chkconfig --level 35 named on
f. Update: /var/named/linux.internal.db to reflect new name server
3. Create a primary zone on the 'secondary' server
a. Create a zone for: linuxcbt.external - in /etc/named.conf
b. copy/create 'linuxcbt.external.db' zone file
c. setup 'linuxcbtserv4' to be a slave for the zone: linuxcbt.external
Forward IPv6 Records:
Implemented primarily as AAAA records
Test IPv6 resolution using:
1. ping6 linuxcbtrouter1.linuxcbt.internal
2. dig @192.168.75.10 linuxcbtrouter1.linuxcbt.internal
Reverse Zones:
Features:
1. The ability to resolve a name, given an IPv4 or IPv6 address
Tasks:
1. Define an IPv4 reverse zone for the local subnet:
a. Define zone name: '75.168.192.in-addr.arpa' - /etc/named.conf
b. Update: /etc/named.conf
c. Create zone file in: /var/named
d. update configuration
e. restart named
f. test using 'dig @192.168.75.1 -x 192.168.75.1'
Note: Reverse zones are built from the prefix in IPv4 subnets
IPv6 Reverse Zone:
Requirements:
1. /etc/named.conf entry
zone "3.0.0.0.3.2.b.d.9.8.6.4.2.0.0.2.ip6.arpa" IN {
type master;
file "named.ip6.local";
allow-update { none; };
};
Note: IPv6 reverse zone names are in nibble format, with ALL zeros expanded for the network prefix portion of the address, which is usually 64 bits in length
2002:4689:db23:3:202:b3ff:fe98:4104/64
2002:4689:db23:3:202:b3ff:fe98:4108
2. /var/named/zone_file
a. Include entries using the last 64 bits, the IPv6 host part
4.0.1.4.8.9.e.f.f.f.3.b.2.0.2.0 IN PTR rhel5-1.linux.internal.
Note: When creating reverse IPv6 entries for hosts, do the following:
a. reverse the 64-bit portion of the address that corresponds to the host, expanding all zeros
b. Create PTR record based on the reverse, nibble-format of the address
Test using dig
a. dig @192.168.75.1 -x 2002:4689:db23:3:202:b3ff:fe98:4108
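Reversing the prefix into in-addr.arpa labels, and expanding and reversing the nibbles for ip6.arpa, is where hand-written reverse zones most often go wrong. The following added example (my own code, not from the LinuxCBT notes) generates the zone name, the PTR owner label and the named.conf stanza from an address and prefix length, for both the IPv4 subnet and the /64 used above; function names are my own.

```python
# Added example (not from the LinuxCBT notes): derives the in-addr.arpa or
# ip6.arpa zone name and the PTR owner label from an address and prefix
# length, so the nibble-reversed names in named.conf and the zone file are
# generated rather than reversed by hand (where a typo is easy to make).
import ipaddress

def reverse_zone_parts(address, prefix_len):
    """Return (zone_name, owner_label) for a host inside a reverse zone.

    IPv4 prefixes must fall on octet boundaries (/8, /16, /24) and IPv6
    prefixes on nibble boundaries (multiples of 4), because reverse zones
    are delegated one label (octet or hex nibble) at a time.
    """
    addr = ipaddress.ip_address(address)
    if addr.version == 4:
        if prefix_len % 8:
            raise ValueError("IPv4 reverse zones cut on octet boundaries")
        labels = str(addr).split(".")          # ['192', '168', '75', '1']
        n = prefix_len // 8                    # octets in the network part
        suffix = "in-addr.arpa"
    else:
        if prefix_len % 4:
            raise ValueError("IPv6 reverse zones cut on nibble boundaries")
        # exploded expands every zero group, e.g. :3: becomes :0003:
        labels = list(addr.exploded.replace(":", ""))   # 32 hex nibbles
        n = prefix_len // 4                    # nibbles in the network part
        suffix = "ip6.arpa"
    network, host = labels[:n], labels[n:]
    zone = ".".join(reversed(network)) + "." + suffix
    owner = ".".join(reversed(host))
    return zone, owner

def ptr_record(address, prefix_len, hostname):
    """Render the PTR line for the zone file (owner relative to the zone)."""
    _, owner = reverse_zone_parts(address, prefix_len)
    return f"{owner} IN PTR {hostname.rstrip('.')}."

def named_conf_stanza(address, prefix_len, zone_file):
    """Render the master zone stanza for /etc/named.conf."""
    zone, _ = reverse_zone_parts(address, prefix_len)
    return (f'zone "{zone}" IN {{\n    type master;\n'
            f'    file "{zone_file}";\n    allow-update {{ none; }};\n}};')
```

For 2002:4689:db23:3:202:b3ff:fe98:4104/64 the owner label comes out as 4.0.1.4.8.9.e.f.f.f.3.b.2.0.2.0, matching the PTR record above, and the zone name is 3.0.0.0.3.2.b.d.9.8.6.4.2.0.0.2.ip6.arpa.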
###Network File System (NFS)###
Features:
1. Transparent access to remote file systems
2. Installed by default
3. Uses rpc for communications
Tasks:
1. Export a directory on the server using: /etc/exports
a. /path_to_directory IP_ADDR(rw/ro)
b. /nfs1 192.168.75.10(rw)
c. mkdir /nfs1
d. start NFS server - 'service nfs start'
e. Confirm export(s) - 'exportfs -v'
Note: NFS matches remote user's UID to local /etc/passwd to determine ACLs
2. Export /nfs2
a. Create entry in /etc/exports
b. Update current exports using: exportfs -a
3. Mount both exports on a remote system
a. mount -t nfs 192.168.75.199:/nfs1 /nfs1
b. mount -t nfs 192.168.75.199:/nfs2 /nfs2
4. Allow local 'root' user the ability to write to /nfs1 export
a. /etc/exports: (rw, no_root_squash)
5. Setup mount points so that they're available upon reboot
a. /etc/fstab
b. Unmount and confirm that NFS mount points will be available when the client system changes runlevels (reboots, starts, etc.) - 'mount -a'
showmount -a 192.168.75.199 - shows mounts on this system (connected NFS clients)
6. Attempt to mount /nfs1 and /nfs2 from an unauthorized system
a. Fails because client's IP does not match server's /etc/exports
b. Update server's /etc/exports to allow additional hosts/subnets/etc.
c. exportfs -a - to update the export table
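Steps 4 and 6 show the two settings that decide who can reach an export and as whom: the client list and no_root_squash. The following added example (my own code, not from the LinuxCBT notes) parses /etc/exports lines in the form used above and flags exports that every host can reach or that keep the remote root's UID, including the easily missed case where a space before the "(options)" binds the options to no host at all (documented in exports(5)). The sample file and function names are constructed for the example.

```python
# Added example (not from the LinuxCBT notes): audits /etc/exports entries
# for the two settings that matter most: who can mount the export, and
# whether a remote root keeps UID 0 on it (no_root_squash).

def parse_exports(text):
    """Return (path, client, options) tuples, one per client on each line.
    A client without "(...)" gets the NFS defaults (ro, root_squash)."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]   # no client => everyone
        for tok in clients:
            client, _, opts = tok.partition("(")
            opts = [o for o in opts.rstrip(")").split(",") if o]
            # "(rw)" separated from the host by a space binds to no host,
            # which exports(5) treats as every host
            rows.append((path, client or "*", opts))
    return rows

def audit_exports(text):
    """Return human-readable findings for risky export entries."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append(f"{path}: exported to every host ({','.join(opts) or 'defaults'})")
        if "no_root_squash" in opts:
            findings.append(f"{path}: no_root_squash for {client} (remote root is local root)")
    return findings

# Constructed /etc/exports resembling the state after steps 4 and 6 above.
SAMPLE_EXPORTS = """\
# constructed sample, not a real exports file
/nfs1 192.168.75.10(rw,no_root_squash)
/nfs2 192.168.75.0/24(rw)
/nfs3 192.168.75.10 (ro)      # note the space: (ro) applies to every host
"""
```

Running `audit_exports(SAMPLE_EXPORTS)` reports /nfs1 for no_root_squash and /nfs3 as world-exported; /nfs2, limited to the local subnet with root squashed, produces no finding.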
###AutoFS###
Features:
1. Automatically mounts file systems (NFS, local, SMBFS, etc.) upon I/O request
Requirements:
1. autofs-*rpm must be installed
/etc/auto.master - primary configuration file
- also contains mount points and their mappings
/etc/sysconfig/autofs - default startup directives
Note: AutoFS must be running in order to auto-mount directories
Task:
1. Create an automount for /shares, which will mount /nfs1 & /nfs2
a. update /etc/auto.master - '/shares /etc/auto.shares'
b. cp /etc/auto.misc /etc/auto.shares
c. update the rules in /etc/auto.shares
d. Create AutoFS tree: /shares/
e. Restart the autofs service
f. Unmount /nfs1 & /nfs2 if necessary
Note: Do NOT auto-mount directories that are already mounted
g. Test access to AutoFS controlled directory
g1. 'ls -l /shares/nfs1'
Note: syntax for auto-mount files is as follows:
<mount-point> [<options>] <location>
nfs1 -fstype=nfs 192.168.75.199:/nfs1
###Samba###
Features:
1. Provides windows features (file & print) on Linux | Unix
/etc/samba/smb.conf - primary config file
Clients
1. findsmb - finds SMB hosts on the network
2. smbtree - equivalent to Network Neighborhood/My Network Places (prints workgroups, hosts, and shares)
3. smbget - similar to 'wget', in that it will download files from the remote share
a. smbget -u dean smb://linuxcbtwin1/mtemp/20070504.test
4. smbclient - interactive (FTP-like) utility to connect to shares - permits uploads/ downloads from shares
a. smbclient -U dean //linuxcbtwin2/mtemp
b. mget file* - downloads file(s)
c. mput file* - uploads file(s)
5. smbtar - backs up SMB shares to a TAR archive
a. smbtar -s linuxcbtwin1 -x mtemp -u dean -t backup1.tar
Samba Server:
/etc/samba/smb.conf - primary config file
SWAT manages /etc/samba/smb.conf
Samba Server Modes:
1. User
a. One Samba-defined user is required per Linux user
b. Authentication of users is handled by the Samba server
2. Server/Domain (PDC/BDC)
a. Authentication is handled by the Windows NT/2K/2K3/2K8 server
b. Still requires a local Samba-defined user accounts database
3. ADS - Active directory
a. authentication is handled by Active Directory
b. When used with Winbind, locally-defined Samba users are NOT required
Note: Ultimately, users must authenticate to the local Linux file system
Task:
1. Install SWAT
a. yum -y install samba-swat
b. nano /etc/xinetd.d/swat - set 'disable = no'
c. service xinetd restart
d. netstat -ntl | grep 901
/etc/samba/smbpasswd maps Windows users to /etc/passwd
2. Install rdesktop and connect to Windows XP to test connectivity to Samba
a. yum -y install rdesktop
Winbind:
Features:
1. Windows AD integration
2. Avoids having to define users in 2 places: Windows, Linux
3. Uses Kerberos for authentication
Requirements:
1. krb5-* packages
2. Properly configured Kerberos environment:
a. /etc/krb5.conf
[libdefaults]
default_realm = AD2.LINUXCBT.INTERNAL
[realms]
AD2.LINUXCBT.INTERNAL = {
kdc = linuxcbtwin3.linuxcbt.internal
admin_server = linuxcbtwin3
}
[domain_realm]
.linuxcbtwin3.ad2.linuxcbt.internal = AD2.LINUXCBT.INTERNAL
Steps:
1. Update: /etc/krb5.conf
2. Update Samba configuration to use ADS authentication
3. Update Samba server's DNS to point to ADS server
a. /etc/resolv.conf
b. /etc/hosts - including a pointer to ADS server (linuxcbtwin3)
4. Join AD domain:
a. 'net ads join -U administrator'
5. Confirm AD membership using the 'Active Directory Users & Computers' tool
6. Setup Winbind to authenticate using ADS:
a. /etc/pam.d/system-auth - account & auth settings
auth sufficient /lib/security/pam_winbind.so - place before 'pam_unix.so'
account sufficient /lib/security/pam_winbind.so
b. /etc/nsswitch.conf
passwd: files winbind
group: files winbind
c. Configure 'idmap' 'uid & gid' mappings - 10000 - 20000
Use SWAT to update idmap settings for 'uid & gid'
Note: If you want ADS users to be able to log on to your Samba-Winbind Linux box using ssh, Telnet, mingetty, etc., change the 'Template Shell' directive to a valid shell, e.g. /bin/bash
d. Create 'Template homedir' $D (Domain) directory beneath '/home'
mkdir /home/LINUXGENIUS
7. Test Winbind Integration using: wbinfo
a. wbinfo -u - this enumerates users in AD
b. wbinfo -g - this enumerates groups in AD
c. ssh into LINUXCBTSERV1 (Winbind) as ADS user
Task1:
1. Authenticate using ADS, as 'administrator' from Windows box
2. Create a user named 'linuxcbt' in AD
3. Create shared directory on the Samba box, and provide access (Share it)
###Apache Web Server###
Features:
1. WWW Web Server
2. Modular
Tasks:
1. Install Apache 2.2x
a. httpd*.rpm
/etc/httpd - top-level configuration container on RH5
/etc/httpd/conf - primary configuration directory
/etc/httpd/conf/httpd.conf - primary Apache configuration file
/etc/httpd/conf.d - drop in configuration directory, read by Apache upon startup
2. Explore: /etc/httpd/conf/httpd.conf
a. HTTPD run as: apache:apache
b. Apache maintains, always, a 'main' server, which is independent of Virtual Hosts. This server is a catch-all for traffic that doesn't match any of the defined virtual hosts.
c. <Directory> directive governs file system access
Note: The primary Apache process runs as 'root', and has access to the full file system. However, the <Directory> directive restricts the web user's view of the file system
d. Test access to '.ht*' file from web root
e. Errorlog logs/error_log - default error log file for ALL hosts
f. logs/access_log - default log file for default server
Note: Every directory, outside of the 'DocumentRoot' should have at least one: <Directory> directive defined.
3. Start Apache and continue to explore
a. service httpd start
root 2861 1 0 13:16 ? 00:00:00 /usr/sbin/httpd
apache 2863 2861 0 13:16 ? 00:00:00 /usr/sbin/httpd
apache 2864 2861 0 13:16 ? 00:00:00 /usr/sbin/httpd
apache 2865 2861 0 13:16 ? 00:00:00 /usr/sbin/httpd
apache 2866 2861 0 13:16 ? 00:00:00 /usr/sbin/httpd
apache 2867 2861 0 13:16 ? 00:00:00 /usr/sbin/httpd
apache 2868 2861 0 13:16 ? 00:00:00 /usr/sbin/httpd
apache 2869 2861 0 13:16 ? 00:00:00 /usr/sbin/httpd
apache 2870 2861 0 13:16 ? 00:00:00 /usr/sbin/httpd
Note: Parent Apache runs as 'root' and can see the entire file system
Note: However, children processes run as "apache" and can only see files/ directories that 'apache:apache' can see
4. Create an Alias for content outside of the web root (/var/www/html)
a. Alias /testalias1 /var/www/testalias1
<Directory /var/www/testalias1>
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
5. Ensure that Apache will start when the system boots
a. chkconfig --level 35 httpd on && chkconfig --list httpd
Virtual Hosts Configuration:
Features:
1. Ability to share/serve content based on 1 or more IP addresses
2. Supports 2 modes of Virtual Hosts:
a. IP Based - one site per IP address
b. Host header names - multiple sites per IP address
Tasks:
1. Create IP Based Virtual Hosts
a. ifconfig eth0:1 192.168.75.210
b. Configure the Virtual Host:
<VirtualHost 192.168.75.210>
ServerAdmin webmaster@rhel5.linux.internal
ServerName site1.linux.internal
DocumentRoot /var/www/site1
<Directory /var/www/site1>
Order allow,deny
Allow from all
</Directory>
CustomLog logs/site1.linux.internal.access.log combined
ErrorLog logs/site1.linux.internal.error.log
</VirtualHost>
c. Create: /var/www/site1 and content
d. Update: /etc/httpd/conf/httpd.conf with VHost information
2. Create Name-based Virtual Hosts using the primary IP address
a. /etc/httpd/conf/httpd.conf:
NameVirtualHost 192.168.75.199:80
<VirtualHost 192.168.75.199:80>
ServerAdmin webmaster@rhel5.linux.internal
ServerName site3.linux.internal
DocumentRoot /var/www/site3
<Directory /var/www/site3>
Order allow,deny
Allow from all
</Directory>
CustomLog logs/site3.linux.internal.access.log combined
ErrorLog logs/site3.linux.internal.error.log
</VirtualHost>
###Apache with SSL Support###
Features:
1. Secure/Encrypted communications
Requirements:
1. httpd
2. openssl
3. mod_ssl
4. crypto-utils (genkey) - used to generate certificates/private keys/CSRs
a. also used to create a self-signed certificate
Tasks:
1. Install the requirements
a. mod_ssl - module for Apache, which provides SSL support
yum -y install mod_ssl
/etc/httpd/conf.d/ssl.conf - includes key SSL directives
b. crypto-utils - provides /usr/bin/genkey
2. Generate SSL usage keys using: genkey
a. genkey site1.linuxcbt.internal - creates text-gui interface
3. Update /etc/httpd/conf.d/ssl.conf to reference the new keys (public/private)
4. Restart the HTTPD server
a. service httpd restart
b. httpd -S
5. Test https connectivity
a. https://192.168.75.199
Note: For multiple SSL sites, copy /etc/httpd/conf.d/ssl.conf to distinct files that match your distinct IP-based VHosts
###Mysql###
Features:
1. DBMS Engine
2. Compatible with various front-ends:
a. Perl
b. php
c. ODBC
d. GUI Management
Tasks:
1. Install mysql Client & Server
a. yum -y install mysql
/etc/my.cnf - primary config file
/usr/bin/mysql - primary client used to interact with the server
/usr/bin/mysqladmin - primary admin utility that returns useful info and performs admin tasks from the shell