[ Machiavelli... @ 24.08.2010. 19:08 ] @
ACL - Access Control Lists

First it has to be added to fstab
Code:
LABEL=/home /home ext3 defaults,acl 0 0
or on some other mount point. Then
Code:
mount -o remount -o acl LABEL=/home
To see the current ACL on /home/folder
Code:
getfacl /home/djordje
Now we first need to set the ACL for the folder the file is in
Code:
setfacl -m user:djordje:r-x /home/djordje
Code:
setfacl -m mask:r-x /home/djordje
The mask is important because it is what grants everyone on the ACL list a certain level of access, according to how we set it.

Let me explain this a bit. We have the folder test, where the user (root) is allowed rwx and group and other have had all rights removed.
Code:
drwx------ 3 root root 4096 Aug 24 08:22 test
Let's list the ACL
Code:
getfacl test
# file: test
# owner: root
# group: root
user::rwx
group::---
other::---
Now we allow user djordje to access the folder
Code:
setfacl -m u:djordje:rx test/
and set the mask to read only
Code:
setfacl -m m:r test/
We get the following ACL on test
Code:
getfacl test
# file: test
# owner: root
# group: root
user::rwx
user:djordje:r-x   #effective:r--
group::---
mask::r--
other::---
In this situation, despite the rx permissions for user djordje, he cannot access the folder because of the effective permission imposed by the mask!
__________________________________________
For example, to give read and write permissions to user andrius:
Quote:
setfacl -m u:andrius:rw /project/somefile
For example, to remove all permissions from the user with UID 500:
Code:
setfacl -x u:500 /project/somefile
_______________________________________________
To set a default ACL, add d: before the rule and specify a directory instead of a file name.
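The mask behaviour shown above is easy to get wrong, so here is an added example (not part of the original post) that computes the #effective column that getfacl prints: the mask caps named users, named groups and the owning group, but never user:: (the owner) or other::. The sample ACL text is the getfacl output from the post.

```python
"""Compute POSIX ACL effective permissions the way getfacl reports them.

Rule: the mask entry caps every named user, every named group and the
owning group (group::).  The owner (user::) and other:: are never masked.
"""
from __future__ import annotations

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm: str) -> int:
    """'r-x' -> 5, 'rx' -> 5, '---' -> 0 (setfacl accepts both spellings)."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def bits_to_perm(bits: int) -> str:
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_acl(text: str) -> list[tuple[str, str, int]]:
    """Parse getfacl-style lines into (tag, qualifier, bits) tuples.

    '# file: ...' comment lines and a trailing '#effective:...' annotation
    are dropped, so pasted getfacl output can be fed in unchanged.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perm = line.split(":", 2)
        entries.append((tag, qualifier, perm_to_bits(perm)))
    return entries


def effective_acl(text: str) -> dict[str, str]:
    """Return {'user:djordje': 'r--', ...}: what each entry actually grants."""
    entries = parse_acl(text)
    mask = next((bits for tag, _, bits in entries if tag == "mask"), None)
    result = {}
    for tag, qualifier, bits in entries:
        # named users (qualifier present) and all group entries are masked
        masked = tag == "group" or (tag == "user" and qualifier != "")
        if masked and mask is not None:
            bits &= mask
        result[f"{tag}:{qualifier}"] = bits_to_perm(bits)
    return result


def can_enter_dir(acl_text: str, user: str) -> bool:
    """A named user needs effective x on a directory to enter it."""
    return "x" in effective_acl(acl_text).get(f"user:{user}", "---")


# getfacl output for test/ from the post above, after `setfacl -m m:r test/`
TEST_DIR_ACL = """\
# file: test
# owner: root
# group: root
user::rwx
user:djordje:r-x
group::---
mask::r--
other::---
"""

if __name__ == "__main__":
    for entry, perm in effective_acl(TEST_DIR_ACL).items():
        print(f"{entry:16} effective {perm}")
    print("djordje can enter test/:", can_enter_dir(TEST_DIR_ACL, "djordje"))
```

Raising the mask back to r-x (setfacl -m m:rx test/) is what restores djordje's access; the user entry itself never changed.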
For example, to set the default ACL for the /share/ directory to read and execute for users not in the user group (an access ACL for an individual file can override it):
Code:
setfacl -m d:o:rx /share
____________________________________
Code:
setfacl -m u::rx,g::rw,m:---,u:djordje:rw dir
The :: between the user and the permissions means the entry refers to all users.
To delete the default ACL
Code:
setfacl -k dir
_______________________________________________________
##########################################################
Quotas

Quotas only apply to partitions, meaning they are set up in fstab
Code:
/dev/VolGroup00/LogVol00 / ext3 defaults,grpquota,usrquota 1 1
After the change it also has to be remounted (mount -o remount /home); if it is / then a restart is required. Then run the following command
Code:
quotacheck -avcm
Then we assign how much space each user may use
Code:
edquota user_name
Code:
edquota -t
(grace period for the soft limit; after it expires the user cannot add anything and must delete something to free up space)
Quote:
repquota -s /
Code:
edquota -up bora aleksa vesna
(this copies bora's quota settings to aleksa and vesna)
_______________________________________________________________________________
SUDOERS
Code:
visudo
is used to edit the file /etc/sudoers

Automount/fstab

automount
Code:
cd -fstype=iso9660,ro,nosuid,nodev :/dev/cdrom
nfs -fstype=nfs 192.168.1.10:/nfs_homes/home
project -fstype=ext3 :/dev/sdb1 (to mount a local filesystem)
samba -fstype=cifs,username=djordje,password=djordje ://192.168.1.10/samba_shares
fstab
Code:
//192.168.1.10/samba_shares /root/samba cifs username=djordje,password=djordje 0 0
192.168.1.10:/nfs_homes/home /root/nfs nfs soft,timeo=300 0 0
It is very important to remember the exact format for automount and fstab: this "://" is not "//" or ":/"; if we get it wrong it simply will not mount.
Grub

/boot/grub/grub.conf
____________________________________________
If we want to set a password
Code:
grub-md5-crypt
then grub.conf will look like:
password --md5 copy-of-the-output
To enter the password in Grub, press "p"
____________________________________________
Commands in grub.conf
Code:
grub> find (hd0,0)/grub/grub.conf
(we change the second "0" in turn until we get the right partition)
Commands, in order
Quote:
root
kernel vmlinuz (tab to complete)
initrd (tab to complete)
boot
_________________________________________
LVs, VGs, PVs

We'll go in order. We have the disks/partitions sdb1 and sdc1.
First we create the Physical Volumes
Code:
pvcreate /dev/sdc1
pvcreate /dev/sdb1
__________________________________________________________________________________
When we have created 2 or more physical volumes we create a Volume Group (imekojehocemozagrupu = the name we want for the group)
vgcreate imekojehocemozagrupu /dev/sdc1 /dev/sdb1
We can add new partitions to the VG (imegrupe = group name)
vgextend imegrupe /dev/sdf1 (for example)
Then we create logical volumes in the group, which we can later format like ordinary disks (size, type...)
lvcreate -l number_of_pes imegrupe -n logvol(partition_name)
or with the desired size
lvcreate -L 200m imegrupe -n flex
To see what we have and where the LV and VG are
vgdisplay
lvdisplay
lvscan
Then we create a filesystem on the logical volume
mkfs -t ext3 /dev/prvagrupa/logvol
vgreduce --removemissing VolGroup00
_______________________________________
To add new space (/putanja_koju_vidimo_sa_lvscan = the path shown by lvscan)
lvextend -L+2M /putanja_koju_vidimo_sa_lvscan
resize2fs /putanja_koju_vidimo_sa_lvscan
(if this does not work then it must be unmounted first and then e2fsck -f /putanja_koju_vidimo_sa_lvscan)
_________________________________________________
Then in fstab we can write
LABEL=/home/mj /home/mj ext3 defaults 1 2
but to use this we must create a label for it
e2label /dev/prvagrupa/logvol /home/mj
or in fstab, instead of LABEL=/home/mj, we write /dev/prvagrupa/logvol
##########################################################
9.
Apache

rpm -q httpd
rpm -q mod_ssl
To install: httpd httpd-manual
http://localhost/
directory /etc/httpd/
main config file /etc/httpd/conf/httpd.conf
______________________
The document root for the website is /var/www/; usually directories are created for specific domains, for example
mkdir /var/www/virtuallab.internal
_________________________________________________________________________________
An alias for any folder; the folder must contain index.html, index.htm ...
alias /www.virtuallab.middle /var/www/virtuallab.middle (the name does not have to match the folder)
<VirtualHost www.virtuallab.middle>
ServerName www.virtuallab.middle
DocumentRoot "/var/www/virtuallab.middle"
ServerAdmin [email protected]
ErrorLog logs/virtuallab.external-error_log (we create these files)
CustomLog logs/virtuallab.external-access_log common (we create these files)
</VirtualHost>
<Directory "/var/www/virtuallab.middle">
# Order deny,allow (if we set up order allow,deny access is denied by default)
# Allow from all
AuthType Basic
AuthName "Unesite svoju Sifru."
AuthUserFile /etc/httpd/webpass
require valid-user
</Directory>
htpasswd -c /etc/httpd/webpass djordje (-c creates the user_pass file)
_____________________________________________________________________________
To allow access only to user djordje
Require user djordje (this also goes in the Directory container)
To regulate access for a group, add these:
AuthGroupFile /etc/httpd/webgroups (we create this file: Group_name: user1 user2 ..)
Require group Design
_____________________________________________________________________________
LOG
/etc/httpd/logs
access_log
error_log
__________________________________________________________________
SELINUX (man httpd_selinux)
chcon -R -u system_u /var/virtuallab
chcon -R -t httpd_sys_content_t /var/virtuallab
__________________________________________________________________
When we add this
ServerAlias vituallab.external www2.virtuallab.external
SSL
<NameVirtualHost *:443>
________________________________
If we use a .htaccess file we must put the option AllowOverride Options into the Directory container; otherwise .htaccess is placed in the web directory.
____________________________________________
Everything HAS TO BE accessible by user apache!
_____________________________________________
########################################################
10. Named

Installed with
yum install bind
yum install system-config-bind
__________________________________
Then go to system-config-bind, save the defaults, and that is an up-and-running caching-only server (that is, recursive=yes). This generates named.conf in /etc/named.conf
___________________________________
chkconfig named on
_______________________________________
When we create a new zone all the files go in /var/named; if we want another location it must be specified exactly.
_____________________________________
The port is UDP 53
#######################################################
11.
Network mix

This means that whenever we want to communicate with 12.14.543.32 it always goes via 192.168.1.101
route add -host 12.14.543.32 gw 192.168.1.101 (for example)
route del 12.14.543.32 (just the address being deleted is enough)
_________________________________________________________
When we want to communicate with a whole subnet
route add -net 12.14.543.0 netmask 255.0.0.0 gw 192.168.1.101
_________________________________________________________________
dig - information about servers (example: dig www.yahoo.com MX)
___________________________________________________________________
netstat -antu
-c (refresh every second) | less (for processes, including tcp and udp)
65535 ports exist
-s | less (statistical information about the tcp stack)
-l (listening)
-r routing table (same as "route")
Computers never send requests from below port 1024; that port is always higher, towards the port on the other computer, which is usually below 1024.
___________________________________________________________________
nmap -v -O -sS -p 22 192.168.1.10
________________________
w - who is logged in right now
who -a (more precise for the login time, to the minute)
last (shows user login/logout and how many times the system restarted)
_____________________________________________
/etc/issue kernel and OS information
/etc/motd (information printed when someone logs in)
_________________________________________
rdesktop -g 550x450 for remote desktop
_______________________________________________
########################################################
12.
Nfs

/etc/exports example
/temp_dir *(rw,sync,no_root_squash)
/temp_dir 192.168.1.11(rw,sync) 192.168.1.12(ro) 192.168.1.0/24(ro,sync)
/temp_dir *.virtuallab.internal(ro,sync)
no_root_squash (remote root users will not be treated as root once they connect to the server)
_____________________________________________
Then mount the remote ip
mount -t nfs 192.168.1.10:/remote_dir /local_dir/
_____________________________________________
showmount -e (to see what is shared)
_____________________________________________
################################
AUTOMOUNT

To make the nfs share permanent, in /etc/fstab
192.168.1.10:/nfs_homes/home /home nfs rw,soft,timeo=100 0 0
______________________________________________________________________________
Example for auto.misc
nfs_centos1 -rw,soft,intr centos1:/nfs_homes/home
/etc/auto.net server_name
______________________________________________________________________________
########################################
After changes in /etc/exports
exportfs -a (for all)
exportfs -r (read up on what "r" does)
When we add a dir, run this command to add it to the shares
_____________________
iptables
111 TCP/UDP
2049 TCP/UDP
rpcinfo -p
then we look at 4 daemons
locked (TCP)
locked (UDP)
mountd (TCP)
statd (TCP)
To configure the ports statically: /etc/sysconfig/nfs (uncomment all the ports it uses; they can also be changed as desired). Otherwise the ports change randomly on restart!
__________________________________
Support for write access
setsebool -P nfs_export_all_rw 1
_____________________________________
fstab line
192.168.1.10:/nfs_homes/home /home/vesna/nfs_home nfs rw,soft,intr 0 0
______________________________________________________________________
Host access is regulated in /etc/exports
User access via acl!
_____________________________________
########################################################
13.
NIS/LDAP

NIS
edit /etc/yp.conf
domain domain_name server server_name
chkconfig ypbind on
edit /etc/nsswitch.conf
passwd: files nis
shadow: files nis
group: files nis
man ypbind_selinux
setsebool -P allow_ypbind 1
#########################################################
LDAP
We need openldap-clients, openldap, nss_ldap
To configure the client, ldap.conf has to be modified in two places
/etc/ldap.conf
/etc/openldap/ldap.conf
____________________________________________________
/etc/openldap/ldap.conf
base dc=example,dc=com
URI ldap://127.0.0.1
(replace 127 with the ip of the ldap server and example with the domain name)
########################################################
14. NTP

/etc/ntp.conf
_____________
Comment these out
#restrict default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery
#restrict 127.0.0.1
#restrict -6 ::1
also
#server 127.127.1.0
i.e. comment out all the restrict lines; also delete nopeer noquery
__________________________________
Add servers
server ip/server_name
When you want it to be a server, activate this restrict for a particular subnet
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
To disable SELinux for ntp
setsebool -P ntpd_disable_trans 1
___________________________________
chkconfig ntpd on
________________________________
ntpq -np (to query the status of time sync); without "n" we see server names
ntptrace
ntpq -n (interactive mode)
ntpdate -u 192.168.1.10 (to update)
PORT 123
########################################################
15. PAM (book, page 305)

Documentation: cd /usr/share/doc/pam-0.99.6.2/txts/
/etc/pam.d/login
The modules are in /etc/security/
Applications are PAM aware, so we just activate pam and it works.
PAM can disable access for users according to time, password expiration, or a list of restricted users.
If a user cannot log in, check /var/log/secure to see whether PAM is denying it????
The .so files are in /lib/security/
_________________________________________________________________________________________________
In /etc/pam.d/ are the daemons that can be controlled via the conf files in /etc/security; into the daemons themselves we insert a .so file, for example
account required /lib/security/pam_access.so
whose config file is /etc/security/access.conf
_________________________________________________________________________________________________
Examples: /usr/share/doc/pam-0.99.6.2/txts
Say we forbid bora from logging in via sshd
/etc/security/time.conf
sshd;*;bora;!Al2200-0400
and then in /etc/pam.d/sshd we insert
account required pam_time.so
______________________________________________
15.4 Custom PAM Example

This example limits who can use SSH based on a list of users.
1. In /etc/pam.d/sshd, add the following line:
auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/sshd_users
The above will allow a user to login via sshd if they are listed in the /etc/sshd_users file. The options specified have the following meanings:
* onerr=fail - If an error occurs (file specified isn't found, or an improperly formatted entry is found in the file), fail this test. This will deny the user access via sshd. The other possible option for "onerr" is "succeed".
* item=user - This states that we are testing or verifying the user's login name.
* sense=allow - This means that if the user is found in the file specified, this test succeeds. This will allow the user access if all other PAM tests succeed as well. The other possible option for "sense" is "deny".
* file=/etc/sshd_users - This specifies the file that will contain the list of users (one per line) that are allowed to access sshd.

15.5 Time Based Restrictions

These examples will limit the login times of certain users. See /etc/security/time.conf for more information/examples.
In order to place time restrictions on user logins, the following must be placed in /etc/pam.d/login:
account required /lib/security/pam_time.so
The remaining lines should be placed in /etc/security/time.conf.
1. Only allow user steve to login on weekdays between 7 am and 5 pm.
login;*;steve;Wd0700-1700
2. Allow users Bilbo & Frodo to login on all days between 8 am and 5 pm except for Sunday.
login;*;bilbo|frodo;AlSu0800-1700
If a day is specified more than once, it is unset. So in the above example, Sunday is specified twice (Al = All days, Su = Sunday). This causes it to be unset, so this rule applies to all days except Sunday.

15.6 Access Based Restrictions

/etc/security/access.conf can be used to restrict access by terminal or host. The following must be placed in /etc/pam.d/login in order for these examples to work:
account required /lib/security/pam_access.so
1. Deny steve login access on all terminals except for tty1:
-:steve:ALL EXCEPT tty1
2. Users in the group jedi are only allowed to login from a local terminal:
-:jedi:ALL EXCEPT LOCAL
3. Allow user gandalf to only login from a trusted server:
-:gandalf:ALL EXCEPT trusted.somedomain.com
_______________________________________________________
/lib/security/pam_access.so    account required
/lib/security/pam_listfile.so  auth required
/lib/security/pam_time.so      account required
/lib/security/pam_wheel.so     auth required use_uid (limiting the use of su to the wheel group)
##############################################################
##############################################################
16.
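To check how time.conf rules such as the ones above behave before relying on them, here is an added example (not from the original post) that evaluates "service;tty;users;times" lines. Day codes follow pam_time(8): Mo..Su, Wk = Mon-Fri, Wd = Sat-Sun, Al = all days; naming a day twice unsets it (AlSu = all except Sunday), "!" negates a term, and HHMM-HHMM may cross midnight. pam_time denies the login when a rule matches the service/tty/user but its time term does not. The sample time.conf is constructed from the rules in the post; note that its first rule uses Wd, which pam_time reads as the weekend.

```python
"""Evaluate /etc/security/time.conf rules (pam_time semantics)."""
from __future__ import annotations
from datetime import datetime

# weekday() numbers: Monday=0 ... Sunday=6
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7)),
}


def field_matches(field: str, value: str) -> bool:
    """Service/tty/user field: '*' is a wildcard, 'a|b' is alternation."""
    return field == "*" or value in field.split("|")


def parse_time_term(term: str) -> tuple[bool, set[int], int, int]:
    """'!Al2200-0400' -> (negated, days, start_minute, end_minute)."""
    negated = term.startswith("!")
    term = term.lstrip("!")
    days: set[int] = set()
    while term[:2] in DAY_CODES:          # consume two-letter day codes
        days ^= DAY_CODES[term[:2]]      # XOR: a day named twice is unset
        term = term[2:]
    start, end = term.split("-")

    def to_min(hhmm: str) -> int:
        return int(hhmm[:2]) * 60 + int(hhmm[2:])

    return negated, days, to_min(start), to_min(end)


def term_allows(term: str, when: datetime) -> bool:
    negated, days, start, end = parse_time_term(term)
    now = when.hour * 60 + when.minute
    if start <= end:
        in_range = start <= now < end
    else:                                 # range wraps past midnight
        in_range = now >= start or now < end
    ok = when.weekday() in days and in_range
    return not ok if negated else ok


def login_permitted(conf: str, service: str, tty: str, user: str,
                    when: datetime) -> bool:
    """Any matching rule whose time terms all fail denies the login."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        services, ttys, users, times = line.split(";")
        if not (field_matches(services, service) and field_matches(ttys, tty)
                and field_matches(users, user)):
            continue
        if not any(term_allows(t, when) for t in times.split("|")):
            return False
    return True


# Constructed time.conf built from the three rules in the post above
TIME_CONF = """\
login;*;steve;Wd0700-1700
login;*;bilbo|frodo;AlSu0800-1700
sshd;*;bora;!Al2200-0400
"""

if __name__ == "__main__":
    monday_9 = datetime(2010, 8, 23, 9, 0)      # Mon 23 Aug 2010
    saturday_9 = datetime(2010, 8, 28, 9, 0)    # Sat 28 Aug 2010
    for user, when in (("steve", monday_9), ("steve", saturday_9),
                       ("frodo", monday_9), ("frodo", datetime(2010, 8, 22, 9, 0))):
        print(user, when.strftime("%a %H:%M"),
              login_permitted(TIME_CONF, "login", "tty1", user, when))
```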
Postfix (a bit)

/etc/postfix/main.cf
#myhostname = host.domain.tld
#mydomain=domain.tld
#myorigin =$mydomain
inet_interfaces = all
mynetworks =192.168.1.0/24, 127.0.0.0/8
__________________________________________________________
/etc/aliases (entries are added for redirects)
username: username01, username02
groupname: username01, username02, othergroupname
____________________________________________________
alternatives --config mta (to choose the default mail agent)
#########################################################
17. Quotas

First add usrquota,grpquota in fstab
____________________
Then remount that partition
mount -o remount,rw /home
mount -o remount / (examples)
*******************
1mb = 1000 in edquota soft and hard
************************
______________________
Then run
quotacheck -cugm /home
(this command creates the two files aquota.user and aquota.group; they should sit in the root of the partition for which we activated quotas)
edquota -t djordje (for the grace period)
_______________________
then
edquota -u djordje
################################################################
To take user djordje's quota as a template and apply it to the others
edquota -up djordje bora vesna aleksa adriana
########################################################
Group quotas
edquota -g djordje
###########################################################
________________________________
soft - a limit that can be exceeded for a certain number of days, the grace period
hard - they can never exceed the hard limit
_____________________________________________
repquota -a (lists all users and quotas - beautiful :-)
______________________________________
##########################################################
18.
RAID

RAID 0 uses both disks and writes across them; provides no data redundancy (if one dies, everything goes to s***)
RAID 1 mirroring between 2 or more disks
RAID 4 (requires 3 or more disks) one serves as the parity disk and the other two for data; data redundancy provided
RAID 5 (requires 3 or more disks) similar to RAID 4 but the parity information is written across all the disks; data redundancy provided
RAID 6 (requires 4 or more disks) two levels of parity; 2 can die and the data is still safe
################################################
To see the existing RAID
cat /proc/mdstat
to find out more about an array
mdadm --detail /dev/md0 (or md1 or whichever)
#################################################
To create a RAID
mdadm --create --verbose /dev/md0 --level=1 --raid-devices=2 /dev/sdd1 /dev/sde1 (from these 2 disks)
#################################################
Remove a disk from the raid
mdadm --verbose /dev/md0 -f /dev/sdd1 -r /dev/sdd1
Add a partition to a RAID array
mdadm --verbose /dev/md0 -a /dev/sdd1
##################################################
Then it is necessary to create the /etc/raidtab file
###################################################
Then format the RAID device
mkfs.ext3 /dev/md0
##################################################
19. Samba

Install samba samba-client samba-common samba-swat (management tool) system-config-samba
_____________________________________________
Adding a user
smbpasswd -a user_name
then add the users to /etc/samba/smbusers
_____________________________________________
Then in /etc/xinetd.d/swat set disable=no
then go to http://localhost:901, configure it, create a share ....
then
service smb start (automatically starts nmb as well)
_______________________________________________
/etc/samba/smb.conf
_______________________________________________
SELINUX!!!!!!
Selinux is explained in - MANDATORY!!!!!!!!!!!!!
man samba_selinux
MANDATORY!!!!!!!!!!!!!
When a new folder is shared, this command gives it the right context (putanja_foldera = the folder path)
chcon -t samba_share_t putanja_foldera
semanage fcontext -a -t samba_share_t "putanja_foldera(/.*)?" (to make the change permanent)
restorecon -R -v putanja_foldera (to apply the change)
_____________________________________________________________________________
So that users can use it
chmod +s /sbin/mount.cifs
then
mount.cifs //192.168.1.10/samba4 /root/test2 -o username=djordje
_____________________________________________________________________________
chmod 1777 putanja_foldera (everyone can write into the folder, but you can only delete the folders you created yourself, not other people's)
_____________________________________________________________________________
testparm (to test samba for syntax errors)
_____________________________________________________________________________
Samba client
smbclient -L centos1 -U aleksa (to see the shares on centos1 as user djordje)
To make these two commands executable
chmod +s /sbin/mount.cifs
chmod +s /sbin/umount.cifs
Then we try automount for a directory from linux and from 2003, mounting a local folder (sifra = the password)
mount.cifs //server2003/Test_Share /proba_mount -o username=djordje%sifra
umount.cifs proba_mount
then we can put the lines into .bashrc (of a given user) and .bash_logout (of the same user)
___________________________________________________________________
To mount a Samba share when a Linux system comes up after reboot, edit the /etc/fstab file and put an entry as follows for your Windows/Samba share:
//ntserver/share /mnt/samba cifs username=username,password=password 0 0
___________________________________________________________________
GUI: system/preferences/more preferences/sessions and add the same /sbin/mount.cifs ....
________________________________________________________________________________
General:
In the /etc/services file you will find a few lines that refer to Samba services
netbios-ns 137/udp # NetBIOS Name Service
netbios-dgm 138/udp # NetBIOS Datagram Service
netbios-ssn 139/tcp # NetBIOS Session Service
microsoft-ds 445/tcp # Microsoft Directory Service
-A RH-Firewall-1-INPUT -p udp -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
______________________________________
Host access in /etc/smb.conf
User access also in smb.conf
_________________________________________
########################################################
20. Selinux

Temporary selinux change
To put it into passive (permissive) mode
echo 0 >/selinux/enforce
You'll need to be logged in as root, and in the sysadm_r role:
newrole -r sysadm_r
To enforcing mode
echo 1 >/selinux/enforce
____________________________________________________
setenforce 1 | 0 same as the echo above
getenforce to see which one it is!
____________________________________________________
To see which mode
cat /etc/selinux/config
____________________________________________________
Permanent change
/etc/selinux/config
SELINUX=enforcing or SELINUX=permissive
_____________________________________________________
Quick switch
echo 0 >/selinux/enforce (permissive)
echo 1 >/selinux/enforce (enforcing)
____________________________________________________
You may never need to relabel an entire file system. This usually occurs only when labeling a file system for SELinux for the first time, or when switching between different kinds of policy, such as going from the targeted to the strict policy. There is one good method for relabeling the file system. You may also hear about two other methods, both of which are not recommended. Here they are in order:
The best and cleanest method to relabel is to let init do it for you on boot.
touch /.autorelabel
reboot
By allowing the relabeling to occur early in the reboot process, you ensure that applications have the right labels when they are started and that they are started in the right order. If you relabel a live file system without rebooting, you may have processes running under the incorrect context. Making sure all the daemons are restarted and running in the right context can be difficult.
It is possible to relabel a live file system using fixfiles, or to relabel based on the RPM database:
fixfiles relabel
fixfiles -R packagename restore
________________________
###########################################################
21. Sendmail

_________________
These need to be installed: sendmail sendmail-cf
_____________________________
Mail is stored in /var/spool/mail/
_____________________________
Aliases are in /etc/aliases and /etc/aliases.db
________________________________
/etc/mail
sendmail.cf (never touch this one)
sendmail.mc (this is the one to modify, because it is a macro file and it generates sendmail.cf)
If we want to change this .mc we just remove the 'dnl' at the beginning of a line and change whatever we want; then
cp sendmail.cf sendmail.cf.bak
This needs to be changed
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
comment it out or change it to the appropriate IP
Then we run the macro
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
Then in the access file /etc/mail/access we insert
CONNECT:192.168.1 RELAY
then
makemap hash /etc/mail/access.db < /etc/mail/access
__________________________________________________________
Then local-host-names, where the domain is inserted, e.g. virtuallab.internal
_______________________________________________________________________________
/etc/mail/virtusertable (contains the mapping between smtp and local user names)
[email protected] djordje
[email protected] aleksa
After a change we must run
makemap hash /etc/mail/virtusertable.db < /etc/mail/virtusertable
_______________________________________________________________________________
For example, if you want all email addressed to any domain.com account to be delivered to <[email protected]>, you need to add a line to the virtusertable file:
@domain.com [email protected]
Then, to add this new information to the virtusertable.db file, execute
makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable
as root. This will create a new virtusertable.db that contains the new configuration.
_________________________________________________________________________
Command line usage
sendmail -v username
we type what we want, then ctrl+d
_____________________________
/etc/mail/local-host-names (contains the domains that sendmail handles)
________________________________
In /etc/aliases
pera-zdera: root, djordje
After every change
newaliases (updates newaliases.db)
_______________________________
IPtables port 25 TCP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
________________________________
alternatives --config mta (to choose the default mail agent)
_________________________________
###############################
domaintable is for redirecting a domain
jedno.com drugo.com
##############################
virtusertable (redirects a local user's mail to some other mail address)
vesna@CeClean [email protected]
##############################################
POP3 - port 110
IMAP - port 143
SMTP - port 25
HTTP - port 80
Secure SMTP (SSMTP) - port 465
Secure IMAP (IMAP4-SSL) - port 585
IMAP4 over SSL (IMAPS) - port 993
Secure POP3 (SSL-POP) - port 995
__________________________________________________
#############################################################
22.
Squid

/etc/squid/squid.conf
Add to the conf file
visible_hostname 192.168.1.10
acl local_net src 192.168.1.0/24
http_access allow local_net
_______________________________________
The executable is in /usr/sbin/squid
_______________________________________
The port is 3128 TCP by default; the port can be opened, and it can also be done with iptables
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
________________________________________
selinux
setsebool -P squid_connect_any 1
________________________________________
then
squid -z (to create the squid cache dir)
_______________________________________
chkconfig squid on
_______________________________________
Block a particular word in a url
acl porn_block url_regex -i porn
http_access deny porn_block
TIME
acl work_days time M T W H F 14:20-14:37
http_access deny work_days
_____________________________________
########################################################
22. SSH

scp file_name user@ip: (default root)
_____________________________________
ssh-keygen -t dsa
ssh-keygen -t rsa
Create the file authorized_keys, copy the two .pub keys and save them in /root/.ssh (or whichever user)
_________________________
/etc/ssh/ssh_config
____________________________
known_hosts can be copied to /etc/ssh/ssh_known_hosts so that it applies to everyone (globally accessible dir)
_____________________________________________________
man sshd_config (config file)
___________________________________________________
Port forwarding
ssh -L 8080:www.linuxcbt.net:80 www.linuxcbt.net
then everything that locally addresses port 8080 goes to linuxcbt
http://localhost:8080
The port is bound to 127.0.0.0, which only listens locally. For requests from the whole subnet, i.e. from outside as well:
ssh -g -L 8080:www.linuxcbt.net:80 www.linuxcbt.net
in this case the port will be bound to 0.0.0.0 - all ips
___________________________________________________________
Files
port 22
openssh-server openssh-clients openssh-askpass openssh
____________________
########################################################
23. TCP Wrappers

Example /etc/hosts.deny
sshd: 192.168.1.1
vsftpd: 192.168.1.13
In the following example from a hosts.allow file, all example.com hosts are allowed to connect to all services except cracker.example.com:
ALL: .example.com EXCEPT cracker.example.com
In another example from a hosts.allow file, clients from the 192.168.0.x network can use all services except for FTP:
ALL EXCEPT vsftpd: 192.168.0.
ALL: .example.com EXCEPT cracker.example.com
It is also possible to specify a facility using the severity option. The following example logs any SSH connection attempts by hosts from the example.com domain to the local0 facility with a priority of alert:
sshd : .example.com : severity local0.alert
##############################################################
24. A bit of user administration

useradd -c "Proba" username
usermod -option username (usermod -G PrvaGrupa,DrugaGrua username)
userdel -option username
usermod -e 2009-16-06 username
chage username -M 2 (maximum number of days for one passwd)
chpasswd < file (username:password)
passwd username
groupadd groupname
groupdel groupname
groups username (list all the groups the user belongs to)
chmod u,g,o,-+rwx
Permissions for directories: the execute attribute - to enter the dir
chown username.groupname file/directory
newgrp groupname (when you switch to the group, everything is automatically set for that group)
chage
gpasswd -A user groupname (then that user can control who will and will not be in the group)
gpasswd -a username groupname (for that user to add users to the group)
gpasswd -d username groupname (to remove from the group)
usermod -e 07/06/2009 vesna
_______________________________________
_____________________________________
##############################################################
25. Change Desktop from Gnome to Kde

Open /etc/sysconfig/desktop file:
# vi /etc/sysconfig/desktop
Set DESKTOP variable to kde:
DESKTOP="KDE"
DISPLAYMANAGER="KDE"
############################################################
26.
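To see exactly which clients the hosts.allow and hosts.deny rules above let through, here is an added example (not from the original post) that evaluates them with the hosts_access(5) order: hosts.allow is searched first and the first match grants access; otherwise hosts.deny is searched and a match denies; no match at all grants access. It handles ALL, a leading-dot domain suffix (.example.com), a trailing-dot address prefix (192.168.0.) and "list EXCEPT list"; option fields after the second colon (such as severity local0.alert) are ignored. The sample files are constructed from the post's rules, with one extra "ALL: ALL" line added to hosts.deny so that hosts.allow acts as a whitelist.

```python
"""Evaluate TCP wrappers hosts.allow / hosts.deny rules for a (daemon, client)."""
from __future__ import annotations


def pattern_matches(pattern: str, candidates: tuple[str, ...]) -> bool:
    """Match one pattern against the names a client (or daemon) is known by."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # domain suffix, e.g. .example.com
        return any(c.endswith(pattern) for c in candidates)
    if pattern.endswith("."):              # address prefix, e.g. 192.168.0.
        return any(c.startswith(pattern) for c in candidates)
    return pattern in candidates


def list_matches(spec: str, candidates: tuple[str, ...]) -> bool:
    """'a b EXCEPT c' matches when a or b matches and c does not.

    'a EXCEPT b EXCEPT c' nests to the right as 'a EXCEPT (b EXCEPT c)'.
    """
    included, _, excluded = spec.strip().partition(" EXCEPT ")
    hit = any(pattern_matches(p, candidates) for p in included.split())
    if hit and excluded:
        hit = not list_matches(excluded, candidates)
    return hit


def file_matches(text: str, daemon: str, client: tuple[str, str]) -> bool:
    """True when some 'daemons : clients [: options]' line matches."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        if list_matches(fields[0], (daemon,)) and list_matches(fields[1], client):
            return True
    return False


def access_granted(hosts_allow: str, hosts_deny: str,
                   daemon: str, client: tuple[str, str]) -> bool:
    """client is (hostname, ip); allow wins, then deny, then default allow."""
    if file_matches(hosts_allow, daemon, client):
        return True
    if file_matches(hosts_deny, daemon, client):
        return False
    return True


# Constructed from the post's hosts.allow examples
HOSTS_ALLOW = """\
ALL: .example.com EXCEPT cracker.example.com
ALL EXCEPT vsftpd: 192.168.0.
"""
# The post's hosts.deny plus a catch-all so hosts.allow becomes a whitelist
HOSTS_DENY = """\
sshd: 192.168.1.1
vsftpd: 192.168.1.13
ALL: ALL   # added catch-all
"""

if __name__ == "__main__":
    for daemon, client in (("sshd", ("pc1.example.com", "10.1.1.1")),
                           ("sshd", ("cracker.example.com", "10.1.1.2")),
                           ("vsftpd", ("host.lan", "192.168.0.7")),
                           ("sshd", ("host.lan", "192.168.0.7"))):
        print(daemon, client, access_granted(HOSTS_ALLOW, HOSTS_DENY, daemon, client))
```

Without the catch-all line, cracker.example.com would still reach sshd: the EXCEPT clause only removes it from the allow rule, and nothing in the post's hosts.deny names it.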
Cron

/etc/crontab (main conf file)
To edit the crontab: crontab -e
To edit it for a particular user: crontab -u username -e

To make a file/script executable: chmod +x scriptname.sh

Every user that creates a cron entry will have a file in /var/spool/cron.

If we create cron.allow in /etc/, only the users listed in it are allowed to create cron entries; there is also cron.deny.

crontab -l to see which jobs are scheduled.

/etc/anacrontab is practically a backup for cron (if the system is restarted, anacron afterwards checks and starts the jobs with a certain delay).

at now, then at the at> prompt give the path to the script to start it. at now, at 21:21, at midnight; atq (to see the queue); Ctrl+D exits at.

batch (same as at, but starts when the system is not busy).

minute, hour, day of the month, month, day of the week
* * * * *

########################################################

27.
vsftpd

Config: /etc/vsftpd/vsftpd.conf
Important default directory: /var/ftp (anonymous users land here; the others go to their own home directory when they log in).

To test ftp: ftp localhost (or the IP), user anonymous, password [email protected] (it only has to be in email format).

lcd (local directory); !ls (to list the local directory)

Log file: /var/log/vsftpd.log

xinetd and vsftpd: copy /usr/share/doc/vsftpd-(version)/vsftpd.xinetd to /etc/xinetd.d/vsftpd. Disable the standalone service so it does not start on its own, because xinetd will start it; then stop vsftpd so it does not clash with xinetd. In vsftpd.conf we must comment out listen (#listen). We must point xinetd at vsftpd.conf: in /etc/ create the link (ln -s /etc/vsftpd/vsftpd.conf .), then restart xinetd.

Set up the download speed, add after listen=:
anon_max_rate=10000 (for anonymous; 10000 bytes = 10k/s)
local_max_rate=15000 (local users)

Restrict the IP addresses that can access - this can also be done via TCP wrappers. In vsftpd.conf:
deny_email_enable=yes
then go to /etc/ and touch vsftpd.banned_emails (that is the default file vsftpd.conf looks up); just list the emails one after another.

Interesting directives:
listen_port=
max_clients=
max_per_ip= (max number of connections from one IP)

SELinux issue:
/usr/sbin/setsebool -P ftp_home_dir=1 (allows ordinary users to use their home dirs)

Users are controlled via the ftpusers and user_list files in /etc/vsftpd/; host access via TCP wrappers.

############################################################

Miscellaneous Important - Look Often (that's what my file is called)

When a disk is added in VMware, to scan for hardware changes for the hard disk:
echo "- - -" > /sys/class/scsi_host/host#/scan (the host number is in that dir)
and then check with fdisk -l

chmod g+s folder/file (sets the setgid bit)
chmod uog-s folder/file (removes the set-id bits)

cat /etc/services (list of services and their ports)

Just an example, great for seeing the difference between two or more files; in this case you see which ports the samba service occupies:
# service smb stop
# netstat -ln > netstat-ln-smb.before
# service smb start
# netstat -ln > netstat-ln-smb.after
# diff netstat-ln-smb.*

Manually adding name resolution without BIND, in /etc/hosts: ip [tab] computer_name
192.168.1.10 centos1

To see whether a service is running: ps aux | grep service_name

Copy the home dir with all subdirectories into the current dir: cp -r /home/ .
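The allow/deny logic of the TCP wrappers rules in section 23, as an added example that is not part of the original post and not libwrap's own code: a shell model of tcpd's evaluation run over constructed hosts.allow/hosts.deny contents. It handles only ALL, domain suffixes, network prefixes and EXCEPT (real libwrap also knows netmasks, KNOWN/UNKNOWN/PARANOID and option fields such as severity), and the function names are assumptions.

```shell
# Added example (not from the original post): a simplified model of how tcpd
# evaluates /etc/hosts.allow and /etc/hosts.deny: hosts.allow is searched first,
# then hosts.deny, the first matching rule wins, and a client matched by neither
# file is ALLOWED. Handles ALL, domain suffixes, network prefixes and EXCEPT only.
# Constructed rule sets, one "daemon_list : client_list" per line.
HOSTS_ALLOW='ALL : .example.com EXCEPT cracker.example.com
ALL EXCEPT vsftpd : 192.168.0.'
# Without the final "ALL : ALL", EXCEPT only skips a host, it does not refuse
# it: an unmatched host falls through to the allow-by-default.
HOSTS_DENY='sshd : 192.168.1.1
vsftpd : 192.168.1.13
ALL : ALL'
# token_match PATTERN VALUE: one wildcard/pattern against a daemon or client.
token_match() {
    case "$1" in
        ALL) return 0 ;;
        .*)  case "$2" in *"$1") return 0 ;; *) return 1 ;; esac ;;  # domain suffix
        *.)  case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;  # network prefix
        *)   [ "$1" = "$2" ] ;;
    esac
}
# list_match "a b EXCEPT c" VALUE: in the first part and not in the EXCEPT part.
list_match() {
    local part=include tok hit=1
    for tok in $1; do
        [ "$tok" = EXCEPT ] && { part=except; continue; }
        token_match "$tok" "$2" || continue
        [ "$part" = except ] && return 1
        hit=0
    done
    return $hit
}
# rules_match RULES DAEMON CLIENT: succeeds if some rule matches both fields.
rules_match() {
    local rule rest
    while IFS= read -r rule; do
        rest="${rule#*:}"                # drop the daemon list; options are ignored
        list_match "${rule%%:*}" "$2" && list_match "${rest%%:*}" "$3" && return 0
    done <<EOF
$1
EOF
    return 1
}
# wrapper_decision DAEMON CLIENT: prints ALLOW or DENY the way tcpd would.
wrapper_decision() {
    rules_match "$HOSTS_ALLOW" "$1" "$2" && { echo ALLOW; return 0; }
    rules_match "$HOSTS_DENY" "$1" "$2" && { echo DENY; return 0; }
    echo ALLOW
}
```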
date -s "05/15/2009 18:35" (setting the time and date)

find /dirtolook -name '*.txt', for example
find -amin -10 (all files accessed within the last 10 minutes); +10 means more than 10 minutes ago, 10 exactly 10 minutes

SED
sed 's/djordje/abrahim/g' sed_test > sed_output (replaces djordje with abrahim in sed_test and writes the output to the file sed_output)

tail -n20 messages (shows the last 20 lines of messages)
tail -f filename (watches a log in real time)

/etc/sysconfig (important folder for system settings): keyboard, clock, iptables, network, static-routes, /etc/sysconfig/network-scripts/ifcfg-eth0
system-config-securitylevel (lists all the ports opened in the firewall; otherwise it is a GUI)

kill -9 pid kills it :)

Secure copy:
scp user@host:remote-path local-path
scp -r [email protected]:~/tutorial ~/ (for a whole dir "-r" is used)

cat /root/install.log (what was installed)
/var/log/dmesg (about memory, CPU, a lot of information at boot time)

PATH=$PATH:/directory_to_add
export PATH

When a user is created, a line is added to /etc/passwd, /etc/group and /etc/shadow, /etc/gshadow. To move the passwords between /etc/passwd and /etc/shadow: pwconv, the opposite is pwunconv; for groups grpconv, grpunconv.

free (command): how much free memory there is

To create a new swap file:
dd if=/dev/zero of=/swapfile bs=1024 count=1024
mkswap /swapfile
swapon /swapfile
It won't be there after a restart - it has to be put into fstab.

Reread fstab: mount -a

env lists all variables; variables are set with:
export TERM=vt100
export PATH=$PATH:/dir_for_path

XORG, XFS
xfs (the xorg-x11-xfs-1.0.2-4.i386.rpm package, for a possible --force install) is important for X11 (GUI) to start. The config file is /etc/X11/fs/config. Check whether it exists ... whether the service is started: chkconfig --list xfs
system-config-display is in /etc/X11/xorg.conf
fonts: /usr/share/X11/fonts/misc
log file: /var/log/Xorg.0.log
To set the DISPLAY env: export DISPLAY=localhost:0.0 or export DISPLAY=:0.0

To add a virtual IP address on an adapter: ifconfig eth0 add 192.168.1.101

***********************************************
Example to create a 1GB file:
dd if=/dev/zero of=file_1GB bs=1024 count=1000 /or/ dd if=/dev/zero of=file_1GB bs=4096 count=250 /or/ dd if=/dev/zero of=file_1GB bs=2048 count=500
Example to create a 2GB file:
dd if=/dev/zero of=file_2GB bs=2048 count=1000 /or/ dd if=/dev/zero of=file_2GB bs=1024 count=2000
Example to create a 512MB file:
dd if=/dev/zero of=file_512MB bs=1024 count=500 /or/ dd if=/dev/zero of=file_1GB bs=512 count=1000
************************************************

AWK, for all users with uid greater than 500 (up to 1000):
awk -F: '{if ($3>=500 && $3<=1000) print}' /etc/passwd | cut -d: -f1

#########################################################

Some administration
mkfs (make a filesystem)
fdisk (create, edit, move, rename partition)
fsck (do not run it on mounted filesystems)
df (filesystems, space, mounted)
du (disk usage): du --max-depth=1 -h
cp -ar /home/* /root/test (all files and directories)
To preserve the ownerships of the files while copying them to some other location you can use the -pR switch as below:
cp -pR /path/of the/source /path/of the/destination
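The awk filter above, generalised as an added example (not from the original post) into a small account audit over /etc/passwd-format input: the UID bounds become parameters, and two further checks look for extra UID-0 accounts and for regular accounts that still have a login shell. The sample entries and the function names are constructed.

```shell
# Added example (not from the original post): the awk one-liner above,
# generalised into checks over /etc/passwd-format input read from stdin.
# The sample below is constructed; on a real system feed it /etc/passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
djordje:x:500:500:Djordje:/home/djordje:/bin/bash
vesna:x:501:501:Vesna:/home/vesna:/bin/bash
bora:x:502:502:Bora:/home/bora:/sbin/nologin
aleksa:x:0:503:Aleksa:/home/aleksa:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin'

# users_in_uid_range MIN MAX: names of accounts whose UID lies in [MIN, MAX]
# (the 500..1000 filter above, with the bounds as parameters). awk selects
# the first field itself, so the trailing cut is no longer needed.
users_in_uid_range() {
    awk -F: -v lo="$1" -v hi="$2" 'NF == 7 && $3 >= lo && $3 <= hi { print $1 }'
}

# uid0_accounts: any account other than root with UID 0 is root under another
# name; such an entry is a classic sign of tampering (or of a careless useradd -o).
uid0_accounts() {
    awk -F: 'NF == 7 && $3 == 0 && $1 != "root" { print $1 }'
}

# login_shell_accounts MIN: regular accounts (UID >= MIN) that can log in
# interactively, i.e. whose shell is not nologin or false.
login_shell_accounts() {
    awk -F: -v lo="$1" 'NF == 7 && $3 >= lo && $7 !~ /(nologin|false)$/ { print $1 }'
}
```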
scp existing_folder [email protected]:/root/ (-r is used if it is a folder)

Symbolic link: ln -s existing_file_or_folder new_file (a soft link can span different disks, a hard link cannot)

grep '\<50.\>' /etc/group (lists everything that has 50 plus one more digit - 500, 501; . is used instead of an asterisk)

watch command (runs the command again every two seconds)

rpm -ivh to install
rpm -Uvh installs if not present, otherwise updates
rpm -Fvh only refreshes (updates what is already installed)

ntsysv (services can be switched on/off, but only for the current runlevel)

BACKUP
tar -cvzf file_name.tar.gz /directory_to_tar /more_directory (gzipped; without "z" it is a plain tar)
tar -cvpf file_name.tar --newer 16jun09 /directory_to_tar /another_directory
To look inside a tar: tar -tvpf file_name.tar | less

################################################

Dovecot
/etc/dovecot.conf
#protocols - imap imaps pop3 pop3s (leave the ones we need)
#listen = 192.168.1.100:10110
#ssl_disable = no (double negation means YES)
For SSL:
#ssl_cert_file =
#ssl_key_file =
We may need to use mail_location, otherwise dovecot will have a problem with users who have no home dir.

Create the certificates: first delete the generated certificates /etc/pki/dovecot/certs/dovecot.pem and /etc/pki/dovecot/private/dovecot.pem, then create them with /usr/share/doc/dovecot-1.0.7/examples/mkcert.sh

Ports: 110, 995 ssl; IMAP 143, 993

#############################################################

There's more, but it is painfully disorganised... This is the somewhat organised part. It can serve as a reminder when preparing for the RHCE. Cheers

[This message was edited by Machiavelli... on 26.08.2010 at 17:32 GMT+1]