Linux (RHEL6) Notes
To complete:
secure grub with password
gpg Encryption and Decryption
Useful files
/etc/inittab
    has run level definitions
Useful commands
#ifconfig
    to get ipaddress
#ping desktop15.example.com
#host <ipaddress>
    gives DNS name
#hostname
    gives the host name of the machine you are logged in to
#dig -x <ipaddress>
    has Question / Answer / Authority / Additional sections
#nslookup <ipaddress>
#nslookup <DNS Name>
    gives hostname and ip address
#man -k ftp | less
    search man pages for ftp
#man 8 mount
    go to section 8 of the man pages for the mount command
#which ls
    from where ls is getting executed
#rpm -qf /bin/ls
    finds the package in which ls is
#cp -pvrf <source> <dest>
    p for preserve, v for verbose, r for recursive and f for force (overwrite if exists)
#du -h <filename>
    disk usage for file
#du -h <directory>
    disk usage for individual files in the directory
#du -sh <directory>
    disk usage summary for the directory
#ln -s <source with path name> <link name> to create soft links
#who -r
#runlevel
    for current system runlevel
#uname -a
    for more details about the system
#uname -r
    for current kernel version
#cat /proc/cpuinfo
    to see if CPU supports VMX
#cat /proc/meminfo
    to see RAM size to set swap size
#cat /proc/partitions
    to verify the partition table the kernel sees, e.g. after running the partx command
#ps
    processes within your current terminal
#ps -a
    all processes in all terminals
#ps -aux | less
    a for all, u for user, x for executing. Does not indicate parent process
#ps -ef | less
    shows parent process
#kill -l
    to see kill signals
#kill -9 <pid>
    Signal KILL. Children become Zombie "Z" processes
#kill -15 <parent pid>
    Signal TERM. Kills the children and then the parent so that there are no Zombie processes
#kill -1 <pid>
    Signal HUP. Restarting, i.e., stopping and starting services
#top
    more flexibility
#parted /dev/sda
    edit partition table. Type help for commands that can be used
#partx -d /dev/sda
    tell the kernel to drop its partition entries for /dev/sda
#partx -a /dev/sda
    tell the kernel to add the partitions of /dev/sda (re-read after changing the table)
#fdisk -cu /dev/sda
m for help
n for new partition
p for print partitions
t to change partition system id
d for deleting partition
w for write table to disk and quit
q for quitting without saving
#fdisk -l | less
Shows info about partitions
#mkfs -t ext4 /dev/sda5
or
#mkfs.ext4 /dev/sda5
or
#mkfs.ext4 -L "mydisk1" /dev/sda5
    L gives label while formatting
#e2label /dev/sda5
    to display label
#e2label /dev/sda5 "mydisk2"
    to change label
#findfs LABEL="mydisk2"
    gives output /dev/sda5
#file <fileName>
    to know type of file, i.e. if a file is a tar file, zipped or not etc.
#stat <fileName>
    to know more details about a file: access time, modify time, change time etc.
User Related
#useradd user1
#useradd -u 10001 -g ftp -G adm,apache -d /var/user123 -c "Comment" -s /bin/bash user123
g => Primary Group
G => Secondary Groups
d => Home directory
c => Comment
s => Login shell
#vim /etc/default/useradd
    defaults for useradd
#id <userid>
to see the details about the user
#groups <userid>
list all groups belonging to a userid
#usermod -s /sbin/nologin user123
    to change login shell for user
#usermod -L user123
    lock user
#usermod -aG adm,ftp,student user123
    to add secondary groups
#usermod -G student user123
    to replace all secondary groups with this one secondary group
#gpasswd -a u1 ftp
#gpasswd -M u1,u2,u3,u4 apache
#gpasswd -d u1 apache
add user to group
add user to multiple groups
delete user from apache group
#userdel -r u2
recursively delete all user info for u2
#chage -l <userid>
    list aging parameters for userid
#chage -m 0 -M 90 -W 7 -I 14 <userid>
    m min days between changes, M max days a password is valid, W warning days before
    expiry, I inactive days after expiry before the account is locked
#vim /etc/login.defs
    has the default values
#chown <newOwner> <resource>
#chgrp <newGroup> <file/directory>
#chown <newOwner>:<newGroup> <resource>
#chown -R <newOwner> <directory>
    recursively change ownership
#chgrp -R <newGroup> <directory>
#chown -R <newOwner>:<newGroup> <directory>
    recursively change owner and group
#chmod g+rwx <file/directory>
#chmod -R a+rwx <directory>
    recursively change permissions
Setting password for user (4 ways)
#passwd <userid>
#echo "<password>" | passwd --stdin <userName>
#useradd -p "<password>" <userName>
#usermod -p "<password>" <userName>
    Note: -p expects an already hashed password, not clear text, and any password typed on
    a command line ends up in the shell history, so passwd (the first way) is the safe one.
Resetting root password if you don't know it
If you are already logged into the system
#init 1
    to get into single user mode. It gives root access without a password
Otherwise interrupt the Linux boot process (press F12) and then enter the following
e
    to edit the selected boot entry
1
    to get into single user mode. You can also use s or S instead of 1
    for getting into single user mode
go back
b
    to continue to boot
#runlevel
or
#who -r
    to see runlevel
#passwd root
    This will not work because SELinux is in enforcing mode
#setenforce 0
or
#setenforce Permissive
    Now, the password can be changed
#passwd root
set gid (Numeric value is 2)
#mkdir /mydata
#ls -ld /mydata
    /mydata is owned by root root
#groupadd grp
    new group that needs to own /mydata
#chgrp grp /mydata
#ls -ld /mydata
#chmod g+w /mydata
    to make sure any user in grp group can write to /mydata
#ls -ld /mydata
#chmod g+s /mydata
    so that if anybody belonging to grp group creates a file in /mydata,
    it will have grp group (inherited from the directory)
Sticky bit (Numeric value is 1)
If you set sticky bit, only the owners of the file can delete a file,
even if the other users are in the same group as the owner and also
the group has write permissions
#chmod o+t /mydata
to set sticky bit
ACL
#tune2fs -l /dev/sda5 | grep -i default
    Look for default mount options
    If the default mount option is none, need to change to ACL for the partition
#tune2fs -o acl,user_xattr /dev/sda5
    Change it for the partition
#mount /dev/sda5 /mnt
#cd /mnt
#getfacl /mnt
    getfacl for mount point
#setfacl -m u:<userid>:rwx <file/directory>
    to modify acl (user entry)
#setfacl -m g:<group>:rwx <file/directory>
    to modify acl (group entry)
#getfacl <file/directory>
#setfacl -x u:<userid> <file/directory>
    to remove a user entry from acl
#setfacl -x g:<group> <file/directory>
    to remove a group entry from acl
Disk Quotas
Create an ext4 partition and mount it as /quotadir in fstab as follows
#vim /etc/fstab
/dev/sda5 /quotadir ext4 defaults,usrquota,grpquota 0 0
    Note usrquota, grpquota
#mount -a
#mount
    It will list the usrquota attribute for /quotadir mount point
#quotacheck -cuv /quotadir
    to be done on mount point
    c => Create
    u => User Quota
    v => Verbose
    Creates quota.user file in /quotadir
#quotacheck -cgv /quotadir
    to be done on mount point
    c => Create
    g => Group Quota
    v => Verbose
    Creates quota.group file in /quotadir
#quotaon /quotadir
    Activate quota on filesystem. Need to use mount point
#quotaon -p /quotadir
    Print state of all file systems, i.e. if quotas are turned on or off
#quota -v
    verbose: file systems where quotas are turned on
#quota -uv <userid>
    verbose quota for specific userid
#repquota /quotadir
or
#repquota /dev/sda5
#edquota -u <userid>
    to set quota for the user in vim editor.
    Set soft and hard blocks. Hard blocks is the max limit.
    Soft blocks is from where the user gets a warning
#edquota -t
    to set grace period
sudo
#visudo
    to edit /etc/sudoers file in vim editor (:wq for saving the file)
#visudo -c
    After adding entries, check the file to make sure there are no syntax errors
Groups in the file are always preceded by %
Ex: peter,bob,%mygroup ALL= NOPASSWD: ALL
    users peter and bob, group mygroup on all servers (since there is no list in parentheses
    after ALL=, the commands run as root) can execute all commands without requiring a password
Ex: peter,bob,%mygroup ALL= NOPASSWD: /sbin/fdisk
    users peter and bob, group mygroup on all servers (since there is no list in parentheses
    after ALL=, the command runs as root) can execute only the fdisk command without requiring
    a password. All other commands require a password.
    NOPASSWD: ALL hands those users unrestricted root without any prompt; the second form,
    listing the specific commands they need, is the one to prefer.
Creating LVM
1. Create two LVM type partitions /dev/sda5 and /dev/sda6
2. Create PVs
3. Create Volume Group using the PVs
4. Create LVMs within the Volume Group
5. ext4 formatting
6. mount LVM file system
7. Check if mounted
8. Make mounts permanent
#fdisk -cu /dev/sda
#pvcreate /dev/sda5
#pvcreate /dev/sda6
#vgcreate -s 8 myVG /dev/sda5 /dev/sda6
    s is PE size
#vgdisplay myVG
#lvcreate -l 10 -n mylv1 myVG
    10 extents
or
#lvcreate -L 80M -n mylv2 myVG
    80M size
#mkfs.ext4 /dev/myVG/mylv1
or
#mkfs.ext4 /dev/mapper/myVG-mylv1
#mkdir -p /mnt/mylv1
#mount /dev/myVG/mylv1 /mnt/mylv1
or
#mount /dev/mapper/myVG-mylv1 /mnt/mylv1
#df -h
#vim /etc/fstab
/dev/myVG/mylv1 /mnt/mylv1 ext4 defaults 0 0
Reducing LVM
1. Make sure that there are no users connected to the mount
2. Unmount the mount point
3. Check the file system (e2fsck -f)
4. Resize the file system
5. Reduce the LVM
6. Mount the LVM
The order of steps 4 and 5 matters: resize2fs must shrink the file system before
lvreduce shrinks the volume, otherwise the end of the file system is cut off and data is lost.
#fuser -vm /home
#fuser -km /home
#umount /home
#df -h
    to see the free space
#e2fsck -f /dev/vg10/lv_home
#resize2fs /dev/vg10/lv_home 256M
#lvreduce -L 256M /dev/vg10/lv_home
#df -h
    to see the free space
#mount -a
    to mount all mount points from fstab
Extending LVM
Can be done online. No unmounting is needed
#df -h
#lvextend -L +256M /dev/vg10/lv_home
    Add additional 256M to lv_home
#df -h
    Does not show the increased size, yet
#resize2fs /dev/vg10/lv_home
#df -h
Removing LVM
#lvscan
#lvchange -an /dev/myVG/lv_test
    to make lvm inactive
#lvscan
    Should show lv_test inactive
#lvremove /dev/myVG/lv_test
#lvscan
Reducing VG (by removing PV)
#vgs
#pvmove /dev/sda5
    moves data from /dev/sda5 to next available PV
#vgreduce myVG /dev/sda5
#vgs
Extending VG (by adding PV)
#pvs
#fdisk -cu /dev/sda
    add a new LVM partition (8e)
#partx -a /dev/sda
#vgextend myVG /dev/sda6
#vgs
#pvs
Removing VG
1. Deactivate all LVMs in the VG
2. Remove all LVMs in the VG
3. Remove VG
#vgremove myVG
Encrypting Partitions / LVMs using LUKS
LUKS - Linux Unified Key Setup
Steps
=====
1. Create partition, partx -a /dev/sda
2. cryptsetup luksFormat <partition>
3. cryptsetup luksOpen <partition> <cryptLogicalName>
4. mkfs.ext4 /dev/mapper/<cryptLogicalName>
5. cryptsetup luksClose <cryptLogicalName>
6. mount /dev/mapper/<cryptLogicalName>
7. Make an entry in /etc/fstab
8. Make an entry in /etc/crypttab
#fdisk -cu /dev/sda
    create a new partition sda5
#partx -a /dev/sda
#cryptsetup luksFormat /dev/sda5
    asks for confirmation of data overwriting. Say YES
#cryptsetup luksOpen /dev/sda5 cryptdata
#dmsetup table
    List all the volumes managed by device mapper
#mkfs.ext4 /dev/mapper/cryptdata
#mkdir /mnt/cryptdata
#mount /dev/mapper/cryptdata /mnt/cryptdata
#df -h
#umount /mnt/cryptdata
#blkid /dev/mapper/cryptdata
    get the UUID
#vim /etc/fstab
    Add a new line
UUID="<from blkid command>" /mnt/cryptdata ext4 defaults 0 0
#df -h
#vim /etc/crypttab
    Add a new line for sda5
cryptdata /dev/sda5 none
    With none, the system will ask for the passphrase when you reboot.
    Instead of none, the path of a key file can be given so that no prompt appears; keep in
    mind that a key file sitting on an unencrypted disk lets anyone who can read it open the volume.
Networking concepts
Important files are
/etc/hosts
    Local resolver
/etc/resolv.conf
    Domain Name, DNS Server ip address must be here
/etc/sysconfig/network
    Global config file. NETWORKING should be YES, HOSTNAME, GATEWAY must be here
/etc/sysconfig/network-scripts/ifcfg-eth0
    interface specific file
#service NetworkManager restart
#service network restart
#ifcfg
#mii-tool
#mii-link
#setup
    Takes you to network setup
#ifdown eth0
#ifup eth0
ssh - Data Encryption
#ssh [email protected]
    After login, you will see /root/.ssh/known_hosts in the source system for root user
#system-config-date
    after the above login, this will display in an X window
ssh - Key based Authentication
#ssh-keygen -t rsa
At source generate rsa key pair
private key in /root/.ssh/id_rsa
public key in /root/.ssh/id_rsa.pub
#ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected]
    This copies the public key from the source to /root/.ssh/authorized_keys on the destination
    No password required after copying the key. This is user specific
swap
If RAM is 0 - 4GB, then swap = 2 + (0.5 of RAM)
If RAM is 4 - 8GB, then swap = 4 + (0.5 of RAM)
If RAM is 8 - 16GB, then swap = 8 + (0.5 of RAM)
If RAM is 16 - 64GB, then swap = 16 + (0.5 of RAM)
Partition based Swap
#mkswap /dev/sda6
    Swap file system
#swapon /dev/sda6
    Activate swap
#swapoff /dev/sda6
    Deactivate swap
#swapon -s
    Show swap summary
#vim /etc/fstab
/dev/sda6 swap swap defaults 0 0
    Permanent swap
#swapon -a
    Activate all swaps from /etc/fstab
File based Swap
#dd if=/dev/zero of=/swapfile bs=1M count=500
#du -sh /swapfile
#dd if=/dev/zero of=/swapfile-thin bs=1M count=1 seek=1000
#du -sh /swapfile-thin
#mkswap /swapfile
#swapon /swapfile
#swapoff /swapfile
#vim /etc/fstab
/swapfile swap swap defaults 0 0
#swapon -a
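Added example, not from these notes: a small shell script that repeats the two dd invocations above at a reduced scale and compares the apparent size of each file with what is actually allocated on disk, which is the whole difference between /swapfile and /swapfile-thin. The temp directory, the file names and the helper functions (apparent_kb, allocated_kb, swap_candidate_ok) are the example's own. Two checks a swap file has to pass are folded in: the kernel refuses a file with holes (swapon fails and the kernel log reports that the swapfile has holes), which is why the seek= file can never be used as swap and why the notes run mkswap only on /swapfile; and swapon warns unless the file is mode 0600, since a world-readable swap file exposes whatever memory gets paged out.

```shell
#!/bin/sh
# Added example (not from the original notes): reproduces the two dd commands
# above at a smaller scale and measures apparent vs allocated size, which is
# the difference between /swapfile and /swapfile-thin. Nothing here is passed
# to mkswap or swapon, so it is safe to run as an ordinary user.
SWAP_LAB=$(mktemp -d)
trap 'rm -rf "$SWAP_LAB"' EXIT

# fully written: 5 MiB of zeros, every block backed by storage
dd if=/dev/zero of="$SWAP_LAB/swapfile" bs=1024 count=5120 2>/dev/null
# "thin": one 1 MiB block written after a 50 MiB hole (seek=), the rest unallocated
dd if=/dev/zero of="$SWAP_LAB/swapfile-thin" bs=1024 count=1024 seek=51200 2>/dev/null

# apparent_kb FILE -> logical length in KiB (what ls -l reports)
apparent_kb() { echo $(( $(wc -c < "$1") / 1024 )); }
# allocated_kb FILE -> KiB actually allocated on disk (what du reports)
allocated_kb() { du -k "$1" | cut -f1; }

# swap_candidate_ok FILE -> 0 if the file has no holes and is mode 0600,
# the two conditions swapon checks before it will use a file
swap_candidate_ok() {
    [ "$(allocated_kb "$1")" -ge "$(apparent_kb "$1")" ] || return 1
    [ "$(stat -c %a "$1")" = 600 ] || return 1
    return 0
}

chmod 600 "$SWAP_LAB/swapfile" "$SWAP_LAB/swapfile-thin"
for f in swapfile swapfile-thin; do
    printf '%-14s apparent=%6s KiB  allocated=%6s KiB  ' "$f" \
        "$(apparent_kb "$SWAP_LAB/$f")" "$(allocated_kb "$SWAP_LAB/$f")"
    if swap_candidate_ok "$SWAP_LAB/$f"; then
        echo "usable as swap"
    else
        echo "NOT usable (holes or wrong mode)"
    fi
done
```

du -sh on the thin file shows the same small number the notes observe for /swapfile-thin; the apparent size is what would mislead a reader of ls -l.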
Securing grub with password
Kernel install
#lftp 192.168.0.254/updates
#mget kernel*
#rpm -qRp <Kernel Package Name>
    to get dependencies
#rpm -U <kernel>
    DO NOT use this. This will overwrite the existing kernel
#rpm -ivh <Kernel firmware package>
    Always use the i option to install a new kernel
#rpm -ivh <Kernel package>
#vim /etc/grub.conf
    you will see the new kernel here.
    If you installed a kernel newer than the existing kernel, the new kernel will become the default
    If you installed a kernel older than the existing kernel, the existing kernel remains as default
at
#atq
    Query to see if one off jobs are scheduled
#at 3:08
at>/sbin/reboot
at>ctrl+d
#atq
    shows the above job
#atrm <jobid from atq command>
    to remove a job
#atq
    to make sure that the job is gone
crontab
#crontab -e
    edit crontab for current user
#crontab -eu <userid>
    edit crontab for specified user
#crontab -lu <userid>
    list crontab for specified user
Look in /etc/crontab for the exact format for writing cron entries
Make sure to use the which command to get the complete path of commands to be
executed, as these need to go into crontab.
Ex: for the echo command you need to use /bin/echo
#vim /etc/cron.deny
    add users in this file to stop them from editing crontab
#vim /etc/cron.allow
    add users in this file to allow them to edit crontab
If a user exists in both files, cron.allow takes precedence over cron.deny.
#service crond restart
#chkconfig crond on
rpm
#rpm -qa
    Query all packages installed in the system
#rpm -qa | wc -l
#rpm -q <packageName>
    to check if package already exists or not
#rpm -qRp <packageName>
    Lists dependencies of a package file (p)
#rpm -qR <packageName>
    Lists dependencies of an installed package
#rpm -qlp <packageName>
    List all the files included in the package
#rpm -qldp <packageName>
    Displays only document files
#rpm -qlcp <packageName>
    Displays only config files
#rpm -qlsp <packageName>
    Displays only script files
#rpm -ql vsftpd
#rpm -ivh <packageName>
    i for install, v for verbose, h for percentage completion
#rpm -Uvh <packageName>
    U for update
#rpm -e <packageName>
    to uninstall package. Dependencies are not removed
yum - Yellowdog Updater, Modified
#yum list all
#yum list installed
#yum list available
#yum search vsftpd
#yum install vsftpd* -y
#yum remove vsftpd* -y
#yum deplist vsftpd*
#which date
#yum provides /bin/date
#yum grouplist
    to list package groups installed in the system
#yum localinstall <packagename> --nogpgcheck
Setting up Local yum
#mount -o loop,ro /home/rhel6.iso /mnt
#cp -pvrf /mnt/* /var/ftp/pub
#vim /etc/yum.repos.d/local.repo
Add the following lines
[rhel6-64bit-local]
name=rhel6 local packages
baseurl=file:///var/ftp/pub
enabled=1
gpgcheck=0
#vim /etc/yum.repos.d/rhel6.repo
Add the following lines
[rhel6-64bit-server]
name=rhel6 server packages
baseurl=ftp://192.168.0.254/pub/rhel6/dvd
enabled=1
gpgcheck=0
    (lab setting, in both repo files above: package signatures are not verified, so a
    tampered package on the ftp server would install silently. On a production system keep
    gpgcheck=1 and import the vendor key.)
#vim /etc/vsftpd/vsftpd.conf
Make sure that anonymous can login because yum uses anonymous login
#service vsftpd restart
#chkconfig vsftpd on
#yum clean all
    to clean repodata cache on the client
#yum list all
    to see the packages available
NFS Sharing (server side - 192.168.0.254) - Share Resources
package is nfs-utils
#yum install nfs* -y
#mkdir /kickstart
#vim /etc/exports
/kickstart 192.168.0.0/24(ro,sync,no_root_squash)
    Share to the 192.168.0.0/24 network.
    no_root_squash lets root on a client act as root on the share; leave it out unless it is needed
#exportfs -rv
    r for re-export and v for verbose
#service nfs restart
#chkconfig nfs on
NFS is done thru nfsnobody user
NFS Sharing (client side) - NFS mount shared resources
#showmount -e <ipaddress of NFS Server>
#mkdir /mnt/nfs
#mount -t nfs 192.168.0.254:/kickstart /mnt/nfs
#umount /mnt/nfs
#df -h
#vim /etc/fstab
192.168.0.254:/kickstart /mnt/nfs nfs defaults 0 0
#mount -a
as any user, you can also perform the following without
mounting
#cd /net/192.168.0.254
#ls
You will see kickstart
Samba Server
#yum install samba* -y
#which smbd
#which nmbd
#ldd /usr/sbin/smbd | grep -i libwrap
    Nothing found. So, tcp_wrappers support is NOT there for samba
#vim /etc/samba/smb.conf
    Samba main config file
    In Global Settings section, you may need to change the workgroup
    In Shared Settings section, add the following
[myshare]
comment = public stuff
path = /share
writeable = yes
valid users = u5
browseable = yes
    you can put in read only = yes
#useradd u5
#smbpasswd -a u5
#smbpasswd -d u5
#smbpasswd -x u5
a for adding password
d for deactivating password entry
x for deleting the password entry
#pdbedit -L -w
list users that have samba passwords
#mkdir /share
#getenforce
#ls -ldZ /share
If SELinux is Enforcing, then need to
change the context for /share directory
#chcon -t samba_share_t /share
#ls -ldZ /share
#cd /share
#touch file1
#service smb restart
Logs are in /var/log/samba
CIFS Sharing (client side) - Samba mount shared resources
#smbclient -L //192.168.0.254 | less
    From the list we can only use "Disk" or "Print" type shares
    The sharename shown in the list may have a totally different name on the host.
    Basically, the share name hides the inside directory name on the server.
#mkdir -p /mnt/cifs
#mount -t cifs //192.168.0.254/myshare /mnt/cifs -o username=u5,password=<sambaPassword>
#df -h
#vim /etc/fstab
    Add the following entry
//192.168.0.254/myshare /mnt/cifs cifs defaults,username=u5,password=<sambaPassword> 0 0
    (the samba password is then readable by anyone who can read /etc/fstab; mount.cifs also
    accepts credentials=<file>, a root-only file holding username= and password= lines)
#umount /mnt/cifs
#df -h
#mount -a
#df -h
#smbclient //192.168.0.254/myshare -U u5
smb>ls
    shows file1 created above
tcp_wrappers
#which vsftpd
    gives /usr/sbin/vsftpd
#ldd /usr/sbin/vsftpd | grep -i libwrap
    shows a line. It means tcp_wrappers are supported
#which httpd
    gives /usr/sbin/httpd
#ldd /usr/sbin/httpd | grep -i libwrap
    Does not show a line. It means tcp_wrappers are NOT supported
#which sshd
    gives /usr/sbin/sshd
#ldd /usr/sbin/sshd | grep -i libwrap
    shows a line. It means tcp_wrappers are supported
tcp_wrapper access control is done thru
/etc/hosts.deny
/etc/hosts.allow
No need to restart services if you change these files
hosts.allow is consulted first, then hosts.deny; the first matching line decides, and a
client that matches neither file is allowed. That is why an allow entry overrides a deny entry.
#vim /etc/hosts.deny
vsftpd: desktop20.example.com
    desktop20 is not allowed to FTP to this server
vsftpd: ALL .example.com
    .example.com domain is not allowed to FTP to this server
vsftpd: ALL EXCEPT .example.com
    Any domain other than .example.com is not allowed to FTP to this server
sshd: .example.com
    .example.com domain is not allowed to SSH to this server
sshd: 192.168.0.
    192.168.0. network is not allowed to SSH to this server
sshd: ALL EXCEPT .example.com
    Any domain other than .example.com is not allowed to SSH to this server
#vim /etc/hosts.allow
vsftpd: desktop20.example.com
    desktop20 is allowed to FTP to this server though it is prevented in hosts.deny
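Added example, not from these notes: a POSIX shell model of the hosts.allow / hosts.deny decision just described, run against constructed copies of both files in a temp directory (their contents mirror the entries above; the function names tw_access, file_matches, list_matches and pattern_matches are the example's own). It implements the order tcp_wrappers uses, hosts.allow first, then hosts.deny, access granted when neither matches, and the pattern forms that appear in the notes: ALL, a hostname, a leading-dot domain suffix, a trailing-dot network prefix and EXCEPT. On a real host use tcpdmatch; this exists only to make the precedence visible.

```shell
#!/bin/sh
# Added example (not from the original notes): a POSIX-shell model of the
# tcp_wrappers decision described above, run against constructed hosts.allow /
# hosts.deny files in a temp directory. Order is the documented one: hosts.allow
# first, then hosts.deny, and no match at all means access is granted.
# Patterns handled: ALL, an exact hostname or address, a leading-dot domain
# suffix (.example.com), a trailing-dot network prefix (192.168.0.) and
# "list EXCEPT list". Function names are the example's own.
TW_DIR=$(mktemp -d)
trap 'rm -rf "$TW_DIR"' EXIT

cat > "$TW_DIR/hosts.deny" <<'EOF'
# constructed sample, mirrors the entries in the notes
vsftpd: ALL EXCEPT .example.com
sshd: 192.168.0.
EOF

cat > "$TW_DIR/hosts.allow" <<'EOF'
# constructed sample, mirrors the entries in the notes
vsftpd: desktop20.example.com
EOF

# pattern_matches PATTERN HOST ADDR -> 0 if one client pattern matches the client
pattern_matches() {
    pat=$1; host=$2; addr=$3
    case "$pat" in
        ALL) return 0 ;;
        .*)  case "$host" in *"$pat") return 0 ;; esac ;;   # domain suffix
        *.)  case "$addr" in "$pat"*) return 0 ;; esac ;;   # network prefix
        *)   [ "$pat" = "$host" ] && return 0
             [ "$pat" = "$addr" ] && return 0 ;;
    esac
    return 1
}

# list_matches "CLIENT LIST" HOST ADDR -> 0 if the list (with optional EXCEPT) matches
list_matches() {
    lst=$1; host=$2; addr=$3
    case "$lst" in
        *" EXCEPT "*)
            incl=${lst%% EXCEPT *}
            excl=${lst#* EXCEPT }
            list_matches "$incl" "$host" "$addr" || return 1
            list_matches "$excl" "$host" "$addr" && return 1
            return 0 ;;
    esac
    for p in $lst; do
        pattern_matches "$p" "$host" "$addr" && return 0
    done
    return 1
}

# file_matches FILE DAEMON HOST ADDR -> 0 if some "daemon: clients" line in FILE matches
file_matches() {
    f=$1; daemon=$2; host=$3; addr=$4
    [ -r "$f" ] || return 1
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        d=$(printf '%s' "${line%%:*}" | tr -d ' ')
        clients=$(printf '%s' "${line#*:}" | sed 's/^ *//;s/ *$//')
        [ "$d" = "$daemon" ] || [ "$d" = ALL ] || continue
        list_matches "$clients" "$host" "$addr" && return 0
    done < "$f"
    return 1
}

# tw_access DAEMON HOST ADDR -> prints ALLOW or DENY
tw_access() {
    if file_matches "$TW_DIR/hosts.allow" "$1" "$2" "$3"; then echo ALLOW
    elif file_matches "$TW_DIR/hosts.deny" "$1" "$2" "$3"; then echo DENY
    else echo ALLOW
    fi
}

tw_access vsftpd desktop20.example.com 192.168.0.20   # ALLOW: hosts.allow is checked first
tw_access vsftpd desktop3.example.com  192.168.0.3    # ALLOW: excepted from the deny line
tw_access vsftpd box.other.org         10.1.1.5       # DENY
tw_access sshd   desktop20.example.com 192.168.0.20   # DENY: 192.168.0. prefix
tw_access sshd   box.other.org         10.1.1.5       # ALLOW: no rule matches
```

The last case is the one to remember when writing these files: with nothing matching, tcp_wrappers allows, so a deny-by-default policy needs an explicit ALL: ALL line in hosts.deny.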
LDAP
#system-config-authentication
or
on Desktop --> System --> Administration --> Authentication
Select LDAP
DN - dc=example,dc=com
LDAP Server - ldap://instructor.example.com
Check TLS to encrypt connections
Certificate link - http://192.168.0.254/pub/EXAMPLE-CA-CERT
Authentication Method - LDAP Password
Click Apply
On VMs - Look for sssd service
On Desktops - Look for nslcd service
#service sssd status
#chkconfig --list sssd
#getent passwd <ldapuserid>
#su - ldapuser1
Based on the settings in /etc/nsswitch.conf, the system will look in
local users first and then go to LDAP. Look for
passwd: files sss
autofs (NFS mount) - No fstab entries needed
No need to install autofs. It comes in with base install
#vim /etc/sysconfig/autofs
    You can specify autofs parameters like timeout.
TIMEOUT 300
    Timeout can also be specified in auto.master
#vim /etc/auto.master
    Put in your own directory name and the file that contains mount information
/remote /etc/auto.remote
    These can have any name
#vim /etc/auto.remote
kick -rw,fstype=nfs 192.168.0.254:/kickstart
#service autofs stop
#service autofs start
    restart will not work
#chkconfig autofs on
#cd /remote/kick
#df -h
#cd
    to go to your home directory, wait for the timeout period
#df -h
    you will not see /remote/kick mount point
autofs (Local mount) - No fstab entries needed
No need to install autofs. It comes in with base install
Create a partition /dev/sda5 and mount as /local/disk1
Create an LVM /dev/vg00/lv01 and mount as /local/lv1
#vim /etc/auto.master
/local /etc/auto.local
#vim /etc/auto.local
disk1 -fstype=ext4 :/dev/sda5
lv1 -fstype=ext4 :/dev/vg00/lv01
#service autofs stop
#service autofs start
    restart will not work
#chkconfig autofs on
#df -h
#cd /local
#df -h
#cd lv1
#df -h
autofs for ldapusers - No fstab entries required
No need to install autofs.
It comes in with base install
#showmount -e 192.168.0.254
If /home/guests is the directory shared on 192.168.0.254 and if this has home directories for
ldap users
#vim /etc/auto.master
/home/guests /etc/auto.ldap
#vim /etc/auto.ldap
ldapuser1 -rw,fstype=nfs 192.168.0.254:/home/guests/ldapuser1 for single user
* -rw,fstype=nfs 192.168.0.254:/home/guests/&
generic for multiple users
autofs for samba - No fstab entries required
No need to install autofs. It comes in with base install
#vim /etc/sysconfig/autofs
    You can specify autofs parameters like timeout.
TIMEOUT 300
    Timeout can also be specified in auto.master
#vim /etc/auto.master
    Put in your own directory name and the file that contains mount information.
    These can have any name
/cifs /etc/auto.cifs
#vim /etc/auto.cifs
cifsshare -rw,fstype=cifs,username=u5,password=<sambaPassword> ://192.168.0.254/myshare
    (the samba password sits in clear text in this map file, so keep it readable by root only,
    or use credentials=<file> in place of username=/password=)
#service autofs stop
#service autofs start
    restart will not work
#chkconfig autofs on
#cd /cifs/cifsshare
#df -h
#cd
    to go to your home directory, wait for the timeout period
#df -h
    you will not see /cifs/cifsshare mount point
SELinux
#yum install setroubleshoot* -y
#vim /etc/sysconfig/selinux
    Config file for selinux
#getenforce
#setenforce 0
#setenforce Permissive
    Permissive
#setenforce 1
#setenforce Enforcing
    Enforcing
#semanage fcontext -l
    displays registry of resource contexts
Security context is applied to resources
#ls -lZ
    to view the security context for all files / directories
#ps -Z
    to view the process security context
#chcon -u <newUserContext> <resourceName>
#chcon -r <newRoleContext> <resourceName>
#chcon -t <newTypeContext> <resourceName>
cp (copy) a file to a destination will inherit destination context
mv (move) a file to a destination will NOT inherit destination context
#semanage fcontext -a -t public_content_rw_t "/var/ftp/dropbox(/.*)?"
    add a new entry into the registry
#restorecon -R -v /var/ftp/dropbox
    R for recursive for all files in the directory and v for verbose
#chcon -Rt public_content_rw_t /var/ftp/dropbox
    chcon changes the context directly but the change is lost on the next relabel
    (restorecon or a full relabel); semanage fcontext plus restorecon is the persistent way
#ls -ldZ /var/ftp/dropbox
#getsebool -a | less
    Get process booleans
#setsebool allow_ftpd_anon_write=1
    Set process booleans
For troubleshooting and error messages
#yum install setroubleshoot* -y
    so that you can use the sealert command
#sealert -a /var/log/audit/audit.log
#cat /var/log/messages | grep setroubleshoot
    copy alert id from here
#sealert -l <alert copied above>
FTP Client
#yum install ftp* -y
#yum install lftp* -y
#ftp 192.168.0.254
    enter userid and password
#lftp 192.168.0.254
    does not ask for userid and password
FTP Server - vsftpd (Very Secure FTP)
#yum remove vsftpd* -y
#yum install vsftpd* -y
#vim /etc/vsftpd/vsftpd.conf
    config file. You can change log file location here, if needed.
#vim /etc/vsftpd/ftpusers
    Userids that are NOT allowed to login thru FTP
#vim /etc/vsftpd/user_list
    please look at the userlist_deny parameter in /etc/vsftpd/vsftpd.conf
    If userlist_deny=NO, allows only users listed in the user_list file
    If userlist_deny=YES, NEVER allows any users listed in the user_list file. For this case,
    from the client side when you are trying to login as a user mentioned in the user_list file,
    no login prompt is given.
If a user exists in both files, the ftpusers file takes precedence.
If you change any of the above files, make sure to restart the ftp service
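Added example, not from these notes: a shell function that answers whether a user gets past the vsftpd login gate for a given userlist_deny value, using constructed ftpusers and user_list files in a temp directory. It assumes userlist_enable=YES in vsftpd.conf (the RHEL default config sets it), which is what makes user_list consulted at all; the file contents, the listed helper and ftp_login_allowed are the example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): a shell model of the vsftpd
# ftpusers / user_list decision described above, run against constructed
# copies of the two files. Assumes userlist_enable=YES in vsftpd.conf.
FTP_LAB=$(mktemp -d)
trap 'rm -rf "$FTP_LAB"' EXIT
printf '%s\n' root bin daemon > "$FTP_LAB/ftpusers"   # constructed: always denied
printf '%s\n' root alice      > "$FTP_LAB/user_list"  # constructed: meaning depends on userlist_deny

# listed FILE USER -> 0 if USER appears as a whole line in FILE
listed() { grep -qx "$2" "$1"; }

# ftp_login_allowed USER USERLIST_DENY -> prints allowed or denied
ftp_login_allowed() {
    user=$1; mode=$2
    if listed "$FTP_LAB/ftpusers" "$user"; then
        echo denied; return 0               # ftpusers wins over everything else
    fi
    case "$mode" in
        YES) if listed "$FTP_LAB/user_list" "$user"; then echo denied;  else echo allowed; fi ;;
        NO)  if listed "$FTP_LAB/user_list" "$user"; then echo allowed; else echo denied;  fi ;;
        *)   echo "usage: ftp_login_allowed USER YES|NO" >&2; return 2 ;;
    esac
}

for u in root alice bob; do
    printf '%-6s userlist_deny=YES -> %-8s userlist_deny=NO -> %s\n' "$u" \
        "$(ftp_login_allowed "$u" YES)" "$(ftp_login_allowed "$u" NO)"
done
```

The root row shows the precedence rule from the notes: root is in both files, and ftpusers denies it whatever userlist_deny says. The bob row shows the part that is easy to miss: with userlist_deny=NO a user who is in neither file is locked out, because user_list has become an allow list.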
#service vsftpd status
#service vsftpd restart
#chkconfig vsftpd on
To check messages for FTP
#tail -f /var/log/messages
To track the packets, you can install wireshark
#yum install wire* -y
To stop ftp connections coming into your server
#vim /etc/hosts.deny
    edit this file (see tcp_wrappers above)
Uploadable FTP Server using SELinux
1. Create directory /var/ftp/dropbox
2. Change the group ownership from root to ftp group
3. Make sure that ftp group can write to that directory
4. If SELinux is enforced, make sure that context for dropbox directory is same as ftp directory
5. Set process boolean for anonymous write
6. Make sure vsftp config file for anonymous write and upload
7. Restart FTP service
#mkdir -p /var/ftp/dropbox
    created and owned by root
#chgrp ftp /var/ftp/dropbox
#chmod g+rwx /var/ftp/dropbox
#getenforce
    Make sure it is SELinux enforcing
#cd /var
#ls -ldZ /var/ftp
    to see the context for ftp directory
#ls -ldZ /var/ftp/dropbox
    to see the context for dropbox directory
#restorecon -R -v /var/ftp/dropbox
or
#chcon -Rt public_content_rw_t /var/ftp/dropbox
#getsebool -a | grep ftpd
    look for allow_ftpd_anon_write
#setsebool -P allow_ftpd_anon_write=1
    P implies persistent setting
#vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES
anon_mkdir_write_enable=YES
    Anyone who can reach the server can now drop files here anonymously, so keep the
    dropbox separate from anything served for download and watch its contents.
#service vsftpd status
#service vsftpd restart
#chkconfig vsftpd on
HTTP/Apache server
#rpm -qa | grep httpd
    to see if apache is installed or not
#yum install http* -y
Default port is 80
Document root is /var/www/html
User is apache
Group is apache
All logs are in the following directories
/etc/httpd/logs
/var/log/httpd
#rpm -qc httpd*
    to see configuration files for httpd
#vim /etc/sysconfig/httpd
    httpd startup parameters are in here
/etc/httpd is the main directory
#vim /etc/httpd/conf/httpd.conf
    main config file for httpd. You can change log file location here, if needed
    DirectoryIndex index.html index.html.var
After making changes, please make sure to restart the service
#service httpd restart
#chkconfig httpd on
In browser, use the following URLs
http://localhost
    looks for index.html file in /var/www/html
http://127.0.0.1
    looks for index.html file in /var/www/html
http://<ipaddress of http server>
    looks for index.html file in /var/www/html
#yum install elinks* -y
#elinks --dump localhost
#elinks --dump <ip address of http server>
#elinks 192.168.11.3
    This worked for me and the above two URLs did not
Name based and port based Virtual Hosting
(with restricting access to host for one of the sites)
(with user based authentication for one of the sites)
Step 1 (Server)
---------------
#mkdir -p /var/www/virtual
#cd /var/www/virtual
#mkdir google
    In this directory, create google.html. Put in some text
#mkdir yahoo
    In this directory, create yahoo.html. Put in some text
#mkdir facebook
    In this directory, create facebook.html. Put in some text
#mkdir twitter
    In this directory, create twitter.html. Put in some text
Step 2 (Server)
---------------
#vim /etc/httpd/conf/httpd.conf
    make sure that the following entries exist
NameVirtualHost 192.168.0.250:80
NameVirtualHost 192.168.0.250:8080
DirectoryIndex index.html index.html.var
DirectoryIndex google.html google.html.var
DirectoryIndex yahoo.html yahoo.html.var
DirectoryIndex facebook.html facebook.html.var
DirectoryIndex twitter.html twitter.html.var
Listen 80
Listen 8080
<VirtualHost 192.168.0.250:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/virtual/google
    ServerName google.example.com
</VirtualHost>
#<Directory "/var/www/virtual/google">
#    AllowOverride None
#    Options None
#    Order allow,deny
#    Allow from all
#</Directory>
    (commented out. Order allow,deny means: apply the Allow lines and then deny all others;
    with Allow from all everybody would get in)
<Directory "/var/www/virtual/google">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from desktop3.example.com
</Directory>
    Allow google site only from desktop3.example.com. Deny all others
<VirtualHost 192.168.0.250:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/virtual/yahoo
    ServerName yahoo.example.com
</VirtualHost>
<VirtualHost 192.168.0.250:8080>
    ServerAdmin [email protected]
    DocumentRoot /var/www/virtual/facebook
    ServerName facebook.example.com
</VirtualHost>
<VirtualHost 192.168.0.250:8080>
    ServerAdmin [email protected]
    DocumentRoot /var/www/virtual/twitter
    ServerName twitter.example.com
</VirtualHost>
<Directory "/var/www/virtual/twitter">
    AuthType Basic
    AuthName "This is for user based Authentication"
    AuthUserFile /etc/httpd/.htpasswd
    Require user user1 user2
</Directory>
    Basic auth sends the password base64 encoded, not encrypted, so on anything but a lab
    network it belongs behind HTTPS
Step 3 (Server)
---------------
#service httpd configtest
#httpd -t
    Syntax check
#httpd -S
    virtual host syntax check
Step 4a (Server)
----------------
#useradd user1
#useradd user2
#htpasswd -cm /etc/httpd/.htpasswd user1
    c for create and m for an md5 hashed password for user1
#htpasswd -m /etc/httpd/.htpasswd user2
    Since the file already exists, no c needed. Adds an md5 hashed password for user2
Step 4b (Server)
----------------
#vim /etc/hosts
    Add the following entries
192.168.0.250 google.example.com
192.168.0.250 yahoo.example.com
192.168.0.250 facebook.example.com
192.168.0.250 twitter.example.com
Step 5 (Server)
---------------
#service httpd restart
#chkconfig httpd on
Step 6 (Server)
---------------
#tail -f /var/log/httpd/access_log
    to see the hits on the apache server
Step 7 (Client)
---------------
In browser
http://google.example.com
    only allowed from desktop3.example.com
http://yahoo.example.com
http://facebook.example.com:8080
http://twitter.example.com:8080
    asks for userid and password. Need to enter user1 or user2 and their http password
Step 8 (Server)
---------------
#elinks --dump google.example.com
    only allowed from desktop3.example.com
#elinks --dump yahoo.example.com
#elinks --dump facebook.example.com
#elinks --dump twitter.example.com
    asks for userid and password. Need to enter user1 or user2 and their http password
Monitoring a website
The ab command is used to perform realtime performance testing on a website
#ab http://demo.example.com
    You will see various things. One of them is response time
#ab -n 200 -c 10 http://demo.example.com
    200 requests, 10 at a time (10 users). The response time increases
#ab -n 1000 -c 20 http://demo.example.com
    1000 requests, 20 at a time (20 users). The response time further increases
iSCSI - Server side
#yum install scsi-target-utils* -y
#vim /etc/tgt/targets.conf
Add the following entries
<target iqn.2011-12.com.example:server1.desktop16.disk1>
backing-store /dev/sda5
initiator-address 192.168.0.16
</target>
<target iqn.2011-12.com.example:server1.server17.disk1>
backing-store /dev/sda6
initiator-address 192.168.0.117
</target>
#service tgtd stop
#service tgtd start
#chkconfig tgtd on
Default port for tgtd is 3260
Make sure that the port is listening by issuing the following command
#netstat -ntlp | less
    (the initiator-address lines above are the only access control in this setup;
    restrict port 3260 to those initiators with iptables as well)
iSCSI - Client side
Go to one of the clients mentioned in the server's /etc/tgt/targets.conf file
#yum install iscsi-initiator-utils* -y
#iscsiadm -m discovery -t st -p 192.168.0.1
    This is to get the iqn number of the iscsi drive shared for the client by the server
    m => mode
    t => type
    st => send targets
    p => portal, ip address of the server that is sharing the disk
#iscsiadm -m node -T iqn.2011-12.com.example:server1.desktop16.disk1 -p 192.168.0.1 -l
    T => Target iqn number
    l => login
    If you get a success message then the disk is attached.
To check if the disk is attached
#tail /var/log/messages | less
#fdisk -l | less
    Shows /dev/sdb attached. You can now partition it
#fdisk -cu /dev/sdb
    Add new partitions
#partx -d /dev/sdb
#partx -a /dev/sdb
#cat /proc/partitions
#mkfs.ext4 /dev/sdb1
For mounting always use blkid. Do not use /dev/sdb1
#mkdir /mnt/iscsi
#blkid /dev/sdb1
    get UUID
#vim /etc/fstab
    Add the following entry
UUID="......." /mnt/iscsi ext4 _netdev 0 0
#mount -a
#iscsiadm -m node -T iqn.2011-12.com.example:server1.desktop16.disk1 -p 192.168.0.1 -u -o delete
    u => logout
    o => operation; delete removes the cached node record. No data is deleted
File Searching (examples)
#find -name snow.png
#find / -name '*.txt'
#find /etc -name '*pass*'
#find /home -user joe -group joe
    files owned by user joe and group joe
#find /home -user joe -not -group joe
    files owned by user joe and not by group joe
#find /home -user joe -o -user jane
    files owned by user joe or user jane
#find /home -not \( -user joe -o -user jane \)
    files NOT owned by user joe or user jane
#find / -user joe -o -uid 500
    files owned by user joe or user with uid 500
#find / -perm 755
    files that have exactly 755 permissions
#find / -perm +222
    files that anyone can write (newer findutils spell this -perm /222)
#find / -perm -222
    files that everyone can write
#find / -perm -002
    files that others can write
#find / -size 10M
    files exactly 10M in size
#find / -size +10M
    files > 10M in size
#find / -size -10M
    files < 10M in size
#find /tmp -ctime +10
    files changed more than 10 days ago
#find -size +100M -ok mv {} /tmp/largefiles/ \;
    files that are more than 100M in size are moved to a different directory.
    Prompts for each file move
#find -size -100M -exec mv {} /tmp/smallfiles/ \;
    files that are less than 100M in size are moved to a different directory.
    NO PROMPT
#find / -type f -group ftp -not -user root -exec cp -p {} /tmp/ftpfiles/ \;
#find / -type f -perm -002 -exec chmod o-w {} \;
#find / -not -perm +111 -name '*.sh' -ok chmod 755 {} \;
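Added example, not from these notes: a script that builds a scratch directory of files with known permissions and sizes and runs the -perm and -size expressions from the list above over it, finishing with the chmod o-w clean-up from the -exec line. File names, modes and the helper functions (setup_lab, count_matches, fix_world_writable) are the example's own; it writes -perm /222 rather than -perm +222 because current GNU findutils only accepts the / spelling for "any of these bits".

```shell
#!/bin/sh
# Added example (not from the original notes): builds a throwaway directory of
# files with known permissions and sizes, then runs the find expressions from
# the list above against it so the three -perm forms can be compared.
# -perm /MODE is the current GNU findutils spelling of the old +MODE form.
FIND_LAB=$(mktemp -d)
trap 'rm -rf "$FIND_LAB"' EXIT

# mk NAME MODE KIB -> create a KIB-kilobyte file with the given octal mode
mk() {
    dd if=/dev/zero of="$FIND_LAB/$1" bs=1024 count="$3" 2>/dev/null
    chmod "$2" "$FIND_LAB/$1"
}
# setup_lab -> (re)create the constructed sample files
setup_lab() {
    mk script.sh  755 1     # owner rwx, everyone else r-x
    mk notes.txt  644 3
    mk secret.key 600 1
    mk shared.log 666 12    # world writable
    mk scratch    777 0     # world writable, empty
}
# count_matches EXPR... -> number of regular files in the lab matching EXPR
count_matches() { find "$FIND_LAB" -type f "$@" | wc -l | tr -d ' '; }
# fix_world_writable -> strip o+w from every world-writable file, then recount
fix_world_writable() {
    find "$FIND_LAB" -type f -perm -002 -exec chmod o-w {} \;
    count_matches -perm -002
}

setup_lab
echo "exactly 755:           $(count_matches -perm 755)"     # 1 (script.sh)
echo "others can write:      $(count_matches -perm -002)"    # 2 (shared.log, scratch)
echo "everyone can write:    $(count_matches -perm -222)"    # 2 (same two)
echo "anyone can write:      $(count_matches -perm /222)"    # 5 (every file has u+w)
echo "larger than 10 KiB:    $(count_matches -size +10k)"    # 1 (shared.log)
echo "smaller than 2 KiB:    $(count_matches -size -2k)"     # 3 (the 1 KiB and 0 KiB files)
echo "after chmod o-w:       $(fix_world_writable)"          # 0
```

The gap between "anyone can write" (5) and "everyone can write" (2) is the reason the notes list both: /222 matches a file if any of the three write bits is set, -222 only if all three are, and it is the -002 form that finds the files worth fixing.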
Virtual Machine
#virsh destroy <vserverName>
#virsh undefine <vserverName>
#virt-manager
    to launch Virtual Machine Manager
tar and compression
Order of compression (as tried below: plain, gzip, bzip2, xz)
#tar -cvf etc.tar /etc
#du -h etc.tar
    to see how much space it occupies
#tar -czvf etc.tar.gz /etc
#du -h etc.tar.gz
    to see how much space it occupies
#tar -cjvf etc.tar.bz /etc
#du -h etc.tar.bz
    to see how much space it occupies
#tar -cJvf etc.tar.xz /etc
#du -h etc.tar.xz
    to see how much space it occupies
c => Create
v => verbose
f => file tar
z => gzip
j => bzip2
J => xz
tar is the only command where the destination is given first and the source later.
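Added example, not from these notes: runs the four tar forms above on a constructed, deliberately repetitive directory and reports the archive sizes, so the compressors can be compared on real output instead of taken on faith. The sample text, the directory name and the archive_size helper are the example's own; a compressor that is not installed is reported as "-" instead of aborting the run.

```shell
#!/bin/sh
# Added example (not from the original notes): runs the four tar invocations
# above on a constructed, highly compressible directory and reports the
# archive sizes, so the effect of z (gzip), j (bzip2) and J (xz) can be seen.
# A compressor that is not installed is reported as "-" rather than failing.
TAR_LAB=$(mktemp -d)
trap 'rm -rf "$TAR_LAB"' EXIT
mkdir "$TAR_LAB/etc"
i=0
while [ "$i" -lt 400 ]; do   # constructed config-like text, repetitive on purpose
    printf 'key%03d = value%d   # sample setting, not a real file\n' "$i" $((i % 5)) \
        >> "$TAR_LAB/etc/sample.conf"
    i=$((i + 1))
done

# archive_size FLAG EXT TOOL -> bytes of etc.tar$EXT created with tar -c${FLAG}f,
# or "-" when the compressor TOOL is not installed or tar cannot use it
archive_size() {
    flag=$1; ext=$2; tool=$3
    if [ -n "$tool" ] && ! command -v "$tool" >/dev/null 2>&1; then
        echo -; return 0
    fi
    if ! (cd "$TAR_LAB" && tar -c"$flag"f "etc.tar$ext" etc 2>/dev/null); then
        echo -; return 0
    fi
    wc -c < "$TAR_LAB/etc.tar$ext" | tr -d ' '
}

TAR_PLAIN=$(archive_size ""  ""    "")
TAR_GZ=$(archive_size    z   .gz   gzip)
TAR_BZ=$(archive_size    j   .bz2  bzip2)
TAR_XZ=$(archive_size    J   .xz   xz)
printf 'tar=%s  gz=%s  bz2=%s  xz=%s  (bytes)\n' "$TAR_PLAIN" "$TAR_GZ" "$TAR_BZ" "$TAR_XZ"
```

The plain archive is always the largest, since tar only concatenates with 512-byte headers and pads to 10 KiB blocks; how far bzip2 and xz beat gzip depends on the input, which is why measuring on your own data, as the notes do with du -h, is the right habit.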
iptables
#iptables -F
    Flush default iptables. Default are filter tables
#iptables -t filter -F
    Flush filter tables
#iptables -t nat -F
    Flush nat tables
#iptables -t mangle -F
    Flush mangle tables
#service iptables save
    Save the iptables
#service iptables stop
#service iptables start
#service iptables restart
VNC Server and Viewer
Did not look into it.
Is it covered in the exam?
gpg GNU Privacy Guard