REDHAT CE
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
NOTE: 01. Package Installation using yum
02. Config Files Changes
03. Daemons And Services Should Be Turned On using chkconfig
04. Security -> SELinux - TCPWrappers
05. Local Testing (i.e Virtual machine)
06. Remote Testing (i.e Physical Host)
Use the above guidelines for all the network questions below:
Open a new xterm on the physical host from where you can do remote testing.
From now on, (RT) stands for Remote Testing, i.e. you have to go to the
other/physical host xterm which you opened before.
Now open a new xterm; this one is for your virtual machine.
=============================================================================
You will be given DHCP or static IP in the paper.
* Start your virtual machine in single user mode.
* # setup
* if DHCP then put (*) on dhcp / if static IP given, uncheck DHCP and enter the IP given
* # lokkit --disabled
* cd /etc/yum.repos.d
* vi base.repo
[base]
baseurl=ftp://server.example.com/pub/packages
enabled=1
gpgcheck=0
* reboot
* By default your virtual machine will start in GUI
* Login with the username and password given in the exam.txt
**********************************************************************************
1> Set SELinux in Enforcing mode.
Answer:
# sestatus
# lokkit --selinux=enforcing
# getenforce (Verify) Should show Enforcing
Note: If SELinux was Disabled, then do the above step and reboot your system.
*****************************************************************************
2> Configure your host such that it can forward IPv4 packets.
Answer:
# vi /etc/sysctl.conf (Open file and change)
net.ipv4.ip_forward=1
# sysctl -p
or
# cat /proc/sys/net/ipv4/ip_forward (Verify)
*******************************************************************************
3> Setup a mail server such that natasha's mail should be spooled to
/var/spool/mail/natasha.
Your server should also accept mail remotely.
Answer:
# yum -y install sendmail*
# vi /etc/mail/sendmail.mc (Search for "127" and put dnl)
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1,Name=MTA')dnl
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
(Changes in mc are made to cf file)
# vi /etc/mail/access (Open and enter this)
.example.com RELAY
# /etc/init.d/sendmail restart
# chkconfig sendmail on
# netstat -antp | grep sendmail
Or
# yum -y install postfix*
# vi /etc/postfix/main.cf
inet_interfaces=all
myhostname=station11.example.com
mydomain=example.com
# /etc/init.d/postfix restart
# chkconfig postfix on
(RT) # mail -v natasha@192.168.0.11 (use . to end subject)
******************************************************************************
4> Do email aliasing in such a way that all mail to admin should be received by natasha.
Answer:
# vi /etc/aliases (Open file, go to last line and enter)
admin: natasha
# newaliases (To make changes work)
(RT) # sendmail -bv admin@192.168.0.11
******************************************************************************
5> Create a script in bash /root/script.sh such that, If the script is run in
the following manner
#/root/script.sh python
o/p ----> perl
#/root/script.sh perl
o/p ----> python
Make sure that if no argument is provided, then error o/p should be
displayed as
o/p ----> invalid argument
If wrong argument is provided, then error o/p should be
displayed(/directed)
o/p ----> python|perl
Answer:
# vim script.sh
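#!/bin/bash
# Exactly one argument is required
if [ $# -ne 1 ]
then
    echo -e "\n invalid argument" >&2
# perl -> python, python -> perl
elif [ "$1" = "perl" ]
then
    echo -e "\n python"
elif [ "$1" = "python" ]
then
    echo -e "\n perl"
# Any other argument: print the accepted values on stderr
else
    echo -e "\n python|perl" >&2
fi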
*******************************************************************************
6> Configure a ftp server such that user natasha can log in via ftp and
anonymous users can download. Access is allowed from example.com.
Everyone should be denied from cracker.org.
Answer:
# yum -y install vsftpd*
# vi /etc/vsftpd/vsftpd.conf (Verify for anonymous access/tcp wrappers)
anonymous_enable=yes
local_enable=yes
no_anon_password=yes
tcp_wrapper_enable=yes
# vi /etc/hosts.deny (To deny cracker.org make an entry)
vsftpd : .cracker.org
# /etc/init.d/vsftpd restart
# chkconfig vsftpd on
# setsebool -P ftp_home_dir 1 (Set boolean value of selinux as 1 for ftp)
# getsebool -a | grep ftp_home_dir (Verify)
(RT) # ftp 192.168.0.11 (ftp yourself)
user: anonymous
password: (No password)
# bye (Quit)
*******************************************************************************
7> Setup a NFS server and export /common such that it is only
accessible by example.com domain. Your share can be remotely tested from
your physical host in /net/desktopx
Answer:
# yum -y install nfs*
# vi /etc/exports (By default empty file, so make an entry)
/common *.example.com(rw,sync)
# /etc/init.d/portmap restart
# /etc/init.d/nfs restart
# chkconfig --level 35 portmap on
# chkconfig --level 35 nfs on
# showmount -e (Verify; this is for local testing)
Should show
>> /common
(RT)# showmount -e 192.168.0.11
Should show /common; this is for remote testing.
Now your local and remote testing are OK.
***************************************************************************************************
8> Mount an .iso file /root/boot.iso on /disk. This mount should be persistent across system restart.
Answer:
# vim /etc/fstab
/root/boot.iso /disk auto defaults,loop 0 0
# mount -av
# df -h
********************************************************************************
9> Setup a ssh server such that only users from example.com are allowed.
Answer:
# yum -y install openssh*
# vi /etc/hosts.deny (Edit same file)
sshd : ALL EXCEPT .example.com
# /etc/init.d/sshd restart
# chkconfig sshd on
# netstat -antp | grep sshd
(RT)# ssh john@192.168.0.11 (just login and logout)
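How the two hosts.deny entries from answers 6 and 9 are evaluated, as an added example (not part of the original notes): a simplified POSIX sh model of TCP wrappers client matching that covers only ALL, leading-dot domain suffixes and EXCEPT. The function names and sample hosts are constructed for illustration, and hosts.allow is assumed to be empty.

```sh
#!/bin/sh
# Simplified model of hosts.deny matching; this is not libwrap itself.
# Constructed sample: the two hosts.deny entries from answers 6 and 9.
HOSTS_DENY='vsftpd : .cracker.org
sshd : ALL EXCEPT .example.com'

# match_client PATTERN HOST: succeed if HOST matches one client pattern.
match_client() {
    case $1 in
        ALL) return 0 ;;
        .*)  case $2 in *"$1") return 0 ;; esac ;;  # leading dot: suffix match
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# match_list "PAT ... [EXCEPT PAT ...]" HOST: EXCEPT patterns win.
match_list() {
    incl=${1%% EXCEPT *}
    excl=
    case $1 in *" EXCEPT "*) excl=${1#* EXCEPT } ;; esac
    for pat in $excl; do
        if match_client "$pat" "$2"; then return 1; fi
    done
    for pat in $incl; do
        if match_client "$pat" "$2"; then return 0; fi
    done
    return 1
}

# decision DAEMON HOST: print "deny" or "allow".
# Assumes an empty hosts.allow, so the first hosts.deny match is final.
decision() {
    while IFS=: read -r d clients; do
        d=$(echo $d)                 # trim surrounding blanks
        clients=$(echo $clients)
        [ "$d" = "$1" ] || [ "$d" = ALL ] || continue
        if match_list "$clients" "$2"; then echo deny; return 0; fi
    done <<EOF
$HOSTS_DENY
EOF
    echo allow
}
# HOST is the name reverse DNS returned, or the bare IP if it returned none.
for h in station5.example.com host.cracker.org 192.168.0.50; do
    echo "sshd   $h -> $(decision sshd "$h")"
    echo "vsftpd $h -> $(decision vsftpd "$h")"
done
```

Name patterns are compared against the result of a reverse DNS lookup, so a client whose address does not resolve to a name under example.com is refused by the sshd rule.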
*****************************************************************************
10> Create a website by your hostname ie. "http://station11.example.com".
Copy station.html from server1.example.com/pub/
Rename this as index.html
Move it to standard document root of apache
Pre-resolution is provided by DNS server ####
Answer:
# yum -y install httpd*
# vi /etc/httpd/conf/httpd.conf (Open config file and just change this)
ServerName station11.example.com (In Section 2)
NameVirtualHost station11.example.com (In Section 3 - VH)
<VirtualHost station11.example.com>
ServerAdmin webmaster@station11.example.com
DocumentRoot /var/www/html
ServerName station11.example.com
ErrorLog logs/station11.example.com-error_log
CustomLog logs/station11.example.com-access_log common
</VirtualHost>
# /etc/init.d/httpd restart
# chkconfig httpd on
# httpd -t (To test syntax of config file)
# gftp (download station.html from server)
# mv station.html /var/www/html/index.html
# restorecon -R /var/www/html/index.html (To overcome an obstacle from SELinux)
(RT)# elinks station11.example.com
*****************************************************************************
11> Import an iSCSI disk from the server server1.example.com. The iSCSI disk
must be mounted as /mnt/iscsi
This mount should be persistent across reboot.
Answer:
# rpm -qa | grep iscsi
# yum install iscsi-initiator-utils ( # yum search iscsi )
# iscsiadm -m discovery -t st -p server1.example.com
( The above cmd will give you the IQN no. )
# iscsiadm -m node -T {copy the iqn no.} -p server1.example.com -l
# tail -f /var/log/messages <------ to see iscsi device sda or sdb
# fdisk -cu /dev/sda <------ iSCSI disk
# mkfs.ext4 /dev/sda1
# blkid /dev/sda1 <------ For UUID
# vi /etc/fstab
UUID=0077-afcd-db4 /mnt/iscsi ext4 defaults,_netdev 0 0
# chkconfig --level 35 iscsi on
# chkconfig --level 35 iscsid on
# mount -av
*****************************************************************************
12> Extend your web server to host virtual site www11.example.com.
Doc root should be /var/www/virtual.
Copy from dir - server1/pub/www.html as index.html.
Harry should be able to write contents to /var/www/virtual.
Answer:
# mkdir /var/www/virtual
# gftp (Download www.html)
# mv www.html /var/www/virtual/index.html
# vi /etc/httpd/conf/httpd.conf (Open and do the following changes)
<VirtualHost www11.example.com:80>
ServerAdmin webmaster@www11.example.com
DocumentRoot /var/www/virtual
ServerName www11.example.com
ErrorLog logs/www11.example.com-error_log
CustomLog logs/www11.example.com-access_log common
</VirtualHost>
# /etc/init.d/httpd restart
# httpd -t
# restorecon -R /var/www/virtual/index.html
# chcon -R --reference=/var/www/html /var/www/virtual
# chown -R harry /var/www/virtual
(RT)# elinks http://www11.example.com
********************************************************************************
13> Create a samba share /common.
Harry should be only able to read the content of /common.
If required harry can be asked for authentication.
Workgroup should be set to STAFF.
The share /common should be accessible and browseable only from .example.com
Password for harry is "password".
Answer:
# yum -y install samba*
# vi /etc/samba/smb.conf (Open config file and do following changes)
workgroup = STAFF (This is in global section)
encrypt passwords = yes
security = user
[common]
path = /common
read list = harry
browseable = yes
hosts allow = .example.com
# /etc/init.d/smb restart
# chkconfig smb on
# testparm (To verify)
# smbpasswd -a harry (Add a new samba user "harry" and set his password)
# pdbedit -L (Lists all samba users)
# setsebool -P samba_enable_home_dirs on (To enable sharing Home Dir of user)
# chcon -t samba_share_t /common (To overcome an obstacle from SELinux)
(RT)# smbclient //station11.example.com/common -U harry
*****************************************************************************
14> The user jean should not be allowed to add a cron job for herself.
Answer:
# vim /etc/cron.deny
jean
*****************************************************************************
15> Copy the file boot.iso to /var/www/html/secure. Secure the file & make it
available to only local host over apache webserver.
Answer:
# cp boot.iso /var/www/html/secure
# vim /etc/httpd/conf/httpd.conf
/cgi-bin <---- Search for cgi-bin
<Directory "/var/www/html/secure/boot.iso">
AllowOverride None
Order deny,allow
Allow from .example.com
Deny from All
</Directory>
******************************************************************************
16> Pass a parameter sysvctl=1 to your kernel at boot time. Changes made should
be persistent.
Answer:
# vim /boot/grub/grub.conf
boot=/dev/vda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux (2.6.32-71.el6.x86_64)
root (hd0,0)
kernel /vmlinuz-2.6.32-71.el6.x86_64 ro
root=UUID=2bb2d321-06a8-4a71-b5c5-74fd7f5d2607 rd_NO_LUKS rd_NO_LVM rd_NO_MD
rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc
KEYTABLE=us nomodeset crashkernel=auto rhgb quiet sysvctl=1 <-------add this
initrd /initramfs-2.6.32-71.el6.x86_64.img
# cat /proc/cmdline
******************************All THE BEST**************************************