RHCE Flashcards
Check current routes
route -n   (or ip route show)
create a permanent route to 172.168.1.0/24 via eth0
/etc/sysconfig/network-scripts/route-eth0
172.168.1.0/24 via 192.168.1.100 dev eth0   (give the prefix length: without it the entry becomes a host route to the single address 172.168.1.0)
restart the interface: ifdown eth0 && ifup eth0, then route -n to confirm
Configure server as NAT
/etc/sysctl.conf: net.ipv4.ip_forward = 1, then sysctl -p to re-read the file
iptables:
  -A FORWARD -i eth1 -o eth0 -j ACCEPT
  -A FORWARD -i eth0 -o eth1 -j ACCEPT   (tighter: add -m state --state ESTABLISHED,RELATED so outside hosts cannot open connections into the LAN)
  -t nat -I POSTROUTING -o eth0 -j MASQUERADE
service iptables save, otherwise the rules are gone after a reboot
test NAT working from the other server
make sure the testing server uses the NAT box as its default gateway, then ping/curl something beyond it and watch iptables -t nat -L -v -n for counters
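Added example, not one of the flashcards: the same NAT set-up written as a reviewable script. It prints the commands it would run by default and only applies them with APPLY=1 as root; the interface roles (eth1 = LAN, eth0 = upstream) and the use of a stateful return rule instead of an open eth0-to-eth1 ACCEPT are this example's assumptions.

```shell
#!/bin/bash
# Added example (not from the flashcards): NAT gateway rules as a script that can
# be reviewed before it is applied. APPLY=0 (default) prints the commands,
# APPLY=1 runs them as root and saves them. Interface roles are assumptions:
# eth1 faces the LAN, eth0 faces upstream.
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}
APPLY=${APPLY:-0}

# Forwarding must be on now and in /etc/sysctl.conf for the next boot
# (RHEL 6 ships the line set to 0, so sed only has to change the value).
forwarding_cmds() {
    cat <<'EOF'
sed -i 's/^net\.ipv4\.ip_forward *=.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
sysctl -p
EOF
}

# Stricter than "ACCEPT both directions": LAN hosts may open connections
# outward, their replies come back, and nothing else is forwarded.
nat_cmds() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Checks a reviewer wants answered before the rules go live.
forward_policy_is_drop() { nat_cmds | grep -q '^iptables -P FORWARD DROP$'; }
wan_to_lan_is_stateful() {
    nat_cmds | grep "^iptables -A FORWARD -i $WAN_IF -o $LAN_IF " \
             | grep -q -- '--state ESTABLISHED,RELATED'
}

main() {
    if [ "$APPLY" = 1 ]; then
        [ "$(id -u)" -eq 0 ] || { echo "APPLY=1 needs root" >&2; return 1; }
        forwarding_cmds | sh -e
        nat_cmds | sh -e
        service iptables save      # RHEL 6: writes /etc/sysconfig/iptables
    else
        forwarding_cmds
        nat_cmds
    fi
}
main
```

Run it once without APPLY to read the rule set, then `APPLY=1 ./nat.sh` on the gateway; `iptables -L FORWARD -v -n` afterwards should show the DROP policy and the two ACCEPT rules with their counters moving when a LAN host goes out.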
list which daemons honour TCP wrappers (link against libwrap / call hosts_access)
strings -f /usr/sbin/* | grep hosts_access
allow all traffic from example.net, deny the rest
/etc/hosts.allow:
ALL : .example.net   (do not forget the leading dot: it matches any host whose name ends in .example.net, which needs working reverse DNS)
/etc/hosts.deny:
ALL : ALL
(hosts.allow is checked first and a match there wins; then hosts.deny; a client matched by neither file is allowed)
allow ssh from subnet 192.168.1.0 except 192.168.1.101
sshd : 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.101   [or]
sshd : 192.168.1. EXCEPT 192.168.1.101   (trailing dot = address prefix)
both go in hosts.allow; without sshd : ALL (or ALL : ALL) in hosts.deny every other client is still let in
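The hosts.allow / hosts.deny cards above are easy to get subtly wrong (leading versus trailing dot, EXCEPT, which file is consulted first). The script below is an added example, not part of the flashcards and not libwrap itself: it evaluates the pattern forms the cards use against a client address and name so a rule set can be checked before it is installed. The sample rule files it writes are constructed for the example; the client addresses and names fed to it are assumptions.

```shell
#!/bin/bash
# Added example, not from the flashcards and not libwrap: evaluates the client
# patterns used in hosts.allow / hosts.deny (ALL, leading-dot domain suffix,
# trailing-dot address prefix, net/mask, EXCEPT) with the allow-then-deny order,
# so a rule set can be tested against a client before it locks you out.
set -f   # patterns are matched with case, never expanded against filenames

# ip2int A.B.C.D -> 32-bit integer, for netmask comparison
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NET MASK -> 0 if IP is inside NET/MASK
in_net() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# match_pattern PATTERN IP HOSTNAME -> 0 if the client matches one pattern
match_pattern() {
    local pat=$1 ip=$2 host=$3
    case $pat in
        ALL) return 0 ;;
        .*)  case $host in *"$pat") return 0 ;; esac ;;   # .example.net: name suffix
        *.)  case $ip in "$pat"*) return 0 ;; esac ;;     # 192.168.1.: address prefix
        */*) in_net "$ip" "${pat%/*}" "${pat#*/}" && return 0 ;;
        *)   { [ "$pat" = "$ip" ] || [ "$pat" = "$host" ]; } && return 0 ;;
    esac
    return 1
}

# match_list "p1 p2 [EXCEPT p3 p4]" IP HOSTNAME -> 0 if the client list matches
match_list() {
    local list=$1 ip=$2 host=$3 allow except="" p hit=1
    allow=${list%% EXCEPT *}
    case $list in *" EXCEPT "*) except=${list#* EXCEPT } ;; esac
    for p in ${allow//,/ }; do match_pattern "$p" "$ip" "$host" && { hit=0; break; }; done
    [ $hit -eq 0 ] || return 1
    for p in ${except//,/ }; do match_pattern "$p" "$ip" "$host" && return 1; done
    return 0
}

# file_matches DAEMON IP HOSTNAME FILE -> 0 if a "daemon_list : client_list" line matches
file_matches() {
    local daemon=$1 ip=$2 host=$3 f=$4 line dlist clist d
    [ -f "$f" ] || return 1
    while IFS= read -r line; do
        line=${line%%#*}
        case $line in *:*) ;; *) continue ;; esac
        dlist=${line%%:*}
        clist=$(echo ${line#*:})   # unquoted on purpose: collapse whitespace
        for d in ${dlist//,/ }; do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
            match_list "$clist" "$ip" "$host" && return 0
        done
    done < "$f"
    return 1
}

# access_decision DAEMON IP HOSTNAME ALLOWFILE DENYFILE -> prints allow | deny
# hosts.allow first (a match wins), then hosts.deny, otherwise allowed.
access_decision() {
    file_matches "$1" "$2" "$3" "$4" && { echo allow; return 0; }
    file_matches "$1" "$2" "$3" "$5" && { echo deny;  return 0; }
    echo allow
}

# Sample files carrying the cards' rules (constructed for this example).
write_sample_rules() {
    cat > "$1/hosts.allow" <<'EOF'
sshd : 192.168.1. EXCEPT 192.168.1.101
ALL : .example.net
EOF
    printf 'ALL : ALL\n' > "$1/hosts.deny"
}
```

Typical use: `d=$(mktemp -d); write_sample_rules "$d"; access_decision sshd 192.168.1.101 host101 $d/hosts.allow $d/hosts.deny` prints deny, the same call with 192.168.1.50 prints allow. On the real host the equivalent check is `tcpdmatch sshd 192.168.1.101`, which reads the live files.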
make an RPM that packages iptables.sh
install rpmdevtools; rpmdev-setuptree (creates ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}); create folder package-1.0 holding the script and tar it: tar -czf ~/rpmbuild/SOURCES/package-1.0.tar.gz package-1.0; cd ~/rpmbuild/SPECS && rpmdev-newspec mytest; fill in Name/Version/Source0, %prep (%setup -q), %install and %files; rpmbuild -ba -v SPECS/mytest.spec
test the RPM package
rpm -qpl package.rpm and rpm -qp --scripts package.rpm first (see what it installs and runs as root), then rpm -ivh package.rpm and rpm -ql package
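Added example, not from the flashcards: the scaffolding the card only hints at, as a script that lays out the rpmbuild tree, tars the source, writes a complete spec and calls rpmbuild. The package name (iptables-rules), version, install path (/usr/local/sbin, mode 0750 so the firewall script is not group/world writable) and packager line are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the flashcards): build an RPM that installs iptables.sh.
# Assumed names: package iptables-rules 1.0, packager "RHCE Student".
# Needs rpm-build (and rpmdevtools for rpmdev-* helpers) to actually build.
PKG=${PKG:-iptables-rules}
VER=${VER:-1.0}
TOP=${TOP:-$HOME/rpmbuild}

# Print the spec. %files fixes owner and mode so the installed script is
# root-owned and not writable by anyone else.
gen_spec() {
    cat <<EOF
Name:           $PKG
Version:        $VER
Release:        1%{?dist}
Summary:        Firewall rule script
License:        GPLv2
Group:          Applications/System
Source0:        %{name}-%{version}.tar.gz
BuildArch:      noarch
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root
Requires:       iptables

%description
Installs iptables.sh, the site firewall rule script.

%prep
%setup -q

%build
# nothing to compile

%install
rm -rf %{buildroot}
install -d -m 0755 %{buildroot}/usr/local/sbin
install -m 0750 iptables.sh %{buildroot}/usr/local/sbin/iptables.sh

%clean
rm -rf %{buildroot}

%files
%defattr(-,root,root,-)
%attr(0750,root,root) /usr/local/sbin/iptables.sh

%changelog
* Mon Jan 02 2012 RHCE Student <student@example.com> - $VER-1
- Initial package
EOF
}

# stage_sources PATH_TO_iptables.sh: create the tree (same layout as
# rpmdev-setuptree), the %{name}-%{version} tarball that %setup expects, and the spec.
stage_sources() {
    local src=$1 work
    mkdir -p "$TOP"/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
    work=$(mktemp -d)
    mkdir "$work/$PKG-$VER"
    cp "$src" "$work/$PKG-$VER/iptables.sh"
    tar -C "$work" -czf "$TOP/SOURCES/$PKG-$VER.tar.gz" "$PKG-$VER"
    gen_spec > "$TOP/SPECS/$PKG.spec"
    rm -rf "$work"
}

build_rpm() {
    stage_sources "$1"
    rpmbuild -ba "$TOP/SPECS/$PKG.spec"   # binary rpm under RPMS/noarch, source rpm under SRPMS
}

if [ $# -eq 1 ]; then build_rpm "$1"; fi
```

`./mkrpm.sh ./iptables.sh` builds the package; before `rpm -ivh`, `rpm -qpl` and `rpm -qp --scripts` on the result confirm it only drops the one file and carries no scriptlets.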
configure the iSCSI initiator for target 192.168.1.200
yum install iscsi-initiator-utils
iscsiadm -m discoverydb -t st -p 192.168.1.200 -D   (discover targets), then iscsiadm -m node -l to log in; the new disk shows up in fdisk -l
make sure the "iscsi" and "iscsid" services are on (chkconfig iscsi on; chkconfig iscsid on)
partition and mount as usual (fstab options = _netdev 0 0, so the mount waits for the network)
make iSCSI permanent and test after reboot
as any other ext4 drive, but use UUID= or LABEL= in fstab: the /dev/sdX name of a network disk can change between boots
create a report that shows CPU (and the other counters) usage for the last 5 minutes in intervals of 1 minute
sar -u 60 5   (interval in seconds, then count: 5 samples 60 s apart; "sar -u 1 5" would be 5 samples one second apart)
from the day's log instead: sar -u -s HH:MM:SS -e HH:MM:SS, but only at the interval cron collects (10 min by default)
generate a report from a sar log
sadf -d /var/log/sa/saDD   (DD = day of month, 01..31)
change sysstat data capture to 11pm
/etc/cron.d/sysstat: change the sa1 line to 0 23 * * * root /usr/lib64/sa/sa1 1 1 (/usr/lib/sa on 32-bit), then service sysstat restart; chkconfig sysstat on
configure 101 to send logs to 100
on 100: open ports tcp/udp 514
/etc/rsyslog.conf: uncomment the 4 lines ($ModLoad imudp / $UDPServerRun 514 / $ModLoad imtcp / $InputTCPServerRun 514); service rsyslog restart
on 101:
/etc/rsyslog.conf: *.* @@…100:514   (@@ = TCP, a single @ = UDP); service rsyslog restart
test with logger on 101
logger -p user.warn "test text", then tail /var/log/messages on 100
configure a Vhost www.mysite.com with root folder at /www/mysite/html
create the folder and set the SELinux context: semanage fcontext -a -t httpd_sys_content_t "/www/mysite(/.*)?" ; restorecon -Rv /www/mysite
create the Vhost in httpd.conf: NameVirtualHost *:80 and a <VirtualHost *:80> block with ServerName www.mysite.com and DocumentRoot /www/mysite/html; httpd -t; service httpd reload
test the Vhost
make sure the hosts entry for www.mysite.com is in /etc/hosts on the client (or in DNS), then elinks or curl http://www.mysite.com
create Vhost www.mysite2.com
nothing new: same steps with ServerName www.mysite2.com and its own DocumentRoot (name-based vhosts are told apart by the Host header only, so the first vhost defined answers for any unknown name)
create a private directory denied to 101
Order allow,deny
Allow from all
Deny from …101
make a dir prompt for a password for user test2
add to the Directory directive: AuthType Basic / AuthName "private access" / AuthUserFile "whatever/.htpasswd" / Require valid-user. Create the password file: htpasswd -c whatever/.htpasswd test2 (-c only the first time, it overwrites). Keep the file outside DocumentRoot, and remember Basic auth only base64-encodes the password: use it over HTTPS.
make the mysite folder a group folder for webdevs (add test2 to the group)
usermod -aG webdevs test2; chown -R root:webdevs /www/mysite/html; chmod -R 2775 /www/mysite/html (setgid keeps new files in the group; apache needs read only)
Deploy a CGI app at mysite
create the cgi-bin folder and the pl script:
  #!/usr/bin/perl
  print "Content-type: text/html\n\n";
  print "Hello";
chmod 755 the script; SELinux context for the folder: semanage fcontext -a -t httpd_sys_script_exec_t "/www/mysite/html/cgi-bin(/.*)?" ; restorecon -Rv /www/mysite/html/cgi-bin
add to the Vhost directive: ScriptAlias /cgi-bin/ /www/mysite/html/cgi-bin/ and, in a <Directory /www/mysite/html/cgi-bin> block, Options +ExecCGI and AddHandler cgi-script .pl .cgi (keep ExecCGI limited to that directory)
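The five Apache cards above add up to one vhost. Here they are assembled, as an added example that is not part of the flashcards: a generator for the httpd 2.2 (RHEL 6) configuration plus the SELinux and password-file commands. The client to block (192.168.1.101), the htpasswd location under /etc/httpd/conf and the -Indexes / AllowOverride None hardening are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the flashcards: generate the httpd 2.2 vhost the cards
# describe (name-based vhost, a directory closed to one client, a directory
# behind HTTP basic auth, and a cgi-bin). Assumptions: the site name and
# document root below, blocked client 192.168.1.101, htpasswd file kept in
# /etc/httpd/conf so it can never be served.
SITE=${SITE:-www.mysite.com}
DOCROOT=${DOCROOT:-/www/mysite/html}
BLOCKED=${BLOCKED:-192.168.1.101}
HTPASSWD=${HTPASSWD:-/etc/httpd/conf/$SITE.htpasswd}

vhost_conf() {
    cat <<EOF
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName $SITE
    DocumentRoot $DOCROOT
    ErrorLog logs/$SITE-error_log
    CustomLog logs/$SITE-access_log combined

    <Directory "$DOCROOT">
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # private/: everyone except one client address
    <Directory "$DOCROOT/private">
        Order allow,deny
        Allow from all
        Deny from $BLOCKED
    </Directory>

    # secure/: basic auth (base64 only, so serve this over HTTPS in real life)
    <Directory "$DOCROOT/secure">
        AuthType Basic
        AuthName "private access"
        AuthUserFile $HTPASSWD
        Require valid-user
    </Directory>

    # cgi-bin/: the only place scripts execute, and only .pl/.cgi files
    ScriptAlias /cgi-bin/ "$DOCROOT/cgi-bin/"
    <Directory "$DOCROOT/cgi-bin">
        Options +ExecCGI -Indexes
        AddHandler cgi-script .pl .cgi
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
EOF
}

# Commands that create the tree, label it for SELinux and create the password
# file (run as root on the web server; semanage is in policycoreutils-python).
setup_cmds() {
    cat <<EOF
mkdir -p $DOCROOT/private $DOCROOT/secure $DOCROOT/cgi-bin
semanage fcontext -a -t httpd_sys_content_t "$DOCROOT(/.*)?"
semanage fcontext -a -t httpd_sys_script_exec_t "$DOCROOT/cgi-bin(/.*)?"
restorecon -Rv $DOCROOT
htpasswd -c $HTPASSWD test2
chown root:apache $HTPASSWD && chmod 640 $HTPASSWD
EOF
}

if [ "${1:-}" = conf ]; then vhost_conf; elif [ "${1:-}" = setup ]; then setup_cmds; fi
```

`./vhost.sh conf > /etc/httpd/conf.d/www.mysite.com.conf`, `./vhost.sh setup | sh -e`, then `httpd -t` and `service httpd reload`; `curl -u test2 http://www.mysite.com/secure/` from an allowed client and a plain `curl http://www.mysite.com/private/` from 192.168.1.101 (expect 403) exercise the two access controls.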
configure a caching-only name server, allow only 101 to query
open tcp/udp 53
/etc/named.conf (options block):
listen-on port 53 { 127.0.0.1; <the server's own IP>; };
allow-query { localhost; …101; };   (set allow-recursion to the same list: a recursive resolver open to everyone is a DNS amplification source)
service named restart; chkconfig named on; test from 101 with dig @…100 <name>
configure it to forward DNS to 200
/etc/named.conf (same options block):
forward only;
forwarders { 192.168.1.200; };
configure an anonymous-only download ftp
/etc/vsftpd/vsftpd.conf:
anonymous_enable=YES
local_enable=NO
anon_upload_enable=NO   (also anon_mkdir_write_enable=NO; with write_enable=NO nothing can be written at all)
create a file in /var/ftp/pub (context public_content_t) and test from 101
lftp …100, then get <file> and bye
deny ftp access to 101
/etc/hosts.allow: vsftpd : ALL EXCEPT …101 ; /etc/hosts.deny: vsftpd : ALL   (vsftpd on RHEL honours tcp wrappers, tcp_wrappers=YES)
test ftp from 101 and remove the restriction
nothing new: the connection from 101 must be refused; delete the two lines afterwards
create an NFS share /shared belonging to the webdevs group
nfs-utils must be installed
/etc/sysconfig/nfs: uncomment the port directives (LOCKD_TCPPORT, LOCKD_UDPPORT, MOUNTD_PORT, STATD_PORT, RQUOTAD_PORT) and note the numbers
open ports: udp 111 plus those; tcp 111, 2049 plus those (NFSv4 on its own only needs tcp 2049)
mkdir /shared; chown root:webdevs /shared; chmod 2775 /shared; make sure setype = public_content_t (for a writable share public_content_rw_t, or rely on the nfs_export_all_rw boolean, which is on by default)
/etc/exports: /shared …101(rw,sync)   or   /shared *(rw,sync)   (the * form exports to every host; prefer the host list)
test it and make it permanent
exportfs -ra
showmount -e <server>
on 101: mount -t nfs4 -o rw <server>:/shared /mnt   (<server> = the host exporting /shared)
add it to fstab: <server>:/shared /mnt nfs4 rw,_netdev 0 0
remove it from fstab and use automount for shared
/etc/auto.master: /mnt /etc/auto.misc
/etc/auto.misc: test2 -rw,soft,intr <server>:/shared
service autofs restart; chkconfig autofs on; ls /mnt/test2 triggers the mount
share home dirs in Samba
yum install samba
open ports udp 137,138 and tcp 139,445
enable the SELinux boolean: setsebool -P samba_enable_home_dirs on (the [homes] section of smb.conf does the sharing)
create the samba user: smbpasswd -a user   (the account must already exist in /etc/passwd)
create /share2 for test2 and test it; prevent access from putonazo
(use testparm to check the syntax)
/etc/samba/smb.conf:
[share2]
  path = /share2
  valid users = test2
  invalid users = putonazo   (invalid users wins over valid users)
  write list = test2
  writeable = yes
  create mask = 0775
SELinux for the folder: semanage fcontext -a -t samba_share_t "/share2(/.*)?" ; restorecon -Rv /share2
create webshare for webdevs
[webshare]
  browseable = yes
  path = /webshare
  force group = +webdevs
  valid users = @webdevs
  write list = @webdevs
  create mask = 0770
  directory mask = 2770
test access from 101 as test2, make it permanent
smbclient -L …100 -U test2
mkdir -p /webshare
mount -t cifs -o rw,credentials=/root/.smbcred //…100/webshare /webshare   (credentials file holds username= and password=, mode 600; a password on the command line ends up in ps output and shell history)
permanent: the same mount in fstab with _netdev; chkconfig smb on
prevent access to share2 from 200 and make user test2 read only
[share2]
hosts deny = …200
read list = test2   (and take test2 out of write list: a user in both lists gets write access)
test, then change to allow only the 192.168.1.0 network
hosts allow = 192.168.1.
configure postfix to deny the sender user@gmail.com, reject the network 172.168.1.0 and accept from …101
open port 25
/etc/postfix/access:
user@gmail.com   REJECT
172.168.1        REJECT
192.168.1.101    OK
postmap /etc/postfix/access
the map does nothing until main.cf references it: smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access and smtpd_client_restrictions = check_client_access hash:/etc/postfix/access; then service postfix reload
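How a client address or sender is looked up in that access map is what decides whether "172.168.1" really covers the whole network. The script below, an added example rather than one of the flashcards and not Postfix's own code, writes the card's map and simulates the lookup order Postfix documents: full IP then shorter dotted prefixes for check_client_access, user@domain then the domain and its parents then user@ for check_sender_access. The test addresses (172.168.1.55, 10.1.2.3, other@gmail.com) are assumptions.

```shell
#!/bin/bash
# Added example, not from the flashcards and not Postfix code: write the access
# map the card describes and simulate the lookup order Postfix applies to it,
# so rules can be checked before postmap + reload. Addresses are the card's;
# DUNNO means "no entry", i.e. the next restriction decides.
set -f

# The map exactly as it goes into /etc/postfix/access.
access_map() {
    cat <<'EOF'
# key (sender or client)     action
user@gmail.com               REJECT
172.168.1                    REJECT
192.168.1.101                OK
EOF
}

# lookup KEY (map on stdin) -> prints the action for an exact key, status 1 if none
lookup() {
    local key=$1 k action
    while read -r k action; do
        case $k in ''|\#*) continue ;; esac
        [ "$k" = "$key" ] && { echo "$action"; return 0; }
    done
    return 1
}

# check_client_access order for an IPv4 client: a.b.c.d, a.b.c, a.b, a
client_action() {
    local key=$1 action
    while :; do
        action=$(access_map | lookup "$key") && { echo "$action"; return 0; }
        case $key in *.*) key=${key%.*} ;; *) break ;; esac
    done
    echo DUNNO
}

# check_sender_access order: user@domain, domain and its parent domains, user@
sender_action() {
    local addr=$1 user=${1%@*} key=${1#*@} action
    action=$(access_map | lookup "$addr") && { echo "$action"; return 0; }
    while [ -n "$key" ]; do
        action=$(access_map | lookup "$key") && { echo "$action"; return 0; }
        case $key in *.*) key=${key#*.} ;; *) key= ;; esac
    done
    action=$(access_map | lookup "$user@") && { echo "$action"; return 0; }
    echo DUNNO
}

# main.cf lines that make Postfix consult the map at all.
maincf_lines() {
    cat <<'EOF'
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access
EOF
}
```

Installing it on the server is `access_map > /etc/postfix/access && postmap /etc/postfix/access && service postfix reload` after the main.cf lines are in place. Note that OK for a client only ends the client restriction list early; it does not grant relaying, which stays governed by mynetworks and smtpd_recipient_restrictions.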
redirect root's email to test2
/etc/aliases: root: test2
newaliases
configure it to accept email from …101
/etc/postfix/main.cf:
inet_interfaces = all
mydestination = $myhostname, $mydomain, $myorigin
(to let …101 relay through this server as well: mynetworks = 127.0.0.0/8, …101)
test it from 101
telnet …100 25, then HELO / MAIL FROM / RCPT TO / DATA by hand and watch /var/log/maillog on 100
configure it to relay through 200
main.cf:
relayhost = …200   (write it as […200] to skip the MX lookup)
Allow user hades sshd access from 101 but not from 200, and deny devgroup
/etc/ssh/sshd_config:
AllowUsers hades@…101   (user@host is one word; "hades @…101" allows hades from anywhere)
DenyUsers hades@…200
DenyGroups devgroup
order checked: DenyUsers, AllowUsers, DenyGroups, AllowGroups; as soon as AllowUsers exists every user not listed is locked out, so keep a session open while you sshd -t and service sshd reload
allow an ssh connection for user hades between 100 and 101 with a key
su - hades on both
ssh-keygen -t rsa -b 4096   (set a passphrase; the private key stays on the host)
ssh-copy-id -i ~/.ssh/id_rsa.pub otherip
test it
nothing new: ssh otherip logs in without a password prompt (only the passphrase, if set); check ~/.ssh is 700 and authorized_keys 600 on the far side
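AllowUsers/DenyUsers mistakes lock administrators out, and the card's rule set is a typical one. The script below is an added example, not one of the flashcards and not sshd's code: it evaluates a login against those directives in the order sshd(8) documents (DenyUsers, AllowUsers, DenyGroups, AllowGroups), with user@host patterns and shell-style wildcards. The addresses (192.168.1.101 allowed, 192.168.1.200 denied, 192.168.1.50 as a third host) and group memberships are assumptions.

```shell
#!/bin/bash
# Added example, not from the flashcards and not sshd's own code: check a login
# against AllowUsers / DenyUsers / DenyGroups / AllowGroups in the order sshd(8)
# gives (DenyUsers, AllowUsers, DenyGroups, AllowGroups). Assumed addresses:
# 192.168.1.101 is the allowed client, 192.168.1.200 the denied one.
set -f   # patterns contain * and must not be expanded against filenames

ALLOW_USERS="hades@192.168.1.101"
DENY_USERS="hades@192.168.1.200"
DENY_GROUPS="devgroup"
ALLOW_GROUPS=""

# user_matches USER HOST "pattern ..." -> 0 if a USER[@HOST] pattern matches.
# HOST is the client address or name; * and ? work as in sshd_config.
user_matches() {
    local user=$1 host=$2 p pu ph
    for p in $3; do
        case $p in *@*) pu=${p%@*}; ph=${p#*@} ;; *) pu=$p; ph='*' ;; esac
        case $user in $pu) case $host in $ph) return 0 ;; esac ;; esac
    done
    return 1
}

# group_matches "group ..." "pattern ..." -> 0 if any of the user's groups matches
group_matches() {
    local g p
    for g in $1; do
        for p in $2; do case $g in $p) return 0 ;; esac; done
    done
    return 1
}

# ssh_login_allowed USER HOST "groups of USER" -> prints allow or the denying directive
ssh_login_allowed() {
    local user=$1 host=$2 groups=$3
    [ -n "$DENY_USERS" ]   && user_matches "$user" "$host" "$DENY_USERS"    && { echo "deny: DenyUsers";   return 1; }
    [ -n "$ALLOW_USERS" ]  && ! user_matches "$user" "$host" "$ALLOW_USERS" && { echo "deny: AllowUsers";  return 1; }
    [ -n "$DENY_GROUPS" ]  && group_matches "$groups" "$DENY_GROUPS"        && { echo "deny: DenyGroups";  return 1; }
    [ -n "$ALLOW_GROUPS" ] && ! group_matches "$groups" "$ALLOW_GROUPS"     && { echo "deny: AllowGroups"; return 1; }
    echo allow
}
```

`ssh_login_allowed root 192.168.1.101 root` answers "deny: AllowUsers": the moment AllowUsers names anyone, every other account is refused, which is the lock-out the card's rule set produces if root or the admin is not also listed. On the host itself `sshd -t` validates the file before `service sshd reload`.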
configure as NTP server
open port udp 123
/etc/ntp.conf: remove noquery (and nopeer) from the restrict line that covers the clients, or better keep "restrict default kod nomodify notrap nopeer noquery" and add one line just for them: restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
service ntpd restart; chkconfig ntpd on
configure 101 to use 100 as NTP server
/etc/ntp.conf:
server …100 iburst   (drop the public pool servers if only 100 should be used)
service ntpd restart; ntpq -p shows 100 with an asterisk once it is selected