Ch 11: Managing Network Connections
GUI based tools
Network Configuration via GUI works mostly
Gnome-System-->Administration-->Network
Troubleshooting
Start at bottom of TCP/IP stack
1 - Check cables on local card and on routers/gateway etc
2 - Check that card is properly installed and has the correct drivers
3 - Check the settings for the card to make sure you do not have mismatches
4 - If all else fails get a NIC that is supported in Linux
Checking Links
/sbin/ethtool -- lots of help info
/sbin/ethtool | less -- nothing because help output goes to stderr (ethtool 2>&1 | less)
sudo /sbin/ethtool eth1 -- settings for eth1
Settings for eth1:
Supported ports: [ MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 2
Transceiver: external
Auto-negotiation: on
Supports Wake-on: g
Wake-on: d
Link detected: yes
sudo /sbin/ethtool -i eth1 -- driver information
driver: forcedeth
version: 0.61
firmware-version:
bus-info: 0000:00:12.
sudo /sbin/ethtool -S eth1 -- Statistics
sudo /sbin/ethtool -s eth1 speed 100 duplex full autoneg off -- change card settings temp.
-- /etc/sysconfig/network-scripts/ifcfg-eth1 contains “permanent” settings
-- less /usr/share/doc/initscripts-*/sysconfig.txt
sudo netstat -i -- network statistics
sudo netstat -nap -- information about all network processes
Managing Network Connections
sudo /sbin/service
Usage: service < option > | --status-all | [ service_name [ command | --full-restart ] ]
/sbin/service network restart or status or stop or start
sudo /sbin/chkconfig
usage: chkconfig --list [name]
chkconfig --add
chkconfig --del
chkconfig --override
chkconfig [--level ]
less /usr/share/doc/initscripts-*/sysconfig.txt
sudo /sbin/ifdown eth1
sudo /sbin/ifup eth1
Viewing Ethernet Connection Information
/sbin/ifconfig -- connection info for all active (add -a to get inactive) connections
/sbin/ip addr show eth1 -- similar information
/sbin/ip a -- info for all interfaces
/sbin/ip help -- (addr help, route help, tunnel help)
ipcalc -bmn 192.168.1.0/24
NETMASK=255.255.255.0
BROADCAST=192.168.1.255
NETWORK=192.168.1.0
Wireless Connections
Use the GUI if at all possible
wireless-tools, ndiswrapper, etc from rpm.livna.org
/sbin/lspci | grep wireless -- to see wireless PCI cards
/sbin/iwconfig -- same sort of info as ifconfig but for wireless
/sbin/iwconfig --help -- essid, channel, sens, key, .....
Dial-Up Modems – Skipped
Checking Name Resolution
cat /etc/resolv.conf
nameserver 208.180.42.68
nameserver 208.180.42.100
dig www.google.com or www.newegg.com -- search the servers in resolv.conf
dig www.google.com @4.1.2.1 -- search a specific server
dig +trace www.google.com -- recursively trace DNS servers from the root down
host 208.180.42.100 -- reverse DNS lookup
More Troubleshooting
/sbin/ip route -- like old route command
172.16.240.0/24 dev vmnet8 proto kernel scope link src 172.16.240.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
172.16.140.0/24 dev vmnet1 proto kernel scope link src 172.16.140.1
default via 192.168.1.1 dev eth1
ping gateway to see if connected
/sbin/arp -v -- list ARP cache entries by name
Address HWtype HWaddress Flags Mask Iface
DirectvDvr ether 00:50:00:d4:bb:5c C eth1
home ether 00:15:6c:8c:61:44 C eth1
Gimli ether 00:17:02:bb:1e:5b C eth1
traceroute www.ttu.edu -- * * * probably means firewall
sudo traceroute -T 129.118.51.8 -- use TCP packets not default UDP (bypass firewall)
sudo traceroute -n ... -- disable name resolution
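The bottom-up troubleshooting order above (link, address/route, gateway, name resolution) as an added shell script; it is not from the notes. Each check parses command output passed in as text, so it can be exercised on captured output; the live driver assumes eth1 and runs only when RUN_LIVE=1 (ethtool needs root).

```shell
# Added example (not from the notes): walk the TCP/IP stack from the bottom up.
# link_up TEXT -> succeeds when an ethtool dump reports "Link detected: yes"
link_up() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*Link detected: yes$'
}

# link_speed TEXT -> print "SPEED/DUPLEX" (e.g. 100Mb/s/Full) from ethtool output
link_speed() {
    local speed duplex
    speed=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Speed: //p')
    duplex=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Duplex: //p')
    printf '%s/%s\n' "$speed" "$duplex"
}

# default_gw TEXT -> print "GATEWAY DEVICE" from `ip route` output, fail if none
default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3, $5; found = 1 }
                              END { exit !found }'
}

# has_nameserver TEXT -> succeeds when resolv.conf text names at least one server
has_nameserver() {
    printf '%s\n' "$1" | grep -Eq '^nameserver[[:space:]]+[0-9a-fA-F.:]+'
}

# walk IFACE -> run the checks on the live system, stopping at the first failure
walk() {
    local iface=$1 eth gw
    eth=$(sudo /sbin/ethtool "$iface" 2>&1) || { echo "cannot query $iface"; return 1; }
    link_up "$eth" || { echo "1: no link on $iface (cable, switch port, driver?)"; return 1; }
    echo "link: $(link_speed "$eth")"
    gw=$(default_gw "$(/sbin/ip route)") || { echo "2: no default route"; return 1; }
    echo "gateway: $gw"
    ping -c 1 -W 2 "${gw%% *}" >/dev/null || { echo "3: gateway unreachable"; return 1; }
    has_nameserver "$(cat /etc/resolv.conf)" || { echo "4: no nameserver in resolv.conf"; return 1; }
    dig +short www.google.com >/dev/null || { echo "5: DNS query failed"; return 1; }
    echo "all checks passed"
}

# Live run is opt-in so the functions can be sourced and tested offline.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    walk "${IFACE:-eth1}"   # IFACE is an assumed variable name, default eth1
fi
```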
Network Statistics
netstat -s -- summary of TCP, ICMP, UDP connections
netstat -tanp -- TCP connection information
netstat -uanp -- UDP
Other Useful Tools
sudo /usr/sbin/tcpdump -- (-v or -vv for more stuff)
wireshark
nmap
CH 12: Accessing Network Resources
Sometimes, even when a GUI is available, command line commands are VERY useful
Browse the web
lynx -- old text based browser
links -- newer command but /usr/bin/links -> elinks
elinks -- the current “choice” allows mouse use & colors in terminal session
-- Control Keys Table 12-1 pg. 210 (Esc toggles menu on/off)
Transferring Files -- wget
-- download files using http or ftp
wget http://rpmfind.net/linux/sourceforge/f/fe/fedorafrog/fedora_frog-1.0-8.0.3.i386.rpm
wget ftp://rpmfind.net/linux/sourceforge/f/fe/fedorafrog/fedora_frog-1.0-8.0.3.i386.rpm
wget --user=someuser --password=passwordforuser ftp://somedir.com/somefile
wget ftp://user:password@someserver.com/somefile
-- download single web page
wget http://jdurrett.ba.ttu.edu/3351/index.html
-- download single page along with required images, etc and use local file names
wget -pk http://jdurrett.ba.ttu.edu/3351/index.html
-- append html to downloaded files so .cgi or .asp etc will work locally
wget -E http://jdurrett.ba.ttu.edu
-- recursively mirror entire site -- be careful!!!!
wget -m http://jdurrett.ba.ttu.edu
-- combining above we get
wget -mEkK http://jdurrett.ba.ttu.edu
-- restart an incomplete download
wget http://example.com/DVD.iso -- start download
--- assume it is interrupted here ---
wget -c http://example.com/DVD.iso -- finish
Transferring Files -- curl
-- curl (client for URLs) is also available for single shot downloads
Transferring Files -- lftp
lftp mirrors.kernel.org -- anonymous connection
lftp bob:mypasswd@server1 -- authenticated connection but bad to type pass this way
lftp -u bob server1 -- will ask for password
-- once session is open
pwd, cd, ls, get (download), put (upload), Ctl-z (set download to background),
mget (get all in.), mput (put all in), bookmark, quit
Transferring Files -- ssh
-- warning you do NOT get a warning about overwriting existing files when using some of these
scp mfile bob@server1:/home/bob/tmp -- file up, will ask for password
scp server1:/home/bob/myfile ./ -- file down, assumes bob is current user
scp -p ... -- preserves permissions and timestamps
scp -P 4382 ... -- use port 4382 not the default of 22
scp -r mydir bob@server1 -- recurse mydir and copy all
-- sftp uses ssh but allows an ftp like interface ( ? for a list of commands)
sftp bob@server1 -- then use any of the ftp commands to copy & move around
Sharing remote directories -- NFS (Network File System)
-- works in some Windows ops too
service nfs start -- starts the service; configs are /etc/sysconfig/nfs and /etc/exports
/usr/sbin/exportfs -v -- shows all shared directories along with permissions
service nfs reload -- reload nfs with changes to /etc/exports
exportfs -r -- load changes to /etc/exports
exportfs -vr -- same, verbose
/usr/sbin/showmount -e -- show directories available on local system
showmount -e client.server1.com -- show directories available on other system
mount server.example.com:/export/myshare /Gandalf/nfsDIR -- mount remote (nfs3)
mount -o rw,hard,intr ... -- options can also be entered on the mount line
mount -t nfs4 -- nfs4 is more versatile but less used might not work
Sharing remote directories -- SAMBA
-- SMB (server message block) is old; cifs is the current file system type
-- GUI config tools are available (swat is a nice easy web interface)
sudo yum install samba-swat
sudo /sbin/chkconfig swat on
sudo /etc/init.d/xinetd start
elinks http://localhost:901/
findsmb -- scan network for shares
*=DMB
+=LMB
IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
---------------------------------------------------------------------
192.168.1.2 Gandalf [WIZARDS] [Unix] [Samba 3.0.21c]
smbtree -- text representation of network shares
Password:
WIZARDS
\\ARIEL
\\ARIEL\C$ Default share
\\ARIEL\Belinda (C)
\\ARIEL\Easy (E)
sudo smbpasswd -a bob -- add an existing Linux user as a samba user
smbclient -L Ariel -- list services available by a server to current user or anonymous
smbclient -L Ariel -U bob
smbclient //192.168.1.1/myshare -U bob -- ftp style connection
-- mounting
sudo mount -t cifs -o username=bob,password=mypass //server1/myshare /where/I/mountedit
sudo mount -t cifs '//Ariel/Easy (E)' /Gandalf/Belinda/Easy \
    -o credentials=/home/bob/.cred,uid=500,gid=500
smbstatus -- current mount and lock status
nmblookup Ariel -- lookup IP for samba server Ariel
testparm -- check samba configuration
testparm -v | less -- show default parameters you did not set
Sharing remote directories -- sshfs --
yum install fuse-sshfs
sshfs bob@server1:/home/bob/myshare /Gandalf/RemoteSites/bob -- mount, will ask for password
sudo umount /Gandalf/RemoteSites/bob -- unmount
Ch 13: Remote System Admin
Most professional linux admins do not run X on production servers
Thus command line admin is a necessity
Old tools like telnet, ftp, rsh, rexec, rcp are security risks (text userid and password)
Modern tools like ssh, scp, sftp are much more secure
Legacy tools are sometimes good for troubleshooting
telnet www.google.com 80
GET / HTTP/1.0
--- extra carriage return here
HTTP/1.1 200 OK
Remote admin with ssh
Configuration
-- make sure sshd service is running by default
-- /etc/ssh/sshd_config server configuration file
Port 1248
X11Forwarding yes
AllowTcpForwarding no
-- /etc/ssh/ssh_config client configuration file
ForwardX11 yes (or ssh -X bob@someserver each time you connect)
Regular use
ssh bob@server1 -- the 'correct' way to change users
ssh server1 -- login to remote as current user
ssh -p 1248 bob@server1 -- port other than default of 22
ssh tunneling
ssh -X or with configuration correctly setup kcalc etc
ssh -L 1234:localhost:631 remoteserver -- tunnel CUPS server
ssh -l remoteuser -nNT -R 1100:129.118.49.11:22 remoteip -p remotesshport
ssh user@remotehost -L 24800:remotehost:25 -N
-- use myserver to connect to internet
ssh -L 12345:google.com:80 myserver -- -L takes localport:host:hostport
-- ssh as a SOCKS Proxy
ssh -D 12345 myserver //look at man pages
then change connection settings in firefox to match
(preferences-advanced-settings-manual connection SOCKS:localhost port:12345)
ssh public key login
cat ~/.ssh/known_hosts -- existing public keys for previous connections
ssh-keygen -- generate public / private keys for current user
-- leaving password prompt blank makes connections easy but is risky
copy ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys2 on remote server
ssh-agent -- gives the ability to store keys for duration of this session
eval $(ssh-agent) -- starts the agent and adds its vars to the environment
ssh-add -- will add default private key (from ssh-keygen) to the agent
Using screen: A rich remote shell Cool!!!
ssh gives you one temporary screen at a time; if it times out or dies you lose everything
yum install screen (FC8 by default)
ssh into remote server
screen -- you now have a screen running on remote server
screen -ls -- list active screens
Ctrl-a, d -- detach screen, leave it running but return to ssh terminal window
Ctrl-a, ? -- help
screen -r -- reattach to a previously detached screen (works even after quitting ssh)
screen -r 7089.pts-2.myserver -- reattach if are multiple detached screens
screen -S mysession -- name the screen session
screen -x or screen -x mysession -- share screen session (same user logged on)
-- try this
ssh into some server
screen
top
Ctrl-a, d
exit ssh
ssh again into same server
screen -r -- top will still be running
Using a Remote Windows Desktop
WinXP – Control Panel / System / Remote enable and add users
yum install rdesktop tsclient
tsclient & -- graphical Terminal Server Client
rdesktop Ariel
rdesktop -u bob -p password win1
rdesktop -f win1 -- maximize display
rdesktop -0 -r sound:local win1 -- direct sound from server to client
Other remote linux apps
xhost -- unencrypted; ssh X forwarding is better
Sharing desktops with VNC
yum install vnc vnc-server
/etc/sysconfig/vncservers
VNCSERVERS="1:bob 2:thomas"
vncpasswd -- set current user vnc password
chkconfig vncserver on -- set vnc server to run
make sure to open TCP ports 5900+displaynumber in iptables
vncviewer myserver:1 or myserver:2 -- connect to vncserver from client
-- above is a really simple window manager so on the server
edit ~/.vnc/xstartup and add
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc
and restart the vncserver
-- on untrusted networks tunnel vnc
ssh -L 5902:localhost:5902 vncserver
Can share a vnc desktop using Vino
Ch 14: Locking Down Security (for working with user accounts see also Ch10 in Fedora Bible 2011 notes)
“Securing your Linux system means first restricting access to the user accounts and services on the system. After that, security means checking that no one has gotten around the defenses you have setup.”
Fedora is designed to be secure by default:
no user accounts with blank passwords
firewall is restrictive by default
most network services are off
SELinux is set to enforcing if you do not change this on the install
Working with users and groups
ALWAYS LOG IN AS A REGULAR USER! Then use su or sudo to gain root access
/etc/ssh/sshd_config PermitRootLogin no
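An added shell check (not from the notes) for the sshd_config settings the Ch 13 notes set (Port, X11Forwarding, AllowTcpForwarding) plus the PermitRootLogin no above. It reads the file the way sshd does, first uncommented occurrence of a keyword wins; the expected values and the file path are assumptions you should adjust.

```shell
# Added example (not from the notes): audit sshd_config against expected values.
# sshd_opt FILE KEY -> print the effective value of KEY (first uncommented
# occurrence wins, as in sshd; keyword match is case-insensitive), or nothing
sshd_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd FILE -> print ok/FAIL per setting; return the number of failures
check_sshd() {
    local file=$1 fails=0 key want got
    while read -r key want; do
        got=$(sshd_opt "$file" "$key")
        if [ "$got" = "$want" ]; then
            printf 'ok   %-18s %s\n' "$key" "$got"
        else
            printf 'FAIL %-18s got %s, want %s\n' "$key" "${got:-(unset)}" "$want"
            fails=$((fails + 1))
        fi
    done <<EOF
PermitRootLogin no
Port 1248
X11Forwarding yes
AllowTcpForwarding no
EOF
    return $fails
}

# Live run is opt-in (sshd_config is normally readable only by root).
if [ "${RUN_LIVE:-0}" = 1 ]; then
    check_sshd "${SSHD_CONFIG:-/etc/ssh/sshd_config}"   # SSHD_CONFIG is an assumed name
fi
```

Note that a commented-out line such as `#PermitRootLogin no` is reported as unset, so sshd's compiled-in default applies rather than the value you see in the file.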
The GUI way for servers:
webmin: (www.webmin.com) -- remember to change default port from 10000
cPanel (www.cpanel.com), Plesk (www.swsoft.com/plesk), Ensim (www.ensim.com)
Adding user accounts
--> sudo /usr/sbin/useradd -D -- show useradd default values
GROUP=100 -- default group
HOME=/home -- base home directory
INACTIVE=-1 -- password expiration is disabled
EXPIRE= -- Don't set password expire date
SHELL=/bin/bash -- default shell
SKEL=/etc/skel -- copy default home config files from here
CREATE_MAIL_SPOOL=yes -- create mail spool directory
-- fedora overrides the default group with a new group for each new user
-- above values in /etc/default/useradd
useradd bob -- typed as root allows change of password for bob
-- root is only warned if bad password is used
-- some of the options for useradd
sudo /usr/sbin/useradd --help
-b, --base-dir /var/users -- base directory for the new user account
-d, --home-dir /home/jj -- home directory for the new user account
-e, --expiredate 2009-01-01 -- set account expiration date to 2009-01-01
-g 700 -u 700 -- use specific GID & UID for new user
-G students,tomcatusers -- list of supplementary groups for the new user
sudo /usr/sbin/groupadd -- before adding a user to a group the group must exist
groups bob -- list the groups bob belongs to
bob vboxusers
-- some of the real config files for users and groups
/etc/passwd test:x:502:503::/home/test:/bin/bash
/etc/shadow test:$1$cvOBzy34DGAgHfr3XcdeAmEJ1:14134:0:99999:7:::
/etc/group test:x:503:drjohn,bob
Changing default useradd values
edit /etc/default/useradd & /etc/login.defs to make changes permanent
user options above in useradd command to make temporary changes
add files or directories to /etc/skel to change 'startup' /home/newuser (ex public_html)
Modifying User Accounts
sudo /usr/sbin/usermod -c "Dr Bob" bob -- change bob's comment field
sudo /usr/sbin/usermod -s /bin/sh bob -- change bob's default shell
sudo /usr/sbin/usermod -L bob -- lock the bob user account
sudo /usr/sbin/usermod -U bob -- unlock the bob user account
chsh -s /bin/sh -- change current user's shell to /bin/sh
-- change finger information
-- change office, home phone, office phone, full name
chfn -o "BA607" -h 806-687-9028 -p 806-438-2049 -f "DrJohn"
finger
Login Name Tty Idle Login Time Office Office Phone
bob DrJohn *:0 Oct 20 13:30 BA607 806-438-2049
-- above information is stored in the 5th field of the /etc/passwd file
-- ONLY edit the /etc/passwd file carefully and with vipw
Deleting User accounts
/usr/sbin/userdel bob -- delete user bob
userdel -r bob -- delete user, home directory, and mail spool
Managing Passwords
-- modify current user password
--> passwd
Changing password for user bob.
Changing password for bob.
(current) UNIX password:
New UNIX password: I typed hi
BAD PASSWORD: it is WAY too short
New UNIX password: I typed hello
BAD PASSWORD: it is too short
New UNIX password: I typed password
BAD PASSWORD: it is based on a dictionary word
--> sudo passwd bob
Password:
Changing password for user bob.
New UNIX password: I typed hi
BAD PASSWORD: it is WAY too short
Retype new UNIX password: I typed hi
passwd: all authentication tokens updated successfully.
-- moral is be VERY careful when setting/modifying passwords as root
sudo passwd -l bob -- lock the bob user account
sudo passwd -u bob -- unlock the bob user account
-- this is done by placing !! at the front of the password field in /etc/shadow
test:!!$1$cvOBzy34DGAgHfr3XcdeAmEJ1:14134:0:99999:7:::
-- administrator can require users to change passwords regularly
passwd -n 2 bob -- set minimum password life to 2 days
passwd -x 300 bob -- set maximum password life to 300 days
passwd -w 10 bob -- warn of password expiration 10 days in advance
passwd -i 14 bob -- days after expiration that account is disabled
-- view password expiration information
--> chage -l bob
Last password change : Oct 20, 2008
Password expires : December 31, 2008
Password inactive : January 31, 2009
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
-- as root can use the chage command to manage password expiration
sudo chage -I 40 bob -- make account inactive 40 days after its password expires
sudo chage -d 5 bob -- force user's password to expire in 5 days
-- 0 above would force password change on next login
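An added shell audit (not from the notes) that reads /etc/shadow lines in the format shown above, reporting locked accounts (the !! prefix), accounts with no usable password, empty passwords, and the days left before the password reaches its maximum life. The sample lines in the comments are constructed; the live run needs root and is opt-in.

```shell
# Added example (not from the notes): audit password state from /etc/shadow lines.
# shadow_status LINE [TODAY] -> "user:STATE:max_days:days_until_expiry"
# TODAY is days since 1970-01-01 (the unit /etc/shadow uses); defaults to now.
shadow_status() {
    local line=$1 today=${2:-} user pw last min max warn inact expire state left
    [ -n "$today" ] || today=$(( $(date +%s) / 86400 ))
    IFS=: read -r user pw last min max warn inact expire _ <<EOF
$line
EOF
    case $pw in
        '')              state=EMPTY-PASSWORD ;;   # anyone can log in as this user
        '!!'|'*'|'!*')   state=NO-PASSWORD ;;      # never had a usable password
        '!'*)            state=LOCKED ;;           # passwd -l / usermod -L
        *)               state=ACTIVE ;;
    esac
    left=never
    if [ -n "$max" ] && [ "$max" -lt 99999 ] && [ -n "$last" ]; then
        left=$(( last + max - today ))
    fi
    printf '%s:%s:%s:%s\n' "$user" "$state" "${max:-none}" "$left"
}

# audit_shadow < FILE -> one line per account, flagging empty or expired passwords
audit_shadow() {
    local line s state left
    while IFS= read -r line; do
        s=$(shadow_status "$line")
        state=$(printf '%s' "$s" | cut -d: -f2)
        left=$(printf '%s' "$s" | cut -d: -f4)
        case $state in
            EMPTY-PASSWORD) printf 'RISK    %s\n' "$s" ;;
            ACTIVE)
                if [ "$left" != never ] && [ "$left" -le 0 ]; then
                    printf 'EXPIRED %s\n' "$s"
                else
                    printf 'ok      %s\n' "$s"
                fi ;;
            *) printf 'ok      %s\n' "$s" ;;
        esac
    done
}

# Constructed sample: shadow_status 'bob:$1$abc:14000:2:300:10:14:' 14200
# gives bob:ACTIVE:300:100 (last change day 14000 + 300 days max - today 14200).
if [ "${RUN_LIVE:-0}" = 1 ]; then
    sudo cat /etc/shadow | audit_shadow
fi
```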
Adding Groups
-- similar commands as for users above
-- groupadd, groupdel, groupmod, groupmems (add & remove members)
groupadd Marketing -- add group Marketing
groupadd -g 701 tomcat -- add group tomcat with GID of 701
groupmod -g 777 tomcat -- make tomcat group GID 777
groupmod -n tomcat tomcatS08 -- change name of tomcat group to tomcatS08
groupdel tomcat -- delete tomcat group
Checking on Users
find -nouser -- No user corresponds to file’s numeric user ID.
find -nogroup -- No group corresponds to file’s numeric group ID.
find -uid nnn -- File’s numeric user ID is nnn.
find -user bob -- File is owned by user bob (numeric user ID is allowed).
--> sudo du -sh /home/test/ -- check on disk usage in user's home dir
2.2M /home/test/ -- -sh means summarize results and make human readable
-- fuser, ps, top identify running commands and can check for users (Ch 9)
sudo last -- lists the most recent successful logins
sudo lastb -- lists most recent unsuccessful logins
-- on zeus I get page after page after page
sudo who -u -- list who is currently logged in long form
sudo users -- list who is currently logged in short form
--> id ==> uid=500(bob) gid=500(bob) groups=500(bob),502(vboxusers)
--> who am i -- long form
bob pts/4 2008-10-20 16:49 (localhost.localdomain)
--> whoami -- short form
bob
--> finger -s bob -- short form
Login Name Tty Idle Login Time Office Office Phone
...
--> finger -l bob -- long form
Login: bob Name: DrJohn
Directory: /home/bob Shell: /bin/bash
Office: BA607, 806-438-2049 Home Phone: 806-687-9028
On since Mon Oct 20 13:30 (CDT) on :0 (messages off)
On since Mon Oct 20 13:31 (CDT) on pts/1 from :0.0
3 hours 48 minutes idle
(messages off)
On since Mon Oct 20 13:31 (CDT) on pts/2 from :0.1 (messages off)
On since Mon Oct 20 13:31 (CDT) on pts/3 from :0
3 hours 48 minutes idle
On since Mon Oct 20 16:49 (CDT) on pts/4 from localhost.localdomain
No mail.
No Plan.
-- when ~/.project (single line) and ~/.plan (multi line) files are added results become
--> finger -l bob
Login: bob Name: DrJohn
...
Project:
To make the Internet safer
Plan:
By teaching
students how to become
Linux professionals
Working with System Logs (for firewall info see below)
/var/log ... -- system logs are here and in subdirectories
-- fedora uses rsyslogd (system log daemon) and rklogd (kernel log daemon)
-- started by /etc/init.d/rsyslog (a newer better version of syslogd)
-- rotation is handled by /etc/cron.daily/logrotate
-- based on settings in /etc/logrotate.conf & in /etc/logrotate.d/
logwatch -- a system log analyzer and reporter that allows summary messaging
sudo logger Hello World from bob -- add messages to log files (new Video card)
sudo cat /var/log/messages
... Oct 20 17:38:26 localhost durrett: Hello World from bob
Linux Bible 2010 Edition: Boot Up to Ubuntu, Fedora, KNOPPIX, Debian, openSUSE, and 13 Other Distributions by Christopher Negus
Last annotated on December 2, 2010
Chapter 12: Securing Linux
In This Chapter
Linux security checklist
Using password protection
Monitoring log files
Communicating with secure shell tools
Understanding attack techniques
Protecting servers with certificates
Using special Linux security tools distributions
Why should you care about security? According to the Internet Storm Center (http://isc.sans.org), a computer connected to the Internet has an average of 16 minutes
Linux Security Checklist
Control physical access
Add users and passwords—Creating separate user accounts
Set read, write, and execute permissions
Protect the root user
Use trusted software
Get software updates
Use secure applications
Use restrictive firewalls
Enable only services you need
Limit access to services
Check your system
Monitor your system
Use SELinux
your computer, then, is safer. As Red Hat continues to work out the kinks in SELinux, there has been a tendency for users to see SELinux failures and just disable the entire SELinux service. However, a better course is to find out whether SELinux is really stopping you from doing something that is unsafe.
Finding distribution-specific security resources
Red Hat Enterprise Linux and Fedora security—Check the Red Hat Security site (www.redhat.com/security) for RHEL security issues (that typically relate to Fedora systems as well). From here you can look for and read about available updates. You can also get information on security training and consulting from Red Hat, Inc. For Fedora security issues, see the Fedora Wiki (http://fedoraproject.org/wiki/Security/Features).
Refer to the Red Hat Enterprise Linux 4 Security Guide for an in-depth look at Linux security for Red Hat systems. You can access this guide online from the following address:www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/en-US/Security_Guide
www.debian.org/doc/manuals/securing-debian-howto
Ubuntu security—Find security guides and tools for Ubuntu on the Ubuntu security page (https://help.ubuntu.com/community/Security).
Gentoo security—Included on the Gentoo Linux Security page (www.gentoo.org/security) are tools, announcements, and links to security policy and project documents associated with securing Gentoo systems. Find the Gentoo security handbook here:
Choosing good passwords
(choosing a sentence on your personal Web page is a bad idea).
Table 12-1 lists examples of strong passwords and the tricks used to remember them.
Mrci7yo! -- My rusty car is 7 years old!
2emBp1ib -- 2 elephants make BAD pets, 1 is better
ItMc?Gib -- Is that MY coat? Give it back
The passwords look like gibberish
Using a shadow password file
Checking for the shadow password file The password file is named passwd and is found in the /etc directory. The shadow password file is named shadow and is also located in /etc. If your /etc/shadow file is missing, it is likely that your Linux system is storing the password information in the /etc/passwd file instead.
A Practical Guide to Fedora and Red Hat Enterprise Linux by Mark G. Sobell
Last annotated on December 1, 2011